Full Disclosure mailing list archives

Re: What the f*** is going on?


From: jf <jf () ownco net>
Date: Tue, 22 Feb 2011 16:13:28 -0500

http://lcamtuf.blogspot.com/2011/02/world-of-hbgary.html

I can't say I (strongly) disagree on any particular point you've made, generally speaking-- you're right, especially 
about the progress made in the last 10-15 years. However at a certain point in every philosopher's philosophy, the 
philosopher's philosophies become apparent.. I sorta disagree with one point:

"[...] The reason why I am frightened is the emergence of a new class of government contractors - a class that depends 
on the perpetration of an alluring, yet completely meaningless myth: that an incredibly sophisticated and determined 
adversary is constantly scheming to wage a devastating cyber-war against everything we hold dear."

There is some truth to this statement; $they woke something up in an office in DC somewhere and the gov got sorta 
serious. Naturally this results in the whole supply/demand thing. Point being, the government reached out and not vice 
versa. Their threat was real, and it's been persistent since more or less the turn of the century and as far as I can 
tell, it's never stopped. If it did for Google, you're either mistaken, they got what they were after or being called 
out in the press and putting economic threats on the table was the asymmetric weapon needed; if I had to guess, I'd 
choose option 1, 2 and 3.

I'd agree, that as of yet, we're hardly talking about an all-in zero-sum game, and that part is very much over-hyped. 
However, calling it an all out myth is misleading, and saying it's because contractors are pushing a myth is just 
wrong. You should be mindful, they looked outward and supply was created for the demand. Prior to your employer's 
compromise, this thing, everyone called it a lie, some crap made up by the CIA, et cetera. Now it's unimpressive hype.. 
I'd love to see Chinese history books in 100 years.

That said, the world is not ending of course, but that doesn't mean there isn't a real threat either. In ~2005, I was a 
defense contractor watching NIDS when they came looking for someone who could reverse; I knew enough assembly to write 
up shellcode, but this was my intro to windows reversing and therein lay your first bad omen as to their actual 
ability. Over the course of a weekend we got the algorithm out, wrote up a program to read the pcap's and got to work 
on analysis. Come Monday, we dropped bombs and from the fires emerged a request for our report/tools from another 
agency and I got to redact my first report, and then another and another. Everyone had this problem, and had it for 
*years* with little to no discernible progress. They hadn't even identified how $they were getting in, like what bug. 
So we identified that too, and wrote up a binary patch for it (that went 100% unused except on my machine), et cetera. 
And then that long string of office 0-days in 2006 started, and eventually I ended up with the private SSL keys for a 
few absurdly large American companies (ended up on a machine of ours), and then the documents started cleaning 
themselves and this happened multiple times a week for the ~2 years with countless 80-100 hour weeks and all of you 
telling me my life was a myth/lie/CIA fabrication/et cetera. 

That's the bug, and there's no patch for it. You will have too many unqualified people and too few qualified people, 
the latter will pick up the slack for the former but everyone breaks eventually. As over-hyped as some aspects of it 
are, it really fundamentally needs to be understood just how unprepared they were and the progress they've made since 
then. 

That all said, I think you missed what appears to be the more dangerous aspect (at least to me anyways), it's not that 
IS..erm iDef..erm hbgary et al are selling such things or even marketing methods, et cetera-- as if that's not what 
blackhat et cetera are basically about (& we can probably look to the '@stake generation' for proper blame placement). 
But it's that through moonlight maze, titan rain, et al they realized a few incredibly important things, the relevant 
ones are:

0.) There is really no attribution 
1.) Even if there was a means for attribution, there is no international legal framework, what constitutes a legal act 
of war?
2.) In the absence of (1), how do you progress criminal justice cases against foreign nationals when the foreign nation 
is not entirely cooperative?

These three aspects make it really potent, and my concerns relate to how such lines of thought will develop as they 
mature as they all circumvent fairly fundamental aspects of our fairy tale.

Anyone from the AV industry got a big set and want to step up and talk about your aurora attacks?  

jf

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
