[cryptography] Attack Driven Defense - infosec rant [was: What is Intel(R) Core™ vPro™ Technology Animation]

coderman coderman at gmail.com
Mon Sep 23 19:45:36 EDT 2013


On Mon, Sep 23, 2013 at 4:17 PM, coderman <coderman at gmail.com> wrote:
>...
>> the source code provides "hard coded" keys/passwords or pointers to
>> files where interesting bits lay,


someone asks: "how do you find the interesting sources?"

this is something i pride myself on, having dealt with scores of large
enterprise systems and ERP deployments over many years.  i'm going
give hints, rather than specifics, but it will be sufficient for the
motivated party. (people ask why i rarely distribute code myself - it
is because i need every strategic advantage i can get, and custom
software, builds, and configurations are part of that operational
security.  maybe one day...)

orienting yourself in a large code base:
0. you must know how to code in, and what frameworks, libraries, and
toolkits are common for, the language at hand.
1. filter all the third party components and sources out. these are
not interesting.
2. keyword search for password handling, private keys, hardcoded secrets, etc.
3. keyword search for the public interfaces of interest, or API calls
exposed, etc.
4. keyword search for business specific terms, e.g. where does the
meat of their business logic reside?

as you become more familiar with how various institutions implement
large systems, you get a "sixth sense" or "intuitive" ability to focus
in on the relevant parts and identify where shortcuts and oversights
are most likely to occur.

rinse, repeat, again and again, and eventually you'll find yourself
10x more effective at these tasks, having combined your increasingly
accurate intuition with custom scripts and techniques for maximum
effectiveness.

it's an almost spooky ability when you look at a piece of code and
just "know" where the bugs are, and sure enough, you find them right
where you expect.


More information about the cryptography mailing list