Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Hagakure’ Category

ウェブ忍者が失敗する : Dox-ing, Disinformation, and The Fifth Battlespace

Digital Ninja Fail: ウェブ忍者が失敗する

The recent arrests of alleged key members of LulzSec and Anonymous have been called into question by the ‘Web Ninja’s’, a group of would-be hackers who have been ‘DOX-ing’ the Anonymous hierarchy for some time now. Yesterday, they posted the following on their page concerning the arrest of a man from the Shetland Islands who is purported to be ‘Topiary’ by the Met and SOCA.

Now, this is a bold statement for anyone who really knows what they are doing in the intelligence analysis field. So, it is my supposition that these guys have no clue about what they are doing by making bold assertions like this. The data they have is tenuous at best and by making such bold statements, I have to wonder if indeed the so-called ‘Ninja’s’ themselves might not be a tool of Anonymous to in fact sow that disinformation.

Here are the facts as I see them;

  • To date, the federal authorities have not questioned anyone who was DOX’d by the Ninja’s that I am aware of
  • The individuals who were DOX’d that were investigated by the authorities were in fact outed by LulzSec/Anonymous themselves
  • Adrian Chen has spoken to the person that the Ninja’s have fingered and claims that he (said person) went to the authorities himself. So far he is still not a suspect.

So, taking into account these facts, I would have to say that the Ninja’s have failed in their stated mission so far, and suffice it to say that if they are indeed a part of a disinformation campaign, then that too has failed. After all, the police seem to be ignoring the data put on the internet by the likes of the Ninja’s in favour of other tried and true tactics. The primary tactic as I see it, is grab one individual and then get them to roll over on their compatriots in the face of massive jail time.

This pretty much works all the time as we, as human beings, are most willing to sacrifice others for the self. In the case of the likes of LulzSec skiddies, I would have to say that the ages of the players, and their generational tendencies will allow them to cut deals pretty quickly. It’s my assessment that they are in it for the self gratification and lulz, not for the altruism that the LulzSec and Anonymous press releases have been trying to have one believe. My assumption is that if indeed the 19 year old guy they popped in Scotland is involved with LulzSec, and is in fact Topiary, he will roll over soon enough.

I also believe that these are all untrained operatives and they have made and will make more mistakes. I am pretty sure that the alleged “leaderless” group has leaders AND that, unlike a true guerrilla warfare cell, they will know the other players’ personal details. Essentially, they have had no compartmentalisation and they will all fall eventually through interrogation and deal making. As I said before, the insider threat to the organisation is key here, and it was this idea I think the Ninja’s had.. Well, at least that was the original idea of the Ninja Warrior. They were spies who infiltrated the ranks and destroyed from within.

So far with these guys.. Not so much.

Welcome To Spook World: Disinformation Campaigns and Intelligence Analysis

Now, on the whole disinformation thing, I know that the Lulz and Anonymous have said that they are using disinformation as well to try and create a smoke screen. Frankly, all of the intelligence out there that is open source is suspect. Maltego maps of end user names, as I have shown in the past, can be useful in gathering intelligence… Sometimes. For the most part, if a user keeps using a screen name in many places and ties that name to real data, then they can be tracked, but, it takes a lot of analysis and data gathering to do it. Though, many of the foot soldiers within the Anon movement are young and foolish enough to just keep using the same screen names for everything so there is a higher likelihood that the data being pulled up on Maltego and with Google searches is solid enough to make some justified conclusions.

With the more experienced people though, there has been some forethought and they have protected their identities as best they could. What became their real downfall was that they could not rise above petty infighting and dox-ing each other. Thus you have the start of the potential domino effect on the core group as well as anyone who has any peripheral affiliation with the Lulz. Be assured, those who have been pinched are giving up as many names as possible as well as whatever is on their hard drives, Anon hacker manuals or not. All of these scenarios lead to the conclusion of more arrests by the authorities and even more skiddies getting into legal trouble around the globe. Meanwhile though, if the core group has been smart, then perhaps the leaders will skate for a time, using the masses as cannon fodder.

