├── README.md
├── rules_for_radicals.txt
├── chess.txt
├── quotes_gq.fortune
├── moscow_rules_full2.html
├── downclimb.txt
├── murphys_laws_of_war.md
├── moscow_rules_full.html
├── fortune.txt
└── murphys_laws_of_combat.md

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# quotes
quotes i like.

--------------------------------------------------------------------------------
/rules_for_radicals.txt:
--------------------------------------------------------------------------------
Rules for radicals

1. "Power is not only what you have but what the enemy thinks you have."
2. "Never go outside the expertise of your people."
3. "Whenever possible go outside the expertise of the enemy."
4. "Make the enemy live up to its own book of rules."
5. "Ridicule is man's most potent weapon."
6. "A good tactic is one your people enjoy."
7. "A tactic that drags on too long becomes a drag."
8. "Keep the pressure on."
9. "The threat is usually more terrifying than the thing itself."
10. "The major premise for tactics is the development of operations that will maintain a constant pressure upon the opposition."
11. "If you push a negative hard and deep enough it will break through into its counterside."
12. "The price of a successful attack is a constructive alternative."
13. "Pick the target, freeze it, personalize it, and polarize it."

--------------------------------------------------------------------------------
/chess.txt:
--------------------------------------------------------------------------------
%
“Chess is the struggle against the error.” – Johannes Zukertort
%
“I don’t believe in psychology. I believe in good moves.” – Bobby Fischer
%
“I used to attack because it was the only thing I knew. Now I attack because I know it works best.” – Garry Kasparov
%
“When you see a good move, look for a better one.” – Emanuel Lasker
%
“Chess is rarely a game of ideal moves. Almost always, a player faces a series of difficult consequences whichever move he makes.” – David Shenk
%
“Half the variations which are calculated in a tournament game turn out to be completely superfluous. Unfortunately, no one knows in advance which half.” – Jan Timman
%
“Even a poor plan is better than no plan at all.” – Mikhail Chigorin
%
“Tactics is knowing what to do when there is something to do; strategy is knowing what to do when there is nothing to do.” – Savielly Tartakower
%
“In life, as in chess, forethought wins.” – Charles Buxton
%
“Nobody ever won a chess game by resigning.” – Savielly Tartakower
%
“The blunders are all there on the board, waiting to be made.” – Savielly Tartakower
%
“One doesn’t have to play well, it’s enough to play better than your opponent.” – Siegbert Tarrasch
%
“If your opponent offers you a draw, try to work out why he thinks he’s worse off.” – Nigel Short
%
Chess is a battle between your aversion to thinking and your aversion to losing.
%
A reporter once asked Spassky if he preferred chess or sex more. He replied "It very much depends on the position"
%
"You must take your opponent into a deep dark forest where 2+2=5, and the path leading out is only wide enough for one" - Mikhail Tal
%
"In the game of chess, you must never let your adversary see your pieces" — Zapp Brannigan
%
If we hit that bullseye, the rest of the dominoes should fall like a house of cards. Checkmate. — Zapp Brannigan
%
You from the school of hard knocks? I'm from the college of kicking doors down!
%
The winner of the game is the player who makes the next-to-last mistake. - Tartakower
%
Chess is a struggle against one's own errors. - Tartakower
%
"If you can't win, make sure you don't lose" - Johan Cruijff
%

--------------------------------------------------------------------------------
/quotes_gq.fortune:
--------------------------------------------------------------------------------
Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life.
%
You can't fight a meme with an exploit.
%
Cyber warfare isn't chess, it's calvinball.
%
An APT is not a toolchain. You can't download your way to parity with Ft Meade.
%
OPSEC is a process, not a tool set
%
Finding the right level of paranoia is an operational challenge
%
0days are offensive security by obscurity.

Just as fragile for attackers as “security by obscurity” is for defenders.
%
“If you want to conceal something, don’t swear people to silence, tell as many alternative stories as possible.” -- SOE rule
%
I think the American way of cyberwar is: “it is statistically impossible to make mistakes 100% of the time, plus law of large numbers, so…”

%

grugq’s law is: don’t attribute to exploits what can adequately be explained by password theft.

%

The P in APT doesn’t stand for “Pathetic”

%

Relying on attacker incompetence is no way to go through life

%

Offensive cyber’s real strategic (ie. continuing) advantage is a "true positive" success signal. Defenders must deal with this

%

Only break one law at a time.

%

Never lie by accident.

%

ProTip: you’re not worth an 0day.

%

Fear of 0day is like being terrified of ninjas instead of cardiovascular disease.

%

I’m not going to advise you on how to break the law other than to suggest that you shouldn’t.

%

Cyber is really only effective as an offensive capability. Defence has mitigation, detection, resilience, etc...but at the end of the day, cyber is a domain that favours the offensive (of course, once on someone else's network, you're on the defensive)

%

Make compromises: cost more; yield less; harder to use; easier to find. Analyze them, & stay awake

%

Fetishising 0day means that people think once a vulnerability is public there's some sort of automagic immunity.

%

It's surprising how critical good phishing technique is with these APT attacks. Effective phishing is more important than 0day.

%

I think I understand the US strategy against Chinese APT. It’s to flood the APT with so much data they won’t have analysts to review it all.

%

The APT that can be named is not the real APT. The way of APT is vast and unknowable. The APT is everywhere & nowhere

%

APT: repeatable success, interchangeable operators of low to mediocre skill. Easy to train techniques. Consistent results.

Like infantry.

%

Metcalfe’s Law is a bitch.

%

Limit the number of people involved to the bare minimum.

%

“The less written down, the better” or, “never say or email anything you don’t want read out in a court of law”

%

Never write if you can speak;
Never speak if you can nod;
Never nod if you can wink.

-- OPSEC maxim
(Martin Lomasney)

%

If you think, don't speak.
If you speak, don't write.
If you write, don't sign.
If you sign, don't be surprised.

-- Russian joke.

%

A ruse is the subtlest means of attaining one's ends
- the subtle ruse, arab philosophy

%

winning wars without battles.
- T.E. Lawrence

%

--------------------------------------------------------------------------------
/moscow_rules_full2.html:
--------------------------------------------------------------------------------

The Moscow Rules

1. Assume nothing.
2. Technology will always let you down.
3. Murphy is right.
4. Never go against your gut.
5. Always listen to your gut; it is your operational antennae.
6. Everyone is potentially under opposition control.
7. Don’t look back; you are never completely alone. Use your gut.
8. Go with the flow; use the terrain.
9. Take the natural break of traffic.
10. Maintain a natural pace.
11. Establish a distinctive and dynamic profile and pattern.
12. Stay consistent over time.
13. Vary your pattern and stay within your profile.
14. Be non threatening: keep them relaxed; mesmerize!

Moscow Rules - Spy Tactics

15. Lull them into a sense of complacency.
16. Know the opposition and their terrain intimately.
17. Build in opportunity but use it sparingly.
18. Don’t harass the opposition.
19. Make sure they can anticipate your destination.
20. Pick the time and place for action.
21. Any operation can be aborted; if it feels wrong, then it is wrong.
22. Keep your options open.
23. If your gut says to act, overwhelm their senses.
24. Use misdirection, illusion and deception.
25. Hide small operative motions in larger non threatening motions.
26. Float like a butterfly; sting like bee.
27. When free, In Obscura, immediately change direction and leave the area.
28. Break your trail and blend into the local scene.
29. Execute a surveillance detection run designed to draw them out over time.

Moscow Rules 02

30. Once is an accident; twice is a coincidence; three times is an enemy action.
31. Avoid static lookouts; stay away from chokepoints where they can reacquire you.
32. Select a meeting site so you can overlook the scene.
33. Keep any asset separated from you by time and distance until it is time.
34. If the asset has surveillance, then the operation has gone bad.
35. Only approach the site when you are sure it is clean.
36. After the meeting or act is done, “close the loop” at a logical cover destination.
37. Be aware of surveillance’s time tolerance so they aren’t forced to raise an alert.
38. If an alert is issued, they must pay a price and so must you.
39. Let them believe they lost you; act innocent.
40. There is no limit to a human being’s ability to rationalize the truth.

--------------------------------------------------------------------------------
/downclimb.txt:
--------------------------------------------------------------------------------
Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life.
https://twitter.com/thegrugq/status/563964286783877121
--

You can get 25% off a Mandiant incident response with the code: ITWASCHINA. 100% off if you just use that code as the report.
https://twitter.com/thegrugq/status/600345075562909696
--

Fear of 0day is like being terrified of ninjas instead of cardiovascular disease.
https://twitter.com/thegrugq/status/851001030019907588
--

Ransomware is not about encrypting data. It is the _current_ implementation of a methodology that coerces the victim to act as an agent for the criminal (typically to acquire BTC.) Encrypting data is just an implementation detail; it’s the “coerced agent” part that matters. There are infinite ways to coerce someone once you have access to their data. People will pay more to keep their secrets from their friends than to regain access to their data.
https://twitter.com/thegrugq/status/933540391055273984
--

APT28 still going through about 2 0days a month, they don't stockpile, they burn.
https://twitter.com/thegrugq/status/864274606130995201
--

W/ the MySpace hack, people will understand that passwords are like condoms. You aren't supposed to use them at more than one place.
https://twitter.com/thegrugq/status/736492040335155200
--

Trust relationships are the foundations of compromise.
https://twitter.com/thegrugq/status/705088675915239424
--

That marketing cycles around major conferences dictate when research is released tells you everything you need to know about infosec.
https://twitter.com/thegrugq/status/702765131562749952
--

People that need their software to work in order to make money invest more into engineering than those who don't. Think about that next time you buy enterprise security software. Unless you pay only after it has stopped attacks ;)
https://twitter.com/thegrugq/status/770849174589804545 (on malware authors A/B testing, localizing and testing their work before deployment)
--

An important lesson to learn is not to deploy tools before they are ready. The risk is revealing capability before you can exploit it
https://twitter.com/thegrugq/status/707273816058109955
--

That’s pretty amazing discipline from the attackers. They discard 5 9's of infections to focus on a tiny subset. No chance that’s criminals
https://twitter.com/thegrugq/status/912960298998366208 (on the CCleaner hackers)
--

when your attribution is based exclusively on forensic artifacts, you're using only adversarial controlled data
https://twitter.com/thegrugq/status/548490283046797312
--

