hello dailydave readers. i already emailed dave to say thanks for ruining my famously low profile.
on the bright (i guess) side, him doing so has forced me to make a post i've been mulling over for the past while, so you have a long "interesting" post to read and not just me making fun of slashdot users. it's largely inspired by a recent stratfor email (i'm a huge fan of these guys) and a recent discussion on dailydave on the usefulness of HIPS products.
i realized that the discussion was basically the same discussion that comes up over and over again on mailing lists (no, not the one about whether disclosure is good or bad). after reading the aforementioned stratfor email, i realized this argument is really just another form of the idealism v realism debate.
it goes like this:
Idealist: all security products designed to stop attacks/attackers are useless and snake oil, because a skilled enough attacker can always evade the HIPS/evade the NIPS/defeat the heap protection/own you.
Realist: security products are useful and worth purchasing because they can stop unskilled attackers armed with off-the-shelf (freely downloadable) exploit frameworks like metasploit (although hd's recent talk at cansec stated that the new nips evasion techniques evade almost every product), and they stop actual malware as seen on the internets.
i think my bias/opinion probably shows even in that simple problem statement, but what can you do, it's human nature. i started thinking about idealism v realism at cansec when someone told me that hips are useless and trivial to evade (idealist). i said, ok chief, julien's release of slipfest makes it easy to test ways of evading them, but the fact remains that i've seen a hips product stop metasploit, core IMPACT, and some malware from the internets, so you can't really deny it does serve some purpose (realist).
i will trot out some awesome industry buzzword bingo here and say that in my opinion, security is not stopping 100% of all possible attackers, it really IS about threat modeling and threat mitigation. if you're expecting the top 2% of attackers to come after you, you need a top-shelf solution. if your threat model is whatever random malware is out there running on web sites your users are browsing with IE, you need something good enough to stop that. sure, you leave yourself open to some things, but if these things aren't in your threat model and you're willing to accept that risk, so be it. this is big picture shit, which, if you're thinking about security and what you need to do about it, is what you should be thinking about.
the stratfor email i read made what i thought was a very good point: that realism will always win in the short term (pragmatism), but it needs to be guided long term by idealism. the 'state of the art' in computer security seems to me to be a trickle-down effect. techniques/exploits/vulnerabilities are created/discovered and kept private, then maybe they get distributed to a small group of people, then maybe they get published somewhere in a non-mainstream publication/location, etc etc, and then eventually someone implements them in a form so easy to use that anyone can do it. the idealist says, we need to be thinking about these problems because, mr. realist, although you may say they are not in widespread usage by j random attacker right now, someday soon THEY WILL BE. this boils down to: think about the future, or it will kick your ass eventually. maybe the industry has realized this, and this is why research is pretty hot again right now...
thanks again, dave, good to see you and sinan last night as always.