Category Archives: History

US Senator Argues for Jailing Facebook Execs

From a recent interview with Oregon’s Senator Wyden

Mark Zuckerberg has repeatedly lied to the American people about privacy. I think he ought to be held personally accountable, which is everything from financial fines to—and let me underline this—the possibility of a prison term. Because he hurt a lot of people. And, by the way, there is a precedent for this: In financial services, if the CEO and the executives lie about the financials, they can be held personally accountable.

Often in 2018 I made similar suggestions, based on the thought that our security industry would mature faster if a CSO personally can be held liable like a CEO or CFO (e.g. post-Enron SOX requirements):

And at Blackhat this year I met with Facebook security staff who said that during the 2016-2017 timeframe the team internally knew the severity of the election interference and were shocked when their CSO failed to disclose this to the public.

Maybe the Senator putting it all on the CEO today makes some sense strategically…yet also begs the question of whether an “officer” of security was taking payments enough to afford a $3m house in the hills of Silicon Valley while intentionally withholding data on major security breaches during his watch?

Given the appointment of a dedicated officer in charge of security, are we meant to believe he was taking a big salary only to be following orders and not responsible personally? Don’t forget he drew press headlines (without qualification) as an “influential” executive joining Facebook, while at the same time leaving Yahoo because he said he wasn’t influential.

To be fair he posted a statement explaining his decision at the time, and it did say that safety is the industry’s responsibility, or his company’s, not his. Should that have been an early warning he wasn’t planning to own anything that went awry?

I am very happy to announce that I will be joining Facebook as their Chief Security Officer next Monday…it is the responsibility of our industry to build the safest, most trustworthy products possible. This is why I am joining Facebook. There is no company in the world that is better positioned to tackle the challenges…

There also is a weird timing issue. The start to the Russian campaign is when Facebook brings on the new CSO. Maybe there’s nothing to this timing, just coincidence, or maybe Russians knew they were looking at an inexperienced leader. Or maybe they even saw him as “coin-operated” (a term allegedly applied to him by US Intelligence) meaning they knew how easily he would stand down or look away:

  1. June 2015: Alex Stamos abruptly exits his first ever CSO role after failing to deliver on year-old promises of end-to-end encryption, and also failing to disclose breaches, to join Facebook as CSO. Journalists later report this as “…beginning in June 2015, Russians had paid Facebook $100,000 to run roughly 3,000 divisive ads to show the American electorate”
  2. October 2015: Zuckerberg tries to shame investigators and claim no internal knowledge… “To think it influenced the election in any way is a pretty crazy”
  3. January 2017: US Intelligence report conclusively states Russia interfered in 2016 election
  4. July 2017: Facebook officially states “we have seen no evidence that Russian actors bought ads on Facebook”
  5. September 2017: Facebook backtracks and admits it knew (without revealing exactly how soon) Russian actors bought ads on Facebook
  6. September 2017: Zuckerberg muddies their admission by saying “…investigating this for many months, and for a while we had found no evidence of fake accounts linked to Russia running ads”, which focuses on knowledge of fake accounts being used, rather than the more important knowledge Russia was running ad campaigns
  7. September 2017: Zuckerberg tries to apologize in a series of PR moves like saying “crazy was dismissive and I regret it” and asking for forgiveness
  8. October 2017: Facebook’s Policy VP issues a “we take responsibility” statement
  9. October 2017: Facebook admits 80,000 posts from 2015 (the start of Stamos becoming CSO) to 2017 reached over 120 million people. Stamos brands himself as both the officer in charge with a definitive statement yet also as a denied voice who wasn’t allowed to speak. It does somehow come back to the point that the Russian Internet Research Agency allegedly began operations only after Stamos joined. Even if it started before, though, he definitely did not disclose what he knew when he knew it. His behavior echoes a failure to disclose massive breaches while he was attempting his first CSO role at Yahoo!

Given the security failures from 2015 to 2017 we have to seriously consider the implications of a sentence that described Stamos’ priors, which somehow are what led him into being a Facebook CSO:

At the age of 36, Stamos was the chief technology officer for security firm Artemis before being appointed as Yahoo’s cybersecurity chief in March 2014. In the month of February, Stamos in particular clashed with NSA Director Mike Rogers over decrypting communications, asking whether “backdoors” should be offered to China and Russia if the US had such access.

There are a couple of problems with this paragraph, easily seen in hindsight.

First, Artemis wasn’t a security firm in any real sense. It was an “internal startup at NCC Group” and a concept that had no real product and no real customers. As CTO he hired outside contractors to write software that never launched. This doesn’t count as proof of either leadership or technical success, and certainly doesn’t qualify anyone to be an operations leader like CSO of a public company.

Second, nobody in their right mind in technology leadership, let alone security, would ask if China and Russia are morally equivalent to the United States government when discussing access requests. That signals a very weak grasp of ethics and morality, as well as international relations. I’ve spoken about this many times.

If the U.S. has access, that in no way implies other governments are somehow morally granted the same access. Moreover this was very publicly discussed in 2007, because Yahoo’s CEO was told not to give the Chinese the access they requested (when Stamos was 28):

An unusually dramatic congressional hearing on Yahoo Inc.’s role in the imprisonment of at least two dissidents in China exposed the company to withering criticism and underscored the risks for Western companies seeking to expand there. “While technologically and financially you are giants, morally you are pygmies,” Rep. Tom Lantos (D., Calif.)

If anything these two points probably should have disqualified him to become CSO of Facebook, and that’s before we get into his one-year attempt to be CSO at Yahoo! that quickly ended in disaster.

In 2014, Stamos took on the role of chief information security officer at Yahoo, a company with a history of major security blunders. More than one billion Yahoo user accounts were compromised by hackers in 2013, though it took years for Yahoo to publicly report…Some of his biggest fights had to do with disagreements with CEO Marissa Mayer, who refused to provide the funding Stamos needed to create what he considered proper security…

Let me translate. Stamos joined and didn’t do the job disclosing breaches because he was campaigning for more money. He was spending millions (over $2m went into prizes paid to security researchers who reported bugs). While his big-spend bounty-centric program was popular among researchers, it didn’t build trust among customers. This parallels his work as CTO, which didn’t build any customer trust at all.

The kind of statements Stamos made about Artemis launching in the future (never happened) should have been a warning. Clearly he thought taking over a “dot secure” domain name and then renting space to every dot com in the world was a lucrative business model (it wasn’t).

I’m obviously not making this up as you can hear him describe rent-seeking with a straight face. His business model was to use a private commercial entity to collect payments from anyone on the Internet in exchange for a safety flag to hang on a storefront, in a way that didn’t seem to have any fairness authority or logical dispute mechanism.

Here is a reporter trying to put the scheming in the most charitable terms:

In late 2010, iSEC was acquired by the British security firm, NCC Group, but otherwise the group continued operating much as before. Then, in 2012, Stamos launched an ambitious internal startup within NCC called Artemis Internet. He wanted to create a sort of gated community within the internet with heightened security standards. He hoped to win permission to use “.secure” as a domain name and then require that everyone using it meet demanding security standards. The advantage for participants would be that their customers would be assured that their company was what it claimed to be—not a spoof site, for instance—and that it would protect their data as well as possible. The project fizzled, though. Artemis was outbid for the .secure domain and, worse, there was little commercial enthusiasm for the project. “People weren’t that interested,” observes Luta Security’s Moussouris, “in paying extra for a domain name registrar who could take them off the internet if they failed a compliance test.”

Imagine SecurityScorecard owning the right to your domain name and disabling you until you pay them to clean up the score they gave you. Dare I mention that a scorecard compliance engine is full of false positives and becomes a quality burden that falls on the companies being scanned? Again, this was his only ever attempt at being a CTO (before he magically branded himself a CSO) and it was an unsuccessful non-starter, a fizzle, a dud.

From that somehow he pivoted into a publicly traded company as an officer of security. Why? How? He abruptly quit Artemis by taking on a CSO role at Yahoo, demanding millions for concept projects more akin to a CTO than CSO. He even made promises upon taking the CSO role to build features that he never delivered. Although I suppose the greater worry still is that he did not disclose breaches.

It was after all that he wanted to be called CSO again, this time at Facebook. That is what Wyden should be investigating. I mean I’m fine with Wyden making a case for the CEO to be held accountable as a starting point, the same way we saw Jeff Skilling of Enron go to jail.

It makes me wonder aloud again however if the CFO of Enron, Andrew Fastow, pleading guilty in 2004 to two counts of conspiracy to commit securities and wire fraud…is an important equivalent to a CSO of Facebook pleading guilty to a conspiracy to commit breach fraud.

Stamos says he deserves as much blame as anyone else for Facebook being slow to notice and stamp out Russian meddling in the 2016 presidential election

Ironically Stamos, failing to get anywhere with his three attempts at leadership (Artemis, Yahoo and Facebook), has now somehow reinvented himself (again with no prior experience) as an ethics expert. He has also found someone to fund his new project to the tune of millions, which at Blackhat some Facebook staff reported to me was his way to help Facebook avoid regulations by laundering their research as “academic”.

It will be interesting to see if Wyden has anything to say about a CSO being accountable in the same ways a CFO would be, or if focus stays on the CEO.

In any case, after a year of being CSO at Yahoo and three years of being CSO at Facebook, Stamos’ total career amassed only four years as a head of security.

Those four years unmistakably will be remembered as one person who sat on some of the biggest security operations lapses in history. And his 2015 tout that he was taking an officer role because “no company in the world is better positioned” to handle challenges of safety continues to produce this legacy instead:

Another month, another Facebook data breach.

Update September 7th, 2019:

In another meeting with ex-Facebook staff I was told that when the “CEO and CSO are nice people” it should mean they don’t go to jail for crimes, because nice people shouldn’t go to jail. That perspective makes me wonder what people would say if I told them Epstein had a lot of friends who said he was nice. I mean it suggests to me a context change might help. I first will raise the issue in my CS ethics lectures with an example outside the tech industry: Should the captain of a sunken ship face criminal investigation for saving himself as 34 passengers died in an early morning fire?

Chinese drone company reports 98% kill-rate

A Chinese/German drone collaboration is delivering micro-dose poison at 14 hectares/hour and achieving a 98% kill-rate on armyworm.

Specifically, the drone atomises the pesticides into micron-level droplets, so the chemicals can evenly adhere to the surface of maize plants with a higher coverage rate. The strong downdraft generated by the propellers can significantly reduce liquid drifting and increase pesticide deposition, which means that both sides of the leaves and the central part of crops can be more precisely targeted. Such a mechanism can not only increase fall armyworm’s exposure to chemicals but also cut down a large amount of pesticide use and better conserve the beneficial insects.

Targeting sounds like it’s more of a “bracketing” spray than an injection into each worm on a leaf, although the drone company suggests they are looking into worm-recognition capabilities.

Targeting the individual worms instead of plant-level dosing still seems cost-prohibitive in this story. To achieve that accuracy I think we’d be talking Integrated Pest Management (IPM) with technology-augmented insects, or micro-drones, instead of these sprayers.

Perhaps soon there will be Integrated Drone Management (IDM) appearing in agricultural operations centers where augmented bugs are deployed from drones like static-line parachute jumpers.

Many years ago when we were starting research on how to stop drones set up as biological weapons, we looked at them as flying bombs in the same way the Italian fascist military dropped mustard gas on field-hospitals and ambulances.

Chinese agriculture, however, clearly is being driven to develop more highly-efficient low-dose toxin delivery at micro-target levels. That kind of emphasis in tooling accuracy means drones soon may advance past U.S. bladed assassination missiles, innovating so quickly we will have to update the risk discussions.

To be fair, five years ago any kind of anti-drone methods to stop weaponized versions meant a specific audience where examples needed to be general. Today it seems a general audience is open to hearing what harms may be ahead and more specific examples are more welcome.

Unfortunately what I must emphasize most today isn’t just how drones rapidly move towards highly-targeted assassination methods for something labelled a pest. I must also point out members of our security community actively have been found labeling non-whites as pests. Beware people advertising themselves as deserving authority to protect humans from harm, who may in fact be enabling and promoting harm through technology.

DEFCON27: Would the White House Use Executive Privilege to Back Door Your Crypto?

I said I would write up my notes from DEFCON27, where I had the “opportunity” to meet General Flynn’s residual guy with cyber in his title, so here it is.

DEFCON always has been for me about meeting with the Federal Government. Since the mid-1990s it has felt like the place government staff come to party with reduced accountability and oversight.

This year I stepped into the “Ethics Village” and listened to Joshua Steinman present his vision. To be honest in my decades of experience in security and working with the government I never had heard of Josh. When he began speaking I kind of realized why. He said very emphatically to the moderator:

Please don’t ever say cyber security. It’s just cyber.

This was like telling us not to say Internet security because just saying Internet somehow magically implies security. Yeah, not going to happen.

Few things self-reveal someone inexperienced in security like their overuse of the term cyber, leaving off modifiers needed to clarify, or lacking a sense of irony.

He also gave an intro of his background where he claimed to be a world-class expert on Al Qaeda before 9/11, issuing a national security report based on all available evidence (I later found out this was just a short paper he wrote in high school, and I am not kidding).

He also said he was a big supporter of the Republican candidate for President and that pulled him straight into the White House after victory.

And finally he called himself entrepreneurial (I later found out he started a knitting company to make socks for men, and again I am not kidding).

While he definitely puffed himself up in presenting his background as someone believing he is on the right side of history and ahead of his time, something about his self-promotion seemed off, especially compared to the quality of other speakers in prior sessions in the Ethics Village.

For the next 30 minutes or so Josh rambled randomly about personal life philosophy like basic water-cooler tactics and how surprised he was to find out the 1800s-era White House is physically small.

For someone repeatedly claiming he was able to see into the future, it was the opposite of substance. Imagine travelling all the way to a conference, sitting down to hear the “head of cyber” for a national government, and getting a presentation like this:

Usually I like to stand around in the break room area by the coffee. That’s where I hear conversations others are having and can find out what’s happening in the White House. Sometimes I join their conversation.

This was by no means a comforting talk to hear from the person purporting to be the policy making leader of our industry. I’m also paraphrasing here as Josh said several times “Raise your hand if you are a reporter. There are no reporters here? What I’m saying is off the record.” It appeared he was joking about this, although nobody laughed.

What caught my attention, among the rambling stories of hanging around and doing nothing tangible, was that Josh said with the utmost confidence “executive privilege is right there in the Constitution. Go read it to see for yourself.”

I’m no constitutional lawyer but as a historian who studied cold-war machinations of Presidents I’m well aware that the executive privilege line most definitely is NOT something you can read in the Constitution. Furthermore, as a security professional, I’m well aware of the danger of executive privilege being used to suppress evidence/speech and deny freedoms necessary to avert suffering at massive scale.

Perhaps Constitution Daily put it best:

One of the great constitutional myths is the principle of executive privilege. Though the term is not explicitly mentioned in the Constitution, every President has called upon it when necessary.

I really have no idea why Josh would say “go read it” for something that doesn’t exist in writing. He’s supposed to be a policy expert. Moreover you can imagine there is a big issue with oversight for that qualifier “when necessary”, since it’s for a privilege that is going to be argued as above all oversight.

Ronald Reagan infamously invoked executive privilege, while carefully avoiding use of the exact phrase, in attempts to avoid accountability for illegal arms deals:

The alternative language used by Mr. Reagan’s lawyers appears to reflect a desire to avoid the negative connotation associated with the term, which over the years has come to be thought of by critics as a legal ploy invoked by Presidents seeking to deflect embarrassing inquiries.

The legal skirmish is taking place in advance of Mr. Poindexter’s trial, which is scheduled to begin on Feb. 20. He faces five criminal charges, including accusations that he obstructed Congressional inquiries and made false statements to Congress about the Government’s secret arms sales to Iran and about efforts to aid the Nicaraguan rebels, or contras, at a time when such assistance was banned by Congress.

That reference to legal ploy comes from Richard Nixon, who similarly claimed he had such an executive privilege to conceal his guilt. He thought he could block White House tape recordings being revealed during the Watergate Scandal.

During the Bush Administration, executive privilege was argued to be not only non-specific but also quite limited. Note the reference to Kavanaugh (now on the Supreme Court) lying to Congress.

Predictably, the White House is claiming executive privilege and refusing to cooperate with the legitimate Congressional investigations, one springing from Mr. Bush’s decision to spy on Americans without a warrant and the other from the purge of United States attorneys. The courts have recognized a president’s limited right to keep the White House’s internal deliberations private. But it is far from an absolute right, and Mr. Bush’s claim of executive privilege in the attorneys scandal is especially ludicrous. […] Nor can it be used to shield an official who might have lied to Congress. The Senate Judiciary Committee has asked the Justice Department to investigate Brett Kavanaugh, a former White House official who told a Senate hearing on his appointment to a federal judgeship that he was not involved in forming rules on the treatment of detainees. Recent press accounts suggest that he was.

That’s a far more restrictive interpretation of executive privilege theory versus a Washington Post article from 1986 that spells out how proponents had wanted to use it under the Reagan Administration:

While serving in effect as lawyer for Attorney General Edwin Meese III, Cooper also advises the Justice Department, other federal agencies and inquiring members of Congress on a wide range of legal questions. Most of his opinions remain confidential, but some that have surfaced have generated headlines. In one opinion, Cooper argued that employers may fire persons with AIDS because of fear that the disease may be contagious, even if that fear is irrational. In another, he said that President Reagan must support an executive privilege claim by former president Richard M. Nixon to keep Nixon’s White House papers secret. […] In addition, department sources say, Cooper has been advising Meese on the U.S. decision to allow arms to be shipped to Iran in connection with efforts to free American hostages. Meese, in turn, has provided assurances to the White House that the shipments were legal.

Perhaps most importantly for this Ethics Village talk, that comment on AIDS is more significant than you might realize. Ronald Reagan claimed executive privilege could block the Centers for Disease Control from issuing a pamphlet on the AIDS crisis despite tens of thousands of Americans dying.

First, let’s set the context of how Reagan handled a threat to Americans that started in 1981. After it had already killed nearly twice the number of 9/11 casualties, Reagan used his authority to stay silent on the issue:

One of the most prominent stains on the…Reagan administration was its response, or lack of response, to the AIDS crisis as it began to ravage American cities in the early and mid-1980s. President Reagan famously…didn’t himself publicly mention AIDS until [Sept 17th] 1985, when more than 5,000 people, most of them gay men, had already been killed by the disease.

Even in 1985, Roberts (now on the Supreme Court) wrote an infamous memo that recommended the President keep quiet for self-benefit, avoid reassuring people with science, and wait instead for hyperbolic commentators to be proven wrong by scientists.

I would not like to see the President reassuring the public on this point, only to find out he was wrong later. There is much to commend the view that we should assume AIDS can be transmitted through casual or routine contact…

AIDS cannot be transmitted through casual or routine contact. It is known today as it was already known then.

After years of intentional silence on the subject by an American President the threat went on to be the greatest public health catastrophe of the twentieth century and kill approximately 650,000, the same as the number of Americans estimated killed during the Civil War.

…for the first four years in office, the nation’s top health officer was prevented from addressing the nation’s most urgent health crisis, for reasons he insisted were never fully clear to him but that were no doubt political.

Imagine executive privilege being used to prevent experts from addressing the nation’s most urgent security crisis, then look at this graph of Reagan’s policy of censorship and silence on harms.

Data on American death was suppressed by Reagan until 1987. Source: National Center for Health Statistics

So this prompted me to ask Josh about the large and vague theory of executive privilege. Already we can see Josh was wrong about executive privilege being written in the Constitution. Now I wanted to know if he supported its use to block discussion of a bug that can kill hundreds of thousands of Americans.

I stepped up at the end of his presentation and asked 1) where executive privilege was written and 2) whether Ronald Reagan’s interpretation of it would enable the White House to secretly harm Americans with backdoors in encryption, much in the same way he avoided public accountability for export death (illegal arms shipments to Iran) and domestic death (blocking AIDS scientific alerting).

As I asked my question he shook his head disapprovingly. Perhaps my question, like my blog posts, was rambling and lacked clarity.

I was thinking of how to ask about executive privilege in terms of the AIDS epidemic because in computer security terms it would be a virus that easily could be remotely controlled. If the executive privilege theory means the White House can block scientific discussion for political self-benefit, leading to massive harms to citizens, is the White House cyber policy head also saying secret government backdoors in encryption could be within this privilege?

Josh didn’t answer directly and instead said in a long statement that encryption was complex as a topic, there were many sides, and the market would decide backdoors. He also invited everyone to speak with him after as he could easily show where in the Constitution executive privilege was written (it’s not).

When he finished and got up to leave I walked up to him and he quickly exited towards the back of the room, passing directly by me. Several people said “he must not have seen you” so I rushed out the door and caught him in the hallway. He looked me directly in the eyes, turned and ran away.

Eisenhower’s “proud confederation of mutual trust and respect”

On January 17, 1961 President Eisenhower gave a phenomenal speech about the future of technology, especially Internet authorization models. Consider his words in context of today’s social networks and data platform controls:

Down the long lane of the history yet to be written America knows that this world of ours, ever growing smaller, must avoid becoming a community of dreadful fear and hate, and be, instead, a proud confederation of mutual trust and respect.

Video of the speech is available via C-SPAN

Many people reference this speech due to its stern warning against a congressional-military-industrial-complex diverting public funding to itself and away from education and healthcare.

People also tend to leave out the congressional role related to Eisenhower’s warning, probably because it was inferred and not explicit. Fortunately a professor of government explains how and why we still should include Congress in that speech:

When the president’s brother asked about the dropped reference to Congress, the president replied: “It was more than enough to take on the military and private industry. I couldn’t take on the Congress as well.”

Perhaps we can agree in hindsight that Eisenhower’s warnings were right. There is over-centralization in the American communications industry as well as a state of near-perpetual warfare. This means we should have also expected the “congressional-military-industrial-complex” to expand naturally into a “cyber” domain.

Of course, just like in 1961, we have more than one path forward. The tech industry should be moving itself away from power abuses and more towards something like Eisenhower’s prescient vision of globally decentralized “mutual trust” confederations.

Meanwhile, “For Nato, a serious cyberattack could trigger Article 5 of our founding treaty.”

President Reagan’s Racist Speeches and Recordings

It’s been interesting to read growing confirmations that Reagan was obviously a racist and intentionally harmed Americans who did not have white skin.

One of the best explanations I’ve seen so far is how latent racism in Reagan’s campaigns elevated his popularity, while his opponents actually suffered when they tried to call it out without directly addressing Reagan as a racist.

Josh Levin writes about Carter being chastised for opposing racism, and also how Reagan escaped any condemnations at the same time.

Carter is said to have given a Neshoba County Fair speech with some strong words about fighting hatred:

“You’ve seen in this campaign the stirrings of hate and the rebirth of code words like states’ rights in a speech in Mississippi,” Carter said, adding that “hatred has no place in this country.”

And then Carter is said to have had to go on the defensive, denying he was calling Reagan a racist, while Reagan just went right on signaling with “stirrings of hate…code words”.

Moreover, Levin points out Reagan (like the present occupant of the White House) gave Nixon’s racism the appearance of being less extreme, which is no small feat.

I thought of the Neshoba County Fair and its aftermath this week when the Atlantic published a previously unknown snippet of a conversation between Reagan and President Richard Nixon. On the morning of Oct. 26, 1971, Reagan, who was then the governor of California, told Nixon that African nations were to blame for the United Nations’ vote to eject Taiwan and welcome in mainland China. “Last night, I tell you, to watch that thing on television as I did,” Reagan said in audio captured by Nixon’s White House taping system, “to see those, those monkeys from those African countries—damn them, they’re still uncomfortable wearing shoes!” Nixon cackled in response. A few minutes later, the president called Secretary of State William Rogers to report, in the words of the Atlantic’s Timothy Naftali, “that Reagan spoke for racist Americans, and they needed to be listened to.”

On that tape, Reagan’s racism is direct and undeniable. Nixon, whose own racism is extraordinarily well-documented, immediately rejoices in it, laughing as Reagan talks about African “monkeys.” In his call with Rogers, by contrast, Nixon distances himself from the racist commentary, attributing it to someone more prejudiced than he is. (He also tells Rogers, erroneously, that Reagan had called the African leaders “cannibals.”) At the same time, Nixon categorizes Reagan’s views as a valuable political data point, a sentiment that needs to be understood and nurtured, not rejected.

In today’s terms, this analysis is not only historically interesting, it also impacts our debate about the safety of artificial intelligence.

When machines use only straight reasoning, devoid of the truth about Reagan’s signaling and racism, they will accelerate the harms from hatred. I spoke about this briefly in my RSA Conference Presentation earlier this year:

Trailer for General “Harriet” Tubman

She sometimes went by the name Moses on the Underground Railroad, which meant pro-slavery terrorists in America often were searching for a man.

Militant abolitionist and patriot John Brown, who fought to protect those who escaped slavery, may even have referred to her as a man when he said “I want him — General Tubman — leading my right flank.”

This November a new movie will be released documenting the amazing story of the first American woman to plan and lead a military campaign: Harriet Tubman.

2019 BSidesLV: “AI”s Wide Open

My 2019 BSidesLV presentation on AI security will be briefly in the “I Am The Cavalry” track and then again more in-depth in the “Public Ground” track:

When: Tuesday, August 6 (14:30-14:55 and 16:00-17:55)
Where: Tuscany, Las Vegas
Cost: Free (as always!)
Event Link: BSidesLV Schedule
Title: “AIs Wide Open – Making Bots Safer Than Completely $#%cking Unsafe”

Abstract (I Am The Cavalry track):

Bladerunner was supposed to be science fiction. And yet here we are today with bots running loose beyond their intended expiration and with companies trying to hire security people to terminate them. This is 2019 and we have several well-documented cases of software flaws in automation systems causing human fatalities. Emergent human safety risks are no joke and we are fast approaching an industry where bots are capable of pivoting and transforming to perpetuate themselves (availability) with little to no accountability when it comes to human aspirations of not being killed (let alone confidentiality and integrity).

This talk will frame the issues for discussion in the Public Ground track later. Perhaps you are interested in building a framework to keep bot development pointed in the right direction (creating benefits) and making AI less prone to being a hazard to everyone around? Welcome to 2019 where we are tempted to reply “you got the wrong guy, pal” to an unexpected tap on the shoulder…before we end up on some random roof in a rainstorm with a robot trying to kill us all.

Download Presentation Slides (6MB PDF)

RIP Rutger Hauer, the actor who turned down a role as an actual Nazi to instead play a futuristic robo-supremacist leader of renegade replicants in Bladerunner. He passed away this month aged 75.

“Rutger read [my] speech and then went on with a couple of lines about memories in the rain,” co-screenwriter David Webb Peoples told THR in 2017. “And then he looked at me like a naughty little boy, like he was checking to see if the writer was going to be upset. I didn’t let on that I was upset, but at the time, I was a little upset and threatened by it.

“Later, seeing the movie, that was a brilliant contribution of Rutger’s, that line about tears in the rain. It is absolutely beautiful.”

Hauer said he turned down a role in Wolfgang Petersen’s Das Boot (1981) to work on Blade Runner, which he noted “wasn’t about the replicants, it was about what does it mean to be human?” The late Philip K. Dick, whose novel served as the basis for the film, called the actor “the perfect Batty — cold, Aryan, flawless.”

Basically a haiku

All those moments will be – 6
Lost in time like tears in rain. – 7
Time to die. – 3

6+7+3 = 16

Simply Southern Nazi Tees

Some friends recently were saying my examples of KKK signaling in the open are just a theory. It’s true, I am proposing theories meant for dialogue, rather than saying I’m the final word on hidden signaling.

Nonetheless, hidden signaling by hate groups is a very real thing. It takes training and some careful observation to reveal the obfuscated messages without looking like you’ve lost your eyesight. Trust depends on establishing some clear explanations.

Let me now relate to you the type of behavior that I believe needs greater scrutiny. It’s the kind of behavior that sometimes even makes it into the news.

PBS NewsHour profiled a woman volunteering for the campaign who had prominently visible tattoos of widely recognized white power symbols.

In the segment, which was first flagged by Gawker, PBS profiles Grace Tilly, who is shown making calls at a Trump campaign phone bank in North Carolina.

Her symbols were a Celtic Cross and the number 88. Would you immediately recognize those as hate symbols?

I’m definitely not the first to write about Nazi tees hiding in plain sight. A descendant of Nazis literally already sent me a Mel Magazine article about Neo-Nazi apparel and asked me if there was anything I wanted for Christmas:

At a cursory glance, the T-shirt looks like an ad for Sea World. An orca, triumphantly jutting out of the sea, splashes water above the words “Antarktis-Expedition.” It takes just a second longer to notice the bold text hovering above the orca: “Save the White Continent.”

The shirt was created by the German label Thor Steinar, one of a few clothing brands that cater to neo-Nazis. Like Ansgar Aryan and Erik and Sons, Thor Steinar uses coded references to obscure events in Nazi history, veiled threats and playful imagery to flout German hate-speech laws, which forbid explicit references to the Third Reich.

So let’s just say I’ve been, and remain, in the right circles to know when I see something fishy (both puns intended). And that is why, while walking through an airport the other day, I could not help but notice someone wearing a giant 5th SS Panzer-Division symbol on a T-shirt.

First, I will explain the Nazi symbolism I am referencing. There are three parts: the SS, the Wiking and the Panzer-Division. An easy way of explaining these three symbols is to look at the marketplace of Neo-Nazi merchandise.

You can perhaps see how an SS, Wiking and Panzer-Division ring has been segmented into the three parts around the finger, which makes it kind of unwieldy and large.

Now I will explain these three symbols on the ring, left to right:

  • SS (Schutzstaffel) = a criminal militant organization of the Nazi Party directly involved in numerous war crimes and crimes against humanity
  • Wiking = “Nordic” volunteers who helped commit crimes for Nazi Germany
  • 5th Panzer-Division = the SS Wiking group of motorized (tank and artillery) infantry

Here’s an example of the SS Wiking symbol on a tank, for some historic perspective, as it rolls its way towards committing war crimes.

And here is a pamphlet from the same time period.

Second, I was walking through an airport just the other day when to my great surprise I saw someone wearing a Nazi symbol.

And here is a closer view, where the 5th Panzer symbol becomes less clear as a Nordic-looking SS becomes more apparent. Unlike the ring, however, the three symbols have been combined into a single giant one. Not what I was expecting. I had to find out who was wearing this thing and why.

“Does this obfuscated swastika make my…”

Most people I’ve explained this to call it an unfortunate oversight, or poor (ignorant) choice in design.

One guy thought it couldn’t possibly be intentional as the words surrounding the “Nazi rune” (his words) were so peace inspiring. I found that logic to be a bit like saying a hunter isn’t going to shoot a deer because a camouflage suit seems so nature-loving.

Nazi Germany infamously broadcast “make peace” propaganda into France right before invasion:

Excerpt from Article on Radio in Propaganda, Harpers Magazine, August 1941

And Nazi propaganda cells convinced groups of Americans to protest for peace with Hitler, offering him little or no resistance, even during WWII. Note how historians now describe the “America First” Committee (AFC) disinformation campaigns:

Hitler’s dictatorship repudiated both democracy and human rights. The Nazi empire was the arena in which Hitler’s master race philosophy was to be put into practice. Censorship prevented the German press from exciting the conscience of the nation. There could never have been a successful passive resistance movement against the Nazis. The inability of members of the AFC to recognize this, especially men like Hutchins of Chicago, and Norman Thomas, is remarkable.

The inability of Americans to recognize the harms from promoting Nazism is definitely remarkable, then and now. It’s probably fair to say it’s almost as bad as the inability of Americans to recognize the harms from promoting symbolism for the white-supremacist “Confederate” states that Nazi Germany used as inspiration.

Of course I had to walk up to this woman and ask her “what’s with wearing a giant Nazi symbol?” She gasped and said “Oh no. Oh my god. Don’t look. I don’t mean to offend anyone” and then walked away.

If all that isn’t enough, Simply Southern is, like the PBS profile of Grace Tilly, based in North Carolina. The company describes itself as a “brand to reflect the values of a southern lifestyle“. In the “giving back” section of its website it curiously depicts black children next to marine animals.

I’ve written before about this kind of “giving” imagery.

So after greater scrutiny, what’s your call?

Epstein’s Counterfeit Austrian Passport

There is some excellent reporting from the Daily Beast, as they lay out the details of a police search:

…U.S. attorney’s office said that the travel document “contains numerous ingress and egress stamps, including stamps that reflect use of the passport to enter France, Spain, the United Kingdom, and Saudi Arabia in the 1980s.”

The passport—which was Austrian but listed a Saudi Arabia address—was found in a locked safe…

A few notable points here:

  • Locked safe contents
  • False identity
  • France, Spain, UK and Saudi Arabia in 1980s

The locked safe is notable because the false identity passport was very old, yet never had been destroyed. Why keep an old document locked in a safe unless it still serves some purpose? Let’s look at what it may prove for those gaining access.

This triad of European countries plus Saudi Arabia should immediately be recognized as an arms trade group.

It was less than a year ago this was discussed in the news:

UK, France and Spain to maintain arms sales to Saudi Arabia

The word “maintain” is a big clue. We are talking here about passport stamps from the 1980s, when those arms sales began.

An older news story from the 1990s thus becomes more relevant, perhaps explaining why this passport was still locked in a safe.

…Mark Thatcher, 41, helped broker a British arms deal to Saudi Arabia worth a reported $35 billion in the mid-1980s.

According to a long report in the London Sunday Times, middlemen in the arms deal–which involved aircraft, warships and ammunition–received about $360 million for their services.

Both the Sunday Times and the Independent on Sunday said Mark Thatcher earned a $19-million commission for helping secure the deal.

Whenever arms trade, or similar black market dealings, come to light there are usually signs of an effort to make large payments untraceable. The Daily Beast offers exactly these details from the police search.

Also found in the safe was $70,000 in cash and 48 small diamonds that prosecutors contend are often kept on hand by someone who needs to make a quick getaway.

I understand why prosecutors right now are saying diamonds are evidence of quick getaway plans. They have a job to do and they probably are right about flight risk.

Yet quick getaway plans don’t match up with a long-expired counterfeit passport, which is why I am reminded here of a similar story from Frontline in 2002 of arms payable in diamonds:

U.N. arms expert Johan Peleman…got a lucky break. Peleman learned of a cocaine bust in Milan, where Italian police discovered four prostitutes in a hotel room with a Ukrainian businessman named Leonid Minin. The police also discovered more than $35,000 in cash, a half-million dollars in diamonds, and more than 1,500 documents detailing a tangled web of business dealings in oil, diamonds, timber and gun shipments to Africa.

A police search based on drugs and prostitution uncovers cash, diamonds and…arms deals.

What may come to pass is that the current investigation into Epstein’s history of sex crimes also implicates him in serving Israel by funneling European arms to Saudi Arabia during the Reagan Administration.

When Reagan came to power he wanted to undo the humanitarian embargo policies that Carter had enacted, avoid Congressional worry about oil embargoes and power, and return to the prior era of executive privilege, like the Nixon/Kissinger secret arms deals.

The explosive growth of major cash sales of weapons to Third World nations—especially those in the oil-rich, but politically volatile Middle East and Persian Gulf region—stimulated a growing congressional desire to be better informed, and consulted with, on such sales that had serious potential consequences for American national interests.

New Yorker Cartoon, 31 May 1974

More to the point, Nixon had spent the early 1970s secretly building up Iran’s military capabilities and Reagan wanted to spend the mid-1980s using executive power to expand Iraq’s military capabilities in a war with Iran.

Here’s “National Security Decision Directive (NSDD) 99, signed on July 12, 1983”, which clearly lays out Reagan’s thinking.

1985 seems to be the crucial turning point in strategy: as Reagan normalized relations with Iraq, he also backtracked on direct arms sales to the Saudis (claiming personal responsibility while also saying he didn’t know what was going on).

You can see the result of that shift: arms deal numbers jumped for France, the UK and Spain:

That’s a graph I made from the SIPRI database of 1980s arms transfers to Saudi Arabia. Who brokered them?

The answer in part might be a guy who founded his own financial firm in 1982. His peculiar Austrian passport with a fake name, a Saudi address and stamps from France, UK and Spain now just needs to be held up to a 1980s calendar of major arms deals:

Maybe the target of this current investigation will also be linked directly with the infamously unpopular American-made secretive arms deals to both Iran and Iraq, meant to manipulate and destabilize them (see also: Iran-Contra Scandal of 1986).

The Shadow World and BAE Files have a Compendium at Tufts that summarizes the significance of this passport against already documented history:

An investigation by the UK government’s Serious Fraud Office (SFO) uncovered ‘commission payments, or bribes, totaling as much as GBP 6 billion paid by BAE Systems to members of the Saudi royal family and others.


The [1985] Al Yamamah deal resulted from the reluctance of the U.S. Congress in the early 1980s to allow sales of major combat aircraft to Saudi Arabia, fearing they may be used against Israel.

General reporting about the 1980s may call out a “reluctance of the U.S. Congress” to sell arms, and I often see talk about Thatcher’s “intent to create jobs” (lining the pockets of her own son) by selling arms into brutally repressive regimes. Andrew Feinstein even goes so far in his book “The Shadow World” to phrase the deals like this (p91):

Such were the benefits of Al Yamamah to Thatcher fils that some refer to the deal as ‘who’s ya mama’.

I have yet to find anyone discussing however whether Epstein was given an Austrian passport by the US or Israel to broker European arms into Saudi Arabia and thereby fuel Iraq in its war with Iran.

In other words, people talk about Epstein’s strange and shadowy accumulation of wealth in very similar terms to Thatcher, without any of the transparency. Maybe they should look into whether his counterfeit passport was within or near a nexus of arms payments between Reagan, Thatcher, Prince Bandar “Bush” bin Sultan, Saddam Hussein and Shimon Peres.

To help, I’ll give a couple examples of what money laundering and arms trade accountability has looked like for Mark Thatcher.

First, consider his conviction for laundering money into a coup d’état over diamond mines and oil, led by an ex-SAS officer:

…son of former British Prime Minister Margaret Thatcher pleaded guilty Thursday to unwittingly helping bankroll a botched coup plot in oil-rich Equatorial Guinea…[after] he paid $275,000 in two installments last year to charter an Alouette III helicopter to be used in the takeover attempt…

I say laundering because his “unwittingly” helpful role has since been proven to have been formally approved as necessary by British Prime Minister Thatcher, his mother.

On his release from prison, [ex-SAS officer] Mann said he could never forgive Sir Mark, who he claimed was a key participant in the military adventure rather than a mere investor, for failing to come to his aid.

And second, given the above secretive laundering role, there’s a direct parallel to Epstein’s track record in “financial services” versus reality:

For years mystery has surrounded the way in which Mark Thatcher suddenly acquired great wealth in the 1980s, when his mother was in office. He repeatedly has refused to answer journalists’ questions about the subject but is reported to have told friends he made his fortune offering “financial services.”


The Sunday Times said Thatcher was one of a group of people who helped broker the deal, and who received among them a $360 million commission from the Saudis. It said his share was $18 million.


The Sunday Times quoted Saudi arms dealer Adnan Khashoggi as saying that Mark Thatcher’s value to the Saudis during the negotiation was that he could go to his mother and get an answer to any question they raised.

That leaves quite a lot for Epstein. Given records saying the Saudis expected sexual favors as part of the bribery system (e.g. the UK inflated the cost of its jets by 30% before signing the deal), it’s not a stretch to see how human trafficking through private jets and private islands became Epstein’s 1980s self-enrichment plan, thanks to his special passport.

Now we just need the Daily Beast to give us some dates from his passport stamps and the name in the passport to see if the above international history analysis holds any water.

Inventor of Cloud Computing Dies Aged 93

There’s something not quite right about a BBC article about the death of Fernando Corbato.

First, the meat of the story describes sharing models of compute.

Using computers during the 50s was an exercise in frustration because the huge, monolithic machines could only handle one processing job at a time.

In a bid to overcome this limitation, Dr Corbato developed an operating system for computers called the Compatible Time-Sharing System (CTSS).

Rather than have the machine dedicated to one person, CTSS divided up the processing power of a computer into small slices so it could do little bits of work for lots of people.

Given all that…the BBC decided to run their story with a title of “Computer password inventor dies aged 93”.

Password inventor?

A lot of people think of the late Corbato this way, yet I’m not sure why it’s a good idea to keep saying it. The BBC could do better.

We are in an age where sharing systems are wildly popular and everyone hates passwords. Perhaps people think focusing on the password story will get more clicks? I don’t like how it distracts from the bigger picture.

It’s a bit like calling the guy who invented police (another sharing system) the inventor of the nightstick. Why focus on the latter when the former was their actual intent and more notable contribution? Even if there were other sharing systems around that time, Corbato’s sharing system work was seminal and very influential.

Second, the BBC describes antique compute power as “so fast”.

Even in the 50s and 60s computers were so fast that no user noticed they were only getting a small portion of a machine’s processing power at any one time.

We have both “an exercise in frustration” because jobs had to be stacked, and yet at the same time “no user noticed they were only getting a small portion”. I find it hard to reconcile how frustration drove a user to solve something that no user noticed. Was it frustrating or was it invisible?

Also the story at this point ignores the development of batch processing in the late 1950s.

Anyway, Wired describes the situation entirely differently, suggesting that scarcity of machine time, not speed, is what actually led to the first password hack.

In the spring of 1962, Scherr was looking for a way to bump up his usage time on CTSS. He had been allotted four hours per week, but it wasn’t nearly enough time to run the detailed performance simulations he’d designed for the new computer system. So he simply printed out all of the passwords stored on the system.

That makes more sense.

And finally, third, this whole narrative misses the point that Dr Corbato himself described the use of a secret to gain entry as an obvious solution for shared systems.

He was reluctant to take credit for passwords, which raises the question of why people are so intent on pinning them on him, instead of crediting him with a compute sharing model that can uniquely authenticate people.
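The Scherr story above is worth making concrete, because the weakness was not the password idea but where the secrets lived: on a shared machine, a password file that any user’s job can read is a list of everyone’s keys. The following is an added example, not CTSS code and not from the article or this post; the users and passwords are constructed, and the hashed store is the modern counterpart (salted PBKDF2, constant-time comparison) that the page does not describe. The “attack” is simply the 1962 move: read the file, then log in as everyone else.

```python
"""Added illustration of the CTSS password-file incident.

Two password stores sit on a simulated time-shared machine where every
user's job can read the same file. Against the plaintext store, printing
the file yields every credential; against the salted, hashed store it
yields only salts and digests. Names and passwords below are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class PlaintextStore:
    """The shared file as a readable table of secrets (the 1962 design)."""
    entries: dict = field(default_factory=dict)  # user -> password

    def add_user(self, user: str, password: str) -> None:
        self.entries[user] = password

    def verify(self, user: str, password: str) -> bool:
        return self.entries.get(user) == password

    def read_file(self) -> dict:
        # Any job on the shared machine can do this; nothing protects it.
        return dict(self.entries)


@dataclass
class HashedStore:
    """Same shared file, but holding (salt, PBKDF2 digest) instead of secrets."""
    entries: dict = field(default_factory=dict)  # user -> (salt, digest)
    iterations: int = 100_000

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # per-user salt defeats precomputed tables
        self.entries[user] = (salt, self._digest(password, salt))

    def verify(self, user: str, password: str) -> bool:
        rec = self.entries.get(user)
        if rec is None:
            # Burn comparable time so unknown users are not revealed by timing.
            self._digest(password, b"\x00" * 16)
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._digest(password, salt))

    def read_file(self) -> dict:
        return dict(self.entries)


def scherr_attack(store, victims) -> set:
    """Print the password file, then try to log in as every other user.

    Returns the set of accounts the reader can now use. A plaintext entry
    is a usable password; a (salt, digest) tuple is not.
    """
    dump = store.read_file()
    compromised = set()
    for user in victims:
        leaked = dump.get(user)
        if isinstance(leaked, str) and store.verify(user, leaked):
            compromised.add(user)
    return compromised


def demo() -> tuple:
    """Run the same attack against both stores; returns (plaintext, hashed) results."""
    users = {"scherr": "perf-sim", "corbato": "ctss", "alice": "hunter2"}  # constructed
    weak, strong = PlaintextStore(), HashedStore()
    for u, p in users.items():
        weak.add_user(u, p)
        strong.add_user(u, p)
    return scherr_attack(weak, users), scherr_attack(strong, users)


if __name__ == "__main__":
    leaked_plain, leaked_hashed = demo()
    print("plaintext file, accounts taken over:", sorted(leaked_plain))
    print("hashed file, accounts taken over:", sorted(leaked_hashed))
```

The point the example makes is the one the post makes in prose: the interesting invention is a sharing model that can tell users apart, and the password was the obvious secret to bolt onto it. Once the file is readable by all jobs, uniqueness is gone no matter how the secret is chosen, so the protection has to move into the representation (and, on a real system, into file permissions the scheduler enforces).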

I’ve seen some people reference IBM in the 1950s, when really there should be an investigation into Philco, RCA, ERA, NCR, GM NAA, Tymshare, National CSS, Dial Data and Fairchild computers from that time.

Many computer systems under development in the late 1950s were serving the US military. So by way of example, here is a page from a 1956 US Army FM26-5 booklet on the language used to handle access to an “internal” shared resource: