MOD (Masters of Data) PodCast: The Big Security Topics of 2019

#bugbounty #privacymatters #govermentshutdown

Many thanks to all those who invited me in to crash the MODcast about “Big Security Topics of 2019“.

Special shout-out to George who kept calling me David.

The conversation has been blowing up my social channels so thought I might as well add some reference here as well.

“People have the right to know what others are doing with their data”

Government Shutdowns, Bug Bountires, and Ethics – what do these have in common? Our first live panel of security experts in 2019.

Click on the image or link above to have a listen, or the embedded player below. Feedback welcome.

Egregious Misconduct Lawsuit For 2014 Yahoo Security Management

It was the 10th of March 2014, the bugles were blaring. A red carpet was unrolled.

Who was this man of mystery coming into view? He came with no prior CSO experience, let alone large operation skills. Suddenly out of nowhere, front and center of Yahoo’s own financial news site was the answer:

Watch out, Google. The rumors are true. Yahoo has officially stepped up its security A-game. It’s called Alex Stamos.

Yahoo announced yesterday that it hired the world-renowned cybersecurity expert and vocal NSA critic to command its team of “Paranoids” in bulletproofing all of its platforms and products from threats that will surely come.

The headline-grabbing hire is widely being viewed as Yahoo’s attempt to restore its reputation for trustworthiness in the fallout of a recent rash of ad-related malware attacks that jeopardized millions of its users’ identifying data.

Watch out, Google? Vocal NSA critic? These seem like battles on two fronts. Is there anyone he doesn’t have a beef with?

Never have I seen a CSO hire being celebrated as a threat to organizations they most certainly will have to work with, even if there are disagreements. Surely that starts the role off with headwinds that reduce his effectiveness. The whole tone of the PR piece seems ignorant of what a CSO is and does.

Let’s take a closer look here. The article, after bizarrely casting shade at Google’s security team, gave a quick run-down that revealed a lack of relevant experience:

Before coming aboard at Yahoo, Stamos served as chief technology officer of Artemis, a leading San Francisco-based Internet security firm that specializes in .secure Top-Level Domain security (TLD), over the last year and 10 months, according to his LinkedIn profile. Prior to his stint at Artemis, he co-founded iSEC Partners “with good friends.” Artemis’s parent company NCC Group acquired the pioneering security firm in late 2010.

Before launching iSEC Partners, Stamos held a two-year post as a managing security architect at @stake, Inc., a digital security company that helped corporations secure their critical infrastructure and applications. Symantec acquired @stake, Inc. in late 2004. Stamos also worked as a senior security engineer for nearly two years at LoudCloud, a software company now called Opsware that operates out of the same city Yahoo calls home base.

Leading what?

Artemis was a leader? I don’t see how anyone could claim that. Note that “according to his LinkedIn profile” is used to qualify because there wasn’t any other source of that kind of nonsense.

Ok, so think back to 2014. Here’s a guy within an unknown “company”, which never achieved solid customer base or a real product, claiming to be an industry leader as CTO. The leap into a CSO role at Yahoo, fighting against BOTH the government (NSA) and non-government (Google)…sounded fishy then, and sounds fishy now. Who wanted him in so badly they’d ignore the lack of quals?

Let’s be clear, since Artemis never was independent of NCC, we’re talking about a guy with a CTO title on a small team and that abruptly folded. This is not a stepping-stone into a large publicly traded operations management. And his record before doesn’t help either, with some security research and consulting in three small teams, with no large organizational/management experience anywhere.

The lack of experience matters not only for the obvious reason of being qualified to do the work, it also begs a question of what is reasonable to expect in terms of conduct (and chances of misconduct). Risk management is the bedrock of a CSO role. In 2014 Yahoo was hiring someone who hadn’t been in that hot seat ever in his career. Lacking a track record in responding to incidents, events and breaches from an operations management position, and yet he was getting a lot of unusual fanfare from his new employer.

More to the point, he had been billing himself as the best person to lead Yahoo, and didn’t seem to mind getting himself framed as someone to make them bulletproof even for future threats. That’s crazy PR talk.

It was the “we’re going to build a wall and make Mexico pay for it” campaign of the infosec industry.

Fast forward to January 23, 2019 and look at the hundreds of millions of dollars in losses from security leadership failures:

According to the S.E.C., “In late 2014, Yahoo had learned of a massive breach of its user database that resulted in the theft, unauthorized access or acquisition of hundreds of millions of its user’s personal data.” The agency further alleged that “Yahoo senior management and relevant legal staff did not properly assess the scope, business impact or legal implications of the breach” and “did not share information regarding the breach with Yahoo’s auditors or outside counsel.”

Yahoo didn’t disclose the breach until September 2016, when it was negotiating the sale of its internet business to Verizon. Although the transaction was completed, the acquisition price was lowered by $350 million to $4.48 billion.

Guess what happened in between 2014 when this man started his first-ever CSO role and 2016? No, I’m not talking about the $2 million he handed out in “bounties” to his friends in the security research industry. They of course to this day are very happy about what he did for them.

No, I’m not talking about his pre-announcement of encrypted end-to-end email as a product feature he would bring to customers, before he even had a team hired to work on it, and failing to deliver.

Following up on a promise it made during last summer’s Black Hat, Yahoo on Sunday said it’s on track to deliver end-to-end encryption for its email…”Just a few years ago, e2e encryption was not widely discussed, nor widely understood. Today, our users are much more conscious of the need to stay secure online,” Stamos wrote on Yahoo’s Tumblr.

That kind of awareness is what Heartland boasted about in 2009. Had Stamos been a CSO before, he might have known e2e was widely discussed.

In fact, a more sensible thing would have been for him to say people have talked for too long about e2e, basically everyone can understand it, now someone needs to deliver on their promise in order to earn trust. RedPhone and TextSecure (precursors to Signal) were launched in 2010, incidentally (no pun intended).

It almost seemed like he was trying from the start of his role as an officer to juice the stock price with giant pre-announcements, using user awareness being a goal, allowing hazy engineering delivery requirements to slide around.

During Stamos’s career, Yahoo pledged to offer a fully encrypted email service and moved to add encryption to more of its websites. It’s vague what his departure means for those efforts…

No, none of that. I’m talking about Artemis. He left so abruptly from Artemis, his direct reports weren’t aware. Same was said to have happened at Yahoo, with people claiming they found out day of his departure.

Instead of making Yahoo bulletproof, as his PR would have had everyone believe, he ran for self-cover when shots rang out. I’d love to be wrong about this, but I know Artemis and Yahoo followed the same pattern: Unable to fly his plane, a pilot stands up and waves at his own staff he’s leaving behind, leaps with a golden parachute.

More than a few Paranoids told me they weren’t pleased to hear such a neophyte CSO after he fumbled management of privacy protections was going to the notoriously anti-privacy company Facebook. His words:

I had a wonderful time at Yahoo and learned that the Yahoo Paranoids truly live up to their legend. Their commitment, brilliance, drive and pioneering spirit made it a pleasure to roll up our sleeves and get to work.

Here’s what that translated into almost immediately:

Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages.

The social network permitted Amazon to obtain users’ names and contact information through their friends, and it let Yahoo view streams of friends’ posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier.

Facebook has been reeling from a series of privacy scandals, set off by revelations in March that a political consulting firm, Cambridge Analytica, improperly used Facebook data to build tools that aided President Trump’s 2016 campaign. Acknowledging that it had breached users’ trust…

What’s most interesting about such a massive failure of the CSO is really the style and type of PR moves. He used them again as he picked up his new role, talking about how he’s the one who can make the data safe at his second CSO job. He hadn’t delivered measurable risk reduction in his first job, yet someone wanted him at Facebook and he had boastful press. Who again?

Did anyone think Yahoo really was playing its “security A-game” when the head of security couldn’t put together enough executive presence to get anyone, literally a single peer, to do the right thing? If a public company is breached at this level, and a CSO can’t move the dial on disclosure, in what sense are they actually performing the job?

This man who ran wordy PR campaigns about “bulletproofing all of its platforms and products from threats that will surely come” turned out to be all hat and no cattle hiding under the mountain of cash he was getting paid and paying others.

In that sense, shareholders and customers are right to be angry about the performance of management. Such high-boasts and failure to deliver should not be taken lightly by regulators.

Sure, if someone takes a CSO role and fumbles it there generally should be accountability. In this case, however, we’re talking about a person who regularly ran high-profile self-promotional events promising future safety above and beyond others. It even seemed harmful to the reputation of the prior CSO, the way PR was used to describe the transition to him as a superior leader. He put himself in a much different situation than any other CSO we see in the industry.

The op-ed in the NYT puts it rather bluntly:

…director and officer liability for cybersecurity oversight is entering new and potentially perilous territory. That is especially so in cases like Yahoo’s, in which shareholders allege egregious misconduct at the highest levels of an organization.

Our security industry soon may be entering a post-Stamos era, where we could build guidelines to prevent someone of his boastful nature from taking a role they are unable to conduct. I’ve heard meetings have been underway for a while, and maybe even standards being drafted.

The 2014 CSO breach management at Yahoo alone was staggeringly awful, destroying trust in the brand. That was when disclosure should have happened. Instead he quietly left and went on to do it all again at his next job. That’s the real case, since there isn’t any related prior work to reference, just a repeat disaster performance.

I’ve seen very few people in security run press using such boastful praise heaped on themselves for an operations job that benefits most from a low profile. It makes little sense. And he did it twice, his only two attempts to be a CSO.

What really gets me, however, is running that kind of “I bring more influence than everyone else” PR story, then claiming the opposite after a breach, he didn’t have the ability to influence, as threats flowed through his celebrated fingers.

