Tuesday, January 31, 2006

January's Security Streams

It's been quite a busy month, still I've managed to keep my blog up to date with over 30 posts during January, here they are with short summaries. Thanks for the comments folks!

I often get the question, how many people is my blog attracting, the answer is quantity doesn't matter, but the quality of the visits, still, for January there were 7,562 unique visits and over 13,000 pageloads. I'm already counting over 400 .mil sub domains, have the majority of security/AV vendors (hi!) reading it, and the best is how long they spend on average, and how often they come back. To sum up, 60% of all visits come from direct bookmark of my blog, 30% through referers, and 10% from search engines. It is also worth mentioning my last referring link, notice the domain and what they are interested in.

1. "What's the potential of the IM security market? Symantec thinks big" gives a brief overview of the wise acquisition Symantec did and a little something on the IM security market.

2. "Keep your friends close, your intelligence buddies closer!" mentioning the release of a book excerpt and provides further resources on various NSA and intelligence related topics

3. "Security quotes : a FSB (successor to the KGB) analyst on Google Earth" is Google Earth or satellite imagery a national security threat? At least the Russian FSB thinks so!

4. "How to secure the Internet" discusses the U.S National Strategy to Secure Cyberspace and some thoughts on the topic

5. "Malware - Future Trends" the original announcement for the release of my research

6. "Watch out your Wallets!" gives more info on ID theft and talks about a case that left a 22-year-old student in debt of $412,000

7. "Would we ever witness the end of plain text communications?" a released report on the growth of VPNs prompted me to open up the topic, recently, Yahoo! communicate over SSL by default which is a great progress from my point of view

8. "Why we cannot measure the real cost of cybercrime?" an in-depth summary of my thoughts on why we cannot measure the real cost of cybercrime, and why I doubt the costs outpace those due to drug smuggling

9. "The never-ending 'cookie debate'" tries to emphasize on how the Cookie Monster should worry about cookies only, and what else to keep in mind concerning further techniques that somehow invade your privacy

10. "The hidden internet economy" here I argue on what would the total E-commerce revenues be given those afraid to purchase over the Internet actually start doing it.

11. "Security threats to consider when doing E-Banking" provides a link to practical research conducted by a dude I happen to know :)

12. "Insecure Irony" is indeed an ironical event, namely how a private enterprise, one used to gather intelligence actually lost sensitive info belonging to the Intelligence Community

13. "Future Trends of Malware" the post mentioning my Slashdotted research and the rest of the people and respected sites that recognized it

14. "To report, or not to report?" how can you measure costs when the majority of companies aren't even reporting the breaches, cannot define a breach, or think certain breaches don't require law enforcement intervention?

15. "Anonymity or Privacy on the Internet?" argues on what exactly different individuals are trying to achieve, is it Anonymity, is it Privacy and provides further resources on the topic

16. "What are botnet herds up to?" gives a brief overview of recent botnet herds' activities and the ways used to increase the revenues through affiliate networks, or domaining. It also provides good resources on the topic of Bots and Botnets

17. "China - the biggest black spot on the Internet’s map" a very recent and resourceful overview of Internet Censorship in China, that also provides further resources on the topic

18. "FBI's 2005 Computer Crime Survey - what's to consider?" one day after the release of the FBI's survey I summarized the key points to keep in mind

19. "Why relying on virus signatures simply doesn't work anymore?" a very practical post that argues and tries to build more awareness on how the number of signatures detected by a vendor doesn't actually matter, still there are other solutions that will get more attention with the time. I received a lot of feedback on this, both vendors and from folks I met through my blog, thanks for the ideas!!

20. "2006 = 1984?" gives more details on private sector companies innovating in the wrong field, and further resources on censorship and surveillance practices

21. "Cyberterrorism - recent developments" an extended overview of Cyberterrorism, and a lot of facts worth mentioning obtained through a recently released report on the topic

22. "Still worry about your search history and BigBrother?" Some humor, be it even a black one is always useful

23. "Homebrew Hacking, bring your Nintendo DS!" Homebrew hacking is slowly emerging and I see a lot of potential in the "do it yourself culture"

24. "Visualization, Intelligence and the Starlight project" a post worth checkin' out, it provides an overview of various visualization technologies and talks about the Starlight project

25. "The Feds, Google, MSN's reaction, and how you got "bigbrothered"?" I'm not coining new terms here, "bigbrothered" is slowly starting to be used by pretty much everyone, yet I try to give practical tips on why the whole idea was wrong from the very beginning, and how other distribution vectors should also be considered

26. "Personal Data Security Breaches - 2000/2005" I came across a great report summarizing the issue, and tried to highlight the cases worth mentioning, some are funny, others are unacceptable

27. "Skype to control botnets?!" good someone is brainstorming, but that's rather unpractical compared to common sense approaches botnet herders currently use

28. "Security Interviews 2004/2005 - Part 1" Grab a beer and start going through this great contribution, soon to appear at Astalavista itself!

29. "Security Interviews 2004/2005 - Part 2" Part 2

30. "Security Interviews 2004/2005 - Part 3" and Part 3

31. "Twisted Reality" Everything is not always as it seems, and it's Google I have in mind :(

32. "How we all get 0wn3d by Nature at the bottom line?" :)

33. "Was the WMF vulnerability purchased/sold for $4000?!" among the few vendors I actually trust released a nice summary no one seems to be taking into consideration, still I find it truly realistic given the potential of the 0day market for software vulnerabilities

Till next month, and thanks to all readers for taking their time to go through my research and contributions!


Monday, January 30, 2006

Was the WMF vulnerability purchased for $4000?!

Going through Kaspersky's latest summary of Malware - Evolution, October - December 2005, I came across a research finding that would definitely go under the news radar, as always, and while The Hackers seem to be more elite than the folks that actually found the vulnerability I think the issue itself deserves more attention related to the future development of a market for 0day vulnerabilities.

Concerning the WMF vulnerability, it states :

"It seems most likely that the vulnerability was detected by an unnamed person around 1st December 2005, give or take a few days. It took a few days for the exploit enabling random code to be executed on the victim machine to be developed. Around the middle of December, this exploit could be bought from a number of specialized sites. It seems that two or three competing hacker groups from Russian were selling this exploit for $4,000. Interestingly, the groups don't seem to have understood the exact nature of the vulnerability. One of the purchasers of the exploit is involved in the criminal adware/ spyware business, and it seems likely that this was how the exploit became public."

Two months ago, I had a chat with David Endler, director of Security Research at TippingPoint, and their ZeroDayInitiative, that is an alternative to iDefense's efforts to provide money as an incentive for quality vulnerabilities submissions. The fact that a week or so later, the first vulnerability appeared on eBay felt "good" mainly because what I was long envisioning actually happened - motivated by the already offered financial rewards, a researcher decided to get higher publicity, thus better bids. I never stopped thinking on who gains, or who should actually gain, the vendor, the end user, the Internet as a whole, or I'm just being a moralist in here as always?

This very whole concept seemed flawed from the very beginning to me, and while you wish you could permanently employ every great researcher you ever came across, on demand HR and where necessary seems to work just fine. But starting with money as an incentive is a moral game where "better propositions" under different situations could also be taken into consideration. Researchers will always have what to report, and once ego, reputation and publicity are by default, it comes to the bottom line - the hard cash, not "who'll pay more for my research?", but "who values my research most of everyone else?". And when it comes to money, I feel it's quite common sense to conclude that the underground has plenty of it. I am not saying that a respected researcher will sell his/her research to an illegal party, but a company's most serious competitors are not its current, but the emerging ones, I feel quite a lot of not so publicly known folks have a lot to contribute..

Possible scenarios on future vulnerability purchasing trends might be :

- what if vendors start offering rewards ($ at the bottom line) for responsibly reported vulnerabilities to eliminate the need of intermediaries at all, and are the current intermediaries doing an important role of centralizing such purchases? I think the Full Disclosure movement, both conscious or subconscious :) is rather active, and would continue to be. Now, what if Microsoft breaks the rules and opens up its deep pocketed coat?

- how is the 0day status of a purchased vulnerability measured today? My point is, what if the WMF vulnerability was used to "nail down" targeted corporate customers, or even the British government as it actually happened, and this went totally unnoticed due to the lack of mass outbreaks, but the author sort of cashed twice, by selling the thought-to-be 0day to iDefense, or ZeroDay's Initiative? What if?

- requested vulnerabilities are the worst case scenario I could think of at the moment. Why bother and always get excited about an IE vulnerability, when you know person/company X are running Y AV scanner, use X1 browser as a security through obscurity measure. That's sort of reverse model compared to current one where researchers "push" their findings, what if it turns into a "pull" approach, "I am interested in purchasing vulnerabilities affecting that version of that software", would this become common, and how realistic is it at the bottom line?

Some buddies often ask me, why do I always brainstorm on the worst case scenario? I don't actually, but try to brainstorm on the key factors and how the current situation would inevitably influence the future. And while I'm not Forrester Research, I don't charge hefty sums for 10 pages report on the threats posed by two-factor authentication or e-banking, do I? Still, I'm right on quite some occasions..

At the bottom line, ensure $ isn't the only incentive a researcher is getting, and don't treat them like they are all the same, because they aren't, instead sense what matters mostly to the individual and go beyond the financial incentive, or you'll lose in the long term.

What are your thoughts on purchasing vulnerabilities as far as the long term is concerned? What is the most effective compared to the current approaches way of dealing with 0day vulnerabilities? Might a researcher sell his findings to the underground given he knows where to do it? What do you think?

