Lewis Thumbs Cyber Nose at Chinese

Reuters gives us a story that says America is losing the “cyberspy vs. cyberspy” competition to China. They provide some amusing evidence to show how the scores are being tallied:

In mid-2009, representatives of the China Institutes for Contemporary International Relations, a nominally-independent research group affiliated with China’s Ministry of State Security, contacted James A. Lewis, a former U.S. diplomat now with the Center for Strategic and International Studies.

Lewis said that in his first meeting with his Chinese counterparts, a representative of the China Institutes asked: “Why does the Western press always blame China (for cyber-attacks)?” Lewis says he replied: “Because it’s true.”

Lewis followed-up with “na-na-na-na China sucks” and “we are rubber you are glue…”.

He does not even bother to go into the superficial international political analysis that I have warned of before.

Seriously, though, does a US Diplomat sound prepared, let alone diplomatic, in the above quote?

Call me biased but if you ask the Saudis why they say birds are working for Mossad I would expect some to say “because it’s true”.

I did not expect this from Lewis. The litmus test for evidence in the Bush Administration’s hunt for WMD comes to mind. America can surely show better leadership than this. Or maybe not…

Before Bush was fixated on “proving” WMD in Iraq, conservatives in the US government often had China on their mind. Lewis is likely calling them back from the terrorist distraction more than he is signaling any new development.

I remember a picnic in 2001 when a CIA official went on and on about China having their fingers in every market, every conflict. He warned that the US was not focusing itself enough on a fight with China. The best anecdote of what he meant could be the Bush and Cheney (both Dick and Lynne) reaction to the Hart-Rudman report of January 2001.

Lynne Cheney tried to insist that China was the top threat to America. She was leading the commission at the time. Others failed to agree with her and proposed things like terrorists as a greater threat. Instead of proving her case or demonstrating something believable, she just picked up her ball and quit the commission.

The commission had 14 members, split 7-7, Republican and Democrat, as is de rigueur for bodies of this type. Today Hart told me that in the first few meetings, commission members would go around the room and volunteer their ideas about the nation’s greatest vulnerabilities, most urgent needs, and so on.

At the first meeting, one Republican woman on the commission said that the overwhelming threat was from China. Sooner or later the U.S. would end up in a military showdown with the Chinese Communists. There was no avoiding it, and we would only make ourselves weaker by waiting. No one else spoke up in support.

The same thing happened at the second meeting — discussion from other commissioners about terrorism, nuclear proliferation, anarchy of failed states, etc, and then this one woman warning about the looming Chinese menace. And the third meeting too. Perhaps more.

Finally, in frustration, this woman left the commission.

“Her name was Lynne Cheney,” Hart said. “I am convinced that if it had not been for 9/11, we would be in a military showdown with China today.” Not because of what China was doing, threatening, or intending, he made clear, but because of the assumptions the Administration brought with it when taking office. (My impression is that Chinese leaders know this too, which is why there are relatively few complaints from China about the Iraq war. They know that it got the U.S. off China’s back!)

Today Lynne Cheney and her allies outside the commission might have to admit their mistake in dismissing it. Tom Donnelley at the Project for the New American Century gave the following perspective in 2000 on Cheney’s behavior and what he called the commission’s “bias”.

The first bad sign was the resignation of commissioner Lynne Cheney, former head of the National Endowment for the Humanities and wife of former defense secretary Dick Cheney, in a dispute over the panel’s first report. Cheney was unhappy with the suggestion that American power was bound to decline: “Emerging powers will increasingly constrain U.S. options regionally and limit its strategic influence. As a result, we will remain limited in our ability to impose our will. . . .”

It sounds fairly accurate to me. Keep in mind that at the time Donnelley was holding this up as an example of a mistake in planning — how America should focus itself on conflict with China instead of worrying about the threat of non-state and emerging state actors like al Qaeda.

Here is another example where Donnelley likewise blasts the commission for predicting what in fact has turned out to be true.

…a close reading of the Hart-Rudman strategy report shows that the commissioners’ bias is for stability over liberty. The report whines that “America must not exhaust itself by limitless commitments,” especially military ones, in regard to which “a finer calculus of benefits and burdens must govern.”

The key to why Bush fumbled this crucial piece of threat analysis is found in the phrase “the assumptions the Administration brought with it when taking office”. It would be so much easier if China were the only bad guys as Bush and the Cheney family had wanted to believe. A simple view is not always the correct view, unfortunately.

The revolutionary thinker Friedrich Nietzsche suggested in Also sprach Zarathustra: Ein Buch für Alle und Keinen (Thus Spoke Zarathustra) why some could insist on initiating a war (against something they brand as evil) in order to feel good about themselves. He pointed to Zarathustra (11th or 10th century BCE) as the first to see that all things related to one another through a struggle between good and evil. This bipolar view of threats in the world grew in popularity before being adopted by the later religions as they were revealed, such as Christianity.

Assumptions are once again being floated and we are being led to believe the Chinese are the only bad guys. I think it is fine to toss forward a few assumptions to get the discussion started, but if nothing can be provided to substantiate a point….

American diplomats and officials should be able to produce better analysis and explanations than “because it’s true” when discussing national security threats. Otherwise, they have no business complaining about the lack of critical thought in China.

Skype Vulnerability on Android

The Skype blog gives some good security advice for those using Android:

To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.

This is related to a recent Google take-down notice for the infamous 21 apps cited by the Android Police for malicious intent.

I just randomly stumbled into one of the apps, recognized it and noticed that the publisher wasn’t who it was supposed to be.

Super Guitar Solo for example is originally Guitar Solo Lite. I downloaded two of the apps and extracted the APKs; they both contain what seems to be the “rageagainstthecage” root exploit – the binary contains the string “CVE-2010-EASY Android local root exploit (C) 2010 by 743C”. Don’t know what the apps actually do, but can’t be good.
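As an added defender-side illustration (not code from the Android Police post or this article), a small Python check that walks an APK’s entries and looks for the marker string quoted above; the sample APK it scans is constructed inline, and the helper names are assumptions:

```python
import io
import zipfile

# Marker string quoted on the page from the repackaged apps' root-exploit binary.
KNOWN_MARKERS = [
    b"CVE-2010-EASY Android local root exploit (C) 2010 by 743C",
]


def scan_apk(apk_bytes, markers=KNOWN_MARKERS):
    """Return {entry_name: [decoded markers found]} for every file inside the
    APK (an ordinary zip archive) whose raw bytes contain a known marker.
    A plain substring search only catches unobfuscated binaries; a packed or
    encrypted payload would have to be unpacked before this check is useful."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            data = archive.read(info.filename)
            found = [m.decode() for m in markers if m in data]
            if found:
                hits[info.filename] = found
    return hits


def build_sample_apk(with_exploit):
    """Construct a minimal fake APK in memory (constructed sample data, not a
    real app and not a real exploit binary), optionally carrying the marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("AndroidManifest.xml",
                         b"<manifest package='com.example.guitar'/>")
        archive.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        if with_exploit:
            # Fake ELF header followed by the marker string quoted on the page.
            archive.writestr("assets/rageagainstthecage",
                             b"\x7fELF" + b"\x00" * 12 + KNOWN_MARKERS[0] + b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("repackaged", True), ("clean", False)):
        print(label, scan_apk(build_sample_apk(flag)))
```

The same loop can be pointed at a real APK by reading the file into `apk_bytes`; a hit names the archive entry worth pulling apart further.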

Although we can write this off as unique to Skype, and even Skype only on Android, the problem is actually much more broad. Communication systems are either attacked in real-time or after a session closes and leaves behind residue and logs. This case shows how residue can be exposed to other applications without explicit authorization.

More troubling is that attackers continue to show a predilection for using back doors on systems that do not practice effective monitoring, let alone back door compromise prevention. Given the huge number of weak backdoor paths I have found in “data center” environments recently, I might have to turn this into a full-blown presentation.

Data centers, in other words, should take care in selecting which doors to punch into their walls.

The Breach Bully Dilemma

A wise and weathered security executive many years ago told me a picnic is nice with people who have their head in the clouds but the group’s food is safer with at least one person who watches the ants.

CSO Online reminds me of this when they strike out in a recent post and condemn the tone and style of comments on Barracuda Networks. Apparently they don’t want anyone to mention the ants. They are critical of those who are critical (of Barracuda Networks).

to skin a vendor alive in the twittersphere because imperfections were exposed is something that doesn’t necessarily lead to a more secure product.
If anything, it’s like a group of misfits in the schoolyard beating up on another kid just because he’s even more awkward and ugly than they are. That’s a typical human failing: When we’re insecure about ourselves, we take comfort in someone else’s misfortune. We may be pathetic, but at least we’re not as bad as the next guy.

Although I am tempted to ask whether they are just defending one of their advertisers, I want to set motive aside entirely. Instead I wonder about consequences — whether a critical view of critics and the chill of negative opinion is good advice for a CSO tasked with risk management.

Some philosophical issues come to mind when I look at the CSO Online complaint.

First, they ask us to be aware that bad things happen to everyone, even those they hold up as industry leaders. This must be a variation of “if you don’t have anything nice to say, don’t say anything”, which itself is based on a gross and dangerous oversimplification to manipulate feelings. It usually fails a simple logic test.

Chairs are white, I am wearing white, and therefore I am a chair. Successful companies have been breached, Barracuda was breached, and therefore it should pat itself on the back as a successful company?

This is not about the feelings of school yard children, it is about discipline to protect data. Points of breach differentiation need to be held up, reviewed in detail and dissected to reduce the chance of oversimplification and repetition.

I suggest that a better consequence, one that could acknowledge some or all of the CSO Online stylistic concerns, would come from the command “if you don’t have anything nice to say, stick to the facts”. Even that is probably unnecessary. Barracuda is surely prepared and able to perform an investigation while easily defending its reputation (able to cooperate with investigators whether or not they consider them nice, or congratulatory).

Second, the “it could happen to anyone” sympathy card in response to a breach could undermine efforts in an industry that hopes to modify behavior. Shame is a form of regulation. Shaming a company for inadequate security is crude but arguably has the consequence of an informal method of compliance. Asking the industry to avoid communication that carries the message of shame has what consequence? What benefit does CSO Online see in resisting the human instinct to shame, to fail to make an example of a breached company?

John Locke, the famous philosopher, gives the following insights to shame in Some Thoughts Concerning Education.

Esteem and disgrace are, of all others, the most powerful incentives to the mind, when once it is brought to relish them. If you can once get into children a love of credit and an apprehension of shame and disgrace, you have put into them the true principle, which will constantly work and incline them to the right. (§56)

CSO Online gives us the analogy of a school yard bully to consider. They equate negative commentary and shame to bully behavior, although they give no examples of speech they consider bullying. Their analogy is so broad as to be unacceptable at face value (a call to silence all negative opinions). But, setting that aside, I will take a stab at why their analogy actually undermines their position.

Let’s say a kid in the school yard is vulnerable to pneumonia if exposed to rain. One day it starts pouring rain and the kid, who actually sells umbrellas and rain coats, catches pneumonia. The umbrella fails. The rain coat fails. Other kids make fun of this situation and therefore the kid feels shame. Should the kids who laugh and point be called bullies? Are they asserting domination or control, a typical element in the definition of bullying behavior? They may be practicing only a form of shame and disgrace, behavior that philosophers of ethics say will “constantly work and incline them to the right”.

CSO Online thus advocates an overly broad regulation of speech. While they give examples of friends of theirs who communicate how they like, they should know already that positive reinforcement is not the ideal model in regulation and compliance. If they want to define breach bullies, to point the finger at bad actors, they should provide a test to know whether and when we will offend the sensitive ears of CSO Online.

Professional sports, for example, provide rules to regulate bad behavior. Boxing does not allow a contender to be hit after a fall to the mat, hockey stops a fight when a skater is not standing, no hits are allowed after the whistle in football, and so forth. The rule tends to center around someone who is down and no longer able to defend, or is in a compromised state relative to their attacker.

Would CSO Online have us believe that Barracuda is so vulnerable now that commentary with even an unpleasant tone or style should be stopped? The security company seems not only capable of response on its own, but in a reasonable position to defend itself with a simple apology. If CSO Online wants to jump into the game and throw the red card for foul play they should focus their judgment and ire at the actual attackers and not upon heckling fans. If I were a player on the field and fans started booing my team after a loss, I would ask myself how to improve or avoid another loss rather than focus on silencing the rowdy but legal crowd. Stopping rowdy fan behavior is like trying to stop the rain.

Moreover, is it really necessary or desirable to regulate a security community discussion separately from any other industry? America has a legacy of free speech principles that apply here, and applying CSO Online’s vague rules of etiquette can have more negative consequences for risk management than positive ones.

Risk is measured in likelihood and severity of an attack. Thus, for me it is less about whether the tone of everyone in the peanut gallery is to my liking and more about a factual discussion – how and why did a security company miss one of the most common attacks (likelihood), and was the exposed customer information sensitive (severity)? Silencing those who talk about the ants at a picnic may make the organizers less annoyed but it does not make the food safer.