<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Tales of Ordinary Madness &#187; Me and My Big Ideas</title>
	<atom:link href="http://chris.teodorski.com/category/me-and-my-big-ideas/feed/" rel="self" type="application/rss+xml" />
	<link>http://chris.teodorski.com</link>
	<description>Chris' Tales of Ordinary Madness</description>
	<lastBuildDate>Fri, 16 Jul 2010 17:36:23 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Narcissistic Vulnerability Pimp</title>
		<link>http://chris.teodorski.com/2010/04/narcissistic-vulnerability-pimp/</link>
		<comments>http://chris.teodorski.com/2010/04/narcissistic-vulnerability-pimp/#comments</comments>
		<pubDate>Mon, 26 Apr 2010 02:21:44 +0000</pubDate>
		<dc:creator>Chris</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Me and My Big Ideas]]></category>

		<guid isPermaLink="false">http://chris.teodorski.com/?p=260</guid>
		<description><![CDATA[I have always held Verizon’s Business Security division in rather high regard, primarily because over the last several years I’ve found their Data Breach Investigations report a useful and very telling document.  I’m often in the situation in my career of explaining the “real” threat that X poses.  This document has always provided [...]]]></description>
			<content:encoded><![CDATA[<p>I have always held Verizon’s Business Security division in rather high regard, primarily because over the last several years I’ve found their Data Breach Investigations report a useful and very telling document.  I’m often in the situation in my career of explaining the “real” threat that X poses.  This document has always provided something for me to point at and say here is why you, Mr. BusinessMan, need to care about securing your enterprise.  Having Verizon’s name tied to it gave it some additional weight.</p>
<p>However, this morning I read the article entitled “<a href="http://securityblog.verizonbusiness.com/2010/04/22/redefining-security-researcher/#more-757">Redefining Security Researcher” by Wade Baker</a>.  In this blog posting the author suggests that the InfoSec community suffers from the “ridiculous yet long-standing inability to distinguish the good guys from the bad guys”.  I have several issues with Wade’s terminology and his logic.  </p>
<p>First, as Wade suggests, the headlines do often read “Security Researcher Breaks This” and “Security Researcher Exposes That”.  However, the author of the article or his/her editor picks that headline, not the “Security Researcher”.  Just like the television reporter gets to decide if the term “World’s Number One Hacker” appears underneath Gregory D. Evans when he mugs for CNN.  We in the industry have only limited influence over the terminology used.  A perfect example of this is the death of the term “cracker” and the changing of the word “hacker” to be synonymous with criminal.</p>
<p>Also, let’s not forget that even the Narcissistic Vulnerability Pimp is doing research.  It’s not like they have some secret vulnerability hole where they can pull vulnerabilities from.  While you might object to their methods of disclosure, that doesn’t mean that their efforts are due anything less than being called a “Security Researcher”.    They are in fact researching security issues.</p>
<p>Finally, as Wade points out in his later comments on the post, several analogies do fall flat when used to further explain disclosure.  Admittedly, no analogy is destined to be a perfect fit; however, I do feel that I’ve found an analogy that works well enough – bullet-proof vests.  Imagine someone discovered that a certain brand of 9mm ammunition could easily pierce a standard bullet-proof vest.  They contact the manufacturer and inform them that the vest fails to stop this particular brand of bullet.  The manufacturer says “we don’t believe that to be a real issue”.  How should this be handled?  Hundreds, perhaps thousands, of vests with this vulnerability are deployed in military, police, and civilian circles.  If the bad guys get wind of this, you can be sure this brand of bullet will become the round of choice.  I think the only responsible thing to do is go public with this information.  This allows each person to make an educated decision when they put on a vest – like wearing some additional layer of protection.  Hopefully the public outrage will force the vendor to look into the problem and fix the issue.</p>
<p>Vulnerability disclosure is a touchy subject and will always be a balancing act between being responsible and doing what is best to protect the consumer, allowing the consumer to make an educated decision about what software provides the level of security and functionality necessary to get the job done.</p>
]]></content:encoded>
			<wfw:commentRss>http://chris.teodorski.com/2010/04/narcissistic-vulnerability-pimp/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Mr. Deity Episode 4: Mr. Deity and the Messages</title>
		<link>http://chris.teodorski.com/2009/09/mr-deity-episode-4-mr-deity-and-the-messages/</link>
		<comments>http://chris.teodorski.com/2009/09/mr-deity-episode-4-mr-deity-and-the-messages/#comments</comments>
		<pubDate>Mon, 21 Sep 2009 01:26:18 +0000</pubDate>
		<dc:creator>Chris</dc:creator>
				<category><![CDATA[Atheism]]></category>
		<category><![CDATA[Me and My Big Ideas]]></category>

