Thursday, June 30, 2011

When banks and governments are fair game, Part II

Brian Krebs's blog identified the main culprits in the online pharmacy scam: a list of banks that SHOULD have taken the same precautions with pharmacy transactions that they have been mandated to take in limiting online gambling operations. Fully 15% of all online pharmacy scams have been processed through Bank of America, with J. P. Morgan Chase coming in at 14.7%:

If cyber privateering were legal, I don't believe a bonding authority would have trouble authorizing the confiscation of bank assets at either B of A or at Chase—well, maybe after one unambiguous warning—along with accessible assets of the rogue government (Russia—no warning required or deserved) that has made a "bargain with the devil" through their tacit look-the-other-way support of this criminal activity. Recent headlines—about Bank of America coming up with $8.5 billion to settle claims from investors in their mortgage backed securities offerings, or J. P. Morgan Chase's $153.6 million settlement on similar "complex investment" tactics—would seem to paint a big red cyber bull's eye on both firms. 

Leaders of the above-referenced banks (along with Russia) should get on their dimpled knees morning and night to thank God that LulzSec and its incarnations have not decided to make public examples out of them by playing Robin Hood with their assets. 

Wednesday, June 29, 2011

Another Larry Ellison quote

You've got to love having Larry Ellison on stage these days. Yesterday's headline: "Google owes us $2.6B." How's that for chutzpah? Of course you see why I have made Larry the head of my Cyber Privateer Fantasy League team. Forget compromise. Wars are to be won and not to become negotiated stalemates!

In my continuing archive of Larry Ellison quotes, I remember back to the early days and Larry's penchant for hiring only the best out of graduating college classes. He once described his hiring strategy to me and to Ken Cohen. Ken disputes the exact names of the first two educational institutions, but we both remember the final punch line. According to Larry (circa 1985):
"If I want to hire someone for the Oracle kernel DBMS development group, I'll go to MIT and hire the guy who got a 5.0 GPA (4.0 was merely an "A" while the 5.0 got "As" in honors classes). If I want someone for the applications division, I'll hire a 5.0 (honors classes again) out of U.C. Davis. And if I want someone to run the mail room, I'll get a 5.0 out of Stanford [loud laugh]."
To be fair, this doesn't (I think) reflect Larry's low opinion of Stanford. It just turns out that the guy then running Oracle's mail room was a Stanford graduate.

I can't wait to see The Amazing Mr. Ellison's next encore on the public stage.

Tuesday, June 28, 2011

Trash talk between hackers

Get out the popcorn and your drink of choice, and take a few minutes to "grok" the obviously adolescent hacker counterculture. Sigh. The trouble with anarchists is that they're as likely to attack each other as they are to unite in a common cause.

Monday, June 27, 2011

My commitment to LulzSec et al

I made the following commitment on Friday:
But not to worry, all you agoraphobic/OCD/bipolar loners. In my Monday post I think I'll stir the pot and give you a roadmap for continuing mischief. No, I'm not encouraging your breaking the law. But my hope in stating the obvious is to build a case for responsible political entities to realize that bonded and licensed cyber privateers are still our only hope. To that end I'm going to point out the holes in both DNSSEC and even the malware-proof and massively parallel Active Element Machine discussed in #13 above.
You've gotta hand it to LulzSec. They're doing a masterful job of garnering headlines. Not that anyone (besides the Wall Street Journal) believes for a minute that they're disbanding. But my purpose today isn't to read between the lines or to predict the next hacker A-Team incarnation. My goal is to let "The Man" (i.e., the FBI, the CIA, the NSA, and DHS) know that the tide is unstoppable without some serious government rethinking.

The "roadmap for continuing mischief" isn't really complicated. In spite of DNSSEC or supposedly malware-proof hardware architectures, the tools exist today to create The Perfect Virus. The combination of mathematics and physics makes anything possible. Whether it's a combination of nano-ionic resonance that lets an outsider directly read non-Internet-connected secure files from a non-trivial distance, or the ability to turn a giant botnet into a SETI-like massively parallel system to crack encryption, the tax dollars necessary to counter global hacktivists would make the Afghanistan/Iraq budgets seem like a mere roundoff error. Why?

Even though LulzSec's "crew of six" (or six million), the A-Team, and the alphabet soup of future hacktivists are all likely teenagers—even dysfunctional ones who don't like to leave their game dungeons—you are not constrained by your lack of formal college training. You actually have a leg up on the formal pedagogues who so smugly think they are above you. On January 14th this year I shared my thoughts on Stephen Wolfram and his seminal work. After digesting A New Kind Of Science—all 846 main pages along with an additional 351 pages of footnotes—I had to agree with Wolfram that:

  1. Mathematics hadn't seen much innovation since the Babylonians; and
  2. My own college major in mathematics was not so much math as it was taking a very narrow set of problems and then regurgitating non-computational techniques designed to reduce those problems to a simple form. In other words, I was a technician, not a mathematician.
So to the somewhat agoraphobic and OCD kids looking for A JUST CAUSE on which to focus, all you have to do is pick up a copy of Wolfram's book, read it cover to cover—take notes, and learn the real mathematics behind all modern thinking through his meticulous proof-of-theorem footnotes—and you'll be head and shoulders above academia. Which means you'll be head and shoulders above The Man, since He recruits from academia as a matter of career preservation. It's axiomatic: The more degrees you have, the smarter you must be.

A SINCERE WORD OF ADVICE: I beg you to reconsider your extra-legal tendencies. Young meat in a federal prison doesn't live a happy life. Your cell "mates" will show you the true meaning of "hard time." This is the plea-bargain logic The Man will use to get you to double cross your hacking buddies. Of course, when I wrote that the FBI only recruits the dumbest hackers, I should have added that even the smart ones become dumb working for the FBI. That's because when you are NOT true to your own conscience, to your own "guiding lights" of morality, when you double cross people with whom you've made a common cause, then you have to shut down part of your brain. Smart guys become dumb, because the part of your consciousness that realizes your hypocrisy must separate itself from the rest of your intellect. In the end, your only two options will be to (1) enjoy your life as a prison sex toy, or (2) eventually use one last digit of intellect to get your big toe into the trigger guard of a shotgun and place the barrel in your mouth. Your alternative?

How about focusing your tremendous intellect on persuading your government (wherever it is) to license and bond cyber privateers? Obtain your get-out-of-jail-free card and then make a fortune going after cyber bad guys and their complicit rogue governments. 

Give this alternative an evening of thought. For a whole lot of reasons, it's really the smarter path.

Saturday, June 25, 2011

Audience analytics: June 2011

There's been a rather dramatic change in my readership over the last month. First I'll share demographics, and then the actual subject rankings. Draw your own conclusions. Over the last 30 days, my top-11 audience rankings are distributed as follows:

Top-11 by frequency by readership numbers:
  1. United States
  2. France
  3. United Kingdom
  4. Russia
  5. China
  6. Iran
  7. Malaysia
  8. India
  9. Germany
  10. Canada
  11. Israel (just missed being in the top 10)
Now for the subject matter (hot-linked directly to the post, so you can easily check out the content for yourself):
  1. Defense CIO wants to emulate…Sony and Amazon?
  2. Frank Herbert clearly foresaw our day
  3. Hacker Wars: Jester vs. LulzSec, Round 1
  4. Frank Herbert predicted LulzSec
  5. WSJ: Cyber attack an "Act of War"
  6. IP addresses of Chinese attack servers
  7. Yahoo email gets an "F" in security
  8. Zeus virus scorecard update
  9. Privateer analytics: high-reward/high-risk numbers...
  10. Yes Martha, cyberwar is heating up!
  11. LulzSec takes me back to 1965
  12. One current Mossad technology?
  13. Mathematics behind one alien architecture
Interestingly, the last three were only posted this week, but are shooting toward the top…with a bullet (pun intended). Item 13 is one of my all-time favorite finds. Combine this with the new Secure DNS (DNSSEC) technology, and we may have a whole new ball game. In fact, the only entities with enough developmental and scientific horsepower to mount an effective cyberwar will require government-sized funding. Not good news for the LulzSec et al "rebels with a cause." 

But not to worry, all you agoraphobic/OCD/bipolar loners. In my Monday post I think I'll stir the pot and give you a roadmap for continuing mischief. No, I'm not encouraging your breaking the law. But my hope in stating the obvious is to build a case for responsible political entities to realize that bonded and licensed cyber privateers are still our only hope. To that end I'm going to point out the holes in both DNSSEC and even the malware-proof and massively parallel Active Element Machine discussed in #13 above.

So to the man who is self-selecting himself into the-dumbest-U.S.-Senator competition (see article #10 above), I say: "Have a good weekend, Senator Menendez (D-N.J.). Your Philistine intellect is no match for a kid living in his mum's basement." 

Friday, June 24, 2011

LulzSec takes me back to 1965

Sometimes it sucks being right. Earlier this week when I predicted that arrests would be imminent and that the people being arrested were probably kids living in their moms' basements, it was funny in the abstract. The reality of the U.K. arrest (see a photo of Ryan Cleary's Wickford Essex house, where the 19-year-old lived with "his mum" Rita) puts a very human face on the story. An interview with "his mum" adds quite another dimension to the drama. So what's the Calculus of Human History telling us?

I don't know why this wasn't obvious to me before. While I joked about Anonymous and LulzSec et al being kids living in their mothers' basements, that was a gross oversimplification. Back in 1965 as a college freshman just out of Andover (one year behind George W. Bush and a classmate of Darrell Salk, son of polio vaccine inventor Jonas Salk), I remember meeting with SDA and SNCC firebrands out to change the world. If I could have afforded the bus ticket, I'd have been on my way to Selma, Alabama to single-handedly desegregate a diner. Or disable all "The Man's" police cars with some creative incendiary technology. Heck, if a teenager today built the kinds of explosive ordnance I routinely set off in my own teenage years, said teenager would be locked up as a terrorist. The reality of today's teens is that they're (forgive me James Dean) Rebels With A Cause.

It's all Rock-and-Roll, grasshopper. It started in the 1950s with Elvis. Desegregation and anti-war fueled our 1960s rock opera. In the 1970s we rocked to the mini-computer revolution, replacing it in the 1980s with the PC revolution. We rocked into the 1990s to the tune of the Internet, file sharing, and some genius hacking exploits. I remember sentences of guys like Kevin Mitnick where a condition of his parole was that he not have access to computers or modems. Ancient history. Then came the turn of the century and revolution was again in the air. The world became flat, and any teenager with a PC and access to the Internet could talk with any other teenager, anywhere. With THAT genie out of the bottle, government hypocrisy could not hide. Nor would it be tolerated.

After LulzSec "pwned" the CIA website, I wrote that these kids had dramatically miscalculated the risk-reward equation. The consequences of being the "fastest gun" didn't seem to faze Billy The Kid, and they don't seem to faze today's "hacktivists." Heck, back in 1965 I didn't give it a second thought, myself. The idea of getting beaten, castrated, set on fire, and then dragged through town behind some bigot redneck's pickup truck was all part of the game back in 1965. So risk-reward takes a back seat to the real battlefield: truth vs. hypocrisy.

I started this blog last October 14th in my own reaction to government stupidity and the venal hypocrisy of the world's politicians. And considering my own 1965 roots, darned if the hacktivists and I don't have the same target. Where we differ is that I'm committed to the rule of law. In my opinion, licensed and bonded cyber privateers could preserve freedom and bring down the bad guys.

The bad news for world governments: Today's teenage Rebels With A Cause are unstoppable and will not give up. The only good news for world governments: Legalizing cyber privateering is your only hope to bring order. To be sure, you can't effectively monetize defenses against teenagers out to expose hypocrisy. But you certainly CAN stop cyber crime and rogue governments in their tracks. As for those pesky teenagers, though, I leave you with the same advice Wally Cleaver gave his friend Eddie Haskell in the television series Leave it to Beaver: "Eddie, you know all that stuff you do to irritate people? Just quit doing it."

To all you governments, repressive and otherwise: You might want to cut out the hypocrisy and repression. And get the first-mover advantage of leading the world to cyber privateering legitimacy. Because not even NATO is safe.

Off to nuke some more popcorn.

Thursday, June 23, 2011

Yes Martha, cyberwar is heating up!

Good thing my kids got me the movie entertainment package for Father's Day, as I previously recommended everyone get out the popcorn and Big Gulps for some real entertainment. In my Father's Day movie bag: 1 package each of Sweetly SOUR Belts, Hot Tamales, Junior Mints, Good & Plenty, Milk Duds, and 6 bags of microwavable ACT II popcorn with associated cardboard popcorn holders. The Sweetly SOUR Belts have me puckered up almost as much as recent headlines:
  1. Senate votes to make illegal video streaming a felony, a position certain to infuriate the LulzSec DDoS script jockeys.
  2. Japan Criminalizes Cybercrime: Make a Virus, Get Three Years in Jail. Sorry Sony, Nintendo and Sega. The guys affected by this spend most of their time figuring out video game hacks, so get set for some headline-seeking exploits.
  3. Sega Hacked, 1.3 Million User Accounts Compromised. See #2 above.
  4. Adobe Flash continues to be a prime target for cyber criminals
  5. Extortionist attacks oDesk by lifting their IP credentials. Just the tip of the iceberg. The next cyber criminals will learn from this moron's mistakes.
  6. Pentagon building a cyberwar simulator. Lockheed won the contract. Yup, the same company that got hacked multiple times and lost terabytes of F-35 Joint Strike Fighter data.
  7. Pakistani brags about hacking HP. Another fast gun, a modern day Billy The Kid. There'll be more where he came from. Heck, when you can't hold down a real job, you might as well get superstardom.
  8. UK police arrest LulzSec hacker. Boy, that ought to bring some response.
  9. LulzSec turns on itself. So much for discipline in an anarchist group. This is better than mud wrestling.
  10. Entering The Dumbest Man in the U.S. Senate Competition is Robert Menendez (D-N.J.), who proposed new cyber security regulations for banks. Heaven help us. How about taking off the shackles and giving banks some you-screw-with-me-then-I-screw-with-you power, Senator?
  11. Bitcoin gets hacked for some serious money. Big bucks are just as easy to steal as small bucks.
  12. Network Solutions, holder of the keys to the kingdom, gets whacked hard. Talk about guys who should know better.
  13. Hack attack cripples thousands of Aussie websites. Not all bad news, since this might motivate them to become the first legal cyber privateer haven.
  14. The Pentagon gets some truly asinine marching orders from the White House. Read the second paragraph and make your own value judgement. Hint: Shall we wait for a presidential meeting in order to make a decision on an enemy whose turnaround timeframe is measured in nanoseconds?
  15. Team Poison is threatening to reveal LulzSec members' “pictures, addresses, passwords, IPs, phone numbers etc”. "Please Mom! I'm busy in the basement; tell those guys in dark suits at the front door that I don't live here."
Yum! I'm about to start on the Good & Plenty box. Next week will definitely be more entertaining than this week. Maybe the U.S. Congress will decide to perform in a Jackass sequel.

Wednesday, June 22, 2011

One current Mossad technology?

Yesterday, I said I'd speculate on currently fielded Mossad technology. Do I know for a fact it's operational? Not really. But let me give you the context of my speculation. My friend of almost two decades is an American/Israeli (dual citizenship) übergenius who has humbly asked that I nickname him Maravedi (a small-denomination Spanish coin). His motto, by the way, is from Ivanhoe:
Auferte malum ex vobis ("Remove the evil from among you")
With that background, let me tell you about his technology. Imagine Google on steroids, plus everything Microsoft hopes will become the semantic Web, plus Wolfram Alpha. Then multiply by 10. I've been playing with my secret username/password on a system he custom built for me and an academic friend. What can this technology do?
  1. An early precursor to this system got a famous auction site out of the tank and running.
  2. A precursor to this system may (wink-wink) have been used by Lockheed to get a major contract as part of a strategic data service. Important documents and engineering data were online and could be instantly queried whenever a new round of questions came from the procurement process. Many companies have quietly used his hosted applications to remain in business through the last century when competition was fierce. Now he builds what he wants, for whomever he wants to build it.
  3. Given a specific application need, you can enter the GPS coordinates of a point on the earth and get everything that ever happened at or near that point in your databases, plus aerial photos, geological data, current ownership, and dozens of other facts public and private (sometimes VERY private).
  4. When you query a term (single word or complex boolean), a built-in inference engine that has been in the works for 25 years "groks" a custom lattice and gives you all meanings, themes and motifs and imaginative arcana from which you can drill down.
  5. It has access to out-of-print documents that venal and self-serving historians have long since redacted because they are either politically incorrect or have been eliminated by whoever had the biggest mace with which to beat ideological foes into submission.
  6. You can query for themes and motifs that fit only into certain numeric ranges, notwithstanding measurement systems (cubits are converted into feet, meters, rods, leagues, etc.), combined with ideas and themes and intuitive imaginative thoughts. It uses Swarming Intelligence combined with a savant mechanism modeled from human thinking and language formation methods.
  7. It doesn't use Internet bandwidth spidering of every website in the world to then transfer data to a central server farm repository. Instead, it leaves the data at their existing repositories and aggregates from those sites directly to you in a remarkable peer-to-peer fashion. Fast, too. Actually, too fast to believe.
  8. You can query an image database to get actual written context. Ditto for facial recognition, location and settings.
  9. You can do conversation aggregation and analysis from telephone intercepts to look for hidden meanings and not-directly expressed intentions. You can also test for intentional confusion and misdirection of meaning in discussions. The savant intelligence mechanism has no intention of its own, no bias, and can locate hidden possible meanings and abstracted ideas, allowing it to project intentions and model personal psychologies.
  10. The Lattice-API allows the savant mechanism to be made smarter by an expert, or even track down an expert all by itself. For example, it can "think like a crisis manager" in a given situation and search a given emergency procedures manual with its savant intelligence servo mechanism.
  11. Oh, yes. All of the above is only the tip of the iceberg.
What makes me think the Mossad has deployed this beast? Simple. When I asked Maravedi if the Mossad had this, he said "No way!" and then laughed his infectious laugh. He denies it. From my previous life as inventor of the Hagoth voice stress analyzer, I have a kind of built-in VSA in my brain. All kinds of alarm bells sounded in his answer, even before his almost hysterical laugh. Alas, my friend Maravedi is a lousy liar. I think.

He prefers not to have his name bantered about in public. To be sure, one or two government "spook shops" know exactly who he is. But I've agreed to help him maintain his privacy. Besides, he's not the least bit interested in money or commercializing his genius. I sincerely appreciate the favors he's doing for me and my academic friend. And oh what favors they are (helping me suspend disbelief in my fiction writing and helping my friend do some research the likes of which the world hasn't yet seen)!

Back to cyber privateering, imagine the Mossad using fully-blown Maravedi technology to isolate patterns from unrelated sources, along with a hack-proof cyberwar engine like The Active Element Machine on which I wrote yesterday.

Actually, I can definitely imagine it.

Et tu, Stuxnet!

Tuesday, June 21, 2011

Mathematics behind one alien architecture

I studied mathematics in college and have always believed it to be the ultimate science. Yes, I've admired physics—but in a condescending way—and coined the net-net observation:
A physicist is just a mathematician with common sense.
Of course Stephen Wolfram (A New Kind of Science) seems to have blurred the distinction between the two disciplines, but I've steadfastly maintained my bias in favor of mathematics. Last week, I reinforced that opinion during a trip to Palo Alto to hear a keynote speech by Jeffrey L. Walker (the second member of my Cyber Privateer Fantasy League team and the genius behind my derivation of The Perfect Virus). Also present at the meeting was Jeff's chief mathematician and brain trust Bruce Tow. Bruce has worked with Jeff in several iterations over the years, and is best described as:
One of the world's premier modelers and abstract thinkers, and a principal in SynOvation Solutions, which tackles complex, multidisciplinary challenges - all sizes/types.
It was during a conversation with Bruce that I learned of his friend Michael Stephen Fiske, the mathematician behind the concept of The Active Element Machine. Fiske's 23-page paper (you can read the PDF here) not only describes the mathematics and programming of a malware-proof computer, but it defines the kind of Alien Architecture to which I believe the Chinese are moving in their goal to prevail in an all-out cyber war. The one-two punch of The Active Element Machine for cyber privateers:
  1. You can't subvert the operating system code because you can't find a static access point. Proof? If you're in the top one-tenth of one percent of mathematicians, you can see the proof in the above referenced PDF file. To the rest of you, including the LulzSec crew who didn't have the academic discipline to actually go to college and leave your mothers' basements full of gaming consoles, you'll just have to take my word for it.
  2. The Active Element Machine is massively parallel and can crack encryption schemes for breakfast. Interestingly, Fiske even provides a programming methodology and rigorous proof of its robustness.

Is anyone in the U.S. chain of command paying attention to this technology? My "nose" tells me yes, but I choose not to play those cards face up. In tomorrow's post, I'll speculate about one remarkable technology I think the Israeli Mossad has up and running. Heh heh.

Monday, June 20, 2011

Hacker Wars: Jester vs. LulzSec, Round 1

I told you to get your popcorn and goodies ready. First there was Anonymous. Then an apparent LulzSec spinoff that actually published thousands of email usernames/passwords as well as attacking the U.S. Senate and CIA websites. Now we have reports that Jester (a.k.a. Th3j35t3r) is exposing/counterattacking LulzSec members. The best analogy for today's entertainment is the story of Billy the Kid and his nemesis Pat Garrett: the Fast Gun Syndrome! Simply, we have a bunch of loners who put bragging rights above self preservation. They most likely reside in their moms' basements and live a fantasy life of excitement impossible for their Twinkie-filled bloat to manage in real life. Their virtual personae idolize WikiLeaks' Julian Assange, not only for his data leaks but also his well-publicized sexploits.

One big problem with fast guns, however. Sooner or later they really need to prove who is fastest, and they turn on each other. The current love polygon has Anonymous vs. LulzSec vs. Jester vs. The Authorities (an army of Pat Garretts is hot on everyone's trail).

I predict we'll soon have some highly publicized arrests. Want to bet that the bottom-end weight of the arrestees will be well over 250 pounds? Maybe you can find a Las Vegas establishment who'll open a book on such wagers.

Stay tuned.

Update on June 21, 2011: Hello Web Ninjas. Uh, got any Red Vines? Quite entertaining.

Saturday, June 18, 2011

Chinese SCADA software bugs? Gosh!

What a surprise! There are exploitable bugs in Chinese SCADA software:
The vulnerabilities were found in two products from Sunway ForceControl Technology, a Beijing-based company that develops SCADA (supervisory control and data acquisition) software for a wide variety of industries, including defense, petrochemical, energy, water and manufacturing, the agency said.
Might I add that these are bugs discovered by outsiders. Naturally there wouldn't be built-in back doors. Would there?

I've been unambiguous in my advice to China, that they should get out front on this. So far, we get the same innocent "Who, me?" response I get out of my dog when I find a pile of poop underneath the grand piano.

"Bad doggie! Bad, bad, bad doggie!" Well, I guess some dogs need more than a whack on the snout with a rolled-up newspaper.

Friday, June 17, 2011

Frank Herbert predicted LulzSec

Time Magazine's Techland blog did a fairly decent job characterizing the motivations behind LulzSec today. They even likened their mentality to Heath Ledger's role in The Dark Knight, although they quoted the wrong line. My favorite line is when Aaron Eckhart said he was going to flip a coin, and either join Ledger's Joker persona or kill him. To which Ledger replied, "Now you're talking!"

As crazy as it sounds, these yokels attacking the CIA, the U.S. Senate and other high profile institutions make a certain sense if you consider the calculus of history. When the government becomes completely dysfunctional and remarkably illogical, the subsequent vacuum actually creates the countering force. In other words, the USA created LulzSec.

Now don't take this too far, as some whacked-out politicians have suggested that we created the atmosphere in which terrorism was demanded. That's pure hogwash. Jihadists had to invoke terrorist strategies to deflect the attention of their populations from their own bankrupt ideologies. If the USA didn't exist, jihadists would have had to create us as the external focus. Remember, the best rule for pure marketing is "common cause, common enemy."

But we did create LulzSec. Heck, if I didn't belong to a religion that insisted on obedience to the "laws of the land," I'd probably flush a few cherry bombs down the toilets of various federal buildings. Frustration with cyber policy can make smart people do some stupid and self-destructive things. Which is what Frank Herbert predicted in both Dune and in The Tactful Saboteur. Simply put, technology will come to the point where a single individual can bring down everything. And here we are with LulzSec.

We do have some choices, echoing one of my favorite quotes by Henry Kissinger in his book White House Years, "Our task is to rescue the element of choice from the pressure of circumstance." We can make the right choices (not likely in my opinion), or we can buy some popcorn, Milk Duds, Red Vines and an infinitely refillable Big Gulp, then sit back and watch the LulzSec crazies make the DoD look like the Keystone Kops.

Monetizing Internet good behavior with licensed and bonded cyber privateers is a good choice and a good solution.

Thursday, June 16, 2011

Pwning the CIA website too?

Get out the popcorn and the Milk Duds, because the LulzSec crew are making some very public cyber attacks. I suggested yesterday that these guys have got to be pubescent and/or living in their mothers' basements, as their grokking of the risk-reward equation seems flawed. First the U.S. Senate and then the CIA website! Are bragging rights worth the jail time?

There is, of course, another scenario. It's certainly possible that LulzSec is acting as a "beard" to probe our cyber defense capabilities. Heck, if I were China or Russia, I'd want to see what kind of real cyber defense the U.S. had. And the one way I could be sure of figuring it out would be to do some embarrassing public hacks that had our citizens demanding action. Because the party in power does NOT want to have their management of our cyber defenses come into question.

Stay tuned. And don't let the popcorn butter make your keyboard all gooey.

Wednesday, June 15, 2011

Pwning the U.S. Senate

The trouble with a proportional-response/let's-not-over-react cyber policy is that a group of pubescent LulzSec hackers doesn't have a problem taking on the computer systems used by the U.S. Senate. Their Time Magazine (Techland) statement:
We don't like the US government very much. Their boats are weak, their lulz are low, and their sites aren't very secure. In an attempt to help them fix their issues, we've decided to donate additional lulz in the form of owning them some more!
I used the term "pubescent" because they have taken great pains NOT to inconvenience the 200,000+ Brink users and "would like for them to speed up the production of Skyrim." Come on. You're going to "Own" (Pwn) the Senate but please speed up production of a fantasy game? Gotta be teens, or maybe twenty-somethings who still live in their mothers' basements.

The Morgan Doctrine demands overwhelming response to ANY cyber intrusion. But maybe the LulzSec yahoos are doing us all a favor. If they publicly bitch-slap the U.S. Senate, maybe a quorum of our august leaders will take a more rational approach to cyber attacks. A virus is the proper metaphor. You don't get just a little HIV. Somebody purposely infecting you is attempting murder and should be treated accordingly.

Tuesday, June 14, 2011

Chinese, the usual suspects, Part III

And the hits just keep on coming! This time, it's the International Monetary Fund (IMF) hack, with…you guessed it…fingers pointing toward the Orient. In Part II of my get-your-act-together-China diatribe, I talked about the Gmail phishing expeditions aimed at corporate and government executives. In yesterday's Richi Jennings Computerworld story, the reporting is a little soft:
"…commentators are fingering China as the chief culprit…"
What's with the "commentators" stuff? Almost as wishy-washy as "unnamed sources in the government." The closest indictment of China came in one of Richi's reported comments from another blogger that, "China is likely to come under suspicion."

I write today not because I'm jumping on the dog pile (in this "Year of the Rabbit"), but because China's reputation as a world cyber citizen is so tarnished that reputable news organizations are now throwing their name around without anything approaching hard evidence.

So who's next? Maybe Hu's next! He's certainly…on first. And what is China to do if some Iranian jihadist co-opts the Sino Cyber War machine and does some real damage to the U.S. infrastructure? Proving they didn't do it could be a logical impossibility.

Monday, June 13, 2011

When banks and governments are fair game

With all the talk about "attribution" of blame before we send our licensed and bonded cyber privateers into "looting mode," there are certain black-and-white cases where a bonding authority would have few qualms about authorizing money confiscation. In fact, a "Robin Hood" hacker might not find it too difficult to rationalize getting these guys right now, figuring the risk-reward equation would be balanced by getting caught and being tried by a sympathetic jury. So where is this "low-hanging fruit" to be found?

Read the Brian Krebs posting today on the shady bankers who clear credit card transactions from cyber criminals and who operate under the tacit approval of the Russian government. Mr. Krebs characterizes Russian government involvement and that of complicit banks, even U.S. banks, in his concluding paragraph:
As the academic paper and my reporting make clear, the traditional methods of exposing these programs — “outing” the merchant banks and shining a spotlight on the main actors — has little effect when the organizers live in countries that willingly turn a blind eye to this activity. I’ve been eager to write more about this treatise since it was first featured in a New York Times story last month. In a future blog post, I will discuss the potential impact of the main policy alternative outlined in that paper: Convincing a handful of card-issuing banks here in the United States to stop processing payments for a handful of merchant accounts known to be tied to illicit online pharmacies.
How do you convince "…a handful of card-issuing banks here in the United States…" to clean up their acts? You loot them and then make public the "parley discussions" they invoke under the Cyber Privateer Code of Conduct. Ditto for the online parley invoked by the Russian government.

If they had a government-issued Letter of Marque and Reprisal (LoMaR) and the go-ahead from a bonding authority, I'll bet a cyber privateering organization could easily net a billion dollars on this one.

Saturday, June 11, 2011

FBI recruits only the dumbest hackers

Yesterday's post let me vent on U.S. plan-of-battle blundering, wherein the recommendation is to do something less than a proportional response to foreign cyber adventures, as opposed to my suggested overwhelming and mind-numbing response. Similarly, I've been pondering our current OOCB (Order Of Cyber Battle) since Time Magazine's Techland online posting of the June 7th U.K. Guardian story proclaiming that:
One in Four Hackers Works for the U.S. Government
The story goes on to say that the above-referenced hackers were caught and are working for the FBI in exchange for reduced or suspended sentences (just like the Russians failing to jail the young Darth Vader in my February 9th story). Given that these new federal employees are the ones who got caught, we can assume that the smartest 75% of the hackers have eluded that job offer they couldn't refuse.

I contrast this with my cyber privateering initiative. By monetizing cybercrime enforcement, we could get the smartest 25% working for us. Instead of the dumbest.

Friday, June 10, 2011

U.S. government incompetence, part II

I previously wrote that the DOJ thinks the FBI is incompetent. During cyberwar discussions at the Center for Strategic and International Studies (CSIS) in Washington, D.C., a lemming-like mass hysteria overtook the panel as it bent over backwards to self-immolate:
Asked about attacks on DOD networks by another country, the panelists said the U.S. should respond, but in most cases, in a limited way. Only if major damage was done should the U.S. consider responding with force, said Judith Miller, former general counsel at the DOD.
I highlighted the phrase "…in a limited way…" because the whole concept of deterrence demands that ALL cyber attacks be treated as acts of war and responded to with massive retaliation. To be sure, that means massive cyber retaliation rather than physical force, unless specific and well-defined damages occur. This is called The Morgan Doctrine. Anything less is just plain silly.

And anything less just invites cyber adventurism (or should it be adven-tourism?) from abroad.

Thursday, June 9, 2011

Einstein and cyber privateer physical security

A long-time supporter of this site is Matt, author of his own blog: Feral Jundi. The previous link tells about him: former Marine, smokejumper and currently a security contractor. His comments over the last two days have been spot on. Two of his comments to yesterday's posting deserve reiteration:
It is my view that cyber war will have to have a physical component to protect the hacker(s), or to attack and torture/interrogate other hackers. These folks would have the keys to the kingdom, or access to all types of weaknesses in government and business. 
This would be a great RAND project. lol Until then, they are just ideas floating around that have yet to be assembled and presented in a viable theory.
Thanks, and Semper Fi, Matt. He has coined the term "cyber lance" in his blog to refer to the marriage of the physical component with the cyber component. Protection for the hacker(s) is a critical component to successful cyber privateering. Because all the bad guys have to do is snatch one member of a cyber privateer team, and the equation changes significantly (getting a body part every hour discourages creative organizational thinking).

Matt's second comment about making a deep dive into the cyber privateer model into a RAND project is intriguing. I confess that I've had to kind of pull my punches in this blog, because I don't want to give too much of my novel(s) away. I believe my fictional scenarios eliminate the need for a RAND or any other think tank project. I equate this to one of Einstein's "thought experiments" with which he worked out his Theory of Relativity. You see, Albert Einstein wasn't a very good mathematician or physicist, but his relativity "thought experiments" gave the mere technicians a proper enough statement of the problem that they could backfill his concepts with hard science. While I don't pretend to be on the level of Einstein, I am a passable mathematician who has spent his career successfully doing guerrilla warfare for top-tier technology companies.

My technological "thought experiment" contribution to cyber privateering is the derivation of 22 concepts that make up The Perfect Virus. The application scenario, how it all fits together with my Cyber Privateer Code of Conduct and our real-life political processes, is…well…under wraps right now. But my contention is that seeing the picture will pre-empt the need for RAND-type consideration.

As Matt can attest, talk is cheap, and the world is full of wannabes. There's them what does and them that talks about them what does. While Matt is a real Buffalo Bill Cody, I'm merely a Ned Buntline chronicling the adventures of guys like Matt.

But, if ever a lunatic U.S. Congress gives me a LoMaR, you can bet your life I'll put Matt on my security team.

Taman Shud.

Wednesday, June 8, 2011

Cyber privateer pro forma financials

I received a comment on yesterday's post on "attribution" from Matt (which I posted and answered but which got me thinking). Here's Matt's question:
Hey Rick, I was just curious if you have ever come across any economic theories that support the concept of privateering? Something that provides a calculation as to how fast it would expand, or how much money would be required to provide adequate incentive. That type of thing? Or are there similar industries that have the same dynamics of your vision of cyber privateering? Thanks.
My answer (typed from bed late at night on my iPad):
The numbers I've run are a reverse hockey stick, meaning that in my most likely scenario, the first hit would be a Godfather-like "This is the day we take care of all Family business" Pacino statement. After a well publicized parley dialogue, most of the cyber thieves will roll up their operations and run for cover. Deterrence is key. And it will take government-scale resources to do it right.
Matt deserves a little more thoughtful answer. I love playing with pro forma financial statements, especially since I specialize in helping start-up tech companies and want to help them be realistic yet optimistic. So let me thoughtfully take down Matt's multiple questions in order:
  1. Economic theories that support the concept of privateering? The closest I've come is to look at actual privateering analytics from the Revolutionary War (see my post on the subject). My net-net on the high-risk/high-reward business model showed VERY high rewards with a 78% kill-or-capture rate on their efforts.
  2. How fast will it expand? There are multiple dependencies here, which I'll address below. It appears that the Revolutionary War incentives to enter privateering were so substantial as to cause an explosion in interest that dwarfed the ability of the Constitutional Congress to raise men, ships and arms.
  3. How much money would be required to provide adequate incentive? I have proposed a 50/50 split between the privateer and the government issuing the Letter of Marque and Reprisal. Assuming that the bonding authority would demand 10% of the total take to buy the bond (yes, I pulled this out of the air using the current bail bond amount demanded by those guys with offices near pawn shops, bars and jails), the cyber privateering organization would end up with 40% of the take. How they incentivize their privateers would probably follow Silicon Valley equity formulae for compensation. Which brings us to the final question posed by Matt…
  4. Are there similar industries that have the same dynamics? Yep. In the 1970s it was the mini computer explosion. In the 1980s it was the PC explosion. In the 1990s it was…yep, you guessed it…the IPO bubble. In this century, it's the Internet explosion. All are technology plays, and all attract the very best and brightest people.
My point #4 above almost answers Matt's question #2: "How fast will it expand?" Here is where the dependencies come into play.

First, which government will get the first-mover advantage? Australia? Switzerland? The USA? Each case offers vastly different dynamics. The USA is my preference and probably offers the fastest path to fame and fortune for first-mover cyber privateers.

Secondly, how many Letters of Marque and Reprisal will be issued in the first round? Let us assume the USA bites the bullet and proceeds. If they proceed cautiously and grant just one LoMaR (hey, a new acronym), it will probably be to a Very Big Organization, possibly even another government (like Israel's Mossad). That being the case, the initial raid would be truly gigantic and cause such a worldwide reaction as to stop cyber crime cold. Hence the hockey stick analogy in my original answer to Matt's post.

A more likely but (in my mind) far less desirable USA implementation would be to award half-a-dozen "Beltway Bandits" LoMaRs. Assuming they could find a bonding authority that would indemnify them, they'd probably screw it up anyway.

A more desirable approach would have LoMaRs issued to guys like Oracle's Larry Ellison or Salesforce.com's Marc Benioff (two of my Cyber Privateer Fantasy League nominees), among others. This would stand the highest chance of success.

Finally, in my fantasy world (after all, I am doing this as research for several in-progress novels), the Senate Select Committee on Intelligence would grant me a top-secret LoMaR and simply publicize the fact that "one had been issued to an unnamed entity." Just the existence of such a vehicle would cause some cyber criminal and rogue government consternation. I would, of course, use some resources available to me to open up a giant can of whup-ass. I'd probably screw it up, but it surely would be fun until somebody grabbed me and started pulling out fingernails.

Tuesday, June 7, 2011

Who's really behind the attack?

If you read the myriad analyses of the recently stated Pentagon cyber war doctrine, all the pundits see the same flaw: attribution. In other words, who really launched the attack? Whether in the Cyber war sabers rattle article or in the Big questions about cyber war story, both in today's Network World and just illustrative of dominant thinking throughout newsdom, the authors bring up two scenarios:

  1. Finding out who really launched the attack needs to take into account intentional spoofing by one criminal/government to implicate another; and
  2. If the attack was launched from the United States, how do we prove we didn't do it?
Two good questions. Heck, if I were a jihadist who wanted to plunge the world into war, I'd actually hack into and co-opt China's cyber war machine so it launched the attack. Then they would have problem #2 above, proving that they didn't do it. Try proving a negative sometime, and you'll see why atheists are such a miserable lot. 

If we are limited to the current state of publicly available cyber security tools, then the foregoing two points pretty well pound a stake into the heart of legalizing cyber privateering. However, I've built several fail-safe elements into my proposals:
  1. Compliance with my Cyber Privateer Code carries severe penalties for "getting it wrong."
  2. This means that the legal bonding authority must be pretty sure of all who-did-what-to-whom evidence before they authorize confiscation of funds.
  3. The Ultimate Cyber Privateer Tool Kit will have far greater capabilities than current cyber warfare systems have demonstrated, which means they can back-track and infect all attack vectors until they hit the source of the attack.
  4. Monetizing cyber privateering means that licensed and bonded cyber privateers will pick the low-hanging fruit, namely following the money trail left by criminal organizations.
Of course, if someone did have access to The Perfect Virus, they'd most certainly be tempted to co-opt China's cyber war machine and have the world blaming them for some truly awful stuff. All of which is a very good reason why control of any country's cyber war machinery should be protected with as much diligence as we protect the nuclear launch codes in that football that follows POTUS. Building that ultimate virus will take government-size resources. 

Monday, June 6, 2011

WSJ: China again

Today's WSJ story, page A4, is a high-altitude summary of increasing Chinese cyber militancy. Which makes it hard not to laugh out loud when reading last week's UK Register story quoting Chinese generals saying, "We really need to get into cyber warfare." Of course, the ridiculous lengths to which China will go to deny reality are not only illustrated in their Time Magazine-reported denial of misbehavior, but in the reader comments to the above-mentioned WSJ story by an individual named Falcon Huang. One of Mr. Huang's many incredulous comments ended:
"My conjecture was recently vindicated when the legend of Tiananmen massacre was finally proven to be an American ingenious but maliciously made lie believed by the world for 22 years."
This is almost as amusing as Iranian President Mahmoud Ahmadinejad's assertion that there never was a Jewish Holocaust. 

With respect, Mr. Huang, I've published the IP addresses of Chinese attack servers. And throughout my writing over the past eight months, I've tried to keep my anti-Chinese rhetoric civil and constructive. The world is flat and we are globalized into mutual dependence. The adage that "an armed society is a polite society" is simply hogwash, as illustrated by your shrill WSJ comments and those of the poor saps egging you on. Just maybe some licensed and bonded cyber privateers could make things a bit more civil. Or not.

Saturday, June 4, 2011

Why the bad guys are winning

In his June 1st Computerworld story, blogger Michael Horowitz wrote an article titled "Why the bad guys are winning." He listed thirty-four reasons, the last of which I hope to help him with:
34. Judging by the stats I get, virtually no one reads this blog.
To my thousands of readers, I strongly endorse Mr. Horowitz's blog (you can link to his work by clicking on his name in the Computerworld article).

My goal today is to do a Venn Diagram showing where our two efforts intersect. Namely, Michael's first two points are the crux of my own efforts in diving into The Morgan Doctrine. His list starts as follows:
  1. The game is rigged in favor of the bad guys: To avoid breaches, the good guys have to succeed 100% of the time. The bad guys only have to succeed once. 
  2. TCP/IP, the underpinning of the Internet, was never designed with security in mind. Ditto Ethernet, the underpinning of almost all local area networks. You may recall that on the Internet, no one knows you're a dog.
I've harped on these two points again and again. 

1. The deck is indeed stacked against the good guys.

As I wrote yesterday, our cybercrime laws make it impossible for us to really identify the bad guys. Which is why Microsoft looks like a bunch of idiots. They can't even identify the author profiting from the Rustock botnet. Of course, it doesn't help that they gave the Chinese access to Windows source code. It is my opinion that licensed and bonded cyber privateers (guys with a get-out-of-jail-free card) who are bound by my Cyber Privateer Code of Conduct are the only truly workable solution.

Paraphrasing Vin Diesel in the movie XXX, "Ya gotta treat this like a Playstation. Let's blow up some stuff!" And yes, I've given similar advice to Sony on multiple occasions (do a search in the box to the left). 

2. TCP/IP was never designed with security in mind.

In my memorial tribute to the great Tom West, made famous by Tracy Kidder's Pulitzer-winning book The Soul of a New Machine, I pointed out that TCP/IP is just an outgrowth of DECnet and was originally designed to help academic institutions keep in touch. If we'd told TCP/IP designers that sane people would actually be using this technology to do online financial transactions, and that a whole industry called "The Cloud" would depend upon it for on-demand business communication, I'm sure their response would have been profanely incredulous.
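To make the "never designed with security in mind" point concrete, here is an added example (mine, not from the original post or any project it mentions): a small IPv4 header parser that recomputes the RFC 791 header checksum. The checksum is the only check the header carries, and it is a plain ones'-complement sum that any sender computes over its own bytes. It catches accidental corruption in transit, but nothing in the header binds the source address to whoever actually built the packet. The sample packet below is constructed with RFC 5737 documentation addresses; the function names are my own.

```python
"""Added example: decode an IPv4 header and check what the protocol verifies.

The header checksum (RFC 791) detects accidental corruption; it is not an
authentication mechanism. There is no field a receiver can use to confirm
that the source address was written by the host that owns it.
"""
import struct
from typing import Dict

IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte header, network byte order


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement of the ones'-complement sum of the header's 16-bit words,
    with the checksum field (bytes 10-11) treated as zero."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        if i == 10:                       # skip the checksum field itself
            continue
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                    # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int = 64, proto: int = 6,
                      payload_len: int = 20, ident: int = 0x1234) -> bytes:
    """Build a minimal IPv4 header (IHL=5, DF set) with a correct checksum.
    Used here only to construct the sample packet for the parser."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, ident,
                         0x4000, ttl, proto, 0, src_b, dst_b)
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:]


def parse_ipv4_header(packet: bytes) -> Dict[str, object]:
    """Decode the fixed header and report whether the checksum verifies."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    header = packet[:ihl]
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ttl": ttl,
        "protocol": proto,
        "total_length": total_len,
        "checksum_ok": ipv4_checksum(header) == csum,
        # The header has no signature, MAC or any other field that ties
        # "src" to the sender; integrity-against-corruption is all we get.
        "authenticated_source": False,
    }


def corrupt_ttl(packet: bytes, new_ttl: int) -> bytes:
    """Simulate a bit flip in transit: change the TTL without fixing the checksum."""
    return packet[:8] + bytes([new_ttl]) + packet[9:]


# Constructed sample (documentation addresses, RFC 5737).
SAMPLE_PACKET = build_ipv4_header("192.0.2.1", "198.51.100.7")

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_PACKET))
    print(parse_ipv4_header(corrupt_ttl(SAMPLE_PACKET, 63)))
```

The first parse reports `checksum_ok: True`; the copy whose TTL was altered in flight fails the check. Notice that `authenticated_source` is a constant, which is the whole point: a receiver can verify that the header bytes match their checksum, and nothing more.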

The good news here is that "the bad guys" are constrained by the same architectural weakness as "the good guys." Which means we can turn the tables on them with the same technology they use. We can do this, that is, if the U.S. law is modified to allow us to turn those tables. And my twenty-two principles for The Perfect Virus are the technological road map. 

And if we do not change U.S. law?

Not to worry, Grasshopper. It will take just one sovereign entity (i.e., Australia, Israel, Switzerland) to take a public stand and implement cyber privateering as a solution to Internet security. The first-mover advantage could net them trillions of dollars.

Friday, June 3, 2011

WSJ: "You can infect anybody on the Internet"

Wednesday's WSJ front-page story on Mideast governments "hacking" Skype to keep track of dissidents has a most telling assessment of Internet security by David Vincenzetti, CEO of Milan-based HackingTeam:
"You can infect anybody on the Internet," he says. "When the infection has taken place, you get full control" of their device, "and that means you can extract any information from that device."
Notwithstanding that the above quote comes from an Italian whose company name is HackingTeam, I think the U.S. cybercrime laws are forcing us to play the Internet commerce game with a stacked deck. Our laws are certainly making Microsoft look like a bunch of complete idiots (see my Wednesday post).

My own "net net" question to U.S. lawmakers: "Let me get this straight: You're okay letting repressive governments and foreign entrepreneurs use cyber defense tools explicitly illegal to U.S. companies?"

Thursday, June 2, 2011

Chinese, the usual suspects, Part II

Ah sigh. China again. Google reported the successful phishing of Gmail passwords from "…U.S. government officials, Chinese activists and journalists…" by China-based hackers. Yep, the usual suspects. Again. Back on November 11, 2011 I identified the IP addresses of Chinese attack servers waging war on my little "honey pot" Linux server. I contended then, and do so now, that this was either an official Chinese government operation or one tacitly approved by them. I have also postulated that Cyber War with China is inevitable, and that principle #7 of The Perfect Virus—Black Box Portability—will be critical to our survival. Because China is weaning itself from Western technology as fast as they possibly can (see my March 1, 2011 posting).
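For readers who want to see what "identifying the IP addresses of attack servers waging war on a honey pot Linux server" looks like in practice, here is an added example of my own (not code from the original post): it reads sshd lines in the auth.log format, counts failed logins per source address, records which usernames each source tried, and flags sources that cross a threshold. The log lines are constructed with RFC 5737 documentation addresses as stand-ins for whatever a real honeypot would record; the threshold and function names are my choices.

```python
"""Added example: summarize brute-force sources from sshd auth.log lines."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample in sshd's auth.log format. Addresses are documentation
# ranges (RFC 5737), not real attackers.
SAMPLE_AUTH_LOG = """\
Nov 11 02:14:07 honeypot sshd[4121]: Failed password for root from 203.0.113.45 port 51234 ssh2
Nov 11 02:14:09 honeypot sshd[4121]: Failed password for root from 203.0.113.45 port 51236 ssh2
Nov 11 02:14:11 honeypot sshd[4123]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Nov 11 02:14:12 honeypot sshd[4125]: Failed password for invalid user oracle from 198.51.100.9 port 40022 ssh2
Nov 11 02:14:15 honeypot sshd[4127]: Accepted publickey for rick from 192.0.2.10 port 50111 ssh2
Nov 11 02:14:20 honeypot sshd[4129]: Failed password for invalid user test from 203.0.113.45 port 51250 ssh2
Nov 11 02:14:21 honeypot sshd[4131]: Failed password for root from 203.0.113.45 port 51252 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(log_text: str) -> List[Tuple[str, str]]:
    """Return (source_ip, username) for every failed-password line."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("user")))
    return hits


def summarize_sources(log_text: str, threshold: int = 3) -> List[Dict[str, object]]:
    """Aggregate failures per source, most active first, and flag brute forcers.

    `threshold` is an arbitrary cutoff chosen for this example; tune it to
    the noise level of the host being watched."""
    failures: Counter = Counter()
    usernames: Dict[str, set] = defaultdict(set)
    for ip, user in parse_failed_logins(log_text):
        failures[ip] += 1
        usernames[ip].add(user)
    return [
        {
            "ip": ip,
            "failures": count,
            "usernames": sorted(usernames[ip]),
            "brute_force": count >= threshold,
        }
        for ip, count in failures.most_common()
    ]


if __name__ == "__main__":
    for entry in summarize_sources(SAMPLE_AUTH_LOG):
        flag = "BRUTE FORCE" if entry["brute_force"] else "noise"
        print(f'{entry["ip"]:<16} {entry["failures"]:>3} failures '
              f'({", ".join(entry["usernames"])}) -> {flag}')
```

On the constructed sample, 203.0.113.45 is reported with five failures across root, admin and test, while 198.51.100.9 shows a single probe and the successful key-based login is ignored. On a live honeypot you would feed it the real `/var/log/auth.log` (or journald output) and treat the flagged list as the candidates for a block rule or an abuse report, which is about as far as a civilian is allowed to go under current law.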

At best, The Morgan Doctrine postings will get the U.S. Congress off the dime in time. At worst? I once served as chairman of the audit committee for a public company. The Morgan Doctrine will provide an audit trail to condemn institutional stupidity as we are forced into a "Plan B" rebuilding-from-the-ground-up of a completely destroyed U.S. technology infrastructure.

Thus saith The Destroying Angel.

Wednesday, June 1, 2011

Microsoft makes the case for cyber privateering

Brian Krebs reported today the best possible justification for legalizing bonded cyber privateers when he revealed that the best and brightest from Microsoft couldn't even identify the author of the Rustock spam botnet. Of course, by one chain of logic you might argue that if the "great and powerful Oz" couldn't even nail down one bad guy, then maybe the whole premise for cyber privateering is moot. If you can't identify the cyber criminal, then you can't raid his organization or loot his bank accounts. I don't buy this thinking.

I contend that because Microsoft is playing by the rules, obeying current U.S. law, they can't really mount an aggressive countermeasure defense as I outline in The Perfect Virus principle #22. Without a get-out-of-jail-free card, they can't infect attacking systems down the chain until they can pop the proverbial Alien monster out of the chest of one very surprised sleazebag.

Which is why I believe that Microsoft's experience(s) fully justify giving the U.S. Congress a boot to the head so they'll let us…take care of business.