Dailydave mailing list archives

Re: A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos


From: Nathan Landon <nathan.landon () digitaloperatives com>
Date: Fri, 1 Nov 2019 14:04:46 -0400

It’s naive empiricism, much like the discussions around terrorism:  
https://www.youtube.com/watch?time_continue=33&v=9dKiLclupUM

What Dave is essentially saying (I think) and what Alex Stamos misses is that 0-days have fat tail risks.

-Nate

On Nov 1, 2019, at 11:57 AM, Don A. Bailey <don.bailey () gmail com> wrote:

Alex is exceptional but this is a critical fact that is indeed overlooked by a vocal majority.

On Nov 1, 2019, at 11:22 AM, Dave Aitel <dave.aitel () gmail com> wrote:


Ok, so you can/should watch it here:
https://www.youtube.com/watch?v=uohyx7OIugY

Alex is a great keynote speaker and I really like a lot of his talk (especially where he delves into how 
disintermediation has broken all social systems without ever using the word disintermediation) but also I think he's 
super wrong about something so I'm going to spam this at him (and all of you) to annoy him, specifically in a 
section about priorities as a community, which is followed by a whole section on how the technical companies all 
emulate Steve Jobs and pretend everything they do is perfect.


"Even in a position where we faced the best attackers, I only saw true 0day deployed twice"

"""If you have Superman vision and you're able to zoom in to the screen you would see that every pixel on the screen 
is actually comprised of sub pixels right of red green blue sub pixels this sub pixel represents all of the human 
harm ever caused by side-channel attacks in the history of information security. This is what dominates discussion 
in the security research community - super complicated esoteric issues for which there's almost no demonstration 
ever or even good theoretical purposes in which this would be the best way for somebody to leak out information or 
somehow otherwise compromise the system. And so this is the fundamental issue - that if you actually look at what 
people are working on that pyramid is inverted. People are spending way more than a sub-pixel thinking about super 
esoteric side-channel attacks in Intel processors. That doesn't mean we shouldn't research. It doesn't mean we 
shouldn't fix it. But it shouldn't be the thing that we think way more about..... I want to read way more about how 
people are making it easier for real enterprises to patch their systems. I want to read way more about how people 
are designing their systems to not be able to be easily abused to cause harm and a variety of really horrible ways 
then I read about more side-channel attacks. I certainly don't want people coming up with with damn names and 
domains just for their side channel attack. That drives me totally insane."""

So here are two things:
1. The security research community is tiny. We get a not insignificant subset of it at INFILTRATE every year. The 
reason the material the research community puts out gets attention is precisely because it turns conventional wisdom 
on its head. You study the latest heap overflow because it fills in your knowledge of how weird machines work in the 
real world. You learn about HTTP Desync attacks because they reflect a larger problem in parsers in general, in that 
you cannot ADD two parsers together to get a more secure solution (which is also what weird machines tell you). Hey 
it turns out WAFs and AVs can only make you LESS secure, not more. That's a USEFUL thing to know!

You study side channel attacks because it answers the question "If I can't trust the silicon what can I trust?" and 
the answer is a dried leaf you found in your driveway and an old walnut stick, and not the latest blinky box from a 
company set up by a conglomerate that also does government contracting "on the side" for a government that is not 
yours. :)

2. There are lots of hackers out there who use ONLY 0day. This is one of those things that's obvious every time you 
talk to a group of old ones about their favorite bugs and everyone's favorite was one that nobody detected for 
decades. Kaspersky finds someone using Chrome 0day about once a month now. And that's because advanced attacks have 
strategic impact, and even if you solved the entire rest of that pyramid, one good 0day can tumble a society.

How would one detect side channel attacks exactly? What it looks like is someone (me maybe) buying a bunch of VMs in 
your hosting provider and then using their CPU for a little bit.

I don't think Maersk had issues with patching. The issue is that no matter how good at patching you are, it doesn't 
matter in the face of a worm that uses Active Directory to traverse around, and they probably did not listen to the 
Bloodhound researchers talk about the many many ways AD is a risk all by itself. Every attacker (Avast 
<https://www.zdnet.com/article/avast-says-hackers-breached-internal-network-through-compromised-vpn-profile/> and 
the Indian Nuclear hackers 
<https://arstechnica.com/information-technology/2019/10/indian-nuke-plants-network-reportedly-hit-by-malware-tied-to-n-korea/>, 
this week alone) seems to have Domain Admin but the security engineering community hasn't asked why yet...

-dave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave