Murder Your Darlings

Despite my best efforts to stop the practice of using such a phrase, I find people sometimes still say cloud computing is all about “cows not pets”. What they mean to say is in the harsh world of cloud you shoot the vulnerable instead of caring for them.

The truth about cows is the opposite, however. Ranchers spend a ton of money on veterinarian science and care about cattle health improving because if they can fix one they can translate that to tens or hundreds of thousands of others saved.

It’s a lot of money on the line when looking at cattle health because typically there are many to one owner.

This is very unlike pets where most people have a few at most and put them down before they’d spend $500 on care.

It’s a harsh truth but proof of it is in how little is actually known about domestic cat health.

Unlike cattle health being rigorously studied in universities around the world and funded for obvious macro economic reasons, researchers rarely if ever find a pet owner willing to pay for science studies that would improve the lives of cats… owned individually by other people.

Anyway, while the cows not pets saying drags on incorrectly in tech circles, I ran across a Cambridge lecture by Arthur Quiller-Couch in January 1914 (“On the Art of Writing”) that has a particularly famous phrase in it:

If you here require a practical rule of me, I will present you with this: Whenever you feel an impulse to perpetrate a piece of exceptionally fine writing, obey it—whole-heartedly—and delete it before sending your manuscript to press. Murder your darlings.

Suddenly a thought occurred to me… instead of trying to untangle economics about cows and pets I should instead propose people adopt this Quiller-Couch phrase to explain cloud.

Comparison of WebEx Security Versus Zoom Shady Practices

Recently I pointed out in a blog post that the Zoom CEO was the VP of Engineering at Cisco who left to start a direct competitor because, according to him, he was unhappy about the speed he could operate at.

Being secure, to be frank, is about flaw management practices such as transparency and handling much more than being devoid of flaws. How one educates users about a serious bug should be in the spotlight right now and Zoom is failing catastrophically.

Reading between the lines it looks a bit like the CEO didn’t like being told to do the right thing (follow safety processes) by Cisco management, and he allegedly saw it as an opportunity to exit and do a much easier thing — get rich doing what’s wrong, then apologize and hope for no accountability.

So let’s put this business management theory to a simple product security management test.

Here is a 2020 WebEx security vulnerability advisory:

I’d rate that security page and overall site as excellent and extremely useful to keeping everyone safe.

It stems from the main cisco.com/security page, where you can easily query and sort on WebEx vulnerabilities.

Let’s now compare that level of transparency and operational excellence to the Zoom outfit, run by the celebrated billionaire CEO.

First, the zoom.com/security page is a lot of marketing material fluff. We know already that these marketing materials are deceptive (e.g. end-to-end encryption is claimed, yet in reality it’s client server using a shared key that’s half the strength claimed and distributed in China…but I digress).

You have to scroll all the way to the bottom (it’s long) to find anything about security practices, like patches and advisories. Even then, security practices appear at first glance to be severely lacking, hosted at this oddly complicated US support URL.

https://support.zoom.us/hc/en-us/sections/201728933-Security

Second, I will test this support page using Patrick Wardle’s announcement (“The ‘S’ in Zoom, Stands for Security: uncovering [local] security flaws in Zoom’s latest macOS client“) from March 30, 2020.

Patrick kindly has updated his own announcement page in April that “Zoom has patched both bugs in Version 4.6.9 (19273.0402)”. Was the Zoom response well done? No.

Look very closely and very carefully at the Zoom security practices page:

A huge security news story, details about the vulnerability, announcement of the patch… none of it, nothing at all can be found anywhere in this support page or the top-level security page.

How would you know to update for a security flaw or even who it affects and how bad it is when it doesn’t appear anywhere except an obscure security researcher’s personal blog page?

I’d rate that as awful, and way below industry practices (again, look above at WebEx). This company supposedly obsessed with technology being “easy and fast to use” has a terribly convoluted hidden security site with CVE tossed in like a mixed bag among some random thoughts by their support team that hasn’t been updated in half a year.

It’s April 2020 and given the news so far this year there should be far more CVE on this page (even if only placeholders, we’ve seen one for Windows and one for OSX).

That’s just to begin with, as this really should elevate to a zoom.com/security URL and be easily sorted and searched as well as linked to product release/fix notes. I would imagine a truly sorry CEO would put up a giant box on the top level security page that says the industry standard WARNING: SECURITY FLAW.

Do it now Zoom, if you really are interested in moving fast.

Third, pop over to the release notes for the version Patrick mentions, which aren’t even linked from this page, you won’t find the word security mentioned anywhere.

This is unbelievable levels of bad management practice. Both the security page and the release page are far below acceptable. The practices are truly below baseline and should fail regulations and audits.

Please, anyone, someone explain to me why these release notes don’t use the word security anywhere, let alone don’t have a CVE with details and aren’t connected to the security advisory page.

There’s really not a need at this point for me to get into interesting and messy details of CVE, CWE, CVSS, etc when it’s obvious just how far below a safe baseline Zoom is operating.

I’ve shown enough already how Zoom practices may be a danger to society.

My take on this is the CEO has not enabled his security team (buried in US support), is not listening to his security critics (2020 vulnerabilities not listed), and does not yet take security seriously (sends out apologies to get sympathy without making necessary changes).

I may be forced to look further.

It’s like watching a dumpster burning and hard for me to take my eyes off at this point. Ok, ok let’s go just a little bit onward.

Fourth, I drop down into Security: CVE-2019-13450 shows Zoom has a severity score of 3.1 out of 10 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N):

HOLD ON TO YOUR HATS everyone because… wait for it… NIST shows this vulnerability officially filed as 6.5 out of 10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N), more than double what Zoom wrote on their security support pages!

Here are the calculations side-by-side, which shows how Zoom ended up publishing a false score in their useless security page (Attack Complexity High, Confidentiality Low) while everyone in the world will pull an official higher risk number from NIST’s database:

Zoom: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
NIST: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Look, I’ve spent a lot, and I mean a lot, of time inside the sausage factories called software development working on CVSS scores like these. There can be endless debates and fights and it isn’t always easy. I get that, trust me. I even established one of the first 70 CVE Numbering Authority (CNA) in the world for a major software vendor to pump out vulnerabilities that had been obscured.

But I will tell you right now that Zoom claiming complexity is high and confidentiality is low is completely and utterly wrong. It’s deceptive and it’s harmful. Here is the excellent NIST text explaining a CVSS score of 6.5:

…attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled…

That is a text book case of high confidentiality loss. Does it really get any higher than to be spied on from your camera? And it has a reliable service (text book case of low complexity) that remains vulnerable even after a user tries to remove it? Come on Zoom people.

From there I drop into another CVE they have listed and another, and see problems everywhere…

Their last update on vulnerabilities is from six months ago called “Security: 2019-11 Zoom Connector for Cisco, Poly, and Lifesize” which has a CVSS of 8.1 and no CVE number assigned. I get that they might not be a CNA, or have trouble getting a CVE, but it doesn’t say anything at all.

In the meantime, with no CVE and no advisories page and no links from the main security pages, who exactly is expected to know they need to patch a CVSS 8.1 from October 2019?

There are a million more examples I could give but honestly it’s just so bad I think people need to understand that a major product security and safety overhaul is overdue at Zoom.

I’m not saying anyone should use WebEx, but at least take a look at what they’re doing right to understand just how far off the mark Zoom is. I do not see anything approaching a safe product with proper management practices at Zoom.

And I don’t know if any of this yet means the CEO has to go, or that the AG and FTC should be breathing fire.

However, I can tell you as a long-time product security leader that so far everything I’m looking at from my perspective shows very broken software lifecycle; it’s substantial evidence of misleading and deceptive practices, which clearly harm customers.

Only YOU can prevent video conferencing fires.

COVID19 Security Slogans

Years ago I won the TSA competition for security slogans.

I’m not proud, especially because I didn’t enter it and nobody told me my slogan had won until an external investigator pointed out that someone borrowed it from my 2006 blog post and claimed the prize for themselves.

Anyway I’ve written a little here about the strange dearth of security slogans, a missed opportunity, during COVID-19.

Now I’m really getting curious why US officials are trying to encourage things like mask wearing, yet nobody has come up with basic jingles to promote it.

A quick search has only turned up a 1918 example from San Francisco.

Obey the laws, and wear the gauze. Protect your jaws from septic paws.

Seems applicable today. If I don’t find posters of this soon I may just start making them myself. With luck, someone at TSA will notice and then submit to their next competition as their own.

Speaking of being owned, while reading the news about security flaws in popular video conferencing my mind wandered onto the rhyme… gloom and doom for a chat room vacuum. How soon could it ruin the zoom boom?

Not quite “loose lips sink ships” but maybe if I work at it a little I could get closer with chat room vacuum ruins zoom boom. The problem is it’s too specific to one company, but hopefully you get my drift.

Speaking of drift, the US Naval History Blog in 2019 posted a very graphic warning about pandemic risks, and it starts by quoting a 1918 children’s rhyme:

I had a little bird,
And its name was Enza.
I opened the window
And in-flu-enza.

Ok, I couldn’t resist. Here’s a simple security education poster from WWII, which I’ve updated simply to reflect COVID-19:

It’s become infuriating to me every time I hear someone say they’ve seen 0 deaths so far, or who ask why worry if they don’t know someone personally affected. Education campaigns are sorely missing here.

Security professionals ought to be good at predicting likelihood and severity of harms. Prediction is what the industry is supposed to be doing in order to put controls in before it’s too late (as well as clean up afterwards, but let’s not go there). So let’s have some slogans going and get word out maybe?

A simple viz shows why the 0-deaths-so-far-crowd need quickly to get a clue, but it doesn’t make for a pithy phrase or poster.

Let me know if you can think of any good way to condense that graphic into a rhyme…

Safer Alternatives to Zoom

Zoom has become known for being in a hurry to grow revenues, not for being safe or honest about its safety features. Have their customers been treated like dummies?

It’s pretty clear from a series of rapid and unfortunate missteps by Zoom that there’s something fundamentally wrong with the company.

We already knew the origin story didn’t sound great.

A VP of Engineering at WebEx, after being acquired by Cisco, didn’t like working for the parent company and left to start a direct competitor to move faster. The new company also was funded by an one of the WebEx founders using money from the Cisco acquisition.

…he knew how to write computer code, and he landed an engineering job with the videoconferencing software company WebEx. WebEx sold to Cisco for $3.2 billion a decade later (the platform is now known as Cisco Webex). Yuan became the tech giant’s vice president of engineering, earning compensation in the “very high six-figures.” But he was unhappy. […] In Yuan’s opinion, the product didn’t evolve quickly enough, making it a chore for customers to use. (In fact, Yuan told CNBC earlier this year that Cisco was still using the same buggy code he wrote for WebEx roughly two decades ago.)

The article goes on to say that claim by Yuan about WebEx is false, a lie.

…senior vice president and general manager of Cisco’s team collaboration group, says the company has “redesigned Webex from the ground up” since Yuan’s tenure…

It’s very weird for Zoom’s CEO to suggest WebEx is bad code because he wrote it. Does that make you want to use his new product when he’s shaming his old product? I mean it really opens the door to people (like me) pointing out this guy is willfully allowing bad code into production because that’s “his way” of doing things.

Is it time yet to use one of the safer alternatives to Zoom?

Clearly something seems off kilter in Zoom executive management ethics related to product safety. Security appears to have been treated as a non-feature and afterthought. Just look at these recent examples:

  • Zoom security flaw exposes email addresses, full names and profile photos, as well as allowing non-invited attendees to initiate a chat
  • Zoom security flaws in OSX allow (local) installer priv-esc vulnerability to root, (local) injection flaw allowing access to mic & camera
  • Zoom security flaws of weak encryption and suspicious key traffic to China
  • Zoom security flaw of disclosing Windows user passwords and local file execution
  • Zoom security flaw in meeting identification facilitated unauthorized access
  • Zoom security flaw allows any website to enable your camera without your permission
  • Zoom security flaw allowed unauthorized command execution on Windows, Mac and Linux
  • Zoom security architecture allows interception of traffic, opposite of marketing materials claiming end-to-end encryption
  • Zoom weak security default left private recordings exposed to the public
  • Zoom secretly was recording user information without authorization
  • Zoom secretly was recording device information without authorization and forwarding to Facebook

I’ll stop to point out, perhaps for those who haven’t worked in product security, that this kind of “scientists crapping all over Zoom” list (also known as audit findings) is exactly the kind of pressure that helps an internal team fight more effectively for safety fixes earlier in the development lifecycle.

For example, the cryptography analysis found this:

Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video.

That’s just straight up deceptive practices and delivering a known unsafe product to market. The centralized management of a single key by Zoom, and decryption capability of meeting traffic by Zoom, violates both the spirit and letter of end-to-end encryption.

And if I understand the Zoom architecture correctly, any time someone uses a mobile device to dial into a video chat (which is basically all the time) Zoom is decrypting the meeting on their servers. The very thing that Zoom’s CEO said he started a new company to solve, by moving faster than he was allowed to at WebEx, is this mobile device compatibility architecture decision that undermines privacy while deceptively marketing it as safe.

And on top of weak key management, that key is routed through China even when nobody in a meeting is in China.

With this kind of obviously bad decision-making, deceiving customers about encryption (calling it end-to-end when it is not), it brings front and center the fact that Zoom has issued no transparency report (PDF) about who is in fact getting access to the data.

A lack of transparency or access to internal data, coupled with a lack of external pressure to force it, allowed Zoom to run far afoul of basic security principles.

New transparency from researchers is bringing external pressure that should have been applied internally all along. One can hope late is better than never, yet experience suggests all these flaws are mere symptoms.

Zoom has said they will now stop feature development to focus on privacy, which is just another symptom. Remember the CEO comment about WebEx running his buggy code? He went into this knowing right from wrong and developed code the wrong way anyway. Privacy is a feature just like usability, so to see it called something that stops feature development… is part of a wider leadership ethics problem.

It goes back to that questionable origin story. A company was founded on impatience and greed (masked as usability from highly responsive user-focused engineering), which typically doesn’t mix well with safety values.

Making “Zoom bombing” a crime may help dissuade some abusers taking advantage of the safety weaknesses inherent to Zoom. However, that doesn’t fix the problem of Zoom itself being an untrusted company.

Right now shifting to a different product may be the easiest and most secure measure relative to Zoom’s problems. Consider the many options that may be in a better position right now, including of course WebEx:

  • WebEx
  • Jitsi
  • BigBlueButton
  • GoToMeeting
  • Avaya Spaces
  • Microsoft Teams
  • Apple Facetime
  • Google Meet
  • Skype
  • UberConference
  • Wire
  • Wickr Pro
  • Join.me
  • Discord

Also a quick caveat about Zoom’s buggy code because it found its way into the hands of a lot of people. Here are some of the major brands who run it under the covers and also tend to be vulnerable to security exploits:

RingCentral, Telus Meetings, BT Cloud Phone Meetings, Office Suite HD Meeting, AT&T Video Meetings, BizConf, Huihui, UMeeting, Zhumu, Zoom CN, EarthLink Meeting Room, Video Conferencia Telmex, & Accession Meeting

One of the most interesting options is Jitsi because it is open source (like BigBlueButton) and allows you to run your own server for meetings. While end-to-end encryption is difficult to implement given the nature of video conferencing protocols and features, moving to a hosted server means you can have more confidence that any necessary decryption is done within a trusted zone.


Update April 6: a serious security issue was just reported in Jitsi: https://github.com/jitsi/jitsi-meet/issues/5720

TL;DR – meeting password protection can be bypassed by simply showing up in a meeting room before the host arrives

A benefit of open source over proprietary projects is how security flaws like this can be so easily raised and monitored. That being said, this is a pretty awful bug. No software is devoid of flaws so it really comes down to how this entered the product (e.g. how symptomatic is it of wider issues), how the response goes and how it is communicated.

I give more details on the Zoom handling of flaws by comparing them to WebEx in a new post.

Red and Green Ballots: How the CIA Poisoned Vietnam’s 1955 Presidential Elections

Today is National Vietnam War Veteran’s Day, set on March 29th because in 1973 it was the last day American combat troops were in the Republic of Vietnam. The White House in 2012 gave a Presidential Proclamation to create a national day for Vietnam War veterans.

NOW, THEREFORE, I, BARACK OBAMA, President of the United States of America, by virtue of the authority vested in me by the Constitution and the laws of the United States, do hereby proclaim March 29, 2012, as Vietnam Veterans Day.

Congress then wrote a “Vietnam War Veterans Day Act” for March 29 recognition, which in 2017 was signed into law.

The bipartisan bill was sponsored by Sen. Pat Toomey, R-Pa., and Sen. Joe Donnelly, D-Ind. The bill passed the Senate last month and the House last week.

In an odd twist the a man who signed it was gifted five deferments from service in the Vietnam War; four were academic and one was lying about his fitness.

“They were spurs,” he said. “You know, it was difficult from the long-term walking standpoint.”

He played football, tennis, squash and golf through his deferments; he even later boasted about his health as “perfection” and “bone spurs” being not an issue, yet somehow he pulled the 1-Y “disability” deferment (qualified for service only in time of war or national emergency) a year before the lottery draft system began.

The 1-Y status kept him out of the draft until 1971 when that classification was abolished generally. He was then given a 4-F “disability” (unable to meet physical, mental or moral standards) and no longer eligible; soon after his business was sued by the Nixon administration for widespread racist practices (violating the Fair Housing Act).

This is the same guy who in 2018 at the Aisne-Marine American cemetery cancelled with no warning because allegedly he didn’t want to be in the rain, instead of paying respects to the 1,000 Marines killed in the important Battle of Belleau Wood.

They died with their face to the foe and that pathetic inadequate [long-term walking spur] couldn’t even defy the weather to pay his respects to the Fallen.

Anyway, today got me thinking about presidential election tampering, and in particular reminded me of the corrupted 1955 national referendum in Vietnam that arguably is what set America on a path to war.

A man named Ngo Dinh Diem essentially was chosen by Americans in 1954 to lead the country, and his access to American aid helped position him as Prime Minister under the ruling “French Puppet” Bao Dai, who he then deposed.

Diem was no champion of representative democracy. His political philosophy was a not entirely intelligible blend of personalism (a quasi-spiritual French school of thought), Confucianism, and authoritarianism. He aspired to be a benevolent autocrat…Diem’s idea was to create a cult of himself and the nation. “A sacred respect is due to the person of the sovereign,” he claimed. “He is the mediator between the people and heaven.” […]

To secure his winnings, Diem called for a referendum to determine whether he or Bao Dai, the former Emperor, should be head of state. Diem won, supposedly with 98.2 per cent of the vote. He carried Saigon with 605,025 votes out of 450,000 registered voters. [CIA’s Major General Edward] Lansdale’s main contribution to the campaign was to suggest that the ballots for Diem be printed in red (considered a lucky color) and the ballots for Bao Dai in green (a color associated with cuckolds)… this simplified Nhu’s instructions to his poll watchers: he told them to throw out all the green ballots.

Throw out all the green ballots.

On top of that, Diem used legal threats to prevent Bao Dai from running any campaign material, while his own campaign mostly ran personal attacks and smears including false claims like Bao Dai had a “preference for gambling, women, wine, milk, and butter“.

Just to re-iterate, their 1955 anti-communist campaign platform was that red meant go, green meant stop and… a preference for milk and butter is immoral just like gambling, booze and sex.

If all that isn’t crazy-sounding enough, apparently 150,000 more votes were cast in the capital city of Saigon than the actual number of people listed on the electoral roll.

Diem declared himself President with much public fanfare as a result of an obviously fraudulent “election”, labelled anyone else claiming rights or power to be a dangerous threat to stability, and slid South Vietnam into a cruel and undeniable totalitarian state.

Thousands of Vietnamese suspected of disloyalty were arrested, tortured, and executed by beheading or disembowelment. Political opponents were imprisoned. For nine years, the Ngo family was the wobbling pivot on which we rested our hopes for a non-Communist South Vietnam.

This election was a crucial turning point as President Eisenhower the following year ordered the first American military advisers into South Vietnam to train Diem’s conventional Army, used in harsh repression of the country, while the French prepared to exit completely by 1956.

Getty Images 4/24/1955-Saigon, South Vietnam: “Troops of American backed Premier Ngo Diem and the rebel Binh Xuyen sect fought a breif street battle with machine guns. A nationalist soldier stands guard over a suspect after the fighting had died down. At least three persons were killed and eight wounded in the short clash. The fighting took place on the opposite side of the European residential district from the boulevard Gallien, meanwhile the general anarchy increased as gangs of thugs roamed the streets of Saigon kidnapping civilians and extorting ransoms.”

Repression by the new government fomented and grew resistance within South Vietnam and eventually a small faction on July 8, 1959 opened fire in an Army mess hall. The first American casualties in South Vietnam were two advisers (Maj. Dale Ruis and Master Sgt. Chester Ovnand) killed while watching a movie at Bien Hoa.

In 1960 JFK narrowly defeated Nixon (Eisenhower’s Vice President) at the polls, and all candidates said they would deliver anti-communism by supporting South Vietnam’s regime.

While Eisenhower of course had been an early proponent of information warfare, given his success in WWII’s North Africa campaigns. JFK’s strategy expanded involvement with Diem further into novel direct military counter-insurgency training, including American boots on the ground working in rural communities.

You can imagine why for Diem that represented a major difference between support from Eisenhower and JFK. The latter was literally enabling South Vietnamese people, especially minority groups, to defend themselves from an oppressor, not simply backing top-down regime tactics.

Thus, despite overall expanding commitments and years of increased aid from America, not to mention escaping multiple prior coup attempts, on 1 November 1963 Diem’s brutally repressive autocratic regime was abruptly deposed by South Vietnam’s own military and he was assassinated.

It was Diem personally losing the support of America, within JFK’s administration but not necessarily including LBJ, that often frames how the South Vietnam regime ended and when and why America threw itself deep into a Vietnam War.

The ultimate effect of United States participation in the overthrow of Ngo Dinh Diem was to commit Washington to Saigon even more deeply. Having had a hand in the coup America had more responsibility for the South Vietnamese governments that followed Diem. That these military juntas were ineffectual in prosecuting the Vietnam war then required successively greater levels of involvement from the American side. The weakness of the Saigon government thus became a factor in U.S. escalations of the Vietnam war, leading to the major ground war that the administration of Lyndon B. Johnson opened in 1965.

It had to be Vice President LBJ who opened the major war, as by that point he had become President. 21 days after Diem’s assassination, JFK himself was assassinated.

The dramatic power shift in both countries escalated American involvement in South Vietnam and brought ever more direct military intervention that eventually accounted for 58,220 U.S. military fatal casualties, over 150,000 wounded… before the March 29, 1973 final day of withdrawal.

As a footnote, the Vietnam War very nearly ended five years earlier in 1968. Nixon at that time cruelly campaigned on ending the war, while he also scuttled American peace talks to intentionally increase casualties.

Unclassified tapes have since proven his secret strategy was more Americans should die because it would help him get elected President.

Once in office he escalated the war into Laos and Cambodia, with the loss of an additional 22,000 American lives, before finally settling for a peace agreement in 1973 that was within grasp in 1968.

Election interference is definitely not new territory for the US, whether it be abroad or at home or some combination of the two. This National Vietnam War Veteran’s Day is perhaps a good time to reflect on what that means in the past as well as future.


Update March 30th: The man in the White House today openly stated that he believes suppression of votes gives him power and will continue to do so:

…admitted on Monday that making it easier to vote in America would hurt the Republican party. …made the comments as he dismissed a Democratic-led push for reforms such as vote-by-mail, same-day registration and early voting as states seek to safely run elections amid the Covid-19 pandemic. …Republicans have long understood voting barriers to be a necessary part of their political self-preservation.

Kipling on COVID-19 in America: “You Can Not Hustle the East”

The Works of Kipling
All the talk I hear in America lately about the necessity of naming a virus for Asian origins — to play racist blame games instead of saying COVID-19 or even 2020 pandemic (both obviously superior choices) — has started to remind me of the 1960s CIA “training” for Vietnam with Kipling’s book “Kim” and how they got it and another of his works completely wrong:

Americans back home became impatient for results in Vietnam, proponents of the war were always quoting—or, rather, misquoting—a little-known poem of Kipling’s (just four lines, written as a chapter heading for “The Naulahka”), saying that “you cannot hurry the East.” The phrase, Benfey writes, “wormed its way into the very highest levels of decision-making.” But what the poem actually says is that you cannot “hustle” the East, and even then, Benfey demonstrates, the word had connotations of cheating and deception. You come away from his book thinking that it might be a good idea to stop your ears whenever someone in authority starts invoking Kipling, unless it’s to quote from his “Epitaphs of the War”

If any question why we died,
Tell them, because our fathers lied.

The doctor who was principle architect of aggressive and successful South Korean response to COVID-19 put it like this, when reviewing the current US and UK approach to a pandemic:

…refusal to implement mass testing for the coronavirus in the United States will have “global repercussions” […] “The United States is very late to this,” he said. “And the president and the officials working on it seem to think they aren’t late. This has both national and global repercussions […] We in Korea were thinking, ‘Are these people in their right mind?'”

See also the new Center for Strategic and International Studies (CSIS) timeline of South Korea’s response.

White House Proposes America Try To “Sundown Town” COVID-19

Modern “Sundown Town” sign by a county’s “elected sheriff…in the position for 23 years who personally paid for the $553 sign, which includes an image of the county’s official seal.” Source: RawStory

I see reporters trying to find a normal angle when they write about a very abnormal announcement today on American risk management during a pandemic:

…a new plan to reopen swaths of the country shuttered by the coronavirus pandemic via a targeted, county-by-county mitigation effort…administration would categorize counties as “high risk, medium risk and low risk.” This would allow areas less impacted by the virus to put in place looser restrictions than ones that have been ravaged by the illness. It’s uncertain how effective such labels may be in containing the virus, however, given that asymptomatic carriers may move from region to region undetected…

Uncertain? It’s pretty clear just like using racist taunts to distract from a global pandemic this is not about containing the virus, it’s about restructuring power in America.

Looser restrictions in a county would encourage movement into it by the most contagious people (the asymptomatic). ScienceNews warns, for example. “Coronavirus is most contagious before and during the first week of symptoms“. Low risk counties would allow movement of the most high risk, which sounds plain stupid and dangerous.

So it begs an all too important question of how counties surrounded by high risk could even be expected to enforce tests of the asymptomatic at borders; how would they stay low risk while encouraging those most at risk to move about more? But wait one minute, what if that’s the wrong question entirely and there’s no intent to stop the spread of the virus?

Who gains new enforcement powers, and why, is the real key to this story.

The idea of county authority being used to stop the spread of a virus, thus bypassing the legal authority of states in favor of its counties, makes no sense until you move into a completely different frame of reference.

The White House giving a nod directly to county law enforcement for the special position to trap and keep people away who pose a “threat” to their jurisdiction…has a particular significance in politics and in American history.

America’s Black Holocaust explains how someone accustomed to exclusionary thinking might settle on counties being the preferred unit to handle boundary enforcement powers in America.

Beginning in about 1890 and continuing until 1968, white Americans established thousands of towns across the United States for whites only. Many towns drove out their black populations, then posted sundown signs. Others passed laws barring African Americans after dark or prohibiting them from owning or renting property. Still others just harassed and even killed those who violated the custom. Some sundown towns also kept out Jews, Chinese, Mexicans, Native Americans, or other groups. Sundown towns range in size from tiny villages to cities. There are also many “sundown suburbs” and neighborhoods -– and even entire counties.

Even entire counties.

How have counties handled enforcement of borders, especially when it comes to keeping non-whites out? The answer is a colonial-era concept of the Sheriff, an elected and very political position without accountability.

Don’t believe anyone who suggests Sheriffs are automatically somehow representative of their county population’s best interests, given they may be elected without any real qualifications at all. Also, when we look across America, the data says 80% are white and only 41 out of 3,000 are women.

Here’s an example of a Sheriff’s bizarre response to the pandemic:

…the government had forced the unnamed [infectious COVID-19] man to stay in his home. But this week, Nelson County Sheriff Ramon Pineiroa told the Kentucky Standard that deputies will park outside of the man’s home for 24 hours a day for two weeks.

Parking multiple deputized people outside a man’s home 24 hours a day is a taxpayer-funded protest, not a quarantine. They might as well be burning a cross on his lawn to send him a message about what happens if he leaves his home.

In case you missed the other news in the past year or so, it has been that Sheriffs in America are agitating for even more unaccountable power. They sometimes have a particularly virulent strains of extreme right-wing thinking and see themselves as militants at war with other Americans.

With his red “Make America Great” hat prominently displayed in his office here in Titusville, Ivey is part of a wave of county sheriffs who feel emboldened by [the White House occupant’s] agenda, becoming vocal foot soldiers in the nation’s testy political and culture wars.

The 2018 National Sheriffs Association event also recently brought forward some gushing commentary about how the White House and American political seats of county law enforcement are in lock-step.

“[Shaking hands with the White House occupant] was a highlight of what I have been doing all these years,” [Dickson County Sheriff] Bledsoe added. “It was a privilege and honor to be a part of that and meeting other sheriffs and having some common goals…”

A Sheriff having common goals with the current White House should concern everyone in America, if history is any guide.

Of course you might say not all Sheriffs are bad in America, and you’d be right. But think of it this way instead, Sheriffs who are the most loyal to the White House agenda would get discretionary powers while Sheriffs who don’t offer enough fealty get ranked as high risk until they are voted out.

I’ve written about problems like this here before in regard to a particular 2019 Sheriff in Iowa who arrested two men as they were working on a security project, because he didn’t like being audited and didn’t respect any higher authority than himself:

Sheriff Arrested Coalfire’s Pentest Team. Was it a Case of Posse Comitatus?

I’ve also written about it here before in regard to a particular 1960 Sheriff in Arkansas who murdered an innocent black man, fabricated a story about it with fake evidence and intimidated witnesses into silence, and faced no consequences:

1960 Police Murder of Marvin Williams. How is This Not a Movie?

And I’ve even written about it here before in regard to a particular 1917 Sheriff in Arizona engaging in militant “culture war” (ethnic cleansing):

Ethnic Cleansing in America: 1917 Bisbee Deportation

A bonus reference is that last blog post includes yet another example, the 1897 Lattimer massacre:

…Polish, Slovak, Lithuanian and German miners killed by being shot in the back by a Sheriff who decided to end legal protests by murdering everyone.

Sure there are good Sheriffs, but this is really about shifting dramatic new amounts of power to the bad ones.

There’s little positive outcome I see ahead from an America First platform of the White House when it uses a cover of pandemic concerns to propose more labeling and discriminatory power go directly to counties for their Sheriffs to enforce. Let’s be clear here that America First in 1916 meant KKK, in 1936 it meant Nazis…today it still means the same things.

America First political rally participants in their traditional garb.

These are the people who thrive on social unrest coming from high unemployment and who use fear-laced xenophobia to seize excessive powers through militant actions in what they see as their “culture war” (ethnic cleansing) to preserve white supremacy.

…a neo-Nazi movement leader based in northern Europe, said that he welcomed the pandemic as a necessary step to help create the world that his group wants to see. …it’s possible that a member of the target audience will decide to take action and commit an act of violence.

To me the announcement today has every appearance of turning America backwards 150 years towards the kind of white police state organized at the county-level that extremist right-wing violent groups like “Posse Comitatus” and “Citizens for Constitutional Freedom”, let alone America First, have very long dreamed about.

Ari Ne’eman, a scholar at Brandeis University, put it best when she said:

What this is really about at the end of the day is whether our civil rights laws still apply in a pandemic. I think that’s a pretty core question as to who we are as a country.

Anyone who knows a little Sundown Town history, or has spent time inside white supremacist groups, probably heard some very familiar and distinct sounds being whistled today.

Published 2018 by The New Press
ISBN:1620974347
(ISBN13: 9781620974346)

“…although many former sundown towns are now integrated, they often face ‘second-generation sundown town issues,’ such as in Ferguson, Missouri, a former sundown town that is now majority black, but with a majority-white police force.”

And now this…

The Influenza, 1890

A poem written in 1890 by Winston Churchill

Oh how shall I its deeds recount
Or measure the untold amount
Of ills that it has done?
From China’s bright celestial land
E’en to Arabia’s thirsty sand
It journeyed with the sun.

O’er miles of bleak Siberia’s plains
Where Russian exiles toil in chains
It moved with noiseless tread;
And as it slowly glided by
There followed it across the sky
The spirits of the dead.

The Ural peaks by it were scaled
And every bar and barrier failed
To turn it from its way;
Slowly and surely on it came,
Heralded by its awful fame,
Increasing day by day.

On Moscow’s fair and famous town
Where fell the first Napoleon’s crown
It made a direful swoop;
The rich, the poor, the high, the low
Alike the various symptoms know,
Alike before it droop.

Nor adverse winds, nor floods of rain
Might stay the thrice-accursed bane;
And with unsparing hand,
Impartial, cruel and severe
It travelled on allied with fear
And smote the fatherland.

Fair Alsace and forlorn Lorraine,
The cause of bitterness and pain
In many a Gaelic breast,
Receive the vile, insatiate scourge,
And from their towns with it emerge
And never stay nor rest.

And now Europa groans aloud,
And ‘neath the heavy thunder-cloud
Hushed is both song and dance;
The germs of illness wend their way
To westward each succeeding day
And enter merry France.

Fair land of Gaul, thy patriots brave
Who fear not death and scorn the grave
Cannot this foe oppose,
Whose loathsome hand and cruel sting,
Whose poisonous breath and blighted wing
Full well thy cities know.

In Calais port the illness stays,
As did the French in former days,
To threaten Freedom’s isle;
But now no Nelson could o’erthrow
This cruel, unconquerable foe,
Nor save us from its guile.

Yet Father Neptune strove right well
To moderate this plague of Hell,
And thwart it in its course;
And though it passed the streak of brine
And penetrated this thin line,
It came with broken force.

For though it ravaged far and wide
Both village, town and countryside,
Its power to kill was o’er;
And with the favouring winds of Spring
(Blest is the time of which I sing)
It left our native shore.

God shield our Empire from the might
Of war or famine, plague or blight
And all the power of Hell,
And keep it ever in the hands
Of those who fought ‘gainst other lands,
Who fought and conquered well.

And a map of “Impact of the Russian Flu on the United States, 1889-1890” by Tom Ewing

E. Thomas Ewing, Veronica Kimmerly, and Sinclair Ewing-Nelson, “’Look Out for La Grippe’: Using Digital Humanities Tools to Interpret Information Dissemination during the Russian Flu, 1889-1890.” Medical History Vol. 60, Issue 1 (January 2016), pp. 129-131. DOI 10.1017/mdh.2015.84

Bicycles Deemed Best NYC Transit During Pandemic

Proper bike lane on NYC Chrystie Street between Canal Street and 2nd Street. Image: Gothamist, NYC DOT

Nearly a decade ago I wrote about the increase in bicycle sales after disasters.

I won’t go into why people moved away from these logical options for transportation and to the illogical gasoline automobile. Kunstler does a good job of that in The Geography of Nowhere. Instead, I want to point out here that the recent tsunami devastation in Japan is showing a sudden uptick in two-wheeled commuters.

At no point in that post or since have I thought about the use of bicycles during a pandemic. I suppose my assumption was breathing would be elevated, increasing risk of infection or spreading the virus faster somehow.

I’ve also more recently written about the ridiculous state of bicycling in NYC, according to the data, ranking them near the bottom of America.

The city has a pollution-loving history with a huge “we’re busy trying to get rich/famous, leave us alone” lobby that claims doing the right thing for “others” is economically unfeasible in their list of priorities.

Color me completely surprised, therefore, when I read that NYC in pandemic disaster mode is accelerating bike lanes and recommending people cycle.

In early March, de Blasio encouraged commuters to “bike or walk” to reduce the spread of COVID-19 if they had to travel, and New Yorkers listened: According to the city’s Department of Transportation, bike traffic over its bridges has dramatically increased this month compared to the same time last year. Citi Bike also saw demand surge 67 percent in early March.

Very few cars are on the road, streets are mostly empty. Thus the risk of being hit and killed has suddenly evaporated. On top of that the air is incredibly clean now. And if that wasn’t enough, studies show cycling boosts your immune system.

Since cyclists tend to use physical distancing measures anyway when they ride, now that I think about it, the pandemic shelter in place instructions (keep 6 feet separation) are natural and easy to abide.

With all that in mind, the Big Apple is really ramping up their bike infrastructure right now.

DOT spokesperson Brian Zumhagen says the agency is looking at “using cones or movable barriers” to create temporary bike paths with space from traffic lanes, and may designate new parking for bikes on sidewalks and in pedestrian plazas. DOT is also working with Citi Bike to add more docks in parts of Manhattan.

On March 20, de Blasio announced that the city is rolling out new, temporary bike lanes on Second Avenue in Manhattan between 34th and 42nd streets and on parts of Smith Street in Brooklyn that doesn’t already have a bike lane.

“We’ll be looking for other areas all over the city that need them,” de Blasio told reporters at a Friday press conference announcing the new lanes. “Certainly want to encourage people to use bikes as much as they can at this moment…

Amazing. In just a week, due to the shift from selfish to societal impact values, NYC has flipped from dangerously car-heavy bottom-ranked streets for cycling to a Mayor encouraging bikes as much as possible.

Add pandemics to the list of disasters that lead to increased bicycle sales.

And yes, bike stores in NYC are staying open as some make the wise claim that repair shops qualify as “essential” (given that automotive repair is listed).

“Please Inform Your Readers”: Best and Worst Visualizations of COVID-19

I’ve written several times about big data and visualization issues for the COVID-19 pandemic.

  • March 3: Visualizing Coronavirus Spread: Many Tools, Results Vary Widely
  • March 8: America Admits to Cooking its Numbers on Coronavirus
  • March 11: Why Big Data Missed Early Warning Signs of COVID-19

As a long-time researcher of big data security, the most important problem space always has been one of data integrity, no matter how many times the market tries to shift everyone’s focus onto confidentiality (encryption, encryption, encryption).

Why do we care about data integrity here, or more specifically about test results on a dashboard? A recent Guardian article explains the significance with a simple metaphor to tell us how badly the White House is mismanaging security science:

Trying to combat the disease without testing is like running through a forest blindfolded – it’s not going to end well.

I would only add to that we’re entering a situation where we don’t control the running part, a virus does. The speed of movement is more like being caught in an avalanche and there’s a quote that always runs through my mind when I’m on steep terrain in deep snow:

…sparse trees do nothing but provide things for you to hit as you’re swept away.

First, the Worst.

America’s CDC has one of the worst, if not the worst, dashboard in the world. I’m embarrassed to even post it here. Don’t look. It’s pointless. Until they figure out that Alaska is part of the US, I’ve given up even trying to rationalize how badly CDC is doing.

Instead, I offer you a visualization by Buzzfeed News of small data about the White House itself, which shows spread of the virus due to obvious failure in leadership (lack of proactive distancing and testing).

Next, an honorable mention in this worst category is the much celebrated Johns Hopkins University dashboard. A good attempt, yet perhaps a dangerous lesson in failures.

It sadly appears to be broken and untrustworthy while being heavily cited as a success. In the three links at the start of this blog I’ve warned about their issues before (e.g. with everyone predicting NYC being a hot spot yet their map failing to represent growing cases). I also just noticed there’s a site that depends heavily on the dashboard, which now carries a very disturbing warning at the top.

Johns Hopkins university, the source of almost all of the charts, maps and tables below, is currently experiencing technical issues. The visualizations that show cases in the US, in China and worldwide over time are therefore incorrect. If you’re using them in your articles, please inform your readers about the issue.

Dear reader (hi mom!) consider yourself informed… again.

To be fair it’s a little unfair to call it the John’s Hopkins University dashboard when a graduate student (Ensheng Dong) built it for (or with) Lauren Gardner, Professor of civil and systems engineering.

Also I have to give a shout out to Splunk. They tend to be known for over-priced proprietary data quicksand, yet they’ve very nicely announced removing their usual red flags by offering an app via github for COVID-19 data.

While we will continue to expand our app and add features, we understand that others have their own ideas of how to visualize this data. Feel free to clone this app and create your own version, or get in touch with us… to collaborate and submit data and visualizations that you think others may find useful in the publicly available app.

There’s just a little problem. Can you understand this chart?

It reminds me of this old National Geographic chart of “Vaccine Victories” but gone completely wrong.

Hate to be cynical in the face of a gift horse, yet that default visualization for a flagship dashboard is so illegible… no wonder they’re giving it away and asking for community to do better. It just maybe is why they’re pushing the general public to post ideas so they can then commercialize it and make money off pandemic volunteers. I know, too cynical.

By the way, does anyone really want to use “Day 62.5” in a chart?

Second, the Best.

Singapore is unquestionably the best national site. It baffles me why the US federal government couldn’t grab Kibana and put this together in a week at most.

The first cases come around January 20th and growth is contained. It’s all very easy to see, and they offer numerous ways to pivot the data by demographics and region over time. It’s so good, I just imagine a competent White House would have had a same or better one by end of January at the latest.

On a more local level, and also in the US, Washington State Hospital Association has posted a fascinating new map by Albert Froling using Tableau.

The “testings” donut on the lower right is my favorite widget, although it tells us 8% of tests are positive when we really should want to know what percentage of the total population has been tested and when. Anyway, the whole thing feels masterful after playing with so many bad examples.

Meanwhile the White House is attacking Washington state leaders using cheap name-calling and jealous taunts.

In remarks that many found confounding and frightening, [White House occupant] described the governor of Washington state as a “snake”, praised his own expertise and falsely claimed that anyone who wants a coronavirus test can get one. Pence was later forced to correct this.

It only stands to reason that the federal and Washington state visualizations of virus test results are complete opposite ends of the spectrum.

Third, the Tactical.

Washington Post has done a great job capturing and applying the classic contagion lessons of big data visualizations.

They’ve taken the vaccination simulations, everyone knows all too well in visualization templates and games to learn from, and made an extremely useful point about why social distancing action was needed immediately after the first cases were confirmed.

Perhaps even more importantly the above illustration shows why quarantines aren’t as effective as social distancing.

The same article shows Jan 21 was the first confirmed case and distancing wasn’t started, tests were not being done at scale, due to sheer incompetence of US government leadership. Hundreds of thousands of Americans are likely to die based on unnecessary delays and indecision by the White House.

Let’s be honest here, it’s March 14 and tests still are not done at scale. The White House only started to actually pay attention after financial markets reacted to the White House lack of reaction and everything crashed; by then it was far too late to turn back the clock and start effective early virus response. It’s such a tragedy to see very clearly in the visualization here how an easily predictable and well known exponential curve was ignored until too late.

The Washington Post sends a warning simply and clearly:

If the number of cases would continue to double every three days, there would be about a hundred million cases in the United States by May. That is math, not prophecy.

China is right now counting about 81,000 cases, for perspective.

Now let’s go back up and marvel again at how math is driving the Singapore dashboard, and the very clear and transparent fact that they have a flat line instead of an exponential curve.


Update March 15: I’ve been asked to list some of the other sites considered, beyond those already mentioned in the previous blog posts (e.g. NYT, Hong Kong). Here is a short-list for review. Let me know if you agree or disagree with my worst/best results.

the poetry of information security