Category Archives: History

Repeal the Internet

Robert Samuelson wrote in the Washington Post “If I could, I would repeal the Internet

He’s kidding, right? This is some kind of funny snarky sarcastic opinion piece meant to ridicule FUDslingers, right? It is supposed to make us conscious of the dangers of isolationists, right? Doesn’t seem like it.

He mentions several past threats that were “hyped” and it even seems like he believes Mandiant’s marketing engine. Uh-oh.

…the Internet creates new avenues for conflict and mayhem. Until now, the motives for hacking — aside from political activists determined to make some point — have mostly involved larceny and business espionage. Among criminals, “the Internet is seen as the easiest, fastest way to make money,” says Richard Bejtlich, chief security officer for Mandiant, a cybersecurity firm. Recently, federal prosecutors alleged that a gang of cyberthieves had stolen $45 million by hacking into databases of prepaid debit cards and then draining cash from ATMs.

Anyone who has been reading this blog (hi mom!) knows I can be somewhat opposed to the messaging of Mandiant and Bejtlich. I believe they relentlessly magnify threats into bogeymen of unbelievable proportions while at the same time oversimplifying them. Even worse, they peddle secrecy and fight against transparency in our industry.

Samuelson’s theory is possibly the fruit of their labor; an economist is scared of the Internet and banging a drum about risk in a major newspaper; a frightened result of Mandiant marketing. He doesn’t explain trends in financial theft online; just repeats the old line that attackers get progressively more dangerous and so right now, this very instant, they are more dangerous than ever.

Look at what he says about “‘infrastructure’ systems (electricity grids and the like)”, for example.

In the mid-1980s, most of these systems were self-contained. They relied on dedicated phone lines and private communications networks. They were hard to infiltrate.

That’s quite an exaggeration and misrepresents the industry. Dedicated lines and private networks in many cases made containment a nightmare — easy to infiltrate. Do you have any idea how difficult it was to search for analog lines to ensure no back-doors existed? By the 1990s countless nights were spent wandering halls and fiddling with toneloc scripts because we were in a race with attackers to hit a dial tone that *shouldn’t* be there. Containment failures wasn’t a new concept in the 1990s; phreaking for access was at least 20 years old by then and certainly a problem in the mid 1980s.

Remember the 414 Gang in 1983?

Pranksters disrupt a hospital, and nobody is laughing

Here’s a clue from 1983 that should really illustrate how “self-contained” systems were:

The flurry of recent, highly publicized incidents involving young systems hackers accessing government and commercial data bases has refocused attention on a variety of proposed and recently enacted computer crime laws, both state and federal.

Testimony of both victim and attacker in front of US Congress emphasized just how easy it was to infiltrate.

[Jimmy McClary, from the Los Alamos lab’s operational security and safeguards division] and Mr. Patrick [one of the Milwaukee teen-agers who broke into dozens of large computer systems] said that because someone using a home computer could enter another computer just by dialing the wrong number, the law should differentiate between those who enter computer systems without malicious intent and those who deliberately attempt to alter or damage a system.

The fact is businesses are always clamoring to share information and they often install all kinds of rogue technology. Containment is violated as soon as the ability exists, which predates the 1980s. If anyone thinks executives are neatly standing in rows and following orders of their computer managers then they haven’t done an assessment of containment in their life.

In other words take a quick look at real news from the mid-1980s. A similar situation of scaremongering and fear was bubbling up in America. It is dangerous to forget that we’ve seen these political machinations before. The movie Wargames released in 1983. The intel/mil community (e.g. 1980s equivalent of Bejtlich) was warning back then that they should be allowed to take control of the Internet away from civilians to protect us from harm.

As I presented to Bejtlich and others in 2011, electricity grids and the like have been proven easy to infiltrate for many, many years and this is not any reason to freak out. Bejtlich’s response, a tweet during my presentation, was that I don’t understand “sophistication” of attackers, and that I haven’t seen what he has seen.

My problem with this logic is that Einstein told us “If you can’t explain it simply, you don’t understand it well enough”. So if Bejtlich wants to argue that he isn’t able to explain it simply and he doesn’t want to share the data…well, that’s good entertainment material for security horror films but it doesn’t actually make it real. Does it?

During the mid 1990s it was obvious to auditors that infrastructure could be infiltrated. A big difference back then was that the energy industry thought they could dissuade anyone from trying. On one engagement alone for a multi-state bulk energy distribution company I looked at thousands and thousands of routers on the Internet all managed with clear-text authentication and no integrity monitoring. This seemed like the logical progression from the analog/modem risks earlier and, as usual, our ability to fix it was hampered by economics. To make a finer point the network admin running systems was begging for help from external assessors. He couldn’t convince management to budget for better security controls.

We did our best to raise infiltration issues. Upper management reminded us we were just a portion of a larger “financial” risk model and strict laws for prosecution were sufficient disincentive. In other words we were working under a US gov position that since financial backers ran the energy business, if financiers were willing to accept risk then the gov would too. As I remember it, the financiers (e.g. banks) responded they were confident that systems were not connected to the Internet…. Yet there we were looking at evidence to the contrary. We ran into a dead-end because of politics and economics, not any real failure of technology.

This is a frequent issue in defense. You find gaps and then have to set about convincing people to make change in terms that are mired in human decision. I easily could end up on the same side as Mandiant in many ways. Of course I want fewer holes, tighter controls, etc. to improve the state of technical defense capabilities. However, I pull away from them when I see how they want to change opinions with a “sky fall” marketing push, especially when coupled with secrecy and lack of accountability. Crying wolf can have dire consequences for our industry.

Information technology isn’t the only place this happens. Let me try to put things in terms of another historic event. President Eisenhower, born in Kansas, had an ambitious plan in the mid 1950s to connect the US with a system of high-speed roads called the Interstate. You might think his home state of Kansas would be his biggest supporter. It wasn’t.

I grew up not far from a town in Kansas that was a few hills from where Eisenhower grew up. This town objected to the Interstate coming near. They had fears very similar to what I see in Robert Samuelson’s post about the Internet infrastructure. Highways were not thought of as a breakthrough but rather a means for unwanted outsiders to reach them, to reduce their happy containment.

Avoiding access to the Interstate sounds insane today, right? The Interstate has become the economic engine of towns in rural and urban America. It is the link to the world that helps economies thrive by delivering people and supplies. An economist surely can see how this flow is critical to success. Dismissing information on the Internet, access to knowledge, as “shallow”…is hard to believe is a serious argument.

Of course we couldn’t be as successful without access to knowledge. Innovation is a function of exposure. There are risks to exposure. Yet good can easily outweigh bad exposure when cost-effective controls are applied. Sometimes those controls are economic as well. This race we’re in is not just between offense and defense, it is between health and disease, education and ignorance….

About 50 years after the Interstate was built (30 miles south of that little town) residents had to admit their mistake. They widened the artery and increased speeds; they knew the value of outsiders coming faster and more frequently was worth the risks. Don’t forget, attackers are always evolving. The threats today are worse than ever.

Every business knows there is friction in supply-chains. Should we treat everything as threatening when one bad guy drives into town and robs a bank? Obviously not. Is there “shallow” value to Interstate traffic? Yes, mixed in with the high value. Can we handle threats? Yes, if we approach them rationally. Compare this with how isolationists fare.

I firmly believe connectivity is the future. We need more, not less, access to data to be successful in emerging markets such as clean energy and bioscience. Where we see risk we need more sophisticated solutions than just isolation or militarization.

The Internet’s virtues are far, far from being overstated. We only are beginning to achieve potential benefits of better information exchanges. To shut off our connections now or put in the hands of the intelligence or military (or their advocates) would be a huge setback for America. We need to keep our networks open and under civilian control to focus on growth, unless under extreme danger (e.g. war); and if we ever must give up control we must have a clear and quick deadline for return.

Sailing Safely after the America’s Cup Death

I would like to write about the America’s Cup as I have not yet found a good source of information on recent events.

I am by no means an insider although I admit I’ve been racing high-performance catamarans for over a decade that are similar to AC boat designs and I work in risk management.

Perhaps there’s someone out there who can provide a more authoritative perspective, but in the meantime here’s my amateur and unqualified opinion on what recent accidents may mean for sailing in America.

It is too easy to say loss of life is a reality in high-risk events. Likewise it is too easy to say precautions are the obvious answer. The difficult question is whether the America’s Cup authority, known for bias and gerrymandering for self-serving victories, should be trusted with assessment and decision on risk.

Are multi-hulls dangerous?

For as long as I can remember sailors in the Bay have discussed that multi-hulls capsize ungracefully and permanently. Trimarans and Catamarans were banned in some of the large coastal races I’ve done (Monterey Bay) specifically because event sponsors and support wanted to minimize risk. Believe me, I would have sailed a multi-hull if the option were allowed; we would have cut our race time in half and less time on the water is arguably more safe. Subsequently, over the past three years at least, there has been discussion of whether someone will die when a 72ft carbon platform flips over.

Don’t get too worked up about multi-hulls, however. Speed is an essential ingredient in survival (boats can run from danger) and amateurs on multis in heavy weather have proven they can fare better than monohulls. We also have to admit boats with one hull are statistically more deadly. There are many, many years of data on monohulls involved in tragic and fatal accidents; not least of all was the recent and local Farrallones Tragedy.

Mining the data on events like the 1979 Fastnet disaster (15 deaths, 69 monohulls retired) and the 1998 Sydney-Hobart disaster (5 boats sank, 66 boats retired from the race, 6 sailors died, and 55 sailors were taken off their yachts, most by helicopter) has taught us a lot about risk.

One lesson is that chances of survival in difficult weather are significantly higher for boats over 35 feet long. This is related to the engineering. Larger boats are typically made to handle off-shore conditions and more continuous use than day-sailors.

If we dig a little deeper into lesson one, we find lesson two: pushing boats into heavy weather conditions creates unfair or at least unintended competition. Survival conditions impose a completely new set of criteria for success. Sailors of any experience know this well. I can think of at least a dozen hair-raising experiences I have had on boats and even some near-death moments. Here are a few relevant examples:

In 2003 a storm blew through Louisiana that decimated the A-Class Catamaran North American Championships. It was my first major race on a new boat and suddenly I found myself sitting among the top ten competitors in America. Why? I had grown up sailing so it was natural for me to drop into survival mode — get my boat across the line and to shore in one piece. It was sad for me to watch far better sailors, even Olympic medalists, crash and burn. They pushed on with their prior competition as I pulled back, sailing through an asteroid field of broken boats. Only 11 of us finished among more than 40 boats. It was a victory I didn’t want.

Similarly, I found myself crossing the finish line in 17th place at the 2005 A-Class Catamaran World Championships after the wind disappeared. Nearly 100 boats drifted. Again I switched into survival mode, pegged a line of breeze and swooped to a bitter-sweet victory over sailors usually far better than me. Although very exciting to be just seconds from top 15 in the world, it still was not a wanted victory.

First Place at SCYC
Me sailing an International A-Class Catamaran in light wind

I have many more examples but in 2012 I took a different role. I rode a rescue jet ski at the A-Class Catamaran North American Championships. I could barely operate the jet ski the sea state was so rough. Within just a few hours I had I rescued one of the best sailors in the world, who had become separated from his boat, as well as towed four capsized, dismasted and exhausted top-tier international competitors to shore. From this experience I wrote a detailed explanation on how to use tow lines and a power-boat to carefully rescue turtled (upside-down) high-performance catamarans.

Perhaps you can see why I want to articulate my thoughts on what is happening after the Artemis catamaran disaster. I’ve been thinking about multihull risk management for a long time.

Why does baseball stop when it rains?

