Chris_B
1 year ago
in Rootkits Are Top Of Mind, Bottom Of Pile, Only They Really Aren’t on Matasano Chargen
Anyone who references Shelly "The Machine" Levene is all right in my book. Good on ya Dave, it's one of my favorite movies ever.
1 year ago
in The Wikipedia Advertising Vulnerability And How Not To Mess It Up on Matasano Chargen
Now see this is part of why I keep coming back to Matasano. The article looks perfectly reasonable and the knife to someone's eye doesn't come till the end.
1 year ago
in The X86 Memory System And Why It’s Hard To Virtualize Securely on Matasano Chargen
A bit off topic, but I haven't heard the name escape.com in many years now; makes me wonder how Roman the old 2600 folks are getting by.
2 years ago
in Joanna’s Shocking Confession: There Exists Some Amount Of Money For Which I Would Agree To See BluePill Detected By Lawson, Ferrie, Dai Zovi and Ptacek. on Matasano Chargen
TP,
"I don’t think “blog” and “shame” are acronyms."
I thought they were synonyms.
Anyways, looking forward to seeing how this one plays out.
2 years ago
in Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria! on Matasano Chargen
@David Maynor
I don't dislike you, I don't even know you. This is business, not personal. If you dislike me, well, that's on you.
My employer does make extensive use of QA services and does pay for several reporting and research services. We have a reasonably good (IMNSHO) security experts group who, as far as I've seen, is quite able to differentiate vendor hype from potential threats to our business environment. We also have a rather long set of terms and conditions to which we subject every vendor before we sign any contracts.
We try and do a reasonable amount of due diligence before we go to T&C though. Part of due diligence is estimating the risk that a company will end up affecting reputational risk. Once again, from a business perspective, you look risky.
I hope this is clear enough and that you understand I'm speaking with my work hat on. Maybe someday we'll run into each other and can work out whether we get along personally. If you are at Black Hat Japan, let's have a drink there.
2 years ago
in Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria! on Matasano Chargen
@David Maynor
None of your response addresses my comment. Let me try and put it a bit more clearly: I don't want to do business with a company that has you as a prominent figure because you come off as a PR problem.
It's not you personally; I generally don't want to deal with a QA service or advisory service that makes the sordid details of their business relations with others a matter of public record.
Is any of that unclear?
2 years ago
in Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria! on Matasano Chargen
As a "user" (meaning corporate customer of various security services), allow me to repeat that how a vendor presents themselves to the public has something to do with this whole question. The vendors who come off as "part of the problem", whether that be by releasing 0days or airing their dirty laundry in public, are not vendors who I could consider contracting for any security services at all.
"We" customers don't care who is the 1337est of them all in terms of bugs found and weaponized. What it comes down to is the perception that people who do things which might cause harm to can't be trusted.
Probably my experience in various aspects of security (not as a bug hunter) colors my opinion, but it is what it is.
2 years ago
in Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria! on Matasano Chargen
From where I sit as someone who can recommend doing business with one security vendor over another, Maynor's childish antics make these sorts of choices much easier. Thanks to their "as we feel like it" disclosure policy, it's easy to see that Errata just isn't a company I'd ever invite to an RFP, much less recommend.
2 years ago
in In Which We Improve Upon The Business Model Of The Last Post on Matasano Chargen
Nice. The race to the bottom started by 3Com and iDefence is now complete. I for one hope that Matasano is able to use this idea in regards to a Tipping Point vulnerability.
2 years ago
in more .shenanigans on Matasano Chargen
This is indeed a non-solution for many reasons, the first two which come to my head being:
1. It takes a far too limited view of financial institutions which get subject to phishes. The "what qualifies as a bank" problem.
2. It assumes that "bank" has the same meaning to all Internet users. The "do they speak English in what" problem.
2 years ago
in McAfee: For Us, It’s Internet First, Then Customers — Unlike 3Com! on Matasano Chargen
Somehow the idea of bug bounties by outside parties still makes my skin crawl. Some bits of my employer use TippingPoint, but I'll do my best to keep my branch's cash out of their hands.
While I doubt that McAfee has even the slightest chance of claiming the moral high ground here (or anywhere, for that matter) and I have no intention of ever buying more than AV from them, it would be interesting to see an official statement of practice from them in this area.
2 years ago
in THIS JUST IN: BLOGS A CRAPPY WAY TO HANDLE DISCLOSURE on Matasano Chargen
Wonder if this is going to be the one which finally makes it crystal clear to everyone that bug bounties and our whole current disclosure infrastructure are morally corrupt?
Nonetheless, thanks for the coverage.
2 years ago
in .safe .shenanigans on Matasano Chargen
Dave,
"Who gets to call themselves a financial institution" is not a hard problem. Governments get to define that. Unfortunately for the greater problem, not all governments agree on what level of responsibility financial institutions must bear to solve the issues at hand. The problem is more that this is yet another attempt to peddle a non-solution by shifting the blame.
As much as anti-virus software is a license to print money, I wouldn't buy AV stocks now because at some point, enough buyers are going to figure out that it's a losing game.
2 years ago
in A Case Against DNSSEC, Count 2: Too Complicated To Deploy on Matasano Chargen
Having read all this, including Jay Daley's "secure last mile" bit, reminds me once again of the analogy of using an armored car to deliver messages between cardboard hobo shacks.
2 years ago
in A Case Against DNSSEC, Count 2: Too Complicated To Deploy on Matasano Chargen
A lot more food on the plate now. I'm starting to see other practical issues with implementation and maintenance in terms of bigcorp.com but should talk to a few people before opening my mouth in public.
One question being, how well can a DNSSEC server work if it's cut off from the outside world?
TIS Labs eh? Figures. Same guys who sold the whole Key Escrow thing to Slick "Seegar" Willy & The Clintonistas.
Oh and TP, you weren't supposed to reveal the secret of Cmd Opt 4. I'm going to have your Amateur Designer license revoked.
2 years ago
in Questions for StillSecure About Cobia on Matasano Chargen
Looks like alan is just gonna wait out this little boiling kettle till everyone has forgotten about it and then the Marketologists can get on with selling their opensawrus.
2 years ago
in A Case Against DNSSEC, Count 1: Solves A Non-Problem on Matasano Chargen
My bad. "Authentication" wasn't the word to use. Should have gone for "authenticity" instead. Still chewing on this overall, so may back down again or not.
2 years ago
in A Case Against DNSSEC, Count 1: Solves A Non-Problem on Matasano Chargen
"Bad technology" in the sense that it will cause Godzilla-like counter effects, or in the sense that there is disagreement on what problem it is intended to solve exactly?
But seriously. All hyperbole aside, I see your points, but for reasons of practicality I don't entirely agree with your assertion that authentication should be solved at a higher layer.
2 years ago
in A Case Against DNSSEC, Count 1: Solves A Non-Problem on Matasano Chargen
TP
I think you finally hit the nail on the head. Protocols are generally not the answer because technology can't fix social problems on a large scale. This has been under my fingernails for a while now, but I don't think the idea will be generally popular with anyone. The Internet isn't broken and can't be fixed. People are broken. The "fix" tends to come from social structures and laws (and law enforcement).
In any case it's not SSL/TLS or the Verisign protection racket goons which secure your purchases from Amazon or your ebanking; it's consumer protection laws which limit your liability for misuse of your credit card or protect you from bank fraud (in the US anyways; the rest of the world is different).
SSL/TLS/PGP/SSH are due diligence practices. DNSSEC may or may not be in the future.
2 years ago
in Questions for StillSecure About Cobia on Matasano Chargen
@alan
Guess what? Some potential users/customers DO in fact care about a company's marketing claims. I'm not one of the "thought leaders" or developers or smart guys, I'm just a plain old ISO at a reasonably well known financial company with a fairly lengthy background in operational IT security.
I don't care about claims of o/Open s/Source for the sake of morality or the good of the world, etc. I do care about marketing claims which look like riding on the coat tails of those who have done "good works" however. See, by my view as someone who can recommend the use or purchase of a security product, if your main story smells fishy, something else about your company might be fishy as well. This is not an accusation, this is just the perspective of a potential user/customer.
2 years ago
in PWN2OWN: CanSecWest’s OS X Challenge on Matasano Chargen
Yeah... um... seems to me the best way to deal with this would indeed be a smash and grab.
2 years ago
in Lindstrom on SSL on Matasano Chargen
Dave,
Everywhere I've worked it is: terminate the inbound on a specialty device and then monitor the traffic.
As far as Lindstrom goes, use the old maxim "Don't Feed The Trolls".
2 years ago
in George Ou Goes All-In On Dave Maynor’s WiFi Findings on Matasano Chargen
As TP said, at best this new "revelation" just muddies the waters more. George Ou looks like even less of a journalist than before and Lynn Fox has new catch copy to add to her resume.
2 years ago
in Gaming Vulnerability Statistics on Matasano Chargen
MS seems interested in how things are counted as well (nach) http://www.computerworld.com/action/article.do?...