The Code War Arms Race

pacopico writes "A story in Bloomberg Businessweek gives the first in-depth look at a wave of new start-ups selling cyber weaponry. The story describes this as the evolution of the defense industry in response to a wave of brazen attacks against Google, the Pentagon, the IMF and thousands of companies. It's pretty scary stuff, especially considering that these new weapons are not regulated at all."

That can't go wrong...

[lordSaurontheGreat]

President, we have ascertained the location of the hackers!

Good, where are they coming from?

They're hacking in from 192.168.0.1!

Excellent! Unleash our counterattack now!

Re:That can't go wrong...

[ColdWetDog]

Yeah, yeah. Old stuff. Now, for the Chiba clinics and we're all set.

Re:That can't go wrong...

Death to IPv4!

Re:That can't go wrong...

[ColdWetDog]

Crap. Caffeine insufficiency. Old Stuff

Re:That can't go wrong...

[Penguinshit]

The attack originated from 127.0.0.1!
"Have you checked the children?"...

Re:That can't go wrong...

You have our PERSONAL guarantee. We at SkyNet Corporation stand behind every product we sell!

Re:That can't go wrong...

[Opportunist]

Forget about them hacking, they have really good porn there!

Cyber Weaponry?

Really? Good god, slashdot.

Re:Cyber Weaponry?

[WrongSizeGlass]

Really? Good god, slashdot.

Your cyber disgust has been cyber recorded for further cyber review.

Re:Cyber Weaponry?

[dunng808]

FUD stuff. Sounds like Daily Show material to me.

Re:Cyber Weaponry?

[PC+and+Sony+Fanboy]

Really? Good god, slashdot.

I KNOW. The description which says

It's pretty scary stuff, especially considering that these new weapons are not regulated at all

OH NOES, UNREGULATED WEAPONS ....

Re:Cyber Weaponry?

[cvtan]

You forgot the iCyber aspects of the cyber story.

Re:Cyber Weaponry?

Yep, this is ridiculous.

Re:Cyber Weaponry?

[Runaway1956]

Backtrack Linux. They are giving away the entire aresenal - for FREE! Just download it, and you've got ALL THE FREAKING WEAPONS! Mass mayhem, for free, no regulation at all. It must be the endtimes, or some such drivel.

Re:Cyber Weaponry?

Did you even read the article? That was about the least FUD containing article on the subject I've seen.

What even makes you think you're even qualified to decide whats fud in this arena and whats not?

So, the article goes into how endgame systems by rouland-- whom i reported to when i worked for the ar&d team at iss, has rolled out a series of services that are essentially threat assessments and the 0day to break into foreign government computers-- IIRC they use the a Russian finance ministry as a demo for potential clients.

A little background there, rouland is the guy who headed up and basically made what used to be of the iss team what it was. Directly answering to him were neel, mark, john et cetera. The same guys whose bugs powered most of the big worms in the 90s, the same guys who scored that 1 of 2 remote vulns in openssh and named it 'sshutuptheo', the same guys who keep smacking microsoft with win7 kernel 0day, et cetera.

Coupling that with Pete Allor (IIRC that's his last name), who was more or less their public interface and whose office looked like what I imagine a shrine to reagan would look like-- american flags everywhere, pictures of him in vietnam as a green barrett, and a computer on his desk with access to my SF86 form turned in at a prior employer. Spooky. ISS sold 0day to the government for years under their PSS group-- your box is still vulnerable to bugs that never saw the light of day there. Rouland moved on from ISS to start this new company.

So basically, we have the people whose bugs drive the insecurity industry, the spooks who pay them and the executives who put the two together who've already worked together for some time, now just publicly stating that yeah, they're doing it.

So again, what makes you think you're even qualified to register an opinion of value on the subject?

Re:Cyber Weaponry?

Happy to post AC but name other people? Nice.

Re:Cyber Weaponry?

[PC+and+Sony+Fanboy]

Read an interesting book (was reviewed here on slashdot) called Backtrack 4: Assuring Security by Penetration Testing. Look into it, if you need to learn ... or would like to see what the next gen of script kiddies will be using to turn to the dark side.

Looks like a great way to make some money.

The clowns buying these services haven't a clue, but they do have fat checkbooks.

So you're telling me...

That the future of cyber warfare is a bunch of script kiddies in military uniforms clicking "Attack" on some shitty VBasic GUI?

Re:So you're telling me...

Yes, because VB is the tool for 1337 |-|4x4|2
ass

Re:So you're telling me...

[DigiShaman]

Na, it would be like that computer virus scene from the movie Swordfish. Tell the DoD that, you've got yourself a contract to bank on.

http://www.youtube.com/watch?v=vO_O4AD1MhI

Re:So you're telling me...

[Opportunist]

Well, technically they're what I call noisemakers.

Submariners might get the hint what they will be used for.

The difference

[Synerg1y]

The difference between hacking and warfare is the former requires out side the box thinking and creativity. Find me a US general with just one of those traits. Army culture is the exact opposite, not a stereotype.

Re:The difference

And that is based on what? Your many years watching documentaries on the history channel?

Re:The difference

It's probably based on the idea that routine based discipline hones a fighting force but doesn't encourage deviation. AKA outside of the box thinking.

Re:The difference

I have no box. Of course that may be the reason my career of 14 years is rather stagnant.

Re:The difference

[Penguinisto]

Find me a US general with just one of those traits.

Arnold (before he turned traitor at the behest of his Tory girlfriend)
Lee (before he fought for the Confederates - see also the Mexican-American War)
Sherman
Grant
Roosevelt (Theodore, not Franklin)
Pershing
Patton
Bradley
Eisenhower
MacArthur

...the lineup kind of craps out after Korea (esp. w/ Westmoreland), though Schwartzkopf got pretty creative back in 1991 (though to be fair he was facing a pretty crap army).

Long story short, well... your point doesn't stand.

/P (who, as a USAF veteran, is wondering why the hell he's defending the frickin' *army*...)

Re:The difference

[Opportunist]

You might notice that some of the most successful military actions were based on out of the box thinking. If anything, this is able to catch the enemy by surprise.

Lately it has been sorely lacking. I have to give you that. And behold the success the US army has against a vastly inferior foe, too...

Re:The difference

[Dahamma]

Considering all of those generals in your list are long dead, I think his point does stand...

Re:The difference

[Architect_sasyr]

I would think the true measure of a foe is how long they can go without you killing them, in which case the current [insert-"terrorist"-here] are pretty damned superior foes. Technology means shit if it's not implemented correctly and with properly trained people - Just because you're rocking around in a marauder doesn't mean a skinny can't come up behind you and crack your head open with a rock.

Re:The difference

[Runaway1956]

The general may or may not be capable of thinking outside the box - but I guarantee that he has troops who are capable. I was Navy, rather than Army. We spent a lot of time thinking, inside, outside, under and over the box. Of six commanding officers, one was a VERY imaginative person, two more were only slightly less imaginative, and the others were more or less average in that respect. Box thinkers, but capable of following a train of thought that left the boxy station.

Clue - military people are like civilians, in that everyone is an individual. You can't summarize how military people think - especially if you're not even a military person.

Re:The difference

[Penguinisto]

He never specified the presence of a pulse. ;)

Re:The difference

[Dachannien]

Petraeus.

Re:The difference

Marine General Paul Van Riper showed exactly that sort of creativity, and he was fucked over by Rumsfeld for it

Re:The difference

[liamoshan]

Marine General Paul Van Riper showed exactly that sort of creativity, and he was fucked over by Rumsfeld for it

(forgot to log in, posted this originally as AC)

Re:The difference

You are 14 years old?

Re:The difference

[sgt+scrub]

I think you underestimate Schwartzkopf. He forced laser guided missile technology to the fore front. He used it to barrage the enemy with surgical strikes on communication priorities instead of traditional battle line troop bombing. He used the traditional Hun style semi-circle enclosure; but, implemented drop troops to prohibit the enemy from retreating to the better strategic fall back points. And. He did all of this with sociopaths in the white house and media people riding along with his army.

Endgame = PMC

FTFA, the Endgame company seems like a PMC at this point. They offer strategic intel, attack vectors to any individual or international group willing to pay. But hey, at least they say they won't attack the U.S.!

Hakkers!? I haz idea!

[Tyr07]

Launch all zig and make hackers hack themself! Set gateway IP to 127.0.0.1!...

Wait...why we haz no internetz?

Re:Hakkers!? I haz idea!

[Penguinisto]

Pedant pick: "Take off every Zig"

Scary

It's pretty scary stuff, especially considering that these new weapons are not regulated at all.

As opposed to the regulated weapons of war which are made with bunnies, flowers, and candy.

Sensationalism for nerds?

[BitHive]

Stopped caring at "cyber weaponry".

Re:Sensationalism for nerds?

Stopped caring at "cyber weaponry".

