Archive for the ‘Psychology’ Category
The Joker: Nihilism, Mental Illness, Incel’s and Societal Pressures
Creation of the Joker: Mental Illness and Abuse
The recent controversies over the new ‘Joker’ movie were not lost on me as I sat through it recently. Given that there have been BOLO’s put out by the US Military and the FBI concerning the threats of active shooters attacking theaters playing the film, even I had some trepidation in going to see it for fear that my theater might be the one targeted by some shooter. In fact, I deliberately went to see the film at a matinee during the week in order to have very few people there, and thus in my mind, less of an attractive target for a would be shooter. As I watched the film there were in fact moments of “ah ha” this is why some were concerned about this being a touchstone for those who might carry out such acts. At it’s heart, the movie is a character study of the Joker, aka Arthur Fleck.
The Story:
Arthur fleck is solitary figure who still lives with his mother in a strained relationship. He works as a clown for children’s parties and the odd gig fronting for a store closing sale. It is at this job we start to understand Arthur’s situation even further, as he is beaten by a gang of kids who stole his sign. After he is reprimanded by his boss, he has a conversation with a co-worker who gives him a revolver to protect himself with. This gift implies a couple of things in the conversation. The first is that Arthur has been feeling like he needs a gun and had talked to this co-worker before about it, and secondly, that this co-worker is not really his friend, today we might call that person a ‘frenemy’ with an agenda of bullying Arthur while being his ‘friend’.
Arthur starts carrying the gun and eventually gets fired for having it at a children’s ward where it drops on the floor. He is summarily fired for this and on his way home is taunted by three Wall Street types who finally end up beating him. That is until Arthur pulls the gun and kills them. This is the catalyst for Arthur’s transformation to begin from Fleck to ‘Joker’ as he has his first taste of not only power, but also recognition as the incident makes it into the press where some are lauding the unknown clown as a hero. Finally, Arthur is starting to feel like he is powerful and seen where most of his life he was a nobody and invisible. During this time as well, Arthur has a relationship with a woman down the hall. She attends his stand up comedy night and all seems good with them. One might think at this point that, murder aside, he is starting to become empowered and perhaps might be ok, that is until he discovers a letter from his mother to Thomas Wayne and learns in there that he is in fact his illegitimate son.
Arthur’s discovery that his mother has been lying to him about who his father is (Mr. Wayne) causes a dualistic reaction of anger against his mother and hope that he is in fact Wayne’s son. A hope that is dashed when he confronts Wayne and is told that his mother was delusional and that in fact she had spent time in Arkham because of it. It was then that she adopted Arthur as a prop to keep her own delusion in place and perhaps leverage Wayne. Arthur then goes to Arkham to see if there are in fact files that show his mothers illness and what he gets confirms not only this, but also the long standing abuse he was subject to that he had been suppressing psychically. Meanwhile, his mother has a collapse and is brought to the hospital. Arthur is being sought by police in the investigation of the subway murders, and while he is sitting with his mother he see’s his idol, the Tv Show host, air Arthur’s painful standup routine mocking it for a national audience.
Fleck is brought on TV by this host because he, fleck, is inadvertently funny as a standup comedian because he is so spectacularly bad at it. Fleck’s uncontrolled laughter during the performance is an alleged medical condition wherein he laughs, or rather cackles, uncontrollably when he is upset. This response is a trigger for attacks on him by others both verbally and physically that also add to his psychological state of ‘negative ideation’ which he talks with the social worker about. Fleck realizes from the start that he is being mocked by the TV host he has idolized as a surrogate father in his delusions.
After murdering his mother in the hospital and feeling a release, Arthur goes home and accepts an appearance on the TV show knowing that it is just an opportunity to make fun of him for a live studio audience. It is at this point, after going off of his meds, that Fleck has the psychotic break and the personality of Fleck is subsumed by “The Joker”, a name given to him by the tv show host as a sleight. It is at home while he is getting ready to go on air that his ‘frenemy’ and another friend from his workplace show up. The frenemy wants to insure that he is not going to get into trouble over the gun he gave Arthur that he used in the subway killings. Arthur finally has had enough of this man and kills him violently while the other man, a dwarf, hides in the corner. It is at this point that we see Arthur spare this dwarfs life saying that he was in fact the only person who was decent to him.
Arthur goes on the show in his clown makeup and regalia while the city is seizing up in mass revolt in an ‘eat the rich’ movement that has taken the clown image of the subway killer on as their rallying cry. He is brought out on stage and has requested that he be called ‘joker’ and proceeds to confess his killings on the subway and through questions by the host tells him that he believes in nothing and that they should be careful who they treat poorly.
Arthur Fleck : What do you get when you cross a mentally ill loner with a society that abandons him and treats him like trash? You get what you fuckin’ deserve!
Joker then pulls his gun and shoot’s the TV host dead. The crowd in the audience screams and start to flee, and Joker runs around the stage manically. He finally runs off stage and out of the camera frame. We next see Arthur in the back of a police car being taken ostensibly to jail while the city is in the middle of a spasm of violence by the joker rabble protesting. As he is watching this as they pass by, a truck plows into the cop car and we next see the joker’s taking Arthur/Joker from the back and laying him on the hood. Joker rises and starts to dance to the adulation of the mass wearing clown masks. The scene cuts to a white room with Joker talking to a therapist who is asking him questions;
Social Worker : Is something funny?
Arthur Fleck : I just thought of a funny joke!
Social Worker : Do you mind telling it?
Arthur Fleck : …You wouldn’t get it.
Next you see Joker running the overly white halls of Arkham Asylum and the music swells, the end.
Nihilism: Believing In Nothing Is Liberating
Joker, is a film that sets the stage for the character of “The Joker” as the clown prince of crime, a character with no real backstory in the ouvre of Batman, which makes him all the more interesting. It really wasn’t until later years after the ‘Dark Knight’ graphic novels and the movies, that the character of the Joker began to take on an even more menacing tone. In “The Dark Night” (2008) the character of the Joker took on new dimensions with a portrayal of a nihilist character who’s seeking to cause anarchy because he believes in nothing and no one. In “Joker” we have the backstory (akin to the Batman graphic novel “The Killing Joke”) of how the Joker emerges. In this film as in the graphic novel, the Joker has, what is termed in the book as ‘one bad day’ as he tells Batman, and that bad day broke his psyche thus becoming the Joker.
The bad day, or days, in Joker are exacerbated by Arthur’s mental illness, the pressures of life in the city, and a series of circumstances that lead him to go off his meds and begin his life of crime. Once the break happens, Joker, now fully formed, announces on the show that he is the one who killed the three men on the subway and repeats that he is not political, he is making no political statement here at all. He in fact believes in nothing. This is the core of the philosophical system of Nihilism, and now Joker is an adherent. This is a key point in the movie and one that carries over into the reality we have today concerning the fears of mass shooters who may be incel’s or other Nihilists actors.
While Joker believes in nothing, Arthur believed in his mother, believed that the system could help him, and that by being a nice person, would be reciprocated by others. Arthur’s descent into madness was hastened by learning that the sole person who he knew loved him, was in fact a delusional individual who adopted and then proceeded to abuse him as a means to an end for her own needs. This core betrayal is the linchpin in Arthur’s break and rebirth as Joker. In the moments before Joker shoots the show host on live TV, the host asks him why he had come on the show and why he was doing the things he had done. Joker looks at the show host and mockingly says
Arthur Fleck : How ’bout another joke, Murray?
Murray Franklin : No, I think we’ve had enough of your jokes.
Arthur Fleck : What do you get…
Murray Franklin : I don’t think so.
Arthur Fleck : …when you cross…
Murray Franklin : I think we’re done here now, thank you.
Arthur Fleck : …a mentally ill loner with a society that abandons him and treats him like trash?
Murray Franklin : Call the police, Gene, call the police.
Arthur Fleck : I’ll tell you what you get! You get what you fuckin’ deserve!
[Joker shoots Murray in the head, killing him instantly]
While Joker does not call out the specifics, or knowledge of Nihilism, he is certainly espousing it saying that he now believes in nothing. His actions throughout the comics and the movies have shown him to be a Nihilist as well as an agent of chaos. This is what I believe is one of the foundations of this film and the overall canon for Joker and his foil Batman. They are intimately intertwined in their history, in some places it is Joker who created Batman by killing his parents. In others, it is Batman who creates Joker after dropping him in a vat of chemicals that make him go insane, as well as have the green hair and white skin. In each case though, his break from sanity is of a kind where he see’s life as a cosmic joke meaning nothing.
Incel’s, Hand Wringing, and Mental Illness:
This film has had such a polarizing effect on audiences as well as reviewers. Much of the criticism has been around the story of Joker being something that plays well with those who might want to shoot up a theater full of people and idolize the Joker. In the case of this film though, to date there have been no incidents and the hand wringing that has been going on by the media has only served to perhaps egg those actors into action more than having any greater meaning.
The families of the Aurora shooting victims went as far as petitioning Warner Brothers, about the films violence and possible call to those unbalanced souls like James Eagan Holmes, who committed the crime in 2012, attempting to link his actions to the Joker. The fact of the matter is that Holmes did not act out as the Joker, and only chose the film because it was going to be a full theater. The linking of the two was an emotional reaction, not a rational or correct one.
Other reviews of the film tagged Incel culture with this film saying that Arthur was an Incel and thus this film would be a call to others to act out in emulation. In reality, Arthur was not in fact an ‘Incel’ by strict interpretation because he was not solely acting out because women would not date or have sex with him. While Arthur has a delusion of a relationship with a woman in his building, it is not that she rebuffed him that caused his break with sanity. This argument by those who have made these claims are I think, putting social justice warrior ideals and fear above actually looking at the story line as a more nuanced picture of a man on the edge of a psychotic break.
My Take-away’s:
Joker was a good film in my opinion. The film is a great addition to the whole Batman franchise and gives more nuance to the Joker and perhaps one backstory. There are parts of the films plot I did not cover in the beginning of this post that have direct connections to the Batman timeline that are incongruous. If you take this film as the ‘prime’ timeline, then this Joker is not ‘the’ joker that Bruce Wayne as Batman fights because this Joker would be geriatric if not dead by then, so this could be the Proto-Joker that starts a movement and one of those later ‘Jokers’ becomes the one he battles.
This is a well put together film and you will leave the theater thinking about it. In today’s world where everything seems so pressurized, it is not uncommon to see mass shootings by perhaps mentally unstable people. It is an every day thing now unfortunately for us, and as such, this film touched a raw nerve with people. As I said at the start of this post, I too was apprehensive about going to the theater to see this for fear that someone would decide that this is the theater to shoot up. It is this world weariness and constant fear with live with today that I think, made this film such a touchstone for the hate on it as well as the attempts at cancel culture that were made against it by certain factions.
I personally find the psychology of Joker fascinating as well as the others within the Rogues Gallery that Batman fights. There are books and articles about the psychology of all of these characters that you can read and they are good. There is much more to understand than just that some guy couldn’t get a girl and had a bad day so he became a psychotic criminal. This film does a good job at trying to show just how this could happen and why.
Most of all people, it’s just a movie!!
Go and enjoy it.
K.
Anders Brievik and Brenton Tarrant: Parallels of Manifesto’s, Actions and Psychology
I recently began to consider the parallels between the Christchurch and the Norwegian mass shooters which was sparked by watching a special on Anders Breivik. In the documentary on Breivik, they delve into the manifesto and his history a bit and these two things seemed to track a bit with Brenton Tarrant’s actions. In fact, it seems that Tarrant was directly influenced by Anders and his actions as well as his manifesto. So much so, that Tarrant say’s in his manifesto that he idolized Anders and in fact reached out to the “knights Justiciar” online and had communication with Breivik; “Receiving a blessing for my mission after contacting his brother knights” in his own manifesto placed online minutes before the attacks.
Digging in further, I located several copies of the full video that Tarrant was live streaming on Facebook on the darknet. I watched this and took notes on parallels between what Breivik’s and Tarrant’s actions methods and actions. It quickly became clear just how much Tarrant had taken from Breivik’s attacks and methodology. From this, I then sought out each of their writings online and their manifesto’s. I then began to map out just how much one had imitated the other and started to ponder if they are both suffering from the same mental maladies and to what extent. I began to see the parallels quite clearly and this is something the media really has not delved into. First, let’s look at the planning stages of their actions.
- Breivik planned his attacks meticulously for eleven years
- Tarrant planned for two years
- Breivik wrote extensively about certain regions and histories around clashes of cultures
- Tarrant seems to have traveled to those countries and regions that Breivik wrote about as a means to understand what Breivik had been writing about
- Breivik researched and wrote quite a bit on his plan and his mission to include a manifesto over one thousand pages long
- Tarrant wrote a seventy six page manifesto and his research was haphazard and minimal as to targeting
It seems that Tarrant lacked the concentration or perhaps the methodical nature that Breivik shows. By looking at the manifesto’s side by side, you can see that Tarrant pretty much just cribbed Breivik’s style and format as seen below. The imagery and the motive seem to be pretty parallel but once again, the diversion is on Tarrant’s side where he could not muster the longer and more convoluted writings as well as the complex ideas that Breivik is trying to get across in his writings. Of course the writings that Breivik put out also are cribbed as well from many sources and are mostly overly complex, the machinations of a disturbed mind. Actually, they remind me a lot of the writings of Ted Kaczinsky.
Breivik
Tarrant
Formatting is not the only similarity that these two documents hold though. Tarrant actually copies Breivik’s style as well. In the much longer Breivik manifesto he drones on and on but finally toward the end has a Q&A with himself as a Justiciar Knight to describe what and why he is doing what he is doing. This is a direct attempt at self justification as well as a narcissistic pastiche about seeking others to emulate him as a warrior for the cause. In both cases they show the same pathology of attention seeking and self aggrandizement as rationalization for their actions and a call to others of like mind.
- Both saw themselves as warriors in a greater war
- Both have a need to be seen as a great actor in history
- Both uploaded the manifesto just before actions
- Both expected that these actions would be the lynch pin in causing a race war or cause great social changes
In addition to the manifesto’s and desires to be “great men” both actors had very specific needs to look and play the part of the warrior. What I mean here is that both nationalistically needed to be seen as well as heard. In this way, Breivik made the mold that Tarrant re-used and added to in his attacks. While Breivik did not live stream his attack, he did plan it and carry it out in a way that made him look and feel the part. Tarrant as well followed these visual and audio cues in his own way.
- Breivik created/bought military uniforms to include full regalia
- Tarrant created/bought a military uniform with added Neo Nazi black sun logo
- Both use imagery and language concerning knights (Neo Nazi black sun in Tarrant’s equates to Wewelsburg and SS knights)
I would be interested to see if more of Tarrant’s writings and or images come out during his trial. This would add context to the comparison between the two actors actions and psyche’s. It seems that both planned for acquiring weapons and tactics much the same way, but, it is yet to be seen if Tarrant had any plans for bombs or had been working on or researching such things. My guess is that Tarrant lacked the patience for this and went for the quick hit instead. This is also visible in his shorter planning phase as well as his brevity in manifesto. It is also clear that Breivik’s hate was directed not only outwardly at Muslims or foreigners but also inward at his own country in his attacks and professions. Tarrant just went for the Muslims and the foreigner in a more spree killing modus.
Finally, I will cover the video that Tarrant live streamed. It is a hard thing to watch in total but it shows some cues that backstop this idea that Tarrant was really emulating Breivik down to some fine details.
- Breivik wrote about using an iPod during the attacks to mute out the screams. This he said was to prevent him from losing his motivation
- Tarrant played neo nazi music in the car and was dubbing this also over his video live feed
- Breivik game-afied his attacks and played video games incessantly in preparation for the attacks
- Tarrant did much the same making the video a “first person shooter” game with video as he gunned people down
It is pretty clear that Tarrant took Breivik’s model and upgraded it with the technology today of Facebook and a helmet cam. This I believe will not be the last time we see this kind of activity as the technology becomes even more ubiquitous. The question is then, how much amplification we will see with such attacks being footage that can be watched and re-watched online to activate others of like mind and mental states. It’s pretty clear that the motive of creating such videos is to activate others as well as get that 15 minutes of internet fame that the narcissist needs to sate them momentarily.
