Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘The Stupid It Burns!’ Category

It’s The 90’s All Over Again.. Except This Time Online: Political Correctness and Human Nature


Remember The 90’s and The PC Movement?

Ahh the 90’s… A time when things were good. The economy was booming, terrorism was, well, starting again having been in a lull since the 70’s, and we all were just zippidy doo da about life! Well, most of us were. Others though, well, they were fretting over our collective moral souls because we were an inch from perdition’s flame from vulgar behavior and attitudes! That’s right kids, for those of you who were too young to remember, this is the time when the government started to think that they should control (but in the end label) the lyrics of songs or records because they could be harmful to children, and much more insidious things ensued. Step into the Wayback machine kids… Political Correctness, The “Culture Wars”, Culture Wars: The Struggle to Define America by James Davison Hunter, Pat “Fuckin” Buchanan *shudder*. It was a scary time kids, but then again, so were the 70’s and 80’s as well if you were around for them and cognizant of what was going on. It was this landscape though, the 90’s, that really bears the most on the conversation I want to have with you all. The 90’s were when the technology of today (the internet) began to be prevalent and also a scary scary thing to the powers that be. Just as the times were changing socially, artistically, and most of all to me, musically, the technology also gave people an outlet as well as, to some, a means of control. Just remember the Clipper chip and you’ll know what I mean.

In other areas though, there seemed to be this movement toward “right behavior” and conforming to norms that, well, rankled me and I am sure many others. At the time we had people like Tipper Gore trying to get things labeled as (R) or (Mature) because they could not outright ban it (re: rap music/gangsta rap lyrics). I remember her and certain people throwing a conniption fit over the images and lyrics to Guns N’ Roses’ Appetite for Destruction as well. I mean, I listened to it and I am just fine… Right? So why all the need to censor things? Was it perhaps that too many people were not, oh, say, watching their kids and dealing with them? Perhaps letting the TV raise them? Heh. Well, many jumped on board and it made the 90’s a hell of a fun time. I had thought we had gotten past all this claptrap, but, it seems it’s all coming back and now, it’s all about “online” content too! Of course, there are those looking to do the old fashioned route again like Middleborough, Mass, where they decided to put out an ordinance against swearing in public. You read that right, they will fine your ass $20.00 for swearing! Morons.

Being “Sensitive”

The other day I had to endure a “sensitivity training”. I will not go into the reasons why we were being trained but I will extrapolate for you all the reason why I think we were there. The real reason we were there was to 1) CYA for the company and 2) because far too many people are not raised to be accepting whatsoever of anyone being different in our collective cultures. It is my contention that if you are unable to be tolerant of others’ differences now at adulthood, then you are the product of a poor upbringing and failed to learn anything in Kindergarten. It’s really as simple as that. However, because of the legal system and because of the overblown nature of what is considered PC corporate behavior today, people have to go through the basics of “Don’t be an asshole” training. Now, for me, this also extends to the laws being drafted today about cyber bullying. Granted, people are bullied (kids and adults) and some do in fact take their lives over it. This is sad and I really wish it upon no one, but, is it not the job of the parents or the person to just realize that these people are assholes and get over it? I mean, it’s the internet for God’s sake! We are ALL ASSHOLES and we had better learn this from a young age.

We all need to develop coping mechanisms and much of this should stem from good parenting. Instead, I fear, we have all abdicated the parenting to the beige box and the intertubes as opposed to sitting with your kids and having real discourse and bonding. Regardless, now it seems that the Nanny state needs to get in on the act and create law to help sort it all out. It’s one thing to make something criminal, and another to attempt to force behavioral modifications on us all that may yet infringe on our first amendment speech rights in this country. I think we are at the tipping point here and with all the cyber hubbub over warfare and criminality, the congress critters have taken the reins in their oft ill-conceived ways and will likely fuck us all in the end with their swift pens of “justice”.

Laws On Online Behavior, or Making Free Speech Criminal

The re-birth it seems of the PC attitudes of the past now has begun to spill into the internet and its “Wild West” of cussing and bad behavior. Once again, people are starting to stir up rhetoric to speed congress toward action against those horrible people who inhabit the internet. Once again, it’s certainly not the parents’ job to control their children online and certainly not the individual’s right to be as vulgar or maybe say, buy an exceedingly large soda in NYC it seems. No! We need the Nanny State to come along and control what we do for our own good! Meanwhile that same group of people is allowing “Cyberwar” to be pre-emptively acted upon even though we have no fucking clue as to how to defend against such attacks on our own feeble infrastructure.

Lately I have been hearing stories of people being told to remove their blogs because they have offended someone; case in point today came from some child blogging on how bad her cafeteria was at school! Holy WTF?! What the hell is going on here? Is this not free speech? Are we not in America? Oh, wait, SHE was in Scotland.. Ok, so the daily haggis was not to her liking, but trying to stifle the creativity and the opinion of the child was just ok? NO, it was and IS not! Nor should it be even thought of as acceptable that this happen in the first place. It was even worse that a governmental body tried to pull this crap, and this is what I fear here in the states as well. How long ’til we have “free speech zones” on the internet one wonders?

Meanwhile, back to bad behavior and the internet. Like I have said before, it’s the “internet” and the intonation there is that “who the fuck cares?” No one should take it seriously. If someone says something bad about you to the world, well, say that it isn’t true. If it isn’t true and you get fired or something happens and you have a case, sue their asses. Otherwise, all this claptrap about lil Johnny’s feelings being hurt should just stop. There are already laws about harassment on the books and those should be used or amended for use to arrest someone on stalking etc. However, with all of the rush to get legislation on the books, it seems that other areas are being exposed to piteously stupid law making around freedom of speech globally. Now, I realize that it is a global community and many places do not allow free speech, but, I am only here to ring the warning bell.

DING DING DING!

Pay attention to what the Congress Critters are up to or soon enough you will find yourself having to deal with some bogus charge of swearing in public or online.

FUCK! ASS!

K.

Written by Krypt3ia

2012/06/15 at 15:47

BYOD Bring Your Own Device: One of the most STUPID Gartner/Forrester/Executive Ideas EVER!


God Damned Executives On A Plane

Last night a lively debate broke out on Twitter between Rafal Los, myself and Hrbrmstr about the wonders of BYOD (Bring Your Own Device), a movement brought to you undoubtedly by some moron of a CIO/CTO/CEO and your pals at Gartner. Now, if you haven’t run into the concept of BYOD yourself, just go and Google it to understand. Suffice to say that my theory on how this all came to pass is the following scenario…

  • C level executive A was on a plane one day and reached into the pocket in front of him. He pulled out the “In Flight” magazine and started perusing it when lo and behold he sees an article about how YOU TOO CAN SAVE LOTS AND LOTS OF MONEY if you let your employees BUY THEIR OWN PHONES AND LAPTOPS to use at work!
  • C level exec then gets an EXTREME hard on for the idea envisioning his bonus growing exponentially as he foists the cost of phones to the employee as well as most of the cost of the service plan! GENIUS!
  • Contentedly the rest of the flight C level exec sits pondering just what fancy addition to his yacht he will be able to buy with the savings from this master plan.
  • C level exec immediately upon return drafts an email to the other C level execs with the master plan.. They all see bonuses and shiny things they can buy once their bottom line has been altered by pushing the costs to the employees by making them pay to work (remember the days of company stores and housing? Yeah, it’s kinda like that again)
The C level conclave concludes and they all decide this is a capital idea! Let’s do it!.. Of course, they have not talked to the CSO or CISO and if the CSO is capable, they will raise the question over security and legal/privacy concerns. If they have a CSO/CISO at all.

Alas… They still will forge ahead… Dollar signs in their eyes like cartoon characters.

But.. It Will Make Our Workers SO HAPPY and SAVE US MONEY!

And on it goes, the steamroller of BYOD begins its descent, picking up velocity where it finally makes it to the security folks (if the company has any) and someone will undoubtedly say;

“WHOA, what about the security issues here?

What about the PRIVACY issues?

Legal issues?

To which they will be told it’s all good and not to worry.. Just do it. This even after being told by a smart security person that there are many moving parts here that present major problems that could in fact cost more money in the long run to do right AND that if they don’t do it right, they could be more easily compromised or have big legal issues.

“Do not worry about that.. It will save us money and it will make the employees happy” says the C level… Just do it.

The poor security person is left with the pile of shit idea in the paper bag from then on.. Just waiting for it to be lit on fire for them to stamp out with their new Nike shoes.

The Magic Fucking Quadrant of STUPID (Now With Added Unicorn Spit!)

Soon the security team and the executives/managers are on the phone with Gartner or Forrester having meetings about how BYOD is the SHIZ and how magic it is in the quadrant and just what companies are offering the newest WHIZ BANG products that will help you “secure” the personal devices for you!

For just 50 thousand dollars YOU can have this solution!!!

*eye rolls all around*

But the executives… They are eating this shit up! They are fully drinking the Kool-Aid and have the purple lips to show it! I mean, it’s Gartner! How could they EVER be wrong!!

The unicorns have won the day and you, you poor security sod, are stuck with the new task of ultimately making your life more miserable and creating new and silly problems to make your environment and job more complex. Welcome to BYOD.. Bring Your Own Doom. Be sure to buy more Maalox and other products to soothe your nerves and G.I. tract. Your life as you know it is about to change for the worse and when the shit goes down, undoubtedly, you will be asked why you didn’t tell them that this was a bad idea! YOU FAILED TO TELL US!

Remember to be the squeaky wheel… and to save all your emails warning that this… is indeed a bad idea.. Unicorn spit or no.

Technical Problems

But seriously folks.. There are some major issues technically with this idea. Of course the same issues crop up with any smart phone or device that you need to secure but, you are adding complexity to the mix because you need to secure the device AND keep it real loose because it’s a PERSONAL DEVICE, it isn’t the company’s asset! This means that the guy who paid for it wants to USE it the way THEY want. So if you secure it properly, well, then they CAN’T USE IT the way THEY WANT TO!

And this leads to unhappy end users.

So here are just some of the technical problems..

  • Differing OSes require different solutions for security in some cases
  • Android… OMFG. Android rooted by the EU is bad. How many botnets are there out there now for Android? Google also has a real lack of quality control here (nightmare)
  • Adding layers of protection to “sandbox” applications
  • Adding a layer of auditing and tracking to protect the asset (not the company’s, once again) to protect your IP and infrastructure if said “asset” attaches to your network at all
  • Ensuring that CRYPTO is working and/or used to protect that IP again
  • Ensuring that the system has AV on there and it is up to date
  • Ensuring that the user just can’t install anything they want on their asset, to prevent compromise of CORP data (due diligence)
And the list goes on.. So here you have it, you are adding layers of complexity to a device that naturally the end user, who PAYS FOR IT, does not really want because it’s THEIR TOY! It’s a PERSONAL DEVICE! They bought it! They want to play with it and use it for their amusement. This is a key point here that most of these guys advocating this fail to understand.. Or is it they really don’t care? Suffice to say though that in the end you are forced to add software and hardware solutions to secure the personal assets in your BYOD program that will cost you money. Money to buy, and money to keep updated and licensed.
So, where is the cost benefit analysis here on this? Are you really saving all that much money in the end?
Never mind the legal aspects that you also must engage counsel for….
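To make the technical bullet list above concrete, here is an added example (not code from the original post, and not any MDM vendor's product) of what a BYOD compliance gate looks like once you actually have to enforce it: each bullet becomes a check, and a device that fails any of them is denied corporate data. The `Device` fields, the OS baselines, the seven-day AV signature age and the sample inventory are all assumptions constructed for illustration.

```python
# Added example, not code from the original post: a minimal BYOD
# device-compliance gate built from the bullet list above. Every field name,
# baseline version and threshold is an assumption for illustration, not any
# MDM vendor's schema.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Device:
    owner: str
    os_name: str                  # "ios" or "android" (assumed labels)
    os_version: tuple             # e.g. (4, 0, 3)
    rooted: bool                  # rooted / jailbroken
    disk_encrypted: bool          # "CRYPTO is working"
    av_installed: bool
    av_signature_date: Optional[date]
    sideloading_allowed: bool     # user can install anything they want
    work_apps_sandboxed: bool     # corporate apps live in a managed container
    audit_agent_present: bool     # the auditing / tracking layer


# Assumed per-platform minimum OS baselines (the "differing OSes" bullet).
MIN_OS_VERSION = {"ios": (5, 0), "android": (4, 0)}
# Assumed maximum age of AV signatures before the device counts as out of date.
MAX_AV_SIGNATURE_AGE = timedelta(days=7)


def compliance_findings(dev: Device, today: date) -> list:
    """Return the reasons a device must not touch corporate data (empty list = compliant)."""
    findings = []
    if dev.os_name not in MIN_OS_VERSION:
        findings.append("unsupported platform: %s" % dev.os_name)
    elif dev.os_version < MIN_OS_VERSION[dev.os_name]:
        findings.append("OS version below baseline")
    if dev.rooted:
        findings.append("device is rooted/jailbroken")
    if not dev.disk_encrypted:
        findings.append("storage encryption is off")
    if not dev.av_installed:
        findings.append("no AV installed")
    elif dev.av_signature_date is None or today - dev.av_signature_date > MAX_AV_SIGNATURE_AGE:
        findings.append("AV signatures out of date")
    if dev.sideloading_allowed:
        findings.append("arbitrary app installs allowed")
    if not dev.work_apps_sandboxed:
        findings.append("corporate apps not sandboxed")
    if not dev.audit_agent_present:
        findings.append("no audit/tracking agent")
    return findings


def network_admission(inventory, today: date) -> dict:
    """Map each owner to ('allow' | 'deny', findings) for the corporate network."""
    decisions = {}
    for dev in inventory:
        findings = compliance_findings(dev, today)
        decisions[dev.owner] = ("allow" if not findings else "deny", findings)
    return decisions


# Constructed sample inventory (not real devices or people).
TODAY = date(2012, 2, 10)
SAMPLE_INVENTORY = [
    Device("alice", "ios", (5, 0, 1), False, True, True, date(2012, 2, 9), False, True, True),
    Device("bob", "android", (2, 3, 6), True, False, True, date(2011, 12, 1), True, False, False),
    Device("carol", "android", (4, 0, 3), False, True, False, None, False, True, True),
]

if __name__ == "__main__":
    for owner, (decision, why) in network_admission(SAMPLE_INVENTORY, TODAY).items():
        print(owner, decision, "; ".join(why))
```

Run as-is it prints one line per device: alice is allowed, bob is denied on every check in the list, and carol is denied for the single missing AV agent. The point the post makes is visible in the code: each of these checks is something the device owner will experience as the company locking down their own toy, and the MDM agent that performs them is one more licence to buy and keep current.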

LEGAL Problems

Legal problems.. Oh yeah, there are many legal issues here with the whole BYOD thing. It seems to easily escape the faculties of the C levels who are all hot for these programs though. When you bring up these issues, even in the clearest of ways, they still seem to be all for the BYOD, which confuses me personally. Oh well, they have lawyers on retainer, right? They will just dump it on them and they will work out the details. Details like the following;

  • E-Discovery issues with personal assets and corporate information (the company does not own the device and unless the owner signs a document saying they will give up the phone/laptop/hardware for discovery, you’re F’d)
  • PRIVACY, if you are auditing all that goes on on the device (say a phone) then you can see everything they are doing with their personal/corporate-tized asset. In short, no privacy really
  • The vagaries of corporate IP on personal assets and the legalities of who owns what when and where
These three bullets cover a HUGE amount of the problem with BYOD and people need to realize this as they go ahead thinking about this as a solution to their bottom lines.. AND this is all it really is, it’s not really about making end users happy. Never let yourselves be deluded into this belief that by doing all of this you will be making a more happy and productive work force. Eventually, those users will come to their senses and realize that they are being used in so many ways and that there are many grey areas.
… And if you have not gotten them to sign iron clad agreements.. You Mr. C level are gonna be in trouble eventually.

Bad BYOD Rising

Nope, this is a bad idea from all angles as I have seen. Yet, people are going for this model more and more as a way to save money and “make workers happy with new toys like iPhones”. I only see the technical and legal issues as well as the potential for paranoia and bad blood on the part of the users/owners of their now corporate assets… that are theirs.. sorta… It’s just a nightmare really, but Gartner says it’s GREAT!

*facepalm*

Please, for the love of sanity think this stuff through before you even think about this model for your orgs!

Savings to the business my ass.. You’re only adding a slow poison to your company and your carcass will be rotting soon enough.

K.

Written by Krypt3ia

2012/02/10 at 12:01

YOU MAY BE A TERRORIST….


Do You Like Online Privacy? You May Be a Terrorist

It’s been one of those days when I went from ZERO —> STABBY really really quickly. What brought me to this point today was a tweet linked to an article at PublicIntelligence where they talk about a flyer put out jointly by the FBI and the Department of Justice (Bureau of Justice Assistance) on what to look for in an “online” terrorist or an “internet cafe” terrorist.

This document is one of the silliest and useless pieces of crap I have seen. It is so general and profiles so many people today and yet, fulfills the fear fear fear agenda that some seem to have. I am shocked at this even being floated out there for the masses to even consider to be used as the litmus test to actually make a call on someone’s being a “terrorist” or not. The Justice Dept and the FBI have in fact turned everyone who uses this document into Barney Fife! Except instead of a single bullet, they have given them a full automatic and two extended clips to use for ammunition.

Good job!

Ugh.

Generalities and First Principles by Marcus Aurelius

Let me say to you all here and now, I am embarrassed for our country and our law enforcement services with this development. I thought perhaps they would have learned after the whole “Muslim = Terrorist” debacle but I guess they have not. What possessed them to be so idiotic as to pass this out to the masses? What’s worse, how many of the masses are just dumb enough to use this list of likes and concerns as the “guide” to terrorism?

Hey USGOV, FBI, DOJ, how about you spend some time with the classics, “First Principles by Marcus Aurelius”. Oh, wait, maybe you have no idea what I am talking about.. Ok, how about we take a quote from a movie?

“First principles, Clarice. Simplicity. Read Marcus Aurelius. Of each particular thing ask: what is it in itself? What is its nature? What does he do, this man you seek?”

Hannibal Lecter

You guys COMPLETELY fail to do this. Instead you throw out a bunch of generalities that fit 99% of the population for the gullible “see something say something” citizen to use to point fingers and yell TERRORIST!

WTF?

Time to pay attention people.

Hi, My Name is Bob, and I am A Terrorist…. *Hi Bob*

So, this leads me to the phrase above… Hi, my name is Krypt3ia, and I am a terrorist… If you believe the shitty list of character traits in this stupid document.

*waves*

Think about it, this is out there and it would seem that the FBI and DOJ may in fact BELIEVE this??? Can you imagine this is how their world outlook is concerning the broad spectrum of today’s internet users?

“YOU ARE ALL SUSPECT”

This belies a complete lack of understanding of not only the technologies today, but also the pervading psychology and sociology at play in today’s digital world. If you use technology, if you like the internet and IF you deign to want some privacy..

You’re potentially a terrorist and should be reported.

Wow… Just wow… I cannot believe how little thought went into this campaign. Are you really all that bereft of any common sense or even guile in trying to capture the real terrorists out there?

OMFG This Makes Me REALLY STABBY

STABBY! Yes, this all makes me very stabby. I cannot fathom all of this and it really makes me distrust my government’s handling of these issues all the more. I am not one to really be their cheerleader with regard to digital security and policy, but now, holy Jeebus! Then I wake up this morning to find that AntiSec has recorded a conference call that the FBI held between them and the Met (UK).

*blink*

They did not even bother to check how many people were on the call! BASIC SECOPS people!! So now they are even more the laughing stock as well as I am sure will make swift responses that likely will be futile in the grander scheme of things.

Guys.. You’re really making yourselves into the Hollywood caricature of yourselves here..

“Keystone Cops”

BOOGA BOOGA BOOGA and Other Exhortations by Our Government

In the end, I am mostly appalled at the use of these jingoistic and lowest common denominator recommendations being given to the public on “cyber terrorists”. It is the kind of claptrap I expected out of the likes of GWB’s reign.. Not now! It really is just useless and makes you look like fools…

It makes one wonder just what you all really believe…

No wonder it seems that Anonymous is getting the better of you lately.

So why not make everyone the enemy huh? Guess I will just go on down to the “internet cafe” *heh* and tap away on my encrypted blog about how I long for privacy…

K.

Written by Krypt3ia

2012/02/03 at 18:35

INFOPOCALYPSE: You Can Lead The World To The Security Trough.. But You Can’t Make Them Think.


“Dark, profound it was, and cloudy, so that though I fixed my sight on the bottom I did not discern anything there”

(Dante Alighieri; The Inferno)

The current state of the Security “Industry”

It seems that once again people who I have acquaintance with in the security industry are wondering just how to interface with corporations and governments in order to build a base of comprehension about the need for information security. The problems though are myriad with these questions and the task to reach people can be a daunting one, never mind when you have groups of them in hierarchies that comprise some of the worst group think in the world (AKA corporations).

Added issues for the “industry” also surround the fact that it is one at all. Once something moves from an avocation to a profession, you have the high chance of it becoming industrialised. Saying something has been made industrialised implies, to many, the cookie cutter Henry Ford model really. In the security world, we have seen this from the perspective of magic boxes that promise to negate security vulnerabilities as well as teams of consultants who will “securitize” the company that is hiring them with magic tools and wizardry. The net effect here is that those paying for and buying into such products and services may as well be buying a handful of magic beans instead.

Now, not every company will be efficacious in their assessments nor live up to the promises they make for their hardware/software solutions. Many practitioners out there and companies really try to do the right thing and do so pretty well. However, just as in any other business, there are charlatans and a wide range of skilled and unskilled plying their arts as well. Frankly, all that can be said on this issue is “Caveat Emptor”. It’s a crap shoot really when it comes to goods and services for security solutions. The key is though, to be able to secure yourselves as a company/entity from the standpoint of BASIC security tenets up.

Often it’s the simple things that allow for complete compromise.. Not just some exotic 0day.

So we have a cacophony of companies out there vying for people’s dollars as well as a news cycle filled with FUD that, in some cases, is directly lifted from the white papers or interviews with key players from those said same companies seeking dollars. It is all this white noise that some now are lamenting, wondering just how do we rein things in and get a stable base to work from in an ethical way to protect companies and individuals from information security meltdowns. More so it seems lately, the question has been how do we reach these people in the first place? How do we actually get a meaningful dialogue with the corporate masters and have them come away with the fundamentals of security as being “important”?

Unfortunately, I think that there are some major psychological and sociological hurdles to overcome to reach that point where we can evince the response we all would like to see out of those C level execs. I have written about them before, but I will touch on them again later in this piece. Suffice to say, we all have a tough row to hoe where this is concerned, so, I expect there to be no easy answer… Nor really, any satisfactory conclusions either.

“It is a tale Told by an idiot, full of sound and fury, Signifying nothing”

(Shakespeare; MacBeth)

Security Joan of Arc’s and their Security Crusade:

Joan of Arc was a woman ahead of her time. She wore men’s clothing and led the French in battle against the English and to victory, all as a teen girl. She was later burned at the stake for heresy and, many years later, only recently made a saint. I give you this little history lesson (link included) to give you an idea of who you all are in the security industry lamenting over not being listened to. You too may be ahead of your time, but, just as she was, you too will not be listened to because your ideas (to the listeners) are “radical”.

Now, radical is a term I am using to denote how the corporate types are seeing it. We, the security advocates, do not see these concepts as radical, but instead as common everyday things that should be practiced (complex passwords, patching effectively, etc). They (the client) see these things as impediments to their daily lives, their bottom lines, and their agendas both personal and corporate. There are many players here, and all of them have agendas of their own. This is a truism that you must accept and understand before you rail against the system that is not listening to your advice.

Here’s a bit of a secret for you.. The more ardent you seem, the more likely you will be branded a “Joan”. The perception will be that you are a heretic and should not be listened to. Instead you should be marginalised in favour of the status quo.. After all, they have gone about their business every day for years and they are just fine! The more you rail, or warn with dire tones, the more you will be placed at the back of the mind.

Think Richard Clarke (I heard that chuckle out there)

Though Joan inspired the French forces to battle on and win more than a few battles, she eventually was burned at the stake. Much of this was because of her unique nature and fervour. Much as yours may do the same to you… Without of course literally being burned at the stake, and you all must learn this. I think you have to take a page from the hacker’s playbook really and use the axiom of being a “Ninja”.

The subtle knife wins the battle.


“If the Apocalypse comes, beep me”

(Joss Whedon;Buffy the Vampire Slayer)

What’s the worst that could happen really?

The quote above really made me chuckle in thinking about this article and the problems surrounding the premise. This I think, is the epitome of some people’s attitudes on security. Most folks just go along their days oblivious to the basic security measures that we, as security evangelists, would like them to practice. The simple fact is that like other apocalypse scenarios, people just have not lived through them and been affected by them to change their behaviours accordingly. What solidified this for me recently was the snow storm last October here in New England that caught so many people flat-footed. They simply had not ever really had to rely on their wits and whatever they had on hand before like this. When the government and the corporations (CL&P) failed to provide their services to the populace, the populace began to freak out.

It’s the same thing for information security. Whether it is the government or the corporations that supply us all, both are comprised of people who all pretty much lack this perspective of being without, or having really bad things happen to them. 9/11 comes the closest, but, that only affected NYC and DC directly (i.e. explosions and nightmarish scenarios with high casualties). In the case of corporations, you have lawyers and layers of people to blame, so really, what are the risk evaluations here when it is easy to deflect blame or responsibility? For that matter, it was inconceivable to many in the government (lookin at you Condi) that terrorists would use planes as missiles… Even though a month before a report was handed out with that very scenario on the cover.

The core of the idea is this. Human nature on average, and a certain kind of psychology (normative) that says “This can’t happen to us”. We all have it, just some of us are forward thinking and see the potentials. Those forward thinkers are likely security conscious and willing to go out of their way to carry out actions to insure their security. Things like storing extra food and water as well as other things that they might need in case of emergency. These can be life or death deal breakers.. Not so much for information security at your local Acme Widget Corp. In the corporate model, they have the luxury of “It’s somebody else’s problem”. So, these things are usually not too important to them unless that person making the decision is cognisant of the issues AND responsible for them. Unfortunately, as we have learned these last 10 years or so, responsibility is not their strong suit.

So, on they go.. About their business after you, the security curmudgeon has told them that they need to store food for the winter..

But the grasshoppers, they don’t listen… Until they are at your door in the snow begging for food.


“More has been screwed up on the battlefield and misunderstood in the Pentagon because of a lack of understanding of the English language than any other single factor.”

(John W. Vessey, Jr.)

How do we communicate and manipulate our elephants?

Back to the issue of how to communicate the things we feel important. This has been a huge issue for the security community for a couple of reasons.

  1. The whole Joan of Arc thing above
  2. The languages we speak are.. Well.. like Tamarian and theirs are corporate speak.

We, the security practitioners, often speak in metaphor and exotic language to the average corporate manager. You have all seen it before, when their eyes glaze over and they are elsewhere. We can go on and on about technical issues but we never really seem to get them to that trough in the title. Sometimes you can get them to the trough easily enough by hacking them (pentesting) but then they think;

“Well this guy is a hacker… No one else could do this! What are the chances this is going to really happen? Naaahhh forget it, it’s not likely”

So there is a bias already against doing the things that we recommend. Then comes the money, the time, and the pain points of having to practice due diligence. This is where they turn off completely and the rubric of it is that unless they are FORCED to carry out due diligence by law or mandate, they won’t. We all have seen it.. Admit it.. It’s human nature to be lazy about things and it is also human nature to not conceive that the bad things could happen to them, and so that it would be best to prepare and fight against them.

So, how do we communicate with these people and get them on the same page?

I have no answers save this;

“Some get it.. Some don’t”

That’s the crux.. You have to accept that you as the security practitioner will NEVER reach everyone. Some will just say thank you and good day… And you have to accept that and walk away. As long as you have performed the due diligence and told them of their problems.. You have done all you can. You can try and persuade or cajole them… But, in the end, only those who get it or have been burned before will actually listen and act on the recommendations you make.

“The greater our knowledge increases the more our ignorance unfolds”

(John F. Kennedy)

The Eternal Struggle

There you have it. This will always be the case and it will always be the one thing that others seeking to compromise corporations and governments will rely on. The foolishness of those who do not plan ahead will be their undoing..

Eventually.

All you can do, sage security wonk, is calmly and professionally explain to them the issues and leave it to them to drink.

K.

China’s cyber-warfare capabilities are ‘fairly rudimentary’… What is it with these crazy Australians?

with 5 comments


Conclusions

Chinese strategists are quite aware of their own deficiencies and vulnerabilities with respect to cyber-warfare. In June 2000, “a series of high-technology combat exercises” being conducted by the PLA “had to be suspended” when they were attacked by “a computer hacker”.

China’s telecommunications technicians were impotent against the intermittent hijacking of the Sinosat-1 national communications satellite by Falun Gong ‘practitioners’ in the early 2000s. China’s demonstrated offensive cyber-warfare capabilities are fairly rudimentary. Chinese hackers have been able to easily orchestrate sufficient simultaneous ‘pings’ to crash selected Web servers (i.e., Denial-of-Service attacks). They have been able to penetrate Web-sites and deface them, erase data from them, and post different information on them (such as propaganda slogans). And they have developed various fairly simple viruses for spreading by e-mails to disable targeted computer systems, as well as Trojan Horse programs insertible by e-mails to steal information from them. However, they have evinced little proficiency with more sophisticated hacking techniques.

The viruses and Trojan Horses they have used have been fairly easy to detect and remove before any damage has been done or data stolen. There is no evidence that China’s cyber-warriors can penetrate highly secure networks or covertly steal or falsify critical data. They would be unable to systematically cripple selected command and control, air defence and intelligence networks and databases of advanced adversaries, or to conduct deception operations by secretly manipulating the data in these networks. The gap between the sophistication of the anti-virus and network security programs available to China’s cyber-warriors as compared to those of their counterparts in the more open, advanced IT societies, is immense. China’s cyber-warfare authorities must despair at the breadth and depth of modern digital information and communications systems and technical expertise available to their adversaries.

China is condemned to inferiority in IW capabilities for probably several decades. At best, it can employ asymmetric strategies designed to exploit the (perhaps relatively greater) dependence on IT by their potential adversaries—both the C4ISREW elements of adversary military forces and the vital telecommunications and computer systems in the adversary’s homelands. In particular, attacks on US information systems relating to military command and control, transportation and logistics could “possibly degrade or delay U.S. force mobilisation in a time-dependent scenario”, such as US intervention in a military conflict in the Taiwan Straits.

China’s cyber-warfare capabilities are very destructive, but could not compete in extended scenarios of sophisticated IW operations. In other words, they function best when used pre-emptively, as the PLA now practices in its exercises.

In sum, the extensive Chinese IW capabilities, and the possibilities for asymmetric strategies, are only potent if employed first.

Desmond Ball: China’s Cyber Warfare Capabilities


Oh Desmond…

Desmond, Desmond, Desmond… You spend so much time pointing out all of the Honker Union activities, the malware created by China, and all their overall IW/Espionage activities and then you say;

“Well, because there’s no real proof of their actually having done anything, they are unable to do so”

*blink blink*

Crikey! Have you been sipping what Dr. Wright has been drinking or what? Tell me Desmond, what is your classification rating? Because I think you are lacking some pertinent information that might change your hypothesis quite a bit. Either way, your contention is lacking understanding of the playing field I think, so let me enlighten you a bit ok?

Rudimentary? Really?

I personally have heard of “on the fly” coding of malware to affect pertinent systems within a defense contractor network to not only keep access within said network, but, also to exfiltrate even more interesting data. Now, that sounds rather advanced to me..

How about you?

Sure, the coders could have been just about anyone, but the data was being exfiltrated to areas in the Asia Pacific that were more than likely Chinese in origin, so, yeah, it likely was them and not, say, Germany. However, once again, we have no real proof of it being “solely” China. Oddly enough though, when data was caught in the hands of the Chinese we pretty much had to admit it was them doing it. So, no Desmond, they are not wholly unskilled, nor certainly as unsophisticated as you would paint them. This is just one instance of access and hacking that allowed for the APT (Advanced Persistent Threat) activity that, well Desmond, was coined for their activities against the defense industrial base here in the US.

Simply Desmond, you can cite all the articles from the internet you want.. You still won’t have the whole picture.

PSSST… Guess What?

So, to move this further along the philosophical and technical path for you, let me explain it another way. The Chinese, as with most of the Asiatic countries, have a different perspective on things than we in the West. Some things core to the Chinese mindset on warfare are the following:

The Chinese do not have a goal of outright cyber warfare with us. In fact, they would use the subterfuge angle you speak of by leaving trap doors in software and hardware, which they have done in the past (and have been caught). However, more than likely, they would use the supply chain that we have allowed them to become the lion’s share of via outsourcing of cheap parts/labor to infiltrate our systems with bad chips or said same back doors. Why do you think we (the military) spend so much time checking everything that we get for the government/mil from China?

Soft power, Desmond, would dictate that they use the thousand grains of sand to not only steal our IP but also use the technology and our dependence on their cheap rates to insert bad data/systems/hardware into our own infrastructure for them to call up when needed to fail. This is not to say that they do not also have operators who have inserted code into other systems remotely to later be used when needed as well.

Simply Desmond, you don’t see the whole picture and it’s rather sad that you go on to make such defined claims. The simple truth is that the Chinese don’t need to attack us pre-emptively. They have been undermining us (US) for a very long time as we sell out to them for cheap goods and services. THIS is soft power. They now sit in the catbird seat in many ways financially (though yes, they could lose much by us defaulting); however, from the soft power perspective, they hold the upper hand. A coup de grace would be to take down military systems were we to get uppity about Taiwan.. but really, are we in a position to do so after being wholly owned by them and their capital?

Desmond.. It’s not so much Red Dawn as it is “They Live” if you are into movie references.

網絡戰 (Cyber Warfare) !!!

Alrighty, now that I have gotten that off my chest, Cyberwar is, to me, too hard to carry out for ANY of the countries out there now, China being only one country that might want to. The systems are too disparate, and to control a single node would take great effort. So, yes, I can agree with you that they are not in a position to do us major damage from a CYBERWAR booga booga booga perspective. Frankly, no one could in my opinion. However, your contention that they could not insert bad data during a time of war is a load of crap.

ANYONE could IF they had the access and the desire. It would not need to be a nation state; it could be a private citizen for that matter. What is more interesting, Desmond, is that you fail to understand the espionage angle here. The Chinese use their expats to do their bidding under threat, or, mostly, under the “poor poor China” argument. Imagine an insider adding code to systems that could be triggered…

Yeah.. Soft power once again.. It could turn hard though with the right circumstances.

Once again Desmond, you think too one-dimensionally.

The Sad Truth…

Now, with all of that said, let’s turn it around a bit. The saddest truth is this;

“Given all of what has happened recently with Lulzsec, it has become clear that it does not take an uber hacker to take down pretty much anyone”

The systems out there have not been protected well enough. Patching, and secure coding have not been at the fore here and thus it is trivial for the most part to hack into systems throughout the internet. So, the Chinese need not be uber haxx0rs to do the damage needed because we collectively have done a bad job at securing our own networks.

*sadface*

Once again, you fail to look at the problem from a more multidimensional angle.

Please go back to the drawing board Desmond because you lack the proper information and perspective to really make the claims you are making.

K.

The END IS NIGH! What? We’re still here? Oh, well, I must have been misled by Satan!

with 2 comments

Hieronymus Bosch: Garden of Earthly Delights Triptych (right)

Once, long ago, we all as a species were about three hairs away from being classified as Baboons. It was around that time, that someone got the bright idea to write a bunch of stories in a big book about the sky dad and his rules on how he demanded we live all our lives. Approximately two thousand years later, there are unfortunately some of these Baboons still lurking about who daily screech about the sky dad and his unhappiness with us all.

On Saturday, according to one of the more vocal baboons, we are all about to enter a world of pain because the sky dad has seen fit to tell this ‘civil engineer’ that the end is indeed nigh. Of course, this particular baboon has made this claim before and, wouldn’t you know it, he was wrong. So why is it that this guy is back in 2011 with a radio ministry that is worth over 100 million dollars?

I will tell you a secret… There are many fucking morons amongst us.

*gasp*

Yes, yes it is true. We have reached a point in our existence where we can tame (almost) the atom and we can walk in space, but we just can’t seem to get rid of all these backward thinking, barely upright walking throwbacks who still think that an Atlatl is a pretty nifty weapon. They just don’t seem to be able to get past the idea that there is no sky dad and that things like the ‘rapture’ are all parts of an imaginary tale in a big book created by hegemonic men some time after an alleged prophet’s life.

So, you might look at the graphs above and think;

“Boy, this guy’s got it in for religion!”

And, you’d be mostly right. I personally think that religion, is in fact the opiate for the masses. An easy way for people to absolve themselves of the bad things that they have done with their lives (confession and absolution) while not really coming to grips with what they may have done and why. Religion also seems to be just a general crutch for those unable to grasp the idea that there is no destiny and perhaps there is nothing after life. Instead, they cling desperately to the idea that the sky dad has a great condo on a cloud for them all and their very own neighbor is ‘The Jeez’ himself.

Right…

Meanwhile, the charlatans like Mr Camping crow like the cock at first light that they have the inside knowledge on it all and can help YOU go to that heavenly condo with the Jeez…

For just a small donation YOU TOO can be saved! 

Seems to me that the only difference between noodnicks like Camping and someone like L. Ron Hubbard is that Hubbard at least had some creativity. Camping’s only creative streak is the use of AM radio to bilk people of their money before the end comes. Hubbard, on the other hand, came up with the ‘I own you forever’ contract that every Scientology freak signs up for.. For a hefty fee that is. Nope, the two of these guys only vary in their particular brands of crazy that they pimp out. Camping went ‘old school’ (aka Old Testament) and Hub, well Hub went all out schizoid with aliens who inhabit our bodies (Thetans) that we must rid ourselves of by holding some useless electric cans in our hands!

Now that’s creative.

Nope, instead Camping and company have chosen the tried and true carnival revival tent approach. Even to the point of buying a set of RV’s and travelling the country preaching the word of apocalypse in the months before the end. An end mind you, pulled out of his ass once again (remember the 1994 thing) for May 21st 2011.

COME ON FOLKS! Tithe it all to us and SALVATION CAN BE YOURS!

Just how did he come up with this date? Well, he magically came up with it.. Cuz, ya know he admits to not studying the scriptures extensively. Yeah, you heard that right. Admittedly he just sorta ‘knows’ in his gut that the time is nigh. 

Fucknut.

What’s worse? He has followers and that 100 million that they have given him over the years. So, I guess the question becomes; “Who is worse? The fool who is fleecing the flock? Or the flock of sheeple being fleeced?” In my opinion, I do surely hope the rapture comes and takes them all. Then at least we would be without all of these intolerant and ignorant fools and perhaps we could actually progress as a civilization.

So, on Monday if you answer that phone Camping, and you know we will be all calling you to rag on you, you better have one hell of a great story to sell to all your sheeple.

Oh who am I kidding.. You will just pull another date out of your ass and say it’s the sky dad’s mysterious ways blah blah blah while passing the hat for donations.

Collectively we are doomed until we get past this intolerant and superstitious claptrap.

K.

Written by Krypt3ia

2011/05/18 at 19:56

Barrett Brown: Anonymous and Their Alleged Propagandist

with one comment

DALLAS — A leader of the computer hackers group known as Anonymous is threatening new attacks on major U.S. corporations and government officials as part of an escalating “cyberwar” against the citadels of American power.

“It’s a guerrilla cyberwar — that’s what I call it,” said Barrett Brown, 29, who calls himself a senior strategist and “propagandist” for Anonymous. He added: “It’s sort of an unconventional, asymmetrical act of warfare that we’ve involved in. And we didn’t necessarily start it. I mean, this fire has been burning.”

A defiant and cocky 29-year-old college dropout, Brown was cavalier about accusations that the group is violating federal laws. He insisted that Anonymous members are only policing corporate and governmental wrongdoing — as its members define it.

Breaking laws, but ‘ethically’
“Our people break laws, just like all people break laws,” he added. “When we break laws, we do it in the service of civil disobedience. We do so ethically. We do it against targets that have asked for it.”

And those targets are apparently only growing in number. Angered over the treatment of Bradley Manning, the Army private who is accused of leaking classified U.S. government documents to WikiLeaks and who is currently being held in solitary confinement at a military brig in Quantico, Va., Brown says the group is planning new computer attacks targeting government officials involved in his case.

The rest HERE

Barrett, really? You are really going to be the next person to take the penis out and put it in the hornets nest as Colbert put it? Boy, you must be one big dumbass. Here is what I think you are about to do.. Wait, no what you already DID to yourself here.

  1. You just popped your head up for all federal agencies around the world to say Hi! I am ANONYMOUS! To which they will begin to take aim at said head.
  2. Anonymous will in fact just use you to their ends. You are now chaff to the heat seeker that is the US Government.
  3. Guarantee that if you do anything with anonymous as a hive minder, you are about to be the poster boy for what not to do with a computer. Expect a warrant to be issued soon to be executed wherever you live.
  4. Breaking laws ethically… Hmmm.. I have yet to see anywhere where hacking was considered civil disobedience by the legal system…
  5. PSSST you have a phone call from Joe Goebbels on the white courtesy phone and he is PISSED!

What made you say this? I mean, other than being a giant attention seeker that is? You will go down in the annals of hacker/computer security history along side the likes of Project Viglio.

Duh.

Meanwhile, taking a peek at the anonnews.org site we can see just how many folks there think highly of you… Well.. none really, with -46 comments. Though, this whole thing does bring up some interesting issues that I have been writing about lately. Here is one comment that stuck with me.

moot- CEO, canv.as – 2011-03-09 00:55:54 repost-

It is time to instate a form of puppet government, and also wear more than just the Fawkes mask.

It will soon become very risky to carry out Op’s under the guise of Anon. We need to take it one step further, by decentralizing and assuming the identities of others. Remember the blame ebaumsworld standard of the past? That shit worked, it caused confusion amongst those not in the know and kept the heat level minimal.

We need to create leaders within that do not really exist outside of word of mouth. Reference their handles often, integrate them into our culture and Op plans. Place them at the top of our imaginary “ranks”. Give the vans targets to aim for, that will simply vanish when the sheet is pulled off from over them.

Instead of Anon carrying out the B. Manning OPs, make it known that it is in fact a rogue group of protesters originating from knowyourmeme.com that are coordinating the raid. The BMI DDoS is being carried out through mass chain PM’s amongst tumblr users, fed up with big brother.

We operate very publicly and therefore are left wide open to LE infiltration, the least we can do is keep them on their toes and tie them up with false leads, while also keeping mainstream media in the dark.

Interesting… So, is this one too;

Sage – 2011-03-09 02:12:12

If the ops were viewed as discrete groups that many anonymous people joined, but that was a split group from Anonymous, and that was emphasised to the media like Chanology, being a scifag breaking group but that being all they do, and that it was re-emphasised that anonymous is no single website, place or action, it would probably be more effective than blinding the majority of people from our actions, which would only increase the perceived level of illegality with our actions, as well as the public’s paranoia, instead of being seen as the end of the world, and a bunch of sociopathic “hackers”, we should be seen as our century’s incarnation of we the people [from an american perspective] as this is probably closer.

Yes we should aim to be more covert within the individual operations, people doing things that are counted illegal need to be untraceable or want to be caught, same with the people organising these groups, but to bring this level of paranoia to the rest of our actions that are in general legal, would probably be counter productive.

Instead of closing the trench coat and heading back to the shadows, we are better off at this point leaving it open and getting some puppetry action going on to keep the crowd laughing with us.

tl;dr being a puppeteer of the penis is better than being called a flasher and taken to jail.

Interesting indeed. The ideas are beginning to swirl and it would seem from implication here, that some may be worried about operations and cells being caught. This would be only natural as I have been trying to point out, that any time you have a group of entities together, there will be de-facto leaders, there will be troops, and there will always be the possibility of making mistakes that will lead to capture. It’s just the nature of the beast.

I think that all involved really have to take that into account. There is always the chance they will be caught.

Looking at the responses however is begging a question and perhaps a little thought project. What is the median age of the anonymous crowd?

Ponder ponder….

Things are about to get interesting.

K.


Written by Krypt3ia

2011/03/09 at 16:24