Thursday, July 17, 2014

Implications of Quantum Capabilities, TAO, and other nasty tricks

From the just in case you weren't paying attention file...I know I haven't been keeping up on my reading for quite some time.

Original source article here.

A comprehensive internal presentation titled "QUANTUM CAPABILITIES," which SPIEGEL has viewed, lists virtually every popular Internet service provider as a target, including Facebook, Yahoo, Twitter and YouTube. "NSA QUANTUM has the greatest success against Yahoo, Facebook and static IP addresses," it states. The presentation also notes that the NSA has been unable to employ this method to target users of Google services. Apparently, that can only be done by Britain's GCHQ intelligence service, which has acquired QUANTUM tools from the NSA.
 ...and, of course, Bruce Schneier clued me in that I missed it.  And because the article that led me to that one is hugely important too...here it is.

Now, yesterday I wrote about why 'they' do it, with 'they' being a reference to a certain group of bad guys.  The question today is...well, not why the NSA does it, we know the answer there, but rather how certain are you that they (the NSA) are only doing this stuff to the bad guys?  Because, to be honest, a lot of the monitoring tools sound like they are targeted at normal citizens.  Or at least the widely used internet services that vast segments of the internet citizenry frequent.  The list of sites and the tools to exploit them are not only the domain of bad guys, but regular people all over the world.  While I'm sure that people with bad intentions use those sites too, I would expect a bit more cloak and dagger than just hiding in all the noise in plain sight (or site?) on Facebook, Yahoo, Twitter and YouTube.  However, I suppose, it is easier to poison the waterhole rather than track the 'critters' as they move through the woods.

I think that one of the most worrying aspects of this type of information is that when my peers and colleagues talk about this vulnerability or that vulnerability, there exists a whole host of exploits and things that we DON'T know about.  In fact, even the vendors don't know about them, as opposed to quietly knowing about them and working on a fix without having mentioned it publicly yet.  It is not just the governments that are keeping these things a secret, but to a certainty the bad guys have their own bag of tricks they are not keen to share (but are very willing to sell).

Other people making choices for me...


Now this list of compromises has caused me to think and notice on Facebook that videos that people share of cute and funny things have started playing automatically.  I used to have to click on something to make it play, which I was happy with.  I really hate the fact that someone else at some point in time decided that I automatically want to play and see every video of a cat or dog doing something odd, strange, cute, or funny.  I did learn that you can turn this functionality off, by the way.  Again, the assumption that you want to opt-in unless you specifically opt-out is maddening.

There can be a myriad of reasons why I may not want to drink at the massive bandwidth firehose that characterizes many popular sites these days; first among them is that I don't trust every bit of eye-candy left out there.  This list of government tools and capabilities is foremost among them.  An old trick by bad guys is to leave something out in the open that lures you to interact with it and suddenly the trap is sprung.  Greek story of the Trojan horse, anyone?  Variations of this trick come in all forms.  Think vendor conferences and a vendor booth with a fish bowl of free USB memory sticks...complete with a chunk of stealth malware to infect your system when you plug it in.  Old trick, by today's timeline measured in internet speed, almost certainly a derivation of Ludicrous Speed.

Internet warning labels anyone?


I really like the trend in various states' legislation that requires the caloric content of restaurant menu items to be posted with the item itself.  It allows me to make a choice.  Now, obviously, like most people, I may choose to have that high calorie dessert once in a while, but at least I know the implications of my choice.

We really need some legislation to require the choices be left to the individual when it comes to internet content...maybe some warning language like on cigarette cartons.  "This link cannot be guaranteed to be safe.  Clicking it may have dire consequences, including allowing your government or a foreign government or an evil hacker organization to follow your every move."  I would have no problem with any elective setting to turn off such warnings and allow all content to flow automatically based upon user choices.  User choice being a key concept here.

Of course, all these government tools and compromises could be a major part of the reason why we don't have such legislation...heck, they could even rig the polls that might sample public opinion as to whether we feel it would be a good idea or not.

Monday, July 14, 2014

Why do they do it?

Well, a completely different source, from my usual dose of NPR, got me to scratch my head and inspired me to write today.  I was reading a slightly older post from a colleague at work who shared a link to an article...and began to think that there was much more to the subject than was being discussed.

The article from mid-June about why Russian hackers are so good is here.

One point that is very much missed is the simple fact that the good guys have to be right all the time.  The bad guys only have to be right once.  That certainly slants the numbers to your advantage if your failures are basically ignored and only your successes count.  A very simple point, but consider this too...every country in the world could have iron-clad security protection laws, yet one does not.  As long as bad guys have a safe harbor of their own to ply their craft, they will operate with impunity from that base of operations like the pirates of the 17th century that sailed the turquoise blue waters of the Caribbean.  This is an unrealistic description of a world slightly shy of the ideal, where only one country would have less than iron-clad laws.  However, the reality is that anywhere in the world where economic disparity exists, there exist opportunities for money to be made by hook or by crook.  This lends a Robin Hood-like charm to those that would steal from the 'rich' and give to the 'poor.'  This condition also gives a voice to those that see themselves akin to Robin the Hood and makes those that would otherwise play the role of the Sheriff of Nottingham less likely to enforce the laws, if any such exist, and care much less than they might otherwise be so inclined.

The Enemy of My Enemy


The Chinese have a saying, "the enemy of my enemy is my friend." If there is a country that has my country under its economic or military thumb, how eager might I be to bother to do anything other than encourage, albeit quietly, some computer hacker that is stealing from my enemy or causing them economic heartache?  Simple question, huh?  If I don't like my neighbor and you are stealing from my neighbor's house, why would I care?  Ok, maybe in good conscience you might care a little, but what if your neighbor was a rich, pompous jerk that did nothing but jump up and down and shout how awesome they are and it really sucked to have to live near them and see that all the time and no one liked him or her?...would you care then? Not so much, huh?

Let's take that a step further, what if this horrible excuse for a human was your neighbor and this person stealing their stuff was selling it real cheap at the swap meet? And some other less fortunate people in your neighborhood were able to buy some of this stuff for cheap and have a better life...would you be so quick to cry foul and demand that your local lawmakers or law enforcers do something to try to stop it? Dumb question, huh?

Certainly there are lots of historic reasons why a group of people become practiced at what might otherwise be considered questionable skills when they are fighting against an oppressor to survive.  Without being too controversial (what? no controversy...I'm outta here.), I'll point to the examples from the US Revolutionary War as one easy point of emphasis where questionable skills were used by the 'oppressed' against an 'oppressor.'  The soon-to-be-US stole assets from the British overlords to fund their new country.  We call them 'startups' today.  Should that mean that such skills, maybe being the easier path to tread than the path of hard work and innovation, should culturally become the norm?  Obviously not...would be the morally correct answer.

So when do you change from criminals to a respectable society?

I would hope that the answer to this question would be quite obvious...when you have something to lose.

Let's go back to the Chinese saying again.  What is the enemy of my enemy from our perspective? Hopelessness...or rather having nothing to lose.  Wouldn't it make more sense to help these fellow humans past the stage of hopelessness and teach them how to create their own intellectual valuables that they can cherish and thereby desire a system of laws of their own to protect those valuables?

Recognize the symptoms of the real disease.  Hopelessness, pure and simple.  If you have nothing to lose you are willing to ignore nearly every legal and moral precept to improve your condition.  The catalyzing event is when you suddenly accumulate enough capital (intellectual or real) that you feel you have to worry about someone else wanting to take it from you.

(Now that leaves no excuse for those three-letter-agencies out there that simply are evil because they can be...sorry...couldn't resist one controversial dig.)

Wouldn't it be better all around for those of us that have plenty to teach those that don't have much how to create their own business, with all the computer bells and whistles?  Better than trying to go into their country and export our businesses to their country for the purpose of exploiting their resources so we can have more stuff?  Now there's a risk management tactic you won't learn in school.