Do Walls Work?

Strangely enough I’ve been getting this question lately from people who believe I might have an answer. Little do they realize how complicated the answer really is.

The short answer is (from a political economy view) that walls will be said to work when someone is trying to get them funded, and will be said to not work when the same people (or those who follow their folly) try to get all the other things funded (because walls easily fail, as everyone familiar with security can predict).

Before I go much further, let me briefly turn to the philosophical question of walls. One of the most famous Muslim scholars in the world, Muhammad Ali, probably best exemplified the answer to any questions about walls “working”. Here’s a eulogy to his wisdom, worth a watch in its entirety. For purposes here I’ve started towards the end at the relevant quote:

…life is best when you build bridges between people, not walls.

So if the celebrated genius of a fighter Ali tells us life is best with bridges, why build walls at all? And if security experts (defenders and attackers) so easily predict failures, why spend money on them? These are the kinds of questions every CSO should be well-prepared to answer. It’s basically the “why should I fund your project to disable connections, when the point of business is to enable them” meeting.

This goes to the heart of the Anti-Virus (AV) industry, and the current derivatives (Clownstrike, Cylance…you know who I’m talking about).

In the beginning days of viruses (early 1980s) there were theories about positive security models, which measured system integrity in a way today we talk about “whitelists”. If you want to run something on a computer you boil it down to the essence, the most efficient model and description, such that anything out of that ordinary baseline could be flagged as unusual or even adversarial.

Such a model of safety isn’t revolutionary by any stretch of the imagination. It was a simple case of people with some knowledge of the healthcare industry saying computer viruses could be detected by looking for what is abnormal, and emphasizing a thorough scientific understanding of what is normal.

Well, in healthcare there is motivation to spend on establishing such knowledge because “healthy” is valuable state of being. In computers, however, there was a giant loophole preventing this kind of science being developed. Companies like McAfee realized right away that if you just scare people with fear, uncertainty and doubt about imminent invasion by caravans of viruses you can get them to throw money into a wall (even though it doesn’t work).

I would make the usual snake-oil reference here, except I have to first point out that snake-oil has real health benefits.

…snake oil in its original form really was effective, especially when used to treat arthritis and bursitis.

The concept of a snake-oil salesman refers to some shady American guy stealing Chinese ideas and using cheap counterfeits to profit on harm to customers. Thus the McAfee model of building walls (today we talk about “blacklists” being ineffective, when really we could say fake snake-oil) for huge amounts of money started around 1987. At that time McAfee the man himself created a company to collect money for delivering little more than a sense of safety, while attackers easily bypassed it.

Unfortunately consumers bought into this novelty wall sold by McAfee, despite being mostly nonsense. The oportunity cost was massive and the security industry has taken decades to recover. Innovators trying to compete by achieving any kind of security “science” in operations were obviously far less profitable compared to the raft of snake-oil McAfee marketing executives.

Consider for example in 1992 McAfee told the world an invasion was coming and they needed him to build some more walls.

McAfee was blamed for creating a false threat to sell more of his anti-virus elixir – which he did. McAfee’s anti-virus software sales reportedly “skyrocketed” that year, with more than half of the companies in the Fortune 100 having purchased McAfee software. Of course, this only furthered the theory that McAfee had just made up the whole damn thing.

He retired after this, scooping up millions in profit by building walls that didn’t work for a threat that didn’t exist.

To be fair, threats do exist, and walls do have a role to play. Hey, after all we do use firewalls too right? And firewalls have proven themselves useful in a most basic way too, by having attackers shift to an application layer when all the other service ports are down.

In other words firewalls work in the way that building a wall could end up dramatically increasing threats coming through airports, seaports and even underground. Basically air, sea and land threats could increase and be detected less easily by building a wall. When I used to pentest utilities for example, we rated walls as significantly less effective at stopping us versus six-sided boxes (buildings, if you will).

True story: on a datacenter pentest I approached two layers of walls. The first was easily bypassed and then I used some engineering to get through the second one. It was only at that point I realized I was in the wrong location. Datacenters used to be careful to avoid having any outward logos or markings, even obfuscating their address. In this case it worked! After getting myself through two walls without much thought, I was looking right at an ICE logo and a bunch of guns.

Yes, I accidentally had tested the Immigration and Customs Enforcement (ICE) facility…and immediately began egress. Getting out quickly took some creativity, unlike getting in, and ended up being a better skills test. In the end it was fine, a laugh for everyone, including the datacenter (which I did test immediately after).

So in the strictest sense, walls have some work to do, and they may be capable of delivering. This is very different from saying walls work, however, when people are thinking in the broader sense of being safe from harm. A con-man like McAfee can vacuum up money to get rich while delivering almost no value, because “walls work” is a tiny grain of truth in his giant cake factory shipping nutrition-less lies about health (risk and safety).

