Richard Bejtlich
1 year ago
in Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes on Matasano Chargen
Posts and comments like these are the reason why Matasano is the King of Technical Blogs.
2 years ago
in Questions for StillSecure About Cobia on Matasano Chargen
http://cobia.stillsecure.com/?q=node/132
"Is Cobia open source?
The definition of “open source” is evolving as companies create new licenses or add “riders” to OSI licenses such as the GPL. Some believe that open source means it must be one of the OSI compliant licenses (GPL, Mozilla, Apache, etc.). We’ve found what is most important to a majority of open source software users is that open source software is free of charge and includes easy access to source code. Cobia software meets these requirements through our community license structure."
Replace that with:
"Is Cobia open source?
No."
That will make a lot of people happier.
2 years ago
in Take Me Off Your List! on Matasano Chargen
As I alluded to in my post on this ridiculous list, I was actually contacted by the author (who is unnamed at itsecurity.com) for my "review" for "glaring omissions." I told him I didn't want any part of his list. You can see previous work of his here.
2 years ago
in When Did Denial Of Service Attacks Stop Being Vulnerabilities? on Matasano Chargen
Tom, right on. This is another example where lack of agreement on even the most basic terms makes digital security a joke compared to older disciplines. If we can't agree on CIA as defining security, I think the situation is hopeless.
2 years ago
in Boston’s BeanSec 2 is TONIGHT at 6PM on Matasano Chargen
Someone please explain the Billerica reference. I grew up there! :) I almost fell out of my chair when I read this.
2 years ago
in “Attackers are smart, you are not.” is a bad message on Matasano Chargen
I think the complexity or at least the size of the attack and vulnerability set is beginning to overwhelm the capacity of many security shops. They can't keep up. Many security managers are completely out of touch with modern attacks. They are stuck in the days when buffer overflows were novel.
The best approach may be exposing the defenders to these attacks through conferences like Black Hat and CanSecWest, and blogs like Matasano Chargen, of course. :)
2 years ago
in Information Security: The End Of The Wild West on danielmiessler.com | grep understanding
If security were measured by deploying a single service and keeping it compromise-free for 2 years, we're already there. Plenty of Unix services (and even operating systems) can survive/have survived for a lot longer without compromise.
The problem is:
1. The threat is always growing in number, becoming smarter, and more creative.
2. The number of assets as targets continues to grow and the type of assets is constantly changing. Think cell phones, Blackberrys, etc.
3. Vulnerabilities are growing with complexity, lines of code, and feature sets.
I agree that those "with average skills and little interest in the field" will lose ground, but not because security will improve overall. Security may improve for specific cases, but overall we are still in trouble. Like a previous comment, I expect to stay busy for the next 50 years.
2 years ago
in Bejtlich Considered Wrong (For A Change) on Matasano Chargen
External intruder ("outsider") scenario:
1. Outsider attacks and compromises victim.
2. Victim recovers, outsider remains at large.
3. Return to step 1, except add to the number of outsiders.
Internal intruder ("insider") scenario:
1. Insider attacks and compromises victim.
2. Victim recovers, and removes insider.
3. The insider population has decreased. Until a new malicious insider is hired, the threat has actually decreased -- as opposed to the external intruder scenario.
2 years ago
in Bejtlich Considered Wrong (For A Change) on Matasano Chargen
I've worked $10 million dollar external attacker incidents. How's that for quantifiable damage?
I am not confusing threats with countermeasures. When I say remove the internal threat, I literally mean remove the internal threat -- walking people out the door and removing all access to their previous employers.
3 years ago
in Improving The Great Firewall of China on Matasano Chargen
Nice historical insights Tom. Did you remember the 2004 paper, or did you search for it?