To get notices of new blogs via email, click here:

Saturday, July 30, 2011

ZERO DAY exploit auction sites?

Facebook has joined Google to pay hackers a $500-and-up bounty for reporting bugs. Google says they've already paid out over $300,000 for bug reports. My question: "Why so little?" Shouldn't it be 10 times that amount?

If I were truly enterprising and far less ethical, I'd start an online auction site kind of like eBay but for Zero Day exploits. I would be the arbiter, get a 10% cut, and be the sole decision maker of whether or not the buyer's winning bid is transferred to the seller. As of the time of this writing, all the cool domains are available:

  • ZeroDayAuction.com
  • ZeroDayAuctions.com
  • 0DayAuction.com
  • ZeroDayExploits4Sale.com
  • ZeroDay4Sale.com
  • ZeroDaysRUs.com (you'd hear from the Toys 'R US attorneys, huh?)
You get the idea. Of course, I'm not going to reserve any of these URLs. But a good Zero Day exploit is worth a heck of a lot more than $500. I'll bet Microsoft and Adobe would pay at least $50,000 in an auction. Of course the reverse-engineering provisions in their licensing agreements might give them legal ground for a U.S. court injunction, but if the auction and payment were to take place outside the U.S.…

Friday, July 29, 2011

"The cloud will not burst!" claim Feds

Actually, what FEMA CIO Richard Spires said was, "I am a believer that we are going to, over the next few years, really solve a lot of the cybersecurity concerns that we have with cloud-based services." 


Way to take one for the team, guy. Actually, Mr. Spires is sucking up to FED CIO Vivik Kundra, who is madly dashing to "…make cloud adoption a priority for federal agencies." 


THE GOOD NEWS:  They may have a point. I'd much rather trust cloud capabilities offered by one of my Cyber Privateer Fantasy League team players Marc Benioff (Salesforce.com), than leave it up to our defense contractors to maintain even rudimentary network security (ManTech is the latest defense contractor to fall to Anonymous). Hopefully Marc's "death star" security will be better for DHS than leaving it up to a bunch of government employees to maintain even the remotest semblance of security best practices. 


THE BAD NEWS:  The feds will probably rely on their "beltway bandit" buddies (aka, existing defense contractors) to supply the specifications and "certify" cloud vendors. Gosh, now where could that go wrong? Ask Lockheed, who managed to lose the plans to our newest jet fighter. I covered this in my very second blog and have been harping on it ever since.

Thursday, July 28, 2011

Stuxnet payback will be a b*tch!

You know what they say: "Payback is a b*tch!" The Black Hat guys are demonstrating why you probably don't want to enable the remote activation capabilities of your swell new car ("Momma, why is the car doing this?"). The Iranians are probably in possession of enough Stuxnet technology to do a little payback. The Iranians are really looking for some payback. Finally, we're not ready for that Stuxnet response. We are sooooooooo not ready!

Wednesday, July 27, 2011

Significant criminal innovation: automation

Every once in a while, we need to consider cyber privateering with a greater sense of urgency, before the wheels come off the Internet completely. Consider the following "data exhaust" from recent news stories:

  1. A recent study of concludes that cyber attacks take place every two minutes. I can verify those numbers from my own "honey pot" Linux servers. The final paragraph of the article says it all: "The way hackers have leveraged automation is one of the most significant innovations in criminal history. You can't automate car theft, or purse stealing. But you can automate data theft. Automation will be the driver that makes cyber crime exceed physical crime in terms of financial impact."
  2. Our head cyber spook just threw in the towel. No reason given. No reason necessary, as we are truly losing this war.
  3. Hacker groups are taking on governments with more impunity. Latest casualty: Italy.
  4. The hackers themselves are basically anarchists who are as likely to turn on each other as on perceived external threats. To understand their mentality and devotion, you've got to go back to, well, me, in the 1960s.
  5. The SpyEye online looter of people's bank accounts is alive and getting smarter. So much for Microsoft's "best and brightest" having any lasting effect taking down this very sophisticated botnet.
To paraphrase Harold Hill in The Music Man, "We've got trouble, right here in cyber city…"

Tuesday, July 26, 2011

The Cyber Privateer Bonding Authority

Key to the viability of cyber privateering legalization and success is a viable bonding authority. Just as Revolutionary War privateers were licensed and bonded, there must be some effective method of liability control for modern-day cyber privateers. As implied by the Cyber Privateer Code, the "right of parley" along with a "100-to-1 restitution clause" should someone's assets be improperly impounded, there would necessarily need to be a bonding authority involved. The Cyber Bonding Authority would:

  1. Authorize confiscation activity by licensed cyber privateers; and
  2. Be responsible for paying the onerous fees that might arise from a botched job.
As Sony is experiencing in the reluctance of the Zurich American Insurance Company to indemnify and defend them against numerous putative class action lawsuits that arose from their well-publicized data breach, this is not a simple problem to solve. Not only must the government that issues Letters of Marque and Reprisal give the cyber privateering organization a get-out-of-jail-free card, but they'd also better cut off the trial lawyers at the knees with some pretty strict lawsuit guidelines. The good news is that long-overdue tort reform might be the byproduct of cyber privateer legalization. But this needs to be addressed up front.