How we all get 0wn3d by Nature at the bottom line?

I just came across a clip courtesy of NASA that can be described as a beautiful devastation, still it reminds me of how insecure we are at the bottom line. And no, I don't see how you will distribute a signature for this, or can you? :)


Twisted Reality

I looked up the definition of Evil today, and I found it, I tried to play a Google War and came across 256 million occurrences of it, still there's a hope for all of us I guess. On the 17th of January I blogged on how China turned into the biggest black spot on the Internet's map, to find out that I even have activists commenting in my blog :)

Google has agreed to "remove certain sensitive information from our search results" you all know it by now, what you perhaps don't know is how what used to be the old Google still has its marks on the web. Google's Information for Webmasters still states that :

"Google views the comprehensiveness of our search results as an extremely important priority. We're committed to providing thorough and unbiased search results for our users."

I guess Chinese users should print this and stick it on their walls to remind them of the past as it says exactly the same. They have also removed their "censored notice" from "older removals", how come, and for what reason? Lack of accountability for when "local laws, regulations, or policies" were removing "sensitive information" before the date?! Google is my benchmark for disruption, but I guess its actions and "do no evil" motto were simply too pure for the business world, which on the majority of occasions is capable of destroying morale, even individuals..

Welcome in a "Twisted Reality" where one event looks like an entirely different one - on request, and the list is getting bigger!

But what is actually filtered in China these days, what are the topics of interest? Four years ago, a great initiative brought more insights into what's deemed "sensitive information", and while of course the list is changed on-the-fly, it is important to know how it blocks the top results, as this is where all the traffic goes.

Recently, CNET did a nice research on which sites are blocked by which search engine, I even saw Neworder in there :)

The best thing about China's backbone is how centralized it really is and the way researchers are finding common censorship patterns that could prove useful for future research. Is TOR with its potential applicable in China, and would initiatives such as the Anonymous OS, or even TorPark, a USB extension of the idea, be the future?

Meanwhile, in case there are interested parties reading this post, consider taking a look at the "Handbook for Bloggers and Cyber-Dissidents" courtesy of Reporters Without Borders.


Thursday, January 26, 2006

Security Interviews 2004/2005 - Part 2

Part 2 includes :
11. Eric (SnakeByte) - http://www.snake-basket.de/ - 2005
12. Björn Andreasson - http://www.warindustries.com/ - 2005
13. Bruce - http://www.dallascon.com/ - 2005
14. Nikolay Nedyalkov - http://www.iseca.org/ - 2005
15. Roman Polesek - http://www.hakin9.org/en/ - 2005
16. John Young - http://www.cryptome.org/ - 2005

Go through Part 1 and Part 3 as well!

Part of Asta's Security Newsletter
---------------------------
Interview with SnakeByte (Eric), http://www.snake-basket.de/

Astalavista : Hi Eric, would you please introduce yourself to our readers and share your experience in the security scene?

Eric : I am 24 years old, currently studying computer science in Darmstadt, Germany for quite some time now. I am mostly a lazy guy, doing whatever I am currently interested in. My interest in computer security started with viruses (no, I never spread one), which were really interesting back then, but nowadays every worm looks the same ;(

Astalavista : Things have changed much since the days of Webfringe, Progenic, BlackCode etc. What do you think are the main threats to security these days? Is it our dependence on technologies and the Internet the fact that it's insecure by design or you might have something else in mind?

Eric : I think security itself got a lot better since then but we have more dumb users who work hard to make it worse now. Most users nowadays get flooded with viruses and just click them, also the recent rise in phishing attacks - it's not the box which gets attacked here, it's the user. Security also got a lot more commercial.

Astalavista : What is your opinion on today's malware and virii scene? Do you think that groups such as the infamous A29 have been gaining too much publicity? What do you think motivates virii writers and virii groups now in comparison to a couple of years ago?

Eric : It's 29a :) And they deserve the publicity they got. They did and are doing some really cool stuff. But they also were clever enough to be responsible with the stuff they created. About motivation for virii writers - it's different for each of them, have to ask them.

But I think there is a new motivation - money. Nowadays you can get paid for a couple of infected computers, so spammers can abuse them.

Astalavista : What do you think of Symantec ? Is too much purchasing power under one roof going to end up badly, or eventually the whole industry is going to benefit from their actions?

Eric : Sure monopolies are always bad but we get them everywhere nowadays. Maybe we need another revolution...

Astalavista : Is the practice of employing teen virii writers possessing what is thought to be a "know-how" a wise idea? Or it just promotes lack of law enforcement and creates hordes of source modifying or real malware coders?

Eric : I don't think it is a wise idea at all, but don't tell my boss ;-) Whether one has written virii or not should not influence your decision to hire him/her.

Astalavista : Application security has gained much attention lately. Since you have significant programming experience, what do you think would be the trends in this field over the next couple of years, would software be indeed coded more securely?

Eric : Maybe, if universities started to teach coding in a secure way instead of teaching us more java bullcrap. But I think the open source development is indeed helpful there. If you want to run something like a server, a quick glance at the code will tell you whether you really want to use this piece or search for another one.

Astalavista : Microsoft and its efforts to fight spyware has sparked a huge debate over the Internet. Do you think it's somehow ironic that MS's IE is the number one reason for the existence of spyware. Would we see yet another industry built on MS's insecurities?

Eric : It's the only reasonable way for MS to react. Heh, they are just a company.

Astalavista : The Googlemania is still pretty hot. Are you somehow concerned about their one-page privacy policy, contradictive statements, and the lack of retention policies given the fact that they process the world's searches in the most advanced way and the U.S post 9/11 Internet wiretapping initiatives?

Eric : Yes I am, that's why their only product I use is the websearch function. As soon as I find another good website like google.

Astalavista: Thanks for your time Eric!
-----------------------------------------

Interview with Bjorn Andreasson, http://www.warindustries.com/

Astalavista : Hi Bjorn, would you please introduce yourself and share some more information about your background in the security world?

Bjorn : My name is Bjorn "phonic" Andreasson and I live in Sweden, I'm turning 22 this year. I've been a part of the so called "underground" since the age of 14 which gives a total of 8 years. I got my first computer at the age of 13 and I quickly got involved in Warez as my uncle showed me some basic stuff about the internet. After a while I realised Warez websites were "uncool" because of all the popups, porn ads, only trying to get as many clicks on your ads as possible to earn enough money to cover your phone bill. So, there I was viewing the Fringe of the web (www.webfringe.com) and I found all those wonderful h/p/v/c/a websites, which caught my eye. I knew I could do better than most of these guys as I had a lot of experience from the Warez scene - I knew how to attract visitors quickly. The first version of War Industries I believe was a total ripoff from Warforge.com as I didn't know better at the age of 15/16, I quickly understood this wasn't the way to do it so I made my first version of the War Industries and I might add it looked VERY ugly as I recall it :)

From there I have had several designers making new versions, trying to improve it and I believe we've achieved that goal now. It should be mentioned that during 2000 and 2003 War Industries was put on ice as I couldn't cover the expenses so it was only me and a friend keeping the name alive until 2003 when I relaunched the website and turned it into what it is today (Badass). I've also been a part of the Progenic.com crew as well. As Blackcode.com crew, it was practically my work that made BC famous because I sent a shitload of hits to it back in '99 when WarIndustries received 4,000 unique hits on a daily basis. I also owned www.icqwar.com which held only ICQ war tools, some of my own creation, very basic but handy. The site had 3,000 unique hits on a daily basis after only one week online. After four weeks I got a letter from AOL to give me the domain name or being sued. What could I do? 16 years old, of course, I gave it away! Well that's pretty much my story.

Astalavista : WarIndustries.com has been around since 1998, nice to see that it's still alive. What is the site's mission, is it hacking or security oriented? Shall we expect some quality stuff to be released in the future, too?

Bjorn : WarIndustries can't really be placed anywhere. It's either black, gray or white hat. I'd say we're a mix with a touch of them all. Our focus is to enlighten people in the means of programming, getting them to know google as their best friend. We've released a couple of video tutorials which are very popular because they make things so easy. We're going to release a couple of new ones soon, as soon as we get around to it as most of us got jobs and other stuff to attend to. Don't miss out on our brand new T-shirts coming up in a month! If you're something, you've got to have one of those!

Astalavista : What do you think has changed during all these years? Give a comparison between the scene back in 1998 as you knew it and today's global security industry, and is there a scene to talk about?

Bjorn : I'd say people are a way more enlightened today. Back in '98 you could pretty much do anything you liked without getting caught. Today you can't even download Warez without getting problems. I'd say there's a scene but very different from the oldschool I know. I am trying not to get involved and I have my own way. Maybe that's why WarIndustries is so popular.

Astalavista : Is Google evil, or let's put it this way, how can Google be evil? Why would Google want to be evil and what can we do about it if it starts getting too evil?

Bjorn : Google is not evil, Google is your best friend!

Astalavista : Give your comments on Microsoft's security ambitions given the fact that they've recently started competing in the anti-virus industry. They even introduced anti-spyware application - all this coming from MS?

Bjorn : If it wasn't for Microsoft, there wouldn't be viruses so I'm blaming them for writing crap software. Why do they always leave a project unfinished and start another one? I mean Windows XP is working fine, why Longhorn? Why can't they make XP totally secure, like OpenBSD, there hasn't been a remote root exploit for many years as of what I've heard? That's security! If I didn't know better, I'd say MS is writing low-quality software so they can get into the Anti-virus scene and make even more profits!

Astalavista : Recently, the EU has been actively debating software patents. Share your thoughts on this and the future of open-source software?

Bjorn : I can't make up my mind when it comes to Open/Closed source. There's benefits from both sides. Open source is fixed much quicker but also discovered way more often than closed. This is my opinion.

Astalavista : In conclusion, I would really appreciate if you share your comments about the Astalavista.com site and, particularly, about our security newsletter?

Bjorn : Actually, I haven't checked out Astalavista that much. I have known it for many years but I never got around. I promise I'll check it out!

Astalavista : Thanks for your time Bjorn!
--------------------------------------------

Interview with Bruce, http://www.dallascon.com/

Astalavista : Hi Bruce, would you please share with us some more information on your background in the security industry and what is DallasCon 2005 all about?

Bruce : Thanks for this opportunity. I have over 7 years of engineering experience working as a System's Engineer for companies such as Nortel Networks and Fujitsu. Realizing the importance of real information security training experience for everyday people, about 4 years ago a few colleagues and I decided to start a truly academic Information Security Conference in Dallas and see what happens. We held the first DallasCon in 2002, just a few months after the tragic events of September 11, 2001 in the U.S. The response was overwhelming with academic papers being presented from as far away as Russia and attendees coming from countries such as Japan and China.

Astalavista : There are so many active security cons and conferences out there that it is sometimes hard to decide which one is worth visiting. What, in your opinion, makes a con/conference qualified? Do you think that although there's nothing wrong with commercialization, some cons are becoming too commercial so they have lost sight of what their vision used to be in the very beginning of their history?

Bruce : Truly, I must admit the lure of money being thrown at many of similar conferences such as ours is sometimes overwhelming. When a company such as Microsoft comes knocking on your door with a fistful of cash wanting to buy into a Keynote speaker slot, it's hard to resist the temptation to give in. But we have tried to separate the academics from the commercial side. The training courses and the conference itself are designed to present the latest unbiased view of current trends in information security. We have a team of dedicated colleagues that read every paper carefully and look for flagrant promotions of certain technologies or companies. They also work very closely with the speakers who are chosen to present at DallasCon, to make sure that they know what is expected from them. We do offer sponsorship opportunities to companies to help us carry the costs of such an event, but we try very hard to separate the business side from what people come to DallasCon for, which is the latest unbiased view of the trends and research in information security. I think many conferences lose sight of what made them big and forget their roots.

Astalavista : Like pretty much every organization, ChoicePoint or T-Mobile, keep a great deal of personal, often sensitive information about us, as citizens, students or employees. What actions do you think should be taken by the general public, the companies themselves and the government to ensure that the security within such databases or service providers is well beyond the acceptable level of security for most organizations?

Bruce : I think companies need to stop treating their customers like numbers and really put a face with the information that they are gathering. When someone gives you detailed information about themselves, they have put their trust in your company to protect them. When a breach is made, the customer feels betrayed and may never come back to you to do business. I laugh when I hear that huge multi-billion dollar companies are constantly having their customer data stolen. I wonder how much they are really spending on security? How much are their customers worth to them? These days it is hard to distinguish between legitimate companies and fake ones online. It's funny, but people have trouble revealing their credit card information or social security number to a physical business down the street, but put the same business online and people throw that information at you without thinking twice. I think consumers need to stop taking security for granted and use some common sense. The first step of security is common sense... You can't put a price on that!

Astalavista : Two words - Symbian and malware - what are your assumptions for the future trends on the mobile malware front?

Bruce : I predict that it will be huge. The future of mobile OS is wide open and as the competition for market share grows, mobile companies want to offer anything they can in a smart-phone. I am always surprised as to what phones can do right now... in a few years, they might even serve us breakfast in bed! The downside is the huge vulnerability of the mobile-OS. First of all, more people own phones than computers around the world. It is the obvious next frontier for virus writers. Secondly, theoretically, it is much easier to infect an entire phone network than PC's. All you need is one infected phone syncing with a base station. Again, I go back to my previous answer, people need to use common sense... Do you really need to put your financial data or your sensitive e-mail on your phone?

Astalavista : What is your opinion about the mass introduction of biometrics on a world wide scale?

Bruce : Good - it will make security more individualized. We will all carry our security inside our DNA. Bad - it might increase the market for organ theft! (just kidding!)

Astalavista : In conclusion, I would appreciate if you share your comments about the Astalavista.com site, and particularly about this security publication?

Bruce : I have been visiting Astalavista.com for many years now, and I am very impressed with the up to date cutting edge news, articles and really underground topics covered on your site. When we wanted to really reach out to the educated hacker community, Astalavista.com was the obvious choice. Thanks for putting us on your site and thanks for helping us promote our event.

Astalavista : You're welcome, wish you luck with the con!
-----------------------------

Interview with Nicolay Nedyalkov, http://www.iseca.org/

Astalavista : Hi Nicolay, would you, please, introduce yourself to our readers and share some info about your experience in the information security industry? Also what is ISECA all about?

Nicolay : My interest in information security dates back from 1996. At that time, respected Bulgarian experts from all over the country used to meet periodically at closed seminars where we exchanged our ideas and experience. At a later stage we developed the phreedom.org E-zine. I have also participated in numerous national and international mathematics and IT contests.

Currently I am a managing director for the R&D department of one of Bulgaria’s most prominent IT companies – Information Service. In 2002 I decided to initiate an InfoSec course at the University of Sofia. Once the course “Network Security” became part of the university’s curriculum, we immediately got the interest of over 500 students. During 2003, with the help of several experienced security colleagues of mine we developed another fresh and very useful course in “Secure programming”. Both of the courses fitted perfectly into the program curriculum and actually they attracted more students than we had expected. I am also teaching four other courses in Software technologies. As a whole, we contributed for the development of IT education in Bulgaria establishing the ISECA (Information Security Association), whose main purpose is to connect our members and inspire them to innovate, create, and enrich their personal knowledge, while being part of a unique community.

Astalavista : Correct me if I'm wrong but I believe not many Eastern European universities emphasize on the practicality of their computer and network security courses? What are your future plans for enriching the course selection further, and also integrating a more practical approach into your curriculum ?

Nicolay : During the last couple of years we have seen a definite slowdown in Europe regarding information security courses and programmes. Until now we have already developed over eight courses, including the course Information Systems Security Audits, which is widely applicable. Further, there is intensive work on the development of a new Network & Software Security Lab. We are also negotiating with ABA representatives for the introduction of a professional certification program – “Risk Management in the Financial and Banking Sector”.

In fall 2005, University of Sofia will start a specialized master Information Security Program, coordinated by ISECA.

Astalavista : Who are the people behind ISECA, and what are the current local/global projects you're working on, or intend to develop in the upcoming future?

Nicolay : Our core members include certified security consultants and auditors, researchers, IS managers and class teaching professors. Among the key projects we’ve already developed or we are working on at the moment are:

- A National Laboratory for Network and Software Audits, being developed in close cooperation with The University of Sofia. The lab will be used for audits and R&D in the industry.
- An Information Security Portal – ISECA
- A National anti-spam system and its integration within international ones like Spamhaus
- Safeguarding the local business interests of information security and promoting its development on a government level
- Active participation in the development of the Bulgarian Law for E-trade and E-signature
- Subscription based “Vulnerability Notification” service
- Centralized log analysis and security monitoring

Astalavista : What is the current situation of the Bulgarian IT and Security market? What was it like 5 years ago, and is there an active security scene in the country?

Nicolay : We are currently witnessing a boom in the Bulgarian demand for information security services as a great number of businesses are realizing the importance of information security. On the other hand we are in a process of building strategical relationships with Bulgarian and multinational companies providing security related products and services. In the last couple of years official government bodies also have emphasized on sustaining secure communications. In response, our main goal in the upcoming future would be to build a collaborative working atmosphere with stable relationships between key partners and experts.

Astalavista : Bulgaria and Eastern Europe have always been famous as a place where the first computer viruses actually originated, to name the Dark Avenger as the most famous author. What do you think caused this - plain curiosity, outstanding programming skills, or you might have something else in mind?

Nicolay: It is a fact that Bulgaria is popular with its potential in the creation of viruses, trojans and malware at all. The thing is that there are a great number of highly skilled experts, who cannot apply their talent in the still growing local market; consequently they sometimes switch to the dark side. One of our main aims is namely to attract people with great potential and provide them with a professional and stable basis, on which they could develop themselves on the right track. The Bulgarian – Dark Avenger, well, he used to be an idol for the virus writers and the name still brings respect.

Astalavista : Is there an open-source scene in Bulgaria, how mature is it, and do you believe the country would be among the many other actively adopting open-source solutions in the future, for various government or nation's purposes?

Nicolay : Yes, there is a Free Software Society. Several municipalities have already turned into E-municipalities with the help of open source software. There was a proposition for the introduction of a law for integrating open source software within the government’s administration, which was unfortunately rejected later on. Free Software Society is in close contact with various political movements, which reflects the overall support and understanding of open source from the society. The use of open source is also within the objectives of one of the main political parties in the country, a goal that resulted from the many initiatives undertaken by the Free Software Society. ISECA’s members are also active participants in the core direction of the FSS. We are currently developing a new open-source research team, part of Information Service – OSRT (Open-Source Research Team).

Astalavista : How skilled is the Bulgarian IT labor market and do you think there's a shortage of well - trained specialists in both IT and Information Security? How can this be tackled?

Nicolay : There are a great number of highly qualified software developers in Bulgaria, who created the Bulgarian Association for Software Developers. We have had numerous seminars and lectures between ISECA and the Association. One of our main objectives is namely to locate and unite the highly qualified IT and Security experts within Bulgaria. Both organizations are constantly seeking to establish stable relations with international organizations with the idea to exchange experience and promote mutually beneficial partnerships.

Astalavista : India is among the well-known outsourcing countries for various IT skills, while on the other hand the Bulgarian programmers are well-respected all over the world, winning international math and programming contests. Do you think an intangible asset like this should be taken more seriously by the Bulgarian Government, and what do you think would be the future trends?

Nicolay : Every year there is a leakage of highly qualified young professionals with great potential for growth, looking for further career development. The core reason for this “brainwave”, so painful for the Bulgarian economy and society, is the lack of a relevant government policy, ensuring stable and beneficial career opportunities for the young generation. I honestly hope that further government policies, not only those related to the IT industry, would be successful in providing what a nation needs – a bright future for its brightest minds.

Astalavista : In conclusion, I wanted to ask you what is your opinion of the Astalavista.com's web site and, in particular, our security newsletter?

Nicolay : I have been visiting Astalavista.com since its early days and it is great to see that recently the portal has successfully established among the few serious and comprehensive sites. Furthermore, you can always find whatever you are looking for - software, as well as recommendations and shared experience in information security. I believe Bulgaria needs the same high quality portal, one of our main ideas behind ISECA.

Astalavista : Thanks for your time!
-------------------------------------

Interview with Roman Polesek, http://www.hakin9.org/

Astalavista : Hi Roman, would you please introduce yourself, share some info about your background in the security industry, and tell us what is Hakin9 all about?

Roman : My name is Roman Polesek, I am an editor-in-chief of the 'hakin9 - practical protection' magazine since Summer of 2004. I'm 27 years old if it does matter. This might be a bit surprising for folks who know our magazine well, but I'm more a journalist/editor (and that is my education) than a CS/security master. Of course, I worked as a sysadmin for some time, use mainly Unices and code in several languages, but in the IT industry world I'm rather a self made man. I suppose I have no right to call myself "a hacker" in the proper meaning of the word. In short, 'hakin9' -- subtitled as "Hard Core IT Security Magazine" – aims to be a perfect source of strictly technical, IT security related quality information. We noticed that both the market and the community lack comprehensive, in-depth works on this topic. Decision was pretty simple: "Let's do it and let's do it good – we cannot fail". At the moment, with total circulation of nearly 50 thousand copies, we have 7 language versions. The magazine is available worldwide, by subscription or in distribution. However, it's important to remember that we are not encouraging anyone to commit any criminal acts. Beside disclaimers published in every issue of the mag, we emphasize on the legal matters wherever possible. We do not want to make a magazine for the so-called script-kiddies and assume that our readers are professionals and require some portion of knowledge to fully utilize magazine's content. On the other hand, as we all know, "The information wants to be free".

There's no reason to avoid any particular subjects. Every article that precisely describes an attack technique includes a section that is to help defending from the threat we present. 'hakin9' is not only a magazine. The free cover CD is attached to every hardcopy. The disc includes a live Linux distribution called 'hakin9.live' along with plenty of useful documentation [RFCs, FYIs, HOWTOs] and a really huge amount of computer/network security applications. We also prepare our own tutorials that allow readers to exercise the techniques described in articles [only in their very own networks!]. Since the next issue of 'hakin9', the CD will also contain full versions of commercial applications for Windows. Although we rarely use Microsoft Windows, we consider it useful and some of the readers requested such software. One of the articles from each issue is available for free, just to make sure anyone that buys 'hakin9' won't regret the purchase. See our website if you're interested in trying 'hakin9' articles.

Astalavista : What do you think are the critical success factors for a security oriented hard cover magazine?

Roman : I am convinced that the crucial matter is honesty. Our target readers are highly educated, extremely intelligent people and would easily recognize any marketing lies. We just do not say things that aren't true. Everyone can see what we publish and how we do it. The other important thing is diversity. It's obvious that creating a magazine that fits everybody is impossible. There will always be a guy that is not satisfied with, say, the cover story or the layout or anything else. This is nothing unusual, but should be expressed loud and clear. That's why we cover different topics -- from e.g. attacks on Bluetooth stack, through data recovery in Linux or anti-cracking techniques for Windows programmers to methods of compromising EM emissions. Last but not least, the mother of all successes is making people aware of the magazine's existence. Nobody would buy 'hakin9' unless they know we are available. But the main thing is that magazines like ours will never be mass publications, they have their niche that needs to be cultivated. The general rule -- for all press publishers, not only us -- is "Respect your readers and they will respect you". Selling many copies of one issue, using lies and misleading information, is not difficult. What's difficult is to make sure that users will consider you a professional who just makes a good magazine, not a travelling agent.

Astalavista : What is the current situation on Poland's IT and Security scene, and do you think it's developing in the right direction from your point of view, beside Poland's obvious anti-software patents policy?

Roman : Yes, "Thank you Poland" and all. It's always nice to know that someone in the world has positive connotations with your country. But I cannot give you any general overview of the Polish scene. It's just too diverse and I work with IT specialists from all over the world, so I do not concentrate on Poland particularly. After all, most of the important things happen in the USA. Really, the main problem in Poland is software piracy. I'm not talking about P2P networks specifically, I'm talking about the consciousness of Polish people. They are just not aware of the fact that using cracked apps is a crime, a pure theft. I suppose this problem is present in all countries. And poverty does not justify such a procedure at all, we have plenty of free substitutes for even the most popular software. The Polish scene (I mean community by that, of course) is not very different from any other country. We do have a very strong group of open source ideologists (some might call them the followers of Richard Stallman :)), we do have some anti-patent people (I'd recommend http://7thguard.net for those who understand Polish). But we do not have any spectacular successes with any real inventions or discoveries (mind that for now I'm talking about the community, not the corporations). I'd only mention two phenomena your readers might have heard of. One is the LSD, [Last Stage of Delirium] an independent research group known for pointing out bugs in Microsoft RPC some years ago. The other well known is Michal "lcamtuf" Zalewski, an author of a powerful passive network scanner called "p0f" and a set of very useful debugging/binary analysis called "fenris". The reason for this unimpressive situation is the fact that Poland was cut off from the capitalist world for nearly 50 years [and ENIAC was introduced in 1947], so we were isolated from real computing during that time. We just have to make these 50 years in the next few years. On the other hand, IT specialists from Poland -- say, programmers -- are considered very ingenious and good workers. For offshore corporations they are really attractive.

Astalavista : During 2004/2005 we've seen record breaking *reported* vulnerabilities. What do you think is the primary reason, increasing Internet population, programmers’ deepening their security knowledge, companies in a hurry to integrate more features with a trade-off in security or perhaps something else?

Roman : All of them. The increasing number of Internet users does not directly influence the number of vulns found, though. The new Internauts are mainly people who have never used computers and networks before. Of course the other thing is that Internet "aggregates" huge amounts of data, which was publicly unavailable before. There are more and more programmers and IT security specialists. Their population is constantly growing, be it because of the money they can earn or just the popularity of Computer Sciences. To be honest, most of them are at most average at their job, but for example people from India and China have great potential. But you are right. Marketing and pressure for higher sales make companies work in a great hurry, they just don't care about average Joe Sixpack. And Joe Sixpack would hardly ever notice any security vulnerabilities, not mentioning they would probably never report such flaws. Finding bugs in software has also become some kind of a fashion these days. It's an intellectual challenge, similar to solving riddles. No wonder that along with the increasing number of people able to understand, say, the C code, the number of vulns reported increases. There is one more thing I'd like to mention. I suppose that the scale of reported vulns would appear far greater if proprietary software creators informed about all flaws found in their products. It's not in their interest of course.

Astalavista : Thought or at least positioned to be secure, MAC's and Firefox browsers have started putting a lot of efforts to patch the numerous vulnerabilities that keep on getting reported. Is it the design of the software itself or the successful mass patching and early response procedures that matters most in these cases?

Roman : I have great respect for Apple products, though the only Mac I use is a very old Performa :), just for experiments with BSD distributions. I consider Macs secure in general. I also use Mozilla Firefox daily. I'd bet on the latter case, but like I said I'm no programming guru. The developers try to act fast and release patches as soon as possible, so at least average users can feel secure. The fact that there are plenty of developers makes it only better. Bugs in the code are not a nemesis themselves, you cannot avoid bugs in more complex applications. The only solution that makes sense for me is to conduct constant audits and release patches frequently. Look at the Microsoft Internet Explorer [I am aware this example is a bit trivial]. I have a feeling that this company's ways of dealing with flaws is just childish, reminds me of covering your own eyes and hoping it will make yourself invisible to other kids on the playground. I'm not criticizing Microsoft at all -- it's just that the company with so many great specialists has problems with securing their code, and their software is the most popular solution in the world, no doubt. Apple is competing with Windows in general and Firefox tries to bite a part of the browser market. Looking at their financial and market share results makes me sure that the way the patches are done by these enterprises are the only right solution. Repeating that your product is secure and just better does not make it secure and better.

Astalavista : In May, a DNS glitch at Google forwarded its traffic to www.google.com.net (GoSearchGo.com) for 15 minutes. What are your comments about this event when it comes to security and mass DNS hijacking attempts on a large scale? Do you also picture a P3P enabled Google used on a large scale in the near future and do you fear that Google might be the next data aggregator (they are to a certain extent) breached into?

