Friday, April 07, 2006

I'd like to buy an 0, HOPE6, BSOD, Captain Obvious and media whoring...

Let's start with CanSecWest, and the vulnerability commercialization panel they had on Wednesday. There was much spirited debate but no end agreement between the parties... takes me back to ShmooCon and the BOF panel on training... but I digress.

In the press, Michael Sutton is quoted as saying that vendors need to pay for vulns, and later in the article a customer states he expects vendors to pay for vulns as well.
"The only economic model that does not make sense to me is the vendor's," Sutton said. "They get to know about a vulnerabilities ahead of time, but they are unwilling to pay for them."
Let's blithely assume for a moment that vendors and researchers could agree on the dollar value of a vulnerability (ROTFLMAO). There is still a big problem with the 'buying vulnerabilities protects customers' argument: if Oracle buys a vuln from David Litchfield, Oracle now owns the vuln. That means that they don't EVER have to fix it if they don't want to. I'm not just picking on Oracle - this is true of ANY vendor. They wouldn't be buying vulns, they'd be buying silence. And that would just piss everyone off - hell, that's why full disclosure practices started to begin with - the only way to get a vendor to fix a security bug was to publicly shame them with it. So I wholeheartedly disagree that vendors buying bugs would make me as a computer user any safer.

I have no problem with reputable third parties buying vulnerabilities and working with vendors to protect customers. I'll admit I think Tipping Point's ZDI program does a better job of that than iDefense's VCP program simply because iDefense's customers leak their confidential advisories all the time before patches are available. But these programs do play an important role in the security ecosystem that benefit customers, researchers, and vendors.

Other stuff:

Dates for HOPE number 6 have been announced - July 21-23, just a week or so before Black Hat Vegas. Of course I've added HOPE to the upcoming cons list...

Check this out - I've heard most people aren't having much trouble with Apple's Boot Camp beta, but this guy managed to get the legendary Blue Screen of Death. I haven't seen that on one of my boxes in over five years. Wow. Comments on the blog suggest that this was a known bug in the beta relating to iSight... doh!

Adam Shostack makes some interesting observations on recent media regarding rootkits on the Emergent Chaos blog. Yeah, he is right, this is a Captain Obvious type of situation where everyone in the security space already knew that rootkits were a big dangerous problem. But I think (or at least hope) the point of the Microsoft presentation at InfoSecWorld in FL that spurred the eweek article was to educate less security savvy customers about threats we are facing today and give guidance on how to deal with them. Adam also mentions the extremely cool work being done by John Heasman of NGS on ACPI BIOS rootkits that was presented not only at Black Hat Federal, but Black Hat Amsterdam and will again be presented in May at the Computer and Enterprise Investigations Conference. Right now it is super cutting edge stuff - so maybe if John gives the talk often enough, more people will pay attention (and by someone I don't mean the bad guys). After giving the talk at Black Hat Federal in January, Rob Lemos ran a story which quoted Greg Hoglund as saying:
"It is going to be about one month before malware comes out to take advantage of this," said Greg Hoglund, CEO of reverse engineering firm HBGary and editor of Rootkit.com. "This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in."

It would be a shame if the security industry didn't pay attention in January to John's early warning and is surprised when malicious bios rootkits emerge.

And since I've mentioned CEIC, I may as well throw a shameless plug out for Vinnie Liu's talk on Defeating Forensic Analysis (with his business partner Patrick Stach) on Thursday May 4 at the con. Vinnie is a very smart guy - if you are attending CEIC, I'd definitely attend their session. I'm such a groupie I'd go to NV just to see this talk, but I think that would violate the restraining order...

~Elphie

Labels: , , , , , , , , , ,

2 Comments:

Anonymous Anonymous said...

