[Dailydave] The best bugclass is whatever the defender is most mentally invested in

Laura laura.m.eise at gmail.com
Wed Mar 25 00:03:26 UTC 2020


ESSAY: What if AI waged war?

The Fatal Flaw
<https://jessicaanneeise.files.wordpress.com/2019/05/what-if-ai-waged-war_eise_creative-writing.pdf
 >,
by Jessica Eise (Short Story)

On Mon, Mar 23, 2020 at 10:23 AM Konrads Smelkovs <
konrads.smelkovs at gmail.com> wrote:

> Big shame most of list don’t read In Russian else I would recommend works
> by Victor Pelevin who in his fiction describes sharply a variety of ways
> how to screw up a society using weaponised narratives.
>
> In one of his works - “Heavenly sutras of Al-EfesBee” he describes AI
> drones who must produce a small talk show using virtual hosts who agnosise
> over the drone strike justifying it and disagreeing - all to placate public
> at home. Al-EfEsbee then proceeds to write paradoxical statements on the
> battlefield
> In large type which are machine read and that crashes the advanced,
> agonising AI of the drone.
>
> This story tells us two things:
> - Advanced AI is unexplainable and can act in ways that you don’t
> anticipate
> - China can do full auto drones because they don’t have to explain
> anything to anyone back at home.
>
>
> On Thu, 5 Mar 2020 at 08:59, Dave Aitel <dave.aitel at gmail.com> wrote:
>
>> A decade or so ago I got pneumonia and then tried to give a talk about why
>> attackers tend to win
>> <https://www.youtube.com/watch?v=p1zSlUBfSUg&list=PLIrw3NtUvbxPffyw9LvE-NnWwxPJarF2V&index=1>
>> at cyber stuff. The usual answer you will hear, the *RSAC* answer, if
>> you will, is total BS. If someone says "Attackers only need to get in once,
>> but defenders need to succeed every time!" then they are officially a moron
>> and it's ok to sell them blinky-light systems which protect them from APTs
>> or whatever, maybe after discussing some ballgame scores with them first
>> that have all the narrative joy of a set of random numbers, but I wouldn't
>> take their advice on information security.
>>
>> But the sign of a truly great attack in our space is often that you could
>> write it in every blog and newspaper in the land as the top headline, and
>> defenders would still not be able to adjust to it because they are so
>> mentally invested in the alternative. CRYPTO-AG is an example of this, as
>> were the original ENIGMA and PURPLE breaks during WWII.
>>
>> But my favorite one is maybe "patching". People will take a remotely
>> accessible system that has a newly published RCE, one they have basically
>> no telemetry on, and then patch that bad boy up and go on with their lives
>> as long as it doesn't have some sort of malware that changes the login
>> screen. Oh lordy the scripts to find out if your Citrix VPN was popped last
>> month...just comedic genius.
>>
>> My second favorite might be WAFs. We know they don't WORK, but they KINDA
>> WORK sometimes and are easy to write metrics around and maybe that's enough
>> to justify their existence even though they also introduce security flaws
>> of their own?
>>
>> My third favorite one is SOCs with humans in them. You can, quite
>> literally, say "Hey, attackers are always going to move faster than you
>> because they are going to invest in automation, which is clearly the
>> answer..." but five thousand blogs on "Threat Hunting" later, here we are.
>> I mean, I know Jason Healey and Dmitri Alperovitch argued recently that
>> offensive innovations are in actuality quite limited
>> <https://www.youtube.com/watch?v=Dgr4A1feV5Y&t=33s>, but it's probably
>> wisest to assume that the offensive community you see is just the foot of
>> the mountain range, and that above the permafrost is an entire cloud city
>> of strange and glorious creatures, working on telnetd remotes
>> <https://appgateresearch.blogspot.com/?m=1>.
>>
>> This brings us to a few national-level policies which are just as funny.
>> When you listen to defense department innovators
>> <https://www.youtube.com/watch?v=wA0epN0L1fc&t=9s> talk about automation
>> on the battlefield they are super careful to point out that a "human will
>> always be in the loop for any use of force". But of course, any of our
>> adversaries (c.f. China) who has pushed their AI to be fully automated on
>> the battlefield will have a massive advantage over anyone who has not. They
>> are either lying and they know it, or, MORE HILARIOUSLY don't even know it.
>>
>> The same is true about the Air Force's bizarre reaction to Elon Musk this
>> week pointing out that obviously fully automated drones are the
>> near-future. The air force, predictably, pushed back
>> <https://www.military.com/daily-news/2020/03/04/air-force-generals-elon-musk-fighter-jet-era-isnt-over-yet.html?utm_medium=Social&utm_source=Twitter#Echobox=1583360352>.
>> Their paychecks depend on a system full of human butts in expensive
>> airframes, as useless in the wars they were designed for as a human
>> querying a time-series database for an IoC.
>>
>> In other words, the reason attackers win has not changed, and maybe never
>> will.
>> -dave
>>
>>
>>
>>
>>
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunityinc.com
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
>>
> --
>
> -K
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/dailydave/attachments/20200324/ebea10ce/attachment.html>


More information about the Dailydave mailing list