From dan at geer.org Wed Jul 1 16:53:19 2015 From: dan at geer.org (dan at geer.org) Date: Wed, 01 Jul 2015 16:53:19 -0400 Subject: [Dailydave] The OPM Mess and the Bigger Picture In-Reply-To: Your message of "Tue, 30 Jun 2015 10:32:37 -0400." <5592A885.6080305@immunityinc.com> Message-ID: <20150701205319.677572282B2@palinka.tinho.net> Keying in on this: > And that's pretty much exactly what the Chinese stole here, except > without the French guy from "The Professional" and all the outfits. The > problem, as we're going to drill home again and again over the next year > during damage control in congressional meetings each more painful and > less informative than the last, wasn't that OPM didn't protect the > database, but that they HAD THE DATABASE COLLECTED AT ALL. I'd sent a comment to the Passcode folks at the Christian Science Monitor that may not have made it into print (electrons). To prove I agree with you, here it is: -----------------8<------------cut-here------------8<----------------- Q: Should the Office of Personnel Management chief be held responsible for the lapse in security that led to the breach of millions of personal records? A: No. Changing a person will not help -- it is purely symbolic, and such symbolic gestures are precisely, totally, and without debate what happens in political hierarchies (read, Washington) whenever there is bad news to handle. Even talking about whether to fire someone is a criminally profligate waste of the citizenry's attention span. What is neither a waste nor a diversion is the question that matters: When data is scarce or precious, there may be compelling reason to centralize it but if and only if that centralization is risk cognizant. When data is either plentiful or of marginal value, then centralizing it can only create risk, never value. 
Therefore, what is to be asked of those to whom OPM reports is what, exactly, was their raison d'être for assigning the OPM its role as centralizer (scarcity or preciousness of what, exactly), and whether they delegated to OPM their own duty of risk cognizance on purpose or by accident. If wanting prediction, then the supposed reforms embodied in the Dodd-Frank law massively removed resilience from the financial system by forcing the centralization of functions previously widely dispersed into what now can only be described as freshly minted single points of failure waiting to happen. It is the urge to centralize that is what political hierarchies do. It is apologists for, and hucksters of, centralization that should lose their jobs.

Dan Geer
-----------------8<------------cut-here------------8<-----------------

From dave at immunityinc.com Mon Jul 13 13:20:46 2015
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 13 Jul 2015 13:20:46 -0400
Subject: [Dailydave] Words are hard.
Message-ID: <55A3F36E.2010608@immunityinc.com>

Ok, so I wanted to add some of that whole "reality" thing to the latest breathless exposé from The Intercept. It's not a bad thing that there's a "newspaper" writing about how force feeding prisoners is maybe wrong, or maybe how the Govt isn't telling the whole truth and nothing but the truth. But that's only effective if you haven't krazy glued your newspaper's stun-beam of Righteous Indignation to 11. So, without further ado, please get your tactical kilt on, click through, and read the article, and then let's talk about SIGINT.

https://firstlook.org/theintercept/2015/07/09/spying-internet-orders-magnitude-invasive-phone-metadata/

Micah's Twitter question (for those of you using HTML compliant mail readers, you can see it above) is pertinent. I said he got some facts wrong. Maybe he got the facts right, but his interpretative dance of outrage was wrong?
Regardless, I think he probably missed out on an important section in the regulation which he could have been more breathless about, which I will paste below: C2.3.3. Foreign Intelligence. Subject to the special limitation contained in section C2.5., below, information may be collected about a United States person if the information constitutes foreign intelligence, provided the intentional collection of foreign intelligence about United States persons shall be limited to persons who are: C2.3.3.5. Corporations or other commercial organizations believed to have some relationship with foreign powers, organizations, or persons. Hey, that's a pretty big door! Nevertheless, ignoring that for now, let's talk about "collection". Micah complains that when the intelligence community uses the word "collection" they do so in a special way. And that's true, because /SIGINT collection/ is not the same as /seashell collection/ the exact way that /prime numbers/ are not the same as /prime rib/. Those words are similar, but used in a different context they can mean different things. This is upsetting, but a fact of our language and our life. Let me tell you how it really works in the head of the IC: "US data is like toddler poo. It's icky and gross and all over the place and if I absolutely have to I will touch it with a paper towel and throw it in the trash, but mostly I just want to avoid stepping in it or smearing it on reports that I send to people who wear suits for a living." That's the full direct meaning of /minimization/. To be more technical: There are good operational security reasons that I am imagining as a non-Lawyer or IC member for gathering a whole mailspool, and then, on a computer that you control, filtering out the data that you are not legally allowed to store or have your analysts look at to create reports. 
Let's take the top few reasons and just chew on them, like the fat Cuban cigar I imagine every Intercept employee is issued upon hiring, but never allowed to light until Snowden returns to the Homeland on the back of a giant bald eagle to save us all. Here are some scenarios; let's see what issues they're trying to solve with their definition of /collection/, from a hacker's perspective:

1. If you don't grab US Data from a mail server, you are obviously the Americans. This may have some pretty bad follow-on effects. For example, if you are the Americans using a stolen Chinese RAT to pretend to be the Chinese while hacking a Russian system, now the Chinese AND Russians know that you have stolen that RAT and toolchain, and can go find out when and where, and you are losing sources and methods in a big way all over the place.

2. Filtering out American data can take some time and CPU cycles, and may be impossible on un-intelligible data (which is why that whole clause about the data being intelligible is in there). So, as an example, you are downloading a 5 gig /personaldata.tar.bz2/ that has some emails from Americans on a SparcStation last updated in 2001 when Sun was a company that sold computers. You are not going to untar that bad boy on the target system, because BZ2 was written by trolls who hated spare CPU cycles, and designed their algorithm to use as many as possible, and if that SparcStation were to do so it would overheat and send an alert to the bored Russian private trying to watch porn on it. So you bring the file down, decompress it locally, filter things out, then move on with life.

3. The list of "Americans" you know about might be private. Best to filter things out privately then, rather than trying to push that list out to random machines, eh?

In addition, let's break it down with some additional fun facts!

1.
If your mom sends you unencrypted email and it happens to be going over a fiber cable or sat link unencrypted, it's going to be stored and read by the Chinese and Russians and so forth. They don't do minimization at all. Sometimes they like to edit the data "in transit" to add funny videos to unencrypted emails and web pages, which is why the whole "RickRoll" thing happens. Americans never do that.

2. http://icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties <--read here to see how the US is the only country with an official minimization policy that applies to foreign nationals. It ain't much, but let's just say you could in subjective time watch all the Nicholas Sparks movies and still be waiting for any policy whatsoever from China, Russia, or France when it comes to non-citizens.

Hopefully this email provided some food for thought, because to be honest, you don't have to dress the USG's position on stuff up to find things that maybe should be changed. It actually weakens your position.

Anyways,
-dave

-------------- next part --------------
A non-text attachment was scrubbed...
Name: some_facts_wrong.JPG
Type: image/jpeg
Size: 67399 bytes

From aquynh at gmail.com Wed Jul 15 10:30:08 2015
From: aquynh at gmail.com (Nguyen Anh Quynh)
Date: Wed, 15 Jul 2015 22:30:08 +0800
Subject: [Dailydave] Capstone disassembly engine 3.0.4 is out!
Message-ID:

Greetings,

We are excited to announce version 3.0.4 of Capstone disassembly framework! This stable release fixes some potential security issues in the core, so existing users are strongly recommended to upgrade.

Summary of important changes in v3.0.4:

- Fixed memory corruption bugs of X86, Arm, Mips, PowerPC & XCore architectures.
- Properly handle some X86 instructions: OUT, SSE.
- Improve Python binding with more installation options.
- Improve cross compile for Android.

