Holding back your zero day exploits until directly after the MS Patchday...if your bug hasn't been removed, then you have up to a full month of time to abuse it.
Clever.
What makes you think MS released their advisory as soon as they learned about the exploit?
...will be to invest money in marketing to find some way in which this study is not "fair"; in other words, how it doesn't align with limited and unrealistic testing methodology that only focuses on very specific ways their tools succeed in detecting malware.
"I don't want to say it's rubbish," Kaspersky told PC Authority. "But the security experts don't pay attention to these tests. It doesn't reflect the real level of protection."
That's right. Security experts recognize Anti-Virus for what it is: an outdated security mechanism which amounts to nothing more than an IPS for your system, detecting known threats. I'm glad this industry is finally starting to realize their approach is ineffective against modern, sophisticated adversaries.
...just remember this when they try to tell you their product protects from "unknown" or "future" threats - threats that start as POC's, or are built from POC's to specifically target your company. These are rubbish to AV vendors. They don't care about these "hard" problems, and have no interest in protecting you from them.
I see it as tacit acknowledgment that their industry has given up on innovation.
'Demographics have shown that not only are FireFox users a somewhat small percentage of the internet, they actually are even smaller in terms of online spending, therefore blocking FireFox seems to have only minimal financial drawbacks, whereas ending resource theft has tremendous financial rewards for honest, hard-working website owners and developers.'
Firefox users represent a very small percentage of online spenders, therefore blocking them 'has tremendous financial rewards.' How, exactly, does that work? Ending resource theft may have tremendous financial rewards as a general statement, but linking that to blocking Firefox users is a non-sequitur. If anything, you're just taking away that very small percentage of profit, which means less money. Someone's purdy smert.
An informed person would have said something to the effect of this being a symbolic gesture about ending resource theft, although even that claim is specious IMO.
Passenger profiling, which Israel has shown to be effective (no hijackings since the 80's, with even more enemies than the US), or the current put-everything-they-tried-last-time-in-a-plastic-b aggie approach currently used?
The privacy implications are staggering, no doubt, but I'm glad to see the government at least begin to apply a bit of intelligence into securing air travel. The current system is painful and totally ineffective. The implementation will make all the difference. I'm sure the USG will screw it up, but there's a right way to do this.
Critics say the new recruiting tool lacks reality? Recruiting is a sales activity: sell these jobs to the public. While you can't outright lie when selling something (at least, by law, in the US), omitting "the rest of the story" is a common and accepted tactic. Why should we expect that a *recruiting* *game* be realistic? If it were a war simulator, now that'd be another thing, but I don't think anyone's trying to suggest we use this for formal military training...
This isn't news, it's just people looking for something else to complain about.
God for-fucking-bid the "battlefield" should in anyway involve some kind of consideration of what might be best for the human constitutents
Agreed. I said out loud when I read this "I guess I'm in the group with the worst-funded lobbyists: the American public."
It would be nice to see a grassroots campaign to fund lobbyists who lobby against lobbyist-friendly rules (campaign finance, schmoozing, etc.). I think that sort of an organization would get a *lot* of donations.
I've worked in oppressive IT environments before, and granted, I'd love to be in a job that offered this benefit.
-BUT-
It's built on a colossally bad idea. The customer/has/ to come first for a business to stay profitable. How happy will your employees be if they're all laid off because customer service - already working against some Indian firms due to language barrier, etc. when dealing with outsorced services - suffers a decline?
What needs to happen is the customer comes first, and the employee second. As opposed to most companies' priorities now: 1) Executive Board 2) Customer 3) Executive Board 4) Shareholders 5) My Daughter's pet pig 6) Something Else 7) Executive Board 8) Employee
negative stereotypes like the image of the male hacker
How is this a negative stereotype for women? Perhaps a bit exclusionary, but it doesn't degrade or otherwise oppress women... And besides, isn't being a hacker, in the larger social context, a negative stereotype in and of itself? Why would women want to be associated with a stereotype that, in current pop-culture terms, implies illegal activity?
That said, you can't deny the gender gap in and of itself. I simply dispute this as a factor.
While a lot of these developments are exciting technologically-speaking, it fascinates me that so much energy is spent securing data in transmission, when really, it's the data storage that needs more focus. How often has data been intercepted in-transit versus in-storage? Moreover, how much data has realistically been intercepted & used that's been secured using currently-available technologies?
No thanks. I'll take the simplicity of gaim to accomplish the given task; relaying a text 'conversation'.
I happen to agree. The problem is, this is a very engineering approach to a social problem; such approaches are often rejected by society because that's not how most people think.
The problem with acceptance and continued use of Linux outside of the realm of highly-technical users is one of approach, and this article makes a good point of a symptom of that problem.
I recently watched two of my friends in their mid-twenties spend 8 straight man-hours on myspace.com. These types of electronic social networking uses are exactly where recreational computer use is going right now, and for the Linux community to keep or increase its market share amongst younger tech-savvy users, it needs to acknowlege this trend.
From the site: The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS can be used by law enforcement, government, and industry organizations to review files on a computer by matching file profiles in the RDS. This will help alleviate much of the effort involved in determining which files are important as evidence on computers or file systems that have been seized as part of criminal investigations.
The RDS is a collection of digital signatures of known, traceable software applications. There are application hash values in the hash set which may be considered malicious, i.e. steganography tools and hacking scripts.
Using this, and some solid up-front admin work and strong procedures, a default deny on filesystems (especially server filesystems) is absolutely feasible and a good idea for strong security.
While the automated system seems to make sense to prevent slowdowns by having people discuss naming, this doesn't seem like a great solution. Many people may even think: I've heard of that CME thing before, I'm already protected.
This isn't the primary benefit of such a system. The benefit is that, as an administrator with systems running differen anti-virus software for reasons beyond my control, I can tell what is running around on my network without having to play the name-matching game. Or, while researching a virus, I can look on a number of vendor's sites (since different analyses typically result in different information, this is wise to get as much information as possible) and be certain I'm reading information about the same piece of malware. When speaking internally to other IT groups, I can refer to this name, as opposed to having 2 or 3 different names being tossed out during a conference call.
This is absolutely true. Not only are there the politics external to US-CERT that have to be considered when developing this, remember this is the federal government, and internal politics and red tape must be fought the entire time as well.
Having worked with the US-CERT folks directly (no I'm not a gov't employee), I can say that the people I've worked with have been competent, headstrong individuals genuinely interested in their initiatives to improve security. This *is* atypical for the US Government, I will grant you, but it doesn't mean credit isn't due.
I'm interested to see how they handle variants. This is going to be key, and the stuff I've read so far doesn't mention anything about it. That could be the make-or-break point of the nomenclature.
My understanding from reading the paper is that this approach is only effective for english-language words. Using complex passwords (special characters, numbers, etc.) seems like it would significantly reduce the effectiveness of this attack. A nice follow-up to this paper would be applying the research to analyze how this would impact password guessing in situations with complex passwords.
It would be nice if the Phrack editors would make the bound final issue available online for a reasonable fee. I won't be able to get to where it will be available, but would love to have a copy.
Given that the roots of Phrack and the EFF are so closely tied, it would be a great gesture to donate any profits made from online sales to the EFF...
It's sad to see such a historical element of a sub-culture that so influenced me fade away. Here's hoping 2600 can keep it alive.
Would you trust a vendor peddling software to solve a problem it was largely instrumental in creating?
If MS had willingly seen & corrected their mistakes long ago, without the constant prodding of the security industry, I would be more inclined to trust this product. But with the current state of affairs, this is akin to someone cutting your arm with a knife, then offering to stitch it up for you.
Slashdot Mirror
Holding back your zero day exploits until directly after the MS Patchday...if your bug hasn't been removed, then you have up to a full month of time to abuse it.
Clever.
What makes you think MS released their advisory as soon as they learned about the exploit?
...will be to invest money in marketing to find some way in which this study is not "fair"; in other words, how it doesn't align with limited and unrealistic testing methodology that only focuses on very specific ways their tools succeed in detecting malware.
They've done (Skoudis) it before (Secunia).
