<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Disqus - Latest Comments for Chris_B</title><link>http://disqus.com/people/ff0fce683729a62ba73e61ba2a1a7de6/</link><description></description><language>en</language><lastBuildDate>Mon, 23 Jun 2008 04:11:00 -0000</lastBuildDate><item><title>Re: Bejtlich Considered Wrong (For A Change)</title><link>http://matasanochargen.disqus.com/bejtlich_considered_wrong_for_a_change/#comment-2319985</link><description>Pardon me for intruding, but the problem with the whole debate is that the terms are not qualified. In that sense Richard is just as wrong as what he tries to refute. I'm not even sure the terms can be qualified or the statement can be made meaningful without 20 pages of disclaimers.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 19 Jul 2006 06:04:51 -0000</pubDate></item><item><title>Re: CitySec is a Movement! Woo!</title><link>http://matasanochargen.disqus.com/citysec_is_a_movement_woo/#comment-2320055</link><description>EdoSec (Tokyo) anyone?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 02 Aug 2006 03:44:39 -0000</pubDate></item><item><title>Re: Dear Apple Pundits, Please Stop Writing About Security.</title><link>http://matasanochargen.disqus.com/dear_apple_pundits_please_stop_writing_about_security/#comment-2320101</link><description>so many words wasted in so many places&lt;br&gt;&lt;br&gt;rather than " Dear Apple Pundits, Please Stop Writing About Security." 
I'd just say "Dear Pundits, blah blah"&lt;br&gt;&lt;br&gt;not entirely sure who deserves the car battery hooked up to their nipples, but someone sure does.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Mon, 07 Aug 2006 01:20:32 -0000</pubDate></item><item><title>Re: The AV Doth Protest Too much (Consumer Reports)</title><link>http://matasanochargen.disqus.com/the_av_doth_protest_too_much_consumer_reports/#comment-2320207</link><description>Those of us who worked for companies McAfee devoured under the guise of NAI learned not to trust the business people there but the AVERT folks tended to be good at heart. Its too bad that they probably had to go through some of the corporate vipers in their "official" communications.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 22 Aug 2006 02:56:05 -0000</pubDate></item><item><title>Re: The AV Doth Protest Too much (Consumer Reports)</title><link>http://matasanochargen.disqus.com/the_av_doth_protest_too_much_consumer_reports/#comment-2320210</link><description>Actually the point was passed a few years ago.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 23 Aug 2006 21:36:44 -0000</pubDate></item><item><title>Re: Ignore Igor Muttik&amp;#8217;s &amp;#8220;Retrospective&amp;#8221; Antivirus Testing Method</title><link>http://matasanochargen.disqus.com/ignore_igor_muttik8217s_8220retrospective8221_antivirus_testing_method/#comment-2320238</link><description>"suprising problems" No. Not surprising at all. AV Engines from any company tend to be pretty much as good as the latest DAT file. AV companies are &lt;br&gt;&lt;br&gt;Oh and yes, test case viruses do get out of the lab. 
Happened more than once while I was at NAI Japan.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Sun, 27 Aug 2006 21:29:44 -0000</pubDate></item><item><title>Re: Dino Dai Zovi vs. Dan Kaminsky on SSL VPN Security. Round 1: Fight!</title><link>http://matasanochargen.disqus.com/dino_dai_zovi_vs_dan_kaminsky_on_ssl_vpn_security_round_1_fight/#comment-2320287</link><description>The IP vs Network layer stuff is only meaningful if you have a complete pellethead doing the design of the network and if you dont use AAA type per client destination control.&lt;br&gt;&lt;br&gt;Just because I've verified the user with their token &amp;amp; the machine with its cert &amp;amp; MAC check doesnt mean I have to trust either one completely now does it?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Sun, 27 Aug 2006 22:12:05 -0000</pubDate></item><item><title>Re: My Dad Can Beat Up Your Dad: Part 1</title><link>http://matasanochargen.disqus.com/my_dad_can_beat_up_your_dad_part_1/#comment-2320311</link><description>Somehow I'm not persuaded by any of the current arguments:&lt;br&gt;&lt;br&gt;1) its hard to do vs "anyone could do it"&lt;br&gt;2) lower install base vs more prestige&lt;br&gt;3) # of open ports, OOB user perms&lt;br&gt;&lt;br&gt;None of these have anything convincing about them at all on either side. 
The interesting question really is not which OS is "more secure" but indeed why to date there is no in the wild malware for OSX.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 30 Aug 2006 03:06:00 -0000</pubDate></item><item><title>Re: Jon Gruber&amp;#8217;s Silly Challenge To Maynor And Ellch</title><link>http://matasanochargen.disqus.com/jon_gruber8217s_silly_challenge_to_maynor_and_ellch/#comment-2320370</link><description>Daniel already said it, but TP, you being the champ of full disclosure and all that, whether the prize is $1000 or $1 doesnt matter. Gruber is calling these folks out and I'm willing to bet a box of donuts that they wont accept because in reality they are all hat/no cattle.&lt;br&gt;&lt;br&gt;The real joke here is on the media for hyping up what was probably just finely polished bullshit to begin with.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Sun, 03 Sep 2006 20:17:05 -0000</pubDate></item><item><title>Re: I Did Not Predict The Demise Of Application Proxies In Dark Reading</title><link>http://matasanochargen.disqus.com/i_did_not_predict_the_demise_of_application_proxies_in_dark_reading/#comment-2320342</link><description>The irony of Pescatore's comment is that he worked for Trusted Information Systems, the folks who made Gauntlet, a proxy based firewall.&lt;br&gt;&lt;br&gt;Considering how completely borked most apps are in terms of obeying their own stated protocols, its hard for me to imagine a meta-proxy engine which could accept updated protocol def files. 
As for the whole "IDS/IPS as inline protocol enforcement", well so far thats monkey &amp;amp; hammich land too.&lt;br&gt;&lt;br&gt;I sure do wish such a thing was doable tho.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Sun, 03 Sep 2006 21:15:37 -0000</pubDate></item><item><title>Re: Jon Gruber&amp;#8217;s Silly Challenge To Maynor And Ellch</title><link>http://matasanochargen.disqus.com/jon_gruber8217s_silly_challenge_to_maynor_and_ellch/#comment-2320372</link><description>Understood, but you have shown yourself to have cattle to go with the hat. These boys have not. Either they REALLY know something OR are immature and unprofessional. Way past time they put up or shut up.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Mon, 04 Sep 2006 00:08:35 -0000</pubDate></item><item><title>Re: Jon Gruber&amp;#8217;s Silly Challenge To Maynor And Ellch</title><link>http://matasanochargen.disqus.com/jon_gruber8217s_silly_challenge_to_maynor_and_ellch/#comment-2320378</link><description>Johnny Cache's "response" &lt;a href="http://www.802.11mercenary.net/slashdot/" rel="nofollow"&gt;http://www.802.11mercenary.net/slashdot/&lt;/a&gt;&lt;br&gt;&lt;br&gt;While not outright turning down the challenge, he does so with weasel words and FUD.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Mon, 04 Sep 2006 17:58:37 -0000</pubDate></item><item><title>Re: Jon Gruber&amp;#8217;s Silly Challenge To Maynor And Ellch</title><link>http://matasanochargen.disqus.com/jon_gruber8217s_silly_challenge_to_maynor_and_ellch/#comment-2320383</link><description>TP: Its really a matter of did they BS or not. If they did they have cut their own throats in terms of professional credibility. If it wasnt BS, they still completely mishandled the "demo" and the presentation. 
Even if they have found severe problems with two manufacturers 802.11 implementations, they are going to be remembered as "those jerkoffs from blackhat" rather than as quality researchers. &lt;br&gt;&lt;br&gt;IMNSHO we as an industry are about a decade past that sort of thing. Its high time we cleaned our own closets before digging too deep into those of others.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 05 Sep 2006 00:26:04 -0000</pubDate></item><item><title>Re: Proposal To Resolve Apple/SecureWorks Deadlock</title><link>http://matasanochargen.disqus.com/proposal_to_resolve_applesecureworks_deadlock/#comment-2320433</link><description>Very generous of you to assume that both sides really have a dog in the fight.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 06 Sep 2006 23:24:23 -0000</pubDate></item><item><title>Re: Proposal To Resolve Apple/SecureWorks Deadlock</title><link>http://matasanochargen.disqus.com/proposal_to_resolve_applesecureworks_deadlock/#comment-2320443</link><description>Dave's stated idea is good, perhaps the fine points need to be tuned, but for its worth pursuing.&lt;br&gt;&lt;br&gt;Anyone care to make a gentlemen's wager for or against secureworks? 
I'll put up a dozen donuts against.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Thu, 07 Sep 2006 18:02:25 -0000</pubDate></item><item><title>Re: (317) INDY-SEC, Coming Soon to Indianapolis</title><link>http://matasanochargen.disqus.com/317_indy_sec_coming_soon_to_indianapolis/#comment-2320500</link><description>asked before, but once again, anyone up for EdoSec in Tokyo?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 12 Sep 2006 00:20:44 -0000</pubDate></item><item><title>Re: &amp;#8220;Attackers are smart, you are not.&amp;#8221; is a bad message</title><link>http://matasanochargen.disqus.com/8220attackers_are_smart_you_are_not8221_is_a_bad_message/#comment-2320555</link><description>Truth is that the HTTP protocol is such a dogs breakfast that if you put up a gateway that interprets strictly it *will* end up breaking something. Right now I'm stuck between a certain http security appliance vendor and a server team about to battle over whose fault it is that the app doesnt work.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Thu, 21 Sep 2006 03:22:13 -0000</pubDate></item><item><title>Re: Apple Wireless Security Update</title><link>http://matasanochargen.disqus.com/apple_wireless_security_update/#comment-2320645</link><description>Its a mistake to look at this as pro/anti Apple tho thats of course the easiest and most sensationalist way to see it.&lt;br&gt;&lt;br&gt;Even with a patch release I still stand by my previous two comments:&lt;br&gt;1 we (security practitioners of any stripe) as an industry need to stop acting like children.&lt;br&gt;2 SecureWorks were all hat no cattle.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Fri, 22 Sep 2006 23:20:26 -0000</pubDate></item><item><title>Re: Finger 79/tcp # dcox@bpointsys.com: Black and 
White</title><link>http://matasanochargen.disqus.com/finger_79tcp_dcoxbpointsyscom_black_and_white/#comment-2320732</link><description>Poorly written and not very well thought out.&lt;br&gt;&lt;br&gt;BTW I read Schneier. I'm guessing you dont manage to finish the articles. &lt;br&gt;&lt;br&gt;Anyways thanks for writing, now I have one less consultancy on my list.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Mon, 02 Oct 2006 23:37:47 -0000</pubDate></item><item><title>Re: Finger 79/tcp # dcox@bpointsys.com: Black and White</title><link>http://matasanochargen.disqus.com/finger_79tcp_dcoxbpointsyscom_black_and_white/#comment-2320735</link><description>TP, I didnt think it was Matasano. The headers for the guest posts are pretty clear. No Bruce S. isn't right all the time but the author of this post does not seem to have actually read any of Bruce S.'s commentary on the TSA in full, thus my comment.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 03 Oct 2006 00:06:36 -0000</pubDate></item><item><title>Re: Finger 79/tcp # dcox@bpointsys.com: Black and White</title><link>http://matasanochargen.disqus.com/finger_79tcp_dcoxbpointsyscom_black_and_white/#comment-2320737</link><description>Where I work I've argued against putting in snakeoil or borked products many times. I just cant put my stamp of approval on something thats going to degrade the network, not solve any security problems but provide a false sense of security.&lt;br&gt;&lt;br&gt;You know one reason I like Schneier getting published in main stream media? 
