Dailydave mailing list archives
Encoding hacker total quality management
From: Dave Aitel <dave () immunitysec com>
Date: Tue, 28 Jun 2005 10:06:18 -0400
Today, in addition to various running-the-company tasks, I'm writing a specialized encoder/decoder. When you're writing decoders you become (unless you're me, cause I'm stupid in this way :>) very conscious about the "size" of the decoder in bytes, and how much your encoded shellcode is bigger than your decoded shellcode.

Size is a weird thing. I've always been a bit obsessed with the "ADM/TESO/GOBBLES[*]" effect. One of the claims of GOBBLES was that they were the "largest" hacker group. After apache-nosejob.c this isn't hard to believe, seeing as they managed to outsmart the best of the time, while still making a joke about it. That sort of sploit isn't something you drop unless you have some things that are a lot better in your cache.

Another datapoint: ADM and TESO made almost inappropriately large splashes in the community when they were active. Almost all their exploits were beyond the standard, and at times it seemed they were the ones finding all the new bug-classes. But at their peak, they couldn't have been very large groups. Certainly smaller than the reverse engineering and security group at a good sized IDS/IPS company these days.

I've been turning these anomalies around in my head like ocean glass for a while. At first I turned to the natural desire of hackers for security. Rare knowledge is more valuable to hackers even more than in most other fields. And, of course, most hackers are naturally abnormal personalities, so it's hard to hold a large group together and still maintain the bonds of trust. This is, after all, an activity that's on-the-face illegal. And whitehats typically aren't invited to the party, mostly because this is a "use-it-or-lose-it" kind of game. If you don't play it for keeps, you tend to suck at it.

The problem with that as an explanation is that hackers are geniuses at security. If they want to maintain security across a large group, they develop a counter-intel program complete with sigint and humint, custom watermarking, false-flag exercises, and the whole lot. It can be done.

My new thought, and this is something I've come to slowly, is that hackers develop in small groups because that way each of them is a hundred times more productive. The more you read about China on Stratfor, the more you read that the Chinese state-run companies are feeling threatened by the economies of scale of the larger western companies. But I think the true threat is the smaller companies. Looking at a status message I sent to Immunity yesterday, everyone had about three exploits on it, in active development. You just can't get that level of performance when people are sitting in an office checking on the stock price and getting free soda. And you can't maintain it for 3-5 years, which is how long most hacker groups last before merging, dissolving, and reforming. (Although I think Immunity will be around for a lot longer. :>)

Perhaps this is because in this field, specialization is a large detriment to productivity. We have the same person on Solaris locals and on Windows kernel exploits. Today I'm doing both a new MOSDEF and some QA on an 0day - two completely different things. But if I was in a big team, I'd be doing one thing, over and over, like a cog in the wheel, for "efficiencies of scale".

I'm not certain I've figured out the [*]ADM/TESO/GOBBLES phenomenon, or if it can even be figured out, but more and more I think the way to really model the amazing efforts of tiny groups of hackers compared to the larger industry is as hundreds of tiny interlocking startups.

-dave

[*] Lots of you spent the whole email thinking about the dozens of preceding groups. But can you name six groups that came afterwards that made a similar splash?
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave