Chinese Crackdown, U.S. Outgunned

The Wall Street Journal just ran a cover story titled “U.S. Outgunned in Hacker War”.

Run for the hills!

No, wait, let’s take a closer look. My first reaction was to look for details on who is outgunning the U.S. My second reaction was to look for a definition of a “Hacker War.” Unfortunately, the story comes up short on both counts.

The reader is left without clarity on who is shooting or what was meant by the term war. That is unfortunate because it would not be hard for them to write a more balanced (e.g. include a counterpoint) and substantive (e.g. include some data) story. Here is how I tried to make some sense of this story using a few simple steps.

The WSJ uses a quote from the FBI to start their story.

The Federal Bureau of Investigation’s top cyber cop offered a grim appraisal of the nation’s efforts to keep computer hackers from plundering corporate data networks: “We’re not winning,” he said.

Could this be in terms of U.S. criminals who are plundering U.S. assets? Why would I ask that? Let’s jump right past all the glaringly obvious examples of Bernard Madoff, Kenneth Lay, Jeffrey Skilling, Andrew Fastow, Bernard Ebbers, Scott Sullivan…and look at some of the latest data on IT threats from a security solution vendor.

  • More than 75 percent of the respondents indicated that privileged users within their own institutions had or were likely to turn off or alter application controls to change sensitive information – and then reset the controls to cover their tracks.
  • Eighty-one percent replied that individuals at their institutions either had used or were likely to use someone else’s credentials to gain elevated rights or bypass separation of duty controls.
  • On average, respondents noted that their organizations experienced more than one incident of employee-related fraud per week…

Also, as I explained in my presentation on breach data at the RSA SF 2012 conference, the U.S. shows up in many reports as the #1 source of threats. Sophos lists America as the top spam-producing country (China is the most attacked, according to them), while McAfee says 73% of malicious online content is hosted in the U.S. In other words, the U.S. currently is allowing attackers to attack the U.S. So, if we add this detail to the story, can we conclude the U.S. is outgunned by the U.S.?

Before I answer that, you may say this data is from vendors and of course they are stoking fear. That is true but it at least gives us some quantitative detail to assess on our own and verify. The Wall Street Journal mentions no data at all.

More to the point, we could make a similar argument about the Wall Street Journal source that starts their story. The perspective they cite actually is from a person leaving for a private-sector consulting practice. Clearly Henry stands to profit more, and help his consulting firm win clients, when he stokes generic security fear.

Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy.

…operators at Mr. Henry’s firm are standing by to sign you up for a new service. You can have all the major change he says you need for the low, low price of just $$$K/month.

So the first technique I recommend when reading these scare stories is to seek transparency; get to the data and verify the analysis. Always factor and account for bias. We should not be satisfied with stories of a threat mired in sophisticated or advanced details, especially from those who stand to profit with obfuscated services. As Einstein once said “if you can’t explain it simply, you don’t understand it well enough.”

Now back to the question of the U.S. outgunning the U.S. The Wall Street Journal suddenly and without explanation brings up China.

Testimony Monday before a government commission assessing Chinese computer capabilities underscored the dangers. Richard Bejtlich, chief security officer at Mandiant, a computer-security company, said that in cases handled by his firm where intrusions were traced back to Chinese hackers, 94% of the targeted companies didn’t realize they had been breached until someone else told them.

As Richard Bejtlich must know, a vast majority of companies don’t realize they are breached until someone else tells them, full stop. The new Verizon DBIR says 92% of incidents were discovered by a third party. That data point has nothing to do with China or the Chinese.

I have commented before on errors from those with an anti-Sino fixation. It is not clear to me why the Wall Street Journal is so eager to follow their fixation without question.

Breach data, referenced above, shows that the Chinese are not the most likely source of attack. That is not to mention that when I read Bejtlich’s latest opinions I ponder how the person who names his book The Tao of Network Security Monitoring, his company Tao Security, and his Twitter handle @taosecurity (using the yin-yang symbol as his company logo) has become the person trying to convince us that the Chinese are stealing ideas from America.

I’m not saying the U.S. should not accuse the Chinese of copying ideas, since obviously attacks can come from anywhere and a Bernie Madoff could be born in any country; but those in the U.S. who worry about transfer of knowledge should be careful to put their accusations in perspective. Noodles, gunpowder…so many things popularised as American are obviously not from America. The issue of “who” is complicated but focusing on outsiders may be a distraction from more likely threats. We should be careful before we de-emphasise or fail to account for the risk from insiders.

The answer to my first question about the WSJ title, I would argue, is that the U.S. is actually outgunned by the U.S. This includes outsiders granted insider access. It also includes threats from trusted insiders — those supposed to be protecting other insiders.

The second technique I recommend when reading these scare stories is to seek details on the vulnerabilities. Once we identify who is involved we also need some idea of their capability to cause actual damage. Ironically, I can’t think of a better example than China to illustrate this point.

News has been flaring up that there has been a crackdown in China on expression. The Chinese are upset about the Chinese and are restricting speech they consider harmful.

Authorities also closed 16 websites and detained six people, Xinhua reported, for allegedly spreading rumors of “military vehicles entering Beijing and something wrong going on in Beijing,” a spokesperson for the State Internet Information Office told Xinhua.

This is a case where an authority sees a threat so great that they take action to reduce risk. As Americans we most likely disagree with the Chinese government’s assessment of vulnerability. We live in a country where freedom of speech is said to make us stronger (still with some exceptions).

However, if you look past the question of who is the threat and on to the question of capability then the Wall Street Journal story really comes down to the FBI calling for more “guns” to fight a “Hacker War” so they can increase their capabilities, perhaps to the level that the Chinese are demonstrating with their latest crackdown.

Americans reading the Wall Street Journal story might be distracted by the Chinese tangent and think this is an us versus them war. But the reader is wise to think much more carefully about whether and when they trust an increase of power in authority to crack down on threats that may actually be on the inside.

Alas, we’re now back to the question of what they mean by “Hacker War”. If we try to define war without any notion of internal threats then it becomes more of a discussion of whether and where the U.S. is working on ways to undermine or bypass sovereignty again. But it should hopefully be clear now that the threat is not just external.

Perhaps the best way to look at this is with regard to healthcare risk news. If the Wall Street Journal ran a story on the latest data on eating well they probably would have titled it “U.S. Outgunned in Sugar War.” So the question becomes why are we allowing ourselves to do so much damage to ourselves? Or maybe the question, in terms of Bruce Schneier’s new book, is how much damage is acceptable before we are willing to give more firepower to authorities if we know how much it can reduce our freedom?

Big Data Integrity

At the Structure:Data presentation last week Dave Aspery and I discussed some of the common and new integrity issues with big data. One of them was the issue of data tampering and pollution related to marketing campaigns and product placement.

Dave’s diaper example was classic. I apologize again to the audience for saying it sounded like a messy clean-up. It would be more fair to say that the damage really depends.

Soon after leaving the presentation I saw this, which nicely illustrates what we were talking about.

Harvard Study: Bacon Kills

A new study says people who eat red meat have a far higher risk of premature death. The study reviewed more than 100,000 cases over 20 years, which really is just a tiny amount of data. Nonetheless, here’s the news from the LA Times:

…adding an extra daily serving of processed red meat, such as a hot dog or two slices of bacon, was linked to a 20% higher risk of death during the study.

You might be thinking the researchers are nuts, and you might be right.

Eating a serving of nuts instead of beef or pork was associated with a 19% lower risk of dying during the study.

Not much is said in the article about researcher bias or data integrity issues. This is their best effort at a disclaimer:

…there can be a lot of error in the way diet information is recorded in food frequency questionnaires, which ask subjects to remember past meals in sometimes grueling detail.

But Pan said the bottom line was that there was no amount of red meat that’s good for you.

With that out of the way the reporter then highlights the cost savings from reducing risk.

…a plant-based diet could help cut annual healthcare costs from chronic diseases in the U.S., which exceed $1 trillion. Shrinking the livestock industry could also reduce greenhouse gas emissions and halt the destruction of forests to create pastures, [UC San Francisco researcher and vegetarian diet advocate Dr. Dean Ornish] wrote.

No word yet on whether eating less bacon could have a far greater impact on healthcare costs than patching Windows faster.

Breaking the Law with Corn Syrup: 1910 Edition

A tip from one of my readers has uncovered a fascinating report from 1910 in the Journal of the American Medical Association:

One of the first breaches made in the defenses raised in the interest of the public by the passage of the national Food and Drugs Act, was that secured by the manufacturers of glucose. While the pure food law demands that the label shall tell the truth, the makers of glucose protested that they should be permitted to call their product by the more euphemistic term “corn syrup.” Permission to do this was granted, though the reason for such a liberal interpretation of the law in favor of the manufacturer and so evidently against the interests of the consumer, is not known.

Fortunately for the consumer, however, some of the states are not so accommodating to special interests. The state of Wisconsin, for instance, has a pure food law which requires that the label shall contain the naked truth rather than the skilfully adorned euphemism.

Speaking of compliance and consumer interests, today I presented an abridged history of meat packing plants and the Food and Drugs Act to one of the largest cloud providers. Now I am contemplating turning it into a full-blown presentation. Not sure if anyone else sees the connection, though, between VLANs and ground beef.

An ABC News investigation has found that 70 percent of ground beef sold in the U.S. contains “pink slime,” a meat filler that was once used only in cooking oil and dog food.

Yuck. And no, VLANs will never be sufficient on their own.

Speaking of history, in 1910 Wisconsin was influenced heavily by German political thought. It not only passed a pure food law but also elected the first Socialist mayor of any major US city, Emil Seidel. Called a “sewer socialist” for a preoccupation with keeping the city clean, he used regulations to close down brothels and casinos while creating parks, public works and a fire and police commission.

He left office after just two years when the Democrats and Republicans combined their votes into a single candidate and campaign effort. Milwaukee’s infrastructure improvements lived on but the moderate socialists and a pure food law that banned corn syrup are just a distant memory.