https://www.youtube.com/watch?v=pyE29pX9HBE&feature=emb_logo&ab_channel=The…
(text:
https://www.internetgovernance.org/2020/11/13/hague-keynote-sovereignty-in-…
)
Keynote by Milton Mueller, Professor at the Georgia Institute of Technology
(Atlanta, USA) in the School of Public Policy.
I lolled at this section which is so true it hurts:
Since publishing that book I explored the concepts of sovereignty and
cyberspace more deeply. I published a new paper developing an argument
about the relationship between the two in International Studies Review last
year. Sovereignty is a concept that needs to be rescued from international
law, which works with a dead and mummified version of it. Most of what that
discipline says about its application to the cyber domain is legally
correct but totally useless for solving today’s governance problems. And
most of them have no idea how to apply the concept to cyberspace other than
to point out, endlessly, that physical layer devices can be assigned to a
territory.
"""
So because we are thankful for all the support of every attendee at
INFILTRATE for the past ten years (Yes, TEN YEARS!), we are releasing a
special featured speakers series for the end of the year. If you are signed
up for INFILTRATE 2020, PLAGUE EDITION then you already got an email invite
to the first viewing-and-Q&A session with Marco Ivaldi.
These talks are great - something I can say because we do our standard
INFILTRATE dry-run process with every speaker, and they are making the
extra effort to add things to the slides that confused us. And unlike most
online events, we are pre-processing the talks to give them crystal clear
audio and visuals.
We have a couple dozen slots left in our online webinar silo, so if you
feel like you deserve and desire to attend the Viewing+Q&A , please let me
know. Otherwise, we will release the talks "at some point in the near
future".
Thanks!
Dave Aitel
Happy Friday! For those of you who enjoy laughing at my video editing job
or want to learn about how big companies do vulnerability management "at
scale" or what the alternatives are to CVSS, we've recently published a new
fifteen minute video: https://vimeo.com/473562240 .
-dave
It's MONDAY, and I wanted to send over the shorts we did with Chris Eng and
Ben Edwards. I think there's a lot of value in a robust question and answer
session with paper authors. Too often papers are supposed to stand on their
own without any real discussion.
(PHP IS DOUBLE PLUS UNGOOD)
https://vimeo.com/457850389/373c907909
(CVSS, an INTRODUCTION TO FAIL)
https://vimeo.com/454453494/330060fbb2
(XXE)
https://vimeo.com/464273744
Right now I'm editing the next in the series, which I think you will like,
which is a more in-depth discussion on vulnerabilities and prioritization
and dinosaurs.
-dave
Recently Thomas Dullien wrote a blogpost
<http://addxorrol.blogspot.com/2020/07/the-missing-os.html> asking what the
OS of the future really looks like, considering the computer of the future
is a distributed mega-engine. I would, annoyingly, posit that the
algorithms that make sense to understand in that world are those already
implemented in the many species of social insects.
In that sense, I think there are things missing from his list of the basics
of what a datacenter computer contains. At some level, I think the right
set of algorithmic support will undergo phase changes as you scale up, but
still be viable at small scales: (see this new paper for a detailed
example: https://www.biorxiv.org/content/10.1101/2020.08.20.259614v1)
I will include Thomas's list below:
- Some form of cluster-wide file system.
- A horizontally scalable key-value store.
- A distributed consistent key-value store.
- Some sort of pub/sub message queuing system.
- A job scheduler / container orchestrator.
I would say some level of ID is missing - large-colony ants have Caste
systems for a reason. I think people in general ignore ID because maybe you
can make ID and security a micro-service on top of a pub/sub message
queuing system? I'm not sure. But in general, the same thing is true for
most security analysis systems sold today - they see an infection, they
treat a computer/network as infected and respond appropriately.
At Immunity/AppGate we've been trying to go the other direction - tying
your security directly to your identity. AppGate SDP already does this for
network services, but we've also expanded upon that by using a graph
database, INNUENDO Agent, a custom Windows Kernel module, and a lot of
other excitement to build automated response that looks at your ID as much
as it does your computer:
CONSTELLATION + AppGate SDP (3m)
https://vimeo.com/431931225/add11f4230
CONSTELLATION vs. Ransomware (9m)
https://vimeo.com/421712679/d4a1918354
CONSTELLATION vs. Robbinhood (11m)
https://vimeo.com/417796331/bb0426f9fb
-dave
Sometimes we review books on this list, but I spent last week, for seven
days in a row, taking the R2-RingZer0-Amy-Burnett Browser Hacking
<https://ringzer0.training/advanced-browser-exploitation.html> class. But
before I do, I want to point out that 36 Minutes into this video (
https://vimeo.com/442583799) I ask Marco Ivaldi about what it's like to
switch from management back into the technical field. "It's hard, but it's
very rewarding."