Drop 0day, not bombs.
https://twitter.com/thegrugq/status/643844416537526272
--

Are there any #pwn2own winners that aren’t sponsored by massive Chinese Internet companies? It’s the equivalent of a Google team winning. No doubt the teams are skilled, but this is just marketing for the Chinese audience. 'Tencent wins hacking competition!' 'Baidu wins...' Is it time to accept that #Pwn2Own has outlived its usefulness to the community? Companies paying each other for marketing... *yawn*
https://twitter.com/thegrugq/status/578467834054852609
--

AirCnC: It’s like AirBnB for botnets. Have a compromised host you don’t use all the time? Need a host but can’t afford the maintenance?
https://twitter.com/thegrugq/status/657508423332814849
--

Long uptime for security. No one ever tests their exploits against browsers with a week of uptime. Heap feng shui? More like heap makeover
https://twitter.com/thegrugq/status/584356859777159168
--

You are going to be phished long before you are going to be hit with CIA 0days. Enable 2FA and get a password manager.
https://twitter.com/thegrugq/status/839471981120495616
--

a key signing party is basically "bring your children over to get infected with chicken pox", but for grownup's laptops
https://twitter.com/thegrugq/status/831363157176184832
--

There are people with Tor browser 0day. This is a perennial truth. Learn to be secure even if the adversary has exploits. Because they do.
https://twitter.com/thegrugq/status/720334344036818944
--

A great way to mitigate TAO is to not be the elected leader of a nation state, #protip
https://twitter.com/thegrugq/status/692793830945337344
--

Journos assume we know to say 'off the record' and we assume they know not to click on 'Secret Doc.PDF.exe'
https://twitter.com/thegrugq/status/654293293879070720
--

In none of the targeted attacks me and @CDA observed against Iranian civil society we found a 0day used. Mostly no "exploit" at all in fact. Besides the usual .scr, we see a variety of Office tricks, and embedding of PowerShell in a variety of file formats (e.g. LNK) as well as repackaging of legitimate software. [...] Surely, there's a lot of human mistakes involved, but as long as we enable e.g. executing embedded EXEs through PowerPoint animations the human mistakes seem more tolerable, and development and employment of exploits way less "profitable". Most of the tricks I observe used for infection also have the "advantage" of requiring way less situational awareness from the attacker which significantly reduces costs and improves success rate for attackers [...]
In some sadistic way, I wish we'd be in a place where exploits were really required, at least it would sensibly increase costs for attacks.
https://twitter.com/thegrugq/timelines/764512283099697152
--

less Twitter more committer! Keep coding
https://twitter.com/thegrugq/status/533620917469855749
--

Software is eating the world. Software rots. This is a very scary thing to think about.
https://twitter.com/thegrugq/status/633306726142337025
--

Everybody that's been breached or has security patches to release? Today is _the_ day to bury infosec news!
https://twitter.com/thegrugq/status/618028615054159873 (on the day of the Hacking Team hack)
--

New rule: if you are hacked via OWASP Top 10, you’re not allowed to call it 'advanced' or 'sophisticated.'
https://twitter.com/thegrugq/status/658991205816995840
--

Don’t make me sudo. You wouldn’t like me when I’m root.
https://twitter.com/thegrugq/status/614305448540311552

--------------------------------------------------------------------------------
/murphys_laws_of_war.md:
--------------------------------------------------------------------------------
1. Friendly fire - isn't.
1. Recoilless rifles - aren't.
1. Suppressive fires - won't.
1. You are not Superman; Marines and fighter pilots take note.
1. A sucking chest wound is Nature's way of telling you to slow down.
1. If it's stupid but it works, it isn't stupid.
1. Try to look unimportant; the enemy may be low on ammo and not want to waste a bullet on you.
1. If at first you don't succeed, call in an airstrike.
1. If you are forward of your position, your artillery will fall short.
1. Never share a foxhole with anyone braver than yourself.
1. Never go to bed with anyone crazier than yourself.
1. Never forget that your weapon was made by the lowest bidder.
1. If your attack is going really well, it's an ambush.
1. The enemy diversion you're ignoring is their main attack.
1. The enemy invariably attacks on two occasions: When they're ready or when you're not.
1. No PLAN ever survives initial contact.
1. There is no such thing as a perfect plan.
1. Five second fuzes always burn three seconds.
1. There is no such thing as an atheist in a foxhole.
1. A retreating enemy is probably just falling back and regrouping.
1. The important things are always simple; the simple are always hard.
1. The easy way is always mined.
1. Teamwork is essential; it gives the enemy other people to shoot at.
1. Don't look conspicuous; it draws fire. (For this reason, it is not at all uncommon for aircraft carriers to be known as bomb magnets.)
1. Never draw fire; it irritates everyone around you.
1. If you are short of everything but the enemy, you are in the combat zone.
1. When you have secured the area, make sure the enemy knows it too.
1. Incoming fire has the right of way.
1. No combat ready unit has ever passed inspection.
1. No inspection ready unit has ever passed combat.
1. If the enemy is within range, so are you.
1. The only thing more accurate than incoming enemy fire is incoming friendly fire.
1. Things which must be shipped together as a set, aren't.
1. Things that must work together, can't be carried to the field that way.
1. Radios will fail as soon as you need fire support. Corollary: Radar tends to fail at night and in bad weather, and especially during both.
1. Anything you do can get you killed, including nothing.
1. Make it too tough for the enemy to get in, and you won't be able to get out.
1. Tracers work both ways.
1. If you take more than your fair share of objectives, you will get more than your fair share of objectives to take.
1. When both sides are convinced they're about to lose, they're both right.
1. Professional soldiers are predictable; the world is full of dangerous amateurs.
1. Military Intelligence is a contradiction.
1. Fortify your front; you'll get your rear shot up.
1. Weather ain't neutral.
1. If you can't remember, the Claymore is pointed towards you.
1. Air defense motto: shoot 'em down; sort 'em out on the ground.
1. Flies high, it dies; low and slow, it'll go.
1. The Cavalry doesn't always come to the rescue.
1. Napalm is an area support weapon.
1. Mines are equal opportunity weapons.
1. B-52s are the ultimate close support weapon.
1. Sniper's motto: reach out and touch someone.
1. Killing for peace is like screwing for virginity.
1. The one item you need is always in short supply.
1. Interchangeable parts aren't.
1. It's not the one with your name on it; it's the one addressed "to whom it may concern" you've got to think about.
1. When in doubt, empty your magazine.
1. The side with the simplest uniforms wins.
1. Combat will occur on the ground between two adjoining maps.
1. If the Platoon Sergeant can see you, so can the enemy.
1. Never stand when you can sit, never sit when you can lie down, never stay awake when you can sleep.
1. The most dangerous thing in the world is a Second Lieutenant with a map and a compass.
1. Exceptions prove the rule, and destroy the battle plan.
1. Everything always works in your HQ, everything always fails in the Colonel's HQ.
1. The enemy never watches until you make a mistake.
1. One enemy soldier is never enough, but two is entirely too many.
1. A clean (and dry) set of BDU's is a magnet for mud and rain.
1. The worse the weather, the more you are required to be out in it.
1. Whenever you have plenty of ammo, you never miss. Whenever you are low on ammo, you can't hit the broad side of a barn.
1. The more a weapon costs, the farther you will have to send it away to be repaired.
1. The complexity of a weapon is inversely proportional to the IQ of the weapon's operator.
1. Field experience is something you don't get until just after you need it.
1. No matter which way you have to march, it's always uphill.
1. If enough data is collected, a board of inquiry can prove anything.
1. For every action, there is an equal and opposite criticism. (in boot camp)
1. Airstrikes always overshoot the target, artillery always falls short.
1. When reviewing the radio frequencies that you just wrote down, the most important ones are always illegible.
1. Those who hesitate under fire usually do not end up KIA or WIA.
1. The tough part about being an officer is that the troops don't know what they want, but they know for certain what they don't want.
1. To steal information from a person is called plagiarism. To steal information from the enemy is called gathering intelligence.
1. The weapon that usually jams when you need it the most is the M60.
1. The perfect officer for the job will transfer in the day after that billet is filled by someone else.
1. When you have sufficient supplies & ammo, the enemy takes 2 weeks to attack. When you are low on supplies & ammo the enemy decides to attack that night.
1. The newest and least experienced soldier will usually win the Medal of Honor.
1. A Purple Heart just proves that you were smart enough to think of a plan, stupid enough to try it, and lucky enough to survive.
1. Murphy was a grunt.
1. Beer Math -> 2 beers times 37 men equals 49 cases.
1. Body count Math -> 3 guerrillas plus 1 probable plus 2 pigs equals 37 enemies killed in action.
1. The bursting radius of a hand grenade is always one foot greater than your jumping range.
1. All-weather close air support doesn't work in bad weather.
1. The combat worth of a unit is inversely proportional to the smartness of its outfit and appearance.
1. The crucial round is a dud.
1. Every command which can be misunderstood, will be.
1. There is no such place as a convenient foxhole.
1. Don't ever be the first, don't ever be the last and don't ever volunteer to do anything.
1. If your positions are firmly set and you are prepared to take the enemy assault on, he will bypass you.
1. If your ambush is properly set, the enemy won't walk into it.
1. If your flank march is going well, the enemy expects you to outflank him.
1. Density of fire increases proportionally to the curiousness of the target.
1. Odd objects attract fire - never lurk behind one.
1. The more stupid the leader is, the more important missions he is ordered to carry out.
1. The self-importance of a superior is inversely proportional to his position in the hierarchy (as is his deviousness and mischievousness).
1. There is always a way, and it usually doesn't work.
1. Success occurs when no one is looking, failure occurs when the General is watching.
1. The enemy never monitors your radio frequency until you broadcast on an unsecured channel.
1. Whenever you drop your equipment in a fire-fight, your ammo and grenades always fall the farthest away, and your canteen always lands at your feet.
1. As soon as you are served hot chow in the field, it rains.
1. Never tell the Platoon Sergeant you have nothing to do.
1. The seriousness of a wound (in a fire-fight) is inversely proportional to the distance to any form of cover.
1. Walking point = sniper bait.
1. Your bivouac for the night is the spot where you got tired of marching that day.
1. If only one solution can be found for a field problem, then it is usually a stupid solution.
1. All or any of the above combined.

