Category Archives: History

Sudanese Freedom Rap and Guns of Brixton

Zoul4Revolution posted an interesting video of Sudanese protest music on YouTube:

But it was a comment on a Clash song from the same account that really caught my attention:

i’m from Sudan, we’re uprising against the fascist government of NCP, i’ve always sided with the peaceful uprising, been arrested and tortured many times, everytime I play [Guns of Brixton] I think about picking up a gun to join the armed revolution side

That led me to a quick search and the discovery of a nine video set that captures Guns of Brixton covers in numerous styles from around the world.

1) Hardcore

  • Analena
  • Dropkick Murphy’s
  • rtz global

2) Acoustic

  • calexico
  • Arcade Fire
  • Déportivo

3) Chillout

  • nouvelle vague
  • pre-school

4) Dub

  • Santogold – Guns of Brooklyn
  • radici del cemento & Fermin Muguruza

5) Polish

  • Analogs – Strzelby z Brixton
  • Alians – Bomby domowej roboty

6) Punk

  • Unwritten Law
  • The Blaggers Ita
  • Evilsons

7) Spanish

  • la furia – Armas de barrio
  • mundo livre sa

8) Rockabilly

  • Honeydippers
  • Rancho Deluxe

9) Ska

  • los fabulosos cadillacs
  • Inner Terrestrials
  • Union Jack

And of course there are many, many more cover versions…not least of all is a hit British song that borrowed only the bass line:

But after all that, I have yet to hear a Sudanese version.

Naming names, BOF and the Chinese APT

One of the great legacies of Roman Emperor Justinian the Great (527 to 565) was a uniform revision of law. It has remained the basis of civil law in many parts of the world. In his Byzantine IUSTINIANI DIGESTA of the year 533, for example, it was written:


Paulus libro 69 ad edictum

Ei incumbit probatio qui dicit, non qui negat.

My Latin is a little rusty. Yet I am fairly certain that translates to a man named Paulus (Julius Paulus Prudentissimus, the most quoted Roman jurist in the Digest) saying the following:

Burden of proof (incumbit probatio) is on he who asserts (qui dicit), not on he who denies (qui negat)

Naming names

That old rule of law was the first thing that came to mind when I read the screeching opinion from CSO Publisher Bob Bragdon on “Naming names in APT

Let’s call a spade a spade: China is the greatest threat to international cyber­security on the planet.

I’m tired of pussyfooting around this issue the way that I, and many others in security, industry and government have been for years. We talk about the “threat from Asia,” the attacks perpetrated by “a certain eastern country with a red flag,” network snooping by our “friends across the Pacific.” I swear, this is like reading a Harry Potter book with my daughter. “He-Who-Must-Not-Be-Named” just attacked our networks.

Let me be absolutely, crystal clear here. In this scenario, China is Voldemort. Clear enough?

Crystal clear? Spade a spade? China is Voldemort? This article must be tongue-in-cheek because it is so obviously self-contradictory it can’t possibly be serious.

The author then offers us an example from a report by NPR. It names China as one of two great threats to business information in the U.S.:

The report is explicit: “Chinese actors are the world’s most active and persistent perpetrators of economic espionage,” it concluded, while “Russia’s intelligence services are conducting a range of activities to collect economic information and technology from U.S. targets.”

The author’s example in the article thus contradicts his complaint about naming names. The fact is China has been explicitly named in security reports for a long time, as I have written about before. Here is what I found in just a few seconds of searching:

So naming names is hardly a problem for “many others in security, industry and government” and should be set aside. China is obviously getting named both officially, unofficially and even when there is only suspicion.

Burden of proof

What if we accept the author’s argument, setting aside the naming names complaint, that “China is Voldemort”? Now we face a problem of proof.

I’m not talking about proof that China meets the Dictionary definition of Voldemort. I mean why doesn’t the author drop in a couple examples to show that China, even under any other name, is the “greatest threat to international cybersecurity on the planet”. Incidentally, I have to wonder what is the greatest threat off the planet but I’ll leave that alone for now.

Let’s look again at the one example provided.

The report is explicit: “Chinese actors are the world’s most active and persistent perpetrators of economic espionage,” it concluded, while “Russia’s intelligence services are conducting a range of activities to collect economic information and technology from U.S. targets.”

This report fails to say that China is the greatest threat to international cybersecurity. Is China a threat to U.S. economic interests? Obviously, as mentioned in CSO before in an article on “Byzantine Hades” (coincidental name, no?). There are many, many examples. One of the economic and social conflict areas between China and the U.S. most interesting to me is the Sudan, as I have written about before. Does anyone think it is a coincidence that the successful American effort to split a country in Africa into separate nations with a clear border was led by a U.S. General?

I see border dispute, tension, and conflict as a very tangible and long-standing indicator of threat. Take as another example the 2009 prediction in the Indian Defense Review.

China will launch an attack on India before 2012.

There are multiple reasons for a desperate Beijing to teach India the final lesson, thereby ensuring Chinese supremacy in Asia in this century. The recession that shut the Chinese exports shop is creating an unprecedented internal social unrest. In turn, the vice-like grip of the communists over the society stands severely threatened.

The arguments made were interesting because they actually went so far as to try and prove the foundation of Chinese aggression and thereby predict an escalation. Even more interesting was the response and attempt to disprove the arguments for aggression, as illustrated by an article in ChinaStakes.

Mr Verma’s reasoning rests on a lack of documentation. Looking into the past 60 years, China has no record of launching a war to divert public attention from anything. Moreover, while Mr. Verma supposes the Chinese Communist Party has no cards to play other than “invading India,” the Party, widely experienced in dealing with domestic disputes, will hardly in only three years have run out of all options facing potential social instability. Moreover, even if Chinese leaders considered such an option, they would certainly be aware that an external war would severely jeopardize domestic affairs.

