Volkswagen’s Smoke and Mirrors

Volkswagen just got caught using software to make their cars pass US emissions testing. According to the reports, when the engine software detects that the car is being tested, it turns on all of the emissions controls full bore; the rest of the time it does not run the emissions controls at full bore.

This really brings to light the power of software in our everyday lives. It also brings to light the power of the people behind the software. I suspect that this would have continued to go unnoticed for many years if those pesky researchers hadn’t stumbled across the data.

Unfortunately, practically all software found in cars is closed source, so even if you wanted to take a look at the source code, you couldn’t. Now that VW got caught, it is likely that regulators will be looking at other car manufacturers and asking for access to their code. I have to wonder what other industries this may bleed over to as well. I can see the petroleum and energy industries facing scrutiny. How can one be certain that an oil rig or power plant is in compliance when you can’t trust the instrumentation?

Thoughts on the Hacking Team

The recent hack of the Hacking Team makes me think of the symbiotic relationship between government and industry regarding cyber warfare. Only a Nation State has the legal authority to engage in any type of warfare, whether physical or cyber. However, it doesn’t accomplish this without the assistance of contractors. In the realm of cyber warfare, it is contractors like the Hacking Team that governments go to for assistance.

The hack of the Hacking Team has opened up a world that was hidden from almost everyone. The relationships described in the hacked documents show a company willing to sell top-notch zero-day hacking tools to a wide variety of governments. I don’t know if their sales were legal or not, but just the breadth of customers is shocking. It appears that everyone wanted to get a piece of the action.

What is the role of government in all of this? A portion of the government is concerned with using these tools for spying, and another part of the government is concerned with protecting our computer systems from these types of hacks. Once a part of the government learns about a critical flaw that is being exploited across the world, is there a moral obligation to inform the vendor so they can patch the flaw?

For every day the exploits sold to the FBI by the Hacking Team were in use, millions of US government and commercial computers were vulnerable, and nothing was done about it. The irony is that the same vulnerabilities existed within the FBI’s own computers, making it a potential victim as well.

It has to be difficult to conduct this balancing act when on one hand you want to use the tools available to conduct investigations, and on the other hand you want to protect America from these types of attacks. What is sad is that there has been no public discussion within our Government on what our priorities should be. Should our priority be to maintain an investigation capability, or to protect our systems? My belief is that potential harm due to the continued exposure to the zero day outweighs the investigation benefit in nearly all circumstances. If our banking, healthcare, utilities, and security systems are hacked using one of the exploits that are in the tools sold by the Hacking Team, the potential harm is significant.

Subverting OPM

By now you know of the cyber break-in at the Office of Personnel Management (OPM). This is bad news, but it wasn’t unexpected. If you think about it, the security background information of all of the Federal workers is a great target. It is an obvious target and the system should never have been allowed to connect to the internet.

The security background investigation that OPM conducts is probably one of the most personally intrusive events a person can go through. You basically put your entire life on the line for someone to “adjudicate” if you are trustworthy or not. Not only that, you sign away any shred of privacy and give the Government carte blanche to look at every record associated with you. This includes medical, mental health, finance, legal, and so on.

One of the goals of the investigation is to identify what could be used to blackmail you, and to get that out in the open before any blackmail attempts can be made. If you have something in your past that you want to hide, tell OPM exactly what it is so it can’t be used against you. This information is so private that your boss never gets to know what it is; all they get is a yes or no on whether you have a clearance.

Originally, the Standard Form 86, the background investigation paperwork, was just that: paperwork. I remember filling out the paperwork by hand for my first background investigation. It was long and tedious, but it wasn’t on a network to be hacked. Later they passed out a disc with a program on it. You’d run the DOS program and fill it out, then print out your SF–86 for the investigator. All the program did was some logic checks and compensate for my poor handwriting. Again, it was still only paper, although there was now a local file that could potentially get loose. You generally put it on a 3.5-inch disk that you kept for yourself.

Then came online SF–86. I remember when I had to use it the first time. I asked if I could submit a paper version instead because I was afraid their systems would be hacked. I was told “no”, and that the new system was mandated. They said it was secure since it used SSL from the browser to the server.

I feel betrayed by OPM. I have not received notice that my information is now floating around somewhere in China or elsewhere. They had an obligation to use every tool at their disposal to protect my information and they didn’t. For starters, all they had to do was store the data offline until someone needed it. Just because you can have immediate access to the data doesn’t mean you should. Encrypting the data would only help if it was encrypted at the record level, such that however the attackers got in, they would not have the encryption keys at their disposal. Encrypting data at rest is useless if the attacker has access to the keys.

I do not know who performs the background checks for the CIA or FBI, but if it is OPM, I’d be very worried. I’d be worried that our intelligence operatives and counterintelligence professionals could be identified. This breach could easily cause multiple operations to be blown, and in the worst case cost several good people their lives. Let’s hope that those records are secure.

The lesson learned here is that Government IT is not always about cost. Many PMs in the Government push for lower and lower cost IT solutions at the expense of security. Sometimes you are a target and you need to have a very defensive mentality in designing your systems. No defense is theoretically perfect, but if you can raise the bar for an attacker such that they will likely be caught, then you have a chance.

I’m sure OPM will learn from their mistakes. However, this is a hell of a mistake to use as a teaching point. It should never have happened.

Commerce Department, Really?

So, today the US Commerce Department decided that Intel should not be allowed to sell Xeon chips to China for National Security reasons. Really? How does the Commerce Department expect to stop the Chinese from getting Xeon processors?

This is another example of the US making really bad decisions. If you can’t enforce a ruling, why make a ruling that makes you look like an idiot? There is no way the US will prevent Xeons from flowing into China; at best, it will force the Chinese to buy them in small lots elsewhere and ship them back home.

The Attack on Sony: Attribution and Act of War

Now that the devastating cyber attack on Sony has been declared to be the result of an attack by North Korea, there are a couple of serious questions to be answered:

  1. Is North Korea actually responsible?
  2. If North Korea is responsible, is this an act of war?

Now, I have no inside knowledge on the FBI (and probably NSA) investigation, so everything here is pure speculation. Getting attribution right is damn difficult in cyber attacks! It is very difficult because:

  • Cyber weapons can be used by a wide range of actors. For example, the weapon could have been created in North Korea, but used by someone else. This is no different than blaming the US if someone used one of the tanks we sold to another country to do harm.
  • Cyber weapons can be “launched” from anywhere on the internet. Unlike conventional weapons, you can’t necessarily follow them back to the source. Now in this case, where they stole massive amounts of data, if you are able to find out who received the data that would be a huge clue.
  • The nature of cyber weapons opens them up to easily laying down a false trail. For example, want the Russians blamed? Borrow some of their code and hire a coder who knows Russian. If you want to really blame someone else, then have the stolen data go to them. Want to blame the Brits? Have the stolen data land on a server in London.

Simply put, you can’t trust much of the evidence you collect during an intrusion investigation. You must have a whole separate analysis of whether you can believe the evidence before you, and you may not be able to make a determination.

The only fool-proof way of attributing an attack is to match a wide range of evidence, including spies within the guilty government, and then capture the digital fingerprints coming out of their hacking organization. You almost need to have an insider in their hacking group who could provide you written evidence that they did it. Anything else might be compelling but is more likely to be circumstantial at best, and intentionally misleading at worst.

I suspect the FBI and the NSA understand the challenges of attribution and would not have gone public with such accusations without solid evidence. I don’t know how much filtering of the evidence has taken place from the front-line analyst to the President, but let’s hope that all of the uncertainty caveats floated to the top (no Iraqi WMD otherwise).

Did North Korea do it? Personally, and without any specific insight, I doubt it. Here’s why I believe so:

  1. Based on news reporting, it looks like the attackers would have needed detailed inside information to be so successful… this is more consistent with a disgruntled Sony employee than North Korea. North Korea could have infiltrated Sony, but why?
  2. If North Korea had this level of capability, why use it to stop a movie from being released? They are a country constantly preparing for war, and I doubt they’d show off this capability to South Korea or the West. Doing so gives South Korea and the US time to harden the systems required to conduct war against North Korea.
  3. I’d like to think that during the discussion within North Korea on doing this, someone spoke up and mentioned that this might backfire. I didn’t want to see The Interview until this happened. Now I want to see it just to piss off the hackers.
  4. While no one claims North Korea to be a “rational actor”, following the attack with a threat to attack movie goers at the theaters is beyond stupid for a Nation State. What once was a mere act of sabotage is quickly elevated to where a Nation State response would be called for. To go after a company you disagree with is one thing, but to threaten to murder innocents crosses the line for a Nation State capable of sending snipers into America. Now, if it was a hacker group without any such capabilities, this threat could be considered a hoax and an empty threat, and perhaps not taken as seriously.

I really don’t know if North Korea did it or not. If they did, it was a stupid move on them. Maybe they did it and they are stupid, or maybe someone has set them up to take the fall.

Now let’s look at whether this is an Act of War. No, it wasn’t. At least I don’t think it was. I’ll admit that I’m not a lawyer with expertise in international conflicts, so maybe I’m off on this. But here’s why I think it wasn’t an Act of War.

  1. The attack was on a company and not on any Government institution. The company selected is an entertainment company and not an American vital interest (like a power company for example).
  2. The attack wasn’t even an act of terrorism. It was not designed to influence the behavior of the US Government, but of a single corporation. For it to be terrorism, they have to be trying to influence the behavior of the US Government. Now, if someone besides North Korea is trying to frame North Korea, then you might be able to argue that it is trying to influence the US Government’s behavior towards North Korea.
  3. Nothing in the attack suggests that it is an attempt to topple the US Government. It appears that their goals were limited to stopping the distribution of a single movie. Maybe we’ll learn more later and there is a bigger goal here that hasn’t been seen yet, but so far it was just Sony.

Now, you’ll notice that I didn’t include “because North Korea denied doing it”, and that is because it is hard to believe anything coming out of North Korea, even if it is true. Their propaganda is so strong, who knows anymore what is true and what is a lie.

So, what is this? It is:

  1. A wake-up call to corporations that haven’t thought themselves a target in the past. Why should Sony have top-notch cyber security? It is only an entertainment company. Well, we now know why.
  2. A criminal act that should be treated as such. Don’t give these attackers any more clout than they deserve. They are criminals. Let’s not raise them to be the next all-powerful terrorist organization that casts a shadow on our Country for the next twenty years.
  3. A case for strong encryption throughout the enterprise. If all they got was an encrypted blob then it would have been bad, but not devastating. Design your systems with this attack in mind. What if this data were stolen?
  4. A reminder that you shouldn’t put something in email that you don’t want to be made public. If you really need to have a discussion on how bad famous actors are, call a meeting or get on the phone. If you write it down in an email it will never go away.
  5. If this was an inside job, it highlights why a good work environment for the IT staff is important. Now do you understand the power they have? If you have a staff you can trust, then this wouldn’t happen. Also, it reminds you that you should have corporate processes in place to see who may be a disgruntled system admin, and to quickly remove that person’s accesses if there is suspicion that they may be planning something like this. Not a fool-proof approach, but more likely to catch someone before the big hack than doing nothing at all.
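The OPM post above argues that encryption at rest only helps if it is done at the record level with keys the attacker cannot reach, and item 3 here asks what an attacker would get if all they stole were encrypted blobs. The following is an added example, not code from this site, from OPM or from Sony, showing that design: every record gets its own data-encryption key (DEK), each DEK is wrapped by a key-encrypting key (KEK) that lives only in a separate key service, and the key service logs every unwrap. The KeyService type stands in for an HSM or KMS, and the SF-86 records are constructed sample data; both are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRecord is one row as it would appear in a stolen database dump: the
// body ciphertext and the per-record data key, itself encrypted under a KEK
// that is never stored with the data.
type StoredRecord struct {
	ID         string
	WrappedDEK []byte // AES-256-GCM, nonce prefixed, encrypted under the KEK
	Ciphertext []byte // AES-256-GCM, nonce prefixed, encrypted under the DEK
}

// KeyService stands in for an HSM or KMS (an assumption of this example). The
// KEK never leaves it; callers may only ask it to wrap or unwrap one data key
// at a time, and every unwrap is logged by record ID.
type KeyService struct {
	kek       []byte
	UnwrapLog []string
}

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

func (k *KeyService) Wrap(dek []byte) ([]byte, error) { return gcmSeal(k.kek, dek, nil) }

func (k *KeyService) Unwrap(id string, wrapped []byte) ([]byte, error) {
	k.UnwrapLog = append(k.UnwrapLog, id)
	return gcmOpen(k.kek, wrapped, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext under key with a fresh random nonce prefixed.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails on a wrong key, wrong aad or tampering.
func gcmOpen(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:ns], data[ns:], aad)
}

// EncryptRecord makes a fresh DEK for this record, encrypts the body under it
// (binding the ciphertext to the record ID through the AAD), has the key
// service wrap the DEK, and keeps only the wrapped copy.
func EncryptRecord(ks *KeyService, id string, body []byte) (StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredRecord{}, err
	}
	ct, err := gcmSeal(dek, body, []byte(id))
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := ks.Wrap(dek)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord is the only legitimate read path: one unwrap per record, so
// bulk exfiltration shows up as bulk unwrap traffic at the key service.
func DecryptRecord(ks *KeyService, r StoredRecord) ([]byte, error) {
	dek, err := ks.Unwrap(r.ID, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, r.Ciphertext, []byte(r.ID))
}

// AttackerWithDump models the breach: the attacker holds a copy of the table
// plus whatever key material was stored beside it, and tries each record.
// It returns how many data keys (and so bodies) it could recover.
func AttackerWithDump(dump []StoredRecord, stolenKeys [][]byte) int {
	recovered := 0
	for _, r := range dump {
		for _, k := range stolenKeys {
			if _, err := gcmOpen(k, r.WrappedDEK, nil); err == nil {
				recovered++
				break
			}
		}
	}
	return recovered
}

func main() {
	ks, _ := NewKeyService()
	// Constructed sample records, not real SF-86 data.
	a, _ := EncryptRecord(ks, "sf86-0001", []byte("applicant A: prior bankruptcy"))
	b, _ := EncryptRecord(ks, "sf86-0002", []byte("applicant B: foreign contacts"))
	dump := []StoredRecord{a, b}
	fmt.Println("dump only, guessed key:", AttackerWithDump(dump, [][]byte{make([]byte, 32)}))
	fmt.Println("dump plus KEK kept in app config:", AttackerWithDump(dump, [][]byte{ks.kek}))
	body, _ := DecryptRecord(ks, a)
	fmt.Printf("adjudicator read %q; key service logged unwraps %v\n", body, ks.UnwrapLog)
}
```

The two AttackerWithDump calls in main make the OPM point directly: with the table alone the attacker recovers nothing, and with a KEK that was stored next to the data the same attacker recovers every record, so the value of the scheme lies entirely in keeping the KEK somewhere the database compromise does not reach. The AAD binding also stops an attacker from relabelling one person’s record as another’s, and the unwrap log is what an operations team would alarm on when millions of records are read in a short window.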

I’m hoping that they catch these criminals soon. I’d like to know with some confidence who did it and why? Was this a prank gone overboard? Was a hacker inspired by North Korea responsible? Was this actually done at the direction of North Korea? There are a lot of unanswered questions that remain. Perhaps the FBI has a better understanding and maybe even some answers. I wish them the best of luck bringing them to justice.

Even if the FBI is convinced that North Korea did it, I think we should agree to their proposed joint investigation. What an interesting experience that would be, and we might get some real insight into their cyber forensics capabilities. Who knows, if they didn’t do it, maybe they could actually help us find the actual culprits. Or, maybe it would be something akin to a show trial. In any case, if it happens, will someone please make a movie out of it. I have to wonder what studio will pick up the movie rights to Sony’s experience?

Thoughts on Net Neutrality

There has been much in the press about the arguments for and against Net Neutrality. I think that the bottom line is that no one thinks Title II is the perfect solution, but it is generally seen as a better solution than the situation we have today. While violations of net neutrality are rare, there is legitimate concern that ISPs will use their monopolistic powers to discriminate against certain content providers.

The ISPs are not the only ones to blame in this. Our Government, and especially local governments, gave cable companies monopolies in exchange for providing service. No one at that time could have imagined that cable would become the backbone for broadband internet connectivity when those monopolies were granted, but it has turned out that way. While we can’t undo the monopolies without drastic measures, ensuring that the monopolistic powers do not influence their business strategies is what this discussion is about.

I still have not heard a good argument against Net Neutrality. The arguments are generally about how they must handle too much traffic from specific content providers and therefore should get paid. If that is the case, what am I as a customer paying for? I’m currently paying for 400GB of data per month with my Cox internet service. The 400GB is my data cap. It shouldn’t matter if I use my 400GB in the first two weeks streaming movies, or if I don’t come close to using that much data. I should be able to get 400GB of data to my house from whatever legal content provider I want to. Why should my content providers pay Cox to deliver the bits I’ve already paid for? If their network can’t handle it, then they should stop offering the service and get out of the ISP business.

As a customer it looks like the ISPs want to get money from both ends. I heard one argument that they are looking to be like newspapers, where not only do advertisers pay, but so do the consumers. First of all, look at how well that model is doing today for newspapers. Secondly, the content providers do pay for their access to the internet. Their bandwidth is not free.

Unless Congress suddenly passes a Net Neutrality law I don’t see any other way besides reclassification under Title II that would result in Net Neutrality becoming the law of the land. If it doesn’t work, then the FCC has the power to change the classification again and Congress always has the power to pass a law.

My ideal ISP is a company that honestly believes that it is a utility. I don’t want the up-sell or other services. If they can add cable TV and suddenly my internet bill drops for six months, what they are telling me is that they are overcharging me for internet. Since that has happened recently, at least my ISP is making enough profit to slash my internet bill (if I add TV or phone), and their existing business model must be sufficiently profitable to allow them to make these offers. With such profits, they certainly can live without additional money from content producers.

My Heartbleeds for the Net

This week we learned of the Heartbleed flaw in OpenSSL. This could be devastating for the net and for the foundation of trust between users and companies. So much has been written on it that there is little to add, except that I think this is what is so wonderful about open source software.

Had this occurred in a proprietary SSL library, we may never have learned about it. A company could have kept it secret and simply fixed the problem in a future update. A dishonest company might not even inform its clients of the flaw, or of the fact that their servers had been vulnerable for almost two years.

Instead, OpenSSL is open source, so we know of the bug, and in fact we know exactly when the bug was introduced and who introduced it. We have no way of knowing the programmer’s intentions (was he paid to insert this bug or not), but he’s said that it was just a stupid mistake. Being open source, it has also caused a grassroots effort to review the code and to make it more secure. The end result will be a much better OpenSSL (or LibreSSL) library that will be more secure than ever.

The sad news is that this evaluation and effort could have been done before this flaw was found. Any of the big companies could have donated manpower and money to a code review and to maintaining the code. They benefited from OpenSSL but didn’t give back to the community to the level appropriate given the risk of a critical flaw in OpenSSL. If you are going to base your trust with your customers on an open source library, and you have the resources, it would be wise to help make sure that library is as good as possible.

I hope that web companies will quickly fix their versions of OpenSSL and then get new certificates. A new certificate only helps if it is issued for a newly generated private key and the old certificate is revoked, since the private key itself could have been read out of server memory along with everything else. Then we as users will have to update our credentials and hope that will reduce the risk. Maybe no one knew about this bug and was exploiting it for the past two years, and maybe not. Given that it doesn’t leave a trace, you can’t count on security through obscurity. We as a networked society will get through this and hopefully we will learn from this and make a more secure net for the future.

A Sea Change Against the NSA

A lot has happened since Edward Snowden started his leaks. Right after the first leaks regarding PRISM, I wrote my Congressman and Senators asking them to put an end to this unconstitutional mass surveillance. I received replies from all of them with basically the same story. They said that Snowden was a criminal and that all of the NSA surveillance was “legal”.

Since then, we have learned that the NSA has taken advantage of all possible technical collection opportunities regardless of the potential impact to our international relations or economy. It appears that if it was technically possible, then it was done.

The NSA has a huge job to do and has been pushed to its limits to meet an endless desire for intelligence. The idea is that if you build a large enough haystack, there is bound to be a needle. In this process, the NSA has either forgotten or ignored one of the golden rules of intelligence collection. You must weigh the potential value of the collected intelligence against the potential fallout when your activities become known.

Was building the world’s largest haystack worth it? No. From what has been released by the Government’s own review panel, the mass collection of metadata hasn’t helped in any counter-terrorism investigations. So instead of supporting our legitimate counter-terrorism efforts, the NSA’s efforts have resulted in a general distrust of the American people toward their elected government, economic damage to US Information Technology (IT) companies, and damage to our international relations with our Allies.

In my letters to my Congressman and Senators, I asked if they believed if the NSA mass collection was constitutional, and if so, why. I got back form letters stating that it was legal. Being legal is not the same as being constitutional. In fact, I’d argue that any law that allows the Government to violate the Constitution is in itself null and void. I do not believe that Congress has the constitutional authority to pass unconstitutional laws. I suspect that you could argue that many laws are unconstitutional, but just because those laws were passed, doesn’t mean that Congress had the authority to pass them.

I do not agree with Edward Snowden’s decision to release the full range of information that he has to date. I disagree with the release of information about NSA’s legitimate foreign intelligence collection efforts. That is what the NSA should be doing, although consideration of the potential fallout once these activities were known should have taken place. I do think that his release of information regarding the unconstitutional collection of American phone records does fall under the category of whistleblowing. The fact that he’s released more than that really complicates my thoughts on what should be done about him.

One thing we do need is a new Church Committee, and a thorough and public discussion on what activities we want our intelligence agencies to do in our name. Do we really want our Government to subvert cryptographic standards? I don’t. Do we really want our Government to spy on Foreign governments? In some cases, yes, and in some cases, no. But we should have an open discussion on what we as a Nation should do. Technology is amazing, and it not only empowers new ways of communicating and building relationships, it also empowers an abuse of powers by those who may or may not have good intentions.

I’m glad to see some progress being made in intelligence reform. The steps that have been made have been remarkably small and have only been made under duress. I am now seeing the IT companies combine their lobbying efforts within Washington, and I think that will have an impact. I hope that the next set of elections will bring out candidates that stand for the Constitutional limits on Government power. There is much more reform that must occur. The first thing that needs to happen is the Supreme Court reaffirming the Fourth and First Amendments in the 21st Century. It is simple common sense that collecting the metadata from my communications is an unreasonable seizure of my data (even if held by a telco). I don’t think that companies should be collecting this data either, but they aren’t held to the same standards as the Government by the Constitution. Once that decision is made, then we need to dismantle the mass collection activities and let the NSA and FBI focus their collection on actual criminals.

I wonder if I’d get the same form letters back today if I wrote my Congressman and Senators or not. I’d like to think that their attitudes have changed, especially now that they know that their own phone metadata has been collected as well. It will be hard for any politician to admit that their previous hardline stance was wrong, but I hope that some in Congress have the political willpower to realize that the Constitution should come before their fundraising efforts.

EFF Gets into Computer Forensics

The EFF is now in the computer forensics business. They just posted an analysis of a malware attack which appears to be coming from Vietnam. I find it sad that a non-profit organization promoting internet freedom now has to invest the resources to conduct computer forensics.

I am not surprised that they were targeted, but are we getting to a world in which everyone has to be a computer forensics expert in order to live online? I look at my very young son in front of me, and wonder if I have to teach him this even if he wants to be an artist? Is this the price of having an opinion and being willing to speak out on what you believe?

It all comes down to the quality of the software we run. If the software were written correctly then it wouldn’t have flaws that could be exploited. If anyone can come up with a way to improve the quality of software to that level, they will be the next billionaire. So, to make up for a lack of software quality, the EFF now has to train its staff to be on the lookout for malicious emails, and establish a computer forensics capability. I’m sure they would rather be spending their time protecting our internet freedoms.

A Critical Look at Today's Technology