Having been on both sides of the divide, I’d say that for the most part there is not much practical work coming out of academia that is making a big impact in the real world. There are certainly a few exceptions, most of them in the world of cryptography.

There are lots of reasons for this, an important one being that industry and academia don’t share very much. Lots of academics are reinventing what industry has been doing for years.

Academics don’t just suffer because they don’t know what industry has done. They suffer from not understanding the problems well.

Academics don’t spend enough time with customers or with companies in the industry to figure out the true problems that need to be solved. Part of this is because academics tend to be more focused on publishable results than on which problems need a better solution.

Academic peer review is a great thing, but in the security field, the fact that publications usually have to meet a high novelty bar is a bad thing. The real world would benefit if industry could say, “Here’s a proposed system. It’s a combination of a lot of ideas, but it’s a new, novel system.”

Right now, academics don’t get any credit toward tenure for breaking stuff (though they still might do it for the publicity). But it would be great if academics could get publication credit by publicly analyzing those systems. I think they should get credit for contributing in a practical way to industry – the world would get better systems, after all.

I don’t know how to fix the problem. This is a downward spiral: the less relevant academia is, the less effort industry will put into the relationship, which will leave academia less able to provide value to industry.

(from J.Viega, Myth of Security, O’Reilly 2009)

Attualmente l’implementazione consiste in una serie di patch per il kernel di Linux e in una libreria.

Da leggere il draft con le specifiche (ecco l’abstract):

This document describes an extension to TCP [RFC0793] which permits a small, mostly constant data payload to be carried in the SYN+ACK frame of the 3-way handshake.  This new behaviour is enabled by an option in the SYN packet to ensure backwards compatibility.  We should how this has latency benefits, specifically for cryptographic applications.

e la pagina del wiki con le differenze tra Obfuscated TCP e le principali alternative (SSL, IPSec)

Windows Vista includes an extensive reworking of core OS elements in order to provide content protection for so-called “premium content”, typically HD data from Blu-Ray and HD-DVD sources. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it’s not used directly with Vista (for example hardware in a Macintosh computer or on a Linux server). This document analyses the cost involved in Vista’s content protection, and the collateral damage that this incurs throughout the computer industry.

Il testo completo di Peter Gutmann è all’indirizzo http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

• HP Scrawlr: Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly.
• Microsoft Source Code Analyzer for SQL Injection: Microsoft Source Code Analyzer for SQL Injection is a static dataflow analysis tool to help find SQL Injection vulnerabilities in Active Server Pages (ASP) code.

Sul blog Security Vulnerability Research & Defense c’è un confronto tra Scrawlr, MSCASI e UrlScan.

TIA-1091 addresses the access and network security for IP-based services. The scope for this document is to specify the security features and mechanisms for secure access to the IM subsystem (IMS) for the 3G mobile telecommunication system. The IMS supports IP Multimedia applications such as video, audio and multimedia conferences using SIP, Session Initiation Protocol, as the signaling protocol for creating and terminating Multimedia sessions, cf.. This document only deals with how the SIP signaling is protected between the subscriber and the IMS, how the subscriber is authenticated and how the subscriber authenticates the IMS.

No one wants to buy security. They want to buy something truly useful — database management systems, Web 2.0 collaboration tools, a company-wide network — and they want it to be secure. They don’t want to have to become IT security experts. They don’t want to have to go to the RSA Conference. This is the future of IT security.

Su Reddit e su Schneier.com alcuni commenti all’articolo.

Provo a scaricare la versione PDF e viene  fuori il form per l’autenticazione poiché i paper su Usenix sono disponibili solo per gli associati (diventano disponibili a  tutti solo dopo un anno dalla presentazione):

Provo dunque l’opzione “Versione HTML” di Google… e a sorpresa

e poco più sotto l’intero paper

La domanda è: ma come fa Google? Suggerimenti, link?

Ecco i passi per diventare dei professionisti in sicurezza informatica:

Buy an offshore university degree in computer science.
Use the CISSP, CISA, CISM, etc, etc certificate title in your email signature and start writing in mailing lists.
Go at security conferences to meet people and spread your name and if you want to be really considered cool organize one yourself.
Write some article on some local magazine by translating (stealing) articles from securityfocus and other international websites.
Setup a blog stating that you are a master in what you do.

E ancora:

Ok, now you can be considered a computer security professional even if you know nothing about computer security.
…
You can work successfully even if you don’t know anything about security!
…
Imho we should think about writing a ‘how to became a successful computer security professional in 30 days’ !

Il messaggio completo, che sottoscrivo in pieno, è qui. Da leggere.

Mi è venuta l’idea per un libro che, visto come vanno le cose, venderebbe davvero molto: PenTest for Dummies ovvero Penetration test per deficienti e come sottotitolo “Come i deficienti fanno i penetration test”.
Sarebbe anche facile da scrivere: la sicurezza in mano ai deficienti non è altro che un processo ripetitivo che richiede poche conoscenze ed è il più possibile automatizzato. Altro sottotitolo: La catena di montaggio dell’hacking. O anche: Breve storia dei figli di Nessus.

Venderebbe tanto perché per qualche strano motivo tutti i deficienti della rete si stanno improvvisando pen-tester. Gente che non sa programmare fa sicurezza, gente che non distingue i layer del modello OSI fa sicurezza, gente che confonde IDS con IPS fa sicurezza… e gli esempi potrebbero continuare ancora per molto.

Signori, la sicurezza è una scienza, e come tale va studiata e trattata. Non ci sono scorciatoie.

Una lista altamente selezionata dei migliori blog sulla sicurezza scritti da italiani per italiani:

• Il blog di Andrea Ghirardini sulla computer forensics
• Il blog di Feliciano Intini, Chief Security Advisor di Microsoft Italia
• Il blog di Marco Misitano, Security Consulting alla Cisco Systems Italia
• Il blog di Claudio Telmon
• …continua