mailing list archives
Re: 2013 - A New Hope
From: Katie M <k8ek8e () gmail com>
Date: Tue, 24 Dec 2013 10:08:04 -0800
We, with our background in attacks/offense, who have taken on the mission
to defend, have embedded ourselves inside these corporations for years to
essentially "backdoor" more meaningful security improvements into them.
Over these years, we have been buffeted from both sides by our
offense-oriented brethren and by the often conservative organizations who
pay our salaries, as we raged against the corporate machine.
This year, as the content chair of BlueHat, I took a risk by inviting open
conversation about the fact that trust itself is under attack. For the
technology giants to survive and remain as strong as they have
traditionally been, they must unite against those who undermine that trust.
This is why I was able to invite an engineer from a competitor mega
corporation to close the conference with a talk about designing products
and services that are resistant to abuse and surveillance.
Corporations may be powerful now, but that power is dependent upon people
being willing to buy or use the products and services they build. No green
can grow out of rocky terrain when the soil of trust has been eroded.
To me, with my chosen mission of defense, the adversary is not important.
Those of us embedded in these companies use our influence as individuals to
turn the giant ships, sometimes setting course straight for the eye of the
I've been Leia for a long time, devising strategies that turn the ship on
which I sail towards thwarting common adversaries, calling upon my
collective Obi Wan Kenobi's to band together for defense. Here is a blog I
wrote back in 2008, when life seemed simpler (but we all knew it wasn't as
simple as it appeared):
And here is the blog I wrote a couple of weeks ago, where the last two
paragraphs discuss engaging across borders, across company lines, to help
defend the users, no matter the adversary:
While I cannot predict what will happen in 2014 or beyond, if we set our
united course to meet the adversaries, whomever they may be, we can only be
struck down temporarily - before we rise up more powerful than you can
The Force is strong in all of you, friend and foe - many of you are both.
Those who know me know my profound respect for both sides of The Force.
So Merry Christmas, crank up that rebel music: http://youtu.be/yv9XZI3zwF4. And
Happy New Year, May The Force be with you all.
Sent from my Windows Phone
From: Dominique Brezinski <dominique.brezinski () gmail com>
Sent: 12/24/2013 8:30 AM
To: Dave Aitel <dave () immunityinc com>
Cc: dailydave <dailydave () lists immunityinc com>
Subject: Re: [Dailydave] 2013 - A New Hope
I think you just highlighted the catalyst for a truly Gibson-esque future
where the power of corporations greatly supersedes governments. When
corporations are forced to turn their resources and innovation towards
defending against governments, their agility and cross-border capability
will play to their advantage. Taxation is an example on the finance side.
We will see how it plays out on the information side.
On Tue, Dec 24, 2013 at 7:50 AM, Dave Aitel <dave () immunityinc com> wrote:
2013 - A New Hope
So I hesitate to make predictions, but I think it's important to at some
level acknowledge that 2013 was a huge year for information security. A few
things happened... :
o The rebirth of managed security services.
When you don't care about bringing hackers to court, but you DO care about
the security of your IP, you start to evolve a very different fabric on
your network and you need a completely different specialist set of skills.
Managed Security Services used to be the haven of total technical
wash-outs, with IDS monkeys watching screens for alerts nobody cared about.
This has changed, and I think the watershed moment was February 2013, with
Mandiant releasing their APT1
We are moving to a much more highly skilled, and expensive, version of
managed security services, with Mandiant, Crowdstrike, Terremark, and
others all competing with similar technologies and methodologies and price
points. This is the pendulum swinging away from offense a bit more,
assuming people can afford these services (which is not at all a given).
o The Snowden Event
Look, there's very little in the "revelations" Snowden has talked about
that wasn't already highly visible to industry insiders: What can be done,
is being done. And everyone who says Cyber is a asymmetric warfare should
be eating their words now, since you cannot believe the US Intel Community
has succeeded to the level they have in this space and think it was a game
for small players anymore. My USENIX talk from 2011<http://www.youtube.com/watch?v=D5ULFP4CgQU>pointed out much of
what has come out. The most obvious angle on the story
is the growing push-back from corporations. Google building certificate
pinning into Chrome by default hurts not just Iran, but also all the allied
governments Google calls home, who are just as happy about how the global
PKI system SSL depends on bends to their whims. The corporations have been
taking huge unbalanced risks on behalf of their governments, and these
chickens are coming home to roost. Or, to be more specific, vultures, as Huawei
being thrown out of the largest market for IT gear in the world. But
it's exactly that horrifying prospect that scares Facebook and Google and
every other big US IT company into taking a hard line with the USG, and no
doubt, with one eye on Cisco's revenue sheet
To quote from today's Washington Post
Microsoft general counsel Brad Smith took to his company’s blog and called
the NSA an “advanced persistent
— the worst of all fighting words in U.S. cybersecurity circles, generally
reserved for Chinese state-sponsored hackers and sophisticated criminal
What should scare administration officials is that when you talk to big
financials in NY, they feel the exact same way. In my discussions, they are
now MORE invested in securing themselves against the US Government than the
It is safe to say these battle lines have yet to be completely redrawn,
and when they do the Chinese and US governments will be on the same side,
with Chinese and US corporations allied against them.
And we will then officially exit the "Golden age of SIGINT" and enter the
scrappy Bronze Age of Targeted Access.
o The rise of Bitcoin
The financials (and business in general) are extremely excited about the
useful shared delusion that is Bitcoin. Nobody knows how this pans out, but
it doesn't necessarily pan out well for groups whose root of power is
controlling the flow of
o The cementing of Leaks as cyberweapons
Every reporter I talk to now who is starting a new venture has a
foundational element of "some place people can send me leaked documents".
The concept of leaking things into the public eye as a cyber-weapon has
gone from "Assange is a crazy loon" to "This is how things get done" in a
fairly rapid space. It's easy to forget that the whole reason he started
WikiLeaks was that he believed that you could forever change how government
works by draining the ocean of secrecy they live in (and of course, to get
babes). The Russian and Chinese and Iranians and so forth are snarkily
reveling in how the USG is painfully handling the leaks, but of course,
their turn is coming, and they are far more vulnerable.
So to sum up, 2013 was a year governments (and in particular the USG)
found their influence sharply contracting, with budget cuts, shutdowns, and
philosophical pressure on all sides. I, with the rest of the hacker
community, look forward to 2014, when the empire can strike back.
P.S. MERRY CHRISTMAS AND HAPPY NEW YEARS TO ALL DD LIST READERS!
Dailydave mailing list
Dailydave () lists immunityinc com
Dailydave mailing list
Dailydave () lists immunityinc com