[Dailydave] The new model of insecurity

Sergio 'shadown' Alvarez shadown at gmail.com
Tue Apr 1 01:53:08 EDT 2014


Hi Dave,

Completely agree with you on this.

On the top of that, if you ever had any sort of discussion with Cisco you will also know that they will get pretty sure that you will never present anywhere what ever security related issues you've discussed with them, and if they manage to do that it goes to their "problem solved" branch.

They don't really care about security, they care about what ever might go public and try to make it look as inoffensive as possible. That's all they do.

I'm wondering if people who uses their products realize that they lack a way to check if their products have been compromised. Cisco and Huawei among others fall into this category. On other platforms you can do OS level hardening, add host IPS and stuff like that, to do all sort of monitoring. On these routers and switches they don't have anything beyond the features bundled with their system. Some people believe that by forcing a core dump they will have a clean memory dump that will allow them to check if they've been compromised or not, which is the very first thing anybody would patch to hide.

I guess that's what you get when you relay on stuff that has been designed 20 years ago, cross your fingers and pray so that nothing goes wrong. xD

That's what makes Cisco, Huawei, Extreme Networks, among others so much fun to play with. ;-)

Cheers,
  Sergio

On Mar 31, 2014, at 11:16 PM, Dave Aitel wrote:

> http://www.rsaconference.com/videos/126/the-new-model-of-security
> 
> Cisco's keynote starts with the traditional eyeball gouging "humorous" video making fun of how it's hard to get different security solutions to work together. Wouldn't it be easier if everyone just bought everything from Cisco? I'm sure it would! The video ends with all the actors cursing at the audience, which is telling, and then Christopher Young apologizing for the video, like it's the first time he's ever seen it and he's sorry for subjecting the audience to the cursing parts of it, or, you know, any of the "jokes". 
> 
> After that it is a painful sit-down between Christopher Young (SVP of Cisco's Security Business Group) and Padmasree Warrior (CTO/Chief Strategy Officer of Cisco). Why do companies do these sit-down style keynotes? It's like someone did a study on the most unlikely way to capture an audience's attention, and then implemented it as relentlessly as a Chinese SSHD password brute forcer. 
> 
> At one point Padma says "I'm not a security expert and you are, which is why I hired you". The Chief Strategy Officer of Cisco is not a security expert?! Lovely.
> 
> These things are scripted to sound unscripted, but instead they sound like horribly written scripts delivered by people who hate what they are saying. That, or there was some sort of contest on the least funny way to say "Internet of Things" eighty times in 24 minutes - and let me tell you, they *found* it.
> 
> Open APP ID gets announced to no applause whatsoever. "The policy can be dynamic. We need a community working on that. " Or in other words, "Please somebody do our work for us so we can catch up to whoever the market leader is in this space". Marty might have to explain this to us all in better terms on the list here, cause Padma and Christopher chew their explanation up like a three year old eating a Lima bean and Brussels sprouts salad. They want to build controls for applications except the mobile systems they want to control are not under enterprise control at all (they "assume the devices are untrusted"), and the network traffic will be encrypted. So how are they controlling things again? 
> 
> In the end, these people got on stage to demonstrate that they have a muddled thought process and no clear vision for the future. Look, after watching this you can't help but feel sorry for everyone involved in the production of this keynote, and the entire marketing team the CEO of Cisco fired after watching it on YouTube. I'd worry if I was either Padma or Christopher as well because they've clearly lost sight of both the forest and trees, if this keynote is anything to go by.
> 
> -dave
> 
> 
> 
> 
> 
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20140401/8e3e7a20/attachment.html>


More information about the Dailydave mailing list