Okta SRE Pleads Guilty to Stealing IDs to Violate Women’s Privacy

Once again, cloud services very predictably show why they can be less secure than running your own.

We’ve warned for many years of cloud insider abuse like this, using examples from Uber, Google and Facebook.

In many of these cases it’s male engineers in American technology companies using their power and privilege to stalk and abuse women.

The US Department of Justice has posted details of a 34-year-old man who is said to have worked at Yahoo.

In pleading guilty, Ruiz, a former Yahoo software engineer, admitted to using his access through his work at the company to hack into about 6,000 Yahoo accounts. Ruiz cracked user passwords, and accessed internal Yahoo systems to compromise the Yahoo accounts. Ruiz admitted to targeting accounts belonging to younger women, including his personal friends and work colleagues. He made copies of images and videos that he found in the personal accounts without permission, and stored the data at his home. Once he had access to the Yahoo accounts, Ruiz admitted to compromising the iCloud, Facebook, Gmail, DropBox, and other online accounts of the Yahoo users in search of more private images and videos. After his employer observed the suspicious account activity, Ruiz admitted to destroying the computer and hard drive on which he stored the images.

That last sentence is concerning for anyone who has done digital forensics. How was Ruiz tipped off that he was being observed by an internal investigations team?

He wasn’t just a software engineer, he was a Site Reliability Engineer (SRE). And he wasn’t just a Yahoo engineer:

LinkedIn profile of Reyes Ruiz, identity thief hired as SRE by Okta

That career path reveals a far worse story than what is being reported right now.

An SRE is a person with deep access inside the cloud provider. They are trusted with the most sensitive data because, in theory, a system could become unreliable or go offline if they were denied that access.

For example, here’s a single-line PowerCLI command in VMware environments that exports a copy of an entire server folder off the datastore. In a disaster-recovery scenario it could be essential to keeping services running:

Copy-DatastoreItem vmstore:\Datacenter01\StorageArray01\DBNodes\* C:\SREisGod\StolenUserSecrets

Imagine instead, as the destination path name at the end of that line suggests, an evil SRE who just wants to steal ALL the data. SRE staff literally hold the keys to any kingdom that trusts their employer. Even if the data was stored encrypted by the storage array, this command gets it decrypted by design: transparent encryption at rest hands clear blocks to any caller the platform has already authorized, and the SRE is that caller. The one caveat is per-VM encryption with keys held outside the SRE’s reach (vSphere VM encryption backed by an external KMS, for instance), where the copied files stay ciphertext; ask the provider which of the two they actually run.

I’ve repeatedly designed systems to protect against exactly this kind of insider threat, and customers need to explicitly ask for proof that such controls exist. This is a disaster for both Okta and Yahoo if they cannot account for SRE access on their systems, particularly during the hours Ruiz was working.
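As an added example (not code from the original post, Okta, Yahoo or VMware), here is the kind of check a provider should be able to run over its own audit trail to answer exactly that question: which privileged account copied what, when, where to, and under which change ticket. The record format, account names, dates and policy values are all assumptions constructed for the example; in practice the input would be vCenter event exports or PowerCLI transcript logs.

```python
"""Flag bulk datastore exports by privileged accounts that fall outside an
approved change window, lack a change ticket, or go somewhere unexpected.

Added example, not code from the original post, Okta, Yahoo or VMware. The
record format, account names and policy values are assumptions; in practice
the input would be vCenter event exports or PowerCLI transcript logs.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone
import re

# Constructed sample records, one per datastore copy (assumed format).
SAMPLE_LOG = """\
2019-09-30T02:14:07Z user=sre-alice src=vmstore:/Datacenter01/StorageArray01/DBNodes/* dst=C:/SREisGod/StolenUserSecrets bytes=812345678901 ticket=-
2019-09-30T22:05:11Z user=sre-bob src=vmstore:/Datacenter01/StorageArray01/DBNodes/db01.vmdk dst=//dr-nas01/replica bytes=53687091200 ticket=CHG-4412
2019-10-01T14:31:44Z user=sre-alice src=vmstore:/Datacenter01/StorageArray01/WebNodes/web03.vmdk dst=//dr-nas01/replica bytes=21474836480 ticket=CHG-4418
2019-10-01T23:58:02Z user=svc-backup src=vmstore:/Datacenter01/StorageArray01/DBNodes/* dst=//dr-nas01/replica bytes=912345678901 ticket=CHG-4401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"bytes=(?P<nbytes>\d+) ticket=(?P<ticket>\S+)$"
)

# Assumed policy: whole-folder exports only by the backup service account,
# only to the DR target, only in the nightly window, always with a ticket.
SERVICE_ACCOUNTS = {"svc-backup"}
APPROVED_DESTINATIONS = {"//dr-nas01/replica"}
WINDOW_START, WINDOW_END = time(21, 0), time(23, 59, 59)


@dataclass
class CopyEvent:
    ts: datetime
    user: str
    src: str
    dst: str
    nbytes: int
    ticket: str


def parse_events(text):
    """Parse the constructed record format; malformed lines are skipped
    rather than aborting the whole audit."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        ts = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(CopyEvent(ts, d["user"], d["src"], d["dst"],
                                int(d["nbytes"]), d["ticket"]))
    return events


def findings_for(ev):
    """Every policy rule the event breaks, in a fixed order."""
    findings = []
    if not WINDOW_START <= ev.ts.time() <= WINDOW_END:
        findings.append("outside change window")
    if ev.ticket == "-":
        findings.append("no change ticket")
    if ev.dst not in APPROVED_DESTINATIONS:
        findings.append("unapproved destination")
    if ev.src.endswith("/*") and ev.user not in SERVICE_ACCOUNTS:
        findings.append("wildcard bulk export by interactive account")
    return findings


def audit(text):
    return [{"ts": ev.ts.isoformat(), "user": ev.user, "findings": findings_for(ev)}
            for ev in parse_events(text)]


def bytes_by_user(text):
    """Volume copied per account: the figure an employer must be able to
    produce for any hour a privileged engineer was on shift."""
    totals = {}
    for ev in parse_events(text):
        totals[ev.user] = totals.get(ev.user, 0) + ev.nbytes
    return totals


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        if row["findings"]:
            print(row["ts"], row["user"], "; ".join(row["findings"]))
    print(bytes_by_user(SAMPLE_LOG))
```

The first record trips all four rules at once; the third is a routine export that merely happened outside the window, which is the sort of alert an SRE team will argue about. The value of the check is not the ruleset but that the per-account totals exist at all, which is what a customer should demand to see.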

His eight months at Okta, a widely used identity management company, could be an even bigger problem than Yahoo. To be fair, the timing is interesting in both cases: when he joined Yahoo in 2007 it was the biggest identity provider in the world, and in 2018 Okta was claiming to be the leader in this space.

Okta apparently fired him as soon as the indictments detailing his long-term abuse of privileged SRE access to game identity management were unsealed. What Okta hasn’t said is whether it has concluded an internal investigation of all the access he had to identity data as an SRE.

This is huge. I can’t overstate enough that an identity management cloud provider, holding the secrets of millions of people, hired an identity thief. It’s like saying a bank hired a bank robber to guard their safe.

Given inside knowledge and access at the service provider, he admitted cracking the passwords of thousands of young women, including those he knew and worked with, in order to steal their images. Then he used that identity information to pivot into their other cloud accounts that shared the same password and steal more images.

Two lessons here:

One. Okta is a core identity management company that hired a predator who clearly joined companies to commit crimes. Anyone using Okta or a similar service needs to be prepared for this level of insider threat being reported. Although we can pressure Okta on why screening didn’t block this hire, we can’t assume screens will be perfect; instead we should demand they prove his actions were limited and detected.

Two. Re-use of passwords is what let one evil cloud staff member access so many other cloud accounts. Impersonation was possible because users hadn’t set up different passwords on each cloud service. Password managers are free and a baseline requirement for users today. Multi-factor authentication (MFA) would also have made SRE theft of user secrets less effective and should be considered another baseline requirement (caveat: nothing is perfect; see the new FBI warning on MFA bypass).

There’s a third point about avoiding tipping off suspects during investigations, and preserving evidence, but we don’t have enough details yet on why or how badly that security team at Yahoo was compromised.

Drone Wars in Syria

Russian gas-engine model plane (Orlan-10 drone) downed in Syria with its big red parachute

AINonline offers numbers on drones in battles over Syria. Russia has recorded 23,000 flights of its own and claims 118 opposition drones shot down, the vast majority this year.

The following section on “gaps in electronic warfare shield” was particularly interesting as it emphasizes Russia’s current dependence (pun not intended) on primitive jamming systems and kinetic counter-measures.

Russian official, deputy defense minister for military technical cooperation with foreign countries General Aleksandr Fomin, accused U.S. forces of assisting the Syrian rebels in carrying out drone attacks on the Khmeimeem airbase. Speaking at the Xiangshan security forum in Beijing last fall, he said that, “a group of 13 drones moved according to a common plan of combat deployment, under control of a single crew team. That time, a U.S. Navy P-8 Poseidon ASW aircraft was on an eight-hour patrol mission over the Mediterranean Sea. Upon reaching our electronic warfare shield, the drones retreated somewhat to receive correcting instructions and began using satellite communications channels to receive outside assistance to find and explore gaps in that shield. Then the drones attempted to penetrate through, only to be destroyed.”

Apparently, Fomin was referring to January 6, when Russian forces shot down seven drones with anti-aircraft missiles and crash-landed seven by jamming the drones’ flight control systems.

Unclear why seven and seven was reported as a group of 13 drones.

The rising scale of drone operations by Russia is part of a tale (pun intended) of their newfound ability to turn the U.S. into a dog they hope to wag around.

Google Calculator is Watching You

Go to the Google store and look at their calculator carefully.

Under permissions for their calculator, we see this list:

  • view network connections
  • full network access
  • prevent device from sleeping
  • read Google service configuration
  • measure app storage space

Full network access? For a calculator?

Map of Google calculator network traffic flows

Unfortunately you can’t filter apps in the store by level of permission requested.

A simple filter could get rid of calculators that inexplicably demand full network access, let alone other strange levels (some require access to both local storage and removable storage). Imagine setting a preference in your profile that allows the most private apps to be ranked highest…

Calculators without network privileges do exist, which raises the question why Google’s gigantic security team lacks the ability to remove network access from an app that quite obviously has no need for it.

Here are a couple counter-examples:

Calculator Free

  • This app has access to: control vibration
  • That’s it

Calculator E Plus

  • This application requires no special permissions to run.
  • That’s it
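As an added example, not code from the original post or from Google, here is the filter the store could offer: parse each app’s manifest, compare the requested permissions against a per-category baseline, and rank the apps with the least excess first, weighting network access most heavily. The three manifests and the calculator baseline are constructed for the example, and the store wording for each permission is my own mapping of the labels quoted above. Against real APKs the input would come from `aapt dump permissions app.apk` or the decoded AndroidManifest.xml.

```python
"""Rank apps by the permissions they request against what their category
actually needs, so a store could sort 'most private first'.

Added example, not code from the original post or from Google. Manifests
and the category baseline are constructed; for real APKs use the output of
`aapt dump permissions app.apk` or the decoded AndroidManifest.xml.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Manifest permission -> wording shown in the Play store listing (my mapping).
STORE_LABELS = {
    "android.permission.INTERNET": "full network access",
    "android.permission.ACCESS_NETWORK_STATE": "view network connections",
    "android.permission.WAKE_LOCK": "prevent device from sleeping",
    "android.permission.VIBRATE": "control vibration",
}
NETWORK_PERMS = {"android.permission.INTERNET",
                 "android.permission.ACCESS_NETWORK_STATE"}

# Assumed policy: the only thing a calculator may legitimately ask for.
CATEGORY_BASELINE = {"calculator": {"android.permission.VIBRATE"}}


def _manifest(pkg, *perms):
    """Build a minimal constructed AndroidManifest.xml for the example."""
    body = "".join('  <uses-permission android:name="%s"/>\n' % p for p in perms)
    return ('<manifest xmlns:android="%s" package="%s">\n%s'
            '  <application android:label="%s"/>\n</manifest>'
            % (ANDROID_NS, pkg, body, pkg))


MANIFESTS = {
    "com.example.calc_networked": _manifest(
        "com.example.calc_networked",
        "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.WAKE_LOCK"),
    "com.example.calc_vibrate": _manifest("com.example.calc_vibrate",
                                          "android.permission.VIBRATE"),
    "com.example.calc_plain": _manifest("com.example.calc_plain"),
}


def requested_permissions(manifest_xml):
    """Set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")}


def excess_permissions(manifest_xml, category):
    return requested_permissions(manifest_xml) - CATEGORY_BASELINE[category]


def privacy_score(excess):
    # Each excess permission costs 1; network access costs 2 more, because it
    # turns anything else the app can read into an exfiltration path.
    return len(excess) + 2 * len(excess & NETWORK_PERMS)


def rank_by_privacy(manifests, category):
    """(score, package, store-wording of excess permissions), lowest first."""
    rows = []
    for pkg, xml in manifests.items():
        excess = excess_permissions(xml, category)
        rows.append((privacy_score(excess), pkg,
                     sorted(STORE_LABELS.get(p, p) for p in excess)))
    return sorted(rows)


if __name__ == "__main__":
    for score, pkg, labels in rank_by_privacy(MANIFESTS, "calculator"):
        print(score, pkg, labels or "no excess permissions")
```

With this ordering the two permission-free calculators sort to the top and the networked one sinks to the bottom with "full network access" spelled out as the reason, which is the preference the post asks the store to let users set.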

Did Enemy General Lee Delay Aid to Wounded U.S. Soldiers?

Yes. Yes he did.

And now for some American history to give much-needed perspective on the kind of information warfare tactics long used by white nationalists.

There have been many sad attempts over the last several decades to attach the term “butcher” to U.S. General Grant, when it is the traitor General Lee who notably deserved it.

The argument/propaganda tends to go like this: while Grant decisively defeated pro-slavery forces, even capturing multiple armies, too many people died when Grant pressed forward on battlefields to end the war quickly. Somehow Grant should have had fewer casualties while more expediently winning a war that Lee was intentionally making more brutal.

Think about the irony of this propaganda line meant to denigrate Grant.

The pro-slavery militant states seceded by declaring war and then blamed high casualty rates caused by their own leadership tactics (expressly ordering the butchering of U.S. soldiers) on…their sworn target of attack, the United States.

Who was the real butcher?

Also think about the fact that Grant not only was a brilliant tactician, he was the father of the civil rights movement after the war ended. He literally both stopped the pro-slavery generals butchering Americans and then laid a foundation of civil rights to protect against the tribal southern militias (e.g. the KKK) trying to continue butchering Americans after emancipation.

Let’s look now at Chernow’s seminal new work. He very decisively neutralizes the anti-Grant propaganda with first-person source material. It establishes clearly how Grant thought deeply, both strategically and tactically, about how to end the war quickly and minimize suffering:

Start with how Grant is described as reflecting solemnly upon battles, highly concerned with the rate of casualties after doing everything he could to be mindful of and transparent about the costs.

“Grant” by Ron Chernow, p 406

Conversely then we see pro-slavery Confederate General Lee intentionally delaying aid to wounded soldiers who lay exposed and dying on a battlefield. The traitorous Lee maintained a butcher’s mentality through the war, using inhumane tactics against non-whites as well as dehumanization of those who fought to protect the U.S. from its enemies.

Chernow shows here how Lee thought bureaucratic delays to aid would help him maximize suffering of U.S. men, very overtly butchering them and leaving them to die in the worst conditions because he was “intent on teaching a lesson to Grant”.

“Grant” by Ron Chernow, p 406

I have yet to find regrets or similar thoughts in Lee’s writings that achieve the moral high ground of Grant. Instead I find repeated references to this “teaching a lesson” mantra, such that butchering Americans was a pro-slavery political terror tactic.

It’s easy to see why pro-slavery historians have for so long tried to project this “butcher” label onto the wrong man and away from those who had started a war to expand slavery westward. Grant defeated Lee more quickly and decisively than anyone before him. The “heritage” revisionists hate Grant for that simple fact alone.

Lee’s leadership never managed to capture any forces (frequently murdering prisoners of war instead). Other pro-slavery commanders (e.g. General Nathan Bedford Forrest) were infamous for cruelly deceptive and inhumane tactics during the war and, afterwards, for starting the KKK to spread terror campaigns nationally after the end of official hostilities (to this day Forrest City, Arkansas is named for the pro-slavery anti-American terrorist).

Let’s look next at General Forrest, known among pro-slavery groups as “The Wizard of the Saddle” (later named first “Grand Wizard” of the KKK). During war his reputation was built around things like escaping from battle by grabbing a “small” U.S. soldier as hostage and using him as a human shield.

His specialty was sabotaging U.S. supplies and communications, using deception tactics and deceit in what he described as “a heap of fun and to kill some Yankees”. Most infamously, on April 12, 1864, General Forrest drove over 2,000 pro-slavery forces towards the U.S. soldiers in Fort Pillow and twice waved a “flag of truce” at them.

Here two soldiers recall what they witnessed after Forrest stormed the fort and literally butchered hundreds of U.S. soldiers who were surrendering:

“Hymns of the Republic: The Story of the Final Year of the American Civil War”
by S. C. Gwynne, p 19

General Chalmers (Mississippi cavalry who later became known for using violent voter suppression to win a seat in Federal government) reportedly bragged about this event in words similar to General Lee that a butchering at Fort Pillow was intentional and to teach “the mongrel garrison” a lesson.

Harper’s Weekly described the situation in their 1864 news report as murdering women, children and civilians then mutilating the dead:

“Both white and black were bayoneted, shot, or sabred; even dead bodies were horribly mutilated, and children of seven and eight years, and several negro women killed in cold blood. Soldiers unable to speak from wounds were shot dead, and their bodies rolled down the banks into the river. The dead and wounded negroes were piled in heaps and burned, and several citizens, who had joined our forces for protection, were killed or wounded. Out of the garrison of six hundred only two hundred remained alive. Three hundred of those massacred were negroes; five were buried alive.”

General Forrest himself wrote, like Lee and Chalmers said above, that he was intent on being a butcher to send a specific message to the U.S. about white supremacy.

It is hoped that these facts will demonstrate to the Northern people that the Negro soldier cannot cope with Southerners

Fort Pillow Massacre, April 12, 1864 on the Mississippi River in Henning, Tennessee. Scenes of horror as pro-slavery militants butcher to death the U.S. soldiers who had surrendered.

In case it isn’t clear why we’ve slid into a discussion of generals of the pro-slavery rebellion beyond General Lee himself: the massacre at Fort Pillow was widely reported and much discussed in early 1864.

Widely reported. Clearly about being a butcher.

This run-up of events needs to be extremely clear because in July 1864 it was pro-slavery forces directly under General Lee who butchered Black U.S. soldiers trying to surrender and again afterwards as prisoners. Here are the recollections from the Battle of the Crater in Virginia:

“No Quarter: The Battle of the Crater, 1864” by Richard Slotkin, p 294

Who was the real butcher?

Those who ignore or revise history to denigrate Grant are actually hiding the pro-slavery mentality of excessive cruelty in battle and after. People have unfairly and intentionally attacked Grant’s reputation by projecting the crimes of Lee and his men for their own political gain.

Once people admit Grant is the one who stopped these butchers and their massacres and inherent inhumanity of pro-slavery forces, it could open the door to some other very relevant facts about white nationalists and why they continue to be threats to the U.S. even today.

Grant emancipated his slave before the war, then rose through the ranks to win the war, then started a civil rights movement and wrote a memoir that admitted faults and fears about whether a lasting peace would be achieved.

Lee threw away his citizenship so he could start a war to expand the enslavement of humans, and repeatedly left thousands of men dying in great pain for his unjust cause, leaving a legacy of white supremacists who to this day try to defame and denigrate the real American heroes.

Who was the real butcher?

Greenwald provides further analysis of how Grant was brilliant and determined with his strategy, which meant he accepted criticism, while Lee romanticized blunders and infamously would shine his boots sooner than check the welfare of his troops.

Approximately a year earlier, in July 1863, Lee launched a massive assault against Union forces near a small hamlet in southeastern Pennsylvania. That assault, labeled “Pickett’s Charge,” cost Lee’s forces approximately 6,000 men. Yet, that charge has been romanticized and remembered more favorably, and is part of the lore of the fallen Confederacy. Meanwhile, Grant’s assault gave him the moniker “The Butcher.”

Delving even further, Grant had also launched a massive assault against a protruding salient at Spotsylvania Court House. That one broke the Confederate line, ushered in 18 hours of fierce hand-to-hand combat and almost resulted in breaking Lee’s army in half. Grant is not remembered as a butcher for that action.

A “butcher” does not have strategic vision and would continue to batter his head against an entrenched enemy, continue to throw men recklessly against his position. Grant, however, did have a vision: destroy Lee’s army. And if Cold Harbor did not offer that opportunity, then another place of his choosing would.

Grant was no butcher. Chernow closes the case on this, with Grant himself explaining why the title could never fit:

“Grant” by Ron Chernow, p 408

Now if we could just get journalists to stop repeating the “butcher” propaganda and instead fairly depict Grant as the humanitarian leader and brilliant military mind he really was, one who earned global respect for his values and achievements.

This “On to Richmond” painting by Mort Kunstler was commissioned by the Army War College Class of 1991. It depicts Lt. General Ulysses S. Grant on the field during the Battle of the Wilderness, Virginia, May 5-7, 1864. Major General George Gordon Meade, commander of the Army of the Potomac, is to the right of Grant. Grant’s horse was named Cincinnati; Meade’s was Baldy (sometimes called Old Baldy). The red, swallow tailed flag is the Army of the Potomac Headquarters flag. Meade’s forces had crossed the Rappahannock River on May 4, but were forced to stop in the area known as the Wilderness to wait for the supply train to catch up. Confederate General Robert E. Lee resolved to attack the Federal forces while they were in the difficult Wilderness terrain. Fighting was so intense the trees and underbrush in many places caught fire, the glow of which can be seen in the background. (Photograph by: Megan Clugh, USAWC Photographer).

Why Your Toaster Has a Firewall

Presentations I have given over many years about cloud safety reference the fact that a ground-fault circuit interrupter (GFCI) made toasters safe.

My point has been simply that virtual machines, containers, etc. have an abstraction layer that can benefit from a systemic approach to connectivity and platform safety, rather than pushing every instance to be armored.

The background to the toaster safety story actually comes from an electrical engineering professor at Berkeley in the 1950s. He was researching the physiological effects of electric shocks applied to humans and animals, to pinpoint exactly what causes a heart to stop.

He narrowed the cause of death enough to patent an interrupt device for electric lines, which is basically a firewall at a connection point that blocks the flow of current:

The first regulation requiring GFCIs was for swimming pool circuits:

GFCIs are defined in Article 100 of the NEC as “A device intended for the protection of personnel that functions to de-energize a circuit or portion thereof within an established period of time when a current to ground exceeds the values established for a Class A device.” Class A GFCIs, which are the type required in and around swimming pools, trip when the current to ground is 6 mA or higher and do not trip when the current to ground is less than 4 mA.

Fast forward to cartoonists today, and some have obviously completely missed the fact that selling consumers a firewall for connected toasters is a 50-year-old topic with long-standing regulations.

Can’t See the Forest for the Trees? That’s Your Brain on Big Data

Red Necked Falcon by Rajbir Sunny Oberoi

Quanta Magazine quotes a study that reveals how our brains process data, which seems to be both obvious yet also insightful.

The brain prioritizes the detection of objects that are more important for us to see, and those tend to be smaller. To a hawk hunting for its next meal, a mouse suddenly darting through a field matters more than the swaying motion of the grass and trees around it. As a result, Tadin and his team discovered, the brain suppresses information about the movement of the background — and as a side effect, it has more difficulty perceiving the movements of larger objects, because it treats them as a kind of background, too.

I easily can see why our brain would make a priority case for small moving objects against a distant background. Nobody likes getting hit in the head by a baseball.

David Hume, however, famously warned how this tends to make us prone to poor ethical decisions:

There is no quality in human nature which causes more fatal errors in our conduct than that which leads us to prefer whatever is present to the distant and remote

In the security industry we pour investment into bounties for people who overspecialize to the point of repeatedly finding tiny flaws (like the little bird scanning for its next mouse, or the dog catching a ball), while claiming nobody can possibly afford to remain a generalist.

That’s a bad long-term investment strategy, because we become blind to bigger looming directions while we celebrate tiny movements. Admittedly I say this from the position of an inexpensively trained generalist.

Generalists have been shown to reliably predict future events, while specialists increasingly go blind as a consequence of improving discovery only within an extremely narrow band.

Also I’m reminded of perception flaws proven by the Monkey Business Illusion. What do your eyes focus on?

Jeff is a Very Smart Person

This description of Jeff Bezos is…odd.

Jeff is a very smart person (recent infosec issues notwithstanding, he’s probably smarter than you are).

Why is it still allowed to call him very smart if there are infosec issues on shared infrastructure?

Are we seeing a case of Jeff has no clothes on yet his staff are too terrified of his emperor-like “bruising” management style to tell him?

“I’m starting to think Jeff knows he’s not wearing clothes and just wants us to see his penis.”

And which of the many infosec issues are they referring to? Amazon has built a reputation for playing dumb.

As far as I can tell, Amazon only even acknowledged the mistake because Zack Whittaker wrote an article on it. That pretty much forced Amazon’s hand to respond.

Would someone building and maintaining bridges over water that then collapse still be called smarter than you are “notwithstanding” the collapses? Seems unfair, as if to say you can be smart at engineering and yet do harm.

If you are smart enough to avoid a collapse doesn’t that make you smarter and in the most important way (abiding by core engineering ethic of do no harm)?

I’ll be teaching a CS course on ethics again this year and can’t wait to hear what students think of how smart it is for the CEO of a tech company to do harm and play dumb.

Secrecy and Machine-gun Tracer Rounds

Burning bullet powder ignites a small pyrotechnic charge to “trace” fired rounds

Back in 2011 the US Army announced it was researching how to replace the high-visibility tracer rounds with something only they could see.

Tracer rounds today are used primarily with fully automatic firearms; they give off a “large flame behind them during flight allowing observers, including the target, to see where the tracer was fired from. With non-combustible tracers, only the rear of the bullet is emitting light directly at the shooter which greatly reduces the ability of others to determine the shooter’s location. This increases survivability of our forces,” explained Daniel De Bonis, a materials engineer in ARL’s Weapons and Materials Research Directorate.

He said creating a non-combustible, low observable tracer (LOT) round solution, would eliminate the pyrotechnic material that give traditional combustible rounds their ‘fireworks-like effect.’

Presumably this research has faded significantly, because a new announcement has just been made that tracers should be replaced entirely.

USSOCOM is seeking 7.62mm x 51 NATO spotting rounds to replace tracers for adjusting machine gun fire, both day and night, producing a flash and /or smoke signature visible at 800m-1200m. Current tracers allow gunners to observe the trajectory of the rounds and make aiming corrections without observing the impact of the rounds fired and without using the sights of the weapon. However, these rounds give away the gunners position, burn out before the maximum range of the machine gun and draw enemy fire. Replacing tracers with marking or spotting pyrotechnic rounds enables the gunner to directly control the impact on to the target, shows target coverage, and does not disclose the shooters location. This will increase the accuracy of machine gun fire, save ammunition, and increase gunner survivability.

Survival is a trade-off. The shooter has to see, yet not reveal themselves. It’s a tall order to make targeting work from one side’s view only when we’re talking about a high rate of powerful weapon fire. The shooter’s need to see where they are aiming is tough to reconcile with the simple fact that a high-power weapon firing at a fast rate is oozing data about their position.

Image: Hensinger, April 1970: “An entire Army base versus a lone Viet Cong”

US Drone Airbase in Somalia Successfully Blocks Suicide Bomber

Too often the news focuses on the attacks that succeed and not enough on those that fail. We should balance that. There are several lessons to be learned from the most recent al Shabab suicide bomb attack that failed in Somalia.

Let me back up a step first. This isn’t exactly history, but I find it hard to believe half a decade has passed since I was warning about social fitness networks in the cloud, such as Strava.

They immediately seemed to me a dangerous surveillance system with serious confidentiality risks.

To be fair, I also made the point that on a closed network, where the person generating the data owns it and sets reasonable boundaries, heatmaps could be used safely like any other performance monitoring tool.

However, we’ve been talking about the realities of securing big data for nearly a decade here, which tends to mean at public-service scale, where confidentiality is not well protected, let alone understood.

On that level I was warning directly about cloud services being in a position to destroy privacy for thirsty valuation-focused executives who were giving little to no thought about the consequences to the entire information market when trust collapses.

Please excuse the snark here, but my point was that we were fast approaching total information awareness. I was giving a lot of talks about the risks at this point with maps like these:

All of this is background to the fact that Strava was instrumental in leaking Joint Special Operations Command (JSOC) presence. JSOC personnel were likely giving away their secrets unintentionally, so that Strava could generate heatmaps of people jogging around a military airfield in Baledogle, Somalia, used for drones (as FP had disclosed by 2015):

Somali government and AMISOM sources confirmed the existence of a second clandestine American cell in Baledogle, the site of an abandoned Cold War-era Air Force base in Somalia’s sun-blasted Lower Shabelle region. These sources estimated that between 30 and 40 U.S. personnel are stationed there, also carrying out counterterrorism operations that include operating drones.

Unlike parsing heart rate and body temp to pinpoint someone in San Francisco, however, Americans running in Somalia kind of stood out the minute their Strava data uploaded.

Even a view from space could reveal Americans wearing their surveillance devices in Somalia (white dot)

See what I mean?

Again to be fair, I was doing some of this publicly in 2014 to other countries as well:

Why is this so significant in today’s news? Reuters is quoting sources who credit the planners of the failed suicide attack with good intelligence about American movements on that base.

The attack showed al Shabaab maintains a good intelligence network and can mount complex operations, said Hussein Sheikh-Ali, a former national security adviser and founder of the Mogadishu-based security think-tank the Hiraal Institute.

The attack hit a part of the base that houses U.S. special forces, who supervise Somali forces on operations, he said.

“It implies they have a high intelligence and a degree of capability just to get close to that place,” he told Reuters.

I’m not going to argue against the source, just qualify that a “good intelligence network” might in fact mean someone with a browser and an Internet connection monitoring U.S. soldier Strava data that is not being protected by the service provider, or by that service provider’s service providers.
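As an added example (not code from the original post or from Strava), here is how little it takes to turn uploaded activity points into the kind of heatmap hotspot shown in the map above, and the privacy-zone filter a service provider could apply before aggregation so the hotspot never forms. The activity points and the base coordinates are constructed placeholders for the example, not real Strava data or the real location of the airfield.

```python
"""Aggregate fitness-tracker points into a heatmap and show (a) a cluster of
runs around one site reveals it, and (b) a privacy-zone filter applied before
aggregation removes the leak.

Added example; the points and the base coordinates are constructed
placeholders, not real Strava data or a real location.
"""
import math
from collections import Counter

BASE = (2.76, 44.97)        # placeholder "base" coordinates, assumed
PRIVACY_RADIUS_KM = 1.0     # drop points within this distance of a zone
CELL_DEG = 0.01             # heatmap cell, roughly 1.1 km on a side


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def make_sample_activities():
    """Constructed: three users each run five laps of the base perimeter,
    plus one unrelated run in a town about 20 km away."""
    pts = []
    for user in range(3):
        for run in range(5):
            for i in range(20):
                ang = 2 * math.pi * i / 20
                pts.append((BASE[0] + 0.004 * math.cos(ang) + 0.0003 * user,
                            BASE[1] + 0.004 * math.sin(ang) + 0.0003 * run))
    town = (BASE[0] + 0.18, BASE[1] + 0.05)
    pts.extend((town[0] + 0.001 * i, town[1]) for i in range(30))
    return pts


def to_cell(point, cell=CELL_DEG):
    return (math.floor(point[0] / cell), math.floor(point[1] / cell))


def cell_center(cell_idx, cell=CELL_DEG):
    return ((cell_idx[0] + 0.5) * cell, (cell_idx[1] + 0.5) * cell)


def heatmap(points):
    """Cell -> number of uploaded points, i.e. what a public heatmap renders."""
    return Counter(to_cell(p) for p in points)


def hottest_cell(points):
    cell_idx, count = heatmap(points).most_common(1)[0]
    return cell_idx, count


def redact(points, zones, radius_km=PRIVACY_RADIUS_KM):
    """Privacy-zone filter: discard any point within radius_km of a zone
    BEFORE it reaches the aggregate, so the hotspot never forms."""
    return [p for p in points
            if all(haversine_km(p, z) > radius_km for z in zones)]


if __name__ == "__main__":
    pts = make_sample_activities()
    c, n = hottest_cell(pts)
    print("raw hotspot", cell_center(c), n, "points,",
          round(haversine_km(cell_center(c), BASE), 2), "km from base")
    c, n = hottest_cell(redact(pts, [BASE]))
    print("redacted hotspot", cell_center(c), n, "points,",
          round(haversine_km(cell_center(c), BASE), 2), "km from base")
```

The raw aggregate puts its brightest cell on top of the base; after redaction the only thing left to render is the town run. The design point is where the filter sits: a zone applied at upload, before aggregation, protects the aggregate, whereas a zone a user has to remember to set per account protects nothing for the user who forgets.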

The point remains that the attack failed completely. Not only did the dual suicide bombers cause zero casualties, blowing themselves up at the outer perimeter defense system, their entire terror team of 10 was killed.

Somali state news agency SONNA reported that all the militants who took part in the assault had been killed.

“In response to this attack and in self-defense, U.S. Africa Command conducted two airstrikes and used small arms fire targeting al Shabaab terrorists,” a U.S. military statement said.

Some secrets evidently are still safe, or that perimeter would not have worked.

Interesting also is the qualification of self-defense in this event. It suggests the attackers were pursued outside the defense perimeter to be engaged and eliminated. That’s not yet been reported, it’s just a guess based on the qualified statement.

If you think my warnings in 2014 were accurate, even foreshadowing, then consider why I mention the defense perimeter angle here: its relationship with recent domestic “hunt” legislation that, in a very remote sense (pun not intended), could be abused to authorize drone strikes as self-defense almost anywhere.

the poetry of information security