--------------------------------------------------------------------------------
/moscow_rules_full.html:
--------------------------------------------------------------------------------
1. Assume nothing.
2. Technology will always let you down.
3. Murphy is right.
4. Never go against your gut.
5. Always listen to your gut; it is your operational antennae.
6. Everyone is potentially under opposition control.
7. Don’t look back; you are never completely alone. Use your gut.
8. Go with the flow; use the terrain.
9. Take the natural break of traffic.
10. Maintain a natural pace.
11. Establish a distinctive and dynamic profile and pattern.
12. Stay consistent over time.
13. Vary your pattern and stay within your profile.
14. Be non threatening: keep them relaxed; mesmerize!
15. Lull them into a sense of complacency.
16. Know the opposition and their terrain intimately.
17. Build in opportunity but use it sparingly.
18. Don’t harass the opposition.
19. Make sure they can anticipate your destination.
20. Pick the time and place for action.
21. Any operation can be aborted; if it feels wrong, then it is wrong.
22. Keep your options open.
23. If your gut says to act, overwhelm their senses.
24. Use misdirection, illusion, and deception.
25. Hide small operative motions in larger non threatening motions.
26. Float like a butterfly; sting like bee.
27. When free, In Obscura, immediately change direction and leave the area.
28. Break your trail and blend into the local scene.
29. Execute a surveillance detection run designed to draw them out over time.
30. Once is an accident; twice is a coincidence; three times is an enemy action.
31. Avoid static lookouts; stay away from chokepoints where they can reacquire you.
32. Select a meeting site so you can overlook the scene.
33. Keep any asset separated from you by time and distance until it is time.
34. If the asset has surveillance, then the operation has gone bad.
35. Only approach the site when you are sure it is clean.
36. After the meeting or act is done, “close the loop” at a logical cover destination.
37. Be aware of surveillance’s time tolerance so they aren’t forced to raise an alert.
38. If an alert is issued, they must pay a price and so must you.
39. Let them believe they lost you; act innocent.
40. There is no limit to a human being’s ability to rationalize the truth.

--------------------------------------------------------------------------------
/fortune.txt:
--------------------------------------------------------------------------------
%

Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life.

https://twitter.com/thegrugq/status/563964286783877121

%

You can't fight a meme with an exploit.

%

Cyber warfare isn't chess, it's calvinball.

%

An APT is not a toolchain. You can't download your way to parity with Ft Meade.
https://twitter.com/thegrugq/status/786339349847609344

%

Think of it like this:

0days are offensive security by obscurity.

Just as fragile for attackers as “security by obscurity” is for defenders.

%

“If you want to conceal something, don’t swear people to silence, tell as many alternative stories as possible.” -- SOE rule
https://twitter.com/thegrugq/status/1037577891150585856

%

I think the American way of cyberwar is: “it is statistically impossible to make mistakes 100% of the time, plus law of large numbers, so…”
https://twitter.com/thegrugq/status/811330599424135169

%

grugq’s law is: don’t attribute to exploits what can adequately be explained by password theft.

%

The P in APT doesn’t stand for “Pathetic”

%

relying on attacker incompetence is no way to go through life

%

offensive cyber’s real strategic (ie. continuing) advantage is a "true positive" success signal. Defenders must deal with this

%

Only break one law at a time.

%

Never lie by accident.

%

ProTip: you’re not worth an 0day.

%

Fear of 0day is like being terrified of ninjas instead of cardiovascular disease.

%

I’m not going to advise you on how to break the law other than to suggest that you shouldn’t.

%

Cyber is really only effective as an offensive capability. Defence has mitigation, detection, resilience, etc...but at the end of the day, cyber is a domain that favours the offensive (of course, once on someone else's network, you're on the defensive)

%

make compromises: cost more; yield less; harder to use; easier to find. Analyze them, & stay awake

%

Fetishising 0day means that people think once a vulnerability is public there's some sort of automagic immunity.

%

It's surprising how critical good phishing technique is with these APT attacks. Effective phishing is more important than 0day.

%

I think I understand the US strategy against Chinese APT. It’s to flood the APT with so much data they won’t have analysts to review it all.

%

the APT that can be named is not the real APT. The way of APT is vast and unknowable. The APT is everywhere & nowhere

%

APT: repeatable success, interchangeable operators of low to mediocre skill. Easy to train techniques. Consistent results.

Like infantry.

%

Metcalfe’s Law is a bitch.

%

Limit the number of people involved to the bare minimum.
11:09 PM - 4 Aug 2015
https://twitter.com/thegrugq/status/628598651951054848

%

“The less written down, the better” or, “never say or email anything you don’t want read out in a court of law”
2:58 AM - 11 Jul 2016
https://twitter.com/thegrugq/status/752230475029057536

%

Never write if you can speak;
Never speak if you can nod;
Never nod if you can wink.

