Monday, February 28, 2011

NY Senator: "Switch to HTTPS"

Just a tip-of-the-iceberg realization today from NY Senator Charles Schumer, who suggested to online companies that they go to HTTPS. Bad news, Senator. That won't cut it. All transactions with Amazon et al are HTTPS already. As I've said before, we need a from-the-ground-up redesign of the Internet, scrapping TCP/IP because it is inherently flawed. I've had several notes from hackers chiding anyone who thinks the Internet is secure (or should be). Well, if you want a secure Internet then you'd better design one that's secure. Until then, cyber privateers could buy us some time. Because a brand new Internet will take some time. And some money.

Saturday, February 26, 2011

RANT: FBI now running a 3rd-world orphanage?

I saw this Computerworld headline on Thursday and have been shaking my head for two days: US cybercrime complaints fell 10% in 2010. I can't make up my mind whether I'm more astounded that some PR flack at the Internet Crime Complaint Center (IC3) would issue such a preposterous statistic or that any responsible news organization would run the story without critical comment by a responsible statistician. Heck, I'd have been satisfied with the story had they asked for comment from anyone—anyone at all—who'd read either Freakonomics or Super Freakonomics by Levitt and Dubner. The one source quoted in the article said, "…the overall number of complaints may be down because companies are getting better at dealing with fraud." Pure hogwash!

It should be obvious to anyone who spends any time on the Internet that cyber crime is up. From my own experience:

  1. Email hijacking is up. 
  2. Fraudulent phishing is up. 
  3. Spam from bogus sites is up. 
  4. And if you actually have a server running on the Web, break-in attempts have never been more numerous. 

    I have no doubt that IC3 cyber crime complaints fell by 10%. That's because we're just tired of filing complaints to which the authorities do not respond. Our environment is kind of like a Romanian orphanage in which you don't hear a sound. No crying babies. And it's not because they don't have the babies, but because babies only cry when it brings love and relief and help. No help, no love, no relief, and the babies stop crying, resigned to their fate in an inhospitable environment. Silicon Valley surely doesn't have a lot to be thankful for from the FBI after Director Mueller publicly asks U.S. software companies to build back doors into their products.

    Let's face it. We're living in a 3rd-world orphanage. The only way I've come up with to fix the problem is to monetize cyber security with…surprise…licensed and bonded cyber privateers. If you have a better idea, let me hear about it. Please. I beg you.

    Friday, February 25, 2011

    Dear Switzerland: How about the Lockerbie families?

    If the families of the PanAm Lockerbie Flight 103 victims had access to licensed and bonded cyber privateers, and if the bonding authority authorized the action, those families could split Gadhafi’s billions with both the cyber privateers and with the government that issued the Letter of Marque and Reprisal. I’d especially love to see Muammar invoke his “right to parley” under my Cyber Privateer Code, trying to get his money back. Now there's a video that would go viral! In the absence of such bonding authority, I think it would do wonders for Switzerland, who has ordered the banks to freeze Gadhafi's assets, to earmark a billion or so for the surviving families of the Lockerbie victims.

    Thursday, February 24, 2011

    Jeff Menz may now rest in peace.

    Thanks to Brian Krebs security email, I finally have closure on the pharmacy recommendations I was getting from my dead friend Jeff Menz's email account at Yahoo! I mentioned the Russian arrests in my post yesterday. Today, Brian outlined the $150 million operation that included the "Canadian Pharmacy" recommended to me by my late friend (the subject of my October 22nd post). And like I said yesterday, I haven't received any more "Canadian Pharmacy" promotions for at least two weeks, for which I am extremely thankful. I didn't realize what a softie I was, but I felt real heartache whenever I'd get email from Jeff's still-active account. I would like to thank Mr. Krebs for his research, and confess my absolutely unhealthy interest in learning the fate of the perpetrators. In the meantime, R.I.P. Jeff Menz.

    Wednesday, February 23, 2011

    Dear Russia: I have a solution for you!

    Dear President Putin,

    Being the guerrilla warfare guy that took Larry Ellison and Oracle from $15 million to over $1 billion in annual sales, and who did Marc Benioff's pre-IPO attacks against Siebel, I'd like to respectfully offer you solutions to what I perceive are two serious problems Russia now faces in the cyber-security/cyber-war arena. Yesterday, I took this opportunity to help China's Huawei turn their greatest liability into their greatest asset. Today, I'd like to do the same for you.

    My motives? Anybody can be a professional "accuser" in today's talking-head media environment. Heck, it's a way of life in the diplomatic corps of our respective countries. And I've taken my share of shots in your direction, too (just type "Russia" into the search box to the left and you'll see what I mean). But it's my basic nature to be a problem solver, as suggested by the overriding theme of this cyber privateering blog. Your two problems:

    1. You have a PR problem. Not only are your countrymen considered a real cyber crime threat, but you appear not to take law enforcement very seriously (as illustrated by my February 9th post on letting Mr. Anikin off without any jail time). 
    2. Unlike China, you do not appear to be making any investment in IT infrastructure, choosing instead to buy or steal intellectual property from other countries. This will not serve you well in the long run, which is probably why Oracle's Larry Ellison has said some fairly inflammatory things about Russia. I've even accused you of being in the protection racket.
    I believe both these problems are rather easily solved. Yes, advice is worth what you pay for it, and all sources of advice are not equally valuable. I'm just a guerrilla warrior spouting off, so it won't hurt my feelings if you ignore me. But I did happen to learn guerrilla warfare from the very best practitioners of the art. Old friends Dick Morris (the guy behind Clinton early on) and his former partner Dick Dresner (who later ran Boris Yeltsin's successful campaign in Russia) introduced me to the late Tony Schwartz (who destroyed Barry Goldwater's presidency in 1964 with the famous Daisy television ad). The three of us worked on passing tax limitation in Massachusetts in 1979. But enough self promotion. Back to solutions for your problems.

    Your PR problem, first. Until a couple of weeks ago, I was getting tons of email from my supposed friends (whose email accounts had been hacked) recommending online pharmacies. I even got email from a dead friend. At the end of my post on the subject, I requested:
    But if going after petty cyber thieves ever becomes legal, I'd like to request that whoever stings these guys let me in on the details.
    Lo and behold, I got a note from Brian Krebs ( that "Russian Cops Crash Pill Pusher Party."  And you know what? I haven't received an online pharmacy offer for a couple of weeks. Way to go!

    By the way, Mr. Krebs is the real deal, having just been honored by at the Social Security Blogger Awards at the RSA security conference as the blogger they thought best represents the security industry today. I'm just a novelist beating the cyber privateering theme to death, but Mr. Krebs and his blog are a great source of cyber crime and security news. The reason I mention him and his story on Russian cops crashing the pill pusher party, is that nobody else in the media is covering this story. That's a mistake, since it indicates you are serious about stopping cyber crime. You ought to be shouting your commitment to snuffing the bad guys. And I can't think of a better guy to help you do this than another old friend of mine, New York City PR superstar Steve Coltrin (who also happens to be very close to Mitt Romney, but that's another story). I served with Steve on the board of directors of a public company, and certify to you that there is no more capable and straight-shooting guy on the planet. He can help you change the perception that your country is full of crooks who operate with the tacit approval of the government.

    Your second problem is a bit more difficult to solve, and involves creating a base for technology innovation. As of the time he wrote Cyber War, Richard Clarke figured Russia was ahead of China in your cyber war capabilities. I don't see that continuing without your fostering innovation, rather than stealing it. My humble suggestion is that you consider making Russia the world-wide hub for…legalized and bonded cyber privateers. You see, we now live in a world without borders. It's called The World Wide Web. The first country that recognizes this and sets up a Web integrity enforcement system—a self-monetizing one at that—will become the overnight cyber superpower, the de facto ruler of the world. I've spent a lot of time in my various blog posts outlining the legal basis for cyber privateering, and a cyber privateer code that protects the innocent and will give your treasury billions by looting the bank accounts of the bad guys.

    I'd hoped the USA could be that cyber privateer superpower. My second choice was Australia. Switzerland was a third possibility. But then I asked myself what I'd do if your "poor Russian b*st*rds" asked for by best advice. This is my best advice. 

    Tuesday, February 22, 2011

    Dear Huawei: I have a solution for you!

    Several of my posts have been less than positive about my trust for Chinese computer/tablet/cellphone manufacturer Huawei (just do a search for "Huawei" in the left-hand search box and you can pull up my previous epistles). It's not my nature to be "an accuser" in life, so my diatribes against Chinese and Russian individual and government misconduct have been provided reluctantly. As any who know me will attest, I always try to leave people (and companies) better than I found them. Even if it's only one meeting, I tend to throw my bread upon the waters and give my best constructive net-net assessment of their situation. I have not done that with Huawei, only hinted at solutions for Russia, and I've taken a fairly uncompromising/unconstructive line with regard to China (do the searches and you'll see what I mean).

    Yes, this sinner needs to repent, starting with Huawei. The question I asked myself:
    If I were hired by Huawei to help them overcome the lack of trust reported in both the US and the UK, as well as my own lack of confidence in the security integrity of their products, what would I do?
    Actually, I've been contemplating that question since my very first post on you. The thought generally starts with the term, "Wow, you poor b*st*rds…" Clearly, though, what would I do to help you turn around and penetrate Western markets like they never thought possible? Assuming your quality is good, and knowing in advance that your prices will undercut pretty much everything else out there, how could you turn your biggest liability (would distrust of China's cyber goals) into your greatest asset? That concept, turning a liability into an asset of equal proportion, is something motivational speakers and so-called "life coaches" have been doing since…well…since the theme occurs fairly routinely throughout the Bible, the Torah, and even the Koran (probably Buddha and Lao Tse, too). So what's the answer. Three steps, gentlemen:

    1. Huawei, you must face the problem head-on. It's not good enough that you offer their source code to potential large customers. As I've said before, it's easy to hide two or three-way combination locks in plain sight. Source code doesn't make any difference. Facing it head-on means recognizing you have a problem and solving it forthrightly.
    2. Google's offering a mere $20,000 to the first CanSecWest attendee who can crack their Chrome browser is downright insulting. It certainly doesn't bespeak infinite confidence in their product. If you want to make you point, offer $1 million to the first person who can find a trap door unique to your products.
    3. Don't just make the offer, but put the actual $1 million in escrow with a trusted third party to whom you have also given the right to make the decision as to whether or not the identified trap door is legitimate. You should also make it part of the contract with that trusted third party that their decision about disbursing the $1 million must be made within a very short time. Maybe 30 days.
    You won't have to spend another dollar…er, Yuan…on either marketing or advertising. The press will be staggering. Not only will everyone from major corporations to lowly consumers buy your product, but every hacker and whacker will want your product, too. You get the picture.

    And even if you have to pay out the $1 million—even several times—the newsworthiness of the event and honest "Gosh,-we-really-didn't-have-any-idea,-and-that-employee-who-was-acting-as-an-agent/spy-has-been-publicly-terminated" will further instill confidence in your integrity.

    This is the best I have. Yours free for the taking. Yes, because I'm basically a good guy having a little intellectual joust at your expense. But also because you have a lot of families depending upon you for their jobs and sustenance. Why not make them proud to work for such an honorable employer? Heck, you might even consider giving internal whistle blowers a bounty. Adam Smith's "invisible hand" could deliver…financial freedom.

    Monday, February 21, 2011

    Huawei withdraws from 3Leaf acquisition

    I think Huawei's withdrawl from the 3Leaf acquisition smartly saved the U.S. from having to nix the deal and the subsequent inevitable face-saving retaliation that China would have to launch. My guess is that a lot of behind-the-scenes diplomatic action brought about this outcome. Yes, I've previously stated that I wouldn't use a Huawei cell phone or tablet computer even if they gave them away, largely because of my security suspicions. But that was the calculated overstatement necessary to make an important point. However, should the U.S. authorize and allow bonded protection by licensed cyber privateers, and should such an organization sell me a "security policy" for my hardware/software purchases on a name-by-name vendor basis, I would not only use Chinese-manufactured products but I would not object to a Huawei/3Leaf acquisition. I don't mind letting Adam Smith's "invisible hand" turn into a fist when necessary. Cyber privateers could provide the checks and balances necessary to avoid future, bigger diplomatic dust ups that might well lead to all kinds of war, cyber and otherwise.

    Saturday, February 19, 2011

    February's top-10 cyber privateer blogs

    Going into Presidents Day Weekend (I'm sure there's a politically appropriate message here), you might be interested in the most-read cyber privateering blogs for the last month. The mathematician in me loves to analyze trend data, and the guerrilla warrior in me wants to know where I've drawn the most blood. While I'm not at all surprised by the results, the hairs on the back of my neck do stand up a bit at the mathematical likelihood that (a) we are in the midst of a rapidly escalating cyber war, and (b) none of our leaders have the slightest clue what to do about it. Here are my top-10 most-read blogs for the last month:
    1. How China/Russia can make (are making?) billions by slowing down the side channel. No surprise here, given the publicity over the last month on hiccups and hacks in international financial systems. Sure, I poured a little cyber privateer gasoline on the fire with my online comments to the Wall Street Journal and London Telegraph articles. This topic had nearly double the readers of topic #2.
    2. China, I wouldn't even take a FREE Huawei cell phone or tablet. While this topic had only half the readers of #1, it nearly doubled the readership of #3 that follows. Yeah, again I drew a fairly unambiguous line in the sand. I also baited the Hounds of Hell in my comments to WSJ and Telegraph articles.
    3. Privateer analytics: high-reward/high-risk numbers. This is a bit of a surprise, although combined with #s 4 and 5 makes perfect sense. The first two indicate the "pain level" of the world, while #s 3, 4, and 5 indicated that readers are taking a good hard look at my proposal to legalize cyber privateering.
    4. Cyber privateer code: 100-to-1 restitution. This is the "got'cha" for the inept privateer. Screw up even once, and you could be off the financial grid for the rest of your life.
    5. Draft 01: The Cyber Privateer Code. This is my equivalent to Asimov's Rules of Robotics. I proposed these five rules of cyber privateering on November 13, 2010. Surprisingly, I haven't felt to need to modify them. Yet.
    6. Russia doesn't jail young Darth Vader. I couldn't resist the analogy of the "evil empire" letting off a guy named…Anikin (pretty close to Anakin Skywalker). Again, this indicts Russia pretty thoroughly as a purveyor of cyber shenanigans.
    7. The Perfect Virus: All 22 principles summarized. Once we get past current events and the mechanics of cyber privateering, it's logical that the toolset for the efficient swashbuckler should come into play. This is one of two intellectual tours de force to which I can claim authorship credit (the other is #8 below). The inspiration came from Jeffrey L. Walker, the member of my Cyber Privateer Fantasy League team who wrote a monograph on "The Perfect Application" and on which I built my own treatise on The Perfect Virus.
    8. How to recruit cyber privateers: Dear Sony Entertainment. My second intellectual tour de force is the idea that online gaming is a perfect way to identify people ideally suited to be cyber privateers. Naturally, once people are hooked on the viability of cyber privateering and on the technology necessary to pull it off, they inevitably become curious as to how they might build an organization. Well, here you go.
    9. Stuxnet about to cause an "Iranian Chernobyl." The Russian warning got some serious international news coverage, and the Telegraph story was well reserched. My online comments caused a flurry of interest in cyber privateering.
    10. Infecting an alien architecture, Part IV. Last but certainly not least is my four-part discussion of what I call "The Holy Grail" of The Perfect Virus, principle #7, Black Box Portability. Putting this point #10 into context, the all-time most popular document in my blog, not just this month but for all time, is principle #14, Stealth. But over the last month, I'm glad to see my readers are putting Stealth into context, and realize that the biggest threat to our cyber world is most likely a proprietary and alien architecture that China is probably developing as its ultimate cyber weapon. If we can't infect and neutralize that technology, then we will have lost The Great Cyber War.
    So welcome to Presidents Day. There is a whole lot for presidents—of corporations and of coutries—to be considering this weekend.

    Friday, February 18, 2011

    Cyber privateering argument from UK security minister

    Today's story in's security newsletter has a fairly cogent (if unintended) argument for legalization of cyber privateering. The headline reads, "Why crooks won't be doing time for cybercrime." The answer, of course, is that "The prosecution figures are dwarfed by the activity itself." In other words, law enforcement is way outgunned. But UK Security Minister Baroness Pauline Neville-Jones cut to the chase:

    And it won't all be passive - law enforcement and the security services in this country will hit back, Neville-Jones implied, turning the tools of the cybercriminal back on themselves and presumably using methods such as DDoS attacks to cut off their internet access and malware to scramble their systems. "I think [the key to tackling cybercrime] is going to be through much better defences and disruption - for example, screwing up their network. Much as the intruder can screw up the company network, the reverse can happen," said Neville-Jones. The decision not to make locking up cybercriminals the main focus of UK computer crime-fighting polich is a reflection of the time and resources it takes to track down and prosecute those responsible.
    The question I have for the Baroness is, "Who better to do the disruption of the cybercriminals than cyber privateers?" Not only can you issue the contracts to trusted enterprises, but they can pay themselves by looting the cybercriminal organization and splitting the booty with the UK government.

    Of course, the UK will have to renounce signing the Paris Declaration of 1856, which outlawed privateering (and presumably cyber privateering).

    Thursday, February 17, 2011

    RSA: "Act now on cyberwar"

    News today from the RSA conference in San Francisco is a consensus agreement that "The time to act on cyber war is now…" Of course, nobody is really clear on what we ought to do about it beyond defining "…the right legislative framework…" You might have the temerity to ask, "What kind of framework?" Good question. After all, "The very nature of the Internet makes it hard to impose the same sort of rules that exist in the physical realm…" Alas, what are chances of a coherent solution, versus just waiting for the sky to fall in? The last line of the article would turn Mother Teresa into a cynic: "The odds are we, will wait…" Oh golly Miss Molly.

    I hate throwing up these softballs. Legalized cyber privateers would be my short-term answer. Let the market monetize finding and correcting the problem. Two other stories today prove my point.

    The first story, again in Compterworld: "China denies role in reported government of Canada hack." The most laughable quote in China's denial came from Foreign Ministry Spokesman Ma Zhaozxu: "The Chinese government is firmly opposed to hacking and other criminal acts…" If this were from a press conference, I'd have to ask:

    1. Did the Foreign Ministry Spokesman keep a straight face when he gave this quote? and
    2. Did the room break into laughter, or did the journalists just nod politely and look down as they wrote this ludicrous swill?
    China is at the center of cyberwar activity. They're sure hammering my Linux box on a daily/hourly basis.

    The second news story seems to prove, perversely and ironically, that allegations against China are well founded. I say "ironically" because China isn't mentioned at all. Symantec (Norton) is publishing a daily CYBERCRIME INDEX, wherein they use their supposedly vast resources to quantify sources of everything from ID theft to fraud to malware to spam. Who are the top-15 phishing sites? Notice the absence of China. And China is only number 9 on the worst BOT infected countries, although I suspect they appear there at all only because the people running those bots are…yep…based in China and probably operating under government sponsorship. Because as I contend in my post giving the IP addresses of Chinese attack servers, nothing goes on in China without at least tacit approval of the government. Of course, my appreciation of Symantec is eternal, as you can tell from the BigFix ad I did last year:
    Just a few months after this ad ran, BigFix was acquired by IBM. Does IBM "get it" so to speak? Time will tell.

