
Downclimb: Summit Route’s Weekly Infosec News Recap
2015.12.27 – 2016.01.03:
To receive a weekly email notification of this newsletter, email


“I am routinely astonished at how little people understand the concept of “cyberwar”, and, subsequently, “cyberweapon”. Remember that anything that gives access to another machine w/o consent from the author can be turned into a cyberweapon in an instant. This includes, crucially, auto-update features - in a “real”, serious conflict, update-signing keys are valid weapons. With the right signing keys, any firmware updater turns into a hardware-destroying “weapon”. Control of the software and update infrastructure are the most crucial strategic weapons a nation can acquire. I don’t need a windows exploit if I have control of a good part of the backbone / traffic and the MS update signing keys.” halvarflake


“‘APT reports serve as attacker QA’ is a valid reason for not going full disclosure if u cant shut down the attacker” @pinkflawd


“It’s much easier to train users if there’s no way they can get it wrong.” Matthew Garrett


“Any sufficiently advanced antivirus is indistinguishable from mediocre malware.” Carlos Pizano Uribe


“All the insults thrown at me from the Apple corner do not change that the fastest way to get 0day is to just recheck what they say fixed” Stefan Esser


“If you have more certs than years of experience on your resume, you are doing it wrong #getrealworldexperience” Laughing_Mantis


“2015: your SSN was stolen multiple times and even the companies with two factor still use it for account recovery.” Greg Castle


Top stories

A History of Hard Choices

This post recounts the history of deprecating weak SSL/TLS certificate technologies such as MD5 signatures, 1024-bit keys, and most recently SHA1, and specifically points out Symantec’s repeated non-compliance with those deprecations. It exposes the scary world of certificate authorities, on which all Internet trust rests. It is a broken system.

Yandex worker stole search engine source code, tried selling for just $28K

This post describes how an employee at Yandex (Russia’s version of Google) tried to sell the company’s source code for as little as $28K. It shows that although companies themselves and many outsiders may view certain assets as valuable, their actual value on the market can be quite low. For example, Yandex appraises its source code at around $14M, but the insider was unable to sell it for even $28K.

Newspaper News

  • Database with 191 Million US voters’ personal data exposed online: A lot of news was made over publicly accessible data of 191M US voters, that provided names, addresses, and voter status. Unfortunately, this data is made publicly available by law, so it’s not actually wrong for this data to be exposed online. This company has been making the data available for free since 2012, so it’s unclear what, if anything, is “wrong” about this. I’ll admit, I don’t like that this data is available, but it’s not a breach or misconfiguration.

Conference materials and publications


  • osxlockdown: I wrote a tool to check for and remediate security configuration settings on OSX. These are more aggressive settings that disable various features to reduce the attack surface of the system.
  • CrowdStrike/travel-laptop: This open-source project uses coreboot to load the GRUB2 bootloader from the firmware rather than from the hard drive, so that an encrypted laptop’s boot chain is better protected.

Other reads

“The extension is so badly broken that I’m not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it’s a PuP.” Tavis Ormandy, where PuP means something that should be considered to be flagged as malware.