I really enjoy reading non-infosec books, audiobooks, articles and the like, consuming them with a mental exercise: finding out what lessons could be learned and applied to security.  My specific interests are in forensics, penetration testing, vulnerability analysis, exploit development, and profiling attackers.  Currently, as an occasional escape from technical material, I’m looking at some of Paul Ekman’s books on deception, with an eye for how it applies to topics like social engineering engagements, and even interactions with others in the infosec community.  Even with the controversy surrounding the research, there are some lessons to be learned, tricks to pick up, and things to think about.

As much as infosec professionals quote Sun Tzu’s The Art of War, I thought that I ought to check it out.  I downloaded a translation of it onto my iPod Touch and read through it in my spare time.  I felt as though I must have missed something, as I really didn’t see how most of it applied to security in anything more than a superficial way.

Now, at least I know that if I missed something, attrition.org missed it too.  They’ve posted a very well-reasoned analysis of the use of Sun Tzu’s work in infosec, pointing out all the places that it really doesn’t make sense.  Many of these are sticking points I also had when I tried to make the connection myself.  I especially agree with a fundamental point that the Attrition.org folk make: Defenders in infosec are strictly defenders, with their hands tied behind their backs when it comes to attacking the other side.  This is kind of a buzzkill for much of Tzu’s advice.

As with most Attrition.org articles, they pull no punches and call out people specifically.  This makes some readers uncomfortable, though I do think that it’s a fair and honest assessment.  Give it a shot if you’re looking for a good (and very different) read.

(Disclaimer: I have cooperated with the attrition.org guys on a couple of their writeups (though nothing compared to their original research), and I am pretty partial towards them and many of their views.  I just hope that if I ever stray into the danger zone of their “charlatan” list that I’ll have earned some kind of warning first ;) )

  4 Responses to “Attrition.org on The Art of War”

  1. Dude! Reading you is like reading a post written by me in a twilight dimension or something. Paul Ekman rocks! Did you see the TV series “Lie to Me”? It’s based on his research and he’s actually a consultant for the actors and screenwriters.

    Sun Tzu also rocks, but in a different way. I’m about to read Attrition’s post so not much to say yet… although I think it’s important to mention that some of it might have been lost in the translation… you know, from 6th century BC parchment traditional Chinese calligraphy to iPhone.

    Keep up the good blog!

  2. Thanks Dario. That feeling isn’t a complete anomaly. I actually subscribe to your posts in that twilight dimension, and that’s where I plagiarize all my content ;)

    I’m a big fan of “Lie to Me”. Ekman maintains a blog that discusses what’s right and wrong with each episode that makes for an interesting read: http://www.community.fox.com/drpaulekman/blog/

    As far as Sun Tzu goes, I think that Richard Bejtlich makes a good point that, while most references to Tzu in infosec aren’t very meaningful, it might have some application to honest-to-god cyberwar. Essentially, a situation where the players involved have the ability to strike back and go on the offensive.

    Thanks for the comment!

  3. Thank you for your site! I’m subscribed and I’ll keep on reading!

  4. Wow. I’ve read the Art of War about ten different times over the past 15 years, and I’m really surprised that it’s infiltrating white hat security sites as a trendy quotemine. The Art of War is generally very literal, referring to attacking from high ground, etc. It was literally meant as an instruction manual. Reading through it to find applications to security is kind of pointless, as the Attrition post points out; it’s just a cheap way to add gravitas to stale writing. Most of the quoted portions strike me as relevant to social engineering, at best.


© 2012 McGrew Security