Thursday, January 31, 2013

New York Times Hit by Chinese Zombies

My August 1, 2012 story suggesting that the dawning passion of the New York Times for cyber security was still misplaced (read my story here) has just had a postscript. I chided them for buying into the current U.S. mindset that we can play defense only. Hence today's story about their being attacked for the last four months (see their story here) because of an October 25 story exposing the nepotism of China's prime minister Wen Jiabao. Most laughable was the Times assertion:
“Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,” said Jill Abramson, executive editor of The Times.
What makes the above laughable is the admission three paragraphs later:
Security experts found evidence that the hackers stole the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees, most of them outside The Times’s newsroom. Experts found no evidence that the intruders used the passwords to seek information that was not related to the reporting on the Wen family.
Yeah, right. Much of the story highlights how clever "security experts" and the NYT were in playing defense. The rest of the story outlines other cyberwar exploits. None of the story recognizes the obvious. With due respect, a game plan dedicated 100% to playing defense is flawed on too many levels to enumerate. Too bad "America's newspaper of record" hasn't considered a dialogue about offensive options beyond a bloated federal bureaucracy that can't even secure itself. Too bad we can't publicly debate the merits of unleashing the real creativity and strength of America—licensed and bonded privateers (a la the Revolutionary War) who adhere to the Privateer Code (see—to put a stop to hackers and bad-cyber-citizen governments and their exploits.


Tuesday, January 29, 2013

Java could out-Google Google

On August 17, 2012, I congratulated Google on being the only company that's really "doing it right" in uncovering bugs (see story here). Today, they just raised the ante from $2 million to $3.14 million. Which brings me to the almost-daily headlines about holes in Java and the animosity generated by the piggybacking Ask toolbar "crapware" foisted during Java updates. The one way that Oracle could "out-Google Google" would be to (wink, wink) encourage a similar competition to identify and cripple cyber thieves who use Java exploits. The rewards could be paid anonymously from a country without an extradition treaty with the U.S.…like Taiwan. How about a $10-million bounty pool? Somehow Oracle needs to turn around this PR tailspin before Java becomes the next Flash (pun intended) in the pan.

Tuesday, January 15, 2013

Solution to Oracle's Java Security Problem

Today's Network World article "77 More Great Ideas for Running a Security Program" (read 'em here) is a decent defense-only playbook of ideas. Given the security pressure on Oracle's Java toolset, I hereby nod to the Captain of my Cyber Privateering Fantasy League Team (meet 'em here), Larry Ellison. So Larry, how about you find a small country that doesn't have an extradition treaty with the United States, and get them to set up an aggressive Cyber Privateering response mechanism? You could fund the whole operation from loot collected from cyber thieves worldwide, and make Java-exploit miscreants your poster children for what happens to bad Internet citizens. Find somebody to run the operation who has worn out his welcome in the U.S. and fund him (wink wink) with a gift to his ailing mother. Taiwan immediately comes to mind and makes sense for a lot of very good reasons. Think about it. The 78th Great Idea for Running Java Security!

Monday, January 14, 2013

Alien Architecture "In The Wild" Yet?

On June 21, 2011 (see here), I posted Michael Fiske's landmark work on a roach-proof and totally secure computer architecture. Michael just sent me an update on his recently published paper titled Turing Incomputable Computation (see here). This would appear to be The Perfect Architecture for launching a cyber attack of global proportions. I have no evidence that such an architecture exists "in the wild" yet, but I would be quite surprised if at least three countries hadn't funded or aren't well into building their own quantum random active element machine. Naturally, The Perfect Virus would, by definition, be able to "grok" the mathematics behind and "crack" this alien architecture. How? Hint: Stephen Wolfram's A New Kind of Science. Boy oh boy, but 2013 could be interesting.

Tuesday, January 8, 2013

Dear CIA-nominee John Brennan

Congratulations on your nomination yesterday by President Obama to head the CIA. You've been a vocal advocate of stronger infrastructure-protecting cybersecurity legislation. With due respect sir, leaving this important job to government employees or to hackers dumb enough to get caught and plea bargain services in exchange for suspended jail time is not a wise strategy. You want to motivate the people who DON'T get caught to join the team. To my mind, the best way to do this is to incentivize the process by creating the next big monetization gold rush: licensed and bonded cyber privateers.

I would be delighted to have a lively conversation with you on the subject. Because stronger infrastructure-protection legislation does nothing to protect our real crown jewels: America's small business and commerce engine. We're getting hit hard and often, and will continue to get slaughtered if you keep our hands tied and insist we play defense only.


Monday, January 7, 2013

So-called "Experts" Recommend Deception and NOT Counterattack.

It didn't take long for the stupidest thought of the new year to emerge. Today's Network World story (see it here) has the headline: "Thinking of a counterattack? Deception is better, say experts." Alas, the "experts" rationale is yet another defense-only concoction guaranteed to fail:
There is no such thing as a bulletproof firewall against digital attacks. And it's risky, and probably illegal, to "hack back," or try to launch preemptive strikes against attackers who are trying to steal your intellectual property or the identities and confidential information of your customers and employees.
I added the red to the above quote. Hell yes it's illegal! So we have yet another offhand justification for the status quo? When the heck is someone going to whack Congress in the side of the head and let us take off the kid gloves? Licensed and bonded cyber privateering could be the big money industry of this still-young decade.

The other last-of-the-stupid headlines of 2012 came on Christmas Day from the New York Times with the headline: "Iran suggests attacks on computer systems came from the U.S. and Israel" (see story here). The word "suggests" (which I put in red) is the knee slapper. Since the administration actually bragged about it before the election, I think the word "suggests" is just silly.

Okay, I'll now turn the network over to your regularly scheduled programming.