- Dailydave - mm4.emwd.com

"Severely lacking".
by Dave Aitel 20 Jan '21

20 Jan '21

Recently I read this post from Maddie Stone of Google's Project Zero: https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-re… . In particular, it has a bolded line of "*As a community, our ability to detect 0-days being used in the wild is severely lacking to the point that we can’t draw significant conclusions due to the lack of (and biases in) the data we have collected.*" which is the most honest thing I've read from the defensive community in a long while. Like I feel like it's a good idea to have as a reflexive habit the concept of "What am I looking directly at that I'm not seeing." As a kid I was obsessed with various elements of biology, despite not having the grades to show for it. But as an adult I wish I could go back in time and just blow my own mind with a few short things I've learned. Most of them are obvious in retrospect, such as the following: - Birds are dinosaurs - Genes sometimes travel in-between species, carried by bacteria that infect both of them - 40% of all animals are parasites - Metabolism (and cells) evolved before DNA - Energy Epochs <http://suvratk.blogspot.com/2017/07/olivia-judson-on-energy-expansions-of.h…> are useful predictive tools I mean, for most people on this list the same thing is true for hacking. For me these things might include: - State tables are more important than memory handling - Timing attacks are impossible to explain to people, so they never get fixed - Attack tools tend towards generics - It doesn't matter if they catch you, if they won't ever do the meta-analysis to put the larger picture together -dave

1 0

The Lost Decade of Security Metrics
by Dave Aitel 05 Jan '21

05 Jan '21

A thousand years ago I subscribed to the Security Metrics mailing list. Metrics are important - or rather, I think good decision making is important, and without metrics your decision making is essentially luck. But we haven't seen any progress on this in a decade, and I wanted to talk about the meta-reason why: Oversimplification in the hopes of scaling. There's a theme in security metrics, a deep Wrong, that the community cannot correct, of trying to devolve features in their datasets to a single number. CVSS is the most obvious example, but Sasha's VEP paper here ( https://www.lawfareblog.com/developing-objective-repeatable-scoring-system-…) demonstrates most clearly the categorical example of the oversimplification issue, one that all of FIRST has seemingly fallen into. If I took all the paintings in the world, and ran them through a neural network to score them 1.0 through 10.0, the resulting number would be, like CVSS, useless. Right now on the Metrics mailing list someone is soliciting for a survey where they ask people how they are using CVSS and how useful it might be for them. But the more useful you think CVSS is for you, the less useful it actually is being, since it can only lead you to wasting the little security budget you have. *CVSS is the phrenology of security metrics.* Being simple and easy to use does not make it helpful for rational decision making. If we want to make progress, we have to admit that we cannot join the false-positive and false-negative and throughput numbers of our WAF in any way. They must remain three different numbers. We can perhaps work on visualizing or representing this information differently, but they're in different dimensions and cannot be combined. The same is true for vulnerabilities. The reason security managers are reaching for a yes/no "Is there an exploit available" metric for patch prioritization is that CVSS does not work, and won't ever work, and despite the sunk cost the community has put into it, should be thrown out wholesale. -dave

4 3

"Is it done yet? Boom! Typey Typey!"
by Dave Aitel 31 Dec '20

31 Dec '20

Today is my last day at Immunity. I don't know what to say about it that everyone on this list doesn't already know or that isn't weighed down with embarrassing secrets. At its best Immunity was a family, but also a machine for producing absolute monsters, and not just in the technical arenas. Even when it came to project management, we dropped people in the deep waters of the Marianas Trench and expected them to build bioluminescence on the way down. Because of my history at the NSA, I always believed managers at Immunity had to be as technical or more as anyone in their tree. This is less being a manager than being a Dungeon Master but it's also the only way to grow Ogres. There's a scene in the West Wing when someone tells Donna that her job can't be where she grows into a person, and she says, "Why Not? Why can't it be that thing?" and for a lot of us at Immunity that rung true, with kids and divorces and entire new career fields. I sent one last email to the internal list, but at some level a lot of Immunity is spread out amongst the stars and I wanted to thank everyone at once. It was the honor of a lifetime to work beside you all. We did great things together. -dave

1 0

How many treadmills can you run on at once?
by Dave Aitel 17 Dec '20

17 Dec '20

I wanted everyone to browse here and enjoy this Microsoft Teams vulnerability: https://github.com/oskarsve/ms-teams-rce/blob/main/README.md I also enjoy the discussion <https://twitter.com/taviso/status/1336365194071535617?s=20> it has engendered when it comes to how to measure vulnerabilities that are "in the cloud" or via "Auto-update". It would be good to get clarity on these things. [image: image.png] Measurement is the first step of something else: intermediate analysis. I think we failed, as a community, when we accepted the premise that vulnerabilities could be flattened down to simple numbers, CVSS scores, VEP scores, whatever. Bugs are inherently complex and interlinked. Losing that is losing their essence - you lose the ability to think coherently about them. But if you follow any set of scoring guidelines for vulnerabilities, and the best ones are qualitative, like the Pwnie Awards, you know that even though a massive amount of effort has gone into mitigation, assessment, secure coding frameworks, education, and everything else that makes up the meta-SDL, we are flooded with bugs. The mitigations aren't working. The secure coding frameworks, aren't. For every bug we find and fix a dozen more are written by the developers we thought we trained. It is a natural response to try to hide from this knowledge of failure. To cook the CVE numbers. To take refuge in our stock prices. Let's write another blogpost about catching an APT and give it a funny insulting nickname. Unfortunately without intermediate analysis you cannot do higher level strategy. And the treadmill of the information security technology arena is beyond exhausting. An equally fast treadmill is running next to it for security policy and legal policy and another one for incident response. There's no intermediate analysis happening in any area, so we are left making strategy choices by random chance or luck or the occasional herculean effort. -dave

2 1

Kiroshi Optics
by Dave Aitel 11 Dec '20

11 Dec '20

https://twitter.com/JesseHeinig/status/1336913378564919297 https://twitter.com/ClipperChip/status/1337289319988473856 People seem to think you can use etymology as some clue to deciphering the cyberpunk and cyber philosophy in general. You can read a whole Thomas Rid book <https://www.amazon.com/Rise-Machines-Cybernetic-Thomas-Rid/dp/0393286002> on it, and it's weird when people stress "Cybernetics" as if they've found some long lost hieroglyphic clue when the reality of how everything cyber evolved is staring right at them in flickering neon lights. As Hunter S. Thomson said, "with the right kind of eyes you can go up onto the top floor of any Silicon Valley building and you can almost see the high-water mark. That place where the wave finally broke and rolled back." When I was 20, working at the NSA, I once attended a cypherpunk meeting in DC, with Diffie and others crowded into a brownstone somewhere in one of the nicer parts of the city. The cypherpunk motto is very simple, "Privacy is necessary for an open society in the electronic age. We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy. We must defend our own privacy if we expect to have any. Cypherpunks write code. We know that someone has to write software to defend privacy, and we're going to write it." At 20, in my larval stage, I was so socially awkward that it wrapped around to blithe unfiltered ignorance. During introductions, when they asked me where I worked and I said, "The DoD", they asked me why. I shrugged, "'Cypherpunks write code', and there are are more at the NSA than you might think." And people got over it - I pestered people with technical questions later as I always do, and there were snacks. But everyone in that room was a fighter, striving against an unspoken force on the field we now know as cyber war. Although no genre is "about" anything, to some extent Cyberpunk novels have often had a keen awareness of analyzing what it means to be a human mind. The new game Cyberpunk 2077 is an excellent adaptation of this theme, and avoids playing the horrors of modern life for laughs - where GTA 5 leveraged its open world to poke fun at the system, and Red Dead Redemption allowed you to marvel at the world despite its failures, Cyberpunk 2077 drops you into the scene in first person as a rollercoaster of existential dread takes you on a fast paced journey into tasting every gritty philosophical sandgrain of losing what it means to be a human, to have a mind of your own. William Gibson has said, "Science Fiction is never about the future. It's always about the present." but he also said "The future is already here, it's just unevenly distributed." And in the same sense that chemistry is just really slow applied electromagnetism, Cyberpunk literature, and the new game is exactly that, is a story about how some place's future, Xinjiang's perhaps, is all of our futures. The way that brownstone living room was, if you had the right kind of eyes. -dave

