Cybersecurity

Monday Morning: Scattered

That’s how I feel this morning — my head feels like a bunch of scattered pictures lying on my bedroom floor. Can’t tell how much of this sensation is work hangover from a too-busy weekend, or a result of a themeless news morning.

Often as I browse my feeds I find narratives emerge on their own, bubbling up on their own. Today? Not so much. There are too many topics in flight, too many major stories juggled, too many balls in the air, everything’s a blur.

The biggest stories adrift and muddled are those in which elections are central:

  • U.S. primary season wrap-up and the general election ahead — and I’m not going to touch this topic with a 20-foot pole. Imma’ let better writers and statisticians handle it without me piling on.
  • The Philippines election — the leading candidate is alleged to encourage urban vigilante death squads to reduce crime.
  • Brexit — Britain votes on a referendum next month on whether to exit the EU. Brexit played a role in the election last week of London’s new mayor, Sadiq Khan, who also happens to be London’s first Muslim mayor.
  • Australia’s double-dissolution election — PM Malcolm Turnbull last week announced both the House of Representatives and the Senate would be dissolved and replaced in an election on July 2nd. Turnbull faces replacement depending on which party amasses the most power during the election. There have only been seven double dissolutions since Australia’s federation under its constitution in 1901.

Anyhoo…here’s some miscellaneous flotsam that caught my eye in today’s debris field.

  • Number of unique mobile device users: 5 BILLION (Tomi Ahonen) — Do read this blog post, the numbers are mind-boggling. And intelligence agencies want to map and store ALL of the communications generated by these numbers?
  • Browser company Opera just went after iOS market with VPN offering (PC World) — Opera already announced a free VPN to Windows and Linux users; today it targeted Apple users with a VPN for iOS (do note the limited country availability). Don’t feel left out, Android users, you’ll get a VPN offering from Opera soon.
  • Swarm of earthquakes detected at Mount St. Helens (KOMO) — The eight-week-long swarm has been likened to those in 2013 and 2014 due to fault slippage. An eruption may not be imminent.
  • Jihadi Gang Warfare (@thegruq at Medium) — A really good read about the Islamic militant gang in Brussels and how their amateurishness prevented even greater bloodshed in both Paris and Brussels. Unfortunately a primer on how not to do urban terror.
  • Google isn’t just feeding romance novels to its AI to teach it language (Le Monde) — ZOMG, it’s using them to teach it morals, too! That’s what Le Monde reported that Buzzfeed didn’t.

    Valeurs morales

    Deux chercheurs de Georgia Tech, Mark Riedl et Brent Harrison, vont encore plus loin. Selon eux, la littérature peut inculquer des valeurs morales à des programmes d’intelligence artificielle. « Nous n’avons pas de manuel rassemblant toutes les valeurs d’une culture, mais nous avons des collections d’histoires issues de ces différentes cultures », expliquent-ils dans leur article de recherche publié en février.

    «Les histoires encodent de nombreuses formes de connaissances implicites. Les fables et les contes ont fait passer de génération en génération des valeurs et des exemples de bons comportements. (…) Donner aux intelligences artificielles la capacité de lire et de comprendre des histoires pourrait être la façon la plus efficace de les acculturer afin qu’elles s’intègrent mieux dans les sociétés humaines et contribuent à notre bien-être.»

    Moral values

    Two researchers from Georgia Tech, Mark Riedl and Brent Harrison, go even further. They believe literature can inculcate moral values in artificial intelligence programs. “We have no manual containing all the values of a culture, but we have collections of stories from different cultures,” they explain in their research article published in February.

    “The stories encode many forms of implicit knowledge. Fables and tales have passed values and examples of good behavior from generation to generation. (…) Giving artificial intelligence the ability to read and understand stories may be the most effective way to acculturate them so they can better integrate into human society and contribute to our well-being.”

    Gods help us, I hope they didn’t feed the AI that POS Fifty Shades of freaking Grey. Though I’d rather 90% of romance novels for morals over Lord of the Flies or The Handmaid’s Tale, because romance’s depiction of right and wrong is much more straightforward than in literary fiction, even the very best of it.

That’s quite enough trouble to kick off our week, even if it’s not particularly coherent. Catch you tomorrow morning!

Long-Serving Intelligence Executive: Sure, Government Has Been Thoroughly Pawned But What about Ordinary Citizens?

Three months after Obama rolled out a cybersecurity initiative backed by a piece in the WSJ, former Deputy Director of Defense Intelligence David Shedd has decided to critique it (the 3 month delay might have something to do with the fact that, in the interim, Shedd was getting beat up by DOD Inspector General over having created his own private limousine service).

In his op-ed, Shedd questions Obama’s embrace of a public-private partnership. He makes a good point that such government initiatives rely on voluntary participation. He insinuates that Obama ignores the contributions of Apple because of the fight over encryption.

How odd that the president didn’t even mention Apple among the other leading technology firms when it comes to cybersecurity. Apple, America’s (and the world’s) largest and most valuable technology firm, has led the industry in securing its products, a claim the others listed can’t stand by. But of course the president can’t mention Apple as a shining example of American cybersecurity, because his administration is entrenched in a political battle with the company over encryption.

It’s a fair dig. Except that’s the kind of anachronism I wouldn’t expect from a lifetime spook. It is true that Jim Comey was on the war path with Apple since the company made iPhone encryption standard in fall 2014. But things didn’t start ratcheting up until February 16, when DOJ got an All Writs Act to make Apple rewrite their operating system, after Obama wrote the op-ed that didn’t mention Apple.

Shedd then mocks Obama’s efforts to introduce more flexibility in hiring cybersecurity people. Here’s what Obama said:

We’ll do more—including offering scholarships and forgiving student loans—to recruit the best talent from Silicon Valley and across the private sector. We’ll even let them wear jeans to the office. I want this generation of innovators to know that if they really want to have an impact, they can help change how their government interacts with and serves the American people in the 21st century.

Here’s what Shedd (he of the personal limousine service) said:

While this proposal rightly addresses the need to recruit great talent, does the administration really think the ability to wear jeans is going to sway the best and brightest away from the pay in Silicon Valley?

Perhaps we’re all missing the metaphor of “wearing jeans” for smoking pot. But the truth is some people aren’t motivated primarily by personal limousine services; they would like to help the government. One real barrier to hiring talent — people like Ashkan Soltani — is something Shedd has been a very big player in: security clearances.

Which gets me to my real confusion about this piece.

First, even before he talks about how much better the tech industry, at least, is than the government on these issues, Shedd complains that there’s nothing in Obama’s policy for “everyday citizens or industry.”

It’s all well and good to talk about protecting U.S. innovation and giving every American a level of online security. But the president fails to suggest even a single solution that would impact everyday citizens or industry.

Then he lays out how absolutely incompetent the government has been in protecting itself.

[C]onsidering the fact that multiple government agencies, as well as the Justice and Homeland Security departments, have faced significant cyberattacks, this is an odd claim to make.

The most egregious breach took place less than a year ago, when the Office of Personnel Management suffered a huge data breach that continues to impact tens of millions of federal workers and contractors, including those with access to America’s most sensitive secrets. No one was fired over the incident. Is that accountability? In late February, the office’s chief information officer resigned just two days before having to testify before Congress.

The administration’s failed record in cybersecurity extends beyond the breaches on government systems. In a recent score card released by the House Oversight and Government Reform Committee, the majority of federal agencies received subpar, if not failing, grades on their cybersecurity posture.

Among the worst was the Department of Energy, which is charged with protecting our nation’s nuclear technology. Given that the Obama administration had seven years to meet its cybersecurity obligations, why should the American people believe anything will change with a new initiative?

Now, if the government is a cybersecurity sieve, then why is Shedd bitching that there’s nothing in Obama’s policy for “ordinary citizens” or the private industry companies that aren’t getting pawned? Shouldn’t locking down the nation’s nuclear secrets — a point I’ve emphasized — be a higher priority than saving Target from liability when its customers get their credit card data stolen (besides the fact, for customers who can afford an iPhone, as Shedd pointed out, Apple is already doing something)? In a purportedly capitalist society, should the government free private industry of all responsibility for its own security?

Crazier still, Shedd — who worked in Bush’s National Security Council until 2005, then moved to Director of National Intelligence, then in 2010 moved to DIA — is bitching that no one (aside from Katherine Archuleta) got fired for the OPM hack. In several of those positions, Shedd was in a place where he should have been one of the people asking why the security clearance data for 21 million people was readily available to be hacked — though no one in his immediate vicinity thought to ask those questions until 2013 and even then not including the non-intelligence agencies that might be CI problems. He was in a position when he may have — probably should have — reviewed some of the underlying database consolidation of clearance databases, including (at ODNI) identifying them as a counterintelligence threat.

A report published by the Office of the Director of National Intelligence provides some insight: In order to report security clearance volume levels, the National Counterintelligence and Security Center’s Special Security Directorate (SSD) “compiled and processed data from the three primary security clearance record repositories: ODNI’s Scattered Castles (SC); DoD’s Joint Personnel Adjudication System (JPAS); and the Office of Personnel Management’s (OPM) Central Verification System (CVS). To fulfill specific reporting requirements of the FY 2010 IAA, the SSD issued a special data call to the seven IC agencies with delegated authority to conduct investigations or adjudications.” The purpose of the data call was to consolidate security clearance data.

It’s probably not Shedd’s fault personally OPM got hacked, but some of the people who directly worked for him along the way may well bear responsibility.

