Monday, December 24, 2012

Will 2013 be "The Year of the Cyber Privateer?"

Here's wishing you the best from "The Pirate's Cottage" on a Utah mountainside. Maybe 2013 will be "The Year of the Cyber Privateer."

Wednesday, December 12, 2012

Laugh for The Day: Yahoo Takes Aim at Gmail

You've got to hand it to the PR flacks at Yahoo. The Time Magazine Techland headline (read the full story here) reads: "Yahoo Revamps Email in Bid to Catch Up With Gmail." It's like Yahoo has a chance to catch up with anybody, given their horrible security track record. I have yet to get spam or malware from someone whose Gmail account has been hacked. Yet I get many such emails each day from friends (and former friends who are now dead) on Yahoo. The likelihood of Yahoo doing anything to close the gap with Gmail is on a par with North Korea declaring and winning a war against…oh, let me think of a good one…Katmandu. Ok, make it Taiwan. Or Philadelphia. That's it! Philadelphia. "I Kim Jong Un hereby claim this here Liberty Bell…Wahoo!" No, that's "Yahoo!" you idiot.

Tuesday, December 4, 2012

Yahoo Still the Gang That Can't Shoot Straight

For several months now, I've been marveling at how many of my acquaintances' Yahoo email accounts have been hacked. No one I really care about uses Yahoo email, since they've all migrated away from it, and I've debated blocking all email originating from Yahoo accounts. Reason: Only idiots use Yahoo email. Alas, I haven't yet. Probably for the same reason I haven't blocked AOL. You see, my mom uses AOL. She's 87 years old and the prospect of getting her to change just isn't worth the wear and tear on our relationship. Oh, I've tried. I got her her own domain name, and even set up the email account for her. That was a couple of years ago, and she still insists that the only way she can get onto the Internet and to her email is with the AOL browser. Simply put, getting people to change their daily routine is nearly impossible. Malcolm Gladwell calls it "stickiness" in his seminal book, The Tipping Point. And yep, AOL sticks. To some lesser extent, so does Yahoo.

I apologize for kicking Yahoo so much (type "Yahoo" in the Search box to the right of this screen and you can see my devotion to them). Today's Computerworld story (read it here) reconfirmed that Yahoo deserves every single piece of bad press that has chronicled their downward spiral. Why apologize, then?

Computer security in the U.S. is analogous to being the man with no arms who is playing dodgeball with a sadist. You can't throw your own shots at him. All you can do is yell "Nyah-nyah-nyah-nyah, Nyah-yah!" until he finally clocks you in the noggin. So while I can single out Yahoo today for ridicule, fear, and loathing, I'm still the dodgeball player with no arms. Sooner or later, simply playing defense is going to get me nailed, too. Paraphrasing John F. Kennedy, "Ich bin ein Yahooer!"

Wake up, Congress!

Friday, November 9, 2012

A 2nd Righteous Hack: Biological BLACK BOX PORTABILITY

Back in January of 2011 I reported how Bill Aho and MediaPlay had done a successful AND LEGAL hack of Hollywood (see the story here). This week I went to the premiere of the movie Doctored—produced by my old friend Jeff Hays (see his website here)—where he attacks "big pharma's" and the AMA's rejection of cures in favor of life-long (and highly profitable) drug regimens. To be sure, Jeff is early in the battle, and the outcome is anything but assured at this point. But the one take-away from Doctored is the "hack" of the human genome by bio-hackers who sport quite a few arrows in their backs. While this isn't a computer software hack, it qualifies for inclusion in my 22 Principles for Creating the Perfect Virus under Principle #7, Black Box Portability (see all 22 principles here). Remember, my little army of cyber privateers, bits and bytes aren't the only way of opening doors into secure systems.

Wednesday, October 17, 2012

Data Exhaust: Romney's Life is in Danger

While only one passing mention of cyber security came up in last night's presidential debate (Romney mentioned Chinese cyber attacks in a compound sentence), my handy-dandy Quantum Leap Buzz social media analytics notification came alive with Obama supporters actually making threats on Romney's life. I'm rather surprised the news hasn't covered this. Then again, social media analytics is constantly putting me onto trending stories that NEVER make mainstream media newscasts. Below is my "buzz furball" for the "kill Romney" movement.
Hopefully SOMEBODY in the Secret Service candidate protection detail is paying attention. I now return to my regularly scheduled Cyber Privateer dialogue.

Tuesday, October 16, 2012

Cybercrime & Tonight's Presidential Debate

In February 2011, I opined (see it here) that cybercrime was indeed an easy-entry career. Given today's Computerworld story (read it here) on how cyberthieves looted $400,000 from a Bank of America client, it appears that it's also a lucrative career. Especially when current cybercrime law in the U.S. forces us to play only defense. Yes, it's too much to hope that either presidential candidate gets the big picture, here. Which is too bad. Selah.

Friday, October 12, 2012

DOD finalizing offensive "rules of engagement"

The final paragraph of today's New York Times story (read it here) is the only element of hope on the horizon of an otherwise bleak future.
The Defense Department is finalizing “rules of engagement” that would put the Pentagon’s cyberweapons into play only in case of an attack on American targets that rose to some still unspecified but significant levels. Short of that, the Pentagon shares intelligence and offers technical assistance to the F.B.I. and other agencies.
Unfortunately, U.S. Secretary of Defense Leon Panetta has the same set of blinders as every other administration and legislator has worn. Namely, he just assumes that the only way to deal with cyber threats is to line the pockets of "Beltway Bandits" and insist that the government should be the only source of offensive cyber capability. And that is the reason why blocking the latest cyber security bill makes sense.

