

To Cyber or Not to Cyber…That is the RSAC Talk Analysis

I don’t know where you are, but the data analysis of the RSA Conference by the prestigious Cyentia Institute is amazing. They wrote algorithms to tell us what the “most important” talks are each year from 25 years of security conference data, and illustrate our industry’s trend over time. Who can forget “A top 10 topic in 2009 was PDAs”?

This is the slide that made everyone laugh, of course:

Trends going up? GDPR, Ransomware, Financial Gain and Extortion. Big Data exploded up and then trends down over the last five years.

Trends going down? BYOD, SOX, GRC, Hacktivism, Targeted Attack, Endpoint, Mobile Device, Audit, PCI-DSS, APT, Spam…

Endpoint going down is fascinating, given how the current war between ex-McAfee marketing executives is going full-bore. RSAC 2018 Expo Protip: people working inside Crowdstrike and Cylance are hinting on the show floor how unhappy they are with the noise made about a high bar of attribution to threat actors, given their actual products’ low bar of performance and value.

That’s just a pro doing qualitative sampling, though. Who knows how reliable the sources are, so consider the implications of qualitative analysis as well.

Some cyber companies talk threat actor the way Lockheed Martin talks when they want to sell you their latest bomb technology. Is that bomb effective? Depends how and what we measure. Ask me about 1968 OP IGLOO WHITE spending $1B/year on technology based on threat actor discussions almost exactly like those we see in the ex-McAfee Marketing Executive company booths…

Posted in History, Security.


RSA Conference 2018: Fun Telco History in SF

Welcome to SF everyone! As the RSA Conference week begins, which really is a cluster of hundreds of security conferences running simultaneously for over 40,000 people converging from around the world, I sometimes get asked for local curiosities.

As a historian I feel the pull towards the past, and this year is no exception. Here are three fine examples from hundreds of interesting security landmarks in SF.

Chinese Telephone Exchange

During a period of rampant xenophobia in America, as European immigrants were committing acts of mass murder (e.g. Deep Creek, Rock Springs) against Asian immigrants, a Chinese switchboard in 1887 came to life in SF (just before the Scott Act). By 1901 it moved into a 3-tier building at 743 Washington Street. Here’s a little context for how and why the Chinese Telephone Exchange was separated from other telephone services:

Today when you visit Chinatown in SF you may notice free tea tastings are all around. This is a distant reminder of life 100 years ago, even for visitors to the Chinese Telephone Exchange, as a San Francisco Examiner report describes in 1901:

Tea and tobacco are always served to visitors, a compliment of hospitality without which no Chinese business transaction is complete

At its peak of operation about 40 women memorized the names and switching algorithms for 1,500 lines in five dialects of Chinese, as well as English of course. Rather than use numbers, callers would ask to be connected to a person by name.

The service switched over 13,000 connections per day until it closed in 1949. Initially only men were hired, although after the 1906 earthquake only women were. Any guesses as to why? An Examiner reporter in 1901 again gives context, explaining that men used anti-competitive practices to make women too expensive to hire:

The Chinese telephone company was to put in girl operators when the exchange was refitted, and doubtless it will be done eventually. The company prefers women operators for many reasons, chiefly on account of good temper.

But when the company found that girls would be unobtainable unless they were purchased outright, and that it would be necessary to keep a platoon of armed men to guard them, to say nothing of an official chaperon to look after the proprieties, the idea of girl operators was abandoned.

“They come too high,” remarks the facetious general manager, “but in the next century we’ll be able to afford them, for girls will be cheaper then.”

Pacific Telephone Building

One of the first really tall developments in SF, which towered above the skyline (so tall it was used to fly weather warning flags and lights) for the next 40 years, was the Pacific Telephone offices. At 140 Montgomery Street, PacTel poured $4 million into their flagship office building for 2,000 women to handle the explosive growth of telephone switching services (a far cry from the 40 mentioned above at 743 Washington Street).

By 1928, the year after 140 New Montgomery was completed, the San Francisco Examiner declared “with clay from a hole in the ground in Lincoln, California, the modern city of San Francisco has come.”

It was modeled after a Gottlieb Eliel Saarinen design that lost a Chicago competition, and came to life because of the infamous local architect Timothy Pflueger. Pflueger never went to college yet left us a number of iconic buildings such as Olympic Club, Castro Theater, Alhambra Theater, and perhaps most notably for locals, a series of beautiful cocktail lounges created in the prohibition years.

AT&T Wiretap

Fast-forward to today and there are several windowless tall buildings scattered about the city, filled with automated switches connecting the city’s copper and fiber. One of particular note is 611 Folsom Street, near the latest boom in startups.

Unlike the many years of American history where telco staff would regularly moonlight by working for the police, this building gained attention for a retired member of staff who disclosed his surprise and disgust that President Bush had set up surreptitious multi-gigabit taps on telco peering links.

