Full Disclosure mailing list archives

Re: What the f*** is going on?


From: coderman <coderman () gmail com>
Date: Tue, 22 Feb 2011 17:47:25 -0800

On Tue, Feb 22, 2011 at 1:13 PM, jf <jf () ownco net> wrote:
...
In ~2005, I was a defense contractor watching NIDS when they came looking for someone who could reverse; I knew 
enough assembly to write up shellcode, but this was my intro to windows reversing and therein lay your first bad omen 
as to their actual ability. Over the course of a weekend we got the algorithm out, wrote up a program to read the 
pcap's and got to work on analysis. Come Monday, we dropped bombs and from the fires emerged a request for our 
report/tools from another agency and I got to redact my first report, and then another and another. Everyone had this 
problem, and had it for *years* with little to no discernible progress. They hadn't even identified how $they were 
getting in, like what bug. So we identified that too, and wrote up a binary patch for it (that went 100% unused 
except on my machine), et cetera. And then that long string of office 0-days in 2006 started, and eventually I ended 
up with the private SSL keys for a few absurdly large American companies (ended up on a machine of ours), and then the 
documents started cleaning themselves and this happened multiple times 
a week for the ~2 years with countless 80-100 hour weeks and all of you telling me my life was a myth/lie/CIA 
fabrication/et cetera.

hey, ZDI started that year. this when you funnel pcap 0day to ZDI payday... ;)



These three aspects make it really potent, and my concerns relate to how such lines of thought will develop as they 
mature, as they all circumvent fairly fundamental aspects of our fairy tale.

Anyone from the AV industry got a big set and want to step up and talk about your aurora attacks?

make the operating environment hostile and resilient to attackers. no
AV product can do that from within the system that must be resilient
against attack.

(not to say AV is worthless, but more akin to crowd based negative
reputation assignment of known malicious payloads rather than any
protection against same...)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
