Hidden but important truths from the presidential debate

Summary: The last debate was mostly chaff, like the campaign mostly entertaining demonstrations of the obvious. But there were moments revealing deep truths about our government and us. They were, of course, ignored. Here is the story of one such moment, a statement by Hillary Clinton that is rich with useful insights — if we dig into it.

“Fire destroys all sophistry, that is deceit; and maintains truth alone, that is gold.”
— Leonardo da Vinci, from his Notebooks. A bad solution for political structures built on lies.

CyberEspionage

More essential insights from Glenn Greenwald at The Intercept: “In the Democratic Echo Chamber, Inconvenient Truths Are Recast as Putin Plots”…

“Donald Trump, for reasons I’ve repeatedly pointed out, is an extremist, despicable, and dangerous candidate, and his almost-certain humiliating defeat is less than a month away. So I realize there is little appetite in certain circles for critiques of any of the tawdry and sometimes fraudulent journalistic claims and tactics being deployed to further that goal. In the face of an abusive, misogynistic, bigoted, scary, lawless authoritarian, what’s a little journalistic fraud or constant fearmongering about subversive Kremlin agents between friends if it helps to stop him?

“But come January, Democrats will continue to be the dominant political faction in the U.S. — more so than ever — and the tactics they are now embracing will endure past the election, making them worthy of scrutiny. Those tactics now most prominently include dismissing away any facts or documents that reflect negatively on their leaders as fake, and strongly insinuating that anyone who questions or opposes those leaders is a stooge or agent of the Kremlin, tasked with a subversive and dangerously un-American mission on behalf of hostile actors in Moscow.

“To see how extreme and damaging this behavior has become, let’s just quickly examine two utterly false claims that Democrats over the past four days — led by party-loyal journalists — have disseminated and induced thousands of people, if not more, to believe. …”

Both are straightforward lies by Team Hillary about the Wikileak emails of John Podesta, propagated by good liberals and her loyal journalists — allowing them to ignore the emails’ damaging content. His conclusion is spot-on.

Read more

Advertisements

Remember the world-shaking effects of the March 2014 OPM hack!

Summary: On the second anniversary of the OPM hack let’s compare the terrifying predictions with the results seen so far. Perhaps from this we will learn skepticism, and avoid national pants-wetting in response to the next clickbait terror barrage. A confident America might deter our foes more than the weak hysterics we’ve display today in response to threats.

OPM hacked

“Anxiety is spreading among defense officials and the military community that the recent theft of federal government data linked to China may affect hundreds of thousands of service members. …’They had access on everyone who has applied for a security clearance: families, residences and job assignments, bank records,’ Socotra {pseudonym of alleged retired senior intelligence official} said. “If that’s not an absolute calamity, I don’t know what is.'”  {From Military Times, 18 June 2015.}

Since 9/11 the US public has been bombarded with stories designed to make us fearful and obedient, and acceleration in the manufacture of scary stories by the government since WWII.

  • The revelations of Private Chelsea Manning in April – November 2010 were certain to cause countless deaths of American soldiers (example), so we were told. Didn’t happen, despite the government’s efforts to prove damages.
  • Edward Snowden‘s revelations in June 2013 were certain to have horrific effects on US security. Again, no reports of serious effects despite the government’s attempts to find them (unfortunately, that “nothing big” includes reforms of the NSA).
  • Starting in March 2014 the databases of the US Office of Personnel Management and some of its contractors were hacked, allegedly by China (accurate attribution of such attacks ranges from difficult to impossible). Details here. Visible results so far: zero, despite provision of free credit monitoring tools and other security services to millions of federal employees (to detect attacks).

On this second anniversary of the OPM hack let’s remember the stories, and also recall that the OPM hack is only one class of clickbait fear barrages, in addition to others such as the news about ISIS’ secret base in Mexico and the Ebola pandemic sweeping America).

Read more

Fight the hysteria about the hack of OPM’s files. It’s probably not a big threat.

Summary:  We’re told the OPM hack will have horrific consequences for America. Just as we have been told so many times since WWII, almost always falsely. I expect this too will prove to be a wet firecracker. Here are the reasons why, obvious things few journalists have told you. {1st of 2 posts today.}

China cyberattack
Know fear, America, that you might be easily ruled. Graphic from Third Certainty.

Contents

  1. OPM, our latest bout of hysteria
  2. An alternative forecast
  3. Why so much hysteria so often?
  4. Other posts about the OPM hack
  5. For More Information

(1)  OPM, our latest bout of hysteria

We were confidently told that the revelations of Private Chelsea Manning would cause countless deaths of American soldiers (example). But they never materialized. US authorities confidently predicted even more horrendous results from Edward Snowden‘s revelations. Again, nothing big happened (unfortunately, that “nothing big” includes reforms of the NSA). These are just the most recent in the long list of scary stories the government has told us since WWII.

The latest nighttime story concerns the hack of the Office of Personnel Management database (see the posts at the end for details). A wide range of information has been stolen on tens of millions of Americans, as the OPM announced on July 9

Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details. Some records also include findings from interviews conducted by background investigators and fingerprints.

What could someone do with this treasure trove? Anonymous government officials, private experts, and amateurs have let their imaginations run wild. Both Left and Right go wild, predicting horrific results. See how fear-mongering brings America together. Here’s my favorite, from Naked Capitalism on July 27.

Read more

Seeing behind the headlines about China’s attack, stealing the governments’ jewels

Summary:  China attacked! Playing a script from countless action-adventure movies, our political leaders and columnists gear up for bold headlines by screaming for war while they know nothing. It’s America. But the info highway gives us information to see beyond the headlines and sort fact from fancy. Here’s the latest news about the massive theft of Federal personnel data. It’s a follow-up to the post describing the attack and who was at fault.

“Experts, shmexperts. Time for action…. Attribution solid enough for the US government is solid enough.”
— Tweets from a man on the street. The kind of American that rulers dream of having.

Cyber Warriors

Contents

  1. Dueling US officials.
  2. About attribution of attacks.
  3. What we know.
  4. For more information.

 

(1) Dueling US officials

From the initial announcement of the theft of files from the Federal Office of Personnel Management (OPM), anonymous officials confidently blamed China — which journalists repeated as fact. The FBI has made no official statement since its “we working” on it statement on June 4. China has denied the accusation, of course.

Today we got more useful information from the GeoInt 2015 Symposium (geoint: geospacial intelligence):

“So what really makes you think that, as the head of NSA and Cyber Com, I’m going to talk with you about this,” he told a reporter here today. … Rogers’ response did seem a trifle dismissive of a reasonable question asked reasonably in an open forum. {Breaking Defense}

Rogers spoke in response to a question about how the National Security Agency was going about attributing the breach to the Chinese government. “You’ve put an assumption in your question,” he said. “I’m not going to get into the specifics of attribution. It’s a process that’s ongoing.”

… Rogers’s hedged response, given during a question-and-answer session at the GEOINT symposium in downtown Washington, comes in stark contrast to the NSA’s approach to attribution during the Sony hack. In that case the FBI, working with the NSA and DHS, quickly named North Korea as the perpetrator, resulting in the prompt issuance of sanctions.

Rogers called that a great example of cross-agency collaboration. “Working across the United States government, DHS, FBI and the National Security agency, we were able to relatively quickly come to consensus about the characterization of the activity we were seeing coming in, which formed the basis of our attribution, and with a relatively high confidence factor, which allowed us to respond in a very public and direct way.”

Why hasn’t that collaboration worked in the case of the OPM hack? Said Rogers: “every dataset is different.”  {Defense One}

Director of National Intelligence James Clapper also spoke at GeoInt, giving a remarkably casual statement on a matter of such importance.

Read more

How would Sun Tzu defend computer systems? Poorly. A new era needs new thinking.

Summary:  The theft of the Federal government’s personnel data has brought information security back to the front pages. Along with the usual cries of “off with their heads” for the guilty and promises of Total Information Security in the future, as the signal to noise ratio in the media drops towards zero. To help restore our sense of proportion, here’s an article from the past by two well-known experts discussing the difficulty of e-defense in the 21st century.

This is a follow-up to About the theft of the Federal government’s personnel records: sorting fact from fiction, another in a series about a new age of conflict in which the old ways no longer work.  {1st of 2 posts today.}

“As we shall show, defense is a stronger form of fighting than attack. … I am convinced that the superiority of the defensive (if rightly understood) is very great, far greater than appears at first sight.”
— Clausewitz, On War, Book 1, Chapter 1

The Art of War
Available at Amazon.

 

InfoSec, Sun Tzu
& the Art of Whore

By Steve Tornio and Brian Martin.
At Attrition, 2 July 2010.

Posted with the authors’ permission.