    What do we do to prepare for (or wage, as many believe it's going on right now) cyberwar? 
    1. As I posted on Tuesday, our "Plan B" had better get the U.S. cracking on a redesigned, built-from-the-ground-up secure Internet replacement, before the lights go out.
    2. Change some laws to take off the handcuffs of people whose computers getting hit by cyber criminals and rogue governments.
    3. License a few test-case cyber privaters, provided they agree to and are bound by the cyber privateer code.

    Wednesday, February 16, 2011

    Cyber privateer code: 100-to-1 restitution

    Saturday, I posted a tongue-in-cheek note on the cyber security gang that couldn't shoot straight. The New York Times story was picked up and continued in today's Computerworld, HBGary Federal quits RSA over Anonymous WikiLaks eamail. In today's story, Computerworld shares reader comments on the HBGary Federal fiasco, and I can't help but be entertained. Gosh it must be embarrassing for a security company to be so badly spanked in public, and I should be ashamed of myself for jumping on the dogpile. Except I'm not. Because if the exposed emails are authentic, then "the gang that couldn't shoot straight" actually proposed illegal actions. So their "not shooting straight" is a double entendre. All along, I have made it clear that cyber privateers should be legally bonded, and must follow the cyber privateer code of honor.

    That said, the acts of the Anonymous group who unveiled the HBGary Federal emails are also illegal and cannot be justified. Ditto for WikiLeaks. But I confess a certain amount of schizophrenic interest in the fruits of this thievery. Amusement at the stupidity of the approach recommended by HBGary Federal, and embarrassment at the culpability of US diplomats in hiding the truth about some of the world's bad guys. From whom are we trying to keep secrets? Certainly not the bad guys, who know that we know. No, as a matter of policy we're trying to spare the bad guys from public scrutiny. We're keeping secrets from the public, because public opinion might force a more coherent policy making process.

    My own attitude is that we ought to shine the light on the world's cockroaches. Nevertheless, that end does not justify the means used by Anonymous or purveyors of WikiLeaks. Which is again why I call on an above-board legalization of cyber privateers, who will be held to a strict code of conduct and authorized by a bonding authority who won't take kindly to 100-to-1 restitution metrics. I'm intrigued that my first draft of the cyber privateer code seems to stand up, even after three months of kicking it around. Draft one! Not bad, friends. Not bad.

    Go figure.

    Tuesday, February 15, 2011

    Internet meltdown: 'Plan B' from science fiction?

    In yesterday's post (If I were a jihadist, Part II), I argued for the inevitable malicious destruction of our existing Internet. I also promised that today I would consider the contribution of several science fiction authors to getting our brains around a "Plan B" for climbing out of the ashes of such an Internet doomsday. I've previously talked about military science fiction as the cyber privateer road map, and credited Piers Anthony's Macroscope as my inspiration for principle #7 of The Perfect Virus, namely Black Box Portability. My question today:
    Have you ever considered what you would do if the Internet were absolutely, instantly, and irretrievably destroyed? I'm not talking for an hour, or for a week or month, but for at least a year? Do you have a "Plan B" for your life, your livelihood, and for your family?
    For those of you with any kind of acute anxiety disorder, one or more schizophrenic personalities prone to violence, psychotic paranoia, or even a mild neurosis that causes insomnia, I suggest you quit reading, close this window, and delete your browser history file and all bookmarks to this site. Because however bad you think it will be, let me assure you it's going to be a whole lot worse. There are quite a few data points in the world of science fiction that have affected my own thinking. These are only illustrative and not at all intended to be a complete bibliography of the field. In fact, I'll add to this list as I get email from various science fiction fans.

    1. My first vision of the future came from the late Frank Herbert, author of Dune. We became friends after I referenced him in an ad for one of my inventions. Over many lunches and while floating in his Port Townsend, WA swimming pool, I "grokked" that is idea of the future was fairly daunting, where technology was so advanced that any individual could destroy a government or even a planet. He said I reminded him of another of his characters, Jorj X. McKie, in his short story The Tactful Saboteur. McKie was kind of an non-violent IRA type who was hired by the BuSab (the Bureau of Sabotage) to slow down a legislature who had too much technology and too much ability to pass laws before they could consider the unintended consequences of those laws. Frank even talked me into running for the U.S. Congress from Washington in 1978. I lost the race, even though I carried Frank's district. But his lessons stuck, and I went into guerrilla warfare marketing. You can see where this is going, eh? His desert Freemen (jihadists) in Dune combined with Jorj X. McKie in my psyche to yield my own best solution to a serious modern dilemma: cyber privateers.
    2. My next seminal influence was Piers Anthony and his book Macroscope, mentioned above as the genesis for Black Box Portability, of which I have blogged several times on the topic of infecting an alien intelligence, the last of which was Part IV on Feburary 2nd (links to parts I, II and III are in that blog.
    3. When it comes to the end of the world as we know it, however, top honors go to Larry Niven and Jerry Pournelle for their seminal book, Lucifer's Hammer. Several well-placed meteorites take out the whole planet and most (but not all) the people. How do you rebuild from zero? Heck, how do you eat? I am amused that some religious zealot got converts by forcing cannibalism on his growing army, thus making them pariahs to civilized people evermore. More importantly, though, is the problem faced by the good guys, of how to build an infrastructure from…zilch. You know, the Internet going down is one thing, but a sufficiently effective EMP-based attack could completely fry everything electronic (see my post on the new cyber security center being built about 10 miles from my house). By the way, I spent some time with Jerry Pournelle in his SoCal home, and have never before or since seen a more magnificent personal library. His shelves-upon-shelves of books were a magnificent maze. 
    4. I have previously posted on David Drake's Hammer's Slammers and David Weber's Bolo series. But I have just finished John Ringo's second installment, Citadel, about our recovery from an alien invasion in Live Free or Die. And I'm anxiously awaiting the third installment, The Hot Gate on May 3rd. Talk about a "Plan-B" mentality! Not only did entrepreneur Tyler Vernon have to come up with an infrastructure, but he had to figure out a method of commerce that aliens would accept in order to provide him with Galaxy-class technology with which to battle other colonizing aliens.
    The above are just a few examples of the problem mind-set we'd face if we lost the things we take for granted. Today's Computerworld reports that President Obama is seeking "a big boost in cybersecurity spending." At the risk of echoing past rants, what he wants to spend my hard-earned tax dollars on is silly and stupid. How about a new, built-from-the-ground-up, super-secure Internet (I posted on the UUU)? Let's not only have cyber privateers buy us some time on today's Internet, but they could also dump a serious amount of cash into our deficit-ridden treasury. Because the extended collapse of my Internet window to the world would leave me rather…as my Canadian friends might say…seriously hosed.

    Monday, February 14, 2011

    If I were a jihadist, Part II

    In my November 15th "If I were a jihadist" post, my 5th scenario for a game spoiler was to "Take down the Internet." Specifically, I said:
    Take down the Internet. Come on, you can blame this one on Christian Fanatics who believe that the beast referred to in the Bible (Revelation 13:17) is really the Internet (the "number of the beast" is 666, which in Hebrew is "www" which…well, you get it). Whack every DNS (Domain Name Server) system in the world with a pro-Christian/anti-Israel "goodbye world" shut-down message.
    The item from my daily technology bible, Kurzweil News,  pointed at the New Scientist Tech story: The cyberweapon that could take down the Internet by the University of Minnesota's Max Schuchard and his colleagues. Unfortunately, their conclusion that an Internet meltdown is not necessarily inevitable is, to me, just silly. For enough money, the guys who rent out their botnets would do it. But more likely, a rogue government like North Korea would do it in a heartbeat, especially since they don't as thoroughly depend upon the Internet for Infrastructure communication as do the countries who actually have lights that can be seen from a satellite in the dark. It is also conceivable that the Iranians would consider this, especially after seeing what student-led demands for democracy have accomplished in Egypt (I do not believe that Iran is in as much control of the Egyptian meltdown as do some of the conservative commentators).

    Iran may, in fact, resort to the (cyber) nuclear option when their own social meltdown begins. Accentuating this hypothesis is Friday's New York Times story further detailing the extent of Stuxnet penetration in five Iranian sites. Put yourself in Grand Ayatollah Seyyed Ali Hoseyni Khamenei's position. His compound is surrounded by a mob of angry students, the military is taking their game plan from the Egyptians and holding back (giving some students rides on their tanks), and President Mahmoud Ahmadinejad is calling every two minutes, yelling explicatives and pulling out large tufts of his beard. Chances are one of the top five "goodbye world" options would be to bring down The Great Satan's Internet. And there are easier ways to bring down the Internet that the mechanism suggested by Dr. Schuchard and his buddies.

    The ability of Stuxnet (as reported in the New York Times article) to report on the location and type of each computer infected allows me to give Stuxnet a partial-compliance mark in maintaining Institutional Memory, which is principle #21 of The Perfect Virus. I have there updated my Virus Report Card of February 7th accordingly. 

    For those of you who are musically inclined, you might sing the following lyrics to Bobby Darin's If I Were A Carpenter:

    If I were a jihadist, 
    and you were al qaedis
    Would you tarry in Te-hr-an?
    And help me kill babies?

    If I soaked my hands in blood,
    would you still love me?
    Would you help me pull the plug?
    And sign it Khamenei? 
    So take your pick. One way or another the Internet is probably going to cease to exist as we know it. Either because of a physical pygmy in North Korea or a mental pygmy in Tehran. And remember, in a world full of emotional pygmies, the patient man is king. And while we're being patient, we might come up with a "Plan B" for climbing out of the ashes after Internet doomsday. Several military science fiction authors have dealt with this scenario, which I will cover in tomorrow's post.


    Saturday, February 12, 2011

    The cyber security gang that couldn't shoot straight

    Today's New York Times article, Hackers Reveal Offers to Spy on Corporate Rivals, should have been subtitled Dumb and Dumber. My Thursday post on how cybercrime is an easy-entry career could well have gone one to point out the flip side of the coin: There surely are a lot of idiots who currently offer cyber security services. I would have started at the top, with Symantec and McAfee, and eventually hit the bottom feeders. Luckily, the New York Times covered the bottom feeders for me. Good article; good read.

    Want to know what a "hoser" is? Canadians know. The rest of us can get a clue by renting or buying the video Strange Brew. Beauty, eh?

    If you are evaluating competent help to analyze cyber threats, my advice is quite simple:
    People who talk about their cyber exploits really don't know how to do them, and people who really do something about cyber security don't really talk about it (beyond offering a free penetration study).
    How do you find competent cyber security help? In the absence of referrals from a trusted source, I would recommend offering a get-out-of-jail-free card to pre-cleared organizations who want your business and who will do that FREE penetration study. Even then, you'd better do some reference checking, verify the ownership of the organization (ie; that it's not China, Inc. installing back doors into your system), and then satisfy yourself of their liability insurance coverage.

    Of course, a licensed and bonded cyber privateer is what you truly need.

    Friday, February 11, 2011

    China, I wouldn't even take a FREE Huawei cell phone or tablet

    Yesterday's Wall Street Journal story about the U.S. government Committee on Foreign Investment reviewing, and likely to recommend reversing, the Huawei 3Leaf Systems acquisition leads me to believe that the feds aren't as stupid as I thought they were. Time will tell, however, if (a) the feds make the right recommendation, and (b) if we do indeed reverse the transaction.

    China, they way you've been attacking my Linux server, I wouldn't trust you with any control over my infrastructure or with the supply chain of my infrastructure. Which is why I'm amazed at the announcement that Huawei is going to be introducing both a cell phone and a slim tablet at next week's Mobile World Congress show in Spain. Guys, I don't care how many colors it comes in, I'm not buying a phone that could conceivably be hot miked, twinned, or give you punks a back door into my address book. Ditto for the tablet. And I'll be taking a darned close look at the supply chain of computer components for any future electronics purchases.

    Adam Smith's invisible hand may turn into a fist, as far as China is concerned. Until they start behaving like responsible world citizens (among my more notable posts are the IP addresses of their attack servers, how China/Russia could be behind attacks on our financial institutions, and the data bombs China and Russia are installing on our utility infrastructures), they do not deserve a place at the technology table.

    This isn't jingoism or profiling. It's just plain common sense. So shape up, China. I wouldn't take a computer or cell phone from you if you were giving them away. This brings to mind an ad I did for Larry Ellison at Oracle in 1989. We heard Digital Equipment Corporation was going to start shipping their Rdb database free with every VAX computer. Since VAX was Oracle's bread and butter platform, we quickly drove a stake into their heart with the following ad (within a year, DEC abandoned Rdb to Oracle):
    So to my Chinese friends, at least for today, I wouldn't take a Huawei cell phone, tablet, or computer even if you were giving them away. You're going to have to earn my trust.

