Anything strike you, the seasoned InfoSec professional, as odd about this batch of headlines? For over a decade, I have been speaking out against bullshit news articles when it comes to security and hackers. It got so bad in the past that I had to stop updating the ‘Media’ section of Errata, because so many articles were full of crap. Usually, it is one or two articles a day, some with minor issues that aren’t worth the time trying to explain. After all these years of ignoring it, and seeing the same trend, tonight appears to be different. Based on the headlines alone, I know there are serious issues and at least 4 out of 5 are crap. For fun, let me dissect them and see if I am right.
All ‘dong’ jokes aside, you have a five-paragraph puff-piece that has absolutely no real information. Skipping past the translation errors, and assuming they mean “elite white hat hackers”, this is a joke. There are two kinds of white hat hackers for the most part: ex-black/gray hat hackers who converted because they like the paycheck and virtually no risk of prison, and the white hat ‘hackers’ who go through training from ISC2 or EC-Council to obtain some laughable certification that says they know security. The latter are not hackers. I can assure you, “nurturing” exam-crammers will not prepare you for any security incident, let alone the implication of Cyberwar. You want to recruit “students” to do all this? You are doomed already.
I read about this earlier yesterday. When I skimmed the article I first read (which I can’t find now), I honestly dismissed it as an Onion parody site. The entire article read as pure science fiction with a healthy dose of humor, because reality was not to be found. Surprise, later tonight it pops back up on ISN, and a search shows several other articles about it.
First, anyone in security for more than a few years has seen this academic shit before. These super-smart fucktards holed up in a lab have magically found a solution for real-world problems! The same problems they have never been subjected to, or been a part of fixing. They get news, and likely grants to do more bullshit research, while the real world suffers. There was an article, pretty sure in Time magazine, that illustrates this problem. I can’t find the article because, like most companies, Time can’t implement technology correctly and their search engine is absolutely worthless. Anyway, the gist of the article is that doctors fight to get grants to do pedestrian research that is designed to help them get the next grant. Nothing they do is really designed to cure anything. History shows us that only radical research, a break from the norm, will lead to breakthrough research that may help us dramatically. The same problem exists in academia when it comes to InfoSec. I can’t remember a single time when the ivory tower dipshits actually solved anything.
So looking at this new miracle system, what is really there? They have developed a “watchdog” service that is not new. In fact, it is an old, reliable, mediocre service offering. Instead of watching for “attacks” and “deflecting” them, it watches for anomalies. Welcome to 1992, bitches. Your first clue that this entire research is bullshit? Why is this specific to “networked control systems – which are used to coordinate transportation, power and other infrastructure across the United States”? Hint: IT ISN’T. Those systems suffer from the exact same classes of attack as any other system on the Internet: overflows, DoS via saturation, SQL injection, XSS, etc. Don’t believe me? Go look at a comprehensive list of SCADA vulnerabilities and tell me which one is unique to SCADA.
How sure am I? I just sent off the following email to this “doctor”. Further, I bet that in 1, 3, 5... whatever years, we will have the same problems as we do now. Full paper is titled “Convergence and Recovery Analysis of the Secure Distributed Control Methodology for D-NCS”.
And really, many of us in the industry know what all that fancy math crap means. You are either doing pure crypto and it is badass, or it is absolutely theatrics to hide the fact you know shit.
(Credit: unknown. Linked to me by addelindh.)
[UPDATE: I mixed up my ‘million heist’ articles. I thought this was the “How I ‘stole’ $14 million from a bank: A security tester’s tale”. While that article did not go out on ISN, making it 3 out of 5 that were crap, my response is to that article. Oops! Thanks to Oliver Lavery for pointing this out.]
Honestly, I wouldn’t have even noticed this one 12 hours ago. That monkey Ira Winkler has been claiming he could steal billions from any company for over a decade, so any fluff in the media about dramatic thefts doesn’t even register. However, shortly after this piece was published, someone messaged on Twitter saying it was bullshit.
Who is right? No clue. I haven’t been able to vet either of them. But I know that when a news article comes out with some ‘super hacker’, and someone unknown to me who has no apparent reason to lie speaks up, I am likely to believe them, not the media whore. I can’t expect evidence to be produced on such short order, but I told Oliver Lavery that it would require such to document the alleged fraud of Nish Bhalla. I know who I believe, and it isn’t Bhalla.
Oh jeez, where to begin. First, let’s put this in terms more people can understand. This is what has been titled “Linux Kernel kernel/events/core.c perf_swevent_init Function perf_event_open System Call Local Privilege Escalation” by OSVDB, who issued ID 93361 for the vulnerability. Second, notice the date of the article is 2013-05-13, when the actual fix for this vulnerability was released 2013-04-15. Yes, the fix has been out for almost a month. Uh, wait, why is this news? Linux vulnerabilities are a dime a dozen. Thirteen days after this vulnerability came another local privilege escalation.
Uh, squirrels! I lost focus here. Why is this an issue again? Is it because of a “silent” fix? Or is it because developers fix a metric fuckton of bugs, most of them not security related, every single week… and this time they forgot to mention security implications? Why is THIS bug more severe than any other Linux Kernel privilege escalation vulnerability again? If you look at the last five similar bugs before this one, you see they were fixed the same day as far as any mainstream announcement or publication of the vulnerability.
Oh, do you want outrage? Jump back to the vulnerability disclosed on 2013-02-25, which was discovered on 2012-07-14 and fixed a day after disclosure. That breaks the trend of the Linux Kernel group, to be sure.
Look, anyone who knows me will verify I am the last to apologize for software vendors. I have been riding their collective asses for over a decade. If I stand up for a vendor, any vendor at all, you should at least examine the evidence. When it comes to transparency, the Linux Kernel team has blazed the trail for many years. They have mailing lists and kernel commits, and they contribute to the oss-sec list. They aren’t interested in politics, or in hiding vulnerabilities. If you take the time to read through commits and bug reports for the Linux vendors (p.s. I HAVE), you will see these developers quickly and publicly take responsibility for their fuckups. They are quick to fix the issue and get things squared away as fast as possible. These are not the developers you should be worried about, when other companies will sometimes go over 1,000 DAYS before fixing a vulnerability.
So really, is this news? Is anyone at risk, more than usual? Any Linux admin who waits on mainstream releases will be vulnerable for days / weeks anyway. Admins who keep up with the new patches will be safe. This is BUSINESS AS USUAL IN THE LINUX WORLD.
Every single night, I think the InfoSec industry has hit a new low. On a good night, I think the industry kept even. They didn’t improve, they didn’t get worse.
Tonight is evidence that we can collectively sink much lower, in leaps and bounds.
Don’t believe me? Just witness this ivory tower math bullshit that completely backs my wild theory that I have spoken the truth. Call the press!