-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marc Maiffret wrote:
Keith McCammon wrote:
Eric Hacker wrote:

(a lot of good stuff) 8)

What I take from this discussion is reinforcement
of something I think about a lot:

Where is "The Line"?

Which raises the question, "What is The Line?"
..and that is like pornography - you can't define it,
but you damn sure know it when you see it.

All of us, or those who have been in this business
for a while, have, at one time or another, danced
right up to the edge of it. C'mon, fess up - you know
what I mean. It's at this point we can freeze the image
because everything hangs on what happens next.

The content of a person's/company's/etc character
gets a real big test, right now.

Some give out a big "Whoa!", back away a bit to look
things over.
Some surf the edge, taking pictures of the other side.
Some see how far over they can go without getting punished.
Some don't even see it.

There are security companies out there that routinely dance
on the other side of The Line, thinking the fake camera around
their neck will fool people. Others dance on the edge - it's
seductive alright, but sometimes they learn the cost of
slipping and how sharp the edge can be...and sometimes
they don't.

I'd like to think people would do security for the good reasons
rather than the bad, and handle things responsibly...but in the
competition for market share, press (ego share), and survival, a
lot of them don't. Those are the ones I stay well away from.

On vulnerabilities and whatnot:

Full-disclosure information on vulnerabilities is in itself a good
thing, even if it's only a preliminary "heads-up". The trick is
in how it is presented. This takes us back to where "the
line" is - rinse, repeat.

As for encoding attacks and such, I always go back to
the old maxim "Defense always lags Offense". It's the law. ;)
But new offense generates new defense, which generates new
offense....see "recursive". The trick is closing the gap between
Offense and Defense as tightly as possible...without
going over the line.

At the moment, some encoding attacks can be effectively (I didn't say
completely) modeled now (RPC and DNS for instance), others are
problematic, and there are probably more that haven't been
discovered. "...never completely emulate..." is too strong for me. Modeling
boils down to "How many cycles you wanna throw at it?" vs performance issues
vs risk/reward. If analysis is done correctly, you don't necessarily
have to get complete modeling to get a positive detection.

Best regards,

Randy
- -----
"Sesame Street called. The letter E would like to withdraw its
sponsorship of Internet cliches, and assert full rights to the use
of its image and trademark sound."
      -- Anatoly Delm 13 Sep 2000 ---

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1

iQA/AwUBO7yh0O5yl3TXUvYdEQKafwCgw9OteK29qyCN0wROJl9KofYSoDIAoKsT
ar3gxUKych28d4jmsOniJ3sc
=CKD8
-----END PGP SIGNATURE-----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]