Archive for the ‘Terrorism’ Category

Privacy and anonymity on the Internet and in real life are under increasing assault due to companies’ and governmental agencies’ ability to capture incredible amounts of data mainly from Internet traffic, and their ability to track users across websites and services, generally without users’ knowledge.  Once it’s been captured, this data is essentially impossible to erase regardless of whether it is right or in error, and many organizations that have captured such troves of data have demonstrated a weak ability to maintain control of it.

Often this data is used “just” for commercial purposes, but could also be used to threaten to expose users of certain websites or services, or expose holders of unpopular political, social, or economic views, or to prevent people from accessing whatever websites someone in power wishes them not to access.

Privacy and anonymity are different but interrelated, and both are deeply and honorably enshrined in American legal and cultural traditions.  For our purposes,

  • Privacy means other people can’t get information about me (e.g. tax returns or medical records) that I don’t willingly give them, and it’s no business of anyone else’s what websites I go to or what I do online.  To have privacy is part of what it means to be an autonomous human being; if you have no privacy, other people can know everything about you and be able to make decisions for you or predict your actions.
  • Anonymity means I can express opinions, access Internet-based data, or visit websites without anyone knowing who I am in real life, or where I am physically (not being able to find or contact me, in other words to be able to harass, expose, or arrest me).  This should include someone not being able to identify me via some pseudo-me that they have constructed from my presence using cookies, malware, or other hidden identifiers.  Just their not knowing my real name is not enough, to be anonymous is to be unreachable.

I am disturbed by people who, in the wake of 9/11 or because of some other real or perceived terrorist activities, take the position that “only people with something to hide need to hide behind privacy.”  This is nonsense.  We all deserve privacy in our private lives, unless for a very specific reason someone gets a court order to pierce this veil.  Nor is anonymity somehow un-American.  In the early days of our Revolution, Madison, Jay, and Hamilton wrote the Federalist Papers under the name of Publius to avoid any untoward personal issues from their views.  Purer and more patriotic Americans never existed than these!

This situation has been brought about by aggressive data capture technologies, and the ability to cheaply store incredible amounts of raw data and quickly process it to correlate, trace, and extract meaning from even the tiniest pieces of it.  Governments, repressive or otherwise, have used court orders to compel Internet-based services to disgorge details on individuals’ use of these services and have also developed network-penetration techniques (hacking) to harass individuals and obstruct their access to data.  Technology has thus leapt ahead of accepted proper use of it, and indeed ahead of the common person’s ability to even comprehend what is happening.

Here is a good, and seemingly harmless example.  If a woman is a regular Target shopper, using a Red Card or consistently using a single credit or debit card, and she becomes pregnant, Target will know that fact by the third or fourth month with a very high degree of certainty, based on subtle shifts in her buying habits.  Not because she’s buying diapers, because she isn’t yet, but by other changes they won’t make public.  At this point they start biasing their ads delivered to her for the purpose of increasing her “lock in” to Target, so that Target becomes her preferred store during the next couple of years.

But if Target can do this, what if an insurance company could buy data on policyholders that would allow them to determine that you are developing some serious health problems, and raise your rates, or drop you entirely,or not take you on in the first place?  Or could the state pre-emptively revoke your driver’s license?  Or arrest you because they felt you were exhibiting signs of radicalism, whatever that may mean?  And worse yet, if any of these things happened to you, would you even know the reason, or would you think it was some accident of nature?

And now we have the evidence that the National Security Agency has for many years, without any warrant or even hint that any wrong-doing was being carried out, been recording phone call details and Internet access data (“metadata”) on a great fraction of the American public on an ongoing basis.  These governmental criminals then look you in the face and say, “we’re not listening to your calls or looking at your data, we’re just recording this ‘metadata,’ you don’t have to worry!”

Let’s look at this metadata.  For a phone call, it would include your number, where you were, were you moving, who you called, where they were, at what time of day, and how long it lasted.  You may say, “so they know I call my sister in Toledo every Friday evening.  So what?”  Well, if they have the metadata on every call you have made for the last several years, they can build a profile of your normal calling patterns to a surprising level of detail.  Now you start calling – even twice a week, say, a lover in San Antonio.  They would be able to see this as a deviation from your usual calling pattern, and they could be alerted, perhaps, and perhaps interested.

So metadata on calls and Internet accesses is far from harmless.  They don’t have to listen to the calls with this kind of stuff at their fingertips.  Indeed, the call metadata is in many ways superior to merely listening in on somebody’s line.  What Target can do with charge-card metadata, the NSA can to a thousand times over with call metadata.

So what they want to do is to record communication metadata on everybody in the country, forever, so they can go back into it at their convenience, and analyze it retro-spectively looking for some hint of wrongdoing.  At this point, we have no personal privacy any more, we are as good as naked on the street.  Even the Chinese or Russian police states don’t (yet) have this power.

So I ask: is this the kind of country we want to live in?


Read Full Post »

I am hoping that now that we have brought about an abrupt end to Osama bin Laden’s involvement in the International Terror franchise, that cooler heads might prevail in fashioning our response to the actually-continuing threats from various domestic and international nut-cases.  I’m not optimistic.

Look, here’s the crux of it.  In the decade since 9/11/2001, we have spent roughly a trillion dollars on counter-terrorism activities.  A trillion dollars.  This is in response to Osama’s maniacs who killed just over 2,800 people on 9/11.  Of course, that’s awful, and a tragedy.  But at the same time, right around 3,000 people will be killed this month in traffic accidents, and another 3,000 will be killed next month, and the month after that.  We take reasonable precautions against being involved in traffic accidents, but it seems that the same standard of reasonableness is not applied to our (national) precautions against being the victim of a terrorist event.  Virtually all of this trillion-dollar expenditure has been made without any kind of cost-benefit or effectiveness analysis that would demonstrate that these were dollars well spent, or that they have made us safer.

(Incidentally, in researching this subject, I asked a number of people  how many were killed in the 9/11 attacks.  The numbers I got ranged from 5,000 to 25,000, with most clustering around 15,000, or over 5 times the number who actually died.  So as a society we’ve already inflated the damage, and therefore the threat, quite a bit.)

Lots of the people involved with all this spending then say, “we know things you don’t, it’s all very secret, you just have to take our word for it that what we’re doing is right.”  Well, you know, after the firehose of government lying and exaggeration that went into the run-up to the Iraq invasion, I really don’t believe you.  And if the Transportation Security Administration is an example of the quality of your work, I want an immediate audit.

Just in case you’re in danger of falling asleep reading this, here’s the news, in condensed format:

  • Our responses to the threats of terrorist attacks on our country (both cyber-threats and regular ordinary terrorist threats) are grossly out of proportion to the actuarial likelihood of either the attack, or the economic or human losses from them;
  • Many of the things we do to protect ourselves are ineffective, costly, sometimes make us in fact less secure, and in the bargain threaten our civil liberties and the foundation of the Internet;
  • This does not mean that there are no threats to us, of course there are, and we need to prepare to face them;
  • But what we need is a measured, focused, risk-driven approach that scales our preventative measures to the realistic dimensions of the threats we face, not an overblown, spend-anything, corporate-greed-driven, go-nuts program.
  • Unfortunately, this is what we have going right now.

I’m a cyber kind of guy, and I spend a fair amount of time dealing with cyber-threats for my employer, I’m going to focus this post on cyber-security, but basically the same criticisms hold for terrorist threats against physical targets, too.

Currently the American public is being force-fed a relentless barrage of nonsense in the press, and even in the halls of Congress.  This line of thinking holds that we are as a nation exposed to horrific attacks against our infrastructure by stateless jihadis or hostile governments via the Internet, how we are defenseless against these attacks, how our way of life will vanish, millions will be killed or starve, and so on.

The best (or worst) example of this is the book Cyber War: The Next Threat to National Security and What to Do About It, by Richard A. Clarke (a former cyber-security adviser to the White House) and Richard K. Knacke of the Council on Foreign Relations (2010).  This book serves up 300 pages of the most apocalyptic descriptions of cyber-catastrophe, including chemical plants and refineries exploding and spewing toxins, nationwide power failures, trains sent off the tracks, airliners colliding, networks rendered mute, food shortages, hospitals thrown into chaos, and societal breakdown with widespread looting and rioting.  All this, ” . . . without a single terrorist or soldier appearing in the country.”

Unfortunately, they never offer the slightest shred of evidence that such an attack has ever been tried, or is even technologically feasible, and as such is more a work of speculative fiction than a sober report of the state of our cyber-defenses, whatever they are.  That is typical of this whole discussion: it is driven by point-blank assertions, with no evidence to back them up.  Even when they, or others, allege that such attacks have indeed already taken place, they provide no specifics about the method or the actual losses we have sustained.

In Congress, we have had hearings and public pronouncements by all manner of worthies.  For just one example (I do give examples!) Senator Jay Rockefeller on 3/19/2009 made the following blanket statement:

It would be very easy to make train switches so that two trains collide, affect or disrupt water and electricity, or release water from dams, where the computers are involved.  How our money moves, they could stop that.  Any part of the country, all of the country, is vulnerable. How the Internet and telephone systems work, attackers could handle that rather easily.

If you take this at face value, it does seem pretty scary.  But believe me, as one whose whole career has been in software development and system implementation, just asserting something is  possible a very long way from actually being able to do it.  Mostly, in all the Congressional hearings, and in Clarke and Knacke, all we get is this kind of talk but with no empirical evidence discussing how these attacks would possibly work.  And unfortunately, all this loose talk is treated as the foundation for hundreds of billions of dollars of public expenditures, and this is nuts.

I won’t bore you with further examples of this breathless hyperbole, the references at the end of this post contain many more, if you need further proof.

Why is it we in the public seem to be falling for such histrionics?  I think there are a couple of things at work here.  First, individual people, and people they know, feel vandalized by spam, identity theft, and Facebook account-hijacking by password theft or guessing.  They hear about the theft of corporate and governmental databases, which seem to continue unabated.  They don’t understand how to protect themselves, so they fear the worst, and extend that fear to the country and to the rest of the government.

Another thing at work here is a long-standing generalized fear of technology “moving too fast for us,” a fear that has reared its head in many guises during the last 150-200 years (in other words, since the invention of modern technology):

  • Frankenstein came out about the time when electricity was being explored and tamed, and explored the whole concept that somehow we might be able to create and animate soul-less beings through this mysterious power;
  • In the book Victorian Internet, there is a whole section devoted to the social and personal stresses brought about by the invention of the telegraph, and these stresses were not inconsiderable;
  • The early years of the 20th Century spawned lurid tales of “wire devils,” crooks and confidence men who people felt would exploit and victimize them via the telegraph, because they could not see who they were dealing with face to face;
  • After World War II there were large numbers of movies that featured Godzilla or other prehistoric monsters awakened from their unknown lairs by the explosions of atomic bombs, to come ashore and lay waste to humanity, in retribution, I guess, for being bothered.

So, we have a long history of fearing the impacts of technologies we don’t understand and attributing vastly unrealistic powers to them.  This is going on right now, re: the Internet and foreign hackers, in spades.  But as stated in Brito and Watkins (reference below):

Fear is not a basis for policymaking.

And yet, fear appears to be our driving stimulus in this situation.  That is not a good sign.

Read Full Post »

I was very distressed the other day to hear President Obama continuing the use of the term, “War on Terror.”  Probably nothing hampers our ability to deal with the Middle East and the rise of Neo-Islamist extremists more than talking about it as a “war.”  Are we at war?  Against “terror?”  Terror is just a tactical or strategic decision about using a weapon in a certain way.  Was Hitler at war with “strategic daylight bombing?”  No, he was at war with most of the rest of the world.  If we’re going to be at war against terror, we might as well be at war against howitzers.  Neither concept makes much sense.

Whatever it’s against, are we in fact “at war?”  I’m sure as  a paean to the (mainly) Republican saber-rattlers in Congress, Obama stated “we are surely at war . . . ”  But a war should be against some tangible objective, over a limited amount of time, and it should require the mobilization of massive resources and the will of the population to persecute it.  In this case, we are (by the Bush Administration’s calculus) really at war with Islamic populations world-wide.  Do we mean to do this?  Do we want to, if we can help it?

No, I submit we are NOT at war, not in any meaningful sense of the word.  We are not out to defeat Islam, or Pakistan, or whatever.  What would our objective be, then, defeat Osama bin Laden?  That’s pretty pathetic, and probably pretty unlikely, too.  It may sound stirring, I guess, to talk about being “at war,” but thinking that this business will resolve itself the way World War II did, with the utter defeat of the enemies, is just delusional.  Remember, the Japanese populations were eating the bark off of trees to live near the end of that war.  Are we willing to do this to the Islamic population of Pakistan?  Or Indonesia?  Are we really?  If we are, believe me our current strategies won’t take us there, not by a long shot.

No, I think we’re really trying to deal with mainly extra-governmental entities (think: al Qaeda) who are religious fanatics with an agenda against the West, and specifically the US as a proxy for the whole West.  They infest places with weak or minimal governments, and reach out to strike at their presumed enemies.  They are going to be plotting against us for a long time and we’re going to have to devise ways to restrict their actions and blunt their blows, but they’re always, like cells waiting to become cancerous, sitting there looking for an opening.  And unless we’re willing to utterly destroy the countries that harbor them, really destroy them and much of their civilian populations, military action is the wrong tool.

I don’t have a perfect solution to this, but I do know that stopping maniacs from carrying out terroristic actions will require something much more like police work than anything military.  It will require tracking people and their behavior, using little clues to home in on individuals before they make it to the airport with their bomb or their gun.  This isn’t as glamorous as sending in the Marines, but it will be, in the long run, much more effective against these guys.

And of course we could figure out what we’re doing to create all these Islamic terrorists and stop doing that at least for a while.

Read Full Post »

Maureen Dowd in the Times said it the best in a recent editorial:

If we can’t catch a Nigerian with a powerful explosive powder in his oddly feminine-looking underpants and a syringe full of acid, a man whose own father had alerted the U.S. Embassy in Nigeria, a traveler whose ticket was paid for in cash and who didn’t check bags, whose visa renewal had been denied by the British, who had studied Arabic in Al Qaeda sanctuary Yemen, whose name was on a counterterrorism watch list, who can we catch?

Seems oddly like the recent White House Party Crashers, when in spite of the mission of protecting our President, the Secret Service failed, and no one has been held accountable — i.e. fired.  I suspect that in this case, no one will either, because the charge of “systemic failure” spreads the responsibility around too far and too thin, so in the end, we just keep right on rolling along.

Except of course for the usual “locking the barn door” reaction by TSA.  Just as post-Richard-Reed, we all dutifully take off our shoes at the security checkpoints, 60 million people a year uselessly inconvenienced because of one failed terrorist attempt, now will we be taking off our pants for them?  And so, international travelers (only) will not be able to use the rest room in the last hour, or have a book or magazine in their laps?  This stuff doesn’t protect us, it just costs us.

And then, the next idea is millimeter-wavelength or backscatter x-ray machines to do full-body scans.  Just for the record, the potential for these images to be captured and disseminated to perverts and voyeurs is virtually 100%.  Please — the images that have been released to the press to show how these machines don’t really invade your privacy have had the genitals blocked out, which, folks, they won’t be when the machines are actually in use.

This reminds me of my time as a systems consultant to manufacturers.  One of the mantras we preached was “you can’t inspect-in quality, you have to build it in” and that’s the case here.  Trying to catch terrorists at an airport checkpoint, or worse yet at the gate, is just trying to inspect-in quality.  Per the quote above, you need to find them before they get to the gate.

Read Full Post »

As if we don’t have enough spam, viruses, phishing attacks, and other forms of network-mediated malware assailing us, now we have Storm. Storm is a kind of compound malware, not so clever in and of itself, since it infects like so much other malware, via a user getting suckered into clicking a link. What is especially insidious about it is that it enslaves vulnerable machines, like a regular bot does, but then rather than going on the attack, it tends to lie there for a time, waiting for instructions. And the instructions come not from a central command center, but on a distributed 2-C (Command and Control) pathway from a smaller group of command systems. In effect, the bot-herder can jack into the botnet at many points and from anywhere, making it exceptionally difficult to intercept and contain. The bot software is also reputed to self-modify when installed, so that it can further hide itself from anti-virus cleaners.

Probably the best and readable technical overview of the Storm worm is here in Bruce Schneier’s blog.

Several pundits are predicting nothing short of the end of the world over this thing, and I grant that it’s going to be a bear to deal with, but I’m quite confident that it will be dealt with successfully. OK, so the Storm developers are very clever, but the good guys aren’t dunces, either. No, it’s much more likely to become part of the Internet background noise, just more gunk we have to filter out.

I mean, right now in my current work environment, only 3% – 5% of the emails we get in a given day are actual valid communications to someone here, the rest are spam or worse (this is by my actual count). We just filter them out, some get through, we individually delete them, and we go back to work. It’s a large problem, but it’s more of a nuisance than a threat to the business. And we all just keep emailing.

Of course, it might be placed in the hands of any of the various political terrorists around the world that are continually assailing us, they they have very little to lose if the Internet itself is rendered unusable. This I do worry about, but it still seems unlikely.

The more important issues revolve around what we might have to do to harden our defenses, and what this will lead to in terms of a “revised” Internet. We currently enjoy the Internet as an extremely free and borderless ecosystem, where data races back and forth with few restrictions, and people dream up and implement new services — and new kinds of services — that no one could have dreamed of a few years ago. Harden all this down too much, and suddenly everything turns into molasses. Not good!

So something very bad happens. Will we have to license servers or individual PCs? Will there be qualifications to connect to the Internet? Will sysadmins need to be licensed? What about our ability to publish or participate in discussions anonymously?

I’ll address these and other related issues in a future post. But I encourage you to think about it now, because if the Internet takes a big hit from criminal or terrorist elements, the legislature won’t be far behind, and we all know what kind of technicians the lawyers are.

Read Full Post »

Yet another indication of the general lack of capability of the Department of Homeland Secutiry surfaced this week, when the recipient of a relatively routine DHS counter-terrorism email newsletter attempted to have his delivery email address changed. His request, which he apparently thought was going to the mailing list administrator, in fact executed a “reply all” and shot off the request to all 7,500 subscribers. The humor of his simple request blasting the whole list resulted in an increasing number of recipients joining in with various sage and less than sage comments, and the initial wave of activity resulted in over 2.2 million emails being generatd during the day.

Now so far, this is just a lighthearted little bungle, it does happen inside businesses or agencies, with no particular harm done except to the administrators of the email system. Once when I was at US Bank, some hapless low-level employee in the Proof and Transit department managed to “reply all” to a monthly-fluff-from-the-president email thinking he was asking his supervisor if the vacation schedule was done yet. So everybody got this email too, and some of the recipient’s email “I’m not here” notifications were sent to “reply all” list, as were 2 or 300 emails back to him telling him what he had done, all these copied everybody and ricocheted around the bank until by 11 AM the whole system croaked with overload.

