Monday, December 29, 2008

Some Non-Speculation on the CCC Breaking the CII Talk Tomorrow

I'll fess up right away. I have no interest in playing hermeneutical games with redacted texts or trying to divine the flaws that will be released tomorrow.

And the first time I read the talk writeup I thought, "Oh, God, here we go again... more preconference disclosure bullshit."

And of course they were already at it over on Dailydave. BGP. Crypto. Everybody loves BGP and Crypto. Some new DoS?

Get ready for the FUD machines to start. Time to get ill. Get the bucket ready. But after reading HD's blog (which was based on knowledge of the vulnerability) a second time (once wasn't enough) I'm thinking perhaps this one is different:

Their research combined a known weakness in one area with a massive resource investment in another to show that a third party was vulnerable to a practical attack that affects the security of all Internet users. Security researchers often release code and technical documentation to demonstrate a flaw, but in this case, they went a step further and used the attack in the real world to obtain proof that it works.

Not in terms of the vulnerability (or vulnerabilities) to be disclosed (although that may very well be) but as a way of disclosing critical vulnerabilities that neither trivializes nor desensitizes flaws that need to be addressed by vendors and the end-user community. The current model isn't working so well.

As you can already see, if folks within the hacker/researcher community (who should know better) conflate all the scary Internet infrastructure vulnerabilities, of course technology journalists will.

In the broader IT press, Kaminsky's DNS will be treated the same as Watson's TCP as Gont's ICMP as Oulu's ASN.1/SNMP as Guardent's TCP as Lee's TCP, etc. ad nauseam.

(If I weren't typing on this damn Netbook I'd add links, but google them yourself if you are interested. But you get the point.)

Within the mainstream media, each of these will be covered with approximately the same number of words, the same oversimplification and carefully selected, out-of-context quotes, regardless of the technical merit of the research, regardless of the scope of the flaws, and the professionalism (or lack thereof) of the finders.

And each time there will be the Oh-My-God-the-Internet-is-Doomed-thank-God-for-the-Hackers-that-Saved-It narrative.

(Compare the recent Wired article on Summer DNS flaws with the coverage of the 2003 TCP vulnerability discovered by Paul (Tony) Watson (aka the man that saved the Internet) and you will see an eerie similarity.)

Another wasted news cycle, and despite the claims of the finders, the security of the Infrastructure is not improved. End users are either confused or cynical. It is conference season again. It is just too easy to dismiss the research as an individual trying to make a name for themselves and climb the corporate security ladder, a consulting company marketing its services or a vendor hawking their wares in the guise of a BlackHat talk.

Unless there is proof.

And that is where it looks like this will be different. There is a huge difference between what you can prove with a few boxes in your basement, a one-rack testbed with 50-100k of gear, an ISP with live users, or the larger Internet.

Each environment for demonstrating attack vectors and vulnerabilities is less contrived and more like reality than the one before it. Each is an environment less under the control of the attacker/adversary/researcher, which is where it starts to get interesting. Meaning attacks on an Internet scale.

That is why real incidents (i.e. the smurf attacks of 98, the DDoS of 2000, the worms) teach far better lessons. They provide real data. They impact the bottom lines of vendors and users and impact operational best practices.

Compare that with flash-in-the-pan vulnerability presentations and you'll see why in the long run I wish more researchers would go beyond proof of concept and operationalize their exploits and discovered vulnerabilities.

Regardless of the technical details of the disclosure, it will be interesting to watch what happens. Will this be more of the same or the start of something new?
