
aliases

  • Thomas Ptacek
  • tqbf
  • Thomas H. Ptacek

Thomas Ptacek

2 weeks ago

in Ruby for Pentesters: A ViewState (de)serializer on Matasano Chargen
We're working on writing security blog walk-and-talks now. You want us on that wall. You need us on that wall!

2 weeks ago

in Ruby for Pentesters: A ViewState (de)serializer on Matasano Chargen
You know, it's not like I just made "varied sentence length" and "bullet lists" up.

1 month ago

in Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong! on Matasano Chargen
It's assumed that a lot of SSO tokens are encrypted and are therefore a good excuse to talk about why generalist programmers shouldn't be directly working with AES.

1 month ago

in Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong! on Matasano Chargen
You would never use a straight ASCII string as a crypto key. The hash gives you 128 bits of key material to use.
1 reply

Nate: Well, the question is valid. You could just zero-pad the password string and use it as a key instead of hashing it. Hashing never adds entropy, merely discards a little and shuffles it around equally.

But, it feels wrong, doesn't it? Your password sitting at the left side of the buffer, a bunch of zeros on the right... Could this be a problem? In some cases, YES.

If you were using AES, you'd be fine. Its key scheduling algorithm is good at handling all manner of keys. But if this was RC4, you just recreated the same problem as WEP.

1 month ago

in Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong! on Matasano Chargen
I don't think Coding Horror wants the attribution.

11 months ago

in Regarding The Post On Chargen Earlier Today on Matasano Chargen
Thanks, John. We appreciate it. Right now, we're just keeping our heads in the game and busting up the software in our projects. It's cathartic.

11 months ago

in What I’ve Been Doing On My Summer Vacation or, “It has to work; Otherwise gdb wouldn’t” on Matasano Chargen
The irony is, the rap on me is that I write too much in C!

There's a zillion great reasons to have a debugger in a high level language, starting with "you can write a special-purpose debugger for a new project in 5-10 minutes".

11 months ago

in Regarding The Post On Chargen Earlier Today on Matasano Chargen
The post was up for far less than that.

11 months ago

in Regarding The Post On Chargen Earlier Today on Matasano Chargen
Matt:

The goal, once I saw Halvar's post, was to wait for Dan's imminent confirmation (we expected a blog post from him) and post then.

I was surprised that Dan continued to keep it quiet after Halvar posted, and even more surprised to see our draft had been published. It was a worst-case scenario for us.

There are a lot of things I could have done differently to keep us out of this story, almost all of which I wish I did.

11 months ago

in Regarding The Post On Chargen Earlier Today on Matasano Chargen
Joey, it sucks that you think that, and I have no illusions that I'm going to change your mind. But I'm going to come back at you on the "bashing Kaminsky" comment, because it's not true. Did I doubt Dan had a real new vulnerability, and not just a clever new exploit? Absolutely. Did I get set straight? Yes. I've respected Dan since his talk at Black Hat in '04 when he stored files in DNS caches.

I think Dan has a right to feel like he took flak from me even after telling me what the vuln was. At this point, I've fumbled any moral authority I have to persist in those arguments. But I didn't make them to hurt Dan's feelings. He retains what is likely to be the best talk at Black Hat, though it's his business to tell you why.

11 months ago

in Regarding The Post On Chargen Earlier Today on Matasano Chargen
It was a Black Hat presentation about our work on virtualized rootkit detection. It was certainly intended to gather press. That's a big part of why people do Black Hat presentations.

You don't have to take our word for it or give us the benefit of the doubt, though: the slides from our talk are online, and they're pretty detailed:

http://www.matasano.com/log/925/slides-from-vt-...

11 months ago

in Regarding The Post On Chargen Earlier Today on Matasano Chargen
In what sense? Peter, Nate, and I, both together and independently, spent months working on virtualized rootkit detection, based in part on a virtualized rootkit prototype built at Matasano. It was not an easy project. Joanna had the only other known virtualized rootkit besides Dino's. The only thing I'd have done differently at Black Hat '07 is change the title of the talk; nobody got the joke.

What would I have done differently here? Almost everything.

11 months ago

in Regarding The Post On Chargen Earlier Today on Matasano Chargen
Thankfully, Max and the Playbook team have been drunk with Playbook for a while now, and far away from this debacle.

11 months ago

in Regarding The Post On Chargen Earlier Today on Matasano Chargen
I'd gladly trade all of this press for none of this press, jf, but we deserve the hits we're taking.

11 months ago

in Regarding The Post On Chargen Earlier Today on Matasano Chargen
Erin's a team member here, yes. She's also my wife. This issue has basically nothing to do with her judgement, and everything to do with Jeremy's and mine.

11 months ago

in Regarding The Post On Chargen Earlier Today on Matasano Chargen
I asked to get a post queued up in anticipation that the story would break yesterday, after Halvar published in the morning. The intent was for it to go live once Kaminsky confirmed Halvar. Among other things, I did two things I regret:

(1) We staged the post on the blog; when we proofread it, we were playing Russian roulette with the WordPress UI to keep it "Unpublished".

(2) I decided that once the information was "in play" (confirmed by Kaminsky), it was open season. We have a huge audience, and we should have let it hit Kaminsky before we chimed in.

11 months ago

in Regarding The Post On Chargen Earlier Today on Matasano Chargen
Dan: I know what you mean about that. I had the same experience with Mudge, San Mehat, and Ramsey Dow, back in the '90s. And every time I've ever underestimated some 19-year-old --- pretty much every time --- I've gotten depantsed as a result.

11 months ago

in Regarding The Post On Chargen Earlier Today on Matasano Chargen
Ulysses: I think those are all good points. I was overeager with this story.

11 months ago

in Regarding The Post On Chargen Earlier Today on Matasano Chargen
Dan: duly noted. The irony isn't lost on me.

11 months ago

in Regarding The Post On Chargen Earlier Today on Matasano Chargen
I just thought maybe you wouldn't want it all here, Dan. But if you object, I'll delete the request.

11 months ago

in Regarding The Post On Chargen Earlier Today on Matasano Chargen
Everyone:

We're in a bit of a tight spot here. We can't moderate comments piecemeal, so anyone who's posted something here before can post now. We don't want to turn off comments on this post, because it's really helping us to hear how people are handling this.

But we don't want to make things worse than how they already are. There are other blogs talking about technical details now. Can I ask a favor of all of you not to make our comment threads, which are almost always better than our posts, the epicenter for distributing DNS info today?

11 months ago

in What I’ve Been Doing On My Summer Vacation or, “It has to work; Otherwise gdb wouldn’t” on Matasano Chargen
freno --- that is indeed a good blog post, but Jamis is using GDB to inspect processes. Timur's job was to write GDB.

11 months ago

in What I’ve Been Doing On My Summer Vacation or, “It has to work; Otherwise gdb wouldn’t” on Matasano Chargen
I don't think he is; there was some, um, controversy in the office about whether he could get it working with "just" procmod, and he had wound up in a sudo irb to test.

11 months ago

in So… How Do I Manage It? on Matasano Chargen
There will eventually be public playbook pricing, on the website, where everyone can see it. We're just shy.