There was a nice read by DANIEL GELERNTER in the Wall Street Journal on the 28th. It was called "Why I’m Not Looking to Hire Computer-Science Majors" with the drift of it being that all those degrees and certifications don't make good developers. I have to agree that there is the same situation in the IT Security field. Last week I talked to a guy who was going to work for DoD and they wanted him to have a cert for security and one for Java. He had been a Java developer for 27 years. He had to go back and sit for the CISSP and hadn't needed to do that for any job prior to this one. He had to prove to a bunch of kids that he had the skills to do Java development and be certified, when he could have been teaching the course for them (he didn't learn a lot in that one). In case you are wondering what is going on, the government no longer has the employees who know enough about the business to know whether a person knows anything or not, so they have decided to substitute certificate quals instead of real experience. Dan's remarks are to that point.
I used to have a simple test of a new architect: "Draw for me the last architecture that you were responsible for developing". It isn't hard, and they quibbled about the level of detail required for this drawing, but most of the ones I hired were able to do it to any level of detail I thought necessary. I saw Brian Miller pass this test at the House of Representatives when I worked down there, and he did it at a public meeting with very little preparation. That was one smart guy. He didn't have a lot of certs but he had experience doing the job and applying what he did know. I'm sick of CISSPs claiming they can be responsible for security of a network when all they know is what they got in preparation for the test. I can almost guess that all of those contractors at OPM had them. So while the people who can do the work won't do it because they are not going to go back and get a bunch of certs they don't need, the government does without qualified people. Somehow, I don't feel sorry for them.
Monday, August 31, 2015
A Free Internet Myth
If ever there were an organization that would want to keep the Internet free, it should be the Electronic Frontier Foundation. Yet, free to them seems to mean something different than it does to the rest of us. They really don't like the new cyber legislation and comment often on the "privacy" aspects of the bill. Cyber Intelligence Sharing and Protection Act (CISPA) which is in doubt, largely due to privacy issues raised by like-minded people in the ACLU and the EFF. It is not about Privacy as much as their perceptions of the use of the Internet by the International community. Unfortunately, they when they see the privacy nail, they want to use the hammer.
The Russians, Iranians, Saudis, Chinese and a number of others, are not free in the context they discuss. We can look at this a couple of ways. We can say, "It doesn't matter what they do; it only matters what we do." That used to work well in an age before the Internet. Other countries use the Internet to influence and control their populations. If you don't agree, they will persuade you to stop making comments, don't do it again, or you will disappear. Strange that these two groups would be on the side of angels and still doing little to work around the firewalls and cannons of the net.
I think it does matter what we do to control crime on our Internet. That cost is sharing of information between those who get hit and those who can do something about it. While the rest of us debate whether industries can strike back, these guys would have us lay down and accept the Internet as it is - similar to the Wild West- we can certainly agree that it is a government responsbility to hack back. They can't do that unless they know when someone is attacked. Terrorists and criminals benefit from their reluctance to support a bill that is trying to help our government. When privacy is your only concern, neither one will matter.
The Russians, Iranians, Saudis, Chinese and a number of others, are not free in the context they discuss. We can look at this a couple of ways. We can say, "It doesn't matter what they do; it only matters what we do." That used to work well in an age before the Internet. Other countries use the Internet to influence and control their populations. If you don't agree, they will persuade you to stop making comments, don't do it again, or you will disappear. Strange that these two groups would be on the side of angels and still doing little to work around the firewalls and cannons of the net.
I think it does matter what we do to control crime on our Internet. That cost is sharing of information between those who get hit and those who can do something about it. While the rest of us debate whether industries can strike back, these guys would have us lay down and accept the Internet as it is - similar to the Wild West- we can certainly agree that it is a government responsbility to hack back. They can't do that unless they know when someone is attacked. Terrorists and criminals benefit from their reluctance to support a bill that is trying to help our government. When privacy is your only concern, neither one will matter.
Sunday, August 30, 2015
Getting to a Cybersecurity Bill
Congress has managed to make it all the way through another legislative session without getting a cybersecurity bill up for a vote. There are a curious mix of organizations preventing the bill from getting there, and none of them are directly involved with cybersecurity. The USA Today's Erin Kelly touched on it yesterday in his piece, Cybersecurity legislation may face tough road. [ http://www.usatoday.com/story/news/politics/2015/08/28/cybersecurity-wyden-burr/71312428/ ] It seems the debate will have to consider 21 amendments, some brought for a second or third time by "privacy advocates". Kelly quotes Matt Eggers, U.S. Chamber of Commerce as saying there is very little time left for this legislation and using the "woe is me" line like a politician. This from an organization that has done more to slow-roll any legislation that has been proposed. They used the liability excuse for years, when there was no clear indication that liability was the real issue. Now, they try to blame someone else - everybody with a brain blames Congress - but there are other forces at work.
The Chamber blamed "liability issues" for the first fight with Congress over this bill. The only liability that comes to mind is the one faced by an IT industry that builds information systems and software ill suited for its intended purpose. The industry has fought any kind of standards for security indicating the exchange of information might be a legal issue if one business or a government entity says there is something wrong with one of their products. In some circles we call these zero-day exploits, and they are everywhere, yet the industry takes no responsibility for them, and certainly does not want a company or government entity telling them they need to take corrective action. So, while the Chamber says it "really wants to get this legislation going" nothing has yet been done.
Tomorrow I can look at some of those 21 amendments that are slowing down the process of having this bill approved. That goes to our good friend, Harry Reid.
The Chamber blamed "liability issues" for the first fight with Congress over this bill. The only liability that comes to mind is the one faced by an IT industry that builds information systems and software ill suited for its intended purpose. The industry has fought any kind of standards for security indicating the exchange of information might be a legal issue if one business or a government entity says there is something wrong with one of their products. In some circles we call these zero-day exploits, and they are everywhere, yet the industry takes no responsibility for them, and certainly does not want a company or government entity telling them they need to take corrective action. So, while the Chamber says it "really wants to get this legislation going" nothing has yet been done.
Tomorrow I can look at some of those 21 amendments that are slowing down the process of having this bill approved. That goes to our good friend, Harry Reid.
Wednesday, August 26, 2015
Russian Sanctions on Soap
Nothing in trade sanctions makes sense, but the Russian reaction to Europe and U.S. trade sanctions kind of breaks new ground in ridiculous. The Russians have decided, similar to their discovery of McDonald calorie counts during previous sanctions, that some soaps exceed the rigidly controlled toxicity requirements of the State regulatory agency, Rospotrebnadzor.
In today's Wall Street Journal comes some of the details [ PAUL SONNE and ELLEN EMMERENTZE JERVELL, Russia Restricting Sale of Some Western Cleaning Products, 25 August 2015 ] of this dust up over household cleaners. The article says Rospotrebnadzor did not publish a list of the offending chemicals, but named the companies involved: Procter & Gamble Co., Colgate-Palmolive Co., Clorox Co., Henkel AG and Werner & Mertz GmbH.
I didn't even know there were toxicity requirements for soap, though it does seem logical that there would have to be some, just as there were requirements for other goods imported into Russia during previous crises. It's obvious the selective enforcement of these policies is part of the overall strategy of dealing with sanctions, which the Russians say "have no effect" on them.
In today's Wall Street Journal comes some of the details [ PAUL SONNE and ELLEN EMMERENTZE JERVELL, Russia Restricting Sale of Some Western Cleaning Products, 25 August 2015 ] of this dust up over household cleaners. The article says Rospotrebnadzor did not publish a list of the offending chemicals, but named the companies involved: Procter & Gamble Co., Colgate-Palmolive Co., Clorox Co., Henkel AG and Werner & Mertz GmbH.
I didn't even know there were toxicity requirements for soap, though it does seem logical that there would have to be some, just as there were requirements for other goods imported into Russia during previous crises. It's obvious the selective enforcement of these policies is part of the overall strategy of dealing with sanctions, which the Russians say "have no effect" on them.
Monday, August 24, 2015
Planning to Build a Weapon of Mass Destruction?
Of all things, we have the first U.S. case I can ever remember where a person planned to use a radiological device to contaminate people, and use it on people he politically opposed. It was not what we usually think of when getting a home-grown terrorist into court. There have been so many ISIS supporters caught and prosecuted that we get used to it now, but this is not one of them. In a Justice Department press release today, [http://www.justice.gov/opa/pr/upstate-new-york-man-convicted-his-role-attempting-develop-lethal-radiation-device] we have a member of the Ku Klux Klan, Glendon Scott Crawford, from Galway, New York, convicted of a scheme to kill Muslims in the U.S. This is a quote from the release:
" In April 2012, the FBI received information that Crawford, who was employed as an industrial mechanic with General Electric in Schenectady, New York, had approached local Jewish organizations seeking people who might help him develop technology to be used against people whom he perceived to be enemies of Israel. During a 14-month investigation, the Albany FBI Joint Terrorism Task Force learned that Crawford was attempting to solicit funds to purchase, and then weaponize, a commercially available X-ray machine so that it could be used to injure or kill others by exposing them to lethal doses of radiation.
" In April 2012, the FBI received information that Crawford, who was employed as an industrial mechanic with General Electric in Schenectady, New York, had approached local Jewish organizations seeking people who might help him develop technology to be used against people whom he perceived to be enemies of Israel. During a 14-month investigation, the Albany FBI Joint Terrorism Task Force learned that Crawford was attempting to solicit funds to purchase, and then weaponize, a commercially available X-ray machine so that it could be used to injure or kill others by exposing them to lethal doses of radiation.
During the investigation, Crawford, with help from co-conspirator Eric J. Feight, took steps to design, acquire the parts for, build and test a remote initiation device that could have activated the radiation machine, and acquired the X-ray machine that he planned to modify into a weapon of mass destruction. The X-ray device that he planned to use had been modified so that Crawford could not have used it to hurt anyone."
How bizarre is that? We will now have other terrorists combing through literature to find out how to modify an x-ray machine to radiate people. This takes some imagination, if nothing else.
Pro-Iran Deal Ads
In case you were wondering who was sponsoring those ads that say the Iran deal avoids war with Iran and overcomes those wicked Republicans that were in the White House before President Obama, you can go to their website or visit factcheck.org at the below address. They are Americans United for Change, an offshoot of the White House. Factcheck says they are a liberal group that derives its background from organized labor. It took out similar ads to promote Obamacare and changes to Social Security.
http://www.factcheck.org/2014/03/americans-united-for-change-3/
http://www.factcheck.org/2014/03/americans-united-for-change-3/
Wednesday, August 19, 2015
China after Dissidents in the US
It should not surprise anyone that China has come after dissidents in the U.S. and were, last week, accused of trying to influence Chinese expats to return home -mostly by intimidating them. They put pressure on their relatives and on the expats to make the switch and come home. This is hardly news to anyone following the Chinese for more than a few weeks.
Both the Russians and Chinese have never been content to allow dissidents to sit in another country communicating with people via the Internet about events and policies that disrupt their governments. I have used Christopher Andrew's book, The Sword and the Shield, as a reference in my books. He outlines the methods used to influence relatives of Russians emigres long before anyone ever heard of the Internet. They did that, and interfered with US elections more than once.
In October 2006, an editorial by Fred Hiatt in the Washington Post, described the case of Rebiya Kadeer, a dissident who lived not far from me in Fairfax, Virginia. She had a mysterious car accident, her children in China had been beaten, and she had spent 6 years in prison before leaving a bad neighborhood for the US. They tried to influence the Norwegian officials who issued the Nobel Prize to prevent her from winning. Her main crime was being Uighur and expressing the rights of her people in terms of Chinese law as it existed then. She gave newspaper articles to some of her friends and those were called "state secrets" after the fact, something the Chinese still do to businesses that don't fix prices the way they want them to be. Ask Rio Tinto about that.
What is unusual about what they are doing this time is the lack of coverage of any of these incidents by the press, which seems focused on Donald Trump to the exclusion of any other news. We don't have an election for a year and a half, but the Chinese are whacking away at people in this country right now. I wonder what the Donald says about that?
Both the Russians and Chinese have never been content to allow dissidents to sit in another country communicating with people via the Internet about events and policies that disrupt their governments. I have used Christopher Andrew's book, The Sword and the Shield, as a reference in my books. He outlines the methods used to influence relatives of Russians emigres long before anyone ever heard of the Internet. They did that, and interfered with US elections more than once.
In October 2006, an editorial by Fred Hiatt in the Washington Post, described the case of Rebiya Kadeer, a dissident who lived not far from me in Fairfax, Virginia. She had a mysterious car accident, her children in China had been beaten, and she had spent 6 years in prison before leaving a bad neighborhood for the US. They tried to influence the Norwegian officials who issued the Nobel Prize to prevent her from winning. Her main crime was being Uighur and expressing the rights of her people in terms of Chinese law as it existed then. She gave newspaper articles to some of her friends and those were called "state secrets" after the fact, something the Chinese still do to businesses that don't fix prices the way they want them to be. Ask Rio Tinto about that.
What is unusual about what they are doing this time is the lack of coverage of any of these incidents by the press, which seems focused on Donald Trump to the exclusion of any other news. We don't have an election for a year and a half, but the Chinese are whacking away at people in this country right now. I wonder what the Donald says about that?
Wisconsin Prosecutorial Abuse
In yesterday's Wall Street Journal Opinion [Zombie Prosecutors, 18 August] the Journal compares the Democratic prosecutors with zombies who will not die, even though the Wisconsin State Supreme Court shot them several times and we thought it was over for good. Now they are trying to release some of the information illegally obtained from some of these "investigations" set up to prosecute a Republican governor's staff members. This kind of prosecutorial abuse is usually handled by the Justice Department before it goes this far, but this Justice Department finds it in their own interests... to let it go until after the primary selection process has sorted itself out....
Monday, August 17, 2015
FAA Does IT
You have to wonder what idiots the FAA has doing IT when "a new software upgrade" brings down our airports and backs up passenger lines for two days after. What ever happened to testing upgrades before installing them? What ever happened to back-out plans in case something happens? You have to wonder where the government and their contractors are getting their IT training.
Russian Military in Ukraine
Another story in the Euronews [Robert Hackwell, Caught Red-Handed: The Russian Major Fighting in the Ukraine, with accompanying video] points to what the Russian military is going through with the covert war in Ukraine. The Russian Major does not get to tell his family where he is going, or when he is coming back. When he is captured, transporting Russian military equipment to forces there, he carries a fake ID. Two years ago, one was captured with 6 IDs, one from the Russian Special Forces. This story is about the recruitment, the bait-and-switch on assignments, and being captured in a country where almost everyone speaks your language.
What is sad about these cases is the denials by Russia that they have troops there. That is what covert means. They want to have the ability to say, "We don't have Russian military forces in the Ukraine", while they run those tanks and personnel carriers across the border. When one dies, the family is not notified. I don't mean the government tells them a lie about what happened to their loved ones - they get nothing. They just don't get letters or phone calls from them anymore, and they must wonder what has happened. Why has my son stopped calling, visiting, or writing home? No grave at the Russian Arlington Cemetary for these guys. We might even feel a little sorry for this guy, who seems to have been over his head to begin with.
The Russians did a lot of things in Ukraine before ever going there, killing political opporsition figures, carving up the communications services, monitoring leaders in government, feeding propaganda to the locals, and giving them enough heavy equipment to shoot down a commercial airliner. All, while they say they have no troops there and are not at war with Ukraine. Even the Russians can't believe their own words.
What is sad about these cases is the denials by Russia that they have troops there. That is what covert means. They want to have the ability to say, "We don't have Russian military forces in the Ukraine", while they run those tanks and personnel carriers across the border. When one dies, the family is not notified. I don't mean the government tells them a lie about what happened to their loved ones - they get nothing. They just don't get letters or phone calls from them anymore, and they must wonder what has happened. Why has my son stopped calling, visiting, or writing home? No grave at the Russian Arlington Cemetary for these guys. We might even feel a little sorry for this guy, who seems to have been over his head to begin with.
The Russians did a lot of things in Ukraine before ever going there, killing political opporsition figures, carving up the communications services, monitoring leaders in government, feeding propaganda to the locals, and giving them enough heavy equipment to shoot down a commercial airliner. All, while they say they have no troops there and are not at war with Ukraine. Even the Russians can't believe their own words.
Friday, August 14, 2015
Business Worried About China
There have been a few articles this week [one example: China Cybersecurity Fears Prompt Business Groups to Press Obama, The Wall Street Journal, 12 August] about China's new policies on cybersecurity and counterterrorism laws that present problems for anyone trying to operate a business in the country. This comes up repeatedly, but especially when China's leaders come to visit, as Xi Jinping is about to do.
Our industry leaders, many of whom already work in China, have sent a letter to the White House complaining about China's policies that "limit trade". That is far from accurate. The new policies do a lot more than that, including such things as demanding encryption keys and source code from vendors who operate in China, and forcing them to store data under Chinese control. It is a dangerous trend in what China says is a way to protect themselves from the evils of doing business with foreigners. They always mention Edward Snowden in these discussions, though the White House must laugh every time they do. China has the market on theft of data.
Our trade with China has never been on equal ground. They steal our proprietary and trade secret information; they pump that stolen data back into their own research and development programs; they control pricing of goods so they remain artificially low in their own country, and higher in ours; they make their own businesses thrive on our innovation. That is a good deal more than "limit trade" would imply, but to those who live there and make their goods there, that may be all they can say. The Chinese have a way of getting even if anyone complains about their policies.
I wonder what the Donald, or the Hillary, would do about trade with China. It is the kind of question the debates should be bringing up, and a good reason for the lack of jobs here.
Our industry leaders, many of whom already work in China, have sent a letter to the White House complaining about China's policies that "limit trade". That is far from accurate. The new policies do a lot more than that, including such things as demanding encryption keys and source code from vendors who operate in China, and forcing them to store data under Chinese control. It is a dangerous trend in what China says is a way to protect themselves from the evils of doing business with foreigners. They always mention Edward Snowden in these discussions, though the White House must laugh every time they do. China has the market on theft of data.
Our trade with China has never been on equal ground. They steal our proprietary and trade secret information; they pump that stolen data back into their own research and development programs; they control pricing of goods so they remain artificially low in their own country, and higher in ours; they make their own businesses thrive on our innovation. That is a good deal more than "limit trade" would imply, but to those who live there and make their goods there, that may be all they can say. The Chinese have a way of getting even if anyone complains about their policies.
I wonder what the Donald, or the Hillary, would do about trade with China. It is the kind of question the debates should be bringing up, and a good reason for the lack of jobs here.
Thursday, August 13, 2015
China News Clamp on Tianjin
This morning on CNN, who was lucky enough to have a reporter in Tianjin during the explosion of a chemical storage facility, we saw how China's press controls are both resource intensive and restrictive. The reporter reminded his audience that all of them had been reminded that "there would be severe penalties for spreading rumors" a phrase that means a good bit more over there than here. One guy who "spred rumors" about the number of people killed in riots in Xinjiang went to prison for a a number of years, having gone around the Great Firewall to do his reporting. A reporter on a cell phone can't do that quite as easily, though it must have made his handlers very nervous.
We got to see some of the secret police in their street clothes in his video. They were policing some victims' families who wanted more information than they were getting on the condition of their relatives. They crowded around the poor guy's cell phone looking for the footage he had from the hospital, understandable by any standard, but the police also crowded around his cell phone looking at the same coverage. He had some pretty good shots of people being wheeled into the hospital for treatment. He had even better shots of the destruction and physical damage to property, one mile from the fire. You can bet we won't be seeing too many more of those in the coming days. The Chinese lay down rules about what type of reporting can be done, and what those reports should say.
The cell phone has taken a good bit of their control away for catastrophic events like this fire. They can shut off the transmission of things, but the camera still stores it and it does get out. The most graphic images of the explosions and fire will not be contained by any amount of control. They were scary and made by people who lived close enough to get burned in the process. Watch how these images are slowly replaced over the next few days, by people being released from the hospitals, families moving back home after being removed from the city, débris being picked up from everywhere, and police making the area safe again.
Fox News reported the following today: " As is customary during disasters, Chinese authorities tried to keep a tight control over information. Police kept journalists and bystanders away with a cordon a few miles from the site. On China's popular microblogging platform of Weibo, some users complained that their posts about the blasts were deleted, and the number of searchable posts on the disaster fluctuated, in a sign that authorities were manipulating or placing limits on the number of posts."
We got to see some of the secret police in their street clothes in his video. They were policing some victims' families who wanted more information than they were getting on the condition of their relatives. They crowded around the poor guy's cell phone looking for the footage he had from the hospital, understandable by any standard, but the police also crowded around his cell phone looking at the same coverage. He had some pretty good shots of people being wheeled into the hospital for treatment. He had even better shots of the destruction and physical damage to property, one mile from the fire. You can bet we won't be seeing too many more of those in the coming days. The Chinese lay down rules about what type of reporting can be done, and what those reports should say.
The cell phone has taken a good bit of their control away for catastrophic events like this fire. They can shut off the transmission of things, but the camera still stores it and it does get out. The most graphic images of the explosions and fire will not be contained by any amount of control. They were scary and made by people who lived close enough to get burned in the process. Watch how these images are slowly replaced over the next few days, by people being released from the hospitals, families moving back home after being removed from the city, débris being picked up from everywhere, and police making the area safe again.
Fox News reported the following today: " As is customary during disasters, Chinese authorities tried to keep a tight control over information. Police kept journalists and bystanders away with a cordon a few miles from the site. On China's popular microblogging platform of Weibo, some users complained that their posts about the blasts were deleted, and the number of searchable posts on the disaster fluctuated, in a sign that authorities were manipulating or placing limits on the number of posts."
Wednesday, August 12, 2015
Hillary and the Top Secret E-mail
As a I said in a previous post, the most important information is classified Top Secret. It causes grave damage if disclosed to an unauthorized person.
see
https://www.blogger.com/blogger.g?blogID=9033304048882784982#editor/target=post;postID=3100986242287564374;onPublishedMenu=allposts;onClosedMenu=allposts;postNum=4;src=postname
It turns out, the government is saying that some of Hillary's mail was Top Secret. Most anyone in government knows when something is Top Secret and it doesn't take a rocket scientist to recognize it when they see it. This is what happens when someone tries to get too cute with a system they either don't understand, or think they get a pass on. Now, she has decided to turn over a server of dubious value, so she can say she is "cooperating". Everyone wants to see that thumb drive with the copies of some of those emails on it, and she can't do much to stop that now. Bad judgements all around.
see
https://www.blogger.com/blogger.g?blogID=9033304048882784982#editor/target=post;postID=3100986242287564374;onPublishedMenu=allposts;onClosedMenu=allposts;postNum=4;src=postname
It turns out, the government is saying that some of Hillary's mail was Top Secret. Most anyone in government knows when something is Top Secret and it doesn't take a rocket scientist to recognize it when they see it. This is what happens when someone tries to get too cute with a system they either don't understand, or think they get a pass on. Now, she has decided to turn over a server of dubious value, so she can say she is "cooperating". Everyone wants to see that thumb drive with the copies of some of those emails on it, and she can't do much to stop that now. Bad judgements all around.
Tuesday, August 11, 2015
Creating a New Poison & the Antidote
Back in my early days in security, we had some geniuses
learning specific hacks against systems so they could attack them, then apply
for a job to fix the problems they identified.
It was a mild form of extortion. One
of them was a company that identified a new thing, a virus that affected UNIX,
once considered to be like Apple, more secure than anything else out
there. That virus was invented in a lab,
along with an “antidote” which the company was going to sell. We all thought that was a dangerous thing to
do. It is almost like inventing a new
disease that might kill everyone on the planet, but developing a drug that can
kill off the infection. What surprised
us all in government was our white knight turned out to be the National
Security Agency (NSA).
NSA sent lawyers around to talk to these folks and tell them
that if this particular virus were to appear in the wild, they were going to be
sued. I think I nearly fell on the floor
when that happened.
I see similarities in that situation and the one Kim Zetter
identifies in a Wired article earlier this month [ Researchers Create First
Firmware Worm that Attacks Macs, 3 August 2015, link ] Zetter says “The Mac firmware research was
conducted by Kovah, owner of LegbaCore, a firmware security consultancy, and
Trammell Hudson, a security engineer with Two Sigma Investments. They’ll be
discussing their findings on August 6 at the Black Hat security conference in
Las Vegas.” They have identified a
problem, built a lab worm to exploit it, and are now going to tell hackers everywhere
what the problem is, no doubt making a market for themselves in the
process. This is equally dangerous
territory. There are lots of arguments
for identifying vulnerabilities and developing cures for them, but this one is
really on the edge of creating a problem and fixing it for profit. The government needs to take an interest in
what they are doing and a stance on whether or not it should be allowed to go
on.
This entry was approved for public release and does not reflect the opinions of the Intelligence Community or the Federal Government.
Monday, August 10, 2015
Dead Taliban Leader Still Disrupts
Saeed Shah and Margherita Stancati have an article in today's Wall Street Journal [ Taliban Leader’s Death Derails Peace Effort ] that shows a Taliban leader, dead for two years now, can still disrupt international relations and the cause of peace. That is only the way they see it, because the whole idea of a meeting being postponed because the death of Mullah Omar was announced, is ridiculous. The Taliban knew he was dead when this latest peace initiative was being planned. They are just confused about who the new leader is going to be, and don't want another dog fight during this next meeting with the Afghan government.
Mullah Mansour is "calling for 'jihad until we establish an Islamic state'." He is trying to out-ISIS the competition so he can lead with the same kind of tactics ISIS is using. We have to ask ourselves if our State Department Friend, Pakistan, is looking for peace, or looking for a caliphate like ISIS is trying to manufacture in Syria. Maybe they believe they might eventually replace ISIS with a more organized and behaved regime. Mansour is hardly that kind of leader, but he is their leader. They are stuck with him.
Pakistan has been hiding the death of Omar for two years because choosing between two guys who don't really like each other and will end up settling their disagreements the way the Taliban always has, car bombs and assassinations.
They are really talking about the leadership of Afghanistan, not the Taliban per se. Pakistan will help the Taliban take back Afghanistan after years of retreat, and billions of U.S. dollars trying to avoid just that. The real enemy here is not the Taliban.
Mullah Mansour is "calling for 'jihad until we establish an Islamic state'." He is trying to out-ISIS the competition so he can lead with the same kind of tactics ISIS is using. We have to ask ourselves if our State Department Friend, Pakistan, is looking for peace, or looking for a caliphate like ISIS is trying to manufacture in Syria. Maybe they believe they might eventually replace ISIS with a more organized and behaved regime. Mansour is hardly that kind of leader, but he is their leader. They are stuck with him.
Pakistan has been hiding the death of Omar for two years because choosing between two guys who don't really like each other and will end up settling their disagreements the way the Taliban always has, car bombs and assassinations.
They are really talking about the leadership of Afghanistan, not the Taliban per se. Pakistan will help the Taliban take back Afghanistan after years of retreat, and billions of U.S. dollars trying to avoid just that. The real enemy here is not the Taliban.
Sunday, August 9, 2015
If it was the Russians....
In today's announcement of the hack of members of the Joint Staff in the Pentagon, the hack was attributed to the Russians. There was some press speculation about it being similar to other types of hacks that were long-term and did not seem to take information. It was intended for long-term monitoring and not a quick strike to get a specific database like OPM's.
That kind of speculation is just that. Unless there is more evidence, we should give it some time before making an attribution. The Russians were said to be behind the State Department hack of email, which is still going on. Since it has been going on for 6 months, it is likely the people doing the attribution for that one got it right.
Aside from the attribution issues, the Joint Staff is part of the DoD, which has unclassified networks that are supposed to be safe, secure, and protected from the Internet. We pay a boatload of money for some of those and we should be finding out how they ended up getting hacked. Since OPM brought a spotlight to hacking Federal agencies, it is possible somebody up the food chain will decide to pay attention this time. The Postal Service, State Department, OPM, the IRS, and a host of other DoD hacks are clear indication nobody is paying attention. We used to give money to the Services and Agencies so they could do security, and they would spend it for other things, then ask for more if they have a problem. Somebody is doing that now and nobody is checking to see where that money is going.
That kind of speculation is just that. Unless there is more evidence, we should give it some time before making an attribution. The Russians were said to be behind the State Department hack of email, which is still going on. Since it has been going on for 6 months, it is likely the people doing the attribution for that one got it right.
Aside from the attribution issues, the Joint Staff is part of the DoD, which has unclassified networks that are supposed to be safe, secure, and protected from the Internet. We pay a boatload of money for some of those and we should be finding out how they ended up getting hacked. Since OPM brought a spotlight to hacking Federal agencies, it is possible somebody up the food chain will decide to pay attention this time. The Postal Service, State Department, OPM, the IRS, and a host of other DoD hacks are clear indication nobody is paying attention. We used to give money to the Services and Agencies so they could do security, and they would spend it for other things, then ask for more if they have a problem. Somebody is doing that now and nobody is checking to see where that money is going.
Wednesday, August 5, 2015
I Didn't have Classified Email
I want to mention a couple of things about why the FBI might be investigating security of Hillary Clinton’s e-mail system. She wishes it were a simple thing, and so do I, but it isn’t.
When a government official says something is classified, they mean that the disclosure of it to “an unauthorized person” would result in some damage to the United States. The degree of damage measures the importance of what was said. Really important stuff causes “grave damage” and is classified Top Secret. Lesser damage is caused for Secret or Confidential information. Usually, the “unauthorized person” is anyone in the public who does not need to see the stuff that was written or spoken, and we assume they are not authorized because they don’t have a security clearance.
When someone says something is not classified, they are supposed to mean that a person who originated it did not have to mark it with a classification marking, like Top Secret. Now, if the person who originates knows or should know the information is classified but “forgets” to mark it, it is still classified because of the damage it would do. It does not become unclassified, or not classified, by any measure. It is still classified and should be marked that way. When Hillary says she did not have anything classified on her server, she means it did not have classification markings on it. If she originated it, it would be her responsibility to mark it. If someone else did, it was their responsibility. Still, everyone in governments all over the world know about this problem of not marking things when they should. Another process compensates for that.
To be sure people don’t make mistakes and release classified to the public, the government has a public release process, which I have to use to publish things. It is annoying, but not a big problem, because the DNI pre - pub people know what they are doing. The State Department should have a few that do too. It is a review by a government person designated to do this kind of thing, to make sure what I publish is not unmarked material that has slipped by in my writing. It has only happened once that anything was “redacted” a term which means taken out of something that was going to be publicly released. They don’t tell me it is classified, since I no longer have a security clearance and that would be a problem for them to tell me something was classified and I shouldn’t have it. It came out of my brain and was not marked because I don’t think about marking stuff anymore. In that particular case, I had no idea such a thing could be classified until I thought about it a little.
So, when Hillary says what she had on the server was not classified and our Intelligence services say some of it was, they are both relying on the public not having a good understanding of the system that creates classified information. When her husband’s former political advisor goes on CNN and says it was “classified after the fact” he is inferring it wasn’t classified at all until someone decided, retroactively, to mark it that way. It is only the marking that was applied retroactively, and not the classification. It was classified before and will be properly marked now, even though it is too late to stop the release of it. She decided it was to be released and not the State Department pre-pub people.
There is another aspect to this that gets little attention in government. There is always the possibility that it was not marked as classified because everyone knew that the server was an unclassified, non-government computer. I have seen Top Secret things marked as Secret and Secret things marked as unclassified because the network they were processing on wasn’t approved for that level of material. Each computer system is approved for the highest level it contains, so nobody can put a higher level on it. I once did an inspection company where a woman was removing the Secret markings from documents before she ran them on her little computer network. I noticed her doing it and asked her why. “I am not allowed to process classified information on that computer, so I have to remove those markings.” She was a nice person who didn’t know any better, but got fired from her job anyway. This was someone who did not understand why we were getting those computers approved and marking documents that others would read. Perhaps Hillary is the same kind of person, but I doubt it.
The FBI will be looking for mitigation, i.e. did the company that put those servers in and helped her with the processing of email do things to protect that data from others reading it? Did they encrypt the data sitting on the server and her backups? Did they know it was classified? Did they protect it like it was if they didn’t? These are all factors bearing on how much damage was done by having those four emails that have already been identified as being classified, sitting on a server anywhere. They might have done a good job and the possibility of damage will be remote. They might have treated it like any other commercial job and the possibility will be greater that someone else got it, including their own employees, who certainly could have. What is interesting about this is the who of this inquiry. If it was a damage assessment, the FBI would seldom be involved. That is the kind of thing the State Department would do themselves, unless they suspected it was more than an accident. I will go into that one day, but not today.
When a government official says something is classified, they mean that the disclosure of it to “an unauthorized person” would result in some damage to the United States. The degree of damage measures the importance of what was said. Really important stuff causes “grave damage” and is classified Top Secret. Lesser damage is caused for Secret or Confidential information. Usually, the “unauthorized person” is anyone in the public who does not need to see the stuff that was written or spoken, and we assume they are not authorized because they don’t have a security clearance.
When someone says something is not classified, they are supposed to mean that a person who originated it did not have to mark it with a classification marking, like Top Secret. Now, if the person who originates knows or should know the information is classified but “forgets” to mark it, it is still classified because of the damage it would do. It does not become unclassified, or not classified, by any measure. It is still classified and should be marked that way. When Hillary says she did not have anything classified on her server, she means it did not have classification markings on it. If she originated it, it would be her responsibility to mark it. If someone else did, it was their responsibility. Still, everyone in governments all over the world know about this problem of not marking things when they should. Another process compensates for that.
To be sure people don’t make mistakes and release classified to the public, the government has a public release process, which I have to use to publish things. It is annoying, but not a big problem, because the DNI pre - pub people know what they are doing. The State Department should have a few that do too. It is a review by a government person designated to do this kind of thing, to make sure what I publish is not unmarked material that has slipped by in my writing. It has only happened once that anything was “redacted” a term which means taken out of something that was going to be publicly released. They don’t tell me it is classified, since I no longer have a security clearance and that would be a problem for them to tell me something was classified and I shouldn’t have it. It came out of my brain and was not marked because I don’t think about marking stuff anymore. In that particular case, I had no idea such a thing could be classified until I thought about it a little.
So, when Hillary says what she had on the server was not classified and our Intelligence services say some of it was, they are both relying on the public not having a good understanding of the system that creates classified information. When her husband’s former political advisor goes on CNN and says it was “classified after the fact” he is inferring it wasn’t classified at all until someone decided, retroactively, to mark it that way. It is only the marking that was applied retroactively, and not the classification. It was classified before and will be properly marked now, even though it is too late to stop the release of it. She decided it was to be released and not the State Department pre-pub people.
There is another aspect to this that gets little attention in government. There is always the possibility that it was not marked as classified because everyone knew that the server was an unclassified, non-government computer. I have seen Top Secret things marked as Secret and Secret things marked as unclassified because the network they were processing on wasn’t approved for that level of material. Each computer system is approved for the highest level it contains, so nobody can put a higher level on it. I once did an inspection company where a woman was removing the Secret markings from documents before she ran them on her little computer network. I noticed her doing it and asked her why. “I am not allowed to process classified information on that computer, so I have to remove those markings.” She was a nice person who didn’t know any better, but got fired from her job anyway. This was someone who did not understand why we were getting those computers approved and marking documents that others would read. Perhaps Hillary is the same kind of person, but I doubt it.
The FBI will be looking for mitigation, i.e. did the company that put those servers in and helped her with the processing of email do things to protect that data from others reading it? Did they encrypt the data sitting on the server and her backups? Did they know it was classified? Did they protect it like it was if they didn’t? These are all factors bearing on how much damage was done by having those four emails that have already been identified as being classified, sitting on a server anywhere. They might have done a good job and the possibility of damage will be remote. They might have treated it like any other commercial job and the possibility will be greater that someone else got it, including their own employees, who certainly could have. What is interesting about this is the who of this inquiry. If it was a damage assessment, the FBI would seldom be involved. That is the kind of thing the State Department would do themselves, unless they suspected it was more than an accident. I will go into that one day, but not today.
Planes, Pumps, and Automobiles
Every business generation seems to learn the same lesson over and over: The Internet is not a natively safe place to operate devices. A company has to do some security to prevent hackers from taking over their little pieces of technology.
Fifteen years ago, we did a security check for a company that did venture capital. They had a business that was going to do on-line business for big customers just starting to think about clouds and they thought it was a good idea to see if they were secure enough to do Internet business. They weren't. On the first survey our team did, I sent another team back out to the same site because I didn't believe the results could have been so bad. They had to know something about security if they were going to be in business in a hostile environment. The Internet is not a safe place.
In the last few months, we have seen people hack an airplane's entertainment system, a pump used to control the distribution of drugs to a patient in a hospital, and the guts of an automobile electronic control system. We should be similarly surprised that the people who developed those devices thought they could be operated safely in such a hostile place. Boards of Directors should be a little more careful about their due diligence. They need to be asking more questions about any device that has an Internet connection. I talked to a friend of mine, who sat on some of those Boards, and he laughed at that idea.
Boards are not selected for thier technical abilities, he said. I know that. They don't know what questions to ask. I didn't know that. In fact, I thought Boards were smart people put in place to ask hard questions. He laughed again.
Certainly they must know something about hacking, since so much of it is going around. Then, I thought about all those businesses losing information to the Chinese, and thought I might re-evaluate that position. They don't know enough to ask about how they should protect their own trade secrets from the Chinese. They didn't ask any questions about what was being done by their own internal IT shops. The questions they would have to ask about development projects are harder to thiink about about. They would actually have to think about development as an IT-related business, rather than as a product which will make a certain amount of money, given a specific financial investment. He laughed hard at that. I may have overestimated the degree of discussion about the technical merits of a product, given the amount of investment in it. No wonder they never get around to asking about security. They are definitely paying these guys too much money.
Fifteen years ago, we did a security check for a company that did venture capital. They had a business that was going to do on-line business for big customers just starting to think about clouds and they thought it was a good idea to see if they were secure enough to do Internet business. They weren't. On the first survey our team did, I sent another team back out to the same site because I didn't believe the results could have been so bad. They had to know something about security if they were going to be in business in a hostile environment. The Internet is not a safe place.
In the last few months, we have seen people hack an airplane's entertainment system, a pump used to control the distribution of drugs to a patient in a hospital, and the guts of an automobile electronic control system. We should be similarly surprised that the people who developed those devices thought they could be operated safely in such a hostile place. Boards of Directors should be a little more careful about their due diligence. They need to be asking more questions about any device that has an Internet connection. I talked to a friend of mine, who sat on some of those Boards, and he laughed at that idea.
Boards are not selected for thier technical abilities, he said. I know that. They don't know what questions to ask. I didn't know that. In fact, I thought Boards were smart people put in place to ask hard questions. He laughed again.
Certainly they must know something about hacking, since so much of it is going around. Then, I thought about all those businesses losing information to the Chinese, and thought I might re-evaluate that position. They don't know enough to ask about how they should protect their own trade secrets from the Chinese. They didn't ask any questions about what was being done by their own internal IT shops. The questions they would have to ask about development projects are harder to thiink about about. They would actually have to think about development as an IT-related business, rather than as a product which will make a certain amount of money, given a specific financial investment. He laughed hard at that. I may have overestimated the degree of discussion about the technical merits of a product, given the amount of investment in it. No wonder they never get around to asking about security. They are definitely paying these guys too much money.
Tuesday, August 4, 2015
The Pakistan Taliban
Reuters has a
story today that may begin to open up the story of the death of Mullah Omar and
why the Taliban thought better of announcing it until two years after it
happened. That mess is described in the
resignation of Syed Mohammad Tayab Agha as director of the Political Office in
the Qatari capital Doha. [Jibran
Ahmadibran Ahmad, New Taliban leader facing tension as top official quits, 4 August]
Agha listed a few things as reasons for his resignation:
Ahmad describes
a little more that might account for the sudden departure of Agha and the
splits in the Taliban who seem to be supported by the Pakistanis. Monsour sent a delegation of “peace
negotiators” to talk to the Afghan government but didn’t include Agha who is
the lead negotiator in Doha. That must
have hurt. It sets Monsour ahead of the
other factions of Taliban and shows the Pakistan Intelligence Service (ISI)
favors him. That alone will make him the
tacit leader of the clans.
Fighting has erupted between various factions in the Taliban, something the Taliban denies, of course. This has temporarily stopped the Taliban from fighting most everyone, which may be a good thing. The only problem is the will of the fighters to fight leads to defections to ISIS. The Taliban leadership has to contend with that external group, which is not fighting the war for them in Afghanistan. Their leadership in the extremist groups is being challenged.
What we need to remember is that Pakistan is right in the middle of this. When the Chinese were having trouble with the Uighurs, they went to Pakistan to talk about stopping the training of terrorists. It seemed odd at the time, but maybe the Chinese were well informed about where the problems with Islamic extremists come from. I’m having trouble believing the Iranians are the world’s leading supporters of terror when Pakistan seems to be holding its own.
Agha listed a few things as reasons for his resignation:
1. The new leadership is made up of people living
outside the country.
2.
He blames Mullah Monsour for the concealment
of the death of Mullah Omar, something he calls a ‘historic mistake by the
individuals concerned’
3.
The Taliban are taking on roles outside
of Afghanistan and that is not good for them.
Fighting has erupted between various factions in the Taliban, something the Taliban denies, of course. This has temporarily stopped the Taliban from fighting most everyone, which may be a good thing. The only problem is the will of the fighters to fight leads to defections to ISIS. The Taliban leadership has to contend with that external group, which is not fighting the war for them in Afghanistan. Their leadership in the extremist groups is being challenged.
What we need to remember is that Pakistan is right in the middle of this. When the Chinese were having trouble with the Uighurs, they went to Pakistan to talk about stopping the training of terrorists. It seemed odd at the time, but maybe the Chinese were well informed about where the problems with Islamic extremists come from. I’m having trouble believing the Iranians are the world’s leading supporters of terror when Pakistan seems to be holding its own.
Subscribe to:
Posts (Atom)