So, here are the problems I have with both sides of this debate right now. I wouldn't normally play along with politics like this, but it's a nice Sunday afternoon, and I am feeling saucy.
I post this in an open forum because I believe this debate is useful in an open forum and I don't believe that Dave should be going up against polidiots in Congress alone.

Let's think about what is happening. Our claim is that healthcare.gov is insecure. We are the ones making that claim, and so the burden of proof is on us. They have effectively proven that they had some sort of pen tests done (who knows the scope, or how much risk was simply "accepted"). However, the only way to prove that the website is truly insecure is to break the law. They know this (and let's not forget there is extreme bias here).

You need to look at this from the point of view of the people you are trying to convince. I hate this term "passive reconnaissance" because the people you are trying to convince have *no* idea what this means. You are either using the website in the way it was intended or you are not (their POV, not mine). That paints a black and white picture that could fall under the CFAA. In fact, passive recon sounds like something the NSA does to collect metadata. Just saying.

Krush obviously has no idea how software development works. Yes, let's build honeypots into our extremely time-crunched multi-million dollar web application instead of actually building security measures in. That makes perfect sense. However, he is playing the political game that Dave is not. He knows exactly who his audience is, and plays straight into their hand. He is telling them anything vaguely technical that backs up the story that everything is secure. And you can't prove that what he is saying isn't true.

The fact that no "real" data is stored permanently (a point that both the Congress people and Krush make repeatedly) is no point at all. TJX and Target both had all their data stolen in transit (memory scanning malware). Neiman Marcus and Michaels are now likely in that boat as well. This is the perfect time to refute their point since it is fresh on everyone's mind.
Any data existing on those servers at any given point in time should be considered at risk.

There needs to be a solid story on the 70,000 number. Is there source code available for these scripts? Dave is going to get clobbered on this if he can't show exactly what this means. Anyone that is technical probably understands what is happening, but to anyone who doesn't know what an HTTP request is, the explanations are very soft and confusing (most media outlets?). This doesn't work in favor of the arguments because it makes it seem like something is being hidden.

In the end, this is a political problem. Not a technical problem. You can throw out hard numbers (hell, they might even be correct), and they can put words in your mouth and twist what you say to discredit you and you lose. Politicking is all about 10 second sound bites. That is their game right now. Not to prove Dave wrong, but to discredit him.

Let's recap: we can't prove the website is insecure without breaking the law, and our politichildren are not concerned about proving it is secure. They probably don't even know what "secure" means when it comes to technical systems like healthcare.gov. I believe Dave is approaching this as a technical problem, when this is actually a political problem.

For the hell of it, I will drop a Reaganism[1]: Trust, but verify. We are effectively being told "trust us, it is secure". We should be saying, "Fine, we trust you. Let us verify". Our tax dollars built the system. Maybe we should be allowed to view the source code.

I don't really expect any replies, but I love to eat crow. Feel free to teach me something.

/me grabs some popcorn

[1] I believe Reagan stole this from the Russians.

On Sun, Jan 26, 2014 at 3:03 PM, David Kennedy <da...@derbycon.com> wrote:
> As long as it involves the death star creation we may have a chance..
>
> On Jan 26, 2014 9:57 PM, "Brandon Perry" <bperry.volat...@gmail.com> wrote:
>
>> I think the only way to solve this debate is a Celebrity Deathmatch-style stand off.
>>
>> I will get the petition ready on https://wwws.whitehouse.gov/petitions. Stay tuned.
>>
>> On Fri, Jan 24, 2014 at 9:05 AM, David Kennedy <da...@derbycon.com> wrote:
>>
>>> Yoooo, what's up. This dude is crazy and probably Waylon Krush (can't confirm that). He's been tweeting each news organization in an attempt to throw a bunch of crap out there. Make your own determination, but I'm not the only one that's found it. First it was I absolutely had access to 70k and I'm the next Weev and should be arrested, now it's I've morphed myself into a media whore. Regardless, when it's fixed, I'll post as I've always said. Even did a full writeup and updates explaining everything:
>>>
>>> https://www.trustedsec.com/january-2014/explaining-security-issues-healthcare-gov/
>>>
>>> Dude keeps changing and morphing the story into a bunch of different things and changing the story. Happy to explain whenever and I'm not the only one who came to the same damn conclusion, 7 others did as well that were under NDA.
>>>
>>> Make your own determination, I've always done things on ethics and being up front, not hiding in the shadows and claiming insane things behind cloak and daggers.
>>>
>>> -Dave
>>>
>>> truthinallthi...@hushmail.me via lists.grok.org.uk Jan 22 (2 days ago) to root, full-disclosure
>>>
>>> This site is making waves on twitter: http://70000in4mins.wordpress.com/ So what say you? Has our dear sweet Lord of the SET hacked healthcare.gov? Or did he lie about what is really going on to get close to his heroes at Fox News? Has the spotlight turned him into another Gregory Evans? Desperate and willing to do anything for his next hit of the spotlight? Or did he find a way to have Google let him do 70,000 searches in four mins like he claims?
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website