    Thursday, February 10, 2011

    Cybercrime: an easy-entry career

    For those of you who think the government, any government (pick yours), can handle cyber criminals through conventional law enforcement means, you really need to read today's Security News report. Their contributor Linda Rosencrance nails the reality of cyber crime in her first two sentences:
    In just four years, cybercrime has evolved from a craft practiced by a few hard-core hackers to something resembling an easy-entry career. Sophisticated pieces of malware can be bought “off the shelf,” ready to use, making it simple for anyone to launch an online life of crime. Stolen data and criminal services that were once hard to find have become cut-rate commodities.
    Of course, the article falls down in the end when we don't get a very good answer to the question, "So how can you avoid becoming a victim?" Yeah, you should use anti-virus software, create a separate administrator account only for installing software, and use common sense in your email, online purchasing and dealing with your bank. None of these solutions, however, stand a chance against targeted, non-signature attacks, let alone against anything approaching the capabilities of The Perfect Virus. What is the answer, then?

    How about getting a few more politicians a little concerned about their job security? More government employees and more tax dollars aren't the answer. Legalized cyber privateering is really the only answer I can come up with. My own multiple requests for help from the FBI have yielded dittley-squat.

    Let's raise the bar a bit on the newest easy-entry career.

    Wednesday, February 9, 2011

    Russia doesn't jail young Darth Vader

    Did you hear the story about Russian hacker Yevgeny Anikin (hey, doesn't the fictional Anikin, er Anakin, become Darth Vader?) who was convicted of stealing $10 million from Royal Bank of Scotland accounts but isn't going to be doing jail time? Well, they do say he is quite repentant. There is some buzz that Russia was behind the NASDAQ Director's Desk penetration (see my posts from Saturday and again yesterday). It's not too big a leap to figure out that Anikin has agreed to tutor the Russian cyber criminals on his penetration technology. After all, Richard Clarke in his book Cyber War asserts that the Russians are ahead of even the Chinese in their cyber warfare capabilities. My guess is that they want to stay there. "Luke, I'm your father! Follow the force."

    Tuesday, February 8, 2011

    NASDAQ penetration spoils? The SEC should know!

    Comments to my postings on cyber criminal penetration the NASDAQ Director's Desk system and subsequent dramatic increase in my posts on the Cyber Privateer Code as well as my Legal Justification for Cyber Privateering demand that I revisit this topic ever so briefly. One reader with "over three decades as a top-notch engineer" doesn't believe that (a) cyber privateers could actually find the real bad guys; and, in a separate reply, (b) disputes the validity of a latency attack because it "has the same problems that caused so many day traders to lose their shirts." I responded to his "point a" by giving the links above. As for latency attack viability, I refer you to my post on the likelihood that China and Russia are already doing this.

    Regarding the NASDAQ Director's Desk penetration, I think the real benefit to a hostile government would be to obtain inside information with which they could place bets in advance of public M&A activity disclosures. I became quite familiar with the dynamics of M&A disclosure technology when I worked with IntraLinks to create a market for their secure virtual deal rooms. The following billboard ran outside the Oracle headquarters in Redwood Shores, CA:
    It invited Larry Ellison to go to the IntraLinks Web site and learn how their secure virtual deal room could accelerate the M&A process. Interestingly, the billboard company refused to let me run my original headline "KILL BILL" because they said it somehow put out a "hit" on Bill Gates. That's okay. The semiotic of copying the movie poster look-and-feel did its job, and we had thousands of Web hits from all over the world. Notice that beneath the headline, "Craig" is already crossed out, since Oracle had acquired PeopleSoft and booted their CEO Craig Conway. Marc Benioff of is still in play (and one of my Cyber Privateer Fantasy League team members). And Larry Ellison is currently beating SAP like the proverbial gong, with Henning Kagermann long gong…er…I mean long gone. I also created a Wall Street Journal ad for IntraLinks that showed their virtual monopoly of virtual deal room technology:

    I just assumed the NASDAQ Director's Desk offered some class-A document security, since insider training is such a serious threat to the integrity of public markets (see today's WSJ). Given the SEC's ability to trace major trading activity prior to public disclosure, it should be a fairly simple matter to determine whether or not foreign governments and/or their agents have made use of the NASDAQ penetration data to "make a killing."

    So I extend this challenge to ace WSJ reporter Devlin Barrett, who broke the original story: Did anybody use their confidential knowledge of NASDAQ Director's Desk documents to gain an unfair advantage in our public markets? Forget asking the Justice Department. Forget asking NASDAQ. Just ask your contacts within the bowels of the SEC. They routinely collect this kind of data. Hey, there could be a Pulitzer in it for you. Or a Russian hit squad looking to put your head on a stick?

    Monday, February 7, 2011

    Virus Report Card: Stuxnet and Zeus/SpyEye

    [NOTE: This article was updated on February  13, 2014 — yegads, nearly three years later — and can be seen by clicking here. There is still valuable stuff below, but I've added the Mask/Careto virus in the new matrix.]

    Computerworld's report on next-generation banking malware has links to Zeus and SpyEye screen shots of the command and control dashboards used by criminals to hit banks. These links, combined with information reported on the Stuxnet virus, give me enough information to extrapolate these virus tools against the template of The Perfect Virus. There are still attributes for which I don't yet have answers, but I throw my current assessment out there in hopes "someone who knows" might help me flesh out The Virus Report Card. Here's my understanding of these virus delivery systems as of today:

    As more viruses are publicly identified and quantified, I'll expand the above chart to include them. And I simply can't wait to see how the Russians (?) broke into the NASDAQ Director's Desk to spy on confidential information shared between leaders of publicly held companies. I advise NASDAQ not to wait for the Feds to do too little, too late. My comment on the WSJ site:
    Access to confidential information shared between corporate executives would give a phenomenal advantage to traders in upcoming M&A transactions between public companies. Even if this wasn't the trading system itself, the damage to the integrity of the system cannot be underestimated. Again, I urge NASDAQ to put a bounty on the heads of the attackers and get serious about kneecapping them. Don't wait for the Feds to do too little too late. You guys own this one. Make it happen. The Morgan Doctrine
    In the meantime, if any of my readers have information to update the above chart, or if you have links to other virus technology, please drop me a line.

    Update: Principle #21, Institutional Memory, was updated to a "partial" for Stuxnet in my Valentine's Day post.

    Update: Principle #22, Defense, was update to a "partial" for Zeus/SpyEye on Wednesday, March 9, 2011.

    Major update on Wednesday, May 11th, with the release of the Zeus source code. Zeus/SpyEye is looking pretty formidable, since it could just as easily be provisioned to do many other nefarious jobs than just cracking bank accounts. I also used this occasion to update the Stuxnet part of the matrix, based upon now-publicly available information. Net net: While Stuxnet and Zeus/SpyEye don't rise anywhere close to The Perfect Virus in capability or lethality, they're certainly emerging as a clear and present danger.

