[Dailydave] The uncomfortable whitehat truth

Justin F jnf at asac.co
Mon Oct 19 14:04:47 EDT 2015


> Obviously in some cases this is institutionalized - Governments (and not just "friendly" ones) can and do ask for a heads up on various vulnerability pipelines.

Is there a government in the world that does not contain the
capability to require SSL keys from CAs or similar? Would this not
mean that everything is potentially compromised and things like DANE
should be pushed hard instead of defaulting to dependence on a system
that is broken by design?

> And on the other hand, maybe they are reading your mail,

How many countries do not have a google et al datacenter in them? Is
it not reasonable to suspect that the hiring standards of tech
companies are significantly lower than the bar for spies et al, and
thus is it not reasonable to conclude that anything you store in the
cloud (id est email) is likely compromised not by *a* government, but
lots of them and probably a lot of other nefarious organizations as
well?

It's actually amazing how much confidence we put into electronic
storage mediums while at the same time ignoring that they're so easily
compromised by both legal and illegal means -- APT can get to the POTUS
email and force the State Department's mail servers down and run
circles around OPM for a long period of time, but PRISM is irrelevant
and the PRC compromising PRISM is irrelevant and god only knows who
else is in there, thereby rendering the medium unreliable.


On Mon, Oct 19, 2015 at 9:00 AM, Dave Aitel <dave.aitel at gmail.com> wrote:
>
>
> I'm not sure how to explain this intuition, but clearly security at everything.com is pretty owned. It's a high priority target that is by definition poorly defended. So when people submit bugs to Microsoft or Adobe or really any commercial company, they are sending a signal to various APTs which may or may not act on that signal, depending on their particular OPSEC guidelines.
>
> Obviously in some cases this is institutionalized - Governments (and not just "friendly" ones) can and do ask for a heads up on various vulnerability pipelines.
>
> So on one hand, if you're doing statistical analysis you will say "There is a huge overlap in the kinds of bugs we are finding and the kinds of bugs our adversary has! We are making a difference!"
>
> And on the other hand, maybe they are reading your mail, and killing the ones you happen to find, like a farmer culling the herd of a sick sheep.
>
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>