Can Facebook Be Made Safe After Stamos?

The hits keep coming against Facebook’s CSO, as details of his breaches expand dramatically. Here’s the screenshot forwarded to me by a concerned reader:

Apparently two weeks passed with fiddles playing while the vulnerability languished. This hints at an organization awash in staff and money unable to execute on safety. One could say it is the legacy of one man, Alex Stamos.

I’ve written about this quite a bit and maybe here I should add that this really is about managing security mindset at the top of the pyramid.

Mark Zuckerberg built not just a business, but a company culture with the fervor of a messianic sect

When the messiah doesn’t make customer privacy a priority, a CSO is collecting paychecks and getting rich while people suffer. It is like being a doctor for a cult leader who runs a hospital and doesn’t believe in soap, so you sit there watching germs spread among those you provide “care”, killing women who give birth.

That seems worse than just being bad at the job, because it implies knowing things aren’t getting any better yet staying on claiming things are fine, just fine.

So what comes next? Show me a cult leader who was able to recognize an external authority, and we might have clues to the answer.

Many people may have speculated that the CEO of Facebook was traveling around meeting people in order to run for some political office. This overlooks the fact that he has no interest in quaint concepts of democracy or election. Do you see anything democratic in a Facebook management organization when black hires sit at zero percent?

Zuckerberg profits from a cult-like obsession with knowing everything about his followers in order to get their likes. He apparently sees little or no value in protecting his followers from harm. In reality he has been researching how his confession-like service would be modified to increase his control over users:

Christian publications interpreted Zuckerberg’s remarks in different ways; some said he was suggesting the social network should draw inspiration from the church, while others fretted he was envisioning a future where Facebook replaces the church. […]

“As I’ve traveled around and learned about different places, one theme is clear: Every great community has great leaders,” he said.

“Think about it. A church doesn’t just come together. It has a pastor who cares for the well-being of their congregation, makes sure they have food and shelter.”

Food and shelter. Is there a pastor who cares for privacy?

And so it came to pass that in every town where the CEO of Facebook visited, he went inside their religious centers looking for ways to convert followers of others to his own sect.

These are not the actions of a man who is thinking about things like granting privacy to people. Safety of his flock in terms of privacy remains an open question, but at least the ruse of security was forced out by regulators.

Transit Management Leaders: Copenhagen Bans Cars; Sweden Halves Pedestrian Deaths

Copenhagen is estimating a $1-2 million gain every day — that’s right, EVERY DAY — when people in the city ride bicycles instead of driving cars. Since the biggest friction to cycling is the fact that cars kill those around them either immediately (crash) or slowly and painfully (disease), a great deal of money and time is being spent by the Danes to isolate cars and reduce societal harms.

In other words, restricting the violence of cars enables Copenhagen’s population to flourish in multiple ways:

The city’s investment in impressive cycling infrastructure is paying off in multiple ways. For not only are there many health benefits to getting more people to use bikes, there are some serious economic gains too. Cycling is a great, low-impact form of exercise which can build muscle, bone density, and increase cardiovascular fitness. Figures from the finance minister suggest that every time someone rides 1 km on their bike in Copenhagen, the city experiences an economic gain of 4.80 krone, or about 75 US cents. If that ride replaces an equivalent car journey, the gain rises to 10.09 krone per km, or around $1.55. And with 1.4 million km cycled every day, that’s a potential benefit to the city of between $1.05m and $2.17m, daily.

That’s the World Economic Forum reporting these numbers, and perhaps even more impressive is the risk management graph they offer readers. Apparently Copenhagen has invested an average of $10m each year over 13 years in cycling infrastructure, which is now believed to return benefits of $300-600m each year. Here is what the investment return looks like in terms of safety and ridership:

As distance ridden on bicycles goes up, health risks go down significantly across the population. That is just health risk related directly to cycling, as there will be additional health risk reductions in terms of physical and mental fitness. The World Economic Forum turns to UK data on this point:

…a single ‘cycling city’ worth £377 million to the National Health Service in healthcare cost savings

I wrote the other day about cities around the world that are banning cars altogether from their city centers, some on an accelerated 5-year timeline such as Oslo and Madrid.

Given all the data above, it should come as no surprise Copenhagen is considering the same road forward and banning cars entirely from some neighborhoods.

Don’t worry Americans, we also have a few car-free neighborhoods, believe it or not. My favorite part of a study of where to live in America without danger from cars is the disclaimer at the beginning of the list:

New York City is not included in this listing. If it was, neighborhoods from that city would dominate the entire list. In fact, you could place the whole of Manhattan on this list as only 5% of residents use a car for their daily trips

With the most-successful city out of the running, the list then goes on to recommend being in the Tenderloin of SF. The author clearly hasn’t tried riding down the infamous Golden Gate corridor of the Tenderloin, where cars routinely park or drive in the bike lanes.

Why anyone would eliminate the best option in America and then recommend living in a filthy run-down neighborhood with awful bike and pedestrian access options…is beyond this blog post. But it definitely shows American analysts often don’t understand this transit topic.

First, they don’t factor for overall health improvements as a function of car-less urban spaces. They just draw a circle around transit stations and measure nothing else. That isn’t how this works.

Second, based on the radius of the circle they think like car drivers and assume you are better off living directly above a subway as if it’s a straight substitute for having a car in your garage. Remember at the start of this post how the distance traveled by foot/bike leads to multiple facets of financial and health improvement?

Forget about the model where you roll out of bed and stumble into an elevator that drops you into a car so you can avoid using a muscle. Wrong quality of life model.

Notice that the author admits these errors in analysis, without even realizing it:

…this area of San Francisco is known for drugs and crime, it is surrounded by very desirable places to live. It also lies adjacent to the rapid transit line, BART

Yeah, go live in the desirable places surrounding the transit line, not inside the train station. Moreover, let’s be honest here, the author also regurgitates an old American white supremacist trope, probably without even knowing.

All of San Francisco is known for drugs, and crime is widespread. You literally can’t go to a neighborhood in SF and find it free of drugs. This tracks to the rather sad fact that Nixon’s racist “war on drugs” still lives on, giving people the impression urban areas are dangerous because “drugs and crime” (Nixon’s propagandist way of saying blacks and pacifists).

We knew we couldn’t make it illegal to be either against the war or black, but by getting the public to associate the hippies with marijuana and blacks with heroin, and then criminalizing both heavily, we could disrupt those communities [by turning them into rubble and building highways through]

In fact, the only reason Highway 101 abruptly ends at Octavia and does not cut through the Haight (a formerly black neighborhood) and Golden Gate Park as planned is because civil-rights protests blocked “disruption” for white-flight-suburb road construction. There is no highway to this day running through urban SF because quality of life protests against it meant the successful rejection of white supremacist propaganda, which meant streets and houses instead of overpasses and parking lots.

Tenderloin is not more dangerous than the Mission area, which also lies “adjacent to the rapid transit line”, and it certainly is not more dangerous than the Marina if you are measuring getting raped by white football player who just moved to SF to party and “get some” before getting appointed to Vice President or the Supreme Court.

Nixon was elected because he said things like blacks can’t handle drugs, and he enacted policies to incarcerate blacks and not whites for the same behaviors. And that’s just a modern version of America First, which in the early 1900s under President Wilson argued non-whites (Irish, German, Blacks…) couldn’t handle liquor.

Prohibition was passed to destroy black lives, while whites could continue producing and drinking because notes from wealthy/connected doctors cited “medicinal” reasons.

Anyway, if you want to cite SF, look at the SOMA neighborhood sitting at the head of the CalTrain station, adjacent to the new high-speed rail station, and also on the new north-south local transit line, which will feed into BART, not to mention on the water with easy access to the ferry.

SOMA has far superior pedestrian, cycle and transit options to the Tenderloin or any other neighborhood in the city. This tracks historically to SOMA having amazing trolley grids before the car enthusiasts ripped it all up to drive up air/noise pollution and cause traffic jams as their preferred lifestyle.

Ok, back to the Scandinavian leaders in transit management. Sweden in 1997 set about trying to cut to zero the number of people killed on its roads. The strategy used has produced impressive results, yet nowhere near the kind of zero-death safety they had targeted:

Since the scheme began, road deaths have almost halved: 270 people died in road accidents in Sweden in 2016. Twenty years earlier the figure was 541.

America lags so far behind on this topic, its numbers are in a completely different ballpark. While Sweden is annoyed that it only has seen a 50% reduction in death from cars, some states in the US are actually tracking increases. Texas, for example, apparently is aborting human life at an alarming rate by repeatedly failing to address cars as a threat to health.

NSC estimates traffic fatalities in Texas have jumped 7 percent from 2015 to 2017

This is not normal, or acceptable, and could easily be going the other direction. NY proves to the rest of America what needs to be done, by deploying solutions similar to those proven in Denmark and Sweden:

NSC estimates traffic fatalities in New York fell 3 percent last year and have dropped 15 percent over the last two years. Safety advocates say the decline may be due to New York City’s push to eliminate traffic deaths by lowering speed limits, adding bike lanes and more pedestrian shelters.

“Changes like those being made in New York can save lives,” said [Deborah Hersman, CEO of the National Safety Council]

When NYC releases the financial and healthcare benefits that derive from fewer cars, maybe it will help steer the discussion forward in Texas. Seems unlikely, though, as Texans do not seem to be pro-life as much as they think their success is measured by ability to collect and carelessly operate things that kill others.

American cities in places like Texas paint a stark contrast to the quality of life stories around the world, and especially in Scandinavia, that highlight enabling people with the freedom to live without being unjustly harmed. The automobile industry is going through a transformation and would be wise to learn from the leaders, gaining trust in urban areas committed to freedom and justice through respect for diverse ideas and modes of movement.

American transit managers of the southern states who watch their neighbors and friends be killed by drivers without feeling any guilt should in the near future be about as common as politicians today who would look the other way when they see slave drivers.

Postdiction: Setting Perceptions of an Earlier Event

Everyone knows about prediction, because we often discuss how best we can accurately see into the future. Who predicted this? Consider also the opposite, postdiction, where we discuss how best we can accurately see into the past. Who postdicted this?

Researchers at Caltech are calling their emerging research in this area an insight into time-traveling. Really it’s just manipulating integrity of stored data. With prediction we would say someone has true clarity of what will come. With postdiction the brain can have true clarity of what has been.

Caltech researchers have developed two new illusions that reveal how the senses can influence each other — in particular, how sound can give rise to visual illusions. These illusions occur so quickly that they illustrate a phenomenon called postdiction (as opposed to prediction) in which a stimulus that occurs later can retroactively affect our perceptions of an earlier event.

[…] how does the brain determine reality with information from multiple senses that is at times noisy and conflicting? The brain uses assumptions about the environment to solve this problem. When these assumptions happen to be wrong, illusions can occur as the brain tries to make the best sense of a confusing situation. We can use these illusions to unveil the underlying inferences that the brain makes.

In brief, the experiments manipulate the brain by pairing a sound with only two of three images. The brain later believes it saw only two images because it heard no sound for the third; a simple trick to make things seem invisible when they lack the data that accompanies other things.

This seems to be an inverse method to distraction, which nets the same result. Instead of drawing someone’s attention away for a single event, add a stream of data for all events, then remove it during an attack to hide it.
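A small added illustration of that reasoning, written for this post and not part of the original: a detection rule that only reports events confirmed by a second channel is run over constructed telemetry, and the attacker’s event is the one whose corroborating record was withheld. The source names, process names and time slots are all assumptions made up for the demo.

```python
"""Added toy model (not from the original post): a correlation rule that
requires a second channel can be blinded by withholding that channel; the
fix is to treat the missing channel as the indicator."""
from collections import defaultdict

# Constructed telemetry (not real logs). Process-start events from an endpoint
# sensor ("primary") normally arrive with a matching audit-log line ("side").
# Slot 3 is the attacker's action: the audit line for it was suppressed.
SAMPLE = [
    (1, "primary", "svchost.exe"),  (1, "side", "svchost.exe"),
    (2, "primary", "notepad.exe"),  (2, "side", "notepad.exe"),
    (3, "primary", "unsigned_tool.exe"),          # no side record at all
    (4, "primary", "explorer.exe"), (4, "side", "explorer.exe"),
]

def by_slot(events):
    """Group (slot, source, name) tuples into {slot: {source: {names}}}."""
    slots = defaultdict(lambda: defaultdict(set))
    for t, src, what in events:
        slots[t][src].add(what)
    return slots

def corroborated_only(events):
    """Naive rule: a primary event counts only when the side channel shows the
    same name in the same slot. Like the illusion: no beep, no flash."""
    seen = []
    for _, srcs in sorted(by_slot(events).items()):
        seen += sorted(srcs["primary"] & srcs["side"])
    return seen

def missing_corroboration(events):
    """Hardened rule: a primary event whose usual side record is absent is
    reported as an anomaly, so the withheld stream becomes the signal."""
    flagged = []
    for _, srcs in sorted(by_slot(events).items()):
        flagged += sorted(srcs["primary"] - srcs["side"])
    return flagged

def silent_slots(events):
    """Slots where the side channel went dark while the primary was active,
    which is the 'stream removed during the attack' pattern from the post."""
    return [t for t, srcs in sorted(by_slot(events).items())
            if srcs["primary"] and not srcs["side"]]

if __name__ == "__main__":
    print("naive rule sees:", corroborated_only(SAMPLE))
    print("hardened rule flags:", missing_corroboration(SAMPLE))
    print("side channel dark in slots:", silent_slots(SAMPLE))
```

The naive rule reports three benign events and never mentions the third slot; the hardened rule reports exactly that slot. The practical lesson is that a corroboration requirement should fail closed: an event that lacks its expected companion signal is more suspicious, not less.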

A History of Rubber-Hose Cryptanalysis

Lately I often have been asked about cloud counter-measures to rubber-hose risks, and as I begin to explain I get interrupted with “wait, hold on, but why is it called rubber-hose?”

It is a fair question and, as a historian, I am eager to indulge those willing to ask a “how did we get here from there” security question.

Rubber-hose refers to a type of physical torture used to extract a secret without leaving evidence of torture.

Physical Torture to Break American Cryptography

To understand why this phrase is so commonly used in America, we have to remember first that slave rebellions in the 1830s led to a reign of brutal white-supremacist terror, escalating until its proponents started a full Civil War in 1861.

New York abolished slavery in 1827, around the same time many countries around the world were doing the same. Abolition and/or laws prohibiting slavery spread quickly:
1824 – Mexico
1831 – Bolivia
1831 – Brazil
1833 – England
1835 – France
1836 – Portugal

An important footnote here is that the Mexican abolitionist movement greatly angered white immigrants to Mexico. These settlers to the “wild” Texas territory demanded they be allowed to keep slaves.

This came to a head at the Alamo in 1836 when violent secession formed a new nation for slavery. That is right, every time you hear someone say “Remember the Alamo” think of white supremacists expressing pride at preserving slavery while globally it was condemned.

This fits a pattern more widespread, that between 1831 and 1861 many US slaveholders thought a “reign of terror” was their best method of preserving white power.

In case you are wondering, encryption was very present in America during the next 30 years, and needed key management that could withstand physical torture by those who did not want slavery to end.

Had the US not declared independence from the King of England, slavery arguably would have ended in the US by 1834 if not earlier.

Alas, this was not to be the case under a pro-slavery President Jackson, who had been elected in 1828. By 1835, around the time of Texas seceding to preserve slavery, Jackson was harshly criminalizing speech in order to prevent even the discussion of abolition (his Postmaster General Kendall let local postmasters pull abolitionist mail from circulation, and Jackson asked Congress to ban such mailings outright).

As you can imagine, encryption becomes very useful for those working towards freedom under a white supremacist President inspecting all mail.

The punishment for anyone discussing abolition was severe. Abraham Lincoln famously gave a speech in 1838 condemning the surveillance and torture methods used upon Americans who believed in the kind of freedom found in other nations:

Thus went on this process of hanging, from gamblers to negroes, from negroes to white citizens, and from these to strangers; till, dead men were seen literally dangling from the boughs of trees upon every road side; and in numbers almost sufficient, to rival the native Spanish moss of the country, as a drapery of the forest.

Turn, then, to that horror-striking scene at St. Louis. A single victim was only sacrificed there. His story is very short; and is, perhaps, the most highly tragic, of any thing of its length, that has ever been witnessed in real life. A mulatto man, by the name of McIntosh, was seized in the street, dragged to the suburbs of the city, chained to a tree, and actually burned to death; and all within a single hour from the time he had been a freeman, attending to his own business, and at peace with the world.

Such are the effects of mob law; and such are the scenes, becoming more and more frequent in this land so lately famed for love of law and order; and the stories of which, have even now grown too familiar, to attract any thing more, than an idle remark.

Sadly a great many Americans, from large plantation owner to poor white laborers, aspired to dreams of sudden wealth by harming others. America, long after the rest of the world was moving in a better direction, continued to think of an expansion of slavery practices as their get-rich-quick scheme.

Certain American men, as well as their enablers, kept arguing that the Constitution “enriched” whites by giving them the exclusive right to torture and murder without penalty as long as they were preserving their right to leisure time and preference for avoiding work by playing golf instead. There is a simple reason why many golf courses to this day market themselves by highlighting pro-slavery terrorists:

When Southwick G.C. in Graham, North Carolina first opened in 1969, it was known as Confederate Acres G.C. for no apparent reason other than to appeal to golfers who might be [pro-slavery].

Mountaintop G. & Lake C. in Cashiers, North Carolina one of the newest members of America’s 100 Greatest Golf Courses, has in its clubhouse suites named in honor of Confederate generals such as Robert E. Lee, Stonewall Jackson and Turner Ashby, all of whom fought [to preserve slavery] alongside early Cashiers resident General Wade Hampton

Yes, golf courses around America are out in the open about being pro-slavery, as if it is comforting to golfers if they can celebrate men who tortured and murdered Americans to enrich themselves. But I digress…

Managing secrets in the 1840s, in the context of Americans surviving torture and murder by violent pro-slavery militants, drew in even Edgar Allan Poe, who by 1843 had entered the fray, publishing instructions in a story set in South Carolina to help increase the use of cryptograms. It was his most popular story during his lifetime.

In 1844 the House gag rule that had blocked abolition petitions was repealed, after a long campaign by former President John Quincy Adams, but torture and murder by pro-slavery terrorists continued to rise. Although Texas agreed to annexation by the US in 1845, it came with the stated hard requirement that slavery remain legal (foreshadowing its second secession, remembering the Alamo by declaring war on abolitionists again in 1861).

It was because John Brown witnessed the wholesale torture and murder of abolitionists at this time that he became compelled to answer with force the literally burning question “are we free or are we slaves under Southern mob law?” His forceful attempts ended with his execution in 1859. And his demise was thought by slaveholders in 1860 as a great victory; sort of a proof at the highest federal levels that brutally murdering abolitionists and slaves carried no consequences, while resistance to slavery would continue to be fatal.

And yet the situation worsened further, with abolition demands of course growing. By 1861 the white mobs who had for three decades been torturing and murdering fellow Americans raised their violence even further and declared an all-out war to preserve slavery.

At this point I just want to mention key management in American history continues to be documented. Now it is soldiers in the US Army talking about fighting to preserve the Union, deploying encryption that has to withstand attacks by people who would torture anyone just to continue slavery practices.

Here’s an example from “The Military Telegraph During the Civil War in the United States: an Exposition of Ancient and Modern Means of Communication, and of the Federal and Confederate Cipher System” by code-breaker Captain William R. Plum

Fast Forward to the Rubber Hose Years

With the 1860s encryption in mind, we need to skip 100 years ahead to the 1960s. The American south still had white supremacists infiltrating departments of authority such as the police as a means to perpetuate their unjust power over non-whites, through violent means including torture.

The documentary Freedom Riders gives a good snapshot of the situation at hand, no pun intended:

Freedom Riders is the powerful harrowing and ultimately inspirational story of six months in 1961 that changed America forever. From May until November 1961, more than 400 black and white Americans risked their lives—and many endured savage beatings and imprisonment—for simply traveling together on buses and trains as they journeyed through the Deep South. Deliberately violating Jim Crow laws in order to test and challenge a segregated interstate travel system, the Freedom Riders met with bitter racism and mob violence along the way, sorely testing their belief in nonviolent activism.

Those savage beatings were with rubber-hoses, as well as with phone-books and other soft materials that caused maximum pain with minimum evidence.

Cyber-security-historian protip: we won’t ever say phone-book cryptanalysis to refer to physical torture methods because that becomes confused with logical brute force techniques (use of the contents of a phonebook to reveal secrets).

Thus one can read about torture techniques used by white supremacists during the 1950s and find exact reference to the rubber hose method as a subset of “third degree” questioning. For example, in a History of Torture text, you can read about US police methods used to force confessions and reveal secrets:

There you have it. The rubber hose is an American torture method commonly used in attempts to gain access to secrets without being held accountable. Cryptography withstanding a rubber-hose really refers to politics of torture in America from the mid-1800s resurfacing in the mid-1900s as rubber hoses became a common product.

Bringing It Back to Cryptanalysis Today

This is not just about the past, unfortunately, as I implied at the start of this post. People considering cloud computing lately are asking daily about the rubber-hose. There still is a real threat of torture. World Affairs vividly explains this situation in a political analysis of American traditions:

Decent people and decent countries do not engage in [torture] under any circumstances, whatever the consequences, and that’s really all there is to it.

[…]

Ideals are one thing, the reality of American history quite another. There is, in fact, a well-established American tradition of torture. The definitive text on it is Torture and Democracy by Darius Rejali, himself an opponent of torture. He sees “a long, unbroken, though largely forgotten history of torture in democracies at home and abroad.” What the torture techniques of democracies have in common is that they leave no lasting marks on the victims, no proof. Rejali calls this “clean torture.”

Electroshock began in democracies, and it was in the United States that interrogators first used rubber hoses to administer beatings that left no bruises. Sleep deprivation and stress positions (the “third degree”) were once common practices of American police.

It’s not only the police who have tortured or used other harsh methods. The U.S. military has, too. During the war in the Philippines at the beginning of the twentieth century, American troops employed the “water cure,” a forerunner of waterboarding. During the Vietnam War, torture was probably even more extensive. Whatever its professed ideals, the United States has tortured in the past. It has tortured in the near-present. And should needs arise and circumstances dictate, it will probably torture in the future.

My only addition to this analysis is that the “water cure” was treated as a war crime by the US and cited in its court cases against the Japanese during WWII. I spoke about this in my RSAC presentation “Security Humanitarianism: Extraordinary Examples of Tech Improving Lives”.

It is a sad footnote to history that war crime cases over conduct before 1945, prosecuted in 1946, were sealed after WWII, and the US then began engaging in the exact practices it earlier had argued were a clear violation of human rights. As the quote above warns: “Ideals are one thing, the reality of American history quite another.”

If you seek a more contemporary example, November 2003 was when the US Army tortured to death an Iraqi army general who had served under Saddam Hussein. General Abed Hamed Mowhoush died aged 56, beaten and then suffocated by Americans using methods including a rubber hose to forcibly extract secrets. Case details were revealed in 2005 court-martial proceedings for two men, without getting into details of which government agencies gave orders.

Conclusion

Rubber-hose cryptanalysis is rooted (pun not intended) in American traditions of torture to disclose secrets and preserve power. Despite white supremacists losing their war of aggression against their own country, their history of torture methods still seems nowhere near being abolished. And perhaps most dangerously, despite being proven ineffective, some groups may still see themselves as maintaining or gaining power with old “reign of terror” practices.

Hopefully now you can see how we got here from there. This is why when helping with key management solutions for cloud workloads running in America, I increasingly hear requests from people to discuss models that address threats like rubber-hose cryptanalysis techniques.

Binocular Night Vision Goggle II

One deep dark night on a dirt road on a remote mountain of an even more remote island, I rode swiftly downhill, passenger of a pickup truck. The driver shut our lights off. We sat in silence as the truck skidded and careened along the dusty road.

I barely could see the driver’s hands rolling quickly back and forth on the steering wheel to keep us from driving off the cliff ledge to our left. He didn’t slow down after lights-out, and when I turned my head more towards him he said warmly l’appel du vide (the call of the void) or something like that and smiled broadly at the barely visible road ahead.

While the road itself is seen better with headlamps, by shutting them off we actually expanded our visibility further and were safer overall. And of course we revealed ourselves less dramatically (noise and dust still were emitted), which can reduce blindness in oncoming vehicles.

With so many experiences like this in the past, I often see lights as pollution and wonder how much longer we must accept theories of Victorian street-lamps as safer?

Apparently, the original lighting in London was so poor in 1763 that James Boswell was able to have sex with a prostitute on Westminster Bridge. The shadows and gloom of the pre-electrified world not only provided privacy for Mr Boswell’s actions but were also a haven for crime.

To be fair I have seen couples having sex in the broad daylight on the eastbound platform at Charlton Station (CTN) in London, so it might not just be about visibility. Anyway, developing better vision integrated directly into the windshield, or our glasses seems like a much more sane and modern idea than trying to increase lumens everywhere. We wear sunglasses while driving, why not a night glass?

We save immense amounts of energy when we choose to leverage starlight and ambient heat, and reveal so much more…fortunately the US military is a big investor in technology along these lines and the latest iteration sounds quite nice:

The BNVD amplifies the small amount of existing light emitted by stars, the moon’s glow or other ambient light sources, and uses the light to clearly display objects in detail in very dark conditions. The COTI uses heat energy from the Marine’s surroundings to add a thermal overlay which allows the image to be viewed more clearly.

This seems light years ahead of driving with a common AN/PVS device (in joint electronics nomenclature, a Portable, Visual-light set whose purpose is “Detecting or Range and Bearing, Search”).

LADA Registration Unlocks GRU Database

Researchers looking into the recent GRU arrests have uncovered a trove of information because of sloppy Russian spycraft. Speculation already is that GRU is severely breached.

In the course of researching the authenticity of the personal data of the four individuals, Bellingcat was able to locate one of the four GRU officers identified by the MIVD in a Russian automobile ownership database. As of 2011, Alexey Morenets was the registered user and/or owner of a Lada (VAZ 21093) car. […] By searching for other vehicles registered to the same address, Bellingcat was able to produce a list of 305 individuals who operated cars registered to the same address.[…] The database contains their full names and passport numbers, as well as — in most cases — mobile telephone numbers.

That’s a GRU-some breach with a LADA data!

LADA VAZ 21093, named after the goddess of beauty in Slavic mythology

I used to give talks about medical data (zipcodes of doctors) being linked in this way to de-anonymize people using big data. This new example is superior in so many ways, not least because it shows Russian experts at poisoning information, let alone people, haphazardly failing at their own game.
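As an added example, not from the post or from Bellingcat, here is the pivot the quoted paragraph describes, run over a constructed registry: one known name gives an address, and the address gives everyone else with a vehicle registered there. All names, plates, addresses and numbers are invented, and the second list joined on phone number stands in for any other leaked dataset of the kind the medical-data talks relied on.

```python
"""Added demo (not from the post): record linkage on a toy vehicle registry.
Every record below is fictitious and constructed for this example."""
from collections import defaultdict

REGISTRY = [
    {"name": "Pavel Petrov",   "address": "1 Example Lane", "plate": "A111AA", "phone": "+0-000-0001"},
    {"name": "Olga Orlova",    "address": "1 Example Lane", "plate": "B222BB", "phone": "+0-000-0002"},
    {"name": "Ivan Ivanov",    "address": "1 Example Lane", "plate": "C333CC", "phone": None},
    {"name": "Maria Morozova", "address": "9 Other Street", "plate": "D444DD", "phone": "+0-000-0004"},
    {"name": "Pavel Petrov",   "address": "1 Example Lane", "plate": "E555EE", "phone": "+0-000-0001"},
]

# A second constructed list with a shared quasi-identifier (phone number).
OTHER_LIST = [
    {"phone": "+0-000-0002", "employer": "Example Unit"},
    {"phone": "+0-000-0099", "employer": "Unrelated Co"},
]

def index_by(records, field):
    """Build {field value: [records]} for fast pivots."""
    idx = defaultdict(list)
    for r in records:
        idx[r.get(field)].append(r)
    return idx

def find_by_name(records, name):
    return [r for r in records if r["name"] == name]

def cohort_at_address(records, address):
    """Distinct people with any vehicle registered at `address`."""
    return sorted({r["name"] for r in records if r["address"] == address})

def pivot_from_name(records, name):
    """Seed name -> registered address(es) -> everyone registered there.
    This is the one-record-to-305-people step the quote describes."""
    addresses = {r["address"] for r in find_by_name(records, name)}
    return {a: cohort_at_address(records, a) for a in sorted(addresses)}

def join_on(left, right, key):
    """Generic linkage: pair each left record with right records sharing `key`,
    skipping records where the key is missing so None never links anything."""
    idx = index_by(right, key)
    return [(l, r) for l in left if l.get(key) is not None
            for r in idx.get(l[key], [])]

if __name__ == "__main__":
    print(pivot_from_name(REGISTRY, "Pavel Petrov"))
    for l, r in join_on(REGISTRY, OTHER_LIST, "phone"):
        print(l["name"], "->", r["employer"])
```

The registry never labels anyone as belonging to an organisation; the address does that work once a single member is known, and any additional dataset sharing a phone number or plate extends the graph another hop. Spycraft hygiene is the inverse: no shared registration address, no reused phone, and no quasi-identifier that survives across databases.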

Password Safe (psafe3) and Password Gorilla Import to KeePass

Password managers have become something of a religion, which is a very good sign in theory. People getting passionate about protecting their stored secrets sounds like a win for infosec management. On the other hand, discussions may get heated about an exact password manager one should worship. Imagine office rules soon may be updated to say it is inappropriate to discuss politics, sports and password databases.

Of course for those who see all the religions as roughly equivalent in spirit, none of them being perfect and all having some virtues, they may seek easy conversion paths to embrace options. Come along and don your pope robe, grab a yarmulke, put on your tilak, etc. and convert your secret tomes by sliding easily between password databases.

For example, just a few years ago a couple of computer science researchers credited PasswordSafe as the most…

Wait for it…safe implementation.

It seems fair to require that a password manager that asks users to authenticate themselves with a password, at least provides secrecy and data authenticity. This is currently only achieved by a single password database format, namely PasswordSafe v3. As a general rule, a password manager should be explicit about the security offered by the underlying database format.

Thus in 2015 one might rightly be expected to worship the psafe3 scriptures as holier than thou. Now that we are in 2018, however, others have rightly pointed out that PasswordSafe and the cross-platform version PasswordGorilla have seen few updates. As other password managers are iterating more rapidly, the believers wonder when will PasswordGorilla 1.6 drop and can their faith last until such prophecy comes true?

KeePass in particular has been developing a large following, and I’ve been told there’s an entire plugin movement devoted to the art of bringing other faiths under their big tent. This makes it one of the better examples for those looking into multi-platform solutions with flexible options. Apparently the conversion steps are simple.

Prerequisite: This conversion presumes you have a psafe3 file on a running Windows system, such as PasswordSafe installed on a virtual machine easily downloaded from Microsoft.

A) Conversion from psafe3 (version 1, 2, or 3) to kdb (version 1)

  1. Download the old version 1.09 zip file of KeePass (max supported conversion version)
  2. Download the PwSafeDBImport plugin zip file
  3. Extract the KeePass 1.09 zipfile to a new directory
  4. Extract the PwSafeDBImport.dll to the same directory
  5. Start KeePass.exe
  6. Select the Tools drop-down and then Plugins
  7. Right-click on the PwSafeDbImport plugin and choose Enable
  8. Exit KeePass
  9. Start KeePass (to load the PwSafeDBImport plugin)
  10. Click on the New Database icon and set a strong master key (KeePass recommends 96 bits or more)
  11. Select the File drop-down, then choose Import from and select PwSafe database (option at bottom, do not select psafe2 TXT file)
  12. Select the psafe3 database you want to import from
  13. Enter your psafe3 database password
  14. Review KeePass folders to verify integrity of imported secrets
  15. Click on the Save icon and set a kdb filename

B) Conversion from kdb (version 1) to kdbx (version 2)

  1. Start KeePass
  2. Select Database drop-down and then select Import KeePass 1 Database
  3. Select kdb file and enter master key
  4. Click on the Save icon and set a kdbx filename
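Before trusting a psafe3 file to the import above, and again afterwards when verifying the imported secrets in step A.14, it helps to be able to confirm that the source file is intact and that the passphrase you hold is the right one. The following is an added example, not code from the post, PasswordSafe or KeePass: it parses the fixed psafe3 v3 header (TAG, 32-byte salt, little-endian iteration count, H(P')) and checks a passphrase through the format's SHA-256 key stretching, which is part of why the paper quoted above credits the format with secrecy. No decryption is needed for the check, so the standard library suffices. `build_psafe3_header` is a constructed stand-in for a real file; its Twofish-wrapped key blocks and IV are random placeholders because Twofish is not in the standard library.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

PWS3_TAG = b"PWS3"
PWS3_MIN_ITER = 2048  # minimum stretching count the v3 format specification requires


def stretch_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """Password Safe v3 key stretching: X0 = SHA256(passphrase || salt),
    Xi = SHA256(X(i-1)), and P' is X_iter. Each extra iteration slows guessing."""
    x = hashlib.sha256(passphrase + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x


def build_psafe3_header(passphrase: bytes, iterations: int = PWS3_MIN_ITER,
                        salt: Optional[bytes] = None) -> bytes:
    """Constructed example header: TAG | SALT(32) | ITER(4, little-endian) | H(P')(32).
    A real file continues with B1..B4 (the Twofish-wrapped data and HMAC keys, 64 bytes)
    and a 16-byte IV; here those are random placeholder bytes, which is fine because the
    passphrase check below never reads them."""
    if salt is None:
        salt = os.urandom(32)
    p_prime = stretch_key(passphrase, salt, iterations)
    hp = hashlib.sha256(p_prime).digest()
    return PWS3_TAG + salt + struct.pack("<I", iterations) + hp + os.urandom(64) + os.urandom(16)


def check_psafe3_passphrase(data: bytes, passphrase: bytes) -> dict:
    """Verify a passphrase against the psafe3 header without decrypting anything.
    Also reports whether the file's iteration count meets the format's minimum."""
    header_len = 4 + 32 + 4 + 32
    if len(data) < header_len:
        raise ValueError("too short to hold a psafe3 header")
    if data[:4] != PWS3_TAG:
        raise ValueError("not a psafe3 file: bad tag")
    salt = data[4:36]
    (iterations,) = struct.unpack("<I", data[36:40])
    stored_hp = data[40:72]
    computed_hp = hashlib.sha256(stretch_key(passphrase, salt, iterations)).digest()
    return {
        "iterations": iterations,
        "meets_min_iter": iterations >= PWS3_MIN_ITER,
        # constant-time comparison, as one would use for any stored verifier
        "passphrase_ok": hmac.compare_digest(stored_hp, computed_hp),
    }


if __name__ == "__main__":
    header = build_psafe3_header(b"correct horse battery staple", iterations=4096)
    print(check_psafe3_passphrase(header, b"correct horse battery staple"))
    print(check_psafe3_passphrase(header, b"wrong passphrase"))
```

To run it against a real database, pass `open("mydb.psafe3", "rb").read()` as `data`; only the first 72 bytes are inspected. A result with `passphrase_ok` true and `meets_min_iter` true tells you the file header is well formed and the passphrase matches, which is what you want to know before step A.13 and before deleting the original after step A.15.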

Can I get an Amen?

In my next post on this topic, we will discuss hosted databases and why nobody expects the cloud inquisition.

This Day in History: Munich Agreement

Ondřej Matějka, the deputy director of the Institute for the Study of Totalitarian Regimes (ÚSTR) provides a fascinating interview on the 80th anniversary of the infamous Munich Agreement:

…the problem wasn’t that the Czechoslovak state couldn’t hold the borders. The problem was more within the society living there, where the pressure from the Sudetendeutsche Partei towards our citizens and people who were sympathetic towards other political parties, especially social democrats and communists, was big. I think the Sudetenland is an extraordinary example of the making of a totalitarian society, where one power, through terror and social pressure, is taking over power in the society

The agreement led to annexation of Czechoslovakian border territory by an expansionist Nazi regime, and the designation of this area as “Sudetenland”.

It also set back plans to overthrow the fascist dictator of Nazi Germany.

Opponents of the Nazi regime leader, such as the head of the German Army, perceived the Munich agreement as foreign states having weak appetite for more permanently ending the Nazi terror and social pressure.

$1.63 Billion Breach Fine Discussed As Facebook CSO Legacy

At Blackhat this year people sometimes asked me if I was familiar with the “Charlatan Security Officer” situation at Facebook. I was not sure what they meant, and then they showed me threads online and invited me to meetings where this was the topic. Screenshots like the following one about ex-Yahoo CSO and current Facebook CSO Alex Stamos were aplenty, often with titles like “someone is having a bad day”:

Apparently the keynote intro this year was a harsh retribution of last year’s keynote by Stamos. I can’t say I hear that, but many people after the keynote were discussing it with me because they said they had seen my recent posts:

In one group conversation I was told by several people Alex Stamos had written his own biography in the third person and posted to wikipedia, then convinced them to lock his words to prevent his detractors in the community from editing what he thought about himself. Sounds crazy yet several people confirmed this and showed me what looked like a Russian-style ruler waving flags of his face in a parade he threw himself.

It was in such a context, after several days of hearing and seeing this kind of strange report from several groups, I was implored to consider writing another blog post about the Trump-ish man working in infosec. So here we are.

Clearly I have been a vocal critic of the Yahoo and Facebook breaches, based on how security has been handled. They stem directly from the fact Stamos never had been a CSO in his life, let alone having any experience managing any large organization or working within a CSO office. He abruptly donned a big title, the way any monarch or patronage member might, and failed at it spectacularly.

People at Blackhat were nudging me to accept the CSO acronym now starts with “Charlatan” thanks to Alex Stamos, the crestfallen attempted Chief.

Stamos stands by his “flair” startup, where he tried to sell vanity domains as proof of care about online security. Nobody bought it, so he tried to be a CSO instead

I think I can see the acronym shift now for a post-Stamos CSO, and here’s why:

It is no secret as the CSO of Facebook that Stamos carried a libertarian anti-governance anti-regulatory hubris. He hated representative government in a similar way to his hatred of security vendors. It wasn’t that he thought they were all shit and should be evaporated as much as he thought they all should be replaced by his superior intellect and ideas.

This angered many principals of international relations who saw him as a reckless and naive dictator. The theory became that his self-serving speeches and impatient approaches to data protection (he pre-announced in 2014 he would deliver end-to-end encryption with Yahoo mail by hiring a new team, but failed to do either) were fueling a backlash. Widespread concerns among privacy experts and seasoned safety professionals ultimately meant new drafts started for old laws designed to protect the vulnerable from giant anti-privacy bullies like Facebook.

Well, some of this backlash theory bubbled over into reality this weekend as yet another massive breach is said to have been announced. Shortly after the infamous fog of Stamos was lifted from Facebook, news came out that users had become less safe during his tenure. A failed attempt to be a CSO at Yahoo in 2014 seems like old news. Yet his second attempt to be a CSO at Facebook took a similarly dark turn; and this brings right back to mind how increasingly terrible things get revealed after he leaves a job. His only two CSO attempts, ever, have ended with stories of massive harm to users right under his nose, and revealed not by him but others or much later.

History books someday may link the massive disasters under this single CSO’s brief career directly to the sobering topic of GDPR fines:

Under GDPR, companies that don’t do enough to safeguard their users’ data risk a maximum fine of €20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Facebook’s maximum fine would be $1.63 billion using the larger calculation.

The law also requires companies to notify regulators of breaches within 72 hours, under threat of a maximum fine of 2% of world-wide revenue.

In other words, the massive GDPR fine that Facebook faces today was the predictable outcome of Stamos’ arguing with EU regulators that he wanted to end privacy in order to protect it. This really is an excellent time to look back at why Blackhat months ago had been so abuzz about whether Facebook had a charlatan in charge.

Let us examine, for example, how as CSO he floated a snarky thought piece that he is the one who cares about “real” privacy, and not the EU regulators that Facebook “of course” agreed to comply with…

Earlier this month, the court issued an interim ruling, and today we received the order from the BPC impacting how we can use the datr cookie in Belgium. Our legal team plans to appeal this ruling. […] I met recently with the Belgian Privacy Commission to share these details…. As the organization that’s responsible for safeguarding the data of Belgian citizens, we hoped they would appreciate the real privacy and security benefits that tools like the datr cookie provide. We also explained that when these requirements are applied to other websites in Belgium, people may lose access to useful features such as maps, videos, and share buttons…. In the absence of the datr cookie, we will have to treat any visit to Facebook from an unrecognized browser in Belgium as potentially malicious.

Yes, he actually said “we hoped they would appreciate the real privacy and security benefits” as if the BPC privacy order was not based in reality, and then gave “maps, videos, and share buttons” as some kind of serious weight to the decision. It’s a lot like saying people need to lose their privacy just to look at a map or watch a video. Crazy talk.

This stuff is neither new nor rocket science and Stamos wasn’t doing himself or the infosec industry any favors by trying to argue that tracking everyone is the future for EU privacy. Come on man.

And his argument for treating unrecognized browsers as malicious? That is just naive Trump-like talk. He literally was responding to requests for privacy from the government with the opposite, that everyone who doesn’t surrender privacy to Facebook and submit to being tracked will be treated as an outsider threat.

And so…infosec experts at Blackhat were telling me that the infosec industry now should refer to him as the:

Charlatan. Security. Officer.

His comments to the BPC were from December 2015, only months after he naively asked the US government if he should sooner work with Russia, China…and then ran away from the Yahoo breaches rather than disclose them. Anybody and everybody familiar with the Yahoo! CEO testimony to Congress knows how oddly uninformed Stamos sounded for asking the US government whether they want him to treat all countries as morally equivalent and work with the Chinese more.

The NSA wasn’t going to push back openly, but Stamos was making the kind of fundamental mistake in attacking governments that soon would come back around.

Russian media gleefully reports NSA is under attack by the guy who soon will let them run propaganda campaigns

So after Stamos’ pushy post of December 2015 the European Parliament moved to adopt GDPR in April 2016. Was it a response? I don’t think anyone has the kind of evidence to say there was a direct connection from Facebook CSO hubris to privacy-law, given how Google had already been generating heat, only that there was overall a temperature increase and Stamos’ hot air arguments definitely contributed to distrust in Facebook.

Distrust in Stamos’ vision of safety turned out to be wise as regulators had set the scene for his reputation to be cemented as someone who doesn’t disclose harm in a timely manner, let alone prevent it. I’ve been told the Russians didn’t overlook his behavior (see above RT news) and typically only need to drop a few coins in operating such a person towards their objectives.

Around this time there were giant glaring integrity breaches that Stamos apparently did not believe constituted a serious enough security concern to disclose:

Facebook has been roundly criticized for being slow to acknowledge a vast disinformation campaign run by Russian operatives on its platform and other social media outlets before the 2016 presidential election.

[…]

Outside the United States, the impact of disinformation appearing on Facebook and the popular messaging service it owns, WhatsApp, has been severe. In countries such as Myanmar and India, false rumors spread on social media are believed to have led to widespread killing.

This is verging on crimes against humanity. And so…social science experts at Blackhat were telling me that the geopolitical security industry now should refer to him as the:

Charlatan. Security. Officer.

Now Facebook’s latest vulnerability in the news was said to have been introduced July 2017, under the Stamos fog.

Was it potentially exploited through low-and-slow methods? That is unclear of course, because of the fog. If it was known it was never disclosed (similar to how Stamos did not disclose the breach at Yahoo). We do know that a Product Manager, and not even an officer or security role, is the one who disclosed the breach based on evidence of a sudden spike on September 16th, 2018 (a month after Stamos was pushed out and took a role at Stanford to redirect naive students into venture-backed get-rich schemes instead of graduating).

It is important to remember in this context that Stamos had continued his leave-it-to-me mindset long past the vulnerability and even through 2018, arguing that unauthorized access to Facebook user data did not constitute a breach under any “reasonable” definition.

“The recent Cambridge Analytica stories by the NY Times and The Guardian are important and powerful, but it is incorrect to call this a ‘breach’ under any reasonable definition of the term,” Stamos says in one screenshot. “We can condemn this behavior while being accurate in our description of it.”

Yeah, that kind of stupid really burns. It suggests things would be worse now if he still was CSO. I mean Facebook at that time was handed a whopping £500,000 fine for lack of transparency and failing to protect users’ information. Stamos was way off base. His legacy potentially will be a fine in the billions, but the company at least may feel better about removing the Yahoo who probably would be claiming no breach happened, or that he is the only one with a real and reasonable sense of what privacy means. Facebook investors might take comfort in the fact Stamos has been booted, but if Yahoo is any guide the survival of the entire company becomes ever less certain as more breaches are revealed to have happened under his fog.

Charlatan. Security. Officer.

One might say Facebook health warning signs were there since the middle of 2015, when a certain person with no CSO experience other than a short stint at Yahoo suddenly popped up spouting all kinds of strange self-promotional ideas about what is “real” and “reasonable” to people who know better. In other words, regulators realized the time is now for the kind of fines that would hopefully prevent any Charlatan Security Officer from causing widespread harm to public safety from massive-scale data privacy breaches. And for some reason a lot of people think I should blog about this…again.