As a parting thought, I would also like to say that both of these men seem to have the same mental illnesses but I am afraid there isn’t enough evidence in the case of Tarrant as yet. Breivik clearly is a paranoid schizophrenic and I believe that was the diagnosis of him at trial. Tarrant’s history and a review of his mental status as yet to my knowledge has not been carried out and released to the public. I would be interested to see more of Tarrant’s history and biography to see if there are parallels as well. As of this date I know that Tarrant’s father died when he was ten years old but there seems not to be a similar history of mental illness as presented by Breivik even at an early age. Nature versus nurture is still a coin toss as far as I am concerned so there is still much to learn about Tarrant before we can make any pronouncements of mental illness. I will keep watching as more comes out but I thought this was an interesting set of circumstances to write about.
K.
Industrial Society and Its Future (1995) & Our Socio-Technology Woes Today
With Manhunt Unabomber on TV recently which I binged, I have been thinking about old Ted and his ideals behind the madness he was pushing. I would like to state up front that I do believe that Ted is clinically mentally ill and that manifested itself when he finally went into seclusion. What happened over the years that followed was an unbalanced reaction to ideas that have a core of truth though and many people actually see the same kernels of insight that I am going to talk about here. I have just finished re-reading the manifesto that he got the papers to publish under threat in 1995 and clipped some passages for you to see here without having to read the tome yourselves.
Where I want to direct this post though is about the problems we have today with technology that Ted seemed to foresee and also to extend a little further into the social issues that we have seen played out in our recent election cycle and the probable attacks on the one upcoming in 2018. Ted touched on some of the sociological and more human issues of technologies and systems in his manifesto but for the most part he was taking a very rigid stance that all technology is bad for human beings and the environment. He had some interesting ideas on sociology specifically on left wing and right wing personalities and ideals that, well, he get’s all wrong frankly, but I feel it is important to mention. Though he got it wrong and his opinions on motivations was, well, very 1950’s, you can see some of what he is talking about in what has been playing out with the alt-right movement.
Ted is misdiagnosing people’s motivations likely tinged with his own issues psychologically so his assessment is flawed. However, if you read above you can see something there if you align it to the alt-right today. They feel inferior in that they lack the power, or, lacked the power until Trump was put into power by their minority of thirty odd percent of the vote. Anyway, Ted goes on for a fair bit on this and I will not bore you with it as it is not overly germane to this post, but I thought you should at least get a glimpse here. Ted, you got leftists and right wing all wrong dude. Of course this was within the first pages of his manifesto and he really does not get to the technology part until section 114 or so where we want to be.
In 114 Ted starts to talk about “the system” which means all technologies to him I think, but if you look at it from the perspective of a political system as well, you can see something that maybe we all have felt. How many of you have thought about voting and come to the conclusion that your vote doesn’t count? I have, in fact in the last election I almost did not vote because I just felt that the system was rigged. In rigged I mean districts were gerrymandered, back door deals are all in play, and possibly even the election machines had been hacked because, as we all know in the security circle here, they are so weak in security mechanisms to be laughable to hack. In effect, these systems, both technological and rule based were inherently made untrustworthy by the system of politics. We have had our real autonomy and ability of action removed from us through the system and it’s rules …So why bother voting if it’s a foregone conclusion and there is no foreseeable change right?
Another area of thought that Ted writes about that seems to be a companion to the above section is once again your power is taken from you because the government or the system. In Ted’s mind it is the technology at the bottom of all this but here again he is making what I would consider more a political or societal argument. In that conservatives really want states rights over big government, I for one cannot extricate this paragraph from the notion today that the right wing would like to take away the power of the people locally as well as nation wide even with “small government” Honestly some of their thought processes are rife with cognitive dissonance but the goals seem to be “we are in control because we have the money and the power and you should just do what we say” Anyway, it is just another system and technology today only enhances the control as far as I can see. Of course we are also seeing that with things like Anonymous and the internet, the power can be interrupted with the application of the right technologies as well huh?
Here Ted is talking about the system taking over the individual to perpetuate the “system” and if you read this with an eye to today’s concerns over jobs and the rise of the Trumpists, you can see a parallel right? If the systems are now creating supply chains that are automated enough to not need human intervention for function, then we lose jobs right? Of course Trump really doesn’t cover this notion completely in favor of jingoism over borders and immigrants taking over our jobs but the real reality is that automation is doing this as well as tax games that move companies overseas. I sometimes wonder how the future will look if we do not educate our people better and these systems just function without the need for under educated workers, will we see more of this unrest that leads to another Trump?
If you have seen Manhunt Unabomber, then you will recognize the imagery that they used at the end concerning free will and systems of control. Ted takes it to the nth degree but the reality is that systems do control our actions but once again you have to accept that control and accede to it to be controlled. The very core of hackers and hacking is the notion that we can subvert the systems to make them do things they were not meant to do right? In the case of the stop light and the philosophical questions over being part of a system or controlled by one is very interesting. You all should ponder this as hackers and persons within a series of systems both technical and logical and consider your position here as well. I think we are at a cross roads here post 2016 and the use of technologies and systems of governance where one might feel like Ted a bit. What control do we really have when you could opt out of the system but the masses don’t? Look at what has happened when a small percentage of people in this country gamed the electoral system to elect Trump over the clear popular vote. The system has control over the lot of us and there isn’t very much we can do as we have seen if those in power, a small group, is in control of all our fates.
It makes one have thoughts about hacking systems… What does it mean? Can it be done? Should it?
In 130 and 147 here we have an important point from 1995 kids about the uses of technology as a form of control. Take that paragraph in and think about where we are today and what we have seen since 2001. We have fetishized technology in the name of freedom today. We have autonomous drones, cameras, NSA systems that monitor everything, and lest we forget our own abdication of our personal information and privacy for the new shiny phone or application. Collectively we have allowed our own security and privacy to be degraded for shiny things. What’s even more interesting is that those in the know, the one’s who have the capabilities to secure their private information may never really be able to completely do so because the systems are so prevalent that our data is out there anyway, just one breach away from being publicly available for sale on the darknet. I have often had thoughts about just backing away from the technology, but then my lizard brain just says “you can do this, you can secure your shit with crypto and all the things”
That’s delusional thinking.
Look at what played out in 2016 and then try to convince yourself that you can control the system enough to be immune.
Geez I am starting to sound like Neo.
Anyway, all of this manifesto reading has given me perspective on things in 2018. Ted had some ideas that are valid but he was unstable and decided to act on them to save humanity in the wrong way. Frankly he should have just lived in that cabin and kept to himself and paid no attention to the outside world. This is the crux of the problem though, could he? It seems like he lived on the fringes of society and he knew he could not go full mountain man and live off the land so he did what he did. Herein lies the problem though for us all. Unless you have the wherewithal to live fully off the land then you have to deal with technology and society right? So here we are, how many of you out there could just walk into the woods and live? I find it funny that a lot of our zombie shows pretty much deal with this issue and we are eating it up. Deep down we all know that if society broke down and technology stopped, we would have to fight for everything to survive. Many of us wouldn’t be able to handle it and there would be a lot of attrition.
As we move forward with AI and more technologies that are supposed to make our lives easier, we are also infantilizing ourselves, separating ourselves from communities, and giving away certain aspects of ourselves to the machine. So I can understand some of what Ted was saying …I am just not mentally unstable enough to want to live in a shack and make little packages of explosives. I do however have my moments when I as; “What are we doing here?” I have written posts on Stratfor about hybrid warfare counter programs and honestly between the pervasiveness of the technology and the cognitive dissonance of those who use it I can see no good options for countering it. Is the answer then to just leave Twitter and Facebook? Is the answer to just not surf the net and read a book from a library? Or do you double down and work the system like a hacker and try to get some sanity?
K.
The Post Conspiracy Age
In last weeks episode of The X-Files, the whole notion of conspiracy theories, truth, and reality were amusingly deconstructed. The premise of the episode was put into one of the more amusing funny X-Files over the years but the core observations it made were something to think about outside of satire. The story line follows the idea that Mulder and Scully had a partner that neither can remember because he has been collectively erased from their memories by a “Dr. They” a hypnotist spooky doctor of some kind. The plot line slides along greased by all the conspiracies over the decades of the show concerning belief in cryptozoology and aliens while making the case that the human memory is not only fallible, but it is also highly manipulatable.
Throughout the story line the notion that people remember things differently per experience also is at play with the idea that forces are at possibly at work shaping the collective memory. One of the ideas they drag up is that of the Mandela effect, where people have varying memories of Mandela dying in prison as opposed to him being released in 2013. Of course Mulder offers the theory that these are often explained by parallel universes, but that is shot down by Scully and “Reggie” the alleged partner they cannot remember. I for one have heard of the Mandela effect but then Reggie says it is not the Mandela effect, it’s the Mengele effect. The Mengele effect as far as I can tell is just a plot device for this episode of the X-Files but the Mandela effect is another matter. It seems many who misremember go on to substantiate their own inability to remember things properly as an “effect” to save face.
“It’s the Mandela effect. When someone has a memory of something that’s not shared by the majority or the factual record. For instance, there are some people that have a memory of seeing a movie called Shazam starring Sinbad as an irrepressible genie. Even after it’s pointed out to them they’re probably thinking of a movie called Kazaam starring Shaquille O’Neil as an irrepressible genie. Especially because a movie named Shazam was never made.”
“But what if I don’t remember either movie?”
“You win!” – Mulder and Scully
Aside from the idea that there are Mandela effects, aliens, squatches, and government conspiracies, this episode focuses not on them for me as much as the methods these ideas are spread and the nature of just what is truth anymore. In a meeting near the end of the episode, Mulder meets the mysterious Dr. They, who is seen standing by a sculpture making the “tsk tsk” or naughty hand gesture that you see above. He starts off talking to Mulder about how the kids today have no idea what this means anymore and that we are living in a “Post conspiracy age” where nothing is real anymore anyway so conspiracies just mean nothing.
“They don’t care if the truth gets out. Because the public no longer knows what is meant by the truth.” – Dr. They
Basically They tells Mulder that none of his truth seeking matters anymore because we are in a post truth society. In effect, nothing can be true anymore because everyone just believes what they want to paying no never mind to facts and things that are known to have been truths. It was this scene of the episode that just hit home for me. In a time where social media has given rise to the common man’s ability to leverage their own cognitive dissonance as part of a larger machine of propaganda and psyops by nation states and corporate entities, nothing is real anymore. Even if you present people with facts and data, they can just discount it because of they now have an arcology of communities that they belong to which re-assure and amplify their own ideas whether or not they are patently wrong and provably so.
….In essence an arcology of echo chambers.
“Believe what you want to believe. That’s what everybody does nowadays anyways.” – Dr. They
As I watched that scene over again a few times it all hit home in a way that I had not overtly thought about in a while. We are living in an age of subtle Nihilism where nothing really exists or matters on a factual or truthful level. It’s all “Truthiness” as it was coined by Stephen Colbert. You choose the level of the truthiness and it’s content per your belief system and no one will be able to assail your notions because they are just wrong. In the X-Files episode the quote by Orwell was brought up twice of “He who controls the past controls the future.” which is then re-stated by They in the meeting scene with Mulder where he says that it was Orson Welles who said it. He is corrected by Mulder that it was Orwell, but basically They then says “for now” as if he is about to manipulate everyone’s memory to change that. It’s amusing as a scene but the reality is that with the facile minded and the misinformation of the internet and manipulative media, it is a possibility that it could become a reality where the masses believe it was in fact Orson instead of Orwell, and then it will be come de facto fact as someone edits the Wiki page and commits.
“We’re living in a post-cover-up, post-conspiracy age.” The “poco”
I was left thinking after this episode about the problems I had been mulling over concerning counter narratives and programs to fight active measures campaigns like the one that Russia carried out and is still carrying out on us. One could just buy into the idea that there is no real way to fight this because we have a system now that allows and perpetuates these echo chambers. Twitter is a steaming pile of minis-information and food pictures. Facebook, well, Facebook is another animal altogether and Zuck has recently doubled down on the problem by saying they plan on only having more inter-networked news being passed on by it’s users instead of real news service feeds. This will only lead to amplification of misinformation as those groups only echo those “truths” they want to believe as opposed to facts. It all makes one want to embrace Nihilism all the more and really believe in nothing at all because what can you believe in when everything is just opinion as fact?
Today we are bombarded with information that has been created, ,managed, or manipulated by the unseen hand of corporations, people, governments, and cabals if you want to believe that. It is up to the consumer to do the leg work and discover what is truth, but unfortunately for the masses it seems, the truth is just subject to their own cognitive dissonance. In 2018 we are about to embark on a new roller coaster of disinformation and active measures not only perpetrated by Russia and other actors, but ourselves. How do we really fight that power?
K.
A Psychological Thumbnail of Donald J Trump’s Narcissistic Personality Disorder and Its Implications
DSM-V Narcissistic Personality Disorder:
As you may have noticed of late I have been pretty quiet here. Since the election I have been taking stock of what is happening and trying to assess what is yet to come and what courses of action might be appropriate. As they say, when you are quiet you can hear more, unfortunately in this environment of late the cacophony is 24/7 and now has so many ‘alternative facts’ it is hard to parse it out and keep one’s sanity. I have though pondered 45’s psychology because he has been giving us all quite the window into his psyche since his inauguration. Of course if you have been paying attention to Trump throughout the years you have seen glimpses of his disorder but one could just shrug that off because he was a celebrity and not the president. Now though, he is in the presidency and he has control of many levers of power.
With that in mind I would like to acquaint you all with NPD (Narcissistic Personality Disorder) from the clinical point of view and expand a little given what we all have seen unfolding in the media as he overreacts to those things that challenge his own reality of grandiosity. As you can see from above, the diagnostic keys for NPD align to much of what we have seen of Trump over the years but in particular highlighted recently with regard to his exceeding need to have the “largest ever” crowd at an inaugural. Let’s map his recent actions with the DSM shall we?
- Identity: Excessive reference to others for self definition and self esteem regulation; exaggerated self appraisal may be inflated or deflated, or vacillate between extremes; emotional regulation mirrors fluctuations in self esteem
- I have the best people
- I have a great brain
- I had the biggest turnout at an inaugural
- The rain stopped and the sun shown down on me during the speech
- The media is at war with me
- The CIA is acting like the Nazi’s against me
- His whole Twitter feed
- The Spicer incident with Trump ordering him to have his first press conference to trumpet his own reality of exceptionally large crowds at the inaugural post the Women’s march
- Self direction: Goal setting is based on gaining approval from others; personal standards are unreasonably high in order to see oneself as exceptional, or too low based on a sense of entitlement; often unaware of own motivations.
- All of Trump’s products with his name on them proclaim to be the ‘best’ the gold standard
- He is the son of a rich man who he sought to please but has always held the entitlement of being a “winner” per his fathers ideology of winners and losers
- Gaining his fathers approval was key in his youth (being a winner)
- As to motivations, he has vacillated on topics to garner attention in the media on many occasions then lies about being pro or anti anything even after the footage is produced
- Empathy: Impaired ability to recognize or identify with the feelings and needs of others; excessively attuned to reactions of others, but only if perceived as relevant to self; over or underestimate of own effect on others.
- Mocking the disabled
- Othering of lower classes
- Reactions only when the attacks are against his own self worth or perception thereof (See debates “I’m like the smartest guy I know”)
- Intimacy: Relationships largely superficial and exist to serve self esteem regulation; mutuality constrained by little genuine interest in others‟ experiences and predominance of a need for personal gain
- Most telling, when asked who his friends were by a reporter he said “I don’t really have any”
- All relationships therefore in light of that comment (which was then backstopped) are then for gain of some kind as perceived by Trump
- Pathological personality traits in the following domain:
1.Antagonism, characterized by:
A. Grandiosity: Feelings of entitlement, either overt or covert; self centeredness; firmly holding to the belief that one is
better than others; condescending toward others.
B. Attention seeking: Excessive attempts to attract and be the focus of the attention of others; admiration seeking.
C. The impairments in personality functioning and the individual‟s personality trait expression are relatively stable across time and consistent across situations.
D. The impairments in personality functioning and the individual‟s personality trait expression are not better understood as normative for the individual‟s developmental stage or socio cultural environment
E. The impairments in personality functioning and the individual‟s personality trait expression are not solely due to the direct physiological effects of a substance (e.g., a drug of abuse, medication) or a general medical condition (e.g., severe head trauma)- See all indicators above
- See arc of his personality over time in the media
- He has no sense of the disorder whatsoever, in fact admitting such would only dimish his own portrait of esteem
- We are not aware of drug abuse or trauma to the individual
You can see where he is lining up with the DMS-V categories and I could go on with citations but we don’t really need to do we? All of this should be rather apparent and become even more nauseatingly clear as we move along in his presidency. It is also of note that leaks have started to appear due to the president’s outbursts from his narcissism at his staff. He is already alienating staff and likely will continue to alienate others around him who must work with him as his narcissistic tendencies assert themselves against them.
Another narrative I would like to bring up is the whole kompromat against Trump and how the NPD plays in this milieu. If there is kompromat on Trump then it is likely to be the one thing that would really work against a sufferer of NPD. Imagine the amounts of schadenfreude Trump would have to deal with if such documented evidence were to be released? Particular to this vein of thought would not be the sexual foray’s, I should think that some part of Trump would rationalize this as is overt manliness and sexual prowess (if only sex acts with hookers, if it was in fact being urinated on, well, that is another bent that may lead to diminishing his self perception) and use it to self re-enforce his beliefs. The kompromat that would be most damaging to him would be financial and call into question the quality of his businesses and his products. Alternatively the evidence of bad business dealings, dirty deals, and most of all, Trumps not being his own man but being beholden to others (i.e. monies lent and lost etc) that would diminish his grandiosity and perception of his world.
In summation I would just like you all to have a look at the DSM-V on this and his pathology he has shown us all and will continue to as time goes on during his presidency. I would also like you all to consider this thumbnail as a core aspect of how you might resist against him. Mocking him seems to be the best tool to use to flummox him and cause a reaction, perhaps I should say over reaction really. Additionally, look at this in light of how other countries will react to him and maybe learn to use this model as well. The way I assess it, if he is mocked enough and in the right ways he will over-rotate and cause ripples around him. Those ripples will come back at him and cause him to react more, it is a feedback loop that may in fact lead to his presidency ending through impeachment.
Interesting thoughts…
Dr. K.
ASSESSMENT: Insider Threats, Espionage Recruitment and Psychological Profiling
Insider Threat SNOWDEN:
The insider threat has always been and always will be the bigger of the threats or so the aphorism goes. In reality it certainly seems to be the case in the Snowden affair and the NSA is still stinging from it as I write this. Snowden leveraged his administrative access where he could and used technical and social means as well to gather the information and access he wanted to ex-filtrate out of Ft. Meade. Since Snowden was so successful and the NSA and IC has been blindsided by the ease of the attack and their stunning lack of controls the government and IC has been re-thinking their security around insider threats. Since much of today’s technology allows for ease of access and people tend to be the weakest link in the security chain (on average) the NSA is looking to more proactive controls against this type of exploit. Since they failed logically and technically to stop an insider attack I assume that they are in a real bind trying to assert control over not only the data they house but also the custodians of that data and architecture as well.
The Insider Threat Has Always Been The Largest:
Since the dawn of time the insider threat has always been a go to if possible in waging war against anyone. The Trojan Horse for example is the greatest use of the “insider” by placing outsiders inside and making the opposition the method of their own doom. Insiders though are commonly traitors or spies (sleeper or other) inserted or bought to work for the opposition to gain access inside the confines of the sanctum. In the case of hacking and digital malfeasance this often times takes the shape of an insider who feels they have been wronged in some way and either steals IP or destroys operations within a company or org to cause great damage. What has come to light though over the years and now has been brought to the fore are the psychological and social cues or traits that make a person more likely to be an insider threat.
In the case of espionage the recruitment of spies really is the tale of an insider threat. What makes someone become an asset for a service like the CIA? Within the IC (CIA) a lot of time was spent on the psychology of recruitment and handling of assets. MICE was the standard by which the CIA handled recruitment and handling up until recently when a new paradigm was put forth (RASCLS) which is much more reciprocal instead of just carrot and stick. Where all of this touches on insider threats though in the common vernacular of INFOSEC is where the motivation lies for someone’s actions. In a paper put out recently called “Inside the Mind of An Insider” the focus is on technologists and insider attacks that they have or may carry out and their personal motivations as well as proclivities to do so within the tech sector. I however would assert that this take is only a sub header within the larger umbrella of motivations and actions that an insider whether or not they are a spy or just an aggravated tech worker would have or carry out.
in the paper (cited above in picture at top) the writers lay out the “six characteristics” that coincidentally make up much of the same ideals and motivations that you will find in a recruit-able asset within the IC sphere. In fact, I would assert as well that if in fact Snowden were at all contacted by an outside security services to do what he did, these motivations would have been leveraged within him as well. What it all comes down to human nature. We are all subject to wants and desires as well as feelings of being under appreciated or not appreciated at all in our daily lives. This makes anyone potentially an insider whether they self activate or are handled by someone.
Countermeasures And Technologies:
The NSA though has been working on some technical means of detection and deterrence of an insider attack where other logical means have failed. These consist of programs that monitor behaviour patterns of users and access as well as I can only assume their outside activities such as internet access, browsing, and comments on sites. Can such programs really detect accurately the mind of a person and their motivations to lock down on them as a potential threat? I am sure that the technology is getting much better at this heuristic behaviour detection so sure but I don’t think it will be infallible however. I also suspect that it will also mark people as bad actors when in fact they may never even entertain the thought of actually carrying out some plan against the NSA or whatever company that might employ such tech. I would also assume that the people at the NSA will be undergoing more frequent and rigorous Poly sessions as well as perhaps psychological profiling which does not bode well for many I think who want to feel as though they are part of a team. Generally the job is stressful enough when you cannot talk about anything you do and are always fearing that you might slip at some point and give away information that you shouldn’t. The psychological stress of cleared life is hard and this will all just make it a little harder in the post Snowden world.
ANALYSIS:
Whether you call it an “insider threat” or a spy, saboteur, or insurgent the same psychology applies. People are motivated by things that are personal to them. Desires they have for money, power, or fame as well as a myriad of other reasons for their actions. To attempt to detect and deter this activity will be quite the undertaking and hard enough in the classified world. Now imagine that you are not a cleared individual but instead an corporate employee, how are you going to feel about such activities and programs attempting to tell whether or not you might turn on the company and damage their servers? I somehow doubt that many corporations will undertake the threat modelling here for insider threats as seriously as the NSA but I can see where some might want some insight. We already have things like Websense and IDS/IPS/SIEM tech that follows traffic but with the advent of the likes of Facebook, how long will it be until they offer a service that tracks users behaviour and sells it to your security department? If companies are sufficiently worried about their insider threats then they will begin profiling and putting in countermeasures.
Welcome to the brave new world…
K.
Digital Natives, Digital Immigrants, Exo-Nationals and The Digital Lord of The Flies
XXXXXXXXXXXXXXXXXXXX
Digital Natives
Last week Josh Corman was at a conference and live tweeting commentary and thoughts online about INFOSEC and around the ideas of Cyberwar. At one point he mentioned the idea of “Digital Natives” against the backdrop of nation states and it struck me again as something I needed to expand upon. Though Josh had said he wanted a chance to explain further to me his ideas before I posted I don’t feel like I think that differently than he does about the topic. Though perhaps I do, I am not sure as I have yet to hear his ideas in full but I wanted to get this out of my head now so here it is.
Digital natives as a term has been around since 2001 when Marc Prensky coined the term in his work “Digital Natives, Digital Immigrants” was published. In this article he explains the basis of the idea that since kids from 2000 on (I would say earlier for some of us) have grown up with computers and the internet as a ubiquitous appliance/medium they tend to be greatly different in thinking, acting, and general attitudes than their parents and older generations. These people who did not grow up with the technology always around them and used by them are termed to be “Digital Migrants” and have emigrated to the use of the Internet and technologies. As such, these immigrants are often seen as foreigners in the digital world with antiquated ideas on how things should work and methods of doing things. The article (see below link) also goes into some detail on the cognitive differences as well as social differences that Presnky was seeing in the studies he was conducting.
Prensky; Digital Natives, Digital Immigrants
Prensky; The Emerging Online Life of Digital Natives
Another paper that Prensky wrote was on the emerging online lives of these “digital natives” in that you could see the emergent behaviors progressing as online life (Web2.0 and Social Media for example) expanded to allow for more connectivity and social malleability. In both though the idea is put forth that we now have a generation or a couple really, that are inherently living their lives in a completely different way than their parents and all of it predicated on rapidly changing technology. This idea lends itself to the problems we face today as INFOSEC ptactitioners, governments, law enforcement agencies, and as parents to children who on the face of it are cognitively different than we are. Add to this the problem that much of our lives are now greatly affected by these technologies (banks, power, credit, reputations etc) that this generation or two now can control at very young ages for good or for ill and we have a problem that we must understand in order to manage.
Digital Immigrants
Moving on we have the Digital Immigrants, those who have moved into the digital space with smart phones, PC’s, Laptops, Ipads, and the like. Many do not leverage these devices in the ways that the natives do and in fact do not understand them on the whole. Outside of the people in the business of creating these wonders and creating their infrastructure the bulk of the populace older than 30 on average have little cognition of how things really work. I know this is a gross generality but just go with me on this and let’s not quibble ok? So, we have all these people who still use paper books and write things on pads and the natives think on the whole that they are a foreign species according to Prensky.
What really shakes out for me is that on the whole the LEA’s, the Gov, The Generals, and corporate execs of the world are all pretty much on the whole not of the Z or iGeneration (Natives) This means that they are all immigrants and by the terms of the idea not really connected to the ideals, attitudes, and cognitive changes that the iGen’s have in place. Add to this that aforementioned inability to really understand the technology itself nor how it could be leveraged and we have a pretty big problem with the world don’t we? Look at all this talk over cyberwar today and the outmoded modalities that are being used to try and grapple with the problems. How many times have you had the experience gentle reader with your boss or some other person as you try to explain to them the security problems with technology just to get a blank look back? …You get my point…
So we have the digital natives on average running circles around the immigrants (kids vs. parents, iGen vs. those in power) and friction occurs. All you really need look to are the cases of Aaron Swartz and Weev to see it play out in the media and the courthouse. What we commonly see as nothing really wrong the immigrants see as abhorrent, illegal, and immoral. The fact that say Weev just wrote a script to enumerate pages to us is nothing while in the eyes of the corporate types and the law it is an offense worthy of going to jail for 3.5 years and a lot of money in recompense to the corporation that was enumerated. Until such time as the immigrants are all gone and only the natives inhabit the net and the meatspace we will not have substantive cognition of the new generations mores and means of living with the technologies and how the laws can be changed to make a little more sense about offenses online as well as problems like cyber-warfare. It will take a at least another generation until parity is reached.
Digital Exo Nationals
While I think that the ideas of Digital Natives and Immigrants was what Josh had in mind as the core to his statement I also think he was alluding to those natives as being their own state. This is an idea that has been brought about by Anonymous and I think could be termed as “Digital Exo-Nationals” Those out there who feel that the net is a stateless space where no one state rules them (nation) nor do the mores of meatspace apply within the electronic world they live in. A group like Anonymous can claim to be truly stateless and on the face of it they can be on one level, but I think that on the whole anyone who is not persistently living just online (meaning they reside inside of a computer network) is in fact affected greatly by where they were raised, by whom, and are the product of their upbringing. This fact will always color people’s reactions and there will always be some form of nationalism to them as they interact online or take up arms in defense of some ideal.
With that said though I think it is nominally an idea that has merit. I believe in many ways the deizens of the net (i.e. the iGen/Natives) think of themselves as apart from the “real world’ that they physically inhabit when they are online, which today is pretty persistent at a connectivity level. This cognitive dissonance creates quite the dichotomy of perceptions for the natives. Once offline they must generally adhere to the structures of the “old world” as opposed to the pretty much wild west of the Internet and on average they manage to separate the two lives much like the quote from “The Matrix” by Agent Smith;
Agent Smith: It seems that you’ve been living two lives. One life, you’re Thomas A. Anderson, program writer for a respectable software company. You have a social security number, pay your taxes, and you… help your landlady carry out her garbage. The other life is lived in computers, where you go by the hacker alias “Neo” and are guilty of virtually every computer crime we have a law for. One of these lives has a future, and one of them does not.
This is pretty much the perception for the immigrants right? While on the other side Neo would consider himself a freedom fighter or a seeker looking for a basic truth that the old system (i.e. The Matrix) is trying to prevent him from seeing. Think about this idea for a minute while reflecting on Anonymous today in the Wikileaks age. I think you will see the parable here and this is a core issue between Immigrant culture versus the new Native one. It is interesting to note though, that in the case of the Matrix, the natives are in fact both Neo and Smith in one sense but only Neo resides in a corporeal way… But I digress into philosophy here and before I break out my copy of “Simulacra and Simulation” on you I will stop.
Ok back to the issue at hand. We have digital natives now that perceive themselves as “Exo-Nationals” the net is their country and it is outside of the corporeal world. Their rules are not the rules of the real world and their mores are different. Their culture is one that is new and evolving and unfortunately the world they inhabit is not really theirs to control. Since the backbone of the infrastructure is owned by corporations and governments they’re really only renting if not actually squatting in their exo-national domain. This fact however does not stop them from trying to control the networks and in many ways they are able to through hacking and the use of good OPSEC. You see, in reality the natives who consider themselves Exo-Nationals are in fact guerrilla’s for the most part to my thinking.
The Digital Lord of The Flies
No matter the dialectic, there are issues to the dichotomy between the natives and the immigrants that can beget darker things. Since on average the common kid today can bypass most protections a parent my try to purchase for their home computers, that is if they are even cognizant enough to try, we have a generation that pretty much can run amok online. Without oversight the digital natives pretty much run the show. This has been touched upon by sociologists studying 4chan and Anonymous in the past and is quite valid a point. The mores of the natives are greatly different within the online world than those that we would teach them in the offline one. All of this is really predicated on the idea that once online the native is “anonymous” by use of technological means in the extreme or just the perception thereof by those who do not cognitively understand it (younger natives still learning)
Generally though the natives learn quickly that they can do many more things online that parents and others would find frightful offline and in public. It is this “disinhibition effect” through percieved or technical anonymity that allows for this behavior to evolve and thus gives rise to what I call the “Digital Lord of The Flies” effect. In essence the children have been left to their own devices on a digital island and those more powerful take over and rule rather mercilessly. In the last few days I got a first hand view of this effect with regard to teens and twenty somethings in the gamer/Xbox verse. Where gaming had become banal some of these “crews” or “Teams” began upping the ante by hacking, carding, and what they call GT (gamer tag) “Jacking” All criminal activities that are perceived by these kids as ok because they are not doing these things to people in reality (and by reality I mean in person in front of them)
There seems to be a disconnect within the psyche for these kids where their actions are just not real because it happens online. Some of these kids that I tracked online due to recent events with the attacks on Brian Krebs that leads me to believe some of them may in fact be on the road to sociopathy. This though is not the case for all of them of course so one has to ask how is it that they feel so moved to carry out these deeds online and not feel the least bit of remorse about them? It is this disconnect that fascinates me really and I will be looking further at it in the future. As more and more generations move into the natives category being born into a world with prevalent technologies we will only see more of these problems until that parity I spoke of happens. When the parents of all these kids are just as savvy about the net as their kids are, then we will be able to teach them.. Of course in thinking about this it comes to me that perhaps that will only shift to natives teaching natives the same behaviors…
Sigh…
Time will tell I guess.
K.
So APT Is China *snicker* Now What?
zl’s egt amsk sbfmt kze kwcyfocggp ktlhiu!
Avanced? Persistent? Threat?
As RSA comes to a close and the corridors of the hall stop ringing with the acronym APT bleated out by a megaphone from the Mandiant booth I find myself once again looking at the problem as opposed to the hype. Let me simplify this for you all a little bit here to start though. APT is not necessarily “advanced” as the Mandiant finally lets you all out there not in the secret squirrel club know. In fact the APT’s are often just outsmarting the average end user on a daily basis and you and I both know it does not take a mental genius to do that right? Seriously there is nothing overly advanced nowadays in sending phishing emails and doing recon to assess your targets. Sure there is some coding going on once inside that is novel but really, any good hacker will tell you that they can code some shit up to keep persistence or maybe just buy it on the black market if needed. This is not rocket science here.
On the persistence thing yes, yes they are. They are persistent not only in trying to keep their toehold but also in that they bombard companies with emails in order to have a signal to noise attack. This is nifty but really it’s not a new technique. So ok persistence means they keep trying but it is often our own failings that ALLOW their persistence. Everything from the #click_sheep who keep clicking on every god damned email they get that asking if they want a bigger penis to companies lack of controls over patching and other standard procedures that they should be carrying out on their infrastructure. So when really looking for someone to blame look in the mirror folks. Hey maybe you will look in the mirror and see that you are Chinese huh?
Finally the “threat” part well I think I just covered that huh? YOU are the real threat in this vector. The adversary is just leveraging that fact to obtain their goals. The threat is not Chinese, Russian, Israeli, or French. It’s us. We are the threat and this was the case even before computers and espionage came together. How do you think a lot of the information was stolen back in the day from governments and companies? That’s right kids! It was by people being paid off or being leveraged in some way by spies and spy agencies. Now though, we really don’t have to leverage people as much with compensation or threats. Instead we just leverage their human natures and boy oh boy does it work ever so well!
Our sloth, greed, and general cluelessness are our own undoing.
Is WHO Hacked You That Important?
So Mandiant puts out a report on our Chinese hackers and everyone is a twitter over the “revelations” As someone who has personally dealt with this type of activity in my work life I was pretty apathetic about the report and it’s being published outside of the “sekret squirrel” world. Sure, they probably set us all back some and certainly have set the stage for a great amount of douchery to come but really, what good comes from this report and the data it dropped? Hurriedly I have seen many glom onto the hashes and the techniques that the Comment Crew was using in order to fortify their environments since the drop. Of course this may be to no avail as soon I am sure the CC will be changing their ways but hey, it gives us all something to do huh?
Meanwhile people are nodding their heads and saying “BAD CHINA” while the government pops out 140 page draft resolutions on how to deal with China and their hacking of our IP. I for one see this as just a lot of smoke and mirrors that may in the end have no greater effect other than political gain but hey who am I right? Let’s let it roll as everyone gets their panties in a bind over China. Others though have piped in and said that maybe it’s not only China but all too often these voices are not enough to cut through the cacophony of stupid to make it to the reasoned ear. Guess what kids it’s not just China and it never has been and this is the problem of fixating on one target. You tend to lose the other and then they come up behind you and shoot you in the back of the head.
The upshot here? Who hacked you is NOT as important as WHY you got hacked and HOW you got hacked. The old WHO WHAT WHY WHEN & HOW are important equally and we unfortunately have collectively latched onto the WHO and this will be our downfall. At least Mandiant is looking at the how but I am not hearing much about how to remediate the problems that cause the problem to start with. Instead as we see with the government response they are going to the WHO and saying “cut it out” and anyone who thinks that that is going to make them stop is really biting too tightly on the crack pipe. So back to the point which should be plainly clear. We are the target and we are the problem. It is important to understand the who but you cannot leave out the WHAT, WHERE, WHEN, and WHY. If you do then you will never win the battle.
Know Thy Enemy.. Know Thyself…
It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.
Sun Tzu: Art of War
It’s a trite thing to some out there *looking at you Jericho* to quote Sun Tzu in any cyber context but in my case here it is absolutely correct to quote. The problem I am finding in much of the approaches to trying to defeat or lessen the APT problem focuses less on knowing the self (aka your network and your people) and more on blinky light solutions to stop them dead in their tracks as the vendor propaganda states. Some even go as far as to proclaim that security awareness is pointless which I called bullshit on before rather vociferously in the past. I find it to be one of the more reprehensible statements made up until yesterday’s revelations that a panel gave at RSA saying that “We are soon going to live in a post crypto world” and that crypto is pointless because the APT keeps avoiding it. This is one of the most idiotic statements I have heard in a while and it just makes me think people misunderstand APT even more than before. Everyone thinks they are unstoppable and that is not right. These attacks can be mitigated but it will take real work to do do not some blinky verndor solutions.
The point here is this; We need to carry out due diligence and we need to be vigilant in our security apparatus. We need to engage the end users and teach them about malware and phishing and keep teaching them over and over and over again. Wrote learning is the ONLY way that this will get into their collective heads. Sure, we can also use technologies to attempt to arrest the spear phishing attacks but if you have a 3 star general who is a #click_sheep well, you are pretty much fucked if you are not really paying attention to the network SIEM and other mitigations in place and even then, with creativity those too can be outwitted. These APT types use common traffic to hide within and that is the problem. The pivot is the key here, they are using your network to their advantage just like a Judo expert. Will you be able to stop them all? No. Will you be able to considerably cut the attack success down with holistic methods? I believe you can and I have seen it in action. Others have said much the same thing and I hope more people start paying attention.
I agree that knowing who is attacking is important but it is only important as long as you take the time to be introspective about what they are seeking from you and how they are getting it out of you. What flaws in your infrastructure and culture are they exploiting that is allowing them to rob you blind and how can you remedy them to stop them. These are the key questions that seem to be missing from so many vendor offers like Crowdstrike and others out there today offering offensive defense or active defense. Sure, if your org is working properly and you have security enlightened end users go for the disinformation honeypot things and other means of defense. However, if your people are a bunch of #click_sheeple then what is the point? You will be PWND and it will be all be moaning and wailing “woe is me” in the end …Trust me.
Oh, and a last word here on the #click_sheep thing. Why am I harping on it? Look at the reports again. 99.999 percent of the attacks are being performed via phishing and spear phishing STILL! We have known about this type of attack how long? Come on people! There’s a reason it is done this way. It’s because people are not being trained properly as well as their systems are not being patched up! I know what you are thinking “but there’s 0day!” Yes yes there is but that is only a small percentage of the attack surface at present.
CLICK CLICK PWN.
Behavior Modification Is Needed
Now that I have ranted a while let me just re-iterate the facts. We are to blame for the APT successes. The term was coined back in 2006 and though it’s been in the secret squirrel world it was a known quantity. In fact I would say that it was not only the APT but generally crackers who were using these techniques for the most part and the APT just went along with it and refined it. This is not new and now that it is all out in the open we need to really pay attention here and look at the problem from the macroverse level and not just the myopic microverse that we in the industry tend to have. This isn’t just a technical problem it’s a sociological and psychological problem that we have to work on. Many say that there is no defense to social engineering attack but I do not ascribe to that. With the proper security education and awareness training anyone can defeat SE attacks. It just takes training like that which Dave Aitel thinks is pointless.
9/11 pointed out to the intelligence community that an over-reliance on technology failed to detect and stop the 19 hijackers from AQ. This failure was remedied by adding record numbers of assets post 9/11 to carry out HUMINT (Human Intelligence) and what we learned most of all that technology in itself is useless against human nature and a healthy dose of avoiding tech. It was tradecraft that allowed the plot to succeed even when their phone conversations were being tapped. I make this analogy because once again we are facing the same problem within the INFOSEC community as well as the government and military’s. The adversary is relying on human nature and we are relying on technologies created by humans. It’s a bad mix really and it needs to be re-evaluated to include more introspection on the people creating, maintaining, and using the technologies today. So far I am not seeing too much of this ethos being bandied about in the community and I think it is at our own peril.
I feel like it should be a catch phrase akin to the GHW Bush era’s “It’s the economy stupid” In my case though its more along the lines of “It’s not just the technology stupid” We have been myopic and we need to cut that out. The next shiny whizbang appliance is not going to stop that 3 star #click_sheep from opening the email addressed to him with the misspellings about how he has a package from UPS and needs to install this .EXE file to get it.
Derp.
K.
Psychopathy Tweets: Too Much Statistics, Not Enough Proof of Concept
On Sunday Defcon 20 had a talk that I had previously written about on the idea of using statistical analysis of word use to determine psychopathy in individuals online. As I sat through the talk and steadily watched people get up and leave I too had the urge to walk away as well. However, I had a mission and that was to confirm if there was any evidence that would say to me this was a viable means of detection for psychopaths.
What I came out with, after many slides of numbers, was “nope not really” Which, I pretty much had thought before. There are just too many variables to this type of venture and you would, in the end, need to have a trained psychoanalyst to talk to the individual to determine whether or not they are a true psychopath.
Sorry Sugg.. It was an interesting idea and I am wondering just where this will go if the author of the original paper tries to expand upon this process. You see, for this to work online possibly, is that the trained individual would chat with the “patient” or “UNSUB” as the case may be, to ask specific questions to elicit responses. See, that would work I think, but it is a manual process not a big data solution. So, while it was an interesting trip into what psychopathy is and possibly how to spot it in word use, it was a failed experiment in my book.
Now, another twist on this idea might be to take the transcripts of anonymous and other IRC chats and wash that through your program… There’s a lot going on there mentally and might show some traits, but, are they really suffering from some sort of psychiatric illness or are they just maladjusted? This has been something I have written about before an the vernacular used as well as the mindset that seems to be prevalent warrants some looking at perhaps.
Maybe next year?
Overall though, I surely hope that the governments and law enforcement bodies out there do not take up this idea and begin to mine people’s chat logs for psychopathy
*shudder*
Ding Dong! It’s the forensic psychiatrist.. We saw your tweets and thought we’d have a chat? What? these cops? They’re just here to visit too!
K.
INFOPOCALYPSE: You Can Lead The World To The Security Trough.. But You Can’t Make Them Think.
“Dark, profound it was, and cloudy, so that though I fixed my sight on the bottom I did not discern anything there”
(Dante Alighieri; The Inferno)
The current state of the Security “Industry”
It seems that once again people who I have acquaintance with in the security industry are wondering just how to interface with corporations and governments in order to build a base of comprehension about the need for information security. The problems though are myriad with these questions and the task to reach people can be a daunting one, never mind when you have groups of them in hierarchies that comprise some of the worst group think in the world (AKA corporations)
Added issues for the “industry” also surround the fact that it is one at all. Once something moves from an avocation to a profession, you have the high chance of it becoming industrialised. By saying something has been made industrialised, implies to many, the cookie cutter Henry Ford model really. In the security world, we have seen this from the perspective of magic boxes that promise to negate security vulnerabilities as well as teams of consultants who will “securitize” the company that is hiring them with magic tools and wizardry. The net effect here is that those paying for and buying into such products and services may as well be buying a handful of magic beans instead.
Now, not every company will be efficacious in their assessments nor live up to the promises they make for their hardware/software solutions. Many practitioners out there and companies really try to do the right thing and do so pretty well. However, just as in any other business, there are charlatans and a wide range of skilled and unskilled plying their arts as well. Frankly, all that can be said on this issue is “Caveat Emptor” It’s a crap shoot really when it comes to goods and services for security solutions. The key is though, to be able to secure yourselves as a company/entity from the standpoint of BASIC security tenets up.
Often its the simple things that allow for complete compromise.. Not just some exotic 0day.
So we have a cacophony of companies out there vying for people’s dollars as well as a news cycle filled with FUD that, in some cases are directly lifted from the white papers or interviews with key players from those said same companies seeking dollars. It is all this white noise that some now, are lamenting and wondering just how do we reign things in and get a stable base to work from in an ethical way to protect companies and individuals from information security meltdowns. More so it seems lately, the question has been how do we reach these people in the first place? How do we actually get a meaningful dialogue with the corporate masters and have them come away with the fundamentals of security as being “important”
Unfortunately, I think that there are some major psychological and sociological hurdles to overcome to reach that point where we can evince the response we all would like to see out of those C level execs. I have written about them before, but I will touch on them again later in this piece. Suffice to say, we all have a tough row to hoe where this is concerned, so, I expect there to be no easy answer… Nor really, any satisfactory conclusions either.
“It is a tale Told by an idiot, full of sound and fury, Signifying nothing”
(Shakespeare; MacBeth)
Security Joan of Arc’s and their Security Crusade:
Joan De Arc was a woman ahead of her time. She wore men’s clothing and lead the French in battle against the English and to victory, all as a teen girl. She later was burned at the steak for heresy and just recently made a saint many years later. I give you this little history lesson (link included) to give you an idea of who you all are in the security industry lamenting over not being listened to. You too may be ahead of your time, but, just as she was, you too will not be listened to because your ideas (to the listeners) are “radical”
Now, radical is a term I am using to denote how the corporate types are seeing it. We, the security advocates, do not see these concepts as radical, but instead as common everyday things that should be practices (complex passwords, patching effectively, etc) They (the client) see these things as impediments to their daily lives, their bottom lines, and their agenda’s both personal and corporate. There are many players here, and all of them have agenda’s of their own. This is a truism that you must accept and understand before you rail against the system that is not listening to your advice.
Here’s a bit of a secret for you.. The more ardent you seem, the more likely you will be branded a “Joan” The perception will be that you are a heretic and should not be listened to. Instead you should be marginalised in favour of the status quo.. After all, they have gone about their business every day for years and they are just fine! The more you rail, or warn with dire tones, the more you will be placed at the back of the mind.
Think Richard Clarke (I heard that chuckle out there)
Though Joan inspired the French forces to battle on and win more than a few battles, she eventually was burned at the steak. Much of this was because of her unique nature and fervour. Much as yours may do the same to you… Without of course literally being burned at the steak and you all must learn this. I think you have to take a page from the hackers playbook really and use the axiom of being a “Ninja”
The subtle knife wins the battle.
“If the Apocalypse comes, beep me”
(Joss Whedon;Buffy the Vampire Slayer)
What’s the worst that could happen really?
The quote above really made me chuckle in thinking about this article and the problems surrounding the premise. This I think, is the epitome of some people’s attitudes on security. Most folks just go along their days oblivious to the basic security measures that we would like them to practice as security evangelists. The simple fact is that like other apocalypse scenarios, people just have not lived through them and been affected by them to change their behaviours accordingly. What solidified this for me recently was the snow storm last October here in New England that caught so many people flat footed. They simply had not ever really had to rely on their wits and whatever they had on hand before like this. When the government and the corporations (CL&P) failed to provide their services to the populace, the populace began to freak out.
Its the same thing for information security. Whether it is the government or the corporations that supply us all, both are comprised of people who all pretty much lack this perspective of being without, or having really bad things happen to them. 9/11 comes the closest, but, that only affected NYC and DC directly (i.e. explosions and nightmarish scenarios with high casualties) In the case of corporations, you have lawyers and layers of people to blame, so really, what are the risk evaluations here when it is easy to deflect blame or responsibility? For that matter, it was inconceivable to many in the government (lookin at you Condi) that terrorists would use planes as missiles… Even though a month before a report was handed out with that very scenario on the cover.
The core of the idea is this. Human nature on average, and a certain kind of psychology (normative) that says “This can’t happen to us” We all have it, just some of us are forward thinking and see the potentials. Those forward thinkers are likely security conscious and willing to go out of their way to carry out actions to insure their security. Things like storing extra food and water as well as other things that they might need in case of emergency. These can be life of death deal breakers.. Not so much for information security at your local Acme Widget Corp. In the corporate model, they have the luxury of “It’s somebody else’s problem” So, these things are usually not too important to them unless that person making the decision is cognisant of the issues AND responsible for them. Unfortunately, as we have learned these last 10 years or so, responsibility is not their strong suit.
So, on they go.. About their business after you, the security curmudgeon has told them that they need to store food for the winter..
But the grasshoppers, they don’t listen… Until they are at your door in the snow begging for food.
“More has been screwed up on the battlefield and misunderstood in the Pentagon because of a lack of understanding of the English language than any other single factor.“
(John W. Vessey, Jr.)
How do we communicate and manipulate our elephants?
Back to the issue of how to communicate the things we feel important. This has been a huge issue for the security community for a couple of reasons.
- The whole Joan of Arc thing above
- The languages we speak are.. Well.. like Tamarian and theirs are corporate speak.
We, the security practitioners, often speak in metaphor and exotic language to the average corporate manager. You have all seen it before, when their eyes glaze over and they are elsewhere. We can go on and on about technical issues but we never really seem to get them to that trough in the title. Sometimes you can get them to the trough easily enough by hacking them (pentesting) but then they think;
“Well this guy is a hacker… No one else could do this! What are the chances this is going to really happen? Naaahhh forget it, it’s not likely”
So there is a bias already against doing the things that we recommend. Then comes the money, the time, and the pain points of having to practice due diligence. This is where they turn off completely and the rubric of it is that unless they are FORCED to carry out due diligence by law or mandate, they won’t. We all have seen it.. Admit it.. It’s human nature to be lazy about things and it is also human nature to not conceive that the bad things could happen to them, so it would be best to prepare and fight against them.
So, how do we communicate with these people and get them on the same page?
I have no answers save this;
“Some get it.. Some don’t”
That’s the crux.. You have to accept that you as the security practitioner will NEVER reach everyone. Some will just say thank you and good day… And you have to accept that and walk away. As long as you have performed the due diligence and told them of their problems.. You have done all you can. You can try and persuade or cajole them… But, in the end, only those who get it or have been burned before will actually listen and act on the recommendations you make.
“The greater our knowledge increases the more our ignorance unfolds”
(John F. Kennedy)
The Eternal Struggle
There you have it. This will always be the case and it will always be the one thing that others seeking to compromise corporations and governments will rely on. The foolishness of those who do not plan ahead will be their undoing..
Eventually.
All you can do sage security wonk, is calmly and professionally explain to them the issues and leave it to them to drink.
K.
Krypt3ia 