lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 22 Feb 2011 16:13:28 -0500
From: jf <jf@...co.net>
To: Michal Zalewski <lcamtuf@...edump.cx>,
	full-disclosure@...ts.grok.org.uk
Subject: Re: What the f*** is going on?

> http://lcamtuf.blogspot.com/2011/02/world-of-hbgary.html

I can't say I (strongly) disagree on any particular point you've made, generally speaking-- you're right, especially about the progress made in the last 10-15 years. However at a certain point in every philosophers philosophy, the philosphers philosophies become apparent.. I sorta disagree with one point:

"[...] The reason why I am frightened is the emergence of a new class of government contractors - a class that depends on th
e perpetration of an alluring, yet completely meaningless myth: that an incredibly sophisticated and determined adversary is constantly scheming to wage a devastating cyber-war
against everything we hold dear."

There is some truth to this statement; $they woke something up in an office in DC somewhere and the gov got sorta serious. Naturally this results the whole supply/demand thing. Point being, the government reached out and not vice versa. Their threat was real, and it's been persistant since more or less the turn of the century and as far as I can tell, it's never stopped. If it did for Google, you're either mistaken, they got what they were after or being called out in the press and putting economic threats on the table was the asymetric weapon needed; if I had to guess, I'd choose option 1, 2 and 3.

I'd agree, that as of yet, we're hardly talking about an all-in zero-sum game, and that part is very much over-hyped. However, calling it an all out myth is misleading, and saying it's because contractors are pushing a myth is just wrong. You should be mindful, they looked outward and supply was created for the demand. Prior to your employer's compromise, this thing, everyone called it a lie, some crap made up by the CIA, et cetera. Now it's unimpressive hype.. I'd love to see Chinese history books in 100 years.

That said, the world is not ending of course, but that doesn't mean there isn't a real threat either. In ~2005, I was a defense contractor watching NIDS when they came looking for someone who could reverse; I knew enough assembly to write up shellcode, but this was my intro to windows reversing and therein lay your first bad omen as to their actual ability. Over the course of a weekend we got the algorithm out, wrote up a program to read the pcap's and got to work on analysis. Come Monday, we dropped bombs and from the fires emerged a request for our report/tools from another agency and I got to redact my first report, and then another and another. Everyone had this problem, and had it for *years* with little to no discernable progress. They hadn't even identified how $they were getting in, like what bug. So we identified that too, and wrote up a binary patch for it (that went 100% unused except on my machine), et cetera. And then that long string of office 0-days in 2006 sta
 rted, and eventually I ended up with the private SSL keys for a few absurdly large american companies (ended up on a machine of ours), and then the documents started cleaning themselves and this happened multiple times a week for the ~2 years with countless 80-100 hour weeks and all of you telling me my life was a myth/lie/CIA fabrication/et cetera. 

That's the bug, and there's no patch for it. You will have too many unqualified people and too few qualified people, the later will pick up the slack for the former but everyone breaks eventually. As over-hyped as some aspects of it are, it really fundamentally needs to be understood just how unprepared they were and the progress they've made since then. 

That all said, I think you missed what appears to be the more dangerous aspect (at least to me anyways), it's not that IS..erm iDef..erm hbgary et al are selling such things or even marketing methods, et cetera-- as if that's not what blackhat et cetera are basically about (& we can probably look to the '@...ke generation' for proper blame placement). But it's that through moonlight maze, titan rain, et al they realized a few incredibly important things, the relevant ones are:

0.) There is really no attribution 
1.) Even if there was a means for attribution, there is no international legal framework, what constitutes a legal act of war?
2.) In the absence of (1), how do you progress criminal justice cases against foreign nationals when the foreign nation is not entirely cooperative?

These three aspects make it really potent, and my concerns relate to how such lines of thought will develop as they mature as they all circumvent fairly fundamental aspects our fairy tale.

Anyone from the AV industry got a big set and want to step up and talk about your aurora attacks?  

jf

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists