Comments on Jeremiah Grossman: 100% secure websites

Anonymous (2008-06-14 05:48 -07:00):
Good Job! :)

Jeremiah Grossman (2008-03-08 23:41 -08:00):
Hmph, I never noticed that before. I just updated the settings.

Anonymous (2008-03-08 23:18 -08:00):
Hi, just a curious question: how come these comments are dated only with the time and not the day as well, like March 8/08, etc.?

Jeremiah Grossman (2008-03-08 21:03 -08:00):
@Yousif, "effective level", yep that's the key. The trouble is figuring out how to quantify and measure what exactly that is.

@Anonymous,

> I'm assuming that the troublemakers don't send you Christmas cards and the financially motivated don't call you at home.

Not so far.

> So other than falling back on "experience",

My experiences are my own and may or may not be representative of the masses. That's one reason why I allow comments here, so people can share their unique experiences as we drive towards better understanding.

> can you substantiate any of your comments in this blog post about the behavior of troublemakers and financially motivated or are you making broad generalizations (again *sigh*) without being able to back it up?

Not sure I understand your question. Meaning, do the types of attackers we've defined here exist? Or were you asking whether they actually do the things I described? In any event, I guess you are asking for some kind of report, in which case there are tons around you might Google for.

Anonymous (2008-03-08 20:50 -08:00):
I'm assuming that the troublemakers don't send you Christmas cards and the financially motivated don't call you at home. So other than falling back on "experience", can you substantiate any of your comments in this blog post about the behavior of troublemakers and financially motivated or are you making broad generalizations (again *sigh*) without being able to back it up?

Yousif Yalda (2008-03-07 23:34 -08:00):
Good post Jeremiah, I agree with what you have said. My quote is "There Is No Such Thing As Security" and in all means, it's fairly true. I've had a customer before that defined against "There's no point in securing your website if it's not hacker-proof". I thought it was rather false. The paradigm is always changing and there's no factual way to secure anything 100%, but we can surely elevate this to a stable and effective level.

Anonymous (2008-03-07 14:35 -08:00):
For sure, if your website is less attractive and harder to break into, most hackers are going to move on to another target.

You can improve your security architecture to reduce the impact when being hacked.
But how can an e-commerce website avoid storing their clients' private information?

The idea is good but in most cases not feasible.

Plus there are new ways (http://blog.benjamin-mosse.com/2008/03/03/a-massive-attack-from-a-javascript-worm-impossible-or-a-real-threat/) of earning money from hacking using basic vulnerabilities.

Jeremiah Grossman (2008-03-07 14:27 -08:00):
> Jeremiah: I think your logic is globally irresponsible.

And I think your logic is impractical and naive.

> If I spent most of my time running from bears and let my friends take the fall - I wouldn't have many friends.

I have no idea how many friends you have.

> Here's a question for you: what if all my friends ran at the same pace?

Then they'd defy the laws of physics. Besides, believing that every website will have equal security ever is rather silly anyway.

> If everyone is a WhiteHatSec customer, then you guys get to decide who has security and who does not.

As much as I and my investors would enjoy this result, I don't think it's rational to expect it.

> Also - for those who have read Geekonomics, the book speaks to the "Broken Windows" theory. This theory states that less broken windows around the neighborhood creates less crime. If we want to reduce Internet crime, we have to reduce all software weaknesses, not just the top ten or the most critical.

I think the same book categorically dismissed that theory as a fallacy. How it applies here I have no idea either.

> Perfect security isn't 100%, it's to be as CWE-free as possible with your applications, especially the most visible ones. Perfect security is perfect enough for your applications, taking in the risk and repair factors.

see comment #1

dre (2008-03-07 14:10 -08:00):
Jeremiah: I think your logic is globally irresponsible. If I spent most of my time running from bears and let my friends take the fall - I wouldn't have many friends.

Here's a question for you: what if all my friends ran at the same pace? If everyone is a WhiteHatSec customer, then you guys get to decide who has security and who does not.

Also - for those who have read Geekonomics, the book speaks to the "Broken Windows" theory. This theory states that less broken windows around the neighborhood creates less crime. If we want to reduce Internet crime, we have to reduce all software weaknesses, not just the top ten or the most critical.

Perfect security isn't 100%, it's to be as CWE-free as possible with your applications, especially the most visible ones. Perfect security is perfect enough for your applications, taking in the risk and repair factors.

Jeremiah Grossman (2008-03-07 13:06 -08:00):
@Francois, thanks, yep that's another little variant in there. Perhaps we can combine the state-sponsored and the one you mentioned in a "hired hacker" class. While the two might have different targets typically, their skill/motivation is probably relatively the same.

Anonymous (2008-03-07 12:13 -08:00):
What about a fourth one:
Hired Hacker to break a specific target (website, company, ...)
It's a hybrid between the first one and second one since he will take the necessary time to achieve his goal FOR financial gain.
They can be:
- spy for another company
- detective/hacker to obtain information about something/someone
- hacker being hired by a disgruntled employee seeking revenge
- And many others...

Francois L

Jeremiah Grossman (2008-03-07 10:05 -08:00):
You know, that's a really good point. I think I forgot about them since I'm not used to dealing with those types of adversaries. I think I'd rank their skill/drive as equal to or more than the average troublemaker. They'd be difficult, if not impossible, to keep out. I also think they have more defined targets, as you've described. I wouldn't think the state-sponsored bad guy would be targeting ecommerce or financials, would you?

Anonymous (2008-03-07 10:01 -08:00):
Don't forget the 3rd type of hacker. The 202/8 - china / state sponsored hacker which will at all costs invest in obscure exploits, research, steal cisco source, sell pirated ios, and backdoor 802.11 chipsets.