More Mildly Condescending Comments

Pete has responded to my previous post. Pete says:

"I actually believe the REAL threat exists. While everyone else works on the manufactured stuff, I want to protect my assets against true threats.

Regardless of my level of confidence, however, I don't claim to have evidence and I refuse to manufacture it. And I find general 'cloak and dagger' statements that security professionals make to be lacking any impact whatsoever...

If you really do know and can't say, why would you hang the entire Internet out to dry by keeping in-the-wild exploits against undercover vulnerabilities a secret while you encourage the wheel spinning of research and disclosure?"

Many readers in the DC metropolitan area will recognize that I am in a delicate position here. All I can really do is point to some publicly available documents to try to change Pete's world view. He can then make up his own mind. These are all open source, Internet-available documents hosted on completely public .mil sites for the benefit of visitors.

That's all I can say on the matter. I'm not trying to be devious, but there are lines that cannot be crossed. I hope Pete appreciates the picture of Gamera I managed to find for him.

Comments

Anonymous said…
Some interesting things to consider (and I'm really enjoying the fact that I've never been TS/SCI cleared, and none of the following information is violating any of the non-disclosure agreements I've signed, and on a side note these things generally invoke a warm and fuzzy feeling in my stomach, do too my uncanny sense of morbidly tragic humor) :

1. NULLs only terminate string-based copy operations.
2. Heap overflows allow you to overwrite arbitrary memory addresses
3. There are huge chunks of writable memory in the BSS segments of the process structure of various (dare I say ALL moderately relevant) architectures that have a nice tendancy of not moving within the address space across versions and patch levels (M$ might have got better with this, it's not my forte)
4. It's relatively easy to footprint attack payloads
5. It's relatively easy to spring board search the area in memory likely to contain said footprint, in a small amount of code.
6. There are publicly available methods of creating covert execution channels, Here, and Here.
7. While we've yet to see a remote kernel-based attack released to the public, it's both naive and ignorant to assume they don't exist, in one shot multiplatform format (How many Operating Systems have TCP stacks based on 4.4BSD, someone remind me, heh ;PPPpppPppPppPPP)

What do you think our (and for the benefit of good argument, other) government has been researching for the past 8 years.

Granted, security research isn't something you can just throw money at to generate progress.... Wait, did I just say that? I must be high.

It's probably a safe bet that multiple governments have thrown Billions, yes with a B and most definitely plural, and needless to say if they spent even 1% of that budget allotment wisely, they are light years ahead of anything that's going to hit the shelves anytime soon.

This should add a bit of scope to Mr. Bejtlich's point here. And while it may have been done in an undesirable fashion, I myself have never been one to concern myself with the impact of the information I release to the public domain, as it's the essential philosophical stance of the entire security industry.
9:30 AM
Anonymous said…
re: My World View. My world view is that there is a real threat out there. You are valiantly attempting to change that by making unsupported comments and pointing me to policy docs and press releases, but I refuse to believe it has ALL been manufactured.

I will continue to believe that the threat is real and that the white hat discovery/disclose cycle is distracting and we should be focused on the real problem.

Pete Lindstrom
9:43 AM
Anonymous said…
Speaking of unsupported comments and claims, where do you suggest we go about discovering these "real" threats. AFAIK Blaster managed to drop 25% of our country's power grid last year.

You have to have a FIRM Grasp of the threat model, to identify any potential solution, you seem to have apparently identified neither. The WhiteHat(tm) disclosure model is in fact inherintly flawed, but not for the reason you are specifying.

S1nc3r3ly Urz,
Th3 M4d 4nt1-H4tt3R
10:28 AM
Anonymous said…
Richard,

Pete's got a point. I went over and took a look at his blog...and his point about those who really DO know shouldn't be saying is well taken. And since I am aware of the sensitive position that you point out, I agree with his stance even more.

For someone to stand up and say, "Hey, I'm in the know, and I DO know...but I can't tell you anything about what I know" is complete BS. If you're covered by TS/SCI clearances or something even higher, and you're not supposed to talk about Fight Club, then you DON'T TALK ABOUT FIGHT CLUB! It's that simple...just telling someone that you know about it is talking about it, even if you don't give away the precious details.

It's just grandiose posturing in order to seem self-important.

Besides, you were in the military...you know as well as I do how some people go out of their way to classify their lunch schedule and their golf tee times.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
12:57 PM
Richard Bejtlich said…
There does not seem to be a reasonable way to discuss this issue without causing trouble for the parties involved. Consider the issue closed.
1:48 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more