
Re: [Full-disclosure] What the f*** is going on?



> http://lcamtuf.blogspot.com/2011/02/world-of-hbgary.html

I can't say I (strongly) disagree on any particular point you've made, 
generally speaking-- you're right, especially about the progress made in the 
last 10-15 years. However at a certain point in every philosopher's philosophy, 
the philosophers' philosophies become apparent.. I sorta disagree with one point:

"[...] The reason why I am frightened is the emergence of a new class of 
government contractors - a class that depends on the perpetration of an 
alluring, yet completely meaningless myth: that an incredibly sophisticated 
and determined adversary is constantly scheming to wage a devastating cyber-war 
against everything we hold dear."

There is some truth to this statement; $they woke something up in an office in 
DC somewhere and the gov got sorta serious. Naturally this results in the whole 
supply/demand thing. Point being, the government reached out and not vice 
versa. Their threat was real, and it's been persistent since more or less the 
turn of the century and as far as I can tell, it's never stopped. If it did for 
Google, you're either mistaken, they got what they were after or being called 
out in the press and putting economic threats on the table was the asymmetric 
weapon needed; if I had to guess, I'd choose option 1, 2 and 3.

I'd agree, that as of yet, we're hardly talking about an all-in zero-sum game, 
and that part is very much over-hyped. However, calling it an all out myth is 
misleading, and saying it's because contractors are pushing a myth is just 
wrong. You should be mindful, they looked outward and supply was created for 
the demand. Prior to your employer's compromise, this thing, everyone called it 
a lie, some crap made up by the CIA, et cetera. Now it's unimpressive hype.. 
I'd love to see Chinese history books in 100 years.

That said, the world is not ending of course, but that doesn't mean there isn't 
a real threat either. In ~2005, I was a defense contractor watching NIDS when 
they came looking for someone who could reverse; I knew enough assembly to 
write up shellcode, but this was my intro to Windows reversing and therein lay 
your first bad omen as to their actual ability. Over the course of a weekend we 
got the algorithm out, wrote up a program to read the pcaps and got to work on 
analysis. Come Monday, we dropped bombs and from the fires emerged a request 
for our report/tools from another agency and I got to redact my first report, 
and then another and another. Everyone had this problem, and had it for *years* 
with little to no discernible progress. They hadn't even identified how $they 
were getting in, like what bug. So we identified that too, and wrote up a 
binary patch for it (that went 100% unused except on my machine), et cetera. 
And then that long string of Office 0-days in 2006 started, and eventually I 
ended up with the private SSL keys for a few absurdly large American companies 
(ended up on a machine of ours), and then the documents started cleaning 
themselves and this happened multiple times a week for the ~2 years with 
countless 80-100 hour weeks and all of you telling me my life was a 
myth/lie/CIA fabrication/et cetera. 

That's the bug, and there's no patch for it. You will have too many unqualified 
people and too few qualified people; the latter will pick up the slack for the 
former but everyone breaks eventually. As over-hyped as some aspects of it are, 
it really fundamentally needs to be understood just how unprepared they were 
and the progress they've made since then. 

That all said, I think you missed what appears to be the more dangerous aspect 
(at least to me anyways), it's not that IS..erm iDef..erm hbgary et al are 
selling such things or even marketing methods, et cetera-- as if that's not 
what blackhat et cetera are basically about (& we can probably look to the 
'@stake generation' for proper blame placement). But it's that through 
moonlight maze, titan rain, et al they realized a few incredibly important 
things, the relevant ones are:

0.) There is really no attribution 
1.) Even if there was a means for attribution, there is no international legal 
framework; what constitutes a legal act of war?
2.) In the absence of (1), how do you progress criminal justice cases against 
foreign nationals when the foreign nation is not entirely cooperative?

These three aspects make it really potent, and my concerns relate to how such 
lines of thought will develop as they mature, as they all circumvent fairly 
fundamental aspects of our fairy tale.

Anyone from the AV industry got a big set and want to step up and talk about 
your aurora attacks?  

jf

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/