Dailydave mailing list archives
Re: A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos
From: Alex Stamos <alex () stamos org>
Date: Fri, 1 Nov 2019 17:25:11 -0700
Hi, Dave-

I'm glad you enjoyed the keynote, and I appreciate the risks from 0-day. I would disagree with Nathan that I'm a naive empiricist.

I learned something really important when I took the CISO job at Yahoo, my first big-company VP position under a very experienced Silicon Valley executive named Jay Rossiter. Jay told me "Son, you are coming from a world where you could focus on really specific and interesting challenges but now your job is all about portfolio management. You have an infinite set of problems and very finite resources, your entire role here is to try to apply your limited human and financial capital to the problems that hurt us the most. That's it."

Ok, maybe I imagined him calling me "Son" or that he was chewing grass while he said this or the warm yellow glow of the setting Midwest sun that bathed us in warm companionship while we repaired our combine in time for the harvest and perhaps even the smell of Ma's apple pie wafting from the picnic. But he definitely told me that stuff about portfolio management, and boy was he right. He was super duper right at Yahoo, where security was as well resourced as you would expect at a company fighting to survive via quarterly MAU/revenue and where we were facing a massive cliff of tech debt that started in 1997.

So I agree with you in the world where the portfolio of resources the greater security and safety community had to apply to the problem set of "computers hurt people" was restricted to people who attend Infiltrate and find new bugs all day. These people should definitely exist and do their damndest, and I don't think redeploying Tavis to work on authentication would make the situation better (he also interpreted my talk to be about people in his line of work).
However, I'm really worried about some other follow-on effects from security research and I would say that the sub-portfolios that are really being mismanaged right now are:

*Internal Corporate Teams* - Too many CISOs and Directors (where the real work happens) are enamored of the high-end threat because it makes them feel like they are players on the global stage. Maersk was a victim of an act that would fit in the broadest definition of "international cyberwar" but *in the worst possible way*, as collateral damage caused by practices equivalent to moving to northern Syria and getting a real good deal on a used white Toyota pickup and driving it around the desert without taking that weird black flag off because it looks really metal. They got owned because of really weak basic practices and couldn't recover because they had never practiced responding to a disaster this large. I can't speak as to what their focus *was*, but it wasn't on the realistic threats.

*Academic CS Security Research* - I originally gave a version of this talk at USENIX, and I was really focused on how InfoSec in Computer Science departments is warped by a need to make any individual problem "CS Hard". CS Hard problems tend to have really complex solutions that also happen to be unique. Real solutions to real problems usually need to be simple and preferably based upon some fix that has been deployed in a different but related context. This is a salient problem in the academy right now; I'm trying to get help from CS grad students and even if they are interested in my problem space they are struggling to figure out how to publish on these problems in a way that will get them academic jobs.

*New Startups / Venture Capital* - Probably the absolutely worst balanced area in security is the startup space, where 90% of the money and effort are applied to the top 10% of the pyramid I used in that talk.
Walk the floor at RSA this February and try to imagine how most of those products could be deployed by the 15 person security team at a not-sexy but critical company, like a large manufacturer of heavy equipment (like the combine Jay and I were fixin') that happens to have big competitors in the PRC. The reverse-takeover of FireEye by Mandiant was not recognized at the time for what it really was, a demonstration that products focused on the super-high-end threat would, by definition, generally be unusable by most of the enterprise security TAM due to lack of customer resources. Most of the companies on the RSA floor won't exist in a decade, and normally the VC world would take huge losses and readjust. That process is going to take a long time because of all of the spectacular dumb money in the market and the fact that VCs with absolutely no practical defensive experience are raising nine-figure funds focused on security. If you are looking to invest in security, find the next Tanium or Cloudflare: companies focused on real operational challenges that just happen to provide security benefits to organizations with limited security staff.

So what does this have to do with the "research community"? While I agree that research at the cutting edge of risk is critical, it also has an outsized influence on all three of these other areas. VCs, CISOs, academics all take their cues from people on stage at BlackHat/Defcon/Infiltrate/Recon/CanSec etc., which should be a terrifying thought. I still believe that a good defense should be based upon understanding offense, but that should be offense as it is really practiced and not the kinds of hypos I discussed like side-channel.

