The real purpose.

August 14, 2008

So I was pondering the content I have posted here and thought back to the original reason for why I wanted this blog.  It was about hacking the constructs of security itself, not the actual tools, and methods for how people hack.  I want to use this site as a thought incubator and (Patent idea – preestablisher).  This content will be more or less an evolving stream of conciousness on some of the things I have been evaluating of late.

Infowar Construct Meme #1 – TAR and FEATHER results in digital mob effects

Why in the hell do you hear alot about what attack tools do against vulnerabilities and what the effects were in real world situations, and you always here about the “Authorities”  that are on the “case”, but you NEVER see the bad actors actually SPLASHed in the global media conciousness.  Ok so it think its already preestablished that you can use technology and code to pretty much do anything you want.  So there goes any time of theory about how LEET you are because you developed some kick ass piece of code.  Back in the day, hacking for reputation and props was the modus operandi. 

Now with cyberespinage and cybercrime we need to reconsider the concept of NOT identifying the perpertrators and start to SERIOUSLY expose every part of them, their lives, their networks, and their belongings to EXTREME scrutiny.  With Internet mob effects, there would rapidly result in a large drop in activity or at least drive it underground more, or deter their actions in to more legitmiate activities, or spend their resources protecting themselves more vs doing bad things.  

This is a thought exercise in the concept of using extreme justice (Namely Total personal privacy exposure of the attacker on a global “read Internet” scale) in order to advance the deterrent effect.  Attackers are people too, they live places, the use technology, they have friends and family, they have jobs, they need to eat, they need to learn and go to school, they have reputations, and they have Bank accounts, and credit records. It is highly unlikely that these people would enjoy having their lives ripped apart through identity theft and other actions. 

In the old days if you did antisocial behaviors you where ostricized, discriminated against, and pilloried in the community.  We need to establish a series of digital actions that can be leveraged against targets that are known bad actors.  And I am not talking about giving then F#$ing book deals, movie deals, intel or computer security jobs.  I am talking about a series of digital and real world actions similiar in the vein of how a penetration tester will perform target recon on a organization, its systems, processes and people.  But this will be in the context of personal destruction from a digital, reputation and real world side of things.

I guess an example of things would start like this.  Identification of the real name, address, social security or national id number, identification of digitial identifiers, such as email, IM, social network and user accounts, where they work, what they do, what they own, how much money they have, where they conduct business, digital images of where they live, their health records, their credit records, they military histories, job histories. 

Every single thing that “Personalizes a target“  This information is gleaned from a billion data sources and real world actions and exposed, dosseier style on the open web.  Along with it are the proven actions that they have done, to who, and how long they where involved in that activity.  This is called target intelligence except its done in the open forum of the Web, reachable by everyone and providing a very real and unwanted look in to the personal lives of the attacker.   Not to many people can stand this kind of scrutiny without seriously reconsidering their future actions.

THESE ACTIONS if levyed against anyone will support a very very very Real detterent affect which is the entire point. There are no detterants to current cybercrime/espinonage at the moment that would put a real dent in the problem. This is a step in the right direction. 

Targets would need to be selected carefully such as the most prolific spammers, phishers, identity theives, industrial espionage, paedophiles, bot herders, denial of service attackers, and ransomware users.  Its blatently obvious that digital attacks are not see or treated like real crimes and you could reference a whole host of bullshit penalties from some of the most egregious sitations.  Many individuals and companies never report their incidents for a number of reasons.  This is a serious inequity of justice that is out of balance due to victims not being empowered to strike back at their attackers. and even being legally prevented from doing so. 

The fallacy here is that legally you can’t do “BAD things to BAD people, even though they deserve it”  which will be a second or third stage area of research after researching another vexing problem.  Target identification through attack attribution.  Atribution is one of the hardest research problems there is due to the advanced ways of cloaking your identity and actions via anonymity software, proxies, multihops, encryption, and obfuscation. 

Researchers who discover flaws, and developers who write code are irrelevant, these things are just considered tools, like a real world gun is,  CYBER activity should be evaluated on what you do with the tools, what your intentions are, and what the actual effects where.  This is the equation that should be used in determining the level of digital retribution

This is a RAW concept, not fully refined and should be taken as such and used as a starting point for further research and possible tool development.  This can be lumped onto social network research currently used in Law enforcement/Intel against organized crime, white collar crime, and terrorist organizations.