Re: Hacking critical infrastructure.

[Konrads Smelkovs <konrads.smelkovs () gmail com>]

If game theory is invoked, then it is worth discussing consequences
for transgressions against critical infrastructure. As Schenier once
said - if you want to make people obey a security policy, you need to
publicly fire someone, but there isn't anything as obvious in the
world of big country diplomacy. Works for smaller countries, e.g. I
was told that IDF would now and then fly close to beirut and take the
lights out of the lighthouse near Beirut to make a point about
unapproved activities, but I can't imagine US retaliating in kind -
e.g. ransomwaring a data historian at the three gorges dam.  I once
asked a NATO senior officer when will they send jets after hackers,
they said once [provable] loss of life happens, but even if some kid
in St Peterburg causes serious fireworks at some power distribution
station in Michigan, that any hardware will cross the Russian border.

Until there are consequences, writing rules makes no sense.
--
Konrads Smelkovs
Applied IT sorcery.


On Tue, Mar 15, 2016 at 3:10 PM, Andrew Ruef <munin () mimisbrunnr net> wrote:
> some would probably argue that this is a game theory equilibrium where
> you wouldn't place the tokens willy-nilly precisely for this reason.
> they would probably try to resurrect examples from the cold war or
> something where this game theory and top down policy / control "worked"
> once before.
>
> cynically, I think this presupposes more self control than any modern
> government or organization has. the stakes/risks (either perceived or
> actual) just aren't high enough for an adult to wake up and tell
> everyone what to do.
>
> if such a system were actually implemented, I'd wager that it would play
> out the way you describe - the existence of these "don'thackmebro!"
> tokens would not be a well kept secret, they would leak, and every
> mid-level manager from here to lightbulb factories in Kansas would
> demand, steal, or forge these tokens until they were on everything from
> nuclear power stations to red light traffic cameras. there's just no
> will to control it any other way.
>
> On 03/15/2016 09:44 AM, Konrads Smelkovs wrote:
> > The logical conclusion of placing "don'thackmebro!" tokens on
> > sensitive computers is that every GOV computer even remotely concerned
> > with the notion of the critical infrastructure will have it leaving
> > your adversary no choice to ignore them.
> > --
> > Konrads Smelkovs
> > Applied IT sorcery.
> >
> >
> > On Mon, Mar 14, 2016 at 3:31 PM, dave aitel <dave () immunityinc com> wrote:
> > > http://cybersecpolitics.blogspot.com/2016/03/cyber-norms-futility-of-blacklisting.html
> > >
> > > If you disagree with this post, please spam here instead of twitter,
> > > which has only terse horribleness as its argument protocols. :)
> > >
> > > -dave
> > >
> > > _______________________________________________
> > > Dailydave mailing list
> > > Dailydave () lists immunityinc com
> > > https://lists.immunityinc.com/mailman/listinfo/dailydave
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave () lists immunityinc com
> > https://lists.immunityinc.com/mailman/listinfo/dailydave
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunityinc com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave