Category Archives: Security

History, Security

Book Review: “The Mission, the Men and Me”

1 Comment

Pete Blaber’s book “The Mission, the Men, and Me: Lessons from a Former Delta Force Commander” gets a lot of rave reviews about business practices and management tips.

It’s hard not to agree with some of his principles, such as “Don’t Get Treed by a Chihuahua”. This phrase is a cute way of saying know your adversary before taking extreme self-limiting action.

Who would disagree with that?

But I’m getting ahead of myself. The book begins with a story of childhood, where Pete reflects on how he topographically mastered his neighborhood and could escape authorities. That gives way to a story of his trials and tribulations in the Army, where during training he was tested by unfamiliar topography and uncertain threats.

It is from this training scenario that Pete formulates his principle to not jump off a cliff when a pig grunted at him (sorry, spoiler alert).

Maybe a less cute and more common way of saying this would be that managers should avoid rushing into conclusions when a little reflection on the situation is possible to help choose the most effective path. Abraham Lincoln probably said it best:

Give me six hours to chop down a tree and I will spend the first four sharpening the axe.

How should someone identify whether they are facing only a Chihuahua-level threat, given their other option is to run and blindly climb a tree?

Pete leaves this quandary up to the reader, making it less than ideal advice. I mean if in an attempt to identify whether you are facing a Chihuahua, wild pig or a bear you get mauled to death, could you sue Pete for bad advice? No, because it was a bear and instead of being up a tree you are dead.

Michael Shermer covered this dilemma extensively in his book “The Believing Brain: From Ghost and Gods to Politics and Conspiracies — How We Construct Beliefs and Reinforce Them as Truths.”

Given his lessons learned in joining the Army, Pete transitions to even more topographical study. He masters mountain climbing with a team in harsh weather. It’s a very enjoyable read.

I especially like the part where money is no object and the absolute best climbing technology is available. There’s no escaping the fact that the military pushes boundaries in gear research and keeps an open mind/wallet to technology innovations.

From there I can easily make the connection to the climax of the book, where he leads a team on a topographically challenging mission and minimizes their risk of detection. It really comes full circle to his childhood stories.

However, there are a few parts of the book that I found strangely inconsistent, which marred an otherwise quick and interesting read.

For example, Pete makes a comment about religion and culture that seems uninformed or just lazy. He refers to Cat Stevens as the “most renowned celebrity convert to Islam”:

I’m not claiming to be an expert in celebrity status or Islam, just saying it should be kind of obvious to everyone in the world that Muhammad Ali (nee Cassius Clay) is far more renowned as a celebrity convert to Islam. I don’t think Cat Stevens even breaks into top ten territory.

Afer winning the Olympics in 1960, the hugely popular Clay not only went on to convert he also refused serving US armed forces in Vietnam because a “minister in the religion of Islam”. As the FBI puts it in their release of surveillance files:

…famed Olympian, professional boxer and noted public figure. This release consists of materials from FBI files that show Ali’s relationship with the Nation of Islam in 1966.

Pete’s comment about the popularity of Cat Stevens suggests that despite the no-holds-barred approach to piles of rock, he may lack knowledge in human topics essential to conflicts he was training to win. A quick look at discussion of Islamic celebrities backs up this point:

Worldwide celebrity searches, past 12 months.

Pete was wandering on that flat line at the bottom while giant mountains of culture stood right above him, unexplored, despite his access to the best tools. When Pete doesn’t mention any ethnic or religious diversity values in childhood it perhaps comes as foreshadowing, leaving him inexperienced and unprepared his whole life to properly identify an Islamic Chihuahua.

Perhaps also important to note, in terms of celebrity status, white Muslims are the most prevalent in America

No racial or ethnic group makes up a majority of Muslim American adults. A plurality (41%) are white… and one-fifth are black (20%).

The famous three-time Golden Globe-winning actor Omar Sharif, for example, was a Catholic who converted to Islam in 1955.

“Though Sharif was Egyptian, his ethnic good looks were used in a less-globally aware Hollywood to represent different nationalities.”

