Firewall Wizards mailing list archives

Re: Blitzkrieg Server -- For Real?!


From: Rick Smith <rick_smith () securecomputing com>
Date: Fri, 8 May 1998 15:52:34 -0500

At 5:59 PM -0500 5/6/98, arager () McGraw-Hill com wrote:

    Came across these links on CNN and the May98 issue of Signal Magazine.

    see:
    http://www.us.net/signal/CurrentIssue/May98/make-may.html

    Article describes new technology developed by a Quantum Physics
    theorist. It's called the Blitzkrieg Server, and seems to be a highly
    advanced AI engine and counter-attack engine for network security.
    The counter-attack supposedly virally infects the entire network that a
    hacker originates from... somehow.  Seems to have sparked some
    interest from the CIA and such.

It just goes to show that the CIA is diligently checking out *anything*
they can, no matter how silly it might look. And Signal should never be
confused with a refereed journal.

It is somewhat difficult to wade through the idiosyncratic terminology, but
it really doesn't look as if Blitzkrieg is doing anything unusual. You can
probably get comparable or better results with intrusion detection and
security systems produced by reputable vendors that use the same
terminology as everyone else.

It doesn't look to me as if the "viral infection" mechanism is used to
attack the hacker's network. Instead, it's an intentionally lurid term used
to describe how the system installs itself in the system being *protected*.
It "attacks the attackers" only by interfering with their activities on the
protected network. It doesn't reach out into outside networks to attack the
attackers -- such behavior is arguably illegal, anyway.

In plain geek-speak, it looks like the Blitzkrieg server sends kernel
patches to all the hosts within a network being protected. This produces a
distributed computing system comprised of all the hosts that contain these
patches. The overall system can monitor or control the security status of
individual "patched" hosts since the kernel patches provide access to host
security configuration and status. The patches interact with each other and
the server via "encrypted" data links. The patches themselves are evidently
"encrypted" whenever a given patch isn't operating (a property of
conventional "stealth" viruses). The patch software implements a "state
machine" that executes "variable length string transformation rules." These
rules are "self programmed," so we're probably looking at intrusion
detection based on behavior profiling.

I regret to declare that I see no magic here, no emerging machine
intelligence that will solve our security problems for us. This "quantum
physics theorist" hasn't repealed the laws of computation. The halting
problem looks safe for now, anyway.

Incidentally, the Web site contained *nothing* about Blitzkrieg.

But that's just talking about the basic technology claims. The article also
describes a Clancy-esque information warfare attack on the US by "Japanese
nationals" that happened some time "recently." Allegedly the attack was
predicted, specifically identified, and successfully battled back by the
Blitzkrieg system. It seems that this could be deconstructed into the story
of the recent NT attacks with various other things added for flavor, as
retold by Weekly World News.

Rick.
smith () securecomputing com