Security Hackers Interviewed
An anonymous reader writes "SecurityFocus has published an interview with Dan Kaminsky. He was a guest hacker at Microsoft's Blue Hat event. At the same time, Whitedust is running an interview with Richard Thieme from back in April. Richard is best known for his column 'Islands in the Clickstream', which is syndicated in over 60 countries." Thieme also wrote a column or two for Slashdot back in the day. From the Kaminsky interview: "Corporations are not monolithic -- there is no hive mind that can one day change every opinion towards some sort of 'rightthink'. Microsoft has said the right things about security for years, but then, who hasn't? Security requires more than PR, or even proclamations from C-levels."
Re:In conclusion... (Score:1, Flamebait)
He also hosts my website
Tom
Re:In conclusion... (Score:1)
Re:In conclusion... (Score:2)
Tom
"Blue hat" hackers (Score:5, Funny)
We have more than enough hat colours as things stand.
Blue Hat hacker sounds like an IBM employee anyway (or an Anti-Fedora agent?)
Re:"Blue hat" hackers (Score:1)
New Denial of Service attack on Hat Colors (Score:1)
Enumerate all the possible colors of Hats and file trademarks on them (Purple Hat, Aqua Hat, Green Hat, Pink Hat, etc.)
Then, write a Perl script that does daily Google queries for each color of hat. Whenever someone else starts using Aqua Hat, or Gold Hat or whatever, write them a Cease and Desist letter. Also have your script attempt to locate new names of colors. Then automatically generate trademark applications for those names of Hats as well.
File a Patent application for your Perl Script. Say i
Red hat hackers (Score:1)
Just like Customer Service (Score:5, Interesting)
Security is a neat buzz word lately. We all "need" to do security, blah, blah, blah.
Security is just like customer service. In order for it to be effective you have to ingrain it in a culture which places it as a top priority. It's obvious that most developers and corporations think of this as an afterthought.
Okay, we need functionality x and y. Great, now that we have it
Just reading the article shows that the developers were surprised someone could reverse engineer their code; they were "annoyed" someone created a graphical exploit. Annoyed? How about pissed? What about "motivated" to plug the hole? Obviously we weren't there to hear this first hand, but it sounds like just an "oh well, we should do something about this." The article talks about a priority shift. Just another corporate slogan.
If it was a true culture shift you would see something like: x company has announced the hiring of 1,000 new software programmers to create a new division of security. This new division will audit all code for potential security problems before any new programs are released.
Re:Just like Customer Service (Score:1)
Re:Just like Customer Service (Score:4, Insightful)
That would be followed immediately by "On IRC, 10,000 hackers were recruited to find holes in X Company's security measures."
Security is a concern, but it is mostly exclusive from features. For 99.9% of the features you add, there is a way to make them secure. Unless the feature is to upload and execute random code I guess.
The biggest problem with security is that you can't guard against things you don't know about. Hackers find holes, and then they get closed. It's hard to fill in a hole if you don't know it is there. In a way, for every hack that is exploited the fix makes things more secure than they were. Unfortunately there is a window of opportunity in between the finding and the fixing during which your pants are around your ankles.
Re:Just like Customer Service (Score:3, Interesting)
But this is the point. How can you secure code when you don't actively audit it? The reason why there are 10,000 holes is that companies don't have the mindset of features + security = release. It is first develop the features then release. And after the fact add security.
It will take a huge culture shift to get that the concept that in order for programs to be secure they have to have security built in from
Re:Just like Customer Service (Score:2)
Sounds reasonable, BUT.
The entire purpose of security is to guard against things you don't know about. Otherwise it's too much like Monday morning quarterbacking.
Finding holes is not particularly difficult. Just use it in unexpected ways and look for unexpected results. Closed source is pretty useless as a defence. The attacks are based on what the program actually does. The source shows what the programmer thin
Re:Just like Customer Service (Score:4, Insightful)
1) Metasploit isn't a graphical exploit; it's a Perl shell, very well done, that made exploit development and deployment a far more reliable endeavor.
2) They're pretty damn motivated -- not perfect, but way more than I've seen any corp. Like I said -- the "intro to security lecture" (people WILL find your holes, you WILL get attacked, etc) just didn't happen.
3) 13 open reqs for just one consultancy I know of that's got security auditing gigs at MS. Yeah.
4) I hadn't made the link between customer service and security. You're completely right about it needing to be a cultural element.
--Dan
Re:Just like Customer Service (Score:2)
I guess I was referring to this:
"Version 2.3 of the Metasploit Framework includes a web interface"
when I meant graphical. [metasploit.com]
Re:Just like Customer Service (Score:2)
Congrats on the good press coverage.
Joey
Re:Just like Customer Service (Score:2)
Re:Just like Customer Service (Score:2)
This one:
http://seclists.org/lists/bugtraq/2000/Nov/0322.h
Re:Just like Customer Service (Score:2)
The problem with this is that of the 1,000 employees, about fifteen, or 1.5%, will be knowledgeable enough to find actual exploits or vulnerabilities.
Because of this, about 95% (3.5% stick around to "manage" the 1.5% that do the work) o
Security and its ways (Score:1)
On the Dan Kaminksy Interview (Score:2, Insightful)
Blue Hat? (Score:1, Insightful)
--Noel Anderson
Wireless networking engineer, Microsoft
I can play both of those, a single forty-year-old woman, a fresh-out-of-college jerk, a recently-made-available celebrity, a professional weatherman with agoraphobia, or even an FBI/CIA/NSA agent with a hardcore case of "the powertrip", and you'll never know the difference.
So why bother defining me? To h
Who is this clown? (Score:4, Interesting)
Re:Who is this clown? (Score:3, Interesting)
You may have to forgive the guy for continuing to process the world in terms of his religious background: the mystery at the Unknown Other, the power of the symbols we use to communicate Good and Evil, humanity's need for the company of other humans and the need to treat each other person with respect and dignity (althoug
Re:Who is this clown? (Score:1)
In a monotone voice: (Score:1)
There is no hive mind that can one day change every opinion towards some sort of 'rightthink'.
Microsoft has said the right things about security for years.
Why Blue Hat ? (Score:1)
Another problem with metrics... (Score:3, Interesting)
You need to look at what the actual failures are, whether the kinds of failures are changing or not, whether there's a common cause to some class of failures and how hard it would be to address that common cause, and whether different systems tend to suffer from different kinds of failures.
Buffer overflows, for example. Everyone gets hit by buffer overflows, there's a common cause, but some of the techniques you can use to address them are easier than others. Non-executable stacks, great. Easy to do, if the hardware supports it, and doesn't have much of an impact on the developers. Changing to a language where buffer overflows can't happen? That's hard.
Code injection by playing quoting games, using '%2E%2E' or some complex Unicode string instead of '..', or telling me your name is '%34;cat%20/etc/passwd;echo%20%34'. Different symptoms, sometimes you can systematically fix them, sometimes you can't. A lot of what people think they know about these kinds of attacks is wrong, and they fix them badly and someone with a name like "d'Artagnon" finds he's a hacker.
Sandboxes. Lots of bad information about these going around. Microsoft used to say sandboxes were a bad idea, too much overhead. I don't know if they still do, but they need to come up with a fully sandboxed inherently safe version of Internet Explorer... the sooner the better. Oh, and Firefox has been playing with fire here too... and Apple needs to quit trying to sandbox dashboard at all and just treat it as another application platform... before they end up with people depending on a sandbox that isn't really there.
But the bottom line is, all the metrics in the world won't tell you whether these problems are things that vendors should be held directly accountable for, or whether they're the user's responsibility for configuring their systems correctly, or whether it's a third party plugin/cgi/component vendor that's the real problem.
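The point above about '%2E%2E' and filters that get "fixed badly", as an added example that is not part of the comment or its author's work: the naive filter inspects the raw request string, while the hardened version decodes, normalises and then tests containment against the document root. The base directory and sample request paths are constructed for illustration.

```python
"""Path filtering: decide on the decoded, normalised path, never on raw bytes."""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the example.
BASE = "/var/www/files"


def naive_is_blocked(raw: str) -> bool:
    """The 'bad fix': substring search for '..' on the undecoded request.

    '%2E%2E/etc/passwd' passes because the literal '..' never appears.
    """
    return ".." in raw


def resolve_under_base(raw: str, base: str = BASE) -> Optional[str]:
    """Decode once, normalise, then check the result stays inside base.

    Returns the absolute path to serve, or None if the request must be refused.
    """
    try:
        # errors='strict' rejects percent sequences that are not valid UTF-8,
        # so overlong or malformed Unicode encodings of '.' and '/' fail here.
        decoded = unquote(raw, errors="strict")
    except UnicodeDecodeError:
        return None
    if "\x00" in decoded:
        # An embedded NUL would truncate the name in a C-level open().
        return None
    # Treat the request as relative to base, then collapse '.', '..' and '//'.
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    # Containment test on the normalised result, not a pattern match on input.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("reports/2005/q1.pdf", "../etc/passwd", "%2E%2E/etc/passwd"):
        print(f"{req!r}: naive_blocked={naive_is_blocked(req)} "
              f"resolved={resolve_under_base(req)}")
```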
Re:Another problem with metrics... (Score:2)
With that, the nature of open source is find and fix and become a hero.
Closed source would really rather that exploits not be published.
To measure the relative security, imagine how hard it was to find the exploit. If they're finding low-hanging fruit, there has to be plenty left. If it takes heroic effort, then there are not so many left.
OpenBSD publishes a security patch. Do you apply it? Likely not, sinc
Dear Dan: MS 'security' is bullshit (Score:2)
Dan, MS security is for shit by any fucking metric you want to hurl at it. And no amount of hemming and hawing about hats and China and whatnot is ever going to alter the profound and terrifying reality that a company larger than the GDP of fucking Belgium
Re:Dear Dan: MS 'security' is bullshit (Score:2)
You might want to read the article linked, which clearly indicates that Dan does not work for Microsoft.
tin foil hat on (Score:1)
Re:tin foil hat on (Score:1)
Well, what is Dan up to... (Score:2)