Risky Bulletin – Between Two Nerds: Getting Pinged and the Fog of War
Podcast: Risky Bulletin
Host: Tom Uren
Guest: The Grok
Date: January 26, 2026
Episode Overview
In this episode of "Between Two Nerds," Tom Uren and The Grok dive deep into the evolving dynamics of public disclosure around state-sponsored cyber operations—specifically, the increasing openness of Chinese state media and cybersecurity firms about being hacked. They explore the strategic calculus behind revealing or concealing knowledge of adversary intrusions, drawing parallels to traditional counterintelligence, and discuss how uncertainty after an attacker loses access ("the fog of war") shapes the responses and costs on both sides.
Key Discussion Points & Insights
1. Shift in Chinese Disclosure Practices
- Historical Secrecy: For years, Chinese entities denied or ignored intrusions, often only accusing the U.S. of hacking.
- Recent Changes: In the past couple of years, Chinese state media and cybersecurity firms have become more public—and even technical—about attacks where China is the target.
- "It reflects what happened in the West, but for a long time, they basically said nothing... And more recently... those announcements have appeared in Chinese state media." (A, 00:14–01:13)
2. Counterintelligence: To Disclose or Not?
- Value of Secrecy: Grok explains how, analogous to human intelligence, knowledge of an adversary's implant or spy can offer strategic advantage—as long as the adversary doesn't know they've been detected.
- "As soon as we announce that we've detected them, we lose that advantage." (B, 02:31)
- The Human Spy Analogy: Monitoring a compromised spy (or cyber implant) can provide ongoing insight into enemy operations, tradecraft, and help spot additional threats.
- "If you monitor him, you can find out how bad things are for you... By monitoring them, you will learn their tradecraft, which will allow you to then detect other people." (B, 04:40–05:34)
3. Operational Considerations After a Breach
- Immediate Ejection vs. Monitoring: In traditional cybercrime (e.g., ransomware), defenders eject attackers immediately; in state espionage, there's value in silent monitoring—but tooling for this is lacking.
- "I've not heard of people really thinking about, okay, we've pinged them... it's just an automatic... victim, get them out, get them out, get them out." (A & B, 06:11–06:23)
- "Wrapping in Cotton Wool": The idea of isolating but not alerting attackers so that further intelligence can be gathered—rare in practice due to technical constraints.
4. The Attacker’s "Fog of War"
- Uncertainty: When attackers lose access ("get pinged"), they are thrust into uncertainty. Was it detection, an unrelated outage, or dumb luck?
- "As an attacker, when you lose access, that's all you know, right?... You have no idea what that means..." (B, 07:26–08:06)
- Anecdote: Tom relays a pen-tester's story in which losing access was at first blamed on blue-team detection but turned out to be a fiber cut:
- "So he phones up and the CTO goes... 'Abaco cut the fiber to our data center. Why?'" (A, 10:01)
5. Cost and Ambiguity for Attackers
- Analysis Paralysis: Attackers must decide how to react: retooling, changing infrastructure, or assuming it's a local-only issue. Each option carries opportunity costs.
- "Each of these questions has an operational response that has a cost, whether you take it or you don't take it. And if you choose wrong, the costs are even worse..." (B, 10:38)
- Persistent Anxiety: Grok describes the psychological toll of "not knowing"—the fog of war for the attacker.
- "You'll always be left with this idea of like, did I do enough?" (B, 13:46)
6. Impact of Publication
- Information Leakage: Public or technical reports partially resolve attacker uncertainty, but also provide defenders with detection means and burn the attacker’s tools/infrastructure.
- "When a publication comes out, you resolve some of that... But at the same time it now means that those things are absolutely burned." (B, 28:12)
- Cumulative Burn: Every public disclosure increases cost and risk for the attacker, not just by revealing IOCs, but by identifying tactics, tradecraft, and even targeting.
- "Every time you get discovered, these costs pile up. It’s a cumulative game… Every time you lose, the costs are worse." (B, 17:56–18:01)
- Task Lists: Publication often dictates a "job list" for attackers—starkly described by Tom:
- "It's like management by publication, where a publication is actually like a task list for the other side." (A, 29:21)
7. The Chinese Strategic Shift
- Internal and External Motivations: The shift toward disclosure in China may signal a calculated decision—the benefits of publicizing outweigh the costs, especially given the normalization of publication in the West.
- "They must think at this point that they're getting more benefit out of publication than they are out of just keeping quiet about it." (A, 19:47)
- Political vs. Operational Goals: Early Chinese disclosures were about countering U.S. accusations, not degrading NSA operations—a difference from technically explicit Western publications.
- "They were not intended to impact the operational capability of NSA. The strategy behind it was very much a political one..." (B, 20:49)
8. Case Studies: Full Disclosure in Practice
- FSB’s Snake Malware: The U.S. published comprehensive details about a long-lived Russian malware platform, burning twenty years of infrastructure and knowledge.
- "It basically listed the first committers, like the first committers firstborn by name... They really, like, they burned it to the ground. Like that was comprehensive." (B, 23:01)
- SolarWinds & OPM: Even when attacks are purely state-on-state, significant technical publication occurs—a feature of Western disclosure culture.
- Kaspersky & iPhone Exploits: Russia has also begun publishing detailed technical information on attacks it attributes to the U.S. (the Operation Triangulation iPhone case), indicating a trend toward normalization of publication across the major cyber powers.
Notable Quotes & Memorable Moments
- On the Psychological Game: "This is a sort of psychological part of hacking that I find very interesting... when you lose access, that's all you know... you have no idea what that means..." - Grok, 07:26
- On Costs for Attackers: "It's like, was I detected or was it a coincidence? If I was detected, was it by an internal team, by a vendor, by the state... And if you choose wrong, the costs are even worse." - Grok, 10:35
- Disclosure as Management: "It's like management by publication, where a publication is actually like a task list for the other side." - Tom Uren, 29:21
- Case Study Story (Pen-Testing Fail): "So he phones up and the CTO goes, 'Oh, hey, look, I can't talk now. Abaco cut the fiber to our data center. Why?'" - Tom Uren, 10:01
- On State Publication Normalization: "So it seems like we've got at least two states where publishing is okay or sometimes even encouraged. And then China is gradually joining the party." - Tom Uren, 28:06
Timeline of Major Segments
- 00:03–01:30 – Introduction, recap of Chinese media changes
- 02:00–05:34 – Counterintelligence responses: secrecy, monitoring, and costs
- 06:10–07:26 – Cyber evictions vs. surveillance, challenges of cyber-analogous practice
- 07:26–10:01 – The psychological stress and anecdotes about confusing outages versus evictions
- 10:10–14:09 – "Fog of war" costs for attackers; operational uncertainty
- 14:09–18:48 – Impact of publication: partial clarity and cumulative costs
- 19:06–21:59 – The Chinese internal calculus and political vs. operational motives
- 22:18–26:49 – Case studies: Snake/FSB disclosure, Western approaches to attack publication
- 27:22–29:28 – Russian and Western openness: triangulation case, shifting norms
- 29:21–End – Publication as a task list for the adversary, final reflections
Tone and Style
The episode is technical, conversational, occasionally irreverent, and often self-reflective—balancing deep intelligence philosophy with practical anecdotes and wry humor.
This summary captures the dense, insightful conversation, providing a comprehensive outline for listeners and readers alike.