After review of those two sides of the argument I neither believe that China will invade India before 2012 (easy to say now) nor that a lack of a record launching attacks prevents China from changing policy and taking a more aggressive stance. And while I discount both I find myself reviewing the arguments and contemplating a third option.

What if 60 years of American past is what China is actively studying to weigh strategic options? What if they are drawing lessons from the American long-range missile pre-emptive strike doctrine as well as the deterrence doctrine? I have no doubts that there are hawks in the Chinese government studying a history of similarly hawkish plans abroad and trying to find a best-fit for their own country. Whether they can achieve a fit or even emulate/fake one is another story.

Now I’m off talking about awesomely scary missile and invasion conspiracy theories. How did I get here? Oh, right, the Chinese get blamed in name. At least in border disputes, strike plans and missile-tests, there is an effort to provide evidence by authors to prove their point. Before I get too far into reality, let’s pull back to the the CSO article.

The author offers the reader nothing even remotely resembling an argument and thus ends up just name-calling in an article against name-calling. Greatest threat to cybersecurity on the planet? Let’s see some evidence or at least an argument to back that up. I’m not asking for predictions, just something Paulus might have approved — something that we can actually argue for or against.

Quoted in Inc.

A writer for IncInc. has quoted me in an article called “New Ways to Keep Hackers Out of Your Business

While you might think of encryption as something we’ve been using only since the advent of computers, it’s really a rather old practice. “Encryption is based upon a secret,” says Davi Ottenheimer, expert on the Focus network and founder of San Francisco-based security consulting firm flyingpenguin, who likes to cite Julius Caesar and Thomas Jefferson as examples of historical figures who have hidden things by using cryptography.

Caesar used a substitution cipher to communicate with his generals that involved replacing the letters in a message with a shifted alphabet. For instance, a shift of three would make all the As in message Ds; Bs would become Es, and so forth.

Jefferson used a type of wheel cipher during the Revolutionary War that involved 36 disks stacked on an axle, each with a different version of a scrambled alphabet on the outer edge. When both the sender and receiver had the numbered disks in the same order and rotated them in the right way, an understandable message would appear.

“People have historically improved encryption during times of conflict or war,” Ottenheimer says. “It’s all about secrecy, really, confidentiality. It doesn’t require super-sophisticated technology as much as it requires people being fairly intelligent about how they can keep a secret.”

BayThreat 2011: Sharpening the Axe

I will be presenting “Sharpening the Axe – How to Chop Down a Cloud” at BayThreat 2011

…the 2nd annual information security conference in the South Bay at The Hacker Dojo, December 9th, 10th & 11th.

My title is in reference to President Abraham Lincoln who was said to have once quipped:

If I had eight hours to chop down a tree, I’d spend six hours sharpening my axe.

The runner-up quote from Lincoln was

If this is coffee, please bring me some tea; but if this is tea, please bring me some coffee

…but I couldn’t figure out how to make it into a full presentation, let alone a title. Perhaps “if this is cloud, please bring me on-premise; but if this is on-premise, please bring me cloud”?

The axe title works fine, though, and also is in reference to Theseus’ paradox, sometimes known as the Ship of Theseus or my grandfather’s axe, which seems appropriate given this year’s badge.

At BayThreat this year, we’re giving attendees circuit board badges. These badges are plain boards to start, but on Sunday we will have a soldering workshop where everyone can work on their badges. We will have kits available for the badge.

The presentation is based on some of the material you will find in my new book soon to be published by Wiley on security in virtual environments. Hope to see you there.


Facebook FAIL: ID mixup leads to lawsuit

An established German company named Merck in the 1880s sent one of its chemists to New York to import drugs to the American market and capitalize on the fast-growing economy. Things went so well that just ten years later they began to look for ways to avoid high import tariffs and manufacture drugs in America; by 1900 they expanded operations into the remote and open space of New Jersey.

The company then was caught up in the divisiveness of WWI. German companies on U.S. soil, including Merck, were confiscated and auctioned to American owners. German Merck became a completely separate and distinct entity from Merck operations in America due to the terms of reconciliation and the Treaty of Versailles in 1918. After the forced split the American company eventually grew to be much larger than the German Merck.

Fastforward to today’s news. Facebook staff made the extremely awkward, if not completely ignorant, decision to hand the American Merck control over a page setup by the German Merck.

Facebook Inc said on Monday that it made a mistake in letting Merck & Co take over a page on the social networking website from its German rival Merck KGaA.

The takeover prompted an unusual November 21 filing by Merck KGaA with a New York state court.

In it, Merck KGaA sought to force Facebook to explain how it lost the page,, and the ability to administer it to Merck & Co, a separate company.


“The transfer of the vanity URL from Merck KGaA to Merck & Co was due to an administrative error,” Facebook said in a statement. “We apologize for any inconvenience this may have caused.”

This issue of impersonation is one of the most difficult problems in identity management, to be fair. How many John Smiths are there on Facebook and what can Facebook really depend upon to distinguish them as unique users? I mean which Budweiser brewer is the real one?

More to the point, how can a provider tell husband access from wife, or parent from child? The courts are usually the best answer. If a divorce court rules that a wife gets the shared Facebook account, then Facebook will have some justification to act.

This case is odd because Facebook apparently made a decision without authority to favor the American company over the German one.

Users need assurance that a company like Facebook, entrusted with sensitive data, can handle this kind of situation without making an historic blunder. Merck is lucky to have the legal team and resources to file a formal complaint but it begs the question how many similar mistakes are being made at a lower profile. It also begs whether Facebook staff do even the most basic review or follow a transparent and monitored process before taking action.