Today at National Defense University in Washington, Obama spoke at length on the topic of drones. Despite our President's emphasis on the precise nature of drone assassinations, it's important to recognize that the C.I.A. has no idea who is actually being killed.
"The documents also show that drone operators weren't always certain who they were killing despite the administration's guarantees of the accuracy of the CIA's targeting intelligence and its assertions that civilian casualties have been 'exceedingly rare.'"
Hence, it's only logical that the victims are often innocent people:
"Sadaullah Wazir was another victim of hope and change. His house in North Waziristan was targeted on Sept. 7, 2009. The strike killed four members of his family. Sadaullah was 14 years old when it happened. A few days after the attack, he woke up in a Peshawar hospital to the news that both of his legs had to be amputated and he would never be able to walk again. He died last year, without receiving justice or even an apology. Once again, no militant was present or killed."
What we've created, as Jeremy Scahill explains, is a global battlefield that perpetuates itself:
"The president, like his predecessors Bush and Cheney, has asserted the right to strike in any country around the world and has effectively subscribed to the doctrine that the world is the battlefield. And so, as long as that remains on the books, that the United States says, 'Well, we're different than every other nation around the world, in that we have the right to strike in any country where we perceive an imminent threat, and imminent has been redefined in our secret proceedings inside the White House or the Justice Department,' then none of this is going to fundamentally change."
WAR IS PEACE, proclaims the Ministry of Truth. The Telescreens are here. So are the Thought Police. Orwell's vision is being realized in all its horrific glory. The oligarchs quietly gloat and we mostly remain silent. -BB(2013-05-23)
Over the past few months Paul Krugman has authored a series of "see, I told you so" articles in the New York Times on the failings of austerity dogma. And rightly so, as austerity doctrine is merely an ideological weapon of the elite:
"Business interests hate Keynesian economics because they fear that it might work — and in so doing mean that politicians would no longer have to abase themselves before businessmen in the name of preserving confidence. This is pretty close to the argument that we must have austerity, because stimulus might remove the incentive for structural reform that, you guessed it, gives businesses the confidence they need before deigning to produce recovery."
Rob Urie, however, observes that Krugman's Keynesian solutions tend to focus on treating the symptoms of our economic illness:
"Were a leading 'liberal' economist able to implement his/her wish list of fiscal stimulus it would do little to stabilize the system of finance capitalism. And by avoiding the larger issues Keynesian economic 'patch' jobs facilitate the next spectacular catastrophe. In fact, modest Keynesian patches have been applied during recessions in the recent decades of the ascendance of finance capitalism and its associated crises keep getting worse."
In other words, Dr. Krugman would be well-advised to revisit his tacit support for Obama and start considering underlying structural issues (e.g. state-capture and the subsequent growing inequality) that shape our economy. Urie concludes:
"The 'debate' isn't a debate at all—the ruling class wants austerity to transfer wealth from government to their pockets and austerity is what we have. The Ivy League Keynesian contingent can continue to have their egos soothed with phone calls from the White House but that does little to suggest their economics aren't an effete hoax—they might be right if they could get their policies implemented but they can't. For everyone else Marx and Lenin are the new go-to political economists, not because I say so but because the ruling class does."
Looks like someone has called Krugman out... -BB(2013-05-18)
Gerry Cauley, chief executive of the North American Electric Reliability Corp, just put a damper on all of the hype surrounding cyber-attacks on the power grid:
"It takes a small number of crews with explosives and you've created not only an outage over an area or a city, but smoke and fire and flash-type stuff"
"We don't do ourselves a favor if we only concentrate on cyber. Physical security is a concern for us as well... Anyone who is smart enough to do those kinds of things has better things to do than shut the lights out"
Cauley refers to recent attempts to hack the power grid as "not that overwhelming" and says that he's genuinely more concerned about physical security. -BB(2013-05-15)
Buried on page 36 of the DoD's 2013 report on China:
"The US government continued to be targeted for [cyber] intrusions, some of which appear to be attributable directly to the Chinese government and military"
"We firmly oppose any groundless criticism and hype, because groundless hype and criticism will only harm bilateral efforts at co-operation and dialogue."
"American businesses ceded their technology to the Chinese industrial base long before Chinese espionage became an issue the national security megaplex decided to exploit for the purpose of corporate computer security business rent-seeking."
"Who are you going to find on the street who cares if Chinese cyberwarriors from a building in Shanghai are into American businesses? They've already lost their jobs or much of their earning power. And their access to the Internet is a smartphone made in China."
"Take a day off from the memes. Corporate America isn't hiring, haven't you heard? It's not because of mass Chinese cyber-spying."
Chinese officials echo this to a degree:
"Trumpeting China's military threat to promote its domestic interests groups and arms dealers... U.S. arms manufacturers are gearing up to start counting their money."
As with drones, the Pentagon views "cyber" as a growth market. The strategies at play in both domains will ultimately make us less safe. -BB(2013-05-09)
The New Yorker has just published an essay on U.S. drone attacks. It begins by presenting some insightful historical context:
"During the nineteen-seventies, it seemed as though this era of covert action were coming to an end. After a congressional investigation exposed the extent of C.I.A. plots, President Gerald Ford issued an executive order banning political assassinations. Successive Presidents strengthened the ban with executive orders of their own, codifying a growing bipartisan consensus that assassinations undercut America's avowed commitment to democracy, human rights, and the rule of law."
This raises some important questions:
"Is a program of targeted killing, conducted without judicial oversight or public scrutiny, consistent with American interests and values?"
"As things stand, Obama will bequeath to his successors a worrisome precedent: without trial, the President has the right to kill any U.S. citizen who is judged, on the basis of unpublished criteria, to have become an enemy combatant."
The criteria, though secret, would appear to be fairly loose:
"In an area of known militant activity, all military-age males were considered to be enemy fighters. Therefore, anyone who was killed in a drone strike there was categorized as a combatant."
Once more, is assassination-by-drone even a plausible solution? Or will it just make matters worse and set an awful precedent?
"Several former Shin Bet leaders argue forcefully that terrorism is ultimately a political problem that cannot be resolved by endless campaigns of assassination."
"Just as Eisenhower failed to think through the consequences of his push-button interventionism, Obama seems unwilling to confront the possibility that drone strikes may be creating more enemies than they're eliminating."
"Ten years or less from now, China will likely be able to field armed drones. How might its Politburo apply Obama's doctrines to Tibetan activists holding meetings in Nepal?"
Our leaders don't seem to be interested in publicly discussing any of this. It's far more convenient for them to marginalize the public by keeping everything secret. -BB(2012-04-30)
Related: A Yemeni speaks on drone strikes in his country.
"In another botched strike, a missile struck a passenger van in central al-Bayda governorate on September 2, 2012, killing 12 civilians, 3 of them children. Local and international media initially quoted anonymous Yemeni officials as saying the strike targeted militants, but state-run media later conceded the killings were an 'accident' that killed civilians."
"The short-term military gains are minuscule compared to the long-term damage that the targeted killing program causes. In the place of one slain leader, new leaders swiftly emerge in furious retaliation for attacks in their territories. And with each strike, it becomes ever easier to belong to a militant group in the region where your tribe lives."
"There is no easy way to end terrorism. Only a long-term approach that strengthens democracy, accountability and justice, together with programs to address structural economic and social drivers of extremism can bring about security in my country."
A very telling Obama quote:
"There is no country on Earth that would tolerate missiles raining down on its citizens from outside its borders."
Yet drone strikes persist. Why? Perhaps it might help to follow the money.
Update: Using Old War Crimes to Justify New Ones
"In a chilling 16-page dossier known simply as the White Paper, one of Obama's statutory brains at the Justice Department cites the 1969 secret bombing of Cambodia as a legal rationale justifying drone strikes, deep inside nations, against which the United States is not officially at war."
Update: Drones or Indefinite Detention?
"John Bellinger, who was responsible for drafting the legal framework for targeted drone killings while working for George W Bush after 9/11, said he believed their use had increased since because President Obama was unwilling to deal with the consequences of jailing suspected al-Qaida members."
Update: Chomsky speaks
"JSOC and the drones are a self-generating terror machine that will grow and expand, meanwhile creating new potential targets as they sweep much of the world. And the executive won't want them just 'sitting around.'"
"The dangers of unexamined and unregulated monopoly power, particularly in the state executive, are hardly news. The right reaction is not passive acquiescence."
Matt Taibbi drops a bombshell in an article published this past week by Rolling Stone:
"Regulators are looking into whether or not a small group of brokers at ICAP may have worked with up to 15 of the world's largest banks to manipulate ISDAfix, a benchmark number used around the world to calculate the prices of interest-rate swaps."
"Interest-rate swaps are a tool used by big cities, major corporations and sovereign governments to manage their debt, and the scale of their use is almost unimaginably massive. It's about a $379 trillion market, meaning that any manipulation would affect a pile of assets about 100 times the size of the United States federal budget."
The European Federation of Financial Services Users warns that:
"Those markets which are based on non-attested, voluntary submission of data from agents [Libor, ISDAfix] whose benefits depend on such benchmarks are especially vulnerable of market abuse and distortion"
Or, as Taibbi puts it:
"When prices are set by companies that can profit by manipulating them, we're fucked."
Yet the financial institutions involved in this alleged manipulation have proven too big to fail in the past. Officials offered apologies about preventing harm to the economy and the Oligarchs who've captured our political system basically walked away scot-free. In other words, don't expect anyone to do any jail time. -BB(2013-04-27)
According to a report in the New York Times, Afghan officials believe that the U.S. Deep State is involved in a recent massacre:
"The spokesman for President Hamid Karzai said Thursday that the C.I.A. was responsible for calling in an airstrike on April 7 that left 17 Afghan civilians dead, 12 of them children, and that the secret Afghan militias that the agency controls behaved as if they were 'responsible to no one.'"
Surely you can imagine the wave of outrage that would shake the United States if an airstrike killed 12 children on American soil. -BB(2013-04-20)
Related: Why Terrorists Attack
"Al-Muslimi will meet with White House officials to tell them what he told a Senate subcommittee yesterday: CIA and military drone strikes are strengthening al-Qaida's Yemeni affiliate and making average Yemenis hate America."
"In the last several years, there have been four other serious attempted or successful attacks on US soil by Muslims, and in every case, they emphatically all say the same thing: that they were motivated by the continuous, horrific violence brought by the US and its allies to the Muslim world - violence which routinely kills and oppresses innocent men, women and children"
In a Danger Room post, Spencer Ackerman cautions readers not to jump to conclusions:
"Not every bombing, no matter how many civilians are killed or how terrifying it is, is terrorism. The Boston Marathon atrocity on Monday may qualify or it may not... Terrorism is not just violence aimed at civilians. Terrorism is violence aimed at civilians with a political objective. Most often, but not always, terrorism is violence aimed at civilians with a political objective, aimed to cause a spectacle."
If the bombings actually end up being a genuine act of terrorism, Bruce Schneier has a few choice words of advice:
"There's one thing we can do to render terrorism ineffective: Refuse to be terrorized."
"Don't glorify the terrorists and their actions by calling this part of a 'war on terror.' Wars involve two legitimate sides. There's only one legitimate side here; those on the other are criminals. They should be found, arrested, and punished. But we need to be vigilant not to weaken the very freedoms and liberties that make this country great, meanwhile, just because we're scared."
"A nonpartisan, independent review of interrogation and detention programs in the years after the Sept. 11, 2001, terrorist attacks concludes that 'it is indisputable that the United States engaged in the practice of torture' and that the nation’s highest officials bore ultimate responsibility for it."
Finally, Glenn Greenwald focuses on the need to extend empathy and compassion towards all innocent victims of violence, especially those in other countries:
"Indeed, just yesterday in Iraq, at least 42 people were killed and more than 250 injured by a series of car bombs, the enduring result of the US invasion and destruction of that country. Somehow the deep compassion and anger felt in the US when it is attacked never translates to understanding the effects of our own aggression against others."
George Smith responds to a Reuters story which announces that Obama is going to make cybersecurity a growing priority:
"There are no statistics on what cyberespionage or cyberwar costs (or could cost) the nation, just claims and wild estimates based on nothing."
"By contrast, charts and graphs of hard statistics are published weekly on the horrifying state of the economy for the middle and lower class. They show that among western civilized nations, yawning inequality that dwarfs the rest has grown. They show that foodstamp usage has ballooned to an all time high because the American economy does not produce jobs that pay a living wage. They show that corporate profits have soared but that the great majority of people have seen nothing except shrinkage or, even, total collapse in their worth and fortunes."
"Yet today we are saddled with an administration that has actively worked to create the impression that defense against cyberattack is one of the country's most pressing problems."
George makes a valid point. So what's behind the media push?
"As the sequestration slowly starts to grind at the sick, the poor, the elderly and the other parts of the middle class, the cyberwar-is-coming campaign is all about realignment of taxpayer dollars for the preservation and expansion of security jobs and services, a transfer of wealth from the bottom and the middle of American society, to the top."
We're being barraged by messages that point to external agents attacking U.S. banks. But perhaps we should be more concerned about these same banks attacking us. -BB(2013-04-13)
Related, threat inflation during the Cold War:
"To hide the ugly realities and to overcome popular opposition to the policies, Reagan granted CIA Director William Casey extraordinary leeway to engage in CIA-style propaganda and disinformation aimed at the American people, the sort of project normally reserved for hostile countries. To oversee the operation – while skirting legal bans on the CIA operating domestically – Casey moved Raymond from the CIA to the NSC staff."
There are respected political philosophers like Sheldon Wolin who argue that the public has largely receded into the background of contemporary politics, assuming the role of disinterested observers:
"Roughly between one-half and two-thirds of America's qualified voters fail to vote, thus making the management of the 'active' electorate [the political class] far easier. Every apathetic citizen is a silent enlistee in the cause of inverted totalitarianism. Yet apathy is not simply the result of a TV culture. It is, in its own way, a political response. Ordinary citizens have been the victims of a counterrevolution that has brought 'rollbacks' of numerous social services which were established only after hard-fought political struggles, and which the earlier Republican administrations of Eisenhower and Nixon had accepted as major elements in a national consensus. Rollbacks don't simply reverse previous social gains; they also teach political futility to the Many. And along the way they mock the ideal and practice of consensus."
In his book Griftopia Matt Taibbi provides an example of this sort of general disengagement:
"The presidential election is a drama that we Americans have learned to wholly consume as entertainment, divorced completely from any expectations about concrete changes in our own lives. For the vast majority of people who follow national elections in this country, the payoff they’re looking for when they campaign for this or that political figure is that warm and fuzzy feeling you get when the home team wins the big game. Or, more importantly, when a hated rival loses. Their stake in the electoral game isn't a citizen's interest, but a rooting interest"
Occasionally high-level planners will experience fits of honesty and admit how they view the rest of society:
"We're an empire now, and when we act, we create our own reality. And while you're studying that reality -- judiciously, as you will -- we'll act again, creating other new realities, which you can study too, and that's how things will sort out. We're history's actors... and you, all of you, will be left to just study what we do."
Decision makers employ the necessary stimulus to elicit the desired response from the political class. From the vantage point of Hegel's Dialectic, controlling the interaction between the thesis and antithesis produces the necessary synthesis. This is how oligarchs manufacture consent. -BB(2013-04-06)
Nearly a year ago, General Keith Alexander stood up in front of the American Enterprise Institute and made the following statement regarding the losses attributed to cyber attacks:
"In my opinion, it's the greatest transfer of wealth in history"
Perhaps General Alexander was too busy running the NSA and CYBERCOM to notice the $7.7 trillion (roughly half our annual GDP) that our government secretly committed to bailing out the banks back in 2008? If you want to ponder genuine economic destruction all you need to do is follow the aftermath of the 2008 crisis. According to UC Berkeley economist Brad DeLong:
"When I take present values and project the US economy's lower-trend growth into the future, I cannot reckon the present value of the additional loss at less than a further 100% of a year’s output today – for a total cost of 1.6 years of GDP. The damage is thus almost equal to that of the Great Depression – and equally painful"
Yet President Obama, during his 2013 State of the Union address, chanted the Cult of Cyberwar's standard doomsday mantra:
"Our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems."
And in the wake of recent DDoS attacks he's making conspicuous public gestures.
"The difficulty of deterring such attacks was also the focus of a White House meeting this month with Mr. Obama and business leaders, including the chief executives Jamie Dimon of JPMorgan Chase; Brian T. Moynihan of Bank of America; Rex W. Tillerson of Exxon Mobil; Randall L. Stephenson of AT&T and others."
George Smith succinctly explains the misdirection at work:
"The President cannot get the minimum wage raised. He cannot do anything to reverse the austerity policies the Republican Party, from its minority position, has imposed on the country. He cannot or will not enact any measures as chief executive that might begin to make economic life in the country better for the majority of its citizens.
"So what is he doing? Partially busying himself meeting with Wall Street's master bankers and ginning up news on the daggers of cyberwar, attributed to China, Iran and North Korea, aimed at America’s heart."
While the 1% is busy hollowing out the middle class, our leaders distract us with intimations of Cybergeddon. -BB(2013-04-01)
"The term 'Deep state' comes from Turkey. They invented it after the wreck of a speeding Mercedes in 1996 in which the passengers were a Member of Parliament, a beauty queen, a local senior police captain, and an important drug trafficker in Turkey who was also the head of a criminal paramilitary organization – the Grey Wolves – that went around killing people. And it became very obvious in Turkey that there was a covert relationship between the police who officially were looking for this man – even though a policeman was there with him in the car – and these people who committed crimes on behalf of the state. The state that you commit crimes for is not a state that can show its hand to the people, it’s a hidden state, a covert structure."
The New Yorker offers a somewhat equivalent definition:
"The deep state is a presumed clandestine network of military officers and their civilian allies who, for decades, suppressed and sometimes murdered dissidents, Communists, reporters, Islamists, Christian missionaries, and members of minority groups—anyone thought to pose a threat to the secular order, established in 1923 by Mustafa Kemal, or Atatürk. The deep state, historians say, has functioned as a kind of shadow government, disseminating propaganda to whip up public fear or destabilizing civilian governments not to its liking."
While the term was invented in Turkey, Scott has his own interpretation which he uses to discuss power structures in the U.S.:
"I adapt the term somewhat to refer to the wider interface in America between the public, the constitutionally established state, and the deep forces behind it of wealth, power, and violence outside the government. You might call it the back door of the Public state, giving access to dark forces outside the law."
In a review of the movie Dirty Wars published today by the Guardian, Glenn Greenwald provides astute commentary about what enables, and the consequences of, the global covert war being fought by the American Deep State:
"The most propagandistic aspect of the US War on Terror has been, and remains, that its victims are rendered invisible and voiceless. They are almost never named by newspapers... As Ashleigh Banfield put it in her 2003 speech denouncing US media coverage of the Iraq war just months before she was demoted and then fired by MSNBC: US media reports systematically exclude both the perspectives of 'the other side' and the victims of American violence. Media outlets in predominantly Muslim countries certainly report on their plight, but US media outlets simply do not, which is one major reason for the disparity in worldviews between the two populations."
"The evidence has long been compelling that the primary fuel of what the US calls terrorism are the very policies of aggression justified in the name of stopping terrorism. The vast bulk of those who have been caught in recent years attempting attacks on the US have emphatically cited US militarism and drone killings in their part of the world as their motive. Evidence is overwhelming that what has radicalized huge numbers of previously peaceful and moderate Muslims is growing rage at seeing a continuous stream of innocent victims, including children, at the hands of the seemingly endless US commitment to violence."
Witness the combined potency of secrecy, violence, and propaganda as the body politic stumbles recklessly forward under their influence. -BB(2013-03-31)
Cryptome's John Young has reviewed Deep State, a book by Marc Ambinder and D.B. Grady about our thriving surveillance state and the imminent threat it represents to our Constitutional liberties:
"The least protected, most Wall Street billboarded, secret is that war is immensely profitable to those shrewd enough to avoid the carnage while being generously rewarded by wartime picking of citizen wallets, aided by ridiculously paid safe-at-home shills celebrating valor and sacrifice (market boom, Zero Dark Thirty ilk, ex-SEAL chest-beaters)."
"The open-dirty-secret secrecy industry exposed in Deep State is as rouged as war harlotry, as venal as political campaigns, as crass as high-brass military coins, as formulaically vulgar as thanking troops for service, as duplicitous as veterans' filthy hospitals and always delayed, cropped and denied benefits."
"Top leaders lust for secretly sharing means and methods to exploit the bottom, so gather to swap kisses with PR whores in Aspen, Bilderberg and Davos. They serve on secrecy-slathered advisory boards of governments, rotate through government offices, eroticize military contracting officers with promises of future triple-dipping benefits."
"Read Deep State to be informed, galvanized and bold-heartened to raise the black flag, commence cutting throats of secretkeepers."
I strongly suspect that the authors may have drawn from Peter Dale Scott's concept of Deep Politics when they decided on the title for their book. A synopsis of Deep Politics and the Deep State can be found in Scott's recent book American War Machine. -BB(2013-03-30)
The Christian Science Monitor is covering a recently updated report published by scholars at Brown University's Watson Institute for International Studies. Among other things, the report finds that:
"More than 70 percent of those who died of direct war violence in Iraq have been civilians – an estimated 134,000. This number does not account for indirect deaths due to increased vulnerability to disease or injury as a result of war-degraded conditions. That number is estimated to be several times higher."
"The Iraq war will ultimately cost US taxpayers at least $2.2 trillion. Because the Iraq war appropriations were funded by borrowing, cumulative interest through 2053 could amount to more than $3.9 trillion."
"Terrorism in Iraq increased dramatically as a result of the invasion and tactics and fighters were exported to Syria and other neighboring countries."
To think that all of this devastation took place on behalf of imaginary WMDs. But if WMDs were a pretext, why the invasion? Former chair of the Federal Reserve, Alan Greenspan, stated:
"I am saddened that it is politically inconvenient to acknowledge what everyone knows: the Iraq war is largely about oil."
Current Secretary of Defense Chuck Hagel also noted:
"People say we're not fighting for oil. Of course we are. They talk about America's national interest. What the hell do you think they're talking about? We're not there for figs."
Greg Palast has concluded:
"The invasion was not about 'blood for oil', but something far more sinister: blood for no oil. War to keep supply tight and send prices skyward."
The ability of our leaders to lead the charge into Iraq is a testimony to the power of modern propaganda. -BB(2013-03-19)
"The agency's intelligence collection on Iraq's relationship with al-Qaida was thin — Iraq's connections to terrorist organizations were so minute it wasn’t a priority for us — so it was difficult to even construct a chart showing connections, as if we were mapping the Barksdale crew on The Wire."
Related, The Invasion as Premeditated Crime:
"Four of the administration's key sources were not verified. Two sources were fabricators, one had provided forged documents and the other shared hearsay."
"Iraqis, at minimum, deserve to see officials in the United States and United Kingdom who engineered the war and then waged empire for over eight years brought to justice."
There is a counter-narrative emerging:
"Sadly, policymakers seem to think we have completely solved the attribution problem. We have not... Those of us who work on security engineering and software security can help educate policymakers and others so that we don't end up pursuing the folly of active defense."
"If you see an attack coming from China in particular it is because they WANT you to know it is coming from China. I would think any state sponsor conducting a very serious attack would conceal themselves better than that. I also believe that a lot of attacks that look like they are coming from China are actually coming from elsewhere. Think about this, if I am a hacker in the US, attacking a US victim, it would be a big advantage to look like I was coming from China because it almost guarantees no attempt to prosecute or track me down since everyone in this business knows that if it comes out of China you can't do anything about it."
As mentioned in a previous post below, false flag operations are an age-old tactic used by spies throughout history. It's typically in the best interest of an intel operator to muddy the water by framing someone else. Who better than China? Anti-forensic technology has attained a level of sophistication where you can tell whatever story you want... and it will entirely convince more susceptible members of the public.
Related: Cryptome on Staged Attacks
"Malware can be invented, planted and discovered by cybersecurity and AV experts to exploit fearful clients, governments, citizens, users and in complicity with other experts and their witting and unwitting hackers -- cyberwarfare is booming thus mostly war-time profligate waste, duplicity, treachery and chicanery."
Security researchers have announced that they've identified attackers whom they suspect are backed by the Chinese government. However, as the New York Times article on this story concedes:
"The firm was not able to place the hackers inside the 12-story building, but makes a case there is no other plausible explanation for why so many attacks come out of one comparatively small area."
Another security professional comments:
"For non-technologically savvy people, it is easy to become starry-eyed for the forensics experts. They seem to have this magical power to pinpoint the bad guys. I can picture readers of these stories smirking and trying to high five these CSI themed cybersuperheros. In a fantasy world, it is touching. In the intelligence, political, financial and security world, it is a dangerous precedent being set by companies like Mandiant and others. It is slowly becoming 'cyber yellow cake' [WIK] at its finest with the outcomes always being distorted, or misunderstood, or outright flagrant lies being told by security professionals."
Allow me to offer a degree of clarity. If I were running an operation for an organization in Eastern Europe, as a matter of standard operating procedure I would go to great lengths to obfuscate my trail and stage my attacks in such a way as to implicate a third party. Honestly, it's anti-forensics 101. Using internationalized tools, a different language, indigenous computing algorithms, planted artifacts, and pivot points in other countries are all par for the course. Any operator worth their salt will use these techniques. Welcome, dear reader, to the wilderness of mirrors. -BB(2013-02-19)
President Obama raises the specter of Cybergeddon:
"Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
D.B. Grady comments:
"It's hard to take warnings of an 'imminent' cyber-9/11 seriously, in part because no serious observer of electronic warfare considers it possible, let alone imminent."
The New Yorker has just published a piece that questions the wisdom of U.S. military spending:
"The U.S. once regarded a standing army as a form of tyranny. Now it spends more on defense than all other nations combined... Between 1998 and 2011, military spending doubled, reaching more than seven hundred billion dollars a year—more, in adjusted dollars, than at any time since the Allies were fighting the Axis."
Where does all this money go? The author, Jill Lepore, states:
"Much of the money that the federal government spends on 'defense' involves neither securing the nation's borders nor protecting its citizens. Instead, the U.S. military enforces American foreign policy."
Foreign policy that, ultimately, is dictated from boardrooms across the country by the various corporate interests that have captured our political structures. Much to the benefit of the patronage networks which branch out from the Pentagon.
To convince the public to submit to high levels of military spending, our leaders have deployed a truly massive campaign of propaganda. According to former Army Colonel Andrew Bacevich:
"'The mystical war against Communism... finds its counterpart in the mystical war on terrorism.' Mystification, he said, leads us to exaggerate threats and ignore costs. 'It prevents us from seeing things as they are.'"
And now the front men of the Military-Industrial Complex have identified new markets. They use the same basic PR tactics to convince us that a "cyber-Pearl Harbor" is imminent. Unless, of course, we fork over a mountain of cash so that they can keep us "safe." -BB(2013-01-27)
"The command, made up of about 900 personnel, will expand to include 4,900 troops and civilians."
"The plan calls for the creation of three types of forces under the Cyber Command: 'national mission forces' to protect computer systems that undergird electrical grids, power plants and other infrastructure deemed critical to national and economic security; 'combat mission forces' to help commanders abroad plan and execute attacks or other offensive operations; and 'cyber protection forces' to fortify the Defense Department’s networks."
Glenn Greenwald offers a much-needed sanity check:
"This massive new expenditure of money is not primarily devoted to defending against cyber-aggressors. The US itself is the world's leading cyber-aggressor. A major purpose of this expansion is to strengthen the US's ability to destroy other nations with cyber-attacks. Indeed, even the Post report notes that a major component of this new expansion is to 'conduct offensive computer operations against foreign adversaries.'"
"This new massive expansion has little to do with any actual cyber-threat - just as the invasion of Iraq and global assassination program have little to do with actual terrorist threats. It is instead all about strengthening the US's offensive cyber-war capabilities, consolidating control over the internet, and ensuring further transfers of massive public wealth to private industry continue unabated."
Bravo, Mr. Greenwald. -BB(2013-01-31)
Frontline recently broadcast a program that demonstrates the degree to which rule of law has been subverted in the United States. Jeff Connaughton, the former Chief of Staff for Senator Ted Kaufman, states:
"I think that is without a doubt a factor in the difficulty of proving intent. But I'm sorry, I just don’t believe there was enough effort. It just doesn't make common sense. And so you're telling me that not one banker, not one executive on Wall Street, not one player in this entire financial crisis committed provable fraud? I mean, I just don’t believe that."
Former New York State Attorney General Eliot Spitzer adds:
"The Justice Department failed. They have not done what needed to be done. They didn’t ever try to bring together one coherent narrative, laying out the entirety of the story against one of the major players and demand sanctions that are meaningful. That to me is what has been fundamentally lacking."
Our security services threatened Aaron Swartz with decades in prison for downloading files from JSTOR. Yet the executives who sent the economy into a death spiral, rigged LIBOR, and washed money for the Cartels are doing just fine. This is what happens when politicians are bought and paid for by Wall Street money:
"As for President Obama, what is there to be said? Goldman Sachs was his number-one private campaign contributor. He put a Citigroup executive in charge of his economic transition team, and he just named an executive of JP Morgan Chase, the proud owner of $7.7 million in Chase stock, his new chief of staff."
The gains of the New Deal Era are gradually being rolled back until there's just the Plutonomy and the Precariat. The battles that were waged by organizations like the Wobblies will now have to be fought all over again. As you can glean from this Army Manual, the owners of our society understand what's coming and are making preparations to deal with the inevitable. -BB(2013-01-23)
The Economic Policy Institute explains that the growing wage gap isn't the result of a skill shortage, despite what high-tech companies claim (normally when they want the government to raise the H-1B ceiling):
"In our view, the substantially increased need for education and skills has been met by the increased supply of education and skills. Changing wage differentials have been driven by economic policy in acts of omission and commission."
This conclusion has been reinforced by a well-known professor at Berkeley:
"Despite anecdotes about how employers cannot find workers with the skills they need, there is little evidence that the unemployment rate remains elevated because of mismatches between the skill requirements of available jobs and the skills of the unemployed... The high unemployment rate is the result of weak demand, not structural mismatches."
There are plenty of highly-skilled workers in the United States. There are also plenty of lobbyists who funnel a veritable mountain of cash into D.C. on behalf of corporate interests.
What we're seeing is the gradual deconstruction of the notion that increases in productivity and economic growth will benefit everyone. The rising tide does not lift all boats. When the 99% finally realize that they're losing ground to the benefit of a ruling elite, the social fabric of the United States will begin to disintegrate.
When this fabric begins to break apart, dear readers, people will begin to see why the Department of Homeland Security was really created. -BB (2013-01-13)
The ACLU reports:
"The Senate today reauthorized the FISA Amendments Act of 2008, an unconstitutional spying bill that violates the Fourth Amendment and gives vast, unchecked surveillance authority to the government. The FISA Amendments Act Reauthorization Act (H.R. 5949), passed on a 73-23 vote, authorizes the National Security Agency to conduct dragnet surveillance of Americans’ international emails and phone calls."
Dianne Feinstein claims:
"This necessary legislation will continue to keep America safe by enabling our intelligence community to identify and neutralize terror networks before they harm us either at home or abroad."
The Electronic Frontier Foundation responds:
"This vote was nothing less than abdication by Congress of its role as watchdog over Executive power, and a failure of its independent obligation to protect the Bill of Rights. The FISA Amendments Act and the ongoing warrantless spying on Americans has been, and will continue to be, a blight on our nation and our Constitution."
Oliver Stone adds:
"He [Obama] has taken all the Bush changes he basically put them into the establishment, he has codified them. That is what is sad. So we are going into the second administration that is living outside the law and does not respect the law and foundations of our system and he is a constitutional lawyer, you know."
National Security is the ultimate apology. As with torture, our leaders claim that they must undermine the Constitution because they don't have a choice... national security is at stake. -BB(2012-12-29)
According to an information warfare specialist at the National Defense University, manipulating public opinion has taken center stage as a means to gain support for U.S. policies:
"What's changing is the realization that in this so-called war on terrorism, this is not a force multiplier; this might be the thing that wins the whole thing for you... This gets to the importance of the war of ideas. There are a billion-plus Muslims that are undecided. How do we move them over to being more supportive of us? If we can do that, we can make progress and improve security."
Related: Along these lines, Yemen's government attempted to conceal U.S. drone strikes:
"Within seconds, 11 of the passengers were dead, including a woman and her 7-year-old daughter. A 12-year-old boy also perished that day, and another man later died from his wounds. The Yemeni government initially said that those killed were al-Qaeda militants and that its Soviet-era jets had carried out the Sept. 2 attack."
Related: An article on torture propaganda.
"Even given that huge damage, arguably the more severe and longest lasting unintended consequences have been those we have inflicted upon ourselves. That we are still debating torture's virtues is itself strong evidence of the ill effect of torture on those who would wield it, in this case an entire society. There has been not just a coarsening of our ideals but a rebuke of them. In failing to assess and acknowledge the damage we've done, we have cheapened the idea of America."
Our leaders try very hard to convey the idea that the United States is spreading freedom and democracy. Yet, anyone who makes the effort to look beyond this kind of superficial rhetoric will realize that we do just the opposite by supporting brutal regimes around the world. -BB(2012-12-26)
"The United States speaks about supporting human rights and democracy, but while the Saudis send troops to aid the Khalifa government, America is sending arms. The United States is doing itself a huge disservice by displaying such an obvious double standard toward human rights violations in the Middle East. Washington condemns the violence of the Syrian government but turns a blind eye to blatant human rights abuses committed by its ally Bahrain."
George Monbiot points out the media's double standard:
"Most of the world's media, which has rightly commemorated the children of Newtown, either ignores Obama's murders or accepts the official version that all those killed are 'militants'. The children of north-west Pakistan, it seems, are not like our children. They have no names, no pictures, no memorials of candles and flowers and teddy bears. They belong to the other: to the non-human world of bugs and grass and tissue."
Juan Cole reminds us:
"Let's also Remember the 176 children Killed by US Drones."
To the executives that run the major news outlets, why is the mass murder of children outside the United States any less significant? -BB(2012-12-19)
The New York Times reports that HSBC, after transferring mountains of cash on behalf of drug cartels, will simply be fined. State and federal authorities have basically apologized for their inability to indict the bank:
"A money-laundering indictment, or a guilty plea over such charges, would essentially be a death sentence for the bank. Such actions could cut off the bank from certain investors like pension funds and ultimately cost it its charter to operate in the United States, officials said."
Glenn Greenwald comments on how this apology fits into the larger narrative of exceptionalism:
"We are constantly told that immunizing those with the greatest power is not for their good, but for our good, for our collective good: because it's better for all of us if society is free of the disruptions that come from trying to punish the most powerful, if we're free of the deprivations that we would collectively experience if we lose their extraordinary value and contributions by prosecuting them."
You can't jail bankers because ultimately they are the law. Threaten them and you'll see who really wields power in the United States. Our representatives are just intermediaries, the political operatives of the 1%. -BB(2012-12-14)
Related: Matt Taibbi relates the sort of punishment that these bankers deserve:
"How about you dive into every bank account of every single executive involved in this mess and take every last bonus dollar they've ever earned? Then take their houses, their cars, the paintings they bought at Sotheby's auctions, the clothes in their closets, the loose change in the jars on their kitchen counters, every last freaking thing. Take it all and don't think twice. And then throw them in jail."
"Sound harsh? It does, doesn't it? The only problem is, that's exactly what the government does just about every day to ordinary people involved in ordinary drug cases."
Grover Norquist is a front man for the right wing of the Republican Party. He's succeeded in getting more than 270 members of Congress to sign an agreement (the "Taxpayer Protection Pledge") whereby they promise not to support legislation that will raise taxes. Republicans who defy Norquist face primary battles against candidates supported by Norquist. When asked what he thought about the government's duty towards the elderly and the poor (e.g. Medicare, Social Security), he responded:
"It should stop stepping on them, kicking them and making their lives more difficult."
In other words, we have no need for government, for regulation, and everything should be left to the free market and "individual initiative." This was the world envisioned by Ayn Rand when she created the philosophy of Objectivism. Relentless self-interest is virtuous; Social Darwinism reborn.
Nicholas Kristof exposes the fraud of this sort of market fundamentalism:
"Anyone who honestly believes that low taxes and unfettered free markets are always best should consider moving to Pakistan’s tribal areas. They are a triumph of limited government, negligible taxes, no 'burdensome regulation' and free markets for everything from drugs to AK-47s."
As does Naomi Klein:
"Climate change is, I would argue, the greatest single free-market failure. This is what happens when you don't regulate corporations and you allow them to treat the atmosphere as an open sewer."
The standard argument, deployed by the political operatives of the 1%, against raising tax rates is that it will negate growth by discouraging investment (i.e. trickle-down economics). Warren Buffett explodes this myth:
"Between 1951 and 1954, when the capital gains rate was 25 percent and marginal rates on dividends reached 91 percent in extreme cases, I sold securities and did pretty well. In the years from 1956 to 1969, the top marginal rate fell modestly, but was still a lofty 70 percent — and the tax rate on capital gains inched up to 27.5 percent. I was managing funds for investors then. Never did anyone mention taxes as a reason to forgo an investment opportunity that I offered."
The plutocrats of today, like the British colonialists of yesterday, live in their own separate world. Why should they care about the societal fallout that their wealth extraction generates? -BB(2012-11-27)
Below are a number of telling excerpts from a New York Times article on drone strikes:
"For years before the Sept. 11, 2001, attacks, the United States routinely condemned targeted killings of suspected terrorists by Israel, and most countries still object to such measures."
"The word evolved to mean the 'signature' of militants in general — for instance, young men toting arms in an area controlled by extremist groups."
"Experts say the strikes are deeply unpopular both in Pakistan and Yemen, in part because of allegations of large numbers of civilian casualties, which American officials say are exaggerated."
"Despite public remarks by Mr. Obama and his aides on the legal basis for targeted killing, the program remains officially classified."
Sarah Knuckey of New York University School of Law asks:
"What if all countries did what the U.S. is doing?"
A study performed by Stanford Law School and the NYU School of Law contends that the government's claims of surgical accuracy are nothing more than propaganda:
"While civilian casualties are rarely acknowledged by the US government, there is significant evidence that US drone strikes have injured and killed civilians."
"US drone strike policies cause considerable and under-accounted for harm to the daily lives of ordinary civilians, beyond death and physical injury. Drones hover twenty-four hours a day over communities in northwest Pakistan, striking homes, vehicles, and public spaces without warning. Their presence terrorizes men, women, and children, giving rise to anxiety and psychological trauma among civilian communities."
Glenn Greenwald points out the futility of our government's basic strategy:
"To solve the problem of anti-American hatred in the region, we must do more and more of exactly that which - quite rationally - generates that hatred."
Noam Chomsky observes:
"One of the major reasons for government secrecy is to protect the government from its own population."
The United States is setting a dangerous precedent, using methods that will inevitably backfire, while stifling formal legal challenges through secrecy. - BB(2012-11-25)
Thomas Friedman, the establishment mouthpiece, is back at it, toeing the corporate line with flimsy anecdotal evidence:
"We're in the midst of a perfect storm: a Great Recession that has caused a sharp increase in unemployment and a Great Inflection — a merger of the information technology revolution and globalization that is simultaneously wiping out many decent-wage, middle-skilled jobs, which were the foundation of our middle class, and replacing them with decent-wage, high-skilled jobs. Every decent-paying job today takes more skill and more education, but too many Americans aren’t ready. This problem awaits us after the 'fiscal cliff.'"
"Simply put, a desire for cheap, skilled labor, within the business world and academia, has fueled assertions—based on flimsy and distorted evidence—that American students lack the interest and ability to pursue careers in science and engineering, and has spurred policies that have flooded the market with foreign STEM workers. This has created a grim reality for the scientific and technical labor force: glutted job markets; few career jobs; low pay, long hours, and dismal job prospects for postdoctoral researchers in university labs; near indentured servitude for holders of temporary work visas."
These CEOs aren't job creators, they're wealth extractors. -BB(2012-11-19)
The U.S.-China Economic and Security Review Commission predictably concludes that (a drum roll please)... China is "the most threatening actor in cyberspace." Who would have guessed?
Former NSA and CIA director Michael Hayden indicates otherwise:
"There was a survey done not too many months ago. They asked the citizens of some cyber-savvy nations around the world, who do you fear most in the cyber-domain? And, quite interestingly, we were number one."
Given how much we spend on our military, roughly equal to the combined defense spending of the rest of the world, it's highly unlikely that China can hold a candle to the U.S. stockpile of offensive technology. -BB(2012-11-14)
Gary McGraw does a truly impressive job of revealing the flawed reasoning behind Leon Panetta's stance on cyber-attacks. In this illuminating essay Gary explains how the best defense is NOT a good offense (though such thinking might serve to acquire large disbursements of federal funding):
"We've established that offense, even in the guise of active defense is a poor deterrent. If everyone has cyber-rocks and attribution is difficult, a cyber-troublemaker can start a real war using Gandalf's trick. What are we to turn to as a deterrent or a power differentiator?"
"The answer is clear: cyber-defense."
This is a topic that I've also spoken about. -BB(2012-11-08)
Related: Chevron, Stuxnet, & Collateral Damage
"I don't think the U.S. government even realized how far it had spread... I think the downside of what they did is going to be far worse than what they actually accomplished."
Here's a question: Is the U.S. government going to compensate organizations which were unintended victims?
The New York Times celebrates Peter Neumann's gambit to rethink the whole concept of a computer:
"Years after most of his contemporaries have retired, Dr. Neumann is still at it and has seized the opportunity to start over and redesign computers and software from a 'clean slate.'"
"He is leading a team of researchers in an effort to completely rethink how to make computers and networks secure, in a five-year project financed by the Pentagon's Defense Advanced Research Projects Agency, or Darpa, with Robert N. Watson, a computer security researcher at Cambridge University's Computer Laboratory."
"One design approach that Dr. Neumann's research team is pursuing is known as a tagged architecture. In effect, each piece of data in the experimental system must carry 'credentials' — an encryption code that ensures that it is one that the system trusts. If the data or program’s papers are not in order, the computer won’t process them."
Cryptome offers a couple of salient remarks:
"Peter Neumann proposes killing computers and the Internet to start over and build something far worse to meticulously track every nano-bite of digital communications with unrevocable, implanted encrypted ID in every device to authenticate ID of users."
"DARPA, who else, is funding the work to kill anonymity and privacy for, ta da, national security racketeering."
"The bountiful cyberwar mongerers are delirious with support for their job security of predicting evermore Pearl Harbors, amply protected by secrecy of 'defensive' USG cyber aggression."
Keep in mind that Neumann works for SRI, which has long-standing ties with the Department of Defense. -BB(2012-10-31)
The New York Times has published an article that describes how the relatives of China's prime minister, Wen Jiabao, have benefited financially as a result of his political influence.
"Many relatives of Wen Jiabao, including his son, daughter, younger brother and brother-in-law, have become extraordinarily wealthy during his leadership, an investigation by The New York Times shows. A review of corporate and regulatory records indicates that the prime minister's relatives — some of whom, including his wife, have a knack for aggressive deal making — have controlled assets worth at least $2.7 billion."
Of course, these people don't even come close to the Walton family. According to labor economist Sylvia Allegretto:
"the Forbes list reveals that six Waltons — all children (one daughter-in-law) of Sam or James 'Bud' Walton the founders of Wal-Mart — were on the list. The combined worth of the Walton six was $69.7 billion in 2007 — which equated to the total wealth of the entire bottom thirty percent!"
The Waltons, you see, don't have time to run for office. They leave the dull chore of legislation to their political operatives in Washington. In fact, the Waltons probably see lawmakers as nothing more than 'hired help'.
The Chinese government has formally censored this story. In the United States, the ruling class doesn't bother. It's far easier to distract everyone with reality T.V., sports, and the latest electronic gadgets. - BB(2012-10-27)
This is a favorite tactic of the establishment, because it allows our legislators to throw their arms up and claim that there's nothing they can do.
"The causes of income stagnation are varied and lack the political simplicity of calls to bring down the deficit or avert another Wall Street meltdown. They cannot be quickly remedied through legislation from Washington. The biggest causes, according to interviews with economists over the last several months, are not the issues that dominate the political debate."
"At the top of the list are the digital revolution, which has allowed machines to replace many forms of human labor, and the modern wave of globalization, which has allowed millions of low-wage workers around the world to begin competing with Americans."
Of course, it's an obvious cover story, as Paul Pierson and Jacob Hacker explain. The U.S. economy is based on ground rules that are established by lawmakers.
"When you look at other affluent democracies that have also been exposed to these same kinds of pressures, who are actually more open -- smaller economies are often more open to the global economy than the United States is -- you don't see anything like the run-up in inequality, especially this very concentrated high-end inequality, in most of these other countries that you see in the United States. Which to us, really, was a very strong clue that we need to understand why the American response to globalization, to technological change has been different than the response of most other wealthy democracies."
Legislators won't do anything, not because of economic forces beyond their control, but because they're beholden to corporate money. -BB(2012-10-26)
High-profile commentators like Thomas Friedman purport to understand the great issues facing the United States:
"The nexus of debt, taxes and entitlements... how to generate growth and upgrade the skills of every American in an age when the merger of globalization and the information technology revolution means every good job requires more education; how to meet our energy and climate challenges; and how to create an immigration policy that will treat those who are here illegally humanely, while opening America to the world's most talented immigrants, whom we need to remain the world's most innovative economy."
Yet Friedman completely fails to acknowledge the underlying core issue that most gravely threatens society on a fundamental level: the corporate takeover of our republic. Perhaps this is expected as Friedman is, beyond a shadow of a doubt, a member of the establishment. As such he has to assume the system's validity a priori. The Occupy Movement doesn't suffer from this shortcoming.
"With the upcoming presidential election, we are going to be given two sides of the same corporate coin. Without question, we reject the idea that Mitt Romney, the man behind Bain Capital, can do anything other than gut what remains of the public sector, destroy what remains of our social services, and empower corporations to further take over our country."
"Barack Obama's agenda is not so different from that of Mitt Romney's. If Obama is elected we will continue to see more human rights abuses, the rolling back of our constitutional rights, and a continuation of the silent coup that corporate America is executing on what remains of our sham of a democracy."
Bill Moyers also stands in stark contrast to spokesmen like Friedman:
"We've been governed for years now by one or the other of them, see-sawing back and forth in controlling Congress and the White House, so self-absorbed and corrupted by money that neither seems willing or able to cope with reality, or even to grasp what's happening to everyday Americans. By their very nature, neither party's capable of providing the radical critique we need - a blunt, even brutal assessment of a political system so dysfunctional as to call into question the survival of democracy."
Metanoia Films does a brilliant job of explaining the two-party illusion here.
Let's face it, the 1% see us as expendable:
"Neither American political party recognizes this disconnect. Neither party can afford to recognize it, as both parties are dependent on corporate campaign financing, and offshoring boosts executive bonuses and share prices. A political party that opposes offshoring of US jobs simply does not get financed."
I've written about the corporate-party system also. -BB(2012-09-07)
Wired reports on the Pentagon's 'Plan X':
"The Pentagon's top research arm is unveiling a new, classified cyberwarfare project. But it's not about building the next Stuxnet, Darpa swears. Instead, the just-introduced 'Plan X' is designed to make online strikes a more routine part of U.S. military operations. That will make the son of Stuxnet easier to pull off -- to, as Darpa puts it, 'dominate the cyber battlespace.'"
Our leaders go into hysterics about Russia and China, to distract us from offensive programs that are being developed by the world's leading rogue state. All to the benefit of a sprawling defense industry, which is currently outshining Wall Street as far as CEO pay is concerned:
"Chief executives of the top five U.S. military contractors were paid a total of $107 million last year, 43 percent more than the heads of the five biggest U.S. banks, who made $75 million. That's a reversal from 2007, when the defense executives received $97 million, 41 percent less than the $163 million that went to the top banking chief executives."
Recall Harold Pinter's 2005 Nobel Lecture:
"I have said earlier that the United States is now totally frank about putting its cards on the table. That is the case. Its official declared policy is now defined as 'full spectrum dominance'. That is not my term, it is theirs. 'Full spectrum dominance' means control of land, sea, air and space and all attendant resources."
He's right. The moneyed elite are actually pretty clear about what they want. In his book Tragedy and Hope, Georgetown University professor Carroll Quigley breaks it down (see the bottom of page 277):
"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole."
For specifics, research the War and Peace Studies undertaken by the Council on Foreign Relations. -BB(2012-08-22)
The New York Times reports on a recent event, the Aspen Security Forum, which it also happens to sponsor. The Times claims that this is the "first official acknowledgment" of how vulnerable the U.S. is:
"General Alexander said that what concerned him about the increase in foreign cyberattacks on the United States was that a growing number were aimed at 'critical infrastructure,' and that the United States remained unprepared to ward off a major attack. On a scale of 1 to 10, he said, American preparedness for a large-scale cyberattack is 'around a 3.'"
Cryptome exposes this somber warning for what it is: propaganda.
"Alexander, contrary to previous DIRNSAs, is speaking quite often to gin cyber-aggression as dual-use head of NSA and Cybercom, first for defense second for offense, both now ordered to expound open cyber-threat propaganda to parallel long-standing covert information operations."
"Among a slew of commercial initiatives drumming cyber conflict, the Aspen Security Forum aims to be the premier war-bloviation platform, heavily empaneled by former USG officials now shilling for the national security industry. NY Times sponsorship is indicative of the perdurable wartime financial benefits for the media in conjunction with financial markets. Bloviation blows ill winds, the storm front gaining force during presidential campaigns."
"Cyber attacks on the US, do not forget them, they are legion, expect them, thanks to NSA/Cyber Command Anonymous operations."
These officials loudly warn about attacks on our infrastructure while they're busy sticking it to someone else under the veil of government secrecy. We've met the attackers; they're U.S. intelligence services. -BB(2012-07-27)
In the aftermath of the attack in Colorado, officials may take the opportunity to focus our attention on homegrown terror threats. This would only be expected as, in their minds, terror is the greatest threat that this country faces:
"Terrorism, Clapper [Director of National Intelligence] said, is the first and foremost threat."
Is our DNI aware that terrorist attacks killed seventeen U.S. private citizens in 2011? (see page 20 of the report)
On the other hand, there are roughly 30,000 people killed in lethal traffic incidents every year.
Of course, admitting this won't help the DNI acquire additional funding or authority. -BB(2012-07-24)
Barack Obama has left a missive at the corporate altar which is the Wall Street Journal:
"In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home. Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we've seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill."
"For the sake of our national and economic security, I urge the Senate to pass the Cybersecurity Act of 2012 and Congress to send me comprehensive legislation so I can sign it into law."
The Electronic Frontier Foundation warns that:
"Our contacts in Washington tell us it's likely that opponents will try to strip out these [privacy] protections by hyping up fears of catastrophic cyberattacks and calling for stronger national security provisions. We need to organize now to stop any Floor amendments that would undermine these major privacy wins."
Ask any seasoned Public Relations consultant. Nothing sells an agenda like a heavy dose of anxiety. Create the perception of a threat (the thesis) which leads to public outcry (the anti-thesis) and facilitates the adoption of a preconceived solution (synthesis). Hegel's dialectic lives on. -BB(2012-07-20)
First the Mortgage Crisis, then the LIBOR Scandal, and now we find that HSBC has been laundering money for Mexican drug lords and catering to the banking needs of Organized Crime groups the world over. Though Forbes is insistent that HSBC was, strictly speaking, fined for "inadequate paperwork." Ahem.
The attraction of this sort of blood money is that it represents a cheap source of what is essentially the banking industry's raw material. As Michael Ruppert explains in his book Crossing the Rubicon:
"Those who have the lowest cost of capital win. In the best-case scenario this would be capital on which you didn't have to pay any interest at all, or even raised -- somehow -- for free. Finding the cheap capital (just like the cheap oil) is the trick: knowing where the money is and how it works. But big money doesn't always broadcast its location."
I don't necessarily buy the cover story that these poor executives are simply in over their heads with regard to grasping the complex nature of their industry. I think they're well aware of the basic game plan: extract as much wealth as they can and work to prevent our mobilization against the process. HSBC will pay a fine and be on its merry way, because the elite own everyone with enough institutional authority to send them to jail. -BB(2012-07-17)
Related: David Brooks defends the elite:
"I'd say today's meritocratic elites achieve and preserve their status not mainly by being corrupt but mainly by being ambitious and disciplined. They raise their kids in organized families. They spend enormous amounts of money and time on enrichment. They work much longer hours than people down the income scale, driving their kids to piano lessons and then taking part in conference calls from the waiting room."
Chris Hayes offers an astute response:
"There's a lot of hard-working, disciplined, totally corrupt folks on Wall Street, for instance, and I don't think we have to choose between the two. And, you know, I make a book-length argument to support my contention..."
The Guardian has published a report that examines the Syrian "official spokesmen" or "pro-democracy campaigners":
"A number of key figures in the Syrian opposition movement are long-term exiles who were receiving US government funding to undermine the Assad government long before the Arab spring broke out. Though it is not yet stated US government policy to oust Assad by force, these spokespeople are vocal advocates of foreign military intervention in Syria and thus natural allies of well-known US neoconservatives who supported Bush's invasion of Iraq and are now pressuring the Obama administration to intervene."
Bassma Kodmani is one of these key figures. She's the director of the Arab Reform Initiative which was founded by the Council on Foreign Relations (CFR), an organization that's best described by Shoup and Minter:
"[Council on Foreign Relations] goals remain, as always, to influence the government and public opinion in favor of an imperial role for the United States."
With these credentials it should come as no surprise that she's been to the Bilderberg conference twice. In other words, she's a vetted representative of establishment interests. The Guardian article remarks:
"Kodmani is not some random 'pro-democracy activist' who happens to have found herself in front of a microphone... A picture is emerging of Kodmani as a trusted lieutenant of the Anglo-American democracy-promotion industry."
The crisis in Syria has set in motion a campaign to establish a pro-US regime. That is, one that supports U.S. foreign policy goals as defined by the boardrooms in Manhattan. Noam Chomsky states that:
"The real challenge for the west relates to democracy itself. If there were to be a true democracy in Syria, the west would find this much more difficult to handle."
This definitely says something about how the average Syrian feels about the United States. -BB(2012-07-13)
In the early days of the Soviet Empire, the GPU ran a counterintelligence campaign called Operation Trust which created an anti-Bolshevik opposition group in an effort to provide the GPU with a means to undermine their enemies. As Cryptome's John Young explains, this strategy is still being used:
"The enemy are those who set up and participate in false public interest initiatives to mislead the public, a very ancient practice of power groups who sponsor dissidents to serve as controlled opposition. CIA and most if not all national intelligence agencies (and their host governments) engage in this practice by supporting NGOs, individuals, churches, universities, think tanks, media outlets, including so-called alternative outlets, anti-war initiatives."
"Indeed, it is prudent to consider any long-lived group as having been either set up by authorities or co-opted once successful (usually through favorable tax treatment and funding). It is a difficult task to sort out who is complicit and who is not due to the quick adoption by covert operations of the honest groups means and methods."
Michel Chossudovsky offers a similar analysis:
"It is in the interest of the corporate elites to accept dissent and protest as a feature of the system inasmuch as they do not threaten the established social order. The purpose is not to repress dissent, but, on the contrary, to shape and mould the protest movement, to set the outer limits of dissent."
"To maintain their legitimacy, the economic elites favor limited and controlled forms of opposition, with a view to preventing the development of radical forms of protest, which might shake the very foundations and institutions of global capitalism. In other words, 'manufacturing dissent' acts as a 'safety valve,' which protects and sustains the New World Order."
In other words, high-level planners can control the outcome of a conflict by managing both sides. Manipulate the thesis and anti-thesis and you can determine the outcome of their inevitable synthesis. To put Hegel's dialectic another way: nothing beats a fixed fight. -BB(2012-07-05)
History repeats itself in Montana. The U.S. Supreme Court, in light of the Citizens United case, has reversed an existing decision of the Montana Supreme Court that limited political spending by business interests. Larry Howell, an associate professor at the University of Montana School of Law, explains what originally led to political spending limits in Montana:
"Montana's continued fight to restrict independent corporate expenditures in campaigns for elected office is rooted in the State's history of corrupt elections during the War of the Copper Kings, which took place at the turn of the twentieth century. At the time, the State was infamous for what historian K. Ross Toole described as the 'massive corruption of the machinery of government' that resulted from the willingness of three mining barons, or 'copper kings,' to spend millions of dollars in their battle to control both Montana's vast copper deposits and its government."
Somehow the U.S. Supreme Court believes that billions of dollars of untraceable cash won't purchase influence. The very fact that a decision like this could be made, one that contradicts well-documented historical evidence, is a demonstration of just how strong the ruling class has become. Without a doubt this is power being wielded, right before our eyes. The ventriloquists of Wall Street have gained the upper hand. -BB (2012-06-25)
For decades, ideologues like Alan Greenspan have perpetuated Ayn Rand's misconception that relentless self-interest was a good thing and that any attempt by the government to intervene was a bad idea (as Atlas might shrug and we'd all starve). After proving himself wrong, by playing a pivotal role in the dismantling of our regulatory structures, a normally unrepentant Greenspan would eventually admit that he was wrong.
Yet the cognitive illusion known as free market dogma survives in people like Jamie Dimon, who Barack Obama would have us believe is wealthy because he's 'superior' (the core tenet of Social Darwinism).
Research done by Kenichi Ueda and Beatrice Weder di Mauro of the IMF demonstrates otherwise. They aren't wealthy because they're brilliant; the elite of the financial sector are wealthy because they've paid off our elected officials and turned them into their personal political operatives. This article at Bloomberg describes a result of this relationship:
"In recent decades, governments and central banks around the world have developed a consistent pattern of behavior when trouble strikes banks that are large or interconnected enough to threaten the broader economy: They step in to ensure that all the bank's creditors, not just depositors, are paid in full. Although typically necessary to prevent permanent economic damage, such bailouts encourage a reckless confidence among creditors. They assume the government will always make them whole, so they become willing to lend at lower rates, particularly to systemically important banks."
In other words, our government is providing an implicit subsidy to large financial institutions by assuming risk of failure so that they can borrow at lower rates. Such is the moral hazard of what's known in financial circles as the "Greenspan put", the belief that the Fed will bail out the industry if failure is imminent.
This reveals free market ideology for what it is: a pretext that the elite dust off when they find it expedient, like when they want to attack social spending or other measures to protect the working class. Noam Chomsky describes this hypocrisy:
"Free markets are fine for you, but not for me. That's, again, near a universal. So you -- whoever you may be -- you have to learn responsibility, and be subjected to market discipline, it's good for your character, it's tough love, and so on, and so forth. But me, I need the nanny State, to protect me from market discipline, so that I'll be able to rant and rave about the marvels of the free market, while I'm getting properly subsidized and defended by everyone else, through the nanny State. And also, this has to be risk-free. So I'm perfectly willing to make profits, but I don't want to take risks. If anything goes wrong, you bail me out."
Thomas Friedman claims that our leaders simply need to be more honest.
"You'd think one of them, just one, would seize the opportunity to enlist their people in the truth: about where they are, what they are capable of"
Of course, this would require politicians to admit that they're nothing more than intermediaries for the small group of oligarchs that controls this country. -BB(2012-06-24)
Bruce Schneier has written an essay where he espouses the use of cyber treaties:
"Banning cyberweapons entirely is a good goal, but almost certainly unachievable. More likely are treaties that stipulate a no-first-use policy, outlaw unaimed or broadly targeted weapons, and mandate weapons that self-destruct at the end of hostilities. Treaties that restrict tactics and limit stockpiles could be a next step. We could prohibit cyberattacks against civilian infrastructure; international banking, for example, could be declared off-limits."
"...The very act of negotiating limits the arms race and paves the way to peace. And even if they're breached, the world is safer because the treaties exist."
This is debatable. For example, when the United States signed the Biological Weapons Convention of 1972, the Russians interpreted this as a sign to rush forward and create new weapons. According to Kanatjan Alibekov, First Deputy Director of Biopreparat from 1988 to 1992:
"In the 70s and beginning of 80s the Soviet Union started developing new biological weapons -- Marburg infection biological weapon, Ebola infection biological weapon, Machupo infection, [or] Bolivian hemorrhagic biological weapon, and some others."
"Smallpox was declared eradicated in 1980. And just immediately after, the Soviet Union government realized that nobody would have defense in the future against this agent, because it was declared [that] there was no necessity to vaccinate people any more. This weapon became one of the most important weapons, because the entire population of the Earth became absolutely vulnerable to this agent and to this weapon."
Concealing the development of malware is far easier than it is for bioweapons. How, exactly, are we to ensure that certain kinds of offensive software aren't being implemented? The very idea that we could detect and track the development of such malware is pleasant fiction.
What's more, in the aftermath of an orchestrated attack the quandary of attribution would make enforcement almost impossible. Staging an attack to frame another country is entirely feasible. Even worse, false-flag ops are well within reach of a funded private outfit. There are too many actors joining the fray, which is itself a wilderness of mirrors, for our leaders to think that they can put a lid on Pandora's Box with a treaty. I'm still not sure just how effective this approach would be. -BB(2012-06-14)
David Brooks, op-ed columnist for the New York Times, explains why society has lost faith in its institutions:
"Vast majorities of Americans don't trust their institutions. That's not mostly because our institutions perform much worse than they did in 1925 and 1955, when they were widely trusted. It's mostly because more people are cynical and like to pretend that they are better than everything else around them. Vanity has more to do with rising distrust than anything else."
Sorry Mr. Brooks, we don't trust these institutions because they don't deserve it. Trust is something that's earned and they've proven that they don't work on our behalf. How else would you explain the Gramm–Leach–Bliley Act or the Commodity Futures Modernization Act? How else would you explain the tidal wave of lobbying money that washes over the beltway? Or why banks that were too big to fail back then are larger than ever?
Our rising distrust isn't a product of our vanity. It results from the financial disaster of 2008 which, as Matt Taibbi puts it, "forced the monster of American oligarchy out from below the ocean surface and onto the beach, for everyone to see."
The Masters of Mankind, those "extraordinary" people celebrated by the establishment, have demonstrated a notable talent for rigging the game, wading neck deep into "shitty deals", and then getting their political operatives in DC to stick the rest of society with the losses. -BB(2012-06-12)
Update: a more recent version of this essay has been posted at Counterpunch.
After its initial discovery in 2010, the culprit behind the Stuxnet computer worm has finally been revealed: the United States. Despite the ruckus that U.S. officials make in public about Chinese and Russian hackers, the U.S. is admittedly one of the most active players in this field. News coverage may adopt a seemingly congratulatory tone but there are reasons why this is an unsettling state of affairs.
Containment and control are not trivial issues. As the White House discovered, once you deploy offensive software there's no guarantee that it won't find its way out into the wild and infect otherwise uninvolved third parties. And what about the risk that some random Black Hat scavenges captured components for their own purposes? These concerns are exactly what discouraged the Pentagon from launching a cyber-attack against Saddam Hussein's financial system before the invasion of Iraq.
Then there's also the matter of efficacy. Was the Stuxnet attack actually as debilitating as a conventional military strike? Or have decision makers merely shown their hand and tipped off the Iranians?
One aspect of Stuxnet, which has been corroborated at length by forensic investigators, is that the worm leveraged zero-day exploits to do its job. It's generally known among Black Hats that the United States is a principal customer in the underground market for zero-day exploits. As Bruce Schneier notes, the very existence of a market like this undermines our collective security because it encourages flaws to remain secret on behalf of intelligence services who want to covertly access computers. This is security for the 1%, relative insecurity for everyone else.
Finally, Stuxnet exposes American exceptionalism. Espionage and sabotage are presented as intolerable criminal transgressions, normally causing our elected officials and military leaders to erupt in fits of righteous indignation. That is, unless the United States is doing the spying and the sabotaging (in which case we're seemingly rather proud of our status as leading rogue state). By crossing the Rubicon, our leaders have irrevocably lost the moral high ground. Not a wise decision for a country that, itself, depends heavily on the same buggy software that it regularly subverts. -BB(2012-06-06)
Related: With regard to attribution and Flame, this blogger claims to know who's responsible:
"My source also tells me that this is the first known instance in which Israeli intelligence has used malware to intrude on Israeli citizens. Within Israel and the Palestinian territories Flame is implemented by the Shin Bet. The 'beauty' of it for the secret police is that unlike 'legal' eavesdropping on phones or computers, you don't need to ask for judicial approval to infect a computer."
Conjecture? Disinformation? This would be standard tradecraft (spies love nothing more than to muddy the water). An official statement by an Israeli government spokesman denies any responsibility.
On the other side of the Atlantic, an NBC reporter has quoted an unnamed U.S. official who stated that "it was U.S." Yet the New York Times article says otherwise:
"The computer code [for Flame] appears to be at least five years old, and American officials say that it was not part of Olympic Games. They have declined to say whether the United States was responsible for the Flame attack."
Five years old? Anti-Virus researchers like Mikko Hypponen openly admit that current approaches to securing systems are lacking:
"Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn't. We were out of our league, in our own game."
This morning Jake Tapper presented the following question to the Secretary of Defense:
"The Times of London reported last week that the civilian casualties in Yemen as a result of drone strikes have, quote, 'emboldened Al Qaeda.' Is there not a serious risk that this approach to counterterrorism, because of its imprecision, because of its civilian casualties, is creating more enemies than it is killing?"
Leon Panetta's response:
"First and foremost, I think this is one of the most precise weapons that we have in our arsenal. Number two, what is our responsibility here? Our responsibility is to defend and protect the United States of America."
Glenn Greenwald offers some revealing commentary:
"Note that Panetta studiously ignored, rather than addressed, the question of whether the U.S. - by continuously killing Muslim civilians and thus intensifying anti-American animus - is creating more Terrorists than it is killing and thus making the U.S. less safe. That's because there is no answer. Continuously bombing Muslim countries and killing civilians ostensibly as a means of combating anti-American Terrorism is exactly like smoking six packs of cigarettes a day to treat emphysema: one would do it only if one wanted to make the problem worse, or, at best, was recklessly indifferent to the outcome."
Note also how Mr. Tapper didn't insist on getting a straight answer. - BB(2012-05-27)
Related: Business interests in Ohio are trying desperately to jump on the drone bandwagon.
"Ohio, in particular, has made attracting the drone industry a major component of its statewide economic strategy, hoping to encourage local economic growth and create jobs by making the state the premier location for drone testing and research in the U.S."
"In order to clear the way for increased drone testing and research in Ohio, the Dayton Development Coalition and Science Applications International Corporation (SAIC), a major defense contractor with substantial operations in Dayton, are conducting a multi-year study led by 'senior executives of military and civilian stakeholder organizations.'"
This New York Times report looks at how the 1% in China are utilizing an age-old technique to try and mobilize the populace:
"This week Mr. Yang revealed another side of his persona in a torrent of microblog messages that derided some foreigners as 'trash' and accused Western men of seducing local women in an effort to spy on China."
"Analysts suggest the rising nationalist sentiment may be related to a spate of events that have unnerved the Chinese leadership, including territorial disputes in the South China Sea, a sharply slowing domestic economy and the political turmoil prompted by the downfall of the populist up-and-comer Bo Xilai."
Misdirect people to an external enemy to distract them from a concrete internal threat. Tycoon Joe Ricketts is using the same ploy here in the United States:
"Our Republic is under assault from our government..."
The big lie is a standard propaganda technique. It's described below in an Office of Strategic Services profile of Adolf Hitler:
"People will believe a big lie sooner than a little one; and if you repeat it frequently enough people will sooner or later believe it."
A couple of years back, New York Times columnist David Brooks wrote a piece which appears to have based its conclusions on the big lie of high finance:
"They [populists] can't seem to grasp that a politics based on punishing the elites won't produce a better-educated work force, more investment, more innovation or any of the other things required for progress and growth."
"Hamilton championed capital markets and Lincoln championed banks, not because they loved traders and bankers. They did it because they knew a vibrant capitalist economy would maximize opportunity for poor boys like themselves. They were willing to tolerate the excesses of traders because they understood that no institution is more likely to channel opportunity to new groups and new people than vigorous financial markets."
In other words, we have to overlook their shortcomings because these men are geniuses who construct the pillars of economic growth. President Obama definitely admires certain members of the financial caste:
"JPMorgan is one of the best-managed banks there is. Jamie Dimon, the head of it, is one of the smartest bankers we got"
Such is the big lie. Matt Taibbi breaks it down:
"Goldman is not a company of geniuses, it's a company of criminals. And far from being the best fruit of a democratic, capitalistic society, it's the apotheosis of the Grifter Era, a parasitic enterprise that has attached itself to the American Government and taxpayer and shamelessly engorged itself on us all."
These bankers aren't givers, they're takers. That's their fiduciary duty: short-term profit regardless of the greater societal costs. Does Brooks's op-ed sound more like an apologia for the 1%? -BB(2012-05-23)
Recently a federal judge forbade enforcement of detention-related portions of the 2012 NDAA. According to Chris Hedges:
"The government has 60 days to appeal. It can also, as Mayer and Afran have urged, accept the injunction that nullifies the law. If the government appeals, the case will go to a federal appellate court. The ruling, even if an appellate court upholds it, could be vanquished in the Supreme Court, especially given the composition of that court."
Is this really about fighting terror, or perhaps something else?
"The corporate state knows what is coming. Globalization is breaking down. Our natural resources are being depleted. Economic and political upheavals are inevitable. And our corporate rulers are preparing a world of masters and serfs, a world where repression will be our daily diet, a world of hunger and riots, a world of brutal control and a world where our spirits must be broken."
Keep in mind that in terms of sheer size, the DHS is unrivaled outside of the military. -BB(2012-05-21)
"Studies conducted by Canadian forensic psychologist Robert Hare indicate that about 1 percent of the general population can be categorized as psychopathic, but the prevalence rate in the financial services industry is 10 percent. And Christopher Bayer believes, based on his experience, that the rate is higher."
The author then goes on to describe a mindset that has become commonplace in corporate boardrooms:
"Enron, BP, Goldman, Philip Morris, G.E., Merck, etc., etc. Accounting fraud, tax evasion, toxic dumping, product safety violations, bid rigging, overbilling, perjury. The Walmart bribery scandal, the News Corp. hacking scandal -- just open up the business section on an average day. Shafting your workers, hurting your customers, destroying the land. Leaving the public to pick up the tab. These aren't anomalies; this is how the system works: you get away with what you can and try to weasel out when you get caught."
The standard counter-argument goes something like this: sure, there are a few bad apples. But there are a lot of honest, hard-working executives in the workplace too. Deresiewicz responds by observing that ethical behavior is purely optional. I would further add that institutional forces also drive executives to behave as if they were psychopaths.
"There are ethical corporations, yes, and ethical businesspeople, but ethics in capitalism is purely optional, purely extrinsic. To expect morality in the market is to commit a category error. Capitalist values are antithetical to Christian ones. (How the loudest Christians in our public life can also be the most bellicose proponents of an unbridled free market is a matter for their own consciences.) Capitalist values are also antithetical to democratic ones. Like Christian ethics, the principles of republican government require us to consider the interests of others. Capitalism, which entails the single-minded pursuit of profit, would have us believe that it's every man for himself."
The "job creators" claim they're merely "doing god's work." -BB (2012-05-13)
In this essay Glenn Greenwald explains (once again) why it's dangerous to make exceptions to the rule of law, even when it seems justifiable:
"Julius Caesar... noted that Roman law forbids the execution of Roman citizens even for heinous crimes, and that executing the conspirators would thus require the creation of a radical and dangerous precedent: dangerous because to vest the power in the State to kill its own citizens, even if justified in the specific case where it is first done, would be to vest the power generally and thus ensure its inevitable abuse."
The same dynamic is at work with the Glomar Doctrine, a policy which:
"Allows government agencies to respond to requests under the Freedom of Information Act, or FOIA, by refusing to confirm or deny the existence of the records that have been requested."
When the Glomar Doctrine was first established, there seemed to be legitimate reasons. But now...
"The C.I.A. has grossly abused it, in cases relating to the targeted killing program and other counterterrorism operations. It is invoking the doctrine not to protect legitimately classified information from disclosure, but to shield controversial decisions from public scrutiny and to spare officials from having to defend their policies in court."
In order to govern and make constructive decisions, citizens need access to accurate information. -BB(2012-05-08)
Author Michael Snyder laments that:
"We are witnessing the deindustrialization of America. Tens of thousands of factories have left the United States in the past decade alone. Millions upon millions of manufacturing jobs have been lost in the same time period. The United States has become a nation that consumes everything in sight and yet produces increasingly little."
If a manufacturing country like China wants to engage us in a trade war, what do you think would happen? We don't make anything... -BB (2012-05-06)
This IMF report describes a process of economic extraction that has been utilized over the past few decades:
"The poor and the middle class seem to have resisted the erosion of their relative income position by borrowing to maintain a higher standard of living; meanwhile, the rich accumulated more and more assets and invested in assets backed by loans to the poor and the middle class. Consumption inequality that is lower than income inequality has led to much higher wealth inequality."
In other words, profits made on the back of stagnating wages, cutbacks, and increased efficiencies have been invested... so that the rich can loan the money back to us and charge us interest on it.
Paul Krugman points out the ultimate culprit:
"The real structural problem is in our political system, which has been warped and paralyzed by the power of a small, wealthy minority. And the key to economic recovery lies in finding a way to get past that minority's malign influence."
Our Republic has suffered a Corporate Coup d'Etat. - BB(2012-05-04)
The GOP's Paul Ryan spells it out:
"Cut income tax rates and simplify the code, privatize Medicare, shrink the food-stamp and Medicaid programs and turn almost all control over to the states, and reduce domestic federal spending to its smallest share of the economy since World War II."
This op-ed warns that:
"The slow start for the economy in 2012 - an annual rate of 2.2 percent in the first three months of the year - is evidence that the recovery is too weak to push joblessness much lower than its current 8.2 percent, and too fragile to withstand the kinds of budget cuts Congressional Republicans are proposing."
Noam Chomsky further explains that:
"The reason is that state governments are much more under the control of private business than the federal government is. The federal government's big enough so that, you know, it can somehow stand up against private power to some extent. State governments, it's hopeless. I mean, even middle-sized businesses can play one state against another."
For good measure, Paul Krugman choke slams Mitt Romney:
"Not long ago, conservatives gushed over Ireland's economic policies, especially its low corporate tax rate; the Heritage Foundation used to give it higher marks for 'economic freedom' than any other Western nation. When things went bad, Ireland once again received lavish praise, this time for its harsh spending cuts, which were supposed to inspire confidence and lead to quick recovery. And now, as I said, almost a third of Ireland's young can't find jobs."
At least the Democrats try to assume a low profile when they cater to the 1%. -BB(2012-04-30)
As usual, the universal apology ("national security") is brought out by decision makers to explain away torture.
"But we did the right thing for the right reason. And the right reason was to protect the homeland and to protect American lives. So yes, I had no qualms."
Another approach is to re-direct our attention to an equally disturbing practice:
"We don't capture anybody any more, Lesley. You know their default option of this Administration has been to kill all prisoners. Take no prisoners."
Nevertheless, even the Inspector General of the CIA concluded that there's no solid proof that torture works (see page 89):
"There is limited data on which to assess their [Enhanced Interrogation Techniques] individual effectiveness."
Senator John McCain agrees that not only is torture ineffective, but it also robs us of any sort of moral authority. -BB (2012-04-30)
With homage to Chomsky, Rob Urie takes this meme and applies it to our military campaigns in the Middle East:
"The wars in Iraq and Afghanistan are wars over resources, primarily oil. In the minds of war architects they may serve a broader geopolitical purpose, but that purpose is at its core economic --maintaining a ready supply of oil for multinational oil companies. The wars were estimated some years ago to cost several trillion dollars. This amount is to be borne by taxpayers, not to mention the human toll in lives and lost possibilities. Another way to phrase this is: 'oil companies and military contractors got bailed out, we got sold out.'"
With regard to implementing this purpose, the tip of the spear is well-protected by state sanctioned secrecy:
"The rest of the world has had few illusions about where American wealth comes from. The CIA has long functioned as an oil mafia undermining democratically elected and democratically functioning governments to control oil for private interests. The American military has been a tool of private American interests for most of its existence. And these government agencies are economies unto themselves receiving 'black' budgets over which there is little oversight or accountability."
Witness the efficacy of corporate extraction and exploitation. -BB (2012-04-29)
According to the New York Times, Neil Heywood, the British businessman who was allegedly murdered in China, had ties to Hakluyt & Company, a private-sector spook outfit established by former MI6 officers.
"The private intelligence firm Hakluyt, founded by former officials with MI6, the British secret intelligence service, said Mr. Heywood had occasionally worked as one of its associates, helping prepare due-diligence reports on Chinese companies for investors. That association, even if it had ended months before his death, inspired speculation that he was a spy, although an official with the Foreign Office in London effectively denied that."
There are whispers that Hakluyt is still on Shell Oil's payroll. This isn't necessarily surprising, as Shell has made use of Hakluyt's clandestine services before. Shell Oil has done business in Chongqing, the city where it is believed that Mr. Heywood was murdered. The Wall Street Journal recently reported that Shell "signed the first production-sharing contract to explore, develop and produce shale gas in China." This deal was signed with China National Petroleum Corporation, which has ties to several people involved in this scandal. -BB (2012-04-28)
Yesterday in a hearing of the House Subcommittee on Oversight, Investigations, and Management (OMI), Cyber-Hype got some air time:
"The US government, critical infrastructures, American business institutions and our personal data are being compromised by nation states and hacker groups. The intent is to conduct cyber warfare, possibly paralyzing our infrastructure, stealing our intellectual property, conducting espionage, and gaining access to our credit card, bank account and social security numbers."
It's no surprise that the legislator who made these statements, Michael McCaul (R-TX), has received campaign money from the likes of Raytheon, Boeing, VeriSign, and Lockheed Martin.
In accordance with Ferguson's Investment Theory of Politics, McCaul is merely catering to the wants and needs of his constituents (e.g. defense contractors).
Forget Cyberwar. Let's focus on serious threats, like greedy bankers. -BB (2012-04-25)
According to 60 Minutes, Lehman execs have relative immunity from SEC prosecution:
"There is one plausible explanation why the SEC hasn't gone after top Lehman executives. As it turns out, some of Lehman's most egregious accounting shenanigans took place right under the noses of government regulators."
It probably didn't help that the regulators in the SEC were outgunned with respect to grasping the rocket-science internals of derivatives.
"They may not have had the expertise necessary to understand the material they were receiving. They were getting the material. Whether they understood it is another question."
All of this complexity is a shroud that bankers hide behind. Once more, because officials in DC see these execs as being privy to the inner workings of certain opaque financial products, Washington brings the execs back to clean up the mess that they created. Sensible minds would have reinstated the Glass-Steagall Act. No such luck. -BB (2012-04-23)
These world-class economists, who documented the growth of economic inequality in the United States, broach the subject of taxation:
"Their proposed corrective remains far outside the bounds of polite political conversation: much, much higher top marginal tax rates on the rich, up to 50 percent, or 70 percent or even 90 percent, from the current top rate of 35 percent."
"Mr. Piketty and Mr. Saez argue that history is on their side: Many countries have higher tax rates -- and the United States has had higher tax rates -- without stifling growth or encouraging the concentration of income in the hands of the very rich."
"I have worked with investors for 60 years and I have yet to see anyone - not even when capital gains rates were 39.9 percent in 1976-77 - shy away from a sensible investment because of the tax rate on the potential gain. People invest to make money, and potential taxes have never scared them off."
Related: According to a report from Mother Jones:
"Between 2008 and 2011, 26 major American corporations paid no net federal income taxes despite bringing in billions in profits."
"When big corporations use offshore tax havens, small businesses pay the price -- literally. If they were to cover the cost of corporate abuse of tax havens in 2011, the average U.S. small business would pay $2,116."
Related: It Pays to Lobby.
"280 profitable Fortune 500 companies collectively received $223 billion in tax breaks between 2008 and 2010 while contributing $216 million to Congressional candidates over the last four election cycles."
The San Jose Mercury News has published a report on the emerging concept of public-private partnerships to fight cybercrime.
"On Monday, in a sign these concerns are shared at the highest levels of the Obama administration, Homeland Security Secretary Janet Napolitano will make a personal pitch for help to tech companies in San Jose. And Congress is mulling several bills to encourage government and business to share intelligence about the computerized threats."
"Also sounding alarms is Gen. Keith Alexander, director of the National Security Agency and commander of U.S. Cyber Command, which guards military networks. At an October conference he appealed for the private and public sectors to work together because 'this is something that we cannot do by ourselves.'"
Related: The EFF states that:
"The bill expressly authorizes monitoring of our private communications, and is written so broadly that it allows companies to hand over large swaths of personal information to the government with no judicial oversight--effectively creating a 'cybersecurity' loophole in all existing privacy laws."
Take action: here. -BB (2012-04-15)
This L.A. Times article exposes a rift in the upper echelons of China's ruling class. The implications are disturbing.
"Last month, Bo [Xilai] lost his job, fired over what was described in a Communist Party statement released through state media this week as 'serious discipline problems.' The statement also said Gu [Bo's wife] and a family aide were under arrest as suspects in the November death of Neil Heywood, a 41-year-old British businessman and a longtime family friend."
It would appear that, similar to the basic dynamic in the United States, rule of law breaks down as one ascends the power structure. Recall the case of Viktor Bout. Are Chinese officials only willing to enforce the law now that Bo has outlived his usefulness? Would this murder have been investigated as rigorously if Bo had chosen not to rock the boat? All animals are equal, only some are more equal than others. Especially in China - BB(2012-04-11)
Related: this New York Times article observes that:
"In the view of some analysts and party insiders, that same scandal has raised the notion of high-level misconduct among China's elite to a level that some say could have far-reaching and unpleasant implications for stability. It could cast a long shadow over one of the party's linchpins: the notion that a handful of all-powerful officials and retired elders are better qualified to pick their successors than are ordinary citizens."
This article reveals how Universities have become concerned that people may begin to evaluate the quality of their programs. Educators contend that:
"I'm not sure any standardized test can effectively measure what students gain in problem-solving, or the ability to work collaboratively"
Of course, there's no reason to shell out $80,000 to learn how to problem solve or work collaboratively. The best way to acquire these tools is through direct experience in the field, not in a classroom. Organic chemistry and quantum mechanics, now that's a different story...
"In 2008, the Consortium on Financing Higher Education, a group of some of the nation's most prestigious colleges and universities --including all of the Ivy League-- issued a lengthy manifesto saying that what its students learn becomes evident over decades and warning against a 'focus on what is easily measured.'"
Would you join a weight loss program that didn't believe in scales? The people who ran such a business could shower customers with a litany of alleged benefits without having to demonstrate any sort of concrete results. The Ivy League institutions, in particular, face the unpleasant prospect of people realizing that the diplomas that they sell are merely pricey ornaments made of paper. -BB (2012-04-08)
"The Tsolakoglou government has annihilated all traces for my survival, which was based on a very dignified pension that I alone paid for 35 years with no help from the state. And since my advanced age does not allow me a way of dynamically reacting (although if a fellow Greek were to grab a Kalashnikov, I would be right behind him), I see no other solution than this dignified end to my life, so I don't find myself fishing through garbage cans for my sustenance. I believe that young people with no future, will one day take up arms and hang the traitors of this country at Syntagma square, just like the Italians did to Mussolini in 1945."
The New York Times has covered a monograph released by the Brookings Institute:
"At a seminar last week at Tsinghua University in Beijing, where Brookings finances a study center, Mr. Lieberthal said there was an increasing belief on both sides that the two countries would be 'antagonistic in 15 years.' That would mean major military expenditures by both countries to deter each other, and pushing other countries to take sides."
The tone of this content is very telling. In the late 1970s, a decorated CIA officer named John Stockwell went public. In his book, The Praetorian Guard, he stated that:
"Enemies are necessary for the wheels of the U.S. military machine to turn."
The Times article above also makes reference to cyber operations originating (e.g. IP address) from within China.
"American law enforcement officials see an alarming increase in Chinese counterespionage and cyberattacks against the United States that they have concluded are directed by the Chinese authorities to gather information of national interest."
Some concrete proof might be nice, the kind that stands up in a court of law.
Richard Clarke, in a separate Times op-ed, believes that traffic inspection is the way out:
"The Department of Homeland Security could inspect what enters and exits the United States in cyberspace. Customs already looks online for child pornography crossing our virtual borders. And under the Intelligence Act, the president could issue a finding that would authorize agencies to scan Internet traffic outside the United States and seize sensitive files stolen from within our borders."
Yet, it's dangerous to institute the tools of a Police State and simply assume that they'll never be abused. Classified Executive Orders seem to be in fashion at the moment... -BB(2012-04-03)
The EFF discusses Senator Joseph Lieberman's Cybersecurity Act of 2012 (S. 2105) and McCain's SECURE IT Act (S. 2151):
"As written, these bills could provide immunity to ISPs and other private and government actors for all of the egregious behavior outlined above involving the monitoring, blocking, and modification of data packets."
This post also highlights an aspect of cybersecurity that's traditionally ignored by lawmakers:
"The intelligence community within the government benefits from keeping attacks secret so that they can be deployed against our enemies, and very likely stockpiles zero-day exploits for this offensive purpose. There is then pressure to selectively harden sensitive targets while keeping the attack secret from everyone else and leaving popular software vulnerable. This is 'security for the 1%,' and it makes the rest of us less safe."
Elected officials want to avoid laws that might offend their investors (software vendors) in the private sector. -BB(2012-03-25)
Update (2012-04-02): An article at Forbes reports that iOS exploits garner the highest payday.
Professor Saez has updated his paper "Striking it Richer: The Evolution of Top Incomes in the United States" to include data up to the end of 2010. His conclusions are not encouraging.
"In 2010, average real income per family grew by 2.3% (Table 1) but the gains were very uneven. Top 1% incomes grew by 11.6% while bottom 99% incomes grew only by 0.2%. Hence, the top 1% captured 93% of the income gains in the first year of recovery."
The political operatives of the 1% think this is a good thing:
"There is income inequality in America. There always has been and hopefully, and I do say that, there always will be."
Perhaps these apologists should visit the Third World to see exactly where we're headed. The kind of inequality we're witnessing is a threat to our republic -BB(2012-03-14)
Beryl Benderly exposes the myth of the skill shortage:
"For years that the US produces ample numbers of excellent science students. In fact, according to the National Science Board's authoritative publication Science and Engineering Indicators 2008, the country turns out three times as many STEM degrees as the economy can absorb into jobs related to their majors."
The reports which claim that we don't have enough grads in the hard sciences are driven by greedy corporate interests that want access to cheap labor. I applaud the Columbia Journalism Review for honestly covering this topic. -BB (2012-03-02)
Related: don't let the recent unemployment figures fool you. As Dave Lindorff remarks:
"The US economy is in the same swamp that it has been in for the past four years, and the American people are still being screwed by a system that is all about shifting wealth from the bottom and the middle up the top 1%."
"Today, Monday 27 February, WikiLeaks began publishing The Global Intelligence Files -- more than five million emails from the Texas-headquartered 'global intelligence' company Stratfor. The emails date from between July 2004 and late December 2011. They reveal the inner workings of a company that fronts as an intelligence publisher, but provides confidential intelligence services to large corporations, such as Bhopal's Dow Chemical Co., Lockheed Martin, Northrop Grumman, Raytheon and government agencies, including the US Department of Homeland Security, the US Marines and the US Defense Intelligence Agency. The emails show Stratfor's web of informers, pay-off structure, payment-laundering techniques and psychological methods."
This demonstrates that nation states don't have a monopoly on intelligence collection and analysis. - BB(2012-02-27)
They're back at it again: the Cult of Cyberwar has revealed a new marketing twist on their standard doomsday message, switching from China to Anonymous. George Smith breaks it down:
"One of the central features of cyberwar/cyberattack scaremongering is argument from authority. US officials have abused it for personal and political agendas for well over a decade. In the process, they've destroyed any legitimacy, relying totally on fantastic and apocalyptic claims, never backing anything up other than with assertion one had better listen up because very important people are all repeating the same claims. Noam Chomsky called it manufacturing consent. Now it's gulling the rubes for personal gain."
Related: The Atlantic questions:
"Ask yourself if Anonymous should be deemed a terrorist group. Who has Anonymous hurt? What kinds of laws have they broken? Are they pursuing weapons? Do they sell drugs? Do they have guns? What credible evidence do we have that they are trying to hurt regular citizens? If not, what is gained by lumping them in along with real and persistent threats to Americans?"
For all to see... this is the rain dance of the 1% - BB(2012-02-23)
There are reasons why an open debate about the role of money in politics has been stymied. It goes without saying that a truly honest conversation about the formulation of public policy is bound to make the vast majority of elected officials uneasy. The relatively small group at the top of the income spectrum is in a position where they can exert their leverage, directly or indirectly, to muddy the water and silence dissent. In some cases the mere threat of reprisal is enough to quell voices of opposition.
The 1st edition of The Rootkit Arsenal, published back in the summer of 2009, included a short epilogue that raised questions about the underlying integrity of the political system in the United States. It used the metaphor of a malware infestation to discuss aspects of popular participation and means of control. In preparing the forthcoming 2nd edition, this material has been extended and explores territory that has just barely received attention from the major news outlets. Though the publisher has opted not to include this content, it has been made available here.
In this article from the Daily Beast we see the U.S. government admitting that the Significant Activity reports in question (the documents contained in the Iraq and Afghan war logs) did NOT contain information that would compromise our key sources.
"Would a SIGACT, if it was released, compromise our key sources?"
National security is the perfect apology, an all-purpose justification used to marginalize us and give free rein to those who would abuse it. -BB(2011-12-18)
This op-ed, written by two retired four-star Marine generals, notes that U.S. legislators believe that we must choose between our safety and our ideals:
"One provision would authorize the military to indefinitely detain without charge people suspected of involvement with terrorism, including United States citizens apprehended on American soil. Due process would be a thing of the past. Some claim that this provision would merely codify existing practice. Current law empowers the military to detain people caught on the battlefield, but this provision would expand the battlefield to include the United States -- and hand Osama bin Laden an unearned victory long after his well-earned demise."
"A hollowed-out country like this one, which is under-funding education, health care, infrastructure investment, research, and environmental protection, while its governing class steadily disenfranchises, disempowers, and impoverishes the public while systematically taking away their right to protest, is ultimately doomed."
Dana Priest has reported on the vast domestic security apparatus that was built up in the wake of 9/11. Re-visit the above op-ed one more time and consider this development. Then consider who funds all those lobbyists in D.C. -BB(2011-12-17)
"The Forbes list reveals that six Waltons -- all children (one daughter-in-law) of Sam or James 'Bud' Walton the founders of Wal-Mart -- were on the list. The combined worth of the Walton six was $69.7 billion in 2007 -- which equated to the total wealth of the entire bottom thirty percent!"
Six people own more than the bottom 30%. Can you imagine the political influence these six people have? Somebody funds all those lobbyists. It's only natural that these people have moved to cut back on employee benefits. -BB(2011-12-15)
Related: The Guardian reports that the top one percent received 27-40% pay hikes last year. How are you doing?
David Samuels provides a degree of clarity to what's really at stake.
"The fact that so many prominent old school journalists are attacking him with such unbridled force is a symptom of the failure of traditional reporting methods to penetrate a culture of official secrecy that has grown by leaps and bounds since 9/11, and threatens the functioning of a free press as a cornerstone of democracy."
"The result of this classification mania is the division of the public into two distinct groups: those who are privy to the actual conduct of American policy, but are forbidden to write or talk about it, and the uninformed public, which becomes easy prey for the official lies exposed in the Wikileaks documents"
John Young of Cryptome chimes in about the media's double standard:
"This scapegoating of WikiLeaks and Assange by the New York Times counsel commences a defense against prosecution for conspiracy. Expect all those who have profited from the WikiLeaks salacious material and worldwide consumption of it, including the WSJ, will do the same. Official secrecy is the biggest cause of leaks, and nobody leaks more than governments and lawyers in their own interest, under guise of national security, law and order, fair play, and other dissimulation."
The media relies heavily on the government as a source of information. You can expect the major outlets to toe the line. -BB(2011-12-14)
While critics have claimed a lack of focus, this is just misinformation. As Robert Fisk explains, people are outraged because:
"They have for decades bought into a fraudulent democracy: they dutifully vote for political parties which then hand their democratic mandate and people's power to the banks and the derivative traders and the rating agencies, all three backed up by the slovenly and dishonest coterie of 'experts' from America's top universities and 'think tanks', who maintain the fiction that this is a crisis of globalization rather than a massive financial con trick foisted on the voters."
Mark Shields adds:
"I think the message, which is, people say, unclear is a lot stronger than the messenger... It cuts across partisan, religious, racial, age divisions. So I think that is a direct consequence of the movement. I think the movement's message has been very effective in getting across."
Our Secretary of State proclaims the following during a speech at the Hague:
"This is an urgent task. It is most urgent, of course, for those around the world whose words are now censored, who are imprisoned because of what they or others have written online, who are blocked from accessing entire categories of internet content, or who are being tracked by governments seeking to keep them from connecting with one another."
Glenn Greenwald points out the obvious double standard:
"What Hillary Clinton is condemning here is exactly that which not only the administration in which she serves, but also she herself, has done in one of the most important Internet freedom cases of the last decade: WikiLeaks. And beyond that case, both Clinton specifically and the Obama administration generally have waged a multi-front war on Internet freedom."
Once again, Clinton wields the unspoken assumption of American exceptionalism. -BB(2011-12-09)
Related: WikiLeaks has published an information pack on the banking blockade.
Henry Ford paid his workers enough so that they could buy the cars they produced. Alan Nasser points out that this dynamic has changed:
"Conventional economic wisdom teaches that it is not in the interests of employers to drive wages down to desperation levels, since most consumers are wage earners and consumption demand generates from 66 to 72 percent of the Gross Domestic Product. Were employers to drive wages too low they would at the same time destroy their customer base, which is good for neither capital nor labor. This line of reasoning assumes that capitalism is organized such that each nation's labor market is both entirely domestic and the sole source of the demand for its economy's output. But capitalism is a global system and its sovereign components are not closed economies."
The emergence of demand in other countries will allow business leaders to profit by hollowing out the American middle class. Our loss is their gain because they don't care what we can or cannot afford. After all, they can always give us loans so that we can purchase what they tell us we should have.
These people at the top are pressing their advantage and they're in this game to take it all. -BB(2011-12-03)
"Banking powerhouse Wachovia Corp. last year agreed to pay $160 million in forfeitures and fines after U.S. federal prosecutors accused it of 'willfully' overlooking the suspicious character of more than $420 billion in transactions between the bank and Mexican currency-exchange houses - much of it probably drug money, investigators say."
As Ruppert points out, any business with access to cheap raw materials (capital, in the case of banking) has a notable advantage. Large banks might just overlook half a trillion dollars worth of drug-related business because it serves shareholders.
Notice how no one goes to jail for fundamentally enabling an industry that results in untold misery and destruction. Again, this just goes to show you who really runs this country. -BB (2011-12-02)
Related: check out Roger Ebert's review of Ruppert's 2009 documentary.
"'Who here has an iPhone?' Assange asked attendees of the press conference in London. 'Who here has a Blackberry? Who here uses Gmail? Well you are all screwed. The reality is intelligence contractors are selling right now to countries across the world mass surveillance systems for all of those products.'"
Assange also warns that:
"SSL is no longer safe and alleged that intelligence agencies have compromised Certificate Authorities (CAs). CAs issue digital certificates used for SSL. Hundreds of intermediate CAs can issue SSL certificates linked back to a root CA."
This is not a good sign. -BB(2011-12-02)
Again, we see how secrecy is used to marginalize us.
"The Fed didn't tell anyone which banks were in trouble so deep they required a combined $1.2 trillion on Dec. 5, 2008, their single neediest day. Bankers didn't mention that they took tens of billions of dollars in emergency loans at the same time they were assuring investors their firms were healthy. And no one calculated until now that banks reaped an estimated $13 billion of income by taking advantage of the Fed's below-market rates."
"The amount of money the central bank parceled out was surprising even to Gary H. Stern, president of the Federal Reserve Bank of Minneapolis from 1985 to 2009, who says he 'wasn't aware of the magnitude.' It dwarfed the Treasury Department's better-known $700 billion Troubled Asset Relief Program, or TARP. Add up guarantees and lending limits, and the Fed had committed $7.77 trillion as of March 2009 to rescuing the financial system, more than half the value of everything produced in the U.S. that year."
Lawmakers weren't aware of details. Even they were marginalized. This fact, all by itself, demonstrates who wields the real power in this country. -BB(2011-11-29)
"The fact is, if you sit on a healthcare committee and you know that Medicare, for example, is considering not reimbursing for a certain drug that's market moving information. And if you can trade stock off of that information and do so legally, that's a great profit making opportunity. And that sort of behavior goes on."
"The buying and selling of stock by corporate insiders who have access to non-public information that could affect the stock price can be a criminal offense, just ask hedge fund manager Raj Rajaratnam who recently got 11 years in prison for doing it. But, congressional lawmakers have no corporate responsibilities and have long been considered exempt from insider trading laws, even though they have daily access to non-public information and plenty of opportunities to trade on it."
"In mid September 2008 with the Dow Jones Industrial average still above ten thousand, Treasury Secretary Hank Paulson and Federal Reserve Chairman Ben Bernanke were holding closed door briefings with congressional leaders, and privately warning them that a global financial meltdown could occur within a few days. One of those attending was Alabama Representative Spencer Bachus, then the ranking Republican member on the House Financial Services Committee and now its chairman."
"These meetings were so sensitive-- that they would actually confiscate cell phones and Blackberries going into those meetings. What we know is that those meetings were held one day and literally the next day Congressman Bachus would engage in buying stock options based on apocalyptic briefings he had the day before from the Fed chairman and treasury secretary. I mean, talk about a stock tip."
They say that the grandfather clock in the Skull-and-Bones Tomb at Yale is set 5 minutes fast. There's something to this, as financial institutions profit by being first, being smarter, or by cheating. Offering access to information, which can then be monetized, is a more subtle means of influence peddling. Compare this to the brazen tactics of a lobbyist like Grover Norquist, who'll threaten to unseat Republicans who don't sign his pledge. As Cryptome's John Young explains:
"Secrecy poses the greatest threat to the United States because it divides the population into two groups, those with access to secret information and those without. This asymmetrical access to information vital to the United States as a democracy will eventually turn it into an autocracy run by those with access to secret information, protected by laws written to legitimate this privileged access."
This may help to explain why the founders of the CIA were heavily involved in finance. -BB(2011-11-27)
Reading a DHS threat assessment of the Occupy Pittsburgh campaign, authorities seem to think that the protests are primarily "focused on the banking and finance sector."
This merely hints at the core goals of this movement, which aims to instigate a "soft regime change" to "end the pervasive corruption at the heart of our political system, in which corporate money wins elections, drafts laws and trumps citizen desires."
It's not just indignation at the all-consuming greed of certain financial institutions. It's a desire to fundamentally alter our political institutions to remove the influence of big money. -BB (2011-11-25)
In this New York Times op-ed Ross Douthat describes how the 'Groupe de Francfort (GdF)' is reminding everyone who's really in charge:
"There were few tears in Italy and Greece for Silvio Berlusconi and George Papandreou, the prime ministers -- respectively corrupt and hapless -- whose downfalls were engineered by the Brussels-Berlin-Paris axis. But their forced departures, however welcome, open a troubling window on what a true European state would look like. Stability would be achieved at the expense of democracy: the rituals of parliaments and elections would endure, but the real decision-making power would pass permanently to the forces represented by the so-called 'Frankfurt Group' -- an ad hoc inner circle consisting of Germany's Angela Merkel, France's Nicolas Sarkozy and a cluster of bankers and E.U. functionaries, which has been spearheaded European crisis management since October."
You can expect to see more of this as decision makers encourage us to passively accept what's transpiring. -BB(2011-11-20)
Lobbyists see a chance to cash in.
"A well-known Washington lobbying firm with links to the financial industry has proposed an $850,000 plan to take on Occupy Wall Street and politicians who might express sympathy for the protests...The proposal was written on the letterhead of the lobbying firm Clark Lytle Geduldig & Cranford and addressed to one of CLGC's clients, the American Bankers Association."
This is a novel trench-level view of the 1%'s propaganda machine. -BB(2011-11-19)
"The InfoSec Institute (infosecinstitute.com) offers a variety of training on security topics such as penetration testing and reverse engineering. After it was discovered that ISI took large portions of material from Corelan.be without credit or license, additional review was performed of available material. This included a presentation from founder/owner Jack Koziol and other contract instructors. It became clear that the Corelan incident was not a one-off, and likely not the work of a rogue contractor as ISI claimed."
In the wake of 9/11 our decision makers funneled hundreds of billions of dollars into our intelligence apparatus. Yet, as Richard Clarke explains:
"We're all very glad that bin Laden has finally been caught, but it was a handful of people. It wasn't this enormous, bloated, tens of thousands of people apparatus that we've set up. It was a small, highly-skilled, highly dedicated group of intelligence analysts. That's who found him, not all of these contractors, not these giant agencies and giant centers."
This point raises other questions. Dana Priest, for example, asks:
"Why do we need such a large intelligence effort ---the 1,300 agencies we identified that are a part of this effort--- to defeat a couple thousand people?"
Perhaps Chris Hedges can shed some light on the topic:
"George Orwell wrote that all tyrannies rule through fraud and force, but that once the fraud is exposed they must rely exclusively on force. We have now entered the era of naked force. The vast million-person bureaucracy of the internal security and surveillance state will not be used to stop terrorism but to try and stop us."
As Miles Copeland has observed, our security services are firmly a part of the establishment. -BB(2011-11-15)
Related: City Councilman Ydanis Rodriguez would probably agree.
Politics: "The Shadow Cast on Society by Big Business"
Chomsky describes how the elite have given up on the social contract that emerged after WWII. Now they're just out to save themselves.
"In the past 30 years, the 'masters of mankind,' as Smith called them, have abandoned any sentimental concern for the welfare of their own society, concentrating instead on short-term gain and huge bonuses, the country be damned -- as long as the powerful nanny state remains intact to serve their interests."
The New York Times just published an op-ed by Jeff Sachs where he offers a few ideas on how to implement change:
"Shareholders, for example, should pressure companies to get out of politics. Consumers should take their money and purchasing power away from companies that confuse business and political power."
Is this realistic, given that large segments of shareholders might actually have a vested interest in lobbying elected officials? Will we, as consumers, be able to act as a countervailing force? It may not be so simple. The people that actually control this country have demonstrated in the past exactly how far they'll go to maintain control and criminalize dissent. -BB(2011-11-14)
Related: The Miracles of Modern Propaganda
"Ronald Reagan beat out Franklin Delano Roosevelt as the former president Americans would like to see in the White House during these trying economic times."
Viktor Bout is an international arms dealer who hails from Russia. He was extradited to the United States in 2010 from a prison in Thailand. Earlier this month he was convicted of conspiracy to kill U.S. citizens and provide aid to a terrorist organization.
Daniel Estulin traveled to Thailand to interview Bout before he was extradited.
The New York Times points out that:
"Irbis Air [Owned by Bout] landed in Baghdad 92 times between January and May 2004, while also conducting deliveries elsewhere in Iraq. Mr. Bout earned $60 million between 2003 and 2005 -- in addition to the free fuel that the United States military gave to regular cargo operators."
"Mr. Bout's client list in Iraq made for intriguing and damning reading: The United States Air Mobility Command, Federal Express, Fluor and KBR, among others. At the time Mr. Bout was supposedly wanted by the F.B.I. and the C.I.A., as well as being the subject of an Interpol arrest warrant."
Apparently the law does not apply to people who are useful to decision makers. Our rulers conveniently turn a blind eye and then shroud what's going on under the veil of national-security-imposed secrecy. The decision makers themselves are likewise immune. -BB(2011-11-12)
In an article that's been published by The Economist readers are told that:
"Braver politicians would focus on two things. The first is tackling the causes of the rage speedily. Above all that means doing more to get their economies moving again."
In a sense, there's misdirection taking place. The state of our economy is not a root cause, only a symptom. The markets upon which our economy is based are governed by rules that our legislators establish. Starting in the 1970s, industry leaders got organized and executed what is essentially a corporate coup. The market crash of 2008 is merely a natural result of this.
Talking about the economy is easier; it saves people from facing a more painful reality about who runs this country and how they operate. Better to stick to band-aid solutions that placate Main Street without really threatening Wall Street. This is tragic, because the fundamental problem and its consequences will continue to plague us despite how we address its symptoms. -BB(2011-11-09)
NYC Mayor Michael Bloomberg shows his true colors when explaining the cause of the mortgage crisis:
"It was not the banks that created the mortgage crisis. It was, plain and simple, Congress who forced everybody to go and give mortgages to people who were on the cusp."
Matt Taibbi reveals this for what it is: a pathetic conservative talking point.
"This was an orgiastic stampede of lending, undertaken with something very like bloodlust. Far from being dragged into poor neighborhoods and forced to give out home loans to jobless black folk, companies like Countrywide and New Century charged into suburbs and exurbs from coast to coast with the enthusiasm of Rwandan machete mobs, looking to create as many loans as they could."
"They lent to anyone with a pulse and they didn't need Barney Frank to give them a push. This was not social policy. This was greed. They created those loans not because they had to, but because it was profitable. Enormously, gigantically profitable -- profitable enough to create huge fortunes out of thin air, with a speed never seen before in Wall Street's history."
Later on he adds that:
"The whole game was based on one new innovation: the derivative instruments like CDOs that allowed them to take junk-rated home loans and turn them into AAA-rated instruments. It was not Barney Frank who made it possible for Goldman, Sachs to sell the home loan of an occasionally-employed janitor in Oakland or Detroit as something just as safe as, and more profitable than, a United States Treasury Bill. This was something they cooked up entirely by themselves and developed solely with the aim of making more money."
Personally, I'm amazed that Bloomberg was able to keep a straight face while he offered up his twisted version of reality. I mean, c'mon, who do you think spends all that money lobbying Congress? Could it be any more obvious who owns these politicians? -BB(2011-11-04)
"The usual suspects have rolled out some familiar arguments: the data are flawed (they aren't); the rich are an ever-changing group (not so); and so on. The most popular argument right now seems, however, to be the claim that we may not be a middle-class society, but we're still an upper-middle-class society, in which a broad class of highly educated workers, who have the skills to compete in the modern world, is doing very well."
"It's a nice story, and a lot less disturbing than the picture of a nation in which a much smaller group of rich people is becoming increasingly dominant. But it's not true."
"Workers with college degrees have indeed, on average, done better than workers without, and the gap has generally widened over time. But highly educated Americans have by no means been immune to income stagnation and growing economic insecurity. Wage gains for most college-educated workers have been unimpressive (and nonexistent since 2000), while even the well-educated can no longer count on getting jobs with good benefits. In particular, these days workers with a college degree but no further degrees are less likely to get workplace health coverage than workers with only a high school degree were in 1979."
As one commentator from The Economist stated:
"If we don't agree that rich people have more political power than poor people and that they use that power to pursue their economic interests, then we've really got a communications problem."
This story demonstrates that identifying the geographic origin of an attack doesn't necessarily result in attribution...
In a recent report, the Office of the National Counterintelligence Executive (ONCIX) admits this flat out.
"US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC [intelligence community] cannot confirm who was responsible."
Nevertheless, officials will make a lot of noise about this, perhaps blaming China despite the fact that they don't really know who's actually responsible, because they need to frame what's happening such that it will benefit them in terms of control and federal funding. -BB(2011-11-03)
Noam Chomsky speaks out in an interview published by Guernica:
"About 80% of the businesses in Mexico are involved in one manner or another with the drug racket. Now once you start publishing things like that and looking into it, you're getting to the power centers of Mexican society, and they're simply not going to want to be exposed. If they can use the drug assassins to stop it, they will."
"The drug problem is in the United States, not in Mexico. It's a demand problem and that is to be dealt with here, and it is not being dealt with. It's been shown over and over that prevention and treatment are far more cost effective than police action, out-of-country action, border control, and so on. But the money goes in the other direction and never has an impact."
"Only two plausible answers to that. All the leaders are collectively insane, which we can rule out, or else they are just pursuing different goals. Abroad, it's a counterinsurgency campaign, cover for counterinsurgency in Colombia. At home, it's a way of getting rid of a superfluous population."
"Governments are not in the business of catering to their citizens. It's as old as Adam Smith. The governments work for their main constituencies. When the Republicans come into office with plans to increase benefits for the wealthy -- like making sure that the super wealthy get tax cuts, making sure that the insurance companies and the financial institutions are unconstrained in their operations -- that's not for the benefit of U.S. citizens. That's for the benefit of their constituency. Same when Obama poured money into the banks. That's his constituency. In fact, that's the main source of his campaign funding. The things governments are doing here that have harmful effects abroad are not being done for the benefit of the citizens here."
Being from a state that tends to spend more on prisons than on education, I'm inclined to agree with Professor Chomsky. -BB(2011-10-30)
Eugene Robinson states in a Washington Post op-ed:
"The hard-right conservatives who dominate the Republican Party claim to despise the redistribution of wealth, but secretly they love it - as long as the process involves depriving the poor and middle class to benefit the rich, not the other way around. That is precisely what has been happening, as a jaw-dropping new report by the nonpartisan Congressional Budget Office demonstrates. Three decades of trickle-down economic theory, see-no-evil deregulation and tax-cutting fervor have led to massive redistribution. Another word for what's been happening might be theft."
It should be interesting to see how the commentators at Fox News try to discredit this report. -BB(2011-10-28)
Related: Ralph Nader, in a CounterPunch article, states that:
"Each new protest gives the protesters new insights. The protestors are learning how to challenge controlling processes. They are assembling and using their little libraries on site. They are learning the techniques of open, non-violent civil disobedience and building personal stamina. They are learning not to be provoked and thereby win the moral authority struggle which encourages more and more people to join their ranks."
Nothing Beats a Fixed Fight
Bernie Sanders laments the state of our financial system. He warns that:
"Not only do they run the banks, they run the institutions that regulate the banks."
This approach seems to be working out very well for the 1%. What this means is that the Occupy Movement has its work cut out for it, going up against an entrenched and formidable power structure. As one participant notes, they seem to have, at least for the time being, avoided a common pitfall:
"The good news is that even those Occupiers who do not identify as anti-capitalist/radical/revolutionary seem to recognize that the political system as presently constituted is irredeemably broken and that, consequently, selling the movement out to Democratic Party would be, at best, a gross exercise in futility"
Where to go from here? They can't bide their time forever. Perhaps they can learn something from the Civil Rights Movement. -BB(2011-10-20)
Related: This is who Occupy Wall Street is up against. An economic "super-entity" that spans nations in such a manner that "a large portion of control flows to a small tightly-knit core of financial institutions." In short, the United States has been rooted. The only thing that will save us will be to rebuild the system.
A comedian, of all people, realized this years ago.
Symantec describes a Remote Access Trojan (RAT) that doesn't self-replicate. It also lacks industrial control system features, though, according to Symantec, parts of Duqu are identical to Stuxnet. Additional details can be gleaned from Wired.
George Smith cautions against hysteria and presumption:
"Once a thing is in world circulation it is not protected or proprietary property. Such malicious code may contain hindrances to copying or reverse engineering but these can be overcome given enough effort. Add to this the fact that source code for malware has never been secure. It always becomes something coveted by many, often in direct proportion to its fame. Therefore, it would not be surprising given the Byzantine and secretive interlinked nature of this world, that Stuxnet code had leaked, even if only in bits and pieces."
If I were running a black bag op and wanted to misdirect investigators, this is definitely an approach that I would consider. Nothing beats muddying the waters. -BB(2010-10-19)
Related: For all the hype surrounding cyberwar, even the United States resists the temptation because:
"Administration officials and even some military officers balked, fearing that it might set a precedent for other nations, in particular Russia or China, to carry out such offensives of their own, and questioning whether the attack could be mounted on such short notice. They were also unable to resolve whether the president had the power to proceed with such an attack without informing Congress."
Oh, and while you're fixated on this RAT, never mind the rise of the Plutonomy...
Lawrence Lessig explains why people are occupying Wall Street:
"As every financial analyst not dependent upon the corruption that is Wall Street has screamed since the bill was passed, financial reform changed nothing. We are more at risk of a major financial collapse today than we were a decade ago. And the absolutely obscene bonuses of an industry that pays twice its pretax profits in salaries are even more secure today."
Then he continues on to explain how the political rootkit maintains control:
"Neither party dares to cross Wall Street, since both parties know they could not win control of Congress or the White House without Wall Street's money. So they feed the addiction, and ignore the real work that they should be doing."
The idea that we live in a representative democracy is a misconception. It doesn't matter who gets elected if the lobbyists simply buy off whoever happens to be in office. -BB(2011-10-05)
"'The virus was brought back in here and run in a contained facility against actual control system equipment so that we could study those effects to release mitigation measures to the general public,'... Edwards would not reveal details of the analysis because it was sensitive information."
In a sense, this report appears to contradict claims that the United States created Stuxnet. Would the DHS really spend all this effort dissecting Stuxnet if they could get their hands on technical specifics the easy way? Or, perhaps the right hand doesn't know what the left hand is doing in the body politic of US Intelligence? -BB(2011-09-30)
In a truly incredible fit of candor, a trader being interviewed by the BBC stated that:
"Most traders we don't really care about having a fixed economy, having a fixed situation, our job is to make money from it... Personally, I've been dreaming of this moment for three years. I go to bed every night and I dream of another recession... This is not a time right now for wishful thinking that governments are going to sort things out... The governments don't rule the world, Goldman Sachs rules the world."
Faced with such honesty, detractors have tried to scream hoax. To no avail. The BBC stands by its story, and a group of pranksters known as the "Yes Men" have also denied involvement. The Yes Men web site comments:
"Who in big banking doesn't bet against the interests of the poor and find themselves massively recompensed - if not by the market, then by humongous taxpayer bailouts? Rastani's approach has been completely mainstream for several years now; we must thank him for putting a human face on it yesterday."
For all of the media hype that's accompanied the notion of cybergeddon and the fear-mongering that another nation will bring down our banking system, the raw numbers speak volumes. In terms of actual loss I think people would be well advised to be much more frightened of Goldman Sachs. -BB(2011-09-26)
Related: The New York Times reports that "protesters say they so distrust their country's political class and its pandering to established interest groups that they feel only an assault on the system itself can bring about real change."
"A Wall Street regulator said industry complaints about market manipulation and trade reporting have spiked this year, raising questions about the adequacy of banks' internal controls over their traders."
Related: Senate report on the 2008 collapse.
"This Report is the product of a two-year bipartisan investigation by the U.S. Senate Permanent Subcommittee on Investigations into the origins of the 2008 financial crisis. The goals of this investigation were to construct a public record of the facts in order to deepen the understanding of what happened; identify some of the root causes of the crisis; and provide a factual foundation for the ongoing effort to fortify the country against the recurrence of a similar crisis in the future."
Related: This New York Times article claims that "A Secretive Banking Elite Rules Trading in Derivatives."
"In theory, this group exists to safeguard the integrity of the multitrillion-dollar market. In practice, it also defends the dominance of the big banks. The banks in this group, which is affiliated with a new derivatives clearinghouse, have fought to block other banks from entering the market, and they are also trying to thwart efforts to make full information on prices and fees freely available."
All the destruction of a WMD without the radioactive aftertaste - BB(2011-09-21)
Many thanks to Bruce Schneier for directing me towards this report.
"An ACLU report release to coincide with the 10th anniversary of 9/11 warns that a decade after the attacks, the United States is at risk of enshrining a permanent state of emergency in which core values must be subordinated to ever-expanding claims of national security."
Remember, there's a reason why Orwell is censored in China. Silent weapons are being deployed in a quiet war against the state's most dangerous enemy, it's own population. Control versus Liberty: choose. -BB(2011-09-12)
Related: Dick Destiny adds a few words along this line.
"Arms control agencies, any public information source that didn't directly serve the war on terror by finding new threats, any threats, went silent, were marginalized or ceased to exist. It's a matter of economics and capitalism. There is no money in not feeding the fear."
It appears that a hybrid (Ring-0/Ring-3) rootkit may have been used in the DigiNotar hack.
"a) I'm single person, do not AGAIN try to make an ARMY out of me in Iran. If someone in Iran used certs I have generated, I'm not one who should explain."
"b) This attack was really more sophisticated than simple Stuxnet worm. 0-days? I already have discovered similar bugs, trojan? I already wrote most sophisticated undetectable ring0 and ring3 rootkit (works together), signing certificates? huh, man! I have around 300 code signing certificates and a lot of SSL certs with again code signing permission, look at Google's cert, I have code signing privilege! You see? I owned an entire computer network of DigiNotar with 5-6 layer inside which have no ANY connection to internet, I have so much to explain, but later... You have to wait!"
It would be interesting to see exactly how this was done. -BB(2011-09-07)
Related: GlobalSign freaks out.
Infiltrated.net offers a welcome antidote to the growing misconception that China is the world's source of all APTs:
"We often forget that not too long ago that the boogeyman was Russia. That threat came during the arms race (Cold War) and it was business as usual then too. Many companies profited heftily during this period and I am sure many companies stand to profit handsomely from a Cyber Arms Race. This is nothing more than history being repetitive however, the platform has changed to a computing based battleground. Based on 'evidence' smack dab in front of our faces and under our noses, what else do we see or know of in regards to experts' explanation of APT? Not much. We have these experts consistently relying on word of mouth of each other and of IP addressing. Completely ignoring the fact that IP is a horrible identifier. Every security professional knows that IP addressing is not an identifier rather well, yet many are quick to fist pump and shout: 'APT, China!!! Look at that IP' even though FACTUAL evidence proves otherwise."
False flag operations are as old as warfare. I'd argue that in cyberspace they're even easier to execute. -BB (2011-08-31)
The New York Times features an op-ed by Cornel West:
"The age of Obama has fallen tragically short of fulfilling King's prophetic legacy. Instead of articulating a radical democratic vision and fighting for homeowners, workers and poor people in the form of mortgage relief, jobs and investment in education, infrastructure and housing, the administration gave us bailouts for banks, record profits for Wall Street and giant budget cuts on the backs of the vulnerable."
Perhaps this is to be expected. As Matt Taibbi explains, Goldman Sachs was Obama's number-one private campaign contributor.
This, in turn, unearths an even more unsettling reality. In the United States, our two-party system is really just a single-party system: the corporate party. -BB (2011-08-26)
Rep. Ted Poe offers his solution for dealing with intellectual property theft:
"It's time to get tough on China. And that's just the way it is."
Really Ted, some details might help. Personally, I think it's constructive to put this into perspective.
"American businesses... downsized and outsourced their manufacturing to Asian labor, effectively turning themselves into artisan custom shops for the plutocracy. In this bargain, repeated all across US non-military domestic production, the American companies gave up their intellectual property and trained the Chinese to make their goods for the sake of the short term bottom line."
"And it is only logical that some Chinese, maybe many, would see no point in maintaining licensing agreements with American multi-nationals once they could copy the goods on their own."
"Comments left on the Chinese sales site, and many YouTube vidoes, show young American men who have no problem buying fakes of US premium goods. Since wages have been destroyed, this too is a logical development."
"And American companies, individually and collectively, do not have the resources needed to combat the problems brought upon us by the great trade imbalance."
It's ironic that businesses are now complaining about a trend that they themselves were instrumental in creating. -BB(2011-08-24)
In Warren Buffett's recent New York Times op-ed he notes that:
"While the poor and middle class fight for us in Afghanistan, and while most Americans struggle to make ends meet, we mega-rich continue to get our extraordinary tax breaks... These and other blessings are showered upon us by legislators in Washington who feel compelled to protect us, much as if we were spotted owls or some other endangered species. It's nice to have friends in high places."
I, for one, particularly enjoyed his scathing rebuttal of a well-known conservative talking point:
"Back in the 1980s and 1990s, tax rates for the rich were far higher, and my percentage rate was in the middle of the pack. According to a theory I sometimes hear, I should have thrown a fit and refused to invest because of the elevated tax rates on capital gains and dividends."
"I didn't refuse, nor did others. I have worked with investors for 60 years and I have yet to see anyone - not even when capital gains rates were 39.9 percent in 1976-77 - shy away from a sensible investment because of the tax rate on the potential gain. People invest to make money, and potential taxes have never scared them off. And to those who argue that higher rates hurt job creation, I would note that a net of nearly 40 million jobs were added between 1980 and 2000. You know what's happened since then: lower tax rates and far lower job creation."
What this essay underscores is how unhealthy our political system has become. The three or four thousand families at the top of the income spectrum appear to have a special relationship with legislators. Why is that? -BB(2011-08-16)
At Black Hat USA Peiter Zatko (aka Mudge), a program manager at DARPA, touched on the nature of offensive software:
"Zatko analyzed 9,000 samples of malware code and found that, on average, each consisted of 125 lines of software code. That's not a lot of cost, time, or engineering effort. By comparison, the most sophisticated cyber protection software uses about 10 million lines of code. And, based on research by IBM, there are one to five bugs introduced in every 1,000 lines of code, Zatko said."
"Malware writers thrive by finding bugs and exploiting the vulnerabilities that the bugs introduce. Modern day operating systems may consist of 150 million lines of code, which means that each new OS can introduce 150,000 bugs to exploit. These numbers make it seem like keeping up with the bad guys is a losing game, Zatko said."
You may recall that this most recent Patch Tuesday included roughly 40 MB of updates for Windows Server 2008. Rather than treat the symptoms of the problem, why not address the underlying cause and find ways to build better software? -BB(2011-08-11)
Cofer Black appeared at Vegas this past week, ominously warning that "he sees parallels between the terrorism threat that emerged before the September 11 attacks a decade ago and the emerging cyber threat now."
That's interesting... I see parallels also: I see yet another former government official who's trying to drum up business by shamelessly leveraging the attacks of 9/11. On second thought, I suppose this should come as no surprise, given that Mr. Black was a Vice Chairman at Blackwater USA. It goes without saying that the aftermath of 9/11 was a gold rush for these people.
Cofer Black sanctimoniously claims that "Men's minds have difficulty adapting to things which they have no personal experience." This, no doubt, is a variation of the "I could tell you, but it's classified" argument, typical of ex-agency types who fall back on the veil of secrecy when they've got nothing better to buttress their sales-pitch with. As former CIA agent John Stockwell can attest, "it's a very powerful argument, our presidents use it on us. President Reagan has used it on the American people, saying, 'if you knew what I know about the situation in Central America, you would understand why it's necessary for us to intervene.'"
Never mind the billions of dollars we actually lose every year to cybercrime, espionage, fraud, identity theft, and the like. In the tradition of Mike McConnell and Michael Hayden, Mr. Black would rather fixate on Cyberwar because... well, because none of the truly immediate (and far more tangible) threats will divert federal funding to his private sector interests. -BB(2011-08-07).
Related: Consensus Reality and Cybergeddon
Why do hypothetical stories of Cybergeddon garner so much bandwidth when reports of million dollar cyber-heists appear almost every day?
Perhaps, as this article from the Columbia Journalism Review suggests, this is a result of PR firms filling the void left by shrinking news rooms. As Arthur Brisbane queries: "Is it a concern to you that The Times relies to some extent on P.R. professionals for story ideas?"
At first blush this recent article in the San Francisco Chronicle reads like a late night infomercial for local hi-tech firms. My, my, my. Look at all the attractive, hip, 30-somethings from out-of-town being pursued by eager corporate suitors and showered with any number of tantalizing recruiting perks. Local Bay Area talent, one can only hope, has seen this sort of mating dance before and knows how it ends.
Closer inspection of this story yields a picture that is far more telling. There's a sinister punch line waiting for those who are able to see beyond the carefully constructed mirage: as workers, we are viewed by the decision-makers as disposable cogs. Contrary to the propaganda from human resources, the people at the top couldn't care less about your long-term well-being. You're just a means to an end, and one with a conspicuously limited shelf-life at that.
As Wharton's Peter Cappelli explains, if the folks in HR had the guts to be honest they'd probably admit that: "We don't want to have to train anybody, and when those skills become obsolete we don't want to have to retrain them."
Like any successful black widow, they'll lure you into their web with a well-practiced sales pitch, bleed you for everything that you've got, and then toss your withered cadaver into the dumpster outside when they're done. Heck, when food gets scarce enough the Jackals in the executive suite will gladly turn on each other. Why should corporate America care? After all, they can simply throw a few more cocktail parties and round up yet another herd of fresh meat. -BB(2011-08-04)
Related: Cryptome's analysis of NSA help-wanted propaganda ...
"Recruiters are devious as they must be or nobody would join the secretkeepers if they knew the truth of what was in store for them to give up control of their lives and minds forever, and remain compelled to lie, lie and lie some more, and, to be sure, recruit noobs by writing noobish nonsense."
You may have heard the story of Tom Drake, a high-ranking NSA employee who warned of mismanagement and waste in the agency on a massive scale. Specifically, he told of a failed project called "Trailblazer" which consumed $1.2 billion before being cancelled. As a result he was charged under the Espionage Act of 1917 and threatened with a 35-year sentence. Drake claims that this was done to send a message:
"To other whistleblowers, to others in the government, not to speak up or speak out. Do not tell truth to power. We'll hammer you."
The ensuing trial, where Drake was sentenced to a year of probation and 240 hours of community service, has proved very interesting. The presiding Judge, Richard D. Bennett, stated that:
"I don't think that deterrence should include an American citizen waiting two and a half years after their home is searched to find out if they're going to be indicted or not. I find that unconscionable. Unconscionable. It is at the very root of what this country was founded on against general warrants of the British."
As in the case of Glenn Greenwald, WikiLeaks, and HBGary Federal, what we're seeing is the lengths that powerful institutions will go to in order to silence whistle-blowers. -BB(2011-07-30)
Though attention seems to be focused on nation-state players the true facilitators here are often corporate entities. Keep in mind that these same private-sector interests have no inherent sense of national loyalty. They exist strictly to serve shareholders and financial backers, period. If they could make a buck off of it I doubt if they'd have a problem with offering their services to both sides of an altercation. As the author of this article from Business Week observes:
"U.S. companies don't appear to face export restrictions, as the Pentagon's manufacturers of bombs and fighter jets do. In fact, companies like Endgame have cropped up all over the world. Appin Technologies, to cite one example, is a New Delhi company that offers a wide variety of computer security services, including helping countries analyze attacks and, if needed, respond in kind."
"...And so the unregulated cyber-weapons makers flourish, selling to the highest bidder. Business is great."
In other words, these companies help to create incidents and then help clean up the mess afterwards. It reminds me of certain U.S. banking interests during WWII who did business with the Germans. You see, it doesn't matter who wins or loses; what matters is conflict and the lucrative business it generates. To actually address the root cause of incidents (e.g. buggy software) might impact the bottom line. As Tom Henderson notes:
"They aren't financially compelled to stop the problem before it starts. There is no motivation for an ounce of prevention that prevents the hideous pounds and costs of cure."
The unpleasant reality is that there's a lot of money to be made in selling offensive weaponry and, as a result, it's convenient to get policymakers to simply side-step much more effective preventative measures. -BB(2011-07-24)
In this article recently published by The Observer we see the power of open source intelligence as Cryptome's John Young demonstrates how easy it is to follow up on the clues provided by the Associated Press and leverage the Internet to discover the identity of the man in charge of tracking down Osama bin Laden. Young asserts that there's a hidden agenda at play:
"Putting this guy in the picture was no accident. To show him directly behind Panetta? I think they wanted to reward this guy's hard work and get some favorable publicity and it worked. It's one of the few successes they can crow about..."
"I think they shopped him to Obama with his height and his basketball background and his looks, and Obama fell in love with him... C.I.A. John is a very marketable product now... I think he'll be on the lecture trail. First it will be private briefings, and slowly he'll ease out. Isn't he a great role model? Tall, athletic. They're going to make the most of this."
There's definitely something to be said for this train of thought, as good PR is a valuable commodity in the political realm that often leads to funding. At the same time, could there be a degree of risk associated with this sort of self-congratulatory disclosure?
"John could be in serious danger if exposed, not from Al-Qaeda, necessarily, but from rogue elements of the Pakistani intelligence agency, the I.S.I., who have made common cause with Al-Qaeda and have access to greater resources."
That's an interesting point, even if it's moot in the context of this story. What's the use of spending billions of dollars to destroy a terrorist threat when the organization that spawned it will simply create another? - BB(2011-07-15)
The founder of Kaspersky Lab admits that tracking down the origin of a cyberattack can be an extremely difficult (if not impossible) task:
"viruses unfortunately don't carry ID cards. We can at least usually identify the originator's language, and that's at the moment the inventor communicates with his virus and gives it a command..."
"...I have no information pointing toward China as the actual originator. Professionals do their work through proxy servers. They can be located in China but controlled from the United States. Perhaps it was just competitors -- but people then pointed the finger at China. Anything can happen in our business."
How difficult do you think it would be for a small group of skilled developers to use internationalized tools to develop malware that appears to have been created in another country? Putting your faith in the veracity of embedded strings is utter foolishness.
If Stuxnet is truly the "super weapon" that the media says it is, do you honestly think the engineers who built it would be sloppy enough to give themselves away so easily? False flag operations are a time-honored practice in the wilderness of mirrors. -BB (2011-07-14)
George Smith elaborates on how worst-case thinking causes us to focus too heavily on perceived threats rather than addressing tangible ones. Smith laments that:
"The world economy was put in a tailspin by Wall Street financial systems in 2008. It has yet to recover.
And while Wall Street has done nicely since then, Main Street America has not. And by all accounts, no significant protections against Wall Street's predations have been put in place in the intervening period.
The argument that the US financial system ought to be protected from electronic Pearl Harbor would, if all Americans actually knew of it, strike them as ridiculous.
It's easily observable that people are much more interested in protection from the racket that's the American financial system. Cyberwar and hack attacks on it, when compared to the damage inflicted by Wall Street misbehavior, are absurdly small things."
Yet we hear much more about these perceived threats because certain corporate entities stand to profit handsomely from the hysteria that they produce. Such is the madness of crowds. -BB (2011-06-28)
This is one of the reports pilfered by LulzSec. It has more than a couple of gems related to cybersecurity. For example:
"Foreign nations are the most capable and resource-rich cyber threat actors. The most advanced nations have established active and robust information operations (IO) or CNO organizations. Some nations' military and intelligence agencies have created distinct directorates to carry out aspects of IO, such as CNE, CND, and CNA."
I assume that a list of such nations would include the United States? In fact, I would wager that in terms of sheer efficacy, we're near (or at) the top of the list. As General Hayden commented, other countries are scared of us:
"There was a survey done not too many months ago. They asked the citizens of some cyber-savvy nations around the world, who do you fear most in the cyber-domain? And, quite interestingly, we were number one."
In this sense, the nature of international relations could be characterized as anarchic. With very few exceptions, everyone spies on everyone else. This is something to keep in mind when reading Cyberwar stories. We're hardly an innocent bystander. It's probably closer to the truth to say that we're an active participant. - BB (2011-06-24)
New York Times columnist David Brooks offers a blistering commentary on the Fannie Mae scandal:
"The scandal has sent the message that the leadership class is fundamentally self-dealing. Leaders on the center-right and center-left are always trying to create public-private partnerships to spark socially productive activity. But the biggest public-private partnership to date led to shameless self-enrichment and disastrous results..."
"The final message is that members of the leadership class have done nothing to police themselves. The Wall Street-Industry-Regulator-Lobbyist tangle is even more deeply enmeshed."
This dynamic isn't limited to the financial sector of our economy. Look around at the media's coverage of recent cyberattacks and, even more telling, the solutions that government officials propose. -BB (2011-06-18)
Cryptome.org asserts that David Brooks' conclusions are:
"Equally applicable to the cybersecurity gov-mil-spy-media industry where deliberately inept, weak security -- to allow spying and data gathering -- is obscured by blaming hackers and foreign agents with demand for increased budgets and contracts."
Related: Agent.btz thrives and still no word of conclusive attribution.
Related: Check out the NSA's "Site M," a $5.2 billion centralized cyber-command center.
This is an excellent piece on the idea of an Internet killswitch and the inherent shortcomings associated with it.
"Creating a killswitch for the Internet would never work because of the flaw in attribution. Who is attacking? Seriously, ask yourself, who is attacking?
This is at the core of why most of these ridiculous ideas will fail. Because we cannot attribute an identifiable aggressor, then who are we cutting ourselves off from? Not to mention, because of the flaws associated with attribution, an attacker can pretend to be anyone he or she or Country Y wants to be. In fact, should a killswitch ever be implemented, an attacker can cause huge financial fall-out by simply pretending to be a country of his or her or Country Y's choice. Imagine having an entire banking infrastructure disconnected because of a bunch of script kiddies. For every step this government (the United States) takes, they seem to take the same redundant steps backwards."
This essay might also shed some light on Richard Clarke's recent op-ed in the Wall Street Journal. Chinese Generals claim they need to protect themselves against the US Military. American officials point to the Chinese and offer similar dire warnings. Methinks the two sides keep each other in business. - BB (2011-06-16)
Related: Does this seem like a veiled threat to you?
A few days ago, Alan Paller (the director of research at The SANS Institute) made a few comments about cyber-security on the PBS News Hour:
"For too long, the corporations and governments have been what we call blaming the users... It's very much like automobiles 50 years ago. We said that the drivers had to be safe drivers, and that would solve all the problems. But we didn't solve most of the -- we didn't do as well on automobile safety until we fixed the cars and we fixed the roads. We haven't done enough to make software that people buy safe"
The current state of affairs is something that the software industry, as a whole, doesn't want to face. You can educate users all you want and lock down your servers like Fort Knox, but a skilled attacker armed with weaponized zero-day exploits will waltz right through your defenses and sink your battleship. Once that happens, short of turning the damn things off, you're out of luck.
This is not a problem that you can buy your way out of with expensive, high-end, security products (contrary to the subliminal whispers of the marketing execs). Nor can we deal with it by falling back on the threat of conventional military force or spending a few billion on cyberweapons. To evolve beyond our current state of cyber-insecurity we need to invent better ways to build secure software. -BB (2011-06-06)
The Futility of Sabre Rattling
Today the Wall Street Journal published an article describing a Pentagon report which depicts cyberattacks as acts of war and discusses the option of responding with conventional military force. As one anonymous official stated, "If you shut down our power grid, maybe we will put a missile down one of your smokestacks."
This may seem sensible, until you consider how difficult it is, in practice, to tackle the issue of attribution. As I've stated many times in the past, our government funded projects like TOR to ensure that we could perform operations online that could never be traced back to us. Is it unreasonable to assume that other nations have developed similar technology?
Can you imagine what would happen if we accused another country of committing a cyberattack and bombed them, only to discover later on that we were wrong?
Even more unsettling is the idea that this sort of military strategy could allow a nation-state to attack itself and then use the staged event as a pretext to launch a conventional military attack. Doesn't anyone remember Operation Northwoods?
According to James Bamford, in his book Body of Secrets:
"Operation Northwoods, which had the written approval of the Chairman and every member of the Joint Chiefs of Staff, called for innocent people to be shot on American streets; for boats carrying refugees fleeing Cuba to be sunk on the high seas; for a wave of violent terrorism to be launched in Washington, D.C., Miami, and elsewhere. People would be framed for bombings they did not commit; planes would be hijacked. Using phony evidence, all of it would be blamed on Castro, thus giving Lemnitzer and his cabal the excuse, as well as the public and international backing, they needed to launch their war"
The Wall Street Journal also reports that "Pentagon officials believe the most-sophisticated computer attacks require the resources of a government."
I don't necessarily agree with this. As many venture capitalists in the Bay Area will tell you, talent and skillset are important factors. Given the right group of ten people, you could build a formidable cyberweapon for a few million dollars. This is well within the reach of private corporate interests, who could then sell their technology to the highest bidder... putting the kibosh on the notion that "the best way to deter major attacks is to hold countries that build cyber weapons responsible." - BB(2011-05-31)
A Grifter's Utopia
In the wake of the 2008 financial collapse, the standard account provided by free market ideologues is that our banks sold mortgages to people who should've known better, the tools they used to quantify risk were flawed, and that federal regulators couldn't keep up with the flood of work that inundated their offices. Our capitalistic system runs in cycles, so they say, and this is just one of those occasional low points that we should all come to expect.
The service that Matt Taibbi does for us in his latest book is to expose this explanation for what it is: a cover story. Free market apologies aside, core components of this nation's power structure have been subverted by a relatively small group of moneyed interests that have used their leverage to buy off anyone who stands in their way. The rules that dictate how our markets operate are being rigged by a veritable army of corporate lobbyists. The benefactors of this hostile takeover, the economically privileged families at the top of the income spectrum, have witnessed exorbitant gains. Everyone else has had to make do with treading water.
As Taibbi explains: "While the rest of us argue about Mexican babies before the midterms, hotshot DC law firms like Skadden, Arps, Slate, Meagher & Flom may have as many as a hundred lawyers working on unresolved questions in the Dodd-Frank bill. And that's just one firm. Thousands of lobbyists will be employed; millions of lobbying dollars will be spent."
Let retired officials-turned-management-consultants trade in their credibility to peddle inflated tales of Cybergeddon. As far as our financial infrastructure is concerned, the clear and present danger that we face comes from within. Most of the propaganda that's jettisoned into the public arena is an effort to conceal this fact, to re-direct our anger and outrage away from responsible parties. As Taibbi warns, the people who played pivotal roles in creating this crisis are the same individuals who've been recruited to prevent it from happening again. "We have to trust these people to do the right thing, but we can't, because, well, they're scum. Which is kind of a big problem, when you think about it." - BB (2011-05-28)
Related: To see how these recent developments fit into a historical trend that began back in the early 1970s, you might also want to read the book Winner-Take-All Politics. For additional details on the mortgage crisis, I'd strongly recommend viewing the movie Inside Job.
More On Our Double Standard
The New York Times reports that the founder of Blackwater, Erik Prince, has been hired by the crown prince of Abu Dhabi to form an 800-member mercenary force. This article states that these troops "could be deployed if the Emirates faced unrest in their crowded labor camps or were challenged by pro-democracy protests like those sweeping the Arab world this year."
This article also mentions that:
"In recent years, the Emirati government has showered American defense companies with billions of dollars to help strengthen the country's security. A company run by Richard A. Clarke, a former counterterrorism adviser during the Clinton and Bush administrations, has won several lucrative contracts to advise the U.A.E. on how to protect its infrastructure."
As Chomsky has noted:
"In the real world, elite dislike of democracy is the norm. The evidence is overwhelming that democracy is supported insofar as it contributes to social and economic objectives, a conclusion reluctantly conceded by the more serious scholarship."
"Elite contempt for democracy was revealed dramatically in the reaction to the WikiLeaks exposures. Those that received most attention, with euphoric commentary, were cables reporting that Arabs support the U.S. stand on Iran. The reference was to the ruling dictators. The attitudes of the public were unmentioned. The guiding principle was articulated clearly by Carnegie Endowment Middle East specialist Marwan Muasher, formerly a high official of the Jordanian government: 'There is nothing wrong, everything is under control.' In short, if the dictators support us, what else could matter?"
He makes some interesting statements:
"We concluded that the U.S. is the leading force behind Stuxnet development. They didn't do it on their own; they had help from nation states. But it's clearly the work of the U.S."
"If you look at the facts, it is pretty clear that the attackers had substantial Siemens insider information. Just by looking at the attack code, you can infer this because it would take an outsider years to discover the vulnerabilities that were exploited by Stuxnet by just reverse engineering."
If someone goes around throwing rocks through other people's windows, it's kind of hard to be sympathetic when they complain about someone else doing it to them... -BB(2011-05-11)
There's no need for oppressive arm-twisting. People are literally opting to be monitored. Really, I have to admit, it's an extremely clever approach. Recall how the former executive from HBGary Federal leveraged social networking as an intel resource. Yet most people don't recognize this, they're too enamored by stories that cast social networking as a tool for political change in the Middle East. They fail to see the vast potential for abuse...
...and pundits want me to trust "The Cloud" with my data. Ha! -BB (2011-05-06)
Related: Some people may consider the Internet itself to be a massive tool for surveillance. There's something to be said for this train of thought. With regard to the hunt for Osama Bin Laden, the New York Times published a story that describes how our leaders "turned to one of their greatest investigative tools - the National Security Agency began intercepting telephone calls and e-mail messages between the man's family and anyone inside Pakistan."
Related: According to the Federation of American Scientists, domestic surveillance grew in 2010.
"A federal search warrant executed on the defendant's residence on June 30, 2009 located 676,443 stolen credit card accounts on the defendant's computers and in his e-mail accounts. Credit card companies have identified tens of thousands of fraudulent charges on these accounts totaling $36,624,815.52"
There's no denying that cybercrime is a credible and well-documented threat. Yet, for whatever reason (ahem), this concrete threat tends to be overshadowed by vague intimations of cyberwar that often have only one foot in reality. -BB(2011-04-22)
Related: As usual, the media is rife with stories that describe data breaches and wire fraud. On the other side of the fence are somewhat dubious accusations of cyberwar and attempts to paint other countries as the boogeyman. This is what happens when federal funding is at stake and certain business interests stand to gain from fear mongering.
Update: Here are a couple of articles that focus on this trend (with thanks to Bruce Schneier).
This article describes Mr. Rizzo as an "elegant 63-year-old who wears cuff links and pale yellow ties." Though, I think that his interview banter is far more telling.
"How many law professors have signed off on a death warrant?" he asks.
If you'd like to address this rhetorical question, I suppose you could stop by for a chat and take this up with Mr. Rizzo. -BB(2011-04-12)
Navalny admits to ambitions towards holding public office. He's also been accused of being a CIA plant. According to the NYTimes report, he supplied his wife with "a list of phone numbers to call if he disappeared... other lawyers, journalists and opposition politicians."
With billions of dollars at stake, it will be interesting to see how Aleksei's crusade evolves and even more interesting to see how the corporate power structure responds. -BB(2011-03-31)
According to Michael G. Reed, a researcher at the Naval Research Laboratory who helped to develop TOR, the motivation behind the creation of this technology was to enable spooks to shield themselves from attribution.
"The *PURPOSE* was for DoD / Intelligence usage (open source intelligence gathering, covering of forward deployed assets, whatever). Not helping dissidents in repressive countries."
This is why ridiculous ideas like cyberwar deterrence and international treaties are nothing more than philosophical hubris. When faced with an organized intrusion set, trying to track down their identities would be an exercise in futility. Governments have funded research efforts like TOR to ensure that this is the case. -BB(2011-03-25)
The plot thickens as Hunton & Williams faces increased scrutiny. -BB (2011-03-02)
"A group of House Democrats is calling on Republican leaders to investigate a prominent Washington law firm and three federal technology contractors, who have been shown in hacked e-mails discussing a 'disinformation campaign' against foes of the U.S. Chamber of Commerce."
"In a letter to be released Tuesday, Rep. Hank Johnson (D-Ga.) and more than a dozen other lawmakers wrote that the e-mails appear 'to reveal a conspiracy to use subversive techniques to target Chamber critics,' including 'possible illegal actions against citizens engaged in free speech.'"
Related: The House Armed Services Subcommittee on Emerging Threats and Capabilities on Wednesday asked the Defense Department and its intelligence arm - the National Security Agency - to hand over copies of any contracts they may have signed with HBGary Federal, Palantir Technologies and Berico Technologies.
Send Lawyers, Guns, and Money
Here's an article from Salon on Hunton & Williams, the law firm that BofA hired to deal with their Wikileaks problem (by way of a Dept. of Justice recommendation). H&W, in turn, called up their fixers and, well, you know the rest. -BB (2011-02-16)
"What makes Hunton's involvement in the anti-WikiLeaks scheming so striking is that the firm represents some of the biggest names in corporate America. Hunton's website touts its representation of Wells Fargo, Altria (aka Philip Morris), the telecom Cingular, and defense contractor General Dynamics, among many others."
RELATED: the inside scoop on how Anonymous hacked HBGary Federal.
RELATED: Check out this op-ed from Wired. Paul Roberts observes "how effortlessly and seamlessly the focus on 'advanced persistent threats' shifted from government backed hackers in China and Russia to encompass political foes like ThinkProgress or the columnist Glenn Greenwald. Anonymous may have committed crimes that demand punishment - but it's up to the FBI to handle that, not 'a large U.S. bank' or its attorneys ...What threat to all of our liberties does that kind of IT security firepower pose when it's put at the behest of corporations, government agencies, stealth political groups or their operatives?"
Wired provides additional backdrop on the affair. It's interesting to see how quickly companies like Palantir and Berico backpedal once this plot comes to light. Would they have done so otherwise? -BB(2011-02-15)
RELATED: Glenn Greenwald, who was to be targeted as a part of the campaign, offers his comments:
"The real issue highlighted by this episode is just how lawless and unrestrained is the unified axis of government and corporate power. I've written many times about this issue -- the full-scale merger between public and private spheres -- because it's easily one of the most critical yet under-discussed political topics. Especially (though by no means only) in the worlds of the Surveillance and National Security State, the powers of the state have become largely privatized. There is very little separation between government power and corporate power. Those who wield the latter intrinsically wield the former."
"That's what this anti-WikiLeaks campaign is generally: it's a concerted, unified effort between government and the most powerful entities in the private sector (Bank of America is the largest bank in the nation). The firms the Bank has hired (such as Booz Allen) are suffused with the highest level former defense and intelligence officials, while these other outside firms (including Hunton & Williams and Palantir) are extremely well-connected to the U.S. Government. The U.S. Government's obsession with destroying WikiLeaks has been well-documented. And because the U.S. Government is free to break the law without any constraints, oversight or accountability, so, too, are its 'private partners' able to act lawlessly. That was the lesson of the Congressional vesting of full retroactive immunity in lawbreaking telecoms, of the refusal to prosecute any of the important Wall Street criminals who caused the 2008 financial crisis, and of the instinctive efforts of the political class to protect defrauding mortgage banks."
"Why should the Pentagon be talking up the stocks, even implicitly, of the companies it buys from? ...The answer, I eventually learned, has to do with something that happened a very long time ago, and goes under the category of 'Be careful what you wish for.' Let's just say that banking isn't the only industry where the government has allowed a handful of companies to become too big to fail."
Defense spending is currently around $700 billion, roughly half of the discretionary spending in our budget. You can bet that this industry is looking for new reasons for us to keep spending... -BB (2011-02-12)
Documents on Wikileaks from HBGary Federal and Palantir
Here is a version of the report that HBGary Federal compiled on Anonymous. Is this the genuine article or just grist for another spook paper mill?
Even more interesting is this synopsis of "The Wikileaks Threat" written up by the likes of Palantir Technologies, HBGary Federal, and Berico Technologies. It would appear that members of the establishment have started talking to the corporate equivalent of hired guns.
"Together, Palantir Technologies, HBGary Federal, and Berico Technologies bring the expertise and approach needed to combat the WikiLeaks threat."
Looks like we know who lost the first round... -BB (2011-02-10)
"In the years after the Sept. 11, 2001, terrorist attacks, officers who committed mistakes that left people wrongly imprisoned or even dead received only minor admonishments or no punishment at all, an Associated Press investigation has found ...many officers who made significant missteps are now the senior managers fighting Obama's spy wars."
Years ago, in 1997, I recall a Control Data veteran confiding in me that you weren't considered material for upper-level management until you had at least one really big failure under your belt. - BB (2011-02-09)
"In a stunning collapse of authority, most police have withdrawn from major cities, and soldiers fired shots into the air in an effort to control the crowds, seized by growing fears of lawlessness and buoyed by euphoria that three decades of President Hosni Mubarak's rule may be coming to an end."
Related: This study released by the USAF Institute for National Security Studies "challenges the current US policy towards Egypt and its underlying assumption that regime stability supersedes a US interest in true political development."
Related: Wikileaks reports that "As recently as February 2010, as indicated in 10CAIRO213, an activist implored the United States diplomats to get closer to the Egyptian government in order to combat torture and reduce the growing brutality of the police. The answer from Vice President Biden is that the political leader, the highest authority in the country, is not a dictator. The answer from the U.S. is silence, and dismissal of the Egyptian people's desire to create a better future."
I think it's important to note that Egypt, which is a recipient of billions of dollars of US Aid, was our first partner in the CIA's rendition program in the mid-1990s. - BB(2011-01-30)
Interesting Historical Records
One can only guess what the unofficial conversations were like. The following are declassified snippets from various formal meetings during the reign of the Ford administration.
Richard Helms (former CIA Director) speaking with President Ford on the Church Commission:
"If allegations have been made to Justice, a lot of dead cats will come out. I intend to defend myself. I don't know everything which went on in the Agency; maybe no one really does."
Commentary: That's an interesting conjecture. Nobody really knows everything that goes on. Plausible deniability in action.
Henry Kissinger (then Secretary of State) adding his two cents in a different conversation along the same lines:
"Hoover did things which won't stand scrutiny, especially under Johnson. We will put these out in generic terms as quickly as possible. The Bureau would like to dribble it out. This will divert attention and show relative cooperation with the committee."
Commentary: How was Hoover able to survive, if not thrive? If there was a solid argument for an organization like Wikileaks, this is it. There are instances when all of our celebrated checks and balances break down...
William Colby (then CIA Director) speaks with President Ford and Henry Kissinger:
"They have asked for all the records of our relations with PanAm, [edited out] ITT and others. If we acknowledge a relationship, we will kill these companies and our ability to place agents and get cooperation."
Commentary: If you look at the key players in the CIA's history, you'll find that there are strong ties with this country's financial engine. -BB (2011-01-25)
With the demise of the steel industry and other manufacturing sectors in the US, George Smith addresses this question.
"From 2009, another appalling graph produced from data taken by the US Census, part of Commerce, on military production in the US versus everything else (and originally shown in the NY Times):"
"While what production of durable goods in the US that remains is charted, it along with the fortunes of the middle class and mass unemployed cratered in 2009. However, military production did not. It went through a minor dip and then soared. This is immoral. It destroys any argument on fairness and shared burden and consequences being a part of US society. It broadly and mercilessly insults the intelligence of all those who must listen to, see or read about the Department of Defense making nibbles around the edges to trim its budget in the coming time of austerity."
The risk to our nation from cyberwar is dwarfed by the economic hole that we've been digging. The Chinese have been there, gladly, helping us do just that. Perhaps this is a function of our collective short-term view. Our leaders only look towards the next business quarter or the next election cycle. All the while, a culture that measures time in terms of 200-year dynasties looks on and quietly smiles. -BB (2011-01-20)
A study done by researchers from Oxford and the London School of Economics concludes (among other things) that:
"Analysis of cybersecurity issues has been weakened by the lack of agreement on terminology and the use of exaggerated language. An 'attack' or an 'incident' can include anything from an easily-identified phishing attempt to obtain password details, a readily detected virus or a failed log-in to a highly sophisticated multi-stranded stealth onslaught. Rolling all these activities into a single statistic leads to grossly misleading conclusions...Cyberespionage is not a 'few keystrokes away from cyberwar.'"
"It is unlikely that there will ever be a true cyberwar."
"Large numbers of attack methods are based on faults discovered in leading operating systems and applications. Although the manufacturers offer patches, their frequency shows that the software industry releases too many products that have not been properly tested."
Of course, I could have told you that. -BB (2011-01-18)
Is the mass media a watchdog or merely a cheerleader?
"As Columbia University digital journalism expert Emily Bell argues, it [Wikileaks] forces journalists and news organisations to demonstrate to what extent they are now part of an establishment it is their duty to report. In other words, WikiLeaks exposes the degree to which normal journalism has lost its watchdog role. Mainstream journalism stands accused of failing to be critical enough of those in authority. Over the economic crash of 2007 and over intelligence and the Iraq war, it failed to challenge the conventional wisdom. It was not a conspiracy or a failure of resource. It was because journalism can be too responsible, balanced and passive. Sometimes journalism needs to be disruptive, critical and even partial."
Aside: To see just how passive the media can be, I'd strongly urge you to view Bill Moyers' eye-opening documentary Buying The War. You won't find this kind of in-depth analysis elsewhere, which is why I support PBS. -BB (2011-01-16)
Contrary to what the corporate decision makers have been telling us, there is no shortage of talent in the United States. In fact, there's a surplus! According to this recent article in The Economist:
"In a recent book, Andrew Hacker and Claudia Dreifus, an academic and a journalist, report that America produced more than 100,000 doctoral degrees between 2005 and 2009. In the same period there were just 16,000 new professorships. Using PhD students to do much of the undergraduate teaching cuts the number of full-time jobs."
Without a doubt, the claim of a "talent shortage" is merely a pretext for offshoring and H-1B initiatives. In a nutshell, it's all about access to cheap labor. Universities benefit as do business interests. All the while executive salaries continue to skyrocket. What will this do to the United States over the long run as people realize that no one wants to hire an American with a PhD in the hard sciences? Would you like some fries with that? -BB (2011-01-08)
Related: Proponents of offshoring and H-1B often use the free market argument as a convenient ideological excuse. As John Cassidy's recent article in The New Yorker demonstrates, the idea of a free market is also somewhat mythical.
"During the half century after Lincoln's Presidency, the business-backed Republican Party was in power for most of the time, and tariffs on manufactured goods remained at forty to fifty percent, the highest levels anywhere. It was during these years that the US economy grew to rival the economies of Britain and Germany in industries such as iron and steel and chemicals ...The fact is that not one of today's economic powers practiced free trade during its developmental stage."
In other words, state intervention to protect US domestic interests enabled the United States to emerge as a financial powerhouse, not free markets. Large multinationals dust off the free market argument when it suits their interests, not ours. -BB (2011-01-09)
Related: Another New York Times article on China's "indigenous innovation" policy. -BB (2011-01-12)
The Bureaucratic Nature of the CIA
While the popular image of the CIA conveyed in books and movies is often that of a rogue organization, it's probably much closer to the truth to say that the CIA, as Chomsky has characterized it, is "basically just an obedient branch of the White House."
This view is supported by a Top Secret interview with David Cohen, the former Deputy Director for Operations for the CIA. In this interview, he notes that:
"When you take an action on the edge and you don't think leadership will stand with you, you soon decide to stay far from the edge. The DO had many years in which they thought that the White House endorsed action, only to find out that the White House was not supportive in the end. CIA is as risk-taking as the policy environment will support. Just having case officers asked by senior officials, 'why did you do this?' sends a message that risk-taking is not supported."
I suspect that the White House would prefer to maintain the CIA's rogue elephant image so that a certain degree of plausible deniability can be exercised when need be. If something unpleasant comes to light, the White House can claim "we didn't do it, it was those loose cannons over in the CIA." Then they feed a couple of CIA officials to the wolves and wash their hands. -BB(2010-12-31)
Update: Former NSA Director, General Bill Odom disagrees. He claims that "The CIA currently does not work for anyone - it pretends to work for the President but is in fact out of control."
Bruce Sterling on Wikileaks
Mr. Sterling offers his synopsis of Wikileaks and Assange.
"While others stare in awe at Assange's many otherworldly aspects: his hairstyle, his neatness, his too-precise speech, his post-national life out of a laptop bag, I can recognize him as pure triple-A outsider geek. Man, I know a thousand modern weirdos like that"
Reading this essay, I cannot help but detect a hint of offhand dismissal. "Never you mind" says Mr. Sterling, "just another cyber misfit, they're a dime a dozen." As an author, I can heartily testify that you can spend your life reading books, or you can go out and live a life that someone will want to write a book about. For better or for worse, Julian Assange falls into the latter category. Merry Christmas, Wikileaks. -BB (2010-12-25)
In this article, Michel Chossudovsky makes his case:
"On the surface, nothing proves that Wikileaks was a CIA covert operation. However, given the corporate media's cohesive and structured relationship to US intelligence, not to mention the links of individual journalists to the military-national security establishment, the issue of a CIA sponsored PsyOp must necessarily be addressed... It is in the interest of the corporate elites to accept dissent and protest as a feature of the system inasmuch as they do not threaten the established social order. The purpose is not to repress dissent, but, on the contrary, to shape and mould the protest movement, to set the outer limits of dissent."
In other words, if you control both of the prize fighters in a boxing match you'll profit regardless of who wins. -BB (2010-12-19)
Update: Over the past several days I have received mail from a number of government employees who've protested that Wikileaks couldn't possibly be a CIA psyop because the Wikileaks staff are "far too competent." -BB (2010-12-23)
Jeffrey Carr, in this Forbes article, questions the notion that Israel is responsible for Stuxnet.
"The appeal of a U.S. or Israeli cyber attack against first Bushehr, then Natanz, was just too good to pass up even though there was no hard evidence and very slim circumstantial evidence to support a case for either country. The best that Ralph Langner, CEO of Langner Communications (and the leading evangelist for this scenario) could point to was an obscure Hebrew word for Myrtus and a biblical reference for a date found in the malware that pertained to Persia; both of which could have been explained in a half dozen alternate ways having nothing to do with either Israel or the U.S."
"As far as China goes, I've identified 5 distinct ties to Stuxnet that are unique to China as well as provided a rationale for the attack which fits China's unique role as Iran's ally and customer, while opposing Iran's fuel enrichment plans. There's still a distinct lack of information on any other facilities that suffered damage, and no good explanations for why there was such massive collateral damage across dozens of countries if only one or two facilities in one nation state were the targets however based solely on the known facts, I consider China to be the most likely candidate for Stuxnet's origin."
In this white paper, he also questions the assumption that Stuxnet is a state-sponsored project.
"The Stuxnet malware analysis performed by Symantec, ESET, Kaspersky, Langner Communications, and Microsoft all point to a well-funded team of developers with certain unique skill sets and several months for development and testing. The obvious conclusion is that this team was sponsored by a nation state, however certain multi-national corporations have the same or better resources than many governments. In some countries, the government has a controlling interest in their largest corporations such as China's national champion companies (i.e., Huawei) or France's majority ownership of Areva."
It's been months, now, and we still don't have the answers we need. This demonstrates the truck-size hole that exists in the flawed strategy of cyberwar deterrence or the idea that we can limit problems with treaties (that we can't enforce). -BB (2010-12-17)
Yet again, the central issue of attribution rears its ugly head. Even if you succeed in tracing an attack back to a specific geographic location, there's really no fool-proof way to ascribe responsibility. Such is the nature of contemporary anti-forensic technology (and the internet in general). There's nothing to prevent a determined (e.g. state funded) attacker from breaking the terms of a treaty and then shielding themselves with plausible deniability or, even worse, framing a 3rd party.
Let's not forget the possibility that the intel services of a treaty participant could simply pay one of the more sophisticated criminal groups to do their dirty work for them. The aforementioned outlaws would probably have no idea who really hired them, providing an extra layer of obfuscation.
Whenever I read about the idea of cyberwar treaties, I think back to the Biological Weapons Convention that the US and USSR signed in 1972. The Soviets seemed to interpret the treaty as an opportunity to accelerate their weapons program. -BB (2010-12-04)
Related: Attribution cuts both ways. "Recall as well that the main technical tool used to anonymize submissions to WikiLeaks, Tor (The Onion Router), came out of a US Naval Research Laboratory project to protect clandestine activities overseas. In fact, members of the military are some of the most vocal opponents of current attempts in the US to require person-level attribution of data packets online."
One of the world's leading experts on developing secure software speaks out against the hype surrounding cyberwar in this Q&A from CNET.
"There is a lot of crime, less espionage, and very little cyberwar. (chuckles) And the root cause for capability in all these things is the same. That is dependence on systems that are riddled with security defects. We can address all three of those problems. The most important is cybercrime, which is costing us the most money right now. Here's another way to think about it: everyone is talking about the WikiLeaks stuff, and the impact the latest (confidential files) release is having on foreign policy in the U.S. The question is, would offensive capability for cyberwar help us solve the WikiLeaks problem? The answer is obvious. No. Would an offensive cyberwar capability have helped us solve the Aurora problem where Google's intellectual property got sucked down by the Chinese? The answer is no. What would have helped address those two problems? The answer is defense. That is building stuff properly. Software security."
I couldn't agree with him more. -BB(2010-12-01)
Last night on PBS, Zbigniew cut to the chase pretty quickly:
"I think the most serious issues are not those which are getting the headlines right now. Who cares if Berlusconi is described as a clown. Most Italians agree with that. Who cares if Putin is described as an alpha dog? He probably is flattered by it."
"The real issue is, who is feeding Wikipedia on this issue -- Wiki -- Wiki -- WikiLeaks on this issue? They're getting a lot of information which seems trivial, inconsequential, but some of it seems surprisingly pointed...It's, rather, a question of whether WikiLeaks are being manipulated by interested parties that want to either complicate our relationship with other governments or want to undermine some governments, because some of these items that are being emphasized and have surfaced are very pointed. And I wonder whether, in fact, there aren't some operations internationally, intelligence services, that are feeding stuff to WikiLeaks, because it is a unique opportunity to embarrass us, to embarrass our position, but also to undermine our relations with particular governments."
Wikipedia? Was that a Freudian slip? All joking aside, I think he's alluding to an issue that is worth some thought. Just as intelligence services have long-standing back channels with the press, as pointed out by editors like the New York Times' Max Frankel, have interested parties devised ways to influence Wikileaks? This is the danger of being an information chokepoint. -BB (2010-11-30)
"Mr. Ahmadinejad publicly acknowledged, apparently for the first time, that Iran's nuclear program had recently been disrupted by a malicious computer software that attacked its centrifuges. 'They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts,' he said at the news conference."
This New York Times article implies that the malware was indeed Stuxnet, though it isn't stated explicitly. In fact, the article mentions that "Mr. Ahmadinejad did not specify the type of malware or its perpetrators." Assuming that Stuxnet was to blame, questions still remain: Who wrote Stuxnet? Was Iran an intended target?
Related: Another New York Times article provides additional information concerning the Google attacks:
"China's Politburo directed the intrusion into Google's computer systems in that country, a Chinese contact told the American Embassy in Beijing in January, one cable reported. The Google hacking was part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government. They have broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002, cables said."
Keep in mind that this is based on information from a "contact." Before we invaded Iraq, our Secretary of State stood before the UN Security Council on May 27, 2003, and (based on intel from a contact) alleged that Iraq had developed mobile production facilities for biological weapons.
Another thing to keep in mind is that China isn't the only nation-state that ventures into other people's networks. I'm fairly confident that we do it just as much (if not more so). -BB (2010-11-29)
The cables, which date from 1966 up until the end of February this year, contain confidential communications between 274 embassies in countries throughout the world and the State Department in Washington DC. 15,652 of the cables are classified Secret. The embassy cables will be released in stages over the next few months.
The White House has responded:
"Such disclosures put at risk our diplomats, intelligence professionals and people around the world who come to the United States for assistance in promoting democracy and open government. These documents also may include named individuals who in many cases live and work under oppressive regimes and who are trying to create more open and free societies."
The New York Times thinks otherwise:
"The cables tell the unvarnished story of how the government makes its biggest decisions, the decisions that cost the country most heavily in lives and money. They shed light on the motivations and, in some cases, duplicity of allies on the receiving end of American courtship and foreign aid. They illuminate the diplomacy surrounding two current wars and several countries, like Pakistan and Yemen, where American military involvement is growing. As daunting as it is to publish such material over official objections, it would be presumptuous to conclude that Americans have no right to know what is being done in their name."
Regardless of how government officials and the press view the release of these documents, one thing is certain: leaders are probably now aware that they may one day be held accountable for what they do and say. The veil of secrecy has been pulled back. This will impact how our government operates and how we interact with other countries. Perhaps this is one of the ulterior motives of cablegate? -BB (2010-11-28)
Life in The Wilderness of Mirrors
This New York Times book review looks at a number of recent books that have been authored by former CIA officers. These sorts of memoirs tend to fall into two categories. On one side you'll find people like Miles Copeland, an officer in both the OSS and CIA, who asserts that the general public has a biased view of the CIA because we only hear about the failures (an argument that rests heavily on the secret nature of intelligence operations). In his book, Without Cloak Or Dagger, Copeland explains that:
"Unless you can believe that even a government as wasteful and inefficient as our own would tolerate the existence of a vast and costly facility which is inactive and ineffective, you must believe that it accomplishes something. More than that, you must believe that most of what it does is successful. No Government, even our own, would tolerate for long a costly agency that has more failures than successes."
The current slew of publications seems to claim just the opposite. They paint a picture of an unwieldy bureaucracy that's mired in the security of administrative rituals which place an emphasis on quantity over quality. Some former officers even go so far as to suggest that we start over with a clean slate. This definitely doesn't jibe with Copeland's description of the indoctrination process that CIA officers undergo during training.
"Even the most anti-Government cynic comes out with the conviction that the nation faces dangers to national security which are more awful than even the gloomiest columnist imagines, and that the machinery of which the CIA is a part has means of combating them which are so sophisticated and powerful as to be beyond the comprehension of all but those who are a part of them."
How's that for hyperbole? So, who do you believe: the old stalwart or the groans of disenchantment that point to the conspicuous absence of intelligence "slam dunks?"
Perhaps Lindsay Moran can offer some insight. In her book, entitled Blowing My Cover, she recalls a warning from a grizzled rank and file CIA veteran who advises her not to let the job consume her, as the higher-ups in the beltway pay much more attention to failure than success. -Barry Bennington (November 27, 2011)
According to this article in the Washington Post, Wikileaks is gearing up to release US State Department documents. The current administration appears to be bracing for impact. The article reports:
"U.S. officials are concerned that some of the leaked cables could include details of conversations in which senior foreign politicians offer candid appraisals of their governments. Those assessments could prove embarrassing, not only to the United States but to the politicians and governments concerned."
Elizabeth King, the Assistant Secretary of Defense for Legislative Affairs recently sent an e-mail to Senate and House Armed Services Committees asserting that "The publication of this classified information by WikiLeaks is an irresponsible attempt to wreak havoc and destabilize global security. It potentially jeopardizes lives."
Julian Assange is no stranger to this sort of critique. In a correspondence sent to volunteers[at]lists.wikileaks.org in March of 2008, he stated that:
"The first ingredient of a democracy is the people's right to know, because without such understanding no human being can meaningfully choose to support anything, let alone a political party. Knowledge is the driver of every political process, every constitution, every law and every regulation... Since knowledge is the creator and regulator of all law, it must be placed beyond law."
As the clock ticks down to the release date, which the Pentagon suspects may be as soon as November 26th, I wonder if the State Department will simply weather the oncoming storm. Or, (as Wikileaks has intimated) "the coming months will see a new world, where global history is redefined." Either way, I cannot help but notice the admonishment by Wikileaks to "Keep us strong." Says Cryptome: "it's the patois of whispering promises of manifold return on investment for riches to come. Open your wallet." -BB (2010-11-24)
In this article from Network World, the NSA's Information Assurance Technical Director, Dickie George, acknowledges the issues posed by attribution. He states, "Back then, if the Soviets fired a missile you knew it was the government and could tell where it was fired from... Today, it's bits and you don't see them coming through the air." In other words, how can you rely on a policy of deterrence when you can't even tell who attacked you? Correct me if I'm wrong, but it's been months now and we still don't have any concrete evidence that will tell us who, exactly, built Stuxnet.
In this arena, Dickie claims that we need to "make ourselves harder targets." The best defense isn't a good offense, contrary to what you may hear from retired government officials who now represent corporate interests in the defense industry. The best defense is... a solid defense.
These are similar to some of the basic arguments that I touched on this past October during an event at San Francisco State University. -BB (2010-11-21)
RELATED: A recent Senate hearing on Stuxnet. Notice who provided the witness testimony. Do you think they might have a vested interest in painting an ominous picture?
Researchers at Symantec have uncovered more details with regard to what this malware does. Specifically, they discovered that "Stuxnet requires particular frequency converter drives... [and] changes the output frequencies and thus the speed of the motors for short intervals over periods of months. Interfering with the speed of the motors sabotages the normal operation of the industrial control process."
Note that details about who created Stuxnet and why they created it are still sadly absent, though this didn't stop anyone in the press from taking almost comical speculation about Stuxnet and presenting it as fact. -BB (2010-11-13)
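The behaviour Symantec describes (drive speed altered for short intervals, repeated over months) is the kind of pattern a plant historian can be searched for. The following is an added example, not code from Symantec or from this page: it flags drives whose output frequency leaves a baseline band briefly and repeatedly over a long span. All names, thresholds and readings are constructed assumptions, and it assumes the readings come from a logger that is independent of the controller being checked.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

STEP = timedelta(minutes=5)          # constructed sampling interval
T0 = datetime(2010, 1, 1)            # constructed start of the log


@dataclass
class Excursion:
    drive: str
    start: datetime
    end: datetime
    peak_hz: float                   # sample farthest from the baseline


def baseline_band(known_good_hz, tolerance=0.02):
    """Band of +/- tolerance around the median of a known-good window."""
    mid = median(known_good_hz)
    return mid * (1 - tolerance), mid * (1 + tolerance)


def find_excursions(drive, readings, band):
    """Group consecutive out-of-band samples into Excursion records."""
    low, high = band
    mid = (low + high) / 2
    found, current = [], None
    for ts, hz in readings:
        if low <= hz <= high:
            if current is not None:
                found.append(current)
                current = None
            continue
        if current is None:
            current = Excursion(drive, ts, ts, hz)
        else:
            current.end = ts
            if abs(hz - mid) > abs(current.peak_hz - mid):
                current.peak_hz = hz
    if current is not None:
        found.append(current)
    return found


def recurring_short(excursions, max_len=timedelta(hours=1),
                    min_span=timedelta(days=14), min_count=2):
    """Keep brief excursions only if they recur over a long span."""
    short = [e for e in excursions if e.end - e.start <= max_len]
    if len(short) >= min_count and short[-1].start - short[0].start >= min_span:
        return short
    return []


def constructed_telemetry():
    """90 days of made-up readings for two drives (not real plant data)."""
    def series(overrides):
        out = []
        for i in range(90 * 288):                     # 288 samples per day
            hz = 1000.0 + ((i % 7) - 3) * 0.5         # nominal speed plus jitter
            for first, count, value in overrides:
                if first <= i < first + count:
                    hz = value
            out.append((T0 + i * STEP, hz))
        return out
    return {
        # two brief speed changes, 27 days apart
        "drive-A": series([(13 * 288, 4, 1300.0), (40 * 288, 10, 50.0)]),
        # one two-day planned shutdown, long enough to be ignored
        "drive-B": series([(20 * 288, 576, 0.0)]),
    }


def analyse(telemetry, baseline_samples=288):
    """Return {drive: [Excursion, ...]} for drives showing the pattern."""
    report = {}
    for drive, readings in telemetry.items():
        band = baseline_band([hz for _, hz in readings[:baseline_samples]])
        report[drive] = recurring_short(find_excursions(drive, readings, band))
    return report


if __name__ == "__main__":
    for drive, hits in analyse(constructed_telemetry()).items():
        for e in hits:
            print(drive, e.start, e.end - e.start, e.peak_hz)
```

The baseline here is taken from the first day of readings, so it is only as trustworthy as that commissioning window.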
"This technology is very easy to build since it does not rely on deep analysis of chip logical gates architecture. Floating Point Arithmetic (FPA) looks promising to define a set of tests to identify the processor or, more precisely, a subset of possible processors."
This is the first step towards building malware that targets a specific chipset, as opposed to a specific OS. Once you know the chipset, you can look for hardware-specific exploits. Finding a hardware-level flaw... that, dear reader, is the challenging part. -BB (2010-11-11)
If this doesn't raise an eyebrow, I don't know what will:
"The Bureau of Information Resource Management's Radio Programs Branch (IRM/OPS/ITI/LWS/RPB) provides all overseas missions two-way radios equipped with Digital Encryption Standard (DES) or Advance Encryption Standard (AES). These encryption algorithms provide limited protection from unauthorized interception of voice communications and are only approved for the transmission of Department of State Sensitive But Unclassified (SBU) and Department of Defense For Official Use Only (FOUO) communications. Under no circumstances should DES- or AES-equipped radios be used for the transmission of classified information, as defined by Executive Order 12958."
If there are flaws in AES that make it undesirable as an encryption algorithm for classified information, then it's probably not a good standard. Unless of course, for whatever reason, you want people to rely on an algorithm that allows you to eavesdrop. Someone has some explaining to do... -BB (2010-11-07)
The Wall Street Journal reports that "a group that includes former WikiLeaks staffers who left the organization after disagreements with founder Julian Assange is pursuing plans for a rival document-leaking venture, said people familiar with their plans."
It's interesting to examine how the WSJ frames this story. They present it as if it were a bad thing. The reality is that having multiple outlets makes it more difficult for opponents to subvert the flow of information to the public. A single outlet represents a choke point that becomes an attractive target for prosecution, bribery, and disinformation campaigns. Don't think "competition," think "failover." - BB (2010-11-05)
RELATED: Here are some notes from a recent event at the NYU School of Law. "Wikileaks should be seen as one of many counter-authority initiatives stretching back three millennia, the numbers increasing rapidly via the Internet, including those using public benefit initiatives to hide the authoritarian -- every authoritarian allows a controlled counter for gloss." I find the last part of the previous sentence to be particularly disturbing. Every power structure tolerates a token amount of resistance to help legitimize itself. - BB (2010-11-06)
The Press, Intel Agencies, & Wikileaks
New York Times Op-ed: "Some say that what's important is the material itself. Whether or not Julian Assange is a rogue with a political agenda, what matters most is that The Times authenticates the information."
Cryptome: "This is the Times's vainglorious argument: we will take the information, for free, thank you very much, then transform it into our 'reputable' product. The same with spies. In the end there is little difference among thieves who steal open and leaked information and bump up the price as if exploiting sweat labor."
The Drive Towards National Operating Systems
Reliance on Windows has motivated countries like Russia, India, and China to think about building their own OS. The basic premise is that it may not be wise to base your core digital infrastructure on an OS that you don't own, control, and audit. Who really knows what's in that special sauce? Is that a genuine kernel bug or a cleverly disguised back door? Can you say "plausible deniability?"
Perhaps these governments should chat with Joanna Rutkowska. There's definitely something to be said for her disposable VM concept. Though I wonder how this would impact a forensic investigation?
One might speculate that certain problems we have regarding cyber security may be rooted in the short-term mindset of our culture in general. Executives focus on the next business quarter, politicians focus on the next election cycle, and as a result we never step back to see that there's a long-term endgame being played out; one that will require us to make investments that may not yield significant returns (or appear attractive) over the short-term but will be necessary for us to function as years turn into decades. -BB(2010-10-27)
"At 5pm EST Friday 22nd October 2010 WikiLeaks released the largest classified military leak in history. The 391,832 reports ('The Iraq War Logs'), document the war and occupation in Iraq, from 1st January 2004 to 31st December 2009 (except for the months of May 2004 and March 2009) as told by soldiers in the United States Army. Each is a 'SIGACT' or Significant Action in the war. They detail events as seen and heard by the US military troops on the ground in Iraq and are the first real glimpse into the secret history of the war that the United States government has been privy to throughout."
"The reports detail 109,032 deaths in Iraq, comprised of 66,081 'civilians'; 23,984 'enemy' (those labeled as insurgents); 15,196 'host nation' (Iraqi government forces) and 3,771 'friendly' (coalition forces). The majority of the deaths (66,000, over 60%) of these are civilian deaths. That is 31 civilians dying every day during the six year period. For comparison, the 'Afghan War Diaries', previously released by WikiLeaks, covering the same period, detail the deaths of some 20,000 people. Iraq during the same period, was five times as lethal with equivalent population size."
According to the Washington Post, main outlets like The New York Times, The Guardian, and Der Spiegel were granted early access to the War Logs and have established portals focusing on different aspects of the reports. -BB(2010-10-23)
RELATED: The New York Times reports that Afghan President Hamid Karzai has admitted that he accepts "bags of cash" from the Iranian government.
RELATED: PBS News Hour included a segment last night that addressed what we've learned from the leaked information. John Mearsheimer, a West Point graduate, former Air Force officer and professor at the University of Chicago had this to say: "It's quite clear from the documents that numerous cases are found where Americans were reporting these abuses. The problem is that people further up the chain of command, both the military and civilian individuals, didn't do anything to stop it. There is no question that the Americans knew what was going on. It's not like this was happening in the dark, and we only suspected it and didn't really know about it. We knew about it, and we didn't do anything to stop it. We effectively turned a blind eye. And this was strategically foolish and, I think, morally bankrupt."
RELATED: I thought the following excerpt from an article published by Der Spiegel summed things up nicely. "In one respect, the US Armed Forces, which compiled these documents, and the website WikiLeaks, which is now publishing them, share a common interest. Both organizations view the documents as an inside look at the Iraq war -- the most precise, detailed and comprehensive proximity to the bloody truth yet."
This Thursday, October 21st, our primary investigator and resident heretic will appear at San Francisco State University to speak on the gilded hyperbole of Cyberwar. Come see what drives the media frenzy behind this term and learn how the power brokers in our society manipulate our institutions to manufacture consent. -R. James (10/18/2010)
Former DHS secretary Michael Chertoff repeats a message originally promoted by former DNI Mike McConnell: deterrence. As I've pointed out, this is a flawed approach that could lead us to initiate hostilities against the wrong country. Anti-forensics has progressed to the point where it would be entirely feasible for one nation-state to frame another. Currently there seem to be any number of former government officials talking about Cyberwar, and this fact hints at the reasons why this idea has achieved so much momentum. -BB (2010-10-15)
RELATED: A Reuters article notes that "The Pentagon's biggest suppliers -- including Lockheed Martin Corp, Boeing Co, Northrop Grumman Corp, BAE Systems Plc and Raytheon Co -- each have big and growing cyber-related product and service lines for a market that has been estimated at $80 billion to $140 billion a year worldwide"
RELATED: The truth finally starts to come out. The BBC reports on the UK's recently published National Security Strategy. This document claims that Cyberwar is right up there with nuclear weapons and pandemics. These assertions have been made in light of annual cuts of 8% to the defence budget over the next four years.
John Markoff in the New York Times has written an article which intimates that the Stuxnet worm may be the work of Israel's Unit 8200. According to Markoff, "Several of the teams of computer security researchers who have been dissecting the software found a text string that suggests that the attackers named their project Myrtus... an allusion to the Hebrew word for Esther. The Book of Esther tells the story of a Persian plot against the Jews, who attacked their enemies pre-emptively."
Really? Personally I'd be surprised if a crack team of Israeli software engineers were so sloppy that they relied on outdated rootkit technology (e.g. hooking the Nt*() calls used by Kernel32.LoadLibrary() and using UPX to pack code). Most of the Israeli developers I've met are pretty sharp. Just ask Erez Metula.
It may be that the "myrtus" string from the recovered Stuxnet file path "b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb" stands for "My-RTUs," as in Remote Terminal Unit. See the following white paper from Motorola, which examines RTUs and PICs in SCADA systems. Who knows? The guava-myrtus connection may actually hold water.
As you can see, the media's propaganda machine is alive and well. -BB (2010-10-01)
UPDATE: Elinor Mills of cnet tries to separate fact from theory in this reality check. For example: there's no solid evidence as to who's behind the malware or even what country or operation was the intended target, and it's unknown if any serious damage has been done.
RELATED: As the frenzy over Stuxnet plods onward, the FBI has released details on Operation Trident Breach. According to the FBI's press release, criminals made off with roughly $70 million.
I'm sure you can see a pattern here. While we're distracted with a litany of ominous sounding potential threats to our welfare, actual losses caused by tangible crimes are occurring on a daily basis. As Bruce Schneier has pointed out, the solutions that we turn to depend on how we frame what's going on. Will we focus on Cybergeddon or will we focus on more mundane events that have an actual cost which we can directly measure?
Stuxnet: Despite Rumors and Hyperbole, Questions Remain
RELATED: George Smith observes that "the lack of substantial proof of success in offensive malware operations won't stop anyone in the business of insisting just the opposite... Stuxnet as a super cyber weapon is a hot, sexy story. The hype behind it is predictable, even logical"
RELATED: Cybercrime Continues As CyberWar Fizzles - "In a rash of dawn raids, police in the United Kingdom nabbed 19 people suspected of stealing more than $9 million from online bank accounts."
RELATED: Yet Even More Cybercrime - "The FBI and the U.S. Attorney's office in southern New York announced charges today against 37 people accused of being part of an international crime ring that stole $3 million from bank accounts." No rumors, no hype, no anonymous sources. Just hard facts. Cybercrime is the domain where we are suffering death by a thousand cuts.
The issue of attribution once again comes to the forefront. This morning an Associated Press article declared that "Government experts and outside analysts say they haven't been able to determine who developed it [Stuxnet] or why." Keep this in mind because there are any number of interests that stand to gain by planting the seed of suggestion.
Another thing that I found interesting was the admission by commercial researchers that this might not be the work of a nation-state. Rather, it might just be a "well-funded private entity." Trust me, there are plenty of these out in the wild (just take a look at how Presidential elections are financed in the United States). Contrary to popular belief, you don't necessarily need a billion-dollar budget to develop cyber weapons. Though I'm sure there are contractors who would insist that this is the case. Charlie Miller has asserted that paralyzing the United States would require two years of effort and less than 100 million dollars. In the case of Stuxnet, the estimate seems to be a team of 5-10 people. In my opinion, this kind of effort would easily be in reach of a private organization that has a few million dollars to throw around.
Finally, despite all the media buzz that reflects on what could have happened, according to Siemens: of the 15 industrial control plants that Stuxnet found its way into, none have been adversely affected. -BB (2010-09-26)
Not So Cutting-Edge Aspects of Stuxnet
Despite certain facets of this malware that are definitely notable (e.g. employing multiple 0-day exploits, the use of code signing certificates, auto-update with an option to use P2P channels in the event that the C2 node goes down), there are aspects of the implementation that struck me as being slightly dated.
For example, to map DLLs into memory Stuxnet relies on a well-known hook-based approach that alters a handful of lower-level APIs used by the Kernel32.LoadLibrary() routine. This strategy generates forensic artifacts by virtue of the fact that a DLL loaded in this manner ends up in memory, and in the system's runtime bookkeeping, while failing to show up on disk (a telltale sign, just ask the response team at Guidance Software). In other words, the absence of an artifact is itself an artifact.
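The cross-view comparison this points to, as an added example that is not part of the original post: take the module paths recorded in memory and check each one against the files actually present on disk. The module list, the disk listing and the name EXAMPLE_NO_FILE.DLL are constructed sample data, and the function names are hypothetical.

```python
import ntpath


def normalize(path, system_root="C:\\Windows"):
    """Reduce the spellings Windows uses for one file to a single comparable form."""
    p = path.strip().replace("/", "\\")
    # Strip the NT object-manager prefix (\??\) and the Win32 long-path prefix (\\?\).
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    # Kernel-style paths are often recorded relative to \SystemRoot.
    if p.lower().startswith("\\systemroot\\"):
        p = system_root + p[len("\\systemroot"):]
    # Fold case last: file name lookups on Windows are case-insensitive by default.
    return ntpath.normpath(p).lower()


def unbacked_modules(loaded, disk_listing):
    """Return the loaded-module records that have no corresponding file on disk.

    loaded:       iterable of (pid, process_name, base_address, module_path)
    disk_listing: iterable of file paths taken from the disk image
    """
    on_disk = {normalize(p) for p in disk_listing}
    findings = []
    for pid, process, base, path in loaded:
        if not path:
            reason = "module entry has no path"
        elif normalize(path) not in on_disk:
            reason = "path not present on disk"
        else:
            continue
        findings.append((pid, process, hex(base), path, reason))
    return findings


# Constructed sample data (not taken from any real system or from Stuxnet).
DISK_LISTING = [
    "C:\\Windows\\System32\\ntdll.dll",
    "C:\\Windows\\System32\\kernel32.dll",
    "C:\\Windows\\System32\\services.exe",
]
LOADED = [
    (492, "services.exe", 0x00400000, "C:\\WINDOWS\\system32\\services.exe"),
    (492, "services.exe", 0x7C900000, "\\SystemRoot\\System32\\ntdll.dll"),
    (492, "services.exe", 0x7C800000, "\\??\\C:\\Windows\\System32\\KERNEL32.DLL"),
    (492, "services.exe", 0x10000000, "C:\\Windows\\System32\\EXAMPLE_NO_FILE.DLL"),
    (492, "services.exe", 0x10200000, ""),
]

if __name__ == "__main__":
    for finding in unbacked_modules(LOADED, DISK_LISTING):
        print(finding)
```

Without the normalization step, the differently spelled ntdll.dll and kernel32.dll entries would be reported as missing too, burying the two records that matter.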
A less conspicuous strategy is to use what's been called "Reflective" DLL injection, which is what contemporary suites like Metasploit use. Essentially, reflective DLL injection sidesteps the Windows Loader entirely in favor of a custom user-mode loader (an idea that was presented years ago by researchers like the Grugq, e.g. Data Contraception).
Stuxnet also uses DLLs packed with UPX. Any anti-forensic developer worth their salt knows that UPX leaves a signature that's easy for a trained investigator to recognize. A brief glance at the file headers is usually enough. Once recognized, unpacking is a cake walk. Now, I would expect that if the engineers who built this software took the time and care to implement the obscure PLC features that they did, they'd also have the resources and motivation to develop custom packing components. I mean, if you're going to pack your code, at least make it difficult for the forensic guy wading through your payload. C'mon! It's not that much work.
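As an added illustration (not code from the original post), this is roughly what that glance at the file headers checks: the section names and magic that stock UPX writes, plus a structural trait that remains if the names are changed. The sample headers are constructed for the demo and the function names are hypothetical.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return [(name, virtual_size, raw_size, characteristics)] from a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or pe_off + 24 > len(data):
        raise ValueError("PE signature missing")
    # The 20-byte COFF file header follows the 4-byte signature.
    _machine, nsect, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    table = pe_off + 4 + 20 + opt_size                     # section table starts here
    sections = []
    for i in range(nsect):
        off = table + i * 40                               # each section header is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, _va, raw_size, _rawptr, _rel, _lin, _nrel, _nlin, chars = \
            struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vsize, raw_size, chars))
    return sections


def upx_indicators(data):
    """List the header-level traits that suggest a UPX-packed image."""
    findings = []
    sections = parse_sections(data)
    upx_names = [name for name, *_ in sections if name.startswith("UPX")]
    if upx_names:
        findings.append("section names: " + ",".join(upx_names))
    magic_at = data.find(b"UPX!")
    if magic_at != -1:
        findings.append("UPX! magic at offset 0x%x" % magic_at)
    # Names and magic are trivially edited; the layout is harder to hide. A packer
    # stub unpacks into a section that is empty on disk yet writable and executable.
    for name, vsize, raw_size, chars in sections:
        rwx = (chars & IMAGE_SCN_MEM_EXECUTE) and (chars & IMAGE_SCN_MEM_WRITE)
        if rwx and raw_size == 0 and vsize > 0:
            findings.append("section %r is writable+executable with no bytes on disk" % name)
    return findings


def build_sample(sections, marker=b""):
    """Constructed header-only PE image for the demo (not a runnable executable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 0xE0                                        # PE32 optional header size, zero-filled
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000 * (i + 1),
                    raw, 0x400, 0, 0, 0, 0, chars)
        for i, (name, vsize, raw, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + marker


# Constructed samples: stock UPX layout, an ordinary DLL, and a packed layout
# with the section names changed and the magic removed.
PACKED = build_sample([("UPX0", 0x8000, 0, 0xE0000080),
                       ("UPX1", 0x4000, 0x3A00, 0xE0000040),
                       (".rsrc", 0x1000, 0x400, 0xC0000040)], marker=b"UPX!")
PLAIN = build_sample([(".text", 0x5000, 0x4E00, 0x60000020),
                      (".data", 0x1000, 0x200, 0xC0000040),
                      (".rsrc", 0x1000, 0x400, 0x40000040)])
RENAMED = build_sample([(".a", 0x8000, 0, 0xE0000080),
                        (".b", 0x4000, 0x3A00, 0xE0000040)])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED), ("plain", PLAIN), ("renamed", RENAMED)):
        print(label, upx_indicators(sample))
```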
Why even use DLLs? Why not create some special-purpose file format that relies on a shrouded address table and utilizes an embedded virtual machine to execute one-of-a-kind bytecode? Really, if you have a federal budget backing you up why not go full bore? Heck, I know I would. Ahem.
What all of this seems to indicate is that the people who built this in some respects took the path of least resistance. They opted to trade development effort for a forensic footprint. Is this the super weapon that the media is making Stuxnet out to be? -BB(2010-09-24)
We've Met the Enemy and He Is...
When reading stories about espionage in the press there can be a tendency to adopt a mindset that frames incidents in terms of one nation-state versus another, and this often lends itself to tacitly assuming a sort of moral high ground. Or, put more mildly, it gives the general impression that a specific nation-state is an offender in this arena more so than other nation-states (e.g. man, it's those darn Canadians again!).
While certain intelligence agencies have been known to establish "special relationships," for the most part everyone spies on everyone else. Such is life in the theatre of international relations. As in the genre of noir fiction, everyone is dirty to some extent (even the protagonist). While most of the stories I've read seem to point to China or Russia as the usual suspects, I think it's interesting to note something that retired Air Force General Michael Hayden said during an interview on the Jim Lehrer News Hour program:
"There was a survey done not too many months ago. They asked the citizens of some cyber-savvy nations around the world, who do you fear most in the cyber-domain? And, quite interestingly, we were number one.
The Chinese were a close second, but we were number one, which I think is simply a reflection that we are a technologically agile country, and we have very good intelligence services, and the rest of the world is kind of responding to that reality."
RELATED: Recall the Crypto AG story reported by the Baltimore Sun. If these allegations had been leveled at another country, you can imagine the outrage that we would have voiced.
"For four decades, the Swiss flag that flies in front of Crypto AG has lured customers from around the world to this company ...Some 120 nations have bought their encryption machines here. But behind that flag, America's National Security Agency hid what may be the intelligence sting of the century. For years, NSA secretly rigged Crypto AG machines so that U.S. eavesdroppers could easily break their codes, according to former company employees whose story is supported by company documents."
A Cyberwar Gulf of Tonkin Incident?
An article by SecurityWeek offers opposing viewpoints on the Pentagon hack.
Chester Wisniewski, Sophos Chief Security Adviser: "Why would a foreign intelligence agency attack the U.S. government with such a low-powered weapon? ...In his words, 'Either it wasn't put there by a foreign government or it wasn't agent.btz.'"
Tom Conway, McAfee's Director of Federal Business Development: "Why reveal your trade craft if something that's widely available on the black market will do the job?"
Comments: I'm inclined to side with Chester. The fact is that the agent.btz worm didn't "do the job." In an age of custom firmware rootkits, rogue hypervisors, and circuit-level subversion, a payload that "does the job" wouldn't have been discovered!
"Never ascribe to malice that which is adequately explained by incompetence" - Napoleon Bonaparte
If intel agencies from other countries had wanted data from top secret networks, I have a very hard time believing that they'd be anywhere near this sloppy. It sounds more like someone is exaggerating a pedestrian malware infestation as a means to bolster funding and then shielding themselves against further scrutiny by using the standard secrecy argument: "I can't tell you, it's classified." -BB (2010-09-05)
The decision makers at the Pentagon are at it again. According to an article published by the Washington Post, officials are considering preemptive strikes as a way to protect us. The difference is that it's being dressed up with new jargon; in this case it's being referred to as an "active defense." Oh, that's rich.
This suffers from the same basic problem as the doctrine of massive retaliation: attribution. If you can't identify the actual origin of an attack, it's an exercise in futility to build up a huge stockpile of offensive capabilities (unless of course you're in the business of building offensive weaponry). Furthermore, are we prepared to live with the consequences when we attack the wrong country? Correct me if I'm wrong but did we just spend close to a trillion dollars to protect ourselves from imaginary weapons of mass destruction? Think of what that money could have done here in the US if we had directed it towards health and human services.
In what military officials are calling the fifth domain, the best defense is not a good offense. We'd be much better off focusing on, well, defense. -BB (2010-09-02)
In this Foreign Affairs article, Deputy Secretary of Defense William Lynn hypes an incident with a thumb drive that occurred back in 2008:
"The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control"
Reports from Wired appear to counter his assertions.
"Agent.btz is a variant of the SillyFDC worm... Agent.btz's ability to compromise classified information is fairly limited. SIPRNet, the military's secret network, and JWICS, its top secret network, have only the thinnest of connections to the public internet. Without those connections, intruders would have no way of exploiting the backdoor, or, indeed, of even knowing that agent.btz had founds its way into the CENTCOM network... What spy service would launch such a lame attack?"
Another thing to keep in mind, dear reader, is that Foreign Affairs is a publication of the Council on Foreign Relations. -BB (2010-08-26)
UPDATE: The New York Times has printed an article on this. According to the Times, Lynn composed his Foreign Affairs essay "to raise awareness of the threat to United States cybersecurity ...and partly to make the case for a larger Pentagon role in cyberdefense."
I'd pay close attention to the second half of that previous sentence. -BB(2010-08-26)
"This CIA 'Red Cell' report from February 2, 2010, looks at what will happen if it is internationally understood that the United States is an exporter of terrorism..."
"The report looks at a number cases of US exported terrorism, including attacks by US based or ﬁnanced Jewish, Muslim and Irish-nationalism terrorists."
RELATED: A WSJ article that looks at how WikiLeaks conceals funding information. The empire strikes back, so to speak. -BB (2010-08-26)
"Secrecy hides privilege, incompetence and deception of those who depend on it and who would be disempowered without it...
A vast global enterprise of governments, institutions, organizations, businesses and individuals dependent upon the secrecy of abuse of secrecy has evolved into an immensely valuable practice whose cost to the public and benefits to its practitioners are concealed by secrecy...
Secrecy poses the greatest threat to the United States because it divides the population into two groups, those with access to secret information and those without. This asymmetrical access to information vital to the United States as a democracy will eventually turn it into an autocracy run by those with access to secret information, protected by laws written to legitimate this privileged access and to punish those who violate these laws."
This may sound a bit overblown. But consider this: according to the Top Secret America project, some 854,000 people (more than the entire city of San Francisco) hold top-secret security clearances. In the greater DC area, 33 buildings for top-secret intelligence work are under construction or have been built in the aftermath of September 2001. These structures consume the same amount of space as three Pentagons - roughly 17 million square feet.
Does John Young really sound so far off of the mark? -BB (2010-08-23)
"Barclays Bank PLC, a United Kingdom corporation headquartered in London, has agreed to forfeit $298 million to the United States and to the New York County District Attorney's Office in connection with violations of the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA)"
"According to court documents, from as early as the mid-1990s until September 2006, Barclays knowingly and willfully moved or permitted to be moved hundreds of millions of dollars through the U.S. financial system on behalf of banks from Cuba, Iran, Libya, Sudan and Burma, and persons listed as parties or jurisdictions sanctioned by OFAC in violation of U.S. economic sanctions."
Though this may seem like a lot of money at first blush, it's just a slap on the wrist, which Barclays will probably accept as the cost of doing business. At best, this is a symbolic victory. -BB (2010-08-18)
"The top-secret world the government created in response to the terrorist attacks of Sept. 11, 2001, has become so large, so unwieldy and so secretive that no one knows how much money it costs, how many people it employs, how many programs exist within it or exactly how many agencies duplicate the same work."
"The major function of secrecy in Washington is to keep the U.S. people and U.S. Congress from knowing what the nation's leaders are doing. Secrecy is power. Secrecy is license. Secrecy covers up mistakes. Secrecy covers up corruption." - Major John Stockwell
In this New York Times op-ed, Richard Falkenrath applauds the United Arab Emirates for its recent decision to suspend BlackBerry service within its borders. The Canadian company that developed the technology, Research In Motion, has resisted modifying its infrastructure to enable authorities to easily intercept the data streams of selected users.
Falkenrath concludes: "In the end, it is governments, not private industry, that rule the airwaves and the Internet. The Emirates acted understandably and appropriately: governments should not be timid about using their full powers to ensure that their law enforcement and intelligence agencies are able to keep their citizens safe."
It's interesting to note that Falkenrath, who was a deputy homeland security adviser to President George W. Bush, now works for the Chertoff Group. The Chertoff Group is a consulting firm that derives its name from one of its principals, Michael Chertoff, the Secretary of the U.S. Department of Homeland Security from 2005 to 2009.
Co-CEO of Research in Motion responded that "Everything on the Internet is encrypted. This is not a BlackBerry-only issue. If they can't deal with the Internet, they should shut it off."
RELATED: Nicholas Merrill (aka John Doe) of Calyx Internet Access finally speaks out.
"I kind of felt at the beginning, so few people challenge this thing, I couldn't just stand by and see, in my opinion, the basic underpinnings of our government undermined ... I was taught about how sophisticated our system of checks and balances is . . . and if you really believe in that, then the idea of one branch of government just demanding records without being checked and balanced by the judicial just is so obviously wrong on the surface."
"At the center of the drama was the posting last week of a massive 1.4 gigabyte mystery file named 'Insurance' on the WikiLeaks website. The 'Insurance' file is encrypted, nearly impossible to open until WikiLeaks provides the passwords. But experts suggest that if anyone can crack it - it would be the National Security Agency."
"'Do we believe that WikiLeaks has additional cables? We do,' said State Department spokesman P.J. Crowley. 'Do we believe that those cables are classified? We do. And are they State Department cables? Yes.'"
Cryptome: Doubts about the invulnerability of AES have persisted since NSA selected an algorithm from an AES competition that was considered by cryptographers not to be the strongest. And that it is likely for strongest protection NSA uses a top secret cryptosystem while promoting AES for public and official use. It is argued that NSA, like all official comsec agencies, would never endorse a system it could not secretly access. And these agencies never reveal that capability -- NSA's backdoor access to Crypto AG was revealed by an employee of the company.
The following excerpts are from an op-ed in The New Yorker
"Shutting WikiLeaks down, assuming that this is even possible, would only lead to copycat sites devised by innovators who would make their services even more difficult to curtail. A better approach for the Defense Department might be to consider WikiLeaks a competitor rather than a threat, and to recognize that the spirit of transparency that motivates Assange and his volunteers is shared by a far wider community of people who use the Internet."
"There is a simple lesson here: whatever the imperfections of WikiLeaks as a startup, its emergence points to a real shortcoming within our intelligence community. Secrets can be kept by deterrence, that is, by hunting down the people who leak them, as Thiessen proposes, and demonstrating that such behavior comes with real costs, such as prison time. But there are other methods: keep far fewer secrets, manage them better."
Wikileaks and Our Foreign Policy
"No amount of rhetorical tap dancing will allow the White House to escape the fundamental contradictions that underlie U.S. policy toward Af-Pak."
Contradiction #1: We're in Afghanistan to prevent future attacks by Al Qaeda
"Now that al Qaeda can attack the United States, its friends and allies from Yemen or Somalia or Pakistan or London or New Jersey, it's hard to claim any uniqueness for Afghanistan. So, why does the United States have to fight the war there with 100,000 troops?"
Contradiction #2: We're in Afghanistan to prevent an extremist coup in Pakistan
"Here's where the new trough of secret WikiLeaks comes in Pakistani military intelligence... is indeed helping the Taliban against Americans in Afghanistan. To boot, the Pakistani government is providing safe haven to the Taliban in Northwest Pakistan, thus making it militarily impossible for U.S. forces to smash them."
"The principal thing that WikiLeaks is doing and as I'm -- and I'm doing, also on another side, is we're trying to give a more fuller picture of the -- of the terrible situation in these countries, that the -- the U.S. military is killing thousands of people over there and that that is not being reported very well.
We regularly publish photographs put out by the Department of Defense about Afghanistan and Iraq. And there's never any carnage shown. You seldom see any of the carnage caused by the military in these wars. And war is carnage. But what you see are a kind of scenes you've just shown. And that's a -- that's an unbalanced view of what's happening there.
There is far more killing being done by the military in Afghanistan than there is by the Taliban, including innocent people. And we just don't get to see that. That is heavily censored. It's classified. It's not put out. What we get is the sanitized version that makes it look like the young soldiers are at risk or innocent civilians are at risk of being killed by the Taliban. But that is a completely inaccurate picture.
...the two talking points that are now being used to change the -- the dialogue about this leak. One is the risk of these informants. The other is that there's nothing new here. Those are talking points that are used by people who are trying to change the topic away from the carnage caused by the military into a polite kind of talking head version, as though there's nothing new here.
Notice that Admiral Mullen talked about blood on the soldiers' hands. WikiLeaks has answered that very effectively. He's changing the topic. He does not want to talk about what the military is doing in Afghanistan.
It is uncontrolled carnage going on over there as American policy. Otherwise, they'd be showing more of the truth."
This is it, dear readers. John Young is pointing out the propaganda machine in action. Pick up a copy of Noam Chomsky's Manufacturing Consent for a more detailed description of how the media works. -BB (2010-07-31)
I Walk The Line
"Mr. Assange can say whatever he likes about the greater good he thinks he and his source are doing, but the truth is they might already have on their hands the blood of some young soldier or that of an Afghan family. Disagree with the war all you want, take issue with the policy, challenge me or our ground commanders on the decisions we make to accomplish the mission we've been given, but don't put those who willingly go into harm's way even further in harm's way just to satisfy your need to make a point."
"Foresight requires trustworthy information about the current state of the world, cognitive ability to draw predictive inferences and economic stability to give them a meaningful home. It's not only in Vietnam where secrecy, malfeasance and unequal access have eaten into the first requirement of foresight ('truth and lots of it'). Foresight can produce outcomes that leave all major interests groups better off. Likewise the lack of it, or doing the dumb thing, can harm almost everyone."
In a bold move that probably constitutes this generation's version of the Pentagon Papers, Wikileaks has published thousands of classified documents that describe U.S. military operations in Afghanistan from 2004 to 2010.
The documents imply, among other things, that Pakistan's intelligence service may be assisting the Taliban despite the billions of dollars in support that Pakistan receives from the United States. In addition, as with Vietnam, things may be less encouraging than our leaders are willing to admit.
The White House has responded. Julian Assange dismissed accusations by Obama administration officials, stating that "We are familiar with groups whose abuse we expose attempting to criticise the messenger to distract from the power of the message."
"Mission Accomplished" proclaims the former President, with a big grin on his face. After spending hundreds of billions of dollars to no avail, one has to wonder who the winners are. My guess is that the answer to this question can be gleaned by scanning through annual reports of companies in the defense industry. Pay no attention to the man behind the curtain. -BB (2010-07-26)
The first time I heard the term Praetorian used, it was in a book written by former CIA agent John Stockwell. By the time you're done reading these three Washington Post articles you should have a pretty good idea what's driving all of the recent Cyberwar fear-mongering ...
Overview of Project : "'Top Secret America' is a project nearly two years in the making that describes the huge national security buildup in the United States after the Sept. 11, 2001, attacks."
Project Articles - PART 1
Quotes and Comments
"The U.S. intelligence budget is vast, publicly announced last year as $75 billion, 21/2 times the size it was on Sept. 10, 2001."
"Because it lacks a synchronizing process, it inevitably results in message dissonance, reduced effectiveness and waste ...We consequently can't effectively assess whether it is making us more safe."-Retired Army Lt. Gen. John R. Vines
comment: So, in other words, we have no idea if all of this money is simply a gift to the private corporate interests that help build this system.
"Secrecy can undermine the normal chain of command when senior officials use it to cut out rivals or when subordinates are ordered to keep secrets from their commanders."
"In the Department of Defense, where more than two-thirds of the intelligence programs reside, only a handful of senior officials - called Super Users - have the ability to even know about all the department's activities. But as two of the Super Users indicated in interviews, there is simply no way they can keep up with the nation's most sensitive work."
"'I'm not going to live long enough to be briefed on everything' was how one Super User put it. The other recounted that for his initial briefing, he was escorted into a tiny, dark room, seated at a small table and told he couldn't take notes."
comment: This makes me wonder if the people who are supposed to be in control are actually in control? Has the system been subverted by a cabal of mid-level people who know how to firewall the boss?
Project Articles - PART 2
Quotes and Comments
"Out of 854,000 people with top-secret clearances, 265,000 are contractors"
"Contractors can offer more money - often twice as much - to experienced federal employees than the government is allowed to pay them. And because competition among firms for people with security clearances is so great, corporations offer such perks as BMWs and $15,000 signing bonuses, as Raytheon did in June for software developers with top-level clearances."
"A 2008 study published by the Office of the Director of National Intelligence found that contractors made up 29 percent of the workforce in the intelligence agencies but cost the equivalent of 49 percent of their personnel budgets."
"The evolution of General Dynamics was based on one simple strategy: Follow the money... Revenue from General Dynamics' intelligence- and information-related divisions, where the majority of its top-secret work is done, climbed to $10 billion in the second quarter of 2009, up from $2.4 billion in 2000, accounting for 34 percent of its overall revenue last year"
comment: As I noted earlier, if all of this funding isn't necessarily making us more secure, then who is truly benefiting from the massive intel build up?
"In September 2009, General Dynamics won a $10 million contract from the U.S. Special Operations Command's psychological operations unit to create Web sites to influence foreigners' views of U.S. policy. To do that, the company hired writers, editors and designers to produce a set of daily news sites tailored to five regions of the world. They appear as regular news Web sites, with names such as 'SETimes.com: The News and Views of Southeast Europe.' The first indication that they are run on behalf of the military comes at the bottom of the home page with the word 'Disclaimer.' Only by clicking on that do you learn that 'the Southeast European Times (SET) is a Web site sponsored by the United States European Command.'
comment: Widespread manipulation of public opinion is alive and well. Don't think for a minute that it's only limited to other countries.
Project Articles - PART 3
Quotes and Comments
"From the road, it's impossible to tell how large the NSA has become, even though its buildings occupy 6.3 million square feet - about the size of the Pentagon - and are surrounded by 112 acres of parking spaces. As massive as that might seem, documents indicate that the NSA is only going to get bigger: 10,000 more workers over the next 15 years; $2 billion to pay for just the first phase of expansion; an overall increase in size that will bring its building space throughout the Fort Meade cluster to nearly 14 million square feet."
"Six of the 10 richest counties in the United States, according to Census Bureau data, are in these [Fort Meade] clusters."
"Loudoun County, ranked as the wealthiest county in the country, helps supply the workforce of the nearby National Reconnaissance Office headquarters, which manages spy satellites. Fairfax County, the second-wealthiest, is home to the NRO, the CIA and the Office of the Director of National Intelligence. Arlington County, ranked ninth, hosts the Pentagon and major intelligence agencies. Montgomery County, ranked 10th, is home to the National Geospatial-Intelligence Agency. And Howard County, ranked third, is home to 8,000 NSA employees."
comment: All animals are equal. It's just that some animals are more equal than others. This is your federal tax money at work.
David C. Gompert : Acting Director of National Intelligence
Wired : "This piece is about much more than dollars. It's about what used to be called the Garrison State: the impact on society of a praetorian class of war-focused elites. Priest and Arkin call it 'Top Secret America,' and it's so big and grown so fast, that it's replicated the problem of disconnection within the intelligence agencies that facilitated America's vulnerability to a terrorist attack."
The Office of the DNI : Attempts to apologize for redundancy, mission overlap, and poor information sharing.
The Atlantic: "The culture of secrecy has fascinated observers and participants for decades. It is always deplored as a fundamental rejection of American values: citizens need reliable information in order to exercise their rights, and lawmakers cannot use the cloak of secrecy to hide their own sins. But somehow, the secrecy apparatus resists all efforts to shrink it. Presidents come and go, but secret-keepers burrow deep into the government."
Salon: "Secrecy is the religion of the political class, and the prime enabler of its corruption. That's why whistle blowers are among the most hated heretics. They're one of the very few classes of people able to shed a small amount of light on what actually takes place."
"Over the past two years, one of the most thought-provoking observations I have heard from both military and intelligence folks is this: There are probably 500 al-Qaeda members left in the Afghanistan-Pakistan region. At most, the organization may have a couple thousand people worldwide. Why do we need such a large intelligence effort ---the 1,300 agencies we identified that are a part of this effort--- to defeat a couple thousand people?" -Question posed by Dana Priest
1. This issue does not affect any Dell PowerEdge servers shipped from our factories and is limited to a small number of the replacement motherboards only which were sent via Dell's service and replacement process for four servers: PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410. The maximum potential exposure is less than 1% of these server models.
2. Dell has removed all impacted motherboards from the service supply. New shipping replacement stock does not contain the malware.
3. The W32.Spybot worm was discovered in flash storage on the motherboard during Dell testing. The malware does not reside in the firmware.
4. All industry-standard antivirus programs on the market today have the ability to identify and prevent the code from infecting the customer's operating system.
5. Systems running non-Microsoft Windows operating systems cannot be affected.
6. Systems with the iDRAC Express or iDRAC Enterprise card installed cannot be affected.
7. Remaining systems can only be exposed if the customer chooses to run an update to either Unified Server Configurator (USC) or 32-bit Diagnostics.
RELATED: Richard Bejtlich calls out Dell to step up their game with regard to how they handled the incident.
I have to admit, this story really caught my attention.
"We have identified a potential issue with our service mother board stock, like the one you received for your PowerEdge R410, and are taking preventative action with our customers accordingly. The potential issue involves a small number of PowerEdge server motherboards sent out through service dispatches that may contain malware. This malware code has been detected on the embedded server management firmware as you indicated."
It will be interesting to see how this story unfolds. How did the malware find its way into the firmware? Who was responsible? Will we ever know? How can you protect yourself from this sort of subversion, especially on a tricked-out machine that only the OEM truly understands? -BB (2010-07-21)
Years ago, when the debate over offshore outsourcing took center stage, we were told that high-tech corporations were simply following their financial prerogatives by finding new ways to stay competitive in the free market economy. Never mind the long-term strategic costs that would come back to haunt us years later when the countries we shipped our jobs off to started to catch up with us. Naturally, many students saw the writing on the wall and pursued work in other fields. Why take out all of those student loans and devote years of your life preparing for a job that's headed overseas?
This "shortage" of computer security talent: we did it to ourselves. It's a symptom of a much larger problem. The unpleasant truth is that our leaders have willfully allowed this state of affairs to develop. This is because they're beholden to a powerful group of business interests that have no real sense of obligation to the U.S. as a country. Strictly speaking, the multinationals exist to generate value on behalf of their shareholders, whoever they may be.
Furthermore, I would contend that the free market argument is nothing more than an ideological ploy that's brought into discourse whenever it happens to be convenient. What exists in our society is a thinly veiled double standard. Unemployed workers can be sternly lectured by drug-addled radio commentators on the advantages of self-reliance. But for large corporations that need to be bailed-out or benefit from wars based on imaginary weapons of mass destruction, the welfare state must thrive to the tune of hundreds of billions of dollars.
To see where this trend is going to take us, I would start by reading a book published by the Cornell University Press (a notably conservative institution) entitled The State of Working America. If you want to extrapolate even further, research the origins of the term "Plutonomy."
Though free market advocates ridicule protectionist measures as decidedly un-American, Intel's former CEO Andy Grove has a few words of his own to offer:
"I fled Hungary as a young man in 1956 to come to the U.S. Growing up in the Soviet bloc, I witnessed first-hand the perils of both government overreach and a stratified population. Most Americans probably aren't aware that there was a time in this country when tanks and cavalry were massed on Pennsylvania Avenue to chase away the unemployed. It was 1932; thousands of jobless veterans were demonstrating outside the White House. Soldiers with fixed bayonets and live ammunition moved in on them, and herded them away from the White House. In America! Unemployment is corrosive. If what I'm suggesting sounds protectionist, so be it."
WSJ: Raytheon Wins $100 Million Classified Contract
According to an article written by Siobhan Gorman in the Wall Street Journal, Raytheon Co. has been awarded a $100 million dollar classified contract to perform initial work on a program called "Perfect Citizen." Note that Gorman is relying on information received from "a person familiar with the project." This report claims that Perfect Citizen is a surveillance program intended to detect cyber attacks on organizations that maintain our critical infrastructure. Both the NSA and Raytheon declined to comment.
Reuters has also looked into this development. They quote an NSA spokesman who claims that "This is a research and engineering effort... there is no monitoring activity involved, and no sensors are employed in this endeavor." Other than that, both the NSA and Raytheon are very tight-lipped about the contract itself.
The Reuters article points to a speech given by Secretary of Defense William Lynn, where Lynn states that "more than 100 foreign intelligence organizations are trying to break into U.S. systems."
What this seems to confirm is that the actual threats we face are related to espionage and cybercrime. I think it's pretty safe to assume that nation-states spy on each other, and that espionage has been going on for centuries. Furthermore, I bet we're neck deep in our own efforts when it comes to compromising systems in other countries, and so it strikes me as odd that people are so shocked when we happen to be on the receiving end.
The gilded hyperbole of cyberwar exists partially because certain contracting companies, consulting firms, and federal agencies know that they stand to benefit from the spotlight that's been put on the Internet. They know that with the right amount of fear-mongering they can steer some of the resulting federal funding their way. -BB (2010-07-10)
While government officials, and former government officials, stoke the flames of hysteria, it's reassuring to occasionally hear a measured voice of dissent. I'm speaking of Bruce Schneier's recent op-ed piece on CNN. Schneier states:
"Cyberspace has all sorts of threats, day in and day out. Cybercrime is by far the largest: fraud, through identity theft and other means, extortion, and so on. Cyber-espionage is another, both government- and corporate-sponsored. But we're not fighting a cyberwar now, and the risks of a cyberwar are no greater than the risks of a ground invasion."
Based on the relative frequency of cybercrime and espionage, I would agree with him. These are the clear and present dangers. As Schneier points out, what cyberwar advocates tend to do is to lump everything together such that occurrences of espionage suddenly become acts of war. If that's the case, then it's safe to say that we're currently at war with half of the developed world, including our allies (and we have been for decades). For example, Schneier observes:
"Recent news articles have claimed that China declared cyberwar on Google, that Germany attacked China, and that a group of young hackers declared cyberwar on Australia. (Yes, cyberwar is so easy that even kids can do it.) Clearly we're not talking about real war here, but a rhetorical war: like the war on terror."
Though, I would add that, because attribution is such a basic issue, we may never know who was behind the attacks on Google. It could very well have been another nation-state using anti-forensic technology. For the time being, we only know that the attacks originated from China. I think that this is an important point.
So why all of the hyperbole? Why all of the semantic acrobatics? Why all of the doomsday Cassandras? According to Schneier:
"It's about who is in charge of cyber security, and how much control the government will exert over civilian networks. And by beating the drums of war, the military is coming out on top."
Let's not forget all of those defense contractors and consulting firms that stand to make a tidy profit if the government decides to steer tax dollars in their direction. It's been well documented that these organizations have been bolstering their cyber divisions in anticipation of a windfall.
Instead of giving control of the Internet over to the military, Schneier advocates leveraging existing peacetime institutions that can be moderated by the judicial system and legal protections. I would also recommend that we focus on the core vectors that facilitate these attacks to begin with: like insecure software. -BB (2010-07-07)
Comments on The Economist, July 3rd - 9th, 2010 Issue
The inevitable occurred this week as The Economist broached the topic of cyberwar with a couple of articles in its July 3rd issue. Note the dramatic mushroom cloud and the intimations of mass destruction. The first article concludes that "countries should agree on more modest accords, or even just informal 'rules of the road' that would raise the political cost of cyber-attacks." It also makes vague references to "greater co-operation between governments and the private sector."
When attribution is a lost cause (and it is), international treaties are meaningless because there's no way to determine if a participant has broken them. The second recommendation is even more alarming because it's using a loaded phrase that, in the past couple of years, has been wielded by those who advocate Orwellian solutions.
The following article is a morass of conflicting messages. It presumes to focus on cyberwar, yet the bulk of the material deals with cybercrime and run-of-the-mill espionage. Perhaps this is because the author is grasping for examples to impress the reader with. Then there's also the standard ploy of hypothetical scenarios: depicting how we might be attacked and what the potential outcome of these attacks could be. The author shows his true colors in closing when he concludes with the ominous warning that terrorists "prefer the gory theatre of suicide-bombings to the anonymity of computer sabotage...for now."
What disturbs me the most is that The Economist never goes beyond a superficial analysis of the topic to examine what's driving all of the fear, uncertainty, and doubt. Perhaps that would be dysfunctional, as it might lead the press to investigate itself. To help shed light on what's taking place in the body politic, I've decided to release my Lockdown 2010 white paper and slide deck. Read through this material and then go back and re-visit the articles in The Economist. -BB (2010-07-03)
RELATED: A NYTimes article detailing proposed "solutions." Including Howard Schmidt's "voluntary trusted identity" system and Vinton Cerf's internet driver's license.
Charlie Miller: "It would take two years and cost less than 50 million dollars a year to prepare a cyberattack that could paralyse the United States."
Bruce Schneier: "It's very easy to invent scare scenarios but this does not mean we should actually be scared by them."
The threat of cybercrime is real, just read the articles in Below Gotham's News section. Cyberwar, however, is more likely a pretext. The ultimate question is what can we do to protect ourselves from the former and insulate ourselves from the fear-mongering agenda of the latter?
As Estonian President, Mr. Toomas Hendrik Ilves noted on the opening day of the conference: "we lack clear attribution to any political entity; we lack a response doctrine to apply were we to know who committed the aggression." This is a central issue that will define the debate that follows. I think that Richard Clarke may have touched a nerve when he started talking about regulating the software industry. -BB (2010-06-19)
Microsoft: "Don't regulate security in the software industry, don't let the Pentagon stop using our software no matter how many security flaws it has, and don't say anything about software production overseas or deals with China."
This isn't anything new to us folks who slog away in I.T. oblivion. What's interesting is that someone high up finally got the nerve to acknowledge the truth. Until we hold software vendors liable, we can expect the same lip-service that self-regulation has generated in the past. There are some public goods that the free market simply cannot generate. -BB (2010-06-10)
Fear and Loathing at Lockdown 2010
In mid-July our frontman, Bill, will be headed to the midwest to talk about manufacturing consent and the gilded hyperbole of cyberwar. He's been invited by the folks who run Lockdown 2010 at UW. -Rick James (June 3, 2010)
David Cornwell, also known by the pen name John le Carré, worked for both MI5 and MI6 before he retired in 1964 to focus on writing. His literary depiction of intelligence work is in stark contrast to the romantic stereotype promulgated by actors like Sean Connery and Pierce Brosnan. In what may be his best novel to date, The Spy Who Came in from the Cold, he uses the main character as a means to comment on the nature of his earlier profession:
"What do you think spies are: priests, saints and martyrs? They're a squalid procession of vain fools, traitors, too, yes; pansies, sadists and drunkards, people who play Cowboys and Indians to brighten their rotten lives. Do you think they sit like monks in London, balancing the rights and wrongs?"
When spies come in from the cold they often have trench-level insights that differ sharply with popular conceptions. Take Philip Agee's 1978 book entitled Dirty Work: The CIA in Western Europe, where he dispels several myths about the Central Intelligence Agency. For example:
Myth: The major problem is lack of control; that is, the CIA is a "rogue elephant."
"As former Secretary of State Kissinger told Representative Otis Pike's Intelligence Investigating Committee, 'Every operation is personally approved by the President.' ... Successive administrations - together with American-based multinational corporations - have continually demanded the freest possible access to foreign markets, labor, agricultural products, and raw materials. To give muscle to this demand for the 'open door', recent presidents have taken increasingly to using the CIA to strengthen those foreign groups who cooperate - and to destroy those who do not."
On the surface, this is just another glossy article put out by a University's PR department. But there are actually a couple of interesting nuggets embedded in this alumnus biography. For example, while most of the books that I've read seem to indicate that intelligence agencies draw primarily on the military to fill positions, my own experience is that agencies like the CIA also tend to attract people who possess what might be seen as unconventional backgrounds. Sometimes these are the best hires (Fidelity's Peter Lynch was a philosophy major as an undergraduate). Sulick has both components in his background; he served in the Marines and spent years in academia studying Russian literature.
Note Sulick's recruitment tactic: "Foreigners, certainly Russians who were my main target, are proud of their literature and are proud when a foreigner knows something about it. When you discuss literature with somebody, they reveal much about themselves."
If Sulick's career trajectory is any indication, it's my guess that twenty years from now the director of the CIA's Clandestine Service will be someone who's completely fluent in Farsi and Mandarin. Perhaps they will have analyzed the Persian translation of Shuǐhǔ Zhuan. -BB (2010-05-28)
Joe Riggins: Don't be a Know-It-All
Wednesday at CEIC 2010 I sat in on Joe Riggins' "Spy vs. Spy" presentation, which focused on the vagaries of the insider threat. Joe did a commendable job of maintaining our attention with a series of war stories. My personal favorite involved an engagement where a team from Guidance was inspecting a machine that processed credit card transactions. It had five (count them: five) different remote desktop applications installed on it. As it turned out, the server was managed by a number of administrators who couldn't agree on a standard package; definitely a case of too many cooks in the kitchen.
Joe also reported that organized crime elements in Russia are now making more money off of credit card fraud than the Colombian crime lords are making off the drug trade. Now that's one hell of a statement! While I'd like to know where he got that information, I wouldn't necessarily be surprised if it was true.
Finally, Joe hinted at where security software vendors will be headed to expand their market space: intelligent mobile devices. -BB (2010-05-28)
After my talk at CEIC 2010, a couple of people asked me where they could pick up a copy of The Rootkit Arsenal. The publisher (Jones and Bartlett) is offering copies at a discount. See the above link for details. -BB (2010-05-28)
More cyberwar doom and gloom. Who can come up with the best movie script? Mike McConnell or Richard Clarke? - BB (2010-04-28)
Cryptome's John Young adds his two cents:
"Pity Kakutani [book review author], dim-wittingly flogging for two highly paid promoters of cyber pearl harbors. Cybersec, a favorite DC scam spreading around the globe, meanwhile all govs and coms working together are going full speed at spying on cyber users, as ever, for racketeering national security. What the racketeers want is perfect cybersecurity for their trashing that of everyone else."
SOURCE Boston 2010 Post-Game Wrap-up
The demands of my job prevented me from staying for more than a day, so I sat in on a couple of presentations on the 22nd. Perhaps that's a good thing, as my mere presence tends to attract black helicopters and clean cut fellows talking into their sleeves. All told, Stacy Thayer and her SOURCE co-conspirators did an admirable job of managing the flow of people and events. The weather was balmy, the lobster was fresh, and (best of all) the Seaport Hotel, where the event took place, was a $2 bus ride from Boston Logan International. -BB (2010-04-23)
Assurance at Oracle
Mary Ann Davidson is a suit that doesn't sound like a suit. This is definitely a mark in her favor. During her presentation she described how Oracle is trying to build assurance into its products. She said that it isn't so much about establishing a brigade of security police as much as it's about putting the requisite expertise into development so that engineers do the right thing to begin with. Prevention beats detection, so to speak. Davidson observed: "My goal in life is to be out of a job."
Opting Into Surveillance
By far, this was the highlight of the day. Moxie Marlinspike offered an insightful look at how small choices about the technology we use can end up being big choices that impact our ability to participate in society. His delivery was crisp and very entertaining. Why mandate telescreens when you can solicit people to voluntarily be monitored? Who needs TIA when we have Google? Who knows more about their local population: Kim Jong-Il or Google? (Hint: it's not Kim Jong-Il).
I was in the front row taking notes and midway through the talk he came rushing over to where I was seated. At that very moment, I had visions from the movie The Manchurian Candidate flashing through the back of my mind. The Man was finally going to dispatch me with a deep cover plant. Lucky for me, Moxie just wanted a glass of water. "I should have planned ahead," he muttered under his breath.
The Current State of Metasploit
HD was back, and this time he was wearing a suit and a bit more formal in his manner. Hey, give the guy a break, he's a father now. With the blessings of the demo gods, HD managed to pack two hours of material into a 60-minute period. As things stand now, Metasploit has attained the 100,000 LOC mark in light of full-time QA and an accelerated release cycle. He also showed off a slick GUI interface and talked about the Express version's price tag (somewhere around $3K). I think what I appreciated the most was his side-comment that the presentation basically amounted to a thinly veiled sales pitch.
This past week, experts met at a Russian-sponsored security conference in Germany.
"During a panel discussion on computer crime, Col. Gen. Boris N. Miroshnikov, an official with the Russian Interior Ministry, and Stewart A. Baker, a fellow at the Center for Strategic and International Studies in Washington, and the former chief counsel for the National Security Agency, agreed that the most important step in combating Internet crime would be to do away with the anonymity that has long been a central tenet of Internet culture."
As Dan Geer has observed: "If the tariff of security is paid, it will be paid in the coin of privacy."
As Cryptome has observed: "There it is: spies oppose anonymity for anyone except their own criminal operators, winking, 'do what we say not what we do.'"
My thoughts: It's dangerous to install the machinations of a totalitarian state and then simply assume that it will never come to that. There was a time, not so long ago, when social security cards were printed with the caveat that they were not to be used for purposes of identification. -BB (2010-04-17)
RELATED: According to Lt. General Keith Alexander, the impact of new security technology on Internet privacy is classified.
Notable researchers Joanna Rutkowska and Rafal Wojtczuk (from Invisible Things Lab, aka ITL) have released an open source OS that uses virtualization technology to implement security through isolation. Given the architect's reputation with rootkit technology, who else would you trust to offer a secure platform? -BB (2010-04-07)
This investigation is a result of a collaboration between the Information Warfare Monitor and the Shadowserver Foundation. It examines "a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries."
As usual, attribution is an issue. The true identity of the attackers is unknown. -BB (2010-04-06)
"At exactly the time when U.S. government secrecy is at an all-time high, the institutions ostensibly responsible for investigation, oversight and exposure have failed. The American media are largely co-opted, and their few remaining vestiges of real investigative journalism are crippled by financial constraints. The U.S. Congress is almost entirely impotent at providing meaningful oversight and is, in any event, controlled by the factions that maintain virtually complete secrecy."
The CIA document that this article links to is particularly disturbing. Basically, it confirms my suspicion that leaders often depend on voter apathy and manipulate the local population to manufacture consent. It will be interesting to see how things unfold in Iceland. - BB (2010-03-29)
After All These Years: Zero-Day Exploits Persist
Hats off to Peter Vreugdenhil, who bypassed both ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) as part of his bid to compromise IE8 at this year's CanSecWest. Well played, Peter.
RELATED: The renowned Charlie Miller also demonstrated his superior Black Hat Gong Fu with a Safari hack.
...One tends to wonder how much a fellow like Charlie could make on the open market by selling exploits to the people behind the current generation of APTs? This is literally the sort of technology that can make or break a covert operation. In my opinion, guys like Charlie are worth their weight in plutonium. -BB (2010-03-25)
In this essay, James Lewis states that: "Expanded attention to cybersecurity is a good thing, but it seems that it is difficult to discuss this topic without exaggeration. We are not in a 'cyber war.'"
Yet, this doesn't seem to have stopped people from using the term to encourage the sort of hysteria that leads to heavy federal spending. In my opinion, we need to be focusing on cybercrime, not cyberwar. - BB (2010-03-19)
When the New York Times publishes a story on you, you've definitely gotten someone's attention. Perhaps this is what happens when you release an unclassified copy of the "standard operating procedures" at Guantánamo Bay. Recently Wikileaks published an Army Counterintelligence analysis of the threat posed by Wikileaks. The report concludes:
"Wikileaks.org uses trust as a center of gravity by assuring insiders, leakers, and whistleblowers who pass information to Wikileaks.org personnel or who post information to the Web site that they will remain anonymous. The identification, exposure, or termination of employment of or legal actions against current or former insiders, leakers, or whistleblowers could damage or destroy this center of gravity and deter others from using Wikileaks.org to make such information public."
The report also speculates that Wikileaks may be supported by the CIA. As the accusations fly, and the water becomes ever more muddied, one is left to ponder who's telling the truth. Now you know why spies refer to their professional environment as the "hall of mirrors." -BB (2010-03-18)
Come see the tradecraft of the grand rumor mill. This excellent compilation of tactics is based upon "Appendix I: PSYOP Techniques" from "Psychological Operations Field Manual No.33-1" published by Headquarters, Department of the Army, in Washington DC, on 31 August 1979.
UPDATE: To witness a classic example of this sort of manipulation, there's an article you can view online in Monday's WSJ. When it comes to overt, state-sponsored, propaganda on a large scale, China really excels. According to the WSJ's report:
"Chinese news Web sites have also been told they will be required to use only official accounts of the situation if Google.cn is closed... It's not uncommon for propaganda authorities in China to give orders dictating the nature of news coverage on sensitive issues where they fear dissent. The fact that authorities have decided that Google's situation should get that treatment suggests they know that many Chinese Internet users, tens of millions of whom are Google users, don't see things the same way the government does."
...Beware the Ides of March. -BB (2010-03-15)
The Big Haircut
Another remark that Robert Baer makes in the WSJ piece mentioned earlier is that "The art of assassination, the kind we have seen over and over again in Hollywood movies, may be as passé as killing people by arsenic or with a garrote. You just can't get away with it anymore."
This led to some lively banter among members of the lab this evening. OK, guarded by a phalanx of bodyguards and custom armored vehicles, how would one world power decapitate another nation state?
According to Colonel Stanislav Lunev, a Russian military officer who defected to the United States, the GRU planned to employ suitcase nukes to take out our leadership if the need ever arose. It makes sense, I guess. Why gamble on a huge operation that allows no margin for error when all you really need to do is get a high-yield bomb within range of a capital building?
As Baer asserted: "If it had been a Russian hit, for instance, they would have used a pistol or a car bomb, indifferent to the chaos left behind." Or, in this case, a kiloton nuclear device. -BB (2010-03-03)
Here's an interesting WSJ article by Robert Baer, a former CIA spook. In it, he concludes that:
"There should be a cost-benefit calculation in deciding whether to assassinate an enemy... There's certainly an argument to be made that we should have assassinated Saddam Hussein rather than invade Iraq."
This sounds remarkably similar to ideas presented by Jim Bell over a decade ago in his "Assassination Politics" manifesto. The difference is that Bell takes Baer's somewhat offhand observation and follows through with it to reach a rather novel corollary.
"Consider how history might have changed if we'd been able to 'bump off' Lenin, Stalin, Hitler, Mussolini, Tojo, Kim Il Sung, Ho Chi Minh, Ayatollah Khomeini, Saddam Hussein, Moammar Khadafi, and various others, along with all of their replacements if necessary, all for a measly few million dollars, rather than the billions of dollars and millions of lives that subsequent wars cost."
"But that raises an interesting question, with an even more interesting answer. 'If all this is so easy, why hasn't this been done before?' I mean, wars are destructive, costly, and dangerous, so why hasn't some smart politician figured out that instead of fighting the entire country, we could just 'zero' the few bad guys on the top?"
"The answer is quite revealing, and strikingly 'logical': If we can kill THEIR leaders, they can kill OUR leaders too. That would avoid the war, but the leadership on both sides would be dead, and guess who is making the decisions about what to do? That's right, the LEADERS!"
"And the leaders (both theirs and ours!) would rather see 30,000,000 ordinary people die in WWII than lose their own lives, if they can get away with it. Same in Korea, Vietnam, the Gulf War, and numerous other disputes around the globe. You can see that as long as we continue to allow leaders, both 'ours' and 'theirs,' to decide who should die, they will ALWAYS choose the ordinary people of each country."
Not to mention that large military operations are costly affairs, demanding a nontrivial infusion of taxpayer dollars. -BB (2010-03-02)
New Information on Aurora Attacks "Leaked"
The New York Times reports that "people involved in the investigation" have disclosed that the recent attacks on Google have been traced back to Shanghai Jiaotong University and the Lanxiang Vocational School.
First it's Taiwan, then it's somewhere in the mainland, who knows where things will lead to next? Perhaps Toledo, Ohio? As the NYTimes article concedes, "computer industry executives and former government officials said it was possible that the schools were cover for a 'false flag' intelligence operation being run by a third country."
Keep in mind that, for all intents and purposes, this is a leak. As Cryptome has observed:
"Leaks depend upon secrets, they thrive on each other. Leakers and secret keepers are complicit and share characteristics: both exaggerate the importance of information they process, keep secret their sources and operations."
"The business of leaks has become a racket of journalism in cahoots with governments, maybe it always was, but it got a big boost in the 1960s and 70s. Leaks of secrets are now standard operating procedure of official and unofficial secret keepers to boost their budgets and privileges and to garner public belief and best of all, coins. Secret keepers supply leaks to media to lure eyeballs for advertising hypnosis."
The danger of leaks, and the gilded hyperbole that they often employ, is that they can lead to a sort of crisis mentality that's less resistant to plans that might otherwise not stand up to logical examination. Keep people off balance for long enough, on a steady diet of fear and anger, and they'll fall right into the trap that's been set for them by the people who stoke the flames of hysteria. -BB(2010-02-19)
UPDATE (More Leaks): Joseph Menn reports that an anonymous researcher working for the US government told the Financial Times that US analysts have identified the author of code used in the Google attacks.
According to this leak, the consultant who wrote this code isn't an employee of the Chinese government and didn't launch the attack, though he did post parts of his code to an online forum.
Great. In other words they still can't prove who performed the attack. For all we know, the attackers outsourced development, or perhaps trawled the internet looking for proof-of-concept sample code. Plenty of claims with little or no solid evidence; the SOP of media leakers. -BB(2010-02-22)
You'll Just Have to Trust Us
In matters of foreign policy, one way to sideline opposition is to employ the veil of national security. When "experts" try to pull this tactic, I'm reminded of a lecture that a former CIA officer named John Stockwell gave back in 1987. Stockwell, a Major in the Marine Corps who served on the subcommittee of the National Security Council as chief of the CIA's Angola Task Force, noted that:
"It's a very powerful argument, our presidents use it on us. President Reagan has used it on the American people, saying, 'if you knew what I know about the situation in Central America, you would understand why it's necessary for us to intervene.'"
When he questioned his superiors, they assured him that he should just focus on doing his job, that there were wise men in DC sitting in the National Security Council who had access to all the necessary information, who could see the big picture and make the tough decisions. After toiling for years in the field, Stockwell came in from the cold and was rewarded with the opportunity to peek behind the curtain. According to Stockwell:
"What I found, quite frankly, was fat old men sleeping through sub-committee meetings of the NSC in which we were making decisions that were killing people in Africa. I mean literally. Senior ambassador Ed Mulcahy... would go to sleep in nearly every one of these meetings...."
Stow this away somewhere in a far cranial recess, so that as the indictments fly over who is doing what to whom in the new cyber cold war (and why), you can maintain a semblance of objective equilibrium.
This is a fairly comprehensive summary of what's been released to the public so far. HBGary has also developed a tool that can remotely scan Windows machines for the Aurora code and remove it. With regard to identifying the ultimate source of the attacks, the report states:
"At this time, there is very little available in terms of attribution. A CRC algorithm tends to indicate the malware package is of Chinese origin, and many attacks are sourced out of a service called 3322.org, a small company operating out of Changzhou. The owner is Peng Yong, a Mandarin speaker who may have some programming background with such algorithms. His dynamic DNS service hosts over 1 million domain names. Over the last year, HBGary has analyzed thousands of distinct malware samples that communicate with 3322.org. While Peng Yong is clearly tolerant of cyber crime operating through his domain services, this does not indicate he has any direct involvement with Aurora."
Greg Hoglund, the company's CEO (and the godfather of Windows rootkits), recently acknowledged: "there's no hard evidence anywhere that shows that China's government has anything to do with it." Truth is, regardless of what the headlines in the mainstream media imply, we don't know yet who's responsible (though we can definitely speculate). If there's one lesson that I took from Black Hat DC last week it's that attribution on the Internet is problematic. -BB(2010-02-11)
Sort of ironic, given the recent NYTimes article on state-sponsored hacking. Then there's the TimesOnline report that quotes officers who believe that they should strengthen their military until China is "strong enough for a hand-to-hand fight with the US."
Talk about mixed messages. Pay no attention to the man behind the curtain. -BB(2010-02-07)
Black Hat DC 2010 Postgame Wrap-Up
Jeff Moss kicked off this year's Black Hat DC by observing that we'll probably never be able to completely eliminate cyber attacks, and because of this perhaps we should follow Israel's example and work on improving our response capabilities. He also mentioned the issue of attribution, my current pet peeve given all the media coverage that cyber-attacks have been getting.
Next up was keynote speaker Greg Schaffer, Assistant Secretary for Cyber Security and Communications. According to Moss, he's the highest ranking DHS official to ever speak at Black Hat. It was obvious he was up there: lots of abstract references to "spaces" and "practices." Though, I did appreciate his observation that, in the age of worldwide connectivity, every unprotected node is a potential threat. This sort of reminded me of Richard Bejtlich's "Protect The Data" blog entry.
The first session I attended was hosted by a panel of speakers, including the director of Network Abuse at GoDaddy.com. The underlying message (one which Joseph Menn would echo later on the same day) was that going after offenders isn't horribly effective because law enforcement doesn't work that well in an international environment. In so many words, Russia and China don't do squat (and in some cases may actually be shielding offenders). To add insult to injury, when organizations like GoDaddy suspend domains, they end up getting lawsuits thrown at them. Granted no one's ever been successful, but still it's expensive to go through all of the legal steps to get each lawsuit thrown out.
Joe Grand offered an informative discussion on how to cross over to the hardware side of hacking. A lot of what he touched on (e.g. the emergence of small-scale collaboration and outsourcing) reminded me of an article that appeared a while back in Wired Magazine about the rise of DIY.
If a Russian chief of police and his henchmen invite you to go hunting late at night after several rounds of vodka, lock yourself in your room and don't open the door for anyone. In this talk, Financial Times journalist Joseph Menn offered highlights from his recently published book "Fatal System Error." All told, Menn paints a pretty ominous picture. Though attribution is possible, it's very (very) resource intensive. Couple this with the fact that Russian authorities seem to be protecting high-level offenders. Menn suggests that we start over because, as things stand now, there's no way to impose rule of law on the internet.
Black Hat DC 2010: Day 02
The caveat of implementing wiretapping functionality in a network infrastructure, AKA Lawful Intercept, is that it can be turned against the people who it was originally intended to help. The Athens Affair is a well-known example of this. In this session, IBM's Tom Cross examined flaws in Cisco's lawful intercept facilities.
Though I can relate to the basic premise of this session, that the goals of the average pen tester are constrained (and perhaps artificial), I disagree with the speaker's claim that "In general using rootkits to maintain control is not advisable or commonly done by sophisticated attackers because rootkits are detectable."
Stealth technology is part of the ongoing arms race between Black Hats and White Hats. To dismiss rootkits outright implies that this arms race is over (and I assure you, it's not). I suspect that Greg Hoglund, Jamie Butler, Holy Father, Joanna Rutkowska, and several defense contracting agencies would all agree. By definition, the fundamental design goal of a rootkit is to subvert detection.
The grand finale of this year's Black Hat DC was a session led by HD Moore. This guy, HD, is a geek's geek; a man whose mind is working so fast that the words tumble out of his mouth like a 10 GB text file streaming to stdout. He gave the audience a personal history of the Metasploit project and some interesting insights into what can happen when the suits get involved. Congrats on the baby HD!
NOTE: I've put up the slides and white paper for my presentation.
Here's a story you don't read about every day... -BB(2010-01-29)
"There's also another, highly secretive market for zero days [exploits]: U.S. and other government agencies, which vie with criminals to offer the most money for the best vulnerabilities to improve their military and intelligence capabilities and shore up their defenses.
TippingPoint's Amini said he has heard of governments offering as high as $1 million for a single vulnerability ...a price tag that private industry currently doesn't match.
Little is publicly known about such efforts, and the U.S. government typically makes deals through contractors, Amini said. Several U.S. government agencies contacted by The Associated Press did not respond to requests for comment.
One researcher who has been open about his experience is Charlie Miller, a former National Security Agency analyst who now works in the private sector with Independent Security Evaluators. Miller netted $50,000 from an unspecified U.S. government contractor for a bug he found in a version of the Linux operating system."
UPDATE: The Register has called out the mainstream media on China's connection with the recent Google attacks: "If proof beyond a reasonable doubt is good enough in courts of law, shouldn't it be good enough for relations between two of the world's most powerful countries?"
The Christian Science Monitor reports that Marathon, ExxonMobil, and ConocoPhillips appear to have suffered at the hands of an Advanced Persistent Threat (APT). The attacks, which took place in 2008, targeted "bid data" which details the potential value of oil-bearing land.
The use of custom tools and spear-phishing hints at the involvement of skilled teams. At the same time, I'll admit that it's refreshing to note that the experts cited in this article have the integrity to admit that attribution is a fundamental problem, forgoing the urge to shout out accusations:
"A simple thirst for oil is no proof that a country is conducting corporate espionage. Even the suggestion, contained in one of the documents, that some data had flowed from a ConocoPhillips computer to a computer in China could have been the result of some other nation's cyber-spy unit co-opting Chinese servers to cover their tracks, experts say. Lee and other specialists admit that it will be difficult, and perhaps impossible, to ever determine definitively who was behind the attacks."
Read that last sentence carefully, and repeat it to yourself over the next few months. -BB(2010-01-26)
Fear and Loathing at SOURCE Boston 2010
In April, our spiritual fixer (Bill Blunden) will infiltrate the home of the Red Sox to speak at the SOURCE Boston conference. His talk will touch on the futility of disk-based forensic analysis. Presentation date TBA. -R. James (Jan. 23, 2010)
About now, I suppose that the engineers who designed the payloads used in the attacks on Google (whoever they may be) are wishing that the stealth technology and anti-forensic measures that they employed were half as good as those that U.S. intelligence agencies use. -BB(2010-01-19)
The China Syndrome - Updates
UPDATE: Metasploit has released a module that utilizes the IE exploit mentioned below.
UPDATE: Code used in the Google attack is now available.
UPDATE: A newsflash from Reuters reports that the United States has backed Google's decision to end its support for censorship in China. An official from the Chinese government responded that all foreign companies are expected to abide by Chinese law.
Microsoft's CEO, Steve Ballmer, is anything but sympathetic:
"I don't understand how that helps us, and I don't understand how that helps China... There are attacks every day. I don't think there was anything unusual, so I don't understand."
I would agree that attacks happen every day. However, I think that the level of expertise demonstrated by the attackers, and the precise nature of the intrusions, warrants a certain amount of attention (especially when one of the targets is a high-profile corporation that publicly flaunts the intelligence of its employees).
Perhaps China doesn't want "help?" Perhaps they'd like this whole thing to blow over so that they could get back to business as usual. - BB (2010-01-15)
The China Syndrome: "Highly Sophisticated/Coordinated Attacks"
Big names like Google and Adobe have recently announced that they've been hit by precision-guided cyber attacks. According to the WSJ, Google and Adobe were among dozens of companies that the attackers targeted. Based on Google's response, it would appear that they believe the intrusions to be state-sponsored. I can almost hear Eric Cartman (screw you guys, I'm going home).
For those readers interested in the "how" of the attacks, this article from Wired magazine offers a number of details. Consultants from iDefense leaked specifics that Google has declined to confirm.
Though there seems to be a political angle to the Google attack, one thing's for sure: theft of intellectual property can offer a huge return on investment. Just ask Vladimir Kryuchkov, former KGB Chairman:
"Intelligence is probably the most profitable structure in the country. It pays its expenses with dividends. One single operation, concerning outer space, pumped 500 million dollars into our economy."
Hell, even Ugly Betty isn't safe! (The Chinese knock-off is a show called "Ugly Wudi")
Evgeny Legerov, of the Moscow-based company Intevydis, explains why he thinks responsible disclosure is flawed and why Intevydis is releasing a series of zero-day exploits:
"We do not support it [responsible disclosure]. Because it is enforced by vendors and it allows vendors to exploit security researches to do QA work for free."
"You, ABCD company, making N millions per year selling your buggy XYZ product all over the world, why are you asking to give the results of the hard work during many years for free? Instead of wasting your and our time would not it be better to allocate resources to enforce good coding practices for all your amateur software developers?"
Offensive Technology in CS Programs
This morning the New York Times published a story detailing how American universities are scrambling to develop academic programs that focus on computer security:
"Banks, military contractors and software companies, along with federal agencies, are looking for 'cyber ninjas' to fend off a sophisticated array of hackers, from criminals stealing credit card numbers to potential military adversaries."
Here's a question: how many of these newly minted programs give their students first-hand experience creating offensive (e.g. malicious) software? The Times article mentioned an MS program in cyber-security offered by NYU-Poly. I checked out the curriculum to this program and didn't see anything remotely resembling a course on malware design. Why are institutions in other countries, like Canada and Finland, able to offer such courses? Once more, will this state of affairs put the U.S. at a long-term strategic disadvantage?
The best way to construct an effective defense is often through direct exposure to offensive technology (why should the bad guys be the only ones with the requisite know-how?). If we fail to encourage an open discussion of malware analysis and development in academia, we'll end up in a position where we're constantly playing catch-up with the Black Hats. Given the steady rise of cyber-crime over the past few years, this is not somewhere that the United States will want to be. -BB (2010-01-04)
Dry Rot And The Internet
A termite infestation is one of the most insidious and destructive predicaments that a wood-framed structure can face. Infestations typically start in some obscure corner, well out of sight, and spread silently, inch-by-inch over the course of years. Colonies can number into the millions, using a decentralized swarm intelligence that's self-organizing. By the time that the owner becomes aware of the problem it's often too late, the integrity of the entire building has been compromised.
Now imagine this scenario played out by a state-sponsored botnet that's employing a bare-metal rootkit to fly below radar level; perhaps the result of a hardware vendor cooperating with an intelligence agency to embed stealth technology at the circuit level. The infestation could occur over the span of several years, as the botnet spreads to hundreds of millions of hosts using a decentralized peer-to-peer swarm intelligence that relies on a carefully designed covert channel. The botnet could sit dormant (in a manner similar to Conficker), a massive sleeper cell that exists only to propagate, waiting for the order to wake up in the event of World War III. Or it could work to progressively corrupt data, instituting alterations until even the backups of backups are bad.
What would happen if the circuit-level backdoor was discovered by other nation state players and unleashed against its maker? According to researchers that I've spoken with, these are cyber-war scenarios that the DoD has examined.
But is this really what we need to be worried about on a day-to-day basis? Bruce Schneier says cyber-crime is the real threat (and I would agree with this). Though, he also pointed out in a 2005 essay that:
"The countermeasures aimed at preventing both cyberwar and cyberterrorist attacks will also defend against cybercrime and cybervandalism. So even if organizations secure their networks for the wrong reasons, they'll do the right thing."
This is akin to NASA's Apollo program, which yielded a number of technological advances as a byproduct of our ultimate goal of landing on the moon. So, even if we never actually made it to the moon, the effort would have been worth it in the long run. -BB (2009-12-30)
Open Source Anti-Virus as the Public Option
Yesterday afternoon, over lunch, a colleague of mine who was born in Hungary pointed out that the United States is the only industrialized country that doesn't provide universal health care to its citizens. Then he went on to explain how medical care was a basic human right and that society, as a whole, benefits from keeping its population in good health.
Could the same argument be made with regard to computers? Should there be a state-funded alternative (e.g. open source anti-virus) so that users could take steps to maintain the health of their systems? After all, decreasing the number of compromised machines has its benefits, right? Or would this approach just provide attackers with a better way to implement instance-specific attacks, leaving users with a false sense of security? This is one of those "dangerous ideas" that I'd encourage people to think about. -BB (2009-12-23)
Black Hat Vertical Integration
While bulletproof hosting services have proven valuable to online criminals, some groups are moving up the food chain by directly allocating blocks of IP addresses from Regional Internet Registries (RIR) and Local Internet Registries (LIR). According to a posting by Kaspersky:
"Attackers who own their own large blocks of IP space have a much easier time hiding their activities than do criminals who have to go through legitimate ISPs or hosting providers. There's no abuse desk to complain to, no recourse for people who find themselves being attacked by a given range of IP addresses."
In theory, this sort of thing shouldn't happen. The problem is that in certain parts of Europe the record-keeping and oversight facilities necessary to verify applicant organizations are lacking (again, this is an infrastructure issue). A couple of years back, the Russian Business Network was able to leverage this aspect of address allocation to score a large block of IP addresses from RIPE, essentially becoming a rogue ISP.
Fear and Loathing at CEIC 2010
In May of 2010, our fearless leader (Bill Blunden) will head back to Vegas to speak at the Computer and Enterprise Investigations Conference. Anti-forensics and rootkits will likely be on the menu. Presentation date TBA. -R. James (Dec. 12, 2009)
Why Isn't China Throttling Its Malware?
Anyone who has done business in Hong Kong knows that, despite the rapid growth of mainland China, this region still has one ace up its sleeve: infrastructure, thanks to the British colonialists. Specifically, I'm talking about the legal and regulatory oversight necessary to support economic activity.
For example, if you want to buy or sell gold, it's generally less risky to do so in Hong Kong because there's a significant amount of checks and balances in place to safeguard buyers and sellers. In fact, it's fairly common for merchants from the mainland to travel to Hong Kong to deal in gold for this very reason. Simply put, the infrastructure is better.
This reality points to basic underlying flaws in China's system. Perhaps this is to be expected, given that the current system evolved as a result of thousands of years of rule by dictatorship, in one form or another. China simply doesn't have the tradition of checks and balances that are the hallmark of a democratic society. This, in turn, may explain why the vast majority of bullet-proof internet hosting services operate out of China. -BB (2009/11/29)
U.S.-China Economic and Security Review Commission, 2009 Report
This congressional committee report, in Section 4 of Chapter 2, concludes that:
"The direct attribution of such activities targeting the United States presents challenges due to hackers' ability to conceal their locations. Nonetheless, a significant and increasing body of circumstantial and forensic evidence strongly indicates the involvement of Chinese state and state-supported entities."
The report doesn't go into the details of exactly how we know who's attacking us. In so many words, they're saying "we just know, trust us." Boy, that sounds like a slam dunk to me! I can't help but wonder if the actual perpetrator is simply making effective use of anti-forensics to place the blame on somebody else?
Regardless of who's culpable, the existence of state-sponsored hacking isn't necessarily earth-shaking news. As the recent 60 Minutes piece demonstrated, we're probably one of the more active players in this field. So, when other countries discover the existence of advanced persistent threats in their networks, some of the binaries that they recover probably can be attributed to us.
Fear and Loathing at Black Hat DC 2010
In late January, Bill will be navigating the beltway to speak at Black Hat DC 2010. Hopefully life in Northern California hasn't softened him up so much that he can't handle winter on the east coast. -R.James (Nov. 12, 2009)
One side claims the 2007 power outage in Brazil was due to hackers and the other side dismisses it as the result of poorly maintained high voltage insulators. Who do you believe? This story from Wired reminds me of an observation that Bruce Schneier made recently.
"We tend to be poor judges of risk. We overreact to rare risks, we ignore long-term risks, we magnify risks that are also morally offensive. We get risks wrong -- threats, probabilities, and costs -- all the time. When we're afraid, really afraid, we'll do almost anything to make that fear go away. Both politicians and marketers have learned to push that fear button to get us to do what they want."
As an experiment, read through the news stories that I've collected over the past year and ask yourself which threat seems more immediate: cyberwar or cybercrime. Naturally, some people would argue that the actual threat that cyberwar represents can't be properly evaluated because much of the truly substantive evidence must be kept secret for the sake of national security... -BB (2009/11/11)
This evening I watched a piece by 60 Minutes that focused on threats to our infrastructure from computer-based attacks. While some aspects of the broadcast verged on sensationalism (which is only natural, given that 60 Minutes is trying to attract viewers on behalf of their advertisers), I was encouraged by the inclusion of points that are typically neglected when it comes to news stories like this.
For example, take the following observation made by Jim Lewis, director of the Center for Strategic and International Studies:
"We're in the top of the league. We are really good. And if you talk to the Russians or the Chinese, they say, 'How can you complain about us, when you do exactly the same thing?' It's a fair point with one exception: we have more to steal. We have more to lose. We're the place that depends on the Internet. We've done the most to take advantage of it. We're the ones who've woven it into our economy, into our national security, in ways that they haven't. So, we are more vulnerable."
Sure, our networks have been penetrated and data has been stolen. But we're not an innocent bystander here. Heck, we break into networks in other countries too, all of the time. In fact, we're pretty damn good at it. So do we, as a country, have the right to be indignant when intruders breach our security? Personally I think embarrassment might be a better response. Obviously our offense is much better than our defense. But why does this state of affairs exist? The 60 Minutes report hinted that part of the problem has to do with the financial prerogatives of the corporations that create high-tech products. Specifically, Congressman Jim Langevin noted that:
"The private sector has different priorities than we do in providing security. Their, in a sense bottom line, is about profits. We need to change that. We need to change their motivation so that when we see a vulnerability like this we can require them to fix it."
In my opinion, instituting meaningful change is going to be difficult, as legislators will be forced to bite the hand that feeds. Don't think for a minute that all of those hi-tech lobbyists will roll over and purr if our representatives start talking about measures that might adversely impact the bottom line. Offshore outsourcing, for instance, represents a long-term threat to the technical leadership that the United States has maintained since World War II. Yet, our legislators are woefully silent when it comes to actually doing anything about it. Guess what happens when most of our hardware is manufactured in other countries because it's cheaper? According to Jim Gosler:
"We have found microelectronics and electronics embedded in applications that shouldn't be there. And it's very clear that a foreign intelligence service put them there."
Would you like some fries with that? -BB (2009-11-08)
After presenting the "Stoned Again" bootkit at Black Hat USA 2009, Peter's then employer (Ikarus Software) asked him to resign. This is ridiculous. As Professor George Ledin of Sonoma State has pointed out, it's probably more dangerous not to have an open discussion of malware technology. It seems the AV industry would rather gag everyone and stifle external research.
Reading this Washington Post article made me think of Colonel Kurtz from the movie Apocalypse Now.
"I've seen horrors... horrors that you've seen. But you have no right to call me a murderer... you have no right to judge me."
Microsoft's (Lack of) Forensic Tools - Continued
A reader contacted us this morning to let us know that Microsoft does actually offer a forensic tool. It's a custom USB drive that ships with a suite of 150 commands. Unfortunately, Microsoft seems to limit distribution of its forensic thumb drive to law enforcement personnel.
Yet another vague story from the Wall Street Journal about an unnamed company that had its machines compromised by intruders who were "likely supported, if not orchestrated," by the Chinese government. Note that attribution is one of the primary issues when it comes to cyber-attacks. Recall the news stories that came out earlier this year that had legislators clamoring for retaliation. As it turned out, the reported attacks didn't come from North Korea, but from somewhere in Miami (or who knows where).
Keep in mind, dear reader, that the art of starting wars has been honed for thousands of years. Whenever I read this sort of story, I'm reminded of a particularly chilling quote from Gilbert's Nuremberg Diary that's attributed to Hermann Goering:
"Voice or no voice, the people can always be brought to the bidding of the leaders. That is easy. All you have to do is to tell them they are being attacked, and denounce the pacifists for lack of patriotism and exposing the country to danger."
Finally, just to be fair, even if this actually is the work of attackers backed by China, I'm pretty sure we're spying on China also. It's just that we're not as noisy or conspicuous when we do. -BB (2009/10/23)
The Invisible Giants
In the early 1900s, the city of Cleveland established itself as a center of economic activity. Its status was reflected by the fact that, in the wake of the Federal Reserve Act, Cleveland was chosen to host one of the Fed's twelve regional banks. The driving force behind Cleveland's ascent during this period can be traced back to the Van Sweringen brothers, who developed a railroad empire that was based in the city. The Van Sweringen brothers were elusive, low key, billionaires. One might even go so far as to say that discretion was their hallmark. They literally had a man on their payroll whose sole job it was to keep their name out of the papers. The economic equivalent of a rootkit, they preferred to exercise their power indirectly from behind the scenes, with subtlety. Hence, cynics who scoff at the notion of hidden rulers and their intermediaries in the power structure might be well advised to recall a statement made by then President Woodrow Wilson:
"A great industrial nation is controlled by its system of credit. Our system of credit is privately concentrated. The growth of the Nation, therefore, and all our activities are in the hands of a few men... We have come to be one of the worst ruled, one of the most completely controlled and dominated, governments in the civilized world, no longer a government by free opinion, no longer a government by conviction and the vote of the majority, but a government by the opinion and the duress of small groups of dominant men."
Related: Thought control in economics. A professor at Wellesley observes that "supply and demand curves only determine prices in perfectly competitive markets, which don't exist. I considered this key to my students' education, especially since mainstream economists apply the framework inappropriately so often."
We're Number 1 (Well, Sort Of)
As of 7:27am PST (2009-09-17), The Rootkit Arsenal is the #1 selling book in the Security category of the "Business & Culture" sub-section of the "Computers & Internet" section at amazon.com. Though, strictly speaking I think I should point out that with its overall sales ranking of 8,399 the book is hardly the most popular technical book at amazon.com. My suspicion is that books are assigned to these carefully delineated groups for marketing purposes. Ahem. Anyway, having put this into context, I'd like to extend my thanks to everyone who's read the book and also to my cohorts here at Below Gotham Labs. Keep those e-mails coming. -BB
Recently, a professional malware developer who worked for ERA IT Solutions (a commercial software company that supplies security tools to the Swiss government) released VoIP monitoring code to the public. That's right, you heard correct, there are professional software engineers actively designing malware on behalf of national governments.
Security through obscurity may not be an impenetrable shield but it is a barrier, and not always a trivial one. Results that might take an independent lab several months of excruciating reverse engineering might only take a few days for a lone engineer who happens to possess the necessary design documents and specifications. Having the cooperation of OEMs and software vendors can make the difference between a buggy proof of concept and a robust, production-quality, implementation with all the bells and whistles. This is because effort that otherwise would be spent isolating magic numbers and decomposing obscure protocols can be directed towards actual software development.
I'll probably never know exactly how far ahead state of the art rootkits are from what we see at conferences like Black Hat. I don't have the requisite security clearance. But if my instincts are correct, the things that show up in the public sector are relatively basic instruments that merely hint at what's been done by the intelligence agencies. To see what I'm talking about, check out the rootkit described in this article. -BB (2009-08-30)
Microsoft's (Lack of) Forensic Tools
For many years, I wondered why Microsoft couldn't release a set of utilities that were as serviceable as those offered by the researchers at Winternals. Then, on July 18th of 2006, Microsoft announced they were acquiring Winternals. Will we have to wait for a similar event to occur in order to have access to robust, native, forensic tools?
After all, if anyone possesses the information necessary to build a stable and comprehensive suite of forensic tools for Windows it would be, well, Microsoft. Perhaps they're worried that such apps would be used by reversers to peek at things that they're not supposed to? Who knows? I just wish that I could sidestep the process of having to deal with freeware that randomly crashes or shelling out big bucks for overpriced third-party software. -BB (2009-08-19)
Sun Tzu and Cyber War in Georgia
"A wise general makes a point of foraging on the enemy. One cartload of the enemy's provisions is equivalent to twenty of one's own, and likewise a single pound of his provender is equivalent to twenty from one's own store" -Sun Tzu, The Art of War
While reading the Wall Street Journal's article on the DDoS that took place last year in Georgia, I couldn't help but think of the above quote. The perpetrators used our infrastructure to support their attack. They used U.S.-based social-networking sites, stolen American identities, and modified code that Microsoft provides for free.
As the article observed: "cyber-warfare has outpaced military and international agreements, which don't take into account the possibility of American resources and civilian technology being turned into weapons."
Encryption Keys and Plausible Deniability
Recently an article appeared in the Register about two people who were convicted for failing to reveal their encryption keys to authorities. If you're using an encryption package that allows you to create, and encode, a virtual file system (i.e. a large file that the software mounts and treats as a logical disk), one way you could protect yourself would be to create a secondary encrypted file system within another. This way, if you're coerced into providing an encryption key you could offer the key to the outer file system (which you might want to populate with a smattering of decoy files) while concealing the inner file system somehow. This is the motivation behind TrueCrypt's "hidden volume" feature.
I suppose that if you really wanted to be paranoid, you could create yet another encrypted file system within the secondary file system...
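The outer/hidden arrangement described above, as an added sketch that is not TrueCrypt's code or its on-disk format. The container size, the fixed hidden-header offset, the `VOL1` marker and the SHA-256 counter-mode toy cipher (standing in for a real disk cipher) are all assumptions made for the demonstration.

```python
import hashlib
import os

SIZE = 4096        # container size in bytes (constructed for the demo)
HIDDEN_OFF = 2048  # fixed offset probed for a hidden header (assumption)
MAGIC = b"VOL1"    # header marker that only appears under the right password


def _key(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def _crypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); XOR makes it its own inverse."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def _write(buf: bytearray, off: int, limit: int, password: bytes, data: bytes) -> None:
    plain = MAGIC + len(data).to_bytes(4, "big") + data
    if off + 16 + len(plain) > limit:
        raise ValueError("data does not fit in this volume")
    salt = os.urandom(16)
    buf[off:off + 16] = salt
    buf[off + 16:off + 16 + len(plain)] = _crypt(_key(password, salt), plain)


def _read(buf: bytes, off: int, limit: int, password: bytes):
    key = _key(password, bytes(buf[off:off + 16]))
    plain = _crypt(key, bytes(buf[off + 16:limit]))
    if plain[:4] != MAGIC:
        return None  # wrong password, or nothing but random fill here
    size = int.from_bytes(plain[4:8], "big")
    return plain[8:8 + size] if 8 + size <= len(plain) else None


def create_container(outer_pw, decoy, hidden_pw=None, secret=b"") -> bytes:
    buf = bytearray(os.urandom(SIZE))  # random fill: unused space looks like ciphertext
    _write(buf, 0, HIDDEN_OFF, outer_pw, decoy)
    if hidden_pw is not None:
        _write(buf, HIDDEN_OFF, SIZE, hidden_pw, secret)
    return bytes(buf)


def open_container(buf: bytes, password: bytes):
    """Try the outer header first, then the hidden one; return (name, data) or None."""
    for name, off, limit in (("outer", 0, SIZE), ("hidden", HIDDEN_OFF, SIZE)):
        data = _read(buf, off, limit, password)
        if data is not None:
            return name, data
    return None
```

A container created without a hidden volume has the same size and the same random-looking tail, so the outer key alone reveals only the decoy data. The sketch also shows the practical cost: anything written to the outer volume past `HIDDEN_OFF` would silently destroy the hidden data.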
Computer Security Meets Ulam's Dilemma
Stanislaw Ulam was a mathematician from Poland who came to the United States at the outbreak of World War II and subsequently was involved in the Manhattan Project. He observed that, over time, mathematics had grown into such a vast discipline that making progress required focusing on a narrow area of specialization. The problem with this tendency is that it makes it much more difficult to grasp, and appreciate, developments in other sub-domains.
Having walked the halls at Black Hat, I can see the same thing happening to computer security. Fields like web-based attacks and firmware exploits are so rich with ideas and technical minutiae that specialization is becoming a matter of necessity. The emerging ecosystem that supports the creation and deployment of malware reflects this fact. One engineer builds a rootkit that gets bundled as a payload in an exploit used by a worm that's written by another engineer, who then sells it to someone else who uses it to seed the internet and grow a botnet, that gets rented out by a front man from somewhere else...
Like an Eskimo stuck on an iceberg that's breaking apart, it gets harder and harder to keep a foothold on every field until finally it becomes impossible. Eventually, you have to choose your own little plot of conceptual real estate and try to keep an eye on related subjects. In the worst case, you choose an area that dwindles into obscurity (remember Trusted Xenix?), and then, well, it helps if you can swim.
Black Hat USA 2009 Material Posted
Black Hat USA 2009: Postgame Wrap-Up
Looking back over the two-day event, the first thing that struck me was the sheer scale of the conference and how well they were able to manage the flow of people. Caesar's Palace was definitely a suitable venue for this conference.
I started off the first day with the keynote address by Douglas Merrill, whose talk revolved around psychological acceptance (i.e. security measures are futile unless users are willing to actually use them). Next, I sat in on Peter Kleissner's presentation on the Stoned Again Bootkit, which detailed a framework for loading arbitrary payloads into the kernel during system startup.
The highlight of the morning session was the talk led by Peter Silberman and Steve Davis, from Mandiant, who demonstrated how to re-construct Metasploit intrusions using a custom tool in conjunction with Memoryze to scan the address space of a compromised process.
In the afternoon I stayed primarily on the rootkit track. I sat through Erez Metula's discussion of user-mode rootkits, which embed themselves in virtual machine runtime environments (e.g. the JRE, or .NET) by altering the bytecode libraries that they rely upon. This talk was particularly well organized and easy to follow, though the emphasis in this case appeared to be on data exfiltration and manipulation. Metula observed that absolute stealth would probably require the assistance of a system-level rootkit.
I ended the first day with the presentation on "Ring -3" rootkits from the Invisible Things Lab (ITL), which focused on firmware-related subversion that targeted a special region of memory reserved for Intel's Active Management Technology. This time, Joanna sat with the audience while her two colleagues (Alexander Tereshkin and Rafal Wojtczuk) did most of the talking. The trend that the speakers touched upon is that vendors often try to protect against malware by putting special management code in remote locations that the operating system (and any malware that it might be hosting) cannot access. This is all nice and well until malware somehow loads itself into these specially protected regions...
On the second day of Black Hat, I started with a presentation by ITL and then sat in on Nick Harbour's discussion. Nick, a reputed Ninja, examined API tracing via detour patching as a way to reverse engineer malware. He also demonstrated a novel technique for unwrapping packed binaries using a customized version of kernel32.dll.
Being a native of the Bay Area, I couldn't resist the talk on smart parking meters given by Joe Grand, Jacob Appelbaum, and Chris Tarnovsky. I can't speak for everyone, but the photograph of the meter with $999.99 worth of parking time brought many people to a standing ovation. Over the next few months I'm going to be eagerly watching the Mission District for hacked parking meters. Let's hear it for a truly great presentation!
I also sat in on the Feds versus Ex-Feds panel for a bit. Man, those feds are a cheeky bunch. I suspect they were overcompensating as they may have expected the same from us. One audience member commented that he was essentially asked to: "step up to the microphone, sir, and be shot."
Around the mid-point of the discussion panel, I left to go prep for my own talk. During my presentation on anti-forensics I looked down into the audience and recognized a couple of well-known people whose work I truly respect: Richard Bejtlich and Jamie Butler. Whoa. That was cool. Thanks so much, Richard and Jamie, for taking the time to sit through my talk!
Fear and Loathing at Black Hat USA 2009
Bill Blunden will be joining the pilgrimage to Vegas this July to speak at Black Hat USA 2009. The title of his presentation is Anti-Forensics: The Rootkit Connection. The speaker schedule is available here. It looks like Bill will be speaking on July 30th from 16:45-18:00 in the Augustus Ballroom on the Fourth Floor.
Fear and Loathing in San Francisco
On May 15th, 2009, at San Francisco State University I'll be giving an encore performance of the rootkit presentation that I gave at Sonoma State back on April 9th. The talk will be given in the HSS building, room 362, from noon to 1:30pm.
The Rootkit Arsenal: Approach versus Intent
"If you know the enemy and know yourself, you need not fear the result of a hundred battles." -Sun Tzu
Recently a number of people have raised the issue of whether an open discussion of Black Hat tradecraft is a dubious proposition. The general concern being that a book like The Rootkit Arsenal poses a threat because it will show bad people how to do bad things. In response to the e-mails that I've received, I'd like to take a moment and directly address this topic.
The Rootkit Arsenal offers both concepts and source code. Ultimately, I'm a broker. I can't control what the reader does with what they read. However, I might add that the bad guys already know this stuff. In fact, many of the book's tactics were excavated from Black Hat sites. It's the average system administrator who needs to appreciate just how potent this technology can be.
Hence, though the approach of my book is obviously from the vantage point of a Black Hat, my intent is to offer insights which normal, law-abiding, IT professionals might find useful. Trying to secure the Internet by limiting access to potentially dangerous information is a recipe for disaster. Security through obscurity is not the answer. As Mark Ludwig put it in his seminal book The Giant Black Book of Computer Viruses, "No intellectual battle was ever won by retreat. No nation has ever become great by putting its citizens' eyes out."
Malware Research at American Universities
Why is the obscure art of malware so, well, obscure? Why aren't students at MIT, Princeton, Caltech, and Stanford actively studying this relevant topic? According to George Ledin of the Anti-Conficker Project, "The AV industry has kept everything under wraps, most university professors are busy with their cozy niche and don't want the aggravation, and the topic is dangerous, unchartered territory."
But this answer begs the question: why is this dangerous territory? Heck, software is just software. Right? Ledin presents his case, quite well, in the January 2005 issue of the CACM.
Here's what Niccolo Machiavelli would say: "And it ought to be remembered that there is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things. Because the innovator has for enemies all those who have done well under the old conditions and lukewarm defenders in those who may do well under the new. This coolness arises partly from fear of the opponents, who have the laws on their side, and partly from the incredulity of men, who do not readily believe in new things until they have had a long experience of them"
Fear and Loathing in Sonoma
At the request of George Ledin, the Spring 2009 Computer Science Colloquium organized by Sonoma State University will be hosting a presentation by Bill Blunden in April. The hour-long talk, entitled The Rootkit Primer, will provide an overview that examines the core services that rootkits provide, how they provide these services, and who's using this technology.
Powerpoint slides of the talk can be found here.
In late April, Wordware Publishing will be sending my book The Rootkit Arsenal to press. The manuscript was several years in the making and the book investigates a broad range of related topics (e.g. system-level code, anti-forensics, reversing, etc.). Unlike the vast majority of computer security books The Rootkit Arsenal does not attempt to veil itself with ethical window dressing. My book approaches its material, without apologies, from the standpoint of a Black Hat. No doubt this publication will ruffle a few feathers.
Greetings and Welcome
This entry marks the launch of the web site for Below Gotham Labs. We'd like to thank everyone involved and encourage our visitors to check out the latest news, events, and publications.