[Dailydave] Ferns (Devonian to Present Day)

Dave Aitel dave.aitel at gmail.com
Fri Jan 4 15:22:46 UTC 2019


I really like Andrea Biondo's latest paper. I like that it has -0 in it as
an exploit primitive, and that he takes it from almost nothing to RCE by
looking at the many levels of JavaScript optimization. It unfolded
poetically, like a Cretaceous fern after the rain.
https://abiondo.me/2019/01/02/exploiting-math-expm1-v8/

If you're the kind of person who ALSO liked that paper, then you should
come to INFILTRATE <http://infiltratecon.com/> this year, or even submit a
talk (you still have a couple weeks!). :)

Also, I've been trying behind the scenes, unsuccessfully, to blatantly copy
this idea that the Brits came up with, which I think we in the US should
do, but much bigger and better, as usual:
https://www.ncsc.gov.uk/information/industry-100

The basic idea is that you can have people work in both industry and in
Government at the same time - say, for one day a week at the Government
location. You can hold their clearances, and you can have them get
perspective on the kinds of problems you're trying to solve while also
feeding the best ideas from industry into your mindbase. And it doesn't
hurt that when you have a crisis, you have a built-in network of people to
call that you don't have to develop whole new relationships with (and who
don't kinda distrust you by default).

There are a lot of roadblocks: Which government organization should do
this? DHS? DoD? DARPA? So many issues with each one. How do you get real
value out of one day a week? What will those people do? Who will manage
them? How will their corporate jobs fare? How do we handle conflicts of
interest AT SCALE?

I think all these questions are answerable. But we have this problem where
clearances mean government service is essentially a one-way door - a
diode, if you will. You start there, then you eventually leave and your
clearance lapses and you never go back.

But ideally we need a plan other than whining about talent shortages...

-dave