Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Neurobiology’ Category

Detecting Psychopathy Via Tweets? A Flawed Premise May Present Dire Consequences

with one comment

In contemporary research and clinical practice, Robert D. Hare’s Psychopathy Checklist, Revised (PCL-R) is the psycho-diagnostic tool most commonly used to assess psychopathy.[1] Because an individual’s score may have important consequences for his or her future, and because the potential for harm if the test is used or administered incorrectly is considerable, Hare argues that the test should only be considered valid if administered by a suitably qualified and experienced clinician under controlled and licensed conditions.[2][3] Hare receives royalties on licensed use of the test.[4]

Background Sources:

Wikipedia on PCL-R

Defcon 20 Presentation

Fox News

Forbes

Wired

Science Daily

wmatrix 

Preamble:

A paper and talk being given at Defcon 20 this week has gotten people all worked into a lather within the news arena and has piqued my interest. The talk centers around the premise that one may be able to determine psychopathic traits (psychopathic and sociopathic behaviors) from of all things, the analysis of tweets. Now, this may be a novel idea to some and it certainly seems the news has latched onto this, but, in the cold hard light of day, this premise has way too many failures to be actually applicable to gaining any insight into anyone’s psyche via Twitter.

In this article I am staking out my contention that this is not a suitable means of diagnostics of this type and in fact, were it to be followed up on and used, would lead to bad results and perhaps the citation of individuals online as being “Psychopathic” when they are not the least bit so. As such, this talk may be an inquiry into whether or not this is possible, but, had the research been carried out to the extent of reading the materials and their ancillaries, one would quickly come to grips with some salient facts that make this method of detection untenable. As the media hype has already started on this, I think it prudent to speak up on this here and now, as well as write an after piece once I have sat through the talk and had a chance to see exactly what they say they believe possible in the end.

A Flawed Premise:

Having read the original paper by Hancock, Woodworth, and Porter, (Hungry like the wolf: A word-pattern analysis of the language of psychopaths) the experiment clearly states that they had chosen a sampling of criminals convicted of murder (various degrees of which) and verbally interviewed them on their crimes. The method of interview was strictly adhered to and was a known and well used process including blind interpretation (where the interviewer did not collate the data on psychopathy, just transcribed dialog and logged emotional states) Once the transcription was done (including disinfluences *uh and um*) this text was taken and run through the wmatrix and other tools to determine the languages affinities for psychopathy and other mental states. This “text” is actual “dialog” and as such, is not the same as the “written word” that the speakers at Defcon are going to be assessing in their presentation, and this is a key difference that I am unsure they have taken into account. Writing is affected and not natural to many (i.e. fluid dialog in writing) Add to this that you are talking about the emoting of data/emotion vis a vis Twitter at 140 characters at a time AND using quite a bit of word shortening and slang, and the premise of using “language” to determine psyche really falls apart.

A second key point is that the dialogs that are being used in the original paper are specifically stories of their crimes. This was a calculated effort on the part of the psychologists to elicit the emotional states of the subjects in relation to their crimes, and their victims. This is a key factor in the determination of the language that the researchers were looking at, and as such, this, as far as I know, is not a part of the paper being presented at Defcon, and thus, misses a key data point… Making the premise suspect to start.

It is my opinion, just from the differences between the experimental inputs, that unless you have a larger dialectic to work from and a trained set of people to determine not only language, but also emotion (we all know how easy it is to misinterpret an email right?) of the poster, you cannot in any way, shape or form come up with a psychiatric profile, never mind an actual diagnosis, of psychopathy via online content, especially that which is culled from Twitter.

Background Data On PCL-R:

Another factor that I would like to address briefly is the use of the PCL-R test. This test, though being around for some time and used, is still not part of the DSMV as a diagnostic tool that they prefer. There are many papers and articles online that do not promote the use of this test as a lock on Psychopathy, nor is there really a consensus from DSM to DSM on exactly what Psychopathy is. Psychology and Psychiatry is more of a plastic science due to the nature of the human brain. So, all of this supposition on trying to quantify an individual from their language written online at 140 characters at a time is being terribly kluged into an ideal. It is important to know the landscape here to understand that nothing is certain and even diagnosis of an ailment such as these can be countered by a second opinion by another doctor.

