Friday, March 27, 2015

The Attack on GitHub Must Stop

For many years, private organizations in the West have endured attacks by the Chinese government, its proxies, and other parties. These intruders infiltrated private organizations to steal data. Those not associated with the targeted organizations were generally not directly affected.

Today an action by the Chinese government is affecting millions of users around the world. This is unacceptable.

You may be aware that, at the time of writing, an American technology company, GitHub, is suffering a massive distributed denial of service attack.

According to Insight Labs, Internet traffic within China is being manipulated, such that users are essentially attacking GitHub. They are unwittingly requesting two sites hosted by GitHub. The first is a mirror of the Chinese edition of the New York Times (blocked for several years). The other is a mirror of the GreatFire.org Web site, devoted to discovering and exposing Internet filtering by China's "Great Firewall."

As noted in this Motherboard story, it's unlikely a party other than the Chinese government could sustain this attack, given the nature of the traffic injection within the country's routing infrastructure. Even if somehow this is not a state-executed or state-ordered attack, according to the spectrum of state responsibility, the Chinese government is clearly responsible in one form or another.

It is reprehensible that the censorship policies and actions of a nation-state are affecting "over 3.4 million users and with 16.7 million repositories... the largest code host in the world." (Source)

The Chinese government is forcing GitHub to expend its private resources in order to continue serving its customers. I call on the US government, and like-minded governments and their associates, to tell the Chinese to immediately stop this activity. I also believe companies like IBM, who are signing massive IT deals with "Chinese partners," should reconsider these associations.

Tuesday, March 24, 2015

Can Interrogators Teach Digital Security Pros?

Recently Bloomberg published an article titled The Dark Science of Interrogation. I was fascinated by this article because I graduated from the SERE program at the US Air Force Academy in the summer of 1991, after my freshman year there. SERE teaches how to resist the interrogation methods used against prisoners of war. When I attended the school, the content was based on techniques used by Korea and Vietnam against American POWs in the 1950s-1970s.

As I read the article, I realized the subject matter reminded me of another aspect of my professional life.

In intelligence, as in the most mundane office setting, some of the most valuable information still comes from face-to-face conversations across a table. In police work, a successful interrogation can be the difference between a closed case and a cold one. Yet officers today are taught techniques that have never been tested in a scientific setting. For the most part, interrogators rely on nothing more than intuition, experience, and a grab bag of passed-down methods.

“Most police officers can tell you how many feet per second a bullet travels. They know about ballistics and cavity expansion with a hollow-point round,” says Mark Fallon, a former Naval Criminal Investigative Service special agent who led the investigation into the USS Cole attack and was assistant director of the federal government’s main law enforcement training facility. “What as a community we have not yet embraced as effectively is the behavioral sciences...”

Christian Meissner, a psychologist at Iowa State University, coordinates much of HIG’s research. “The goal,” he says, “is to go from theory and science, what we know about human communication and memory, what we know about social influence and developing cooperation and rapport, and to translate that into methods that can be scientifically validated.” Then it’s up to Kleinman, Fallon, and other interested investigators to test the findings in the real world and see what works, what doesn’t, and what might actually backfire.

Does this sound familiar? Security people know how many flags to check in a TCP header, or how many bytes to offset when writing shellcode, but we don't seem to "know" (in a "scientific" sense) how to "secure" data, networks, and so on.

One point of bright light is the Security Metrics community. The mailing list is always interesting for those trying to bring counting and "science" to the digital security profession. Another great project is the Index of Cyber Security run by Dan Geer and Mukul Pareek.

I'm not saying there is a "science" of digital security. Others will disagree. I also don't have any specific recommendations based on what I read in the interrogation article. However, I did resonate with the article's message that "street wisdom" needs to be checked to see if it actually works. Scientific methods can help.

I am taking small steps in that direction with my PhD in the war studies department at King's College London.

Monday, March 02, 2015

Why Would Iran Welcome Western Tech?

I noticed an AFP story posted by Al Jazeera America titled Iran could allow in Google, other tech companies if they follow rules. It included the following:

Iran could allow Internet giants such as Google to operate in the country if they respect its "cultural" rules, Fars news agency said on Sunday, quoting a senior official.

"We are not opposed to any of the entities operating in global markets who want to offer services in Iran," Deputy Telecommunications and Information Technology Minister Nasrollah Jahangard reportedly told Fars.

"We are ready to negotiate with them and if they accept our cultural rules and policies they can offer their services in Iran," he said.

Jahangard said Iran is "also ready to provide Google or any other company with facilities" that could enable them to provide their services to the region.


These statements caught my eye because they contrast with China's actions, in the opposite direction. For example, on Friday the Washington Post published China removes top U.S. tech firms from government purchasing list, which said in part:

China has dropped several top U.S. technology companies, including Cisco and Apple, from a list of brands that are approved for state purchases, amid a widening rift with the United States about cyberspace...

Other companies dropped included Apple, Intel’s McAfee security software firm, and network and server software company Citrix Systems. Hewlett-Packard and Dell products remained on the list.

“The main reason for dropping foreign brands is out of national security. It’s the effect of Snowden and PRISM,” said Mei Xinyu, a researcher with the Ministry of Commerce. “When it comes to national security, no country should let their guard down.”

So why would Iran "let their guard down," to use Mei Xinyu's suggestion?

It's possible Iran is trying to encourage a favorable resolution to the nuclear power negotiations currently underway. I don't think its stance on technology is going to move the negotiations one way or another, however.

It's more likely that Iran recognizes that it lacks the sorts of national champions found in China. Iran isn't at the point where a local version of Cisco or Apple could replace the American brands. China, in contrast, has Huawei and ZTE for telecoms and Xiaomi (and others) for smartphones.

Iran might also be smart enough to realize that American brands could be the "safest" and most "secure" brands available, given the resistance of American tech companies to perceptions that they work on behalf of the US intelligence community.

At the New America cyber event last week, Bruce Schneier noted that the Cold War mission of the NSA was to "attack their stuff, and defend our stuff." However, when we "all use the same stuff," it's tougher for the NSA to follow its Cold War methodology.

I stated several times last week in various locations that countries like China that adopt their own national tech champions are essentially restoring the Cold War situation. If China rejects American technology, and runs its own, it will once again be possible for the NSA to "attack their stuff, and defend our stuff."

In that respect, I encourage the Chinese to run their own gear.