<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jul 31, 2015 at 7:55 AM, Dave Aitel <span dir="ltr"><<a href="mailto:dave.aitel@gmail.com" target="_blank">dave.aitel@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>I went back a couple days ago and re-read the latest Qualys exploit, as you should: <a href="http://seclists.org/oss-sec/2015/q3/185" target="_blank">http://seclists.org/oss-sec/2015/q3/185</a> . "Hi, here is a program that uses RLIMIT_FSIZE to like, own all the systems you probably have in your enterprise!" Unix is neat! </div><div><br></div><div>But equally important is the Qihoo360 talk from Syscan 15. This is available here: <a href="https://www.youtube.com/watch?v=5imoFfjZjx0" target="_blank">https://www.youtube.com/watch?v=5imoFfjZjx0</a> . Notice how they beat up all of Microsoft's very latest projection work, without breaking a sweat, but all the while in a very Chinese way, praising the cleverness of their opponent. </div><div><br></div><div>Both of these talks are phenomenal work that is done while making it look easy and should teach you a strategic lesson about hacking. </div><div><br></div><div>People go to Vegas to be distracted. And it's fun to be distracted by what is a literal modern-day witch hunt from Chris Seghoian and friends against hackers because they can do things that scare children. Equally true is that it is easy to be distracted by whatever the latest junk hacking is that appears in Wired or on CNN. Or, of course, by whatever random magic trick someone at Google's Project Zero has put out on a blog. "OMG FLASH HAS ANOTHER BUG!?!?!!"</div><div><br></div></div></blockquote><div><br></div><div>Perfect timing! I'd encourage everyone to go and be distracted by Mateusz' just-released blog post: <a href="http://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html">http://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html</a></div><div><br></div><div>As far as distractions go, I'm really proud of the work that Mateusz has done on fonts recently, as it exactly encapsulates everything that Project Zero is about: cutting edge attack research on high priority targets performed in the public domain. You're definitely right that Mateusz' work is often indistinguishable from magic, but you're not right about the motivations for his work, or that of Project Zero's. </div><div><br></div><div>I'm never quite sure how to respond to the claims that Project Zero is marketing driven - we've spoken publicly about our reasoning in creating the team[1] in the past, our technical strategy, and what we hope to achieve. But perhaps let me distill this down: Project Zero's success is measured based on the impact of its engineering output on user safety, and nothing else.</div><div><br></div><div>Our team consists 100% of security researchers with a background in software exploitation. In the past year, we've fixed 250+ bugs, and released 20+ technical reports on our blog. We apply 90-day deadlines to Android [2] and Chrome [3]. We've helped deploy exploit mitigations and sandbox improvements into Flash, Chrome, and Linux. We don't release glossy PDFs or press releases! But we do think that we can make a substantial positive impact on the security of both Google and our users - even if takes longer than we'd all like, we're in it for the long haul.</div><div><br></div><div>[1] <a href="https://cansecwest.com/slides/2015/Project%20Zero%20-%20making%200day%20hard%20-%20Ben%20Hawkes.pdf">https://cansecwest.com/slides/2015/Project%20Zero%20-%20making%200day%20hard%20-%20Ben%20Hawkes.pdf</a></div><div>[2] For example: <a href="https://code.google.com/p/google-security-research/issues/detail?id=252">https://code.google.com/p/google-security-research/issues/detail?id=252</a></div><div>[3] For example: <a href="https://code.google.com/p/google-security-research/issues/detail?id=364">https://code.google.com/p/google-security-research/issues/detail?id=364</a></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div></div><div>Project Zero is irrelevant and I'll tell you why in six words or less: People have actual shit to secure. P0 is about marketing dollars, and annoying their competition and building a talent base. But that talent base will leave in 20 seconds once they realize marketing has no value, and they're going to get used to secure Android from Stagefreight Bug 2.0, or Nest from whatever horrible bugs are in that platform, or the Google App Engine from the <a href="https://threatpost.com/researchers-disclose-further-vulnerabilities-in-google-app-engine/112849" target="_blank">thousand insane isolation bugs that effect it</a> that they won't admit are a catastrophic isolation design failure.</div><div><br></div><div>Don't believe me? Where are the P0 entries against Android and Nest and Chromebook and App Engine? I'm sure they give them sixty days, just like external companies, right?</div><div><br></div><div>Why would you have all your best hackers working on random external companies and not securing the stuff you deliver to customers and depend on for your business? Where's all the hard core XSS work against <a href="http://Inbox.google.com" target="_blank">Inbox.google.com</a> that needs to be publicized? Just getting used by the Chinese APT666 group, then?</div><div><br></div><div>That Qualys userhelper bug and the Qihoo360 IE talk should remind you that aside from all the things that get mad twitter retweets by Infosec Taylor Swift personas, there's <a href="https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html" target="_blank">old school hackers</a> available and possibly bored, sitting on all the servers that underlie all your assumptions, like a divide by zero error lurking in the corner of your vision. </div><div><br></div><div>Remember when various members of TESO didn't have 150 thousand twitter followers because they hinted at having iOS jailbreaks which are, frankly, cakewalk for a hacker like Lorian to produce? Where do you think the rest of TESO went, if not to Twitter or Project Zero? </div><div><br></div><div>In summary let me put it this way: You cannot afford to be distracted by the show. </div></div>
<br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div></div>