I agree. No sources + hopped up sensationalism = us wagging it around to show how big we are.

Sounds like someone might feel insecure now that Anon & Lulz have been getting all the press.

Sensationalized Bullshit

The only "Arms Race" is the race to shut down the internet in the name to prevent "Cyber War". The more articles like this posted, the more likely the treasonous congress will pass something to lock even more down right in your face.

And you know what "Cyber War" is code for? It's code for "Stop! You are getting too close to the truth of the reality of the world".

"Hacking" in it's purest form is exploring, probing, questioning, thinking, about a solution to a problem.

The problem is deception, trickery, falsehoods, lies, and most of all; greed.

Sometimes the solution requires some "Scary Stuff"

Pussy.

Re:Sensationalized Bullshit

[Runaway1956]

"Hacking" in it's purest form is exploring, probing, questioning, thinking, about a solution to a problem.

Thank you. I've often pointed out at places like CNN and other news forums, that the world's most famous "hackers" include Bill Gates, Steve Jobs, and LInus Torvalds. Even here, on slashdot, where people should know better, half or more of the idiots assume that hacking is or should be a criminal offense, punishable by death.

Irony even when done for commercial purposes

[Paul+Fernhout]

http://www.pdfernhout.net/recognizing-irony-is-a-key-to-transcending-militarism.html
"Such powerful technologies of abundance, designed, organized, and used from a mindset of scarcity could well ironically doom us all whether through military robots, nukes, plagues, propaganda, or whatever else... Or alternatively, as Bucky Fuller and others have suggested, we could use such technologies to build a world that is abundant and secure for all. "

Spam is ironic too in this way, with some few destroying email in order to make some small (relative to global scale) profit on it, and meanwhile making it harder to use email to bring abundance to everyone.

There needs to be a general term for this. Selfishness disease? Or is is better to just call it a "Racket"?
    http://warisaracket.org/racket.html

The biggest crime is not even in the theft -- it is in forcing everyone to spend a lot of time worrying about theft,.

We could build much more secure systems, especially based on free and open systems like GNU/Linux, and we had the opportunity, but the US Congress made it hard twenty years ago to build good encryption into everything and bad standards stuck, and now with effectively infinite copyrights and overly broad patents, cooperation has been made harder to make good systems for everyone. Richard Stallman's points on freedom are making more and more sense every day.
    http://shop.fsf.org/product/free-software-free-society-2/

So we see another arms race sucking up so much time and energy and the lives of smart people to produce what? Meanwhile the singularity (if it is to happen) draws nearer every day.

Re:Irony even when done for commercial purposes

"Spam is ironic too in this way, with some few destroying email in order to make some small (relative to global scale) profit on it, and meanwhile making it harder to use email to bring abundance to everyone.
There needs to be a general term for this. Selfishness disease? "

The proper well-known general term is "tragedy of the commons", or informally "assholery".

Re:Irony even when done for commercial purposes

[Paul+Fernhout]

Good point on the tragedy of the commons, AC. Thanks. So, arms races like this with advanced technology can be seen as a "tragedy of the commons". What does that tell us about thinking about them or dealing with them?

So, see also:
    http://en.wikipedia.org/wiki/Tragedy_of_the_commons#Modern_solutions
"Articulating solutions to the tragedy of the commons is one of the main problems of political philosophy. In absence of enlightened self-interest, some form of authority or federation is needed to solve the collective action problem. In a typical example, governmental regulations can limit the amount of a common good available for use by any individual. Permit systems for extractive economic activities including mining, fishing, hunting, livestock raising and timber extraction are examples of this approach. Similarly, limits to pollution are examples of governmental intervention on behalf of the commons. Alternatively, resource users themselves can cooperate to conserve the resource in the name of mutual benefit."

And:
    http://en.wikipedia.org/wiki/Tragedy_of_the_commons#Application_to_evolutionary_biology
"A parallel was drawn recently between the tragedy of the commons and the competing behaviour of parasites that through acting selfishly eventually diminish or destroy their common host."

And more from that article: "The commons dilemma is a specific class of social dilemma in which people's short-term selfish interests are at odds with long-term group interests and the common good. In academia, a range of related terminology has also been used as shorthand for the theory or aspects of it, including resource dilemma, take-some dilemma, and common pool resource. Commons dilemma researchers have studied conditions under which groups and communities are likely to under- or over-harvest common resources in both the laboratory and field. Research programs have concentrated on a number of motivational, strategic, and structural factors that might be conducive to management of commons. In game theory, which constructs mathematical models for individuals' behavior in strategic situations, the corresponding "game", developed by the ecologist Garrett Hardin, is known as the Commonize Costs â" Privatize Profits Game (CCâ"PP game)."

