Quiet Professionalism of Defense Can Mean Cyber Offense Gets All the Airtime

I find the “Unsettled Question of Offense vs Defense in Cyberwarfare” article quite misleading. For example, it frames the problem as follows:

…there is the belief that cyber weapons are different in that they favor the offense. Cited for advancing this argument are the plethora of computer vulnerabilities, the low financial cost of hacking, and the lack of penalties for discovered attacks.

Simply turn that around and the attackers are riddled with vulnerabilities, are inexpensive to counter-attack, and penalties are minimal if discovered.

OK, so the last point may not be true, which is why defensive teams tend never to talk about the defensive measures they use to counter-attack and “destroy” attackers (disclosure can sometimes mean the destruction of the defensive tactic itself).

More to the point, it hasn’t been proven beneficial for defensive teams to expose counter-attack methods, and that silence gives the impression of a debate being unsettled.

While some might say there’s a deterrence possibility in exposing defensive capabilities, a much larger issue is that counter-attacks are rendered less effective when known beforehand. Also, any counter-attacks given widespread exposure, or self-defense methods if you will, can get mired in legal and regulatory channels that take a very long time to resolve.

We’ve written about strategic advantages of active defense for almost a decade on this site, so hopefully it’s not news to anyone.

Also I find the article’s cyberwar definition a bit wobbly:

Cyberwar, like its regular counterpart, requires material damage such as destroying assets, disabling weapons that rely on digital components, and disabling the critical infrastructures that power the machinery of war. It is these physical effects, and how they complement military actions, which determine whether a weapon is defensive or offensive in nature.

Physical effects don’t determine defense or offense. Cyberwar doesn’t require material damage any more than a trade war does.

And I disagree here too:

If the offense has the advantage in penetrating systems, the defense has an offsetting advantage in understanding their own complex systems.

As I said above, while the defense may have the advantage in penetrating attacker systems, an attacker may also understand defensive systems better than the defense does.

I’ve seen many defensive teams mostly unaware of how their own environment works, while attackers (or auditors, for that matter) spend significant time documenting things carefully to prepare their best entry point and the cascading damage that follows. Heartland is a great example of this. The exfiltration of cardholder data was masterfully baked into existing business processes and therefore went undetected.

Here again, I disagree:

Not only do cyber weapons require specialized skills to deploy, but the operator must also understand the targeted analog system to achieve their desired effect.

Many weapons are commodity-based now and used blindly. Metasploit brought the skill level down dramatically, for example: load a new module into the running platform, fire and forget. Some weapons are so unskilled and untargeted that they run all the time all over the Internet, just hoping someone, like an oil platform or a factory, becomes a victim.

Finally, on this next point I agree somewhat:

…we do not know what effect cyber weapons will have on mechanical military systems, their tactical or strategic value in war, or how lasting those effects will be…

Hard to predict the future, yes. However, we have a pretty good idea that any system lacking basic controls by default (e.g. authentication) will be devastated by simple attacks and will be hard to defend (e.g. people grabbing weak templates and deploying them faster than fixes or configurations can be updated).

The chance of widespread outage on weak systems gives cyberweapons strategic value, both for attackers and defenders. I believe, though, that we will continue to hear a lot of news about attackers exploiting vulnerabilities, and little to nothing about defenders doing the same.

Case in point, there’s a very recent BBC story from India:

fraudsters had the tables turned on them as YouTuber Jim Browning was able to hack into the call centre and access recordings of scam phone calls and even watch live CCTV footage exposing the criminals at work… Indian police raided the premises of Faremart Travel Private Limited in Gurugram, within hours of the videos being released.

Further back, in 2013, there’s a story that nobody reported about the giant PR campaign “skyjack” being vulnerable on launch. Skyjack very proudly accumulated press names like a tin-pot dictator in a polyester suit covered with shiny badges:

Press: Ars Technica, TechCrunch, BBC, NBC, Huffington Post, VICE, Mashable, Gizmodo, Engadget, Gizmag, NewScientist, The Escapist, Tom’s Guide, Popular Mechanics, Discovery, Entrepreneur, Washington Times, eWeek, Hack-a-Day, ThreatPost, RT, PC Mag, Slashdot, ComputerWorld, Mother Jones

That’s a ridiculous amount of air time for a broken Perl script.

