Category Archives: cyber war

Originally a fictional story on cyber war that parallels the hacking events surrounding Google and China in early 2010. Now contains newer commentary on current events.

Source Content

27 Wednesday Mar 2019

Posted by in cyber war, Novel

Leave a comment

Tags

, , ,

Cyber War

I wrote Cyber War I because there was no good fictional content on cyberwar.  Not really.  The first cyberwar story I know was when Clifford Stoll wrote the non-fiction The Cuckoo’s Egg in 1989.  He tracked a spy and wrote about it in first person.  

I was junior in something at IBM at the time.  Can’t recall if I was in data networking, let alone security yet.  My tech career vector has been data networking with a useful understanding of network operating systems, which somehow led to IT systems architecture, back to network, then to security, where I remain stuck.

That tech career vector is what has formed my desires for the better-than-text-book content that can only be delivered with fiction.  Those needs did not go unsatisfied, not by me.  There is other good non-fiction, although mostly cybercrime instead of cyberwar.  You know the difference, right?  “There’s money in cybercrime, but cyberwar will get you killed.”

Read Joseph Menn tell his Fatal System Error story on Barrett Lyon, the Mafia, and Russia.  Or read Kevin Poulsen turn some clever hacker into a super protagonist out to save the world in Kingpin.  Trust me, there’s some non-fiction out there that sets the bar high for fiction.

What I did differently in the blog book-cover photo is it’s literally the front cover, spine, and back cover jpeg of my paperback edition.  After creating the jpeg above, I leveraged the KDP cover-creating publishing tool to add some text to the back cover, and it added the barcode programagically.  What I could not do was move or adjust the text box window, so I hit the return key until I was half way down the page, in order to begin my text on the lower half of the back-cover page.

If you want to be blown away by non-fictional cyberwar, read Malcom Nance’s The Plot to Hack America.  The writing is of course very good, but talk about prescient.  Macolm published it in September of 2016 – before Trump was elected.  You might not believe his story personally, but my point is that it serves as the original source of content for everything about the topic since.

I’ve also shared with you some of my source content that I read around the time of writing the sequel to Cyber War I, Full Spectrum Cyberwar.  That link is to GoodReads, which allowed me to post my unique perspective of the entire book cover.  From there, you can click on the link to buy my book from Amazon – ebook or paperback.  While you’re at Amazon, look for a link in my author page that takes you back to this blog.  If enough of us click through that loop, excessively, I’m wondering if that wouldn’t create an internet looping vortex with enough force to possibly tear a seam into the very fabric of cyberspace itself.  There’s only one way to find out.  Experimentation.

By now, you’ve guessed that this post is pure marketing.  That doesn’t change the fact that you’re still reading and I’m still pitching.  My expectation is for anyone who is my friend on GoodReads to spend $3 on my ebook, read it, and give me a review.  The way reviews work, I probably don’t need overwhelmingly positive  feedback as much as I just need volume.  

Hopefully, GoodReads will sort the best reviews at the top.  So go on, click on that link.  Worse thing that could happen is we take GoodReads down with a massive Distributed Denial of Service attack.

The Sequel

21 Thursday Mar 2019

Posted by in cyber war, Novel

Leave a comment

Tags

Full Spectrum Cyberwar ebook Cover

For those of you who haven’t read a good tech thriller in over two years, because it’s been that long since I published Cyber War I, your wait is over.  I published the sequel last night, an ebook version of Full Spectrum Cyberwar on Amazon (₹99 in India) (£2.27 in UK).  The print version is coming soon, once I recover from the tedium of having formatted an ebook and feel up to the task of formatting print.  Self-publishing is not as glamorous as it sounds.

A year after Cyber War I made Robert Warner a celebrity in his field of cybersecurity forensics, he’s ready to cash it all in and retire young, with the sale of his software firm to a conglomerate for over $100 million.  He’s two weeks away from starting the next chapter of his life living large in a Colorado resort community.  He just has one more business trip to complete, an international assignment to pen test a wind farm in the North Sea.

Rob turns over one too many stones and finds himself the target of Fancy Bear, the infamous Russian military hacking organization.  It’s Rob’s nature to dig deeper, to solve the crime.  Instead, he’s forced to play defense, to protect the welfare of his employees, his wife, and himself.  If he can survive a chase through Europe, he can complete the transaction to sell his software firm and retire wealthy.

Full Spectrum Cyberwar exposes the real-world activities of the Russian GRU as they conduct hybrid warfare on their European neighbors in this gripping sequel to Cyber War I.  U.S. CyberCom attempts to confront the Russians with a forward defense strategy that escalates well beyond Major Calvert’s control.  In Full Spectrum Cyberwar, the battlefield extends beyond the keyboard.  Lives are on the line in this relentless exchange of one-upmanship between nation states as they battle for dominance over geopolitical assets.

I know you’re not reading anything else right now, or you wouldn’t be on the Internet reading blogs.  Download my book and give me what I need – reviews!

Cyan

10 Sunday Mar 2019

Posted by in cyber war, Novel

2 Comments

Tags

 

13536634 - pretty futuristic cyber girl posing over dark background

And now, for something completely different.

My first two books were on cyberwar.  Book one was intended to serve as a tech primer of sorts, to explain cybersecurity concepts in a fictional story.  Iran was the adversary.  Book two, which I’ll publish in the next few weeks, focuses on explaining the concepts of hybrid warfare, with Russians as the bad guys.  Book three will pivot toward cyber terrorism, where the motives become murkier.

I won’t be able to reference cyberwar in the title.  That’s fine.  I already have a working title for my draft manuscript, Cyan, the name of the story’s heroine.  This graphic is her.  I’ve licensed it and might use it for the book cover.

Shifting the content focus from cyberwar to cyber terrorism isn’t the only turning point in my writing.  The genre will evolve from a tech thriller to cyberpunk – a derivative of science fiction.  Twenty years into the future, I’ll be able to take more liberties with technology – the focus of which will be on virtual and augmented reality.

I completed the first chapter this weekend.  I would tell you that I started the story in January, but really, I’ve been planning before I finished book two, Full Spectrum Cyberwar.  I fleshed out a character in that story who wasn’t even born yet by the end.  How’s that for foreshadowing?  Obviously, Cyan will be twenty years old in this 3rd book.

I expect to have fun working in a new genre.  I know that my writing improved dramatically between books one and two, but I’m already somewhat bored with the conventions of a tech thriller.  Writing in a new genre should continue my growth on the skills curve while keeping the exercise fun and interesting.  Of course, just continuing writing is the most important thing.  Repetition is the key to learning.  Let me say that again, repetition is the key to learning.

With the inherent ability of cyberpunk to take more liberties with reality, I hope to put more focus on character development.  And structurally, I’m improving on my outlining.  There are two types of writers, plotters and pantsers.  I wrote the first two books more by the seat of my pants than from outline.  I started them before I knew how they would end.  Although strangely, in Full Spectrum Cyberwar, I wrote the beginning after the end.  For Cyan, I have the first half of the book fully outlined.  I still don’t know the end, but then neither do you.  Stay tuned.

 

The End

24 Saturday Nov 2018

Posted by in cyber war, Novel

Leave a comment

Tags

,

Cyber War

Just finished the first draft of my second novel.  I haven’t named the title yet but I’ve been calling the draft Cyber War II since it’s a sequel to the first book.  I already licensed the graphic above for the cover.  Nothing says cyberwar more than computer mice dressed up as tanks.

Once again, Thanksgiving week plays a special role in the timing of my writing.  Two years ago, I took off the entire week to self publish my novel.  I’m on a slower schedule this time around, taking two full years to get to a first draft, whereas I completed writing the first book in six months, then edited and published two months later.  Still, this week plays a productive role in my personal storyline.

For those of you who served as beta readers the first time around, I promise you, this first draft is much more readable.  I’ve developed my skills.  I can tell it isn’t finished yet though.  It’s 40,000 words less than my first novel, 10,000 too short.  There really aren’t rules on this but the convention for a tech thriller is to be between 70,000 and 100,000 words.  This draft is at 60,000.

No doubt, it could use another 10,000 words worth of character development.  I’ll take feedback from friends on that.  I developed some new characters that I actually plan to use for my third novel.  It’s not exactly a trilogy, but the 3rd book will be 20 years in the future, using the more youthful characters from this story, and will be in the cyber punk genre.  Always thinking ahead.

I know that I improved my writing in one specific area for this book.  My biggest criticism from the first book was that it was way, way too technical.  That I should consider writing for people who enjoy reading user manuals.  Fair enough.  Not that I shied away from writing another primer on cyberwar, but I’ve employed a number of tricks to make the learning more digestible.

Despite my confidence on improving in that area, I find it impossible to know if I’ve written a good story or not.  I’m too close to it.  I’m certain Stephen King never scared himself with his own novels.  I’ll find some help on that.  I’m targeting completion of a second draft by end of winter, seek out my ‘ole editor, and maybe publish in the spring.

The Cyphers

02 Saturday Jun 2018

Posted by in cyber war, Novel

1 Comment

Tags

,

steganogrphy

I belong to a covert writing club.  We publish on the deep web.  Like using steganography.  I probably shouldn’t say anything more.  It started from a private invite.  We publish privately to promote creativity.

If any of this sounds illicit to you, let me define terms.  The dark net is where people conduct nefarious transactions.  Dark net sites are generally also part of the deep web, but the deep web is not inherently bad.  It’s simply web sites that have not been indexed by search engines or otherwise have their access obscured.  The metaphor is of an iceberg.  We use the Internet that’s been indexed for queries.  That’s the tip of the iceberg.  The vast majority of the web is not visible to us, like the deeply submerged section of the iceberg.

This started out as a way for us to hone our craft.  It’s also a good method to draft snippets of dialogue for later regurgitation in other works – for me, my novel.  I’m considering submitting my current writing for review, sort of like the conventional writer’s discussion group.

I’m relating this under my novel category because I think it’s a novel approach (forgive the pun) for writers to practice their craft.  Your contributions can be easily copy/pasted years into the future into derivative works.  A post today by one of the other writers spoke to me so directly, it felt unnatural.  Like the narrator had a Gods-eye view into my life.  That’s impressive writing that does that.  Not only will I benefit from the writing exercise, but I expect to read some really good stories, exclusive to my private group.

 

Dmitri and the Wallet

14 Thursday Sep 2017

Posted by in cyber war, Novel

Leave a comment

Tags

, , ,

DmitriHow big is your wallet?  Look at the objects on this tabletop.  I bet your wallet is not as big as Dmitri’s is.  I don’t really know his name.  Like any other guy, I was minding my own business in the hotel lobby when I was engulfed by a gaggle of techies attending some international conference for the betterment of humanity.  This guy sits in front of me, blocking my view of equally attractive people, and proceeds to pull out his wallet. Seemingly to make room for, not just one, but two smart phones.

To his credit, he used both mobiles at the same time.  Possibly dueling the same issue that was so important to him that he worked it while his comrades drank voraciously nearby.  Sounded more to me though that he was working some tech issue with skilled subject matter experts on the one phone, to the point he could set it down occasionally, while he yelled at the Help Desk on the other.  The wallet, despite serving as a focal point to at least me, was lost in all this performance art.

If you think it’s bad how I’m making fun of this guy, you should consider how much worse it is for me to take a photo of a complete, non-celebrity stranger, and post it online.  I don’t care.  This guy has earned a role as a European hacker in my pending novel.

Weeping Angel

08 Wednesday Mar 2017

Posted by in cyber war

Leave a comment

Tags

, , , ,

Bethesda_angel_cloudy_jeh

Any Doctor Who fans?  If so, you should appreciate the reference to the weeping angels from that show, and perhaps understand why this is such a clever name for an exploit kit to hack into Samsung TVs considering how the CIA uses it in collaboration with MI5 – or the Brits.

I’m referring of course to this week’s data dump of classified CIA material on their hacking program, actually their toolkits, by WikiLeaks.  Much of the news hovers around the ethical concerns of the CIA hacking into American citizens’ Internet-connected Samsung TV sets to listen in to their conversations or track what shows they watch.  Or the issue of them not sharing exploits with vendors.  I’m not interested in that.  It’s all inference anyway.  All we really know is the software programs they use, in conjunction with other European agencies, to electronically eavesdrop.  Personally, I’d be disappointed in them if they didn’t have some cool capabilities like this.

