Security

#Hotmailgate: Where Don’t You Want to Go Today?

Leave a comment

I thought with all the opinions flowing about the Hotmail privacy incident I would throw my hat into the ring. Perhaps most notably Bruce Schneier has done an excellent job warning people not to believe everything Google or Facebook is saying about privacy.

Before I get to Bruce’s article (below) I’d like to give a quick summary of the details I found interesting when reading about the Microsoft Hotmail privacy incident.

How it Begins

We know, for example, that the story begins with a Microsoft employee named Alex Kibkalo who was given a less-than-stellar performance review. This employee, a Russian native who worked from both Russia and Lebanon, reacted unfavorably and stole Microsoft pre-release updates for Windows RT and an Activation Server SDK.

Russia? Lebanon?

Perhaps it is fair to say the software extraction was retaliatory, as the FBI claims, but that also seems to be speculation. He may have had other motives. Some could suggest Alex’s Russian/Lebanese associations could have some geopolitical significance as well, for example. I so far have not seen anyone even mention this angle to the story but it seems reasonable to consider. It also raises the thorny question of how rights differ by location and nationality, especially in terms of monitoring and privacy.

Microsoft Resources Involved

More to the point of this post, from Lebanon Alex was able to quickly pull the software he wanted off Microsoft servers to a Virtual Machine (VM) running in a US Microsoft facility. Apparently downloading software all the way to Lebanon would have taken too long so he remotely controlled a VM and leveraged high speeds and close proximity of systems within US Microsoft facilities.

Alex then moved the stolen software from the Microsoft internal VM to the Microsoft public Skydrive cloud-based file-sharing service. With the stolen goods now in a place easily accessible to anyone, he emailed a French blogger.

The blogger was advised to have a technical person use the stolen software to build a service that would allow users to bypass Microsoft’s official software activation. The blogger publicly advertised on eBay the activation keys for sale and sent an email, from a Hotmail account, to a technical person for assistance with the stolen software. This technical person instead contact Microsoft.

Recap

To recap, an internal Microsoft employee used a Microsoft internal VM and a Microsoft public file-sharing cloud to steal Microsoft assets.

He either really liked using Microsoft or knew that they would not notice him stealing.

The intended recipient of those assets also used a Microsoft public cloud email account to communicate with employee stealing software, as well as with a person friendly to Microsoft senior executives.

When All You Have is a Hammer

Microsoft missed several red flags. Their internal virtual environment as well as their public cloud clearly was not detecting a theft in progress. A poor-performance review could be tied to sensitivity of network monitoring, watching for movement of large assets or pointing to communication with other internal staff that may have been working on behalf of the employee. Absent more advanced detective capabilities, let alone preventive ones, someone like Alex moves freely across Microsoft resources to steal assets.

A 900-lb gorilla approach to this problem must have seemed like a good idea to someone in Microsoft management. I have heard people suggest a rogue legal staff member was driving the decisions, yet this doesn’t sound plausible.

Having worked with gigantic legal entities in these scenarios I suspect coordinated and top-down the investigation and legal teams. Ironically, perhaps the most damaging steps to customer trust might have been done by a team called Trustworthy Computer Investigations (TWCI). They asked the Office of Legal Compliance (OLC) for authorization to compromise customer accounts. That to me indicates the opposite of any rogue effort; it was a management-led mission based on an internal code-of-conduct and procedures.

Hotmail Broken

The real controversy should be that the TWCI target was not internal. Instead of digging around Microsoft’s own security logs and controls, looking at traces of employee activity for what they needed, Microsoft compromised a public customer Hotmail account (as well as a physical home) with the assistance of law enforcement in several countries. They found traces they were looking for in the home and Hotmail account; steps that explained how their software was stolen by an internal employee as well as signs of intent.

The moral of the story, unfortunately, seems to be Microsoft internal security controls were not sufficient on their own, in speed or cost or something else, which compelled the company to protect themselves with a rather overt compromise of customer privacy and trust. This naturally has led to a public outcry about whether anyone can trust a public cloud, or even webmail.

Microsoft, of course, says this case is the exception. They say they had the right under their service terms to protect their IP. These are hard arguments to dispute, since an employee stealing Microsoft IP and using Microsoft services, and even trying to sell the IP by contacting someone friendly with Microsoft, can not possibly be a normal situation.

On the other hand, what evidence do we have now that Microsoft would restrict themselves from treating public as private?

With that in mind, Microsoft has shown their hand; they struggle to detect or prevent IP-theft as it happens, so they clearly aim to shoot after-the-fact and as necessary. There seems to be no pressure to do things by any standard of privacy (e.g. one defined by the nationality of the customer) other than one they cook up internally weighted by their own best interests.

Note the explanation by their Deputy Counsel:

Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves.

They appear to be defining customers as indistinguishable from Microsoft employees. If you are a Hotmail user, you are now a part of Microsoft’s corporate “body”. Before you send HR an email asking for healthcare coverage, however, note that they also distinguish Microsoft personal email from corporate email.

The only exception to these steps will be for internal investigations of Microsoft employees who we find in the course of a company investigation are using their personal accounts for Microsoft business.

So if I understand correctly Microsoft employees are allowed an illusion of distinguishing personal email on Hotmail from their business email, which doesn’t make any sense really because even public accounts on Hotmail are treated like part of corporate body. And there’s no protection from searches anywhere anyway. When Microsoft internal staff, and an external attorney they have hired, believe there is probable cause then they can search “themselves”.

And for good measure, I found a new Google statement that says essentially the same thing. They reserve the right to snoop public customer accounts, even journalists.

“[TechCrunch editor Michael Arrington] makes a serious allegation here — that Google opened email messages in his Gmail account to investigate a leak,” Kent Walker, Google general counsel, said in a statement. “While our terms of service might legally permit such access, we have never done this and it’s hard for me to imagine circumstances where we would investigate a leak in that way.”

Hard perhaps for Kent to imagine, but with nothing stopping them…is imagination really even relevant?

Back to Schneier

Given this story as background, I’d like to respond to Bruce Schneier’s excellent article with the long title: “Don’t Listen to Google and Facebook: The Public-Private Surveillance Partnership Is Still Going Strong

These companies are doing their best to convince users that their data is secure. But they’re relying on their users not understanding what real security looks like.

This I have to agree with. Reading the Microsoft story I first was shocked to hear they had cracked their own customer’s email account. Then after I read the details I realized they had probable cause and they followed procedures…until I reached the point where I realized there was nothing being said about real security. It begs a simple question:

Should the lack of Microsoft ability to detect or prevent a theft, utilizing their private and public services, a reasonable justification for very broad holes in customer terms-of-service?

Something Just Hit the Fan

Imagine you are sitting on a toilet in your apartment. That apartment was much more convenient to move into compared to building your own house. But then, suddenly the owner is standing over you. The owner says since they can’t tell when widgets are taken from their offices (e.g they can’t detect which of their employees might be stealing) and they have probable cause (e.g. someone says you were seen with a missing widget) they can enter your bathroom at any time to check.

Were you expecting privacy while you sat on your toilet in your apartment?

Microsoft clearly disagrees and says there’s no need to even knock since they’re entering their own bathroom…in fact, all the bathrooms are theirs and no-one should be able to lock them out. Enjoy your apartment stay.

Surveillance, Not Surveillance

Real security looks like the owners detecting theft or preventing theft in “their” space rather than popping “your” door open whenever they feel like it. I hate to say it this way but it’s a political problem, rather than a technical one: what guide should we use to do surveillance in places that are socially agreed-upon, such as watching a shared office to reduce risks of theft, rather than threaten surveillance in places people traditionally and reasonably expect privacy?

So here is where I disagree with Schneier

Google, and by extension, the U.S. government, still has access to your communications on Google’s servers. Google could change that. It could encrypt your e-mail so only you could decrypt and read it. It could provide for secure voice and video so no one outside the conversations could eavesdrop. It doesn’t. And neither does Microsoft, Facebook, Yahoo, Apple, or any of the others. Why not? They don’t partly because they want to keep the ability to eavesdrop on your conversations.

Ok, I actually sort of agree with that. Google could provide you with the ability to lock them out, prevent them from seeing your data. But saying they want to eavesdrop on your conversations is where I start to think differently from Bruce. They want to offer tailored services, marketing if you allow it. The issue is whether we must define an observation space for these tailored services as completely and always open (e.g. Microsoft’s crazy definition of everything as “self”) or whether there is room for privacy.

Give Me Private Cloud or Give Me Encryption…OK I’ll Take Both

Suddenly, and unexpectedly, I am seeing movement towards cloud encryption using private-keys unknown to the provider. Bruce says this is impossible because “the US government won’t permit it”. I disagree. For years I worked with product companies to create this capability and was often denied. But it was not based on some insidious back-door or government worry. Product managers had many reasons why they hated to allow encryption into the road-map and the most common was there simply was not enough demand from customers.

Ironically, the rise of isolated but vociferous demand actually could be the reason we now will see it happen. If Google and Apple move towards a private-key solution, even if only to fly the “we’re better than Microsoft flag,” only a fraction of users will adopt (there’s an unknown usability/cost factor here). And of those users that do adopt eagerly, what is the percentage that the government comes knocking for with a warrant or a subpoena to decrypt? Probably a high percentage, yet still a small population. Given that the cloud providers properly setup key management they should be able to tell the government they have no way to decrypt or access the data.

Economics to the Rescue

This means from a business view the cloud provider could improve their offering to customers by enhancing trust with privacy controls, while at the same time reducing a cost burden of dealing with government requests for data. It could be a small enough portion of the users it wouldn’t impact services offered to the majority of users. This balance also could be “nudged” using cost; those wanting enhanced privacy pay a premium. In the end, there would be no way a provider could turn over a key that was completely unknown to them. And if Bruce is right that the government gets in no matter what, then all the more reason for cloud providers to raise the bar above their own capabilities.

We should have been headed this way a long time ago but, as I’ve said, the product managers really did not believe us security folks when we begged, pleaded and even demanded privacy controls. Usability, performance and a list a mile long of priorities always came first. Things have changed dramatically in the past year and #Hotmailgate really shows us where we don’t want to go. I suspect Microsoft and its competitors are now contemplating whether and how to incorporate real private-key systems to establish better public cloud privacy options, given the new economic models and customer demands developing.

Energy, Food, Security

Mining and Visualizing YouTube Metadata for Threat Models

Leave a comment

For several years I’ve been working on ways to pull metadata from online video viewers into threat models. In terms of early-warning systems or general trends, metadata may be a useful input on what people are learning and thinking about.

Here’s a recent example of a relationship model between viewers that I just noticed:

A 3D map (from a company so clever they have managed to present software advertisements as legitimate TED talks) indicates that self-reporting young viewers care more about sewage and energy than they care about food or recycling.

The graph also suggests video viewers who self-identify as women watch videos on food rather than energy and sewage. Put young viewers and women viewers together and you have a viewing group that cares very little about energy technology.

I recommend you watch the video. However, I ask that you please first setup an account with false gender to poison their data. No don’t do that. Yes, do…no don’t.

Actually what the TED talk reveals, if you will allow me to get meta for a minute, is that TED talks often are about a narrow band of topics despite claiming to host a variety of presenters. Agenda? There seem to be extremely few outliers or innovative subjects, according to the visualization. Perhaps this is a result of how the visual was created — categories of talks were a little too broad. For example, if you present a TED talk on password management and sharks and I present on reversing hardware and sharks, that’s both just interest in nature, right?

The visualization obscures many of the assumptions made by those who painted it. And because it is a TED talk we give up 7 minutes of our lives yet never get details below the surface. Nonetheless, this type of analysis and visualization is where we all are going. Below is an example from one of my past presentations, where I discussed capturing and showing high-level video metadata on attack types and specific vulnerabilities/tools. If you are not doing it already, you may want to think about this type of input when discussing threat models.

Here I show the highest concentrations of people in the world who are watching video tutorials on how to use SQL injection:

History, Security

What Surveillance Taught Me About the NSA and Tear Gas: It’s Time to Rethink our Twitters about Nightmares

Leave a comment

Medium read: 23.45 minutes at 1024×768

Zeynep Tufekci has tweeted a link to a journal of her thoughts on surveillance and big data.

#longreads version of my core thesis: “Is the Internet Good or Bad? Yes.” I reflect on Gezi, NSA & more.

The full title of the post is “What tear gas taught me about Twitter and the NSA: It’s time to rethink our nightmares about surveillance.”

I noticed right away she used a humble brag to describe events at a recent conference she attended:

A number of high-level staff from the data teams of the Obama and Romney campaigns were there, which meant that a lot of people who probably did not like me very much were in the room.

You hate it when high-level people do not like you…? #highlevelproblems?

She then speculates on why she probably would not be liked by such high-level people. Apparently she has publicly caricatured and dismissed their work as “richer data for the campaigns could mean poorer democracy for the rest of us”. She expects them to not like her personally for this.

I said she speculates that she is not “liked” because she does not quote anyone saying they “did not like” her. Instead she says they have publicly dismissed her dismissal of their work.

My guess is she wants us to see the others as angry or upset with her personally to set the stage for us seeing her in the hot-seat as a resistance thinker; outnumbered and disliked for being right/good, she is standing up for us against teams of bipartisan evil data scientists.

Here is how she describes meeting with the Chief scientist on Obama’s data analytics team, confronting him with a hard-hitting ethical dilemma and wanting to tell him to get off the fence and take a stand:

I asked him if what he does now — marketing politicians the way grocery stores market products on their shelves — ever worried him. It’s not about Obama or Romney, I said. This technology won’t always be used by your team. In the long run, the advantage will go to the highest bidder, the richer campaign.

He shrugged, and retreated to the most common cliche used to deflect the impact of technology: “It’s just a tool,” he said. “You can use it for good; you can use it for bad.”

“It’s just a tool.” I had heard this many times before. It contains a modicum of truth, but buries technology’s impacts on our lives, which are never neutral. Often, I asked the person who said it if they thought nuclear weapons were “just a tool.”

The data scientist appears to say a decision on whether the tool is good or bad in the future is not up to him. It’s a reasonable answer. Zeynep calls this burying the truth, because technology is never neutral.

To be honest there is a part of me tempted to agree with her here. That would be a nice, quiet end to my blog post.

But I must go on…

Unfortunately I can not stop here because she does not end her post either. Instead, she goes on to apparently contradict her own argument on tools being non-neutral…and that just happens to be the sort of thing that drives me to write a response.

The reason I would agree with her is because I often am making this argument myself. It’s great to see it made by her. Just the other day I saw someone tweet that technology can’t be evil and I had to tweet back that some technology can be labeled evil. In other words a particular technology can be defined by social convention as evil.

This is different from the argument that technology can never be neutral, but it is similar. I believe much of it is neutral in a natural state and acquires a good/bad status depending on use, but there still are cases where it is inherently evil.

The philosophical underpinning of my argument is that society can choose to label some technology as evil when they judge no possible good that can outweigh the harm. A hammer and a kitchen knife are neutral. In terms of evil, modern society is reaching the highest levels of consensus when discussing cluster-bombs, chemical weapons, land-mines and even Zeynep’s example of nuclear weapons.

My keynote presentation at the 2011 RSA Conference in London used the crossbow as an example of the problem of consensus building on evil technology. 500 years ago the introduction of a simple weapon that anyone could easily learn meant a sea change in economic and political stability: even the most skilled swordsman no longer stood a chance against an unskilled peasant who picked up a crossbow.

You might think this meant revolution was suddenly in the hands of peasants to overthrow their king and his mighty army of swordsmen. Actually, imagine the opposite. In my presentation I described swordsmen who attempted to stage a coup against their own king. A quickly assembled army of mercenary-peasants was imported and paid to mow down revolutionary swords with crossbows. The swordsmen then would petition a religious leader to outlaw crossbows as non-neutral technology, inherently evil, and restore their ability to protect themselves from the king.

The point is we can have standards, conventions or regulations, that define technology as inherently evil when enough people agree more harm then good will always be the result of use.

Is the Internet just a tool?

With that in mind, here comes the contradiction and why I have to disagree with her. Remember, above Zeynep asked a data scientist to look into the future and predict whether technology is bad or good.

She did not accept leaving this decision to someone else. She did not accept his “most common cliche used to deflect the impact of technology”. And yet she says this:

I was asked the same question over and over again: Is the internet good or bad?

It’s both, I kept saying. At the same time. In complex, new configurations.

I am tempted to use her own words in response. This “contains a modicum of truth, but buries technology’s impacts on our lives, which are never neutral.” I mean does Zeynep also think nuclear weapons are “both good and bad at the same time, in complex, new configurations”?

Deterrence was certainly an argument used in the past with exactly this sort of reasoning to justify nuclear weapons; they are bad but they are good so they really are neutral until you put them in the hands of someone.

And on and on and on…

The part of her writing I enjoy most is how she personalizes the experience of resistance and surveillance. It makes for very emotionally-charged and dramatic reading. She emphasizes how we are in danger of a Disney-esque perfect surveillance world. She tells us about people who, unable to find masks when they disagree with their government, end up puking from tear gas. Perhaps the irony between these two points is lost to her. Perhaps I am not supposed to see these as incongruous. Either way, her post is enlightening as a string of first-person observations.

The part of her writing I struggle most with a lack of political theory, let alone science. She does not touch on the essence of discord. Political science studies of violent protests around the world in the 1960s for example were keying in on the nature of change. Technology was a factor then also, and the time before and the time before, so a fundamental question is raised whether there are any lessons learned before. Maybe this is not the first time we’ve crossed this bridge.

