Thursday, November 29, 2018

The false path of ReIntermediation

Salsa Shark. . . 

I sent a recent paper on information operations over Twitter to some people for feedback and one of the comments was the following:
I also think there’s a meta question that needs to be answered. 
You say that censoring inauthentic accounts is not the way to go for various reasons...but you still have an info ops problem given that inauthentic accounts are still publishing garbage getting likes, retweets, shares, and driving online activity/conversations. How does your Jiu Jitsu solution remedy that?
And here's the larger picture: I never think re-intermediation is a valid policy solution, but it's the most common reflex in government and policy bodies. The internet was a tidal wave of disintermediation - in technology, in society, in geopolitics. It's hard to explain that yes, the Russian Government gets to talk to all your people directly without you being able to do anything about it, or that people can talk to each other in encrypted format now without you being able to listen, or that money or music is going to transfer around without any real mediation by governments.

The instinct is always to try to force social media companies to just get REALLY good at banning Russian propaganda networks, or legally enforce impossible encryption regulations, or somehow enforce a global copyright regime. To re-intermediate, in other words. It's always the wrong direction. You can't roll back the tide.

Tuesday, November 20, 2018

A Question of Trust

For those of you who have not read Eugene Kaspersky's latest piece, it is here:
https://www.forbes.com/sites/eugenekaspersky/2018/11/19/a-question-of-trust/

I have pasted the most relevant section below.


While obviously Kaspersky's transparency initiative is a good thing, and probably something that should be emulated by other companies in the field, I think it's worth taking a step back to see what metrics you can judge its design on for effectiveness. Many portions of the stated initiative don't seem to be relevant in a security sense - they are for marketing purposes, as cover for people who want to use Kaspersky software and are looking for an excuse.

Some questions, a positive answer to any one of which is fatal to the goals of a Transparency initiative:

  • Can Kaspersky update the software of only one computer, or write a rule that would run only a subset of computers? 
  • Is the data from computers in France still searchable from Moscow? (And hence, subject to Russian law?)
  • Could Kaspersky install a NOBUS backdoor which would get through the review of the Transparency team in Switzerland and get installed on international customers?
I think the answer to these questions is probably "yes".

The hard problem here is that the goal of a "Trust" initiative of this nature is to be able to protect your customers while provably being unable to see what they are doing, or target them in any way. The most obvious solution would be for Kaspersky to start up an entirely independent operation to handle the international market, at the cost of any economies of scale (and also at a reaction-time trade-off). Even that might not solve the third question, although at a certain point you have to admit that you are setting a bar high enough that software from extremely risky development locales is not going to clear it (which sucks for Kaspersky, but is an extremely realistic risk profile, depending on who you talk to!).

As a final note, this talk by a Kaspersky researcher is fantastic:




Tuesday, November 13, 2018

The true meaning of the Paris Call for Trust in Cyberspace

Links:


I often find it hard to explain anything in the cyber policy realm without pointing out how weird an idea "copyright" is. The easiest way to read Cat's article in the Washington Post is that the PR minions of most big companies want to make it seem like some sort of similar global controls over cyber vulnerabilities and their use are a natural thing, or at least as natural as copyright. In some sense, it's a coalition of the kinda-willing, but that's all the PR people need since this argument is getting played out largely in newspapers.

But just to take one bullet point from the Paris text:
  • Develop ways to prevent the proliferation of malicious ICT tools and practices intended to cause harm;

What, you have to ask yourself, would that actually mean?

You can paraphrase what software (and other) companies want, which is to find a way to ameliorate what in the industry is called "technical debt" by changing the global environment. If governments could assume the burden of preventing hacking, this would allow for greater risk-taking in the cyber realm by companies. I liken it to the credit card companies making it law enforcement's problem that they built an entire industry on the idea of everyone having a secret number small enough to memorize that you would give to everyone you wanted to pay money to.

From the WP article:
This could make way for other players on the global stage. France and the United Kingdom, Jordan said, are now emerging as leaders in the push to develop international cybersecurity norms. But the absence of the United States also reflects the Trump administration’s aversion to signing on to global pacts, instead favoring a transactional approach to issues, Singer said.

It's not so much "transactional" as it is "practical and workable", because to have a real agreement in cyber you need more trust than is typical of most arrangements. This is driven by the much reduced visibility into capabilities that is part and parcel of the domain, which frankly I could probably find a supporting quote for in Singer's new book :).

Aside from really asking yourself what it would MEAN IN REAL PRACTICAL TERMS for humanitarian law to apply to the cyber domain, you also have to ask yourself if all the parties in any particular group would AGREE on those meanings.

And then, as a follow up, ask yourself what the norms are that the various countries really live by, as a completely non-aspirational practicality, and especially the UK and France.



Wednesday, October 24, 2018

Book Review: LikeWar (Peter W. Singer, Emerson T. Brooking)

TL;DR


Buy it here!

Summary


There are some great stories in this book. From Mike Flynn's real role pre-Trump Admin, to a hundred other people's stories as they manipulated social media or tried to prevent it in order to have real world effects. This book draws a compelling narrative. It's well written and it holds your interest.

That said, it feels whitewashed throughout. There's something almost ROMANTIC about the people interviewed through much of it. But the particular take the authors have on the problem illustrates an interesting schism between the technical community and the academic community. For example, in the technical community, the minute you say something like this, people give you horrible looks, as if you were giving a Physics lecture and somehow wanted to tie your science to a famous medieval Alchemist:

Highlight (yellow) - Location 307

Carl von Clausewitz was born a couple of centuries before the internet,
but he would have implicitly understood almost everything it is doing to
conflict today.
What's next? OODA Loops?!? Sheesh.

In a way though, it's good that the book started this way, as it's almost a flare to say exactly what perspective the book is coming from.

Two other early pieces of the book also stuck out:
Highlight (yellow) - Location 918

For it has also become a colossal information battlefield, one
that has obliterated centuries’ worth of conventional wisdom
about what is secret and what is known.
And:
Highlight (yellow) - Location 3627

And in this sort of war, Western democracies find themselves
at a distinct disadvantage. Shaped by the Enlightenment,
they seek to be logical and consistent. Built upon notions of transparency,
In other words: This book has an extreme and subjective view of government and industry, and an American perspective. Its goal is often less to explain LikeWar than to decry its effects on US geopolitical dominance. We have a million Cleared individuals in the US. Are we really built on notions of transparency? This would have been worth examining, but it does not fit with the tenor of the authors' work here.

The book does bring humor to its subject though, and many of the stories within are fleshed out beyond what even someone who lived through them would remember, such as a detailed view of AOL's early attempts to censor the Internet:

Highlight (yellow) - Location 4203

AOL recognized two truths that every web company would
eventually confront. The first was that the internet was a teeming
hive of scum and villainy.

Missing in Action

That said, anyone who lived through any of the pieces of this book will find lots missing. Unnoticed is the outsized role of actual hackers in the stories that fill this book. It's not a coincidence where w00w00 or Mendax ended up, although it goes unmentioned. And the role of porn and alternative websites is barely touched upon. How the credit card companies have controlled Fetlife would be right in line with what this book should cover, yet I doubt the authors have heard of FL (or for that matter could name the members of w00w00). Nor is Imgur mentioned. It's also not recognized that the same social network the intelligence community uses to publish their policies (Tumblr) is 90% used for browsing pornography.

Clay Shirky, the first real researcher into this topic, who gets one mention in the book (iirc), pointed out that whenever you create a social network of any kind, it becomes a dating site. This is one of those axioms that can produce predictive effects on the subject matter at hand. Sociology itself has been revolutionized by the advent of big data from Big Dating. The very shape of human society has changed, as the spread of STDs has pointed out. And the shape of society changes War, so this book could be illustrating it.

At its most basic, examining social networks involves looking for network effects - the same thing that drives most dating sites to create fake profiles and bots so they can convince people to pay for their service. These are primal features of the big networks - how to get big and stay big. As Facebook loses relevance, Instagram gains it, and as Instagram loses it... we didn't see any of this sweep in the book. Some topics were too dirty, perhaps?

Conclusion


Like many books coming out, this book is a reflexive reaction to the 2016 election and nowhere is that more evident than in the conclusion.

Some statements are impossible to justify:
Highlight (yellow) - Location 4488

Like them or hate them, the majority of today’s most
prominent social media companies and voices will
continue to play a crucial role in public life for years to come.
Other statements are bizarre calls for a global or at least American censorship regime:

Highlight (yellow) - Location 4577

In a democracy, you have a right to your opinion, but no
right to be celebrated for an ugly, hateful opinion, especially
if you’ve spread lie after lie.
The following paragraph is not really true, but also telling:
Highlight (yellow) - Location 4621

Of the major social media companies, Reddit is the only one that preserved the known fake Russian accounts for public examination. By wiping clean this crucial evidence, the firms are doing the digital equivalent of bringing a vacuum cleaner to the scene of a crime. They are not just preventing

The authors, like many people, see the big social networks as criminal conspirators, responsible for a host of social ills. But for the past generations we have "Taught the Controversy" when it comes to evolution in our schools and it's hard to be confused as to why the population finds it hard to verify facts.

Instead of trying to adjust our government and society to technological change, we've tried to stymie it. Why romanticize the past, which was governed by Network News, the least trustworthy arbiters of Truth possible? We've moved beyond the TV age into the Internet age, and this book is a mournful paean to the old gods, rightfully toppled by disintermediation.

Still worth a read though.

Tuesday, October 2, 2018

"Own your data"

In today's edition of "trying to figure out what things in the cyber policy world really mean" I want to highlight this extremely insightful thread on "Owning your data".


Obviously you're never going to get AccessNow and FS-ISAC or any other group to agree on what that means. But sometimes it's worth noting that a particular term one of the policy groups is pushing doesn't really mean anything at all, or (as in the case of "Surveillance software") encompasses a lot more than they want you to think it does.

Friday, September 28, 2018

Forecasting vs Policy Work

No castle in Game of Thrones is complete without an extremely accurate map room! Apparently satellite imagery was available to all at a good price point.


Like many people in the business I'm a fan of the work of "StratFor", which is an ex-spook shop that does what they call "Strategic Forecasting" of geopolitical change. If you read their work carefully, a large amount of their methodology is an attempt to avoid a bias towards assuming that national or political leaders matter. 

If you just assume that every country has a set of resources and goals, and that it will act in its best interests, regardless as to who gets voted President, then over a long enough term you have a much better chance of making accurate predictions, is their play. 

It's an attempt to discover and analyze the emergent behavior inherent in the system, as opposed to getting caught up doing game theory and Monte Carlo simulations until the end of time. Using this mindset produces vastly different results from most predictive methods, and the cyber tilt on the playing field is notable. Early StratFor predictions used fundamentals such as the aging population or shrinking workforces in various countries, and indicated they would need to vastly increase unskilled labor pools by importing workers, but of course, modern predictions look at this as a gap automation will fill.

But you can still look at the fundamentals - what resources do countries have, what are their geopolitical strengths and weaknesses and how will they be able to maintain their position using their resources. Geopolitical positioning has been altered by the Internet, of course, as everything has. And a large internet company is its own kind of resource. 

This is why when a paper comes out saying that Germany will have a strong VEP leaning towards disclosure any decent forecaster is going to look at that as an oddity. We are now, and have been for a long time, in a great-powers competition meta. Germany needs to ramp up as soon as possible on both its defensive and offensive capabilities. The real question is how close it gets to the 5EYES in order to do so. You can make these predictions without looking at all at who's in charge, or what the politics are.

The one hole, of course, that seems obvious in retrospect, is that non-state actors are vastly more important than any Westeros map can capture. Everyone asks about the Cyber-9/11 and then goes on to talk about Russia and China as if it was a Taliban plot to hit the WTC. In other words, we may be looking in the wrong direction entirely.

Tuesday, September 18, 2018

Equities issues are collectives

One of the great differences between people who've dealt with exploits their whole lives and people who are in the national security policy space just starting with exploits is the concept of an exploit being a singular thing. If you've tried to hack into a lot of networks, you generally view your capabilities as a probabilistic function. The concept of making a one-by-one decision on how releasing any particular vulnerability to the vendor would affect your future SIGINT is an insane one since the equities issues are a "collective" noun.

LINK (This equities issue argument made here about the Trump admin declassifying FBI texts is familiar to those of us who follow the VEP)

As you can see above the "presumption of public disclosure" line feels almost stolen directly out of one of Stanford or Belfer's VEP papers.