[funsec] DefCon 'Race to Zero'
gdead at shmoo.com
Fri Apr 25 21:49:37 CDT 2008
On Apr 25, 2008, at 8:05 PM, Paul Ferguson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> - -- Colin Keigher <colin at afreak.ca> wrote:
>> And yet the general public still unknowingly gets malware by
> applications that let them have free MP3s or whatever they want today.
> Defcon can allow proper exposure on this subject.
> Proper exposure?
> I'm sorry, but if people don't already realize that their behavior
> is already dangerous by reading the plethora of data, articles,
> research, blogs, etc. that is available, some controversial contest
> to write "stealthy" malware at DefCon ain't gonna do it either.
Honestly, I think it's sad that everyone is scared of talking about/
building/demo-ing 0day these days. 10 years ago you could go to any
security/hacker con and several talks would be revealing some new vuln/
exploit. IMO, that's changed dramatically due to several reasons:
- the increased value of 0day information has driven out the casual
researcher and turned many of them into employees or consultants.
Disclosing 0day at a conference rather than having a customer pay for
it can have a big impact on someone's wallet.
- The fear of being sued or arrested. Various laws and civil cases
have had a chilling effect (see wendy seltzer's work on this) on the
research community. Sklyerov et al spooked everyone and convinced
many that it's just not worth the hassle anymore.
- MS et al have hijacked the discussion of responsible disclosure.
They have very carefully crafted the message in way that implies that
if you don't agree with them and their definition of "responsible
disclosure" then you must be against making things more secure and
really be a malicious hacker at heart.
I find the whole situation offensive. We are WAY too polite about
discussing vulnerabilities in public right now. The ppl attacking us
aren't ashamed to share information, and we shouldn't be either.
Unfortunately, as a community, there's a self-imposed gag order in
place that basically says "if you drop 0-day, you are evil"
Just because you don't talk about something, doesn't mean it's not
there... that's been a core tenant of security research for a long
time. That's why we have concepts like full-disclosure and that's why
many conferences were originally created. More power to the contest
organizers for encouraging public discourse about the state of
> - - ferg
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.6.3 (Build 3017)
> -----END PGP SIGNATURE-----
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> ferg's tech blog: http://fergdawg.blogspot.com/
> Fun and Misc security discussion for OT posts.
> Note: funsec is a public and open mailing list.
More information about the funsec