Insurgent Groups Exhibit Learning Curve

Interesting research:

After analyzing reams of publicly available data on casualties from Iraq, Afghanistan, Pakistan and decades of terrorist attacks, the scientists conclude that "insurgents pretty much seemed to be following a progress curve—or a learning curve—that's very common in the manufacturing literature," says physicist Neil Johnson of the University of Miami in Florida and lead author of the study.

Paper here.

Posted on July 12, 2011 at 7:13 AM • 38 Comments

Comments

phred14July 12, 2011 8:00 AM

I just wish there could be some sort of article about the security industry learning and getting better at preventing attacks. Instead we seem to get articles about the security industry learning how to get more money and be more intrusive into ordinary life. But then again, if the goal is to make more money and increasing security/safety is only the means, what do you expect? Or as they say, follow the money.

Richard Steven HackJuly 12, 2011 8:09 AM

Stupid article.

They've discovered people get better with practice.

DUH!!

How much grant money did they get for this crap?

And predictive value? They can predict, "Hey, some more people will die in the next seven days!"

I can predict that, too! Give me a grant!

When they can predict where AND when AND by whom AND how, they might have something. And as soon as that becomes clear, the smart terrorist will alter his approach. Which will make all the predicting to date worthless.

Morons.

bobJuly 12, 2011 8:26 AM

@Richard Steven Hack
Any moron can guess, just as any moron can post. It takes intelligence to prove something, just as it take intelligence to post something worth reading.

KeithJuly 12, 2011 8:53 AM

Since this is true, then terrorists will certainly benefit from the volumes of techniques in manufacturing improvement. I can see the overreaction coming: "TWI and Taiichi Ohno literature to become controlled materials."

alJuly 12, 2011 9:14 AM

@Keith

haha, yeah. And they (terrorists) could also start tracking nonfinancial performance indicators such as customer and employee satisfaction;-P

science101July 12, 2011 9:24 AM

If a frequency of attack curve is a learning curve, it represents the combined learning of both attackers and targets with the suspect conclusion the attackers learn faster.

TamJuly 12, 2011 9:33 AM

@Hack

I can understand your emphasis on wanting tactical predictions. But with respect that's missing the point entirely.

It's about understanding how an unconstrained group will behave so we can tell (roughly) how effective we are being in our counter-efforts. Are we above or below the curve? This is strategic intelligence on counter-insurgency which goes beyond simple body counts.

I'd say it was interesting and worthwhile, even if it doesn't magically solve all our problems.

SJuly 12, 2011 10:07 AM

@ keith, al

Fancy joining my new startup? We're going to be the first six-sigma, ISO9001-certified terrorist group in existence!

NobodySpecialJuly 12, 2011 10:22 AM

You could always supply the terrorists with PowerPoint until they completely lose their effectiveness!

This was (allegedly) one of the reasons behind the Northern Ireland peace process. The lead terrorists/freedom fighters on both sides realised that they were young firebrands in the 1960s but were now looking toward a pension - and there were a lot of violent younger guys who had grown up in the drug/bank robbing/funding area of the organisation who might decide to short circuit the committee structure in their promotion bids.

oldnewsJuly 12, 2011 10:47 AM

This article is a terrible example of science. I'm not sure what's worse, the fact that they're getting a lot of media attention for something Aaron Clauset showed two years ago

http://arxiv.org/abs/0906.3287

or that these authors think a few terrorists can get 100 times better with a little practice. I thought scientists, especially fancy ones like physicists, were supposed to try to "falsify" their theories before they published them. Why do attacks become more frequent over time? More terrorists.

BF SkinnerJuly 12, 2011 10:58 AM

@RSH "Which will make all the predicting to date worthless."

Which is to say "tactics change?" So do we stop meeting the tactical changes because they aren't the same twice?

But learning curves sound consistent.

It gives a reason to the Israelie targeted assassination program. Kill off the skilled enemies and it takes them time to reaquire the skills to be the same level of threat.

So we tactical predictions are good but strategies better?

@oldnews "getting ... attention for something Aaron Clauset showed two years ago"

Science tests it's knowledge through repeatability does it not? Who was Elisha Gray and should we care? Did Edison create all of his inventions?

kingsnakeJuly 12, 2011 12:11 PM

S: *laugh*

Problem is, the successful guys won't make it to "black belt" ... ;-p

Dirk PraetJuly 12, 2011 2:05 PM

I wonder if these guys actually thought for a minute that contrary to monkeys, terrorists would not exhibit some form of learning curve. For me, this is just proving the obvious. It would have been a much more interesting read if someone had published a study to the contrary.

RHJuly 12, 2011 2:29 PM

Along Dirk Praet's lines... can anybody think of a single example where we have a system of successive events, with knowledge from each event passed on to future events, where a learning curve does not occur? I think all they managed to prove was that terrorists learn. This separates them from lesser entities, such as rocks and dirt, which does not seem to learn.

tommyJuly 12, 2011 6:01 PM

What I said @ the Irish bank-robber thread,
http://www.schneier.com/blog/archives/2011/07/organized_crime.html#comments

still applies:

"A frequent topic here is how as IT defenses have improved, malware has adapted accordingly, and morphed into new forms not yet defended against. Here, banks and cash couriers improved their defenses, so malpeople adapted accordingly, to new forms not yet defended against.

"Not only is the analogy perfect, but since malware is created by malpeople, it's actually the same topic. At the risk of repeating myself, physical and electronic security are not two different things. The malpeople are adapting, whether in physical attacks or electronic ones."
***********
These are just more malpeople adapting with time and experience. Crackers who used to hit one machine at a time are now hitting hundreds of thousands. Hacking a few thousand dollars is now hacking $millions.

I agree that counter-terrorism should focus on the leaders and the most experienced, but that's pretty obvious anyway. And the little fish can lead you to the big fish.

No, it's not surprising that learning curves exist, although Bruce has blogged about the apparent incompetence of ter*or*sts. Knowing what they know, and what they don't know, is useful intel.

JonJuly 12, 2011 6:05 PM

"I wonder if these guys actually thought for a minute that contrary to monkeys, terrorists would not exhibit some form of learning curve."

Well, perhaps it's not as dumb as it sounds. What chance does a suicide terrorist have to 'exhibit some form of learning curve'? Is that the same or different to a terrorist organisation that /uses/ suicide terrorists?

WWI- and WWII-era armies were in a somewhat similiar predicament. The turnover of the really FRONT frontline guys was so high that their ability to learn - in any army - wasn't that meaningful. However, the headquarters and staff systems were more long-lived, and 'good' armies made use of that to distill lessons and get better at their jobs of organising and managing battles as time advanced and experience accumulated. That was so even if the riflemen and tank drivers didn't get all that much better, and arguably got worse as pre-war or between-campaign training and experience was diluted through mass-mobilisation and lost to casualties.

Jon

AndrewJuly 12, 2011 6:08 PM

@RH - Ah...the old insult is renewed: "That [named thing] is dumb as a box of rocks."

I find myself agreeing with the dissent on this comment train. This study doesn't appear to have "taught" us anything we haven't "learned" before. It's scientific value seems dubious at best, respecting the somewhat majority opinion here that suggests that the science here was valuable at least for science's sake.

Respecting @Tam's comment, yes okay so we can agree that tactical value is just about nil, but I'm not reading any strategic value here either. The conclusions ought to provide some manner of insight, but it's only confirming what is already generally intuited by battle managers from the action reports. Now while this has "some" value, and is scientifically valid as a result, how does it help? It...really doesn't.

Yeah, screw cost-benefit. If it were privately funded, I'd care very little. But, if this was gov't/military funded research, then I *facepalm*. This research isn't going to tangibly help insurgent-facing personnel "learn" how to better defend themselves and reduce casualty rates. And, it probably has diverted resources that might have otherwise been employed to do precisely this.

You want to be able to start to answer the "why?" and the "how?" questions to get insight valuable to defending insurgent-facing folks.

Setting this matter aside, and thus departing the topic, one way (for the US military) to get some positive results almost immediately would be to finally withdraw from these conflict zones where our forces are being exposed to insurgents. Our past interference is cited as reason justifying further interference to "fix" the situation precipitated by that past interference.