Moreover, when he bitches about how so little has been accomplished in Obama’s 7 years, it ought to raise questions about why nothing got accomplished in his own decade of service in a position when he might have done something. Perhaps he spent years fighting with Obama (and before him Bush) to do something about the government’s cybersecurity, but if so, that’s what he should be talking about, not that Obama wants to make it easier for hackers to wear jeans to work.

Some of Shedd’s complaints are spot on. Just not coming, as they do, from someone who spent a decade in a position to address cybersecurity himself.

Friday Morning: Gypsy Caravan


TIME, you old gipsy man,
Will you not stay,
Put up your caravan
Just for one day?

— excerpt, Time, You Old Gipsy Man by Ralph Hodgson

If last week’s Friday chamber jazz was most like me, this genre is next to it. Gypsy jazz is what my grandfather always hoped I’d learn to play; I learned to love Django Reinhardt with Stephane Grappelli at his knee. This stuff makes a bad day move along briskly, makes heavy hearts light. I don’t mind the added fillip some smart ass added to the embedded video of Hot Club of Dublin featured here — seems fitting for the tune’s mood.

Unfortunately I have to be away from my desk this morning on a mission of mercy. If I’m stuck someplace with decent WiFi I will try to share a few things I’ve been reading. Otherwise use this as an open thread and tell me what you’ve got planned this weekend — hope it’s something fun!

Oops, last minute adders:

Facebook gets smacked by court for storing biometric content (Reuters) — I really dislike Facebook. Just thought I’d tack that on.

Athabasca tar sands south of Fort McMurray threatened by fire (CBC Calgary) — something-something karma-something

A few more adders:

Aussie company touting anti-Zika virus condoms and gel – what? (Sydney Melbourne Herald) — Are you kidding me? Just use a damned condom. Think about it: plain old condoms are recommended as protection against viral STDs like HIV.

Maps showing borders India doesn’t like may earn jail time and fines (QZ-India) — Wondering why this issue has bubbled up again, not that the border with Pakistan has ever been resolved to India’s satisfaction.

Carnegie Mellon team turn human skin into touch tech (The Verge) — Um, this was done back seven years ago by MIT, called “Sixth Sense,” and released as open source a year later. Still wondering why that tech wasn’t commercialized.

Thursday Morning: Burning Bright

Tyger Tyger, burning bright,
In the forests of the night;
What immortal hand or eye,
Could frame thy fearful symmetry?

In what distant deeps or skies.
Burnt the fire of thine eyes?
On what wings dare he aspire?
What the hand, dare seize the fire?

— excerpt, The Tyger by William Blake

Props to Fort McMurray, Alberta, Canada, for evacuating a city under immediate threat of fire without any casualties directly attributable to the blaze. There was one death reported due to a vehicle accident, but it’s not clear the accident was caused by the fire or the evacuation process. I don’t know that an American city could have responded as quickly with the same results, but then Fort McMurray’s folks remember the Slave Lake wildfire five years ago in May 2011. Slave Lake, located roughly 250 miles southwest of Fort McMurray, was similarly forced to evacuate its 7,000 residents after 60 mph winds fanned a forest fire out of control and into the town.

In addition to expanded evacuation south of Fort McMurray, another wildfire in northern Alberta approximately 500 miles northwest of Fort McMurray forced evacuation of the town of High Level last evening. Fortunately, cooler weather will help battling this and Fort McMurray’s blaze; temperatures are expected to be 20 degrees cooler than the 88F degree high reached yesterday in Fort McMurray. There’s no rain in the forecast for nearly a week, though.

If you look at a satellite map of Alberta, you’ll note the areas surrounding these two municipalities actually had quite a bit of forest near them to their west (Fort McMurray is south of the Athabasca tar sands production site by a 30-minute drive). I’d like to know how much of this is boreal forest, which was once aggressively protected by Canada — before Alberta’s Stephen Harper became PM, that is. Despite the efforts of NGOs, expansion of the tar sands escalated dramatically from 2006 on. Now that oil prices have plummeted, production at Athabasca may drop, but too late to prevent damage to a wide swath of forest, not to mention the clearing done to support oil and gas development in northwestern Alberta. With the likelihood of wildfires throughout the rest of the summer running high, let’s hope the current Trudeau administration invests heavily in forest restoration efforts to replace growth lost to both fossil fuel production and to fire.

Reforestation is only a start, though; additional protections going forward are needed as boreal forest is the largest carbon sink on earth, bigger than rain forests. We Americans don’t pay as much attention to Canadian deforestation because the country’s population is much smaller than Brazil’s. But Canada’s forests are critically important to reducing CO2, locking it up in trees and preserving it in bogs. We’re Canada’s largest trading partner and its largest consumer of wood products. We should be more aware and more responsible for our role in protecting Canada’s boreal forest.

