Friday, September 30, 2011

Drudge Report for anarchists: AnonymousAnalytics.com

The PR-savvy anarchists who may have thought twice about being tried as adults have made a positive evolutionary step, semi-legitimizing themselves as investigative journalists. Check out the Anonymous news page.

In fact, I'm interested enough in this unfolding story that I've turned on a top-secret analytics tool in my possession and tasked it to do an hourly Twitter-feed analysis on Anonymous. I think these guys have no fear (typical for the under-twenty-five crowd), as they've just declared war on the Mexican drug cartels. Frankly, I'd rather face an embarrassed and irate U.S. government any day than publicly disrespect and then even moderately inconvenience the Mexican drug cartels.

I ran a trial batch last night, doing hourly analytics on feeds from 7:00pm until midnight. At the time of this writing, I'll fire it up and do the same thing all day today. My conclusion so far:
  1. Anonymous has some seriously gifted PR minds at work.
  2. Quite a few people are seriously worried about the wisdom of "their buddies" taking on the Mexican drug cartels.
  3. Just before midnight, the Sony arrests suddenly transcended the "noise" level in Anonymous tweets.
  4. Attention span of Anonymous tweets/re-tweets/followers quickly shifts, probably due to boredom in the old "Bat Caves" and another shot of Red Bull.
  5. Anonymous is still schizophrenic, as they promise illegal activity based upon the Wall Street protest arrests but in their PR site promise that "All information presented in our reports is acquired through legal channels, fact-checked, and vetted thoroughly before release."
Thus, a "statement of direction" from anarchists is an impossible promise. Because however well meaning one individual or group appears, his compatriots can (and definitely will) go another direction altogether.

BTW, don't forget to review and sign the White House "Morgan Doctrine" petition (click here).

Thursday, September 29, 2011

Next Great Hack: the 2012 presidential election

Just so you know what the stakes are if we don't get a coherent cybercrime national doctrine, you might want to check out the vulnerabilities of e-voting machines. And then sign the White House "Morgan Doctrine" cybercrime petition (by clicking here).

Wednesday, September 28, 2011

Cyberspy attacks on Russia

I've been pondering this story for a week: Cyberspy attacks targeting Russians traced back to UK and US. If you read the story, it's clear the security professionals on the case are bending over backwards NOT to suggest China is the culprit. Attribution is nearly impossible given the Cybersecurity Act of 2009. Yet another good reason for anyone serious about empowering companies to back-trace and cripple attacking servers to sign my White House "Morgan Doctrine" petition (by clicking here). Because we cannot achieve attribution under the current legal framework.

Tuesday, September 27, 2011

4980 signatures still needed on Cyber Doctrine petition

The first 20 signatures have come in for "The Morgan Doctrine" petition on the White House "We The People" website (click here to add your signature). We have until October 22 to hit that magic 5,000 mark. Still looking for a hockey stick in the signature curve.

Monday, September 26, 2011

No "Day of Vengeance" from Anonymous?

The zany folk at Anonymous promised that Saturday the 24th would be a "Day of Vengeance" for them in several cities. Maybe the weather was too nice for someone to spend on the Bat Cave terminal, eh? If something did happen, perhaps the victims haven't discovered it yet? Maybe they can't even access their systems to determine the extent of the damages? Stay tuned.

And in the meantime, please sign The Morgan Doctrine White House petition (click here).

Saturday, September 24, 2011

White House petition takes patience to sign

Patience, my friends. Patience! Turns out, my White House cyber security petition takes more patience to wade through than most expect. The site itself is hellishly slow, and you are required to sign up and then wait for an email confirmation before you can click through and vote. The 5,000 signature threshold is gigantic under these circumstances. Pass the link (http://wh.gov/gki) onto your friends and social communities with an admonition to…BE PATIENT! 

Friday, September 23, 2011

Sign this White House petition TODAY!

As I wrote on September 2nd (just 20 days ago), the White House has initiated an online petition system whereby if a petition gets enough support (right now it's 5,000 signatures), White House staff will review it, ensure it’s sent to the appropriate policy experts, and issue an official response. So what are you waiting for? CLICK HERE to go to the petition site, sign it, and then pass the link onto your friends. Here is how the page looks with just one signature (uh, that would be mine):
Lack of response to my petition may mean I'm smoking my lunch and nobody really thinks that licensed and bonded cyber privateers are a very good idea. Of course, the current petition just sets forth the first phase of cyber privateer authorization. Namely, we need a well-articulated "Morgan Doctrine" similar to "The Monroe Doctrine" to get the ball rolling. Then we get the cyber privateering ordinance locked and loaded.

Thursday, September 22, 2011

"Spies like U.S."

Sorry, but this isn't a Chase/Akroid comedy. Some real families have been put in harm's way.


Imagine that you are part of a network of intelligence professionals, getting together for TGG (The Greater Good). You've done everything right. You've anonymized your Web surfing. You run the latest private-label sandboxed browser. You never reuse passwords, and you change those passwords frequently. You NEVER open documents sent to you online, even if they are from trusted associates. You don't even run a commercially available operating system. You do all that, and then wake up one morning to see your name, email address, and (for some of you) even your home address publicized for the whole world. How did this happen?


Ask Intelligence and National Security Alliance (INSA), whose entire 3,000-name membership list got published by Cryptome (click here to see the list). I would imagine the next organizational banquet dinner will be served on shingles.


My question to you 3,000 who awoke to a NIGHTMARE ON SPOOK STREET is, "Are you sure you want to keep our status quo cyber security laws, or would you REALLY TRULY rather have some licensed and bonded HOUNDS OF HELL going after the people who have put your families at risk?"


Got a better solution? I'd love to hear it. This blog started out as a method to flesh out fictional "suspension of disbelief" for a series of novels I'm writing. It's been almost a year, and I have yet to see a reasonable alternative. Frank Herbert turned out to be your prophet of doom. It is time to deal with reality.

Wednesday, September 21, 2011

Awh, China again? No "Lie!"

China's denial of complicity in the attacks on Japan's major defense contractor (I reported on the attack yesterday) is ridiculous. Even if I didn't think before that China was involved, the wording of their denial puts them back into a list of "the usual suspects" on which I've previously written. The Computerworld story quotes Foreign Ministry spokesman Hong Lei (I wonder if any news broadcasters have pronounced his name with an emphasis on the last vowel in his name—making it Hong "Lie"?) as saying:
"The Chinese government has consistently opposed hacking attack activities. Relevant laws strictly prohibit this," Hong told reporters for Reuters, the Associated Press, and other outlets, during a regular press briefing Tuesday.
"Criticism that China initiated a cyberattack is not only groundless, it goes against development of international cooperation on cybersecurity," Hong said.
I raised my eyebrows yesterday that Time Magazine would use Aljazeera as their source on this story. Now it's making more sense. Time editors may have wanted to point the finger at anyone but China. Who better than jihadists?

Tuesday, September 20, 2011

Aljazeera reports Japan defense hack?

Does it strike anyone as odd that Aljazeera should be one of the first to report the hack of Japanese defense contractor Mitsubishi Heavy Industries (MHI)? Heck, even Time Magazine used Aljazeera as their source for the story! This is a piece of "data exhaust" that deserves some pondering. Don't 'cha think?

Admittedly, one day earlier, the very first report of the attack came from Japanese newspaper Yomiuri. You'll want to hit "translate" on your browser.

But Aljazeera? Quoted by Time? Go figure. Something is going on here.

Monday, September 19, 2011

Low-bidder SCADA systems have doomed U.S.

SCADA (supervisory control and data acquisition) systems run everything from the power grid to sewers and public water supplies (in addition to, heh heh, Iranian nuclear centrifuges). If somebody wants to cause some really bad things to happen in SCADA-dense countries (like the United States), the job doesn't appear to be extremely hard. Today's SCADA-bug story is making the rounds. Don't think of it as an interesting story with distant relevance to your personal life. Think of it as an exclamation point on the need for privatizing national cyber security with licensed and bonded cyber privateers.

Saturday, September 17, 2011

My lunch with "The Godfather of Science Fiction"

I have written repeatedly about the importance of science fiction to both my world view and to our planet in general. I have shared how precient my late friend Frank Herbert (who wrote Dune) was about predicting our day and age. Thursday while in New York City, I was able to spend three hours with the single most influential publisher in the history of science fiction: Tom Doherty (of Tor Books, among many other imprints). We talked about my manuscript for THE MORGAN DOCTRINE novel depicting cyber privateering evolution. We then had a delightful lunch hosted by the daughter of my literary agent and her husband (the Israeli naval commando who gave me the U. S. Navy SEAL Team 6 baseball cap about which I wrote yesterday). To be sure, my novel will have to stand on its own in today's incredibly competitive publishing world.

Interestingly, I don't believe Mr. Doherty has the slightest concept of how much our world owes to his efforts on behalf of the science fiction community (and all the other genres for which he has been the guiding light).  He is gracious. He has no guile. He's a straight shooter. And whether or not he and his team elect to risk an investment in publishing my novel, it was a pleasure to shake his hand and to do the kind of Vulcan mind meld that can only take place in a face-to-face meeting.

Friday, September 16, 2011

Former Israeli naval commando

Yesterday, I had the pleasure to spend the day in New York City with a former Israeli naval commando and his wife. Not only did we visit the World Trade Center site, but he somehow managed to score three U. S. Navy SEAL Team 6 baseball hats, one of which is now in my possession. I am in admiration of the real warriors, and more fully realize that as a writer, I am merely the Ned Buntline reporting on the true Buffalo Bill Codys of the world. Admittedly, the analogy is flawed, because Buffalo Bill was a showman, and the men I idolize today are absolute-real-McCoy heroes who willingly put everything on the line, not for money and not for fame. As nearly as I can tell, they were simply foreordained and put on this earth to keep the lights on for the rest of us. Ooh-rah you guys.

If you see a fellow in the airport tomorrow who is wearing a SEAL Team 6 hat, it could be me.

Thursday, September 15, 2011

Legal defense of Anonymous

Predictably, the legal defense of Anonymous is the modern-day equivalent of 60's political protesters. They haven't played the try-em-as-minors card, so good luck in the prison general population. Cybercrime laws have a lot more teeth than the laws against blocking my college dean's office in 1965.

Wednesday, September 14, 2011

DHS "data exhaust" (spoilers)

I'm on the East Coast this week, among other things doing my annual pilgrimage to attend the technology advisory board meeting of a NYSE-listed company. I had the occasion to take a limo ride for an hour and a half with an executive-protection contractor who'd worked for presidential protection details, corporate surveillance operations, and who'd travelled to Iraq and Afghanistan for the DHS. I couldn't resist asking him the million-dollar question:
"Is it really possible that the terrorists are so incompetent that they haven't been able to mount a successful operation on US soil in the ten years since 9/11?" His answer rather took me aback. Paraphrasing a ninety-minute discussion:
"That's because there is no threat. And if there were a threat, these guys would never uncover it in time to thwart it. All the billions spent on airport security and such are just a way for the old-boy network to get government contracts."

You see why I was taken aback? I did NOT expect this answer. Period. I rather hoped he'd explain that our intelligence capability was so superior that we nipped the bad guys in some unpublic ways and did so with extreme prejudice. Do I believe the above assessment of DHS incompetence? Not entirely. But there's enough "grain of truth" in this data exhaust to give it some credibility.

