Sunday, October 14, 2018

How to irregular cyber warfare

Somebody (@thegrugq) pointed me to this article on "Lessons on Irregular Cyber Warfare", citing the masters like Sun Tzu, von Clausewitz, Mao, Che, and the usual characters. It tries to answer: an insurgent, which is in a weaker power position vis-a-vis a stronger nation state; how does cyber warfare plays an integral part in the irregular cyber conflicts in the twenty-first century between nation-states and violent non-state actors or insurgencies
I thought I'd write a rebuttal.

None of these people provide any value. If you want to figure out cyber insurgency, then you want to focus on the technical "cyber" aspects, not "insurgency". I regularly read military articles about cyber written by those, like in the above article, which demonstrate little experience in cyber.

The chief technical lesson for the cyber insurgent is the Birthday Paradox. Let's say, hypothetically, you go to a party with 23 people total. What's the chance that any two people at the party have the same birthday? The answer is 50.7%. With a party of 75 people, the chance rises to 99.9% that two will have the same birthday.

The paradox is that your intuitive way of calculating the odds is wrong. You are thinking the odds are like those of somebody having the same birthday as yourself, which is in indeed roughly 23 out of 365. But we aren't talking about you vs. the remainder of the party, we are talking about any possible combination of two people. This dramatically changes how we do the math.

In cryptography, this is known as the "Birthday Attack". One crypto task is to uniquely fingerprint documents. Historically, the most popular way of doing his was with an algorithm known as "MD5" which produces 128-bit fingerprints. Given a document, with an MD5 fingerprint, it's impossible to create a second document with the same fingerprint. However, with MD5, it's possible to create two documents with the same fingerprint. In other words, we can't modify only one document to get a match, but we can keep modifying two documents until their fingerprints match. Like a room, finding somebody with your birthday is hard, finding any two people with the same birthday is easier.

The same principle works with insurgencies. Accomplishing one specific goal is hard, but accomplishing any goal is easy. Trying to do a narrowly defined task to disrupt the enemy is hard, but it's easy to support a group of motivated hackers and let them do any sort of disruption they can come up with.

The above article suggests a means of using cyber to disrupt a carrier attack group. This is an example of something hard, a narrowly defined attack that is unlikely to actually work in the real world.

Conversely, consider the attacks attributed to North Korea, like those against Sony or the Wannacry virus. These aren't the careful planning of a small state actor trying to accomplish specific goals. These are the actions of an actor that supports hacker groups, and lets them loose without a lot of oversight and direction. Wannacry in particular is an example of an undirected cyber attack. We know from our experience with network worms that its effects were impossible to predict. Somebody just stuck the newly discovered NSA EternalBlue payload into an existing virus framework and let it run to see what happens. As we worm experts know, nobody could have predicted the results of doing so, not even its creators.

Another example is the DNC election hacks. The reason we can attribute them to Russia is because it wasn't their narrow goal. Instead, by looking at things like their URL shortener, we can see that they flailed around broadly all over cyberspace. The DNC was just one of their few successes, among a large number of failures. We then watched their incompetent bungling of that opportunity, such as inadvertently leaving their identity behind in Word metadata.

In contrast to these broad, opportunistic hacking from Russia, China, North Korea, and Iran we have the narrow, focused hacking from the U.S. and its allies Britain and Israel. Stuxnet is really the only example we have of a narrow, focused attack being successful. The U.S. can succeed at such an improbable attack because of its enormous investment in the best cyber warriors in the world. But still, we struggle against our cyber adversaries because they are willing to do undirected, opportunistic hacking while we insist on doing narrow, well-defined hacking. Despite our skill, we can't overcome the compelling odds of the Birthday Attack.

What's interesting about the cyber guerillas we face is their comparative lack of skill. The DNC hackers were based primarily on things like phishing, which unsophisticated teenagers can do. They were nothing like the sophisticated code found in Stuxnet. Rather than a small number of talented cyberwarriors, they are more accurately using the infinite monkeys approach of banging away on keyboards until they come up with the works of Shakespear.

I don't know about the real policy makers and what they decide in secret, but in public, our politicians struggle to comprehend this paradox. They insist on seeing things like the DNC hack or Wannacry as the careful plans of our adversaries. This hinders our response to cyber insurgencies.

I'm a hacker and not a student of history, but I suspect those famous real-world insurgencies relied upon much the same odds, that their success is the same illusion as hacker successes. Sure, Che Guevara participated in the successful Cuban revolution, but was a failure in other revolutions in Africa and South America. Mao Zedong wasn't the leader of China's communist revolution so much as one of many leaders. He's just the one of many who ended up with all the marbles at the end.

It's been fashionable lately to quote Sun Tzu or von Clausewitz on cyberwar, but it's just pretentious nonsense. Cyber needs to be understand as something in its own terms, not as an extension of traditional warfare or revolution. We need to focus on the realities of asymmetric cyber attacks, like the nation states mentioned above, or the actions of Anonymous, or the successes of cybercriminals. The reason they are successful is because of the Birthday Paradox: they aren't trying to achieve specific, narrowly defined goals, but are are opportunistically exploiting any achievement that comes their way. This informs our own offensive efforts, which should be less centrally directed. This informs our defenses, which should anticipate attacks based not on their desired effect, but what our vulnerabilities make possible.

Thursday, October 04, 2018

Notes on the Bloomberg Supermicro supply chain hack story

Bloomberg has a story how Chinese intelligence inserted secret chips into servers bound for America. There are a couple issues with the story I wanted to address.

Friday, September 28, 2018

Mini pwning with GL-iNet AR150

Seven years ago, before the $35 Raspberry Pi, hackers used commercial WiFi routers for their projects. They'd replace the stock firmware with Linux. The $22 TP-Link WR703N was extremely popular for these projects, being half the price and half the size of the Raspberry Pi.

Monday, September 10, 2018

California's bad IoT law

California has passed an IoT security bill, awaiting the governor's signature/veto. It’s a typically bad bill based on a superficial understanding of cybersecurity/hacking that will do little improve security, while doing a lot to impose costs and harm innovation.

Wednesday, August 29, 2018

Debunking Trump's claim of Google's SOTU bias

Today, Trump posted this video proving Google promoted all of Obama "State of the Union" (SotU) speeches but none of his own. In this post, I debunk this claim. The short answer is this: it's not Google's fault but Trump's for not having a sophisticated social media team.

The evidence still exists at the Internet Archive (aka. "Wayback Machine") that archives copies of websites. That was probably how that Trump video was created, by using that website. We can indeed see that for Obama's SotU speeches, Google promoted them, such as this example of his January 12, 2016 speech:

And indeed, if we check for Trump's January 30, 2018 speech, there's no such promotion on Google's homepage:
But wait a minute, Google claims they did promote it, and there's even a screenshot on Reddit proving Google is telling the truth. Doesn't this disprove Trump?

No, it actually doesn't, at least not yet. It's comparing two different things. In the Obama example, Google promoted hours ahead of time that there was an upcoming event. In the Trump example, they didn't do that. Only once the event went live did they mention it.

I failed to notice this in my examples above because the Wayback Machine uses GMT timestamps. At 9pm EST when Trump gave his speech, it was 2am the next day in GMT. So picking the Wayback page from January 31st we do indeed see the promotion of the live event.

Thus, Trump still seems to have a point: Google promoted Obama's speech better. They promoted his speeches hours ahead of time, but Trump's only after they went live.

But hold on a moment, there's another layer to this whole thing. Let's look at those YouTube URLs. For the Obama speech, we have this URL:

For the Trump speech, we have this URL:

I show you the complete URLs to show you the difference. The first video is from the White House itself, whereas the second isn't (it's from the NBC livestream).

So here's the thing, and I can't stress this enough Google can't promote a link that doesn't exist. They can't say "Click Here" if there is no "here" there. Somebody has to create a link ahead of time. And that "somebody" isn't YouTube: they don't have cameras to create videos, they simply publish videos created by others.

So what happened here is simply that Obama had a savvy media that knew how to create YouTube live events, and make sure they get promoted, while Trump doesn't have such a team. Trump relied upon the media (which he hates so much) to show the video live, making no effort himself to do so. We can see this for ourselves: while the above link clearly shows the Obama White House having created his live video, the current White House channel has no such video for Trump.

So clearly the fault is Trump's, not Google's.

But wait, there's more to the saga. After Trump's speech, Google promoted the Democrat response:

Casually looking  back through the Obama years, I don't see any equivalent Republican response. Is this evidence of bias?

Maybe. Or again, maybe it's still the Democrats are more media savvy than the Republicans. Indeed, what came after Obama's speech on YouTube in some years was a question-and-answer session with Obama himself, which of course is vastly more desirable for YouTube (personal interaction!!) and is going to push any competing item into obscurity.

If Trump wants Google's attention next January, it's quite clear what he has to do. First, set up a live event the day before so that Google can link to it. Second, setup a second post-speech interactive question event that will, of course, smother the heck out of any Democrat response -- and probably crash YouTube in the process.

Buzzfeed quotes Google PR saying:
On January 30 2018, we highlighted the livestream of President Trump’s State of the Union on the homepage. We have historically not promoted the first address to Congress by a new President, which is technically not a State of the Union address. As a result, we didn’t include a promotion on for this address in either 2009 or 2017.
This is also bunk. It ignores the difference between promoting upcoming and live events. I can't see that they promoted any of Bush's speeches (like in 2008) or even Obama's first SotU in 2010, though it did promote a question/answer session with Obama after the 2010 speech. Thus, the 2017 trend has only a single data point.

My explanation is better: Obama had a media savvy team that reached out to them, whereas Trump didn't. But you see the problem for a PR flack: while they know they have no corporate policy to be biased against Trump, at the same time, they don't necessarily have an explanation, either. They can point to data, such as the live promotion page, but they can't necessarily explain why. An explanation like mine is harder for them to reach.

Sunday, August 26, 2018

Provisioning a headless Raspberry Pi

The typical way of installing a fresh Raspberry Pi is to attach power, keyboard, mouse, and an HDMI monitor. This is a pain, especially for the diminutive RPi Zero. This blogpost describes a number of options for doing headless setup. There are several options for this, including Ethernet, Ethernet gadget, WiFi, and serial connection. These examples use a Macbook as an example, maybe I'll get around to a blogpost describing this from Windows.

Monday, August 20, 2018

DeGrasse Tyson: Make Truth Great Again

Neil deGrasse Tyson tweets the following:
When people make comparisons with Orwell's "Ministry of Truth", he obtusely persists:
Given that Orwellian dystopias were the theme of this summer's DEF CON hacker conference, let's explore what's wrong with this idea.