Sailing has weather guidelines. Don’t sail when it’s too windy, don’t sail when it’s not windy. It should be as simple as canceling a tennis match or a baseball game. Instead it’s a complicated debate about who can “handle” risky conditions.

People talk about the Artemis accident in terms of boat sea-worthiness yet that’s not the correct focus of inquiry.

Here’s what I believe to be the real story on the America’s Cup accident. Team Artemis made a critical risk calculation error early in their campaign related to structural design. The boat was compromised when they tried to work around the rules. This led to an eventual critical failure and death.

What was the error? AC rules specify a limited number of days sailing on the water for the first 72 foot platform. This could in theory reduce research and design costs. Instead it created control evasion as teams wanted to source design data.

To get around the “sailing” rule Artemis put their AC72 “big red” on the water without a wing attached. They set out to accumulate data on hulls. Although this avoided using up precious days “on water” it required a different power source. Powerboats were attached by line to pull the platform at speed.

Preparation and study of load is where things went awry; the design of the boat was for wing strain, not arbitrary tow lines. As some might have expected the introduction of intense power loads damaged big red’s structure — the main beam that was designed to sit beneath a wing was cracked. The ultimate failure of “big red” on its last day on the water was related to the main beam failing…again.

Thus I think the Artemis accident should be seen as an unfortunate design failure, but not directly related to sailing. It was a failure to anticipate tow line strain coupled with continuing to sail on a damaged structure. It had nothing to do with abilities of any sailor on board (unlike the Oracle capsize, which was the result of pilot error during extremely difficult weather).

In fact it is easy to see how a wing, due to stiffness and subsequent efficiencies, actually puts less load on the structure than the cloth sails we used to use. So I hope people see why it is important to see that beam damage from being under tow should not be misrepresented as wing load risk or even foiling risk.

If we want to avoid a structural failure risk in future we must consider the Artemis disaster in terms of load edge-cases. Whether it is a tow line or a force 10 gale, applying unanticipated amounts of stress on untested structure is a recipe for surprise. You could say the same for airplanes or any structure. A massive storm, a line tied to the end of a wing…these are dangers to face outside normal operating conditions.

Tragedy and leverage

This leads me to the most controversial aspect of what has happened since the incident. There is a conflict of interest with a competition authority that is paid by the defending competitor. When they rule on design changes we have to ask if they are making decisions based on competitive advantage.

Plus we know that Oracle has been playing catch-up with their design. Their boat clearly was not designed to foil above the water. That is my guess why every time you see Oracle 17 in pictures they’re flying a hull, yet the other AC boats are flying level. If you’re foiling you don’t need to sail at any angle, right? You already have your hulls out of the water.

Oracle Hulls Unbalanced
Oracle Hulls Unbalanced

ETNZ Hulls Balanced
ETNZ Hulls Balanced

This is not to say the Oracle design team is entirely off target. I see some design innovation advantages (i.e. the giant pod beneath the mast assists with flow, effectively extending the force of the wing). The fact remains, however, that a defender playing catch-up to challengers is going to be under pressure to eliminate the gaps. Oracle already has demonstrated they are not above cheating to catch up.

It appears to me at first look that findings, supposedly related to safety, are aimed at eliminating challenger technology that Oracle sees as a threat to their victory. Safety is in danger of being used as an excuse to help the defender win instead of directly addressing real risks.

If Oracle plays a corruption card to win they deserve not only to lose the cup, they should be ashamed for doing exactly what they promised would end with their leadership. The cup has been steeped in a history of cheating and spying for advantage. Using the Artemis tragedy and safety for competitive leverage will take us to a new low.

The burden therefore is upon the defender and their race authority to transparently and clearly explain any required changes in terms of real risk. This is a critical moment of big data analysis of risk for Oracle; it can help or seriously hurt American sailing. I hope they use it wisely.

This Day in History: 1781 Battle of Cowpens

The Battle of Cowpens on this day in 1781 is recorded as a turning point in the American Revolution.