The "rules of engagement" should be…you guessed it…The Morgan Doctrine and rigid adherence to my Cyber Privateer Code (read it here). Otherwise, we really will have what Panetta calls a cyber equivalent of a Pearl Harbor from which we will not easily recover. Right now, we're guaranteed to lose because we're playing the game with our hands tied behind our backs.

Too bad this subject won't come up in the presidential debates.

Thursday, September 27, 2012

Who has "Black Box Virus Portability?"

Today's New York Times article—Cyberwarfare Emerges From Shadows for Public Discussion by U.S. Officials (read it here)—seems to have done a credible job summarizing a growing public discussion about government involvement in cyberwarfare. The problem, however, is the underlying assumption that only government-level resources are fit to play this game. From the only intelligent individual quoted in the article:
Matthew Waxman, a law professor at Columbia and former Defense Department official, said speaking openly about cyberwarfare policy was important because it allowed the United States to make clear its intentions on a novel and fast-emerging form of conflict.
Professor Waxman essentially makes my point about a publicly stated "DOCTRINE" for cyberwar. Unfortunately, in the context of the current governments-only mindset, this translates to playing with our hands tied behind our backs, whereas licensed and bonded cyber privateers operating under strict government authority would be the only viable answer.

Which brings me to my question of the day: Who has "Black Box Virus Portability?" As I have stated in my 22 Principles for the Perfect Virus (see here), the HOLY GRAIL of the Perfect Virus is Principle #7 (see here; I articulated it almost two years ago), BLACK BOX PORTABILITY. Because it DEFINITELY DOES take government-level resources to build an alien architecture that's immune to "grokking" by technology that assumes it knows what it is going up against. So my budding cyber privateers, does anyone have black box portability?

My answer: "No government has it." To be sure, at least two governments probably DO HAVE black box architectures engineered for Cyber Armageddon (the U.S. and China), but I don't believe they've cracked the Piers Anthony Macroscope code to infiltrating another black box. I also believe that they are "sniffing" for black boxes in the wild, because they'd be crazy not to. Finally, the odds are non-trivial that at least one private party HAS achieved black box virus portability. Further, I'm betting that this party is hiding in plain sight and (hopefully) has altruistic motives. Maybe like riding in on a big white cyberhorse and stopping the inevitable all-out cyberwar cold.

I know. I'm such an optimistic sucker.

Tuesday, September 18, 2012

NY Times Op-Ed on Cyberwar is Quite Humorous

I got quite a knee-slapper this morning from my Quantum Leap Buzz "data exhaust sniffer" (get your own by clicking here) when I got a message equating cyberwarfare with the nuclear arms race. A New York Times Op-Ed piece (see here) actually suggests the nuclear metaphor. My problem with that logic is that nuclear weapons development (as the Iranians are proving) is no small task. Compare that with cyberwarfare, where a single brilliant individual with a laptop, a power source, and a satellite phone can bring the world to its knees from a cave in some third-world country. The final quote from this contestant in the 2012 Intellectual Special Olympics gave me two laughs for the price of one:
Cyberwarfare is not to be entered into lightly, and governments need to be more open about their capabilities. Disclosure is imperative to prevent attacks that may cost lives and potentially snowball into major global conflicts.
Translated: "My little security firm in Finland is way behind the curve, and I'd sure like someone to tell us where all that cool stuff is coming from and who has a corner on the zero-day exploit market."

Thursday, September 6, 2012

The "Ultimate Cyber Privateer Platform"

Back in January of 2011 (read here) and again in March of that year (read here), I declared Android to be the ultimate cyber privateer smart phone. I now update that based on today's Network World article (read here): Android is the ultimate cyber privateer platform. Sure, it's also the most popular malware target these days, but that's because it's open and easily programmed. Nevertheless, to cyber privateers, your handy dandy Android is a portable war machine of immeasurable power. Crank up The Perfect Virus (outlined here) and consider the possibilities:

  1. Take a tour of the White House and wirelessly install malware on every computer within Wi-Fi/Bluetooth range. Heck, you might even get the nuke codes from the president's "football."
  2. Tour our local power utility and drop cyber bombs into SCADA devices.
  3. Wardrive around the ritzy neighborhoods and capture passwords and contact lists from every Wi-Fi system dumb enough to broadcast their SSIDs.
  4. Walk the halls of any major NYC office building and do major corporate espionage.
  5. Ditto for the halls of Wall Street merger/acquisition firms, so you can get insider information for upcoming deals.
In short, the Android smart phone is a cyber privateer's best friend. Naturally, it is also the cyber criminal's best friend, which explains why so much malware development is now focused on the Android platform.

Too bad our current cybercrime laws make it impossible to do a "reconnaissance in force" whenever such a device "tickles" one of our systems.

Thursday, August 30, 2012

Coming soon? An "active deterrence protocol."

Could a "long shot" connection with the Romney Campaign be yielding fruit? Take a look at the GOP platform as reported in today's Computerworld (see story here). They use the phrase "active deterrence protocol" which, if I might be so bold, means we're going to stop playing defense and put some teeth into deterrence. Not a stretch to suggest things could be getting interesting.

Monday, August 27, 2012

How to handle a digital-certificate fraud incident THE RIGHT WAY

Today's kneeslapper from NetworkWorld is their story (read here) on How to handle a digital-certificate fraud incident. Their net-net is to have a policy document knowing who to tell, what to tell them, and how to issue new certificates fast. Kind of a waste of ink, but hey, it's the dog days of August, and who reads this crap anyway? If Congress knew security from shineola, licensed and bonded cyber privateers following The Cyber Privateer Code (read it here) would bring a biblical curse upon the culprits as recorded in 1 Samuel 3:11:
And the LORD said to Samuel, Behold, I will do a thing in Israel, at which both the ears of every one that heareth it shall tingle.
Cyber privateers would certainly be the antidote to slow-news-day journalism. Selah.

Wednesday, August 22, 2012

10 ways to say, "Welcome to Hell!"

It's the Dog Days of Summer. Journalists in every discipline are scrambling for new headlines to garner readership. Cosmo is done with the how-to-look-good-in-your-swimsuit-in-just-21-days articles—although they still manage to have the word "sex" on almost every cover—and they're now doing everything from sex surveys to the 10 reasons men cheat (could it be that men attracted to Cosmo readers are prone to cheating?). The tech press is torn between the 10 rumored features of the new iPhone 5 and the iPad, with the big "list-of-10" security story being CIO's "10 Ways to Ease Public Cloud Security Concerns" (see story here). Welcome to Hell. Paraphrasing Dante's Divine Comedy, "Abandon hope all ye who enter here." Abandon hope all ye who take seriously any of the above lists of complete and utter tripe. As to CIO's article on easing your concerns about cloud security, let me convert their "10 Ways" into appropriate Hell Welcome Mats:

  1. Select the Right Apps for the Public Cloud. Right. This means selecting only apps that require absolutely no security. Welcome to Hell.
  2. Evaluate and Add Security, If Necessary. If the world expert in IP security and mission-critical systems, Network Solutions, can't keep their infrastructure up and immune from attacks, what chance does the average IT schmoe have (see my story here)? Welcome to Hell.
  3. Identify and Use the Right Third-Party Auditing Services. Translated, you can't do #2 above, so maybe you'll feel better outsourcing responsibility for your inevitable doom. Welcome to Hell.
  4. Add Authentication Layers. This wonderful advice begins: "Most CSPs provide good authentication services…" I added the color to the word "good." Hey, don't you want "perfect" or "unbreakable" authentication? To hell with "good" authentication. Welcome to Hell.
  5. Consider How Additional Security Will Affect Integration. Translated: "Your performance will go to hell, your users will be irate with all the hoops you make them jump through, and you'll still get cracked on a daily basis by the Chinese." Welcome to Hell.
  6. Put Security at the Forefront of Your SLA. "SLA" means Service Level Agreement. A realistic SLA should contain the following: "Security is a joke, because US law makes it impossible for us to attack the attackers. So if you trust your mission critical applications to us, you'd better have a jim-cracking-dandy insurance policy, because you will most definitely have to use it." Welcome to Hell.
  7. Insist on Transparent Security Processes. That way, you can see time-lapse photographs as the crap storm wipes you off the planet. Welcome to Hell.
  8. Streamline Logging and Monitoring. "Comparing one CSP's logging and monitoring practices with another before you sign a SLA may reveal subtle differences in the security that's provided." Sure. Like you know diddly squat about logging practices. Welcome to Hell.
  9. Add Encryption. Then, "…only the customer and the third party know the key…" And how long do you think it will take a clever phisher to worm the key out of one or the other of you? Welcome to Hell.
  10. Spread Risk with Multiple, Redundant CSPs. I'll bet the Iranians got their biggest laugh out of this one. Shamoon, Flame, Duqu, Stuxnet, Gauss, et al. All you need is one to work, and all your systems will be compromised. Welcome to Hell.
The solution: Forget playing defense. Make a public example out of anyone stupid enough to so much as probe your system. Give them a proper sendoff…to Hell.

Friday, August 17, 2012

Finally, Google does it right: $2 million bug bounty for Chrome

In March of 2011, I publicly named Chrome as my "browser of choice" (see my story here) in this Mad Magazine world of cyberspy vs. cyberspy. At the time, I lamented not being able to run Chrome on my iPhone and iPad. That has since changed. Now, in today's Network World story (see here), Google is doing what EVERYONE SERIOUS ABOUT SECURITY should have been doing, and raised their show-us-our-flaws bug bounty to $2 million.

Too bad we don't have coherent cybercrime law that would allow someone to have a similar contest for identifying and crippling cyber thieves.

Saturday, August 11, 2012

Today's Network Solutions DDOS attack proves my point

No wonder my email today has been virtually nonexistent. I just got a text from my former Israeli commando friend telling me that his email to me is getting bounced. So I called the Network Solutions tech support hot line and got a recorded message that they are currently under a DDoS (Distributed Denial of Service) attack. Given that these guys are as good as it gets, if they cannot defend against these attacks, then doesn't it stand to reason that our DEFENSE-ONLY cyber security legal framework is positively and absolutely idiotic?

Come on, Congress! Don't you remember the days when we only sent amateur athletes to play basketball in the Olympics? We got creamed. But when the USA is NOT forced to play with our hands tied behind our backs, we prevail. Ditto for cyber security.

You force us to play defense only, we are guaranteed to lose big time. How about leveling the playing field and NOT forcing us to play with BOTH hands tied behind our backs? The answer is licensed and bonded cyber privateers who live by…THE CODE (see here).

Wednesday, August 1, 2012

Huawei vulnerabilities accidental or by design?

Former Cisco employee Dan Kaminsky was quoted in the Network World article (read the article here) as saying:
If I were to teach someone from scratch how to write binary exploits, these routers would be what I'd demonstrate on.
According to the article, "Huawei equipment powers half the world's Internet infrastructure…" Given the "data exhaust" of China's documented "bad Internet citizenship," it is not a gigantic leap of logic to suggest that those security holes are no accident.

NYTimes Passion + Google Zombies = Cyber Privateers

Today's New York Times story "Cybersecurity at risk" (see here) passionately suggests we need a solution. Unfortunately, their ignorance of the real issue makes their support of current legislation laughable. However, there is a synthesis of ideas that they should consider: Google's "Kill Zombies and Get a Job" program (see article here). Aren't cyber intruders the metaphorical equivalent of honest-to-goodness real-life zombies? So with due respect to the well-meaning but flatulently ignorant editors at the New York Times, licensed and bonded cyber privateers (Zombiekillers, if you will) really turn the financial equation on its head and make for a sustainable, scalable, damn near foolproof mechanism. Come on Times! Playing defense only (holding hands and singing Kumbaya) while we wait for a bunch of bureaucrats to reach consensus is NOT a solution that stands the remotest chance of success.

Friday, July 27, 2012

Latest cyber security bill equivalent to The Maginot Line

The latest incarnation of cyber security—the bill designated S.3414.PCS (read it here)—spends hard-earned tax dollars to build a toothless bureaucracy while at the same time making it harder for businesses and individuals to protect themselves. Where licensed and bonded cyber privateers would be a positive net revenue generator to a sponsoring government, this law could best be described as, "Let's play defense only and make it really hard to let the world know who the bad guys are." Heaven forbid you should share/publish the identities of the people/organizations/governments that are attacking you.

No wonder cyber attacks are up (as the New York Times reports today). Our "best and brightest" are still trying to build the cyber equivalent of The Maginot Line. 

Tuesday, July 17, 2012

Yahoo security breach "Shocks Experts?" Gimme a break!

I've been biting my tongue since July 13th when the Network World story (see here) "Yahoo security breach shocks experts" invaded my personal data exhaust analytics processor. I've been carping on Yahoo's lack of security for almost two years (type "Yahoo" in the search bar to the left and see for yourself). Two words in the ludicrous headline—"shocks experts"—are an oxymoron. Any so-called expert who is shocked is no kind of expert at all. In my opinion, Yahoo deserves every single bad thing that has happened to them because they are persistently incompetent. Selah.

Tuesday, July 10, 2012

"Incident Response" is a really stupid concept

I just got a white paper announcement from one of the major IT publications from a sponsor touting scenarios for "incident response" teams. My fellow cyber privateers, when the balloon goes up there isn't time for a group of people to sit around a table and reach a consensus. You don't have a day, an afternoon, or even an hour. Your response to intrusions should be within milliseconds, it should be unambiguous, and it should be absolutely disproportionate. Which means it should be advertised to the point that no individual or government wants to come near your site. See Principle #22 on Defense (here) of the Perfect Virus. My idea of "incident response" is a PR firm issuing a press release explaining why no one in Beijing can complete a cell phone call for the next seven days. An object lesson for the government-sponsored intrusion into company XYZ's systems, courtesy of licensed and bonded cyber privateers operating under The Cyber Privateer Code of Conduct (see here). How's THAT for incident response?

Monday, June 4, 2012

Flame virus and its "data exhaust"

Within a week of finding out about the Flame virus currently turning every computer in the Middle East into a multi-media international broadcast station, the Obama administration "newspaper of record" (see the New York Times story here) confirms that the Bush and Obama administrations have been waging cyberwar on Iran. Clearly, this story ran with administration approval. One might draw several conclusions from this "data exhaust" news:

  1. The Obama administration thinks they're going to turn this militancy into a political asset for the 2012 election, logic going something like: "Since the Russians and the Chinese already knew full well the source of Stuxnet, Duqu, Flame, and probably a dozen other still-covert cyber adventures, the only entity we were really keeping in the dark was the American public."
  2. The Israelis are about to drop the hammer on the Iranian nuclear program, and the Obama administration wanted their "newspaper of record" to build the case that, "Doggone it, we did everything we knew how to do to keep this terrible day from coming."
The trouble with the above logic is that Clinton had a pretty good idea with his "don't ask, don't tell" policy on gays in the military. President Obama should have applied it in the cyberwar arena. Since we haven't publicly debated our cyberwar doctrine, we have lost the moral high ground and opened the door to every third-rate jihadist with a laptop and a satellite link to yell, "Allah game on akbar!" Not to mention that it's doubly hard for us to keep a straight face as we condemn China's cyber adventurism or Russia's deification of their own underworld Darth Vaders (see my post on one such culprit here).

I know, I know. My answer is, of course, that we should publicly debate the merits of licensed and bonded cyber privateers to keep the peace. But beyond my continuing campaign to consider such possibilities, I have a prediction. Simply, the above "data exhaust" suggests that Israeli bunker busters are much closer than they appear in Iran's rearview mirror. Selah.