You might ask, "So, what does this have to do with your cyber privateering initiative?" I owe you an unambiguous answer. There IS a real cyber threat. Unfortunately, the federal government's business-as-usual attitude, of letting the defense contractors line up at the trough, is counter productive to getting the real job done. Not impossible, but the economics are staggering. A reasonable balance to federal largess is to have self-funding monetization of cyberwar and cybercrime threats through licensed and bonded…you guessed it…cyber privateers.

Yeah, we need a real-life Tony Stark strutting down the halls of congress boasting that he's successfully privatized national cyber security.

Tuesday, September 13, 2011

Who'd want to pwn Linux?

Yesterday's Register story about the continuing troubles of Linux.com begs the question, "Who'd benefit the most by roaching the Linux supply chain?" IMHO, the culprit is likely not Anonymous or LulzSec, since Linus Torvalds is the patron saint of anti-establishment forces in the cyberverse. It's more likely that a nation-state is making a concerted effort to sneak their stuff into Linux for their own cyber-domination projection of power. Insert your stuff early enough in the food chain, you own the world.

Given that cyber privateering is not legal anywhere, the above-mentioned nation-state had better beware of well and truly honking off a bunch of open-source acolytes. Again, IMHO, this is the second-best line of defense the world has to cyber criminals and rogue governments: an army of zealous penguins defending their pristine antarctic preserve. Until now, they've had to direct their anger at opponents of WikiLeaks. But give them a government to bring down? Now you're talking!

Be careful, China.

Monday, September 12, 2011

Attribution in cyberwar; advice to China

I've been mulling a recent headline attributing the RSA hack to China, based upon the fact that a virus upload spreadsheet used a Chinese version of Excel. While I'm not convinced that it wasn't China, given that country's bad reputation for cyber citizenship, I might want to point the finger at China if I were another entity who wanted to remain…no pun intended…anonymous. I have previously posted some advice to China on how they might "get ahead" of the international dog pile. I reiterate that with the same kind of advice I gave to LulzSec: Do a Dick Morris. Admit to previous bad acts, indicate a change in national policy, and beg forgiveness. There really is a way to turn your liabilities into assets of equal magnitude. Especially if some outside force is setting you up to take their fall.

Or you can wait for cyber privateers to publicly and profoundly b*tchsl*p you. Your choice. Do it the easy way or do it the hard way.

Saturday, September 10, 2011

Good thing I'm not a bookie

Yesterday's prediction of the BYU vs. Texas outcome based upon "Twitter analytics" was…flawed. BYU lost by one point, BYU's 16 to 17 for Texas. So I shouldn't quit my day job?

Friday, September 9, 2011

BYU/Texas "Twitter data exhaust" prediction

On August 29th I covered the Hedge Fund that uses Twitter to predict the market. I also hinted that some major new analytics tools are in the pipeline. Well sports fans, I have my hands on a pre-Alpha version of one such tool. And just for laughs, I wanted to spike proverbial ball BEFORE Saturday's BYU/Texas football game. "Twitter data exhaust," suggests BYU will win the game. Which would actually surprise the bejeebies out of me, even though I'm a BYU fan (all four of my children went to BYU). Everything I know about football would suggest that Texas will resoundingly spank BYU. But what do I know?

So I'll post this a day in advance of the game, beginning a record of successes and failures using "Twitter data exhaust" to forecast the future. Maybe after the game I'll try my hand at handicapping the terrorist threat level, or ferreting out money laundering activity. That's right. After the game. And as two notes of full disclosure:

  1. I did not look at any other sources of game prediction (Google, ESPN, etc.). This had to be a Twitter-only data feed; and
  2. I am doing some work for the company that created the Twitter-analytics product (full disclosure is always important as you consider the source of any information).

On August 5th I opined that Twitter is the new Cyberwar Dashboard. Let's see if I can use some pretty freaky analytics to see who is tweaking those dials. Heck, on August 2nd I reported that the DoD is spending up to $42 million on Twitter analytics. All I'm spending is a few entertaining minutes with some swell new toys. If they work well, maybe I can convince the creators of this tool to make it available to everyone, free of charge.

