Still, it made me think in relation to the dimension of CFAA pushback we have gotten. The CFAA encourages a corporate development cycle of pushing crappy software out exposed to the net without audit, and to leave nets without monitoring or pentesting, because user data is insured and/or there are no penalties for its loss, corporate data loss is poorly understood and poisoning entirely unassessed, and it's assumed the feds will clean things up at taxpayer expense.
Why pay for security? And this would suit a "national security" interest that wanted compromised software. As sick as that is for a larger perspective of national security from cyberthreats -- we have already seen some rather poor decisions made. Essay on my G+ yesterday in more pot-boiler mode, if anyone's interested. Yrs, SN On Jul 10, 2013 12:21 PM, "David Goulet" <dgou...@ev0ke.net> wrote: > Jacob Appelbaum: > > Andreas Bader: > >> Eugen Leitl: > >> > >>> Grimes: How many exploits does your unit have access to? > >>> > >>> Cyber warrior: Literally tens of thousands -- it's more than that. We > have > >>> tens of thousands of ready-to-use bugs in single applications, single > >>> operating systems. > >>> > >>> Grimes: Is most of it zero-days? > >>> > >>> Cyber warrior: It's all zero-days. Literally, if you can name the > software or > >>> the controller, we have ways to exploit it. There is no software that > isn't > >>> easily crackable. In the last few years, every publicly known and > patched bug > >>> makes almost no impact on us. They aren't scratching the surface. > >> > >> > >> Tens of thousands zero-days; that sounds like totally shit. That guy > >> seems to be a script kiddie poser, nothing more. > >> Are there any real "hackers" that can issue a competent statement to > that? > >> > > > > I couldn't disagree more. This sounds consistent with the current arms > > race and also relates directly to the 0day markets that have been active > > for many many years. Remember though: buying 0day bugs or exploits for > > 0day is just one part of a much larger picture. > > I have to agree here with you. The 0day market is booming and we have a > very > unclear picture as of now on the magnitude of that market. > > However, there is something weird in this guy statement. With my > experience, > finding exploitable 0days for known software is not that trivial, it takes > time > and effort. Now, creating a working exploit (preferably remotely of > course) is > also very difficult! > > He goes on stating: > > "I would hack the software and create buffer overflow exploits. I was > pretty > good at this. There wasn't a piece of software I couldn't break. It's not > hard." > > To be honest, for my self being a person that does security contest for > years > now (Defcon, iCTF, csaw, etc...) and in security communities, someone > speaking > like that is a bit of a red flag in terms of deep knowledge of software/OS > exploitation (especially OS exploits). > > 0day development is not an easy business (like he is picturing it). From > friends > in the reverse engineering field (AV corp.), a *lot* of people are doing > that > full time in Russia for malware development and word! it takes time, > experience > and knowledgeable people. > > In a nutshell, in my opinion, this interview looks more like a guy that > wants to > flash rather then the real truth. There is SURELY true stuff in there but I > doubt seriously the part about the extent of 0day and bugs development. > This is > just too fishy to be serious... anyway that should not mean we should not > take > this seriously! > > Cheers! > David > > > > > All the best, > > Jacob > > > > -- > > Too many emails? Unsubscribe, change to digest, or change password by > emailing moderator at compa...@stanford.edu or changing your settings at > https://mailman.stanford.edu/mailman/listinfo/liberationtech > > > -- > Too many emails? Unsubscribe, change to digest, or change password by > emailing moderator at compa...@stanford.edu or changing your settings at > https://mailman.stanford.edu/mailman/listinfo/liberationtech >
-- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
