Rediscovery and Security News

First things first: Happy 2012 everyone.

So, this blog has been silent for a little while now. More astute readers might argue along the lines of “hey man! This is supposed to be a technical blog – where are all them technical articles? Have you ran out of material?”.

Take a deep breath, the dreaded, almost compulsory metablogging block after a long pause is coming …

The answer is a big NO! There is an abundance of material that I am proud of BUT a lot of this research has been done while solving problems for paying clients. The problem can be refined as “how do you tip-tap-toe around NDAs and do you choose to do so?”. Smart money says not to do it, so I am not. Keep this point in mind for the latter part of this post.

One of the design decisions for this rebooted blog was that it should confer an era of positivity, at least by security and research standards, which is not the happiest of domains. So, for better or worse, I decided to bottle the acid for some time, even if that meant leaving gems such as the following (courtesy of a well known mailing list) untouched:

I have problems with those that create malware – under the guise of
“security research” – which then gets used by the bad guys.

I’m not saying that one can never stop breaking into things. I just
don’t like the glorification of creating malware by the so-called
“good guys”. If all of that energy instead was placed into prevention,
then we would be better off.

[SNIP]
P.S. One might argue that a whitehat or security researcher can’t
change sides and go into prevention, or in other words, be a Builder
instead of a Breaker. They can’t because they don’t have the skills to
do it.

Finished picking your jaw off the floor? Good! While Cpt. Obvious is on its way with the usual “vuln != exploit != malware” reply, let’s get things moving with a pet peeve of mine that I have not seen addressed.

Almost every time a new security trend comes out, there is nary a hint that this might have been discovered some place else or sometime before. Given that security overlaps a lot with cryptography, I just cannot get around my head around the fact while rediscovery is a well accepted notion within the cryptography field (and this has been proved time and time and time again) that while something you are “discovering” might have been discovered (and countered!) before.

Enter infosec, an ecosystem where NDAs are ten-a-penny, the underground is more tight-lipped than ever, the general consensus is that confidentiality is a necessity and where a lot of “discoveries” are handled either via the black-market (and lack of morals implied therein) or via security brokers. It was all fine and dandy but the introduction of both fame-seeking researchers and “researchers” as well the very fact that infosec makes for entertaining and sensationalist headlines that actually “sell seats in the audience” and everyday we are constantly bombarded with “news” and “research” (use of quotes intentional if you haven’t guessed already) where it can fall into one of the following categories:

  • News from the obvious department. This one is getting more and more annoying lately but it is much too obvious a target
  • Less obvious stuff that falls below the radar of cargo-cult security but still way more likely to have been encountered in the field by serious practitioners who fall into one of the non-disclosure categories listed above
  • Actual new and/or insightful findings, which tend to be lost within the sea of useless information, the stuff that REALLY makes your day
  • Since there is a very fine line between 2 and 3 (again, 1 is way too easy of a target to make fun of or suggest anything) and one can never be sure in such a rapidly and secretive landscape, for the love of $DEITY, next time see something related to infosec findings, keep in the back of your head that this might be a rediscovery and dear reporters, PLEASE DROP THE SENSATIONAL HEADLINES.

    I am not holding my breath that this will ever happen but one can only hope …

    PS:
    Finally, an image courtesy of blackhats.com infosuck webcomic. Not exactly the point that I am trying to convey but the message is quite similar and in any case it is much too funny to be left outside the party.

    Leave a Reply

    Your email address will not be published. Required fields are marked *