1600s: Que ne mangent-ils de la croûte de pâté? (let them eat forcemeat crust!)

1700s: Qu’ils mangent de la brioche! (let them eat cake!)

1990s: Let me install AV!

2019: Let me build a wall!

Almost a decade ago I did a small speaking tour about cloud security on this topic, although I used the Maginot line as an example. This massive defensive wall was named after 1930s French Minister of War André Maginot, and constructed along the country’s border with Germany.

I pointed out that one could argue the Maginot line forced attackers to shift tactics and use other entry methods. In that sense those walls did some actual work, like a firewall or AV will do for you today.

However, expectations of the French were for the wall to prevent the very thing that happened (rapid invasion past their borders). In fact, the forces at the wall became so irrelevant, they still stood ready and willing to fight even after the French government capitulated to the Nazis. Let’s face it, had the French military leadership simply listened to all the active warnings about Nazis going around the line, France likely would have ended up saying the wall did a job to help focus their active response (they could have directed defenses to neutral country borders that had no walls).

The French leadership failed to notice something was not normal (enemy troops moving through the Ardennes Forest and violating neutral countries). And that is why their expensive wall continues to be almost universally remembered as a huge failure. (Some do still argue, as I did too, that Maginot’s plans worked within an extremely narrow assessment).

I don’t think any French to this day would say their wall worked however, given how it was billed to them at the time of funding (for an extremely high cost, which weakened more modern/important security needs like detection and radio/aero/rapid response).

For the French, the greatest failing of the Maginot Line arguably lay not in its conception, but in the opportunity costs that its construction imposed. The 87 miles of fortifications that were completed by 1935 cost some 7 billion francs ($8 billion in 2015 terms), over twice the initial estimate when the effort began in 1930. Depending on the source, the entire French defense budget in 1935 was between 7.5 (John Mearsheimer) and 12.8 billion (Williamson Murray) francs. As a result of this stupendous outlay, French military development in all other areas, from tanks to aircraft, suffered.

In other words, the current US regime is looking at data suggesting airports are the vulnerable path for entry and yet is proposing money be spent on something completely unrelated to airports. France in this scenario would be looking at data suggesting forests and neutral countries are the vulnerable paths for entry and blowing its budget on a wall elsewhere.

Terrorists trying to infiltrate the U.S. across our southern border was more of a theoretical vulnerability than an actual one…the figure she seems to be citing is based on 2017 data, not 2018, and refers to stops made by Department of Homeland Security across the globe, mainly at airports.

Does a wall on the border help with the real vulnerability in airports? No. The wall expense actually hurts, making the US materially less safe. One might conclude that shutting the government down, reducing active defenses at airports, to force a redirection of security funds to a useless wall is a very cynical plot that any hostile adversary would dream about.

To put a finer point on it, the expensive shutdown and the demand for an expensive wall both reflect the self-harming anti-American mindset of the current regime, and present grave dangers to US national security.

The long answer is thus that walls work at a very primitive level, which tends not to be worth the cost except in very particular cases where the predicted results are known and wanted. In the present context of the US border, there is no imminent threat and there is little to no chance of success without massive investment in detecting other methods of entry predicted (again, for a non-imminent threat).

There’s a reason AV is mostly free today. And it’s the same reason building a wall on the US border has been pitched as extremely expensive response to a fantasy threat, meaning it has little to no real value. Someone is trying to redistribute wealth and quit before people realize the walls are a distraction, where wasting time and money turns out to have been the objective (to hurt America).

History is pretty useful here, as we can easily prove things like walls have for thousands of years failed to prevent people climbing up (and down) them.

It is believed that the idea of a ladder was used over 10,000 years ago. We know this because pictures of them were discovered in a cave in Spain.

The ladder is also mentioned in the Bible. Jacob had a dream and in the dream he saw a ladder reaching from Heaven to earth.

Fun fact, ladders are much older than wheels. That’s right, ladders are more than twice as old as the wheel! And we obviously can say walls came before ladders. Thus always remember, when someone asks you which is older the wheel or the wall, go with the ladder (pun intended).

It remains to be seen, however, whether this sort of wall debate and debacle making the US less safe is going to force the US regime leader to step-down.

Incidentally, the Maginot example was not my only one on that speaking tour. Since I was invited to speak in England as well as the US, I thought it only fitting in 2010 that I use castle walls as an example of technology shifts, like a cannon, sawzall or a hypervisor escape vulnerability…the kind of inexpensive and fast-moving thing that makes wall builders shudder:

At Least Five LiDAR Challenges for Vehicles

Sensors Online has a nice summary of the current product management view for LiDAR manufacturers. They spell out these five concerns:

  1. Size
  2. Cost
  3. Reliability
  4. Range
  5. Eye Safety

Conspicuously missing from the list (pun not intended) is integrity of the data.

