Category Archives: History

History, Security

Ransomware “Officially” Kills a Person

Leave a comment

There undoubtedly have been deaths in the past caused by computer attacks. I once made a list of physical impact from network and system attacks going back to 1992.

What has just changed is someone is willing to go on the record saying a death happened and was directly related to computer security.

We know, for example, that hospital outages and patient deaths have been in warnings posted to American mainstream news since at least 1983:

Time Magazine in 1983 with stern warning that network attacks on computers will kill someone.

By comparison, the latest news coming from Europe is that a delay in care due to ransomware has caused a particular patient’s death and that it should be treated as negligent homicide.

…ransomware attack crippled a nearby hospital in Düsseldorf, Germany, and forced her to obtain services from a more distant facility…

That’s is less news to me and more a chilling reminder of the talk I gave in 2017 in London about preventing ransomware attacks in healthcare.

Slide from my presentation at MongoDB Europe 2017

As someone who parachuted into the front-lines of solving this burning problem at massive scale (personally leading significant security enhancements for the database company most affected by ransomware attacks — infamously insecure MongoDB) I have many thoughts.

Many, many thoughts.

Suffice it to say here, however, when I was building and running hospital infrastructure in the 1990s my mindset about this risk wasn’t much different than it is today.

If anything, it seems to me we’re seeing healthcare industry becoming more honest with the public about its hidden operational risks.

Reading news that an arsonist burned a hospital down — forcing a fatal diversion of patients — should prompt people to ask if failing to install sprinklers is negligence.

And then people should ask if a hospital construction company was building them with sprinklers that were optional or even non-operational, and whether THAT was negligent.

Those are the deeper questions here.

While there are cases of people driving around in circles intentionally to kill the person they’re supposed to be taking to the hospital (e.g. assassination, even more than negligence), they seem a targeted exception risk rather than the pattern.

It is a hospital’s burden of high availability (let alone a region or network of hospitals like the NHS) to plan for intentional low capacity (and their vendors’ responsibility) that should remain the focus.

Update Sep 28: A reader has emailed me an important reference to the case United States v. Carroll Towing Co., 159 F.2d 169 (2d. Cir. 1947), which formed a test to determine negligence (Burden greater than Loss multiplied by Probability).

It appears from the foregoing review that there is no general rule to determine when the absence of a bargee or other attendant will make the owner of the barge liable for injuries to other vessels if she breaks away from her moorings. However, in any cases where he would be so liable for injuries to others, obviously he must reduce his damages proportionately, if the injury is to his own barge. It becomes apparent why there can be no such general rule, when we consider the grounds for such a liability. Since there are occasions when every vessel will break from her moorings, and since, if she does, she becomes a menace to those about her; the owner’s duty, as in other similar situations, to provide against resulting injuries is a function of three variables: (1) The probability that she will break away; (2) the gravity of the resulting injury, if she does; (3) the burden of adequate precautions. Possibly it serves to bring this notion into relief to state it in algebraic terms: if the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i. e., whether B > PL.

Update November 12, 2020: German police say their exhaustive investigation found no connection between attack on the hospital information systems and human death.

After a detailed investigation involving consultations with medical professionals, an autopsy, and a minute-by-minute breakdown of events, Hartmann believes that the severity of the victim’s medical diagnosis at the time she was picked up was such that she would have died regardless of which hospital she had been admitted to. “The delay was of no relevance to the final outcome,” Hartmann says. “The medical condition was the sole cause of the death, and this is entirely independent from the cyberattack.” He likens it to hitting a dead body while driving: while you might be breaking the speed limit, you’re not responsible for the death.

Hitting a dead body with a car is not the analogy I was expecting, but I suppose it makes the point.

History, Sailing, Security

Captain Morgan Hated Being Called a Pirate Because He Hated Democracy

Leave a comment

Someone just suggested to me that the Spanish loved pirates while the British hated them.

This isn’t even remotely true and it reminded me how a Spanish city official (Don Juan Pérez de Guzmán, a decorated veteran of wars in Flanders) once called Britain’s Captain Morgan a pirate, using that term to insult him as those aspiring to monarchy hated pirates.

The story then goes Morgan indeed hated the exchange and was so enraged that he planned a devastatingly brutal siege of the Spanish city Guzmán defended, torturing residents and pillaging the area for weeks just to prove he was no pirate.

Here’s how one historian has referred to Morgan’s style of leadership:

Behind him were smoldering ruins, pestilence, poverty, misery and death.

A first-person’s account of Morgan’s battles was written by Alexandre Exquemelin, a doctor serving him, in a book called Buccaneers of America. Exqumelin wrote that Morgan lashed together Spanish nuns and priests to use as human shields while he attacked the Spanish military, and that he regularly imprisoned and raped women.

Painting that Morgan commissioned of himself, documenting his boyish and elitist clean-shaven look, while “under arrest” in London after 1672. Source: National Trust of the United Kingdom
Captain Morgan’s vicious retort to his critics — as in the violent argument he waged upon the Spanish, burning their cities to the ground — was that he was a proud privateer in service of the British monarchy during a war (Governor of Jamaica in 1667 gave Morgan a letter of marque to attack Spanish ships).

Morgan thus ran an autocratic and ruthless mercenary operation on behalf of a Crown authority. He was accused by his own men of “cheating” them of promised wages and benefits as he pillaged cities, a military campaign he wasn’t even authorized to do (again, just to be overly pedantic, his letter of marque was to attack ships only, nothing on land).

The privateer life meant public forms of immoral service to a monarchy of questionable values (ultimately atrocity crime charges against him were dismissed and instead he received a plush reward by appointment to government, which also is where Morgan proudly owned hundreds of slaves that operated Jamaican sugar plantations).

Thus, how dare anyone accuse him of being a liberal pirate or try to imply he was fair to his followers or a representative/elected leader?

He would surely have tortured and killed someone if they did accuse him of being so democratic.

In that sense, pirates seem to have been operating somewhat as entrepreneurs challenging the brutality of unjust political systems of monarchy.

Pirates fought against those who had expressly denied human rights and trafficked in human exploitation. They weren’t going to fight in wars that benefited only a few elites, because Pirates also were known to use a democratic system of leadership based on votes and qualifications (given nobody was born into office or summarily appointed by royalty).

Privateers functioned almost in the exact opposite way to pirates while appearing similar; business operators appointed by authority who served awful political systems to exploit high-risk and unregulated markets. Privateers like Morgan operated as ruthless mercenaries in privileged positions of milking their own corrupt system for large personal gain.

It’s a significant difference between an owner-operator business in highly distributed undefined territory (pirate) versus exploitative vigilantism (privateer).

Confusing? Somehow pirates have become associated with the latter when historically they have operated far more as the former.

The important difference perhaps is best explained in Chapter 8 of “The Invisible Hook: The Hidden Economics of Pirates” by Peter T. Leeson

The Captain Morgan brand of liquor thus has popularized a man who promulgated human trafficking, rape, theft, murder and authoritarianism. Don’t call him a pirate.

It reminds me of Hitler wine.

History, Poetry, Security

Does “Knowledge Wins” Mean Privacy Lost?

Leave a comment

The U.S. Army JFK Special Warfare Center and School has released a video called “Knowledge Wins Episode 4 – Great Power Competition – Part 1

The video starts by asking for a definition of competition, and the answer is…open. There are many different and relative definitions of competition, although in my research so far I’ve found universally that knowledge competes with privacy.

The video starts with this war-time poster encouraging people to gain knowledge:

And that reminded me of two posters below that hinted at war-time issues of privacy, information and knowledge.

This is one of my all-time favorites:

If I remember right, I found this one in Bletchley Park:

In the late 1930s the US government sponsored Works Progress Administration (WPA) developing silk-screen techniques to simplify serial production of colorful posters. The WPA handbook How to Make and Reproduce Posters (1943) promoted poster-making as a democratic activity, declaring “Anyone can make a poster”. Anyone with knowledge…

Energy, History, Security

This Day in History: 1945 US Dropped Atomic Bomb on Hiroshima, Japan

Leave a comment

Executive summary: Soviet advances opened Japan to surrender, and NOT the atomic bomb. The best and most logical explanation relates directly to Stalin’s commitment he would enter the Pacific War three months after the surrender of Nazi Germany, as he had promised Allied leaders. The 1945 atomic bomb was a distraction, had little effect versus a reality of Stalin’s forces threatening to completely and quickly overrun Japan. Perhaps at best the bomb provoked the Soviets to get there before everything was destroyed (already 68 cites in Japan had been completely burned to the ground by months of napalm such that targets for atomic bombs had to be the somewhat unknown and insignificant cities — the only places still standing). The Soviets started to roll over Manchuria so quickly that in only a couple of weeks the thoughts of negotiated peace evaporated. Abruptly losing in a few months most of the territory they had conquered over the entire war, and facing a very real possibility of Russians walking onto Japanese mainland, Japanese peace factions rushed towards quitting the war and military leaders wilted.

Japanese cities destroyed by strategic bombing in World War II before the atomic bombs were dropped. Source: “Tokyo vs. Hiroshima,” Alex Wellerstein, September 22, 2014

Long form: The usual story told in American history classes is that dropping two atomic bombs on Japan saved American lives. This is mostly false. There was no reason for America to invade and the country had lost its air force, navy and even resources like oil to defend itself.

Military leaders like MacArthur, Nimitz, Eisenhower, even Patton opposed use of the atomic bomb so there was little to no truth to any invasion casualty concern claims. The Soviet Union in fact was quickly en route to rout Japan on land, sustaining minimal casualties with huge gains.

Studies now show the opposite kind of analysis, that the atomic bombs killed more Americans than if Japan had been invaded on land. Nearly as many Americans died from nuclear radiation and fallout during development of the bombs as the number of Japanese who died from the bombs being dropped.

Source: “Some Unintended Fallout from Defense Policy: Measuring the Effect of Atmospheric Nuclear Testing on American Mortality Patterns,” Keith Meyers, University of Arizona

One might still argue soldiers at that time had two bombs doing the hard work for them and reducing risk, even if Americans were killed at shockingly high rates for decades afterwards.

The problem with this theory is these atomic bombs didn’t force surrender, thus didn’t directly replace the purpose of a land invasion.

Nonetheless a story told in America has been that dropping two bombs on Japan proved to them such a level of superiority in warfare (“assured destruction”), it somehow suddenly compelled the Japanese to immediately give up… not to mention a story also told that atomic bombs held the Soviets at bay afterwards.

All this unfortunately is false history (see “Hidden Hot Battle Lessons of Cold War“, for additional perspective).

Here is Truman’s famous June 1st, 1945 speech calling on Japan to surrender, just to set the context of what the public was hearing at the time:

Take note that the warning was after massive bombing campaigns like March 9-10, 1945 where some 330 B-29 bombers burned 40 square miles of wood-built Tokyo to the ground killing over 100,000 civilians.

Source: “A Forgotten Horror: The Great Tokyo Air Raid,” Time, March 27, 2012

However Japan didn’t fear civilian casualty loads and couldn’t have really understood at the time why this new bomb mattered in August after a long summer of entire cities being destroyed. In a chillingly ironic manner US military leaders also didn’t fear civilian casualties.

Source: “Dar-win or Lose: the Anthropology of Security Evolution,” RSA Conference 2016

Japanese leaders instead greatly feared Soviet declaration of war on them. They thought Stalin’s shift to formal enemy would very negatively alter the terms of surrender (Soviets no longer would mediate a surrender that Japan had been asking about for weeks before the bombs were dropped).

I don’t write these things to be provocative, rather to help us better educate people about the past and also to plan for the future. Perpetuating a false narrative doesn’t do America any favors. And most of what I’m writing here is old news.

In 2013 for example Foreign Policy published “The Bomb Didn’t Beat Japan … Stalin Did

Japanese historians contended it was the USSR declaring war against Japan that convinced their Emperor and gov that surrender was the only option.

In fact American propaganda dropped into Japan at that time (translated here to English) emphasized the Red Army invading, a “ring of steel” approaching with no mention of bombs at all.

Source: “Paper Bullets: a Brief Story of Psychological Warfare in World War II” Leo J. Margolin, 1946

Japan referred to atomic bombs like a “single drop of rain in the midst of a hurricane”, given that they already had seen months-long fire-bomb raids of Tokyo that left it over 50% destroyed with 300,000 burned alive and 750,000 injured.

The reason Tokyo wasn’t targeted with atomic bombs was it was too destroyed already — atomic effect wouldn’t have been measurable (125,000 were killed in atomic attacks on Hiroshima and Nagasaki, which would mean it was similar in effect or even less than a single night of the fire bomb raids hitting Tokyo for months)

Two years before the Foreign Policy piece, a 2011 article in Boston papers offered the following insightful analysis in “Why did Japan surrender?

“Hasegawa has changed my mind,” says Richard Rhodes, the Pulitzer Prize-winning author of “The Making of the Atomic Bomb.” “The Japanese decision to surrender was not driven by the two bombings.” […] “The bomb – horrific as it was – was not as special as Americans have always imagined. …more than 60 of Japan’s cities had been substantially destroyed by the time of the Hiroshima attack, according to a 2007 International Security article by Wilson, who is a senior fellow at the Center for Nonproliferation Studies at the Monterey Institute of International Studies. In the three weeks before Hiroshima, Wilson writes, 25 cities were heavily bombed. To us, then, Hiroshima was unique, and the move to atomic weaponry was a great leap, military and moral. But Hasegawa argues the change was incremental. “Once we had accepted strategic bombing as an acceptable weapon of war, the atomic bomb was a very small step,” he says. To Japan’s leaders, Hiroshima was yet another population center leveled, albeit in a novel way. If they didn’t surrender after Tokyo, they weren’t going to after Hiroshima.

It’s very hard to argue with these common sense points. Massive civilian casualties were mounting and having little effect. Did novelty of a bomb that was a secret suddenly change minds? Even common sense would say no, and the historical record increasingly confirms this.

Or as DW puts it in their documentary, why did American drop a second bomb on Nagasaki if that Hiroshima one supposedly could send a message to surrender?

Video F18ODD8YyuE deleted from YouTube

Or here’s the BBC “accounts of American justification” for dropping a second bomb.

Civilian suffering had never coerced Tokyo to change tactics, and these bombs also failed in that sense. Hiroshima was the 69th city in Japan destroyed by bombing and Nagasaki wasn’t even the primary target (chosen after primary target had unfavorable weather) so it was destroyed just for the sake of bombing someplace at all.

In the end, America dropped these bombs most probably to see what the effects of dropping atomic bombs would be (expressed in the now deleted DW video above as “…my mother fell apart like dry sand when I touched her foot…”) and then the US Air Force created a supporting narrative to justify continuing the program.

Historians have been trying to explain the false stories away ever since.