Tuesday 14 July, 2020

Le Quatorze Juillet!

In pre-pandemic times, we’d be there today. Sigh.


Notes from the new battleground

Cyberspace viewed through a military lens.

1/ The Internet is now the dominant communications medium of our world. And we’re still only at the beginning of that transformation.

2/ The network is now a battlefield, indispensable to militaries and their governments.

3/ This changes how conflicts are being — and will be — fought.

  • It’s now impossible to keep secrets
  • Power becomes the ability to command people’s attention
  • Conflicts become “contests of psychological and algorithmic manipulation.”

4/ The nature of ‘war’ is changing. It used to be “the continuation of politics by other means”. But now war and politics have begun to fuse together. However, the laws of this new battlefield are not formulated by democratic or military authorities but by a handful of American tech companies.

5/ And we’re all caught up in this new warfare, as combatants, spectators or collateral damage. Our attention has become a piece of contested territory “being fought over in conflicts that you may or may not realise are unfolding around you. Your online attention and actions are thus both targets and ammunition in an unending series of skirmishes. Whether you have an interest in the conflicts of ‘Likewar’ or not, they have an interest in you”.

Notes from reading Likewar: The Weaponization of Social Media by P.W. Singer and Emerson Brooking, Houghton Mifflin, 2018.


The dark underbelly of ‘efficiency’

Tim Bray, one of the most thoughtful geeks around, has an interesting essay on his blog about the downsides of the neoliberal obsession with ‘efficiency’.

On a Spring 2019 walk in Beijing I saw two street sweepers at a sunny corner. They were beat-up looking and grizzled but probably younger than me. They’d paused work to smoke and talk. One told a story; the other’s eyes widened and then he laughed so hard he had to bend over, leaning on his broom. I suspect their jobs and pay were lousy and their lives constrained in ways I can’t imagine. But they had time to smoke a cigarette and crack a joke. You know what that’s called? Waste, inefficiency, a suboptimal outcome. Some of the brightest minds in our economy are earnestly engaged in stamping it out. They’re winning, but everyone’s losing.

I’ve felt this for years, and there’s plenty of evidence:

Item: Every successful little store with a personality morphs into a chain because that’s more efficient. The personality becomes part of the brand and thus rote.

Item: I go to a deli fifteen minutes away to buy bacon, rashers cut from the slab while I wait, because they’re better. Except when I can’t, in which case I buy a waterlogged plastic-encased product at the supermarket; no standing or waiting! It’s obvious which is more efficient.

Item: I’ve learned, when I have a problem with a tech vendor, to seek out the online-chat help service; there’s annoying latency between question and answers as the service rep multiplexes me in with lots of other people’s problems, but at least the dialog starts without endless minutes on hold; a really super-efficient process.

Item: Speaking of which, it seems that when you have a problem with a business, the process for solving it each year becomes more and more complex and opaque and irritating and (for the business) efficient.

Item, item, item; as the world grows more efficient it grows less flavorful and less human. Because the more efficient you are, the less humans you need.

To help develop his argument, Bray links to a terrific essay by Bruce Schneier, my favourite security guru:

For decades, we have prized efficiency in our economy. We strive for it. We reward it. In normal times, that’s a good thing. Running just at the margins is efficient. A single just-in-time global supply chain is efficient. Consolidation is efficient. And that’s all profitable. Inefficiency, on the other hand, is waste. Extra inventory is inefficient. Overcapacity is inefficient. Using many small suppliers is inefficient. Inefficiency is unprofitable.

But inefficiency is essential security, as the COVID-19 pandemic is teaching us. All of the overcapacity that has been squeezed out of our healthcare system; we now wish we had it. All of the redundancy in our food production that has been consolidated away; we want that, too. We need our old, local supply chains — not the single global ones that are so fragile in this crisis. And we want our local restaurants and businesses to survive, not just the national chains.

We have lost much inefficiency to the market in the past few decades. Investors have become very good at noticing any fat in every system and swooping down to monetize those redundant assets. The winner-take-all mentality that has permeated so many industries squeezes any inefficiencies out of the system.

This drive for efficiency leads to brittle systems that function properly when everything is normal but break under stress. And when they break, everyone suffers. The less fortunate suffer and die. The more fortunate are merely hurt, and perhaps lose their freedoms or their future. But even the extremely fortunate suffer — maybe not in the short term, but in the long term from the constriction of the rest of society.

Efficient systems have limited ability to deal with system-wide economic shocks. Those shocks are coming with increased frequency. They’re caused by global pandemics, yes, but also by climate change, by financial crises, by political crises. If we want to be secure against these crises and more, we need to add inefficiency back into our systems.

Yep.

Bray ends with a protest:

It’s hard to think of a position more radical than being “against efficiency”. And I’m not. Efficiency is a good, and like most good things, has to be bought somehow, and paid for. There is a point where the price is too high, and we’ve passed it.

Actually, there are times when efficiency is not good but positively bad. Take our criminal justice system. It’s woefully inefficient because we have this commitment to ‘due process’, the presumption of innocence until guilt is proven, legal representation and the rest. It would be much more ‘efficient’ to be able to lock people up on the say-so of the local chief of police. But we don’t do that because our liberal, democratic values abhor it. (Which is also why authoritarians love it.) Of course the criminal justice system should operate more efficiently — in the sense that courts should be run so that the dispensation of justice is quicker and with less pointless delay, lower legal costs, etc. But the central inefficiency of the system implied by the need for due process is the most precious thing about it.


Tim Bray’s essay led me to David Wootton’s book, Power, Pleasure, and Profit: Insatiable Appetites from Machiavelli to Madison, and thence to his 2017 Besterman Lecture at Oxford, which is based on Chapter 8 of the book.

Link


I Have Cancer. Now My Facebook Feed Is Full of ‘Alternative Care’ Ads

Here we go again. Most of the current hoo-hah about Facebook and moderation is about politics and extremism. But actually almost every area of life is affected by the Facebook targeting system. Here’s a great example of that from the personal experience of Anne Borden King — who, ironically, is an advocate working to prevent the spread of medical misinformation online. “Last week”, she writes,

I posted about my breast cancer diagnosis on Facebook. Since then, my Facebook feed has featured ads for “alternative cancer care.” The ads, which were new to my timeline, promote everything from cumin seeds to colloidal silver as cancer treatments. Some ads promise luxury clinics — or even “nontoxic cancer therapies” on a beach in Mexico.

When I saw the ads, I knew that Facebook had probably tagged me to receive them. Interestingly, I haven’t seen any legitimate cancer care ads in my newsfeed, just pseudoscience. This may be because pseudoscience companies rely on social media in a way that other forms of health care don’t. Pseudoscience companies leverage Facebook’s social and supportive environment to connect their products with identities and to build communities around their products. They use influencers and patient testimonials. Some companies also recruit members through Facebook “support groups” to sell their products in pyramid schemes.

Anyone who has experimented with using Facebook’s advertising system will not be surprised by her experience. What happened is that people flogging snake oil were using Facebook’s automated machine for helping them to build a “custom audience”, and one of the questions the system will have asked them is whether they would like to target people who have posted that they have had a cancer diagnosis. Click yes and it’s done.


Finally: the UK government is mandating the wearing of face masks

This is how Politico’s daily ‘London Playbook’ newsletter puts it.

Health and Social Care Secretary Matt Hancock will give a statement in the House of Commons this afternoon confirming the news on every front page this morning: face coverings will be compulsory in shops and supermarkets in England from Friday July 24, with those refusing to wear them facing fines of up to £100.

What took you so long? The British Medical Association last night called the announcement — which brings England in line with Scotland, Germany, Spain, Italy and Greece and many other countries — “long overdue,” and called for the regulation to be extended to all settings where social distancing is not possible. BMA council Chair Dr Chaand Nagpaul also questioned why the government was waiting 10 days to implement the policy. “Each day that goes by adds to the risk of spread and endangers lives,” he said. Officials say the delay will give businesses and the public time to prepare. Retailers won’t be expected to enforce the new regulations, which will be a matter for police. Only children under 11 and those with certain disabilities will be exempt.

We’ve come a long way since … the received wisdom in the U.K. was that mass wearing of face masks did little or nothing to help. It’s just over 100 days, for instance, since England’s Deputy Chief Medical Officer Jonathan Van-Tam said at the Downing Street lectern on April 3: “There is no evidence that general wearing of the face masks by the public who are well affects the spread of the disease.”

We’ve not come very far at all since … Cabinet Office Minister Michael Gove, when asked by the BBC’s Andrew Marr whether face masks should be mandatory in shops in England, said: “I don’t think mandatory, no.” It’s not yet been 48 hours.

Nothing changes. The UK government couldn’t run a bath.

(The Politico newsletter is indispensable IMHO. And it’s free. First thing I read every morning.)




Asymmetrical vulnerabilities

This morning’s Observer column:

In their book, The Future of Violence, Benjamin Wittes and Gabriella Blum point out that one of the things that made the Roman empire so powerful was its amazing network of paved roads. This network made it easy to move armies relatively quickly. But it also made it possible to move goods around, too, and so Roman logistics were more efficient and dependable than anything that had gone before. Had Jeff Bezos been around in AD125, he would have been the consummate road hog. But in the end, this feature turned out to be also a bug, for when the tide of history began to turn against the empire, those terrific roads were used by the Goths to attack and destroy it.

In a remarkable new paper, Jack Goldsmith and Stuart Russell point out that there’s a lesson here for us. “The internet and related digital systems that the United States did so much to create,” they write, “have effectuated and symbolised US military, economic and cultural power for decades.” But this raises an uncomfortable question: in the long view of history, will these systems, like the Roman empire’s roads, come to be seen as a platform that accelerated US decline?

I think the answer to their question is yes…

Read on

Collateral damage and the NSA’s stash of cyberweapons

This morning’s Observer column:

All software has bugs and all networked systems have security holes in them. If you wanted to build a model of our online world out of cheese, you’d need emmental to make it realistic. These holes (vulnerabilities) are constantly being discovered and patched, but the process by which this happens is, inevitably, reactive. Someone discovers a vulnerability, reports it either to the software company that wrote the code or to US-CERT, the United States Computer Emergency Readiness Team. A fix for the vulnerability is then devised and a “patch” is issued by computer security companies such as Kaspersky and/or by software and computer companies. At the receiving end, it is hoped that computer users and network administrators will then install the patch. Some do, but many don’t, alas.

It’s a lousy system, but it’s the only one we’ve got. It has two obvious flaws. The first is that the response always lags behind the threat by days, weeks or months, during which the malicious software that exploits the vulnerability is doing its ghastly work. The second is that it is completely dependent on people reporting the vulnerabilities that they have discovered.

Zero-day vulnerabilities are the unreported ones…

Read on

Watergate 2.0

This morning’s Observer column on the hacking of the Democratic National Committee’s computer networks:

Needless to say, it’s been dubbed Watergate 2.0, in memory of the burglary of the DNC HQ in June 1972 by people working for Richard Nixon’s campaign team. And now, just as in 1972, the key questions are: who were the burglars? And what were their motives? A number of cybersecurity firms investigated the DNC hacks and concluded that the culprits were two agencies of the Russian government, one the FSB (successor to the KGB), the other Russia’s military intelligence agency, the GRU. A clinching piece of evidence linking the hack to the Russians was the existence of an internet address in the DNC malware that had also been found in a piece of malware used in a Russian attack on the German parliament’s servers.

So it seems pretty clear that Putin’s lot were the burglars. But what were their motives? Here the conspiracy theories begin…

Read on

Forget North Korea – the real rogue cyber operator is closer to home

This morning’s Observer column.

The company [Symantec] goes on to speculate that developing Regin took “months, if not years” and concludes that “capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state”.

Ah, but which nation states? Step forward the UK and the US and their fraternal Sigint agencies GCHQ and NSA. A while back, Edward Snowden revealed that the agencies had mounted hacking attacks on Belgacom, a Belgian phone and internet services provider, and on EU computer systems, but he did not say what kind of software was used in the attacks. Now we know: it was Regin, malware that disguises itself as legitimate Microsoft software and steals data from infected systems, which makes it an invaluable tool for intelligence agencies that wish to penetrate foreigners’ computer networks.

Quite right too, you may say. After all, the reason we have GCHQ is to spy on nasty foreigners. The agency was, don’t forget, originally an offshoot of Bletchley Park, whose mission was to spy on the Germans. So perhaps the news that the Belgians, despite the best efforts of Monty Python, are our friends – or that the UK is a member of the EU – had not yet reached Cheltenham?

Read on

Cyberwarfare: Iran ups its game

Intriguing NYT story about the next phase of cyberwarfare. Phase One, you will recall, was the Stuxnet attack, organised by the US and Israel.

On Aug. 15, more than 55,000 Saudi Aramco employees stayed home from work to prepare for one of Islam’s holiest nights of the year — Lailat al Qadr, or the Night of Power — celebrating the revelation of the Koran to Muhammad.

That morning, at 11:08, a person with privileged access to the Saudi state-owned oil company’s computers, unleashed a computer virus to initiate what is regarded as among the most destructive acts of computer sabotage on a company to date. The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.

United States intelligence officials say the attack’s real perpetrator was Iran, although they offered no specific evidence to support that claim. But the secretary of defense, Leon E. Panetta, in a recent speech warning of the dangers of computer attacks, cited the Aramco sabotage as “a significant escalation of the cyber threat.” In the Aramco case, hackers who called themselves the “Cutting Sword of Justice” and claimed to be activists upset about Saudi policies in the Middle East took responsibility.

Google turns to the spooks

I know that cloud computing is wonderful, etc. but have you noticed this development?

Just the thought is enough to send an involuntary little shiver up your spine: Google — keeper of a vast repository of data on our activities, interests and connections — working hand-in-hand with the National Security Agency — the top-secret electronic surveillance specialists who have been known to go rogue from time to time. But according to sources who spoke to the Washington Post, there are delicate talks now going on to form such a partnership with the goal of fortifying Google’s defenses against the kind of espionage-oriented hacking attacks launched from China against it and dozens of other U.S. companies in December.

Google reportedly approached the NSA shortly after the attacks, but in an indication of the sensitivity of such an arrangement, the talks have been going on for weeks. Reports the Post: “Google and the NSA declined to comment on the partnership. But sources with knowledge of the arrangement, speaking on the condition of anonymity, said the alliance is being designed to allow the two organizations to share critical information without violating Google’s policies or laws that protect the privacy of Americans’ online communications. The sources said the deal does not mean the NSA will be viewing users’ searches or e-mail accounts or that Google will be sharing proprietary data.” What the agency would do, as it has with other corporations, is help Google evaluate hardware and software vulnerabilities and gauge the sophistication of its attackers.

At face value, it all sounds reasonable, especially given the suspicions of state support for the Chinese hacking, but of the many things the NSA can tap, a deep reservoir of public trust is not one.

Amen.

The FT’s Gideon Rachman spent the morning at the International Institute for Strategic Studies’s briefing on their annual survey of the ‘Military Balance’. He reports that

The briefing offered by the IISS experts ranged fascinatingly over a variety of topics from the Iranian nuclear programme, to Russia’s new military doctrine and the links (or lack of them) between al-Qaeda and Iran.

But the thing I found most interesting was the confirmation that cyber-security is the hot issue of the day. John Chipman, the head of the IISS, says the institute is about to launch a special study of cyber-security which raises all sorts of fascinating issues about hard power, about the responsibilities of states and about international law. What if a country’s infrastructure could be destroyed as effectively by a cyber-attack, as by an invasion of tanks? How do you defend against that? How do you identify the culprits? And what does international law have to say about the issue – might we have to revise our definitions of what constitutes an act of war? Chipman argues, plausibly, that we are now at an equivalent period to the early 1950s. Just as strategists had to devise whole new doctrines to cope with the nuclear age, so they will have to come up with new ideas to cope with the information age.

And over at the Guardian Charles Arthur has an exhaustive (or should that be exhausting?) analysis of whether the UEA Climate Research Unit’s emails were hacked. His conclusion:

After the July incident, perhaps CRU failed to batten down the hatches, either through technical failings or because someone inside was subverting the efforts. So what happened in November?

Rotter blogged his theory last year. “In the past I have worked at organisations where the computer network grew organically in a disorganised fashion. Security policies often fail as users take advantage of shortcuts … one of these is to share files using an ftp server … This can lead to unintentional sharing with the rest of the internet.”

He added that files were perhaps put “in an ftp directory which was on the same central processing unit as the external webserver, or even worse, was on a shared driver somewhere to which the webserver had permissions to access. In other words, if you knew where to look, it was publicly available”.

If this hypothesis turns out to be true, UEA may end up looking foolish. For there will be no one to arrest.

In other words, the cock-up theory of history rules ok.
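The two failure modes Rotter describes (an ftp upload directory sitting under the external web server’s document root, and a shared drive whose files the web server’s account can read) are both checkable before anyone has to guess. The script below is an added example, not code from the Guardian piece, from Rotter or from the CRU: it builds a throwaway directory layout with constructed sample files, then flags every file that either resolves to a path under the document root (permissions are irrelevant there, the web server will serve it) or is readable by a hypothetical web server account (uid 60001, chosen so it owns none of the files and only the “other” permission bits apply).

```python
"""Audit data directories for exposure through a web server.

Added example illustrating the CRU hypothesis quoted above; the paths,
files and the web server uid are all constructed for the demo.
"""
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical web server account. It owns none of the demo files and
# belongs to no group that does, so only the "other" bits apply.
WEB_UID = 60001
WEB_GIDS = {60001}


def inside_docroot(path, docroot):
    """True if path resolves (symlinks followed) to a location under docroot."""
    p = Path(path).resolve()
    d = Path(docroot).resolve()
    return p == d or d in p.parents


def readable_by(path, uid, gids):
    """Classic owner/group/other check: can the given account read path?"""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def audit(docroot, data_dirs, uid=WEB_UID, gids=WEB_GIDS):
    """Walk each data directory and return (file, reason) for every exposure."""
    findings = []
    for d in data_dirs:
        for root, _dirs, files in os.walk(d):
            for name in files:
                f = os.path.join(root, name)
                if inside_docroot(f, docroot):
                    # Anything under the document root is served regardless of mode bits.
                    findings.append((f, "inside web document root"))
                elif readable_by(f, uid, gids):
                    # Off the web root, but the web server's account can still read it.
                    findings.append((f, "readable by web server account"))
    return findings


def build_demo():
    """Construct a throwaway layout (constructed sample data, not real CRU files)."""
    base = Path(tempfile.mkdtemp(prefix="exposure-demo-"))
    docroot = base / "www"
    ftp_incoming = docroot / "pub" / "incoming"   # ftp upload dir under the web root
    share = base / "share"                        # "shared drive" mounted elsewhere
    ftp_incoming.mkdir(parents=True)
    share.mkdir()
    (ftp_incoming / "station-data.csv").write_text("constructed sample\n")
    (share / "emails.mbox").write_text("constructed sample\n")
    (share / "private.key").write_text("constructed sample\n")
    os.chmod(ftp_incoming / "station-data.csv", 0o600)  # tight mode, but still under the docroot
    os.chmod(share / "emails.mbox", 0o644)              # world-readable on the share
    os.chmod(share / "private.key", 0o600)              # owner-only: the web account cannot read it
    return str(docroot), [str(ftp_incoming), str(share)]


if __name__ == "__main__":
    demo_docroot, demo_dirs = build_demo()
    for path, why in audit(demo_docroot, demo_dirs):
        print(f"{why}: {path}")
```

Run against real paths, `audit` takes the web server’s document root, the directories you are worried about and the uid/gids the server process actually runs as; the point of the demo layout is that the tightly permissioned `station-data.csv` is still flagged, because mode bits do nothing for a file the web server is configured to serve.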

A wilderness of mirrors

From today’s NYTimes…

It is an axiom that “on the Internet nobody knows that you are a dog.”

By the same token, it is all but impossible to know whether you are from North Korea or South Korea.

That puzzle is plaguing law enforcement investigators in several nations who are now hunting for the authors of a small but highly publicized Internet denial-of-service attack that briefly knocked offline the Web sites of some United States and South Korean government agencies and companies.

The attack, which began over the Fourth of July weekend and continued into the next week, led to South Korean accusations that the attack had been conducted by North Korean military or intelligence agents, possibly in retaliation for new United Nations sanctions. American officials quickly cautioned that despite sensational news media coverage, the attacks were no different from similar challenges government agencies face on a daily basis.

Cyberwarfare specialists cautioned this week that the Internet was effectively a “wilderness of mirrors,” and that attributing the source of cyberattacks and other kinds of exploitation is difficult at best and sometimes impossible. Despite the initial assertions and rumors that North Korea was behind the attacks and slight evidence that the programmer had some familiarity with South Korean software, the consensus of most computer security specialists is that the attackers could be located anywhere in the world.

“It would be incredibly difficult to prove that North Korea was involved in this,” said Amrit Williams, chief technology officer for Bigfix, a computer security management firm. “There are no geographic borders for the Internet. I can reach out and touch people everywhere.”

This is the back-story to the post by Mark Anderson that I blogged earlier in the week.

Does Skype have a back door?

Answer: probably yes. I’ve long suspected that anyway. Now comes this interesting report from an Austrian online news site…

According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations.

This has been confirmed to heise online by a number of the parties present at the meeting. Skype declined to give a detailed response to specific enquiries from heise online as to whether Skype contains a back door and whether specific clients allowing access to a system or a specific key for decrypting data streams exist. The response from the eBay subsidiary’s press spokesman was brief, “Skype does not comment on media speculation. Skype has no further comment at this time.” There have been rumours of the existence of a special listening device which Skype is reported to offer for sale to interested states.

There has long been speculation that Skype may contain a back door. Because the vendor has not revealed details of its proprietary Skype protocol or of how the client works, questions as to what else Skype is capable of and what risks are involved in deploying it in an enterprise environment remain open.

Last week, Austrian broadcaster ORF, citing minutes from the meeting, reported that the Austrian police are able to listen in on Skype connections. Interior ministry spokesman Rudolf Gollia declined to provide heise online with a comment on the matter. He did, however, offer general comments on the meeting, which were, however, contradicted by other attendees…

I use Skype quite a lot and find it very useful for family stuff etc. But I wouldn’t use it for anything that was commercially sensitive.

Skype would be able to charge quite a hefty fee to governments for this, er, feature.

Also, I wonder how this latest speculation squares with an earlier report that I logged claiming the German police were unable to crack Skype encryption. Perhaps the Germans weren’t willing to pay Skype the required fee for entry to the back door?

CyberCrime 2.0

From the Register

Selling “installs” is a common practice in the cyber-underworld, the most notable example being in 2005 when Jeanson Ancheta was arrested for building a 400,000-strong botnet and installing adware from 180 solutions for a fee of $60,000. Cybercriminals have since moved on to installing spyware onto compromised machines.

Zombie machines infected with Trojan horse malware can be used to relay spam or launch denial of service attacks. Compromised machines can also be pointed to websites from which additional items of malware can be downloaded. The practice is normally used to update Trojan code, but it also creates a means for cybercrooks to make a “nice little earner”.

The income that can be earned grows with the numbers of installs, and varies based on the geographical location of an installation. For example, installing spyware on 1,000 machines in Australia earns $100 but only $50 in the US, and a measly $3 in Asia. A sample price list obtained by net security services firm sheds fresh light on the phenomenon.

MessageLabs culled its figures from a malware distribution site in Russia, the existence of which we’ve verified. The site is loaded with malware and for that reason we’ll refer to it by a shortened version of its name, installscash.org.