Thursday, March 31, 2011

All Reading Is Not Equal or Fast

Four years ago I posted Reading Tips, where I offered some ideas on how to read technical books.

Recently I've received emails and questions via Twitter on the same subject.

In this post I'd like to offer another perspective. Here I will introduce different "types of reading." In other words, I don't see all reading as equal, and what some people might call "reading," I don't consider to be reading at all!

After reading this post you may find you can adopt one or more (or really all) methods in your own knowledge journey.

The key to this post is to recognize that different types of reading exist, and you have to decide how you are going to approach a book, article, or other printed resource.

My list follows.

  • Proofreading is a very intense activity where the reader scrutinizes every aspect of a book. The reader pays attention to technical accuracy, grammar, production value (quality of screen captures, etc.) and all other customer-facing elements. This is usually a paid activity because it can be very demanding and time-consuming!

    I doubt most people find themselves in this situation, but I have been hired in the past to do this sort of work.

  • Reading for correctness is a subset of proofreading where the reader focuses on the accuracy of the written material.

    For example, is the author correct when he says the TCP three way handshake (TWH) is SYN ACK -> SYN ACK -> ACK? Wrong! (True story.) Here the reader is trying to see if the author knows what he is talking about. I usually enter this mode when I smell blood in the water. In other words, when I encountered the wrong TWH in a book years ago, I continued hunting errors until I was mentally exhausted.

    This is an unpleasant form of reading reserved for error-prone books. Once an author proves he or she knows the material I usually don't enter this mode. I only read for correctness as preparation to write a book review of a technically inaccurate book.

  • Memorization is another intense reading form, usually reserved for academic classes. If you've had to study for a biology test, you've probably read for memorization purposes. If reading for memorization, I will likely heavily mark the text and create independent, supplementary materials like flash cards. Yes, on real index cards! The act of writing the material helps activate other areas of the brain to memorize information.

    Thankfully I haven't had to do this sort of reading in years, or at least not regularly. I have had to memorize information for amateur radio license tests, and I like creating flash cards for that information.

  • Reading for learning is one of my common modes. With this approach I mark up a text (generally underlining or bracketing key terms and sections) and add comments or questions in margins.

    You might think the previous (and possibly the subsequent) reading modes are all about learning too, but simple learning for me is a more relaxed endeavor compared to memorization or correctness.

    The goal of learning is to be able to remember a subject, preferably well enough to at least describe it (but not teach it) to a third party.

    Reading for learning is as fast as you are able to absorb material.

  • Reading for practice is closely related to learning, but it involves material that has an operational aspect. For example, reading a programming book for practice, for me, involves trying the code examples, and even better trying the sample exercises.

    Practice is a more active form compared to learning. With learning I might be able to explain a pointer, but with practice I could write a program using one.

    Due to the hands-on manner, this is a slow form of reading.

  • Reading for familiarization is another one of my more common reading forms. Here I am just trying to understand the author without necessarily planning to implement his or her concepts in real life. For example, I plan to read a book on Windows internals in April, but I do not plan to become a Windows kernel programmer.

    Reading for familiarization is probably the fastest way to read a technical book and still derive value from it. I may or may not mark up a book for familiarization purposes.

  • Reading for reference starts to enter the gray area of possible "fake reading." If you only read a few sections or chapters of a book, have you really "read it?" For example, I've relied on the massive book Unix Power Tools, but because I've only referenced parts of it, I've never formally reviewed it.

    In my opinion, unless you heavily reference a book over time, you're not really reading at the level the warrants a review.

  • Sampling is not reading. Top Amazon book reviewer frauds, this means you. Looking at the front cover, back cover, index, table of contents, and a few sample pages doesn't make you qualified to write a book review. The sorts of people who write more than a few book reviews per day are the fakers who consider "sampling" to be "reading."

  • Reading for entertainment is not generally an approach I take with technical books! Sure, I enjoy them, but it's not like reading a classic fiction book. When reading a nontechnical work, I tend to devour pages. I'm not sure if that's good or bad, but it's exceptionally fast since the emotional component engages additional brain components that would allow me to later describe the content should I wish to do so.


How does reading for reviews fit in? In my view, as long as you're not "sampling" or reading for reference, any of the methods above qualify for writing a review. I suggest adding one component to your reading process to assist with review writing: keep a separate notebook and take notes as you read. Be very specific, e.g., "p 121 had this quote... etc." The more notes you take, the easier your review will be to write.

So what does this mean if you want to know "how does Bejtlich read so many books?" The answer is to decide just how you want to read a book. When I read a book on C or Windows Internals in April, I will likely be reading for familiarization. I don't plan to be a C coder or Windows developer, but I do want to be conversant in certain topics. If I get really motivated I will turn to my PC and try some examples. (In fact, I'll probably do that for a book on coding for Windows, since I've never done that before.)

What this means is that I, reading for familiarization, will probably read faster than someone else reading for practice, or memorization, or another time-consuming purpose. It all depends on your goal! On another day I may be reading for practice because I really want to know more about a topic, and then I'll be slower and more engaged.

Incidentally, the more you read, the faster you will likely become. I don't think improving your reading is limited to children, either (although my daughters are pretty scary in terms of speed).

Don't overdo it though. I would not be surprised to learn that chemical reactions are involved with reading, especially the more intense learning modes. In some cases I can feel my ability to absorb material shutting down, and at that point there is really no reason to continue. Take a break.

I also advise against reading in bed, although this is a truly personal opinion. For some people, it works great. I don't make it past five minutes!

If you have questions on this post, please comment here. I have to moderate everything so it may take me a while to notice them. Thank you.

Review of Hacking Exposed: Web Applications, 3rd Ed

Amazon.com just published my four star review of Hacking Exposed: Web Applications, 3rd Ed by Joel Scambray, Vincient Liu, and Caleb Sima. From the review:

This is the third Hacking Exposed: Web Applications (HE:WA) book I've reviewed, having reviewed the second edition in 2006 and the first edition in 2002. While I gave the earlier editions each five stars, I don't think HE:WA3E quite meets my expectations of a five star web application security book -- at least not one bearing the Hacking Exposed (HE) series name.

In my opinion, the winning formula for a good HE book was set by the first in the series, back in 1999: 1) explain a technology of interest; 2) show exactly how to exploit it; 3) recommend countermeasures. For me, these three steps MUST be followed, and any book with HE in the title that fails to follow this recipe is likely to fall flat. The reason I like this approach is simple; in many cases, defenders first encounter a new technology only after a researcher or intruder has broken it! In other words, the offensive side is usually far ahead of the defensive side, because offenders often specialize in a promising new area and pursue it relentlessly until they break it. Good HE books help redress this imbalance by getting the defender up to speed on a new technology, showing how to break it, and then suggesting defensive measures.


Review of iOS Forensic Analysis Posted

Amazon.com just posted my three star review of iOS Forensic Analysis by Sean Morrissey. From the review:

I've read many forensics books over the last decade and written one as well. I believe that iOS Forensic Analysis (IFA) offers some useful information, but the manner in which the author presents it is not as effective as it could be. If the author were to write a second edition that structures the material in the way I recommend, I believe it would merit a four or five star review.

Review of Computer Incident Response and Product Security Posted

Amazon.com just published my three star review of Computer Incident Response and Product Security by Damir Rajnovic. From the review:

When I first learned that Cisco Press was publishing a book about product security (Computer Incident Response and Product Security, or CIRAPS), I was excited to see what they might create. Cisco's Product Security Incident Response Team (PSIRT) is one of the best in the industry, with a long history and mature processes. Furthermore, no published book currently provides extensive coverage for companies trying to design, build, and run their own PSIRT. Rather than focusing on this topic and thoroughly examining it, however, CIRAPS spends only 100 pages out of a 215 page book talking about PSIRT issues. While there are parts of CIRAPS that I found interesting, I don't think they justify reading the whole book.

Review of pfSense: The Definitive Guide Posted

Amazon.com just posted my five star review of pfSense: The Definitive Guide by Christopher M. Buechler and Jim Pingle and published by Reed Media. From the review:

I have to admit that pfSense: The Definitive Guide (pTDG) caught me off guard. I expected the book to mainly discuss installing and using the pfSense firewall appliance, which would have been enough for me to enjoy the book. However, I was pleased to see coverage of many issues related to network security and firewall design and operation. For me, these features elevated the entire book to five star status. If you're interested in learning how pfSense can help your organization, and what it means to deploy firewalls, pTDG is the right book.

Mini-Review of The Book of Pf Posted

Because I wrote a three star review of the first edition of The Book of Pf by Peter N.M. Hansteen, Amazon.com won't allow me to write a review of the second edition. So, I added the following comment to my old review indicating that I think the second edition deserves four out of five stars:

Amazon won't allow me to write a review of the second edition of this book, so I'm adding this comment. I'm pleased to say that I believe the author accepted much of the feedback in my first review as well as feedback from other reviewers. He's improved the book so much that I think it warrants 4 out of 5 stars. He spends more time explaining key concepts rather than simply including them in the text. For example, the author introduces features like macros (p 18) whereas in the first edition he just started using them. The book is also fairly up-to-date, with coverage of OpenBSD 4.8, FreeBSD 8.1, and NetBSD 5.0. Reading how to use Pf on all three platforms was very helpful. One request for a future edition is to include more "tips and tricks" that an experienced firewall administrator is sure to have. For example, when working remotely on a firewall ruleset, what methods does the author use to test configurations and ensure that if he makes a mistake he isn't locked out of the system? Finally, I think this book is a fine companion to PfSense: The Definitive Guide by Buechler and Pingle.

Friday, March 25, 2011

Review of Kingpin Posted

Amazon.com just posted my four star review of Kingpin by Kevin Poulsen. I read this book by checking it out of my library! From the review:

I've read and reviewed almost all of the non-fiction computer crime and espionage books written since the 1980s. Kingpin by Kevin Poulsen is one of my favorites. I will recommend this book to fellow digital security professionals and those who would like insights into our world. Kingpin's coverage of Max Ray Butler's (MRB) constant entanglement with the dark side is a lesson for anyone contemplating using their skills for evil.

On a related note, in late 2007 I posted Max Ray Butler in Trouble Again and followed that in 2010 with Max Ray Butler Sentenced (Again).

Thursday, March 24, 2011

Report on Declarations of War

Similar to my post Report on Instances of US Forces Abroad, I again thank Steven Aftergood for his post No-Fly Zones: Considerations for Congress. He points to a new report titled Declarations of War and Authorizations for the Use of Military Force: Historical Background and Legal Implications (.pdf). This is a good resource for those trying to determine what is war, what isn't war, and what happens in each situation. From the report summary:

From the Washington Administration to the present, Congress and the President have enacted 11 separate formal declarations of war against foreign nations in five different wars. Each declaration has been preceded by a presidential request either in writing or in person before a joint session of Congress. The reasons cited in justification for the requests have included armed attacks on United States territory or its citizens and threats to United States rights or interests as a
sovereign nation.


Congress and the President have also enacted authorizations for the use of force rather than formal declarations of war. Such measures have generally authorized the use of force against either a named country or unnamed hostile nations in a given region. In most cases, the President has requested the authority, but Congress has sometimes given the President less than what he asked for.

Not all authorizations for the use of force have resulted in actual combat. Both declarations and authorizations require the signature of the President in order to become law. In contrast to an authorization, a declaration of war in itself creates a state of war under international law and legitimates the killing of enemy combatants, the seizure of enemy property, and the apprehension of enemy aliens.

While a formal declaration was once deemed a necessary legal prerequisite to war and was thought to terminate diplomatic and commercial relations and most treaties between the combatants, declarations have fallen into disuse since World War II.

The laws of war, such as the Hague and Geneva Conventions, apply to circumstances of armed conflict whether or not a formal declaration or authorization was issued. With respect to domestic law, a declaration of war automatically triggers many standby statutory authorities conferring special powers on the President with respect to the military, foreign trade, transportation, communications, manufacturing, alien enemies, etc. In contrast, no standby authorities appear to be triggered automatically by an authorization for the use of force, although the executive branch has argued, with varying success, that the authorization to use force in response to the terrorist attacks of 2001 provided a statutory exception to certain statutory prohibitions.

Most statutory standby authorities do not expressly require a declaration of war to be actualized but can be triggered by a declaration of national emergency or simply by the existence of a state of war; however, courts have sometimes construed the word “war” in a statute as implying a formal declaration, leading Congress to enact clarifying amendments in two cases.

Declarations of war and authorizations for the use of force waive the time limitations otherwise applicable to the use of force imposed by the War Powers Resolution.

This report provides historical background on the enactment of declarations of war and authorizations for the use of force and analyzes their legal effects under international and domestic law. It also sets forth their texts in two appendices.

The report includes an extensive listing and summary of statutes that are triggered by a declaration of war, a declaration of national emergency, and/or the existence of a state of war. The report concludes with a summary of the congressional procedures applicable to the enactment of a declaration of war or authorization for the use of force and to measures under the War Powers Resolution.



Friday, March 18, 2011

Requesting Comments on Open Information Security Foundation

Thank you to anyone who voted for me to join the board of the Open Information Security Foundation. They are most famous for their Suricata intrusion detection engine, but I expect additional outputs as time passes. I appreciate those of you who supported my goal to join their board. I will try to provide fair and useful input to the project.

I believe we will have our first board phone call next week. Are there any issues you would like me to raise, or consider for future meetings?

I am personally interested in OISF because I think they bring a level of enthusiasm, openness, and innovation to the open source network security monitoring space, alongside tools like Bro and Snort and others I mentioned in my January post Seven Cool Open Source Projects for Defenders.

OISF is also a US nonprofit, a 501c(3) group, so I like the idea of helping that sort of organization.

Thursday, March 17, 2011

Initial Thoughts on RSA "APT" Announcement

Today RSA's Art Coviello announced the following:

Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA...

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT).

Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products.

While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack...


This is one of the problems with debates over terminology. If we all accepted the actual definition of APT as created by the Air Force in 2006, we would know what Mr Coviello is describing. Without that clarity we're left wondering if he means any threat on the planet that he and RSA choose to describe as "APT."

Without knowing anything more than what is printed in the RSA announcement, I can offer the following opinion. It is not outside the realm of APT methodology and targeting to attack RSA in order to access internal details on their authentication technology. We know APT actors have attacked other technology companies to steal their intellectual property, ranging from software to algorithms to private keys, all to better infiltrate other targets.

As I Tweeted on March 10th, it's public knowledge that validated APT actors have targeted public key infrastructure for several years. Besides PKI, enterprises of all types rely heavily on two-factor systems such as those created by RSA. Stealing technology and examining it for weaknesses, or identifying ways to exploit the supply chain, or otherwise gain an advantage over RSA users are all valid APT interests.

Hopefully we will learn more about this issue as time passes.

Bejtlich Joining MANDIANT as CSO and Security Services Architect

In June 2007 I posted that I was joining General Electric as Director of Incident Response. Since then I helped build and lead GE-CIRT from an "army of one" into a team of 40 analysts. It was an honor and a privilege to work with my team, but today I am announcing that I've accepted a new challenge.

Effective 1 April I will be Chief Security Officer and Security Services Architect for MANDIANT, where I will build teams, tools, and capabilities to provide managed detection and response services. You can read the press release at the MANDIANT Web site or Businesswire if you're so inclined, as well as a MANDIANT blog post.

I am really looking forward to this new opportunity. I worked for Kevin Mandia in 2002-2004 with Foundstone and for Travis Reese in 2004-2005 at ManTech International Corp.'s CFIA division. When I left ManTech to concentrate 100% on TaoSecurity, the first consulting I did was for Red Cliff, the precursor to MANDIANT. I also know many current members of the MANDIANT team from those three roles and subsequent relationships.

I believe in MANDIANT's mission and vision, which is important to me. While I enjoyed defending one enterprise with my old team, at MANDIANT I will be able to assist multiple organizations. As a member of the MANDIANT executive team I will also help set the direction for the company and will be able to work with the product, consulting, training, and managed services groups.

While many of you are familiar with MANDIANT's famous incident response consulting force, you may not be aware that the company continues to build a managed services team to provide dedicated, long-term detection and response options. By the end of the second quarter I expect my colleagues and I in the security services group to be announcing new job opportunities for those who enjoy hunting digital intruders. MANDIANT is already hiring aggressively for security talent, so keep your eyes on the job site for more information.

As you might expect, I plan to continue writing TaoSecurity Blog and sending TaoSecurity Tweets. I will still provide training such as TCP/IP Weapons School, but I expect to keep the same low number of classes as was the case with my previous employer. Currently I will be teaching at GTEC in DC on 31 May - 1 June, and then at Black Hat USA 30-31 July and again on 1-2 August. Two classes for USENIX this summer are still in coordination.

I enjoyed interacting with all of you over the last four years wearing my old hat, and I look forward to staying in touch via social media and at conferences in my new role! Thank you.

Wednesday, March 16, 2011

Report on Instances of US Forces Abroad

Thanks to Steven Aftergood's post Instances of US Forces Abroad I learned of a new Congressional Research Service report of the same name -- Instances of Use of United States Armed Forces Abroad, 1798-2010 (pdf). From the introduction:

Eleven times in its history the U.S. has formally declared war against foreign nations. These eleven U.S. war declarations encompassed five separate wars: the war with Great Britain declared in 1812; the war with Mexico declared in 1846; the war with Spain declared in 1898; the First World War, during which the U.S. declared war with Germany and with Austria-Hungary during 1917; and World War II, during which the U.S. declared war against Japan, Germany, and Italy in 1941, and against Bulgaria, Hungary, and Rumania in 1942.

Some of the instances were extended military engagements that might be considered undeclared wars. These include the Undeclared Naval War with France from 1798 to 1800; the First Barbary War from 1801 to 1805; the Second Barbary War of 1815; the Korean War of 1950-1953; the Vietnam War from 1964 to 1973; the Persian Gulf War of 1991; global actions against foreign terrorists after the September 11, 2001, attacks on the United States; and the war with Iraq in 2003. With the exception of the Korean War, all of these conflicts received Congressional authorization in some form short of a formal declaration of war. Other, more recent instances often involve deployment of U.S. military forces as part of a multinational operation associated with NATO or the United Nations.

The majority of the instances listed prior to World War II were brief Marine or Navy actions to protect U.S. citizens or promote U.S. interests. A number were actions against pirates or bandits. Covert actions, disaster relief, and routine alliance stationing and training exercises are not included here, nor are the Civil and Revolutionary Wars and the continual use of U.S. military units in the exploration, settlement, and pacification of the western part of the United States.


The report includes 28 pages (!) summarizing over 200 years of US military activities on foreign soil. It's quite a read. For example, the first entry for China reads:

1843: China. Sailors and marines from the St. Louis were landed after a clash between Americans and Chinese at the trading post in Canton.

The first entry for Russia is:

1818: Oregon. The U.S.S. Ontario, dispatched from Washington, landed at the Columbia River and in August took possession of Oregon territory. Britain had conceded sovereignty but Russia and Spain asserted claims to the area.

This is a good resource for military historians.

Wednesday, March 09, 2011

Bejtlich Teaching Special Session of TCP/IP Weapons School at GTEC DC

Through a custom arrangement with Black Hat I am pleased to announce that I will teach a special session of TCP/IP Weapons School 3.0 at the Government Technology Expo & Conference (GTEC) on Tuesday 31 May and Wednesday 1 June 2011 in Washington, DC.

The conference organizers set the price for my class at $2200. I am not sure if the price increases as we get closer to the class date. This is a good opportunity for people in the DC area to attend my TWS 3 class without having to pay for travel to Las Vegas, where I will teach two sessions of TWS 3 at Black Hat USA this summer. I recommend registering soon because I expect this class to fill quickly due to the DC location.

Please let me know if you have any questions by posting a comment or sending email to training [at] taosecurity [dot] com. Thank you.

Monday, March 07, 2011

Experts Talk US-China Security Issues, Part 2

Several weeks ago I attended an outstanding one day conference by the Jamestown Foundation titled China Defense & Security 2011. The conference consisted of a series of speakers discussing various aspects of US-China national defense and security.

Only one speaker concentrated on digital (or "cyber," love that word) items. The rest dealt with a wide range of topics.

I took several pages of notes that I thought my benefit those not in attendance. I did not take notes on the one session that was considered "off the record."

In this post I will summarize my second page of notes.

Please see Experts Talk US-China Security Issues, Part 1 if you want to see what I discussed prior to this post.


  • Tai Ming Chung discussed Chinese innovation, specifically the nation's maturation from "imitation to innovation," specifically "architectural defense innovations." He described three models present in China:

    • Techno-nationalist "strategic mobilization," such as the Chinese lunar landing program

    • "Shanzhai," or "guerilla innovation," in the form of pirating/copying and reverse engineering

    • "Collaborative modularity," meaning the "absorption" and integration of foreign technology in joint ventures with the West



  • James Mulvenon was the resident digital security expert. I knew him from another China-centric forum I try to attend. He is really sharp and was incidentally the most entertaining speaker. Mr Mulvenon noted the Chinese and Russians are comfortable using digital means to exploit US weaknesses, while relying on plausible deniability to shield their activities. In contrast, the US can't even begin to have a public conversation about offensive digital activities.

    The Chinese see digital attacks differently than US planners. Chinese military planners saw one of the weaknesses of Saddam Hussein's "defense" of Iraq in the first Gulf War as his reluctance to strike US forces during their six month build-up in the desert. Chinese planners instead plan to deny and degrade US capabilities by attacking logistics trains prior to actual physical combat. Chinese planners also see "cyber" as a "bolt out of the blue" attack, on its own, and not as a "force multiplier" as US planners do.

    The Chinese sometimes launch attacks with hop points within the US so as to confuse US incident responders and to rely on US law to frustrate investigations.

    Mr Mulvenon advised attendees (some of whom wore uniforms of US and allied countries) to "look beyond the intrusion set." He said to play the Chinese "long game," which focuses on attacks against the US supply chain. Assume the adversary is already in our "core networks" and plans to stay. Disregard promises by Chinese vendors to allow inspection of their hardware. The Chinese will "ship clean" and then introduce malicious software via upgrades, maintenance, and other post-buy actions.

    Beyond the supply chain problem, Mr Mulvenon described a "longer game" whereby the Chinese seek to minimize US influence over Internet governance. They want to shift decision making from largely private bodies to government-controlled ones, i.e., from ICANN to the UN ITU. The Chinese want to remove inputs from non-governmental players and transition to a state-centric influence model where China excels at buying national votes.

    Unlike the US, China is executing a "coordinated national strategy" to achieve its ends.

    I found this comment very interesting: There is a huge disconnect between cleared and uncleared data sources on the Chinese military. In other words, if you're on the "outside," you're likely in the dark! This is dangerous for policymakers who rely on uncleared advisors.

  • Dean Cheng explained China's goal to become a "full space power." He started by discussing the Chinese idea of deterrence, which is not just disuasion (the US view) but also coercion by imposing a cost-benefit decision upon the adversary. China recognizes that information dominance requires space dominance, and it must hold at risk what the US values while challenging the US' ability to operate as it sees fit.

    Mr Cheng wondered how well the PLA executes on its strategy compared to its writings, especially since the Chinese military hasn't fought a shooting war since 1979.

    Mr Cheng noted the Chinese are becoming more vulnerable in space (like the US) as the transition from regional power projection to expeditionary and global power projection. James Mulvenon interjected that he doesn't think the Chinese recognize how vulnerable they are becoming.