Gee kids.. Did you know that you were all expendable?

On another tack, I would like to speak about the potential of the disinformation campaigns being perpetrated by the authorities as well. Consider that the trained professionals out there who are hunting these characters (Topiary, Sabu, et al.) are also adept at using not only the technologies of the fifth battlespace, but also the training afforded them in ‘spook world’. This means disinformation campaigns, mole hunts, and insurgencies of their own, getting to the inner core of Anonymous and Lulz. Now, that there were six (alleged) lulzer’s it would be more difficult to do, especially if those LulzSec folks really do know one another (as they claim they do not, which, I just don’t buy.. Remember the compartmentalisation issue). The agents provocateurs are out there I am sure and with each rung of the ladder, they get closer to the core group.

That is unless the core group falls apart on their own and DOX’s each other out. In the end, I am going to suggest that the authorities will use all of the tricks of the trade on the Anon/Lulz folks to bag them… And with concerted effort by government resources, they will get their men/women.

Untrained, Unruly, and Unprofessional Operators:

“Discretion is the better part of valour” as they say, and in the case of the Lulz and Anon crews, they seem to not have a clue. Perhaps the Lulz think that by being unruly and unpredictable to a certain amount, will be just the cover they need, but, I think that their lack of discretion will be their undoing as well as their hubris. Had many of these folks had some real training, they might have just stood down for a while (not just a week or so) after setting sail into the sunset.

As I have said before, it was a bad idea to recruit and have comm’s out in the open on IRC servers even if they had ‘invite only’ channels. As is being seen now, someone (jester perhaps) has taken down their servers again after other outages due to Ryan Cleary’s attack and pressure from the government on those connection sources that the Anon’s were using. I am sure the idea was to have a movement that could also serve as diversion for the core users as well as to LOIC, but this all failed in the end didn’t it? The LOIC is what has given the FBI the 1,000 IP addresses as a hit list, so to speak, that they are now using to collect people and charge them for the DDoS attacks.

Had these people been trained or not been so compulsive, they might have had more of a chance to keep this up for a much much longer time. As I write, the Lulz do continue, but they have slowed quite a bit since the arrests started again. This I think is because the cages are starting to get rattled and people are finally coming to the conclusion that some discretion is needed to not end up Bubba’s play pal in prison. It’s a learning curve, and likely going to be a painful one for the kiddies.

Unprofessional actions within this area of battle will end up with your being put in jail kids.

To end this section I would also like to add this thought. My assessment of the Lulz core group is this;

  • They were drunk on the power of their escapades
  • The more followers they had and more attention, the less risk averse they became
  • They seem to have compulsion disorders (don’t say it.. Aspergers!) that seem to not allow them to lay low (until now it seems)
  • The ego has eaten their id altogether
  • Base ages are within the teens with a couple over 20

Technical Issues Within The Fifth Battlespace:

Another BIG issue within this battlespace is the technology. The Anon’s and Lulz have been ascribing to the idea of “Proxies, we haz them! So we’re secure!” and to a certain extent they are right. There are always ways around that though and certainly leaks in data (such as the TOR leaks that have happened) that could lead someone to locate the end user behind the proxy, so they are not foolproof. Certainly not if the fool in question is some skiddie 12 year old using LOIC un-proxied and not obfuscated while they DoS PayPal.

The problem is that the technology could fail you as well as the untrained operative could make small and large mistakes that could lead authorities right back to their IP and home accts. On the other side of that equation is that when properly done, it is damn hard to prove a lot in hacking cases because of obfuscation, as well as mis-configured end systems that have been hit. I cannot tell you how many times I have seen incidents play out where the target systems had no logging on as well as being completely un-secured, thus leaving practically nothing for a forensics team to find and use.

Once again, this brings us back to the insider threat, whether they be the insider who decides to go turncoat, or, the agent provocateur (i.e. Jester and the Ninja’s as well as others from the authorities) who infiltrate the Lulz and then gut them from the inside. What it really boils all down to is that in the end, it will be the foibles of the Lulz core and the actions of spooks that will bring them down.. And I think they are learning that very fact now.

