Author Archives: Marcus J. Ranum

About Marcus J. Ranum

Marcus J. Ranum, CSO at Tenable Network Security, Inc., is a world-renowned expert on security system design and implementation. He has been involved in every level of operations of a security product business, from developer, to founder and CEO.

What they mean when the government says “We do not have ‘direct’ access to your info”

Summary: Even the best journalists and national security experts have difficulty with technical stories like the recent NSA revelations. Today Marcus Ranum (bio) cuts through the government’s lies, explaining the truth behind the NSA’s tapping of vital telephone and email communication systems.

These are the small ones; America’s nerves

When politicians and spokespeople choose their words with exquisite care, then it’s time to examine them with extra care. Let’s talk a little bit about the realities of how one might monitor a data center, shall we?

“We have no direct access to their systems.”

Of course you don’t. By “direct access” you mean that you can log in and collect data directly from the system, or have database administrators’ credentials and can issue queries, or whatever. You wouldn’t want that, anyway, because the queries and the activities might then become public knowledge — those are traceable, you know.

When someone logs into a system, gains administrative rights, and looks at someone’s email in-box, that leaves traces in the system logs, and that’s completely unacceptable because what you’re querying for is classified, and suddenly those system logs contain extremely sensitive data indeed.

Here’s how you do it

Those big outfits decrypt all their traffic at the edges of the network using a load-balancer/redirector that’s capable of offloading the CPU-intensive activity of decryption from the backend servers. Inside the provider’s core network, the traffic carried within their switches is all in the clear.

You show up with a national security letter and maybe a warrant and tell the provider that you’ve got a system that does classified stuff and they’re going to plug it into their network and have the core switches span some of the traffic between, say, the mail servers and everything else, and the user authentication servers and everything else, and send a copy of that traffic to the mystery box (or boxes, depending on the load you need to consume) and that’s it.

There’s no need even to give the box an IP address, which is a feature also, because that makes the box impossible for anyone to see other than in the configuration of the core switch or if they get into the special locked room in the data center and count the number of boxes in the rack there.

The box is a sniffer. Remember the old FBI CARNIVORE system that was “outed” back in 2000? That’s how CARNIVORE worked, pre-9/11. The newer systems may look like Insight.

Sniffing traffic is fairly straightforward

About American exceptionalism – what it really means

Summary: As an afterword to the campaign, Marcus Ranum takes a look at American Exceptionalism. While either false or daft as a doctrine, every presidential candidate had to profess allegiance to it.

But first, let’s look at the origin of the phrase “American exceptionalism”:

The position of the Americans is therefore quite exceptional, and it may be believed that no democratic people will ever be placed in a similar one. [Circumstances] have singularly concurred to fix the mind of the American upon purely practical objects. His passions, his wants, his education, and everything about him seem to unite in drawing the native of the United States earthward; his religion alone bids him turn, from time to time, a transient and distracted glance to heaven. Let us cease, then, to view all democratic nations under the example of the American people, and attempt to survey them at length with their own features.
— Alexis de Tocqueville, Democracy in America, Book I, chapter 9 (1840)

“Communists in the 1920s talked of ‘American exceptionalism,’ the belief that thanks to its natural resources, industrial capacity, and absence of rigid class distinction, America might for a long while avoid the crisis that must eventually befall every capitalist society. American exceptionalism explained to Communists why their movement, like the rival Socialist movement, fared so poorly here in the most advanced capitalist country on earth.”
— Albert Fried, Communism in America: A History in Documents (1997)

When we use the term “exceptionalism” what we’re really saying is that whoever’s doing it has abandoned the most simple and central premise of moral argument: what applies to me, applies to you. And vice-versa.

This principle is found in every moral system that I’m aware of, and is often re-cast as The Golden Rule, or The Categorical Imperative. Lao-Tze expressed it as: “Do not do to others what you do not want done to yourself” and Buddha as “Hurt not others in ways that you yourself would find hurtful.”

This is an important principle because, I believe, most people understand it. Indeed, the core principle of arguing about anything is to “turn the tables” on your interlocutor and “put yourself in their shoes.” I submit to you, that when leaders begin to abandon such an obvious principle, they lose credibility. And that’s as it should be — because it indicates that those leaders are comfortable adopting a policy of exceptionalism, which is ultimately dictatorial.

