|You don't have to believe I know anything about cyber combat or science fiction, but if you read this blog, and haven't read Dune, you're missing out on the philosophy behind how cyber offense works.|
I know that no policy lawyer can read Bratus's paper on Weird Machines. I also know that even Halvar's INFILTRATE keynote on the subject is probably too technical.
But let me tell you something in the Wassenaar Arrangement that is leading the policy world down the wrong path, a sugar coated path of simplicity: The idea that computer code has intent, and even a chain of preferred execution!
The reason Scrippie is a better exploit writer than I am is because he flattens the code out in his head. He reads the whole thing, and then inside his head the input parsing routines and the heap allocation routines and even the KERNEL system call routines are all at the same level, literally as if they are all in a line and he is simply calling them with his data.
Below, I respond to Nicolas Weaver's Lawfare post, but with <sarcasm>, which translates poorly on Twitter.
Ok, so if you're still with me, I want you to think of it this way: Data is also code. I don't mean "Code can be represented as data because everything is just bytes". I mean, the data I pump into your algorithm controls it as much as the executable code itself does. That's how hackers think of your code and it's closer to the true nature of the code than how the regulators and most academics are thinking right now. It's why every time an academic paper comes out on "ROP/JOP/etc" hackers find it redundant and hilarious.
To make this a Koan: Your computer is a state-space, and our data explores it. When it has no input, your computer program is in all potential quantum states - literally anything is possible because it is Turing complete if it has enough complexity. When we give it data, we collapse that waveform into a particular state of our choosing.
Hopefully that helps?