
Okay, so up next we have Pablo Breuer, who is the director at the Center for Information Warfare and Innovation. All right, thanks. Give him some applause.

Hey, thanks. Thanks for coming out. So I'm going to talk to you a little bit about snake oil, and how we're going to live with snake oil, and the fact that it may be okay as long as you realize that you're buying a little tank of snake oil. So, mandatory disclaimer: these views are my own; they're not those of my employer. Not-mandatory disclaimer: vendors are fine people, so if you're a vendor, please don't await me with pitchforks and torches after I'm done with this talk. They're infosec professionals just like the rest of us. They do the best they can developing products, but at the end of the day they also need to make a buck.

So the last time I gave this talk, at CircleCityCon, a friend of mine that happened to be a foreigner came up to me and went, "Hey, great talk, but what does snake oil actually mean?" So for the foreigners in the room, let me define snake oil. Snake oil is an American colloquialism, and it's based in the days of the Wild West, when they would sell these fraudulent tonics that may or may not include snake extract, that had very, very little if any benefit whatsoever. It carried on and now refers to any product with questionable or unverifiable content or benefit. So that's what I mean when I talk about snake oil.

So, brief scoping here: a brief history of exploitation. What I've got is the defensive measures in black and the quote-unquote offensive measures in red. In 1971 we've got the Creeper virus; two guys in Pakistan, literally in a mud hut, developed this thing just because they could, not with malicious intent, they just wanted to develop some self-propagating code. Then in 1986 Dr. Dorothy Denning comes up with the idea of IDS, and in '86 we get the Brain virus. In '87 John McAfee, before he decided to become a South American warlord, develops this antivirus thing. Then in 1991 Los Alamos actually goes through and develops an IDS, and Check Point comes out with the first stateful packet inspection firewall. Then in 1996 we get "Smashing the Stack for Fun and Profit." It is not the first time that this topic was written about, but it's the one that most people know. You could still go out there and read Aleph One's paper; just remember it's in AT&T syntax, which is just maddening to me, but there you have it.

Then here's kind of an interesting thing: in 1997 the return-to-libc paper is written, and it gets largely ignored, and it gets largely ignored because the old smashing-the-stack thing still worked. So just remember that it gets written in 1997. Then in 2003 IDS finally becomes commonplace, right? Suggested in 1986, developed in 1991, and in 2003 finally most companies have this thing. And in 2003 Metasploit gets released publicly and people lose their minds. I think my favorite quote about Metasploit when it came out was that it's like the ice cream man handing out dynamite to kids. I still use that one.

Then in 2005 Intel develops the XD bit, which is to prevent what Aleph One talked about in "Smashing the Stack for Fun and Profit," but it's only in the Itanium servers, right? These are about as close as you get to a mainframe without actually being a mainframe, so you only find it in big, expensive businesses. In 2006 the rise of 64-bit architecture means that we finally have stack smashing protection via the non-executable stack, data execution prevention, and address space layout randomization, which is great. So in 2006 we finally mitigate the stack smashing stuff, and now all of a sudden the offensive folks go, "Hey, that return-to-libc guy was on to something," right? So by the time we developed DEP and ASLR we already had a technique for bypassing them. Shortly thereafter, the next year, we get return-oriented programming, which is really just an extension of the return-to-libc attack. So what we get is this nice ping-pong back and forth between the offense and the defense. The good news is you're all going to be well employed; that's the good news. The bad news is we're going to keep buying products that aren't really going to protect us in the way that we would like them to protect us. So just kind of keep that in mind as we go through this presentation.

So why are we here? Most people that
work in infosec are not computer scientists. Just a straw poll: how many of you have a computer science degree? There's a couple of you, okay. If you had to suffer through automata and you don't know why, you'll learn why. Don't kill me, because I'm going to teach all these folks the salient points of automata in about 35 minutes.

So why does it matter that most infosec pros aren't computer scientists? Well, computer scientists have to suffer through this class called automata. I say suffer because every major has a weeding-out class, and for computer scientists it's automata. It's a very math- and notation-intensive course about computational theory and complexity, and that computational theory allows us to very quickly figure out if something is snake oil or not. If you'll pardon the language, it is the ultimate flag, and you get to throw it a lot when you're talking to vendors.