Cyberwar, the Power of Nightmares

Summary: Today’s post by Marcus Ranum discusses Adam Curtis’ brilliant BBC documentary series “The Power of Nightmares”. Curtis deconstructs the dynamic of government as protector against unknown threats. His analysis of how generalized fears of terrorism manipulate the public applies exactly to cyberwar as well.

“Both [the Islamists and Neoconservatives] were idealists who were born out of the failure of the liberal dream to build a better world. And both had a very similar explanation for what caused that failure. These two groups have changed the world, but not in the way that either intended. Together, they created today’s nightmare vision of a secret, organized evil that threatens the world. A fantasy that politicians then found restored their power and authority in a disillusioned age. And those with the darkest fears became the most powerful.”

— The Power of Nightmares, subtitled The Rise of the Politics of Fear, a BBC documentary film series written and produced by Adam Curtis in 2004. Download here.

Contents

  1. The Power of Nightmares
  2. The Man Who Was Thursday (A Nightmare)
  3. Anatomy of a Tail-spin
  4. Curtis’ Words
  5. For More Information

(1) The Power of Nightmares

Adam Curtis’ brilliant documentary series offers a view of the present as a consequence of the political class’s search for meaning. In short: they need something to do, to justify their existence. After all, if everyone were simply happy and comfortable, sooner or later we might wake up and wonder, “what are we giving you guys so much power for, anyway?” Curtis’ series describes an entirely plausible scenario of what I call an “emergent conspiracy” – a conspiracy that was not planned by a secret committee wearing black velvet capes and meeting in dimly lit corridors of power, but rather a conspiracy that happens and snowballs because it’s convenient and spares the conspirators having to deal with the truth.

We can think of emergent conspiracies as a result of co-evolution or co-dependency: all of the parties involved want something, and they stumble around creating a great big whopping lie in order to get it. Then they tell that lie to themselves, and believe it. They act on the lie, and are surprised by the consequences they must, thereafter, live with.

(2) The Man Who Was Thursday (A Nightmare)

“We say that the most dangerous criminal now is the entirely lawless modern philosopher. Compared to him, burglars and bigamists are essentially moral men; my heart goes out to them.”
— G.K. Chesterton, The Man Who Was Thursday (1908)

Parsing Cyberwar – Part 4: The Best Defense is A Good Defense

Summary: In this series, Marcus Ranum walks us through the basics of cyberconflict in its various forms: the nature of the battlefield, logistics, and dynamics. Today he looks at methods of defense. While offense gets most of the attention, most organisations play only defense. So read and learn.

Contents

  1. Introduction
  2. Defense Strategies
  3. Corporate Response
  4. Counterintelligence
  5. Conclusion
  6. Other chapters in this series
  7. For more information

(1) Introduction

In the previous part of this series, I looked at the effects that parts of the cyberwar landscape have on the whole: how cybercrime increases our awareness of computer security weaknesses and forces us to constantly improve our defenses — accidentally improving our posture against cyberwar and increasing the likelihood that cyberspies will be uncovered. The logistical problems of keeping a cyberweapon fresh and secret are severe, when you consider that you’re fielding it at the targets’ systems — where it is susceptible to dissection and analysis when it’s discovered. This dynamic has already been seen to be at play with the Stuxnet family of attack tools: security responses rapidly co-evolve with attack tools.

(2) Defense Strategies

When we consider a breakdown of our defensive options, they aren’t very interesting!

Parsing Cyberwar, part 3: Patch #1 – Lessons from the Gauss malware

Summary: In “Parsing Cyberwar – Part 3” Marcus Ranum discussed the logistical problems implicit in cyberweapons. We now have a case study showing how quickly a new cyberweapon technology obsoletes itself. This, coupled with the tendency of one cyberweapon’s getting burned and potentially burning others in its family tree, will tend to keep cyberweapons in the tactical domain, where they’ll be part of a churning arms race that happens in “internet time.”

