Can the academics beat the black hats?

  • Can the academics beat the black hats?

    Testing is practically a fetish among the Ruby community. I just went to RubyConf (which was, well, very, very different from DEFCON) and one of the things covered was fuzz testing, i.e. generating all sorts of random tests to hammer your code with, and seeing what breaks.

    The guy who gave the presentation (who played a music video through aalib. I so have to do that at DC15) pointed out that this parallels the (black/gray hat) approach of discovering security vulnerabilities by hammering a program with randomly generated input until it breaks. (e.g. eEye discovering countless IIS flaws by hammering it with randomly constructed HTTP requests, or discovering HTML parsing vulnerabilities in IE by permuting HTML tags in weird ways until it broke)

    Rubyists are completely nuts about testing. The real weaknesses seem to be in standard libraries which have been bundled with Ruby for years and have gone unmaintained (one was just disclosed in Ruby's standard CGI library).

    Really feels like the academic crowd is really starting to give a shit about building bulletproof applications. I walk the line between the tribes being the hippie college drop-out that I am (and I fit in kinda weird at both cons), but: in languages like Ruby, are the fundamental security problems which have plagued software since its inception finally being solved in very generalized ways?

    That's not to say that I don't expect elaborate ways to attack extensively tested systems will be devised... the obvious places to hit such a system are the leaky abstractions (e.g. a DoS through resource exhaustion), high level conceptual attacks, or finding a place where the generalities afforded by the language let you sneak something craftily through.

    I guess what I'm really asking is: if the stakes are being raised on the developer side by solving many of the fundamental problems which have plagued software since its inception, will the black/gray hats have to get smarter to compensate?

  • #2
    Re: Can the academics beat the black hats?

    Who's to say that there aren't hackers that are also academic, or academics that aren't black hats, or white hats that don't do black hat things or grey hats that don't do black hat things and go to college, or redhats that are asshats?

    Heh-heh. Seriously though...

    Just because some colleges are focusing on educating their students on the merit of security in their applications, does not mean it's happening at all colleges.

    Teams seem as strong as their weakest coder.

    Fuzz-testing is no proof of security, it should only be a tool to help uncover coding mistakes. (Problems uncovered with fuzz-testing are sufficient as conditions to showing security problems in code, but not necessary: If problem found with fuzz testing -> code has problem (T) but if not problem found with fuzz testing -> not code has problem (F))

    Can academics beat blackhats? Only in specific cases where there are limits put in place in the "game" but not when there are no limits to what blackhats can do.

    Security includes availability.

    Denial of Service is an example of a failure in availability.

    Physical access allows for the chance for physical damage or termination of power which are failures in availability.

    Sufficient physical damage or termination of power provides denial of service.

    Denial of Service is a failure in security.

    Game over.

    With no limits in such a game, physical access is possible with sufficient numbers of people. Example given: an invading army.

    Does an invading army with intention to break security meet the common description of a blackhat? Sure.

    Impose limits in the game, and the academics have a chance or an advantage if THEY define the limits. Without limits, "blackhats" have an advantage.
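    An added example, not code from either post or from Ruby's standard library, that makes the point of both the first post (hammer a parser with random input until it breaks) and the reply (a fuzzer finding nothing proves nothing): a seeded fuzz harness in Ruby run against two constructed header parsers, one with a defect random input reaches quickly and one with a defect behind a magic key that this generator will never produce. The parsers, the bugs and the alphabet are all constructed for illustration.

```ruby
# Added example: a minimal fuzz harness in the spirit of the RubyConf talk.
# The two target parsers and their defects are constructed for illustration;
# this is not code from the thread or from Ruby's standard library.

# Target A: naive "key: value" header parser. Defect: a line with no ":"
# leaves value == nil, and nil.strip raises NoMethodError. Random input
# reaches this almost immediately.
def parse_header_a(line)
  key, value = line.split(":", 2)
  { key.strip => value.strip }
end

# Target B: the nil case is handled, but a constructed bug fires only for one
# exact key. The fuzzer's alphabet has no digits, so it can never produce it.
def parse_header_b(line)
  key, value = line.split(":", 2)
  return {} if value.nil?
  raise "unreachable state reached" if key == "X-Magic-Token-7f3a" # constructed bug
  { key.strip => value.strip }
end

ALPHABET = [*"a".."z", ":", " ", "\t", "-"].freeze

# One random header-like line from a seeded RNG, so a run is reproducible.
def random_line(rng, max_len = 16)
  Array.new(rng.rand(0..max_len)) { ALPHABET[rng.rand(ALPHABET.size)] }.join
end

# Hammer the block with `iterations` random inputs and return the distinct
# failures, keyed by exception class, each with the input that triggered it
# (that input is what becomes the regression test).
def fuzz(iterations: 2000, seed: 1234)
  rng = Random.new(seed)
  failures = {}
  iterations.times do
    input = random_line(rng)
    begin
      yield input
    rescue StandardError => e
      failures[e.class] ||= { input: input, message: e.message }
    end
  end
  failures
end

if $PROGRAM_NAME == __FILE__
  a = fuzz { |line| parse_header_a(line) }
  b = fuzz { |line| parse_header_b(line) }
  puts "target A: #{a.size} failure class(es) found: #{a.keys.inspect}"
  puts "target B: #{b.size} failure class(es) found, yet the magic-key bug is still there"
end
```

Target A's failure shows up within the first few inputs; target B reports zero failures after the same 2000 inputs, which is exactly the "no problem found does not mean no problem" case from the reply.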


    • #3
      Re: Can the academics beat the black hats?

      I suppose you need a balance... an academic who has little or no knowledge of how the stuff works in practice is unlikely to succeed - and neither is simply brute force testing and trial and error without a decent knowledge of how it all works.

      Also, they're offering courses in hacking at Abertay University starting this year (that's in Scotland by the way, where I live). Apparently they teach students all aspects of hacking and 'countermeasures' so as to train the security experts of the future, I guess.