JIN; One Must Know The Enemy’s Mind To Be Victorious:

As a last note, I would like to say to the Ninja’s, you need to learn and practice your Kuji-in. It is obvious to me that you have failed on the ‘Jin’ (knowing the opponent’s mind) with your dox attempts. Until such time as I see people being hauled in that directly relate to your documents posted, then I am going to consider the following to be the case:

  1. DOX-ing is mostly useless and takes quite a bit of analysis before just releasing names
  2. The Feds are not taking your data as gospel, nor should the general public or media
  3. You yourselves may in fact be a tool of Anonymous/Lulz and as such, spewing disinformation
  4. You could be right, but by releasing it to the public at large, you are letting the Lulz know to destroy evidence and create obfuscation that will hinder arrests later.

Ninja’s got results.. Not so much for ‘Web’ Ninjas. At least Jester, if his claims are true, is breaking their C&C channels lately.. Which has its own problematic issues.. Just like his meddling in the Jihadi area, but, that’s a story for another time.

K.

Top 5 ways to destroy a company.. But Will They Sign Off On That?

I watched the BruCON talk Saturday by Chris Nickerson “Top 5 ways to destroy a company” and was surprised at some of the things that were proposed on stage. On the other hand, I can agree with some of what he said too. For years I have lamented much the same thing that Chris did on stage. All too many times you give the client a report after actually finding major vulnerabilities and they either just don’t get it, or, and this is more often the case, don’t seem to care about the findings. You can “root the shit” out of them as Nickerson said, and still, they just look at you and say “So?”

The truth of the matter for me comes down to a few different factors:

  1. A lack of understanding the results that you present them
  2. A lack of situational awareness to understand that those same vulnerabilities can lead to dire results when used by a motivated aggressor
  3. A lack of latitude or perhaps initiative on the part of assessment specialists to flesh out these scenarios within the reports and the meetings to discuss the findings with the client

Nickerson too gets to this and asks;

Well why does that happen?

  • What we give them isn’t important. Managers don’t care about shells!
  • They don’t care about what we care about!

What do they care about?

  • The product line
  • The Brand
  • The Employees
  • The Bottom Line

I would also add “Their own asses” to this list as a fifth because really, what else really motivates an employee (including C levels) is whether or not the decisions that they make will cause great financial loss and in the end, their dismissal. Of course you then face the task of once again getting that horse to the trough to drink, and you know how that usually goes huh? This is where Chris kind of went off the rails for me and I think more than a few people watching the talk. It would seem that the advocating of “destroying” the business would be counter productive to having a job yourself, once you had performed the magic tricks that he suggests.

Top 5 ways to destroy a company

  • Tarnish the brand
  • Alter the product
  • Attack the employees
  • Effect financials directly
  • ** Your turn! **

The talk really did not elaborate on how to do this with regard to getting a company to sign off on this in the first place and then as to how to carry them out, proving the concept without actually causing harm to the company that you are assessing. It has been my experience in the past that if you actually explain cause and effect in a report as well as the meeting, you can get across the real meaning to that shell you have gotten. The problem then becomes whether or not your client “gets it”. You can explain it flawlessly but still not yield the changes that your findings require because those people you just presented your findings to “just don’t care” as Nickerson said. So his premise is quite right. You have to actually hit them where it hurts to get action sometimes. But just how do you do that, get it across to the client, and not get your ass thrown out or arrested for those actions?

The talk goes on to highlight something that actually isn’t so new to intelligence agencies both nation state and other. It’s called “Profiling”. You profile the target, you get to know what makes them tick, and if you are aiming to do them harm, you look for their weak points and then exploit them. This is much the same thing you would do to a computer system, application, or network to attack it. What Chris was saying but not really saying directly, is that you have to take the precepts of “Information Warfare, Guerrilla Warfare, and Intelligence Analysis/Operations” and use them all to profile the target and formulate a plan of attack. By using these techniques (aka footprinting a network say) you apply it to the whole business to determine how you “could” destroy them, or perhaps more to the point, damage them into reactionary actions (and for all intents and purposes in this talk “listening to the security industry”).

