When Is Electronic Espionage an “Act of War”?

Is the U.S. engaged in a “cyber war?” 

Until recently the identity of the perpetrators of cyber-attacks against U.S. networks, infrastructure and the military was clouded in suspicion and not spoken of out loud. There has been much speculation about cyber war or a cyber Pearl Harbor, but no official declaration of what constitutes cyber war, and no naming of names, until now.

In March, General Keith Alexander, speaking before Congress, and in May, Secretary of Defense Leon Panetta, during an interview with ABC News, openly named China as the main perpetrator and offered criteria for defining cyber war. General Alexander, the Director of NSA and CYBERCOM commander, stated, “China is stealing a ‘great deal’ of military-related intellectual property from the United States and was responsible for last year’s attacks against cyber security company RSA . . . .”[1] Secretary of Defense Panetta said, “Well, there’s no question that if a cyber attack, you know, crippled our power grid in this country, took down our financial systems, took down our government systems, that that would constitute an act of war.”[2]

Over the last year the Department of Homeland Security (DHS) has voiced its concern over the vulnerability of our critical infrastructure (oil and gas refineries, electric grids and nuclear reactors) to potential cyber-attacks. If you are not fully convinced of the threat, consider the “Shady RAT (remote access tool)” report by McAfee, which identifies companies and governments that recently discovered hackers had been in their networks, undetected, for the last five or six years.[3]

One might conclude that a clear picture is emerging, but is it? 

During the Cold War, when government secrets were stolen, it was treated as espionage or spying. Remember the spies tried for espionage, Aldrich Ames and Robert Hanssen, and the shoot-down of Gary Powers and the U2 spy plane over the USSR. What if a nation placed “sleeper cells” in its adversary’s country, ready to attack critical infrastructure if a war broke out? Would this be considered spying and part of the “cat and mouse” game, or grounds for a retaliatory strike?

Does the fact that these activities can now be accomplished electronically from the safety and comfort of your own nation change the playing field? At the time, we probably considered the flights of the U2 relatively safe since it flew above the threat zone of anti-aircraft guns. Does stealing terabytes of military secrets or planting logic bombs in critical infrastructure (to be launched at a moment’s notice to disable the infrastructure) cross the line from espionage to war or an “act of aggression”?

These and many similar scenarios are now the new normal and must be defined as nations and the international community grapple with technology and with current and future capabilities. Where should the line be drawn? Do we just accept that an adversary, via computers, can now access and potentially steal, manipulate, or destroy information and functionality, or should nations aggressively draw the line now and openly retaliate in protest?

Obviously, as Secretary of Defense Panetta stated, if you disrupt critical infrastructure, deny critical communications, or blind a military defense system, the line has likely been crossed.  Certainly defacing a website does not even come close to being an act of war or aggression.  What about stealing terabytes of military secrets to later be used to disable your adversary’s defenses?  Possibly!  For now the line will be defined by the reactions of various nations faced with cyber-attacks.  If a nation does nothing or retaliates with a similar attack, e.g. theft for theft, then a line has been drawn and a precedent set.

A similar problem is the issue regarding Iran and nuclear weapons. Is Iran’s pursuit of nuclear weapons, and statements attributed to them about annihilating Israel and the West, enough provocation to take aggressive action to prevent them from obtaining a bomb? Clearly no one wants to escalate the situation, but most agree something must be done before it is too late. Similarly, in the cyber arena, all interested parties are reacting very cautiously in their response to cyber-attacks, likely to avoid escalation and the setting of precedent.

In the Estonian and Georgian conflicts the reaction was to block, clean up, and speculate about who may have launched the attacks, and only the media claimed cyber war. Not until recently has a nation, namely the U.S., been so vocal about who is using cyber espionage and attacks to invade and plague its networks.


[1] J. Nicholas Hoover, “NSA Chief: China Behind RSA Attacks,” InformationWeek Government (Mar. 27, 2012), http://www.informationweek.com/news/government/security/232700341.

[2] Jake Tapper, “Leon Panetta: A Crippling Cyber Attack Would Be ‘Act of War’,” ABC News (May 27, 2012), http://abcnews.go.com/blogs/politics/2012/05/leon-panetta-a-crippling-cyber-attack-would-be-act-of-war/.

[3] McAfee, “Operation Shady RAT” (white paper), http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf.

NSA announces new Cyber Operations program

From the desk of the NSA, a new National Centers of Academic Excellence (CAE) program has been formed:

The CAE-Cyber Operations program is intended to be a deeply technical, inter-disciplinary, higher education program firmly grounded in the computer science (CS), computer engineering (CE), and/or electrical engineering (EE) disciplines, with extensive opportunities for hands-on applications via labs/exercises.

“Extensive opportunities for hands-on” is perhaps a subtle way of saying the U.S. is a little behind in its “collection, exploitation, and response” work. Apparently the U.S. Government is having a hard time finding talent.

DHS with great fanfare announced in 2009 that it would hire 1,000 cybersecurity experts. At a House Homeland Security Committee hearing, Philip R. Reitinger, deputy undersecretary for the National Protection and Programs Directorate, admitted that the department has fallen far short, and has only brought on some 260 new personnel. The new goal is 400 by October 2012. This comes at a time when the White House is giving more responsibility to DHS to protect computer networks in not only the civilian departments, but in the private sector as well.

If you think that it is nice of the U.S. Government to train students to fill the gap, you would not be mistaken:

The program is in support of the President’s National Initiative for Cybersecurity Education (NICE)

The NSA program to promote information assurance and cybersecurity was started in 2004, yet there are only 145 CAEs (3% of institutions). Almost a dozen U.S. states still do not have even one CAE.

Aside from the scope of the project there is the question of effect. Will boosting the number of CS/CE/EE students move the dial for national security on its own? We repeatedly see that human behavior is both the source of and the solution to serious risk. What will the NSA do about training students for the soft power element of smart power?

iPad Security and U

Take a look at these iPad billboards and what comes to mind?



You can see the contents of the screen. The Apple iPad marketing campaigns have zero confidentiality emphasis... ok, to be fair, they include an important but subtle detail: Apple iPad ads ALWAYS involve just one person.

How many hands have you seen on the iPad in their ads? How many sets of eyes are looking at the iPad? The implication is a single-user model.

The day I first was given an iPad is still vivid in my memory. A friend who is always buying the latest gadget and somehow acquiring devices before they hit the street handed me their shiny new Apple iPad. It looked light to me but the moment it hit my hand I couldn’t believe how heavy and clunky it felt. I gave it back immediately and said “why so heavy?” She said “yeah, I know, my wrist hurts when I use it. I had to buy a stand”.

The marketing team at Apple obviously wasn’t immune to this, because their next version of the iPad dropped 112g (1/4lb) and came with a marketing campaign that clearly emphasized the same point. The new imagery was very powerful. In one simple picture it said to me “sorry about that last one, we’ve fixed it now.”

But seriously, there was the mysterious single-user view in the marketing again. I soon became curious enough that I started monitoring iPad marketing images. iPad 1 being single-user might have been a rushed product delivery, but iPad 2 was also being billed as single-user only. That did not match my experience with mobile devices.

In my experience people are forever handing me their iPad and saying “look at this” or “check out that”. On one flight the executive next to me said “I just bought this because everyone is getting them but don’t know what to do with it. Can you show me?” I showed him how to read a magazine, and play Angry Birds. It was a touching shared moment. Yet when I look at the Apple marketing I see just one pair of hands, one pair of eyes. Here’s a sample of what I’m talking about:

I did not give up until I finally found two examples with more than one user.

One is a parent/child ad, but at least it’s not single-user. It still puts the viewer in the single-user view yet it allows for the possibility of another set of eyes and hands.

The other ad appears to be a sales presentation. At first I was excited to find another multi-user ad. After thinking about it I realized it’s still single-user. The second person is not participating. They are just a stand. It might even be an ad for an iPad-holding service. They tend to be kind of heavy…

If you can find any other examples of multi-user iPad marketing, please let me know. This study has become part of the research I have been asked to do on why people have such a strong entitlement view when it comes to BYOD.


Update February 2013: It’s been a year already and Apple has launched a new marketing campaign called… “Together”.

This seems to show more of the real-world that I was talking about.

An entire band sharing one instrument at the same time? Perhaps I was asking the wrong question.

I have to admit this does show multiple hands.

However, it misses the far more important point I was trying to make about multi-user identification.

A band (four sets of hands) is still a single shared identity versus setting up four musicians with personalized space to protect their own data/tracks, if you see what I mean.

Flame On

The analysis published on Flame has been amusing. Apparently Stuxnet is no longer considered sophisticated. Surprise.

Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different…Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated.

Many characteristics are shared? Interesting, except that later in the same page you will find this:

Flame has no major similarities with Stuxnet/Duqu.

Perhaps it is too early to ask for clarity. But I have to say my favorite example so far is this:

Stuxnet, Duqu and Flame are all examples of cases where we — the antivirus industry — have failed.

Are we expected to believe that a 12% success rate for catching viruses is a shining success? Is there anyone who would like to argue that the antivirus industry is in need of examples of failure? Seems like everyone already has plenty to go around before hearing of Flame (Flamer, SkyWiper).

Don’t get me wrong, I am an advocate of using black-lists as one control to block threats. I also am an advocate for fences. They serve a purpose. The point is to know the difference between levels of defense, like the difference between a six-sided box and a four-sided box. If you’re running a four-sided box defense (e.g. you black-list wheeled threats) don’t be surprised when attackers jump over and under. Failure is a relative term and we should put anti-virus in its place. Definitely not a cure-all. On the other hand, I look forward to hearing how installation of 20MB of malware was not noticed.

The large size of the malware is precisely why it wasn’t discovered for so long. In general, today’s malware is small and focused. It’s easier to hide a small file than a larger module.

Easier to hide small than large, which is why large was not discovered? Never mind. I’ll wait for an update on that point too. In the meantime, here’s one of the characteristics that makes Flame different. It is described as sophisticated because

recording of audio data from the internal microphone is also rather new. Of course, other malware exists which can record audio

Those two sentences seem to contradict each other. It’s rather new, but other malware does it already? I have a different definition of rather new — audio attacks are as old as audio. I remember malware (Ivar, an extension for Mac System 7) in 1992 that had audio remote control. It used a fake system bomb to get the user to register the extension, and then the Macintosh was tapped. I’ve run into examples since then as well, and I’m not just talking about the occasional webcam fiasco.

That same article makes the point that 3000 lines of code would take about a month. Of course it takes far less than a month to write 3000 lines if you’re collaborating or borrowing code. I point that out because Flame sounds an awful lot like the child monitoring applications on the market. Mixed-capability monitoring is par for the course when you are a parent or a civil/corporate investigator. In fact, in 2005 I used a similar tool for a case…

Maybe I am wrong and Flame really is a giant black eye for anti-virus vendors, and maybe I’m wrong and it was developed from scratch in an isolated lab at a very high cost. Even so, for me the most interesting part of this story is not the old debate over whether the code is sophisticated or not.

The part I noticed right away is that Jordan, Yemen, and Eritrea are supposedly unaffected or at least far below the top affected countries. That says a lot about intent if you believe intent is a factor. I keep that in mind when I look at the usual analysis that malware in Iran is spread on a Western-dictated attack path.

The malware is most likely created by a Western intelligence agency or military.

OK, then why isn’t it in the places that Western intelligence agencies monitor? Does Yemen, a so-called “breeding ground for terror”, or Eritrea have an anti-virus program we should know about?