Twitter’s “Ghost of Kyiv” Campaign

Task & Purpose offers readers an analysis of a war campaign running on Twitter:

…with six air-to-air kills, the heroic pilot of a Ukrainian MiG-29 became the first air combat ace over European soil since World War II.

They call him ‘the Ghost of Kyiv’…real enough — for now.

The “real enough” morale-boosting aspect of this story reminds me of the larger-than-life ghost “King” Ned Ludd of the Luddites.

“It has been said that more British soldiers were fighting the Luddites than were fighting Napoleon on the Iberian Peninsula”

On a similar note, mythical planes are like the “Night Witches” of WWII. Nazis were so afraid of Soviet women dropping bombs on them, and unable to fight back, that they had to cook up a mythology instead of admitting reality.

Today’s Ghost pilot in the news also should be filed as a “deep fake” story, according to Newsweek.

…the Ukraine armed forces shared a video, claiming that it showed a Ukrainian MiG-29 taking down a Russian fighter jet in a dogfight. However, that clip was first uploaded onto video-sharing platform YouTube and was titled “GHOST OF KIEV KILL.” The uploader claimed in the clip’s description box that the footage was made using a digital combat simulator. “This footage is from DCS, but is nevertheless made out of respect for ‘The Ghost of Kiev.’ If he is real, may God be with him; if he is fake, I pray for more like ‘him,'” the user wrote.

That’s an almost exact repeat of the disinformation platform analysis presented in a blog post I wrote in 2018.

So, perhaps most importantly, the technical aspect of this story from Kyiv about a heroic pilot also reminds me of Twitter accounts recently embellishing the story of British Spitfire pilots who knocked down Nazi drones.

On the other hand it is VERY different from the “Ghost Camaro” of Bosnia, which seems to have suffered from a lot of puff and largess.

Colonial Pipeline PR Reacts to Post About Bob Jones

Already I have heard from a Colonial Pipeline PR firm in Washington DC about my blog post yesterday pondering an overt promotion of Bob Jones University in a press release supposedly about security.

I was told on the phone by Sara Sendek, Senior Director, Crisis Communications (and former Nevada communications director of the Republican National Committee, former press secretary of Ron Johnson), “you think someone is racist because they went to Bob Jones”.

This wasn’t a fair depiction of my thoughts, but it’s expected.

It’s like being told that I think something is vulnerable when I ask why it has Log4j in its manifest. What is the meaning of Log4j when you see it?

Seeing Log4j might not be proof today that someone is vulnerable, but the burden is upon those with Log4j to demonstrate they have closed gaps by being anti-vulnerability. Code is never completely free of vulnerabilities (e.g. it can be misleading to say something is not vulnerable), so we really just want to know whether someone is committed to fighting serious flaws, including in their own code.

Even more to the point, everyone treated Log4j differently before 2022 so any claims today from the past are colored by what we think now relative to safety.

I therefore actually think that someone has invited a burden of proof to demonstrate they are anti-racist when their Bob Jones degree from 2000 is being promoted by a PR firm; trying to get people to notice Bob Jones in a promotional piece invites integrity assessments.

Again, the question should never be whether someone is racist or not, but whether they are anti-racist, as Ijeoma Oluo wrote in 2019.

The beauty of anti-racism is that you don’t have to pretend to be free of racism to be an anti-racist. Anti-racism is the commitment to fight racism wherever you find it, including in yourself. And it’s the only way forward.

Bob Jones University very clearly existed as an attack on integrity since it was created by racists to perpetuate racism. Bob Jones took their case all the way to the Supreme Court arguing that claims of “faith” should allow them to avoid fixing their obvious racism (in other words invoking “God” as a loophole to avoid compliance with U.S. public safety laws).

The PR firm representative said she had hoped to explain to me how a PR statement works so that I wouldn’t react to the meaning of the words used in it, to which I replied that my blog post asks why the obvious racist meaning to Bob Jones didn’t block it from being included in a release.

When I was told by the PR firm that everyone has their academic background listed in an unmistakable “that’s the way we do things around here” tone, I asked whether they gave the CISO an option to not list Bob Jones.

Would she release vulnerable code to production just because that has been the way things were done before?

Did the CISO consent to having this specific information shared?

She refused to answer.

Colonial Pipeline Spills Details on First CISO

Update March 1: Colonial Pipeline PR Reacts


Let me begin by saying the first-ever chief information security officer (CISO) hire anywhere was a PR invention of Wall Street back in 1994.

This position was officially rolled out in a news campaign by Citicorp in order to offset panic when they disclosed their security breach.

From a computer terminal in his apartment in St. Petersburg, Russia, a Russian software engineer broke into a Citibank computer system in New York and with several accomplices stole more than $10 million by wiring it to accounts around the world, according to court documents and the U.S. attorney’s office. Citibank said all but $400,000 of the stolen funds have been recovered. Six hacking suspects have been arrested, including the engineer, Vladimir Levin, who is being held in Britain and is fighting extradition to the United States.

Citicorp sounded bullish talking about law enforcement and government actions. Yet they were far more subdued about technology and management changes made, phrasing it in papers like this.

…the bank has upgraded its security since discovering the intrusions in June, 1994.

The bank upgraded.

Behind closed doors, meanwhile, Citicorp customers were being invited to meet with a chief of security, someone who had been running JPMorgan security since 1985; and he was recruited without being told that they were going to drop the whole thing on his lap, along with a blank check.

You can imagine how easy it was for someone with a decade of experience and a blank check on his desk to give people future leaning statements about how he intends to fix anything and everything.

Thus in terms of history a CISO title is mostly a political act of creating a rug for things to be swept under, which runs tightly coupled to the marketing side of the business. In that sense it’s not unlike other C-level roles; however, it has the important distinction of being tied to externally established public policy (safety).

Remember that phrase.

Now fast forward to this week…a somewhat related announcement is that Colonial Pipeline hired their first ever CISO, nearly a year after disclosing a massive mishandling of security.

Allow me to rewind the Colonial breach just a little so that we can end on an interesting footnote about an important detail in their CISO announcement text.

Colonial, an awkward name for a power company to say the least, was founded 60 years ago in 1962 as a joint venture of nine oil companies (political extremist Koch Industries today holding the largest stake).

About four years ago Colonial received at least one scathing 90-page audit report for its rather typical American energy habit of running a “patchwork of poorly connected and secured systems”, as reported later by the Associated Press (AP).

We found glaring deficiencies and big problems. I mean an eighth-grader could have hacked into that system.

The AP also buried its lede in reporting that Colonial’s chief information officer (CIO) Marie Mouchet sat on the advisory board of the firm that Colonial hired to be an “independent” security auditor. Mouchet is non-technical, with a background that reads like decades of evading regulations.

Mouchet began her career with Southern Company in 1981 as an assistant analyst for the company’s rate and economic services division. She progressed through positions of increasing responsibility before being named supervisor of regulatory research in 1986. A year later, she became supervisor of market intelligence and was later named as manager of market intelligence in 1988. In 1990, Mouchet was named assistant to the vice president of public relations. She transferred to Southern Company’s Georgia Power subsidiary in 1992 to serve as a senior regulatory affairs representative.

Assistant to the VP of PR and lobbyist is who Colonial hired to be their CIO? And she was in charge of security too? Predictable disaster.

When asked about the conflict of interest with a CIO on the board of an outside firm auditing the information systems, the firm said it didn’t pay Mouchet to advise them. Talk about missing the point.

Hint. Hint. Corruption. Bias.

Unlike electrical utilities, the pipeline industry is not subject to mandatory cybersecurity standards…

Uh-oh. So the industry with no security standards or established public policy has this giant company that hires an anti-government lobbyist to be their CIO overseeing security?

We should also keep in mind that the risks here go far beyond information security and into a lack of basic standards of care about humanity.

Smallwood’s study was not a cybersecurity audit. It focused on ensuring smooth operations… He cited, for example, Colonial’s inability to locate a particular maintenance document. “You’re supposed to be able to find it within 15 minutes. It took them three weeks.” Locating such a document could be crucial in responding to an accident or keeping up-to-date pipeline inspection records to prevent leaks, Smallwood said. Colonial experienced one of the worst gasoline spills in U.S. history last August, contaminating a nature preserve north of Charlotte. After it was discovered by two teenagers, the spill’s severity was not immediately clear as Colonial’s initial reports indicated a far lower volume. North Carolina environmental regulators angrily called the company’s failure to promptly provide reliable data unacceptable.

Let’s be honest. One of the worst gasoline spills in U.S. history was discovered by some kids and completely mishandled by Colonial, a classic hacking story with a terrible ending.

…two teenagers riding their ATVs through the woods in Huntersville, North Carolina, noticed a strange liquid bubbling from the earth. They stopped to take a look. The pair, who soon informed their local fire department, had no clue of the scale of the disaster they were looking at. And thanks to the craftiness of Colonial Pipeline, the rest of the country wouldn’t, either. […] Instantaneously, it became one of the largest nontanker spills in modern American history. And even with the 1,600 pages of documentation, there was still a great deal of missing information. […] Colonial has been here before. The company also holds the record for largest gas spill in the neighboring state of South Carolina [in 1996] pleaded guilty to criminal negligence and coughed up over $50 million

So many important questions went unanswered.

Colonial initially estimated the spill at about 60,000 gallons, but that proved to be way off. In January, it raised that to about 1.2 million gallons. As of this week, Colonial has recovered 1.225 million gallons of gasoline. And there’s still more in the ground.

That was a truly serious breach in 2020 (one that nobody heard about, despite being a repeat of 1996), and in retrospect the environmental catastrophes offer very accurate and ominous foreshadowing in cyber security.

You may recall instead the far more public outcry in May of 2021, when Colonial tripped over their clown shoes into a basic ransomware attack.

It’s what allegedly prompted them to make a highly political decision to shut down 5,500 miles of pipeline (nearly half the fuel supply on the East Coast of the U.S.) and donate 75 Bitcoin ($4.5m) as ransom to the “DarkSide” Russian cartel.

That ransom payment was widely criticized not least of all because the decryption key it produced was too slow to be useful, especially relative to Colonial’s own restore process from its backups. This complete failure of common sense came after long-time advice from the FBI to never pay the ransom.

The FBI does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data.

Colonial would have been far better served giving $5m to the FBI to investigate Russians, instead of to the Russians. Except there are at least two problems with the logic of such a company helping the federal government to help protect Americans.

First, the ultra-right political organization Koch Industries is the majority holder in Colonial and paid nearly $100K to Devin Nunes to undermine FBI investigations into Russian crimes.

[Nunes argued] the FBI’s process was not a good-faith attempt to investigate Russian influence; rather, the memo says, it was a politically motivated operation to spy on someone affiliated with the [Koch funded] campaign.

Seems unlikely that those running Colonial were going to be cooperating with the U.S. government when their wealth comes largely from fighting with the U.S. government.

Second, Koch is the name derived from Fred Koch who made his fortunes in the Soviet Union building oil refineries for Stalin (1929 to 1931) and then in Nazi Germany for Hitler. This family has consistently aligned with both foreign and domestic anti-American hate groups.

You know what else looks bad? Financing the publication of Holocaust denial literature over the course of several decades. Which is exactly what Charles Koch did between the 1960s and the 1980s. […] Fred hired a dogmatic Third Reich sympathizer to nanny his sons at home [who today run Koch Industries]. […] In 1977, Charles Koch founded the libertarian Cato Institute think tank, and brought in his brother David Koch as a shareholder. […] Barnes, who called Jews “swindlers of the crematoria” who “derive billions of marks from non-existent, mythical and imaginary cadavers,” had died back in 1968. But the Cato Institute resurrected his work and published it again anyway.

Speaking of resurrecting work, their father Fred Koch returned to Russia in 1956 to continue his business ties there, while becoming a founding member of the notorious American hate group known as the John Birch Society.

The main thesis of Birchers tends to be they fear government is going to steal a god-given privilege from white men, while claiming they don’t believe in the very things that they say they are losing. It’s really fascism, a modern variation of the more latent “let white men rule” KKK platform of the 1868 Presidential campaign.

And speaking of notorious hate groups, I couldn’t help but notice this line promoted by Colonial in their otherwise fluffy CISO announcement:

[Colonial’s new CISO] Tice earned a Bachelor of Science degree in Information Systems Management in 2000 from Bob Jones University in Greenville, South Carolina.

Graduating in 2000 from Bob Jones “garbage” University is not something to be proud of or mention in public… unless maybe you’re trying to impress Koch Industries or their Cato Institute?

President Bob Jones III said Wednesday [March 2000] he wanted to show that nothing had changed about his views on Catholicism [by calling it a cult]… “Unfortunately they still treat Catholic bashing as an intramural sport,” Patrick Scully, spokesman for the New York-based Catholic League for Religious and Civil Rights, said Wednesday. Scully says Jones “has an absolute right to teach this type of garbage, but we have the right to shine the light of truth on it.”

I’ll say it again, graduating in 2000 from Bob Jones “garbage” University is not something to be proud of especially when talking about safety and security.

There was a tradition in the hate-filled Jones family, apparently similar to the Koch family, that became the fundamental ethos of their education system.

Jones was not only a purveyor of fine painting but also of the hoariest anti-Catholic tropes, calling the church of Rome “a satanic counterfeit,” for example, and “drunk with the blood of the saints.”

Bob Jones University thus is perhaps best known for overt acts of hate, such as the fact that exactly zero black students were admitted to this “deep South” school between 1926 and 1971… by design!

…the 76-year-old Jones—who was born five years after the completion of Reconstruction and who was the son of a Confederate soldier—took to the airwaves on Easter Sunday [in 1960] to make his case from Scripture about why [Civil Rights for Black Americans] was not something to be welcomed and celebrated but rather to be rejected and condemned. After the address aired, Jones had the talk transcribed and printed as a booklet, which became the school’s primary statement on race and integration throughout the 1960s and 1970s, and into the 1980s.

Why were Blacks finally admitted in 1971? The school’s founder had died three years earlier.

Even then, the school strictly prohibited Blacks socializing with whites, actually requiring all Black students to be married to a Black person before they could “mix” with whites.

The racist school fought hard to continue promoting hate, attempting to falsely litigate that integrity failures should be protected under the Constitution (Bob Jones University v. United States (461 U.S. 574)[1983]).

Chief Justice Warren E. Burger, writing for the eight-justice majority, found that … the government’s purpose of eliminating discrimination in education was so fundamental to public policy that it overrode Bob Jones University’s religious convictions.

Such hate-driven litigation to promote racism ended with the Supreme Court declaring Bob Jones University a place of worship that is “contrary to established public policy” and thus technically the opposite of “charitable”.

One more time, graduating in 2000 from Bob Jones “garbage” University is not something to be proud of especially when talking about safety and security.

Only in 2008 (!) did Bob Jones University weaken its hate, by claiming their racism was due to them being “victims” of the American culture of racism that they fostered.

I swear I am not making any of this up.

For almost two centuries American Christianity, including BJU in its early stages, was characterized by the segregationist ethos of American culture. Consequently, for far too long, we allowed institutional policies regarding race to be shaped more directly by that ethos than by the principles and precepts of the Scriptures. We conformed to the culture…

These wealthy white men claiming to be “victims” of racism had used their huge endowments and giant legal teams to fight bitterly all the way to the Supreme Court to preserve and expand racism.

To be fair, they did also then finally confess to the system of education at Bob Jones University lacking integrity, being intentionally hurtful.

…failed to accurately represent the Lord and to fulfill the commandment to love others as ourselves…we allowed institutional policies to remain in place that were racially hurtful.

And this is exactly how America remains extremely racist, despite believing that it is not racist.

Psychologists refer to this kind of broad bias in perception as “motivated cognition” — that is, most Americans want to live in a society that is more racially equal, and so they engage in mental actions that ignore, discount or downplay contradictory evidence to maintain coherence between belief and reality.

I am imagining Colonial to someday soon announce that they allowed institutional policies to remain in place that were hurtful, because they were victims of an American culture of weak security practices (one that they fought hard to promote).

Colonial believed it was operating safely, despite copious evidence allegedly proving the opposite. It seems like they even hired people to compromise or otherwise taint external reports and block regulation rather than make significant changes to documented unsafe practices.

See now why it seems weird as a PR exercise to announce a CISO has been appointed with a degree from a school dedicated to increasing harm by operating “contrary to established public policy”?

Why did Colonial take so many years to hire someone technically qualified and capable in security? Were the Koch brothers holding the line, insisting on someone who would reject basic concepts of public safety let alone justice?

And then why list Bob Jones on any announcement related to leadership or integrity? That just doesn’t make sense. Had Colonial not mentioned it, this blog post probably never would have been written to ponder why a CISO is being promoted as a Bob Jones believer.

And thus it all begs the question of whether this CISO is someone who can take to heart the poorly-worded mea culpa of his school in an attempt to change, in some way using a blank check in order to stop Colonial from being intentionally hurtful in the ways he was taught (no longer transferring large cash donations to fascists, even those in Russia).

“Military Telegraph During the Civil War: The Federal and Confederate Cipher System”

William Plum published a book in 1882 called “The Military Telegraph During the Civil War in the United States: an Exposition of Ancient and Modern Means of Communication, and of the Federal and Confederate Cipher System”.

Inside you will find gems of history such as page 185: the time when a U.S. Army operator let a cipher key fall out of his pocket as he took a drink at a spring.

The story actually ends with “…the key was returned to the operator by a member of Howard’s staff, who found it at the spring.”

The Union had developed a basic cipher to protect its signals and believed the Confederates never broke it.

By comparison, the bumbling Confederates used the same key for all high-level communication.

A whole series of messages had been deciphered by using the names of Confederate generals as key words!

In other words (pun intended), it was three bored teenagers hanging around the Union HQ during the Civil War who easily defeated Confederate cryptography.
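Why guessable key words combined with key reuse were fatal, shown as an added example that is not from Plum's book or the original post. It assumes a Vigenère cipher with word divisions left in clear; the list of general surnames, the vocabulary and the messages are constructed for illustration.

```python
import string

ALPHABET = string.ascii_uppercase

def vigenere(text, key, decrypt=False):
    """Vigenere-shift letters by the repeating key; other characters pass
    through unchanged and do not consume key letters."""
    sign = -1 if decrypt else 1
    out, used = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            shift = ALPHABET.index(key[used % len(key)])
            out.append(ALPHABET[(ALPHABET.index(ch) + sign * shift) % 26])
            used += 1
        else:
            out.append(ch)
    return "".join(out)

# Constructed guess list: surnames of Confederate generals.
GENERALS = ["LEE", "JACKSON", "LONGSTREET", "BEAUREGARD", "JOHNSTON",
            "POLK", "HOOD", "BRAGG"]

# Small constructed vocabulary used only to recognise readable English.
VOCAB = {"THE", "AND", "TO", "OF", "AT", "ON", "SEND", "ONCE", "ENEMY",
         "WILL", "RIVER", "LEFT", "HOLD", "YOUR", "UNTIL"}

def readability(text):
    """Fraction of space-separated words found in VOCAB."""
    words = text.split()
    return sum(w in VOCAB for w in words) / len(words) if words else 0.0

def guess_key(ciphertext, candidates=GENERALS, threshold=0.5):
    """Try each candidate key word; return (key, plaintext) for the most
    readable result, or (None, None) if nothing looks like English."""
    best = max(candidates,
               key=lambda k: readability(vigenere(ciphertext, k, True)))
    plain = vigenere(ciphertext, best, decrypt=True)
    return (best, plain) if readability(plain) >= threshold else (None, None)

def read_all(ciphertexts, candidates=GENERALS):
    """Key reuse: the first message that yields to a guess exposes the rest."""
    for ct in ciphertexts:
        key, _ = guess_key(ct, candidates)
        if key:
            return key, [vigenere(c, key, decrypt=True) for c in ciphertexts]
    return None, []

# Constructed sample traffic, all enciphered under one key word.
MESSAGES = ["SEND REINFORCEMENTS AT ONCE TO THE LEFT",
            "THE ENEMY WILL CROSS THE RIVER AT DAWN",
            "HOLD YOUR POSITION UNTIL RELIEVED"]
TRAFFIC = [vigenere(m, "LONGSTREET") for m in MESSAGES]

if __name__ == "__main__":
    key, plains = read_all(TRAFFIC)
    print("key word:", key)
    for p in plains:
        print(" ", p)
    # A key that is not a guessable word resists this particular guess list
    # (a short repeating key still falls to Kasiski/frequency analysis).
    print(guess_key(vigenere(MESSAGES[0], "QXZJKVWPHM")))
```

Eight guesses are enough to read every message here, which is the practical cost of drawing keys from a small, predictable set and never rotating them.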

In addition to poor implementation, Confederate design wasn’t good either. The messy transmission on telegraph wires resulted in them weakening ciphers instead of developing integrity checks.

Spending 12 hours to reconstruct a message calling for immediate reinforcements is peak integrity failure, followed by a confidentiality disaster of weakening the cipher. Bad decisions all the way down.

To be fair Confederates allegedly did not cipher much.

But clearly they still encoded things like an 1864 request to take Bishop Polk’s corpse from the top of Pine Mountain where Sherman swiftly and easily killed the traitor.

See also my 2011 post called “Civil War Vignere Cipher Code Decrypted”.