Posts

Three Things: Still Active Measures

[Note the byline. This post contains some speculative content. / ~Rayne]

Whether counter-arguments or conspiracy theories, it’s interesting how certain narratives are pushed when tensions rise. But are they really theories or conditioning? And if conditioning, could other media infrastructure changes create more successful conditioning?

~ 3 ~

In an interview with Fox News post-Helsinki summit, Vladmir Putin made a point of blaming the Democratic Party for “manipulations of their party.”

…“The idea was about hacking an email account of a Democratic candidate. Was it some rigging of facts? Was it some forgery of facts? That’s the important thing that I am trying to — point that I’m trying to make. Was this — any false information planted? No. It wasn’t.”

The hackers, he said, entered “a certain email account and there was information about manipulations conducted within the Democratic Party to incline the process in favor of one candidate.” …

Have to give Putin props for sticking with a game plan — increase friction within the American left and fragment Democratic Party support to the benefit of Trump and the Republican Party at the polls and ultimately Putin himself if sanctions are lifted. Christopher Steele indicated in the Trump-Russia dossier that the Kremlin was using active measures to this effect in 2016 to widen the divide between Sanders and Clinton supporters; apparently left-splitting active measures continue.

But this is only part of an attack on the Democratic Party; another narrative undermines both the DNC and the FBI by questioning the investigation into the DNC’s hacking. Why didn’t the FBI take possession of the server itself rather than settle for an image of the system? A key technical reason is that any RAM-resident malware used by hackers will disappear into the ether if the machine is turned off; other digital footprints found only in RAM memory would likewise disappear. “The server” isn’t one machine with a single hard drive, either, but 140 devices — some of which were cloud-based. Not exactly something the FBI can power down and take back to a forensic lab with ease, especially during the hottest part of a campaign season.

But these points are never effectively made as a counter narrative, though some have tried with explainers, and certainly not featured in broadcast or cable news programs. The doubt is left to hang in the public’s consciousness, conditioning them to question FBI’s competence and the validity of their investigative work.

If Putin is still using active measures to divide Democratic Party voters, is it possible this narrative about the hacked DNC server is also an ongoing active measure? What if the active measure isn’t meant to undermine the FBI by questioning its actions? What if instead the lingering doubt is intended to shape future investigations into hacked materials which may also rely on server images rather than physical possession of the hardware? What if this active measure is pre-crime, intended to tamper with future evidence collection?

~ 2 ~

I’d begun drafting this post more than a week ago, but came to a halt when FCC chair Ajit Pai did something surprisingly uncorrupt by putting the brakes on the Sinclair-Tribune merger.

Sinclair Broadcast Group is a propaganda outlet masquerading as a broadcast media company. The mandatory airing of Boris Epsteyn’s program across all Sinclair stations offers evidence of Sinclair’s true raison d’etre; Epsteyn is a Russian-born former GOP political strategist who has been responsible for messaging in both the McCain-Palin campaign and the Trump administration, including the egregious 2017 Holocaust Remembrance Day statement which omitted any mention of Jews. The mandatory statement Sinclair management forced its TV stations to air earlier this year about “fake news” is yet another. The forced ubiquity and uniformity of messaging is a new element at Sinclair, which already had a history of right-wing messaging including the attempt to run a Kerry-bashing political movie to “swiftboat” the candidate just before the 2004 elections.

Sinclair and Tribune Media announced a proposed acquisition deal last May. If approved, the completed acquisition would give Sinclair access to 72% of U.S. homes — an insanely large percentage of the local broadcast TV market effectively creating a monopoly. There was bipartisan Congressional pushback about this deal because of this perceived potential monopoly.

FCC’s Ajit Pai wanted to relax regulations covering UHF stations — they would be counted as less than a full VHF station and therefore appear to reduce ownership of marketshare. Democrats protested this move as it offered Sinclair unfavorable advantage when evaluating stations it would acquire or be forced to sell during its Tribune acquisition.

Fortunately, Pai had “serious concerns” about the Sinclair-Tribune deal:

We have no idea to which administrative judge this deal may be handed, let alone their sentiments on media consolidation. We don’t know if this judge might be Trump-friendly and rule in favor of Sinclair, taking this horror off Ajit Pai’s back — which might be the real reason Pai punted after his egregious handling of net neutrality and the pummeling he’s received for it, including the hacking of the FCC’s comments leading up to his decision to end Obama-era net neutrality regulations and subsequent “misleading” statements to the media about the hack. New York State is currently investigating misuse of NY residents’ identities in the hack; one might wonder if Pai is worried about any personal exposure arising from this investigation.

BUT WAIT…the reason I started this post began not in New York but in the UK, after reading that Remain turnout may have been suppressed by news reports about “travel chaos,” bad weather, and long lines at the polls. Had the traditional media played a role in shaping turnout with its reporting?

I went looking for similar reports in the U.S. — and yes, news reports of long lines may have discouraged hundreds of thousands of voters in Florida in 2012. This wasn’t the only location with such reports in the U.S. during the last three general elections; minority voters are also far more likely to experience these waits than voters in majority white areas.

Probabilistic reports about a candidate’s win/loss may also suppress turnout, according to a Pew Research study.

Think about low-income voters who can’t afford cable TV or broadband internet, or live in a rural location where cable TV and broadband internet isn’t available. What news source are they likely to rely upon for news about candidates and voting, especially local polling places?

Hello, local broadcast network television station.

Imagine how voter turnout could be manipulated with reports of long lines and not-quite-accurate probabilistic reports about candidates and initiatives.

Imagine how a nationwide vote could be manipulated by a mandatory company-wide series of reports across a system of broadcast TV stations accessing 72% of U.S. homes.

How else might a media company with monopolistic access to American households condition the public’s response to issues?

~ 1 ~

There was all kinds of hullabaloo about the intersection of retiring Justice Anthony Kennedy, his son Justin, and Justin’s employment at Deutsche Bank at the same time DB extended financing to Donald Trump. It looks bad on the face of it.

And of course one prominent defense-cum-fact-check portrays Justin’s relationship to DB’s loans to Trump as merely administrative:

The extent to which Kennedy worked with Trump on this loan, or possibly on other Deutsche Bank matters, is unclear. “In that role, as the trader, he would have no contact with Trump … unless Eric [Schwartz] was trying to get Justin in front of Trump for schmoozing reasons,” Offit said, adding that he had recently spoken with former colleagues at the bank about Kennedy’s work.

Seems odd there has been little note made of Jared Kushner’s relationship with LNR Partners LLC — a company which Manta says has only 17 employees — and its subsidiary LNR Property which financed the Kushner 666 Fifth Avenue property in 2012. There was a report in Medium and another on DailyKos but little note made in mainstream news media.

I’m sure it’s just a coincidence that along with his business partner, Justin Kennedy was named 26th on the 50 Most Important People in Commercial Real Estate Finance in 2013 by the Commercial Observer — a publication of Observer Media, then owned by Jared Kushner.

I wonder what Justin’s rank was on this list while he worked at Deutsche Bank (also with current business partner Toby Cobb).

How odd this deal and the relationship wasn’t defended. I guess it’s just coincidence all the amphibians and reptiles know each other well in the swamp.

~ 0 ~

Let’s not forget:

587 Puerto Rican homes still don’t have electricity.

All asylum seeking families haven’t been reunited. Children may still be in danger due to poor care and lack of adequate tracking. As of yesterday only 364 children of more than 2500 torn from their families were reunited.

Treat this as an open thread.

Three Things: It’s All About the Cable, Mabel. Oh, and the Mooch

If last night’s Twitter timeline was any measure, folks have a LOT to say about premium cable programming let alone the cable television industry. Add the crazy surrounding White House communications and it’s best if I just get out of the way and run like hell.

~ 3 ~

I simply can’t write fast enough or better about the situation than many folks have on Twitter already.

Basta.

~ 2 ~

Crazy amount of chatter about cable networks and M&A. Biggest stories:

Discovery to buy HGTV’s owner Scripps because of Scripps’ audience demographics — heavily weighted toward women.

Charter Communications will not merge with Sprint to expand into cell phone business; it already has a reseller agreement with Verizon.

However, Japan’s Softbank, Sprint’s parent, is interested in buying Charter Communications. This deserves debate in Congress as well as CFIUS review. There’s a reason why Charter isn’t Cable but Communications now; do we want additional foreign ownership of another communications network even if it isn’t fully into the cell phone business (yet)?

Should note here that a beef I have with my GOP representative on regulating cable networks is on this very point. Rep-who-will-not-be-named sent a pro forma response spouting what is probably party line: FTC has always regulated cable, shouldn’t increase regulation by allowing cable to be regulated by FCC.

Except that cable isn’t just a series of tubes distributing entertainment content. It’s also a series of tubes carrying our communications.

Again, do we want to allow foreign ownership of these particular communications tube in addition to existing cell phone network ownership?

~ 1 ~

By now you may have heard HBO’s most popular series, Game of Thrones, may have been affected by a breach of the cable network’s system. Based on conflicting reports, it’s not clear what was stolen from HBO, though unlike other recent hacks HBO itself was attacked and not a content creator/producer. It may sound reminiscent of the Sony Entertainment hack but HBO is nowhere as leaky as Sony.

Will winter still come after this hack? You’ll have to tell me — this isn’t a series I follow.

~ 0 ~

There you have it, your next open thread. Trump-Russia stuff in the last one, please. Everything else here.

Minority Report: An Alternative Look at NotPetya

NB: Before reading:

1) Check the byline — this is NotMarcy;

2) Some of this content is speculative;

3) This is a minority report; I’m not on the same paragraph and perhaps not the same page with Marcy.

Tuesday’s ‘Petya/Petna/NotPetya’ malware attacks generated a lot of misleading information and rapid assumptions. Some of the fog can be rightfully blamed on the speed and breadth of infection. Some of it can also be blamed on the combined effect of information security professionals discussing in-flight attacks in full view of the public who make too many assumptions.

There’s also the possibility that some of the confusing information may have been deliberately generated to thwart too-early intervention. If this isn’t criminal hacking but cyber warfare, propaganda should be expected as in all other forms of warfare. Flawed assumptions, too, can be weaponized.

A key assumption worth re-examining is that Ukraine was NotPetya’s primary target rather than collateral damage.

After the malware completed its installation and rebooted an infected machine, a message indicated files had been encrypted and payment could be offered for decryption.

Thousands of dollars were paid $300 at a time in cryptocurrency but a decryption key wouldn’t be forthcoming. Users who tried to pay the ransom found the contact email address hosted by Posteo.net had been terminated. The email service company was unhelpful bordering on outright hostile in its refusal to assist users contacting the email account holder. It looked like a ransom scam gone very wrong.

As Marcy noted in her earlier post on NotPetyna, information security expert Matt Suiche posted that NotPetya was a wiper and not ransomware. The inability of affected users to obtain decryption code suddenly made perfect sense. ‘Encrypted’ files are never going to be opened again.

It’s important to think about the affected persons and organizations and how they likely responded to the infection. If they didn’t already have a policy in place for dealing with ransomware, they may have had impromptu meetings about their approach; they had to buy cryptocurrency, which may have required a crash DIY course in how to acquire it and how to make a payment — scrambling under the assumption they were dealing with ransomware.

It all began sometime after 10:30 UTC/GMT — 11:30 a.m. London (BDT), 1:30 p.m. Kyiv and Moscow local time, even later in points across Russia farther east.

(And 4:30 a.m. EDT — well ahead of the U.S. stock market, early enough for certain morning Twitter users to tweet about the attack before America’s work day began.)

The world’s largest shipping line, Maersk, and Russia’s largest taxpayer and oil producer Rosneft tweeted about the attack less than two hours after it began.

By the end of the normal work day in Ukraine time, staff would only have just begun to deal with the ugly truth that the ransom may have been handed off and no decryption key was coming.

As Marcy noted, June 28th is a public holiday in Ukraine — Constitution Day. I hope IT folks there didn’t have a full backup scheduled to run going into the holiday evening — one that might overwrite a previous full backup.

The infection’s spread rate suggested early on that email was not the only means of transmission, if it had been spread at all by spearfishing. But many information security folks advocated not opening any links in email. A false sense of security may have aided the malware’s dispersion; users may have thought, “I’m not clicking on anything, I can’t get it!” while their local area network was being compromised.

And then it hit them. While affected users sat at their machines reading fake messages displayed by the malware, scrambling to get cryptocurrency for the ransom, NotPetya continued to encrypt files under their noses and spread across business’s local area networks. Here’s where Microsoft’s postmortem is particularly interesting; it not only gives a tick-tock of the malware’s attack on a system, but it lists the file formats encrypted.

Virtually everything a business would use day to day was encrypted, from Office files to maps, website files to emails, zip archives and backups.

Oh, and Oracle files. Remember Oracle pushed a 299 vulnerability mega-patch on April 19, days after ShadowBrokers dumped some NSA tools? Convenient, that; these vulnerabilities were no longer a line of attack except through file encryption.

While information security experts have done a fine job tackling a many-headed hydra ravaging businesses, they made some rather broad assumptions about the reason for the attack. Kaspersky concluded the target was Ukraine since ~60% of infected devices were located there though 30% were located in Russia. But the malware’s aim may not have been the machines or even the businesses affected in Ukraine.

What did those businesses do? What they did required tax application software MEDoc. If the taxes to be calculated were based on business’s profits — (how much did they make) X (tax rate) — they hardly needed tax software. A simple spreadsheet would suffice, or the calculation would be built into accounting software.

No, the businesses affected by the malware pushed at 10:30 GMT via MEDoc update would be those which sold goods or services frequently, on which sales tax would have been required for each transaction.

What happens when a business’s sales can’t be documented? What happens when their purchases can’t be documented, either?

Which brings me to the affected Russian businesses, specifically Rosneft. There’s not much news published in English detailing the impact on Rosneft; we’ve only got Kaspersky’s word that 30% of infections affected Russian machines.

But if Rosneft is the largest public oil company in the world, Russia’s largest taxpayer as Rosneft says on their Twitter profile, it may not take very many infections to wreak considerable damage on the Russian economy. Consider the ratio of one machine invoicing the shipment of entire ocean tanker of oil versus many machines billing heating oil in household-sized quantities.

And if Rosneft oil was bought by Ukraine and resold to the EU, Ukraine’s infected machines would cause a delay of settlements to Russia especially when Rosneft must restore its own machines to make claims on Ukrainian customers.

The other interesting detail in this malware story is that the largest container line in the world, Maersk, was also affected. You may have seen shipping containers on trucks, trains, in shipyards and on ships marked in bold block letters, MAERSK. What you probably haven’t seen is Maersk’s energy transport business.

This includes shipping oil.

It’s not Ukraine’s oil Maersk ships; most of what Ukraine sells is through pipelines running from Russia in the east and mostly toward EU nations in the west.

It’s Russian oil, probably Rosneft’s, shipping overseas. If it’s not in Maersk container vessels, it may be moving through Maersk-run terminal facilities. And if Maersk has no idea what is shipping, where it’s located, when it will arrive, it will have a difficult time settling up with Rosneft.

Maersk also does oil drilling — it’s probably not Ukraine to whom Maersk may lease equipment or contract its services.

Give the potential damage to Russia’s financial interests, it seems odd that Ukraine is perceived as the primary target.

 

NotPetya’s attack didn’t happen in a vacuum, either.

A report in Germany’s Die Welt reported the assassination of Ukraine’s chief of intelligence by car bomb. The explosion happened about the same time that Ukraine’s central bank reported it had been affected by NotPetya — probably a couple hours after 10:30 a.m. GMT.

On Monday, privately-owned Russian conglomerate Sistema had a sizable chunk of assets “arrested” — not seized, but halted from sale or trading — due to a dispute with Rosneft over $2.8 billion dollars. Rosneft claims Sistema owes it money from the acquisition of oil producer Bashneft, owned by Sistema until 2014. Some of the assets seized included part of mobile communications company MTS. It’s likely this court case Rosneft referred to in its first tweet related to NotPetya.

The assassination’s timing makes the cyber attack look more like NotPetya was a Russian offensive, but why would Russia damage its largest sources of income and mess with its cash flow? The lawsuit against Sistema makes Rosneft appear itchy for income — Bashneft had been sold to the state in 2014, then Rosneft bought it from the state last year. Does Rosneft need this cash after the sale (or transfer) of a 19.5% stake worth $10.2 billion last year?

Worth noting here that Qatar’s sovereign wealth fund financed the bulk of the deal; commodities trader Glencore only financed 300 million euros of this transaction. How does the rift between other Middle Eastern oil states and Qatar affect the value of its sovereign wealth fund?

In her previous post, Marcy spitballed about digital sanctions — would they look like NotPetya? I think so. I can’t help recall this bit at the end of the Washington Post’s opus on Russian election interference published last week on June 23:

But Obama also signed the secret finding, officials said, authorizing a new covert program involving the NSA, CIA and U.S. Cyber Command.

[…]

The cyber operation is still in its early stages and involves deploying “implants” in Russian networks deemed “important to the adversary and that would cause them pain and discomfort if they were disrupted,” a former U.S. official said.

The implants were developed by the NSA and designed so that they could be triggered remotely as part of retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race.

I’m sure it’s just a coincidence that NotPetya launched Tuesday this week. This bit reported in Fortune is surely a coincidence, too:

The timing and initial target of the attack, MeDoc, is sure to provoke speculation that an adversary of Ukraine might be to blame. The ransomware hid undetected for five days before being triggered a day before a public Ukrainian holiday that celebrates the nation’s ratification of a new constitution in 1996.

“Last night in Ukraine, the night before Constitution Day, someone pushed the detonate button,” said Craig Williams, head of Cisco’s (CSCO, +1.07%) Talos threat intelligence unit. “That makes this more of a political statement than just a piece of ransomware.” [boldface mine]

Indeed.

Two more things before this post wraps: did anybody notice there has been little discussion about attribution due to characters, keyboards, language construction in NotPetya’s code? Are hackers getting better at producing code without tell-tale hints?

Did the previous attacks based on tools released by the Shadow Brokers have secondary — possibly even primary — purposes apart from disruption and extortion? Were they intended to inoculate enterprise and individual users before a destructive weapon like NotPetya was released? Were there other purposes not obvious to information security professionals?

Penetrated: Today’s Senate Intelligence Committee Hearing on Russian Interference in the 2016 U.S. Elections

If you didn’t catch the Senate Intelligence Committee hearing on Russian influence on 2016 U.S. election on live stream, you should try to catch a replay online. I missed the first panel but caught the second when University of Michigan Prof. J. Alex Halderman began his testimony with his opening statement.

The same Halderman who questioned the 2016 election could have been hacked based on his expertise.

The same Halderman who hacked a voting machine to play Pac Man.

When asked if it was possible Russia could change votes, Halderman told the SIC that he and a team of students demonstrated they were able to hack DC’s voting system, change votes, and do so undetected in under 48 hours. Conveniently, Fox News interviewed Halderman last September; Halderman explained the DC hack demonstration at that time (see embedded video); the interview fit well with Trump’s months-long narrative that the election was ‘rigged’.

If you aren’t at least mildly panicked after watching the second panel’s testimony and reading Halderman’s statement, you’re asleep or dead, or you just plain don’t care about the U.S.’ democratic system.

Contrast and compare this Senate hearing to the House Intelligence Committee’s hearing with former DHS Secretary Jeh Johnson as a witness. Johnson sent out numerous messages last year expressing his concerns about election integrity, but after listening to the second Senate panel, Johnson should have been hair-on-fire (it’s figure of speech, go with it). But the Obama administration erred out of some twisted sense of heightened sensibility about appropriateness (which would have been better suited to its policies on drone use and domestic surveillance). The excess of caution feels more like foot dragging when viewed through the lens of time and Johnson’s testimony.

Early in the hearing, Johnson as well as DHS witnesses Jeanette Manfra and Samuel Liles said there was no evidence votes were changed. It’s important to note, though, that Johnson later clarifies in a round about way there was no way to be certain of hacking at that time (about 1:36:00-1:41:00 in hearing). I find it incredibly annoying Johnson didn’t simply defer to information security experts about the possibility there may never be evidence even if there were hacks; it’s simply not within in his skill set or experience then or now to say with absolute certainty based on forensic audit there was no evidence of votes changed. Gathering that evidence never happened because federal and state laws do not provide adequately for standardized full forensic audits before, during, or after an election.

Halderman’s SIC testimony today, in contrast, makes it clear our election system was highly vulnerable in many different ways last November.

Based on the additional testimony of a representative of National Association of State Election Directors, the President-Elect of National Association of Secretaries of State (NASS) & Secretary of State, Executive Director of Illinois State Board of Elections Illinois — whose combined testimony revealed lapses in communication between federal, state, and local government combined with gaps in information security education — the election system remains as vulnerable today as it was last autumn.

Nothing in either of these two hearings changed the fact we’ve been penetrated somewhere between 21 and 39 times. Was it good for you?

Monday: A Border Too Far

In this roundup: Turkey, pipelines, and a border not meant to be crossed.

It’s nearly the end of the final Monday of 2016’s General Election campaign season. This shit show is nearly over. Thank every greater power in the universe we made it this far through these cumulative horrors.

Speaking of horrors, this Monday’s movie short is just that — a simple horror film, complete with plenty of bloody gritty gore. Rating on it is mature, not for any adult content but for its violence. The film is about illegal immigrants who want more from life, but it plays with the concepts of alien identity and zombie-ism. Who are the illegals, the aliens, the zombies? What is the nature of the predator and their prey? Does a rational explanation for the existence of the monstrous legitimize the horror they perpetuate in any way?

The logline for this film includes an even shorter tag line: Some borders aren’t meant to be crossed. This is worth meditating on after the horrors we’ve seen this past six months. Immigrants and refugees aren’t the monsters. And women aren’t feeble creatures to be marginalized and counted out.

Should also point out this film’s production team is mostly Latin American. This is the near-future of American storytelling and film. I can’t wait for more.

Tough Turkey
The situation in Turkey is extremely challenging, requiring diplomacy a certain Cheeto-headed candidate is not up to handling and will screw up if he places his own interests ahead of that of the U.S. and the rest of the world.

  • Luxembourg’s foreign minister compares Erdoğan’s purge to Nazi Germany (Deutsche Welle) — Yeah, I can’t argue with this when a political party representing an ethnic minority and a group sharing religious dogma are targeted for removal from jobs, arrest and detention.
  • Op-Ed: Erdoğan targeting critics of all kinds (Guardian) — Yup. Media, judges, teachers, persons of Kurdish heritage or Gulenist religious bent, secularists, you name it. Power consolidation in progress. Democracy, my left foot.
  • HDP boycotts Turkish parliament after the arrest of its leaders (BBC) — Erdoğan claimed the arrested HDP leaders were in cahoot with the PKK, a Kurdish group identified as a terrorist organization. You’ll recall HDP represents much of Turkey’s Kurdish minority. But Erdoğan also said he doesn’t care if the EU calls him a dictator; he said the EU abets terrorism. Sure. Tell the cities of Paris and Brussels that one. Think Erdoğan has been taking notes from Trump.
  • U.S. and Turkish military leaders meet to work out Kurd-led ops against ISIS (Guardian) — Awkward. Turkish military officials were still tetchy about an arrangement in which Kurdish forces would act against ISIS in Raqqa, Syria, about 100 miles east of Aleppo. The People’s Protection Units (YPG) militia — the Kurdish forces — will work in concert with Arab members of Syrian Democratic Forces (SDF) coalition in Raqqa to remove ISIS. Initial blame aimed at the PKK for a car bomb after HDP members were arrested heightened existing tensions between Erdoğan loyalists and the Kurds, though ISIS later took responsibility for the deadly blast. Depending on whose take one reads, the Arab part of SDF will lead the effort versus any Kurdish forces. Turkey attacked YPG forces back in August while YPG and Turkey were both supposed to be routing ISIS.

In the background behind Erdoğan’s moves to consolidate power under the Turkish presidency and the fight to eliminate ISIS from Syria and neighboring territory, there is a struggle for control of oil and gas moving through or by Turkey.

Russia lost considerable revenue after oil prices crashed in 2014. A weak ruble has helped but to replace lost revenue based on oil’s price, Russia has increased output to record levels. Increase supply only reduces price, especially when Saudi Arabia, OPEC producers, and Iran cannot agree upon and implement a production limit. If Russia will not likewise agree to production curbs, oil prices will remain low and Russia’s revenues will continue to flag.

Increasing pipelines for both oil and gas could bolster revenues, however. Russia can literally throttle supply near its end of hydrocarbon pipelines and force buyers in the EU and everywhere in between to pay higher rates — the history of Ukrainian-Russian pipeline disputes demonstrates this strategy. Bypassing Ukraine altogether would help Russia avoid both established rates and conflict there with the west. The opportunities encourage Putin to deal with Erdoğan, renormalizing relations after Turkey shot down a Russian jet last November. Russia and Turkey had met in summer of 2015 to discuss a new gas pipeline; they’ve now met again in August and in October to return to plans for funding the same pipeline.

A previous pipeline ‘war’ between Russia and the west ended in late 2014. This conflict may only have been paused, though. Between Russia’s pressure to sell more hydrocarbons to the EU, threats to pipelines from PKK-attributed terrorism and ISIS warfare near Turkey’s southwestern border, and implications that Erdoğan has been involved in ISIS’ sales of oil to the EU, Erdoğan may be willing to drop pursuit of EU membership to gain more internal control and profit from Russia’s desire for more hydrocarbon revenues. In the middle of all this mess, Erdoğan has expressed a desire to reinstate the death penalty for alleged coup plotters and dissenters — a border too far for EU membership since death penalty is not permitted by EU law.

This situation requires far more diplomatic skill than certain presidential candidates will be able to muster. Certainly not from a candidate who doesn’t know what Aleppo is, and certainly not from a candidate who thinks he is the only solution to every problem.

Cybery miscellany

That’s it for now. I’ll put up an open thread dedicated to all things election in the morning. Brace yourselves.

‘Picking on’ Volkswagen: Why Follow Dieselgate?

[photo: macwagen via Flickr]

[photo: macwagen via Flickr]

One of our commenters described my attention to Dieselgate as ‘picking on’ Volkswagen. It’s not as if there haven’t been scandalous problems with other automotive industry manufacturers, like General Motors’ ignition switches or Takata’s airbag failures, right?

But Volkswagen earns greater attention here at this site because:

1) A critical mass of emptywheel readers are not familiar with the automotive industry, let alone manufacturing; they do not regularly follow automotive news. Quite a number are familiar with enterprise information security, but not car manufacturing or with passenger vehicle security. Many of the readers here are also in policy making, law enforcement, judiciary — persons who may influence outcomes at the very beginning or very end of the product manufacturing life cycle.

2) This is the first identified* multi-year incidence in which an automotive industry manufacturer using computer programming of a street-ready vehicle to defraud consumers and willfully violate multiple U.S. laws. This willfulness wholly separates the nature of this risk from other passenger vehicle vulnerabilities, ex: Fiat Chrysler’s hackable Uconnect dashboard computers or Nissan’s unprotected APIs for keyless remotes. (These latter events arose from inadequate info security awareness though responsiveness of vehicle manufacturers after notification may be in question.)

3) Volkswagen Group is the single largest passenger vehicle manufacturer in Europe. This isn’t a little deal considering half of all passenger vehicles in Europe are diesel-powered. Health and environmental damage in the U.S. from 600,000 passenger diesels has been bad enough; it’s taking lives in the tens of thousands across Europe. 75,000 premature deaths in 2012 alone were attributed to urban NO2 exposures, the source of which is diesel engines. It was testing in the U.S. against U.S. emissions standards which brought VW’s ‘cheating’ to light making it impossible for the EU to ignore any longer. The environmental damage from all Volkswagen passenger diesels combined isn’t localized; these additional non-compliant emissions exacerbate global climate change.

These are the reasons why Dieselgate deserved heightened scrutiny here to date — but the reasons why this scandal merits continued awareness have everything to do with an as-yet unrealized future.

We are on the cusp of a dramatic paradigm shift in transportation, driven in no small part by the need for reduced emissions. Development and implementation of battery-powered powertrains are tightly entwined with artificial intelligence development for self-driving cars. Pittsburgh PA is already a testing ground for a fleet of self-driving Uber vehicles; Michigan’s state senate seeks changes to the state’s vehicle code to permit self-driving cars to operate without a human driver to intervene.

All of this represents a paradigm shift in threats to the public on U.S. highways. Self-driving car makers and their AI partners claim self-driving vehicles will be safer than human-driven cars. We won’t know what the truth is for some time, whether AI will make better decisions than humans.

But new risks arise:

  • An entire line of vehicles can pose a threat if they are programmed to evade laws, ex: VW’s electronic control unit using proprietary code which could be manipulated before installation. (Intentional ‘defect’.)
  • An entire line of vehicles can be compromised if they have inherent vulnerabilities built into them, ex: Fiat Chrysler’s Uconnect dashboard computers. (Unintentional ‘defect’.)

Let’s ‘pick on’ another manufacturer for a moment: imagine every single Fiat Chrysler/Dodge/Jeep vehicle on the road in 5-10 years programmed to evade state and federal laws on emissions and diagnostic tests for road-worthiness. Imagine that same programming exploit used by criminals for other means. We’re no longer looking at a mere hundred thousand vehicles a year but millions, and the number of people at risk even greater.

The fear of robots is all hype, until one realizes some robots are on the road now, and in the very near future all vehicles will be robots. Robots are only as perfect as their makers.

An additional challenge posed by Volkswagen is its corporate culture and the deliberate use of a language barrier to frustrate fact-finding and obscure responsibility. Imagine now foreign transportation manufacturers not only using cultural barriers to hide their deliberate violation of laws, but masking the problems in their programming using the same techniques. Because of GM’s labyrinthine corporate bureaucracy, identifying the problems which contributed to the ignition switch scandal was difficult. Imagine how much more cumbersome it would be to tease out the roots if the entire corporate culture deliberately hid the source using culture, even into the coding language itself? Don’t take my word for how culture is used to this end — listen to a former VW employee who explains how VW’s management prevaricates on its ‘involvement’ in Dieselgate (video at 14:15-19:46).

Should we really wait for another five to 10 years to ‘pick on’ manufacturers of artificially intelligent vehicles — cars with the ability lie to us as much as their makers will? Or should we look very closely now at the nexus of transportation and programming where problems already occur, and create effective policy and enforcement for the road ahead?
_________
* A recent additional study suggests that Volkswagen Group is not the only passenger diesel manufacturer using emissions controls defeats.

Monday: A Different Ark

[Caution: some content in this video is NSFW] Today’s Monday Movie is a short film by Patrick Cederberg published three years ago. This short reflects the love life of a youth whose age is close to that of my two kids. A few things have changed in terms of technology used — I don’t think either Facebook or Chatroulette is as popular now with high school and college students as it was, but the speed of internet-mediated relationships is the same. It’s dizzying to keep up with kids who are drowning in information about everything including their loved ones.

Their use of social media to monitor each other’s commitment is particularly frightening; it’s too easy to misinterpret content and make a snap decision as this movie shows so well. Just as scary is the ease with which one may violate the privacy of another and simply move on.

Imagine if this youngster Noah had to make a snap decision about someone with whom they weren’t emotionally engaged. Imagine them using their lifetime of video gaming and that same shallow, too-rapid decision-making process while piloting a drone.

Boom.

Goodness knows real adults with much more life experience demonstrate bizarre and repeated lapses in judgment using technology. Why should we task youths fresh out of high school and little education in ethics and philosophy with using technology like remote surveillance and weaponized drones?

Speaking of drones, here’s an interview with GWU’s Hugh Gusterson on drone warfare including his recommendations on five of books about drones.

A, B, C, D, USB…

  • USBKiller no longer just a concept (Mashable) –$56 will buy you a USB device which can kill nearly any laptop with a burst of electricity. The only devices known to be immune: those without USB ports. The manufacturer calls this device a “testing device.” Apparently the score is Pass/Fail and mostly Fail.
  • Malware USBee jumps air-gapped computers (Ars Technica) — Same researchers at Israel’s Ben Gurion University who’ve been working on the potential to hack air-gapped computers have now written software using a USB device to obtain information from them.
  • Hydropower charger for USB devices available in 2017 (Digital Trends) — Huh. If I’m going to do a lot of off-grid camping, I guess I should consider chipping into the Kickstarter for this device which charges a built-in 6,400mAh battery. Takes 4.5 hours to charge, though — either need a steady stream of water, or that’s a lot of canoe paddling.

Hackety-hack, don’t walk back

  • Arizona and Illinois state elections systems breached (Reuters) — An anonymous official indicated the FBI was looking for evidence other states may also have been breached. The two states experienced different levels of breaches — 200K voters’ personal data had been downloaded from Illinois, while a single state employee’s computer had been compromised with malware in Arizona, according to Reuters’ report. A report by CSO Online explains the breaches as outlined in an leaked FBI memo in greater detail; the attacks may have employed a commonly-used website vulnerability testing application to identify weak spots in the states’ systems. Arizona will hold its primary election tomorrow, August 30.
  • Now-defunct Australian satellite communications provider NewSat lousy with cyber holes (Australian Broadcasting Corp) — ABC’s report said Australia’s trade commission and Defence Science Technology Group have been attacked frequently, but the worst target was NewSat. The breaches required a complete replacement of NewSat’s network at a time when it was struggling with profitability during the ramp-up to launch the Lockheed Martin Jabiru-1 Ka-band satellite. China was named as a likely suspect due to the level of skill and organization required for the numerous breaches as well as economic interest. ABC’s Four Corners investigative reporting program also covered this topic — worth watching for the entertaining quotes by former CIA Director Michael Hayden and computer security consultant/hacker Kevin Mitnick in the same video.
  • Opera software users should reset passwords due to possible breach (Threatpost) — Thought users’ passwords were encrypted or hashed, the browser manufacturer still asks users to reset passwords used to sync their Opera accounts as the sync system “showed signs of an attack.” Norwegian company Opera Software has been sold recently to a Chinese group though the sale may not yet have closed.

That’s a wrap for now, catch you tomorrow! Don’t forget your bug spray!

Thursday: Only You

Sometimes when I go exploring for music I find something I like but it’s a complete mystery how it came to be. I can’t tell you much of anything about this artist — only that he’s German, he’s repped by a company in the Netherlands, and his genre is house/electronica. And that’s it, apart from the fact he’s got more tracks you can listen to on SoundCloud. My favorites so far are this faintly retro piece embedded here (on SoundCloud at Only You) and Fade — both make fairly mellow listening. His more popular works are a little more aggressive, like Gunshots and HWAH.

Caught a late summer bug, not firing on all cylinders. Here’s some assorted odds and ends that caught my eye between much-needed naps.

  • Infosec firm approached investment firm to play short on buggy medical devices (Bloomberg) — Jeebus. Bloomberg calls this “highly unorthodox,” but it’s just grossly unethical. Why didn’t this bunch of hackers at MedSec go to the FDA and the SEC? This is a shakedown where they get the market to pay them first instead of ensuring patients are protected and shareholders of St. Jude medical device manufacturer’s stock are appropriately informed. I call bullshit here — they’re trying to game the system for profit and don’t give a shit about the patients at risk. You know when the maximum payout would be? When patient deaths occurred and were reported to the media.
  • Apple iPhone users, update your devices to iOS 9.3.5 stat: serious malware designed to spy and gain control of iPhone found (Motherboard) — Hey look, a backdoor applied after the fact by a “ghost” government spyware company. The malware has been around since iPhone 5/iOS 7; it could take control of an iPhone and allow a remote jailbreak of the device. Interesting this Israeli spyware firm received a big chunk of cash from U.S. investor(s).
  • Apple filed for patent on unauthorized user biometric data collection system (AppleInsider) — If an “unauthorized user” (read: thief) uses an iPhone equipped with this technology, the device could capture a photo and fingerprint of the user for use by law enforcement. Not exactly rocket science to understand how this might be used by law enforcement remotely to assure a particular contact (read: target) is in possession of an iPhone, either. Keep an eye on this stuff.
  • India-France submarine construction program hacked (NDTV) — The Indian Navy contracted construction of (6) Scorpene-class submarines from French shipbuilder DCNS. Tens of thousands of pages of information from this classified project were leaked; the source of the documents appears to be DCNS, not India. The French government as well as India is investigating the hack, which is believed to be a casualty in “economic war.”
  • Hacking of Ghostbusters’ star Leslie Jones under investigation (Guardian) — Jones’ website and iCloud accounts were breached; initial reports indicated the FBI was investigating the matter, but this report says Homeland Security is handlng the case. Does this mean an overseas attacker has already been identified?
  • Taiwanese White hat hacker and open government activist named to digital policy role (HKFP) — Audrey Tang, programmer and consultant for Apple, will shift gears from private to public sector now that she’s been appointed an executive councillor for digital policy by Taiwan. Tang has been part of the Sunflower Student Movement which has demanded greater transparency and accountability on Cross-Strait Service Trade Agreement with China while resisting Chinese reunification.
  • Oops! Recent Google Apps outage caused by…Google? (Google Cloud) — Change management boo-boo borked an update; apparently engineers working on an App Engine update didn’t know software updates on routers was in progress while they performed some maintenance. Not good.
  • Gyroscope made of tiny atomic chamber could replace GPS navigation (NIST.gov) — A miniature cloud of atoms held in suspension between two states of energy could be used as a highly accurate mini-gyroscope. National Institute of Standards and Technology has been working a mini-gyro for years to provide alternate navigation in case GPS is hacked or jammed.
  • Tim Berners-Lee wants to decentralize the internet (Digital Trends) — The internet has centralized into corporate-owned silos of storage and activities like Facebook, Google and eBay. Berners-Lee, who is responsible for the development of browsing hyperlinked documents over a network, wants the internet to be spread out again and your data in your own control.

That’s enough to chew on for now. Hope to check in Friday if I shake off this bug.

Monday: Build That Wall

Poor Ireland. Poor Inishturk. To be forced to consider the onslaught of refugees fleeing political upheaval should one loud-mouthed, bigoted, multi-bankrupt idiot with bad hair win the U.S. presidency. I’m amused at how the Irish in this short film mirror the U.S. albeit in a more placid way. There are some who are ardently against him, some who’d welcome the business, and the rest cover the spread between the extremes though they lean more to the left than the right.

I find it appalling, though, that Trump would install a sea wall *now* after the golf course development has already been established, rather than do his homework upfront before investing in real estate which relies on natural dune formation. This kind of thoughtlessness is completely absurd, and the disgust evident in this film is well merited.

Keep your volume control handy; hearing Trump blathering may set your teeth on edge. Mute for a moment and continue.

Schtuff happens
I couldn’t pull a cogent theme out of the stuff crossing my desk today. I’m just laying it down — you see if you can make any sense out of it.

  • Ramen can get you killed in private prisons (Guardian) — The federal government may have to do more than simply stop using private prisons for federal criminal incarceration. This report by a doctoral candidate in the University of Arizona’s school of sociology suggests states’ prisons operated by private industry may be violating prisoners’ civil rights by starving them. Ramen noodles have become a hot commodity for this reason. Not exactly a beacon of morality to the rest of the free world when incarcerated citizens must scrap for ramen noodles to make up for caloric shortfalls.
  • World Anti-Doping Agency may have been attacked by same hackers who poked holes in the DNC (Guardian) — “Fancy Bear” allegedly had a fit of pique and defaced Wada after Russian athletes were banned at Rio. This stuff just doesn’t sound the same as the hacking of NSA-front Equation Group.
  • New Mexico nuclear waste accident among most costly to date (Los Angeles Times) — Substitution of an organic kitty litter product for a mineral product two years ago set off a chemical reaction un an underground waste storage area, contaminating 35% of the surrounding space. Projected clean-up costs are $2 billion — roughly the amount spent on Three Mile Island’s meltdown.
  • Build that wall! Americans blown ashore in Canada by high winds (CBC) — Participants riding flotation devices on the St. Clair River in the annual Port Huron Float Down were pushed by high winds into Sarnia, Ontario. About 1,500 Americans had to be rescued and returned to the U.S. by Canadian police, Coast Guard, and Border Service. Just a test to see if Canada’s ready for the influx of refugees should Trump win in November, right?
  • Paternity test reveals a father’s sperm actually made him an uncle (Independent) — Upon discovering a father’s DNA only matched 10% of his child’s DNA, further genetic ancestry revealed the ‘father’ had an unborn twin whose DNA he had absorbed in the womb. His twin’s DNA matched his child’s. This is not the first time paternity testing has revealed chimerism in humans.