 

Lately, you can’t swing a dead cat without hitting someone in InfoSecurity who is writing a blog post, participating in a panel or otherwise yammering on about what we can learn from Sun Tzu about Information Security. Sun Tzu lends the topic some gravitas and the speaker instantly benefits from the halo effect of Ancient Chinese Wisdom, but does Sun Tzu really have anything interesting to say about Information Security?

In The Art of War, Sun Tzu’s writing addressed a variety of military tactics, very few of which can truly be extrapolated into modern InfoSec practices. The parts that do apply aren’t terribly groundbreaking and may actually conflict with other tenets when artificially applied to InfoSec. Rather than accept that Tzu’s work is not relevant to modern day Infosec, people tend to force analogies and stretch comparisons to his work. These big leaps are professionals whoring themselves just to get in what seems like a cool reference and wise quote.

“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”  { The Art of War}

This seems to make sense on its face. If you focus on making your systems and networks invulnerable to attack, then you don’t need to worry about attackers. So, on any modern network where people actually need to get work done, can you make systems invulnerable to attack? If not, does this particular advice tell us anything useful? Maybe Sun Tzu was trying to say that we need to spend more and more money on IPS/SIEM/firewalls/antivirus, even if we don’t see a particular need to upgrade or improve those areas.

Information security is not warfare (leaving aside actual warfare, of course). The bulk of security practitioners are working to protect private and public networks and do not strike back against any enemy.

Read more

About the theft of the Federal government’s personnel records: sorting fact from fiction

Summary: We’re into the phase of the OPM records breach scandal where the US public policy crisis process predictably breaks down into finger pointing and aggressive guessing. Here is a brief on what little we know, and pointers on what we certainly don’t know.  {2nd of 2 posts today.}

cyber war

Contents

  1. How was it done?
  2. What was taken?
  3. Who was at fault?
  4. Who did it?
  5. Panic!
  6. For More Information

(1)  How was it done?

We can learn the bare bones about this series of attacks from the statement by Office of Personnel Management (OPM) Director Katherine Archuleta (bio here) to the House Oversight and Government Reform Committee. For an easier to read version see this typically excellent ars technica article by

Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

Beyond this we hear mostly guesswork.CyberEspionage

(2)  What was taken?

Lots of high-volume guessing in the news. The best answer might be: lots was taken. The Director’s statement says “we have not yet determined its scope and impact”. For a more precise answer see…

Read more

What they mean when the government says “We do not have ‘direct’ access to your info”

Summary: Even the best journalists and national security experts have difficulty with technical stories like the recent NSA revelations. Today Marcus Ranum (bio) cuts through the government’s lies, explaining the truth behind the NSA’s tapping vital telephone and email communication systems.

These are the small ones.
These are the small ones; America’s nerves

.

When politicians and spokespeople choose their words with exquisite care, then it’s time to examine them with extra care. Let’s talk a little bit about the realities of how one might monitor a data center, shall we?

.

“We have no direct access to their systems.”

Of course you don’t. By “direct access” you mean that you can log in and collect data directly from the system, or have database administrators’ credentials and can issue queries, or whatever. You wouldn’t want that, anyway, because the queries and the activities might then become public knowledge — those are traceable, you know.

When someone logs into a system, gains administrative rights, and looks at someone’s email in-box that leaves traces in the system logs, and that’s completely unacceptable because what you’re querying for is classified and suddenly those system logs contain extremely sensitive data, indeed.

Here’s how you do it

Those big outfits decrypt all their traffic at the edges of the network using a load-balancer/redirector that’s capable of offloading the CPU-intensive activity of decryption from the backend servers. Inside the provider’s core network, the traffic carried within their switches is all in the clear.

You show up with a national security letter and maybe a warrant and tell the provider that you’ve got a system that does classified stuff and they’re going to plug it into their network and have the core switches span some of the traffic between, say, the mail servers and everything else, and the user authentication servers and everything else, and send a copy of that traffic to the mystery box (or boxes, depending on the load you need to consume) and that’s it.

There’s no need even to give the box an IP address, which is a feature also, because that makes the box impossible for anyone to see other than in the configuration of the core switch or if they get into the special locked room in the data center and count the number of boxes in the rack there.

The box is a sniffer. Remember the old FBI CARNIVORE system that was “outed” back in 2000? That’s how CARNIVORE worked, pre 9-11. The newer systems may look like Insight.

Sniffing traffic is fairly straightforward

Read more