China can’t quit. We have yet another theft of US technology by a Chinese company, and the length of the list of stolen products just continues to grow. I don’t pay as much attention to these cases anymore because there are so many of them and they are in different sectors. The theft is both broad and deep.
This one is summarized in a press release by the Justice Department and involves something called syntactic foam: “Syntactic foam is a class of material created using pre-formed hollow spheres (commonly made of glass, ceramic, polymer or even metal) bound together with a polymer. The ‘syntactic’ portion refers to the ordered structure provided by the hollow spheres. The ‘foam’ term relates to the cellular nature of the material. Thanks to its unique properties of high strength at low density, syntactic foam has become widely used in subsea buoyancy applications.” See “What is Syntactic Foam”.
The names and companies in these cases are blurred by the number and breadth of the thefts of technology. The Chinese have stated goals for certain areas of technology in the 2025 initiatives, but they are not limited to those areas, nor have they stopped stealing. About the only difference is the use of naturalized US citizens who have better access to a wider list of things that can be stolen.
Monday, April 30, 2018
China Squeezes Taiwan
The Wall Street Journal editorial board does not get into Chinese policy too often, but today they did. They summarized the four-fold increase of air patrols over Taiwan, and the running of live-fire exercises near it. Air patrols are annoying but don’t serve the same purpose as live fire exercises.
Live fire exercises are what I call “denial of area” events. There are international warnings that go out to shipping and air traffic warning of the potential for harm if people get too close. As they did several times around Hainan Island (at least once with joint Russian exercises), the Chinese work up to these exercises with announcements and fanfare that declare areas of territory off limits for several days. They shoot off lots of ammo and make splashes in the water, but not much else. They probably kill a good number of fish.
But, what they are really doing is declaring their control of these areas, and their domain over air and sea. Taiwan is not likely to last long in a real fight with China, so it walks a fine line in being independent. Xi wants Taiwan to go the way of Hong Kong, where live fire exercises could not be conducted. He thinks if enough pressure is applied, Taiwan will have no choice and there is nothing anybody in the world can do about it. It is all part of the South China Sea, which China still claims in spite of international condemnation of that claim. What is the rush?
China has always kept the claim to the South China Sea below the radar, similar to the way Russia dealt with Crimea. Now, other countries are getting involved and the US has threatened to get back into trade agreements with the countries of the region. Opening up more trade with Taiwan makes it harder for China to exercise its control. Opening up regional trade makes it harder still. They want to make their move before those agreements are set and the world decides China is interfering with trade when it stakes claims to little islands, then militarizes them to enforce those claims. Anyone who runs their ships or aircraft through that area is very familiar with the warning notices and implied threats.
President Trump is not like President Obama, and I doubt that China is fond of the differences. Trump has linked economic, military, and political interests together, just as the Chinese do.
Sunday, April 29, 2018
Mishaps in Cyberland
The rerouting of a bunch of Internet traffic to an ISP in Russia last December was ignored by most news agencies. Ars Technica, one of the few who ran substantive articles on it, called it a “Mishap”. That is an odd thing to call the routing of traffic for some well known companies like Facebook, Microsoft, Google and Apple to a Russian ISP. A similar thing happened several years ago when China rerouted US military traffic to Chinese ISPs, “accidentally” they said. I wrote about this 18-minute episode in my first book. I thought then that this was never an accident so much as practicing for the future of war. It wasn’t until Russia and China started sharing techniques that Russia started doing the same thing. To me, there are clear indicators that both of them share techniques and are up to no good. If either of them were to get deeper into war with the US, the other would certainly help out, never admitting anything, of course.
Friday, April 27, 2018
Why Comcast Slants The News
I have been looking for reasons that might explain the shift in news coverage from the Comcast news outlets which used to be neutral and have taken a sharp turn to the left. Some insight came from an unusual place, the Comcast annual report.
The report has a map of subscribers for Comcast, and as soon as I came to it, the radical turn seemed to make more sense. The bulk of Comcast subscribers are in Blue states, those that lean to the Democratic Party. Most of them are in New England, New York, and the Northwest above San Francisco. The map is on page 3 and is illuminating. These are the strongholds of the Left that characterizes itself as Progressive, which sounds better than the Left.
So, if you were Comcast and you wanted to boost subscribers in one of these areas, it makes sense to swing your coverage to the Left.
China’s Engineering by Theft
Foreign Policy had an article on the first Chinese aircraft carrier already being obsolete. With major weapon systems that is not unusual. The development time is so long that new technologies make the current systems obsolete by the time they get to the field. That part is not new, and the aircraft carrier was not a good example because the second and third aircraft carriers had catapults and better designs than the first one. They are moving pretty fast in this area, but they are so far behind it will take a while to show that much progress.
What makes this interesting to me is the problems that come from stealing technology, something I spent some time on in my 2nd Edition of the Chinese Information War. Most of the examples were already debated in the building of the Chinese aircraft industry, built on stolen technologies and “shared” joint ventures with other countries. These agreements were forced by Chinese laws and not the business interests of those companies. One company executive I quoted said his company would never give over this kind of technology even though they shared working space and built engines in China. He worked with PLA officers who were the designers so it kind of makes you wonder how dual use fits in to this kind of technology exchange.
In the aircraft industry, Chinese engineers soon became dependent on the technology they were stealing to make progress. They had no reason to innovate or improve the products because when they came to a roadblock, they stole or acquired the solution from somebody who had already done that. It doesn’t make good engineers, though the Chinese have many of those now. It reminded me of the Russians stealing designs for military aircraft in the ’80s and ’90s. Those aircraft looked good until you got close up or compared their performance against similar aircraft made somewhere else. It took two generations to start building something that was comparable, sometimes even better, than world producers. Eventually, both countries have to stop stealing and start innovating, and they are in that transition zone today. But it kind of makes you wonder why they still feel it necessary to steal technology rather than invent it. They file millions of patents every year, so they must not be stealing everything. Maybe they just don’t know how to quit.
Huawei’s Cancelled Bond Offering
The Wall Street Journal carried a story today on Huawei’s offering of bonds, which was suddenly withdrawn as it neared issue. The cause, as the article says, is a Justice Department criminal investigation over whether Huawei was involved in violating nuclear sanctions against Iran.
There has been speculation for several years about this since ZTE was the only named company in the original case of violations, but the existence of another company doing the same things was clear from the documents that were filed with the notice of accusations against ZTE. That occurred during the Obama Administration, which, less than three weeks after naming ZTE, seemed to back quickly away from any criminal charges, letting ZTE agree to discipline its own employees. The Obama White House allowed a consent decree in lieu of going any further, and the named person who enforced that agreement had little power to do much of anything. Now, we know ZTE took action against the three senior officials in the company but not any of the employees. The inaction was named in the reason for reviving actions against the company this month. Now, it looks like the other shoe will drop.
This goes back to sanctions which China voted for in the UN. It then turned to state-owned companies to violate them by selling computers and other electronics to Iran. Why vote for sanctions and then violate them within the year? ZTE even issued elaborate instructions on how to set up front companies to avoid export controls. And, by the way, they were trading with about all of the criminal countries in the world, not just Iran.
The fact that the Obama Administration was quick to squelch the cases in the Justice Department was not surprising. Now that the trade war is on, lots of things that were hidden will be dragged out and revived. This is just one of them.
Second Edition Published on 9 May
The Second Edition of The Chinese Information War is available for pre-order on Amazon. I did three new chapters, and extensively revised the rest, adding some material on Russia and China’s cooperation in Cyberwar.
Wednesday, April 25, 2018
Reuters Reports on Russians in Syria
One of the reasons Reuters manages to make news some others cannot is their ability to get to stories in places other reporters would not want to go. It landed two of its reporters in Myanmar in jail, and likely will do so in other cases as well. In the meantime, they have exclusive stories like the one they did today that contains video of Russians returning from Syria and being hauled off in buses to nearby Molkino, Russia, home to the 10th Special Forces Brigade. They even followed the buses from the airport to their destination, and the videos are great additions to the text.
The significance, of course, is that the Russians deny having these troops in Syria (though they don’t deny having uniformed troops in Syria). These are covert forces, the same ones that went into the Ukraine as “volunteers on vacation from the armed forces”, about as farcical as one gets in an explanation. Some of them got killed in various Syrian combat operations against forces supported by the US and others in the area where they served. [see my previous post]
This is the lot of covert forces, killed but never recognized as having been in combat. As I noted in The New Cyberwar, some of these forces die without their parents even knowing they are dead. The Russians never tell them. They just disappear, never being heard from again. This is kind of the ultimate in “We will disavow any knowledge of you or your team” that we saw in the Mission Impossible series, and pretty cruel if you ask me. Of course it does keep people from holding funerals for people killed in Syria. In the Ukraine, deaths of some Russians and their subsequent funerals made denial of their loss more difficult. They have solved that problem.
Tuesday, April 24, 2018
Medical Data Security
Brian Krebs had an interesting article yesterday about leaked medical records, where he quoted Verizon’s last report summary as saying medical material makes up 1/4 of the security breaches. Medical records are big business because this kind of data has value.
But it reminded me of a statement I hear from a lot of doctor’s offices. “Sign up for our portal and get those test results on line”. Then, they add, “It’s secure.” This is a dream, started and fed by two groups: healthcare providers and the Federal government. Medical records are not secure on the third-party medical records processors engaged in the business. Would you believe that your bank data was safe on a portal on the Internet that used only passwords for security? Look at all the security that banks have added to make on-line authentication possible. Medical records need the same level of protection, but they don’t get it. Anyone who knows a tiny bit about security knows what these providers are doing, and the Feds have yet to set standards for service providers. They have the same data on thefts of records that Verizon has, and more. Yet, they have done nothing to improve the protection this data gets. The Feds pushed medical data to be shared between physicians and their patients but never adequately addressed the protection of that data.
The banking community got together with regulators and developed security for their products. These service providers better do the same before the regulators decide to come to them.
Saturday, April 21, 2018
When Something is Classified on a Computer
What with all the discussion of the email of James Comey, former FBI Director, and of course the email of Hillary Clinton, former Presidential candidate, there is good reason to go into some of the aspects of computers and classification of their content. Comey and Clinton have said “nothing was marked as classified when I sent it”, which is not relevant to the rules for protecting classified information in computer systems. I taught this subject around the country for almost 10 years.
Much of the information in computer networks is not marked in the same way it would be if it were written on paper because it is created on a network with a classification of its own, like Top Secret/SCI or SECRET. The rule for the majority of networks is this: When the network is classified, all the information on it is classified until it is reviewed and properly marked. So, while it is on that network, it is treated as if it were Top Secret until someone reviews it and marks it with the proper classification. This includes such innocuous things as appointments, emails, etc.
Sometimes the review process is automated, but most of the time it is not. It could be done all the time, but the information technology folks rarely want that much security on their systems. It makes them slow. They have allowed some tools to be used to speed up the process of review, but the rules remain that a human being must look at it before public release.
Computers hold a great deal of information that belongs to several agencies. Each of those agencies gets to decide what is classified, and at what level and access authorization. Often, users make a classification decision based on their own knowledge and not the classification guidance of other agencies. Those decisions are often wrong, and are discovered after the fact. That is how a memo written by James Comey becomes classified after he released it to a person who has no security clearance, a compromise of that material.
As a practical matter, classifications are retained long after they are no longer valid because it is impossible, not difficult, impossible, to review large computer networks for the classification of individual pieces of data. That is a second reason for the required review. Most of the information from a Top Secret computer system is not classified at that level, but has to be treated as if it were until it is reviewed. Anyone who says they can do that accurately every time is crazy. It is almost easier not to use anything from the computer but to compose a new document, also done on the same computer. It is too easy to make mistakes, and everyone who uses those systems knows the danger. Some of them think they are smarter than the rest of us. Nobody will ever know anyway.
Friday, April 20, 2018
Judicial Watch on Track
Judicial Watch has asked for something interesting related to James Comey, the former FBI Director: the information surrounding the public release of his book. Books like his, and mine, are required to be reviewed by the government office that held his Secret Compartmented Information access, which would be the FBI. Since parts of the book were alleged to contain classified information, it might be interesting to see who let that go through. Even if those claims of it being classified are not true, somebody still had to approve it for publication. It did not matter that he no longer worked for the Bureau. The requirement does not end when you get out, or get fired.
How Stupid is That?
The minority party in the US is bringing a lawsuit lumping together Russia, the Trump campaign and Wikileaks, saying they conspired to disrupt the US Presidential election in 2016. I’m not sure if Russia can be a party to this kind of suit, but the ludicrously constructed suit makes no sense and is an obvious indication that the Mueller Special Prosecutor’s Office is not likely to charge anyone with much of anything. This is a part of a continuing abuse of the legal system to make it difficult for the other party to govern. Except for them being named in the suit, it is difficult for the Democrats to be distinguished from the Russians. They both want the US to be difficult to govern and have done what they can to support that end. So far, they have done what the Russians have tried to do elsewhere by joining forces with those who have these whacked ideas about how to help their country.
Thursday, April 19, 2018
ZTE and Android
Reuters is saying today that one matter under consideration in the export controls placed on ZTE is the license for Android. What a hit that would be. We forget sometimes that the US tech engine generates some pretty good operating systems that are used by companies all over the world. Think about the impact of not getting a new OS when the next version comes out, or of not getting updates for things that are already sold. No doubt the Chinese have already stolen it multiple times over. They can make that work for a while, but if these trade negotiations don’t start soon, the pain may be more than China might have guessed.
Microsoft was smart enough to avoid this kind of confusion by selling the Chinese their own version of Windows 10. By now that one is probably used to spy on everyone using it. That probably includes more than Chinese.
Wednesday, April 18, 2018
Chinese Military Aircraft at Mischief Reef
A Reuters story today says the Philippines is “looking into” two military aircraft on Mischief Reef. The Chinese move them in and out as they choose, and they don’t stay long. They had fighters there for a while too. Certainly more than just the Philippines knows about these aircraft. I’m not sure why the Philippines has to be so coy about this and pretend they are trying to verify that the aircraft were there. Satellites these days can show you serial numbers and lots more that will verify that it is a military plane and belongs to China. Why be cute about it?
A Little Chinese History
Today, John McKinnon at the Wall Street Journal describes a recent case of Chinese history in an article about the Federal Communications Commission’s attempt to block the sale of Chinese equipment used in rural areas of the US because that equipment poses a national security threat to the communications infrastructure in general. Better late than never, as the saying goes.
Included in that article was one about Huawei that was written in 2012. That was about the original Congressional investigation of Huawei and why the Congress felt that Huawei and ZTE were risks to the national security and their acquisitions in the US should be curtailed. That article is historical, but interesting from the standpoint of the stated reasons for the concerns. Both were considered to be capable of some damage to national security of the US.
You may remember that David Sanger at the New York Times said in 2014 that the National Security Agency went further than just guessing whether Huawei was actually doing this kind of thing. According to his account, NSA actually got into the computers at Huawei and was poking around. Nobody was surprised at the accusation, and little to nothing was said about it at the time because Edward Snowden was the source of some of the documents describing the NSA actions and there were plenty of things to talk about that overshadowed two Chinese companies.
Fast forward to trade disputes with China and you have the ingredients for a clampdown on Huawei and ZTE, the two named in the Congressional inquiries in 2012. Notice that China has not denied any of these claims, allowing the two companies to speak for themselves. The more publicity they give to the claims against the two of them, the worse it will be in international markets. In the meantime, the US wants to see where Huawei and ZTE have already made inroads. It will take years to make a dent in that. They are going to be looking at cloud security next. Perhaps the Chinese curse, “May you live in interesting times”, will apply equally to the Chinese.
Tuesday, April 17, 2018
Facebook the Facilitator
Facebook probably deserves what they get these days, but maybe not everything they get. Brian Krebs is saying today that Facebook closed 120 private groups, with over 300,000 members engaged in no good. These groups were forums for cybercrime. I’m not sure, except for the good works of Brian, that Facebook could ever find these kinds of groups on their own.
What Krebs pointed out, though, was that he could do it in two hours of keyword searches. Now take those keywords, translate them into 100 or so languages, and search social media of all kinds, not just Facebook, and you can find the visible part of an empire that uses encrypted sites and closed memberships. How many people are living off the crime of a public, unpoliced Internet? Only a fraction of the criminals. Remember, as Donn Parker told me, criminals spend as much time at their jobs as you do at yours. They are good at what they do.
Boys Will Be Boys
Krebs on Security has a great story about domain access that gives away the destination for boys (and a few girls, no doubt) who want porn and get it through a government computer. The article has specifics on a number of government agencies that do that on a regular basis.
This story shocked me, not because people were still accessing porn from government sites, but because the government offices had not caught them at it and corrected the behavior. It used to be a common discovery in our intrusion detection systems, at least once a week. We gave these to agency security officers who dealt with it. We did find out that a large part of our porn problem came from inside the network and shut that down through prosecution. After that, it dropped to every other month. People in our organizations knew they were being monitored and used their own systems after that. That tells me something about the new networks. Just from my own observations, I wonder what has happened to intrusion detection. Insider threat should be solved by now since it is a mandatory requirement. What gives here? The auditors, and the auditors of them, are not doing much of anything if simple things like porn site access cannot be stopped.
Cyberwar with Russia
The BBC asked the question today: Can the US and Russia be headed for a cyber war? I wonder where these people have been these last few years. Russia has meddled in Brexit, Germany, France and US politics, run criminal enterprises that steal money from everyone in the world, and is basically violating every international norm of behavior. The Russians called what they did in the US “Information War.” Some people call that cyberwar, and we have been engaged in it for years. Don’t forget about China in all this discussion of the Russians. Below the surface, both countries have done a lot more than that. See my book The New Cyberwar for more details on both of them.
My second edition of The Chinese Information War will have much more than that.
ZTE Slapped by US & UK
So, both the US and UK announced today that they are going to sanction product sales of ZTE. In the US, Reuters reports the main reason goes back to a consent agreement from 2016, based on a 2014 case involving sales to Iran that were set up to intentionally avoid sanctions against Iran’s nuclear program. At that time, the US published the internal playbook used by ZTE “and one other company” never named by the Obama Administration. The UK story is a little different, but not too much. The BBC says their cyber security people were concerned that ZTE equipment might pose a threat to UK networks. They don’t seem to mention why that would be.
While there is not much changed since this all started, it has to be taken in the spirit of the Chinese manipulation of networks to collect intelligence for the government. But, with trade tensions rising, this is one more thing that will not be ignored anymore. Much more to come.
In the second edition of The Chinese Information War, I added some new sections and detail on Huawei and ZTE which have been called the main characters in this intelligence drama. ZTE and Huawei have been on the front edge of US targeting of sanctions violations. China signs up for sanctions in the U.N. then violates them before the ink is dry on the agreements.
See also previous posts on monitoring the ZTE agreement and on the mystery of why ZTE and Huawei are targets.
Sunday, April 15, 2018
Pardoning the Guilty
There is an old tradition in US politics where the President gets to pardon or commute sentences of people to prevent political or “unjust” prosecutions (though it does seem that this is widely interpreted). President Trump, amid a huge uproar of the “loyal opposition” party, the Democrats, has pardoned a Watergate leftover “Scooter” Libby. The criticism is totally out of line with the pardon granted to General Cartwright who gave classified information to the Press, and the commutation of sentence for Chelsea Manning who gave mountains of classified information to everyone in the world. The only difference, of course, was that President Obama did those two actions. Hypocrisy abounds here.
Friday, April 13, 2018
Russian Story Number 25
Among the now 25 stories the Russians are telling about the poisoning of the Skripals is one that seems to have some traction. The Russians are saying the Skripals were detained, taken underground, and the whole story of poisoning concocted to cover the removal. They were, by this account, never poisoned.
In a BBC story yesterday, Yulia Skripal reminds everyone that she speaks for herself and the Russians do not, including at least one relative in Russia who seems to support the story the Russians are trying to spin. They have managed to take a phone call between Yulia and her relative as “proof” that she was never poisoned, when she more than likely wanted her relatives to know that she was not dead, or suffering too many ill effects from her experience. “The Russian embassy said the statement ‘only strengthens suspicions that we are dealing with a forcible isolation of the Russian citizen’ and called on UK authorities to ‘urgently provide tangible evidence’ that Ms Skripal was not deprived of her freedom.” If she is being protected, it is more likely that she wants to avoid giving them a second chance after they missed the first time.
You have to admire the imagination of the Russian intelligence services that create these fantasies, then publish stories about them in their own news outlets, and use their government channels to push the narratives. It is all part of their Information War, one that seems to go along quite well sometimes.
Bulgaria, Russia, China, Iran and Syria
The US Justice Department has arrested Zhelyaz Andreev, 29, a Bulgarian national, on charges related to conspiracy to defraud the U.S. Government and violations of the Syria Trade Embargo. He worked for the Bulgarian office of AW-Tronics, a Miami, Florida-based company. Their website says “permanently closed”, but the other AW-Tronics is in Hong Kong.
Andreev was charged with conspiracy to violate IEEPA and the OFAC regulations by exporting dual-use goods to Syrian Arab Airlines, the Syrian government’s airline, which is an entity designated and blocked by OFAC for transporting weapons and ammunition to Syria in conjunction with Hezbollah and the Iranian Revolutionary Guard Corps (IRGC). A local Florida paper says the three other principals at the company, and eight foreign nationals, were named in the indictment, but those names do not appear in the Wednesday release.
This is convoluted as can be, but we have dual-use aircraft parts going to Syria, arranged by a Bulgarian, to help out a Syrian transfer of US goods by an airline that transports weapons to terrorists and the IRGC. Believe me, there are Russian and Chinese connections in there somewhere, what with all the left-over Communists in Bulgaria and a NATO-member government in flux. The Russians have done everything they can to destabilize the political situation there. The Chinese have hundreds of these little companies doing the Intelligence Services’ bidding, and this one seems to fit that bill. Movies are made about this kind of thing.
All of this goes back to Syria, where the US has threatened to blast away at almost anyone who condones the use of chemical weapons. Those targets are complicated by having IRGC and Russians mixed in with Hezbollah, Syrian Army troops, and a bunch of terror groups on both sides of the action. For you Mission Impossible fans, the Director will disavow knowledge of anyone or anything that happens there.
Thursday, April 12, 2018
From Seed Corn to Rice
A Justice Department press release today tells us more than the Chinese ever want us to know about how they steal our technology: Weiqiang Zhang, 51, a Chinese national and U.S. legal permanent resident residing in Manhattan, Kansas, was sentenced by U.S. District Court Judge Carlos Murguia in the District of Kansas. Zhang was convicted on Feb. 15, 2017 of one count of conspiracy to steal trade secrets, one count of conspiracy to commit interstate transportation of stolen property and one count of interstate transportation of stolen property.
He was stealing engineered rice in Kansas. Justice has already prosecuted a Chinese national for stealing seed corn in Iowa. The new thieves are US nationals who were Chinese when they came here and never gave up their loyalty to that country.
Silicon Valley Communications
There is a good article today in the Wall Street Journal about a communications problem prevalent in technical issues on the Hill in Washington. The Silicon Valley crowd seems hard-pressed to understand how Congressmen could so misunderstand their apps and how they are used that legislation might be misdirected. That might actually happen, but it won’t be the fault of Congress if it does. Their real problem is that those techies in the Valley do not understand what legislators actually do, and they are about to find out.
My first published article was in Computerworld in 1980. It was about communications between security and operations of computer systems. I said then that communications between groups depend on several things, but the first is a common understanding of what they are talking about. Congress and the Valley are not even close on some of the issues.
It didn’t take the Facebook CEO to make Congress understand how apps are used. They are users, and all users make mistakes, just as all technical development people do. They have a user’s perceptions of what computers do and how they work. But don’t underestimate them because of a few who know next to nothing about technology. They know a lot about other things that the Valley seems not to understand. They didn’t get elected because they were as smart as Elon Musk, but there are a few of them who can come close on the issues, and the rest of them listen to those people. Congressmen are smart enough to know what they don’t know.
Let’s ask ourselves if we can say the same for Silicon Valley. They sell data about us, making decisions about what we have “consented to” as if that were a legal issue that could be settled with an EULA. Congress was surprised by how much data was being sold, and to whom. Congress was surprised that tech companies were tacitly allowing third parties to have that data. And, OMG, they allowed political parties and apparently some foreigners to buy data about US citizens. They were surprised that ads were run by foreign intelligence services. They were surprised that some companies had business models that didn’t allow for de facto privacy. Look at all the changes Facebook has made in the last few weeks leading up to Zuckerberg speaking on the Hill. Didn’t the Valley know that elected officials would be really perturbed if they found out all that the tech companies were doing? One big note for all of you: Congress Does Not Like Surprises.
Wait for it. Legislation is coming, and all the changes in apps and data handling will not change that. Congressmen know what their constituents actually care about, unlike those in the Valley who treat users all the same - like data. They are not customers; they are the product, and get treated accordingly. Ever get a human at Google, Facebook or Twitter to talk to you about a problem? Ever wonder why?
Monday, April 9, 2018
Cyber Careers Fail
I had a coincidental meeting with two government cyber professionals in the same weekend. Neither one knew me before Saturday, but as we talked I found that both of these women were getting out of the business entirely, one after 15 years. I thought this was odd until they talked to each other about what was driving them out of the career field.
Both said it was their IT people who would not accept security policies nor respect what they did as cybersecurity professionals. They were tired of beating their heads against the wall every day, even though the money was good. No respect was the bottom line.
I could relate to some of that, but when you work for the Intelligence side of security, it is a little different. Security was built into builds, operations and maintenance. We did have a CIO buy curtains and a new carpet with his security budget (they were so outrageously expensive he got caught and removed), but for the most part the IT people were accepting of what they knew had to be done to have systems in that environment.
But what these two were describing is something else again. One said that in her latest endeavor the CIO said the government employees could work at home, which included software development, testing, and almost any software acquisition. They had no idea where these geniuses were getting software, and most of it was public domain stuff. The security for that working at home was less than adequate (by my standards), though I won’t say what it was. It was cheap, easy to get to, and came with libraries of subroutines they could use. No wonder our government cannot keep its information safe.
The other said there was next to no understanding of what agile development was supposed to produce. They weren’t having sprints, they didn’t post the schedule for sprints, and they did everything ad hoc until a government rep checked up on them and they had a meeting. It was all for show. They had a lot of idle time and were bored stiff. She had to contact these people individually to stay abreast of what was being done. That was ad hoc too. “Didn’t they invite you to the development meetings?” “I went to them, but they didn’t invite me, and were not happy about having me there.”
I wish I could say this is nothing new, but it is new. IT is getting to the point where they pay no attention to security at all, if these accounts are true. I think they were doing the right thing by getting out of the field. As I used to tell my students, if they aren’t paying any attention to you, they don’t want somebody to help them with security - they want somebody to blame.
Hong Kong Independence
There is a funny story run today by All India. It is about Nirav Modi and his sanctuary in Hong Kong, which India does not find amusing. Several news outlets say China will not intervene if Hong Kong decides to take Modi into custody for a $2 Billion swindle of Punjab National Bank. There is a long story attached to that part.
What is odd about the way this is portrayed is that China is saying Hong Kong has a justice system of its own and that China itself is only involved in the defense and external affairs of Hong Kong. HK is free to make agreements with other countries on dealing with such matters. Does anyone remember the Hong Kong elections where some of the candidates were removed before the ballots were drawn up? Where dissidents were carted off to confinement until it was over? The Chinese have allowed Hong Kong to deal with this matter only because Modi had some very upscale jewelry stores in Hong Kong and Beijing. Not everyone in China can come close to getting past the front door, so you can bet these stores catered to some pretty influential people.
Jammers on Spratly Island Chain
There is some good reporting done on the military development of the Spratly Islands, but rarely by the Wall Street Journal. Today, it was. The Journal used Digital Globe to get imagery of some ground based jammers that can disrupt communications in the area. They took some good pictures.
As the article points out, the Chinese routinely use the islands as a means of communicating what could be, rather than what is. They flew military fighters into that area, then withdrew them. They flew military transports into the area, then flew them out again. They prepared long-range radar, launcher areas suitable for anti-ship and anti-air missiles, and stationed military troops there for brief periods, though the Chinese deny almost all of these things. They are just trying to find out what we do to counter these kinds of weapons, so they watch closely when a US ship gets in the area. If we complain, they take what they have in the way of intelligence, then move the stuff. They are building a capability to put fighters, jammers, radars and missiles right in the heart of an area they claim, but which the U.N. Permanent Court of Arbitration says they do not own.
A Multitude of Lies and One Truth
The advantage to lies told in abundance is that you don’t have to remember the ones you told. You can challenge each one as someone brings up an alternative truth, pointing out how preposterous each one is. Somewhere in there is a truth worth having.
ABC has a story saying there are 24 versions of the Russian fairy tales on how the Skripals were poisoned with a nerve agent in England. I read about one of them the other day and laughed out loud. They are just shooting them out, doing what we used to call “sheep dipping,” hoping one would catch on and become a good alternative to the fact that Russians did it with nerve gas made by them. They were even brazen enough to demand they be allowed to participate in the investigation (they would provide an antidote to the poison), but that was voted down by other UN members.
Over the weekend I read a story implying that both of the Skripals were OK, and had always been OK. They were hidden and made to look like they were poisoned. I liked that one, but it doesn’t align very well with the facts. That is the point, of course. When the number and type of lies don’t matter, imagination is the most important ingredient. Aliens will be next.
What is DeNuclearization?
The North Koreans, and just as often the Chinese, are very good with words that have two meanings. If we remember the use of the term “One China” we see how that works. They simply define the term the way they want it to be, and allow others to define it their own way. They beat their own definition into every stone they see, and allow the other definitions to fade away. Taiwan is still Chinese territory by their own claim, and an independent country to most of the rest of the world - for all good that will do.
So, what is denuclearization? China and the North will try to define the term as what they want it to be - limit the discussion to nuclear weapons, declaring they will have no nuclear weapons and nobody else should be allowed to have nuclear weapons in South Korea. But that isn’t enough for the rest of the world.
Denuclearization has to include the design and development of nuclear weapons, the development of weapons-grade nuclear material, the prohibition of deploying “nuclear capable” weapons systems, the use of nuclear power generation, and inspection programs that can determine whether there are existing weapons in the North.
After the photo op with the two leaders getting together there will be no agreements of any kind reached that will address all of these issues. The Chinese will use their press outlets and information control systems to praise the agreement on “denuclearization” using their own definition of the term. Then, they will go on supporting North Korea the same as they have always done. They need nuclear weapons threats from North Korea to keep the US from expanding its own military into the Pacific. If the North retains the delivery systems and the command and control needed to launch missiles, they don’t have to have weapons. Keeping strictly to the terms, they could use chem/bio weapons. They can get nukes pretty fast from more than one source, including those Chinese companies that helped them develop the delivery systems. Nothing changes except a few definitions.
Friday, April 6, 2018
Good Video
Vox made an educational video worth watching on YouTube. It is about China’s Belt and Road initiative. There is some value in seeing the places that are talked about, and they do that with video and graphics.
Liability for Software Flaws
One of the biggest and most frustrating events is when Delta, Equifax or anybody else in the business world gets hacked. I used to look at this and say, “Idiots, you did not protect my data” and be mad at them for weeks. In the cases of the Office of Personnel Management, where security clearance data was stolen, and Equifax, where financial data was taken, I was angry for a lot longer than that.
Yes, these technical geniuses were not very careful with my data, and in the case of OPM deserve to be fired all the way up to the top, but they have a problem that is not easy to correct: the software they have in their organizations is full of holes that either have not been patched (their fault) or where flaws have not been identified (the vendor’s fault). I have a whole stream of stories I have told in the past to demonstrate that vendors with known problems wait until they can work those into a development cycle that goes on for years before they get corrected. In the meantime, our data is at risk.
The vendors know it is at risk, and hide those flaws from anybody who looks into them. The reason they can do that is our laws do not require a software vendor to be responsible for errors they make in the production of that software and its use on the Internet where they should reasonably expect any flaws to be exploited by hackers. Years ago, I wrote several policy papers that outlined the problem. The vendors responded with justifications for maintaining a policy that protected software from this kind of liability. I know them all, by now, and some of them I would even agree with.
* Many times it is the integration of software from many vendors that produces errors that were not present in any single software product deployed.
* Patches are issued for known exploits and new ones are found every day. Millions of changes are made every month, and released even though some IT people never implement them.
* IT departments keep old software around to avoid license fees for newer software with fewer flaws.
Yes, it is complicated. However, software vendors have released versions (sometimes whole products) that were never security tested before being released. In one case, an on-line data storage company had not tested its entire system until a venture capital investor decided it might be a good idea. We have to have some laws in this area or the software vulnerability lists are just going to get longer and longer, and they are already too long. IT shops can’t keep up.
Vendors need some incentive to do more security testing prior to releasing a new product or updating an old one. They need time limits on fixing known vulnerabilities. Buried in those software libraries they use for development are many of those vulnerabilities, and some of them are intentionally introduced. They need some liability for the products they produce, and maybe that would give them some incentive to try to clean up their act.
Thursday, April 5, 2018
Federal Cyber is Awful
There have been several IG reports in the last few months that show the state of defensive cyber security. Some of these reports, even after redactions, are showing how bad cyber security has become. It is depressing to see.
The most glaring aspect is the inability of some agencies to correct deficiencies that were identified. My own experience was that there are some government agencies that consistently do not correct problems in spite of changes in management or in the politics of the leadership in charge. We used to be able to predict where cyber would fail, long before it did. For the most part, these organizations have entrenched IT management that ignores not only the IG reports, but the management of the agencies too. We have lived with things like Clinger-Cohen that perpetuate the separation of agencies and allow each one to have its own IT Department. Those Departments hire their own contractors who rely on their business to survive. That cycle cannot be broken with cyber security policy.
The failures continue unabated because IT is not an agency function. The current Administration has the right idea but needs to move faster on removing organizational IT departments and making them conform to Federal direction.
Businesses that Cooperate with China
Many of you don’t know about airplane making in China. The US-China Economic and Security Review Committee of Congress published a long and detailed analysis of how China used teaming arrangements and joint ventures to learn to make their own airplanes. They stole whole areas of technology while doing it, but they were given just as much as they stole. In my next book, my argument will be that the Chinese have not done as well as they thought they would because they can’t steal the ability to invent new ideas or expand ones they have stolen. They have a quicker path to production, but you can’t steal your way to success in a product as complicated as an airframe. GM still taught the Chinese to make cars, but it is a market they still do not dominate. Maybe they can get better success with the goals of China 2025, but stealing technology is not going to get them there.
