Tuesday, November 30, 2010

The Perfect Virus principle #7: Black Box Portability

As indicated in my post of Monday, 11/22/2010, I am extrapolating Jeff Walker's Principles for the Perfect Application into a discussion of The Perfect Virus. Since Jeff's monograph on the subject did not anticipate stealth or suicide mechanisms, any errors or lapses into stupidity are solely my additions and should not reflect poorly on what I consider to be the biggest single contribution to software application design since the invention of computers. And Jeff, thanks for giving me permission to do surgery on your baby.
THE PRINCIPLE OF BLACK BOX PORTABILITY:  The Perfect Virus can deduce a totally alien environment and adapt itself iteratively to become native (see upcoming principle #9) to that environment, and it must do so without human intervention. Black Box Portability is the Holy Grail of all Perfect Virus principles.


Hats off to science fiction author Piers Anthony's Macroscope for providing this ultimate virus aspiration. In my post on how military science fiction is an excellent road map for the cyber privateer, I left out Piers Anthony because of his special place in my formative technical view of the Universe. In his seminal novel, Piers Anthony depicts that a society is deemed ready for introduction to the real civilization in the Universe when they can build a device called the Macroscope. Alien civilizations then use the Macroscope to transmit advanced principles for space travel, etc., to the inhabitants of our planet. Unfortunately, another alien culture has sabotaged the data being transferred by the Macroscope, so that at a certain point in the knowledge transfer, the human receiving that knowledge goes completely insane. That, my friends, is the ultimate virus. Whatever the "grokking" mechanism of the target system, whatever the operating system, whatever the "grayware" (okay, software in the literal sense), the virus can do some nasty things. This is what I mean by Black Box Portability.


In order to provide Black Box Portability to even Jeff Walker's "perfect" applications, actual human developers had to integrate new technologies, operating systems, RDBMSs, and hardware platforms in a painstaking process. Ditto for my old friend Larry Ellison at Oracle, where porting groups were assigned to each major platform. Because not only did they have to port to every make and model, but then they had to support those ports.


The Perfect Virus must operate on heterogeneous networks of heterogeneous computers running heterogeneous operating systems, databases, and communications protocols. And it must do so without any IT intervention. First the "why" of this principle. Then the "how" framework.


Why is Black Box Portability critical to the Perfect Virus? Cyber war-capable offensive provisioning requires that the attacker not be vulnerable to attack. The most obvious solution is to build a new architecture—operating system, software, hardware—from the ground up. Yes, this is a massive task. A government-level task. The United States, China, India, Germany and Japan certainly have the capability and the motivation. Other lesser infrastructures will have to rely on espionage to play catch-up ball. China for one is clearly on a crash course to develop an alien infrastructure. Their first step was to snooker Microsoft into giving them Windows source code, to which they could add unique encryption (of course, they'll get what they deserve by going anywhere near the Microsoft operating system architecture). I'd bet serious money that Steve Jobs won't give them access to Apple OS X source code. But I think the Microsoft move was just a stop-gap measure until they can fab their own unique processor designs and write their OS from scratch. Unfortunately for us, China seems to be the only country with the will and the means to pull this off. But whatever the case, sooner or later (some say we're in one right now) we're going to have to fight a cyber war with China, and without The Perfect Virus and its Black Box Portability, we are well and truly hosed.


How can The Perfect Virus insert itself into an alien architecture? The "how" of Black Box Portability lies in one concept. The alien architecture must present itself to the attacker, as did Piers Anthony's human civilization to the alien virus via the Macroscope. The Macroscope was our "reader" so to speak, perfectly tuned to our human cognitive mechanism. This is what allowed the virus to wreak havoc. We presented our gray-matter computer architecture via the Macroscope. Likewise, any Chinese "alien architecture" will have to present itself to the outside world in order for The Perfect Virus to do its work. The methodology of that inter-species cyber dialogue would make a great doctoral dissertation. Or a nice little sub-plot for my sequel novel (I've got one mechanism in mind which I'm going to have to play with if I can figure out how to not get myself into legal trouble). Needless to say, if US law can somehow be changed to allow me to "do a cyber reconnaissance in force" against all the computers currently probing my Linux system for weakness, then I could legally test some "novel" ideas (double meaning intended). But I'm not holding my breath for such a situation (although Jeff Walker may be able to upgrade his security clearance and take this on as a special project for the NSA, since he's the perfect architect and project leader).


The "how" is why I refer to principle #7, Black Box Portability, as the Holy Grail of The Perfect Virus. Part of the answer will be covered in principle #14, Stealth. As for the rest of it, my dad is a professional gambler whose best advice I think I shall take now: "Son, don't play your cards face up." 



Monday, November 29, 2010

The Perfect Virus principle #6: Mutation Control

As indicated in my post of Monday, 11/22/2010, I am extrapolating Jeff Walker's Principles for the Perfect Application into a discussion of The Perfect Virus. Since Jeff's monograph on the subject did not anticipate stealth or suicide mechanisms, any errors or lapses into stupidity are solely my additions and should not reflect poorly on what I consider to be the biggest single contribution to software application design since the invention of computers. And Jeff, thanks for giving me permission to do surgery on your baby.
THE PRINCIPLE OF MUTATION CONTROL:  Because a virus projects itself geometrically (see principle #2, Feral Fertility), it must quickly recognize the presence of siblings and take appropriate action. The Perfect Virus can recognize pre- and post-versions of itself in order to cede control to the more highly evolved version. This implies several courses of action:
  1. If The Perfect Virus encounters a less-evolved version of itself, it must determine if there is a reason that less-evolved version has remained in that state. If there is no good reason, then it must kill that version after first collecting the "genetic memory" of its predecessor (see Frank Herbert's Dune novel for an understanding of genetic memory, per my post on military science fiction as inspiration for The Perfect Virus).
  2. If the Perfect Virus encounters a more-evolved version of itself, it must pass on its own genetic memory (see point above) and then snuff itself.
  3. If the Perfect Virus encounters an identical version of itself, then follow disposition as in the preceding point.
In typical computer applications, revision control is part of the version management system run by IT. There is no IT support for The Perfect Virus. It mutates itself perfectly, because it is Self Aware (principle #3). And because it is Self Aware, it never generates bad code. Where doubt exists, it can leave a genetic memory trail of its attempt to mutate, to be discovered by the next version of itself that happens by, and then either try to roll back to the previous state or snuff itself. If it clearly generates a defective mutation and cannot recover with a rollback, then it will snuff itself after leaving such a genetic memory trail. If mutation leads to discovery, then it must broadcast the genetic memory trail to the world as part of its suicide process. Upon receipt of a suicide broadcast, the recipient virus may spawn a new version of itself and coordinate a new attack on the hardened site (see principle #1, Oversight).

Tomorrow, I will discuss The Holy Grail to which The Perfect Virus will aspire: Black Box Portability.

Saturday, November 27, 2010

The Perfect Virus principle #5: Seamless Migration

As indicated in my post of Monday, 11/22/2010, I am extrapolating Jeff Walker's Principles for the Perfect Application into a discussion of The Perfect Virus. Since Jeff's monograph on the subject did not anticipate stealth or suicide mechanisms, any errors or lapses into stupidity are solely my additions and should not reflect poorly on what I consider to be the biggest single contribution to software application design since the invention of computers. And Jeff, thanks for giving me permission to do surgery on your baby.
THE PRINCIPLE OF SEAMLESS MIGRATION: The Perfect Virus can seamlessly migrate all or part of itself from one technology environment to another. I'll discuss several dimensions of this quality in the next five postings (Monday through Friday) as follows:
6. Mutation Control;
7. Black Box Portability;
8. Openness;
9. Native Implementation; and
10. No Common Denominator.
My first appreciation for the principle of Seamless Migration came back in 1987. I was sitting with Larry Ellison at Oracle one afternoon when we heard that RTI (later to rename itself Ingres after its flagship database product) had just announced they were about to deliver a cross-network query. This feature allowed a database to exist across multiple computers, and a single SQL query could collect data from multiple computers across that network. I'll never forget Larry's reaction. He slammed his hand down on his desk and growled, "I'll be damned if I'm going to get out-lied by a bunch of professors from Berkeley!"

My subsequent adventure with Larry was outlined by Mike Wilson on pages 169-170 of his book The Difference Between God And Larry Ellison. It was a Friday. Larry gave me until Monday to produce and ship an ad to Computerworld magazine, so the ad could run the following Monday. Ten days, from start to finish. During those ten days, Larry had his developers patch together a distributed query and slap it on a mag tape being shipped to a VAX customer. Thus, when the ad broke we could truthfully claim to be the first company to actually deliver a distributed query. Furthermore, our Seamless Migration would connect any Oracle RDBMS running on any computer hardware, under any operating system, over any network. Here's the ad:

The Perfect Virus will probably have to exist on several disparate computers, all running different operating systems, all in varying degrees of security compliance, and all protected by serious firewalls. Oracle ran on virtually every hardware platform, under every operating system, over every major network (which have all been replaced by the Internet and TCP/IP). Larry taught us well, grasshopper.

This is why Larry Ellison was the first pick for my Cyber Privateer Fantasy League team. Because the difference between God and Larry Ellison, as Mike Wilson pointed out, is that "God doesn't think He's Larry Ellison." And as for me and my cyber privateers, to paraphrase Larry, "I'll be damned if I'm going to get out-virused by some totalitarian regime in Beijing."

Okay, so I'm still steamed that I can't retaliate against the concerted effort being made by the Chinese to infiltrate my poor little Linux box, which I should probably rename "The Honey Pot" since I haven't closed down some of the ways they're trying to break in. But when I grew up in Wyoming, we never even locked our doors when we left the house. Boy, gone are those days of trust!

Friday, November 26, 2010

The Perfect Virus principle #4: Performance

As indicated in my post of Monday, 11/22/2010, I am extrapolating Jeff Walker's Principles for the Perfect Application into a discussion of The Perfect Virus. Since Jeff's monograph on the subject did not anticipate stealth or suicide mechanisms, any errors or lapses into stupidity are solely my additions and should not reflect poorly on what I consider to be the biggest single contribution to software application design since the invention of computers. And Jeff, thanks for giving me permission to do surgery on your baby.
THE PRINCIPLE OF PERFORMANCE: The Perfect Virus provides high performance by minimizing memory usage, instruction path lengths, and database operations within itself and within its spawn. Ideally, the virus will metamorphose (discussed in greater detail in principles # 5 through 10) into tight, machine-language code.


I've always adhered to the philosophy that genius doesn't emerge from committees, and that no greater performance can be achieved than by having one genius programmer coding in assembly language. Further, while performance isn't the Holy Grail of virus creation, it's certainly high on the list. Get in and out quickly, cover your tracks, and lay a few eggs so you can snuff yourself if necessary.


Back in my days doing guerrilla warfare for Larry Ellison and Oracle, we quickly determined that performance was indeed the Holy Grail of market domination, assuming that all other factors were equal. In Oracle's case, businesses and their customers didn't want to wait around for answers. And in the ultimate bit of cleverness, we put a non-benchmarking clause into the Oracle customer contracts, wherein they were specifically forbidden to publicly disclose benchmark comparisons (Tom Siebel took this one step further after he left Oracle and started Siebel Systems, where customers were contractually forbidden to say anything bad about Siebel products; their only recourse was to get their money back if they were unhappy). Thus Oracle had complete control over the benchmarking competitive process. That's how important performance was and still is in the database world.


As far as The Perfect Virus is concerned, performance is a matter of survival. Quick is good. Slow is very, very bad.


Also, minimizing memory usage is best achieved in tight machine language. As indicated in yesterday's post on Self Awareness, I once wrote a complete real-time operating system in around 700 12-bit words of memory. I'm amazed how piggish today's operating systems and application software are. The prevailing attitude seems to be that memory is cheap, so why be clever? Back in "the day," we used to brag how small we could make things. The record for ingenuity was using only three machine language instructions to zero all of memory. Just a few more instructions to overwrite all hard drives. Well my little army of cyber privateers, small is not only faster (both in terms of load time and execution time), but small makes it easier to hide stuff (memory-to-clock time is something I'll cover in greater detail in principle #14: Stealth).

Thursday, November 25, 2010

The Perfect Virus principle #3: Self Awareness

As indicated in my post of Monday, 11/22/2010, I am extrapolating Jeff Walker's Principles for the Perfect Application into a discussion of The Perfect Virus. Since Jeff's monograph on the subject did not anticipate stealth or suicide mechanisms, any errors or lapses into stupidity are solely my additions and should not reflect poorly on what I consider to be the biggest single contribution to software application design since the invention of computers. And Jeff, thanks for giving me permission to do surgery on your baby.
THE PRINCIPLE OF SELF AWARENESS: This is the second-most difficult principle to enforce in a virus (the most difficult of which will be #7, that of Black Box Portability). Please do not confuse self awareness with consciousness, that metaphysical quality of being that's only achievable by sentient beings. What I call self awareness, IBM's Paul Horn described on October 15, 2001 as "autonomic computing." Specifically, self awareness is that quality that allows The Perfect Virus to not only generate/re-generate/heal itself, but flawlessly maintain itself in the absence of oversight from any outside source. In its roughest sense, this would be analogous to performing an appendectomy on yourself (I used this image in a Forté ad before they were acquired by Sun, who was subsequently acquired by Oracle):



At a more advanced level, a self-aware/self-healing/self-modifying entity would change its own DNA on the fly. Yeah, I know. Talk about Dangerous with a capital "D".

I've been thinking about self-healing systems for a good many years. Autonomic computing concepts existed long before IBM got around to pontificating on the subject. I was intrigued with systems that self-generated, like the Forth process control language in the early 1970s. I met Elizabeth Rather in early 1971 as she generated Forth for Data General computers located at the National Radio Astronomy Observatory. Because Forth literally generated itself, it was frequently used to quickly make new computer architectures productive. This was also the period during which I wrote my own real-time operating system in assembly language for the Data General Nova computer. Interestingly, the entire operating system took just over 700 12-bit words of memory (I'll talk about the significance of this experience in tomorrow's post on Performance). Less than five years later, I morphed from a mathematician into an electrical engineer (an electrical engineer is just a mathematician who learns Ohm's law) to invent the Hagoth voice stress analyzer. Then, completely full of myself and prodded forward by my friend and science fiction author Frank Herbert (Dune), I sold the company and ran for U.S. Congress in 1978.

By the mid 1980s, I'd morphed into a guerrilla warfare hit man specializing in technology companies. It was during this time I met Morris Jones, an Amdahl wizard who became chief scientist for SEEQ and then for Chips and Technologies. Morris shared with me the Silicon Valley secret, how a very small group of hardware-design wizards moved from company to company, bringing their own tool kits with them from job to job. They actually used those same tools to re-generate themselves for whatever new platform, language or architecture was required by their new jobs. Again, self-generation technology pinged that little spot in my brain that dwelt on cyber self awareness.

But my major insight into software self awareness came during my tenure at TenFold with Jeff Walker. TenFold applications were actually self aware applications. Not only did they generate themselves, but they could modify themselves without blowing up. That's because the TenFold system generated perfect applications every time. To be sure, the underlying operating system could still fail (thanks Microsoft, for that blue screen of death), but adherence to Jeff's 22 Principles for the Perfect Application virtually assured perfect applications every time. I still have a shelf full of documentation detailing how this was achieved, and this isn't the place to regurgitate to that level of detail. I can, however, encapsulate the methodology in very few points:
  1. The Perfect Application (and The Perfect Virus) is analogous to a Microsoft Excel spreadsheet. It does whatever you want it to do, and does it perfectly. Whatever hardware or operating system underpinnings support the spreadsheet, those are invisible to the application. Furthermore, the spreadsheet user can immediately see if it's doing what he wants it to do, because it runs instantly. No compilation. No human errors introduced through mistyped punctuation in assembly language or C++ code. No SQL infinite loops because of mistyped syntax in queries.
  2. The Perfect Application functioned in a bullet-proof virtual machine, independent of hardware architecture, network protocol, or operating system.
  3. The Perfect Application was written in itself, which meant that it could self-diagnose and change its own DNA as it were.
Yes, there's more. And those points will be covered in the remaining 19 principles of The Perfect Virus, because they are derived from the same principles Jeff used in his Perfect Application architecture. The most important revelation in today's posting is that the principle of Self Awareness is not pie-in-the-sky conjecture. It's not science fiction. Because I've seen it in full, glorious operation. I've seen how Jeff did it, and I can clearly see how the right applications architecture can achieve it in any domain, including the domain of The Perfect Virus. 


Wednesday, November 24, 2010

The Perfect Virus principle #2: Feral Fertility

As indicated in my post of Monday, 11/22/2010, I am extrapolating Jeff Walker's Principles for the Perfect Application into a discussion of The Perfect Virus. Since Jeff's monograph on the subject did not anticipate stealth or suicide mechanisms, any errors or lapses into stupidity are solely my additions and should not reflect poorly on what I consider to be the biggest single contribution to software application design since the invention of computers. And Jeff, thanks for giving me permission to do surgery on your baby.
THE PRINCIPLE OF FERAL FERTILITY: In yesterday's post on principle #1, Oversight, I contended that the reason The Perfect Virus needed a reliable off-switch or pause capability transcended a mere moral argument. Simply, without compliance to principle #1, you cannot achieve Feral Fertility. Feral Fertility demands that The Perfect Virus not only spawn geometrically, but it must be able to mutate or even kill itself or its own spawn to avoid either its or their detection. It must be able to sense available nesting areas via wireless technologies (such as Bluetooth) or in peripheral EPROMs for reseeding.

Feral Fertility is critical to Stealth (principle #14), but is equally important to Oversight (principle #1), because geometric spawning across networks, operating systems and heterogeneous hardware environments is the best defense against detection and eradication. All instances of The Perfect Virus must be under a master control topology in case the goals of the sponsoring privateer organization either change or are achieved.

Finally, the "Feral" part of Feral Fertility demands that the spawning virus be able to kill not only its offspring, but under certain conditions it must be able to kill its parents, even multiple generations of parents if Mutations (principle #6) have gotten out of hand.

Tomorrow, I will deal with the second-most difficult characteristic of The Perfect Virus, Self Awareness (principle #3). And so as not to keep you in suspense, the most difficult feat of The Perfect Virus will be principle #7: Black Box Portability (a la Piers Anthony's Macroscope virus).

Cheers.

Tuesday, November 23, 2010

The Perfect Virus principle #1: Oversight

As indicated in my post of Monday, 11/22/2010, I am extrapolating Jeff Walker's Principles for the Perfect Application into a discussion of The Perfect Virus. Since Jeff's monograph on the subject did not anticipate stealth or suicide mechanisms, any errors or lapses into stupidity are solely my additions and should not reflect poorly on what I consider to be the biggest single contribution to software application design since the invention of computers. And Jeff, thanks for giving me permission to do surgery on your baby.
THE PRINCIPLE OF OVERSIGHT: The Perfect Virus must be unbreakably subservient to oversight. Whether from a dead-man's switch, a "disable" command string, or even a visual/image, there must be at least two ways (permanent and pause-mode) to make the virus stand down. The virus must also be able to drive a coordinated attack on another system, or receive penetration instructions from a "superior officer" coordinating an attack on its own system.


At first glance, this might appear to be a moral principle more on a par with Asimov's fictional laws of robotics discussed in my section on The Cyber Privateer Code (Draft01). I'd like to build a case here even for an anarchist with a really bad attitude (or members of the FTW motorcycle gang) to follow this principle. Why build in a failsafe? Because whether you have a single living family member/friend for whom you care, or if you plan to commit suicide after launching your virus, unless you want to risk having loved ones horribly tortured and sent to you a piece at a time by some criminals that you have severely inconvenienced until you neutralize your creation, you'd better follow this principle.


Of course, one other very good reason for maintaining rock-solid oversight is that your own unchecked virus might actually kill…YOU. Remember, Asimov's laws of robotics don't apply in the world of cyber war.


Then again, you might reason that your "dead-man's switch" is your own life insurance policy. If you don't periodically submit proof of life to your virus (I loved the Russell Crowe movie Proof of Life), you could instruct it to go completely and irreversibly rogue. But your proof-of-life logic had jolly well better be infallible. I personally cannot envision a dead-man's switch scenario that couldn't somehow go wrong. And as you will see as I drill down into the capabilities of the Perfect Virus, you don't want to see one of these puppies go rogue.


But things are not what they appear. This is not a first-glance moral solution. If you do NOT implement this first principle, then you will not be able to implement principle #2, which I will share in tomorrow's post. Which means you cannot possibly have The Perfect Virus. Not to mention that your dashboard (see principle #11, Prosumption) will be ineffective and frustrating.

Monday, November 22, 2010

Architecture for The Perfect Virus: Introduction

A few days ago, I vacillated on whether or not I should reveal Jeff Walker's principles of the perfect application as they might apply to the perfect virus. After all, Jeff's paper is in the hands of fewer than a dozen people. Upon serious reflection, I have concluded that the principles involved do not equate to an execution roadmap. We're talking millions of lines of code and a significant investment. Furthermore, the only people who could do this (because they have done it before, for Jeff) would be impossible for anyone but the United States government to re-assemble. Which won't happen because according to Richard Clarke in his book Cyber War, we lack the political will to embark on this mission. Well, if I publish the road map that would allow a foreign government to construct The Ultimate Virus, just maybe it will be the catalyst to kick a few U.S. politicians into high gear. In my opinion, we need such a "Manhattan Project" to save life as we know it.

So starting tomorrow, I will be sharing the architecture of The Ultimate Virus, at least as I can extrapolate it from Jeff Walker's principles of the perfect application. "What does the ultimate virus look like?" you ask. Back on November 3rd, I posted a Cyber privateer road map: military science fiction. I left out one author: Piers Anthony. His book Macroscope was the second most important influence in the formulation of my own view of technology (the most important one being Stephen Wolfram's A New Kind of Science). [As a side note, the Jodie Foster movie Contact lifted this alien communication idea from Mr. Anthony.] Piers Anthony described an intergalactic virus that took over the Macroscope, a device that emerged only when a civilization had reached the point that they could be brought into a space-faring culture. Through the Macroscope, the alien community communicated the science necessary to take the next giant steps into space. Just like the Internet is delivering Stuxnet (which is currently tormenting the Iranian nuclear program), the Macroscope was a delivery mechanism. In Piers Anthony's story, an alien culture had sabotaged the data being delivered to the Macroscope so as to drive the person being taught hopelessly insane. So the Macroscope, analogous to today's Internet, was just a delivery mechanism for the virus. What actually gets delivered is a separate entity, like Stuxnet could as easily have delivered pop-up random insults to Mohammed. But that little piece of Stuxnet which sneaks around Iranian computers to deliver the virus, that's the "baby steps" version of The Ultimate Virus.

So tomorrow it starts: my discussion of The Perfect Virus Architecture. The Internet is the Macroscope. What gets delivered is…The Perfect Virus.

Saturday, November 20, 2010

Everyone may be underestimating the Mossad

In all my speculation about power players in the cyber defense arena, I've ignored the relative ranking of the Israeli Mossad as a world player. Richard Clarke in his Cyber War book seems to think that the USA is first in cyber war capability, followed by Russia and then China (in that order). In my humble opinion, and based upon the targeted readership of this blog, I have a hunch that Israel is a power player on a level with both China and Russia. Maybe even tied with the USA. Here's the top-ten frequency of readers from around the world in the last few days:



  1. The USA
  2. United Kingdom
  3. Israel
  4. Canada
  5. Sweden
  6. Brazil
  7. France
  8. Russia
  9. United Arab Emirates
  10. Bulgaria
Israel is the number three reader in terms of frequency of page views. My "gut" tells me that Israel will be a major player in any cyber war, and that the Mossad may be the best partner a cyber privateering organization may ever have. I have no direct knowledge to back this up, but my built-in "inference engine" (a concept based on out-of-mainstream A.I. concepts) uses some really "fuzzy logic" to suggest this reality. Time will tell.

Shalom.

Cyber Privateer Fantasy League nomination for the "Mrs. Black" role: Nancy M. Harvey, PhD

As promised in yesterday's post, I'm naming the fourth member of my Cyber Privateer Fantasy League championship team: Nancy M. Harvey, PhD. What qualifies her for the role, other than a remarkable physical resemblance (except for the ears) to the first female cyber privateer as personified in my BigFix ad (shown here, again)?
Simply, Dr. Harvey is an operational genius. Tough as nails and impossible to intimidate, she served as the President and CEO of TenFold. As a member of the board of directors, I observed a toughness and operational brilliance I've never seen in any other executive. When Stephen Wolfram (inventor of Mathematica and author of the most fabulous technology book I've ever encountered, A New Kind of Science) wanted someone to bring Wolfram | Alpha live and then negotiate use of it to Yahoo! and Microsoft, he nabbed Dr. Harvey to be in charge of the effort. This establishes reasonable independent verification of her genius.

While they don't know each other, I have no doubt she'd work well with both Larry Ellison and Marc Benioff. And my ultimate virus architect Jeff Walker recruited her to be TenFold's CEO, so I know they'd make a good team.

The job I have in mind for Dr. Harvey is to be the public face for any criminals who are looted and who invoke their right of parley as stated in the Cyber Privateer Code. Not only would she be the face seen on the public parley video conferences, but she would be the organization compliance officer, charged with making sure that no innocents are inadvertently looted. Remember, the restitution provisions of looting an innocent are not only onerous, but they are large enough to threaten the very existence of the cyber privateer entity. She's smart enough to see through a fake attempt to plead innocence, tough enough to be immune to threats from some drug lord who just lost a billion or so dollars (it helps that she doesn't have a large number of relatives that could be kidnapped and sent to her piece by piece), street-wise enough to recognize promising talent for recruitment, and thorough enough to make sure the proper releases are signed prior to settlement or repatriation of funds.

Speaking of compliance, notice the gun my cyber privateer creation is holding. William Gibson, inventor of the "cyber punk" genre, just came out with his latest book (Zero History). On page 64 he describes another weapon as a "compliance tool." My Cyber Privateer Fantasy League team will have some swell "compliance tools."

If they ever make my novel into a movie, I'd like to host a sneak preview party just for my Cyber Privateer Fantasy League team members. Seeing their chemistry at an actual meeting would be wonderful entertainment all by itself.

So Dr. Harvey, welcome to an elite squad. Since you haven't responded to my email from yesterday, you must be off on your jaunt to climb Mt. Kilimanjaro (oh yeah, Nancy Harvey takes an annual adventure that's parsecs outside my own comfort zone).

Friday, November 19, 2010

Cyber Privateer rules of engagement: Part Deux

Continuing yesterday's discussion on rules of engagement (and tipping my hat to the "inept French privateer" in naming this post), we've handled item #1 of the four "got'chas" contributed by security author Paco Hope: (1) identifying the (real) perpetrator; (2) determining guilt; (3) applying a fair law; (4) meting out punishment to the guilty. Yes, identifying the REAL bad guy is a stretch, but let's assume for a moment we have met a reasonable standard of proof.

What about determining guilt (#2), applying fair law (#3) and meting out punishment to the guilty (#4)? There is an element of subtlety in these three questions that completely escapes me. Once you find a perpetrator, the last three really become moot issues. Of course, I grew up in Wyoming where horse thieves were, in the good old days, routinely hanged. And I modeled the judge in my novel DADDY'S LITTLE FELONS (a working title) after my dear friend Judge Pat Brian, who died this year of pancreatic cancer. Once a year for four years, I'd arrange to take teenage boys and girls out of school so they could visit Judge Brian's courtroom on "show cause" day (Friday). "Show Cause" hearings had to do with parole violation, bail jumping, or sentencing of criminals. Judge Brian could handle fifteen or twenty such cases in a day, and I found them terribly interesting because they completely encapsulated a case—beginning, middle and end—in one sitting. Judge Brian really gave me the idea from which my novel germinated, a kind of old-west justice system where shades of guilt, vagaries of law, and meting punishment were fairly binary. For example . . .

One of Judge Brian's cases involved a repeat drunk driver. The kid was a construction worker who'd had a couple of beers after a hard day on the job, and got pulled over. Again. The judge had some latitude, and gave the kid two choices. Go to jail for 30 days or wear a T-shirt on which was written (front and back) "I am a drunk driver." The judge had his own T-shirt printer, so the kid couldn't do small letters. The kid chose the T-shirt and got pulled into Judge Brian's court because he'd been seen on the job without the T-shirt. Facing almost sure jail time, the construction worker explained that it was raining and that he put a clear plastic jacket on over the top of his T-shirt, and that he figured people could easily read the letters through the clear plastic. The judge relented, but told him that from now on, the T-shirt had to be worn OVER any jacket. Then, interestingly, Judge Brian asked him what he thought about the sentence he'd chosen. The kid said, "Your Honor, I didn't realize how badly people hated drunk drivers. I'm never going to drink and drive again."

Which brings me to privateer rules of engagement. It's binary. As a cyber thief, you stand to lose anything you have that can be monetized by a creative privateer. Period. This kind of hang-em-high/horse-thief justice will likely have the A.C.L.U. frothing at the mouth. I'm used to that. Back in 1978, I debated the head of the New York A.C.L.U. on national television (The MacNeil/Lehrer Report) about the use of my invention, a voice stress analyzer that can covertly determine over the phone if the person to whom you are speaking is lying to you. The A.C.L.U. lady said, "That's an invasion of privacy!" Whereupon I calmly agreed with her. "Yes, Ma'am, it is." Then, before she could turn her smug look into some inane statement to the effect that she'd won the argument, I said, "But if the U.S. Congress declares the covert use of my voice stress analyzer to be illegal, I'll just run an ad in the Wall Street Journal showing how anyone can build one of my devices for about $600 worth of Radio Shack parts." Man, I thought the top of her head was going to come right off. I really loved pushing her buttons.

Here's the reality of hang-em-high justice. Very few people will get hung high. Consider the hypothetical situation from yesterday's post. Some sixteen-year-old kid tries his hand at cyber crime on his mother's computer. He gets caught (not his mother, but him). The cyber privateering organization cleans out his college savings account. He says, "Oh damn!" and invokes the right of parley in the Cyber Privateer Code. We have a pimple-faced kid in a video conference with Mrs. Black, the cyber privateer parley contact (by the way, I'll be nominating my Mrs. Black to my Cyber Privateer Fantasy League in tomorrow's post). He says, "Please Mrs. Black, all I wanted to do was buy an iPad, and I promise never ever to do this again." Actually, he does considerably more groveling than that, but you get the point. An enlightened cyber privateering organization could get some serious mileage out of this PR stunt, not to mention a future recruit. So Mrs. Black negotiates to return his college fund in the form of a full scholarship to MIT "provided the kid serves an internship with the privateering organization and provided he keeps his nose clean evermore." Naturally, both he and his very irritated mother will have to sign a liability release as well as allow the public video-chat session to be used in advertising for the cyber privateering organization any way they see fit.

Yes, shades of Judge Pat Brian and frontier justice. The simple reality is that a cyber privateering organization can get a lot of mileage out of occasions like this, and that mileage will be far more valuable than grabbing a few thousand dollars out of some petty thief's bank account.

What about the "double, triple or gazillion-uple jeopardy" mentioned by Paco? Tough justice, but too bad (sorry A.C.L.U., but I'll debate your representatives any time, any place as long as the audience is on national TV). A cyber thief or a rogue government must be deterred. The threat of absolute financial ruin is the best deterrent. The way our courts function, forget the death penalty. But total, unambiguous, absolute financial ruin, now there's a deterrent! A disproportionate response? Again quoting from Heath Ledger in his last role as the Joker, "Now you're talking!"


Stay tuned tomorrow for my nomination of Mrs. Black to my Cyber Privateer Fantasy League team.

Thursday, November 18, 2010

Cyber privateer rules of engagement: Part 1

In draft 01 of my Cyber Privateer Code (November 13th), I laid out five rules of conduct. In the very next post (November 15th), security author Paco Hope raised four issues: (1) identifying the (real) perpetrator; (2) determining guilt; (3) applying a fair law; (4) meting out punishment to the guilty. A hypothetical example was quoted that demonstrates the complexity of point number one: identifying the (real) perpetrator.

Mr. Hope writes: "What if little Johnny, age 16, uses mom's computer to try his hand at cybercrime? Let's say he's successful at installing a keylogger on some bloke's computer and he gets some userids and passwords. He gets the guy's PayPal password and makes a couple unauthorized purchases of XBox games or signs up for a couple porn sites. He's clumsy, he's obvious, and unfortunately his victim is protected by a privateer. Tracing back the attack, we get to mom's computer. It's pretty obvious who that computer belongs to and any privateer worth his salt can trivially loot mom's bank accounts and so on."


It's pretty clear from draft 01 of my Cyber Privateer Code, point number 4, that wreaking havoc on an innocent victim means the victim should be compensated 100X. That's one-hundred-times the amount confiscated from an innocent person's bank account. Therefore, rather than proposing anything close to a fool-proof forensic framework for separating the innocent from the guilty, my Cyber Privateer Code simply says that the privateer had better have rock solid proof. Otherwise, Paco's hypothetical "inept French privateer" is quickly out of business. A few $10,000 mistakes translate into a few million dollars in restitution. Bad business model for Frenchie, eh?


Just as in Isaac Asimov's rules of robotics, where paradoxes will arise, my Cyber Privateer Code demands (but does not define) the enforcement mechanism. It just says that an inept privateer can watch his/her/its business evaporate along with the Letter of Marque and Reprisal. One "nod" toward reality might be that whatever bonding authority chooses to insure a cyber privateering organization would demand a certain standard of proof in order to issue an indemnification policy. Further, since that indemnification would have to be one-hundred times the maximum amount allowable for confiscation (heck, bail bondsmen only charge 10% of the total bond), a large cyber privateering organization would almost require government-level resources to post their bond. If you mistakenly grab $1 billion from the accounts of a rogue government and fail to return it within 10 days of parley (again rule 4), somebody is going to have to pony up $100 billion. Which may be a deal breaker.


Remember how I said my first shot at the Cyber Privateer Code was "draft 01?" I'm considering my first edit. Maybe the restitution amount should be 10X and not 100X. Or maybe even 2X? 


Comments?

Wednesday, November 17, 2010

Architecture for the ultimate virus; do I really want to go there?

I just got permission from Jeff Walker to publicize and build on his 22 Principles for the Perfect Application to create the architecture for The Ultimate Virus (see yesterday's post). But I need to think about this. Given my technical background, I could probably do a pretty good job of designing and building a trigger for a nuclear device, too. But to put that kind of information in the public domain would be pretty damned irresponsible, notwithstanding that Iran can't even get their centrifuges running at the proper speed. I'm going to take a day or two and consider whether or not this is the right thing to do. Jeff's paper is currently in the hands of no more than a dozen people. Maybe it should stay that way.

Perhaps this blog should deal more with the moral and practical implications of The Morgan Doctrine, well articulated by Paco Hope in my Monday post ("If I were a jihadist…"): (1) identifying the (real) perpetrator; (2) determining guilt; (3) applying a fair law; (4) meting out punishment to the guilty.

If you have strong feelings one way or the other, let me know.

Tuesday, November 16, 2010

Jeff Walker: Architect of the Perfect Virus

Today, I'm naming the third member of my Cyber Privateer Fantasy League: Jeffrey L. Walker. He joins Larry Ellison and Marc Benioff, and I give him the team assignment to architect the Cyber Privateer Attack Weapons Suite. I've known and worked with Jeff on and off for over twenty-five years, first at Oracle when Larry Ellison appointed him VP of Marketing, and later at TenFold where I served as a consultant and then as a member of their board of directors. Let me tell you about Jeff.

Jeff is the only person I've ever heard Larry Ellison describe as being smarter than Larry. Given that Larry is off-the-charts brilliant and profoundly reluctant to acknowledge anyone else's superiority, this should mean quite a lot to the rest of the planet. And while Jeff began his tenure at Oracle in marketing, Larry quickly made him both CFO and head of Oracle's new Applications Division. Marketing, finance and applications? These assignments alone establish Jeff's bona fides. It is his applications prowess that earns him a place on my Cyber Privateer Fantasy League, however.

Jeff is an applications and cyber-process genius of the first water. His work architecting the Oracle Applications Division so profoundly affected Oracle that years later his replacement (Nimish Mehta, now interestingly the Senior Vice President, Enterprise Information Management at SAP) commented that "Even though he is long gone, Jeff Walker still runs the Oracle Applications Division." What he meant, of course, is that Jeff's business architecture created an organization that could operate at maximum efficiency and operational professionalism. That's Jeff Walker for you.

When Jeff tracked me down to help him with his public company TenFold, he immediately endeared himself to me by saying, "You wouldn't know a good application if it bit you." Now since my training is really in mathematics and since I'd once written a real-time operating system that took less than 700 bytes of computer memory, I could have been offended. Instead, I kept my ego in check and paid close attention. Over the next few years, first as a consultant and then as a member of his board of directors, I learned about applications. And guess what? Jeff was right. Before that time, I absolutely didn't have the faintest idea what constituted a good application.

Jeff wrote a seminal document called The Principles of the Perfect Application, in which he enumerated twenty-two concepts that no application has ever achieved (not even his TenFold platform). While doing research for a sequel novel (all of us ad guys are really closet novelists), I reviewed his document. It slowly dawned on me that with the addition of very few new principles, Jeff had created a platform for the Ultimate Virus. I also think it would be the Ultimate Cyber Privateer Toolkit.

One of the criteria for membership in my Cyber Privateer Fantasy League team is the ability to work with both Larry Ellison and Marc Benioff. Since these three individuals know each other well, and since there is great mutual respect, I believe they could come to a working accommodation. My big dilemma is whether or not I should share Jeff's architectural principles in this blog. Naturally, I'm repositioning them in terms of The Perfect Virus, but do I really want to make things easier for the bad guys to get it right?

Maybe the answer to the question would be to ask Jeff what he thinks. Would he even give me permission to use his intellectual property as the jumping off point for a discussion? Stay tuned. I'll let you know what he thinks.

Monday, November 15, 2010

If I were a jihadist

Thanks again to Paco Hope (author of Web Security Testing Cookbook) for drilling down on the most serious dilemma of the cyber privateer. As he says, "Once the low-hanging fruit is picked and the clear-cut cases are dealt with, you'll have greedy privateers who want to continue the looting and they're going to have to get into grey areas."

Paco continues: "I'm quite happy to accept the idea that the Chinese government monitors and even sponsors cybercrime. However, just because the cybercrime originates from the servers of banghe.com doesn't mean that the people at that company have any knowledge or complicity in it. The illicit government entities are perfectly likely to attack innocent Chinese businesses and then launch attacks from those businesses' servers. So if some privateer attacks the company that owns the server, he's got the wrong entity."

Good point, Paco. In fact, let's up the scenario and anticipate you are a really clever jihadist. You're sitting in your cave, only pretending to study the Quran. But you're really trying to figure out how to bring down the GSA (Great Satan America) and its Zionist allies. The Stuxnet virus has set back your own nuclear program, not to mention the fact you'd prefer NOT to see a retaliatory nuking of Mecca even if you did build and use a nuke. A far better approach would be to take over the Chinese cyber war capability and make the GSA think they are being attacked by China. Or Russia. Or both. So you pull the pin, say on November 11, 2011 (a date which you hope will live in infamy as 11/11/11, and maybe you time it for 11:11AM in New York City).

On November 11th, here's what you'd like the GSA to think the Chinese did to us:
  1. Since Stuxnet whacked the speed at which the centrifuges ran in Iran (see today's Computerworld story), you use the Chinese data bombs already installed in US utilities to spin up all the power generators until they self-destruct. You'll blow the USA back into the Stone Age, since big generators are built to order on a specific schedule (see Richard Clarke's Cyber War, p. 100) and aren't in stock anywhere; it'll take the GSA years to get back online.
  2. Cause pressure blowouts nationwide in natural gas pipelines, incinerating whole cities.
  3. Use the data bombs installed in the Air Traffic Control system to cause horrific mid-air collisions. Railroad head-on collisions. Open express lanes both ways for automobiles.
  4. Take down the international banking system. Be careful here, though, because this is not something China or Russia would likely do. Globalization has made their economies co-dependent with the GSA. Better to just drain some big bank accounts and leave a trail of deposits to frame organizations you've come to fear and loathe.
  5. Take down the Internet. Come on, you can blame this one on Christian Fanatics who believe that the beast referred to in the Bible (Revelation 13:17) is really the Internet (the "number of the beast" is 666, which in Hebrew is "www" which…well, you get it). Whack every DNS (Domain Name Server) system in the world with a pro-Christian/anti-Israel "goodbye world" shut-down message. 
The above is just the beginning. A good list would have hundreds of exploits. Of course, you'd have to resist taking credit for the havoc. Leave it up to Russia and China to exchange their own real nukes with the GSA.

Good call, Paco. You write in your email: "The way I see it, we have a few problems: (1) identifying the (real) perpetrator; (2) determining guilt; (3) applying a fair law; (4) meting out punishment to the guilty." As you point out, privateering does a good job with number 4, but needs some serious thought in the first three areas. You further ask, "How do we prevent double (and triple, quadruple, and bazillion-uple) jeopardy?…Once someone's marked to be hit, the others have to stay off?"

I agree these issues must be thoughtfully addressed.

Unless, of course, I am a jihadist.

Saturday, November 13, 2010

The Cyber Privateer Code

According to Wikipedia (I don't necessarily believe everything I read in Wikipedia, but this appears to be accurate), Isaac Asimov introduced The Three Laws of Robotics in a short story Runaround:
  1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
  2. A robot must obey any orders given to it by human beings, except where such orders would conflict with the First Law.
  3. A robot must protect its own existence as long as such protection does not conflict with the First or Second law.
  4. (added later by Asimov as the "Zeroth" law) A robot may not harm humanity, or, by inaction, allow humanity to come to harm.
In the movie Pirates of the Caribbean, reference is made to a "Pirates' Code" and specifically the "right to parley," which referred to a prisoner's right to parley with the captain before disposition of whatever fate awaited said prisoner. Given the atrocities attributed to real pirates, I doubt any pirates' code either existed or was ever enforced. Nevertheless, I kind of like the "right to parley" and have included it in my own first draft of The Cyber Privateer Code.

The reason I'm intrigued with the concept of a cyber privateer code is that my whole basis for cyber privateering is to enable such a system under the rule of law. My "Morgan Doctrine" is analogous to the Monroe Doctrine. Combine that with a formalization of "rules of hot pursuit" wherein you might track down a cyber criminal wherever he/she/it may reside to invoke a disproportionate penalty (the only way to truly discourage cyber crime and even cyber war), and you still need a "code of conduct" whereby an unwitting victim might seek redress from the leader of a cyber privateering operation. A final nod to the rule of law is the concept of modern-day bounty hunters, who normally track down people who have jumped bail.

The intricacies of possible cyber privateering scenarios could create a very long list of cyber privateer code elements. In my November 9th post, I quoted author Paco Hope (Web Security Testing Cookbook) who took issue with his victimized grandmother being wiped out by "an inept French privateer". I've tried therefore to include victim redress as part of the cyber privateer code. Furthermore, the Lord God Almighty (at least as far as Jews, Christians or Muslims are concerned) managed to keep His code to a list of ten commandments. So I'll try to keep things somewhere between Asimov's four and Himself's ten.

The Cyber Privateer Code (draft 02—updated on 6/28/2013):
  1. Any unauthorized attempt to access your computer or phish your data access privileges constitutes a crime punishable by the looting of the attacker's assets by an authorized cyber privateer. All assets. Within 6 months of the attack.
  2. If it is determined that the attacker is acting under explicit instructions from a larger organization or government, the assets of that organization or government are also forfeit to the extent that an authorized cyber privateer may confiscate them within a six month period of the original motivating attack. All assets.
  3. The individual whose assets were seized by a cyber privateer—or the publicly and legally designated spokesperson for the organization or government whose assets were seized by the cyber privateer—has the "right of parley" with the head of the cyber privateering organization, such meeting to take place online in a two-way video conference, such conference to be publicly recorded by one or both parties and before the disposition of the booty but no later than 10 days from the confiscation.
  4. Innocent victims whose assets are directly and mistakenly confiscated by cyber privateers (and whose funds are not returned within 10 days after the parley) shall be compensated in an amount equal to four times their loss, with interest accruing on the restitution amount at the rate of twelve percent per annum. This does not include victims of the cyber criminals, since they were already victimized.
  5. Notifications and requests for parley must be unambiguously left by the cyber privateer so as to allow the right of parley to be exercised in a timely fashion.
Okay, five is good. Less than rules dictated by the Creator, more than Asimov's laws of robotics. Comments? 

Friday, November 12, 2010

Crocodile Dundee, Cyber Privateer

Wow, you Aussies really have come to life! Toss some Chinese on the barbie for me, did you? Thanks. Nothing like publishing the IP addresses of Chinese attack servers to get the creative juices flowing down under. Shining a flashlight on the cockroaches seems to have resonated around the world. Here are the countries that have weighed in, listed below the map in order of frequency:


  1. United States
  2. United Kingdom
  3. Australia
  4. Canada
  5. Germany
  6. Israel
  7. India
  8. Russia
  9. Spain
  10. Japan
Clearly, Australia is still my most likely candidate as the host government for legalized cyber privateers (I'd like the USA to lead the charge, but …). Australia is geographically remote, culturally inclined, and just plain ornery enough to tell the rest of the world to stick it. The other countries sniffing around are either too dependent upon the international banking system or they're constrained by treaties prohibiting them from issuing Letters of Marque and Reprisal. The United States could legally get the ball rolling, but special interest lobbies would probably neuter the privateers.

So in this Yearbook of The Great Cyber Wars of 2011, Australia is voted Most Likely to Save the World. Crikey! You could become the New World Capital of The Internet. Splitting loot with only the best…Arrgh!…cyber privateers, it could mean billions to your economy.

Final interesting observation: notice the one country NOT accessing my blog. I guess China doesn't allow critical opinions to flourish (further proof of my contention that nothing happens in China without the approval of the government and that the IP addresses in my last post are indeed operating with the permission of the Chinese government). Diane Sawyer is making a trip to China with ABC news, and I sent her a request to drop by the street addresses of the China attack servers and ask what's going on. It would be cool to get a straight answer from someone over there.

Thursday, November 11, 2010

IP addresses of Chinese attack servers

After looking at a month of error logs from attempts to hack my poor little Linux server, I've captured what I contend are China-based root attack machines. A given attack will cycle through servers around the world, and a sub-five-second delay between widely dispersed geographic locations proves beyond doubt that a master engine is doing the attacking. Most of the other attacking IP addresses are likely systems that have been taken over by überhackers, but the following China-based IP addresses are IMHO manned by Chinese personnel who are on the attack:
My reason for making such a claim: China is a totalitarian state bent on world cyber-domination, and nothing happens on the Internet without the tacit approval of Chinese authorities. My goal in this post is not to propose any kind of retaliation (because inciting such a response is strictly against some pretty asinine U.S. cyber laws), but to shine a light on a bunch of cockroaches. So no, I am not proposing that these IP addresses be attacked and shut down. No, I am not proposing that little genius virus applets be covertly loaded on every EPROM connected to every peripheral device on these systems, to be periodically awakened to wreak havoc on every other computer and user that touches these systems. No, I am not proposing that every file on these systems be replaced with repeating text saying, "Greetings from the Destroying Angel." And no, I am not proposing that email from these systems be sent to every important address in China announcing the next neighborhood Falun Gong meeting. Because all of the above would be illegal under US Law (did I mention that these laws are asinine?), not to mention that it would be just plain wrong to place the operators of those systems in mortal peril at the hands of a paranoid regime. No, my future army of cyber privateers, I just wanted to shine a flashlight on a bunch of cockroaches.
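One way to check for the timing pattern described above in a server's own auth log, as an added example that is not code from the original post: it parses constructed sshd failure lines (RFC 5737 documentation addresses, fabricated timestamps) and flags windows in which three or more distinct source addresses fail within five seconds of each other, both thresholds being assumptions here. A single noisy host retrying on its own never trips it, which is the distinction the post draws between one hijacked box and a controller cycling through many sources.

```python
"""Flag bursts of failed logins from many distinct sources within a short window.

Added example, not code from the original post. The log lines are constructed
(documentation-range IPs from RFC 5737, fabricated timestamps); the sshd
"Failed password for ..." message form is the common one, and the 5-second
window and three-source minimum are assumed thresholds.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: two tight clusters from several sources, one lone retry,
# and one successful login that must be ignored.
SAMPLE_LOG = """\
2010-11-10T03:14:01 sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2
2010-11-10T03:14:02 sshd[813]: Failed password for root from 198.51.100.44 port 40011 ssh2
2010-11-10T03:14:04 sshd[814]: Failed password for invalid user admin from 192.0.2.19 port 3390 ssh2
2010-11-10T03:14:05 sshd[815]: Failed password for root from 203.0.113.7 port 51023 ssh2
2010-11-10T03:20:30 sshd[901]: Failed password for root from 192.0.2.200 port 4312 ssh2
2010-11-10T03:31:00 sshd[950]: Accepted publickey for deploy from 192.0.2.9 port 5000 ssh2
2010-11-10T03:45:10 sshd[990]: Failed password for root from 198.51.100.44 port 40012 ssh2
2010-11-10T03:45:11 sshd[991]: Failed password for root from 203.0.113.7 port 51030 ssh2
2010-11-10T03:45:13 sshd[992]: Failed password for root from 198.51.100.91 port 1200 ssh2
"""

# Matches only password failures; the optional "invalid user " prefix appears
# when the account does not exist on the host.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(text):
    """Return (timestamp, user, source_ip) tuples for failed-password lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def find_coordinated_bursts(events, window_seconds=5, min_sources=3):
    """Slide a window over time-ordered failures.

    A burst is reported when at least `min_sources` distinct source IPs fail
    within `window_seconds` of the first failure in the window. Returns a list
    of (first_timestamp, last_timestamp, sorted_source_ips).
    """
    events = sorted(events)
    window = timedelta(seconds=window_seconds)
    bursts = []
    i = 0
    while i < len(events):
        # Extend j as far as the window starting at events[i] allows.
        j = i
        while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
            j += 1
        sources = {ip for _, _, ip in events[i:j + 1]}
        if len(sources) >= min_sources:
            bursts.append((events[i][0], events[j][0], sorted(sources)))
            i = j + 1  # skip the rest of this burst so it is reported once
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for start, end, ips in find_coordinated_bursts(parse_failures(SAMPLE_LOG)):
        print(f"{start:%H:%M:%S}-{end:%H:%M:%S}: {len(ips)} sources {ips}")
```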

Tuesday, November 9, 2010

The cyber privateer minefield

Author Paco Hope (Web Security Testing Cookbook) has a dissenting view on my cyber privateer idea, and it deserves a fair hearing. Furthermore, I don't want to dismiss his concerns out of hand, because Paco has earned his stripes in the security area. Below is his email to me in its entirety:

I'm amused. I have skimmed a few of the entries, and I think I've got the gist. I might contribute something small, but only if you accept dissenting views. :)

I have a few concerns about the ramifications of vigilante justice. Although pirate hunters with letters of marque may have had some beneficial effects during the revolutionary war, they weren't all saints. There were well-documented abuses by privateers who were little more than pirates themselves. Then you have the phone call that I dread: my grandmother's computer is unfortunately infected by a virus and becomes part of a botnet. Acting under a botherder's orders, her computer does some stuff to some French guy's computer. Unable to find the actual Russian botherder, an inept French privateer attacks my grandmother's computer, doing all kinds of crazy damage to it and her. Now, here I am in London and my grandmother calls me from the US saying that horrible things have happened to her computer and bank accounts as a result of some French privateer brandishing a letter of marque from the French government. What do I do? What law or authority can make restitution?

I agree in principle that laws have failed to keep pace with technology. They're out of date and don't address the threats we really face.

Vigilante justice doesn't strike me as the way to address it. Here's vigilante justice:
http://news.bbc.co.uk/1/hi/world/americas/731981.stm

How do you make reparations for someone who has died? Virtual actions have real-world consequences.
http://www.foxnews.com/story/0,2933,312018,00.html

No, I don't support vigilante justice online.

Regards,
Paco


Thank you Paco for your note. Clearly, in order for my cyber privateer idea to become more than a subplot for my novel, the above concerns must be adequately addressed. Should your (or anyone else's) grandmother get her bank account wiped out because some Russian botherder used her computer in his nefarious scheme and "an inept French privateer" swoops in (great title for a comedy book, by the way: The Inept French Privateer), this would be a tripwire for shutting down the whole cyber privateer program. Similarly, I agree that "vigilante justice" is abhorrent. 


For what it's worth, I don't think a congressional Letter of Marque and Reprisal should be easy for just any yahoo to obtain. The privateer organization would need enough critical mass (gravitas) to be legitimate in the eyes of the world. There would have to be an independently chartered bonding authority to oversee abuses. If your grandmother loses her bank account, such bonding authority would have to work quickly and make reparations equivalent to the poor woman's winning the lottery. Isaac Asimov coined the famous "five rules of robotics" in his fictional world, and my cyber privateers would have to be bound by some fairly strict rules of engagement. Hey, they had a "Pirate Code" in the Johnny Depp movie! Now we need The Cyber Privateer Code.

Monday, November 8, 2010

Marc Benioff: Captain of the Cyber Privateer "Death Star"

I'd previously nominated Larry Ellison as my first Cyber Privateer Fantasy League player. Now that the FBI is "interested" in the Oracle-SAP trial (see my comment in today's Computerworld story), it doesn't stretch the imagination to imply that Ellison is doing the FBI's job for them. Why not formalize it with a Letter of Marque and let Larry cut to the chase with all the bad guys? And it is for this reason that I name my second Cyber Privateer Fantasy League player: Marc Benioff, founder and CEO of Salesforce.com.

I've known Marc for 25 years, and had the pleasure of helping him engineer his pre-IPO attacks against Siebel. One of my favorite creations is the "I will not give my lunch money to Siebel" ad from 2002:


My reasons for adding Marc Benioff to my Cyber Privateer Fantasy League:

  1. He will play well with Larry Ellison. Marc is one of the few ex-Oracle/ex-Ellison spawns that Larry doesn't openly hate. In fact, I think they kind of like each other. Larry was on the Salesforce.com board until Oracle started direct competitor NetSuite and Marc had to ask him to step down.
  2. Salesforce.com has an interesting and vastly different dynamic than does Oracle. While Oracle is sending its X-wing fighters into the Galaxy to take on all competition, Salesforce.com is really a single "Death Star" entity, hosting the Galaxy from within. From a security standpoint, defending one well-guarded domain is much more doable than throwing your security net over the entire Galaxy. One set of security professionals can maintain discipline far more effectively than an infinite army of least-common-denominator links in the chain. In fact, the "Death Star" model may be the only truly viable security model in a full-blown cyber war.
  3. Marc Benioff's longstanding antipathy toward China is demonstrated in his first charity focus, Tibet House. Given that China and Russia are likely to be the big players in a cyber war, neither Marc nor Larry is likely to back down. They have the same take-no-prisoners DNA. I remember a GREAT statement by Larry Ellison concerning Russia, but until I can corroborate it with another source, I dare not repeat it. Needless to say, Ellison and Benioff would be cyber privateers to be feared worldwide.
  4. Marc is a visionary and a leader who can stay on target, not changing strategy or tactics due to his last phone call.
So my Cyber Privateer Fantasy League has two members with whom I've had a longstanding relationship, and who I can attest have the intellect, the toughness, and the real-world experience to lead the way. I'll be suggesting other team members in future posts.
