Before there were words, calculated as the softmax of a list of possible
tokens, there were just vectors of nano-electrical potential in cells
soaked in a hormonal brew of electrolytes, operating on a clock cycle of
"slow, but fast enough". In this sense, as we now know
<https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10472538/>, we generate words
and we know, in our heads, what we are, in the same way as we generate
limbs, with each cell knowing from its electric field what to be next. A
tumor is in that way of thought a *confabulation* or as we now say, a
*hallucination.* But then, also, so are you.

Recently I spent some time reading this year's Research Handbook on
Cyberwarfare
<https://cybersecpolitics.blogspot.com/2024/08/a-quick-research-overview-of-…>.

One of the forms I filled out recently asked me if I was a certified Master
Operator, which of course, I am not, any more than an Archaeopteryx is a
certified Bald Eagle, even though both know the smell of the sky and the
taste of freshly caught fish. But I do occasionally pay attention to the
"state of the art" academic view of cyberwar and the Handbook was a good
way to catch up.

For example if you read Nadiya Kostyuk and Jen Sidorova's Handbook paper
on *Military Cybercapacity* they will say that "a cyber attack may
provide a defender or third party with a good estimate of the attacker's
capabilities, but it is not clear how many of these capabilities the
attacker has in their arsenal". This is, to my primitive cyberwarfare mind,
so old that I still use "screen" instead of "tmux", a bit of a misstep when
it comes to how cyberwar works and what a capability is. I don't know how
to say it any clearer than this: Behind every wooden horse is a woodshop.

An example in my head is that right now the Ukrainian army is rumored to be
sitting on top of a major gas terminal in Kursk, one responsible for
supplying Russian gas to Europe. You have to assume that, having learned
from the Russian attacks against their electrical infrastructure, the
Ukrainian Army is traveling not just with a screen of FPV drones but with a
few USB keys containing implants for the specialized equipment that runs a
gas network.

It's hard to disconnect OT networks that are presumed to be segmented
physically, and temporary physical control can easily translate to
permanent cyber control. And cyber control, despite what Quentin E.
Hodgson's Handbook paper (*Cyber coercion as a tool of statecraft: how
often, how effective?*) wrongly concludes, is extremely useful for state
coercion.

Perhaps the problem with the Handbook, like all academic writing on
cyberwar, is that it is meant to be sterile. But that's not how cyberwar
works, held in the space that is a melange of electrons and intentions. As
tumors confabulate within flesh, so too do our digital dreams hallucinate
new worlds, both the virus and the firewall, the wooden horse, and the
workshop that births it. Certified or not, we are masters of a domain we
cannot fully comprehend, sailing on seas of raw data, guided by stars we
ourselves ignite.

DefCon is a study in cacophony, and like many of you I'm still digging
through my backlog of new research in multifarious browser tabs, the way a
dragonfly keeps track of the world through scintillated compound lenses. In
between AIxCC (which proved, if anything, the boundaries of automated bug
finding using current LLM tech?
<https://dashboard.aicyberchallenge.com/collectivesolvehealth>), James
Kettle's timing attack research
<https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-…>,
and even more PHP ownership
<https://www.ambionics.io/blog/iconv-cve-2024-2961-p1>, you unfortunately
do have to pay attention to the outside world.

One of the things that lit up my sensors was the Windows Remote Desktop
Licensing service exploit that came out from a sort of "Post QiHoo360"
exploit community, led by Dr. Zhiniang Peng (aka @edwardzpeng), an absolute legend
of exploitation. A remote unauthenticated heap overflow in the latest
Windows via an MSRPC endpoint, bypassing modern defenses by just calling
LoadLibraryA("\\webdav\owned.dll") on a fake object. An unexpected burst of
pure beauty really, like the iridescence of a Morpho moth flitting across a
concrete parking lot. The exploit
<https://github.com/CloudCrowSec001/CVE-2024-38077-POC/blob/main/CVE-2024-38…>
is public, but the original paper is now mysteriously deleted, I assume for
political reasons. If you have a copy of it, please shoot it my way. It's
telling that all the best exploits I know have "Exploitation less likely"
as their rating from Microsoft.

Anyways, it's interesting what merits attention, and what doesn't.

-dave

Cordyceps Analysis Report on PRANA Network Hack and Leak Operation:
https://docs.google.com/document/d/1oOJbBTUwyK85ZKYAAdwWqxk-sMvqrBqzJYX1ozi…

Lately I've been reading a lot of academic papers, mostly the Research
Handbook on Cyberwarfare
<https://www.elgaronline.com/edcollchap/book/9781803924854/book-part-9781803…>.

Some of them are good papers! JD Work has a paper in it! But also some of
them get wrapped around the idea of "Cyber War vs Cyberwarfare" (!??!) or
fall in love with "hacktivists" or stomp furiously around all the real
issues in the domain without ever stepping on the green.

The thing about Persistent Engagement and Integrated Deterrence and Defend
Forward is that yes, as Paul Withers points out in "Do we need an
effects-based approach for cyber operations?"
<https://kclpure.kcl.ac.uk/portal/en/publications/do-we-need-an-effects-base…>
or as the Grugq points out in his latest keynotes
<https://www.youtube.com/watch?v=P6PnhDfWvx0>, we do need to look at
"effects" in a broad way when talking about cyber operations. But the goal
of your offensive counter-cyber operations is not to "reduce the number of
incoming operations", as Jay Healey would try to measure, but to mitigate
strategic effects!

In other words, if the Chinese are hacking as much as possible in the LLM
space, but somehow don't manage to launch their own market-leading LLM
because for some reason their experiments on Huawei Ascend chips all
mysteriously have weirdly wide bands of error, that is Defend Forward
working! Did nobody in all of cyber policy academia read the Three Body
Problem?

Academics should love this part of the theory, really, because arguing
about strategic effects is 90% of what they do, usually without ever
opening up a Neo4j Database filled with stolen mail spools to see what's
really happening on the wire.

Anyways, if you like the kind of reporting in our PRANA report, we offer
paid reporting as well. :)

Thanks,
Dave Aitel