<html><head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type"></head>
<body>
<div>
<div style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif">We, with our background in attacks/offense, who have taken on the mission to defend, have embedded ourselves inside these corporations for years to essentially "backdoor" more meaningful security improvements into them. Over these years, we have been buffeted from both sides by our offense-oriented brethren and by the often conservative organizations who pay our salaries, as we raged against the corporate machine.<br>
<br>This year, as the content chair of BlueHat, I took a risk by inviting open conversation about the fact that trust itself is under attack. For the technology giants to survive and remain as strong as they have traditionally been, they must unite against those who undermine that trust. This is why I was able to invite an engineer from a competitor mega corporation to close the conference with a talk about designing products and services that are resistant to abuse and surveillance. <br>
<br>Corporations may be powerful now, but that power is dependent upon people being willing to buy or use the products and services they build. No green can grow out of rocky terrain when the soil of trust has been eroded. <br>
<br>To me, with my chosen mission of defense, the adversary is not important. Those of us embedded in these companies use our influence as individuals to turn the giant ships, sometimes setting course straight for the eye of the storm. <br>
<br>I've been Leia for a long time, devising strategies that turn the ship on which I sail towards thwarting common adversaries, calling upon my collective Obi Wan Kenobi's to band together for defense. Here is a blog I wrote back in 2008, when life seemed simpler (but we all knew it wasn't as simple as it appeared): <a href="http://blogs.technet.com/b/bluehat/archive/2008/08/07/threats-in-a-blender-and-other-raisons-d-tre.aspx">http://blogs.technet.com/b/bluehat/archive/2008/08/07/threats-in-a-blender-and-other-raisons-d-tre.aspx</a> .<br>
<br>And here is the blog I wrote a couple of weeks ago, where the last two paragraphs discuss engaging across borders, across company lines, to help defend the users, no matter the adversary: <a href="http://blogs.technet.com/b/bluehat/archive/2013/12/06/bluehat-v13-is-coming.aspx">http://blogs.technet.com/b/bluehat/archive/2013/12/06/bluehat-v13-is-coming.aspx</a> .<br>
<br>While I cannot predict what will happen in 2014 or beyond, if we set our united course to meet the adversaries, whomever they may be, we can only be struck down temporarily - before we rise up more powerful than you can possibly imagine.<br>
<br>The Force is strong in all of you, friend and foe - many of you are both. Those who know me know my profound respect for both sides of The Force. <br><br>So Merry Christmas, crank up that rebel music: <a href="http://youtu.be/yv9XZI3zwF4">http://youtu.be/yv9XZI3zwF4</a> . And<br>
Happy New Year, May The Force be with you all.<br><br>Katie<br><br>Sent from my Windows Phone</div></div>
<div dir="ltr">
<hr>
<span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">From: </span><span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif"><a href="mailto:dominique.brezinski@gmail.com">Dominique Brezinski</a></span><br>
<span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">Sent: </span><span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif">12/24/2013 8:30 AM</span><br><span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">To: </span><span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif"><a href="mailto:dave@immunityinc.com">Dave Aitel</a></span><br>
<span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">Cc: </span><span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif"><a href="mailto:dailydave@lists.immunityinc.com">dailydave</a></span><br>
<span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">Subject: </span><span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif">Re: [Dailydave] 2013 - A New Hope</span><br><br></div></body></html>
<div dir="ltr">I think you just highlighted the catalyst for a truly Gibson-esque future where the power of corporations greatly supersedes governments. When corporations are forced to turn their resources and innovation towards defending against governments, their agility and cross-border capability will play to their advantage. Taxation is an example on the finance side. We will see how it plays out on the information side.<div>
<br></div><div>Dom</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Dec 24, 2013 at 7:50 AM, Dave Aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<br>
2013 - A New Hope<br>
<br>
<br>
So I hesitate to make predictions, but I think it's important to at
some level acknowledge that 2013 was a huge year for information
security. A few things happened... :<br>
<br>
o The rebirth of managed security services. <br>
<br>
When you don't care about bringing hackers to court, but you DO care
about the security of your IP, you start to evolve a very different
fabric on your network and you need a completely different
specialist set of skills. Managed Security Services used to be the
haven of total technical wash-outs, with IDS monkeys watching
screens for alerts nobody cared about. This has changed, and I think
the watershed moment was February 2013, with Mandiant releasing
their <a href="https://www.mandiant.com/blog/mandiant-exposes-apt1-chinas-cyber-espionage-units-releases-3000-indicators/" target="_blank">APT1
report</a>. We are moving to a much more highly skilled, and
expensive, version of managed security services, with Mandiant,
