Today is my last day at Immunity. I don't know what to say about it that
everyone on this list doesn't already know or that isn't weighed down with
embarrassing secrets. At its best Immunity was a family, but also a machine
for producing absolute monsters, and not just in the technical arenas. Even
when it came to project management, we dropped people in the deep waters of
the Marianas Trench and expected them to build bioluminescence on the way
down.
Because of my history at the NSA, I always believed managers at Immunity
had to be as technical or more as anyone in their tree. This is less being
a manager than being a Dungeon Master but it's also the only way to grow
Ogres.
There's a scene in the West Wing when someone tells Donna that her job
can't be where she grows into a person, and she says, "Why Not? Why can't
it be that thing?" and for a lot of us at Immunity that rung true, with
kids and divorces and entire new career fields.
I sent one last email to the internal list, but at some level a lot of
Immunity is spread out amongst the stars and I wanted to thank everyone at
once. It was the honor of a lifetime to work beside you all. We did great
things together.
-dave
I wanted everyone to browse here and enjoy this Microsoft Teams
vulnerability: https://github.com/oskarsve/ms-teams-rce/blob/main/README.md
I also enjoy the discussion
<https://twitter.com/taviso/status/1336365194071535617?s=20> it has
engendered when it comes to how to measure vulnerabilities that are "in the
cloud" or via "Auto-update". It would be good to get clarity on these
things.
[image: image.png]
Measurement is the first step of something else: intermediate analysis. I
think we failed, as a community, when we accepted the premise that
vulnerabilities could be flattened down to simple numbers, CVSS scores, VEP
scores, whatever. Bugs are inherently complex and interlinked. Losing that
is losing their essence - you lose the ability to think coherently about
them.
But if you follow any set of scoring guidelines for vulnerabilities, and
the best ones are qualitative, like the Pwnie Awards, you know that even
though a massive amount of effort has gone into mitigation, assessment,
secure coding frameworks, education, and everything else that makes up the
meta-SDL, we are flooded with bugs. The mitigations aren't working. The
secure coding frameworks, aren't. For every bug we find and fix a dozen
more are written by the developers we thought we trained.
It is a natural response to try to hide from this knowledge of failure. To
cook the CVE numbers. To take refuge in our stock prices. Let's write
another blogpost about catching an APT and give it a funny insulting
nickname.
Unfortunately without intermediate analysis you cannot do higher level
strategy. And the treadmill of the information security technology arena is
beyond exhausting. An equally fast treadmill is running next to it for
security policy and legal policy and another one for incident response.
There's no intermediate analysis happening in any area, so we are left
making strategy choices by random chance or luck or the occasional
herculean effort.
-dave
https://twitter.com/JesseHeinig/status/1336913378564919297https://twitter.com/ClipperChip/status/1337289319988473856
People seem to think you can use etymology as some clue to deciphering the
cyberpunk and cyber philosophy in general. You can read a whole Thomas Rid
book
<https://www.amazon.com/Rise-Machines-Cybernetic-Thomas-Rid/dp/0393286002>
on it, and it's weird when people stress "Cybernetics" as if they've found
some long lost hieroglyphic clue when the reality of how everything cyber
evolved is staring right at them in flickering neon lights. As Hunter S.
Thomson said, "with the right kind of eyes you can go up onto the top floor
of any Silicon Valley building and you can almost see the high-water mark.
That place where the wave finally broke and rolled back."
When I was 20, working at the NSA, I once attended a cypherpunk meeting in
DC, with Diffie and others crowded into a brownstone somewhere in one of
the nicer parts of the city. The cypherpunk motto is very simple, "Privacy
is necessary for an open society in the electronic age. We cannot expect
governments, corporations, or other large, faceless organizations to grant
us privacy. We must defend our own privacy if we expect to have any.
Cypherpunks write code. We know that someone has to write software to
defend privacy, and we're going to write it."
At 20, in my larval stage, I was so socially awkward that it wrapped around
to blithe unfiltered ignorance. During introductions, when they asked me
where I worked and I said, "The DoD", they asked me why. I shrugged,
"'Cypherpunks write code', and there are are more at the NSA than you might
think." And people got over it - I pestered people with technical questions
later as I always do, and there were snacks. But everyone in that room was
a fighter, striving against an unspoken force on the field we now know as
cyber war.
Although no genre is "about" anything, to some extent Cyberpunk novels have
often had a keen awareness of analyzing what it means to be a human mind.
The new game Cyberpunk 2077 is an excellent adaptation of this theme, and
avoids playing the horrors of modern life for laughs - where GTA 5
leveraged its open world to poke fun at the system, and Red Dead Redemption
allowed you to marvel at the world despite its failures, Cyberpunk 2077
drops you into the scene in first person as a rollercoaster of existential
dread takes you on a fast paced journey into tasting every gritty
philosophical sandgrain of losing what it means to be a human, to have a
mind of your own.
William Gibson has said, "Science Fiction is never about the future. It's
always about the present." but he also said "The future is already here,
it's just unevenly distributed." And in the same sense that chemistry is
just really slow applied electromagnetism, Cyberpunk literature, and the
new game is exactly that, is a story about how some place's future,
Xinjiang's perhaps, is all of our futures. The way that brownstone living
room was, if you had the right kind of eyes.
-dave
https://www.youtube.com/watch?v=pyE29pX9HBE&feature=emb_logo&ab_channel=The…
(text:
https://www.internetgovernance.org/2020/11/13/hague-keynote-sovereignty-in-…
)
Keynote by Milton Mueller, Professor at the Georgia Institute of Technology
(Atlanta, USA) in the School of Public Policy.
I lolled at this section which is so true it hurts:
Since publishing that book I explored the concepts of sovereignty and
cyberspace more deeply. I published a new paper developing an argument
about the relationship between the two in International Studies Review last
year. Sovereignty is a concept that needs to be rescued from international
law, which works with a dead and mummified version of it. Most of what that
discipline says about its application to the cyber domain is legally
correct but totally useless for solving today’s governance problems. And
most of them have no idea how to apply the concept to cyberspace other than
to point out, endlessly, that physical layer devices can be assigned to a
territory.
"""