But this sort of mentality tends to lead managers right off a cliff. It creates a locked-in mentality that is generally only aborted by catastrophic loss or complete depletion of resources (we're fresh out of men, money, equip., will, rule-of-law, political support, etc.). And...well that's precisely the strategy the insurgents are aiming for...running out the clock on us. The only thing this study is saying strategically is that they're getting more efficient at that aim.

I like @NobodySpecial's insight regarding the N. Ireland conflict. This "winning hearts and minds" strategy by imposing external force generally _as_ lethal and oppressive as that threatened by insurgent groups is and has been only successful at piling up bodies on all sides.

A fundamental shift is required, it starts by withdrawing military abroad to defend the home territory only, as it was originally intended for.

What would follow after this step is a whole other topic entirely (so I stop now). But research into it could have _real_ value for this whole insurgent problem, as it goes right to the heart of why insurgent groups rise in the first place. And at any rate, practical experience (two semi-permanent conflicts running longer than any single war in the history of the USA, no (real) end in sight, and the genesis of a third) has more than shown that a radical shift of strategy is warranted, as the cost of continuing the present course will be pyrrhic now even assuming the best case.

(Sorry about the OT comments, but the topic just naturally leads me to 'em.)

BacopaJuly 12, 2011 6:36 PM

Jon, the air forces of the UK and US sought to avoid the problems you mentioned. Bomber crews were rotated out of combat missions after a set number of missions. Casualties were high, so a lot of crews didn't make it, but those who did became trainers for fresh crews.

I don't think the US is attacked enough for there to be much opportunity for terrorists to learn very much.

AndyJuly 12, 2011 6:42 PM

Can't you stop the insurgents learning new stragies by not improving your baseline or increases you defense(implement them), but reasech privately multipe steps ahead.
One, in one step you release the private stagies and the steps is to large to overcome, or have the baseline as a stable line, were the offense stragies against you will be measureable against the denfinses.

You can't changes someone easily but you can changes yourself easily.

Richard Steven HackJuly 12, 2011 10:03 PM

Bob: "Any moron can guess"

I'm not talking about guessing, I'm talking about knowing your adversary will get better at what he's doing, assuming of course that he has any brains at all (which many terrorists - as well as many security people - don't.)

"just as any moron can post. It takes intelligence to prove something, just as it take intelligence to post something worth reading."

Thank you for proving my point.

Tam: "It's about understanding how an unconstrained group will behave so we can tell (roughly) how effective we are being in our counter-efforts. Are we above or below the curve? This is strategic intelligence on counter-insurgency which goes beyond simple body counts."

OK, here's a valid point to discuss. The problem with this is precisely the notion of a "learning curve". The assumption here is that the curve will be along lines we can understand and predict. But the definition of terrorism is attacking in ways that are by definition unpredictable. To the degree a terrorist follows that rule, no amount of analysis of his previous assaults will tell you anything more than that he hasn't finished hurting you in ways you can't predict.

As Dick Marcinko said once, "Security works from checklists. Once something has been checked, it is crossed off the list and not checked again. Terrorists do not work from checklists, they hit targets of opportunity. So we’d wait until a
location had been visited by security, then we’d hit it, confident that no one would be waiting for us."

This is the same result you get from trying to predict a competent terrorist from his previous actions. You end up defending against an assault he won't use again - until and unless you stop defending against it (or can't defend against it.)

The sort of prediction described here works only against large scale insurgent groups who have a "tactical doctrine" and a specific environment to execute it in, i.e, Afghanistan, Iraq, etc.

It's utterly worthless against competent urban terrorists who have endless targets to attack and endless ways to attack them, or insurgents who understand the concept of changing tactics and targets.

BK Skinner: "So do we stop meeting the tactical changes because they aren't the same twice?"

The question is how can examining the previous tactical changes help you predict the next tactical change. I submit that doesn't work unless your enemy is by nature very predictable. If he HAS a "learning curve" by definition he isn't predictable.

"But learning curves sound consistent." They sound like it. They aren't.

"It gives a reason to the Israelie targeted assassination program. Kill off the skilled enemies and it takes them time to reaquire the skills to be the same level of threat."

Two points here: First, finding and killing your enemies is the only thing that works (aside from changing your policies to avoid having enemies - something the religious fanatics in Israel don't comprehend.)

Second, even if you kill off the skilled enemies, it's not certain that their replacements will need the same time to acquire the same skills. In fact, the learning curve is reduced for subsequent operatives provided they were paying attention to those they replaced, or the "organizational memory" is being maintained by the organization.

Worse, it's not clear that their replacements WILL use the same tactics, which means YOUR learning curve starts over again!

The POINT of this "learning curve" business is that such curves are NOT predictable. That you can predict that your adversary WILL get better does not help predict HOW he will get better.

Bottom line: Here is what one CAN learn from past COIN operations: COIN doesn't work. It can't work. It's impossible. By which I mean COIN implemented by foreign forces in an occupied country. COIN can ONLY work IF it is implemented by a government which is 1) native (i.e. indigenous to the country), 2) supported by the majority of the population, and implemented by a security force which is 1) native, 2) supported by the majority of the population, 3) understands both the language and the culture to the same degree as the local population, and 4) is deployed throughout the local population such that you have a security force in virtually every neighborhood which is deeply in touch with the people and environment.

NONE of this applies to US forces deployed anywhere in the world outside the continental US. Therefore, no matter what David Petraeus or any other "COINdinista" would have you believe, US forces are utterly incapable of implementing an effective or successful COIN strategy or tactics anywhere at any time. They never have. They never will.

And when it comes to foreign or domestic terrorists operating in urban environments on a lower level, this sort of research is next to worthless.

Go back and reread those quotes from Dick Marcinko I posted some threads back. They show how "learning curve" is not even relevant to what a motivated and imaginative assault team can do to a security apparatus.

As Marcinko said once, "The only way to train to be a terrorist is to do it." His SEAL Teams operated out in the field as "faux terrorists" against US military targets in order to learn what security vulnerabilities existed which needed to be fixed. It's the same thing as pen-testing (but with real weapons.)

This is far more effective than studying what your enemy USED to do - study what any enemy COULD do. Then assume he will do something ELSE.

Bottom line: "Defensive security" does not work. Either change your policies so you don't have those enemies - or find and kill them before they kill you. It's that simple. If you can't do the latter, you'd better do the former.

AndyJuly 12, 2011 10:22 PM

@RSH, "Bottom line: "Defensive security" does not work. Either change your policies so you don't have those enemies - or find and kill them before they kill you. It's that simple. If you can't do the latter, you'd better do the former.".
That proable wouldn't work.. to go out and kill some emeny, as a emeny is not a fixed piont, ever time you change tack you will create a new emeny and new freind.
If you had a old freind, but you then went out and killed your emenys, how sure are you that they will still be your freind...and not become a new emeny.

A learn curve can be pretable, if I drive down a road and not crash, I proable want change anything about my driveing untill a external force makes me re-ass the situiation.
If there no external force, but i reseve a ticket for say smoking in public, my driving is not going to change, but i will keep recive tickets for smoking even if I quit.

Holes yes but maybe a new light, if you're stuck in a rut do the oppoiste,repiar the damage and see if your changed course

Richard Steven HackJuly 12, 2011 10:28 PM

Off topic, but probably relevant. I just found this which is pretty brilliant:

On The Sophistication of Attacks:
http://forensicir.blogspot.com/2011/04/on-sophistication-of-attacks.html

Quote:

If they appear unsophisticated, you will believe that they are not capable of more.

If you believe that is all they are capable of, you will assume they are not dangerous.

If you don't see them as dangerous, Your arrogance will cause you to look down on them.

In your arrogance, You will underestimate them.

If you underestimate them, then you have already lost.

You have been losing for 20 years, and you didn't even know it.

End Quote

Late Night Thoughts
http://forensicir.blogspot.com/2010/12/late-night-thoughts.html

Quote:

We're in an OE we created and don't control.


Cyber is the new Urban and the adversary is the insurgent.


The adversary looks like the populace, sounds like them, lives in their midst, and hides his activities among the normal and legitimate activities of the populace.

Regular tactics don't work against irregular adversaries.

Know your doctrine, study the adversary's.

If someone punches you in the face, you're in a fight.

If you stand still you will continue getting punched in the face.

Espionage is a peacetime effort to us. To them, it's used as an opening salvo to position the pieces to control the center.

There is a lot of room for deception in the modern computing environment.

A mix of unorthodox and orthodox strategies is the only way to succeed.

Know and understand the needs, capabilities, tactics, tools and methodologies of the adversary. This is asymmetry.

Predictive capability can only come from studying history, yours and theirs. [MY NOTE: This is where he goes wrong - except in the sense that history proves you can't predict successfully.]

The use of malware, viruses, worms and other destructive software is encouraged, and condoned. This is killing with a borrowed knife.

If I was in a different country, I would be expected to use my computer as a weapon.

The siegfried line was overrun through cunning and persistence.

The maginot line was flanked.

A hardened structure can only protect you from that which it is hardened against.

Siege warfare mentality no longer applies, yet it is practiced.

A stationary target will always succumb to cunning and persistence, if it remains stationary.

Counter offensives launched from stationary positions will hardly be effective.

You must move as quickly as the adversary.

Your culture has shaped your entire life. Study a different culture and adapt.

When a country only wants to buy two of your products, it's so they can reverse engineer and copy them. Russia learned this the hard way.

The farewell dossier event occured nearly 30 years ago.

Master your own perception before manipulating the adversary's.

If the adversary is hungry. He can be easily manipulated.

Learn to build snowmobiles.

The world is non-linear. Think in conceptual spirals.

True intelligence is the result of synthesis.

Once a target, always a target. Once a target, always a victim. Once a victim, always a victim.

End Quote

Richard Steven HackJuly 12, 2011 10:31 PM

Andy: "That proable wouldn't work.. to go out and kill some emeny, as a emeny is not a fixed piont, ever time you change tack you will create a new emeny and new freind."

That's why it's better to change your policies. Killing the enemy only works when he's small, local and not supported or sympathized with by others.

And you really need to stop posting from a cell phone. It makes my eyes bleed. :-)

AndrewJuly 13, 2011 2:44 AM

@RSH Great material and great thoughts. This thread has been at-once fun, aggravating and sobering to read. A success, then.

Dirk PraetJuly 13, 2011 4:00 AM

@ Jon

"What chance does a suicide terrorist have to exhibit some form of learning curve?"

None. The individual being sacrificed doesn't learn, it's the collective that does.

@ Andrew

"as the cost of continuing the present course will be pyrrhic now even assuming the best case"

As illustrated by a current $14.3 tn in debt and a $50bn trade deficit. Could be an interesting starting point for a study exhibiting that contrary to monkeys and terrorist organisations, the USG is not showing any form of learning curve, especially when it comes to foreign policy.

@ RSH

"Your culture has shaped your entire life. Study a different culture and adapt."

The US's Achilles heel and probably the prime reason for the utter failure of both the Iraq and Afghanistan wars.

GreenSquirrelJuly 13, 2011 4:25 AM

@phred14

"Instead we seem to get articles about the security industry learning how to get more money and be more intrusive into ordinary life."

Not all the Security Industry (me for example :-( ), but I see your point.

I think the problem is that as soon as fear took over security became profitable enough for sharks to get involved. Rather than leave it as a business where everyone can earn a good living providing good advice, the big consultancies have slashed their way through making it harder and harder for anyone else to compete - all the while salaries have plummeted while profits (and charge out rates) have increased.

Someone more inclined to prophecy may be inclined to predict a point when this will finally collapse, but I dont have enough faith in humanity.

@RSH

"Bottom line: "Defensive security" does not work. Either change your policies so you don't have those enemies - or find and kill them before they kill you. It's that simple. If you can't do the latter, you'd better do the former."

I disagree but I think this could be an argument based on perception of timescales.

Crucially, I think the mistake here is that you present it as an exclusive option to changing policy.

The reality is that no matter how much you change your policies there will always be people who want to do you harm and take what you have.

Killing your enemies is never going to work either, for exactly the same reason.

The only solution is to adopt an approach that includes all three. Dont annoy everyone else, be strong enough to defend against the nut-cases and when all else fails be prepared to prosecute war.

Clive RobinsonJuly 13, 2011 5:46 AM

@ tommy,

"At the risk of repeating myself, physical and electronic security are not two different things."

Err not quite true.

I regard physical security is actually a subset of information security of which electronic security forms a larger subset.

Physical security has some hiden assumptions underlying it that do not apply to information security.

1, locality.
2, time.
3, energy.

That is in the physical world a tangable object or entity (1) can only be in one place at one time, and (2) that the number of attacks a tangable object or entity can attack is limited by the (2a) time it takes to perform an attack and (2b) the time it takes to move to the next target and (3) any force multipliers required to improve the preceading asspects requires an energy input of some form that is either a direct cost or directly equivalent to a cost.

Now if you look at an information attack, it does not involve the use of physical or tangable objects or entities (although it is assumed one initiated the attack). Importantly is the zero cost (to the attacker) of duplication and communication.

So for an information attack even the small energy/cost for storage and communication is actually carried by the targets which effectivly means (3) the attacker has a zero cost of force multiplication, which in turn means that (1) the attacker can effectivly launch the payload of an attack at all places at the same time and that (2b) there is zero time between attacks.

Thus a mass information attack unlike a mass physical attack can be by "an army of one". Which is why speaking of "cyber warfare" is such a dangerous thing to do.

Much in the ways of "physical security" and the majority of the mind set behind it is actually not about prevention, but delaying attackers from their goal untill other deterant forces that can stop them are brought to the location of the attack and deployed.

This physical security mind set has evolved from the knowledge that you can only reliably defend a very small perimeter, and that it is not practical to have such a small area heavily defended as what you are defending becomes unusable.

However because in the tangable world you assume only one or two attacks can occure at any one time it can be seen that you don't need to have a strong perimeter only one that reliably detects an attack and sufficiently slowes it that strong defence can be deployed at the point of attack.

Therefore for external attacks you end up increasing the perimeter vastly and rely instead on a small set of highly mobile defenders who can get to any point on the perimeter in sufficient time to stop or significantly delay the attack.

When a perimeter is sufficiently large, it is not possible to use just one small force of defenders due to the deployment time limitations, so you look at using three or more groups placed a distance away from the center of a defended area to reduce the distance travelled.

Similar logic can be applied to insider attacks.Because you dont know where in a given defended area an attack will occure you tend to deploy defending forces closer to areas of what you consider greater risk.

You have effectivly moved from a reactive defence driven model to a predictive model based on available intelligence.

And this is an important step that few if any physical security models take forward. The reason for this is it is generaly a "single entity" defence model that is used. Municiple authorities by definition cannot use "single entity" defence models and it is thus they that have need of risk models based on intelligence.

With a little further thinking you will realise that with information based attacks only one reactive defence model works and that is to be stronger at all points than any attacker. Which we know from experiance just does not work.

Thus you need to consider intelligence lead defence. Which is a little awkward in that there are two basic types. One is a non agressive mode in which you "destructivly test" to find weaknesses before the attackers. The other is an aggressive mode where you attack those you percieve as pottential attackers either by espionage or by sabotage.

And it is this latter "probing" path that is the one that many sufficiently large municipal organisations (Governments and large corporations) appear to be using.

Which is from the perspective of those being "probed" is effectivly a "cyber-warefare" attack as they have no way to differentiate one from the other.

And it is from our "physical world" perspective that we will assume that any mass probe will be war declared or otherwise.

And this indistinguishablity between probe / war that makes APT such an issue.

GreenSquirrelJuly 13, 2011 6:27 AM

@Clive

I find myself slightly disagreeing with you here.

I think Physical Security is a subset of "security" but then I also think "information security" is as well. Infact, "information security" is such an abused term, I am not sure it conveys any proper meaning any more.

One other point:

"Physical security has some hiden assumptions underlying it that do not apply to information security."

They are there with information security as well - if you make it impossible for an attacker to touch your systems, they cant attack it - in the same manner as with a physical security measure.

One difference with "IT" based attacks is that the route to touching your fence is different than in the real world, but the principle remains.

BF SkinnerJuly 13, 2011 7:03 AM

RSH "Two points here: First, finding and killing your enemies is the only thing that works (aside from changing your policies to avoid having enemies - something the religious fanatics in Israel don't comprehend.)

Second, even if you kill off the skilled enemies, it's not certain that their replacements will need the same time to acquire the same skills. In fact, the learning curve is reduced for subsequent operatives provided they were paying attention to those they replaced, or the "organizational memory" is being maintained by the organization."

While I agree on the first part of your first point. On the second part there is no policy Israel could or should adopt that would make it cease to exist. (The only acceptable outcome for many in the region)

Regarding your second point that it's more certain in my thinking than uncertain. There are people who are irreplaceable; ask Google.

It would be a case for interesting further study.

phred14July 13, 2011 7:55 AM

@GreenSquirrel
"The only solution is to adopt an approach that includes all three. Dont annoy everyone else, be strong enough to defend against the nut-cases and when all else fails be prepared to prosecute war."

Stop trying to bring common sense into the argument. We're after the One True Silver Bullet here, particularly the most profitable Silver Bullet.

The real problem comes when overemphasis on the profit motive obscures the more basic need to, "Get the job done, and done well." That can be applied to far more than just the security industry.

Clive RobinsonJuly 13, 2011 8:28 AM

@ Greensquirrel,

"They are there with information security as well - if you make it impossible for an attacker to touch your systems, they cant attack it - in the same manner as with a physical security measure."

If your attacker knows where something is either in the geographical or virtual world then they can get at it. Attacking it is then simply a question of resources.

Some years ago I got into thinking about how to subvert voting machines. I worked out how to cross airgaps via USB in both directions and other little tricks such as using directed "fire and forget" malware.

I actually got into a couple of arguments with people at Cambridge Laps on their lightbluetouchpaper blog, and gave sufficient detail of how to use "fire and forget" to get a payload across air gaps (this was some time prior to the earliest date for stuxnet). Likewise I also argued on another thread on that blog that code signing could quite easily be subverted in a number of ways, again it would appear prior to stuxnet.

So I was not overly surprised with anything stuxnet offers (in fact some one I know pulls my leg that I was responsible for it).

I have also argued that the size of various botnets shows that "fire and forget" is a very viable way to become an "army of one" and that the main limit on their growth above 1million+ machines is that the bot hearders do not know how to capitalise on the bots. Thus they use them inappropriately for SPAM / DoDS and thus advertise the machines infected state simply by the large volumes of traffic it spews out. The conciquence of more covert usage is the worst possible form of APT for any defender that uses commodity OS's.

Since then I have thought further and have conciquently worked out ways to cross the air gap using application level data that gets effectivly interpreted, as well as some methods using problems in protocols (which as I keep pointing out are the worst form as protocols are almost always "forever" with backwards compatability being a major driver in comercial software production.

You will also note from some of my previous posts I'm also accutly aware of the use of side channels of various forms to get data in and out of computers through non obvious routes. And in this respect have mentioned methods that I was playing around with thirty years ago that the accademic community has only just started to pick up on (RF Fault injection).

Thus I feel reasonably safe to say that it is almost (but not quite ;) impossible "to keep the barbarians from the gate" as Rome amongst others found.

A couple of pieces of advice from Bob Morris Snr who past away just recently,

"The only way to have computer security is, to never own one, never use one and never turn one on."

"Never underestimate the resources a determined adversary will use to be party to your activities and communications"

And arguably, he as one of the NSA's chief scientists was in a better position to know than I.

Richard Steven HackJuly 13, 2011 9:37 PM

Green Squirrel: "The reality is that no matter how much you change your policies there will always be people who want to do you harm and take what you have."

Of course. But then there's history. If you've spent most of your time killing people and taking what they have, you tend to make more enemies than you would have had in other circumstances.

This is precisely the US position. US policies at this point are entirely opposed to real US interests, as distinct from the interests of certain sectors of the US which profit from these policies in ways involving either money or power or both.

That's what I'm talking about, not the generality that everyone has enemies.

"Killing your enemies is never going to work either, for exactly the same reason."

Reminds me of this dialog from "The Magnificent Seven":

Chris Adams: It's only a matter of knowing how to shoot a gun. Nothing big about that.
Chico: Hey. How can you talk like this? Your gun has got you everything you have. Isn't that true? Hmm? Well, isn't that true?
Vin: Yeah, sure. Everything. After awhile you can call bartenders and faro dealers by their first name - maybe two hundred of 'em! Rented rooms you live in - five hundred! Meals you eat in hash houses - a thousand! Home - none! Wife - none! Kids... none! Prospects - zero. Suppose I left anything out?
Chris Adams: Yeah. Places you're tied down to - none. People with a hold on you - none. Men you step aside for - none.
Lee: Insults swallowed - none. Enemies - none.
Chris Adams: No enemies?
Lee: Alive.

