Posts

Showing posts from 2015

A Brief History of the Internet in Northern Virginia

Earlier today I happened to see a short piece from the Bloomberg Businessweek "The Year Ahead: 2016" issue, titled The Best Places to Build Data Centers. The text said the following: Cloud leaders including Amazon.com, Microsoft, Google, IBM, and upstart DigitalOcean are spending tens of billions of dollars to construct massive data centers around the world. Microsoft alone puts its total bill at $15 billion. There are two main reasons for the expansion: First, the companies have to set up more servers near the biggest centers of Internet traffic growth. Second, they increasingly have to wrestle with national data-privacy laws and customer preferences, either by storing data in a user’s home country, or, in some cases, avoiding doing just that. The article featured several maps, including the one at left. It notes data centers in "Virginia" because "the Beltway has massive data needs." That may be true, but it does not do justice to the history of t

Domain Creep? Maybe Not.

I just read a very interesting article by Sydney Freedberg titled DoD CIO Says Spectrum May Become Warfighting Domain. That basically summarizes what you need to know, but here's a bit more from the article: Pentagon officials are drafting new policy that would officially recognize the electromagnetic spectrum as a “domain” of warfare, joining land, sea, air, space, and cyberspace, Breaking Defense has learned. The designation would mark the biggest shift in Defense Department doctrine since cyberspace became a domain in 2006. With jamming, spoofing, radio, and radar all covered under the new concept, it could potentially bring new funding and clear focus to an area long afflicted by shortfalls and stovepipes. The new electromagnetic spectrum domain would be separate from cyberspace, although there’s considerable overlap between the two... But the consensus among officials and experts seems to be that the electromagnetic spectrum world — long divided between electroni

Not So Fast! Boyd OODA Looping Is More Than Speed

The name "John Boyd" and the term "OODA Loop" are probably familiar to many of the readers of this blog. I've mentioned one or the other in 2006, 2007, 2009 (twice), and 2014. Boyd was a fighter pilot in the Korean War and revolutionized thinking on topics like fighter design and military strategy. His OODA loop -- an acronym for Observe, Orient, Decide, Act -- is the contribution that escaped from the military sphere into other fields of thought. In a world that has finally realized prevention eventually fails, the need for a different strategy is being appreciated. I've noticed an increasing number of vendors invoke Boyd and his OODA loop as an answer. Unfortunately, they fixate on the idea of "speed." They believe that victory over an adversary results from operating one's OODA loop faster than an opponent. In short, if we do something faster than the adversary, we win and they lose. While there is some value to this approach, it

Seven Tips for Personal Online Security

Last year I wrote Seven Tips for Small Business Security, but recently I decided to write this new post with a different focus. I realized some small businesses are in some ways indistinguishable from individuals, such that advice for personal online security would be more appropriate for some small businesses. In other words, some businesses are scaled such that one or a few people are the entire business. In that spirit, I offer the following suggestions for individuals and these small businesses. 1. Protect your email. Email is the number one resource most of us possess, for three reasons. First, imagine that you forget your password to just about any Web site. How do you recover it? It's likely you request a password reset, and you get an email. Now, if you no longer control your email, an attacker can reset your passwords and take control of your Web accounts. How does an attacker know what accounts you own? That is answered by the second key to email: content. A quick

A Different Spin on the Air War Against IS

Sunday evening 60 Minutes aired a segment titled Inside the Air War. The correspondent was David Martin, whose biography includes the fact that he served as a naval officer during the Vietnam War. The piece concluded with the following exchange and commentary: On the day we watched the B-1 strike, that same bomber was sent to check out a report of a single ISIS sniper firing from the top of a building. Weapons officer: The weapon will time out directly in between the two buildings. This captain was one of the weapons officers in the cockpit. David Martin: B-1 bomber. Weapons officer: Yes sir. David Martin: All that technology. Weapons officer: Yes sir. David Martin: All that fire power. One sniper down on the ground. I thought the captain's next words were right on target: Weapons officer: Sir, I think if it was you or me on the ground getting shot at by that sniper we would take any asset available to make sure we were no longer getting, you know, engaged by

South Korea Signs Up to Cyber Theft Pledge

On Friday the Obama administration secured its second win toward establishing a new norm in cyberspace. The Joint Fact Sheet published by the White House includes the following language: "no country should conduct or knowingly support cyber-enabled theft of intellectual property, trade secrets, or other confidential business information with the intent of providing competitive advantages to its companies or commercial sectors;" (emphasis added) This excerpt, as well as other elements of the agreement, mirrors words which I covered in my Brookings piece To Hack, Or Not to Hack? I recommend reading that article to get my full take on the importance of this language, including the bold elements. It's likely many readers don't think of South Korea as an economic threat to the US. While South Korean operations are conducted at a fraction of the scale of their Chinese neighbors, ROK spies still remain busy. In January Shane Harris wrote a great story titled Our