One irony is that "the commons" were generally well cared for in England.

And also related as the inverse:
    http://en.wikipedia.org/wiki/Anti-commons
"The tragedy of the anticommons is a neologism coined by Michael Heller to describe a coordination breakdown where the existence of numerous rightsholders frustrates achieving a socially desirable outcome. The term mirrors the older term tragedy of the commons used to describe coordination breakdowns arising from insufficient rightsholders. The concept provides a unifying framework for a range of coordination failures including patent thickets, submarine patents, nail houses, and more generally bureaucratic red tape. Overcoming these breakdowns can be difficult, often violent, but there are assorted means including eminent domain, Laches, patent pools or other licensing organizations."

Why we need intrinsic/mutual security

[Paul+Fernhout]

The article is pretty scary. I'm not sure the people at these well-funded companies even realize the potential for these tools to be used accidentally to do all sorts of nasty things. Or what is going to happen when script kiddies get a hold of them or they are reverse engineersed, like Stuxnet is a blueprint for worse. It is just insanity. It shows the folly of current US defense posture relying primarily on extrinsic security (defending things by soldiers or hackers) and unilateral security (trying to scare your opponents into submission by being the meanest nastiest SOB around). We need to move back to a defense posture that emphasizes intrinsic security (systems that can take abuse) and mutual security (cultivating allies through diplomacy wuth everyone watching each other's back). US security used to be more like that before WWII, but it is a lot less profitable for defense contractors because, unlike security theater, intrinisic and mutual security actually work and don't lead to expensive arms races!

Re:Why we need intrinsic/mutual security

Or what is going to happen when script kiddies get a hold of them or they are reverse engineersed, like Stuxnet is a blueprint for worse

The "tools" are primarily snarfed from code and ideas freely shared in the "hacker underground". Basically, these "companies" troll for info and howto's. They repackage it to sell to companies that have fallen for the hype and fear mongering. One of the worst of these twits was mentioned in the article. He left IBM, not only because he was a twit, but because his companies products are pure repackaged trollz.

Re:Why we need intrinsic/mutual security

[Paul+Fernhout]

Interesting point AC, thanks.

Why, Obviously Perfectly Riskless

[enaso1970]

No way this could ever backfire. No sir.

Scary WITHOUT regulation?

Regulation always makes things so much friendlier.

AHAHAHAHAHAHA!!!!

[DeeEff]

They can't get me, officer! I have norton!!!

Re:AHAHAHAHAHAHA!!!!

[Tasha26]

I once wondered what the Norton Scan button really does in the background? I know it ain't scanning for viruses but what is it computing, Pi?

Re:AHAHAHAHAHAHA!!!!

[Ancantus]

Don't you know?! Bitcoin mining is the only thing that could waste that much CPU power.

What could and what will happen

[Opportunist]

What WOULD render this ineffective: Teaching people how to secure their machines against the threats by exposing them.
What WILL happen: A crackdown on "hacking tools" with the false idea that without tools there will be no hacking.

For those that don't know why this is no solution: Try to outlaw them in China, and try to audit your machines for security holes without them.

Re:What could and what will happen

[ka9dgx]

I disagree. I trust the users to make intelligent use of the computers they have accounts on. On the other hand, I don't trust programs, nobody should.

When a program is run, the only limits on its actions are set by the security settings of the system with respect to the account that launched it. These permissions are usually assigned by an administrator, and out of the users control. Default permissive environments are the root cause of our current lack of security. A program gone rogue can do as much damage as a malicious user on their worst day, in the blink of the eye, without even showing any symptoms of trouble.

The user, and the scanning tools are scapegoats here. Sure, some users make mistakes, and do stupid things, but it is impossible to determine if a non-trivial program can be trusted. Blaming users for failing at an impossible task is foolish, at best. Tools are just tools, to try to help increase transparency in terms of known vulnerabilities.

The solution is a default deny environment for programs, in which the user gets to decide which, if any, of their resources are given to a particular instance of a program. If it's not in the list, the program doesn't get it, and doesn't even know about it. This lets the user decide what they want to work with, and strongly limits the side effects of a program gone rogue.

It's not a very hard thing to conceptualize, nor to plan out. The hard thing is the massive amount of investment in our current code base, and mind-set, which need a subtle tweak, and some clever hacks.

There are positive signs, but I fear it will be another 10-20 years or more before a system which is default deny becomes the more popular choice. That's a lot of time and effort thrown away, that could be better utilized.

Re:What could and what will happen

Friday night so this will never get noticed... but your what will happen is actually a perfect scenario. The army has already established that these tools are weapons for us.

Thus establishing I have a second amendment right to possess Nessus and aircrack until a court rules otherwise.

Re:What could and what will happen

[VortexCortex]

I mostly agree with you, but here's the thing though: The "ammunition" and "weapons" in a cyber war are security exploits. So, Instead of releasing bug reports and/or patches "Cyber-Warfare" benefits by keeping the exploits secret and unpatched.

Instead of creating superior weaponry and advancing the state of the art, Cyber Warfare seeks to ensure that the state of the art is retarded. Cyber-Weapons only exist only if we all have unpatched security vulnerabilities.

Additionally, I run all my programs as their own user and in appropriate groups (Pulse Audio hates this). This way, FireFox has no access to data needed by Gimp or my Apache test server except the files I've explicitly marked as "everyone".

Re:What could and what will happen

[Opportunist]

You do. Germans don't.

Sadly, the article isn't available in English, it seems.

Re:What could and what will happen

[sgt+scrub]

So to fix it is for the government to stop insisting on holes for them to peek through and the tools to make sure they, and anyone else with the skills, are not peeking? I believe that stands true in the US/UK/AU ad nausium... too.

Linux not mentioned at all

...... WTF.
So "computers" == "windows"

There's your problem.

Chinese military viruses?

[Dahamma]

That Kuang Grade Mark Eleven is a hell of a program...

Re:Chinese military viruses?

That Kuang Grade Mark Eleven is a hell of a program...

Ya Mon! as I turn on classic Zion Dub

The consequences will never be the same!

I dun backtraced it! and I am calling the Cyber Defense Force!

Is it scary?

Yes it is scary because the number of evil geniuses and clueless retards crying cyber that cyber this is increasing day by day. You can see the regular pattern here: scare the public witless and you can push any law you need. They also can start a new dot.com bubble in this frenzy.
The number of clueless retards buying this crap is also scary because they are the vote bank for the ones chanting Cyber this Cyber that.

Flawed Premise

Calling any of that shit "weaponry" is bullshit.

I'd try to provide a more coherent rebuttal, but the story really didn't give me anything else to work with..

.

Re:Flawed Premise

[cmarkn]

It didn't give you anything to work with because it refuted your thesis. The example of a weapon in the article is the Stuxnet worm which, wait for it, destroyed the machinery in the factory that produced the nuclear material needed for Iran's nuclear program. Something that destroys a factory is a weapon, whether it's a F-117, a B-52, a truckload of fertilizer, or a fancy bit of code. Whichever way the strike comes, the result is the same - broken machine, no production.

This is some great stuff!

[Whuffo]

It wasn't enough to have imaginary "property", now we have imaginary "weapons" to defend it with.

This is just more inane posturing by idiots who have no clue as to what they're talking about. Here's an example: they come after me with their "cyber weapons" and I respond with hardware; say .45 caliber hardware. Care to bet on how that exchange would turn out?

By now, the concept of vulnerabilities and how they get exploited should be well established. The bad guys don't always wear uniforms or work for a governmental unit; most of them are just after as much as they can grab for themselves. The solutions are pretty well known, too.

Discussions of how best to secure our end-terminal devices against an ever-more-sophisticated group of black hats is a good thing - but describing cracking tools as "cyber weapons" is a clear sign of someone who has no clue.

War on hackers

[prefec2]

Beside the fact that people who break into systems are crackers and not hackers, this military jargon sucks. Today everything is filled with this vocabulary. War on terror. War on drugs. A worm is not a gun or a bomb it is more a digital lock pick. As the Internet is a (meta)medium it allows all scams and tricks which could be done only locally in the past. now they can be done around the globe.

We should learn that Information is not always true. Not only from governments, but also inside organizations. We should act accordingly. Meaning: Don't trust information which makes no sense. And when someone is standing in front of you and he or she claims something. Just don't dismiss him or her just on the basis, because the computer said so. Ok this is the old "Think before act" rule, but it seams necessary.

article is total cyber bullshit !

[doperative]

"A story in Bloomberg Businessweek gives the first in-depth look at a wave of new start-ups selling cyber weaponry"

And yet in the opening para we have some guy in a ski mask breaking into some offices. This, another article from the school of bad fiction and total cyberbullshit