Bits and pieces

  • Ford sinks cash into software company Pivotal (Detroit Free Press) — One of the many recent investment/partnerships with technology firms to augment vehicles’ features. Ford said it would have difficulty doing what Pivotal does. Let’s hope Pivotal is more conscious of cybersecurity than its automotive partners.
  • Former Apple employees to release new AI bot, VIV next week (Apple Insider) — Description sounds like Siri let out of the iPhone, or Amazon’s Alexa on Echo bot. Whatever it is, stay away from me with this stuff.
  • Nearly 300 million email account credentials floated in criminal underground (Reuters) — A massive collection including tens of millions of accounts on Yahoo, Microsoft, and Gmail email services was offered up in exchange for favorable comments in hacker forums. Something about this scenario sounds fishy, especially since the hacker first asked for 50 rubles (about one dollar) in exchange for all the compromised email accounts’ credentials. Some of the accounts belonged to banking, manufacturing, and retail personnel.
  • Has the revolution begun? Shareholders protest Reckitt Benckiser’s CEO compensation (Bloomberg) — Is this the beginning of a trend?

Your assignment today: check your area for wildfire or bushfire risk, and develop a personal evacuation strategy. Fortunately in my area we have standing water after nearly 24 hours of rain. Out of here, gang.

UPDATE — 2:00 P.M. EDT —
Fire’s still spreading across portions of Fort McMurray. Reporter Vince McDermott believes he just lost his home this morning while he was at work. Must be just awful to cover a story affecting your community so dramatically and find yourself experiencing loss, too.

Tuesday Morning: Brittle, Two

Yesterday I talked about the shift toward mobile computing centered on smartphones, moving from PCs. Behind that transition, out of sight of the public, is the cloud which supports this shift. Content and applications are increasingly stored not on the user’s device but in a server (read: data farm) accessed over the internet.

One manifestation of the shift is the largest technology merger ever — computer manufacturer Dell’s $70B acquisition of storage company EMC. Dell’s PC sales have been slowly falling over the last handful of years, not unexpected due to the maturity of the market and the shift to mobile devices. Servers have been a large part of Dell’s profits for years, but many opportunities often ended up with competitor EMC when Dell quoted storage. Mobile users need much more remote computing and storage — servers and storage in the cloud — which EMC’s storage area network (SAN) products provide. This made EMC an appetizing fit to augment Dell’s server offerings while offsetting the slowly fading desktop computer sales.

With the acquisition, Dell Technology (the new name for the merged companies) now competes more squarely against Hewlett-Packard, which also sells both desktop computers and enterprise storage.

HP, however, split into two companies late last year. One manufactures desktop and other smaller computing devices (HP), the other sells servers and storage products (HP Enterprise Business). One might wonder if HP was preparing to spin off the portion of the business that makes PCs just as its competitor IBM did in 2005 when it spun off its PC division to Chinese manufacturer Lenovo.

Media will say with the EMC acquisition that Dell is positioned for better end-to-end service — but with so much computing now done on smartphones, this is not true. Dell and its competitor HP are only offering up to the smartphone.

Speaking of smartphones…

Suspect ordered to open Apple iPhone with Touch ID
29-year-old Paystar Bkhchadzhyan, a small-time crook charged with identity theft, was ordered by U.S. Magistrate Judge Alicia Rosenberg to swipe an iPhone seized from her boyfriend’s apartment in order to unlock it.

It’s not clear whether the iPhone has been identified as belonging to Bkhchadzhyan based on multiple reports, only that she may have “control over” the device. Nor is it clear — since she has already pleaded no contest to the charge against her — if the iPhone’s contents will be used against her, or against her boyfriend.

It’s also not clear why law enforcement hasn’t used the “gummy bear technique” to open the phone, which would not force Bkhchadzhyan to lift a finger but instead use fingerprints already provided as evidence, bypassing any question of Fifth Amendment violations. Is this simple technique too much effort or too complicated for today’s police force?

DISH TV techs to offer Apple iPhone repair service
Not authorized by Apple, mind you, but DISH TV will offer new service to their customers who use iPhones, including battery and screen replacements. The company anticipates offering the same limited repair services to Android users in the near future. This says something about the transition of content consumption from TV to mobile devices, and the use of mobile devices as TV and content controllers.

LuxLeakers in court this week – Luxembourg’s version of Panama Papers
Antoine Deltour and Raphael Halet, former PricewaterhouseCoopers’ employees, appear in court this week on charges they stole and leaked documents on many of PwC’s corporate clients — Accenture, Burberry, Icap, Ikea, Walt Disney Co., Heinz, JP Morgan, FedEx, Microsoft Corp.’s Skype, PepsiCo Inc., Procter & Gamble, Shire Pharmaceuticals to name a few. The documents outline the tax avoidance/evasion strategies employed by these firms with PwC’s assistance and Luxembourg’s implicit or tacit approval. This case should have as much impact as the Panama Papers as the corporations involved are quite large and the Luxembourg government is implicated.

Australia: Your human rights abuses suck, but we Americans have no room to talk
If you don’t watch Australian politics, you should. Aussies have forced approximately 900 refugees to remain indefinitely on Manus Island of Papua New Guinea and the island country of Nauru, which are little more than rocks in the middle of the ocean with penal colonies masquerading as refugee ‘welcome centers.’ The conditions have been wretched — and they must be if an outlet like Foreign Policy calls Australia’s practice ‘intolerable cruelty.’ Their captivity is now illegal according to PNG’s court, but the refugees are left without recourse. Two refugees have immolated themselves within the last week out of desperation. But Americans have not demanded Australia take the refugees because it would mean having to take some refugees here, too. Oh, and Gitmo — can’t point to island-based human holding pens without allowing other countries to point to Gitmo. Or our immigration detention and deportation processes.

That last bit — both of the immolated refugees were not offered immediate health care — is so disgusting and disheartening I can’t come up with anything more to write. Hope for a better day tomorrow, see you in the morning.

Monday Morning: Brittle

The Emperor’s Palace was the most splendid in the world, all made of priceless porcelain, but so brittle and delicate that you had to take great care how you touched it. …

— excerpt, The Nightingale from The Yellow Fairy Book by Andrew Lang

Last week I’d observed that Apple’s stock value had fallen by ~7% after its financial report was released. The conventional wisdom is that the devaluation was driven by Apple’s first under-performing quarter of iPhone sales, indicating weaker demand for iPhones going forward. Commenter Ian remarked that Apple’s business model is “brittle.” This perspective ignores the meltdown across the entire global stock market caused by China’s currency devaluation, disproportionately impacting China’s consumption habits. It also ignores great untapped or under-served markets across other continents yet to be developed.

But more importantly, this “wisdom” misses a much bigger story, which chip and PC manufacturers have also reflected in their sales. The video above, now already two years old, explains very neatly that we have fully turned a corner on devices: our smartphones are and have been replacing our desktops.

Granted, most folks don’t go through the hassle of purchasing HDMI+USB connectors to attach larger displays along with keyboards. They continue to work on their phones as much as possible, passing content to and from cloud storage when they need to work from a keyboard attached to a PC. But as desktops and their attached monitors age, they are replaced in a way that supports smartphones as our main computing devices — flatscreen monitors, USB keyboards and mice, more powerful small-footprint external storage.

And ever increasing software-as-a-service (SaaS) combined with cloud storage.

Apple’s business model isn’t and hasn’t been just iPhones. Not since the debut of the iPod in October 2001 has Apple’s business model been solely focused on devices and the operating system required to drive them. Heck, not since the debut of iTunes in January 2001 has that been true.

Is there a finite limit to iPhones’ market? Yeah. Same for competing Android-driven devices. But is Apple’s business just iPhones? Not if iTunes — a SaaS application — is an indicator. As of 2014, there were ~66 million iPhones in the U.S., compared to ~800 million iTunes users. And Apple’s current SaaS offerings have exploded over time; the Apple store offers millions of apps created by more than nine million registered developers.

At least nine million registered developers. That number alone should tell you something about the real business model.

iPhones are a delivery mechanism, as are Android-based phones. The video embedded above shows just how powerful Android mobile devices can be, and the shift long underway is not based on Apple’s platform alone. If any business model is brittle right now, it’s desktop computing and any software businesses that rely solely on desktops. How does that change your worldview about the economy and cybersecurity? Did anyone even notice how little news was generated about the FBI accessing the San Bernardino shooter’s PCs? Was that simply because of the locked Apple iOS account, or was it in part because the case mirrored society’s shift to computing and communications on mobile devices?

File under ‘Stupid Michigan Legislators’: Life sentences for automotive hackers?
Hey. Maybe you jackasses in Michigan’s state senate ought to deal with the permanent poisoning of nearly 8000 children in Flint before doing something really stupid like making one specific kind of hacking a felony worthy of a life sentence. And maybe you ought to do a little more homework on hacking — it’s incredibly stupid to charge a criminal with a life sentence for a crime as simple as entry permitted by wide-open unlocked doors. Are we going to allocate state money to chase hackers who may not even be in this country? Are we going to pony up funds for social media monitoring to catch hackers talking about breaching wide-open cars? Will this law deter citizen white hats who identify automakers’ vulnerabilities? File this mess, too, under ‘Idiotic Wastes of Taxpayers’ Money Along with Bathroom Legislation by Bigots’. This kind of stuff makes me wonder why any smart people still live in this state.

File this, too, under ‘Stupid Michigan Legislators’: Lansing Board of Water and Light hit by ransomware
Guess where the first ransomware attack on a U.S. utility happened? Do I need to spell it out how ridiculous it looks for the electric and water utility for the state’s capital city to be attacked by ransomware while the state’s legislature is worrying about who’s using the right bathroom? Maybe you jackasses in Lansing ought to look at funding assessment and security improvements for ALL the state’s utilities, including both water safety and electricity continuity.