That's right. Security experts recognize Anti-Virus for what it is: an outdated security mechanism which amounts to nothing more than an IPS for your system, detecting known threats. I'm glad this industry is finally starting to realize their approach is ineffective against modern, sophisticated adversaries.
...just remember this when they try to tell you their product protects from "unknown" or "future" threats - threats that start as POC's, or are built from POC's to specifically target your company. These are rubbish to AV vendors. They don't care about these "hard" problems, and have no interest in protecting you from them.
I see it as tacit acknowledgment that their industry has given up on innovation.
...is:
Quis custodiet, ipsos custodes
- Juvenal
'Demographics have shown that not only are FireFox users a somewhat small percentage of the internet, they actually are even smaller in terms of online spending, therefore blocking FireFox seems to have only minimal financial drawbacks, whereas ending resource theft has tremendous financial rewards for honest, hard-working website owners and developers.'
Firefox users represent a very small percentage of online spenders, therefore blocking them 'has tremendous financial rewards.' How, exactly, does that work? Ending resource theft may have tremendous financial rewards as a general statement, but linking that to blocking Firefox users is a non-sequitur. If anything, you're just taking away that very small percentage of profit, which means less money. Someone's purdy smert.
An informed person would have said something to the effect of this being a symbolic gesture about ending resource theft, although even that claim is specious IMO.
Passenger profiling, which Israel has shown to be effective (no hijackings since the 80's, with even more enemies than the US), or the current put-everything-they-tried-last-time-in-a-plastic-b aggie approach currently used?
The privacy implications are staggering, no doubt, but I'm glad to see the government at least begin to apply a bit of intelligence into securing air travel. The current system is painful and totally ineffective. The implementation will make all the difference. I'm sure the USG will screw it up, but there's a right way to do this.
Critics say the new recruiting tool lacks reality? Recruiting is a sales activity: sell these jobs to the public. While you can't outright lie when selling something (at least, by law, in the US), omitting "the rest of the story" is a common and accepted tactic. Why should we expect that a *recruiting* *game* be realistic? If it were a war simulator, now that'd be another thing, but I don't think anyone's trying to suggest we use this for formal military training... This isn't news, it's just people looking for something else to complain about.
that, in 2003, said "IDS is dead", has "failed to live up to the hype," "is a market failure," and "will be obsolete by 2005." Sure Gartner, whatever.
These guys have little credibility left in my mind.
God for-fucking-bid the "battlefield" should in anyway involve some kind of consideration of what might be best for the human constitutents
Agreed. I said out loud when I read this "I guess I'm in the group with the worst-funded lobbyists: the American public."
It would be nice to see a grassroots campaign to fund lobbyists who lobby against lobbyist-friendly rules (campaign finance, schmoozing, etc.). I think that sort of an organization would get a *lot* of donations.
I guess a comment only modded a lowly "2" is worthy of its own /. entry now... oh how our standards have fallen.
AND YES I AM BITTER.
A list of McNealy zingers. I have to say, I'm gonna miss reading absurd quotes from this guy.
I've worked in oppressive IT environments before, and granted, I'd love to be in a job that offered this benefit.
/has/ to come first for a business to stay profitable. How happy will your employees be if they're all laid off because customer service - already working against some Indian firms due to language barrier, etc. when dealing with outsorced services - suffers a decline?
-BUT-
It's built on a colossally bad idea. The customer
What needs to happen is the customer comes first, and the employee second. As opposed to most companies' priorities now:
1) Executive Board
2) Customer
3) Executive Board
4) Shareholders
5) My Daughter's pet pig
6) Something Else
7) Executive Board
8) Employee
negative stereotypes like the image of the male hacker
How is this a negative stereotype for women? Perhaps a bit exclusionary, but it doesn't degrade or otherwise oppress women... And besides, isn't being a hacker, in the larger social context, a negative stereotype in and of itself? Why would women want to be associated with a stereotype that, in current pop-culture terms, implies illegal activity?
That said, you can't deny the gender gap in and of itself. I simply dispute this as a factor.
While a lot of these developments are exciting technologically-speaking, it fascinates me that so much energy is spent securing data in transmission, when really, it's the data storage that needs more focus. How often has data been intercepted in-transit versus in-storage? Moreover, how much data has realistically been intercepted & used that's been secured using currently-available technologies?
Devices capable of storing data used to steal data!
It doesn't take that many weeks to recall CD's and tell resellers to take them off of their shelves.
They're telling the truth, in part: they reacted as fast as they could to the bad press. But not to the real issue - the flawed software.
No thanks. I'll take the simplicity of gaim to accomplish the given task; relaying a text 'conversation'.
:-)
I happen to agree. The problem is, this is a very engineering approach to a social problem; such approaches are often rejected by society because that's not how most people think.
The problem with acceptance and continued use of Linux outside of the realm of highly-technical users is one of approach, and this article makes a good point of a symptom of that problem.
I recently watched two of my friends in their mid-twenties spend 8 straight man-hours on myspace.com. These types of electronic social networking uses are exactly where recreational computer use is going right now, and for the Linux community to keep or increase its market share amongst younger tech-savvy users, it needs to acknowlege this trend.
IMO, of course
Need to learn to use the preview button - it's the National Software REFERENCE Library. My apologies. Time to go home from work it seems.
Enumerating both good and bad programs is probably a good idea.
Exactly. Which is why the National Software Repository Library exists.
From the site:
The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS can be used by law enforcement, government, and industry organizations to review files on a computer by matching file profiles in the RDS. This will help alleviate much of the effort involved in determining which files are important as evidence on computers or file systems that have been seized as part of criminal investigations.
The RDS is a collection of digital signatures of known, traceable software applications. There are application hash values in the hash set which may be considered malicious, i.e. steganography tools and hacking scripts.
Using this, and some solid up-front admin work and strong procedures, a default deny on filesystems (especially server filesystems) is absolutely feasible and a good idea for strong security.
While the automated system seems to make sense to prevent slowdowns by having people discuss naming, this doesn't seem like a great solution. Many people may even think: I've heard of that CME thing before, I'm already protected.
This isn't the primary benefit of such a system. The benefit is that, as an administrator with systems running differen anti-virus software for reasons beyond my control, I can tell what is running around on my network without having to play the name-matching game. Or, while researching a virus, I can look on a number of vendor's sites (since different analyses typically result in different information, this is wise to get as much information as possible) and be certain I'm reading information about the same piece of malware. When speaking internally to other IT groups, I can refer to this name, as opposed to having 2 or 3 different names being tossed out during a conference call.
Please mod the parent up.
This is absolutely true. Not only are there the politics external to US-CERT that have to be considered when developing this, remember this is the federal government, and internal politics and red tape must be fought the entire time as well.
Having worked with the US-CERT folks directly (no I'm not a gov't employee), I can say that the people I've worked with have been competent, headstrong individuals genuinely interested in their initiatives to improve security. This *is* atypical for the US Government, I will grant you, but it doesn't mean credit isn't due.
I'm interested to see how they handle variants. This is going to be key, and the stuff I've read so far doesn't mention anything about it. That could be the make-or-break point of the nomenclature.
My understanding from reading the paper is that this approach is only effective for english-language words. Using complex passwords (special characters, numbers, etc.) seems like it would significantly reduce the effectiveness of this attack. A nice follow-up to this paper would be applying the research to analyze how this would impact password guessing in situations with complex passwords.
Sometimes, old tricks are the best tricks!
Action in this scenario is obviously preferred
This is not necessarily true, and I'm not just talking about honeynets/honeypots, either.
It would be nice if the Phrack editors would make the bound final issue available online for a reasonable fee. I won't be able to get to where it will be available, but would love to have a copy.
Given that the roots of Phrack and the EFF are so closely tied, it would be a great gesture to donate any profits made from online sales to the EFF...
It's sad to see such a historical element of a sub-culture that so influenced me fade away. Here's hoping 2600 can keep it alive.
Would you trust a vendor peddling software to solve a problem it was largely instrumental in creating?
If MS had willingly seen & corrected their mistakes long ago, without the constant prodding of the security industry, I would be more inclined to trust this product. But with the current state of affairs, this is akin to someone cutting your arm with a knife, then offering to stitch it up for you.
No thanks, I'll find another doctor.