Tuesday, May 31, 2011

WSJ: Cyber attack an "Act of War"

In one sense, today's top-of-the-fold/front-page Wall Street Journal story brings us one step closer to The Morgan Doctrine. Unfortunately, the direction taken by the Defense Department is seriously flawed in several respects:

  1. "The strategy will also state the importance of synchronizing U.S. cyber-war doctrine with that of its allies…" This least-common-denominator approach to doctrine is just plain silly. I predict the outcome will provide no real deterrent to criminal cyber adventures. Furthermore, it's irrelevant whether an attack is launched by a criminal enterprise or it is motivated by tacit approval from a foreign government who wants plausible deniability in their "test" of our defenses. We need one doctrine of overwhelming response to ANY attack.
  2. The word "equivalence" appears in the doctrine, implying "proportional response." My assertion is that the threat of overwhelming and disproportionate response is the only workable deterrence. 
  3. "Pentagon officials believe the most-sophisticated computer attacks require the resources of a government." Translated, "Our Beltway Bandit buddies need to be reassured that the big contracts will keep on sloshing their way." Pure balderdash! The whole idea of The Morgan Doctrine is to monetize cyber security so as to feed the federal till, not tap into it with the same control-from-the-top mentality that gridlocks all political processes.
In the same issue of the WSJ, Lockheed and PBS attacks illustrate the futility of centralized cyber command and control. What we truly need are licensed and bonded cyber privateers who can sell insurance policies to the likes of Lockheed, PBS and dear old Sony. Let market forces cull the cyber criminal herd.

Monday, May 30, 2011

Frank Herbert clearly foresaw our day

More than any other science fiction author, Frank Herbert has the most prescient understanding of what advanced technology means to the modern body politic. Be it his jihadist denizens of Dune, whose monopoly on the space-travel spice melange made them enemies to the rest of planetary civilization (analogous to today's oil dependency on the Middle East), or his "Tactful Saboteur" Jorj X. McKie, responsible for putting a check in the swing of a too-efficient/too-stupid government, Frank nailed our dilemma today. To us, the third-world whack job is a terrorist. To that terrorist, we're the evil empire. There'll be no happy endings here as long as we try to legitimize our right to his oil (i.e., melange spice).

Below is a 1980 photo of Frank with me in Massachusetts, just after I'd had my head handed to me in a Washington State congressional race (I won Frank's district, though) and needed to find work at Data General, where I helped Tom West roll out the MV/8000.
I'd like to have introduced Frank to Tracy Kidder, whose Soul of a New Machine made Tom famous and earned Kidder a Pulitzer. After all, a great deal of my fun in life is putting interesting people together and then becoming a "fly on the wall" during their high-bandwidth conversations. Alas, Frank's schedule was too tight for Kidder. I did manage to give three autographed copies of Frank's non-fiction computer book Without Me You're Nothing to Tom West and his team. 

So on this Memorial Day 2011, as I sit here weighing less and in far better shape than I was 31 years ago, it's only appropriate I remember departed friends and acknowledge their contribution to my world view. Just like Tom West (who died on May 19th), I suspect Frank has found definitive answers to the philosophical questions that occupied us in our many late-night conversations.

I lift a protein/banana/blueberry shake to you, Frank. Let's see if I can't motivate some cyber privateers to provide venal politicians with plausible deniability while my hearty swashbucklers save the world from cyber thieves and rogue governments.

Saturday, May 28, 2011

Utah Cyber security center, Part II

As posted on January 6th, the massive NSA cyber security center in Utah would appear to be an ideal target for an EMP or a nuke. Not good news for those of us living within a 10-mile blast radius. A few cycling buddies and I took a 45-mile bike ride today, and went right by the facility. Nevertheless, this week's headlines build a strong case for getting the cyber war center up and running quickly. What with the high-minded Russian software firm Elmsoft cracking iPhone and Blackberry security—good guys that they are, the $128 cracking kit is only available to "law enforcement, forensic and intelligence organizations and select government agencies"—we need the NSA center like yesterday. And not only are the Chinese selling counterfeit Cisco gear, but they're even getting their prison inmates into the act by forcing them (naturally the government is not into this, wink wink) to play Internet games so prison guards can accrue hard currency.

Upcoming headlines you can expect? How about jihadists getting extra-virgin-points from creative attacks on The Great Satan's infrastructure? As of this writing, www.EarnVirgins.com is available. Could be a whole new growth industry.

Friday, May 27, 2011

R.I.P. Tom West, righteous hacker, friend

Tom West, friend and genius—immortalized in Tracy Kidder's Pulitzer Prize-winning book Soul of a New Machine—died on May 19th. Tom and his team literally saved Data General back in the early 1980s by creating the MV/8000. I met Tom in 1979 after losing my race for Congress in the state of Washington. I sold my company to pay for the campaign, and needed work. Impressed with the ads I wrote and the publicity I garnered for my voice stress analyzer invention, Data General hired me to lead advertising and PR efforts for this breakthrough technology designed to go head to head with Digital Equipment Corporation's VAX. Interestingly, the marketing director with whom I worked was Ed Zander, who later became president of Sun Microsystems and then eventually CEO of Motorola. But this story is about Tom West.

West and I became immediate friends, as I was really a mathematician/engineer who got into advertising because I liked intellectual "vertical integration" (something that later endeared me to Larry Ellison). I used to roam the bat caves of Data General late at night, chatting up engineers on the real technical challenges of knocking off Digital's VAX. Actually, the best source of advertising metaphors I've seen then or thereafter was the comments put into operating system source code. Yeah, they let me look at source code.

This story has never been reported, anywhere. So enjoy yourselves:

The title of today's epistle calls Tom West a "righteous hacker friend." That's because of one of our midnight adventures back in 1980 Massachusetts (Ye gads, thirty-one years ago!). One of my shooting-the-breeze conversations with Tom concerned the MV/8000's ring security system and caching mechanism as it compared to the much less-robust VAX design. I said, "Heck, that would seem easy enough to verify and exploit. Why don't we get some time on a VAX and test this little code snippet?"

Tom's eyes lit up and he said, "I have a buddy at the [unnamed university] computer science lab. I'll bet he'd give us half an hour on their VAX at 2:00 AM sometime soon." And sure enough, Tom's friend let us pay the VAX an oh-dark-thirty visit the very next week. It only took twenty-five minutes for us to drop in the code, execute it, and verify that the VAX indeed had a gigantic hole. An architectural hole, if you will.

I contend Tom West was a "righteous hacker" because companies like DEC and Data General hadn't yet dreamed up all the contractual tricks later used by Oracle and Siebel. We didn't violate any contracts signed by DEC's university customer. We just ran some code. We probably couldn't do that today. Oracle still has a no-benchmark clause in their contracts. And Siebel used to have a you-can't-say-anything-bad-about-us clause in their agreement. Your recourse with Siebel was to get your money back, which is why Siebel could get away with their "100% customer satisfaction" advertising slogan. Unsatisfied customers were made ex-customers. Simple. Effective. Period.

To Tom West's credit, he never used this VAX flaw against them. Neither did I. Because if they fixed it, they could do a lot better on benchmarks against the MV/8000. We satisfied ourselves with the success of Data General in the marketplace. I did, however, learn the value of market momentum. Digital Equipment Corporation created a whole new Data General just from their annual earnings each year. Eventually, Data General lost the R&D war and went away. Of course, later so did Digital. I took the momentum lesson with me when I moved to Silicon Valley and started my ad agency. One of my first customers was Oracle's Larry Ellison, and you'll agree we played the momentum game in spades.

Two headlines this week caused me to reflect on Tom West and his legacy. The first story posted on May 24th reported over 400,000 email addresses were discovered on hard drives of confiscated Rustock servers. The second story came out today, reporting that 5% of all Windows PCs are infected with some kind of virus. You might be asking about now, "What does a 31-year-old VAX architectural flaw have to do with infections of Microsoft hardware today?" My answer is that Microsoft's architectural flaws today were born with the VAX. You see, a fellow named Dave Cutler was one of the software engineers on the operating system that would power the VAX 11/780. He would later lead Microsoft's development of Windows NT. And propagate the same idiotic operating system philosophy. And DECnet became TCP/IP, the biggest single hole in today's Internet architecture. There are a lot of etceteras in this chain of stupidity, and they're being exploited daily by Russian cyber criminals and China's Blue Army.

So my reflections this week are more asking, "What if?" What if Tom West's hardware and software genius had made today's PCs and operating systems more MV/8000-like than VAX-like? What if the BEST architecture had won, rather than the one with the overwhelming market momentum? Fighting the mini-computer wars of the 1970s was a lot like religion, and the PDP-11 instruction set was just a lot more elegant than Data General's. Data General didn't find 32-bit religion until it was too late. Kind of like the religious council held at Nicaea in 325 A.D. The victors didn't prevail because they were right, but because they had swords at everyone's throats.

Today's world conflicts are nothing more than the same religious wars that have been going on for thousands of years. Today's computer security hiccups are the result of bad ideas prevailing over good ones.

Rest in peace, Tom. While we're still fighting the cyber wars, a lot of your religious questions have probably been answered by now.

Thursday, May 26, 2011

My head cyber privateer now bulletproofing Amazon cloud

Given that Amazon's EC2 cloud was used to hack Sony PSN, the headline that Amazon is now using Oracle for cloud database services signals to me that Amazon is saying to hackers, "Hey, you, get off of my cloud!" Of course the leader of my Cyber Privateer Fantasy League team is the logical go-to mogul for Amazon. I predict there will be more to this story. SQL-injection attacks are one thing with MySQL, but quite another with Oracle. Stay tuned for the further exploits of Larry Ellison.

Wednesday, May 25, 2011

Obama + Netanyahu = The Morgan Doctrine

President Obama laid the basis for a rational cyber doctrine last week. Israeli Prime Minister Benjamin Netanyahu's address to a joint session of the U.S. Congress yesterday was unambiguous in articulating Israeli defense priorities. Given that Israel has just as much right to state the same cyber defense strategy as did President Obama for the United States, and given the far less "diplomatic-speak" tone of Mr. Netanyahu, I renew my suggestions (April 8th and before that on November 20, 2010) that it makes a whole lot of sense that Israel become the first cyber privateer world power. First-mover advantages would be staggering.

See update based upon WSJ story of May 31, 2011.

Tuesday, May 24, 2011

Hiding your virus in plain sight

I used Google previously to deduce that the Sony PSN debacle probably wasn't initiated by Anonymous. I'll reprise my assertion that "Google makes us all geniuses" in a little different way, by sharing an observation I penned on that great and terrible day of global destruction predicted for May 21, 2011. I'll then relate my experience to principle #14 of The Perfect Virus, Stealth:

The World Ended on May 21, 2011 
I joined about a dozen biking buddies to spend the supposed last day of Planet Earth (May 21st at 4:00 PM our time, according to a self-proclaimed New York prophet of doom) riding 105 miles, from the Salt Lake Fairgrounds up to and around Antelope Island and then back to the Fairgrounds. It was a beautiful day, and we all achieved record average speeds. 
About 62 miles into the ride, as we returned across the causeway after a jaunt around Antelope Island, we formed a tight train of drafting riders, tucked like migratory birds in the vortex of three strong riders who took turns leading the silent pack. They expended 30% more energy than the rest of us, who tucked into their slipstream about 10 inches behind the rider in front of us. Even into that headwind, we averaged over 23 miles per hour across the causeway, the only sound coming from well-oiled chains swooshing around the teeth of the big front chain rings. The sun beamed gently, moderated by the cool breeze across the calm waters of the Great Salt Lake. A glorious day, if indeed it were to be our last on Earth.
In one split second, we passed a sight that melted my heart. A brightly colored bird stood just a foot off the road, chirping to a grayish-brown bird at its feet. Undeterred by proximity to the tornado blasting so close, the burgundy striped bird seemed intent only on reviving its unconscious mate. With only inches between my front wheel and the rear tire of the rider ahead of me, I dared not look back at the scene, lest I overlap wheels with the rider ahead of me and cause a rather bad crash (five previously broken collar bones—one of which required major surgery, a titanium plate, and eleven screws for a year—taught me this lesson the hard way). But I remember the sound of the bird. Was it scolding, mourning, or praying? I can’t tell you. And I can’t tell you what caused the fallen bird’s death, whether it hit a car crossing the seven-mile bridge or whether a cyclist brought it down. Yet that bird’s cry stays with me. 
I Googled “birds of the Great Salt Lake” and then went to links where I could hear their sounds. And yes, some devoted ornithologist had indeed captured the call. My beautiful burgundy striped mourner was a female called a Wilson’s Phalarope. Unlike other breeds, the female is the more brightly colored. The downed bird, dark headed with grayish-brown body and a touch of chestnut on the upper breast, was her male mate. The females not only court but defend their mates and fight off other females. 
Clearly, this female was not intimidated by close proximity to us passing humans. And while she could defend her mate against predators as well as other females, she could not defend against death. On March 21, 2011, the world ended for one of Wilson’s Phalaropes. But a loving God certainly took note of this passing. And humbly, so do I. 

Okay, what does this have to do with the stealth principle? Those bird calls I Googled, just like JPG or PDF images, can let a virus hide in plain sight. Roach the reader/display/audio mechanism, and you can do zero-day infections until the…crows?…fly home. Which probably explains why Adobe is such a juicy target for hackers. Because if you can get into their source-code-management system and install the right back-door code—which you can trigger with an image file that gives "going viral" a whole new meaning—then you can own the world.

While Adobe has to issue patch after patch after patch to plug security holes, I suggest that all our video CODECS and streaming audio utilities ought to face some serious Holy-Moses-Martha,-what-the-heck-happened-to-our-car-when-you-put-in-that-song? scrutiny. Maybe even all that public-domain freeware to decompress files or view images isn't so benign after all.

Have a nice day and enjoy your iTunes on your new Ford's Microsoft-embedded control system.

Monday, May 23, 2011

Qakbot invasion undeterred since mid-2009

As reported in Friday's Register, the Qakbot worm can invade PCs and cleverly extend online banking sessions to loot the accounts. A detailed Symantec report on Qakbot shows a map of worldwide infections as well as an in-depth discussion of how it operates. The purpose of this post is not to regurgitate these reports, but to simply point out that no real deterrent to this criminal behavior exists. Licensed and bonded cyber privateers would put a check in the swing of anyone considering a life of cyber crime. And looking at the map of Qakbot global penetration, I suspect that the thieves are operating under the protection of at least one rogue government. Which would make the assets of that government fair game for retaliatory cyber privateer looting (see my Cyber Privateer Code). In my fantasy life, as the architect of The Morgan Doctrine, I'd love to do a Tony Stark victory lap during a Senate hearing and exclaim:
"Ladies and gentlemen, I have successfully privatized international cyber security!"

Saturday, May 21, 2011

Baldacci fiction mimics the real ThinThread

Interestingly this week, the story of Thomas Drake's super-secret ThinThread Internet aggregation technology came out simultaneously with my finishing David Baldacci's 21st novel The Sixth Man. The full ThinThread story is well reported in the extensive 10-page New Yorker Magazine article by Jane Mayer. Baldacci's fiction is eerily similar to the actual ThinThread technology.