In other words, there are enemies and there are enemies. You just kill the ones who could kill you. The rest don't matter.

Translated into practical terms, if US foreign policy was different, Al Qaeda wouldn't be attacking the US. Again, that's the real point, not some generality about having enemies.

"Dont annoy everyone else, be strong enough to defend against the nut-cases and when all else fails be prepared to prosecute war."

That's exactly what I'm saying. But Afghanistan and Iraq and US foreign policy in general as well as the "War on Terror" and lame attempts at counter-terrorism at home reflects a failure of all three.

BK Skinner: "On the second part there is no policy Israel could or should adopt that would make it cease to exist. (The only acceptable outcome for many in the region)"

Actually, there is: cease to be a "Zionist Jewish state" and become a bi-national state with equal rights for Jews and Palestinians. While this would be extremely difficult due to the history of the conflict, it will only become more difficult the longer it is put off. It might already be impossible, but that is not certain. The alternatives are ethnic cleansing or genocide of either Palestinians or Jews - a much worse outcome - or an apartheid state of oppressed Palestinians forever, not exactly a great outcome and almost certainly unsustainable due to demographic pressure, which leads right back to ethnic cleansing or genocide.

The critical historical point is that Israel as a "Jewish state" in legal fact has no right to exist. The UN itself admitted it had no legal right to partition Palestine as it did in 1947, and the Israelis had no particular legal right to establish the state of Israel. It definitely had no legal right to do what it did since in terms of oppression of the Palestinians and seizure of Palestinian lands - this has been established by the international courts.

The only solution to the issue thus is to change the terms of engagement. Stop supporting the Zionist religious and political fantasy of a "Fortress Israel" and become a true democratic state encompassing both Jews and Palestinians.

Clive RobinsonJuly 14, 2011 10:31 AM

@ Richard Steven Hack, Greensquirrel,

Irrespective of who thumps who and how, the problem with the Middle East as Paul Wolfozit put it "It floats on a F**king lake of oil", which he forgot to mention is rapidly running out.

Since the first world war the US and Russia had a simple policy sow as much trouble and discontent in the area as possible to secure access to the oil.

Both sides with the british and french kicking at the touchlines have been fighting for one thing and one thing only and that is to control the energy flow.

As I've remarked before the study of water rights throughout history will give you a very good idea as to what is going to happen.

For many people in the US the knowledge of nuclear power is something that upsets the balance of power.

Thus virtually the sole intent of the US is to stop nations it regards as second world and below gaining any kind of energy independance.

The whole buy in to the Iranian Nuclear "weapons" argument is to stop them or other Middle East nations other than the chosen ones getting nuclear or any other kind of energy independance.

Then within 20years when the Arab nations have no more oil it's "pay back time" and the US etc will bleed the middle east back to a desert with no resources so that the land grab can go forward. And those arabs left will be left holding out the begging bowl to the US...

Hopefully I won't be alive to see the conciquences but that is the most likley high level strategy and why the US does every thing it can to stop peace in the Middle East.

To understand this the study of history is important, and you have to understand that energy=money=power and that soon the only readily available soruces of energy will be in the short term nuclear supported by some "green technologies". However "green technologies" in the Norther climbs suffer from the problem that they are not reliable and we currently have no viable storage solutions (other than lakes at the tops of mountains). This makes the unpopulated desert look highly attractive for reliably predictable energy...

Richard Steven HackJuly 14, 2011 7:48 PM

Clilve: Yup. You're spot on in every respect.

Actually the best solution to energy needs is the late Professor Richard Smalley's nanotech initiative. Basically, spend another ten to fifty cents for gas and put the money into researching nanotech batteries, nanotech wire power delivery, and nanotech solar power satellites. He demonstrated that neither nuclear nor any other "green" technologies could deliver the necessary double present power needs by 2050. But his initiative can.

Check his presentation here:

Dr. Richard Smalley: "Our Energy Challenge" (Part 1 of 7)
http://www.youtube.com/watch?v=CpYTVMhPUzc

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..