A
Hello, everyone. This is Tom Uren. I'm here with the Grok for another Between Two Nerds. G'day, Grok.
B
How are you? Good day, Tom? I'm fine. And yourself?
A
I'm very well. This week's edition is brought to you by Push Security, who bring security to the browser, the place where it actually really matters. Find them at PushSecurity.com. So over the last couple of years, there's been this trend of the Chinese state, initially Chinese state media, and more recently Chinese cybersecurity companies, being a lot more public about state hacking. State hacking where they're the victim.
B
Right.
A
And so, for a change. So this is, in a way, it reflects what happened in the West, but for a long time, they basically said nothing. They would just say, we never hack. The US is the biggest hacker of all. And then it became more concrete, I guess they would say, the NSA has done this to us, and they would cite a particular hacking incident. And more recently, in the last year or two, off the back of that, those announcements have appeared in Chinese state media. So you can bet, like, it's a sanctioned thing. Off the back of those publications, there have been cybersecurity companies that have actually published a bit more technical detail about what's actually gone on.
B
Right, right.
A
And that, in a way, reflects what happened in the West. For a long time, there was very loose, weak acknowledgement that it was going on. And then it's changed. This phenomenon, this change, particularly in China recently, has made me think about the kind of costs and benefits.
B
Right.
A
Of both sides, because the people who were not talking about hacks where they were victims, like, they had their reasons.
B
Yeah, absolutely. So I've actually, I've been thinking about this a fair amount over the years, and I put together some notes on it, because I think once you know about, like, offensive counterintelligence, basically the use of counterintelligence techniques to impose costs, for example, on the other side, you look at, how do you respond to an intrusion from a counterintelligence point of view, which is we now know something that they don't know that we know, which is we know that they like. Right, right. They're unaware that we have detected them. That gives us an advantage in knowledge. As soon as we announce that we've detected them, we lose that advantage. Like, we're giving away that piece of intelligence.
A
So this is in the context of spy versus spy, like real human assets. That's offensive counterintelligence as a concept or a practice.
B
So the problem is counterintelligence is almost an umbrella term for a lot of things, from making sure you have a safe to put your secret documents in to recruiting spies in the other spy agency to ask them what they know. So it's sort of all of everything. So offensive tends to be things that you do deliberately to attack the other side, whether it's try and recruit from them or try and monitor, you know, do a technical penetration to monitor their stuff, et cetera, like just more aggressive things that directly hurt them. And I. I do think that there's an offensive counterintelligence component to publication, for example. Right. Like, you directly impose costs because you are burning their tools and their infrastructure and.
A
Yeah, yeah. So to put that into a human context, I guess I thought that was.
B
Perfectly legible to literally anyone who's, you know, been reading espionage books for the last 10 years.
A
So what I was thinking is that an example might be, you know, you identify a Russian spy, and rather than immediately arresting them and revealing that, you know that there's an opportunity there for you to do some other operation that might take advantage of that knowledge. So there's a benefit to having them to keeping that knowledge secret, and there's a potential benefit and cost on the flip side to arresting them or expelling them or whatever. And so I guess, yeah, in the cyber context, it's exactly the same. It's just that there's different costs and benefits.
B
Right, right. So just to run through very briefly: if you have detected a spy, if you announce that, they're going to send another spy, but this one you haven't detected, so it puts you at a disadvantage. Again, if you have detected him, he probably has people that he's recruited. So if you monitor him, you can find out how bad things are for you, because he's going to be talking to other people. Additionally, by monitoring them, you will learn their tradecraft, which will allow you to then detect other people, because you'll know sort of things to look for. And also, you could start doing, as you've said, you could start doing operations where if you can find someone that they've recruited, you could then use them to feed information into this enemy spy apparatus.
A
I mean, this actually maps sort of surprisingly well onto what you might do with an implant or operation you detect.
B
Right, yeah, exactly. I think it probably requires tooling that doesn't necessarily exist, unfortunately. But.
A
And I mean, this applies in the context of state espionage. I don't think it applies in the.
B
Context of ransomware. It's, "Now we'll find out what they want to do. Oh, they wanted to wipe all of our servers."
A
Yeah, but I've not heard of people really thinking about, okay, we've pinged them. It's just an automatic. Well, it's a victim.