Many people know the importance of self confidence and try to boost their own by using many different personal development models. Self confidence to most people is the ability to feel at ease in most situations but low self confidence in many areas may be due to a lack of self esteem. Low self esteem takes a more subtle form that low self confidence. So if you are tired of feeling not good enough, afraid of moving towards your desires and goals, feel that no matter what you do it is just never good enough, then your self esteem could do with a boost.
Every day we make decisions based on our level of self-esteem. We also exhibit that level of self esteem to those around us through our behaviour. 90% of all communication is non-verbal - it is not what you say but ho you say it that matters! Your body language, tonality and facial gestures can all tell a completely different story to your words. It is our behaviour which influences others and people react to us by reading our non-verbal communications. Have you ever met someone you just didn't like although on the surface they seemed polite and courteous, or you met someone who seemed to speak confidently yet you knew they were really frightened underneath and just displaying bravado?
Parental and peer influences play a major part in moulding our level of self-esteem when we are children and in our early years of adolescence. The opinions of the people closest to us and how they reacted to us as individuals or part of the group was a dominant factor in the processes involved in forming our self esteem.
As adults we tend to perpetuate these beliefs about ourselves and in the vast majority of cases they are ridiculously erroneous. It is time to re-evaluate our opinion of ourselves and come to some new conclusions about these old belief patterns.
Ask yourself some serious question:
Is your long-held view about yourself accurate? Do we respect the sources from which we derived these beliefs? Most of the negative feedback we bought into as we were growing up actually came from people we have little or no respect for and as adults we would probably laugh their comments away! Yet the damage to your self esteem was done when you were very young and you still carry it with you to this day.
Is it possible that even those people you respected, who influenced your self-worth, were wrong? Perhaps they had low self esteem also.
As adults we have the opportunity to reshape our self-esteem. Try to judge accurately the feedback you receive from people you respect. This process will allow you to deepen your understanding of yourself and expand your self-image. It will also show you were you actually need to change things about yourself and were you don't. Many people are striving to better themselves in areas where they are just fine or actually excelling and it is only because they have an inaccurate picture of themselves in their minds due to low self esteem!
Setting small goals and achieving them will greatly boost your self-esteem. Identify your real weakness and strengths and begin a training program to better your inter-personal or professional skills. This will support you in your future big life goals and boost your self-esteem and self confidence to high levels you didn't existed!
Learn to recognise what makes you feel good about yourself and do more of it. Everyone has certain things that they do which makes them feel worthwhile but people with low self esteem tend to belittle these feelings or ignore them.
Take inventory of all the things that you have already accomplished in your life no matter how small they may seem. Recognise that you have made achievements in your life and remember all the positive things that you have done for yourself and others. Take a note of your failures and don't make excuses like "I'm just not good enough" or "I just knew that would happen to me", analyse the situation and prepare yourself better for the next time. If someone else created success, regardless of the obstacles, then you are capable of doing the same! Remember everyone has different strengths and weakness so do not judge your own performance against that of another just use them as inspiration and know that what one human being has achieved so can another!
Surround yourself with people who respect you and want what is best for you - people who are honest about your strengths and will help you work through your weakness. Give the same level of support to them!
Avoid people who continually undermine you or make you feel small. These people are just displaying very low self esteem. As your own self esteem grows you will find that you are no longer intimidated by another's self confidence or success and you can actually be joyful for them! Do things you love to do and that make you happy. A truly happy person never has low self esteem they are too busy enjoying life! By getting busy living your life with passion and joy you will not be able to be self-consciousness.
If you find yourself feeling self-conscious in any situation focus on the fact that others can tell and many of them will be feeling the same. Be honest. People respond to someone better if they openly say "To tell you the truth I'm a bit nervous" rather than displaying bravo or fake confidence that they can see right through. Their reactions to you, will show your mind at a deep level, that there was actually nothing to be frightened of and everything is great. If someone reacts to this negatively they are just displaying low self esteem and very quickly you will find others noticing this! Really listen to people when they talk to you instead of running through all the negative things that could happen in your head or focusing on your lack of confidence. People respond to someone who is truly with them in the moment..
Breath deeply and slow down. Don't rush to do things.
Stop the negative talk! 'I'm no good at that' or "I couldn't possibly do that" are affirmations that support your lack of self esteem. Instead say "I have never done that before but I am willing to try" or "how best can I do that?". Which leads us to the last point - the quality of the questions you ask yourself s very important.
When you ask a question it almost always has a preposition in it. For example, "How did I mess that up?" presumes that something was messed up, a better way of phrasing the question would be "what way can I fix this quickly?", as this presumes you can and will fix it. Or "How am I ever going to reach my goal?" could be rephrased as "what way will lead me to my goal quicker" presumes that you are going to reach your goal! Get the picture? Change the quality of your questions and your results will change!
Practise these techniques and watch your self esteem rise day by day. lucid dream

3:03 PM  
Blogger Elphaba said...

This comment makes more sense attached to some of my June 2006 posts on identity, so I'm not sure if it is spam or an authentic reader comment. But either way it is well written (though poorly formatted) and positive in attitude, so I'm going ahead and approving it for posting...

~E

3:59 PM  

Post a Comment

<< Home