A new article about the philosopher Wittgenstein’s passion for reading crime stories has an important insight into both the man and his methods, very applicable to recent breach news:

That a crime has been committed, [The Maltese Falcon author] Hammett knew, does not necessarily mean that a plan has been carried out. Plotting and scheming are things people usually do in response to a crime, not in preparation for one. And since most crimes are not clean in the first place, their solutions probably aren’t either. To search for logic in a murder case is to expect to find what was likely never there.

In other words, as the article continues to describe the genius of Wittgenstein, someone seeing pieces of an attack can lead to an urge to paint a picture that may not even exist.

The philosopher achieves clarity, Wittgenstein [in his later writings] believed, by discarding generalizations and focusing instead on concrete circumstances. […] Just because you have pieces does not mean you have a puzzle. It is enough to describe accurately. Attempting to explain only compounds the confusion.

I have to set aside some of the article (ironically) because it seems to draw conclusions askew from the facts and fails to describe accurately.

For example it brings an overly Western perspective that ignores insights and great similarity between Wittgenstein and Islamic and Jewish philosophers, such as this phrase:

His claim was not that these things don’t exist but merely that words can’t touch them.

The claim by Wittgenstein could have been to inspire beauty through attempts to approach what he saw as impossibly hard to achieve.

To come up short in achieving a connection with God, that is to say, does not mean someone “can’t touch” God unless they become stuck in a binary mode where lack of perfection is failure instead of a proof there is need to try for perfection.

I suspect someone more familiar with Talmudic thinking (Judah versus Joseph) would not have described Wittgenstein as saying “words can’t touch them” in such a cold manner emphasizing only failure.

Indeed, three out of four of his grandparents were Jewish, which would have made things far more difficult for him had his family not claimed to be Catholic and paid large ransoms to the Nazis.

All of that being said, I brought it up here to offer a VERY different approach from what I’m seeing in the news.

I mean people like Clarke and other “hawks” seem to suggest the SolarWinds breach is a case of war, when that is not at all what the puzzle pieces of this crime thriller suggest.

As former Bush Administration official Theresa Payton told Fox News, “This vulnerability allowed these nefarious cyber operatives to actually create what we refer to in the industry as ‘God access’ or a ‘God door,’ giving them basically any rights to do anything they want to in stealth mode.”

Ok, ok, stop just a minute. Who says God access or God door? Wat.

We all say got root. Nobody, and I mean NOBODY, says “got God” with the intention of talking about privileged system access.

The closest thing has to be a Microsoft control panel shortcut {ED7BA470-8E54-465E-825C-99712043E01C} that users called God mode, even though it is just a stupid desktop link to the settings a user already is authorized to use.

That’s like saying God mode in your car is when you check the oil using a dipstick.

God doesn’t have an account on systems, and there’s no God mode, since even if you believed in God he wouldn’t need these things. Duh.

What is wrong with Bush Administration people being so nutty that they bring some random God complex into even a computer security topic instead of talking about root and admin or… QSECOFR?

Anyway, back to Clarke doing his usual hawkish Clarke thing:

“This is not just about an espionage attack,” said Richard Clarke. “This is about something called preparation of the battlefield, where they’re now able, in a time of crisis, to eat the software in thousands of U.S. companies.” More than 20 years ago, Clarke was the nation’s first cyber czar, working initially in the Clinton White House and then under George W. Bush. “Sunday Morning” senior correspondent Ted Koppel asked Clarke, “When you hear people talk about this as being purely an intelligence operation, you accept that?” “No, I don’t,” he replied.

Eat the software. Ok since right-wing libertarian venture capitalists infamously said they predict software would be eating the world… does this mean the Russians eating the software would be eating the world?

I’ve heard Russians are starving, but this sounds ridiculous.

Preparation for the battlefield is an interesting twist of language, as that’s surveillance by another name, but the whole eating software concept doesn’t fit a battle narrative.

Clarke then pulls out an old American scare tactic as he clarifies further.

Clarke said, “What has occurred is, again, preparation of the battlefield. There’s not been a lot of damage because of SolarWinds. Maybe some information was stolen, but nothing has been damaged yet.” “Yet!” said Koppel. “But if I didn’t misunderstand what you said before, the Russians are really no more than a few keystrokes away from implementing exactly that kind of damage on, as you put it, thousands of American firms.” “That’s right. And we do not have plans or capability today to quickly come back after that kind of devastating attack,” Clarke said.

A “few keystrokes” takes us all the way back to the “whistle tone” phreaker hysteria of the 414s from the 1980s… as gleefully retold by Kevin Mitnick in his interview with the Russian state propaganda rag.

The government obviously labeled me with these terms, like “terrorist”, and they locked me up in solitary confinement because they said I could whistle into a telephone and launch nuclear weapons. Basically, I became the example, and they created this myth of Kevin Mitnick to scare the public. But if the truth be known, I was fascinated with technology and telephone systems, and I became a hacker more for the exploration, for the seduction of adventure and pursuit of knowledge. I was able to compromise a lot of stuff, like, for example, most of the telephone companies in the U.S. and stuff like that, but it wasn’t to do damage or to sell to a foreign power or anything like that; it was more for my intellectual curiosity – and I ended up getting in a lot of trouble for it, I ended up getting sent to prison for 5 years. Four of those years were without trial.

Four years in jail without trial is the scary part of that story and probably why the Russians like spreading it around so much.

Now in direct comparison, think about Clarke being a self-proclaimed proponent of poisoning upstream American technology in the supply-chain because Russia was stealing. He kinds of tells it like “serves those evil Russians right” that a gas pipeline exploded the in 1980s.

Just to be clear here, I’m not saying that was an actual cause-effect. In fact there has been much disputed about the facts.

What I’m saying is that I stepped into an elevator with Clarke once and asked him to explain the ethical differences between the Trans-Siberian pipeline explosion in June, 1982 and the San Bernadino explosion in 2010 (not the 1989 one, of course).

Seriously, it was me and him riding down four floors and that was the first thing I blurted out…

Clarke was visibly angry and dismissed my question quickly by assuring me he knows very well how the US absolutely was behind the Russian pipeline blowing up, duh.

His logic to me appears blinded from over-emphasis on trying to build a picture he wants us to see rather than looking at the actual pieces of puzzle in our hands (and may in fact never achieve that picture he wants).

He jumps right towards painting the worst risks of gaining high-level authorization, the kind of slippery leap which has some pretty big negative precedents in national security games domestically and internationally.

If someone has achieved root access, he suggests to us, then direct preparation for war is happening if not becoming an act itself. That’s wrong on the face of it, right?

Clarke pushes a war alarm repeatedly like he’s auditioning for a remake of Dr. Strangelove.

This whole thing is counter-factual when you apply even a simple case of a house and door with a key. Someone has infiltrated the lock factory, such that they can produce a key and walk through your home without you knowing. Nothing is damaged, nothing is destroyed.

Interesting history tangent here: A mole in the CIA was suspected when a lock in a Russian apartment door was turned and the owner had to break into his own place…

As soon as Gordievsky landed in Moscow, he picked up signs that he had gambled wrong. On the front door of his apartment, someone had locked a third lock he never used because he had lost the key; he had to break in. Clearly the KGB had searched his flat.

Did the intruders put a secret door in, or a hidden way to bypass your locks, so they could come back later and burn your place down, or prevent you from getting in (e.g. ransomware)?

Was the act of entering and achieving high authorization the same as one of war?

Reminder: “slippery slope” is a logical fallacy. Please don’t start arguments by saying there’s a slippery slope as it’s self-invalidating. I hate seeing that. People seem to think it makes their argument better, like starting with “here’s a straw man I built and now am going to burn.” Just stop that.

I don’t think anyone can, or has, proven yet such regularly invasive acts of surveillance rise above espionage into far worse things, given all that has been said so far about the SolarWinds Breach details.

At best they’re saying the places entered are untrustworthy and must be rebuilt, something less like Stuxnet (which did actual damage), and more like… well more like every day business continuity planning.

It’s true that if someone enters your house they can surveil or they can burn it down but you don’t treat them as equally possible just because someone has entered your house.

It would be like describing Pearl Harbor as devastating because of a fly-over event in preparation for bombing, instead describing the actual bombing as the disaster.

Pearl Harbor was the day that dropping bombs and shooting crossed the line, right?

To be historically accurate (as I’ve blogged about here before), Pearl Harbor’s incoming attack planes were detected by the latest technology but nobody talking about Pearl Harbor is really going into detail about that.

At best people call the ignored radar signals and missed footsteps very unfortunate, not unexpected.

To put it another way, a capability to rebuild an environment is desperately needed right now to restore trust, and the US government was supposedly ensuring that everyone is doing disaster recovery planning anyway.

Thus environments are untrusted mainly because they haven’t been routinely cleaned up fast or often enough, allowed to rot in the open.

And so here comes the real issue as documented already by many other security experts: the US is using surveillance and espionage all the time including (sometimes necessarily) privilege escalation and root-level authority in order to protect itself (not necessarily preparing the battlefield for attack).

• “Everybody Spies in Cyberspace. The U.S. Must Plan Accordingly.”
• “It wasn’t a cyberattack in international relations terms, it was espionage… problem is that both espionage and cyberattacks require the same computer and network intrusions, and the difference is only a few keystrokes.”

Both of the above references are well-reasoned analysis worth reading.

Saying SolarWinds is breached also begs the uncomfortable question of whether the US already had secret access into SolarWinds (let alone all the other American “monitoring” and database companies) or will now use the same access for its own purposes.

More broadly, cleaning upstream vulnerabilities from dependencies and getting service and support doors (some call them back doors) out of products is a long-time herculean task in security for American technology, which may be impeded by American surveillance efforts, and not some sudden exceptional state we stumbled upon.

It is the stuff of repeated internal warnings, like Facebook being a disaster in 2014 and then hiring someone manifestly unqualified who then caused even greater harms to the world and got rich doing it.

Nothing here is really surprising except how little emphasis has been on tearing things down (Facebook really should no longer be allowed to do business and their disgraced ex-CSO should be in jail). Focus needs to shift to building better than such existing Fawlty Towers.

Like the industrialization dangers we look back on with horror today, SolarWinds being a danger is the norm for a lot of American tech that jumps into shortcuts and margin boosters in a cut-throat race driven by mathematicians counting beans more than philosophers explaining why they just don’t add up.

Microsoft’s founder famously said he didn’t want security because it didn’t make him money and admitted in 2001 he ignored years of prior warnings (getting towards the true foundation of the SolarWinds breach, Microsoft’s anti-government big margin low quality pedigree).

“In the pre-2001 days [when disasters were constant, yet not named things like CodeRed], Gates was the biggest reason why Microsoft was having so many security problems,” said John Pescatore an analyst at Gartner Inc…”I think they expected an overnight shift in terms of perception [when they suddenly confessed to decades of intentional harms]. It didn’t happen,” [Forrester analyst] Kark said. “It’s been more than six years, and it’s only now that we are starting to see Microsoft being recognized as a company that values and understands and is responding to security issues.”

The Grover Shoe Factory disaster is a great comparable study in how badly America managed safety in its manufacturing processes for industrialization, and what really changed afterwards.

Hint: it was not only the ability to more quickly transition off faulty technology, found during required quality audits, it also was partly the ability to remove, restore or build new a bigger factory after any disaster predicted or experienced.

Back to Clarke, he also says something about the past worth holding onto: a Bush administration in 2002 blocked efforts to fix infrastructure because it was opposed to big government and fundamentally removed trust in government.

“The kind of things that we need to do now, we could have done 20 years ago. Twenty years ago, however, there wasn’t a real understanding in the Congress or in the White House. There wasn’t a willingness to spend the kind of resources. People were worried about privacy concerns and ‘Big Brother’ controls. They didn’t trust the government to defend them against this sort of thing.”

It resonates with what I remember at the time, when I was doing assessments of woefully insecure American infrastructure (across many US states thousands of power company routers on the Internet using telnet and clear-text scripts). Raising security issues to government level in the late 1990s was met with “let the big banks figure it out, they run the power companies and understand business risk best”.

So this really seems like a great time to remember how the Bush administration absolutely was willing to spend huge resources for big government to start war with Iraq on false pretenses. They pushed hard for that picture, against the fact that puzzle pieces didn’t fit together.

Yet also they ran with the narrative that resources shouldn’t be spent to improve infrastructure/resilience because that would be big government. Instead let the “market” prove it can’t self-regulate, over and over and over again.

American tech is like a never-ending crime thriller, so the really insightful question — in terms of Wittgenstein’s brilliance — becomes whether as investigators we are choosing to be a lofty British Sherlock laying out masterful plans or the more tangible American hard-boiled detective who sticks to the facts.

Have you been to a theater lately? Probably not because of the pandemic, but if you remember when we all used to go (including movie theaters, of course) we would watch performance art and… like it (assuming it was well done and believable, of course).

However, I sure see a lot of people getting very upset about something they call Deepfakes.

Why is there such a disconnect between all the people paying money and spending time to be entertained by the performing arts (the act of information deception) and the people decrying our future will be ruined by Deepfakes (the act of information deception)?

I call this the chasm of information security, which I’ve been sounding the alarm on here and in my presentations around the world since at least 2012. It is the foundation of my new book, which I started writing at that time and has expanded greatly from just a warning call to tangible solutions.

We are long past the time when security professionals should have been talking about the dangers and controls of integrity risks. It is evidence of failure that people can both be entertained by information deception without any worry on one hand and on the other hand decry it as a dangerous future if we allow it to continue.