There are at least two more examples of this class of error in the book. I may update the post with them as I have time.

History, Poetry, Security

The Psychology of “Talking Paper”

Leave a comment

Sometime in the late 1980s I managed to push a fake “bomb” screen to Macintosh users in networked computer labs. It looked something like this:

There wasn’t anything wrong with the system. I simply wanted the users in a remote room to restart because I had pushed an “extension” to their system that allowed me remote control of their speaker (and microphone). They always pushed the restart button. Why wouldn’t they?

Once they restarted I was able to speak to them from my microphone. In those days it was mostly burps and jokes, mischievous stuff, because it was fun to surprise users and listen to their reactions.

A few years later, as I was burrowing around in the dusty archives of the University of London (a room sadly which no longer exists because it was replaced by computer labs, but Duke University has a huge collection), I found vivid color leaflets that had been dropped by the RAF into occupied Ethiopia during WWII.

There in my hand was the actual leaflet credited with psychological operations “101”, and so a color copy soon became a page in my graduate degree thesis. In my mind these two experiences were never far apart.

For years afterwards when I would receive a greeting card with a tiny speaker and silly voice or song, of course I would take it apart and look for ways to re-purpose or modify its message. Eventually I had a drawer full of these tiny “talking paper” devices, ready to deploy, and sometimes they would end up in a friend’s book or bag as a surprise.

One of my favorite “talking” devices had a tiny plastic box that upon sensing light would yodel “YAHOOOOOO!” I tended to leave it near my bed so I could be awakened by yodeling, to set the tone of the new day. Of course when anyone else walked into the room and turned on the light their eyes would grow wide and I’d hear the invariable “WTF WAS THAT?”

Fast forward to today and I’m pleased to hear that “talking paper” has become a real security market and getting thinner, lighter and more durable. In areas of the world where Facebook doesn’t reach, military researchers still believe psychological manipulation requires deploying their own small remote platforms. Thus talking paper is as much a thing as it was in the 1940s or before and we’re seeing cool mergers of physical and digital formats, which I tried to suggest in my presentation slides from recent years:

While some tell us the market shift from printed leaflets to devices that speak is a matter of literacy, we all can see clearly in this DefenseOne story how sounds can be worth a thousand words.

Over time, the operation had the desired effect, culminating in the defection of Michael Omono, Kony’s radio telephone operator and a key intelligence source. Army Col. Bethany C. Aragon described the operation from the perspective of Omono.

“You are working for a leader who is clearly unhinged and not inspired by the original motivations that people join the Lord’s Resistance Army for. [Omono] is susceptible. Then, as he’s walking through the jungle, he hears [a recording of] his mother’s voice and her message begging him to come home. He sees leaflets with his daughter’s picture begging him to come home, from his uncle that raised him and was a father to him.”

Is anyone else wondering if Omono had been a typewriter operator instead of radio telephone whether the US Army could have convinced him via print alone?

Much of the story about the “new” talking paper technology is speculative about the market, like allowing recipients to be targeted by biometrics. Of course if you want a message to spread widely and quickly via sound (as he’s walking through the jungle), using biometric authenticators to prevent it from spreading at all makes basically no sense.

On the other hand (pun not intended) if a written page will speak only when a targeted person touches it, that sounds like a great way to evolve the envelope/letter boundary concepts. On the paper is the address of the recipient, which everyone and anyone can see, much like how an email address or phone number sits exposed on encrypted messaging. Only when the recipient touches it or looks at it, and their biometrics are verified, does it let out the secret “YAHOOOO!”

Security

RSA Conference 2018: Tuesday Keynotes

Leave a comment

Keynotes on 30 second delay stream to public

RSA Announcements

Women in tech

Message of diversity

Microsoft Announcements

Call for a digital Geneva convention (https://twitter.com/BradSmi/status/831553031422386176)
– No targeting
– Assist private sector
– Limit offensive ops
– Restrict cyber weapons
– Non-proliferation
– Report vulns

Shipping a secure linux kernel because “Microsoft now is a Linux company”

Tech Sector Accord
– protect all users and customers everywhere
– oppose all cyberattacks on innocent citizens and enterprises
– provide tools and info to help community protect self
– deepen co-operation & information sharing between companies

Five-eyes are collaborating on blaming attack on North Korea

Message of unity: “It about trust…we need the world to come together”

Message of diversity. Bring different kinds of people together: “learn, change and grow” to “build a safer world”

Award Stuxnet: Michael Assante
Award Public Policy: Admiral Michael Rogers
Award Math: Ran Canetti, Rafail Ostrovsky
Award Humanitarian (created by yours truly): Tim Jenkin

McAfee

An ode to the Skyjacking Threatscape security evolution
1961 became a crime after Cuban revolution
1972 peak of hijacking, nuclear threat
1973 passenger and bag screening
2001 post-sept slow and long lines
2006 3-1-1
2009 underwear scans

User the airline model: “if you look to the air travel industry, obsessive about safety and security”

“Think about what you can take back from this to our offices…try to drive a culture where security gets prioritization it deserves.”

Cryptographer Panel

Moxie
Paul
Whit
Adi
Ron

Interesting year

Ron
– elections interest. central to democracy. crit infra.
– spectre attack

Adi
– lack of preciseness in research. crypto has theorem/proofs. no cyber equivalent. need quantitative

Whit
– memory of wife, elder of cryptography, partner enthusiasm. everyone loved mary. marty’s fondness
– mayland doyle. most influential cryptographer at RSA (sig sally pivotal to development of cryptography). worked on KI-1. designed crypto for KY-3 used for 30 years. KG-30 designed, long-cycle decrypters.

paul
– performance security tradeoffs. security gains have equalized with performance

moxie
– shift in perception of technology. connecting the world no longer utopian. cyber now seen as weapons not connecting

Bitcoin

Adi
– pronounce differently

Whit
– spell differently

Ron
– hashing for crypto far greater than for security

Whit
– space heaters based on crypto, amortized cost of hashing

Blockchains

Ron
– not pixie dust. interesting decentralized, public, immutable. fail at scale, throughput and latency
– really bad for voting because centralized and secretive. electronic database doesn’t allow verification by voters. paper is better choice

Adi
– overhyped. post-quantum world ensure security of digital signatures. 50 years valid guarantee of digital signatures. generated today before quantum computers available. doesn’t matter if new tech comes, show early generation of signature

Whit
– when you don’t have to have secrets you shouldn’t

Paul
– commercial applications

Moxie
– distributed nature is valuable, not many applications of that in real world. consumers see as zero value. distributed systems tend not to work. like P2P craze of 2000s

Quantum compute

Adi
– Microsoft talk, prediction of his boss. first qbit by end of year. computer in five years. distanced self from prediction.
– 82 proposals, 64 remain. three main groups. 26 proposals based on lattice. 19 based on coding theory. 9 based on multivariate. 3 based on hash-based. all schemes had to be nailed-down, fully specified. surprised by speed. most few milliseconds. some hundreds of microseconds. key sizes 1 and 10 kbytes.

Ron
– how many came from proofs?

Adi
– proofs were fairly weak. NIST will have hard time within three years professing a winner. took 15 years for RSA to be accepted. took 15 years for eliptic (1985 to 2000s). hard to design and tricky. fortunately one suggestion time-tested. post-quantum RSA

Whit and Adi get into a fight

Paul
– don’t omit looking for hash-based solutions for digital signatures

Adi
– NIST will choose one of the hash-based because evaluated a long time
– only incremental progress on computers, long away from something that will break crypto

Adi
– would accept improvement in any area. instead, silence

System level bypass

Paul
– found old presentation and noticed the exploit. noticed google had done same. found twice within a few months.
– who can fix hardware in process, who can notify? press leaks ended up in panic end to embargo. decision was made to release early. failed twice with embargo. need ethicists to create a roadmap

Adi
– worried we get to point massive amount of processors would be bricked. huge disaster

