Things related to computer security in some way or another.
I’ve made the statement before that the US government is not merely a victim of cyber attacks but a perpetrator (to be fair, it isn’t just the US but this is about the US). I went further to point out that they provoke other nations. I seem to think I at one point wrote about how they participate in a black market, and how that would not at all help the situation. Even if I haven’t discussed the latter, I have the others. So it is most unfortunate that there is solid evidence (I know I’ve seen other evidence, though) of them wanting to buy 0-days. It isn’t even hearsay. No, not at all; it is a statement directly from the United States Navy.
The Electronic Frontier Foundation has a mirror of the document that was taken from Google cache. This, I might add, is another thing I believe I’ve written about and if I haven’t I know I meant to at one point. I’ll just give a quick summary here: you don’t simply erase something from the Internet. The people that believe Snapchat is a brilliant way to keep things safe are very ignorant, very ignorant indeed. It isn’t brilliant at all (in any way), and there has been more than one incident where many of these supposedly very temporary photos were archived elsewhere (that is not a link but FOUR unique links, two of which include a list of different exploits and results.. and there certainly are others out there). Then there is the Internet which is even more extreme here. That is another topic entirely, however, so I will refrain from going there. I’ll return to the issue of persistence again but for the moment all you need to know is the Navy has since removed their copy of the document. But it isn’t gone.
I’m going to highlight some points from the document, comment on them and bring them all together.
This is a requirement to have access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied on commercial software.
From the very mouth of the US Navy; they require binaries to exploit widely used and relied on commercial software. Software they almost assuredly will use themselves. It gets better though; I’ll return to the issue of who uses what in a bit.
– These include but are not limited to Microsoft, Adobe, JAVA, EMC, Novell, IBM, Android, Apple, CISCO IOS, Linksys WRT, and Linux, and all others. [sic]
While there are other things I could label with [sic] I won’t because I’m not trying to be critical here (I won’t at all suggest I don’t make mistakes in writing… I do. Often). However, I do want to point out that Linux isn’t commercial software. In addition, they want the exploits to exploit including but not limited to these products, and all others (is there a reason to list any at all, then? If there is, why ‘and Linux, and all others’?). But the important point here is that they don’t actually care what it is; if it is used they want exploits for it. Not just any exploits though, they want 0-days and also technical support, instructions and everything you would expect a legitimate vendor to provide. I’ll return to this again, too.
– The vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). This list should be updated quarterly and include intelligence and exploits affecting widely used software. The government will select from the supplied list and direct development of exploit binaries.
Interesting bit here: they will select from the list and direct development of the exploit binaries. Why then, pray tell, don’t you just go to a CVE website where they can find it all for free? You know, they exist for a reason, a good reason. But here they’re being used for anything but good. It isn’t bad enough that many home users have unpatched (or otherwise insecure) systems (often unknowingly) that are already infected by more viruses and worms (etc.) than a human body would likely experience in a life time (certainly in the amount of years computers are ‘alive’). No, of course not; but governments to the rescue! Yes, it will affect others: even systems that aren’t vulnerable can be affected indirectly. People are also affected. Including our saviours in the Navy. That’s the best part. This also goes for governments wanting to get rid of encryption; it’ll affect them, their family, their friends, the nation they state they say they are protecting (that’s why they need to get rid of encryption, see? It is a lie, however, that smells near as bad as septic tank.. which is to say can easily be sniffed out even for those without a strong sense of smell). It also is a risk to themselves. It has the potential to affect every device. And the more exposure a device has, the more risks can affect it. This is sort of like the immune system: the common cold is nothing for those with a healthy immune system but to those with a poor immune system, it can be very serious.
– Completed products will be delivered to the government via secured electronic means. Over a one year period, a minimum of 10 unique reports with corresponding exploit binaries will be provided periodically (no less than 2 per quarter) and designed to be operationally deployable upon delivery.
It is rather amusing, isn’t it, that they want it delivered in a secured manner. I suppose they hope no one else will have access to these exploits (which I have alluded to already and will get to further) and somehow it will be safer for everyone. Safer for themselves, actually, and that is incredibly naive: if the US government accidentally ships live anthrax to laboratories across the US and even in other countries (all of which has been reported recently.. and other similar incidents have happened), who is to think they could keep computer exploits under their control? Reality: malware tends to spread; there is a reason the words ‘virus’, ‘worm’, ‘trojan horse’ are used for naming said types of malware. Even if it isn’t malware itself it is incredibly stupid to believe it can’t directly affect the buyer (themselves). You don’t control exploits in the wild like that – you don’t nicely tell it that you are its master and it’ll suddenly obey your every command. Even then you have the reality of bugs in software: humans aren’t perfect (irony: because I thought I saw it earlier, and because I should rest my eyes soon, I checked spelling and what did I do but spell perfect as ‘prefect’ … a great example and I wouldn’t be surprised if more exist in this write-up), programmers are human, therefore programmers aren’t perfect: this leads to errors in software (commonly called ‘bugs’). I won’t even get in to simulators.
– Based on Government’s direction, the vendor will develop exploits for future released Common Vulnerabilities and Exposures (CVE’s).
This extreme naivety that comes close to delusion (and using that word is painful… I readily admit have been delusional in the past and much of their problem is extreme foolishness) they have, that they are in control, is rather scary. Unsurprising. But scary nonetheless.
– Once a product is transferred from the vendor to the government, the government maintains a perpetual license to use, modify or share at the buyer’s discretion.
Obviously. After all, Microsoft and all these other vendors you suggest (with the exception of open source software which you don’t mention many) sell their software and openly allow it to be modified and shared with others. The license also works for infinite devices. So of course you would have this right! Too bad you’re dealing with a black market, isn’t it? Governments create black markets. Stupidly, I might add. Yet in this case there is nothing else: this is to break the security of others, something the governments outlawed years ago. Creating black markets is also another example of not learning a bloody thing from history. Yet in this case it isn’t the same thing, is it? Not exactly. If a company hires (or better yet has on staff all the time) others to audit their security (maintain it), that’s fine. But if a company were to pay another company (or other third party) to break the security of another corporation – or states! – they would be in a lot of legal trouble. This is a triple standard: whine about being victims; pay others to help you do to others what you would whine about if others did it to you; and if anyone else were to do it to others, whine also. Global police.
– The vendor shall accept vulnerability data to include patch code, proof of concept code, or analytical white papers from the government to assist with product development. Products developed under these conditions will not be available to any other customer and will remain exclusively licensed to the government.
Gullibility to the extreme! To think that anyone would believe that an entity selling exploit code (especially since in the past, and likely still, much exploit code is still released for free.. but it doesn’t take much thought to figure out that some would have no problem to profit over it; can you blame them? Do corporations sell to only one customer?) is going to not profit from others that would be willing to also pay, is amusing, very amusing indeed. I’ll also point out there is a hypocrisy here: you have the right to do whatever the hell you want with the software, something that corporate vendors wouldn’t allow (and some free software doesn’t allow it!) with their software. At the same time, though, you have the boldness to state that you maintain the license here and not only do you state the licensing terms, you also state that the vendor can’t do what they wish with their own work! Licenses are only acceptable if you’re the one stating the terms, yes?
– All delivered products will be accompanied by documentation to include exploit description, concept of operation and operator instructions.
Pathetic. That’s being incredibly nice. That is the brutally honest truth. You really need documentation of how it works as well as how to use it? Weren’t you also the one wanting to direct the development? Usually the developers write the documentation (at least when they do document it which isn’t always)! Script kiddies demanding documentation. Highly impressive. I know, I know… you bought it all on your terms and since you state the terms, you can also demand the documentation. No dignity, no pride, no honour whatsoever.
– Technical support shall be provided by the vendor to the government for purposes of integrating, troubleshooting, bug fixes, feature enhancements, and OS and third party software compatibility testing. These services must be available Monday through Friday during normal working hours (0730 EST through 1630 EST).
You demand technical support.. on your own hours?! The amount of arrogance there is unfathomable.
Indeed, no pride, no honour, no respect for others (including themselves actually), no dignity. None at all. I’ve made clear that governments participating in cyber attacks are not just victims but perpetrators (and consequently provokers). Well here is solid proof that they really are doing exactly that. With no shame on their behalf (meanwhile everyone else will see their actions as only shameful). I’d like to lastly say this: they deleted it from their website for a reason. They finally realised the implications. If they didn’t mean harm they wouldn’t have removed it. But they did. There is only one reason for it. The tragedy here is they could do things to make things better. But instead they make things worse, worse for everyone. It is a cyclical process too. Indeed, just like mirroring, this will continue more and more.
Prepend ‘Rant:’ to the title. I’m on the fence of whether it would be better as ‘Viewpoint:’ or ‘Rant:’ but for now I’m erring on rant because there is aggression and rant is therefore more likely what people would think of (even though there certainly are personal viewpoints here). Yes, the point is valid – cyberwar is a dangerous game indeed, and a game that is unlikely to stop (this is not War Games, after all – at least not as the movie portrays). But sarcasm is in my blood, it really is (and it has always been this way, even as a toddler), and if I were a god I would likely be the god of sarcasm with a quick and nasty temper. I won’t deny it; the way I express myself is probably not the best, certainly it is not the way most people express themselves. I do try to be reasonable – and fair – and this is one of the reasons I try to always have a point but the fact remains that it is often in a vague and cryptic manner with a tendency to go too far.
I want to take some time to clarify some things that I wrote yesterday, that being 2015/01/20. The intent that this is less aggressive. With that in mind, here goes:
Perhaps it is true that I should not have tackled what I did yesterday. Based on how I’ve felt for quite some time, it wouldn’t surprise me one way or another. But even though I might have gone too far in some ways (or in some parts), there is the fact that the point remains the same: attacking someone (or some entity) as well as provoking them, followed by whining (and that is EXACTLY what it is) when the same happens in return, is stupid and hypocritical. Would you really lunge at someone and then complain about how much harm they caused you in return? That is what it is – you reap what you sow.
The fact remains that participating in cyber war, in general, is a dangerous game (and directly attacking other nations computers is NOT defence – it is the cyber equivalent of declaring war on and invading the country). In other words, yes, the suggestion that if all the activity being done was in the real world, it would be a nuclear holocaust, isn’t so far off the radar (if you will excuse the pun).
Lastly, the very idea that nations need laws to somehow share more information with corporations, it is an absurd and dangerous lie. That they also claim it is for the citizens’ own safety and good, is actually scary. Shockingly scary. Yesterday I didn’t want to elaborate on why I chose Nazi Germany to compare. I’ll get to the point momentarily, but to anyone who might want to know (not that I believe I have many readers): there’s many reasons, one of which is I’m a WW2 buff. I studied Nazi Germany extensively. While there is much I don’t remember (compared to before), I still remember a lot. So here it is: the Schutzstaffel, otherwise known as the SS, and the secret police the Gestapo? They made these same claims too: that they were doing it for everyone’s good. The world still hasn’t learned from the war and they didn’t learn much about tolerance, either, did they? Not even close. Tolerance for group one and not group two is not any more tolerant than being tolerant for group two and not group one. But that is exactly what happens to this day and it is a double standard (at best). I’ll not get in to the history aside from this final point, a point that should not be dismissed (I know it is and will continue to be, though): the problem isn’t how far someone travels (i.e. the severity of each act); the problem is how willing they are to create the path that allows the travelling (i.e. what laws come into existence to remove the blockades). In other words, the very idea that they’re needing more and more control (notice how this doesn’t stop after they get the next amount? And then the next? And next? And start all over ad infinitum? Ask yourself how new you really believe that is) for the same purpose – for the safety and the good of the population is scarily similar to what should never be ignored. But it is ignored. Ironically – as I already suggested – the rationale of ‘why they need this’ remains the same. The part that does change is they continue to need more and more (of what they already supposedly have!) to fulfil the same(!) task. The more they need, the more they abuse (it) and the more they abuse the more power they crave. Truly feel safer? What makes you feel that way? What actually changed? Sadly some (many, obviously) will fall for this claim – repeatedly. It is ironically just like history.
This will be a piece that is mixed with ridicule as well as a warning. I fully acknowledge that the warning will be largely dismissed, at least dismissed by those who actually should not ignore it. But then you can’t really reason with politicians, can you? No – one of the definitions of a politician is a complete idiot that is dangerously high on a power trip, desperate for power, one that spreads fear, incites hate and anger. That is about as far as I’ll go in that regard because, as I’ve made clear before, politics is one of the most potent cesspools known to mankind (I have no problem, however, with actually attacking their arguments, their claims, when it comes to computers). To this end, another warning: while I do have good intent here, it was a thoroughly obnoxious day. So the ridicule might go too far. I’ll be in good company though, won’t I? Not sure it is the right company but such is life. So with that:
It seems to me that, given the circumstances, now is a good time as ever to write about the risks of cyber wars. What circumstances? It has been claimed by the New York Times, as well as Germany’s Der Spiegel, that the reason the US officials suggested that North Korea was responsible for the attacks on Sony, is that they had access to North Korea’s network. Yes, that means they compromised North Korea’s network. Yes, that means more hypocrisy indeed (there is never enough of that, is there?). These two news sources, I might add? These are the agencies that Edward Snowden leaked the spying accusations to. As I’ve made clear before, the NSA has a long history of hissy fits about encryption (and otherwise needing control) so really the only news to me is what specifically they were up to – as a spying agency, and as a spying agency that has the history that the NSA has, it isn’t really surprising. Sadly this makes it even more believable. Let’s see, what are the claims that are known, and what is the US saying in defence of themselves?
“While no two situations are the same, it is our shared goal to prevent bad actors from exploiting, disrupting or damaging US commercial networks and cyber infrastructure,” said spokesman Brian Hale.
Noted. That says quite a lot, doesn’t it? The fact no two situations are the same and the fact you want to prevent bad actors from ‘exploiting, disrupting or damaging US commercial networks and cyber infrastructures’, this is why you don’t count yourself, right? Because it is a different situation than yourselves. Makes sense – and since there’s often a lot of assumptions in this topic, I don’t see why I shouldn’t assume here, too, that my suggestion makes sense. That isn’t wrong, is it? Or perhaps it is because you aren’t actually actors but instead being your usual self? That seems quite plausible, too, I must admit. Then again, maybe it is simply that you don’t consider reputation all that important? That would explain why you find it perfectly acceptable to BREAK THE LAW as long as it is for those you (supposedly) are protecting? But it gets better, doesn’t it?
When it becomes clear that cyber criminals have the ability and intent to do damage, we work cooperatively to defend networks.”
You work to defend the networks. If it is on the land of the US, of course. But is that really the full truth? I don’t know if I agree. The BBC makes claim that the paper reporting this new information says that you – that is the officials supposedly investigating the crime – believed that North Korea was mapping the network for two months prior to the attack. Considering that one of the very first things an attacker will do, when going after a network, is getting as much information as they can about the organisation (its employees, its hours of work, its network, the hosts, the services, everything means as much as they can possibly gather), this would make sense, wouldn’t it? Yet it took you two months to figure this out? Weren’t you monitoring them? Why would you not alert them? Why would you not help them? (One hopes you don’t do this with your own although seeing as how there are issues at times, it makes me wonder) Is it because there is some other use out of it? I don’t know, maybe making it an excuse to give more power, more control to the government, with regards to what capabilities you are allowed? Something like this:
A senior Democrat on the House Intelligence Committee on Friday will reintroduce a controversial bill that would help the public and private sectors share information about cybersecurity threats.
“The reason I’m putting bill in now is I want to keep the momentum going on what’s happening out there in the world,” Rep. Dutch Ruppersberger (D-Md.), told The Hill in an interview, referring to the recent Sony hack, which the FBI blamed on North Korea.
Or maybe it was because then more sanctions could hit North Korea? Because a cyber attack is the right reason for that over all other things, yes (and of course, sanctioning an isolated state isn’t provocative – it is actually helping the relationship, that’s what sanctions are for, right? It won’t hurt the citizens and actually it will make them feel better, that other nations care enough to cause them more grief ‘as long as it teaches the nation to do what’s right’)? On the other hand, it is possible the attacks are being abused to do that (some might argue all of the above – they’re probably right). My problem with this, goes further. This is encouraging cyber attacks (yet more recently there is the suggestion that the US and the UK will participate in war games, the irony in it all is too much, when you consider why the two nations want to do this). “I want to keep the momentum going on what’s happening out there in the world” implies that you honestly don’t care why, you just have to have more control, as if it is as I put it – a drug. Nazi Germany did similar and their excuses were similar too; they were protecting others from whatever they didn’t like (even though the claim was a farce). Indeed, that ‘keep the momentum’ remark also implies that you’re fine with the attack, an attack that revealed confidential information about people whose only crime was working for Sony. You’re fine with it because it gives you an excuse to tighten the noose (ironically the law allows more spying on the citizens of the nation you claim to be protecting – again, just like Nazi Germany). (Yes, I’m deliberately comparing it to Nazi Germany even though there are plenty of others. There are many reasons for it. I won’t elaborate on it aside from that.) And the law you want to introduce isn’t just making it easier to share information about cybersecurity threats. There is not a single thing that prevents you from doing that now! Nothing prevents the corporations from informing you of attacks (as they recently showed you exactly that – because the government refused to warn them even knowing it was imminent, a shameful act indeed). The only thing that prevents the government from sharing that information is they would rather not. But that isn’t a legal issue. No, the law you refer to is CISPA – the law that allows spying on citizens (among other things). Anything else is an absurd lie – a lie designed to manipulate the situation (yet again just like Nazi Germany)! No, it wouldn’t have prevented the attack, either. Ironically, given the claim by the government, it seems the one thing that could have prevented it would be the government themselves; the government that claims they need more power (yes, because having been monitoring North Korea wasn’t enough!). Indeed – people in power can never get enough, no matter what they have already, and the more they get (and they are often so insistent on it that it is expected they will) the more they want in a vicious cycle just like the addictive properties (and effects) of drugs.
The fact of the matter is: the United States is not just a victim of cyber crime; they are perpetrators just as much as other nations (perhaps in some ways more so). It is just the United States has the status to get away with it more easily. The reality is that by participating in cyber wars, you’re actually creating more problems and I do not refer just between nations (but that is what this is about). The end result: each and every nation that adds fuel to the fire rationally has only themselves to blame when they fall prey. In addition, corporations that are attacked because of where they reside also could rationally blame their nation (whether they are allowed to be there or not is frankly an irrelevant point (and keep in mind that Sony is a Japanese corporation, not an American corporation, and this, I fear, makes that argument – of nationality and otherwise location – less relevant)). If nations acted this way in the real world – and let’s be honest: that is already far too extreme – there would be a nuclear holocaust. Much of what is claimed is defence is actually direct provocation. As for North Korea versus the United States, I will remind you again: the two nations are not allies and in fact are more like enemies; consequently, provoking them and then complaining about the response, is hardly helpful. It is actually about as stupid and arrogant as when a human goes in to the ocean, even with warning signs about recent shark activity, gets killed (why go in to its territory?) and what do officials do? They hunt the shark down and viciously slaughter it, as if it was deliberately in the territory of humans (because humans live in the oceans, yes?) to slaughter as many (humans) possible (never mind the fact that many shark attacks are accidental). Yes, that is a great analogy: go in to their territory, run into problems and then it is their fault; they shouldn’t have been where I wanted to be! Indeed.
I am redacting my original post because while I strongly believe it is misguided and unhelpful what is being claimed (by the US government), I think also that the way I addressed this was was not helpful, either. Certainly it detracts from my main point. While I often will keep things I’ve written, as I put it in my about section, I also believe in fixing mistakes where necessary. I’ve also noted that some of my writing will come off as a rant or otherwise aggressive and that I fix it where I can (and I always try to get a point across but often fail because of aggressiveness, whether it was intentional or not – yesterday’s aggressiveness was not intentional by any means). It is interesting to note that the other day I actually went to write something about this issue and I decided to delay it because I felt I was not in the right mindset. Apparently I was still not in the right mindset, yesterday. Of course, even though I’m fixing the post, that does not at all mean what was public will not remain public: once on the Internet it is as good as on the Internet (and even if all references were removed it still doesn’t mean there isn’t a single person who saw it and potentially captured it: I’ve done exactly this and I know others have too). But I still believe in taking responsibility and addressing mistakes where possible, and addressing means fixing the issue(s). So with that, my modified view on the attack on Sony. Do note that the title could very well be better worded (and this is how it was yesterday, too). I’m not sure how else to word it so it’ll suffice.
The last time, Sony brought (after the ‘first’ – the quotes are important here – attack) brought in a security professional. Yet, while some might find it ironic (it isn’t) there was another attack. First tip of old: if you consider security after an attack, or after deployment (e.g. in software development), then you’re behind at best and you may very well be too late, too. Second tip of old: in general, notwithstanding certain (rare and still not well advised) cases, if your network was compromised (there is one thing to consider here), the only safe way is to start all over with improved policies, based on what you learned from the attack. There is the reason I quoted ‘first': while it isn’t a guarantee (by all means, given what was claimed, it could have been individual but that makes it even worse, not better!) I wouldn’t be surprised if they had left a backdoor or otherwise hadn’t truly left. This very bit is a common thing, isn’t it? Why would it not be? While some do it for a challenge (and I would argue this is far less common these days) there is this simple fact that they use the breached network for many things. This includes bouncing (and this isn’t counting bouncing off of proxies). This brings me to the first real point about the ‘evidence': IP address.
I could elaborate on why IP address doesn’t mean much, certainly not for proof, but I think I have a better way. If you were to lose your mobile phone, or if someone were to steal it, who is the rightful owner? You? Yes. Okay, so what happens if they then use that phone to pull pranks, make threatening calls, or otherwise abuse the fact it isn’t their phone? Is it your fault, is it your responsibility? No? Then what makes you think IP address is any different? It isn’t. There’s far too many possibilities. Worse is that even if the IPs are from North Korea (which I haven’t seen them nor do I really care – it is irrelevant to the point) it doesn’t mean it is state sponsored. It also doesn’t mean it isn’t. And that is exactly the problem: it is speculation and until it is actually confirmed it may as well be slander. I’m sorry to say that being confident (as at least one US official has stated) doesn’t equate to reality, most certainly not 100% of the time; I know this personally as does anyone who has been delusional but is not currently having said delusion: I was confident that traffic signals were spying on me and me alone as one example. Yes, I’m able to admit this publicly. Why? Why not is better asked. While I am by no means suggesting they are delusional here, my point is that being confident does not equate to reality (and this applies to those who are not delusional). While this is not necessarily any better of an example, this is something that specifically makes my point that many things are not as they seem: Mirror Lake in Yosemite National Park, to name one of several (I seem to remember there is one in Canada, too). This should all be kept in mind when dealing with accusations. I know, I know, there is the addition to IP that the attack ‘looks’ similar to a previous attack: it is still speculation until proven otherwise. Again I’m going to give a non-technical example: some countries purchase aircraft from other countries. But that doesn’t mean the jet flying over a country IS the country that manufactured the jet. Similarly, some countries share flags while others have flags that are similar to another. That doesn’t mean that the countries are the same.
There’s also been the claim that this attack is unprecedented. I don’t think so. Neither was it impossible to prevent. Yes, there is always someone who can best another, but that doesn’t mean there is never room for improvement; there is always room for improvement! Always. Just like some attacks are not prevented, many more are. But to throw blame elsewhere, and to not address the real problem is a problem itself. This is not the first time Sony has come under attack. They also aren’t the only one to be compromised more than once. I know for a fact that Kevin Mitnick, what many would call a notorious hacker (and he calls himself a hacker too, or at least he did) fell prey to some that bested his him and consequently compromised his network. His company after his release from federal prison (2001 comes to mind as his release date but I’d have to check to confirm). In addition, the reason he was caught the second time around (indeed his arrest in the mid 1990s was not his first time being in trouble with the law) was because someone bested him then, as I recall someone he had attacked himself. I certainly do not call him a hacker, not even by the media’s definition of hacker: he is excellent at social engineering, that much is true. Regardless, this was not the first time Sony was compromised. You would think that someone like Mitnick would be able to not fall prey here, given his title. But then it is easier to forgive a company like Sony. The only thing that matters is (and I really hope they do exactly this) they re-evaluate their policies and implement the improvements. This goes for every entity. The only true mistake is not learning from your mistakes. The only failure is not learning from your supposed failures; we all make mistakes and none of us succeed in everything.
I would like to leave with some final thoughts: The group that claimed responsibility for the attack on Sony, GOP – Guardians of Peace – only started to use the film about North Korea’s leader after it was suggested it was related. Because of this, and since North Korea was enraged about the film (I have some thoughts here, which I share below) prior to the attack, it was now North Korea’s fault. This is a fallacy. A fallacy is illogical deduction and even if they are responsible, the logic used as above, is flawed.
In the end, IP address, similarity in attack and other such things are not indicative of anything, not indicative unless you wish to believe only what you want to believe. As a final example: Robert Tappan Morris, indeed the author of the infamous ‘Internet Worm’, aka ‘The Morris Worm’, made his worm appear to come from a different university than his. This was to throw the authorities off his trail. Due to mistakes on his part, however, the worm brought the affected machines to their knees. The effects of it were out and he was tracked down. Combine this with the fact that (for instance) many viruses, worms, trojan horses, backdoors and otherwise malware, are families of malware (which might not be written by the same person and indeed this is the case), this shows too that similarities does not imply equivalence (nor same source).
 Does web defacement constitute network being compromised? It could. But it could also not be. File integrity checks would help determine this here (but is not perfect either, if the attacker gets root access). It is true that with content management systems, a web defacement makes it easier and not requiring compromising the system itself (especially true if there is a configuration in the web files that specifically deny the CMS from modifying those files; i.e. you can only use the interface for the content and nothing else). In the end, the only safe way (but mind the fact that depending on how long ago the attack was (and attack implies original access, not defacement!) backups could also have a backdoor or indeed anything else). On this latter bit, backups: this is one of many reasons that the backup volume should either only be mounted when backing up (or restoring) or made immutable (except during writing to the volume). Another reason is user error (and yes, as I’ve made clear, administrators count as users): if a command you run, a script you write or something else you run (or is affected by a bug) goes badly, what if you wipe out (or damage) your backup? Redundant backup isn’t necessarily the answer any more than redundant storage; the point of backup is having it in multiple locations (e.g. off-site – and no, this does not include the cloud or anything you do not have complete control over! – and on-site, even if off-site is only stored on backup disk that is detached from the system), not having multiple copies: the difference is subtle but something that should be understood.
 As for North Korea being enraged. The fact remains that North Korea and the United States are not on good terms. So when you consider the film’s plot, and you consider the different culture, it isn’t all that surprising, is it? And you can see how it can provoke them. The subject of free speech (and more specifically freedom of expression) is usually brought up and indeed it is here too. Unfortunately though, like many things in this world, it is very often taken too far. It is especially taken too far when defending someone or something that (you) agree with (or sympathise with). It is also defended when you disagree or dislike that which is offended or upset by the expressions. As something I am unfortunately familiar with far too well, many people excuse bullies (even minor bullying is wrong but minor bullying develops further in to moderate to extreme to beyond extreme) as “kids will be kids”. The problem is, you can only abuse someone so much, before they snap. So yes, kids will be kids, until, that is, the victims of bullying (also kids, by the way) get revenge on bullies (especially if revenge is seriously harm, maim or kill). Then the kids are now horrible, and the “kids will be kids” is no where to be seen or heard (and the parents of these horrible kids are also horrible; what about the bullies who drove their victims to this extent or their ignorant – if not bad – parents?). I am eternally grateful that there isn’t a violent streak in me, because I would have been another example of the above by far. I did get revenge in ways, but I did it subtly and non-violently. I also enjoyed outsmarting them, making them look like fools without them even knowing just how much so (let alone that I had done this in the first place). The reality is violence doesn’t solve anything, at least not in positive ways, but if you subject someone to abuse, when they get revenge (which indeed includes violence), it is natural and expected (and if I am to be blunt, it is in some ways more acceptable because they were driven to it rather than doing it out of arrogance, hate and cruelty). To explain this, there is a phenomenon called ‘identifying with the aggressor’. This is exactly why domestic abuse runs in families: the victims are not in power, are helpless and suffer because of it. But they also see that in order to gain control, which means to stop the abuse, they can become abusive themselves. So continues a vicious cycle…
First, as is typical of me, the title is deliberate but beyond the pun it actually is an important thing to consider, which is what I’m going to tackle here. The secret does indeed imply multiple things and that includes the secret to secrets, the relation between privacy and security and how trust is involved in all of this. I was going to write a revision to my post about encryption being important (and I might still to amend one thing, to give credit to the FBI boss about something, something commendable) but I just read an article on the BBC that I feel gives me much more to write about. So let me begin with trust.
Trust is something I refer to a lot, in person and here and pretty much everywhere I write about something that considering trust is a good thing. Indeed, trust is given far too easily. As I have outlined before, even a little bit of trust – seemingly harmless – can be abused. Make no mistake: it is abused. The problem is if you’re too willing to trust how do you know when you’ve been too trusting? While I understand people need to have some established trust with in their social circles, there are some things that do not need to be shared and there are things that really should not be entrusted to anyone except yourself, and that potentially includes your significant other. Computer security is something that fits here. Security in general is. The other problem is: ignorance. Ignorance is not wrong but it does hurt and if you don’t understand the risks of something (which I would argue the fanatical and especially the younger Facebook and other social media users, are) is risky, how do you proceed? For kids it is harder as it is known that kids just do not seem to understand that they are not immortal, not immune to things that really are quite dangerous. However, if you are too trusting with computers, you are opening a – yes, I know – a huge can of worms, and it can cause all sorts of problems (any of taking complete ownership of your computer, monitoring your activities which can lead to identify theft, phishing and many other things, from …). The list of how many issues that granting trust can lead to, is, I fear, unlimited in size. It is that serious. You have to find a balance and it is incredibly hard to do, no matter how experienced you are. I’ve made the general ideas clear before, but I don’t think I’ve actually tackled this issue with privacy and secrecy. I think it is time I do that.
In the wake of the Edward Snowden leaks, many more people are concerned for their privacy. While they should have always been concerned, it doesn’t really change the fact that they are now at least somewhat more cautious (or many are, at least). I have put this thought to words in multiple ways. The most recent is when I made a really stupid mistake (leading to me – perhaps a bit too critical but the point is the same – awarding myself the ID 10 T award), all because I was far more exhausted than I thought. Had I been clear I wouldn’t have had the problem. But I wasn’t clear headed and how could I know it? You only know it once it is too late (this goes for driving too and that makes it even more scary because you could hurt someone else, whether someone you care about or someone you don’t even know). The best way to word this is new on my part: Despite the dismissal people suggest (“what you don’t know cannot hurt you” is 100% wrong), the reality is this: what you don’t know can hurt you, it likely will and worse is it could even kill you! This is not an exaggeration at all. I don’t really need to get in to examples. The point is these people had no idea to what extent spying was taking place. Worse still they didn’t suspect any thing of the sort. (You should actually expect the worst in this type of thing but I suppose that takes some time to learn and come to terms with.) Regardless, they do now. It has been reported – and this is not surprising really, is it? – that a great population of the United States are now very concerned with privacy, have much less trust in the governments (not just the US government, folks – don’t fall for the trap that only some countries do it, you’re only risking harm to yourselves if you do!) in privacy. What some might not think of (although certainly more and more do and will over time), and this is something I somewhat was getting at with the encryption post, is this: If the NSA could not keep secret (and that is ironic itself, isn’t it? Very ironic and to the point of hilarity) their own activities (own is keyword number one) secret (and safe!) then how can you expect them to keep YOUR (keyword number two) information secret and safe? You cannot. There is no excuse for it: they aren’t the only ones, government, corporations, it really doesn’t matter, too many think of security after the fact (and those that do think of it in the beginning are still prone to making a mistake or not thinking of all angles… or a bug in a critical component of their system, leads to the hard work in place, being much less useful or relevant). The fact they are a spying agency and they couldn’t keep that secret is to someone who is easily amused (like myself), hilarious. But it is also serious isn’t it? Yes, and it actually strengthens (or further shows) my point that I will get to in the end (about secrets). To make matters worse (as hard as that is to fathom), you have the increase (and I will tell everyone this, this is not going to go away and it is not going to be contained – no, it will only get worse) in point of sale attacks (e.g. through malware) that has in less than a year led to more corporations having major leaks of confidential information than I would like to see in five or even ten years. This is the number of corporations – the amount of victims is millions (per corporation, even)! This information includes credit card details, email addresses, home addresses, … basically the information that can help phish you even enough to steal your identity (to name one of the more extreme possibilities). Even if they don’t use it for phishing you would be naive to expect them to not use the stolen information.
I know I elaborate a lot and unfortunately I haven’t tied it all together yet. I promise it is short, however (although I do give some examples below, too, that do add up in length). There is only one way to keep something safe, and that is this: don’t share it. The moment you share something with anyone, the moment you write it down, type it (even if you don’t save it to disk), do some activity that is seen by a third party (webcam or video tape, anyone?), it is not a secret. While the latter (being seen by camera) is not always applicable, the rest is. And what good is a secret that is no longer a secret? Exactly: it is no longer secret and therefore cannot be considered a secret. Considering it safe because you trust someone – regardless of what you think they will do to keep it safe and regardless of how much you think you know them – is a dangerous thing (case in point: the phenomenon called, as I seem to remember, revenge porn). In the end, always be careful with what you reveal. No one is immune to these risks (if you are careless someone will be quite pleased to abuse it) and I consider myself just as vulnerable exactly because I AM vulnerable!
On a whole, here is a summary of secrets, trust and security: the secret to staying safe and as secure as possible, is to not give out trust for things that need not be shared with anyone in the first place. If you think you must share something, think twice really hard and consider it again: you might not need to no matter how much the person (or entity) claims it will benefit you. Do you really, honestly, need to turn your thermostat on by your computer or phone? No, you do not and some thermostats have been exposed to have security flaws (in recent times). It isn’t that important. What might seem to be convenient might actually be the opposite in the end.
Bottom line there is this: If someone insists you need something from them or their company, they do not have you in your best interest! Who is anyone else to judge whether you need their service or product?
A classic example and a funny story where the con-artist was exposed: If you go to a specialist to have an antique valued and they offer to buy it you should never do it because if they tell you something is worth X it is one thing. It is however another thing entirely to tell you it is worth X and then offer to buy it from you. The story: years ago, my mother caught a smog-check service in their fraud (and they were consequently shutdown for it, as should be) because despite being female – and therefore what the con-artist thought would be easy prey, nice try loser – she is incredibly smart and he was a complete moron. He was so moronic that despite my mother being there listening to the previous transaction between the customer (“victim”) and himself, he told my mother the same story: you have a certain problem and I’ll charge X to fix it. The moron didn’t even change the story at all – he used it word for word, same problem, same price, right in front of my mother. In short: those telling you the value of something and then telling you they’re willing to buy/fix/whatever, are liars. Some are better liars but they’re still liars.
It is even worse when they are (example) calling you – i.e., you didn’t go to them! Unsolicited tech support calls, anyone? Yes, this happened not long ago. I really pissed off this person by turning the tables on him. While what I did is commendable (As he claimed, I wasting his time which means he lost time he could be cheating someone else) do note that some would have instead fallen victim and the reason he kept up until I decided to play along (and make a fool of him, as you’ll see if you read), is exactly because they are trained: trying to manipulate, trying to keep me on the line as long as possible (which means more time to try to convince me I need their service), and they only wanted to cheat me out of money (or worse: cause a problem with my computer that they were claiming to fix). Even though I got the better of them (as I always have) and to the point of him claiming I was wasting HIS time, they will just continue on and try the next until they find a victim. It is just like spam: as long as it pays they will keep it up. People do respond (directly and indirectly) to spam and it will not end because of this, as annoying as it may be. Again, if some entity is telling you you need their service or product, it is not with your best interest but their interest! That is undeniable even if you initially went to them, if they are insisting you need their product or service, they are only their to gain and not help. This is very different from going to a doctor and them telling you something serious (although certainly there are quacks out there, there is a difference and it isn’t too difficult to discern). Always be thinking!
I admit that I’m not big on mobile phones (and I also admit this starts out on phones but it is a general thing and the rules apply to all types of nodes). I’ve pointed this out before, especially with regards to so-called smart technology. However, just because I personally don’t have much use for it, most of the time, does not mean that the devices should not be as secure as possible. Thus, I am firstly, giving credit to Apple (which all things considered is exceptionally rare) and Google (which is also very rare). I don’t like Apple particularly because of Steve Jobs’ arrogance (which I’ve also written about) but that is only part of it. At the same time, I do have fond memories of the early Apple computers. As for Google, I have serious issues with them but I haven’t actually put words to it here (or anywhere actually). But just because I don’t like them does not mean they can never do something right or that I approve of. To suggest that would be me being exactly as I call them out for. Well, since Apple and Google recently suggested they were to enable encryption by default for iOS and Android, I want to commend them for it: encryption is important.
There is the suggestion, most often by authorities (but not always as – and this is something I was planning on and I might still write about – Kaspersky showed not too long ago when they suggested similar things), that encryption (and more generally, privacy) is a problem and a risk to ones safety (and others’ safety). The problem here is that they are lying to themselves or they are simply ignorant (ignore the obvious please, I know it but it is besides the point for this discussion). They are also risking the people they claim to want to protect and they also risk themselves. Indeed, how many times has government data been stolen? More than I would like to believe and I don’t even try to keep track of it (statistics can be interesting but I don’t find the subject of government – or indeed other entity – failures all that interesting. Well, not usually). The problem really comes down to this, doesn’t it? If someone has access to your or another person’s private details, and it is not protected (or poorly protected), then what can be done to you or that other person if someone ELSE gets that information? Identify theft? Yes. Easier time gathering other information about you, who you work for, your friends, family, your friends’ families, etc.? Yes. One of the first things an attacker will do is gather information because it is that useful in attacks, isn’t it? And yet, that’s only two issues of many more, and both of those are serious.
On the subject of encryption and the suggestion that “if you have nothing to hide you have nothing to fear”, there is a simple way to obliterate it. All one needs to do is ask a certain (or similar) question and explanation following, directed at the very naive and foolish person (Facebook founder has suggested similar, as an example). The question is along the lines of: Is that why you keep your bank account, credit cards, keys, passwords, etc., away from others? You suggest that you shouldn’t have a need to keep something private because you have nothing to hide unless you did something wrong (and so the only time you need to fear is when you are in fact doing something wrong). But here you are hiding something (that you wouldn’t want others knowing, in other words, and with your logic it follows that you did something wrong), yet here you are hiding your private information. The truth is that if you have that mentality, you are either lying to yourself (and ironically hiding something from yourself and therefore not exactly following your suggestion) or you have hidden intent or reasons to want others information (which, ironically enough, is also hiding something – your intent). And at the same time, you know full well that YOU do want your information private (and YOU should want it private!).
But while I’m not surprised here, I still find it hard to fathom how certain people, corporations and other entities still think strong encryption is a bad thing. Never mind the fact that many high-profile cases of criminal data confiscated by police has been encrypted and yet revealed. Never mind the above. It is about control and power and we all know that the only people worthy of power are those who do not seek it but are somehow bestowed with it. So what am I getting at? It seems that, according to the BBC, the FBI boss is concerned about Apple’s and Google’s plans. Now I’m not going to be critical of this person, the FBI in general or anything of the sort. I made aware in the past that I won’t get in to the cesspool that is politics. However, what I will do is remark on something this person said but not remark on it by itself. Rather I will refer to something most amusing. What he said is this:
“What concerns me about this is companies marketing something expressly to allow people to place themselves beyond the law,” he said.
“I am a huge believer in the rule of law, but I am also a believer that no-one in this country is beyond the law,” he added.
But yet, if you look at the man page of expect, which allows interactive things that a Unix shell cannot do by itself, you’ll note the following capability:
- Cause your computer to dial you back, so that you can login without paying for the call.
That is, as far as I am aware, a type of toll fraud. Why am I even bringing this up, though? What does this have to do with the topic? Well, if you look further at the man page, you’ll see the following:
Thanks to John Ousterhout for Tcl, and Scott Paisley for inspiration. Thanks to Rob Savoye for Expect’s autoconfiguration code.
The HISTORY file documents much of the evolution of expect. It makes interesting reading and might give you further insight to this software. Thanks to the people mentioned in it who sent me bug fixes and gave other assis‐
Design and implementation of Expect was paid for in part by the U.S. government and is therefore in the public domain. However the author and NIST would like credit if this program and documentation or portions of them are
29 December 1994
I’m not at all suggesting that the FBI paid for this, and I’m not at all suggesting anyone in the government paid for it (it is, after all, from 1994). And I’m not suggesting they approve of this. But I AM pointing out the irony. This is what I meant earlier – it all comes down to WHO is saying WHAT and WHY they are saying it. And it isn’t always what it appears or is claimed. Make no mistake people, encryption IS Important, just like PCI compliance, auditing (regular corporation auditing of different types, auditing of medical professionals, auditing in everything), and anyone suggesting otherwise is ignoring some very critical truths. So consider that a reminder, if you will, of why encryption is a good thing. Like it or not, many humans have no problem with theft, no problem with manipulation, no problem with destroying animals or their habitat (Amazon forest, anyone?). It is by no means a good thing but it is still reality and not thinking about it is a grave mistake (including indeed literally, and yes, I admit that that is pointing out a pun). We cannot control others in everything but that doesn’t mean we aren’t responsible for our own actions and ignoring something that risks yourself (never mind others here) places the blame on you, not someone else.