Predator's Ball
This New York Times op-ed points to research which reveals the frequency of predators in finance.
"Studies conducted by Canadian forensic psychologist Robert Hare indicate that about 1 percent of the general population can be categorized as psychopathic, but the prevalence rate in the financial services industry is 10 percent. And Christopher Bayer believes, based on his experience, that the rate is higher."
The author then goes on to describe a mindset that has become commonplace in corporate boardrooms:
"Enron, BP, Goldman, Philip Morris, G.E., Merck, etc., etc. Accounting fraud, tax evasion, toxic dumping, product safety violations, bid rigging, overbilling, perjury. The Walmart bribery scandal, the News Corp. hacking scandal -- just open up the business section on an average day. Shafting your workers, hurting your customers, destroying the land. Leaving the public to pick up the tab. These aren't anomalies; this is how the system works: you get away with what you can and try to weasel out when you get caught."
The standard counter-argument goes something like this: sure, there are a few bad apples. But there are a lot of honest, hard-working executives in the workplace too. Deresiewicz responds by observing that ethical behavior is purely optional. I would further add that institutional forces also drive executives to behave as if they were psychopaths.
"There are ethical corporations, yes, and ethical businesspeople, but ethics in capitalism is purely optional, purely extrinsic. To expect morality in the market is to commit a category error. Capitalist values are antithetical to Christian ones. (How the loudest Christians in our public life can also be the most bellicose proponents of an unbridled free market is a matter for their own consciences.) Capitalist values are also antithetical to democratic ones. Like Christian ethics, the principles of republican government require us to consider the interests of others. Capitalism, which entails the single-minded pursuit of profit, would have us believe that it's every man for himself."
The "job creators" claim they're merely "doing god's work." -BB (2012-05-13)
The Danger of a Bad Precedent
In this essay Glenn Greenwald explains (once again) why it's dangerous to make exceptions to the rule of law, even when it seems justifiable:
"Julius Caesar... noted that Roman law forbids the execution of Roman citizens even for heinous crimes, and that executing the conspirators would thus require the creation of a radical and dangerous precedent: dangerous because to vest the power in the State to kill its own citizens, even if justified in the specific case where it is first done, would be to vest the power generally and thus ensure its inevitable abuse."
The same dynamic is at work with the Glomar Doctrine, a policy which:
"Allows government agencies to respond to requests under the Freedom of Information Act, or FOIA, by refusing to confirm or deny the existence of the records that have been requested."
When the Glomar Doctrine was first established, there seemed to be legitimate reasons for it. But now...
"The C.I.A. has grossly abused it, in cases relating to the targeted killing program and other counterterrorism operations. It is invoking the doctrine not to protect legitimately classified information from disclosure, but to shield controversial decisions from public scrutiny and to spare officials from having to defend their policies in court."
In order to govern and make constructive decisions, citizens need access to accurate information. -BB(2012-05-08)
The Deindustrialization Of America
Author Michael Snyder laments that:
"We are witnessing the deindustrialization of America. Tens of thousands of factories have left the United States in the past decade alone. Millions upon millions of manufacturing jobs have been lost in the same time period. The United States has become a nation that consumes everything in sight and yet produces increasingly little."
If a manufacturing country like China wants to engage us in a trade war, what do you think would happen? We don't make anything... -BB (2012-05-06)
IMF Study on U.S. Economic Inequality
This IMF report describes a process of economic extraction that has been utilized over the past few decades:
"The poor and the middle class seem to have resisted the erosion of their relative income position by borrowing to maintain a higher standard of living; meanwhile, the rich accumulated more and more assets and invested in assets backed by loans to the poor and the middle class. Consumption inequality that is lower than income inequality has led to much higher wealth inequality."
In other words, profits made at the expense of stagnating wages, cutbacks, and increased efficiencies have been invested... so that the rich can loan the money back to us and charge us interest on it.
Paul Krugman points out the ultimate culprit:
"The real structural problem is in our political system, which has been warped and paralyzed by the power of a small, wealthy minority. And the key to economic recovery lies in finding a way to get past that minority's malign influence."
Our Republic has suffered a Corporate Coup d'Etat. - BB(2012-05-04)
The Economic Game Plan of the 1%
The GOP's Paul Ryan spells it out:
"Cut income tax rates and simplify the code, privatize Medicare, shrink the food-stamp and Medicaid programs and turn almost all control over to the states, and reduce domestic federal spending to its smallest share of the economy since World War II."
This op-ed warns that:
"The slow start for the economy in 2012 - an annual rate of 2.2 percent in the first three months of the year - is evidence that the recovery is too weak to push joblessness much lower than its current 8.2 percent, and too fragile to withstand the kinds of budget cuts Congressional Republicans are proposing."
Noam Chomsky further explains that:
"The reason is that state governments are much more under the control of private business than the federal government is. The federal government's big enough so that, you know, it can somehow stand up against private power to some extent. State governments, it's hopeless. I mean, even middle-sized businesses can play one state against another."
For good measure, Paul Krugman choke slams Mitt Romney:
"Not long ago, conservatives gushed over Ireland's economic policies, especially its low corporate tax rate; the Heritage Foundation used to give it higher marks for 'economic freedom' than any other Western nation. When things went bad, Ireland once again received lavish praise, this time for its harsh spending cuts, which were supposed to inspire confidence and lead to quick recovery. And now, as I said, almost a third of Ireland's young can't find jobs."
At least the Democrats try to assume a low profile when they cater to the 1%. -BB(2012-04-30)
No Moral High Ground Here
As usual, the universal apology ("national security") is brought out by decision makers to explain away torture.
"But we did the right thing for the right reason. And the right reason was to protect the homeland and to protect American lives. So yes, I had no qualms."
Another approach is to re-direct our attention to an equally disturbing practice:
"We don't capture anybody any more, Lesley. You know their default option of this Administration has been to kill all prisoners. Take no prisoners."
Nevertheless, even the Inspector General of the CIA concluded that there's no solid proof that torture works (see page 89):
"There is limited data on which to assess their [Enhanced Interrogation Techniques] individual effectiveness."
Senator John McCain agrees that not only is torture ineffective, but it also robs us of any sort of moral authority. -BB (2012-04-30)
They Get Bailed Out, We Get Sold Out
With homage to Chomsky, Rob Urie takes this meme and applies it to our military campaigns in the Middle East:
"The wars in Iraq and Afghanistan are wars over resources, primarily oil. In the minds of war architects they may serve a broader geopolitical purpose, but that purpose is at its core economic --maintaining a ready supply of oil for multinational oil companies. The wars were estimated some years ago to cost several trillion dollars. This amount is to be borne by taxpayers, not to mention the human toll in lives and lost possibilities. Another way to phrase this is: 'oil companies and military contractors got bailed out, we got sold out.'"
With regard to implementing this purpose, the tip of the spear is well-protected by state sanctioned secrecy:
"The rest of the world has had few illusions about where American wealth comes from. The CIA has long functioned as an oil mafia undermining democratically elected and democratically functioning governments to control oil for private interests. The American military has been a tool of private American interests for most of its existence. And these government agencies are economies unto themselves receiving 'black' budgets over which there is little oversight or accountability."
Witness the efficacy of corporate extraction and exploitation. -BB (2012-04-29)
Heywood, Hakluyt, and Shell Oil
According to the New York Times, Neil Heywood, the British businessman who was allegedly murdered in China, had ties to Hakluyt & Company, a private-sector spook outfit established by former MI6 officers.
"The private intelligence firm Hakluyt, founded by former officials with MI6, the British secret intelligence service, said Mr. Heywood had occasionally worked as one of its associates, helping prepare due-diligence reports on Chinese companies for investors. That association, even if it had ended months before his death, inspired speculation that he was a spy, although an official with the Foreign Office in London effectively denied that."
There are mixed stories about Heywood's final hours. The Wall Street Journal has him acting like a hunted animal. On the other hand, The Telegraph characterized him as being happy.
There are whispers that Hakluyt is still on Shell Oil's payroll. This isn't necessarily surprising, as Shell has made use of Hakluyt's clandestine services before. Shell Oil has done business in Chongqing, the city where it is believed that Mr. Heywood was murdered. The Wall Street Journal recently reported that Shell "signed the first production-sharing contract to explore, develop and produce shale gas in China." This deal was signed with China National Petroleum Corporation, which has ties to several people involved in this scandal. -BB (2012-04-28)
More Cyber Worst-Case Scenarios
Yesterday, in a hearing of the House Subcommittee on Oversight, Investigations, and Management (OMI), Cyber-Hype got some air time:
"The US government, critical infrastructures, American business institutions and our personal data are being compromised by nation states and hacker groups. The intent is to conduct cyber warfare, possibly paralyzing our infrastructure, stealing our intellectual property, conducting espionage, and gaining access to our credit card, bank account and social security numbers."
It's no surprise that the legislator who made these statements, Michael McCaul (R-TX), has received campaign money from the likes of Raytheon, Boeing, VeriSign, and Lockheed Martin.
In accordance with Ferguson's Investment Theory of Politics, McCaul is merely catering to the wants and needs of his constituents (e.g. defense contractors).
Forget Cyberwar. Let's focus on serious threats, like greedy bankers. -BB (2012-04-25)
Who's Afraid of the SEC?
According to 60 Minutes, Lehman execs have relative immunity from SEC prosecution:
"There is one plausible explanation why the SEC hasn't gone after top Lehman executives. As it turns out, some of Lehman's most egregious accounting shenanigans took place right under the noses of government regulators."
It probably didn't help that the regulators in the SEC were outgunned when it came to grasping the rocket-science internals of derivatives.
"They may not have had the expertise necessary to understand the material they were receiving. They were getting the material. Whether they understood it is another question."
All of this complexity is a shroud that bankers hide behind. What's more, because officials in DC see these execs as being privy to the inner workings of certain opaque financial products, Washington brings the execs back to clean up the mess that they created. Sensible minds would have reinstated the Glass-Steagall Act. No such luck. -BB (2012-04-23)
Emmanuel Saez and Thomas Piketty Speak
These world-class economists, who documented the growth of economic inequality in the United States, broach the subject of taxation:
"Their proposed corrective remains far outside the bounds of polite political conversation: much, much higher top marginal tax rates on the rich, up to 50 percent, or 70 percent or even 90 percent, from the current top rate of 35 percent."
"Mr. Piketty and Mr. Saez argue that history is on their side: Many countries have higher tax rates -- and the United States has had higher tax rates -- without stifling growth or encouraging the concentration of income in the hands of the very rich."
The Heritage Foundation and its ilk would warn that this would deter investment and hurt the economy. Warren Buffett easily dispels this myth:
"I have worked with investors for 60 years and I have yet to see anyone - not even when capital gains rates were 39.9 percent in 1976-77 - shy away from a sensible investment because of the tax rate on the potential gain. People invest to make money, and potential taxes have never scared them off."
Related: According to a report from Mother Jones:
"Between 2008 and 2011, 26 major American corporations paid no net federal income taxes despite bringing in billions in profits."
Related: The 2 Americas: Big vs. Small Business.
"When big corporations use offshore tax havens, small businesses pay the price -- literally. If they were to cover the cost of corporate abuse of tax havens in 2011, the average U.S. small business would pay $2,116."
Related: It Pays to Lobby.
"280 profitable Fortune 500 companies collectively received $223 billion in tax breaks between 2008 and 2010 while contributing $216 million to Congressional candidates over the last four election cycles."
Thanks to front men like Grover Norquist, the gridlock we see in Congress is not an accident. -BB (2012-04-17)
'Information Sharing' is a Euphemism
The San Jose Mercury News has published a report on the emerging concept of public-private partnerships to fight cybercrime.
"On Monday, in a sign these concerns are shared at the highest levels of the Obama administration, Homeland Security Secretary Janet Napolitano will make a personal pitch for help to tech companies in San Jose. And Congress is mulling several bills to encourage government and business to share intelligence about the computerized threats."
"Also sounding alarms is Gen. Keith Alexander, director of the National Security Agency and commander of U.S. Cyber Command, which guards military networks. At an October conference he appealed for the private and public sectors to work together because 'this is something that we cannot do by ourselves.'"
Related: The EFF states that:
"The bill expressly authorizes monitoring of our private communications, and is written so broadly that it allows companies to hand over large swaths of personal information to the government with no judicial oversight--effectively creating a 'cybersecurity' loophole in all existing privacy laws."
Take action: here. -BB (2012-04-15)
China's 1% Duke It Out in Public
This L.A. Times article exposes a rift in the upper echelons of China's ruling class. The implications are disturbing.
"Last month, Bo [Xilai] lost his job, fired over what was described in a Communist Party statement released through state media this week as 'serious discipline problems.' The statement also said Gu [Bo's wife] and a family aide were under arrest as suspects in the November death of Neil Heywood, a 41-year-old British businessman and a longtime family friend."
It would appear that, similar to the basic dynamic in the United States, rule of law breaks down as one ascends the power structure. Recall the case of Viktor Bout. Are Chinese officials only willing to enforce the law now that Bo has outlived his usefulness? Would this murder have been investigated as rigorously if Bo had chosen not to rock the boat? All animals are equal, only some are more equal than others. Especially in China. -BB(2012-04-11)
Related: this New York Times article observes that:
"In the view of some analysts and party insiders, that same scandal has raised the notion of high-level misconduct among China's elite to a level that some say could have far-reaching and unpleasant implications for stability. It could cast a long shadow over one of the party's linchpins: the notion that a handful of all-powerful officials and retired elders are better qualified to pick their successors than are ordinary citizens."
Colleges Run Screaming From Metrics
This article reveals how universities have become concerned that people may begin to evaluate the quality of their programs. Educators contend that:
"I'm not sure any standardized test can effectively measure what students gain in problem-solving, or the ability to work collaboratively"
Of course, there's no reason to shell out $80,000 to learn how to problem-solve or work collaboratively. The best way to acquire these tools is through direct experience in the field, not in a classroom. Organic chemistry and quantum mechanics, now that's a different story...
"In 2008, the Consortium on Financing Higher Education, a group of some of the nation's most prestigious colleges and universities --including all of the Ivy League-- issued a lengthy manifesto saying that what its students learn becomes evident over decades and warning against a 'focus on what is easily measured.'"
Would you join a weight loss program that didn't believe in scales? The people who ran such a business could shower customers with a litany of alleged benefits without having to demonstrate any sort of concrete results. The Ivy League institutions, in particular, face the unpleasant prospect of people realizing that the diplomas they sell are merely pricey ornaments made of paper. -BB (2012-04-08)
Final Words of Dimitris Christoulas
"The Tsolakoglou government has annihilated all traces for my survival, which was based on a very dignified pension that I alone paid for 35 years with no help from the state. And since my advanced age does not allow me a way of dynamically reacting (although if a fellow Greek were to grab a Kalashnikov, I would be right behind him), I see no other solution than this dignified end to my life, so I don't find myself fishing through garbage cans for my sustenance. I believe that young people with no future, will one day take up arms and hang the traitors of this country at Syntagma square, just like the Italians did to Mussolini in 1945."
Think Tank Beats War Drums
The New York Times has covered a monograph released by the Brookings Institution:
"At a seminar last week at Tsinghua University in Beijing, where Brookings finances a study center, Mr. Lieberthal said there was an increasing belief on both sides that the two countries would be 'antagonistic in 15 years.' That would mean major military expenditures by both countries to deter each other, and pushing other countries to take sides."
The tone of this content is very telling. In the late 1970s, a decorated CIA officer named John Stockwell went public. In his book, The Praetorian Guard, he stated that:
"Enemies are necessary for the wheels of the U.S. military machine to turn."
The Times article above also makes reference to cyber operations originating from within China (based on, e.g., source IP addresses).
"American law enforcement officials see an alarming increase in Chinese counterespionage and cyberattacks against the United States that they have concluded are directed by the Chinese authorities to gather information of national interest."
Some concrete proof might be nice, the kind that stands up in a court of law.
Richard Clarke, in a separate Times op-ed, believes that traffic inspection is the way out:
"The Department of Homeland Security could inspect what enters and exits the United States in cyberspace. Customs already looks online for child pornography crossing our virtual borders. And under the Intelligence Act, the president could issue a finding that would authorize agencies to scan Internet traffic outside the United States and seize sensitive files stolen from within our borders."
Yet, it's dangerous to institute the tools of a Police State and simply assume that they'll never be abused. Classified Executive Orders seem to be in fashion at the moment... -BB(2012-04-03)
Flawed Cyber Legislation and Security for The 1%
The EFF discusses Senator Joseph Lieberman's Cybersecurity Act of 2012 (S. 2105) and McCain's SECURE IT Act (S. 2151):
"As written, these bills could provide immunity to ISPs and other private and government actors for all of the egregious behavior outlined above involving the monitoring, blocking, and modification of data packets."
This post also highlights an aspect of cybersecurity that's traditionally ignored by lawmakers:
"The intelligence community within the government benefits from keeping attacks secret so that they can be deployed against our enemies, and very likely stockpiles zero-day exploits for this offensive purpose. There is then pressure to selectively harden sensitive targets while keeping the attack secret from everyone else and leaving popular software vulnerable. This is 'security for the 1%,' and it makes the rest of us less safe. "
Elected officials want to avoid laws that might offend their investors (software vendors) in the private sector. -BB(2012-03-25)
Update (2012-04-02): An article at Forbes reports that iOS exploits garner the highest payday.
Emmanuel Saez: Income Gap Is Getting Worse
Professor Saez has updated his paper "Striking it Richer: The Evolution of Top Incomes in the United States" to include data up to the end of 2010. His conclusions are not encouraging.
"In 2010, average real income per family grew by 2.3% (Table 1) but the gains were very uneven. Top 1% incomes grew by 11.6% while bottom 99% incomes grew only by 0.2%. Hence, the top 1% captured 93% of the income gains in the first year of recovery."
The political operatives of the 1% think this is a good thing:
"There is income inequality in America. There always has been and hopefully, and I do say that, there always will be."
Perhaps these apologists should visit the Third World to see exactly where we're headed. The kind of inequality we're witnessing is a threat to our republic. -BB(2012-03-14)
What Scientist Shortage?
Beryl Benderly exposes the myth of the skill shortage:
"For years the US has produced ample numbers of excellent science students. In fact, according to the National Science Board's authoritative publication Science and Engineering Indicators 2008, the country turns out three times as many STEM degrees as the economy can absorb into jobs related to their majors."
The reports which claim that we don't have enough grads in the hard sciences are driven by greedy corporate interests that want access to cheap labor. I applaud the Columbia Journalism Review for honestly covering this topic. -BB (2012-03-02)
Related: don't let the recent unemployment figures fool you. As Dave Lindorff remarks:
"The US economy is in the same swamp that it has been in for the past four years, and the American people are still being screwed by a system that is all about shifting wealth from the bottom and the middle up the top 1%."
WikiLeaks Releases Global Intelligence Files
"Today, Monday 27 February, WikiLeaks began publishing The Global Intelligence Files -- more than five million emails from the Texas-headquartered 'global intelligence' company Stratfor. The emails date from between July 2004 and late December 2011. They reveal the inner workings of a company that fronts as an intelligence publisher, but provides confidential intelligence services to large corporations, such as Bhopal's Dow Chemical Co., Lockheed Martin, Northrop Grumman, Raytheon and government agencies, including the US Department of Homeland Security, the US Marines and the US Defense Intelligence Agency. The emails show Stratfor's web of informers, pay-off structure, payment-laundering techniques and psychological methods."
This demonstrates that nation states don't have a monopoly on intelligence collection and analysis. - BB(2012-02-27)
The 1% Paints Anonymous as Existential Threat
They're back at it again: the Cult of Cyberwar has revealed a new marketing twist on their standard doomsday message, switching from China to Anonymous. George Smith breaks it down:
"One of the central features of cyberwar/cyberattack scaremongering is argument from authority. US officials have abused it for personal and political agendas for well over a decade. In the process, they've destroyed any legitimacy, relying totally on fantastic and apocalyptic claims, never backing anything up other than with assertion one had better listen up because very important people are all repeating the same claims. Noam Chomsky called it manufacturing consent. Now it's gulling the rubes for personal gain."
Related: The Atlantic questions:
"Ask yourself if Anonymous should be deemed a terrorist group. Who has Anonymous hurt? What kinds of laws have they broken? Are they pursuing weapons? Do they sell drugs? Do they have guns? What credible evidence do we have that they are trying to hurt regular citizens? If not, what is gained by lumping them in along with real and persistent threats to Americans?"
For all to see... this is the rain dance of the 1%. -BB(2012-02-23)
Lost Chapter Now Available
There are reasons why an open debate about the role of money in politics has been stymied. It goes without saying that a truly honest conversation about the formulation of public policy is bound to make the vast majority of elected officials uneasy. The relatively small group at the top of the income spectrum is in a position where they can exert their leverage, directly or indirectly, to muddy the water and silence dissent. In some cases the mere threat of reprisal is enough to quell voices of opposition.
The 1st edition of The Rootkit Arsenal, published back in the summer of 2009, included a short epilogue that raised questions about the underlying integrity of the political system in the United States. It used the metaphor of a malware infestation to discuss aspects of popular participation and means of control. In preparing the forthcoming 2nd edition, this material has been extended and explores territory that has just barely received attention from the major news outlets. Though the publisher has opted not to include this content, it has been made available here.
The War Logs and "National Security"
In this article from the Daily Beast we see the U.S. government admitting that the Significant Activity reports in question (the documents contained in the Iraq and Afghan war logs) did NOT contain information that would compromise our key sources.
"Would a SIGACT, if it was released, compromise our key sources?"
"No sir."
National security is the perfect apology, an all-purpose justification used to marginalize us and give free rein to those who would abuse it. -BB(2011-12-18)
The 2012 National Defense Authorization Act
This op-ed, written by two retired four-star Marine generals, notes that U.S. legislators believe that we must choose between our safety and our ideals:
"One provision would authorize the military to indefinitely detain without charge people suspected of involvement with terrorism, including United States citizens apprehended on American soil. Due process would be a thing of the past. Some claim that this provision would merely codify existing practice. Current law empowers the military to detain people caught on the battlefield, but this provision would expand the battlefield to include the United States -- and hand Osama bin Laden an unearned victory long after his well-earned demise."
For details, see section 1031 of this bill. The very fact that something of this nature has been attempted should raise a red flag. As Dave Lindorff observes:
"A hollowed-out country like this one, which is under-funding education, health care, infrastructure investment, research, and environmental protection, while its governing class steadily disenfranchises, disempowers, and impoverishes the public while systematically taking away their right to protest, is ultimately doomed."
Dana Priest has reported on the vast domestic security apparatus that was built up in the wake of 9/11. Revisit the above op-ed one more time and consider this development. Then consider who funds all those lobbyists in D.C. -BB(2011-12-17)
Putting a Face on the 1%
Sylvia Allegretto, a labor economist from Berkeley, takes a look at the Forbes 400 and compares it to the Survey of Consumer Finances (SCF).
"The Forbes list reveals that six Waltons -- all children (one daughter-in-law) of Sam or James 'Bud' Walton the founders of Wal-Mart -- were on the list. The combined worth of the Walton six was $69.7 billion in 2007 -- which equated to the total wealth of the entire bottom thirty percent!"
Six people own more than the bottom 30%. Can you imagine the political influence these six people have? Somebody funds all those lobbyists. It's only natural that these people have moved to cut back on employee benefits. -BB(2011-12-15)
Related: The Guardian reports that the top one percent received 27-40% pay hikes last year. How are you doing?
Old School Journalists Line Up
Julian Assange has recently become a target for columnists like David Brooks and Marc Thiessen. They say he's an "old-fashioned anarchist" and that WikiLeaks is a "criminal enterprise." Really?
David Samuels provides a degree of clarity to what's really at stake.
"The fact that so many prominent old school journalists are attacking him with such unbridled force is a symptom of the failure of traditional reporting methods to penetrate a culture of official secrecy that has grown by leaps and bounds since 9/11, and threatens the functioning of a free press as a cornerstone of democracy."
"The result of this classification mania is the division of the public into two distinct groups: those who are privy to the actual conduct of American policy, but are forbidden to write or talk about it, and the uninformed public, which becomes easy prey for the official lies exposed in the Wikileaks documents."
John Young of Cryptome chimes in about the media's double standard:
"This scapegoating of WikiLeaks and Assange by the New York Times counsel commences a defense against prosecution for conspiracy. Expect all those who have profited from the WikiLeaks salacious material and worldwide consumption of it, including the WSJ, will do the same. Official secrecy is the biggest cause of leaks, and nobody leaks more than governments and lawyers in their own interest, under guise of national security, law and order, fair play, and other dissimulation."
The media relies heavily on the government as a source of information. You can expect the major outlets to toe the line. -BB(2011-12-14)
Why They Occupy
While critics have claimed a lack of focus, this is just misinformation. As Robert Fisk explains, people are outraged because:
"They have for decades bought into a fraudulent democracy: they dutifully vote for political parties which then hand their democratic mandate and people's power to the banks and the derivative traders and the rating agencies, all three backed up by the slovenly and dishonest coterie of 'experts' from America's top universities and 'think tanks', who maintain the fiction that this is a crisis of globalization rather than a massive financial con trick foisted on the voters."
Mark Shields adds:
"I think the message, which is, people say, unclear is a lot stronger than the messenger... It cuts across partisan, religious, racial, age divisions. So I think that is a direct consequence of the movement. I think the movement's message has been very effective in getting across."
Internet Freedom Hypocrisy
Our Secretary of State proclaims the following during a speech at The Hague:
"This is an urgent task. It is most urgent, of course, for those around the world whose words are now censored, who are imprisoned because of what they or others have written online, who are blocked from accessing entire categories of internet content, or who are being tracked by governments seeking to keep them from connecting with one another."
Glenn Greenwald points out the obvious double standard:
"What Hillary Clinton is condemning here is exactly that which not only the administration in which she serves, but also she herself, has done in one of the most important Internet freedom cases of the last decade: WikiLeaks. And beyond that case, both Clinton specifically and the Obama administration generally have waged a multi-front war on Internet freedom."
Once again, Clinton wields the unspoken assumption of American exceptionalism. -BB(2011-12-09)
Related: WikiLeaks has published an information pack on the banking blockade.
The Oligarchy Spells Out Its Endgame
Henry Ford paid his workers enough so that they could buy the cars they produced. Alan Nasser points out that this dynamic has changed:
"Conventional economic wisdom teaches that it is not in the interests of employers to drive wages down to desperation levels, since most consumers are wage earners and consumption demand generates from 66 to 72 percent of the Gross Domestic Product. Were employers to drive wages too low they would at the same time destroy their customer base, which is good for neither capital nor labor. This line of reasoning assumes that capitalism is organized such that each nation's labor market is both entirely domestic and the sole source of the demand for its economy's output. But capitalism is a global system and its sovereign components are not closed economies."
The emergence of demand in other countries allows business leaders to profit by hollowing out the American middle class. Our loss is their gain, because they don't care what we can or cannot afford. After all, they can always give us loans so that we can purchase what they tell us we should have.
These people at the top are pressing their advantage and they're in this game to take it all. -BB(2011-12-03)
The U.S. Financial System and Drug Money
Years ago I read about this in Michael Ruppert's book Crossing the Rubicon, but wasn't sure what to make of it. Here we see that Mr. Ruppert was indeed right on target:
"Banking powerhouse Wachovia Corp. last year agreed to pay $160 million in forfeitures and fines after U.S. federal prosecutors accused it of 'willfully' overlooking the suspicious character of more than $420 billion in transactions between the bank and Mexican currency-exchange houses - much of it probably drug money, investigators say."
As Ruppert points out, any business with access to cheap raw materials (capital, in the case of banking) has a notable advantage. Large banks might just overlook nearly half a trillion dollars' worth of drug-related business because it serves shareholders.
Notice how no one goes to jail for fundamentally enabling an industry that results in untold misery and destruction. Again, this just goes to show you who really runs this country. -BB (2011-12-02)
Related: check out Roger Ebert's review of Ruppert's 2009 documentary.
The International Mass Surveillance Industry
There's a whole industry that caters to police states. WikiLeaks is helping to expose it.
"'Who here has an iPhone?' Assange asked attendees of the press conference in London. 'Who here has a Blackberry? Who here uses Gmail? Well you are all screwed. The reality is intelligence contractors are selling right now to countries across the world mass surveillance systems for all of those products.'"
According to the same coverage, Assange also warned that:
"SSL is no longer safe and alleged that intelligence agencies have compromised Certificate Authorities (CAs). CAs issue digital certificates used for SSL. Hundreds of intermediate CAs can issue SSL certificates linked back to a root CA."
This is not a good sign. Browsers trust every root in their store equally, so a single compromised CA anywhere in that hierarchy can issue a certificate for any domain that clients will accept without complaint. -BB(2011-12-02)
Bailout Secrets Revealed
Again, we see how secrecy is used to marginalize us.
"The Fed didn't tell anyone which banks were in trouble so deep they required a combined $1.2 trillion on Dec. 5, 2008, their single neediest day. Bankers didn't mention that they took tens of billions of dollars in emergency loans at the same time they were assuring investors their firms were healthy. And no one calculated until now that banks reaped an estimated $13 billion of income by taking advantage of the Fed's below-market rates."
"The amount of money the central bank parceled out was surprising even to Gary H. Stern, president of the Federal Reserve Bank of Minneapolis from 1985 to 2009, who says he 'wasn't aware of the magnitude.' It dwarfed the Treasury Department's better-known $700 billion Troubled Asset Relief Program, or TARP. Add up guarantees and lending limits, and the Fed had committed $7.77 trillion as of March 2009 to rescuing the financial system, more than half the value of everything produced in the U.S. that year."
Lawmakers weren't aware of details. Even they were marginalized. This fact, all by itself, demonstrates who wields the real power in this country. -BB(2011-11-29)
Secrecy and Soft Money in D.C.
A couple of weeks ago, 60 Minutes ran a story that examines ideas presented in a book written by Peter Schweizer of the Hoover Institution. Schweizer contends that:
"The fact is, if you sit on a healthcare committee and you know that Medicare, for example, is considering not reimbursing for a certain drug that's market moving information. And if you can trade stock off of that information and do so legally, that's a great profit making opportunity. And that sort of behavior goes on."
"The buying and selling of stock by corporate insiders who have access to non-public information that could affect the stock price can be a criminal offense, just ask hedge fund manager Raj Rajaratnam who recently got 11 years in prison for doing it. But, congressional lawmakers have no corporate responsibilities and have long been considered exempt from insider trading laws, even though they have daily access to non-public information and plenty of opportunities to trade on it."
"In mid September 2008 with the Dow Jones Industrial average still above ten thousand, Treasury Secretary Hank Paulson and Federal Reserve Chairman Ben Bernanke were holding closed door briefings with congressional leaders, and privately warning them that a global financial meltdown could occur within a few days. One of those attending was Alabama Representative Spencer Bachus, then the ranking Republican member on the House Financial Services Committee and now its chairman."
"These meetings were so sensitive-- that they would actually confiscate cell phones and Blackberries going into those meetings. What we know is that those meetings were held one day and literally the next day Congressman Bachus would engage in buying stock options based on apocalyptic briefings he had the day before from the Fed chairman and treasury secretary. I mean, talk about a stock tip."
They say that the grandfather clock in the Skull-and-Bones Tomb at Yale is set 5 minutes fast. There's something to this, as financial institutions profit by being first, by being smarter, or by cheating. Offering access to information, which can then be monetized, is a more subtle means of influence peddling. Compare this to the brazen tactics of a lobbyist like Grover Norquist, who'll threaten to unseat Republicans who don't sign his pledge. As Cryptome's John Young explains:
"Secrecy poses the greatest threat to the United States because it divides the population into two groups, those with access to secret information and those without. This asymmetrical access to information vital to the United States as a democracy will eventually turn it into an autocracy run by those with access to secret information, protected by laws written to legitimate this privileged access."
This may help to explain why the founders of the CIA were heavily involved in finance. -BB(2011-11-27)
Against the Corporatocracy
Judging by a DHS threat assessment of the Occupy Pittsburgh campaign, authorities seem to think that the protests are primarily "focused on the banking and finance sector."
This merely hints at the core goals of this movement, which aims to instigate a "soft regime change" to "end the pervasive corruption at the heart of our political system, in which corporate money wins elections, drafts laws and trumps citizen desires."
It's not just indignation at the all-consuming greed of certain financial institutions. It's a desire to fundamentally alter our political institutions to remove the influence of big money. -BB (2011-11-25)
EU Enters its Endgame
In this New York Times op-ed Ross Douthat describes how the 'Groupe de Francfort (GdF)' is reminding everyone who's really in charge:
"There were few tears in Italy and Greece for Silvio Berlusconi and George Papandreou, the prime ministers -- respectively corrupt and hapless -- whose downfalls were engineered by the Brussels-Berlin-Paris axis. But their forced departures, however welcome, open a troubling window on what a true European state would look like. Stability would be achieved at the expense of democracy: the rituals of parliaments and elections would endure, but the real decision-making power would pass permanently to the forces represented by the so-called 'Frankfurt Group' -- an ad hoc inner circle consisting of Germany's Angela Merkel, France's Nicolas Sarkozy and a cluster of bankers and E.U. functionaries, which has spearheaded European crisis management since October."
You can expect to see more of this as decision makers encourage us to passively accept what's transpiring. -BB(2011-11-20)
Financial Lobbying Firm Proffers Attacks Against OWS
Lobbyists see a chance to cash in.
"A well-known Washington lobbying firm with links to the financial industry has proposed an $850,000 plan to take on Occupy Wall Street and politicians who might express sympathy for the protests...The proposal was written on the letterhead of the lobbying firm Clark Lytle Geduldig & Cranford and addressed to one of CLGC's clients, the American Bankers Association."
This is a novel trench-level view of the 1%'s propaganda machine. -BB(2011-11-19)
Related: Read about the "Lower Manhattan Security Initiative." The decision makers have been quietly coordinating their own strategy.
Rootkit Arsenal Plagiarism
Very interesting...
"The InfoSec Institute (infosecinstitute.com) offers a variety of training on security topics such as penetration testing and reverse engineering. After it was discovered that ISI took large portions of material from Corelan.be without credit or license, additional review was performed of available material. This included a presentation from founder/owner Jack Koziol and other contract instructors. It became clear that the Corelan incident was not a one-off, and likely not the work of a rogue contractor as ISI claimed."
Greetings to Reddit and attrition.org. -BB(2011-11-19)
The Growing Edifices of the Security State
In the wake of 9/11 our decision makers funneled hundreds of billions of dollars into our intelligence apparatus. Yet, as Richard Clarke explains:
"We're all very glad that bin Laden has finally been caught, but it was a handful of people. It wasn't this enormous, bloated, tens of thousands of people apparatus that we've set up. It was a small, highly-skilled, highly dedicated group of intelligence analysts. That's who found him, not all of these contractors, not these giant agencies and giant centers."
This point raises other questions. Dana Priest, for example, asks:
"Why do we need such a large intelligence effort ---the 1,300 agencies we identified that are a part of this effort--- to defeat a couple thousand people?"
Perhaps Chris Hedges can shed some light on the topic:
"George Orwell wrote that all tyrannies rule through fraud and force, but that once the fraud is exposed they must rely exclusively on force. We have now entered the era of naked force. The vast million-person bureaucracy of the internal security and surveillance state will not be used to stop terrorism but to try and stop us."
As Miles Copeland has observed, our security services are firmly a part of the establishment. -BB(2011-11-15)
Related: City Councilman Ydanis Rodriguez would probably agree.
Politics: "The Shadow Cast on Society by Big Business"
Chomsky describes how the elite have given up on the social contract that emerged after WWII. Now they're just out to save themselves.
"In the past 30 years, the 'masters of mankind,' as Smith called them, have abandoned any sentimental concern for the welfare of their own society, concentrating instead on short-term gain and huge bonuses, the country be damned -- as long as the powerful nanny state remains intact to serve their interests."
The New York Times just published an op-ed by Jeff Sachs where he offers a few ideas on how to implement change:
"Shareholders, for example, should pressure companies to get out of politics. Consumers should take their money and purchasing power away from companies that confuse business and political power."
Is this realistic, given that large segments of shareholders might actually have a vested interest in lobbying elected officials? Will we, as consumers, be able to act as a countervailing force? It may not be so simple. The people who actually control this country have demonstrated in the past exactly how far they'll go to maintain control and criminalize dissent. -BB(2011-11-14)
Related: The Miracles of Modern Propaganda
"Ronald Reagan beat out Franklin Delano Roosevelt as the former president Americans would like to see in the White House during these trying economic times."
National Security, Secrecy, and Viktor Bout
Viktor Bout is an international arms dealer who hails from Russia. He was extradited to the United States in 2010 from a prison in Thailand. Earlier this month he was convicted of conspiracy to kill U.S. citizens and provide aid to a terrorist organization.
Daniel Estulin traveled to Thailand to interview Bout before he was extradited.
The New York Times points out that:
"Irbis Air [Owned by Bout] landed in Baghdad 92 times between January and May 2004, while also conducting deliveries elsewhere in Iraq. Mr. Bout earned $60 million between 2003 and 2005 -- in addition to the free fuel that the United States military gave to regular cargo operators."
"Mr. Bout's client list in Iraq made for intriguing and damning reading: The United States Air Mobility Command, Federal Express, Fluor and KBR, among others. At the time Mr. Bout was supposedly wanted by the F.B.I. and the C.I.A., as well as being the subject of an Interpol arrest warrant."
Apparently the law does not apply to people who are useful to decision makers. Our rulers conveniently turn a blind eye and then shroud what's going on under the veil of national-security-imposed secrecy. The decision makers themselves are likewise immune. -BB(2011-11-12)
The Danger of a Band-Aid Solution
In an article that's been published by The Economist readers are told that:
"Braver politicians would focus on two things. The first is tackling the causes of the rage speedily. Above all that means doing more to get their economies moving again."
In a sense, there's misdirection taking place. The state of our economy is not a root cause, only a symptom. The markets upon which our economy is based are governed by rules that our legislators establish. Starting in the 1970s, industry leaders got organized and executed what is essentially a corporate coup. The market crash of 2008 is merely a natural result of this.
Talking about the economy is easier; it saves people from facing a more painful reality about who runs this country and how they operate. Better to stick to band-aid solutions that placate Main Street without really threatening Wall Street. This is tragic, because the fundamental problem and its consequences will continue to plague us however we address its symptoms. -BB(2011-11-09)
The Intellectual Corruption of The 1%
NYC Mayor Michael Bloomberg shows his true colors when explaining the cause of the mortgage crisis:
"It was not the banks that created the mortgage crisis. It was, plain and simple, Congress who forced everybody to go and give mortgages to people who were on the cusp."
Matt Taibbi reveals this for what it is: a pathetic conservative talking point.
"This was an orgiastic stampede of lending, undertaken with something very like bloodlust. Far from being dragged into poor neighborhoods and forced to give out home loans to jobless black folk, companies like Countrywide and New Century charged into suburbs and exurbs from coast to coast with the enthusiasm of Rwandan machete mobs, looking to create as many loans as they could."
"They lent to anyone with a pulse and they didn't need Barney Frank to give them a push. This was not social policy. This was greed. They created those loans not because they had to, but because it was profitable. Enormously, gigantically profitable -- profitable enough to create huge fortunes out of thin air, with a speed never seen before in Wall Street's history."
Later on he adds that:
"The whole game was based on one new innovation: the derivative instruments like CDOs that allowed them to take junk-rated home loans and turn them into AAA-rated instruments. It was not Barney Frank who made it possible for Goldman, Sachs to sell the home loan of an occasionally-employed janitor in Oakland or Detroit as something just as safe as, and more profitable than, a United States Treasury Bill. This was something they cooked up entirely by themselves and developed solely with the aim of making more money."
Personally, I'm amazed that Bloomberg was able to keep a straight face while he offered up his twisted version of reality. I mean, c'mon, who do you think spends all that money lobbying congress? Could it be any more obvious who owns these politicians? -BB(2011-11-04)
Related: Nobel Prize winner Paul Krugman takes on those attempting to discredit the recent CBO findings:
"The usual suspects have rolled out some familiar arguments: the data are flawed (they aren't); the rich are an ever-changing group (not so); and so on. The most popular argument right now seems, however, to be the claim that we may not be a middle-class society, but we're still an upper-middle-class society, in which a broad class of highly educated workers, who have the skills to compete in the modern world, is doing very well."
"It's a nice story, and a lot less disturbing than the picture of a nation in which a much smaller group of rich people is becoming increasingly dominant. But it's not true."
"Workers with college degrees have indeed, on average, done better than workers without, and the gap has generally widened over time. But highly educated Americans have by no means been immune to income stagnation and growing economic insecurity. Wage gains for most college-educated workers have been unimpressive (and nonexistent since 2000), while even the well-educated can no longer count on getting jobs with good benefits. In particular, these days workers with a college degree but no further degrees are less likely to get workplace health coverage than workers with only a high school degree were in 1979."
As one commentator from The Economist stated:
"If we don't agree that rich people have more political power than poor people and that they use that power to pursue their economic interests, then we've really got a communications problem."
Duqu C2 Moves to Belgium
This story demonstrates that locating the geographic origin of an attack, or of its command-and-control (C2) server, is not the same thing as attribution. A C2 host is just the last hop an investigator can see, and it can be moved at will...
In a recent report, the Office of the National Counterintelligence Executive (ONCIX) admits this flat out.
"US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC [intelligence community] cannot confirm who was responsible."
Nevertheless, officials will make a lot of noise about this, perhaps blaming China even though they don't actually know who is responsible, because they need to frame what's happening in a way that benefits them in terms of control and federal funding. -BB(2011-11-03)
How The 1% Implements Social Control
Noam Chomsky speaks out in an interview published by Guernica:
"About 80% of the businesses in Mexico are involved in one manner or another with the drug racket. Now once you start publishing things like that and looking into it, you're getting to the power centers of Mexican society, and they're simply not going to want to be exposed. If they can use the drug assassins to stop it, they will."
"The drug problem is in the United States, not in Mexico. It's a demand problem and that is to be dealt with here, and it is not being dealt with. It's been shown over and over that prevention and treatment are far more cost effective than police action, out-of-country action, border control, and so on. But the money goes in the other direction and never has an impact."
"Only two plausible answers to that. All the leaders are collectively insane, which we can rule out, or else they are just pursuing different goals. Abroad, it's a counterinsurgency campaign, cover for counterinsurgency in Colombia. At home, it's a way of getting rid of a superfluous population."
"Governments are not in the business of catering to their citizens. It's as old as Adam Smith. The governments work for their main constituencies. When the Republicans come into office with plans to increase benefits for the wealthy -- like making sure that the super wealthy get tax cuts, making sure that the insurance companies and the financial institutions are unconstrained in their operations -- that's not for the benefit of U.S. citizens. That's for the benefit of their constituency. Same when Obama poured money into the banks. That's his constituency. In fact, that's the main source of his campaign funding. The things governments are doing here that have harmful effects abroad are not being done for the benefit of the citizens here."
Being from a state that tends to spend more on prisons than on education, I'm inclined to agree with Professor Chomsky. -BB(2011-10-30)
CBO Report Released
Eugene Robinson states in a Washington Post op-ed:
"The hard-right conservatives who dominate the Republican Party claim to despise the redistribution of wealth, but secretly they love it - as long as the process involves depriving the poor and middle class to benefit the rich, not the other way around. That is precisely what has been happening, as a jaw-dropping new report by the nonpartisan Congressional Budget Office demonstrates. Three decades of trickle-down economic theory, see-no-evil deregulation and tax-cutting fervor have led to massive redistribution. Another word for what's been happening might be theft."
It should be interesting to see how the commentators at Fox News try to discredit this report. -BB(2011-10-28)
Related: Ralph Nader, in a CounterPunch article, states that:
"Each new protest gives the protesters new insights. The protestors are learning how to challenge controlling processes. They are assembling and using their little libraries on site. They are learning the techniques of open, non-violent civil disobedience and building personal stamina. They are learning not to be provoked and thereby win the moral authority struggle which encourages more and more people to join their ranks."
Nothing Beats a Fixed Fight
Bernie Sanders laments the state of our financial system. He warns that:
"Not only do they run the banks, they run the institutions that regulate the banks."
This approach seems to be working out very well for the 1%. What this means is that the Occupy Movement has its work cut out for it, going up against an entrenched and formidable power structure. As one participant notes, they seem to have, at least for the time being, avoided a common pitfall:
"The good news is that even those Occupiers who do not identify as anti-capitalist/radical/revolutionary seem to recognize that the political system as presently constituted is irredeemably broken and that, consequently, selling the movement out to Democratic Party would be, at best, a gross exercise in futility"
Where to go from here? They can't bide their time forever. Perhaps they can learn something from the Civil Rights Movement. -BB(2011-10-20)
Related: This is who Occupy Wall Street is up against. An economic "super-entity" that spans nations in such a manner that "a large portion of control flows to a small tightly-knit core of financial institutions." In short, the United States has been rooted. The only thing that will save us will be to rebuild the system.
A comedian, of all people, realized this years ago.
Duqu Red Herring
Symantec describes a Remote Access Trojan (RAT) that doesn't self-replicate. It also lacks industrial control system features. Even so, according to Symantec, parts of Duqu are identical to Stuxnet. Additional details can be gleaned from Wired.
George Smith cautions against hysteria and presumption:
"Once a thing is in world circulation it is not protected or proprietary property. Such malicious code may contain hindrances to copying or reverse engineering but these can be overcome given enough effort. Add to this the fact that source code for malware has never been secure. It always becomes something coveted by many, often in direct proportion to its fame. Therefore, it would not be surprising given the Byzantine and secretive interlinked nature of this world, that Stuxnet code had leaked, even if only in bits and pieces."
If I were running a black bag op and wanted to misdirect investigators, this is definitely an approach that I would consider. Nothing beats muddying the waters. -BB(2011-10-19)
Related: For all the hype surrounding cyberwar, even the United States resists the temptation because:
"Administration officials and even some military officers balked, fearing that it might set a precedent for other nations, in particular Russia or China, to carry out such offensives of their own, and questioning whether the attack could be mounted on such short notice. They were also unable to resolve whether the president had the power to proceed with such an attack without informing Congress."
Oh, and while you're fixated on this RAT, never mind the rise of the Plutonomy...
Striking at The Root
Lawrence Lessig explains why people are occupying Wall Street:
"As every financial analyst not dependent upon the corruption that is Wall Street has screamed since the bill was passed, financial reform changed nothing. We are more at risk of a major financial collapse today than we were a decade ago. And the absolutely obscene bonuses of an industry that pays twice its pretax profits in salaries are even more secure today."
Then he continues on to explain how the political rootkit maintains control:
"Neither party dares to cross Wall Street, since both parties know they could not win control of Congress or the White House without Wall Street's money. So they feed the addiction, and ignore the real work that they should be doing."
The idea that we live in a representative democracy is a misconception. It doesn't matter who gets elected if the lobbyists simply buy off whoever happens to be in office. -BB(2011-10-05)
Related: Mother Jones has published a couple of instructive articles on economic inequality and the state of unions.
The DHS Examines Stuxnet
"'The virus was brought back in here and run in a contained facility against actual control system equipment so that we could study those effects to release mitigation measures to the general public,'... Edwards would not reveal details of the analysis because it was sensitive information."
In a sense, this report appears to contradict claims that the United States created Stuxnet. Would the DHS really spend all this effort dissecting Stuxnet if they could get their hands on technical specifics the easy way? Or, perhaps the right hand doesn't know what the left hand is doing in the body politic of US Intelligence? -BB(2011-09-30)
Measuring Risk: Cybergeddon or Goldman Sachs?
In a truly incredible fit of candor, a trader being interviewed by the BBC stated that:
"Most traders we don't really care about having a fixed economy, having a fixed situation, our job is to make money from it... Personally, I've been dreaming of this moment for three years. I go to bed every night and I dream of another recession... This is not a time right now for wishful thinking that governments are going to sort things out... The governments don't rule the world, Goldman Sachs rules the world."
Faced with such honesty, detractors have tried to scream hoax. To no avail. The BBC stands by its story, and a group of pranksters known as the "Yes Men" have also denied involvement. The Yes Men web site comments:
"Who in big banking doesn't bet against the interests of the poor and find themselves massively recompensed - if not by the market, then by humongous taxpayer bailouts? Rastani's approach has been completely mainstream for several years now; we must thank him for putting a human face on it yesterday."
For all of the media hype that's accompanied the notion of cybergeddon and the fear-mongering that another nation will bring down our banking system, the raw numbers speak volumes. In terms of actual loss, I think people would be well advised to be much more frightened of Goldman Sachs. -BB(2011-09-26)
Related: The New York Times reports that "protesters say they so distrust their country's political class and its pandering to established interest groups that they feel only an assault on the system itself can bring about real change."
Wall Street Market Manipulation
"A Wall Street regulator said industry complaints about market manipulation and trade reporting have spiked this year, raising questions about the adequacy of banks' internal controls over their traders."
Related: Senate report on the 2008 collapse.
"This Report is the product of a two-year bipartisan investigation by the U.S. Senate Permanent Subcommittee on Investigations into the origins of the 2008 financial crisis. The goals of this investigation were to construct a public record of the facts in order to deepen the understanding of what happened; identify some of the root causes of the crisis; and provide a factual foundation for the ongoing effort to fortify the country against the recurrence of a similar crisis in the future."
Related: This New York Times article claims that "A Secretive Banking Elite Rules Trading in Derivatives."
"In theory, this group exists to safeguard the integrity of the multitrillion-dollar market. In practice, it also defends the dominance of the big banks. The banks in this group, which is affiliated with a new derivatives clearinghouse, have fought to block other banks from entering the market, and they are also trying to thwart efforts to make full information on prices and fees freely available."
All the destruction of a WMD without the radioactive aftertaste - BB(2011-09-21)
Moving Towards a Garrison State
Many thanks to Bruce Schneier for directing me towards this report.
"An ACLU report released to coincide with the 10th anniversary of 9/11 warns that a decade after the attacks, the United States is at risk of enshrining a permanent state of emergency in which core values must be subordinated to ever-expanding claims of national security."
Remember, there's a reason why Orwell is censored in China. Silent weapons are being deployed in a quiet war against the state's most dangerous enemy, it's own population. Control versus Liberty: choose. -BB(2011-09-12)
Related: Dick Destiny adds a few words along this line.
"Arms control agencies, any public information source that didn't directly serve the war on terror by finding new threats, any threats, went silent, were marginalized or ceased to exist. It's a matter of economics and capitalism. There is no money in not feeding the fear."
DigiNotar Hacker Speaks
It appears that a hybrid (Ring-0/Ring-3) rootkit may have been used in the DigiNotar hack.
"a) I'm single person, do not AGAIN try to make an ARMY out of me in Iran. If someone in Iran used certs I have generated, I'm not one who should explain."
"b) This attack was really more sophisticated than simple Stuxnet worm. 0-days? I already have discovered similar bugs, trojan? I already wrote most sophisticated undetectable ring0 and ring3 rootkit (works together), signing certificates? huh, man! I have around 300 code signing certificates and a lot of SSL certs with again code signing permission, look at Google's cert, I have code signing privilege! You see? I owned an entire computer network of DigiNotar with 5-6 layer inside which have no ANY connection to internet, I have so much to explain, but later... You have to wait!"
It would be interesting to see exactly how this was done. -BB(2011-09-07)
Related: GlobalSign freaks out.
APT Origins
Infiltrated.net offers a welcome antidote to the growing misconception that China is the world's source of all APTs:
"We often forget that not too long ago the boogeyman was Russia. That threat came during the arms race (Cold War) and it was business as usual then too. Many companies profited heftily during this period and I am sure many companies stand to profit handsomely from a Cyber Arms Race. This is nothing more than history being repetitive; however, the platform has changed to a computing-based battleground. Based on 'evidence' smack dab in front of our faces and under our noses, what else do we see or know of in regards to experts' explanation of APT? Not much. We have these experts consistently relying on word of mouth of each other and of IP addressing, completely ignoring the fact that IP is a horrible identifier. Every security professional knows rather well that IP addressing is not an identifier, yet many are quick to fist pump and shout: 'APT, China!!! Look at that IP' even though FACTUAL evidence proves otherwise."
False flag operations are as old as warfare. I'd argue that in cyberspace they're even easier to execute. -BB (2011-08-31)
Cornel West: Cui Bono?
The New York Times features an op-ed by Cornel West:
"The age of Obama has fallen tragically short of fulfilling King's prophetic legacy. Instead of articulating a radical democratic vision and fighting for homeowners, workers and poor people in the form of mortgage relief, jobs and investment in education, infrastructure and housing, the administration gave us bailouts for banks, record profits for Wall Street and giant budget cuts on the backs of the vulnerable."
Perhaps this is to be expected. As Matt Taibbi explains, Goldman Sachs was Obama's number-one private campaign contributor.
This, in turn, unearths an even more unsettling reality. In the United States, our two-party system is really just a single-party system: the corporate party. -BB (2011-08-26)
An Apocalypse of Our Own Creation
Rep. Ted Poe offers his solution for dealing with intellectual property theft:
"It's time to get tough on China. And that's just the way it is."
Really Ted, some details might help. Personally, I think it's constructive to put this into perspective.
"American businesses... downsized and outsourced their manufacturing to Asian labor, effectively turning themselves into artisan custom shops for the plutocracy. In this bargain, repeated all across US non-military domestic production, the American companies gave up their intellectual property and trained the Chinese to make their goods for the sake of the short term bottom line."
"And it is only logical that some Chinese, maybe many, would see no point in maintaining licensing agreements with American multi-nationals once they could copy the goods on their own."
"Comments left on the Chinese sales site, and many YouTube videos, show young American men who have no problem buying fakes of US premium goods. Since wages have been destroyed, this too is a logical development."
"And American companies, individually and collectively, do not have the resources needed to combat the problems brought upon us by the great trade imbalance."
It's ironic that businesses are now complaining about a trend that they themselves were instrumental in creating. -BB(2011-08-24)
Warren Buffett and The Mega-Rich
In Warren Buffett's recent New York Times op-ed he notes that:
"While the poor and middle class fight for us in Afghanistan, and while most Americans struggle to make ends meet, we mega-rich continue to get our extraordinary tax breaks... These and other blessings are showered upon us by legislators in Washington who feel compelled to protect us, much as if we were spotted owls or some other endangered species. It's nice to have friends in high places."
I, for one, particularly enjoyed his scathing rebuttal of a well-known conservative talking point:
"Back in the 1980s and 1990s, tax rates for the rich were far higher, and my percentage rate was in the middle of the pack. According to a theory I sometimes hear, I should have thrown a fit and refused to invest because of the elevated tax rates on capital gains and dividends."
"I didn't refuse, nor did others. I have worked with investors for 60 years and I have yet to see anyone - not even when capital gains rates were 39.9 percent in 1976-77 - shy away from a sensible investment because of the tax rate on the potential gain. People invest to make money, and potential taxes have never scared them off. And to those who argue that higher rates hurt job creation, I would note that a net of nearly 40 million jobs were added between 1980 and 2000. You know what's happened since then: lower tax rates and far lower job creation."
What this essay underscores is how unhealthy our political system has become. The three or four thousand families at the top of the income spectrum appear to have a special relationship with legislators. Why is that? -BB(2011-08-16)
Mudge Speaks on Malware
At Black Hat USA Peiter Zatko (aka Mudge), a program manager at DARPA, touched on the nature of offensive software:
"Zatko analyzed 9,000 samples of malware code and found that, on average, each consisted of 125 lines of software code. That's not a lot of cost, time, or engineering effort. By comparison, the most sophisticated cyber protection software uses about 10 million lines of code. And, based on research by IBM, there are one to five bugs introduced in every 1,000 lines of code, Zatko said."
"Malware writers thrive by finding bugs and exploiting the vulnerabilities that the bugs introduce. Modern day operating systems may consist of 150 million lines of code, which means that each new OS can introduce 150,000 bugs to exploit. These numbers make it seem like keeping up with the bad guys is a losing game, Zatko said."
You may recall that this most recent Patch Tuesday included roughly 40 MB of updates for Windows Server 2008. Rather than treat the symptoms of the problem, why not address the underlying cause and find ways to build better software? -BB(2011-08-11)
Cofer Black: Visions of Cybergeddon (Must be the Heat)
Cofer Black appeared at Vegas this past week, ominously warning that "he sees parallels between the terrorism threat that emerged before the September 11 attacks a decade ago and the emerging cyber threat now."
That's interesting... I see parallels also: I see yet another former government official who's trying to drum up business by shamelessly leveraging the attacks of 9/11. On second thought, I suppose this should come as no surprise, given that Mr. Black was a Vice Chairman at Blackwater USA. It goes without saying that the aftermath of 9/11 was a gold rush for these people.
Cofer Black sanctimoniously claims that "Men's minds have difficulty adapting to things which they have no personal experience." This, no doubt, is a variation of the "I could tell you, but it's classified" argument, typical of ex-agency types who fall back on the veil of secrecy when they've got nothing better to buttress their sales pitch with. As former CIA agent John Stockwell can attest, "it's a very powerful argument, our presidents use it on us. President Reagan has used it on the American people, saying, 'if you knew what I know about the situation in Central America, you would understand why it's necessary for us to intervene.'"
Never mind the billions of dollars we actually lose every year to cybercrime, espionage, fraud, identity theft, and the like. In the tradition of Mike McConnell and Michael Hayden, Mr. Black would rather fixate on Cyberwar because... well, because none of the truly immediate (and far more tangible) threats will divert federal funding to his private sector interests. -BB(2011-08-07)
Related: Consensus Reality and Cybergeddon
Why do hypothetical stories of Cybergeddon garner so much bandwidth when reports of million dollar cyber-heists appear almost every day?
Perhaps, as this article from the Columbia Journalism Review suggests, this is a result of PR firms filling the void left by shrinking news rooms. As Arthur Brisbane queries: "Is it a concern to you that The Times relies to some extent on P.R. professionals for story ideas?"
The Vampires of Silicon Valley
At first blush this recent article in the San Francisco Chronicle reads like a late night infomercial for local hi-tech firms. My, my, my. Look at all the attractive, hip, 30-somethings from out-of-town being pursued by eager corporate suitors and showered with any number of tantalizing recruiting perks. Local Bay Area talent, one can only hope, has seen this sort of mating dance before and knows how it ends.
Closer inspection of this story yields a picture that is far more telling. There's a sinister punch line waiting for those who are able to see beyond the carefully constructed mirage: as workers, we are viewed by the decision-makers as disposable cogs. Contrary to the propaganda from human resources, the people at the top couldn't care less about your long-term well-being. You're just a means to an end, and one with a conspicuously limited shelf-life at that.
As Wharton's Peter Cappelli explains, if the folks in HR had the guts to be honest they'd probably admit that: "We don't want to have to train anybody, and when those skills become obsolete we don't want to have to retrain them."
Like any successful black widow, they'll lure you into their web with a well-practiced sales pitch, bleed you for everything that you've got, and then toss your withered cadaver into the dumpster outside when they're done. Heck, when food gets scarce enough the Jackals in the executive suite will gladly turn on each other. Why should corporate America care? After all, they can simply throw a few more cocktail parties and round up yet another herd of fresh meat. -BB(2011-08-04)
Related: Cryptome's analysis of NSA help-wanted propaganda ...
"Recruiters are devious as they must be or nobody would join the secretkeepers if they knew the truth of what was in store for them to give up control of their lives and minds forever, and remain compelled to lie, lie and lie some more, and, to be sure, recruit noobs by writing noobish nonsense."
Telling Truth to Power
You may have heard the story of Tom Drake, a high-ranking NSA employee who warned of mismanagement and waste in the agency on a massive scale. Specifically, he told of a failed project called "Trailblazer" which consumed $1.2 billion before being cancelled. As a result he was charged under the Espionage Act of 1917 and threatened with a 35-year sentence. Drake claims that this was done to send a message:
"To other whistleblowers, to others in the government, not to speak up or speak out. Do not tell truth to power. We'll hammer you."
The ensuing trial, where Drake was sentenced to a year of probation and 240 hours of community service, has proved very interesting. The presiding Judge, Richard D. Bennett, stated that:
"I don't think that deterrence should include an American citizen waiting two and a half years after their home is searched to find out if they're going to be indicted or not. I find that unconscionable. Unconscionable. It is at the very root of what this country was founded on against general warrants of the British."
As in the case of Glenn Greenwald, WikiLeaks, and HBGary Federal, what we're seeing is the lengths that powerful institutions will go to in order to silence whistle-blowers. -BB(2011-07-30)
Cyber-Weapons and The Hegelian Dialectic
Though attention seems to be focused on nation-state players the true facilitators here are often corporate entities. Keep in mind that these same private-sector interests have no inherent sense of national loyalty. They exist strictly to serve shareholders and financial backers, period. If they could make a buck off of it I doubt if they'd have a problem with offering their services to both sides of an altercation. As the author of this article from Business Week observes:
"U.S. companies don't appear to face export restrictions, as the Pentagon's manufacturers of bombs and fighter jets do. In fact, companies like Endgame have cropped up all over the world. Appin Technologies, to cite one example, is a New Delhi company that offers a wide variety of computer security services, including helping countries analyze attacks and, if needed, respond in kind."
"...And so the unregulated cyber-weapons makers flourish, selling to the highest bidder. Business is great."
In other words, these companies help to create incidents and then help clean up the mess afterwards. It reminds me of certain U.S. banking interests during WWII who did business with the Germans. You see, it doesn't matter who wins or loses; what matters is conflict and the lucrative business it generates. To actually address the root cause of incidents (e.g. buggy software) might impact the bottom line. As Tom Henderson notes:
"They aren't financially compelled to stop the problem before it starts. There is no motivation for an ounce of prevention that prevents the hideous pounds and costs of cure."
The unpleasant reality is that there's a lot of money to be made in selling offensive weaponry and, as a result, it's convenient to get policymakers to simply side-step much more effective preventative measures. -BB(2011-07-24)
Inside the Hunt for the CIA's "John"
In this article recently published by The Observer we see the power of open source intelligence: Cryptome's John Young demonstrates how easy it is to follow up on the clues provided by the Associated Press and leverage the Internet to discover the identity of the man in charge of tracking down Osama bin Laden. Young asserts that there's a hidden agenda at play:
"Putting this guy in the picture was no accident. To show him directly behind Panetta? I think they wanted to reward this guy's hard work and get some favorable publicity and it worked. It's one of the few successes they can crow about..."
"I think they shopped him to Obama with his height and his basketball background and his looks, and Obama fell in love with him... C.I.A. John is a very marketable product now... I think he'll be on the lecture trail. First it will be private briefings, and slowly he'll ease out. Isn't he a great role model? Tall, athletic. They're going to make the most of this."
There's definitely something to be said for this train of thought. Good PR is a valuable commodity in the political realm, one that often leads to funding. At the same time, could there be a degree of risk associated with this sort of self-congratulatory disclosure?
"John could be in serious danger if exposed, not from Al-Qaeda, necessarily, but from rogue elements of the Pakistani intelligence agency, the I.S.I., who have made common cause with Al-Qaeda and have access to greater resources."
That's an interesting point, even if it's moot in the context of this story. What's the use of spending billions of dollars to destroy a terrorist threat when the organization that spawned it will simply create another? - BB(2011-07-15)
Kaspersky Speaks on Attribution
The founder of Kaspersky Lab admits that tracking down the origin of a cyberattack can be an extremely difficult (if not impossible) task:
"viruses unfortunately don't carry ID cards. We can at least usually identify the originator's language, and that's at the moment the inventor communicates with his virus and gives it a command..."
"...I have no information pointing toward China as the actual originator. Professionals do their work through proxy servers. They can be located in China but controlled from the United States. Perhaps it was just competitors -- but people then pointed the finger at China. Anything can happen in our business."
How difficult do you think it would be for a small group of skilled developers to use internationalized tools to develop malware that appears to have been created from another country? Putting your faith in the veracity of embedded strings is utter foolishness.
If Stuxnet is truly the "super weapon" that the media says it is, do you honestly think the engineers who built it would be sloppy enough to give themselves away so easily? False flag operations are a time-honored practice in the wilderness of mirrors. -BB (2011-07-14)
An Electronic Pearl Harbor
George Smith elaborates on how worst-case thinking causes us to focus too heavily on perceived threats rather than addressing tangible ones. Smith laments that:
"The world economy was put in a tailspin by Wall Street financial systems in 2008. It has yet to recover.
And while Wall Street has done nicely since then, Main Street America has not. And by all accounts, no significant protections against Wall Street's predations have been put in place in the intervening period.
The argument that the US financial system ought to be protected from electronic Pearl Harbor would, if all Americans actually knew of it, strike them as ridiculous.
It's easily observable that people are much more interested in protection from the racket that's the American financial system. Cyberwar and hack attacks on it, when compared to the damage inflicted by Wall Street misbehavior, are absurdly small things."
Yet we hear much more about these perceived threats because certain corporate entities stand to profit handsomely from the hysteria that they produce. Such is the madness of crowds. -BB (2011-06-28)
Homeland Security Threat Assessment: 2008-2013
This is one of the reports pilfered by LulzSec. It has more than a couple of gems related to cybersecurity. For example:
"Foreign nations are the most capable and resource-rich cyber threat actors. The most advanced nations have established active and robust information operations (IO) or CNO organizations. Some nations' military and intelligence agencies have created distinct directorates to carry out aspects of IO, such as CNE, CND, and CNA."
I assume that a list of such nations would include the United States? In fact, I would wager that in terms of sheer efficacy, we're near (or at) the top of the list. As General Hayden commented, other countries are scared of us:
"There was a survey done not too many months ago. They asked the citizens of some cyber-savvy nations around the world, who do you fear most in the cyber-domain? And, quite interestingly, we were number one."
In this sense, the nature of international relations could be characterized as anarchic. With very few exceptions, everyone spies on everyone else. This is something to keep in mind when reading Cyberwar stories. We're hardly an innocent bystander. It's probably closer to the truth to say that we're an active participant. - BB (2011-06-24)
Recurring Themes: The Fannie Mae Scandal and CyberWar
New York Times columnist David Brooks offers a blistering commentary on the Fannie Mae scandal:
"The scandal has sent the message that the leadership class is fundamentally self-dealing. Leaders on the center-right and center-left are always trying to create public-private partnerships to spark socially productive activity. But the biggest public-private partnership to date led to shameless self-enrichment and disastrous results..."
"The final message is that members of the leadership class have done nothing to police themselves. The Wall Street-Industry-Regulator-Lobbyist tangle is even more deeply enmeshed."
This dynamic isn't limited to the financial sector of our economy. Look around at the media's coverage of recent cyberattacks and, even more telling, the solutions that government officials propose. -BB (2011-06-18)
Cryptome.org asserts that David Brooks' conclusions are:
"Equally applicable to the cybersecurity gov-mil-spy-media industry where deliberately inept, weak security -- to allow spying and data gathering -- is obscured by blaming hackers and foreign agents with demand for increased budgets and contracts."
Related: Agent.btz thrives and still no word of conclusive attribution.
Related: Check out the NSA's "Site M," a $5.2 billion centralized cyber-command center.
False Flags, Killswitch Tech, and The Easy Way Out (...Just Blame China)
This is an excellent piece on the idea of an Internet killswitch and the inherent shortcomings associated with it.
"Creating a killswitch for the Internet would never work because of the flaw in attribution. Who is attacking? Seriously, ask yourself, who is attacking?
This is at the core of why most of these ridiculous ideas will fail. Because we cannot attribute an identifiable aggressor, then who are we cutting ourselves off from? Not to mention, because of the flaws associated with attribution, an attacker can pretend to be anyone he or she or Country Y wants to be. In fact, should a killswitch ever be implemented, an attacker can cause huge financial fall-out by simply pretending to be a country of his or her or Country Y's choice. Imagine having an entire banking infrastructure disconnected because of a bunch of script kiddies. For every step this government (the United States) takes, they seem to take the same redundant steps backwards."
This essay might also shed some light on Richard Clarke's recent op-ed in the Wall Street Journal. Chinese Generals claim they need to protect themselves against the US Military. American officials point to the Chinese and offer similar dire warnings. Methinks the two sides keep each other in business. - BB (2011-06-16)
Related: Does this seem like a veiled threat to you?
Alan Paller: Stop Blaming the User, Build Better Software
A few days ago, Alan Paller (the director of research at The SANS Institute) made a few comments about cyber-security on the PBS News Hour:
"For too long, the corporations and governments have been what we call blaming the users... It's very much like automobiles 50 years ago. We said that the drivers had to be safe drivers, and that would solve all the problems. But we didn't solve most of the -- we didn't do as well on automobile safety until we fixed the cars and we fixed the roads. We haven't done enough to make software that people buy safe."
The current state of affairs is something that the software industry, as a whole, doesn't want to face. You can educate users all you want and lock down your servers like Fort Knox, but a skilled attacker armed with weaponized zero-day exploits will waltz right through your defenses and sink your battleship. Once that happens, short of turning the damn things off, you're out of luck.
This is not a problem that you can buy your way out of with expensive, high-end, security products (contrary to the subliminal whispers of the marketing execs). Nor can we deal with it by falling back on the threat of conventional military force or spending a few billion on cyberweapons. To evolve beyond our current state of cyber-insecurity we need to invent better ways to build secure software. -BB (2011-06-06)
The Futility of Sabre Rattling
Today the Wall Street Journal published an article describing a Pentagon report which depicts cyberattacks as acts of war and discusses the option of responding with conventional military force. As one anonymous official stated, "If you shut down our power grid, maybe we will put a missile down one of your smokestacks."
This may seem sensible, until you consider how difficult it is, in practice, to tackle the issue of attribution. As I've stated many times in the past, our government funded projects like TOR to ensure that we could perform operations online that could never be traced back to us. Is it unreasonable to assume that other nations have developed similar technology?
Can you imagine what would happen if we accused another country of committing a cyberattack and bombed them, only to discover later on that we were wrong?
Even more unsettling is the idea that this sort of military strategy could allow a nation-state to attack itself and then use the staged event as a pretext to launch a conventional military attack. Doesn't anyone remember Operation Northwoods?
According to James Bamford, in his book Body of Secrets:
"Operation Northwoods, which had the written approval of the Chairman and every member of the Joint Chiefs of Staff, called for innocent people to be shot on American streets; for boats carrying refugees fleeing Cuba to be sunk on the high seas; for a wave of violent terrorism to be launched in Washington, D.C., Miami, and elsewhere. People would be framed for bombings they did not commit; planes would be hijacked. Using phony evidence, all of it would be blamed on Castro, thus giving Lemnitzer and his cabal the excuse, as well as the public and international backing, they needed to launch their war."
The Wall Street Journal also reports that "Pentagon officials believe the most-sophisticated computer attacks require the resources of a government."
I don't necessarily agree with this. As many venture capitalists in the Bay Area will tell you, talent and skillset are important factors. Given the right group of ten people, you could build a formidable cyberweapon for a few million dollars. This is well within the reach of private corporate interests, who could then sell their technology to the highest bidder... putting the kibosh on the notion that "the best way to deter major attacks is to hold countries that build cyber weapons responsible." - BB(2011-05-31)
A Grifter's Utopia
In the wake of the 2008 financial collapse, the standard account provided by free market ideologues is that our banks sold mortgages to people who should've known better, the tools they used to quantify risk were flawed, and that federal regulators couldn't keep up with the flood of work that inundated their offices. Our capitalistic system runs in cycles, so they say, and this is just one of those occasional low points that we should all come to expect.
The service that Matt Taibbi does for us in his latest book is to expose this explanation for what it is: a cover story. Free market apologies aside, core components of this nation's power structure have been subverted by a relatively small group of moneyed interests that have used their leverage to buy off anyone who stands in their way. The rules that dictate how our markets operate are being rigged by a veritable army of corporate lobbyists. The benefactors of this hostile takeover, the economically privileged families at the top of the income spectrum, have witnessed exorbitant gains. Everyone else has had to make do with treading water.
As Taibbi explains: "While the rest of us argue about Mexican babies before the midterms, hotshot DC law firms like Skadden, Arps, Slate, Meagher & Flom may have as many as a hundred lawyers working on unresolved questions in the Dodd-Frank bill. And that's just one firm. Thousands of lobbyists will be employed; millions of lobbying dollars will be spent."
Let retired officials-turned-management-consultants trade in their credibility to peddle inflated tales of Cybergeddon. As far as our financial infrastructure is concerned, the clear and present danger that we face comes from within. Most of the propaganda that's jettisoned into the public arena is an effort to conceal this fact, to re-direct our anger and outrage away from the responsible parties. As Taibbi warns, the people who played pivotal roles in creating this crisis are the same individuals who've been recruited to prevent it from happening again. "We have to trust these people to do the right thing, but we can't, because, well, they're scum. Which is kind of a big problem, when you think about it." - BB (2011-05-28)
Related: To see how these recent developments fit into a historical trend that began back in the early 1970s, you might also want to read the book Winner-Take-All Politics. For additional details on the mortgage crisis, I'd strongly recommend viewing the movie Inside Job.
More On Our Double Standard
The New York Times reports that the founder of Blackwater, Erik Prince, has been hired by the crown prince of Abu Dhabi to form an 800-member mercenary force. This article states that these troops "could be deployed if the Emirates faced unrest in their crowded labor camps or were challenged by pro-democracy protests like those sweeping the Arab world this year."
This article also mentions that:
"In recent years, the Emirati government has showered American defense companies with billions of dollars to help strengthen the country's security. A company run by Richard A. Clarke, a former counterterrorism adviser during the Clinton and Bush administrations, has won several lucrative contracts to advise the U.A.E. on how to protect its infrastructure."
As Chomsky has noted:
"In the real world, elite dislike of democracy is the norm. The evidence is overwhelming that democracy is supported insofar as it contributes to social and economic objectives, a conclusion reluctantly conceded by the more serious scholarship."
"Elite contempt for democracy was revealed dramatically in the reaction to the WikiLeaks exposures. Those that received most attention, with euphoric commentary, were cables reporting that Arabs support the U.S. stand on Iran. The reference was to the ruling dictators. The attitudes of the public were unmentioned. The guiding principle was articulated clearly by Carnegie Endowment Middle East specialist Marwan Muasher, formerly a high official of the Jordanian government: 'There is nothing wrong, everything is under control.' In short, if the dictators support us, what else could matter?"
Q&A With Ralph Langner
He makes some interesting statements:
"We concluded that the U.S. is the leading force behind Stuxnet development. They didn't do it on their own; they had help from nation states. But it's clearly the work of the U.S."
"If you look at the facts, it is pretty clear that the attackers had substantial Siemens insider information. Just by looking at the attack code, you can infer this because it would take an outsider years to discover the vulnerabilities that were exploited by Stuxnet by just reverse engineering."
If someone goes around throwing rocks through other people's windows, it's kind of hard to be sympathetic when they complain about someone else doing it to them... -BB(2011-05-11)
Assange Points Out The 'Appalling Spy Machine'
There's no need for oppressive arm-twisting. People are literally opting to be monitored. Really, I have to admit, it's an extremely clever approach. Recall how the former executive from HBGary Federal leveraged social networking as an intel resource. Yet most people don't recognize this, they're too enamored by stories that cast social networking as a tool for political change in the Middle East. They fail to see the vast potential for abuse...
...and pundits want me to trust "The Cloud" with my data. Ha! -BB (2011-05-06)
Related: Some people may consider the Internet itself to be a massive tool for surveillance. There's something to be said for this train of thought. With regard to the hunt for Osama Bin Laden, the New York Times published a story that describes how our leaders "turned to one of their greatest investigative tools - the National Security Agency began intercepting telephone calls and e-mail messages between the man's family and anyone inside Pakistan."
Related: According to the Federation of American Scientists, domestic surveillance grew in 2010.
Rogelio Hackett: One More Drop in the Bucket
"A federal search warrant executed on the defendant's residence on June 30, 2009 located 676,443 stolen credit card accounts on the defendant's computers and in his e-mail accounts. Credit card companies have identified tens of thousands of fraudulent charges on these accounts totaling $36,624,815.52"
There's no denying that cybercrime is a credible and well-documented threat. Yet, for whatever reason (ahem), this concrete threat tends to be overshadowed by vague intimations of cyberwar that often have only one foot in reality. -BB(2011-04-22)
Related: As usual, the media is rife with stories that describe data breaches and wire fraud. On the other side of the fence are somewhat dubious accusations of cyberwar and attempts to paint other countries as the boogeyman. This is what happens when federal funding is at stake and certain business interests stand to gain from fear mongering.
Update: Here are a couple of articles that focus on this trend (with thanks to Bruce Schneier).
Uncle Sam's Button Man
This article describes Mr. Rizzo as an "elegant 63-year-old who wears cuff links and pale yellow ties." Though, I think that his interview banter is far more telling.
"How many law professors have signed off on a death warrant?" he asks.
If you'd like to address this rhetorical question, I suppose you could stop by for a chat and take this up with Mr. Rizzo. -BB(2011-04-12)
Internet Samizdat Takes on Corruption
This New York Times article looks at a web site run by Aleksei N. Navalny. There's also a New Yorker piece on this story.
Navalny admits to ambitions towards holding public office. He's also been accused of being a CIA plant. According to the NYTimes report, he supplied his wife with "a list of phone numbers to call if he disappeared... other lawyers, journalists and opposition politicians."
With billions of dollars at stake, it will be interesting to see how Aleksei's crusade evolves and even more interesting to see how the corporate power structure responds. -BB(2011-03-31)
They Never Wanted Attribution To Begin With
According to Michael G. Reed, a researcher at the Naval Research Laboratory who helped to develop TOR, the motivation behind the creation of this technology was to enable spooks to shield themselves from attribution.
"The *PURPOSE* was for DoD / Intelligence usage (open source intelligence gathering, covering of forward deployed assets, whatever). Not helping dissidents in repressive countries."
This is why ridiculous ideas like cyberwar deterrence and international treaties are nothing more than philosophical hubris. When faced with an organized intrusion set, trying to track down their identities would be an exercise in futility. Governments have funded research efforts like TOR to ensure that this is the case. -BB(2011-03-25)
Legislators Call for Investigation
The plot thickens as Hunton & Williams faces increased scrutiny. -BB (2011-03-02)
"A group of House Democrats is calling on Republican leaders to investigate a prominent Washington law firm and three federal technology contractors, who have been shown in hacked e-mails discussing a 'disinformation campaign' against foes of the U.S. Chamber of Commerce."
"In a letter to be released Tuesday, Rep. Hank Johnson (D-Ga.) and more than a dozen other lawmakers wrote that the e-mails appear 'to reveal a conspiracy to use subversive techniques to target Chamber critics,' including 'possible illegal actions against citizens engaged in free speech.'"
Related: The House Armed Services Subcommittee on Emerging Threats and Capabilities on Wednesday asked the Defense Department and its intelligence arm - the National Security Agency - to hand over copies of any contracts they may have signed with HBGary Federal, Palantir Technologies and Berico Technologies.
Related: Anonymous takes aim at the Koch brothers. This article from the New York Times may help explain why.
Send Lawyers, Guns, and Money
Here's an article from Salon on Hunton & Williams, the law firm that BofA hired to deal with their Wikileaks problem (by way of a Dept. of Justice recommendation). H&W, in turn, called up their fixers and, well, you know the rest. -BB (2011-02-16)
"What makes Hunton's involvement in the anti-WikiLeaks scheming so striking is that the firm represents some of the biggest names in corporate America. Hunton's website touts its representation of Wells Fargo, Altria (aka Phillip Morris), the telecom Cingular, and defense contractor General Dynamics, among many others."
RELATED: the inside scoop on how Anonymous hacked HBGary Federal.
RELATED: Check out this op-ed from Wired. Paul Roberts observes "how effortlessly and seamlessly the focus on 'advanced persistent threats' shifted from government backed hackers in China and Russia to encompass political foes like ThinkProgress or the columnist Glenn Greenwald. Anonymous may have committed crimes that demand punishment - but it's up to the FBI to handle that, not 'a large U.S. bank' or its attorneys ...What threat to all of our liberties does that kind of IT security firepower pose when it's put at the behest of corporations, government agencies, stealth political groups or their operatives?"
Inside The Campaign Against WikiLeaks
Wired provides additional backdrop on the affair. It's interesting to see how quickly companies like Palantir and Berico backpedal once this plot comes to light. Would they have done so otherwise? -BB(2011-02-15)
RELATED: Glenn Greenwald, who was to be targeted as a part of the campaign, offers his comments:
"The real issue highlighted by this episode is just how lawless and unrestrained is the unified axis of government and corporate power. I've written many times about this issue -- the full-scale merger between public and private spheres -- because it's easily one of the most critical yet under-discussed political topics. Especially (though by no means only) in the worlds of the Surveillance and National Security State, the powers of the state have become largely privatized. There is very little separation between government power and corporate power. Those who wield the latter intrinsically wield the former."
"That's what this anti-WikiLeaks campaign is generally: it's a concerted, unified effort between government and the most powerful entities in the private sector (Bank of America is the largest bank in the nation). The firms the Bank has hired (such as Booz Allen) are suffused with the highest level former defense and intelligence officials, while these other outside firms (including Hunton & Williams and Palantir) are extremely well-connected to the U.S. Government. The U.S. Government's obsession with destroying WikiLeaks has been well-documented. And because the U.S. Government is free to break the law without any constraints, oversight or accountability, so, too, are its 'private partners' able to act lawlessly. That was the lesson of the Congressional vesting of full retroactive immunity in lawbreaking telecoms, of the refusal to prosecute any of the important Wall Street criminals who caused the 2008 financial crisis, and of the instinctive efforts of the political class to protect defrauding mortgage banks."
Defense Contractors: Too Big To Fail
"Why should the Pentagon be talking up the stocks, even implicitly, of the companies it buys from? ...The answer, I eventually learned, has to do with something that happened a very long time ago, and goes under the category of 'Be careful what you wish for.' Let's just say that banking isn't the only industry where the government has allowed a handful of companies to become too big to fail."
Defense spending is currently around $700 billion, roughly half of the discretionary spending in our budget. You can bet that this industry is looking for new reasons for us to keep spending... -BB (2011-02-12)
Documents on Wikileaks from HBGary Federal and Palantir
Here is a version of the report that HBGary Federal compiled on Anonymous. Is this the genuine article or just grist for another spook paper mill?
Even more interesting is this synopsis of "The Wikileaks Threat" written up by the likes of Palantir Technologies, HBGary Federal, and Berico Technologies. It would appear that members of the establishment have started talking to the corporate equivalent of hired guns.
"Together, Palantir Technologies, HBGary Federal, and Berico Technologies bring the expertise and approach needed to combat the WikiLeaks threat."
Looks like we know who lost the first round... -BB (2011-02-10)
The Shortest Path to the Executive Washroom
"In the years after the Sept. 11, 2001, terrorist attacks, officers who committed mistakes that left people wrongly imprisoned or even dead received only minor admonishments or no punishment at all, an Associated Press investigation has found ...many officers who made significant missteps are now the senior managers fighting Obama's spy wars."
Years ago, in 1997, I recall a Control Data veteran confiding in me that you weren't considered material for upper-level management until you had at least one really big failure under your belt. - BB (2011-02-09)
Turmoil In Egypt
"In a stunning collapse of authority, most police have withdrawn from major cities, and soldiers fired shots into the air in an effort to control the crowds, seized by growing fears of lawlessness and buoyed by euphoria that three decades of President Hosni Mubarak's rule may be coming to an end."
Related: This study released by the USAF Institute for National Security Studies "challenges the current US policy towards Egypt and its underlying assumption that regime stability supersedes a US interest in true political development."
Related: Wikileaks reports that "As recently as February 2010, as indicated in 10CAIRO213, an activist implored the United States diplomats to get closer to the Egyptian government in order to combat torture and reduce the growing brutality of the police. The answer from Vice President Biden is that the political leader, the highest authority in the country, is not a dictator. The answer from the U.S. is silence, and dismissal of the Egyptian people's desire to create a better future."
I think it's important to note that Egypt, which is a recipient of billions of dollars of US Aid, was our first partner in the CIA's rendition program in the mid-1990s. - BB(2011-01-30)
Interesting Historical Records
One can only guess what the unofficial conversations were like. The following are declassified snippets from various formal meetings during the reign of the Ford administration.
Richard Helms (former CIA Director) speaking with President Ford on the Church Commission:
"If allegations have been made to Justice, a lot of dead cats will come out. I intend to defend myself. I don't know everything which went on in the Agency; maybe no one really does."
Commentary: That's an interesting conjecture. Nobody really knows everything that goes on. Plausible deniability in action.
Henry Kissinger (then Secretary of State) adding his two cents in a different conversation along the same lines:
"Hoover did things which won't stand scrutiny, especially under Johnson. We will put these out in generic terms as quickly as possible. The Bureau would like to dribble it out. This will divert attention and show relative cooperation with the committee."
Commentary: How was Hoover able to survive, if not thrive? If there was a solid argument for an organization like Wikileaks, this is it. There are instances when all of our celebrated checks and balances break down...
William Colby (then CIA Director) speaks with President Ford and Henry Kissinger:
"They have asked for all the records of our relations with PanAm, [edited out] ITT and others. If we acknowledge a relationship, we will kill these companies and our ability to place agents and get cooperation."
Commentary: If you look at the key players in the CIA's history, you'll find that there are strong ties with this country's financial engine. -BB (2011-01-25)
What Do We Still Manufacture?
With the demise of the steel industry and other manufacturing sectors in the US, George Smith addresses this question.
"From 2009, another appalling graph produced from data taken by the US Census, part of Commerce, on military production in the US versus everything else (and originally shown in the NY Times):"
"While what production of durable goods in the US that remains is charted, it along with the fortunes of the middle class and mass unemployed cratered in 2009. However, military production did not. It went through a minor dip and then soared. This is immoral. It destroys any argument on fairness and shared burden and consequences being a part of US society. It broadly and mercilessly insults the intelligence of all those who must listen to, see or read about the Department of Defense making nibbles around the edges to trim its budget in the coming time of austerity."
The risk to our nation from cyberwar is dwarfed by the economic hole that we've been digging. The Chinese have been there, gladly, helping us do just that. Perhaps this is a function of our collective short-term view. Our leaders only look towards the next business quarter or the next election cycle. All the while, a culture that measures time in terms of 200-year dynasties looks on and quietly smiles. -BB (2011-01-20)
OECD Report: Risk of Cyberwar Exaggerated
A study done by researchers from Oxford and the London School of Economics concludes (among other things) that:
"Analysis of cybersecurity issues has been weakened by the lack of agreement on terminology and the use of exaggerated language. An 'attack' or an 'incident' can include anything from an easily-identified phishing attempt to obtain password details, a readily detected virus or a failed log-in to a highly sophisticated multi-stranded stealth onslaught. Rolling all these activities into a single statistic leads to grossly misleading conclusions...Cyberespionage is not a 'few keystrokes away from cyberwar.'"
"It is unlikely that there will ever be a true cyberwar."
"Large numbers of attack methods are based on faults discovered in leading operating systems and applications. Although the manufacturers offer patches, their frequency shows that the software industry releases too many products that have not been properly tested."
Of course, I could have told you that. -BB (2011-01-18)
Wikileaks and The Propaganda Model
Is the mass media a watchdog or merely a cheerleader?
"As Columbia University digital journalism expert Emily Bell argues, it [Wikileaks] forces journalists and news organisations to demonstrate to what extent they are now part of an establishment it is their duty to report. In other words, WikiLeaks exposes the degree to which normal journalism has lost its watchdog role. Mainstream journalism stands accused of failing to be critical enough of those in authority. Over the economic crash of 2007 and over intelligence and the Iraq war, it failed to challenge the conventional wisdom. It was not a conspiracy or a failure of resource. It was because journalism can be too responsible, balanced and passive. Sometimes journalism needs to be disruptive, critical and even partial."
Aside: To see just how passive the media can be, I'd strongly urge you to view Bill Moyers' eye-opening documentary Buying The War. You won't find this kind of in-depth analysis elsewhere, which is why I support PBS. -BB (2011-01-16)
The PhD Shortage Myth
Contrary to what the corporate decision makers have been telling us, there is no shortage of talent in the United States. In fact, there's a surplus! According to this recent article in The Economist:
"In a recent book, Andrew Hacker and Claudia Dreifus, an academic and a journalist, report that America produced more than 100,000 doctoral degrees between 2005 and 2009. In the same period there were just 16,000 new professorships. Using PhD students to do much of the undergraduate teaching cuts the number of full-time jobs."
Without a doubt, the claim of a "talent shortage" is merely a pretext for offshoring and H-1B initiatives. In a nutshell, it's all about access to cheap labor. Universities benefit as do business interests. All the while executive salaries continue to skyrocket. What will this do to the United States over the long run as people realize that no one wants to hire an American with a PhD in the hard sciences? Would you like some fries with that? -BB (2011-01-08)
Related: Proponents of offshoring and H-1B often use the free market argument as a convenient ideological excuse. As John Cassidy's recent article in The New Yorker demonstrates, the idea of a free market is also somewhat mythical.
"During the half century after Lincoln's Presidency, the business-backed Republican Party was in power for most of the time, and tariffs on manufactured goods remained at forty to fifty percent, the highest levels anywhere. It was during these years that the US economy grew to rival the economies of Britain and Germany in industries such as iron and steel and chemicals ...The fact is that not one of today's economic powers practiced free trade during its developmental stage."
In other words, state intervention to protect US domestic interests enabled the United States to emerge as a financial powerhouse, not free markets. Large multinationals dust off the free market argument when it suits their interests, not ours. -BB (2011-01-09)
Related: Another New York Times article on China's "indigenous innovation" policy. -BB (2011-01-12)
The Bureaucratic Nature of the CIA
While the popular image of the CIA conveyed in books and movies is often that of a rogue organization, it's probably much closer to the truth to say that the CIA, as Chomsky has characterized it, is "basically just an obedient branch of the White House."
This view is supported by a Top Secret interview with David Cohen, the former Deputy Director for Operations for the CIA. In this interview, he notes that:
"When you take an action on the edge and you don't think leadership will stand with you, you soon decide to stay far from the edge. The DO had many years in which they thought that the White House endorsed action, only to find out that the White House was not supportive in the end. CIA is as risk-taking as the policy environment will support. Just having case officers asked by senior officials, 'why did you do this?' sends a message that risk-taking is not supported."
I suspect that the White House would prefer to maintain the CIA's rogue elephant image so that a certain degree of plausible deniability can be exercised when need be. If something unpleasant comes to light, the White House can claim "we didn't do it, it was those loose cannons over in the CIA." Then they feed a couple of CIA officials to the wolves and wash their hands. -BB(2010-12-31)
Update: Former NSA Director, General Bill Odom disagrees. He claims that "The CIA currently does not work for anyone - it pretends to work for the President but is in fact out of control."
Bruce Sterling on Wikileaks
Mr. Sterling offers his synopsis of Wikileaks and Assange.
"While others stare in awe at Assange's many otherworldly aspects: his hairstyle, his neatness, his too-precise speech, his post-national life out of a laptop bag, I can recognize him as pure triple-A outsider geek. Man, I know a thousand modern weirdos like that"
Reading this essay, I cannot help but detect a hint of offhand dismissal. "Never you mind" says Mr. Sterling, "just another cyber misfit, they're a dime a dozen." As an author, I can heartily testify that you can spend your life reading books, or you can go out and live a life that someone will want to write a book about. For better or for worse, Julian Assange falls into the latter category. Merry Christmas, Wikileaks. -BB (2010-12-25)
Is Wikileaks a CIA Front?
In this article, Michel Chossudovsky makes his case:
"On the surface, nothing proves that Wikileaks was a CIA covert operation. However, given the corporate media's cohesive and structured relationship to US intelligence, not to mention the links of individual journalists to the military-national security establishment, the issue of a CIA sponsored PsyOp must necessarily be addressed... It is in the interest of the corporate elites to accept dissent and protest as a feature of the system inasmuch as they do not threaten the established social order. The purpose is not to repress dissent, but, on the contrary, to shape and mould the protest movement, to set the outer limits of dissent."
In other words, if you control both of the prize fighters in a boxing match you'll profit regardless of who wins. -BB (2010-12-19)
Update: Over the past several days I have received mail from a number of government employees who've protested that Wikileaks couldn't possibly be a CIA psyop because the Wikileaks staff are "far too competent." -BB (2010-12-23)
More on The Quandary of Attribution
Jeffrey Carr, in this Forbes article, questions the notion that Israel is responsible for Stuxnet.
"The appeal of a U.S. or Israeli cyber attack against first Bushehr, then Natanz, was just too good to pass up even though there was no hard evidence and very slim circumstantial evidence to support a case for either country. The best that Ralph Langner, CEO of Langner Communications (and the leading evangelist for this scenario) could point to was an obscure Hebrew word for Myrtus and a biblical reference for a date found in the malware that pertained to Persia; both of which could have been explained in a half dozen alternate ways having nothing to do with either Israel or the U.S."
"As far as China goes, I've identified 5 distinct ties to Stuxnet that are unique to China as well as provided a rationale for the attack which fits China's unique role as Iran's ally and customer, while opposing Iran's fuel enrichment plans. There's still a distinct lack of information on any other facilities that suffered damage, and no good explanations for why there was such massive collateral damage across dozens of countries if only one or two facilities in one nation state were the targets; however, based solely on the known facts, I consider China to be the most likely candidate for Stuxnet's origin."
In this white paper, he also questions the assumption that Stuxnet is a state-sponsored project.
"The Stuxnet malware analysis performed by Symantec, ESET, Kaspersky, Langner Communications, and Microsoft all point to a well-funded team of developers with certain unique skill sets and several months for development and testing. The obvious conclusion is that this team was sponsored by a nation state, however certain multi-national corporations have the same or better resources than many governments. In some countries, the government has a controlling interest in their largest corporations such as China's national champion companies (i.e., Huawei) or France's majority ownership of Areva."
It's been months, now, and we still don't have the answers we need. This demonstrates the truck-size hole that exists in the flawed strategy of cyberwar deterrence or the idea that we can limit problems with treaties (that we can't enforce). -BB (2010-12-17)
Cyberwar Treaties
Yet again, the central issue of attribution rears its ugly head. Even if you succeed in tracing an attack back to a specific geographic location, there's really no foolproof way to ascribe responsibility. Such is the nature of contemporary anti-forensic technology (and the internet in general). There's nothing to prevent a determined (e.g., state-funded) attacker from breaking the terms of a treaty and then shielding themselves with plausible deniability or, even worse, framing a third party.
Let's not forget the possibility that the intel services of a treaty participant could simply pay one of the more sophisticated criminal groups to do their dirty work for them. The aforementioned outlaws would probably have no idea who really hired them, providing an extra layer of obfuscation.
Whenever I read about the idea of cyberwar treaties, I think back to the Biological Weapons Convention that the US and USSR signed in 1972. The Soviets seemed to interpret the treaty as an opportunity to accelerate their weapons program. -BB (2010-12-04)
Related: Attribution cuts both ways. "Recall as well that the main technical tool used to anonymize submissions to WikiLeaks, Tor (The Onion Router), came out of a US Naval Research Laboratory project to protect clandestine activities overseas. In fact, members of the military are some of the most vocal opponents of current attempts in the US to require person-level attribution of data packets online."
Gary McGraw: Cyberwar and Influence Peddling
One of the world's leading experts on developing secure software speaks out against the hype surrounding cyberwar in this Q&A from CNET.
"There is a lot of crime, less espionage, and very little cyberwar. (chuckles) And the root cause for capability in all these things is the same. That is dependence on systems that are riddled with security defects. We can address all three of those problems. The most important is cybercrime, which is costing us the most money right now. Here's another way to think about it: everyone is talking about the WikiLeaks stuff, and the impact the latest (confidential files) release is having on foreign policy in the U.S. The question is, would offensive capability for cyberwar help us solve the WikiLeaks problem? The answer is obvious. No. Would an offensive cyberwar capability have helped us solve the Aurora problem where Google's intellectual property got sucked down by the Chinese? The answer is no. What would have helped address those two problems? The answer is defense. That is building stuff properly. Software security."
I couldn't agree with him more. -BB(2010-12-01)
Brzezinski on CableGate: Catastrophic, But Not Serious
Last night on PBS, Zbigniew cut to the chase pretty quickly:
"I think the most serious issues are not those which are getting the headlines right now. Who cares if Berlusconi is described as a clown. Most Italians agree with that. Who cares if Putin is described as an alpha dog? He probably is flattered by it."
"The real issue is, who is feeding Wikipedia on this issue -- Wiki -- Wiki -- WikiLeaks on this issue? They're getting a lot of information which seems trivial, inconsequential, but some of it seems surprisingly pointed...It's, rather, a question of whether WikiLeaks are being manipulated by interested parties that want to either complicate our relationship with other governments or want to undermine some governments, because some of these items that are being emphasized and have surfaced are very pointed. And I wonder whether, in fact, there aren't some operations internationally, intelligence services, that are feeding stuff to WikiLeaks, because it is a unique opportunity to embarrass us, to embarrass our position, but also to undermine our relations with particular governments."
Wikipedia? Was that a Freudian slip? All joking aside, I think he's alluding to an issue that is worth some thought. Just as intelligence services have long-standing back channels with the press, as pointed out by editors like the New York Times' Max Frankel, have interested parties devised ways to influence Wikileaks? This is the danger of being an information chokepoint. -BB (2010-11-30)
Iran Admits to Malware Issues
"Mr. Ahmadinejad publicly acknowledged, apparently for the first time, that Iran's nuclear program had recently been disrupted by a malicious computer software that attacked its centrifuges. 'They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts,' he said at the news conference."
This New York Times article implies that the malware was indeed Stuxnet, though it isn't stated explicitly. In fact, the article mentions that "Mr. Ahmadinejad did not specify the type of malware or its perpetrators." Assuming that Stuxnet was to blame, questions still remain: Who wrote Stuxnet? Was Iran an intended target?
Related: Another New York Times article provides additional information concerning the Google attacks:
"China's Politburo directed the intrusion into Google's computer systems in that country, a Chinese contact told the American Embassy in Beijing in January, one cable reported. The Google hacking was part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government. They have broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002, cables said."
Keep in mind that this is based on information from a "contact." Before we invaded Iraq, our Secretary of State stood before the UN Security Council on May 27, 2003, and (based on intel from a contact) alleged that Iraq had developed mobile production facilities for biological weapons.
Another thing to keep in mind is that China isn't the only nation-state that ventures into other people's networks. I'm fairly confident that we do it just as much (if not more so). -BB (2010-11-29)
CableGate: First Batch of US Diplomatic Cables Released
The cables, which date from 1966 up until the end of February this year, contain confidential communications between 274 embassies in countries throughout the world and the State Department in Washington DC. 15,652 of the cables are classified Secret. The embassy cables will be released in stages over the next few months.
The New York Times, Der Spiegel, and The Guardian were all given access to these cables and have dedicated portals.
The White House has responded:
"Such disclosures put at risk our diplomats, intelligence professionals and people around the world who come to the United States for assistance in promoting democracy and open government. These documents also may include named individuals who in many cases live and work under oppressive regimes and who are trying to create more open and free societies."
The New York Times thinks otherwise:
"The cables tell the unvarnished story of how the government makes its biggest decisions, the decisions that cost the country most heavily in lives and money. They shed light on the motivations and, in some cases, duplicity of allies on the receiving end of American courtship and foreign aid. They illuminate the diplomacy surrounding two current wars and several countries, like Pakistan and Yemen, where American military involvement is growing. As daunting as it is to publish such material over official objections, it would be presumptuous to conclude that Americans have no right to know what is being done in their name."
Regardless of how government officials and the press view the release of these documents, one thing is certain: leaders are probably now aware that they may one day be held accountable for what they do and say. The veil of secrecy has been pulled back. This will impact how our government operates and how we interact with other countries. Perhaps this is one of the ulterior motives of cablegate? -BB (2010-11-28)
Life in The Wilderness of Mirrors
This New York Times book review looks at a number of recent books that have been authored by former CIA officers. These sorts of memoirs tend to fall into two categories. On one side you'll find people like Miles Copeland, an officer in both the OSS and CIA, who asserts that the general public has a biased view of the CIA because we only hear about the failures (an argument that rests heavily on the secret nature of intelligence operations). In his book, Without Cloak Or Dagger, Copeland explains that:
"Unless you can believe that even a government as wasteful and inefficient as our own would tolerate the existence of a vast and costly facility which is inactive and ineffective, you must believe that it accomplishes something. More than that, you must believe that most of what it does is successful. No Government, even our own, would tolerate for long a costly agency that has more failures than successes."
The current slew of publications seems to claim just the opposite. They paint a picture of an unwieldy bureaucracy that's mired in the security of administrative rituals which place an emphasis on quantity over quality. Some former officers even go so far as to suggest that we start over with a clean slate. This definitely doesn't jibe with Copeland's description of the indoctrination process that CIA officers undergo during training.
"Even the most anti-Government cynic comes out with the conviction that the nation faces dangers to national security which are more awful than even the gloomiest columnist imagines, and that the machinery of which the CIA is a part has means of combating them which are so sophisticated and powerful as to be beyond the comprehension of all but those who are a part of them."
How's that for hyperbole? So, who do you believe: the old stalwart or the groans of disenchantment that point to the conspicuous absence of intelligence "slam dunks?"
Perhaps Lindsay Moran can offer some insight. In her book, entitled Blowing My Cover, she recalls a warning from a grizzled rank-and-file CIA veteran who advises her not to let the job consume her, as the higher-ups in the beltway pay much more attention to failure than success. -Barry Bennington (November 27, 2011)
Ever Wonder How Government Officials Really Feel?
According to this article in the Washington Post, Wikileaks is gearing up to release US State Department documents. The current administration appears to be bracing for impact. The article reports:
"U.S. officials are concerned that some of the leaked cables could include details of conversations in which senior foreign politicians offer candid appraisals of their governments. Those assessments could prove embarrassing, not only to the United States but to the politicians and governments concerned."
Elizabeth King, the Assistant Secretary of Defense for Legislative Affairs, recently sent an e-mail to the Senate and House Armed Services Committees asserting that "The publication of this classified information by WikiLeaks is an irresponsible attempt to wreak havoc and destabilize global security. It potentially jeopardizes lives."
Julian Assange is no stranger to this sort of critique. In a correspondence sent to volunteers[at]lists.wikileaks.org in March of 2008, he stated that:
"The first ingredient of a democracy is the people's right to know, because without such understanding no human being can meaningfully choose to support anything, let alone a political party. Knowledge is the driver of every political process, every constitution, every law and every regulation... Since knowledge is the creator and regulator of all law, it must be placed beyond law."
As the clock ticks down to the release date, which the Pentagon suspects may be as soon as November 26th, I wonder if the State Department will simply weather the oncoming storm. Or, as Wikileaks has intimated, "the coming months will see a new world, where global history is redefined." Either way, I cannot help but notice the admonishment by Wikileaks to "Keep us strong." Says Cryptome: "it's the patois of whispering promises of manifold return on investment for riches to come. Open your wallet." -BB (2010-11-24)
NSA Assurance Director: Focus on Defense
In this article from Network World, the NSA's Information Assurance Technical Director, Dickie George, acknowledges the issues posed by attribution. He states, "Back then, if the Soviets fired a missile you knew it was the government and could tell where it was fired from... Today, it's bits and you don't see them coming through the air." In other words, how can you rely on a policy of deterrence when you can't even tell who attacked you? Correct me if I'm wrong, but it's been months now and we still don't have any concrete evidence that will tell us who, exactly, built Stuxnet.
In this arena, Dickie claims that we need to "make ourselves harder targets." The best defense isn't a good offense, contrary to what you may hear from retired government officials who now represent corporate interests in the defense industry. The best defense is... a solid defense.
These are similar to some of the basic arguments that I touched on this past October during an event at San Francisco State University. -BB (2010-11-21)
RELATED: A recent Senate hearing on Stuxnet. Notice who provided the witness testimony. Do you think they might have a vested interest in painting an ominous picture?
More Details Emerge on Stuxnet
Researchers at Symantec have uncovered more details with regard to what this malware does. Specifically, they discovered that "Stuxnet requires particular frequency converter drives... [and] changes the output frequencies and thus the speed of the motors for short intervals over periods of months. Interfering with the speed of the motors sabotages the normal operation of the industrial control process."
Note that details about who created Stuxnet, and why, are still sadly absent. That hasn't stopped anyone in the press from taking almost comical speculation about Stuxnet and presenting it as fact. -BB (2010-11-13)
Identifying The CPU: Towards Hardware-Oriented Malware
"This technology is very easy to build since it does not rely on deep analysis of chip logical gates architecture. Floating Point Arithmetic (FPA) looks promising to define a set of tests to identify the processor or, more precisely, a subset of possible processors."
This is the first step towards building malware that targets a specific chipset, as opposed to a specific OS. Once you know the chipset, you can look for hardware-specific exploits. Finding a hardware-level flaw... that, dear reader, is the challenging part. -BB (2010-11-11)
U.S. Dept. of State Warns Against Using AES
If this doesn't raise an eyebrow, I don't know what will:
"The Bureau of Information Resource Management's Radio Programs Branch (IRM/OPS/ITI/LWS/RPB) provides all overseas missions two-way radios equipped with Digital Encryption Standard (DES) or Advance Encryption Standard (AES). These encryption algorithms provide limited protection from unauthorized interception of voice communications and are only approved for the transmission of Department of State Sensitive But Unclassified (SBU) and Department of Defense For Official Use Only (FOUO) communications. Under no circumstances should DES- or AES-equipped radios be used for the transmission of classified information, as defined by Executive Order 12958."
If there are flaws in AES that make it undesirable as an encryption algorithm for classified information, then it's probably not a good standard. Unless, of course, for whatever reason, you want people to rely on an algorithm that allows you to eavesdrop. Someone has some explaining to do... -BB (2010-11-07)
Another Leak Source Is In The Works
The Wall Street Journal reports that "a group that includes former WikiLeaks staffers who left the organization after disagreements with founder Julian Assange is pursuing plans for a rival document-leaking venture, said people familiar with their plans."
It's interesting to examine how the WSJ frames this story. They present it as if it were a bad thing. The reality is that having multiple outlets makes it more difficult for opponents to subvert the flow of information to the public. A single outlet represents a choke point that becomes an attractive target for prosecution, bribery, and disinformation campaigns. Don't think "competition," think "failover." - BB (2010-11-05)
RELATED: Here are some notes from a recent event at the NYU School of Law. "Wikileaks should be seen as one of many counter-authority initiatives stretching back three millennia, the numbers increasing rapidly via the Internet, including those using public benefit initiatives to hide the authoritarian -- every authoritarian allows a controlled counter for gloss." I find the last part of the previous sentence to be particularly disturbing. Every power structure tolerates a token amount of resistance to help legitimize itself. - BB (2010-11-06)
The Press, Intel Agencies, & Wikileaks
New York Times Op-ed: "Some say that what's important is the material itself. Whether or not Julian Assange is a rogue with a political agenda, what matters most is that The Times authenticates the information."
Cryptome: "This is the Times's vainglorious argument: we will take the information, for free, thank you very much, then transform it into our 'reputable' product. The same with spies. In the end there is little difference among thieves who steal open and leaked information and bump up the price as if exploiting sweat labor."
The Drive Towards National Operating Systems
Reliance on Windows has motivated countries like Russia, India, and China to think about building their own OS. The basic premise is that it may not be wise to base your core digital infrastructure on an OS that you don't own, control, and audit. Who really knows what's in that special sauce? Is that a genuine kernel bug or a cleverly disguised back door? Can you say "plausible deniability?"
Perhaps these governments should chat with Joanna Rutkowska. There's definitely something to be said for her disposable VM concept, though I wonder how it would impact a forensic investigation.
One might speculate that certain problems we have regarding cyber security may be rooted in the short-term mindset of our culture in general. Executives focus on the next business quarter, politicians focus on the next election cycle, and as a result we never step back to see that there's a long-term endgame being played out; one that will require us to make investments that may not yield significant returns (or appear attractive) over the short-term but will be necessary for us to function as years turn into decades. -BB(2010-10-27)
Wikileaks Releases Second Round of Documents
"At 5pm EST Friday 22nd October 2010 WikiLeaks released the largest classified military leak in history. The 391,832 reports ('The Iraq War Logs'), document the war and occupation in Iraq, from 1st January 2004 to 31st December 2009 (except for the months of May 2004 and March 2009) as told by soldiers in the United States Army. Each is a 'SIGACT' or Significant Action in the war. They detail events as seen and heard by the US military troops on the ground in Iraq and are the first real glimpse into the secret history of the war that the United States government has been privy to throughout."
"The reports detail 109,032 deaths in Iraq, comprised of 66,081 'civilians'; 23,984 'enemy' (those labeled as insurgents); 15,196 'host nation' (Iraqi government forces) and 3,771 'friendly' (coalition forces). The majority of the deaths (66,000, over 60%) of these are civilian deaths. That is 31 civilians dying every day during the six year period. For comparison, the 'Afghan War Diaries', previously released by WikiLeaks, covering the same period, detail the deaths of some 20,000 people. Iraq during the same period, was five times as lethal with equivalent population size."
According to the Washington Post, major outlets like The New York Times, The Guardian, and Der Spiegel were granted early access to the War Logs and have established portals focusing on different aspects of the reports. -BB (2010-10-23)
RELATED: The New York Times reports that Afghan President Hamid Karzai has admitted that he accepts "bags of cash" from the Iranian government.
RELATED: PBS News Hour included a segment last night that addressed what we've learned from the leaked information. John Mearsheimer, a West Point graduate, former Air Force officer and professor at the University of Chicago had this to say: "It's quite clear from the documents that numerous cases are found where Americans were reporting these abuses. The problem is that people further up the chain of command, both the military and civilian individuals, didn't do anything to stop it. There is no question that the Americans knew what was going on. It's not like this was happening in the dark, and we only suspected it and didn't really know about it. We knew about it, and we didn't do anything to stop it. We effectively turned a blind eye. And this was strategically foolish and, I think, morally bankrupt."
RELATED: I thought the following excerpt from an article published by Der Spiegel summed things up nicely. "In one respect, the US Armed Forces, which compiled these documents, and the website WikiLeaks, which is now publishing them, share a common interest. Both organizations view the documents as an inside look at the Iraq war -- the most precise, detailed and comprehensive proximity to the bloody truth yet."
Fear and Loathing In San Francisco
This Thursday, October 21st, our primary investigator and resident heretic will appear at San Francisco State University to speak on the gilded hyperbole of Cyberwar. Come see what drives the media frenzy behind this term and learn how the power brokers in our society manipulate our institutions to manufacture consent. -R. James (10/18/2010)
The Cyberwar Echo Chamber
Former DHS secretary Michael Chertoff repeats a message originally promoted by former DNI Mike McConnell: deterrence. As I've pointed out, this is a flawed approach that could lead us to initiate hostilities against the wrong country. Anti-forensics has progressed to the point where it would be entirely feasible for one nation-state to frame another. Currently there seem to be any number of former government officials talking about Cyberwar, and this fact hints at the reasons why this idea has achieved so much momentum. -BB (2010-10-15)
RELATED: A Reuters article notes that "The Pentagon's biggest suppliers -- including Lockheed Martin Corp, Boeing Co, Northrop Grumman Corp, BAE Systems Plc and Raytheon Co -- each have big and growing cyber-related product and service lines for a market that has been estimated at $80 billion to $140 billion a year worldwide"
RELATED: The truth finally starts to come out. The BBC reports on the UK's recently published National Security Strategy. This document claims that Cyberwar is right up there with nuclear weapons and pandemics. These assertions have been made in light of annual cuts of 8% to the defence budget over the next four years.
Myrtus or MyRTUs?
John Markoff in the New York Times has written an article which intimates that the Stuxnet worm may be the work of Israel's Unit 8200. According to Markoff, "Several of the teams of computer security researchers who have been dissecting the software found a text string that suggests that the attackers named their project Myrtus... an allusion to the Hebrew word for Esther. The Book of Esther tells the story of a Persian plot against the Jews, who attacked their enemies pre-emptively."
Really? Personally I'd be surprised if a crack team of Israeli software engineers were so sloppy that they relied on outdated rootkit technology (e.g. hooking the Nt*() calls used by Kernel32.LoadLibrary() and using UPX to pack code). Most of the Israeli developers I've met are pretty sharp. Just ask Erez Metula.
It may be that the "myrtus" string from the recovered Stuxnet file path "b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb" stands for "My-RTUs," as in Remote Terminal Unit. See the following white paper from Motorola, which examines RTUs and PICs in SCADA systems. Who knows? The guava-myrtus connection may actually hold water.
As you can see, the media's propaganda machine is alive and well. -BB (2010-10-01)
UPDATE: Elinor Mills of cnet tries to separate fact from theory in this reality check. For example: there's no solid evidence as to who's behind the malware or even what country or operation was the intended target, and it's unknown if any serious damage has been done.
RELATED: As the frenzy over Stuxnet plods onward, the FBI has released details on Operation Trident Breach. According to the FBI's press release, criminals made off with roughly $70 million.
I'm sure you can see a pattern here. While we're distracted with a litany of ominous sounding potential threats to our welfare, actual losses caused by tangible crimes are occurring on a daily basis. As Bruce Schneier has pointed out, the solutions that we turn to depend on how we frame what's going on. Will we focus on Cybergeddon or will we focus on more mundane events that have an actual cost which we can directly measure?
Stuxnet: Despite Rumors and Hyperbole, Questions Remain
RELATED: George Smith observes that "the lack of substantial proof of success in offensive malware operations won't stop anyone in the business of insisting just the opposite... Stuxnet as a super cyber weapon is a hot, sexy story. The hype behind it is predictable, even logical"
RELATED: Cybercrime Continues As CyberWar Fizzles - "In a rash of dawn raids, police in the United Kingdom nabbed 19 people suspected of stealing more than $9 million from online bank accounts."
RELATED: Yet Even More Cybercrime - "The FBI and the U.S. Attorney's office in southern New York announced charges today against 37 people accused of being part of an international crime ring that stole $3 million from bank accounts." No rumors, no hype, no anonymous sources. Just hard facts. Cybercrime is the domain where we are suffering death by a thousand cuts.
The issue of attribution once again comes to the forefront. This morning an Associated Press article declared that "Government experts and outside analysts say they haven't been able to determine who developed it [Stuxnet] or why." Keep this in mind, because there are any number of interests that stand to gain by planting the seed of suggestion.
Another thing that I found interesting was the admission by commercial researchers that this might not be the work of a nation-state. Rather, it might just be a "well-funded private entity." Trust me, there are plenty of these out in the wild (just take a look at how Presidential elections are financed in the United States). Contrary to popular belief, you don't necessarily need a billion-dollar budget to develop cyber weapons, though I'm sure there are contractors who would insist that this is the case. Charlie Miller has asserted that paralyzing the United States would require two years of effort and less than 100 million dollars. In the case of Stuxnet, the estimate seems to be a team of 5-10 people. In my opinion, this kind of effort would easily be in reach of a private organization that has a few million dollars to throw around.
Finally, despite all the media buzz that reflects on what could have happened, according to Siemens: of the 15 industrial control plants that Stuxnet found its way into, none have been adversely affected. -BB (2010-09-26)
Not So Cutting-Edge Aspects of Stuxnet
Despite certain facets of this malware that are definitely notable (e.g. employing multiple 0-day exploits, the use of code signing certificates, auto-update with an option to use P2P channels in the event that the C2 node goes down), there are aspects of the implementation that surprised me as being slightly dated.
For example, to map DLLs into memory Stuxnet relies on a well-known hook-based approach that alters a handful of lower-level APIs used by the Kernel32.LoadLibrary() routine. This strategy generates forensic artifacts by virtue of the fact that a DLL loaded in this manner ends up in memory, and in the system's runtime bookkeeping, while failing to show up on disk (a telltale sign, just ask the response team at Guidance Software). In other words, the absence of an artifact is itself an artifact.
A less conspicuous strategy is to use what's been called "Reflective" DLL injection, which is what contemporary suites like Metasploit use. Essentially, reflective DLL injection sidesteps the Windows Loader entirely in favor of a custom user-mode loader (an idea that was presented years ago by researchers like the Grugq, e.g. Data Contraception).
Stuxnet also uses DLLs packed with UPX. Any anti-forensic developer worth their salt knows that UPX leaves a signature that's easy for a trained investigator to recognize. A brief glance at the file headers is usually enough. Once recognized, unpacking is a cakewalk. Now, I would expect that if the engineers who built this software took the time and care to implement the obscure PLC features that they did, they'd also have the resources and motivation to develop custom packing components. I mean, if you're going to pack your code, at least make it difficult for the forensic guy wading through your payload. C'mon! It's not that much work.
Why even use DLLs? Why not create some special-purpose file format that relies on a shrouded address table and utilizes an embedded virtual machine to execute one-of-a-kind bytecode? Really, if you have a federal budget backing you up why not go full bore? Heck, I know I would. Ahem.
What all of this seems to indicate is that the people who built this in some respects took the path of least resistance. They opted to trade development effort for a forensic footprint. Is this the super weapon that the media is making Stuxnet out to be? -BB(2010-09-24)
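The "brief glance at the file headers" mentioned above, as an added example that is not the author's code and has nothing to do with the malware itself: a small PE section-table walker that flags the UPX0/UPX1 section names a UPX-packed image carries. The PE images it parses are constructed inline (they are not real samples and cannot execute), and the check is a first-pass heuristic: a packer that renames its sections defeats it, which is exactly the post's point.

```python
import struct

# UPX replaces the original section names with UPX0/UPX1 (and UPX2 for some
# builds). That is the header-level tell a trained investigator spots at a glance.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list[str]:
    """Walk the DOS header, PE signature and COFF header, then return the
    section names in table order. Raises ValueError on anything that is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4  # COFF file header follows the 4-byte "PE\0\0" signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < coff + 20:
        raise ValueError("missing or truncated PE signature/COFF header")
    # COFF layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_of_optional_header
    names = []
    for i in range(number_of_sections):
        off = section_table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; name is the first 8
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True when any section carries a UPX name; a starting point for triage, not proof."""
    return any(name.encode("ascii", "replace") in UPX_SECTION_NAMES
               for name in pe_section_names(data))


def build_sample_pe(section_names: list[bytes]) -> bytes:
    """Constructed test input: a minimal, non-executable PE32 image whose only
    meaningful content is its section table (hypothetical helper, not a real sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after DOS header
    opt_size = 224  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(opt_size - 2)  # PE32 magic, rest zeroed
    sections = b"".join(name.ljust(8, b"\0") + bytes(32) for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    packed = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])
    plain = build_sample_pe([b".text", b".rdata", b".data"])
    for label, image in (("packed", packed), ("plain", plain)):
        print(label, pe_section_names(image), "UPX?" , looks_upx_packed(image))
```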
We've Met the Enemy and He Is...
When reading stories about espionage in the press there can be a tendency to adopt a mindset that frames incidents in terms of one nation-state versus another, and this often lends itself to tacitly assuming a sort of moral high ground. Or, put more mildly, it gives the general impression that a specific nation-state is an offender in this arena more so than other nation-states (e.g. man, it's those darn Canadians again!).
While certain intelligence agencies have been known to establish "special relationships," for the most part everyone spies on everyone else. Such is life in the theatre of international relations. As in the genre of noir fiction, everyone is dirty to some extent (even the protagonist). While most of the stories I've read seem to point to China or Russia as the usual suspects, I think it's interesting to note something that retired Air Force General Michael Hayden said during an interview on the Jim Lehrer News Hour program:
"There was a survey done not too many months ago. They asked the citizens of some cyber-savvy nations around the world, who do you fear most in the cyber-domain? And, quite interestingly, we were number one.
The Chinese were a close second, but we were number one, which I think is simply a reflection that we are a technologically agile country, and we have very good intelligence services, and the rest of the world is kind of responding to that reality."
RELATED: Recall the Crypto AG story reported by the Baltimore Sun. If these allegations had been leveled at another country, you can imagine the outrage that we would have voiced.
"For four decades, the Swiss flag that flies in front of Crypto AG has lured customers from around the world to this company ...Some 120 nations have bought their encryption machines here. But behind that flag, America's National Security Agency hid what may be the intelligence sting of the century. For years, NSA secretly rigged Crypto AG machines so that U.S. eavesdroppers could easily break their codes, according to former company employees whose story is supported by company documents."
A Cyberwar Gulf of Tonkin Incident?
An article by SecurityWeek offers opposing viewpoints on the Pentagon hack.
Chester Wisniewski, Sophos Chief Security Adviser: "Why would a foreign intelligence agency attack the U.S. government with such a low-powered weapon? ...In his words, 'Either it wasn't put there by a foreign government or it wasn't agent.btz.'"
Tom Conway, McAfee's Director of Federal Business Development: "Why reveal your trade craft if something that's widely available on the black market will do the job?"
Comments: I'm inclined to side with Chester. The fact is that the agent.btz worm didn't "do the job." In an age of custom firmware rootkits, rogue hypervisors, and circuit-level subversion, a payload that "does the job" wouldn't have been discovered!
"Never ascribe to malice that which is adequately explained by incompetence" - Napoleon Bonaparte
If intel agencies from other countries had wanted data from top secret networks, I have a very hard time believing that they'd be anywhere near this sloppy. It sounds more like someone is exaggerating a pedestrian malware infestation as a means to bolster funding and then shielding themselves against further scrutiny by using the standard secrecy argument: "I can't tell you, it's classified." -BB (2010-09-05)
The Best Defense isn't a Good Offense
The decision makers at the Pentagon are at it again. According to an article published by the Washington Post, officials are considering preemptive strikes as a way to protect us. The difference is that it's being dressed up with new jargon; in this case it's being referred to as an "active defense." Oh, that's rich.
This suffers from the same basic problem as the doctrine of massive retaliation: attribution. If you can't identify the actual origin of an attack, it's an exercise in futility to build up a huge stockpile of offensive capabilities (unless of course you're in the business of building offensive weaponry). Furthermore, are we prepared to live with the consequences when we attack the wrong country? Correct me if I'm wrong but did we just spend close to a trillion dollars to protect ourselves from imaginary weapons of mass destruction? Think of what that money could have done here in the US if we had directed it towards health and human services.
In what military officials are calling the fifth domain, the best defense is not a good offense. We'd be much better off focusing on, well, defense. -BB (2010-09-02)
More Cyberwar Fear Mongering
In this Foreign Affairs article, Deputy Secretary of Defense William Lynn hypes an incident with a thumb drive that occurred back in 2008:
"The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control"
Reports from Wired appear to counter his assertions.
"Agent.btz is a variant of the SillyFDC worm... Agent.btz's ability to compromise classified information is fairly limited. SIPRNet, the military's secret network, and JWICS, its top secret network, have only the thinnest of connections to the public internet. Without those connections, intruders would have no way of exploiting the backdoor, or, indeed, of even knowing that agent.btz had found its way into the CENTCOM network... What spy service would launch such a lame attack?"
Another thing to keep in mind, dear reader, is that Foreign Affairs is a publication of the Council on Foreign Relations. -BB (2010-08-26)
UPDATE: The New York Times has printed an article on this. According to the Times, Lynn composed his Foreign Affairs essay "to raise awareness of the threat to United States cybersecurity ...and partly to make the case for a larger Pentagon role in cyberdefense."
I'd pay close attention to the second half of that previous sentence. -BB(2010-08-26)
WikiLeaks Releases Another Red Cell Memo
"This CIA 'Red Cell' report from February 2, 2010, looks at what will happen if it is internationally understood that the United States is an exporter of terrorism..."
"The report looks at a number of cases of US exported terrorism, including attacks by US based or financed Jewish, Muslim and Irish-nationalism terrorists."
RELATED: A WSJ article that looks at how WikiLeaks conceals funding information. The empire strikes back, so to speak. -BB (2010-08-26)
Cryptome's John Young: The Single Greatest Threat to Democracy
"Secrecy hides privilege, incompetence and deception of those who depend on it and who would be disempowered without it...
A vast global enterprise of governments, institutions, organizations, businesses and individuals dependent upon the secrecy of abuse of secrecy has evolved into an immensely valuable practice whose cost to the public and benefits to its practitioners are concealed by secrecy...
Secrecy poses the greatest threat to the United States because it divides the population into two groups, those with access to secret information and those without. This asymmetrical access to information vital to the United States as a democracy will eventually turn it into an autocracy run by those with access to secret information, protected by laws written to legitimate this privileged access and to punish those who violate these laws."
This may sound a bit overblown. But consider this: according to the Top Secret America project, some 854,000 people (more than the entire city of San Francisco) hold top-secret security clearances. In the greater DC area, 33 buildings for top-secret intelligence work are under construction or have been built in the aftermath of September 2001. These structures consume the same amount of space as three Pentagons - roughly 17 million square feet.
Does John Young really sound so far off the mark? -BB (2010-08-23)
International Bankers Deem Themselves Above The Law
"Barclays Bank PLC, a United Kingdom corporation headquartered in London, has agreed to forfeit $298 million to the United States and to the New York County District Attorney's Office in connection with violations of the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA)"
"According to court documents, from as early as the mid-1990s until September 2006, Barclays knowingly and willfully moved or permitted to be moved hundreds of millions of dollars through the U.S. financial system on behalf of banks from Cuba, Iran, Libya, Sudan and Burma, and persons listed as parties or jurisdictions sanctioned by OFAC in violation of U.S. economic sanctions."
Though this may seem like a lot of money at first blush, it's just a slap on the wrist, which Barclays will probably accept as the cost of doing business. At best, this is a symbolic victory. -BB (2010-08-18)
FRONTLINE to Explore the Subversive Effects of Secrecy
"The top-secret world the government created in response to the terrorist attacks of Sept. 11, 2001, has become so large, so unwieldy and so secretive that no one knows how much money it costs, how many people it employs, how many programs exist within it or exactly how many agencies duplicate the same work."
"The major function of secrecy in Washington is to keep the U.S. people and U.S. Congress from knowing what the nation's leaders are doing. Secrecy is power. Secrecy is license. Secrecy covers up mistakes. Secrecy covers up corruption." - Major John Stockwell
Apologies for Big Brother
In this New York Times op-ed, Richard Falkenrath applauds the United Arab Emirates for its recent decision to suspend BlackBerry service within its borders. The Canadian company that developed the technology, Research In Motion, has resisted modifying its infrastructure to enable authorities to easily intercept the data streams of selected users.
Falkenrath concludes: "In the end, it is governments, not private industry, that rule the airwaves and the Internet. The Emirates acted understandably and appropriately: governments should not be timid about using their full powers to ensure that their law enforcement and intelligence agencies are able to keep their citizens safe."
It's interesting to note that Falkenrath, who was a deputy homeland security adviser to President George W. Bush, now works for the Chertoff Group. The Chertoff Group is a consulting firm that derives its name from one of its principals, Michael Chertoff, the Secretary of the U.S. Department of Homeland Security from 2005 to 2009.
The co-CEO of Research In Motion responded that "Everything on the Internet is encrypted. This is not a BlackBerry-only issue. If they can't deal with the Internet, they should shut it off."
RELATED: Nicholas Merrill (aka John Doe) of Calyx Internet Access finally speaks out.
"I kind of felt at the beginning, so few people challenge this thing, I couldn't just stand by and see, in my opinion, the basic underpinnings of our government undermined ... I was taught about how sophisticated our system of checks and balances is . . . and if you really believe in that, then the idea of one branch of government just demanding records without being checked and balanced by the judicial just is so obviously wrong on the surface."
The "Insurance" File
"At the center of the drama was the posting last week of a massive 1.4 gigabyte mystery file named 'Insurance' on the WikiLeaks website. The 'Insurance' file is encrypted, nearly impossible to open until WikiLeaks provides the passwords. But experts suggest that if anyone can crack it - it would be the National Security Agency."
"'Do we believe that WikiLeaks has additional cables? We do,' said State Department spokesman P.J. Crowley. 'Do we believe that those cables are classified? We do. And are they State Department cables? Yes.'"
Cryptome: Doubts about the invulnerability of AES have persisted since NSA selected an algorithm from an AES competition that was considered by cryptographers not to be the strongest. It is also likely that, for the strongest protection, NSA uses a top secret cryptosystem while promoting AES for public and official use. It is argued that NSA, like all official comsec agencies, would never endorse a system it could not secretly access. And these agencies never reveal that capability -- NSA's backdoor access to Crypto AG was revealed by an employee of the company.
Too Many Secrets
The following excerpts are from an op-ed in The New Yorker.
"Shutting WikiLeaks down, assuming that this is even possible, would only lead to copycat sites devised by innovators who would make their services even more difficult to curtail. A better approach for the Defense Department might be to consider WikiLeaks a competitor rather than a threat, and to recognize that the spirit of transparency that motivates Assange and his volunteers is shared by a far wider community of people who use the Internet."
"There is a simple lesson here: whatever the imperfections of WikiLeaks as a startup, its emergence points to a real shortcoming within our intelligence community. Secrets can be kept by deterrence, that is, by hunting down the people who leak them, as Thiessen proposes, and demonstrating that such behavior comes with real costs, such as prison time. But there are other methods: keep far fewer secrets, manage them better."
Wikileaks and Our Foreign Policy
"No amount of rhetorical tap dancing will allow the White House to escape the fundamental contradictions that underlie U.S. policy toward Af-Pak."
Contradiction #1: We're in Afghanistan to prevent future attacks by Al Qaeda
"Now that al Qaeda can attack the United States, its friends and allies from Yemen or Somalia or Pakistan or London or New Jersey, it's hard to claim any uniqueness for Afghanistan. So, why does the United States have to fight the war there with 100,000 troops?"
Contradiction #2: We're in Afghanistan to prevent an extremist coup in Pakistan
"Here's where the new trough of secret WikiLeaks comes in: Pakistani military intelligence... is indeed helping the Taliban against Americans in Afghanistan. To boot, the Pakistani government is providing safe haven to the Taliban in Northwest Pakistan, thus making it militarily impossible for U.S. forces to smash them."
Cryptome's John Young Responds to Mike Mullen
"The principal thing that WikiLeaks is doing and as I'm -- and I'm doing, also on another side, is we're trying to give a more fuller picture of the -- of the terrible situation in these countries, that the -- the U.S. military is killing thousands of people over there and that that is not being reported very well.
We regularly publish photographs put out by the Department of Defense about Afghanistan and Iraq. And there's never any carnage shown. You seldom see any of the carnage caused by the military in these wars. And war is carnage. But what you see are a kind of scenes you've just shown. And that's a -- that's an unbalanced view of what's happening there.
There is far more killing being done by the military in Afghanistan than there is by the Taliban, including innocent people. And we just don't get to see that. That is heavily censored. It's classified. It's not put out. What we get is the sanitized version that makes it look like the young soldiers are at risk or innocent civilians are at risk of being killed by the Taliban. But that is a completely inaccurate picture.
...the two talking points that are now being used to change the -- the dialogue about this leak. One is the risk of these informants. The other is that there's nothing new here. Those are talking points that are used by people who are trying to change the topic away from the carnage caused by the military into a polite kind of talking head version, as though there's nothing new here.
Notice that Admiral Mullen talked about blood on the soldiers' hands. WikiLeaks has answered that very effectively. He's changing the topic. He does not want to talk about what the military is doing in Afghanistan.
It is uncontrolled carnage going on over there as American policy. Otherwise, they'd be showing more of the truth."
This is it, dear readers. John Young is pointing out the propaganda machine in action. Pick up a copy of Noam Chomsky's Manufacturing Consent for a more detailed description of how the media works. -BB (2010-07-31)
I Walk The Line
Chairman, Joint Chiefs of Staff Adm. Mike Mullen
"Mr. Assange can say whatever he likes about the greater good he thinks he and his source are doing, but the truth is they might already have on their hands the blood of some young soldier or that of an Afghan family. Disagree with the war all you want, take issue with the policy, challenge me or our ground commanders on the decisions we make to accomplish the mission we've been given, but don't put those who willingly go into harm's way even further in harm's way just to satisfy your need to make a point."
"Foresight requires trustworthy information about the current state of the world, cognitive ability to draw predictive inferences and economic stability to give them a meaningful home. It's not only in Vietnam where secrecy, malfeasance and unequal access have eaten into the first requirement of foresight ('truth and lots of it'). Foresight can produce outcomes that leave all major interest groups better off. Likewise the lack of it, or doing the dumb thing, can harm almost everyone."
Wikileaks Releases Over 75,000 Secret US Military Reports
In a bold move that probably constitutes this generation's version of the Pentagon Papers, Wikileaks has published thousands of classified documents that describe U.S. military operations in Afghanistan from 2004 to 2010.
Three media outlets received copies of these documents in advance: The New York Times, The Guardian, and Der Spiegel. These outlets have confirmed the authenticity of the reports.
The documents imply, among other things, that Pakistan's intelligence service may be assisting the Taliban despite the billions of dollars in support that Pakistan receives from the United States. In addition, as with Vietnam, things may be less encouraging than our leaders are willing to admit.
The White House has responded. Julian Assange dismissed accusations by Obama administration officials, stating that "We are familiar with groups whose abuse we expose attempting to criticise the messenger to distract from the power of the message."
"Mission Accomplished" proclaims the former President, with a big grin on his face. After spending hundreds of billions of dollars to no avail, one has to wonder who the winners are. My guess is that the answer to this question can be gleaned by scanning through annual reports of companies in the defense industry. Pay no attention to the man behind the curtain. -BB (2010-07-26)
The Top Secret America Project: The New Praetorian Class
The first time I heard the term Praetorian used, it was in a book written by former CIA agent John Stockwell. By the time you're done reading these three Washington Post articles you should have a pretty good idea what's driving all of the recent Cyberwar fear-mongering ...
Overview of Project: "'Top Secret America' is a project nearly two years in the making that describes the huge national security buildup in the United States after the Sept. 11, 2001, attacks."
Project Articles - PART 1
Part 1 - A hidden world, growing beyond control
Quotes and Comments
"The U.S. intelligence budget is vast, publicly announced last year as $75 billion, 2 1/2 times the size it was on Sept. 10, 2001."
"Because it lacks a synchronizing process, it inevitably results in message dissonance, reduced effectiveness and waste ... We consequently can't effectively assess whether it is making us more safe." - Retired Army Lt. Gen. John R. Vines
comment: So, in other words, we have no idea if all of this money is simply a gift to the private corporate interests that help build this system.
"Secrecy can undermine the normal chain of command when senior officials use it to cut out rivals or when subordinates are ordered to keep secrets from their commanders."
"In the Department of Defense, where more than two-thirds of the intelligence programs reside, only a handful of senior officials - called Super Users - have the ability to even know about all the department's activities. But as two of the Super Users indicated in interviews, there is simply no way they can keep up with the nation's most sensitive work."
"'I'm not going to live long enough to be briefed on everything' was how one Super User put it. The other recounted that for his initial briefing, he was escorted into a tiny, dark room, seated at a small table and told he couldn't take notes."
comment: This makes me wonder if the people who are supposed to be in control are actually in control? Has the system been subverted by a cabal of mid-level people who know how to firewall the boss?
Project Articles - PART 2
Part 2 - National Security Inc.
Quotes and Comments
"Out of 854,000 people with top-secret clearances, 265,000 are contractors."
"Contractors can offer more money - often twice as much - to experienced federal employees than the government is allowed to pay them. And because competition among firms for people with security clearances is so great, corporations offer such perks as BMWs and $15,000 signing bonuses, as Raytheon did in June for software developers with top-level clearances."
"A 2008 study published by the Office of the Director of National Intelligence found that contractors made up 29 percent of the workforce in the intelligence agencies but cost the equivalent of 49 percent of their personnel budgets."
"The evolution of General Dynamics was based on one simple strategy: Follow the money... Revenue from General Dynamics' intelligence- and information-related divisions, where the majority of its top-secret work is done, climbed to $10 billion in the second quarter of 2009, up from $2.4 billion in 2000, accounting for 34 percent of its overall revenue last year."
comment: As I noted earlier, if all of this funding isn't necessarily making us more secure, then who is truly benefiting from the massive intel build-up?
"In September 2009, General Dynamics won a $10 million contract from the U.S. Special Operations Command's psychological operations unit to create Web sites to influence foreigners' views of U.S. policy. To do that, the company hired writers, editors and designers to produce a set of daily news sites tailored to five regions of the world. They appear as regular news Web sites, with names such as 'SETimes.com: The News and Views of Southeast Europe.' The first indication that they are run on behalf of the military comes at the bottom of the home page with the word 'Disclaimer.' Only by clicking on that do you learn that 'the Southeast European Times (SET) is a Web site sponsored by the United States European Command.'"
comment: Widespread manipulation of public opinion is alive and well. Don't think for a minute that it's only limited to other countries.
Project Articles - PART 3
Part 3 - The Secrets Next Door
Quotes and Comments
"From the road, it's impossible to tell how large the NSA has become, even though its buildings occupy 6.3 million square feet - about the size of the Pentagon - and are surrounded by 112 acres of parking spaces. As massive as that might seem, documents indicate that the NSA is only going to get bigger: 10,000 more workers over the next 15 years; $2 billion to pay for just the first phase of expansion; an overall increase in size that will bring its building space throughout the Fort Meade cluster to nearly 14 million square feet."
"Six of the 10 richest counties in the United States, according to Census Bureau data, are in these [Fort Meade] clusters."
"Loudoun County, ranked as the wealthiest county in the country, helps supply the workforce of the nearby National Reconnaissance Office headquarters, which manages spy satellites. Fairfax County, the second-wealthiest, is home to the NRO, the CIA and the Office of the Director of National Intelligence. Arlington County, ranked ninth, hosts the Pentagon and major intelligence agencies. Montgomery County, ranked 10th, is home to the National Geospatial-Intelligence Agency. And Howard County, ranked third, is home to 8,000 NSA employees."
comment: All animals are equal. It's just that some animals are more equal than others. This is your federal tax money at work.
Responses
David C. Gompert: Acting Director of National Intelligence
Wired: "This piece is about much more than dollars. It's about what used to be called the Garrison State: the impact on society of a praetorian class of war-focused elites. Priest and Arkin call it 'Top Secret America,' and it's so big and grown so fast, that it's replicated the problem of disconnection within the intelligence agencies that facilitated America's vulnerability to a terrorist attack."
The Office of the DNI: Attempts to apologize for redundancy, mission overlap, and poor information sharing.
The Atlantic: "The culture of secrecy has fascinated observers and participants for decades. It is always deplored as a fundamental rejection of American values: citizens need reliable information in order to exercise their rights, and lawmakers cannot use the cloak of secrecy to hide their own sins. But somehow, the secrecy apparatus resists all efforts to shrink it. Presidents come and go, but secret-keepers burrow deep into the government."
Salon: "Secrecy is the religion of the political class, and the prime enabler of its corruption. That's why whistle blowers are among the most hated heretics. They're one of the very few classes of people able to shed a small amount of light on what actually takes place."
Closing Remarks
"Over the past two years, one of the most thought-provoking observations I have heard from both military and intelligence folks is this: There are probably 500 al-Qaeda members left in the Afghanistan-Pakistan region. At most, the organization may have a couple thousand people worldwide. Why do we need such a large intelligence effort - the 1,300 agencies we identified that are a part of this effort - to defeat a couple thousand people?" - Question posed by Dana Priest
Hardware-Level Malware on Dell R410s
MORE DETAILS:
1. This issue does not affect any Dell PowerEdge servers shipped from our factories and is limited to a small number of the replacement motherboards only which were sent via Dell's service and replacement process for four servers: PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410. The maximum potential exposure is less than 1% of these server models.
2. Dell has removed all impacted motherboards from the service supply. New shipping replacement stock does not contain the malware.
3. The W32.Spybot worm was discovered in flash storage on the motherboard during Dell testing. The malware does not reside in the firmware.
4. All industry-standard antivirus programs on the market today have the ability to identify and prevent the code from infecting the customer's operating system.
5. Systems running non-Microsoft Windows operating systems cannot be affected.
6. Systems with the iDRAC Express or iDRAC Enterprise card installed cannot be affected.
7. Remaining systems can only be exposed if the customer chooses to run an update to either Unified Server Configurator (USC) or 32-bit Diagnostics.
RELATED: Richard Bejtlich calls out Dell to step up their game with regard to how they handled the incident.
I have to admit, this story really caught my attention.
"We have identified a potential issue with our service mother board stock, like the one you received for your PowerEdge R410, and are taking preventative action with our customers accordingly. The potential issue involves a small number of PowerEdge server motherboards sent out through service dispatches that may contain malware. This malware code has been detected on the embedded server management firmware as you indicated."
It will be interesting to see how this story unfolds. How did the malware find its way into the firmware? Who was responsible? Will we ever know? How can you protect yourself from this sort of subversion, especially on a tricked-out machine that only the OEM truly understands? -BB (2010-07-21)
NPR Reports on Cyberwarrior Shortage
Years ago, when the debate over offshore outsourcing took center stage, we were told that high-tech corporations were simply following their financial prerogatives by finding new ways to stay competitive in the free market economy. Never mind the long-term strategic costs that would come back to haunt us years later when the countries we shipped our jobs off to started to catch up with us. Naturally, many students saw the writing on the wall and pursued work in other fields. Why take out all of those student loans and devote years of your life preparing for a job that's headed overseas?
This "shortage" of computer security talent: we did it to ourselves. It's a symptom of a much larger problem. The unpleasant truth is that our leaders have willfully allowed this state of affairs to develop. This is because they're beholden to a powerful group of business interests that have no real sense of obligation to the U.S. as a country. Strictly speaking, the multinationals exist to generate value on behalf of their shareholders, whoever they may be.
Furthermore, I would contend that the free market argument is nothing more than an ideological ploy that's brought into discourse whenever it happens to be convenient. What exists in our society is a thinly veiled double standard. Unemployed workers can be sternly lectured by drug-addled radio commentators on the advantages of self-reliance. But for large corporations that need to be bailed out or benefit from wars based on imaginary weapons of mass destruction, the welfare state must thrive to the tune of hundreds of billions of dollars.
To see where this trend is going to take us, I would start by reading a book published by the Cornell University Press (a notably conservative institution) entitled The State of Working America. If you want to extrapolate even further, research the origins of the term "Plutonomy."
Though free market advocates ridicule protectionist measures as decidedly un-American, Intel's former CEO Andy Grove has a few words of his own to offer:
"I fled Hungary as a young man in 1956 to come to the U.S. Growing up in the Soviet bloc, I witnessed first-hand the perils of both government overreach and a stratified population. Most Americans probably aren't aware that there was a time in this country when tanks and cavalry were massed on Pennsylvania Avenue to chase away the unemployed. It was 1932; thousands of jobless veterans were demonstrating outside the White House. Soldiers with fixed bayonets and live ammunition moved in on them, and herded them away from the White House. In America! Unemployment is corrosive. If what I'm suggesting sounds protectionist, so be it."
-BB (2010-07-21)
WSJ: Raytheon Wins $100 Million Classified Contract
According to an article written by Siobhan Gorman in the Wall Street Journal, Raytheon Co. has been awarded a $100 million classified contract to perform initial work on a program called "Perfect Citizen." Note that Gorman is relying on information received from "a person familiar with the project." This report claims that Perfect Citizen is a surveillance program intended to detect cyber attacks on organizations that maintain our critical infrastructure. Both the NSA and Raytheon declined to comment.
Reuters has also looked into this development. They quote an NSA spokesman who claims that "This is a research and engineering effort... there is no monitoring activity involved, and no sensors are employed in this endeavor." Other than that, both the NSA and Raytheon are very tight-lipped about the contract itself.
The Reuters article points to a speech given by Secretary of Defense William Lynn, where Lynn states that "more than 100 foreign intelligence organizations are trying to break into U.S. systems."
What this seems to confirm is that the actual threats we face are related to espionage and cybercrime. I think it's pretty safe to assume that nation-states spy on each other, and that espionage has been going on for centuries. Furthermore, I bet we're neck deep in our own efforts when it comes to compromising systems in other countries, and so it strikes me as odd that people are so shocked when we happen to be on the receiving end.
The gilded hyperbole of cyberwar exists partially because certain contracting companies, consulting firms, and federal agencies know that they stand to benefit from the spotlight that's been put on the Internet. They know that with the right amount of fear-mongering they can steer some of the resulting federal funding their way. -BB (2010-07-10)
RELATED:
Is Espionage an act of War?
While government officials, and former government officials, stoke the flames of hysteria, it's reassuring to occasionally hear a measured voice of dissent. I'm speaking of Bruce Schneier's recent op-ed piece on CNN. Schneier states:
"Cyberspace has all sorts of threats, day in and day out. Cybercrime is by far the largest: fraud, through identity theft and other means, extortion, and so on. Cyber-espionage is another, both government- and corporate-sponsored. But we're not fighting a cyberwar now, and the risks of a cyberwar are no greater than the risks of a ground invasion."
Based on the relative frequency of cybercrime and espionage, I would agree with him. These are the clear and present dangers. As Schneier points out, what cyberwar advocates tend to do is to lump everything together such that occurrences of espionage suddenly become acts of war. If that's the case, then it's safe to say that we're currently at war with half of the developed world, including our allies (and we have been for decades). For example, Schneier observes:
"Recent news articles have claimed that China declared cyberwar on Google, that Germany attacked China, and that a group of young hackers declared cyberwar on Australia. (Yes, cyberwar is so easy that even kids can do it.) Clearly we're not talking about real war here, but a rhetorical war: like the war on terror."
Though, I would add that, because attribution is such a basic issue, we may never know who was behind the attacks on Google. It could very well have been another nation-state using anti-forensic technology. For the time being, we only know that the attacks originated from China. I think that this is an important point.
So why all of the hyperbole? Why all of the semantic acrobatics? Why all of the doomsday Cassandras? According to Schneier:
"It's about who is in charge of cyber security, and how much control the government will exert over civilian networks. And by beating the drums of war, the military is coming out on top."
Let's not forget all of those defense contractors and consulting firms that stand to make a tidy profit if the government decides to steer tax dollars in their direction. It's been well documented that these organizations have been bolstering their cyber divisions in anticipation of a windfall.
Instead of giving control of the Internet over to the military, Schneier advocates leveraging existing peacetime institutions that can be moderated by the judicial system and legal protections. I would also recommend that we focus on the core vectors that facilitate these attacks to begin with: like insecure software. -BB (2010-07-07)
UPDATE: Richard Bejtlich does us the service of referencing a formal definition.
Comments on The Economist, July 3rd - 9th, 2010 Issue
The inevitable occurred this week as The Economist broached the topic of cyberwar with a couple of articles in its July 3rd issue. Note the dramatic mushroom cloud and the intimations of mass destruction. The first article concludes that "countries should agree on more modest accords, or even just informal 'rules of the road' that would raise the political cost of cyber-attacks." It also makes vague references to "greater co-operation between governments and the private sector."
When attribution is a lost cause (and it is), international treaties are meaningless because there's no way to determine if a participant has broken them. The second recommendation is even more alarming because it's using a loaded phrase that, in the past couple of years, has been wielded by those who advocate Orwellian solutions.
The following article is a morass of conflicting messages. It presumes to focus on cyberwar, yet the bulk of the material deals with cybercrime and run-of-the-mill espionage. Perhaps this is because the author is grasping for examples to impress the reader with. Then there's also the standard ploy of hypothetical scenarios: depicting how we might be attacked and what the potential outcome of these attacks could be. The author shows his true colors in closing when he concludes with the ominous warning that terrorists "prefer the gory theatre of suicide-bombings to the anonymity of computer sabotage...for now."
What disturbs me the most is that The Economist never goes beyond a superficial analysis of the topic to examine what's driving all of the fear, uncertainty, and doubt. Perhaps that would be dysfunctional, as it might lead the press to investigate itself. To help shed light on what's taking place in the body politic, I've decided to release my Lockdown 2010 white paper and slide deck. Read through this material and then go back and re-visit the articles in The Economist. -BB (2010-07-03)
White Paper: Manufacturing Consent & Cyberwar
Slide Deck: Manufacturing Consent & Cyberwar
RELATED: A NYTimes article detailing proposed "solutions," including Howard Schmidt's "voluntary trusted identity" system and Vinton Cerf's internet driver's license.
Dueling Banjos
Charlie Miller: "It would take two years and cost less than 50 million dollars a year to prepare a cyberattack that could paralyse the United States."
Bruce Schneier: "It's very easy to invent scare scenarios but this does not mean we should actually be scared by them."
Comments: These statements were made at a conference in Estonia that was organized by the NATO-accredited Cooperative Cyber Defence Centre of Excellence. This should tell you a few things right away.
The threat of cybercrime is real, just read the articles in Below Gotham's News section. Cyberwar, however, is more likely a pretext. The ultimate question is what can we do to protect ourselves from the former and insulate ourselves from the fear-mongering agenda of the latter?
As Estonian President Toomas Hendrik Ilves noted on the opening day of the conference: "we lack clear attribution to any political entity; we lack a response doctrine to apply were we to know who committed the aggression." This is a central issue that will define the debate that follows. I think that Richard Clarke may have touched a nerve when he started talking about regulating the software industry. -BB (2010-06-19)
Clarke Points a Finger at Microsoft
Microsoft: "Don't regulate security in the software industry, don't let the Pentagon stop using our software no matter how many security flaws it has, and don't say anything about software production overseas or deals with China."
This isn't anything new to us folks who slog away in I.T. oblivion. What's interesting is that someone high up finally got the nerve to acknowledge the truth. Until we hold software vendors liable, we can expect the same lip-service that self-regulation has generated in the past. There are some public goods that the free market simply cannot generate. -BB (2010-06-10)
Fear and Loathing at Lockdown 2010
In mid-July our frontman, Bill, will be headed to the Midwest to talk about manufacturing consent and the gilded hyperbole of cyberwar. He's been invited by the folks who run Lockdown 2010 at UW. -Rick James (June 3, 2010)
Intel Myths
David Cornwell, also known by the pen name John le Carré, worked for both MI5 and MI6 before he retired in 1964 to focus on writing. His literary depiction of intelligence work is in stark contrast to the romantic stereotype promulgated by actors like Sean Connery and Pierce Brosnan. In what may be his best novel to date, The Spy Who Came in from the Cold, he uses the main character as a means to comment on the nature of his earlier profession:
"What do you think spies are: priests, saints and martyrs? They're a squalid procession of vain fools, traitors, too, yes; pansies, sadists and drunkards, people who play Cowboys and Indians to brighten their rotten lives. Do you think they sit like monks in London, balancing the rights and wrongs?"
When spies come in from the cold they often have trench-level insights that differ sharply from popular conceptions. Take Philip Agee's 1978 book entitled Dirty Work: The CIA in Western Europe, where he dispels several myths about the Central Intelligence Agency. For example:
Myth: The major problem is lack of control; that is, the CIA is a "rogue elephant."
"As former Secretary of State Kissinger told Representative Otis Pike's Intelligence Investigating Committee, 'Every operation is personally approved by the President.' ... Successive administrations - together with American-based multinational corporations - have continually demanded the freest possible access to foreign markets, labor, agricultural products, and raw materials. To give muscle to this demand for the 'open door', recent presidents have taken increasingly to using the CIA to strengthen those foreign groups who cooperate - and to destroy those who do not."
On Recruiting Spies
On the surface, this is just another glossy article put out by a university's PR department. But there are actually a couple of interesting nuggets embedded in this alumnus biography. For example, while most of the books that I've read seem to indicate that intelligence agencies draw primarily on the military to fill positions, my own experience is that agencies like the CIA also tend to attract people who possess what might be seen as unconventional backgrounds. Sometimes these are the best hires (Fidelity's Peter Lynch was a philosophy major as an undergraduate). Sulick has both components in his background; he served in the Marines and spent years in academia studying Russian literature.
Note Sulick's recruitment tactic: "Foreigners, certainly Russians who were my main target, are proud of their literature and are proud when a foreigner knows something about it. When you discuss literature with somebody, they reveal much about themselves."
If Sulick's career trajectory is any indication, it's my guess that twenty years from now the director of the CIA's Clandestine Service will be someone who's completely fluent in Farsi and Mandarin. Perhaps they will have analyzed the Persian translation of Shuǐhǔ Zhuan. -BB (2010-05-28)
Joe Riggins: Don't be a Know-It-All
Wednesday at CEIC 2010 I sat in on Joe Riggins "Spy vs. Spy" presentation, which focused on the vagaries of the insider threat. Joe did a commendable job of maintaining our attention with a series of war stories. My personal favorite involved an engagement where a team from Guidance was inspecting a machine that processed credit card transactions. It had five (count them: five) different remote desktop applications installed on it. As it turned out, the server was managed by a number of administrators who couldn't agree on a standard package; definitely a case of too many cooks in the kitchen.
Joe also reported that organized crime elements in Russia are now making more money off of credit card fraud than the Colombian crime lords are making off the drug trade. Now that's one hell of a statement! While I'd like to know where he got that information, I wouldn't necessarily be surprised if it was true.
Finally, Joe hinted at where security software vendors will be headed to expand their market space: intelligent mobile devices. -BB (2010-05-28)
Rootkit Arsenal Discount Flyer
After my talk at CEIC 2010, a couple of people asked me where they could pick up a copy of The Rootkit Arsenal. The publisher (Jones and Bartlett) is offering copies at a discount. See the above link for details. -BB (2010-05-28)
Richard Clarke's Book Reviewed By The New York Times
More cyberwar doom and gloom. Who can come up with the best movie script? Mike McConnell or Richard Clarke? - BB (2010-04-28)
Cryptome's John Young adds his two cents:
"Pity Kakutani [book review author], dim-wittingly flogging for two highly paid promoters of cyber pearl harbors. Cybersec, a favorite DC scam spreading around the globe, meanwhile all govs and coms working together are going full speed at spying on cyber users, as ever, for racketeering national security. What the racketeers want is perfect cybersecurity for their trashing that of everyone else."
SOURCE Boston 2010 Post-Game Wrap-up
The demands of my job prevented me from staying for more than a day, so I sat in on a couple of presentations on the 22nd. Perhaps that's a good thing, as my mere presence tends to attract black helicopters and clean cut fellows talking into their sleeves. All told, Stacy Thayer and her SOURCE co-conspirators did an admirable job of managing the flow of people and events. The weather was balmy, the lobster was fresh, and (best of all) the Seaport Hotel, where the event took place, was a $2 bus ride from Boston Logan International. -BB (2010-04-23)
Assurance at Oracle
Mary Ann Davidson is a suit that doesn't sound like a suit. This is definitely a mark in her favor. During her presentation she described how Oracle is trying to build assurance into its products. She said that it isn't so much about establishing a brigade of security police as it is about putting the requisite expertise into development so that engineers do the right thing to begin with. Prevention beats detection, so to speak. Davidson observed: "My goal in life is to be out of a job."
Opting Into Surveillance
By far, this was the highlight of the day. Moxie Marlinspike offered an insightful look at how small choices about the technology we use can end up being big choices that impact our ability to participate in society. His delivery was crisp and very entertaining. Why mandate telescreens when you can solicit people to voluntarily be monitored? Who needs TIA when we have Google? Who knows more about their local population: Kim Jong-Il or Google? (Hint: it's not Kim Jong-Il).
I was in the front row taking notes and midway through the talk he came rushing over to where I was seated. At that very moment, I had visions from the movie The Manchurian Candidate flashing through the back of my mind. The Man was finally going to dispatch me with a deep cover plant. Lucky for me, Moxie just wanted a glass of water. "I should have planned ahead," he muttered under his breath.
The Current State of Metasploit
HD was back, and this time he was wearing a suit and a bit more formal in his manner. Hey, give the guy a break, he's a father now. With the blessings of the demo gods, HD managed to pack two hours of material into a 60-minute period. As things stand now, Metasploit has attained the 100,000 LOC mark in light of full-time QA and an accelerated release cycle. He also showed off a slick GUI interface and talked about the Express version's price tag (somewhere around $3K). I think what I appreciate the most was his side-comment that the presentation basically amounted to a thinly veiled sales pitch.
Doing Away With Anonymity
This past week, experts met at a Russian-sponsored security conference in Germany.
"During a panel discussion on computer crime, Col. Gen. Boris N. Miroshnikov, an official with the Russian Interior Ministry, and Stewart A. Baker, a fellow at the Center for Strategic and International Studies in Washington, and the former chief counsel for the National Security Agency, agreed that the most important step in combating Internet crime would be to do away with the anonymity that has long been a central tenet of Internet culture."
As Dan Geer has observed: "If the tariff of security is paid, it will be paid in the coin of privacy."
As Cryptome has observed: "There it is: spies oppose anonymity for anyone except their own criminal operators, winking, 'do what we say not what we do.'"
My thoughts: It's dangerous to install the machinations of a totalitarian state and then simply assume that it will never come to that. There was a time, not so long ago, when social security cards were printed with the caveat that they were not to be used for purposes of identification. -BB (2010-04-17)
RELATED: According to Lt. General Keith Alexander, the impact of new security technology on Internet privacy is classified.
Enter: QubesOS
Notable researchers Joanna Rutkowska and Rafal Wojtczuk (from Invisible Things Lab, aka ITL) have released an open source OS that uses virtualization technology to implement security through isolation. Given the architect's reputation with rootkit technology, who else would you trust to offer a secure platform? -BB (2010-04-07)
Shadows in the Cloud
This investigation is a result of a collaboration between the Information Warfare Monitor and the Shadowserver Foundation. It examines "a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries."
As usual, attribution is an issue. The true identity of the attackers is unknown. -BB (2010-04-06)
The War on WikiLeaks Continues
"At exactly the time when U.S. government secrecy is at an all-time high, the institutions ostensibly responsible for investigation, oversight and exposure have failed. The American media are largely co-opted, and their few remaining vestiges of real investigative journalism are crippled by financial constraints. The U.S. Congress is almost entirely impotent at providing meaningful oversight and is, in any event, controlled by the factions that maintain virtually complete secrecy."
The CIA document that this article links to is particularly disturbing. Basically, it confirms my suspicion that leaders often depend on voter apathy and manipulate the local population to manufacture consent. It will be interesting to see how things unfold in Iceland. - BB (2010-03-29)
After All These Years: Zero-Day Exploits Persist
Hats off to Peter Vreugdenhil, who bypassed both ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) as part of his bid to compromise IE8 at this year's CanSecWest. Well played, Peter.
RELATED: The renowned Charlie Miller also demonstrated his superior Black Hat Gong Fu with a Safari hack.
...One tends to wonder how much a fellow like Charlie could make on the open market by selling exploits to the people behind the current generation of APTs? This is literally the sort of technology that can make or break a covert operation. In my opinion, guys like Charlie are worth their weight in plutonium. -BB (2010-03-25)
The Cyber War Has Not Begun
In this essay, James Lewis states that: "Expanded attention to cybersecurity is a good thing, but it seems that it is difficult to discuss this topic without exaggeration. We are not in a 'cyber war.'"
Yet, this doesn't seem to have stopped people from using the term to encourage the sort of hysteria that leads to heavy federal spending. In my opinion, we need to be focusing on cybercrime, not cyberwar. - BB (2010-03-19)
Propaganda Aimed at WikiLeaks
When the New York Times publishes a story on you, you've definitely gotten someone's attention. Perhaps this is what happens when you release an unclassified copy of the "standard operating procedures" at Guantánamo Bay. Recently Wikileaks published an Army Counterintelligence analysis of the threat posed by Wikileaks. The report concludes:
"Wikileaks.org uses trust as a center of gravity by assuring insiders, leakers, and whistleblowers who pass information to Wikileaks.org personnel or who post information to the Web site that they will remain anonymous. The identification, exposure, or termination of employment of or legal actions against current or former insiders, leakers, or whistleblowers could damage or destroy this center of gravity and deter others from using Wikileaks.org to make such information public."
The report also speculates that Wikileaks may be supported by the CIA. As the accusations fly, and the water becomes ever more muddied, one is left to ponder who's telling the truth. Now you know why spies refer to their professional environment as the "hall of mirrors." -BB (2010-03-18)
Military Propaganda Techniques
Come see the tradecraft of the grand rumor mill. This excellent compilation of tactics is based upon "Appendix I: PSYOP Techniques" from "Psychological Operations Field Manual No. 33-1," published by Headquarters, Department of the Army, in Washington DC, on 31 August 1979.
UPDATE: To witness a classic example of this sort of manipulation, there's an article you can view online in Monday's WSJ. When it comes to overt, state-sponsored, propaganda on a large scale, China really excels. According to the WSJ's report:
"Chinese news Web sites have also been told they will be required to use only official accounts of the situation if Google.cn is closed... It's not uncommon for propaganda authorities in China to give orders dictating the nature of news coverage on sensitive issues where they fear dissent. The fact that authorities have decided that Google's situation should get that treatment suggests they know that many Chinese Internet users, tens of millions of whom are Google users, don't see things the same way the government does."
...Beware the Ides of March. -BB (2010-03-15)
RELATED: speaking of propaganda, check out the FBI's stern warning and the recent WhiteHouse "leak". -BB (2010-03-05)
The Big Haircut
Another remark that Robert Baer makes in the WSJ piece mentioned earlier is that "The art of assassination, the kind we have seen over and over again in Hollywood movies, may be as passé as killing people by arsenic or with a garrote. You just can't get away with it anymore."
This led to some lively banter among members of the lab this evening. OK, guarded by a phalanx of bodyguards and custom armored vehicles, how would one world power decapitate another nation state?
According to Colonel Stanislav Lunev, a Russian military officer who defected to the United States, the GRU planned to employ suitcase nukes to take out our leadership if the need ever arose. It makes sense, I guess. Why gamble on a huge operation that allows no margin for error when all you really need to do is get a high-yield bomb within range of a capitol building?
As Baer asserted: "If it had been a Russian hit, for instance, they would have used a pistol or a car bomb, indifferent to the chaos left behind." Or, in this case, a kiloton nuclear device. -BB (2010-03-03)
Assassination Econometrics
Here's an interesting WSJ article by Robert Baer, a former CIA spook. In it, he concludes that:
"There should be a cost-benefit calculation in deciding whether to assassinate an enemy... There's certainly an argument to be made that we should have assassinated Saddam Hussein rather than invade Iraq."
This sounds remarkably similar to ideas presented by Jim Bell over a decade ago in his "Assassination Politics" manifesto. The difference is that Bell takes Baer's somewhat offhand observation and follows through with it to reach a rather novel corollary.
"Consider how history might have changed if we'd been able to 'bump off' Lenin, Stalin, Hitler, Mussolini, Tojo, Kim Il Sung, Ho Chi Minh, Ayatollah Khomeini, Saddam Hussein, Moammar Khadafi, and various others, along with all of their replacements if necessary, all for a measly few million dollars, rather than the billions of dollars and millions of lives that subsequent wars cost."
"But that raises an interesting question, with an even more interesting answer. 'If all this is so easy, why hasn't this been done before?' I mean, wars are destructive, costly, and dangerous, so why hasn't some smart politician figured out that instead of fighting the entire country, we could just 'zero' the few bad guys on the top?"
"The answer is quite revealing, and strikingly 'logical': If we can kill THEIR leaders, they can kill OUR leaders too. That would avoid the war, but the leadership on both sides would be dead, and guess who is making the decisions about what to do? That's right, the LEADERS!"
"And the leaders (both theirs and ours!) would rather see 30,000,000 ordinary people die in WWII than lose their own lives, if they can get away with it. Same in Korea, Vietnam, the Gulf War, and numerous other disputes around the globe. You can see that as long as we continue to allow leaders, both 'ours' and 'theirs,' to decide who should die, they will ALWAYS choose the ordinary people of each country."
Not to mention that large military operations are costly affairs, demanding a nontrivial infusion of taxpayer dollars. -BB (2010-03-02)
New Information on Aurora Attacks "Leaked"
The New York Times reports that "people involved in the investigation" have disclosed that the recent attacks on Google have been traced back to Shanghai Jiaotong University and the Lanxiang Vocational School.
First it's Taiwan, then it's somewhere in the mainland, who knows where things will lead to next? Perhaps Toledo, Ohio? As the NYTimes article concedes, "computer industry executives and former government officials said it was possible that the schools were cover for a 'false flag' intelligence operation being run by a third country."
Keep in mind that, for all intents and purposes, this is a leak. As Cryptome has observed:
"Leaks depend upon secrets, they thrive on each other. Leakers and secret keepers are complicit and share characteristics: both exaggerate the importance of information they process, keep secret their sources and operations."
See also:
"The business of leaks has become a racket of journalism in cahoots with governments, maybe it always was, but it got a big boost in the 1960s and 70s. Leaks of secrets are now standard operating procedure of official and unofficial secret keepers to boost their budgets and privileges and to garner public belief and best of all, coins. Secret keepers supply leaks to media to lure eyeballs for advertising hypnosis."
The danger of leaks, and the gilded hyperbole that they often employ, is that they can lead to a sort of crisis mentality that's less resistant to plans that might otherwise not stand up to logical examination. Keep people off balance for long enough, on a steady diet of fear and anger, and they'll fall right into the trap that's been set for them by the people who stoke the flames of hysteria. -BB(2010-02-19)
UPDATE (More Leaks): Joseph Menn reports that an anonymous researcher working for the US government told the Financial Times that US analysts have identified the author of code used in the Google attacks.
According to this leak, the consultant who wrote this code isn't an employee of the Chinese government and didn't launch the attack, though he did post parts of his code to an online forum.
Great. In other words they still can't prove who performed the attack. For all we know, the attackers outsourced development, or perhaps trawled the internet looking for proof-of-concept sample code. Plenty of claims with little or no solid evidence; the SOP of media leakers. -BB(2010-02-22)
You'll Just Have to Trust Us
In matters of foreign policy, one way to sideline opposition is to employ the veil of national security. When "experts" try to pull this tactic, I'm reminded of a lecture that a former CIA officer named John Stockwell gave back in 1987. Stockwell, a Major in the Marine Corps who served on the subcommittee of the National Security Council as chief of the CIA's Angola Task Force, noted that:
"It's a very powerful argument, our presidents use it on us. President Reagan has used it on the American people, saying, 'if you knew what I know about the situation in Central America, you would understand why it's necessary for us to intervene.'"
When he questioned his superiors, they assured him that he should just focus on doing his job, that there were wise men in DC sitting in the National Security Council who had access to all the necessary information, who could see the big picture and make the tough decisions. After toiling for years in the field, Stockwell came in from the cold and was rewarded with the opportunity to peek behind the curtain. According to Stockwell:
"What I found, quite frankly, was fat old men sleeping through sub-committee meetings of the NSC in which we were making decisions that were killing people in Africa. I mean literally. Senior ambassador Ed Mulcahy... would go to sleep in nearly every one of these meetings...."
Stow this away somewhere in a far cranial recess, so that as the indictments fly over who is doing what to whom in the new cyber cold war (and why), you can maintain a semblance of objective equilibrium.
HBGary Releases Report on Aurora Malware
This is a fairly comprehensive summary of what's been released to the public so far. HBGary has also developed a tool that can remotely scan Windows machines for the Aurora code and remove it. With regard to identifying the ultimate source of the attacks, the report states:
"At this time, there is very little available in terms of attribution. A CRC algorithm tends to indicate the malware package is of Chinese origin, and many attacks are sourced out of a service called 3322.org, a small company operating out of Changzhou. The owner is Peng Yong, a Mandarin speaker who may have some programming background with such algorithms. His dynamic DNS service hosts over 1 million domain names. Over the last year, HBGary has analyzed thousands of distinct malware samples that communicate with 3322.org. While Peng Yong is clearly tolerant of cyber crime operating through his domain services, this does not indicate he has any direct involvement with Aurora."
Greg Hoglund, the company's CEO (and the godfather of Windows rootkits), recently acknowledged: "there's no hard evidence anywhere that shows that China's government has anything to do with it." Truth is, regardless of what the headlines in the mainstream media imply, we don't know yet who's responsible (though we can definitely speculate). If there's one lesson that I took from Black Hat DC last week it's that attribution on the Internet is problematic. -BB(2010-02-11)
China Toughens Cyber Laws?
Sort of ironic, given the recent NYTimes article on state-sponsored hacking. Then there's the TimesOnline report that quotes officers who believe that they should strengthen their military until China is "strong enough for a hand-to-hand fight with the US."
Talk about mixed messages. Pay no attention to the man behind the curtain. -BB(2010-02-07)
Black Hat DC 2010 Postgame Wrap-Up
Jeff Moss kicked off this year's Black Hat DC by observing that we'll probably never be able to completely eliminate cyber attacks, and because of this perhaps we should follow Israel's example and work on improving our response capabilities. He also mentioned the issue of attribution, my current pet peeve given all the media coverage that cyber-attacks have been getting.
Next up was keynote speaker Greg Schaffer, Assistant Secretary for Cyber Security and Communications. According to Moss, he's the highest ranking DHS official to ever speak at Black Hat. It was obvious he was up there: lots of abstract references to "spaces" and "practices." Though, I did appreciate his observation that, in the age of worldwide connectivity, every unprotected node is a potential threat. This sort of reminded me of Richard Bejtlich's "Protect The Data" blog entry.
The Joys of Whack-A-Mole
The first session I attended was hosted by a panel of speakers, including the director of Network Abuse at GoDaddy.com. The underlying message (one which Joseph Menn would echo later on the same day) was that going after offenders isn't horribly effective because law enforcement doesn't work that well in an international environment. In so many words, Russia and China don't do squat (and in some cases may actually be shielding offenders). To add insult to injury, when organizations like GoDaddy suspend domains, they end up getting lawsuits thrown at them. Granted no one's ever been successful, but still it's expensive to go through all of the legal steps to get each lawsuit thrown out.
Don't Worry: It's An Art Project
Joe Grand offered an informative discussion on how to cross over to the hardware side of hacking. A lot of what he touched on (e.g. the emergence of small-scale collaboration and outsourcing) reminded me of an article that appeared a while back in Wired Magazine about the rise of DIY.
Let's Go On A Boar Hunt!
If a Russian chief of police and his henchmen invite you to go hunting late at night after several rounds of vodka, lock yourself in your room and don't open the door for anyone. In this talk, Financial Times journalist Joseph Menn offered highlights from his recently published book "Fatal System Error." All told, Menn paints a pretty ominous picture. Though attribution is possible, it's very (very) resource intensive. Couple this with the fact that Russian authorities seem to be protecting high-level offenders. Menn suggests that we start over because, as things stand now, there's no way to impose rule of law on the internet.
Black Hat DC 2010: Day 02
It's Greece All Over Again
The caveat of implementing wiretapping functionality in a network infrastructure, AKA Lawful Intercept, is that it can be turned against the people it was originally intended to help. The Athens Affair is a well known example of this. In this session, IBM's Tom Cross examined flaws in Cisco's lawful intercept facilities.
White Hat Hacker Mindset
Though I can relate to the basic premise of this session, that the goals of the average pen tester are constrained (and perhaps artificial), I disagree with the speaker's claim that "In general using rootkits to maintain control is not advisable or commonly done by sophisticated attackers because rootkits are detectable."
Stealth technology is part of the ongoing arms race between Black Hats and White Hats. To dismiss rootkits outright implies that this arms race is over (and I assure you, it's not). I suspect that Greg Hoglund, Jamie Butler, Holy Father, Joanna Rutkowska, and several defense contracting agencies would all agree. By definition, the fundamental design goal of a rootkit is to subvert detection.
Always Have a Good Lawyer
The grand finale of this year's Black Hat DC was a session led by HD Moore. This guy, HD, is a geek's geek; a man whose mind is working so fast that the words tumble out of his mouth like a 10 GB text file streaming to stdout. He gave the audience a personal history of the Metasploit project and some interesting insights into what can happen when the suits get involved. Congrats on the baby HD!
NOTE: I've put up the slides and white paper for my presentation.
Government Agencies Vie for Zero Day Exploits
Here's a story you don't read about every day... -BB(2010-01-29)
"There's also another, highly secretive market for zero days [exploits]: U.S. and other government agencies, which vie with criminals to offer the most money for the best vulnerabilities to improve their military and intelligence capabilities and shore up their defenses.
TippingPoint's Amini said he has heard of governments offering as high as $1 million for a single vulnerability ...a price tag that private industry currently doesn't match.
Little is publicly known about such efforts, and the U.S. government typically makes deals through contractors, Amini said. Several U.S. government agencies contacted by The Associated Press did not respond to requests for comment.
One researcher who has been open about his experience is Charlie Miller, a former National Security Agency analyst who now works in the private sector with Independent Security Evaluators. Miller netted $50,000 from an unspecified U.S. government contractor for a bug he found in a version of the Linux operating system."
Oil Companies Targeted
UPDATE: The Register has called out the mainstream media on China's connection with the recent Google attacks: "If proof beyond a reasonable doubt is good enough in courts of law, shouldn't it be good enough for relations between two of the world's most powerful countries?"
The Christian Science Monitor reports that Marathon, ExxonMobil, and ConocoPhillips appear to have suffered at the hands of an Advanced Persistent Threat (APT). The attacks, which took place in 2008, targeted "bid data" which details the potential value of oil-bearing land.
The use of custom tools and spear-phishing hints at the involvement of skilled teams. At the same time, I'll admit that it's refreshing to note that the experts cited in this article have the integrity to admit that attribution is a fundamental problem, forgoing the urge to shout out accusations:
"A simple thirst for oil is no proof that a country is conducting corporate espionage. Even the suggestion, contained in one of the documents, that some data had flowed from a ConocoPhillips computer to a computer in China could have been the result of some other nation's cyber-spy unit co-opting Chinese servers to cover their tracks, experts say. Lee and other specialists admit that it will be difficult, and perhaps impossible, to ever determine definitively who was behind the attacks."
Read that last sentence carefully, and repeat it to yourself over the next few months. -BB(2010-01-26)
Fear and Loathing at SOURCE Boston 2010
In April, our spiritual fixer (Bill Blunden) will infiltrate the home of the Red Sox to speak at the SOURCE Boston conference. His talk will touch on the futility of disk-based forensic analysis. Presentation date TBA. -R. James (Jan. 23, 2010)
Rootkit Envy
About now, I suppose that the engineers who designed the payloads used in the attacks on Google (whoever they may be) are wishing that the stealth technology and anti-forensic measures that they employed were half as good as those that U.S. intelligence agencies use. -BB(2010-01-19)
The China Syndrome - Updates
UPDATE: Metasploit has released a module that utilizes the IE exploit mentioned below.
UPDATE: Code used in the Google attack is now available.
UPDATE: McAfee offers more details about the attack. Also, there's a CNET article that provides additional backdrop.
UPDATE: A newsflash from Reuters reports that the United States has backed Google's decision to end its support for censorship in China. An official from the Chinese government responded that all foreign companies are expected to abide by Chinese law.
Microsoft's CEO, Steve Ballmer, is anything but sympathetic:
"I don't understand how that helps us, and I don't understand how that helps China... There are attacks every day. I don't think there was anything unusual, so I don't understand."
I would agree that attacks happen every day. However, I think that the level of expertise demonstrated by the attackers, and the precise nature of the intrusions, warrants a certain amount of attention (especially when one of the targets is a high-profile corporation that publicly flaunts the intelligence of its employees).
Perhaps China doesn't want "help?" Perhaps they'd like this whole thing to blow over so that they could get back to business as usual. - BB (2010-01-15)
The China Syndrome: "Highly Sophisticated/Coordinated Attacks"
Big names like Google and Adobe have recently announced that they've been hit by precision-guided cyber attacks. According to the WSJ, Google and Adobe were among dozens of companies that the attackers targeted. Based on Google's response, it would appear that they believe the intrusions to be state-sponsored. I can almost hear Eric Cartman (screw you guys, I'm going home).
For those readers interested in the "how" of the attacks, this article from Wired magazine offers a number of details. Consultants from iDefense leaked specifics that Google has declined to confirm.
Though there seems to be a political angle to the Google attack, one thing's for sure: theft of intellectual property can offer a huge return on investment. Just ask Vladimir Kryuchkov, former KGB Chairman:
"Intelligence is probably the most profitable structure in the country. It pays its expenses with dividends. One single operation, concerning outer space, pumped 500 million dollars into our economy."
Hell, even Ugly Betty isn't safe! (The Chinese knock-off is a show called "Ugly Wudi")
Russian Security Firm Releases Exploits
Evgeny Legerov, of the Moscow-based company Intevydis, explains why he thinks responsible disclosure is flawed and why Intevydis is releasing a series of zero-day exploits:
"We do not support it [responsible disclosure]. Because it is enforced by vendors and it allows vendors to exploit security researchers to do QA work for free."
"You, ABCD company, making N millions per year selling your buggy XYZ product all over the world, why are you asking to give the results of the hard work during many years for free? Instead of wasting your and our time, wouldn't it be better to allocate resources to enforce good coding practices for all your amateur software developers?"
Offensive Technology in CS Programs
This morning the New York Times published a story detailing how American universities are scrambling to develop academic programs that focus on computer security:
"Banks, military contractors and software companies, along with federal agencies, are looking for 'cyber ninjas' to fend off a sophisticated array of hackers, from criminals stealing credit card numbers to potential military adversaries."
Here's a question: how many of these newly minted programs give their students first-hand experience creating offensive (e.g. malicious) software? The Times article mentioned an MS program in cyber-security offered by NYU-Poly. I checked out the curriculum of this program and didn't see anything remotely resembling a course on malware design. Why are institutions in other countries, like Canada and Finland, able to offer such courses? Furthermore, will this state of affairs put the U.S. at a long-term strategic disadvantage?
The best way to construct an effective defense is often through direct exposure to offensive technology (why should the bad guys be the only ones with the requisite know-how?). If we fail to encourage an open discussion of malware analysis and development in academia, we'll end up in a position where we're constantly playing catch-up with the Black Hats. Given the steady rise of cyber-crime over the past few years, this is not somewhere that the United States will want to be. -BB (2010-01-04)
Dry Rot And The Internet
A termite infestation is one of the most insidious and destructive predicaments that a wood-framed structure can face. Infestations typically start in some obscure corner, well out of sight, and spread silently, inch-by-inch, over the course of years. Colonies can number into the millions, using a decentralized swarm intelligence that's self-organizing. By the time the owner becomes aware of the problem it's often too late: the integrity of the entire building has been compromised.
Now imagine this scenario played out by a state-sponsored botnet that's employing a bare-metal rootkit to fly below radar level; perhaps the result of a hardware vendor cooperating with an intelligence agency to embed stealth technology at the circuit level. The infestation could occur over the span of several years, as the botnet spreads to hundreds of millions of hosts using a decentralized peer-to-peer swarm intelligence that relies on a carefully designed covert channel. The botnet could sit dormant (in a manner similar to Conficker), a massive sleeper cell that exists only to propagate, waiting for the order to wake up in the event of World War III. Or it could work to progressively corrupt data, instituting alterations until even the backups of backups are bad.
What would happen if the circuit-level backdoor were discovered by other nation-state players and unleashed against its maker? According to researchers that I've spoken with, these are cyber-war scenarios that the DoD has examined.
But is this really what we need to be worried about on a day-to-day basis? Bruce Schneier says cyber-crime is the real threat (and I would agree with this). Though, he also pointed out in a 2005 essay that:
"The countermeasures aimed at preventing both cyberwar and cyberterrorist attacks will also defend against cybercrime and cybervandalism. So even if organizations secure their networks for the wrong reasons, they'll do the right thing."
This is akin to NASA's Apollo program, which yielded a number of technological advances as a byproduct of our ultimate goal of landing on the moon. So, even if we never actually made it to the moon, the effort would have been worth it in the long run. -BB (2009-12-30)
Open Source Anti-Virus as the Public Option
Yesterday afternoon, over lunch, a colleague of mine who was born in Hungary pointed out that the United States is the only industrialized country that doesn't provide universal health care to its citizens. Then he went on to explain how medical care was a basic human right and that society, as a whole, benefits from keeping its population in good health.
Could the same argument be made with regard to computers? Should there be a state-funded alternative (e.g. open source anti-virus) so that users could take steps to maintain the health of their systems? After all, decreasing the number of compromised machines has its benefits, right? Or would this approach just provide attackers with a better way to implement instance-specific attacks, leaving users with a false sense of security? This is one of those "dangerous ideas" that I'd encourage people to think about. -BB (2009-12-23)
Black Hat Vertical Integration
While bulletproof hosting services have proven valuable to online criminals, some groups are moving up the food chain by directly obtaining blocks of IP addresses from Regional Internet Registries (RIRs) and Local Internet Registries (LIRs). According to a posting by Kaspersky:
"Attackers who own their own large blocks of IP space have a much easier time hiding their activities than do criminals who have to go through legitimate ISPs or hosting providers. There's no abuse desk to complain to, no recourse for people who find themselves being attacked by a given range of IP addresses."
In theory, this sort of thing shouldn't happen. The problem is that in certain parts of Europe the record-keeping and oversight facilities necessary to verify applicant organizations are lacking (again, this is an infrastructure issue). A couple of years back, the Russian Business Network was able to leverage this aspect of address allocation to score a large block of IP addresses from RIPE, essentially becoming a rogue ISP.
Fear and Loathing at CEIC 2010
In May of 2010, our fearless leader (Bill Blunden) will head back to Vegas to speak at the Computer and Enterprise Investigations Conference. Anti-forensics and rootkits will likely be on the menu. Presentation date TBA. -R. James (Dec. 12, 2009)
Why Isn't China Throttling Its Malware?
Anyone who has done business in Hong Kong knows that, despite the rapid growth of mainland China, this region still has one ace up its sleeve: infrastructure, thanks to the British colonialists. Specifically, I'm talking about the legal and regulatory oversight necessary to support economic activity.
For example, if you want to buy or sell gold, it's generally less risky to do so in Hong Kong because there are substantial checks and balances in place to safeguard buyers and sellers. In fact, it's fairly common for merchants from the mainland to travel to Hong Kong to deal in gold for this very reason. Simply put, the infrastructure is better.
This reality points to basic underlying flaws in China's system. Perhaps this is to be expected, given that the current system evolved as a result of thousands of years of rule by dictatorship, in one form or another. China simply doesn't have the tradition of checks and balances that are the hallmark of a democratic society. This, in turn, may explain why the vast majority of bullet-proof internet hosting services operate out of China. -BB (2009/11/29)
U.S.-China Economic and Security Review Commission, 2009 Report
This congressional commission's report, in Section 4 of Chapter 2, concludes that:
"The direct attribution of such activities targeting the United States presents challenges due to hackers' ability to conceal their locations. Nonetheless, a significant and increasing body of circumstantial and forensic evidence strongly indicates the involvement of Chinese state and state-supported entities."
The report doesn't go into the details of exactly how we know who's attacking us. In so many words, they're saying "we just know, trust us." Boy, that sounds like a slam dunk to me! I can't help but wonder whether the actual perpetrator is simply making effective use of anti-forensics to place the blame on somebody else.
Regardless of who's culpable, the existence of state-sponsored hacking isn't necessarily earth-shaking news. As the recent 60 Minutes piece demonstrated, we're probably one of the more active players in this field. So, when other countries discover the existence of advanced persistent threats in their networks, some of the binaries that they recover can probably be attributed to us.
Fear and Loathing at Black Hat DC 2010
In late January, Bill will be navigating the beltway to speak at Black Hat DC 2010. Hopefully life in Northern California hasn't softened him up so much that he can't handle winter on the east coast. -R.James (Nov. 12, 2009)
Wired Magazine on the 60 Minutes Report
One side claims the 2007 power outage in Brazil was due to hackers and the other side dismisses it as the result of poorly maintained high voltage insulators. Who do you believe? This story from Wired reminds me of an observation that Bruce Schneier made recently.
"We tend to be poor judges of risk. We overreact to rare risks, we ignore long-term risks, we magnify risks that are also morally offensive. We get risks wrong -- threats, probabilities, and costs -- all the time. When we're afraid, really afraid, we'll do almost anything to make that fear go away. Both politicians and marketers have learned to push that fear button to get us to do what they want."
As an experiment, read through the news stories that I've collected over the past year and ask yourself which threat seems more immediate: cyberwar or cybercrime. Naturally, some people would argue that the actual threat that cyberwar represents can't be properly evaluated because much of the truly substantive evidence must be kept secret for the sake of national security... -BB (2009/11/11)
60 Minutes: Sabotaging the System
This evening I watched a piece by 60 Minutes that focused on threats to our infrastructure from computer-based attacks. While some aspects of the broadcast verged on sensationalism (which is only natural, given that 60 Minutes is trying to attract viewers on behalf of their advertisers), I was encouraged by the inclusion of points that are typically neglected when it comes to news stories like this.
For example, take the following observation made by Jim Lewis, director of the Center for Strategic and International Studies:
"We're in the top of the league. We are really good. And if you talk to the Russians or the Chinese, they say, 'How can you complain about us, when you do exactly the same thing?' It's a fair point with one exception: we have more to steal. We have more to lose. We're the place that depends on the Internet. We've done the most to take advantage of it. We're the ones who've woven it into our economy, into our national security, in ways that they haven't. So, we are more vulnerable."
Sure, our networks have been penetrated and data has been stolen. But we're not an innocent bystander here. Heck, we break into networks in other countries too, all of the time. In fact, we're pretty damn good at it. So do we, as a country, have the right to be indignant when intruders breach our security? Personally, I think embarrassment might be a better response. Obviously our offense is much better than our defense. But why does this state of affairs exist? The 60 Minutes report hinted that part of the problem has to do with the financial prerogatives of the corporations that create high-tech products. Specifically, Congressman Jim Langevin noted that:
"The private sector has different priorities than we do in providing security. Their, in a sense bottom line, is about profits. We need to change that. We need to change their motivation so that when we see a vulnerability like this we can require them to fix it."
In my opinion, instituting meaningful change is going to be difficult, as legislators will be forced to bite the hand that feeds. Don't think for a minute that all of those hi-tech lobbyists will roll over and purr if our representatives start talking about measures that might adversely impact the bottom line. Offshore outsourcing, for instance, represents a long-term threat to the technical leadership that the United States has maintained since World War II. Yet, our legislators are woefully silent when it comes to actually doing anything about it. Guess what happens when most of our hardware is manufactured in other countries because it's cheaper? According to Jim Gosler:
"We have found microelectronics and electronics embedded in applications that shouldn't be there. And it's very clear that a foreign intelligence service put them there."
Would you like some fries with that? -BB (2009-11-08)
Peter Kleissner: It's Just Technology
After presenting the "Stoned Again" bootkit at Black Hat USA 2009, Peter's then employer (Ikarus Software) asked him to resign. This is ridiculous. As Professor George Ledin of Sonoma State has pointed out, it's probably more dangerous not to have an open discussion of malware technology. It seems the AV industry would rather gag everyone and stifle external research.
Reading this Washington Post article made me think of Colonel Kurtz from the movie Apocalypse Now.
"I've seen horrors... horrors that you've seen. But you have no right to call me a murderer... you have no right to judge me."
Microsoft's (Lack of) Forensic Tools - Continued
A reader contacted us this morning to let us know that Microsoft does actually offer a forensic tool. It's a custom USB drive that ships with a suite of 150 commands. Unfortunately, Microsoft seems to limit distribution of its forensic thumb drive to law enforcement personnel.
The tool's public announcement, from 2008, can be viewed here. Microsoft's official page for this product is here.
Can You Believe It? They're Spying on Us!
Yet another vague story from the Wall Street Journal about an unnamed company that had its machines compromised by intruders who were "likely supported, if not orchestrated," by the Chinese government. Note that attribution is one of the primary issues when it comes to cyber-attacks. Recall the news stories that came out earlier this year that had legislators clamoring for retaliation. As it turned out, the reported attacks didn't come from North Korea, but from somewhere in Miami (or who knows where).
Keep in mind, dear reader, that the art of starting wars has been honed for thousands of years. Whenever I read this sort of story, I'm reminded of a particularly chilling quote from Gilbert's Nuremberg Diary that's attributed to Hermann Goering:
"Voice or no voice, the people can always be brought to the bidding of the leaders. That is easy. All you have to do is to tell them they are being attacked, and denounce the pacifists for lack of patriotism and exposing the country to danger."
Finally, just to be fair, even if this actually is the work of attackers backed by China, I'm pretty sure we're spying on China also. It's just that we're not as noisy or conspicuous when we do. -BB (2009/10/23)
The Invisible Giants
In the early 1900s, the city of Cleveland established itself as a center of economic activity. Its status was reflected by the fact that, in the wake of the Federal Reserve Act, Cleveland was chosen to host one of the Fed's twelve regional banks. The driving force behind Cleveland's ascent during this period can be traced back to the Van Sweringen brothers, who developed a railroad empire that was based in the city. The Van Sweringen brothers were elusive, low-key billionaires. One might even go so far as to say that discretion was their hallmark. They literally had a man on their payroll whose sole job was to keep their name out of the papers. The economic equivalent of a rootkit, they preferred to exercise their power indirectly from behind the scenes, with subtlety. Hence, cynics who scoff at the notion of hidden rulers and their intermediaries in the power structure might be well advised to recall a statement made by then-President Woodrow Wilson:
"A great industrial nation is controlled by its system of credit. Our system of credit is privately concentrated. The growth of the Nation, therefore, and all our activities are in the hands of a few men... We have come to be one of the worst ruled, one of the most completely controlled and dominated, governments in the civilized world, no longer a government by free opinion, no longer a government by conviction and the vote of the majority, but a government by the opinion and the duress of small groups of dominant men."
Related: Thought control in economics. A professor at Wellesley observes that "supply and demand curves only determine prices in perfectly competitive markets, which don't exist. I considered this key to my students' education, especially since mainstream economists apply the framework inappropriately so often."
We're Number 1 (Well, Sort Of)
As of 7:27am PST (2009-09-17), The Rootkit Arsenal is the #1 selling book in the Security category of the "Business & Culture" sub-section of the "Computers & Internet" section at amazon.com. Though, strictly speaking I think I should point out that with its overall sales ranking of 8,399 the book is hardly the most popular technical book at amazon.com. My suspicion is that books are assigned to these carefully delineated groups for marketing purposes. Ahem. Anyway, having put this into context, I'd like to extend my thanks to everyone who's read the book and also to my cohorts here at Below Gotham Labs. Keep those e-mails coming. -BB
State-Sponsored Rootkits
Recently, a professional malware developer who worked for ERA IT Solutions (a commercial software company that supplies security tools to the Swiss government) released VoIP monitoring code to the public. That's right, you heard correctly: there are professional software engineers actively designing malware on behalf of national governments.
Security through obscurity may not be an impenetrable shield but it is a barrier, and not always a trivial one. Results that might take an independent lab several months of excruciating reverse engineering might only take a few days for a lone engineer who happens to possess the necessary design documents and specifications. Having the cooperation of OEMs and software vendors can make the difference between a buggy proof of concept and a robust, production-quality, implementation with all the bells and whistles. This is because effort that otherwise would be spent isolating magic numbers and decomposing obscure protocols can be directed towards actual software development.
I'll probably never know exactly how far ahead state-of-the-art rootkits are from what we see at conferences like Black Hat. I don't have the requisite security clearance. But if my instincts are correct, the things that show up in public are relatively basic instruments that merely hint at what's been done by the intelligence agencies. To see what I'm talking about, check out the rootkit described in this article. -BB (2009-08-30)
Microsoft's (Lack of) Forensic Tools
For many years, I wondered why Microsoft couldn't release a set of utilities that were as serviceable as those offered by the researchers at Winternals. Then, on July 18th of 2006, Microsoft announced they were acquiring Winternals. Will we have to wait for a similar event to occur in order to have access to robust, native, forensic tools? After all, if anyone possesses the information necessary to build a stable and comprehensive suite of forensic tools for Windows it would be, well, Microsoft. Perhaps they're worried that such apps would be used by reversers to peek at things that they're not supposed to? Who knows? I just wish that I could sidestep the process of having to deal with freeware that randomly crashes or shelling out big bucks for overpriced third-party software. -BB (2009-08-19)
Sun Tzu and Cyber War in Georgia
"A wise general makes a point of foraging on the enemy. One cartload of the enemy's provisions is equivalent to twenty of one's own, and likewise a single pound of his provender is equivalent to twenty from one's own store" -Sun Tzu, The Art of War
While reading the Wall Street Journal's article on the DDoS that took place last year in Georgia, I couldn't help but think of the above quote. The perpetrators used our infrastructure to support their attack. They used U.S.-based social-networking sites, stolen American identities, and modified code that Microsoft provides for free.
As the article observed: "cyber-warfare has outpaced military and international agreements, which don't take into account the possibility of American resources and civilian technology being turned into weapons."
Encryption Keys and Plausible Deniability
Recently an article appeared in the Register about two people who were convicted for failing to reveal their encryption keys to authorities. If you're using an encryption package that lets you create an encrypted container (i.e. a large file that the software mounts and treats as a logical disk), one way to protect yourself is to create a second encrypted volume nested inside the first. Then, if you're coerced into handing over a key, you can give up the key to the outer volume (which you might want to populate with a smattering of decoy files) while the inner volume stays concealed. What makes this work is that the container's unused space is filled with random data and the inner volume lives in that space, so without its key it is indistinguishable from free space. This is the motivation behind TrueCrypt's "hidden volume" feature. One caveat for practitioners: writing to the outer volume while it's mounted normally can overwrite the inner one, which is why TrueCrypt can mount the outer volume with the hidden volume's password also supplied, so that writes into the hidden region are refused.
I suppose that if you really wanted to be paranoid, you could create yet another encrypted file system within the secondary file system...
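The nested-container layout sketched above, as an added toy example (not code from the original post, and not TrueCrypt's implementation): one file is pre-filled with random bytes, an outer volume header sits at offset 0 and a hidden volume header at a fixed slot near the end, each encrypted under a key derived from its own passphrase. A single mount routine tries both header slots with whatever passphrase it is given, so the caller never says which volume it wants. The cipher is an HMAC-SHA256 keystream indexed by absolute byte position, a stand-in for the XTS-mode block cipher a real disk encryption tool would use; the container size, header format, salt and the "protect hidden volume" write check are all constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

CONTAINER_SIZE = 64 * 1024
HEADER_SIZE = 64
HIDDEN_HEADER_OFFSET = CONTAINER_SIZE - HEADER_SIZE   # fixed slot near the end of the file
MAGIC = b"TOYVOL"
SALT = b"demo-salt"   # constructed; a real tool stores a random salt per header


def derive_key(passphrase: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase, SALT, 50_000, dklen=32)


def crypt(key: bytes, abs_off: int, data: bytes) -> bytes:
    """XOR data with a keystream tied to its absolute position in the container (toy cipher)."""
    out = bytearray(len(data))
    block = None
    for i, byte in enumerate(data):
        pos = abs_off + i
        if block is None or pos % 32 == 0:
            block = hmac.new(key, struct.pack(">Q", pos // 32), hashlib.sha256).digest()
        out[i] = byte ^ block[pos % 32]
    return bytes(out)


def make_header(key: bytes, data_off: int, data_size: int) -> bytes:
    body = MAGIC + struct.pack(">QQ", data_off, data_size)
    tag = hmac.new(key, body, hashlib.sha256).digest()   # lets mount() recognise the right key
    return (body + tag).ljust(HEADER_SIZE, b"\0")


def create_container(outer_pass: bytes, hidden_pass: bytes, hidden_size: int) -> bytearray:
    img = bytearray(os.urandom(CONTAINER_SIZE))   # random fill: free space and hidden data look alike
    outer_key = derive_key(outer_pass)
    outer_hdr = make_header(outer_key, HEADER_SIZE, HIDDEN_HEADER_OFFSET - HEADER_SIZE)
    img[0:HEADER_SIZE] = crypt(outer_key, 0, outer_hdr)
    hidden_key = derive_key(hidden_pass)
    hidden_off = HIDDEN_HEADER_OFFSET - hidden_size   # hidden data sits inside the outer volume's free space
    hidden_hdr = make_header(hidden_key, hidden_off, hidden_size)
    img[HIDDEN_HEADER_OFFSET:CONTAINER_SIZE] = crypt(hidden_key, HIDDEN_HEADER_OFFSET, hidden_hdr)
    return img


def mount(img: bytearray, passphrase: bytes):
    """Try both header slots with one passphrase; return the volume that decrypts, or None."""
    key = derive_key(passphrase)
    for hdr_off in (0, HIDDEN_HEADER_OFFSET):
        plain = crypt(key, hdr_off, bytes(img[hdr_off:hdr_off + HEADER_SIZE]))
        body, tag = plain[:22], plain[22:54]
        if body[:6] == MAGIC and hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
            off, size = struct.unpack(">QQ", body[6:22])
            return {"offset": off, "size": size, "key": key, "hidden": hdr_off != 0}
    return None


def write_volume(img: bytearray, vol: dict, rel_off: int, data: bytes, protect: dict = None) -> None:
    """Write into a mounted volume. With protect=<mounted hidden volume>, refuse writes that
    would land on the hidden region; without it, the outer volume happily overwrites it."""
    if rel_off < 0 or rel_off + len(data) > vol["size"]:
        raise ValueError("write outside volume")
    abs_off = vol["offset"] + rel_off
    if protect and abs_off < protect["offset"] + protect["size"] and abs_off + len(data) > protect["offset"]:
        raise PermissionError("write would overwrite the hidden volume")
    img[abs_off:abs_off + len(data)] = crypt(vol["key"], abs_off, data)


def read_volume(img: bytearray, vol: dict, rel_off: int, n: int) -> bytes:
    abs_off = vol["offset"] + rel_off
    return crypt(vol["key"], abs_off, bytes(img[abs_off:abs_off + n]))


def demo() -> dict:
    img = create_container(b"outer passphrase", b"hidden passphrase", hidden_size=8192)
    outer, hidden = mount(img, b"outer passphrase"), mount(img, b"hidden passphrase")
    write_volume(img, outer, 0, b"decoy tax returns")
    write_volume(img, hidden, 0, b"the real files")
    r = {"outer_is_hidden": outer["hidden"], "hidden_is_hidden": hidden["hidden"],
         "wrong": mount(img, b"guess"),
         "decoy": read_volume(img, outer, 0, 17), "secret": read_volume(img, hidden, 0, 14)}
    overlap = hidden["offset"] - outer["offset"]   # outer-relative offset of the hidden region
    try:   # a write into that region is refused while the hidden volume is mounted for protection ...
        write_volume(img, outer, overlap, b"x" * 64, protect=hidden)
        r["protected_write_blocked"] = False
    except PermissionError:
        r["protected_write_blocked"] = True
    write_volume(img, outer, overlap, b"x" * 64)   # ... but without protection it silently destroys it
    r["secret_after_clobber"] = read_volume(img, hidden, 0, 14)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two properties worth noticing are that `mount()` accepts a passphrase and nothing else, so the outer key reveals no second header exists, and that the outer volume's data range legitimately covers the hidden region, which is exactly why an unprotected write there corrupts the hidden data without any error.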
Computer Security Meets Ulam's Dilemma
Stanislaw Ulam was a mathematician from Poland who came to the United States at the outbreak of World War II and subsequently was involved in the Manhattan Project. He observed that, over time, mathematics had grown into such a vast discipline that making progress required focusing on a narrow area of specialization. The problem with this tendency is that it makes it much more difficult to grasp, and appreciate, developments in other sub-domains.
Having walked the halls at Black Hat, I can see the same thing happening to computer security. Fields like web-based attacks and firmware exploits are so rich with ideas and technical minutiae that specialization is becoming a matter of necessity. The emerging ecosystem that supports the creation and deployment of malware reflects this fact. One engineer builds a rootkit that gets bundled as a payload in an exploit used by a worm that's written by another engineer, who then sells it to someone else who uses it to seed the internet and grow a botnet, that gets rented out by a front man from somewhere else...
Like an Eskimo stuck on an iceberg that's breaking apart, it gets harder and harder to keep a foothold on every field until finally it becomes impossible. Eventually, you have to choose your own little plot of conceptual real estate and try to keep an eye on related subjects. In the worst case, you choose an area that dwindles into obscurity (remember Trusted Xenix?), and then, well, it helps if you can swim.
Black Hat USA 2009 Material Posted
Here's the white paper and slide deck that I presented at Black Hat USA 2009. My comments on the event follow below.
Black Hat USA 2009: Postgame Wrap-Up
Looking back over the two-day event, the first thing that struck me was the sheer scale of the conference and how well they were able to manage the flow of people. Caesar's Palace was definitely a suitable venue for this conference.
I started off the first day with the keynote address by Douglas Merrill, whose talk revolved around psychological acceptance (i.e. security measures are futile unless users are willing to actually use them). Next, I sat in on Peter Kleissner's presentation on the Stoned Again Bootkit, which detailed a framework for loading arbitrary payloads into the kernel during system startup.
The highlight of the morning session was the talk led by Peter Silberman and Steve Davis, from Mandiant, who demonstrated how to reconstruct Metasploit intrusions using a custom tool in conjunction with Memoryze to scan the address space of a compromised process.
In the afternoon I stayed primarily on the rootkit track. I sat through Erez Metula's discussion of user-mode rootkits, which embed themselves in virtual machine runtime environments (e.g. the JRE, or .NET) by altering the bytecode libraries that they rely upon. This talk was particularly well organized and easy to follow, though the emphasis in this case appeared to be on data exfiltration and manipulation. Metula observed that absolute stealth would probably require the assistance of a system-level rootkit.
I ended the first day with the presentation on "Ring -3" rootkits from the Invisible Things Lab (ITL), which focused on firmware-related subversion that targeted a special region of memory reserved for Intel's Active Management Technology. This time, Joanna sat with the audience while her two colleagues (Alexander Tereshkin and Rafal Wojtczuk) did most of the talking. The trend that the speakers touched upon is that vendors often try to protect against malware by putting special management code in remote locations that the operating system (and any malware that it might be hosting) cannot access. This is all well and good until malware somehow loads itself into these specially protected regions...
On the second day of Black Hat, I started with a presentation by ITL and then sat in on Nick Harbour's discussion. Nick, a reputed Ninja, examined API tracing via detour patching as a way to reverse engineer malware. He also demonstrated a novel technique for unwrapping packed binaries using a customized version of kernel32.dll.
Being a native of the Bay Area, I couldn't resist the talk on smart parking meters given by Joe Grand, Jacob Appelbaum, and Chris Tarnovsky. I can't speak for everyone, but the photograph of the meter with $999.99 worth of parking time brought many people to a standing ovation. Over the next few months I'm going to be eagerly watching the Mission District for hacked parking meters. Let's hear it for a truly great presentation!
I also sat in on the Feds versus Ex-Feds panel for a bit. Man, those feds are a cheeky bunch. I suspect they were overcompensating as they may have expected the same from us. One audience member commented that he was essentially asked to: "step up to the microphone, sir, and be shot."
Around the mid-point of the discussion panel, I left to go prep for my own talk. During my presentation on anti-forensics I looked down into the audience and recognized a couple of well-known people whose work I truly respect: Richard Bejtlich and Jamie Butler. Whoa. That was cool. Thanks so much, Richard and Jamie, for taking the time to sit through my talk!
Fear and Loathing at Black Hat USA 2009
Bill Blunden will be joining the pilgrimage to Vegas this July to speak at Black Hat USA 2009. The title of his presentation is Anti-Forensics: The Rootkit Connection. The speaker schedule is available here. It looks like Bill will be speaking on July 30th from 16:45-18:00 in the Augustus Ballroom on the Fourth Floor.
Fear and Loathing in San Francisco
On May 15th, 2009, at San Francisco State University I'll be giving an encore performance of the rootkit presentation that I gave at Sonoma State back on April 9th. The talk will be given in the HSS building, room 362, from noon to 1:30pm.
The Rootkit Arsenal: Approach versus Intent
"If you know the enemy and know yourself, you need not fear the result of a hundred battles." -Sun Tzu
Recently a number of people have raised the issue of whether an open discussion of Black Hat tradecraft is a dubious proposition. The general concern being that a book like The Rootkit Arsenal poses a threat because it will show bad people how to do bad things. In response to the e-mails that I've received, I'd like to take a moment and directly address this topic.
The Rootkit Arsenal offers both concepts and source code. Ultimately, I'm a broker. I can't control what the reader does with what they read. However, I might add that the bad guys already know this stuff. In fact, many of the book's tactics were excavated from Black Hat sites. It's the average system administrator who needs to appreciate just how potent this technology can be.
Hence, though the approach of my book is obviously from the vantage point of a Black Hat, my intent is to offer insights which normal, law-abiding, IT professionals might find useful. Trying to secure the Internet by limiting access to potentially dangerous information is a recipe for disaster. Security through obscurity is not the answer. As Mark Ludwig put it in his seminal book The Giant Black Book of Computer Viruses, "No intellectual battle was ever won by retreat. No nation has ever become great by putting its citizens' eyes out."
Malware Research at American Universities
Why is the obscure art of malware so, well, obscure? Why aren't students at MIT, Princeton, Caltech, and Stanford actively studying this relevant topic? According to George Ledin of the Anti-Conficker Project, "The AV industry has kept everything under wraps, most university professors are busy with their cozy niche and don't want the aggravation, and the topic is dangerous, uncharted territory."
But this answer raises the question: why is this dangerous territory? Heck, software is just software. Right? Ledin presents his case, quite well, in the January 2005 issue of the CACM.
Here's what Niccolo Machiavelli would say: "And it ought to be remembered that there is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things. Because the innovator has for enemies all those who have done well under the old conditions and lukewarm defenders in those who may do well under the new. This coolness arises partly from fear of the opponents, who have the laws on their side, and partly from the incredulity of men, who do not readily believe in new things until they have had a long experience of them."
Fear and Loathing in Sonoma
At the request of George Ledin, the Spring 2009 Computer Science Colloquium organized by Sonoma State University will be hosting a presentation by Bill Blunden in April. The hour-long talk, entitled The Rootkit Primer, will provide an overview that examines the core services that rootkits provide, how they provide these services, and who's using this technology.
Powerpoint slides of the talk can be found here.
The Rootkit Arsenal
In late April, Wordware Publishing will be sending my book The Rootkit Arsenal to press. The manuscript was several years in the making and the book investigates a broad range of related topics (e.g. system-level code, anti-forensics, reversing, etc.). Unlike the vast majority of computer security books The Rootkit Arsenal does not attempt to veil itself with ethical window dressing. My book approaches its material, without apologies, from the standpoint of a Black Hat. No doubt this publication will ruffle a few feathers.
Greetings and Welcome
This entry marks the launch of the web site for Below Gotham Labs. We'd like to thank everyone involved and encourage our visitors to check out the latest news, events, and publications.