It's naive empiricism, much like the discussions around terrorism: https://www.youtube.com/watch?time_continue=33&v=9dKiLclupUM

What Dave is essentially saying (I think) and what Alex Stamos misses is that 0-days have fat-tail risks.

-Nate

> On Nov 1, 2019, at 11:57 AM, Don A. Bailey <[email protected]> wrote:
>
> Alex is exceptional but this is a critical fact that is indeed overlooked by a vocal majority.
>
>> On Nov 1, 2019, at 11:22 AM, Dave Aitel <[email protected]> wrote:
>>
>> Ok, so you can/should watch it here: https://www.youtube.com/watch?v=uohyx7OIugY
>>
>> Alex is a great keynote speaker and I really like a lot of his talk (especially where he delves into how disintermediation has broken all social systems without ever using the word disintermediation), but I also think he's super wrong about something, so I'm going to spam this at him (and all of you) to annoy him, specifically in a section about priorities as a community, which is followed by a whole section on how the technical companies all emulate Steve Jobs and pretend everything they do is perfect.
>>
>> <image.png>
>>
>> "Even in a position where we faced the best attackers, I only saw true 0day deployed twice"
>>
>> <image.png>
>>
>> <image.png>
>>
>> """If you have Superman vision and you're able to zoom in to the screen, you would see that every pixel on the screen is actually comprised of sub-pixels, right, of red, green, blue sub-pixels. This sub-pixel represents all of the human harm ever caused by side-channel attacks in the history of information security. This is what dominates discussion in the security research community: super complicated, esoteric issues for which there's almost no demonstration ever, or even good theoretical purposes in which this would be the best way for somebody to leak out information or somehow otherwise compromise the system. And so this is the fundamental issue: that if you actually look at what people are working on, that pyramid is inverted. People are spending way more than a sub-pixel thinking about super esoteric side-channel attacks in Intel processors. That doesn't mean we shouldn't research. It doesn't mean we shouldn't fix it. But it shouldn't be the thing that we think way more about..... I want to read way more about how people are making it easier for real enterprises to patch their systems. I want to read way more about how people are designing their systems to not be able to be easily abused to cause harm in a variety of really horrible ways than I read about more side-channel attacks. I certainly don't want people coming up with damn names and domains just for their side-channel attack. That drives me totally insane."""
>>
>> So here's two things:
>>
>> 1. The security research community is tiny. We get a not insignificant subset of it at INFILTRATE every year. The reason the material the research community puts out gets attention is precisely because it turns conventional wisdom on its head. You study the latest heap overflow because it fills in your knowledge of how weird machines work in the real world. You learn about HTTP Desync attacks because they reflect a larger problem in parsers in general, in that you cannot ADD two parsers together to get a more secure solution (which is also what weird machines tell you). Hey, it turns out WAFs and AVs can only make you LESS secure, not more. That's a USEFUL thing to know!
>>
>> You study side-channel attacks because it answers the question "If I can't trust the silicon, what can I trust?" and the answer is a dried leaf you found in your driveway and an old walnut stick, and not the latest blinky box from a company set up by a conglomerate that also does government contracting "on the side" for a government that is not yours. :)
>>
>> 2. There's lots of hackers out there who use ONLY 0day. This is one of those things that's obvious every time you talk to a group of old ones about their favorite bugs, and everyone's favorite was one that nobody detected for decades. Kaspersky finds someone using Chrome 0day about once a month now. And that's because advanced attacks have strategic impact, and even if you solved the entire rest of that pyramid, one good 0day can tumble a society.
>>
>> How would one detect side-channel attacks exactly? What it looks like is someone (me maybe) buying a bunch of VMs in your hosting provider and then using their CPU for a little bit.
>>
>> I don't think Maersk had issues with patching. The issue is that no matter how good at patching you are, it doesn't matter in the face of a worm that uses Active Directory to traverse around, and they probably did not listen to the Bloodhound researchers talk about the many, many ways AD is a risk all by itself. Every attacker (Avast <https://www.zdnet.com/article/avast-says-hackers-breached-internal-network-through-compromised-vpn-profile/> and the Indian Nuclear <https://arstechnica.com/information-technology/2019/10/indian-nuke-plants-network-reportedly-hit-by-malware-tied-to-n-korea/> hackers, this week alone) seems to have Domain Admin, but the security engineering community hasn't asked why yet...
>>
>> -dave
>>
>> _______________________________________________
>> Dailydave mailing list
>> [email protected]
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
>
> _______________________________________________
> Dailydave mailing list
> [email protected]
> https://lists.immunityinc.com/mailman/listinfo/dailydave
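The "you cannot ADD two parsers together" point in Dave's message, illustrated as an added example that is not code from the thread or from any of the people quoted in it. It models the CL.TE case from the HTTP desync (request smuggling) research: two toy HTTP/1.1 request framers, one that only honours Content-Length (a front-end proxy) and one that lets Transfer-Encoding: chunked win (a back-end), are each self-consistent on their own, but chained they turn one attacker-supplied byte stream into one request on the first hop and two on the second. The request bytes, the parser names and the `frame_requests`/`desync_count` helpers are all constructed for this example.

```python
# Added example (not from the mailing-list thread): two HTTP/1.1 request
# framers that disagree on where a body ends when both Content-Length and
# Transfer-Encoding are present. Front-end = Content-Length only;
# back-end = Transfer-Encoding: chunked wins. Chaining them creates a
# CL.TE desync. Payload bytes below are constructed for this example.

from typing import Dict, List, Optional, Tuple

Request = Tuple[str, bytes]  # (request line, body)


def _split_head(buf: bytes, pos: int) -> Optional[Tuple[str, Dict[str, str], int]]:
    """Parse the header block starting at buf[pos:]. Returns
    (request_line, headers, body_offset), or None if no complete block."""
    end = buf.find(b"\r\n\r\n", pos)
    if end == -1:
        return None
    lines = buf[pos:end].decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def _read_chunked(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Decode a chunked body starting at pos; return (body, position after it)."""
    body = b""
    while True:
        line_end = buf.index(b"\r\n", pos)
        size = int(buf[pos:line_end].split(b";")[0], 16)  # drop chunk extensions
        pos = line_end + 2
        if size == 0:
            return body, pos + 2  # skip the CRLF that ends the (empty) trailer section
        body += buf[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def frame_requests(buf: bytes, prefer_chunked: bool) -> List[Request]:
    """Split a byte stream into requests.
    prefer_chunked=False: front-end that understands only Content-Length.
    prefer_chunked=True:  back-end that lets Transfer-Encoding: chunked win."""
    requests: List[Request] = []
    pos = 0
    while pos < len(buf):
        head = _split_head(buf, pos)
        if head is None:
            # Bytes with no complete header block yet: they sit in the socket
            # buffer and become the prefix of whatever request arrives next.
            requests.append(("<incomplete>", buf[pos:]))
            break
        request_line, headers, body_start = head
        if prefer_chunked and headers.get("transfer-encoding", "").lower() == "chunked":
            body, pos = _read_chunked(buf, body_start)
        else:
            length = int(headers.get("content-length", "0"))
            body = buf[body_start:body_start + length]
            pos = body_start + length
        requests.append((request_line, body))
    return requests


# Constructed CL.TE payload. Content-Length: 43 covers the whole tail, so a
# CL-only parser sees one request whose body happens to contain "GET /admin";
# a chunked parser sees the body end at "0\r\n\r\n" and frames the remainder
# as a second request the front-end never inspected.
SMUGGLE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example\r\n"
    b"Content-Length: 43\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: example\r\n"
    b"\r\n"
)

# Benign request for comparison: both parsers agree on it.
BENIGN = b"POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\n\r\nhello"


def desync_count(buf: bytes) -> Tuple[int, int]:
    """(requests seen by the CL-only front-end, requests seen by the chunked back-end)."""
    return (len(frame_requests(buf, prefer_chunked=False)),
            len(frame_requests(buf, prefer_chunked=True)))


if __name__ == "__main__":
    print("benign ", desync_count(BENIGN))
    print("smuggle", desync_count(SMUGGLE))
    for line, body in frame_requests(SMUGGLE, prefer_chunked=True):
        print("back-end framed:", line, body)
```

The fix is not a third parser in front of the other two; it is to make the two existing ones agree, for example by rejecting any request carrying both headers, or by normalising to one framing before forwarding, which is what the desync research recommended.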