Is the court jester the end of the kingdom? Obviously not. Is the satirist or political comedian the end of the future? Obviously not.

When an actor changes their voice is it more or less concerning than when they change their appearance to look like the person they are attempting to represent accurately?

Watching a Deepfake for me is like going to the theater or watching a movie and I fear it very little, perhaps because I study intensely all the ways we can protect ourselves against willful harm.

Integrity is a problem, a HUGE problem. Yet let me ask instead why are people so worried that performance art, let alone all art, is being artistic?

A headline like this one is not concerning for me any more than usual:

A college kid’s fake, AI-generated blog fooled tens of thousands. This is how he made it.

“It was super easy actually,” he says, “which was the scary part.”

Yes, a college kid’s fake blog is called Wikipedia. Lots of people with free time on their hands generate fake content there and fool millions. This should not surprise anyone. Using technology to generate the content makes it faster and easier, sure, but it’s not far from the original problem.

The bigger problem is that people don’t often enough describe GPT-3 as a fire-spewing dumpster fire that was created without any sense of fire suppression. It’s a disaster.

Philosophers know this. They write academic papers about the kind of obvious classes of vulnerabilities that engineers should have been modeling from day one if not earlier. Here’s a good example of the kind of thing every security team needs to stick in their quiver:

When I was in Japan trying to solve for information system risks I couldn’t raise insider attacks using the old and usual talking points because everyone there told me dryly that no such thing existed.

Their culture was explained to me as deeply ingrained trust and honor systems such that they confidently believed they could detect any deviations (and hard to argue given how they marched into the room and sat by rank and respect from middle to end of the table, only spoke when allowed).

So instead I watched a history documentary about how Osaka castles had been destroyed by invaders and the next meeting I brought up the dangers of fakes and imposters, deceptive identities inside their organization.

This hit a big nerve.

Suddenly everyone was waving money at me saying take it and help them protect against such imminent dangers. Why was a deep fake so motivating?

It is a massive failing of the security industry how people worry about data integrity and feel afraid like they have no tangible answers, yet they surround themselves with art all day every day and “like” it.

We may in fact have the answers to this failing, and right in front of us.

Again, that’s the chasm of information security today. I hope to explain in great detail what needs to be done about this fear of theater, in my upcoming book.

Few remember how America’s 31 May 1951 OPERATION STRANGLE in the Korean War…

…dropped 600K tons of bombs on DPRK and 2 million civilians perished. It had reverse effect of expected and cauterized resistance.

However, one person who definitely remembered was double-agent for the Soviet Union George Blake, one of the most well-known yet least connected stories to such “cauterized resistance”.

Blake emphasized to the press…

…that he decided to switch sides after seeing civilians massacred by the “American military machine.” “I realized back then that such conflicts are deadly dangerous for the entire humankind and made the most important decision in my life – to cooperate with Soviet intelligence voluntarily and for free to help protect peace in the world”.

Here’s another version of events:

…despatched to Seoul in 1950, to set up an anti-Soviet operation on Moscow’s eastern flank…the North Koreans invaded the South and Blake, like many other western diplomats, was interned – and during his three-year period of captivity he changed sides. George Blake was no “Manchurian Candidate”, tortured and brainwashed into working for the communists while a prisoner of war. it was, he insisted, the spectacle of a helpless civilian population being attacked by mighty US bombers that had changed his world-view: “It made me feel ashamed of belonging to these overpowering, technically superior countries fighting against what seemed to me quite defenceless people.” He quietly informed his KGB captors that he was ready to work for them. In 1953, Blake and his fellow detainees were at last released and he returned to London as an SIS hero.

This UK “hero” was then caught spying for the Soviets (due to a Polish intelligence officer).

The suspected spy was unmasked by a tip from a defecting Polish intelligence officer who told the CIA that two Soviet agents were operating in Britain, one at a royal navy research centre, the other in SIS. They were codenamed Lambda-1 and Lambda-2. Quickly, Lambda-1 was identified as Harry Houghton, but it was months before Blake, then on temporary assignment in Lebanon to learn Arabic, became the prime suspect for Lambda-2.

He confessed and pleaded guilty, was sentenced to a long jail term but soon escaped (with the help of Irish inmates perhaps enamored with Soviet life) from “maximum security” to the open arms of Russia where he continued to intentionally put hundreds of people in harms way.

Dozens are alleged to have been executed in Russia from his actions, and he denied responsibility for their lives while simultaneously taking credit and awards.

He has just died aged 98, feted by Russia.