Venezuela changes clocks to reduce electricity consumption
Drought-stricken Venezuela already reduced its work week a month ago to reduce electricity demand. Now the country has bumped its clocks forward by 30 minutes to make more use of cooler early hours during daylight. The country has also instituted rolling blackouts to cut back on electricity. Cue the right-wing pundits claiming socialism has failed — except that socialism has absolutely nothing to do with a lack of rainfall to fill reservoirs.

Coca Cola suing for water as India’s drought deepens
This is a strong piece, worth a read: Whose Water Is It Anyway?

After a long battle, the UN declared in 2010 that clean water was a fundamental right of all citizens. Easier said than done. The essential, alarming question has become, ‘Who does the groundwater belong to?’ Coca Cola is still fighting a case in Kerala where the farmers rebelled against them for using groundwater for their bottling plants. The paddy fields for miles around dried up as water for Coke or the company’s branded bottled water was extracted and transported to richer urban consumers.

Who did that groundwater belong to? Who do our rivers belong to? To the rich and powerful who can afford the resources to draw water in huge quantities for their industries. Or pollute the rivers with effluent from their industries. Or transport water over huge distances at huge expense to turn it into profit in urban areas.

Justus Rosenberg: One of Hannah Arendt’s rescuers
Ed Walker brought this piece to my attention, a profile of 95-year-old Justus Rosenberg featured in this weekend’s New York Times. I love the last two grafs especially; Miriam Davenport characterized Rosenberg as “a nice, intelligent youngster with no family, no money, no influence, no hope, no fascinating past,” yet he was among those who “…were a symbol of sorts, to me, in those days […] Everyone was moving Heaven and earth to save famous men, anti-fascist intellectuals, etc.” Rosenberg was a superhero without a cape.

That’s our week started. See you tomorrow morning!

Notorious “FOIA Terrorist” Jason Leopold “Saves” FBI Over $300,000

Last week, Jim Comey suggested the FBI paid more for the vulnerability that helped it break into Syed Rizwan Farook’s phone than he will be paid for the 7 years he’ll remain at FBI. The WSJ then did this math.

Speaking at the Aspen Security Forum in London, FBI Director James Comey didn’t cite a precise figure for how much the government paid for the solution to cracking the phone but said it was more than his salary for the seven-plus years remaining in his term at the FBI.

His annual salary is about $180,000 a year, so that comes to $1.26 million or more.

“[We] paid a lot” for the hacking tool, Mr. Comey said. “But it was worth it.”

Over 600 outlets covered that story, claiming — without further confirmation — that FBI paid over $1 million for the hack, with many accounts settling on $1.3 million.

I noted at the time that 1) Jim Comey has a history of telling untruths when convenient and 2) he had an incentive to exaggerate the cost of this exploit, because it would pressure Congress to pass a bill, like the horrible Burr-Feinstein bill, that would force Apple and other providers to help law enforcement crack phones less expensively. I envisioned this kind of exchange at a Congressional hearing:

Credulous Congressperson: Wow. $1M. That’s a lot.

Comey: Yes, you’ll need to triple our budget or help me find a cheaper way.

Lonely sane Congressperson: But, uh, if we kill security won’t that be more expensive?

Comey: Let me tell you abt time I ran up some steps.

I then mused that, because Comey had officially acknowledged paying that kind of figure, it would make it a lot easier to FOIA the exact amount. By the time I tweeted that thought, of course, Jason Leopold had already submitted a FOIA for the amount.

Sure enough, the outcome I figured has already happened: without offering an explanation for the discrepancy, Mark Hosenball reported today that the figure was actually under $1 million, and FBI will be able to use it on other phones.

The FBI paid under $1 million for the technique used to unlock the iPhone used by one of the San Bernardino shooters – a figure smaller than the $1.3 million the agency’s chief initially indicated the hack cost, several U.S. government sources said on Thursday.

The Federal Bureau of Investigation will be able to use the technique to unlock other iPhone 5C models running iOS 9 – the specifications of the shooter’s phone – without additional payment to the contractor who provided it, these people added.

Just one FOIA submission later (and, probably, the calls of a bunch of outraged members of Congress wondering why FBI paid $1.3 million for a hack they claimed, in explaining why they would not submit the hack to the Vulnerabilities Equity Process that might require them to share it with Apple nine months after Apple patched it, they didn’t understand at all), and all of a sudden this hack is at least $300,000 less expensive (and I’m betting a lot more than that).

You see how effective a little aggressive FOIAing is at reining in waste, fraud, and abuse?

A pity it can’t reverse the impact of all those credulous reports repeating Comey’s claim.

