Monday, April 25, 2016

Bandwidth and the Cyber Weapon of Availability

A key difference between the Immunity mindset on "Cyber Weapons" and the public one is that we see the ability to offer information that cannot be removed from the public Internet as an important, and perhaps the most important, type of cyber weapon. If you don't think an AC-130 hurling USB keys full of videos and software into a city is a cyber weapon, then you won't agree with our paradigm and you'll have to live with being wrong. :)

Emin Gun Sirer has written two blog posts that should be must-reads for the policy sect or anyone in the security business, and this is one of them:

TL;DR summary: "All the databases are going to be available to everyone." Cyber intelligence has long depended on the gap between what people knew was publicly available and what they could actually access. You know how powerful even a PHONE BOOK DATABASE is when it's not publicly known to be accessible? Try running an alias for an intel officer who didn't actually have an apartment in Istanbul when she said she did, and I can check in 20 seconds with my stolen DB. This is true for the OPM database, all the airline databases and of course the hospital databases. The same techniques that Twitter uses to figure out what brand of soap to sell you can detect a fake persona without breaking a digital sweat.

Following from these self-evident facts, eventually every service that uses aliases is going to transition to just having to timeslice from normal people with normal jobs, which is going to require that they haven't alienated the entire technical community they rely on for access and influence. (In case you wanted a link to the Comey-missteps-of-the-day.)

The obvious trendline is that the amount of data that makes a company run is a constant. Mail spools just don't get big that fast, and the important information in them grows even slower. Remember when downloading a movie was a big deal? Now you download four onto your Kindle between waking up and heading to the airport.

In other words: The increase in available bandwidth has completely shifted some equation and made "Offer" cyber weapons more important than they ever otherwise could have been. You only need a tiny dwell time on the main mail server of a company to end that company forever, and that dwell time is now smaller than the target's "Indicators of Compromise" analysis speed. Or as Microsoft's researcher Sasha would say: "You win automatically when your exfil time is less than log aggregation and analysis periods."

On a completely unrelated note, I'm headed to DC today to attend a conference at Georgetown on Cyber Policy. I think part of what annoys everyone in the cyber policy world about the State Dept. fucking up Wassenaar so much is that it has absorbed all the bandwidth available for analysis for two whole years on an important subject. The only silver lining is that by aligning the opposition to their bone-headedness on the subject we may have congealed a multi-cell predator out of the primordial soup. :)