“What the heck is the NSA doing here?” Mark Klein, a former AT&T technician, said he asked himself.

A year or so later, he stumbled upon documents that, he said, nearly caused him to fall out of his chair. The documents, he said, show that the NSA gained access to massive amounts of e-mail and search and other Internet records of more than a dozen global and regional telecommunications providers. AT&T allowed the agency to hook into its network at a facility in San Francisco and, according to Klein, many of the other telecom companies probably knew nothing about it.

[…]

The job entailed building a “secret room” in an AT&T office 10 blocks away, he said. By coincidence, in October 2003, Klein was transferred to that office and assigned to the Internet room. He asked a technician there about the secret room on the 6th floor, and the technician told him it was connected to the Internet room a floor above. The technician, who was about to retire, handed him some wiring diagrams.

“That was my ‘aha!’ moment,” Klein said. “They’re sending the entire Internet to the secret room.”

[…]

Klein was last in Washington in 1969, to take part in an antiwar protest. Now, he said with a chuckle, he’s here in a gray suit as a lobbyist.

In some sense we’ve come a long way since 1887, tempting us to look at how different things are from technological change, and yet in other ways things haven’t moved very far at all.

Posted in History, Security.


US discusses authorizing cyber attacks outside “war zone”

In a nutshell, traditional definitions of war linked to kinetic action and physical space are being framed as overly restrictive given a desire by some to engage in offensive attacks online. The head of NSA is asking whether reducing that link and authorizing cyber attack within a new definition of “war” would affect the “comfort” of those holding responsibility.

“[On offense] the area where I think we still need to get a little more speed and agility — and as Mr. Rapuano indicated it is an area that is currently under review right now — what is the level of comfort in applying those capabilities outside designated areas of hostility,” Rogers asked out loud.

“I don’t believe anyone should grant Cyber Command or Adm. Rogers a blank ticket to do whatever you want, that is not appropriate. The part I am trying to figure out is what is the appropriate balance to ensure the broader set of stakeholders have a voice.”

Rapuano also referenced challenges associated with defining “war” in the context of cyber, which can be borderless due to the interconnected nature of the internet.

“In a domain that is so novel in many respects, and for which we do not have the empirical data and experience associated with military operations per se, particularly outside areas of conflict, there are some relatively ambiguous areas around ‘well what constitutes traditional military activities,’” said Rapuano. “This is something that we are looking at within the administration and we’ve had a number of discussions with members and your staffs; so that’s an area we’re looking at to understand the trades and implications of changing the current definition.”

While I enjoy people characterizing the cyber domain as novel and borderless, let’s not kid ourselves too much. The Internet has far more borders and controls established, let alone a capability to deploy more at speed, given they are primarily software-based. I can deploy over 40,000 new domains with high walls in 24 hours, and there’s simply no way to leverage borders as effectively in the physical world.

Even more to the point I can distribute keys to access in such a way that it spans authorities and bureaucratically slows any attempts to break in, thus raising a far stronger multi-jurisdictional border to entry than any physical crossing.

We do ourselves no favors pretending technology is always weaker, disallowing for the prospect of a shift to stronger boundaries of less cost, and forgetting that Internet engineering is not so much truly novel as a revision of prior attempts in history (e.g. evolution of transit systems).

My recent talk at AppSecCali for example points out how barbed wire combined with repeating rifles established borders faster and more effectively than the far more “physical” barriers that came before. Now imagine someone in the 1800s calling a giant field with barbed wire border-less because it was harder for them to see in the same context as a river or mountain…

Posted in History, Security.


Lessons in Secrets Management from a Navy SEAL

Good insights from these two paragraphs about the retired Rear Admiral Losey saga:

Speaking under oath inside the Naval Base San Diego courtroom, Little said that Losey was so scared of being recorded or followed that when the session wrapped up, the SEAL told the Navy investigator to leave first, so he couldn’t identify the car he drove or trace a path back to his home.

[…]

…he retaliated against subordinates during a crusade to find the person who turned him in for minor travel expense violations.

Posted in Sailing, Security.


Holding Facebook Executives Responsible for Crimes

Interesting write-up on Vox about the political science of Facebook, and how it has been designed to avoid governance and accountability:

…Zuckerberg claims that precisely because he’s not responsible to shareholders, he is able instead to answer his higher responsibility to “the community.”

And he’s very clear, as he says in interview after interview and hearing after hearing, that he takes this responsibility very seriously and is very sorry for having violated it. Just as he’s been sorry ever since he was a first-year college student. But he’s never actually been held responsible.

I touched on this in my RSA presentation about driverless cars several years ago. My take was the Facebook management is a regression of many centuries (pre-Magna Carta). Their primitive risk control concepts, and executive team opposition to modern governance, puts us all on a path of global catastrophe from automation systems, akin to the Cuban Missile Crisis.

