Comments on: I am Served and TQBF gets Drunk

By: Dwayne

Dwayne — Thu, 26 Jul 2007 15:58:21 +0000

By: Iang

Iang — Thu, 18 Aug 2005 11:32:22 +0000

I’m with you on this issue. The underlying issue is that there is no data on which to separate out the truth from the fluff. The security community has grown up in so much of a secrecy environment that all claims are suspect, and all products are based on hype.

We need data, data, and more data. We need to unravel this attitude of not trusting anyone else with the things we’ve learnt. 50 beers is a cheap price to get the data.

By: Emergent Chaos

Emergent Chaos — Thu, 18 Aug 2005 04:05:02 +0000

Where’s the Evidence?

Tom Ptacek offers up unsubstantiated rumors, and Lindstrom caves? Shoot. I did my chrooting DNS work when a customer’s DNS servers came under attack. Can I get beer without naming the customer? I thought Pete was demanding full details….

By: Pete

Pete — Tue, 16 Aug 2005 14:47:27 +0000

@David: that link is the honey monkey one that we discussed here: http://spiresecurity.typepad.com/spire_security_viewpoint/2005/08/thank_god_for_h.html. Bottom line: not a zero-day by my definition.

By: David Maynor

David Maynor — Mon, 15 Aug 2005 13:30:46 +0000

http://www.securityfocus.com/news/11273/2

By: Not Bad For a Cubicle

Not Bad For a Cubicle — Fri, 12 Aug 2005 20:40:57 +0000

0day’s don’t excite me but beer always gets my attention

There’s been a lot of back-and-forth between Pete Lindstrom, Adam Shostack, and TQBF regarding the benefits (or lack thereof) of vulnerability research and disclosure, culminating in Pete saying he’d buy beer…

C’mon, just poi…

By: Chris Walsh

Chris Walsh — Fri, 12 Aug 2005 20:31:00 +0000

If I buy a round, can I sit in for the floor show? After 25 beers apiece, I anticipate quite a barnburner.

By: J.J.

J.J. — Fri, 12 Aug 2005 13:49:57 +0000

Why does the truth/myth of zero-days matter? The issue is merely academic. If we base any security design on the assumption that a given system is secure, then we have failed.

Whether through a sys admin not applying a patch/triage config quickly enough, carelessness in a configuration or the dancing pigs problem, every system has the potential to be compromised at some point once it’s deployed.

IDS detection of the attack has the same troubles.

Reference Matt Blaze’s whitepaper on safelocks. The best safe you can buy on the market can only be expected to deny a safecracker for 60 minutes. Blaze’s ultimate conclusion:

“Perhaps we would do better learning instead to design systems that recognize the inevitability of software errors, tolerating them as safe locks tolerate inevitable mechanical imperfections. ”

Maybe I’m missing a larger picture, but if we’re not building systems that assume the inevitability of compromise, then we’re failing to secure the systems.

Of course, you won’t know that, because it’s self-enforcing mindset. Since you’re not building systems that monitor secure systems for unexpected breaches, you’ll never see them. Since you never see them, they don’t exist – right?

J.J.

links:
dancing pigs: http://en.wikipedia.org/wiki/Dancing_pigs
matt blaze: http://www.crypto.com/papers/

By: Dave Aitel

Dave Aitel — Fri, 12 Aug 2005 12:47:05 +0000

Or, for more examples:
o RealServer ../../../ overflow
o Any of the Immunity VSC releases (Mac OS X Kernel Local, anyone?)
o Samba bug that HDM got hacked with

The list goes on and on. Exploits being used as 0day is the rule, not the exception. If you were on DD you’d get to see a few more examples…

By: Thomas Ptacek

Thomas Ptacek — Fri, 12 Aug 2005 01:29:58 +0000

You’re on. I’m 5 minutes away from there.