1 / 42

Piracy, Privateering

... and the creation of a new Navy

SOURCE Dublin 2013 Keynote

thomas.dullien@googlemail.com

2 / 42

Strange title for a talk ?

Keynote talks are not supposed to be technical

I don't know much outside of technical stuff

My approach: Sit back and reflect about where we're headed. Turn these musings into a talk.

3 / 42

My views

Former IRC kid in the 90's

Reverse engineering since '97 or so

Vuln-dev etc. since '99

Been around for a while, seen a few things

4 / 42

"building a new Navy"

Television Guy: "Isn't hiring 1000 computer experts terribly expensive ?"

Dave Aitel: "On the one hand, yes - but not really if you are building a new Navy, which is what is happening here."

5 / 42

Wait, what ?

What does hiring hackers have in common with building a Navy ?

6 / 42

Waterways

The cheapest way to transport physical goods is shipping

Control of shipping lanes is control of the flow of goods - and hence money

7 / 42

The internet

The cheapest way to transport bits is the internet

Control of the network means control of transport lanes for "digital goods"

8 / 42

Thesis of this talk

We witnessed, during our lifetimes, the digital equivalent of "La Conquista" - but instead of a new continent being discovered, this new continent was built.

As the world's trade flows are becoming dependent on computers, we will see the rise of "new Navies".

9 / 42

The Spanish Main

10 / 42

History: 1500's

Spain is the dominant superpower

Discovery of the new world - but until the 1520's, it's a backwater

With the 1520's, silver mining in Mexico starts

It isn't until the 1570's that other countries catch on (more later)

11 / 42

History (pre-2000)

Pre-2000-hackers are mostly explorers - not law-abiding, but not primarily goal/profit-driven

Trade volume on the internet is low

With the first dot-com boom, trade rises

With trade come opportunities for profit, both legal and illegal

12 / 42

The internet pre-2000

Nearly complete legal vacuum

Not important enough to divert resources for policing it

Law of the strongest - but on a very low level

13 / 42

Situation in 2001

15-year-old Canadian teens controlled then-huge DDoS networks

Networks presumably controlled by the authors of TFN and Stacheldraht at the time: Much larger

14 / 42

Situation in 2001

"Internet-ending" 0day routinely in the hands of a few teenagers

Significant percentage of the Internet compromised by amateurs

Relatively little of "serious" nature happened: Not much money yet, hackers didn't know what to do with their warez

15 / 42

Similarities

The pre-2000 internet is very similar to the early 1500's Spanish Main

Frontier area, but hardly anyone has recognized the future economic importance

Lawless zone, but not by structure - by choice (e.g. disinterest)

16 / 42

Boucanier (Buccaneer)

Non-Spanish, illicit settlers on Hispaniola

Name derives from "boucan", a wooden grill used for smoking meat

Traded in smoked meat initially - until they figured out that they can raid Spanish ships

17 / 42

History: 1600's

Spain vs France, vs Britain, vs Holland

France, Britain, and Holland draw on existing Boucanier community to ramp up sea power

Transformation: Small-scale pirates transform into large-scale privateering outfits

At the same time: Ramp-up of regular Navies

18 / 42

Hackers

Unintended, illicit settlers on the early internet

Traded in ways of exploring more of the new world

Some identified ways of profiting off their exploration, sometimes criminal, but generally small-scale

19 / 42

2001-2013

Rapid economic and societal change through widespread adoption of the Internet

Rise of Internet Giants: Amazon, Google, Facebook

Expanded defense spending after 9-11

20 / 42

Rise of privateering

Governments realize importance of the Internet

Large powers draw on existing Hacker community to ramp up network capability

Hacker community splits up into interesting fragments

Parallel ramp-up of surveillance / monitoring

21 / 42

Fragments

Navy: Full-on government employment

Privateers: Hackers working as private industry, but backed by government policies

22 / 42

Fragments

Mercenaries to merchants: Hackers working to protect the new trade routes / ports for internet giants

Piracy: Enterprises without government or commercial backing

23 / 42

"Letters of Marque"

Allowed privateers to attack ships of other nations independently

Often "in retribution for losses suffered"

New York Times, two days ago:

"As Chinese Leader’s Visit Nears, U.S. Is Urged to Allow Counterattacks on Hackers"

24 / 42

Privateers

Clearly, there's a lobby for allowing privateering

Government-backed, but private enterprise

Mixing military and economic objectives

25 / 42

Francis Drake

Financed his raids on the Spanish Main through third-party investors

Britain could not openly support such raids without risking war with then-superpower, Spain

Among the investors was Queen Elizabeth

26 / 42

Francis Drake

Ridiculously profitable: First big raid yielded 50% of the British Crown's annual income from one Spanish ship

27 / 42

Sounds familiar ?

Will the architects behind industrial espionage operations be eventually knighted in their respective home countries ?

Is the supposed Chinese economic espionage much different from the policies Britain had toward Spain in the late 1500s ?

28 / 42

Piracy without home port

Most pirates that refused to align with a government, and that could not rely on a home port, were eventually executed

29 / 42

Piracy without home port

Wikileaks and TPB may be modern-day examples of "pirates" that did not have government backing.

30 / 42

Privateering risks

Henry Morgan led a raid on Porto Bello as British privateer

Plunder from that raid alone: 300m USD in today's money

British made peace with Spain, depriving him of his hobby

31 / 42

Privateering risks

Arrested him in April 1672, shipped him to London

His luck: War with the Dutch broke out, he was back in demand & freed

Many unemployed privateers turned to piracy, and were then prosecuted & killed

32 / 42

Other amusing similarities

The then-superpower Spain used privateers sparingly, and mostly relied on regular troops

The challengers to Spanish hegemony used privateers freely

Compare: "Western" approach to computer attacks vs. presumed Russian/Chinese approach

33 / 42

Future: Short-term

Short-term: The next 10 years

"There are only two levels of difficulty in mathematics: Trivial and not understood"

(Alan T. Huckleberry)

"There are only two sorts of source code in IT: Trivial and code execution for the attacker"

34 / 42

Future: Short-term

Right model to think about security?

Any opening of any document is equivalent to granting the attacker the ability to run arbitrary code

Sandbox things tightly

35 / 42

Future: Short-term

Will sandboxing become sufficiently robust in the next 10 years to obsolete most bugs ?

Transitive trust is the silent killer

Compromise all large vendors now and steal their update signing keys

36 / 42

Future: History

Frontal, sea-side assaults on ports became impossible eventually

Attacks on big ports in the Spanish Main happened mostly overland

Why exploit if you can update ?

37 / 42

The future

Small trading outposts are abandoned, commerce is moved into defendable large ports

Specialized convoys transport goods under protection

"Cloud"

38 / 42

The future

Eventually, Navies take over

Navies perform tight surveillance of sea lanes and ensure safety for commerce

Threats of conventional war & economic damage force governments to rein in privateering

39 / 42

The future

This can take a long time

Navy-style surveillance will probably mean full-packet capture for the internet

~20 Exabyte / month - Utah Datacenter: 5 Zettabyte storage

40 / 42

The future

This can be expensive

Pompey eradicated piracy in the Mediterranean in Roman times

Rome dedicated 50% of their entire defense budget to this task (albeit only for a few months)

41 / 42

The future

"Pax Britannica", but under the aegis of a different superpower ?

Which one ?

42 / 42

Any questions ?