Jerry Springer’s Bugtraq
Dave G. | February 21st, 2006 | Filed Under: Disclosure
Nothing like an ethical debate on bugtraq. To sum up the original post in a sentence or two:
Advanced societies are producing tougher computer crime laws which will reduce/eliminate the number of talented security professionals because there won’t be as many people who have real life experience breaking into computers. Advanced societies will ultimately have less security because security professionals won’t have a hacking background.
If this were an episode of Jerry Springer, it might sound something like:
“I can’t break into a computer to explore? *BEEP* you, I do what I WHOAAH-ant!”
Normally, you just read this type of post and either agree with it or not. My personal take is that reducing the punishment for a crime in order to make sure that we are able to properly defend ourselves from computer crime is ridiculous. There may be a separate issue of whether or not the current punishment fits the crime, but that isn’t what this was about, nor do I understand the laws well enough to comment.
So far, Soooooo BUGTRAQ.
Then, mjr weighed in. It started out reasonable, comparing computer trespass to physical trespass. Concisely put:
Advanced societies have a sense of property. We should favor property owner’s rights to control their property, not the trespasser’s ability to go where they please.
In Springerspeak:
Stay away fr’m my BLEEPING woman! She ain’t yers, n’ i love ‘er!
At this point, you typically have a lot of yelling, some finger pointing, and finally the bouncers separate today’s guests.
That’s when mjr comes back in wielding a folding chair, and while intending to take a swing at his combatant, instead hits some guy next to him. Let’s call him ‘The entire industry of penetration testers’.
What you’ll find is that engineers who understand engineering discipline find bug-hunting to be an utterly boring process; well-designed and implemented systems don’t need “pen testers” - they cross-check themselves. The only reason the industry is in the horrible condition it’s in today is because the vast majority of code that’s been fielded to date is crap. That will have to change. And when it does, “pen testers” will become peons in the quality assurance department. … Put differently: either way you slice it, pentesters aren’t worth a bucket of warm spit as far as I am concerned.
Who’s-it in the what-now?
Well-designed and implemented systems not only need penetration testers; I would assert that they are actually more likely to have been penetration tested. Why? Because if the person who owns the security process at an organization is savvy enough to incorporate security into requirements, design and implementation, they will absolutely know that they NEED to keep security a part of testing as well. Our industry changes too fast. Engineers are always going to be pressed for time. Even if everyone had the time, mistakes happen, and those mistakes are increasingly likely to be monetized by an attacker.
Final Thoughts
Relaxing the laws is not going to help us become a more secure society. Having security built into software and software development lifecycles will. Software engineers should all know how to design and build secure software. However, they will never be perfect. Penetration testers improve the odds that a mistake made earlier in the process is found by someone interested in fixing the problem rather than exploiting it. Take care of yourself, and each other.
daveg: good discussion in the comments


Chris_B
February 22nd, 2006 1:24 am
Actually MJR makes a good point. It’s just too bad that your self interest got in the way of it. Most of the work that passes for “pen testing” really could be made completely redundant with automated QA testing.
Anonymous
February 22nd, 2006 8:20 am
Perhaps you should clarify what you consider “pen testing” and if your definition includes the usage of braincells during the pen testing practice.
MJR does not make any sense (which has been the usual for the last 5-8 years); his commentary is just an inflammatory attempt to attract attention, given he has not had anything relevant to contribute for the past several years.
You could equally yell “if things were done right firewalls and NIDS would not be worth a bucket of piss and anyone who developed them should be sent to some neonazi redneck gulag” but that would just be an offensive rant if you are not MJR.
His crazy ravings against bug finders and pen testers are ridiculous, and more so when you consider that they are coming from the CSO of a vulnerability scanning company (Tenable).
When MJR was a “star” he proved his points with code (and not bug-free code btw); his crazy rants of today are just the sad demonstrations of a man that has been watching the game from the sidelines for too long now and intimately knows that he can’t get back on it anymore.
Chris Walsh
February 22nd, 2006 11:08 am
So, I guess Ross Anderson and Markus Kuhn are script kiddies for their work “pen testing” various chunks of hardware which (one hopes!) have been through extensive QA. Or maybe it’s OK if you do it to hardware or firmware.
Dave G.
February 22nd, 2006 5:38 pm
chris_b: Marcus’ point had nothing to do with automated QA testing. He actually said that this was about design and engineering. I agree with people who say that penetration testing should be integrated with QA processes. The way Marcus communicated (even calling a pen tester a ‘peon in the QA department’) just speaks to disdain of a set of skills that is a valuable part of the development process. If automation could remove the need for testers, then why do we have QA departments? QA automation tools have existed for years; there still seem to be plenty of testers (and poor quality software) around. Penetration testing is security QA. And if the criticism is that a lot of pen testing work is performed poorly, then I would agree and say that this is true of every part of the software industry.
Chris_B
February 22nd, 2006 8:53 pm
dave g: The question which comes to my mind is more one of “why aren’t automatable methods like ‘fuzzing’ included as part of a formal Security QA process?” and if this would indeed be beneficial, why isn’t this being advocated? After all, if professionals provide more than these types of clickety click services, it would seem to be in the interests of those professionals to distinguish themselves.
GM
February 23rd, 2006 1:44 pm
“Most of the work that passes for ‘pen testing’ really could be made completely redundant with automated QA testing.”
Then you probably don’t know any REAL pen testers.
Penetration testing isn’t just about the code. It’s about the business processes and human elements and how they interplay with the hardware, firmware, operating system, configurations and code. (It’s even about the physical security if you’re really thorough.)
Oh, and the ad hominem arguments are tiresome. Let’s skip them, shall we?
Dave G.
February 23rd, 2006 6:55 pm
chris_b: It is valuable, and we do actively advocate it with our customers. And development organizations are changing as a result of the industry’s advocacy. I ran the training organization for @stake, where we trained managers, architects, developers, and QA professionals on secure software development and building security into the software development lifecycle. Our organization trained thousands of people. That still has little effect on the value of penetration testing. What it can do, however, is reduce the amount of time spent on the findings of a penetration test. To use mjr’s analogy, we have gotten better at building bridges; that doesn’t mean we stopped stress testing them after they were done. Automated or not, in-house or third party, many applications need to be tested for security. People that are good at this provide value to businesses.