Here's my one top tip for making remote classes easier as a student: TURN
YOUR FREAKING CAMERA ON. This forces you to pay attention to the trainer.
Also: trainers do better when they can see if you are picking up the
material.
I like the remote format better in many ways than the in-person format. I
like seeing everyone else's questions in the Discord. I like being able to
take a big break during the day to get food and then come back to the
exercises later and get real-time answers to my questions by Amy typing
things up on her cellular phone at the local Troy bar. I like continuing to
have lungs complete with working alveoli.
Also, the Browser Hacking class is effective. Everyone in the class (I was
quite nervous since I didn't even know Javascript and last wrote an exploit
in 1992AD) can write Chrome and Webkit exploits now. This is a useful
feature. Obviously the first half of the class is "This is the giant
optimized data structure they invented to allow people to check Gmail super
fast" and the second half is "this is what those bug-classes look like in
source code, and how you build your exploit primitives and plug them
together".
I guess my summary is this: Great class. It is well worth the money just to
feel the dragon inside you wake up and swallow something whole again.
-dave
(List Note: I have turned off bounce processing, since it was misfiring and
kicking people off the list for no reason.)
[image: image.png]
Bistahieversor or MS08-067?
If you had to list out the problems with CVSS it would be like analyzing
the anatomical issues of a children's drawing. No part of it fits together
properly. Here's a problem: Scoring of threats is not one dimensional, and
numbers can't carry the whole story. We need a vulnerability scoring system
that's extensible, and programable.
But I have an alternative: Take each vulnerability attribute and assign it
to a dinosaur part! Is it a client-side? Then it's got legs! Does it need
user interaction? Then short stumpy legs. Is it a true remote against a
service? Then it's got wings. Is it a root bug? Then it has a big mouth?
User-level access? Duckbill.
That way, the attributes of the vulnerability reflect themselves as a
literal model - a denizen of your Cretatous nightmares. But it rings true -
getting attacked by five hundred pre-auth XSS bugs in your web front-end is
exactly like getting attacked by a horde of ducks. And of course,
vulnerabilities can combine - a LPE + a remote user-level XSS + sandbox
escape has legs and teeth.
Modeling is better than scoring in every way. Maybe your network is a
Animantarx <https://en.wikipedia.org/wiki/Animantarx>, a living citadel,
but more likely you're a Diplodocus, a big bag of walking meat getting
nibbled to death by ducks.
-dave
So I'm making a video on metrics, of all things, and I wanted to post both this
question <https://twitter.com/daveaitel/status/1281629327776522242?s=20>and
the best answer so far to the list to see if anyone had any other ideas or
followups.
-dave
[image: image.png]
[image: image.png]
So one thing people don't have any scope of measuring - (maybe as a set
diagram finite states?) - is the difference between two parsers for the
same protocol. Ten years ago a lot of the security community had a
discussion about "LangSec <http://langsec.org/>" which turns out to have
been entirely correct in retrospect.
NCCGroup's recently released analysis of the F5 bug is a key example of
this principle in action:
https://research.nccgroup.com/2020/07/12/understanding-the-root-cause-of-f5…
Most people look at HTTP Desync as simply using Content-Length confusion -
figuring out ways to make one request look like it's not the same length,
and using that for SSRF or XSS or various other attacks. But *ANY
DIFFERENCE IN THE PARSERS* leads to critical level attacks.
Of course, what this means is that you need to have different emulated
parsers for each web server behind you depending on if they are
Apache/IIS/NGinx . . .
-dave
https://www.youtube.com/watch?v=F_Kza6fdkSU
So I wanted to highlight this talk from Brad Spengler about the state of
Linux security. It's a damning report if you read even a little bit between
the lines. And on many levels. As Halvar points out, Android deliberately
avoided investing what they knew they needed to invest in platform security
in the effort to gather significant early market share, even knowing it
would harm their user-base in a multitude of ways.
And this kind of philosophical trade off taken by companies filters into
the Linux security ecosystem, creating Ogres of various sorts, like
Calamity Gannon's corruption of various parts of Hyrule. For example,
phones often run on an older Linux kernel, which means there is economic
incentive to backport features and security fixes to those kernels, or
pretend you can.
Likewise, much of the effort of the Linux security community is focused on
KASLR, which Brad points out, is largely a waste of time.
He also talks about Syzkiller, automated exploit generation, and a host of
other things. Well worth a listen!
-dave