Pages

Sunday, 21 July 2019

Amy Zegart on Cyberwar

This talk was given four years ago, in July 2015.


At 6 minutes 15 seconds she compares traditional National Security and Cyber threats. The first key difference is that the US is simultaneously the most powerful country in cyberspace, and the most vulnerable. She puts this down to the US being the most "connected", and therefore the country most dependent on communications; but the implication that being "connected" makes you vulnerable and powerful is simply not a necessary one. She goes on to quantify the "attack surface" in terms of only unintended security vulnerabilities in OS code, but these figures are utterly irrelevant if you consider the possibility of subversion of the software development systems in the contractors' own offices. The reason you should consider this is that Roger Schell and his students at the Naval Postgraduate School explicitly warned you about it over a decade earlier. See Subversion as a Threat in Information Warfare, which ends like this:


At 12 minutes 42 seconds "The worst publicly revealed breach in US military history occurred in 2008, ...." and the worst breach that has not yet been publicly revealed, ... well, it was 14 months before the US military realised the extent of the 2008 breach, so .... See Developing Secure Communications, which I posted in April 2015, four months before this talk was given. See YouTube What The Fuck Are You Playing At? and US Pentagon Ranks 19th In P2P Child Pornography Networks and Mikko Hypponen on Security, given December 6th 2014, two months after the North Korean cyber-attack on Sony:


Listen to Mikko's advice at 18 minutes, 10 seconds. Now imagine if the waiter at the Beverley Hills Country Club had called the alarm, and as a consequence a bunch of high-ranking paedophiles had been caught molesting children in a back room, .... and the Pentagon had called in a bunch of tame terrorists to firebomb the whole place and kill all the firefighters who knew about it, and then accused the waiter of being the ringleader, ... That's why moral discipline is important in the armed forces and the police, and it's why you don't want your creepy uncle working at Google, either, ...


... because, in the long run, it's bad for the bottom line, and the Brits end up with a CIA guy as Prime Minister.


Hypponen mentions the Sandworm malware, which first showed up in Ukraine. On October 14th I posted this The Navigator. The North Korean Cyber Attack on Sony was on November 24th, 39 days later. The situation in Ukraine was fully developed by April 2014, see A Story About Cyber Security and Spying. Look at what I was posting throughout April. My aim, in October, in posting that fantasy about a guild of navigators coordinating hackers around the world was just to get the hackers communicating with each other. It was clear to me by then, after having spent six fruitless months and all my money trying to get material support, that the hackers were far better potential allies in creating secure communications than any free and open source software developers would be. Now anyone who thinks that they can pin some hack in Ukraine in April 2014 on me has some real fucking work cut out for them! Good luck! Much better would be to try and pin the Sony attack on me.

Here's Guardian journalist Luke Harding talking about what happened when the Guardian started going through Snowden's archives


At 10 mins 33 secs you get an insight into the level of cybersecurity expertise of British intelligence. At the start there is a video clip of a Guardian computer being cut to pieces to destroy data.

In March 2013, the first post I made on this blog, I publicly outlined a plan to deal with what I considered to be the most serious and urgent computer security problem: from https://code.google.com/archive/p/metaprogramming/
It ... allows us to solve some hard problems such as the one Ken Thompson identifies in his Turing Award speech On Trusting Trust. This is because a meta-programmed system does not actually have any concrete representation in source code, so is not susceptible to any attack that is based on recognising the source code of the target system.
Now I didn't realise it at the time, but what I was describing there was a basically a generalisation of Larry Paulson's 1981 PhD thesis. Sponsored by ARPA:

Cue movie. dong!! .... dong!! .... ding-dang-dong-ding-a-ding-a-dang-dong, ...



Thirty years plus of service, ... why haven't I made Admiral? Well, sir, the US Navy doesn't have a fast-track career path to admiral, ... not one that starts at "bum, junkie, lesbian, Russian spy, ..." at any rate. ... Yes sir! It was my ex-girlfriend that did all this all cyber security shit and saved the US Navy from Microsoft, ....

No comments:

Post a Comment