Alex is exceptional but this is a critical fact that is indeed overlooked by a vocal majority.
> On Nov 1, 2019, at 11:22 AM, Dave Aitel <[email protected]> wrote:
>
> Ok, so you can/should watch it here:
> https://www.youtube.com/watch?v=uohyx7OIugY
>
> Alex is a great keynote speaker and I really like a lot of his talk
> (especially where he delves into how disintermediation has broken all social
> systems without ever using the word disintermediation) but also I think he's
> super wrong about something so I'm going to spam this at him (and all of you)
> to annoy him, specifically in a section about priorities as a community,
> which is followed by a whole section on how the technical companies all
> emulate Steve Jobs and pretend everything they do is perfect.
>
> <image.png>
>
> "Even in a position where we faced the best attackers, I only saw true 0day
> deployed twice"
>
> <image.png>
>
> <image.png>
>
> """If you have Superman vision and you're able to zoom in to the screen you
> would see that every pixel on the screen is actually comprised of sub pixels
> right of red green blue sub pixels this sub pixel represents all of the human
> harm ever caused by side-channel attacks in the history of information
> security. This is what dominates discussion in the security research
> community - super complicated esoteric issues for which there's almost no
> demonstration ever or even good theoretical purposes in which this would be
> the best way for somebody to leak out information or somehow otherwise
> compromise the system. And so this is the fundamental issue - that if you
> actually look at what people are working on that pyramid is inverted. People
> are spending way more than a sub-pixel thinking about super esoteric
> side-channel attacks in Intel processors. That doesn't mean we shouldn't
> research. It doesn't mean we shouldn't fix it. But it shouldn't be the thing
> that we think way more about..... I want to read way more about how people
> are making it easier for real enterprises to patch their systems. I want to
> read way more about how people are designing their systems to not be able to
> be easily abused to cause harm and a variety of really horrible ways than I
> read about more side-channel attacks. I certainly don't want people coming up
> with damn names and domains just for their side channel attack. That
> drives me totally insane."""
>
> So here's two things:
>
> 1. The security research community is tiny. We get a not insignificant subset
> of it at INFILTRATE every year. The reason the material the research
> community puts out gets attention is precisely because it turns conventional
> wisdom on its head. You study the latest heap overflow because it fills in
> your knowledge of how weird machines work in the real world. You learn about
> HTTP Desync attacks because they reflect a larger problem in parsers in
> general, in that you cannot ADD two parsers together to get a more secure
> solution (which is also what weird machines tell you). Hey it turns out WAFs
> and AVs can only make you LESS secure, not more. That's a USEFUL thing to
> know!
>
> You study side channel attacks because it answers the question "If I can't
> trust the silicon what can I trust?" and the answer is a dried leaf you found
> in your driveway and an old walnut stick, and not the latest blinky box from
> a company set up by a conglomerate that also does government contracting "on
> the side" for a government that is not yours. :)
>
> 2. There's lots of hackers out there who use ONLY 0day. This is one of those
> things that's obvious every time you talk to a group of old ones about their
> favorite bugs and everyone's favorite was one that nobody detected for
> decades. Kaspersky finds someone using Chrome 0day about once a month now.
> And that's because advanced attacks have strategic impact, and even if you
> solved the entire rest of that pyramid, one good 0day can tumble a society.
>
> How would one detect side channel attacks exactly? What it looks like is
> someone (me maybe) buying a bunch of VMs in your hosting provider and then
> using their CPU for a little bit.
>
> I don't think Maersk had issues with patching. The issue is that no matter
> how good at patching you are, it doesn't matter in the face of a worm that
> uses Active Directory to traverse around, and they probably did not listen to
> the Bloodhound researchers talk about the many many ways AD is a risk all by
> itself. Every attacker (Avast and the Indian Nuclear hackers, this week
> alone) seems to have Domain Admin but the security engineering community
> hasn't asked why yet...
>
> -dave
>
> _______________________________________________
> Dailydave mailing list
> [email protected]
> https://lists.immunityinc.com/mailman/listinfo/dailydave
