Romanian Hackers

Interesting article from Wired: "How a Remote Town in Romania Has Become Cybercrime Central."

Posted on February 16, 2011 at 6:26 AM • 30 Comments

Comments

AlbertFebruary 16, 2011 7:19 AM

I read the story. Actually it's about a bunch of con-artists and their criminal ring. Not much about actual hacking.

Richard Steven HackFebruary 16, 2011 7:26 AM

I agree the HBGary story is the story of the week. Ars Technica has some very good in-depth reporting on it this week.

Turns out HBGary was compromised because they failed to practice standard security procedures: 1) Don't reuse passwords, 2) salt your hashes, and 3) don't use custom Web software subject to SQL injection. Nothing really special was done to compromise them, just standard hacker tactics.

And since this was a computer security company...well, the shoemaker's kids have no shoes.

And given that HBGary Federal, Barr's bailiwick, a subsidiary of HBGary intended to generate Federal contracts, was running out of cash and not making contracts BEFORE this incident, I'd say that company is history now.

Ticking off hackers is never a good idea.

Dirk PraetFebruary 16, 2011 7:36 AM

Hardly a surprise in a very poor country with an economy in ruins, a thoroughly corrupt government apparatus and zero perspectives for most people. Comedian Sacha Baron Cohen's picture "Borat: Cultural learnings for make benefit glorious nation of Kazakhstan" was partially filmed in Glod, a Roma village in Romania. It's a perfect example of people turning to dishonesty because honesty will get them nowhere and impunity is practically guaranteed as long as folks scam or steal from foreigners only.

Bukarest is also the only airport in the world where I ever had stuff stolen from my luggage by the handlers.

David ThornleyFebruary 16, 2011 8:53 AM

FWIW, the only time my home systems were compromised, that I have any indication of, it was from an IP address attached to a Romanian domain. (I know what I did wrong, and I'm not going to be caught that way again.)

BF SkinnerFebruary 16, 2011 9:41 AM

@Dirk "Bukarest is also the only airport in the world where I ever had stuff stolen from my luggage by the handlers. "

Never flew through JFK or La Guardia?
There were a couple of notorius theft rings there.

Davi OttenheimerFebruary 16, 2011 12:53 PM

I remember an economist about ten years ago pointing to the highest concentration of educated/trained resources available in Romania, which they predicted would feed into criminal activity because it was more lucrative and lower risk than other fields.

In other words, the math/compsci talent entered the workforce and were lured into salaried work from mob/organized crime as it had more promise for them compared with legitimate entrepreneurship.

I haven't found it again but I'll see if I can dig up the reference.

anarchy-xFebruary 16, 2011 1:19 PM

@ Dirk Praet:

You're joking right? My sister got robbed by her jewelry (a small box full of Gold and Silver girlie stuff) by the airport personal in Atlanta Georgia,when she got pulled aside for no good reason (she's a PhD student here) and put in a separate room by US Customs officials.

>> the poor country thing

You only wish to have access to the high speed internet network there (I live in the States and know what I'm talking about) with an only $6 prepaid SIM card.

>> Roma .. (Roma is the capital of Italy ;-))

It's a Romanian Gipsy village. ;-) (those were real gypsies)

>> Bukarest is also ...

It's BUCHAREST, not Bukarest.

And finally, after reading that article, I realized how dumb that writer was. There are no Alps in Romania. They are called the Carpathians.

RSXFebruary 16, 2011 6:36 PM

I can see the introduction paragraph:

"120,000 residents, 80,000 of them hackers - Grandmothers, doctors and waste disposal men. Wireless access points a-plenty, but buyer beware! The city also has no e-commerce, as every major company and carrier has blacklisted the entire community for life. Nigerians are racially segregated, and Apple's name is not to be mentioned for fear of banishment."

Dirk PraetFebruary 16, 2011 7:33 PM

@ Anarchy-x

Apologies for the spelling error. It's spelled with a K in my native language. If you think Romania is a thriving country, I'm afraid you're sorely mistaken. You may wish to take a trip there and check out the country for yourself. For as far as the word Roma is concerned, we don't use the word gypsy over here because it is considered derogatory by most of them. In general the people you call gypsies refer to themselves as Roma. The word gypsy is actually an historical error refering to Egyptian origin, and today is used more often as a reference to a fashion or a lifestyle.