His message of "security theater" is a good one and its better that the pundit who speaks those words has a verifiable background in a slightly related area than just being a regular pundit, salesperson of hot air.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 03 Oct 2006 00:34:38 -0000</pubDate></item><item><title>Re: Finger 79/tcp # dcox@bpointsys.com: Black and White</title><link>http://matasanochargen.disqus.com/finger_79tcp_dcoxbpointsyscom_black_and_white/#comment-2320742</link><description>"I’m irritated by his inconsistent stance on disclosure."&lt;br&gt;&lt;br&gt;Well this is definitely one B&amp;amp;W issue with a lot of shades of gray. OT1H we have the way Matasano handles disclosure, OTOH we have SecureWorks &amp;amp; legions of script kiddies. Etc. &amp;amp;nasium.&lt;br&gt;&lt;br&gt;"What has Schneier done compared to Avi Rubin and Ed Felten?"&lt;br&gt;&lt;br&gt;Publish. A lot. There's a fistful of guys like Avi Rubin &amp;amp; Ed Felten (Ross Anderson comes to mind) who do very good work that does not get publicized outside of "the community". You are essentially asking of Schneier, "what have you done for me lately?" in terms of technical security work, and the answer really is not a lot. Its been years since he did the nose to the grindstone stuff it seems. However, he does seem to be good at writing, speaking in public and being a face to the outside world.&lt;br&gt;&lt;br&gt;Lots of people laugh at that sort of work, but its a required role if security people want to be treated as professionals and not just dateless teenaged  wonderkids and academics. Someone has to face the outside world and talk about the issues we deal with on the inside. Seems Schneier volunteered. 
A lot of people here may say that "someone else" would be better, but I dont see too many others stepping up to the plate.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 03 Oct 2006 18:44:43 -0000</pubDate></item><item><title>Re: Finger 79/tcp # dcox@bpointsys.com: Black and White</title><link>http://matasanochargen.disqus.com/finger_79tcp_dcoxbpointsyscom_black_and_white/#comment-2320744</link><description>Good point on personal issues. I havent noticed it but I'll keep my eyes open for it.&lt;br&gt;&lt;br&gt;I dont really get your point with the second question. I wasnt writing with Matasano specifically in mind, but more generally.&lt;br&gt;&lt;br&gt;FWIW I try to read as much "security" related things in main stream as I can so I have a sense of how we are perceived.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 03 Oct 2006 21:42:48 -0000</pubDate></item><item><title>Re: Finger 79/tcp # dcox@bpointsys.com: Black and White</title><link>http://matasanochargen.disqus.com/finger_79tcp_dcoxbpointsyscom_black_and_white/#comment-2320746</link><description>I addressed that with "in terms of technical security work, and the answer really is not a lot. Its been years since he did the nose to the grindstone stuff it seems." 
Did I miss something?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 03 Oct 2006 23:02:44 -0000</pubDate></item><item><title>Re: A New Cisco Logo</title><link>http://matasanochargen.disqus.com/a_new_cisco_logo/#comment-2320751</link><description>the lines look like something a Bubble 2.0 music company might use to suggest an audio waveform.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 03 Oct 2006 23:11:01 -0000</pubDate></item><item><title>Re: SYMC&amp;#8217;s got the funk</title><link>http://matasanochargen.disqus.com/symc8217s_got_the_funk/#comment-2320786</link><description>to invoke a cliche: "I just threw up in my mouth a little bit"</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Fri, 13 Oct 2006 00:46:40 -0000</pubDate></item><item><title>Re: Browser Wars 2.0: Will security be the battleground?</title><link>http://matasanochargen.disqus.com/browser_wars_20_will_security_be_the_battleground/#comment-2320782</link><description>Recently I was doing some bog standard XSS testing against a few sites with various browsers. I noticed that Opera (on OSX) tossed out a warning page when attempting to click on a xss link or manually enter a xss test URL. 
Makes me wonder if there is any justifiable reason that other browsers dont implement this behavior.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Fri, 13 Oct 2006 00:51:20 -0000</pubDate></item><item><title>Re: Filesystems Fall To Primitive Fuzzing Tools</title><link>http://matasanochargen.disqus.com/filesystems_fall_to_primitive_fuzzing_tools/#comment-2320861</link><description>Not everyone keeps up with mailing lists either.&lt;br&gt;&lt;br&gt;I miss Usenet...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Sun, 29 Oct 2006 21:15:54 -0000</pubDate></item><item><title>Re: Attacking Military Wives Is Plain Old Mean</title><link>http://matasanochargen.disqus.com/attacking_military_wives_is_plain_old_mean/#comment-2320901</link><description>Soon the Verisign goons will be able to sell these people some more "security" to trick the browser even more.&lt;br&gt;&lt;br&gt;BTW I thought Web 2.0 was built on top of a dungheap. Guess I was wrong.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 31 Oct 2006 00:44:51 -0000</pubDate></item><item><title>Re: Devil&amp;#8217;s Advocate: Crossbeam&amp;#8217;s A Rounding Error Compared To The Catalyst</title><link>http://matasanochargen.disqus.com/devil8217s_advocate_crossbeam8217s_a_rounding_error_compared_to_the_catalyst/#comment-2320929</link><description>Yes to all of TP's comments about the network team buying/deploying/managing on the ground secops. Its true world wide as far as I've seen and I think its going to get "truer".&lt;br&gt;&lt;br&gt;Yes to Cisco as a "safe buy" for the network team manager who dont know why product A is "better" than product B. 
I've seen a lot of box-mover VARs able to massively overload a deal with Cisco security product just on the brand name alone ("For your 100 user RAS VPN you are going to need an ASA, a PIX and a VPN 3500, oh and some new switches too. Just sign here")&lt;br&gt;&lt;br&gt;No comment to Crossbeam's viability. Honestly I've never heard of them before these two threads, AFAIK they dont do business here in Japan. At first glance I really cant understand their value add beyond assembling other companies product in one box, but again, I need to read more before I can say a clear opinion.&lt;br&gt;&lt;br&gt;As for David vs Goliath in the sec market, well theres plenty of room in the world for the remoras, hyenas, vultures and the oxpecker.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 07 Nov 2006 22:27:59 -0000</pubDate></item><item><title>Re: Updated BlackHat HVM Rootkits Slides</title><link>http://matasanochargen.disqus.com/updated_blackhat_hvm_rootkits_slides/#comment-2320143</link><description>blue text on black? someone needs a spanking.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Mon, 20 Nov 2006 22:06:59 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://matasanochargen.disqus.com/five_reasons_to_ignore_john_gruber8217s_os_x_security_punditry/#comment-2321020</link><description>"article 3" of your response was of most interest to me. I dont know enough about the claims you make, but you've piqued my interest.&lt;br&gt;&lt;br&gt;BTW why pick on Gruber in regards to security? Does anyone take him seriously on the topic besides other zealots? 
As you rightly pointed out, I come here to read about sec but there to read about HIG/design.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Mon, 20 Nov 2006 22:16:19 -0000</pubDate></item><item><title>Re: How Matasano Predicts The Future Of Security</title><link>http://matasanochargen.disqus.com/how_matasano_predicts_the_future_of_security/#comment-2321105</link><description>Have some pity on us CISSPs. Some of us have families to feed and just want to get better jobs. Not all of us can be as ensmartened as you bug finding bastiches.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 22 Nov 2006 07:09:00 -0000</pubDate></item><item><title>Re: Who Needs Your Silly Rings, Anyways?</title><link>http://matasanochargen.disqus.com/who_needs_your_silly_rings_anyways/#comment-2321096</link><description>could it possibly be that most fanboys of any OS cant tell shit from shinola when it comes to security and thus pick and choose their pundits based on the perceived level of pseudo knowledge rather than being able to discern whether said pundit is an appropriate person to speak on the topic of security?&lt;br&gt;&lt;br&gt;Seriously folks, most people cant tell one vuln from another and are very happy when someone tells them how to either fix the problem or avoid it to begin with. Unfortunately most pundits take the easy way out and blame vendors at the top of their lungs without providing any actual assistance to anyone.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 22 Nov 2006 07:15:51 -0000</pubDate></item><item><title>Re: Is The New OS X DMG Threat Real?</title><link>http://matasanochargen.disqus.com/is_the_new_os_x_dmg_threat_real/#comment-2321120</link><description>I'm just surprised that the press hasnt soiled themselves on this one yet. 
Anyways, nice summary of facts on the ground.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Mon, 27 Nov 2006 00:19:48 -0000</pubDate></item><item><title>Re: Are All Analysts Marketing-Execs-In-Training?</title><link>http://matasanochargen.disqus.com/are_all_analysts_marketing_execs_in_training/#comment-2321156</link><description>"Also I would note that a move from one vendor to another, such as an executive moving from IBM/Tivoli to CA, or a lead engineer moving from McAfee to Symantec is far more questionable than an analyst moving to a vendor and that happens all the time."&lt;br&gt;&lt;br&gt;No. Not at all. Us folk who are the clients of both analysts and vendors make assumptions which of the two will be more biased. Analysts are actually anonymous to most clients. Fact is most of us will never ever meet them online or off.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 28 Nov 2006 22:33:13 -0000</pubDate></item><item><title>Re: Vulnerability Sportsmen vs. Vulnerability Hunters</title><link>http://matasanochargen.disqus.com/vulnerability_sportsmen_vs_vulnerability_hunters/#comment-2321172</link><description>Dino,&lt;br&gt;&lt;br&gt;Nice post. You also nailed the root of the problem with the two fellows from Secureworks rather nicely.&lt;br&gt;&lt;br&gt;dre,&lt;br&gt;&lt;br&gt;I for one dont like your solution and I cant imagine anyone with repeat clients who would. As far as blaming "capitalism" I'll just give you the benefit of the doubt and assume that was supposed to be a joke.&lt;br&gt;&lt;br&gt;I for one look forward to the day when the whole hat thing is passe, when "vulnerability hunters" are standard practice professionals verifying software much in the same way that any business uses an accountant to verify their books. 
