Dailydave mailing list archives

Re: Late Friday thoughts on the Kevin Mandia RSAC keynote.
From: Kyle Maxwell <krmaxwell () gmail com>
Date: Tue, 25 Mar 2014 14:03:41 -0500

In my mind, the question is less "does the Chinese government sponsor or
affiliate itself with or carry out cyber attacks?" and more "is this
*particular* group associated with this *particular* designation and this
*particular* incident?"

Yes, of course the Chinese carry out CNA/CNE operations (as does the US).
And drawing a circle around a set of incidents and saying "we believe that
a single adversary carried out these attacks" can be validated with
relative ease, at least in theory, assuming access to relevant data and
indicators. But then connecting that adversary label to a human or a
defined organization requires further analysis and, because it's more
complicated, will inevitably run up against appropriate analytic
questioning to avoid falling prey to things like confirmation bias and

The issue of trust comes up here as well, because things changed sometime
after the APT1 report release. Many of us in this community have even more
trouble than we might have had before in accepting assertions based solely
on "NSA" and "DoD" and "US government" labels, to the extent we ever *did*
accept them.

The idea of reproducibility is a key part of inquiry, whether in science or
intel analysis or anything else where critical thinking matters. We're not
shamans. In the 21st century, we should expect to have our conclusions and
methodology challenged (as I do every day). In any case, if one's response
to criticism is to withdraw from the discussion, onlookers will not draw
good conclusions. The audience is listening, as I believe I've heard once
or twice.

On Tue, Mar 25, 2014 at 10:39 AM, xgermx <xgermx () gmail com> wrote:

From Saturday's NYT article on the NSA owning Huawei:

"The N.S.A., for example, is tracking more than 20 Chinese hacking groups
-- more than half of them Chinese Army and Navy units -- as they break into
the networks of the United States government, companies including Google,
and drone and nuclear-weapon part makers, according to a half-dozen current
and former American officials."
Is anyone on this list really shocked by this? If we can so readily accept
this, why is it so hard to accept the APT1 attribution? Being younger, I'm not
nearly as experienced in all of these domains, but it seems to be a salient
question. In my eyes, APT1 is just that, one out of MANY. And yes, let's not
forget it works both ways, as evidenced by the NSA's sheer ownage of the
Chinese non-mil/gov targets.

Kyle Maxwell [krmaxwell () gmail com]
Twitter: @kylemaxwell
Dailydave mailing list
Dailydave () lists immunityinc com