ThinThread can allegedly aggregate worldwide Internet traffic and find patterns of nefarious activity. It got killed not only because of supposedly illegal spying on U.S. citizens—Drake, who is under criminal indictment for breaking numerous secrecy laws, says that reading email from U.S. citizens could easily have been filtered out of the processes—but ThinThread was too cheap to sufficiently line the palms of all the "Beltway Bandits" who want big projects paid for by U.S. tax dollars. Baldacci's fictional E-Program relied on one super-intelligent individual to aggregate data feeds from every single intelligence agency. It was also too cheap and too effective for the competing D.C. power bases. Baldacci's super-intelligent individual was a savant without the idiot adjective preceding it. To help us suspend our disbelief of such super intellect, Baldacci's character can not only memorize the license plate numbers of every car they pass in a multiple-hour drive on the freeway, but he can describe each individual in those cars and total each state represented by the license plates. The key to his value, though, is that he can absorb everything he sees—forever—and then isolate patterns from vastly unrelated data to infer unfolding events. Basically, ThinThread with skin and eyeballs.

The Sixth Man is a great read, worthy of Baldacci. And the ThinThread investigative journalism piece might garner Jane Mayer a prize or two were it not for the fact that she can achieve no corroboration from anyone in the intelligence community. Is the ThinThread story accurate in what it reveals about the workings of the intelligence community? The answer is a possible "Yes," given what I've observed with H3 nano-ionic resonance technology and its lack of adoption by the intelligence community. The H3 is just too cheap to make much money for the mega-billion dollar suppliers to the federal government. On the other hand, ThinThread may have been scrapped because we have something much better.

Golly Miss Molly, I hope it's the second scenario.

Friday, May 20, 2011

Obama moves toward The Morgan Doctrine

You know, President Obama almost got it right in his declaration this week:
"When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country."
What we're missing is the solid articulation of consequences that began The Morgan Doctrine dialogue in the first place:
"…any foreign cyber attack on US-based computers is an act of war, and retaliation (ie, looting) may take place on the perpetrator of that attack, wherever he/she/it may be located."
Notwithstanding the diplomatic mushiness of the president's statement, I view this as a solid step forward in building a competent cyber security national policy. Because there must be a publicly articulated policy before the rest of the deterrent force can be put into effect.

Maybe we're not going to be playing defense-only games after all.

Thursday, May 19, 2011

Projected Larry Ellison opinion on Microsoft+Skype

I've had a week or so to mull the Microsoft acquisition of Skype. Then out of the blue David Bryce, a BYU professor acquaintance of mine who'd just written an article for the Harvard Business Review, asked me my opinion on the acquisition. I figured he needed an unpolluted opinion, so I sent him the following before reading his HBR article:
Microsoft has entered the Novell-state-of-continuous-decline, and Skype is technologically bankrupt and only worth the acquisition for their customer base. Larry Ellison (Oracle) once said of CA's acquisition of Ingres and ASK, "Well, every ecosystem needs a bottom feeder." Alas, Microsoft has become a bottom feeder. Of course, with their existing base of zombies, they can do a perfect job of ratcheting down for another generation, just like Novell has done. I've been using Internet telephony for a decade, and the top of the technology heap is a company called 8-by-8 (formerly Packet8). Given Skype's enormous security holes, they're a perfect partner for Microsoft (still the number-one target for cyber criminals). Microsoft's security problems are architectural, as are Skype's. Which may well demonstrate the adage, "The bigger they are, the harder they fall." That said, as a stockholder, I'd applaud the acquisition (just as Bill Gates has done), because it will buy the poor devils some time.
Even in yesterday's news story (1 in 14 downloads have Microsoft-targeted malware attached), Microsoft is the number one target for cyber criminals and rogue governments. Add to that Skype's stellar security record, and you have that metaphorical bull's eye just waiting for mischief. Hop into your time machine and visit Novell two decades ago. Visit Microsoft in two generations and you'll have today's Novell. After reading the HBR article, I added this note to my professor friend:
The "kicker" is that what Microsoft SHOULD do with the added time this acquisition gives them is to totally rewrite a new operating system (built for security), fork it to a compatible cloud architecture, and slowly jettison their old OS (like Apple did with Mac OS vs OS X). There is a precedent: This is probably before your time, but Microsoft's Excel blew Lotus 1-2-3 out of the water by cleverly seeing where the price/performance curve on processors and operating systems was going. Lotus kept doing business as usual and look what happened. Microsoft is making the same mistake. Larry Ellison and I have had a number of conversations on this over the years, so I can't claim full credit for the insight.
When I had the above-referenced conversation with Ellison, I think I commented to him that he sounded like Mao Tse Tung in his burn-it-to-the-ground-every-year mentality. He agreed, saying that he was never EVER satisfied with the status quo. He then laughed and shared with me that Bill Gates had called him and invited him to join a Redmond brain-storming session about the future. He said, "Do you think I'm going to let Bill Gates and his team pick MY brain? Get serious!" 

So if my "Vulcan mind meld" with Larry Ellison is still functional after lo these many years, I believe his advice to Microsoft would be as follows:
Give a billion dollars to a wholly owned subsidiary with the charter to "destroy Microsoft, Oracle, Google, Apple, and Facebook." Give them cross-licenses to ALL patents under your control, indemnify them against future lawsuits Microsoft may lodge against them, and then get the hell out of their way. If they win, you and your stockholders win. And if they burn all the money, you've only squandered a billion. Chump change considering the 8-plus billion you're blowing at the 30-times multiple for Skype. Oh yes, and another billion should go to 1000 CYBER PRIVATEERS who can rat out cyber criminals to you and to the FBI. Or you can do business as usual and become another Novell.
And for the record, Larry has followed the above advice, investing in companies that could put Oracle out of business. He's made a lot of money for his stockholders on those investments as well as keeping Oracle on its toes. 

Taman Shud.

Wednesday, May 18, 2011

Sony needs U.S. Navy SEAL Team Six. Now!

Doggone it! My sons, son-in-law, grandsons, and one granddaughter just got our SOCOM4 disks and have played all the single-player missions. We were ready to go online BIG TIME, planning ambushes via a separate IP telephone connection, and darned if the network didn't get hit again (see the Time/Techland report today). As I commented 8 days ago, I still think this is an inside job from ex-employees with a big beef. Sure, Sony will probably find the word "Anonymous" left in conspicuous places, but it's IMHO a blatant misdirection.

Again, given that PSN is an online gaming universe, I say, "Let the games begin." Put a significant bounty on the bad guys and give the rest of us a get-out-of-jail-free card so we can land some hard cash. Turn your gaming community from a bunch of petulant adolescents bent on further embarrassing you into an army of cyber privateers who want the "street cred" of a public reward for landing the bad guys. The legal ducks seem to be lining up in your favor, so…?

So…come on SEAL Team Six. You've got some well-deserved down time. How about making the cyber world safe again for all of us wanna-be SEALs? You probably have some Cyber War tools not available to the rest of us. In fact, you're probably Alpha testing DARPA's C.R.A.S.H.-crashing technology, anyway! Paraphrasing one of my favorite movies of all time, I say,
"Warriors, come out and play! Oh Warriors, come out and play-yay!"
Now, before I post this, I'd better try to log onto PSN and verify that Time/Techland haven't shot themselves in the foot.

Back from the PS3. Alas, my password needs to be changed and they said they sent me an email on how to do this. Since it's been half an hour since then, and since I haven't received my email…well…I'll go take an after-my-bike-ride shower and then see if the email comes. If it doesn't, I'll assume that…the kite has gone up again. Stay tuned.

Yecch! Got the email and followed the link, which brought up the following message:
Site Maintenance Notice
The server is currently down for maintenance.
We apologize for the inconvenience. Please try again later.

I guess the kite has gone up. Drat!

Okay, SEAL Team Six. Rules of engagement:

  1. Do not shoot them in the head. We need a live, suffering (probably ex-Sony employee) bad guy to parade through the virtual streets.
  2. Do not dump his body in the ocean (even if you do shoot him in the head). We need to stuff him and mount his carcass in the Smithsonian. Probably need to put a spit-plate in front of the taxidermy.
PC Mag reports today that Sony CEO Stringer calls the outage a "hiccup." I'm not sure I'd use that word. I'd recommend he yell "Game on!" and outline a set of rules that would set the cyberworld abuzz with excitement and energy. I know that's what Larry Ellison would recommend (that is if my "Vulcan mind meld" is still active with his vibes). More suggested reading: Kurt Vonnegut's Cat's Cradle. In that novel, a ruler and his best friend live in a stagnant society. The ruler suggests his friend start a "religion of meaningless lies," and that the practice of that religion will be punishable by death. They do this, and suddenly, the society isn't stagnant anymore.

With due respect, Mister Stringer, you need to define the battlefield or you are well and truly hosed.

Tuesday, May 17, 2011

Yahoo email gets an "F" in security

In analyzing the sources for various phishing attempts and downright fraud attacks, one service shows up again and again as a vehicle for mischief: Yahoo email. I've previously posted on messages from my dead friend Jeff Menz. Somebody got into his Yahoo mail account and tried repeatedly to sell me pharmaceuticals. Subsequent complaints to the FBI were ignored. And while the pharmacy botnet was taken down (see my post Jeff Menz may now rest in peace), Yahoo is still a fertile field for criminal activity. Just yesterday, I got the following message from an acquaintance of mine who promotes bicycle races:
Hope you get this on time, I made a trip to Edinburgh, Scotland and had my bag stolen from me with my passport and personal effects therein. The embassy is willing to help by letting me fly without my passport, I just have to pay for a ticket and settle Hotel bills. Unfortunately for me, I can't have access to funds, I've made contact with my bank but they need more time to come up with a new one. I was thinking of asking you to lend me some quick funds that I can give back as soon as I get in. I really need to be on the next available flight.

I can forward you details on how you can get the funds to me.

I await your response....
Naturally I deleted his name. No use embarrassing him. The Yahoo email address was just one of his, so I sent the following note to another of his accounts:
Somebody from [account deleted for privacy]@yahoo.com sent this. Hoping it's a scam, I'm not biting. But if you get back to the US and want to give me a call, I'd be glad to apologize in person if this is on the level. In the meantime, I suggest you call your family members and have them bail you out.
Within half an hour, he responded:
Spammed.  Thanks.  Working on it.

Granted, this is a fairly low-tech and shop-worn scam, and pales in comparison to the malefactors who used Amazon cloud services to successfully bring down Sony's PSN network (which I still think is an inside job by recently-fired SOE employees who wanted to misdirect the investigation by planting the word "Anonymous" in the infecting code). But similarly strange email and telephone calls could soon be coming your way courtesy of gaping Android security holes or even not-so-proud-owners of Cisco phones.

Which is too bad, as it is not my nature to deny help to people who need it. Heck, I even give money to panhandlers on the street, trusting that they're doing their best with what they have available to them. I've even started a war against charities who pay their management team big salaries and who funnel very little of their donors' contributions to the cause for which it is being raised. If you want to be entertained, check out my work-in-progress website: www.ZeroOverheadCharities.com.

I prefer to live in a world based upon trust. One way to bring about such a world would be to have misconduct yield substantial and instantaneous consequences. For companies involved in charity scams, public humiliation and social ostracism might be the answer. In the world of cyber crime, I contend that licensed and bonded cyber privateers are one answer. If you have a better solution, let me know. We're surely getting bupkis out of the politicians (see today's New York Times story).

Monday, May 16, 2011

If I were a jihadist, Part III

The Bloomberg revelations in The Register that Amazon's EC2 cloud service was used to crack the Sony PSN network are just the tip of the proverbial ice-suppository. The story also reported the cloud service was used by a German researcher to crack Wi-Fi passwords as well as by cyber criminals as a command and control channel to loot bank accounts. Given the automated nature of cloud service customer acquisition, I predict we haven't seen anything yet. Adding a question to my If-I-were-a-jihadist posts (Part I and Part II): "Why build my own cyber warfare infrastructure when I can have one of The Great Satan's Minions build it for me?"

Saturday, May 14, 2011

Game theory demands more than just defense

Friday's WSJ story [p.A5] on the White House "bipartisan" effort to pass a cybersecurity bill needs the proper metaphor. Given the vitriol and strong emotion against Sony in the last little while, the best metaphor to apply is game theory. Simply put, to focus absolutely on defense is to guarantee you'll lose. There's no deterrent, and no real incentive for the invading team to hold back resources for protection of their own home base. True, a three-to-two attacker-to-defender ratio is generally what it takes to assure victory, but good defense is not sufficient to win the game, because you don't win unless you actually attack the enemy. Unless, like a Washington politician, you declare that your testicles pummeled the attacker's feet until they were bloody stumps on which the enemy could no longer walk.

So my simple question on this glorious Saturday just before I take off on a 58-mile bicycle ride that climbs 3300 vertical feet over four mountains is, "When the heck are the geniuses in Washington going to wake up?"

POSTSCRIPT:  Here is the 58-mile elevation profile of today's bicycle ride. We beat each other up rather badly, and hit heavy rain all the way from the tallest peak until we got home. I had a lot of time to think about cyber warfare. At about mile 24 we even rode by the future site of America's cyber warfare defense facility. I remember thinking to myself, "Man, I hope they can work on some offensive capability there, too!"
During the ride, I remembered what guru Peter Drucker once wrote in his seminal book on Management (I'm paraphrasing what I remember, since I read this book 38 years ago and can't seem to Google the exact quote): "It cannot be part of your business strategy that your people will always be smarter than those of the competition. That strategy will inevitably fail." I now change that just a little, but it still rings true: "It cannot be part of your strategy that you will succeed by only playing defense, because the enemy needs to destroy that defense just once."

Come on, team! We need government-level resources applied to crafting…The Perfect Virus. I've even suggested who could run the project.

Friday, May 13, 2011

Military sci-fi: the key to The Perfect Virus

Yesterday, I posted a review of John Ringo's newest book. Then, for the first time in my history with Google/Blogger, the site went down. Hard. When it came back, all the posts of yesterday were lost. So…

Was the Google/Blogger outage a weird accident, or was it due to my post yesterday (which I had to repost today because they lost "all" of yesterday's blog postings)? Well, if some "alien presence" takes issue with that post, then maybe they'll bring down Google/Blogger again today to keep things quiet. Of course it might just be someone from Argentina who didn't like my putting the "skunk on the table" in my review of John Ringo's The Hot Gate (in yesterday's blog, which, again, I reposted today).

Not being the paranoid type, I'll grant that Google/Blogger could have gone down on any day, and one could then have looked at the provocative nature of my posts and drawn an erroneous conclusion aimed at the subject of my focus. So no, my Chinese and Russian readers, I'm not paranoid. But it was fun to think my efforts were more than that of a fiction author's research in suspending disbelief for his next novel.


Infecting an alien architecture, Part VI (repost)

This got blitzed yesterday in the Google Blogger outage.

Thursday, May 12, 2011

Infecting an alien architecture, Part VI

Hurray, we're back to military science fiction! John Ringo's latest masterpiece The Hot Gate (preceded first by Live Free or Die and then by Citadel) continues the tradition of Frank Herbert (Dune), David Drake (Hammer's Slammers), David Weber (any of the Honor Harrington series), and the ultimate treatise on infecting an alien architecture, Piers Anthony's Macroscope. I have maintained all along that The Holy Grail of virus creation is my principle #7 for The Perfect Virus, Black Box Portability. This is the ultimate retaliatory defense in our cyber arsenal and will mean victory or defeat in the inevitable Cyber War we're going to be fighting with China and/or Russia and/or (let me here make a "calculated overstatement" which I will later clarify in context with one of Ringo's major literary elements) jihadists? Forget the jihadists, as some contend that they haven't had a technological breakthrough since the invention of our numbering system. But I'll address this last sentence two paragraphs hence.

In my fifth diatribe on infecting an alien architecture, I pointed out that the Chinese are rapidly weaning themselves from dependence on Western cyber technology. Therefore Black Box Portability will be a critical weapon in our arsenal. So when I read Ringo's newest installment on our response to a truly alien invasion, all kinds of lights went on. Because The Hot Gate not only deals with an alien race that completely misunderstands our psyche, but it deals with our own cultural blind spots. Specifically, Ringo does a credible job of dramatizing the difficulty of working in a military partnership with…well…Argentina. Without spoiling your entertainment by giving away a major part of the book, let me just predict that The Hot Gate will not be selling well in Argentina. In fact, paraphrasing the late Hunter S. Thompson, The Hot Gate will have the same general effect on an Argentine as a full moon on a werewolf. John Ringo will have infected that alien [Argentine] brain with the next best thing to a terminal virus. Their cumulative reaction to The Hot Gate will probably resemble the howling of the damned on Easter Sunday in hell.

Which brings me to my "calculated overstatement" at the end of the first paragraph: "Forget the jihadists, as some contend that they haven't had a technological breakthrough since the invention of our numbering system." I don't believe this to be a true statement, but it is designed to demonstrate the ease with which one can launch a pretty good data bomb in the psyche of another culture. Besides, the Iranians seem to have done a passable job in their initial response to Stuxnet (although I suspect the guy claiming to be an Iranian was really an elite gaggle of Iranian government programmers trying to save face). John Ringo, on the other hand, carefully builds a plausible viral infection that should cause some measurable blowback from our neighbors down south. And for that reason, I wouldn't think that Baen Books will spend a cent translating this into Spanish. Call me silly, but…!

Beyond causing a giant rush of pus to hit the average Argentine brain, The Hot Gate also gives some Macroscope-like technical hints for achieving Black Box Portability in a computer virus. And for that I thank (and congratulate) John Ringo. What are those technical hints? Sorry, but my professional gambler father always told me not to play my cards face up.

So thanks, John. I can't wait for your next installment. Heaven help the Rangora!

Wednesday, May 11, 2011

Zeus virus scorecard update

Thanks to release of the Zeus source code, I've been able to update The Perfect Virus Scorecard with new Zeus information. While Zeus is currently used primarily to loot bank accounts, there is no reason it couldn't be doing a whole bunch of other things. I'm still including SpyEye and Zeus in the same matrix, as it's most likely that the public source code revelation will allow accelerated SpyEye integration with Zeus. While you can go to the now-modified original Scorecard matrix, I'll summarize the changes to it here:
  1. Zeus cannot spawn or replicate to other computers (principle #2, Feral Fertility). Zeus is spread via spam in most cases. Therefore it gets a zero for this matrix item. Of course, this means Zeus is ideal for a more targeted attack, since it does not behave in a measurably procreative fashion.
  2. I give Zeus a partial score for principle #4, Performance, since the control panels appear to optimize for at least the botnet operating system. And I'm assuming that Zeus itself is tightly coded for the target computer to reduce cycle usage and the possibility of detection.
  3. Zeus gets partial credit for principle #6, Mutation Control, since it dynamically checks for new versions of the configuration file as well as for newer versions of itself. It doesn't get full credit because it has no capability for Feral Fertility.
  4. Zeus gets partial credit for principle #13, Stratification, in that it has limited Mutation Control, a partial for Performance, and full credit for Prosumption.
  5. The control panel gives Zeus partial credit for principle #15 (Complete Life Cycle Management), principle #16 (Team Isolation), and principle #17 (Operational Sophistication). Not bad. It's a long way from full credit, but not bad for an underground virus effort not supported by government-scale resources. Then again, given that the Russian government didn't throw young Darth Vader into jail, maybe government-scale resources have been applied here.
  6. Finally, Zeus gets partial credit for principle #19 (Simultaneity), principle #20 (Individuality), and principle #21 (Institutional Memory). Simultaneity may be a "light partial," because the target Windows operating system is multi-threaded.
Based upon what I've been able to "grok" from the public Zeus revelations, this appears to be a formidable criminal tool which could be easily provisioned for activities other than looting bank accounts. Because of this, the urgency of workable legal and technical countermeasures cannot be overstated. We need a credible deterrent force. As of yet, we don't have one.


Tuesday, May 10, 2011

Dear Sony, it probably wasn't Anonymous!

I have a new one-liner axiom, a net-net for our age:
"Google makes us all geniuses." (Rick Bennett, 10 May 2011)
As you might surmise from my recent blogs, I've been extremely curious about the plight of Sony. The extreme invective oozing out of the comments accompanying every single news article about the PSN outage, together with the news about future attacks on Sony, only sharpened that curiosity. There's more at work here than just a bunch of adolescents looking for an excuse to go on a spray painting binge. And as much as one might disagree with the tactics of the Anonymous crew, they'd have no reason to lie about their non-involvement in the continuing Sony debacle. If they were indeed behind it, they'd be bragging. So what other hypotheses might be considered and tested?

Thanks to Google, all things are pretty well public (sorry Bing and Yahoo!, I just don't see a reason to spend much time with you). Keeping it simple, my first Google search gave me what I consider to be a high-probability answer (in the AI world, we call this "fuzzy logic"). Try it yourself. No quotes are needed. Just three Google search words:
Sony SOE layoff
After all, a sophisticated root-kit attack is most often an inside job. My hypothesis was that one or more ex-Sony SOE employees might be yea verily unhappy. Make sense? Well, looking at the second result, it makes sense to me. Here's the search image just as I found it:

And the second link kind of says it all. The news came out on March 30th that SOE laid off about a third of its workforce. They also closed three studios. Like I said yesterday, "Oh golly Miss Molly!" Of course, there are a lot of hits on that particular three-word query, and I suggest the curious amongst you read a few of the stories. Especially the reader comments. As it became obvious to me, the gamer community sure does take this little universe seriously! In fact, the invective (the trash talk directed not only at Sony but at other commenters deemed guilty of even minor etiquette infractions and flamed accordingly) makes the fist fights in third-world parliaments seem mild.

Since Sony management must be aware of their internal dynamics far more thoroughly than I am, I wonder at their publicly naming Anonymous as the prime suspect in their witch hunt. My guess is that their statements are a misdirection, designed to let them track down the real culprit(s).

Again, my advice to Sony is, "Call Larry Ellison." You've got a war on your hands and you'd jolly well better have your best and brightest on the front lines. So far, you're still flailing. Not to mention that you're continuing to irritate your customer base, which, unfortunately, is so filled with adolescent testosterone that they need to be enlisted as insiders. Hopefully, you have a therapist on your staff who can help you design the appropriate vehicle. Hint: the vehicle needs to have a BFG your customers can play with.

Monday, May 9, 2011

Dear Sony, watch Zombieland & AVP!

Good golly Miss Molly, the PSN is still down! And here I have my U.S. Navy SEAL baseball cap proudly sitting in the rear window of my car. My sons, son-in-law and grandsons (and even one granddaughter) are anxiously waiting to play SOCOM4 on our regular Tuesday night plan-our-ambushes-via-IP-telephony slaughterfests. Hopefully you've fired the incompetent swine who set you up without proper security protocols (or if you're following the job-for-life management philosophy, why not have them cleaning toilets for the next decade?). Your assignment today, or maybe this evening as you're decompressing from another nightmare day of damage control (or is it damn-age control) is to watch a couple of movies.

My previous posts on elements of The Perfect Virus (principle #14 on Stealth and principle #22 on Defense) build a case for a fairly aggressive retaliatory strategy as the best course of action. And to get yourself into the proper frame of mind, I strongly suggest you watch Woody Harrelson in the movie Zombieland. Check out Alien vs. Predator, which chronicles a terrific winner-kill-all game scenario. Specifically,

  1. You've really got to "double-tap" the bad guys (Zombie Killer Rule #2). Any IP address that attacks you is fair game for slagging. If it's a botnet (aka zombie), the unsuspecting owner needs to start from scratch anyway.
  2. If they can't figure out a way to be a good web citizen, you'll get 'em again. Quite Darwinian, actually. It's also Zombie Killer Rule #1 for them: Cardio. Idiots and lard-butts should get slagged first.
  3. Numbers 1 and 2 above also accentuate Zombie Killer Rule #18: Limber up. You need to limber up and put your best and brightest on the task.
  4. You need your Japanese-issued get-out-of-jail-free card ASAP. This complies with Zombie Killer Rule #22: When in Doubt, Know Your Way Out.
Hey, you're a game company for crying out loud! Half the battle you're fighting will be a PR battle, so make it a grand game. Alien vs. Predator comes nicely to mind. Naturally, you're the Predator, going after the mindless Alien culture that has been infecting your PSN with root kits that turn your customers' PS3s into zombies and have popped out of your corporate chest cavities like so many nasty, mindless little monsters bent on reproduction and domination.

So what's your next step (after getting backing by your government to…play for keeps)? Any game has to have rules. Publish your rules (see my own Cyber Privateer Code of Conduct for a few ideas). If you want to give the zombies a sporting chance, before you slag an offending computer you could freeze it with a message to the owner offering to eradicate (with their permission) the offending zombieware. A simple "click here if you agree" will suffice.

Oh yes. And call Oracle's Larry Ellison (as I've recommended on previous occasions). He could probably loan you one or two of his warriors to help you pull this off.