Expectations of Light Ahead
This painting by Swedish painter Carl Larsson, dated 1904, depicts a Christmas Eve gathering. Family members present are not giddy but quietly enjoying the prospect of the feast they will share, set out before them. Snow falls outside in the growing dark as candle and fire light fills the space within. The picture is illuminated as well by the serving girl’s soft smile – she and what she bears, created by human hands, are as important and warming as the light within the room.
Tonight in my household we are making Swedish cookies from a recipe left to us by a departed family member. We laugh over happy memories we shared with them, and now make new memories over this messy communion flavored with cinnamon, sugar, and too much butter. The fun and memories are as important as the cookies themselves; they create the foundation for decades of holidays yet to come.
I hope you are also someplace warm and happy tonight, enjoying pleasant memories and making more. Do something joyful, whether for yourself or others, even if you are alone. Embrace the expectation of increasing light in the days ahead.
And I wish Marcy and Mr. Wheel, Jim, bmaz, Ed, their families, and all the rest of the Emptywheel crew and community a very happy and peaceful Christmas.
Sony, Hacked: It’s Not One Massive Breach – It’s More Than 50 Breaches in 15 Years
Ever try to follow an evolving story in which the cascade of trouble grew so big and moved so fast it was like trying to stay ahead of a pyroclastic flow?
That’s what it’s like keeping up with emerging reports about the massive cyber attack on Sony. (Granted, it’s nothing like the torture report, but Hollywood has a way of making the story spin harder when it’s about them.)
The second most ridiculous part of the Sony hack story is the way in which the entertainment industry has studiously avoided criticizing those most responsible for data security.
In late November, when the hacker(s) self-identified as “Guardians of Peace” made threats across Sony Pictures’ computer network before releasing digital film content, members of the entertainment industry were quick to revile pirates they believed were intent on stealing and distributing digital film content.
When reports emerged implicating North Korea as the alleged source of the hack, the industry backpedaled away from their outrage over piracy, mumbling instead about hackers.
The industry’s insiders shifted gears once again it was revealed that Sony’s passwords were in a password-protected file, and the password to this file was ‘password.‘
At this juncture you’d think Sony’s employees and contractors – whose Social Security numbers, addresses, emails, and other sensitive information had been exposed – would demand a corporate-wide purge of IT department and Sony executives.
You’d think that anyone affiliated with Sony, whose past and future business dealings might also be exposed would similarly demand expulsion of the incompetents who couldn’t find OPSEC if it was tattooed on their asses. Or perhaps investors and analysts would descend upon the corporation with pitchforks and torches, demanding heads on pikes because of teh stoopid.
Nope.
Instead the industry has been tsk-tsking about the massive breach, all the while rummaging through the equivalent of Sony Pictures’ wide-open lingerie drawer, looking for industry intelligence. Reporting by entertainment industry news outlets has focused almost solely on the content of emails between executives.
But the first most ridiculous part of this massive assault on Sony is that Sony has been hacked more than 50 times in the last 15 years.
Yes. That’s More Than Fifty.
Inside Fifteen Years. →']);" class="more-link">Continue reading
Reagan? No, Regin — Yet Another [GCHQ] Intelligence Malware
Recently, computer security firm Symantec reported discovery of another intelligence-gathering malware, dubbing it “Regin.”
What’s particularly interesting about this malware is its targets:
- It infected computers in Afghanistan, Austria, Belgium, India, Iran, Ireland, Mexico, Pakistan, Russia, Saudia Arabia;
- At 48% of total infections, the largest group of targets were private individuals and small businesses.
Please do read Symantec’s blog post and its technical paper on Regin to understand how it works as well as its targets. Many news outlets either do not understand malware and cybersecurity, or they get facts wrong whenever major malware attacks are reported. Symantec’s revelation about Regin is no different in this respect.
Independent.ie offers a particularly exceptional example distorting Symantec’s report, claiming “Ireland is one of the countries worst hit globally by a dangerous new computer virus that spies on governments and companies, according to a leading technology firm.”
If by “worst hit,” they mean among the top four countries targeted by this malware? Sure. But only 9% of the infections affected Irish-based computers, versus 28% of infections aimed at Russian machines, and 24% affecting Saudi machines. The Independent.ie’s piece reads like clickbait hyperbole, or fearmongering, take your pick.
