[Dailydave] A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos

Nathan Landon nathan.landon at digitaloperatives.com
Fri Nov 1 18:04:46 UTC 2019


It’s naive empiricism, much like the discussions around terrorism:  https://www.youtube.com/watch?time_continue=33&v=9dKiLclupUM

What Dave is essentially saying (I think) and what Alex Stamos misses is that 0-days have fat-tail risks.

-Nate

> On Nov 1, 2019, at 11:57 AM, Don A. Bailey <don.bailey at gmail.com> wrote:
> 
> Alex is exceptional but this is a critical fact that is indeed overlooked by a vocal majority.
> 
>> On Nov 1, 2019, at 11:22 AM, Dave Aitel <dave.aitel at gmail.com> wrote:
>> 
>> 
>> Ok, so you can/should watch it here:
>> https://www.youtube.com/watch?v=uohyx7OIugY
>> 
>> Alex is a great keynote speaker and I really like a lot of his talk (especially where he delves into how disintermediation has broken all social systems without ever using the word disintermediation) but also I think he's super wrong about something so I'm going to spam this at him (and all of you) to annoy him, specifically in a section about priorities as a community, which is followed by a whole section on how the technical companies all emulate Steve Jobs and pretend everything they do is perfect.
>> 
>> "Even in a position where we faced the best attackers, I only saw true 0day deployed twice"
>> 
>> """If you have Superman vision and you're able to zoom in to the screen, you would see that every pixel on the screen is actually comprised of sub-pixels, right, of red, green, blue sub-pixels. This sub-pixel represents all of the human harm ever caused by side-channel attacks in the history of information security. This is what dominates discussion in the security research community - super complicated esoteric issues for which there's almost no demonstration ever, or even good theoretical purposes, in which this would be the best way for somebody to leak out information or somehow otherwise compromise the system. And so this is the fundamental issue - that if you actually look at what people are working on, that pyramid is inverted. People are spending way more than a sub-pixel thinking about super esoteric side-channel attacks in Intel processors. That doesn't mean we shouldn't research. It doesn't mean we shouldn't fix it. But it shouldn't be the thing that we think way more about..... I want to read way more about how people are making it easier for real enterprises to patch their systems. I want to read way more about how people are designing their systems to not be able to be easily abused to cause harm in a variety of really horrible ways than I read about more side-channel attacks. I certainly don't want people coming up with damn names and domains just for their side-channel attack. That drives me totally insane."""
>> 
>> So here are two things:
>> 1. The security research community is tiny. We get a not insignificant subset of it at INFILTRATE every year. The reason the material the research community puts out gets attention is precisely because it turns conventional wisdom on its head. You study the latest heap overflow because it fills in your knowledge of how weird machines work in the real world. You learn about HTTP Desync attacks because they reflect a larger problem in parsers in general, in that you cannot ADD two parsers together to get a more secure solution (which is also what weird machines tell you). Hey it turns out WAFs and AVs can only make you LESS secure, not more. That's a USEFUL thing to know!
>> 
>> You study side channel attacks because it answers the question "If I can't trust the silicon what can I trust?" and the answer is a dried leaf you found in your driveway and an old walnut stick, and not the latest blinky box from a company set up by a conglomerate that also does government contracting "on the side" for a government that is not yours. :)
>> 
>> 2. There's lots of hackers out there who use ONLY 0day. This is one of those things that's obvious every time you talk to a group of old ones about their favorite bugs and everyone's favorite was one that nobody detected for decades. Kaspersky finds someone using Chrome 0day about once a month now. And that's because advanced attacks have strategic impact, and even if you solved the entire rest of that pyramid, one good 0day can tumble a society.
>> 
>> How would one detect side channel attacks exactly? What it looks like is someone (me maybe) buying a bunch of VMs in your hosting provider and then using their CPU for a little bit.
>> 
>> I don't think Maersk had issues with patching. The issue is that no matter how good at patching you are, it doesn't matter in the face of a worm that uses Active Directory to traverse around, and they probably did not listen to the Bloodhound researchers talk about the many many ways AD is a risk all by itself. Every attacker (Avast <https://www.zdnet.com/article/avast-says-hackers-breached-internal-network-through-compromised-vpn-profile/> and the Indian Nuclear <https://arstechnica.com/information-technology/2019/10/indian-nuke-plants-network-reportedly-hit-by-malware-tied-to-n-korea/> hackers, this week alone) seems to have Domain Admin but the security engineering community hasn't asked why yet...
>> 
>> -dave
>> 
>> 
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunityinc.com
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
