Cybersecurity

Cyber-Goggles: When China’s Tool Box Looks Like a Pile of Cyber-Hammers

Last week, the cybersecurity firm FireEye released a report largely declaring victory over Chinese cyberspying. The report itself is suspect. It spends two pages talking about internal issues — such as Xi Jinping’s efforts to consolidate power in China — then throws in a timeline designed to suggest that actions the US has taken have led to a decline in spying.

The timeline itself is problematic, as it presents both indictments — of some People’s Liberation Army hackers targeting industrial companies and one union, and of Chinese businessman Su Bin — as IP hacks.

In May 2014, the U.S. Department of Justice indicted five PLA officers, marking the first time that the U.S. Government has charged foreign government personnel with crimes related to commercial cyber espionage. Although China warned that the move “jeopardizes China U.S. cooperation,” the Department of Justice indicted another Chinese national, Su Bin, the following August for allegedly orchestrating a cyber-enabled economic espionage operation targeting U.S. defense companies.

Neither should be classified so easily (though the press has irresponsibly done so, especially with respect to the PLA indictment). As I have laid out, with one exception the PLA indictment covered the theft of information pertaining to ongoing trade negotiations — something the US engages in aggressively — the exception being the theft of trade information that China might have gotten anyway as part of a long-standing nuclear technology transfer deal with the target, Westinghouse. And while Su personally profited off his spying (or that’s what he said as part of pleading guilty), the targeted items all have a military purpose.

Without any internal evidence to back the case, FireEye declares that these indictments (the former of which, at least, relies on intelligence shared by FireEye division Mandiant) had an effect in China.

In 2014, the U.S. Government began taking punitive measures against China, from indicting members of the PLA to raising the possibility of sanctions. These unprecedented measures, though met with skepticism in the U.S., have probably been taken much more seriously in Beijing.

[snip]

In 2013, when we released the APT1 report exposing a PLA cyber espionage operation, it seemed like a quixotic effort to impede a persistent, well-resourced military operation targeting global corporations. Three years later, we see a threat that is less voluminous but more focused, calculated, and still successful in compromising corporate networks. Rather than viewing the Xi-Obama agreement as a watershed moment, we conclude that the agreement was one point amongst dramatic changes that had been taking place for years. We attribute the changes we have observed among China-based groups to factors including President Xi’s military and political initiatives, the widespread exposure of Chinese cyber operations, and mounting pressure from the U.S. Government.

The report then shows an impressive decline of perceived attacks. But even there, there’s no granularity given about where FireEye is seeing the decline (or whether these numbers might rise as it responds to attacks on companies that will call FireEye in for hacks that started months or years ago). Again, in its description of the ongoing attacks, FireEye includes a lot of things that every country but the US would consider to be clear national defense hacks.

In the wake of the report, there have been some even more overheated victory laps about the success of the US-Chinese agreement in 2015, as well as this utterly absurd piece insisting that the US doesn’t engage in economic espionage. The piece is particularly nonsensical for how it uses evidence from Snowden.

More importantly, the U.S. does not steal information to give to its companies, as a rule. That none of the documents released from the vast trove of material pilfered by Edward Snowden points to this kind of commercial espionage is indicative. Those who control the Snowden documents are eager to release anything that would harm the U.S., yet they have not yet produced an example of information being given to a U.S. company.

[snip]

What we know of American espionage against foreign companies (thanks to Snowden) is that the intent of the espionage against commercial targets is to support other American policies: non-proliferation, sanctions compliance, trade negotiations, foreign corrupt practices, and perhaps to gain insight into foreign military technologies.  The U.S. as well as other nations who care about such things regard these as legitimate targets for spying—legitimate in the sense that this kind of espionage would be consistent with international law and practice.  This spying supports foreign policy goals shared by many countries, in theory if not always in practice.

I say that because there’s no evidence from most domestic companies that NSA interacts with — not the Defense contractor targeted in a cyber powerpoint, and certainly not any of the telecoms that partner with the government. You would, by definition, not see evidence of what you’re claiming. Moreover, ultimately, this is a retreat back to a fetish, the description of certain things to be a national good (like the trade negotiations we’ve indicted China for), but not others.

Ultimately, American commentators on cybersecurity continue to misunderstand the degree to which our corporations — especially our federal partners — cannot and are not in practice separated from a vision of national good. Though discussions about the degree to which tech companies should be willing to risk overseas customers to spy without bound is one area where that’s assumed, even to the detriment of the tech company bottom lines.

Here’s what all this misses. There is spying of the old sort: spying on official government figures. And then there are decisions supporting national well-being (largely economics) that all countries engage in, pushing the set of rules that help them the most.

Discussions of China’s cyberspying have always been too isolated from discussions of China’s other national economic decisions. China steals just as much from US corporations located in China, but no one seems to care about that as a national security issue. And China buys a great deal, and has been buying a lot more of the things that it used to steal. The outcome is the same, yet we fetishize the method.

Which is why I find this so ironic.

A Chinese billionaire with party connections last year purchased the company, Wright USA, that insures a lot of national security officials in case they get sued or criminally investigated.

The company, Wright USA, was quietly acquired late last year by Fosun Group, a Shanghai-based conglomerate led by Guo Guangchang, a billionaire known as “China’s Warren Buffett” who has high-level Communist Party connections.

The links between Guo and Wright USA came under scrutiny by the Treasury Department’s Committee on Foreign Investment in the United States, as well as the Office of Director of National Intelligence, the coordinating body of all U.S. spy agencies, soon after Fosun announced the purchase of Wright’s parent company last November. The FBI has also launched a criminal probe into whether the company made “unauthorized disclosures of government data to outsiders,” according to a well-placed source, who like others, spoke to Newsweek on condition of anonymity because the information was sensitive.

(The FBI declined to comment, and Fosun denies the FBI has asked it for any documents.)

U.S. officials are concerned that the deal gave Chinese spy agencies a pipeline into the names, job titles, addresses and phone numbers of tens of thousands of American intelligence and counterterrorism officials—many working undercover—going back decades.

This happened after the Chinese acquired the medical records and clearance records of most of America’s cleared personnel via the kind of cybertheft everyone seems to agree is old-fashioned spying. And yet a Chinese firm was able to buy something equally compromising right out from underneath the spooks who oversee such things.

China will get what it wants via a variety of means: stealing domestically when Americans come to visit, stealing via hack, or simply buying. That we treat these differently is just a fetish, and one that seems to blind us to the multiple avenues of threat.

FBI Still Not Counting How Often Encryption Hinders Their Investigations

The annual wiretap report is out. The headline number is that wiretaps have gone up, and judges still don’t deny any wiretap applications.

The number of federal and state wiretaps reported in 2015 increased 17 percent from 2014.   A total of 4,148 wiretaps were reported as authorized in 2015, with 1,403 authorized by federal judges and 2,745 authorized by state judges.  Compared to the applications approved during 2014, the number approved by federal judges increased 10 percent in 2015, and the number approved by state judges increased 21 percent.  No wiretap applications were reported as denied in 2015.

The press has focused more attention on the still very small number of times encryption thwarts a wiretap.

The number of state wiretaps in which encryption was encountered decreased from 22 in 2014 to 7 in 2015.  In all of these wiretaps, officials were unable to decipher the plain text of the messages.  Six federal wiretaps were reported as being encrypted in 2015, of which four could not be decrypted.  Encryption was also reported for one federal wiretap that was conducted during a previous year, but reported to the AO for the first time in 2015.  Officials were not able to decipher the plain text of the communications in that intercept.

Discussing the number — which doesn’t include data at rest — on Twitter got me to look at something that is perhaps more interesting.

Back in July 2015, 7 months into the period reported on today, Deputy Attorney General Sally Yates and FBI Director Jim Comey testified in a “Going Dark” hearing. Over the course of the hearing, they admitted that they simply don’t have the numbers to show how big a problem encryption is for their investigations, and they appeared to promise to start counting that number.

Around January 26, 2016 (that’s the date shown for document creation in the PDF) — significantly, right as FBI was prepping to go after Syed Rizwan Farook’s phone, but before it had done so — Comey and Yates finally answered the Questions for the Record submitted after the hearing. After claiming, in a response to a Grassley question on smart phones, “the data on the majority of the devices seized in the United States may no longer be accessible to law enforcement even with a court order or search warrant,” Comey then explained that they do not have the kind of statistical information Cy Vance claims to keep on phones they can’t access, explaining (over five months after promising to track such things),

As with the “data-in-motion” problem, the FBI is working on improving enterprise-wide quantitative data collection to better explain the “data-at-rest” problem.

[snip]

As noted above, the FBI is currently working on improving enterprise-wide quantitative data collection to better understand and explain the “data at rest” problem. This process includes adopting new business processes to help track when devices are encountered that cannot be decrypted, and when we believe leads have been lost or investigations impeded because of our inability to obtain data.

[snip]

We agree that the FBI must institute better methods to measure these challenges when they occur.

[snip]

The FBI is working to identify new mechanisms to better capture and convey the challenges encountered with lawful access to both data-in-motion and data-at-rest.

Grassley specifically asked Yates about the Wiretap report. She admitted that DOJ was still not collecting the information it promised back in July.

The Wiretap Report only reflects the number of criminal applications that are sought, and not the many instances in which an investigator is dissuaded from pursuing a court order by the knowledge that the information obtained will be encrypted and unreadable. That is, the Wiretap Report does not include statistics on cases in which the investigator does not pursue an interception order because the provider has asserted that an intercept solution does not exist. Obtaining a wiretap order in criminal investigations is extremely resource-intensive as it requires a huge investment in agent and attorney time, and the review process is extensive. It is not prudent for agents and prosecutors to devote resources to this task if they know in advance the targeted communications cannot be intercepted. The Wiretap Report, which applies solely to approved wiretaps, records only those extremely rare instances where agents and prosecutors obtain a wiretap order and are surprised when encryption prevents the court-ordered interception. It is also important to note that the Wiretap Report does not include data for wiretaps authorized as part of national security investigations.

These two answers lay out why the numbers in the Wiretap Report are of limited value in assessing how big a problem encryption is.

But they also lay out how negligent DOJ has been in responding to the clear request from SJC back in July 2015.

House Homeland Security Committee Apparently Knows Little about Homeland Security

Here are the first 36 words of an otherwise useful House Homeland Security Committee report on encryption:

Public engagement on encryption issues surged following the 2015 terrorist attacks in Paris and San Bernardino, particularly when it became clear that the attackers used encrypted communications to evade detection—a phenomenon known as “going dark.”

The statement has grains of truth to it. It is true that engagement on encryption surged following the Paris attacks, largely because intelligence committee sources ran around assuming (and probably briefing the White House) that encryption must explain why those same intelligence committee sources had missed the attack. It surged further months later when FBI chose to pick a fight with Apple over Syed Rizwan Farook’s work phone which — it was clear from the start — had no evidence relating to the attack on it.

It is also true that ISIS had been using Telegram leading up to the Paris attack; in its wake, the social media company shut down a bunch of channels tied to the group. But there has never been a public claim the plotters used Telegram to plan their attack.

It is also true that an ISIS recruit, arrested and interrogated months before the Paris attack, had told French authorities he had been trained to use a Truecrypt key and an elaborate dead drop method to communicate back to Syria.

But it is not true that the Paris attackers used encryption to hide their plot. They used a great many burner phones, a close-knit network (and with it face-to-face planning), and an unusual dialect. But even the one phone that had an encrypted product loaded on it was not using that service.

It is also not true that the San Bernardino attackers used encryption to evade detection. They used physical tools to destroy the phones presumably used to plan the attack. They hid a hard drive via some other, unidentified means. But the only known use of encryption — the encryption that came standard on Farook’s work phone — was shown, after the FBI paid to bypass it, not to be hiding anything at all.

Now it’s possible there was encryption involved in these attacks we don’t know about, that HLSC has gotten classified briefings on. But even if there was, it could not very well have led to a public surge of engagement last year, because it would not be public.

There are reasons to discuss encryption. But factually false claims about terrorists’ use of encryption are not among those reasons.

h/t to Access Now’s Nathaniel White, who pointed out this bogosity on Twitter.

Update: See this Grugq post laying out what little encryption ISIS has been known to use in any attack.

Wednesday: Wandering

All that is gold does not glitter; not all those who wander are lost.

— excerpt, The Lord of the Rings by J. R. R. Tolkien

It’s a lovely summer day here, cool and dry. Perfect to go walkabout, which I will do straight away after this post.

Hackety-hack-hack, Jack

  • Spearphishing method used on HRC and DNC revealed by security firm (SecureWorks) — Here’s their report, but read this Twitter thread if you don’t think you can handle the more detailed version. In short, best practice: DON’T CLICK ON SHORTENED LINKS using services like Bitly, which mask the underlying URL.
  • Researchers show speakerless computers can be hacked by listening to fans (arXiv.org) — Air-gapping a computer may not be enough if hackers can listen to fan operation to obtain information. I’ll have to check, but this may be the second such study.
  • Another massive U.S. voter database breached (Naked Security) — This time 154 million voters’ data exposed, revealing all manner of details. 154M is larger than the number of voters in the 2012 general election, though smaller than the 191M voters’ records breached in December. At least this time the database owner slammed the breach shut once they were notified of the hole by researcher Chris Vickery. Nobody’s fessed up to owning the database involved in the December breach yet.
  • Speaking of Vickery: Terrorism database leaked (Reddit) — Thomson-Reuters’ database used by governments and banks to identify and monitor terrorism suspects was leaked (left open?) by a third party. Vickery contacted Thomson-Reuters which responded promptly and closed the leak. Maybe some folks need to put Vickery on retainer…
  • Different kind of hack: Trump campaign hitting up overseas MPs for cash? Or is he? (Scotsman) — There are reports that Trump’s campaign sent fundraising emails received by elected representatives in the UK and Iceland. Based on what we know now about the spearphishing of HRC and DNC, has anybody thought to do forensics on these emails, especially since government officials are so willing to share them widely? Using these kinds of emails would be a particularly productive method to spearphish government and media at the same time, as well as map relationships. Oh, and sow dissension inside the Trump family, urm, campaign. On the other hand, lack of response from Trump and team suggests it’s all Trump.

Makers making, takers taking

  • Apple granted a patent to block photo-taking (9to5Mac) — The technology relies on detecting infrared signals emitted when cameras are used. There’s another use for the technology: content can be triggered to play when infrared signal is detected.
  • Government suppressing inventions as military secrets (Bloomberg) — There’s merit to this, preventing development of products which may undermine national security. But like bug bounties, it might be worth paying folks who identify methods to breach security; it’s a lot cheaper than an actual breach, and a bargain compared to research detecting the same.
  • Google wants to make its own smartphone (Telegraph-UK) — This is an effort apart from development of the modular Ara device, and an odd move after ditching Motorola. Some tech industry folks say this doesn’t make sense. IMO, there’s one big reason why it’d be worth building a new smartphone from the ground up: security. Google can’t buy an existing manufacturer without a security risk.
  • Phonemaker ZTE’s spanking for Iran sanction violations deferred (Reuters) — This seems kind of odd; U.S. Commerce department agreed to a reprieve if ZTE cooperated with the government. But then think about the issue of security in phone manufacturing and it makes some sense.

A-brisket, a Brexit

  • EU health commissioner Andriukaitis’ response to Nigel Farage’s insulting remarks (European Commission) — Farage prefaced his speech to European Commissioners yesterday by saying “Most of you have never done a proper day’s work in your life.” Nice way to win friends and influence people, huh? Dr. Vytenis Andriukaitis is kinder than racist wanker Farage deserves.
  • Analysis of next couple years post-Brexit (Twitter) — Alex White, Director of Country Analysis at the Economist Intelligence Unit, offers what he says is “a moderate/constructive call” with “Risks definitely to the downside not to the upside.” It’s very ugly, hate to see what a more extreme view would look like. A pity so many Leave voters will never read him.

Follow-up: Facebook effery
Looks like Facebook’s thrown in the towel on users’ privacy altogether, opening personal profiles in a way that precludes anonymous browsing. Makes the flip-flop on users’ location look even more sketchy. (I can’t tell you anymore about this from personal experience because I gave up on Facebook several years ago.)

Happy hump day!

Monday: Fierce Dog

Hunger and fear are the only realities in dog life: an empty stomach makes a fierce dog.

— excerpt, personal journal of Capt. Robert Falcon Scott

This short film by Aaron Dunleavy was inspired by his childhood in Blackburn, Lancashire UK. The script was improvised and cast using locals.

All districts in Lancashire voted Leave during last week’s Brexit referendum, with 65% of Blackburn voters supporting Leave.

Worth noting an article in Lancashire Telegraph about an Aldi’s store under construction. Aldi’s is a German-owned grocery store chain; have to wonder if construction will be completed.

Brexit botch bits

  • @shockproofbeats on Brexit’s impact on Northern Ireland (Storify) — It’s messy now and promises to be even uglier.
  • Downside for China (and other foreign investors): Real estate purchases may be put on hold (SCMP) — Some deals in the works may be halted until the pound is more stable. On the other hand, Britain may step in and put the brakes on sales; too easy for overseas entities with big money to buy up property while pound is depressed.
  • Upside for China (and other banking centers): Business could pick up in Hong Kong (SCMP) — London is the second largest trading center of yuan next to Hong Kong; some of the business could shift back to Hong Kong, especially if HSBC bank chooses to relocate its headquarters to HK from London.
  • No change in position on Brexit referendum since last Friday according to PM David Cameron (Independent-UK) — Though Cameron is now going to leave in September. He continued to push triggering of Article 50 to his successor while taking pot shots at the Labour Party over its purge this weekend. Not certain most Americans will notice just how Cameron has managed to shift the blame to both MPs and the people for a referendum he proposed, or how he has turned execution of Article 50 into a poisoned chalice. Lord Chancellor and Secretary of State for Justice Michael Gove, Leave campaign proponent, was present at today’s session in Parliament but said nothing before disappearing. Boris Johnson, MP for Uxbridge and South Ruislip and Leave campaign proponent, was noticeably absent. Wankers all three.

SCOTUS Week
Waiting around watching the court for good or ill until this morning is kind of like waiting for Shark Week — hey, it IS Shark Week! What a coincidence!

Miscellaneous trouble

Promises to be a busy week ahead. Stay tuned!

Wednesday: Get Bach

Summer bug laid me up. I’m indulging in the audio equivalent of tea with honey, lemon, and a shot of something to scare away the bug. A little cello playing by Yo-Yo Ma never fails to make me feel better.

This sweet video is enlightening, didn’t realize Ma had an older sister who was an accomplished musician at a tender age. Worthwhile to watch this week considering the blizzard of arguments about immigrants and refugees here and abroad.

And then for good measure, a second favorite added in the mix — Yo-Yo Ma and Itzhak Perlman together, performing Beethoven’s Triple Concerto Fantasy.

There. I feel a little better already.

Probably better than frustrated House Democrats led by Rep. John Lewis who are engaging in a sit-in protest on House floor demanding a vote on No-Fly-No-Buy gun control. If you want to watch the action, you’ll have to check social media. It’s said House GOP leadership ensured CSPAN cameras were shut off.

Diesel do you

  • Volkswagen streamlining offerings to cut costs, 40 makes on the chopping block (Bloomberg) — This is the old General Motors play that eventually killed Oldsmobile and Pontiac to reduce costs related to duplicative brands. Makes sense, especially if this hatchet job kills passenger diesels. Note the story says a fix may come later — uh-huh, like never? Because VW can’t handle the volume of required repairs OR the lack of actual clean diesel technology, OR both?
  • Testimony in S Korea: VW’s upper management may have ordered regulatory cheats (The Hankyoreh) — Story is focused on emissions controls defeat and approval process, but sound controls were also an issue in South Korea. Were those likewise suppressed by order of VW’s German head office?
  • Former CEO under investigation for securities fraud (Reuters) — Big investors want to know why it took a year for Winterkorn to act after the emissions controls defeat was made public by researchers. Bet there’s a link between Winterkorn’s notification of researchers’ findings and the destruction of emails.

Sigh, cyber, sigh

Wait, what?
Did you know Led Zeppelin is being sued over Stairway to Heaven? Allegedly a key riff in the famous 40-year-old tune was stolen, violating copyright. Forty years. ~smh~

Going back to a recumbent position. Stay braced for the outcome of the sit-in and Brexit vote tomorrow.

Monday: Buckle up, Buttercup

After my Go-Team-Yay-Space post yesterday, it’s time for a Monday morning reality check. Going to Mars will not be a panacea to our ills, as this darkly humorous animated short, Fired on Mars by Nick and Nate, shows. On the other hand, SpaceX’s Elon Musk offers an upside while acknowledging the inherent risk of space travel and colonization: “If you’re going to choose a place to die, then Mars is probably not a bad choice.”

Certainly beats an undignified extinction by drowning on earth, eh?

We may not be leaving the planet today, but you’d best buckle up anyhow. This week’s going to be a doozy.

Brexit, Brexit, Brexit
Say that in your best Jan Brady voice — Brexit will suck all the oxygen out of this week’s market news. I’m afraid to look at the stock market at all because of it. Euronews has a roundup on the topic (though I warn you, it’s poorly formatted — keep scrolling down the page and increase print size). I’m not posting any other UK-based links here now because it’s quite obvious each media outlet has a position and their coverage reflects it. Most blatantly obvious are those owned by Rupert Murdoch’s Newsgroup, which has prompted some angry murmurs about an Aussie living in the U.S. telling the UK what to do.

Disturbing: Mexico’s federal police fire on teachers’ protest rally
I say disturbing for two reasons: first, that a democratic government’s federal police would fire on protesters supporting the CNTE teachers’ union and actively deny it happened is appalling, and second, that its neighbor’s media would ignore that it happened. Teachers and supporters have been rallying in the state of Oaxaca, protesting the government’s education reform plan, characterized by some as neoliberal. It was clear from the outset that the government was in no mood to listen, given the number of riot police in place. The protests followed the detention/disappearance days earlier by police of CNTE union leaders Francisco Manuel Villalobos Ricardez and Ruben Nuñez. Conditions degraded over the course of the day, with federal police firing upon protesters. Early accounts claimed six were killed, of which one may have been a journalist and two teacher trainees. President Enrique Pena Nieto’s government at first denied there was any violence, and then later claimed the Associated Press’ photos of the violence were false. There were enough social media reports documenting the violence on the ground to neutralize the government’s claim — and thank goodness for social media, or the U.S. would have heard very little if anything about this conflict. Not exactly the fiesta of democracy President Nieto promised when he took office in 2012. For more current information about the conflict, follow hashtags #Nochixtlan (district) and #Oaxaca in Twitter; already the death count is disputed as some claim more than eight died after yesterday’s attack by police on protesters.

It’s extremely important to remember the protesters’ anger and frustration are not merely about the ENP government’s reform plan. The 43 young men who disappeared in 2014 and are believed dead were students at a teachers’ college; the federal police have been implicated in the disappearance of these students. To date, the mass disappearance of these students has not been fully accounted for. Imagine the furor if such a mass disappearance were to happen in the U.S.

Cyber, cyber, cyber
LOL sorry, I’m on a Brady Bunch jag. Forgot to remind you last Tuesday was Patch Tuesday — make sure you’ve updated your Win-based systems if you do so manually. Can’t hurt to check all your other non-Win devices, too.

  • Adobe Flash zero day patch a higher priority than Microsoft’s monthly patch (TechTarget) — Again, if you manually patch, get to this one ASAP. I’m a manual Adobe patcher myself; I don’t automate patching because I want to know exactly how often Adobe must patch their products. It’s annoyingly often.
  • This is your brain on drugs: Too-smart identity thief busted (ABC3340-Birmingham) — Can’t tell if the drugs ate his intelligence, or if they deluded this dude. Read this, it’s like a bad episode of COPS mashed up with Monty Python.
  • SmartTVs not so smart, held ransom by Flocker (TrendLabs) — Leap of ransomware to Android smartTVs perfectly exemplifies the danger of connecting things to the internet. Interesting how this one deactivates based on select country locations. Yet another opportunity to sell protection software, too, as you’ll note in the article.

Your recommended long read: Apple’s Differential Privacy
Cryptography expert Matthew Green reviews Apple’s announcement this past week regarding development of “differential privacy,” which Apple defined as:

Starting with iOS 10, Apple is using Differential Privacy technology to help discover the usage patterns of a large number of users without compromising individual privacy. To obscure an individual’s identity, Differential Privacy adds mathematical noise to a small sample of the individual’s usage pattern. As more people share the same pattern, general patterns begin to emerge, which can inform and enhance the user experience. In iOS 10, this technology will help improve QuickType and emoji suggestions, Spotlight deep link suggestions and Lookup Hints in Notes.

This is worth your time to read, as differential privacy suggests new approaches to meeting the needs of marketers while preserving the privacy of consumers by applying algorithmic solutions. Read it now before this stuff gets really convoluted.
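As an added illustration (not code from Green’s post or from Apple), here is randomized response, the textbook form of the local differential privacy Apple describes: each device randomizes its own bit before reporting, so no single report is trustworthy, yet the population rate emerges once enough users are aggregated. The emoji-usage scenario, the parameters and the population are all constructed.

```python
# Randomized response: a toy local differential privacy mechanism.
# Scenario (constructed, hypothetical): each user reports one bit saying
# whether they used a particular emoji. The bit is randomized on-device,
# so any single report is deniable, but the population rate is recoverable.
import math
import random


def randomized_response(true_bit, p_truth, rng):
    """Report the true bit with probability p_truth; otherwise a fair coin flip."""
    if rng.random() < p_truth:
        return true_bit
    return rng.randrange(2)


def epsilon_for(p_truth):
    """Privacy loss (epsilon) of the mechanism.

    A report equals the true bit with probability p_truth + (1 - p_truth)/2
    and equals the other value with probability (1 - p_truth)/2. The ratio of
    those two likelihoods bounds what an observer can infer from one report;
    epsilon is its natural log (p_truth = 0.5 gives ln 3).
    """
    p_same = p_truth + (1.0 - p_truth) / 2.0
    p_other = (1.0 - p_truth) / 2.0
    return math.log(p_same / p_other)


def estimate_rate(reports, p_truth):
    """Recover the population rate from the noisy reports.

    E[report] = p_truth * true_rate + (1 - p_truth)/2, so invert that linear
    relation. Works for any number of reports; the more, the tighter.
    """
    observed = sum(reports) / len(reports)
    return (observed - (1.0 - p_truth) / 2.0) / p_truth


def simulate(n_users, true_rate, p_truth, seed=7):
    """Draw a population, collect randomized reports.

    Returns (actual_rate, estimated_rate, fraction_of_reports_that_were_wrong).
    The last value shows how much each individual report can be denied.
    """
    rng = random.Random(seed)
    truths = [1 if rng.random() < true_rate else 0 for _ in range(n_users)]
    reports = [randomized_response(b, p_truth, rng) for b in truths]
    actual = sum(truths) / n_users
    estimate = estimate_rate(reports, p_truth)
    flipped = sum(1 for t, r in zip(truths, reports) if t != r) / n_users
    return actual, estimate, flipped


if __name__ == "__main__":
    actual, estimate, flipped = simulate(100_000, 0.30, 0.50)
    print(f"epsilon = {epsilon_for(0.50):.3f} (ln 3)")
    print(f"true rate {actual:.4f}, estimated {estimate:.4f}, "
          f"{flipped:.1%} of individual reports were wrong")
```

With p_truth = 0.5 a quarter of all individual reports are simply wrong, yet the aggregate estimate lands within a fraction of a percent of the true rate at 100,000 users; lowering p_truth buys more deniability (smaller epsilon) at the cost of needing more users for the same accuracy.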

Check your safety harness from time to time. Catch you tomorrow!

Friday: How It Begins

I was halfway through a post yesterday when a friend in the UK told me a member of Parliament had been killed by a fascist.

An assassination, I thought at that moment, unable to write another word for my post. How many times has an assassination kicked off a horrible chain of events?

I hoped and prayed as best a lapsed Catholic can that the murder of MP Jo Cox by a man shouting, “Britain First!” was not the beginning of something dreadful. Research says it’s less likely than if an autocratic figure had been killed, but who can really say with certainty?

We won’t know for some time if this was a trigger event for something else, though it did set off a cascade of stomach-turning crap. So many media outlets referred to politician Cox’s death by a political fanatic as something other than an assassination. Really? Would Cox have been targeted had she not been a pro-EU unity supporter? Would the assassin — characterized by so many euphemisms as mentally ill — have killed her had he not been rabidly anti-EU and racist, impelled by ramped-up anti-EU rhetoric in advance of the EU-Brexit referendum?

And the disparity in coverage between [lone white gunman suspected of mental illness] and [armed terrorist—labeled so because they’re not white]? Beyond disgusting. The racism is all the more obvious. The public is conditioned by media’s implicit bias to expect and accept the lone white gunman, but never the dark-skinned person bearing a weapon. The accused must have sympathized with white nationalism, irrespective of country, having bought his firearm components from U.S. neo-Nazis more than a decade ago. The description of his attack on Cox is chilling — it was a cold political execution, not just some wildly insane flailing without care for the outcome.

The world lost someone very special when Jo Cox died yesterday. Someone who lived progressive values out in the open, modeling a better way for us. Don’t kid yourself this was just a crazed man acting alone when white nationalist politicians like Nigel Farage believe “violence is the next step” if angry constituents feel they’ve lost control.

And don’t fool yourself into believing this was an isolated event occurring in a vacuum.

Today’s Friday jazz is a performance of She’s Crying for Me by the Yorkshire Jazz Band, in honor of Jo Cox’s home county.

A note on hacking stories
The breach of the DNC’s computers is one of a number of stories over the last several years that follow a pattern: the breach is attributed first to one entity and then to another, while the story itself has a rather interesting point of origin. Initial reports may say the hackers were affiliated with [nation/state X] and later reports attribute the hacking to [unaligned third party Y], or some variation on this order. The key characteristic is the story’s immaculate birth.

Try looking for yourself for the earliest story reporting the hacking of the DNC. Who reported it and when? Who were the original sources? Did the story arise from a call to law enforcement or a police report, and a local beat reporter who gathered named eyewitnesses for quotes? Or did the story just pop out of thin air, perhaps simultaneously across multiple outlets all regurgitating the same thing at the same time?

My point: Be more skeptical. There’s an adage in reporting, drummed into journalism students’ heads: If your mother says she loves you, check it out.

Three examples of manipulated opinion
Speaking of being more skeptical, bias manifests itself in all manner of ways and can be easily used for good or ill.

  • U.S. government and military orgs tricked into running ‘imposter code’ (Ars Technica) — Suckers didn’t perform due diligence on packages of code hosted at developer communities before running them. Gee, I wonder if any political parties’ personnel might have done the same thing…
  • GOP-led House waffles on HR 5293 surveillance bill because Orlando (HuffPo) — Ugh. Would this vote have been different this time if a lone crazed white gunman had shot up a bar? Sadly, we can’t tell based on the bill’s approval last year because the vote took place one day before Dylann Roof’s mass shooting in a Charleston church. Nor can we tell from the bill’s 2014 approval by the House because the mass shootings the week of the vote were just plain old run-of-the-mill apolitical/non-racist with too few fatalities.
  • Send manuscripts out under a man’s name = agents and publishers notice (Jezebel) — If you’re a woman you can be a great writer and you won’t get any nibbles on your manuscript — unless you submit it under a male name. Hello, implicit bias, much? This isn’t the only example, either.

Worthwhile long read
This commentary at Tor.com looks at the movie V for Vendetta, saying it’s “more important than ever,” in spite of the adaptation’s rejection by Alan Moore, author of the graphic novel on which this film was based. The essay was published this past Tuesday; read it now in light of Jo Cox’s assassination Thursday. A single event can change perception. This line alone now means something very different to me:

It seems strange that my life should end in such a terrible place. But for three years I had roses, and apologized to no one.

If time permits, I may slap up a post this weekend to make up for yesterday’s writer’s block. Otherwise I’ll catch you on Monday.

At Same Time as DNC Hack Released, Funny Alleged Hacks in the Middle East

You’ve probably heard that hackers, probably Russian, hacked the DNC and released a bunch of information, including a really crappy oppo research report on Donald Trump. See this post for some of the materials and this analysis of the materials (including metadata to support the case these are Russians).

Given that development, I’m even more interested in this development than I already was. Several websites in the Middle East — in this case Jordan’s Petra news service — posted a report that Mohammed bin Salman, the third ranking Saudi royal, had claimed to have provided Hillary 20% of her campaign funding.

On Sunday a report appeared on the Petra News Agency website that included what were described as exclusive comments from Saudi Deputy Crown Prince Mohammed bin Salman. The comments included a claim that Riyadh has provided 20 percent of the total funding to the prospective Democratic candidate’s campaign.

I’m particularly interested in how that report got disclaimed: with intervention by the Podesta Group, which is both a lobbying firm for the Saudis and the firm co-founded by John Podesta, Hillary’s campaign chairman.

On Monday a spokesperson for American public relations firm the Podesta Group contacted MEE to say that they work with the Saudi Royal Court and to request a correction to our earlier story that said the Jordanian news agency had deleted the quotes from Prince Mohammed.

Senior global communications specialist Will Bohlen – who, prior to joining Podesta, was chief researcher for a best-selling history of Bill Clinton’s presidency – sent a link to a clarification issued by the Petra News Agency which said it was “totally false and untrue” that they had published then deleted the quotes from Prince Mohammed about funding the Clinton campaign.

“A technical failure on Petra’s website occurred for a few minutes on Sunday evening, 12 June 2016,” the Jordanian news agency said. “Protection systems at the agency as well as the technical department noticed that and therefore, they suspended the transmission system and the electronic site and moved to the alternative website.

“Later, it became clear that the technical failure that occurred was an attempt to hack the agency’s transmission system and its website. The agency was surprised to see some media outlets as well as the social media publishing false news that were attributed to Petra. They said that Petra transmitted a news item related to the deputy crown prince of Saudi Arabia and later deleted this news item. This is totally false and untrue.”

For now, I will assume this was a hack, which (again) I find to coincide interestingly with the DNC hack. The Clinton Foundation does get far too much money from the Saudis, but we can review Hillary’s actual funding to be sure that Mo bin Salman is not funding her campaign directly.

In entirely unrelated news I’ll put here anyway, the big Saudi investor Alwaleed bin Talal is now Twitter’s second largest investor.

Prince Alwaleed Bin Talal Bin Abdulaziz Alsaud, who in 2011 invested $300 million in the social network, now owns 34.9 million shares of Twitter’s common stock, according to a new regulatory filing (pdf).

At nearly 5.2%, his stake in the company is now larger than that of Jack Dorsey, Twitter’s co-founder and newly re-minted CEO, whose 21.86 million shares give him 3.2% of the company, according to FactSet. (The prince previously had a stake of roughly 3%.)

Particularly given that Twitter isn’t exactly a great investment, I find Alwaleed’s interest in it notable.

Tuesday: Going Alone

I’ve been so damned angry I’ve had difficulty wrapping words around what I want to say. It’s still Tuesday somewhere, so I’ll grit this out.

Assault weapons should be banned for sale to civilians.

Spare me the crap about hunters and taking their guns. My freezer contains 25 to 100 pounds of venison at any time. This household lives off the results of hunting and respects the power of firearms. None of this meat required an assault weapon.

If an assault weapon had been used, it would have been a waste of a deer tag. There’d be no meat left.

The embedded video above shows the damage hunting ammo does at close range — approximately 15-20 feet — on meat. The next video shows the damage #4 and #8 birdshot can do at short range, even through multiple layers of denim and drywall. Imagine what an assault weapon would do to flesh at similar range.

Better yet, listen to what a combat vet says about assault weapons.

There’s nothing in the Second Amendment to suggest a prohibition on certain weapons is wrong; if anything, the framing of a ‘well regulated militia’ suggests limitations are in order.

There’s also nothing in the Second Amendment to suggest that gun manufacturers have an absolute right to an unrestrained business model, or to profits at the expense of the public’s general welfare.

Nor does the Second Amendment say a damned thing about catering to ‘gun enthusiasts’ who want guns for ‘pleasure’. A ‘well regulated militia’ doesn’t possess guns but as necessary for the ‘security of a free state’, not personal enjoyment.

And both embedded videos make a bloody good case that arguments about assault weapons being necessary to stop a home invasion are trash. Birdshot at close range can do one hell of a lot of damage, as do 00 buckshot and a 1-oz slug.

Congress — more specifically, the GOP — needs to strap on its spine and draw the line on assault weapons. How many more dead Americans is it going to take before Congress clues in that the terrorist threat is already here? It’s domestic, and it’s better armed than the police because the GOP-led Congress is as weak as the GOP is against Trump.

Spare the empty moments of silence and prayers, which might as well be to Moloch after another human sacrifice. They fail at protecting the American public.

Speaking of which…

Information Security Fail

  • USAF database with records on ~100,000 investigations ‘lost’ (Defense One) — This is such bullshit, I can’t even…why is a CONTRACTOR, which may be the subject of any one of the 100K investigations, hosting and managing a database like this? What a massive conflict of interest. The database included constituent and congressional inquiries. Don’t even get me started on the fact this system relied on Microsoft Internet Explorer. Where have we seen this kind of massive loss of data including failed backups before? Hardly a surprise the data covers the period including most of the Iraq and Afghanistan wars as well as the construction of the F-35. Somebody better lose their job for this crap, and there’d better be a respectable investigation instead of the usual fluffery hiding billions of lost dollars.
  • DNC database infiltrated by the Russians (WaPo) — DNC Chair Debbie Wasserman Schultz needs to be walked out the door for this bullshit, along with responsible IT management. As if anyone able to sit up and take nourishment couldn’t see the DNC computer systems would be a target for cybercrime and cyberwarfare. No excuses for this during the run-up to a general election season, especially when her favored candidate, Hillary Clinton, is already floundering because of information security failures during Clinton’s tenure as Secretary of State. This bit:

    The depth of the penetration reflects the skill and determination of the United States’ top cyber adversary as Russia goes after strategic targets, from the White House and State Department to political campaign organizations.

    Total blowjob for access. If the hackers got in by spearphishing as suggested in the article, there’s no finesse required. Just poorly trained/educated users and no firewall between email and database. The only thing that surprises me about this is that ransomware wasn’t deployed. Imagine it: a major U.S. political party ground to a halt by spearphish-delivered ransomware.

  • University of Calgary paid CDN$20K after ransomware attack (Calgary Herald) — First heard about this attack at the end of May. Looks like the school had no choice but to pay the bitcoin equivalent of $20K to release its systems, which says a lot about backup systems and rebuild cost. Considering the broad range of users at universities and their widely different levels of experience and training, I’m surprised we haven’t seen more ransomware attacks on schools. Though monetarily they’re less appetizing than other targets, and they may have more resources to deal with the threat if they have a strong information security program.
  • Chinese IBM employee arrested for trade secret theft (Reuters) — The indictment (pdf) says the now-former IBM employee stole proprietary software related to hyperscale storage clusters, or what most consumers would know as ‘cloud storage’. This is a technology segment in which the U.S. still has considerable clout in terms of marketshare, and in terms of global economic impact based on its use. Reporting on this indictment has been vague, referring to the technology at the heart of this case as ‘networking software’. It’s more complex than that; the proprietary software underpins storage and retrieval of data across networked large storage devices. (Hi blueba. Just checking to see if you missed me. Can’t let the Russians have all the fun.)

Basta. Enough. Let’s hope Wednesday is kinder than the last handful of days have been.