Feb. 12th, 2007

andygates: (hellboy)
It's the only way to be sure, according to this story from Network World.  Yes, the US military plans, in its cretinous meat-headed way, to use physical attack on big scary cyberattack.

"In the event of a massive cyberattack against the country that was perceived as originating from a foreign source, the United States would consider launching a counterattack or bombing the source of the cyberattack"

Now, once you get past all the paranoia about the threat of an "electronic Pearl Harbor" (it is, after all, these guys' jobs to be paranoid so you don't have to), you still come up against the unrealistic dumbness of bombing an attack source when all the likely attacks are from botnets.  Mind you, it's an excuse to carpet bomb or nuke huge swathes of the world, which I bet some of the creaky old ankylosaurs in the Pentagon are gagging to do before they retire. 

Here's how a real botnet attack works:  I decide to take whitehouse.gov offline.  I get a virus toolkit from my l33t buddies and do a little engineering: first software engineering (naming the target, picking a date, scripting the payload), then social engineering (picking a catchy subject and wrapper message - something to make the average Joe click.  "Anna Nicole naked autopsy pics!" will do).

Now I get onto some anonymous accounts using my anonymizer (maybe a couple in series, so that the time taken to subpoena the access logs is greater than the log recycling lag), and I start sending that thing out.  I could get an address list - I'd need a compromised mail server for that.  Either is pretty easy.  I wait for my spam to get its golden shot in some corporate infrastructure, and off it goes.  Everyone who clicks the attachment and is running insecure Windows gets my bug, which loads into memory and bides its time.  And it mails itself to everyone in the local address book (this is why corporates can be the golden shot: our address book has about 12,000 entries).

Within a couple of weeks, it'll be dug in like a tick on a few million PCs across the world.  Their location is irrelevant and unpredictable; it is most certainly not related to my physical location in any way.  Then on such-and-such a date, it starts mindlessly pinging www.whitehouse.gov and its IP addresses; or it starts requesting big files I've identified; or it runs an exploit that commonly harms target servers (IIS buffer overruns, say, that let you execute arbitrary code).  My zombie army, like clockwork, rises from its cubicle/bedroom/school grave and lurches to war.

Who you gonna bomb?
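
What that question looks like from the target's side, as an added example that is not part of the original post: a short Python summary of how request sources in a web access log spread across /16 networks, run on two constructed samples (one flood from a single address, one spread over many networks). The log format, the thresholds and all addresses are assumptions made for illustration.

```python
import math
import re
from collections import Counter

LOG_RE = re.compile(r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "\S+ \S+')

def source_spread(lines):
    """Summarise how request sources in an access log spread over /16 networks."""
    per_net, ips = Counter(), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip = m.group(1)
        ips.add(ip)
        per_net[".".join(ip.split(".")[:2])] += 1
    total = sum(per_net.values())
    if total == 0:
        return {"requests": 0, "unique_ips": 0, "networks": 0,
                "top_share": 0.0, "entropy_bits": 0.0}
    entropy = -sum(c / total * math.log2(c / total) for c in per_net.values())
    return {"requests": total, "unique_ips": len(ips), "networks": len(per_net),
            "top_share": per_net.most_common(1)[0][1] / total,
            "entropy_bits": abs(entropy)}

def verdict(stats, min_networks=50, max_top_share=0.05):
    """Hypothetical thresholds: many networks, none dominant => distributed flood."""
    if stats["requests"] == 0:
        return "no data"
    if stats["networks"] >= min_networks and stats["top_share"] <= max_top_share:
        return "distributed"
    return "concentrated"

def make_line(ip):
    """Build one constructed common-log-format line for the given source address."""
    return f'{ip} - - [12/Feb/2007:10:00:00 +0000] "GET / HTTP/1.0" 200 512'

# Constructed sample 1: 200 requests from one address (documentation range).
SINGLE = [make_line("198.51.100.7") for _ in range(200)]
# Constructed sample 2: 200 requests, each from a different synthetic /16.
SPREAD = [make_line(f"{(i * 37) % 223 + 1}.{(i * 91) % 256}.{(i * 13) % 256}.{i % 254 + 1}")
          for i in range(200)]

if __name__ == "__main__":
    for name, sample in (("single", SINGLE), ("spread", SPREAD)):
        s = source_spread(sample)
        print(name, verdict(s), s)
```

A "concentrated" result is something a single filter rule can handle; a "distributed" one has no dominant network to filter, and the addresses in the log belong to the infected machines, not to whoever set them off.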
andygates: (Default)
"An di" is apparently Vietnamese for "go, eat".  Now I know where I get it from.