So, as it turns out, it’s possible to flag certain emails as “nonforwardable” and/or “nonreplyable” so this doesn’t happen. That was new stuff, about 5 or 6 years ago. And it was internal email in a bank.

But this is the organization in charge of protecting our critical infrastructure and us from terrorists! And, it’s 5 or 6 years later! The Times’ article points out,

The accident raised questions among cybersecurity experts about how well prepared the Homeland Security Department is to defend against a cyberattack because it had trouble dealing with this computer problem.

“It is a very simple fix,” said Marcus H. Sachs, a volunteer computer security expert at the SANS Internet Storm Center. “Do they not have anybody there that understands how to fix it?”

Actually, the worse problem is, don’t they have anybody who knows how to set it up in the first place? After all, this is not something that’s never happened before. Now they may argue, we’re so busy on the really big stuff, like setting standards for shampoo bottles when you fly, that we didn’t have time to do this right. To anyone who makes that argument with a straight face, I direct you to the parable of the talents in the Bible (Matthew 25:14 – 30). In the end, the master said, “Well done, good and faithful servant! You have been faithful with a few things; I will put you in charge of many things.”

I’d like to see DHS, and especially it’s cyber-terrorism unit, so some small things right, so we had a better feeling about their being able to do complex and critical things right, and right the first time.

Read Full Post »

Ever leery as I am about only throwing stones at other people and never offering anything useful as a solution, I now present my Four Great Suggestions for reducing the terrorist threat to the US. I do this as the current Bush administration seemingly seeks to prepare us for additional losses of personal rights and privacy in the name of “combating terrorism.” And administration shills like Senator Rick Santorum have started touring the country drumming “there’s going to be another attack, there’s going to be another attack” to try to scare us into submission. So rather than meekly giving in to this bogus raising of boogeymen, let’s just actually look at why these people are attacking us, and counter those reasons! Much simpler and more cost-effective.

I presented these earlier in a comment I posted to an article on Newsvine, which you all ought to be reading anyway, but here is my solution to this mess we have walked into:

1. Dramatically reduce our dependence on middle-eastern oil so they have less leverage on us;

2. Stop attempting to meddle in middle east politics and issues, those people have to work it out for themselves, they have to kill until they’re sick of killing and finally want to find common ground with each other;

3. Stop depending on a spy-counterspy mentality to save us, the Brits and the Germans catch terrorists with good old-fashioned police work, and we can do this too, we don’t need to sacrifice our hard-won freedoms on the altar of Homeland Security;

4. Ensure that we remain a (however flawed) melting pot that can absorb immigrants and make them part of a long-term American dream. We must BE the shining beacon on the hill to the rest of the world, we must implement in our hearts Emma Lazarus’ poem on the base of the Statue of Liberty:

Not like the brazen giant of Greek fame,

With conquering limbs astride from land to land;

Here at our sea-washed, sunset gates shall stand

A mighty woman with a torch, whose flame

Is the imprisoned lightning, and her name

Mother of Exiles. From her beacon-hand

Glows world-wide welcome; her mild eyes command

The air-bridged harbor that twin cities frame.

“Keep ancient lands, your storied pomp!” cries she

With silent lips. “Give me your tired, your poor,

Your huddled masses yearning to breathe free,

The wretched refuse of your teeming shore.

Send these, the homeless, tempest-tost to me,

I lift my lamp beside the golden door!”

None of this has the satisfaction of slaughtering people we disagree with, or reducing their countries and economies to absolute ruin, and watching their children starve in the street or be blown to smithereens because they disagree with our politics, but I believe in the long run it will bring us more safety and security than comes out of the barrel of a gun. “He who lives by the sword will die by the sword.” The standard we set in the world is the standard by which we, and our civilization, will be judged. What will that standard be? Rule of law, or Guantanamo? Geneva Convention, or torture? Freedom, or repression? It’s our choice, in fact, it’s US.

Read Full Post »

Older Posts »