Anyway, I guess I agree with you, Dave, in the small-picture but I think I was addressing a larger problem. Thanks for the shoutout.

Peace,
Alex

On Fri, Nov 1, 2019 at 8:18 AM Dave Aitel <dave.aitel () gmail com> wrote:
Ok, so you can/should watch it here: https://www.youtube.com/watch?v=uohyx7OIugY

Alex is a great keynote speaker and I really like a lot of his talk (especially where he delves into how disintermediation has broken all social systems without ever using the word disintermediation) but also I think he's super wrong about something so I'm going to spam this at him (and all of you) to annoy him, specifically in a section about priorities as a community, which is followed by a whole section on how the technical companies all emulate Steve Jobs and pretend everything they do is perfect.

"Even in a position where we faced the best attackers, I only saw true 0day deployed twice"

"""If you have Superman vision and you're able to zoom in to the screen you would see that every pixel on the screen is actually comprised of sub pixels right of red green blue sub pixels *this sub pixel represents all of the human harm ever caused by side-channel attacks in the history of information security.* This is what dominates discussion in the security research community - super complicated esoteric issues for which there's almost no demonstration ever or even good theoretical purposes in which this would be the best way for somebody to leak out information or somehow otherwise compromise the system. And so this is the fundamental issue - that if you actually look at what people are working on that pyramid is inverted. People are spending way more than a sub-pixel thinking about super esoteric side-channel attacks in Intel processors. That doesn't mean we shouldn't research. It doesn't mean we shouldn't fix it. But it shouldn't be the thing that we think way more about..... I want to read way more about how people are making it easier for real enterprises to patch their systems. I want to read way more about how people are designing their systems to not be able to be easily abused to cause harm and a variety of really horrible ways than I read about more side-channel attacks. I certainly don't want people coming up with damn names and domains just for their side channel attack. That drives me totally insane."""

So here are two things:

1. The security research community is tiny. We get a not insignificant subset of it at INFILTRATE every year. The reason the material the research community puts out gets attention is precisely because it turns conventional wisdom on its head. You study the latest heap overflow because it fills in your knowledge of how weird machines work in the real world. You learn about HTTP Desync attacks because they reflect a larger problem in parsers in general, in that you cannot ADD two parsers together to get a more secure solution (which is also what weird machines tell you). Hey it turns out WAFs and AVs can only make you LESS secure, not more. That's a USEFUL thing to know! You study side channel attacks because it answers the question "If I can't trust the silicon what can I trust?" and the answer is a dried leaf you found in your driveway and an old walnut stick, and not the latest blinky box from a company set up by a conglomerate that also does *government contracting* "on the side" for a government that is not yours. :)

2. There's lots of hackers out there who use ONLY 0day. This is one of those things that's obvious every time you talk to a group of old ones about their favorite bugs and everyone's favorite was one that nobody detected for decades. Kaspersky finds someone using Chrome 0day about once a month now. And that's because advanced attacks have strategic impact, and even if you solved the entire rest of that pyramid, one good 0day can tumble a society.

How would one detect side channel attacks exactly? What it looks like is someone (me maybe) buying a bunch of VMs in your hosting provider and then using their CPU for a little bit.

I don't think Maersk had issues with patching. The issue is that no matter how good at patching you are, it doesn't matter in the face of a worm that uses Active Directory to traverse around, and they probably did not listen to the Bloodhound researchers talk about the many many ways AD is a risk all by itself. Every attacker (Avast <https://www.zdnet.com/article/avast-says-hackers-breached-internal-network-through-compromised-vpn-profile/> and the Indian Nuclear <https://arstechnica.com/information-technology/2019/10/indian-nuke-plants-network-reportedly-hit-by-malware-tied-to-n-korea/> hackers, this week alone) seems to have Domain Admin but the security engineering community hasn't asked why yet...

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos Dave Aitel (Nov 01)
- Re: A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos Arun Koshy (Nov 01)
- Re: A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos Don A. Bailey (Nov 01)
- Re: A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos Nathan Landon (Nov 01)
- Re: A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos Arun Koshy (Nov 01)
- Re: A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos Alex Stamos (Nov 01)
- <Possible follow-ups>
- Re: A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos frank pound (Nov 19)