Wednesday, May 8, 2013

China: "We don't hack, but the USA is guilty, too."

I love it when the diplomats issue press statements. The very best sophistry, rhetorical manipulation, and what logician/author Lewis Carroll called "invalid syllogisms" are employed. Today's New York Times story is an excellent example (read it here). Instead of the headline, "China Blasts Hacking Claim by Pentagon," they really should have used a version of my headline from above: "China Claims They Don't Hack, But That the USA is Guilty, Too."

Quoting H.L. Mencken,
Nobody ever went broke underestimating the intelligence of the American public.
The New York Times story would be an excellent exercise for dissection and analysis by high school classes.

Friday, May 3, 2013

Dutch Legislation a First Step Toward Cyber Privateering

Hey cybercriminals, do you hear footsteps behind you?
[What's that noise?]

Dutch legislation (see Computerworld story here) could open the floodgate of legalized "hot pursuit" in the cybercrime arena. Of two interesting paragraphs in the article, the first is reminiscent of my Cyber Privateer Code of Conduct (see here) and involves safeguards and oversight authority:
The bill foresees strict safeguards for the use of the new powers such as the approval of a judge, the certification of software used and keeping logs of the investigation data.
The second interesting thought comes from opponents to the bill. They're actually right on the money. If the bill becomes law, their prediction is a vast understatement of the "viral" consequences:
Moreover, the pending Dutch legislation could set an example for other governments which could start an arms race between hacking governments, [said Simone Halink of Dutch digital rights organization Bits of Freedom]. 
Next step: Privatization of the process, which will start a high-tech gold rush the likes of which will relegate the dot-com boom to a mere blip in the history books.

Wednesday, May 1, 2013

Larry Ellison Vignette in DESTROYING ANGEL

Note: I made Oracle's Larry Ellison the head of my Cyber Privateering Fantasy League team (see my nomination of Larry here). I couldn't resist giving Larry a cameo in Destroying Angel, and I include it here. Interestingly, the comparison between the ease of use of an M16 and that of an F16 fighter is actually an analogy that Larry made in a conversation with me. Enjoy.


[Following is an excerpt from Destroying Angel.]

Larry Ellison, founder and CEO of Oracle, the world’s largest producer of database management software, stood in front of the New York investment analysts’ symposium. Long past his horse race with Bill Gates for the title “world’s richest man,” the six-foot-two-inch Ellison looked every bit the part. Tailored to perfection, his clothes covered the lean, muscular body flawlessly.

Ellison made this semiannual pilgrimage to Gotham—during his hiatus from the Americas Cup yacht race or his attempts to buy an NBA basketball team—to prognosticate on the state of his industry and to reassure money fund managers that their substantial investments in Oracle stock would continue to ride high. One of the analysts had just asked about a Computerworld story criticizing database state of the art and the movement toward NoSQL “Big Data” solutions.

“Some tools are easy to learn but take longer to get the job done. Others take a long time to learn but obliterate the problem instantly. Kind of like an M16 assault rifle and an F16 fighter. You can learn to use an M16 assault rifle in an afternoon. It might take you the better part of a week to kill everyone on your block, but you could get the job done. On the other hand, you could take a year learning to fly an F16 fighter. But once you learned it, you could take out your block in one pass. We have both kinds of tools. We tell our customers to choose their weapons.”

The round of laughter confirmed that Larry had scored a bull's-eye with the analysts. The next question came from a broker who’d invested heavily in object-oriented technology that competed with Oracle’s relational database systems. Ellison’s handling of this question could determine whether the investors would stay with him another year or quietly abandon ship. He decided to out-object the object-oriented industry.

“Let’s talk evolution. The old hierarchical data structures are a subset of relational database methods. And relational is a subset of object technology. We’re always moving to higher ground, and we will give our customers a seamless, painless path toward object-oriented databases. For those of you who are confused about these different technologies, let me give you an analogy that will let you get your brains around the issues.”

The pens came out. Notwithstanding investors’ tendency to follow the herd, Larry Ellison’s reputation for concisely explaining emerging technology to the layman had made his followers a lot of money. He’d out-IBMed IBM with their own relational blueprint. He’d gotten presidents of several major competitors fired by using advertising to point out their tactical and strategic stupidity. And his no-nonsense one-liners had earned a Pulitzer Prize for the one journalist who decided to follow up on one of Larry’s “what if?” scenarios.

“I would liken the days of flat files and hierarchical databases to flying into Kennedy airport and catching a cab. You get into the taxi and tell the driver you want to get to the Hilton. You then tell him how to get there, for example via the Midtown Tunnel and across to 52nd Street. That’s the old way of doing things. Now comes relational.

“A relational database knows all the navigation necessary to get to the data, simply from the data’s value. Take our cab again. I fly into Kennedy, find a cab, and simply tell the cab driver to get me to the midtown Hilton. Period. The driver, or the relational engine, knows the best way to get me there. I just sit back and read Steve Militich’s analysis of my company’s earnings.”

Steve Militich, the Paine-Webber software analyst, got a laugh by standing and taking a bow. Larry used the opportunity to sip from a glass of water at the speaker’s podium.

“Now let’s talk about object technology. Same airport. Same goal. Objects are self-directing. They carry their rules for usage with them. They can be independent, free-floating mechanisms. I fly to New York. During the flight, my secretary object gets me a reservation at the midtown Hilton.” Larry made quote marks with his hands before and after his mention of the secretary object. “Then she calls a limo service and has a driver object waiting as my flight unloads, holding a sign with my name on it. I step off the plane, see my name, and go with the limo driver. I don’t have to find a taxi stand or wait in a line. Maybe I turn down the driver object because I’ve made arrangements with my girlfriend object, no sexual reference intended, to pick me up, no pun intended.”

He waited for the laughter to die down. “As you can see, objects are self-directed and independent. I could even have chartered a helicopter object to get me to the Hilton, or spotted a free Hilton Courtesy Car object, or walked. You see, I am a CEO object and can choose as much or as little independence as suits my mood. Questions, anyone?”

Again Steve Militich, the foremost software analyst in the business—especially after his competition for the title decided to quit Wall Street and become the road manager for a rock group—raised his hand. An Oracle press intern brought the microphone back to him. “Larry, it seems to me objects have some security problems, especially with Oracle taking over the Web. What would happen if your limo driver turned out to be a kidnapper?”

“Good point, Steve. The government went gung ho down that path with Ada and implementation of the Strategic Defense Initiative. Maybe it’s lucky the current president finally nuked SDI after all.”

The SDI-nuking comment got the biggest laugh of all.

“Yeah, good thing SDI got turned off,” agreed Militich, who then whispered to himself, “But what if Larry Ellison single-handedly rules the Web?”

Tuesday, April 30, 2013

Gone Phishin' in China

Today's Network World article on phishing tactics (see it here) caused me to reminisce about the Joe Pesci and Danny Glover movie Gone Fishin'. Some "phishing" datapoints:

  • Basically, the best phishing holes are in China, at least if you count up the registrars who issue phishing licenses worldwide.
  • Phishing tactics give "catch and release" a whole new meaning, what with the proliferation of the 89,748 unique compromised hosting domains used.
  • Phishing with dynamite is the new trend; mass break-in techniques were used in 58,100 attacks. Toss in that stick of dynamite and get out your nets as all the stunned phishees float to the top.
  • Shared hosting environments have become the "Phishing boats" of choice, particularly WordPress, cPanel and Joomla installations.
Unlike the movie, though, there's not a whole lot of laughing going on, at least as long as we're constrained to play defense-only/hands-tied-behind-our-back security management. We're just dumb fish on a pond, waiting for that next stick of dynamite to knock us senseless and into the nets of phishers who, by the way, are having a lot of fun.

Friday, April 19, 2013

Infecting an Alien Architecture Now on both Nook AND Kindle devices

DESTROYING ANGEL just went live on the Nook (see here) as well as on the Kindle (see here).

I believe the hyperlinks to the 22 Principles of the Perfect Virus—as well as to music videos and movie clips—will significantly change the print publishing industry.