On Mon, May 12, 2014 at 9:09 AM, Pete Herzog <lists@isecom.org> wrote:
"Hi, I’m your friend and security researcher, Pete Herzog.
we're almost family Pete, no need to introduce yourself! ... was starting to wonder how you've been... you never call, you rarely write. regarding your piece published at: http://www.tripwire.com/state-of-security/vulnerability-management/so-you-li... this reply is a little long, as i took the time to respond in depth to each of the issues i observed in your piece; i hope you view this as the best of intentions and sincere desire for thoroughness it is. any criticism is entirely constructive. if you feel despondent or hopeless about the future where you have been so wrong and so ill equipped to secure digital systems, see the end of this thread for crisis hotline resources in your area.
But I’m here today to take a moment and talk to you about the pain of neglect, isolation, abuse, and infection, better known as “vulnerability management”.
you might be interested in the other thread on treating addiction. my own empirical study linking INFOSEC/COMSEC responsibilities with ethanol abuse, clandestine chemical poisonings, and a rapidly escalating habit for a high fiber lifestyle is progressing nicely, but not yet ready for publication. (DWDM, not ingested fiber)
In many ways vulnerability management can be part of a healthy system and over-all good security.
agreed! i find it very helpful to find vulns first, use them for early signalling of adversary capabilities and interest, weaponize them for great justice, and distribute them in limited fashion toward the end of their life cycle to friends and peers, where again they serve as useful feedback on third party OPSEC and integrity.
That's how my new article starts. 5 points on the pain of vulnerability management and how to make it hurt less.
unfortunately in previous private vulnerability assessments all social media platforms failed to survive our common criteria for credible computing contract services. at least you're not paying for them? ... i will however provide my feedback via this medium:

0. "how to make it hurt less"

first off, you may be interested in my research on the best synth routes for clandestine medicating and near term memory cleansing with common chemicals or seedy suppliers. this information was cultivated during my research into INFOSEC/COMSEC professionals who are clearly exceptionally capable in this domain.

1. "You can’t manage vulnerabilities in closed software any more than you can manage tunnel construction in an ant nest."

this is not true. by actively managing the execution of all processes on all your systems and the communication they make between each other and remote (networked or bus connected services) peers, blocking and altering shared library methods, system calls, and network communication is effective against open source, closed source, promiscuous source, and other development practices.

2. "Managing vulnerabilities will not get you security. Especially since patched vulnerabilities is a subset of found vulnerabilities which is assumed (for far too many) to be a subset of having security."

this is why it is critical to find as many vulnerabilities as possible in the systems you use before others do. use the vulnerabilities you find as a model of the class of weakness upon which to defend in depth. more to do after this, but for another discussion... ;)

3. "But if you wanted to have all the domesticated animals on your new arc you can’t do it by only looking house pets as that would exclude goats, cows, horses, yetis, and many animals maybe you don’t know or didn’t consider. So when scanning for vulnerabilities you can only, at best, find the vulnerabilities the scanner knows about."

i for one wish they omitted the goats. they make great work on the blackberry bushes, but the pasture fences are a challenge and an escalating war of attrition they so far show no difficulty defeating with clever goat skillz. more to the point above, this is why it is critical to employ not just all existing scanners, fuzzers, frameworks, and toolsets but also to improve them internally while also developing your own infrastructure for vulnerability discovery, defense, and weaponization. (this is called "big vuln" or "big vuln dev" by our team for lack of a better allegory)

4. "It Can Feel a Lot Like Doing Dishes. Vulnerability management is an endless race that can’t be won."

so true! however, this is why complete and continuous automation is mandatory at the moment of analyst discovery or developer prototype. thus the repetitiveness is delegated to the machines, who do our bidding without tiring or negligence.

5. "when you manage operational controls as part of vulnerability management you can actually take yourself out of the rat race of patch vs. exploit. That’s huge!"

patch vs. exploit is a false dichotomy. if you're not solving for both concurrently you're doing it wrong. (don't feel bad, this is a common failure.)

6. "Filling a Hole Has Never Been So Dirty ... We think vulnerability management is straight-forward: there’s a hole and you fill it and the hole is gone."

who are these "we" you speak of? the last time i saw that mindset in play was a sales associate for a security consulting firm hawking some weird devops / continuous integration like thing i don't remember too well. anyone who thinks vulnerability management is easy is unaware of their ignorance, risk, and update latencies in their organization.

