bashing your head against nation-state social engineering

[Troy Benjegerdes]

the recent bash exploit seems to have all the hallmarks of a sophisticated
nation-state attempt to insert backdoors into debian and lots of embedded
devices.

Any thoughts? How do you defend against an adversary that uses social
engineering and psychology to convince developers to add a new feature to an
'essential' package that can then be exploited?

To any of you in the NSA and NNSA with clearances, here's a question for
you: how many US government systems have bash installed, and can your admins
running the world's largest supercomputers run them without having a pre-loaded
exploit train pre-installed?

This is like the mother-of-all advanced persistent threats, so it would be a
good idea to figure out a way for those of you might know, but can't publicly
disclose to figure out how to let the rest of us know how to defend against
this.

Maybe DARPA will post some interesting new RFPs?

-- 
----------------------------------------------------------------------------
Troy Benjegerdes                 'da hozer'                  hozer@hozed.org
7 elements      earth::water::air::fire::mind::spirit::soul        grid.coop

      Never pick a fight with someone who buys ink by the barrel,
         nor try buy a hacker who makes money by the megahash