Reliability in the above list refers only to environmental risks (“replace the moving parts with a solid-state alternative with each component able to meet Grade 1 temperature and qualification”) instead of the sort of overconfidence in imagery I’ve spoken about in the past (August 2014 “Babar-ians at the Gate: Data Protection at Massive Scale,” Blackhat USA)

To be fair, the article is kind of a hidden marketing pitch, written by a company promoting its new line of products:

…patented flip-chip, back-emitting VCSEL arrays that combine high pulsed power arrays, integrated micro-optics, and electronic beam steering on a chip.

So it makes sense they aren’t going to talk about the more fundamental flaws in LiDAR that their company/product isn’t solving.

EV Charging Station Vulnerability

Anyone else read this article about the bug in a Schneider product?

At its worst, an attacker can force a plugged-in vehicle to stop charging

At its best, an attacker can give away power for free.

That’s basically it. A hardcoded password meant the power could be disabled, although really that means it could be enabled again too. Breaking news: a switch installed in public places could be switched without special switching authorization.

It’s kind of like those air pumps at gas stations that say you need to insert $0.25 when really you just have to push the button, or at least yell at the person in the station booth “hey I need some air here, enable the button so I can push it” and you get air for free.

Breaking news: I got some air for my tires without inserting a quarter. Someone call TechCrunch journalists.

Seriously though, it would be news if someone actually had to pay for a plugged-in tire to start filling.

If a gas station owner insists that you have to pay for air even after you’ve used the pump, stand your ground. If that doesn’t work, here’s the form to report the station to state officials.

That’s right, and speaking of denial of service…an attacker could even run off with a gasoline pump hose (they have safety release mechanisms) or an air hose. Such a brazen attack would leave cars that have tires and gas tanks without services when they pull into a station.

Fuel host disconnects do happen fairly often, by the way. So often there are even videos and lots of news stories about why and where it happens (protip: bad weather is correlated):

And yet TechCrunch wants us to be scared of EV cables being disconnected:

…unlock the cable during the charging by manipulating the socket locking hatch, meaning attackers could walk away with the cable.

Safety first, amiright? Design a breakaway and attackers can walk away with the cable…for safety.

Such a “vulnerability story” as this EV one by TechCrunch makes me imagine a world where the ranking of stories has a CVSS score attached…a world where “news” like this can theoretically never rise above stories with a severity actually worth thinking about.

An attacker could disable or enable a charging point, where charging status is something easily monitored and on a near-continuous basis. Did your car just stop charging? It’s something you and the provider ought to know in the regular course of using a power plug.

This ranks about as low as you can go in terms of security story value…yet a journalist dedicated a whole page to discuss how a public power-plug can be turned on and off without strong authentication.

Dust-sized battery-free AI sensor with RF-free wireless

The title of this post is the announcement I just received in a CES invite to assess product security. Well, technically it was a “VIP lounge” invite more than a “please break our product” invite, but I treat them the same if you know what I mean.

Perhaps most infamously when I went to CES many years ago and met with 3Com to review their brand new wifi access points (first to market), I immediately pointed out that hard-wired WEP keys was a VBI (very bad idea). 3Com product managers were unapologetic, citing usability as their ace card. “Nobody will use wifi if we make key management hard” they said like a blackjack player scooping all the chips into their lap. We both were right, but they no longer exist (acquired 2010 by HP and never heard from again).

I suppose today what stands out to me most about this new announcement is the “dust-sized” marketing.

Some may remember I have presented in by “big data security” talks specifically on the paranoia that should accompany any developments in dust level of tracking devices, as well as the ironic fact that if you walk in an obfuscating level of dust (more probably sand) it leaves obvious tracks.

Cretaceous period (127m year old) dust printsCretaceous period (127m year old) dust print

I’m looking forward to breaking this new product to point out the VBIs, and maybe even coming up with something like “sweep deprivation” models.

IBM Watson Sued by LA County for Secretly Tracking Users

Let’s get one thing out of the way. IBM’s Watson was instrumental to the Nazi Holocaust as he and his direct assistants worked with Adolf Hitler to help ensure genocide ran on IBM equipment.

When IBM’s director of worldwide media relations, John Bukovinsky, was asked about the disclosures in 2001 and 2002 of the company’s involvement in facilitating the extermination of millions of Jews, Gypsies and others, he replied, “That was six years ago [sic].” When a reporter pointed out that the Holocaust itself was some 60 years ago, Bukovinsky quipped, “So what. What is the point?”

The idea that IBM would want to market their big data system after the man notorious for meeting with Nazi leaders to deliver counting machines for genocide…it’s a pretty big sign that the evils of Watson are something to keep an eye out for even in the present day.