    Duqu was added to the report card on Friday, October 28, 2011.

    Saturday, February 5, 2011

    NASDAQ penetrated. Feds clueless? Dear John:

    Dear John:

    (That's John Markese, chairman of the NASDAQ OMX Group, Inc. board of directors audit committee),

    Last night's online WSJ carried a story, "Hackers Penetrate Nasdaq Computers." I've got to hand it to Devlin Barrett, the story's author. He absolutely nailed the salient issue in his first sentence:
    Hackers have repeatedly penetrated the computer network of the company that runs the Nasdaq Stock Market during the past year, and federal investigators are trying to identify the perpetrators and their purpose, according to people familiar with the matter.
    Good stinking grief, John! Repeatedly penetrated? During the past year? And the real knee slapper: "…federal investigators are trying to identify the perpetrators and their purpose…" In the immortal lyrics of Aerosmith, "Kiss off the devil and [honk] off a saint!" In my Monday post from National Defense Magazine, I contended that the Navy's being short of tools to detect and nab cyber-intruders built my case for authorizing legally bonded cyber privateers. But that story absolutely pales next to the NASDAQ story. The feds have been trying to figure this out for the past year? Last night in my comment on the WSJ site, I suggested:
    If I were head of NASDAQ security, I'd put a bounty on the culprits. And law enforcement should give the cyber privateer "bounty hunters" a get-out-of-jail-free card.
    One reader, Frank Blank, replied, "That's actually a good idea." And William Clark asked, "Curious about how that would work. Would the NASDAQ release log data to a group of qualified bounty hunters and then let them go to work?" I answered his question with a link to my Cyber Privateer Code and then said:
    They would get the logs and then be released for the job by a "bonding authority" and authorized by a Letter of Marque & Reprisal authorized br Article 1 Section 8 of the US Constitution. Gotta' be done right & legally.
    I then shared with him my blog on the legal precedents for cyber privateering.

    NET-NET: WE DON'T NEED BIGGER BUDGETS FOR MORE FEDERAL SLEUTHS; WE NEED TO SIC THE DOGS OF HELL ON CYBER CRIMINALS!  A few reader comments on the article correctly "grokked" that our government will use this as a rallying cry for more tax dollars to throw at the problem. At the risk of harping on the obvious, the feds can't begin to address the problem. Never could. Never will. I think I built my case in yesterday's posting. You know my solution. With all its warts, risks and flaws, I've not heard a better approach than licensed and bonded cyber privateers. Not only will it not cost the government a cent, but my cyber privateering concept could generate billions in confiscated funds for the US Treasury.

    There seems to be some real resistance to going after the bad guys' bank accounts (see my October 25th post). The profoundly misguided logic is that we shouldn't do that because this is OUR greatest vulnerability. Alas, that train has already left the station. Furthermore, NASDAQ needs to quickly get in front of this and forcefully reestablish confidence in our financial institutions. For a short time, I served on the board of directors of a public company as chairman of their audit committee. To John D. Markese, chairman of the NASDAQ OMX Group, Inc. board of directors audit committee (and who is also on the executive committee and the governance committee of the board), I suggest you better get cracking. Because no Directors and Officers (D&O)  insurance policy can possibly cover you for the potential class action liabilities from the from irate investors in our public markets. And you absolutely know your board is going to be under tremendous pressure to underestimate your liability exposure. Sir, your liability is…well…astronomical. I'd be surprised if your auditors don't run for cover on this one. Specifically, I suggest:

    1. NASDAQ must be totally forthright about the extent of the penetration. NOT to do so could be a criminal offense. Today's follow-up WSJ story talked about unidentified "malware" files. If you know it's malware, then you'd better disclose exactly what the malware did, with whom it communicated, and its complete activity history from time of installation.
    2. NASDAQ should immediately announce a $20 million bounty on the head(s) of the attackers, payable to pre-approved cyber privateers.
    3. If a rogue government (such as China) is found to be responsible, the it will be the job of the cyber privateers to loot the assets of that rogue government wherever they may be found, and then
    4. The cyber privateers should take that rogue government and its citizens off the Web until POTUS decides they have learned their lesson and gets an appropriate treaty ratified by the Senate.
    5. NASDAQ will indemnify the cyber privateer(s) against all civil and criminal consequences, and if the US Attorney General balks at the legality, then he should be replaced by someone who will go to Congress and get the necessary legal waivers.
    Does this sound draconian? Mr. Markese, it's your skin at stake here. Our financial institutions are indeed our greatest vulnerability. Unless you consider this "nuclear option" seriously, the end of the financial world could beat that Mayan 2012 doomsday calendar by a good year.

    Friday, February 4, 2011

    Hey Google, put up $1 million!

    In this year's Pwn2Own hacking challenge, Google has put up $20,000 to the first person who can crack their Chrome browser at the CanSecWest security conference March 9-11. I'd be much more impressed if these fat cats put up $1 million. Because if they had enough confidence to put up $1 million, even if only for the first day's competition, you've gotta believe that the entire marketplace would switch to Chrome en masse. Don't get me wrong. I like the sandbox approach to security (a la SafeCentral). But when the heck is someone going to have the guts to behave like…well…Larry Ellison?

    Thursday, February 3, 2011

    Government no match for individual cyber warriors

    Part of my justification for licensing and bonding cyber privateers is the assertion that tax dollars and big government programs are no match for individual initiatives. Today's New York Times story reports how about 500 hackers banded together to shut down Egyptian government Web sites. This wasn't a bunch of teenage "script monkeys" launching a Distributed Denial of Service (DDoS) attack for which they could be easily traced and prosecuted. These were real hackers using sophisticated tools in a targeted attack. No government will ever be a match for this. Not now. Not ever.

    LARRY ELLISON'S DIFFERENCE BETWEEN A JET FIGHTER AND AN ASSAULT RIFLE:  Years ago, during one of our afternoon ad-creation meetings, Larry Ellison made a point about government-funded defense efforts and tactics.  I have since expanded that discussion to include the reality of cyber war and the futility of ever-increasing federal budgets to address cyber crime and, yes, even cyber war. But thanks to Larry for the analogy:
    If you had a modern jet fighter, it might take you the better part of a year to learn to fly it, but you could kill everyone in your neighborhood in one pass. On the other hand, you could learn to use a machine gun in a few minutes, but it would take you the better part of a week to eliminate all your neighbors. Also, you would undertake the slaughter at great personal risk to yourself (Can you spell SWAT?). It takes the resources of a government to produce jet fighters and weapons of mass destruction, and that’s why those things easily fall under the realm of disarmament and the United Nations. But anybody with a machine shop can build an assault rifle, and no serious United Nations effort can or will ever be mounted to include such weapons in under the disarmament umbrella. Cyber warfare can’t possibly fall under the realm of the United Nations and disarmament—nor should it be trusted to a government-only solution—because single individuals with nothing but laptops and Internet connections can (and will) create and launch weapons of mass-cyber destruction.