And so recognizing snake oil by applying computational theory allows you to avoid this conversation, right? The boss comes in and goes, "We can't do the breach thing; it's too expensive; we're losing too much; you've got to make it stop." And then what happens is Joe Vendor shows up and says you need a next-generation box full of pew-pew magic proprietary technology, and it's full of 0-day detection, and it's going to cure all of your woes. And then people that aren't computer scientists allow themselves to hope briefly, and we go, "Really? You can detect 0-days?" And then we get told, "Yes, DNC, your email will be totally secure." I made these slides up before that whole thing broke; it was just a happy coincidence, I promise. And then they go off and they tell us about their patented pew-pew and magic sauce and snake oil, and you get those conversations where you're not really sure how the product works. We'll talk about some of that language.

And then we throw a bunch of money at them, right? And the vendor does this with our money. And then 90 to 180 days later an APT comes along, and there's our network, where APT is defined as anybody that could bypass your magic box full of pew-pew technology. It very well may be a 12-year-old with a dial-up modem and an AOL account, but they got past your next-generation defense, so clearly they're an APT.

So who's been to a vendor page recently and read a product description? Let me know if you haven't seen one of these terms. Holy crap, what does any of that mean? State-of-the-art, adaptive defense, next-generation, threat analytics, multi-layer, hunt, and cyber-anything, really. I feel dirty just saying the word cyber. Virtualized, cloud-enabled, threat-centric, digital DNA, big data, software-enabled. And I'm going to pick on SANS here: what the hell is a forensicator? I just want to know. Yeah, well, there's a machine learning one too, but we're going to get to that.

The first time I gave this talk, I gave a very short version of it that unfortunately didn't go well at BSides San Francisco, and it happened to be the same time as RSA. So I went to the RSA vendor area, and I couldn't have planned it better. I saw this. What in the world? Wow. First of all, the marketing people didn't think this through very well, because I don't know that I can say CoIP in polite company; it just sounds dirty, right? Second of all, cloud is somebody else's computer. Unless you're running Novell NetWare, it's probably going to be over IP, so it just seems a little redundant to me. Anybody here running NetWare, or IPX/SPX? I'm just curious. No? All right. Don't laugh; I still have WWIV source code in C on a floppy disk. I still got it; I'm that old. So when I see Cloud over IP,
the first thing I think is, yeah, you know, cloud is made of servers, and then I look at the vendor kind of like that, right? I don't even have words for that kind of language.

So how do we get past the marketing speak? Well, we're going to computer-science the hell out of it, right? We're going to talk about a little computational theory. So there's this guy, you may have heard of him; his name was Alan Turing, and he developed this thing called a Turing machine, which is an abstract machine, a mathematical model used to prove fundamental limitations on mechanical computing. Something is said to be Turing complete if it's theoretically capable of expressing all tasks accomplished by a computer. This is any computer; I don't care if it's an IBM mainframe, I don't care if it's your iWatch, your iPhone, your Android, your PC, your Mac. This is all computers. And automata is this field of discrete math that studies computers and the problems that can, and more importantly cannot, be solved by computers.

So very roughly speaking, automata breaks up problems into three categories. There are solvable problems; these are considered easy, and they can be solved in what's known as polynomial time. There are intractable problems, which are hard. And there are undecidable problems, which are impossible. It doesn't matter how fast your computer is, it doesn't matter how much RAM or how much hard drive you have; you can use the entire AWS resource pool and you are not going to solve this problem. So I'm not going to talk about the easy problems. We're going to talk about a hard problem and an impossible problem, and then I'm going to show you how those are enough for you to tell that you're buying snake oil from vendors.

So, one does not simply solve an NP-hard problem. Okay, so what is an NP-hard problem? I'm going to describe one to you. The most famous one is known as the traveling salesman problem, and traveling salesman, or TSP as it's known, is explained this way: given a list of cities and distances, what is the shortest possible route where the salesman visits each city and returns back to the original city? Seems fairly simple, right? Not that hard. Remember that there's only one optimal path; there is only one correct answer, and that answer is the most efficient. It's not sufficient to be efficient; you have to be the one most efficient answer. And it turns out that this problem is really hard for computers, and the reason it's hard is this. Let's pretend that we have a traveling salesman and you just have five cities, right? So when you start out, how many cities do you have to choose from? You have five cities; you can start at any of the five cities. All right, I'm going to pick my starting point. I had five cities, and then how many do you have left to choose from? We have four, and then we've got three, and then two, and then one. What mathematical function does that look like? Looks like a factorial, right? So it turns out that the running time is factorial, so that is non-polynomial time. The number of cities is n and the running time is a factorial of the sample size that I have. So the running time for this thing seems relatively simple, but it's factorial time.

So let's think about this. If you have to generate the most efficient path to go from New York to San Francisco, there are 19,354 cities in the United States, and you have to try every possible combination in order to get the optimal answer. If you do that factorial and you do one calculation per millisecond, it takes you 110 centuries to solve, right? Almost 111 millennia. Who wants to hang out for that? Anybody? No one? There's always one, right? So, a deceptively simple problem. It's certainly easy for me to describe, but there are a lot of calculations involved. So why do I care about TSP? Well, you care about TSP because TSP is analogous to a lot of problems that we want to solve in computation:
optimal routing, right? I want my packets to get from point A to point B by the most optimal path; well, that's a TSP problem. Detection of man-in-the-middle or race conditions, that's a TSP problem. Resource use optimization, search algorithms, crypto problems: basically anything where you want optimization is going to be reduced to a TSP problem. Yes, sir? "If you don't know the optimal routing, how do you know that you don't have a man-in-the-middle attack?" Yeah, okay. So if solving the traveling salesman problem is hard, then solving all of these problems is also hard to do via computation.

So right at this point somebody goes, "Hey, look, I drove here from wherever and I used GPS and it got me here, and it definitely did not take 110 millennia." So let's examine how that happens. GPS works because it makes a bunch of assumptions on your behalf, and some of those assumptions make sense. Your starting point is going to be right where you are; it's not going to be any of those 19,000 cities. Your starting point is where you are. It's going to make assumptions that interstates are faster than rural routes and rural routes are faster than farm roads. Then you're going to tell it, don't show me toll roads and don't show me ferries, and it's going to assume things like loops are bad. Those assumptions drastically reduce your calculation space; they drastically reduce the sample space, and so you get a workable solution. Notice I said workable; it's not optimal. Well, in the security space, if it's not the most optimized solution you're going to have type 1 and type 2 errors. That means you're going to have false positives and you're going to have false negatives.

So who's ever followed their GPS and ended up with something like this, right? Where it goes, "Yeah, turn left here," and you're looking at a building. That's when those assumptions fail. And it's okay most of the time, because most of us aren't playing Pokémon Go while we're following GPS directions, and we can actually look left and see the building, so we don't actually turn into it. So traveling salesman is hard, but you can solve it if you make some assumptions. Those assumptions have to be good assumptions, but how does that saying go about assumptions? Yeah, I'm not going to say that because I'm being recorded, but yeah, something like that. So if the vendor tells you that they're solving a hard problem, they're making assumptions. You probably need to figure out what those assumptions are, so ask the vendor.

So that's a hard problem. Who wants to see an impossible problem? It turns out that the impossible problem is actually easier to explain in theory. Now remember, when I say impossible problem, this means that
no computer ever following the Turing model will be able to solve this, period. It's not a Moore's law or House's law problem; it's not a resource problem; it's not a quantum computing problem. Until we do something fundamentally different than what Turing suggested, we're not going to solve it. So here it is: given M, an arbitrary Turing machine with an input alphabet sigma, let omega be an element of the set of all possible strings. Will M halt on input string omega? Who remembers this from automata? Awesome. The rest of you are looking at me like this. All right, let me draw you a picture. I'm going to draw a picture. Here it is. So there's your picture: there's your Turing machine M and your input omega; you're going to compute, and then you've got a decider state. So given the reduction state, if the Turing machine state is decidable, then this is a decidable problem. No? No standing ovation? All right, KISS principle: keep it simple, stupid. Here we go. Given a computer program and an input, you will not be able to determine via computing methods alone whether it will ever finish running. So I give you a program, I give you an input to the program, you feed it to some analysis computing machine, and it's never going to be able to definitively tell you if the program will finish running with that input.

Why is that? Well, let's consider the options. You've got this big analysis computing machine running on the AWS cloud somewhere, and you feed it the computer program, you feed it the input, and it finishes. Woohoo, success. But what if it doesn't finish? Well, it might be stuck in an infinite loop, or it might be running properly and it just needs more computing time, and you never really know if it needs more computing time. So you wait an hour and you pull it; maybe it needed an hour and ten minutes. You wait a week; maybe it needed a week and one day. So you never really know. Or possibly it just hasn't accepted the upgrade to Windows 10; I'm not sure. But either way, you don't know why it didn't finish running; you just know that it hasn't finished running. So this is basically a logic problem. There's no way to get around this, and it's not a computing issue. I'm always going to be able to develop some program and some input that's going to run a little bit longer than you're willing to wait.

Okay, so certain problems are provably undecidable, therefore impossible by computing, and so they're going to require substantial assumptions to be made. Same thing for hard problems. And so vendors are going to come to you and they're going to tell you that they solve one of these hard or impossible problems. So can anybody tell me what the halting problem is analogous to? Yeah, antivirus. "This code is definitely bad; it's definitely malware." Well, if you've got a signature, then sure, it's malware. But if you don't, then I don't know; I can't tell if it's going to halt, let alone if it's bad.

So when they claim they solved a difficult problem, hard or impossible, let's just assume that they have. I'll give you the benefit of the doubt; you're all fine individuals, you're infosec professionals like I am. Then I'm going to imagine that I can take that vendor solution and I can package it in a chip, and then I'm going to use that chip to see if I can solve an undecidable problem. And if I can use your proposed solution to solve an undecidable problem, then I'll have a proof by contradiction, because I know I can't solve an unsolvable problem, and if your algorithm solves an unsolvable problem, you also didn't solve your problem, right?

So the vendor says, "We detect 0-days." Now, let's be fair to the vendors. I've not heard... actually, that's not true, I've heard one vendor actually tell me, "Our new next-generation product solves all 0-days, finds all 0-days." Normally vendors are a little bit smarter than that. They leave themselves an out and they say, "We detect 0-days." We want
to hear "we detect all 0-days," but they rarely say that. So let's assume that's true. Let's assume they've got this 0-day detector with this magic inside, and then we're going to put that magic 0-day detector inside of the halting machine, and I'm going to define all halting states as safe code and all non-halting states as malware. Cool, I solved the halting problem. But I can't solve the halting problem. If I can't solve the halting problem, then you can't give me a 0-day detector. That's just not how it works. So that's what's called a proof by contradiction.

Except that, earlier this year, April 19th, MIT releases this thing saying MIT builds an artificial intelligence system that can detect 85 percent of attacks. MIT's got some smart folks. Who believes that? Anybody here believe that? All right. So I got forwarded this by like 600 people, maybe not quite that many, but I've given this talk before and I got forwarded this: "Hey, look, the MIT guys, they figured stuff out; they're smarter than you." And I went, okay, yeah, they're smart. I didn't go to MIT; I went to a different school. But let's read the fine print. So I went to the MIT homepage, because I thought surely the mission is accomplished and I'm out of a job now, and I read their assumptions, and it says it presents its findings to a human analyst, and the human then identifies which events are actually real events and which ones aren't. So I'm just imagining this big box with blinky lights, and there's like a person inside of it that takes a slip of paper and goes, "No, this one's real and this one's not." Really? You too, MIT? Come on. I just can't.

But never mind the details; let's just go with that 85 thing. 85 is pretty good; that's a solid B. So let's say one hundredth of one percent of people on the planet can write you one 0-day a year. Seems like a reasonable number: one hundredth of one percent, one 0-day a year. So let's look at China, which has 1.35, almost 1.36 billion people. One hundredth of one percent write you a 0-day, and 85 percent of them are detected. So they write thirteen thousand, thirteen and a half thousand 0-days a year; we detect 85 percent, that's eleven thousand; that leaves two thousand and thirty-six unidentified and unmitigated 0-days a year. And that assumes that we block 100 percent of known attacks, that those humans that get that input make instant decisions, and that they're always right, because humans are infallible; that's why we have computers. So 85 is really not so good.