As Edwin Black wrote in “IBM and the Holocaust: The Strategic Alliance between Nazi Germany and America’s Most Powerful Corporation“:

Thomas Watson was more than just a businessman selling boxes to the Third Reich. For his Promethean gift of punch card technology that enabled the Reich to achieve undreamed of efficiencies both in its rearmament program and its war against the Jews, for his refusal to join the chorus of strident anti-Nazi boycotters and isolators and instead open a commercial corridor the Reich could still navigate, for his willingness to bring the world’s commercial summit to Berlin, for his value as a Roosevelt crony, for his glitter and legend, Hitler would bestow upon Thomas Watson a medal — the highest it could confer on any non-German.

Fast-forward to today and IBM’s Watson has been charged with user location tracking using an innocent-sounding weather app.

In a complaint filed Thursday in California state court, the city alleges IBM used detailed location data from users for targeted advertising and to identify consumer trends that might be useful to hedge funds, while at the same time telling consumers their location would only be used to localize weather forecasts. The suit doesn’t allege personally identifiable information was sold.

“Unbeknownst to many users, the Weather Channel App has tracked users’ detailed geolocation data for years,” the complaint alleges, calling the Weather Channel’s actions “unfair and fraudulent.” The complaint also says the Weather Channel profited from the data, “using it and monetizing it for purposes entirely unrelated to weather or the Weather Channel App.”

Again, it’s hard to fathom that IBM would want to name a big data machine Watson. It’s even harder to fathom that someone in IBM thought lying about user location tracking to monetize ill-gotten data was a good move…but then I just go back to them naming their machine Watson.

Arizona Rush to Adopt Driverless Cars Devolves Into Pedestrian War

Look, I’m not saying I have predicted this exact combat scenario for several years as described in my presentations (and sadly it also was my Kiwicon talk proposal for this year), I’m just openly wondering at this point why Arizona’s rabidly pro-gun legislators didn’t argue driverless cars are protected by Waymo’s 2nd Amendment right to bear arms, like consumer-grade armored tanks that also carry people or goods inside. AZ Central reports:

People have thrown rocks at Waymos. The tire on one was slashed while it was stopped in traffic. The vehicles have been yelled at, chased and one Jeep was responsible for forcing the vans off roads six times.

Many of the people harassing the van drivers appear to hold a grudge against the company, a division of Mountain View, California-based Alphabet Inc., which has tested self-driving technology in the Chandler area since 2016.

The one or two people operating the tens of thousands of weapons (driverless cars) on public roads are counting on their surveillance capabilities as much as their armored weapons to keep the upper hand in this fight. AZ Central continues:

The self-driving vans use radar, lidar and cameras to navigate, so they capture footage of all interactions that usually is clear enough to identify people and read license plates.

According to police reports, Waymo test drivers rarely pursue charges and arrests are rare. Haselton was charged with aggravated assault and disorderly conduct, and police confiscated his .22-caliber Harrington and Richardson Sportsman revolver.

“Haselton said that his wife usually keeps the gun locked up in fear that he might shoot somebody,” Jacobs wrote in the report. “Haselton stated that he despises and hates those cars (Waymo) and said how Uber had killed someone.”

Let’s be clear here. The grudge being referenced is related to people in a neighborhood being upset about the rollout of armored weaponry.

Tense scene unfolds in Arizona 2018 as locals resist the Waymo rolling displays of unregulated power

Think of the irony that Arizona residents have a grudge against driverless cars because they are in effect weapons being wielded unsafely in a public space, killing people (this is the infamous state that won’t even hear an argument about regulating guns).

Waymo is like someone taking their gun off the gun range and not being able to keep their pistol holstered, let alone rounds unchambered, wandering around waving it in everyone’s face. You think the neighborhood is just going to look the other way while that barrel points at their family and friends?

Compare that grudge with some poignant analysis just a year ago that was titled “Arizona is a heaven for test new cars – USA TODAY” (which at some point changed its title to “Why automakers flock to Arizona to test driverless cars”. TL;DR:

  • relatively light regulatory environment of the past two and a half years
  • weather allows for year-round testing of vehicles, and low rainfall means minimal disruptions…low winds and a temperature range that is conducive to completing regulatory tests almost every day of the year
  • desert offers car manufacturers a remote and private testing location that’s away from the prying eyes

Allow me to translate this analysis into technology ethics: lawless and opaque makes for easy hurdles, and low standards means quick money for investors. The desert has no actual environmental risk. Testing in a vacuum chamber means your product is ready for use in a vacuum, not public streets. And testing with zero outside observability/validation of claims means you aren’t anywhere close to ready for deployment.

Desert vehicle development is about as sane as developing moon vehicles and saying it’s the wrong type of planet when they can’t move with earth’s gravity.

To put it another way, the Governor of Arizona scoffed at other states where leaders held human life up as a value worth protecting and preserving. The money hungry Arizona official literally said he is happy to promote profit over safety.

In August 2015, Ducey signed an executive order allowing the testing of autonomous cars on public roads, hoping the cars will fuel “economic growth, bring new jobs, provide research opportunities for the state’s academic institutions and their students and faculty, and allow the state to host the emergence of new technologies.”

