Dailydave mailing list archives
Re: Myth: The US is more vulnerable to information warfare because it is more reliant on information technology
From: "Timothy R. Chavez" <tim.chavez () linux vnet ibm com>
Date: Wed, 22 Aug 2007 13:08:06 -0500
So what about attacks _with_ information? I think the US would be more susceptible to information warfare attacks, in this regard, if it were more reliant on _homogeneous_ sources of information. Neal Stephenson brings up a good point in his book Cryptonomicon that even when the British cracked the Enigma code, they still had to constantly ask themselves if the Nazis knew they knew and if not, how they could effectively use the information they intercepted without giving themselves away.

For the defender of this information, integrity of the technology carrying it is of utmost importance; for the attacker of this information, integrity of the information itself is of utmost importance. So I'd argue, if anything, that by meddling with the affairs of others, we make ourselves more susceptible :)

-tim

On Tue, 21 Aug 2007 16:53:48 -0400 "Dave Aitel" <dave.aitel () gmail com> wrote:
http://video.zdnet.com/CIOSessions/?p=165

If you listen to Colonel John Hayes in the above interview, he says that oddly enough, they found that one of the most important applications they implemented for mission support was "Text Chat". He also noted that although he spent a lot of money building up wireless, people aren't using it. That's probably because wireless never works. Ever sat next to the door in your hotel because that's the only place you could get connectivity?

Anyways, back to the main point: busting a myth.

Myth: The US is more vulnerable to information warfare because it is more reliant on information technology.

Some people like to say the US is "uniquely vulnerable". I hear this all the time from various weblogs and every time I hear it I wonder why people keep repeating it. For background, the IATAC has this to say:

"""
The United States is vulnerable to Information Warfare attacks because our economic, social, military, and commercial infrastructures demand timely and accurate as well as reliable information services. This vulnerability is complicated by the dependence of our DoD information systems on commercial or proprietary networks which are readily accessed by both users and adversaries. The identification of the critical paths and key vulnerabilities within the information infrastructure is an enormous task. Recent advances in information technology have made information systems easier to use, less expensive, and more available to a wide spectrum of potential adversaries.

The security of our nation depends on the survivability, authenticity, and continuity of DoD information systems. These systems are vulnerable to external attacks, due in part to the necessary dependence on commercial systems and the increased use of the Internet. The survivability, authenticity, and continuity of DoD information systems is of supreme importance to the Warfighter.
"""

My intuition strongly disagrees with the idea that the US is specially vulnerable. So with that in mind, let's go through a little exercise in iconoclasty.

Counter arguments:

1. Hacking has an economy of scale.
2. The US is a hard system to model.
3. Complexity breeds resilience.
4. Technology is adopted quickly in the US, making it a fast-moving target.
5. Having a "target rich environment" overwhelms an attacker's analytical capability.
6. Everyone repeats this Myth yet no one has any data to back it up.

Some details:

1. Hacking has an economy of scale.

10 hackers working together are more productive than 10*1 hacker. Less advanced countries have easier technology to hack - NT 4.0 has unpatchable remote roots on it. Management software is more easily used on modern stuff than old crusty stuff. Technology rots, in other words. And rotted stuff is easy to break. We all know very well how to write Windows 2000 heap overflows. Nico is just getting Vista heap support into Immunity Debugger now.

Of course, you only get an economy of scale when all your hackers can talk to each other. If Clay Shirky[1] was commissioned to tell you what kind of tools you need to maintain compartmentalization while still getting that kind of economy of scale the results would be quite interesting I think. Someone at DARPA needs to do that.

2. The US is a hard system to model.

Hacking is easiest when you can model your target. Modeling a MIG is easier than modeling an F-22 because you can purchase an old one on eBay and fit it up to act like whatever your target looks like. Likewise with information systems that drive things you'd want to target with IW attacks. Owning a Cray is hard. Why? Because you have to own a Cray. MMM, vector'd shellcode. :>

3. Complexity breeds resilience.

People say that hacking the United States and causing damage is easier because more of what the US does is connected, in many cases, to the Internet. However, it's also more resilient - a SCADA system in a country that is less dependent on network technology is harder to reach initially, but you're more likely to find a single point of failure once you do reach it.

4. Technology is adopted quickly in the US, making it a fast-moving target.

Hacking is a continual treadmill. New techniques have to be invented constantly to cope with changing technology. The US's technology treadmill is set on 10 with a 15 degree incline. Countries that change less will be easier to hack. There's a number X for any given system, network, or organization where X is how fast things you've owned get updated and your knowledge about them, exploits, and trojans become worthless. [2]

5. Having a "target rich environment" overwhelms an attacker's analytical capability.

Even understanding one branch of the US military's IT infrastructure is too large a project for even the most well-funded non-US attacker.

6. Everyone repeats this Myth yet no one has any data to back it up.

This isn't a "classification" problem necessarily. Very few people have experience hacking at all, let alone on a scale that would afford them the ability to make generalizations like this.

_________________________________________________________

[1] Clay Shirky is the person you read when you want to know how people react to social software. He can be found here. http://many.corante.com/archives/authors/Clay.php

[2] This number X is something I was looking for in John Arquilla's Networks and Netwars. Although the book started off really well, it veered far from anything to do with hacking. Maybe one of his other books has something on it. http://www.amazon.com/Networks-Netwars-Future-Terror-Militancy/dp/0833030302 (I don't necessarily recommend it unless you are very interested in the Zapatistas).

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave