Active Defense: Is it time to test in court? Correcting the Record!

by David Willson

On 16 January I did two webinars with Bright Talk.  One titled, “Active Defense: It is Legal and Will It Actually Improve your Security?,” and the other a panel entitled, “The single greatest security challenges for 2013.” 

Quick side note, due to my zeal for this topic I babbled on too long in the Active Defense webinar and ran out of time before getting to the meat of the issue.  But I am going to do another on 13 March and will manage my time better.  Anyway, Peter Judge moderated the panel for the other webinar and Active Defense was my portion. 

We had a great discussion and I would encourage you to listen if you are interested.  It can be found here: https://www.brighttalk.com/webcast/288/64057. 

On 22 January Peter wrote an article for Tech Week Europe entitled, “It’s Time to Test Active Defence in Court,” found here: http://www.techweekeurope.co.uk/comment/2013-time-to-test-active-defence-in-court-105048. 

Although he got the facts correct and most of what I said in the webinar correct, I feel the tone in which he portrays my comments needs some clarifying.  This is not me trying to pull myself out of the fire, since I have not seen any feedback on his article, but simply my clarification.  So, now that I am done with my overly wordy intro, here we go.

To his first point, I agree that cyber crime victims are within their right to retaliate, but would preface this as any good attorney would with “it depends!”  It depends on the facts and circumstances.  For instance, if the attack is a one-time attack and is over, then you DO NOT have a right to retaliate. 

This is similar to when someone robs your house.  If they are gone you have no right to pursue the burglar on your own.  On the other hand, if you have been attacked repeatedly and are sure it continues or will happen again, you have a right to defend yourself.

Okay, next comment, “Itching to test this in court.”  Well, personally yes, but I did not say this, and other than my passion for trial work and arguing in court, no one likes to find themselves dragged into court.  But, if the situation dictates that you must do something to protect your company, you have tried all other options and are interested in moving to the next level, then you have options.

Next: “. . . instead of putting in a “huge hodgepodge of security measures” to stop any threat.”  Security is a MUST.  Anti-virus, despite what Josh Corman says, is a MUST.  Anything that can help protect your network and valuable information is a MUST.  If you are going to move into Active Defense you MUST show that you have taken the high ground, done all you can, within reason, and taken an incremental approach slowly escalating as you collect the needed intel.

Next: “Persistent attacks may be bleeding hundreds of thousands of dollars from companies, and in that situation, they should be within their rights to respond, says Willson.”  Yes, they should.  If your company is losing 50 to 100 thousand dollars a week and you have done everything else you believe possible, including having called or considered calling law enforcement, to no avail, self-defense should be an option.

In the interest of time I will make this my last point.  Peter claims that I said those whose networks have been hacked and are being used to attack others are not necessarily innocent victims.  I agree, although this sounds rather ugly. 

Let’s use a physical world example.  Let’s say a bad guy has drugged and brainwashed your neighbor to believe he is a contract killer and his mission is to kill you.  Even if you know this is fact and your neighbor is an innocent unknowing pawn, if he tries to kill you wouldn’t you defend yourself?  You would likely try to defuse the situation with the least amount of harm to your neighbor, but in the end, if it is him or you, unless you have a death wish it will be him. 

Active Defense entails escalation, taking the minimal approach at first and slowly escalating with the leadership of the company, not the IT department, making informed decisions based upon risk, liability and legal issues.  The nuclear weapon of cyber is your last resort if that is what the leadership decides to do.

So, there you have it.  Obviously there are many more issues none of them black and white, and this is a very difficult problem.  If it wasn’t there wouldn’t be so much debate about it. 

One last point.  Lately I have been reading a lot of articles, especially by attorneys, saying things like, “it’s illegal, don’t do it, but, we are the experts and we can help you.”  Help you do what?  If they are not willing to explore the options then there is nothing for them to do.  Also many articles lately have claimed that “attribution” is impossible.  Stop it.  If it were impossible no one would ever be arrested and prosecuted for hacking.  It is difficult, but not impossible.  So, keep an open mind, think outside the box, and have a nice day ;- ).

It’s the Googles! North Korea Edition

Sophie Google’s new blog post, ahem, whoops I mean to say Sophie Schmidt’s new blog post on her trip to North Korea is a fantastic study in culture clash. What a great opportunity she had to travel into a country few Americans get to see.

“In the land of the blind, close one eye” — my Mother

As an aside, I don’t understand why it’s ok for everyone to refer to Sophie as Eric Schmidt’s daughter. Must we put her in that shadow?

In comparison, have you noticed that NO ONE ever mentions that Audax Health’s CEO (Grant Verstandig), a 23 yr old given $21 million to socialize healthcare, is the well-heeled son of Republican politician Lee Verstandig?

Served in the Administration of President Ronald Reagan as Assistant Secretary for Government Affairs at the Dept. of Transportation; Acting Administrator of the Environment Protection Agency; Assistant to the President for Intergovernmental Affairs; Under Secretary at the Dept. of Housing and Urban Development; and Chief of Staff to the First Lady.

That Verstandig power and money connection seems more than just a little bit relevant, yet NO ONE ever mentions it. However, EVERYONE qualifies poor Sophie as the daughter of Eric.

The only Verstandig reference I have seen is this: “the son of two government employees“.

Why the vague “son of two gov’t employees” statement? I don’t unverstandig.

Does the family have some reason to hide or downplay the rather obvious father-son link related to US national policy? You probably know where I’m going with this…

[Image] Kim Jong-un, the “son of a government employee”

But back to the Googles…Sophie’s perspective is totally fascinating to me. She starts off boldly telling us she is sorry that we may have problems and that she’s not doing anything about it:

…blame Google Sites (and this two-column structure idea of mine) for limited functionality…Apologies to folks with f’d up layouts

I could just end my blog post right here. You probably know where I’m going with this…

[Image] Kim Jong-un says “…blame my father…Apologies to folks with f’d up experiences”

That’s the short version. But I can’t just leave it there.

When Sophie apologizes for Google I feel better about the “limited functionality” delivered to me. In fact, I feel downright lucky to have anything at all, so I guess I will just put up with whatever I can get from them. Hey, after all it’s cloud, right? You don’t get to be picky…

And here really begins our journey together with her into North Korea.

While top information security professionals in the US rant about how unsafe it is to take anything into China, Sophie says she was advised to not only take her technology to China but to leave it there to keep it safe:

We left our phones and laptops behind in China, since we were warned they’d be confiscated in NK, and probably infected with lord knows what malware.

North Korea gets bashed for being so far behind, back in the dark ages, yet Google is worrying about “lord knows what malware” being placed on the most advanced mobile devices? Nah, no way. More like the US would WANT the North Koreans to put some malware on a device so we can bring it home and study it.

There is little you can really do with a mobile device in North Korea, right? No connectivity means it probably wouldn’t get pulled out of its bag. Hopefully it doesn’t have anything sensitive on it anyway. Other than writing a blog post about how much you hate it there…what would you use it for? So it’s not really a risk of infection that leads one to leave behind mobile devices in this scenario. Confiscation and/or loss of IP are the true risk. Don’t bring anything you do not want to be forced to leave behind in North Korea or expose to them.

On the flip side do not leave behind in China anything you do not want read by various spies from the Americas, Europe, Middle East, and Asia who float around. After all, China does not exactly protect you from being spied on by agents of foreign countries when you are in China.

I find few people realize the ironic reality-twist that US citizens in foreign countries are spied on by US agents because protection from surveillance is reduced compared to back home; it’s something to seriously consider when you’re a US citizen out for a non-sanctioned and very public jaunt into North Korea.

Those devices you left in China? Potentially bugged by agents of the US, for your own good of course.

Back to the story, Sophie gives us a quick summary of how things felt…well, inauthentic:

Our trip was a mixture of highly staged encounters, tightly-orchestrated viewings and what seemed like genuine human moments.

This, in a nutshell, is the ultimate insult by American standards. To be real, to be authentic, is to achieve maximum value in our culture; an inauthentic experience is the opposite of what many of us want. That’s why it’s so easy to bash the hipster. How can you trust someone walking today in downtown Mountain View who dresses like an 1890s steam train engineer?

[Image] New hires at orientation, Google 2013

When I read Sophie’s summary of her trip I see a giant warning shot fired across our bow:

Prepare for fake. Prepare to be disappointed. North Korea trips are full of stuff that is not real. The horror.

It was only due to the instruction/vision/guidance of Our Marshall/the Respected Leader/ Awesome-O wunderkid Kim Jong Un that we were able to successfully __________ (insert achievement here: launch a ballistic rocket, build complicated computer software, negotiate around US sanctions, etc.). Reminded me of the “We’re Not Worthy” bit from Wayne’s World. Just another example of the reality distortion field we routinely encountered in North Korea, just frequently enough to remind us how irrational the whole system really is.

In other words, you have to suspend disbelief if you are going to follow the story you are supposed to be watching. You want rational? Come to America.

After all we have the Kardashian phenomenon, Disneyland, and the fact that the US leads the world in total cosmetic procedures performed. Yeah! Take that you North Korean distortion fielders.

Although we Americans are quick to look at others from the outside and criticise their foolish lack of authenticity, we also love to show off with our fake and highly staged encounters, tightly-orchestrated viewings…

[Image] American reality show. Nothing unusual here. Nothing staged or tightly-orchestrated. Not at all.

The difference in who can be most inauthentic and get away with it, of course, is relative to power.

Kim Jong-un, like Lance Armstrong, makes use of extraordinary power and direct influence to keep an inauthentic story running even after people stop believing and want to talk openly and express their doubts or challenge his story.

Power to shut down naysayers and disbelievers is a very real problem in political science, which I don’t want to minimize here. My point is that if you realize America also has a lot of problems from inauthenticity relative to power, you are one step closer to finding the authenticity even in places that try hard to keep you from seeing it. It’s a problem very, very familiar to auditors, let alone anthropologists.

Anthropologists!

Perhaps I’m being too indirect and this could go on forever, given the material Sophie provides, so let me cut to the chase.

Sophie displays a very strong cultural bias in her perspective but no awareness or caution of that bias.

Why do we need an alarm clock to wake up? Why do we need soft beds and rugs? Why do we need to heat every room of every building? What is wrong with empty spaces? Why do we need traffic lights? Seriously, traffic lights are stupid abominations of sailing codes (starboard and port, green and red) never meant for roads, and they give engines a wasteful and unfair advantage over other forms of transportation. We need a better system. Now tell me again how strange it is to see streets without signals for sailboats.

Here’s an example of how things were said in Sophie’s perspective:

My father’s reaction to staying in a bugged luxury socialist guesthouse was to simply leave his door open.

And here is how they might be said if she had looked at it from a more North Korean view:

No need to lock your door. Simply leave it open. There’s no crime risk.

Incidentally (pun not intended) if you’ve ever been to the Google campus headquarters you may know that they spent many years and a lot of money to cover the outside and inside with surveillance, and yet they STILL do not leave their doors open. Eric apparently feels safer in North Korea than within his own castle. (Full disclosure: I’ve been inside the Google SOC several times and it’s very impressive. North Korea probably would be jealous.)

If we play her blog post from an outsiders view, in other words, it could be read like this:

America is great because it is crowded, polluted, wasteful, unhealthy, unsafe and people look stressed/busy all the time.

Doesn’t it sound strange when you use an inverse of her criticism of North Korea to describe America? With this different perspective in mind take another look at what she presents us with:

North Korea is empty, clean, efficient and people are fit, safe and have idle time.

Perhaps somewhere in between is a truly authentic experience and a hint as to why closing one eye in the land of the blind is sound advice.

This Day in History: 1781 Battle of Cowpens

The Battle of Cowpens on this day in 1781 is recorded as a turning point in the American Revolution.

Americans were planning cautiously, dispersing into smaller units and contemplating how to minimize direct confrontations with the British. America’s Continental Brigadier General Daniel Morgan knew he was being chased by professional soldiers led by a young British Lieutenant Colonel, Banastre Tarleton. The British leader had a reputation for aggressive and brutal tactics. Morgan then realized Tarleton was nearing them as the Americans approached a river in Cowpens, South Carolina. The Continental General decided it would be wiser to take a stand against the coming British there instead of being engaged as they tried to cross.

Several important factors were in play when Tarleton headed towards the resting American forces.

The British were exhausted and out of food from non-stop marching through the night and crossing rivers in the cold of winter while the Americans waited. The British were confident in their superior numbers, methods and training, while the American General set an unusual trap that reduced Tarleton’s advantage from aggression (it was not only a trap for the British but also for the Americans; having no way out may have given volunteers and irregulars confidence to stand and fight).

It was in this context that Tarleton predictably and proudly herded his men straight into the American lines. When the Americans fired and withdrew, according to their plan, the British rushed ahead in expectation of an easy victory. However, instead the British ran into additional lines of Americans and flanking movements. These new lines had been obscured by the first line’s retreat. The withering fire from men standing ahead was coupled with the fact that the retreating men stopped, turned, regrouped, opened fire and charged the exhausted British.

The trained British attackers were decimated and broken. Survivors fell into disarray in the face of Americans orchestrating rearward movements, obscure defensive lines, a double envelopment and bold re-engagement.

It appeared to the British, when Howard’s line fell back, that victory was at hand, and so it would have been, had the line been composed of men less inured to battle than were the Continentals of Maryland and Delaware. There was no delay or hesitation when the order to halt, face the enemy, and fire, was given, and there then occurred in a moment a scene of dumbfounded surprise, confusion, and panic seldom witnessed in battle. The outcome resulted in one of the most gloriously unexpected victories of the Revolutionary War.

Unable to regain control of his men, who were disorganized and confused by the resistance and fast becoming unwilling to fight, Tarleton tried to rally. He failed and instead just managed to escape after shooting the horse out from under Colonel William Washington.

[Image] The encounter between Tarleton and Colonel Washington, by E. Benjamin Andrews in 1895, from the Florida Center for Instructional Technology

Soon after, British General Charles Cornwallis consoled Tarleton, giving the loss of nearly 80% of his men at Cowpens this assessment:

…total misbehavior of the troops could alone have deprived you of the glory which was so justly your due.

Just nine months later, in October 1781, Cornwallis’ surrender at Yorktown would effectively end the Revolutionary War.

Are you ready for the data innovation boom?

The Economist has an interesting write-up on predicting innovation. They see things heating up specifically in manufacturing and user interfaces.

Across the board, innovations fuelled by cheap processing power are taking off. Computers are beginning to understand natural language. People are controlling video games through body movement alone—a technology that may soon find application in much of the business world. Three-dimensional printing is capable of churning out an increasingly complex array of objects, and may soon move on to human tissues and other organic material.

This analysis seems to support my guesses on why Kurzweil would join Google. Removing antiquated and disabling interfaces like the keyboard will enable more people to use more technology. Comparing the productivity of humans required to learn the qwerty keyboard with the potential of those who can use free voice and touch is a no brainer (pun not intended).

As I thought about the Economist’s analysis I started to wonder about an important element that I didn’t see them mention. They focus, in the usual way, on present IT trends in relation to historic trends. They offer electrification as an example.

…the idea that technology-led growth must either continue unabated or steadily decline, rather than ebbing and flowing, is at odds with history. Chad Syverson of the University of Chicago points out that productivity growth during the age of electrification was lumpy. Growth was slow during a period of important electrical innovations in the late 19th and early 20th centuries; then it surged. The information-age trajectory looks pretty similar…

[Chart] echoing electrification

With that in mind, the Economist then takes their analysis down the well-worn path of productivity worries in relation to obsolescence and redundancy.

…the main risk to advanced economies may not be that the pace of innovation is too slow, but that institutions have become too rigid to accommodate truly revolutionary changes.

Fair enough, technology has a disruptive force when innovation replaces labor. That brings risk and resistance. I’ve experienced this many times. The voice-recognition project I worked on in 1997 for a hospital was overtly said by the administration to be a way to put their transcriptionists out of work. No surprises there.

But once we move beyond a focus on the balance of labor risk, what other risks lurk ahead? I mean it is fascinating to look at how the lightbulb put American whalers (whose oil fueled lamps) out of business. It is even more interesting, however, to think about how inexpensive light transformed our abilities. We can see further and go faster with power.

Back to consideration of today’s tech innovation boom, the part to me missing in the Economist analysis is the sunshine effect of electrification. Electrification was really about innovative ways to create and use power. It shone a light, if you will, into dark areas and remote corners of opportunity. A coming boom in tech innovation led by user interfaces and manufacturing, if we pivot the Economist theory, could in fact be a boom in innovative ways to reach, create and use data. Yet the Economist analysis doesn’t mention data at all!

Here is a simple example of what I mean by a pivot:

Industrialized countries are like the urban areas of electrification that saw power first and saw productivity boom at a large scale. Power eventually reached a wider area on smaller scale and created a boom in productivity and markets. Non-industrialized countries are thus like the rural areas that increasingly were able to create and use power.

More people in more areas making more data and using that data is what may really be the fuel for a boom ahead. The innovation is not only in the interfaces, although that’s a crucial piece of enablement, but what so many more people will produce with those interfaces. Big data is a common phrase to capture what seems to be ahead but we could just as well call it a sunshine-like effect of datafication.

Now if I ask “are your headlights on” hopefully you might think about risk in terms of billions of people shining a bright light into darkness because they now have access to powerful data. Reduction of corruption using better data tools is the kind of innovation that really should excite economists.

Of course this puts immense pressure on the security industry. Access to vast amounts of data becomes “a one-click matter,” as a GoodData developer suggested. How safe will a clicker need to be? And this new level of visibility, like brighter lights we flip on with a switch, can shift our definition of “exposure” and privacy. Recently a “near-global view of the universe of public keys” was used to easily uncover weak random number generators. Should we plan for more risk or less as we push away darkness?
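The “near-global view” of public keys mentioned above works because RSA moduli generated with too little entropy end up sharing primes, and a GCD across the whole collection exposes them. The following Python is an added example, not code from the original post or from the research it refers to: the moduli and the tiny prime pool are constructed here to force a collision, and the product/remainder tree is the standard batch-GCD method that makes the scan practical at scale.

```python
# Batch GCD over RSA moduli: a small, self-contained demonstration of how a
# global view of public keys exposes keys generated with too little entropy.
# Added example; all key material below is constructed, not real.
from math import gcd
import random


def product_tree(xs):
    """Return the levels of a product tree, leaves first, root last."""
    tree = [list(xs)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([level[i] * level[i + 1] if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)])
    return tree


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, product of all other N_j).

    A product tree followed by a remainder tree keeps the cost quasi-linear in
    the total input size, instead of the quadratic cost of pairwise gcd.
    """
    tree = product_tree(moduli)
    rems = tree.pop()              # root: the product of every modulus
    while tree:
        level = tree.pop()
        rems = [rems[i // 2] % (level[i] ** 2) for i in range(len(level))]
    # At a leaf, rem == N * (product_of_others mod N), so rem // N keeps
    # exactly the part that can share a factor with N.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def find_shared_primes(moduli):
    """Map index -> (p, q) for every modulus that shares a prime with another."""
    broken = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if 1 < g < n:              # g == n means a duplicate key, not a factor
            p, q = sorted((g, n // g))
            broken[i] = (p, q)
    return broken


# Constructed stand-in for a device with a starved RNG: primes are drawn from
# a pool so small that two keys are bound to share one.
WEAK_PRIME_POOL = [1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049]


def weak_keygen(count, seed=1):
    """Generate `count` toy moduli from the weak pool (deterministic for a seed)."""
    rng = random.Random(seed)
    moduli = []
    while len(moduli) < count:
        p, q = rng.sample(WEAK_PRIME_POOL, 2)
        moduli.append(p * q)
    return moduli


# Hand-built moduli for a fully predictable run: N0 and N1 share the prime 103.
CONSTRUCTED_MODULI = [101 * 103, 103 * 107, 109 * 113, 127 * 131]

if __name__ == "__main__":
    print(batch_gcd(CONSTRUCTED_MODULI))           # [103, 103, 1, 1]
    print(find_shared_primes(CONSTRUCTED_MODULI))  # {0: (101, 103), 1: (103, 107)}
    weak = weak_keygen(12)
    print(len(find_shared_primes(weak)), "of", len(weak), "weak keys factored")
```

The scan never needs a private key: every input is public, which is exactly why visibility alone shifts what “exposure” means. A modulus that shares both of its primes with others (or is an outright duplicate) returns a gcd equal to itself and is reported separately in a real survey; here it is simply skipped.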

Thus, to extend the Economist analysis that suggests innovation will bring better interfaces and better manufacturing tools, the real boom may come from datafication — the process of making it easier than ever to create, access and use data.