Encoding hacker total quality management

[Dave Aitel <dave () immunitysec com>]

Today, in addition to various running-the-company tasks, I'm writing a
specialized encoder/decoder. When you're writing decoders you become
(unless you're me, cause I'm stupid in this way :>) very concious about
the "size" of the decoder in bytes, and how much your encoded shellcode
is bigger than your decoded shellcode.

Size is a weird thing. I've always been a bit obsessed with the
"ADM/TESO/GOBBLES[*]" effect. One of the claims of GOBBLES was that they
were the "largest" hacker group. After apache-nosejob.c this isn't hard
to believe, seeing as they managed to outsmart the best of the time,
while still making a joke about it. That sort of sploit isn't something
you drop unless you have some things that are a lot better in your cache.

Another datapoint: ADM and TESO made almost inapproprietly large spashes
in the community when they were active. Almost all their exploits were
beyond the standard, and at times it seemed they were the ones finding
all the new bug-classes. But at their peak, they couldn't have been very
large groups. Certainly smaller than the reverse engineering and
security group at a good sized IDS/IPS company these days.

I've been turning these anomolies around in my head like ocean glass for
a while. At first I turned to the natural desire of hackers for
security. Rare knowledge is more valuable to hackers even more than in
most other fields. And, of course, most hackers are naturally abnormal
personalities, so it's hard to hold a large group together and still
maintain the bonds of trust. This is, after all, an activity that's
on-the-face illegal. And whitehats typically aren't invited to the
party, mostly because this is a "use-it-or-lose-it" kind of game. If you
don't play it for keeps, you tend to suck at it.

The problem with that as an explaination is that hackers are geniuses at
security. If they want to maintain security across a large group, they
develop a counter-intel program complete with sigint and humint, custom
watermarking, false-flag excersizes, and the whole lot. It can be done.

My new thought, and this is something I've come to slowly, is that
hackers develop in small groups because that way each of them is a
hundred times more productive. The more you read about the China on
Stratfor, the more you read that the Chinese state-run companies are
feeling threatened by the economies of scale of the larger western
companies. But I think the true threat is the smaller companies. Looking
at a status message I sent to Immunity yesterday, everyone had about
three exploits on it, in active development. You just can't get that
level of performance when people are sitting in an office checking on
the stock price and getting free soda. And you can't maintain it for 3-5
years, which is how long most hacker groups last before merging,
disolving, and reforming. (Although I think Immunity will be around for
a lot longer. :>)

Perhaps this is because in this field, specialization is a large
detriment to productivity. We have the same person on Solaris locals and
on Windows kernel exploits. Today I'm doing both a new MOSDEF and some
QA on an 0day - two completely different things. But if I was in a big
team, I'd be doing one thing, over and over, like a cog in the wheel,
for "efficiencies of scale". I'm not certain I've figured out the
[*]ADM/TESO/GOBBLES phenominon, or if it can even be figured out, but
more and more I think the way to really model the amazing efforts of
tiny groups of hackers compared to the larger industry is as hundreds of
tiny interlocking startups.

-dave
[*] Lots of you spent the whole email thinking about the dozens of
preceeding groups. But can you name six groups that came afterwards that
made a similar splash?
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave