So we know a lot of people who've gone into Big Corpo or sold a company or
just worked hard and gotten lucky and happen to be richer than the average
bear. And while a lot of those people put their money into nice things,
nothing wrong with that, a lot of them also try to use that money to change
the world, and then they find out it's harder to change the world with
money than it is with an exploit. And I know a lot of people who say this
out of experience.
I used to say, and I continue to say, that most cyber policy experts have
never seen a real exploit. Yes, even the news reports of 0days are
addictive. They have cool names, like a street drug, they have a shadowy
underworld, they have a bodyguard of rumors and insinuations. Literally, as
I write this, Kaspersky is at CCC doing a street barker presentation on how
much someone thought they were a legitimate target worth throwing down an
iOS 0day chain on, which frankly is not something I would brag about as a
nominally defensive company.
Part of the problem is we analyze exploits out of failures. Reverse
engineering an exploit does not show you the exploit any more than
dissecting a Humboldt squid can show you the terrors of the deep.
Once you've seen an exploit change the world, you are forever stunned. It
is impossible to go backwards to your previous life. It is like your first
taste of sex or love or the feral inhuman joy of combat. For some people,
it's probably better.
But how exploits really work has shockingly little to do with the circus
around exploits on social media or in the news, or press releases from
endpoint security companies or government agencies.
And the same is true with philanthropy. Here we have "Give Miami Day!"
where some random billionaire will match your funds if you give to your
school, which should be getting all the government funding it needs, but
clearly isn't. I don't know if this is at all useful to be honest. It feels
more like covering a hole your government put in your school budget on
purpose.
I tried buying MEL science kits for entire classes of my local grade
school. It worked once, and one of the kids was like "I didn't even know I
liked science". But it was largely impossible to get the kits USED by the
teachers, who are under levels of logistical stress that would stymie a
Marine platoon. So I ended up giving up on this effort.
I supported Project Grapple, which worked well because they have a leader
at the top who is focused on the success of a small set of kids in a very
personal way. But those kinds of leaders are almost impossible to find.
When you find them, it's the best investment you can make if you want to
change the world one kid at a time, which might be the only way. And these
leaders don't last forever.
A lot of big donors focus on things like FIRST Robotics, which frankly has
been a massive success and offers a lifeline for kids in schools where
nothing else matters or meets with any success. It's prohibitively tricky
to figure out which schools have a local leader that can take money and
build a robotics club out of it. It's very much not important that the kids
WIN the competitions - which at the top level are between Northrop Grumman,
Raytheon, and Lockheed Martin engineering teams doing ad-hoc group
apprenticeships. So again, finding these leaders is a constraining problem.
Just like with exploits, what I find is that changing the world with
philanthropy is targeted, personal, and more complicated than it looks. I
have seen very smart people struggle with finding leverage in this space.
Nonprofits are themselves often quite exploitative of their employees or
just generally ineffective.
Anyways, what I'd like to see is the Gulas and Syversons and Alperovitches
and Pollocks and so forth put a Slack channel together to build a bit of a
body of work on how to do this correctly. A bugtraq for changing the world
with dollars, if you will.
-dave
I think one thing this community does really well, better than almost any
other community I've found, is training. It's amazing, in a way,
because this is a community of professional secret holders. And yet
everywhere you look, a hacker is putting their heart and soul into
iterating on lab exercises for their class in whatever sub-field they are
an expert in.
And giving training is hard. It's hard in the way consulting is hard, but
with even more social activity. On one hand: It's lucrative? But hour for
hour, you're probably better off financially by finding a new bug or doing
consulting work, or any number of other activities than building,
marketing, and running a training class.
When I left my last position, one of the first things I did was pay for and
take Amy Burnette's browser exploitation class. And that's paid off to this
day, really. And there's so many good classes, taught by all the
specialists in our various sub-niches.
It's spectacular that in this world of auto-didacts, we are gifted in the
quantity and quality of training available in our field in a way that is
basically unheard of in any other field.
Of course, there's a lot of things you can't learn from training, and I was
reflecting on this while sitting down and reading the labyrinthine
specifications of some huge protocol for one of my current projects. A lot
of the best bugs I've ever seen hackers find have been from doing exactly
that: They sit and hit page down on some extensively huge and boring
documentation with the steady, persistent rhythm of a neurodivergent
woodpecker pecking at a tree, each tap bringing them closer to the elusive
kernel of truth.
Like, I know people who have various protocol RFCs printed out for long
airplane rides. I've seen hackers read through a book on an operating
system design and then just circle an LPE in the book with a yellow
highlighter.
On the flip side, there are times when you dive headfirst into a colossal
specification, emerging as a veritable guru on an esoteric legacy mail
transfer mess like X.400. Yet, despite this newfound expertise, you find
yourself no more enlightened or advantaged than before, as if you've scaled
a mountain only to find the summit shrouded in the same thick fog that
cloaked its base.
Anyways, happy holidays everyone. Hopefully you had a year of worthy
discoveries.
-dave
Call for Papers 2024
t2 infosec has been pushing the boundaries of security research for two decades and it don't stop. We're back April 18-19, 2024 - Helsinki, Finland.
CFP and registration are both open.
This is an event for newcomers, established merchants of dual use computer code, beginners of vulndev, cyber vagabonds, retired or redacted, and hackers of all sorts.
If you have new original security research targeting old, current or future technology, please submit: https://if.t2.fi/action/call_for_papers
Got 99 problems but an 0day ain't one.
Helsinki offers a Northern European mood, with the resilience built by using Linux on the desktop since 1991, fueled by IRC, demoscene, VHS tapes, invention of modern backpropagation, a lot of memes and sauna. This is the country, which exports Alan Wake 2, quantum computers, and solitude.
As regularly as seasons change, new technology is introduced, vulnerabilities - old and new - are discovered, lessons of tradecraft are learned and teachings of the old slowly forgotten. To foster the passion for advancement of (in)security and to keep that fire burning bright for future generations, we gather an intimate crowd of people every year to enjoy the advance of offensive research, share lessons of coming back from the edge, and build those valuable human connections.
Whether your research tackles LLMs, qubits, Azure/AWS/GCP, iOS internals, the market leading or lagging EDR products, access control systems, SoC, BTLE, tipping ChatGPT or something else, which is surprising to either humans or computers, we'd like to hear about it. Security researchers, you know the rules and so do we.
This is an event for the community, by the community. Our focus is on technical excellence, not politics or player hating. Come as you are. The advisory board will be reviewing submissions until 2024-02-04. Slide deck submission final deadline 2024-04-02 for accepted talks.
First come, first served. Submissions will not be returned.
Quick facts for speakers
+ presentation length 60-120 minutes, in English
+ complimentary travel and accommodation for one person[6]
+ decent speaker hospitality benefits
+ no marketing or product propaganda
Still not sure if this is for you? Check out the blast from the past.
[0] hunter2
[6] except literally @nudehaberdasher and @0xcharlie
Call for Paper submissions
https://if.t2.fi/action/call_for_papers
Buy a ticket to the conference
https://if.t2.fi/action/register/attendees
--
Tomi 'T' Tuominen | Founder @ t2 infosec conference | https://t2.fi