Dailydave mailing list archives

Re: "I hunt Sys-Admins"

From: Alex Grigsby <AGrigsby () cfr org>
Date: Tue, 12 Jul 2016 18:16:52 +0000

I agree with most of the points you raise (esp. with respect to the vagueness of "critical infrastructure") but I'll 
push back a bit on your CERT point. 

You're right that a CERT would likely be a prime target during a conflict, but just because a country would want to pwn 
a CERT doesn't necessarily mean that it should. Over the last 100+ years, countries have agreed to not deliberately 
target certain installations in wartime even if it's in their strategic interest to do so. For example, the laws of war 
prohibit the targeting hospitals or anything with a red cross/red crescent 
(https://en.wikipedia.org/wiki/Protective_sign) even if it would be militarily advantageous for a country to do so 
(i.e. less enemies on the battlefield). Same thing goes for restrictions on certain weapons (e.g. chemical weapons in 
the case of the Geneva protocol or booby traps in the case of the Conventional Weapons convention). 

Countries have agreed to these restrictions largely on the basis of reciprocity--we won't do it to you if you don't do 
it to us. It doesn't necessarily mean that all states will comply, but they create a strong norm in favor of their 
adherence. 

Based on the history of the laws of war, it doesn't seem completely ridiculous that countries could eventually come to 
some sort of understanding that CERTs are off limits. 

Alex

-----Original Message-----
From: dailydave-bounces () lists immunityinc com [mailto:dailydave-bounces () lists immunityinc com] On Behalf Of 
dailydave-request () lists immunityinc com
Sent: Tuesday, July 12, 2016 12:00 PM
To: dailydave () lists immunityinc com
Subject: Dailydave Digest, Vol 56, Issue 1

Send Dailydave mailing list submissions to
        dailydave () lists immunityinc com

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.immunityinc.com/mailman/listinfo/dailydave
or, via email, send a message with subject or body 'help' to
        dailydave-request () lists immunityinc com

You can reach the person managing the list at
        dailydave-owner () lists immunityinc com

When replying, please edit your Subject line so it is more specific than "Re: Contents of Dailydave digest..."


Today's Topics:

   1. "I hunt Sys-Admins" (dave aitel)


----------------------------------------------------------------------

Message: 1
Date: Mon, 11 Jul 2016 15:15:12 -0400
From: dave aitel <dave () immunityinc com>
To: "dailydave () lists immunityinc com"
        <dailydave () lists immunityinc com>
Subject: [Dailydave] "I hunt Sys-Admins"
Message-ID: <5fc94935-e035-6b70-5d55-7f16d7f25992 () immunityinc com>
Content-Type: text/plain; charset="utf-8"

Occasionally I like to reflect, as you all do, on the various things that have mis-shaped our understanding of cyber 
war.

For example, take this Intercept article based on the Snowden leaks:
https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/

Viewed in hindsight, this article points very closely at something I'm going to support in depth in an article coming 
out shortly, which is that *the term "Critical Infrastructure" does not apply in cyber the way defense strategists 
think it does*. I mention this, which may seem obvious to the readership of this list, because if you read policy 
papers they go on an on about how nations should avoid "attacking" each others "critical infrastructure" as a "norm". 
They don't, of course, consider defining a lot of terms in any specificity, but they do mention that under no 
circumstances should CERTs be attacked. Which clearly is ridiculous because in cyberwar the CERT is something you will 
have penetrated first so you know when you've been caught everywhere else.
Likewise, CERTs are usually very easy to attack. Likewise, top on your list is secure () microsoft com, and every other 
security contact. And in order to claim those things as "off limits" we have to declare huge swaths of infrastructure 
(often unknown ahead of time) as off limits.

Also visible in retrospect is that people love to focus on the catchy phrases. "I hunt sys-admins". Sure you do! But 
that means your strategic offensive efforts have already failed at least twice. In order to get to the point where "I 
hunt sys-admins" team is involved, you have to get through "I hunt developers", "I hunt other hackers", and "I hunt 
system integrators". And even above them is "I hunt standards developers and cryptographers" (aka, NIST :) ). 

-dave






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20160711/97fa7226/attachment-0001.html>

------------------------------

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave


End of Dailydave Digest, Vol 56, Issue 1
****************************************

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

Current thread:

"I hunt Sys-Admins" dave aitel (Jul 11)
- Re: "I hunt Sys-Admins" J.M. Porup (Jul 12)
- <Possible follow-ups>
- Re: "I hunt Sys-Admins" Alex Grigsby (Jul 12)
  - Re: "I hunt Sys-Admins" Dave Aitel (Jul 12)
    - Re: "I hunt Sys-Admins" Konrads Smelkovs (Jul 13)
    - "I hunt Sys-Admins" Konrads Smelkovs (Jul 13)
    - Re: "I hunt Sys-Admins" Alex Grigsby (Jul 13)
    - Re: "I hunt Sys-Admins" Mara Tam (Jul 13)
    - Re: "I hunt Sys-Admins" Dave Aitel (Jul 13)
  - Re: "I hunt Sys-Admins" future (Jul 13)