I've moved to a part time contract with AppGate and I'm focused largely on INFILTRATE now, which gives me some time to attend cyber policy briefings. Most cyber policy briefings are the same 200 people, and they tend to be held under Chatham House rules, which means they are not recorded and you can't quote anyone directly. I'm not sure why, since getting someone in Cyber Policy to say anything controversial is as impossible as getting them to think about any kind of change that doesn't involve giving more money to CISA, for some reason.
As part of prepping for INFILTRATE, like many of you, I've been attending a suite of online security conferences, from SANS (Zoom+Slack), to Summercon (Youtube), to Matt Suiche's
OPCODE (Youtube) to today's
ACM Program Analysis conference (Youtube), still going on !
That program analysis conference is AMAZING btw. The first talk, by
Peter O'Hearn is on point, as he starts off with some high level lessons learned trying to transfer his academic work on static analysis into Facebook's efforts, then three quarters of the way through dives like a pelican into the depths of concurrency analytics theory. He talks about what worked and what didn't work and how to scale.... and I dunno how to explain it. It's just a nuclear sub of a talk, rising from the icy sea with advanced technology and primordial fire.
INFILTRATE is not going to be a purely virtual conference. A lot of what you do at a good conference is have conversations you can't have over a Chinese teleconference system, sometimes with a beverage of choice. We're going to have a hybrid conference - there's some amazing things about virtual conferences but they're not everything, as I'm sure you're aware.
I've also had time to try to catch up with the exploit firehose.
This bug in particular - an integer overflow in Variant processing in the core feature of Windows. That would have been an amazing 0day to have. Or maybe not? It's hard to know without writing the exploit, looking at the target space, testing a lot of things. Recently one of the people in a policy conference asked "What is it that makes a government different anyways?" And the answer, of course, is vertical integration. When you find an 0day, it's hard to know anything about it other than it gets you a shell! And there's so much to know - much of which you want to talk about over fried alligator with music just loud enough to keep recording devices guessing.
-dave