B
Get them out, get them out, get them out. Yeah. There's no right. So, like, the term, at least that used to be used, is you wrap them in cotton wool. So you basically make it so that they don't know that anything's changed, but that they can no longer do any harm. And then you use that sort of, here's the thing that you know about and it's not going to hurt you anymore, so you can just leave it in place and allow the enemy to waste resources trying to get information. All that stuff. I don't know of any tooling in cyber that would do the same sort of thing, that would basically allow you to leave an infection in place without alerting the other side they've been discovered, but without giving them access to anything as well.
A
I guess that kind of shifts it to the publish and reveal, or just silently, ideally. Silently, I guess, cut them off so that they're unaware, I suppose. Yeah.
B
And so this, this is a sort of psychological part of hacking that I find very interesting that as far as I know, people haven't really talked about, which is that as an attacker, when you lose access, that's all you know, right? Like, you went from, I had access and then you come back into work the next day and you don't.
A
Yeah, my implant was pinging me and now it's not. Right.
B
And it's. You have no idea what that means, right? Like, does it. Does it mean that you were discovered or does it mean that there was a hardware failure and. And it's going to come back up.
A
Someone changed a firewall randomly, right?
B
Someone made a hardware change to increase their disk size and they ended up reinstalling a new version. And now, you know, your implant has been removed accidentally. So a friend of mine was telling me sort of a funny story that relates to this. So his company had been hired to do some pen testing against some other company. And they were doing all of their stuff. They had, you know, a lot of implants, and these would be in, like, multiple places over different protocols and all that stuff. And they come in on the Monday and it's just completely dead. Like, nothing's responding. So then from the office, they try and go, like, oh, is it us or is it them? And so they tried pinging the servers just regularly. And that's getting blocked as well. Like, they're pinging into nothing. And so they figure out this incredibly embarrassing thing has happened, that the blue team has detected them and just black-holed their entire IP list. And they're going to have to call the CTO and be like, hey, you know, we got found out, but we haven't finished our pen test. Could you have them un-black-hole us so we could just finish the job for you? So this guy is facing this very embarrassing phone call of, like, yeah, I know I told you we were elite, but obviously your guys found us and the measures they've taken have just blocked us entirely. Could you please undo that? So he phones up and the CTO goes, oh, hey, look, I can't talk now. A backhoe cut the fiber to our data center. Why?
A
So I guess if you're NSA, you're not going to ring up the Chinese and say, hey, yeah, we will be, but you will be in the same situation of not knowing.
B
Exactly.
A
Right.
B
So you're in this state of uncertainty, and this imposes costs. And it all comes with this fact that you're sort of in this fog of not knowing what's going on. Right? So you're facing all of these problems about, like, were you detected deliberately? Like, were they hunting for you, or was this a coincidence where someone just went, oh, that's funny.
A
Yeah. And what do you do about it? I guess more to the point. Right.
B
So it's like each of these questions has an operational response that has a cost, whether you take it or you don't take it. And if you choose wrong, the costs are even worse because you haven't remediated the actual problem. So it's like, was I detected or was it a coincidence? If I was detected, was I detected by an internal team, by a vendor, by the state who is aware of me and is going around to companies and looking for stuff, or is there like a group of vendors that has started working my operation specifically and is hunting me directly?
A
Right, yeah, yeah.
B
Then if you were detected, how were you detected? Is it your tooling? Like, do they have a match that your tools now ping? Do they have access to your infrastructure and they're just looking at everything you're doing? Did they learn how to spot your tradecraft and now they have like matches for types of things that you do? Or was it dumb luck and you don't need to worry about it? And then it's how big is the impact of this? Like, was it this one company that found you and they just replaced the machines that you're on, they're not going to tell anyone because it's going to impact their business and it goes nowhere. Or is there now a vendor who has a file on you and is going to be looking at you, looking for you with the stuff that they know everywhere?
A
Yeah. People quite often talk about the advantages attack has over defense.
B
Right.
A
But people very rarely talk about this sort of flip side, which is the. Although there are some advantages if you're dealing with a. I guess it has to be an enduring intelligence target. Right, right. Not just a one-and-done. But you know, you want to be there again and again. Right. There are quite a lot of decisions where you, you know, you get pinged. What do I do about that? I probably need to change something, but what is that something? And how much time and effort do I devote to changing things?
B
Right.
A
And then it's just things.