		<guid isPermaLink="false">http://chris.teodorski.com/?p=242</guid>
		<description><![CDATA[
These are too damn funny.  No idea why I&#8217;m just discovering these guys now&#8230;
]]></description>
			<content:encoded><![CDATA[<p><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/UaZDcS-rMf4&#038;hl=en&#038;fs=1&#038;"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/UaZDcS-rMf4&#038;hl=en&#038;fs=1&#038;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object></p>
<p>These are too damn funny.  No idea why I&#8217;m just discovering these guys now&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://chris.teodorski.com/2009/09/mr-deity-episode-4-mr-deity-and-the-messages/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>My lil&#8217; peanut</title>
		<link>http://chris.teodorski.com/2009/08/my-lil-peanut/</link>
		<comments>http://chris.teodorski.com/2009/08/my-lil-peanut/#comments</comments>
		<pubDate>Wed, 12 Aug 2009 02:02:39 +0000</pubDate>
		<dc:creator>Chris</dc:creator>
				<category><![CDATA[Me and My Big Ideas]]></category>

		<guid isPermaLink="false">http://chris.teodorski.com/?p=239</guid>
		<description><![CDATA[Here he/she is &#8212; the first public viewing of our new little peanut.  I think he/she has my eyes.

]]></description>
			<content:encoded><![CDATA[<p>Here he/she is &#8212; the first public viewing of our new little peanut.  I think he/she has my eyes.</p>
<p><img src="http://chris.teodorski.com/images/peanut.jpg" alt="lil peanut" /></p>
]]></content:encoded>
			<wfw:commentRss>http://chris.teodorski.com/2009/08/my-lil-peanut/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Building my security lab</title>
		<link>http://chris.teodorski.com/2009/05/building-my-security-lab/</link>
		<comments>http://chris.teodorski.com/2009/05/building-my-security-lab/#comments</comments>
		<pubDate>Wed, 20 May 2009 01:09:53 +0000</pubDate>
		<dc:creator>Chris</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Me and My Big Ideas]]></category>

		<guid isPermaLink="false">http://chris.teodorski.com/?p=228</guid>
		<description><![CDATA[So I&#8217;ve been slowly (that is VERY slowly) re-arranging my office to make some additional room for some additional computers.  My goal is to create a security lab that will allow me in my spare time to work on my web assessment/penetration skills.  My intention was to utilize either VMware or Sun&#8217;s Virtual [...]]]></description>
			<content:encoded><![CDATA[<p>So I&#8217;ve been slowly (that is VERY slowly) re-arranging my office to make some additional room for some additional computers.  My goal is to create a security lab that will allow me in my spare time to work on my web assessment/penetration skills.  My intention was to utilize either VMware or Sun&#8217;s VirtualBox to give me some additional flexibility and hopefully keep my electric bill somewhere below the GDP of Micronesia (which in case you are wondering is about 232 million USD).  Well, while poking around today, I found this great article that covers virtual appliances, with a specific focus on those that would be of interest to the security professional.  Now many of these would have nothing to do with my web application penetration testing, but they are still some pretty neat appliances.  It&#8217;s worth a read:<br />
<a href="http://www.tssci-security.com/archives/2009/03/18/virtual-appliances-for-the-security-professional/"><br />
Virtual appliances for the security professional</a></p>
]]></content:encoded>
			<wfw:commentRss>http://chris.teodorski.com/2009/05/building-my-security-lab/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why do you believe in god?</title>
		<link>http://chris.teodorski.com/2009/05/why-do-you-believe-in-god/</link>
		<comments>http://chris.teodorski.com/2009/05/why-do-you-believe-in-god/#comments</comments>
		<pubDate>Tue, 19 May 2009 02:09:01 +0000</pubDate>
		<dc:creator>Chris</dc:creator>
				<category><![CDATA[Atheism]]></category>
		<category><![CDATA[Me and My Big Ideas]]></category>