Tuesday, May 29, 2012

My invitation to Larry Ellison today

Since Larry Ellison is the head of my Fantasy League of Cyber Privateers, and since tonight is the meeting in Palo Alto of the 100 people who put Oracle on the map back in the early days, it is only appropriate that I sent Larry the following invitation to the festivities:

Tuesday, May 15, 2012

Stephen Wolfram's NKS holds the key to THE PERFECT VIRUS

Hats off to Stephen Wolfram and his update today (see here) on the future of A New Kind of Science (or NKS). Simply, my own experimentation on Principle #7 of the Perfect Virus (Black Box Portability) strongly suggests that clever use of cellular automata and the extrapolation of Wolfram's concept of computational equivalence are the key to my Holy Grail of Black Box Portability. While I am legally constrained by current cybercrime law, my imagination can still run wild with Einsteinian "thought experiments" that will not get me thrown into a federal prison. So thanks, Stephen. To you, to Piers Anthony whose seminal novel Macroscope gave me a vision of The Perfect Virus, and to my late friend and science fiction author Frank Herbert (Dune) who talked me into running for Congress just so I could get a taste of a future in which politicians should be recognized for the imbeciles they truly are.

Friday, May 11, 2012

FBI Director Mueller flunks another IQ test

Don't get me wrong. I don't think the Republicans have any better handle on cyber security than the Democrats. That said, FBI Director Mueller has certainly had his share of spectacularly stupid ideas. His latest bumble is this week's testimony (see here) before the House Judiciary Committee and reported by Network World:
[Mueller] took a swipe at the tech industry for "lacking the capability to intercept communications undertaken with their products," or basically offering technologies that can be wiretapped at will, should a major threat to the United States arise.
He's sung this asinine aria before (see my January 8, 2011 post here) when he asked Silicon Valley to build back doors into the software they export around the world. Talk about putting a "check into the swing" of our world-wide hi-tech sales forces. Who'd want to buy from a country with the stated objective of building spying back doors into its products? Oh, wait! That's China's policy, too. And look how well it's worked for Huawei (see one of my many Huawei posts here).

As Joseph from Spain has proved (see my last post here), it would seem that the FBI's stupidity rolls downhill.

Saturday, April 28, 2012

Joseph from Spain nails the last detail in FBI unsolved case

On 16 November 2011 I shared Joseph from Spain's solution to a case that the FBI's "best and brightest" couldn't solve (see here). Just today he entered the final comment as to the exact house location where Ricky McCormick buried his "treasure" before being murdered. If anybody in Missouri wants to do some legwork, we'd both appreciate your dropping us a note. I've pasted Joseph's final note below (you can see the whole thread at the above link):

Hello from Spain.
+ Six months ago I said that I was looking for a house with the NUMBER 35. (see November 22, 2011)
+ Finally I have found the house in the place I had predicted, 36 and 29 miles from Chouteau Avenue 1400, St Louis (MO). It is this:
+ 6035 Missouri 94, Portage Des Sioux, MO 63337 USA
+ I used Google Maps and Street View.
(The calculation of the distance is a rough estimate)
+ Anyone can check and see the home next to the northern entrance of Marais Temps Clair C.A. (MO).
+ This shows that I was right and I deciphered McCormick's notes correctly.
+ I can no longer do anything. If the FBI wants to dig up the case or not, that is up to them.
+ I have finished my work.
Greetings from Spain.

Friday, April 27, 2012

House passes CISPA; The Perfect Storm builds.

On Wednesday I talked about The Perfect Storm forming from Russian-speaking hackers, Chinese cyber militarism and the wacky new religion of Kopimism. What else could breathe energy into that category 5 cyber storm? Jihadists? Iran? North Korea? No, my little cabbage heads. The Internet "planet killer" event was fueled by none other than the US House of Representatives passing CISPA (the Cyber Intelligence Sharing and Protection Act, reported HERE by Time Magazine). IMHO, CISPA is a kind of "legislative IQ test" the approval of which disqualifies politicians from future public service. Since it's going to the Senate now, I'll be anxious to see how my guys vote. Utah House member Rob Bishop voted "No," while mental midgets Matheson and Chaffetz proved they were well and truly lobbied (SAIC, Lockheed Martin). Well, Senator Hatch? You're up for re-election this year. Hopefully you have someone on your staff who knows bit from shineola.

Wednesday, April 25, 2012

Prediction: Russian-speakers, China, and Kopimists form The Perfect Storm this summer

It's going to be a hot summer in the cyberverse. Network World reported today (see here) that:
Russian-speaking hackers earned an estimated US$4.5 billion globally using various online criminal tactics and are thus responsible for 36 percent of the estimated total of $12.5 billion earned globally by cybercriminals in 2011, Russian security analyst firm Group-IB said in a report published on Tuesday.
In addition, China stays at the top of my state-sponsored cyber intrusions into anything and everything connected to the Internet. Finally, those zany anarchists have stumbled upon the swell idea of turning hacking into a state-recognized (a la Sweden) religion: Kopimism (see my essay on the process of Rhetorical Wargaming, wherein you can use social and traditional media to test ideas for staying power). Forget about the North Koreans, Iranians or dyed-in-the-wool jihadists. With the world's policy makers stuck in their Maginot-line/we-must-be-in-control mentality of getting all the power mongers around a table to have "their say" in all cyber-attack-escalation decisions (as opposed to having a well-published sub-microsecond response in the can and ready to rain hell on attackers), I predict this is going to be ONE HOT SUMMER.

You know my solution, Grasshopper. Have a nice day.

Friday, April 13, 2012

One step beyond mass sentiment analysis: INDIVIDUAL INTENT ANALYSIS

Just got an interesting glimpse into the future of "spook shop" media trolling. Everybody worth the powder to blow them to hell claims some sort of social "sentiment analysis" capability. But the next step in analytic tagging of the media fire hose is "intent analysis." After all, clumsy sentiment analysis is a simple thumbs-up/thumbs-down/neutral indication with pretty abysmal accuracy ratings (the algorithms can't distinguish sarcasm from honest opinion). That's why I've relied on Quantum Leap's PBA (Pattern Based Analytics) to give me a more accurate picture of really trending themes. I can do a pretty good job of predicting GROUP INTENT based upon Quantum Leap Buzz, and regard it as a cool (even indispensable) tool to have in my bag of predictive marketing tricks.

