Saturday, April 30, 2011

The two smartest Russians I know

I can't disagree with Richard Clarke's Cyber War assertion that the Russians are ahead of the Chinese in the cyber arms race. Notwithstanding the recent headlines about Chinese cyberthieves hitting small-to-medium-sized company bank accounts, my own anecdotal experience leads me to believe that the Russians are far more clever than either the Chinese or us Americans. My late friend, science fiction author Frank Herbert  coined the term "genetic memory" to imply the passage of actual experience from generation to generation via human cells themselves. Maybe surviving Joseph Stalin and the dark years of Communism just weeded out the unclever Russians in a kind of Darwinian supercharging. In any case, let me tell you about two VERY clever Russians.

Ilya Druzhnikov and Andre Stoica met at Stanford. Andre graduated in 1997 and was a Phi Beta Kappa. Together, they started a spectacular company called ConnectAndSell. This is where I met them. ConnectAndSell solves a most interesting marketing problem in a creative and unique way. A clever way, actually. They connect a company's sales people to a continuing stream of live conversations with the very people the company wants to sell to (hence the name, ConnectAndSell). So instead of having 1 or 2 live conversations with prospective customers every hour, ConnectAndSell customers can have 12 to 15 conversations an hour. And Ilya and his partner Andre have patents on this stuff, so nobody else in the world can knock them off. How's that for clever? [Full disclosure demands that I let you know I own stock in this company.]

Of course, Oracle's Larry Ellison has always known the Russians were damnably clever. Years ago during one of our ad-creation meetings, Larry contrasted the sophisticated electronics of the American F-15 to the get-the-job-done-cleverness of the Russian MIGs. The F-15 weapons system had an all-digital range and locking apparatus, whereas the Russian counterpart electronics were analog. The MIG display had an arrow showing the direction of the threat, and the length of the arrow denoted the distance to the target. Not sophisticated. Just clever. Which probably explains Ellison's reluctance to give Russia access to Oracle. Why give an inherently clever people a level technological playing field? And I have previously quoted Larry as saying that if Russia had Oracle, the Berlin Wall might not have fallen, because you can run one hell of a large centralized economy with Oracle technology.

So if Ilya and Andre are representative of Russian cleverness, then the Chinese had better brace themselves should cyber war break out. Because while the Chinese have been persistent in their attacks on my Linux server, my system logs of those exploits do NOT demonstrate anything approaching cleverness. They're just brute-force attempts to find username/password combinations, or to swamp my system with requests that trigger memory overflows.  The stuff from Russia, on the other hand, is downright scary in its street-wise slyness.

So best wishes to Ilya and Andre. Please put in a good word for me with your overseas buddies. And politely ask them to lay off my bank account. Thanks.

Friday, April 29, 2011

DOJ: "FBI's core cyber security…basically incompetent"

From today's IT World:
Despite its growing digital surveillance capabilities and increasing responsibility for investigating and countering cyber attacks on the U.S., the FBI's core cyber security division turns out to be basically incompetent, according to a critical report from the Dept. of Justice.
 A "redacted" version of the PDF report can be seen at this location. Given my own frustration with the FBI's responsiveness to my requests, I'm hoping the DOJ can have somebody looking closely at alternatives. They are certainly the organization under which my cyber privateers would function. It's even my contention that a 50-50 split with licensed and bonded cyber privateers could completely pay the DOJ annual budget! Well, at least for the first year. After that, the deterrent effect of actual privateers with government-backed teeth (ie, a get-out-of-jail-free card), would stop cyber crime in its tracks.

My only remaining question is, "Who will be the first government to pull the pin and start writing Letters of Marque and Reprisal?" Australia? Japan? Israel? Gosh I wish it could the the USA!

Thursday, April 28, 2011

Dear Japan, call Larry Ellison

Dear Mister Prime Minister Kan, yesterday I wrote:
"…the history of Japan in 2011 may well look like a series of biblical plagues."
You deserve the best I can come up with, which means you deserve advice from my first Cyber Privateer Fantasy League nominee Larry Ellison. I'm going to tell you some things you probably don't know about him and which I think qualify him as a trusted advisor in your current "perfect storm" of history:

  1. Larry not only understands your culture, but he has fully embraced it. From the name of his previous racing yachts to the Buddhist shrine in his office, he is the embodiment of your Samurai genetic memory.
  2. In the news today, Associated Press announced that Sony is going to get hit with a class-action lawsuit over the PSN hacking. In my humble opinion, the [insert your own adjective(s) here; my personal favorites have to do with inter-species reproduction] attorneys who joust for the title "King of Torts" need the Ellison treatment. Just before Oracle was to file for their IPO, a Canadian customer sued for fraud and even talked R.I.C.O. grounds. Larry had no choice but to disclose this suit in his red herring document, and it galled him. So he really did something about it. He countersued and won, eventually owing all the assets of the firm that sued him. Then he sued the Canadian law firm that represented the plaintiff for malpractice. And won. And drove them out of business. He then went after the California law correspondent law firm for malpractice. You get the idea. 
  3. Larry is the kind of a guy we took along with us in college to crash fraternity parties. While our fearless reconnaissance soldier walked into the Phi Delta Theta party (Phi Delts were the jocks at my campus, physically formidable but not exactly the sharpest tools in the box), the rest of us Betas were standing out front and singing (to the Battle Hymn of the Republic melody), "Phi Delta Theta we are … on your lawn, Phi Delta Theta we are … on your lawn …" Okay, the Betas were the party animals, maybe one academic step about the Animal House indies. While these American idioms probably don't mean much to you, you need do do a "Vulcan mind meld" with Larry Ellison at your earliest convenience. This is war and you need to wage it.
  4. As I wrote when I nominated Larry as the captain of my Cyber Privateer Fantasy League team, "I once asked him if maybe we ought to run our ads through legal for an opinion. He snorted, 'Nothing doing. I've got a litigation department; let 'em litigate!'" This brings me to my you-should-consider-authorizing-cyber-privateers-to-go-raid-the-criminals-who-raided-Sony point. You don't worry about international law. You go make it. President James Monroe articulated The Monroe Doctrine. You should articulate an equivalent of The Morgan Doctrine. Give the world time to mull it. Give the criminals a chance to "come clean" before you hold them fully accountable, along with their host government. 
  5. Even  as a young pre-billionaire, Larry fearlessly took on the U.S.S.R. with statements like, "The only way the ORACLE RDBMS will ever be delivered to Russia is in the nuclear warhead of an ICBM." How's that for guts?
  6. Finally, Larry owes you. Back in the early 90s you saved his company for him. I believe he would honor a request from you for advice. A lot of people thought I was joking when I suggested he should run for President of the U.S. I wasn't joking. When things start hitting the fan, Larry is one of the few people I'd trust to wage…war.
In short, some brilliant people from Tesla Motors have successfully dubbed their CEO and founder as the real-life inspiration for Iron Man's fictional Tony Stark. Balderdash! Larry Ellison is the real-life Tony Stark, which is why he rated the cameo appearance in the last movie. You need Larry, and Larry could use the challenge of helping you.

The dog pile from [again, insert your own adjective(s) here] attorneys needs to be turned upside down. Sony needs air cover in this lawsuit. And they need a nod from you, Mister Prime Minister, to win the suit and then hold the American law firm accountable for their behavior. That's my two-cents worth.


Wednesday, April 27, 2011

Japan, I have a solution for you and Sony

Dear Mister Prime Minister Kan, the history of Japan in 2011 may well look like a series of biblical plagues. Not only has the tragedy of your natural disasters been compounded by financial crisis, but your flagship electronics giant has been stopped cold by cyber criminal activity. I refer of course to the 70-plus million Sony PSN customers who may be under attack by data thieves. With respect, I believe you could invoke your "Samurai DNA" (my old friend, the late science fiction author Frank Herbert calls it genetic memory) and turn a tremendous liability into a transcending asset. This could be done by issuing Letters of Marque and Reprisal to a few trusted "Samurai Cyber Privateers" and publicly indemnifying all Sony PSN customers against criminal loss. By applying my Cyber Privateer Code to the perpetrators, and by splitting the resultant spoils 50-50 with them, you could benefit from a substantial (and badly needed) capital infusion. This is especially true if you discover that the Sony data piracy was the sponsored by a foreign government, since your cyber privateers could also confiscate the accessible assets of that host government. In which case they could leave an equivalent of the following notification (per paragraph 5) of the Cyber Privateer Code:
And see tomorrow's post for one more action item: You should call Larry Ellison!

Sincerely yours.

Tuesday, April 26, 2011

Washington still doesn't "get" cyber war

Today's story (What we learned from Stuxnet) begins:
If there's a lesson to be learned from last year's Stuxnet worm, it's that the private sector needs to be able to respond quickly to cyber-emergencies, the head of the U.S. Department of Homeland Security said Monday.
 My net-net assessment is that current cyber law makes it impossible for the private sector to "respond quickly," because:

  1. The response needs to be in milliseconds and not hours or days, which means
  2. The response needs to be automated, and
  3. The response needs to be based on a publicly stated doctrine that unambiguously spells out a counter-attack doctrine, which means
  4. Current cyber law must be dramatically changed to allow counter-attack measures.
In other words, the private sector needs a get-out-of-jail-free card if certain cyber attack scenarios unfold. The only workable solution I've been able to come up with is…yeah, I'm a broken record. Got a better idea? Let me hear it!

Monday, April 25, 2011

Wardriving, the new easy entry career

If I were writing an ad for someone offering better security practices, I'd use the headline:
Got WEP Wi-Fi? Then you're toast.
Want to see how easy it is to hack into a Wi-Fi system that uses WEP security keys? Just go to YouTube and search. You'll soon find a crackling-voiced and probably pimple-faced adolescent showing you how to do it in just a few minutes (sorry, I'm not going to do your homework for you). Then charge up the battery on your laptop and go driving around neighborhoods populated with luxury homes. Pretty soon you'll be accessing some really rich people's banking and credit files. And if you're lucky enough to find a mansion with a few newspapers lying on the driveway (indicating the target is on vacation), you can probably write yourself a nice check from their online bank account (hint: their passwords are sitting unencrypted in their address book under the name of their bank).

Most of the currently reported wardriving exploits go after larger retail establishments through their Wi-Fi systems (see today's news story), since today's cyber criminals are going after quantity, not quality. Why risk getting caught in a sting directed at larger criminal organizations (law enforcement would rather go after lower hanging fruit than the one-off targeted thief), when you can have a nice little boutique thievery operation that flies below The Man's radar?

Yes, my solution will sound like a broken record:
Licensed and bonded cyber privateers could sell insurance policies to the private banking operations of larger institutions, who could in turn indemnify their best (rich guys) clients. And those banking operations could act as their own bonding authority, thereby streamlining the approval processes.
I defy you to come up with a better, more efficient, and highly deterrent approach.

Saturday, April 23, 2011

Defense CIO wants to emulate…Sony and Amazon?

Let me get this straight. The Defense Department of CIO wants to move her $33 billion IT operation to the cloud and to mobile devices? The reason I ask this question is the double whammy this week of two major cloud players—Sony and Amazon—getting publicly embarrassed by outages. Today, Sony has finally admitted their PlayStation Network was "affected" by external attackers. Amazon's "cloud burst" is currently being billed as a runaway replication problem (wink, wink). Let's hope that somebody in the DoD CIO's office knows something about cloud security. My own best advice is to suggest they consult with the inventor of the cloud (and a member of my Cyber Privateer Fantasy League team)'s visionary founder Marc Benioff. He's managed to keep the SFDC "death star" up and running, doing mission-critical stuff, very reliably. Sure, they've had minor hiccups (like in 2009 or in 2010). And only 28 minutes of outage in 2011 is laudable. But compared to Sony and Amazon, sheesh, it's but a single drop of rain compared to hurricane Katrina. So my advice to DoD's Teri Takai: Have lunch with Marc Benioff.

Friday, April 22, 2011

A nod to Frank Herbert and Earth Day

I've previously posted on the importance of science fiction, military and otherwise, on my formative processes. One of the biggest influences in my life was the late Frank Herbert, whose Dune novels and characterization of the planet as a living organism, strongly influenced the formation of Earth Day. Since Frank talked me into running for Congress back in 1978 (I even carried his district although losing the race), I've been pondering that friendship on this Earth Day. After all, we are the sum total of all the cumulative experiences and friendships, as well even as Frank's concept of "genetic memory" constructs. It's my own personal belief that our planet is a living, conscious entity. Here's to you Frank.

Impossible to underestimate IQ of Congress

Just the day after I review my friend Charlie Engar's new novel about "…jihadists, insane Russians, expansionist Chinese, and venal U.S. politicians…" the latest headline confirms the "venal U.S. politician" part. ZDNet reports that Congressman Ed Markey (D-Mass) sent Steve Jobs a letter demanding answers to iPhone location-tracking database functionality. Too bad Vin Diesel probably won't do a reprise of his role in the movie XXX and steal Ed Markey's car and drive it off a bridge while singing "An ass is an ass unless of course that ass is Mister Ed…Markey, that is…" I can't Google up a single instance where the good Massachusetts Democrat has expressed the least curiosity about Russian and Chinese cyber attacks on the U. S. infrastructure, let alone their daily attacks on my own Linux server. The congressman does have a record of holding corporations' feet to the fire over privacy issues, but his electronic footprint is nonexistent when it comes to foreign attacks on our IT infrastructure. Oh well.

Thursday, April 21, 2011

Novel by former FBI agent Charlie Engar

Two days ago, I received, hot off the press, a novel by my good friend Charlie Engar. Titled Eat, Drink and Be Merry (click on the book title to go to the ordering site), this action thriller has the usual villans: jihadists, insane Russians, expansionist Chinese, and venal U.S. politicians. But most unique and valuable is the FBI/CIA/bureaucratic organizational insight offered by the former FBI agent author. Back in 1976, Charlie Engar was the first man to get to the bodies of the FBI agents murdered by Leonard Peltier (and at least seventeen other people) on the Pine Ridge Indian Reservation in South Dakota. Charlie got the plumb assignment to play human target (ie; draw fire) and scout the scene to determine if the site was safe for the other agents in the area. Once you understand just who this author really is, his "voice" in the novel has that incredible ring of authenticity. The career-law-enforcement-professional-versus-the-jackass-politician interplay alone is worth the price of the book. And amazingly, the global forces at work are right out of today's headlines. Which is amazing, since Charlie started the his novel 12 years ago.

If ED&BM (my acronym for the book title) has a flaw, it's only in the first twelve chapters, where the first-time author relies on too much exposition and too little dialogue. But twelve out of ninety-five chapters is forgivable, especially since the final eighty-three chapters blast forward like an out-of-control freight train. I couldn't put the book down, literally. I had to get up for a volunteer assignment at 4:15 AM this morning, yet I read until almost midnight so I could finish it last night. Now I badly need a nappy-poo.

I don't want to spoil the plot development or resolution, but let me assure you that ED&BM is a worst-case scenario of today's global dynamic. This shouldn't have surprised me, given my longstanding friendship with the author. We started riding bicycles together back in 1995, and I've put between 4,000 and 7,000 miles a year on the bike since then, thousands of them riding with Charlie. You get to know a guy pretty well as you race up and down Utah mountains, trying to psych each other out and win the race to the next highway sign or to the summit of a hill. It is the nature of Charlie, this former FBI agent—who always drew the short straw to become target practice for the bad guys—to anticipate the worst possible situation and yet not shirk from facing it head on. I've written elsewhere that someone dies at the end of a "chick flick," whereas people die throughout a "guy flick." This is definitely the "guy flick" genre. In spades.

Chuck got to know me pretty well, too, given the note he wrote on the title page of my copy:  "To my riding buddy Rick—the inspiration for the main character." Yeah, his main character is Senator Rick Benson (pretty close to Rick Bennett, eh?). No wonder I like Senator Rick so much. He acts like I would on this roller coaster ride of a novel. I recommend it highly.

Wednesday, April 20, 2011

Cyber privateer response to Oak Ridge attackers?

Today's story on how Top-secret US lab infiltrated by spear phishers—again—as a result of a successful phishing attack and subsequent installation of data-stealing malware—suggests a scenario by means of which I can demonstrate how my fictional cyber privateering organization, Destroying Angel, would function. Let us assume:
  1. The Oak Ridge penetration was the result of government-sponsored espionage (see one my first posts about Russia and China).
  2. The espionage contractor to that government is a major commercial entity (ie, China's Huawei).
Pursuant to Paragraph 5 of The Cyber Privateer Code, the following is my video of an "unambiguous notification" that would be magically appear (ie, using The Perfect Virus that's part of the cyber privateering toolkit) on every computer or workstation in the espionage contractor's network, on all executive branch computers and workstations of the sponsoring government, and which would be sent NON-VIRALLY as a release to major news organizations:

If only, eh?

Tuesday, April 19, 2011

Iran accuses Siemens of helping with Stuxnet

Iran sure is slow on the draw! They didn't get around to accusing Siemens of complicity in the creation of Stuxnet until yesterday. On December 6, 2011 I wrote:
I BELIEVE THE STUXNET VIRUS was created by a lone male individual who is at least 60 years old and is working for British Intelligence, supported by U.S., German and Israeli intelligence.
Sorry Iran, but you can bet your cherished goat that Siemens wouldn't have aided the effort without a get-out-of-jail-free card from the German government. My supposition about British involvement still needs to bear fruit, and I'm not sure that piece of the puzzle will ever become public. Because the Brits truly know how to keep secrets. As opposed to certain notoriously self-promoting American and Israeli w├╝nderkinder who are likely putting Stuxnet on their resumes.

Monday, April 18, 2011

U.A.E. snoops email? Huawei more transparent?

Interesting WSJ story today (p. B3) on the United Arab Emirates curbs on secure email. While they "didn't give a reason for [the] decision," it seems obvious that all Middle Eastern unsecured email is being read by increasingly nervous governments.

On the same page as the above story in today's WSJ, Chinese Huawei "…for the first time—provided a list of its board members…" The WSJ also pointed out that founder and CEO Ren Zhengfei has "never granted an interview with international media." How dare we be suspicious of this company's "close ties to the Chinese government…?" Announcing the names of their board is a far cry from transparency. Paraphrasing a line from the movie Top Gun, "I'm not getting that loving feeling, yet."

On April 5th I opined that Huawei had made a "smart move" in their partnership with Symantec. I did not mean to imply that they didn't have a long way to go.

Saturday, April 16, 2011

Readership analytics show dramatic changes

There has been a dramatic change in readership over the last 30 days. Not only has Russia spiked substantially, but China almost made the top-10 list.  Here is the map, followed by the top-10 list:
Readership by frequency is:

  1. United States
  2. Germany
  3. United Kingdom
  4. France
  5. Russia
  6. India
  7. Canada
  8. Brazil
  9. Iran
  10. Malaysia
Interestingly, China is #11. Quite a jump from nearly zero a month ago. So what's happening? First, the FBI and Microsoft shutting down two botnets has probably gotten significant Russian attention. And my (hopefully) constructive suggestions to China and Russia may have percolated up the cyber consciousness of those respective countries. The Iranian interest scares me a little bit, as they could play a part in some particularly scary scenarios. Brazil is also a question mark? I need to become more informed on that dynamic. Any email to enlighten me would be appreciated.

Friday, April 15, 2011

End of the criminal botnet?

With Wednesday's Register story about the U.S. government seizure a criminal organization's IP addresses to shut down the Coreflood botnet (2.3 million infected computers, 1.8 million of them in the U.S.), the question arises: "Is this the end of the criminal botnet?"

My answer:  "Definitely not." The cyber criminals of the world will just come up with better command-and-control mechanisms. Besides, Coreflood has been around since 2002. Which means it's taken our geniuses almost 10 years to take this action. In contrast, a savvy group of cyber privateers could probably have done this in 10 days, not to mention looting some very big criminal and rogue government bank accounts in the process.

So which scenario appeals more? Inconveniencing the bad guys like the feds have just done? Or costing them more money and freedom than they could ever imagine by having a licensed and bonded cyber privateering organization levy a vastly disproportionate response against them and the governments that protect them? Take a peek at the Cyber Privateer code (here or printed out on the website), and then make a decision. After which you may want to send a note to your favorite D.C. political representative.

Thursday, April 14, 2011

Terrorist hunting: Dear Sony Entertainment, Part II

In my January 11th post on how to recruit cyber privateers through online gaming, I did not consider the obvious flip side of the coin: Terrorists (cyber and otherwise) can use the peer-to-peer voice and message capabilities of existing online games to communicate under the radar of DHS, the CIA, the NSA, and the FBI. Today's Computerworld story goes into "the dark side" in some detail. Which leads me to again make the recommendation to Sony Entertainment that you might want to ever-so-slightly change your online user agreements to permit mining of terrorist-like gaming/messaging behavior. And then you can award some cyber-crime/terrorist bounty hunters with get-out-of-jail-free cards so they can do some serious skulking. What think ye?

Wednesday, April 13, 2011

Russian drug scam didn't stay down for long

Looks like the Russian drug-scam botnet didn't stay down long. The subsequent disclosures that Microsoft and the U.S. Marshals hit the command-and-control system had me hoping that "the best and the brightest" had a little more firepower in their arsenal. Alas, I got an email today for "Online Pharmacy" that linked to (you probably shouldn't go to these links unless you have a bullet-proof/sandboxed browser or use a security product like that of safecentral.com which (after asking me to "click here if I'm a human") passed me through to health-drug/ru. I naturally dropped a note to the domain contact telling him his URL was being used by spammers. Sure, that was a waste of time. About as futile as reporting the spam to the FBI or, evidently, to the geniuses at Microsoft whose 815,000+ infected computers are once again cranking out spam.

Too bad some cyber privateering organization hasn't been given a get-out-of-jail-free card. I'll bet they could take these guys down for good. Come on, Microsoft; put a bounty on the bad guys!

Tuesday, April 12, 2011

Dear Senator Whitehouse: Consider this!

Today's Computerworld story headline reads, "U.S. needs cyber-emergency response, lawmaker says." Regretfully, Rhode Island Senator Sheldon Whitehouse seems to have what I call the "Andy Hardy mentality" about solutions. Those of you who are really old might remember the old Mickey Rooney and Judy Garland Andy Hardy movies. They all had the same plot. Whatever the problem, the solution was, "Let's put on a show." In the case of Senator Whitehouse, his solution appears to be, "Let's hire a bunch of smart people, paid for with tax dollars."

Respectfully Senator Whitehouse, how about turning loose a bunch of capitalist cyber privateers who will split their loot fifty-fifty with the U.S. treasury? How about setting up a bonding authority who will enforce the Cyber Privateer Code? How about explicitly stating a nanosecond-response doctrine that will truly strike fear into cyber criminals and rogue governments alike? I call that framework The Morgan Doctrine.

Monday, April 11, 2011 is now operational

Announcing: is now operational. Naturally, the first item to go up is…The Cyber Privateer Code. Strategic proposals from governments and bona fide  organizations are invited (sorry, but no inquiries from HotMail, MSN, Yahoo or GMail accounts will be considered).

Saturday, April 9, 2011

Cyber privateering could save political careers

Item #2 of the Cyber Privateer Code should resonate with both Republicans and Democrats in today's tight-money/deficit-spending environment. Especially this morning, after last night's political shenanigans. It reads:
If it is determined that the attacker is acting under explicit instructions from a larger organization or government, the assets of that organization or government are also forfeit to the extent that an authorized cyber privateer may confiscate them within a six month period of the original motivating attack. All assets.
In other words, after the United States officially proclaims "The Morgan Doctrine" and gives a date after which it will be strictly enforced by Letters of Marque and Reprisal to licensed and bonded cyber privateers, heaven help the country that allows government-sponsored cyber criminal activity. I would fully expect that within a week after the final deadline, a massively coordinated exploit—run from the dashboard (Prosumption principle #11) of The Perfect Virus by independently operating teams of industry specialists (Team Isolation principle #16) and incorporating a multi-pronged/staggeringly-lethal set of defenses (principle #22)—could make an historic contribution to deficit reduction. Even after splitting half the loot with a licensed and bonded cyber privateering enterprise (ie, the first organization to get an iron-clad get-out-of-jail-free card).

Many regard the Revolutionary War privateers as a last-ditch all-or-nothing effort. It is my contention that  cyber crime and global government misbehavior threatens to destroy us today. Furthermore, in the time between officially stating "The Morgan Doctrine" and the day on which we pull the trigger, the privateer bonding authority could be given enough PROOF to authorize each and every element of the above-mentioned privateer exploit.

So all you politicians running for cover after last night's budget compromise might regard legalized cyber privateering is a career-saving move. Really.

Friday, April 8, 2011

Israel the first cyber privateer haven?

In my November 20, 2010 post I suggested everyone may be underestimating the Mossad. I take that back. Based on Wednesday's Register article, everyone may be underestimating Israel. The headline reads:
Israel mulls creation of elite counter-cyberterrorist unit
The word "counter" in "counter-cyberterrorist" implies something that bites back. To Major General Isaac Ben-Israel, who is slotted to head up the unit, let me suggest several reasons why Israel should consider monetizing their security by splitting the loot with licensed and bonded cyber privateers:

  1. Since it's pretty difficult to differentiate between hacking, cyber crime and outright espionage, why not lump it all together and turn loose the hounds of hell?
  2. A government-issued get-out-of-jail-free card means air cover from a no-nonsense government with a world-wide reputation for getting results in spite of political correctness trends.
  3. Russia and China, the world's two biggest state sponsors of cyber crime and cyber espionage, aren't your friends anyway. So it's not like you're going to lose friends.
  4. Looting the financial assets of criminal organizations and rogue governments could substantially fund your complete cyber defense budget, even if you split the proceeds fifty-fifty with the cyber privateers.
  5. Adhering to my proposed Cyber Privateer Code could mitigate the risks of negative public opinion, since you could make parley videos a matter of public record.
  6. Issuing Israeli Letters of Marque and Reprisal could create a massive influx of smart and rich immigrants to your country (for a change).
  7. There mere existence of Israeli-sponsored cyber privateering could deter 90% of the hacking attacks your country faces. Crime is quite Darwinian, and the potential threat of a hacking miscalculation to bring total financial ruin could make "the bad guys" think twice. Should work better than lamb's blood on the door to deter the destroying angel from taking Egypt's firstborn.
  8. Finally, setting up a world-wide cyber privateer bonding authority could be a major new financial instrument. In fact, it could be the major new financial entity of this brave new millennium. 
Major General Ben-Israel, consider the possibilities. What better way to counter-attack your enemies than to loot their world-wide financial assets? And the best part is that you wouldn't have to train your cyber army. Or even fund them (they'd pay you from their successful exploits). You just have to make sure they play by the rules.

Thursday, April 7, 2011

Announcing "The Real Hack of the Century"

Monday's headline announced "Epsilon breach: hack of the century?" The question mark signals a tongue in the author's cheek, because Epsilon is by no stretch of the imagination the "hack of the century." Of course the qualification sentence in the article is much less provocative:
When it's all said and done, the Epsilon hack may be the largest name and email address breach in the history of the Internet.
In spite of the above obvious stretch to get a good headline, let me go out on a limb and announce The Real Hack of the Century:

  1. It has already happened.
  2. It has not been publicly reported, and that includes Stuxnet or any data bombs the Chinese have placed in our utility infrastructure.
  3. When it is reported, it will be a zero-day exploit and NOT an inside job.
  4. Unlike the plebeian Epsilon breach, it will NOT be discovered until after the ultimate goal of the exploit (ie, monetization or acquiescence of the target government) has been achieved.
  5. It may also earn its architect (if he's a U.S. citizen) a presidential pardon (the proverbial get-out-of-jail-free card). Getting a pardon may not be a stretch as it could be the negotiating card—the quid pro quo—the hacker uses to undo some serious damage. Kind of like Russia's letting Young Darth Vader off the hook with no jail time. Naturally, The Real Hack of the Century will make the young Russian's banking exploits equate to knocking over a child's lemonade stand. 
So print out this prediction, seal it in an envelope, and put it in your desk drawer.

Want a real superlative headline that can be backed up with cold, hard logic? Read my post asserting "The most significant legal decision of the first decade of the new millennium." Taman Shud

Wednesday, April 6, 2011

Symantec's Enrique Salem is a class act

After yesterday's post extolling the genius of Symantec's joint venture with China's Huawei, I received the following email from Symantec CEO Enrique Salem:
Hi Rick,
Thanks for the positive write up. It is a very complex political dynamic.
Given my history of frontal assaults on Symantec for BigFix, along with my unambiguous criticism of his company and the industry in general, Mr. Salem is not only a class act but an international force to be reckoned with. If the U.S. can avert a last-man-standing cyber war with China, I hope Mr. Salem can make a contribution to the process. My own best thinking is that licensed and bonded cyber privateers could accelerate his success.

Tuesday, April 5, 2011

China's Huawei makes a smart move

Today's Wall Street Journal reports, "China's Huawei Is Finalist at U.S. Cellular." The story also details several politicians who are opposed to the idea of letting Huawei into the U.S. infrastructure. I have previously opined on tactics that might help Huawei overcome the obstacles in such a way as to turn their affiliation with China and China's military into an incredible marketing asset. My comment to the WSJ story today is:

Huawei has actualy done a very smart move in partnering with Symantec to produce mid-range arrays. They might argue that a partner like Symantec would assure their honesty. That still gives them a big mountain to climb, and has risks for Symantec as well. But to their credit, these guys appear to be systematically working the problem. I have suggested that Huawei offer $1 million to anyone who can find back doors into their systems. Symantec could be the indemnifying entity. Well Symantec, the ball is in your court.
 The specific story about Symantec and Huawei partnering to produce mid-range arrays is in yesterday's Computerworld. Yes, I've been critical of Symantec's and McAfee's security technology (Good thing Symantec and McAfee don't manufacture condoms) as I created attacks for and in behalf of former client BigFix (who has since been acquired by IBM). Lots of attacks, actually.

But notwithstanding my public criticism, my Cyber Privateer Fantasy League nominee Marc Benioff ( founder) assures me that Symantec CEO Enrique Salem is a "pretty good guy." I agree that Mr. Salem is no slouch, and that his joint venture with Huawei demonstrates elements of genius. But only if he follows through to help his partner turn a flat out liability into a spectacular asset.

So Mr. Salem, as I said in my WSJ comment, "…the ball is in your court." If you want a road map for execution, I suggest New York genius Steve Coltrin and his firm, who represented Huawei in the battle they won against Cisco's accusation that Huawei stole their intellectual property.

Monday, April 4, 2011

"Momma, why is the car acting funny?"

Boy, it surely is a good thing that bad guys can't take over our brand new cars on the highway by infecting the onboard computers via an MP3 music virus. But just to be safe, we don't want to download music from anyone but iTunes, or click on banner ads from reputable vendors like Spotify. Then again…

…then again, my fellow consumers…then again…shouldn't licensed and bonded cyber privateers be considered as a deterrent to the evermore adventurous cyber criminals making today's headlines? If you have a better idea, I'd like to hear it.

Saturday, April 2, 2011

What a cyber war with China might look like

Thursday's Computerworld carried the story What a cyber war with China might look like. Specifically, the story linked to a paper written by Christopher Bronk for the U.S. Air Force's Strategic Studies Quarterly. They actually invite readers' comments be sent to them. Since my general mode of interaction with people is to leave them better than I found them, I offer some humble observations (which I will forward to the above-linked email address). I use the world "humble" because I am, after all, a novelist playing with fictional constructs. Mr. Bronk deserves acknowledgement of his serious work.