-- OPSEC maxim
(Martin Lomasney)
11:11 PM - 4 Aug 2015
https://twitter.com/thegrugq/status/628599130160431105

%

Encryption is a law enforcement problem, not an intelligence one.
1:56 AM - 22 Jan 2016
https://twitter.com/thegrugq/status/690246691232944128

%

OH: International law is colonialism by other means.
12:45 PM - 22 Jan 2018
https://twitter.com/thegrugq/status/955315437914353664

%

"Only break one law at a time."

"Never lie by accident."

Conducting influence campaigns isn’t that hard. It doesn’t require state-spectrum investment or capabilities. All you need is a plan, an audience, time, and an achievable goal. Keep good records, never lie by accident, iterate fast, use themes for guidance.
Yes. Accidental lies can totally blow your operation. Only lie when you know what and why. It must be purposeful
More of a “one law at a time” thing. You want to be in control of your messaging. Lies can confuse things or completely sink the ship.
A) A riot in Boston D.C. killed 7
B) A riot in DC killed 7

It’s clear to the target audience “A” is fishy, but “B” is not self evidently wrong
Similarly to one lie at a time is one operation at a time. If you're hijacking TV to inject fake data don’t also try to add satirical commentary to the newscaster. The two ops would get jumbled and risk exposing each other. Everything must be deliberate

%

Laws make criminals. Repeal more laws, you get fewer criminals, they can use the law courts to settle contractual disputes rather than violence.

%

snowden argues the same techy bullshit argument other geeks have: that tech can defeat law, so ignore policy
it's complete bullshit. It makes geeks feel powerful while not actually doing anything useful.

%

They violate the primary rule of maintaining security against a nation state - don’t break the law.

%

until geeks realize that people execute law code and not automatons, it’s kinda messy.

%

“An APT is more than just a tool chain, you can’t download your way to parity with Fort Meade”
https://twitter.com/thegrugq/status/1063239079284760576

%

Not everything is APT and not every APT is sophisticated. Focus on practicing basic IT governance — asset management, patching, network segmentation, least privilege, 2FA, logging... drop in some @ThinkstCanary. Make them work to earn their pay

%

Real APT: we need to read their emails and steal their spreadsheets.
Fantasy APT: we need to hack their baseband…because reasons!

%

Hey aspirational B team APT. You guys really need to learn that mission success is about the escape and evasion, not the execution.

%

Yeah, I’m just being stupid about bureaucracy and organizations these days. Wondering if there’s units that work to enable the dev teams (hack for certs, hack for source, hack for infrastructure) and so on. Just like an army isn’t all infantry, what elements make up an APT group?

%

17 Malware Analysis Techniques That Work For Any APT Campaign.
#infoseccosmo

%

cyber pathogen prophylaxis is a common complication from APT infections.

%

The phrase for today is: collection bias. We see only the ops that get caught in the sector that is being monitored. The view port on APT activity is limited and skewed. Our data sets suck.

