Tuesday, February 21, 2017

Some hard questions for team Stanford

These Stanford panels have gotten worse, is a phrase I never thought I'd say. But the truly painful hour of reality TV above needs jazzing up more than the last season of Glee, so here is my attempt to help, with some questions that might be useful to ask next time. But before I do, a quick Twitter conversation with Aaron Portnoy, who used to work at Exodus. I mention him specifically because Logan Brown, the CEO of Exodus, is the one person on the panel who has experience with the subject matter.

Aaron worked at Exodus before their disclosure policy change (aka, business model pivot). This followup is also interesting.

Let's take a look at why these panels happen - based on the very technical method of who sponsors them, as displayed by the sad-printouts-taped-on-the-table methodology...

At one point Oren, CEO of Area1, is like "Isn't the government supposed to help defend us, why do they ever use exploits?", assuming all defense and equities issues are limited to one domain and business model, his, even though his whole company's pitch is that THEY can protect you?

The single most poisonous idea to keep getting hammered through these panels by people without operational experience of any kind is the idea that the government will use a vulnerability and then give it to vendors. The only possible way to break through to people how much of a non-starter this is is to look at it from the other direction with some sample devil's advocate questions:

Some things are obvious even to completely random Twitter users... yet never really get brought up at Stanford panels on the subject?

  1. What are the OPSEC issues with this plan?
  2. How do we handle non-US vendors, including Russian/Chinese/Iranian vendors?
  3. How do we handle our exploit supply chain?
  4. Are vulnerabilities linked?
  5. What impact will this really have, and do we have any hard data to support this impact on our security?
  6. Should we assume that defense will always be at a disadvantage and hence stockpiling exploit capability is not needed?
  7. Why are we so intent on this with software vulnerabilities and not the US advantage in cryptographic math? Should we require the NSA to publish their math journals as well?
  8. What do we do when vulnerability vendors refuse to sell to us if their vulns are at risk of exposure?
  9. What do we do when the price for vulnerabilities goes up 100x? Is this a wise use of taxpayer money?

Just a start. :)

Friday, February 17, 2017

Just cause deterrence is different in cyber doesn't mean it doesn't exist

Are there Jedi out there the Empire cannot defeat?

That's a long title for a blog post. But ask yourself, as I had to ask Mara Tam today: Do we always have escalatory dominance over non-state players in cyber? I'm not sure we do.

What does that mean for cyber deterrence or for our overall strategy or for the Tallinn team's insistence that only States need be taken into account in their legal analysis? (Note: Not good things.)

That said, Immunity's deterrence against smaller states has always been: I will spend the next ten years building a team and a full toolchain to take you on if you mess with our people and we catch you, which we might. Having a very very long timeline of action is of great value in cyber.

Thursday, February 16, 2017

DETERRENCE: Drop other people's warez

I'll take: Famous old defacements for $100, Alex

I had this whole blogpost written - it had Apache-Scalp in it, and some comments on my attempts at dating, and Fluffy Bunny, and was all about how whimsical defacement had a certain value in terms of expressing advanced capability, and hence in terms of deterrence. "Whimsy as a force multiplier!"

But then Bas came over and pointed out that I was super wrong. Not only are defacements usually useless, but they are not the Way. In most domains, deterrence is about showing what you can do. In cyber, deterrence is showing what other people can do.

The Russians and the US have been performing different variations on this theme. The ShadowBrokers team is a 10 out of 10 on the scale, and our efforts to out their trojans, methodologies, and team members via press releases are similar, but perhaps less effective overall.

If you are still on the fence over whether the VEP is a good idea: The Russians can release an entire tree of stolen exploits and trojans because:

  1. Our exploits don't overlap with theirs
  2. Our persistence techniques, exfiltration techniques, and hooking techniques that we use in our implants, where they are not public, don't overlap with theirs.
  3. Or maybe they filtered it out so techniques they still use don't get burnt?

Tuesday, February 14, 2017

Cover Visas

There is absolutely no steganography in this picture of a fire!

So the problem with making it so the only way to get from Iraq to the US is being a cooperating asset is that you put our asset's families at risk. We need a huge amount of people who got green cards purely on a lottery or from extended family chains so when we want to offer someone an "expedited magical spy green card" we can, and his/her family won't get automatically kneecapped.

This is one of those strategic dilemmas. What if it's 100% true that there's someone bad coming in, because why not? It may literally be impossible to vet people at the border. But if you NEED a permeable border to accomplish building your local HUMINT network, and without one you are completely blind in-country, you may have to just bear that risk?

At some level, building cover traffic is important, and also one of the most difficult things in SIGINT. Keep in mind that, as far as anyone can tell, public research into steganography died as soon as digital watermarks clearly were not the answer to DRM for the big media labels - for the simple reason that the way to remove any theoretical digital watermark on a song is to MP3-encode it.

Saturday, February 11, 2017

The TAO Strategy's Weakness: Hal Fucking Martin the Third

I want everyone to watch the video above, but think of it in terms of how to build a cyber war grand strategy. 21-year-old aggressive-as-fuck me thought that the whole strategy of TAO was stupid. But I couldn't say why, because I was all raw id the way 21-year-olds all are. "Scale is good," people intuitively think - we need to be able to do this with a massive body of people we can train up.

40-year-old me has proposed an insane idea - as different from the way we do things now as a eukaryote is from the bacteria and archaea that we evolved from. I cloak it in "hack back" or "active defense", but the truth is that it stems from a single philosophy I've held my whole life, one that dates to when TESO and ADM were ripping their way through the Mesozoic Internet.

It is this simple phrase: You should not use the exploit if you cannot write it. The truth is, I cannot write the exploits that Scrippie writes. But I for sure understand them. Let that be our bar then - a nucleus composed of small teams of people who understand the exploits they are using, but don't share them or any of their other infrastructure with other teams.

We talk a little bit about dwell time here. But we are now in an age when the dwell time of a hacker in your system who doesn't have full access, analysis, and exfiltration of your data is zero. How does your strategy of "hunting" handle that era? And this applies to our and other countries' cyber offense teams more than anywhere else. We have a knife made out of pure information, and all the SAPs in the world can't save us with the current structure we have.

In summary, how many separate exploit and implant and infrastructure and methodology chains do we really need to obtain dominance over this space? "So many", as Bri would say.

Friday, February 10, 2017

Shouting into the void *ptr;

Getting old people off Office is less a technical problem than a political one.

So a couple other hackers with deep expertise in exploitation and offensive operations and I often go to a USG policy forum which will remain unnamed and we propose strange things. One of those strange things can be best titled: Insecure at any price, the Microsoft story.

What this means is exactly what you're seeing in the latest EO: Get off Microsoft on your desktop. You cannot secure it. Despite Jason Healey's obsession with innovations from Silicon Valley, sometimes you have to say: There are things we cannot build with.

I will list them below:

  • Microsoft Office (Google Docs 100 times better anyways)
  • Microsoft Windows
  • OS X
  • PHP
  • ASP (ASP.NET good, old ASP bad)
  • Ruby on Rails (not sure how they made this so insecure, but they did)
  • Sharepoint. NEVER USE SHAREPOINT. It's a security nightmare because XSS exists.
  • WordPress.

But it is also true about protocols. SMTP needs to be almost no part of your business. If you regularly use SMTP and email in your business structure, you are failing, and we already have replacements in the messaging space that do everything it does, but better.

Imagine two hackers sitting with policy lawyers and we say "Use Chromebooks, Use iPads" and that's what you're reading in the latest EO. That's how you solve OPM-hacking type issues. Of course, it is likely to simply be a coincidence. You never know where the info from these policy meetings ends up. It is only slightly more substantive than literally shouting into the void.

Tallinn 2.0 is the Bowling Green Massacre of Cyber War Law

Above is the Atlantic Council livestream of the Tallinn Manual 2.0 launch. Look, no one can deny that Mike Schmitt is a genius, but the Tallinn Manual is more mirage than oasis. Let me sum it up: They can't AGREE on whether the Russian IO work on the US election was anything in particular, and they already acknowledge that they don't have solidity on what state sovereignty means in cyberspace. In other words, wtf the Treaty of Westphalia has to do with information warfare, if anything, is still an unanswered question, no matter how many of "the best lawyers in the world" you put in a room in Tallinn.

Literally, that means that despite his opening statement at EVERY EVENT HE'S EVER AT, the Internet is literally an ungoverned space, with a sort of militant "rule of the strong" applying at best. That's what the Russian efforts this fall mean.

That doesn't mean his efforts are wasted - The US DoD and other states LOVE a manual that can allow them to rationalize their actions, and that's why this is on the desktops of specialist lawyers across the space. Right now CYA in cyber costs fifty bucks on Amazon. Deep down, if you can't agree on the lines or definition of anything, then you don't have a process that produces consistent results.

"We captured all reasonable views and put them in the manual." What is this, the Talmud of cyber war?

But these are just my opinions (and yes, they are shared among the high-level international law specialists in this space I've talked to at the pool), and the hard part of this release is how little criticism processes like this get. These sorts of events are love-fests, not working groups.