![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Dust off and nuke the (web)site from orbit...
It's the only way to be sure, according to this story from Network World. Yes, the US military plans, in its cretinous meat-headed way, to use physical attack on big scary cyberattack.
"In the event of a massive cyberattack against the country that was perceived as originating from a foreign source, the United States would consider launching a counterattack or bombing the source of the cyberattack"
Now, once you get past all the paranoia about the threat of an "electronic Pearl Harbor" (it is, after all, these guys' jobs to be paranoid so you don't have to), you still come up against the unrealistic dumbness of bombing an attack source when all the likely attacks are from botnets. Mind you, it's an excuse to carpet bomb or nuke huge swathes of the world, which I bet some of the creaky old ankylosaurs in the Pentagon are gagging to do before they retire.
Here's how a real botnet attack works: I decide to take the whitehouse.gov offline. I get a virus toolkit from my l33t buddies and do a little engineering: first software engineering (naming the target, picking a date, scripting the payload), then social engineering (picking a catchy subject and wrapper message - something to make the average Joe click. "Anna Nicole naked autopsy pics!" will do).
Now I get onto some anonymous accounts using my anonymizer (maybe a couple in series, so that the time taken to subpoena the access logs is greater than the log recycling lag), and I start sending that thing out. I could get an address list - I'd need a compromised mail server for that. Either is pretty easy. I wait for my spam to get its golden shot in some corporate infrastructure, and off it goes. Everyone who clicks the attachment and is running insecure windows gets my bug, which loads into memory and bides its time. And mails itself to everyone in the local address book (this is why corporates can be the golden shot: our address book has about 12,000 entries).
Within a couple of weeks, it'll be dug in like a tick on a few million PCs across the world. Their location is irrelevant and unpredictable; it is most certainly not related to my physical location in any way. Then on such-and-such a date, it starts mindlessly pinging www.whitehouse.gov and its IP addresses; or it starts requesting big files I've identified; or it runs an exploit that commonly harms target servers (IIS buffer overruns, say, that let you execute arbitrary code). My zombie army, like clockwork, rises from its cubicle/bedroom/school grave and lurches to war.
Who you gonna bomb?
"In the event of a massive cyberattack against the country that was perceived as originating from a foreign source, the United States would consider launching a counterattack or bombing the source of the cyberattack"
Now, once you get past all the paranoia about the threat of an "electronic Pearl Harbor" (it is, after all, these guys' jobs to be paranoid so you don't have to), you still come up against the unrealistic dumbness of bombing an attack source when all the likely attacks are from botnets. Mind you, it's an excuse to carpet bomb or nuke huge swathes of the world, which I bet some of the creaky old ankylosaurs in the Pentagon are gagging to do before they retire.
Here's how a real botnet attack works: I decide to take the whitehouse.gov offline. I get a virus toolkit from my l33t buddies and do a little engineering: first software engineering (naming the target, picking a date, scripting the payload), then social engineering (picking a catchy subject and wrapper message - something to make the average Joe click. "Anna Nicole naked autopsy pics!" will do).
Now I get onto some anonymous accounts using my anonymizer (maybe a couple in series, so that the time taken to subpoena the access logs is greater than the log recycling lag), and I start sending that thing out. I could get an address list - I'd need a compromised mail server for that. Either is pretty easy. I wait for my spam to get its golden shot in some corporate infrastructure, and off it goes. Everyone who clicks the attachment and is running insecure windows gets my bug, which loads into memory and bides its time. And mails itself to everyone in the local address book (this is why corporates can be the golden shot: our address book has about 12,000 entries).
Within a couple of weeks, it'll be dug in like a tick on a few million PCs across the world. Their location is irrelevant and unpredictable; it is most certainly not related to my physical location in any way. Then on such-and-such a date, it starts mindlessly pinging www.whitehouse.gov and its IP addresses; or it starts requesting big files I've identified; or it runs an exploit that commonly harms target servers (IIS buffer overruns, say, that let you execute arbitrary code). My zombie army, like clockwork, rises from its cubicle/bedroom/school grave and lurches to war.
Who you gonna bomb?
no subject
"What shall I do today? I could go and be a laborer for that company building crap houses for the westerners to buy and screw my economy over a bit more... or I could cyberbomb the US! Darling, bring my my laptop."
You don't carpet bomb RofI or the Basque country because you think there might be seperatists there. I suppose you do carpet bomb Afghanistan, but at least you can go someway to proving more than a passing sympathy between the government and the organisation that blew up your trade centre. The whole world is skating on ice at so many levels, but I'm alright Jack.
no subject
Not like saying "block all network traffic from Afghanistan and bomb TaleCom!" which seems to be what the Yanks are muttering over.
Actually no, I'll correct that: which seems to be what some dumb talking head for the dumb blowy-uppy people is saying; I haven't actually found anyone with a brain who thinks this is anything but implausible blood and thunder.
no subject
Given the examples our government has provided so far, I fear their response would be to bomb everyone.
no subject