What wasn’t addressed by the Independent.ie and numerous other outlets, including those covering the tech sector are some fundamental questions:
- What assets or activities might the targeted countries have in common that would make them targets of a single intelligence operation organized by one or more nation-states?
- What are so many private individuals and small businesses targeted by this malware, in contrast to other malware-based intelligence-collection operations seen to date?
The Guardian came closest to examining these issues, having interviewed researchers at computer security firm F-Secure to ask the origins of the malware. As of 24-NOV-2014, the firm’s Mikko Hypponen speculated that the US, UK, and/or Israel were behind Regin’s development and deployment.
As of the video embedded above, Hypponen firmly says the UK’s intelligence entity GCHQ is behind Regin, in particular the malware’s invasion of a Belgian telecom network (see video at 07:20). Continue reading
Plane Meets Plow: The Curious End of Total S.A. CEO Christophe de Margerie
![[Photo tweeted by @Enel_Aire, post time stamped 2014-10-21 at 09:45 (time zone unknown)]](http://www.emptywheel.net/wp-content/uploads/2014/10/CdeMargerieTOTAL_crash_21OCT2014-1.jpg)
[Photo tweeted by @Enel_Aire, post time stamped 2014-10-21 at 09:45 (time zone unknown)]
Not as much as Moscow, mind you, but we get snow where I live in flyover country USA. Any time between mid-October and mid-April we can expect some frozen precipitation. A blizzard in October isn’t unheard of — we had one 17 years ago this week, in fact. I’ve lived with six months of snow per year for most of my life.
Which is why the photo here of the crash site looks sketchy to me.
Early reports indicated the plane carrying de Margerie hit or was hit by a snowplow driven by a drunken operator, in poor visibility. It’s not clear exactly which hit the other based on different accounts across the internet. A Russian reconstruction video furnished to Le Figaro shows the plane’s wing clipping a vehicle upon landing — but the video exerts more effort on the fire and smoke than it does on the initial impact. Note in this second video of the plane after the crash during daylight hours that the wing which hit the plow as characterized in the video is missing.
At least one article claimed debris was spread 200 meters by the plane after impact. Perhaps the wing was in that debris, but it’s not reflected in the Russian reconstruction video. A more recent report said the snowplow was parked on the runway.
Ultimately, what we see is a plane that flipped over — either tipped over by the force of a plow, or flipped over after impact.
And no snow. This particular photo is rather pixelated, but it doesn’t reflect reduced visibility due to snowfall. There’s no snow in the second video link above, though visibility has worsened. →']);" class="more-link">Continue reading
JPMorgan’s Form 8-K to Investors: We’ve Been Hack-Mapped!
JPMorgan’s Form 8-K filed on Thursday with the Securities and Exchange Commission advises:
On October 2, 2014, JPMorgan Chase & Co. (“JPMorgan Chase” or the “Firm”) updated information for its customers, on its Chase.com and JPMorganOnline websites and on the Chase and J.P. Morgan mobile applications, about the previously disclosed cyberattack against the Firm. The Firm disclosed that:
• User contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users have been compromised.
• The compromised data impacts approximately 76 million households and 7 million small businesses.
• However, there is no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack.
• As of such date, the Firm continues not to have seen any unusual customer fraud related to this incident.
• JPMorgan Chase customers are not liable for unauthorized transactions on their account that they promptly alert the Firm to.
The Firm continues to vigilantly monitor the situation and is continuing to investigate the matter. In addition, the Firm is fully cooperating with government agencies in connection with their investigations.
According to ZDNet, a forensic security firm suggests the bank’s users’ accounts are now at greater risk of compromise and that password changes and two-factor authentication should be implemented to address the risk.
However, the 8-K’s wording indicates a different security risk altogether as the users’ passwords and Social Security numbers are not compromised.
The disclosure of information compromised combined with earlier reporting about the breach more closely matches a description of that collected by National Security Agency’s TREASURE MAP intelligence collection program. TREASURE MAP gathered information about networks including nodes, but not data created by users at the end nodes of the network. The application delineated the path to the ends. and physical ends, not merely virtual ends of the network. →']);" class="more-link">Continue reading
Treasure Map: It’s About Location, Not Gold
Der Spiegel and The Intercept published collaborative reporting this weekend on another Snowden document — this one referring to a National Security Agency program named TREASURE MAP.
The most chilling part of this reporting is a network engineer’s reaction (see here on video) when he realizes he is marked or targeted as a subject of observation. He’s assured it’s not personal, it’s about the work he does – but his reaction still telegraphs stress. An intelligence agency can get to him, has gotten to him; he’s touchable.
The truth is that almost any of us who follow national security, cyber warfare, or information technology are potential subjects depending on our work or play.
The metadata we generate is only part of the observation process; it provides information about our individual patterns of behavior, but may not actually disclose where we are.
TREASURE MAP goes further, by providing the layout of the network on which any of us are generating metadata. But there is some other component either within TREASURE MAP, or within a complementary tool, that provides the physical address of any networked electronic device.
The NSA has the ability to track individuals not only by Internet Protocol addresses (IP addresses), but by media access control addresses (MAC addresses), according a recent interview with Snowden by James Bamford in Wired. This little nugget was a throwaway; perhaps readers already assumed this capability has existed, or didn’t understand the implications:
…But Snowden’s disenchantment would only grow. It was bad enough when spies were getting bankers drunk to recruit them; now he was learning about targeted killings and mass surveillance, all piped into monitors at the NSA facilities around the world. Snowden would watch as military and CIA drones silently turned people into body parts. And he would also begin to appreciate the enormous scope of the NSA’s surveillance capabilities, an ability to map the movement of everyone in a city by monitoring their MAC address, a unique identifier emitted by every cell phone, computer, and other electronic device.
[emphasis added]
In simple terms, IP addresses are like phone numbers — they are assigned. They can be static; a printer on a business network, for example, may be assigned a static address to assure it is always available to accept print orders at a stationary location. IP addresses may also be dynamic; if there’s an ongoing change in users on a network, allowing them to use a temporary address works best. Think of visits to your local coffee shop where customers use WiFi as an example. When they leave the premise, their IP address will soon revert to the pool available on the WiFi router. →']);" class="more-link">Continue reading
Internet Cats, Weaponized: US Defense Contractor Consulted on Targeted Network Injection Surveillance for Commercial Sales Abroad
![[photo: liebeslakritze via Flickr]](http://www.emptywheel.net/wp-content/uploads/2013/06/SpyGrafitti_liebeslakritze-Flickr_300pxw.jpg)
[photo: liebeslakritze via Flickr]
But as Jeremy Scahill tweeted last evening, read this piece by WaPo’s Barton Gellman on malicious code insertion. This news explains recent changes by Google to YouTube once it had been disclosed to the company that exploits could be embedded in video content as CitizenLab.org explains:
“… the appliance exploits YouTube users by injecting malicious HTML-FLASH into the video stream. …”
“… the user (watching a cute cat video) is represented by the laptop, and YouTube is represented by the server farm full of digital cats. You can observe our attacker using a network injection appliance and subverting the beloved pastime of watching cute animal videos on YouTube. …”
The questions this piece shake loose are Legion, but as just as numerous are the holes. Why holes? Because the answers are ugly and complex enough that one might struggle with them. Gellman’s done the best he can with nebulous material.
An interesting datapoint in the first graf of the story is timing — fall 2009.
You’ll recall that Google revealed the existence of a cyber attack code named Operation Aurora in January 2010, which Google said began in mid-December 2009.
You may also recall news of a large batch of cyber attacks in July of 2009 on South Korean targets.
The U.S. military had already experienced a massive uptick in cyber attacks in 1H2009, more than double the rate of the entire previous year.
And neatly sandwiched between these waves and events is a visit by a defense contractor CloudShield Technologies engineer from California, to Munich, Germany with British-owned Gamma Group. →']);" class="more-link">Continue reading
Snowpiercer: Bong Joon-Ho’s Jab at the God of the Machine
(The cats are away at Netroots Nation, leaving the meese to play. — Rayne)
A number of film critics have written that Snowpiercer — director Bong Joon-Ho’s adaptation of the French dystopic graphic novel, Le Transperceneige — is a cinematic allegory of climate change (the new “cli-fi“). Others will call it an allegory of class warfare. The film released in the U.S. on 27 June, reaching only 374 theaters across the country. Thankfully it went to video-on-demand last Friday as it entered its third week in theaters.
The highly limited and unusual method of release belies the film’s stunning appearance, its stellar cast, its punchy delivery. It’s all of these things and more: gritty, raw, gruesome, action-filled and emotion-tugging. Chris Evans was a surprise, offering restrained yet emotionally exposed work as flawed and resistant Curtis — a far cry from his recent stints as Captain America. Tilda Swinton is her funky finest, and Octavia Spencer is a powerful mother tigress. Korean actors Kang-ho Song and Ah-sung Ko fit perfectly, as do John Hurt and Jamie Bell. Effects are purposeful and not excessive, camera work highly effective, the score clings to the action like a skin.
Snowpiercer is believed to have been dissed on distribution because Bong Joon-Ho insisted on his own cut, resisting Harvey Weinstein’s demands that 20 minutes be excised. Given how closely the story reflects Dante’s Inferno, it’s difficult to see how any cuts affecting up to and through any of its gates would allow the movie to work as it does. (Really, Harvey, which of the circles of hell could we do without? Did you consult with Satan?)
But another reason for the short shrift on distribution may be the film’s unacknowledged allegory: the engine of production continues at all costs.
This is not the message of class warfare which Le Transperceneige’s two books more closely spell out. This is the ugly truth of our current global economy and the descent it makes into a catastrophic climate hell ahead.
The creators of the train ensuring your existence insist you stay where you are, even if you perceive yourself to be at the head of the train. You will be punished if you step out of your assigned place in the works. Resistance is terrorism, and must be eliminated to retain the careful balance necessary to assure production’s continuity. You have no privacy, no rights, no value save for your usefulness to the god of the machine.
This film jabs at the global economy’s bloated belly, wherein gross domestic product is worshipped, and energy’s demands obeyed at the expense of free will and a survivable planet. Bong Joon-Ho’s message is far more subtle and important than that of conflict between labor and capital. It’s certainly more unsettling to the domestic distribution system which desires a sure, non-threatening blockbuster to continue their offering of profit to the god of productivity.
Spoiler (look away now, I’ll put this after the jump): →']);" class="more-link">Continue reading
Remotely Yours: Internet of Things Meets Father’s Day
![[Graphic: Google Glass by Wilbert Baan via Flickr]](http://www.emptywheel.net/wp-content/uploads/2014/06/GoogleGlass_WilberBaan-Flickr.jpg)
[Graphic: Google Glass by Wilbert Baan via Flickr]
Predicting the future on the Web’s 25th anniversary*, a Pew Internet study published in March this year, reveals the depth of naivete bordering on gross ignorance on the part of so-called experts surveyed for this report.
The subhead alone should concern you:
Experts say the Internet will become ‘like electricity’ over the next decade–less visible, yet more deeply embedded in people’s lives, with many good and potentially bad results
Emphasis mine — because really, how much more deeply embedded does the internet need to become in our lives before we begin to rethink its widening application?
At the risk of sounding Ted Kaczynski-ish, we have allowed the development, implementation and integration of technology to run amok. We’ve only paid attention to the narrowest benefits we might receive from explicit application of any new technology, failing to look at the systemic repercussions of all our technology on all our society and on the planet we share.
It’s not your remote controlled light switch in itself that is a problem. Go ahead, turn on your lights at home while you’re on your summer vacation across country.
It’s the lack of thought about the entirety of the internet itself and its embedment that is a major problem. We’ve already become utterly dependent upon it. The additional little tools and toys we inanely call the “internet of things” will only make the situation more complex.
Ask yourself this: If the internet suddenly crashed this week, completely collapsed for an unspecified length of time, what would happen to the global economy?
What would happen to the health of patients in hospitals and care facilities — are there monitoring and medication-dispensing applications that are both life saving and internet mediated?
How would we conduct and record any kind of transaction, between individuals, between businesses, between governments?
Would our power grid continue to run smoothly without the use of the internet?
At a minimum we should be asking ourselves at what point our government will limit its tracking and compilation of meta data, let alone whether it can use data from one’s wireless slowcooker as a criteria to dispatch a deadly drone. Imagine the mind-boggling size of the data farm required to house all the meta data alone from the internet of things.
We should be asking what happens if foreign governments conduct cyber war through this internet of things what our response should be — conduct cyber-retaliation with equal and measured response, taking out wireless ricecookers and teapots on the other side of the globe?
What happens if our cyberweapons are deployed against us, like a customized Stuxnet invisibly tweaking all the settings on all our internet of things? Would we know we’d been targeted until far too late?
Anyhow, just some food for thought, something to mull over as you flip your remotely monitored ribs on the smoker while sipping on your icy cold brew produced from your wirelessly controlled refrigerator — which may tell you soon you’re low on beer.
Happy Father’s Day!
* h/t @sarahkendzior
[UPDATED] Russian GPS-Alternative Satellites Went ‘Illegal/Failure’: Solar Storm Damage or Cyberwar in Space?
[Update at end of article.—Rayne 6:45 pm EST]
Between 1030 and 0400 UTC last night or early morning, most of Russia’s GLONASS satellites reported “illegal” or “failure” status. As of this post, they do not appear to be back online.
GLONASS is the equivalent of GPS, an alternative global navigation satellite system (GNSS) launched and operated by Russian Aerospace Defense Forces (RADF). Apart from GPS, it is the only other GNSS with global capability.
It’s possible that the outage is related to either a new M-class solar storm — the start of which was reported about 48 hours ago — or recent X-class solar flare on March 29 at approximately 1700 UTC. The latter event caused a short-term radio blackout about one hour after the flare erupted.
But there is conjecture that GLONASS’ outage is human in origin and possibly deliberate. The absence of any reported outage news regarding GPS and other active satellite systems suggests this is quite possible, given the unlikelihood that technology used in GLONASS differs dramatically from that used in other satellite systems.
At least one observer mentioned that a monitoring system tripped at 21:00 UTC — 00:00 GLONASS system time. The odds of a natural event like a solar storm tripping at exactly top of the hour are ridiculously slim, especially since radiation ejected from the new M-class storm may not reach its peak effect on earth for another 24-48 hours.
It’s not clear whether the new GLONASS-M satellite launched March 24th may factor into this situation. There are no English language reports indicating the new satellite was anything but successful upon its release, making it unlikely its integration into the GLONASS network caused today’s outage.
If the outage is based in human activity, the problem may have been caused by:
— an accidental disabling here on earth, though RADF most likely has redundancies to prevent such a large outage;
— deliberate tampering here on earth, though with RADF as operator this seems quite unlikely; or
— deliberate tampering in space, either through scripts sent from earth, or technology installed with inherent flaws.
The last is most likely, and of either scripts sent from earth or the flawed technology scenarios, the former is more likely to cause a widespread outage.
However, if many or all the core operating systems on board the GLONASS satellites had been updated within the last four years – after the discovery of Stuxnet in the wild – it’s not impossible that both hardware and software were compromised with an infection. Nor is it impossible that the same infection was triggered into aggressive action from earth.
Which begs the question: are we in the middle of a cyberwar in space?
UPDATE — 6:45 PM EST—
Sources report the GLONASS satellite network was back online noon-ish Russian time (UTC+4); the outage lasted approximately 11 hours. Unnamed source(s) said the outage was due to the upload of bad ephemeris data, the information used by the satellites to locate other satellites in space. An alleged system-wide update with bad data suggests RADF has serious problems with change management, though.
There is speculation the M-class solar storm, summarized at 1452 UTC as an “X-ray Event exceeded M5,” may have impacted GLONASS. However early feedback about radiation ejected by an M-class storm indicated the effects would not reach earth for 24-48 hours after the storm’s eruption.
Emptywheel Twitterverse
bmaz
RT @dcbigjohn: This SIGAR report in Afghanistan spending really puts the lie to "most transparent administration" claim http://t.co/GQhPOky…
bmaz
@JonathanTurley She seems to recognize no bounds on Executive Branch power; maybe you could address that problem.
bmaz
I love @digby56 but, dammit, I had totally forgotten that Joe Klein existed before she up and had to remind me. http://t.co/MYUQ30AvTD
bmaz
@JasonLeopold @AmbassadorPower @SenFeinstein Jason, that word has banned from the lexicon of our mighty political elites. Don't trifle them.
emptywheel
What if Rand Paul ran on this? "As President, I promise to classify how much war we're at so you can pretend I've ended it."
emptywheel
@mattapuzzo MILLIONSWILLDIE (which, if true, would be far worse than the hundreds of thousands I'm in the process of killing)
emptywheel
@cristianafarias No biggie. It's what @bmaz gets for going so long between legal posts. ;p
bmaz
RT @MonaHol: Poop found on gym floor: Students forced to expose underwear for inspection http://t.co/vgNUZl8JMt Attn: @ChuckCJohnson. Ur al…
bmaz
@ScottGreenfield @gideonstrumpet Incredible. "Stickier than it seems". Fuck you Professor Moron.