Tuesday Morning: Changing the Tenor

Once in a while, I indulge in the musical equivalent of eating chocolate instead of a wholesome meal. I’ll listen to my favorite tenors on a continuous loop for an afternoon. I have a weak spot for Luciano Pavarotti and Franco Corelli, though the latter isn’t one of the Three Tenors.

Speaking of which, this video features a really bizarre event: the Three Tenors performing at Los Angeles’ Dodgers Stadium in 1994. Poppy and Barbara Bush are there in the audience, too. What a supremely odd venue! And yet these guys did a bang-up job in such a huge, open space. Pavarotti’s Nessun Dorma at ~1:05 is my favorite cut, but it’s all fun.

Now let’s change the tenor…

Former Microsoft CEO Bill Gates sides with FBI against Apple
Gates isn’t the best salesman for this job, promoting compelled software. Given Gates’ role as technology adviser to Microsoft’s current CEO Satya Nadella, how persistently invasive Windows 10 is, and Microsoft software’s leaky history, Gates comes off as a soldato for USDOJ. Do read the article; it’s as if Gates was so intent on touting USDOJ’s line that he didn’t bother to read any details about USDOJ’s demands on Apple.

UPDATE — 10:25 AM EST — Poor Bill, so misunderstood, now backpedaling on his position about Apple’s compliance. This, from a Fortune 100 technology adviser…~shaking my head~

Gates talks out of the other side of his face on climate change
Unsurprisingly, Bill Gates also looks less than credible when he pleads with students for an ‘energy miracle’ to tackle climate change. This is shameless: first for guilt-tripping minors in high school, second for the blatant hypocrisy. The Bill and Melinda Gates Foundation continues to hold investments in ExxonMobil, BP, and Shell because of their yields. Not exactly a commitment to alternative energy there. How’s that investment strategy working for you now, Gates?

Fossil fuel-based industries: wall-to-wall bad news
Speaking of crappy investments in dirty hydrocarbons, conditions are just plain ugly.

Office of Personnel Management’s CIO steps down
Donna K. Seymour stepped down from her role, the second OPM management team member to leave after the massive hack of U.S. government personnel records. She was scheduled to appear before Congress this week; that hearing has now been canceled by House Oversight and Government Reform Committee chair Jason Chaffetz. Huh. That’s convenient. Wonder if she would have said something that reflected badly on a previous GOP administration? This bit from the linked article is just…well…

FBI Director James Comey called the hacks an “enormous breach,” saying his own data were stolen. U.S. authorities blamed China, which strongly denied the accusation before it said in December that it had arrested several “criminal” Chinese hackers connected to the breach.

Wow, I wonder what China could do if they had access to every U.S. government employee’s iPhone? Anybody asked Comey what kind of phone he carries?

That’s a wrap. I’m off to listen to something sung in a sweet tenor voice.

Bulk Collection Is All Fun and Games Until Office of Personnel Management Gets Hacked

Reuters reports that, contrary to initial reports, the Office of Personnel Management hack revealed earlier this week did compromise the security clearance and background check information in the data, meaning the hack will be far more valuable as intelligence to set up phishing and other further spying efforts. The hack is believed to have been perpetrated by Chinese hackers, though it is unclear thus far whether or not they are part of the government.

Data stolen from U.S. government computers by suspected Chinese hackers included security clearance information and background checks dating back three decades, U.S. officials said on Friday, underlining the scope of one of the largest known cyber attacks on federal networks.

[snip]

A total of 2.1 million current U.S. government workers were affected, according to a source familiar with the FBI-led investigation into the incident.

Accusations by U.S. government sources of a Chinese role in the cyber attack, including possible state sponsorship, could further strain ties between Washington and Beijing. Tensions are already heightened over Chinese assertiveness in pursuit of territorial claims in the South China Sea.

The same report notes that the hack may be linked to the hack of similar scope of Anthem earlier this year.

This is, as a lot of the current and former government employees I follow on Twitter are realizing this morning, a devastating hack, one which will have repercussions both in the private lives of those whose data has been hacked as well as generally for America’s national security, because the data in the OPM servers offers a road map for further espionage targeting.

It is also something the US does all the time — and not just against official government employees of adversary nations, but also against civilian or quasi civilian telecom targets, as well as employees of corporations of interest.

This WaPo piece quotes a number of cybersecurity people suggesting several recent major hacks are being used to pull together large data repositories — similar in purpose to, but at this point a mere shadow of, what we do using bulk collection and XKeyscore. But it tries to suggest the Chinese collection of bulk data is worse because, “in China, the authorities do not tolerate public debate over the proper limits of large-scale spying in the digital age.”

The US Intelligence Community let us have a debate over a mere fraction of the bulk data being collected by the NSA — that collected domestically to target Americans. But for the stuff targeting foreigners on a far greater scale, President Obama proclaimed we would continue collecting in bulk but limit its use to all the major purposes we were already using it for before we ever got around to debating the Section 215 dragnet.

(1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests;

(2) threats to the United States and its interests from terrorism;

(3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction;

(4) cybersecurity threats;

(5) threats to U.S. or allied Armed Forces or other U.S or allied personnel;

(6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section.

That scope goes well beyond the scope of those affected in this OPM hack.

Once the government does whatever it can to protect the millions compromised by this hack, I hope it will provide an opportunity to do two things: focus on actual cyber-defense, rather than an offensive approach that itself entails and therefore legitimates precisely this kind of bulk collection, and reflect on whether the world we’ve built, in which millions of innocent people get swept up in spying because it’s easy to do so, is really one we want to pursue. Ideally, such reflection might lead to some norm-setting that sharply limits the kinds of targets who can be bulk collected (though OPM would solidly fit in any imaginable such limits).

China has, unsurprisingly, now adopted our approach, even if it would take a decade for it to catch up in ability to bulk collect from most nodes. And that’s going to suck for a lot of government and private sector employees who will be made targets as a result.

But that’s the world and the rules we chose to create.

Update: See this NYT piece for just how shoddy the security on OPM’s servers was. We’ve been arguing for years about ways to better respond to criminal hackers and neglecting really, really basic steps needed to prevent our adversaries from adopting the same approach we use.