But what about the "spook shops" and their deep dive into a single thread, a single document, a single thought in context? How do you determine the INTENT of a single author? I just got an enlightening monograph today from an Israeli/American friend of mine, and he gave me permission to publish it. If I were a Cyber Privateer who wanted a "Dead Man's Switch" (which I describe in Principle #1 of The Perfect Virus, Oversight), I'd implement it with an INTENT ANALYSIS CCS (Command and Control System) and then turn it loose on mankind. This Dead Man's Switch would make my continued health an important consideration to a world at the mercy of my Perfect Virus.

So thank you, Michael S. Pincus, founder and president of Mnemotrix Systems, Inc., for an important addition to my Perfect Virus Oversight Module: a "dead man's switch" that can sniff out my enemies long after they've put a bullet into my head. Here's Mike's monograph in its entirety:

There is in the private sector developed and owned by Mnemotrix Systems, Inc., an intelligence sensemaking automaton that can connect-the-dots from Internet scraped data and obtained memos, reports, and conversation transcripts based on metaphoric and semiotic reverse inferencing exposing both expressed but hidden intentions and underlying subconscious thoughts in social media, reports, articles, news and other material from bad guys.

One of the greatest advantages this technology provides for the community is that it can take metaphors and apply them to social media. Scraping millions of tweets and blogs through metaphors and being able to distill INTENT is a vital key to locating real threats without bias. The automaton's reasoning is based on a human savant model of the neural linguistic patterns in the human subconscious. Analysts using the automaton to help connect-the-dots have reported that it helps to awaken their subconscious through reflections in the data, teaching the analyst to think like the subconscious mind "thinks." It helps the analyst augment those behind-the-scenes thought processes that are always running but frequently buried by pervasive thoughts and bias, helping the analyst to locate INTENT in data.
This is not a research project waiting for funding. It is fully complete technology already in place, in places.
The following examples are real from a recent study of the system done by an analyst in the Pentagon.

The analyst sent the following:
The SISMA automaton will augment analysis capabilities by allowing the analyst to type in something like "sudan reaction to action" and it comes up with "South Sudan accuses Sudan of Airstrikes". Bingo. The query "Mali civilian crisis" comes up with "in the face of the deteriorating security situation in the north of Mali, and the looming food crisis in the region, I urge all parties to take care of the civilian population and ensure respect for human life" where the keywords are "Mali" "crisis" and "civilian". While that might not seem impressive, it came from an article entitled "EU suspends development operations in Mali". An analyst might not have found this information if he was looking for EU reactions to the Mali coup.

Thought is not linear, usually. Of course, one must be careful of mirror image bias, but one must always be. The analyst working in the Pentagon also ran a non-specific query "reaction to a threat" into the 5-day Forecast, and got articles with some of the interesting lines (with the analyst's comments in **), but to preface, in the first article (Headline: Insight: Valentine's Day mission gives BOJ new personality, Tokyo Reuters) the only 2 'words' the savant automaton drew out of "reaction to a threat" were 'challenge' and 'action'; an analyst would not find the below concepts with other search engines:
In another query "reaction to a threat" it found from other material: "The governor had just been publicly heckled by politicians over seemingly endless deflation and a yen near record highs" (*this is the threat*). "Bold steps were needed to restore the BOJ's standing, and quickly" (*this sets up the reaction to that threat*) - "...working that weekend at the BOJ knew surprise would be the key to success and so abstained from the usual practice of leaking plans to the media to massage expectations." (*a reaction to a threat*) - "So the BOJ very deliberately sent investors and politicians the signal they have been waiting for -- that it was ready to deploy unconventional weaponry to lead Japan out of deflation" (*a reaction to a threat*) - "Those who have worked with him say he is particularly uncomfortable doing something just for psychological effect (*reaction to a threat*) and in his view that includes feeding more cash to banks that have trouble absorbing the funds already available to them (*the threat, or problem that the reaction might create*) - "Indeed, the central bank has found itself playing down the impact of its February move to temper expectations of further bombshell steps." (*another reaction to a threat*)
There are many more instances of reactions to threats in this article. Perhaps the article would be found looking for 'bank*' AND 'japan*' AND 'BOJ' AND 'deflation', but you might get myriad other responses.
Indeed, when this search string "reaction to a threat" is put through Google it comes up with a lot of things that are close, and some that aren't. However, I would challenge the analyst to decipher, in simple terms, the overall theme of the reporting. Sure, in time one could come up with it, deflation is high and the BOJ is doing something about it - but to say "the BOJ may react X way to currency deflation" and discover this immediately saves a lot of time, especially if the Japanese economy is one's area of interest.
In another Reuters article, under the same search query "reaction to a threat", the automaton found this particularly illuminating hit: "Bahrain's Sunni Muslim minority, fearful of Shi'ite political assertiveness (*this is the threat*), is spawning factions that rail against compromise with the island's sectarian majority (*this is the reaction to the threat!*), while nursing their own grudges against its Sunni ruling family (*a tertiary reaction to the threat!*). Within the same article: "'It's obvious they're trying to harm the economy to pressure the government' Ge said, warning of a possible violent response if Wefaq gained cabinet seats in the current climate" ; "warning" and "response" were the words the Automaton pulled out of the search query, but the article is loaded with reactions to threats, including vigilantism, and different threats/demands. 
Another query of "reaction to a threat" found "India is particularly keen to strengthen its maritime capabilities (*reaction*), given China's pursuit of a powerful 'blue water' navy which Delhi sees as a threat to key shipping routes in the Indian Ocean and Indian energy assets in the South China Sea" (*the threat*). 
The query "impending action" came up with some very interesting hits as well; including "dangerous times", and "auction on Wednesday added to worries that the impact of the European Central Bank's one trillion euro injection of cheap three-year funds into the banking system may be coming (*impending*) to an abrupt halt (*action*)".
This kind of augmented Sensemaking IS the future for intelligence and it is here now.
What I find eerily interesting is that this post is dated Friday the 13th. Coincidence? Time will be the judge of that.

