1. 16

  2. 8

    Are we being trolled?

    Security is war. The major powers and a few belligerent other state actors have been engaged in an undeclared world “cyber” war for about 25 years now, and it shows no signs of going away.

    1. 4

      I have had similar thoughts to the author. It actually really bothers me how much military language there is in Cyber. Derek running Splunk queries for a small insurance company is not a cyber warrior who has been fighting a proxy war with China for 15 years. I feel that the military language needs to be left to the actual military and intelligence community. To me it feels like a bunch of nerds wanting to play soldier otherwise.

      1. 1

        I think the author might be holding out bait to entice the enemy, so to speak.

      2. 4

        I’m having a hard time sympathizing with this one.

        There have been periods of time where states weren’t very good at or interested in defending their citizens from violence. During these periods of time those citizens have needed to take matters of defense into their own hands. The occasional citizen decides to take advantage of the situation and go on the offense, typically for nefarious ends.

        This describes the wild west, feudal Japan, the Roman Empire (kind of). It also describes the current state of computer security. The modern internet is a sprawling metropolis where leaving your door unlocked will lead to a break-in. It is a violent society, and metaphors to other forms of violence seem completely appropriate.

        The author objects to the term “military-grade encryption”, among many others. Let’s ignore the validity of claims of “military-grade encryption” and focus on the term itself. If you lived in a city where people openly carried battering rams you very well might appreciate a “military-grade front door”. The military must deal with threats much stronger and more violent than you or I are likely to encounter, and they deal with those threats on the very same internet that you and I use. It seems prudent to defend yourself with some of the same tools they use.

        Confusingly, the author also objects to terms which are primarily used by the actual military.

        1. 4

          I sympathize with being bored of overly bellicose language from the security folks, but I think it’s important to point out a few things:

          > The worse outcome of computer-related drama/problems probably doesn’t imply entire populations dying, being tortured, millions of refugees, camps, … Odds are that you won’t save actual lives by deploying a firewall:

          Unprotected SCADA systems at a water treatment plant or switching substation could indeed result in something very much like this happening. It would in fact be a cyber attack.

          > a metric fuckton of assorted military-inspired bullshit terms

          A lot of these terms, frankly, make perfect sense. I understand that cyber-kill-chain as a term comes from a methodology that Lockheed Martin peddles, which given their status as a major defense contractor kinda makes sense.

          The complaint about cyber dirty bombs (which initially caused my eyes to roll) links to an article about Stuxnet, a very real precision malware attack which the authors there point out will likely have descendants far more indiscriminate–much as you’d see were somebody to repurpose fissile material from a proper strategic weapon and instead turn it into fallout-optimized dirty bombs.

          “Military-grade encryption” seems silly too, unless you know about like ITAR and the US export regulations that Zimmermann ran afoul of with PGP.

          1. 2

            Can’t say that I’ve seen anything like this in my own languages. Is it a regional thing?

            1. 2

              Maybe we hobby computer security people (i.e. no official position, just people who pay attention that stuff is patched and that attackers don’t have easy targets) are completely out of the loop here. Because 10-20 years ago that’s what “computer security” meant.

              As in, I’m not working in the - current - “field of computer security”, I’m just a guy who reads CVEs, patches servers, and tries to avoid putting security holes in software.

              nmap is not a cyber weapon, it’s a network diagnosing tool. There’s no cyber war, there are rare script kiddie attacks.