Tuesday, December 30, 2014
Anonymous and North Korea
Hacktivist attacks on North Korea have followed the announcement that they were behind the attacks on Sony. There are two articles I want to mention as representing the view that these attacks are not very successful, and may prove to be dangerous. I think both of them might be premature thinking.
The first is Ian Bremmer’s article for Reuters called When hackers bully a bully: Anonymous vs Kim Jong-un. His premise in this article can be summed up in this statement: “Anonymous knows how to hack, but it has no insight into how North Korea might respond to a cyber-invasion – and likely won’t be the target if North Korea decides it must retaliate. Western powers aren’t exactly anxious to defend cyber-anarchism or to pay the price for its excesses.”
The second article is by Max Fisher in the Washington Post, Hacker Group Anonymous is no Match for North Korea. Fisher says the attacks on North Korea have been largely ineffectual and some claims of their success exaggerated.
It takes time to sort these things out and both of these authors should look at what happened when Anonymous and Telecomix started hacking Syria after it cut off Internet connectivity for its people in 2013.
Anonymous launched what it called Operation Syria in which they stole records from the Syrian Railways, the Parliament, the Patent Office, and Syrian TV and published these stolen items for anyone to read. They tinkered with the websites of Syria’s embassies in a few countries.
Other groups joined them, collecting and releasing more. Perhaps the most interesting thing was a set of records on how the Syrian government was monitoring its own citizens. Telecomix, another of the Internet activist groups, released records of a monitoring tool called Bluecoat, software made in the U.S.A. The software allowed the Assad government to monitor how and where its own citizens were using the Internet. It took months for that whole story to emerge and the implications to peek out.
Anonymous is not one thing, nor are they the only activists who hack. Governments generally do not like this kind of activity and discourage it because of what Bremmer says are the unintended consequences of hacking a government, especially a whacko one like North Korea. North Korea and China, through one of its senior military officials, are the only two countries to threaten us with nuclear attack, which is not very credible. It is easier to believe they might take action over a movie. Governments want to take time to get the attribution right, and get the response right. Governments are looking at deterrence and how we might prevent such things from happening again. Activists do something right away, even if it doesn’t work out very well.
Our government threatens to do something, eventually. They use the Chinese strategy of war to strike at a time and place of their own choosing when they have an advantage. The response doesn’t have to be quick and waiting for it creates its own kind of reward for the attacker. Since we don’t have a really good deterrence for these kinds of events, we will have to wait and see which approach works best in the long run.
Alternative Sony Hack Theories
There are too many experts on who did the Sony Hack, and I wouldn't give too much credibility to any of them over the combined resources of the U.S. Intelligence Community.
Politico carried a story yesterday [Tal Kopan, FBI Briefed on Alternate Sony Hack Theory] that said one such group of experts had briefed the FBI on an alternate theory that the attack was done by disgruntled ex-employees of Sony. The CEO told Politico that his company "didn't see" the data points that led to the conclusion that the hack was done by North Korea and, if there were some, they should "be shared with the community" to help draw accurate conclusions. That isn't going to happen, and he knows it. But, attribution is a big business, and accurate attribution can be a bigger one.
The business model of some security companies depends on accurate assessments of who does what in the hacker world. Is it a company hacking a company, a government hacking a company, or a hacktivist group hacking one or the other? Can we prove that we know who did it? Can we write a report that will show who did it and have that report hold up on peer reviews?
The profitability of such an approach has been demonstrated over and over. The small security business correctly identifies an attack, shows who did it, and after a suitable time, sells itself to the highest bidder. It profits from its expertise in accurate attribution. Big companies like BAE, Symantec, HP, McAfee, and IBM do the same thing to prove they have the capabilities that others want in a security vendor. They sell services by accurately doing what companies cannot do for themselves, without spending a lot of money. But, can they do it more accurately than the combined resources of the Federal government, especially the Intelligence Community? I don't think so.
This is about the distinction between the kind of attribution that goes on every day in counter terrorism operations, and the kind that goes into a hacking incident. Can we say that the Taliban blew up that bridge or was it a stray bomb from an airstrike? Did ISIS kill those people or did someone seeking family revenge? There are physical things to look at, like holes in the ground and bodies, but they don't really say who did the deed, just what happened to the innocent victims. There are intelligence reports that give indications that this or that group was preparing to do something, or that a person known to be a terrorist was in the area when the bombing took place. There are spies that tell our government what they see. Other governments tell us things that their spies see. Analysts pore over thousands of reports to get a picture of what is going on. They have to account for disinformation given out by people trying to hide who they are or what was done. When they make an assessment of who is responsible, they are not following bread crumbs; they are collecting evidence, deciding on the credibility of that evidence, and drawing conclusions.
What the briefers to the FBI are looking at in Sony's hack is just a small part of the information available to an Intelligence service anywhere in the world. They may share this information with other governments, maybe even with Sony, but they aren't going to say much about what they did or didn't do. How they knew what they know is not something they share with the public. Too many people say, "I want proof that it was North Korea". What they are really saying is they don't trust the conclusions of the Federal government, the President, his National Security staff, and the Intelligence Community that supports them. The President doesn't go on TV and name names very often, and he certainly doesn't do it on a whim. We might want to give some weight to the White House conclusions since they were based on a good deal more than a code analysis and IP map.
Monday, December 22, 2014
Cyber-vandalism by North Korea
In a CNN interview aired yesterday, President Obama called what North Korea did to Sony Cybervandalism. This is an odd and inaccurate term akin to somebody spray-painting a school wall or defacing a website, just for the hell of it. The President is getting bad advice from someone on this, maybe China who loves to pat North Korea on the head and say, "bad boy" and look the other way. At the same time, they provide most of the fuel and food that the country needs to continue on this course of pushing the limits of war. There is no doubt about why China allows North Korea to do these kinds of things. They get to observe how the rest of the world reacts to things they might want to do in the future, but they claim to be uninvolved in the activities - "It wasn't me", they would say. Then, they watch and wait for us to do something.
The President says what happened to Sony was not an act of war. When someone asked Leon Panetta if we were at war with China, he said, "I guess it depends on your definition of war." Here, we definitely need a new definition, because the one the President is using is dated. The North Koreans have decided to attempt to influence a U.S. business (a U.S. subsidiary of a Japanese company) to give up distributing and showing a movie they say offends their government. They call making the movie and attempting to show it, an act of war. Somebody is not using the same definition. Had The Interview been an attempt to actually influence some zealot to assassinate the leader of North Korea, it would have been an act of war, but this movie is far from that kind of effort. It's a comedy, a concept some world leaders don't understand.
When another country attempts to disrupt a business venture for the sole reason they don't like the content, we have the situation George Clooney alluded to when he said the studios were scared and backed down because of it. The North Koreans did what they intended to do and that was a state-sponsored attack on a U.S. business, with the intent of disrupting their business operations and intimidating them into adopting a new course. That is an act of war, whether this Administration understands it that way or not. I thought China's disruption of the New York Times over a series of articles on the wealth of China's leadership was an act of war too. They were trying to get a U.S. newspaper to stop publishing articles that China did not want to see in print. They broke into computers in the U.S. and used information they collected there to go after the sources of the Times articles, and they have done the same thing to other businesses too. Tell me the North Koreans are not following their handler's lead.
We can't accept the definition of cyber vandalism. This is much more serious and widespread than this administration wants to admit, though since they are so ill prepared to make a response, they need to delay until they can think of something. This kind of characterization gives them some, and hands the North Koreans a clear victory. Most of us will have forgotten about it by the time the Administration gets around to doing something.
Friday, December 19, 2014
Naming North Korea Doesn't Help Sony
Attribution, identifying who is responsible for a cyber event, is always more complicated than fixing the methods hackers used in getting in. So, when two of the best reporters in cyber, David Sanger and Nicole Perlroth, said in yesterday's New York Times "U.S. Said to Find North Korea Behind Cyberattack on Sony", they were already saying more than the White House about who was behind the threats and attacks against Sony. Our government said North Korea was "centrally involved" in the hacking. We have to think about that for a minute, since this sets a new standard for wishy-washy statements related to attribution of a state government in Cyberwar. They aren't saying North Korea actually did the attacks, made any of the threats, or published any information about Sony's internal matters. But, they were involved.
In Sanger and Perlroth's analysis, they describe the White House debate on what to do about this kind of event. You can blame the country directly and say there was evidence they hired someone to do it, or they actually did it themselves using government resources. Japan was concerned that its negotiations with North Korea would be upset by us naming names. If you do that, you might have to say a little about how you know that to be true and that is often very close to giving up sources and methods of the Intelligence Community. Nobody wants to do that either.
Bernadette Meehan, spokesperson for the National Security Council, says the U.S. government is "considering a range of options in weighing a potential response" which is nearly always true of almost anything happening anywhere in the world. It should have been something they had been thinking about after North Korea did millions of dollars in damage to South Korea's banks in a long, destructive targeted attack. Like the Sony attack, those against South Korea wiped the hard disks of the computers they went after. This is a "no joke" kind of thing that doesn't just drop a few thousand e-mails on the Internet. It does real damage, and drops the e-mails to do more.
What the NSC is trying to get around is the nasty business of deterrence. North Korea has threatened to put a nuclear weapon on a missile and fire it our way. We had trouble believing they could or would do that, so deterrence is not that important. Cyber is harder because they did that attack and we know they can do it again. We have to do something to discourage them.
Sony is a U.S. business, though its parent is in Japan. The U.S. government did next to nothing to help businesses who were routinely hacked by China and Russia, as a part of national efforts to steal from us, so we can't expect to see much in the way of help going to Sony. We have no strategy for deterrence in Cyberwar.
China has used North Korea as a stalking horse on all kinds of provocations to other governments. They tolerate the kind of behavior because it allows them to see how the world will react without getting their own hands dirty. China can stop North Korea from doing anything like this again, if they want to continue to eat and stay warm in the winter. They are going to wait and see what we do first. The first thing they are looking for is how much we know about who did what over there, because the Chinese were involved, even if not "centrally involved". The second thing is to see how we respond to this kind of event so they can strengthen their counter moves. North Korea has gone over the edge on this one and China is waiting to see if it went too far. It doesn't look good for us if there is nothing we can do about it.
Wednesday, December 17, 2014
Hey, North Korea, All this over a movie?
Now they are making threats by linking events that might occur in theaters with those of 9/11. First they hacked Sony and spread enough e-mails around to prove they had some insider stuff. Then, they threatened to send out more by Christmas, the release date of The Interview. Apparently that wasn't enough.
Attribution is always a problem with events like this, but name a country in the world that is whacko enough to hire hackers to disrupt a studio's operations over the making of a fictional movie. We can narrow it down further by looking at the subject of the movie, an absurd plot to use an interview as a way of getting at the leader of North Korea and killing him. Let's see, how many countries might be interested either in doing some damage or hiring someone to do it for them?
North Korea has portrayed itself as a country willing to use nuclear weapons to meet its foreign policy goals, so we are convinced that they are radical enough to do more than most other parts of the civilized world, but now they are proving they can be even crazier than that. They want to make war on a movie making studio. Nobody could fault them if it was one of their studios, but it isn't. Last year, they attacked businesses in South Korea and did hundreds of millions in damage to some of their IT systems. That wasn't funny and didn't seem very neighborly. Now, they want to manage events in other countries, using their own criteria for what is acceptable behavior, and proving beyond a shadow of a doubt that it is one of the most unstable regimes anywhere in the world. They aren't the only ones doing it, but so far, they have set a new standard for in-your-face use of information war.
They want to make Sony, and every other institution they can't control, think twice before doing anything like this again. Nobody knows if Sony will take any action against them, like hiring their own hackers. Nobody knows what governments are contemplating. So far, only Anonymous has ever done much of anything to governments that try to make the people bow to this kind of intimidation. Where are you now, Anonymous? Somebody put the A on the searchlight and light up the sky.
Tuesday, December 16, 2014
Russian Sanctions Ratchet Up Pressure
Russia raised its bank benchmark interest rate to 17% yesterday, amid claims that sanctions and lower cost of oil forced the change. That is the rate used to calculate all other interest rates. We have to wonder what the Russians are paying for a home or car loan these days.
Before sanctions even started, Russian press reports were saying they would not have any effect on the Russian economy. Putin and some of his buddies were laughing about having sanctions placed on them for the incursions into Ukraine. They have probably thought about that more since then. They may not have modified their behavior, but they have to think about whether Ukraine is really worth what they are paying for it. Putin's popularity is still high, but we shall see how long that lasts with those who need loans to prop up a business, buy a home or get a new car. Sticker shock will take on a whole new meaning when currency conversions raise the price of the car, and loans take a bigger bite than last year.
I was never a big fan of sanctions, especially long-term ones that take months or years to take effect. We see how well they have stopped the Iranians from working on a bomb, and Russia is still in Ukraine and adding to their control of the eastern part of the country. We seem to forget that most countries with sanctions are not democracies.
They don't rely on opinion polls to govern, and they don't much care that sanctions hurt the middle class more than the rich who run the country. Criticizing the government for raising interest rates can bring consequences to the news agency or blogger that does it. Putin is going to run out of options, before he faces any kind of new revolution. He will double down in Ukraine and do what he did in Crimea - take it with overwhelming force. The Russians seem to love him for it.
Monday, December 15, 2014
Money Laundering by Cybercriminals at Liberty
When we think of a criminal enterprise, we usually don't think of it being a bank, though there have been a few, but Liberty Reserve was not an ordinary bank, even in past terms. Several of its members have pleaded guilty to operating as described in the seizure documents filed by the United States District Court, Southern District of New York, as "the on-line service preferred by cybercriminals around the world for distributing, storing, and laundering the proceeds of their criminal activity..." Those under indictment are complete with mobster-sounding aliases, and they knew how to operate a global enterprise. Accounts were seized in Costa Rica, where the operation was based, Cyprus, Russia, Hong Kong, China, Morocco, Spain, Latvia, and Australia. It operated through shell companies in these countries and, when originally indicted, told the Costa Rican government that the company was sold, but continued to operate through the shells. It didn't take long to see through that.
The U.S. government also seized five domain names, including LibertyReserve.com, and enjoined Amazon Web Services, Inc from providing services to Liberty Reserve. Seizing those operations would provide a lot of information about the customers using Liberty Reserve to launder money. It may not be on the scale of Silk Road for sheer numbers, but it should still make for a lot of leads to Federal agents who are pursuing various aspects of this company.
January 30 update: The Justice Department today released the conviction data of the former IT supervisor at the bank.
Maxim Chukharev, 28, of San José, Costa Rica, pleaded guilty in September 2014 before U.S. District Judge Denise L. Cote, who also imposed today’s sentence.
"According to allegations contained in the indictment and statements made in related court proceedings, Chukharev was an associate of Liberty Reserve founder Arthur Budovsky and served as Liberty Reserve’s information technology manager in Costa Rica. In that role, Chukharev was principally responsible, along with co-defendant Mark Marmilev, formerly Liberty Reserve’s chief technology officer, for maintaining Liberty Reserve’s technological infrastructure." So, the IT department of the bank goes down with the management of the institution.
Friday, December 12, 2014
Senate Intelligence Committee CIA Report
The Senate Intelligence Committee report on the CIA was a travesty, says Rich Lowry in yesterday's Politico. While I tend to agree with him, for the reasons he outlines, it wasn't the low point in Dianne Feinstein's blatant attempts to politicize national security and justify the publication. There are parallels between the Rolling Stone article on the University of Virginia rape and this report, only the Senate had years to write their report and Rolling Stone didn't. Neither one of them interviewed the people who mattered most to establishing their case. They had their minds made up and made the story fit the scenario they wanted people to believe. Truth was subjective. This is the way of most information wars.
Feinstein, who I have respected for many years as a fair-handed supporter of the Intelligence Community, had to have pressure from the White House to let this report loose while she was still Chairman of the Committee, knowing full well in a couple of weeks, it would never see the light of day. For all the right reasons, it would have been kept in the dark where it belonged.
However, Feinstein went even further than just publishing the report, into uncharted territory. She Tweeted out comments about John Brennan's speech, as he made his responses to questions from the press. She contradicted his positions and disagreed with his characterizations, as he made them. This is unprofessional for a person in that position. There is a certain decorum on the Hill that goes with being in a powerful position with responsibility for difficult decisions and policy positions that affect real lives of people. Most Staff members know enough to keep their opinions to themselves once the public has the issue. She, seemingly, couldn't wait to make her points. I say uncharted territory, because in my time on the Hill, I never heard of such a direct public challenge to an Administration official, made by a person in her position - and never in real time. If a staffer had done that, he would be looking for a job the next day. They usually are more polished. She lost a lot of respect and damaged the position she holds.
In one day, reputations can change. Dianne Feinstein lost part of hers, and John Brennan regained part of his, doing a superior job of defending the actions of his employees. Part of what both did can be viewed not by the substance of what was said, but by the way they conducted themselves in doing it.
Monday, December 8, 2014
Patience and Respect
Many of us wonder why the Chinese have allowed a very public demonstration in Hong Kong to go on for 2 months without clearing out the whole bunch of people there and arresting most of them. They are just now starting to clear them out and it seems to be going smoothly.
To get some perspective, we might want to do as Time.com did recently and go back to Tiananmen Square. As the Time article points out, what we remember most about it was one man standing in front of a tank and living to tell the story. See [http://time.com/2822290/tiananmen-square-massacre-anniversary]. The Chinese are usually patient in international relations and less so inside their own country, but the image of that man standing in front of a tank was powerful enough to make a repeat of it less likely. We all knew one person can make a difference, but rarely is it so dramatic and so quick. There is something about unarmed people facing down a military vehicle that arouses notice. The Ukrainians in Kiev were a similar example, though they used Molotov cocktails to brighten up their cause.
So, in looking at our own demonstrations of late, we can see the difference between those who have had experience with long-term public disruptions and those who haven't. Ferguson brought in heavy weapons and vehicles to make a show of force, then fired off enough tear gas to clean up a small city. I have been the innocent victim of tear gas on the campus of the University of Wisconsin when a brilliant patrolman rolled one down the steps of the building I was in, and it came to rest in the only exit on that side. We were angry people who could not escape.
New York had hundreds of police following along with much less trouble than one might expect from the crowd size. We did see a window broken, but not much else. New Yorkers are better behaved than the people of Ferguson. The police gave them space and followed them along fairly close, but not close enough to be threatening. They were professional and patient. The demonstrators made their points without hurting the people around them. It takes respect on both sides to make that happen. I always wondered why that tank driver stopped. It had to be respect for a man who would stand alone against something so big. He might have moved if the tank had gone forward but we will never know. What we do know is that one person can change the way even the harshest of governments respond. The people of Ferguson missed a good chance to do something good for their respective causes and they will be forgotten for it.
Thousands of people were killed at Tiananmen Square in the same kind of incident. Before we lose our perspective, we should remember that respect for each other will go a long way toward living together in tight spaces. Respect and patience.
Tuesday, November 25, 2014
Iran and Facebook
There is an interesting tale of the difference between people who view the Internet as a good thing and ones who think of it as an opportunity for repression. Today's Wall Street Journal has an open letter from Mariam Memarsadeghi and Akbar Atri to Mark Zuckerberg about Iran's use of the Internet. [Facebook, Please Don't Let the Mullahs Troll Us, 25 November]
They say they run a Persian-language Facebook page for Tavaana, a "civil-society empowerment initiative" giving voice to people and educating on social action and human rights violations. These are both tough subjects to address in any repressive regime, and they probably can understand if the government doesn't welcome it. Iran has been on top of its game in this area for some time, as has China, Russia, Syria, and several others. Because we favor an open Internet, we occasionally think the rest of the world does too.
These two are telling Facebook that their own policies are being abused by their government. It isn't hard to do. They claim "trolls" have called some of the pages they post morally objectionable. This is not the first time for Facebook, since the Russians and Chinese do the same thing Iran is accused of here.
This is an area of Information War that we ignore. The Russians have asked both Facebook and Twitter to close accounts of "subversives", and they get to say who that might be. How subversive they are is always a matter of opinion, but this is not world opinion we are talking about here. If Iranian people write in to Facebook and say that picture of the Amistad slave rebellion I posted is objectionable in their country, Facebook or Twitter has to think about it. If they make the wrong decision, they might have to worry about becoming "subversive" themselves. They won't be operating if they do.
They might do well to see how the Chinese get around an army of censors, from people monitoring the national press to local party officials who look for things more innocuous. They have an elaborate system of codes and take advantage of a complex language. Yes, it can be dangerous, but Mark Zuckerberg is not going to be able to do much to help them in a country where opening the wrong kind of website can land a person in jail.
Not every country sees the Internet as a good thing, and it is dangerous for us to see them as wanting to be good neighbors on the electronic highways. These are the same guys who ran denial of service attacks against some of our biggest banks. We have to teach their citizens to survive in a hostile environment that we take for granted.
They say the run a Persian-language Facebook page for Tavaana, a "civil-society empowerment initiative" giving voice to people and educating on social action and human rights violations. These are both tough subjects to address in any repressive regime, and they probably can understand if the government doesn't welcome it. Iran has been on top of its game in this area for some time, as has China, Russia, Syria, and several others. Because we favor an open Internet, we occasionally think the rest of the world does too.
These two are telling Facebook that their own policies are being abused by their government. It isn't hard to do. They claim "trolls" have called some of the pages they post morally objectionable. This is not the first time for Facebook, since the Russians and Chinese do the same thing Iran is accused of here.
This is an area of Information War that we ignore. The Russians have ask both Facebook and Twitter to close accounts of "subversives", and they get to say who that might be. How subversive they are is always a matter of opinion, but this is not world opinion we are talking about here. If Iranian people write in to Facebook and say that picture of the Amistad slave rebellion I posted is objectionable in their country, Facebook or Twitter has to think about it. If they make the wrong decision, they might have to worry about becoming "subversive" themselves. They won't be operating if they do.
They might do well to see how the Chinese get around an army of censors, from people monitoring the national press to local party officials who look for things more innocuous. They have an elaborate system of codes and taking advantage of a complex language. Yes, it can be dangerous, but Mark Zuckerberg is not going to be able to do much to help them in a country where opening the wrong kind of website can land a person in jail.
Monday, November 24, 2014
Cyber Security Bets Land on Blue
In writing a piece on Einstein 3, I ran across an interesting article about increases in the Cyber Security budget for Federal programs. [See Richard Walker, in Informationweek at:
http://www.informationweek.com/government/cybersecurity/budget-bill-boosts-cybersecurity-spending/d/d-id/1113494]
These phases in government spending are a typical reaction to government agencies getting hacked on such a regular basis, but their spending profiles are often similar to Einstein 3.
The bill was used to expand Homeland Security's Cyber Security budget by giving $15 million in new funds to Senator Landrieu (D-La) for expansion of the Cyber Innovation Program. She is the Chair of the Senate Homeland Security Appropriations Committee, at least for a little while longer. [see the press release at http://www.landrieu.senate.gov/?p=press_release&id=4510 ]
The Cyber Innovations Center was said by the Senator's office to provide 800 jobs in the I-20 Tech Corridor in Bossier City. Homeland gave the Center $2.5 million in 2012 and $5 million in 2013 so they could raise awareness of existing threats and educate a new generation of cyber security professionals. Seemingly, it is important that Louisiana have its own. In May 2014, the Senator and Jeh Johnson, who runs Homeland, where Einstein 3 resides, went to Louisiana to visit CenturyLink, one of the three ISPs on Einstein 3.
It may have been a coincidence that she was going with this largess at a time when she was running in a tight Senate campaign that was not going well. Whether it is legitimate funding of an important program is worth looking into. The Russians and Chinese are beating our systems every day and these kinds of expenditures do not help save us from them. At least we know where the support for the money for Einstein 3 came from.
Thursday, November 20, 2014
DHS Leads with Chin on Einstein 3
In today's Politico, David Perera reports a delay in the implementation of Einstein 3 [http://www.politico.com/story/2014/11/federal-cybersecurity-plan-stalls-113044.html], which has had more delays than any computer security project in recent years. Putting DHS in charge of anything computer related is always an interesting experience, but their inability to get capability from money is probably the most telling.
If you ever wanted to know what Einstein 3 was, you need only look at the publicly posted Privacy Impact Statement at [http://www.dhs.gov/sites/default/files/publications/privacy/PIAs/PIA%20NPPD%20E3A%2020130419%20FINAL%20signed.pdf]
Why they thought it necessary to publish this much about the program is beyond understanding, especially when it says the impact to privacy by this deep-packet inspection program is wavering on the non-existent. This totally bogus argument is beyond any rational understanding of what deep-packet inspection means, or how it is used.
The delay in implementation is caused by an interesting two-year reluctance on the part of AT&T to buy into using the system on their networks. CenturyLink and Verizon have both agreed to do it.
AT&T has used the old standby of liability to describe their foot dragging. This same argument was used to kill the last bill to allow information sharing between commercial companies, only in this circumstance, they could have a better case. What ISP wants to use a system that was developed by a number of different government contractors, and automatically responds and mitigates intrusions? There are far too many variables in this kind of thing to do that in networks as big as the ones at the Federal level. Maybe AT&T is right, but if so, they should bow out and not participate. Maybe that $3 Billion was too much for them to ignore.
I remember the start of this Einstein program back in the 2007 time-frame. A 7-year implementation of anything in IT is doomed. The technology is outdated by the time it is deployed. Why DHS was content to "negotiate" with AT&T for 2 years is beyond understanding. Why they spend 7 years upgrading is also.
GAO needs to get in there and find out what is going on, as they did in 2010 when they said "Agencies that participated in Einstein 1 improved identification of incidents and mitigation of attacks, but DHS will continue to be challenged in understanding whether the initiative is meeting all of its objectives because it lacks performance measures that address how agencies respond to alerts." Doesn't sound like much has changed. Where that $3 Billion is going is a mystery worth looking into.
Tuesday, November 18, 2014
Poland Expels Another Russian Spy Handler
Patryk Wasilewski, in today's Wall Street Journal, outlines another tale of "diplomats" being kicked out of a country for aiding and abetting spying. Yesterday, it was the Germans and today we have a new account in Poland. This time, the cause and effect was the arrest of a Polish "defense ministry official and a civilian detained for spying for Russian military intelligence". You can bet there will be more. Russia seems to have brought this on themselves by continuing to put more troops and support into the Ukraine.
We have to know that this spying has been going on for a lot of years, but Europe has been taking care of those cases without making a fuss. The Germans were quietly removing them, as were others, so it looked like spying was down. Once this starts, it will catch on. It is always better to keep these kinds of things quiet, but once they start becoming public, they take on a life of their own. At least in the Cold War we knew who our enemies were.
Monday, November 17, 2014
Russians & Germans Bounce Diplomats
Anton Troianovski, writing for the Wall Street Journal on the 15th, indicated that the tit-for-tat exchanges of expulsions of diplomats have returned to the new Cold War. Similar to what Canada did in April, Germany has been quietly expelling suspected spies, rather than announcing them publicly. He also mentions that Merkel and Putin had a 3-hour meeting during the G-20 conference last week, though many have indicated Putin was meeting with quite a few leaders, then found little sympathy or support and went home early.
It is not hard to remember this kind of thing happening, but along with it, Putin doubled down on increasing his presence on radars in Europe and the U.S. The Washington Post said his bombers penetrated coastal defenses 16 times in 10 days. His diplomatic style is the opposite of Obama's. He wants to be in your face, which is harder for a guy 5'7". He has to adapt.
What we have been linking to these kinds of events is the increase in hacking attributed to Russia, with both commercial and government targets. The White House and State Department have finally discovered hacking at their door, though it has been around for a long time, 25 years at least. The difference is they are no longer "Eastern European" hackers; now they are Russians. The icing up of relations will likely expose a lot more of what the Russians have been up to. They have been doing it all along, but the press and the White House have finally decided to say who it really is. I'm wondering why they waited so long.
Friday, November 14, 2014
Strange Case of Polygraph.com
Department of Justice
Office of Public Affairs
FOR IMMEDIATE RELEASE
Friday, November 14, 2014
Owner of 'Polygraph.com' Indicted for Allegedly Training Customers to Lie During Federally Administered Polygraph Examinations
A former Oklahoma City law enforcement officer and owner of “Polygraph.com” has been indicted on obstruction of justice and mail fraud charges for allegedly training customers to lie and conceal crimes during polygraph examinations.
Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, Acting Assistant Commissioner Mark Morgan of U.S. Customs and Border Protection’s Office of Internal Affairs and Special Agent in Charge James E. Finch of the FBI’s Oklahoma City Field Office made the announcement.
Douglas Williams, 69, of Norman, Oklahoma, was charged in a five-count indictment in the Western District of Oklahoma with mail fraud and obstruction. According to allegations in the indictment, Williams, the owner and operator of “Polygraph.com,” marketed his training services to people appearing for polygraph examinations before federal law enforcement agencies, federal intelligence agencies, and state and local law enforcement agencies, as well as people required to take polygraph examinations under the terms of their parole or probation.
The indictment further alleges that Williams trained an individual posing as a federal law enforcement officer to lie and conceal involvement in criminal activity from an internal agency investigation. Williams is also alleged to have trained a second individual posing as an applicant seeking federal employment to lie and conceal crimes in a pre-employment polygraph examination. Williams, who was paid for both training sessions, is alleged to have instructed the individuals to deny having received his polygraph training.
The charges contained in an indictment are merely accusations, and a defendant is presumed innocent unless and until proven guilty.
The investigation is being investigated by U.S. Customs and Border Protection’s Office of Internal Affairs and the FBI’s Oklahoma City Field Office. The case is being prosecuted by Trial Attorneys Mark Angehr and Brian K. Kidd of the Criminal Division’s Public Integrity Section.
Russians Back in Ukraine
We have to wonder how a country like Russia can insist they have no troops in the Ukraine. Maybe there are just a lot of trained ex-Russian troops in the Ukraine who learned how to drive tanks, rocket launchers and motorized SA-11s. Maybe they don't count the ones they say are soldiers who are "on leave" from the regular Army, and love spending their spare moments in Ukraine's battles along their western border. These are the kind of fellows every country wants in its army.
Some of these troops are covert special forces, who also don't count. We have to think about this before criticising them, since the world seems to accept the idea that denial of such people is OK. Every country will accept the denial until someone proves otherwise. There was that one case of a Russian soldier who got caught with six different IDs, one from the Special Forces of Russia, but we discount that one as someone who went on leave and forgot to leave his ID cards at home, where they belong. There was the case of an idiot taking selfies with his unit while they wandered across the border from Russia to Ukraine and back. There is a nice series of this rag-tag group if you look on Google Images. We have to say the Russian forces are not the brightest bulbs on the planet, but their skill is pulling the trigger at the right time. Putin seems to have picked the right times for them, and let them go on vacation when those were right.
The problem with the Russians, aside from their lack of subtlety, is their seeming inability to understand that some people who read their stories of how their soldiers came to be in the Ukraine find them incredible. That doesn't seem to matter to them, which is odd. They insult the intelligence of every literate person on the planet.
Thursday, November 13, 2014
A Press Conference for China
We got to see the difference between a country that controls the press and one that doesn't in the closing ceremonies of President Obama's trip to China. The New York Times, most impacted by the event, has two stories today on it. The first is "Fruitful Visit by Obama Ends with a Lecture from Xi" and the second is "In the Words of Xi Jinping: Unraveling an Ancient Saying".
Neither of these stories is really about a press conference, as much as the Chinese limiting access to their country to reporters who ask questions the government doesn't like. The Ancient Saying is different in our culture than in China. In the West the idea of "belling a cat" would be for a mouse to try to put a bell on a cat as a warning that it was approaching. It means something is nearly impossible. Unlike the Aesop version, the Chinese use it to mean the person who creates a problem should resolve it. The person who puts a bell on the tiger's neck should be the one to remove it.
Xi was saying the New York Times created the problem of not getting visas because they would not follow Chinese rules about how the press behaves. It is a kind of "when in Rome" saying that means submit questions in advance and you will get a scripted response. He answered a question posed that way, and read his response. Obama didn't.
It seems like there are really multiple issues here, none of which have anything to do with climate control, the reason for the press conference to begin with. The first is practical, the second emotional.
The New York Times should think a little bit before it speaks through one of its reporters to a head of State. They only had one question to ask, and the one they asked was about their own passport restrictions and whether or not the U.S. interfered in Hong Kong. There were a total of 3 questions asked, and none were answered. If you are going to try to make a point about freedom of the press, this probably wasn't the best place or time. The U.S. involvement or non-involvement in Hong Kong doesn't have anything to do with the first question and is typical of the press in the U.S. "You get one question" has no meaning to them, and it should. Common sense says this is not a good place to embarrass a national leader, but they got two for one on this one. Neither leader looked prepared for the question or the response. Xi took his translation microphone out of his ear and asked for a question from the Chinese press. Nobody wins here and he didn't look good. Obama didn't either.
I would be one of the first to say the Chinese control their press to the point of repression. It is certainly different. They believe that the government has a right to decide what the people should know and control information accordingly. They control what the press says about events, and carry that further on occasion. In Singapore, they told the Rolling Stones not to sing Honky Tonk Woman. I like that song, but if the Rolling Stones are going to sing in that country, they won't do it. This is kind of like Pussy Riot singing about Putin in Russia. It will not go well.
This kind of foreign policy, if that is what it was, will not be well received in China. It is like Michelle Obama going over there and telling them how wonderful the Internet is for everyone. They don't see it that way, and control their Internet like their press. To them, information is important and controlling it is essential to the behavior of their people. There will never be another press conference with the U.S. where reporters get to offer up questions. Thank you New York Times.
You can guess they won't be getting any visas after this, but that wasn't why they were there to begin with. What was that press conference about?
Monday, November 10, 2014
Navy Seals Keeping Secrets
Matt Bissonnette was on 60 Minutes last week; the story of Robert O'Neill is in Time this week [http://time.com/3574990/navy-seals-rober-oneill-osama-bin-laden/]; and, of course, we have the movie. [See Judicial Watch Website at http://www.judicialwatch.org/press-room/press-releases/13421/
for the movie making story]
These are all about killing Osama Bin Laden. To me, the issue isn't about who killed him, but more about why they are talking about what happened, or how details of what happened managed to find their way into the press. There are many parts to this story.
Matt Bissonnette has been getting most of the press on this because he published a book - without getting public release permission. After going through this process myself last week, it is a good time to remind everyone with an SCI clearance that the government has a job and that is to review books before they are published to make sure they don't have classified material in them. They aren't reviewing it for policy unless you still work for the government, and they are pretty liberal on what they approve (if you consider that almost anything written down has been classified by somebody, in some context). Most of them show sense in what they don't approve.
This isn't as easy as it sounds, and mine took from August 26 to November 04 to get done. When you consider it is 100,000 words, that probably isn't too bad. They redacted a few things but really not anything big. Bissonnette says his lawyers said he didn't have to and he is suing those guys for that advice, but anyone who ever had a security briefing is pretty clear on what was said about the subject.
Still, a boatload of people talk to the press, write all kinds of things, and never submit any of it for public release. University professors are my favorite targets here. Bissonnette tried to say that all kinds of Generals and Secretaries of Defense wrote books and he should be able to do the same. They got public release for theirs and they have the footnotes to prove it.
Seal Teams and other special operations folks should not be talking to the press about their missions. Each time they do (like the one when they talked to the makers of a video game about some operational capabilities and got disciplined for it) little things leak out. Those little things allow an adversary to pick up techniques to make sure they won't be doing that again. This seems to be just as easy for the White House to do as it was for the operational folks who briefed the makers of Zero Dark Thirty, one of my all-time favorite films. We can bet nobody had to clear that film for public release. It was a great movie, but it is, as the White House would say, a movie and not an account of what actually happened.
What I don't like was DoD trying to make a deal with Bissonnette's lawyers and then having the Justice Department prosecute him anyway. Either way, the guy gets no money from his book. For pure discouragement of people publishing books without going through public release, the DoD deal would have been equally effective. Justice should have stayed out of it, but that is not their style. Now he can sue the legal offices for their advice, and get his money anyway. Maybe that is why they call it the Justice Department.
Friday, October 24, 2014
Russians Creating News
The new Russian news service, Rossiya Segodnya (Russia Today), established by a decree of President Putin, had a press release last month that announced the new Arabic-language center for the news. In an amazing twist, the spokesperson, Rima Mayta, who made the announcement, said, "Our motto is We don't translate news, we create it!" Now we know what this news service is really about.
Tuesday, October 21, 2014
Putin Puts Fear in Government Leaders
There is a good story in Politico today about fear. We have to wonder if this is the cold war all over again, because it sure sounds like it.
It is by Ben Judah and it is called "Putin's Coup"
http://www.politico.com/magazine/story/2014/10/vladimir-putins-coup-112025.html#.VEajZYdh0lU
This is one of the more interesting things he has to say: "Fear has returned to Moscow. Paranoia has gripped Russian officials and business elites. Those privy to sensitive information no longer carry smartphones. Instead they carry simple old cell phones and now remove the battery – to make sure the phone is dead – when they talk about Kremlin politics among themselves. This is because they assume the security services are now recording what is being said and this can disable the recording device. There is real fear that the next dramatic event in Russian politics could trigger a wave of sackings, arrests or even purges."
So, we have repeated bashings from the Russians over NSA and the disclosures of Edward Snowden, and we suddenly find that it is their leadership, not the rest of the world, that has to put away smartphones and live with one with no geo-location or complicated features to allow tracking and monitoring by their own government.
Russia is clamping down on their Internet, dissent, and any form of disagreement with the views of Putin.
There is a picture on the front page of the Wall Street Journal on the 17th that shows the irritation Putin has with anyone who doesn't like his leadership style. It is a good article but the picture tells more than any story could.
http://online.wsj.com/articles/west-unwilling-to-be-objective-on-ukraine-says-russia-1413539137?tesla=y&mg=reno64-wsj
Tuesday, October 14, 2014
Anonymous Hits Chinese Targets
Well, this is certainly inspiring. Emil Protalinski, writing for ZDNet at
http://www.zdnet.com/blog/security/anonymous-hacks-hundreds-of-chinese-government-sites/11303 has a long summary of Anonymous hacking websites in China. This must seem strange to the Chinese, since they are usually the ones doing the hacking and not being hacked. It is good for them.
When Anonymous went after Syria, exposing a number of government documents, most of dubious value, I thought they might be experimenting with what they might be able to do to a government that was controlling its Internet and ruthless about going after people who intrude in their systems. They are taking on a good bit more with this one.
I'm not sure what good will come of defacing websites and publishing telephone numbers of government officials. It seems like they would be more interested in documents related to the Golden Shield Project that puts the clamps on information getting in and out of China. It would tell them how and what information was being controlled and how that was being done. There are some pointers on what to look for in Jonathan Zittrain and Benjamin Edelman, Empirical Analysis of Internet Filtering in China, Harvard Law School, March 2003. Since that was quite a while ago, it could use an update.
Most governments don't like Anonymous very much. They are not under any government's control and do things that can prove embarrassing. They sometimes work like the press, exposing wrongs that are done that can't be exposed any other way. You have to decide for yourself if that is a good thing or a bad thing. With the balkanization of the Internet preventing the flow of information around the world, I think they might be onto something. Maybe they can work on Russia when they get done with the Chinese.
Friday, October 10, 2014
Charges added to Seleznev's indictment
http://www.justice.gov/opa/pr/alleged-russian-cyber-criminal-now-charged-40-count-superseding-indictment
The Justice Department has released additional information on the arrest of Roman Seleznev, aka Track2, indicating he stole at least 2 million credit card numbers and operated a website that had instructions for how to put those numbers to good use.
Seleznev, as you may remember, has a father who is a leader in the Russian Duma. Nice to see the son of a ranking member of their government involved in this kind of activity.
Saturday, September 27, 2014
Chinese in Israel
If we believe Orr Hirschauge, writing for the Wall Street Journal on the 25th, the Chinese are in Israel to invest in technology. The companies involved got my attention because one of them, Qihoo 360 Technology, is an Internet security company, in a land of them in Israel.
Israel has several companies that we all know, two we know well, Checkpoint and Cyberark.
Checkpoint owns Zone Alarm, Protect Data, Nokia Security Appliances, and a startup in Boston called Liquid Machines, an up-and-coming data rights management company.
The investment company Viola is where Qihoo is going. One of their investments is Cyberark, see: [ http://www.cyberark.com/press/cyberark-files-registration-statement-proposed-initial-public-offering/ ] which specializes in security of admin and similar privileged accounts. Another is Skybox which does security product integration across an enterprise. There are several that specialize in VM.
The Chinese are almost always after something when they invest, and it isn't just the profits from an investment. They start this way to get a foothold in a company. They get to know the players and they get into business with them. Then they hack the people they know and learn their business strategy and inside information that allows them to compete. This time, they seem to be after security, virtual machines, wireless and broadband companies, particularly new ones. The next thing we will see will be offers of joint ventures and technology sharing agreements. Then, they break those off and start competing directly.
Thursday, September 25, 2014
The Myth of Security in Clouds
In today's Wall Street Journal, John Chambers, Chairman and CEO of Cisco, was featured in a video story about technology. The Journal asked about myths related to cloud implementation. He waited a long time before responding (this story is a video so you can see the hesitation) and commented "I'm going to get in trouble on this. I guarantee my PR team is sweating" a response. That would be, of course, because Cisco is a major player in the cloud business and his comments were sure to be listened to, and make news. He only made news for the few thousand companies that think clouds are secure and they can push off their security worries by contracting it out to someone else. It won't work. It has never worked, but most of the vendors are saying how safe and secure your data is, if only you can seize the cloud moment and give your data to them. That is a myth, as he points out.
We should applaud him for being honest, a trait some of his contemporaries are less inclined to show. They would rather say nothing, than speak ill of the Angel of Revenue.
He wasn't brutally honest, just mildly so, and he did qualify everything he said. But, he pointed out that security in clouds is "not quite there". He did this at a time when major businesses are about to embark on a grand experiment to offload credit card payment systems to clouds, pushing them out to mobile devices. That data has been in clouds without much fanfare, but Apple is going to make history by taking it there on a grand scale.
The Apple developer assured me they spent "3 years making this system secure". I have been doing security for 45 and it always amazes me that each generation thinks they can beat the world to a secure way to move money. I remind them of something one of my college professors said, "Criminals spend as much time at their jobs as you do at yours." You can bet those Russian and Eastern European gangs will have a solution to this problem one day. They spend years at their jobs too.
The Federal government is having its moment too with clouds, without understanding the difference between a public and private cloud. They want to use clouds but don't want to do the work to have a private cloud. They experiment, here and there, with using public clouds for e-mail and data storage without a clue about what they are doing. There is no centralized planning for any of it.
If we want to secure data, we can't give it off to someone else to do. Make it secure before you give it to them, and let them store and distribute it. Don't think they can secure it.
Wednesday, September 24, 2014
Homeland Strikes Again
There are times when it is best to keep quiet.
There is a splash of stories on the news channels about the potential for lone wolf attacks in the U.S. as a way of retaliating for airstrikes in Iraq. We have some people in Homeland Security who think it is a great idea to warn people about things they have little way to control. We used to see these stupid BOLA warnings (Be On the Lookout For) that would say some law enforcement agency was looking for a red van with four occupants, possibly heading south. The justification is always that we can't give out classified information so we issue a warning that can be issued without divulging sources and methods.
If you can't say enough about the issue, then keep quiet. These kinds of warnings do not convince the average person that Homeland knows what they are doing, and they certainly do not supply law enforcement with enough information that they can act on it. The warnings actually help terrorists by amplifying their effect.
Tuesday, September 23, 2014
When 5 Billion is a small number
Those who saw the IRS Director on CBS' 60 Minutes this past week, must have wondered why they hadn't done anything about a simple fraud affecting 3,000,000 people every year, costing them time to stand in lines a mile long to resolve a problem they didn't cause. It is causing losses of $5 Billion a year, slightly less than the theft of credit cards has cost Target so far.
All it takes is filing a fraudulent tax return using a stolen social security number, which everyone seems to use as an id number, in spite of rules to the contrary. Why we continue to accept that is beyond me. IRS has made it easy to do, by assisting the fraud by dubious ways to make payment to a debit card making the money portable. They were sending checks to the same address for hundreds of people, but anyone living in a condo knows how that can be. Still, matching is a typical way to discover this kind of fraud and it's obvious they aren't doing it.
Their problem is simple. It isn't that much money. The Treasury takes in $3 Trillion in revenue every year and it keeps going up. $5 Billion is less than 1%, and maybe all the fraud schemes like filing multiple returns across IRS Regions, and the myriad of schemes to keep from paying taxes at all, don't add up to more than 2%. They might easily say, "acceptable loss" to anyone who was looking into it.
Only that isn't the way you determine what is acceptable. They should be looking at how much it costs to cross match returns, and how much they would recover. Maybe that answer would be more revealing than the current fraud. They have to prosecute the cases and they get no revenue when it is over. Maybe that is what they mean by acceptable loss.
The credit card industry was doing the same thing with stolen credit cards and the numbers had to get really big for them to do anything about it. The 60 Minutes show alluded to the same thing happening with this fraud. Before they will act, the numbers will be $100 Billion yearly, or something in that neighborhood.
Maybe one of the questions the Hill should be asking in this next round of hearings is "What is the number that you need to make this loss unacceptable?"
Thursday, September 18, 2014
Security of Defense Contractor
We are reminded by today's disclosures by almost every news carrier (AP and Reuters being the first I saw) that the Chinese have hacked into some interesting parts of TRANSCOM (again, we should add, since it isn't the first time TRANSCOM has been hit) deep in its transport subcontractors. The examples given are airlines and ships; of the 20 or so discovered, two were reported to TRANSCOM. Before we blame these folks for what is happening to their contractors, we might consider they are not alone in having their contractors hacked. In the last couple of years it has become an epidemic of names, most of whom should know better, since they sell cyber defense.
There is no oversight of computer security among defense contractors. There used to be a program to do that, but it only covered the protection of classified information. They don't even do much of that anymore, and contractors' security staffs certainly need help. They don't get much from their own management. You can run down the list of major defense contractors who have been hacked and can hardly find one that wasn't. It makes no sense.
We had a major contractor get hacked at a place where I once worked and we refused to use their networks for anything sensitive. That was almost 10 years ago. You would think Defense would be smart enough to start overseeing some of the data they give to contractors and making sure essential services are protected through reasonable reporting and oversight. They are, after all, spending billions of dollars doing things for Defense, and should expect a little oversight. When they lose the designs to major weapons systems, who loses out?
You would think that things like security clearances would be worth something, or that all that money we spent on centralized adjudication would have been well spent. Let's ask Edward Snowden about how well that worked.
While we are cutting defense, let's make sure to keep a few things that are needed. Contractors are not all equal, because 10% of them have 90% of the defense work. Let's put some effort into getting the big ones in order and helping small ones keep up.
7.3 million on Obamacare at risk
Marilyn Tavenner testified before Congress today saying there were 7.3 million customers signed up for Obamacare. Considering that she is the one who overrode their Security Team at CMS and put the website on-line without identifying or correcting the security vulnerabilities, it is a strange thing for her to admit now that she put that many people at risk by exposing their personal data to hackers. Last week, GAO released its latest report on the security of the system, saying it was far from good enough for government work. It wasn't ready when deployed and the security wasn't good enough.
A Washington Times story
[ http://www.washingtontimes.com/news/2014/sep/17/wh-took-big-security-risks-obamacare-website-gao/] characterizes it as taking unnecessary risks with the data of states and the Federal government health care systems.
This has already died down enough that she can show her face before a Congressional Committee without having to have a team behind her and lawyers in front of her.
Wednesday, September 17, 2014
Scranton PA, Home to Terrorism
There are two incidents in Scranton PA that make you wonder what counter terrorism is all about. A survivalist is running around in the woods near there after killing a Highway Patrolman and wounding another. The second is a man, Harold Rinko, who pleaded guilty to exporting equipment to Syria that would detect chemical warfare agents (a handy thing for ISIS to have). These are small things to those who hear about them, but when did Scranton become such a hotbed of this kind of activity?
http://www.npr.org/blogs/thetwo-way/2014/09/17/349220816/police-hunt-for-armed-survivalist-in-pa-trooper-shooting
http://www.justice.gov/opa/pr/2014/September/14-nsd-991.html
China's Business Suicides
There is an amazing article in today's Wall Street Journal, Opinion [http://online.wsj.com/articles/chinas-unhappy-rich-1410889484?cb=logged0.3363214428536594 ] about suicide among some of China's business owners. Among the claims, "Last year more than 80 businessmen committed suicide in a six-month period in the city of Wenzhou alone." I couldn't imagine such a thing happening, so did a little research.
Suicide from all causes in the U.S. is 6.4 per 100,000. China's suicide rate is 13.9, which is based on data from 1999, so not very current. Sources say it is higher, but still below Japan and South Korea.
The Wall Street Journal article indicates the suicides are caused by investigations into a new type of crime, being rich.
In a research paper done by a graduate student in Shanghai [ http://www.ceibs.edu/images/bmt/research/2012/02/08/216B3FA4023AC36C1799AC8D92E08914.pdf ] it is tied to the loan rates in that area, parts of which are generated by off-book loans by the rich to those who aren't, the so-called shadow loan, which amounts to about 25% of existing loans and can be made by individuals or banks. The state-run banks are right in the middle of this. Being rich is not the main criteria for making these loans.
As the economy drew down (and it is), these people found it hard to pay the loans back. A simple, but effective, way out of that mess is characterized on the first page of his paper - a man jumping from the top of a building (they are also jumping out into traffic which I hope does not catch on around here).
News China [http://www.newschinamag.com/magazine/when-wenzhou-sneezes] has an interesting side effect to the loans, telling of a creditor who kidnapped his customer's daughter. He offered himself up instead, getting her back, but no story of what happened after that. But, they did add the following: On Oct 4, Premier Wen Jiabao made a trip to Wenzhou to investigate the seriousness of the situation... the State Council announced tax breaks and loans for small companies and "Border checks have been stepped up in Zhejiang to prevent any more businesspeople from fleeing abroad to escape bad debts."
Things are bad everywhere.
Tuesday, September 16, 2014
Don't Follow the Romans
One of the best articles I have seen on the U.S. foreign policy is Michael Auslin's Don't Do As the Romans Did... [Politico, 9 Sept]. http://www.politico.com/magazine/story/2014/09/obama-two-front-war-rome-110779.html#.VBhpBI1dXIM
If we look carefully at what has been going on around us, especially with ISIL and the Russians in Crimea, we can almost identify with the Romans. In case you don't remember, they lost out to a horde of barbarians at their gates, and allies that abandoned them when they were most needed. Nobody liked them. They were all looking out for themselves. Rome was overextended, and underprepared for war, an occurrence brought about by internal disputes at home. Auslin's point is a reminder of something else: Leon Trotsky's fateful saying, "You may not be interested in war, but it is interested in you", a statement repeated by Rudolph Giuliani on Sept 11 2014.
I never forget 9-11, because on that one that allows us to say 9-11 and get the idea across, I was sitting in the parking lot waiting for my wife to get home. She had to walk from the corridor of the Pentagon where the airplane had struck, to Crystal City to get a phone that would work - a landline - because the cell phones were jammed. During that time, I didn't know if she was alive or dead. The plane hit the office where she was. It didn't look good. It took her 4 hours to get back after that, because the roads were jammed with cars. I wonder how well we learned the lessons of that day.
Everyone converts to cell phones and cuts their landlines. Cities don't plan for the disasters that this kind represented, though they do it now more than then. Traffic will not be any better, without some planning to get people out of town. But, there are bigger things than these.
ISIL is a small group that won't get anywhere, an analysis that the White House advertised, even as they grew. What happened to intelligence is anyone's guess.
We have cut our military to the point that they send troops to battle 3 or 4 times and wonder why they die in those places. We send them to some God-forsaken places to fight Ebola, which is not a military mission. And we ship them back to Iraq with barely enough force to maintain their mission. We give law enforcement their heavy troop carriers. Is this how our military fights now?
The Romans said they didn't need to worry. Everything would work out in the end. Did we forget Al Qaeda so soon? How do 30,000 ISIS guys run down to Baghdad, coming close to surrounding the city, without somebody noticing and doing something about it? Where are the Russians and Chinese? Both of them have a lot more to lose if this doesn't go well.
The Middle East is a mess. It can burn and we can watch, or we can go to war. What kind of choice is that?
If we look carefully at what has been going on around us, especially with ISIL and the Russians in Crimea, we can almost identify with the Romans. In case you don't remember, they lost out to a horde of barbarians at their gates, and allies that abandoned them when they were most needed. Nobody liked them. They were all looking out for themselves. Rome was overextended, and underprepared for war, an occurrence brought about by internal disputes at home. Auslin's point is a reminder of something else; Leon Trotsky's fateful saying, "You may not be interested in war, but it is interested in you", a statement repeated by Rudolf Giulliani on Sept 11 2014.
I never forget 9-11, because on that one that allows us to say 9-11 and get the idea across, I was sitting in the parking lot waiting for my wife to get home. She had to walk from the corridor of the Pentagon where the airplane had struck, to Crystal City to get a phone that would work - a landline - because the cell phones were jammed. During that time, I didn't know if she was alive or dead. The plane hit the office where she was. It didn't look good. It took her 4 hours to get back after that, because the roads were jammed with cars. I wonder how well we learned the lessons of that day.
Everyone converts to cell phones and cuts their landlines. Cities don't plan for the disasters that this kind represented, though do it now, more than then. Traffic will not be any better, without some planning to get people out of town. But, there are bigger things than these.
ISIL is a small group that won't get anywhere, an analysis that the White House advertised, even as they grew. What happened to intelligence is anyone's guess.
Monday, September 15, 2014
Home Depot Playing Catch-up
In last Friday's Wall Street Journal, Danny Yadron and Shelly Banjo tell an interesting tale of big business in an article about Home Depot trying to stay ahead of hackers. When Target broke in December (which, for those in computer security, was not really December), they started to plan a makeover that would keep them from getting hit with the same type of attack.
Target missed an opportunity to do the same thing [see http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data] before Thanksgiving, avoiding the Christmas rush which allowed its numbers to be so high. The rumors were flying then, and I wonder how Home Depot missed them.
Home Depot started to implement a system that would protect their payment structure from the same kind of attack. They found it was slow work, and they only got about a fourth of the network done before they got hit. It is easy to second-guess them on this, because they are a big organization and they don't want to screw up their payment system with a hasty change that might destroy them just as quickly as word that they were hacked. On the other hand, they were missing something the community knew about for a long time before Target. They, and many other businesses, are not listening to the drums.
We seem to be missing a basic function of business - business intelligence - that should tell us when a trend is about to shake up the business world with a shaft of light from "Eastern Europe". I can't believe the credit card industry is so lax that they allow these organizations to be hit, one after another, without instituting changes to the credit card systems that are getting this data and processing it. A credit card holder can do nothing, short of paying cash and moving away from them, and surely has to rely on this industry to keep us safe. It is one thing to lose a credit card to somebody in a store or parking lot, who steals the number; it is something else again to have someone steal 60 million of them. We can't do anything about that.
If we look to history, Marshalls et al. should have been enough to convince us that mass theft of credit cards was a real threat that had to be dealt with. Somehow, we have managed to blame the stores for this, when the credit card industry is the one to blame. They have known for years what was happening. They saw Europe change, and did nothing. They saw the massive theft of card numbers in the U.S. and made promises about what they would do - in 2015. Well, 2015 is finally here. Think they will get it done now?
If your credit card number is stolen, write your Congressperson and demand they do something. I know it sounds hard to believe, to some, but the reason the industry has been allowed to wait is legislative, not technological. They know what to do; they just wanted to wait until 2015, and they got their wish. In the meantime, how many billions of dollars were taken from the industries that were affected - 2 since the Home Depot incident started - and how many total since the first ones? "The consumer is not losing any money," they have said. Somebody is, and the consumer is the one paying for it in higher fees. The country is, because computer crime has become so big and well organized that it is a threat to our national security. This is not a political issue as much as a consumer protection alert. Somebody needs to act, and it sure hasn't been the credit industry.
Sunday, September 7, 2014
More IRS E-Mail Missing
In Politico, Rachael Bade said this about the new round of e-mail exposures at IRS:
IRS Commissioner John Koskinen, in a report sent to the committees investigating whether the IRS unfairly targeted conservative groups in recent years, said 18 of the 82 people “had some type of technical computer issue” between September 2009 and February 2014. Five of those “had hard drive issues that resulted in a probable loss of emails during portions of the four-year period.”
Read more: http://www.politico.com/story/2014/09/irs-emails-lost-110648.html#ixzz3CcQ0AWzq
Now, maybe you can swallow the idea that a significant number of people who are being investigated for conspiracy could lose their e-mails, in such a long period, but very few of us in IT ever could. In the annals of public misconduct, this certainly has to rival the former Governor of Virginia, who, as a Republican, was rightly targeted by the Justice Department. He violated Federal law, but not State law.
If the IRS is this bad in IT, then they certainly should have removed their CIO by now. If Congress turns in November, the Commissioner will be gone and there will be investigations like you have never seen. But, in the meantime...
We are asked to believe that the IRS is technically incompetent, badly managed, apolitical, and is telling the truth to Congressional Committees trying to investigate them. None of those things are true, and never have been. IRS had IBM computers for a long time before some of the civil agencies understood what they could be used for. They haven't done real well with them, but they were far from this kind of neglect. Those e-mails are out there, unless somebody systematically went about getting rid of them. Not even the most incompetent organization on the planet has no backups of e-mails.
IRS is managed well in most of the Regional Service Centers or they couldn't possibly handle the number of tax returns we have going to them. Most of the people who work for IRS are dedicated and civil to the customers they serve. Big customer service organizations all have some trouble, but the distinguishing feature of them is they get to solving those and try to improve. If they were having these kinds of e-mail problems, which most certainly must have had links back to somebody high up in the current administration to require such an effort, they should have been corrected. Looks like they were.
They are probably one of the most political groups on the earth, with a bundle of political appointees, many of whom are being investigated. Yes, they are government employees, but they aren't the regular Civil Service people who bust their backsides every day to make a living. These are political hacks who take their direction from the top. There are thousands of them in government, and try as they might, they can't cover that part up.
We have seen this kind of incredible argument made before by people who thought the American public was not paying attention, naive, ill-informed and didn't care. This is one of those cases where somebody cared enough for all of them to decide to lose their e-mails after the investigation started. They are trying to manufacture a long-term breakdown in IRS computing which does not exist, to cover the fact that these e-mails are missing, or can't be found. Somebody knows where they are and you can bet more than one IRS employee is holding onto them. Which side that person is on is something that will eventually come out.
Tuesday, September 2, 2014
Do you take naked photos of yourself?
The news wires are hot today with an interesting topic involving stars of Hollywood and Apple. It is a curious case that seems to blame Apple for a breach of its iCloud, which concerns me greatly, but hasn't yet been shown to be the basis of the case. Since I keep almost everything in the iCloud that I feel is important, I don't want to see it hacked any more than the rest of the Apple world.
But... and there always is one... I was wondering about how those photos got there to begin with. Does your mother know you are taking naked photos of yourself, or allowing someone else to do that?
It is one thing to have them taken by someone activating the camera on an iPad or iPhone, because that is not going to get a hacker very much, unless they keep it on all the time and hope that their target gets naked in sight of that lens. I don't keep my iPhone around when I get out of the shower, but some people have done things that allowed them to be blackmailed. I could probably leave mine on on purpose for the rest of my life and never have anything worth a few cents. How blackmail comes into it is still a mystery.
Now, to the point, are you taking naked photos of yourself, or allowing someone else to do that? Some kids are, spawning the sexting term that finally made the dictionary. I really wish that was possible in my high school days but we didn't even have cell phones then. And, we walked to school, which apparently nobody does anymore. But these are not just young people; these are big stars with publicists, managers, and all kinds of help they don't even ask for. Do they know you are taking naked pictures or allowing someone else to do it? If they did, consider replacing them with someone with some common sense.
In the meantime, this should give pause to anyone who contemplates taking pictures of themselves naked, for any reason. Yes, there is no reason for cell phone families not to take naked pictures of the baby, but how old does the baby have to be to stop that behavior? I wasn't happy to see naked pictures of me when I was a baby, and I'm sure adults would not like them on the Internet.
This whole process starts with technology doing things we don't like, when we shouldn't be doing them in the first place. Now they are suing Apple.
NSA Metadata in Court
In the Wall Street Journal today, Joe Palazzolo writes that NSA is about to have another day in court over the legality of collecting metadata, which a D.C. judge, standing alone in judicial circles, has decided is unconstitutional. This liberal court has a record of decisions like this.
The ACLU has used Top Secret documents, disclosed by Edward Snowden, in the preparation of its case. What an unbelievable set of circumstances allows these documents to be published to begin with, then used by the ACLU in bringing an action against NSA, to undermine the counter-terrorism actions of the U.S. government. The D.C. court doesn't seem to think there is anything wrong with this. The ACLU encourages it in the name of freedom, privacy and anything else they can squeeze into a brief. The judges who will hear this case are appointed by Democrats, and two of them have prior history with this issue, voting against it. The Supreme Court overruled them. So, do we think they learned anything from that? Not a chance. This court is trying to make laws, not enforce the ones they have.
Friday, August 22, 2014
Delaware and the Digital Dead
An article in yesterday's Wall Street Journal [Jacob Gershman, Delaware Eases Access to Digital Data of Dead] prompts us to think about what happens to that stuff we have been saving when we die. Delaware, which is not known for its innovation in legislation, has decided to be the first to take this on. The bill signed by the governor gives authority to estate attorneys, and a few others, to deal with e-mail, cloud accounts and data, and social media. Anyone who has gotten a birthday announcement for a relative that died a year ago knows why we need such things.
It is not surprising that the industry most affected would fight this law by bringing up a 1986 law that says electronic communications companies cannot disclose digital content without the owner's consent. The fact that the owner is dead, according to this argument, is not material to the issue. I'm wondering why they don't just do it, and stop this kind of spurious chatter that makes them look like they are just being bad. Other states need to get involved the same way and pass their own, or we can get Congress to pass a similar law for the whole country.
I have a suspended account from Google that I still haven't been able to get rid of and I am still alive. If I died, my wife would have no chance of ever getting that account closed. There may be nothing in it of any importance, but I would never know because I haven't been able to get into it for 5 years.
When my favorite aunt died a few years ago, we wanted to get some of her e-mail so we could stop automated payments she set up for some charities. We didn't know where some of them were and it takes time to close accounts that they were paid from. The executor and his attorney couldn't get much of anything. The bank closed the accounts, only after getting a death certificate which takes time to get, but never did say where all of these things were being paid, or for how long after her death. By the time it gets ironed out, it isn't worth the legal fees.
So, I wonder why places like Facebook and Google want to hire a law firm to fight this, when they know that when a person dies, somebody needs to know what records they might have that are important to settling the estate and terminating those accounts. Delaware may not have the most innovative legislature, but they sure got this one right.
Wednesday, August 20, 2014
Hold Security
In one of Bruce's most interesting posts, he goes into detail on the discovery of hacks done to steal passwords and accounts noted by a company called Hold Security. I must admit to having doubts about this whole thing, but Bruce, as usual, writes his down. Worth the read.
https://www.schneier.com/blog/archives/2014/08/over_a_billion_.html#c6676010
Monday, August 11, 2014
China's Press Guidance
A story from BBC today, "China detains Xinjiang man for 'online rumours'", shows what happens to you when you don't follow the guidance given by Chinese censors. The incident is worth noting. A group armed with knives and axes attacked a police station. Thirty-seven civilians were killed and the police shot dead 59. To anyone outside China, this sounds like a major happening that could make the evening news in any country. The Attorneys General would be out in force in a country where the police shot that many people in one day.
The individual arrested in the lead to this story "circumvented censors and put his comments on websites outside the country". One of his claims is that the riots that followed shootings that occurred at the end of Ramadan involved 3-5000 people. Only in China is this a crime. He has confessed to inflating the numbers to get more attention for his articles. Considering they have admitted to almost 100 people being killed, we have to wonder which numbers they are talking about.
In case you haven't noticed, the numbers of dead are increasing in Xinjiang. The Chinese have managed to keep a lid on it by controlling the reports of injuries. It sounds like their tactics are apt to create more martyrs than anything else. That is going to be hard to keep quiet.