There does seem to be a precedent to such tort limitations, as healthcare lobbies have made some minor inroads. Another solution might simply involve mandatory binding arbitration.

Comments?

Monday, July 25, 2011

Privacy in the age of BIG DATA ANALYTICS

For those of you who think privacy is either (a) a basic right, or (b) remotely achievable, I suggest you face up to the fact that pattern based analytics is a nasty reality. Pretty much everything you do in life can be inferred and even predicted based upon data, much of which is beyond your individual control. Given that I spent the better part of the last two days with an Israeli-born ├╝bergenius to whom I am under NDA, this is all I can say on the subject for now. Except that my continuing assertion that PrivacyRights.org is just plain barking mad. Selah.

Saturday, July 23, 2011

Jesuit/Rabbinical advice to Anonymous/LulzSec

I'm neither Catholic nor Jewish, but the most relevant advice I've ever received that might apply to the discussions taking place amongst the Anonymous/LulzSec crowd came from a Jesuit and a Jewish intellectual. I think it was back when Daniel Ellsberg leaked the Pentagon Papers, which proved the Johnson administration systematically lied to congress and to the American people. Given that my conversations took place over 40 years ago (gosh, about the same number of years Moses had to tromp around in the wilderness, waiting for a generation of idol worshipers to die), I'm probably taking significant liberties with what really occurred in my conversations. I am pretty sure the conversations took place, but you'll have to attribute the terseness and cogent logic more to the fact that I've internalized these ideas than to my perfect memory. I will therefore create a conversation between myself, a Rabbi and a Jesuit, that may or may not have taken place on a transcontinental airline flight between Boston and Seattle. I do remember sitting between these two gentleman.

Me:  "I think Daniel Ellsberg should be shot for treason."

Rabbi: "That's a very strong opinion. What part of his transgression would warrant death?"

Me:  "He leaked top-secret information in a time of war!"

Rabbi:  "And what were these secrets? Who was injured by their revelation?"

Me: "It doesn't matter, does it?"

The Jesuit jumped in: "Actually, it does matter. Who were we trying to keep these secrets from?"

Me:  "Our enemies, of course!"

Jesuit:  "Actually, our enemies knew these facts. Our military knew these facts."

Me:  "Huh? Then who were we trying to keep in the dark?"

The Rabbi and the Jesuit together: "The American people. Period."

Now let's jump to WikiLeaks, Anonymous/LulzSec hacking of NATO and various other email repositories (like H.B. Gary, etc.). What would my long-ago-internalized Jesuit and Rabbi say about these hacks? Full disclosure demands that I confess my own bias, first. I long ago made the decision that my personal moral compass demands obedience to the law. Hence my desire to legalize cyber privateering. That being said, my composite Jesuit/Rabbi would ask, "From whom are the secrets being kept?"

If the answer is, "From our enemies," then the recent Anonymous claim that they would be irresponsible if they leaked their full treasure trove of NATO documents is a good decision. Bravo, guys.

On the other side of the coin, if our enemies know the details, and if our only reason for keeping things secret is to avoid public knowledge of a situation—like the WikiLeaks disclosure of diplomatic cables proving that the Russians are selling shoulder-mounted ground-to-air missiles to third-world rebels—then to hell with that secret. Somehow, that leak should be retroactively protected by some kind of whistle-blower law (again, my bias toward the rule of law). This may indeed be your defense if you find yourself in the slammer.

[As a side note, I never miss the opportunity to "mix it up" with Jesuits on long airplane flights. Those self-proclaimed "God's own storm troopers" can take either side of an argument and do it justice. Ditto for Rabbis. Or the head of my Cyber Privateer Fantasy League team, Larry Ellison. In fact, Larry Ellison routinely picks religious fights with Rabbis and wins them. One of my Rabbi friends once walked out of such a confrontation with Ellison and said, "Damn, I know I was right. But Larry still won the argument!"]

So my idealistic young friends—who remind me of myself in 1965—I won't talk risk/reward equations. We've had that discussion. You know where I stand. You have my advice. I do however urge you to use my Jesuit/Rabbi filter as you decide which dirty laundry to publicize. If the secrets just keep inflammatory truth from the public, if they're just covering up venal corruption, then they don't pass the test of worthiness and shouldn't be kept secret. To be sure, we disagree on the whistle-blowing process. I dare not continue to beat that drum. But do consider my Jesuit/Rabbi filter. You don't want innocent blood on your hands.

Friday, July 22, 2011

U.K. Register goads Anonymous/LulzSec

The Anonymous/LulzSec Wild West Hacking Show is getting all the free publicity the media can dish out.

 First, Anonymous claims they hacked NATO email. Then they say they won't release most of it because it would be "irresponsible." Interesting, given their WikiLeaks hero's lack of similar compunctions. Whereupon the U.K. Resister reports that LulzSec says it will "partner" with media on release of Murdoch emails. But the "skunk on the table" is that The Register then goads Anonymous/LulzSec by mocking the low security classification of the supposedly leaked NATO documents, and says "…Anonymouse/LulzSec will have to do better than this."

The question: Is LulzSec the remora on the back of the U.K. Register's shark-like body, or is the Register acting as remora to suck headlines out of LulzSec? Either way, get your popcorn, BigGulp and Hot Tamales ready, because we're in for some non-stop entertainment.

And to think in 1965 I would have been quite content to desegregate a diner in Selma, Alabama. If I wouldn't have given two thoughts to the risk-reward outcome of getting beaten senseless by some redneck with an axe handle, then I predict this modern-day version of holding hands and singing protest songs will not see an end anytime soon. Their response to FBI arrests says it all:
"Dear FBI: You cannot arrest an idea."
Please sir, no butter on my popcorn, thankyouverymuch.

Elvis has left the building.

Thursday, July 21, 2011

Another alien architecture: MPT

I just heard from my ├╝bergenius friend Kevin Howard, the brains behind Massively Parallel Technology's "Blue Cheetah" computer architecture. Here's Kevin's note to me:
Lol...good to hear from you Rick...we are currently using our product...Blue Cheetah CUB...loading it with lots and lots of math, CFD codes, biotech codes, nano-tech codes etc. CUB uses our new automatic coding/automatic parallel processing techniques. Its job is to remove most of the complexity surrounding programming in general and parallel processing in particular. In addition to decreasing programming to 1-2 orders of magnitude decrease in time to market, we also greatly increase the quality of that software. Our automatic programming model has been shown to generate code that is less than 1% slower than hand tuned serial code. This is the holy grail. He who can program the fastest and the "bestest" is the one that always wins the real performance game. After all if it takes you 2 years to program and runs in 2 seconds...your first run still took 2 years and 2 seconds.
 A standard binomial tree gather with a single communication channels can merge the data from 8 servers in 4 merge steps. Our latest system can with a single communication channel merge 11,110 servers in 1.3 merge steps (those silly fractals)...this is using the same speed communication channels...so for searches etc there is nothing even close...when you combine this with our automatic programming, automatic code sharing, and automatic parallel programming techniques those pesky communist and socialist do not stand a chance.

You hear that, China. You don't stand a chance. And I like Kevin's statement that if you take 2 years to program and only 2 seconds for the run, your supercomputer still takes two years and two seconds to solve the problem. Kevin's "automatic-coding/automatic-parallel-processing techniques" really are "the holy grail" solution.

Unlike the malware-proof alien architecture on which I previously wrote, Kevin Howard's stuff is up and running, today. Ooh-rah!

Tuesday, July 19, 2011

A step toward licensed cyber privateers: avreward@microsoft.com

Yesterday's posting of Microsoft's $250K reward offer by their Digital Crimes Unit puts us just two steps away from some interesting times:

RUSTOCK REWARD 
July 18, 2011 
In order to determine the identities of the John Doe defendants principally responsible for the control of the Rustock bot-net, Microsoft Corporation is offering a $ 250,000.00 dollar reward (USD) for any new information that results in the identification, arrest and criminal conviction of whoever is responsible for the control of the Rustock bot-net. Anyone with such information should contact Microsoft Corporation by email to avreward@microsoft.com. Microsoft Corporation reserves the exclusive right to review and evaluate the legitimacy of all leads submitted, and further reserves the right to provide such leads to United States law enforcement. 
This modern equivalent to a WANTED: DEAD OR ALIVE poster needs just two more underpinnings to be totally effective:

  1. The public articulation by POTUS (President Of The United States) of our doctrine of hot pursuit similar to The Monroe Doctrine and which I have lovingly dubbed The Morgan Doctrine; and
  2. The establishment of congressional Letters of Marque and Reprisal in order to license and bond legal cyber privateers (I call this the Get Out Of Jail Free card).
How will this eventually play out? I predict that if the BICH (that's Botherd In CHief) happens to be a Russian, then the culprit won't see any jail time. Nevertheless, a conviction will still net the informant $250K. And the BICH will become a valued member of the Russian cyber war national team. Just like young Darth Vader. In fact, wouldn't it be ironic if Russia's Yevgeny Anikin just happened to be the culprit?

Monday, July 18, 2011

More from the JCS on cyber offense

Adding to my Saturday report on JCS vice chairman General Cartwright, he appears to understand the problem. He just doesn't appear to be getting his brain around a workable solution. Aviation Week ends their article with the following three paragraphs:

“Every time somebody spends a couple hundred dollars to build a virus, we’ve got to spend millions. So we’re on the wrong side of that. We’ve got to change that around,” he said.

He said part of the answer was in building up the military’s offensive response capabilities.
“How do you build something that convinces a hacker that doing this is going to be costing them and if he’s going to do it, he better be willing to pay the price and the price is going to escalate, rather than his price stays the same and ours escalates,” Cartwright said.
One parting thought, General. If you want to change the risk/reward equation and make probing governments (as you say) "…pay the price…," invoke The Cyber Privateer Doctrine and create a couple of instant hacker billionaires. 

Saturday, July 16, 2011

Even the JCS thinks DoD's cyber plan is stupid

The U.S. DoD cyber security game plan is still dedicated to playing defense and only defense, as outlined in yesterday's asinine quote of the day by Deputy Secretary of Defense William Lynn:
"Our strategy's overriding emphasis is on denying the benefit of an attack. Rather than rely on the threat of retaliation alone to deter attacks in cyberspace, we aim to change our adversaries' incentives in a more fundamental way. If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place," Lynn said. 
To be fair, you can read the entire Department of Defense Strategy for Operating in Cyberspace by clicking on that link.  One quote on page six of the report (the report has only 13 pages, but that includes a swell cover and a couple of blank pages inside, obviously added to give this lightweight tome some badly needed gravitas) says it all. But to be unambiguous, I'll write what they said and then edit it the way it should have been written:

“Defending against these threats to our security, prosperity, and personal privacy requires networks that are secure, trustworthy, and resilient.”
My rewrite would read as follows:
“Defending against all threats to our cyber security requires a deterrent strategy that promises assured and disproportionate cyber retaliation.” 
As I said on May 14th, game theory demands more than just playing defense.

Evidently General James E. Cartwright, vice chairman of the Joint Chiefs of Staff, agrees. As reported in Thursday's New York Times:
“If it’s O.K. to attack me, and I’m not going to do anything other than improve my defenses every time you attack me, it’s very difficult to come up with a deterrent strategy,” General Cartwright told reporters on Thursday.
I'll bet General Cartwright turned the air blue with invective when he read the deputy defense secretary's comment about "denying the benefit of an attack." Gosh I'd love to have been a fly on the wall.

Friday, July 15, 2011

PrivacyRights.org & cyber privateers on same team?

A statement yesterday about the realities of privacy deserves some logical parsing:

"…We believe that people have a right to know what information is being collected about them and control over how that information is being shared," said Amber Yoo, director of communications at Privacy Rights Clearinghouse.
Does your religious system allow for the possibility of some kind of Judgement Day? A day where all men's evil acts will be shown on some kind of cosmic big screen for all to see? Forget for a moment the practicalities, like how long such a show might take. Perhaps in the next life our comprehension will be so supercharged that we will be able to simultaneously (ie; multi-thread) billions of such…revealing…exhibits of humankind's depravity.

Well, guess what? Judgement Day is here. Not only do social sites like FaceBook and LinkedIn pretty well bare voluntary admissions, and not only is self-destructive behavior likely to put your Weiner in a sling, but pattern-based analytics can pretty well pound those last nails in humanity's privacy coffin.

A new morality might be in order. I call it The Grandma Rule. Simply put, you shouldn't do anything in your public or private life that you wouldn't do with your grandmother's knowledge. Naturally, she wouldn't be standing right there on your honeymoon night, but she'd certainly have been to the wedding and have a pretty good idea you might be starting a family one of these nights really really soon.

Similarly, pattern-based analytics wouldn't necessarily have a video camera in your bedroom (unless you were recording the activity over a "hacked" Internet device), but most of those clinical details would be "grokkable" to a mathematician with sufficiently advanced analytic tools and access to a sufficiently large pile of Big Data.

This new reality is so axiomatic that it should make legalization of cyber privateering one of the main goals of PrivacyRights.org. Again, from "data exhaust" available to me, I predict a public demonstration of this reality will soon make headlines. After which it might be a lot easier to get the U.S. Congress to seriously consider legalizing (ie; monetizing) cyber privateering. Again, violations of privacy could fall under the domain of you-invade-my-privacy-then-I'll-loot-you-in-a-profoundly-disproportionate-response economics dictated by my Cyber Privateering Code of conduct.

This proposal might well have the same general effect on privacyrights.org as would a full moon on a werewolf. Then again, privacy makes for some, uh,  strange bedfellows.

Thursday, July 14, 2011

"Data exhaust" indicates the Internet is doomed

The term "data exhaust" refers to an ability to predict future events (or even the current status quo) from existing but unrelated data (MIT/Stanford held one "data exhaust" event in January of 2010). Three headlines combine with the entirety of my other postings to give such a "data exhaust" foundation for prediction. First, U.S. Missile Defense CIO talks about why he is "sold on the cloud." The second talks about a general race to "the cloud" by the rest of the U.S. government. Then the third Computerworld headline this week caught my eye:

IT, security can't keep up as consumer device use grows
Remember the history of spreadsheets? Well, you old IT dudes will. The young breed represented by Anonymous and LulzSec will have to do some Googling to verify it. Remember how VisiCalc and Lotus 1-2-3 found their way into corporate America and world IT structures? People bought their own computers, their own spreadsheet software, and brought them to work. Whereupon the IT departments reluctantly had to support them.

Now look at today's proliferation of smart phones and tablet computers. Ain't no way IT or even draconian institutional policies can keep them out of our infrastructure institutions. Heck, the GSA and White House security couldn't even get President Obama to part with his BlackBerry. Mix this with "the cloud," which the head of my Cyber Privateer Fantasy League team (Larry Ellison) says is nothing but hype for online networks anyway, and you have a recipe for Armageddon.

In short, without a substantial change in our view toward cyber adventurers and rogue governments—and with the complete corruption of our regular IT supply chain (I reported on this as recently as two days ago)—it doesn't take a rocket scientist to predict we're in serious trouble. The "data exhaust" suggests imminent collapse. That's the bad news.

The good news? Analysis of random and unrelated streams of "data exhaust" will probably let some very smart mathematicians predict misbehavior well enough in advance to mitigate damages or even prevent major terrorist, cyber crime, and cyber war disruptions. Call this the equivalent of hedge fund "quant shops" as applied to national security.

But we could certainly use the legalization of cyber privateers to buy us some time. Remember, playing defense at the exclusion of instant and disproportionate offense is not a good game plan.

Wednesday, July 13, 2011

Infecting an alien architecture, Part VII

In my last article on infecting an alien architecture (May 13th), I relied again on my favorite science fiction authors for a road map. I spent yesterday at a remarkable tour de force of another non-fiction kind, where author Curtis Linton talked about infecting another kind of alien architecture: eliminating any learning achievement gaps caused by ethnic, cultural, economic or language barriers. What my friend Mr. Linton doesn't realize is that the same philosophical toolset required for achieving equity in education is identical for constructing a computer virus that meets the Black Box Portability standard I outlined in principle #7 in creating The Perfect Virus (click here for all 22 principles). The book is called Equity 101 and is published by Corwin Press.

I have two purposes for mentioning this book.
  1. For those of you who don't think educational equity is achievable in any school district in the country (or world), where equity is defined as eliminating achievement "gaps" of any kind, you're simply wrong. Don't worry, as this came as a giant surprise to me, too. I didn't realize I had so many ingrained social/racial/economic/cultural biases that were just downright wrong, either.
  2. For those of you interested in understanding Black Box Portability as it applies to cracking an alien computer architecture, IMHO the principles in this book can be extrapolated to that task. I'll say no more, because (once again) I'm not playing these cards face up.
Have a nice day. And congratulations to Curtis Linton, who has turned this right-wing reactionary into a bomb-throwing liberal when it comes to public education and the possibilities for doing it right.

Tuesday, July 12, 2011

One alien architecture, part II

I previously posted on a mathematician who proposed a fundamentally malware-proof computer architecture. Being an ad man, I'm intrigued with a thing called "the elevator pitch." How would you describe this architecture to a non-technical person going into a meeting and who was expected to get you funding for development? Here's the elevator pitch:
This "alien architecture" addresses the malware problem in a fundamental way—new pure mathematics ideas applied to a non-register machine.  From a pure math perspective, register machines and Turing machines are fundamentally insecure.
Selah, Mister Fiske.

Chinese malware into our electronics?

Must have been a slow news day, yesterday. In a regurgitation of old news, really old news actually, the Computerworld headline read:
We're doomed: Shocking "Chinese" malware claim by DHS bigwig
Click on the headline and read the story for yourself. I've written many times about supply chain security and the likelihood that foreign suppliers would engineer elaborate trap doors into network and computer gear delivered to us. After all, low bidder is low bidder. It's probably difficult for U.S. diplomats to muster up enough righteous indignation and complain to the usual suspects and keep a straight face, since FBI director Mueller has publicly asked U.S. tech companies to build the same kind of trap doors into the products we ship around the world.

I've given the Chinese advice. I've given the Russians advice. I've even given LulzSec advice. This whole project of mine is to suggest some alternative thinking to cyber misbehavior: licensed and bonded cyber privateers and hold them to my posted Cyber Privateering Code.

The misbehavior will stop. Everywhere. You can take that to the bank. The risk is minimal, since we appear to be in the midst of a cyber war already.

Monday, July 11, 2011

Zombie killer advice

Suresh Madhavan, a member of my Cyber Privateer Fantasy League team, just sent me some thoughts on the RIGHT way corporations should attack email and file security. If you click on the above link and then to his bio, you'll see he was a roommate of Stephen Hawking and is an off-the-charts genius. His company, PointCross, delivers…well…unbreakable security. Here are two cogent paragraphs that deserve some serious attention:
Most publicly traded companies and those dealing with sensitive technology and intellectual property will admit privately that they are not just being hacked by outside attacks but also from within. Some will report hundreds of attacks from on any given day - and not all are from malware, either. The IT approach of putting up more defensive barriers is also getting a lot of push back from the business users who want to increasingly access their content from remote mobile devices, including phones and tablets, using any network that is available. Ideas like separating data into separate infrastructure as commonly suggested is not going to work if we take a longer view of security, compliance, and convenience.

The proven principles and decades of experience with defense security classification of information should be applied for a sustainably secure information environment. To accomplish unbreakable security a very highly granular RBAC (Role Based Access Control)—well beyond what is available in typical enterprise applications and data bases and well beyond the guidelines of NIST—is required. ACLs (Access Control Lists) are a major weakness in security systems. Instead, classifying information based on business sensitivities and providing mapping to business and project roles is far more scalable and secure. Current implementations of RBAC just don't cut it. The separation of information must not rely on separate infrastructure - far from it, it must use a virtualized, abstracted data representation above and beyond what the traditional RDBMS databases can provide. Information—whether structure data or unstructured content—must be stored and transmitted with a self-declarative wrapper that carries encrypted information about the payload. Existing facilities for encryption, DRM, PKI are all well and good and they will continue to be exploited. But it is how information is classified—how it is stored, how it can be searched and the authorization rules mapping a user's right to view those results—require some extraordinary technology above and beyond the limited, slow, RDBMS world. It is very possible to control and manage a secure enterprise information network even when malware and malicious people lurk within the network. What it requires is a lot of common sense and less IT widgeting.
If you read between the lines, it just might dawn on you that Mr. Madhavan has cracked the Zombi killer code. Which I why he's on my Cyber Privateer Fantasy League team.

Saturday, July 9, 2011

North Korea has nothing to lose

I occasionally ask my readers if you have a "Plan B" in case the Internet goes down hard. Most journalists (just Google "cyberwar" for a sampling) seem to think nation states have too much to lose, economically. Not to mention that a counter attack would cripple their own infrastructure. This of course assumes that the initiator of the attack has something to lose. As night-time satellite pictures show, North Korea barely has electricity. Which means their Internet infrastructure isn't worth the price of a Hyundai from their southern neighbor. And unlike ICBMs or even the lowest-yield nuclear weapons, international cyberwar is a damn-low-cost-of-entry way to get some swell loot.

So, you got a Plan B? Because sooner or later  the NKs will graduate from DDoS attacks.

Friday, July 8, 2011

A summary of Larry Ellison quotes

Just so there can be no doubt why Larry Ellison leads my Cyber Privateer Fantasy League team, following are my previously reported quotes from him. You can click on the link to get them in context. I'll add to this list in subsequent posts:

  1. "He who controls the data rules the world."
  2. "If I want to hire someone for the Oracle kernel DBMS development group, I'll go to MIT and hire the guy who got a 5.0 GPA (4.0 was merely an "A" while the 5.0 got "As" in honors classes). If I want someone for the applications division, I'll hire a 5.0 (honors classes again) out of U.C. Davis. And if I want someone to run the mail room, I'll get a 5.0 out of Stanford [loud laugh]."
  3. "You know, if the U.S.S.R. had Oracle and some decent computing power, they'd never have lost the cold war. A small number of people could run a very large gulag."
  4. "If you had a modern jet fighter, it might take you the better part of a year to learn to fly it, but you could kill everyone in your neighborhood in one pass. On the other hand, you could learn to use a machine gun in a few minutes, but it would take you the better part of a week to eliminate all your neighbors. Also, you would undertake the slaughter at great personal risk to yourself (Can you spell SWAT?). It takes the resources of a government to produce jet fighters and weapons of mass destruction, and that’s why those things easily fall under the realm of disarmament and the United Nations. But anybody with a machine shop can build an assault rifle, and no serious United Nations effort can or will ever be mounted to include such weapons in under the disarmament umbrella. Cyber warfare can’t possibly fall under the realm of the United Nations and disarmament—nor should it be trusted to a government-only solution—because single individuals with nothing but laptops and Internet connections can (and will) create and launch weapons of mass-cyber destruction."
  5. "The only way the ORACLE RDBMS will ever be delivered to Russia is in the nuclear warhead of an ICBM."
  6. "I'll be damned if I'm going to get out-lied by a bunch of professors from Berkeley!"
Larry, master of the "calculated overstatement," is disciplined and single minded in the way he sets out to achieve his goals. Which is why I'd vote for him if he ran for President of the United States. We need a proven warrior in the cyber arena. Everything else comes in second. 

[As a personal note to Larry from me: I'd really like to head up the NSA if you do become president.]

Thursday, July 7, 2011

Who's really behind the attack? Part II

Attribution is a problem? I've posted on this before (click here for my June 7th post). One solution?

Imagine sucking in random data from disparate sources and, without applying any of your own domain expertise or understanding any data models, having a system present data relationships with cause/effect probabilities. One example would suffice.

You're a jihadist (that's my polite word for terrorist). You have been working in one of a dozen totally isolated cells to pull off a "big event." No cell phone or email communications. You're never alone, thus preventing any unauthorized contacts or dead drops. Your munitions supplier has been outfitting you in a triple-blind/three-way/trusted-cell network. The mission "Go" signal came from a watermarked image posted by a major U.S. news network. The time and date coordination came from another watermarked image posted by, of all sources, a White House news briefing (this because of the irony). Foolproof? Maybe. But not damn-fool proof. Because when each squad shows up to "pull the pin," they are met by (check all the apply) U.S. Navy SEALs/Interpol/Mossad/FBI agents who'd been in place for 24 hours. Did you have a rat? A snitch? Nope. The data killed you. The mathematics killed you. Next stop: a bullet to the head and realization that those 72 virgins might not be your species.

The same technology could be applied to the "attribution" dilemma. The reason Larry Ellison homed in on databases is his often-stated axiom that:
"He who controls the data rules the world." 
Larry's a prophet. And mathematics once again prevails.

For my own interests, I'll bet I can use a cloud data feed to not only predict future cyber attacks, but to backtrack those attacks to those who launched them. Does this technology exist?

Ask the Mossad.

Wednesday, July 6, 2011

LulzSec "School of Rock" Graduating Class

On June 24th I wrote how LulzSec takes me back to 1965. Alas, hacktivism is today's rock'n roll. Where else can energetic loners engage in righting the wrongs of the world than from their own homes?

  1. You don't like Arizona's immigration laws? Bring down their state systems.
  2. You don't like Florida's feeding the homeless policies? Bring down their state systems.
  3. Ditto for the CIA, the FBI, FOX News, etc.
There's even an online school for hacktivists, put on by the folks at Anonymous. And according to yesterday's Network World story, the first School of Rock hacktivism graduates will be coming online in the next 30 days. Of course, you don't have to subscribe to the Anonymous feeds for your hackucation. As I've said before, "Google makes us all geniuses." Just spend some time on the Web and articles from reputable publications will give you a great tutorial on LulzSec tools (like yesterday's Information Week story that deconstructs some of their hacktivism tools). Cybercrime (excuse me, hacktivism) is indeed a low-barrier-to-entry career

I've been cynical and downright derogatory in my assessment of current political processes. After watching an edited version of the movie 300 yesterday with a grandson (the second half of a double feature that began with Zombiland and a larger audience of grandchildren), I'm particularly negative on not only the I.Q. but of our politicians' actual motivations to make a difference. Because law enforcement is no match for a bunch of adolescents who want to be cultural heroes. Besides, our congress is more likely to opt for policies that garner them campaign contributions and less likely motivated to do the right thing, especially if "the right thing" irritates some large campaign contributors on the D.C. beltway.

In case you haven't yet harkened back to your own teenage years (as did I in my 1965 above-referenced advice to LulzSec), please ask yourself, "What would I have done as a teenager if The Man threatened me?" In my experience, those kinds of motivation translate into a double-dog dare. I'd have been proud to have the Secret Service announce they'll be investigating my Fox News hack

Hence this broken record echoing of mine since October  2010. Monetize enforcement with a well-articulated doctrine of instantaneous and overwhelming (ie, non-proportional) response to cyber incursions. Self preservation will prevail, even amongst teenage boys, who would no more invite the wrath of highly paid cyber "bad asses" than they would flip off a San Bernardino pack of Hells Angels from the rear window of their mother's minivan. There's "crazy" and then there's "just plain stupid."

Of course, the U.S. Congress knows all about "just plain stupid" don't they?

Selah.

Tuesday, July 5, 2011

Dear Scotland Yard, check out your EPROMs

A July 4th article in the U.K. Register reported that Scotland Yard still has no idea why their network "fell over." One paragraph triggered a high-probability hypothesis: EPROM tampering in their printer procurement supply chain.
The MPS had recently acquired a fleet of Canon printing devices and it was thought their addition to the existing infrastructure could be part of the problem, but this has now been discounted, said the spokesman.
If I remember cyber lore correctly, isn't it rumored we substantially brought down the Baghdad air defense system in the first Desert Storm operation with a computer virus slipped into some printer EPROMs? Interestingly, The Register discounted this story on March 10, 2003, but you can't prove a negative (which is why atheists are such an unhappy lot). IMHO, the Register story tracing the history of this "rumor" is highly suspect. Possibly misdirection even.

I've written at length (ie, my January 12, 2011 article on government-reported threats) on supply chain security. Heck, I've even insulted the Chinese (see February 11th of this year).

Which is why my sincere advice to Scotland Yard is, "Check out your printer EPROMs."

Monday, July 4, 2011

Happy 4th of July in Zombiland!

Happy Independence Day. My chief copy editor and I wish you the very best. Tonight I'm going to simultaneously light off several grand finale aerial fireworks displays. For the first time, they're actually legal in my state. To those of you for whom July 4th is just another day at the office (or a day of mourning for my UK readers), maybe we can declare independence from restrictive cybercrime laws and make July 4th synonymous with cyber privateering enlightenment. Come on, folks. Some legislative body somewhere in the world could at least pass a statement-of-direction resolution to consider licensing bonded cyber privateers! Australia maybe? There's still time today.

Remember zombi killer rule #1: CARDIO (see all my zombi killer rules in my December 8th article).  I had an early morning bike ride on my Litespeed VORTEX over two mountains with a few buddies, and then came home and put my editor in the basket of my Ellsworth TRUTH mountain bike and rode in a neighborhood parade. This afternoon, I'm going to watch a language-edited version of Zombiland with a few kids, their spouses, and some grandkids. Really, this is a classic! Highly recommended for zombi killers everywhere. 

Saturday, July 2, 2011

Advice to LulzSec

Okay kids, listen up. Apparently the FBI is about to pounce on a few of you, and your alternatives are (a) to cooperate and become an FBI snitch/hacker, or (b) do a G. Gordon Liddy. Given your age, you probably don't know who G. Gordon Liddy is. Google him.

The net-net: G. Gordon Liddy refused to rat out his Watergate co-conspirators and took his full sentence. He subsequently secured himself several key roles in the Miami Vice television series, wrote a bestseller novel and has spent years as a radio talk-show host. That's "door B" for you. Door A, becoming an FBI snitch/hacker may give you some short-term benefits, but I challenge you to come up with any historical heroes from the world of cowards.