Commute-or-lunch-length reads

  • Walmart is a crime magnet (Bloomberg) — Holy crap. Communities should just plain refuse to permit any more Walmarts until they clean up their act. Bloomberg’s piece is a virtual how-to-fix-your-bullshit task list; Walmart has zero excuses.
  • It’s in your body, what version is it running? (Backchannel) — Before the public adopts anymore wearable or implantable medical devices, they should demand open access to the code running inside them. It’s absurd a patient can’t tell if their pacemaker’s code is jacked up.
  • Dirty laundry at Deutsche Bank (The New Yorker) — This you need to read. Parasitic banking behavior comes in many forms — in this case, Deutsche Bank laundered billions.

There, we’re well on our way this week. Catch you tomorrow!

Friday: Smells Like

With the lights out, it’s less dangerous
Here we are now, entertain us
I feel stupid and contagious
Here we are now, entertain us
A mulatto, an Albino
A mosquito, my libido, yeah


— excerpt, Smells Like Teen Spirit by Nirvana

Been a rough week so I’m indulging myself with some double bass — and because it’s Friday, it’s jazz. This is 2009 Thelonious Monk Competition winner Ben Williams whose ‘Teen Spirit’ is both spirited and minimalist. Check out this set with Home and Dawn Of A New Day, the first embued with a hip-hoppy beatmaking rhythm.

More Shadows on the wall
While Marcy has some questions about the recent alleged Shadow Brokers’ hack of NSA-front Equation Group and malware staging servers, I have a different one.

Why is Cisco, a network equipment company whose equipment appears to have been backdoored by the NSA, laying off 20% of its workforce right now? Yeah, yeah, I hear there’s a downturn in networking hardware sales due to Brexit and the Chinese are fierce competitors and businesses are moving from back-end IT to the cloud, but I see other data that says 50-60% of ALL internet traffic flows through Cisco equipment and there are other forecasts anticipating internet traffic growth to double between now and 2020, thanks in part to more video streaming and mobile telecom growth replacing PCs. Sure, software improvements will mediate some of that traffic’s pressure on hardware, but still…there’s got to be both ongoing replacement of aging equipment and upgrades (ex: Southwest Airlines’ router-fail outage), let alone new sales, and moving the cloud only means network equipment is consolidated, not distributed. Speaking of new sales and that internet traffic growth, there must be some anticipation related to increased use of WiFi-enabled Internet of Things stuff (technical term, that — you know, like Philips’ Hue lighting and Google Nest thermostats and Amazon Echo/Alexa-driven services).

Something doesn’t add up. Or maybe something rolls up. I dunno’. There are comments out on the internet suggesting competitor Huawei is hiring — that’s convenient, huh?

AI and Spy

  • Data security firm working on self-tweeting AI (MIT Review) — The software can generate tweets more likely to illicit response from humans than the average phishing/spearphishing attempt. Seems a little strange that a data security company is working on a tool which could make humans and networks less secure, doesn’t it?
  • Toyota sinks a bunch of cash into AI project at U of Michigan (ReadWrite) — $22 million the automaker pledged to development of self-driving cars, stair-climbing wheelchairs and other mobility projects. Toyota has already invested in similar AI development programs at Stanford in Palo Alto, CA and MIT in Cambridge, MA. Funding academic research appears to be a means to avoid a bigger hit to the corporation’s bottom line if the technologies do not yield commercially viable technology.
  • Steganography developed to mask content inside dance music (MIT Review) — Warsaw University of Technology researcher co-opted the rhythm specific to Ibiza trance music genre. The embedded Morse code buried in rhythm could not be audibly detected by casual listeners as long as it did not distort the tempo by more than 2%.

Sci-like-Fi

  • New theory suggests fifth force of nature possible (Los Angeles Times) — The search for a “dark photon” may have led to a new theory explaining the existence and action of dark energy and dark matter, which together make up 95% of the universe. I admit I need to hunt down a better article on this; this one doesn’t make all the pieces snap into place for me. If you’ve seen a better one, please share in comments.
  • Sound wave-based black hole model may show Hawking radiation at work (Scientific American) — Can’t actually create a real black hole in the lab, but a model like this one created by an Israeli scientist using phonons (not photons) may prove Stephen Hawking was right about information leakage from black holes. The work focuses on the actions of quantum-entangled particle pairs which are separated on either side of the event horizon. Beyond adding to our understanding of the universe, how this work will be used isn’t quite clear. But use of quantum entanglement in cryptography is an important and growing field; I wouldn’t be surprised to see this finding shapes cryptographic development.
  • Pregnant women’s immune system response may affect fetus’ neurological system (MedicalXpress via Phys.org) — While an expectant mother’s immune system may prevent a virus from attacking her fetus, the protective process may still affect the fetus long term. Research suggests that some neurological disorders like schizophrenia and autism may be associated with maternal infections pre-birth.

Late adder: Travel Advisory issued for pregnant women to avoid Miami Beach area according to CDC — Five more cases of Zika have been identified and appeared to have originated in the newly identified second Zika zone, this one east of Biscayne Bay in the Miami Beach area. The initial Zika zone was on the west side of Biscayne Bay. The CDC also discouraged pregnant women and their sex partners from traveling to Miami-Dade County as a whole; the county has now had a total of 36 cases of Zika.

In the video in the report linked above, FL Gov. Rick Scott pokes at the White House about additional Zika assistance, but Scott previously reduced spending on mosquito control by 40%. Now he’s ready to pay private firms to tackle mosquito spraying. Way to go, Republican dirtbag. Penny wise, pound foolish, and now it’s somebody else’s job to bat cleanup.

Longread: Stampede at JFK
A firsthand account of the public’s stampede-like reaction to a non-shooting at New York’s JFK International Airport. To paraphrase an old adage, if all you have is a gun, everything looks and sounds like a shooting.

Let go of your fear and let the weekend begin.