Roman : The real point is -- DJB mentioned that in an interview for the next issue of 'hakin9' -- that some of the protocols we use, especially SMTP and DNS, are outdated. To be precise, they were outdated at the moment they were being created. It's nobody's fault. We have a saying in Poland that "Nobody is a prophet in his own country". Even Bill Gates didn't notice the potential of the Internet. I would say Google has really nothing to do with any DNS forgery. The protocol is flawed. What's worse, we can live without the problematic SMTP. Without DNS, which is a core of the Internet. For example, I just cannot imagine my mother using IP addresses to surf the WWW. I'm not afraid of threats to Google security. They have technology, they have money, they have ideas. I might say that it's Google, which will start and force security improvements in domain resolving mechanism. Daniel J. Bernstein claims that the first thing we should do is to implement some method of authentication in DNS protocol. Be it PKI, be it anything else -- we have to do it so that we would have some time to introduce a really secure DNS replacement. As for the hijacking itself, I consider it one of the most primitive kinds of abusing IT infrastructure. It's just like taking over somebody's house. It's as bad as deleting someone's data for sports or DDoS attacks used for fun and/or profit.

Astalavista : Anonymous P2P networks have been getting a lot of popularity recently namely because of RIAA's lawsuits on a mass scale. How thin do you think is the line between using P2P networks to circumvent censorship in Orwellian parts of the world, and the distribution of copyrighted materials?

Roman : 'hakin9' team likes P2P networks, the more anonymous, the better. We use them for distributing our free articles and our CD. It makes me laugh when **AAs send e-mails with legal threats based on the American legal system to Polish or Swedish citizens. Sometimes they're like an old blind man in the fog. Instead of adopting P2P for selling their video or music, they make the community angry. Digressions aside. I don't feel that P2P networks will help anyone make their transfers safe [security through obscurity, right?] and that they will help to fight censorship in countries like North Korea or even China. On the other side, I can imagine modifying XMPP [Jabber] protocol to transfer SSL-secured data -- it may be already done, I had no time to investigate it further. Unauthorized distribution of copyrighted content, however, will always be a problem. There's no way to prevent such behaviour. Recent events show us that writing a P2P client is a piece of cake, even a clever 9-year-old boy can do this. I would rather make it easier for people to buy electronic copyrighted materials without the need to download it illegally. Regarding that according to some statistics even 30 per cent of total internet transfers are generated by P2P networks, I'm rather afraid that some stupid people downloading pr0n or Britney Spears MP3s could easily kill the Net some day. To sum up, each technology has its profits and costs. Obvious :). The profit of P2P is the ease of distributing any content. The cost is the people using it in an illegal manner. I can see no reason for prohibiting these networks just because some people prefer bad quality motion pictures to going to the movies. Should we prohibit usage of knives only because of the fact that someone stabbed the kitchen knife in someone's stomach?

Astalavista : In conclusion, I wanted to ask you what is your opinion of the Astalavista.com's web site, in particular, our security newsletter?

Roman : I'm very impressed with the amount of data available for Astalavista's visitors. I'm not a member though, so I cannot really make a detailed review. To be honest, I had some problems with recognizing which of your websites are free and which ones are not. But I have managed to do it and use it almost daily :). As for the newsletter, it's one of the most informative and professional ones I have ever seen. Since having read Issue 16, I couldn't stop myself from reading the archives. I am a subscriber and strongly advise everybody to do the same. As a person professionally dealing with IT security, I mean it – this is not an advertisement for Astalavista. This is the truth.

Astalavista : Thanks for your time Roman!
---------------------------------------------

Interview with John Young, http://www.cryptome.org/

Astalavista : Hi John, would you, please, introduce yourself to our readers, share some info on your background, and tell us something more about what are Cryptome.org and the Eyeball-Series.org all about?

John : Cryptome was set up in June 1996, an outgrowth of the Cypherpunks mail list. Its original purpose was to publish hard to get documents on encryption and then gradually expanded to include documents on information security, intelligence, national security, privacy and freedom of expression. Its stated purpose now is: "Cryptome welcomes documents for publication that are prohibited by governments worldwide, in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and secret governance -- open, secret and classified documents -- but not limited to those. Documents are removed from this site only by order served directly by a US court having jurisdiction. No court order has ever been served; any order served will be published here -- or elsewhere if gagged by order. Bluffs will be published if comical but otherwise ignored." The Eyeball Series was initiated in 2002 in response to the US government's removal of public documents and increased classification. Its intent is to show what can be obtained despite this clampdown.

Astalavista : What is your opinion about cyberterrorism in terms of platform for education, recruiting, propaganda and eventual real economic or life losses?

John : Cyberterrorism is a threat manufactured by government and business in a futile attempt to continue control of information and deny it to the public. Cyber media threatens authorities and authoritarians so it is demonized as if an enemy of the state, and, not least, corporate profits.

Astalavista : A couple of words - privacy, data aggregation, data mining, terrorism fears and our constantly digitized lives?

John : Privacy should be a right of citizens worldwide, in particular the right to keep government and business from gaining access to private information and personal data. The argument that government needs to violate privacy in order to assure security is a lie. The business of gathering private information by corporations and then selling that to government and other businesses is a great threat to civil liberties. Much of this technology was developed for intelligence and military uses but has since been expanded to include civil society.

Astalavista : Shouldn't the U.S be actively working on hydrogen power or alternative power sources instead of increasing its presence in the Middle East or to put the question in another way, what is the U.S doing in Iraq in your opinion? What do you think is the overall attitude of the average American towards these ambitions?

John : No question there should be energy sources as alternatives to the hegemonic fossil fuels. Dependence on fossil fuels is a rigged addiction of that worldwide cartel. Car ads are the most evil form of advertising, right up there with crippling disease of national security.

Astalavista : Is ECHELON still functioning in your opinion and what do you believe is the current state of global communications interception? Who's who and what are the actual capabilities?

John : Echelon continues to operate, and has gotten a giant boost since 9/11. The original 5 national beneficiaries -- US, UK, CA, AU and NZ -- have been supplemented by partial participation of other nations through global treaties to share information allegedly about terrorism. Terrorism is a bloated threat, manufactured to justify huge funding increases in defense, law enforcement and intelligence budgets around the globe. Businesses which supply these agencies have thrived enormously, and some that were withering with the end of the Cold War have resurged in unprecedented profits, exceeding those of the Cold War.

Astalavista : Network-centric warfare and electronic warfare are already an active doctrine for the U.S government. How do you picture the upcoming future, both at land and space and might the Wargames scenario become reality some day?

John : Network wargames are as pointless and wasteful as Cold War wargames were. They churn activity and consume expensive resources. None are reality-based, that is, outside the reality of imaginary warfare.

Astalavista : Do you believe there's currently too much classified or declassified information, namely documents, maps, satellite imagery etc. available on the Net these days? In the post 9/11 world, this digital transparency is obviously very handy for both terrorists and governments, but who do you think is benefiting from it?

John : Far from being too much information available to the public, there is a diminishing amount, especially about exploitation of those who have access to classified and "privileged" information -- government and business -- and those who lack access. The concocted warning that open information aids terrorism is a canard of great legacy, one that is customarily spread during times of crisis, the very times when secret government expands and becomes less accountable. "National security" is the brand name of this cheat.

Astalavista : In conclusion, I wanted to ask you what is your opinion of the Astalavista.com's web site, in particular, our security newsletter?

John : Great site, very informative, give yourself a prize and a vacation at G8 with the world class bandits.

Astalavista : Thanks for your time John!

John : Thanks to you!
-----------------------

Security Interviews 2004/2005 - Part 3

Part 3 includes :

17. Eric Goldman - http://www.ericgoldman.org/ - 2005
18. Robert - http://www.cgisecurity.com/ - 2005
19. Johannes B. Ullrich - http://isc.sans.org/ - 2005
20. Daniel Brandt - http://google-watch.org/ - 2005
21. David Endler - http://www.tippingpoint.com/ - 2005
22. Vladimir, ZARAZA - http://security.nnov.ru/ - 2005

Go through Part 1 and Part 2 as well!

Part of Asta's Security Newsletter
------------------------------------------

Interview with Eric Goldman, http://www.ericgoldman.org/

Astalavista : Hi Eric, would you, please, introduce yourself to our readers and share some info about your profession and experience in the industry?

Eric : I am an Assistant Professor of Law at Marquette University Law School in Milwaukee, Wisconsin. I have been a full-time professor for 3 years. Before becoming an academic, I was an Internet lawyer for 8 years in the Silicon Valley. I worked first at a private law firm, where most of my clients were Internet companies that allowed users to interact with other users (eBay was a leading example of that). Then, from 2000-2002, I worked at Epinions.com (soon to be part of eBay) as its general counsel. As an academic, I principally spend my time thinking and writing about Internet law topics. Some of my recent papers have addressed warez trading, spam, search engine liability and adware. I run two blogs: Technology & Marketing Law Blog, where we discuss many Internet law, IP law and marketing law topics, and Goldman’s Observations, a personal blog where I comment on other topics of interest.

Astalavista : Teaching tech and Internet-savvy students on CyberLaw and Copyrights infringement is definitely a challenge when it comes to influencing attitudes, while perhaps creative when it comes to discussions. What's the overall attitude of your students towards online music and movies sharing?

