
Thursday, March 31, 2011

China, today I unplugged my Linux "honey pot"

I decided the best security for my little Linux server was complete disconnection. Heck, it wasn't serving a useful purpose beyond letting me bait attackers and put together a "payback" list of attacking IP addresses (which I'll probably never use, anyway). Sure, I have the IP list and may share it with some sufficiently bad dudes. Of course, I shared a few of the Chinese attack-server IP addresses in the past. But checking the attack logs just caused me negative thoughts. Given that creativity and negativism can't exist simultaneously, today I voted for creativity. Which may be the worst news I could give China. Because I might come up with an extremely creative way to use those attacking IP addresses. Legal but nevertheless creative. "Hey, Hu's crying now?" Stay tuned.
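The "attack logs" and the list of attacking IP addresses mentioned above come from the failed-login records an exposed Linux box accumulates. The following is an added example (mine, not code from this blog) of how such a list is usually built on the defender's side: it parses sshd "Failed password" lines from auth.log, counts attempts per source address, records which usernames each source tried, and flags the sources that cross a threshold. The log lines are constructed for the example and use RFC 5737 documentation addresses; the threshold value and function names are my own choices.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd entries in classic syslog format. The
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Mar 31 02:14:07 honeypot sshd[2311]: Failed password for root from 203.0.113.45 port 52113 ssh2
Mar 31 02:14:09 honeypot sshd[2311]: Failed password for root from 203.0.113.45 port 52113 ssh2
Mar 31 02:14:12 honeypot sshd[2313]: Failed password for invalid user oracle from 203.0.113.45 port 52140 ssh2
Mar 31 02:15:01 honeypot CRON[2320]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 31 02:16:44 honeypot sshd[2325]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Mar 31 02:16:50 honeypot sshd[2325]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Mar 31 02:17:03 honeypot sshd[2328]: Accepted publickey for deploy from 192.0.2.10 port 60001 ssh2
Mar 31 03:02:19 honeypot sshd[2402]: Failed password for root from 203.0.113.45 port 53010 ssh2
Mar 31 03:02:22 honeypot sshd[2402]: Failed password for root from 203.0.113.45 port 53010 ssh2
Mar 31 03:02:25 honeypot sshd[2402]: Failed password for root from 203.0.113.45 port 53010 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user oracle from ...".
FAILED_LOGIN_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(log_text):
    """Return a list of (date, source_ip, username) for every failed
    sshd password attempt. Non-matching lines (cron noise, accepted
    logins) are skipped rather than treated as attacks."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if not m:
            continue
        events.append((f"{m['month']} {m['day']}", m["ip"], m["user"]))
    return events


def attempts_per_source(log_text):
    """Aggregate failed attempts by source address.
    Returns (Counter of ip -> attempts, dict of ip -> set of usernames)."""
    counts = Counter()
    users = defaultdict(set)
    for _date, ip, user in parse_failed_logins(log_text):
        counts[ip] += 1
        users[ip].add(user)
    return counts, users


def noisy_sources(log_text, threshold=5):
    """Source addresses with at least `threshold` failed attempts,
    busiest first. This is the list a defender would feed to a
    firewall blocklist or an alert, after checking it against
    known-good addresses."""
    counts, _ = attempts_per_source(log_text)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    counts, users = attempts_per_source(SAMPLE_AUTH_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:15} {n:4d} attempts, users tried: {sorted(users[ip])}")
    print("over threshold:", noisy_sources(SAMPLE_AUTH_LOG, threshold=5))
```

The regex deliberately requires the `sshd[` tag, so a cron line that happens to contain "for user root" is not counted, and an "Accepted publickey" entry never appears in the aggregate. Lowering `threshold` makes the list longer but noisier; the usernames attempted per source are the quickest way to tell a credential-guessing bot from a colleague who mistyped a password.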

Wednesday, March 30, 2011

Chinese are "the usual suspects"

To the best of my recollection, the order to "…bring in the usual suspects…" originated in the 1942 movie Casablanca and was uttered by actor Claude Rains. Last night's Register story on the "mystery hack" that compromised the Australian government carried the following paragraph:
The breach affected parliamentary systems rather than the government's more secure intranet. Speculation suggests that hackers possibly from China (the usual suspects in all such cases) may have been after raw intelligence on Australia's lucrative mining industry.
China's growing PR problem in the cyber community has passed from merely whispered speculations to a fait accompli. Just enter "China" in the search box to the left of this column and you'll see my own contribution to the dog pile (even though 2011 is the "Year of the Rabbit"). Honestly though, and with due respect, I've given my best shot at a constructive solution for China (see my "Dear Huawei" post as well as my recommendation—to Russia, although it applies equally well to China—for PR wizard Steve Coltrin).

In a hacking news story somewhere (sorry I can't drill right to it to give the author proper credit), one of the reader comments suggested that cyber criminals could probably make a lot more money doing honest work. To this comment I add, of course that would mean "…getting out of show business…" Which is why I reiterate my advice to China: Clean up your act. It's costing you more than you can imagine.

Or ignore my advice and wait for a licensed and bonded cyber privateer to clean up your act for you. They'll clean out a few bank accounts, too.

Tuesday, March 29, 2011

Cybercrime: an easy-entry career, Part II

It looks like the Incognito 2.0 command and control system for managing cyber criminal networks is alive and well (and under a new name, being ripped off from a previous system called Fragus)…and available for budding crooks. The Networkworld article calls this an exploit-as-a-service capability. Incognito 2.0 appears to embody several principles of The Perfect Virus:

  1. Oversight (principle #1), a CCS dashboard
  2. Prosumption (principle #11), intended for use by "professionals"
  3. Stealth (principle #14), obviously
  4. Team Isolation (principle #16)
I don't know for sure, as I've not spent any time with the actual tool kit, but there may be other features that qualify for categorization in The Perfect Virus topology. The Securealert blog has screen shots, and a comment identifying other CCS cybercrime systems (Bomba and Blackhole). But since it's not the purpose of this blog to be a tutorial on cybercrime, I'll leave researching these toolkits to others.

My point in bringing this up at all has to do with the obvious justification for legalizing cyber privateers. Simply, the bad guys have turned cybercrime into a cottage industry.

It's time to play whack-a-mole legally and, I believe, quite profitably.

Monday, March 28, 2011

Stuxnet response from Iranian hacker?

On March 3rd I posed the question, "Is the U.S. ready for a Stuxnet response?" It appears the first anemic volley (anemic because this guy could have done sooooooooo much more) came in the theft of online security certificates (as I posted in point 3 last Thursday on the Cyber war proof-of-concept adventures) by an Iranian hacker. I caught the story in TIME, Inc.'s email posting today, which pointed to the actual confession by the hacker on Pastebin. While the so-called 21-year-old hacker establishes his bona fides by describing how he pulled off the SSL certificate heist, I put a question mark in my headline because I'm not totally convinced this isn't a full-blown Iranian government operation. You'll have to read the letter on Pastebin and make your own decision.

Interestingly, the hacker's letter ends in a Persian quote: “Janam Fadaye Rahbar” which I Googled and got:
“Janam Fadaye Rahbar”… means “I will sacrifice my soul for my leader”. 
If this was indeed an Iranian operation, then it was just a subtle shot across our bow. And now that I think about it, Iran hasn't established much of a record for subtlety. Which builds a case for the lone-hacker theory.

When I Googled the above quote, I found a blog on which I couldn't resist leaving my own calling card:
Here’s a really dumb comment: “I will sacrifice my soul?” Hey, sacrifice your life. But your soul! Good grief man, a soul is for eternity. Your soul and its salvation is what we slog through this veil of tears to preserve. Let’s hope a better translation is, “I will sacrifice my life…” I’ll give you the benefit of the doubt here, as nobody could be this eternally stupid.
As for the Iranian hacker, if you are who you say you are then you have indeed made monkeys out of the RSA spin doctors.

Saturday, March 26, 2011

Cyber privateering readership analytics

I started my cyber privateering blog exactly five months and twelve days ago (according to my Wolfram|Alpha calculation). While it interested me greatly, a collection of the top-ten-visited postings kind of reinforces what interests my many thousands of readers. While these musings simply started out as a kind of displacement activity to help me understand the nuances of legalized cyber privateering, it has definitely taken on a life of its own. And more importantly, the whole concept of licensed and bonded cyber privateers—who operate under a strict code of conduct—appears to be a rather practical mechanism. If readership analytics tell me what I think they do, then you readers also validate my wild-hare fictional premise. Here are the top-ten postings for your own review:
  1. Draft 01: The Cyber Privateer Code is the #1 most-read posting. This is the strict code of conduct, kind of like "the pirate's code" referred to in the Johnny Depp Pirates of the Caribbean movies. I called it "Draft01" because I thought for sure I'd have to make some modifications. I came up with five rules (Isaac Asimov only had 4 rules of robotics, while our Creator had ten commandments). Five rules? Not bad. I'm still nervous about the 100-to-1 penalty for inept privateering exploits, and may eventually make it only 10-to-1.
  2. The Perfect Virus principle #14: Stealth is an obvious #2 in readership. Almost as popular as the Cyber Privateer Code, this 14th of my 22 Principles for creating The Perfect Virus is kind of the reason people write viruses. They want them to be stealthy.
  3. Stuxnet about to cause an "Iranian Chernobyl" ranks very close to the top two in frequency. While this story was very popular when I wrote it on January 17th, since the tragedy in Japan it has taken on some seriously new interest amongst my readers. I think a lot of people are wondering just how good the Russians' fail-safe protocols are in the technology they've sold to Iran.
  4. Privateer analytics: high-reward/high-risk numbers is a bit of practical arithmetic. Over 78% of our Revolutionary War privateer ships were captured by the enemy. The frequency of readership that gives this topic a #4 ranking shows that people are giving some serious consideration to the risk factors. After all, if you clean out the bank account of a drug kingpin, you could be finding body parts of loved ones all over the place.
  5. How China/Russia can make (are making?) billions by slowing down the side channel shows how truly vulnerable our networked world has become, especially to nation/state-sponsored exploits. And unlike hitting drug dealer bank accounts, Wall Street doesn't appear to have any teeth with which to bite back (of course, a get-out-of-jail-free card issued by our government would quickly change that).
  6. Federal judge keeps 1-800CONTACTS from hijacking the Internet is in my opinion the most important legal decision of the new millennium. I hope Federal Judge Clark Waddoups is asked to apply his considerable legal genius to a rewrite of our idiotic federal cyber crime laws. And I am delighted that so many of my readers have stumbled onto my analysis of his ruling in this case.
  7. The Perfect Virus: All 22 principles summarized is always in the top ten. The real genius behind these 22 principles is Jeffrey L. Walker, a member of my Cyber Privateer Fantasy League team. I just took his 22 principles for creating "the perfect software application" and applied them to the world of virus creation. The exercise was essential research for the sequel to my already written novel about cyber privateering (which my new literary agent is gearing up for sale to a New York publisher). Again, various mechanics for creating The Perfect Virus are always high in readership ranking.
  8. How badly are the Chinese and Russians hurting us? is my second-ever blog post. I'm always glad to shine a spotlight and watch the cockroaches run for cover. This story still has legs, and is more relevant today than ever before.
  9. IP addresses of Chinese attack servers is my unrefuted indictment of the biggest nation/state threat to cyber security: China. Perhaps this still gets substantial readership because I frequently hyperlink to it on my postings. Of course, Chinese servers are still attacking my little Linux "honey pot" hundreds of times a day. Which thoroughly irritates me. Now if I had a get-out-of-jail-free card
  10. Infecting an alien architecture, Part II is my second posting on what I consider to be the true Holy Grail of The Perfect Virus, principle #7: Black Box Portability. While Stealth ranks #2 in all-time readership, the key to winning a full-blown Cyber War will be our ability to defend ourselves against specialized intrusion engines that have roll-your-own operating systems created by a nation/state with the resources to field a special cyber warfare engine. But at least this topic remains in the top ten.
The all-time geographic distribution of my audience shows some anomalies.

  1. The United States is naturally the top reader.
  2. The United Kingdom is number two, again no surprise.
  3. Canada is a bit of a surprise, as they should be #2, shouldn't they?
  4. India is also a surprise, as they shouldn't be this high. Maybe Pakistan is getting on their nerves?
  5. Germany, again a surprise. Islamic nervousness maybe?
  6. France only surprises me here because they're ahead of Russia (#8).
  7. Australia. Actually, I'm sorry they're not higher on the list, as they'd be my #2 choice as a legal haven for cyber privateers.
  8. Russia. Seriously, number 8! These guys refused to jail cyber crook Darth Vader, Jr. They probably gave him a high-paying job, instead. Russia is #3 in their commitment to and resources available for cyber warfare, only behind China and the USA.
  9. Japan.
  10. Malaysia! What the heck is going on in Malaysia?
Significantly not on the top-ten list are China, Taiwan and various Middle East entities. Given the attack volume on my Linux server originating in China, it's clear their government is doing a whiz-bang job censoring their access to outside information. Which is good, as far as I am concerned. I wouldn't want them paying serious attention to and investing their substantial resources in actually creating The Perfect Virus. As for Taiwan and the Middle East, if ever some regions would benefit from serious attention to cyber warfare defenses, they certainly could. Go figure.


Friday, March 25, 2011

IP addresses of Chinese attack servers, Part II

In my November 11, 2010 post on IP addresses of Chinese attack servers, wherein I chafed mightily at the numerous daily attacks on my little Linux "honey pot" server, I wrote "…nothing happens on the Internet without the tacit approval of Chinese authorities…" Today's Computerworld story supports my assertion. And my little Linux box is still getting hammered daily. Too bad I don't have a get-out-of-jail-free card, as I'd be inclined to substantially discourage any future probes of my systems. Imagine (metaphorically speaking, that is) a Chinese hacker sitting down to dinner with his wife and one-and-only-allowed child. The hacker gets this funny look on his face just before shrieking in pain as an alien monster blasts out of his chest cavity (see the original Alien movie for the full metaphor). Okay, so the alien monster pops out of his computer (by the way, killing it in the process).

I had a great time taking my kids to see Alien when it first came out. The four of them along with my wife had their hands over their eyes as Tom Skerritt climbed into the space ship's ventilation ducts. So I said, "You know why you can watch and why he won't die? Because he's the star!" They all go "Oh, yeah!" and open their eyes just as Skerritt turns around to see the chomping teeth coming for him. Bad idea on my part, since the family sat on either side of me. Both of my shoulders were black and blue by the time I got home.

Anyhow China, remember that, "He who lives by the virus…" Uh, see my principle #22 attribute of The Perfect Virus. Heh heh. It's called Defense.

Thursday, March 24, 2011

Cyber war proof-of-concept adventures

A combination of cyber weapons-test headlines gives the briefest of hints as to what a full-blown cyber war might look like. Multiply these by 1000 and you get a glimpse of the job facing the U. S. Cyber Command:

  1. Data bombs in key infrastructure systems could not only cause massive disruptions but could actually cause infrastructure meltdown. See Richard Clarke's Cyber War, yesterday's headlines, or the Economist ad I rolled out in my second-ever post to this blog.
  2. Re-routing of Internet traffic through China, described as "accidental" in today's headlines, is IMHO a dry-run for targeted exploits on a government scale.
  3. Lots of ways to skin a cat, including SSL certificate theft by Iran. Compromise everyone's certificate at once and you have a fur ball not easily unravelled.
  4. Remotely infect all our swell new high-tech/Internet-connected cars with an MP3 virus and bring traffic to a screeching halt in major metro areas, possibly tying up police and fire resources as a precursor to attacks—cyber and non-cyber terrorist attacks—in other areas.
  5. See my if-I-were-a-jihadist posts Part 1 and Part 2 for a few other example scenarios.
The above is illustrative and not at all comprehensive. But it underscores my assertion that no amount of tax dollars could create a U. S. Cyber Command capable enough to stem the tide in a full-blown cyber war. The extent to which individuals and governments probe anything that even touches the Internet is illustrated in my post listing the IP addresses of Chinese attack servers whacking away at my own "honey pot" Linux server.

Just like we distribute MIPS in highly computational tasks like the search for extra-terrestrial intelligence (SETI), why not distribute cyber protection by monetizing it through a well-defined army of cyber privateers? I've posted both the legal justification and a surprisingly robust-if-I-do-say-so-myself Cyber Privateer Code.

Wednesday, March 23, 2011

TIME, why did you spike another story?

I guess Time, Inc. has a problem exposing stupid cyber criminals, given that they appeared to have pulled another Techland (a Time subsidiary) story. My email today from Techland reads as follows:
Robbed Victim Posts Video of Laptop Thief Dancing Online Erica Ho | March 22, 2011 at 4:00 pm | 
Is this a victory dance? After being identified as a thief, and having this embarrassing video posted online, I think not. Fortunately, Mark Bao, an 18-year-old student at Bentley University in Massachusetts, knows his way around a computer. When his MacBook Air was stolen, he discovered he could still access several his hard drive and [...]
Read more of this post
Of course, if you click to "Read more of this post" you get the usual "Error 404 - Not Found" message (try clicking on the hot-links above and you'll see). But not to worry. The horse is out of the digital barn. Again. Google—Mark Bao dancing thief—and you get the story anyway, thanks to Security News. There, you can see the YouTube video of a stupid criminal and see the rest of the story.

So Time, that's the second story you've spiked in a week. What gives? I can understand the business reason for killing the story giving jihadists the idea for causing massive disruption by taking over large numbers of new automobiles with an MP3 virus. Automobile advertisers could easily turn your fragile bottom line substantially red. But a stupid computer thief? I'd kind of like to know your rationale.

In a reputation-based economy, truth would seem to be an excellent way to keep people on the high road. My guess is that you determined turning a petty thief into a pariah was a disproportionate response, with a disproportionate effect on his entire life. That, unfortunately, is my own justification for legalizing cyber privateering: the likelihood of a disproportionate response to cyber crime would be a major factor in discouraging criminal activity.

Which means that Time, Inc. will probably editorialize against legalizing cyber privateers, eh? You're probably not alone.

Selah.

Tuesday, March 22, 2011

U.S. bankers build case for cyber privateers

Today's WSJ headline is U.S. Banks Oppose Tighter Money Rules, and deals with political "kleptocrats" stealing vast amounts of money from their countries (or taking kickbacks from criminal activity) and depositing their IGGs (ill-gotten gains) in trust accounts around the world. Why, you might ask, would we be opposed to demanding that financial institutions determine who the beneficiaries of such trusts might be? The last paragraph of the article quotes Robert Rowe, vice president and senior counsel for regulatory compliance at the American Bankers Association, and the net-net answer to my question is:
"It gets to the point where in order to open an account you'd have to hire a private investigator and do a full investigation. Our position is that that kind of use of resources doesn't make sense."
I think the American Bankers Association has made my case for legalizing cyber privateering. Originally, my post of October 15th built a case that "Cyber privateers must be allowed to hit the bad guys' bank accounts." If Mr. Rowe's argument against tighter money rules holds, then he is inadvertently making a strong case for licensed and bonded cyber privateers. It would save the banks that money while demanding significant levels of proof for legal account looting.

And besides, I wouldn't mind seeing a chunk of the Libyan dictator's cash hoard given to surviving families of the Lockerbie victims.

Monday, March 21, 2011

RSA attack culprit?

I concluded my Saturday post by speculating that the attack on RSA posed some serious legal and tactical problems. We don't know much more than the company's characterization of the event as an "extremely sophisticated cyber attack" (ZDNet ran the story). It seems to me that they owe their customers a little more information, and I'll be anxious to see how this plays out.

But from my own perspective, RSA's countermeasure options are severely limited by existing cyber law. If ever there was a justification for a hot-pursuit cyber doctrine, this would certainly qualify. Look how long it took Microsoft to orchestrate last week's botnet takedown. And that was just for a spam operation. RSA's disclosure transcends mere inconvenience and hints of full-blown cyber war.

Who's the culprit? Or should I say, "Hu's the culprit." Time will tell.

Saturday, March 19, 2011

Ooh-rah, U.S. Cyber Marshals!

On Thursday, I posed the question, "Some cyber privateers did their homework?" I referred to the story that a botnet responsible for half the spam we received last year had gone silent. I suggested three hypotheses:
  1. A white hat Cyber Privateer had done his homework;
  2. A government organization had properly papered up a get-out-of-jail-free card and had taken out the botnet; or
  3. Another criminal organization was holding the botnet hostage.
Yesterday's Wall Street Journal answered the question, and it was sort of my door number two. Microsoft, working with federal authorities, swooped in and seized the command and control servers. Kudos to Microsoft's Digital Crime Unit. Yes, they could have gone further than merely cutting off the head of the command and control system—like maybe backtracking to the source and lobbing their own data bombs at the bad guys—but that would have placed them well outside current law. As it is, they had to do everything (hopefully) by the book.

It's entirely possible that Microsoft had to violate (wink, wink) existing cybercrime law to identify the botherding servers. Since I don't have access to the legal filings used to paper up the court orders, this is just speculation. Nevertheless, I'm glad to see some positive motion. After all, the botnet itself is composed of an estimated 815,000 Microsoft computers that have been taken over by the criminals. Microsoft truly owed it to us all, not to mention their customers.

I am slightly more interested in pointing out that Microsoft was joined in the action by U.S. Marshals. I have speculated in my own fiction that indeed the U.S. Marshals would be the entity under which legalized cyber privateering would function (a few months ago I even reserved www.USCyberMarshals.com as the working title of a yet-unwritten sequel to my current novel). This makes sense, and I'm optimistic about this evolution.

Who's the next headline? How about EMC's RSA unit, which really got cyberwhacked? EMC's legal and tactical problems are much more complicated.

Stay tuned.

Friday, March 18, 2011

TIME pulls story: MP3-trojan car-takeover

Ever wonder what would happen if TIME Magazine's online Techland service did a story on how an MP3 Trojan could take over your car? What if the automobile advertisers—the same ones who spend hundreds of millions of dollars advertising with you—told them to pull the story or lose the ad revenue? This may be what happened yesterday. I got the Techland feed saying:

Yes, a Trojan MP3 Can Let Hackers Seize Control of Your Car
Guest Author | March 16, 2011 at 7:00 pm | The Battlestar Galactica had no networked computers for the simple reason that they might allow the Cylons to take control of the ship. You might want to think about that next time you pop in a burned CD into your car’s stereo system. Computer security researchers at UC San Diego and the University of Washington [...]
Read more of this post
Of course, if you click on the above links to read more of the story, the Techland site claims it can't find it. My guess: GM or Ford or all of the above got on their Bat Phones in one giant hurry and gave Time, Inc. an ultimatum. Unfortunately for the car guys, the Internet train has already left the station. Once something is on the Web, well, you can find it.

Want to see the whole story? Go to the original story in Mobile Magazine (until at least the car companies get to them). Just in case their story also gets spiked, here's the body copy:

We always knew this day would come. And now, it’s been proven: Cars are susceptible to malware.
Teams at the UCSD and the University of Washington have managed to hack into an unspecified 2009 vehicle using a trojan virus hidden in an Mp3 disc inserted into the audio deck. The virus allegedly altered the car stereo’s firmware creating an entry point to other components of the vehicle.
The researchers were then able to gather information such as GPS data and the Vehicle Identification Number – and were even able to control the locks, brakes and engine remotely. 
The hack isn’t likely to be taken advantage of on a large scale given that different models of stereos and cars have specialized firmware. 
But the implications are huge: Now that people know it can be done, I’ll be surprised if they don’t do it. 
[via Boing Boing]
Certainly the latest automobile ads showing a father starting his daughter's car from a smart phone application haven't escaped the jihadists of the world who're probably thinking, "Yowzer, wouldn't it be cool to launch a cyber attack on all the latest automobiles driven by infidel citizens of The Great Satan?" It makes the hair on the back of my neck stand straight up.

Update on May 20, 2011: Finally this is listed as one of the six big cyber security threats in yesterday's Computerworld story. Threat #5 is "Hackers controlling your car."


Thursday, March 17, 2011

Some cyber privateers did their homework?

Posted from the illustrious Mr. Krebs' site, it appears that the command and control of the world's largest botnet (computers infected to send out SPAM for everything from male enhancement to fake drugs) has been taken out by persons or organization unknown. I'd like to think it was a White Hat cyber privateer who has done his homework, although I would grudgingly applaud a government organization who has papered up a get-out-of-jail-free card (i.e., a presidential "finding" on which it acted) to do the deed. Since I don't know the answers, there is a third scenario that could be afoot. Namely, a criminal organization is holding the botnet for ransom. Mr. Krebs' article indicates there are approximately 815,000 Windows computers currently infected with the botnet virus, which still exists on them. However they have no command-and-control connection and have therefore gone dormant.

My preference would be for "door number one" to be the culprit: a lone cyber privateer who did this for altruistic reasons. In which case I would personally contribute to his legal defense fund, should the need arise. As well as lobby for a retroactive Letter of Marque and Reprisal from a grateful government.

Kudos, door number one!

Wednesday, March 16, 2011

If I were a social activist…

The WikiLeaks DDoS attacks along with today's WSJ story about porn sites tricking advertisers by flooding paid-link sites with clicks from people visiting those porn sites brings to mind some social activism scenarios that actually appeal to me. Let me say in advance that I have not tried these, but in my fantasy mind I can see some novel ideas for my fictional characters. This post is intended for your entertainment only and should not be construed as a call to action. I'll share my call to action with you in the final paragraphs, as I'm looking for a law firm gutsy enough to try this.

FICTIONAL SCENARIO ONLY:  Are you as irritated as I am about all the personal injury lawyers advertising on television? Lines like, "My own father died of [name the disease here], so I have a personal interest in seeing you properly compensated." Or this one gets me every time: "If you're a drunk driver, you will answer to me, [name of attorney here]." What the world doesn't realize (my father is still a practicing attorney) is that the client pays 33% of any money gained in a settlement with the insurance company, and if the case goes to trial the fee jumps to 50%. For those of you who may be wondering why your health and automobile insurance are skyrocketing, one of the big reasons is a growth industry known as personal injury law. Forget tort reform. Lobbyists for the trial lawyers have the "fix" well and truly in (remember presidential candidate John Edwards, who made his money as a personal injury superstar attorney?). In my fictional scenario, a group of "activists" who wanted to see tort reform take place from a grass roots level might arrange a massive click-through campaign to Google ads placed by personal injury attorneys. They pay big bucks for certain keywords. They'd target the guys who are also advertising on television and who buy the back covers of the telephone books. A steady trickle of clicks (not a greedy deluge) could bring these firms to their knees. Cleverly done, especially using principles of The Perfect Virus, this could be done without exposing the perpetrators to civil or criminal liability.

MY REAL-LIFE CALL TO ACTION:  For a couple of years now, I've been trying to convince an attorney friend of mine (a non-advertising/non-ambulance-chasing attorney I might add), to take on the greedy personal injury attorneys in a new kind of go-viral-in-a-big-way online video attack. The simple visual would mimic the Macintosh-vs-Windows ad look-and-feel, only there'd be just one spokesman standing on an all-white background. I'm going to use my friend's name, since he's not the typical greed-head personal injury lawyer. If some of you need an attorney, his name is unusual enough that you could easily Google him. Here's what his television commercial would say:
My name is Denver Snuffer, and I'd like to tell you the truth about all the personal injury attorneys who are advertising on television, trying to get your business. For those of you who have been injured in an accident, had a faulty hip replacement, or had a loved one die of an asbestos-caused disease, what good old "Siegfried and Roy" or the "One-call-does-it-all" yahoos aren't telling you is that they'll take from thirty-three to fifty percent of your award as their legal fee. That's one third to one half. Well, I don't advertise on TV or buy the back cover of the phone book. But I'm an agent of change. And just like literary agents, my fee is only fifteen percent of your out-of-court settlement. Twenty percent if we have to go to trial. Literary agents get twenty percent if they sell international rights or do a movie deal. That's what an agent of change should charge. My name is Denver Snuffer. I am an agent of change.
Well, unfortunately Denver doesn't charge the 15-20%. But I'll bet he'll negotiate in that neighborhood. Because he owns the building in which he practices law, and he doesn't advertise on television or on the back covers of the phone book. And he'd rather scrap it out in court than take the easy money settlements that keep the big-name guys rolling in dough. Denver is a warrior.

If enough of you call Denver and negotiate these lower rates, maybe his business will metamorphose into that model, after which I'll film the above viral ad with him. It would be fun to watch all the personal injury cockroaches run for cover.

In the meantime, my fictional scenario above could give me an entertaining throw-away plot element in the sequel to my novel.

Heh heh.

Tuesday, March 15, 2011

Adobe still the best ad for cyber privateering

Once again, a zero-day hole in Adobe products demonstrates:
  1. My assertion that Adobe could use the threat of reprisal cyber attack to mitigate use of their products for malware exploits.
  2. The most stealthy exploits will use zero-day holes (I wrote at length about Stealth principle #14 of The Perfect Virus).
Let's face reality. Suppose we re-architect the entire Internet to eliminate flaws in TCP/IP security. Suppose anonymity is impossible to achieve in this brave new world. There's still nothing to prevent an agent provocateur or disgruntled insider from planting a virus in his company's trusted cloud service. Yes, the source of the virus would eventually be isolated. The company itself would have to do a mea culpa and probably take a big hit in both public trust and increased insurance premiums.

In short, a world without legal and bonded cyber privateers would still be a very insecure place. I see no alternatives for security enforcement. Again, Australia, think about the power of a first-mover advantage. Translating the following "motto" into Latin might give it sufficient gravitas, but it's certainly much more compelling in English:
Light up a barbie for a hacker and you keep him warm for an afternoon. But throw him on the barbie and you keep him warm for a lifetime.

Monday, March 14, 2011

A brief history of malware

PC Magazine just put together a brief history of malware slide show, from 1971's Creeper all the way to 2010's Stuxnet. They've missed quite a few recent and more sophisticated examples, so I didn't get any new fodder for updating my Perfect Virus Report Card. If you want to know what's coming, my 22 principles for creating The Perfect Virus might be sobering. And they might motivate some country to take extraordinary measures and legitimize cyber privateers. Maybe?


If one of my readers is with such a government, please take a look at (a) my legal justification for cyber privateering and (b) my Cyber Privateer Code, both of which should ease your heartburn a bit and give you a vision of the possibilities. Considering where cyber crime and Cyber War technologies are headed, I can't think of a better solution to those future problems. Can you?

Saturday, March 12, 2011

I'm finally getting China's attention?

In the last 24 hours, and after all these months, this blog is finally getting attention from mainland China. It's certainly possible that clever people in China have been using proxy servers located in other countries, but these are the first hits directly attributable to them. Indeed, China is number seven in audience numbers for the day:
  1. United States
  2. Brazil
  3. France
  4. United Kingdom
  5. Philippines
  6. Canada
  7. China
  8. Israel
  9. Iran
  10. Malaysia
One might draw a number of conclusions about this mix of readers, and wonder what the heck the boys from Brazil are up to, but I'll wait to see what else shakes out. Israel and Iran? Philippines and Malaysia? And the UK dropping to 4th from their usual #2 spot? Some interesting scenarios present themselves.


Friday, March 11, 2011

My browser of choice is now Chrome

The reports I've been seeing from this year's Pwn2Own hack match are summarized by this line from the Computerworld story:
"If Chrome comes out unscathed, as it now appears it will, the browser will have survived three consecutive Pwn2Owns, a record."
By all appearances, Google's Chrome is the most secure browser. I'm just sorry I can't run it on my iPhone/iPad. But the rest of my computers (Macs, PCs & Linux) all get Chrome. Congrats, Google. And I think my next phone will be an Android, for reasons stated in other posts.

Thursday, March 10, 2011

Good thing Symantec & McAfee don't manufacture condoms

Another strong argument for legitimizing cyber privateers to monetize enforcement is reported by NSS Labs, who measured the effectiveness of 10 security products' malware detection. The results: 36% effectiveness at detecting email malware, unless a company runs a centralized, server-based product, in which case the protection rate soared to a whopping 74%. The NSS Labs report is $995, which I didn't pop for. And even if I did, I'd probably be in violation of their purchase license to name names. However, one critical conclusion kind of seems obvious: 74% protection would certainly put a condom manufacturer out of business.

In my opinion, the threat of some brilliantly evil enforcers with a get-out-of-jail-free card from the government—and backed by a bonding authority who would make sure innocent victims were recompensed a hundredfold (see The Cyber Privateer Code)—could do more to prevent cyber crime than all the politicians placed end to end (and they should handily beat the 36-74% number from the billion dollar industry that's doing such a…bang-up…job).

Wednesday, March 9, 2011

Report Card: Zeus/SpyEye update

As I've said before, Brian Krebs is the "real deal" in security intelligence. His post today updates (a) the effectiveness of Zeus/SpyEye thwarting by ISPs using available tools, and (b) the reaction of the Russian mobsters who use these products to loot people's bank accounts. Good reading!

Thanks to Mr. Krebs, I was able to at least give Zeus/SpyEye partial credit for defense, although it's a gift, since the defense is not integrated into Zeus/SpyEye itself but lies in the Russian mobsters' independent attacks on the service that publishes information ISPs use to detect and thwart the botnets propagating these attack systems. My updated Zeus/SpyEye and Stuxnet report card can be seen by clicking here.

Tuesday, March 8, 2011

French followup

For those following my reference yesterday to hackers targeting French government computers, a followup story appeared today. Net net: China denies involvement. I tend to believe the denial, since the Chinese aren't this sloppy. At least I don't think the Chinese top-tier talent is sloppy enough to get caught like this. Maybe an undergraduate hacking class assignment went awry?

Too bad the French are signatories to the Paris treaty of 1856 that outlawed privateering. I wonder if they might reinterpret the treaty in such a way that would allow them to sponsor cyber privateers?

Monday, March 7, 2011

Is The Cyber War of 2012 starting a year early?

Okay, so I'm schizophrenic. On one hand, I ask whether or not we've started The Great Cyber War yet. Then I claim it has already begun. My real problem is the time between finishing my novel and getting it published. I'm thinking The Great Cyber War of 2012 has a nice ring to it, especially when combined with the myth of the Aztec calendar. Also, it's a presidential election year, and many outside forces may have an interest in influencing the outcome of the election. I won't speculate on scenarios here, as myriad cases may be made for and against either political party. Today's WSJ story on the Taiwan spy case involving China leads me to one conclusion: China will almost certainly be at the center of any cyber war hostilities. Similarly, today's Computerworld story on hackers targeting French government computers leads me to a corollary conclusion: Agenda-driven hackers may be a wild card to produce unpredictable "flash points" in the (pick one) current/upcoming cyber war.

In my "If I were a jihadist" posts (Part I and Part II), I speculated that certain Middle Eastern factions might have an interest in bringing things to a boil. But who's to say that some other "agent provocateur" might not WANT it to look like a jihadist had pulled the pin on a major attack? For example, if I were a Russian national I might just want to get China on my side badly enough that I'd make it appear that a nuke detonating on Russian soil—but quite near the Chinese border and with fallout spreading across China—was part of a jihadist plot. Clearly, China would be an important ally in a cyber war, and a most formidable foe.

I would advise conspiracy theorists to…well…stay on your meds and be sure to sleep in your tin foil helmets.

Saturday, March 5, 2011

South Korea sites NOT attacked by virus!

Sorry for the pickiness, but today's New York Times story has a misleading (indeed bogus) headline: "In Cyberattack, Virus Infects 40 Web Sites in South Korea." Normally, the NYT has a fairly high journalism standard. I attribute this story to sloppy weekend fact-checking/editing. If you read the story, the sites were subjected to a DDoS (Distributed Denial of Service) attack. This ain't a virus, and it's certainly not competent hacking. That I bring up this story at all isn't because readers of this blog don't know the difference between a virus and a DDoS attack, but because the NYT "everything that's fit to print" promise was stretched a bit. Come on guys, get with more professional reporting!

Friday, March 4, 2011

Ellison: "Too bad the U.S.S.R. didn't have Oracle."

In my post of Tuesday, Infecting an alien architecture, Part V, I mentioned that one of the contributors to China's Wophone project was none other than the Chinese government. Looks like they have more than alien architecture in mind. Apparently, Beijing plans to track people's movements via their mobile phones, too. Which is why you might want to stay away from a swell Wophone deal from ZTE, Huawei, TCL, Beijing Tianyu Communication Equipment, Taiwan's Inventec Appliances, HTC, South Korea's Samsung Electronics, and even Motorola in the U.S.

I remember kicking around an ad idea with Larry Ellison some years ago. It never saw the light of day for obvious reasons. Larry said,
"You know, if the U.S.S.R. had Oracle and some decent computing power, they'd never have lost the cold war. A small number of people could run a very large gulag."
Well sports fans, China has sufficient computing power. They have Oracle. And they seem intent on using new technologies to keep pretty close tabs on their people. Without the capability to infect an alien architecture (principle #7 of The Perfect Virus), we might as well throw in the towel right now, because we're doomed to lose the inevitable Great Cyber War.

Too bad China DOES HAVE Oracle.

Thursday, March 3, 2011

Is the US ready for a Stuxnet response?

Great question in today's Computerworld headline: "If Stuxnet was act of cyberwar, is U.S. ready for a response?" And the article gives the right answer: No. Heck no! And how unprepared are we? In Networkworld, a sister publication, the headline reads, "Hackers needed to save the world—at least America." The comments to the article are more revealing than the story itself. Basically, one anonymous contributor pretty well builds the case that no really good hacker would EVER consider going to work for the U.S. government. Naturally, I put in my two cents, as the story absolutely builds a case for cyber privateers. My comment:

No gifted hacker will ever apply for the job.
Becoming a federal employee [or even a contractor, a comment I added later] is a nightmare to which no proficient hacker would allow himself to aspire. We really must monetize hacking talent in a way that encourages the best and brightest to legally loot bad guys' (and rogue government) bank accounts. And there really is both (a) a legal basis for congress issuing letters of marque and reprisal, and (b) a workable cyber privateer code of conduct that will protect the innocent.
No really good talent would put up with being a federal employee. Which, uh, explains a lot of our predicament today. Doesn't it?
In my opinion, Stuxnet really didn't START the cyber war. That happened during Operation Desert Storm (when little nasties planted in printer EPROMs took out the Iraqi air defense system). China (for one) got the message loud and clear. According to Richard Clarke in his book Cyber War, they saw how cyber dominance could make up for a lot of expensive military hardware they didn't have (and wouldn't have for a generation).

Do you have a "Plan B?" I do. But alas, I give the same answer I give security system telemarketers who ask what kind of a system I have: "Sorry, my dad told me never to play my cards face up." You can do a search (in the left-hand box) by typing in "PLAN B" (without quotes) to see several posts that may entertain you. If you don't have a Plan-B scenario, an off-the-cuff suggestion would be to block out your Saturday nights for knocking off liquor stores. But be sure to hit them early, because that may be a lot of other people's Plan B, too.

Wednesday, March 2, 2011

The ultimate cyber privateer smart phone, Part II

The Android is still my pick for the ultimate cyber privateer smart phone, warts and all. The Washington Post report today that Google has pulled some serious malware apps from their supposedly reputable Android Market indicates the power of Android for serious all-around work. You'll quite naturally want to be careful of the applications you grab for your Android. Actually, the discerning cyber privateer will want only one other application besides his cell phone-supplied apps. And I'm not inclined to tell you what that application is, although I expect to be reporting on it in future posts. But it's an application that no how, no way, will ever run on my iPhone. Other than that, the only applications that a serious cyber privateer would ever run on the Android are ones he develops and installs himself. After all, we're talking about the Android as the cyber equivalent of a WMD.

Tuesday, March 1, 2011

Infecting an alien architecture, Part V

In my February 2nd post, Infecting an alien architecture, Part IV, I continued my suggestion that Black Box Portability (principle #7 of The Perfect Virus) would become quite important to our cyber defenses as China developed home-grown architectures and operating systems. Today's Computerworld story on China's new Wophone initiative contains a rather telling paragraph (I have added the bold/italic/underline for emphasis):
China Unicom said its Wophone software is Linux-based and entirely developed by itself and partners, including some Chinese government offices, but does not rely on Android.
Linux-based means it's not a totally alien architecture. But the trend is consistent with my hypothesis that China is trying to wean itself from Western technology as rapidly as possible. For a lot of reasons, including economic and technology leadership. But there's another skunk on the table, too. We'd better pay attention.