Comments - Dave Aitel Interview


Author: ryansutton | Location: San Francisco, California | Posted: Fri May 13, 2005 12:37 am
    ----
That was an enjoyable read, many thanks to Don and Dave for their time invested. Hope to see more like this in the future.

~Ryan

Author: njan | Location: Scotland, UK | Posted: Fri May 13, 2005 12:48 am
    ----
Many thanks for the interview!

There's one question in particular which has a slightly disappointing reply, although I'm not sure whether other IT/Security Pros would agree with me or not (or even find the question as interesting as I necessarily do..):

Quote:

Question

Do you see security professionals such as yourself who actively do exploit development at odds with your security professional status?

Dave’s Answer

A security professional not knowing how to write exploits is akin to a chef not knowing how to actually cook. If you can't write exploits, you can't know what's actually possible with vulnerabilities, and you're just blowing hot air.


This is obviously fairly central to the Full-Disclosure vs. Zero (or limited) Disclosure debate - the argument as to whether or not exploit code (enabling dissection of - and response to - a particular vulnerability to be done, but also enabling the vulnerability to be exploited as part of an attack) should be released. I feel here that (on paper) he hasn't quite answered the question that was asked:

Quote:
Do you see security professionals such as yourself who actively do exploit development at odds with your security professional status?


The response to this question could have been quite an interesting commentary about active exploit development (and full disclosure) versus partial or non-disclosure (and vendor notification). Dave chose to answer the question on the assumption that anyone who doesn't "actively do exploit development" is incapable of doing so (rather than having chosen not to do so). It seems to me that the question asks about the development itself, not the knowledge as to how to do so. Perhaps alt_don was in fact referring to the capability to do this, rather than the occupation of doing this itself - I'm not sure.

That said, the response he gave is interesting also - and not necessarily one I would agree with - but still.

Thank you again for an interesting interview.

Author: dadragon | Posted: Fri May 13, 2005 8:28 am
    ----
That was a nice interview with an active member of the blackhat community. Thanks Don, but who have you got lined up next? How about David Litchfield? That would also be interesting.

Author: neewt | Location: Sweden | Posted: Fri May 13, 2005 9:38 am
    ----
While I don't fancy Dave Aitel and Immunisec's "disclosure-ethics", this was a good read and he makes several interesting pointers.

I hope there will be additional interviews in the future, with for example Marty Roesch (SourceFire/Snort) and Ron Gula (Tenable/Nessus). Perhaps the articles should be a little more focused on the particular professional's field of expertise? I would have enjoyed a few questions on how Immunisec "harvests" for vulnerabilities, and how much they pay for them et cetera.

Thank you Dave, and a good job Alt. Don!

Author: insecurepc | Posted: Sun May 15, 2005 6:41 pm
    ----
Don Parker's Question

What would you advise the budding computer security enthusiast on our forum to study material wise?


Dave's Answer

Learning assembly is the key to really understanding vulnerabilities. Immunity offers a few good classes in writing exploits, but for people with smaller budgets, there are a number of books on the subject out now. I think The Shellcoder's Handbook, which I helped write, is a bit on the advanced side for many beginners, who may feel more comfortable with some of the other books that have recently come out on the subject.
And, of course, there's always the old favorites of Dildog's “Tao of Windows Buffer Overflows” and Aleph1's “Smashing the Stack”. The key is practice. If you spend an hour a day working out, you'll get big muscles and manage to get chicks. If you spend that hour a day learning how to write exploits, you'll get rich, and still get chicks. It's a win/win either way, as long as you don't sit in front of your couch and smoke pot all day, and even then, you'll get the druggie chicks, who are a lot of fun to hang with, right up until they all marry muscle-bound middle management and rich hackers.

My response: The question is specifically on "budding computer security enthusiast". Assembly or Assembler programming and learning its vulnerabilities is not for the "new computer security enthusiast" at all. For those already very familiar with high-level programming languages, it is not a place to start. Why? Take a look at http://en.wikipedia.org/wiki/Assembly

or per http://www.liv.ac.uk/HPC/HTMLF90Course/HTMLF90CourseNotesnode10.html

Quote:
Assembler code is a Low-Level Language. It is so-called because the structure of the language reflects the instruction set (and architecture) of the CPU. A programmer can get very close to the physical hardware. Low-level languages allow very efficient use of the machine but are difficult to use.


For new security user? No. For a high level intermediate or advanced user, yes.

Don Parker's Question

In my opinion one of the biggest threats out there today is the uninformed home user. Hence the bot net problems, and launch points for other black hat attacks. Do you think that computer users should have to do a “computer competency” exam, much like new car drivers do. This is unrealistic I agree, but a valid question I think.

Dave’s Answer

Perhaps we should also sign a two-year service plan, much as most cell phone users do? Except in the overblown minds of prosecuting attorneys, the damage any DDoS attack does is far overshadowed by a single car crash. Cars kill people; DDoSes don't. A persistent DDoS can put a company out of business, but there are technological ways to prevent this sort of thing, and they're in place now at all the major ISPs. I'm not sure why everyone is so scared of Botnets. I imagine the only reason they get so much attention is that they're quite an easy problem to solve, and people love to show how smart they are by solving easy problems.

My response: Dave's answer is clearly blowing off the home and small office user/owner and of no help in understanding the core question(s), which is what this group of users is concerned about and how to address them.

I would think Dave or his sister/brother/parents are not in that single car crash. Or that anyone he may care about has that small electronic store front and hopefully they survive long enough to not go out of business. This is all based on his clear general lack of concern over the small guy.

This continues with answers like "there are technological answers to prevent this sort of thing" which is of no use to anyone. Dave's "I don't care" attitude shines bright in his answers. According to Dave we should all be using only major ISPs.

The question on a general lack of understanding is a valid one and deserves to be answered properly. Not with the disrespect and disdainful attitudes the blackhat hackers are known for. The bots example was clearly just an example, not the Holy Grail for home or small business users.

Dave's attitude toward other users and business is very similar to statements made by Kevin Mitnick prior to and even a few since his arrest and trials. Kevin now alters his words since he's attempting to make money off his own history. (I'm referring to the IRC logs of his private chats with others during and after his adventures with Digital's VAX OS made public during the trial by the FBI). This is something to remember next time anyone thinks a private room is private using IRC or any chat type applications. There isn't any privacy online, only variations of how public your "private" conversation is.

Author: capi | Location: Portugal | Posted: Sun May 15, 2005 7:18 pm
    ----
insecurepc wrote:
My response: The question is specifically on "budding computer security enthusiast". Assembly or Assembler programming and learning its vulnerabilities is not for the "new computer security enthusiast" at all. [...assembly is difficult... etc...]

I would have to disagree. Regardless of the assembly language's learning curve being steep or not, Dave's statement that "Learning assembly is the key to really understanding vulnerabilities" is still very much true. Any security enthusiast, new or otherwise, will have to learn assembly language if they want to really understand what's going on. Simply put, the sooner you start learning it, the sooner you will get there.

Quote:
My response: Dave's answer is clearly blowing off the home and small office user/owner and of no help in understanding the core question(s). [...]

I would think Dave or his sister/brother/parents are not in that single car crash. Or that anyone he may care about has that small electronic store front and hopefully they survive long enough to not go out of business. This is all based on his clear general lack of concern over the small guy. [...]

First of all, I fail to see the relevance of the man's family and them having been in a car crash or not. Let's try to keep measured and professional here please. The argument doesn't even make sense, as he was clearly stating that a car crash is by far more important than a DDoS attack, not the other way around (that was his whole point, just read "Cars kill people; DDoSes don't.").

Frankly I don't see much else that could have productively been said in answer to that question. Pheer teh l33t DDoSers for they will bore you to death? Poor users? Headaches suck? Maybe that would be less "disdainful to the common man"?

I am not in any way affiliated with, nor do I personally know, Dave Aitel. However, I think we can keep things at a constructive level, can't we? He spent the time to answer our questions, I think the least we could do would be to avoid five paragraphs of stating how he doesn't give a damn about anyone because he's a blackhat and he said that DDoSes are overhyped by the media...

Author: njan | Location: Scotland, UK | Posted: Sun May 15, 2005 7:33 pm
    ----
Quote:

I would have to disagree. Regardless of the assembly language's learning curve being steep or not, Dave's statement that "Learning assembly is the key to really understanding vulnerabilities" is still very much true. Any security enthusiast, new or otherwise, will have to learn assembly language if they want to really understand what's going on. Simply put, the sooner you start learning it, the sooner you will get there.


Not necessarily - as with the question I commented on earlier, I think that Dave Aitel is overstating the significance of learning vulnerabilities and the role that they play; specific to vulnerabilities, there are plenty of vulnerabilities, such as SQL Injection attacks, Cross-Site Scripting, and other network-related vulnerabilities (such as some TCP/IP stack exploits) which do not always necessarily require a knowledge of assembly in order to understand or exploit; in fact, arguably, the only type of vulnerabilities which do require a knowledge of assembly are local (generally privilege escalation) exploits which necessitate local access.

Anyone who argues that these types of vulnerability (SQL injection, XSS, TCP/IP vulnerabilities (particularly those which are DoS vulns rather than remote code execution) ) are insignificant or not proper vulnerabilities really misunderstands why vulnerabilities are an issue in the first place - the reason that security is big business is because insecurity does damage. You'd be hard pressed to find a decent Security Pro who didn't do what they did because they enjoyed it, but ultimately, the reason that those of us who work in IT or InfoSec are employed is because businesses don't want their computer systems broken into. For these businesses, it doesn't matter whether SQL Injection is a 'proper' vulnerability or not - it does damage, and that's what matters.

(Continuing this argument, you could argue that a SQL Injection is a more significant attack in many instances than a local privilege escalation buffer overflow - although the overflow requires local access and the result is access to a computer system, the SQL Injection works remotely and the result, especially for companies which hold customer information and financial details, is very damaging.)

I suppose any evaluation of what he said really depends upon what you think the significance of these two types of vulnerability are (local vs. remote). There's also that ambiguous 'really' qualifier in there; I'm sure a perfectly valid response to this argument could be "sure, you can understand these vulnerabilities, but in order to really understand them, you need to understand assembler".


Author: bknows | Posted: Thu May 19, 2005 1:32 pm
    ----
Good interview. Somewhat irritating, but that's good too!

Quote:
I'd sooner have rabies than regulation. All vendors throughout time have made outlandish claims.


I don't like regulation either, but it seems the only way to get the majority to comply (and even then they cheat like fire (a la SOX)). All you out there who deal with SOX, you know that it majorly (nice word) beefed up security of most companies. Sure, SOX has a lot of crap in it too, but overall, it has been good for security, bad for the bottom line.

Also, what outlandish claims has this vendor made? He admitted ALL vendors make them? Seriously...


Quote:
A security professional not knowing how to write exploits is akin to a chef not knowing how to actually cook. If you can't write exploits, you can't know what's actually possible with vulnerabilities, and you're just blowing hot air.


First, I'm a sec pro who doesn't write exploits or know assembler. I agree that would certainly enhance MY understanding and help me do my job better. Having said that, his statement is simply not true.

So I'm just blowing hot air at my company? All that I've done is useless? All my work is pretend?

Take one of the larger problems he mentioned: unsecured and uninformed home users. I need to know how to write exploits to help moms, dads, and kids understand that they need to run winupdate and that they shouldn't open emails with strange subjects or click on attachments from those they don't know?

I need to know exploits to craft good policies so my company has a clue? To convince management that we need a procedure for ensuring servers put in the DMZ should be certified first? To provide basic infosec training to new employees at orientation? and the list goes on.

Perhaps he meant sec pro in the sense of those super technical people that the rest of us rely on. But even then, most of the guys I go to don't write exploits. Does Schneier write exploits? Greg Shipley? Even if they do, there's a lot more to security than writing exploits.

Call me a securi-skiddie if you want, but I add real value to my company every day, and thanks to SOX, a lot more than last year. We wouldn't need regulation if business just did the right thing.

I think his exploit comment is advertising for his exploit classes they teach. And if you fall for it, the thing that gets exploited is YOU!

Having said that, overall, a good interview. Thanks, Don!

Author: njan | Location: Scotland, UK | Posted: Thu May 19, 2005 3:19 pm
    ----
Well put, bknows, thank you for saying what I was thinking!

Author: mxb | Posted: Thu May 19, 2005 4:19 pm
    ----
bknows wrote:
Perhaps he meant sec pro in the sense of those super technical people that the rest of us rely on. But even then, most of the guys I go to don't write exploits. Does Schneier write exploits? Greg Shipley? Even if they do, there's a lot more to security than writing exploits.


I think he meant security professional as in one who finds vulnerabilities in systems; application security testers, penetration testers etc. This seems to be the focus of the company where he works and their products.

Cheers,
Martin

Author: Sgt_B | Location: Chicago, IL US | Posted: Thu May 19, 2005 4:42 pm
    ----
As a pentester I don't think one has to know how to write exploits or know assembly at all. As a matter of fact, I can't code exploits, and assembly makes me cranky. This does not mean I can't do my job. In fact, I do my job quite well, and my results help my clients immensely.

One does have to understand the theory behind vulnerability, and must know what the exploit you're running against a host does. Without that knowledge you're blindly poking at a server which puts the client at unnecessary risk.

Then there's the matter of a successful pentest where it simply wasn't necessary to run (or write) "exploits". Does the knowledge of assembly or exploit code writing help there? No.

Exploitation of vulnerability is not pigeon-holed into technical knowledge of exploit coding or assembly. At its base, it is theory and mindset. After that, there are a plethora of technical abilities that support theory, and allow a security professional to do his or her job.

Like bknows said having the skill of being able to code exploits would greatly enhance my abilities, but I'm just not there yet. This certainly does not mean I "blow hot air".

If my job were application code audits, then yes, not knowing assembly would prevent me from doing that job.

Conversely, if my job were to audit web applications, would my knowledge of assembly or lack thereof have any impact on how well I do my job?

"Security Professionals" cover a wide area of talents and job duties. To lump them all into one category and make the statement Aitel made was a bit ridiculous.

Author: hugo | Location: Netherlands, Europe | Posted: Thu May 19, 2005 5:42 pm
    ----
Sgt_B wrote:
As a pentester I don't think one has to know how to write exploits or know assembly at all.


There's quite a difference between 'knowing assembly' and 'understanding assembly', a difference of 'guru' and 'beginner'.

I can't read a line of machine code -- but I understand how it works. I can grasp how a computer does its work internally. I can also deduce how to make something go boom. Exploiting it is a whole other cup of tea.

But, by not even understanding assembly, could one be really considered a security-professional?

It's like a doctor that looks up what medicine goes with the symptom without understanding anything about the human body's internal processes.

If a person uses tools to pen-test networks without understanding, or even knowing, why these strings of bytes are possibly malicious, isn't he just a point-and-click monkey, meaning anyone can do that specific job?

In my point of view I think he is. (I have sudden visions of some company actually hiring monkeys to do this, but let's not go there.)

Anyways, I noticed a lot of people saying they don't understand assembly and can do their security work just fine.

My question to those people is: if you see a big string of AAAAAAAAAAAAAAAAAAAAA's with ASCII garbage appearing in your log-files, you know what's up, right?

If you do, I can conclude that you do understand assembly.

If you don't, well...
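
A small defensive illustration of the log-file check hugo describes above, added here as an example and not part of anyone's post in this thread: it scans constructed web-server access-log lines for the two tell-tale signs of a buffer-overflow probe, a long run of one repeated byte (the "AAAA..." padding) and a cluster of escaped non-printable bytes where a server has written raw request bytes into its log. The log format, the sample lines, the threshold values and the function names are all assumptions made for this example; the point is that the heuristic is recognisable from the log alone, before anyone reads a line of assembly.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample access-log lines (not taken from any real server or from
# the thread). Line 2 carries 600 'A's followed by escaped high-bit bytes of the
# kind a server emits when it logs non-printable request bytes as \xNN.
SAMPLE_LOG: List[str] = [
    '10.0.0.5 - - [19/May/2005:17:42:01 +0200] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [19/May/2005:17:42:07 +0200] "GET /cgi-bin/'
    + 'A' * 600 + '\\x90\\x90\\x90\\xeb\\x1f HTTP/1.0" 400 0',
    '10.0.0.7 - - [19/May/2005:17:42:09 +0200] "GET /images/logo.png HTTP/1.0" 200 8812',
    '10.0.0.9 - - [19/May/2005:17:42:15 +0200] "POST /login HTTP/1.0" 302 0',
]

# Matches one escaped byte as written by the (assumed) log format, e.g. \x90.
ESCAPED_BYTE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')


def longest_run(s: str) -> Tuple[str, int]:
    """Return the character and length of the longest run of one repeated
    character in s; ('', 0) for an empty string."""
    best_char, best_len = '', 0
    i = 0
    while i < len(s):
        j = i
        while j < len(s) and s[j] == s[i]:
            j += 1
        if j - i > best_len:
            best_char, best_len = s[i], j - i
        i = j
    return best_char, best_len


def nonprintable_count(s: str) -> int:
    """Count escaped \\xNN bytes that fall outside printable ASCII (0x20-0x7e).
    A NOP sled or shellcode logged this way shows up as a cluster of them."""
    return sum(
        1 for m in ESCAPED_BYTE_RE.finditer(s)
        if not 0x20 <= int(m.group(1), 16) <= 0x7e
    )


def looks_like_overflow_probe(line: str, min_run: int = 200,
                              min_nonprintable: int = 3) -> bool:
    """Heuristic: a very long single-byte run or several non-printable bytes
    in one request line. Thresholds are assumptions; tune them per site."""
    _, run = longest_run(line)
    return run >= min_run or nonprintable_count(line) >= min_nonprintable


def scan_log(lines: List[str], min_run: int = 200,
             min_nonprintable: int = 3) -> List[Dict[str, object]]:
    """Return one record per suspicious line with the evidence that flagged it,
    so an analyst can see at a glance why the line was selected."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        ch, run = longest_run(line)
        npc = nonprintable_count(line)
        if run >= min_run or npc >= min_nonprintable:
            hits.append({"line": n, "run_char": ch, "run_len": run,
                         "nonprintable": npc})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: run of {hit['run_len']} x {hit['run_char']!r}, "
              f"{hit['nonprintable']} non-printable bytes")
```

Run as written it flags only the second sample line. The two signals are deliberately kept separate in the output, because a long run on its own can also come from a broken client or a fuzzing scan, while a cluster of high-bit bytes in a request line is the stronger indicator and is worth correlating with the server's response code and any crash in its error log.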

Author: alt.don | Posted: Thu May 19, 2005 6:50 pm
    ----
Hi guys,

First off, let's keep the commentary professional here, and keep personal animosity out of it. Hugo is right in that you must understand assembly, but not necessarily be able to code it. Does Dave have a point in his comment about "you must be able to write exploit code"? I personally feel that like in any job you will have the elite, and then the others. Dave Aitel is obviously part of the hacking elite. The large remainder of us are knowledgeable and competent. If we want to be elite then we know what we have to learn; C, ASM, and other stuff. No one likes to have their ignorance pointed out, nor do I, he is though giving his informed opinion.

Author: bknows | Posted: Fri May 20, 2005 1:24 pm
    ----
Quote:

I think he meant security professional as in one who finds vulnerabilities in systems; application security testers, penetration testers etc. This seems to be the focus of the company where he works and their products.


That would make a lot more sense.

Quote:
I personally feel that like in any job you will have the elite, and then the others. Dave Aitel is obviously part of the hacking elite. The large remainder of us are knowledgeable and competent.


Call it picky, but Dave used the word "professional" not "elite." We may be competent, but in Dave's mind, we are NOT "professional." At best, he was not very clear. I think we should be picky when an expert speaks, as it carries a bit more weight. Not everyone thinks for herself, but too many rely on the quotes of others for their wisdom.

Don, perhaps you might ping him for more clarification and post his reply?

Author: dadragon | Posted: Fri May 20, 2005 5:05 pm
    ----
Quote:
My question to those people is: if you see a big string of AAAAAAAAAAAAAAAAAAAAA's with ASCII garbage appearing in your log-files, you know what's up, right?

I enjoyed that interview and still want to know who is lined up next, but do you think they will bother? Let's wait and see...

Author: alt.don | Posted: Fri May 20, 2005 7:48 pm
    ----
I already have several other people lined up for the series of interviews that Dave Aitel was kind enough to contribute to. Stay tuned as they say.

Author: alt.don | Posted: Sat May 21, 2005 3:03 am
    ----
Apologies for the bump on this. Not something that should be done. Dave Aitel has indicated that he is willing to answer a second round of questions based on the responses to his interview. Soooo, you guys feel free to post the questions here. If there are none then I will simply formulate them myself. Much as I said before, many thanks to Dave for doing this on his billable time. Lastly, in retrospect I perhaps should have worded some of the questions better. That is my fault. Also as I alluded to earlier there are quite a few others who are lined up for interviews such as HDM of metasploit fame, Mike Sues, and others. Stay tuned!

Author: dadragon | Posted: Sat May 21, 2005 10:41 am
    ----
That's great, Don; even better is Dave agreeing to answer some more questions with regards to the interview, and I am sure others will appreciate that as well. But please note that if you carry on like that we might insist on interviewing Alt.Don sometime in the near future.

Author: alt.don | Posted: Sat May 21, 2005 2:39 pm
    ----
Well, many thanks for the compliment dadragon, it is appreciated. These interviews I feel add a value not found anywhere else. It is great to see the leading lights in the computer security industry giving us their time and thoughts.
