Dailydave mailing list archives

Re: The new model of insecurity

From: Sergio 'shadown' Alvarez <shadown () gmail com>
Date: Tue, 1 Apr 2014 07:53:08 +0200

Hi Dave,

Completely agree with you on this.

On the top of that, if you ever had any sort of discussion with Cisco you will also know that they will get pretty sure 
that you will never present anywhere what ever security related issues you've discussed with them, and if they manage 
to do that it goes to their "problem solved" branch.

They don't really care about security, they care about what ever might go public and try to make it look as inoffensive 
as possible. That's all they do.

I'm wondering if people who uses their products realize that they lack a way to check if their products have been 
compromised. Cisco and Huawei among others fall into this category. On other platforms you can do OS level hardening, 
add host IPS and stuff like that, to do all sort of monitoring. On these routers and switches they don't have anything 
beyond the features bundled with their system. Some people believe that by forcing a core dump they will have a clean 
memory dump that will allow them to check if they've been compromised or not, which is the very first thing anybody 
would patch to hide.

I guess that's what you get when you relay on stuff that has been designed 20 years ago, cross your fingers and pray so 
that nothing goes wrong. xD

That's what makes Cisco, Huawei, Extreme Networks, among others so much fun to play with. ;-)

Cheers,
  Sergio

On Mar 31, 2014, at 11:16 PM, Dave Aitel wrote:

http://www.rsaconference.com/videos/126/the-new-model-of-security

Cisco's keynote starts with the traditional eyeball gouging "humorous" video making fun of how it's hard to get
different security solutions to work together. Wouldn't it be easier if everyone just bought everything from Cisco?
I'm sure it would! The video ends with all the actors cursing at the audience, which is telling, and then Christopher
Young apologizing for the video, like it's the first time he's ever seen it and he's sorry for subjecting the
audience to the cursing parts of it, or, you know, any of the "jokes".

After that it is a painful sit-down between Christopher Young (SVP of Cisco's Security Business Group) and Padmasree
Warrior (CTO/Chief Strategy Officer of Cisco). Why do companies do these sit-down style keynotes? It's like someone
did a study on the most unlikely way to capture an audience's attention, and then implemented it as relentlessly as a
Chinese SSHD password brute forcer.

At one point Padma says "I'm not a security expert and you are, which is why I hired you". The Chief Strategy Officer
of Cisco is not a security expert?! Lovely.

These things are scripted to sound unscripted, but instead they sound like horribly written scripts delivered by
people who hate what they are saying. That, or there was some sort of contest on the least funny way to say "Internet
of Things" eighty times in 24 minutes - and let me tell you, they *found* it.

Open APP ID gets announced to no applause whatsoever. "The policy can be dynamic. We need a community working on
that. " Or in other words, "Please somebody do our work for us so we can catch up to whoever the market leader is in
this space". Marty might have to explain this to us all in better terms on the list here, cause Padma and Christopher
chew their explanation up like a three year old eating a Lima bean and Brussels sprouts salad. They want to build
controls for applications except the mobile systems they want to control are not under enterprise control at all
(they "assume the devices are untrusted"), and the network traffic will be encrypted. So how are they controlling
things again?

In the end, these people got on stage to demonstrate that they have a muddled thought process and no clear vision for
the future. Look, after watching this you can't help but feel sorry for everyone involved in the production of this
keynote, and the entire marketing team the CEO of Cisco fired after watching it on YouTube. I'd worry if I was either
Padma or Christopher as well because they've clearly lost sight of both the forest and trees, if this keynote is
anything to go by.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

Current thread:

Re: The new model of insecurity Sergio 'shadown' Alvarez (Apr 01)
- <Possible follow-ups>
- Re: The new model of insecurity Marty Roesch (maroesch) (Apr 01)
- Re: The new model of insecurity Andreas Lindh (Apr 01)