POSTSCRIPT:  I just checked the College Football News prediction, and they think Texas will win:
CFN Prediction: Texas 24 … BYU 13

Thursday, September 8, 2011

Wikileaks and anarchists, Part II

Once again, the friendly little gang of anarchists is eating their own.  Wikileaks, the patron saint-site of the modern anarchist movement, is on the receiving end of fellow anarchists who don't agree with their…well…rebels with a cause. The trouble with no constitution and no enforceable laws is kind of obvious. Whereas licensed and bonded cyber privateers could become rich because they follow a strictly enforced code of conduct. In which world—Anarchy99's world in Vin Diesel's movie XXX or our own arguably imperfect smattering of incompetents—would you rather be a citizen?

Wednesday, September 7, 2011

Dmitri Minaev offers Russian Oracle insight

Two great comments today from Dmitri Minaev about the story behind Oracle and Russia. On January 29th of this year, I verified one source for a Larry Ellison quote:
"The only way the ORACLE RDBMS will ever be delivered to Russia is in the nuclear warhead of an ICBM."
Today, Dmitri Minaev posted the following two notes on that January 29th story:
Mr. Ellison didn't know that somewhere in 1987 or 1988 Bulgarian institute Interprogramma together with Soviet company NPO Informatika "developed" a RDBMS called KARS, the exact copy of Oracle. My part in this job was to translate original Oracle manuals (Pro*C, SQL*Plus, SQL*Calc, etc) into Russian.  
BTW, you know what was my worst headache? I didn't know whether the Bulgarian programmers had renamed Oracle's library calls like `ofetch' and `oclose' to `kfetch' and `kclose' correspondingly. No, they didn't :)  
Thanks, Dmitri. Just to let you know that "what goes around comes around," back in 1984 when we were "out-IBMing IBM" at Oracle, we copied the IBM SQL/DS and DB2 manuals for the Oracle product. I mean we LITERALLY copied them. Larry Ellison insisted we even keep the same page numbers.

Anyhow Dmitri, thanks for another little slice of history.

Tuesday, September 6, 2011

CIA, MI6 & Mossad compromised since 2009?

Today's big story is NOT that CIA, MI6 or Mossad SSL certificates were hacked. Nor is it that the same SSL certificate hack opened up 300,000 Iranians to have their Gmail accounts spied upon. The news, buried at the end of the first story referenced above is:
Last week, Helsinki-based antivirus company F-Secure said it had found signs that DigiNotar's network had been compromised as early as May 2009.
The implications might appear too far-removed and esoteric for most of us. So below is a list of other fake certificates that were obtained. Check it out. Maybe you have a stake in this after all. Maybe you should become a proponent of legalized cyber privateering.  You use any of the following services?
*.*.com*.*.org*.10million.org*.android.com*.aol.com*.azadegi.com*.balatarin.com*.comodo.com*.digicert.com*.globalsign.com*.google.com*.JanamFadayeRahbar.com*.logmein.com*.microsoft.com*.mossad.gov.il*.mozilla.org*.RamzShekaneBozorg.com*.SahebeDonyayeDigital.com*.skype.com*.startssl.com*.thawte.com*.torproject.org*.walla.co.il*.windowsupdate.com*.wordpress.comaddons.mozilla.orgazadegi.comfriends.walla.co.illogin.live.comlogin.yahoo.commy.screenname.aol.comsecure.logmein.comtwitter.comwordpress.comwww.10million.orgwww.balatarin.comwww.cia.govwww.cybertrust.comwww.Equifax.comwww.facebook.comwww.globalsign.comwww.google.comwww.hamdami.comwww.mossad.gov.ilwww.sis.gov.ukwww.update.microsoft.com 

In addition, the attacker created rogue certificates for these names:
Comodo Root CACyberTrust Root CADigiCert Root CADigiCert Root CAEquifax Root CAEquifax Root CAGlobalSign Root CAThawte Root CAVeriSign Root CA 

Monday, September 5, 2011

China's lame PR game

Saturday's Wall Street Journal ran the lamest story by Owen Fletcher, the headline of which read, "China Hackers Seek to Rally Peers Against Cybertheft." The lead paragraphs read:

BEIJING—Some of China's most prominent hackers plan to issue a call for their peers in the country to steer clear of commercial cybercrime, a move aimed at cutting down on Chinese cyberattacks that experts say often target foreign Internet users and companies.
While it's unclear how effective such an appeal will be, it is a sign that some with roots in China's hacking culture are concerned that growth in the underground cybertheft industry could draw both louder foreign complaints and tighter domestic restrictions, which could restrict their freedom of action and affect the legitimate network-security sector as well.
The story implies there is some private hacking activity taking place from China that is not government sponsored. It is my contention that all serious hacking taking place from China has at least tacit government approval. And at most, it could not exist in China without full government sponsorship. This silly story is akin to Italian-Americans taking offense at the term MAFIA and making it extremely politically incorrect to suggest that a MAFIA even exists. I expect better journalism from the WSJ.

Saturday, September 3, 2011

Corrupting the Linux supply chain

I have long contended that the simplest way to covertly break into every computer in the world is to build back doors at the earliest possible moment in the supply chain. Whether it's China sneaking keys under the mat of SCADA systems they're exporting, the FBI publicly asking Silicon Valley vendors to build traps into the stuff we sell around the world, or Adobe's "swiss cheese" source code management system that invites stealthy insertion of malware into widely used products such as their Acrobat reader, if the bad guys get into the technology food chain early enough, we are all well and truly jiggered. For example, take this week's headlines about hackers breaking into the Linux source code site. Good idea, really, if you're a bad guy.

When the heck are we going to take off the kid gloves and raise the risk of cyber tomfoolery? When are we going to make the price of unauthorized intrusion simply too high. Licensed and bonded cyber privateers are one proposed solution. I haven't heard a better one.

Friday, September 2, 2011

White House cyber privateering petition soon

Yesterday, the White House announced plans for a citizen-driven online petition system called "We the People." Since none of my U.K. readers have successfully managed to get HM Gov. to allow a cyber privateering petition through the gauntlet, maybe I'll have better luck in the U.S. Stay tuned.

Thursday, September 1, 2011

"Data exhaust" & DoJ right-to-bribe authorizations

Yesterday I wrote how a DoJ FCPA (Foreign Corrupt Practices Act) "enforcement opinion" is the legal way for U.S. companies to bribe the officials of foreign governments. A key provision of the FCPA law states:
Copies of releases issued regarding previous opinions are available on the Department of Justice's FCPA web site. 
Interestingly, very few companies have taken advantage of this "selling of indulgences" provision, as evidenced by the history of such activity since 1993 (click here to see the site). The "data exhaust" moment? Well, in nearly 17 years, the DoJ has issued a mere 34 "licenses to bribe" foreign nationals. There are no statistics detailing how many requests for a get-out-of-jail-free card were declined. If I were on some kind of congressional oversight committee (ie, if I had the patience to deal with acres of idiots), I'd be asking this question. Several possibilities emerge:

  1. The DoJ makes it hellishly hard to get the right to bribe; and/or
  2. The DoJ turns down a lot of requests; and/or
  3. The really smart bribery operations try to stay under the radar; and/or
  4. Major U.S. companies (and their highly paid attorneys) haven't done their homework to "know the ropes"
One thing is for sure: Oracle wasn't one of the firms requesting a get-out-of-jail-free card. While the requests were anonymized and the nature of the business was only vaguely described, none appeared to be a U.S. software company. I once asked Larry Ellison if maybe we should run some of our ads through legal. His answer: "Hell no; I've got a litigation department, so let 'em litigate!"

Well Larry, given the failure of your international law advisors to do their stinking jobs, you're "litigation department" has their work cut out for them.