For the PLA, Cyber War is the Battle of Triangle Hill

In June 2011 I wrote a blog post with the ever-polite title China's View Is More Important Than Yours. I was frustrated with the Western-centric, inward-focused view of many commentators, which put themselves at the center of debates over digital conflict, neglecting the possibility that other parties could perceive the situation differently. I remain concerned that while Western thinkers debate war using Western, especially Clausewitzian, models, Eastern adversaries, including hybrid Eastern-Western cultures, perceive war in their own terms. I wrote in June 2011: The Chinese military sees Western culture, particularly American culture, as an assault on China, saying "the West uses a system of values (democracy, freedom, human rights, etc.) in a long-term attack on socialist countries ... Marxist theory opposes peaceful evolution, which... is the basic Western tactic for subverting socialist countries" (pp 102-3). They believe the US is conducting psychologic

Personal Info Stolen? Seven Response Steps

Yesterday on Bloomberg West, host Emily Chang reported on a breach that affected her personally identifiable information (PII). She asked what she should do now that she is a victim of data theft. This is my answer. First, I recommend changing passwords for any accounts associated with the breached entities. Second, if you used the same passwords from the breached entities at unrelated sites, change passwords at those other sites. Third, if any of those entities offer two factor authentication, enable it. This likely involves getting a code via text message or using an app that generates codes. Fourth, read Brian Krebs' post How I Learned to Stop Worrying and Embrace the Security Freeze. It's a personal decision to go all the way to enable a security freeze. I recommend everyone who has been a PII or credit data theft victim, at the minimum, to enable a "fraud alert." Why? It's free, and you can sign up online with one credit bureau and the others will

Attribution: OPM vs Sony

I read Top U.S. spy skeptical about U.S.-China cyber agreement based on today's Senate Armed Services Committee hearing titled United States Cybersecurity Policy and Threats. It contained this statement: U.S. officials have linked the OPM breach to China, but have not said whether they believe its government was responsible. [Director of National Intelligence] Clapper said no definite statement had been made about the origin of the OPM hack since officials were not fully confident about the three types of evidence that were needed to link an attack to a given country: the geographic point of origin, the identity of the "actual perpetrator doing the keystrokes," and who was responsible for directing the act. I thought this was interesting for several reasons. First, does DNI Clapper mean that the US government has not made an official statement regarding attribution for China and OPM because all "three types of evidence" are missing, or do we have one

Good Morning Karen. Cool or Scary?

Last month I spoke at a telecommunications industry event. The briefer before me showed a video by the Hypervoice Consortium, titled Introducing Human Technology: Communications 2025. It consists of a voiceover by a 2025-era Siri-like assistant, speaking to her owner, "Karen." The assistant describes what's happening with Karen's household. Fifteen seconds into the video, the assistant says: The report is due today. I've cleared your schedule so you can focus. Any attempt to override me will be politely rebuffed. I was already feeling uncomfortable with the scenario, but that is the point at which I really started to squirm. I'll leave it to you to watch the rest of the video and report how you feel about it. My general conclusion was that I'm wary of putting so much trust in a platform that is likely to be targeted by intruders, such that they can manipulate so many aspects of a person's life. What do you think? By the way, the briefer before m

Are Self-Driving Cars Fatally Flawed?

I read the following in the Guardian story Hackers can trick self-driving cars into taking evasive action. Hackers can easily trick self-driving cars into thinking that another car, a wall or a person is in front of them, potentially paralysing it or forcing it to take evasive action. Automated cars use laser ranging systems, known as lidar, to image the world around them and allow their computer systems to identify and track objects. But a tool similar to a laser pointer and costing less than $60 can be used to confuse lidar... The following appeared in the IEEE Spectrum story Researcher Hacks Self-driving Car Sensors. Using such a system, attackers could trick a self-driving car into thinking something is directly ahead of it, thus forcing it to slow down. Or they could overwhelm it with so many spurious signals that the car would not move at all for fear of hitting phantom obstacles... Petit acknowledges that his attacks are currently limited to one specific unit but

Top Ten Books Policymakers Should Read on Cyber Security

I've been meeting with policymakers of all ages and levels of responsibility during the last few months. Frequently they ask "what can I read to better understand cyber security?" I decided to answer them collectively in this quick blog post. By posting these, I am not endorsing everything they say (with the exception of the last book). On balance, however, I think they provide a great introduction to current topics in digital security.

Cybersecurity and Cyberwar: What Everyone Needs to Know by Peter W. Singer and Allan Friedman
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter
@War: The Rise of the Military-Internet Complex by Shane Harris
China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain by Jon R. Lindsay, Tai Ming Cheung, and Derek S. Reveron
Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World by Bruce Schneier
Spam Nation: The Inside Story of O

Effect of Hacking on Stock Price, Or Not?