The unfortunate thing though that this talk did not cover is that even when you show people you have “access” to something, and you tell them what you “could” do, you still may not get the reaction that you need to get from them to actually fix the problems. This is where the talk breaks down for me because I frankly just don’t see too many assessments happen out there with a “carte blanche” SOW that says you can do anything to them you want. All too often the client wants specific things checked and gives you only small amounts of time for targeted attacks. So sure, you can go change a pdf file of their prospectus, and print one out to show the management, but will presenting that actually change their minds? After all, I still think that human beings are quite bad at determining long term threats like this.

Overall though, Nickerson has it right. Use chained exploits (not in the regular definition you may be used to here) to escalate access and then use the information to show “how” you could affect the supply chain, or the financials of a company. Or, how you could steal certain types of data to sell to competitors, maybe even just how to hold it hostage. The problem is that without actually committing the acts, all too often you come off as a fiction writer in their minds as well as they look at you thinking;

“But, he’s just some uber geek… this won’t happen in real life, I mean we hired these guys because they can do it.. INCONCEIVABLE!”

It all comes down to how you present the data and scenarios to the client that will get them to react… Or not, as the case may always be… Until they are really compromised and by then, it’s too late.

So, where does that leave us? In the same position really, but it behooves us to be better communicators with the clients. We need to be able to perform the following actions in every assessment:

  1. Profile the business overall, where they are in the market, and their history
  2. Profile their business model and their product or products
  3. Profile their request for an assessment by you (why are they doing it? SOX? PCI? or are they interested and engaged)
  4. Profile the employees and C levels (are they engaged? Do they buy in on security?)
  5. Formulate scenarios that would cause varying levels of damage (targeting them)
  6. Meld not only the technical side of things but also look at their processes. If they are lacking there, you are likely to see much more potential for high collateral damage exploits or chained exploits

Unless you can put a whole picture together and then prove it if they actually give you a go ahead, then you are just another technical monkey saying “Look Shells!” as Nickerson put it.

I think that is what he was driving at through all of the ranting…

So, consider this the paradigm change… Consider what you do “Information Warfare” and not just hacking assessments. Perhaps then, once the industry takes that next step to herd the cats, we will see change in the clients’ understanding of why we find these things and say “You’re fucked!” This is something that has been written about before. Without changes, the security industry will continue to only be as effective as long as those you are working for are already engaged and understand security issues.

CoB

The Information Security Business.. AKA The Cassandra Syndrome

I had an incident today that kind of epitomizes the security business for me… Well, one aspect of it that is. I call it the “Cassandra Effect” and it is more common than one might think. In my case, I am Cassandra and my prophetic insights are often unheeded or misunderstood as the rantings of a paranoid personality.

That is until the prophecies come true.. But by then it’s too late.

Today it was a manager within the company that I have been working for as a consultant who shrilly pushed back on findings that the company (X) did not have an incident response process in place that was documented and audit-able. Never mind that my finding stemmed not only from asking for the documentation and them telling me they had none, but also by the fact that an incident had recently occurred and I watched as their incident response was muddled and likely would not have happened at all had I not been there to alert them to the malware causing the incident.

But… According to this manager, there was no need to document a process for incident response because they would not be audited by anyone like say for a SOX audit and be required to show their audit-able incident response documentation/processes.

Of course the SOX regs might say different huh?

Thankfully, I stopped myself from arguing this any further and trying to explain that this was indeed the case and that even if the SOX folks did not ask because they often suck at auditing, the PCI folks certainly would… I could hear the name whispered as the incident response post mortem call went on however.

“Cassandra”

Am I the only one who feels this way or is treated as such by clients who ask for security services? I mean, you go in, you do your job and document all the deficiencies, state the gaps and map them to regulations and still you get pushback saying

“Well, we don’t need to fix that”

Hell, this even happens after you exploit systems and steal their data and show them. They still look at you and say;

“Well, you do this professionally, this won’t ever happen in the real world”

Why? What is it that causes these cases of self delusion in certain C level execs? I really don’t understand their reasoning here. I certainly did not understand this person’s need for their responses being so confrontational. I mean, is it just that they feel that their job is on the line? Is it that they are not willing to spend more time and money? Because really, the only investment here would be time. Time to write the incident response plans and have them published.

