[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] SMS Banking

To: "craig.wright@xxxxxxxxxxxxxxxxxxxxxxx" <craig.wright@xxxxxxxxxxxxxxxxxxxxxxx>, "'full-disclosure'" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] SMS Banking
From: "Thor (Hammer of God)" <Thor@xxxxxxxxxxxxxxx>
Date: Wed, 10 Feb 2010 19:15:52 +0000

I don't know who all those other guys were, and since everything on FD gets 
replicated, I'll just keep it here.  SANS has dropped out, so it's just you and 
me, kid.

The "initially proposed tasks" were what YOU said, not me.  You calculating the 
propensity for some package to have a software vulnerability over time is NOT 
calculating risk.  Again - this is YOUR words, not mine:

"Where a system uses an SMS response with a separate system (such as a web 
page), the probability that the banking user is compromised and a fraud is 
committed, P(Compromise), can be calculated as: P(Compromise) = P(C.SMS) x 
P(C.PIN)
Where: P(C.SMS) is the probability of compromising the SMS function and 
P(C.PIN) is the compromise of the user authentication method"

You say you can model the probability of compromise with a formula.  I say you 
can't.  Period, end of story.  I said let's debate it.  You said you won't 
unless I pay you.  Then you bet me $10,000 while trying to say you can model 
software vulnerabilities and then said you can put up a system that I can't 
hack in 6 months after upping the bet to $100,000.  

It's all there in black and white.  In writing.  

Are we all here to understand that it takes the greatest mind in the world and 
the most highly certified computer professional on the face of the globe to 
understand that a system becomes less secure over time when left alone and that 
the more people that use it the less secure it becomes?  Really?  That is your 
contribution?

You won't wiggle out of this one, sir.  You've bet $100,000 that you can put up 
a system that can't be hacked.  You've staked your reputation on the fact that 
you can use a calculator to determine the probability of a system being 
compromised. Please note that *I* don't even have to hack it.  In fact, I plan 
on being on a beach somewhere after offering $10,000 for someone to hack it for 
me.  There are about 1 billion people in China would could use $10,000.  But 
that's another story. 

I further predict that this is about the time that you'll say "oh, no, I didn't 
say that" and that I somehow agreed to your silly "choose 50 or 100 packages 
and I'll model code vulnerabilities instead."  Once everyone here replies back 
saying "dude, you are changing your tune" you'll whimp out, and rescind the 
bet, and crawl back into your academic womb. 

If not, produce the contract stating that you will pay me $100,000 if your 
system gets hacked "any way I choose" and that you can calculate risk of 
compromise with a formula.  

t





> -----Original Message-----
> From: Craig S. Wright [mailto:craig.wright@xxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, February 10, 2010 10:54 AM
> To: Thor (Hammer of God); 'full-disclosure'
> Cc: pen-test@xxxxxxxxxxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx;
> stephen@xxxxxxxx; 'Jeff Frisk'; 'Ben Wright'
> Subject: RE: [Full-disclosure] SMS Banking
> 
> " You are changing the bet in mid-stream "
> Not at all. This was and is the bet. The initially proposed 2 tasks
> remain
> unchanged.
> 
> The statement on SMS was that this is a time degrading risk function.
> That
> is, the proposed SMS solution would become less secure over time. The
> longer
> it ran, the more attacks. It would also be a function of users, the
> more
> users, the less secure. In case you cannot understand what the SMS
> quote you
> have means, it simply means that adding an independent 2nd factor
> lowers the
> inherently high risk of a purely SMS based system.
> 
> "The risk of deploying any given solution takes into account FAR too
> many
> real-world elements than any formula can address. "
> The SMS formula is not the be all - it was a simple extrapolation based
> on a
> highly insecure proposal. My model as I have put it is an expert
> system. The
> risk associated with each application on a system is derived as with
> dependence and path.
> 
> Please as stated, choose the 100 software applications.
> 
> Regards,
> ...
> Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
> Information Defense Pty Ltd
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] SMS Banking
  - From: Thor (Hammer of God)
- Re: [Full-disclosure] SMS Banking
  - From: Valdis . Kletnieks
- Re: [Full-disclosure] SMS Banking
  - From: Craig S. Wright
- Re: [Full-disclosure] SMS Banking
  - From: Craig S. Wright
- Re: [Full-disclosure] SMS Banking
  - From: Craig S. Wright
- Re: [Full-disclosure] SMS Banking
  - From: Craig S. Wright

Prev by Date: [Full-disclosure] FW: SMS Banking
Next by Date: [Full-disclosure] FW: SMS Banking
Previous by thread: Re: [Full-disclosure] SMS Banking
Next by thread: Re: [Full-disclosure] SMS Banking
Index(es):
- Date
- Thread