Thanks for this post, Dave. I enjoyed reading it. Regarding the EQ Group leak, I think that there's a good case to be made that an insider or an ex-employee was responsible. I hope to have some reasons posted on why that is in the next few days.
Jeff Carr

On Wed, Aug 17, 2016 at 9:00 AM, <[email protected]> wrote:

> Send Dailydave mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.immunityinc.com/mailman/listinfo/dailydave
> or, via email, send a message with subject or body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Dailydave digest..."
>
>
> Today's Topics:
>
> 1. Latency is a demogorgon (dave aitel)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 17 Aug 2016 11:01:50 -0400
> From: dave aitel <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: [Dailydave] Latency is a demogorgon
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"
>
>
> So every remote access trojan framework has a high level interpreter
> built into it these days. It brings you back to something from that Zero
> Day movie (which we all watched drunk to make it bearable, admit it)
> where a Kaspersky analyst talked about Stuxnet being "Big but amazingly
> BUG FREE". Not having subtle bugs is something you can do much more
> easily in Python/Lua/Ruby/etc than in C/C++. There are other good
> reasons to have a high level language in your RAT system, but that is a
> major one.
>
> One of the other major reasons is that you can push complex logic to the
> endpoint that only lives there temporally. By complex logic, we mean
> full-on exploits. You can drive CANVAS's entire MSRPC libraries inside
> INNUENDO <https://immunityinc.com/products/innuendo/>, without ever
> touching disk. And we often do (MSRPC is still important in the world
> even though the last good public bug was MS08-026).
>
> And this is a good reason to choose Python instead of Lua in your RAT.
> You're going to want to write your exploits in Python. You're going to
> want to run your exploits on the remote side - because of Latency.
>
> Latency is a funny thing. Inside all networking code is a hellish
> mishmash of timeouts, MTUs, retries, and buffers. That mishmash does
> Murphy-law-level chaotic things in the face of what you might consider
> very reasonable network conditions. Sat hops are one second latency
> bombs. Add a couple of those, and a bit of packet loss, and TCP breaks
> down in some hard to debug ways that will drive your exploits from
> "Working \o/" to "Not worky worky sadface". This is hard to emulate on
> VMWare or other software stacks for some reason.
>
> In any case, there are bad things about putting Python in your RAT, but
> one GOOD thing is that no soon-to-be-fired-for-extreme-idiocy operator
> will ever upload an entire package to some random redirector box on the
> Internet to avoid latency issues.
>
> That said, I still lean towards HUMINT being a source for the EQGRP
> leak. It's kinda a happy battle between colossal stupidity and insane
> malice at this point?
>
> -dave
>
> TL;DR: https://twitter.com/itsDanielSuarez/status/764898078663012356
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20160817/520a7d61/attachment-0001.html>
>
> ------------------------------
>
> _______________________________________________
> Dailydave mailing list
> [email protected]
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>
>
> End of Dailydave Digest, Vol 57, Issue 8
> ****************************************

--
Jeffrey Carr (jeffreycarr.com)
CEO, Taia Global, Inc. (taiaglobal.com)
Founder, Suits and Spooks (suitsandspooks.com)
Author, "Inside Cyber Warfare: Mapping the Cyber Underworld" (O'Reilly Media, 2009, 2011)

THE CONTENTS OF THIS EMAIL ARE FOR THE RECIPIENT'S EYES ONLY AND MAY NOT BE DUPLICATED OR DISTRIBUTED WITHOUT PRIOR PERMISSION.
