Dailydave mailing list archives

Re: IT Underground trip report


From: Paul Wouters <paul () xelerance com>
Date: Mon, 18 Oct 2004 23:38:58 +0200 (MET DST)

On Mon, 18 Oct 2004, Dave Aitel wrote:

> The particular location in this case is a dumpling house in Old-Town. Warsaw tends towards small, finely decorated places. Prices range from 10 Zloty to 15 Zloty for a plate. (3.5 Zloty to a Dollar).

> Though I have to say that Polish cuisine is best described as "flavoured fat & oil". After three days I had a craving for Clearasil for the first time in my life.
But the vodka and apple juice combination was very good! Anyone remember which Polish
we drank?

> Overall, the conference went quite well, I think. A large part of this was no doubt because they had 2 translators in each of the three rooms, and so you could understand what the speaker was saying in Polish or in English, no

It is the first time I had to work with translators. It was fun to play jokes
with them, though I really noticed I was talking way too much in half sentences,
which I then dropped for another sentence. I felt quite bad for the translators.

> Robert Lee Ayers is a Director for Critical National Infrastructure Defense for Northrop Grumman Mission Systems Europe
>
> A former US DoD official, Bob is now a UK citizen. He did the keynote:

I realised a few things after listening to him.

- I tend to dislike keynote speaker personalities.
- Calling something 'national critical infrastructure' is another way of
  giving the military control of something civilian, and should always be
  treated with extreme skepticism. (They tried it with the AMS-IX too)

> Interestingly he differentiated between a conventional war and a logical war. In his words, there is a clear indication of victor in a conventional war. As well, a conventional war is, as Clausewitz would agree, between nation states, whereas a logical war is not.

I guess you could just call it 'open warfare' and 'hidden regime change'. I don't
really think the word 'logical' is appropriate here. It can be logical to fight a
conventional war. Also, is the war in Iraq (or in Vietnam) a war with a clear
victor? I don't think so.

As for 'nation states', they are sooooo yesterday :)

> He uses this terminology, which some people may not be familiar with:
> Strategic warning: You are going to be attacked
> Tactical warning: You have been attacked

But he didn't mention the process of when strategic turns into tactical. Or
in other words, pre-emptive versus retaliation/self-defense.

> He claims that logical attacks have no strategic warning and that tactical warning requires rapid data collection and effective reporting mechanisms, which are almost always missing.

I don't understand this one either. I could see an increase in, say, worms, viruses
or DDoS attacks, and still not know who or what is attacked. But it is
definitely a warning signal. I think Robert thinks too much in black and white
(or red, orange, yellow).

> He also claimed that all of the major internal switches (Cisco boxes) were compromised and concocting a sniffing operation for up to 4 years in 1992-1994. He says CERT had published a report on this, but I can't find it.

That part of his talk just sounded completely bogus, that's why I asked for more
information. First of all, if this was a bug over four years ago published by CERT,
and of such importance, why couldn't he tell us what kind of bug this was? Only
after pushing him for details did he admit it 'had to be Cisco', but even so, in four years time there were a LOT of different Ciscos and IOSes out there.
But he made it even more unlikely when he said those compromised machines were
running 'custom programs'. He suggested these intrusions were not all the same
exploit and the same backdoor or harvesting code, but consisted of custom made
programs per compromised sites. I think he even mentioned things like 'passing
along documents'. He also said the hackers were never identified or found. Again,
this is extremely unlikely if they were so widespread and actively (and specifically)
looking and harvesting information. Even if they couldn't trace this online, which
seems just impossible, then surely they could inject one document to these attackers
that would lure them out somehow to identify them.
I'm sorry, this bit undermined the credibility of everything in his talk.

> One weird statistic he posed is that 50% of all corporations have "offensive attack programs" ready to use. He claims a large percentage of them are hacking back. I don't see it. I think some of them are hiring outside companies that do DoS attacks on phishing companies, but I don't see a hack back strategy.

I don't buy that either. It is a lot easier to defend than to attack. And
even if you would attack, who would you be attacking and what would you
gain for your money? Money is much better spent defending. It reminds
me of the talk I saw at BlackHat Amsterdam (I think it was Sensei? some
South African company) where the guy had attacks like 'putting a |
symbol into the DNS to execute commands on the attacking machine that
is checking the logs'. I didn't really get a good answer to my question
"Apart from pipe symbols not getting through any DNS server/resolver,
you have just nuked a victim's machine. Now what?".

> I would comment on his talk with two things I think are incorrect:
> 1. He claimed that there is no mobilization cost to Logical war.

Obviously, doing something very hidden is definitely expensive.

> 2. He claims there is a low cost of entry to logical war.

I'd say that might be true, if you compare it to the cost of sending an aircraft
carrier to the other end of the planet.

> nation states, they are fundamentally between ideologies. And powerful non-religious ideologies are just as warlike: Communism, for example.

Darn, why didn't you say 'free market ideas and capitalism' :)

> Thinking of war as a purely nation-state endeavor is to think of the rightful collection of power as a purely nation-state endeavor.

Robert Morgan wrote a nice book called "Market Forces". He describes the
commercialisation of war, not fought by nation states, but by stockbroker
companies, whose sole interest in war is short term shareholder value.

> Joanna was one of the stand-outs from the conference.

She was. I'm pretty sure we'll hear more from her. I hope she will translate her
talk and present it at the CCC at the end of the year.

> She noticed that the infosec community is quite Gossipy which

Information wants to be free :)

It was a lot of fun, though I didn't get to see much of Warsaw. And when
I landed at Amsterdam, the trains were not running because of a stupid
general purpose "we want more money" strike. I think my 35 euros (140 Zloty)
would have driven me from Warsaw to Berlin :P

Guess we Dutch people DO need to work harder for our euros.

Paul
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave

