There were two stories in the Wall Street Journal last week that tell of the difficulty in being one of Russia’s neighbors. They are about the small countries of Estonia and Moldova both of which face the Russian Bear every day. The Russians have not given up on getting them back and use the same techniques so familiar in the Ukraine. The Moldova article mentions Georgia, just so we don’t forget about that one either.
Mostly, we call what the Russians do harassment: meddling in elections, undermining the military, degrading politicians that do not favor their views, running campaigns to influence every person they can reach. Both of these countries are small and face the Bear bravely.
Both the leaders who wrote these articles are calling for the same thing - they need help. It takes huge amounts of energy to fight all the time, and the Russians are both relentless and brazen about their work. Europe has finally come around to the idea that Russia cannot just take these little states like they did Crimea. The lesson there was clear. I always thought that President Obama was talking about Crimea when he said he would have to wait until after the election to carry out his agreements with Russia. He said that on an open mike and not for public consumption. Now that little place is gone and the rest of the world will not be getting it back.
We need to give these countries some aid of various types - cyber training, intelligence support, weapons for their own defense - and help them organize. First they need to organize with one another. They can fight better together. Next, they need to organize with Europe, which should help them for its own well-being. None of them want Russian-controlled countries on their borders like they had for years. But, like in Ukraine last week, there is room for the rest of the world to help too. Putting Javelins in there will make a lopsided situation less so. It doesn’t take much, and like many business executives in the world, President Trump is just paying attention to cries for help. He doesn’t have to do much, but paying attention is important. Same for Europe and the border countries of the old Soviet Union.
Sunday, December 31, 2017
Friday, December 29, 2017
Suicide before Life in NK
You can read the whole story here. But for a man to commit suicide rather than go back to North Korea after China returned him, here is a statement about both countries. That China would return a man knowing how well he would be received in the North is a travesty of huge proportions. I guess they are so attached to the North’s nuclear program that they want to discourage other defections that might allow all of us to know how close they are to a miniature warhead, and to say where that technology came from: China, most likely. What a country.
It isn’t a great place to defect to, unless you have secrets like our boy Snowden. They didn’t send him back. But this breaks new ground for shallowness of thought. They couldn’t have allowed poison to pass through the kind of searches the Chinese give. They had to provide it to him rather than let him talk or go back. What nice guys they must be.
Thursday, December 28, 2017
Russia and China Sell Oil to N. Korea
Sanctions mean nothing to China or Russia, it seems. It took them a little over a week to start selling oil to North Korea in what is probably a “humanitarian” sale. I can’t believe the Chinese do this with a straight face. They must smile secretly. The story is complete with satellite photos anyone can buy from a vendor. It’s fun to be able to check without going through a government filter.
Reuters has an exclusive on Russian sales to North Korea and transfers at sea. These are the same people who claim to want to stop North Korea from building a nuclear weapon but violate the sanctions within a week of them being made. Sanctions are worthless.
Wednesday, December 27, 2017
Not Like Us
I did a post last week on Andrew Browne’s article on China in the Wall Street Journal. What it says is that China is not going to be “more like us”, and “The game of make-believe is winding down.”
From a business standpoint, I have been saying that for the last 6 years. Chinese businesses, many of which are state-owned, and all of which are state influenced, are not like our businesses, though they go to great lengths to keep that illusion. They pretend that businesses that come to China will be allowed some flexibility in meeting Chinese rules for ownership and cooperation with State Security. They pretend that intellectual property will be protected. They pretend that censorship rules will not be applied to companies that come there. They pretend that U.S. companies will not be spying on China’s citizens, and maybe a few other citizens too.
He asks an interesting question: “What is the appropriate response to an increasingly predatory Chinese state that takes advantage of Western openness to acquire technology even as it shelters its own markets behind protectionist barriers?” Cooperation with their approach isn’t it. Browne says a “reset” is in order.
For years, business leaders have been saying that the free world can “out-innovate” China even if they steal our intellectual property and use it to manufacture their own goods. We might have to think about that approach more. By the time Boards of Directors realize that approach fails more than it succeeds, it is largely too late. They are looking at losses caused by unfair competition from state controlled industries subsidized by China’s banks and partner businesses. The reset has to be on both sides for it to work well. Business leaders have to know that short-term profitability is not enough to satisfy shareholders with long-term interests.
It’s Only Art
Look at the picture shown by BBC. It is innocent enough, and just a work of art. You can like it, or not, by the feeling it gives you about spaces and objects, like an empty chair sitting in the middle of a room. The bars on the windows of the home, with an old scene from China outside them, are another clue. The creators of this art are a pair of French artists, who were unceremoniously hauled away after the mural was completed, and have not been heard from since. This is, as a plainclothes police officer said, China and not some other country where such things are allowed. The artists should have known. Really?
I wondered about the antics of Kathy Griffin holding up a plastic head of Donald Trump that looks like it was severed with some malice. It was art, and it was judged by the quality of it, not by the message it sent to the people of the United States. Kathy Griffin has largely been out of work since. The quality of comedy was not there. A few found it hard to see the humor, like the Secret Service, which actually has no sense of humor and thus is not good at considering the source and moving on. The Chinese are apparently much less accepting of this kind of art. Amazon is not still selling severed heads of Xi Jinping, so we can assume Chinese censors would not like that very much. If they can sell Trump’s, they should be able to sell others too.
The difference is, Kathy Griffin is not in jail. The whole of China is not very tolerant of critics. But, even for them, this seems a little harsh. Liu Xiaobo is dead, after all. But, he made such an impression on the leadership that they won’t let it go, even after his death. No more powerful statement can be made about a man.
Arresting a couple of French artists just brings more attention to Liu Xiaobo. Don’t they get it?
Tuesday, December 26, 2017
Acts of War
We have to think a little bit when North Korea calls sanctions an act of war. These are the same guys who sank a South Korean ship, attacked the banking infrastructure, and shot people who tried to escape across their borders. The latter is clearly not an act of war. The thing about acts of war is that they are much like pornography - we know them when we see them. Having sanctions against a country that wants to build a nuclear-armed missile is certainly not an act of war. Is building one?
Sunday, December 24, 2017
ZTE Monitoring Does Not Go Smoothly
Most people have already forgotten about how ZTE managed to get into court and end up being monitored by two firms, set up by the court to oversee their rehabilitation. ZTE was not only violating agreements China made to keep nuclear weapons out of the hands of North Korea and Iran, they were using a “rule book” that described how they could avoid detection by a shell game of companies. When they were caught, the Commerce Department published the rule book along with their indictment.
In somewhat of a mystery, the two monitoring companies both quit, and there was an indication by Reuters that they were not able to do their job under restraints put on them by a court-appointed individual assigned to oversee the monitoring for the judge. He seems to have limited their access to both documents and people who worked for ZTE - almost like he didn’t want the team to do their job, but wanted the appearance of doing it.
Javelins for Ukraine
Nothing like facing a tank with small arms and grenades. It is sure to ruin your day. But, things are a little more even with a Javelin. It is man-carried and small, but it packs a wallop where it counts. You can see video of one and how easy they are to operate. It will not be fun for the Russians who encounter one. All it took for Ukraine to get these things was political will.
Putin claims there are no Russian soldiers in the Ukraine so he should not be affected by the addition of such a weapon, yet Russia manages to see it in light of an “escalation”. Putting contract soldiers and missiles into Ukraine is the escalation. The Obama Administration called for “proof” of missile launchers and Russian troops almost every day of the week. A long stream of video and photos were surely enough for most people, but not for that White House. Now that they are mostly gone, the proof seems easier to come by.
Friday, December 22, 2017
Let the Retaliation Begin
It always takes too long for a country to retaliate for cyber intrusions into their internal affairs. That is because the country of origin always denies doing it, and the proof of it is a state secret on both sides of the action. Well, the British are about to enter the fray with Russia over the same kind of influence campaigns run by Russia in the U.S. We should all remember that Russia has their own elections next year. We might know who would win that election, but it could be more difficult than they realize if the wronged countries put their heads together. Germany and France were part of that too.
The BBC has published a story about how this all started and the threats of retaliation being made. The British are hot about the interference in the Brexit debate, where the Russians did quite a bit for those wanting to leave the EU, but kept the fires burning on both sides of the debate. The PM warned Russia in November; the head of part of the U.K.’s security establishment said it again this month as the Russians continue to undermine the U.K. and every democracy they can.
The Russians and Chinese both need to see what the West can do when motivated. The U.S., U.K., Germany and France all have capable cyber forces that can combine to make life more interesting for both of them. The Russians and Chinese have 32 agreements on non-interference and cooperation against the rest of the world. We only need a little of that same kind of cooperation to make them think twice about stealing our technology, and stirring up trouble in our respective countries - without consequence. Retaliation is a good start, but a deterrent strategy we can all live with would be better.
Time For CFIUS Reforms Has Come
What a mess. The Committee on Foreign Investment in the U.S. has been around for as long as I worked in government, rarely raising an eyebrow anywhere because it moved slowly, relied on voluntary reporting for the most part, and took its time making decisions. Over the years, that has all changed. Now, there is sentiment in the Congress for legislation to strengthen and clarify the rules for companies buying into the U.S. What prompted most of that review and revision is State-Owned Enterprises, almost all from China, buying into U.S. critical technologies like microchips.
In today’s Wall Street Journal there is another case that is likely to push that movement forward. I know Congress has been busy on other things, but there is agreement on both sides to get moving on this, and this story gives good reason for some urgency. It is the case of HNA. The Journal says, “The requests from Capitol Hill follow recent allegations by a U.S. firm that HNA provided ‘knowingly false, inconsistent, and misleading information’ about its ownership and ties to the Chinese government during the interagency panel’s review of a $325 million deal.”
Of course HNA says it has no connection with the government of China. In a great article, the Financial Times put this all together pretty well, naming names and posting faces of most of the leadership of HNA. Most, and they were pretty blunt about a few of the leaders that they couldn’t find much about. I pointed out at the time that HNA was feeding the Hillary Clinton campaign through other charities and its own. This sweetheart arrangement fell through, and the protection of HNA went with it.
There are many others besides HNA, and the Chinese will move from one company to another when attention is drawn to one of them. They keep the national strategy going by changing the face to U.S. regulators. As I pointed out in my testimony on this last year, CFIUS can’t keep up with the way China is hiding its state connections to its own companies. They have gotten better because it was possible for researchers to find military leaders in government companies, and ownership and management by state agencies. It is harder to find anything like that anymore, because their websites now hide the truth.
Wednesday, December 20, 2017
How Much Surveillance is Enough?
In the Wall Street Journal today there is an interesting article about how much surveillance is enough to deter and prevent terrorism in China. According to this article there is never enough. But, one thing I did find interesting was the mention of voice recognition technology, not something I had seen associated with Chinese surveillance. Facial recognition is used a lot more than in other parts of the world. Retinal scanning is more common and seemingly accepted by the most affluent members of the population. What choice do they have?
The cars of journalists were watched with license plate scanners, the cars stopped and searched just because it was possible to easily identify them. This is just harassment, though it was easy to tell that it wasn’t just journalists that came in for this kind of treatment.
The “social credit” system shows up here too when a man is blacklisted and everywhere he goes there is an X by his name when he checks in. He claims to not know why, but says “I can’t go anywhere.” Imagine doing a facial scan at a gas station and then wondering if the police will show up to ask you why you need more gas today. All this in the name of “harmony”. You can never have enough harmony.
Tuesday, December 19, 2017
Reciprocity for the Saudis
The Houthis acquired and fired another of those Iranian missiles, which was intercepted by the Saudis. The last time this happened the remnants of the missile were put on public display, and fingers were pointed the Iranians’ way because the parts were made in Iran. We might hope the parts are big enough to identify, yet again. The New York Times questions whether the missiles actually hit the target, but I don’t think they know much about missile defense. The Patriots don’t always have to blow up a target to kill it.
The Saudis can play this game if they want to, and reciprocity is always good for discouraging the firing of ballistic missiles into your neighborhoods. Somebody could get hurt doing that. So, let the Saudis give a couple of missiles to a bunch of the good guys in Yemen and have them fire these off at a couple of Iranian cities. They can hope their anti-missile systems will work as well as the Saudi systems did the last two times.
The Iranians have their own, which they call the Bavar 373. They had the Russian S-300, but that was not continued after sanctions started. They had to build their own, at least that is their story and they are sticking to it. This is similar to the story the Houthis told about their own missiles, but that turned out to be a fairy tale. I suspect the Iranian story is equal in fantasy.
One day the Saudis are going to stop playing this game and fire off some of their own through an equal proxy. That is when we find out if those Russian S-300s really work. We know how well the Patriot works. It has a long history in combat.
Cyber Picks Up in U.S. Foreign Policy
The President yesterday laid out a bigger context for competition between national powers, and mentioned cyber as one of the areas he would give additional emphasis. At the same time, the White House pointed fingers at North Korea over the Wannacry attacks, which most everyone in security circles knew were launched from there. It sounded like a warning in the context of the other parts of the speech.
I pointed out last year that Janet Yellen mentioned cyber security in one of her major speeches. That doesn’t happen very often. The North Koreans and Chinese have pushed the cyber parts of their strategy into territory that crosses into commercial interests. The first attacks by North Korea were on the banking infrastructure of South Korea (along with some military and government targets at the same time). That was sure to get the desired effect. The second attack was on Sony, a further demonstration of what happens when private emails are given to the press after a damaging attack is completed. These kinds of attacks haven’t stopped coming, now that they have proven to be effective. Political interference and manipulation of social media is expanding rapidly.
These are all threats generated from foreign governments, or with their sponsorship. There is a long series of articles in today’s Wall Street Journal on the nature of the nation-state threat, but there is very little new in what is discussed. Attacks on businesses by foreign governments are out of line and need a response. That response should use two principles, reciprocity and retaliation. Attacks on business need a response to businesses, especially those contracted to do this kind of work. Our government needs to sponsor that response, but not necessarily do it themselves. Attack them, publish their internal email, and disrupt their computers. Retaliate against the government directly, which the Obama Administration was said to have done with North Korea. They don’t mind, but that doesn’t mean it shouldn’t be done. They have to expect that their attacks are not without consequence.
At the same time, start doing more to defend against cyber attacks. We have seen very few new cyber defense mechanisms that work. Sow a little research money in this area. Then, start with new policies that recognize advanced cyber defense. We continue to struggle along with nothing new, and policies that discourage anything that is.
DISA and Russian Programmers
Today, the Justice Department released a long package of documents outlining the case of Netcracker Technology, a software company having part of the code used on the Defense Department’s networks. These networks are the ones used by Defense and a number of other Federal agencies. They range in sensitivity from unclassified to Top Secret.
According to the documents released, the geniuses at the Defense Information Systems Agency knew that Russians were writing the code that was used in Netcracker’s software and OK’d it. So they thought it was OK to have code written by Russians, in Russia, running on the networks of the Defense Department. Whoever made that decision should be roasted in oil, but since 2008, the person is probably gone. Nobody stays in DISA unless they can’t find another job.
It was Netcracker which actually revived the issue in 2011, again telling DISA that it was using uncleared Russian nationals to write code for the core of this project. No wonder the Justice Department decided on this novel, and totally worthless, approach of a “non-prosecution agreement”. This amounts to nothing except a CYA document for DISA which made the mistake of allowing them to continue to use Russian nationals when they should have known that was improper.
This, of course, gets to the thorny issue of when software used by Defense Agencies can include software written by foreign nationals. Take Microsoft for example, where large portions of their software is written in other countries. Microsoft offered to make Defense a version of Windows and Office but they turned it down. China has its own version, because it knows better. This whole COTS product issue has to be reviewed and thought out a little more.
This isn’t about money, because we all know that software is more expensive if the government has its own versions that have to be updated and controlled by U.S. citizens with security clearances. But, we sometimes pay that money because it is the right thing to do and reduces risk of using just anyone’s software. I remember a Dilbert cartoon where the Ebonians offered to make software for Dilbert’s company for free, and the boss thought that was a great idea. That level of humor must have been a little above the idiots at DISA.
Monday, December 18, 2017
A Business Approach to Foreign Policy
Reuters today is describing what it thinks will be in the U.S. President’s speech tomorrow on foreign policy toward Russia and China. People who specialize in this topic will not like what he has to say, probably for the wrong reasons. That is because he takes a business approach to it.
In big business, entities can compete without necessarily fighting. The President will say that Russia and China are competitors, and are trying to maximize their economies at our expense. At the same time, they are expanding their territories by seizing land and water claimed by other countries. Business generally ignores this kind of government activity, focusing on the areas where business can be done. Be friends with the leaders of these countries and work at what works, even though there are political disagreements. Sure, businesses take territories from one another all the time, but a long-term strategy can get those territories back. The objective always is to maximize the business without getting into a fight that will hurt profitability in all competing businesses.
In this model, Russia and China are not enemies, determined to destroy the United States. They are competitors whose business interests are at odds. I would not agree with that view. The Russians and Chinese both interfere with the U.S. political system, in different ways. This would be like having the Board of SAIC, in China, undermining the Board of General Motors with proxy fights and stock maneuvers to influence how General Motors does business abroad. Maybe they do that too, but it isn’t apparent one way or another. Incursions into the undermining of U.S. political processes, the military, and intelligence capabilities are analogous to direct interference in the operations of General Motors, which businesses generally do not do. They know that is a two-edged sword.
North Korea is the best example of where such a strategy fails. NK wants to cloud the dealings by threatening to destroy General Motors and kill large numbers of its workers. That doesn’t work very well with this model. It is not behavior that can be tolerated and Russia and China seem to want to let it go on because it is destabilizing. If we are going to be competitive and not enemies, then North Korea (and Iran too) have to end their nuclear ambitions. They are neither one playing the game the way this strategy suggests. Russia and China can stop them both anytime they want. The fact that they haven’t suggests they are not just competitors.
Friday, December 15, 2017
No Surprise Missiles
In case anyone was wondering, those missiles that were fired by the Houthi rebels were not made by them. When it first happened, the Houthis showed 3 missiles that were supposed to have been produced in Yemen. I said, at that time, that Yemen was not known for its missile production, and it likely got the missiles from its best buddy, Iran. Yesterday, the U.S. put on display components of the missiles that were launched against targets in Saudi Arabia, indicating they had been made in Iran. I wish they had not said how they knew they were made in Iran, because the next ones made there will not be produced in a way that makes them so easily identifiable. Children could have come to the conclusion that missiles with parts stamped by Iranian companies - with their company logos on them - were probably from Iran. It would have been better to say that analysis shows the parts were made in Iran and leave it at that.
Thursday, December 14, 2017
Code Reviews Gone Cold
The BBC ran an article last week that talked about a keylogger preinstalled on several models of HP laptops. A month or so ago, I talked about the Intel chip flaw that gave admin access to anyone who knew how to exploit it. My Apple experience with High Sierra was an equal example. HP and Intel flaws have been going on for some time, four and seven years, respectively. I have to ask: What ever happened to code reviews? Don’t we do them anymore?
These are two examples of hundreds that show that commercial products are getting to market with some serious flaws in their security - nothing new to most of us. Our laws allow vendors to offer products for sale without any liability for whatever flaws there may be. There is not much incentive to do anything except wait until some security researcher finds the flaw and points it out. Maybe a year or so later, it gets fixed.
The vendor says that is an acceptable risk to the consumer, but never asks what an acceptable risk is to someone buying a computer. It isn’t acceptable to me. Normal due diligence requires code reviews, and vendors are ignoring that in favor of pushing it off on whoever builds software for them. It is the integration of that software that the vendor should be responsible for. It gets integrated in the vendor’s product, not in the software companies that produce the components. Why do security researchers, or users, have to be the ones finding these flaws? The vendors should be doing it before the product goes to market. Maybe they should hire a couple of those security researchers to see what flaws they can find before they charge us for the devices. Then I might accept the risk.
Bitcoin Fits
I was wondering why nobody mentioned “Ponzi scheme” when talking about Bitcoin. As it turns out, The Hill already did, two days ago. When Bitcoins were first introduced, it seemed like a product without value and with the backing of no government. That is the way most Ponzi schemes work. They look like they have something to offer, but there is no real value in what they are selling.
Wednesday, December 13, 2017
The Tale of the Mistress
While the political people in this town were talking about an FBI agent and the email he sent to his mistress about President Trump, not one of the press outlets made anything of the fact that he was carrying on an affair with a woman in the Justice Department. You may not have noticed that nobody really cared about his wife, who was the really wronged person here, not the President. How many people in Justice and the FBI knew about this affair, and why didn’t they do anything about it? Maybe affairs are OK in the FBI. I’m sure the wives of agents must be wondering about that right now. Washington and the press seem to be filled up with women’s sexual harassment claims, but this is a little different. This woman knew he was married and carried on with him anyway. Is this acceptable behavior to other women? Is it acceptable in the FBI?
Comments in Your Name
The Wall Street Journal has a thought-provoking article today which concerns a study of email comments sent to the Federal Communications Commission about something called net neutrality. What the Journal found, by surveying a million of those who submitted email comments, was that 7800 of them denied making any comments to the FCC. One woman who had been dead for 12 years certainly did not comment.
Now, we might know what the Russians and others have been doing with all of those stolen emails. They can post public comment in almost anyone’s name and clog up the reviews of any piece of legislation. But, what the Journal suggested is equally interesting - a number of people who commented agreed with the comments sent in, but did not send them. That means that some of the lobbying groups that they were registered with may have used their email addresses to send comments in their name. I do register with groups I don’t agree with, but that is mostly to find out what they are saying to their audience, not because I want to send them money or help them. Those comments trying to undo this legislation could be mine.
Diabolical. I suggest any comments be sent back to every contributor of comments with a notation that these were received from them and would be reviewed. It is a simple thing to do and can be automated, so it doesn’t require a lot of work on the Agency’s part. I know this is a small number of the actual contributions to the FCC, but this is a form of identity theft that we should really not tolerate.
Tuesday, December 12, 2017
Contracting with the Russians
There is an interesting story in today’s Wall Street Journal about the U.S. Defense Department taking a contractor to task for having code written by Russians, in Russia, and even storing the code on Russian servers. I can’t tell you the number of times I have seen similar things without much action taken by the government agency involved. This time, something was done about it.
This was a classified contract that should have had a clause in it requiring the developers to be U.S. citizens and, usually, to have a National Agency Check to make sure they are not wanted felons. We need more of these kinds of clauses and lots more enforcement of their requirements. Should we have foreign nationals doing risk assessments of U.S. computer systems? Should we have risk assessments of our critical infrastructure or National Command Authority being done by foreign nationals? You would think this would never be an issue, but I have seen all of these and more.
There were vendors subcontracting to Chinese, Russian, Indian, Israeli and French (just as examples) companies for programming of software used in national defense systems. There were vendors employing foreign nationals who were authorized to work in the U.S. but not authorized to work on these kinds of programs. There were contractors set up in the U.S. as front companies with authorized workers, or post office boxes as offices, who then sent all the work to another country to actually be done. Each of those was competing with a U.S. company for work, and taking jobs they had no business getting away from people who should have gotten them, and putting our security at risk.
Part of the problem is government contracting agencies who have their heads somewhere they shouldn’t be and aren’t paying attention to subcontracting below the second tier. They have not even looked at some of the contractors to see if they have the capability to perform on these contracts. Then, they have to write contracts and clauses that specify who the work must be done by. Then, the Industrial Security people have to enforce those clauses. We cannot have a contractor using Russian contractors in Russia to write code. We know that. But, at the same time, we should know what has to be done to prevent that kind of thing from happening over and over. Our contracting agencies need to wake up and do their job.
Monday, December 11, 2017
Putin Tries Another Withdrawal from Syria
The press is reporting that President Putin has announced another withdrawal of troops from Syria. Before anyone celebrates this announcement, remember what happened the last time he said his troops were leaving that country. They started a new bombing campaign and brought more troops in. Maybe the translation does not work well here. The Russian word for withdrawal must mean rotate troops. We shall see this time.
A Matter of Quality
A friend of mine got together with us last week, after a year away. We were talking about the quality of the new people coming into the cyber realm and working for his company. He was disappointed in their abilities and in the salary they were expecting for an entry level job. One of the things it boiled down to was the number of people who know cyber is a hot field and try to capitalize on that without having the skill set expected of a person with that kind of salary. He called it Millennial Expectations, which would make a good book title.
He interviewed a young woman who had 2 years of experience in the field, so he expected she would have quite a bit of knowledge across a range of cyber subjects. She didn’t. Her sole job before coming for the interview was publishing vulnerability announcements on websites. Her salary expectations were twice what a new person would expect to get. She might get it somewhere else, but she wasn’t going to get it where he was working. It was all too common a scenario.
When I first started in this field, nobody wanted to be anywhere near it. It was not well defined, and there were no certifications for people in it. You had to be something else; “computer specialist” and “computer security specialist” were not real fields at that time, but almost anyone could claim to be one. Now, all you have to do is go to a two week prep course and take a certification test that costs quite a bit. With that, and no experience, you are qualified for a job. How ridiculous is that?
HR departments are not very knowledgeable about any of the criteria that make good employees in this field. Part of that is because they are not getting much help from the people who know how to do the job. Knowing how to post vulnerability announcements isn’t even one of the qualifications that a Department would look for. I went out to look at a couple of job announcements and found this as typical: “Prepare System Security Plans Conduct reviews of computer security requirements for compliance, efficiency, and standardization of technical computer security configurations. Perform technical upgrades, repairs, and patches, modifications or replacement of information security tools and technologies as directed. Perform/assist with technical investigations of security violations involving customer IT systems information. Determine corrective actions, prepare and submit reports in accordance with government and corporate directives. Required Skills Include: Must have a current DODI 8570.1-M IAT Level II (Security+ CE) (minimum) certification. Minimum of three years IA experience Must have experience with ICD 503 accreditation and Information Assurance Vulnerability Alerts (IAVA) tracking, reporting and implementation Must have a good working knowledge of security practices and procedures for various network devices and operating systems. Experience presenting technical information to customers, clients and/or other audiences The ability to work efficiently with frequent and direct customer interaction in a real-time operational environment Must have basic experience with network design; router configuration, and firewall configuration Desired Skills Include: CISSP or CCNP Security Certification Working knowledge of network protocols and common services Experience as an ISSO or ISSM.” I picked a company that I knew had a good cyber security staff and expected this level of knowledge and skills. 
This one expects some work experience in a cyber environment doing work related to security. This is not an entry level job.
So, take a little more time to write a job description that says what skills you really need to do the job and what experience qualifies a person for a step up. My friend should not have had to interview somebody with so little experience; she should have been filtered out by HR before she ever got to an interview.
Sunday, December 10, 2017
What is the FBI Doing in Ukraine?
I was surprised to see a story yesterday in the Wall Street Journal about an FBI investigation of corruption in Ukraine. I was thinking the FBI had enough work here in the United States without devoting resources to corruption in another country, especially if it does not involve any actions by a Ukrainian against officials or business interests of the USA. Bizarre.
The National Anti-Corruption Bureau of Ukraine (NABU) has signed a memorandum of understanding that says, according to their website,
“At the meeting with the FBI colleagues, the NABU Director pointed out that he sees three possible ways the FBI can support the Bureau, namely the possibility of receiving the operative information on USD flows distribution, experience sharing on the operative and technical work and the work of undercover specialists, possibility of providing the NABU divisions with material and technical support.”
This is the usual vagueness of international memos, which try hard to not be too specific to keep opposition parties from saying the agreement was being violated by doing thus and so.
I think Congress needs to ask the FBI whether Ukraine is incapable of doing its own internal investigations and why resources are being plowed into this internal political matter. This is not something we need to be involved in.
Friday, December 8, 2017
Can’t Take a Joke
The Chinese cannot take a joke, at least not one connected with a senior level bureaucrat and a famous female celebrity. In an article today, the Wall Street Journal describes what happened to a construction supervisor who was chatting with some of his friends on WeChat. He was arrested by the local police and held, without charge or trial, for 5 days.
The story is meant to show how censorship clouds even the most personal of conversations in China, but it shows much more too. If we just look at Twitter, there are about 500 million tweets every day. Just for fun, go to Internet Statistics and watch how fast that causes the number to climb as the day goes on. Now, imagine your boss says, “See if you can figure out a way to monitor and censor all the Tweets put out every day.” It takes some thought to do that.
It requires algorithms, connections to telecommunications platforms all over the country, and human beings who can look at some of the things collected by algorithms in order to find out which ones are worth pursuing. The algorithms look for key words in the content of the exchanges. The content also has to have associations, i.e. more than one keyword is needed or there would be millions of chats that would have to be looked at. We need both the bureaucrat’s name and his association with the celebrity. That would then be passed to an analyst who would check it to be sure it was the association, and the analyst would make an alert to the local police. The locals probably get hundreds of these a week, and have to prioritize them. They get to them when they can, and may leave the guy in jail while they look around for the extent of his transgressions and his friends. If this seems like a lot of trouble for a joke, it is.
Now, imagine what it is like to know those algorithms are running in the background of every Twitter, Facebook and YouTube equivalent in China: every note you send, every exchange with a coworker or Facebook friend, even with family members. Say the wrong thing, and you can be spending a few days in the local jail, maybe not knowing what you are there for. That is China. Whatever kind of label you put on it, this is stifling, oppressive, and offensive to the dignity of our fellow man.
Thursday, December 7, 2017
Apple Sees China as it is
Tim Cook, in today’s Wall Street Journal, is quoted as saying, “When you go into a country and participate in a market, you are subject to the laws and regulations of that country.” That seems like a reasonable explanation of why he tries so hard to do what the Chinese ask of him in controlling the use of the Internet. So, he has Apple pull apps from the App Store that China objects to. No big deal.
So, what if the laws of that country say that Apple products must be able to disclose information to the State when asked? Apple clearly does not agree that it has to help law enforcement in the U.S., but it does so in China because it is part of the laws and regulations of the country? The problems for Apple are murkier than just taking actions to make the internal systems of computers available to law enforcement. Apple, like all of its competitors, has to deal with a lot more countries, each with different laws about access. Some demand direct access to anything produced in their country; some want access on request, and some want a court to issue a warrant before any access is given.
China wants its citizens’ Internet access to be filtered and monitored. Apple has to help them do that. But China has also demanded changes to software to collect intelligence-related information on a global scale. You can see this in browsers and operating systems made for, and by companies in, China. Microsoft made a special version of its operating system just for the Chinese. Do we know that it is not being used on computers made in China and exported? If the Chinese monitored only their own people, we would not care very much. They don’t. They then build those kinds of controls into development kits sent to other developers the world over. The University of Toronto has some great reports on the activity.
So, it is easy to say that Apple must comply with the laws of the country it is in, but when those laws, directly or through enforcement, undermine the national security of your home country, does it really matter? I think it does, and I would imagine that Tim Cook does too. This is why Apple pays him so much money.
Wednesday, December 6, 2017
A Question of Fact
In law enforcement there are some things an investigator can determine, and there are some things they have to surmise. The latter is not guessing - it comes from collecting evidence, leading to a conclusion. It can be circumstantial, i.e. indirectly leading to a proof of guilt, or direct, where there is some physical evidence found at the scene.
I had reason to question how this kind of evidence is collected in the reporting by journalists, when twice this week, stories have come out that turned out to be questions of fact. Journalists are not usually investigators, per se, but they do have a professional responsibility to verify what they publish. They don’t have to verify that it is true, but they do have to verify that it was said by someone they can point to as a source. That means they cannot just make things up and publish those things as facts.
In one story, a journalist says that Michael Flynn, the former National Security Adviser to President Trump, was going to testify that the President told him to speak to the Russians. There were stories based on this “fact” that compared the conduct of the President to treason, a big stretch for anyone paying attention. Presidents do this every day in some area of national security, so there is almost no chance that this kind of conduct rises to that level, but it sells clicks on a website somewhere.
The second story is that Deutsche Bank got a subpoena for records on the Trump family accounts there. Yesterday, the White House in a press conference, and later the White House attorney engaged for the Russia investigation, denied this happened. Today’s front page of the Wall Street Journal says it did happen, quoting nobody in particular.
With questions of fact, they are either true or they are not. It doesn’t make sense that these kinds of stories can present themselves without some basis for them, and it appears that journalists are not doing a very good job of verifying their own facts before they publish. Somebody is feeding this kind of story to journalists who listen and publish without doing any kind of fact checking or due diligence. To ABC’s credit, they suspended Brian Ross and took him off cases involving the White House. He still has a job, but his case is a warning to other reporters that they have to be more careful with their sources. They should be looking for where he got that original piece of information and finding out how it came to Ross. The Russians are accused of doing a lot of things in the run-up to the U.S. national election, but as I have often said, they haven’t stopped just because the election is over. We need to trace some of these fabrications back to their source and name names. It might make a better story than the ones being made up.
Tuesday, December 5, 2017
News Outlets as Foreign Agents
Reuters has announced today that the Russians have indeed named Radio Free Europe and Voice of America as foreign agents who have to register as such in Russia. This is the retaliation for naming Sputnik and RT as representatives of foreign interests in the U.S. and making them register. On both sides, this is stupid. Neither country was in the dark about which news outlets are state supported and follow the party line. China has more than either one of them, probably more than both put together. Syria, Egypt, and many others do not have a free press. Look at the map that Freedom House publishes every year; more and more countries have fewer free press outlets.
Russia and the U.S. have played these games for years without regard to how it looks to the rest of the world. Childish is a word that comes to mind. If we really want to play this game, there are a whole host of state owned enterprises that need to register as agents. They represent their country, not their business interests. Why not just forget this and move along?
Sunday, December 3, 2017
Cyber Sovereignty for China
I read with some amusement the account today of Chairman Xi’s comments about cyber sovereignty. It seems rational to say that every country should have sovereign control over its own part of the Internet, but what was not said is that such control should extend only to the borders of that country. The Internet does not have borders.
The flaw in China’s direction is that it interferes with other domains of the Internet in order to control what comes into its own domain. The clear implication is that China has a right to protect and filter anything that comes into its domain. So, it attacks websites in other countries if they carry unsanctioned news about China. They prevent certain publications from being seen in China by attacking the distribution points. Those are in other countries and are available to Chinese-speaking people everywhere. The Chinese espouse sovereignty but do not honor it.
Friday, December 1, 2017
Russian Access to Half of People on Earth
Not too many people have heard of Karim Baratov, nor is he likely to become a household name anytime soon, but he has the distinction of being caught working with the Russian FSB to steal Yahoo’s webmail. His accomplices are all safe in Russia, and likely to remain there. You will remember the number of accounts compromised - 3 billion. Hard as I try, that is a big number to imagine.
I’m a little surprised that Yahoo had 3 billion accounts, since they are hardly the biggest provider of email services. Google’s Gmail and Microsoft’s Outlook are bigger. But 3 billion is half of all the people in the world (7.6 billion), a substantial portion of whom are children with no computers, plus a few illiterate adults. UNESCO says there are a billion illiterate adults, and another billion live in China where they can’t have Yahoo accounts. That would mean more than half of all the literate people in the world have Yahoo accounts for their email. Not likely.
Nonetheless, the Russians now have them all, doubtless sending out a good bit of news and lots of spam through this outlet. Baratov’s place in this is explained in the Justice Department press release:
“Baratov’s role in the charged conspiracy was to hack webmail accounts of individuals of interest to the FSB and send those accounts’ passwords to Dokuchaev in exchange for money. As alleged in the Indictment, Dokuchaev, Sushchin and Belan compromised Yahoo’s network and gained the ability to access Yahoo accounts. When they desired access to individual webmail accounts at a number of other internet service providers, such as Google and Yandex (based in Russia), Dokuchaev tasked Baratov to compromise those accounts. The Indictment is available here, and its allegations are summarized in greater detail in the press release that attended the unsealing of the Indictment on March 15.”
The Russians did not care about 3 billion accounts, so the fact that they had potential access to them is not of great concern to millions of normal people the FSB ignores. But, for the ones they asked for, what were they doing in the name of those accounts the FSB was using? They could publish almost anything they wanted, respond to email from journalists and government officials, and write to people the owner did not even know. It is the perfect way to phish.