Shostack + Friends Blog Archive


Glad to be a perfect straight man

In his response to my comments on vulnerability hunting, Pete Lindstrom discusses four ways to make things better:

  1. Legislate/enforce the law
  2. Buy exploits now and then
  3. Create Software security data sheets
  4. More honeypots

I don’t think that (1) actually helps. More laws against finding vulns makes life harder for the good guys, by moving information flow back underground. Were we better off in the days of Zardoz? It would move the mailing lists and web sites offshore, not slow down the rate of finding things.

(2) would seem to help, but Immunity is already doing it. Is that helping?

(3) I really like. Better data from software authors is good.

(4) I’m not sure I understand.

Pete also says:

I don’t see any reason that exploit code would cease to exist, the volume and proliferation would just slow down. Of course, I certainly wouldn’t lose sleep if there were no exploits anymore. Ultimately, the existence of these host intrusion prevention products is what makes my opinion stronger – because there are solutions that don’t rely on signatures of known attacks.

I certainly would lose sleep, because without easy access to exploit code, we don’t see exchanges like this. Without such commentary, how can we decide if our tools work?

2 comments on "Glad to be a perfect straight man"

  • Pete says:

    – I generally agree with your comment about (1) though wouldn’t rule it out given the state we are in. I also think that your dislike of (1) points to disbelief that (4) is effective.
    – It is important to note that (2) is not “now and then,” it is with very specific constraints – time and focus on software.
    – (3) is my favorite as well.
    – (4) is meant to portray a complete alternative to vulnerability management – that of threat monitoring and identifying “zero-day” whatevers.
    – I don’t think you get my point about non-existent exploit code. With non-existent exploits, we don’t >need

  • adam says:

    So it seems to me that you’d like to trade fewer script kiddies for more intensive analysis of the attacks that happen?
    Last I heard, analysis took hours per minute of hacker technical activity. (1st Ed honeypot book.) Has that fallen substantially?
    Our tools need to work because attack code exists. If it exists publicly, so we can study it, and enable script kiddies to use it, we can test more easily. If we drive the code underground, then we rely on honeypots, and the analysis that comes from them. Lots of high-transaction costs for the good guys.
    Are we going to be more effective at stamping out sploit code than we’ve been at stamping out, say, heroin? Because if we’re not, I think its a bad trade.

Comments are closed.