My advice is to take your medicine like a man and turn a tremendous current liability into an asset of equal magnitude. I have a friend who achieved the singular distinction of making the cover of Time Magazine for two consecutive weeks. Dick Morris made the Time cover on September 2, 1996 as man responsible for Bill Clinton's success. Exactly one week later, on September 9th, Dick had to resign in disgrace after letting a prostitute listen to his private conversations with President Clinton from a hotel room's extension phone.
After I lost my 1988 race for the U.S. Congress (yup, before you were born, ya little scamps), I went to work for Data General (see my monograph on the Great Tom West) doing advertising and public relations. Data General president Ed deCastro also assigned me to spend $248K getting tax limitation passed in Massachusetts (he also told me that if it didn't get passed, that I would be fired from Data General). Working with the Massachusetts Hi Tech Council, we hired Dick Morris to help us with the campaign. Dick and I became friends. In fact, he introduced me to the late great Tony Schwartz, and together they taught me guerrilla warfare. But I'll always remember one of Dick Morris's diatribes. Morris ran half a dozen House and Senate campaigns, and waxed poetic.

He said, "I always tell my candidates that if they ever get caught with their zippers open, they should NOT try to lie their way out of it. They should immediately fess up and face the music, because Americans love to forgive reformed sinners." Dick took his own advice. He weathered the storm and is now a popular television commentator and best selling author.

So listen up, LulzHopper. You're about to be arrested. Your "mum" is going to freak out and sell everything she has to get you a legal defense. The FBI/Interpol/ScotlandYard et al are going to play good-cop/bad-cop and make you that deal you can't refuse. Use the examples of G. Gordon Liddy and Dick Morris. Refuse that stinking deal! Take your lumps and come out the other side stronger than ever.

The alternative is to become a snitch, a coward who embarked on high-risk behavior but who couldn't take the consequences. I grew up in Wyoming, working summers on a cattle ranch. My advice to you: "Cowboy up!" Don't try to lie your way out of it and become another Weiner, a laughing stock with his disgraced genitalia forever on public display. Don't make your "mum" lose her house or her life savings (mothers are genetically disposed to do that for their kids; they can't help themselves and will give up everything).

When you come out the other side, you'll have the street cred to get anything you want out of life. You'll be famous, and have a public platform to bring about the kind of change you thought you could achieve by sneaking around the Internet. Then you can use the law that you have heretofore disregarded with youthful impunity. Heck, you might even decide to get behind legalizing cyber privateering. And in the process, you'll earn that most valuable commodity: a get-out-of-jail-free card. Oh yeah! Also, you'll get rich. Legally.

Friday, July 1, 2011

Zombiland for real

Five million Windows PCs in a botnet described as "indestructible" means we all need to sit through the movie Zombiland and consider real Plan-B scenarios. Our "best and brightest" can't agree on a foolproof mechanism for killing the zombie that's eaten your computer's brain. Microsoft's final advice after some prodding by one reporter:
"Microsoft recommends that customers whose systems are infected with Trojan:Win32/Popureb.E, contact Microsoft PCSafety, who can help them identify and remove malware from their systems," said Jerry Bryant, general manager of with Microsoft's Trustworthy Computing group, in an e-mailed statement.
Let's see if I get this right? Lightning-fast zombies are attacking your neighborhood ("Sorry to interrupt your 'manwich,'" said Woody Harrelson as he whacks a zombie with his car door) and the best advice law enforcement (ie, Microsoft) can give you is to "Call 911!" Right. Five million phone calls to Microsoft. A minimum of five million.

Then, without stretching the metaphor too much, Symantec says, "Let the zombie eat your brain, and then download our free (wink-wink, as long as you own our anti-virus tools) eaten-brain-repair kit—presumably downloading it into the same brain that's been eaten by a zombie—and we'll fix you up just fine." Okay, the exact wording in the article is:

Symantec offers a tool to help users do that.
Named "Norton Bootable Discovery Tool," the free download creates a boot disc for starting up the PC without accessing the hard drive -- and thus without loading the infected MBR. Once the Windows machine boots using the recovery disc, the tool downloads new malware signatures -- the digital "fingerprints" antivirus software uses to detect threats -- sniffs out signs of infection and if necessary, cleans the MBR.
Meanwhile, more U.S. Senators have joined auditions for a movie sequel to Jackass. Vermont Senator Patrick Leahy has been joined by Senator Charles Schumer and Ben Carin in the competition to be named dumbest man in the U.S. Senate:
One piece of legislation being introduced, The Data Security and Breach Notification Act of 2011 by Sen. Patrick Leahy (D-Vt.) and co-sponsored by Sen. Charles Schumer (D-N.Y.) and Ben Cardin (D-Md.) would mandate organizations that possess personal information to put in place "reasonable" security procedures to keep that data secure.
So your options in today's Zombiland-for-real (did you get out the popcorn yet?) are:

  1. Dial 911;
  2. Pay for a brain transplant after the zombie has made a midnight snack of your brain; or
  3. Don't worry, we've declared it illegal for banks to get taken over by zombies ya-da-ya-da-ya-da, so please send your campaign contributions to the wonderful folks who are keeping the world safe from zombies.
  4. Find your local fifteen-year-old/agoraphobic/OCD/savant/ex-LulzSec hacker (fifteeen years old in case he gets caught, so he can be tried as a juvenile), and give him a few unmarked/untraceable/no-fingerprints-on-them $100 bills to go zombie hunting (Harrelson wielding a machete: "I think we'll take a little off the top.").
Yeah, none of the above options make any sense whatsoever. What we really need is a Plan B. Do you have a Plan B? Several thousand of you know that I do. Sure, I'll package it sometime this summer as fictional entertainment. Stay tuned.