Subject: Re: The lack of hard questions - msg#00000
List: security.dailydave
Hey folks – we're here, watching this thread. Send us your questions,
either directly to msrcteam@xxxxxxxxxxxxx or to the list. We'll answer
them here: blogs.technet.com/ecostrat in a future post.
From:
dailydave-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:dailydave-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Dave Aitel
Sent: Tuesday, August 26, 2008 2:02 PM
To: security curmudgeon
Cc: dailydave
Subject: Re: [Dailydave] The lack of hard questions
I didn't get to see the talk,
so I'm not sure what questions you asked and what the answers were. Of course,
you can feel free to ask them here. Peer review isn't a static thing.
-dave
On Tue, Aug 26, 2008 at 4:48 PM, security curmudgeon <jericho@xxxxxxxxxxxxx> wrote:
: Secure the Planet! New Strategic Initiatives from Microsoft to Rock Your
: World *Mike Reavey, Steve Adegbite, Katie Moussouris*
: https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf
:
: Obviously my favorite part is the slide with CANVAS. :> But I think it's
: interesting that Microsoft is doing this stuff and I don't think people
: have asked them the hard questions about it yet. Also, those are quite
: cool caricatures.
Their "hard questions" in the slides were far from hard. I think you had
left the room, but I went to the mic and asked them ~ 10 hard(er)
questions. They answered a few, 'no commented' one and evaded a few. These
were questions that came to mind while they gave their presentation, and
the general lack of serious questions and putting them on the spot
afterwards was a huge disappointment.
I left BlackHat feeling that one of the purposes of BH (and DC) was to
give the audience a chance to ask real questions, not the fluff questions
that we see more and more each year. The audience has turned from a
skeptical crowd into a passive herd, accepting anything presented,
regardless of accuracy or sanity.
I had to leave early on Saturday but I was told that Reavey, Adegbite
and/or Moussouris wanted to speak with me because of the questions I
asked. If any of you are reading this list, feel free to mail me if you
had questions about my questions or skepticism. And no, I held back a few
questions as they were cheap shots at the presenters/Microsoft but
underscored the basis for some skepticism. After one comment Steve made to
me in front of the audience, I should have let loose. Sometimes it doesn't
pay to be a good guy. =)
- security curmudgeon
_______________________________________________
Dailydave mailing list
Dailydave@xxxxxxxxxxxxxxxxxxxxx
http://lists.immunitysec.com/mailman/listinfo/dailydave
Next Message by Date:
Re: The lack of hard questions
But the problem is, if there are only a handful of people who can make
a reliable exploit for a particular vulnerability (or not) and none of
them work for MS, how can MS accurately determine whether an exploit
for a particular vulnerability will be somewhat reliable or totally
reliable (or not possible at all)? Doesn't anyone remember gobbles :)
On Aug 27, 2008, at 4:55 PM, Valdis.Kletnieks@xxxxxx wrote:
> On Wed, 27 Aug 2008 09:05:42 EDT, Pusscat said:
>> My assumption would be that if it can be made reliable by anyone,
>> then it's
>> reliable. It probably shouldn't be a quantum value, collapsed by our
>> inability ;)
>
> Yes, it only has to be weaponized once.
Next Message by Thread:
Re: The lack of hard questions
Mike Reavey writes:
-+-----------------
| Hey folks - we're here, watching this thread. Send us your
| questions, either directly to msrcteam@xxxxxxxxxxxxx or to the
| list. We'll answer them here: blogs.technet.com/ecostrat in a
| future post.
One question I've always wanted to know is
based on partial knowledge on my part.
As I recall the story -- and this is subject
to correction -- back when one CD's worth of
Windows source was posted on the Internet
new exploits began appearing in perhaps a
fortnight. That was interesting inasmuch as
it proved that amateurs could do it via source
analysis and, which is more, this is about the
time when MSFT began providing source to a
number of governments as part of the monopoly
defense -- including countries that had (have)
competent national laboratories, e.g., Russia.
So my questions: what sort of vulns do you get
back from foreign governments and, assuming
that they don't share except with you, how
often is what those governments discover
previously unknown, how often are the vulns
that are discovered discovered independently,
and do you ever see exploits of vulns that
have only been identified by governments
(and do those exploits correlate with the
nature of who is doing the discovering)?
A white paper on your efforts to avoid being
a vector of cyber warfare would serve, should
one be handy.
In respect,
--dan