I might be more technical in this area than you, but to let you know, I’m not really all that savvy on how these exploits work.  Which is why I think you might find my take-away from this event interesting.  You should be able to identify with my high-level understanding.  Understand it is really quite possible for a hacker to eavesdrop on your conversations, to hack into your iPhone, to capture your sensitive WhatsApp texts before they are encrypted.  For Pete’s sake, last week’s news was about two million internet-connected teddy bears, from Spiral Toy’s CloudPets, making their customers’ conversations available online.  The point isn’t that the CIA uses these tools, it’s that anyone can use these tools.  It’s that these tools exist.  There is no assurance of data privacy.

In Cyber War I, I explain to readers about how ransomware works and to be aware.  I give some technical details on several aspects of hacking and cybercrime.  I intend to go deeper and explore other dangers in my sequel.  I hope you enjoy this information; I’ll try to blog more on these topics.

If you’re looking for assurances, there aren’t very many.  For online protection for when you don’t mind the inconvenience and are uber concerned on protection, consider employing two-factor authentication.  At least on financial sites.  This is typically a process of logging into a site with your password (something you know), and a passcode that gets sent to your phone (something you have) during the login process.  More and more sites are adopting this, but leave it to you to use it.  It probably won’t be available on your TV any time soon.

Ransomware

29 Tuesday Nov 2016

Posted by in cyber war, Novel

2 Comments

Tags

sf-ransomware-attack

This week’s ransomware attack against San Francisco’s Municipal Transportation Agency underscores just how real the events in my Cyber War I novel are.  My soon-to-be-released story is fictional of course, but I didn’t make this stuff up. These attacks I describe are literally off the front pages.  This attack requested 100 bitcoin, roughly $70,000, to free their ticketing systems.

I mirror another true story from last year where a hospital was attacked, requesting a similar ransom.  My story details this attack vector and how you might recover from an attack.  Hint, backup your system, preferably offsite.  While farfetched, you might even get lucky and find your files still unencrypted in your trash bin.  It doesn’t hurt to look.

Hope you appreciate this small computer security primer.  It’s really a thinly-veiled attempt at self-promotion for my book.  I’m in the marketing phase of book writing and publication.  If I were serious about it, I’d have started marketing more aggressively months earlier.  And I’m too cheap, or just not committed enough, to drop 100s if not 1000s of dollars into book promotion – so I am leveraging my blog.  Hoping my book will be available by end of week.

Cyber Terrorism

24 Thursday Mar 2016

Posted by in cyber war

Leave a comment

Tags

,

iStock cyber warfare

The Department of Justice announced charges against seven Iranian hackers today for launching cyber attacks against the U.S. financial system and a dam in New York.  There is no question, these events were malicious cyber attacks.  But when is it cyber crime and when is it cyber war?  Apparently, sometimes never.  Loretta Lynch is calling this cyber terrorism, because also this week the Justice Department announced they have changed their approach and now treat nation-state affiliated hacking attacks like terrorism threats.

Lest you think everything is now clear, in the same statement, Loretta said, “In unsealing this indictment, the Department of Justice is sending a powerful message: that we will not allow any individual, group, or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market,”  Really?  How powerful!  I imagine then the State Department, in coordination with the Department of Justice, will now approve travel visas for these seven terrorists so that we might possibly arrest them after stepping onto U.S. soil.

Here’s my disconnect.  I understand terrorism to be used to classify harmful acts that are attributed to stateless warriors.  The circumstances around terrorism differ from crime and war such that we have this third category of aggression.  Hence, we have tribunals in Gitmo.  I sort of understand it.  Cyber Security experts have coined unique terms for hacking to categorize attacks as militaristic or criminal.  Fairly intuitive.  War is when we’re attacked by a government-attached army and crime is when we’re attacked by a civilian.  I would then think that cyber terrorism is when we’re attacked by a stateless army, but I’m wrong.  It means when we are attacked by real countries, namely China and Iran, but electronically rather than by arms.  Maybe there is additional criteria, such as the attack is against a corporation or citizen rather than against our military?

So if Iran blows up Wall Street, that’s war.  If Iran only electronically implodes Wall Street, then that is terrorism by the individuals working for the Iranian government.  Not sure how to classify the dam attack.  We need to stop pussy-footing around and call it what it is.  Cyber War!

Going Dark

25 Thursday Feb 2016

Posted by in cyber war, Geek Horror, Running

1 Comment

Tags

, , , , , , ,

scytale 2

FBI Director James Comey testified to Congress today that encryption will end law enforcement’s ability to perform their job.  He suggests that the FBI’s primary tool is court orders to search for information, and he makes the general assumption that data is never accessible once encrypted.  To paraphrase, encryption leads to information “going dark” for the purpose of public safety.  As if encryption is game over for the FBI.  This reminds me of a famous quote (famous misquote actually as I don’t believe this is true) attributed to the Commissioner of U.S. Patent and Trademark office Charles Duell when he purportedly quipped, “Everything that can be invented has been invented.”  Comey seems like a decent guy but suggesting that the FBI requires clear text access to American’s data because the court order process is predicated on this is disingenuous.  The FBI has an obligation to keep up with technology.

I stated in my previous blog on this topic that cryptography and cryptanalysis have been playing a cat and mouse game throughout world history.  So let’s review that, because I believe government is obligated to defeat encryption technologically rather than by  eroding America’s privacy laws.  To be fair, I recognize they are currently playing catch-up.  Consider that cyber crime is nearly a half trillion dollar market.  Security products and services are well under $100B market.  Meaning we are applying $100B to the good side and cyber criminals are making $500B.  So I can sympathize with Comey.  The bad guys are winning.

Understand the etymology of these terms.  We began by covering up secrets.  For example, Histaiaeus, in the 5th century BC, wrote his message for Miletus to revolt against the Persian King on his messenger’s shaven head.  He then waited for his messenger’s hair to grow back before sending him on his way.  This was before instant messaging.  A similar technique was used in the latest version of Mad Max.  “Steganos” is Greek for “covered” while “graphein” is the Greek term “to write”, hence steganography means “covered writing.”  So steganography was the art of covering up a message.  It goes without saying, one didn’t necessarily have to be a rocket scientist to be a code breaker back in the day.

The art of secrecy evolved to hiding the meaning of the message, rather than simply covering up the message itself – with the understanding the message will likely be discovered eventually.  The Greek term for “hidden” is “kryptos”; hence we use the term “cryptography” which we now practice with encryption.  The picture above is of a 5th century Spartan Scytale that transposed the position of letters to hide the meaning of the otherwise open message.

Technology advanced and today one does have to be a rocket scientist to be a code breaker.  Bill Gates was quoted by Representative Bob Goodlatte (wonder if he owns shares in Starbucks?) in today’s Congressional Hearing as suggesting Quantum Computing will soon be powerful enough to break any encryption.  I don’t know about that but point is technology does eventually catch up in this cat and mouse game.  Consider the plight of Mary, Queen of Scots.

On trial for treason, her prosecutor, Sir Francis Walsingham was also England’s Spymaster.  Sir Walsingham first captured Mary’s correspondance, which she hid inside the hollow bungs that sealed barrels of beer.  This was steganography.  But Mary was clever and further used a cypher to hide the meaning of her correspondence.  Sir Walsingham engaged Thomas Phelippes to perform the requisite cryptanalysis and ultimately succeeded in proving Mary’s guilt.  The rest is history.  Point being, Cryptanalysis was on par with the cryptography of the time.  Fast forward to WWII where the British successfully decoded the German’s Enigma with the use of early computing technology.  So Bill Gates might actually know what he’s talking about.

I’m in the cyber security industry and agree with Comey that the bad guys are winning.  For now.  Still, I’m not willing to surrender any more rights to privacy than have already been suspended post 9-11.  Technology will catch up.

 

 

Secrets

23 Tuesday Feb 2016

Posted by in cyber war, Geek Horror

Leave a comment

Tags

, , ,

secret

I understand everyone believes there should be a balance between security and privacy.  Seems sensible.  Bill Gates came out today in favor of the FBI over Apple, but then he’s been making business decisions counter to consumer needs for decades.  I myself am so impassionately middle of the road on most topics that I wonder sometimes if I’m not actually dead.  It’s great when everyone can win a trophy but you cannot avoid the reality that there are winners and losers.  I believe the current Apple/FBI debate is one of those binary scenarios.  It’s as difficult for me as anyone else to plant my flag when I want both privacy and security.  The following example though helps clarify my position.

The 4th Amendment provides both privacy protection, and presents the guidelines for the State to void those privacies given reasonable cause.  Assuming proper due process, the State wins.  This is a nice template for balance, but it doesn’t stop there.  The 5th Amendment protects us from self incrimination.  “I plead the 5th.”  Taken together, people must allow the State entry into their home for a warranted and reasonable search of evidence of a crime.  However, people are not obligated to point out where they hid the evidence.  “Oh, it’s under the seat cushion.”

There are two centuries of legal precedent supporting these Amendments to where most of us are fairly knowledgeable of the rules, without being actual lawyers.  Let me dumb this discussion down though even further.  Let me use the term secrets instead of privacy.  We all have secrets.  Not just our banking PIN code but family history and deep, dark fantasies.  I know that there are things I would never consider telling anyone, and I’m about as transparent as a person can possibly be.  Have you read my prostate chronicles?  I might be wavering a bit from the core Apple/FBI topic since not all secrets necessarily contain criminal content, but I believe the principle points remain intact.  I’m allowed to have secrets.

I’m not even that strong of a privacy advocate.  See above on my middle of the roadness.  For example, I don’t consider privacy an inalienable right.  We were born naked in a garden, so God wasn’t that big on personal privacy either.  Clearly, there was very little personal privacy when we were living together as tribes in caves.  But like anyone else in western civilization, I’ve grown accustomed to certain privileges and I do want privacy.  Even if I didn’t, the information age ascribes so much value to data integrity that encryption is paramount to how our society and economy function.  It’s not until I substitute the word privacy with the word secret that I begin to understand where I fall on this topic. The State can try to search but I can try to hide.  Tell me I’m wrong on this.

Cryptography and cryptanalysis have been a cat and mouse game played throughout millennia.  Technology plays the lead role.  I understand that if the State can decrypt my communications, they already have legal justification to do so.  My information is only as safe as my encryption is strong.  But if they can’t decrypt my data, I don’t have to hand them the keys.  That’s like showing them the evidence is hidden under the seat cushion.  And they can’t outlaw encryption.  That’s like saying I can’t have secrets.  Who doesn’t have secrets?

A Bad Apple

17 Wednesday Feb 2016

Posted by in cyber war, Geek Horror, Politics

1 Comment

Tags

, ,

apple n worm

All you need to know in terms of Tim Cook vs the FBI is Donald Trump’s position on the matter.  Trump believes Apple is in the wrong and should be forced to provide the government with a backdoor hack into their iPhone.  Because he believes national security trumps personal privacy.  This is actually true – in China.  And Russia.  If you already take issue with this self-made celebrity, then you can assume Apple is right.

To be fair, and less political, personal privacy is a complex issue.  The U.S. Constitution references no protections for personal privacy.  The Bill of Rights however references numerous Amendments that allude to privacy.  Privacy of beliefs, privacy in your home, privacy of person and possessions against unreasonable search and seizure.  I think the list goes on but I’m not a lawyer and can’t defend any of them.  I do know Americans expect a certain degree of privacy and the government has the authority and corresponding legal process to transcend our privacy given sufficient warrant.  In this case, the FBI is leveraging the All Writs Act to demand that Apple engineer a new IOS version that disables the feature that would wipe the iPhone data after 10 unsuccessful login attempts.  This would allow the FBI to subsequently hack into the iPhone with a brute force password attack.

Precedent is set that allows the government to do this.  Shoot, there is even a recent case where the U.S. Attorney’s Office forced another smart phone manufacturer to unlock a screenlock.  But Apple is refusing to comply.  Tim Cook wrote an open letter explaining why.  He frames his argument from his customers’ perspective.  But just think about the consequences for his company.  Apple is being forced to weaken their product in a global market and their competitors are not being forced to do this.  They will immediately be at a competitive disadvantage in a global market for their most successful product.  Game over for the iPhone.

And recall, corporations are deemed people by the Supreme Court.  Apple will have all of the same assurances to privacy, to protection from self incrimination, to a right to earn a living.  They have every right to do business as any American as an individual.  They have the resources and will win this battle.

Why is it so hard to take a position on personal privacy vs State security?  The State has laws and legal precedent allowing them to violate your personal privacy.  We have laws and legal precedent allowing us to refuse, assuming we have the financial resources to fight.  But encryption just sort of breaks everything.  Encryption means, even if the government gets their way, they might not be technically able to have their way.  You can’t hand them the keys to your data if you’re dead.  Encryption puts the government in a real pickle.

This will be the data privacy fight of the new millennium.  This will be good.