It looks like Ducey didn’t think very hard about how selling out human life for a boom in weapons sales might backfire. Nothing in that list of benefits says there is an ounce of care for public safety or health, amiright?

Mo’ money, mo’ problems.

August 2015: regulations are dropped, standards are non-existent. Anyone wanting to develop weapons for public roads is invited to Arizona

December 2017: newspapers describe Arizona as “Heaven” for developing weapons to wave around in public without need of any safety training or controls

Wait for it…

March 2018: “The governor of Arizona has suspended Uber’s ability to test self-driving cars on public roads in the state following a fatal crash last week that killed a 49-year-old pedestrian”

Uber using an automatic weapon to kill one person and getting regulated in Arizona compares oddly to the 68% of all homicides in the state committed with a gun and the nearly 1,000 people killed a year in Arizona by guns that get zero regulation discussion (see above).

Oh, but who could have predicted that removing regulations and allowing weapon development to launch straight to the streets would invite bad corporate behavior? Not only me, giving public presentations about this problem, also internal engineers who documented how “there were a lot of warning signs” yet Arizona’s “Heaven” meant they were neither attended to internally to pass regulations nor exposed to regulators:

“A car was damaged nearly every other day in February,” Miller said. “We shouldn’t be hitting things every 15,000 miles.”

Miller pointed to an incident in November 2017, when an Uber car had a “dangerous behavior” that nearly caused a crash. The driver notified his superiors about the problem, Miller wrote, but the report was ignored. A few days later Miller noticed the report and urged the team to investigate it.

But Miller says his request was ignored—and when he pressed the issue with “several people” responsible for overseeing the program, they “told me incidents like that happen all of the time.” Ultimately, Miller said it was two weeks before “anyone qualified to analyze the logs reviewed them.”

So there you have it. 2015 effort to reduce safety control levels so weapons can flood the market. 2017 weapons entering market are causing harm and at frequent intervals, indicating escalation to wider and more severe conflict.

Doesn’t it seem obvious that this ended with a meek 2018 effort to put the weapon genie back in the bottle…yet any historian can tell you once battle lines have been drawn and people are angry about their clan being attacked, they are going to harbor some hostility.

So with all that in mind the big question now becomes as the weapons manufacturers switch to their all-encompassing surveillance systems to undermine the nascent groups of resistance, whether they also will claim their manufacture and sale of automatic high-power weapons is protected behavior anyway under the 2nd Amendment.

We have seen some of that messaging already, as Uber and Tesla used to be fond of saying their particular brand of automatic weapons will reduce deaths on the streets, much in the same way that totalitarian governments would argue how top-down centrally controlled armored divisions are the way to keep the public safe from itself.

And in that sense, are Arizonan’s really crazy if they read the Uber story of deaths for profit and then think of themselves as preventing harm to their fellow citizens by stepping out into the street early to disable the Waymo weapon systems rolling into and over neighborhoods?

RIP Simcha Rotem

Simcha Rotem has passed at 94. He was only 15 when Germany invaded Poland. He and his mother were wounded by German bombing raids that killed his brothers and grandparents. By the time he was 19, he served under Marek Edelman to resist Nazi incursions, leading to the outbreak of combat.

The insurgents preferred to die fighting instead of in a gas chamber at the Treblinka death camp where the Nazis had already sent more than 300,000 Warsaw Jews.

Speaking at a 2013 ceremony in Poland to mark the 70th anniversary of the uprising, Rotem recalled that by April 1943 most of the ghetto’s Jews had died and the 50,000 who remained expected the same fate.

Rotem said he and his comrades launched the uprising to “choose the kind of death” they wanted.


As the Germans pounded the Ghetto and the uprising faltered, Rotem was instrumental in helping fighters flee to safety through the Warsaw’s sewer system to forests outside the city.

He continued to fight alongside Polish partisans and in 1944 participated in the Warsaw Uprising. After the war he joined avengers group Nakam, which was dedicated to exacting vengeance on Nazi war criminals.


Why the US South Needs You to Send More $50 Grant Bills

The Washington Post has a well researched and written story about why the US Republican party is defined by their racism. Oh, maybe I should say spoiler alert:

…slavery’s enduring legacy is evident not only in statistics on black poverty and education. The institution continues to influence how white Southerners think and feel about race — and how they vote. Slavery still divides the American people

That’s right, the GOP uses racism to win, according to scientists who look at the data and patterns of voting. What they key in on is evidence that white children in racist families of the US south aren’t being educated away from their racism, and cling instead, which means racist sentiment will last many generations.

It is no coincidence that Jefferson Beauregard Sessions III, with his ties to the Klan in Georgia, was named Attorney General of the US in 2016 by the son of a Klansman.

In case it isn’t clear what that name represents…three generations of traitor-ship founded on racism:

The question is who today would vote white supremacists into office to represent all people, given hateful statements and overt support from Klansmen. And the answer is clearly Republicans, using a signaling method called “personal responsibility” that denies slavery was a hardship, let alone requires restoration.

GOP doctrine on the importance of personal responsibility, together with elevated rates of black poverty and unemployment, help some Republicans rationalize their belief that people of color are inferior — beliefs they probably developed in childhood.

Today this is much easier to discuss than just eight years ago. Back then people were still trying to say Republicans had things to say that weren’t necessarily racist in foundation. Take for example this story from 2010:

Shame on the 14 Republican congressmen who last week proposed substituting Ronald Reagan for Ulysses S. Grant on the $50 bill. Their action suggests they need a history lesson about the Northern general who won the Civil War and went on to lead the country.

That’s a great piece by a historian that doesn’t mention Republicans being racist.

To put this into context, a black president is elected in 2008. White Republicans then set about trying to remove President Grant from the $50 (despite being famous for being the greatest General in American history, one of the top three presidents in American history, and globally respected as a champion for human rights) and replace him with President Reagan, a man notorious for ties to white supremacists, campaigning on white supremacy, denigrating civil rights leaders like MLK (until he was forced to concede), and that’s not to mention supporting genocidal dictators. Here’s your Republican icon history right here:

Reagan chose [theme of violent white resistance to integration] to kick off his Deep South presidential campaign in 1980

Let’s look a little closer at the people trying to push Grant off the $50.

Rep. Patrick McHenry, R-N.C…introduced the legislation last month. He says it’s not about Grant but about honoring Reagan in the same fashion as Democratic presidents…

You have to marvel at the fact that McHenry doesn’t know that Grant was a Republican. Then you have to marvel at the fact McHenry is saying that pushing Grant off the bill isn’t about Grant. Do you think he meant that? Check out his own words, when he tried to explain:

…it has very little to do with Grant and so my response is very simple. I believe that Ronald Reagan, as most historians do, was the better president…

That means it absolutely is about Grant. McHenry is touting a white-supremacist line that Grant wasn’t a better president than Reagan. Grant won the civil war, introduced civil rights, created the DoJ, created the national parks, wrote an amazing autobiography in a race to finish before death from cancer…I mean his long list of accomplishments and massive popularity at his death should speak for themselves.

Reagan (perhaps most infamous for being absent minded, a figure-head and aloof while in office) has nothing on Grant, which we’re only talking about here because McHenry tried to argue Grant wasn’t better than Reagan, while saying it’s not about Grant. Reagan literally was almost removed by his own aides for being inept at his job, as they had to give him competency tests:

Most high-level White House aides believed that President Reagan was so depressed, inept and inattentive early last year in the wake of disclosures in November 1986 about the Iran-contra scandal that the possibility of invoking the 25th Amendment to remove him from office was raised in a memo to Howard H. Baker Jr., who was just taking office as Reagan’s chief of staff.

Former Baker aide James Cannon, confirming facts reported in a newly published book, said in an interview yesterday that he wrote a March 1, 1987, memorandum based on the aides’ concern and raising the possibility of applying the amendment.

Baker took the recommendation seriously and, with Cannon and two of his own aides, spent part of a day observing Reagan’s behavior before concluding that the president was sufficiently competent to perform his duties, according to the book.

Reagan is not a man who has any business threatening the amazing legacy of Grant, the warrior and patriot who reluctantly became president to continue to help save the nation and fight for freedom for all by destroying the KKK.

I combine the Washington Post story above with this one about their attempts to erase Grant from their own party to replace him with a barely competent Reagan who feted dictators and funded genocides… and it seems what the maps of the poor south really need is an infusion of Grant bills.

Send Grant back into the areas that are to this day being oppressed by the present-day Republicans who are perpetuating America’s racist legacy among their children and who refuse to end their family battle against civil rights.

Also let’s get Jackson off the $20 already…sheesh, talk about an awful legacy that should be deprecated ASAP.

“United States history is not Andrew Jackson vs. Harriet Tubman,” the Tennessee Republican said.

This week’s announcement that Jackson, a white slave owner from Tennessee, will be booted to the back of the $20 bill to make room for Tubman, a black anti-slavery activist, has left many in Jackson’s home state feeling that the change [will] diminish Jackson’s legacy [and] celebrate Tubman’s accomplishments.

That’s right. A Republican actually said US history is not about a white supremacist president who actively perpetuated slavery to expressly deny rights to black Americans, versus a black American who wanted rights.

That is so patently wrong. US history literally is about Jackson perpetuating slavery 30 years longer than the rest of the world. It is about all the moves he made from a white supremacist power position to block Tubman, and anyone else like her in the underdog reformer and freedom advocate seat, from being successful.

Time to send some Grant, send some Tubman, and tell the children in the US south all the real history of America that will help people be realists about how and why the Republican party is so racist.

the poetry of information security