I'm sorry about your sister. I didn't say this is not happening in other airports, just that it only happened to me in Bucharest. My then girlfriend almost wet herself when we got off the plane and were welcomed by two platoons of heavily armed military pointing their AK47's at us. They probably thought that was very funny.

Hope this clarifies.

anarchy-xFebruary 16, 2011 9:01 PM

The AK-47 deal must have been long time ago (immediately after '89). Otherwise, I'll just call it bull. Romania is NOT a militaristic state. BTW, two yrs.ago I saw a fully armed of approximately 10-15 people of French military in Charles de Gaulle Airport. (The dumb asses didn't even bother to keep their guns pointed in a safe direction, but I digress.)

As of gypsies, I can understand where you come from when it comes to political correctness. It's not them who called themselves Roma, but the smooth talking heads in the EU who, for some stupid reason, didn't want to offend the gypsies because of their skin color.

This being said, apologies to the audience, but a few clarifications needed to be done.

Back to the evil, bad Romanian "hackers" now...

cryptodendrumFebruary 17, 2011 5:26 AM

Actually, I showed this article to two colleagues on my security team who are originally from Romania and they had a pretty good giggle at this story, and largely dismissed it. Feedback included:
1.) they believed the wired article triggered the hackerville name - they not only were not familiar with this name (but they know the city well) - they had a look around and could find no Romanian references to this, except references to the Wired story;
2.) they commented online con artists (cybercriminals) are not hackers (HELLO???);
3.) they pointed out that Romania has two national pastimes a.) complaining b.) stealing - and thus they doubt even this city has the highest cybercrime, and suggested it was just the only one targeted (and where busts have been made)
4.) There was news about the fake ID busts in this city, thus see point #3 - but this isn't hacking;
5.) They suggested the cops the author met there were probably as corrupt as the criminals, and made up some of the stuff so they can increase their public spending so they can have bigger fancier cars and kit;

As an American working InfoSec detail in Europe for more than a decade, I'm painfully aware of the fear mongering that goes on back in the US - this appears to be just more of that, and is best taken with a grain of salt.

Richard Steven HackFebruary 17, 2011 7:47 AM

Speaking of fear mongering, TaoSecurity tweeted this about Bruce's interview elswhere:

"'Stuxnet and the Google infiltration are not cyber war - who died?' asked Mr Schneier. http://bbc.in/eyO08Y BS can't imagine war w/o death?"

To which I tweeted that Stuxnet is sabotage and the Google APT is espionage. Sabotage and espionage are part of war and may even precede war, but they are NOT war itself.

Richard Bejtlich seems to have a huge vested interest in "cyberwar". He tweets a lot of stuff about the danger of future China war, etc. Coming from a military background, it's understandable - but completely wrong.

Richard Steven HackFebruary 17, 2011 7:50 AM

Forgot to mention that I also tweeted in response to the question "BS can't imagine war w/o death?" that no, anyone who was in a war like Vietnam or Iraq can't. Because that's what war is - mass death.

Bejtlich must never have served in actual combat operations. Oh, yes, he was in the Air Force - you know, the guys who bomb civilians from the air and never see any blood unless they're unlucky enough to get shot down - or blow their plane up off the carrier like John McCain. Like the jerk in Israel who claimed he felt nothing when bombing civilians except the bump when the bombs left his plane.

Clive RobinsonFebruary 17, 2011 11:06 AM

@ Richard Steven Hack,

"Bejtlich must never have served in actual combat operations. Oh, yes, he was in the Air Force"

You don't have to have been in the blood and guts of a war to be able to appreciate the effects of standard kinetic weapons on their targets. Almost anybody who lived through the early 1970's and saw the night after night footage comming from Vietnam can appreciate that and the effects of other weapons. The question is if they can think forward to what that means to friends relatives and other loved ones of those killed or injured.

Some people have the empathy and some don't, of those that do some can and do make effective members of the military. It is the empathy that often makes the difference between those who can do what is required on the battlefield without overstepping the mark and commiting war crimes.

Then there are those who come after the war who go off of their own backs to clear war zones of various munitions and other dangerous weapons that can and often do kill and maim civilians for many years after the official conflict has ended.

State sanctioned armed conflict does not end gloriously ever, for either side. The waste in resources both human and economic goes on for years and decades afterwards and such conflicts seldom achive much (Empires are as the British and many others before them have proved are to expensive to run).

The only people who find glory and profit are those in the short term such as politicians and arms manufactures. Neither of whom care what is to come because for the minute they "are alright Jack".

For some reason (possibly distance and reasonable resources) the US has listened to the War Hawks and those who bang the drum (have a look at just how many times the US has tried to provoke North Korea back into war over the last fifty or so years, and God alone knows how many other nations). The result appears to be that the US has more enemies than just about any other nation on earth, which in of it's self is quite an achivment.

However the US is increasingly vulnerable to "economic warfare" and in many respects it is their own fault. It is a logical conclusion to the basic "short term" "cut and run" rules that come of the "free market" economics that have effectivly ruined the US home industrial base. Which is adventageous to other nations that are building their home industrial base. Over simplisticaly the problem with the "short term view" is that if you outsource your workforce, you leave behined an impoverished home workforce that cannot aford the goods that are now manufactured abroad. But they are not just empoverished financialy due to the skills gap outsourcing engenders the nation drops further and further behind and may not recover peacfully.
As Adam Smith once pointed out the wealth of nations depends on raw resources and the ability to transform them into goods via the utilisation of energy. In this respect little has changed due to cost/distance metrics in the tangable physical world. Thus securing access to raw resources and reliable sources of energy is fundemental to the National Security of any nation. The question is how you go about securing that access when the resources are not within your national borders...

Which brings me back to your comment,

"Richard Bejtlich seems to have a huge vested interest in "cyberwar". He tweets a lot of stuff about the danger of future China war, etc"

Yes he does, and he also has some training in economics as well and that has caused him to rub people up the wrong way with his "economicaly correct" assertions.

However with all that you still need to look at the message not the messenger.

Is China a risk economicaly and politicaly (war is a political act)?

The simple answer is yes (as are other areas such as India/Pakistan with a high population but low natural resource level).

It is a "war on resources" currently and the access to them and how it is being secured longterm.

We tend to forget that unlike the politicos in the West for whom a week in politics can and often is a life time, China's politicos tend to think in tens if not hundreds of years.

If you care to look where China is giving "political aid" and how it will give you pause fof thought.

And I have been warning about China quite a bit longer than Mr Bejtlich has.

However unlike Mr Bejtlich I frequently point out there is a significant difference between the tangable physical world and the intangable information world. Specifficaly I point out that there is effectivly no "cost/distance" metric that has meaning (other than the time delay of the speed of light that is already noticable in some automated trade systems). That is on the internet in human terms everywhere is "local" and this has implications I'm fairly certain Mr Bejtlich has not yet thought through (nor for that matter have the warhawks and most politico's in the west).

Thus I tend to concure that Richard Bejtlich certainly by his actions appears to be jumping on the bandwagon and banging the "war hawk" drum, however his motivation is not as apparent.

Davi OttenheimerFebruary 17, 2011 11:23 AM

@Richard Steven Hack

I have to say I had a lot of respect for Richard Bejtlich (bought his books, attended his presentations, etc.) but recently there has been a change.

I take your point about contact with adversaries and his time in the Air Force, for example.

You also have a very good point about his vested interest.

I brought up conflicts-of-interest (more as a disclosure point since we're in the same field) in my BSidesSF presentation on Dr. Stuxlove, where I tried to show data on threats and vulnerabilities does not support arguments of Stuxnet as a clean and clear outsider attack.

Richard sat a few feet in front of me and did not ask or say anything other than one agreement point about insider threats being more sophisticated and attributable. We met the next day and had a nice discussion about RSA sessions. He didn't mention my presentation at all.

Then I noticed he tweeted:

# taosecurity
Sadly clear that Davi at #bsides is not in sustained contact w/serious adversaries, and as a result doesn't believe ANYONE is fighting them.
4:32 PM Feb 15th

# taosecurity
Davi at #bsides conveniently ignored Stuxnet's mission. Sure, every day we see malware written to control centrifuge rotations? Wake up man. 4:46 PM Feb 15th

# taosecurity
When I hear Davi say "the military doesn't know the threat" I fear he's projecting his own lack of knowledge of the threat. That is sad.
4:42 PM Feb 15th

Back to your points, perhaps he means "serious adversaries" like the ones poisoning our drinking water -- ala Air Force General Ripper in the movie Dr. Strangelove?

I find his tweets to be simple misunderstandings that I would like to clarify. Instead of speaking with me, however, he's just tweeting into his followers. I guess that helps increase exposure of my talk so I'm not complaining but I thought the point was to discuss and clarify, not improvise an explosive tweet and run.

I'll try to bring this up with him when I see him, and I've already tweeted in response. But in short, my presentation attempted to show that attacks remain serious but are not easily attributable -- the 50 year trend of warfare has lower attribution rates (more non-state threats) and lower victory rate (more compromise).

Based on the data (and my work fighting real and serious adversaries) our prediction and response should be moving towards defense against non-state blended threats instead of hyping the China and Romania angle of Cyberwar.

I also showed how the seriousness or sophistication of attack does not necessarily mean outsider-only, although I would go even further and say the seriousness of Stuxnet is arguable.

There is no need for me to question him personally or his experiences. I believe his points fall flat on their own and show his bias. It did not occur to me, however, that you or anyone would criticize him in much the same way he tried to criticize me.

Richard Steven HackFebruary 17, 2011 11:32 AM

Clive: "The question is if they can think forward to what that means to friends relatives and other loved ones of those killed or injured."

I'm also referring to the fact that under the Geneva Convention, dropping "weapons of mass destruction" on a civilian neighborhood is defined as a "war crime". But the US does it EVERY SINGLE DAY in Iraq, Afghanistan and Pakistan.

That is of course what I'm referring to. I don't argue from moral reasons because I don't believe in morality. I argue from correctness. A thing either works to the benefit of the species or it doesn't over the long run.

Conflating "cyber-sabotage" and "cyber-espionage" with real, mass death "war" is just ridiculous. I remind you that Bejtlich asked whether it was possible to have a war without death. There is no other explanation for such a question except someone who doesn't understand what a "war" (as opposed to "conflict") is - or who doesn't care.

As for China, China is not a "risk". It is a country with a billion people who have just as much reason to want access to the world's resources as the US.

Access to and development of resources in a technological world is not a zero-sum game unless a state's politicians wish to make it so.

It is totally and completely incorrect to refer to China as a "threat" or a "risk". The "threat" or "risk" is the inability to manage international relations in a rational way.

The fact that the US is run by the military-industrial and national security complexes is THE greatest risk to the country because it is precisely these people who treat everything as a zero-sum game and who end up getting the average US slob both poorer and possibly dead on the battlefield. (Which is not to say that China doesn't undoubtedly have their own equivalent - most significant states do.)

This cannot continue. As you note, the US is now probably the most hated country in history. That has to end badly, as it has for every other empire.

And I fully expect it to end that way. And since I live here, I take exception to people who want things this way and who hype China or Iran or other nations as "threats" when the only real "threat" is the US government and its ruling elites.

Because they're someday going to get you and/or me killed by way of war, terrorism, or economic collapse.

I ascribe Mr. Bejtlich's motivation based on his repeated China "threat" comments which go beyond China's obvious cyber-espionage. He hypes the threat of China militarily despite the fact that the US spends 47% of the world military expenditures and China spends, what, 7% or so? Do the math. China will never be a significant military threat to the US and wouldn't be if we cut the Pentagon budget in half.

Even when China assumes its likely place as the world's largest economy in X years, it still won't be able to catch up to the US for decades more even if it tries. And by then, it's likely the circumstances will have changed to make it unlikely they will try or need to try. Technology may alter the entire landscape long before then.

That is the biggest hooey about the China "threat" - that the hyperbolics talk about something that anyone can see is not relevant for another two decades, even assuming China can continue its economic growth without screwing up its own economy as the US has done repeatedly over the decades.

Therefore there is a hidden agenda. And that agenda is as I've said - war mongering for war profiteering.

It's exactly the same as Iran. Iran has no nuclear weapons development and deployment program and never did. But the US is running the same old "WMD" playbook it used in Iraq. In fact, the minute Mubarak got kicked out of Egypt, the US dredged up crap about "Egypt's worrying nuclear and chemical problems."

You don't make up crap like this without an ulterior motive. These people know it's crap, they know it will cost the US taxpayer and US military lives and the civilian lives of the target country - but they don't care as long as they profit.

And if Bejtlich can't see that, even if he's not consciously in favor of it, then he has no business making the recommendations he's making. He's just adding to the noise and being part of the problem.

