[Dailydave] So many bugs...

dave aitel dave at immunityinc.com
Mon Sep 18 16:09:30 UTC 2017


Seriously - it is like the Cambrian explosion up in here. Every platform
seems to have dissolved - be it Java, or Windows, or various forms of
"Secure Computing" now protected by a combination of platitudes and
useless aphorisms.

For example, check out this news article from last week:

Not to pick on anyone in particular, but there's a word for "bug that
allows guests to execute code on hosts" and it's "Hypervisor escape",
which sounds more appreciably scary and impactful except we like to
pretend they don't exist. :)

Look, I dunno what sort of policy arm or governmental agency is supposed
to do the big picture stuff in cyber.  But it might be worth poking them
if they sit next to you and pointing out that climate change may, or may
not be, controlled by humans, but for whatever reason, it's getting
pretty windy out if you consider Struts bugs to be air current, at least.

The NTIA would call this "Market Failure" but perhaps it is more
pretense failure? Recently, as a study in pretense, I spent some time
looking at the Florida State educational assessments and by their own
depressed standards, Florida fails 40% of its students in Math at pretty
much every grade level
<http://www.fldoe.org/accountability/assessments/k-12-student-assessment/results/2017.stml>.
So even while the Miami Dade Educational Commissioner is crowing about
how no school is an "F" this year
<http://miami.cbslocal.com/2017/06/28/historic-achievement-no-f-graded-schools-in-miami-dade-county/>,
I'm not sure if you can judge a school system full of 60%s anything
other than a Fail overall.

We spend all our time arguing about the details of our public school
system but the pretense is that you even have a public school system, in
other words. It's not hard to draw similar analogies to a lot of how we
talk about the information security ecosystem. Or perhaps it's just that
too much time in the rarefied gasses of the policy world has depressed
me, and I need some time turning rage into clicky-clicky things that may
or may not pop calculators.

Anyways, if you like writing up exploits, for the many many cool bugs
that are now out there, please let me know because we are still hiring.
You do have to out-hack me during the interview though. :)

And if you want to know the one thing that does scare me, as an
attacker[1], then I'll be going into it in depth in my keynote at T2
next month, although without revealing anything secret[2], which, as it
turns out, is a super hard balancing act. So far reviews of the talk
have gone from "That was awful, like eating glass but more painful" to
"This is not great".

-dave

[1]. It is automated security response and apoptosis.


[2]. This is the slide I'm having the most trouble with, because I don't
want to call people out, but I think it is an important concept
strategically.


