<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Seriously - it is like the Cambrian explosion up in here. Every
platform seems to have dissolved - be it Java, or Windows, or
various forms of "Secure Computing" now protected by a combination
of platitudes and useless aphorisms. <br>
</p>
<p>For example, check out this news article from last week:<br>
</p>
<p><img src="cid:part1.A16B6C5F.C74A658F@immunityinc.com" alt=""
height="441" width="657"></p>
<p>Not to pick on anyone in particular, but there's a word for "bug
that allows guests to execute code on hosts" and it's "Hypervisor
escape", which sounds more appreciably scary and impactful except
we like to pretend they don't exist. :) <br>
</p>
<p>Look, I dunno what sort of policy arm or governmental agency is
supposed to do the big picture stuff in cyber. But it might be
worth poking them if they sit next to you and pointing out that
climate change may, or may not be, controlled by humans, but for
whatever reason, it's getting pretty windy out if you consider
Struts bugs to be air current, at least. <br>
</p>
<p>The NTIA would call this "Market Failure" but perhaps it is more
pretense failure? Recently, as a study in pretense, I spent some
time looking at the Florida State educational assessments and by
their own depressed standards, <a moz-do-not-send="true"
href="http://www.fldoe.org/accountability/assessments/k-12-student-assessment/results/2017.stml">Florida
fails 40% of its students in Math at pretty much every grade
level</a>. So even while the Miami Dade Educational Commissioner
is <a moz-do-not-send="true"
href="http://miami.cbslocal.com/2017/06/28/historic-achievement-no-f-graded-schools-in-miami-dade-county/">crowing about how no school is an "F" this year</a> - I'm not
sure if you can judge a school system full of 60%s anything other
than a Fail overall. <br>
</p>
<p>We spend all our time arguing about the details of our public
school system but the pretense is that you even have a public
school system, in other words. It's not hard to draw similar
analogies to a lot of how we talk about the information security
ecosystem. Or perhaps it's just that too much time in the rarefied
gases of the policy world has depressed me, and I need some time
turning rage into clicky-clicky things that may or may not pop
calculators. <br>
</p>
<p>Anyways, if you like writing up exploits, for the many many cool
bugs that are now out there, please let me know because we are
still hiring. You do have to out-hack me during the interview
though. :)</p>
<p>And if you want to know the one thing that does scare me, as an
attacker[1], then I'll be going into it in depth in my keynote at
T2 next month, although without revealing anything secret[2],
which, as it turns out, is a super hard balancing act. So far
reviews of the talk have gone from "That was awful, like eating
glass but more painful" to "This is not great". <br>
</p>
<p>-dave<br>
</p>
<p>[1]. It is automated security response and apoptosis.</p>
<p>[2]. This is the slide I'm having the most trouble with, because
I don't want to call people out, but I think it is an important
concept strategically. <br>
</p>
<p><img src="cid:part4.BD07B789.7A0121F4@immunityinc.com" alt=""
height="353" width="622"></p>
</body>
</html>