Comments on: Cyberwar

Cyberwar

homunculus — Sat, 06 Aug 2011 01:46:04 -0800

Enter the Cyber-dragon. "Hackers have attacked America's defense establishment, as well as companies from Google to Morgan Stanley to security giant RSA, and fingers point to China as the culprit. The author gets an exclusive look at the raging cyber-war—Operation Aurora! Operation Shady rat!—and learns why Washington has been slow to fight back. Related: Michael Joseph Gross goes inside Operation Shady Rat."

By: Mblue

Mblue — Sat, 06 Aug 2011 02:33:28 -0800

Washington has no comment, post Assage.

By: dibblda

dibblda — Sat, 06 Aug 2011 03:00:55 -0800

It seems like there is some expectation that the US should respond on behalf of american companies. It is inexcusable if government i.t. has been successfully attacked this long but as far as these companies that have sold american jobs down the river....well tough sh*t.

By: atrazine

atrazine — Sat, 06 Aug 2011 03:12:13 -0800

By: Kirth Gerson

Kirth Gerson — Sat, 06 Aug 2011 04:26:27 -0800

There's some really imaginative stuff here.

The U.S. could protest cyberattacks by sending a couple of aircraft-carrier groups to the China Sea for a little gunboat diplomacy, but it would be pretty embarrassing if China were to just repossess the whole fleet as partial repayment of the $1.2 trillion the U.S. owes it. We'd end up having to pay off the whole debt just to get the boats back—plus whatever huge fee there would be for the towing and daily storage fee at the aircraft-carrier impound lot, and that's a lot of money to spend for bit of saber-rattling that would be futile in the real world and irrelevant in the virtual one.

I can't see any of that happening - not the US sending carrier groups, not China attempting to take them as debt payments, not the US acceding to such a demand - none of it.

By: MikeWarot

MikeWarot — Sat, 06 Aug 2011 05:22:19 -0800

I'd guess 99.99% of the programmers, system administrators, and users would say I'm dead nuts wrong for saying this, but I hope to find others who agree with me in stating: Computer security CAN be FIXED. It definitely does NOT have to be like this. The problem is deep and subtle, and the solution isn't easy, but there IS a solution, called capability based security.

By: humanfont

humanfont — Sat, 06 Aug 2011 05:25:17 -0800

Just because I'm carrying a gps enabled, camera and phone assembled in China is no reason to I should panic. I'm going to download some free games from a random website. But fist let me send an email about some company trade secrets.

By: Postroad

Postroad — Sat, 06 Aug 2011 06:10:14 -0800

I suspect we place too much emphasis upon what China and others might be doing to us and ignoring what we in turn are also doing. Take, for example, biological warfare. We worry about that but have a big place set up to not only study how to combat it but also how to make use of it. So, too, with dirty (nuke) bombs--we have tested them right here, secretly. I am sure we have as many people screwing about with cyber spying on Them as they do on Us. Recall the general who as short time ago said any attack on our computers might constitute a military attack and therefore we had the right to go to war? Sor of like "weapons of mass destruction in Iraq" charge--

By: jeffburdges

jeffburdges — Sat, 06 Aug 2011 06:30:02 -0800

Could we possible abandon this incorrect sensationalist term cyber-war for the more honest term electronic espionage? Seriously folks! Interesting perspective. I'd agree that espionage plays kinda complementary role to nuclear weapons, i.e. nuclear weapons make traditional conflict untenable while espionage provides a non-violent outlet for the economic incentives driving conflict. I'd agree that the United States' push for less-lethal conflict through more advanced precisely targeted weaponry simply doesn't provide an outlet for said economic competition. In short, there are various foreign powers able to aggressively pursue an economic advantage against the U.S. using their electron espionage capabilities, while the U.S. cannot seek complementary advantage using its military forces. Isn't this analogous to many military advancements throughout history? Vaguely like running round ming better swords while everyone else upgrades to gunpowder. And obviously the empire is being sacked by internal barbarians too.

By: infini

infini — Sat, 06 Aug 2011 06:42:47 -0800

What they should do is hack into Wall Street's computers...

By: LogicalDash

LogicalDash — Sat, 06 Aug 2011 06:54:52 -0800

Computer security can be fixed against-some-thread for-some-time-period given-some-operating-conditions given-some-budget given-some-qualified-personnel. That we can fix it for some installations some of the time is really quite impressive when you think about it.

By: moss

moss — Sat, 06 Aug 2011 07:00:31 -0800

Could we possible abandon this incorrect sensationalist term cyber-war for the more honest term electronic espionage? But that would diminish the heroism of our bold cyber-warriors! Don't you understand? If they die fighting a cyber-war while jacked into cyberspace, they die in real life!

By: xetere

xetere — Sat, 06 Aug 2011 07:02:42 -0800

Somehow the contractor-industrial complex and the cyber-defense lobby will be able to monetize this big time.

By: jeffburdges

jeffburdges — Sat, 06 Aug 2011 07:06:46 -0800

You know, any serious efforts towards real security will run afoul of our own espionage and law enforcement establishments. Could you imagine the next Windows or Mac OS X including PGP/GPG? Forget offering users a public key creation dialog when they first launch Outlook or Mail.

By: MikeWarot

MikeWarot — Sat, 06 Aug 2011 07:29:13 -0800

Computer security can be fixed, and it doesn't take specially trained users and administrators... however it does require a re-write of things to work in a default deny environment, instead of default permit... which is definitely non-trivial. Encryption has nothing to do with security, if any code the user runs can do anything, he has to trust each and every bit of code run on his behalf... The closest real world example of how computers operate that I've come up with is this... Imagine I owe you a dollar, and in order to pay you, I have to hand you my wallet, car keys, ID, a power of attorney, all while being sedated (the last bit because of the blinding speed of code vs people)... and hoping you only take a dollar. Imagine doing that every day, every time.... that's what running a PC is like. Virus scanners are equivalent to having a list of known bad people to check before you do the above. If the person hasn't been caught yet, they aren't on the list. In the real world, we hand over a dollar if we have it, or some larger amount, which limits our risk... we never hand over control of our life. We operate in a default deny mode, why can't our computers?

By: fatbird

fatbird — Sat, 06 Aug 2011 08:31:41 -0800

The problem is deep and subtle, and the solution isn't easy, but there IS a solution, called capability based security. No model is going to solve the problem by itself. Some are better than others, but at the end of the day it's how a large organization actually implements it. And large organizations (public or private) do nothing perfectly.

By: Nelson

Nelson — Sat, 06 Aug 2011 08:38:04 -0800

In any earlier era, this kind of state-sponsored espionage and sabotage would be met with military response. Could you imagine if Chinese commandos were regularly breaking into military bases and stealing, say, missile parts? And we caught them time and again, actually inside the base, and just sorta shrugged and said goodbye? And if that same Chinese commando division were also infiltrating US manufacturing companies and stealing all the business documents related to international trade with, say, Korea? I certainly don't want to go to war with China, that would be insane. But I think the US has been ignoring these attacks because being virtual attacks, in computer networks, they seem somehow less important or less real. They're not. The data being stolen online is way more valuable than a crashed airplane. The companies being infiltrated via the Internet are far more damaged than a simple black bag op in an office. What's going on is ugly. I also wonder how far behind the US is in cyberwar. We're not visibly organized, but then we've got a lot of talent. And the occasional event like Stuxnet demonstrates we have some capability, just not disclosed.

By: homunculus

homunculus — Sat, 06 Aug 2011 08:48:37 -0800

Can Darpa Fix the Cybersecurity 'Problem From Hell?'

By: homunculus

homunculus — Sat, 06 Aug 2011 08:51:45 -0800

Could we possible abandon this incorrect sensationalist term cyber-war for the more honest term electronic espionage? It's Cyberwar! Let's Play Bingo!

By: jeffburdges

jeffburdges — Sat, 06 Aug 2011 10:09:24 -0800

I'm afraid encryption would necessarily be a major component of any substantial security improvements. Do you think the FBI wants a good digital cash system being widely used to implement your default deny transaction model? There is only one way to do cloud storage correctly, namely you encrypt and decrypt only on the client, and never share the key with the host. I doubt law enforcement appreciates that model. An improved security infrastructure could be developed, but not by any company operating in a police state like China or the U.S. Scandinavia maybe? Nokia just laid off oodles of developers.

By: furiousxgeorge

furiousxgeorge — Sat, 06 Aug 2011 10:15:55 -0800

In other news, Anonymous goes apeshit on the police. Maybe government cybersecurity needs to be prioritized a bit more, yeah.

