Category Archives: Security

Operation Sloppy Night Dragon

They should have called it Operation Sloppy Joe.

McAfee is stirring cyberwar book authors into high alert again. Expect to see the authors issue new warnings, recommend the purchase of new products (probably made in China), tell you to buy their book(s), and give lots of attention to a report titled “Global Energy Cyberattacks: Night Dragon”.

I will cover this in my presentation next week at BSidesSF (Dr. Stuxlove or how I learned to stop worrying and love the worm) but here’s a sneak preview.

McAfee has determined that all of the identified data exfiltration activity occurred from Beijing-based IP addresses and operated inside the victim companies weekdays from 9:00 a.m. to 5:00 p.m. Beijing time, which also suggests that the involved individuals were “company men” working on a regular job, rather than freelance or unprofessional hackers.

That is not the conclusion I would draw from the same data. They are making some funny and highly improbable assumptions:

  1. The attackers are male (Ok, cheap shot, I know, but srsly “company men?” Is this 1950?)
  2. The attacks correspond to 9-5 daytime in Beijing, so they must be related to a regular Joe. Get it? Sloppy Joe. Why not assume the opposite — night-time attacks from freelance or unprofessional hackers? Heck, why not assume professional night-time hackers using Beijing proxies? And they might not be sloppy so much as cost-effective. They still went undiscovered for a good long time, and saved money over more secretive methods.
  3. The attackers used Chinese language attack tools, therefore they must be Chinese. This is a reverse language bias that brings back memories of L0phtCrack. It only ran in English. I mean if you ran L0phtCrack, it made you an American, right? Neat how that works. It used to be so hard to get Chinese citizenship. Now you just run Hookmsgina and blammo! You start waking up as a company man for 9am Beijing time — metamorphosis.
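To show why the 9-to-5 observation alone does not pin down where the operators sit, here is an added example (not data or code from the McAfee report or this post): constructed UTC session timestamps scored against several time-zone hypotheses. The cluster that reads as a Beijing workday reads equally well as an evening shift in US Pacific time, which is exactly the "night-time hackers using Beijing proxies" reading.

```python
from datetime import datetime, timezone, timedelta
from collections import Counter

# Constructed sample: UTC start times of hypothetical exfiltration sessions
# (not taken from the McAfee report), clustered between 01:00 and 09:00 UTC.
SAMPLE_UTC = [
    "2011-02-07T01:15:00", "2011-02-07T03:40:00", "2011-02-07T06:05:00",
    "2011-02-07T08:50:00", "2011-02-08T02:20:00", "2011-02-08T04:55:00",
    "2011-02-08T07:30:00", "2011-02-09T01:45:00", "2011-02-09T05:10:00",
    "2011-02-09T08:25:00",
]

# Candidate zones to test the "9-to-5 workday" hypothesis against. Fixed
# offsets are enough here: the sample dates fall outside daylight-saving time.
ZONES = {
    "Beijing (UTC+8)": 8,
    "Moscow (UTC+3)": 3,
    "US Eastern (UTC-5)": -5,
    "US Pacific (UTC-8)": -8,
}

def local_hours(stamps, offset_hours):
    """Convert ISO-8601 UTC timestamps to local hour-of-day under a fixed offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
            .astimezone(tz).hour for s in stamps]

def business_hours_fraction(stamps, offset_hours, start=9, end=17):
    """Fraction of sessions whose local start hour falls in [start, end)."""
    hours = local_hours(stamps, offset_hours)
    return sum(start <= h < end for h in hours) / len(hours)

def rank_hypotheses(stamps, zones=ZONES):
    """Score each candidate zone. A score near 1.0 is consistent with a 9-5
    workday in that zone; a score near 0.0 is equally consistent with
    night-time or evening activity in that zone. Neither proves a location."""
    return {name: business_hours_fraction(stamps, off) for name, off in zones.items()}

if __name__ == "__main__":
    for name, frac in rank_hypotheses(SAMPLE_UTC).items():
        hist = Counter(local_hours(SAMPLE_UTC, ZONES[name]))
        print(f"{name:20s} in 9-5: {frac:.0%}  local hours seen: {sorted(hist)}")
```

The same ten timestamps score 100% "workday" for Beijing and 0% for US Pacific, where they land between 17:00 and midnight; the data fits both stories, and only the report's prior picks one.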

Seriously, though. The evidence continues to show that innovation is still alive and well as a form of imitation, as I have written before. Competitors will try to get inside information to copy and improve upon their own processes and products without the cost of invention. This has been a risk since the beginning of competition. Are we at cyberwar yet?

There is a reason the iPhone adopted the Garmin-like touch screen and form-factor and added a Google-like scrolling interface…it could be the very same reason someone is trying to study critical infrastructure in America. Or they might want to get insider information so their next round of surveillance/control is more sophisticated. Or they might want to get more power and money for anti-Chinese cyber programs. The problem is that the report gives a lot of room for interpretation and pot stirring instead of a clear case.

Hacking Quality Into Electronics

Economics and philosophy arguments aside, the fact is that if you take apart a pair of $199 Sennheiser headphones you can instantly upgrade them to a model that is sold for $350.

Aside from the aesthetic differences, the only physical difference was an additional piece of foam inside the cheaper HD555 headphones, blocking about 50% of the outside-facing vents. Since both the HD 555 and HD 595 are designed to be “open” headphones, reducing the vent with foam would not be in the designer’s original interest and this is where the HD 555s have been “crippled”. So to save yourself $150, open your HD 555s up and remove the foam. Done.

Now if you could only make them look the same on the outside…

Sennheiser might be more clever next time they want to hide their “crippling” device.

Even more to the point, a less-expensive model might already sound the same as a more expensive one. Does removing foam really improve the sound $150 worth? The site does not do any tests to show a measured change. Where did they find the “designer’s original interest”?

Performance is not easily measured when it comes to aesthetics like audio, and so manufacturers will push perceived value and marketing to the limits rather than invest in independent test results. Monster Cable has certainly proven that time and again. They even tell consumers that the way to know you are buying a fake product is by looking at the price.

If a price for a product being sold as Monster from a non-authorized dealer seems “too good to be true,” most likely it is.

At least they said “most likely”. Who would dare sell quality for less than the sales department at Monster Cable, right?

Here are the differences I found in the technical data as published by Sennheiser for their 555 and 595. All that from a piece of foam?

Model                             555            595
Weight w/o cable                  260 g          270 g
Frequency response (headphones)   15-28000 Hz    12-38500 Hz
THD, total harmonic distortion    < 0,2 %        < 0,1 %

VMware vShield Manager Design and Availability

Beth Pariseau at Tech Target echoes some excellent risk concerns regarding virtual firewalls by VMware. She paraphrases much of what was already said by “Scott Drummonds, an EMC Corp. vSpecialist and former VMware technical marketing director”.

  1. vShield Manager can introduce a single point of failure
  2. A failure can disable the network
  3. Network access is required to fix the problem
  4. Solutions are non-trivial

She then concludes that non-trivial solutions violate the “cost and consolidation objectives for virtualization projects”. I disagree. She also uses a sensationalist start to her report, which I question:

raised eyebrows among potential users, who appear to be putting deployments on hold

I looked for evidence of deployments on hold but found none. Who has the raised eyebrows? The closest thing was this anonymous quote:

“While vShield Zones sounds good in theory, it introduces a VM through which all the protected traffic is funneled,” said a data center supervisor working in the higher education field. “I worry about congestion and [vShield Manager] becoming a single point of failure.”

That is a business-as-usual quote, in my book, not a “wait a minute”. Data center supervisors know that a firewall funnels traffic, which can introduce congestion and failure risks. Their job is to plan around them to make sure deployments do not get put on hold.

I could give numerous examples of deployments that have charged ahead despite single-failure risks. They used to happen all the time in the traditional nuts, bolts and wire environments. Here are three examples of what has changed and what hasn’t.

Congestion

Sizing firewall performance was something of an art when buying hardware. A depreciation schedule of at least three years meant you had to keep a crystal ball handy in negotiations with vendors. Compare it to the resource pool concept of virtual devices. Additional memory, for example, is just an easy configuration change. The worst case is that you power off a virtual firewall, reconfigure, and restart. Most important, perhaps, is that virtual systems actually enable users to start with the smallest possible configuration. Even a company that expects phenomenal growth can initially spend only on low-throughput devices because virtual systems can be easily and inexpensively expanded in a cloud configuration.

Advantage: VMware

Failure

Like congestion, failure (often due to congestion) has budget implications. A failure usually ends up with security managers trying to find money in a hurry to perform a production swap of hardware and hire talent to manage delicate rule migrations in multiple physical locations. Not for the faint of heart — some liked to describe it as changing the tires on a moving car. Recovering from failure thus can be much harder to do in the physical world than virtual, as you can imagine.

Take VMware’s vShield Manager as a specific example, since that seems to have become the subject of controversy. A vShield App is installed on a virtual interface. Firewalls used to give console access, serial, etc. after a failure. Management (service console) communication separated from vmkernel, as it should be, would still allow an administrator to power down the virtual machine, do cold migration and then power up the same host with a new vShield App. The failed firewall would be replaced, but replacement is far easier than in the physical world of keeping expensive spare/redundant parts and traveling at a moment’s notice to remote locations.

Advantage: VMware

Cost and consolidation

This can be argued several different ways, but take the usual cloud objective of elasticity. A firewall failure due to congestion (a denial of service attack, for example) in the physical world raises cost and consolidation problems that are difficult to solve in the short and long term. Changes to the infrastructure sufficient to withstand a serious attack were not only substantially expensive and complex but raised all kinds of long-term financial obligations and implications. A virtual environment hosted in the cloud, on the other hand, lowers the barrier to resilience — it offers lower cost and better consolidation options for firewall and network security.

Advantage: VMware

Ultimately VMware brings a new set of options to the table for availability at less cost. That is why you always find disaster recovery projects and managers talking about how they want to leverage virtual systems to reduce downtime.

I am curious to know what potential customer would put a project on hold when they work through the above issues. A company might decide that the cost of downtime is not high enough to justify the expense of removing single points of failure; but removing single points of failure can be far less expensive in a virtual environment.

CIA Surveillance Technology on Flickr

A Flickr account by CIAgov has some entertaining photos of technology that mimics nature. There are robots that look like a catfish, or a dragonfly, and then there is the rock and stick “seismic intruder detection device”:

CIA Rock and Stick

This Cold War-era intrusion detector was designed to blend in with the terrain. It can detect movement of people, animals, or objects up to 300 meters away. The device is powered by tiny power cells and has a built-in antenna. Its transmitter relays data from the device findings via coded impulses.

I will never look at dog poop the same way again.