Wednesday, August 31, 2011

Could the DoJ authorize cyber privateers?

Not only are our cyber laws placing us at a tremendous disadvantage, but U.S. companies must also be held to a higher standard when it comes to doing business abroad. Today's headline WSJ story (front page, top of the fold) talks about a criminal investigation of Oracle for dealings with Western and Central African countries. The handcuffs are called the Foreign Corrupt Practices Act (FCPA) of 1977. Tough to do business when everyone has his hand out. Kind of like my experience in Chicago circa 1973. Don't ask.

Then in the early 1980s, I was sitting in a Washington, D.C. restaurant trying to do business with a high-ranking government official, who said, "We won't be doing business until I get my deal." Don't worry. We didn't do business.

Yep, tough to do business when everyone has his hand out. But in the midst of all the baloney, there is a sliver of hope as I find another precedent buried in the FCPA law. Here, the Justice Department can actually pre-authorize (wink-wink) "bribery" under certain conditions:
The Department of Justice has established a Foreign Corrupt Practices Act Opinion Procedure by which any U.S. company or national may request a statement of the Justice Department's present enforcement intentions under the anti-bribery provisions of the FCPA regarding any proposed business conduct. The details of the opinion procedure may be found at 28 CFR Part 80. Under this procedure, the Attorney General will issue an opinion in response to a specific inquiry from a person or firm within thirty days of the request. (The thirty-day period does not begin to run until the Department of Justice has received all the information it requires to issue the opinion.)  Conduct for which the Department of Justice has issued an opinion stating that the conduct conforms with current enforcement policy will be entitled to a presumption, in any subsequent enforcement action, of conformity with the FCPA. Copies of releases issued regarding previous opinions are available on the Department of Justice's FCPA web site.
I am particularly impressed with the 30-day fast track (the thirty-day window quoted above). The "jailhouse lawyer" in me contends this could be a partial precedent for the issuance of a cyber privateering confiscation effort. Or it could at least give a bonding authority the get-out-of-jail-free card to authorize a cyber-looting action.

Just a thought.

Too bad Oracle didn't obtain a DoJ opinion before trying to do business in Africa. Then again, maybe they did and it will come out as they're crafting their defense.

Interestingly, if you want to look at previous FCPA opinions, click here. If you want a real knee-slapper, check out this link, where the U.S. Government got permission (wink-wink) to bribe (er, hire as a director) one or more representatives of a foreign government for a project. Hey Oracle, I hope your legal counsel is reading these things!

Tuesday, August 30, 2011

Sprint was smart to blackball China's ZTE

Back in November, I wrote about Sprint excluding the Chinese company ZTE based largely on security concerns. Now, the WSJ has reported (again, on today's front page, below the fold) that Libyan intelligence used ZTE gear to track down (and probably murder) rebels. Good job, Sprint! I might buy my next cellphone plan from you guys.

To be fair to China, the French technology firm Amesys (part of Bull SA) installed the Libyan monitoring center. In the story, a small South African supplier (Vastech) refused to comment on their involvement, but said that they sell only "to governments that are internationally recognized by the U.N. and are not subject to international sanctions. The relevant U.N., U.S. and EU rules are complied with." That should be swell consolation to the families of dissidents who got "disappeared" by Gadhafi intelligence goons.

I'd like to see the names of all companies who contracted directly to supply Libyan cybercontrol systems. Maybe the dissidents who have retaken the Libyan data centers will take a close look at the file cabinets for signed contracts, which they will then make public.

Monday, August 29, 2011

"Data exhaust" and predictive analytics

There is some new technology coming. It's beyond simple "data exhaust" analysis, where you can get a forensic report answering questions like:
  1. Which bank transactions are money laundering?
  2. Which of your customers are behaving like terrorists?
  3. Who really launched the DDoS attack on your system?
Predictive analytics can use "data exhaust" PATTERNS to predict what's ABOUT TO HAPPEN, answering questions like:
  1. Which stocks are about to take a significant swing (see the Twitter-based hedge fund story)?
  2. Which foreign government is about to make big bucks by slowing down the "side channel" and how can we skin them at their own game (see my post on the Russians and Chinese rerouting of trade information)?
  3. Based upon telephone/banking/Internet "data exhaust," when is a terrorist action imminent (see my ThinThread story)?
Suppose that there is an analytics company that has delivered over $30 million in off-the-charts-spooky analytical products to the federal government. Suppose they're about to give away a free analytics product that allows you to do some pretty freaky Twitter-feed analytics? And like back-alley crack dealers who hook you by giving you a free sample, suppose they will sell you their full-blown products for less than the cost of a seat?

I'm playing with just such a full-blown product right now. Stay tuned for some serious flights of fancy.

Saturday, August 27, 2011

"Data exhaust" from Irene

The Department of Homeland Security (DHS) warned Thursday that, in the wake of hurricane Irene, we should "…be on the lookout for storm-related phishing attacks and other malicious cyberactivity." Given my posting yesterday about cybercriminals waiting until the weekend to loot Fidelity National Information Services of about $13 million via their worldwide ATM network, it is not unrealistic to heed the DHS warning. One interesting question involves who will make the most of Irene along the eastern seaboard: Chinese cyberwarriors or Russian crooks?

Friday, August 26, 2011

Should FIS loot Russian Federation assets?

Krebs blog scooped the press concerning the unreported theft of approximately $13 million from Fidelity National Information Services (FIS), "the world's largest processor of pre-paid debit cards." A similar methodology was used by my previously lauded "young Darth Vader," the Russian who raided the Royal Bank of Scotland but did no jail time for his efforts. Russia gave him probation.

Question to FIS: Why not put some muscle behind an E-petition in the U.K. to legalize cyber privateering? Not only could you go after the crooks' banking assets, but you could also loot the Russian Federation Treasury (see my post by clicking here).

Thursday, August 25, 2011

Lloyd's justification for looting Chinese government

On August 19th, I suggested a justification to a hypothetical bonding authority—such as Lloyd's of London—authorizing the looting of Russian Federation banking assets by licensed and bonded cyber privateers. Here is the beginning of a similar "Chinese smoking gun," proof that China is involved in state-sponsored cyber attacks. The following screen shot was taken from a Chinese TV ad run in July, and the newspaper translates the labels in the image as "Select attack target" from a pull-down list of Falun Gong sites.
The rest of the article qualifies the story as follows:
That's because The Epoch Times says the video identifies the software as being written by the Electrical Engineering University of the People's Liberation Army, while the IP address the video shows as originating the attack resolves to the University of Alabama at Birmingham. The university told the newspaper that the address has not been used since 2010, and it believes its network has not been compromised.

While the video may have been seen as propaganda claiming a capability that didn't actually exist, the government-run TV channel CCTV7 has since removed the original video from its Website and replaced it with a more generic slot, leading F-Secure's Mikko Hypponen to agree with the newspaper that the footage is genuine, and was included in the original footage by mistake.
China has consistently denied launching state-sponsored attacks against international targets (as has practically every government accused of espionage of any kind).
Part of the video ad can be seen on the F-Secure website by clicking here.

Wednesday, August 24, 2011

Hypothetical Ellison/Hurd conversation

Yesterday I hopped onto the Ellison-has-his-sights-on-HP bandwagon. Having spent as much time as I did with Larry, the following conversation between him and Mark Hurd started percolating in my imagination. I don't know Mr. Hurd at all, but I can actually hear Larry's voice. No, I'm not hearing actual voices. But I can imagine them. So I provide the following for your entertainment.
ELLISON:   Hey Mark, what the pheck is going on with Apotheker at HP? 
HURD:        Which flame-out catches your attention today? 
ELLISON:   Well, let's see. Within a month of announcing the HP tablet, he cuts prices twice. Then he decides to exit the PC business and abandon iOS. And that Autonomy acquisition! Those idiots were on the block for years! HP stock is tanking. The sumbich is doing a better job of destroying HP by incompetence than I've been able to do on purpose!
[Both laugh heartily.] 
HURD:        You have a point, Larry. He got canned by SAP. Maybe he landed on his head when they threw him out. 
[More laughter] 
ELLISON:   HP is a laughing stock. Kind of a shame for such an iconic company. 
HURD:        You could buy 'em. 
ELLISON:   We have less than $30 billion in the war chest. Their stock is going to have to drop a lot further. And even then… 
HURD:        I'll bet I could put together deals to sell off the PC and printer divisions as part of the buyout package. I know exactly who we could call to make this happen. We keep the enterprise division and you get some great storage patents, along with a much-relieved customer base. 
ELLISON:   Nice. I know just the guy who could step back into the saddle and whack some HP costs. 
HURD:        Yes you do. 
ELLISON:   It'd still be a hostile takeover. 
HURD:        Maybe not. Your old buddy Ray Lane is chairman of HP's board and may need to do some face saving. If not to make up for hiring Leo, then at least to mitigate his risks from a shareholder class action lawsuit.  
ELLISON:   Interesting. 
HURD:        Want me to make a couple of calls? 
ELLISON:   Be careful. That guy Josh Kosman at the New York Post has some pretty good sources. He could do the story and blow the lid off things.
HURD:        Is that a problem? It keeps Apotheker's incompetence in the news. The HP board may come to us and ask for a lifeline. 
[More laughter] 
ELLISON:   Make the calls, Mark.
As the credits rolled in some western movie in my past, one line perfectly encapsulates the above hypothetical dialogue: "This isn't the way it was. But it's the way it should have been."


Tuesday, August 23, 2011

Is Captain Ellison buying HP?

You've got to love the way the leader of my Cyber Privateer Fantasy League team keeps making headlines. Just yesterday, Forbes magazine reported on rumors that Oracle's Larry Ellison has his sights on acquiring HP. Can there be any doubt that Larry truly knows how to wage war? Too bad we can't get him to set his sights on bringing down cybercrime and government-sponsored cyber adventures.

For those of you who want additional insight into Mr. Ellison, click here to see my proposed introduction of him for his upcoming Utah Technology Council Hall of Fame keynote. I'm not likely to be asked to make this introduction, but I couldn't resist writing it anyhow. Enjoy.

Monday, August 22, 2011

WikiLeaks and the trouble with anarchists

The trouble with anarchist adhocracies is well illustrated by today's online Time Magazine story. The bickering between WikiLeaks leader Julian Assange and his former spokesperson Daniel Domscheit-Berg has caused some 3,500 files to be obliterated from the archive. While these "rebels with a cause" have reminded me of my own attitudes in the anti-war sixties, the current internecine squabbling also reminds me why I long ago opted to support change under the "rule of law." Which, I guess, is why I'm trying to go after cyber misbehavior with…The Morgan Doctrine.

Saturday, August 20, 2011

Ten cyber vulnerabilities

Network World did a great summary of the ten "scariest" vulnerabilities discussed at the Black Hat and Defcon conferences. While we're waiting to see if the legalization of cyber privateering makes it onto the U.K. E-petition system, let me take this opportunity to remind the world why we're in such a precarious position. Without some advanced thinking on cyber security, we're well and truly screwed. Here are ten scary (but not anywhere close to my own list) vulnerabilities:

  1. At Black Hat, NSS researcher Dillon Beresford demonstrated how to hack a Siemens S7 computer, gain read-and-write access to the memory, steal data, run commands and shut the computers off. All this is very bad when you consider these devices are used to control machines in factories, utility networks, power plants, chemical factories and the like -- a major security threat. His findings were so troublesome that he pulled out of an earlier conference where he'd been scheduled to present the information until Siemens could patch the vulnerabilities he exposed. And the Department of Homeland Security monitored his talk to make sure it didn't reveal too much.
  2. Botmasters can use VoIP conference calls to communicate with the zombie machines in their botnets, researchers Itzik Kotler and Iftach Ian Amit of security and risk-assessment firm Security Art demonstrated at Defcon. They released a tool called Moshi Moshi that converts touchtones into commands the bots can understand and turns text into speech to capture information on compromised corporate computers and read it into voicemail for the botmaster to pick up later. The techniques enable botmasters to control their hijacked machines from wireless phones and even payphones (if they can find one). The botmasters call in to the conference bridge, the zombies connect via the corporate network and data can flow, the researchers showed.
  3. Independent researchers Dave Kennedy and Rob Simon showed Defcon a device they customized that can tap into home powerlines to monitor and control home alarm and security camera systems. Using the device and broadband-over-powerline technology, burglars could plug the device into an electric outlet on the outside of a house and monitor devices inside the home. They could deduce, for example, that if the alarm system is turned on and security cameras activated then the residents are not at home. The device can send signals that jam signals from the security devices, leaving burglars free to break in without worry that alarms will be set off, the researchers say.
  4. A spy drone made from off-the-shelf electronics was demonstrated at both Black Hat and Defcon by its creators, Richard Perkins and Mike Tassey. The model plane -- Wireless Aerial Surveillance Platform (WASP) -- was tricked out with electronics that can crack codes and pick off cellphone calls, and an onboard computer that can execute a flight plan designed to have the plane circle above a target while it does its work. The researchers say that if they can build one, so can just about any country or corporate espionage group that puts its mind to it, so beware.
  5. Car hijack via phone networks: A demo at Black Hat hacked a Subaru Outback car alarm, unlocked the doors and started the vehicle, all using text messages sent over phone links to wireless devices in the vehicle. The same type of exploit could just as easily knock out power grids and water supplies, says Don Bailey, a security consultant with iSec Partners, who presented the research. The common thread is that the car alarm and certain devices on critical infrastructure networks are all connected to public phone networks in ways that are fairly simple to compromise, and the prospect is threatening enough that the Department of Homeland Security wanted a briefing beforehand.
  6. Hack faces to find Social Security numbers: A demo at Black Hat and Defcon showed it's possible to acquire a person's Social Security number using nothing more than a photo publicly available in online social-network databases, face-recognition software and an algorithm for deducing the numbers. The point is to show that a framework of digital surveillance that can go from a person's image to personal data exists today, says Alessandro Acquisti, a professor at Carnegie Mellon University, who presented the research. The results will only get better as technologies improve, making privacy more scarce and making surveillance readily available to the masses. "This, I believe and fear, is the future we are walking into," says Acquisti.
  7. Remotely shut down insulin pumps: Insulin pumps that diabetics rely on to keep their blood sugar in balance can be shut off remotely, a researcher demonstrated at Black Hat. Jerome Radcliffe, a diabetic himself, showed how he could pick off wireless signals used to control the pump, corrupt the instructions and send the altered commands to the machine. He could force the wrong amount of insulin to be pumped or shut the device off altogether, either of which could be fatal in the wrong circumstances. The problem, he says, is that the devices weren't designed with security in mind.
  8. Embedded Web server menace: There are embedded Web servers that come in photocopiers, printers and scanners meant to make administering the devices easier, but they lack security, leaving them open to being pilfered for documents recently scanned or copied, Michael Sutton, vice president of security research at Zscaler Labs, told Black Hat. He says he's able to find these Web servers through scripts he wrote to scan huge blocks of IP addresses and recognize telltale Web header fingerprints. "There's no breaking-in required," Sutton says.
  9. Spreading false router tables: A researcher at Black Hat revealed a vulnerability in the router protocol Open Shortest Path First (OSPF) that lets attackers install false route tables on uncompromised routers in an OSPF-based network. That puts networks using the protocol at risk of attacks that compromise data streams, falsify network topography and create crippling router loops. The solution? Use another protocol such as RIP or IS-IS, or change OSPF to close the vulnerability, says Gabi Nakibly, a researcher at Israel's Electronic Warfare Research and Simulation Center, who discovered the problem.
  10. SAP flaw: A flaw in SAP's NetWeaver software enables hackers to dodge authentication into the ERP system, says researcher Alexander Polyakov of security firm ERPScan, who presented his findings at Black Hat. The implications of this are that attackers could gain access to data and delete it, he says. He was able to Google hack servers that contained the flaw, he says, which was present on about half the servers he tested. SAP says it plans to issue a fix for the problem.
Dare I say that this is just the tip of the iceberg? We should have a yea-or-nay next week on whether or not the cyber privateering E-petition is available for signatures. Stay tuned.

Friday, August 19, 2011

Lloyd's justification for looting Russian government

Yesterday I opined that the U.K. CPBA (Cyber Privateer Bonding Authority)—such as Lloyd's of London—would not likely sanction an operation if its case weren't air tight. The question is, how do you build an air-tight attribution case? Check out Brian Krebs' story on how Russian cyber criminals actually paid off authorities. This is one giant nail in the coffin of a corrupt Russian government. So should the pending E-petition to the HM Government be acted upon, and should the U.K. become the first country to legalize cyber privateering and adhere to the Cyber Privateer Code of Conduct, then per paragraph #2 of the code, Russian government assets could be looted.

I would imagine the Parley Dialogue (see paragraph #3 of the above referenced Cyber Privateer Code) would go something like this:
Russian Ambassador: "You just looted $10 billion US from Russia."
Privateer Parley Agent: "Yes sir, that is correct." 
Russian Ambassador: "This is an act of war!" 
Privateer Parley Agent: "This isn't the United Nations, so let's cut to the chase. We'll give you half the money back if you immediately arrest the individuals in the cited criminal organizations, the government law enforcement officials to whom they were paying protection, and publicly admit complicity and indemnify our bonding authority for future challenges to this raid." 
Russian Ambassador: "This is outrageous! And if we do not comply with your demand?" 
Privateer Parley Agent: "Then tomorrow we will confiscate another $10 billion of your assets." 
Russian Ambassador: [unintelligible sputtering] 
Privateer Parley Agent: "You have ten hours to comply on this video conference channel. After that, the deal is off the table and pursuant to Cyber Privateer Code paragraphs #1 and #2 we will continue raiding your banking assets for a period of 6 months."
My question now is: how long do you think cyber criminals will continue to function around the world?

Thursday, August 18, 2011

U.K. Cyber Privateer Bonding Authority: Lloyd's

I suggested yesterday that there is an obvious candidate to function as the U.K. CPBA (Cyber Privateer Bonding Authority), should my Brit mates perfect an E-petition that makes it through the screening process and actually goes online. While I'm waiting to see if an E-petition actually makes it to the signature stage, why not share not only the name of the candidate but my pro forma thoughts for a whole new industry?

My suggestion for the U.K. CPBA lead underwriter is…Lloyd's of London. The CPBA is nothing more than an enabling insurance vehicle to make the market in a new financial instrument. Not only could licensed cyber privateers buy their bonds from Lloyd's (no inexperienced yahoos need apply), but individuals and corporations could buy cyber-intrusion insurance coverage if they meet well defined security-audit conditions. Talk about a growth market!

Remember, the bonding authority will protect the world from what I referred to in my November 18th post last year as the "inept French privateer." That is because the cyber privateer must operate in conformance with The Cyber Privateer Code. Period. Anybody operating as a cyber privateer had jolly well better be licensed and bonded, or they are going to do some serious jail time. Furthermore, if the Bonding Authority blows it, lets a schmuck cyber privateer muck it up, and doesn't make restitution within ten days of the parley, then the insurance liabilities to the bonding authority will make Hurricane Katrina's losses seem like a minor cloudburst. I might as well get specific and stop beating around the bush in my June 8th pro forma prediction for the first coordinated cyber privateering adventure. The first shot should yield at least $50 billion US. Which means $25 billion goes into the U.K. Treasury, $22.5 billion to the cyber privateer organization, and a $2.5 billion fee to Lloyd's. But if the cyber privateer blows it, a $50 billion mistake means Lloyd's will be responsible for a $5 trillion restitution.

So, mates, do you think Lloyd's will pull the trigger on anything less than a sure thing?

Neither do I.

Wednesday, August 17, 2011

Awh come on, U.K.!

Up until the last sixty days, I kind of thought my cyber privateering proposal was excellent fodder for a new novel, but that there was little chance a major country would literally adopt the policy. Yesterday's video by George Friedman, founder of the Stratfor intelligence think tank, significantly changed the battle ground. Listen to his analysis of the world political economy, and you'll see some "data exhaust" that might make you a believer, too. His net-net, with which I wholeheartedly agree:
[Paraphrasing him]: "We have a crisis in virtue, and a complete loss of faith and trust in our financial elite which has now spread to our political elite. London rioters contend their own criminality has been legitimized by the criminality of both the financial and political leaders. The financial and political elite seem to be making record salaries while the little guy is paying the price."
Net-net: The people we trust have profoundly lost that trust. There has never been a better time to take cyber security completely out of the proven-incompetent hands of the politicians. The Chinese are continuing their global misconduct. Whole countries are falling victim to brilliant cyber assaults. Rebels with a cause—like Anonymous—aren't missing any opportunities to protest in ever more disruptive ways. The "Young Darth Vader" doesn't even get Russian jail time for stealing $10 million from the Bank of Scotland. All the while, the financial elite are earning record bonus checks. And the politicians are more interested in scoring points against their opposition than in solving the core problems.

For this reason, if the cyber privateering E-petition to HM Government can somehow be resurrected (see yesterday's post, where HM Gov rejected a first pass at it) and goes online, I predict it will garner the 100,000 signatures needed for the politicians to actually put this skunk on the table. Because having to go out and actually work for a living may not appeal to such a large body of proven incompetents.

Besides, as I pointed out in my note to Australia on the first-mover advantages, the rest of the world will "circle the wagons but silently cheer you on." Furthermore, my speculation on the pro forma financials is that the first cyber privateer raid sanctioned by the legal bonding authority could put BILLIONS into the U.K. Treasury. BILLIONS.

I have a pretty good idea who I'd recommend to be the U.K. Cyber Privateer Bonding Authority. Hint: The first Bonding Authority could turn the entire financial world on its collective ear. Want to take a guess? It would make the LSE and AIM the other two legs of a remarkable world financial leadership platform. Come on, HM Gov! This is your chance to turn the tide.

Tuesday, August 16, 2011

U.K. rejects privateering E-petition

Not sure why Mr. Hopkindon's E-petition to legalize cyber privateering was rejected by the HM Government E-petition site. Here's the link for the following (anybody want to take another shot at this?):


Legalise Cyber Privateers

Responsible department: Foreign and Commonwealth Office
Because world-wide law enforcement is completely unequipped and under staffed to fight the wave of cyber crime and hostile invasion by various governments, it is proposed that cyber defense be privatized as follows: HM Government must rescind the UK signature on the Paris Declaration of 1856 that outlawed privateering (which I assume could be applied to cyber privateering, too). HM Government would license and bond CYBER PRIVATEERS who would loot criminal enterprises and the treasuries of rogue governments, and split the proceeds 50-50 with the UK Treasury. The CYBER PRIVATEERS would be bound by "The Cyber Privateer Code" of conduct outlined at A legal justification under international law can be found at:

This e-petition has been rejected with the following reason given:

E-petitions cannot be used to request action on issues that are outside the responsibility of the government. This includes:
  • party political material
  • commercial endorsements including the promotion of any product, service or publication
  • issues that are dealt with by devolved bodies, eg The Scottish Parliament
  • correspondence on personal issues
E-petitions cannot be used for freedom of information requests.

Monday, August 15, 2011

U.K. E-petition in the queue

Within hours of my Saturday prediction based upon "data exhaust" that there would likely be an E-petition submitted to U.K. Gov to legalize cyber privateering for the protection of individuals and governments around the world, I received notification that two different U.K. citizens were moving theirs ahead. I will report to you when the Cyber Privateering E-petition goes live. I'll also write at some length about the irony of the U.K. leading this effort. Given that the U.S. Revolutionary War was substantially financed and won by high-seas privateers preying on British shipping, wouldn't it be ironic if our war against cyber crime and waging of world cyberwar were to be led by licensed and bonded British cyber privateers? Stay tuned.

Saturday, August 13, 2011

Get set for a U.K. cyber privateering E-petition

For the last week, the #1 country reading The Morgan Doctrine has been the U.K. Must have had something to do with my call for one of my Brit readers to start an E-petition to HM Government legalizing (er, legalising) cyber privateering. Over the last month, the worldwide audience ranking has looked like this:

  1. United States
  2. United Kingdom
  3. France
  4. Germany
  5. Ukraine
  6. China
  7. Russia
  8. Malaysia
  9. India
  10. Singapore

So in the last week, the U.K. has exceeded U.S. readership on a daily basis anywhere from 16-to-1 to a mere 2-to-1. If I were to make a prediction based upon "data exhaust," I'd say we'll have an E-petition up and gathering signatures soon. Stay tuned.

Friday, August 12, 2011

New cyber warfare equation

The U.K. Register headline reads: "Q: Why do defenders keep losing to smaller cyberwarriors?" In the article, San Francisco author Dan Goodin reports on a particularly inane talk by a "prominent security consultant" trying to debunk the new order of cyberwar battle. Goodin accurately reports on the consultant's talk, and then astutely (as would any reader of the quotes he uses) points out that the speaker "…seemed to digress into asides that undermined his premise." I agree. Defenders keep losing (and will keep losing) to smaller cyberwarriors. Which means the whole warfare equation has changed.

Whether you're playing the board game RISK or spend time online playing SOCOM on your PlayStation (or PSP), conventional warfare wisdom is that the attacking force must outnumber the defender by a 3-to-2 margin. Not so in cyberwar, where a pimple-faced/if-you-catch-me-you-must-charge-me-as-a-minor kid and his buddies can (to name just a few recent examples) deface the CIA, shut down a credit card operation, pwn a major news organization with fake stories, or release personal information on law enforcement officers. As I've said before, my old friend and science fiction author (the late) Frank Herbert perfectly predicted our day and the new order of (cyber)battle.

It used to be common wisdom that one well-dressed man who didn't care about sacrificing his own life could kill the president. Today's reality and the corollary anticipated by Frank Herbert is:
One sufficiently intelligent minor can bring down The Man without much to fear in the way of consequences.
Given this new cyber warfare equation, I propose an axiom for the new order of (cyber)battle:
Licensed and bonded cyber privateers are the only salvation for our modern age.
Yes, there will always be that penniless anarchist, kindred spirit to the FTW motorcycle gang, who sets out to destroy things just because he can. Ditto for the emotional pygmy dictator who wants to take the world down with him. After all, North Korea really has nothing to lose. But the brainpower and technology unleashed by legalized cyber privateers armed with The Perfect Virus could not only mitigate against the above referenced freaks, but that brainpower and technology could bring all other cyber misconduct to a screeching halt.

Taman Shud.

Thursday, August 11, 2011

China NOT a victim

Does the following Network World quote (about China's being hit with 480,000 trojan horse attacks in 2010) raise any questions about the veracity of their claim?
China's National Computer Network Emergency Response Technical Team (CNCERT) released some of the figures on Tuesday from an upcoming annual report. Of the 221,000 attacks that originated outside of China, 14.7 percent came from the U.S., while another 8.8 percent came from India.
Read it again. Any questions? Okay, now compare this to all the anti-American signs you see during riots and demonstrations in the Middle East. Notice that those signs are written in English, rather than Urdu or Arabic, etc. Definitely intended for consumption by American media. Finally, consider the Russian acronyms: KGB and GRU. We know what those organizations do, thanks to a wealth of spy fiction from the likes of Tom Clancy and Robert Ludlum. KGB stands for Komitet Gosudarstvennoy Bezopasnosti, or Committee for State Security. Similarly, GRU stands for Glavnoye Razvedyvatel'noye Upravleniye, or Main Intelligence Directorate. These are Russian terms that do not translate directly into their literal English acronyms. Now, read the Network World paragraph again.

Does it seem strange that the acronym CNCERT is for English-language consumption and quite literally stands for China's National Computer Network Emergency Response Technical Team? Even the Russians, another major haven for cyber crime and cyber espionage, aren't this stupid or patently transparent.

Sorry China, but I'm still waiting for an explanation of the IP addresses I previously published on November 11th of last year identifying the Chinese attack servers hitting my Linux systems. 

Wednesday, August 10, 2011

My introduction of Larry Ellison

Larry Ellison—founder of Oracle Corporation and the leader of my Cyber Privateering Fantasy League team—is scheduled to give the keynote address at the 13th Annual Utah Technology Council Hall of Fame Celebration. For years, I've petitioned Larry to let me give this introduction. Especially in the state of Utah (which you will see from the introduction), I think this would bring down the house. You be the judge:
I’ve known Larry Ellison for almost 30 years. Since this meeting of the Utah Technology Council is predominantly attended by Mormons, I wanted to share an audience-specific insight to your keynote speaker.
Mike Wilson wrote the best-selling book The Difference Between God And Larry Ellison* — with an asterisk after the title explained at the bottom of the page: “God Doesn’t Think He’s Larry Ellison.” You’ll better understand the religious overtones of the title once you realize that Mike Wilson was the religion editor for the St. Petersburg Times.
I spent several hours being interviewed by Mr. Wilson as he wrote the book. He understood that I was a Mormon, and I shared with him my personal opinion—I had to make sure Mike knew I was in no way speaking for the whole Church—and only my personal opinion, that Larry Ellison was the fulfillment of Old Testament prophecy. You can see exactly what Mike wrote on page 172 of the book. He never got past the “redeem the dead” part of our three-fold mission on the planet, and therefore never asked about the biblical backup, so I never got to tell the whole story. But I’m going to tell you, now.  
Of course, most of you can recite from memory the last two verses of Malachi, the very last book of the Old Testament:
Behold, I will send you Elijah the prophet before the coming of the great and dreadful day of the Lord: And he shall turn the heart of the fathers to the children, and the heart of the children to their fathers, lest I come and smite the earth with a curse. 
If Mike had looked at this prophecy, quite literally the last phrase in the Old Testament—“…lest I come and smite the earth with a curse.”—he would certainly have penned a much stronger title. Because the world’s largest genealogy repository, the Mormon Church, depends upon Oracle, and because fully one third of our mission is to redeem the dead, my own introduction is somewhat more cosmic in nature:
I therefore introduce to you:

  • Not only one of the richest men in the world;
  • Not only the founder and heart of Oracle;
  • Not only the owner of The America’s Cup championship racing yacht;
  • And not only the future owner of an NBA-championship basketball team (another prophecy of mine);
I introduce to you the man whose vision and persistence and dedication have saved the earth from destruction. I present to you, Lawrence J. Ellison.
[If you're interested in a summary of my posted quotes from Larry Ellison, click here.]

Tuesday, August 9, 2011

Prize for UK cyber privateer E-petition

Yesterday I put out a call for one of my U.K. readers to submit an E-petition to HM Government that would legalize (legalise to you Brits) cyber privateering. I said I'd come up with a swell prize for the first person who enters the E-petition. And a "sweller" prize if we get the 100,000 signatures necessary for the measure to be debated in The House of Commons. Well, the prize for the U.K. citizen who initiates the E-petition will be a signed hard-cover copy of my novel Destroying Angel. In fact, chaps, I'll even pay for shipping and handling anywhere in the world.

You computer wizards will especially like one of my characters named Black Madonna. She's a computer genius who speaks only in palindromes (sentences that read the same backward as they do forward). Black Madonna writes a computer virus that achieves consciousness and takes over the Internet. As an author, the reason I created this character and have her speak only in palindromes is that I wanted to "suspend disbelief" by showing how innately smart she was. It took me twenty years to write the novel, because sometimes one line of dialogue would take me and a pair of computers an entire week to craft. After all, I couldn't cheat. For example, when she is trying to compliment a person with whom she is chatting online, and yet warn him of danger, she writes: "Part Allah, eh? The hall a trap!" Like I say, sometimes a single line of dialogue took a week to write.

Here ya go. Cover price of $30, with all postage and shipping paid. Of course, you can get it directly from Amazon new for a mere $22.80. Or used for $2.51. But if you create the E-petition, I'll sign it and personalize the message. Truly a collector's item, if you have a sense of history.

I'm still working on a SPECTACULAR prize to the E-petition initiator should your submission achieve 100,000 signatures and get debated in The House of Commons. Suggestions for such a prize would be welcomed.

Monday, August 8, 2011

Wanted: 1 U.K. cyber privateering advocate

Today I have a respectful request of at least one of my British readers: How about sponsoring an E-petition to legalize cyber privateering in the U.K.? Thanks to The Register, I just learned about the August 4th launch by your government of E-petitions. What a…no offense…revolutionary idea! As I understand it, if a given petition garners 100,000 signatures, then it "could be debated" in The House of Commons. I've even taken the liberty of drafting the first petition page for you (I couldn't go further, as I am not a U.K. citizen nor do I spend much time at all in England):
The three legal elements in the above petition are:
  1. HM Government must rescind the UK signature on the Paris Declaration of 1856 that outlawed privateering (which I assume could be applied to cyber privateering, too).
  2. HM Government would license and bond CYBER PRIVATEERS who would loot criminal enterprises and split the proceeds 50-50 with the UK Treasury.
  3. The CYBER PRIVATEERS would be bound by "The Cyber Privateer Code" of conduct outlined at
My "gut" tells me this would be a "Ministry of Defence" initiative, although they'd have to work closely with Treasury. The benefits of a first-mover advantage to the U.K. would be enormous, and you are free to use the entirety of this blog to fuel the debate.

I'd like to come up with some swell prize to the first of you Brits who enter the petition, and an even "sweller" prize if we manage to land 100,000 signatures and the issue is debated in The House of Commons.

Any prize ideas?

Saturday, August 6, 2011

Are the Chinese into YOUR computer?

In a story I reported earlier this week, virtually every major company infrastructure has been compromised by (probably) Chinese intelligence operatives. No surprise. In November of last year, I published the IP addresses of the Chinese attack servers that declared war on MY little Linux honey pots. And while I criticized McAfee for watching the attack logs of one Chinese command and control system since 2006 and yet doing nothing about it, they did at least cooperate with Seculert, who will tell you if your infrastructure IP addresses have shown up on the Chinese command and control log. The Computerworld story is here. To see if your system has been compromised, click here. You may want to check all your company IP addresses at the preceding link. If you're with Microsoft, Sony, IBM, Oracle, or PG&E, don't bother. You've been penetrated.
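The lookup linked above answers one question: do any of your organization's addresses appear as beacon sources in a C2 server's log? If you are handed such a log yourself (as McAfee and Seculert were), the same check is a few lines of code. The following is an added example written for this post, not code from Seculert, McAfee or the original article. The log line format, the hostnames and the address ranges are constructed for illustration (RFC 5737 documentation addresses); real C2 logs vary and you would adapt the regular expression to the format you actually receive.

```python
"""Match an organization's IP ranges against beacon sources in a C2 log.

Added example for this post; not Seculert's or McAfee's code.
The log format below is constructed: a timestamp, an event type, and a
`src=<ip>` field recorded by the C2 server for each infected host that
checked in. Malformed lines are skipped rather than aborting the scan.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log. Addresses come from RFC 5737 documentation ranges.
SAMPLE_C2_LOG = """\
2011-08-01 03:14:07 CHECKIN src=203.0.113.45 id=WIN-7X3 ver=1.2
2011-08-01 03:14:09 CHECKIN src=198.51.100.17 id=MAIL01 ver=1.2
2011-08-01 03:15:00 TASK    src=203.0.113.45 cmd=upload size=20480
2011-08-01 03:16:22 CHECKIN src=192.0.2.200 id=LAB-PC ver=1.1
garbage line that does not parse
2011-08-01 03:17:01 CHECKIN src=203.0.113.46 id=FILESRV ver=1.2
"""

# Constructed "our company" ranges, as a defender would enter them.
ORG_CIDRS = ["203.0.113.0/26", "198.51.100.0/24"]

_SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_sources(log_text):
    """Yield the source address of every parseable line; skip the rest."""
    for line in log_text.splitlines():
        match = _SRC_RE.search(line)
        if not match:
            continue
        try:
            yield ipaddress.ip_address(match.group(1))
        except ValueError:  # e.g. an octet above 255
            continue


def find_compromised(log_text, org_cidrs):
    """Return {cidr: sorted distinct IPs from that range seen beaconing}.

    Ranges with no hits are omitted, so an empty dict means "not in this log"
    (which is not the same as "not compromised").
    """
    networks = [ipaddress.ip_network(c, strict=False) for c in org_cidrs]
    hits = defaultdict(set)
    for ip in parse_sources(log_text):
        for net in networks:
            if ip in net:
                hits[str(net)].add(ip)
                break  # one range is enough; don't double-count overlaps
    return {net: sorted(str(ip) for ip in ips) for net, ips in hits.items()}


if __name__ == "__main__":
    result = find_compromised(SAMPLE_C2_LOG, ORG_CIDRS)
    if not result:
        print("no beacons from the supplied ranges in this log")
    for net, ips in result.items():
        print(f"{net}: {', '.join(ips)}")
```

The deduplication matters: a single infected host that checks in every few minutes produces thousands of lines, and what you want is the list of hosts to pull off the network, not a line count. The caveat in the docstring also matters: absence from one captured log proves nothing about other C2 servers.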

One of the more laughable responses to the revelation came from China:
China even responded, saying in its official People's Daily newspaper on Friday that linking every cyberattack to the country is "irresponsible."
If you parse the statement carefully, it must have been written by a diplomat. No guys, we're not linking every cyberattack to you. Just the ones that show up in this command and control log file. Plus the IP addresses I reported above of Chinese servers attacking me, personally. Plus my second-ever article reporting how you stole the Joint Strike Fighter plans from Lockheed. Plus yesterday's post on your involvement in the RSA certificate heist. Not to mention my posts on China as "the usual suspects." So no, you're not in on every cyberattack. But until you start acting responsibly on the international cyberstage, you'll continue to entertain the world with your carefully worded denials.

And for your information, no one has ever rebutted my publishing the IP addresses of your stinking attack servers. If anybody in the U.S. Congress ever wakes up and lets my licensed and bonded cyber privateers loose, I'll be sure they leave a calling card starting with those IP addresses. You can take that to the bank. I know I will.

Friday, August 5, 2011

Twitter, the new cyberwar dashboard

A year ago I figured it was only a matter of time before "the bad guys" figured out that Twitter was the ideal command and control dashboard for cyberwar. Well, that train has left the station, big time. We now have a Twitter-controlled botnet. No wonder the Pentagon is forking over $42 million to focus on Twitter.

Thursday, August 4, 2011

RSA culprit: China and not Iran

On March 28th I wrote that a supposed Iranian "student" took responsibility for the RSA certificate heist. The referenced bragging might well have been a bit of Chinese misdirection, based upon today's revelation from Joe Stewart at Dell SecureWorks tracing the command and control of that penetration to…yep…the usual suspect: China.

As I commented on July 7th, attribution is a key component of cyber retaliation. I now reiterate that our current cybercrime laws tie our hands and make it impossible to do "aggressive back tracing" on attacks. Some wonker claimed to be an Iranian student when he took credit for the RSA cyber exploit. It took over four months to come up with a much more likely culprit. It doesn't need to be this way.

Wednesday, August 3, 2011

Cyberwar "Pearl Harbor?"

My second article back on October 15, 2010 dealt with the reality of not-so-trivial attacks by Russia and China. Heck, on November 11, 2010 I publicized the IP addresses of the Chinese attack servers hitting my own Linux "honey pot." Unlike the professional "observers" of history who write articles like today's Time/Techland story asking if we fumbled "the world's largest cyber attack," my goal all along has been to propose a workable solution to ever-smarter crooks and ever more thorough rogue governments. The situation today? McAfee's vice president of threat research Dmitri Alperovitch net-nets it in the last paragraph of the Time story:

"I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact," said Alperovitch. "In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they've been compromised and those that don't yet know."
One thing is clear, though. McAfee must have a get-out-of-jail-free card. Quoting the same article:
Alperovitch says McAfee "gained access to one specific Command & Control server used by the intruders," and began gathering log-based evidence in mid-2006 (though noting the attacks could have begun earlier).
So my question to McAfee is rather obvious. You guys watched "one specific operation" steal "petabytes of data" in 2009; why in blazes didn't you work with NSA or DoD to launch your own virus countermeasures and shut the operation down? Either we were too politically stupid to act, or too technologically stupid to be able to act. Or both.

ZDNet's headline today: "Has the United States already suffered its cyberwar Pearl Harbor?"

My own headline is closer to reality, since the U.S. is not smoking in a pit of blown computers and SCADA utility meltdowns: "Since 2009, McAfee has watched a foreign government steal petabytes of data (logs going back to 2006) and done nothing about it?"

Tuesday, August 2, 2011

"Data exhaust" from the DoD and my granddaughter

My infatuation with pattern based analytics (Freakonomics authors Dubner and Levitt liken these data to looking at the rapidly dissipating contrails from high-flying jet aircraft)—and finding correlations between pieces of unrelated "data exhaust"—leads me to muse once again on privacy and our future. Consider the DoD and…my granddaughter:

  1. The Department of Defense is looking to fund up to $42 million in research to use Twitter as an intelligence resource.
  2. Last night at a family barbeque, I looked over my granddaughter's shoulder as she wanted to show me some of her friends on Facebook. I was absolutely stunned by her deft navigation and lightning-quick filtering of hundreds of flashing pages over just a few seconds. The kid obviously knew her way around the social cyberscape.  
What correlations do I find in this "data exhaust?" Simply, ego and vanity seem to trump privacy in this brave new world of ours. Which means mining of social media feeds is the already in-progress Gold Rush Of the New Century (GRONC if you like acronyms). I suspect that aggregating data across just three networks—Twitter, LinkedIn and Facebook—is the next big growth industry.


Monday, August 1, 2011

Homeland Security plays cards face-side up

Where the heck is Jack Bauer when we need him? First, the geniuses at the FBI publicly ask Silicon Valley software execs to build back doors into the technology we export worldwide. Now, the DHS (Department of Homeland Security, which should be known as "Departure of Homeland Security") lets it slip that we're scrapping plans to scan incoming cargo containers for nukes. Hopefully this is simple misdirection.
BTW, the URL is available!
One question, though, has to do with the overall strategy of basing nuke scanners in the ports. Shouldn't we be scanning cargo ships on the high seas, before they can come into port? Seriously, doesn't letting a nuke get all the way into a major port kind of defeat the purpose of a port-based scanner?

My own preference would be to fly over inbound sea lanes with an airborne scanner. That would give us time to stop and board suspect cargo ships before they came anywhere near major infrastructure assets.

Well, it's a good thing DHS isn't responsible for our cyber threat protection. Oops. Wait. DHS is kind of the overall intelligence umbrella. Awh heck!