Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] In his own words: Confessions of a cyber warrior

Shava Nerad shava23 at gmail.com
Wed Jul 10 10:27:35 PDT 2013


Still, it made me think in relation to the dimension of CFAA pushback we
have gotten.  The CFAA encourages a corporate development cycle of pushing
crappy software out exposed to the net without audit, and to leave nets
without monitoring or pentesting, because user data is insured and/or there
are no penalties for its loss, corporate data loss is poorly understood and
poisoning entirely unassessed, and it's assumed the feds will clean things
up at taxpayer expense.

Why pay for security?

And this would suit a "national security" interest that wanted compromised
software.  As sick as that is for a larger perspective of national security
from cyberthreats -- we have already seen some rather poor decisions made.

Essay on my G+ yesterday in more pot-boiler mode, if anyone's interested.

Yrs,
SN
On Jul 10, 2013 12:21 PM, "David Goulet" <dgoulet at ev0ke.net> wrote:

> Jacob Appelbaum:
> > Andreas Bader:
> >> Eugen Leitl:
> >>
> >>> Grimes: How many exploits does your unit have access to?
> >>>
> >>> Cyber warrior: Literally tens of thousands -- it's more than that. We
> have
> >>> tens of thousands of ready-to-use bugs in single applications, single
> >>> operating systems.
> >>>
> >>> Grimes: Is most of it zero-days?
> >>>
> >>> Cyber warrior: It's all zero-days. Literally, if you can name the
> software or
> >>> the controller, we have ways to exploit it. There is no software that
> isn't
> >>> easily crackable. In the last few years, every publicly known and
> patched bug
> >>> makes almost no impact on us. They aren't scratching the surface.
> >>
> >>
> >> Tens of thousands zero-days; that sounds like totally shit. That guy
> >> seems to be a script kiddie poser, nothing more.
> >> Are there any real "hackers" that can issue a competent statement to
> that?
> >>
> >
> > I couldn't disagree more. This sounds consistent with the current arms
> > race and also relates directly to the 0day markets that have been active
> > for many many years. Remember though: buying 0day bugs or exploits for
> > 0day is just one part of a much larger picture.
>
> I have to agree here with you. The 0day market is booming and we have a
> very
> unclear picture as of now on the magnitude of that market.
>
> However, there is something weird in this guy statement. With my
> experience,
> finding exploitable 0days for known software is not that trivial, it takes
> time
> and effort. Now, creating a working exploit (preferably remotely of
> course) is
> also very difficult!
>
> He goes on stating:
>
> "I would hack the software and create buffer overflow exploits. I was
> pretty
> good at this. There wasn't a piece of software I couldn't break. It's not
> hard."
>
> To be honest, for my self being a person that does security contest for
> years
> now (Defcon, iCTF, csaw, etc...) and in security communities, someone
> speaking
> like that is a bit of a red flag in terms of deep knowledge of software/OS
> exploitation (especially OS exploits).
>
> 0day development is not an easy business (like he is picturing it). From
> friends
> in the reverse engineering field (AV corp.), a *lot* of people are doing
> that
> full time in Russia for malware development and word! it takes time,
> experience
> and knowledgeable people.
>
> In a nutshell, in my opinion, this interview looks more like a guy that
> wants to
> flash rather then the real truth. There is SURELY true stuff in there but I
> doubt seriously the part about the extent of 0day and bugs development.
> This is
> just too fishy to be serious... anyway that should not mean we should not
> take
> this seriously!
>
> Cheers!
> David
>
> >
> > All the best,
> > Jacob
> >
> > --
> > Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at companys at stanford.edu or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
>
> --
> Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at companys at stanford.edu or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130710/364bbf02/attachment.html>


More information about the liberationtech mailing list