So InfoSec Really Does Boil Down to Mossad/Not Mossad…
I just came across this insane story where the Lebanese Islamist political party and paramilitary suffered a wide-scale attack in which the pagers its members used to resist Israeli infiltration literally blew up.
We don't know how it works yet, nor who's responsible, but given the current geopolitical conflict in that region, we can make some good guesses. This attack reminded me of the essay This World of Ours [PDF: 1.7MB] from hilarious computer scientist James Mickens, which argues that a lot of Information Security research overlooks how all the fancy mathematically resilient algorithms are no match for being scammed or, more relevant in this instance, being attacked by Mossad.
According to Mickens, threat models boil down to whether an adversary is Mossad or Not Mossad (emphasis and paragraphs mine):
The “threat model” section of a security paper resembles the script for a telenovela that was written by a paranoid schizophrenic: there are elaborate narratives and grand conspiracy theories, and there are heroes and villains with fantastic (yet oddly constrained) powers that necessitate a grinding battle of emotional and technical attrition. In the real world, threat models are much simpler (see Figure 1). Basically, you’re either dealing with Mossad or not-Mossad.
If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://.
If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them. In summary, https:// and two dollars will get you a bus ticket to nowhere.
Given that we’re literally seeing it in action, it’s safe to say that Mickens had a point. I’ve been meaning to write up something on all of his essays, and as shocking as the pager attack is, I’m glad it gave me the opportunity to talk about it.