So I can't help but notice MOVEit, an "old enterprise file sharing system" is getting a ton of press, after ransomware crews found/bought an 0day and then went hog wild. I mean this is the sort of thing only predictable if you listen to Risky Biz or the invite-only more hardcore uncensored podcast "Risky Life", where there are whole episodes devoted to the hilarity that is the machine learning world still passing Python pickle files around like it's 1999, or the software distribution channels being so broken for nearly everything that PyPI itself had to just "stop accepting new stuff" because security wasn't so much an afterthought as an anti-pattern, and "Cthulhu help you" if you used NPM. 

Any alien species coming to Earth would take one look at our technology ecosystems and just shake their head-appendage and say "You LIVE like this?" with the same tone of voice Marie Kondo has walking into a hoarder's kitchen, "Let me get this straight - at your biggest, most professional companies, you can correctly patch a bug only 50% of the time?" 

I love this for us. I love the chaos and the self-aggrandizement, and the shared helplessness, and in the face of that, the misplaced optimism and hope, the "Advisories" and "Alerts" and "Reporting". It's not that we can't do better, it's just that if doing better requires that we don't take ourselves so seriously, we just won't.

-dave

On Fri, Mar 31, 2023 at 9:32 AM Dave Aitel <dave.aitel@gmail.com> wrote:
https://twitter.com/thezdi/status/1638617627626176513

Yawps


So one thing I have as a "lessons learned" from the past 20 years is that security is not a proactive sport. In fact, we are all experts at running to where the ball _was_ as opposed to where it is _going_.

Like, if you listen to Risky Biz this week, Patrick asks Metlstorm whether it's time to go out and replace all the old enterprise file sharing systems you have around, proactively. And the answer, from Metl, who's hacked into every org in Oceania for the past 20 years, is "yeah, this is generating huge return on investment for the ransomware crews so they're just going to keep doing it, and being proactive might be a great idea." But what he didn't say, but clearly had in his head was "but lol, nobody is going to actually do that. So good luck out there chooms!"

At some level, STIX and TAXII and the whole CTI market are about passing around information on what someone _might_ have used to hack something, at some point in the _distant past_. It's a paleontology of hackers past - XML schemas about huge ancient reptiles swimming in the tropical seas of your networks, the taxonomies of extinct orders we now know only through a delicate finger-like flipper bone or a clever piece of shellcode.

-dave