Thank you for your comments. I always appreciate them here.

Richard Steven HackFebruary 17, 2011 11:47 AM

Davi: The tweet of his that set me off was his attack on Bruce for saying "who died" as a result of Stuxnet or the Google APT. Betjlich tweeted "can't he imagine war with no death?"

I tweeted back that no, anyone with experience of Vietnam, Iraq or any other actual conflict can't. Because that's what war is - mass death. Otherwise, it's crime, or terrorism, or sabotage, or espionage, or conflict or whatever.

And while sabotage and espionage are part of war, they aren't actually war itself. War is life and death. No one has figured out a way to wage war and defeat the enemy with no one getting hurt. It would be great if we could, as some sort of international aikido, but I see no evidence anyone is really trying (other than the idea of running robots instead of humans, of course - which begs the question: where will the robots actually fight - in deserts? Or in cities in the middle of US?)

So it is very dangerous to conflate what is currently an issue of sabotage or espionage (economic or otherwise by state or non-state actors) with "war".

As Bruce and others have noted, the Pentagon is angling to take over "infrastructure IT security". This is definitely a bad idea because the Pentagon is not known for "nuance". It's known for large civilian collateral damage. A report was just released that in Iraq there is clear evidence that the US military killed a minimum of six innocent civilians - on average - every single day. For five straight years.

Such an organization cannot be in charge of responding to "cyber-sabotage" or "cyber-espionage" under the rubric of "cyber-war". That is a task for law enforcement and counter-intelligence and diplomacy and private security (hopefully better than HBGary).

Appreciate your comments. I wasn't aware of who he was tweeting those comments about.

Davi OttenheimerFebruary 17, 2011 2:19 PM

@Richard Steven Hack

"As Bruce and others have noted, the Pentagon is angling to take over "infrastructure IT security". "

Yes, agreed. I think many of us have said that on this blog and elsewhere for years. Last year's news in particular showed that after the Air Force had spent years proving the viability and utility of cybersecurity they lost control to the Pentagon. The scare-mongering, which helped fund their team, was then amplified even more to prevent civilian control.

At BlackHat I asked a cyberwar panel about this and was told "no one is worried about military control" and "Howard Schmidt is a civilian". Jeff Moss is letting BlackHat fast become too much of an establishment soapbox. They still play like they are anti but in fact they were compromised long ago.

"No one has figured out a way to wage war and defeat the enemy with no one getting hurt."

I was at the cyberwar panel and watched Bruce live. He sat with Former secretary of Homeland Security Michael Chertoff and former Director of National Intelligence Michael McConnell.

They discussed the harm principle of war, which is probably where Richard's tweets originated. Frankly, I was disappointed that there was so much agreement on the panel, and I told Bruce the same afterwards.

I mean we can thank Chertoff for the body scanner debacle. I figured he and Bruce would set off sparks from the start. Instead it was placid. McConnell sat in between and seemed extremely diplomatic but also (therefore?) disingenuous.

His example of cyberwar's biggest potential harm was disruption of financial transactions between two banks in NYC -- no casualties. His solution was a system of more secure "glass pipes" (fiber optic cable).

As an aside McConnell also brought up the Cold War and deterrence, which he seemed to use to counter Bruce -- an example of a no casualty war. I think it would be more accurate to say many casualties were a result of the Cold War through non-state and proxy combat.

RookieFebruary 17, 2011 2:21 PM

@ Richard Steven Hack - "Oh, yes, he was in the Air Force - you know, the guys who bomb civilians from the air..."
and
"Therefore there is a hidden agenda."

Yes, you just revealed yours.

OT political commentary aside, I agree with others that the article is long on hyperbole and short on facts. I haven't spent time in Romania, but from my time in other Eastern European countries I think some of the same economic pressures are at work, and the countries, along with their citizens, don't universally decide to become criminals.

Richard Steven HackFebruary 17, 2011 5:30 PM

Davi: Agree with that.

Here's a piece on the panel:

Cyberwar Issues Likely to Be Addressed Only After a Catastrophe
http://packetstormsecurity.org/news/view/18666/...

This quote is interesting:

"Chertoff and McConnell say espionage and information theft don’t qualify, but destruction of data or systems do. Designating the latter as an act of war, however, would still depend on the scale and genesis of the attack."