It aint glamorous, but the fact is it shouldnt be.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Thu, 30 Nov 2006 01:52:39 -0000</pubDate></item><item><title>Re: Safety Vs. Security</title><link>http://matasanochargen.disqus.com/safety_vs_security/#comment-2321215</link><description>"safety vs security" is indeed the most apt analogy I've seen so far on this issue. I wouldnt say its the be all and end all since both words express conditions which cant be quantified, however this is a more reasonable way to talk about the issue. BTW IMNSHO, security is both a technological and human problem. To try and view it as strictly one or the other dont do no help at all.&lt;br&gt;&lt;br&gt;dre,&lt;br&gt;&lt;br&gt;I've heard that sort of windbaggery before about how OSX users are being targeted "everyday" but the fact remains, I have not seen any evidence of it at all. Once I see it I'm sure I'll change my tune.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Mon, 11 Dec 2006 00:16:07 -0000</pubDate></item><item><title>Re: Month of VersionTracker Bugs</title><link>http://matasanochargen.disqus.com/month_of_versiontracker_bugs/#comment-2321334</link><description>Pretty darn soon there will be a waiting list for the Maynard &amp;amp; Crabs Security Dude Ranch what with all the MOXB crowd just waiting to get in. Sign up now and get a room with a view of no cattle and a complimentary genuine Stetson 15 gallon hat at no additional cost.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Mon, 15 Jan 2007 20:03:17 -0000</pubDate></item><item><title>Re: More Disclosure Ramblings (Responding to mjr)</title><link>http://matasanochargen.disqus.com/more_disclosure_ramblings_responding_to_mjr/#comment-2321492</link><description>I read MR's words but perhaps received different meaning from them. 
I'm also frustrated at the pimping trend, the glory hogs and shit stirrers. I've also been of the mind that its been over ten years now, when are "we" going to grow the fuck up?&lt;br&gt;&lt;br&gt;Sure we can debate this one till the cows come home (guests of Maynard &amp;amp; Crab's Dude Ranch excepted), but really, how can we as professionals expect to be treated as such when so many of us behave so poorly?&lt;br&gt;&lt;br&gt;Of course I'm not talking at the Matasano folk here, y'all have more than proved yourselves as professionals in every sense.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 24 Jan 2007 23:17:37 -0000</pubDate></item><item><title>Re: Halvar&amp;#8217;s Secret</title><link>http://matasanochargen.disqus.com/halvar8217s_secret/#comment-2321551</link><description>Those checksums are clearly proof of a photo of Elvis having lunch with Vladimir Putin at El Barge in London.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 07 Feb 2007 19:08:23 -0000</pubDate></item><item><title>Re: Allman on Coordinating Vulnerability Disclosure</title><link>http://matasanochargen.disqus.com/allman_on_coordinating_vulnerability_disclosure/#comment-2321611</link><description>The gentlemen from IBM above summed it up nicely. Dave, do I read you wrong or are you coming to the defense of those who have been accused of pimping?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Mon, 26 Feb 2007 19:06:41 -0000</pubDate></item><item><title>Re: Allman on Coordinating Vulnerability Disclosure</title><link>http://matasanochargen.disqus.com/allman_on_coordinating_vulnerability_disclosure/#comment-2321613</link><description>Um.. Dave, I read the same article come to think of it and I think you are being a bit thin skinned. If MJR classed you guys with the Purple Hats, I kinda missed it completely. 
Man up a bit.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 28 Feb 2007 19:31:45 -0000</pubDate></item><item><title>Re: On The Different Types Of Penetration Tests</title><link>http://matasanochargen.disqus.com/on_the_different_types_of_penetration_tests/#comment-2321659</link><description>TP,&lt;br&gt;&lt;br&gt;The transgressive bit didnt come at the end. The thing which is going to upset a lot of pester divas of all types is the fact that this stuff really is QA processes.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 07 Mar 2007 20:10:17 -0000</pubDate></item><item><title>Re: On The Different Types Of Penetration Tests</title><link>http://matasanochargen.disqus.com/on_the_different_types_of_penetration_tests/#comment-2321664</link><description>TP,&lt;br&gt;&lt;br&gt;OTOH a methodology can be good for people whose heads are too much in the game, forcing them to mind the shot clock and get the rest of the work done.&lt;br&gt;&lt;br&gt;Chris E,&lt;br&gt;&lt;br&gt;Even now a certain percentage of pesting can be automated and can spot the low hanging fruit. I expect that this percentage will rise over time. Of course human eyes will always spot more, but eliminating some problems before shipping is better than waiting for someone else to identify those problems for you.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Thu, 08 Mar 2007 19:34:04 -0000</pubDate></item><item><title>Re: More on Pen Testing</title><link>http://matasanochargen.disqus.com/more_on_pen_testing/#comment-2321672</link><description>Wasnt it Deming who talked about the "PDCA model" of management? 
PDCA or Six Sigma type ideas should mandate good design and verification of implementation.&lt;br&gt;&lt;br&gt;There sure do seem to be lots of Chris's round lately!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 13 Mar 2007 20:42:43 -0000</pubDate></item><item><title>Re: Gaming Vulnerability Statistics</title><link>http://matasanochargen.disqus.com/gaming_vulnerability_statistics/#comment-2321702</link><description>You said "Vulnerability statistics are generally bunk." I say remove "generally". These should always be regarded as marcomms and nothing more. Crime stats are a good analogy since what gets counted differs from place to place and from year to year.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Thu, 15 Mar 2007 22:49:43 -0000</pubDate></item><item><title>Re: Gaming Vulnerability Statistics</title><link>http://matasanochargen.disqus.com/gaming_vulnerability_statistics/#comment-2321707</link><description>MS Seems interested in how things are counted as well (nach) &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9013378" rel="nofollow"&gt;http://www.computerworld.com/action/article.do?...&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Sun, 18 Mar 2007 20:09:27 -0000</pubDate></item><item><title>Re: Take Me Off Your List!</title><link>http://matasanochargen.disqus.com/take_me_off_your_list/#comment-2321712</link><description>TP&lt;br&gt;&lt;br&gt;You need a new category, may I suggest either "snark" or "humor".</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Sun, 18 Mar 2007 22:26:38 -0000</pubDate></item><item><title>Re: George Ou Goes All-In On Dave Maynor&amp;#8217;s WiFi 
Findings</title><link>http://matasanochargen.disqus.com/george_ou_goes_all_in_on_dave_maynor8217s_wifi_findings/#comment-2321809</link><description>As TP said, at best this new "revelation" just muddies the waters more. George Ou looks like even less of a journalist than before and Lynn Fox has new catch copy to add to her resume.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 21 Mar 2007 21:15:44 -0000</pubDate></item><item><title>Re: Lindstrom on SSL</title><link>http://matasanochargen.disqus.com/lindstrom_on_ssl/#comment-2321893</link><description>Dave,&lt;br&gt;&lt;br&gt;Everywhere I've worked it is terminate the inbound on a specialty device and then monitor the traffic.&lt;br&gt;&lt;br&gt;As far as Lindstrom goes, use the old maxim "Don't Feed The Trolls"</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 27 Mar 2007 08:52:10 -0000</pubDate></item><item><title>Re: PWN2OWN: CanSecWest&amp;#8217;s OS X Challenge</title><link>http://matasanochargen.disqus.com/pwn2own_cansecwest8217s_os_x_challenge/#comment-2321911</link><description>Yeah... um... seems to me the best way to deal with this would indeed be a smash and grab.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Mon, 02 Apr 2007 20:27:56 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://matasanochargen.disqus.com/questions_for_stillsecure_about_cobia/#comment-2321986</link><description>@alan&lt;br&gt;&lt;br&gt;Guess what? Some potential users/customers DO in fact care about a company's marketing claims. I'm not one of the "thought leaders" or developers or smart guys, I'm just a plain old ISO at a reasonably well known financial company with a fairly lengthy background in operational IT security. 
&lt;br&gt;&lt;br&gt;I don't care about claims of o/Open s/Source for the sake of morality or the good of the world, etc. I do care about marketing claims which look like riding on the coat tails of those who have done "good works" however. See by my view as someone who can recommend the use or purchase of a security product, if your main story smells fishy, something else about your company might be fishy as well. This is not an accusation, this is just the perspective of a potential user/customer.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 03 Apr 2007 21:35:12 -0000</pubDate></item><item><title>Re: A Case Against DNSSEC, Count 1: Solves A Non-Problem</title><link>http://matasanochargen.disqus.com/a_case_against_dnssec_count_1_solves_a_non_problem/#comment-2322014</link><description>TP&lt;br&gt;&lt;br&gt;I think you finally hit the nail on the head. Protocols are generally not the answer because technology can't fix social problems on a large scale. This has been under my fingernails for a while now but I don't think the idea will be generally popular with anyone. The Internet isn't broken and can't be fixed. People are broken. The "fix" tends to come from social structures and laws (and law enforcement).&lt;br&gt;&lt;br&gt;In any case it's not SSL/TLS or the Verisign protection racket goons which secure your purchases from Amazon or your ebanking; it's consumer protection laws which limit your liability for misuse of your credit card or protect you from bank fraud (in the US anyways, the rest of the world is different).&lt;br&gt;&lt;br&gt;SSL/TLS/PGP/SSH are due diligence practices. 
DNSSEC may or may not be in the future.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 03 Apr 2007 23:02:20 -0000</pubDate></item><item><title>Re: A Case Against DNSSEC, Count 1: Solves A Non-Problem</title><link>http://matasanochargen.disqus.com/a_case_against_dnssec_count_1_solves_a_non_problem/#comment-2322016</link><description>"bad technology" in the sense that it will cause Godzilla like counter effects or in the sense that there is disagreement on what problem it is intended to solve exactly?&lt;br&gt;&lt;br&gt;But seriously. All hyperbole aside, I see your points but for reasons of practicality, I don't entirely agree with your assertion that authentication should be solved at a higher layer.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 03 Apr 2007 23:58:46 -0000</pubDate></item><item><title>Re: A Case Against DNSSEC, Count 1: Solves A Non-Problem</title><link>http://matasanochargen.disqus.com/a_case_against_dnssec_count_1_solves_a_non_problem/#comment-2321993</link><description>my bad. "authentication" wasn't the word to use. should have gone for "authenticity" instead. 