Friday Morning [?!]: Chamber of Delights

It’s Friday. FINALLY. And it’s jazz exploration day, too. Today we sample some chamber jazz, here with Meg Okura and the Pan Asian Chamber Ensemble.

It. Me. That is to say, of all genres, this one feels most like a part of myself. Here’s another chamber jazz favorite — Quarter Chicken Dark from The Goat Rodeo Sessions. And another — Model Trane, the first cut in this linked video by Turtle Island Quartet.

You can see and hear for yourself what makes chamber jazz different from other genres: chamber instruments used in classical music to perform jazz.

Whew, I needed this stuff. Hope you like it, too, though I know it’s not everybody’s cup of tea.

My morning was overbooked, only have time today for a few things that caught my eye.

Encryption and privacy issues

Go To Jail Indefinitely card for suspect who won’t unlock hard drives (Naked Security) — Seems odd this wasn’t the case the USDOJ used to force cracking of password-protected accounts on devices, given the circumstances surrounding a less-than-sympathetic defendant.

Amicus brief by ACLU and EFF for same case (pdf – Ars Technica)

Supreme Court ruling extends reach of FBI’s computer search under Rule 41 (Bloomberg) — Would be nice if the Email Privacy Act, now waiting for Senate approval, addressed this and limited law enforcement’s overreach.

Climate change and its secondary effects

India’s ongoing drought now affects 330 million citizens, thousands have died from heat and dehydration (Oneindia) — 330 million is slightly more people than the entire U.S. population. Imagine what could happen if even one or two percent of these affected fled the country as climate refugees.

Tiger poaching in India dramatically increased over last year (Phys.org) — Have to ask if financial stress caused by drought encouraged illegal killing of tigers, now that more tigers have been poached this year to date compared to all of last year. Are gains in tiger population now threatened by primary and secondary effects of climate change?

Though severe El Nino deepened by climate change causes record drought now, an equally deep La Nina could be ahead (Phys.org) — Which could mean dramatic rains and flooding in areas where plant growth has died off, leaving little protection from water runoff. Are any governments planning ahead even as they deal with drought?

Hope your weekend is pleasant — see you Monday morning!

Thursday Morning: Mostly Cloudy with a Chance of Trouble

This video came from a random browse for new artists. I don’t know yet if I have an opinion; first minute is rocky, but improves. Think I need to sample some more by this artist. You can find Unknown Mortal Orchestra on SoundCloud.com if you want to sample more without the video — I do like the cover of Sitting on the Dock of the Bay. Verdict still out on the more experimental atmospheric stuff.

Looking for more trouble…

House passed Email Privacy Act (H.R. 699) 419-0
Sampling of reports: Phys.org | Reuters  |  Forbes

A few opinions: ACLU | EFF  |  Americans for Tax Reform

Wow. An issue everybody could love. Do read the Forbes bit as they had the most objections. Caveat: You may have to see John Stossel’s mug if you read the ATR’s opinion.

Next up: Senate, which is waffling thanks to Grassley

But it was unclear if Senate Judiciary Committee Chairman Chuck Grassley, who holds jurisdiction over the legislation, intends to move it forward during an election year.

The Iowa Republican will review the House bill, consult with stakeholders and his committee “and decide where to go from there,” a spokeswoman told Reuters in an email.

Apple crisp

  • Apple’s stock tanked yesterday falling 7% in response to a drop in demand for iPhones; Apple suppliers likewise took a hit. Come on, there’s a finite number of smartphone users, and the limit must be reached some time. Shouldn’t have rattled the market so much — not like the market didn’t notice China’s market woes and subsequent retrenchment of purchasing over the last 6 months, too.
  • FBI said it wouldn’t disclose the means by which a “grey hat hacker” cracked the San Bernardino shooter’s work-issued iPhone 5c. Wouldn’t, as in couldn’t, since the FBI didn’t acquire intellectual property rights to the method. Hmm.
  • Coincidentally, FBI notified Apple of a vulnerability in older iPhones and Macs, though an unnamed source said the problem had already been fixed in iOS 9 and in Mac OS X El Capitan. Nice of FBI to make an empty gesture validate the problem.
  • And because I mentioned it, Apple Crisp. I prefer to use Jonathans and Paula Reds in mine.

Malware everywhere

  • The Gundremmingen nuclear power plant in Bavaria found malware in computers added in 2008, connected to the fuel loading system. Reports say the malware has not posed any threat, though an investigation is under way to determine how the plant was infected. Not many details in German media about this situation — timing and method of discovery aren’t included in news reports.
  • A report by Reuters says the malware was identified and includes “W32.Ramnit” and “Conficker” strains. The same report implies the malware may have been injected by devices like USB sticks found in the plant, though the report does not directly attribute the infection to them.
  • BONUS: Reuters quoted cybersecurity expert Mikko Hypponen of F-Secure about the nuclear plant’s infection — but Hypponen elaborated on the spread of viruses, saying that

    he had recently spoken to a European aircraft maker that said it cleans the cockpits of its planes every week of malware designed for Android phones. The malware spread to the planes only because factory employees were charging their phones with the USB port in the cockpit.