Eric : Students have a variety of perspectives about file sharing. Some students come from a content owner background; for example, they may have been a freelance author in the past. These students tend to strongly support the enforcement efforts of content owners, and they view unpermitted file sharing as stealing/theft, etc. Other students come from a technology background and subscribe to the “information wants to be free” philosophy. These students come into the classroom pretty hostile to content owners’ efforts and tend to be fatalistic about the long-term success of enforcement efforts. However, I think both of these groups are the minority. I think the significant majority of students do not really understand how copyright law applies to file sharing. They learned how to share files in school and do so regularly without fully understanding the legal ramifications. Usually, their thinking is: “if everyone is doing it, it must be OK.” These students tend to be surprised by the incongruity between their behavior and the law. Even when we discuss the rather restrictive nature of copyright law, these students are not always convinced to change their behavior. Deep down, they still want the files they want, and file sharing is how they get those files. As a result, I’ll be interested to see how attitudes evolve with the emergence of legal download sites like iTunes. I suspect these sites may be retraining students that there is a cost-affordable (but not free) way to get the files they want. We’ll see how this changes the classroom discussions!

Astalavista : Where do you think is the weakest link when it comes to copyright infringement of content online, the distribution process of the content or its development practices?

Eric : With respect to activities like warez trading, consistently the weakest link has been insiders at content companies. Not surprisingly (at least to security professionals), employees are the biggest security risk. I do think content owners are aware of these risks and have taken a number of steps to improve in-house security, but the content owners will never be able to eliminate this risk. I’d like to note a second-order issue here. Content owners have historically staggered the release of their content across different geographical markets. We’ve recently seen a trend towards content owners releasing their content on the same day worldwide (the most recent Harry Potter book is a good example of that). I think the content owners’ global release of content will reduce some of the damage from warez traders distributing content before it’s been released in other geographic markets. So as the content owners evolve their distribution practices, they will help limit the impact of other weak links in the distribution process.

Astalavista : Do you envision the commercialization of P2P networks given the amount of multimedia traded there, and the obvious fact that Internet users are willing to spend money on online content purchases (given Apple's iTunes store success, even Shawn Fanning's Snocap for instance) given the potential of this technology?

Eric : Personally, I’m not optimistic about the commercialization of the P2P networks. The content owners continue to show little interest in embracing the current forms of technology. I think if the content owners wanted to go in this direction, they would have done so before spending years and lots of money litigating against Napster, Aimster, Grokster and Streamcast.

In my opinion, without the buy-in of the content owners, P2P networks have little chance of becoming the dominant form of commercialized content downloads. So I think, for now, we’ll see much more content owners’ efforts directed towards proprietary download sites than cooperation with the P2P networks.

Astalavista : Were spyware/adware as well as malware the main influence factors for users to start legally purchasing entertainment content online?

Eric : We have some evidence to suggest otherwise. A recent study conducted at UC Berkeley watched the behavior of users downloading file-sharing software. The users didn’t understand the EULAs they were presented with, so they were not very careful about downloading. But, more importantly, the users persisted in downloading file-sharing software even when they were told and clearly understood that the software was bundled with adware. If this result is believable, users will tolerate software bundles—even if those bundles are risky from a security standpoint—so long as the software will help them get where they want.

Instead, I would attribute the comparative success of the music download sites to their responsiveness to consumer needs. Consumers have made it clear what they want—they want music when they want it, they want to listen to it in the order of their choosing, they want to pay a low amount for just the music they want (not the music they don’t), they want the interface to be user-friendly and they want to deal with trustworthy sources. Also, consumers have surprisingly eclectic tastes, so any music download site must have a large database that’s diverse enough to satisfy idiosyncratic tastes. The most recent generation of music download sites have finally provided an offering that satisfies most of these key attributes. They aren’t perfect yet, but the modern sites are so much better than prior offerings where the pricing was off, the databases were incomplete, or the sites were still trying to tell consumers how they should enjoy the music (rather than letting the consumers decide for themselves).

P2P file-sharing networks still serve a consumer need, but the content owners have succeeded some in increasing the search costs that consumers have to receive (such as by using spoof files). As consumer search costs using file-sharing increase, legal downloading sites with efficient search/navigation interfaces become more attractive.

Astalavista : How would you explain the major investments of known companies into spyware/adware? Is it legal but unethical from a moral point of view?

Eric : I’m a little contrarian on this topic, so I may be unintentionally controversial here. From my perspective, we should start with a basic proposition: adware and spyware are not inherently evil. Like many other technologies, adware and spyware are good technology capable of being misused. Indeed, I think adware and spyware are an essential part of our future technological toolkit—perhaps not in the existing form, but in some form. We should not dismiss the technology any more than we should dismiss P2P file sharing technology simply because many users choose to engage in illegal file sharing using it.

Once we realize that adware and spyware are not necessarily bad and could even be useful, then it makes sense that major brand-name companies are working with adware/spyware. Adware and spyware offer new—and potentially better—ways to solve consumers’ needs, so we should expect and want companies to continue innovating. Let me give an example. I use Microsoft XP and it constantly watches my activities. Indeed, in response to my actions/inactions, I get lots of pop-up alerts/notifications….“updates are available” “you are now connected online” “we have detected a virus” etc. I want my operating system to be monitoring my behavior and alerting me to problems that need my attention. In fact, I’d be happy if Microsoft fixed problems that don’t need my attention without even disturbing me. Microsoft is aware of this and is working on technological innovations to be smarter about when it delivers alerts.

So from my perspective, Microsoft is in the spyware business. They have huge investments in spyware. I’m glad they are making these investments and I hope they find even better ways to implement their software. I think adware and spyware have been maligned because a number of otherwise-legitimate marketers have engaged in (and may continue to engage in) some questionable practices. These practices can range from deceptive/ambiguous disclosures to exploiting security holes. I remain optimistic that legitimate businesses will evolve their practices. We’ve seen movement by companies like Claria (eliminating pop-up ads), WhenU (deliberately scaling back installations by taking more efforts to confirm that users want the software) and 180solutions (cleaning up its distribution channels). This is not to say that we’ve reached the right place yet, but I like to think that the major adware companies will continue to improve their practices over time.

However, there will also be people who will disseminate software that is intended to harm consumers, such as by destroying or stealing data. We have to remain constantly vigilant against these threats. But they are far from new; we’ve had to deal with malicious virus writers for a couple of decades. In thinking about the policy implications, we should not lump the purveyors of intentionally harmful software together with legitimate businesses that are evolving their business practices.

Astalavista : Do you think the distributed and globalized nature of the Internet is actually the double edged sword when it comes to fighting/tracing cyber criminals and limiting the impact of an already distributed/hosted copyrighted information?

Eric : There’s no question that the global nature of the Internet poses significant challenges to enforcement against infringement and criminals. While this is mostly a problem, the need for cross-border coordination creates an opportunity for governments to develop compatible laws and legal systems, and there could be real long-term benefits from that.

Astalavista : What's your opinion on the current state of DRM (Digital Rights Management) when it comes to usefulness and global acceptance?

Eric : I know DRM is pretty unpopular in a lot of circles, especially academic circles. Personally, I don’t have a problem with DRM. I look at DRM as a way of determining the attributes of the product I’m buying. Consider the analogy to physical space. When I buy a car, most manufacturers give me some options to purchase. For example, I can upgrade the seat covers to the leather package if I’m willing to pay for that. The manufacturer could make that choice for me (and sometimes they do), but when it’s my choice, I can pay for what I value. DRM is a way of creating different product attributes in digital bits. In theory, with DRM, I can buy 24 hour viewing rights, 1 year viewing rights or perpetual viewing rights. Depending on my needs, I may prefer to pay less and get less, or I may want the perpetual rights and will happily pay more for that. Without DRM, we’ve relied on physical nature of the content storage medium, plus post-hoc copyright infringement enforcement, to establish those different attributes. DRM does a much more effective job of defining the product. Therefore, DRM gives the content owners new ways to create products that respond to consumer needs. Of course, consumers need to understand what they are buying when it’s controlled by DRM, but that’s a consumer disclosure issue that we’ve encountered in lots of contexts before.

As far as I can tell, consumers have no problem with DRM. Indeed, the comparative success of download sites like iTunes indicates that consumers don’t really care about DRM so long as they can get what they want.

Astalavista : In conclusion, I would really appreciate if you share your comments about the Astalavista.com site and, particularly, about our security newsletter?

Eric : My first introduction to your site was when one of my articles was linked on the site. My traffic immediately took off like a rocket ship. I was very impressed with the quantity and sophistication of your readers. Thanks for giving me an opportunity to speak with them.
------------------------------------

Interview with Robert, http://www.cgisecurity.com/

Astalavista : Hi Robert, would you, please, introduce yourself to our readers and share some info about your profession and experience in the industry?

Robert : I first started to get interested in the hacker/security aspect of computers in the 90's in high school where I had my first brush with a non 'windows/mac system' called 'VMS' (a VAX/VMS system to be exact). A year later I *finally* got access to an internet connection and to my amazement discovered that it was possible to break into a website with nothing more than your browser which was something I found to be rather interesting. This *interest* grew into a website I originally hosted on xoom (some free hoster I forget which :) that later became CGISecurity.com in September of 2000 where I've published numerous articles and white papers pertaining to website security. In 2003 I 'sold out' (get paid to do what you'd do for free) and was hired to perform R&D and QA on a Web Application Security Product where I am to this day. In 2004 I Co Founded 'The Web Application Security Consortium' with Jeremiah Grossman to provide an outlet for some projects that multiple people we knew were interested in participating in. A year later I created 'The Web Security Mailing List' as a forum where people can freely discuss all aspects of Web Security where I am currently the lead list moderator.

Astalavista : Recently, there's been a growing trend towards the use of automated code auditing/exploitation tools in web applications security. Do you believe automation in this particular case gives a false sense of security, and provides managers with point'n'click efficiency, compared to a structured and an in-depth approach from a consultant?

Robert : Scanners provide a good baseline of the common types of issues that exist but are not magic bullets. It shouldn't come to a surprise to you but many of these consultants use these automated scanning tools (Both freeware and commercial) in conjunction with manual review and simply verify the results. The skill of the person using any specialized product greatly impacts the end result. Someone with a good security understanding can save immense amounts of time by using such an automated product. If your organization doesn't have a 'security guy' then a consultant may be the best solution for you.

Astalavista : Phishers are indeed taking a large portion of today's e-commerce flow. Do you believe corporations are greatly contributing to the epidemic, by not taking web security seriously enough to ensure their web sites aren't vulnerable to attacks in favour of online scammers?

Robert : Phishing doesn't *require* that a website be vulnerable to anything it just simply requires a look alike site exploiting a user's lack of security education and/or patches. I wouldn't say they are contributing towards it, but I do think that educating your user (as best as you can) is a requirement that should be in place at any online organization.

Astalavista : What are your comments on the future use of web application worms, compared to today's botnets/scams oriented malware? What are the opportunities and how do you picture their potential/use in the upcoming future?

Robert : In 2005 we saw a rise in the use of search engines to 'data mine' Vulnerable and/or suspect hosts. Some of the larger search engines are starting to put measures in place such as daily request limitations, CAPTCHA's, and string filtering to help slow down the issue. While these efforts are noteworthy they are not going to be able to prevent *all* malicious uses a search engine allows. I think the future 'web worms' will borrow methodologies from security scanners created to discover new vulnerabilities that will have no patches available. While the downside of this is to slow infection rates and lots of noise, the upside is infecting machines with no vendor supplied patch available because the 'vendor' may be a consultant or ex employee who is no longer available. Worms such as Nimda infected both the server and its visitors making it highly effective and I expect this user/server trend to increase in the future. I also suspect a switch towards 'data mining' worms, that is worms that are trying to steal useful data. Modern day versions of these worms steal cd keys to games and operating systems. The use of worms to seek and steal data from a server environment, or user machine is only going to grow as credit card and identity theft continue to grow. While investigating a break-in into a friend's ISP I discovered the use of a shopping cart 'kit' left behind by the attacker. This kit contained roughly 8 popular online shopping carts that were modified to grab copies of a customer's order, a 'shopping cart rootkit' if you will. I suspect some type of automation of either auto backdooring of popular software or uploading modified copies to start creeping its way into future web worms. In 2002 I wrote an article titled 'Anatomy of the web application worm' describing some of these 'new' threats that web application worms may bring to us.

Astalavista : Is the multitude and availability of open-source or freeware web application exploitation tools benefiting the industry, resulting in constant abuse of web servers worldwide, or actually making the situation even worse for the still catching up corporations given the overall web applications abuse?

Robert : This entirely depends on the 'product'. There are tools that allow you to verify if a host is vulnerable without actually exploiting it which I consider to be a good thing while some of these 'point and root' tools are not helping out as many people as they are hurting. In the past few years a shift has started involving 'full disclosure' where people are deciding not to release ./hack friendly exploits but are instead releasing 'just enough detail' for someone to verify it. This 'shift' is something that I fully support.

Astalavista : CGISecurity.com has been around for quite a few years. What are your plans for future projects regarding web security, and is it that you feel the industry is lacking right now - awareness, capabilities or incentives to deal with the problem?

Robert : Actually September 14th will be the 5th year anniversary of CGISecurity.com. Right now I'm heavily involved in 'The Web Application Security Consortium' where we have numerous projects underway to provide documentation, education, and guides for users. I plan on expanding CGISecurity into a one stop shop for all 'web security' related documentation where you can (hopefully) find just about anything you could ever need. To answer the second part of your question I'd say all three with awareness (education) being the biggest problem. 

One of the things that the industry hasn't 'gotten' yet (in my opinion) is security review throughout an application's lifecycle. Sure developers are starting to take 'secure development' more seriously but as many of your readers know deadlines hamper good intentions and often temporary solutions (if at all) are put in place to make something work in time for release. This is why we need security review during all phases of the cycle not just during development and post production. I think that a much overlooked aspect of the development cycle is Quality Assurance. QA's job is to ensure that a product works according to requirements, identify as many pre release (and post release) bugs as possible, and to think about ways to break the product. I think that more companies need to implement 'QA security testing' as a release requirement as well as train their testers to have a deeper understanding of these 'bugs' that they've been discovering. You've heard the term 'security in layers' so why can't this process be implemented throughout most development cycles? Developers get busy and may overlook something in the rush to meet the release date which is why (before release) they need someone double checking their work (QA) before it goes production.

Astalavista : In conclusion, I would like to ask you what is your opinion of the Astalavista.com's web site and, in particular, our security newsletter?

Robert : I first discovered astalavista in my 'referrer' logs when it linked to one of my articles. Since then I've been visiting on and off for a few years and only recently discovered the newsletter which I think is a great resource for those unable to keep up with all the news sites, and mailing list postings.
-------------------------

Interview with David Endler, http://www.tippingpoint.com/

Astalavista : Hi Dave, would you, please, introduce yourself to our readers and share with us some info about your experience in the industry?

Dave : Sure, I'm 6'1", a Leo, I like long walks on the beach, coffee ice cream,^H^H^H^H^H^H^H . . . oh, sorry, wrong window. I'm the Director of Security Research at 3Com's security division, TippingPoint. Some of the functions that fall under me include 3Com's internal product Security testing, 3Com Security Response, and the Digital Vaccine team Responsible for TippingPoint IPS vulnerability filters. Prior to 3Com, I was the director of iDefense Labs overseeing vulnerability and malware research. Before that, I had various security research roles with Xerox Corporation, the National Security Agency, and MIT.

Astalavista : What's the goal of your Zero Day Initiative, how successful is your approach so far, and what differentiates it from iDefense's one?

Dave : Over the past few years, no one can deny the obvious increase in the number of capable security researchers as well as the advancement of publicly available security researching tools. We wanted to tap into this network of global researchers in such a manner as to benefit the researchers, 3Com customers, and the general public. Our approach was the construction of the Zero Day Initiative (ZDI), launched on August 15, 2005. The main goals behind the program are:

a.) Extend 3Com's existing vulnerability research organization by leveraging the methodologies, expertise, and time of others.
b.) Responsibly report 0day vulnerabilities to the affected vendors
c.) Protect our customers through the TippingPoint Intrusion Prevention Systems (IPS) while the product vendor is working on a patch
d.) Protect all technology end users by eliminating 0day vulnerabilities through collaboration with the security community, both vendors and researchers.

The ZDI has had an incredibly positive result in only three months of activity, far exceeding our expectations. To date we have had over 200 researchers sign up through the portal, and received over 100 vulnerability submissions. We suspect that part of the early success of the program can be attributed to the wild launch party we threw at Blackhat/Defcon 2005.

The ZDI is different from iDefense's program in a number of ways. 3Com has invested considerable resources to ensure the success of the ZDI. As a result, ZDI contributors will receive a much higher valuation for their research. We provide 0day protection filters for our clients, without disclosing any details regarding the vulnerability, through our TippingPoint IPS, as opposed to simply selling vulnerability details in advance of public disclosure. Finally, we altruistically attempt to protect the public at large by sharing the acquired 0day data with other security vendors (yes, this includes competitors) in an effort to do the most good with the information we have acquired. We feel we can still maintain a competitive advantage with respect to our customers while facilitating the protection of a customer base larger than our own.

Astalavista : 0day vulnerabilities have always been a buzzword in the security community, while in recent years decision makers have started realizing their importance when evaluating possible solutions as well. What's the myth behind 0day vulnerabilities from your point of view, and should it get the highest priority the way I'm seeing it recently?

Dave : Certainly not all vulnerabilities should be treated equally, including 0day. A typical vendor-announced vulnerability can be just as devastating as a 0day due to the trend of shrinking windows of time for exploit release. Obviously, for an organization or home user that doesn't stay up-to-date with security patches, a three-year old exploit for a patched vulnerability could be just as devastating as a 0day exploit. I think 0day vulnerability protection has begun to take more shape in security buying decisions simply due to the growing frustration and helplessness felt by users when vendors take a long time to patch these issues when exploits are widely circulating. In the last year alone, we saw several of the 0day browser exploits incorporated into spyware sites within one day of their disclosure.

Astalavista : Do you feel the ongoing monetization and actual development of security vulnerabilities market would act as an incentive for a ShadowCrew style underground market, whose "rewards" for 0day vulnerabilities will contribute to its instant monopoly?

Dave : I think there will always be an underground market, but I doubt it will ever have a monopoly for a few reasons. We know there is a thriving underground market today for 0days, especially browser vulnerabilities that can be used to inject Trojans and steal financial data. I think the main obstacle currently curbing the growth of the underground vulnerability-purchase movement is a lack of trust. Since a security researcher doesn't really know the identity of an underground buyer, there's no guarantee he will get paid once he unveils his discovery. Also at the end of the day, many researchers want these vulnerabilities to be fixed and want to receive the appropriate recognition in the mainstream security community.

Astalavista : While you are currently acting as the intermediary between a vendor and researcher, do you picture the long-term scenario of actually bidding for someone else's research given the appearance of other competitors, the existence of the underground market I already mentioned, and the transparency of both? How do you think would the market evolve?

