bashing your head against nation-state social engineering

Troy Benjegerdes hozer at
Sat Sep 27 09:03:04 PDT 2014

the recent bash exploit seems to have all the hallmarks of a sophisticated
nation-state attempt to insert backdoors into debian and lots of embedded

Any thoughts? How do you defend against an adversary that uses social
engineering and psychology to convince developers to add a new feature to an
'essential' package that can then be exploited?

To any of you in the NSA and NNSA with clearances, here's a question for
you: how many US government systems have bash installed, and can your admins
running the world's largest supercomputers run them without having a pre-loaded
exploit train pre-installed?

This is like the mother-of-all advanced persistent threats, so it would be a
good idea to figure out a way for those of you might know, but can't publicly
disclose to figure out how to let the rest of us know how to defend against

Maybe DARPA will post some interesting new RFPs?

Troy Benjegerdes                 'da hozer'                  hozer at
7 elements      earth::water::air::fire::mind::spirit::soul

      Never pick a fight with someone who buys ink by the barrel,
         nor try buy a hacker who makes money by the megahash

More information about the cypherpunks mailing list