Dailydave mailing list archives

Re: The uncomfortable whitehat truth


From: Justin F <jnf () asac co>
Date: Mon, 19 Oct 2015 14:04:47 -0400

Obviously in some cases this is institutionalized - Governments (and not just "friendly" ones) can and do ask for a 
heads up on various vulnerability pipelines.

Is there a government in the world that does not contain the
capability to require SSL keys from CAs or similar? Would this not
mean that everything is potentially compromised and things like DANE
should be pushed hard instead of defaulting to dependence on a system
that is broken by design?

And on the other hand, maybe they are reading your mail,

How many countries do not have a Google et al datacenter in them? Is
it not reasonable to suspect that the hiring standards of tech
companies are significantly lower than the bar for spies et al, and
thus is it not reasonable to conclude that anything you store in the
cloud (id est email) is likely compromised not by *a* government, but
lots of them and probably a lot of other nefarious organizations as
well?

It's actually amazing how much confidence we put into electronic
storage mediums while at the same time ignoring that they're so easily
compromised by both legal and illegal means -- APT can get to the POTUS
email and force the State Department's mail servers down and run
circles around OPM for a long period of time, but PRISM is irrelevant
and the PRC compromising PRISM is irrelevant and god only knows who
else is in there, thereby rendering the medium unreliable.


On Mon, Oct 19, 2015 at 9:00 AM, Dave Aitel <dave.aitel () gmail com> wrote:


I'm not sure how to explain this intuition, but clearly security () everything com is pretty owned. It's a high 
priority target that is by definition poorly defended. So when people submit bugs to Microsoft or Adobe or really any 
commercial company, they are sending a signal to various APTs which may or may not act on that signal, depending on 
their particular OPSEC guidelines.

Obviously in some cases this is institutionalized - Governments (and not just "friendly" ones) can and do ask for a 
heads up on various vulnerability pipelines.

So on one hand, if you're doing statistical analysis you will say "There is a huge overlap in the kinds of bugs we 
are finding and the kinds of bugs our adversary has! We are making a difference!"

And on the other hand, maybe they are reading your mail, and killing the ones you happen to find, like a farmer 
culling the herd of a sick sheep.



_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
