Dailydave mailing list archives
Re: The uncomfortable whitehat truth
From: Justin F <jnf () asac co>
Date: Mon, 19 Oct 2015 14:04:47 -0400
> Obviously in some cases this is institutionalized - Governments (and not just "friendly" ones) can and do ask for a heads up on various vulnerability pipelines.
Is there a government in the world that does not contain the capability to require SSL keys from CAs or similar? Would this not mean that everything is potentially compromised and things like DANE should be pushed hard instead of defaulting to dependence on a system that is broken by design?
> And on the other hand, maybe they are reading your mail,
How many countries do not have a Google et al. datacenter in them? Is it not reasonable to suspect that the hiring standards of tech companies are significantly lower than the bar for spies et al., and thus is it not reasonable to conclude that anything you store in the cloud (id est email) is likely compromised not by *a* government, but lots of them and probably a lot of other nefarious organizations as well? It's actually amazing how much confidence we put into electronic storage mediums while at the same time ignoring that they're so easily compromised by both legal and illegal means-- APT can get to the POTUS email and force the State Department's mail servers down and run circles around OPM for a long period of time, but PRISM is irrelevant and the PRC compromising PRISM is irrelevant and god only knows who else is in there, thereby rendering the medium unreliable.

On Mon, Oct 19, 2015 at 9:00 AM, Dave Aitel <dave.aitel () gmail com> wrote:
> I'm not sure how to explain this intuition, but clearly security () everything com is pretty owned. It's a high priority target that is by definition poorly defended. So when people submit bugs to Microsoft or Adobe or really any commercial company, they are sending a signal to various APTs which may or may not act on that signal, depending on their particular OPSEC guidelines.
>
> Obviously in some cases this is institutionalized - Governments (and not just "friendly" ones) can and do ask for a heads up on various vulnerability pipelines.
>
> So on one hand, if you're doing statistical analysis you will say "There is a huge overlap in the kinds of bugs we are finding and the kinds of bugs our adversary has! We are making a difference!" And on the other hand, maybe they are reading your mail, and killing the ones you happen to find, like a farmer culling the herd of a sick sheep.
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- The uncomfortable whitehat truth Dave Aitel (Oct 19)
- Re: The uncomfortable whitehat truth Justin F (Oct 21)