%

Wonder how much the style of attacks has to do with provenance. That is, pen testers mimic old school hackers, APT is repeatable success.
213 | j 214 | % 215 | 216 | Criminals and other APT groups will happily use anything that works, even if it is known. 217 | 218 | % 219 | 220 | Which APT Campaigns Are Hot This Summer! 221 | 222 | #infoseccosmo 223 | 224 | % 225 | 226 | Interestingly the North Koreans are probably the only APT that views cyberwar in the same terms as the US, but they aren’t constrained 227 | 228 | % 229 | 230 | TBF, there’s not much a civilian group can do to protect against an APT. 231 | 232 | % 233 | 234 | Does anyone except Russian crooks & pen testers still do “Step 1: hack the server“ style pen tests? The world has standardized on APT right? 235 | 236 | 237 | 238 | 239 | This is like the APT starter pack: Flash, win33k, old Java *and* old office, everything a gov contracting house runs on every workstation! 240 | 241 | % 242 | 243 | If I’m understanding this correctly, “cyber” is something you catch from a Chinese if you have unprotected APT? 244 | 245 | % 246 | 247 | in peace, prepare for apt 248 | 249 | % 250 | 251 | WTF is wrong with people? The opposition will use the cheapest most reliable tool every time they can. Yes, the GRU uses phishing (and 0day) 252 | 253 | % 254 | 255 | Russia can afford to kill the opposition’s 0day, regardless of how good, because they don’t care much about stealth or preserving exploits. 256 | 257 | % 258 | 259 | APTs use what works. But it’s kinda embarrassing if you don’t make them at least burn 0day... 260 | 261 | % 262 | 263 | Fetishising 0day leads to bizarre situations where ppl think that making more vulnerabilities known to more people reduces risk. 264 | 265 | % 266 | 267 | Yes. 0day are for hardened HVT. Like spices, you don’t want to over use them, just enough 268 | 269 | % 270 | 271 | I’ll concede it isn’t perfect or feasible in every case, but I think “decruitment” is a totally viable offensive technique in a variety of situations. It is a variant of “countering violent extremism” in a way. 
Provide an off ramp, throw in incentives (if possible) 272 | 273 | % 274 | 275 | actually not a stupid question. 276 | 277 | 278 | 279 | Any competent offensive cyber team is going to need to detect whether they’ve popped a compromised box. They need a simple operational tool that works and doesn’t leak intelligence about what they know regarding other teams’ tooling —because it is run on a compromised host. 280 | 281 | % 282 | 283 | Reminder to everyone: [bug bounties use] market forces to secure things by raising the cost of offensive ops, not the cost of defence. 284 | 285 | % 286 | 287 | Create infrastructure that requires only a new $5 VPS and a “rake deploy” to replicate to a new system. Offensive DevOps 288 | 289 | % 290 | 291 | APT groups operational characteristics are the result of organizational make up which is the result of politics & history. 292 | 293 | % 294 | 295 | Defender's strategic advantage is visibility at vantage points & scale unavailable & unknown to attackers. Denial of certainty of stealth. -- @dinodaizovi 296 | 297 | In addition to attacker vulnerabilities, 298 | 299 | % 300 | 301 | Modern day alchemy: turn a nothing burger wiki dump into an information operation. 302 | 303 | % 304 | 305 | Phrack, uniformed, etc are the alchemical grimoires of cyber security. Practitioners scribbling down what they knew from experiments and presenting the knowledge to their peers. They’re presented authoritatively, rich w/ arcane detail, on the path to professional discipline 306 | As an industry we still don’t know how to produce “hacker enlightenment” other than walking the old paths. Some of the Services have developed private colleges for professionalized training, but even they aren’t reliable at creating “master” hackers. 307 | Hacking is beyond the “alchemy” phase, but it’s not yet “chemistry.” Is it just gonna take more time? What would we need to bridge that gap? 308 | 309 | % 310 | 311 | cyber is calvinball. 
The only rule is that it’s never played the same way twice. 312 | 313 | % 314 | 315 | We're only at the Alchemy stage of security - it's not a real science yet. 316 | 317 | % 318 | 319 | If a nation state is after you, you’re going to have a bad time. 320 | 321 | % 322 | 323 | The Internet is the Wild West. We thought we were the cowboys but it turns out we're the indians. Fuck. 324 | 325 | % 326 | 327 | Learning good OPSEC requires internalizing the behavioural changes required to continually maintain a strong security posture. 328 | 329 | % 330 | 331 | Attackers are resource constrained too. -- @dinodaizovi 332 | 333 | % 334 | 335 | Attackers have bosses and budgets too. -- Phil Venables (@philvenables) 336 | 337 | % 338 | 339 | Your perimeter is not the boundary of your network but the boundary of your telemetry. 340 | 341 | % 342 | 343 | The future of CNO is the Morris Worm from 1988. 344 | 345 | % 346 | 347 | Core offensive methodologies exploit human factors. Decades of success prove they aren't going away. 348 | 349 | % 350 | 351 | [a cyber offence framework] does not cost an aircraft carrier as Aitel says, it costs a submarine. 352 | 353 | % 354 | 355 | A key signing party is basically "bring your children over to get infected with chicken pox," but for grownup's laptops. 356 | 357 | % 358 | 359 | "Happy birthday @miaubiz!" -- the birthday attack. 360 | 361 | % 362 | 363 | No one's going to jail for you. 364 | 365 | % 366 | 367 | The ultimate goal of strategem is to make the enemy quite certain, very decisive, and wrong. -- Bart Whaley 368 | 369 | % 370 | 371 | Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life. 372 | https://twitter.com/thegrugq/status/563964286783877121 373 | 374 | % 375 | 376 | You can get 25% off a Mandiant incident response with the code: ITWASCHINA. 100% off if you just use that code as the report. 
