[Dailydave] Remember The Titans

Ben Hawkes hawkes at inertiawar.com
Fri Jul 31 16:31:45 EDT 2015


On Fri, Jul 31, 2015 at 7:55 AM, Dave Aitel <dave.aitel at gmail.com> wrote:

> I went back a couple days ago and re-read the latest Qualys exploit, as
> you should: http://seclists.org/oss-sec/2015/q3/185 . "Hi, here is a
> program that uses RLIMIT_FSIZE to like, own all the systems you probably
> have in your enterprise!" Unix is neat!
>
> But equally important is the Qihoo360 talk from Syscan 15. This is
> available here: https://www.youtube.com/watch?v=5imoFfjZjx0 . Notice how
> they beat up all of Microsoft's very latest projection work, without
> breaking a sweat, but all the while in a very Chinese way, praising the
> cleverness of their opponent.
>
> Both of these talks are phenomenal work that is done while making it look
> easy and should teach you a strategic lesson about hacking.
>
> People go to Vegas to be distracted. And it's fun to be distracted by what
> is a literal modern-day witch hunt from Chris Soghoian and friends against
> hackers because they can do things that scare children. Equally true is
> that it is easy to be distracted by whatever the latest junk hacking is
> that appears in Wired or on CNN. Or, of course, by whatever random magic
> trick someone at Google's Project Zero has put out on a blog. "OMG FLASH
> HAS ANOTHER BUG!?!?!!"
>
>
Perfect timing! I'd encourage everyone to go and be distracted by Mateusz'
just-released blog post:
http://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html

As far as distractions go, I'm really proud of the work that Mateusz has
done on fonts recently, as it exactly encapsulates everything that Project
Zero is about: cutting edge attack research on high priority targets
performed in the public domain. You're definitely right that Mateusz' work
is often indistinguishable from magic, but you're not right about the
motivations for his work, or that of Project Zero's.

I'm never quite sure how to respond to the claims that Project Zero is
marketing driven - we've spoken publicly about our reasoning in creating
the team[1] in the past, our technical strategy, and what we hope to
achieve. But perhaps let me distill this down: Project Zero's success is
measured based on the impact of its engineering output on user safety, and
nothing else.

Our team consists 100% of security researchers with a background in
software exploitation. In the past year, we've fixed 250+ bugs, and
released 20+ technical reports on our blog. We apply 90-day deadlines to
Android [2] and Chrome [3]. We've helped deploy exploit mitigations and
sandbox improvements into Flash, Chrome, and Linux. We don't release glossy
PDFs or press releases! But we do think that we can make a substantial
positive impact on the security of both Google and our users - even if it
takes longer than we'd all like, we're in it for the long haul.

[1]
https://cansecwest.com/slides/2015/Project%20Zero%20-%20making%200day%20hard%20-%20Ben%20Hawkes.pdf
[2] For example:
https://code.google.com/p/google-security-research/issues/detail?id=252
[3] For example:
https://code.google.com/p/google-security-research/issues/detail?id=364



> Project Zero is irrelevant and I'll tell you why in six words or less:
> People have actual shit to secure. P0 is about marketing dollars, and
> annoying their competition and building a talent base. But that talent base
> will leave in 20 seconds once they realize marketing has no value, and
> they're going to get used to secure Android from Stagefright Bug 2.0, or
> Nest from whatever horrible bugs are in that platform, or the Google App
> Engine from the thousand insane isolation bugs that affect it
> <https://threatpost.com/researchers-disclose-further-vulnerabilities-in-google-app-engine/112849>
> that they won't admit are a catastrophic isolation design failure.
>
> Don't believe me? Where are the P0 entries against Android and Nest and
> Chromebook and App Engine? I'm sure they give them sixty days, just like
> external companies, right?
>
> Why would you have all your best hackers working on random external
> companies and not securing the stuff you deliver to customers and depend on
> for your business? Where's all the hard core XSS work against
> Inbox.google.com that needs to be publicized? Just getting used by the
> Chinese APT666 group, then?
>
> That Qualys userhelper bug and the Qihoo360 IE talk should remind you that
> aside from all the things that get mad twitter retweets by Infosec Taylor
> Swift personas, there are old school hackers
> <https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html>
> available and possibly bored, sitting on all the servers that underlie all
> your assumptions, like a divide by zero error lurking in the corner of your
> vision.
>
> Remember when various members of TESO didn't have 150 thousand twitter
> followers because they hinted at having iOS jailbreaks which are, frankly,
> cakewalk for a hacker like Lorian to produce? Where do you think the rest
> of TESO went, if not to Twitter or Project Zero?
>
> In summary let me put it this way: You cannot afford to be distracted by
> the show.
>