Tuesday Morning: The Fat One You’ve Awaited

Mardi Gras. The day before Ash Wednesday. Fat Tuesday. In Brazil, it’s Carnival — plenty of parades with costumed dancers and samba. In New Orleans, it means king cake, beads, and more parades, but here in Michigan, it means pączki. No parades in the snow, just an icy trek to the Polish bakery for some decadent sweets we get but once a year.

I’m still drafting this, too much stuff to weed through this morning. I’ll update as I write. Snag a cup of joe and a pączki while you wait. Make mine raspberry filled, please!

Economic indicators say “Maybe, Try Again”
Asian and European stock markets were a mess this morning. There’s no sign of an agreement between OPEC nations on production and pricing, which may lead to yet more floundering in the stock market. Yet one indicator — truck tonnage on the roads — doesn’t show signs of a recession in the U.S.

UK court cases topsy-turvy: LIBOR Six and a secret trial

  • UK can’t hold the LIBOR Six bankers accountable for their part in the 2008 economic crisis because the prosecution was sloppy. It’s pretty bad when a defense attorney asks if the prosecution was “making this up as they go along.”
  • The article’s first graf is a warning:

    Warning: this article omits information that the Guardian and other news organisations are currently prohibited from publishing.

    The case, R v Incedal and Rarmoul-Bouhadjar, continues to look like a star chamber, with very little information available to the public about the case. The accused have been charged and served time, but the media has been unable to freely access information about the case, and their appeal has now been denied. A very ugly precedent for a so-called free country.

Facebook: French trouble, and no free internet in India

  • Shocked, SHOCKED, I am: French regulators told Facebook its handling of users’ data didn’t sufficiently protect their privacy. The Commission nationale de l’informatique et des libertés (CNIL) told the social media platform it has three months to stop sharing users’ data with U.S. facilities for processing. CNIL also told Facebook to stop tracking non-Facebook users without warning them.
  • The Indian government told Facebook thanks, but no thanks to its Free Basics offering, a so-called free internet service. The service ran afoul of net neutrality in that country as it implicitly discouraged users from setting up sites outside Facebook’s platform. Many users did not understand there was a difference between Facebook and the internet as a whole. Mr. Zuckerberg really needs to study the meaning of colonialism, and how it might pertain to the internet in emerging markets.

Boy kicked out of school because of his DNA
This is a really sad story not resolved by the Genetic Information Nondiscrimination Act (GINA). The boy has cystic fibrosis; his parents informed the school on his paperwork, as they should in such cases. But because of the risks to the boy or his siblings with similar genes, the boy was asked to leave. GINA, unfortunately, does not protect against discrimination in education, only in healthcare and employment. This is a problem Congress should take up with an amendment to GINA. No child should be discriminated against in education because of their genes over which they have no control, any more than a child should be discriminated against because of their race, gender identity, or sexuality.

All right, get your party on, scarf down the last of your excess sweets, for tomorrow is sackcloth and ashes. I can hardly wait for the sugar hangover to come.


Monday Morning: Taking out the Garbage

Most of the time, I’m here in Michigan and I’m taking out the garbage every Monday. — Bob Seger

Morning-after blues now set in, feeling the weight of too much beer and cheese, doing the Walk of Shame, reeking of regret. Gotta’ love American excess in all things, including sports.

Take out last night’s garbage, pour yourself an herbal tea or a detox smoothie, and let’s get back at it. Speaking of garbage…

VW expected to make appetizing offer to U.S. passenger diesel owners — BUT…

The German car maker has still not decided whether vehicle owners will be offered cash, car buy-backs, repairs or replacement cars, Kenneth Feinberg told the Frankfurter Allgemeine Sonntagszeitung.

In other words, everything compensation manager Kenneth Feinberg said on behalf of VW for a German media outlet is vaporware. Best to keep in mind Feinberg has previously represented shining examples of corporate ethics like BP after the Deepwater Horizon spill.

Zika, Zika, Zika…
The virus is now driving some people mad — and they’re not even infected. Like Republican presidential candidates who believe persons traveling to the U.S. should be quarantined if they come to the U.S. from Brazil (Christie), or could be quarantined if they have been infected (Carson). Or scientists pushing to kill all the Aedes aegypti mosquitoes, without much thought for what removal of a species of insects will do to the rest of the ecological system which they’ve made home. Viruses are opportunistic; lose one host and they’ll hop to another. Are scientists modeling that next likely host?

Electronic toy maker VTech offers to buy LeapFrog
LeapFrog was popular with my kids 10 years ago; their line of educational toys helped my kids’ grades with spelling test games. But LeapFrog made a strategic error leaving the smaller handheld games for children’s tablets, and is now limping along. VTech has its own problems with technology, like the recent breach of user data, exposing millions of children and their families. Perhaps LeapFrog’s information technology will help shore up VTech’s through this acquisition.

Death from outer space
A bus driver in India may have been the first recorded casualty of a meteorite this weekend. Three others were injured when the meteorite exploded, leaving a small crater and broken windows.

Gong Xi Fa Cai or Gong Hey Fat Choy to you, depending on whether you speak Mandarin or Cantonese, as we enter the Year of the Monkey. Oops, perhaps you shouldn’t take out the trash just yet, especially if it requires sweeping. It’s bad luck to do so on the first new moon of the year — you might sweep your good luck out the door! Oh, your team lost last night? Sweep away. Best wishes for a prosperous new year!


Superb Owl: Keeping Eye on Fans and More?

If humans could see the full spectrum of radiation, the San Francisco Bay Area would shine bright like the sun this evening — not from lighting, but from communications. The Super Bowl concentrates more than 100,000 people, most of whom will have a wireless communications device on their person — cellphone, phablet, or tablet. There are numerous networks conveying information on the field, in the stands, and to the fans watching globally on television and the internet.

And all of these communications generate massive amounts of data surely monitored in some way, no matter what our glorious government may tell us to the contrary. The Super Bowl is a National Special Security Event (NSSE), rated with a Special Event Assignment Rating (SEAR) level 1. The designation ensures the advance planning and involvement of all the three-letter federal agencies responsible for intelligence and counterterrorism you can think of, as well as their state and local counterparts. They will be watching physical and electronic behavior closely.

Part of the advance preparation includes establishing a large no-fly zone around the Bay Area. Non-government drones will also be prohibited in this airspace.

What’s not clear to the public: what measures have been taken to assure communications continuity in the same region? Yeah, yeah — we all know they’ll be watching, but how many of the more than one million visitors to the Bay Area for the Super Bowl are aware of the unsolved 15 or 16 telecom cable cuts that happened over the last couple of years? What percentage of local residents have paid or are paying any attention at all to telecommunications infrastructure, or whether crews “working” on infrastructure are legitimate or not?

Planning for a SEAR 1 event begins almost as soon as the venue is announced — perhaps even earlier. In the case of Super Bowl 50, planning began at least as early as the date the game was announced nearly 34 months ago on March 28th, 2014. The Levi’s stadium was still under construction as late as August that same year.

And the first cable cut event happened nearly a year earlier, on April 16, 2013 — six months after Levi’s Stadium was declared one of two finalists to host the 50th Super Bowl, and one month before Levi’s was awarded the slot by NFL owners.

News about a series of 11 cable cuts drew national attention last summer when the FBI asked for the public’s assistance. These events happened to the east of San Francisco Bay though some of them are surely inside the 32-mile radius no-fly zone observed this evening.

But what about the other cuts which took place after April 2013, and after the last of 11 cuts in June 2015? News reports vary but refer to a total of 15 or 16 cuts about which law enforcement has insufficient information to charge anyone with vandalism or worse. A report last month quotes an FBI spokesperson saying there were 15 attacks against fiber optic cable since 2014. Based on the date, the number of cuts excludes the first event from April 2013, suggesting an additional four cuts have occurred since June 2015.

Where did these cuts occur? Were they located inside tonight’s no-fly zone? Will any disruption to communications services be noticed this evening, when so many users are flooding telecommunications infrastructure? Will residents and visitors alike even notice any unusual technicians at work if there is any disruption?

Keep your eyes peeled, football fans.


Friday Morning: Nasty Habits

I got nasty habits; I take tea at three.
— Mick Jagger

Hah. Just be careful what water you use to make that tea, Mick. Could be an entirely different realm of nasty.

Late start here, too much to read this morning. I’ll keep updating this as I write. Start your day off, though, by reading Marcy’s post from last night. The claws are coming out, the life boats are getting punctured.

Many WordPress-powered sites infected with ransomware
Your next assignment this morning: check and update applications as out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer are most prone to this new wave of ransomware affecting WordPress sites. Back up all your data files to offline media in case you are hit with ransomware, and make it a habit to back up data files more frequently.

Planes inbound to the UK from regions with Zika virus may be sprayed
Take one tightly-closed oversized can, spray interior with insecticide, then insert humans before sealing for several hours. This sounds like a spectacularly bad idea to me. What about you? Yet this is what the UK is poised to do with planes flying in from areas with frequent Zika infections.

Comcast a possible smartphone service provider
NO. I don’t even have Comcast, yet I think this company is one of the worst suited to offering smartphones and service to their users. The company has expressed interest in bidding on spectrum for wireless, however. Comcast has struggled for years with one of — if not THE — worst reps for customer service. How do they think they will manage to expand their service offering without pissing off more customers?

AT&T obstructing muni broadband
No surprise here that AT&T is lobbying hard against more broadband, especially that offered by communities. The public knows there’s a problem with marketplace competition when they don’t have multiple choices for broadband, and they want solutions even if they have to build it themselves. When AT&T annoys a Republican lawmaker while squelching competition, they’ve gone too far. Keep an eye on this one as it may shape muni broadband everywhere.

Volkswagen roundup
VW delayed both its earnings report scheduled March 10th and its annual meeting scheduled April 21. The car maker says it needs more time to assess impact of the emissions control scandal on its books. New dates for the report and meeting have not been announced.

Volkswagen Financial Services, the banking arm of VW’s holding company structure which finances auto sales and leases, suffers from the ongoing scandal. Ratings firms have downgraded both the bank and parent firm. Not mentioned in the article: potential negative impact of emissions control scandal on VW’s captive reinsurer, Volkswagen Insurance Company Ltd (VICO).

Both the Justice Department and the Environmental Protection Agency filed a civil suit against VW in Detroit this week. Separate criminal charges are still possible.

That’s a wrap, I’m all caught up on my usual read-feed. Get nasty as you want come 5:00 p.m. because it’s Friday!


Data Mining Research Problem Book, Working Thread

Yesterday, Boing Boing liberated a fascinating 2011 GCHQ document from the Snowden collection on GCHQ’s partnership with Heilbronn Institute for Mathematical Research on datamining. It’s a fascinating overview of collection and usage. This will be a working thread with rolling updates.

In addition to BoingBoing’s article, I’ll update with links to other interesting analysis.

[1] The distribution list is interesting for the prioritization, with 4 NSA research divisions preceding GCHQ’s Information and Communications Technology Research unit. Note, too, the presence of Livermore Labs on the distribution list, along with an entirely redacted entry that could either be Sandia (mentioned in the body), a US university, or some corporation. Also note that originally only 18 copies of this were circulated, which raises real questions about how Snowden got to it.

[9] At this point, GCHQ was collecting primarily from three locations: Cheltenham, Bude, and Leckwith.

[9-10] Because of intake restrictions (which I believe other Snowden documents show were greatly expanded in the years after 2011), GCHQ can only have 200 “bearers” (intake points) on “sustained cover” (being tapped) at one time. Each collected at 10G a second. GCHQ cyclically turns on all bearers for 15 minutes at a time to see what traffic is passing that point (which is how they hack someone, among other things). Footnote 2 notes that analysts aren’t allowed to write up reports on this feed, which suggests research, like the US side, is a place where more dangerous access to raw data happens.

[10] Here’s the discussion of metadata and content; keep in mind that this was written within weeks of NSA shutting down its Internet dragnet, probably in part because it was getting some content.

Roughly, metadata comes from the part of the signal needed to set up the communication, and content is everything else. For telephony, this is simple: the originating and destination phone numbers are the metadata, and the voice cut is the content. Internet communications are more complicated, and we lean on legal and policy interpretations that are not always intuitive. For example, in an HTTP request, the destination server name is metadata (because it, or rather its IP address, is needed to transmit the packet), whereas the path-name part of the destination URI is considered content, as it is included inside the packet payload (usually after the string GET or POST). For an email, the to, from, cc and bcc headers are metadata (all used to address the communication), but other headers (in particular, the subject line) are content; of course, the body of the email is also content.
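The split drawn in the quoted passage, as an added example that is not from the GCHQ document or the original post: it sorts the fields of an HTTP request and an email into the two buckets the passage names. The function names and sample messages are constructed for illustration, and filing the remaining HTTP headers under content is an assumption based on the passage's "content is everything else."

```python
from email import message_from_string
from urllib.parse import urlsplit

# Addressing headers the quoted passage names as metadata; all else is content.
EMAIL_METADATA_HEADERS = {"to", "from", "cc", "bcc"}


def split_http_request(raw):
    """Split a raw HTTP/1.x request into metadata and content per the passage."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)

    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # The destination server name is the only part the passage calls metadata.
    server_name = headers.pop("host", "")

    # Absolute-form targets (as sent to proxies) carry the host in the URI;
    # separate it so only the path and query land in the content bucket.
    if "://" in target:
        parts = urlsplit(target)
        server_name = server_name or parts.netloc
        target = parts.path + ("?" + parts.query if parts.query else "")

    return {
        "metadata": {"server_name": server_name},
        # Assumption: everything else in the payload is content.
        "content": {"method": method, "path": target,
                    "headers": headers, "body": body},
    }


def split_email(raw):
    """Split an RFC 822 message into metadata and content per the passage."""
    msg = message_from_string(raw)
    metadata, content = {}, {}
    for name, value in msg.items():
        key = name.lower()
        bucket = metadata if key in EMAIL_METADATA_HEADERS else content
        bucket.setdefault(key, []).append(value)
    # The body is content, as is every non-addressing header (e.g. Subject).
    content["body"] = msg.get_payload()
    return {"metadata": metadata, "content": content}


# Constructed sample messages (not real traffic).
SAMPLE_HTTP = (
    "GET /search?q=paczki HTTP/1.1\r\n"
    "Host: example.org\r\n"
    "User-Agent: demo\r\n"
    "\r\n"
)
SAMPLE_HTTP_PROXY = "GET http://example.org/a?x=1 HTTP/1.1\r\n\r\n"
SAMPLE_EMAIL = (
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Cc: carol@example.com\n"
    "Subject: Lunch\n"
    "Date: Mon, 08 Feb 2016 09:00:00 +0000\n"
    "\n"
    "See you at noon.\n"
)

if __name__ == "__main__":
    for label, result in (("http", split_http_request(SAMPLE_HTTP)),
                          ("email", split_email(SAMPLE_EMAIL))):
        print(label, "metadata:", result["metadata"])
        print(label, "content: ", result["content"])
```
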

[10] This makes it clear how closely coming up as a selector ties to content collection. Remember, NSA was already relying on SPCMA at this point to collect US person Internet comms, which means their incidental communications would come up easily.

GCHQ’s targeting database is called BROAD OAK, and it provides selectors that the front-end processing systems can look for to decide when to process content. Examples of selectors might be telephone numbers, email addresses or IP ranges.

[11] At the Query-Focused Dataset level (a reference we’ve talked about in the past), they’re dealing with: “the 5-tuple (timestamp, source IP, source port, destination IP, destination port) plus some information on session length and size.”

[11] It’s clear when they say “federated” query they’re talking global collection (note that by this point, NSA would have a second party (5 Eyes) screen for metadata analysis, which would include the data discussed here).

[11] Note the reference to increased analysis on serious crime. In the UK there’s not the split between intel and crime that we have (which is anyway dissolving at FBI). But this was also a time when the Obama Admin’s focus on Transnational Crime Orgs increased our own intel focus on “crime.”

[12] This is why Marco Rubio and others were whining about losing bulk w/USAF: the claim that we are really finding that many unknown targets.

The main driver in target discovery has been to look for known modus operandi (MOs): if we have seen a group of targets behave in a deliberate and unusual way, we might want to look for other people doing the same thing.


Thursday Morning: Better than a Week

You know the joke: 4:30 p.m. is better than an hour away from 5:00 p.m., right? Thursday is better than a week away from the weekend. For folks traveling home for the Lunar New Year holiday in China, there are four days left to get home, and the train stations are crazy-full. But today is better than five days away from family and friends.

Goldman Sachs questions capitalism
YEAH. I KNOW. I did a double-take when I read the hed on this piece. In a GS analysts’ note they wrote, “There are broader questions to be asked about the efficacy of capitalism.” They’re freaking out because the market isn’t acting the way it’s supposed to, where new entrants respond to fat margins generated by first-to-market or mature producers.

I wonder how much longer it will take them to realize they killed the golden goose with their plutocratic rewards for oligopolies? How long before they realize this isn’t capitalism at all?

Whistleblower tells Swiss (and banks) to get over themselves on whistleblowing
Interviewed last week, former UBS banker Bradley Birkenfeld said, “We have to make some changes in Switzerland — it’s long overdue … The environment there is hostile toward people exposing corruption.” Birkenfeld’s remarks prod Swiss lawmakers currently at work on whistleblowing legislation. When passed, the law is not expected to offer protections employees have in the U.S. and the UK (and we know those are thin and constantly under attack). But perhaps the law will prevent cases like Nestle SA’s suit against a former executive who disclosed food safety risks. That suit and another alleging a former UBS employee libeled the bank may be affected assuming the EU adopts the same approach toward whistleblowing and corruption reduction.

“Computer failure” at IRS halts acceptance of tax return e-filings
No details about the nature of the “computer failure” apart from a “hardware problem” or “hardware failure” appeared in any reports yesterday afternoon and overnight. The IRS expects to have repairs completed today to allow e-filings once again; filings already submitted are not affected.

FBI agent on new car purchases: entering ‘wild, wild west’
Four cybersecurity experts spoke at a meeting of the Automotive Press Association in Detroit yesterday, one of whom was an FBI cyber squad agent. The feedback from the speakers wasn’t reassuring, apart from the observation by a specialist from a start-up automotive cyber security firm that they did not know of a “real world incident where someone’s vehicle was attacked and taken over remotely by someone hacking into the vehicle.” A lawyer whose firm handles automotive industry cyber threats undercut any feeling of relief with an observation that judges aren’t savvy about cyber crime on vehicles. I think I’ll stick with my old school car for a while longer.

The Repair Coalition formed to protect the ‘Right to Repair’
Speaking of old school car, I hope I can continue to get it repaired in the future without worrying about lawsuits for copyright violations. We’ve already seen tractor owners in conflict with John Deere over repairs, and exemptions to copyright for repair have been granted only after tedious and costly effort, and then to the farmer only, not to their mechanic. Hence the emergence of The Repair Coalition, which takes aim at repealing the DMCA’s Section 1201 — terms in it make it illegal to “circumvent a technological measure that effectively controls access to a work protected under [the DMCA].”

It’s long been an American ethic to “Use it up, wear it out, make do, or do without,” an ethic we need to restore to primacy if we are to reduce our CO2 footprint. Repairing rather than tossing goods is essential to our environmental health, let alone a necessity when wages for lower income workers remain stagnant.

That’s a wrap — I could go on but now we’re better than a day away from Friday. Whew.


Wednesday Morning: Full of Whoa

Whoa. Halt. Stop. The brakes need firm application, even mid-week.

Zika virus infects media with crappy reporting
I can’t tell you how many times in the last 24 hours I yelled at my computer, “Are you f****** kidding me with this crap?” With so many news outlets focused on hot takes rather than getting the story right, stupidity reached pandemic levels faster than mosquito-borne viruses. And all because Dallas County health officials and the Center for Disease Control used the words “sexually transmitted” in reference to a new Zika case in the U.S.

The following sampling of heds, tweets, and reports? WRONG.

  • US reports first case of sexually transmitted Zika in Texas (Gizmodo, io9)
    [Not the first sexually transmitted case in the U.S., just the first in Texas]
  • First US case of the Zika virus infection was sexually transmitted, officials say (Verge)
    [Not the first U.S. case of Zika virus]
  • The first known case of the #ZikaVirus contracted within the US confirmed in Dallas (Newsweek)
    [Not the first known case of Zika contracted within the U.S.]
  • The first case of the #ZikaVirus contacted within the US was through sexual transmission (Newsweek)
    [Neither the first sexually transmitted case in the U.S. nor the first contracted within the U.S.]
  • The First Sexually Transmitted Case of the Zika Virus Is Confirmed in Texas (Slate)
    [Not the first sexually transmitted case in the U.S.]

The first case in which Zika virus was contracted inside the continental U.S. occurred in 2008. This was the first sexual transmission of the virus in the continental U.S. as well. Scientist Brian Foy had been studying Zika in Senegal during an outbreak; he had been infected by the virus, became ill, and was still carrying the virus when he came home to Colorado. His wife became infected though she had not traveled abroad, had not been bitten by a mosquito, and children residing in their home did not contract the virus. More details on the case can be found here.

The first cases of Zika virus in the U.S. in this outbreak were not locally transmitted inside the U.S., but contracted outside the continental 48 states and diagnosed on return here. States in which cases have been reported include Hawaii, New York, Virginia, Arkansas, Florida, and now Texas — in the case of the traveler who brought the disease home and infected their partner through sex.

It’s incredible how very little effort many news outlets put into researching the virus’ history or the case in Texas. Bonus points to Newsweek for trying to get it wrong in multiple tweets for the same story.

Best reporting I’ve read so far has been WaPo’s piece on the new Dallas cases, and WIRED’s collection of Zika reports. The CDC’s site on the Zika virus can be found here.

Gonna’ be a massive Patch Day for F-35 sometime soon
Whether or not Monday’s earthshaking sonic booms over New Jersey were generated by F-35 test flights, there’s still a long and scary list of bugs to be fixed on the fighter jet before it is ready for primetime. Just read this; any pilot testing these now is either a stone-cold hero, or a crazed numbnuts, and they’d better weigh between 136 and 165 pounds to improve their odds of survival.

Oral Roberts University mandates students wear FitBits for tracking
Guess the old “Mark of the Beast” is interpreted loosely at ORU in Oklahoma. Fitness is measured on campus by more than theological benchmarks. Begs the question: who would Jesus monitor?

The last straw: Fisher Price Wi-Fi-enabled toys leave kids’ info out in the open
Fisher Price is the fourth known manufacturer of products aimed at children and their families in which the privacy and safety of children were compromised by poor information security. In this case, Smart Toy Bears are leaking information about their young owners. Maybe it’s about time that either the FCC or FTC or Congress looks into this trend and the possibility toy makers are not at all concerned with keeping their youngest customers safe.

EDIT: #FlintWaterCrisis
Forgot to note the House Oversight and Government Reform Committee will hold a hearing on lead contaminated drinking water in Flint, Michigan at 9:00 a.m. EST. C-SPAN3 will carry the hearing live.

Tap the brakes a few more times before you take off, eh? It’s all downhill from here.


NSA Reorganizing in Manner that Directly Conflicts with President’s Review Group Recommendation

Back in 2013, the President’s Review Group recommended that NSA’s defensive function — the Information Assurance Directorate — be removed from NSA. I’ve put the entirety of that recommendation below, but PRG recommended the change to:

  • Eliminate the conflict of interest between NSA’s offensive and defense functions
  • Eliminate the asymmetry between the two functions, which can lead the defensive function to be less visible
  • Rebuild trust with outside cybersecurity stakeholders

Not only didn’t President Obama accept that recommendation, but he pre-empted it in several ways, before the PRG could publicly release their findings.

[O]n Thursday night, the Wall Street Journal and New York Times published leaked details from the recommendations from the review group on intelligence and communications technologies, a panel President Obama set up in August to review the NSA’s activities in response to the Edward Snowden leaks.

The stories described what they said were recommendations in the report as presented in draft form to White House advisors; the final report was due to the White House on Sunday. There were discrepancies in the reporting, which may have signaled the leaks were a public airing of disputes surrounding the review group (both articles noted the results were “still being finalized”). The biggest news item were reports about a recommendation that the director of the NSA (Dirnsa) and Cyber Command positions be split, with a civilian leading the former agency.

Before the final report was even delivered, the White House struck. On Friday, while insisting that the commission report was not yet final, national security council spokesperson Caitlin Hayden announced the White House had already decided the position would not be split. A dual-hatted general would continue to lead both.

By all appearances, the White House moved to pre-empt the results of its own review group to squelch any recommendation that the position be split.

Today, Ellen Nakashima reports that NSA will go further still, and completely merge its offensive and defensive missions.

In place of the Signals Intelligence and Information Assurance directorates, the organizations that historically have spied on foreign targets and defended classified networks against spying, the NSA is creating a Directorate of Operations that combines the operational elements of each.

[snip]

Some lawmakers who have been briefed on the broad parameters consider restructuring a smart thing to do because an increasing amount of intelligence and threat activity is coursing through global computer networks.

“When it comes to cyber in particular, the line between collection capabilities and our own vulnerabilities — between the acquisition of signals intelligence and the assurance of our own information — is virtually nonexistent,” said Rep. Adam B. Schiff (Calif.), the ranking Democrat on the House Intelligence Committee. “What is a vulnerability to be patched at home is often a potential collection opportunity abroad and vice versa.”

But there have been rumblings of discontent within the NSA, which is based at Fort Meade, Md., as some fear a loss of influence or stature.

Some advocates for the comparatively small Information Assurance Directorate, which has about 3,000 people, fear that its ability to work with industry on cybersecurity issues will be undermined if it is viewed as part of the much larger “sigint” collection arm, which has about eight times as many personnel. The latter spies on overseas targets by hacking into computer networks, collecting satellite signals and capturing radio waves.

While Nakashima presents some conflicting views on whether IAD will be able to cooperate with industry, none of the comments she includes addresses the larger bureaucratic issue: that defense is already being shortchanged in favor of the glitzier offensive function.

But Edward Snowden did weigh in, in response to a comment I made on this on Twitter.

When defense is an afterthought, it’s not a National Security Agency. It’s a National Spying Agency.

It strikes me this NSA reorganization commits the country to a particular approach to cybersecurity that will have significant ramifications for some time. It probably shouldn’t be made with the exclusive review of the Intelligence Committees mostly in secret.


We recommend that the Information Assurance Directorate—a large component of the National Security Agency that is not engaged in activities related to foreign intelligence—should become a separate agency within the Department of Defense, reporting to the cyber policy element within the Office of the Secretary of Defense.

In keeping with the concept that NSA should be a foreign intelligence agency, the large and important Information Assurance Directorate (IAD) of NSA should be organizationally separate and have a different reporting structure. IAD’s primary mission is to ensure the security of the DOD’s communications systems. Over time, the importance has grown of its other missions and activities, such as providing support for the security of other US Government networks and making contributions to the overall field of cyber security, including for the vast bulk of US systems that are outside of the government. Those are not missions of a foreign intelligence agency. The historical mission of protecting the military’s communications is today a diminishing subset of overall cyber security efforts.

We are concerned that having IAD embedded in a foreign intelligence organization creates potential conflicts of interest. A chief goal of NSA is to access and decrypt SIGINT, an offensive capability. By contrast, IAD’s job is defense. When the offensive personnel find some way into a communications device, software system, or network, they may be reluctant to have a patch that blocks their own access. This conflict of interest has been a prominent feature of recent writings by technologists about surveillance issues.

A related concern about keeping IAD in NSA is that there can be an asymmetry within a bureaucracy between offense and defense—a successful offensive effort provides new intelligence that is visible to senior management, while the steady day-to-day efforts on defense offer fewer opportunities for dramatic success.

Another reason to separate IAD from NSA is to foster better relations with the private sector, academic experts, and other cyber security stakeholders. Precisely because so much of cyber security exists in the private sector, including for critical infrastructure, it is vital to maintain public trust. Our discussions with a range of experts have highlighted a current lack of trust that NSA is committed to the defensive mission. Creating a new organizational structure would help rebuild that trust going forward.

There are, of course, strong technical reasons for information-sharing between the offense and defense for cyber security. Individual experts learn by having experience both in penetrating systems and in seeking to block penetration. Such collaboration could and must occur even if IAD is organizationally separate.

In an ideal world, IAD could form the core of the cyber capability of DHS. DHS has been designated as the lead cabinet department for cyber security defense. Any effort to transfer IAD out of the Defense Department budget, however, would likely meet with opposition in Congress. Thus, we suggest that IAD should become a Defense Agency, with status similar to that of the Defense Information Systems Agency (DISA) or the Defense Threat Reduction Agency (DTRA). Under this approach, the new and separate Defense Information Assurance Agency (DIAA) would no longer report through intelligence channels, but would be subject to oversight by the cyber security policy arm of the Office of the Secretary of Defense.

Tuesday Morning: Don’t Drive Angry

Okay, campers, rise and shine! It’s Groundhog Day! Like that genius film Groundhog Day we are stuck in an unending, repeating hell — like the dark circus that is our general election cycle in the U.S.

The lesson: it’s hell by choice. Let’s choose better. What’ll we choose today?

BPS, replacement for plastic additive BPA, not so safe after all
Here’s a questionable choice we could examine: using BPS in “BPA-free” plastics. A study by Geffen School of Medicine at UCLA found that BPS negatively affects reproductive organs and increases the likelihood of “premature birth” in zebrafish, accelerating development of the embryos. Relatively small amounts and short exposures produced effects.

As disturbing as this finding may be, the FDA’s approach to BPA is worrisome. Unchanged since 2014 in spite of the many studies on BPA, the FDA’s website says BPA is safe. Wonder how long it will be before the FDA’s site says BPS is likewise safe?

Exoskeleton assists paraplegic for only $40,000
Adjustable to its wearer’s body, SuitX’s exoskeleton helps paraplegic users to walk, though crutches are still needed. It’s not a perfect answer to mobility given the amount of time it takes to put on the gear, but it could help paraplegics avoid injuries due to sitting for too long in wheelchairs. It’s much less expensive than a competing exoskeleton at $70K; the price is expected to fall over time.

SuitX received an NSF grant of $750,000 last April for its exoskeleton work. Seems like a ridiculous bargain considering how much we’ve already invested in DARPA and other MIC-development of exoskeletons with nothing commercial to show for it. Perhaps we should choose to fund more NSF grants instead of DOD research?

Patches and more patches — Cisco, Android, Microsoft

Dudes behaving badly

  • Former Secret Service agent involved in the Silk Road investigation and later charged with theft of $800K in Bitcoins has been arrested just one day before he was to begin serving his sentence for theft. This Silk Road stuff is a movie or cable series waiting to happen.
  • Massachusetts Rep. Katherine Clark, who proposed the Interstate Swatting Hoax Act last November, was swatted this weekend. Fortunately, the local police used a low-key approach to the hoax call. Way to make the case for the bill’s passage, swatters, let alone increased law enforcement surveillance.

I know I’ve missed something I meant to post, but I’ll choose to post it tomorrow and crawl back into my nest this morning to avoid my shadow. In the meantime, don’t drive angry!

A Whole Lot of Inspector General Scrutiny on Intelligence Community Networks

Between this report, released today, on DOD Inspector General’s ongoing work and the Intelligence Community’s Inspector General Semiannual report, released in mid-January, the Intelligence Community is doing a whole bunch of audits and inspections of its own network security, some of them mandated by Congress. And there are at least hints that all is not well in the networks that enable the Intelligence Community to share profusely.

The most interesting description of a report from ICIG’s Semiannual review, for example, suggests that, given the IC’s recent move to share everything on an Amazon-run cloud, the bad security habits of some elements of the IC are exposing other elements within the IC.

AUD-2015-006: Transition to the Intelligence Community Cloud Audit

The DNI, along with Intelligence Community leadership, determined that establishing a common IT architecture across the IC could advance intelligence integration, information sharing, and enhance security while creating efficiencies. This led to the Intelligence Community Information Technology Enterprise, an IC-wide initiative coordinated through the Office of the Intelligence Community Chief Information Officer. IC ITE’s sharing capability is enabled by a cloud-based architecture known as the IC Cloud – a secure resource delivering IT and information services and capabilities to the entire community. The cloud will allow personnel to share data, systems, and applications across the IC. The IC elements’ effective transition to the IC ITE cloud environment is key to achieving the initiative’s overarching goals and as such, systems working together in a cloud environment creates potential security concerns.

In particular, information system security risks or vulnerabilities to one IC element operating within IC ITE may put all IC elements at risk. Information from a joint IG survey of 10 IC elements suggested that the elements may have the differing interpretations of policies and requirements, or are not fully aware of their responsibilities for transitioning to the IC Cloud. As a result of these preliminary observations, IC IG initiated an audit that will: 1. Assess how the IC elements are planning to transition to the IC ITE Cloud environment; 2. Determine IC elements’ progress in implementing cloud transition plans; and, 3. Compare how IC elements are applying the risk management framework to obtain authorizations to operate on the IC Cloud. We plan to issue a report by the end of the first quarter of FY 2017. [my emphasis]

The IC is banking quite a bit on being able to share safely within the cloud. I would imagine that fosters a culture of turf war and recriminations for any vulnerabilities. It certainly seems that this report arises out of problems — or at least the identification of potential problems — arising from the move to the cloud. Note that this report won’t be completed until the end of this calendar year.

Then there’s this report, which was mandated in a classified annex of the Intelligence Authorization passed in December and, from the looks of things, started immediately.

Audit of Controls Over Securing the National Security Agency Network and Infrastructure (Project No. D2016-DOOORC-0072.000)

We plan to begin the subject audit in January 2016. Our objective is to determine whether initiatives implemented by the National Security Agency are effective to improve security over its systems, data, and personnel activities. Specifically, we will determine whether National Security Agency processes and technical controls are effective to limit privileged access to National Security Agency systems and data and to monitor privileged user actions for unauthorized or inappropriate activity. The classified annex to accompany H.R. 2596, the Intelligence Authorization Act for Fiscal Year 2016, contained a Department of Defense Inspector General classified reporting requirement. This audit is the first in a series. We will consider suggestions from management on additional or revised objectives.

It seems to be an assessment — the first in a series — of whether limits on privileged access to NSA systems are working. This may well be a test of whether the changes implemented after the Snowden leak (such as requiring two parties to be present when performing functions in raw data, such as required on dragnet intake) have mitigated what were some obviously huge risks.

I’m mostly curious about the timing of this report. You would have thought the implementation of such controls would come automatically with some kind of audit, but they’re just now, 2.5 years later, getting around to that.

Here are some other reports from the ICIG report, the latter three of which indicate a real focus on information sharing.

AUD-2015-007: FY 2015 Consolidated Federal Information Security Modernization Act of 2014 Capstone Reports for Intelligence Community Elements’ Inspectors General

This project will focus on FY 2015 FISMA report submissions from the OIGs for the IC elements operating or exercising control of national security systems. We will summarize 11 IC elements’ information security program strengths and weaknesses; identify the cause of the weaknesses in these programs, if noted by the respective OIGs; and provide a brief summary of the recommendations made for IC information security programs. To perform this evaluation, we will apply the Department of Homeland Security FY 2015 IG FISMA metrics for ten information security program areas.

1. Continuous Monitoring Management
2. Security Configuration Management
3. Identity and Access Management
4. Incident Response and Reporting
5. Risk Management
6. Security Training
7. Plan of Action and Milestones
8. Remote Access Management
9. Contingency Planning
10. Contractor Systems

We will issue our report by the end of the first quarter of FY 2016.

INS-2015-004: Inspection: Office of the Intelligence Community Chief Information Officer

The IC CIO is accountable for overall formulation, development, and management of the Intelligence Community Information Technology Enterprise. The scope of our review was limited and informed by a concurrent IC IG Audit survey of IC ITE, as well as an ongoing evaluation of IC ITE progress by the ODNI Systems and Resources Analyses office. Additional details of this report are in the classified annex.

INS-2015-005: Joint Evaluation of Field Based Information Sharing Entities

Along with our OIG partners at the Departments of Justice and Homeland Security, we are evaluating federally supported entities engaged in field-based domestic counterterrorism, homeland security, and information sharing activities in conjunction with state, tribal, and local law enforcement agencies. This review is in response to a request from Senate committees on Intelligence, Judiciary, Homeland Security and Governmental Affairs. We will issue our report during FY 2016.

INS-2015-006: Inspection: ODNI Office of the Program Manager–Information Sharing Environment

We last inspected the ODNI PM-ISE office in 2013 and are conducting a follow-up review with a focus on resource management.
