
Chinese Attacks Raise Concerns

Let’s just get out of the way that there are many examples of wrongdoing by Chinese nationals. Take today’s clash with South Korea, for example:

A South Korean coastguard commando has been stabbed to death and another injured by Chinese fishermen detained for illegal fishing in the Yellow Sea.

Some might look at this story and say it’s an isolated example. Maybe we even can agree that these few fishermen, a tiny fraction of the total number of Chinese on the Yellow Sea, are the ones who do most of the damage. I phrase it that way because of a story I noticed today by the Associated Press: “A Few Chinese Hacker Teams Do Most US Data Theft”

As few as 12 different Chinese groups, largely backed or directed by the government there, do the bulk of the China-based cyberattacks stealing critical data from U.S. companies and government agencies, according to U.S. cybersecurity analysts and experts.

This should be good news, right? Only 12 groups in China? Does that equate to something like 0.0001 percent of all the different Chinese groups?

I guess you could say “largely backed or directed by the government” is supposed to add an element of legitimacy, but anyone familiar with China knows that everyone there still is largely backed or directed by the government.

Now here’s the bad news. Despite the tiny number of suspects, officials in the U.S. are not hopeful that they can prove anyone in China actually guilty.

It is largely impossible for the U.S. to prosecute hackers in China, since it requires reciprocal agreements between the two countries, and it is always difficult to provide ironclad proof that the hacking came from specific people.

Always difficult to provide “ironclad proof”? They say it like it is a bad thing. Even if we accept that China has a small number of suspects and that it is always difficult to prove someone guilty, I don’t follow the logic to the next part of the article. Enter the U.S. military:

“Right now we have the worst of worlds,” said [James Cartwright, a retired Marine general and former vice chairman of the Joint Chiefs of Staff]. “If you want to attack me you can do it all you want, because I can’t do anything about it. It’s risk free, and you’re willing to take almost any risk to come after me.”

The U.S., he said, “needs to say, if you come after me, I’m going to find you, I’m going to do something about it. It will be proportional, but I’m going to do something … and if you’re hiding in a third country, I’m going to tell that country you’re there, if they don’t stop you from doing it, I’m going to come and get you.”

First of all, this is a deterrence model, which I covered in my Dr. Stuxlove presentation based on the Dr. Strangelove movie by Stanley Kubrick. Deterrence is known to be far from a slam-dunk security strategy. It can create risks of its own which are larger and even much worse than the original threat of attack.

Second, he lost me at the “I’m going to find you”. If it is impossible to prove guilt in the first place then who are they going to find and threaten, people who aren’t proven guilty? I know it’s frustrating to follow loose threads but saying “I’m going to come and get you” can actually create a game in itself, as anyone familiar with Smurf attacks will remember. Someone could purposefully stage attacks to kick off a premature and misguided escalation (i.e. back to the plot of Dr. Strangelove). The fix to Smurf redirects, incidentally (pun not intended), was not to threaten everyone with massive retaliation but to reduce risk through immunization that prevented the forwarding/relaying of attacks.

Back to the article, I noticed another strange comment that might be driven by an unfamiliarity with Chinese culture.

One of the analysts said investigations show that the dozen or so Chinese teams appear to get “taskings”, or orders, to go after specific technologies or companies within a particular industry. At times, two or more of the teams appear to get the same shopping list, and compete to be the first to get it, or the one with the greatest haul.

Motivated by what? It is tempting to say a paradigm of competition is a universal hacking mantra; perhaps the Chinese are now emulating the American system of competition. Again, however, it sounds very unlike Chinese philosophies and writing, such as the vision of success through following orders and looking backwards, as expressed in The Way of Lao Tzu.

I have three treasures. Guard and keep them.
     The first is deep love.
     The second is frugality,
     And the third is not to dare to be ahead of the world.
Because of deep love, one is courageous.
Because of frugality, one is generous.
Because of not daring to be ahead of the world,
One becomes the leader of the world.

I also am curious about who really believes it makes sense for China to hold a competition of only two groups out of twelve. If China has almost unlimited human resources, and can launch attacks “risk free”, why would they hold such tiny attack competitions? Why hold back? There must be some risk or there would be far more than twelve groups. If you add up all the arguments in the article, it really does not make much sense.

In any case, perhaps it helps some to compare the twelve groups in the AP article to the nine evil fishermen of the Yellow Sea. Always proceed with caution in building a response so as not to lose control of the situation. The risk of ruthless and underhanded attack has to be factored in when investigating and responding to breaches; the death of the South Korean commando is tragic. At the same time an opportunity to approach and win insider support from any/all remaining Chinese groups, the ones not attacking, should not be overlooked or underestimated.

Sudanese Freedom Rap and Guns of Brixton

Zoul4Revolution posted an interesting video of Sudanese protest music on YouTube:

But it was a comment on a Clash song from the same account that really caught my attention:

I’m from Sudan, we’re uprising against the fascist government of NCP, I’ve always sided with the peaceful uprising, been arrested and tortured many times, every time I play [Guns of Brixton] I think about picking up a gun to join the armed revolution side

That led me to a quick search and the discovery of a nine video set that captures Guns of Brixton covers in numerous styles from around the world.

1) Hardcore

  • Analena
  • Dropkick Murphy’s
  • rtz global


2) Acoustic

  • calexico
  • Arcade Fire
  • Déportivo


3) Chillout

  • nouvelle vague
  • pre-school


4) Dub

  • Santogold – Guns of Brooklyn
  • radici del cemento & Fermin Muguruza


5) Polish

  • Analogs – Strzelby z Brixton
  • Alians – Bomby domowej roboty


6) Punk

  • Unwritten Law
  • The Blaggers Ita
  • Evilsons


7) Spanish

  • la furia – Armas de barrio
  • mundo livre sa


8) Rockabilly

  • Honeydippers
  • Rancho Deluxe


9) Ska

  • los fabulosos cadillacs
  • Inner Terrestrials
  • Union Jack

And of course there are many, many more cover versions…not least of all is a hit British song that borrowed only the bass line:

But after all that, I have yet to hear a Sudanese version.

Risk Lessons from the Startup Genome Project

The findings are in from a business analysis project that models itself after genome research.

The first finding:

Most successful startups pivot at least once. Startups that pivot once or twice raise 2.5x more money, have 3.6x better user growth, and are 52 percent less likely to scale prematurely than startups that pivot more than two times or not at all. A pivot is when a startup decides to change a major part of its business

Pivot? Sounds fancy. If I read that correctly a business that reacts to correct a mistake is more likely to be successful than one that does not correct its mistake. Likewise, a business that corrects fewer mistakes is going to be more successful than one with many mistakes. In other words there is going to be at least one major mistake in a startup plan, which will have to be corrected, but there should not be too many because the cost of correction is high.

Perhaps the same could be said of anything. Take rock climbing for example. A climber that can react quickly to a mistake will climb 2.5x higher and have 3.6x better time to the summit, and be 52 percent less likely to burn out prematurely than climbers that make more than two mistakes or do not react to their mistake.

The third finding:

The major reason for failure of startups is premature scaling. About 70 percent of our dataset showed up as premature scaling or inconsistency. One driving factor for inconsistency is too much capital, teams that are too large, bad team compositions, too little testing, etc. – pretty much everything a large company does, anticipating high certainty in their planning.

I smell a tautology. What is failure? Premature scaling. What is premature scaling? Failure. So you can avoid failure by avoiding failure, which is like avoiding scaling too soon because of course it is too soon. But seriously, this conclusion equates bad with failure. I suspect some might have reached the same conclusions without the study. You should not need a “Genome” project to state that a bad team will give bad results.

Based on the above findings the solution to startup failures should be obvious — simply reverse the statements. Have just the right amount of capital, teams that are sized just right, teams that are composed just right, testing that is just right…it is starting to feel like they could have called it the Startup Goldilocks Project.

Oh, and I think this qualifies for the most non-humble statement award:

It has been extremely humbling for us to be able to touch the lives of thousands of entrepreneurs living around the globe.

How is that humbling? It’s like saying “it is extremely humbling for us to achieve more than we expected and to be really successful”. New definition?

The whole project appears to be anything but modest. By their name they affiliate themselves with a scientific effort to “complete mapping and understanding of all the genes of human beings”. Yet the findings on risk that they have published seem far from attempting the same kinds of analysis.

Understanding the human genome will have an enormous impact on the ability to assess risks posed to individuals by exposure to toxic agents. Scientists know that genetic differences make some people more susceptible and others more resistant to such agents. Far more work must be done to determine the genetic basis of such variability.

In other words, will the Startup Genome Project explain the variability in startups that causes some to be more susceptible to risk — pressure by large companies? What external and internal factors cause one startup to grow before it is able to sustain itself but another startup to hold back?

They could assess, for example, whether it helps reduce pressure from large companies to expand if the startup founder has X amount of personal/family wealth and at least one attorney in the family. I use that example because they mention Bill Gates as a successful entrepreneur. It makes me wonder if they are collecting the kind of data and searching it for factors like those revealed by the WSJ about the very beginning of Microsoft.

The family support was one reason Mr. Gates decided to move Microsoft to Seattle, where he settled into a house not far from his parents. Mrs. Gates arranged to have a maid clean her son’s house, and made sure he had clean shirts for his big meetings. […] Mr. Gates Sr., drawing from his own experience as a lawyer guiding small companies, helped find Seattle businesspeople to serve on the Microsoft board. […] The father’s law firm would also end up representing Microsoft, which became the firm’s biggest client.

Clean shirts for his big meetings is the key phrase. Someone should decode it properly.

The Startup Genome Project, if it were directed at the human body, so far reads more like a study that concludes premature death is a leading cause of a short lifespan. It’s a new collection of information with some interesting synthesis, but it’s not exactly illuminating an unknown or unmapped world with clues to help us understand how to manage risk.