Why U.S. Abandoned Allies in Syria

I’ve been asked repeatedly how it can be that everyone outside the White House disagrees with abandoning U.S. allies in Syria, and yet the White House is proceeding with an abrupt cut-and-run. What is in it for them?

It’s a fair question. Given that everyone across the political spectrum thinks quitting is a bad idea, including apolitical people who think most about national security, what could possibly motivate such an epically bad decision?

While tempting to link the move to personal profit and greed of the cabal in the White House, such as real-estate deals, there’s a larger international relations angle on this that fits into what we’ve seen over the last few years.

First, Putin has been said to want to destabilize Europe by tactically capitalizing on refugees:

Russia has been accused of “weaponising” the refugee crisis as a way of destabilising Europe – a claim recently reinforced by Nato’s top commander in Europe. That assertion may well be disputed. What is beyond doubt is the continuing need to know what Russia is thinking, and what goals it might pursue as it watches the EU confront multiple crises.

Second, that is an expected outcome from the U.S. diminishing its own power and abruptly abandoning its allies, encouraging Turkey to intervene and stir conflict.

Turkey’s offensive is likely not only to damage America’s diplomatic credibility and create a humanitarian crisis; it could lead to the escape of thousands of ISIS prisoners currently being held by Kurdish forces. In one of his more galling statements in a week that was full of them, Trump said this wouldn’t be America’s problem since they would likely be “escaping to Europe. That’s where they want to go.” With northeastern Syria once again an active battlefield, and Iraq engulfed in a new round of political chaos, conditions are certainly ripe for a new resurgence of ISIS or a new organization that takes up its mantle.

Those two points together suggest the U.S. withdrawal hands Turkey more leverage over the democratic nations (Kurds) and states (EU) that threaten Erdoğan’s anti-democratic regime. Furthermore it serves Putin’s doctrine of destabilization, so he may capitalize on human suffering for political objectives.

In security circles the U.S. abandonment of allies could be called a penny-wise, pound-foolish strategy that degrades American foreign policy and its own security. The U.S. administration covers the loss with claims of providing immediate gratification domestically. Clearly, however, it will cause far wider suffering and higher cost in the near future. Here is why even those immediate gratification claims don’t make any sense:

Given there are so few American soldiers in this draw-down, it can’t be called a troop withdrawal from conflict or an end to a war. This is especially true because thousands of troops were just deployed to Saudi Arabia, so the net result is more, and less efficient, deployments to the region.

Conversely, precisely because so few American troops were involved, Syria was a cost center that produced a high return on investment, primarily in terms of regional and national safety. Yet regional stability is no longer valued as before, as the administration has sought personal alignment with dictators, not to mention kick-backs and pocket-lining. Thus troops are being sent to Saudi Arabia as an alignment gesture, whether they stabilize anything or not.

Saudis regularly pay billions for old American cluster bombs to kill children and disrupt food production with campaigns that cause long-term regional destabilization.

In 2008 an international treaty called the convention on cluster munitions severely limiting the use, transfer and stockpiling of cluster bombs was adopted by 30 countries. By 2018 it had been signed by 120 states. The US, which sells arms to Saudi-led forces fighting in Yemen, was not one of them.

“Cluster munitions went through a proportionality test to measure military advantages gained versus civilian harm of their use,” said Rawan Shaif, the lead Yemen researcher at the open source investigative organisation Bellingcat, of the Geneva conventions relating to the protection of victims of armed conflict. “There’s no military advantage in using a cluster munition in a farm, unless your aim is to make that area uninhabitable for generations of civilians and military alike.”

The cluster bomb that killed Raja was manufactured at the Milan Army Ammunition Plant in 1977. The large site, just north of Jackson in west Tennessee, encompasses 231 miles (372km) of roads and 88 miles (142km) of railways and is nicknamed Bullet Town by residents.

And in terms of national safety, the administration has exhibited a harm-externality mindset: the threat from ISIS is foolishly downplayed because harm to the U.S. itself is counted as long-term and therefore ignored, while harm to others (the EU) is publicly wished for as an immediate threat (as promised by Putin).

In conclusion, while there are elements of a White House chasing personal profits and even putting money in pockets of some other Americans, overall this ill-conceived abandonment of allies is to serve the anti-EU policy of Russia that cruelly capitalizes on humanitarian crisis and undermines stability, as directed in this region by Turkey.

One last thought on this is the significance of women in the Kurdish forces and how values that traditionally would be consistent with the U.S. are now bizarrely misaligned. Given both Putin and Trump repeatedly have stated in the open how they disrespect and dislike women, it should not be overlooked how misogyny factors into a decision to suddenly divorce the U.S. from its long-time allies.

Kurdish history is replete with cases of women assuming leadership roles in the realm of religion, politics and even in the military sphere.

A Kurdish female fighter stands guard on Mount Sinjar in northwest Iraq. Photo by Asmaa Waguih, Reuters for a photo report in IBTimes

Austria Espionage Card Index 1849-1868

The neo-absolutist state secret service kept an espionage card index for surveillance of Vienna residents 1849-1868.

Here’s an example I captured from a museum’s archive:

Encyclopedia Britannica explains the living conditions during this period, not terribly far from where some in the U.S. want things to go today:

Freedom of the press as well as jury and public trials were abandoned, corporal punishment by police orders restored, and internal surveillance increased. The observation of the liberal reformer Adolf Fischhof that the regime rested on the support of a standing army of soldiers, a kneeling army of worshippers, and a crawling army of informants was exaggerated but not entirely unfounded. One of the more backward developments was the concordat reached with the papacy that gave the church jurisdiction in marriage questions, partial control of censorship, and oversight of elementary and secondary education. Priests entrusted with religious education in the schools had the authority to see to it that instruction in any field, be it history or physics, did not conflict with the church’s teachings.

California Posts CCPA Proposed Regulations

The California Attorney General (AG) Xavier Becerra has posted Proposed Regulations to implement the California Consumer Privacy Act of 2018 (CCPA). Becerra also has posted a Notice of Proposed Rulemaking Action (NOPA) and an Initial Statement of Reasons (ISOR).

Critics already are playing up that they can’t do business if they have to follow regulations set to protect privacy of consumers. These lobbying types are, of course, peddling risk management nonsense in the face of far too many breaches and a long slide downward of consumer confidence in data platforms.

The current round of criticism reminds me of those opposed to food safety regulations even after Upton Sinclair’s 1906 book The Jungle pointed out how rats and workers’ body parts were being ground up and shipped as sausage.

Cloud providers are like sausage factories, especially the largest ones, and for far too long they have been allowed to operate without basic duties of care, deliberately avoiding investment in innovation because they could avoid accountability for harms. And yes, Facebook is the wurst.

Those of us actively innovating in information technology see regulations such as CCPA as welcome guard rails, which spur long overdue innovations in data platform controls and help the data platform market grow more safely.

The proposed regulations set out some clear “shall not” rules for consumer personal information:

(3) A business shall not use a consumer’s personal information for any purpose other than those disclosed in the notice at collection. If the business intends to use a consumer’s personal information for a purpose that was not previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.
(4) A business shall not collect categories of personal information other than those disclosed in the notice at collection. If the business intends to collect additional categories of personal information, the business shall provide a new notice at collection.
(5) If a business does not give the notice at collection to the consumer at or before the collection of their personal information, the business shall not collect personal information from the consumer.

They also set out clear timelines for requests to delete data:

(a) Upon receiving a request to know or a request to delete, a business shall confirm receipt of the request within 10 days and provide information about how the business will process the request. The information provided shall describe the business’s verification process and when the consumer should expect a response, except in instances where the business has already granted or denied the request.
(b) Businesses shall respond to requests to know and requests to delete within 45 days. The 45-day period will begin on the day that the business receives the request, regardless of time required to verify the request.

EU Court: Holocaust Denial is not Protected Speech

General Eisenhower wisely and famously wrote to General Marshall in 1945 that we need to protect the future by carefully documenting the past:

I made the [Buchenwald concentration camp in Thuringia, Germany] visit deliberately, in order to be in position to give first-hand evidence of these things if ever, in the future, there develops a tendency to charge these allegations merely to “propaganda.”

Presidential archive copy of a letter from General Eisenhower to General Marshall, April 15, 1945.

General Patton and others wrote similar records of disgust at what they saw, as well as concern with the German people’s ability to operate around and in these death camps as if genocide was just business as usual.

And now a smart ruling has been handed down by the European Court of Human Rights that should have an immediate and serious impact on data platform safety regulation:

Pastoers’ argument that his statements were protected by Article 10, which protects freedom of expression, was “manifestly ill-founded,” given that he “had intentionally stated untruths in order to defame the Jews and the persecution that they had suffered,” the Strasbourg, France-based court ruled on Thursday. His complaint that he was denied a fair trial in Germany was also rejected by the ECHR.

Pastoers had given a speech a day after Holocaust Remembrance Day in 2010…

[…]

The tribunal said the German had deliberately obscured some of his remarks to try to get his message across more subtly.

“The impugned part had been inserted into the speech like ‘poison into a glass of water, hoping that it would not be detected immediately,’” the court said.

An example of hidden Nazi messages in daily communications is one of the most popular blog posts I’ve ever written. Detecting it isn’t the hard part.

Acting upon it has been the bigger issue, as Google, Twitter and Facebook executive management have repeatedly and intentionally declined to block poisonous speech. They operate with a philosophically and historically misguided willingness to profit, as Americans, from dispensing known harms that seriously damage markets around the world.

For example, documented hate group FAIR in the last year alone has spent $934,000 on Twitter ads, $910,000 on Facebook ads, and $111,000 on Google/YouTube ads.

…founder, John Tanton, has expressed his wish that America remain a majority-white population: a goal to be achieved, presumably, by limiting the number of nonwhites who enter the country.

Another way of looking at this is Facebook records income from dispensing poison:

From May 2018, when Facebook began publishing its archive of political and social advertisements, to September 17, 2019, at least 38 hate groups and hate figures, or their political campaigns, paid Facebook nearly $1.6 million to run 4,921 sponsored ads. Some ads call undocumented immigration an “invasion.” Others claim that LGBTQ people are “evil.”

“This is an astounding amount of money that’s been allowed to be spent by hate groups,” Keegan Hankes, interim research director of SPLC’s Intelligence Project, told Sludge. “It reaches a lot of people with some very toxic ideologies. Obviously that’s incredibly worrisome, if not a little unsurprising given Facebook’s track record specifically around these ideologies.”

Even more to the point, Facebook has hired people into executive positions with intent to undermine democracy through dispensing misinformation:

Harbath is Facebook’s head of global elections policy. She literally worked for Rudy Giuliani. I can’t make this up.

And insider threats in data platforms who are virulently anti-democracy and who like to use hate dissemination and misinformation techniques are not something to be surprised about, as I presented at Kiwicon in 2016.

Hate groups flock towards technology positions, and attempt to insert or influence staff there, like criminal syndicates attracted to bank jobs.

When Can You Trust Cloud Providers?

Our first book detailed the infrastructure risks in cloud environments. It gave basic instructions for how to make it safe to build a cloud.

However, I realized right away that a second book would be necessary as I saw operations going awry. People offering data “services” in cloud environments were doing so unethically.

That’s why since 2013 I’ve been working on tangible, actionable solutions to problems in cloud environments like the impostor CISO, the immoral SRE, and the greedy CEO.

It has been a much harder book to write because The Realities of Securing Big Data crosses many functional lines in an organization, from legal to engineering, sales to operations. A long time coming, it hopefully will clarify how and why things like this keep happening, as well as what exactly we can do about it:

We recently found that some email addresses and phone numbers provided for account security may have been used unintentionally for advertising purposes. This is no longer happening and we wanted to give you more clarity around the situation: https://help.twitter.com/en/information-and-ads

…and that led to everyone asking an obvious question.

You may remember a very similar incident last year and wonder why nobody at Twitter thought to test their systems to make sure they didn’t have the same security flaws as a safety laggard like Facebook.

Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn’t hand over at all.

Facebook and Twitter, after flashy high-profile CISO hires and lots of PR about privacy, both have sunk to terrible reputations. They rank at about the same levels as Wells Fargo in terms of customer confidence.

Facebook has experienced a tumultuous time due to privacy concerns and issues regarding election interference, ranked 94th. Wells Fargo ranked 96th. The Trump Organization ranked 98th, considered a “very poor” reputation.

The Drum says even the advertising industry is calling out Twitter for immorality and incompetence:

Neville Doyle, chief strategy officer at Town Square, suggested it was “enormously improbable” that Twitter ‘inadvertently’ improved its ad product with the sensitive data, and blasted the tech giant for being “either immoral or incompetent”. Either way, he said, it was playing “fast and loose with users’ privacy”. Respected ad-tech and cybersecurity expert Dr Augustine Fou, who was previously chief digital officer at media agency Omnicom’s healthcare division, also branded Twitter’s announcement as “total chickenshit”. Last July, the Federal Trade Commission (FTC) fined Facebook $5bn for improperly handling user data, the largest fine ever imposed on a company for violating consumers’ privacy.

The Raft of the Medusa by Géricault depicts service provider incompetence of 1816: “Crazed, parched and starved, they slaughtered mutineers, ate their dead companions and killed the weakest”

The technology fixes ahead are more straightforward than you might imagine, as well as the management fixes.

In brief, you can trust a cloud provider when you can verify in detail a specific set of data boundaries and controls are in place, with transparency around staffing authorizations and experience related to delivering services. Over the years I’ve led many engineering teams to build exactly this, so I’m speaking from experience of what’s possible. I’ve stood in customer executive meetings to detail how controls work and why the system was designed to mitigate cloud insider threats, including executives at the highest levels.

You should be especially concerned if management lacks an open and public resume of prior steps taken over years to serve the privacy needs of others, let alone management that lacks the ability to deconstruct how their control architecture was built from the start to serve your best interests.

What has been hard, especially through the years of Amazon’s “predator bully” subscription model being worshiped by sales teams, is keeping safety oriented around helping others. Tech cultures in America tend to cultivate “leaders” who think of innovation as separation, with no way to relate to the people they are serving.

The tone now seems to be changing as disclosures are increasing and we’re seeing exposure of the wrong things done by people who wanted to serve others while being unable to relate to them. Hoarding other people’s assets for self-gain in a thinly-veiled spin to be their “service provider” should never have been the meaning of cloud.

Study Details Racism in LAPD Traffic Stops

Data in a new LA Times report (and posted to GitHub) reveals that despite whites being found with contraband more often, blacks and Latinos are stopped and searched far more often.

…a black person in a vehicle was more than four times as likely to be searched by police as a white person, and a Latino was three times as likely.

Yet whites were found with drugs, weapons or other contraband in 20% of searches, compared with 17% for blacks and 16% for Latinos. The totals include both searches of the vehicles and pat-down searches of the occupants.

The analysis in the report indicates less evidence was used to prompt a search of Latinos and blacks than of whites. On top of that, after being stopped and searched, whites also saw better treatment and lower arrest rates.

Blacks and Latinos were more than three times as likely as whites to be removed from the vehicle and twice as likely to either be handcuffed or detained at the curb, the Times analysis found.

About 3% of blacks and Latinos stopped by the LAPD were arrested, compared with 2% of whites.

To put it another way, the city is 9% black yet 27% of people being searched are black; the city is 28% white, yet 18% of those being searched are white.

US Administration Fights to Protect Human Trafficking and Disinformation Platforms

The U.S. already has a reputation for its lax approach to infrastructure regulation that “encouraged the spread of disinformation and supported a powerful forum for harassment and bullying”.

Current occupants of the White House are taking that even further.

American infrastructure is said to be getting legal protections against accountability pushed on foreign trade deals, known as adding in Section 230.

Last year, Congress overwhelmingly approved a bill making it possible to sue online platforms for knowingly facilitating sex trafficking. Lawmakers have raised the prospect of creating additional carve-outs for the online sale of opioids. Critics of Section 230 say they are alarmed by the inclusion of its provisions in trade deals.

In other words, despite representatives in U.S. government working to protect the world from clear and documented harms, the White House is headed in the opposite direction by trying instead to protect criminal behavior, such as child trafficking, operating in the U.S.

This relates directly to other recent news that the American cloud service providers often are abused by men operating them to victimize women and children around the world.

Studies repeatedly show “it’s disproportionately women who are targeted” using cloud services and enslaved.

Seventy-six percent of trafficked persons are girls and women and the Internet is now a major sales platform.

Epstein no longer being protected by powerful American men, found dead in his cell and quickly forgotten, may actually mean he was replaced by technology…and that’s why now it is being made untouchable instead of him.

By allowing lawsuits to proceed as one would normally expect, a court would be able to deliberate and find the right balance between freedoms of expression and clear cases of harm.

“The use of Twitter by the defendants to post allegedly defamatory statements cannot subject the plaintiff to the terms of use agreement and the forum selection clause as it would not subject a plaintiff who did not have a Twitter account to the terms of use agreement,” the ruling states.

Okta SRE Pleads Guilty to Stealing IDs to Violate Women’s Privacy

Once again, cloud services very predictably show why they can be less secure than running your own.

We’ve warned for many years of cloud insider abuse like this, using examples from Uber, Google and Facebook.

In many of these cases it’s male engineers in American technology companies using their power and privilege to stalk and abuse women.

The US Department of Justice has posted details of a 34-year-old man who is said to have worked at Yahoo.

In pleading guilty, Ruiz, a former Yahoo software engineer, admitted to using his access through his work at the company to hack into about 6,000 Yahoo accounts. Ruiz cracked user passwords, and accessed internal Yahoo systems to compromise the Yahoo accounts. Ruiz admitted to targeting accounts belonging to younger women, including his personal friends and work colleagues. He made copies of images and videos that he found in the personal accounts without permission, and stored the data at his home. Once he had access to the Yahoo accounts, Ruiz admitted to compromising the iCloud, Facebook, Gmail, DropBox, and other online accounts of the Yahoo users in search of more private images and videos. After his employer observed the suspicious account activity, Ruiz admitted to destroying the computer and hard drive on which he stored the images.

That last sentence is concerning for anyone who has done digital forensics. How was Ruiz tipped off that he was being observed by an internal investigations team?

He wasn’t just a software engineer, he was a Site Reliability Engineer (SRE). And he wasn’t just a Yahoo engineer…

LinkedIn profile of Reyes Ruiz, identity thief hired as SRE by Okta

That career path reveals a far worse story than what is being reported right now.

An SRE is a person with deep access inside the cloud provider. They are trusted with the most sensitive data because, in theory, without giving them access a system could become unreliable or go offline.

For example, here’s a single-line command in VMware virtual environments that exports a copy of an entire server. In a disaster (planning) scenario it could be essential to keeping services running:

Copy-DatastoreItem vmstore:\Datacenter01\StorageArray01\DBNodes\* C:\SREisGod\StolenUserSecrets

Imagine instead, as the destination path name at the end of that line suggests, an evil SRE who just wants to steal ALL the data. SRE staff literally have the keys to any kingdom that trusts their employer. Even if the data was stored encrypted, using this command it’s decrypted by design.

I’ve repeatedly designed systems to protect against exactly this kind of insider threat and customers need to explicitly ask for proof that one exists. This is a disaster for both Okta and Yahoo if they cannot account for SRE access on their systems, particularly during the hours Ruiz was working.
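Two of the controls an SRE-access audit can provide, as an added example that is not code from Yahoo, Okta or the original post: flag a privileged actor who reads an unusual number of distinct user accounts with no ticket attached, and flag whole-datastore copies to destinations outside the approved disaster-recovery targets. The audit log, the actor names and the approved destination prefix are all constructed for this example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit log, one JSON object per privileged action.
# Illustrative only; not real data from Yahoo, Okta or any provider.
def _ev(ts, actor, action, target, ticket=None, dest=None):
    return json.dumps({"ts": ts, "actor": actor, "action": action,
                       "target": target, "ticket": ticket, "dest": dest})

SAMPLE_LOG = [
    _ev("2019-10-08T01:02:11Z", "sre.alice", "account_read", "user:1001", "INC-4411"),
    _ev("2019-10-08T01:05:40Z", "sre.alice", "account_read", "user:1002", "INC-4411"),
    # Ticketed copy of one disk to the DR share: expected SRE work.
    _ev("2019-10-08T03:00:00Z", "sre.alice", "datastore_copy",
        "vmstore:\\DC01\\Array01\\DBNodes\\db01.vmdk", "CHG-900",
        dest="\\\\backup01\\dr\\db01.vmdk"),
    # Unticketed copy of every DB node to a local scratch path.
    _ev("2019-10-08T02:40:00Z", "sre.bob", "datastore_copy",
        "vmstore:\\DC01\\Array01\\DBNodes\\*", dest="C:\\scratch\\dump"),
]
# sre.bob reads 25 distinct accounts in 25 minutes with no ticket.
SAMPLE_LOG += [_ev(f"2019-10-08T02:{i:02d}:00Z", "sre.bob", "account_read",
                   f"user:{2000 + i}") for i in range(25)]

# Constructed: the only place a datastore export is allowed to land.
APPROVED_DEST_PREFIXES = ("\\\\backup01\\dr\\",)


def parse(lines):
    """Parse JSON audit lines and return events sorted by timestamp."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def bulk_account_access(events, window=timedelta(hours=1), threshold=20):
    """Actors who read >= threshold distinct accounts inside `window` with
    no ticket. Returns {actor: peak distinct accounts seen in a window}."""
    recent = defaultdict(deque)
    alerts = {}
    for e in events:
        if e["action"] != "account_read" or e["ticket"]:
            continue
        q = recent[e["actor"]]
        q.append((e["ts"], e["target"]))
        while q and e["ts"] - q[0][0] > window:   # drop events outside window
            q.popleft()
        distinct = len({target for _, target in q})
        if distinct >= threshold:
            alerts[e["actor"]] = max(alerts.get(e["actor"], 0), distinct)
    return alerts


def untrusted_copies(events, approved=APPROVED_DEST_PREFIXES):
    """Datastore copies with no ticket or a destination outside the
    approved DR targets: the 'export everything' case discussed above."""
    return [e for e in events
            if e["action"] == "datastore_copy"
            and (not e["ticket"] or not e["dest"].startswith(approved))]


def triage(lines):
    """Run both checks over raw log lines and return a report dict."""
    events = parse(lines)
    return {
        "bulk_account_access": bulk_account_access(events),
        "untrusted_copies": [(e["actor"], e["dest"]) for e in untrusted_copies(events)],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

In a real deployment the ticket field would be joined against the change system rather than trusted from the log, and the account-read events would come from the provider's own access-proxy audit trail.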

His eight months at Okta, a widely used identity management company, could be an even bigger problem than Yahoo. Although to be fair the timing is interesting for both cases. Yahoo in 2007 when he joined was the biggest identity provider in the world. In 2018 Okta was claiming to be the leader in this space.

Okta apparently fired him as soon as the indictments were unsealed that detailed his long-term abuse of his privileged SRE role to game identity management. What Okta hasn’t said is whether they’ve concluded an internal investigation of all his access to identity data as an SRE.

This is huge. I can’t overstate enough that an identity management cloud provider, holding the secrets of millions of people, hired an identity thief. It’s like saying a bank hired a bank robber to guard their safe.

Given inside knowledge and access at the service provider he allegedly cracked passwords of thousands of young women, including those he knew and worked with, in order to steal their images. Then he used their identity information to pivot through their cloud accounts that shared the same password to steal more images.

Two lessons here:

One. Okta is a core identity management company that hired a predator who clearly joined companies to commit crimes. Anyone using Okta or a similar service needs to be prepared for this level of insider threat being reported. Although we can pressure Okta on reasons screening didn’t block this hire, we can’t assume screens will be perfect and instead should demand they prove his actions were limited and detected.

Two. Re-use of passwords is what made one evil cloud staff member able to access so many other cloud accounts. Impersonation was possible for Ruiz because users didn’t set up different passwords on each cloud service. Password managers are free and a baseline requirement for users today. Also, multi-factor authentication (MFA) would have made SRE theft of user secrets less effective and should be considered another baseline requirement (caveat: nothing is perfect; see the new FBI warning on MFA bypass).

There’s a third point about avoiding tipping off suspects during investigations, and preserving evidence, but we don’t have enough details yet on why or how badly that security team at Yahoo was compromised.

Drone Wars in Syria

Russian gas-engine model plane (Orlan-10 drone) downed in Syria with its big red parachute

AINonline offers numbers on drones in battles over Syria. Russia has recorded 23,000 flights of their own and claims 118 opposition drones shot-down, with the vast majority this year.

The following section on “gaps in electronic warfare shield” was particularly interesting as it emphasizes Russia’s current dependence (pun not intended) on primitive jamming systems and kinetic counter-measures.

Russian official, deputy defense minister for military technical cooperation with foreign countries General Aleksandr Fomin, accused U.S. forces of assisting the Syrian rebels in carrying out drone attacks on the Khmeimeem airbase. Speaking at the Xiangshan security forum in Beijing last fall, he said that, “a group of 13 drones moved according to a common plan of combat deployment, under control of a single crew team. That time, a U.S. Navy P-8 Poseidon ASW aircraft was on an eight-hour patrol mission over the Mediterranean Sea. Upon reaching out our electronic warfare shield, the drones retreated somewhat to receive correcting instructions and began using satellite communications channels to receive outside assistance to find and explore gaps in that shield. Then the drones attempted to penetrate through, only to be destroyed.”

Apparently, Fomin was referring to January 6, when Russian forces shot down seven drones with anti-aircraft missiles and crash-landed seven by jamming the drones’ flight control systems.

It is unclear why seven plus seven was reported as a group of 13 drones.

The rising scale of drone operations by Russia is part of a tale (pun intended) of their newfound ability to turn the U.S. into a dog they hope to wag around.

Google Calculator is Watching You

Go to the Google store and look at their calculator carefully.

Under permissions for their calculator, we see this list:

  • view network connections
  • full network access
  • prevent device from sleeping
  • read Google service configuration
  • measure app storage space

Full network access? For a calculator?

Map of Google calculator network traffic flows

Unfortunately you can’t filter apps in the store by level of permission requested.

A simple filter could get rid of calculators that inexplicably demand full network access, let alone other strange levels (some require access to both local storage and removable storage). Imagine setting a preference in your profile that allows the most private apps to be ranked highest…

Calculators without network privileges do exist, which raises the question of why Google’s gigantic security team lacks the ability to remove network access from an app that quite obviously has no need for it.

Here are a couple counter-examples:

Calculator Free

  • This app has access to: control vibration
  • That’s it

Calculator E Plus

  • This application requires no special permissions to run.
  • That’s it
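The filter wished for above, ranking apps by the permissions they request, as an added example that is not Google’s code or part of the original post. The three manifests are constructed; the permission identifiers are the real Android names behind the Play Store labels quoted above (for instance “full network access” is android.permission.INTERNET), and the risk weights are this example’s own judgement for a calculator-class app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permission -> (Play Store label, risk weight for a calculator).
# Weights are this example's assumption, not a Google or Android scale.
PERMISSION_RISK = {
    "android.permission.INTERNET": ("full network access", 10),
    "android.permission.ACCESS_NETWORK_STATE": ("view network connections", 3),
    "android.permission.WAKE_LOCK": ("prevent device from sleeping", 1),
    "com.google.android.providers.gsf.permission.READ_GSERVICES":
        ("read Google service configuration", 4),
    "android.permission.GET_PACKAGE_SIZE": ("measure app storage space", 1),
    "android.permission.VIBRATE": ("control vibration", 0),
    "android.permission.READ_EXTERNAL_STORAGE": ("read storage", 6),
}
UNKNOWN_WEIGHT = 5   # an unlisted permission must not silently score zero

# Constructed manifests standing in for the three apps discussed above.
XMLNS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
CONSTRUCTED_MANIFESTS = {
    "Networked Calculator": f"""<manifest {XMLNS} package="example.calc.net">
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES"/>
  <uses-permission android:name="android.permission.GET_PACKAGE_SIZE"/>
</manifest>""",
    "Calculator Free": f"""<manifest {XMLNS} package="example.calc.free">
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>""",
    "Calculator E Plus": f'<manifest {XMLNS} package="example.calc.eplus"/>',
}


def requested_permissions(manifest_xml):
    """Return the sorted list of permissions declared in an AndroidManifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))


def risk_score(perms):
    """Sum the weights; unknown permissions get the default weight."""
    return sum(PERMISSION_RISK.get(p, ("unknown", UNKNOWN_WEIGHT))[1] for p in perms)


def rank_by_privacy(manifests):
    """Most private first: lowest score, then name, as a store filter might."""
    rows = [(name, risk_score(p), p)
            for name, p in ((n, requested_permissions(x)) for n, x in manifests.items())]
    return sorted(rows, key=lambda r: (r[1], r[0]))


def without_network(manifests):
    """Names of apps that do not request full network access."""
    return [name for name, xml in manifests.items()
            if "android.permission.INTERNET" not in requested_permissions(xml)]


def labels(perms):
    """Translate permission identifiers back into Play Store wording."""
    return [PERMISSION_RISK.get(p, (p, UNKNOWN_WEIGHT))[0] for p in perms]


if __name__ == "__main__":
    for name, score, perms in rank_by_privacy(CONSTRUCTED_MANIFESTS):
        print(f"{score:3d}  {name}: {labels(perms) or ['no special permissions']}")
```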