So what about malicious traffic and TCP? I picked on AV; let's talk about TCP. You know those next-generation firewalls? How many next generations are we up to? This is actually my third next generation: we had the first generation, then we had next generation, which was second generation; I can't wait for the next next generation. It turns out that TCP is Turing complete, and Turing complete means the halting problem applies, and if the halting problem applies you can't look at packets and positively identify all bad traffic. You just can't; it's a halting problem. And so that next-generation firewall, it's going to make things a little bit better, but it's just not a panacea;
it's just different kinds of signatures that are going to be bypassed in new and different ways, and in old and known ways. But if that wasn't bad enough, we've got this thing called the von Neumann architecture. Most commercial systems, and there are one or two exceptions, have this key feature in their architecture where instructions and data share the same code space, and on top of that, instructions and data are represented with the same assembly-level language. So given an arbitrary hex 41 on x86 architecture, it may be a capital A or it may increment the ECX register. And every exploit, every exploit, takes advantage of the fact that you're expecting data and I'm feeding you instructions. In the case of return-oriented programming, the instructions I'm feeding you are jump instructions, where I'm going to find arbitrary gadgets of assembly code already existing in your memory space from completely legitimate programs, and I'm going to dynamically build my payload on the fly. So even data execution prevention and address space layout randomization, they're not going to stop us, and that's just kind of where we're at today. So it's pitch black and you're likely to be eaten by a grue. For you old people, there was this text game called Zork; you should look it up.

So here's where we're at: we can't optimize resources, because the traveling salesman problem says we can't. We can't identify malicious traffic logic, because the halting problem says we can't. We can't tell if our program will even stop, let alone give us a correct answer, because that's also the halting problem. And it's worse: we can't even tell if what we're reading in memory space is data or if it's an instruction. So, anybody want to give up? The bar is right over there. The bar's right over there.

So how do we live with no 0-day detection? The vendors will claim they can detect some zero-days using signatures and heuristics, which are really just statistical models, which is fine. The way that they're doing that is they're making assumptions, and they're making those assumptions so they can reduce the problem space, so they can give us a workable solution. Again, remember that workable solution is non-optimal, so you're still going to get those false positives and false negatives. So we, as consumers of those products, need to talk to the vendors and ask them: what assumptions are you making? Then we need to validate that the assumptions that they're making are sound and make sense in our operating environment.

So let's walk through an example. A vendor walked into my office a couple of months ago and said they have this next-generation vector-based algorithm for behavior-based network modeling that can detect all malicious activity on the network. What does that mean? All right: next generation, meaningless marketing term, means nothing; it's a null. Behavior-based modeling means heuristics or a statistical model. And vector-based algorithm means it's directional. Okay, so is it a valid claim? Absolutely not. They are not going to detect all malicious traffic. Can they detect some malicious traffic? Yeah, probably. Is it useful? I don't know; it depends on your operating environment. But let's see.

Let's talk about an ICS/SCADA system. Why are we going to talk about an ICS/SCADA system? They are a physical system, so there's a computer component and there's a physical component. I don't know anybody that has anything nice to say about the state of security in ICS/SCADA. It is horribly, horribly broken. ICS/SCADA systems are still learning rules that the PC industry figured out in the early 1980s. They're difficult to patch, if they're ever patched, and they're missing traditional defenses. So when you look at ICS/SCADA, these are all old Motorola controllers in some places, old ARM controllers; they don't have data execution prevention, they don't have address space layout randomization, they don't have antivirus, they don't have IDS, they don't have any of that stuff that protects us on our Windows and Mac networks. And the protocol, while it's well understood, is still Turing complete. So basically these ICS/SCADA networks are as bad as they're going to get. So let's
see if we can make it a little bit better. So what are the protocol assumptions? Well, again, we understand the protocol, but it is Turing complete, so halting problem: we're not going to detect all bad traffic. But ICS is still a fairly robust protocol. We are probably not going to use all of the ICS protocol messages in our own unique implementation, so let's just look for the ones that we're not going to use and cast those out as malicious traffic. I'm also going to make the assumption that my ICS data network is my ICS/SCADA network, and so I'm not going to see a whole lot of internet surfing; I shouldn't see any internet surfing. I shouldn't be seeing managed code like Java or Flash or Shockwave or all those things that get you pwned on a daily basis, and I'm going to assume that I'm not going to have any Pokémon Go on this thing. So there's my protocol assumptions.

And then ICS/SCADA has a physical component as well. These physical components are pumps and valves and pipes and generators; I mean, these are big honking industrial systems, and those things are engineered to very precise failure tolerances and they have physical limitations. When they're engineered, they're engineered to work within certain heat ranges, to work within certain pressure ranges, to work within certain speed ranges, to heat up and cool down at very, very precise rates. So anything outside of that would be anomalous, and I should keep track of that.

And then I'm going to make these operating assumptions as well. I've got these SOPs; the industrial process is going to be well understood. Again, these are large, very expensive factories, very large and expensive machinery, and so we have these standard operating procedures and actions, and anything outside of those actions should be anomalous. Now, there are times when we go into emergency response procedures, and that allows us to break out of our normal SOPs, but again, we should know that we're doing something anomalous. And not every component in my industrial complex needs to talk to every other component; if the wrong valve is trying to send a message to the wrong pump, we've got a problem.

So when you put those three operational circles together, your physical constraints, your valid protocol messages, and your procedural constraints, it turns out that really this is the space that we need to operate in. That is really all we need to monitor, which is a heck of a lot less space than all of this. So that vector-based heuristic engine, it might be okay; it might make things a little bit better.

So, key lessons. Almost no security problem of real interest can be solved optimally by automation alone. We're going to need security analysts; we're going to need smart people that read our IDSes and IPSes and understand what's really going on. We need people that understand the technology and can actually make sense of what our sensors are telling us. We can solve portions of these problems by making assumptions and understanding the risk, but when we make those assumptions we need to understand that there is some inherent risk in making those assumptions. Different vendors are going to make different assumptions; that's actually a good thing for us. I know we've all been hearing "defense in depth" for a long time, but if you buy from multiple vendors and they all make different assumptions, then maybe vendor B can catch an assumption from vendor A. It makes it harder to manage things, I understand that, but it does make things safer, and security is not free. Understanding the fundamental limits of computing is going to help you identify snake oil. Really, you can get by normally on TSP, von Neumann, and the halting problem. If you understand those three, you can sit across from a vendor, and when they tell you that they detect all 0-days, you can go, "Really? Halting problem." And if they don't know what that means, tell them to bring you an engineer or computer scientist that does. And automation is great; it's going to help you reduce the noise, but it's just
not going to solve the problem for you.

So for the vendors: please, please, please be honest in your claims. Send me an engineer or a computer scientist; I have questions. Salespeople are great for touching base with your contacts, they're great for making new connections, they're great for maintaining connections, but if I'm going to spend a lot of money on a product, I want to talk to somebody that can tell me what's under the hood, because I'm going to peek under it and I want to kick the tires. Your assumptions and methodologies are not secret sauce. If you need to have me sign an NDA so that you can tell me how your product works and what assumptions you make, then by all means; I've got no problem signing an NDA. But if you're not telling me these things, I'm probably not going to buy your product. And for goodness' sake, quit selling me marketing speak. I am tired of reading an entire book full of literature and not understanding what your product actually does after it. That "next-generation cloud-enabled software-defined heuristic-based virtualized threat-centric multi-year end-to-end analytics adaptive cyber defense Cloud over IP" pew-pew is not worth the glossy paper it's printed on. And if you think that's overkill, please go read some of these vendor pages. You will get really excited after reading about two pages of text and realize that you still have no idea what that product does.

So for those of us that buy these products: the vendors actually have some pretty smart solutions, but you have to understand what the limitations are. If they're making claims that are too good to be true, they probably are. Ask them how they're reducing the problem space and ask them what assumptions they make, and then, more importantly, validate those assumptions; make sure that the assumptions they made make sense in your operating environment. Learn which problems can't be solved by computers and which can't be solved easily. And realistically, human operators and hunting combined with defense in depth is still your best solution. It's going to be your best solution in 10 years; it's going to be your best solution in 20 years. So the next time a vendor comes to you and tries to sell you Brawndo the 0-day Mutilator, ask them to tell you again how they solved the halting problem. So with that, are there any questions?
So I think one of the previous speakers mentioned the benefit of combined machine and human analysis. How does that play into the assumptions, and how can it help balance out what the machine's doing and improve the overall outcomes?

I absolutely agree. I was actually here for that presentation, and that's actually right here in this slide where I talk about the good system. What he talked about was automation with a good system. So here's your good system: understanding the assumptions and understanding what the machine's going to decide for you, and then those human operators actually going through and validating what the sensor is telling you. So I absolutely couldn't agree more.

So the idea would be that the machine is acting as a kind of first-level filter to prioritize things for the human?