.. And doctors should be involved in any of these experiments online as well. However, the bulk of what I have seen online and read elsewhere, as well as common sense, points to me the fact that even with a lot of online chatter, one must interview the subject in person to determine their illness.

Not All Problems Can be Solved With Big Data and Technical Solutions:

In the end though, I guess my biggest concern is that certain people out there (or government groups) might take this idea of sifting through big data online for such linguistic cues as something to run with. In fact, contextual searches already exist and often are used by agencies to determine where someone might live or have lived, gone to school, etc by the nature of their writing. In fact, recently on Studio 360 I heard a report of a computer program being created for just such a thing. It however, was also an AI project to try and get the “Turing” effect to be so acute that a person online would not know the difference between computer and human communication.

Which, brings me to another idea.. When will we see the first “psychopathic” AI out there? But I digress…

It seems to me that more and more we are being collectively mined not only for our habits, but now our emotions as well as our psychological makeups. All of this could potentially be collated from numerous sources (not just out of the context of language but also click behavior etc) Remember those days in college when you took Psych 101 and thought the professor was just messing with you and taking notes? Well, I have the same feeling now with the internet in general and the companies and governments using it for contextual purposes.

I doubt though, we will ever be able to contextualize the human psyche just from internet datum… And that is where I think this talk is headed… And thus, I had to speak my peace. I will have another post on my thoughts after the talk.. Maybe they can change my mind a bit.

Maybe not.

K.

Written by Krypt3ia

2012/07/25 at 20:14

SPOOK COUNTRY 2011: HBGary, Palantir, and the CIRC

with 5 comments

 

The establishment of a Corporate Information

Reconnaissance Cell (CIRC) will provide Hunton &

Williams LLP with a full spectrum capability set to

collect, analyze, and affect adversarial entities and

networks of interest.

From: Team Themis pdf


CIRC: The New Private Intelligence Wing of (insert company name here)

The HBGary debacle is widening and the players are beginning to jump ship each day. The HBGary mother company is disavowing Aaron Barr and HBGary Federal today via twitter and press releases. However, if you look at the email spool that was leaked, you can see that they could have put a stop to Aaron’s game but failed to put the hammer down. I personally think that they all saw the risk, but they also saw the dollar signs, which in the end won the day.

What Aaron and HBGary/Palantir/Berico were offering was a new kind of intelligence gathering unit or “cell” as they called it in the pdf they shopped to Hunton & Williams LLP. Now, the idea and practice of private intelligence gathering has been around for a very long time, however, the stakes are changing today in the digital world. In the case of Hunton, they were looking for help at the behest of the likes of Bank of America to fight off Wikileaks… And when I say fight them off, it would seem more in the sense of an anything goes just short of “wet works” operations by what I see in the spool which is quite telling.

You see, Wikileaks has made claims that they have a certain 5 gig of data that belonged to a CEO of a bank. Suddenly BofA is all set to have Hunton work with the likes of Aaron Barr on a black project to combat Wikileaks. I guess the cat is out of the bag then isn’t it on just who’s data that is on that alleged hard drive huh? It would seem that someone lost an unencrypted drive or, someone inside the company had had enough and leaked the data to Wikileaks. Will we ever really know I wonder?

Either way, Barr et al, were ready to offer a new offering to Hunton and BofA, an intelligence red cell that could use the best of new technologies against Anonymous and Wikileaks. Now, the document says nothing about Anonymous nor Wikileaks, but the email spool does. This was the intent of the pitch and it was the desire of Hunton and BofA to make both Anonymous and Wikileaks go away, for surely if Wikileaks were attacked Anonymous would be the de facto response would they not?

A long time ago William Gibson predicted this kind of war of attrition online. His dystopian world included private intelligence firms as well as lone hackers out there “DataCowboy’s” running the gamut of corporate intelligence operations to outright theft of Pharma-Kombinat data. It seems that his prescient writings are coming into shape today as a reality in a way. With the advent of what Barr and company wanted to offer, they would be that new “cowboy” or digital Yakuza that would rid clients of pesky digital and real world problems through online investigation and manipulation.

In short, Hunton would have their very own C4I cell within their corporate walls to set against any problem they saw fit. Not only this, but had this sale been a go, then perhaps this would be a standard offering to every other company who could afford it. Can you imagine the bulk of corporations out tehre having their own internal intelligence and dirty tricks wings? Nixon, EH Hunt, and Liddy would all be proud. Though, Nixon and the plumbers would have LOVED to have the technology that Aaron has today, had they had it, they may in fact have been able to pull off that little black bag job on Democratic HQ without ever having to have stepped inside the Watergate

The Technology:

I previously wrote about the technology and methods that Aaron wanted to use/develop and what he was attempting to use on Anonymous as a group as the test case. The technology is based on frequency analysis, link connections, social networking, and a bit of manual investigation. However, it seemed to Aaron, that the bulk of the work would be on the technology side linking people together without really doing the grunt work. The grunt work would be actually conducting analysis of connections and the people who have made them. Their reasons for connections being really left out of the picture as well as the chance that many people within the mass lemming hoards of Anonymous are just click happy clueless folks.

Nor did Aaron take into account the use of the same technologies out there to obfuscate identities and connections by those people who are capable, to completely elude his system altogether. These core people that he was looking to connect together as Anonymous, if indeed he is right, are tech savvy and certainly would take precautions. So, how is it that he thinks he will be able to use macroverse data to define a micro-verse problem? I am steadily coming to the conclusion that perhaps he was not looking to use that data to winnow it down to a few. Instead, through the emails, I believe he was just going to aggregate data from the clueless LOIC users and leverage that by giving the Feds easy pickings to investigate, arrest, and hopefully put the pressure on the core of Anonymous.

There was talk in the emails of using pressure points on people like the financial supporters of Wikileaks. This backs up the statement above because if people are using digital means to support Wikileaks or Anonymous they leave an easy enough trail to follow and aggregate. Those who are friending Facebook support pages for either entity and use real or pseudo real information consistently, you can easily track them. Eventually, you will get their real identities by sifting the data over time using a tool like Palantir, or for that matter Maltego.

The ANONYMOUS names file

This however, does not work on those who are net and security savvy.. AKA hackers. Aaron was too quick to make assumptions that the core of Anonymous weren’t indeed smart enough to cover their tracks and he paid the price as we have seen.

The upshot here and extending what I have said before.. A fool with a tool.. Is still a fool.

What is coming out though more each day, is that not only was Aaron and HBGary Fed offering Palantir, but they were also offering the potential for 0day technologies as a means to gather intelligence from those targets as well as use against them in various ways. This is one of the scarier things to come out of the emails. Here we have a company that is creating 0day for use by intelligence and government that is now potentially offering it to private corporations.

Truly, it’s black Ice… Hell, I wouldn’t be surprised if one of their 0day offerings wasn’t already called that.

The INFOSEC Community, HBGary, and Spook Country:

Since my last post was put on Infosecisland, I had some heated comments from folks who, like those commenting on the Ligattleaks events, have begun moralizing about right and wrong. Their perception is that this whole HBGary is an Infosec community issue, and in reality it isn’t. The Infosec community is just what the shortened name means, (information security) You all in the community are there to protect the data of the client. When you cross the line into intelligence gathering you go from a farily clear black and white, to a world of grays.

HBGary crossed into the gray areas long ago when they started the Fed practice and began working with the likes of the NSA/DOD/CIA etc. What the infosec community has to learn is that now the true nature of cyberwar is not just shutting down the grid and trying to destroy a country, but it also is the “Thousand Grains of Sand” approach to not only spying, but warfare in general. Information is the currency today as it ever was, it just so happens now that it is easier to get that information digitally by hacking into something as opposed to hiring a spy.

