funsec mailing list archives

Re: fog of cyberwar
From: Amrit Williams <johndoe321 () gmail com>
Date: Thu, 21 Jan 2010 21:23:59 -0800

Hey Gadi,

Well, you have a lot of different concepts wrapped up in that article; let's
see if we capture them all:

- Was China responsible for the attack on Google?
- Why has the current criminal element in China been allowed to continue?
- Should we take the offensive in the fight against cybercrime?
- Did Google break into Taiwanese servers?
- Should the Google action (if true) be legal?
- Demands that Google must disclose what they did
- Suggestions that Microsoft is both irresponsible and unethical
- Advice that alternative browsers should be used until Microsoft announces
a new policy for patching software
- Suggestion that we write our representatives and the press to call on
Microsoft to act responsibly
- Reminder that this isn't a new threat
- Espionage, unlike cyberwar and cybercrime, should not call upon security
experts for answers

I'll skip the inflammatory China "stuff" and whether or not Google broke
into Taiwanese servers except to ask why you feel they must disclose what
they did publicly (if they did anything)?

The concept that the current situation is untenable and that we should
therefore take the offensive doesn't seem like a viable alternative, even if
there were a higher level of confidence in the fidelity of the data that
would feed such a decision. However, even if the data were righteous, it is
extremely dangerous to allow corporations to perform offensive actions. How
would we realistically support a doctrine of offensive computing by the
private sector?

As for calling Microsoft irresponsible and unethical: what evidence exists
to suggest that they acted out of ignorance, negligence or malice? As many
of us know, software development cycles are dynamic, and it can be quite
disruptive and logistically challenging to inject an out-of-band fix and
release. Not to mention the hell from the large organizations that have
built a strong foundation around Patch Tuesday but struggle with
high-profile out-of-band events. Balancing the priorities of a
mega-corporation and structuring public communications is not as easy as
some may think.

Many have noted that this isn't a new threat. There are multiple vectors
that were apparently used that have been in the headlines in the past decade,
and the targeted nature of the initial malware distribution is neither new
nor terribly interesting. What is troubling is the difficulty most
organizations appear to have implementing even a base level of technical
controls, and even those that do are challenged by the inefficiency and
ineffectiveness of many widely used tools. How many will be up late and
through the week distributing patches, ensuring no conflicts with the COE,
and scrambling to resolve any fires, corruptions, operational failures,
etc.? How many will be using Microsoft to manage and patch Microsoft?
Wouldn't these FTEs be better allocated to actually improving service
delivery and implementing broader enabling technologies?

BTW, I did note the humor in your request to "fellow security professionals
worldwide to refrain from creating fear when speaking of this incident" when
the article refers to "the fog of war" and computers as "weapons".

$.02

Amrit

On Thu, Jan 21, 2010 at 7:39 PM, Gadi Evron <ge () linuxbox org> wrote:

I just wrote a blog on this:
http://darkreading.com/blog/archives/2010/01/fog_of_cyberwar.html

In short:
While we are all talking of Google's morals and US/China diplomacy,
there are some questions that mostly remain unasked:

1. Did Google hack a Taiwanese server to investigate the breach? If so,
good for them. Our ethics need to catch up to our morals. But, for now,
it's still illegal so some details would be nice.

As you know, I have been calling for more than "get slapped, write
analysis" response to cyber crime for a long time, but we need to be
careful not to start an offensive the Internet can't win (criminals
willing to play scorched Earth--we're not, and our legal/ethical
limitations).

2. Is Microsoft, while usually timely and responsible, completely
irresponsible in wanting to patch this only in February? While they
patched it sooner (which couldn't have been easy), their overall policy
is very disturbing and in my opinion calls for IE to not be used anymore.

3. Why are people treating targeted attacks as a new threat model? Their
threat models are just old.

Oh yeah, and this is espionage, not cyber war. Computers are just new
tools/weapons for an old motive.
Espionage, unlike cyber crime and cyber war, is well established in both
law and diplomacy. Security experts should not spread fear, and they
definitely shouldn't be the ones people look to for answers on this.

Thoughts?

       Gadi.


--
Gadi Evron,
ge () linuxbox org.

Blog: http://gevron.livejournal.com/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.