Michael (LV) over at
terminal23
hits the nail right on the head with the latest
articles and
blog
posts
regarding full disclosure and responsible disclosure. I'd rather hear
from the community about a new security vulnerability than wait for a
vendor to respond and come up with a fix. All the while, that same
vulnerability may already be under exploitation by somebody else. When I
know about a new security vulnerability, be it a 0day or one that's
still unpatched, I can at least plan on using other layers (you are
practicing defense in depth, aren't you?) of security to mitigate it.
Even better would be for everyone to stop researching security
vulnerabilities altogether... black hats, white hats, you name it! But
then we'd all have to find a new career... and it's a totally
unrealistic goal right from the start. There will always be someone
finding security holes, and if one "responsible" researcher can find
one, you can bet there is someone else who knows as well, with an
entirely different intent.
These latest discussions remind me of the
controversy
with Michael Lynn, Cisco and Black Hat back in 2005. My favorite is this
quote from Schneier's
blog:
Full disclosure is good for society. But because it helps the bad
guys as well as the good guys (see my essay on secrecy and
security for
more discussion of the balance), many of us have championed
"responsible
disclosure"
guidelines that give vendors a head start in fixing vulnerabilities
before they're announced.
The problem is that not all researchers follow these guidelines. And
laws limiting free speech do more harm to society than good. (In any
case, laws won't completely fix the problem; we can't get laws
passed in every possible country security researchers live.) So
the only reasonable course of action for a company is to work with
researchers who alert them to vulnerabilities, but also assume that
vulnerability information will sometimes be released without prior
warning.
A colleague of mine once compared Michael Lynn and responsible
disclosure to the medical/pharmaceutical industry. It's not always the
case, but I find the comparison insightful; I would like to hear any
research a doctor has about an Rx with potentially dangerous,
undisclosed side effects... wouldn't anybody?
Posted by Marcin on Friday, January 5, 2007 in
Security.
As some of you know, I should be (hopefully) graduating this August.
I'll be taking a couple classes this summer to finish up the credits I
need and finally graduate. I've been thinking more and more about some
entry-level security certifications but am not sure whether it would be
worth pursuing right now.
What do you guys think of the SANS GIAC Security Essentials
Certification
(GSEC)? I know certifications are hit or miss with many people, and a
lot of certifications seem to be worth less than the paper they are
printed on. Any advice for a graduating college student taking the
certification path? And for anyone who's taken the test, what study
materials do you recommend?
I'd like to finish this post by congratulating Martin
McKeay
for earning his SANS GIAC Systems and Network
Auditor (GSNA)
certification. Way to go! :)
Posted by Marcin on Friday, January 5, 2007 in
Security.
With the recent
vulnerabilities
in Adobe Acrobat/Reader and reported exploits, I just want to point you
all to a free, light-weight self-executable PDF reader for Windows:
Foxit Reader 2.0.
It's super fast for simple text PDFs; however, it sometimes has issues
and slows down to a crawl when working with large, graphically
complicated PDFs (like those damn product brochures from various vendors
who shall remain nameless). Oh, and also... there have been no reported
vulnerabilities or exploits out there for it (that doesn't mean it's
fully secure, but it's a pretty good track record so far).
My recommendation would be for everyone to use Foxit as their default
reader and in Adobe Acrobat and Reader remove unneeded plugins and
disable vulnerable settings such as:
- "Automatically detect urls in text"
- "Display PDFs in browser windows"
- "Allow documents to open other files and launch other applications"
- "Allow multimedia operations"
Posted by Marcin on Thursday, January 4, 2007 in
Security.
I couldn't take it anymore, so I bit the bullet and bought a ticket to
ShmooCon for $150. Next thing I need to
arrange are hotel accommodations. Wardman Park Marriott is too expensive
for us poor college students, so I'll be looking into getting a room
somewhere else for cheap. Luckily, Shmoo created the
ShmooCon-roommate
mailing list for people looking to save some $$$ on their stay in
Washington, D.C. March will be fast approaching and the sooner things
are taken care of, the better.
Once a schedule is posted up (sometime in February), it'd be cool to
arrange a get-together of attending bloggers from Security Bloggers
Network. Who's interested?
Posted by Marcin on Tuesday, January 2, 2007 in
Security.
Happy New Year everyone! I had a great night with my friends and a lot
of unneeded drama, but oh well. I'm disappointed I wasn't able to snag
ShmooCon tickets for $75; they sold out in under three minutes! I'm
still organizing a trip with several other students from my school, I
just need to know who's definitely in and who's not. E-mail me if you
are truly interested.
We had "Predictions of 2007," let's hear some Resolutions! I made some
New Year's resolutions for 2007 and I hope to keep them this time. Here
are a couple of mine:
- Finish books I start. During a semester I will be reading anywhere
from 5-10 books. I hope to do this by reading one chapter per week
per book. [I have no idea how, but Richard
Bejtlich
from TaoSecurity reads so many books (52 in 2006); hopefully he can
give some tips! edit: Ask and we shall
`receive <http://taosecurity.blogspot.com/2007/01/reading-tips.html>`_... that
was quick, thanks Richard!]
- Rid myself of Windows dependence! Currently I run Windows XP Pro on
my workstation, Ubuntu on my laptop, and Slackware on my home server.
I will run Slackware as my desktop OS and also turn an Alpha
Workstation (thanks Chad!) into an OpenBSD server.
- Live securely. Ideas from
Bejtlich
again, how many of you do not always practice what you preach? To
whoever is running Windows at home, does YOUR user account have
administrator privileges? I don't know how people will take this (I
want to hear your opinions), but I will admit my Windows user account
had administrator privileges. I don't see it so much as hypocrisy; I
have just been too lazy and frustrated with programs that require
them.
- Live healthy and continue exercising daily. In 2006, I lost 32 lbs and
feel 100x better than I ever did before. I find my energy throughout
the day is greater when I eat well, exercise and get enough sleep. I
can free my mind and take out some aggression at the gym and I think
more clearly than I did before. My advice to anyone looking to lose
weight this year: eat healthy and divide food into portions. Abs are
made in the kitchen, and like anything else in life, too much of a
good thing is bad for you.
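A quick way to answer the "does YOUR user account have administrator privileges?" question for yourself, as an added example that is not part of the original post: this PowerShell snippet reports whether the current session holds administrator rights and then lists who is in the local Administrators group. It assumes PowerShell is installed (1.0 or later). One caveat: on Vista and later with UAC turned on, the role check reflects whether the current token is elevated, so an administrator account in a normal, non-elevated window will report as a standard user; the group listing at the end shows actual membership regardless.

```powershell
# Added example (not from the original post): report whether the current
# Windows session is running with administrator rights, then list the
# members of the local Administrators group.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

# IsInRole checks the token of the running session. Under UAC a filtered
# (non-elevated) token will answer $false even for an admin account.
if ($principal.IsInRole($adminRole)) {
    Write-Output "$($identity.Name) is running with administrator privileges."
} else {
    Write-Output "$($identity.Name) is running as a standard user in this session."
}

# Group membership is independent of elevation. 'net localgroup' exists on
# every Windows version, so it needs no extra modules.
net localgroup Administrators
```

If your everyday account shows up in that group listing, the fix the post is aiming at is to create a separate administrator account and demote the daily-use one to a standard user, elevating only when a program really needs it.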
Let's hear some of your resolutions, and again, Happy New Year and I
hope 2007 will be even better than last year for everyone. :)
Posted by Marcin on Monday, January 1, 2007 in
News,
School and
Security.