So what’s the deal here?

I attribute much of it to the fact that security, much like the appearance of a UFO to Neanderthal man, instills fear into their hearts and minds. Simply, they see it all as magic and beyond their comprehension, moving some to disbelief of what they see before them.

It could never happen here!

This is just too arcane!

Who’d want our data anyway?

Well, I have news for you, this is the future and the future is security my friends and we.. We are doomed.

I wonder what will happen tomorrow when I send them the links to the SOX requirements on documented processes such as incident response….

CoB

Written by Krypt3ia

2010/07/28 at 02:04

Losing the War with Japan… Or was it Losing The War With China…Maybe Ourselves…

A keiretsu (系列?, lit. system, series, grouping of enterprises, order of succession) is a set of companies with interlocking business relationships and shareholdings. It is a type of business group.

Recently, I came across an old episode of PBS’ Frontline that was titled “Losing The War With Japan” (click link to see it on YouTube). In this 1991 report we see how the country was concerned with the rise of Japanese business and their “unfair” practices of Keiretsu and Zaibatsu. Of course the report calls it “Predatory Capitalism” but I would just say that they were being smart. I guess one man’s smart is another loser’s 1-800-WAAA, but we are a country of laws are we not? So sure, I can see my way clear on some of the charges in unfair practices. However, now that nearly twenty years have passed what have we learned?

Obviously not much…

Let’s run down what’s happened since the Frontline piece.

1) Japan took over the car market and the US Auto industry learned nothing. They remained bloated and making poorly thought out, bloated, gas guzzlers and are now in bankruptcy or near to it.

2) Japan got too close to America and took on too many of her ways. Soon there was a meltdown in their economy and a slew of admissions of malfeasance by corporate entities.

3) America had a boom and bust over “internet stocks”, basically vaporware. Greed was indeed good and the Ivan Boesky set began to plan for even bigger schemes that would come to roost in our current “credit default swaps” fiasco and near depression. The net effect, we began to not make anything here except maybe “intellectual capital” that is currently being stolen and reverse engineered in China.

4) America began the great outsourcing of all the things we no longer “make” in order to have better bottom lines on balance sheets from cheaper labor in third world countries.

5) China buys great quantities of our debt.. They now effectively “own” us.

6) The “Great Recession” comes post 3 front wars for many years and an abdication of any kind of regulation on business, banking, stocks, etc. Even though, we were warned that the big banks were playing fast and loose with our money and selling us magic beans.

7) Now China looms as a new kind of super power that deems to attack us on cyber and economic fronts in order to become the pre-eminent super power. Basically, they have us by the short and curlies economically as well as technically (e.g. cyber warfare)

So, how did we not learn from history? How is it that this country just went on its merry way and learned not one thing from its near miss with Japan? Did greed and self absorption just blind us to it all?

In a word.. Yes.

We have failed ourselves by not paying attention and our government has failed us for not being able to comprehend what was going on. We elected the morons in office and they let go of the tiller that controlled the business world’s ethical rudder. Of course, we the people didn’t help either as we were rolling in the new money that was rolling in from tech stocks, or ponzi schemes that had been all the rage.

There’s a line from “Rising Sun” that always struck me as true and now that I look back it is absolutely so.

John Connor: We’re playing that most American of games.
Web Smith: Which is what?
John Connor: Catch-up.

Let’s face it, we are playing catch up because we have been too intellectually incurious to see what has been happening all these years. Can we catch up now I wonder? Or will we continue down the same path of blind faith in the system and personal greed?

Of course one would have to also hope that the “system” i.e. our government would not let themselves be led down the primrose path again like they have with all of this credit default swaps and “too big to fail” banks falderal… I hold out little hope.

Take a look at the Frontline stories and ponder…

CoB

Musashi’s Last Duel: Sasaki Kojirō

On April 13, 1612, Musashi (about age 30) fought his most famous duel, with Sasaki Kojirō, who wielded a nodachi. Musashi came late and unkempt to the appointed place — the remote island of Funajima, north of Kokura. The duel was short. Musashi killed his opponent with a bokken that he had carved from an oar while traveling to the island. Musashi fashioned it to be longer than the nodachi, making it closer to a modern suburito.

Musashi’s late arrival is controversial. Sasaki’s outraged supporters thought it was dishonorable and disrespectful while Musashi’s supporters thought it was a fair way to unnerve his opponent. Another theory is that Musashi timed the hour of his arrival to match the turning of the tide. The tide carried him to the island. After his victory, Musashi immediately jumped back in his boat and his flight from Sasaki’s vengeful allies was helped by the turning of the tide. Another theory states he waited for the sun to get in the right position. After he dodged a blow Sasaki was blinded by the sun. He briefly established a fencing school that same year.

Miyamoto Musashi’s last duel ends much like his first at age 13, but in this case he kills with less fury than he did on the occasion of his first duel. This last duel though was the epitome of his arts being perfected. The arts of not only swordsmanship, but also tactics.

It seems to me lately, that the art of tactics has been pretty much lost on our society. Perhaps it’s the Eastern mindset that we just lack here in the states, but, overall I think it’s a cultural thing more than anything. In Japan, the tactics of “business is war” have been practiced since post WWII, but here in the west (US) that only came to our collective consciousness in the 80’s when they started to kick our collective economic asses.

Of course now Japan is still in decline as an economic power while China rises. However, what I am aiming at here is not just about economics. I am actually attempting to further this thought process to the area of “cyberwar” and our predicaments where our national security is concerned.

Back to Musashi and on to Cyberwar:

Musashi was a consummate swordsman but like I said, also a great tactical warfare fighter. He created the two sword technique (“Ni-Ten Ichi Ryu”) that in the end, would be, in his hands, unbeatable. He used this technique in tandem with psychological warfare to unbalance his opponents and gain utter dominance. He had the tools to win the battle before it was really fought in essence.

The same can be said about cyber warfare. If you have the tools and the mindset, you can effectively render your opponent impotent and win the battle without actually needing to wage all out war. The Chinese tactician Sun Tzu said much the same in his treatise on war “The Art of War” and I feel that both of these men have much to say that should be applied to today’s cyber threat-scape.

Throughout my career working in information security, I have always noticed a certain lack of understanding on the part of corporations as entities as well as that which comprise them. The people who run them where technical security is concerned are either not able to comprehend the issues at hand, or, more likely, to not really see these things as a real danger. Is it a lack of awareness or is it a lack of care? Perhaps a little of both. What’s more, in today’s environment, I have seen companies accept risks that are known and should be mitigated because it would cost too much or burden the end users to fix them. This to my mind is not seeing and understanding the tactical threat-scape.

Musashi and Sun Tzu both taught being aware of the battle space, yourself, and your enemy. Japanese “salary men” still today use these tenets to wage business and are often successful at it. I suggest that we too apply these approaches to the work of information security, its application, and the process of teaching its precepts to everyone involved. After all, when individuals and companies cannot as a whole understand the basic threat that an un-secured network printer in a secured area presents, there is a fundamental disconnect that needs to be removed.

This is a failure to understand and be aware of your threat-scape… And it will lose the battle for you.

APT and Snake Oil Cure All’s

Within the last weeks I have seen a trend in twitter and in blogs on the internet from security practitioners about the APT and cyberwar problems. Howard Schmidt claimed that; “There is no cyberwar” and, as the new Tsar of the cyber area for this country, has been taken to task on this statement. I myself have written of my lack of faith in Howard’s understanding of not only the threat-scape, but also his own newly acquired title. The essence though here is that there are many pundits, salesmen, and interested parties looking to cash in or have their say on this. It’s really signal to noise at this point.