B
Right. And so you don't know what to replace. You don't know how much to replace. You don't know where it needs to be replaced. Like, is this a countrywide problem and you don't need to go and replace all of your other infrastructure, or is this a worldwide problem and you now have to go and connect to every single implant that you have and upgrade it to your new version? And then you don't know, is this the first of these that's going to come out? Like, is this the first loss that I have, or is it the first of many? And then overall you just have this general anxiety of not knowing when the shoe is going to drop. Like, you know that you've lost access, but you don't know how bad it is. And so whatever remediation you take, you'll always be left with this idea of, like, did I do enough? I think this actually is a very good corollary to our discussions of the attacker's advantages. You have immediate feedback.
A
Right.
B
Like something works or it doesn't work. This is the inverse of that because you have absolutely no feedback.
A
Yeah.
B
Right. So it sort of plays into the same category of issue, like how much information you have. And in this case you just have absolutely none. And that can be like, that's very stressful just in itself. Right.
A
Yeah. Yeah. So I was thinking about how in the world prior to where publication was kind of normalized.
B
Yeah.
A
I think all those are advantages. And then once publication is normalized, I don't know that all of those go away, but.
B
Right.
A
Well, it's because I think publication usually happens quite some time after the incident. So you're still dealing with that. And mostly I don't think they probably don't tell you enough to know exactly the. They tell you some of what they know, but they don't tell you everything. Right. So it's not as if it's a total loss if you. Yeah, so, and I'm talking about technical publications that say, you know, we found this actor, yada yada, not the.
B
Ones where it's like a threat actor was found in, you know, the telecommunications, food, aviation, energy, retail, you know, whatever government sector that has been associated with denial of service, economic theft, trade secrets and intelligence collection. So yeah, like, it collapses some of the uncertainty, obviously not all of it. It does resolve, like, were my tools burned or not? Because there'll be IOCs and things. And it's how much of my infrastructure do they know about, or do they tell me that they know about? I guess. But even so, I think again there's an offensive counterintelligence side to this that is not very often acknowledged. So, you know, people are very, very aware that, like, when you publish stuff, it is a benefit to defenders because it increases their knowledge, et cetera. But it's actually burned capability as well to the attacker, and it hits them in a bunch of ways. So, like, there's direct costs of, like, the infrastructure, the tradecraft and the tooling that gets burned. There's the direct cost of, like, you have to now replace all of that stuff. Like, you know what you have to replace, but you have to go and do it now as well.
A
Yeah, right.
B
So that's a cost. It still has some uncertainty, as you said, like you're not entirely sure.
A
I guess it reduces the chance that you'll do too little work.
B
Right. But I think the more important one, in a way, is that it imposes constraints on your tasking. Right. So if you are a state hacker and your job is to read the President's emails of some country, even if you get caught, your tooling gets burned and everything, your job is still to read those emails. And you can do a lot of technical things, right? You can get new tradecraft, entirely new tooling, new infrastructure, but there's only one Exchange server. It doesn't actually change what you're ultimately trying to do. And so because the adversary, like, the defenders are now aware that you get onto that Exchange server, they know to monitor it and to look for things, just because that's what you have to do. So they're going to know where to look and they're going to be more suspicious and they're probably going to harden it and they're going to take additional steps to make things, you know, to make your life more difficult overall. Like, because this is, like, iterated. Like, every time you get discovered, these costs pile up. It's a cumulative game. Right. Every time you lose, the costs are worse.
A
Yeah. I think, if I remember rightly, there was a blog post by Scott Piper, who's a cloud security person, a long, long time ago, and he was sort of making a similar point that once you detect something, you can key off that and find more and more stuff. And it's actually, I guess, maybe not exponentially bad, but it's not, like, linear, because if you haven't changed stuff and you get detected again, like, there's more. Now you have more surface area, or.
B
Yeah, now you have double. Like, you've doubled the number of things to look for.
A
Yeah. And I suppose that's an argument for doing more work when you're detected.
B
Yeah, but there's an opportunity cost for that as well. Yeah.
A
Right.
B
Like if you, if you retool, that's fine, but while you're retooling, you're not, you know, hacking and you're not collecting.
A
Yeah. So going back to the Chinese change in. Is it strategy? In. In.
B
I think so, yeah.
