Ding ding ding... End of first round. <insert ring girl with below sign>
Largest application software security focused event in 2011 - don't miss: http://www.appsecusa.org Sept 20-23 2011

###

Ding ding ding... Now "let's get it on"

Let's keep a professional debate. Free speech only works with more free speech; add bourbon for a party.

On Sep 1, 2011, at 3:26 AM, "Sergio 'shadown' Alvarez" <shad...@gmail.com> wrote:

>
>> "Blackhat IS about breaking stuff, the vendors area offers defense
>> products and services to improve your security. For building stuff (as
>> in development) there are other conferences out there. People go to
>> Blackhat to be aware of what things might go wrong in order to protect
>> better themselves."
>>
>> I really take offense to your comment.
>
> There's no offense within the truth.
> btw, I forgot trainings in that paragraph.
>
>> I am seeing malware out in the field that is based on work by
>> so-called noble "security researchers".
>
> You are seeing?, woow, how?
> From this mail it's clear you have no idea, and even less about the reverse
> engineering that is required to do such analysis. I am a reverse engineer,
> and I know what I'm talking about, but this is not the list to get into
> discussion about malware and reversing.
>
>> My litmus test is: If there were no whitehats and security
>> researchers, would we be better off at fighting the bad guys?
>>
>> My answer is emphatically "yes".
>
> Might I ask you a question? Why are you even in this mailing list if you are
> the kind of guy or developer that just doesn't care about doing your products
> correctly?
> Based on your answer a whitehat for you is a nightmare, the one who is giving
> your boss the red pill and because of that you are 'forced' to rewrite your
> code and do things as you should have done from the very beginning.
>
> People that follow your line of thinking are the ones who need to be replaced
> by people willing to learn in order to do better and more secure products.
>
>> I agree with Gary and from knowing Gary from all of his posts and
>> podcasts, this is not a new stance from him. I am in complete
>> agreement with him and always have been.
>
> I do agree with Gary in that there is a need for a new Conference about
> Defense Technologies and Awareness *for Developers*, that brings top notch
> security professionals and researchers together.
>
> I highlight *for developers* because for people who know what they are doing
> there are a bunch of conferences, and since you brought up the topic malware,
> here you have some specifically for that topic:
>
> http://www.virusbtn.com/news/calendar/index
>
> Especially the VB Conference is really good. (Virus Bulletin)
>
>> And while I am here, the "Builders vs. Breakers" term should be
>> attributed to Mark Curphey. You can probably still find his original
>> post.
>
> I'm sort of sick of the whole attribution thingy. I've seen many of that in
> academia 'research', where they just take research from some unknown
> researcher and put a label to it and claim attribution afterwards.
> The "Builders vs Breakers" meme has been discussed for *years*, I mean since
> before the 90s, and especially in other disciplines than software development.
> But since you've mentioned a specific person, a recent discussion which
> predates the author you've mentioned is here from June 3, 2008:
> http://marc.info/?l=cryptography&m=121260561401776&w=2
> http://news.cnet.com/2300-1029_3-6240826.html?tag=ne.gall.pg
> Let me know if you find an article from that Mark Curphey which predates
> that one and I'll give you another one older just to fit your needs.
>
>> The next question is: Can we ever prevent people from being "security
>> researchers" or "white hats" or "black hats" or "bad guys"? No.
>
> Can we prevent people from developing shitty code?
> Can we prevent people from talking BS?
>
> Neither.
>
>> But I think we have to start to take the lipstick off of the pigs and
>> recognize what it is.
>> It's called "Blackhat", isn't it?
>
> A blackhat is the first one willing to keep things secret, so that nobody
> knows anything.
> Thanks to whitehats and researchers who present their work and bring some
> light to blind people is that products evolve over time.
> Otherwise we would still have products like Windows 95 or Windows NT 4.0
> which were a joke from a security point of view. When Bill Gates sent the
> famous letter to all the company asking them to stop doing whatever it was they were
> doing and start auditing and reviewing the security of their developments, a
> lot of developers and project managers quit because they didn't want to
> rebuild right what they've built wrong. I believe you think like those
> developers and PMs, that's not the way to go.
>
>> Very unfortunately, there is more glamour - and probably more reward -
>> in breaking stuff.
>
> That's a media/press problem, they are guilty for that.
> I personally have great respect for products well engineered.
>
>> What I hate is that "security researchers" and the "white hats" try to
>> present themselves as noble and as the good guys.
>
> I don't share that mindset, security researchers present a project and let
> the industry come up with better solutions to the problem.
>
>> It's f*cking
>> bullsh*t and a total scam. Ten years later for me and the state of
>> infosec is much worse.
>
> Compare Windows 2000 and Windows 7, MacOS 9.x vs Lion, or Linux kernel 2.2 vs
> 2.6 (or 3.x) and then we talk OK?
>
>> There is also a nasty faction of infosec that will never want to solve
>> problems which will put themselves out of work. Yep, I am throwing
>> down that gauntlet FWIW.
>
> There are also a lot of people accumulating dust under the carpet like
> nothing happens, hoping no one will uncover their hidden trash.
>
> Cheers,
> Sergio
>
>> Stephen
>>
>>
>> On Wed, Aug 31, 2011 at 1:01 PM, Sergio 'shadown' Alvarez
>> <shad...@gmail.com> wrote:
>>> Hi gem,
>>>
>>> I've read your article to see what direction you were willing to take,
>>> before jumping into the conversation. Your post was exactly what I thought
>>> you were heading to.
>>>
>>> I disagree with your thought for many reasons.
>>>
>>> But first I would like to use proper terms so that we don't misuse some
>>> vocabulary:
>>>
>>> You said: """Software security should be a balanced approach of offense and
>>> defense (white hat and black hat, if you will)"""
>>>
>>> Whitehat: reports what he/she has found. Network vulnerabilities, software
>>> security flaws, flawed crypto, design flaws, or whatever it is that the
>>> individual found was broken or wrong.
>>>
>>> Blackhat: doesn't report what he/she found, because she/he wants to keep it
>>> that way.
>>>
>>> Of course there are a lot of grays out there too.
>>>
>>> Defense is... well... defense.
>>>
>>> To design and build proper software and hardware there are a lot of
>>> conferences out there, as well as trainings and a huge amount of
>>> literature. There are very good books when it comes to secure software
>>> development.
>>>
>>> Every year what is presented, in the best security conferences, are new
>>> techniques that developers need to be aware of in order to build secure
>>> products. Most of the presentations talk about things that were wrongly
>>> designed and/or corner-cases which were not considered.
>>>
>>> There are also a lot of tools and libraries which help development teams to
>>> do things right, especially libraries and templates like Microsoft SafeInt
>>> as well as the safe APIs, which prevent developers from shooting themselves.
>>> They just need to use them. There are also managed languages, APIs to
>>> handle SQL securely, etc. It is just that a lot of developers don't use
>>> what is available to them.
>>>
>>> Blackhat is great as it is now, there are talks about new defense
>>> technologies from time to time too. Having more talks about defense would
>>> be used, in my opinion, more to sell products than anything else. I don't believe
>>> it would do any good to Blackhat.
>>>
>>> """I am not opposed to breaking stuff (see "Exploiting Software" from
>>> 2004), but I am worried about an overemphasis on breaking stuff."""
>>>
>>> Blackhat IS about breaking stuff, the vendors area offers defense products
>>> and services to improve your security. For building stuff (as in
>>> development) there are other conferences out there. People go to Blackhat
>>> to be aware of what things might go wrong in order to protect better
>>> themselves. And even then many good talks overlap unfortunately.
>>>
>>> Regards,
>>> Sergio
>>>
>>> On Aug 31, 2011, at 4:16 PM, Gary McGraw wrote:
>>>
>>>> hi sc-l,
>>>>
>>>> I went to Blackhat for the first time ever this year (even though I am
>>>> basically allergic to Las Vegas), and it got me started thinking about
>>>> building things properly versus breaking things in our field. Blackhat
>>>> was mostly about breaking stuff of course. I am not opposed to breaking
>>>> stuff (see "Exploiting Software" from 2004), but I am worried about an
>>>> overemphasis on breaking stuff.
>>>>
>>>> After a quick and dirty blog entry on the subject
>>>> <http://www.cigital.com/justiceleague/2011/08/09/building-versus-breaking-a-white-hat-goes-to-blackhat/>,
>>>> I sat down and wrote a better article about it:
>>>>
>>>> Software [In]security: Balancing All the Breaking with some Building
>>>> http://www.informit.com/articles/article.aspx?p=1750195
>>>>
>>>> I've also had a chat with Adam Shostack (a member of the newly formed
>>>> Blackhat Advisors) about the possibility of adding some building content
>>>> to Blackhat. Go Adam!
>>>>
>>>> Do you agree that Blackhat could do with some building content??
>>>>
>>>> gem
>>>>
>>>> company www.cigital.com
>>>> podcast www.cigital.com/silverbullet
>>>> blog www.cigital.com/justoceleague
>>>> book www.swsec.com
>>>>
>>>> _______________________________________________
>>>> Secure Coding mailing list (SC-L) SC-L@securecoding.org
>>>> List information, subscriptions, etc -
>>>> http://krvw.com/mailman/listinfo/sc-l
>>>> List charter available at - http://www.securecoding.org/list/charter.php
>>>> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
>>>> as a free, non-commercial service to the software security community.
>>>> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
>>>> _______________________________________________
>>>
>>>
>>
>>
>> --
>> http://www.linkedin.com/in/stephencraigevans
>