Which is precisely what Bejtlich was contesting when he attacked Bruce for mentioning Stuxnet (cyber-sabotage) and the Google APT (cyber-espionage) as not rising to the level of "war".

The problem with designating the "destruction of data and systems" depends on what is meant by "destruction" of course. As long as your backups work, "destruction" is relative. Do they want to retaliate with military force against China if someone in China, say, brings down the IRS network without destroying the backup tapes. Does a DoS attack constitute "destruction"?

It's this sort of vague terminology that is alarming. There are no "rules of engagement" - and the ones that exist are easily circumvented as has been established in Iraq and Afghanistan, by officers who declared the rules to be "360-degree fire on everyone in the street after an IED goes off."

Does the US bomb Iran if an unknown Iranian hacker defaces the White House Web site or crashes it?

I suggest the rules should be: 1) no physical response to any cyber-attack which does not cause physical casualties; 2) no cyber response until the attacking entity can be narrowed down to the hostile systems actually being used or at least the organization involved - and by "narrowed down" I mean actual evidence, not suspicions; and 3) no response whatsoever without authorization from the White House or at least civilian level DoD authority - exactly the same as the use of WMDs or other attacks with potentially "strategic" consequences must be authorized.

And no responses whatsoever which could cause civilian casualties in the target country absent a real strategic threat to at least a portion of the US civilian population.

Richard Steven HackFebruary 17, 2011 5:36 PM

Rookie: My agenda is not hidden at all. I don't like the military, I don't respect the military, and I don't trust the military. As far as I'm concerned, anyone who joins the military and puts his life at risk for reasons he doesn't understand, on orders from people he does know, on the basis of intelligence he doesn't have access to, in service of a foreign policy that benefits war profiteers and for the hegemonic desires of power seekers, is an idiot.

And if he causes civilian casualties in the process, he is a war criminal and a murderer.

And I say that as someone who served three years in the US Army from 1967-170, including a year in Vietnam.

I wised up. Like Major General Smedley Butler.

Clive RobinsonFebruary 18, 2011 1:30 AM

@ Richard,

First of my appologies for the delay in responding I'm in a different time zone (GMT) and had a busy evening last night.

Part of the problem that Bruce, Davi, you and I have is the dilution of the meaning of words. Bruce has bloged about it with "terrorist" and it came up a on a thread the other day wit "hacker".

Well part of this dilution of the word war is the natural consequence of everyday usage but sadley also the Orwellian dilution is happening with the word "war" just as it is with "terrorism".

Historicaly to those who were born before or around the time of the "Great War" or WWI and concequently served in the Second World War or WWII the concept of war underwent a very significant change and thus had a very very different meaning to that of their forebears.

Part of this was the change to mechanical war with machine guns, tanks and various aircraft during WWI and the nacient use of science with early WMD with the various gas attacks and "deep mines". Subsiquently the use of science and air warfare during WWII gave rise to the notion that war also included the industrial complex and transportation that provided the weapons and other resources to the combatants. Then the legitamisation of targeting the civilians that worked in the factories and the wide area or carpet bombing techniques that built up to fire storms and effectivly alowed for the continuance into the first use of nuclear devices and the concept of all out war.

The fear of "all out war" between combatants with WMD capable of mass annihilation of a million or so people gave rise to the notion of Mutually Assured Destruction (MAD) and thus the "Cold War" which was far from being a "no death" war as infact it gave rise to the idea of "proxie warfare" of which Vietnam was just one of hundreds if not thousands of such events backed by the US, USSR, China or other sufficiently resourced "super power".

However the concept of "no deaths at home" became the idea behind not just "proxie warfare" but "stand off warfare" and "surgical strikes" and is a way for the military and their (supposed) masters the politicians to exert "physical power" "without casualties". However they always neglect to mention that their reality is "without casualties to our side" not to that of the (supposed) enemy who is incapable of defending themselves.

Thus Mr Bejtlich has fallen into the falacy that a war can be prosecuted without injury or harm or loss of life. If nothing else the recent problems caused by the stupidity of the unregulated banking system has made it abundantly clear that even the colapse of a bank or two causes significant harm to the civilian population not just at the time but as we shall find out for two or three generations down the line. This will be seen via reduced life expectations and early death and a significant widening in the first world poverty gap.