More details are available at http://capstone-engine.org/Version-3.0.4.html

(For those who do not know, Capstone is an open source multi-arch, multi-platform disassembly engine with homepage at http://capstone-engine.org)

Thanks,
Quynh

From dave at immunityinc.com Mon Jul 20 10:43:14 2015
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 20 Jul 2015 10:43:14 -0400
Subject: [Dailydave] BIS Cyber Regulations
Message-ID: <55AD0902.5060506@immunityinc.com>

Like many people, today I'm sending some fairly long comments about the new "cyber regulations" coming out of the Commerce Dept. You can too! And they don't have to be long. All you have to do is send a friendly email as they suggest: This link will give you easy instructions.

https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items#addresses

All you have to say is "I'm and I'm worried about the unforeseen impact these new Cyber regulations will have on the community, the security industry, and industry at large." That's it! Easy. Everyone should do it. Feel free to send me a twitter message when you do so we can leverage your responses. If you're totally pro, you can write something a bit longer and share it via Google Docs so other people can see what you said! :)

-dave
From james at cyberinvasion.net Mon Jul 20 11:25:39 2015
From: james at cyberinvasion.net (James Gannon)
Date: Mon, 20 Jul 2015 15:25:39 +0000
Subject: [Dailydave] BIS Cyber Regulations
In-Reply-To: <55AD0902.5060506@immunityinc.com>
References: <55AD0902.5060506@immunityinc.com>
Message-ID:

My comments are posted here: http://www.regulations.gov/#!documentDetail;D=BIS-2015-0011-0085

And in blog post form here: http://www.netgov.ch/wassenaar-comments/

Like Dave, I totally encourage anyone to send a comment, no matter how small; this is important for the future of our industry.

J
From dave at immunityinc.com Tue Jul 21 08:32:26 2015
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 21 Jul 2015 08:32:26 -0400
Subject: [Dailydave] The Crypto Summit and "Just say no"
Message-ID: <55AE3BDA.3090908@immunityinc.com>

(this is long and dry, sorry in advance, but I felt it was important stuff).

So last week in DC I attended the Crypto Summit, put together by "Access". It was a series of panels, one of which was an entertaining bloodbath. Watch that one here: https://youtu.be/SZSr9Ao8zBY . This one as well had some funny moments: https://youtu.be/A0OotbJoGSg in which Matt Blaze said things like "Every day is 0day." and "I am in the most incompetent field (security) of the most incompetent field (computer science) of all of engineering". His point being "We have a near-impossible job, and you are making it a lot harder by even asking for key escrow, and the effect of that is not something you actually want, because the results of us failing are catastrophic for society and the rule of law".

Nate's (EFF) argument as well was quite interesting. Over and over the Justice Dept lawyers drilled home the idea that they should have access to any data at rest where they have a warrant. Nate and others' response was that the 4th amendment is not a limit on freedom, but a limit on the intrusion of privacy BY the government. In other words, the ability to get a warrant does not force everyone to pre-place surveillance equipment in their house. Nate also knows the history of physical safes weirdly well, and apparently there was a brief time where people were creating tumbler safes that were essentially uncrackable unless you knew the combination, and no laws were suddenly created to outlaw them. This is only relevant because the government is asking for that capability digitally, and in a massively more intrusive area.
The other major argument from this side is of course, "show us real numbers and studies on how this is affecting law enforcement, rather than trying to scare us with random stories of pretend kidnappings". Marc Rotenberg pointed out that wiretaps are almost never used for kidnapping, and in general that whole area is used for counter-narcotics, which, if you've seen The Wire, is not news. It does not help the DoJ that the only official reports on the subject have a grand total of 4 times encryption has been uncrackable during an investigation last year.

From comments from other people in the audience, who had been to similar meetings in Silicon Valley and elsewhere in DC and NYC, this was in fact the most Key-Escrow-Positive summit they'd been to. That's a telling statement, because the people from the Justice Dept were relentlessly hounded by the other people on the panels and an audience one step away from throwing rotten fruit.

Telling also is who the sponsors are: the Business Software Alliance (known for their anti-'piracy' efforts), Microsoft, LinkedIn (!?!), and Google. The BSA is a pretty decently powerful lobbying group. Their take on the matter is at 24 minutes into this: https://youtu.be/_rD987SXoJI . It is worth listening to, to say the least. He's the first one to talk about the Wassenaar "intrusion tools" regulations, and he is not into the idea at all. By which I mean to say, the BSA is fighting any increase in regulatory burden tooth and nail, and that's no small thing. Having read the Coalition and EFF's responses to the Wassenaar regulatory comment period along with all of the hackers who posted theirs yesterday, I can say that having lawyers comb over and write seventy pages in depth on the details of every word of a regulation is a powerful thing. And the alliance against key escrow and the Wassenaar regulations is broad indeed.
Reread this article from Emin Sirer to see why it matters, where he discusses the elements that go into public policy in this area, as split between government, business, and the populace.

At one point during the Crypto Summit Carrie Cordero from the Justice Dept finally spoke to the elephant in the room. The whole time the DoJ side had been pitching "You better come to the table and negotiate because otherwise we'll force the issue with legislation". But after a frustrating hour of getting nowhere, with the business and EFF side giving no ground whatsoever, she exclaimed, "This White House won't propose legislation on this issue because they're in Silicon Valley's pocket, and until a new Administration comes in that will, we're going to get nowhere on this issue."

I don't think a Hillary Administration is going to be any more Pro-DoJ on this issue. And knowing that, the DoJ and NSA are making a massive mistake by even ASKING FOR KEY ESCROW AT ALL. It is stupid counter-insurgency policy to piss the whole technical community off for an issue you are going to lose anyways. And the business community is extremely angry about these issues. It is hard to overstate how abused they feel about the fifty years of rope they've had around their neck on the cryptographic export issue, which has been used to blackmail and control them again and again.

People look at the Wassenaar stuff and always say "Well, SOME regulation is going to happen in this area, so we might as well design one for the government that hurts us the least!". But additional regulation is not a given. Export control is a terrible place to PUT regulation over software and ideas, and there is a vast and powerful alliance against any additional regulatory burden in this space that is going to force the government to "Just say no". And it's one that you can and should be adding your voice to, because this is going to be an ongoing struggle.
From dave at immunityinc.com Tue Jul 21 14:19:54 2015
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 21 Jul 2015 14:19:54 -0400
Subject: [Dailydave] An experiment...gone right.
Message-ID: <55AE8D4A.5090002@immunityinc.com>

So I wanted to thank all the Anonymous and non-anonymous people (esp. Scott Arciszewski aka @voodooKobra) who helped me write the Immunity BIS comments yesterday. It's a pretty amazing testimony to both our community and technology that you can literally crowdsource via a Google Doc a process like that, and come out far better, far faster, than any team in a room could do so alone.

This article has a roundup of some of the comments. http://passcode.csmonitor.com/wassenaar-comments

Also, I'll be at Defcon on a panel talking about this stuff - there is a special guest and you'll want to hear them! https://www.defcon.org/html/defcon-23/dc-23-speakers.html#Denaro

And there's this BlackHat panel: https://www.blackhat.com/us-15/briefings.html#panel-how-the-wassenaar-arrangements-export-control-of-intrusion-software-affects-the-security-industry

-dave

From dave at immunityinc.com Mon Jul 27 10:29:24 2015
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 27 Jul 2015 10:29:24 -0400
Subject: [Dailydave] Getting Learned Up
Message-ID: <55B64044.6090901@immunityinc.com>

Right now in Columbia we have some intrepid students going through our Client-Side and Ring0 exploitation class.
But if you are not sucking down the firehose that is an Immunity Training, taught by Lurene and Facundo who have trouble blinking without seeing a WinDBG frameset on the back of their eyelids, then you probably are like "I wish I knew more." And lo and behold: INFILTRATE Videos are being released today. Boom!