		<guid isPermaLink="false">http://chris.teodorski.com/?p=218</guid>
		<description><![CDATA[
]]></description>
			<content:encoded><![CDATA[<p><a href="http://chris.teodorski.com/wp-content/uploads/2009/05/17417233.gif"><img src="http://chris.teodorski.com/wp-content/uploads/2009/05/17417233-212x300.gif" alt="17417233" title="17417233" width="212" height="300" class="alignnone size-medium wp-image-225" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://chris.teodorski.com/2009/05/why-do-you-believe-in-god/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Wait, you want me to believe the National Organization for Marriage is just a bunch of bigots?</title>
		<link>http://chris.teodorski.com/2009/04/wait-you-want-me-to-believe-the-national-organization-for-marriage-is-just-a-bunch-of-bigots/</link>
		<comments>http://chris.teodorski.com/2009/04/wait-you-want-me-to-believe-the-national-organization-for-marriage-is-just-a-bunch-of-bigots/#comments</comments>
		<pubDate>Tue, 21 Apr 2009 01:17:17 +0000</pubDate>
		<dc:creator>Chris</dc:creator>
				<category><![CDATA[Me and My Big Ideas]]></category>

		<guid isPermaLink="false">http://chris.teodorski.com/?p=194</guid>
		<description><![CDATA[
Okay, when you put it that way, I guess they just might be.  Great job Redditors!
http://blog.reddit.com/2009/04/redditors-receive-homo-heros-honor-for.html
]]></description>
			<content:encoded><![CDATA[<p><object width="425" height="349"><param name="movie" value="http://www.youtube.com/v/ZC4B4LknF90&#038;border=1&#038;color1=0x6699&#038;color2=0x54abd6&#038;hl=en&#038;feature=player_embedded&#038;fs=1"></param><param name="allowFullScreen" value="true"></param><embed src="http://www.youtube.com/v/ZC4B4LknF90&#038;border=1&#038;color1=0x6699&#038;color2=0x54abd6&#038;hl=en&#038;feature=player_embedded&#038;fs=1" type="application/x-shockwave-flash" allowfullscreen="true" width="425" height="349"></embed></object></p>
<p>Okay, when you put it that way, I guess they just might be.  Great job Redditors!</p>
<p><a href="http://blog.reddit.com/2009/04/redditors-receive-homo-heros-honor-for.html">http://blog.reddit.com/2009/04/redditors-receive-homo-heros-honor-for.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://chris.teodorski.com/2009/04/wait-you-want-me-to-believe-the-national-organization-for-marriage-is-just-a-bunch-of-bigots/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Would Jesus NOT Do?</title>
		<link>http://chris.teodorski.com/2009/04/what-would-jesus-not-do/</link>
		<comments>http://chris.teodorski.com/2009/04/what-would-jesus-not-do/#comments</comments>
		<pubDate>Sat, 18 Apr 2009 00:23:14 +0000</pubDate>
		<dc:creator>Chris</dc:creator>
				<category><![CDATA[Atheism]]></category>
		<category><![CDATA[Me and My Big Ideas]]></category>

		<guid isPermaLink="false">http://chris.teodorski.com/?p=191</guid>
		<description><![CDATA[
]]></description>
			<content:encoded><![CDATA[<p><object width="445" height="364"><param name="movie" value="http://www.youtube.com/v/zOfjkl-3SNE&#038;hl=en&#038;fs=1&#038;rel=0&#038;border=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/zOfjkl-3SNE&#038;hl=en&#038;fs=1&#038;rel=0&#038;border=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="445" height="364"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://chris.teodorski.com/2009/04/what-would-jesus-not-do/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>I want a debaptism certificate</title>
		<link>http://chris.teodorski.com/2009/04/i-want-a-debaptism-certificate/</link>
		<comments>http://chris.teodorski.com/2009/04/i-want-a-debaptism-certificate/#comments</comments>
		<pubDate>Thu, 16 Apr 2009 00:50:35 +0000</pubDate>
		<dc:creator>Chris</dc:creator>
				<category><![CDATA[Atheism]]></category>
		<category><![CDATA[Me and My Big Ideas]]></category>

