[Dailydave] The best bugclass is whatever the defender is most mentally invested in

Konrads Smelkovs konrads.smelkovs at gmail.com
Fri Mar 6 00:40:17 UTC 2020


Big shame most of the list don’t read Russian, else I would recommend works
by Victor Pelevin, who in his fiction sharply describes a variety of ways
to screw up a society using weaponised narratives.

In one of his works - “Heavenly sutras of Al-EfesBee” - he describes AI
drones who must produce a small talk show using virtual hosts who agonise
over the drone strike, justifying it and disagreeing - all to placate the
public at home. Al-EfesBee then proceeds to write paradoxical statements on
the battlefield in large type which are machine read, and that crashes the
advanced, agonising AI of the drone.

This story tells us two things:
- Advanced AI is unexplainable and can act in ways that you don’t anticipate
- China can do full auto drones because they don’t have to explain anything
to anyone back at home.


On Thu, 5 Mar 2020 at 08:59, Dave Aitel <dave.aitel at gmail.com> wrote:

> A decade or so ago I got pneumonia and then tried to give a talk about why
> attackers tend to win
> <https://www.youtube.com/watch?v=p1zSlUBfSUg&list=PLIrw3NtUvbxPffyw9LvE-NnWwxPJarF2V&index=1>
> at cyber stuff. The usual answer you will hear, the *RSAC* answer, if you
> will, is total BS. If someone says "Attackers only need to get in once, but
> defenders need to succeed every time!" then they are officially a moron and
> it's ok to sell them blinky-light systems which protect them from APTs or
> whatever, maybe after discussing some ballgame scores with them first that
> have all the narrative joy of a set of random numbers, but I wouldn't take
> their advice on information security.
>
> But the sign of a truly great attack in our space is often that you could
> write it in every blog and newspaper in the land as the top headline, and
> defenders would still not be able to adjust to it because they are so
> mentally invested in the alternative. CRYPTO-AG is an example of this, as
> were the original ENIGMA and PURPLE breaks during WWII.
>
> But my favorite one is maybe "patching". People will take a remotely
> accessible system that has a newly published RCE, one they have basically
> no telemetry on, and then patch that bad boy up and go on with their lives
> as long as it doesn't have some sort of malware that changes the login
> screen. Oh lordy the scripts to find out if your Citrix VPN was popped last
> month...just comedic genius.
>
> My second favorite might be WAFs. We know they don't WORK, but they KINDA
> WORK sometimes and are easy to write metrics around and maybe that's enough
> to justify their existence even though they also introduce security flaws
> of their own?
>
> My third favorite one is SOCs with humans in them. You can, quite
> literally, say "Hey, attackers are always going to move faster than you
> because they are going to invest in automation, which is clearly the
> answer..." but five thousand blogs on "Threat Hunting" later, here we are.
> I mean, I know Jason Healey and Dmitri Alperovitch argued recently that
> offensive innovations are in actuality quite limited
> <https://www.youtube.com/watch?v=Dgr4A1feV5Y&t=33s>, but it's probably
> wisest to assume that the offensive community you see is just the foot of
> the mountain range, and that above the permafrost is an entire cloud city
> of strange and glorious creatures, working on telnetd remotes
> <https://appgateresearch.blogspot.com/?m=1>.
>
> This brings us to a few national-level policies which are just as funny.
> When you listen to defense department innovators
> <https://www.youtube.com/watch?v=wA0epN0L1fc&t=9s> talk about automation
> on the battlefield they are super careful to point out that a "human will
> always be in the loop for any use of force". But of course, any of our
> adversaries (c.f. China) who has pushed their AI to be fully automated on
> the battlefield will have a massive advantage over anyone who has not. They
> are either lying and they know it, or, MORE HILARIOUSLY don't even know it.
>
> The same is true about the Air Force's bizarre reaction to Elon Musk this
> week pointing out that obviously fully automated drones are the
> near-future. The air force, predictably, pushed back
> <https://www.military.com/daily-news/2020/03/04/air-force-generals-elon-musk-fighter-jet-era-isnt-over-yet.html?utm_medium=Social&utm_source=Twitter#Echobox=1583360352>.
> Their paychecks depend on a system full of human butts in expensive
> airframes, as useless in the wars they were designed for as a human
> querying a time-series database for an IoC.
>
> In other words, the reason attackers win has not changed, and maybe never
> will.
> -dave
-- 

-K