1 0

Worth a listen on your morning drive
by Dave Aitel 11 Dec '20

11 Dec '20

https://www.youtube.com/watch?v=pyE29pX9HBE&feature=emb_logo&ab_channel=The… (text: https://www.internetgovernance.org/2020/11/13/hague-keynote-sovereignty-in-… ) Keynote by Milton Mueller, Professor at the Georgia Institute of Technology (Atlanta, USA) in the School of Public Policy. I lolled at this section which is so true it hurts: Since publishing that book I explored the concepts of sovereignty and cyberspace more deeply. I published a new paper developing an argument about the relationship between the two in International Studies Review last year. Sovereignty is a concept that needs to be rescued from international law, which works with a dead and mummified version of it. Most of what that discipline says about its application to the cyber domain is legally correct but totally useless for solving today’s governance problems. And most of them have no idea how to apply the concept to cyberspace other than to point out, endlessly, that physical layer devices can be assigned to a territory. """

1 0

Gratitude
by Dave Aitel 25 Nov '20

25 Nov '20

So because we are thankful for all the support of every attendee at INFILTRATE for the past ten years (Yes, TEN YEARS!), we are releasing a special featured speakers series for the end of the year. If you are signed up for INFILTRATE 2020, PLAGUE EDITION then you already got an email invite to the first viewing-and-Q&A session with Marco Ivaldi. These talks are great - something I can say because we do our standard INFILTRATE dry-run process with every speaker, and they are making the extra effort to add things to the slides that confused us. And unlike most online events, we are pre-processing the talks to give them crystal clear audio and visuals. We have a couple dozen slots left in our online webinar silo, so if you feel like you deserve and desire to attend the Viewing+Q&A , please let me know. Otherwise, we will release the talks "at some point in the near future". Thanks! Dave Aitel

1 0

Deana Shick on INFILTRATE ONLINE
by Dave Aitel 30 Oct '20

30 Oct '20

Happy Friday! For those of you who enjoy laughing at my video editing job or want to learn about how big companies do vulnerability management "at scale" or what the alternatives are to CVSS, we've recently published a new fifteen minute video: https://vimeo.com/473562240 . -dave

1 0

Things to Watch!
by Dave Aitel 19 Oct '20

19 Oct '20

It's MONDAY, and I wanted to send over the shorts we did with Chris Eng and Ben Edwards. I think there's a lot of value in a robust question and answer session with paper authors. Too often papers are supposed to stand on their own without any real discussion. (PHP IS DOUBLE PLUS UNGOOD) https://vimeo.com/457850389/373c907909 (CVSS, an INTRODUCTION TO FAIL) https://vimeo.com/454453494/330060fbb2 (XXE) https://vimeo.com/464273744 Right now I'm editing the next in the series, which I think you will like, which is a more in-depth discussion on vulnerabilities and prioritization and dinosaurs. -dave

1 0

Identity + Host
by Dave Aitel 21 Sep '20

21 Sep '20

Recently Thomas Dullien wrote a blogpost <http://addxorrol.blogspot.com/2020/07/the-missing-os.html> asking what the OS of the future really looks like, considering the computer of the future is a distributed mega-engine. I would, annoyingly, posit that the algorithms that make sense to understand in that world are those already implemented in the many species of social insects. In that sense, I think there are things missing from his list of the basics of what a datacenter computer contains. At some level, I think the right set of algorithmic support will undergo phase changes as you scale up, but still be viable at small scales: (see this new paper for a detailed example: https://www.biorxiv.org/content/10.1101/2020.08.20.259614v1) I will include Thomas's list below: - Some form of cluster-wide file system. - A horizontally scalable key-value store. - A distributed consistent key-value store. - Some sort of pub/sub message queuing system. - A job scheduler / container orchestrator. I would say some level of ID is missing - large-colony ants have Caste systems for a reason. I think people in general ignore ID because maybe you can make ID and security a micro-service on top of a pub/sub message queuing system? I'm not sure. But in general, the same thing is true for most security analysis systems sold today - they see an infection, they treat a computer/network as infected and respond appropriately. At Immunity/AppGate we've been trying to go the other direction - tying your security directly to your identity. AppGate SDP already does this for network services, but we've also expanded upon that by using a graph database, INNUENDO Agent, a custom Windows Kernel module, and a lot of other excitement to build automated response that looks at your ID as much as it does your computer: CONSTELLATION + AppGate SDP (3m) https://vimeo.com/431931225/add11f4230 CONSTELLATION vs. Ransomware (9m) https://vimeo.com/421712679/d4a1918354 CONSTELLATION vs. Robbinhood (11m) https://vimeo.com/417796331/bb0426f9fb -dave

1 0

2026

2025

2024

2023

2022

2021

2020

Dailydave