Saturday, July 26, 2014

Jaguar Costs Less in China

The improbable story in today's Wall Street Journal [China gets Jaguar to Cut Prices] involves the price of a Jaguar in China.  It was hard to believe the story was true, unless you understand that China does not play economic numbers the way everyone else does.  Walmart, Rio Tinto, and many others knew this already, but Tata Motors may just be finding it out.

China has a government organization with the unlikely name, National Development and Reform Commission, which has pressured Jaguar to lower prices by 19% or so.  Jaguar sells for less than $100,000 in the U.S. and $300,000 in China.  The Chinese say that is proof enough that there is a reason to lower the price.  Why would a car cost almost three times as much in one country as another?

I went to an article in Want China Times that explains the cost difference.
(you can read it yourself at http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20130805000005&cid=1102)

Cars in China are subject to a 25% tax based on cost, insurance rates, and freight.   They add 17% for value added tax, which isn't done in the U.S.  It is then subject to a tax on consumption which is based on engine size.  That cost is between 1% and 40% with the highest rates charged for engines that have the largest displacement.  Jags have big engines, as we know, so they are going to pay the heaviest penalty.  A BMW 650i that costs $91,000 in Germany, costs $326,000 in China.

So, we have the interesting situation where China charges enormous sums that are tacked onto the price of a car, via a series of taxes, then complains about the prices of the car being so high.  I don't know about you, but this sounds like Tata Motors is not thinking clearly about the business in China.  Would anyone think this was a good business environment to be doing things in?  They charge all these taxes so they can sell domestic cars at a good price, compared to all those imported models.  It seems like some companies are influenced by this illogical and corrupt way of doing business.  India has a $31B trade deficit with China.  They could surely find a way to even that out a little.


Wednesday, July 16, 2014

NIST, Russian Gangs, Chinese hackers

I had occasion to look at some White House and OMB guidance on implementing a security procedure in an enterprise.  Since I don't deal with this very much anymore, it was a little surprising to see what passes for policy these days.  It reminded me of the fiasco with security of E-Qip, the personnel security system.

OMB and NIST still think that it is realistic to do risk assessments for even the most trivial of things, developed in an agile environment, and moving along like a rocket leaving the launch pad.  Security can't keep up, or ever get ahead of the developers if they are constantly trying to assess things that don't matter tomorrow, when the work is done.

E-Qip is one of the most sensitive systems in the Federal government, housing the applications for security clearances for most employees.  It is beyond comprehension that it could be at risk, unless somebody is still trying to complete a risk assessment after development has ended.  Given the guidance, that is entirely possible.

OMB and NIST publish guidance, not policy.  Guidance means you can do it or not, depending on how you feel about it, or how a manager feels about it above you in the food chain.  This is a ludicrous concept that allows government officials to say "I told you so" without any idea of what it was they were telling someone to do.  There is nothing firm in what an agency is told to do.  It makes for inconsistent implementation, weak links that can be exploited, and no consideration that the threat environment has passed them by.

There was a time when policy was managed by the Intelligence Community for the bulk of National Security systems and by NIST for the civil sector.  Nothing has advanced in policy since NIST became the center of it.  Hand waving is not going to work when hackers are getting into almost every government system we have.  If there ever was a national security system, E-Qip was it.  It angers me that we can't make it secure enough to keep this data out of the hands of Russian mobs and Chinese military units.  You can't do that with guidance.

Saturday, July 12, 2014

Chinese Hacker in Boeing and Lockheed Mart

Andrew Grossman and Danny Yadron say this new person, and two co-conspirators in China, are being prosecuted for leading an effort to steal technology from such companies as Boeing and Lockheed Martin.  Since Justice seems to name names only when the companies concur, we have to assume there were more.  The co-conspirators apparently gave the accused a 1500-page list of documents they wanted from Boeing. That list will be interesting reading because they usually don't ask for something they already have.

