Glory to the Modern Propagandists

The nature of propaganda is that a tiny seed of truth is grown into massive distraction.

People tend to overlook the basic fact that an adversary has used a tiny seed to confuse their whole plans. Any sense of real progress — ultimately a target’s fractured resources are more easily divided or disabled from within than confronted as a whole directly from the outside — falls victim to a tactic that really shouldn’t be so easy.

The problem, to paraphrase Mark Twain, is that it’s much easier to manipulate people than to persuade them they’re being manipulated.

I’ve presented on this many times in the past, such as in 2012, when I explained how Vanuatu’s rapid mobile phone adoption made it ripe for a political coup by manipulating voters. Most recently I spoke of the Russian government targeting foreign athletes with psychological warfare to “get in their heads” and reduce competitive performance against weaker Russian athletes.

Some new analysis from the Alliance for Securing Democracy shows how this all works. Their “Hamilton Dashboard” highlights two important findings in a post titled “Why the Jeffrey Epstein saga was the Russian government-funded media’s top story of 2019”:

…few topics dominated the Russian government-funded media landscape quite like the arrest and subsequent suicide of billionaire financier and serial sex offender Jeffrey Epstein. In its year-end review, RT named the Epstein saga “2019’s major scandal,” and RT UK media personality George Galloway listed it as his number one “truth bomb” of the year (ahead of all the aforementioned events). Given the lack of any notable connection between Epstein and Russian interests, the focus on Epstein highlights the Kremlin’s clear prioritization of content meant to paint a negative image of the West rather than a positive image of Russia.

The first finding is a somewhat obvious one that Russia actively uses seeds that are meant to destroy positive imagery of the West (i.e. reverse the “Hope” campaigns that had resulted in President Obama). Epstein falls into this category.

The second finding is more subtle and implicit. Russia fails miserably to generate any positive image of itself. Every analysis I have read suggests Putin is both desperate and incompetent at forming a national identity, despite ruthlessly positioning himself as a long-term dictator with total control of all resources.

To put it in some context, Putin is a trained assassin, with little to no evidence he can develop a sense of national interest or ability to convey any leadership story about belonging. In fact, these two positions may be contradictory (inherent weakness of being an assassin) given how anyone forming greater identity and purpose would be assassinated; rise of identity could be seen as potential threat to the man with an artificially inflated sense of self worth above everyone else.

Anyway, the graphic for the Hamilton Dashboard on the Alliance for Securing Democracy site really caught my eye as a beautifully done rendition of the classic Soviet propaganda art that Putin seems incapable of achieving (a bit like doing the work for him):

The Hamilton 2.0 dashboard, a project of the Alliance for Securing Democracy at the German Marshall Fund of the United States, provides a summary analysis of the narratives and topics promoted by the Russian government and Russian state-funded media on Twitter, YouTube, broadcast television (RT), and state-sponsored news websites.

For comparison, here’s some actual Soviet propaganda that celebrates creating a powerful aviation industry (a suspicious claim given staggering death tolls in their airline: in 1973 alone the Soviet aviation industry had 27 incidents and 780 people were killed):

This genre of “positive” spin poster of prosperity was backed by a complete suppression of any and all “unfavorable” communication that would challenge a progressive narrative (e.g. propaganda seeds of despair pushed by running a story about Epstein). Especially suppressed by the Russians were news of crimes against humanity (massacres, famines and energy/environmental disasters on Russian soil).

In other words, two diametrically opposed threads can be tracked in Cold War propaganda, posters of hope by the Soviets and counter-posters of despair by the CIA (the subject of Putin’s study while in the KGB).

Example of a Soviet poster pushing a positive narrative of prosperity from labor:

Map of the Soviet Union highlighting the contributions to the economy of its major cities and regions, each represented by symbols for dams, factories, mines, agriculture, and so on. Quoting Premier Nikolai Bulganin (served 1955-58). Source: Boston Rare Maps

Contrarian example of a CIA poster pushing negative narratives (indirectly via Italian media platforms) of demoralizing labor brutality:

A map flanked by long text notes describing the Gulag’s size — “if consolidated, would make a submerged empire the size of Western Europe” — and its staggering brutality, with an “average mortality rate… exceed[ing] 12% a year.” Source: Boston Rare Maps

In the modern context, being the typical self-promoting KGB agent trained in the art of copying everything the CIA did and trying to use it for his own gain, we see clear evidence in the Hamilton Dashboard that Putin is pushing a despair campaign using today’s social media platforms. He doesn’t, however, seem to be able to come up with any positive sense of identity for his own nation.

And I have to say, despite me being a student of these communication methods (even having a degree related to their usage) my attempts at art in this domain simply pale in comparison to what the Hamilton Dashboard has come up with.

Hats off to them… although really I would expect some despair in their graphic if they wanted to play this game right. I mean it seems a bit counterproductive to gift the enemy with banner-level positive glorification imagery that everyone sees when they come to study the enemy.

The same mistake probably should be said for me, in retrospect, as here’s my 2017 image that used to show up in many of my presentations:

“cyberbombs away” 2017

It was a refresh of the 2016 rendition that was even more snarky about the U.S. being way ahead in kinetic yet woefully behind in the more pressing cyber domain…

One CSO and the Three Biggest Breaches of All Time

What if the wolf was blowing hot air from the inside?

Equifax soaks up a lot of news as the example of bad leadership, and there has been a lot said about the CSO role and person. But is it really the example we should focus on the most?

By the numbers, Equifax appears to sit among a wide group of breaches that each lost around 100-150 million accounts:

  • Under Armour
  • eBay
  • Target
  • Heartland
  • Rambler
  • TJX
  • AOL
  • MyHeritage
  • LinkedIn

This group is defined purely by a quantitative measure of the 100-150 million accounts breached. It is unclear how adding qualitative measures (e.g. type of data breached) would change these groups much.

Applying qualitative measures doesn’t explain, for example, why breaches of the most sensitive data will still see a responsible CSO treated incredibly lightly. In fact, the larger breaches arguably align with the more sensitive data when you dig into it. Why are these bigger and more severe breaches ignored, compared to the far smaller breach of Equifax? It doesn’t add up.

Instead, when you look for a correlation of CSO to massive breaches (both in terms of quantity and quality of data lost), all three of the following breaches track back to a single person. This person never did the CSO job before (or even did a similar job at a public or large organization), and is alleged to have facilitated atrocity crimes, and I think it fair to say he never should be allowed to attempt it again:

  1. Yahoo 2013 (undisclosed until 2016) 3 billion breached
  2. Yahoo 2014 (also undisclosed until 2016) 500 million breached
  3. Facebook 2017-2019 over 600 million breached

Equifax doesn’t even appear in the “Information is Beautiful” visualization tool that illustrates the world’s biggest “poor security” failures. Facebook is unmistakably largest:

“…exposed server contained more than 419 million records over several databases that had no password… the latest security lapse involving Facebook data after a string of incidents since the Cambridge Analytica scandal, which saw more than 80 million profiles scraped to help identify swing voters in the 2016 U.S. presidential election. Since then the company has seen several high-profile scraping incidents…”

And yet nothing like the following news cycles seems to exist for such an inexperienced, disgraced CSO that was responsible at Yahoo AND Facebook…

We need to seriously consider whether an Equifax CSO was treated by social media pundits as an outlier and pilloried because she is a woman held to a higher ethical standard than men:

[In a study of sexism at work] …average recommended sentence was around 80 days for Jack and around 130 days for Jane. So that was a difference of nearly two months of jail sentence. …females had a 106 percent higher likelihood of being disbarred than males… punished more severely for the same offenses as men.

Why wasn’t the Yahoo/Facebook CSO scrutinized in a similar fashion given his documented/obvious lack of qualifications in organizational leadership, let alone all the other CSOs within the “100-150 million tier” of breached companies?

This question remains open. And why did the Equifax CSO “retire” yet the Yahoo/Facebook CSO get shifted upward to a research position for the very thing he spectacularly failed at?

On top of the massive confidentiality breaches under the Facebook CSO, his legacy also includes some of the biggest data integrity failures in history (given 50 million accounts breached, a failure to block unfiltered harmful content, and alleged facilitation of political destabilization and atrocity crimes).

The bottom line is one person attempted to be CSO twice, with no prior experience, and seems to have a track record now of nearly 4 billion accounts compromised with highly questionable disclosure practices. Yet this man seems to have escaped all the scrutiny applied to a woman.


Update Feb 3, 2020:

Vice reports “penalties for data breaches and lax security are often too pathetic to drive meaningful change”.

Update Feb 10, 2020:

While Facebook pivoted its CSO role to an external academic appointment at Stanford, and thus continues to be embroiled in breaches, Equifax went the other direction and has stayed above board.

Statement from the new Equifax CSO, announcing criminal charges, shows a clear resolution, far above the lingering dumpster fire legacy of CSO at Facebook and Yahoo:

This morning, the DOJ identified the perpetrators who attacked Equifax in 2017. With breaches, identification of the attackers (or “attribution”) can be incredibly difficult—even impossible. Being able to share this information is the result of an enormous amount of work by authorities. We cannot thank the U.S. Department of Justice, Federal Bureau of Investigation (FBI), and so many others enough for their tireless efforts to achieve this result.

In parallel, Equifax has been transforming our security program—embedding security into our DNA by driving cultural change, implementing advanced controls tailored to the specific threats we face, achieving relevant certifications, and—just as importantly—sharing what we’ve learned with our customers, partners, and authorities.

Equifax partnered with authorities right from the beginning, and two-way information sharing remains a key part of our security program. The importance of partnering with authorities cannot be overstated. If your security team doesn’t know who to contact at the FBI and the Secret Service, change that today.

At Equifax, we are doing our best to make sure that this never happens again and to support others who want to learn from our experience.

Again, nothing even close to that for Facebook has appeared, only more breaches. Yet the person who said he would lead security has not been held to account for doing the opposite.

Update April 28, 2020:

Insiders at Facebook over the past few years have revealed to me that staff asked to be reassigned away from reporting directly to the CSO, as he lacked basic leadership skill and experience. By the time he was forced to resign he had nobody left under his remit.

This has now been exposed publicly as his legacy not only is the largest breaches in history, but also discredited methods and a group “dissolved and dispersed”.

“Facebook has dissolved and dispersed its security group over the last two years, the people said. The latest cuts are part of a change in philosophy on security efforts, spurred by infighting and long-running issues within the department, they said.”

It boggles the mind how Equifax CSO was getting so much attention instead of this one, a global catastrophe of far greater impact both quantitatively and qualitatively.

What if “Something You Are” Can Be Impersonated?

In multi-factor authentication systems, you typically are dealing with three data categories to establish uniqueness: something you know, something you have or something you are.

While you can create knowledge, create a thing to hold in memory, it is that third category of “being” that often raises the most concern.

A print of abolitionist U.S. President Abraham Lincoln was in fact a composite, a fake. Thomas Hicks had placed Lincoln’s unmistakable head on the distinguishable body of Andrew Jackson’s rabidly pro-slavery Vice President John Calhoun. A very intentionally political act.

The fakery went quietly along until Stefan Lorant, art director for London Picture Post magazine, noticed a very obvious key to unlock Hicks’s puzzle — Lincoln’s mole was on the wrong side of his face. Source: Atlas Obscura

There’s an inherent contradiction in treating a thing you expose everywhere (one that in theory never changes because it is “what you are”), as some kind of uniqueness that can’t be replayed or impersonated by someone else.

Think of it as fingerprints left all over the things in public you have been touching.

This state of “being” tends to be the opposite of secrecy, inherently observable as a function of being, else you would cease to exist.

You’ll be hard pressed to avoid leaving your fingerprints all over the place while at the same time using your fingerprints all over the place to prove you do exist and uniquely.

And lately researchers have been putting into practice a machine version of the very thing seen in Lincoln’s print. For example https://thispersondoesnotexist.com/ will dump out a face that mashes up photos into a “fake” one.

Although here again, for example, you can easily see an error in the lower right corner of an artificially generated image (just like Lincoln’s mole being backwards).

Imagined by a GAN (generative adversarial network): StyleGAN2 (Dec 2019), Karras et al. and Nvidia.

On top of these exposure contradictions in biometric secrecy, there also is a complexity and cost consideration in the biometric business.

Challenge quality is intentionally lowered (look for a couple spots that match instead of every detail and thousands of points) to maintain higher profit/margin. Those economic decisions usually are why we see decades of simple bypasses — a low bar has meant easy impersonation of “what you are”.
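The cost of that lowered bar can be put in numbers with a toy model, added here as an illustration and not taken from any vendor's matcher. It assumes a print reduced to 40 feature points on a 16x16 grid and an 80% chance that a genuine point is re-detected; the function names are hypothetical.

```python
from math import comb

# Constructed toy parameters (assumptions, not measurements of a real sensor).
GRID_CELLS = 256   # sensor area quantized into 16x16 cells
MINUTIAE = 40      # feature points stored per enrolled print
REDETECT_P = 0.8   # chance a genuine point shows up again on a later scan


def false_accept_rate(k):
    """P(an unrelated print shares at least k cells with the template).

    Both prints are 40 cells drawn from 256, so the overlap is
    hypergeometric and the tail can be summed exactly.
    """
    total = comb(GRID_CELLS, MINUTIAE)
    hits = sum(
        comb(MINUTIAE, i) * comb(GRID_CELLS - MINUTIAE, MINUTIAE - i)
        for i in range(k, MINUTIAE + 1)
    )
    return hits / total


def false_reject_rate(k):
    """P(the genuine finger re-presents fewer than k of its 40 points).

    Each enrolled point is re-detected independently with REDETECT_P,
    so the matched count is binomial.
    """
    q = 1.0 - REDETECT_P
    return sum(
        comb(MINUTIAE, i) * REDETECT_P**i * q ** (MINUTIAE - i)
        for i in range(k)
    )


def tradeoff(thresholds):
    """Return (k, FAR, FRR) rows for each required match count k."""
    return [(k, false_accept_rate(k), false_reject_rate(k)) for k in thresholds]


if __name__ == "__main__":
    print(" k   false accept   false reject")
    for k, far, frr in tradeoff([4, 8, 12, 20, 30]):
        print(f"{k:2d}   {far:12.3e}   {frr:12.3e}")
```

In this model a threshold of "a couple of spots" almost never rejects the real owner, which is the commercially attractive property, and accepts most unrelated prints; a strict threshold reverses both numbers.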

Nonetheless, despite the contradictions of exposure and the economics of bypasses, stark warnings still do appear about the lack of security in biometrics.

Consider the “lasting damage” about privacy violations claimed in an analysis of Digital ID applications:

In Zimbabwe, we spoke to people who did not know why the government was transitioning from the old metal ID to a biometric ID. There were theories about the ID system’s connection to national security and surveillance but little knowledge of the government’s intentions or the purpose of collecting biometric data (i.e., unique physical measurements such as fingerprints and iris scans)–which isn’t essential for providing legal identity. This type of data is forever associated with a person’s body, meaning that these systems can lead to privacy violations that cause lasting damage.

Meanwhile in RPI research news, we see the march of science challenging our sense of reality by printing “complete” skin:

Scientists have created 3D-printed skin complete with blood vessels, in an advancement which they hope could one day prevent the body rejecting grafted tissue. The team of researchers at Rensselaer Polytechnic Institute in New York and Yale School of Medicine combined cells found in human blood vessels with other ingredients including animal collagen, and printed a skin-like material. After a few weeks, the cells started to form into vasculature. The skin was then grafted onto a mouse, and was found to connect with the animal’s vessels.

In related news, scientists also now can “knit” an artificial skin.

“We can sew pouches, create tubes, valves and perforated membranes,” says Nicholas L’Heureux, who led the work at the French National Institute of Health and Medical Research in Bordeaux. “With the yarn, any textile approach is feasible: knitting, braiding, weaving, even crocheting.”

This suggests we are entering an entirely new level of impersonation possibilities, which both are bad (unwanted) and good (wanted). You could knit a new set of fingerprints that even have blood-flowing in them when you’re tired of “being” the old set, or the old set has failed (e.g. too much hand wringing over privacy concerns).

Somehow I doubt the scientists considered as part of their research the impact of medicine bypassing biometric authentication systems, yet we’re clearly approaching a time when you can really do an about face. If I ran marketing I’d sell new skin as giving the finger to biometric authentication vendors.

It all begs the ancient philosophical questions of whether modern quaint notions of authenticity really are something to hold a hard line on (e.g. authorize authenticity policing), or instead we should go back to the focus on harms and virtue ethics.

For a simple quiz I give my CS graduate students studying ethics, would you sooner criminalize actors doing modern voice impersonations or appearance impersonations? Here’s an example of someone doing both, but is it even criminal?

Czech Patton Museum Comes to America

The 75th anniversary of liberation from Nazi occupation is giving Americans a chance to see memorials to them that usually are found only in Czechia.

The exhibition, entitled Liberation of Pilsen, will be unveiled at Czech Centre New York on Wednesday afternoon. It outlines the advance of Allied troops from Normandy to Pilsen, the role of General George S. Patton and other historical circumstances.

Ivan Rollinger of the Patton Memorial Pilsen museum, who curated the exhibition, says it also maps the many memorials to civilians and soldiers in the region of Pilsen.

“Even today, 75 years after the end of the war, there are still new monuments being erected to the victims of the Second World War, including fallen US soldiers.

“We still come across new information about the individual victims in the region, for instance in the Washington National Archive or in daily reports, and then we unveil new memorials to them.”