Cross Border Data Flow

06 Tuesday Oct 2015

Posted by in cyber war, Geek Horror

4 Comments

education-ukeulitigation

The U.S. completed their Trans-Pacific Partnership Trade Deal yesterday.  If signed by Congress, this will lower trade barriers to the import and export of physical goods.  How quaint in the Information Age.  Today, the European Union Court of Justice declared the U.S. Safe Harbor policy for demonstrating compliance with the EU Directive for Data Privacy to be invalid.  EU 1 : Pacific Rim 0.

I don’t know of the availability of any stats that show the value of global trade in information vs physical goods bought and sold, but I’m willing to guess data is at least more strategic if not already more valuable.  Explaining the details of the EU Data Privacy Directive, Safe Harbor, and this new ruling isn’t my objective here.  Much of it is very legal in nature and over my head.  My goal with my cyber security series is to offer a basic primer on topics I deem of interest.  At issue here is data privacy, specifically personally identifiable data or PI.

My 13 year old daughter is uncomfortable with the notion that data can never be fully erased with any certainty.  I don’t know why or how she developed this very specific concern, likely something to do with the proliferation of online photos.  She is totally aware of the EU’s Right to be Forgotten ruling wherein citizens can demand their online references be deleted by digital firms such as Google and Facebook.  Understand that the EU considers personal privacy to be a basic human right.

The irony here is in the arrogance of any U.S. citizens who think we invented personal privacy.  Indeed, the 4th Amendment of the U.S. Constitution states that, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”  Or stated more plainly, “Each man’s home is his castle.”  Well that was written over 200 years ago.  Post-911, the U.S. has conceded leadership on the personal privacy front to Europe.

I probably shouldn’t reveal what I really think because I suspect I’m on the wrong side of history here, but I will.  I don’t believe in personal privacy.  I want it to a degree but I certainly don’t think of it as a basic human right.  I can assure you there was little to no personal privacy when humans were living in caves.  Were Adam and Eve not born naked?  And yet I do like the 4th Amendment.  I believe we need a balance between personal privacy and the benefits that the sharing of personal information ascribes to a society – like security.  An example of that is the Patriot Act.  This latest EU ruling impacts a more commercial benefit, such as advertising.

I don’t think I’m alone on this one.  Anyone reading this is online and therefore highly likely also surrendering a large degree of their personal data privacy to social networks.  You’ve probably granted Facebook complete digital rights to more family photos than your parents ever collected in photo albums.  There are benefits to sharing.  And I don’t believe we ever, ever had complete personal privacy; so I don’t think of it as a basic human right.  No man is an island.  In the end, I imagine personal data privacy will be determined more by technological capabilities than regulation.  Your data is only as secure as your encryption.  I’m interested in comments.

BYOE

04 Wednesday Mar 2015

Posted by in cyber war, Geek Horror, Politics

5 Comments

Tags

, , , ,

email chainI’m not sure whether to file this one under Cyber War or Geek Horror.  The subject matter fits under Cyber War.  My goal with cyber war is to discuss topics of interest while sneaking in a bit of a computer security primer for friends and family.  But Hillary’s Bring Your Own Email to work story also smacks of tech gone horribly wrong.  And I don’t have enough stories in that genre.  I’ll classify this under both categories.

Hillary has yet to respond so it’s premature for me to comment, but this is a blog.  She might surprise us by stating other reasons once she does respond, but the general consensus at this point in time is that the Clintons are private people (no really, everyone is saying this on the air about the most public figures in America) and they have lessons learned from their share of lawsuits and subpoenas.  So I don’t question Hillary’s desire to set up an email server at home before beginning her tenure as Secretary of State to maintain a degree of privacy.  In fact, and I’m still struggling to digest this, it’s common practice for high-level politicos.  Apparently there’s a strong market for consultants to set up personal email servers for public figures.

I can even relate to Hillary, and so can you.  Does your employer support BYOD in the workplace?  You know, Bring Your Own Device to work?  Mine does.  If they didn’t, they would have to buy 450,000 $500 smart phones for us all.  Do the math on that.  This is a real trend.  You use your personal iPhone to access your company email.  You use your iPad to access company databases while sitting on your couch and also drafting your fantasy football team.  The tradeoff is that you install your company’s computing policy onto your phone.  That sets configuration specs such as the complexity of your password and how often you have to change it.  And we’re as okay with this as we are with granting Facebook complete copyright to our family photo library.

