On Wed, Sep 30, 2009 at 01:18:15PM -0400, blanchard_mich...@emc.com wrote:

> True, but to study the enemy you must study HIS tactics and HIS
> maneuvers. Not create brand new ones and study them. You must study
> existing malware, pull it apart, debug it, decompile it, see what makes
> it tick. Then extrapolate and try to predict the "bad guy's" next move
> based upon his past behavior.
>
> How can we study what the real bad guys are if we create something
> completely different than what the bad guys would ever think of?
I think there are two problems with this reasoning. Let me tackle the second paragraph first.

The bad guys are resourceful, well-funded, diligent, and very smart. (We're not stupid, and they've been kicking our asses for years.) There's no value in speculating what they have or haven't thought of, first, because there's no way to really know, and second, because they've already demonstrated a LOT of ingenuity -- certainly far more than we have. I think it's pointless to worry that we might give them new ideas: they're already producing those in great profusion, as we can tell just from the few samples that come to our attention.

Now as to the first paragraph, I disagree there as well. One of the reasons why the security "industry" is a miserable failure (nod to Marcus Ranum) is our collective failure of imagination. We don't train people to think like attackers, and we do train them to deal with the attacks that we already know about. This Is Not Working. We need to train people to be ingenious, devious bastards (and bastardettes) because only then will they have the kind of mindset that's necessary to defend against the attacks we *don't* already know about.

Yes, this approach carries risks: we might wind up teaching the bad guys something they don't already know. We might see a few of the people we've trained decide to switch sides. All possible. But IMHO it's still way better than what we're doing now.

---Rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.