The Gentlemen Hackers interview: The Grugq
Thaddeus E. Grugq is a longtime cybersecurity dude who is reasonably clear thinking about the issues.
The Grugq: Yes, absolutely. The operating systems that we have on mobile devices are so much more secure than what we have on laptops. It’s much, much harder to break into an iOS device than a macOS device. Of course, if someone really cares about you, then they’ll break in anyway, but in terms of just straight-up security, absolutely, tablet, way better, much safer.
Mik: Why are mobile systems so much more secure?
The Grugq: A number of reasons, but it’s fundamentally that when they started out developing it, it had a security paradigm of being locked down for kind of bad reasons. They don’t want other people to be able to take advantage of their market share and things like that. But because the approach was, “How can we restrict this? How can we make it limited? How can we reduce things that the user can do so that it’s less likely to break?” All of those things compound to make mobile devices at this point in time very, very secure comparatively. I travel with an iPad, not a laptop for these reasons. If someone wants to break into whatever I’m doing enough to go after an iOS device, then it doesn’t matter what I’d be doing.
Mik: We’ll switch gears. Let’s talk a little bit about nation-states because you’ve done a lot of work with nation-state security as well. What’s your opinion on the cyber doctrines? East and the West have very different cyber doctrines. Who’s right? Why?
The Grugq: None of the above. Both the East and the West are wrong, but for different reasons. The East is, I think they’re closer, like they are less wrong. They’re closer to the truth. The sort of differences are, in the Eastern approach, they tend to think about information, the information sphere and the information domain as the battlefield. This is where it’s all going on and that cyber is within that. It’s just a subset of information operations. I think that this is very good because their concept of information includes what we would call the cognitive domain. It’s the minds of the people that you’re interacting with. It’s not just the information that you’re giving out, it’s the information that they’re taking in and processing. That’s part of what you’re affecting and interacting with. That’s very, very useful because that gives you things like the 2016 disinformation campaigns, both in the Brexit and in the US with the election. The cyber doctrine encompasses that sort of thing. The West, on the other hand, is much more focused on CNO, like computer network operations, then CNA, computer network attack, and CND, computer network defense.
He has a Simple Security Guidelines document over at GitHub that expands a bit on how to keep more secure:
I checked all the boxes for using iDevice!!!
2013 interview on Hacker OPSEC:
Between Two Nerds: How bureaucracies deal with super talented people
Between Two Nerds: The great game, cyber edition
Fed this podcast through openai-whisper and then cleaned up with GPT-4o. Maybe @jdougan can highlight some excerpts?
Between Two Nerds Discussion
Tom Uren: Hello everyone, this is Tom Uren. I’m here with Grugq for another Between Two Nerds discussion. G’day Grugq, how are you?
Grugq: I’m good, Tom, yourself?
Tom Uren: I’m well. This week’s episode is brought to you by RunZero. I have an interview with RunZero’s Rob King about how they keep up with developments in various lists of vulnerabilities and how you can make use of that. So catch that interview on the channel out this week.
Tom Uren: So Grugq, you sent me a tweet the other day and it actually comes from a thread that Shashank Joshi posted on X. Shashank is The Economist’s defence editor, and he often tweets interesting stuff but occasionally he strays onto the cyber patch. And it was an interesting thread. He attended the Oxford Cyber Forum run by the European Cyber Conflict Research Initiative, which is run by Max Smeets.
Grugq: It sounds like it was a good meeting. Shashank’s got quite a long thread, and I thought we could just pull out a few of the elements that we either had opinions about or thought were particularly interesting.
Tom Uren: As far as I can gather from the thread, it seemed to be about the state of how cyber operations are used in the grand game, the conflict or competition between states. So, the piece that we’ll kick off with is this kind of back and forth about what zero days are good for or how people see zero days.
Grugq: What I found interesting was the way they phrased their state. The first statement to me indicates that they have wrong thinking. They said, “Our theories rest on the idea that zero days are scarce, so countries are hesitant to use them.” What, they asked, could change that assumption?
Tom Uren: This meeting was held under the Chatham House rule, which means you can’t name people. You can talk about what they said, but you can’t name them. So that’s why in our discussion, there might be a bit of they, them, person said.
Grugq: There were a couple of replies to that. Heather Adkins, who’s at Google, said, “I was at the forum and I don’t think that this was a prevailing narrative.” She favors the view that the cyber domain is currently premised on competition, where the only way to successfully compete is through persistent initiation, i.e., constant hacking.
Tom Uren: That sounds a lot like persistent engagement.
Grugq: Exactly. So you disagree with the view that Shashank first relayed. He did caveat that by saying that one official noted it. So as Heather says, maybe that’s not a persistent view.
Tom Uren: And then Brodie, who works at CrowdStrike and is a mate, replied and said, “My assumption based on thousands of observations is zero days are largely unnecessary. So countries are reluctant to use them unnecessarily.” It’s the exact same observables, but a completely different interpretation.
Grugq: Right. On one hand, you have, they’re so precious and rare that you never use them. On the other hand, the occasions where you need to use them are so precious and rare. It’s perfect for a kind of pick and choose approach.
Tom Uren: If you’re focused exclusively on zero days, you’re going to miss all of the other things that are actually important.
Grugq: Yeah, there are lots of ways to gain access. Zero days are just one of them. If all you’re worried about is how to gain access, that’s not going to get you very far in terms of cybersecurity. The understanding is completely wrong on that one.
Tom Uren: I think it’s interesting that you say the understanding is completely wrong. The very first thing you started with was that they’re taking the same data set and arriving at very different conclusions. So what’s the data or information or what’s the special source that you and I and Brodie are taking to get from that data to a very different conclusion?
Grugq: I don’t know. Beyond actual experience. That doesn’t feel like a good answer because it shouldn’t be like, you know… Just because I know and you don’t. Excuse me, but I happen to be an authority, so…
Tom Uren: Well, there’s a whole landscape of things that are happening all the time and the vast majority of them don’t rely on zero days and therefore it can’t be the be-all and end-all.
Grugq: Exactly. If you just look at business email compromise (BEC), which costs millions, even billions every year, zero days are not an issue. Those guys are doing huge amounts of hacking with just email access and phones.
Tom Uren: Going back to the tweet, it’s our theories rest on the idea that zero days are scarce, so countries are hesitant to use them. I suppose there’s two parts. Are zero days really scarce? It depends on what player you are, right?
Grugq: It’s sort of like fully automatic firearms are scarce. If you’re in the suburbs of Japan, they’re very scarce. If you’re in Donbass, they’re not.
Tom Uren: And then the second part is, so countries are hesitant to use them. If zero days were the only way that you could get access, then yes, you would be hesitant to use them. But there are so many options. It’s a smorgasbord.
Grugq: Exactly. And why order the filet mignon when you can just get a hamburger? And it’ll be just as good most of the time.
Tom Uren: Right. It’s like the only way of getting protein and nutrition is through filet mignon. So people are hesitant to get filet. But is that true?
Grugq: Do you think what Heather said, that the cyber domain works by constantly engaging, which she calls persistent initiation, is the way to get an advantage in the cyber domain?
Tom Uren: I think what she was getting at is that while what this person said was an interesting comment to note, it was not a reflection of the broader consensus at that conference, which I’m happy to hear. And yeah, I think she’s right.
Grugq: This is something that we’ve talked about a lot. You need to stay sharp and active, not just in terms of competition. Your skills atrophy and rust quickly. You can have theories that depart from reality very quickly. It’s good to have some grounding in experience.
Tom Uren: There’s actually a part of Shashank’s thread that touches on this. One person argued that the West was still better at offensive cyber. Some of the actors we count among the top of the line don’t even have that much operational experience. We talk a lot about the Chinese, but they have far less operational experience than we do.
Grugq: To me, this depends on what you describe as offensive cyber. I wrote a paper on offensive cyber. The definition from US, Australian, UK doctrine talks about it being disruptive, you know, degrade, deny, destroy. Whereas in the broader community, offensive cyber is anything hacking.
Tom Uren: If you’re saying that China doesn’t have a lot of cyber espionage experience, then you’re delusional. It must be the other one.
Grugq: If you’re looking for operational experience, Russia has actually used cyber disruption in a shooting war, which counts for something better than a glowing symphony.
Tom Uren: Probably in a tweet, we’re not getting the entire context. There might have been some nuance. Another part of Shashank’s thread mentioned European officials seeing a lot of positioning on critical infrastructure, with some of those being Chinese and many being Russian.
Grugq: If you’re talking about those as your adversary, you would probably argue that the Russian forces actually have the greater and more recent operational experience. Not just with gaining access, but with being detected and kicked out, which is useful to know.
Tom Uren: It’s interesting that someone would argue that. Maybe with the Chinese, but Iran almost certainly does not have the same operational experience as the US.
Grugq: It also depends on what you think you’re trying to do with that. The US would try and get surgical strikes integrated with conventional military. Chinese forces might not be able to pull that off or even care.
Tom Uren: In a possible invasion of Taiwan, if you’re going to disrupt critical infrastructure, you need a time and a date and a plan. It’s not a particularly high bar to clear.
Grugq: Right, it’s not like making sure that the centrifuges degrade by exactly 88% every 27 days. That’s a very specific sort of thing that’s hard to achieve. Turning out the lights at 8 PM on Saturday, a lot of people can hit that one.
Tom Uren: Another interesting point from Shashank’s thread was about European cyber defenders operating within an ancient system of peacetime-crisis conflict. They have shiny cyber commands in many allied countries with no mandate to operate during supposed peacetime.
Grugq: Cyber operations are really useful in peacetime. You can’t use military force in peacetime, but you can hack everything. If your cyber commands are doing nothing during peacetime, they’re standing by when they could be the most useful.
Tom Uren: It’s gross negligence to have a cyber command and not use it during peacetime.
Grugq: It’s like purchasing a fighter aircraft and then parking it on the runway, expecting it to fly when you need it after years of inactivity. Cyber is similar in that it needs to be constantly maintained and practiced on.
Tom Uren: People get hung up on the idea that if it’s military, it must be used for destruction. The value in those organizations in peacetime is trying to disrupt adversaries. There’s no shortage of adversaries that you can go after that are absolutely fair game.
Grugq: If you’re not responding or trying to counter adversaries within your legal boundaries, you’re not partaking in the great game at all. You’re just sitting by doing nothing.
Tom Uren: That reminds me of a funny thing that happened right after the Russian revolution in 1917. The Russians were fighting Germany during World War I. The revolution happened, and the Soviet government decided to stop fighting because they believed it was a war between capitalists. So they didn’t negotiate for peace with Germany; they just walked away. Germany advanced, taking more ground until the Russians had to come to the table to negotiate peace.
Grugq: Exactly. It’s like they just decided they’re not fighting, and the other side didn’t agree.
Tom Uren: There’s another tweet in the thread that actually says, “We cannot out-resilience our adversaries. Every kid in the schoolyard who’s bullied knows if you want to make the bullies stop, you have to stop them.”
Grugq: Those tweets go together. One of the things Shashank mentions is that in Israel, there was concern about Russia passing advanced cyber tools and tradecraft to Iran. But in Oxford, one person noted that it would be surprising because Russia has a history of infecting Iranian infrastructure for fourth-party collection, piggybacking on Iranian spying.
Tom Uren: Those things aren’t inconsistent. Why would they make the Iranians better at spying if they’re already stealing everything the Iranians steal themselves?
Grugq: Exactly. The logic works the other way—they’ll give them advanced tools so that they can piggyback off better spying.
Tom Uren: Similarly, there’s confusion where they talk about how we’re worried that Russia and China are getting better, but they don’t use the tools or have the experience. It seems like cognitive dissonance.
Grugq: There’s a perfect Mulla Nasruddin joke about this. Mulla goes to market and buys a liver. Someone gives him a recipe to have the best liver. A crow steals the liver, and Mulla shouts, “You won’t enjoy it, I have the recipe.” This sounds similar: “You might have the best cyber actors and capabilities, but you won’t enjoy it, I have the recipe.” They’re missing the point.
Tom Uren: It sounds like it was a good conference. I appreciate Shashank wrapping it up like this. The point of those conferences is to share information, and a thread like this gives us something to talk about.
Grugq: They really would have benefited from having a couple of nerds.
Tom Uren: Thanks a lot, Tom.
Grugq: Thanks a lot, Greg.
Unfortunately, when I mentioned the episode on defensive cyber, I referenced the wrong one. I’ve been listening to a lot of cyber security stuff during exercising, and I got them confused.
As for this one, is there anything unclear?
The first 20 minutes or so are infosec nerds talking about CrowdStrike. Summarizes what we think we know so far. Last 13 minutes are a sponsor interview.
Risky Business #756 – Move fast and break everything