By: Sphinx

Sphinx — Sat, 06 Aug 2011 10:18:26 -0800

Remember the Google?

By: humanfont

humanfont — Sat, 06 Aug 2011 10:24:48 -0800

The problem is impossible and anyone who says otherwise is acting out of hubris. There are too many vectors and actors involved. We can make them slightly more secure, but once the data is in the machine it is just a matter of time before it gets out.

By: Rockear

Rockear — Sat, 06 Aug 2011 10:29:52 -0800

I use a simple heuristic to help reduce the noise level in my life when it comes to technology. It's widely applicable, from government policy to breathless public reporting to dealing with non-techie relatives who have been reading said breathless public reporting. It goes as follows: If they prefix anything with the word "cyber-", then they don't know what they're talking about and can be safely ignored. This comes into play more often than you might imagine, and it has never failed me.

By: infini

infini — Sat, 06 Aug 2011 10:54:18 -0800

An improved security infrastructure could be developed, but not by any company operating in a police state like China or the U.S. Scandinavia maybe? Nokia just laid off oodles of developers. Nah, they put undergrad script kiddies on the job and then test it out on hapless middleaged non white women for the lulz

By: JHarris

JHarris — Sat, 06 Aug 2011 13:58:28 -0800

Rockear: (Re: cyber- as prefix) This comes into play more often than you might imagine, and it has never failed me. That sounds very useful and I will probably be pressing it into service. (My own favorite such heuristic is, if a company uses pictures of smiling people as space-fillers on their website, whether using products, answering phones, or just doing nothing, they have a non-zero evil value. Hasn't steered me wrong yet.)

By: jeffburdges

jeffburdges — Sat, 06 Aug 2011 14:47:32 -0800

There have been a few interesting security articles from DefCon BlackHat talks, including : - Lockpickers Open Card-And-Code Government Locks In Seconds - Microsoft Office documents are still exploitable - Get Cyber-Mercenaries Suggests Ex-NSA, current CIA Director - NSA Hiring At BlackHat

By: scalefree

scalefree — Sat, 06 Aug 2011 15:05:23 -0800

Sooner or later we'll all be working for mudge.

By: smoke

smoke — Sat, 06 Aug 2011 15:43:20 -0800

Could you imagine if Chinese commandos were regularly breaking into military bases and stealing, say, missile parts? And we caught them time and again, actually inside the base, and just sorta shrugged and said goodbye? Actually, Nelson, what you describe is pretty much the standard response to espionage, globally; the history of the cold war is wonderfully illustrative of this. Domestic espionage is punished far more severely than foreign because nobody wants to start a war, especially between nuclear powers. There have been literally hundreds of examples of foreign espionage being exposed to little consequence. May it ever be so; the more information both sides have, the less the chance of war.

By: Kirth Gerson

Kirth Gerson — Sat, 06 Aug 2011 17:04:30 -0800

...because nobody wants to start a war... I don't know about that; recent history seems to contradict it.

By: jeffburdges

jeffburdges — Sat, 06 Aug 2011 17:38:10 -0800

Imagine s/he wrote "nobody wants to start a war they're going to lose". It's pretty nice beating up on poor countries like Afghanistan or Vietnam, give all that money to your friends in the defense industry.

By: gemmy

gemmy — Sat, 06 Aug 2011 18:06:35 -0800

Oh good. I'd been meaning to put something together, given all the stuff that's becoming public lately, but now I don't have to! The Vanity Fair article is pretty good at laying out what's going on in general, but I would definitely prefer less of the "cyber war!" rhetoric and for people say what it really is, which is just plain old espionage + industrial espionage in a new guise and at a much grander scale. I don't think most people can even begin to fathom the scope of the problem, though. I don't know anyone here in D.C. who hasn't had a brush with the initial spear-phishing type emails, and I personally know more than a dozen people from well-known think tanks, government agencies, and the defense industry who have had their computers compromised - in at least one case I know it wasn't discovered for months. I'm not a security researcher, but I knew a few. Seeing the logs from their monitoring of owned computers is mind-boggling. You can see the attackers logging in, browsing directories, then creating .rar files for exfiltration. And the owned computers are in all kinds of places - energy companies, think tanks, schools, law firms, government agencies... Even notifying law enforcement and the companies themselves might not really have much of an effect - it might stop that one operation from succeeding, but there are just SO many others that it doesn't really make a dent... If you are interested in this topic, may I suggest a few places to read more. The Dell Secureworks blog has a writeup of the RSA issue, and a few other APT-related analyses. Jim Lewis from CSIS is mentioned in the VF article, and he has a good handle on the issue. The Contagio blog is great to see what's out there in malwareland. Infowar Monitor is great too. A few more general blogs include Krebs on Security, the F-Secure blog (also check out this great TED talk on viruses from F-Secure's Mikko Hypponen). There's a lot of info out there, and I'm glad (like I've said before) that more people are paying attention to this issue lately.

By: jeffburdges

jeffburdges — Sun, 07 Aug 2011 09:04:47 -0800

DARPA Commits To Funding Useful Hacking Projects (ml /.)

By: scalefree

scalefree — Sun, 07 Aug 2011 15:42:52 -0800

DARPA Commits To Funding Useful Hacking Projects Yeah, that's mudge. And the #hack World Domination plan proceeds apace.

By: homunculus

homunculus — Sun, 07 Aug 2011 17:44:09 -0800

Researchers: Anonymous and LulzSec Need to Focus their Chaos

By: mdelaney

mdelaney — Sun, 07 Aug 2011 20:25:04 -0800

I think its also confusing for these outlets to be running with the CyberWar label when the industry is divided on whether these are APTs at all (original Symantec analysis here, PCWorld coverage here). As many above have mentioned many of these issues are addressable, and dressing things up as a big state sponsored boogie man only helps people avoid fixes.

By: jeffburdges

jeffburdges — Mon, 08 Aug 2011 10:09:40 -0800

Building A Better 'Anonymous'?

By: homunculus

homunculus — Mon, 08 Aug 2011 10:35:18 -0800

Syrian Ministry Of Defense Website Hacked By 'Anonymous'

By: jeffburdges

jeffburdges — Wed, 10 Aug 2011 10:18:49 -0800

Why the US will lose a cyber war (/.) Yeah, the article is all wonky talking about synchronicity vs. causality, but I agreed with the original thought that our focus on real world weapons systems will prevent the U.S. from dealing effectively with electronic espionage. As I said upthread, nukes dissuade conventional warfare, but conventional warfare doesn't dissuade espionage.

By: scalefree

scalefree — Wed, 10 Aug 2011 19:40:22 -0800

Full Disclosure: DEF CON 19 - hackers get hacked!

By: homunculus

homunculus — Sun, 21 Aug 2011 10:06:01 -0800

In other news: Hacked cybersecurity firm HBGary storms back after ridicule fades

By: furiousxgeorge

furiousxgeorge — Sun, 21 Aug 2011 11:02:33 -0800

Not surprised, they have been publicly revealed to be incompetent but so have a lot of contractors. In the end, the lawbreaking of all the businesses and organizations involved here was completely ignored as it always is. The leaked mails revealed they were going after enemies of our government, Wikileaks, Greenwald, Unions...there is always money for someone willing to do that.

By: jeffburdges

jeffburdges — Mon, 22 Aug 2011 08:00:46 -0800

Interesting they claim that HBGary's Razor product has few competitors. Or perhaps their clients simply have trouble shopping around in such a niche industry? There are definitely other companies in the intrusion detection game. Isn't big fish Dell's Secure Works? I donno if they offer a competing product. There are also many free open-source intrusion detection systems. Anonymous should probably comb Razor's source for code violating the GPL or whatever.

By: jeffburdges

jeffburdges — Mon, 22 Aug 2011 09:24:41 -0800

Anonymous Breaches Another US Defense Contractor

By: jeffburdges

jeffburdges — Tue, 23 Aug 2011 17:08:07 -0800

Chinese military propaganda accidentally reveals a Chinese military university class engaged in cyberwarfare against Falun Gong in the United States.

By: jeffburdges

jeffburdges — Thu, 25 Aug 2011 06:39:16 -0800

Australia passes flawed cybercrime bill despite report from their own committee

By: homunculus

homunculus — Sat, 27 Aug 2011 17:05:13 -0800

The Wrong War: The Insistence on Applying Cold War Metaphors to Cybersecurity Is Misplaced and Counterproductive