Meanwhile, the anti-virus, NAC, SIM, and other vendors have begun their putsch to promote their products that can stop APT in their tracks. This has been of concern to many of the security wonks on the blogs too. You see, the fact is the APT is not a malware one trick pony that a behavior based or signature based model can always detect. The APT or Advanced Persistent Threat is not just the tools they use, but the people who create and use them… And they are more than likely familiar with the precepts of war that Sun Tzu and Musashi taught.

When the APT saw that their malware was being detected by AV, they looked at the threat-scape to them and adapted their stratagem to defeat it. They looked at the castle and saw that the weakness lay with the way things got out of the castle as well as the natures of those who live within. Just as I have written before about the War for Troy and the Trojan Horse, so too have the APT thought things through seeking the weaknesses and exploiting them. In the case of the APT, they basically saw that they could ex-filtrate the data out of the environment through the weak point of regular traffic. They basically stegged the flow with signal to noise.

So now, we have the vendors in a lather trying to sell solutions to a particular vector of attack while the APT will move on to look once more at the threat-scape and change the battle plan to once again evade their new “products” and go unseen while they take the data and win the battle. In essence, the vendors and the clients have failed to understand the nature of the APT and the battle space on a level that is key to winning. As a whole, they seem to lack the mindset this problem demands, favoring instead a quick-fix solution that will “cure all”, much like the sideshow snake oil salesmen of old.

APT, Cyberwar, Government, and YOU

In the end, I am advocating that we as a whole begin to understand the threats and the technologies better and not be so reactive after the fact. Our government needs to understand the threats as well as the technologies in order to create appropriate responses and proactive measures to prevent us having to be reactive. So far, our government’s answers have been lackluster to the point of the president having a big red easy button to shut down the internet should there be a threat. This is no answer, and thankfully it was struck from the bill this week.

The government also needs to listen to the experts in the field and employ them to help mitigate our vulnerabilities without the usual “Washington Two Step” that is so prevalent. This whole flap over Schmidt’s lack of understanding or using a company line to allay the fears of the masses is just one case in point. Schmidt needs to be able to speak the truth if he knows it as well as have a position that carries some gravitas. Thus far it seems that he is in fact a neuter.

Schmidt’s comment on cyberwar also needs to be looked at from the perspective of tactics. “There is no cyberwar” is not an answer. Cyberwar means more than actual physical warfare, and it should not be perceived as merely espionage. Cyberwar is more than just malware and thievery; it’s a tactic in a larger warfare scheme, and we as a country are still unable to comprehend this outside of certain military purviews. Where this really becomes an issue is that most of our infrastructure in this country is held privately, and thus it’s up to the owners to protect it… Or not, as the case has been.

Lastly, there is the element of you, the general public. Employees of those same companies that run the infrastructure. Private citizens who are on the same internet as the rest of the companies and countries who do not understand the precepts of computer security as well as OPSEC. How many people today have way too much of their lives open to the internet? How many of those now household machines you use to connect to the internet are not secure? Lack virus scanning utilities? Have kids as well as yourselves opening every e-card they get and wondering afterwards why their systems are now slow and their bank accounts drained?

The general public today is not aware of the precepts of security in computing, never mind many of the issues surrounding their daily operation. They just turn them on and they work. Both of these knowledge bases should be inherently taught at some level, just as you need a license to drive a car today. I say this because now, you and your machine could be just one of many systems that comprise a botnet that DDoS’s a government entity or a business at great cost or as a precursor to other attacks. You are a part of the problem and you must be cognizant of that fact.

End Game

In the final analysis I am just putting this article forth to those who would read it. Perhaps the Western mind is just inherently unable to understand Eastern thought. Perhaps we are just a fat and lazy self-interested country whose apathy and arrogance just get in the way of our comprehension. Who’s really to say? However, we as a country have to learn that the issues above must be learned about and proactively worked on. Otherwise someday we may find ourselves in the dark without power to run those nifty machines that we rely too much on. The same machines that the government relies on too and will also collapse should there be a successful attack against our infrastructure.

Now is the time for proactive moves… Do we have the fortitude to move forward?

Musashi went from being a 13-year-old, rage-filled boy with a stick to a master swordsman and tactician. Can this country do the same and protect itself?