A
Openness. It seems to me that cybersecurity companies have reported more technical detail off the back of the state media. Like, in the West, the dynamic is that cybersecurity companies publish technical stuff to display their chops. It's like a PR or marketing exercise. I don't know if that's the same dynamic in China, and it seems like they were maybe restrained by. Well, firstly, if you're a Chinese company, you're never going to admit that the Chinese state has been hacked unless it's okay to.
B
Yeah, that's very obviously been approved by the state.
A
So they must think at this point that they're getting more benefit out of publication than they are out of just keeping quiet about it.
B
Right. So I think maybe they've been looking at the last however many years that they've been getting hacked, that they've known about it, and tried to figure out what benefit did we get out of keeping silent. So I remember sort of, like, their first tentative steps into saying, like, we were getting hacked by the US, were really. They were not intended to impact the operational capability of NSA. Like, the strategy behind it was very much a political one: the US accuses us of hacking all the time, but as you can see here from, like, the Shadow Brokers leaks, they hacked us in 2010 one time. Which just shows who the real villains are, if you think about it.
A
Yeah, yeah. So it's an international political move, rather than operational.
B
Yeah. It wasn't focused on degrading their technical capability or their ability to operate in any way. It was just trying to impose costs on the state that employs them. And I don't think it was very effective in that. But here's the thing is, I think they probably realized that as well after a while, that there's no benefit that they're getting from this. Like, there's some, like, if you're very cautious about, like, how much do we reveal? I think the timeline here would match an incredibly cautious approach to that, where you're like, okay, 10 years ago we, you know, made this minor reveal that was okay. It wasn't great. Now we could maybe do a little bit more, you know, like, it wasn't the end of the world.
A
Right. Yeah.
B
You know, and I wonder if there's.
A
Some internal dynamic where it's just unacceptable to tell Xi Jinping, or whoever is at the top, that, oh yeah, we did get hacked.
B
Right.
A
It's not until you cross that hurdle and it's acceptable to say that, that you can even.
B
I would be, I would be shocked if it came as a surprise that the NSA is like listening to their.
A
Phone calls. Or that story about the presidential plane, which used to be a Boeing. I'm not sure if it still is. And they sent it over to the US to get maintained, or a major service or something like that.
B
It came back trailing wires.
A
Exactly. And this was published somewhere. I can't remember that.
B
That sounds so plausible. I absolutely.
A
What newspaper? But yeah, very funny. So the other thing this discussion makes me think of is that way back in BTN 36, we spoke about the US releasing this really in-depth report about the Russian foreign intelligence, or internal security intelligence, the FSB's Snake malware.
B
Yeah, yeah.
A
And they've been using this malware for 20 years, something like that. And this report went into a tremendous amount of detail.
B
It basically listed the first committers, like the first committers' firstborn by name, and then listed the school that they graduated from. Right. Like, there was everything in there. They really, like, they burned it to the ground. Like, that was comprehensive.
A
So that, at the time, it was quite clear that, like, we're publishing everything so that you have to, like, just totally abandon it. It's like something that's not.
B
Nothing can be salvaged from this.
A
And it makes me think about, like, why would you make that? Like, at what point in time do you make that decision? Because it's not after 20 years, apparently. And I mean, they must have had, like, 95% of that information for I don't know how many months beforehand. It's not as if they went, ah, we've got the final piece of information.
B
Finally we know that it's called Snake, we can publish. Right? Yeah, I mean, because that's the other thing is, like, the information that they put out was, like, it wasn't just technical, it was about, like, here are the different teams that use it and here is where they are located inside of Russia.
A
Yeah.
B
That's not, like, you don't learn that on the first weekend after discovering something. Right. Like, that's a lot of, like, that shows that they were monitoring this for a long, long time. So my guess is, given the information that they had, they probably got a lot of value from, as we were saying at the beginning, monitoring what the. Like, knowing that you can see them and then monitoring them. It sort of strikes me as if there's a guy who believes he is invisible and no one tells him that they can see him, just to see the crazy stuff he gets up to. You know, like, you could all just watch him doing crazy stuff and being like, he doesn't know, does he?
A
So it seems to me that the idea of publishing, it seems like there's a sort of rough consensus, at least to a greater or lesser degree, that publishing is on the whole good. Even for some of the sneakiest attacks that have gone on and have affected the US government, there's been a fair amount of technical detail published about them. Like, I'm thinking about SolarWinds and.
B
I was thinking OPM, like, right. That's the sort of thing because it's not an attack against a commercial thing, that's just pure espionage. You would have no reason to report that, like, from a political point of view. You're not going out and saying, like, it's not the APT1 report, which was very much here's state-sanctioned economic espionage, you know, it's very much against norms, et cetera. This was, here's the state stealing state secrets from us. That's bad. You know, you can't get that political leverage. But they still came out with it.
A
Anyway, which I think that was, like, a Senate report or something. The one I've read that was very comprehensive was the Senate report. Right, right. So it feels like there's just a culture or a system where those kinds of reports can happen unless there's efforts to suppress them. And that the default is that, when they become very significant, you do get them trickling out over time. And it's not really a sort of measured decision on publishing as a counterintelligence thing. It's just the default.
B
Yes, it's. There's probably so many actors involved, in terms of, like, senators and their aides and all that get briefed, and they could leak it, for example, if they felt that that was beneficial to them. So I think you. Yeah, you'd have to make a deliberate counterintelligence decision: this needs to be kept secret, and then you can, you know, classify it and work on making sure it's not leaked. Yeah, but that's probably not the default. Right.
A
Yeah. Well, I was thinking also about Kaspersky and Triangulation, where they did a similar kind of very in-depth report about. I'm presuming it was an American implant, or technique, for iPhone compromise. And so again it's. We've got at least two countries, because you can be sure Kaspersky didn't publish it without.
B
Yeah. Given the amount of government stuff, like, the number of people who were in government who got hacked, there's no way that the state didn't have a say in whether it was going to be made public or not.
A
Yeah, yeah, yeah. So it seems like we've got at least two states where publishing is okay or sometimes even encouraged.
B
Right.
A
As a.
B
Right.
A
And then China is gradually joining the party.
B
Basically. To sum up what I've been thinking about is sort of that there's this offensive counterintelligence aspect to incident response, and it begins with sort of eviction. Like, as soon as you've evicted someone, there's an offensive counterintelligence aspect, like, you've started imposing costs. And those are primarily about uncertainty, where they have to figure out what the correct reaction is. And if they over- or underreact, it could basically impact them further down the line. So there's this fog of uncertainty, this anxiety and all this stuff. And then when a publication comes out, you resolve some of that. Suddenly, you know, okay, how was I discovered? How big is the compromise to my infrastructure? What do they know? But at the same time it now means that those things are absolutely burned. For sure. You have to remediate, you have to do something about it. And obviously you're not entirely sure if they've published everything that they know.
A
It's like management by publication, where a publication is actually like a task list for the other side.
B
Right. There you go.
A
CrowdStrike's just released their report. Here's your job list. Except it's an incomplete task list.
B
Right. We could replace reports with JIRA tickets. That's right. Thanks a lot, Tom. Thanks, Grok.
Podcast: Risky Bulletin
Host: Tom Uren
Guest: The Grok
Date: January 26, 2026
In this episode of "Between Two Nerds," Tom Uren and The Grok dive deep into the evolving dynamics of public disclosure around state-sponsored cyber operations—specifically, the increasing openness of Chinese state media and cybersecurity firms about being hacked. They explore the strategic calculus behind revealing or concealing knowledge of adversary intrusions, drawing parallels to traditional counterintelligence, and discuss how uncertainty after an attacker loses access ("the fog of war") shapes the responses and costs on both sides.
On the Psychological Game:
"This is a sort of psychological part of hacking that I find very interesting... when you lose access, that's all you know... you have no idea what that means..."
On Costs for Attackers:
"It's like, was I detected or was it a coincidence? If I was detected, was it by an internal team, by a vendor, by the state... And if you choose wrong, the costs are even worse."
Disclosure as Management:
"It's like management by publication, where a publication is actually like a task list for the other side."
Case Study Story (Pen-Testing Fail):
"So he phones up and the CTO goes, 'Oh, hey, look, I can't talk now. A backhoe cut the fiber to our data center. Why?'"
On State Publication Normalization:
"So it seems like we've got at least two states where publishing is okay or sometimes even encouraged. And then China is gradually joining the party."
The episode is technical, conversational, occasionally irreverent, and often self-reflective—balancing deep intelligence philosophy with practical anecdotes and wry humor.
This summary captures the dense, insightful conversation, providing a comprehensive outline for listeners and readers alike.