Dailydave August 2022

dailydave@lists.aitelfoundation.org

12 participants
3 discussions

"Market Failures"
by Dave Aitel 25 Aug '22

25 Aug '22

If you were at a talk at Defcon this year in the Policy track, you probably heard someone talk about how they, as a government official, are there to address "market failures". And immediately you thought: This is a load of nonsense. Because that government official is not allowed to, and has no intentions of, addressing any market failures whatsoever. If the Government was going to address market failures, they'd have to find some way to convince every cloud provider from making their security features the upsell on the Platinum package. They'd have to talk about how trying to get into different markets means every social media company faces huge pressures to put Indian spies on their network. Obviously you know, as someone who did not emerge from under a rock into the security community yesterday, that the answer to having a malicious insider on your network is probably some smart segmentation, which we call "Zero Trust" now. But Zero Trust is expensive! And most social media companies are not exactly profitable as the great monster known as TikTok has eaten every eyeball in every market because the very concept of having people explicitly choose who their friends are is outdated now. In fact, as everyone is pointing out, almost all companies you know are in this position! They're cutting costs by sending jobs overseas while spending huge amounts of money propping up their stock prices and paying their executives to sell them to a dwindling market of buyers. Private Equity companies spend every effort on squeezing the last dollar out of old enterprise software by exploiting the lock-in they have on small businesses. And as critical as Twitter is, we have the exact same dynamic with our privatized water and power companies - who have no plans to make strategic investments in security or anything really - which is why on public calls you can hear them humiliating themselves asking Jen Easterly to absorb the entire costs of their security programs. The ideal practice for all of these companies is to offload their costs onto the taxpayer, which is why instead of investing in security, they cry for the FBI to go collect their bitcoin from whatever ransomware crews are on their network this week using offensive cyber operations that themselves cost the government an order of magnitude more than the bitcoin is worth. As you're sitting in that Defcon talk, listening to someone from government talk about how they only want to regulate with the "input of industry" or something, you have to wonder: if this is every company we know, maybe the market failure isn't just how hard it is to buy a good security product because they all abuse the copyright system to avoid any kind of performance transparency. Maybe it's also how hard it is to SELL a good security product because every single company is trying to cut their budget to the exact minimum amount that will allow them to tell the FBI they did their best, and the FBI needs to go out there and pick up their slack. -dave

8 7

Defcon 30
by Dave Aitel 23 Aug '22

23 Aug '22

As you wander the halls of the inaptly named Caesar's Forum, amidst a living sea of the most neurodiverse Clan humanity has ever seen, you cannot help but stop for a second to close your eyes amidst the cacophony and mentally exclaim, "Look. Look at the world we have created!" Sitting in the one cafe in the Paris hotel with food, a tattooed thirty-something who has been to Defcon twice gives you advice on how to do the conference. "Take the unirail." they say. "Also, you should have a hacker name! Mine is 'youngblood''" "Noted!" you respond. These are good ideas. The unirail in particular, probably, because Vegas is overflowing - and decent food options and anywhere to sit that is not beeping at you or showing grungy dystopian TV ads the Cyberpunk 2077 developers would find over-the-top are impossible to come by, making the conference ten times more exhausting than usual. In that sense, you miss the Alexis Park days, sitting with Halvar Flake next to a pool where everyone was more larval than they knew, watching Dildog lauch BO2K to a thousand screaming fans in the same room Dino Dai Zovi explained Solaris hacking an hour earlier. Some of the best talks this year had no attendees at all - Orange Tsai's talk was over Zoom, to a huge room, but with few butts in the seats. There were a hundred "Villages" it seemed like, living a half-life between physical space in the conference room and a Discord channel. Defcon may be the worst and best place to learn anything in that way - the environment is hopelessly chaotic, with two talks happening inches away from each other, and only feet from a DJ pumping out house music. But perhaps the best environment to learn in is the one in which you are most inspired? My friends, we've conquered the world. What's next? -dave

6 5

Phase changes in international relations
by Dave Aitel 22 Aug '22

22 Aug '22

Right now, there is a, to put it mildly, ongoing discussion between proponents of coercion and deterrence in cyber policy, and adherents of a new theory, called *persistent engagement.* Maybe the sum total of the people in the argument is less than a thousand, but as academic circles go, it heavily influences the US Defense Department and IC, and through that, the rest of the world, so it is fun to watch. Also obviously it has added to infosec Twitter drama, which of course is the most important thing in the whole Universe. But while I try to keep this list technical, I wanted to put it into context for people here, so they can better appreciate the Twitter drama. But before I do that, I want to talk about a Defcon talk I attended. I'm not going to say WHICH talk, since it was under Chatham House Rule, but it was about cyber policy. When I pressed someone on an aspect of their policy efforts and how it implicated technical experts without involving their feedback (export control around penetration testing tools) they said "Well, that was more an expression of our country's VALUES and so we didn't need to listen to our technical experts". And I thought that was very interesting! Because the technical community is highly connected and paying attention to these sorts of things in a way that didn't used to be the case. If your message on one issue is going to be "When our values and the technical community's values don't align, we don't bother listening to them" then they will all know immediately, and all your other outreach efforts might as well be wasted air. And this is true across the board - disintermediation via cyber is now a universal truth. I believe you can come at the theories of persistent engagement by looking at it from a different perspective: Instead of saying "Here's a bunch of data about what we see in cyber, and it looks a certain way, and that way requires a new way of thinking" you ask yourself whether the fundamental way of dealing with conflict in international relations literature can be simplified down to coercion and deterrence when the system is a highly connected network. In other words, the game theory math you would use for dyads and bilateral relationships is great for looking at nuclear conflict because that's how the problem is presented, but doesn't scale to the problems we have for cyber conflicts, which are about emergent effects of much more complicated systems. That's why it's not just different, but downright wrong, to talk about offense-defense balances when we look at cyber or cyber-enabled conflicts. It's why the previous international relations work on deterrence and coercion just doesn't apply cleanly, if at all. On one side (the wrong side) you have people saying "Cyber is not strategic because it cannot hold ground like infantry can!" and on the other side you have people building international relations theories based on cycles of attack, on responses and counter-responses to aggression in the cyber domain because you can lead an entire country around by the nose ring that is TikTok. At some level, we are going to have to stop talking about offensive cyber operations as a corollary of SIGINT capability, and going to look more holistically at COGINT. To sum it up: Complexity in connectivity introduces phase changes in systems. We now live in a highly connected world, and this means we need new paradigms of international relations, whether you are under Chatham House Rule or not. -dave

3 2

2024

2023

2022

2021

2020

Dailydave August 2022