In April, we heard that some IRS employees who had "tax issues" themselves still got the incentive bonuses that are supposed to go to employees who do well at their jobs. [http://www.foxnews.com/politics/2014/04/23/irs-employees-with-tax-and-conduct-issues-still-got-awards-watchdog-report/ ]
I suppose we could say that this is a small mistake that could happen to any organization. This week we find the same thing at hospitals rewarded for doing a good job moving vets through their doors, and presumably through treatment too. That would be the Veterans Administration, where dying vets were put on waiting lists while those in charge got bonuses.
During my government career, I saw hundreds of people get bonuses, even when they had not been behaving. In contractor land, the same kind of thing happened, and employees even complained when they didn't get one. They had the mistaken belief that they got a bonus if they showed up for work and didn't screw up too badly.
I started a new trend in my section at EDS. I gave bonuses to the people who performed best and made the group the most money. Most of them were surprised by getting a bigger check than they were used to. There was little whining from the ones who got nothing. Even they knew it was fair. This should tell you a little about bonuses. People who should not get them are surprised when they don't, and people who worked their butts off all year were surprised to be rewarded for it. Something is wrong with our business culture when those are the expectations.
Have we become so "correct" in our thinking that bonuses are an egalitarian right? No. Managers with no backbone, in business and in government, let these kinds of things happen. It isn't management; it is abandoning management in the mistaken belief that it is important to be popular with the team, even where that means taking money away from the best and most productive in our workforce and giving it to people who don't deserve it. That isn't management, justice, or equality. The people in charge of these organizations need to be retired or demoted.
Friday, May 30, 2014
Thursday, May 29, 2014
Snowden as Spy
There is a good video on the question of whether Edward Snowden was a spy, taking up one side of a convoluted story. It is an interview with former CIA officer Lindsay Moran at Wall Street Journal Live: http://live.wsj.com/video/former-cia-officer-snowden-was-no-spy/D2BAC276-2EB2-47D7-96D6-E655218EB5A5.html?mod=trending_now_video_1#!D2BAC276-2EB2-47D7-96D6-E655218EB5A5
Moran describes why she thinks Snowden was not a spy for the U.S.: he was never trained for the job and was never in a position where he would have been employed that way. Snowden makes the contrary claim in an interview with NBC, to be aired tonight. Moran calls him a "spy wannabe", a sad but interesting characterization.
What is confusing about this is that Snowden likely was a spy, just not a spy for the U.S. Mike Rogers, chairman of the House Permanent Select Committee on Intelligence, and Homeland Security Committee Chairman Michael McCaul said that Snowden was a spy after all, and probably had help from the FSB. The KGB, predecessor to the FSB, was Putin's home before he came to office. The news media calls this a "revelation", which only means they hadn't thought about it before these two stated the obvious. So we have the unusual twist of both sides, the Russians and the U.S., treating Snowden as a spy without either government making an official statement about it.
Snowden is not making his claims without his Russian handlers close by. He has a crudely crafted story of why he ended up in Russia (the State Department took my passport) that is inconsistent with history: spies have fled the country without passports before and been taken in by the Russians, who helped them out. I can just imagine the Russians saying to him, "Gee, we're sorry, but we can't let you and your stash of classified documents into the country because you don't have a passport." It doesn't even pass the laugh test, but it is the kind of crude lie the Russians tell. They aren't very subtle. Look at Crimea for the evidence.
Snowden makes a great foil for the FSB, and we have to give them credit for the way they have used him. They hold him up as the Spy Who Came In From the NSA, and he repeats his incredible stories with a youthful style that sounds sincere. He may have practiced them often enough to believe them. The longer he is around, the more elaborate these stories will be. He has some of the characteristics that make a good spy, and the technical savvy to go with it. He is just not the spy he makes himself out to be.
Thursday, May 22, 2014
Bombing China
Try to imagine two cars driving into shoppers, then 5 or 6 bombs going off in quick succession. Police and private security at the stores run everywhere. Local news channels are on the scene in a few minutes; CNN shows up in the next hour and we start to see live reports, every hour for the next two months. We get to see families of the 31 who were killed and many more injured. Relatives parade by to say what nice people they were.
At the Boston Marathon two bombs killed 3 and injured 264. We got news of it for a year afterwards. At Boston sporting events, people actually sing the National Anthem. Nobody forgets, at least for now.
If we had an event like this, every other month or so, there would be Congressional hearings and senior government leaders firing questions and moving people around to get them out of the line of fire. There would be police everywhere, television and radio stories about how to survive a random attack, and legislation would set new standards for collecting information about everyone in the country. It would make 9/11 seem like a short review of counter-terrorism operations.
This is what is happening in Xinjiang, China. The random killing of children and adults with knives did not kill enough people to get the leaders' attention, so bombs and automobiles have picked up the pace. What the attackers get from this kind of thing escapes most of us. Seeing a child cut to pieces is hardly the image terrorists want to show their audience. If there was tension with Muslims in that region before, there will only be more after seeing this. The latest attack was in a market in a normal-looking suburb, with normal-looking middle-class people who shop there. [ http://www.bbc.co.uk/news/world-asia-china-27502652 ]
Terror isn't a good word for this. It doesn't strike terror unless we have a clear danger over a period of time. I remember the feeling when people in our area started being shot in public places by a couple of wackos who were eventually caught. We were never sure what these idiots were really trying to say to us when they were arrested and went to jail. All we could think of was "look at me", which is in that 15 minutes of fame that we are all supposed to get. I sympathize with the Chinese on this one. My wife was in the corridor of the Pentagon that the airplane hit on 9/11. I remember that feeling. It was hate. It was long-term hate, that meant devoting my life to finding these folks so they could be killed by our government. I had the feeling that no matter what I did, it was not enough. They make an enemy every time they do something like this, and I hope they find justice somewhere other than a court.
Monday, May 19, 2014
Justice Announcement Disappointing
After a day of hoopla and promise, all we get from the "Chinese economic espionage" indictment is five people named in the document. One of the cases dates from 2008; two from 2010. In hacking, this is old news. But the big winner in it all is Mandiant, which had already said the attacks were coming from a specific military unit in China. The indictment calls out Unit 61398 of the Third Department of the Chinese People's Liberation Army, exactly as Mandiant had said. I was skeptical of their claim, but the prosecutors evidently believe they can prove it in court.
The targets named were all businesses except one, the United Steelworkers (USW), formally the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union. The details of that one should prove interesting, with this part setting the stage: "In 2012, USW was involved in public disputes over Chinese trade practices in at least two industries. At or about the time USW issued public statements regarding those trade disputes and related legislative proposals, Wen stole e-mails from senior USW employees containing sensitive, non-public, and deliberative information about USW strategies, including strategies related to pending trade disputes. USW’s computers continued to beacon to the conspiracy’s infrastructure until at least early 2013."
China never lets anything go, even a trade dispute that questions its business practices. They cast a wide net, and have a lot more than five people doing this work.
Department of Justice
Office of Public Affairs
FOR IMMEDIATE RELEASE
Monday, May 19, 2014
U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage
First Time Criminal Charges Are Filed Against Known State Actors for Hacking
A grand jury in the Western District of Pennsylvania (WDPA) indicted five Chinese military hackers for computer hacking, economic espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries.
The indictment alleges that the defendants conspired to hack into American entities, to maintain unauthorized access to their computers and to steal information from those entities that would be useful to their competitors in China, including state-owned enterprises (SOEs). In some cases, it alleges, the conspirators stole trade secrets that would have been particularly beneficial to Chinese companies at the time they were stolen. In other cases, it alleges, the conspirators also stole sensitive, internal communications that would provide a competitor, or an adversary in litigation, with insight into the strategy and vulnerabilities of the American entity.
“This is a case alleging economic espionage by members of the Chinese military and represents the first ever charges against a state actor for this type of hacking,” U.S. Attorney General Eric Holder said. “The range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response. Success in the global market place should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets. This Administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market.”
“For too long, the Chinese government has blatantly sought to use cyber espionage to obtain economic advantage for its state-owned industries,” said FBI Director James B. Comey. “The indictment announced today is an important step. But there are many more victims, and there is much more to be done. With our unique criminal and national security authorities, we will continue to use all legal tools at our disposal to counter cyber espionage from all sources.”
“State actors engaged in cyber espionage for economic advantage are not immune from the law just because they hack under the shadow of their country’s flag,” said John Carlin, Assistant Attorney General for National Security. “Cyber theft is real theft and we will hold state sponsored cyber thieves accountable as we would any other transnational criminal organization that steals our goods and breaks our laws.”
“This 21st century burglary has to stop,” said David Hickton, U.S. Attorney for the Western District of Pennsylvania. “This prosecution vindicates hard working men and women in Western Pennsylvania and around the world who play by the rules and deserve a fair shot and a level playing field.”
Summary of the Indictment
Defendants: Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, who were officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army (PLA). The indictment alleges that Wang, Sun, and Wen, among others known and unknown to the grand jury, hacked or attempted to hack into U.S. entities named in the indictment, while Huang and Gu supported their conspiracy by, among other things, managing infrastructure (e.g., domain accounts) used for hacking.
Victims: Westinghouse Electric Co. (Westinghouse), U.S. subsidiaries of SolarWorld AG (SolarWorld), United States Steel Corp. (U.S. Steel), Allegheny Technologies Inc. (ATI), the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW) and Alcoa Inc.
Time period: 2006-2014.
Crimes: Thirty-one counts as follows (all defendants are charged in all counts).
Count(s) | Charge | Statute | Maximum Penalty
1 | Conspiring to commit computer fraud and abuse | 18 U.S.C. § 1030(b) | 10 years
2-9 | Accessing (or attempting to access) a protected computer without authorization to obtain information for the purpose of commercial advantage and private financial gain | 18 U.S.C. §§ 1030(a)(2)(C), 1030(c)(2)(B)(i)-(iii), and 2 | 5 years (each count)
10-23 | Transmitting a program, information, code, or command with the intent to cause damage to protected computers | 18 U.S.C. §§ 1030(a)(5)(A), 1030(c)(4)(B), and 2 | 10 years (each count)
24-29 | Aggravated identity theft | 18 U.S.C. §§ 1028A(a)(1), (b), (c)(4), and 2 | 2 years (mandatory consecutive)
30 | Economic espionage | 18 U.S.C. §§ 1831(a)(2), (a)(4), and 2 | 15 years
31 | Trade secret theft | 18 U.S.C. §§ 1832(a)(2), (a)(4), and 2 | 10 years
Summary of Defendants’ Conduct Alleged in the Indictment
Defendant | Victim | Criminal Conduct
Sun | Westinghouse | In 2010, while Westinghouse was building four AP1000 power plants in China and negotiating other terms of the construction with a Chinese SOE (SOE-1), including technology transfers, Sun stole confidential and proprietary technical and design specifications for pipes, pipe supports, and pipe routing within the AP1000 plant buildings. Additionally, in 2010 and 2011, while Westinghouse was exploring other business ventures with SOE-1, Sun stole sensitive, non-public, and deliberative e-mails belonging to senior decision-makers responsible for Westinghouse’s business relationship with SOE-1.
Wen | SolarWorld | In 2012, at about the same time the Commerce Department found that Chinese solar product manufacturers had “dumped” products into U.S. markets at prices below fair value, Wen and at least one other, unidentified co-conspirator stole thousands of files including information about SolarWorld’s cash flow, manufacturing metrics, production line information, costs, and privileged attorney-client communications relating to ongoing trade litigation, among other things. Such information would have enabled a Chinese competitor to target SolarWorld’s business operations aggressively from a variety of angles.
Wang and Sun | U.S. Steel | In 2010, U.S. Steel was participating in trade cases with Chinese steel companies, including one particular state-owned enterprise (SOE-2). Shortly before the scheduled release of a preliminary determination in one such litigation, Sun sent spearphishing e-mails to U.S. Steel employees, some of whom were in a division associated with the litigation. Some of these e-mails resulted in the installation of malware on U.S. Steel computers. Three days later, Wang stole hostnames and descriptions of U.S. Steel computers (including those that controlled physical access to company facilities and mobile device access to company networks). Wang thereafter took steps to identify and exploit vulnerable servers on that list.
Wen | ATI | In 2012, ATI was engaged in a joint venture with SOE-2, competed with SOE-2, and was involved in a trade dispute with SOE-2. In April of that year, Wen gained access to ATI’s network and stole network credentials for virtually every ATI employee.
Wen | USW | In 2012, USW was involved in public disputes over Chinese trade practices in at least two industries. At or about the time USW issued public statements regarding those trade disputes and related legislative proposals, Wen stole e-mails from senior USW employees containing sensitive, non-public, and deliberative information about USW strategies, including strategies related to pending trade disputes. USW’s computers continued to beacon to the conspiracy’s infrastructure until at least early 2013.
Sun | Alcoa | About three weeks after Alcoa announced a partnership with a Chinese state-owned enterprise (SOE-3) in February 2008, Sun sent a spearphishing e-mail to Alcoa. Thereafter, in or about June 2008, unidentified individuals stole thousands of e-mail messages and attachments from Alcoa’s computers, including internal discussions concerning that transaction.
Huang | | Huang facilitated hacking activities by registering and managing domain accounts that his co-conspirators used to hack into U.S. entities. Additionally, between 2006 and at least 2009, Unit 61398 assigned Huang to perform programming work for SOE-2, including the creation of a “secret” database designed to hold corporate “intelligence” about the iron and steel industries, including information about American companies.
Gu | | Gu managed domain accounts used to facilitate hacking activities against American entities and also tested spearphishing e-mails in furtherance of the conspiracy.
An indictment is merely an accusation and a defendant is presumed innocent unless proven guilty in a court of law.
The FBI conducted the investigation that led to the charges in the indictment. This case is being prosecuted by the U.S. Department of Justice’s National Security Division Counterespionage Section and the U.S. Attorney’s Office for the Western District of Pennsylvania.
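The indictment's one concrete detection lead is the line that USW's computers "continued to beacon to the conspiracy's infrastructure until at least early 2013." A beacon is malware calling home on a fixed sleep timer, and that regularity is what a defender can hunt for in ordinary proxy or firewall logs. The script below is an added example, not code from this blog or from the Justice Department; it runs a simple periodicity check over a constructed log. The log format, every hostname and domain, the allowlist and the thresholds are assumptions made for the example.

```python
"""Beacon detection over outbound connection logs.

Added example, not code from the blog or from the DOJ release. It shows how a
defender could look for the persistent "beaconing" to attacker infrastructure
that the indictment describes. Every log line, hostname and domain below is
constructed for the example; the thresholds are illustrative assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, one outbound connection per line:
#   <ISO-8601 timestamp> <internal host> <destination domain>
SAMPLE_LOG = """\
2013-01-07T08:00:00 ws-usw-14 sync.example-update.net
2013-01-07T08:00:00 ws-usw-22 time.example-ntp.org
2013-01-07T08:01:10 ws-usw-14 www.example-news.com
2013-01-07T08:01:12 ws-usw-14 www.example-news.com
2013-01-07T08:01:15 ws-usw-14 www.example-news.com
2013-01-07T08:02:40 ws-usw-22 mail.example-corp.internal
2013-01-07T08:05:03 ws-usw-14 sync.example-update.net
2013-01-07T08:07:40 ws-usw-14 www.example-news.com
2013-01-07T08:09:58 ws-usw-14 sync.example-update.net
2013-01-07T08:10:00 ws-usw-22 time.example-ntp.org
2013-01-07T08:15:01 ws-usw-14 sync.example-update.net
2013-01-07T08:20:00 ws-usw-14 sync.example-update.net
2013-01-07T08:20:00 ws-usw-22 time.example-ntp.org
2013-01-07T08:22:05 ws-usw-14 www.example-news.com
2013-01-07T08:22:06 ws-usw-14 www.example-news.com
2013-01-07T08:24:59 ws-usw-14 sync.example-update.net
2013-01-07T08:30:00 ws-usw-22 time.example-ntp.org
2013-01-07T08:30:02 ws-usw-14 sync.example-update.net
2013-01-07T08:33:30 ws-usw-14 www.example-news.com
2013-01-07T08:35:00 ws-usw-14 sync.example-update.net
2013-01-07T08:40:00 ws-usw-22 time.example-ntp.org
2013-01-07T08:41:15 ws-usw-22 mail.example-corp.internal
2013-01-07T08:50:00 ws-usw-22 time.example-ntp.org
2013-01-07T09:00:00 ws-usw-22 time.example-ntp.org
2013-01-07T09:03:20 ws-usw-22 mail.example-corp.internal
"""

# Destinations expected to be contacted on a fixed schedule (NTP, patch and
# AV update servers). Assumed for the example; a real deployment builds this
# from its own inventory, because legitimate periodic traffic looks like a beacon.
KNOWN_PERIODIC = frozenset({"time.example-ntp.org"})


def parse_log(text):
    """Parse log lines into (timestamp, host, destination) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst = line.split()
        records.append((datetime.fromisoformat(ts), host, dst))
    return records


def find_beacons(records, min_connections=6, max_cv=0.15, allowlist=KNOWN_PERIODIC):
    """Return (host, destination) pairs whose connection timing is suspiciously regular.

    For each pair with at least `min_connections` connections, compute the
    inter-connection intervals and their coefficient of variation (stdev/mean).
    Human browsing is bursty (high CV); a beacon with a fixed sleep plus small
    jitter has a CV near zero. Results are sorted most-regular first.
    """
    by_pair = defaultdict(list)
    for ts, host, dst in records:
        by_pair[(host, dst)].append(ts)

    hits = []
    for (host, dst), stamps in by_pair.items():
        if dst in allowlist or len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:  # all connections in the same second: not a sleep timer
            continue
        cv = statistics.stdev(intervals) / mean
        if cv <= max_cv:
            hits.append({"host": host, "dst": dst, "count": len(stamps),
                         "mean_interval": mean, "cv": cv})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['host']} -> {hit['dst']}: {hit['count']} connections, "
              f"every {hit['mean_interval']:.0f}s (CV {hit['cv']:.3f})")
```

On the constructed log this flags only ws-usw-14 talking to sync.example-update.net about every 300 seconds; the news site is bursty and the NTP server is allowlisted. Two caveats a practitioner will run into: implants with long sleep intervals need correspondingly long observation windows before they reach the minimum connection count, and attackers add jitter precisely to raise the CV, so the threshold should be tuned against your own baseline and paired with destination reputation and newly-registered-domain checks rather than used alone.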
Google Bitten by EU Bug
We have been taught that once something is in the public domain, it is public. There is no going back from public to "not public" anymore. In my experience, there have been some exceptions, like the information released by people like Edward Snowden, which the government insists is still classified, in spite of its publication by newspapers around the world. There is no logic to that.
Most of the time, when a person is convicted of a crime, that conviction stands as public information. What we see with the EU ruling against Google sets a new standard for judging that thought.
The Court of Justice of the European Union ruled that it is up to Google to let people who believe information about them is old, inaccurate or irrelevant have it excluded from Google's search results. [http://www.bbc.com/news/technology-27394751]
The BBC says half of the first people to make these requests were criminals. Some of the other examples were people who had a bad incident in their past and didn't want people to know about it, including a politician who was running for office and wanted people to forget his history, and a man who tried to kill members of his own family [http://www.bbc.com/news/technology-27439194 ].
Somewhere along the way, they seem to be missing something important about the data that Google collects in a search. It is already public.
Removing data from a Google search will not make it "not public". If I went to every court in every jurisdiction, I could find every conviction ever made. Is the court saying that information cannot be posted on a website that shows convictions? Is there to be a statute of limitations on information about convictions? That is not going to come out of this kind of ruling, but something else will.
I know we are supposed to forgive a person who commits a crime, but are we also supposed to forget it too? Think about that. Information is relevant to choices I make about a politician, my neighbor, or people who work with me. I want to know that the guy across the street is a child molester, or at least was once or twice. If it was 8 years ago, I would take that into consideration, but I would still want to know. I certainly don't want the person who was convicted making the decision about whether the information was old, irrelevant, or inaccurate. That child molester or murderer will think it is.
Wednesday, May 14, 2014
The Hacker Press
BBC ran a continuing story today about the phone hacking at News of the World. Its headline was "Kate Middleton 'hacked 155 times'". There is no longer any doubt that hacking was going on; the British courts are just trying to establish how much.
If this lesson is not giving us second thoughts about our own press, it should be. How did the e-mails of Sarah Palin, of New Jersey Governor Chris Christie's staff, and then of Scott Walker's aides (http://www.politico.com/story/2014/02/emails-released-in-probe-of-scott-walker-aide-103666.html) end up in the press? What about the recorded phone calls of the Clippers' owner, or the video of Mitt Romney taken at a private meeting? The yellow press of the 1800s could not have done better.
We need laws that govern the collection and publication of stolen information. Apple tried to stop blogs from posting information it said was proprietary, and the courts overruled it. That is because we have pretended to have a free press that can publish anything it gets its hands on, even if it is stolen. Is this what passes for journalism today?
Monday, May 12, 2014
Glenn Greenwald on NBC's Today
It was interesting to hear Glenn Greenwald talk about the demeanor of Edward Snowden while he was preparing to hand over some of the most sensitive classified material since Aldrich Ames at the CIA.
He says both he and Snowden were surprised by the outpouring of public debate around the world. Snowden only wanted to stop NSA from doing terrible things. He scoffed at the idea that Snowden was a spy.
We aren't buying the story, Glenn.
Is it possible that Greenwald and Snowden could be prosecuted for what they did? Greenwald apparently thinks so, and so did Snowden. They are going to stick to this tale of Snowden landing in Russia "because the U.S. cancelled his passport", probably the most ridiculous and implausible story ever invented. Some very well-known spies managed to get to Russia without a passport, and there is no reason to think Snowden couldn't have done it.
The Russians are not innocent in this theft. They have done it hundreds of times before, and getting the press to help them is the only unique aspect of this farce. We owe Russia for this one. Time to get even.
Sunday, May 4, 2014
Heartbleed Gets Attention from Users
Pew Research took a look at users' attention to Heartbleed, and published a two-part study on it at http://www.pewinternet.org/2014/04/30/heartbleeds-impact/
It has an interesting comparison of users who knew about Heartbleed and users who knew about Edward Snowden. Sixty-four percent of Internet users had heard of the vulnerability, and thirty-nine percent said they actually did something about it, like changing passwords or canceling accounts. The amazing part of this for security professionals is that the share of people who knew a lot or a little about Heartbleed was larger than the share who knew about Snowden.
Scarier still, fewer people knew a lot or a little about Russian incursions into Ukraine.
This is a case where the companies serving Internet users got the word out to their consumers. It worked to raise their awareness of the vulnerability and of the need to change account passwords. That was certainly worth the effort, and users responded. It had a side effect as well: it increased users' awareness of how exposed their personal data is. That too is a good thing.
I had a recent experience that points to the need for that awareness, when a bank asked me to send them a receipt by e-mail and to indicate the credit card number used to pay it. I asked them why I would want to do that, and they said not to worry, "it's secure". Anyone who goes through a loan application or resume submission knows that term. Banks and credit institutions, who should have strong security, spend more money on insurance than on protecting my data. I don't trust them, and neither do an increasing number of users of their services.
Friday, May 2, 2014
China Terrorists Create Alarm at the Top
In today's Wall Street Journal, Brian Spegele, Jeremy Page, and James Areddy have identified the high-level attention terrorism in China is starting to get.
[see China President Xi Vows to Crush Separatists After Xinjiang Attack at
http://online.wsj.com/news/articles/SB10001424052702303948104579535302412634992?mg=reno64-wsj ]
This is the latest in a string of events that make the Boston Marathon bombing seem like an isolated incident. The attack in Xinjiang, and the one at a train station in Kunming, by knife-wielding people killing at random, had as many casualties as Boston. [for a good article on this, see Calum MacLeod's No Guns, just Knives: Chilling Details of 'China's 9/11' at http://www.usatoday.com/story/news/world/2014/03/29/china-train-stabbing-kunming/6162803/ ]
Another incident in Beijing, with a car ramming into tourists, has raised other concerns about the adaptation of these groups to terror methods used elsewhere. It would make people anywhere wonder why their government could not stop this sort of thing. Police have been covering train stations and gatherings ever since these things started happening. What they have been able to do is find these folks, after the fact, and kill some of them, but the attackers still accomplish what they set out to do - get local populations to doubt the security they are being given.
We should probably consider that what we do in the U.S. to counter terrorism seems to be more successful than what China is doing. Clamping down on Muslims, making speeches, writing new legislation, making new rules, and putting more police on the street is probably not going to be very effective. They need to go after the people who fund these groups and steer them towards their targets.
The Chinese already point to Pakistan for the training and sanctuary given to them. [see China Urges Pakistan to expel Uighur Islamic Militants at http://www.bbc.com/news/world-asia-18276864 ] They need to do more. Terrorists aren't living without support from someone.