Still chewing on this overall so may back down again or not.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 04 Apr 2007 20:02:29 -0000</pubDate></item><item><title>Re: Questions for StillSecure About Cobia</title><link>http://matasanochargen.disqus.com/questions_for_stillsecure_about_cobia/#comment-2321990</link><description>Looks like alan is just gonna wait out this little boiling kettle till everyone has forgotten about it and then the Marketologists can get on with selling their opensawrus</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Thu, 05 Apr 2007 23:19:52 -0000</pubDate></item><item><title>Re: A Case Against DNSSEC, Count 2: Too Complicated To Deploy</title><link>http://matasanochargen.disqus.com/a_case_against_dnssec_count_2_too_complicated_to_deploy/#comment-2322060</link><description>A lot more food on the plate now. I'm starting to see other practical issues with implementation and maintenance in terms of &lt;a href="http://bigcorp.com" rel="nofollow"&gt;bigcorp.com&lt;/a&gt; but should talk to a few people before opening my mouth in public. &lt;br&gt;&lt;br&gt;One question being, how well can a DNSSEC server work if it's cut off from the outside world?&lt;br&gt;&lt;br&gt;TIS Labs eh? Figures. Same guys who sold the whole Key Escrow thing to Slick "Seegar" Willy &amp;amp; The Clintonistas.&lt;br&gt;&lt;br&gt;Oh and TP, you weren't supposed to reveal the secret of Cmd Opt 4. 
I'm going to have your Amateur Designer license revoked.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Thu, 05 Apr 2007 23:33:46 -0000</pubDate></item><item><title>Re: A Case Against DNSSEC, Count 2: Too Complicated To Deploy</title><link>http://matasanochargen.disqus.com/a_case_against_dnssec_count_2_too_complicated_to_deploy/#comment-2322068</link><description>Having read all this, including Jay Daley's "secure last mile" bit reminds me once again of the analogy of using an armored car to deliver messages between cardboard hobo shacks.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Sun, 08 Apr 2007 20:27:04 -0000</pubDate></item><item><title>Re: .safe .shenanigans</title><link>http://matasanochargen.disqus.com/safe_shenanigans/#comment-2322074</link><description>Dave,&lt;br&gt;&lt;br&gt;"who gets to call themselves a financial institution" is not a hard problem. Governments get to define that. Unfortunately for the greater problem, not all governments agree on what level of responsibility financial institutions must bear to solve the issues at hand. The problem is more that this is yet another attempt to peddle a non solution by shifting the blame. 
&lt;br&gt;&lt;br&gt;As much as anti virus software is a license to print money, I wouldn't buy AV stocks now because at some point, enough buyers are going to figure out that it's a losing game.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Tue, 10 Apr 2007 22:18:28 -0000</pubDate></item><item><title>Re: THIS JUST IN: BLOGS A CRAPPY WAY TO HANDLE DISCLOSURE</title><link>http://matasanochargen.disqus.com/this_just_in_blogs_a_crappy_way_to_handle_disclosure/#comment-2322461</link><description>Wonder if this is going to be the one which finally makes it crystal clear to everyone that bug bounties and our whole current disclosure infrastructure is morally corrupt?&lt;br&gt;&lt;br&gt;Nonetheless, thanks for the coverage.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Thu, 26 Apr 2007 20:05:30 -0000</pubDate></item><item><title>Re: McAfee: For Us, It&amp;#8217;s Internet First, Then Customers &amp;#8212; Unlike 3Com!</title><link>http://matasanochargen.disqus.com/mcafee_for_us_it8217s_internet_first_then_customers_8212_unlike_3com/#comment-2322546</link><description>Somehow the idea of bug bounties by outside parties still makes my skin crawl. 
Some bits of my employer use TippingPoint, but I'll do my best to keep my branch's cash out of their hands.&lt;br&gt;&lt;br&gt;While I doubt that McAfee has even the slightest chance of claiming the moral high ground here (or anywhere for that matter) and I have no intention of ever buying more than AV from them, it would be interesting to see an official statement of practice from them in this area.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Mon, 07 May 2007 21:22:03 -0000</pubDate></item><item><title>Re: more .shenanigans</title><link>http://matasanochargen.disqus.com/more_shenanigans/#comment-2322608</link><description>This is indeed a non solution for many reasons, the first two which come to my head being:&lt;br&gt;&lt;br&gt;1 it takes a far too limited view of financial institutions which get subject to phishes. The "what qualifies as a bank" problem.&lt;br&gt;&lt;br&gt;2 it assumes that "bank" has the same meaning to all Internet users. The "do they speak English in what" problem.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 09 May 2007 23:18:13 -0000</pubDate></item><item><title>Re: In Which We Improve Upon The Business Model Of The Last Post</title><link>http://matasanochargen.disqus.com/in_which_we_improve_upon_the_business_model_of_the_last_post/#comment-2322747</link><description>Nice. The race to the bottom started by 3Com and iDefense is now complete. I for one hope that Matasano is able to use this idea in regards to a Tipping Point vulnerability.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 06 Jun 2007 22:28:27 -0000</pubDate></item><item><title>Re: Safari vs. 
Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://matasanochargen.disqus.com/safari_vs_maynor_dogs_and_cats_living_together_mass_hysteria/#comment-2322778</link><description>From where I sit as someone who can recommend doing business with one security vendor over another, Maynor's childish antics make these sorts of choices much easier. Thanks to their "as we feel like it" disclosure policy, it's easy to see that Errata just isn't a company I'd ever invite to an RFP, much less recommend.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 13 Jun 2007 20:47:46 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://matasanochargen.disqus.com/safari_vs_maynor_dogs_and_cats_living_together_mass_hysteria/#comment-2322810</link><description>As a "user" (meaning corporate customer of various security services), allow me to repeat that how a vendor presents themselves to the public has something to do with this whole question. The vendors who come off as "part of the problem", whether that be by releasing 0days or airing their dirty laundry in public, are not vendors who I could consider contracting for any security services at all.&lt;br&gt;&lt;br&gt;"We" customers don't care who is the 1337est of them all in terms of bugs found and weaponized. What it comes down to is the perception that people who do things which might cause harm to can't be trusted.&lt;br&gt;&lt;br&gt;Probably my experience in various aspects of security (not as a bug hunter) colors my opinion, but it is what it is.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 20 Jun 2007 06:13:43 -0000</pubDate></item><item><title>Re: Safari vs. 
Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://matasanochargen.disqus.com/safari_vs_maynor_dogs_and_cats_living_together_mass_hysteria/#comment-2322812</link><description>@David Maynor&lt;br&gt;&lt;br&gt;None of your response addresses my comment. Let me try and put it a bit more clearly: I don't want to do business with a company that has you as a prominent figure because you come off as a PR problem. &lt;br&gt;&lt;br&gt;It's not you personally, I generally don't want to deal with a QA service or advisory service that makes the sordid details of their business relations with others a matter of public record.&lt;br&gt;&lt;br&gt;Is any of that unclear?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Wed, 20 Jun 2007 22:26:29 -0000</pubDate></item><item><title>Re: Safari vs. Maynor: Dogs and Cats Living Together, Mass Hysteria!</title><link>http://matasanochargen.disqus.com/safari_vs_maynor_dogs_and_cats_living_together_mass_hysteria/#comment-2322819</link><description>@David Maynor&lt;br&gt;&lt;br&gt;I don't dislike you, I don't even know you. This is business not personal. If you dislike me, well that's on you. &lt;br&gt;&lt;br&gt;My employer does make extensive use of QA services and does pay for several reporting and research services. We have a reasonably good (IMNSHO) security experts group who as far as I've seen is quite able to differentiate vendor hype from potential threats to our business environment. We also have a rather long set of terms and conditions to which we subject every vendor before we sign any contracts.&lt;br&gt;&lt;br&gt;We try and do a reasonable amount of due diligence before we go to T&amp;amp;C though. Part of due diligence is estimating the risk that a company will end up affecting reputational risk. Once again, from a business perspective, you look risky.&lt;br&gt;&lt;br&gt;I hope this is clear enough and that you understand I'm speaking with my work hat on. 
Maybe someday we'll run into each other and can work out whether we get along personally. If you are at Black Hat Japan, let's have a drink there.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Fri, 22 Jun 2007 04:56:39 -0000</pubDate></item><item><title>Re: Joanna&amp;#8217;s Shocking Confession: There Exists Some Amount Of Money For Which I Would Agree To See BluePill Detected By Lawson, Ferrie, Dai Zovi and Ptacek.</title><link>http://matasanochargen.disqus.com/joanna8217s_shocking_confession_there_exists_some_amount_of_money_for_which_i_would_agree_to_see_blu/#comment-2322891</link><description>TP,&lt;br&gt;&lt;br&gt;"I don’t think “blog” and “shame” are acronyms."&lt;br&gt;&lt;br&gt;I thought they were synonyms.&lt;br&gt;&lt;br&gt;Anyways looking forward to seeing how this one plays out.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Sun, 01 Jul 2007 22:55:49 -0000</pubDate></item><item><title>Re: The X86 Memory System And Why It&amp;#8217;s Hard To Virtualize Securely</title><link>http://matasanochargen.disqus.com/the_x86_memory_system_and_why_it8217s_hard_to_virtualize_securely/#comment-2323233</link><description>a bit off topic, but I haven't heard the name &lt;a href="http://escape.com" rel="nofollow"&gt;escape.com&lt;/a&gt; in many years now; makes me wonder how Roman the old 2600 folks are getting by</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Sun, 30 Sep 2007 23:03:02 -0000</pubDate></item><item><title>Re: The Wikipedia Advertising Vulnerability And How Not To Mess It Up</title><link>http://matasanochargen.disqus.com/the_wikipedia_advertising_vulnerability_and_how_not_to_mess_it_up/#comment-2323527</link><description>Now see this is part of why I keep coming back to Matasano. 
The article looks perfectly reasonable and the knife to someone's eye doesn't come till the end.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Sun, 16 Dec 2007 20:19:38 -0000</pubDate></item><item><title>Re: Rootkits Are Top Of Mind, Bottom Of Pile, Only They Really Aren&amp;#8217;t</title><link>http://matasanochargen.disqus.com/rootkits_are_top_of_mind_bottom_of_pile_only_they_really_aren8217t/#comment-2323990</link><description>Anyone who references Shelly "The Machine" Levene is all right in my book. Good on ya Dave, it's one of my favorite movies ever.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Mon, 23 Jun 2008 04:11:00 -0000</pubDate></item></channel></rss>