Paul
– we have a huge mess. guidance is instructions on all your paths. slow and tools don’t exist. lots of work to be done.
– in context lots of bugs. hardware bug doesn’t change aggregate issues

Ron
– hard to avoid leakage on shared systems

Paul
– we have to start bifurcating and dedicating hardware
– build systems with primary security objective

Apple iCloud hosting in China, with keys there

Adi
– not exceptional when everyone has access

Paul
– China in for surprise when their data gets hacked. won’t end well

Ron
– EU commission report in favor of strong encryption. back doors bad for security, as well as privacy

Moxie
– it’s easier to say i can’t instead of i won’t. hard to resist

Broader implications beyond China

Ron
– FBI wants access, but they didn’t try very hard to get into SB phones

Paul
– idea that you suck up all the data to make sense of it. these kinds of processes create risk by putting tools/data in one place. corporate level trade-offs easy to see. nation-wide scary

Adi
– telegram told give keys to russia. refused. telegram became illegal. banning schemes they don’t have master key for

Moxie
– easier to say i can’t than i won’t. if design without key, then can’t give

Facebook

Paul
– wasn’t in their interest to protect our data. risks we incur are not us. facebook made decision to hurt users. didn’t build system to protect users. companies that benefit won’t help

Whit
– economics. more money means weaker processors. same for databases

Paul
– Bain conclusions on cost to society

Moxie
– Facebook is the Exxon of our time. indispensable tool everyone despises. as much as everyone hates Exxon, dumps oil in ocean. Exxon is civilization and Facebook is the Internet. Facebook going through Exxon moment and people thinking better tech investment time

Adi
– EU fines for GDPR huge (4%). plan B of EU to tax american companies (couldn’t get it one way, so get it other way).
– interesting issues there. look into it because can impact

Moxie
– GDPR can entrench monopoly. good for them because refuse service if don’t consent, but they’re the internet

Adi
– goes beyond. privacy by design, default, mandatory encryption, right to erasure

Silver Linings in Cloud of Security

Ron
– we’re in era we feel attackers are winning. where are they focusing, what will we defend. 2/3 people on paper ballots. voting the hard way is the silver lining

Adi
– moving at high velocity. didn’t mention forward or backward. silver lining is our job security guaranteed

Whit
– don’t have to find new job

Paul
– band on the titanic is small silver lining. complexity growth will lose us the battle. better hardware is optimistic. more things than just crypto being robust. make a chip of low-chance of buggy

Moxie
– privacy and crypto tech less about shards of info, more like infrastructure for the world we want

History, Security

To Cyber or Not to Cyber…That is the RSAC Talk Analysis

Leave a comment

I don’t know where you are, but the data analysis of the RSA Conference by the prestigious Cyentia Institute is amazing. They wrote algorithms to tell us what the “most important” talks are each year from 25 years of security conference data, and illustrate our industry’s trend over time. Who can forget “A top 10 topic in 2009 was PDAs”?

This is the slide that made everyone laugh, of course:

Trends going up? GDPR, Ransomware, Financial Gain and Extortion. Big Data exploded up and then trends down over the last five years.

Trends going down? BYOD, SOX, GRC, Hacktivism, Targeted Attack, Endpoint, Mobile Device, Audit, PCI-DSS, APT, Spam…

Endpoint going down is fascinating, given how a current ex-McAfee Marketing Executive war is going full-bore. RSAC 2018 Expo Protip: people working inside Crowdstrike and Cylance are hinting on the show floor how unhappy they are with noise made about a high-bar of attribution to threat actors given their actual product low-bar performance and value.

That’s just a pro doing qualitative sampling, though. Who knows how reliable sources are, so consider as well the implication of qualitative analysis.

Some cyber companies talk threat actor in the way that Lockheed-martin talks when they want to sell you their latest bomb technology. Is that bomb effective? Depends how and what we measure. Ask me about 1968 OP IGLOO WHITE spending $1B/year on technology based on threat actor discussions almost exactly like those we see in the ex-McAfee Marketing Executive company booths…