Readings: Knightmare, Ulbricht Convicted, Franklin on Vaccinations

Doug Seven: Knightmare: A DevOps Cautionary Tale – “This is the story of how a company with nearly $400 million in assets went bankrupt in 45-minutes because of a failed deployment.” – I remember watching Knight explode in real time, had never heard the actual story. This is amazing. A great, and relatively short, post.

Wired: Silk Road Mastermind Ross Ulbricht Convicted of All 7 Charges – “Ulbricht faces a minimum of 30 years in prison; the maximum is life.” – No surprise. Defense was firing on half a cylinder, jury was confused and weakly led. May post about the path they should’ve taken soon.

Vox: Benjamin Franklin had the perfect response to anti-vaxxers back in the 18th century

In 1736 I lost one of my sons, a fine boy of four years old, by the small-pox, taken in the common way. I long regretted bitterly, and still regret that I had not given it to him by inoculation. This I mention for the sake of parents who omit that operation, on the supposition that they should never forgive themselves if the child died under it; my example showing that the regret may be the same either way, and that, therefore, the safer should be chosen.

Readings: Silk Road shenanigans, Great Firewall, Marriott backdown, Bitcoin in Britain, Google bug

Ars Technica: Defense bombshell in Silk Road trial: Mt. Gox owner “set up” Ulbricht – “In just over an hour of staccato cross-examination, Dratel’s strategy became clear: he was going to pursue a line of questioning suggesting that the man who really controlled Silk Road wasn’t his young client, but Mark Karpeles, the wealthy former owner of the Mt. Gox Bitcoin exchange.” – This is some serious tinfoil. I’d love to know the evidence behind it beyond “well, he knows bitcoin.”

Ars Technica: Behind the Great Firewall: using my laptop and phone in China – “I’m doing one of the biggest trips of my life using a four-year-old cell phone and a discontinued laptop that I hate. There’s a technology angle to traveling these days, and going to Shanghai has really complicated that situation.” – Interesting operational suggestions…worth doing in the US now too? Maybe.

Engadget: Marriott no longer wants to block guests’ WiFi devicesGlad to hear it.

Motherboard: The Struggle Between Bitcoin Traders and British Banks – “In each of these cases, the customer identified the buying and selling of Bitcoin as the only change in how they were using their bank accounts.” – Appears to be happening a bit in the US as well: bitcoin traders having their bank accounts abruptly closed. Given that bitcoin isn’t illegal, the question becomes: backdoor government pressure to marginalize bitcoin, or industry decision? Both?

Engadget: Why Google won’t fix a security bug in almost a billion Android phones – “Rafay Baloch, an independent researcher, and Joe Vennix, an engineer at Rapid7 (a security and data analytics firm) found a serious bug in the WebView component of Android 4.3 and below. It’s an older bit of software that lets apps view webpages without launching a separate app, and the bug in question potentially opens up affected phones to malicious hackers. Android 4.4 and 5.0 are unaffected by the bug, but as 60 percent of Android users — that’s close to a billion people — still use Android 4.3 or lower, it still affects a lot of people.” – Troubling.

Readings: Cheap USB Keylogger, Ridiculous Reasons to Call 911, Charlie Hebdo’s Legacy

Ars Technica: Meet KeySweeper, the $10 USB charger that steals MS keyboard strokes – “KeySweeper is the brainchild of Samy Kamkar, a hacker who has a track record of devising clever exploits that are off the beaten path. The namesake of the Samy worm that inadvertently knocked MySpace out of commission in 2005, Kamkar has concocted drones that seek out and hack other drones and devised exploits that use Google Streetview and Google Wi-Fi location data to stalk targets. His hacks underscore the darker side of the connected world that makes it possible for bad guys to monitor our most private communications and everyday comings and goings.”

CBC: Worst 911 calls of 2014, from B.C.’s E-CommAs a former 911 dispatcher of ten years or so, I can sympathize. And as silly as they seem to be I believe them.

From a French leftist and longtime Hebdo reader, via @michaeldweiss:

B7F7x1LCMAAuT7q

Readings: Dreams, Dresses, Petraeus, Twitter, North Korea

via Morgan Housel:

dream

Well, I’m glad that’s finally settled.

Verge: Prosecutors recommend felony charges against General Petraeus for email leak – “Today, The New York Times is reporting that the FBI and Justice Department have recommended felony charges against the General for leaking classified information to his mistress, Paula Broadwell. Petraeus hasn’t commented on the charges, but has apparently told the Justice Department that he has no interest in a plea deal.” – This’ll be fascinating to watch, if it happens.

