View Full Version : Cyberwar Panel
Roguish Lawyer
03-17-2012, 12:14
Good stuff with an SF Major on the panel here:
http://www.youtube.com/watch?v=buY3I4PkK98
no-hertz
03-26-2012, 23:31
That MAJ works out here at Carson, very knowledgeable guy to talk to.
He also received some front-page real estate on th3j35t3r's WordPress blog in regard to his speech at AFCEA, and also a SANS paper he wrote detailing th3j35t3r's attack methodology.
Interesting stuff.
Roguish Lawyer
03-27-2012, 07:52
That MAJ works out here at Carson, very knowledgeable guy to talk to.
He also received some front-page real estate on th3j35t3r's WordPress blog in regard to his speech at AFCEA, and also a SANS paper he wrote detailing th3j35t3r's attack methodology.
Interesting stuff.
That's where I found it. :)
Good stuff, the Maj. is definitely spot on with regards to the fact that cyber-warfare is indeed asymmetric, established "fortress doctrine"/defense in depth theories do not work here, and he does a great job of driving that home. Thanks for the post RL!
Paper is here: http://www.sans.org/reading_room/whitepapers/attacking/jester-dynamic-lesson-asymmetric-unmanaged-cyber-warfare_33889
It's a good analysis of th3j35t3r's past activities, but I am not entirely convinced of his capabilities overall.
When you come to understand how much *security* costs vs. the security that is actually provided, and the business culture vs. security (is security an integral part of the business and product development, or check-the-box compliance?), you will begin to understand why companies like Sony and STRATFOR and government agencies like the CIA, FBI (Infragard) were so easily breached.
The definition of asymmetric here isn't David vs. Goliath: these aren't lucky shots or one-off attacks against hard, static defenses; the defenses aren't very hard, nor very static, and the shots were well aimed at some *hardened*, *secure* COTS black box or software package which turned out to be as secure as a 2 1/2 ft. picket fence.
End rant...My .0002
no-hertz
03-27-2012, 20:08
He is a great guy to talk to but damn I hope you had your coffee that morning. Man knows his way around pen-testing and network security. He had a different job for a while before coming out to tenth group that was similarly impressive.
Wish I could make metasploit my bitch like he does.
He is a great guy to talk to but damn I hope you had your coffee that morning. Man knows his way around pen-testing and network security. He had a different job for a while before coming out to tenth group that was similarly impressive.
QP no-hertz,
Oh, I had my coffee alright :D The man definitely knows his stuff, and th3j35t3r may too. My point was that the skill level required to break into major corporations using *secure* COTS software isn't very high. Like Metasploit, these days it's point, click, pwn; there aren't many (like the Maj.) who really know what goes on behind the scenes. MSM and "experts" looking for their 15 minutes usually end up attributing more skill than deserved to the likes of Anonymous, LulzSec, etc. I guess it's all subjective though; I have been called "hacker, security expert, researcher, etc." by SC, PC World, ZDNet, CNET, etc., and I don't even consider myself more than a professional who knows a thing or two, but far from an expert ;)
Wish I could make metasploit my bitch like he does.
It's been a while since I played with/wrote modules for Metasploit. Time to get my head back in that game; I should probably update some of my modules to deal with DEP and ASLR. All in due time... :lifter