    Because the plane runs a different operating system, nothing would befall it. But it would pass the virus on to other devices that plugged into the charger.

    Pretty sure Reuters hadn’t counted on that tidbit.

  • Given their report on Gundremmingen’s infection, it’s odd that Reuters’ op-ed on the state of nuclear safety post-Chernobyl made zero reference to cybersecurity of nuclear facilities.

Miscellanea

  • Online gaming community Minecraft “Lifeboat” breach exposed 7 million accounts (NetworkWorld) — Minecraft took its time notifying users because it says it didn’t want to tip off hackers. Wonder how many of these accounts belonged to minors?
  • On the topic of games, feckless Sony leaks like a sieve again, tipping off new game (Forbes) — Jeebus. Sony Group’s entire holding company bleeds out information all the time. This latest leak is about the next version of Call of Duty. Not certain which is more annoying: yet another Sony leak, or that “Infinite Warfare” is the name of the game.
  • Open source AI consortium OpenAI shows a bit of its future direction (MIT Technology Review) — Looks like the near term will be dedicated to machine learning.
  • Just another pretty face on Cruz’ ticket may bring conflict on H-1B visas (Computerworld) — Seems Cruz wants to limit low-cost H-1B labor, and new VP choice Fiorina is really into offshoring jobs. Commence headbutting. (By the way, I’m being snarky about ‘another pretty face.’ They deserve each other.)

I may have to quit calling these morning roundups given all the scheduling issues I have on my hands right now. At least it’s still morning in Alaska and Hawaii. Catch you here tomorrow!

Wednesday Morning: Lüg mich an, Lügner

I admit freely my facility with the German language is poor. I hope this post’s headline reads, “Lie to me, Liar.” Which is about as close as I could get to “Lying Liars” because I can’t conjugate the verb ‘to lie.’

~shrug~

It’s not like anybody’s paying me for this, unlike the lying liars at Volkswagen who’ve been paid to deceive the public for a decade. This video presentation featuring Daniel Lange and Felix Domke — a security consultant and an IT consultant, respectively, who reverse engineered VW’s emissions control cheat — is a bit long, but it’s chock full of unpleasant truths revealing the motivations behind VW’s Dieselgate deceptions. The video underpins the cheat outlined in a 2006 VW presentation explaining how to defeat emissions tests.

The one problem I have with this video is the assumption that the fix on each of the affected vehicles will be $600. Nope. That figure is based on how much has been set aside for the entire Dieselgate fix, NOT the actual cost to repair the vehicles.

Because if VW really fixed the vehicles to match the claims they made when they marketed and sold these “clean diesel” passenger cars, it’d cost even more per vehicle. I suspect one of the motivations behind inadequate reserves for a true repair is a reluctance to disclose to competitors how much emissions standards-meeting “clean diesel” really costs.

And of course, avoiding more stringent calculations also prevents an even bigger hit to the company’s stock price, which might affect the pockets of some board members and executives rather disproportionately to the rest of the stock market.

Just how closely that figure per car hews to the agreement with the court this past week will be worth noting, since the video was published in December last year.

But now for the much bigger, even more inconvenient Lügner Lügen: This entire scandal exposes the fraud that is the U.N. Framework Convention on Climate Change Paris agreement.

We know a small nonprofit funded research by a tiny group of academics exposing VW’s emissions controls defeat. We know this set off a cascade of similar analysis, exposing even more cheating by more automobile manufacturers.

But why are we only now finding out from nonprofits and academics about this fraud? Didn’t our elected representatives create laws and the means for monitoring compliance as well as enforcement? Why aren’t governments in the U.S. and the EU catching these frauds within a year of their being foisted on the public?

These questions directly impact the Paris agreement. We’re not starting where emissions standards have been set and where the public believes conditions to be, but at real emissions levels. In other words, we are digging out of a massive pollution hole.

Our elected officials across the world will avoid funding the dig-out; they’ll continue another layer of lies to prevent removal from office. And we can reasonably expect from them only what they’ve done so far, which Dieselgate has proven to be little.

For that matter, Flint’s water crisis has much in common with Dieselgate, relying on academic research and nonprofit entities to reveal mortal threats to the community. Flint’s crisis showed us government at all levels can be even worse at writing laws, monitoring compliance, and subsequent enforcement.

If the public cannot expect government to do the job it believes it elected them to do over the last several decades, how ever can they expect their government to enact the terms of the Paris agreement? How can we expect third world countries to reduce carbon emissions to save the world from the devastation of climate change while we and our governments continue to ignore corporations’ ongoing deceptions?

No roundup today, gang. I strongly recommend watching the video above. Thanks to BoingBoing for linking to it.
