[Dailydave] Remember The Titans

Dave Aitel dave.aitel at gmail.com
Fri Jul 31 10:55:33 EDT 2015


I went back a couple days ago and re-read the latest Qualys exploit, as you
should: http://seclists.org/oss-sec/2015/q3/185 . "Hi, here is a program
that uses RLIMIT_FSIZE to like, own all the systems you probably have in
your enterprise!" Unix is neat!

But equally important is the Qihoo360 talk from Syscan 15. This is
available here: https://www.youtube.com/watch?v=5imoFfjZjx0 . Notice how
they beat up all of Microsoft's very latest projection work, without
breaking a sweat, but all the while in a very Chinese way, praising the
cleverness of their opponent.

Both of these talks are phenomenal work that is done while making it look
easy and should teach you a strategic lesson about hacking.

People go to Vegas to be distracted. And it's fun to be distracted by what
is a literal modern-day witch hunt from Chris Soghoian and friends against
hackers because they can do things that scare children. Equally true is
that it is easy to be distracted by whatever the latest junk hacking is
that appears in Wired or on CNN. Or, of course, by whatever random magic
trick someone at Google's Project Zero has put out on a blog. "OMG FLASH
HAS ANOTHER BUG!?!?!!"

Project Zero is irrelevant and I'll tell you why in six words or fewer:
People have actual shit to secure. P0 is about marketing dollars, and
annoying their competition and building a talent base. But that talent base
will leave in 20 seconds once they realize marketing has no value, and
they're going to get used to secure Android from Stagefright Bug 2.0, or
Nest from whatever horrible bugs are in that platform, or the Google App
Engine from the thousand insane isolation bugs that affect it
<https://threatpost.com/researchers-disclose-further-vulnerabilities-in-google-app-engine/112849>
that they won't admit are a catastrophic isolation design failure.

Don't believe me? Where are the P0 entries against Android and Nest and
Chromebook and App Engine? I'm sure they give them sixty days, just like
external companies, right?

Why would you have all your best hackers working on random external
companies and not securing the stuff you deliver to customers and depend on
for your business? Where's all the hard core XSS work against
Inbox.google.com that needs to be publicized? Just getting used by the
Chinese APT666 group, then?

That Qualys userhelper bug and the Qihoo360 IE talk should remind you that
aside from all the things that get mad twitter retweets by Infosec Taylor
Swift personas, there are old-school hackers
<https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html>
available and possibly bored, sitting on all the servers that underlie all
your assumptions, like a divide by zero error lurking in the corner of your
vision.

Remember when various members of TESO didn't have 150 thousand twitter
followers because they hinted at having iOS jailbreaks which are, frankly,
cakewalk for a hacker like Lorian to produce? Where do you think the rest
of TESO went, if not to Twitter or Project Zero?

In summary let me put it this way: You cannot afford to be distracted by
the show.