An analysis of the way people die will show that the life expectancy of those with the resources is now around 100years and rising but for those without 50 or less years and will continue to decline...

Now these early deaths may not be considered the "casualties of war" in the more traditional sense but they certainly are attributable to "ecconomic destabilization" which appears to be the main attack surface of "cyber warfare" that Mr Bejtlich and the Pentagon cohorts are espousing.

Now I can understand people taking the more traditional "boots on the ground" "blood and guts" view of "war" and saying that such cyber attacks are not war. However I cannot understand those like Mr Bejtlich who deliberatly hide and deny the untimely deaths that will be the result of the economic desturbance that their "deathless cyber warfare" will actually bring.

Interestingly though as has been pointed out to Mr Bejtlich China although a risk to the access of raw resources appears very well aware that it needs the US currently for it's own economic development, both as an investor and market place. Which as you note effectivly reduces the risk of them coming to open warfare with the US.

However the Pentagon and other should be aware that their "high tech" toys of war are based very much on the industrial output of the electronics industry. And with the emphassis on COST/COTS usage have effectivly placed the defence of the US into the hands of the Chinese, Japanese and other nacient industrial powers such as India which produce the chips.

Doug CoulterFebruary 18, 2011 6:59 PM

Wow, Clive -- you really hammered that one. People can be "killed" without kinetic energy just fine, and it doesn't have to be immediate to amount to the same thing.

It's a hard philosophical step to take, as there is no politically correct way to even discuss this very well.

Consider health care. We know that some things give more life or more quality of life, for longer or shorter times, and at different costs. A rational system might decide that a very expensive procedure would be "worth it" on a young person, because it would cure them and they have more life-hours after that than say, a real old person who is only going to live a couple more years at best. There are a lot of possible examples of that, and at some point since funds are limited, someone has to decide -- it's delusional to think we can afford everything for everyone always.

As soon as you mention that, someone tags it "death panels" and all rational thought is ended.

This is the same sort of thing. People will starve who wouldn't have otherwise, due to some shenanigans of people in Wall street, and some pretty innocent investors who bought some very bad paper...pension funds, other banks, you name it, some of whom would have spent at least some of their money preventing deaths by starvation, or by generally creating wealth that would find its way to the poor -- some does (not enough of course).

Again, Clive -- I often agree with you anyway, but this was one of your better insights.

Doug CoulterFebruary 18, 2011 7:07 PM

Forgot to add. Asimov mentions things like "nuclear weapons are unsuitable for conquest on ones own planet, because the object of war is to subjugate the enemy and absorb his resources, not merely kill a few of them".

The fact that we've always needed to kill some to subjugate them (so far) is a secondary consideration to the definition of the word "war" in my book. The object is generally not dead enemy, it's an enslaved one.

In fact, there's quite a lot of scifi alternate universes where merely killing someone is crass, if they can be "re-educated" and thus re-enslaved.
I think that's scary enough, but then I've never been in a real battle as fought these days myself.

Thus, certainly cyber war can be war, even if death isn't involved, in my own definition. Y'all can use the word to mean what you want if you like.

GGMay 13, 2011 2:06 AM

Sorry to tell you , but really you don't have the slightest idea about Romania but you relay a stupid stupid article which tryes to find the Satan where in fact are a bunch of loosers .
As the majority of the so called US cyber security experts aka Aron Barr &Co your points of view are based on stereotypes and you are preaching false statements .
It perfectly true the fact that those loosers that are depicted in the article exist ,its undeniable but you should be more concern about what is happening on US cyber defenses.
The so called "hackers" from Romania are in fact a bunch of script kids , scammers pishers and xss exploiters same as are in US .No more no less
For your knowledge the real Romanian hackers ( those bad guys)will never do what is depicted there because the majority are white hats and they are working in the US IT hubs Oracle , Intel , Google , EA Sport , UBI soft , Bit Defender in Romania etc . Should i reminde you that the Microsoft security solution Microsoft Essential was boughted from Romania - The former RAV antivirus ?
Like a statistic my business its more frequently attacked by US citizens compared with my conationals attacks .
Signed
a romanian cyber defender with 2 business on est coast and 20 years IT&C
Ps.By the way in Romania ~ every kid knows that he must have an antivirus and firewall and that he must not open unknown messages and unknown links sended by strangers in email or messenger or to give private details in facebook . When you will start to learn everybody that in US ?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..