Dailydave mailing list archives

"I hunt Sys-Admins"


From: Konrads Smelkovs <konrads.smelkovs () gmail com>
Date: Wed, 13 Jul 2016 11:43:15 +0100

On Tuesday, 12 July 2016, Dave Aitel <dave.aitel () gmail com> wrote:



> Likewise, while it is annoying to have your CERT non-functional, a CNA
> attack on a CERT is not life-ending or otherwise special in any way - I'm
> not privy to whatever discussion at the UN/Tallinn drove them to the
> conclusion that a CERT was something special in the response fabric - one
> could as well label "Amazon AWS" as off limits. As much as I love the
> people on our CERTs, we have duplicate response effort in many different
> agencies (in particular, DHS/NSA/FBI/CIA/DOD). No sane country is going to
> take CNE against CERTs off the plate.


Anything that fails a dodgy curry thought experiment (what if your entire
team went for lunch and ate a bad curry which made them sick for a week)
cannot be considered critical infrastructure because you've clearly shown
it isn't important to you that much.

The second part is that UN/Tallinn conference attendees are often working
at CERTs so there may be a certain conflict of interest there.



> If what you're saying is: There are some places you should not attack, I
> would point out that the translation into cyber world is "There are some
> effects on systems you should try not to have". For example: "Trojan
> anything you want, but don't actually damage the dam system near NY
> because we will respond to that as it could cause massive loss of life and
> clean water".
>
> The thing that makes Cyber special here is that there is no end to the
> thread when you pull on it - there is no red line you can draw around a
> hospital or dam system.


This is a very good point. CERTs are supposed to be purely defensive, and it
sort of holds true in "peacetime", with some exceptions like the alleged
assistance the FBI got from one of the CERTs to do some Tor hacking, but it
cannot possibly hold true in "wartime" - where defending from an intrusion
would involve perhaps a big DDoS of known C2 nodes or manipulating the
global Internet routing table for some traffic redirection, inspection and
black holing - all offensive actions. Besides, if YOU are the one attacking
and you expect counter measures deployed against you, you might have a
national CERT mitigate those counter measures that



-- 
Konrads Smelkovs
Applied IT sorcery.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