    My old friend, the late Frank Herbert (Dune), wrote many science fiction novels in which advanced technology became so generally available that any single, determined individual could destroy an entire city or even planet. In many ways, his vision is becoming a reality where cyber warfare is concerned. You can see why military science fiction has had such a big influence on my cyber privateer thinking, and why Pier's Anthony's Macroscope pointed the way to my Perfect Virus principle #7, Black Box Portability.

    From another news story in today's Network world, the DoD has defined what they call an "Advanced Persistent Threat' to cyber security. In my opinion, this is just another bit of marketing justification for bigger budgets and more tax dollars to be spent "shoveling sand against the tides" of cyber reality.

    Licensed and bonded cyber privateers are the only workable solution. If ANYONE has a better one, I'd sure like to hear it.

    Wednesday, February 2, 2011

    Infecting an alien architecture, Part IV

    In my posts on infecting an alien architecture (parts I, II and III), I devoted the first to Stephen Wolfram, author of A New Kind of Science and one of the seminal geniuses of our time. I was delighted this morning to receive my daily technology bible from which referenced an article by Stephen Wolfram entitled 'Jeopardy!,' IBM, and Wolfram|Alpha. As far as IBM's Watson rises above run-of-the-mill search engines, Wolfram«Alpha towers over Watson in its vision, execution, and capability. Which is why IBM plans for Watson 2.0 include its access to Wolfram|Alpha. And which is why I made specific reference to Wolfram|Alpha in discussing creation of The Perfect Virus under principle #14: Stealth. The difference between IBM's Watson and Wolfram|Alpha is shown in Stephen's diagram of the two architectures:
    I highly recommend the complete article hyperlinked above. But net-net, and in Stephen's own words:
    …Wolfram|Alpha fully understands every answer it gives. It’s not somehow serving up pieces of statistical matches to documents it was fed. It’s actually computing its answers, based on knowledge that it has. And most of the answers it computes are completely new: they’ve never been computed or written down before.
    Simply, if I'm trying to "grok" an alien intelligence—either computational intelligence or sentient gray matter—Wolfram|Alpha is an indispensable tool (actually, Wolfram's Mathematica is equally indispensable for the harder "grokking" jobs). And for those of you who don't feel you have the time, or if the English language doesn't come easily to you, you should at least consider Stephen Wolfram's section on the Principle of Computational Equivalence as you face the daunting task of infecting an alien architecture. Because Black Box Portability (principle #7 of The Perfect Virus) is not only possible, but it may be the difference between winning or losing the next cyber war.

    As far as my future fiction writing goes, insights gained from A New Kind of Science and specifically Wolfram's section on the Principle of Computational Equivalence have combined to give me some seriously good ideas that, at their worst, will help the reader "suspend disbelief" on the topic. At their best, if I can score myself a get-out-of-jail-free card regarding attacks on my Linux server, there may be a nasty surprise just waiting for the chance to badly startle a rogue government or two.

    Tuesday, February 1, 2011

    To Russia with love

    Dear Babushka Buddies in Russia:

    Wow, you've just passed the United Kingdom to rank #2 in readership for the last week. So I need to speak with you honestly, sincerely, and with no intention to cause insult. We're about to be well and truly screwed in the Middle East, and you cyber wizards might be the key to world rescue. As you can see from the map below, you guys more than double (see the bold colors?) UK readership:

    The top-10 sources for my audience in the last week are listed below:
    1. The United States
    2. Russia
    3. United Kingdom
    4. Malaysia
    5. Ireland
    6. India
    7. South Korea
    8. Singapore
    9. Australia
    10. France
    Sure, I've been playing with your heads a little bit by resurrecting one of the more interesting Larry Ellison quotes about Russia  (I have notebooks full of them after spending one or two afternoons a week with him for six years). But that was just playing with how to Infect an Alien Architecture (parts I, II and III), namely, your noggins. Reality is though, if Richard Clarke is correct in his book Cyber War, and if you do indeed exceed China in your cyber war capabilities, then this Moscow airport terrorist bombing really has to be a wake-up call that you're playing with fire by enabling Islamic (read that Iranian) nuclear aspirations. So to all you fledgling cyber privateers, who by the way have a lot more legal flexibility in plying your trade than we do under US law, here is my respectfully submitted net-net:
    1. Current developments in Egypt could morph the Middle East into one big jihadist terrorist state and do so almost overnight.
    2. The flow of oil from the Middle East (and definitely through the Suez Canal) could be badly disrupted (especially if you deploy and trigger data bombs like the ones you and China have secretly planted in US utilities to disrupt or catastrophically cease the oil transportation infrastructure in the Islamic world).
    3. Which means that, at $140 US per barrel, you stand to capitalize handsomely on your spectacular Siberian oil reserves.
    4. So your top priority now should be to bring Iranian nuclear programs to a screeching halt. Yes, you'll be working at cross purposes with your own government's desire to make some serious cash by supplying the Iranians, but the alternative—seeing those close to you, friends and family, obliterated by an Islamic nuke or sentenced to a painful death by a dirty bomb going off in Moscow—would not seem worth the price (We're pretty good putting dollar values on tragedy in America, which is why we sue each other so frequently and which is why we're not likely to get tort reform approved over here).
    I'd rather hoped Stuxnet was your baby and that you'd cleverly made the world think America and the Israelis conspired to impede-but-not-stop the Iranian nuclear program. But alas, the "expiration date" on the virus almost certainly points to "the US lawyers" liability-limitation mentality. 

    IF I WERE WRITING A NOVEL:  Before something really bad happens in the Moscow airport, what if you got Mr. Putin's agreement and your own get-out-of-jail-free card from him to seriously hinder or even bring Iran's nuclear program to a dead stop (double meaning intended)? And while you're at it, what if in some fictional world you practiced your craft on a bunch of Chinese attack servers that are hammering everything in sight (including my harmless little Linux sugar pot server)? The most I can legally do is occasionally ping these guys, and even then I'd better not ping them very often or I could be accused of launching a DDoS attack. 
    Legal Disclaimer: I am only considering fictional possibilities, and nothing said in this blog should be interpreted as inciting others to commit acts that are illegal under US law. So there.