funsec mailing list archives
Re: fog of cyberwar
From: Amrit Williams <johndoe321 () gmail com>
Date: Thu, 21 Jan 2010 21:23:59 -0800
Hey Gadi,

Well you have a lot of different concepts wrapped up in that article, let's see if we capture them all

- Was China responsible for the attack on Google?
- Why has the current criminal element in China been allowed to continue?
- Should we take the offensive in the fight against cybercrime?
- Did Google break into Taiwanese servers?
- Should the Google action (if true) be legal?
- Demands that Google must disclose what they did
- Suggestions that Microsoft is both irresponsible and unethical
- Advice that alternative browsers should be used until Microsoft announces a new policy for patching software
- Suggestion that we write our representatives and the press to call on Microsoft to act responsibly
- Reminder that this isn't a new threat
- Espionage, unlike cyberwar and cybercrime, should not call upon security experts for answers

I'll skip the inflammatory China "stuff" and whether or not Google broke into Taiwanese servers except to ask why you feel they must disclose what they did publicly (if they did anything)?

The concept that the current situation is untenable therefore we should take the offensive doesn't seem like a viable alternative even if there was a higher level of confidence in the fidelity of the data that would feed such a decision. However even if the data was righteous it is extremely dangerous to allow corporations to perform offensive actions. How would we realistically support a doctrine of offensive computing by the private sector?

As for calling Microsoft irresponsible and unethical - what evidence exists to suggest that they acted under ignorance, negligence or with malice? As many of us know software development cycles are dynamic and it can be quite disruptive and logistically challenging to inject an out of band fix and release. Not to mention the hell from the large organizations that have built a strong foundation around patch Tuesday but struggle with high-profile out of band events. Balancing the priorities of a mega-corporation and structuring public communications is not as easy as some may think.

Many have noted that this isn't a new threat. There are multiple vectors that were apparently used that have been in the headlines in the past decade and the targeted nature of the initial malware distribution is neither new nor terribly interesting. What is troubling is the difficulty most organizations appear to have implementing even a base level of technical controls, and even those that do are challenged with the lack of efficiencies and ineffectiveness of many widely used tools - how many will be up late and through the week distributing patches, ensuring no conflicts with COE, and scrambling to resolve any fires, corruptions, operational failures, etc, how many will be using Microsoft to manage and patch Microsoft... wouldn't these FTEs be better allocated to actually improving service delivery and implementing broader enabling technologies?

btw - I did note the humor in your request to "fellow security professionals worldwide to refrain from creating fear when speaking of this incident" when the article refers to "the fog of war" and computers as "weapons"

$.02

Amrit

On Thu, Jan 21, 2010 at 7:39 PM, Gadi Evron <ge () linuxbox org> wrote:
I just wrote a blog on this:
http://darkreading.com/blog/archives/2010/01/fog_of_cyberwar.html

In short: While we are all talking of Google's morals and US/China diplomacy, there are some questions that mostly remain unasked:

1. Did Google hack a Taiwanese server to investigate the breach? If so, good for them. Our ethics need to catch up to our morals. But, for now, it's still illegal so some details would be nice.

As you know, I have been calling for more than "get slapped, write analysis" response to cyber crime for a long time, but we need to be careful not to start an offensive the Internet can't win (criminals willing to play scorched Earth--we're not, and our legal/ethical limitations).

2. Is Microsoft, while usually timely and responsible, completely irresponsible in wanting to patch this only in February? While they patched it sooner (which couldn't have been easy), their over-all policy is very disturbing and in my opinion calls for IE to not be used anymore.

3. Why are people treating targeted attacks as a new threat model? Their threat models are just old.

Oh yeah, and this is espionage, not cyber war. Computers are just new tools/weapons for an old motive. Espionage unlike cyber crime and cyber war is well established in law and diplomacy both. Security experts should not spread fear, and they definitely shouldn't be the ones people look to for answers on this.

Thoughts?

Gadi.

--
Gadi Evron,
ge () linuxbox org.

Blog: http://gevron.livejournal.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.