377 | https://twitter.com/thegrugq/status/600345075562909696 378 | 379 | % 380 | 381 | Fear of 0day is like being terrified of ninjas instead of cardiovascular disease. 382 | https://twitter.com/thegrugq/status/851001030019907588 383 | 384 | % 385 | 386 | Ransomware is not about encrypting data. It is the _current_ implementation of a methodology that coerces the victim to act as an agent for the criminal (typically to acquire BTC.) Encrypting data just an implementation detail; it’s the “coerced agent” part that matters. There are infinite ways to coerce someone once you have access to their data. People will pay more to keep their secrets from their friends than to regain access to their data. 387 | https://twitter.com/thegrugq/status/933540391055273984 388 | 389 | % 390 | 391 | APT28 still going through about 2 0days a month, they don't stockpile, they burn. 392 | https://twitter.com/thegrugq/status/864274606130995201 393 | 394 | % 395 | 396 | W/ the MySpace hack, people will understand that passwords are like condoms. You aren't supposed to use them at more than one place. 397 | https://twitter.com/thegrugq/status/736492040335155200 398 | 399 | % 400 | 401 | Trust relationships are the foundations of compromise. 402 | https://twitter.com/thegrugq/status/705088675915239424 403 | 404 | % 405 | 406 | That marketing cycles around major conferences dictate when research is released tells you everything you need to know about infosec. 407 | https://twitter.com/thegrugq/status/702765131562749952 408 | 409 | % 410 | 411 | People that need their software to work in order to make money invest more into engineering than those who don't. Think about that next time you buy enterprise security software. 
Unless you pay only after it has stopped attacks ;) 412 | https://twitter.com/thegrugq/status/770849174589804545) on malware authors A/B testing, localizing and testing their work before deployment 413 | 414 | % 415 | 416 | An important lesson to learn is not to deploy tools before they are ready. The risk is revealing capability before you can exploit it 417 | https://twitter.com/thegrugq/status/707273816058109955 418 | 419 | % 420 | 421 | That’s pretty amazing discipline from the attackers. They discard 5 9's of infections to focus on a tiny subset. No chance that’s criminals 422 | https://twitter.com/thegrugq/status/912960298998366208) on the CCleaner hackers 423 | 424 | % 425 | 426 | 427 | when your attribution is based exclusively on forensic artifacts, you're using only adversarial controlled data 428 | https://twitter.com/thegrugq/status/548490283046797312 429 | 430 | % 431 | 432 | Drop 0day, not bombs. 433 | https://twitter.com/thegrugq/status/643844416537526272 434 | 435 | % 436 | 437 | Are there any #pwn2own winners that aren’t sponsored by massive Chinese Internet companies? It’s the equivalent of a Google team winning. No doubt the teams are skilled, but this is just marketing for the Chinese audience. 'Tencent wins hacking competition!' 'Baidu wins...' Is it time to accept that #Pwn2Own has outlived its usefulness to the community? Companies paying each other for marketing... *yawn* 438 | https://twitter.com/thegrugq/status/578467834054852609 439 | 440 | % 441 | 442 | AirCnC: It’s like AirBnB for botnets. Have a compromised host you don’t use all the time? Need a host but can’t afford the maintenance? 443 | https://twitter.com/thegrugq/status/657508423332814849 444 | % 445 | 446 | Long uptime for security. No one ever tests their exploits against browsers with a week of uptime. Heap feng shui? 
More like heap makeover 447 | https://twitter.com/thegrugq/status/584356859777159168 448 | 449 | % 450 | 451 | You are going to be phished long before you are going to be hit with CIA 0days. Enable 2FA and get a password manager. 452 | https://twitter.com/thegrugq/status/839471981120495616 453 | 454 | % 455 | 456 | a key signing party is basically "bring your children over to get infected with chicken pox", but for grownup's laptops 457 | https://twitter.com/thegrugq/status/831363157176184832 458 | 459 | % 460 | 461 | There are people with Tor browser 0day. This is a perennial truth. Learn to be secure even if the adversary has exploits. Because they do. 462 | https://twitter.com/thegrugq/status/720334344036818944 463 | 464 | % 465 | 466 | A great way to mitigate TAO is to not be the elected leader of a nation state, #protip 467 | https://twitter.com/thegrugq/status/692793830945337344 468 | 469 | % 470 | 471 | Journos assume we know to say 'off the record' and we assume they know not to click on 'Secret Doc.PDF.exe' 472 | https://twitter.com/thegrugq/status/654293293879070720 473 | 474 | % 475 | 476 | In none of the targeted attacks me and @CDA observed against Iranian civil society we found a 0day used. Mostly no "exploit" at all in fact. Besides the usual .scr, we see a variety of Office tricks, and embedding of PowerShell in a variety of file formats (e.g. LNK) as well as repackaging of legitimate software. [...] Surely, there's a lot of human mistakes involved, but as long as we enable e.g. executing embedded EXEs through PowerPoint animations the human mistakes seem more tolerable, and development and employment of exploits way less "profitable". Most of the tricks I observe used for infection also have the "advantage" of requiring way less situational awareness from the attacker which significantly reduces costs and improve success rate for attackers [...] 
In some sadistic way, I wish we'd be in a place where exploits were really required, at least it would sensibly increase costs for attacks. 477 | https://twitter.com/thegrugq/timelines/764512283099697152 478 | 479 | % 480 | 481 | less Twitter more committer! Keep coding 482 | https://twitter.com/thegrugq/status/533620917469855749 483 | 484 | % 485 | 486 | Software is eating the world. Software rots. This is a very scary thing to think about. 487 | https://twitter.com/thegrugq/status/633306726142337025 488 | 489 | % 490 | 491 | Everybody that's been breached or has security patches to release? Today is _the_ day to bury infosec news! 492 | https://twitter.com/thegrugq/status/618028615054159873) on the day of the Hacking Team hack. 493 | 494 | % 495 | 496 | New rule: if you are hacked via OWASP Top 10, you’re not allowed to call it 'advanced' or 'sophisticated.' 497 | https://twitter.com/thegrugq/status/658991205816995840 498 | 499 | % 500 | 501 | Don’t make me sudo. You wouldn’t like me when I’m root. 502 | https://twitter.com/thegrugq/status/614305448540311552 503 | 504 | % 505 | 506 | The Russians are playing chess and the Americans are playing “how far does this crayon go up my nose?” 507 | https://twitter.com/thegrugq/status/766337166406393856 508 | 509 | % 510 | 511 | “The more security, the more bizarre the method of escape must be.” 512 | -- Forrest Tucker, bank robber, stickup man, prison escape artist 513 | 514 | % 515 | -------------------------------------------------------------------------------- /murphys_laws_of_combat.md: -------------------------------------------------------------------------------- 1 | 267 |

Laws of War for Helicopters

Laws of War for Tanks

Laws of the Marine Corps

Law of Fighting Airplanes

Saddam's First (and last) Law of War:

Laws of Desert Combat:

Laws of War in Iraq:

--------------------------------------------------------------------------------