Two contrasting reports have recently appeared in the news. The Washington Post describes how a British local government authorized itself to conduct comms checks, covert surveillance and an undercover operation to discover whether or not a mother had improperly filled out an elementary school enrolment form. They gave a mother the mafia treatment over what was essentially a primary school issue. Critics have drawn attention to its lack of proportionality, like a case of using a pile-driver to crack a nut. In the meantime retired General Wesley Clark argues that America has been taking the opposite approach: taking a pop-gun to a T-rex by deciding to treat grave threats to its information infrastructure as if they were trivial. The story of the British local government’s valiant detection efforts need to be told first.
Suspecting Ms. Paton of falsifying her address to get her daughter into the neighborhood school, local officials here began a covert surveillance operation. They obtained her telephone billing records. And for more than three weeks in 2008, an officer from the Poole education department secretly followed her, noting on a log the movements of the “female and three children” and the “target vehicle” (that would be Ms. Paton, her daughters and their car). It turned out that Ms. Paton had broken no rules. Her daughter was admitted to the school.
under a law enacted in 2000 to regulate surveillance powers, it is legal for localities to follow residents secretly. Local governments regularly use these surveillance powers — which they “self-authorize,” without oversight from judges or law enforcement officers — to investigate malfeasance like illegally dumping industrial waste, loan-sharking and falsely claiming welfare benefits.
But they also use them to investigate reports of noise pollution and people who do not clean up their dogs’ waste. Local governments use them to catch people who fail to recycle, people who put their trash out too early, people who sell fireworks without licenses, people whose dogs bark too loudly and people who illegally operate taxicabs.
“Does our privacy mean anything?” Ms. Paton said in an interview. “I haven’t had a drink for 20 years, but there is nothing that has brought me closer to drinking than this case.”
If Ms. Paton decides to drink she better make sure to recycle the whiskey bottle and dump it in the right bin. Can’t have serious crimes happening. But Wesley K. Clark and Peter L. Levin have the opposite fear: they think the US doesn’t have enough capability to watch the watchers. Both argue that the US has been under sustained cyberattack for some years now and that the public has simply been lulled into a false sense of security because they haven’t ‘seen’ the obvious signs of disaster: people running in the streets, buildings crashing down, etc. In Foreign Affairs they write:
Adversaries planning cyberattacks on the United States enjoy two other advantages. The first, and most dangerous, is Americans’ false sense of security: the self-delusion that since nothing terrible has happened to the country’s IT infrastructure, nothing will. Such thinking, and the fact that so few scientists are focused on the problem, undercuts the United States’ ability to respond to this threat. Overcoming a complacent mentality will be as difficult a challenge as actually allocating the resources for genuine hardware assurance. Second, the passage of time will allow adversaries and cybercriminals to optimize the stealth and destructiveness of their weapons; the longer the U.S. government waits, the more devastating the eventual assault is likely to be.
The incident of the British schoolgirl highlights the growing importance and centralization of government control over every aspect of a country’s internal affairs. The Clark-Levin paper by contrast, describes the increasing scarcity of resources necessary to protect this burgeoning apparatus from malicious intrusion. The two are related in this way: the Western lead in information technology has fueled a boom in automated systems. It’s growing like the Blob; governments and corporations are addicted to it. But as it grows, its guardians are looking the wrong way for threats. Indeed, they are so invested in adding features that they’ve simply given up doing any code review. It’s easier to simply pretend the electronic music will never stop. Not that foreign hands haven’t been groping for the off button. Clark and Levin write:
In 2007, there were almost 44,000 reported incidents of malicious cyberactivity — one-third more than the previous year and more than ten times as many as in 2001. Every day, millions of automated scans originating from foreign sources search U.S. computers for unprotected communications ports — the built-in channels found in even the most inexpensive personal computers. For electronically advanced adversaries, the United States’ information technology (IT) infrastructure is an easy target.
But the growth has reached the point where no top-down security spec can fix things any more. The IT system has become so complex it is impossible to write a blanket prescription to solve its ills. Clark and Levin argue that the only way forward lies in turning this vulnerability into a strength; that in fact America’s principal defense now lies in emulating a rain forest; its best chance relies on diversity, creativity and innovation. Like an ecosystem consisting of millions of distinct organisms, it can simply become too resilient and too inscrutable to kill. But they’re making the free market argument in a world in which markets have been described as sinful, greedy institutions. Clark and Levin note that US policymakers, ever confident in their own wisdom, are mandating standards which may like the Pearl Harbor commanders on the eve of the attack, leading to parking all airplanes in the center of the runway to prevent sabotage.
The U.S. government must begin by diversifying the country’s digital infrastructure; in the virtual world, just as in a natural habitat, a diversity of species offers the best chance for an ecosystem’s survival in the event of an outside invasion. In the early years of the Internet, practically all institutions mandated an electronically monocultural forest of computers, storage devices, and networks in order to keep maintenance costs down. The resulting predominance of two or three operating systems and just a few basic hardware architectures has left the United States’ electronic infrastructure vulnerable. As a result, simple viruses injected into the network with specific targets — such as an apparently normal and well-trusted Web site that has actually been infiltrated — have caused billions of dollars in lost productivity and economic activity.
Recently, national intelligence authorities mandated a reduction in the number of government Internet access points in order to better control and monitor them. This sounds attractive in principle. The problem, of course, is that bundling the channels in order to better inspect them limits the range of possible responses to future crises and therefore increases the likelihood of a catastrophic breakdown. Such “stiff” systems are not resilient because they are not diverse. By contrast, the core design principle of any multifaceted system is that diversity fortifies defenses. By imposing homogeneity onto the United States’ computing infrastructure, generations of public- and private-sector systems operators have — in an attempt to keep costs down and increase control — exposed the country to a potential catastrophe. Rethinking Washington’s approach to cybersecurity will require rebalancing fixed systems with dynamic, responsive infrastructure.
The next thing government has to do apart from not parking the airplanes in one place, Clark and Levin say, is bring the really sensitive parts of the system into the rainforest, and back from China. It’s a decision fraught with political danger. They write: “In addition to building diverse, resilient IT infrastructure, it is crucial to secure the supply chain for hardware. This is a politically delicate issue that pits pro-trade politicians against national security hawks. Since most of the billions of chips that comprise the global information infrastructure are produced in unsecured facilities outside the United States, national security authorities are especially sensitive about the possibility of sabotage.”
It bears mentining that the changing conception of government has national security implications. Government cannot continue to become responsible for ever increasing swaths of daily life without increasing the risk of systemic failure. Where once the default role of government was to be absent unless required by compelling public interest, many now believe it is government’s duty to be present whenever we might conceivably need it. From the prevention of obesity to the enforcement of puppy poop regulations to ensuring little girls file the right school forms, the government should be there “to help you”. The reasons given vary: it is “for the children”; it is about ‘caring’ and above all, it is for your own good. What doesn’t vary is the monotonically increasing centralization of risk in the goverment.
Where once you could do things for yourself, today it “takes a village”. Where once we had a diversified portfolio of outcomes today we have systems which are “too big to fail”. The modern village needs an increasing amount of IT to minister to its population requiring an increasing amount of money to carry out its caring. That increasing governance necessarily leaves less time to take foreign threats seriously and less money to watch an ever growing surveillance infrastructure. Like a giant prehistoric beast struggling to pump blood to its ever distending extremities, the state grows and grows until it literally can’t see under its belly. To its already vast responsibilities will soon be added the need to monitor health care on a national vast scale, administer the stimulus package and manage your carbon footprint. If that enemy EMP bomb ever goes off over New York city, there’ll be a hell of a lot of puppy poop the village will lose track of the next day.
But never fear. There’s a bureaucratic solution to every known bureaucratic problem. As Clark and Levin tell us, new standards will be crafted to create standard defenses — and standard vulnerabilities. It might work, but then again, it might not.
China
It seems to me the Tea Party Movement shows how decentralized Americans can be when the need arises. So far it has not arisen except in relation to a massively expensive (and inefficient) stimulus package, so the folks who responded as tea partiers have focused on that. But if our IT infrastructure comes under effective attack I think the same kind of reaction will take place. DARPA always had in mind that this would be the essence of the internet, and it has indeed turned out to be the case. Of course the question is always there — can an attack be made on a large enough part of the computer (Social Security records, for example) that some major part of our economy would be damaged. And I have a nagging fear that the tea partiers are not IT-sensitive (although I must admit they were largely called to action through the internet.) I won’t dismiss Clark and Levin’s warning — I’ll just say we as a people are more resilient than generally given credit. F
If a diverse ecology is the solution we need (and it’s a good argument), than evolution should be the tool we use. A research program into an “evolving immune system” for computers would be money well spent, if those immune systems are allowed to vary, compare notes, breed, evolve, and select divergent paths of fitness, we would do well. Even if this leads to computers that are 98.5% immune to cyber attacks (as opposed to some NASA written 99.9999% code), the resultant diversity would make it worth it.
I say this because (1) evolution often finds answers we wouldn’t expect, and is therefore a good thing all by itself, and (2) maintaining dozens of different security models with human programmers would be something of a burden.
Come to think of it, this is the solution for governments too! Or, it would be, if Federalism were more in vogue. Maybe we should try Charter Cities.
I’m afraid that even if government were to take Clarke’s and Levin’s advice to heart, they would try to create an artificial cyberdiversity while ignoring the fact that a free, diverse and decentralized populace is the best foundation on which to build the system proposed.
My Zen moment, a reference to Japan would have missed the topic, covers three parts of the problem.
1) Intrusion of the collective down through the level of the town, past the family and into the individual.
a. The local environmental, educational, and public order inspectors.
b. Report Daddy for not recycling, follow Mommy for misregistering, charge the invaded home owner for grabbing a knife.
c. Canadian/Canadien Human Rights Commission investigates “intent,” Hate Crimes laws vary punishment by victim class.
2) The real threat to our security from attacks carried out by units of the Chinese People’s Liberation Army to probe, map and disrupt American network based or reliant systems. These are potentially far more devastating than were the Russian cyber attacks on Estonia and Georgia.
3) The stultifying effects of centralization choke off the flow of information needed for both rational market operations, innovation to meet changing conditions, and efficient government administration. Eventually the centralized bureaucratic authoritarian or totalitarian model will face systemic failure.
China has set the template in all three areas and the West is following in their footsteps. Mao as a role model indeed. Economy of analysis on my part. The situations methodology, threats and outcome risks are summed up in one word, China.
Weasley Clark could be right but I suspect the messenger’s motives.
This points precisely to the flaw in bureaucratic thinking, especially in the hands of the left.
Small things are regarded as grave threats — like second hand smoke, high calorie cheese burgers, and unsupported dangers from the ozone layer and CO2. Big things — like Communism, Islamic Terrorism, and inflation are thought of as imaginary.
The moral compass is broken.
“”"”"” Small things are regarded as grave threats “”"”"”"
Add to the list the following depraved logic:
Innocent elderly and severely ill infants and toddlers are to die, but Heaven forfend that we should keep the Death Penalty for murderers or actually kill terrorists on purpose!
#7….or deny medical coverage to prisoners on death row.
Speaking of British schoolgirl, what does Madonna think of this?
I heard something on Frontline the other night that I found a tad disturbing. It said, essentially, that Chairman of the FED, Alan Greenspan was so devoted to a libertarian economy, that even fraud would remain unregulated and un-pursued. Case inpoint, derivatives which were illegal in certain forms. I think this is about where Libertarians and I depart on philosophical grounds. I think most conservatives are first and foremost committed to the rule of law. It is the creation of these laws that pose a dilemma when weighing between Liaise Faire and over-regulation. One could say that the surveillance of potential law breakers has the same concerns but one would expect that the surveillance would be proportional to the gravity of the crime. But, then again, these peculiar cases have a tendency to keep the rest of us sheep in check. If I had a neighbor being prosecuted for not properly recycling his refuse it would certainly feed my own paranoia. Rudy Giuliani made the case when reforming NYC that allowing one window to remain broken or one wall of graffiti to remain would lead to all of the other larger crime dominos to fall.
A part of me wants to believe that the government has created back-doors in certain export architecture but when every router you buy is either designed and built in China or at least built in China one wonders who is inserting what into the back-door. I’d hope that the DOD and other three letter agencies would have considered this very seriously. There is a buy American mandate for the defense acquisition and this kind of infrastructure certainly would apply. Ever wonder how we end up with $700 toilet seats? Diversity means nothing when they are all your economic enemies.
“If that enemy EMP bomb ever goes off over New York city…” If this happens the abacus and the slide rule will gain in popularity immensely.
http://www.nbcchicago.com/news/local-beat/A-City-of-Stool-Pigeons-66367287.html
A short quote:
The folks at city hall will pay cash bounties to informants who turn in business tax cheats around the city. The reward would amount to some sort of percentage of the tax money that the city recovers.
Salaam!
Speaking of vulnerability, 60minutes ran a story on Medicare fraud and that was just using a paper push system. Imagine when the frauds are carried out using programs that spider through the system and only skim a little to avoid detection. Recall the hacker who rounded every penny and became rich. I know that was probably apocryphal but what if this was used as a weapon of economic war?
Precipitous crystallization in any solution always temporarily ends only through 3 possible scenario: 1. solution is vigorously stirred up, or 2. it is drastically diluted, or 3. crystals are broken.
All 3 requires phase transition and we are very far from it. In all previous local bureaucratic crystallization efforts there always existed some external force that provided energy for a phase shift. Now the bureaucratization becoming global. So it will continue for a while and in this sense we haven’t seen anything … yet. Both the Soviets and Red China were local child play.
” A research program into an “evolving immune system” for computers would be money well spent…”
The problem Brock is the research scientists would be mostly Chinese and Pakistani. I am not impugning their loyalty but can not attest to it either.
Maybe we could use biometrics for all of the little stuff and little wooden balls for the government to government traffic validation certificates. We could have that delivered by a newly created United Postal Servi… never mind.
I am reminded of the Savannah cheating scam for roulette. Since the cheating move wasn’t made on wins but existed instead to cut losses, the casino detectives couldn’t figure out how the cheaters succeeded.
Big wigs look at gee whiz gizmos and don’t like to waste their time on petty things. That’s what moves like the Savannah take advantage of. Chances are, there are equivalent holes in computer architecture. The key is to think small.
Diversity in IT, is a frustration for me. I use an offbeat system and something other than an MS browser, as a result I run into websites every now and then that will not work — the last one was for employment bennie enrollment. I had to borrow another’s laptop so I could use IE.
On the other side of the equation I have to make sure the sites I develop are viewable in a plethora of browsers (or again at least in about 4 or so different ones). If I could shoehorn everyone into my choice of platform I would probably opt for that.
Add to this the force of trying to dominate a marketplace for maximum economic self-gain.
As much as PCs have become commodity items the operation of them is still a bigger trick than what is generally acknowledged. I’ve ten years of experience in developing applications but low level operation of networked systems is not something I would take on lightly.
As Brock notes, Clarke & Levin describe an IT version of federalism. People in charge of systems should be the ones who decide on how to best to secure their systems — no specific approach can fit all specific needs.
My systems have been behind IP masquerades for sometime now but I recall during the dialup days and reviewing my various logs seeing all the attempts to crack my system. Not just worms probing my system for IIS weaknesses but outright dictionary attempts are logging in. As far as I can tell, my system was never cracked.
There is no magic bullet to information security and therein lies the problem. Most want to install a software system and forget hoping the system will magically run itself.
Software is inherently vulnerable and it is only through routine drudgery that it can be made secure and kept secure. That is the rub, we use information technological systems to relieve ourselves of the drudgery but in order to make sure they are locked down. One has to screen all untrusted input, manually review log files, manually scan ports, one has to review the literature to make sure the software is up to date, one has to sit through those reviews and pay attention to lines and lines of dry code.
As a computer “user” I’m tired of the hassle of keeping my computer bug free. Anti-Virus software that in some cases causes more problems than the bugs it is supposed to protect against. My IT buddies say get a hardware firewall. Yeah, right, like I can barely operate what I have, let alone deal with a low cost router with a firewall. “Look all you have to do is buzzzzzzzz and buzzzzz and then buzzzz and you’ll have just as good as protection as the RamboRockerfeller firewall/server/coffemaker gives you.” If I can’t fix it with a 5 pound shop hammer I don’t want to deal with it.
Frankly I’d like to see a different approach. Assassinate hackers and have cruise missles hit the ISPs that they use.
In the forest we could develop the electronic venus flytrap.
Entice and then eat.
ADE
“In 2007, there were almost 44,000 reported incidents of malicious cyberactivity.”
Now admittedly a fair percentage of that is going to be “Mom, Fox is being MEAN to me on the Internets!!!!”
Oh wait a minute, that’s Obama….
NYT covers this here: Prof Reynolds found it.
I always have thought that the hardware we give to our bestfriendsforever had little surprises for them if the friends went bad. But apparently not or there would have been some evidence. I would also think that the irreplaceable industrial goods we sell to people like Chavez would have surprises as well. But that would be unethical.
In urban planning, thirty years ago, enforcement of zoning regs was on a complaint basis, since no one was fool enough to go looking for problems. Enforcement was a sideline done at the lowest of priorities.
Today, cities have discovered code enforcement is a profit center. The city of San Jose, California no longer goes to court for a violator of an “ordinance”, they are their own judge, jury and executioner, a “commission” made of citizens “selected” by the city, review “cases”. For example, a homeowner who bought a house, split into two units some time in the deep dark past. He now must prove it was legal, when it was done. He has not idea how to do it. He didn’t do it. He doesn’t know who did it. But he is guilty until proven innocent. Because this is land use regulation.
Now, no longer on a complaint basis, but staff looking for “problems”. When work slowed at planning and building departments because no one was building, the “solution”, transfer people to code enforcement, where they generate revenue to pay their salaries and feed the general fund. Because you see, the special commission not only fines the “guilty”, but adds the cost of staff time. Most enforcement activities do little to make the city safer, or a better place to live, but they do make sure city employees get paid, and provide revenue you don’t need a two thirds vote to approve.
The inmates now run the asylum.
Don’t get me started on Red Light cameras.
Annoy Mouse @ 9
You believe Frontline?
;>)
Small l libertarians are a heterogeneous group.
If they can be said to follow general principles those can be covered in the Two Rules.
1. Do not impinge on another’s property.
2. Keep all of your promises.
Fraud would violate the second rule.
Perhaps ‘The One’ is a weapon. No one who thinks, reasons, or is logical, would ever erect such a facade. What are those crazy ‘mericans planning?
Is it possible that Americans erected a Chavez? What cunning plan is being missed?
/sarcasm cough/
The notion of trojans in the firmware of devices is a real concern. I do not have any definitive (or otherwise) links/sources but I recall hearing a lot of Iraqi devices went goofy in the spring of 2003 (not due to hardware bombs but software).
This is one reason I am a huge fan of open source software. Each device comes with the software source and if a person or organization is concerned about security of the code they can review, compile, and install it all on their own.
Frankly I’d like to see a different approach. Assassinate hackers and have cruise missles hit the ISPs that they use.
That is a common sentiment, my friend. The same should be applied to ID thieves and bureaucrats looking to ‘enforce codes.’
an ever growing surveillance infrastructure.
There’s also the matter of the type of person drawn to surveillance work, i.e. control freaks. It’s interesting that the BTK killer worked as an installer of home burglar alarm systems for awhile– a job that allowed him to gain information about some of his victims and go to their homes to kill them over his lunch hour because he knew they would be home at that time. His last job before his arrest was that of compliance officer in a suburb of Wichita where residents remembered him as overzealous and hassling them about trivial issues. One resident said that he had her dog euthanized one day while she was at work as petty revenge for her having a boyfriend living with her.
I’m not suggesting that every petty bureaucrat has the makings of a serial killer, only that bureaucracy has plenty of outlets for small-minded people to vent their hostility toward others.
Arms protester on police spotter card was alleged infiltrator for BAE
Police spotter card O Ewa Jasiewicz UK news guardian.co.uk
The surveillance state on the streets is multi-dimensional and operational in a variety of spheres – our living-rooms and hard drives are coming out into the streets. Spotter cards are virtually antique now. But the first thing that struck me about the row of faces on the spotter card was dazzling white skin privilege. I think the public reaction would have been very different if those were brown Muslim faces staring back.
According to this account, we already did it to the Russians in the 1980s. http://www.theage.com.au/articles/2004/02/27/1077676960916.html
RE: 7. Don Rodrigo: The two snipers who killed 13 people in the DC area are still consuming oxygen -8- years later, although one of them is scheduled to get the needle in early November.
Thanks jW. I had forgotten that. Presidents with stones should be treasured.
The heavenly kingdom should be careful. We may be foreign devils, but we’re still devils.
jWarrior,
I wonder if the explosion referred to in the story is the opening scene in Clancy’s Red Storm Rising. Clancy often scoured obscure defense journals for inspiration and similarly he based The Hunt for Red October on an attempted Soviet Destroyer captain defection.
However, the Soviets were attempting to pinch the technology rather than working above board, when one is sneaking about trying to do illicit things clandestinely it is tough to then cry foul when your illicit activities lead to things like the having your pipelines blow up. Kinda like hotlinking images – don’t complain when the image all of a sudden changes to something naughty. LOL I’ve busted people doing that to my sites.
If a close scan of a lot of our electronic computing devices do turn up trojans then OS patches could take care of those (OSs often include workarounds for defect in hardware microcode or flaws in the physical engineering) and then a search for other sources for the devices. However, the problem with this is how often are systems (especially home systems) patched?
Our entire global society will be under 100% surveillance within 100 years. Implanted microchips with medical, financial, and personal records will turn everyday humans into blips on a screen, mere pawns playing in a global game with a man at the helm we know of as the Antichrist.
http://www.hackwilson.blogspot.com
First, I tend to agree with Toad in his #17 comment. As the old saying goes, a Smith and Wesson beats four aces.
The 8th Air Force now focuses on cyber-warfare. Sitting outside the 8th’s museum near Savannah, GA is a B-47. If the 8th had B-47’s cocked and ready to launch against hackers, scam artists, criminal organizations and foreign governments performing cyber-attacks on us, I think such criminal activity would prove to be far less popular.
In the attack on Georgia the Russians enlisted the aid of criminal organizations experienced in cyber attacks for robbery purposes as well as individual hackers. There should be both an individual and national price for engaging in such activity.
Back in the Cold War days of the 70’s and 80’s the USAF created something called the Ground Wave Emergency Network, or GWEN. Scattered around various rural but strategic locations were medium wave transmitter sites that could be used as part of an Internet system to relay information to military bases in the event that normal communications were knocked out. It was a simple and very robust system, but it produced a reaction from some circles as if we were putting ICBM’s in every 7/11 store.
Something similar to GWEN could serve as a backup Internet for the civilian world.
Its a difficult and mysterious game. But then again, like the Russians who stole software that blew up their pipelines when it was used, one may think they are the spider when they find they are merely prey caught in a bigger spider’s web.
Hubris can be fatal. Not only for us, but for our enemies too.
RWE,
Details are fuzzy in the old brain, but Hawaii had a robust emergency network of ham operators with a special protocol for use in emergencies such as hurricanes and/or tidal waves.
Think it provided some inspiration for the creators of ARAPNET.
—
A caller to the Dennis Miller show said he went to a job interview in Maryland for a position requiring a security clearance.
They informed him that they knew that his wife had attended a Tea Party!
…identified her from a photo taken by the Govt @the event!
“They informed him that they knew that his wife had attended a Tea Party”
Thanks Doug. I went to a Tea Party in San Diego Sunday for the first time. Nice group of people, funny signs.
I suppose the the Stasi doesn’t really beleive in democracy and the right to free assembly. Troubling thought.
In the previous thread, we had a commentor claim Britan was no no longer a socialist country, hadn’t been one for years. And then Wretchard runs out this new topic. Well, I suppose now we know where James O’Keefe and Hannah Giles got their training…
The chicken…sticks who staff these agencies are too afraid of and overwhelmed by the real problems, so they spend their time making up and enforcing meaningless rules against generally peaceful law-abiding folks. Much easier to hire and retain a police force brave enough to follow a mom and her little kids around than to staff the sort of force necessary to face down terrorists armed with real weapons and mean enough to use them.
On the issue of computer security, I can probably speak with more authority than most around here, having spent a good number of years trying to build systems that could be secure. It’s a nearly hopeless task for the time being. People want computers to do things – that’s why they buy them after all – and the connections and programming necessary for computers to do those things make the computers exploitable. Theoretically systems could be made invulnerable, but only with a fairly rigid set of requirements for all programs deployed, and no such set of requirements can be imposed while the applied uses of computers is still exploding. The desire for features outstrips the desire for security. The only real solution is the diversity approach – have enough different systems that nothing can infect them all. Create backups of your data, including versions in different, simplified formats (e.g. raw text csv files in addition to the backup of your sql datastore, rtf versions of your doc files, etc.).
And don’t click on stupid things. Just because a determined thief can pick the lock on your front door is no reason to leave the plasma TV on the front porch overnight.
Good Old NY Times
Brother of Afghan Leader Is Said to Be on C.I.A. Payroll
Ahmed Wali Karzai, the brother of President Hamid Karzai and a suspected player in the opium trade, has gotten payments from the C.I.A. for eight years, American officials said.
Times Topics: Ahmed Wali Karzai
Lesson from paleontology: When real catastrophe arrives, the dominant species (like huge dinosaurs or mammonts) die out first, but all small bacteria originated 3.7 bn years ago are still with us. They survived several dozen global scale catastrophes like asteroid impacts.
Sergey,
all small bacteria originated 3.7 bn years ago are still with us
So bureaucrats are immortal?
Doug,
If the NY Times had tried stuff like this during Korea or WW-II the relatives of US casualties would have converged en masse on their headquarters and cleaned the place out, as millions cheered.
JMH,
Back in 1986 I was very briefly assigned a collateral duty as Information Security Officer for COMNAVSURFPAC (N-2), Intelligence. The accompanying Instruction helpfully suggested that all computers be disconnected from telephone lines and placed more than X number of feet from windows, walls or embedded power lines. See how easy it is to be secure?
Doug,
I don’t believe it. Real threats are real but there is no infrastructure in place capable of scanning photos of random crowds and picking out some job candidates wife and then informing the guys interviewing him. That is tin foil hat level crazy. The real threats are bad enough. My suggestion is that you stop relying on the Grauniad and anonymous radio callers. The wiki would be more reliable. The Guardian is promoting the infiltration of the immigrants to transform society and the campaigns of sedition that provoke the BNP reaction covered in the last thread.
The acquittal of the two trespassers who claimed they acted to prevent war crimes was one of the more serious fire breaks that have struck against Western civilization. The masturbatory glee of left wing lawyers at deconstructing the defenses of a safe law abiding society is what empowers the reactionaries. They do it partly because the resulting right wing activity stimulates funding for the left. Police state surveillance is something to fight but there is a legitimate role for trained professionals to be identifying and removing real threats.
You guys worry too much. If the Iranians can create a traffic choke point/ bottleneck and do deep packet inspection, nobody else would. Undersea fiber optic cable cuts, that damn shifty sea floor and care to the loath thyself in the English village.
Interesting post, at least on timing, considering that October is cyber-security month and this week a regular meeting of the Messaging Anti-Abuse Working Group (MAAWG) is being held. The keynote at MAAWG on Monday was U.S. Air Force Brig. Gen. David B. Warner, who outlined the new military cyber security defense initiative (http://www.maawg.org/news/maawg091015). But I digress.
The stat that jumped out at me though was that there were “44,000 reported incidents of malicious cyberactivity.” That is a laughably small number. In my experience most malicious incidents go unreported, especially when many of them are relatively small. For example, root cause analysis after a major attack often reveals a significant time period in advance of attack where you see probes of defenses and small test runs of the attack vector. These are often done to establish the thresholds for alerts/alarms, after which subsequent preparatory work is done under those thresholds of detection or alert.
The primary attack methodology that many security professionals are concerned with now are coordinated bot networks. These have special command and control networks (C&C) that are getting more sophisticated by the day, and the infection methods are extremely diverse and difficult to protect against. The attack that takes down some critical network component could be achieved by using your own botted computers to cause you to essentially attack yourself.
Of course, as the security community (especially on public networks) ramps up efforts to identify and tackle bots, there is increasing pressure to give up the use of such tools (one of the parts of ‘net neutrality’). Hopefully we don’t get into a situation where we give up a bunch of good technical tools due to some ideal of a crime-free network that doesn’t exist (or existed 20 years ago), leaving us without good defensive tools.
LOTM:
I once made a “workplace instructional video” on how to secure a computer. It began with me unplugging the network cable, then using a dremel tool to cut off the wireless antenna, then a drill with a hole saw to cut a hole in the case, into which I poured cement.
The audience was my colleagues on the security team, the purpose being to show them how absurd the typical instructions for securty were. Not sure I really got through to many of them, but it was fun to make it!
In the Alone thread two thing came up that I would like to discuss further.
1. Is the ability to get an abortion really a show of the power of the state? I would think that being forced to get an abortion a la China was more in that realm. Or the opposite of China where abortions are only available in a black market.
2. Is classical liberalism about individual rights or the right of groups to form polities? i.e. were our founders classical liberals or something more radical. Should the Declaration have stated: All Groups are created equal?
===
Security – absolute keeping of secrets is impossible. The best you can do is keep them for a time and slow their diffusion. And for those of you in the know – Shakespeare Storm. And no matter how good your crypto – sigint and procedural mistakes will compromise your secrets to a greater or lesser extent. People are very good at ferreting signals out of the noise.
Of course it is all a double edge sword. If you know you have been compromised and your opposition does not know that you know then you can use that to mislead. Double crosses, triple crosses, quadruple crosses, and on up the line until you are in a wilderness of mirrors. What does a man stand for?
In many respects our hardware is way too complicated. It is very easy to hide a Trojan in the code for a hundred million transistor computer. Not so easy if the computer has only 100,000 transistors. And you know you only get about a 20% gain in efficiency from those extra 99 million 900 thousand transistors. A gain that will be swamped by the next process tweak let alone the next process generation.
In addition the proliferation of wireless to reduce installation costs will come back to bite our factories. As a controls engineer I can preach all I want. The bean counters ain’t listening. There should be no internet protocols on airplanes. It should all be custom comms. protocols. Well I have no influence and the Internet is so trendy. But you know what? There is no guarantee your message will get through. And Ethernet is very high speed if singly loaded. Get many on a bus and your through put can go to zero. It is somewhat deterministic when lightly loaded totally non deterministic when the loading is heavy.
This is fixed where comms reliability is critical by assigning devices time slots.
So why do we get the 100 million transistor processors from Intel? It makes it harder for AMD to copy them. Good for Intel. Bad for security.
8. Tired:
#7….or deny medical coverage to prisoners on death row.
Some of them are innocent. In Illinois the number of innocent was significant. Case closed sounds much nicer than “we haven’t found the right guy”.
17. toad,
Is just the guy I’m looking for to break a system. The guy who decides the security procedures are just a pain. That gives a “break” or a “crib” or some clue I can use to turn the noise into a useful message.
toad,
You might want to read a book on the crypto wars of WW2.
Body Guard of Lies
Then do deeper research.
M.Simon, we have the hardware we do today because all that “extra” capacity will get used for something. Fancier 3D graphics, speech recognition, intelligent auto-complete, background heuristics to improve local searches, dopey paperclips asking if need help, whatever. Something. A big part of the computer industry has been someone with an idea repurposing a bit of hardware to serve that idea.
For example, Apple set out to create a graphically-based computer, and the product line just sort of drizzled along for years, not quite dying but never taking off. Microsoft came along and repurpopsed a hardward platform build mostly for character-based computing into a GUI and kaboom, everything took off, including Apple’s eventual successor offerings. Or the Internet repurposing protocols meant to send academic papers back and forth into the worlds biggest shopping mall and peep theater.
None of these things can be secured very well because the basic systems are constantly being pressed into service supporting uses they were never designed to support. Whatever security subsystem might have been built into the original design won’t recognize the new use as legitimate and will try to block it, so the security subsystem gets turned off. Then of course a replacement security system that understands the new use is cobbled together to sit on top of everything, but since it wasn’t baked into the original design it is much easier to exploit than something organic to the system. Plus everything is evolving so fast nothing can really be properly testing in time to still be relevant…
Here is an article on “digital ants” i.e. the use of swarming to detect and alert to computer security breaches: http://dsc.discovery.com/news/2009/10/28/digital-ants-computer.html