@cR0w @buherator I wish a company that decided to rebuild their edge device code in Rust would be handsomely rewarded by the market, but I know that almost nobody actually cares about these vulns, and even fewer about true systemic fixes.
@cR0w @mttaggart @buherator the first time I saw this was with FireEye, way way way back when. Then SonicWalls, then some others, now it's like, everybody who has PHP on a firewall, with the one exception of pfSense, who I just never hear about, ever.
But yeah, this sentiment is absolutely dead on. Way too many people who have no clue wtf they're doing, and will scream gatekeeping at you over the mere suggestion they be 'even remotely qualified'.
@cR0w @mttaggart @buherator imagine someone who was formerly a florist in an operating room during a neurosurgeon's job, screaming gatekeeping at the head of medicine for the hospital because the head of medicine suggested that maybe the florist, I dunno, attend medical school? Learn some stuff about surgery or medicine?
That's where we're at.
@cR0w @mttaggart @buherator I'm not sure if 44CON published the talk, but it was massive news at the time. Some German researcher guy figured it out:
- send one email through with a 7zip that uncompresses to absolute paths, and have it overwrite the Python script which parses a file format with a Python Meterpreter
- send a second email through with an attachment for that file format (he used RTF). That will trigger the parser.
Meterpreter root shell on a FireEye appliance via 2 emails.
It was bananas.
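The chain in the post above hinges on one thing: the appliance's extractor honoured absolute member paths from an attacker-supplied archive, which turned "unpack an attachment" into "arbitrary file write as the parsing user". As an added example (not code from the talk, the researcher, or FireEye), here is the pre-extraction check an ingest pipeline should run before touching any member. It uses an in-memory zip as a stand-in because the Python standard library has no 7z reader; the check itself is format-agnostic, and the archive contents, file names and the `/opt/appliance/parsers/rtf_parser.py` target path are all constructed for illustration.

```python
"""Reject archive members whose paths would land outside the extraction directory.

Constructed example: an in-memory zip stands in for the 7z from the thread, since the
standard library has no 7z reader. The path vetting is the same for any archive format.
"""
import io
import pathlib
import re
import tempfile
import zipfile


def escaping_members(names, dest):
    """Return [(name, reason)] for every member path that must not be extracted into dest.

    `names` are the raw member paths as stored in the archive. Absolute paths (POSIX or
    drive-letter), NUL bytes and '..' segments are reported on sight; the decisive test is
    resolving the final target and checking it stays under dest, which also catches shapes
    the pattern checks miss.
    """
    root = pathlib.Path(dest).resolve()
    bad = []
    for name in names:
        if "\x00" in name:
            bad.append((name, "NUL byte in path"))
            continue
        posix = name.replace("\\", "/")
        if posix.startswith("/") or re.match(r"[A-Za-z]:", posix):
            reason = "absolute path"
        elif ".." in pathlib.PurePosixPath(posix).parts:
            reason = "parent-directory traversal"
        else:
            reason = None
        # pathlib discards `root` when the right-hand side is absolute, so an absolute
        # member resolves to itself and fails the containment test below.
        target = (root / posix).resolve()
        outside = target != root and root not in target.parents
        if reason or outside:
            bad.append((name, reason or "resolves outside destination"))
    return bad


def safe_extract(zf, dest):
    """Vet every member path first; refuse the whole archive if any member is unsafe."""
    bad = escaping_members(zf.namelist(), dest)
    if bad:
        raise ValueError(f"refusing to extract: {bad}")
    zf.extractall(dest)
    return sorted(zf.namelist())


def build_archive(members):
    """Build an in-memory zip from {member_path: bytes}; member paths are stored verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)  # ZipInfo keeps a leading '/' exactly as an attacker would
    buf.seek(0)
    return zipfile.ZipFile(buf)


# Constructed archives mirroring the thread: a benign attachment, and a malicious one whose
# member path points at the (hypothetical) parser script that runs on the next attachment.
BENIGN = {"report.rtf": b"{\\rtf1 hello}", "notes/readme.txt": b"ok"}
MALICIOUS = {
    "report.rtf": b"{\\rtf1 hello}",
    "/opt/appliance/parsers/rtf_parser.py": b"# attacker-controlled parser body\n",
    "../../../../tmp/dropped.py": b"# traversal variant of the same idea\n",
}


def refused(members):
    """True if safe_extract refuses the archive built from `members`."""
    with tempfile.TemporaryDirectory() as dest:
        try:
            safe_extract(build_archive(members), dest)
        except ValueError:
            return True
    return False


def demo():
    """Return (files extracted from BENIGN, members flagged in MALICIOUS)."""
    with tempfile.TemporaryDirectory() as dest:
        extracted = safe_extract(build_archive(BENIGN), dest)
        flagged = escaping_members(build_archive(MALICIOUS).namelist(), dest)
    return extracted, flagged


if __name__ == "__main__":
    print(demo())
```

Two design points worth keeping: the archive is refused as a whole rather than extracted with the bad members skipped, because a partially unpacked attachment is still attacker-chosen input to whatever parses it next; and the check runs on the stored names before anything is written, since an extractor that "sanitises on write" can still be bypassed by a format or library whose sanitisation differs from the one you audited.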
@cR0w @buherator I'm in agreement with you. Rust is just the only real game in town for memory-safe code at the moment. But it's not about that; as you said, it's about process. But yeah, there is zero incentive at all to improve. Nor will there be, especially as we lose the CSRB and CISA gets gutted even beyond its prior state of toothlessness.
@cR0w @mttaggart @buherator that musta been like... 2014 maybe? I forget, but it blew my mind. I was in the room for the talk.
@cR0w @mttaggart @buherator they made 'fuck fireeye' stickers for like 2 years afterwards
@da_667 @cR0w @mttaggart @buherator yeah, once that German dude showed people how to trivially get shells on the things, a buuuuunch of other folks dove in :D
@buherator @cR0w @da_667 @mttaggart yup, this was it :D - good times!
@cR0w @buherator @mttaggart But customers often don't really care either? Cost of doing business and stuff