I read Brian Krebs' story Tech Firm Ubiquiti Suffers $46M Cyberheist just now. He writes: Ubiquiti, a San Jose based maker of networking technology for service providers and enterprises, disclosed the attack in a quarterly financial report filed this week [6 August; RMB] with the U.S. Securities and Exchange Commission (SEC). The company said it discovered the fraud on June 5, 2015, and that the incident involved employee impersonation and fraudulent requests from an outside entity targeting the company’s finance department. “This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties,” Ubiquiti wrote. “As soon as the Company became aware of this fraudulent activity it initiated contact with its Hong Kong subsidiary’s bank and promptly initiated legal proceedings in various foreign jurisdictions. As a result of these efforts, the Company has recovered $8.1 million of

Going Too Far to Prove a Point

I just read Hackers Remotely Kill a Jeep on the Highway - With Me in It by Andy Greenberg. It includes the following: "I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold... To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house 10 miles west. Instead, they merely assured me that they wouldn’t do anything life-threatening. Then they told me to drive the Jeep onto the highway. “Remember, Andy,” Miller had said through my iPhone’s speaker just before I pulled onto the I-40 on-ramp, “no matter what happens, don’t panic.” As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission. Immediately my accelerator stopped w

My Security Strategy: The "Third Way"

Over the last two weeks I listened to and watched all of the hearings related to the OPM breach. During the exchanges between the witnesses and legislators, I noticed several themes. One presented the situation facing OPM (and other Federal agencies) as confronting the following choice: You can either 1) "secure your network," which is very difficult and going to "take years," due to "years of insufficient investment," or 2) suffer intrusions and breaches, which is what happened to OPM. This struck me as an odd dichotomy. The reasoning appeared to be that because OPM did not make "sufficient investment" in security, a breach was the result. In other words, if OPM had "sufficiently invested" in security, they would not have suffered a breach. I do not see the situation in this way, for two main reasons. First, there is a difference between an "intrusion" and a "breach." An intrusion is unauthorized access

My Prediction for Top Gun 2 Plot

We've known for about a year that Tom Cruise is returning to his iconic "Maverick" role from Top Gun, and that drone warfare would be involved. A few days ago we heard a few more details in this Collider story: [Producer David Ellison]: There is an amazing role for Maverick in the movie and there is no Top Gun without Maverick, and it is going to be Maverick playing Maverick. It is I don’t think what people are going to expect, and we are very, very hopeful that we get to make the movie very soon. But like all things, it all comes down to the script, and Justin is writing as we speak. [Interviewer]: You’re gonna do what a lot of sequels have been doing now which is incorporate real use of time from the first one to now. ELLISON and DANA GOLDBERG: Absolutely... ELLISON: As everyone knows with Tom, he is 100% going to want to be in those airplanes shooting it practically. When you look at the world of dogfighting, what’s interesting about it is that it’s not a w

Hearing Witness Doesn't Understand CDM

This post is a follow up to this post on CDM. Since that post I have been watching hearings on the OPM breach. On Wednesday 24 June a Subcommittee of the House Committee on Homeland Security held a hearing titled DHS’ Efforts to Secure .Gov. A second panel (starts in the Webcast around 2 hours 20 minutes) featured Dr. Daniel M. Gerstein, a former DHS official now with RAND, as its sole witness. During his opening statement, and in his written testimony, he made the following comments: "The two foundational programs of DHS’s cybersecurity program are EINSTEIN (also called EINSTEIN 3A) and CDM. These two systems are designed to work in tandem, with EINSTEIN focusing on keeping threats out of federal networks and CDM identifying them when they are inside government networks. EINSTEIN provides a perimeter around federal (or .gov) users, as well as select users in the .com space that have responsibility for critical infrastructure. EINSTEIN functions by installing

The Tragedy of the Bloomberg Code Issue

Last week I Tweeted about the Bloomberg "code" issue. I said I didn't know how to think about it. The issue is a 28,000+ word document, enough to qualify as a book, that's been covered by news outlets like the Huffington Post. I approached the document with an open mind. When I opened my mail box last week, I didn't expect to get a 112 page magazine devoted to explaining the importance of software to non-technical people. It was a welcome surprise. This morning I decided to try to read some of the issue. (It's been a busy week.) I opened the table of contents, shown at left. It took me a moment, but I realized none of the article titles mentioned security. Next I visited the online edition, which contains the entire print version and adds additional content. I searched the text for the word "security." These are the results: Security research specialists love to party. I have been asked if I was physical security (despite security we

Air Force Enlisted Ratings Remain Dysfunctional

I just read Firewall 5s are history: Quotas for top ratings announced in Air Force Times. It describes an effort to eliminate the so-called "firewall 5" policy with a new "forced distribution" approach: The Air Force's old enlisted promotion system was heavily criticized by airmen for out-of-control grade inflation that came with its five-point numerical rating system. There were no limits on how many airmen could get the maximum: five out of five points [aka "firewall 5"]. As a result nearly everyone got a 5 rating. As more and more raters gave their airmen 5s on their EPR [Enlisted Performance Report], the firewall 5 became a common occurrence received by some 90 percent of airmen. And this meant the old EPR was effectively useless at trying to differentiate between levels of performance... Under the new system, [Brig. Gen. Brian Kelly, director of military force management policy] said in a June 12 interview at the Pentagon, the numerica