Full Disclosure mailing list archives

Re: Foreign Intelligence Resistant systems [was Re: reasonable return on investment; better investments in security [....]]

From: Scott Herbert <scott.a.herbert () googlemail com>
Date: Fri, 18 Oct 2013 08:10:48 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Breathe...
But yes all governments it appears are at it. Remember APT1 and the Estonia take-down by Russia.

Sadly I can see a day where membership of an international list like these, is considered akin to spying for everyone 
else.

Sigh.

coderman <coderman () gmail com> wrote:

i must amend this prior advice.

in addition to legal protections, educational support, and competitive
programs,

also provide:
- direct and unrestricted backbone access to various individuals or
groups who demonstrate competence in either the educational or
competitive realms, in order for them to mount additional attack
strategies against any reach-able target.  this access must consist of
both passive taps of backbone traffic as well as injection taps for
raw packet transmission at core rates. this should be available on the
Internet backbone at internet exchanges, private fiber through public
right of way, and core networks of operators of licensed wireless
spectrum.


a side benefit of implementing these reforms would be the de-facto
de-funding of offensive network operations by third parties or
governments. the cost to keep ahead of such a widespread, popular, and
distributed effort would be enormous, and provide continually
decreasing returns.


...  getting there is much more complicated of course.   *grin*


---


On Sun, Apr 21, 2013 at 1:29 PM, coderman <coderman () gmail com> wrote:

On Fri, Apr 19, 2013 at 1:26 PM, <paul.szabo () sydney edu au> wrote:

...

2012-02-15 - Vulnerability Discovered by VUPEN
2013-03-06 - Vulnerability Exploited At Pwn2Own 2013 and Reported

to Adobe...


Is a delay of a year before reporting to the vendor, acceptable?



three years or more is better of course!  i would not be disappointed
with a dozen months, however.
  alas external factors (especially when licenses are non-exclusive)
complicate longevity of weaponized exploits...


if you really want to improve security:
 a) remove all criminal and civil liability for "hacking", computer
trespass, and all related activities performed over data networks;
establish proactive "shield" legislation to protect and encourage
unrestricted security research of any subject on any network. extend
to international agreements for blanket protection in all
jurisdictions.
 b) establish lock picking, computing, and hacking curriculum in pre
school through grade school with subsidized access to technical
resources including mobile, tablet, laptop test equipment, grid/cloud
computing on-demand, software defined radios with full
receive/transmit, and gigabit internet service or faster.
 c) organize a program of blue and red teaming challenges for
educational and public participation at the district, regional, and
national level cultivating expertise and rewarding it with hacking
toys, access, and monies.

if implemented, i can guarantee a significant and measurable
improvement in the security posture of the systems that remain  in
such an environment.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


- --
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
-----BEGIN PGP SIGNATURE-----
Version: APG v1.0.9

iQFMBAEBCAA2BQJSYN73LxxTY290dCBIZXJiZXJ0IDxzY290dC5hLmhlcmJlcnRA
Z29vZ2xlbWFpbC5jb20+AAoJEJHf3PUjVwdRJ08H/09c9UtHcJ2sURyXdILyo86Q
zK9K4lt79HHPncVT2iZthg6lLeQkWptGrHBDGN9BU+RE/cbpHkaMBHuQB9tDA5xm
Yrn2new55Y9JvEDuQzwDKMPbtjTcBx9vtCNGvQhnGwMyid6pIkaDs8NqSrbRLQ3c
P0Knhxz4KWCQxNUpqakrHkm/HwzK6tX1va5WyREOxVjoaodzBroM2HtHhm6BjPn4
xgfYIsiAyoZIAlQTVNfi0iEfM0Oj+IGWPZngAA1qIjUJdMvkkRE9EQX3ggHeYLTc
WN2A+dLvI17jqXqt2awsdrFLCy38lHYfeM7iOCUB1sAxHSGb92CcskMaQXXt11s=
=sp3K
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Foreign Intelligence Resistant systems [was Re: reasonable return on investment; better investments in security [....]] coderman (Oct 17)
- Re: Foreign Intelligence Resistant systems [was Re: reasonable return on investment; better investments in security [....]] Scott Herbert (Oct 18)