This trade war will end quickly, and the Chinese will be back to doing what they always do. They made laws that require the sharing of technology, and that allows businesses to give it over with a clear conscience. They steal our technology in new ways that avoid getting caught in a corn field in Iowa, or a chemical manufacturing plant in Virginia. No wonder so many businesses are upset with tariffs. That business as usual they are so warm to embrace is exactly what the Chinese want.
We have too many businesses that sacrifice their intellectual property future for access to markets that want to compete with them in the future. They ease their Board’s anxiety by saying “it’s the law” but knowing that law is corrupt. This semi-trade war is an acknowledgment that the US government does not recognize this arrangement as legitimate. This isn’t about tariffs at all. It is about basing a whole country’s economy on taking someone else’s property as if you deserve it.
A Trade War is not War
If I say to you “Within 24 hours of the U.S. publishing its list, China drew its sword, and with the same strength and to the same scale, counterattacked quickly, fiercely and with determination,” you have an image in your head of a real battle, not harsh words over a negotiating table. Reuters has a story on that today, but it is really about how the Chinese press is used to stoke up a domestic population and get them prepared for some pain in the process. After all, it is war. In war we have to make sacrifices for the state.
China says it has never backed down from a trade war in the past, and will not back down from this one either. In fact, the terms are very precise here. They won’t back down, but they will back off. The last time we accused them of stealing intellectual property from the US, they did actually cut down on the amount of that theft. They didn’t cut it out, just backed off. They have made trade concessions before, especially when the US brought actions against them in the WTO. But like the promises they make to the UN every time they vote for a sanction against Iran, it will not take them long to forget that promise and go back to what they are doing. They try to find out how we know what they are doing, then change their rules to fit the new situation. The Chinese have seen this coming for years.
Wednesday, April 4, 2018
Facebook and the IRA
The Internet Research Agency (IRA) in Russia is the current target of a delayed response by Facebook. Facebook is making a public display of deleting 138 accounts “controlled by the IRA” [TechCrunch says 70], regardless of content. This is just before announcing that the CEO will testify before Congress on the 11th of April, one week from now. You can bet somebody at Facebook finally figured out that they were going to be asked a lot of questions about the accounts and why they were still operating as current accounts after all that has been done.
Can you say, “Better late than never”? Facebook has known for months that it was facing criticism for not removing accounts that were traceable to the IRA. The ads that were paid for have already been published by other committees of Congress. I’m really shocked that Facebook did nothing until now to get rid of any leftover accounts that were traceable to Russian trolls, whether they worked for the IRA or not. Maybe the Iranian trolls or Chinese trolls would be a good idea too. Maybe any trolls from anywhere, even companies that sponsor and fund them would be a good idea.
They might have looked at this the way a number of others have done. Gosh, we can’t possibly know who all of our users are because we have no way of knowing who our users are. I know that part is true because I am reminded that my aunt’s birthday is in February and she has been dead for three years. When you are selling to advertisers, numbers count. The advertisers don’t know she is dead and Facebook doesn’t want to know who owns all those accounts used by foreign intelligence services. Their focus has always been on the numbers of users, because that is where the revenue comes from. In fairness, though I really don’t want to be fair to Facebook, they really have no way to find out how many of these accounts are paid trolls. In this case, Congress told them, and likely had intelligence sources that gave them the information. Did they clear out those accounts when they found out? No, not until the CEO had to testify and that seat was getting awfully warm.
Better Police Work
We can hardly deny the police, who are trying to protect us, the benefits of artificial intelligence to screen people at football games or look for fugitives from justice who might be trying to shoot a police officer, or terrorists who want to blow us up, but we need to think a little bit about how this technology is being used and where the data is stored. We have already had cases where the location information on a cell phone is requested in bulk so it can be sorted through to determine if someone was at the location of more than one crime committed in an area. It actually seems like a good thing - we look for people who were at the scene of a crime in Manhattan, and at the scene of a crime in Brooklyn, when those were committed. It gives police a list of people who might be suspects. I wonder why people who commit crimes carry cell phones. Perhaps only the ones who get caught carry cell phones.
There was a story today in the Wall Street Journal that says this technology is coming to a neighborhood near you. Police will start wearing body cams that allow them to “see” when a lost child crosses into their field of vision (only the vendor of this technology would use such an example), or a fugitive. The article notes that it has not yet been sold to any department, but technology companies don’t do development for things that are not marketable, so that is not a good marker.
I don’t want my local Sheriff storing that kind of data where I live. I like him, and all that, but I don’t trust his administrative staff to keep that kind of record on file in case I commit a crime, or think about committing one. It might be useful if somebody steals my iPhone, but I can already do that without the police having that information stored somewhere. They have license plate readers on all the major roads, so they have a subset of data already. Now they are talking about using my face, which is public, to scan for possible crimes. There is a lot to like here, but a lot not to like too. This cries out for a standard for storage of data, processing of data, cross-jurisdictional exchanges of data, and things we might not have thought of just yet. Just look at what China has done with this same technology and it will cause you to think harder on the subject. China uses the data to limit travel of dissidents, limit their ability to buy almost anything, to establish profiles for people based on their political or social statements, and - yes - catch criminals. I don’t like that, and would want to avoid having that kind of thing here. For every kind of new technology there is always someone who will abuse it. I like and want to support our police, but I wonder if they are ready for this kind of thing.
Trying to be Good
I saw a segment yesterday on Fox News on the EB-5 visa that made it sound like this was a great program, doing exactly what it was supposed to do. The reporter was out in the fields of Illinois watching a building being built, with the mayor of the town close in tow, extolling the virtues of the EB-5. He used the exact words described by Homeland Security as the reasons for the program - it benefits low economic areas by employing local people.
The story mentions the Chinese who get green cards out of this for contributing as little as $500,000. The mayor says: “The Chinese really want to employ these people and deserve the benefits.” He was very sincere, but I couldn’t help laughing.
He fails to mention that the EB-5 visa allows those same Chinese to donate to his electoral campaign the next time he is up for office. They can donate the same as a US citizen, because having a green card has benefits that very few even know about. Being able to donate to elections is one of them. This is as crooked as can be, and the main beneficiaries of this nonsense are politicians who take money for these so-called employment programs. I added a section to the second edition of my first book to show the truth of some of that. These are not rural or disadvantaged areas that are benefiting from this program. Only political parties and politicians benefit, and a few fat cat builders who make money off the sale of the properties. Look at Texas, California and New York as the biggest beneficiaries. The building programs are in anything but disadvantaged areas. Atlantic Monthly had a good article on the whole scheme that pegs the Chinese as 90% of the beneficiaries of this program. That number is down now, though one has to wonder why that is. It seems like too good of a deal to pass up. Check the classified ads for some of these programs - yes, they are advertised as investment opportunities.
Monday, April 2, 2018
A Forgotten Hacking Story
Some of my readers can remember 2012, but if you read a lot, it becomes hard to remember that story from so long ago. I had to sit down and find some older articles because the new ones didn’t quite tell the story the way I remembered it. It is about the hacking by Yevgeniy Nikulin, who is now in a U.S. court for crimes he was said to commit many years ago, the hacking of LinkedIn, Dropbox, Formspring, Inc. and Google. The indictment is at https://www.justice.gov/opa/press-release/file/904516/download
He had been sitting in detention in Prague since 2016, and was finally extradited to the U.S. last week. I did remember that the Russians tried a good trick to get him back. They tried to say he committed crimes in Russia and should be extradited to Russia instead. They put pressure on to get him back, but that was harder to do than it would have been a few years ago. That is pretty clever if you think about it. He could then be tried, acquitted, and back on the street in a couple of days. You have to admire the Russians’ thinking on that, but it didn’t work. Fox Business says “But the Czech Republic's pro-Russia president, Milos Zeman, repeatedly asked [Czech Justice Minister Robert] Pelikan to allow Nikulin's extradition to Russia, the minister said. Zeman has no official say in cases like this one.”
He is charged with a number of counts that will keep him in jail for a long time, absent a deal. He was charged with stealing the user database of Formspring, then using G-mail to tell others that the database was for sale. They must have a pretty good case on that one, but there is probably a lot more the Justice Department is not talking about. It would make a good movie.
Russian Poison
A reminder of the past came out today in the BBC, which has taken an interest in reporting on poisonings by the Russians. Viktor Yushchenko still speaks to the effects on any person poisoned by some of the nastiest kinds of things on earth - dioxins. I was sorry to have forgotten about him and his political race in the Ukraine, at a time when Russia wanted to maintain control of that country and have someone sympathetic to them in power. Yushchenko wasn’t that person. He won the election, but did so at a tremendous cost. The BBC has the pictures of his face in this article. The Russians should be given a special place in hell for what they did to him.
China Froze Exports to NKPR
An article over the weekend (China froze exports to North Korea in run-up to Kim’s meeting with Xi, Financial Times Weekend, 31 March) and a similar on-line story lead with “China virtually halted exports of petroleum products, coal, and other key materials” just prior to last week’s meeting between the best-friends leaders. That kind of makes us believe that the meeting was not just an off-hand get together to discuss strategy before Kim meets with the US representatives. This was something else. In some US circles, this would be called a “come to Jesus” meeting, very fitting at Easter.
The meaning of this Christian-based saying is much like the old Mafia rule: Make them an offer they can’t refuse. The hoopla surrounding the get together of Xi and Kim Jong Un was reported mostly by China and world press outlets as a love fest - best of friends getting together to cement their own successes. FT notes a few skeptics who say the Chinese, famous for manipulating their statistics for their own political purposes, might have some difficulty making these trade numbers what they want them to be rather than what they really were. I prefer to believe them this time, because they are dealing with their own child, spoiled by the parents for far too long. He needed a slap on the backside to get his attention, and the Chinese will find it less difficult in the future to have the North follow their direction. Parents know that is not going to happen quickly, nor without further discipline once it has been neglected for so long. It will take a few months to find out if the Chinese are really serious about getting the North under control, or if they just want a change of behavior for the North’s meeting with the U.S. They have proved their point, that they will dictate any final outcome of talks with the North. Now, we just have to wait and see if that will be enough. Somehow, I doubt it.
Sunday, April 1, 2018
Microsoft Case Ending
You will remember that the US Justice Department sought to get Microsoft to turn over email held on servers Microsoft said were in Ireland. That was always a little suspect to me because it would be difficult to know, with the precision Microsoft was claiming, that it was there and only there. European privacy rules were partly at issue, but the case was mostly about whether domestic warrants were valid for cloud-stored data.
All is good, says Justice, after the President signed an Executive Order that allows judges to ask for such data, but allows them to claim conflict with another country’s rules. This might make everyone happy, with Microsoft thinking it won, but I don’t think they should be happy, and no legislation came out of this. The issue will revive with the first President who wants to cancel the Order. This is a short-term solution because nobody wants to handle the real problem: where are the clouds actually storing data?
I live in a neighborhood of data centers - there are hundreds and more on the way. So, is data really stored in the data centers? Yes, of course it is, but a data center may not hold all the data and the vendors know it. We looked into this several years ago when we wanted US government data to be stored in the US. Everybody else demands it, so why shouldn’t we? Except we found it difficult to find a vendor who could support that requirement. One was storing cloud data in “other countries”, one of which was China. We thought that was a bad idea. Most were not willing to say if they were storing data in any other country.
I still think Microsoft has no idea where that mail was, even though they say it was stored in Ireland.
It must not have been sent outside Ireland. That is possible, but unlikely. It is just as complicated on the Justice side. If China says Microsoft can’t have any data produced in China, even if stored somewhere else, does Microsoft comply? Actually, China says all data produced in China has to be stored in China. Microsoft is willing to do that, but does not do it for the US. This cries out for legislation, but like most really complicated issues it is very hard to create policy with hundreds of lobbyists looking over their shoulders.