[Dailydave] FireEye is sad.

Moses Hernandez moses at moses.io
Sun Sep 13 20:07:27 EDT 2015

Being in Vendor land right now, I'll keep my comments brief, because they
are just that my comments from just me.

On the subject of regulation however, I just want to be clear. I was, and
to an extend, still am in the camp of 'regulation'. I know that the
Wassenaar arrangement was far from what I had in mind. The proposed
legislation was rather sickening. When I think of maturity in our field, or
even just playing in the big leagues, I try and think of what other
professions look like.

Just for a moment, suspend belief and think about the basic mechanism of
getting from onto our tables. For us Americans on the list, lets just
consider the FDA. Consumers want to have confidence in the product that
they are buying. They want to know that the Blue Bell Ice Cream they are
consuming is going to be maybe not as good as Cherry Garcia(
http://www.benjerry.com/flavors/cherry-garcia-ice-cream), but still edible,
one would hope:


Interesting story found here: (
which claims:

  "Federal officials put the cost of compliance at about $380 million for
an industry that generates about $1.1 trillion in retail food sales."

Confidence breeds markets to grow in a sustainable way, or at a minimum
just grow. But of course, Wassenar-like regulatory changes, could always
happen in the Food industry, even if all we want is to be not poisoned, and
for things like this you have associations. This is where our industry,
probably lacks a bit of guidance, but stroll through any state capital and
you will see these types of association buildings: (http://www.ffva.com/).

Even though we can understand why this would be important in the age of
say, Wassanar, what does this have to do with vendors and their attempts to
shutdown research? I think what we need to understand as an industry is
that just like the car manufacturers from time to time will take an
actuarial approach to safety and try and avoid correcting issues, we may
find the same in our lines of work. Safety, maybe even, regulatory style
safety, will eventually happen. It's just the way we have to mature. We
probably will not see if some time until there is a sudden event that
forces is, because our trajectory of growing the software segments and our
industry will really slow.

But then again, confidence breeds growth in markets, so who is going to buy
the car with the lowest safety rating? And who will buy the food that will
poison them the most?[1]

[1] we do. (

On Fri, Sep 11, 2015 at 9:27 AM, Dave Aitel <dave at immunityinc.com> wrote:

> The real question in security is always how to play Poker against an
> opponent who can see all your cards.
> http://www.forbes.com/sites/thomasbrewster/2015/09/10/fireeye-slammed-over-injunction/
> https://lists.immunityinc.com/pipermail/dailydave/2013-March/000353.html
> In a way our "IP" laws have confused a lot of us about security. What if
> management teams say. This, of course, directly relates to the
> "regulation is GOING to happen" Wassenaar crowd because it's the exact
> same fundamental psychology at work. "We're going to regulate away the
> threat" is as useless as saying "hackers won't buy our boxes to find out
> how to bypass our defenses".
> -dave
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20150913/a932e686/attachment.html>

More information about the Dailydave mailing list