HERE THEY ARE: https://vimeo.com/album/3416096

I have a few personal favorites out of the videos. Ideally an INFILTRATE talk should be so far ahead that it is relevant a year out - and frankly, these are. But let me remind you that actually COMING to INFILTRATE is a thousand times better than catching the talks in a Vimeo stream months later. You get to eat alligator and hang with random people who have no nametags on! And our early bird pricing is going away at the end of this week.

Likewise, if you want to be one of our sponsors next year, let me know!

Thanks,
Dave Aitel
Immunity, Inc.

From dave.aitel at gmail.com Tue Jul 28 14:30:52 2015
From: dave.aitel at gmail.com (Dave Aitel)
Date: Tue, 28 Jul 2015 18:30:52 +0000
Subject: [Dailydave] "Technical Keynotes and Invited Talks"
Message-ID:

https://vimeo.com/album/3416096/video/130242081

So last year the INFILTRATE OpenCFP process worked flawlessly. You don't get different talks by using an OpenCFP and having the public choose what they want to see than you would have picked using some really complex spreadsheet and voting system, like most conferences do. And of course, we don't even validate that the people voting are also coming to the conference, but it doesn't really seem to matter. We do some minor cleanup of the votes to avoid basic fraud, but other than that, it's just the best way to pick talks ever. But we did have an invited talk which I linked to above.
Braden Thomas did a TON of work cracking cable modems open and not in the boring way that everyone else does (which qualifies as "Junk Hacking") where you find some sort of buffer overflow or backdoor or worse, a CSRF issue that just so happens to own the model of cable modem you just so happen to be using in your house. Instead, Braden looked at the DOCSIS protocol itself, and one of the things I loved about it was how he went over the process from "They used DES" to "Here's how you ACTUALLY economically brute force DES". Anyways, it was a great talk. I hope he comes next year with something on the 3.0 protocol, since everyone is switching over now. :)

But if you haven't seen it, click the link at the top of the email!!!

-dave

From dave.aitel at gmail.com Fri Jul 31 10:55:33 2015
From: dave.aitel at gmail.com (Dave Aitel)
Date: Fri, 31 Jul 2015 14:55:33 +0000
Subject: [Dailydave] Remember The Titans
Message-ID:

I went back a couple days ago and re-read the latest Qualys exploit, as you should: http://seclists.org/oss-sec/2015/q3/185 . "Hi, here is a program that uses RLIMIT_FSIZE to like, own all the systems you probably have in your enterprise!" Unix is neat!

But equally important is the Qihoo360 talk from Syscan 15. This is available here: https://www.youtube.com/watch?v=5imoFfjZjx0 . Notice how they beat up all of Microsoft's very latest protection work, without breaking a sweat, but all the while in a very Chinese way, praising the cleverness of their opponent.

Both of these talks are phenomenal work that is done while making it look easy and should teach you a strategic lesson about hacking.

People go to Vegas to be distracted. And it's fun to be distracted by what is a literal modern-day witch hunt from Chris Soghoian and friends against hackers because they can do things that scare children.
Equally true is that it is easy to be distracted by whatever the latest junk hacking is that appears in Wired or on CNN. Or, of course, by whatever random magic trick someone at Google's Project Zero has put out on a blog. "OMG FLASH HAS ANOTHER BUG!?!?!!"

Project Zero is irrelevant and I'll tell you why in six words or less: People have actual shit to secure. P0 is about marketing dollars, and annoying their competition and building a talent base. But that talent base will leave in 20 seconds once they realize marketing has no value, and they're going to get used to secure Android from Stagefright Bug 2.0, or Nest from whatever horrible bugs are in that platform, or the Google App Engine from the thousand insane isolation bugs that affect it that they won't admit are a catastrophic isolation design failure.

Don't believe me? Where are the P0 entries against Android and Nest and Chromebook and App Engine? I'm sure they give them sixty days, just like external companies, right?

Why would you have all your best hackers working on random external companies and not securing the stuff you deliver to customers and depend on for your business? Where's all the hard core XSS work against Inbox.google.com that needs to be publicized? Just getting used by the Chinese APT666 group, then?

That Qualys userhelper bug and the Qihoo360 IE talk should remind you that aside from all the things that get mad twitter retweets by Infosec Taylor Swift personas, there's old school hackers available and possibly bored, sitting on all the servers that underlie all your assumptions, like a divide by zero error lurking in the corner of your vision.

Remember when various members of TESO didn't have 150 thousand twitter followers because they hinted at having iOS jailbreaks which are, frankly, cakewalk for a hacker like Lorian to produce? Where do you think the rest of TESO went, if not to Twitter or Project Zero?
In summary let me put it this way: You cannot afford to be distracted by the show. -------------- next part -------------- An HTML attachment was scrubbed... URL: From lcamtuf at coredump.cx Fri Jul 31 12:52:42 2015 From: lcamtuf at coredump.cx (Michal Zalewski) Date: Fri, 31 Jul 2015 09:52:42 -0700 Subject: [Dailydave] Remember The Titans In-Reply-To: References: Message-ID: > I went back a couple days ago and re-read the latest Qualys exploit, as you > should: http://seclists.org/oss-sec/2015/q3/185 . Interestingly, history sorta repeats itself: https://lwn.net/Articles/6137/ Now... while I generally agree with you that some of the most-publicized work is usually just a distraction and that it gets picked up by the press based primarily on how much effort is put into marketing the research and whether it superficially touches one of the "cool" topics (IoT, mobile, privacy), this one snippet caught my eye: > [...rant about P0...] > Why would you have all your best hackers working on random external > companies and not securing the stuff you deliver to customers and depend on > for your business? Where's all the hard core XSS work against > Inbox.google.com that needs to be publicized? While folks tend to have strong opinions about P0 and I don't really want to change yours, this bit seems a bit harsh. The vast majority of our security folks are indeed working on other things, including some really phenomenal work on systemic XSS mitigations (or multiple containment layers for AppEngine, so that breaking one is not a game-ending situation). P0 is a comparatively small effort, given the overall size of our security team, and it caters specifically to people who don't want to do anything but vuln research, full-time. Heck, I like breaking stuff and I'm not on P0. 
/mz

From andreas at haxx.ml Fri Jul 31 14:55:48 2015
From: andreas at haxx.ml (Andreas Lindh)
Date: Fri, 31 Jul 2015 20:55:48 +0200
Subject: [Dailydave] Remember The Titans
In-Reply-To:
References:
Message-ID: <55BBC4B4.2000705@haxx.ml>

I don't want to come off as some Google fanboi or anything, and I don't always agree with P0's methods, but Google's business model pretty much starts and ends with people using the internet (and not just Google's own services). Making (or appearing to make, whatever your opinion is) the internet safer by finding and getting bugs fixed seems like a pretty good start in that regard.

Andreas
From hawkes at inertiawar.com Fri Jul 31 16:31:45 2015
From: hawkes at inertiawar.com (Ben Hawkes)
Date: Fri, 31 Jul 2015 13:31:45 -0700
Subject: [Dailydave] Remember The Titans
In-Reply-To:
References:
Message-ID:

On Fri, Jul 31, 2015 at 7:55 AM, Dave Aitel wrote:
> I went back a couple days ago and re-read the latest Qualys exploit, as
> you should: http://seclists.org/oss-sec/2015/q3/185 . "Hi, here is a
> program that uses RLIMIT_FSIZE to like, own all the systems you probably
> have in your enterprise!" Unix is neat!
>
> But equally important is the Qihoo360 talk from Syscan 15. This is
> available here: https://www.youtube.com/watch?v=5imoFfjZjx0 .
> Notice how
> they beat up all of Microsoft's very latest protection work, without
> breaking a sweat, but all the while in a very Chinese way, praising the
> cleverness of their opponent.
>
> Both of these talks are phenomenal work that is done while making it look
> easy and should teach you a strategic lesson about hacking.
>
> People go to Vegas to be distracted. And it's fun to be distracted by what
> is a literal modern-day witch hunt from Chris Soghoian and friends against
> hackers because they can do things that scare children. Equally true is
> that it is easy to be distracted by whatever the latest junk hacking is
> that appears in Wired or on CNN. Or, of course, by whatever random magic
> trick someone at Google's Project Zero has put out on a blog. "OMG FLASH
> HAS ANOTHER BUG!?!?!!"

Perfect timing! I'd encourage everyone to go and be distracted by Mateusz' just-released blog post:

http://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html

As far as distractions go, I'm really proud of the work that Mateusz has done on fonts recently, as it exactly encapsulates everything that Project Zero is about: cutting edge attack research on high priority targets performed in the public domain. You're definitely right that Mateusz' work is often indistinguishable from magic, but you're not right about the motivations for his work, or that of Project Zero's.

I'm never quite sure how to respond to the claims that Project Zero is marketing driven - we've spoken publicly about our reasoning in creating the team[1] in the past, our technical strategy, and what we hope to achieve. But perhaps let me distill this down: Project Zero's success is measured based on the impact of its engineering output on user safety, and nothing else. Our team consists 100% of security researchers with a background in software exploitation. In the past year, we've fixed 250+ bugs, and released 20+ technical reports on our blog.
We apply 90-day deadlines to Android [2] and Chrome [3]. We've helped deploy exploit mitigations and sandbox improvements into Flash, Chrome, and Linux. We don't release glossy PDFs or press releases! But we do think that we can make a substantial positive impact on the security of both Google and our users - even if takes longer than we'd all like, we're in it for the long haul. [1] https://cansecwest.com/slides/2015/Project%20Zero%20-%20making%200day%20hard%20-%20Ben%20Hawkes.pdf [2] For example: https://code.google.com/p/google-security-research/issues/detail?id=252 [3] For example: https://code.google.com/p/google-security-research/issues/detail?id=364 > Project Zero is irrelevant and I'll tell you why in six words or less: > People have actual shit to secure. P0 is about marketing dollars, and > annoying their competition and building a talent base. But that talent base > will leave in 20 seconds once they realize marketing has no value, and > they're going to get used to secure Android from Stagefreight Bug 2.0, or > Nest from whatever horrible bugs are in that platform, or the Google App > Engine from the thousand insane isolation bugs that effect it > > that they won't admit are a catastrophic isolation design failure. > > Don't believe me? Where are the P0 entries against Android and Nest and > Chromebook and App Engine? I'm sure they give them sixty days, just like > external companies, right? > > Why would you have all your best hackers working on random external > companies and not securing the stuff you deliver to customers and depend on > for your business? Where's all the hard core XSS work against > Inbox.google.com that needs to be publicized? Just getting used by the > Chinese APT666 group, then? 
> > That Qualys userhelper bug and the Qihoo360 IE talk should remind you that > aside from all the things that get mad twitter retweets by Infosec Taylor > Swift personas, there's old school hackers > > available and possibly bored, sitting on all the servers that underlie all > your assumptions, like a divide by zero error lurking in the corner of your > vision. > > Remember when various members of TESO didn't have 150 thousand twitter > followers because they hinted at having iOS jailbreaks which are, frankly, > cakewalk for a hacker like Lorian to produce? Where do you think the rest > of TESO went, if not to Twitter or Project Zero? > > In summary let me put it this way: You cannot afford to be distracted by > the show. > > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunityinc.com > https://lists.immunityinc.com/mailman/listinfo/dailydave > > -------------- next part -------------- An HTML attachment was scrubbed... URL:
