Michael A. VanPutte - Walking Wounded: Inside the U.S. Cyberwar Machine

Walking Wounded

Inside the U.S. Cyberwar Machine

Michael A. VanPutte, Ph.D.

Lieutenant Colonel, U.S. Army (retired)

The offices of the Secretary of Defense, Director of National Intelligence, and Secretary of Homeland Security reviewed this manuscript to ensure it did not contain any classified or sensitive Government information and have no security objections to its publication. The redactions throughout this book are information these government agencies censored without explanation. This review, however, should not be construed as an endorsement of the authors views.

I appreciate your suggestions, comments, and criticisms. You can reach me at or my website at
www.mvanputte.com.

Copyright 2016 Michael A. VanPutte

All rights reserved.

ISBN-13: 978-1539945611

ISBN-10: 1539945618

Dedication

To three ladies: Linda, Ashley, and Brianne.

Contents

List of Illustrations

Foreword

Want to learn how to pick a lock?

What was your initial reaction to that question? How would you feel about a lesson on how to hi-jack communications, guess peoples passwords, and exploit computer software?

Initial reactions to these questions almost invariably fall into one of two categories. Some people react with curiosity: Oh! I always wondered how that worked. Other people assume the person asking these questions is a criminal, or at least up to no good. They dont want to learn the skills or even understand how the systems they manipulate work, because only criminals would be interested in how to pick a lock, and these people being asked this question are obviously upstanding citizens right?

It isnt inherently wrong to know (or want to learn) how to pick a lock. After all, this is a technology you use and depend upon every day, so wanting to understand it better is reasonable. Unfortunately, the people who respond as described in the second group are falling into the trap of labeling some kinds of knowledge as bad.

The lock picking questions and skills alone have no intent or morality associated with them. Allowing preconceived notions regarding intent or morality to prevent learning can make it very difficult to make informed decisions later. Buying a lock for your gym locker, home, or bike? Knowing how locks work, their shortcomings, and the different classes of lock types, with their varying benefits and limitations, can come in pretty handy.

I wish I could tell you that most people fall in to the first category and that everyone is open to learning new things. Sadly, its more common for people to allow their stereotypes and assumptions regarding intent and morality to keep them from learning about the world around them. This second, less curious category of student is unsurprisingly somewhat prevalent in the U.S. Government and military complex. After all, people in the government or military are busy people with lots of important decisions to make, and being willing to question their assumptions takes time. Of course, when it comes to matters of security, a total unwillingness to take in new data that challenges your point of view can lead to disaster. Being able and willing to re-evaluate assumptions is important to strong decision-making skills.

###

Today Im going to show everyone how to pick locks, remotely compromise a computer, crash an unknown software application, and Im going to show you how to guess the passwords of everyone else in this room. These were probably pretty close to the first words that Mike VanPutte, then a Captain in the Army Corps of Engineers, heard from me in 1999 at the Army War College in Carlisle PA. A year later he would hear more things like this, again from me, in front of a group of officers at the Naval Postgraduate School in Monterey CA.

I wanted to teach these future government and military leaders how to be hackers.

To many people, the word hacker has strong criminal connotations. A hacker to them is some geeky, gangly teenager in his parents basement trolling people, breaking into corporate computers, and generally trying to cause global thermo-nuclear war. This is a misconception and a perversion of the original definition of a hacker. A hacker is simply a person who can take a system, be it complex or simple, and figure out how to make that system do things it had not been intended to do by the people who built it or by the people who normally make use of it. Hacking can happen in all types of domains from the arts to the hard sciences. Tinkerer, explorer, maker, experimenter, and inventor: these are all synonyms for hacker, as I use the term. Unfortunately, to many, the synonym for hacker is criminal.

The immediate, short-term goal of lecturing these classes was to teach young officers in the Department of Defense (DoD) some core skills of computer security hacking and how to critically examine assumptions about software and systems. We covered how to pick locks and how to exploit buffer overflows, race conditions, information leaks and object re-use. The more important longer term strategic goal, however, was to identify true hackers within the DoD, encourage them, and hope they would take the hacker way of looking at problems with them into more and more significant leadership positions in the United States Government: Influence them positively early in their career and hope for the ripples of change to become waves years later. This is where Mike VanPutte comes in. While Mike has been kind enough to credit me and a few others for being the ones to open his eyes so he could see how a hacker sees the world, think how a hacker thinks, the fact is Mike was already a hacker. He just did not know it yet.

Mike was one of the (few) people at the time who took in the new information without prejudice. In fact, thats an understatement. Mike ravenously consumed the new information and was very enamored with the different thought processes that allowed him to look at new problem sets, new technologies, and new situations and see them differently from his peers.

I kept bumping in to Mike as he progressed through the ranks over the years from Captain, to Major, to ultimately a Lieutenant Colonel (then retired) and fellow Program Manager at DARPA.

Mike was early to the game of full spectrum Computer Network Operations (CNO), a Department of Defense term that is commonly used to cover all aspects of DoD cyber, not just defense. Luckily he had figured out that the more data he took in, without prejudice, the more novel conclusions and solutions he could achieve later. The key to a great strategy is to have multiple options, is how I have lived my professional life. Mike has made use of this strategy as well.

Even people who may think that they excel in challenging assumptions and thinking critically usually have a significant blind spot. Most blind spots stem from the fact that its easy to challenge assumptions that other people make, but it can be downright frightening to challenge your own beliefs when new information comes to light. People of all walks of life and intelligence level can fall into this trap.

Mike spent a lot of his professional life in the U.S. military, both as a soldier and a civilian. This is an institution that rewards, even requires conformity and homogeneity. Free thinking, exploratory tinkering, hypothesis challenging, and other characteristics that I looked for in the people I trained were not typically the most rewarded traits in the DoD. Being in this environment most likely impeded some of Mikes ability to explore and critique, but the fact that Mike not only survived, but flourished, implies that the attributes Im describing were more of an asset than liability.

Both Mike and myself have both been honored with the highest medal that can be bestowed by the Office of the Secretary of Defense upon a civilian. We are very different people; one of us comes from a long military career followed by civilian service, the other a long haired liberal-leaning hacker. What we have in common is that we fall into the first category of people: curious, open to taking in new data, and trying to never ascribe intent or morality to context-less information.