That is so NOT Tao-like

[Note: the tone of this post is intended to be fairly light, with a bit of exasperation and frustration thrown in, along with some rhetoric that I amuse myself with in my spare time.]

Richard Bejtlich weighs in on the Saturday-morning television war I’ve been having with TQBF. Before getting into details, I’d like to lay claim to being Gamera and not Godzilla et al. (You will likely agree in this case that the "turtle" is a nice metaphor for your impression of my position, even though it is just as likely a wrong impression.)

Anyway, here is the Tao:

Tom does make an excellent point regarding cryptanalysis: why is it ok to analyze and break crypto algorithms, but supposedly not security software? Could it be that the people who really need strong crypto, like .gov and .mil types, know that bad guys are always trying to break the good guys’ crypto?

If we are to believe Pete, we would not recognize this fact.

I would like to table the discussion of cryptanalysis for another post, because Richard is right, it is an excellent point that TQBF makes, one that requires some thought and elaboration (not necessarily in that order) on my part. I think, however, that Bejtlich is using this point to make a general observation about my position, which is a bit disappointing because it misses the mark entirely (hopefully I haven’t).

My position, which has been clearly stated in a number of places, is that I am the most self-confident security professional in the world, because I actually believe the REAL threat exists. While everyone else works on the manufactured stuff, I want to protect my assets against true threats.

Regardless of my level of confidence, however, I don’t claim to have evidence and I refuse to manufacture it. And I find general "cloak and dagger" statements that security professionals make to be lacking any impact whatsoever.

Which brings me to Bejtlich’s (mildly condescending) comment:

"Pete and friends, there are people who have developed techniques months, and in some cases, years, before they appear in mailing lists or Black Hat talks.

With regard to discussions on specific new vulnerabilities and exploits, all I can tell you is ‘those who say don’t know, and those who know can’t say.’"

Richard, let me be clear on this (in the same mildly condescending manner): Those who REALLY know don’t say that they can’t say. You see, it sets you up. So those of us who admit to not knowing know that those who don’t admit to not knowing still don’t know, because if they did know, they wouldn’t admit it. And they sure as hell wouldn’t claim to know and just can’t say. They just wouldn’t say.

If you really do know and can’t say, why would you hang the entire Internet out to dry by keeping in-the-wild exploits against undercover vulnerabilities a secret while you encourage the wheel spinning of research and disclosure?

If there really is a lot of bad stuff, black hat activity going on out there, why would you recommend anyone distract themselves as frequently as we are forcefully distracted with the self-manufactured threat? We should be focusing on the important stuff, right? (I am really curious how these secrets among dozens, hundreds, or what have you can be kept for each and every compromise.)

If (perhaps) there isn’t a threat out there, why would you allow the entire world to perpetuate the myth while you reaped the benefits (oops, I think I may be on to something)?

Why doesn’t anyone really want to get to the bottom of this?

In the past five years, the only real public evidence of an in-the-wild exploit against an undercover vulnerability (I am told I can’t use "zero day" because it just means there is no patch) is the WebDAV vulnerability. And if you recall, Cybertrust (then TruSecure) screamed it from the rafters.

[I don't think TaoSecurity accepts trackbacks.]