Re: The difference between a monkey and a gorilla

[Chris Wysopal <weld () vulnwatch org>]

On Tue, 19 Jul 2005, Dave Aitel wrote:

> As Jared Diamond (http://www.pbs.org/previews/gunsgermssteel/) says,
> humans are basically just a strange sub-species of chimpanzee. Likewise
> I wonder if security researchers are tamed and channeled hackers, or if
> hackers are the bizzare sub-species that consumes more resources than
> you'd expect, and create more art than you'd imagine. In a bit of
> meta-irony, Weld Pond is the one who introduced me to Jared Diamond.

I'm not sure what makes this ironic, let alone the irony be ironic, but
I'm sure Dave will explain it to me. :)  In any case I think a much more
interesting application of Diamond's concepts to this list is applying
them to cyberwar.  What can the geography of cyberspace or perhaps more
importantly, the geography of its inhabitants tell us about who will win
in cyberwarfare.

Diamond's fundemental theory about the last thousand years of world
history and how Europeans were able to conquer multiple continents is
based on geography.  The east-west arrangement of Europe vs the
north-south arrangement of the Americas and Africa allowed people and
technology, like farming and steel making, to flow more easily. This is
due to the fact that the same latitude has a similar climate eats-west and
is in the same season.  When a new crop was developed or animal
domesticated, that knowledge spread more quickly across Europe.  The same
held true for other technological inventions, the spread of disease and
later the resistance to disease.  Europeans weren't smarter or braver than
South Americans. Chance had put them in a place where civilization could
develop more quickly.  Check out the series on PBS or better, read the
book (now on the NYTimes paperback best seller list).

The question I have is can these principles be applied to cyberspace?
Are there fundemental structures akin to the concepts in Lessig's "Code
and Other Laws of Cyberspace" that are the geography of cyberspace and
does that geography favor the citizens of one country over another?  When
people collide in cyberspace who will win at cyberwarfare?  I am defining
cyberwarfare broadly here as controlling information, commerce/money, and
the physical world connected to the internet.

Access to hardware is certainly favorable.  Sure if you are a good hacker
you can find a box to own of the type you want somewhere on the net but
there really is no substitute for your own hardware lab.  Countries that
have corporations throwing out old equipment that you can grab for free
(or very cheap) are going to be favorable to places where your only
computer access is in a library or cybercafe.  If you are going to do
research or build something, dedicated access is a big plus.

A couple of data points.

Back in 1998, Richard Clarke from the NSC visited the L0pht with a couple
of other govt. intelligence types. After a tour of our several rooms full
of equipment (mostly online) and our hardware lab, he went over into a
corner and was whispering with his collegues.  Mudge thought this was a
bit rude and asked them, since they were guests in our place, to speak
openly.  Clarke did.  He said that they were discussing the fact that we
were able to amass such a hardware capability with no budget (we dumpster
and corporate closet dived) was going to cause them to change their threat
model.  The US intelligence community values access to hadware.

Shift forward to the GhettoHackers in 2002.  I visited their space and it
was more impressive than what we had at the L0pht.  They had more hardware
and they used it more effectively.  They had dozens of machines with
different architectures and OSes (and versions) loaded.  This gave the
GhettoHackers a decisive advantage when it came to hacking at events like
Defcon's Capture the Flag. They had to start running the event because
they had won so often.

Another factor is the culture of the country.  Does it favor exploration?
Is there a history of invention and research? Is there an ethic of
rebellion that allows progress in spite of laws like the DMCA which outlaw
certain areas of research?  Perhaps a country with lawless cyberspace is
beneficial.

Is there free speech and its counterpart, free access to the speech of
others?  Is the written language the same as the one that is used in
programming languages, API descriptions, documentation, security
information, etc.?  In the current environment, reading and writing
English would seem like a big plus.

What is the education environment for math, engineering, computer
programming like? Is there funded security research going on?

I am undoubtably Americentric in my experience.  But it would seem to me
that people in the US and similar countries have an advantage in the
cyberwarfare of the future.


-Chris


The rate of human invention is faster, and the rate of cultural loss is
slower, in areas occupied by many competing societies with many
individuals and in contact with societies elsewhere.
   - Jared Diamond
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave