
Re: [Full-disclosure] What the f*** is going on?

On Tue, Feb 22, 2011 at 1:13 PM, jf <jf@xxxxxxxxx> wrote:
>...
> In ~2005, I was a defense contractor watching NIDS when they came looking for 
> someone who could reverse; I knew enough assembly to write up shellcode, but 
> this was my intro to windows reversing and therein lay your first bad omen as 
> to their actual ability. Over the course of a weekend we got the algorithm 
> out, wrote up a program to read the pcap's and got to work on analysis. Come 
> Monday, we dropped bombs and from the fires emerged a request for our 
> report/tools from another agency and I got to redact my first report, and 
> then another and another. Everyone had this problem, and had it for *years* 
> with little to no discernible progress. They hadn't even identified how $they 
> were getting in, like what bug. So we identified that too, and wrote up a 
> binary patch for it (that went 100% unused except on my machine), et cetera. 
> And then that long string of office 0-days in 2006 started, and eventually I 
> ended up with the private SSL keys for a few absurdly large American companies 
> (ended up on a machine of ours), and then the documents started cleaning 
> themselves and this happened multiple times a week for the ~2 years with 
> countless 80-100 hour weeks and all of you telling me my life was a 
> myth/lie/CIA fabrication/et cetera.

hey, ZDI started that year. this is when you funnel pcap 0day to ZDI payday... ;)

> These three aspects make it really potent, and my concerns relate to how such 
> lines of thought will develop as they mature as they all circumvent fairly 
> fundamental aspects of our fairy tale.
>
> Anyone from the AV industry got a big set and want to step up and talk about 
> your aurora attacks?

make the operating environment hostile and resilient to attackers. no
AV product can do that from within the system that must be resilient
against attack.

(not to say AV is worthless, but more akin to crowd based negative
reputation assignment of known malicious payloads rather than any
protection against same...)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/