  1. In the last paragraph of page 4, a statement is begun, "While the goal is not to get bogged down on the particulars of why such a conflict would come to pass…" Wow, talk about ignoring the real global reality! The myriad possible scenarios yield as many ways such a cyber war would manifest itself. In fact, a reasonable topology of the "whys" motivating a cyber war would then yield a corresponding set of response scenarios that could not only nip cyber war in the bud but which could generate the cyber equivalent of M.A.D. (Mutually Assured Destruction) publicly stated doctrines. Like, for example, my Morgan Doctrine. The absence of such publicly stated doctrines indeed invites and makes cyber war inevitable. The novel I've just finished deals with several specific, independent, but mutually interacting scenarious in what I hope is a compelling and entertaining manner. The market will have to be the judge of that.
  2. In the first full paragraph on page 6: "But in the days running up to the war, that activity spiked enormously." In my mind, this is unlikely that China would telegraph the first moves of an all-out cyber war. That would be downright stupid. Just like Pearl Harbor, the Japanese goal was to take out the biggest part of our Pacific fleet in a surprise attack. Again on page 9: "The cyber attack had a rolling start, rather than being a bolt from the blue." Pure balderdash.
  3. Interestingly, two paragraphs later the characterization of a "…small piece of data, only 256 bytes long…" accurately describes the behavior of one of many probes possible from The Perfect Virus. Unfortunately, Mr. Bronk's paper doesn't even scratch the surface of other exploits. Perhaps it's because he didn't want to give our cyber enemies any new ideas. Unfortunately because of this constraint, this picture of cyber war is rather one dimensional.
  4. Page 8's scenario of a Chinese defector waltzing "…into the Australian consulate in Tokyo…" is entertaining, since I believe Australia will play a major role in world cyber security. Only they don't know it yet. 
  5. On page 10: "…Guam was the sole location of an electromagnetic strike by the Chinese…" In a full-blown cyber war, EMP weapons make excellent sense in multiple locations. Especially in hardened locations tuned for retaliation and defense actions at the outbreak of cyber war.
  6. Mr. Bronk's depiction of our reaction to the ways in which the Chinese wage this war is again one dimensional, probably because he doesn't have the advantage of considering the topology presented by my 22 principles of The Perfect Virus. I'm torn about expanding on this, but I'll leave that exercise to the eventual publication of my novel.
  7. On page 16 Mr. Bronk makes a compelling case for cyber privateers. He says the FBI will lead the charge "[e]nlisting the hacker community…" in the effort. I believe this is wrong minded, using coercion to recruit versus using monetization of the process to licensed and bonded entities. I hope this blog and my arguments will correct a fearful misdirection of effort. 
  8. On the next page, again Mr. Bronk builds a case for a new paradigm, since "decisions by conference" is a doomed idea. Unfortunately,  the closest convergence to my cyber privateering idea comes on page 18: "Civil defense in the cyber domain must be considered a necessity." 
  9. Finally, Mr. Bronk's paper does nothing whatsoever to deal with the specifics of our response to and strategies with which we will turn the tide and win the cyber war. In fact, it seems to assume that we will simply defend against the attacks until the enemy wears down without our mounting a withering retaliation. How can you seriously suggest that this paper is a picture of our cyber war with China? I realize you don't want to telegraph our own playbook, but this paper is definitely not a picture of any kind of cyber war. 
To the U.S. Airforce cyber defense brain trust, I beg you to distribute your brain power MIPS now and not wait until you're in the midst of a full-blown cyber war. Let's face it: Cyber war will be pretty well automated and occur in minutes and not days or weeks. The response must also be systematized and does not lend itself to a committee of men with lots of stars on their shoulders, especially if those military leaders must wait for step-by-step authorization from political leaders. And finally, we need stated doctrines that unambiguously detail our automated response to the nanosecond-by-nanosecond realities of cyber war (my point number 1 above). Not to do this pretty well guarantees a cyber Armageddon from which we will not be able to quickly rebuild.

Friday, April 1, 2011

The Perfect Virus could help the FBI

Tuesday's Network World carried the story of the FBI asking for crypto help in solving a 1999 murder. The victim, 41-year old Ricky McCormick of St. Louis, had these notes in his pocket. According to his family, the street-wise drop out had used a secret code for making notes since he was a boy, but nobody in the family ever learned his system. The notes are said to be written up to three days before his death. If you want to see a larger version of them, go to the FBI site here. Below are the notes:

Principle #7 of The Perfect Virus, BLACK BOX PORTABILITY, might well be part of the decryption answer. Unfortunately, since Ricky McCormick is dead, the presentation and ACK/NACK process to virally infect Ricky's "alien architecture" can't move forward. Nevertheless, as I develop my fictional "suspension of belief" technology scenarios, Ricky McCormick's secret code gives me some intellectual displacement activity. Along those lines, should any of my ├╝berhacker readers crack the code, I'd appreciate your cc'ing me in your correspondence with the FBI. And if my Wolfram|Alpha and/or Mathematica experiments bear fruit, I promise to post my solution in this blog (right after I send my note to the FBI, assuming the solution doesn't compromise the FBI's nabbing the murderer).

NOTE: Solved by JOSEPH from SPAIN and reported in my post of 16 November 2011.