Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

These are references to some extra material related to ZeroNights 2014 keynote talk. Please also refer to the main web page for the talk, although some of these extra topics were only brought up in the conversation with the audience (and were not specifically referred to in the non-slides).

Related talks by FX and Sergey Bratus
Especially H2HC 10 Keynote (PDF) and Information Security War Room (USENIX Security 2014 Keynote, PDF)

LANGSEC: Language-theoretic Security

GameSec: Conference on Decision and Game Theory for Security (takes place each November, varying locations)

Evolutionary game theory (Wikipedia)

<solardiz> Can evolutionary game theory answer how we evolve in terms of order vs. anarchy, infosec vs. antisec?
<maradydd> @solardiz that's one of the questions that's been eating my head for a few years now.
<solardiz> @maradydd I thought someone was on it already, but I couldn't find much, except e.g. https://www.schneier.com:443/blog/archives/2012/01/applying_game_t.html http://www.infosecisland.com/blogview/19990-Game-Theory-Anonymous-Causality-and-2012.html

<solardiz> Evolutionary game theory applied for a national security aspect, but not for infosec yet: https://www.sciencedirect.com/science/article/pii/S1877050912006357
<solardiz> Predicting adversary's behavior, by @maradydd: https://bsideslv2014.sched.com/event/6c2dd728abc42ccafc9db82727bb5e43 https://www.slideshare.net/maradydd/strategies-without-frontiers https://www.youtube.com/watch?v=jWxtTsRJOYg h/t @sergeybratus
<solardiz> @sergeybratus Wow. @maradydd's talk is indeed closely related, especially starting with slide 43, "Games in the transparent society".

<daniel_bilar> @solardiz My answer: GT is not rich enough to capture adversarial dynamics where game is implicit and emerges, rules & goals are not know
<daniel_bilar> @solardiz See 2012 a case study using conficker viz env/defenses as an example paper https://www.docdroid.net/agqw/2013-bilar-adversarial-dynamics-pdf ppt https://www.docdroid.net/h5gw/bilar-slides-81v3-pdf

Evolutionarily stable strategy (Wikipedia)
It is an evolutionarily stable strategy for most individual people to accept the complexity growth in IT as a given (with its associated security and robustness risks), rather than try to avoid it - but is it also an evolutionarily stable strategy for our society? It's a local minimum (or maximum, depending on what we measure) that we're trapped in.

Wassenaar Arrangement

<violetblue> I think the Wassenaar "Arrangement" is a prickly, inconvenient reminder that we're part of someone else's long con.
<sergeybratus> @violetblue We argue that WA could lead to worse overall effects on computer security than even 1990s Crypto-wars: https://www.usenix.org/system/files/login/articles/02_bratus.pdf
https://www.usenix.org/publications/login/august14/bratus_wassenaar

An "evil" company trying to meet WA requirements:

http://www.vupen.com/english/services/lea-index.php
"As of December 4th 2013, exploits are regulated and export-controlled as a "dual-use" technology listed in Category 4 ("intrusion software") of the Wassenaar Arrangement.

Access to this service is thus highly restricted, and is only available to approved government agencies (Intelligence, Law Enforcement, and Defense) in approved countries. We automatically exclude:

- Countries which are subject to the European Union Restrictive measures in force (Article 215 TFEU) - Countries which are subject to international embargoes adopted by United Nations - Countries which are subject to international embargoes adopted by United States"

The company has since decided to move out of France (some interpret it as a success at regulation curbing evil behavior, some others as an example of how regulation is bypassed by evil players anyway, some as being unrelated, and some don't find the behavior evil):

<cBekrar> The US didnt include "Intrusion Software" to their list of controlled dual-use tech as of today. Funny to see USA as a heaven for exporters
<graham_steel> VUPEN confirm they're leaving France due to legal uncertainties and red tape https://lexpansion.lexpress.fr/high-tech/les-mercenaires-de-la-cyberguerre_1623549.html (French)
<jedisct1> VUPEN leaves France for Luxembourg or Singapore https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Flexpansion.lexpress.fr%2Fhigh-tech%2Fles-mercenaires-de-la-cyberguerre_1623549.html&edit-text=&act=url
<botherder> "We shall therefore liquidate the company before the end of this year" @cBekrar on relocation of @VUPEN outside of France.
<cBekrar> @botherder "Nevertheless, the righteous will hold to their ways, and those with clean hands will grow STRONGER" Job 17-9 ;-) VUPEN #America
<cynicalsecurity> For those speculating about @VUPEN's leaving France: @cBekrar clearly states it is because getting paperwork done in France is a nightmare.

Other regulation-related material:

https://blog.cyberwar.nl/2013/12/intrusion-software-now-export-controlled-as-dual-use-under-wassenaar-arrangement/

http://trade.ec.europa.eu/doclib/press/index.cfm?id=1166
http://lukatsky.blogspot.ru/2014/11/blog-post_12.html (Russian)

https://www.justsecurity.org/16706/international-agreements-and-disagreements-on-cybersecurity/
Maybe there's a difference in what's included in "infosec" in Russia and China (and some other countries) vs. the West - does it include (dis)information campaigns? coordination of activities in a society (e.g., protests)?

An older initiative related to the possibly different meaning of "infosec":

https://arstechnica.com/tech-policy/2011/09/russia-china-tajikistan-propose-un-code-of-conduct-for-the-net/
https://www.armscontrol.org/act/2011-11/china-russia-submit-cyber-proposal
https://www.internetgovernance.org/2011/09/20/russia-china-propose-un-general-assembly-resolution-on-information-security/
https://web.archive.org/web/20111128131504/http://blog.internetgovernance.org/pdf/UN-infosec-code.pdf

Dinah Shore - Yes, My Darling Daughter (YouTube)
Fragment used in the game starts at 1:49

Yes, My Darling Daughter - song origin and 3 versions (Ukrainian, English, Yiddish) (YouTube)

4188