
Critiques of the DHS and FBI’s Grizzly Steppe Report - kushti
http://www.robertmlee.org/critiques-of-the-dhsfbis-grizzly-steppe-report/
======
rrggrr
This is theatre. Were Congress to expand tort law to mandate standards and
consequences similar to products liability regulations for other products,
then the attack surface available to state and non-state actors would
meaningfully shrink.

If there is one thing the plaintiff's lawyers excel at, it is inflicting
extensive expenses and pain on parties who negligently or fraudulently create,
fund creation, or use products that injure property or person; thereby
creating effective incentives to harden products.

You will know the USGOV is serious about INFOSEC when they stop issuing
reports and start legislating, regulating and enforcing meaningful standards,
as they already do for automobiles, drugs, machinery, etc.

~~~
AnthonyMouse
> Were Congress to expand tort law to mandate standards and consequences
> similar to products liability regulations for other products, then the
> attack surface available to state and non-state actors would meaningfully
> shrink.

The problem is the organization sizes are the opposite of what works for
products liability. It's not Joe Homeowner buying an appliance from Sears or
GE, it's an insurance company or government contractor getting software from
an individual or a company with nine employees.

You can't use that to force improvements from small entities because they
barely even have lawyers to tell them what they have to do, and nobody will
actually sue them if they have no money anyway.

What you need isn't for the software vendor to be liable, it's for the company
holding all the customer data to be liable to those customers. Then those
companies will start caring about actual security instead of "compliance" and
figuring out how to pass the buck, and software vendors will still have to
make secure software because nobody will buy anything else anymore.

It also forces companies to start treating huge databases as the security
liability that they are. And it conveniently applies to the _large_ tech
companies that are also data warehousing companies like Yahoo or
LinkedIn/Microsoft.

~~~
nickpsecurity
"it's an insurance company or government contractor getting software from an
individual or a company with nine employees."

The good news is high-assurance systems have been built with smaller teams
than that. We also have cases like Bernstein's where one person builds all
kinds of stuff with provably better security using a bit of brains and methods
that work. We also have tools like SPARK for static systems and Rust/Eiffel
for larger ones that can easily eliminate entire classes of attack. Ada &
SPARK have been around for decades. Eiffel for over a decade. Hardly anyone in
the security-critical space is using them.

Most of what you see is easily prevented. Even with small teams. They just
don't care or try. A baseline stopping code injection or insecure
configurations would knock out a _ton_ of problems. The next thing that would
happen, as did with DO-178B regulation & TCSEC, would be reusable components
and consulting services designed to meet the standard where the cost & limited
expertise is spread among many customers.

It could be done. Even for smaller players to a large degree.

"What you need isn't for the software vendor to be liable, it's for the
company holding all the customer data to be liable to those customers."

Doesn't solve the DDOS problem which can also be used for extortion,
interfering with government operations, etc. My approach targeting root cause
handles that, too.
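
The "baseline stopping code injection" that nickpsecurity argues for above, shown concretely as an added example; this is editor-supplied code, not code from the thread, from the Grizzly Steppe report, or from anyone quoted here. It uses only Python's standard-library sqlite3 module, a constructed in-memory users table, a constructed injection string, and a hypothetical allow-list pattern (NAME_RE) chosen for the example, so it runs offline:

```python
"""Code injection: the defect beside the fix a baseline standard would mandate.

Added example, not from the thread. Everything below (table contents, the
attacker string, the allow-list) is constructed for illustration."""
import re
import sqlite3

# Constructed sample rows; nothing here comes from the thread or the report.
SAMPLE_USERS = [
    ("alice", "alice@example.org", "admin"),
    ("bob", "bob@example.org", "staff"),
    ("carol", "carol@example.org", "staff"),
]

# Constructed attacker input: closes the string literal and appends a
# tautology so the WHERE clause matches every row in the table.
INJECTION = "nobody' OR '1'='1"

# Hypothetical allow-list for account names, chosen for this example only.
NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def make_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Injectable: untrusted text is spliced into the SQL string, so the
    database parses attacker-controlled data as query syntax."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_params_only(conn: sqlite3.Connection, name: str) -> list:
    """Fixed by binding alone: the value is passed as a parameter, so the
    database can only compare it, never parse it. This is sufficient on its
    own to stop the injection."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Binding plus an input allow-list: malformed names are rejected before
    they reach the database at all (defence in depth, not a substitute for
    parameterisation)."""
    if not NAME_RE.match(name):
        raise ValueError(f"rejected account name: {name!r}")
    return lookup_params_only(conn, name)


def compare(name: str) -> dict:
    """Run one input through all three paths and report what each returned."""
    conn = make_db()
    result = {
        "input": name,
        "vulnerable_rows": len(lookup_vulnerable(conn, name)),
        "params_only_rows": len(lookup_params_only(conn, name)),
    }
    try:
        result["hardened_rows"] = len(lookup_hardened(conn, name))
        result["hardened_rejected"] = False
    except ValueError:
        result["hardened_rows"] = 0
        result["hardened_rejected"] = True
    conn.close()
    return result


if __name__ == "__main__":
    for who in ("alice", INJECTION):
        print(compare(who))
```

Run it directly to see the three lookups side by side: for the tautology input the string-built query returns every row, the bound-parameter query returns none, and the allow-listed version refuses the input before any query runs. The defect is a textual pattern (untrusted data formatted into a query string), which is why it is the kind of thing static checkers flag automatically and a short code review catches by eye.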

~~~
AnthonyMouse
Oh absolutely, it isn't that small teams can't create secure software, it's
that product liability isn't the way to do it. Because when the lawyers come
for the bad coders they just turn their pockets inside out and then go back to
writing bad code, while all the HMOs carry on using OpenSSL and vulnerable XML
parsers.

> Doesn't solve the DDOS problem which can also be used for extortion,
> interfering with government operations, etc. My approach targeting root
> cause handles that, too.

Can you be more specific about your DDOS solution?

~~~
nickpsecurity
"Can you be more specific about your DDOS solution?"

The root cause is 0-days in software or bad configuration of mass-market
products in most cases. The former can be detected automatically by many
tools. The latter can, given the flaws I've seen so far, be spotted in a
5-minute review by an amateur consultant. Mandating such things in a regulation
or expecting them as "reasonable, professional standard" during a lawsuit
would be a start. Prevents many DDOS bots as a side-effect.

My main solution to DDOS mitigation in the interim & part of long-term package
is here:

[https://news.ycombinator.com/item?id=13266108](https://news.ycombinator.com/item?id=13266108)

------
showmeevidence
Throwaway because I work in a related field.

This is a public service announcement: if you haven't seen enough information
to prove to you, independent of the claims of the White House, CIA & FBI, that
Russia was behind this, you should file a Freedom of Information Act Request
for sufficient evidence to independently reach that conclusion. Citizens of
the US in particular should do this to hold their government accountable -- we
cannot let it be accepted that because POTUS says something, and maybe has
confirmation from "anonymous sources" within the CIA & FBI (e.g. as reported
by the NYTimes[1]), that it must be true.

Muckrock[2] makes it dirt-simple to file a FOIA request. Hold the government
accountable -- they work for us.

1: [http://www.nytimes.com/2016/12/09/us/obama-russia-election-hack.html?_r=1](http://www.nytimes.com/2016/12/09/us/obama-russia-election-hack.html?_r=1)

2: [https://www.muckrock.com](https://www.muckrock.com)

~~~
jamesgblaine
While there's no harm in filing additional FOIA requests, let's also add some
deductive reasoning to the mix. Is this consistent with Russia's actions in
other countries and contexts (as well as their own)? Yes.
[http://warontherocks.com/2016/11/trolling-for-trump-how-russia-is-trying-to-destroy-our-democracy/](http://warontherocks.com/2016/11/trolling-for-trump-how-russia-is-trying-to-destroy-our-democracy/)

Have individuals close to the Kremlin strongly implied they had a role in this
and have senior Russian officials stated clearly that they had contact with
the Trump campaign during the election? Yes.
[http://www.haaretz.com/world-news/u-s-election-2016/1.752386](http://www.haaretz.com/world-news/u-s-election-2016/1.752386)

Did Russia even object today on the grounds that the allegations about their
role were false? On the contrary, they were practically doing a victory lap.

There are plenty of debates still very worth having about whether the actions
taken today are appropriate, whether a hostile stance towards Russia is
merited, etc. But I've seen enough to convince me that Russia was engaged in
an information operations campaign to cast doubt about the U.S. election and
help Trump on the margins.

~~~
showmeevidence
Russia has denied involvement with this incident in the past[1].

I would encourage considering applying the same standard that we would apply
to a trial by jury. Simply indicating that someone is a repeat offender, and
would have reason to commit an offense again, does not itself meet a standard
of evidence of actually committing that offense.

1: [http://www.politico.com/story/2016/12/kremlin-denies-putin-dnc-hacks-232686](http://www.politico.com/story/2016/12/kremlin-denies-putin-dnc-hacks-232686)

------
mundo
> But why is this so bad? Because it does not follow the intent laid out by
> the White House and confuses readers to think that this report is about
> attribution and not the intended purpose of helping network defenders.

Looking at the comments in yesterdays' thread[1], this is absolutely true -
many, many people posted some variation of "What? There's no evidence proving
Russian involvement in here at all!"

1. [https://news.ycombinator.com/item?id=13279600](https://news.ycombinator.com/item?id=13279600)

~~~
rahrahrah
That's right, I was one of those confused people. I assumed this would be the
WH presenting what evidence they have.

Sooo... still no public evidence that Russia leaked the DNC and Podesta's
e-mails?

~~~
normaljoe
Read the original CrowdStrike report. Not the government report but the
private security firm report. The government report is really just a
restatement of that report. You don't track hackers for a decade to suddenly
be wrong because of a government's political stance.

~~~
rahrahrah
No idea why you're bringing politics into this. All I said was no evidence has
been made public by the government.

~~~
ncallaway
> All I said was no evidence has been made public by the government

Except that's _explicitly_ not what you said. You said:

>still no public evidence that Russia leaked the DNC and Podesta's e-mails?

Your original claim was that there was _no public evidence_. When that claim
was challenged, you pretended your claim was about what evidence was provided
by the government.

~~~
rahrahrah
Sorry, my intention wasn't to move the goalposts, I actually misspoke the
second time. Obviously I don't care where the evidence comes from. I did mean
"no public evidence" and then the parent made it political, somehow.

I did read the RPT-APT28 report by FireEye on APT28 (all fifty-something
pages, surprise!). It did convince me that APT28 has political motivations.
What's the connection between that and DNC/Podesta? I don't know, because
there's no public evidence on that (that I know of).

------
j_m_b
Still lacking any evidence that voting machines were hacked or any part of the
electoral process was hijacked. The worst damage? Emails related to the actual
rigging of the Democrat Party primaries and the collusion of the media with
the Democrat party. It's very hard for me to believe that a state actor is
behind such seemingly altruistic actions. Voters saw the worst of Trump and
Clinton and chose the lesser of two evils. Wikileaks and "the Russians"
simply provided a level playing field.

~~~
ohwello
How on earth did a leak of DNC emails, but no corresponding RNC leak, help
people figure out the lesser of two evils or provide a level playing field?

Seems obvious that leaks assisting the pro-Putin candidate were not
altruistic.

~~~
AnthonyMouse
Assuming Clinton had those dirty secrets and Trump had nothing equivalent,
that's what a level playing field looks like.

If you want to assume there were also some dirty Trump secrets that didn't
come out then it seems like the only way to "level the playing field" would be
for e.g. Venezuela to hack the Republicans and air their dirty laundry too.

And people are running around saying how terrible this is and asking "what if
everybody did this?" But it seems like the answer to that question is, then
people would know more relevant information about their political candidates.
Or politicians would get better at computer security. Which of those is
supposed to be bad?

~~~
coolgeek
> Assuming Clinton had those dirty secrets and Trump had nothing equivalent

Those are two rather incredulous assumptions considering that:

- Clinton released all of her tax returns, whereas Trump didn't release any

- The Clinton Foundation has been audited by at least three well respected,
independent, organizations (garnering top ratings from all), whereas we know
comparatively little about the Trump Foundation (or whatever it's called), yet
it's admitted within the last six months to several inappropriate expenditures
or donations, and is likely being investigated for more

- Trump sits atop a network of literally hundreds (if not thousands) of
"independent" corporations designed solely to evade disclosure, liability,
taxes or some combination thereof

------
slitaz
So it was just spearphishing, the poor man's hacking technique.

The techniques that NSA and MI6 use are far more advanced. Taking advantage of
the networking equipment and injecting traffic.

~~~
bsder
> So it was just spearphishing, the poor man's hacking technique.

Just because someone walked in through an unlocked window does not make them
any less an effective burglar.

------
sigmar
The white house and the document itself never list attribution as the goal.
Robert M Lee seems to think because it refers to the attackers as Russia, it
is confusing readers. The summary at the beginning makes it clear to me that
the document is presupposing the attacker is Russia as to be consistent with
all future public reports.

I don't think this is the best written report, but his conjecture around
completely leaving out attribution if it doesn't include evidence seems rooted
in playing to the lowest common denominator (ie poor media coverage of what
this report entails)

~~~
Gargoyle
The timing of the release of this document, at the same time as the
announcement of sanctions on Russia for the hacking, can't be overlooked.

It's quite reasonable to assume the release of this report was intended to
create the impression of evidence for attribution, even if it actually
contains no such thing. Otherwise why not release it on any other day to avoid
confusion? It looks to me like the confusion was quite intentional.

~~~
sigmar
White House stated pretty clearly why the Grizzly Steppe report went out: "to
better help network defenders in the United States and abroad identify,
detect, and disrupt Russia’s global campaign of malicious cyber activities."

[https://www.whitehouse.gov/the-press-office/2016/12/29/fact-sheet-actions-response-russian-malicious-cyber-activity-and](https://www.whitehouse.gov/the-press-office/2016/12/29/fact-sheet-actions-response-russian-malicious-cyber-activity-and)

Attribution is sexy and the media likes to talk about it. I don't believe the
confusion was intentional. The White House is pretty bad at PR and 'never
ascribe to malice that which can be explained by incompetence'

~~~
Natsu
> The White House is pretty bad at PR

They have a press secretary whose job is, literally, to manage the media. I'm
honestly not sure if your post was intended as satire.

The meat of the report might as well have been copy pasted from OWASP. So if
it's not to provide political cover for the yet-to-be-proven claims that
Russia did it, they didn't get the message out.

------
eduren
I agree with the assessment. While parts of this official communication were
well written and intentioned, it feels like others weren't.

> at least in a vendor report you usually only get 1 page of marketing instead
> of 8

That was also my reaction when I scrolled down past page 4-5. It almost feels
like they could have split this particular report into:

1) public-and-media-facing high-level technical overview

2) actionable intelligence information for defenders

With 3) being the attribution and evidence coming at some point down the road.

------
memracom
Seems to me that the DNC had really sloppy security and that many groups could
have compromised their servers. If the government has proof that Russian
actors did so, they do not appear to have any proof that the info was used
maliciously.

The whole report, and media coverage, and statements by public officials are
so confused and confusing that they are useless in regards to security.

I have to compare this to the FDA's HIPAA regulations which mostly are just
instructions on how to correctly secure servers and applications. However, I
wish that HIPAA did not have these regs in it because they are susceptible to
falling out of date.

Rather, I think the public would be better served by an official security
standard that can be updated weekly with new advice and requirements. Then an
org like the FDA can have one regulation covering security that says something
like "all systems must be secured according to Federal Infosec Guidelines
level B3 or higher". The specifics of what B3 might mean and higher levels of
securing servers and apps, can be in a single document that would, I am sure,
become a core part of the curriculum for developers and system administrators.

Moaning and whining about water under the bridge is a waste of energy and of
public funds. This is a fixable problem if only someone in leadership is
willing to act. Not grandstand or apportion blame, but act to improve
infosecurity for everyone.

A well drafted set of infosec guidelines by industry experts along with a
process for keeping it up to date will have incredible multiplier effects
throughout industry as well as government, because it makes it much easier for
management to order that things be secured, and it makes it much easier to get
a consultant to validate that the guidelines have been correctly implemented.

~~~
equalunique
Such federal standards have existed for decades now. Have you heard of the
NIST Special Publication 800 series? They are quite comprehensive, although
prohibitively complex for smaller agencies to implement stand-alone.

------
yarou
Has Schneier written anything on this report?

I will say this; the Podesta emails revealed a lot about the internal politics
of the DNC. Why are we not treating this type of leak with the same level of
respect as the Ellsberg leaks? Or for that matter, the Snowden leaks? Who is
really controlling the narrative here?

~~~
firasd
What was the public interest in his lobster recipe? Or creating a paranoid
frenzy that got shots fired at a Pizza place?

Randomly dumping personal emails isn't the same as Ellsberg and Snowden
working with reporters to blow the whistle on specific transgressions in war
and mass surveillance.

Interesting article exploring this issue of exercising discretion and
developing new ethics in the age of leaks:
[http://www.nytimes.com/2016/11/05/opinion/what-were-missing-while-we-obsess-over-john-podestas-email.html](http://www.nytimes.com/2016/11/05/opinion/what-were-missing-while-we-obsess-over-john-podestas-email.html)

~~~
yarou
Obviously the pizzagate stuff is stupid and unfounded. It does a great
disservice to people that were victims of real sexual abuse.

But can't you see the vast amount of corruption? The DNC rigged the primary
for one candidate. We need to hold our political parties accountable for their
actions.

~~~
mullingitover
They preferred a candidate, but 'rigging' implies fraudulently manipulating
the votes, which didn't happen.

I'd like to see the RNC's emails now. What kind of dirt do the republicans
have? Is it not being released because it's being used to blackmail them?

~~~
wavefunction
Rigging doesn't specifically mean manipulating votes. It means taking what is
presumably an open and fair contest and taking some actions to ensure it
isn't.

The big things that came out of the leaks for me is the explicit and cosy
relationship with specific members of the media who were instructed to produce
and disseminate certain messaging against Bernie Sanders.

They also asked those "media resources" to prop up Trump, Cruz and Carson
because they naively believed that Trump would be a push-over, for example.