Lifehacker: Falcon Pro Returns to the Play Store with Columns, Multi-Account, More - Pretty terrible relaunch. Given that they stopped supporting the original Falcon Pro app, charge for extra features and the app itself doesn’t seem to be working all that well, I’m going to avoid this one. Reviews in the Play store are abysmal. A shame. I loved the original.

Ars Technica: FBI Director says Sony hackers “got sloppy,” exposed North Korea connectionSo an easily engineered false lead is their strongest evidence? Huh. Also – Comey takes the moment to fire shots at device encryption, signaling a renewed war by the government on secure communications.

via Theremina:

Meet the Robotic Spider Dress. Techno Couture from Anouk Wipprecht, a dress with insect-like robotic limbs which react to the proximity of others.

dress

Sony Hack, attack on North Korea and the Attribution Problem

I’m wrapping myself in all sorts of tinfoil lately.

A whole lot’s been made of North Korea undergoing a Distributed Denial of Service attack yesterday that basically cut it off from the rest of the internet. There’s been speculation that the DDoS was perpetrated by the US, or by Sony, in response to the hack of Sony that North Korea’s currently being blamed for.

In regards to both the Sony hack and Korean DDoS, we don’t know at this point who did them. The FBI is obviously blaming North Korea for the former, but a number of experts find that implausible, as does this layperson. This is one of the major problems to the idea of “responding” to a cyberattack: unlike a gunshot, mortar or missile it’s hard as hell to tell where it came from. And the technologies to change that are the same technologies being abused by major governments around the world to spy on whole populations.

I’m going to go out on a limb here, though. And I’m going to make a stab at identifying the people that attacked North Korea and cut them off the internet.

It was the same damn people that hacked Sony.

I’m pretty sure the US wouldn’t respond with something as blatant as a DDoS attack, but it’s the perfect move to escalate US/North Korean tensions sky high. And it’s startlingly easy:

Prince and others bet that a run-of-the-mill DDoS attack took down North Korea’s Internet because the isolated country has a “pipe” to the Internet so narrow that a routine attack could easily flood its capacity and take it offline.

Ofer Gayer, security researcher at Incapsula, estimated North Korea’s total bandwidth at 2.5 Gbps, far under the capacity of many recent DDoS attacks, which typically are in the 10Gbps to 20Gbps range. “Even if North Korea had ten times their publicly reported bandwidth, bringing down their connection to the Internet would not be difficult from a resource or technical standpoint,” Gayer said, also in an email.

Almost all of North Korea’s Internet traffic passes through a connection provided by China Unicom, the neighboring country’s state-owned telecommunications company. North Korea has just a single block of IP (Internet protocol) addresses, or just 1,024 addresses, another vulnerability; in comparison, the U.S. boasts 1.6 billion IP addresses.

As the Computer World article states, there’s even the chance this is some random “kid in a Guy Fawkes mask.” But I’m willing to bet a small amount of money that it’s the same people that hacked Sony, who have no affiliation to North Korea whatsoever. It’s a fascinatingly easy way to screw around in the International Relations game, and a logical second step to their first with Sony. The inability to attribute hacks and cyberattacks means that a single actor can easily pretend to be both aggrieved sides.

The first attack had them down for nine hours yesterday. According to the folks that broke the story, DynResearch, North Korea is down again.

Let’s see what happens next.

Tor Carding Forum Shutdown Synchronicity

Tracking a slight synchronicity that I imagine no one but me finds interesting. Journalist and all-around security news badass Brian Krebs posted yesterday about the arrest of alleged counterfeiter Willy Clock:

In September 2014, I wrote about receiving a package of $500 in counterfeit U.S. currency from an unknown sender, after mentioning in a blog post about a rash of funny money resellers flooding underground cybercrime markets. Last week, U.S. authorities announced the arrest of a Texas man charged with leading the international counterfeit currency operation from a location in the Republic of Uganda.

The story’s interesting and worth reading on its own merits when you have a moment, but a particular facet of the investigation stood out to me. Clock used Tor Carding Forum to vend his counterfeit bills:

The government says Gustafson sold the bills through the Tor Carding Forum, a cybercrime shop that is unreachable from the regular Internet. Rather, visiting the Tor Carding Forum requires the visitor to route his communications through Tor, a free software-based service that helps users maintain anonymity by obfuscating their true location online.

Willy Clock’s phony currency wasn’t only available via Tor. By the middle of 2014, ads for his funny money were showing up on regular, Internet-based cybercrime forums. One reseller of Willy Clock’s notes even set up his own sales thread on Reddit.

That’s interesting to me not on its own but in combination with the announcement last Thursday that Tor Carding Forum is shutting down, relayed to me by Ars Technica (and linked in yesterday’s readings):

After many successful years I have decided to close TCF. There are several reasons including significant decline of quality contributions, what to do with sales/escrow, but ultimately I no longer have the time to run both TCF and Evolution. The site will remain online for a while to allow members to save any important messages or conclude any outstanding business, however new registrations are permanently disabled.

On behalf of current and former TCF staff, thanks for all your support and we’ll see you around Evolution Forums!

A TCF vendor getting thoroughly nailed and TCF almost simultaneously announcing that it’s winding operations down reminded me pretty keenly of a few previous carder forums that had been compromised and run by federal investigators in order to bust yet more vendors and buyers. Until the investigation is ended or consolidated, and the site is either formally raided or shut down “organically” by its administrators.

In this case the admin in question, Verto, also administrates one of the biggest dark net markets still going: Evolution. If (and that’s a damn big if) TCF was compromised, Evo almost certainly is. Which would be a huge coup for law enforcement. It’d also make sense to consolidate the TCF/Evo investigation into just one, which might’ve warranted the shutdown.

There are quite a few problems with this scenario, not the least is that TCF was the problem of the Secret Service, and I’m not sure their jurisdiction would cover Evo. But the vendor bust – site shutdown timing is just wickedly convenient to me.

Update on Tor Server Shenanigans

Posted as part of my readings yesterday some apparent server seizures in Europe. The admin has posted an update:

Brief update to the situation.

Having further investigated and followed up some information leads, we (for now) are excluding direct law enforcement involvement in the events of yesterday with my server cluster, but we do have further information that something unusual was occurring. Until we’ve been able to make the proper requests however we can’t disclose what this is without running the risk of prejudicing the investigation.

I have emailed some of the DirAuths to remove several nodes and IPs from the blacklist that we feel confident have not been breached or compromised in any way. Of course everyone should still ensure they always use TLS when available and PGP encryption to prevent a single point of failure!

Most/all of our mirrors should now also be online again. The hidden service versions may be a little shaky at first as we are making some changes to our Tor configurations, but nothing which should make them unusable.

Readings: Dark Markets, Bitcoin sentence, Tor server seizures

Quotes in quotation marks, comments in italics.

Ars Technica: After Silk Road takedowns, Dark Web drug sites still thrivingAlways worth watching the dark markets. The black market tells us quite a lot about the market in the clear.

Engadget: Bitcoin exec to spend two years behind bars for Silk Road transactions – “…Faiella would instruct customers to deposit money to third-party bank accounts, then Shrem would use BitInstant to transfer the corresponding amount back to him, which he’d pass on to buyers’ Bitcoin wallets. An undercover agent, for instance, deposited $500.11 to a bank account and got $444 worth of BTC later that same day.”

Tor: Possible upcoming attempts to disable the Tor networkTor warns of upcoming server seizures in an attempt to incapacitate the network. Then this happened:

Tonight there has been some unusual activity taking place and I have now lost control of all servers under the ISP and my account has been suspended. Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers.

Sony, Entitlement and Moral Hazard

After the devastating hacks perpetrated against Sony Pictures much has been made of North Korea’s involvement. I’m not yet sold on North Korean origination for a number of reasons. As Dave Kennedy noted on Twitter, Sony’s sizable March layoffs included a fair amount of the IT staff, which is a great way to breed weaponized animosity. Add to that this excellent post by Marc Rogers, “Why the Sony hack is unlikely to be the work of North Korea.” But hey. We’re going with North Korea as the perpetrator anyway, according to the FBI press release. So for the purposes of the rest of this post let’s assume the FBI is correct and North Korea is behind the hack.

President Obama has vowed a response directed at North Korea “in a space, time and manner that we choose.” So we’ve now gone from an FBI response all the way to nation-state actors. This is some pretty thorough bullshit. Let me explain why.

The first response to the Sony hack that I see is that “this is a free speech issue.” “North Korea interfered with the ability of Sony and their content creators to speak freely by showing their movie, and the government must respond to protect it.” Here’s the problem: this isn’t a free speech issue. Free speech doesn’t include the ability to create and broadcast without consequences; in American context, free speech is the ability to communicate without government interference. Consequences have always been a part of the nature of speech.

Consequences arising from the Sony hack already have well-established, long-hallowed remedies: those in civil and criminal court. These are the same remedies offered every other company, corporation and person in the United States. Were a foreign dissident hacked in America (it happens regularly) doubtless that would warrant a criminal investigation by the FBI. But we wouldn’t see Obama up on television getting ready to act on the federal and international level. It’s incredibly troubling the attention that a corporate entity is getting that is routinely denied to dissidents of all stripes. The message from the US government is: “We protect corporate speech. Individuals are largely on their own.”

We have the Computer Emergency Readiness Team in the Department of Homeland Security to analyze, reduce and respond to cyber threats and incidents like Sony’s hack. What we also have is a pervasive corporate lobbying environment utterly hostile to government cybersecurity standards. Every time the government tries to make more stringent standards mandatory the corporate entities involved appeal to the politicians they’ve contributed to on both sides of the aisle to water it down or kill it. So we’re left with a largely voluntary cybersecurity framework that helps set us up for instances like this. But now that an incident’s happened one of these same corporate entities is basically appealing for an international response, and it feels a bit like scammed Bitcoiners demanding FBI action to recover the money they pumped into an intentionally opaque, extragovernmental currency system.

And let’s be clear: Sony’s ground to an electronic halt not by consequences of speech but by its own bad digital hygiene. Of course the response to bringing up Sony’s own practices is that I’m victim-blaming. To bring victim-blaming into this we need to treat the corporation as a person, and that’s also bullshit. Sony Pictures has a clearly stated duty to stockholders (among others) to firm itself up against attacks like this as a simple matter of good business. It’s the legal responsibility of a legal entity, not an anthropomorphized construct requiring consideration of its personality and circumstance. Sony had a legal requirement to protect itself and it failed. This isn’t victim-blaming but requiring an organization to engage in Best Practices-type behavior in order to protect shareholders, employees and customers.

This is where the hack morphs from a speech issue to an economic one: the idea of moral hazard. Moral hazard occurs when someone takes risks they otherwise wouldn’t have when they know that someone else bears the burden, often a government. It was writ large in the 2008 financial crisis when we realized that investment banks were assuming massive leverage and insurers were handing out insanely large policies (credit default swaps) and depending on the government to bail them out when it all soured. Is Sony entitled to nation-state action as a remedy to the consequences they’ve faced? Of course they’re not. Sony’s losses are what corporate insurance is for, in worst case scenarios. Not a presidential address or an international reaction. Because insurance policies are not only triggered by consequences, but possess their own: failure to adhere to conditions such as adopting cybersecurity best practices invalidates the policy. There is no entitlement in an insurance policy, it’s purely a business transaction. The taxpayer does not bear the burden of being Sony’s “protector of last resort.”

And the idea of the US acting in order to protect the corporate speech of a Japanese company administrated from Tokyo is almost as enraging as acting to protect Sony when they’ve been busy threatening websites, newspapers and other entities with legal action over reporting related to the hack. Sony may even have launched cyberattacks of its own, trying to overload websites hosting the leaked data.

What’s my proposal, then? Exactly what I offered above: the same civil and criminal remedies at law offered to every other individual and company in the United States. An FBI investigation for sure, but good lord, keep the State Department dogs of war harnessed good and tight.

Read: LA iPad Shenanigans, Digital Citizenship, Bluetooth Credit Card Repository

Quotes in quotation marks, commentary in italics.

boingboing: FBI seizes LA school district’s Ipad purchasing docs – “It’s not clear what they’re investigating, but the DoJ subpoenaed everything related to the $70M program to give Ipads to all 650K kids in the district.” – Almost surely, as noted in the article, improper bid process/maybe kickbacks. Will be interesting to see, though.

Motherboard: Let’s All Become E-Residents of Estonia – “Starting today, people across the world can apply to become an “e-resident” of the Republic of Estonia, the small EU country just west of Russia.” – Odd little mechanism for what looks like a state-based Trusted Identity setup. Worth watching, as Estonia often is.

Verge: My experience with Coin Beta in the real worldBasically, a bluetooth card that stores all your credit/gift cards, similar to Apple Pay. Doesn’t do a great job at explaining what Coin is before jumping into the mechanics, but as long as you can follow, interesting to watch. Sad it’s so prone to malfunction. Want to grab one solely to eke out its weaknesses.