
Re: [Full-disclosure] SMS Banking



See my follow up email first.

Are you asserting that your entire basis for what "risk" is comprised of is the 
number of new vulnerabilities found in code?   Risk=code vulnerabilities?  
Please tell me you know more about this industry than that.   Actually, DON'T 
tell me that.  I don't want to start to feel more sorry for you than I already 
do.

We don't need six months.  Pick whatever 100 you want.  Come up with your risk 
factor.  I'll deploy them, and they will be 100% vulnerable to immediate 
"exploitation" and I'll laugh at your "risk figures" all the way to the bank.   
 This is getting better by the minute.

Care to up your bet?  I'll wager 4:1 for you.  Let's make it my $100k to your 
$25k, even though you've already set the terms and the amount in writing 
previously.  I'm happy to amend this.

t

From: Craig S. Wright [mailto:craig.wright@xxxxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, February 09, 2010 10:28 PM
To: Thor (Hammer of God); Valdis.Kletnieks@xxxxxx
Cc: pen-test@xxxxxxxxxxxxxxxxx; 'full-disclosure'; 
security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: [Full-disclosure] SMS Banking

I will happily do this.

"That it can be hacked, or will be hacked"
Anything CAN be hacked.

Software first. Choose 100 common software products. I will define scale here 
first. This will be number of vulnerabilities (new) that are found in each 
piece of software each month. This will also be related to the common metrics 
for the level of the vulnerability. This will be for 6 months. Choose the 
number of vulnerabilities and the impact of each of these for 6 months. It has 
to be commonly run software with a user base that I cannot count on one hand.

My predictions will be for these products and will have a confidence bound set 
at 95% (or alpha=5%).

"I further assume that the "loser" will be financially responsible for the 
"audits" done my way."
Are you saying that you will pay MY fees when you lose?

"won't look at the software code"
When you can get MS to give me their code this may be an issue, but it is not 
as yet.

Regards,
...
Dr. Craig S Wright<http://gse-compliance.blogspot.com/> GSE-Malware, 
GSE-Compliance, LLM, & ...
Information Defense<http://www.information-defense.com/> Pty Ltd


From: Thor (Hammer of God) [mailto:Thor@xxxxxxxxxxxxxxx]
Sent: Wednesday, 10 February 2010 3:59 PM
To: craig.wright@xxxxxxxxxxxxxxxxxxxxxxx; Valdis.Kletnieks@xxxxxx
Cc: pen-test@xxxxxxxxxxxxxxxxx; 'full-disclosure'; 
security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: [Full-disclosure] SMS Banking

Now you're talking.  But first let's work up an actual contract.  Neither of 
your components define anything.  When you say that you are going to predict 
"risk" with your  magic formula, do you mean if the software has 
vulnerabilities?   That it can be hacked, or will be hacked?

Be sure to define this properly and definitively - if you end up saying that a 
system has a 1% chance of being hacked, and I (or my auditors) hack it, would 
you claim you were "right"?  I question if you can even define the parameters 
of this bet, much less apply your formulas, but we'll see.

I also want to know what "scale" you plan to use.  So far, even though I've 
asked, you've not provided what the "answer" to your formula is, or how it will 
be applied.   I'm assuming, unless you are going to change your tune which I 
wouldn't doubt, that you won't look at the software code or threat models, but 
rather apply your formulas.  I further assume that the "loser" will be 
financially responsible for the "audits" done my way.

I'm more than happy to take your money, and I look forward to doing so.    
Since one of your masters degrees is in law, I'm assuming you can clearly 
define the terms of the contract.    I will, of course, insist upon a contract, 
and I hope you won't mind that I have my own attorney look it over.    I'm not 
immediately trusting of the competence of one with a doctorate degree and 
multiple masters degrees who can't spell "technology" or "experience" correctly 
on his on-line CV.

You are officially "on."  And I'm looking forward to it.

t



From: Craig S. Wright [mailto:craig.wright@xxxxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, February 09, 2010 7:41 PM
To: Valdis.Kletnieks@xxxxxx; Thor (Hammer of God)
Cc: pen-test@xxxxxxxxxxxxxxxxx; 'full-disclosure'; 
security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: [Full-disclosure] SMS Banking


I have a simple answer to this. Forget the debate, rhetoric is not a scientific 
method of determining truth.

"Thor" wants a challenge, let's have one - a real one and not one based on 
verbalisations, abuse and unfounded assertions.

I suggest two components:

1. A selection of software products are tested using both processes, that 
   is I use a model for the risk of these products, and "Thor" can make up 
   whatever guesses he wishes. We model (or "Thor" guesses, pulls from a hat...) 
   the vulnerabilities over a time period. The number of bugs in software as well 
   as the risk are to be presented as a monthly estimate.

2. We model a few systems (say 50). We can use Honeypots (real systems set 
   to log all activity without interference) run by an independent party to each 
   of us. I use probabilistic models to calculate the risk. "Thor" does whatever 
   he wants.

Each of the predictions is published by all parties. The one who is most 
accurate wins. Fairly simple?

I will even give a handicap to "Thor", I will offer to predict within a 95% 
confidence interval and that for me to win, at least 90 of the 100 software 
products and 45 of the 50 systems have to lie within my predicted range that I 
calculate and release. "Thor" has to simply guess better than I do no matter 
how far out he is.

I will put up $10,000 Au for my side. Let's see if "Thor" has something real to 
offer.

Regards,

...

Dr. Craig S Wright<http://gse-compliance.blogspot.com/> GSE-Malware, 
GSE-Compliance, LLM, & ...

Information Defense<http://www.information-defense.com/> Pty Ltd
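The scoring rule proposed in the post above (a 95% interval per product per month, and the modeller wins only if at least 90 of the 100 products land inside their published ranges) can be made concrete. The following is an added example, not code from anyone in this thread; the thread never names a model, so the Poisson fit on historical monthly counts, the product names and the counts are all assumptions constructed for illustration.

```python
"""Score a vulnerability-count forecast under the thread's handicap rule.

Added illustration; the Poisson model, product names and counts below are
constructed assumptions, not data from the thread or from any real product.
"""
import math


def poisson_cdf(k, lam):
    """P(X <= k) for X ~ Poisson(lam), accumulated term by term."""
    term = math.exp(-lam)
    total = term
    for i in range(1, k + 1):
        term *= lam / i
        total += term
    return total


def poisson_interval(lam, alpha=0.05):
    """Central prediction interval [lo, hi] with P(lo <= X <= hi) >= 1 - alpha.

    lo is the largest k with P(X < k) <= alpha/2; hi is the smallest k with
    P(X <= k) >= 1 - alpha/2. With alpha=0.05 this is the 95% band the post
    offers to publish.
    """
    lo = 0
    while poisson_cdf(lo, lam) <= alpha / 2:
        lo += 1
    hi = lo
    while poisson_cdf(hi, lam) < 1 - alpha / 2:
        hi += 1
    return lo, hi


def predict_intervals(history, alpha=0.05):
    """Fit lam per product as the mean monthly count, return {product: (lo, hi)}.

    A product with an all-zero history gets lam=0 and the degenerate band (0, 0);
    a real forecaster would want a floor on lam rather than betting on exactly 0.
    """
    return {p: poisson_interval(sum(c) / len(c), alpha) for p, c in history.items()}


def score(predictions, observed):
    """Return (hits, total): hits = products whose observed count fell inside the band."""
    hits = sum(1 for p, (lo, hi) in predictions.items() if lo <= observed[p] <= hi)
    return hits, len(predictions)


def modeller_wins(hits, total, required_pct=90):
    """The post's handicap: at least 90% of products must lie in the published range.

    Integer arithmetic avoids float rounding on the 90-of-100 boundary.
    """
    return hits * 100 >= required_pct * total


# Constructed sample data: six months of monthly vulnerability counts per
# hypothetical product, then the count observed in the month being scored.
HISTORY = {
    "product-A": [3, 5, 4, 4, 6, 2],       # mean 4.0
    "product-B": [0, 1, 0, 0, 1, 1],       # mean 0.5
    "product-C": [12, 9, 11, 8, 10, 10],   # mean 10.0
    "product-D": [1, 0, 2, 0, 0, 0],       # mean 0.5
}
OBSERVED = {"product-A": 7, "product-B": 0, "product-C": 21, "product-D": 1}


def run_challenge(history=HISTORY, observed=OBSERVED):
    """Publish intervals, score them against the observed month, apply the rule."""
    preds = predict_intervals(history)
    hits, total = score(preds, observed)
    return {"intervals": preds, "hits": hits, "total": total,
            "wins": modeller_wins(hits, total)}


if __name__ == "__main__":
    result = run_challenge()
    for product, (lo, hi) in result["intervals"].items():
        print(f"{product}: predicted [{lo}, {hi}], observed {OBSERVED[product]}")
    print(f"{result['hits']} of {result['total']} inside; modeller wins: {result['wins']}")
```

On this constructed data product-C is the kind of surprise the handicap is meant to price: a month with 21 findings against a 95% band of [4, 17] counts as a miss even though every other product landed inside, and 3 of 4 is below the 90% threshold, so the modeller loses the round. Note that the rule as stated only scores interval coverage, not interval width, so a forecaster could game it with very wide bands; any real contract would need to penalise width as well.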

_____________________________________________
From: Valdis.Kletnieks@xxxxxx [mailto:Valdis.Kletnieks@xxxxxx]
Sent: Wednesday, 10 February 2010 7:03 AM
To: Thor (Hammer of God)
Cc: pen-test@xxxxxxxxxxxxxxxxx; full-disclosure; 
craig.wright@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] SMS Banking


On Tue, 09 Feb 2010 17:39:39 GMT, "Thor (Hammer of God)" said:

> how about accepting a challenge to an open debate on the subject at Defcon?

"Alright folks just make yourself at home, Have a snow cone and enjoy the show"

                                -- Webb Wilder


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/