Americans were planning cautiously, dispersing into smaller units and contemplating how to minimize direct confrontations with the British. America’s Continential Brigadier General Morgan knew he was being chased by professional soldiers led by a young British Lieutenant Colonel Tarleton. The British leader had a reputation for aggressive and brutal tactics. Morgan then realized Tarleton was nearing them as the Americans approached a river in Cowpens, South Carolina. The Continental General decided it would be wiser to take a stand against the coming British there instead of being engaged as they tried to cross.

Several important factors were in play when Tarleton headed towards the resting American forces.

The British were exhausted and out of food from non-stop marching through the night and crossing rivers in the cold of winter while the Americans waited. The British were confident in their superior numbers, methods and training while the American General set an unsual trap that reduced Tarleton’s advantage from aggression (it not only was a trap for the British but also for the Americans — no way out may have given volunteers and irregulars confidence to stand and fight).

It was in this context that Tarleton predictably and proudly herded his men straight into the American lines. When the Americans fired and withdrew, according to their plan, the British rushed ahead in expectation of an easy victory. However, instead the British ran into additional lines of Americans and flanking movements. These new lines had been obscured by the first line’s retreat. The withering fire from men standing ahead was coupled with the fact that the retreating men stopped, turned, regrouped, opened fire and charged the exhausted British.

The trained British attackers were decimated and broken. Survivors fell into disarray in the face of Americans orchestrating rearward movements, obscure defensive lines, a double envelopment and bold re-engagement.

It appeared to the British, when Howard’s line fell back, that victory was at hand, and so it would have been, had the line been composed of men less inured to battle than were the Continentals of Maryland and Delaware. There was no delay or hesitation when the order to halt, face the enemy, and fire, was given, and there then occurred in a moment a scene of dumbfounded surprise, confusion, and panic seldom witnessed in battle. The outcome resulted in one of the most gloriously unexpected victories of the Revolutionary War.

Unable to regain control of his men, who were disorganized and confused by the resistance and fast becoming unwilling to fight, Tarleton tried to rally. He failed and instead just managed to escape after shooting the horse out from under Colonel William Washington.

Tarleton and Washington
The encounter between Tarleton and Colonel Washington. by E. Benjamin Andrews in 1895, from the Florida Center for Instructional Technology

British General Charles Cornwallis soon after consoled Tarleton. The loss of nearly 80% of their men at Cowpens was given this assessment:

…total misbehavior of the troops could alone have deprived you of the glory which was so justly your due.

Just ten months later the Revolutionary War would end with Cornwallis’ surrender.

Does your company actually need a security department?

Gunnar Peterson prompted us yesterday in Dark Reading with this provocative question:

Does your company actually need a security department? If you are doing CYA instead of CIA, the answer is probably no

It’s easy to agree with Gunnar when you read his analysis. He offers a false dichotomy fallacy.

Standing up a choice between only awful pointless policy wonks in management and brilliant diamonds found in engineering, it’s easy to make the choice he wants you to make. Choose diamonds, duh.

However, he does not explain why we should see security management as any more of a bureaucratic roadblock than any/all management, including the CEO. Review has value. Strategy has value. Sometimes.

The issue he really raises is one of business management. Reviewers have to listen to staff and work together with builders to make themselves (and therefore overall product/output) valuable. This is not a simple, let alone binary decision, and Gunnar doesn’t explain how to get the best of both worlds.

A similar line of thinking can be found by looking across all lines of management. I found recent discussion of the JAL recovery for example, addressing such issues, very insightful.

Note the title of the BBC article “Beer with boss Kazuo Inamori helps Japan Airlines revival

My simple philosophy is to make all the staff happy….not to make shareholders happy

Imagine grabbing a six-pack of beer, sitting down with engineering and talking about security strategy, performing a review together to make engineers happy. That probably would solve Gunnar’s concerns, right? Mix diamonds with beer and imagine the possbilities…

Inamori had interesting things to say about management’s hand in the financial crisis and risk failures in 2009, before he started the turnaround of JAL

Top executives should manage their companies by earning reasonable profits through modesty, not arrogance, and taking care of employees, customers, business partners and all other stakeholders with a caring heart. I think it’s time for corporate CEOs of the capitalist society to be seriously questioned on whether they have these necessary qualities of leadership.

Gunnar says hold infosec managers accountable. Inamori says hold all managers accountable.

Only a few years later JAL under the lead of Inamori surged ahead in profit and is now close to leading the airline industry. What did Inamori build? He reviewed, nay audited, everything in order to help others build a better company.

An interesting tangent to this issue is a shift in IT management practices precipitated by cloud. Infrastructure as a Service (IaaS) options will force some to question whether they really need administrators within their IT department. Software as a Service (SaaS) may make some ask the same of developers. Once administrators and developers are gone, where is security?

Those who choose a public cloud model, and transition away from in-house resources, now also face a question of whether they should pursue a similar option for their security department. Technical staff often wear multiple hats but that option diminishes as cloud grows in influence.

In fact, once admin and dev technical staff are augmented or supplanted by cloud, the need for a security department to manage trust may be more necessary than ever. This is how the discrete need for a security department could in fact increase where none was perceived before — security as a service is becoming an interesting new development in cloud.

Bottom line: if you care about trust, whether you use shared staff or dedicated services, dedicated staff or shared services, you most likely need security. At the same time I agree with Gunnar that bad management is bad, so perhaps a simple solution is to build the budget to allow for a “beer” method of good security management.

I recommend an Audit Ale

This style had all but disappeared by the 1970s, but originated in the 1400s to be consumed when grades were handed out at Oxford and Cambridge universities…. At 8 percent ABV, it has helped celebrate many a good “audit” or soften the blow of a bad one.

This Day in History: 1900 Carrie Nation Vandalizes Wichita Saloon

Carrie Nation was married to an alcoholic and faced economic hardship. These apparently were a primary cause of her desperate attempts to ban alcohol in Kansas, although she claimed a religious pretense.

PBS provides this quote about Nation, said to be her self-description

…a bulldog running along at the feet of Jesus, barking at what he doesn’t like…

Her crusade, although based on her own struggles, also resonated with others who believed widespread use of alcohol during the Civil War (to boost morale, deaden pain or fight disease) was to blame for the “problem” of alcohol after conflict ended.

Reflecting upon those seeking temperance, and noting their arguments, [Confederate physician William Henry Taylor] wrote, “These may be formidable objections to the use of alcohol, but the military surgeon of my day would have thought that they were offset by the fact, demonstrated by innumerable instances, that it promptly rallies the deep sunk spirits of the wounded soldier, and snatches him from the jaws of imminent death.”

In reality, while General/President Grant was well-known for being the most heralded officer and leader in America and not afraid to take a drink, veterans were not necessarily more likely to drink and there were several economic and cultural factors that were behind the rise of alcohol consumption.

Heavy taxation ended after the war, which made alcohol more affordable. A huge boom of immigrants from Ireland and Germany brought a strong drinking culture with them in the mid-1800s. These two elements combined were a significant influence on the direction of American social customs by 1900. A large consumer base emerged and saloons opened and inexpensive beer was brewed to support them.

In this context Nation soon became famous for violent outbursts and her irreverence for damaging property. Few men dared challenge her strong-arm antics, which eventually helped ignite the prohibition movement.

The following newspaper clipping, found in the Kansas State Historical Society in Topeka, KS shows the headline “Carrie Nation Wages War”; from The Wichita Daily Eagle (1890-1906), December 28, 1900, Page 6, Image 6

Mrs. Carrie Nation of Medicine Lodge walked into the Carey annex and commenced the demolishing of the fixtures in that place. She was armed with two short pieces of iron. She also had some rocks.

In short, prohibition was an attempt by social conservatives to block changes in American culture, despite obvious underlying economic and cultural foundations. Today it is easy to see why prohibitionists not only failed to stop the trend towards consumption but actually refined American ingenuity to circumvent regulations.