Monday, April 9, 2012

CISPA still spells "defense" which still means FAILURE

The new "son of SOPA" is CISPA (the Cyber Intelligence Sharing and Protection Act), the latest brainchild of Rep. Mike Rogers (R-Mich.), who introduced the bill along with Rep. Dutch Ruppersberger (D-Md.) and now has about 100 co-sponsors. Notwithstanding that it bloats up another level of defense-only bureaucracy, complete with demands for participants to get security clearances and offering response scenarios measured in days/weeks and not microseconds, my real issue is unchanged: defense only. Guys, anyone who has ever played a first-person shooter game knows that no one ever wins by playing defense only.

Gosh, I wish I knew a smart politician.

Monday, April 2, 2012

Dear INTERPOL, you continue to ignore practicality

Today's Networkworld story (see here) continues to ignore the reality of cybercrime and cyberwarfare in general. While you're looking for more international laws, your methodology of getting "signoff" from prosecutors by going country to country is curiously quaint:
Noble said in order to overcome legal hurdles involved with Operation Unmask, INTERPOL went directly to prosecutors in the countries concerned to ensure that available evidence would be admissible in court.
You take days and weeks to get sign off for responses to a war that takes place in milliseconds? Get serious. What you truly need is one country to authorize immediate and disproportional response by licensed and bonded cyber privateers who abide by the Cyber Privateer Code (see here). Period.

Tuesday, March 27, 2012

China hacks every major US company; former CIA/NSA director's idea for "cyber mercenaries" should be revived.

Wow, a watershed day with three postings! The latest from ZDNet today, where Cyber War author Richard Clarke is reported as saying (see here) that every major U.S. company is being regularly hacked by China. Think I'm exaggerating? Here's the verbatim:
“I’m about to say something that people think is an exaggeration, but I think the evidence is pretty strong,” Clarke said during an interview with the Smithsonian. “Every major company in the United States has already been penetrated by China…"
All of which brings to mind a rather old (July 29, 2011) Aspen Security Forum video where former CIA/NSA director General Michael Hayden suggested that cyber mercenaries "might be one of those big new ideas in terms of how we have to conduct ourselves in this new cyber domain." Granted, Hayden is just one of the old Beltway hacks trying to drum up business for his fellow pigs at the trough. But my Morgan Doctrine could be that "big new idea." Here's General Hayden's YouTube video:
Have a nice week.

My SECRET WEAPON for social media analytics: Free Quantum Leap Buzz

I've spent the last month looking at every social media analytics product I could find, trying to get my brain around the landscape. Net net: Quantum Leap Buzz (Free Edition) is really my workhorse dashboard. Not only do I get situational awareness dashboards that put me far ahead of the mainstream news media, but this sucker is free (as compared to products that cost tens of thousands of dollars and require a significant IT infrastructure). AND I get text message alerts on my cell phone, no matter where I am.

So I figured I'd share my SOCIAL MEDIA ANALYTICS MATRIX with the world (and invite anyone with corrections to let me know). I count a total of 50 products, with dozens more not covered because they are really campaign marketing platforms.

Australia not the least bit PC concerning China cyber threats

This New York Times story pretty well sums up the ongoing world concern over China's continuing threat to the cyber world. Looks like Huawei will not be allowed to bid on Australia's $38 billion nationwide broadband network. Thirteen months ago, I suggested a way for Huawei (and China) to get out ahead of this dilemma (see here). A month before that I even got poetic about Chinese attacks on my Linux server (see here). And on 11 November 2010, I even published the IP addresses of Chinese attack servers (see here).

The good news in all this? Globalization has made China and the United States rather co-dependent on many levels. But the bad news is that Australia can't truly use the same umbrella of protection. Which is why their terribly politically incorrect "bearding of the lion in his own den" could have consequences. So maybe my 27 October 2010 premise that Australia could get first-mover advantage as a sponsor for licensed and bonded cyber privateers (see my story here) might get some new legs.

Dear Australia: I have said before (see here), simply "playing defense" is a surefire guarantee you will eventually lose the war.