I called it “Dar-Win or Lose: The Anthropology of Security Evolution”

It is not one of my most watched videos, that’s for certain.

It seems that talks over the years where I frame code as poetry, with AI security failures as an ugly performance, garner far more attention. If the language all programmers know best is profanity, who will teach their machines manners?

Meanwhile, my references to human behavior science to describe machine learning security, such as this one about anthropology, fly below radar (pun intended).

Posted in History, Poetry, Security.


Supply Chain Accountability: Will There Be a Cyber Toyota War?

Back in 2015 there was some serious consideration of why Toyotas were so often used by terrorist groups the US considered their enemy. Here’s some manufacturers-gonna’-manufacture rationalization:

All of this is to show that any sort of dark alliance between Toyota and the Islamic State is completely specious. The Toyota happens to be the vehicle with the greatest utility; the color of the pickup truck is driven by Asian tastes and the fact that desert heat dictates that white cars are simply more comfortable than black ones; and that Toyota trucks are driven by ISIS is dictated more by the sheer numbers produced and a reputation for quality than some nefarious plot by a well-respected Japanese automaker to supply a terroristic organization.

Simply put: It’s practically guaranteed that any paramilitary force in the Middle East will standardize on white Toyota pickup trucks.

It’s not an unreasonable argument to make. My main quibble with that article is it says nothing about Chad. If you’re going to talk about Toyota at war, you have to at least make mention of the US role with Toyota pickups sent into battle January 2, 1987:

…no one would have ever guessed that the Toyota pickup truck would come to play an important role in warfare history. This is the little-known story of how an army comprising 400 Toyota pickups outgunned, outsmarted, and outmaneuvered a superior force equipped with tanks and aircraft.

[…]

In the brutal engagement with 1,200 Libyan soldiers and 400 members of the Democratic Revolutionary Council militia, the Chadian army and its Toyota pickups made mincemeat of the Libyan stronghold in Fada. At the end of the day, the Libyan armored brigade in Fada had lost 784 soldiers, 92 T-55 battle tanks, and 33 BMP-1 infantry fighting vehicles.

Chadian losses, on the other hand, were minimal: 18 soldiers and 3 Toyota pickup trucks. January 3 and 4 saw the Libyan Air Force try to annihilate the Chadian soldiers and their trucks, but all bombing attempts failed thanks to the outstanding mobility of the Toyota Hilux.

Ok so let’s be frank. It is preposterous to say no one would have ever guessed superior technology would come to play an important role in warfare history. That is literally what happens in every major conflict. Warriors don’t ignore advantages. So there’s a very good argument against that perspective up top, which is that Toyota have for many decades been supplying exactly the technology desired in warfare, and watching the global purchases turn into military purposes.

“Don’t worry about transport, my good bud Habre, we’re flying Toyotas in tonight for you by C-130”

Whether Toyota can or should stop product flow somewhere along the route is another story. Consider for example that their pickup trucks get assembled in San Antonio, Texas and Baja California, Mexico. Hyundais converted into VBIEDs were said to have been the result of a local manufacturing plant simply overrun by military forces. How difficult control of Toyota’s supply chain is can further be demonstrated by American companies who lately have been boasting of re-directing Toyota machines straight into warfare:

Battelle, an applied sciences and technology company based in Columbus, Ohio has put out a video explaining how it turns ordinary vehicles into extraordinary ones. According to the company, it’s been creating what it calls “non-standard commercial vehicles” since 2004. Battelle sources Toyota HiLux pickup trucks and Land Cruiser sport utility vehicles, as well as Ford Ranger pickups as a baseline to create their “non-standard” vehicles.

Non-standard sounds far better than dark alliance or nefarious plot, I have to admit. Ultimately, though, it comes back to Toyota being on top of its total supply chain and helping investigate use cases of their supply that violate law or its values.

On the one hand releasing product into the wild (e.g. right to repair) creates freedom from corporate control; on the other hand corporations have a duty to reduce harms that result from their creations. Balance between those two ends is best, as history tells us it’s never going to be perfect on either end of the spectrum.

See also: “[Recipient of President Reagan’s product shipments] sentenced to life for war crimes”

“As a country committed to the respect for human rights and the pursuit of justice, this is also an opportunity for the United States to reflect on, and learn from, our own connection with past events in Chad,” [Secretary of State Kerry] said, apparently referring to U.S. support for Habre in the 1980s to help assuage the influence of Libya’s Moammar Gadhafi.

Posted in History, Security.


UK Army Museum Reveals Hidden World of the Special Forces

The National Army Museum in Chelsea, London has freshly opened a new exhibit for you to see if you can see what you’re not supposed to see:

The exhibition looks at the work of [five elite] units as well as the skills and dedication needed to make the cut.