Either news is getting harder to come by, or this new Chinese hacker is important to the Justice Department.  His case made the front page of today's Wall Street Journal, no small feat.  http://online.wsj.com/articles/u-s-accuses-chinese-executive-of-hacking-to-find-military-data-1405105264?mod=WSJ_hp_LEFTTopStories

What makes this a little different is the person is a freelancer who hooked up with people in China making military weapons.  I mentioned the case of the companies stealing seed corn who got sentenced last week.  Chinese businesses will steal almost anything, but this isn't almost anything.  These are designs of aircraft used by the military.

The complaint has been sealed for a long time, showing the pace of justice, referencing attacks from 2009 to 2013.  Anyone with experience with hackers knows what kind of things can be collected in that amount of time.  I couldn't even guess at the volume, though we are not likely to ever know it.  Justice wouldn't bring charges on every piece of data, just a few that could be proven in court.  The Air Force and Justice will say the loss of the named material "is not serious" if they stick to their past statements on these kinds of thefts.  These claims are incredible.

We will never know the pace or extent of hacking of U.S. defense contractors, although the Defense Science Board did more to document it than the press. We shouldn't single out Boeing and LM because there are many more on that list.   Remind me of why their advertisements of cyber defense capabilities are credible.




Thursday, July 10, 2014

China Hacking Security Clearance Files

The New York Times has a story from yesterday that shows how deep Chinese hacking has gone into the Federal government infrastructure and how reluctant the administration is to admit it.

Three of my favorite reporters, Michael Schmidt, David Sanger, and Nicole Perlroth wrote the story, and all three of them have good sources for this kind of article, http://www.nytimes.com/2014/07/10/world/asia/chinese-hackers-pursue-key-data-on-us-workers.html?_r=0  They could make a series out of this one, and probably will before it is over.

Chinese hackers broke into the Personnel networks that have E-Qip, targeting people who were applying for Top Secret clearances.  An honest-to-God chill went up my back when I read that part of it.  Anyone with a security clearance knows what E-Qip is, and they know what information they had to put into it.  The reaction so far, from Homeland Security and the White House, is the same as the one they had when the Obamacare website went live without any security testing:  We have no reason to believe any personally identifiable information was taken from the system.   How many intrusions have these official spokespersons ever handled, and who was on the other end of them?  They have no reason to believe it because they wouldn't like the consequences of admitting it.  It may be true they don't know if any was taken.  I could believe that before believing that nothing was taken.

When DoD was handling the storage and processing of data for security clearances, I always had the idea that security was their number one concern.  If they got hacked, they could put together a team and do a damage assessment pretty fast.  They might not be able to stop the activity right away, because hackers put backdoors into the system after they hack it, but they do what they have to do to fix the problems.  I don't get that same warm feeling when the people at the Office of Personnel Management are handling these kinds of things.

The article rightly points out that this is the system that handles our most sensitive personnel information.  It shouldn't be a system accessible from the Internet.  I remember why we went to a system that was automated;  our defense contractors agitated for it because they had people sitting around waiting for clearances to be processed while paper floated from one office to another. They put software into their own contractor facilities to process the forms.  Automation of the process hasn't speeded it up, and now we find the unintended consequences of putting all your eggs in one Internet-based basket, and handing that basket to OPM.  If we don't have Congressional hearings on this by next Tuesday, Congress is not doing its job.



Wednesday, July 9, 2014

Russia in China's Internet footsteps

There was a good article in the Financial Times Weekend this past week on new Russian legislation to require data of Russian citizens to be kept in Russia - stored there.  This is driving the likes of Google, Facebook and Twitter to distraction and using a term we have not heard often in connection with the Internet: Balkanization.  Too late for that;  it has already started to happen.

Countries like Syria, China, Iran, and Russia are looking at controlling their own part of the Internet.  I was kind of surprised at the number of places that were monitoring the use of the Internet, but not controlling it by clamping down directly.  As an example, Syria steals passwords of social media accounts and doesn't bother the users until they find the need.  Egypt did the same thing in Mubarak's time, even shutting down the cell network when things got rough.

Russia is passing legislation left and right to clamp down on the Internet and put monitoring devices on every ISP and network service.  Now they are asking U.S. companies to store data on Russian systems.  On a good day, I doubt that any of these companies have a real good idea of where all that data really is, and even if they did, it is more than a little difficult to manage storage on networks that are geographically bounded.  Cloud services balked at keeping data in the U.S. and some government services won't allow storage anywhere else.  Balkanization is already going pretty fast, and it is a global phenomenon driven by polar opposites, both authoritarian governments and privacy advocates.  Imagine that....

Secret Service Nabs Roman Seleznyov

We could hunt all day for a spy story and not come up with one that is as interesting as Roman Seleznyov.  If you haven't seen it yet, there are several stories like the one by Dan Murphy, in today's Christian Science Monitor
[ http://www.csmonitor.com/World/Security-Watch/Backchannels/2014/0708/US-nabs-alleged-Russian-hacker-and-Kremlin-cries-foul-video ] and it seems to have been picked up by most of the major news services.

Seleznyov is 30, so he is not some kid off the street, trying to make a name for himself in hacking.  According to the U.S. Attorney in Washington, he is "a Russian man who was indicted in the Western District for hacking into point of sale systems at retailers throughout the United States".  It so happens that his father is the Deputy of the lower house of the Russian Duma.  This is kind of like the John Boehner of Russia.

His father says he thinks he was taken to trade for Edward Snowden, a story repeated by several of the Russian news services, as preposterous as it might be.  Things have hit the fan in Russia over this, with the headlines there looking like the following:  

·      “Foreign Ministry concerned over US ‘hunt’ for Russian citizens in foreign countries”
·      “Moscow rips into ‘vicious practice’ of extraditing Russian nationals to US”
·      “Russian official slams US for turning down Moscow’s extradition requests” 


ITAR/TASS says Seleznyov confirmed detention of his son and says he may be traded for Snowden.   

Moscow is claiming Seleznyov was "kidnapped" by the U.S. Secret Service from the Maldives, an archipelago off India's south-west coast.  One article wonders why he wasn't charged in the Maldives if he was guilty of hacking, and raises the matter of law enforcement protocols in taking him away on an airplane.  We won't know that part of the story for some time yet, but it sounds like it will make a great movie.  

The Russians have been protecting their gangs of credit card thieves as long as I can remember.  Many years ago, I was in a senior manager's office when he talked to one, who by the way, spoke English like he was born here.  The guy admitted to taking the credit card numbers, but laughed a little when the manager suggested he stop doing that.  He wasn't arrogant about it;  he just thought it was mildly funny that someone could (1) find him, and (2) ask him to stop.  I thought it was funny too, but kept that to myself.  There was no way we were going to find him or get him out of the country.  Maybe we just had to get a warrant and wait for him to go somewhere that has an extradition treaty with the U.S.  

Thursday, July 3, 2014

China's Theft of Seed leads to arrest

Yes, it is true that the Chinese steal everything, but I never thought that would mean seeds from Monsanto, DuPont and LG Seed.  Jacob Bunge, in today's Wall Street Journal, is telling the tale of two Chinese, working for DBN, a Chinese conglomerate that has a seed-corn business.  A total of 7 people will be indicted.  Two people were already arrested and charged with stealing genetically altered rice.  [U.S. Arrests Second Chinese Citizen in Seed-Theft Case  http://online.wsj.com/articles/u-s-arrests-second-chinese-citizen-in-seed-theft-case-1404338788]

The Chinese have been hacking these same places trying to get what information they can about seed development and a number of other technologies of interest.  Apparently, in the seed corn business, that is not enough.  They felt the need to go out into the test fields of Iowa and steal the stuff right out of the ground.  This is as brazen as it gets.

I'm not sure what is going on here, but it is the height of arrogance to think they can have researchers come to the U.S., fly out to Iowa, and start digging.  We need to rethink Chinese coming to the U.S. when they are in sectors of the economy where they steal from us.  They are all over Silicon Valley, working for companies that do defense work, and doing research in some of our most advanced laboratories and schools.  We need to be thinking about a reaction to this kind of wholesale theft that keeps some of the relatives of corporate officials out of the country.  We did the same with Iran and Russia, and it is time to do it to China.