Dailydave mailing list archives

Re: Yawps from the rooftops


From: Dave Aitel via Dailydave <dailydave () lists aitelfoundation org>
Date: Mon, 5 Jun 2023 15:25:28 -0400

So I can't help but notice MOVEit, an "old enterprise file sharing system"
is getting a ton of press
<https://techcrunch.com/2023/06/05/microsoft-clop-moveit-hacks-victims/>,
after ransomware crews found/bought an 0day and then went hog wild. I mean
this is the sort of thing only predictable if you listen to Risky Biz or
the invite-only more hardcore uncensored podcast "Risky Life", where there
are whole episodes devoted to the hilarity that is the machine learning
world still passing Python pickle files around like it's 1999, or the
software distribution channels being so broken for nearly everything that
PyPI itself had to just "stop accepting new stuff
<https://www.bleepingcomputer.com/news/security/pypi-temporarily-pauses-new-users-projects-amid-high-volume-of-malware/>"
because security wasn't so much an afterthought as an anti-pattern, and
"Cthulhu help you" if you used NPM.

Any alien species coming to Earth would take one look at our technology
ecosystems and just shake their head-appendage and say "You LIVE like
this?" with the same tone of voice Marie Kondo has walking into a hoarder's
kitchen, "Let me get this straight - at your biggest, most professional
companies, you can correctly patch a bug only 50% of the time?"

I love this for us. I love the chaos and the self-aggrandizement, and the
shared helplessness and, in the face of that, the misplaced optimism and
hope, the "Advisories" and "Alerts" and "Reporting". It's not that we can't
do better, it's just that if doing better requires that we don't take
ourselves so seriously, we just won't.

-dave

On Fri, Mar 31, 2023 at 9:32 AM Dave Aitel <dave.aitel () gmail com> wrote:

https://twitter.com/thezdi/status/1638617627626176513

Yawps


So one thing I have as a "lessons learned" from the past 20 years is that
security is not a proactive sport. In fact, we are all experts at running
to where the ball _was_ as opposed to where it is _going_.

Like, if you listen to Risky Biz this week, Patrick asks Metlstorm whether
it's time to go out and replace all the old enterprise file sharing
systems
<https://twitter.com/vxunderground/status/1641629743534559233?s=20> you
have around, proactively. And the answer, from Metl, who's hacked into
every org in Oceania for the past 20 years, is "yeah, this is generating
huge return on investment for the ransomware crews so they're just going to
keep doing it, and being proactive might be a great idea." But what he
didn't say, but clearly had in his head was "but lol, nobody is going to
actually do that. So good luck out there chooms!"

At some level, STIX and TAXII and the whole CTI market are about passing
around information on what someone _might_ have used to hack something, at
some point in the _distant past_. It's a paleontology of hackers past - XML
schemas about huge ancient reptiles swimming in the tropical seas of
your networks, the taxonomies of extinct orders we now know only through a
delicate finger-like flipper bone or a clever piece of shellcode.

-dave


_______________________________________________
Dailydave mailing list -- dailydave () lists aitelfoundation org
To unsubscribe send an email to dailydave-leave () lists aitelfoundation org