From real-life events, like the Iranian Embassy Siege, to portrayals in popular culture, come and explore the hidden world of the Special Forces.

With just 85 views so far of their promotional video, I’m going to sneak out on a limb here to say coming out of the shadows might be harder than the museum thinks.

Posted in History, Security.


Will Facebook CSO Face Jail Time?

Russell Wasendorf allegedly stole over $215 million from his customers and falsified bank statements to cover it up. Bernie Madoff was arrested for losing $50 billion while running Ponzi schemes. Jeffrey Skilling was initially sentenced to 24 years in prison and fined $45 million for recording projected future profits as actual profits.

Is the Facebook CSO becoming the new Enron CFO story?

After all, the CSO in question is known for declaring projected future plans as actual security features. When he joined Yahoo to take his first ever job as CSO (also breached catastrophically during his short time there) he pre-announced end-to-end encryption was coming. He never delivered and instead quietly quit to take another shot at being CSO…at Facebook.

It’s serious food for thought when reading about the historic breaches of Facebook that began around the time he joined and continued for years under his watch. It’s been said he’s only giving lip service to users’ best interests (given his failed Yahoo delivery) and more recently it’s been said adversaries to the US targeted him as a “coin operated” asset (given his public hostility to US government).

At this point it will be interesting to see if standing idly for so long and allowing mounting harms to customers, personally profiting from damages done, will lead to any kind of penalty akin to Skilling’s.

“Today, given what we know… I think we understand that we need to take a broader view of our responsibility,” [CEO] said.

“That we’re not just building tools, but that we need to take full responsibility for the outcomes of how people use those tools as well.”

[…]

Facebook has now blocked the facility.

“It is reasonable to expect that if you had that [default] setting turned on, that in the last several years someone has probably accessed your public information in this way,” Mr Zuckerberg said.

The last several years represent the tenure of the CSO in question. “Today, given what we know?” That responsibility was no secret before he joined, and it should not have taken so many years to come to the realization that a CSO is meant to stop harm instead of profiting from it. So the question becomes what is next for the man whose first and only two attempts at being a CSO have ended in the largest breaches in history.

Posted in Security.


Cyclists Defeat Cars in Urban Speed Challenge

This should be obvious to anyone who rides a bicycle in a city. Alas we also have studies to prove it true, year after year:

Since the event began in 2009, one mode has ruled supreme in terms of speed.

“People on bikes have beaten their car-driving counterparts more than two-thirds of the time,” Jane says. “A lot of people are surprised by that, because they don’t realize how fast and convenient cycling for transportation can be.”

This is confirmed by a 2017 study from the German Federal Environmental Agency, which determined that–in an urban setting–bikes are faster than cars for trips up to five kilometres. As it turns out, drivers vastly underestimate time spent sitting in traffic, searching for parking, and walking to their final destination.

Two-thirds is a crushing defeat for cars, and that’s simply measuring performance. When you add in the health and environment benefits it begs the question what people really value when riding in a car in a city.

Posted in Energy, Security.


Cyberspace Intervention Law and Evolving Views

I’m putting two opinion pieces by the esteemed Michael Adams together and getting an odd result.

While reflecting on “detailed analysis that is being conducted at USCYBERCOM, across agencies and at events like the Cyber Command legal conference”, Michael opines that the US has taken no position on whether it would come to the aid of a victim, or side with an aggressor, when confronted with cyberattack.

The U.S. asserts that extant international law, to include International Humanitarian Law (IHL) applies to cyberspace, but it has yet to offer definitive guidance on what cyberattacks, short of those causing obvious large scale kinetic destruction, constitute a prohibited use of force or invoke the LOAC. While the Tallinn Manual 2.0 may be the most comprehensive treatise on the applicability of international law to cyberspace thus far, it was developed without the official participation of, and has not been sanctioned by, States. The U.S. Government, for example, has taken no official position on the views set forth in the Manual.

Meanwhile, an earlier opinion piece tells us that taking action with fire-and-forget remote missiles hitting a far away target, while not trying to “use the law as a shield”…deserves something akin to his respect:

…from the perspective of a lawyer who has advised the highest levels of military and civilian officials on literally thousands of military operations, there is something to be said for a client that refuses to use the law as a shield for inaction and that willingly acknowledges that other factors weighed most heavily on his or her decisions.

Maybe I’m reading too much into the theme across work here, but I get a sense if the aggressor is far enough removed from accountability, let alone retaliation, then long-distance attack wouldn’t bring an urge to bother with any shields including the law. This surely is the attraction to “swivel-chair” aggressors of using missiles and keyboards. Perception of their inaction in a lawyer’s eye is erased simply by pushing a button even when a chance of success is as remote as their targets.

Posted in Security.