Yeah, absolutely. The machine is a first-layer filter to reduce the noise and allow the human operator to spend time looking at things that they really need to spend time looking at. The low-hanging fruit, by all means, please let the automation take care of that, and then the people can spend their time chasing down worthwhile threats.

Do humans suffer from the same problems that the machines do, as far as the halting problem and such?

Humans suffer from different problems. So no, I mean, the human can make the decision that "if you haven't told me that this thing has halted by now, I'm not interested in it." A human can make that decision; the machine really can't. The machine can do it if a human tells it to. The problem that humans have is they suffer from boredom, and in some cases they suffer from a lack of education and training, and in some cases, most of us, they suffer from a lack of sleep. And so again, it's one of those things where the assumptions of the machine and the assumptions of the human operator kind of back each other up, because we suffer from different problems. Yes, sir?

Yeah, thanks for the talk. I think you're not really going far enough in your criticism of these products. I think one big aspect that you haven't mentioned at all is that these products can introduce risks, and these risks increase with complexity, because what we're seeing with a lot of these next-generation things is that these scanning engines become so complex that that introduces a whole lot of vulnerabilities. There was some interesting stuff by Tavis Ormandy where he found that some antivirus was kind of emulating what the program would do, and if it cannot emulate the function it would call the one from the system, and thereby you could get code execution through the antivirus. And also, you're totally right that you're hitting these theoretical borders if you're trying to get a perfect detection, but I don't think you're hitting any theoretical borders trying to build a system that just doesn't execute foreign code. So my question would be whether the whole detection approach isn't the wrong way of going, and instead we should design a system that is secure by design. And I think there's a lot of interesting research coming from the LangSec community which doesn't get nearly the amount of attention it should get.

Yeah, so I agree with just about everything you've said. So as code becomes more complex, and that's any code, it's not just antivirus, you're going to have more mistakes, because people write the code. It's funny: when you look at antivirus, they actually use a lot of techniques used by exploit code. So library call hooking and, you know, root kernel interrupts and those kinds of things; that was all developed originally by malware authors, and it's now being used by antivirus firms. A lot of the things that EMET does for Microsoft, and I'm a big fan of EMET, but it uses a lot of malware techniques in order to detect malicious code. To answer the other question about the detection: LangSec is doing some great things, but until I can tell the difference between an instruction and data, because I've got two entirely different memory setups for those, we're just chasing up the wrong tree. As soon as I mix data and instructions, they're both represented in the same language, I'm stuck, and so now I can't tell the difference between data and instructions. And so your program expects data, I actually feed it instructions and convince the kernel to execute those instructions on my behalf. That's the real crux of the problem with the von Neumann architecture.

No, we just need to change, you know, the construction and architecture of every computing platform we currently use.

But no, it's not unsolvable. None of these... no, no, no, I agree with you. It's just a matter of, you know, somewhere along the line we chose to do it this way for a reason. We need to go back and re-verify that the reason we chose to go down that path, that those assumptions, are still valid. I don't think when they chose to build the von Neumann architecture they were really thinking about the future of infosec. I think they were just trying to think about how do we crunch numbers as quickly as possible with as little hardware as possible. So you're right, this may be a time to go back and re-examine those assumptions. Please.

So I'm going to break up the tech talk with a sort of soft-skills, people question related to this.

Yes, please.

So you mentioned demanding to talk to an engineer, and so I'm just curious then, again for tips for people if you have to deal with this: if the vendor is reluctant to do that, what's considered a deal breaker? When do you pursue it harder? How do you deal with the pushback if they don't want to cooperate with that? So more like the soft skills: how do you deal with it?

So, great question. I have found that as soon as I tell the vendor "okay, I'm done talking to you, I'm not going to consider your product," they're pretty much willing to give me whatever I want. Now, I have had some vendors go "look, I'll discuss this with you, but you need to sign an NDA," or I'll suggest "look, if you need me to sign an NDA, I'm happy to do that." But normally vendors are pretty good once they realize that they're not going to get any further with you. If you're a small business it's much harder, but if you're a larger corporation, yeah, it's amazing what they'll do when there are hundreds of thousands or millions of dollars on the line. And I've never had one significantly push back on that, not even in government, and that's saying something. Any other questions? Okay, well, with that, here's your vendor bingo card to go out there and go through the vendor space. Thank you so much, and I will see you around.