War fascinates us. Magazines, books, clubs, and a thousand websites discuss every aspect, every weapon. But most often looking backwards, because the romance and excitement of war lies in the past — combat with now-obsolete weapons. In the 17th century war aficionados loved mounted knights. In 1938 tanks were boring, cavalry were prestigious. In 2000 fighter jocks were hot, UAVs were boring. Now special ops are dashing, with cyberwar discussed mostly by nerds.

This series by Marcus Ranum shows us the frontier of war (and crime), helping us prepare for the future instead of polishing myths about trendy but now only niche forms of war. Your children might consider this the primary form of State-to-State war, seeing tanks and fighters only as toys on the playroom floor.

Contents

  1. About Gauss, new malware
  2. Building Gauss
  3. A Timeline of Quick Burn
  4. Pallida Narrow
  5. With Tweezers and Microscope
  6. Other chapters in the Parsing Cyberwar series
  7. For more information

(1) About Gauss, new malware

The latest-breaking piece of malware in the Stuxnet/Duqu/Flame saga is called “Gauss.” According to researchers at Kaspersky Labs (global IT security), it appears that all 4 of these state-sponsored pieces of malware were written by the same contractors, or by contractors who had access to a common code-base to build upon.

Parsing Cyberwar – Part 3: Synergies and Interference

Summary: As the cyberwar with Iran continues, we cheer the news media’s reporting of information and misinformation about this next frontier of war. All fodder for laughter at a future version of The Atomic Cafe. But there are reliable sources of insight to prepare us for the big cyber-events that lie in the future, such as this series by Marcus Ranum.

Watch for this on your PC!

Contents

  1. Introduction
  2. Synergies
  3. Cyberweapons
  4. Shared Weapons: Cyberwarriors and Spies
  5. Accidental Disarmament
  6. Spies and Soldiers
  7. Summary
  8. Past chapters and the next up
  9. For more information

(1) Introduction

In the previous parts of this series, I assessed the value of cyberwar and cyberespionage as decisive weapons. By this I mean whether they are capable of allowing a nation to achieve its strategic goals without additional arms. I believe it ought to be obvious to anyone that they are not.

In order to exploit the short-term advantages gained from a cyberattack, a nation needs a credible military that is capable of winning the meatspace battles that potentially follow. The same holds doubly true for cyberespionage, whether it is military or economic. In order to take advantage of stolen intellectual property, the nation engaging in spying needs to have the economic logistical train necessary to do something useful with the stolen technology while escaping punishment. That would virtually always imply that the stealing nation needs to be a power at or near par with its victim; thus any benefit would be incremental, not asymmetric.

Parsing Cyberwar – Part 2: The Logistical Train

Summary: In the previous part of this series, Marcus Ranum dissected the various subtypes of cyberwar into four specializations: cybercriminals, cyberspies, cyberterrorists, and cyberwarriors, so that we could begin to compare and contrast the practical problems faced by each specialty. I paid particular attention to explaining which are strategic processes that require long-term planning and execution. Briefly, they break down as follows:

  1. Cybercriminal: tactical profit
  2. Cyberspy: strategic surreptitious
  3. Cyberterrorist: tactical high-profile
  4. Cyberwarrior: strategic destructive

Contents

  1. The Geopolitical Logistics Train
  2. Attacking The Boardroom
  3. Summary
  4. Next Up in this series
  5. For more information

(1) Geopolitical Logistics Train

One of the reasons cybercriminals are so successful is that they require nothing outside of their own operations. Indeed, they are self-funding! I sometimes wonder whether, someday, a nation-state will do the equivalent of issuing letters of marque and reprisal, supporting the actions of cybercriminals and cyberterrorists as long as they are directed against a specific target nation’s assets. That’s a fantasy scenario, really, for reasons we’ll consider shortly, but it might make a fun theme for a novel.

Both cyberwar and cyberespionage require geopolitical top-cover in order to be effective, or, in fact, to be valuable at all. That is implicit in their nature as strategic activities. In cyberwar, it becomes explicit: there’s no point in launching one arm of a combined-arms attack unless there are additional forces arrayed and prepared to exploit any advantage it confers.
