on cyber attack attribution

Whenever an attack is traced back to Russia (like this one) or China, the attribution decay is very fast. One cannot be sure whether the attack was initiated from “within” these countries, or whether they were merely used as hops that conveniently point to the usual suspect. Another interesting observation is that although

“states that deny involvement in a cyberattack, but refuse to open their investigative records to the victim-state, end up casting doubt on their willingness to stop cyberattacks and cannot expect to be treated as a state living up to its international duties. In effect, host-states that refuse to cooperate with victim-states are unwilling to prevent cyberattacks and have declared themselves a sanctuary state”†

this does not seem to (openly) apply to super-powers.

Update: It seems that this specific incident of critical infrastructure failure was not a cyber attack:

“The failure was due to a faulty command inputted by a contractor several months ago who accessed the system remotely while travelling through Russia on personal business. Over time, his mistake caused greater and greater errors until, several months later, the pump failed.”

We should never attribute to malice what can be attributed to a mistake.

[†] – Solving the Dilemma of State Responses to Cyberattacks

“you ALWAYS pay”

Lately I find myself frequently pointing to this USENET post by Vladimir Butenko. Since it is a rather long post, I quote here the parts that really make it worthwhile, without having to read the whole thread:

If you need something, you pay. Either in cash, or in your own time, or in consequences of not having what you really need.
:
Bottom line: you always pay. You need a simple thing – you pay a small amount, you need a big thing – you pay more.

People tend to underestimate the value of their personal time invested.

Update (2011/12/10): Spotted this comment on LinkedIn by Valdis Krebs:

When choosing “free” software consider how much your time is worth. Unless you have a friendly local mentor who loves spending time with you at all hours of the day, you will spend many many hours learning and making mistakes… alone… while waiting for on-line groups to respond to your pleas for assistance. In the end, software is never free. It always requires an investment to use it correctly.

Observations from a house broken into

  • Schneier’s Law holds for households. No matter where you’ve hidden it, the burglars will find it. They’ve seen it before.
  • If you want a post-assessment of what inside your house has some street value, just make a list of what is missing.
  • A friend observed that people probably do not upgrade their locks as frequently as their software.
  • Why did this happen to me? Why not, indeed.
  • Every day you discover another thing missing. Confusion: Was it stolen or is it just misplaced?

11/11/11

The date is not 11/11/11. It is 2011/11/11. Have people forgotten Y2K? Do they really try to find meaning in every number, even if this means devising it? The only dates that matter are (reasonable) deadlines.

In other news, today Lucas Papademos assumes his new post as Prime Minister of Greece, charged with doing the impossible. And he is to do so using the same bloated, inefficient (even after downsizing) and change-resistant Public Sector machine. So the question arises:

– If he succeeds, what does this tell us about all our previous leaders?

On separate networks and air-gaps

If anything, Stuxnet and Duqu have proved that separate (via air-gap) “more secure” networks do not exist. There exists only one network, the Internet, with some parts labeled as classified and with various degrees of slow connectivity to the rest of the world. And yes, sometimes the networking device is just a human with a (USB) stick.

This and exceptions that I have to deal with daily drive me closer to a firewall-less world. I am not there yet though.

06:16

Second in line. And holding ticket A002 at 08:03.

– Folks, today there are A and B. A for visits, B for medication and visits, a voice says afterwards.

You keep the A, since you do not fit into either category. The clerk calls you illiterate at around 08:07. The guard, to head off the tension, hands you B032. By now there is also a note above the machine. And you now watch people taking both an A ticket and a B ticket, to go wherever their turn comes up first.

Fine then, I am illiterate, since I cannot read your minds. What is your excuse, given that in the first ten minutes nobody has had the time to wind you up? It cannot be that everyone is illiterate and takes both tickets. Of course, someone with an elementary understanding of waiting queues would have written:

– A for visits only, B for anything else (including visits, if you have those too). You have done it before, after all, and it worked well.

But as we said, I am illiterate.