		<guid isPermaLink="false">http://chris.teodorski.com/?p=188</guid>
		<description><![CDATA[I knew I missed something when I was in the UK.  I missed an opportunity to purchase a Certificate of Debaptism from the National Secular Society.
Debaptism Certificate
]]></description>
			<content:encoded><![CDATA[<p>I knew I missed something when I was in the UK.  I missed an opportunity to purchase a Certificate of Debaptism from the National Secular Society.</p>
<p><a href="http://www.secularism.org.uk/shop.html?category=merchandise%2F940">Debaptism Certificate</a></p>
]]></content:encoded>
			<wfw:commentRss>http://chris.teodorski.com/2009/04/i-want-a-debaptism-certificate/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why must you be so mean?</title>
		<link>http://chris.teodorski.com/2009/04/why-must-you-be-so-mean/</link>
		<comments>http://chris.teodorski.com/2009/04/why-must-you-be-so-mean/#comments</comments>
		<pubDate>Wed, 15 Apr 2009 00:19:25 +0000</pubDate>
		<dc:creator>Chris</dc:creator>
				<category><![CDATA[Atheism]]></category>
		<category><![CDATA[Friends]]></category>
		<category><![CDATA[Me and My Big Ideas]]></category>

		<guid isPermaLink="false">http://chris.teodorski.com/?p=183</guid>
		<description><![CDATA[My good friend Sunil asked me the other day why I was so harsh on religion.  If I remember the timing correctly he was responding primarily to the &#8220;Crazy vs Religious&#8221; cartoon I posted below.  Sam Harris summed it up for me very well in the video below, but I&#8217;d like to paraphrase. [...]]]></description>
			<content:encoded><![CDATA[<p>My good friend Sunil asked me the other day why I was so harsh on religion.  If I remember the timing correctly he was responding primarily to the &#8220;Crazy vs Religious&#8221; cartoon I posted below.  Sam Harris summed it up for me very well in the video below, but I&#8217;d like to paraphrase.  If I came to you and insisted that there was inside of me a giant invisible machine powered by invisible winged monkeys that generated the very energy that kept all of life going, you would dismiss me as a crazy person.  This is a totally rational response to what I have claimed.  Unless I can provide some shred of evidence, I should be dismissed as a kook.  However, religion is given a pass when it comes to rational thought.  Challenge religion to produce any evidence of its claims and suddenly you are guilty of oppression and religious intolerance.  Claiming that a man walked on water, or rose from the dead, or flew off into the sky on a winged horse, or parted the sea is no less crazy than my winged monkeys who drive the giant love engine.  As I&#8217;ve said before, how can we as a rational animal be expected to advance, when we insist on bringing the boogey man from the past along with us?</p>
<p>As long as religion continues to attempt to change laws or prevent archaic laws from being changed (like preventing two consenting adults from legally marrying), I will speak harshly of religion.  As long as religion keeps attempting to prevent birth control from being taught in schools or preventing condoms from being distributed to a continent whose population is being decimated by AIDS, I will continue to speak harshly of religion.</p>
]]></content:encoded>
			<wfw:commentRss>http://chris.teodorski.com/2009/04/why-must-you-be-so-mean/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Chris &#8220;hearts&#8221; Sam Harris</title>
		<link>http://chris.teodorski.com/2009/04/chris-hearts-sam-harris/</link>
		<comments>http://chris.teodorski.com/2009/04/chris-hearts-sam-harris/#comments</comments>
		<pubDate>Tue, 14 Apr 2009 22:35:55 +0000</pubDate>
		<dc:creator>Chris</dc:creator>
				<category><![CDATA[Atheism]]></category>
		<category><![CDATA[Me and My Big Ideas]]></category>

		<guid isPermaLink="false">http://chris.teodorski.com/?p=179</guid>
		<description><![CDATA[Hugh Hewitt vs Sam Harris. Uploaded by apologetics
]]></description>
			<content:encoded><![CDATA[<div><object width="480" height="381"><param name="movie" value="http://www.dailymotion.com/swf/x5afgu_hugh-hewitt-vs-sam-harris_tech&#038;related=1"></param><param name="allowFullScreen" value="true"></param><param name="allowScriptAccess" value="always"></param><embed src="http://www.dailymotion.com/swf/x5afgu_hugh-hewitt-vs-sam-harris_tech&#038;related=1" type="application/x-shockwave-flash" width="480" height="381" allowFullScreen="true" allowScriptAccess="always"></embed></object><br /><b><a href="http://www.dailymotion.com/video/x5afgu_hugh-hewitt-vs-sam-harris_tech">Hugh Hewitt vs Sam Harris</a></b><br /><i>Uploaded by <a href="http://www.dailymotion.com/apologetics">apologetics</a></i></div>
]]></content:encoded>
			<wfw:commentRss>http://chris.teodorski.com/2009/04/chris-hearts-sam-harris/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