Do you think Hillary complied with State Department computing policies on her home email server?  The discussion to date is about her operating within the guidelines (at the time) of leveraging a personal email account for official business.  My point is there is so much more to comply with.  All of us working from home at the remote end of a VPN tunnel understand that we’re the weak link in the corporate security chain.  We have family members accessing our keyboard.  We allow guests on our wifi.  Shoot, I use my personal MacBook Pro as my primary work computer.  I also sacrifice half my CPU utilization to my company’s AV and computing policy auditing software.  Some people use their work computer to host their personal pictures, play their music, and send personal email.  I prefer to subject my personal MacBook Pro to crippling corporate security and compliance software in order to use a single device.  Before that, I used two devices.

No one is talking about this yet but my concern is that Hillary did none of this.  Maybe she ran AV software.  Well of course she did.  Computers don’t run for very long if you don’t.  Point is, how would we know?  How would the State Department I/T staff know?  And AV is just one small example.  There are many essential security practices that must be followed.  Once that home email server is compromised, it can then email malware to heads of state!  I’m trying to remain optimistic.  Maybe this server was supported by a special team of State Department I/T staff.  That’s not unusual at all for C-levels at large corporations.  But stories like this remind us not to be surprised when common sense is ignored by people who should know better.  Lost in this week’s news, General David Patraeus reached a plea agreement for sharing extremely confidential information with his biographer/lover.  Trust no one.

Anthem

06 Friday Feb 2015

Posted by in cyber war

2 Comments

Tags

, , , ,

Anthem logoAnthem has no shortage of registered trademarks.  If you’re not familiar with them, before yesterday’s announced breech of 80 million personal records, you might know them as BlueCross BlueShield.  Or WellPoint, which they recently acquired.  What do you suppose their brand logo will be worth three months from now?  The prevailing consensus after every corporate breech is that the company’s equity value will dive.  Oftentimes it does.  Usually though for far much less than twelve months, and then it recovers.  Target was an exception, not because customers remember the compromise of their credit card data, but for their fundamentals and managerial fubars.  Rather than pilot a few outlets in Canada, they went all-in.  And failed.  Spectacularly.  I have this sense that Anthem might be the first to not recover their brand from a cyber attack.  I suspect I might feel this way because I’m pissed.  They stored my records.  Unencrypted!  Freakin’ idiots!

I’m not being mean.  Anthem is negligent in their compliance to the Health Insurance Portability and Accountability Act (HIPAA).  This isn’t some newly erected Obama healthcare thing.  This regulation is nearly twenty years old.  The guidelines for Protected Healthcare Information (PHI) include much of what is considered Personally Identifiable Information (PII), which in turn includes social security numbers.  I was tempted there to include the abbreviation for social security numbers but understand I’ve already drowned you in alphabet soup.  The government might only fine Anthem a few million dollars, but I have to believe a class action lawsuit should be expected.

On a more constructive, non-litigious note, what should we do about this?  The best advice I’ve seen so far is to place a security freeze on my credit reports with the three major players, Equifax, Experian and TransUnion.  Of course, dealing with these firms has got to be painful.  Placing a security freeze on my credit reports is essentially what LifeLock does.  Having just completed feezing my reports on all three online, I’m not sure I would mind paying LifeLock $19.99 per month.  The process actually went quite well with Experian and TransUnion.  A few minutes per site.  Equifax though did not print out my pin code which I will need to remove the freeze when I need access to my credit reports.  And trust me, contacting them is virtually impossible.  With that said, their customer service number is 800-829-4577 and their direct security freeze number is 888-298-0045.  These are non automated, real person answers the phone numbers.  I finally got through and was able to get a pin.  The websites to freeze your credit reports are:

Equifax  https://www.freeze.equifax.com/

Experian:  https://www.experian.com/freeze/center.html

TransUnion:  http://www.transunion.com/securityfreeze

I think it was free for me to place these freezes.  This varies per state.  I suspect it will cost me $10 or so to remove the freeze.  Maybe not but there is a temporary removal called a lift that will likely cost money.  There is an option to mail them a letter describing myself a victim of the Anthem breech that would waive any fees.  I don’t have the patience for that.  Wish me luck with this.  And if you’re one of the 80 million, good luck to you.