Movements towards individualism, opportunity, creativity, and a true thinking and nourishing society appear to bring forth new technology, perhaps even more than new technology causes them. Just like the crossbow was developed to quickly reduce the ability of a swordsman to protect his interests, innovations in surveillance technology might have been developed to reduce the ability of a citizen to protect theirs. Unlike the crossbow, however, surveillance does not appear to be so clearly and consistently evil. Don’t get me wrong, more people than ever are working to classify uses of surveillance tools as evil. And some of it is very evil but not all of it.

Harder questions

Political science suggests there always is coercion in government. Most people do not mind some amount of coercion when it is exchanged for something they value. Then as this value shrinks, and progress towards a replacement value is not rapid enough, it generates friction and a return towards independence. So loss of independence theoretically can be a balance with some form of good.

It is obvious surveillance technology (e.g. Twitter) in many cases has found positive uses, such as monitoring health, natural disasters or accidents. It even can be argued political party hands have found beneficial uses for surveillance, such as fraud monitoring. The hard question is how to know when any act of surveillance, more than the latest technology, becomes evil by majority definition and what oversight is required to ensure we do not cross that point. She seems to suggest the individual is never safe:

[Companies and political parties] want us to click, willingly, on a choice that has been engineered for us. Diplomats call this soft power. It may be soft but it’s not weak. It doesn’t generate resistance, as totalitarianism does, so it’s actually stronger.

This is an oversimplified view of both company and political party relationships with individuals. Such an oversimplification makes it easy to “intertwine” concepts of rebellion and surveillance, and to reference diplomats as some sort of Machiavellian concept. The balance between state and individual is not inherently or always a form of deception to lull individuals into compliance without awareness of risks. There can actually be a neutral position, just as with technology.

What should companies and political parties offer us if not something they think we want? Should individuals be given choices that have not been engineered in any way? The act of providing a choice is often itself a form of engineering, as documented in elections with high rates of illiteracy (where candidates are “randomly” assigned an icon to represent them on ballots).

Should individuals be given a choice completely ignorant of our desires? That begs the very question of the market function and competition. It brings to mind Soviet-era systems that pretended to “ignore” desire in order to provide “neutral” choices by replacing it with centrally planned outcomes. We should think carefully about value offered to the individual by a government or a company and at what point value becomes “seduction” to maintain power through coercion.

Ultimately, despite having earlier criticized others for “retreating” to a neutral ground, her conclusion ends up in the same place:

Internet technology lets us peel away layers of divisions and distractions and interact with one another, human to human. At the same time, the powerful are looking at those very interactions, and using them to figure out how to make us more compliant.

In other words, Internet technology is neutral.

When we connect with others we may become more visible; the connection still has value when visibility is a risk. When we connect we may lose independence; the connection still has value when loss of independence is a risk.

It is disingenuous for us to label anyone that watches us as “the powerful” or to call ways that “make us more compliant” as inherently evil. Compliance can be a very good thing, obviously.

Zeynep offers us interesting documentation of first-person observations but offers little in the way of analysis and historical context. She also gives unfair treatment to basic political science issues and criticizes others before she seems to arrive at the same conclusion.

As others have said, it’s a “brilliant, profoundly disturbing piece”.

History, Security

Ethiopian Troops in Somalia Join AMISOM

Leave a comment

I was reading the news today and noticed “Kevin Knodell in War is Boring” says “Ethiopian Troops Have Returned to Somalia—That’s Not a Good Thing

This move was surprising—perhaps even shocking—as Ethiopia has a long and brutal history with Somalia in the form of border wars, invasions and accusations of torture, rape and executions.

There’s also a fear this has the potential to undo everything AMISOM has accomplished.

Well, I disagree with both; the move is not surprising and is not likely to undo everything. As a long-time student of the Horn of Africa, I am very intrigued by these conclusions. The headline seems overly confident and also pessimistic on the long-standing complicated border-conflict scenario that includes an ongoing rebellion and fractured state with external pressures.

Unfortunately I do not have time to rebut the entire article. Note in 2008 I mentioned how US foreign policy pushed an Ethiopian offensive into Somalia. Then I recommended in 2009, in a post called “Somalia Begs for Invasion,” that an AU-led stabilization force would be the best option to reduce regional conflict and guide foreign influences. AMISOM is the African Union Mission in Somalia. Almost six years later, I will take this opportunity to provide some analysis of how things are shaping up:

Recent Somali depictions of the conflict paint Ethiopia as brutal and meddling in their affairs. This is a sign of a strengthening sense of state and sovereignty by the Somalis; it also is to be expected. Somalia and Ethiopia both tend to trade harsh words at a high level. The fact is Somalia still is actually quite fractured and Ethiopia has many people sympathetic to Somali statehood.

On the one hand if you believe in realpolitik, then you might say this means Ethiopia will continue to destabilize Somalia for its own benefit, whatever that might be. In South Africa the destabilization of its neighbors was to prevent an uprising/invasion against Apartheid. What would Ethiopia’s reason be for weakening Somalia? This is not clear. Although I have written before why the U.S. wants to keep Somalia from forming sovereignty — to allow for “legal” elimination of high-value targets (e.g. terrorists). The more sovereignty Somalia establishes, the more difficult it becomes for the U.S. to ignore human and state rights against intervention.

On the other hand if you believe Ethiopia is worried about the impact to them from a destabilized neighboring state, then you might say it will drive an agenda (again perhaps influenced by U.S. policy) as I wrote about before here. Kenya has a very strong and active intervention policy we can observe.

Sending troops indicates Ethiopia could intend taking an active role in determining the fractured Somalia’s fate in the above two ways. However, the Horn of Africa is not so easily parsed into such neat boxes of one state intervening in another. The key to understanding this latest troop deployment is most likely related to Ethiopian domestic issues; an ongoing conflict over the Ogaden region within Ethiopia.

As I have written about before here, Ethiopia is cracking down on dissent and struggling to control the ONLF rebel group. In other words the move by Ethiopia to add troops to AMISOM may actually be a concern over a majority population in conflict with a minority in control; ethnic and political disputes. Operations/camps located across the border with Somalia would therefore drive Ethiopia to want greater access to defeat opposition. The Ogaden area has been in dispute for a very long time, particularly in 1948, 1964 and 1977, as well as 1996. Each of these events is rich and complex on their own; most relevant to the recent news is that fact Ethiopia invaded in 1996. They sent their military into areas of SW Somalia, on the border with the Ogaden, called Gedo, Bay and Bakool.

Where will the new Ethiopian troops joining AMISOM be stationed? Gedo, Bay and Bakool.

What I’m guessing, therefore, is that Ethiopia has managed to get international backing to put monitors in Somali territory to deal with Ogaden rebels attacking Ethiopia. Instead of invading, they have agreed to help “stabilize” the region while actually looking for anti-Ethiopian rebels. This also is about fighting with al Shabaab, of course, who also are anti-Ethiopian. And on that note it is important to realize that Ethiopia’s military is backing many of the Somali regions already fighting against al Shabaab. So this deployment is not altogether unusual in terms of support. It is unusual in that it may achieve the objectives of 1996 without declaration of war or unauthorized border crossing.

Ethiopian AMISOM troops do not seem entirely out of place. Calling it “not a good thing” is taking an odd position on a complex topic. The specific location of their assignment speaks to a complex and long-time brewing relationship between the two countries, and an Ethiopian internal dispute between Tigrayan leadership and Oromo rebels. This parallels action by Turkey to cross into northern Iraq, for example, to deal with Kurdish rebels. Note that Cheney specifically told Turkey that he wanted them to police northern Iraq. Thus, Ethiopian policing of a border area with rebel activity is not entirely unexpected. And because it’s part of an international effort instead of unilateral declaration of war…well, perhaps there’s some hope for AU control and even increased humanitarian oversight of the disputes. That is probably too optimistic, but AMISOM does claim to have oversight of the Ethiopian forces; better than if Ethiopia simply invaded again.

One final thought. Some want to depict the conflict as an Islamic Somali state against a Christian Ethiopia. The fact is Ethiopia has a largely Islamic population and the Ethiopian Army is led by an Islamic General who himself used to lead a Tigrayan rebel group (TPLF). Depicting all Somalis as opposed to an Ethiopian military presence or support is incorrect. Many Somalis have asked for Ethiopian intervention. Likewise, depicting this along religious lines also is incorrect.

Updated to add: Paul Williams suggested reading the “Providing for Peacekeeping” report by Solomon Ayele Dersso, from the Institute for Security Studies, Addis Ababa Office.
A “Rationale’s for Contributing” section is on page three:

  • Political
  • Economic
  • Security
  • Institutional
  • Normative

A “Barriers to Contributing” section is on page four:

  • Alternative institutional preferences for crisis management
  • Alternative political or strategic priorities
  • Resistance in the military
  • Lack of fit with legislative, procurement and operational timelines