7. "In the end, playing dirty is the only way most vulnerability managers can keep their heads above water. But let’s just call that a risk decision."

what you call "playing dirty" is just decision making in the midst of one crisis after another in an endless procession. crisis mitigation and resolution should not be cast in the negative air of "playing dirty". rather, take this as an opportunity to find the exceptionally rare operations crew who run a ship so tight there are no crises, only prioritized opportunities for even further improvement.

8. "closely followed by NATO, NIST, FBI, NASA, NSA, all branches of armed forces, and the White House."

this is just awful! i suffered through a number of years with a stalker intent on making me into a skin cover for a realdoll in some psychotic delusion he was compelled by. i know the unease, fear, and stress that a malicious stalker can have on the psyche. i presume you've looked into local resources to prosecute or to have them ordered restrained. if they're unable or unwilling to resolve the issue, contact me off list for more extreme methods to handle this. i got your back Pete; and we'll get these rogues off your back one way or another!

9. "don’t forget to see me in Richmond, VA from June 4 – 6 at RVAse"

sorry Pete, i quit going east of the mississippi given the fallout that inevitably follows. as a US tax payer, i try to limit the resources expended to violate my privacy and presume a threat where none exists. and frankly it diminishes the intimacy of my memories knowing that they've surveilled my masturbatory sessions in remote locales.

i am taking this moment to segue into one last observation in your piece, but it deals with adult subject matter that may not be appropriate for all audiences. if you are not mature enough for the discussion below, please don't read it!

.
.
.
- this break intentionally inserted for decency -
.
.
.

Z. "... the adult film star process which pretty much gets you from film star to adult film star by doing just one thing on film."

i don't often discuss my personal past in these lists or online in general. for a while i had a career in INFOSEC but came to a realization that there must be another line of work supporting an upper middle class salary which was not so terribly detrimental to my mental and physical health. i transitioned into gonzo group gay porn which met the cost of living requirements but still had above average physical demands even if a great improvement over the dark INFOSEC years. after five years building a library of over 1,782 different scenes stretching to 12 days of continuous copulation my career in porn was ended in a crippling accident while testing a prototype manbian machine fucking investment that was my doom rather than return on investment. don't write me, the rights have already been sold for a moving drama with A list cast. my point is that i published a greatest "best-of coderass at 1.75 FPS, abridged" anthology as a career end salute on a 180 minute collector's edition BluRay paid for by the sale of creative rights mentioned above. this video release rocketed to the top of all the best seller lists and made me a household name and continues to feed me a torrent of franchise fees, recurring profit share, and ongoing royalties which can only be described as obscene and ridiculous. for some reason every other effort was just not enough to bump me up above obscure D list status... it's a funny world.

TL;DR: my adult film star process required 1,782 scenes, 45,000 minutes of film, and spanned 73%* of known sex acts possible to act out between two or more humans but less than twenty humans at once. this is as far removed from "doing just one thing" as i can imagine, and frankly it disrespects the strenuous effort and creative acting myself and other sex workers practice in mostly thankless service to others. you should be ashamed!

[* automatic identification and categorization of sex acts is surprisingly complicated! the corresponding language theoretic effort to map 1 to 20 human bodies in movement for 15 minutes or less into a formal language to exhaustively delineate all the possible perversions possible to commit under the sun was gargantuan in terms of earth human hours and the resulting corpus. we are close to proving that not everything which can be done has been. if you would be interested in performing a provably unique sex act for a large sum of money and only modest surgical modification, please get in touch]

P.P.S. some people ask me what i do now for a living since confined to robotic wheelchair and bed rest. the truth is, i could never turn my back entirely on the INFOSEC community in which i started my first career and sojourn into the great world alone. so now i am busking at conferences doing INFOSEC comedy routines, selling nerdcore rap put to chiptunes on independent labels, and manning the crisis hotlines for substance abuse and domestic violence victims, who strangely enough overlap to a non trivial degree with the set of self confessed INFOSEC professionals. my time spent replying to INFOSEC threads on mailing lists is gratis, as no one pays me for it, and no one likes what i say enough to tip me.

"have you hugged your data spill incident responder today?"

best regards,

friend of Pete and former pr0n star,
codermange