The Laziness of the Blackhat

July 9, 2007

No, I’m not calling blackhats lazy. But I was reading Dave G’s post about WabiSabiLabi, where he talked about the idea that by having an auction site that gives enough detail about the vulnerabilities, there’s enough detail that a smart researcher can go out and find the bug themselves.

Which is absolutely true.

But it reminds me of when I was all excited about Napster, and I was having a talk with my dad. I was, at the time, an idealistic (if misguided) youth, and I was expounding on the whole “information should be free”/“music just wants to be heard”/“the future won’t have a place for the RIAA” (okay, the last one’s still true). And he made an incredibly good point that has stuck with me to this day:

“The point of the lawsuits”, he said, “isn’t to make music sharing go away. The point is just to make it hard enough for the average user that they’ll use something slightly more expensive. And if the music can be offered in an easy format at a somewhat cheap cost, but it’s hard to use the free way of doing it, most people will use the legitimate way.”

Of course, this was years before iTunes came along, but my dad called that one – even I find BT, Limewire, etc. to be more of a hassle than they’re worth. I’ll happily pay $0.99 for a song.

And that’s the point around things like Wabisabilabi – it’s not that there aren’t researchers out there who will go find the vulns themselves. It’s that, at a low enough cost, most won’t. I mean, think about it – if you’re a company doing vuln research, are you going to spend a day of a single researcher’s time (at $50-$70/hour fully loaded) to have them try to go find the vuln themselves? Or are you going to spend $500?

It comes down to a smart business decision – if you can buy it cheaper than you can build it, with less effort (and with less opportunity cost, because that researcher can be working on something else), you probably will. It’s the same reason that Dave’s tools and Metasploit are so popular – they allow the community not to have to go do it themselves.

If they can buy it cheaply enough, most people won’t go to the trouble of doing it themselves. It just doesn’t make sense.

The real threat of identity theft…

July 6, 2007

A friend recently sent me an email that warned me that I had my phone numbers on the bottom of my email signature – she was worried for me because “you can’t be too careful with all the identity theft going on”. And, while I’ve yet to really think of a threat scenario where someone knowing my Skype-In number could cause the compromise of my NPPI, I knew I had to reflect on ID theft for a minute.

And then I read this post over at Sunnet Beskerming about a recent major ID breach. From the post:

Continuing a trend of employees stealing valuable data, an employee at a Fidelity National Information Services subsidiary at some time prior to May 2007 stole more than 2 million records that contained a range of personal, financial account, and credit card data for users of Fidelity services.

With all the people who worry about technical ID theft (like the TJX breach), I think that this type of theft is likely far more prevalent. It reminds me of an article that Schneier wrote a few years ago in Dr. Dobbs on Attack Trees. It was a relatively overcomplexificated article for a really simple theme:

Intelligent and rational attackers will always use the lowest cost, least complex attack vector.

Thus, if you’re trying to steal data and you have two choices: 1) do a major Sneakers-level social engineering attack, or 2) just pay the insider a few hundred bucks, a decent attacker will always pay the few hundred bucks.

The technical attack is always cool, but it’s the simple attack that takes the day almost every time.

Jobs 6:15

July 5, 2007

So, anybody who has ever gone out for a drink with Amrit knows that he’s a genuinely funny guy. I have to point to an absolutely great blog post that he just put up on the iPhone, security threats and driving in the Bay Area. Absolutely hilarious stuff. From the post:

So what does the iPhone, mobile security and bad driving have to do with each other? First they shouldn’t mix – that is mobile devices and driving. It is a bad combination, bad like Ike and Tina, or Michael Jackson and young children, or Dick Cheney and Democracy.

Check it out.