So, all of you CISSP’s out there fighting the good fight to make your company actually have policies and procedures, well, you also have to contend with the idea that you are now at war. It’s no longer just about the kiddies taking credit cards. It’s now about the Yakuza, the Russian Mob, and governments looking to steal your data or your access. Welcome to the new world of “spook country”

There is no black and white. There is only gray now.

The Morals:

And so it was, that I was getting lambasted on infosecisland for commenting that I could not really blame Anonymous for their actions completely against HBGary/Aaron. Know what? I still can’t really blame them. As an entity, Anonymous has fought the good fight on many occasions and increasingly they have been a part of the mix where the domino’s are finally falling all over the Middle East presently. Certain factions of the hacker community as well have been assisting when the comms in these countries have been stifled by the local repressive governments and dictators in an effort to control what the outside world see’s as well as its own people inside.

It is my belief that Anonymous does have its bad elements, but, given what I know and what I have seen, so does every group or government. Take a look at our own countries past with regard to the Middle East and the CIA’s machinations there. Instead of fighting for a truly democratic ideal, they have instead sided with the strong man in hopes of someday making that transition to a free society, but in the meantime, we have a malleable player in the region, like Mubarak.

So far, I don’t see Anonymous doing this. So, in my world of gray, until such time as Anonymous does something so unconscionable that it requires their destruction, I say let it ride. For those of your out there saying they are doing it for the power and their own ends, I point you in the direction of our government and say this; “Pot —> Kettle —> Black” Everyone does everything whether it be a single person or a government body out of a desired outcome for themselves. Its a simple fact.

Conlcusion:

We truly live in interesting times as the Chinese would curse us with. Today the technology and the creative ways to use it are outstripping the governments in ability to keep things secret. In the case of Anonymous and HBGary, we have seen just how far the company was willing to go to subvert the laws to effect the ends of their clients. The same can be said about the machinations of the government and the military in their ends. However, one has to look at those ends and the means to get them and judge just was it out of bounds. In the case of the Barr incident, we are seeing that true intelligence techniques of disinformation, psyops, and dirty tricks were on the table for a private company to use against private citizens throughout the globe.

The truth is that this has always been an offering… Just this time the technologies are different and more prevalent.

If you are online, and you do not take precautions to insure your privacy, then you lose. This is even more true today in the US as we see more and more bills and laws allowing the government and police to audit everything you do without the benefit of warrants and or by use of National Security Letters.

The only privacy you truly have, is that which you make for yourself. Keep your wits about you.

K.

Getting Into Bed With Robin Sage: The Fallout & The Proof of Concept

with 2 comments

So why the pictures of Anna Chapman you ask? Well, because it may well have been Anna on the profile.. The principle is the same.

The Robin Sage Affair:

Recently, the INFOSEC community found itself with its virtual pants around its digital ankles through the machinations of “Robin Sage” a faux profile created on a number of social networking sites including InkedIn. The profile sported a goth girl and the attending personal data claimed that she worked for N8 Naval Warfare Center and was basically the inspiration for Abby Sciuto, a character from NCIS (Naval Criminal Investigative Service) on CBS.

The man behind the profile and the experiment is Thomas Ryan, the co-founder and Managing Partner of Cyber Operations and Threat Intelligence for Provide Security. His idea was to test the social networking process to see if he by proxy of this profile, could get people to just add Robin without any real vetting. A secondary part of the experiment was also to see just how much information could be gathered by the cutout and see just how damaging such actions could be to end users who “just click yes” to anyone who wishes to be added.

In the end, within a 28 day period the account harvested not only compromising data (much of the worst from LinkedIn) but also invitations to speak at conferences, job offers, and I am sure, the odd lascivious offers to “meet” The byproduct of this experiment in the short term (after her outing, so to speak) is that the Infosec community members who were duped are feeling, well, a bit sheepish right now. After all, these are the people who are supposed to be teaching others on how not to get compromised like this. Especially so with a social engineering exploit that worked so knee jerk well.

Twitter has been abuzz with condemnation and who knows what’s being said in the halls of power and in the military since many of the folks who got duped were military operators. All of this though glosses over a pertinent fact for me however. One that may be in fact brought out in the talk at Black Hat, but I thought it interesting to write about here. The problems of how humans are wired neurologically and our needs to be “social” We come pre-loaded and then taught social norms that are counter much of the time to secure actions.

Hardwired:

It is my contention that human beings are a social animal that are wired and trained to be trusting as well as gullible when a pretty woman says “please add me” Sure, we can train ourselves to be skeptical and to seek out more information, but, in our society of late it seems that we have even lost more of this capability because we do not teach critical thinking in school as much as wrote learning. Of course this is just one aspect of a bigger picture and I really want to focus on the brain wiring and social training.

As social animals, we ‘want” to be social (most of us that is) and long to communicate. After all, that is what the internet is all about lately huh? Not being actually in the room with people but able to talk/chat with them online in “social networks” In other cases we are forced to be social in the sense that our lives depend on our social natures. We cooperate with others, we live with others and we depend on others for our safety in numbers, infrastructure continuance, etc. Thus we evolved into tribes, clans, societies, and now its going global. All of this is predicated on some modicum of trust in relationships.

Trust relationships though are just one thing. We trust as we walk down the street that the people walking toward us will not whip out a gun and just start shooting at you. We trust that the driver on the other side of the road will not just veer out in front of us for no apparent reason because that would be counter productive and not the “norm” However, these things can and do happen from time to time, yet, we do not find ourselves on permanent alert as we walk the streets because if we were then we would be a wreck. Turning that around, we would then be seen as paranoid and not “normal”

See where I am going with that?

So, in the sense of online social networks and security, these things are just diametrically opposed. If you want to be social, don’t enter into areas of discourse where your “security” is supposed to be protected. It is akin to walking up to a stranger and telling them your doors at home are unlocked most of the time. Believe me it happens now and then, but don’t you then start thinking that that person just has something fundamentally wrong with them? Its the same for any online relationship. Nickerson said it best.. Unless you really know them or have.. “spit roasted” someone with them, then don’t add them or tell them secret things… But.. Then there is that whole trust issue.

We are trusting and want to follow social norms. THIS is why social engineering works so well! We are just wired for it and to change these behaviors really requires training.

Additionally, lets take into account the hotness factor with this particular experiment. The pictures of “Robin” were obvious to some as being of someone who would NOT have a job at N8 or any facility/group with classified access and responsibilities. I took one look and thought;

“Look at that nip slip and belly shot there on the Facebook.. No way this is a real profile because her clearance would be yanked ASAP”

Others though, may have looked at those pics and thought “damn, I want to meet her, I will add her and chat her up” This begs the question of just what the ratio was of men to women who asked to be added or just clicked add on the Robin Sage profile. Were the numbers proportionally higher men to women I wonder? I actually believe that to be the case. In fact, this is an important thing to take note of as we are dealing with a very familiar tactic in espionage realms.

“The Swallow” or “Honeytrap”

How many have fallen for the “Russian Secretary” over the years and then been turned into an agent for Russia? The same principle is being used here. The bait is a cute goth chick who happens to work in the very same field you do! A field mind you that is still primarily loaded with guys. So this is just moth to the flame here. It is so common that perhaps we cannot get past our own hard wired brain and sexual drives huh? It will be interesting to see the talk at Black Hat to get the stats.

The Community:

So, once again, those who got spanked by this and are griping now, I say take a long look at the problem. You fell victim to your own programming. You could potentially have not fallen prey to it, and perhaps in the future you won’t, but, take this as a learning experience and move on.

Use this experience to teach others.

Object lesson learned.

Full CSO article HERE

CoB