  • Kurt Campbell explained how the US hosted Chinese military visitors in the 1996-1998 timeframe. US officials took a "Texas approach," basically showing how powerful the US military was. Initially the Chinese reacted with shock and awe, then as they finished each visit the US delegates could sense the Chinese had decided to respond by growing their own might. In other words, by saying "look how powerful we are; don't mess with us," the US had convinced the Chinese it was time to strengthen the PLA.

    China tends to rely more on hiding its strengths and shielding capabilities, following an "unpredictability" strategy. The PLA says "you don't know how strong we are" until they feel ready to provide a show of force, like destroying a satellite or testing a stealth fighter. Mr Campbell emphasized the need for "agreed areas of predictability" rather than "trust-building."

  • Dennis Blasko discussed the PLA. He described how "20-30%" of PLA training time is occupied by "political education." Crucially, 40% of a recruit's training time is spent listening to political education! (What a waste; good for us, bad for them.) In a nod to the Soviet model, Chinese units have two commanders; a military leader, and a "political commissar." The PLA also hosts a "uniformed civilian cadre" that sounds like a cross between US reservists and government civilians.

  • Ken Allen described the PLA Air Force. They operate decent technology but their people, culture, training, and operations are weak. For example, they rely on O-6s and O-5s to serve as air traffic controllers -- jobs done by enlisted people in the US. The PLAAF operates over 100 "air force academies." ("But none so fair that they can compare to the Air Academy." Sorry, my brainwashing came through. Yes, I know it's a stolen Army jody.)


A few other people spoke, but the notes I summarized here and in my previous post captured the most compelling comments I heard.

Experts Talk US-China Security Issues, Part 1

Several weeks ago I attended an outstanding one day conference by the Jamestown Foundation titled China Defense & Security 2011. The conference consisted of a series of speakers discussing various aspects of US-China national defense and security.

Only one speaker concentrated on digital (or "cyber," love that word) items. The rest dealt with a wide range of topics.

I took two pages of notes that I thought my benefit those not in attendance. I did not take notes on the one session that was considered "off the record."

In this post I will summarize one page of notes.

For the second page please see Experts Talk US-China Security Issues, Part 2.

  • Arthur Waldron cited three ways to view events in China: 1) nothing new is happening; 2) something is happening, but if we had an "expert" in the White House we would be able to deal with it better; or 3) something is happening, but because we're not sure exactly what, it doesn't matter who is in charge. Mr Waldron advocated option 3. He emphasized that China sees itself as "country #1. China has no concept of 'equal states.'" When talking with Chinese leaders one will hear them mention "those little countries" like Indonesia (population 230 million)! China likes to use "disciplinary action" with its neighbors, and usually creates "an environment" for action with "statements, complaints, etc., followed by instantaneously decisive force." In fact, China has a "highly optimistic view of using force," meaning they act when they believe victory is guaranteed.

  • Willy Lam noted China saw the global economic crisis as "a strategic window of opportunity" to assert Chinese values and power. He cited a number of Chinese leaders and thinkers.

    • Yuan Peng says "China wants to change the rules of the game" of global interactions.

    • Liu Jiahua says "As America shrinks, China expands." The US increasingly needs China as the US' ability to "contain" China decreases.

    • Dai Bingguo says China must "maintain socialism, national security, government and territorial integrity, and sustain economic and social development."

    • Han Xudong recommends only "advertising" national interests and capabilities as the Chinese military develops their ability to defend them.

    • General Yang Yi sees a "zero sum game in the military sphere." This helps explain why the Chinese see no value in military-to-military relationships with the West.


    Xi Jinping (the next president) has closer ties to the PLA than his predecessors. The PLA, in fact, is the power base of the "Gang of Princelings" gaining power in China. Mr Lam worried that Chinese development interests remind him of pre-war Germany's "lebensraum," with Chinese interests stated as ranging from the South China Sea to the Yellow Sea, and even into outer space (i.e., mineral development on other planets.) Mr Lam also noted China's tendency to play countries and regions against each other (e.g., the US vs the EU), to pit companies against each other (e.g., Boeing vs Airbus), and increasing use of "rare earth diplomacy" (e.g., with Japan) in order to get its way. Mr Lam dismissed notions that President Hu was ignorant of the J-20 stealth fighter test, partly because he is one of the 12 members of China's Central Military Commission.

  • Michael Green discussed international relations. China has been surprised in 2010 to learn that "Asia has an appetite for a balance of power." Mr Green said 2010 was the "worst year in Chinese diplomacy since 1989." In fact, Japan started the year with its new government trying to cozy up to China, only to end the end closer to the US after numerous debacles. South Korea was similarly upset after China failed to condemn North Korea's shelling of Southern territory and killing of Southern citizens. The ASEAN forum transformed from an exceptionally boring event (minus the dress-ups and skits) to a complaint shop against China. Even outside Asia, China is seen as dangerous: more Europeans than Americans feel threatened!

    Mr Green is worried about the rise of the PLA. He said it operates without oversight, very differently than the US military. Chinese civilian leaders don't see what the Chinese military does at sea or in the air. Mr Green concluded by noting Asia's growing trade dependency on China and security dependence on the United States. He recommend a rebalancing act led by US-Asia trade.

  • Shuai Hua-Ming, Legislator, Foreign Affairs and Defense Committee, Republic of China (Taiwan) could not get his .pdf slide presentation to work. It kept crashing Acrobat 9 on Windows XP. Yes, you know what I'm thinking. On the policy front, he advocated the US holding the Chinese government accountable for PLA actions. He was not optimistic about US-Chinese military discussions, calling them a "secondary tool."


In my next post I'll summarize my second page of notes.

Review of Cyber Attacks Posted

Amazon.com just posted my three star review of Cyber Attacks by Edward Amoroso. From the review:

Writing a book isn't easy, especially when you're trying to develop a framework and solutions that apply to a topic as vast as protecting national infrastructure. I applaud Dr Amoroso's efforts in Cyber Attacks, but I fear he is solving yesterday's problems with yesterday's answers. This book might have been more relevant in 2006 when one could have plausibly pointed to botnets as "clearly the most important security issue on the Internet today" as Dr Amoroso oddly says on p 12. Unfortunately for readers, Cyber Attacks does not have the perspective needed to provide workable solutions to modern problems.

Saturday, March 05, 2011

Bejtlich Teaching Two Sessions at Black Hat USA 2011

In January I taught the first TCP/IP Weapons School 3.0 class at Black Hat DC 2011. This is a completely new class written from the ground up. I'm very pleased with how it has developed and the students enjoyed the new content. For example, one of the feedback comments was the following:

"I felt that the pace and level of difficulty was well managed, and the defense-then-offense aspect was a great way to learn!"

I'm happy to announce that registration for TCP/IP Weapons School 3.0 at Black Hat USA 2011 is now open. I will teach two sessions, on 30-31 July and 1-2 August in Las Vegas.

Black Hat has four remaining price points and deadlines for registration.

  • Early ends 30 April

  • Regular ends 15 June

  • Late ends 29 July

  • Onsite starts at the conference


Seats are filling -- it pays to register early!

While keeping the distinctions from other offerings that I described last year, I've extended this third version of the class to include explicit offensive and defensive portions. Students will receive two VMs, one running a modified version of Doug Burks' SecurityOnion distro as an attack/monitor platform, and the second running a Windows workstation as a victim platform.

The purpose of this class is to develop the investigative mindset needed by digital security professionals. Junior- to intermediate-level security and information technology (IT) staff are the intended audience. The class is a balance of discussion and hands-on labs.

Defensive aspects of the labs emphasize how to discover suspicious and malicious activity in network and log evidence. Offensive aspects of the labs offer the student a chance to do the same sorts of actions that caused the suspicious and malicious activity in the labs. I encourage students to keep an open mind and feel free to expand their interaction with the labs beyond the required material. Take advantage of this time away from the office to enjoy defensive and offensive aspects of the digital security arena!

I do not have any other classes scheduled, although my training page lists a few other possibilities.