Likewise, the skyjack videos start with the camera pointed at the author’s face and are mostly him as a talking head. Social entry feels like an understatement for attacker motivation here.

In any case, within hours of release he was forced to update the code when Afan Ottenheimer spotted bugs in it and easily knocked skyjack out.

I tweeted about it on December 4, 2013, and while that led to a fix and initial credit, the author then removed credit to others and covered up the fact that the flaws were reported by defenders publishing the incredibly stupid class of bugs in skyjack:

As I said before, attackers are riddled with vulnerabilities, are inexpensive to counter-attack, and as for penalties… well, they may be minimal if discovered, but you can be sure attackers also don’t give anyone else the kind of credit they crave.

Update March 4th: A defense analysis article called Error 404 reminds us of a 2007 infiltration of computer systems to disguise kinetic measures.

A cyber attack was delivered into the Syrian IADS which presented a false live recognised air picture to Syrian air defenders which masked the radar tracks of the incoming Israeli jets.

1942: British Get a Good Laugh From Rommel’s Crude Propaganda Attempts

PsyWar hosts a photo gallery with some interesting history, such as this one from WWII:

Indian troops in the Egyptian desert get a laugh from one of the leaflets which Field Marshal Erwin Rommel has taken to dropping behind the British lines now that his ground attacks have failed. The leaflets, which of course are strongly anti-British in tone, are printed in Hindustani, but are too crude to be effective. (Photo was flashed to New York from Cairo by radio. Credit: ACME Radio Photo)

The Australian War Memorial gives a sample of the crude work. Here’s a leaflet dropped by the Nazis on 22nd August 1942 at El Alamein, meant to unsettle Australia’s 9th Division.

The platypus boomerang is a dubious choice for leaflets meant to hurt morale, as it simply reinforced the official blazon of the 9th, as you can plainly see here:

Australian 9th Division Cavalry Regiment. British Vickers Tank, Light, Mk VIB

Update September 2021: Armchair Historian gives us his perspective on India in WWII.

See also, headlines from Operation Bertram and Operation Torch reporting how easily and badly Rommel was routed by the British:

Rommel was impatient, hot-headed and disagreeable. His work often was beset by predictability, simple planning failures (e.g. communications and supply) and lack of accountability.

His troops ultimately were crushed by Allied forces in the summer of 1942 and, perhaps most notably, he abandoned them by 1943. A good thing too, given his personal role in the spread of horrors from an unthinking devotion to fascism:

…empowered to “take executive measures against the civilian population”, Nazi jargon for robbery, murder and enslavement.

Here’s a perfect example:

“The Germans expected to seize Lyon quite easily,” Fargettas recounted. “But on the morning of June 19, they faced very strong resistance, in battles lasting for several hours. After the Wehrmacht won the first battles in the afternoon, they executed French as well as African prisoners. But on the next day – after the last pockets of resistance were defeated – they divided the prisoners into two: The French on one side, the Africans on the other. They led the latter down an isolated road. They were sent to a field and machine-gunned.” During these massacres, some French soldiers were also executed or wounded for trying to intervene.

Mass executions of POWs and obvious violations of the conventions of war in the Chasselay Massacre were not the exception. Rommel was directly involved in an illegal execution of a French Colonel in 1940.

Hiding such obvious failures of leadership while cooking up a “famous reputation” for the Nazi General was propaganda by German military intelligence. In other words, there was a concerted effort by Rommel and his peers to conceal their ongoing atrocities from the Allies. Such propaganda was spread around Europe in an attempt to hide reality and “morale boost” troops facing an unavoidable defeat.

I mean by 1942 it was very clear that Germany had no chance to win — it became a question only of how long the Germans would continue to make terrible life choices.

Source: “Images of War: The Armour of Rommel’s Afrika Korps” by Ian Baxter. Rommel’s men show utter disgust with him as their leader, while the “unbeatable and unbearable” General Montgomery outsmarts them at El Alamein.

An interesting footnote on how Rommel was routed so quickly by Montgomery is that the former tried to blame his failures on obedience to Hitler or at least interference, while the latter made no excuses when he refused to listen to Churchill.

A couple of years after Rommel’s disasters in North Africa and Europe, he followed stupid orders to kill himself, citing to his family a fear of living in a world without Nazism (and also Hitler threatened to shoot dead Rommel’s entire family unless he committed suicide immediately).

Such fealty was spun as propaganda into bogus claims that the retreating General who swallowed poison was in fact loved by Nazis.

Even more laughable was their propaganda that he died from battle wounds, a sad twist since he had walked away from battle and then Hitler killed him with a pill.

Curiously, American soldiers to this day sometimes buy into widespread propaganda and lies about the Nazi Rommel, very similar to pathetic American attempts to believe in the failure and fraud that was Confederate General Lee.

Even more to the point, and another interesting footnote in history, Winston Churchill in 1941 had told the Allies to name tanks with real words instead of “gibberish” designations. The M3 “General Lee” was named for one of the worst military leaders in history, assigned to the American variant, while the British chose M3 “General Grant” for their own model. The Grant was shipped from America to face Rommel and became a prominent factor in General Montgomery’s crushing defeat in the first battle of El Alamein.

British Prime Minister Churchill then pressured the U.S. to call their next tank the M4… Sherman.

Fast forward to today and here’s the view from a U.S. M2 Bradley during the Iraq War, where a Nazi portrait has been attached inside the “fighting vehicle” in a completely tone-deaf fashion.

Source: Iraq War Footage

Surprised there isn’t a picture of General Lee next to it.

Anyone stepping into that vehicle should sadly “get a laugh” at the bad propaganda, just like 1942 Indian or Australian troops in the Egyptian desert.

Inarticulate Grief

Spoiler alert. Inarticulate Grief is a poem by Richard Aldington about WWI that is still relevant today.

Let the sea beat its thin torn hands
In anguish against the shore,
Let it moan
Between headland and cliff;
Let the sea shriek out its agony
Across waste sands and marshes,
And clutch great ships,
Tearing them plate from steel plate
In reckless anger;
Let it break the white bulwarks
Of harbour and city;
Let it sob and scream and laugh
In a sharp fury,
With white salt tears
Wet on its writhen face;
Ah! let the sea still be mad
And crash in madness among the shaking rocks —
For the sea is the cry of our sorrow

Now read Inarticulate Grief, by Sean Patrick Hughes, a beautiful prose piece about America’s endless Bush-Cheney Wars.

No deployment I had was hard enough to make me deal with the pain it caused. Someone always had it harder. No loss suffered; no trauma absorbed was bad enough to acknowledge. Someone always had it tougher. Acknowledging it, in some way, dishonored them.

That a16z Defensive Moat Around Your Jail Cell Doesn’t Make It Any Less of a Jail Cell

Please demote anyone today who tries to claim that installation of a “defensive moat” is a way for monarchs to prevent people from escaping taxation.

The Benin Wall and its moat (Nigeria) built by Oba Oguola 1280-1295 were allegedly four times longer than the “Great Wall” of China. Source: hotels.ng

In a bizarre screed about their view of technology futures, a16z literally advocates for the least ethical data practices as their “best” strategy to profit with AI. They refer to your data being difficult to remove from a castle as a “defensive moat”, which doesn’t make it any easier to justify as unlawful incarceration:

Great software companies are built around strong defensive moats. Some of the best moats are strong forces like network effects, high switching costs, and economies of scale.

That investment moat definition is basically a way of rationalizing insiders being prevented from leaving, historically the opposite of what “best moats” were actually engineered to do (protect against outsiders harming the residents sheltering inside).

“Lock all your users’ data up and throw away the key” seems to be the thinking behind this “best moat” definition for AI, although I’m sure people will argue that locking up everyone inside a moat so they can’t leave when they want is somehow a rational defensive mindset for AI castle leadership.

Abolition of the unjust moats sounds like a good response to investor posts calling for forced incarceration of your body of data for their AI machine profits. Crossing a moat to leave should be your right, not denied by a castle that wants your body of data to pay for their moats and jails.

Choose liberty for your data, and walk away from for-profit prisons by giant “defensive moat” development barons.