Crowdstrike, Terremark, and others all competing with similar
technologies and methodologies and price points. This is the
pendulum swinging away from offense a bit more, assuming people can
afford these services (which is not at all a given).<br>
<br>
o The Snowden Event<br>
<br>
Look, there's very little in the "revelations" Snowden has talked
about that wasn't already highly visible to industry insiders: What
can be done, is being done. And everyone who says Cyber is a
asymmetric warfare should be eating their words now, since you
cannot believe the US Intel Community has succeeded to the level
they have in this space and think it was a game for small players
anymore. My <a href="http://www.youtube.com/watch?v=D5ULFP4CgQU" target="_blank">USENIX
talk from 2011</a> pointed out much of what has come out. The most
obvious angle on the story is the growing push-back from
corporations. Google building certificate pinning into Chrome by
default hurts not just Iran, but also all the allied governments
Google calls home, who are just as happy about how the global PKI
system SSL depends on bends to their whims. The corporations have
been taking huge unbalanced risks on behalf of their governments,
and these chickens are coming home to roost. Or, to be more
specific, vultures, as <a href="http://venturebeat.com/2013/12/03/everyone-hates-huawei-ceo-says-company-is-giving-up-on-the-us/" target="_blank">Huawei
demonstrated</a> by being thrown out of the largest market for IT
gear in the world. But it's exactly that horrifying prospect that
scares Facebook and Google and every other big US IT company into
taking a hard line with the USG, and no doubt, with one eye on <a href="http://www.reuters.com/article/2013/11/13/us-cisco-results-idUSBRE9AC16F20131113" target="_blank">Cisco's
revenue sheet </a>.<br>
<br>
To quote from today's<a href="http://www.washingtonpost.com/world/national-security/edward-snowden-after-months-of-nsa-revelations-says-his-missions-accomplished/2013/12/23/49fc36de-6c1c-11e3-a523-fe73f0ff6b8d_story.html" target="_blank">
Washington Post article:</a><br>
"""<br>
<span style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:left;font-style:normal;display:inline!important;font-weight:normal;float:none;line-height:22.5px;text-transform:none;font-size:15px;white-space:normal;font-family:Georgia,serif;word-spacing:0px">Microsoft general
counsel Brad Smith took to his company’s blog and<span> </span></span><a href="http://blogs.technet.com/b/microsoft_blog/archive/2013/12/04/protecting-customer-data-from-government-snooping.aspx" style="border-bottom-width:1px;text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:left;font-style:normal;font-weight:normal;border-bottom-color:rgb(212,212,212);border-bottom-style:solid;line-height:22.5px;color:rgb(0,91,136);text-transform:none;font-size:15px;white-space:normal;text-decoration:none;font-family:Georgia,serif;word-spacing:0px" target="_blank">called the NSA an “advanced persistent threat</a><span style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:left;font-style:normal;display:inline!important;font-weight:normal;float:none;line-height:22.5px;text-transform:none;font-size:15px;white-space:normal;font-family:Georgia,serif;word-spacing:0px">” — the worst of
all fighting words in U.S. cybersecurity circles, generally
reserved for Chinese state-sponsored hackers and sophisticated
criminal enterprises.</span><br>
"""<br>
<br>
What should scare administration officials is that when you talk to
big financials in NY, they feel the exact same way. In my
discussions, they are now MORE invested in securing themselves
against the US Government than the Chinese government! <br>
<br>
It is safe to say these battle lines have yet to be completely
redrawn, and when they do the Chinese and US governments will be on
the same side, with Chinese and US corporations allied against them.<br>
<br>
And we will then officially exit the "Golden age of SIGINT" and
enter the scrappy Bronze Age of Targeted Access.<br>
<br>
o The rise of Bitcoin<br>
<br>
The financials (and business in general) are extremely excited about
the useful shared delusion that is Bitcoin. Nobody knows how this
pans out, but it doesn't necessarily pan out well for groups whose <a href="http://www.nytimes.com/2013/12/06/business/international/china-bars-banks-from-using-bitcoin.html?_r=0" target="_blank">root
of power is controlling the flow of commerce</a>. <br>
<br>
o The cementing of Leaks as cyberweapons<br>
<br>
Every reporter I talk to now who is starting a new venture has a
foundational element of "some place people can send me leaked
documents". The concept of leaking things into the public eye as a
cyber-weapon has gone from "Assange is a crazy loon" to "This is how
things get done" in a fairly rapid space. It's easy to forget that
the whole reason he started WikiLeaks was that he believed that you
could forever change how government works by draining the ocean of
secrecy they live in (and of course, to get babes). The Russian and
Chinese and Iranians and so forth are snarkily reveling in how the
USG is painfully handling the leaks, but of course, their turn is
coming, and they are far more vulnerable.<br>
<br>
Conclusion:<br>
<br>
So to sum up, 2013 was a year governments (and in particular the
USG) found their influence sharply contracting, with budget cuts,
shutdowns, and philosophical pressure on all sides. I, with the rest
of the hacker community, look forward to 2014, when the empire can
strike back.<span class="HOEnZb"><font color="#888888"><br>
<br>
-dave<br></font></span>
P.S. MERRY CHRISTMAS AND HAPPY NEW YEARS TO ALL DD LIST READERS!<br>
<br>
</div>
<br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>