[Dailydave] A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos

Alex Stamos alex at stamos.org
Sat Nov 2 00:25:11 UTC 2019


Hi, Dave-

I'm glad you enjoyed the keynote, and I appreciate the risks from 0-day. I
would disagree with Nathan that I'm a naive empiricist. I learned something
really important when I took the CISO job at Yahoo, my first big-company VP
position under a very experienced Silicon Valley executive named Jay
Rossiter. Jay told me "Son, you are coming from a world where you could
focus on really specific and interesting challenges but now your job is
all about portfolio management. You have an infinite set of problems and
very finite resources, your entire role here is to try to apply your
limited human and financial capital to the problems that hurt us the most.
That's it."

Ok, maybe I imagined him calling me "Son" or that he was chewing grass
while he said this or the warm yellow glow of the setting midwest sun that
bathed us in warm companionship while we repaired our combine in time for
the harvest and perhaps even the smell of Ma's apple pie wafting from the
picnic. But he definitely told me that stuff about portfolio management,
and boy was he right. He was super duper right at Yahoo, where security was
as well resourced as you would expect at a company fighting to survive via
quarterly MAU/revenue and where we were facing a massive cliff of tech debt
that started in 1997.

So I agree with you in the world where the portfolio of resources the
greater security and safety community had to apply to the problem set of
"computers hurt people" was restricted to people who attend Infiltrate and
find new bugs all day. These people should definitely exist and do their
damndest, and I don't think redeploying Tavis to work on authentication
would make the situation better (he also interpreted my talk to be about
people in his line of work). However, I'm really worried about some other
follow-on effects from security research and I would say that the
sub-portfolios that are really being mismanaged right now are:

*Internal Corporate Teams* - Too many CISOs and Directors (where the real
work happens) are enamored of the high-end threat because it makes them
feel like they are players on the global stage. Maersk was a victim of an
act that would fit in the broadest definition of "international cyberwar"
but *in the worst possible way*, as collateral damage caused by practices
equivalent to moving to northern Syria and getting a real good deal on a
used white Toyota pickup and driving it around the desert without taking
that weird black flag off because it looks really metal. They got owned
because of really weak basic practices and couldn't recover because they
had never practiced responding to a disaster this large. I can't speak as
to what their focus *was*, but it wasn't on the realistic threats.

*Academic CS Security Research* - I originally gave a version of this talk
at USENIX, and I was really focused on how InfoSec in Computer Science
departments is warped by a need to make any individual problem "CS Hard".
CS Hard problems tend to have really complex solutions that also happen to
be unique. Real solutions to real problems usually need to be simple and
preferably based upon some fix that has been deployed in a different but
related context. This is a salient problem in the academy right now; I'm
trying to get help from CS grad students and even if they are interested in
my problem space they are struggling to figure out how to publish on these
problems in a way that will get them academic jobs.

*New Startups / Venture Capital* - Probably the absolutely worst balanced
area in security is the startup space, where 90% of the money and effort
are applied to the top 10% of the pyramid I used in that talk. Walk the
floor at RSA this February and try to imagine how most of those products
could be deployed by the 15 person security team at a not-sexy but critical
company, like a large manufacturer of heavy equipment (like the combine Jay
and I were fixin') that happens to have big competitors in the PRC. The
reverse-takeover of FireEye by Mandiant was not recognized at the time for
what it really was, a demonstration that products focused on the
super-high-end threat would, by definition, generally be unusable by most
of the enterprise security TAM due to lack of customer resources. Most of
the companies on the RSA floor won't exist in a decade, and normally the VC
world would take huge losses and readjust. That process is going to take a
long time because of all of the spectacular dumb money in the market and
the fact that VCs with absolutely no practical defensive experience are
raising nine-figure funds focused on security. If you are looking to invest
in security, find the next Tanium or Cloudflare: companies focused on real
operational challenges that just happen to provide security benefits to
organizations with limited security staff.

So what does this have to do with the "research community"? While I agree
that research at the cutting edge of risk is critical, it also has an
outsized influence on all three of these other areas. VCs, CISOs, academics
all take their cues from people on stage at
BlackHat/Defcon/Infiltrate/Recon/CanSec etc., which should be a
terrifying thought. I still believe that a good defense should be based
upon understanding offense, but that should be offense as it is really
practiced and not the kinds of hypos I discussed like side-channel.

Anyway, I guess I agree with you, Dave, in the small-picture but I think I
was addressing a larger problem.

Thanks for the shoutout. Peace,
     Alex

On Fri, Nov 1, 2019 at 8:18 AM Dave Aitel <dave.aitel at gmail.com> wrote:

> Ok, so you can/should watch it here:
> https://www.youtube.com/watch?v=uohyx7OIugY
>
> Alex is a great keynote speaker and I really like a lot of his talk
> (especially where he delves into how disintermediation has broken all
> social systems without ever using the word disintermediation) but also I
> think he's super wrong about something so I'm going to spam this at him
> (and all of you) to annoy him, specifically in a section about priorities
> as a community, which is followed by a whole section on how the technical
> companies all emulate Steve Jobs and pretend everything they do is perfect.
>
> [image: image.png]
>
>
> "Even in a position where we faced the best attackers, I only saw true
> 0day deployed twice"
>
> [image: image.png]
>
>
> [image: image.png]
>
> """If you have Superman vision and you're able to zoom in to the screen
> you would see that every pixel on the screen is actually comprised of sub
> pixels right of red green blue sub pixels *this sub pixel represents all
> of the human harm ever caused by side-channel attacks in the history of
> information security.* This is what dominates discussion in the security
> research community - super complicated esoteric issues for which there's
> almost no demonstration ever or even good theoretical purposes in which
> this would be the best way for somebody to leak out information or somehow
> otherwise compromise the system. And so this is the fundamental issue -
> that if you actually look at what people are working on that pyramid is
> inverted. People are spending way more than a sub-pixel thinking about
> super esoteric side-channel attacks in Intel processors. That doesn't mean
> we shouldn't research. It doesn't mean we shouldn't fix it. But it
> shouldn't be the thing that we think way more about..... I want to read way
> more about how people are making it easier for real enterprises to patch
> their systems. I want to read way more about how people are designing their
> systems to not be able to be easily abused to cause harm and a variety of
> really horrible ways than I read about more side-channel attacks. I
> certainly don't want people coming up with damn names and domains just
> for their side channel attack. That drives me totally insane."""
>
> So here are two things:
> 1. The security research community is tiny. We get a not insignificant
> subset of it at INFILTRATE every year. The reason the material the research
> community puts out gets attention is precisely because it turns
> conventional wisdom on its head. You study the latest heap overflow because
> it fills in your knowledge of how weird machines work in the real world.
> You learn about HTTP Desync attacks because they reflect a larger problem
> in parsers in general, in that you cannot ADD two parsers together to get a
> more secure solution (which is also what weird machines tell you). Hey it
> turns out WAFs and AVs can only make you LESS secure, not more. That's a
> USEFUL thing to know!
>
> You study side channel attacks because it answers the question "If I can't
> trust the silicon what can I trust?" and the answer is a dried leaf you
> found in your driveway and an old walnut stick, and not the latest blinky
> box from a company set up by a conglomerate that also does *government
> contracting* "on the side" for a government that is not yours. :)
>
> 2. There's lots of hackers out there who use ONLY 0day. This is one of
> those things that's obvious every time you talk to a group of old ones
> about their favorite bugs and everyone's favorite was one that nobody
> detected for decades. Kaspersky finds someone using Chrome 0day about once
> a month now. And that's because advanced attacks have strategic impact, and
> even if you solved the entire rest of that pyramid, one good 0day can
> tumble a society.
>
> How would one detect side channel attacks exactly? What it looks like is
> someone (me maybe) buying a bunch of VMs in your hosting provider and then
> using their CPU for a little bit.
>
> I don't think Maersk had issues with patching. The issue is that no matter
> how good at patching you are, it doesn't matter in the face of a worm that
> uses Active Directory to traverse around, and they probably did not listen
> to the Bloodhound researchers talk about the many many ways AD is a risk
> all by itself. Every attacker (Avast
> <https://www.zdnet.com/article/avast-says-hackers-breached-internal-network-through-compromised-vpn-profile/>
> and the Indian Nuclear
> <https://arstechnica.com/information-technology/2019/10/indian-nuke-plants-network-reportedly-hit-by-malware-tied-to-n-korea/>
> hackers, this week alone) seems to have Domain Admin but the security
> engineering community hasn't asked why yet...
>
> -dave
>
>