Given that we're in a "state of play" here (I don't even pretend to know all the ramifications of my cyber privateer doctrine, which is why I'm kind of thinking out loud on a day-to-day basis in this blog), why not have a Fantasy Cyber Privateer League, much like those fantasy sports leagues? What kind of personality and experience level would lend itself to leading a concerted cyber privateering effort? What kind of person would I trust to wipe cyber criminals off the planet? To hit rogue governments so hard their ancestors would bleed? Beat 'em like a gong? My first pick is Oracle founder and CEO Larry Ellison. I met with Larry at least once a week for over six years, during which he constantly amazed me with his unique world view. We'd recite movie dialogue to each other, again in a state of play, and somehow ads got produced. Ellison is, in my opinion, the prototypical cyber privateer.
I once asked him if maybe we ought to run our ads through legal for an opinion. He snorted, "Nothing doing. I've got a litigation department; let 'em litigate!" We never did "run an ad through legal." We simply set out to attack the competition. Never getting personal, we always used technological intimidation. We were never sued by the object of our attacks. Larry set out to destroy Ask Computing, Ashton-Tate, Cullinet, Ingres and Informix. They no longer exist as independent entities. When his proteges successfully created their own large and successful companies (Siebel and PeopleSoft), Larry took them over. And Oracle is currently and quite publicly bitch-slapping SAP and HP. Needless to say, when Larry goes after you, you've got a fight on your hands.
Larry is the real-life version of Iron Man Tony Stark. Ellison won the great database wars. This year, he won the America's Cup yacht race. I predict it's only a matter of time before he owns an NBA basketball team and leads them to the championship. And one of the greatest moments in any U.S. confirmation hearing would be watching Larry do a Tony Stark in the Senate: "Ladies and gentlemen, I have successfully privatized international cyber security!" Whereupon he will raise his hands in victory and waltz out of the hearing room.
Mike Wilson once wrote a book called The Difference Between God and Larry Ellison (in which I was quite favorably treated). The answer to the question posed in that title was, "God Doesn't Think He's Larry Ellison." Maybe a new book should be called The Difference Between Larry Ellison and Tony Stark. And the answer will be, "No difference at all."
So I hereby name Larry Ellison the leader of my Fantasy Cyber Privateer League. Come on, Larry. You've saved the world once already (only Larry will know what I'm talking about here; I've told him that if I ever get the chance to introduce him to a large audience, I'd share that story). So how about saving the world once again? You can pull off the job long before we get around to re-engineering the Internet to eliminate the bad guys. And I'd love to say, "Aye aye, Captain Ellison."
Selah.
Saturday, October 30, 2010
Friday, October 29, 2010
"This site protected by cyber privateers"
Computerworld, 28 October 2010 - Adobe today confirmed that hackers are exploiting a critical unpatched bug in Flash Player, and promised to patch the vulnerability in two weeks.
Yesterday's Computerworld story brought my fantasy cyber privateer team to mind. The question for today: Would cyber criminals be much less inclined to exploit published vulnerabilities if they knew some highly motivated cyber privateers were ready to pounce on them? What if that little old lady from Pasadena—with her banking passwords in her computer's address book and who logged into an infected site—turned out to be the Destroying Angel group? Maybe the privateers would leave a calling card after draining the bank account of a much larger parent criminal organization:
Dear Bad Guys:
Mabel Johnson's bank account was
Admittedly, Destroying Angel is my own alter ego creation, named after a novel I wrote back in 2000. I envisioned a computer genius named Black Madonna who spoke only in palindromes and created a self-aware cyber entity named Black Dragon. Hence comes the name under which I post on this blog: Destroying Angel. I even had bicycle racing jerseys printed up with my Destroying Angel logo on the back. And of course I own the domain: www.DestroyingAngel.com. Maybe someday it'll be worth something.
Now consider the plight of Adobe. They have a known Flash Player flaw. It's going to take them two weeks to plug it. What a nightmare for corporate management, not to mention the millions of Web sites that rely on Flash. What if those sites had a similar logo to the one above discreetly located on their landing pages? What if Adobe products themselves also had such a warning label? It doesn't stretch the imagination to project a follow-up news story in which a large amount of money was confiscated from the bank accounts of a dozen Chinese college student/hackers before they could empty their accounts. Would this be valuable, today, for Adobe?
Back to the first-mover advantage of a country that legalizes and welcomes cyber privateers. Not only would the cyber privateers pump a fortune into their economy, but every major software provider or Internet superpower in the world might establish a de facto home office in that first-mover country. Along with a first-mover financial institution who wanted to write "bonding insurance policies" for recognized cyber privateer organizations.
You get the picture. The first country that moves on this wins big. I kind of hope it will be the United States. But crackie! Australia makes sense, too. Any other countries come to mind?
Thursday, October 28, 2010
Meet Captain Black, my 2nd "ultimate cyber privateer"
In my October 23rd post on The Ultimate Cyber Privateer, I introduced Mrs. Black. She was my 3rd creation for BigFix. My 2nd creation (her husband in my fantasy league of super cyber privateers) attacked everyone in sight: Microsoft, IBM, Symantec, Altiris, and McAfee. One of the reasons competitors acquire my clients is to shut me up (well, and to plug gaping holes—bullet holes in this case—in their products). IBM bought BigFix this year.
Let me know if you want a hi-res PDF file of this ad, suitable for framing. The illustration is by my old friend Daryl Mandryk.
Wednesday, October 27, 2010
First-mover advantage in cyber privateering: Australia?
The first country to issue Letters of Marque and Reprisal to cyber privateers tasked with "looting the looters" could become the most dynamic computing power on the planet. At the onset of this blog, I just assumed it would have to be the United States. But maybe some "lateral thinking" is in order. Better late than never you say? Okay, my personal experience gives me a metaphor from which to draw a conclusion.
I once sat on the board of directors of a public company that really had a new paradigm for applications development. Not only could they cut development time by 90%, but the applications were absolutely bug free (just like a spreadsheet is bug free, in that it does what you tell it to do perfectly, every time, without crashing the system or giving you the infamous "blue screen of death"; no assembly language or C coding; anybody can immediately see if their application works, just like they do with an Excel spreadsheet). The company figured body shops like Andersen Consulting or the Oracle Applications Division would jump on the productivity edge. But we miscalculated. Software consulting companies want billable hours, period. Give them a way to cut billable hours by 90%, they'll ask why and then throw you out. All we needed was a first mover to start the dominos, and we never got that first mover.
In the U.S., I suspect special interest groups have set up a system with too much inertia to overcome. Banking institutions had enough muscle to get significant bail-out money, and they're the same institutions that will convince the Treasury Department that we do not want cyber privateers looting the accounts of either criminals or rogue governments (see my Monday posting). The energy lobby doesn't want to risk someone setting off data bombs throughout the power grid in retaliation for some real or imagined cyber slight, and they'll make a pretty valid point with the State Department. Right now, according to Richard Clarke, whom I quoted in my last two blogs, both Treasury and State must explicitly approve going after the bad guys' bank accounts.
So what's the answer? Australia! Historically and geographically, they may be the only country on the planet with the ideal personality and infrastructure to host (and profit from) authorized cyber privateering. So how about it Ms Prime Minister Gillard? How'd you like to save a world on the brink of cyber war? How'd you like to toss a bunch of Chinese "citizen hackers" on the barbie? Or empty the bank accounts of the so-called Russian mafia? Or put a stop payment on jihadist paychecks? Crackie!
If you are the first government to make this first move—and gain what I call the 'first-mover advantage'—the rest of the world will circle the wagons and publicly condemn you (while privately rooting for your success). Sure, you may want to keep a close eye on any boats coming your way from that intellectual dwarf in North Korea, but the chances that one of his nuclear missiles could actually hit a meaningful target in your vast country are about the same as those of Paris Hilton joining a convent and spending the rest of her celibate life helping Bulgarian orphans.
I'm thinking out loud here, so help me with the stumbling blocks. Since you're a Constitutional Monarchy with Queen Elizabeth II as your head of State, is Australia bound by the Paris Declaration of 1856? Are you prepared to waive extradition of bonded, authorized cyber privateers to countries out for their heads? And how badly do you want credit as the country that saved the world from being hacked back into the stone ages? Not to mention, Ms Prime Minister, how'd you like to split about $200 billion or so 50/50 in the first year with some very smart people? Set up the right infrastructure of privacy and protection, and your employees could work from their Silicon Valley basements.
If not Australia, then who? If not now, then when?
Tuesday, October 26, 2010
More from Richard Clarke on Cyber War and China
Yes, I'm smarting after looking today at my Linux server's error logs and the attacks from IP addresses in China. I only use the server in my "state of play" and, honest to gosh, there's nothing on it I wouldn't give to anyone who asked for it. Just a couple of experimental marketing technologies and some Web landing pages that allow me to experiment with Flash and HTML 5, etc. But if China has the infrastructure to pay such close attention to me and my $450 eMachines dinosaur, then "Katie bar the door, because something wicked this way comes." In his Cyber War book quoted in yesterday's post, Mr. Clarke states:
Since the late 1990s, China has systematically done all the things a nation would do if it contemplated having an offensive cyber war capability and also thought that it might itself be targeted by cyber war; it has
created citizen hacker groups
engaged in extensive cyber espionage, including of U.S. computer software and hardware
taken several steps to defend its own cyberspace,
established cyber war military units, and
laced U.S. infrastructure with logic bombs.
So the question I ask is, "Why the heck can't we defend ourselves?"
Monday, October 25, 2010
Cyber privateers must be allowed to hit bad guys' bank accounts
The possible deal killer for legalizing cyber privateering is best articulated by Richard A. Clarke and Robert Knake in their book CYBER WAR: The Next Threat to National Security and What to Do About It. Clarke writes:
"…In the real world, my own attempts to have NSA hack into banks to find and steal al Qaeda's funds were repeatedly blocked by the leadership of the U.S. Treasury Department in the Clinton Administration. Even in the Bush Administration, Treasury was able to block a proposed hacking attack on Saddam Hussein's banks at the very time that the administration was preparing an invasion and occupation in which over 100,000 Iraqis were killed. Bankers have successfully argued that their international finance and trading system depends upon a certain level of trust.
"The U.S. decision to withhold attacks narrowly targeted on the financial sector also reflects an understanding that the United States might be the biggest loser in a cyber war aimed at banks. Even though the financial services sector is probably the most secure of all the major industry verticals in the U.S., it is still vulnerable. 'We've tested the security at more than a dozen top U.S. financial institutions, as hired consultants, and we've been able to hack in every time,' one private-sector security consultant told me. 'And every time, we could have changed numbers around and moved money, but we didn't.'"
Net-net, the politicians have put banking off limits because, well, that is our greatest vulnerability. Kind of the equivalent of the nuclear M.A.D. (Mutually Assured Destruction) philosophy. Two serious arguments against this philosophy as far as privateers are concerned:
- International criminal organizations and rogue governments use the banking system extensively; and
- As Willie Sutton pointed out, "That's where the money is." The only way for a cyber privateer to "monetize" the assets of target organizations is to go after their liquid assets.
One of the questions I often ask in creating guerrilla warfare marketing programs for clients is, "What is the worst thing a competitor could do to you?" The first response is generally bravado and claims that they fear nothing a competitor could do. Of course, I always have a follow-up question: "Oh, then it wouldn't worry you if they did this…" Whereupon I suggest what I'd do to them if I were a named competitor. I'm instantly greeted with silence, and a lot of very bright people suddenly find something quite interesting about their own shoes. One prominent international icon forcefully told me to keep the idea to myself forever and never ever let it fall into the hands of a competitor. In another case, years after the fact, I shared my idea with someone I'd recommended targeting. That individual actually changed his name so no one else could ever use the play on words I'd suggested. Maybe I'll share that story in this blog someday.
Which brings me to rules of privateering engagement as they relate to international banking. Banking is our biggest vulnerability. It's certainly not North Korea's, nor is it particularly important to the jihadists sitting in caves with laptops powered by portable generators and linked to the Internet via satellite phones. They're going to go after our banking assets as soon as they can figure out how. But international cyber criminals are using banks to launder their money. Rogue governments are stashing kickbacks and paying their minions using the banking system. In fact, by declaring international banking inviolate, we're just handicapping ourselves. You know the bad guys don't have any problem looting bank accounts where appropriate. Further, it could be argued that international banking is complicit in criminal activity.
Thus, our hands-off attitude toward international banking could be the single biggest obstacle to fighting the cyber war and to legitimizing cyber privateering.
Saturday, October 23, 2010
The ultimate cyber privateer
I've been attacking McAfee's, Symantec's, Altiris's, LANDesk's and Microsoft's vision of cyber security since 2007, when I finally found a client (BigFix CEO Dave Robbins and his totally crazy SVP David Appelbaum) who had a sufficient taste for blood to go for a public execution. I then found Daryl Mandryk, a Canadian science fiction illustrator whose work truly resonates with me. We did a series of ads about cyber privateers. The first two were men, but after polling the female BigFix employees to make sure they wouldn't be offended, I created "Mrs. Black" and turned her loose. I've signed all my ads since the beginning, including everything I ever did for Oracle during their first $15 million to $1 billion annual revenue ramp up (notice the TRBA in the bottom right hand corner). Too bad BigFix got purchased by IBM. I had some great attack ads planned targeting China! Alas, there's not a company on the planet that has guts enough to do what truly needs to be done there. Which brings me to my motto: "God hates cowards."
Let me know if you want a high-resolution PDF of Mrs. Black suitable for framing, and I'll email it to you. Mrs. Black rocks.
Friday, October 22, 2010
Sequel to Eastwood's Hereafter: email from beyond?
Since Clint Eastwood's new movie Hereafter opens today, I couldn't resist the metaphor.
Imagine my surprise at getting email from my dead friend Jeff Menz. Did God finally allow an ISP to hook up in the great beyond? Alas, my departed pal simply wanted to recommend pills. And double drat, while the email came from my friend's Yahoo email account (great security guys; no wonder you're getting your butt handed to you by Google), the ISP was registered in China. Okay, somebody was hacking my friend's account for profit, a pretty dumb exploit by a petty criminal. So over the last week, I've had a very enlightening adventure.
I got Jeff's email on October 13th. Since there were other of his friends on the CC list, I replied to ALL with "Since Jeff Menz is dead, who the hell is using his Web site and username?" On October 19th, I clicked on the email link, only to find it was now dead. So I did a WHOIS on the domain and saw that ownership had been changed the day after the email exploit. I sent the new owner an email with the subject line, "Your domain has been involved in criminal activity". Imagine my surprise upon checking the WHOIS data again yesterday, where the domain had been updated to be private and without an owner contact email.
Conclusions:
- My dead friend isn't connected from beyond (what a disappointment).
- The offending Chinese ISP is close enough to a major university that it's highly probable the culprits were taking a Hacking 101 course (for which they should get a failing grade, since they couldn't possibly erase the money trail and were too stupid to register their domain with privacy settings).
- The China-based Internet registrar lets them be a bit too nimble for an arm's-length relationship; I can only conclude that this is part of a larger criminal effort, which brings into play possible RICO implications if the U.S. Congress ever issues Letters of Marque and Reprisal to cyber privateers. The bank accounts of the registrar might be fair game for looting.
- It's more difficult for me to give China the benefit of any doubt about being the source of the criminal activity, like maybe criminals from some other country were using the Chinese ISP to host their email-hijacking SPAM exploits. Still not an impossibility, but in my mind not the most likely scenario.
This morning I got another note from Jeff, again suggesting a source for my pharmacy needs. The link is live (at this moment) and redirects me to a pharmacy site supposedly in Canada. However, the domain is registered in Moscow. Given the pings this blog has been getting from the Chinese ISP address, I would conclude that the student who failed his last class is trying to redirect my attentions to Mother Russia. Maybe for extra credit? Maybe to salvage a miserable grade?
No, I haven't sent any more emails to the "Contact Us" link on the "Canadian Neighbor Pharmacy" site registered to a Moscow ISP, to the FBI, or even to Yahoo who should cancel Jeff's email address (cambriasail@yahoo.com) and let the poor guy rest in peace. But if going after petty cyber thieves ever becomes legal, I'd like to request that whoever stings these guys let me in on the details.
Thursday, October 21, 2010
No word from the Chinese ISP or the FBI (see my posting of Oct 16)
Surprise surprise. The domain contact for the Chinese ISP that has been hitting my Linux server has not answered my query. Nor has the FBI, who I cc'd on the query and to whom I sent a separate note. Not that I expected either party to get back to me.
As far as the FBI is concerned, multiply my complaint by millions and you can understand how woefully under gunned the authorities are in this brave new world of cyber crime and (dare I say it again) cyber war. We simply need a new model. Not bigger federal budgets. Not bigger contracts to the "beltway bandits" who have profited so handsomely from business as usual. At least cyber privateers would be self-funding and self-liquidating. Which as I think about it may be why the idea will never fly. Decentralization. Big money going to those who bring in…big money, and not to those who have D.C.-based sales organizations wining and dining their long-time buddies.
Stay tuned.
Wednesday, October 20, 2010
Privateer analytics: high-reward/high-risk numbers
Following is a Letter of Marque signed by soon-to-be-president James Monroe in 1812. Yes, the Revolutionary War was in 1776, but the evolution of the Monroe Doctrine makes this particular document an interesting part of history.
Not a lot of legal jargon in this document. A more readable copy of this letter can be found at http://library.mysticseaport.org/initiative/PageImage.cfm?PageNum=3&BibID=29754.
How did privateers contribute to the Revolutionary War? An excellent summary can be found at http://www.usmm.org/revolution.html and shows that the Continental Navy had a mere 64 ships, compared to 1,697 privateer ships. The navy had 1,242 guns while the privateers had 14,872 guns. The Continental Navy captured only 196 ships while the privateers captured 2,283 ships. The risk, however, cannot go unreported. While it's unclear how many navy ships were captured by the enemy, 1,323 privateer ships (that's 78%) were captured by the enemy.
Which brings us to the question of risk to modern-day Cyber Privateers. What happens when a licensed privateer with a valid Letter of Marque and Reprisal absconds with several million dollars from a criminal organization, like maybe the so-called Russian mafia? Will we find body parts from that privateer, along with those from friends and family, strewn in various public places?
I reach one conclusion from this possibility. Access to the details of any privateering exploit must be protected. Is that possible in today's Freedom-of-Information-Act world?
Tuesday, October 19, 2010
Call to define rules of cyber war
The BBC reported on October 14th that former DHS head Michael Chertoff called for definition of the rules of cyber war. Combine this with the 2009
C-SPAN video on privatization of U.S. intelligence, and I get the distinct impression that the concept of modern-day privateers may be an idea whose time has come. The key Chertoff statement that resonates with me is that it must be "…very clear to an adversary the consequences of [a cyber attack]." My current opinion is that if the U.S. Congress issues a single Letter of Marque and Reprisal, the mere existence of that authorization may significantly reduce international cyber criminal activity. Yes, online theft by international criminals is a far cry from state-sponsored cyber war, and privateers' looting of a drug lord's bank accounts significantly differs from dipping into the treasury of a rogue government, but both scenarios require the same cyber toolset and definitely draw a line in the sand.
Monday, October 18, 2010
War or just "good, clean fun"?
Over the weekend, I've gotten some serious pushback from a 19-year-old hacker in the Netherlands. You might say my last posting (on the attack from China) had the same general effect on him as does a full moon on a werewolf (hats off to the late Hunter Thompson for the metaphor, which I plagiarized years ago for my own Web site). Besides being in a serious state of denial about any current state of cyber war, I got the impression that a vast body of so-called hackers view all IP addresses as fair game, kind of mountains to be climbed for recreation. Therefore my report of a China-based IP address taking a concentrated 83-shot volley against my Web server in just 12 seconds was nothing for me to be alarmed about. I should use better security and "change my SSH".
I'll talk in later blogs at some length as to whether or not we're really into a cyber war. Right now I need to draw my own line in the sand, with due respect to a rather large community of recreational cyber enthusiasts who regard the challenge of hacking into an IP address as good, clean fun. If you break into my house, pick the lock so to speak, I can legally employ lethal force. Such rights of self-defense do not exist in the cyber world. If you break into my computer and I burn you from my computer to your computer, I have some serious legal liability. I don't care whether or not you are some 300-pound bipolar sysadmin from the Netherlands out on a 48-hour manic marathon of cyber mountain climbing, or a Chinese government-sponsored agent mapping the US infrastructure and planting data bombs in utilities. You try to break into my computer, you're fair game for me.
I haven't heard back from the Chinese IP contact in my last post, nor have I heard from the FBI to whom I reported the incident. I'll let you know when I do.
Now, to stay on message about the legitimate use for legally authorized privateers to (a) help fight cyber crime, and (b) help pay the US national debt, I refer you to an article in today's Computerworld about the Zeus botnet targeting Charles Schwab accounts. Some serious thieves are at work here. So how about the US Congress issuing some Letters of Marque and Reprisal to … dare I say it … a few enterprising hackers who have the know-how and patience to loot the accounts of Zeus thieves? How about we allow them to split the proceeds 50/50 with the US Government? It'll create jobs and help pay down the national debt.
Saturday, October 16, 2010
Who's trying to hack my Linux server today?
My Linux security logs have recorded thousands of attempts to crack my passwords and take over my system. This morning for example, somebody from the IP address 219.235.4.123 tried 83 different username/password combinations in just 12 seconds. Conclusions:
1) Obviously, this was an automated attack. Nobody types that fast.
2) The IP address (219.235.4.123) is located in China. Owner of the domain is Shanghai QjanWan Network Co, Ltd. located at No 2601 (2), Songhuajiang Load, Shanghai, China, Shanghai B&T Network and Telecom Inc
3) Email address of the domain contact, Gu Honghai, is hhgu@hotmail.com (yeah right, a hotmail account for a legitimate business).
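The burst described in the conclusions above (dozens of username/password guesses from one address in a few seconds) is exactly the pattern a rate-based check over the SSH log catches. What follows is an added example, not code from this blog or its author: it parses OpenSSH "Failed password" lines in syslog format and flags any source address that reaches a threshold of failures inside a sliding time window. The log lines, the threshold, the window, and the addresses (documentation ranges, not the address reported above) are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Typical OpenSSH failure line from /var/log/auth.log (syslog format).
# The syslog timestamp carries no year, so parsing assumes one.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines, year=2010):
    """Return a list of (timestamp, source_ip, username) for every
    'Failed password' line; anything else is ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_bursts(events, threshold=10, window_seconds=60):
    """Sliding-window rate check per source address.

    Returns {ip: (count, first_ts, last_ts)} for each source whose failed
    logins reach `threshold` within any `window_seconds` span; the tuple
    describes the densest such window seen for that address."""
    by_ip = defaultdict(list)
    for ts, ip, _user in events:
        by_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        left = 0
        best = None
        for right, ts in enumerate(stamps):
            # Slide the left edge forward until the window fits.
            while (ts - stamps[left]).total_seconds() > window_seconds:
                left += 1
            count = right - left + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, stamps[left], ts)
        if best is not None:
            flagged[ip] = best
    return flagged


def make_sample_log():
    """Constructed sample log: one host fires 83 guesses inside 12 seconds
    (an automated dictionary attack); another host fails three times over
    ten minutes, which looks like a human mistyping a password."""
    lines = []
    base = datetime(2010, 10, 16, 6, 14, 0)
    for i in range(83):
        ts = base + timedelta(seconds=i * 12 // 83)
        lines.append(
            f"{ts:%b %d %H:%M:%S} host sshd[{1000 + i}]: Failed password for "
            f"invalid user user{i} from 203.0.113.5 port {40000 + i} ssh2"
        )
    for i in range(3):
        ts = base + timedelta(minutes=5 * i)
        lines.append(
            f"{ts:%b %d %H:%M:%S} host sshd[2000]: Failed password for bob "
            f"from 198.51.100.7 port 51000 ssh2"
        )
    return lines


if __name__ == "__main__":
    events = parse_failures(make_sample_log())
    for ip, (count, first, last) in find_bursts(events).items():
        span = (last - first).total_seconds()
        print(f"{ip}: {count} failed logins in {span:.0f}s "
              f"({first:%H:%M:%S} to {last:%H:%M:%S})")
```

On a real system the input would be the lines of /var/log/auth.log and the flagged addresses would be handed to a firewall rule or a fail2ban-style tool; the threshold and window are assumptions to tune against your own baseline, since a single typo-prone user must not trip the same alarm as an 83-guess volley.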
Yes, I could launch a counter attack at that domain, take it over, and do some pretty awful things to everyone who has ever touched that system. Then I could wait for a knock on my door and be perp walked to a waiting squad car. I'm not inclined to do that.
So instead, I'm going to send Gu Honghai an email and see what kind of response I get. Oh, and also copy the FBI to see how they respond. Stay tuned.
Friday, October 15, 2010
Constitutional basis for cyber privateers
Susan Brenner is a law professor who blogs on cybercrime and cyberconflict. She does an excellent job of discussing the legalities at: Marque and Reprisal: Constitution article 1 section 8. She also raises some practicality issues worth discussing.
How badly are the Chinese and Russians hurting us?
Following is an ad I created for BigFix and which ran in The Economist (before BigFix was acquired by IBM). I think it says it all:
Thursday, October 14, 2010
Welcome to "black hats", "white hats", and 21st Century "cyber swashbucklers"
The Revolutionary War was fought, financed, and pretty well WON by bonded privateers, legalized pirates who were given Letters of Marque and Reprisal by the Continental Congress and authorized to attack, capture and monetize British ships. The purpose of this site is to explore the possibility of a modern-day doctrine much like the Monroe Doctrine, by means of which the U.S. government could legally and, more importantly, effectively stop international hackers. Current cybercrime law is not only ineffective, but downright stupid. My Linux servers are attacked hundreds of times a day (mostly from China and former USSR domains), yet if I retaliate against those servers with some creative technology at my disposal (I know some VERY smart guys), then I am in violation of federal law and subject to some onerous penalties. We need more than a new law. We need a new international doctrine. I call it The Morgan Doctrine, named after Morgan Rapier, a fictional character I've created (hey, this is my way of establishing ownership of the concept, should it ever see the light of day).
Why a new international doctrine? Simply, nothing else will work. Introduced on December 2, 1823, the Monroe Doctrine told the world to keep their hands off the Americas. Combine this with current legal thinking on "hot pursuit" of fugitives. In 1917 the US Army went into Mexico after Pancho Villa. More recently, in 1960 Israeli Mossad agents abducted Adolf Eichmann from Argentina. Granted, much of the world regards the Eichmann adventure as a violation of international law. I don't share that opinion and therefore use it as the third leg of my Monroe-Pancho-Adolf platform for The Morgan Doctrine.
If someone comes into your home and attacks or attempts to rob you, you may shoot them dead. You may do so as long as they expire on your property. But what about cyber criminals? They attack you in your home from their homes. Retaliate in kind, and you go to jail. The Morgan Doctrine states simply that if you attack my computers (or my banking assets held in US-based computers), then under a certain set of well-defined conditions, a licensed and bonded "cyber privateer" may attack you in your home country and split the proceeds with the U.S. government. For the sake of argument, let's call it a 50-50 split (heh heh).
Right now, American law enforcement is completely unequipped to deal with the sheer number of international cyber hackers. Sure, I could report each of the thousand daily attacks to the FBI, as could the millions of other attackees in the USA. But the volume of such reports would make any meaningful resolution laughable. Not to mention that the FBI has no jurisdiction outside the USA. Yet to make such "enforcement" profitable to recognized (i.e., "bonded," "deputized") privateers, as Heath Ledger's Joker said in his last role, "Now you're talking!" You raid our bank accounts, we raid yours. You make money from off-shore child pornography, we're going to loot your bank accounts and, with some REALLY creative black hat operations, you will be taken off the grid worldwide to the extent that you'll not even complete a cell phone conversation for the remainder of your miserable depraved life. Okay, that last part probably won't fly, but you get my drift.
The purpose of this site is to explore the mechanics, legalities and practicality of The Morgan Doctrine.
And I will be the sole arbiter of whether or not your comments get posted. As Mel Brooks wrote, "It's good to be king."