Monday, March 19, 2012

15 months ago, I predicted the authorship of Stuxnet & Duqu

Egads, 15 months ago—on December 6, 2010—I posted the following:
I BELIEVE THE STUXNET VIRUS was created by a lone male individual who is at least 60 years old and is working for British Intelligence, supported by U.S., German and Israeli intelligence. One of the features of any A.I. inference engine is the ability to ask it "why" it made such an inference. So in keeping with that protocol, I'll answer the "why" question. Of course, you'll see just how fuzzy my logic truly is. First, the location and frequency of countries following this blog leads me to those players: the USA, the UK, Israel and Germany, in that order. Of course, hackers from other countries could be using compromised servers in my suspect countries to make their queries, but I'm placing my bet on these four main players. My second reason for asserting that a single individual wrote Stuxnet is my long experience in the software business. Nothing truly genius ever came out of a committee or even a team. Nothing. And by all accounts, Stuxnet is not just good. It's genius. The kind of genius, by the way, that had to evolve with the industry since the beginning of the minicomputer revolution. Which would make my virus genius at least 60 years old. Finally, my assertion of male gender. Sorry ladies, but I have yet to see, meet or hear about a decent female hacker. And certainly not a world-class hacker. If I'm wrong, let me know and I'll make a public and abject apology. As my mother never said (but should have), I'm frequently wrong but never in doubt.
Either it's a slow news day, or the media is recycling old stuff because they don't have a new story. Computerworld reports today that a Kaspersky Labs researcher says Duqu may have been written by "experienced, old school programmers." I may have been wrong about an old-school Brit being the author, as the time-out of both Stuxnet and Duqu smacks (according to Richard Clarke) of American Congressional legal oversight, but "old school" rings true. Heck, my greatest programming achievements were in assembly language, and I don't think the new generation has the least appreciation of the real genius that can be unleashed by a gifted bit-diddler who's "gone native" with assembly language.

My old buddy Joseph from Spain is on the case. He solved the FBI's "unsolvable problem." It's only a matter of time before this Genius of the First Waters unveils the Duqu "old guys." Eh, Joseph?

Monday, March 12, 2012

"10 scariest hacks" from BlackHat don't even begin to cover the threat landscape

With due respect to Network World reporter Tim Greene, his summary today on the "10 scariest hacks from Black Hat and Defcon" doesn't even begin to cover the real threat of NOT articulating a guaranteed-response Morgan Doctrine to cyber miscreants. The "twitterverse" top influencer (as illustrated by my cyberwar dashboard) says it all:

Friday, March 9, 2012

Duqu "alien architecture" still a mystery

As I wrote on January 7th, the Duqu virus seems to spring out of the guts of target computers like an Alien monster. That's probably because it was created with an alien architecture. In today's Computerworld Security online alert, a telling paragraph raises a question that seems to have an obvious answer:
"When we checked Duqu it looked totally unknown and that was very curious, because it's unclear why something very custom was developed and used," said Vitaly Kamluk, chief malware expert with Kaspersky Lab's global research & analysis team.
The key statement: "…it's unclear why something very custom was developed and used…" Nothing unclear about it. As I've said on repeated occasions, the Holy Grail of the perfect virus is principle #7, Black Box Portability. Net net:

  1. A "Black Box" is an alien architecture.
  2. An alien architecture will take government-level resources to develop and maintain and evolve.
  3. The vision of cracking all future architectures is critical to future world dominance.
Given Joseph from Spain's previous success in unravelling a mystery the FBI's "best and brightest" couldn't hack, maybe he'll come up with an answer to this conundrum. Who is the architect and what is the alien architecture? Joseph? Answers?

Saturday, January 7, 2012

Duqu "hints" of an alien architecture

My Quantum Leap Buzz "cyberwar dashboard" fired off a new alert to me about the Duqu command and control servers being "…written in a language the researchers had never seen before…"
The link cited an article, in which I found the following paragraph:
Another question is that one of the components for the Duqu command-and-control (C&C) servers was written in a programming language that the researchers had never seen before. "It was a very curious procedural language .. we don't know why they chose to write it in a different language, and we don't know what this language is," Raiu says. "Solving this [may] help us understand who created the communication module, or if different groups don't know about one another," for example, he says.
I've written multiple times about the "holy grail" of The Perfect Virus being Black Box Portability (principle #7). From this latest bit of intelligence (I really like running my own news-aggregation/analysis dashboard, rather than leaving it up to any news organization to tell me what THEY think is important), I make the following inferences:

  1. The creators of Duqu have made a government-level investment in attack architecture.
  2. The creators of Duqu are a Western government (most likely the U.S.).
  3. This may explain the slacking off of China's cyber misbehavior (i.e., "There's a new sheriff in town.").
  4. If I were one of the whacky anarchists attacking supporters of SOPA (the Stop Online Piracy Act), I'd think twice about using extra-legal means, as a late-teen/twenty-something serving hard prison time could have some nasty experiences in the general population of a federal prison.
Net net: You wild and zany guys from Anonymous/Lulzsec might line up some legal heavyweights. And when you decide to file lawsuits challenging SOPA, you might seriously consider filing in the jurisdiction of the only federal judge who knows diddly-squat about cyber law. That would be Judge Clark Waddoups in Utah, about whom I opined over a year ago (see my article on how Judge Waddoups kept 1-800Contacts from hijacking the Internet).

I just got an email obviously sent by Anonymous to all of the Stratfor subscribers giving me George Friedman's mobile and home phone numbers, along with a spoof "butthurt" incident report website. While I am ashamed of myself for laughing so hard, especially since I think George Friedman and Stratfor have been pretty on the money in their analyses, I'm afraid that some hard jail time for the anonymous culprits will give their concept of "butthurt" a whole new meaning.

Oh, yes. And for those of you who are the least bit paranoid, I'd recommend getting your own BUZZ dashboard going and sending your cell phone text messages whenever the H5N1 virus starts trending into your state. If you wait for the evening news to figure out there's a story afoot, it could be way too late for you and your family.