security

Electronic Hippies and the Police State

Posted in security on May 18th, 2009 by irv – 2 Comments

How can you not love a domain named “cryptohippie.com?”

Okay, so it’s a business that sells unusual and interesting services that broadly fall under the heading of “security.” I say broadly because this is not the usual anti-virus or hacker proofing kind of stuff. Check out the website if you like. For now let’s just say that CryptoHippie lives up to its name.

What I really want to discuss is CryptoHippie’s report on the Electronic Police State, 2008. (Available here). The title caught my eye immediately, partly because I recently finished a class that included in the reading list a couple books that were chock full of scare stories about that same topic, more or less [See No Place to Hide by Robert O'Harrow, Jr. and Darknet: Hollywood's War against the Digital Generation by J.D. Lasica]. The class wasn’t quite about that, though. It was about the law as it relates to computer and internet security and privacy (It was also brutal but it looks like I got the A).

Of course, some of what we covered included the hoops the government has to jump through to gather evidence and the way that process was changed by the USA PATRIOT Act. Privacy policies and the laws that govern or even require them were also a large part of the class, along with other interesting things. Never did the phrase “Electronic Police State” come up. That would be worth another class by itself, and I hope to take it one of these days.

The first topic should be: what does “electronic police state” mean?

First, what is a “regular” police state? According to Wikipedia, the term “describes a state in which the government exercises rigid and repressive controls over the social, economic and political life of the population” (Police state). This is a nice start but doesn’t tell the half of it. A police state is one where citizens have few, if any, rights. It’s a place where they can be arrested at any time, with or without a reason. In the old Soviet Union the crime of committing “anti-Soviet activities” (or was it un-Soviet?) was a catchall that could be used to collect dissidents or prostitutes with equal ease (the story goes that it was used against prostitutes because there were no laws against prostitution, since that was said to exist only in decadent Western countries like the U.S.A. But that law could be used to nab almost anybody for almost anything, so it worked just fine).

Unintended Cyber Consequences Continued

Posted in security on April 8th, 2009 by irv – Be the first to comment

After I wrote the last post about problems with the upcoming CyberSecurity bill (see The Law of Unintended Cyber Consequences) – actually after I went to bed – I realized what bugged me about the whole idea of the president having a Real-Time CyberSecurity Dashboard. It’s an alarm system just begging for someone to mess with it. There are three possible scenarios that I can think of without trying very hard.

In the first scenario someone with a great many resources (maybe well-educated Russian youth groups, as described in my post Cyberwars Redux) launches a series of “events” to gauge the workings of the dashboard. Maybe they do a virus one month, a severe denial of service attack on a high profile target another month, and a serious attempt at penetration of a military target some other month. They monitor responses from the White House, particularly the CyberSecurity Advisory Panel. Maybe they go by press releases and rumors in the press. An actual intelligence operation (as all governments have, and quite a few terrorist organizations as well) might have live humans they can pump for information. Anyway, after a time, they gather enough information to know how to make the dashboard show what they want it to show.

I’ve described this as an entire intel program, but it doesn’t have to be. The dashboard will be something most security geeks will be interested in. Information about it will get out. Maybe it will show up in the trade press, or in casual conversations at conventions or on IRC. The trouble is, once people learn how to manipulate the system, worse scenarios become possible or even likely.


The Law of Unintended Cyber Consequences

Posted in security on April 7th, 2009 by irv – Be the first to comment

Computer security seems to be an endlessly hot topic. Recently, there has been talk of a bill in the U.S. Senate that would dramatically change the security landscape in this country. Under the guise of protecting national infrastructure, this legislation would raise the price tag for security significantly while allowing the federal government to take charge of any and all systems and networks it happened to choose.

Great idea. “We’re from the government, and we’re here to help your computers. Here’s our secure example. It’s called Colossus.” (That’s a somewhat obscure movie reference. See Colossus: The Forbin Project or even Colossus: The DVD. See what people worried about long before we ever heard of Skynet.)

The bill is The Cybersecurity Act of 2009, co-sponsored by Democrat John Rockefeller of West Virginia and pretend Republican Olympia Snowe of Maine. As of yet (if I remember correctly and didn’t miss something in my reading), the bill has no sponsors in the House. That’s a hopeful sign. Let’s see why.


Cyberwars Redux

Posted in security on March 13th, 2009 by irv – Be the first to comment

There’s already a new chapter in the story of the alleged confession that Russia was behind the cyber attacks on Estonia in 2007 (see http://www.chaosprg.com/blog/2009/03/the-coming-cyberwars/ for the previous discussion). In that post I discussed the (improbable, I thought) claim of a Russian official that his assistant had started the attacks for purely patriotic reasons. Now there’s a new story that the previously unnamed assistant has come forward and said it’s true, and added some fascinating details.

In an article by Charles Clover in the Financial Times (Kremlin-backed group behind Estonia cyber blitz), the assistant in question, a Mr. Konstantin Goloskokov, is quoted as claiming not only that he started the attacks but – and this is the really interesting part – that he enlisted members of a group called Nashi to carry them out. He insists that the decision to do this was spontaneous, not something prompted by orders from the Russian government, and that there was nothing illegal about it. It wasn’t a denial of service attack, it was just more service requests than the Estonian servers could handle. The article does not say if he used air quotes or an “end sarcasm” tag when explaining this.

The Coming Cyberwars

Posted in security on March 10th, 2009 by irv – Be the first to comment

What do you do if a foreign government attacks your country’s computer systems? In America we apparently throw a lot of money down a hole and then the guy theoretically in charge of defending our networks quits.

Anyone who has followed the news knows this is not a hypothetical question. For example, two years ago when Russia invaded Estonia there was a concurrent denial of service attack across the Internet on Estonian servers. This attack caused communications difficulties that may have affected the Estonian response to the invasion (not that there was ever very much they could do) and even reportedly disrupted such things as ATM transactions (see Russia’s Cyberwar on Estonia).

Recently, a story has been circulating that the Russians have admitted to being behind the Estonian attacks (see Russian politician: ‘My assistant started Estonian cyberwar’). There’s less to this story than meets the eye, though. Sergei Markov, a Russian government official, claimed recently that a deputy of his (whom he conveniently refused to name) was outside Russia at the time the war began and started the cyber attacks entirely on his own, as a “reaction from civil society.” Apparently this was meant to indicate that the attacks had nothing to do with any official strategy but were a spontaneous uprising of the proletariat against the reactionary forces, etc., etc.

In other words, it sounds like typical old-fashioned Soviet propaganda and just doesn’t pass the smell test. Unless the Russians really want the world to believe that low grade government functionaries often have access to destructive botnets that can be turned against any country that happens to annoy them?

The Security Cynic, Episode 1

Posted in security on February 27th, 2009 by irv – 1 Comment

Once, when I was considering things like blog names and Twitter-like user names, I considered calling myself the Security Cynic. I know, that sounds redundant. Anyone who knows much about security is likely to be highly skeptical of much of what is often said about security. And anyone who has worked for a living may be, um, less than impressed by the security practices of a lot of companies or departments, even when their managers claim that security is the most important thing on their minds.

It would be easy at this point to segue into a discussion of the monstrous Heartland data breach but that’s not where I’m going with this today. Still, it’s an interesting object lesson in security cluelessness and should be studied as such. Here are some links:

Now that that’s out of the way, back to today’s storyline. I laughed out loud (seriously enough to not even acronymize it!) when I saw this in the Twitter stream of dantheshive:

@pvponline Be sure to save that bad boy. I personally have a mail folder marked simply as “evidence”.

What do you mean I forgot the security?

Posted in science, security on February 15th, 2009 by irv – 4 Comments

Is security a science? (I mean specifically computer/Internet security here.) Maybe the question is trivial, but sometimes I wonder. The question occurred to me as I was reading a section on cross-site scripting attacks in Ed Skoudis’s excellent book Malware: Fighting Malicious Code, which is the textbook for a class I’m taking. Being a curious sort of guy, I tried it out. I took a prototype web site I had developed for my job and inserted some JavaScript into a text field, just to see if it would work. It did.

I had the advantage of knowing that I had not included defenses against such an attack in the code, because it was a prototype intended to work through a problem, not an actual attempt to build a real live website. It was never going to see real life on the Internet. Well, it seems now that this may not be true. I’ve moved on to other things while that old prototype site has been handed to another programmer to build out into a more complete system. I guess I’d better warn the programmer that he has to include some kind of whitelisting or tag stripping in the data entry fields before it goes live.

Monday I guess I’ll add it to his backlog. It’s already on mine for the current project (at least, I hope it is!).
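The two fixes the post names, whitelisting and tag stripping, are shown side by side below as an added example; this is not code from the author's prototype site. It assumes a small allow-list of harmless formatting tags (`ALLOWED_TAGS`) and uses a constructed sample field value containing a script tag. The first function is plain output encoding, which turns the whole value into literal text; the second keeps a few allowed tags (with their attributes dropped) and escapes everything else, so a script tag or an event-handler attribute never reaches the browser as markup.

```python
import html
import re

# Constructed sample input: the kind of value the post describes being typed
# into an ordinary form field of the prototype site.
SAMPLE_INPUT = 'Hello <b>there</b><script>alert("xss")</script>'

# Assumed allow-list for this example: bare formatting tags only.
ALLOWED_TAGS = {"b", "i", "em", "strong"}

# Matches an opening or closing tag and captures its name; attributes are
# swallowed by [^>]* and discarded.
_TAG_RE = re.compile(r"</?([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def escape_for_html(value: str) -> str:
    """Output encoding: render user-supplied text as literal text, never as markup."""
    return html.escape(value, quote=True)


def strip_disallowed_tags(value: str) -> str:
    """Allow-list filter: keep bare allowed tags, escape every other tag as text.

    Text between tags is always escaped, and allowed tags are re-emitted
    without attributes, so onclick/onmouseover handlers cannot survive.
    """
    out = []
    pos = 0
    for m in _TAG_RE.finditer(value):
        out.append(html.escape(value[pos:m.start()], quote=True))
        name = m.group(1).lower()
        if name in ALLOWED_TAGS:
            closing = "/" if m.group(0).startswith("</") else ""
            out.append(f"<{closing}{name}>")
        else:
            # Disallowed tag: emit it escaped so the browser shows it as text.
            out.append(html.escape(m.group(0), quote=True))
        pos = m.end()
    out.append(html.escape(value[pos:], quote=True))
    return "".join(out)


def contains_active_markup(rendered: str) -> bool:
    """Crude self-check: does a <script tag or an on*= handler attribute survive?"""
    lowered = rendered.lower()
    if "<script" in lowered:
        return True
    return re.search(r"<[^>]+\son\w+\s*=", lowered) is not None


if __name__ == "__main__":
    for label, fn in (("escaped", escape_for_html), ("filtered", strip_disallowed_tags)):
        rendered = fn(SAMPLE_INPUT)
        print(f"{label}: {rendered}")
        print(f"  active markup survives: {contains_active_markup(rendered)}")
```

Output encoding is the default choice for a plain text field; the allow-list filter is only worth its extra complexity when users are genuinely meant to enter some formatting, and even then attributes are dropped rather than inspected.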