Dave : Good question. I hope the markets evolve in a way that encourages Vendors to put more skin in the game. It behooves these vendors to help protect their own customers more by rewarding outside researchers for security discoveries that escape internal QA testing. The only vendors I know of who currently do this are Netscape and Mozilla through their bug bounty programs. I think a "0-bay" auction model could be viable if a neutral party launched it that was trustworthy as a vulnerability "escrow agent" and could guarantee anonymity and payment to researchers. There was some good discussion on the Daily Dave list of some of the issues raised by such an auction model.

Astalavista : Should a vendor's competencies be judged on how promptly it reacts to a vulnerability notification and actually provides a (working) fix? Moreover, should vendors be held somehow accountable for their practices in situations like these, thus eliminating or opening up windows of opportunity for pretty much anything malicious?

Dave : I've worn the hat of a security researcher, vulnerability disclosure intermediary, and most recently, a vendor. I now have a great amount of sympathy for all three groups. In general, vendors need to make a more concerted effort to reach out to security researchers in the vulnerability disclosure process. Many vendors don't seem to understand that most security researchers get no tangible benefit for reporting a security issue. More and more 0day disclosures it seems are also the result of a vendor-researcher relationship breaking down due to a misunderstanding over email or poor follow-up from the vendor. Ideally, vendors should also reward these researchers, if not with money, then other perks or recognition as a sign of appreciation. It's hard to judge all vendors the same on the amount of time it takes to patch a vulnerability. Some vulnerabilities legitimately take longer to fix and QA than others. Because there are no laws today that govern a vendor's security response, the market is going to have to be the ultimate judge in this arena. If enough potential customers are lost to a competitor because of poor security patch handling or a destructive worm, you can bet that more money will be budgeted into their security development lifecycle.

Astalavista : Having conducted security research for the NSA must have been quite an experience. Does the agency's approach on security research somehow differ from the industry's one, in terms of needs for sure, but in what way exactly?

Dave : No comment :-)

Astalavista : Can money buy creativity and innovation from an R&D's point of view?

Dave : Of course no amount of money can buy your way to really innovative research. Some of the most prolific research teams are built through visionary research directors creating a nurturing and non-restrictive environment, insulating the team from most corporate pressures and politics.

Astalavista : Thanks for your time!
-------------------------------------

Interview with Vladimir, aka 3APA3A http://www.security.nnov.ru/

Astalavista : Hi Vladimir, would you please introduce yourself to our readers, and share some info on your background and experience with information security?

Vladimir : OK. I'm 31, I’m married, and we have two daughters. For last 10 years I'm support service head for middle sized ISP in Nizhny Novgorod, Russia. As so, I'm not occupied in IT security industry and I'm not security professional. It's just a kind of useful hobby. And that's the reason why I use nickname though I have no relation to any illegal activity. Everyone who is interested can easily find my real name. In addition to my primary job, I give few classes a week on computer science in Nizhny Novgorod State University.

I started on the Russian scene in the late 90s with the article on HTTP chats security. 'Cross site scripting' was quite new vulnerability class and the term itself arrived few years after. Later I began to publish some articles on the Bugtraq. Because my previous nickname taken from Pushkin's personage was not understandable abroad, I used gamer's nick '3APA3A', 'zaraza' in Cyrillic, it means infection. It also has a meaning of English 'swine' :). No, there is no relation with famous 3APA3A. ZARAZA virus, it was few years before.

I'm not 'bug digger', as one may think. Some bugs were discovered in the process of troubleshooting, while others were found in attempt to discover new vulnerability class or exploitation approach. And I’m proud to catch a few :)

Astalavista : What are some of your current and future projects?

Vladimir : Since 1999 http://www.security.nnov.ru is the only project I'm constantly involved in. Sometimes, I patch old bugs and create new ones within 3proxy http://www.security.nnov.ru/soft/3proxy/.

Astalavista : How would you describe the current state of the Russian security scene? Also, what are your comments on the overall bad PR for, both, Russia, and Eastern Europe as a hackers' haven?

Vladimir : "hack" is an opposite to technology for me. The industry with technology is a conveyor, while the hack works only here and now. Hacking is the process of creating something to solve one particular problem without enough money, resources and, most important, without knowledge. In the best case it's something new for everyone and nobody to share knowledge and resources with you.

If you mean a lack of money, resources and knowledge - yes, Russia is hackers' heaven :)

We had interesting discussion on this topic with David Endler (from your Newsletter #23). Of course you know how many viruses originated from Russia and you know some "famous" virus writing teams. Do you know any software written here? Well.. maybe after some research you can find Outpost and Kaspersky Antivirus you have never used... That's all. You think. Let's look at the city I live. Many really interesting things from Quake II graphical drivers and Intel debugging and profiling tools to Motorola and Nortel firmware were written here. It's not largest city and Russia is large country. Same goes to Eastern Europe, India and China.

We have a lot of unknown programmers and few famous virus writers, that's the problem :)

The security scene in Russia is really hard question. Of course, there are few professionals, they are well-known buddies, who work for well-known companies. They publish their really useful books and write their really professional articles and receive their really good money. There are old-school hackers who do not speak Russian for few years. There are "underground" e-zines, none of them are living enough to spell correctly. There are "security teams" known by defacing each other and publishing up to 6 bugs in PHP scripts. Teenage #hax0r1ng IRC channels. And, of course, guys who do their business with trojans and botnets and prefer to stay invisible.

That's all, folks. There is no scene. No place to meet each other. No Russian Defcon.

Astalavista : What are the most significant trends that happened with vulnerability researching as a whole since you've started your project?

Vladimir : Any new technology arrives as a hack, but grows into industry. It was with computers, software, network security and finally it happens with vulnerability research. This fact changes everything. No place left for real hacking. The guys on this scene became professionals. If you enter this without knowledge, all you can is to find some bugs in unknown PHP scripts.

Astalavista : Do you think a huge percentage of today's Internet threats are mainly posed by the great deal of window of vulnerabilities out there, and how should we respond to the concept of 0day by itself? Patching is definitely not worth it on certain occasions from my point of view!

Vladimir : Imagine a 100,000,000 of purely patched default configuration Fedora Core machines with users running their Mozilla's from root account. That's what we have in Windows world. Did you know that, 99% of Windows trojans/viruses/backdoors will not work if executed from unprivileged account? Life could be much more secure if only administrator with special license (like driver's one) might configure system and get penalties in case of virus incidents :)

Did you know that, most ISPs do not monitor suspicious activity from their customers and can not stop attack from their network within 24 hours? It's almost impossible to coordinate something between providers. There are non-formal organizations, like NSP-SEC, but it only coordinates large providers from few countries. Coordination and short abuse response time would be another step.

Astalavista : What is your attitude towards an 0bay market for software vulnerabilities? And who wins and who loses from your point of view?

Vladimir : On the real market both sides win. No doubt, the fact there is now a legal market for 0days is good news for researchers and end users, because it raises vulnerability price and establishes some standards. This "white" market is in its beginning. There are only few players.

Who can value 0day Internet Explorer bug? First of all, Microsoft. But for some reason it does not. The second, IDS/IPS vendors and security consulting companies to make signatures and PR. Bugtraq posting is really good PR. If vulnerability is then exploited in-the-wild, it raises the article in Washington Post. It's even better PR.

Astalavista : Do you also, somehow picture a centralized underground ecosystem, the way we are currently seeing/intercepting exchange of 0day vulnerabilities on IRC channels, web forums. But one with better transparency of its content, sellers and buyers?

Vladimir : And, of course, underground market is always ready to pay. Exploits are required to install a trojan. Trojan is required to create a botnet. Botnet is required for spamming, DDoS and blackmailing, phishing, illegal content hosting. It's definitely a kind of ecosystem with different roles and specializations and its money cycle as a basement.

With some dirty games with 0day Internet Explorer vulnerability you can make a new car on the botnet market or (and?) just a few thousand dollars with PR. Underground market is not centralized and lies on private contacts. Forums and IRC channels you can find are the top of the iceberg. It makes it less vulnerable. I bet last WMF exploit was sold without any IRC channels and forums.

Astalavista : Can there ever be a responsible disclosure, and how do you picture it?

Vladimir : According to Russian legislation, a vendor may not sell product without informing customer about any known defect or limitation on it. I bet different countries have similar legislations. I don't understand why it doesn't work with computer software. Vendor should either timely inform customers on defect in software or should stop to sell it.

Of course, disclosing information without informing vendor is just stupid and non-profitable for everyone. From other side, if a vendor has not eliminated vulnerability after few months and has not informed customers, there is nothing non-responsible in publishing this information. I never saw vendor who blames researchers in non-responsible disclosure to stop selling defective product.

There were few attempts to standardize disclosure policy, FPolicy is the first one.

Astalavista : Can a vulnerability researcher get evil if not treated properly, and what could follow? :)

Vladimir : Sure. Imagine a situation you want to get money from vendor for vulnerability information you discovered. There is nothing bad in getting money for your work and vendor should be interested in buying this information on the first place. But it can be just a blackmail if not "treated properly".

Astalavista : In conclusion, I wanted to ask on some of your future predictions for 2006 concerning vulnerability research, and the industry as a whole?

Vladimir : One year is small period. Maybe we will see vendors to buy vulnerabilities. "Vulnerability researcher" may be scripted on somebody's business card and become profession by this way. "Vulnerability researching" as University course... No, let's wait for another 2-3 years :)

Astalavista : Thank you for your time!