Open Letter to My Congressman Regarding Impeachment of Five Supreme Court Justices

July 12, 2015

The Honorable Keith Rothfus
1205 Longworth House Office Building
Washington, DC 20515

Dear Congressman Rothfus,

I write to ask that you initiate necessary proceedings for impeachment of the five U.S. Supreme Court justices who voted in favor of the petitioners in the recently decided case, Obergefell v. Hodges. The justices are Anthony M. Kennedy, Ruth Bader Ginsburg, Stephen G. Breyer, Sonia Sotomayor and Elena Kagan.

If other members of the House are already taking steps for impeachment, please give them your earnest support.

Impeachment of the five justices is authorized by Article II, Section 4 of the U.S. Constitution:

The President, Vice President and all civil Officers of the United States, shall be removed from Office on Impeachment for, and Conviction of, Treason, Bribery, or other high Crimes and Misdemeanors.

And by Article III, Section 1:

The Judges, both of the supreme and inferior Courts, shall hold their Offices during good Behaviour…

It is not good behaviour — indeed, it is very bad behavior — for appointed judges to seize law-making power which belongs to legislatures, and ultimately to the People, who express their will by voting. The five justices cannot possibly have behaved this badly by accident, setting a foot down on the wrong side of a fuzzy line, as it were. The opinion in which they all joined is clear evidence of their collaboration in what the House has every right to decide was a “high Crime or Misdemeanor.” (As an aside, it is for the House and Senate to interpret that phrase, not the Court; it will be perfectly reasonable when the House decides that it is a high crime to flagrantly subvert the Constitution.)

What was decreed by the five justices is obnoxious, but the ruling itself is not the issue. It is not for sharing a bizarre opinion (albeit fashionable in some circles) that justices should be removed from the Court. What is at stake is the Constitutional right of the People to be governed by their elected representatives. We, the People, do not want to be governed by an oligarchy — a tiny committee of unelected lawyers. We would not want to be governed by a committee of unelected lawyers even if they were not so disoriented and confused in their thinking.

Justices of the Supreme Court are unelected, but they are not unaccountable. Impeachment, followed by conviction in the Senate and removal from office, is the Constitutional remedy for tenured judges who run amok, disregarding the Constitution in order to rule according to personal moral and social preferences, in defiance of the will of the People.

Congressman Rothfus, what will you do to persuade the House to impeach the five justices who are guilty of the Obergefell v. Hodges ruling?

Do all that you can. I will support you, as will many others. Please keep us informed so we will know how we can help.

Sincerely,

Peter Barry


Normal

One of the government contractors slurping up our tax money has a slick idea for how the Department of Defense can spot the next Bradley Manning before that yet-to-be-discovered individual steals classified information and makes it public. [1]

This is the mission:

…blue-sky research firm Darpa asked software engineers to design a system to sift through Defense Department e-mail, web and network usage for “anomalous missions” indicating that a user might intend to siphon sensitive information to unauthorized entities. The program is called CINDER, short for the Cyber Insider Threat Program.[2]

According to Wired, HBGary claims it can create the necessary software.

Data will be collected on employees while they work. This data will include what they do, where they go on the internal network and the internet, how and what they type, mouse movements, etc. Computer webcams trained on employees could be used to get snapshots and video. A lot of data would be accumulated and used to determine what is “normal”. Employees who deviate from Normal in particular ways would be flagged as potential Bradley Mannings.

HBGary’s proposal acknowledges: The only way to judge anomalous user behavior is to create a model for normal behavior; that in turn requires mapping normal behavior for the median user — which in the Defense Department’s case is millions of people.[3]

Got that?

Now, if you think this project is credible, that it makes sense, on any level, in any way, you need to think about it a little longer. Thirty seconds should be sufficient.

Pause here to think…

Now you get it, right?

And you didn’t need the whole 30 seconds, did you? A regular snake-oil scam if there ever was one. But of course, DARPA put out an RFP that said, in essence, “Please submit snake-oil scams…”

Snake-oil scams are entertaining for everyone in the audience who has paused to think for a few seconds.

I like this bit:

The only way to judge anomalous user behavior is to create a model for normal behavior…[4]

Let’s work on that, come up with a couple of situations where we can identify “normal behavior”.

Here’s one: Picture yourself as a striking, 20-something blonde female US Army master sergeant employed by the Department of Defense. You know the webcam built into your computer monitor may at any time (or all the time) be taking close-up still shots or video of you while you work. Is it normal or abnormal for you to put a Post-it note or piece of chewing gum over the camera?

Normal, of course. In fact, it’s normal for everyone to put a Post-it note over the camera, simply because people don’t like being spied on and photographed at close range without their permission. Of course, every now and then a smart aleck will take off the Post-it to make a rude gesture, stick his tongue out at the camera, or to pose for a few seconds wearing mirror shades and a Bedouin-style turban.

Smart aleck behavior at some level is normal, and the HBGary software would have the intelligence to treat it as normal. [5]

But that’s an easy one. Let’s try something a little tougher.

You’re still a DOD employee, male or female, age is irrelevant. Would it be normal or abnormal for you to start your day by typing “Bradley Manning for President”, or “a republic, if you can keep it”, or the NSA couch potato joke-of-the-day …with nothing but a black DOS box in focus? Nothing saved; nothing sent; just private keystrokes.

That behavior wouldn’t be average, but remember, what this cool Bradley Manning detection software must do is figure out what “Normal” is in such a way that an employee’s deviation from “Normal” isn’t just any deviation, but a particular kind of deviation — a deviation that indicates that person intends to steal and misuse confidential information.

In any sizable group of Americans it will be absolutely normal to find one or two, or several, who are passionately American. They are wary of government power, they believe the 4th Amendment was written because it really does happen that jerks get into government, and they detest unwarranted government invasions into the lives of free citizens. They strenuously object to government lawlessness, incompetence, corruption and stupidity.

Again, in a normal group of Americans, there will be a few passionate Americans — Americans who take their citizenship seriously.

So, out of, say, ten thousand DOD employees, it will be perfectly normal for some number of them to occasionally type unsaved, unsent messages on their keyboards — if they think they are being studied for deviations from Normal — because they take the view that the only way those messages can be read is if the reader is an anti-American (domestic) enemy of the Constitution, and they like to send taunting, insulting messages to enemies of the Constitution and enemies of America.

“Wikileaks Rocks! (for your eyes only, Stooge)”

It’s perfectly normal for a group to have a few individuals of that sort.

Now, switch roles: You’re the tax-money-slurping contractor. You’ve collected a ton of data on ten thousand DOD employees. Those employees know you’ve been watching them, testing whether or not they are Normal, collecting and saving data — keystrokes, mouseclicks, video, still shots, whatever — in order to analyze them in detail, as individuals who may or may not be Normal. Out of that ten thousand DOD employees, not one person, not a single American, has ever typed “Bradley Manning for President” or some such provocative thing into a DOS window.

Now you’ve really got a problem.

A normal group of ten thousand Americans should include a few history-conscious, passionate Americans with enough courage to resist, at least quietly, a spirit of anti-American stupidity.

Here you’ve got a group of ten thousand Americans that is not Normal.

What will you do with that group?

PB

[1] At the time of this writing, Bradley Manning is accused; he has not been convicted of any crime. Regrettably, in this period of American history, it is possible for an accused-but-not-convicted individual to be cruelly mistreated if he has the misfortune to be held by the Department of Defense.

[2] Wired. “‘Paranoia Meter’ Is HBGary’s Plot to Find the Pentagon’s Next WikiLeaker”. Spencer Ackerman. http://www.wired.com/dangerroom/2011/04/paranoia-meter-hbgarys-plot-to-find-the-next-pentagon-wikileaker/

[3] Ibid.

[4] Ibid.

[5] And snake oil is known to cure cancer.


Enemies

Bradley Manning has been charged with “aiding the enemy”.

The charges, filed Tuesday but not disclosed until Wednesday, are one count of aiding the enemy, five counts of theft of public property or records, two counts of computer fraud, eight counts of transmitting defense information in violation of the Espionage Act, and one count of wrongfully causing intelligence to be published on the internet knowing it would be accessible to the enemy. The aiding-the-enemy charge is a capital offense… [1]

I await with great interest the definition of “enemy” that will be used by prosecutors. As far as I know, the United States does not have any enemies. We are not at war with anyone.

We think and perhaps speak of al Qaeda as the “enemy”. We may think and speak of terrorists in general as the “enemy”. But that’s colloquial speech. In a court room, in a legal context, the word “enemy” must have a particular meaning. If you charge someone with “aiding the enemy” then for a start you’ll have to identify the enemy who received the aid.

Congress has not declared war on anyone, so identification of the “enemy” is highly problematic. Arguably, the definition is entirely subjective, in the eye of the beholder, as it were. Is bin Laden an enemy or a criminal wanted for conspiracy and murder? Will there be an effort to cast Wikileaks as an “enemy”? Is the New York Times an enemy, since the NYT has published material made available by Wikileaks? George Bush initiated a “war” (metaphor?) on “terror” (an abstraction, a word in the dictionary). Is it possible to give aid to an abstraction?

Anyway, I will be very interested to see how “enemy” is defined in the trial of Bradley Manning.

One thing to bear in mind:

The charge of aiding the enemy is a purely military charge from the Uniform Code of Military Justice, which applies only to service members. [1]

So, if aiding the enemy is a crime that can only be committed by members of the armed services, it’s entirely possible that “enemy” can be defined by the military in a way that only applies within the military. Let me clarify…

The United States, as a nation, does not have any enemies at present because our Congress has not declared war on anyone. But the military services possibly do have one or more enemies, determined in some way by the military. If the military wants to put someone belonging to the military on trial for “aiding the enemy” that can work because the military will define “enemy” — for itself, not for the nation.

If I’m correct that the military can define “enemy” in its own way, to support a charge of “aiding the enemy”, then logically, nothing prevents an enemy of the United States military from also being a good friend of the United States, a constitutional republic.

PB

[1] “Bradley Manning Charged With 22 New Counts, Including Capital Offense” http://www.wired.com/threatlevel/2011/03/bradley-manning-more-charge/


Wikileaks and Secrets

Reactions from the U.S. Government to the Wikileaks publication of diplomatic cables are puzzling. For instance, here’s a USMC memo published by Wired:

[W]illingly accessing the WIKILEAKS website for the purpose of viewing the posted classified material [constitutes] the unauthorized processing, disclosure, viewing, and downloading of classified information onto an UNAUTHORIZED computer system not approved to store classified information. Meaning they have WILLINGLY committed a SECURITY VIOLATION.[1]

If you’re a civilian with an appreciation for slapstick comedy, you can just laugh. But if you’re one of The Few, The Proud, etc., and you’re not accustomed to turning off your brain when you hear trite, throw-away phrases like “national security” you might not see the humor in this.

Step back and think about who this material, now published by Wikileaks, was kept secret from, back when it was secret. More broadly, what is the purpose of a secret, any secret? What is a secret for?

If I’m negotiating to buy a house, the absolute maximum price I’m willing to pay is something I will want to keep secret from the seller, with whom I’m negotiating. I really don’t care who else knows my max price. All of my family and friends — indeed, all of the seller’s family and friends — can know, as far as I care. I only want to keep knowledge of my max price from the seller himself, because he might change his behavior in our negotiations if he knows the price. He’s the one chap who can take advantage of that knowledge to cause me a problem by shaking a few extra dollars out of my pockets.

As a practical matter, I’ll need to keep the maximum price I’m willing to pay quiet from just about everyone, because if I make it widely known among those whose knowledge of it does not matter at all, there’s a greater chance that the one person I’m actually concerned about will find it out. I will keep this secret from the many only because I want to be sure it remains secret from the one.

What if the seller of the house somehow finds out my maximum price?

Well, that’s it. He knows. If he wants he can dig in his heels and hold out for what he knows I’m willing to pay. For me, it’s Game Over, as far as the secret of my max price is concerned. It’s no longer secret from the one person I wanted to keep it secret from.

But what about everybody else?

What about them? I never cared about everybody else knowing; why would I start caring now?

How about U.S. diplomatic cables? What if an American ambassador makes a remark about Mubarak and his associates in a cable, and that cable is “secret”?

Who is it secret from? Clearly, it’s secret from Mubarak and his associates, and probably from Mubarak’s opponents, and maybe Mubarak’s peers in the Middle East — quite a few people for sure, but not everybody. It’s secret from people who might alter their behavior in some way that is disadvantageous to the United States. It isn’t secret from a random Chinese peasant or an Inuit seal hunter. It isn’t secret from me, or from a United States Marine. In fact, it isn’t secret from tens of millions of people. For the vast majority of the population of earth it’s a matter of indifference if it’s known or not.

But as a practical matter, there’s no way the cable can be shared with peasants and seal hunters and me and the Marines and millions of others whose knowledge of the cable doesn’t matter, simply because dissemination among those from whom it’s not secret will increase the chance of it falling into the hands of someone from whom it is secret.

What happens if somehow (NYT, Washington Post, Wikileaks…) Mubarak and his associates find out the contents of the cable? Well, that’s it. They know… Game Over.

Is it ok now if U.S. Marines and Inuit seal hunters read the cable?

What a weird question. Why would it not be ok? It never was secret from them, except as a precaution against the cable reaching Mubarak & Associates. Mubarak has it. If they’re so inclined, seal hunters can translate it into Greenlandic, add an iceberg and a whale to spice it up a bit, and read it to their children as a bedtime story. Whatever.

What the Marine Corps leadership and the leadership of the U.S. Government in general don’t seem to understand is that it’s “Game Over”: The people the documents were being kept secret from have them, and there’s nothing to be done about that.

The “few” have the documents.

The practical need to keep the documents secret from the many in order to keep them secret from the few no longer exists. As far as all the people from whom the documents never were secret — employees of the Department of Defense, for instance — the documents are still not secret from them. Nothing has changed. It never mattered, really, if they saw the cables, and it still doesn’t matter.

PB

[1] “Pentagon to Troops: Taliban Can Read WikiLeaks, You Can’t”: http://www.wired.com/dangerroom/2010/08/pentagon-to-troops-taliban-can-read-wikileaks-you-cant/


Thank you, Wikileaks

In the recent public discussions of Wikileaks, I haven’t seen (though I could have missed it) any credit and congratulations given to Julian Assange’s organization for exposing the insecurity of the US Government’s SIPRNet. That exposure was an important service to the people of the United States, as well as to our hired help, the US Government.

According to the Pentagon, SIPRNet has approximately half a million users. Access is also available to a “…small pool of trusted allies, including Australia, Canada, the United Kingdom and New Zealand…”
http://en.wikipedia.org/wiki/SIPRNet

I don’t know if Wikipedia is right about the number, “half a million users”. I’ve seen quotes lately that claim a million users. But even if it’s a tenth of the Wikipedia figure — that is, 50,000 users — that is a sizable global network, and if data on that sizable network has value, it’s simply naive for someone to think data will not leak out — naive about networks and computers, and naive about people.

The bureaucratic position is, “But this network is locked down, not physically connected to the Internet, accessible only by people who are authorized, closely monitored… blah, blah, blah…” In a word, Naive.

Think about it: Here’s a network 1) with data that has value and 2) 50,000 or 500,000 or a million users. A network admin claims data will never be copied from the network for some unauthorized purpose…

That doesn’t even make sense.

But if you’re a bureaucrat without much knowledge of technology in general, or of networks and the internet in particular, and if you have little or no understanding of human nature, you might think it does make sense, which is sad for you at a personal level, but also bad for the people you work for. And it’s why you should thank Wikileaks for giving you the benefit of a little education.

The way data would normally be copied from a network like SIPRNet — the way it has been copied from SIPRNet in the past, we can assume — is secretly, without fuss, without fanfare. People with access to the network, and with particular interests, have quietly copied data by various means, to be delivered to persons with a shared ideology or religion, or to persons of whatever ideology, who are able to pay well, and pay in cash.

Wikileaks, by making SIPRNet data available publicly and with great fanfare, badly mauled the business models and espionage exploits of everyone who was already quietly copying data from SIPRNet for profit or for a cause. The network security clampdown, inspired by Wikileaks, will impact an unknown number of enterprises.

The outrage of the US Government at Wikileaks for making secrets public is probably echoed behind closed doors in obscure facilities in Iran, North Korea and elsewhere. But the outrage in the echo is not that Wikileaks made secrets public, but that Wikileaks made it public that secrets could be acquired from SIPRNet. Lots of secrets.

The Big Secret — that SIPRNet leaks — was leaked by Wikileaks, and we can be certain there are people of various nationalities who would rather that were not known.

Thank you, Mr. Assange. You’ve done us a favor.

PB


Al Jazeera

I recently discovered Al Jazeera news, via YouTube, in English.

http://www.youtube.com/user/AlJazeeraEnglish

I can’t compare it with other TV-style news outlets, like CNN and FoxNews, because I haven’t watched those. But Al Jazeera English is easily on par with, and in many ways superior to, The Wall Street Journal of our day, when it comes to coverage of world news, in both breadth and depth. The format is video, interview and discussion, so a comparison with print is not quite apples-to-apples. If you’re interested in keeping up with things going on in the world, Al Jazeera is worth following.

I subscribed to the Al Jazeera English YouTube channel and selected the option to get email alerts when something new is uploaded, so I get email for regular news updates, In Depth, 101 East, etc — all the Al Jazeera productions, I suppose. I don’t have time to watch many, but I can quickly click through emails and decide based on topic if it’s something I’m interested in. The emails have some basic description of what the video upload contains.

Their coverage of Sudan has been quite good — much better than the WSJ. Lately, I’ve watched informative shows about ETA, the Basque terrorist (a.k.a. “separatist”) group, how South Korea integrates North Korean defectors, the current Lebanese political crisis, Gbagbo vs Ouatarra in Cote d’Ivoire, Berbers in North Africa…

http://www.youtube.com/user/AlJazeeraEnglish

PB


Hallmarks of Shallow Thinking

The rabbi at one of the synagogues told the Journal that its website had been visited dozens of times recently by individuals located in Egypt. The episode underscores how crucial it is that U.S. intelligence be able to eavesdrop on email and phone conversations between people abroad and in the U.S., and in real time without having to wait for a warrant.

This is from an Opinion piece in the Wall Street Journal (October 31, 2010), “Hallmarks of al Qaeda,” which was published after the failed parcel bomb attacks on cargo planes.

Is it assumed that I will draw a conclusion from the fact that the website of one of the synagogues targeted has been “visited dozens of times recently by individuals located in Egypt”? Am I supposed to think, “…must have been terrorists, casing the joint” — and then congratulate myself on being a regular Sherlock Holmes?

Frankly, without context, I don’t know what to make of that information. It might be an interesting data point, but to know whether or not it’s interesting, we need more.

Note: “dozens of times” is not an exact number; “recently” is not a precise time frame.

In a typical week, looked at over the last 5 years, how many hits to the website come from Egypt? Was there a sudden jump in the number of hits from Egypt recently? In the past, have there been jumps in the number of hits from Egypt that didn’t correlate with a parcel bomb attack, or is this completely unique? How does the number of hits compare to other synagogues, or to other entities, like churches or mosques?

“Visited dozens of times” — are these unique visitors, or HTTP requests? It’s important to know what is being counted. A single unique visitor to a single page might generate dozens of HTTP requests in the log, depending on how the page is built.
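The two questions above (is a count of requests or of visitors, and is it a jump against a baseline) can be answered from an access log. This is an added example, not from the original post; the log lines, the IP-to-country table standing in for a geolocation database, and the weekly history used as a baseline are all constructed.

```python
"""Requests vs. unique visitors per country, compared against a baseline.

Added example, not from the original post. Everything below is constructed:
the Apache combined-format log lines, the IP_COUNTRY table (a stand-in for a
GeoIP database) and the weekly histories used as the baseline.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Only the leading fields of the combined log format are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed lookup. Note that it only says where the address is registered,
# not where the person behind it is sitting.
IP_COUNTRY = {
    "203.0.113.10": "EG",
    "203.0.113.11": "EG",
    "198.51.100.7": "US",
    "192.0.2.44": "DE",
}

# Constructed sample: one visitor from EG loads a page with 12 assets (13
# requests), one more EG visitor loads the page once, one US visitor, one
# unparsable line.
ASSETS = ["/index.html"] + [f"/static/a{i}.css" for i in range(6)] \
    + [f"/static/s{i}.js" for i in range(6)]
SAMPLE_LOG = [
    f'203.0.113.10 - - [29/Oct/2010:14:02:{11 + i:02d} +0000] '
    f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    for i, path in enumerate(ASSETS)
] + [
    '203.0.113.11 - - [30/Oct/2010:09:15:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Oct/2010:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Oct/2010:10:00:01 +0000] "GET /static/a0.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

# Constructed weekly baseline for EG over the previous eight weeks.
REQUEST_HISTORY = [5, 3, 9, 6, 4, 8, 7, 5]
VISITOR_HISTORY = [1, 0, 2, 1, 1, 0, 1, 2]


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"),
            "country": IP_COUNTRY.get(m.group("ip"), "??")}


def count_by_country(lines):
    """Return {country: (requests, unique_ips)} so both numbers are visible."""
    reqs = defaultdict(int)
    ips = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reqs[rec["country"]] += 1
        ips[rec["country"]].add(rec["ip"])
    return {c: (reqs[c], len(ips[c])) for c in reqs}


def is_jump(recent, history, z=3.0):
    """True if `recent` exceeds the mean of `history` by more than z std devs."""
    mean = statistics.mean(history)
    sd = statistics.pstdev(history)
    if sd == 0:
        return recent > mean
    return (recent - mean) / sd > z


def assess(lines, country, request_history, visitor_history):
    """Answer both questions for one country: how many, and is it unusual."""
    requests, visitors = count_by_country(lines).get(country, (0, 0))
    return {
        "requests": requests,
        "unique_visitors": visitors,
        "jump_by_requests": is_jump(requests, request_history),
        "jump_by_visitors": is_jump(visitors, visitor_history),
    }


if __name__ == "__main__":
    print(count_by_country(SAMPLE_LOG))
    print(assess(SAMPLE_LOG, "EG", REQUEST_HISTORY, VISITOR_HISTORY))
```

On this constructed data the same week reads as a jump when requests are counted (14 against a baseline averaging about 6) and as ordinary when visitors are counted (2 against a baseline averaging 1), which is exactly why the unit of counting has to be stated.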

The drift of reporting has been that these parcel bombs came from Yemen. What is the significance of Egypt in this context? Is it just that Egypt is, to a geographically illiterate readership, “over there” where Yemen is? They aren’t in the same timezone, but it is probably less than 2,000 miles from Sana’a to Cairo, so I suppose you could say they are close, like Poland and Wales are close.

Is it that there are a lot of Muslims — and therefore potentially, a disproportionate number of terrorists — in Egypt? Were there recent visitors to the synagogue website from other places where there might be terrorists, like Pakistan, or Gaza, or London, or New Jersey… or Chicago?

I presume the Journal editorial writer knows that the source IP of a website hit doesn’t say much about where the person looking at the web page is sitting. And if that person doesn’t want his physical location known, the source IP says nothing at all, except perhaps that he’s not where the source IP is. Someone in Munich can VPN into a network in Egypt and his web requests, from the point of view of the website, will come from Egypt. And, by the way, are there Tor nodes in Egypt?

My point is that it’s silly for the Journal to throw out one piece that may or may not belong to a thousand-piece puzzle and expect intelligent readers to know whether the completed puzzle is an old man in a boat or the carcass of a leopard on Mount Kilimanjaro. And it is way beyond silly to propose that anything about this event “underscores how crucial it is that U.S. intelligence be able to eavesdrop on email and phone conversations between people abroad and in the U.S., and in real time without having to wait for a warrant.”

Warrants, among other things, prove there’s been some work done to ensure that “a person of interest” might really be up to something — not just that he appears to be in Egypt and browsed to a Chicago website. One reason, in my opinion, that the American 3-letter services want to avoid the warrant process and other controls that protect freedom, is that a large number of their employees are loafers, and protecting freedom while they try to catch bad guys is just too much like work.

Any guesses for what the ratio of false positives to real terrorists would be if U.S. Intelligence was not subject to law that prevents promiscuous snooping? Does anyone believe that promiscuous snooping would make it easier to catch real bad guys, who will, of course, change their comm channels as needed — from satellite phone to bicycle courier, or from in-the-clear email to 256-bit encryption?

U.S. “Intelligence” should just get off its obese government butt, quit whining about how it can’t do anything unless it can snoop on everything everyone is saying, and get to work.

PB


unpolluted sprockets #1

One thing I like about Wikipedia are the little “citation needed” inserts reminding the reader, in effect, “Here we have a statement of fact which has been made without supporting evidence.”

For instance, this is from the Raytheon article[1]:

Raytheon Professional Services (RPS) is a global leader[citation needed] in training services and learning outsourcing for over 75 years.[citation needed]

Raytheon is the company where William J. Lynn III worked as a lobbyist before he was made Deputy Secretary of Defense in the current administration.

A citation doesn’t make the fact asserted true, it just means there is some kind of evidence for the assertion that anyone is free to check out. That evidence might be strong or weak, and the reader probably won’t bother to check it anyway, but the presence of a citation makes a statement of fact, in some way, verifiable.

In Foreign Affairs, essays are not required to have footnotes, much less “citation needed” flags, so in comparison to Wikipedia, the reading experience of FA is superficial.

In Mr. Lynn’s Foreign Affairs essay[2], “Defending a New Domain” he says this:

Every day, U.S. military and civilian networks are probed thousands of times and scanned millions of times.

Citation needed, right?

None supplied.

This sounds like a variation on the 6-million-attacks-a-day (on Department of Defense networks) assertion that is part of the template for people writing for or speaking to technically non-literate audiences. Here is an example from Bill Lambrecht:

The new head of the U.S. Cyber Command, Gen. Keith Alexander, revealed this month that Pentagon systems are attacked 250,000 times an hour, 6 million times a day.[3]

No citation available for Mr. Lambrecht’s assertion either. Which is a shame, because I’d like to know if Gen. Alexander really said Pentagon systems are “attacked” 6 million times a day in some context I’m not familiar with, or if Mr. Lambrecht spiced up his column by carelessly swapping in the word “attack” for what Gen. Alexander really did say:

DOD systems are probed by unauthorized users approximately 250,000 times an hour, over 6 million times a day.[4]

I’ll bet that Gen. Alexander chose the word “probed” deliberately when he was speaking to CSIS, and I will further bet that he consciously avoided using the word “attack” in characterizing what was happening 250,000 times an hour, 6 million times a day to Pentagon systems. In his Senate confirmation hearing, Gen. Alexander specifically said that “probes” are not “attacks”.[5] For military guys, the word “attack” is loaded with all kinds of baggage completely unknown to those who use the same word in a network security context.

Another variation uses “targeted”:

When asked how often the federal government’s computers get targeted or probed each day, defense specialist Rep. Adam Smith, D-Wash., curtly responds: “North of a million times.”[6]

Here’s another:

The Pentagon’s top information-security official, Robert Lentz, said the Defense Department detected 360 million attempts to penetrate its networks last year, up from six million in 2006. [7]

Hmm… “Attempts to penetrate” DOD networks? How is a single attempt identified for the purpose of counting? When a Facebook scraper works for weeks putting together information for a spear-phishing attack on a Navy Admiral, to craft an email with a link in it he will foolishly click… Will all those HTTP GETs and POSTs at Facebook and elsewhere, plus the email to the Admiral, count as just one attempt to penetrate a DOD network? With a number in the hundreds of millions, there must be an automated way of counting. How do they count? What do they count?

Mr. Lynn has some vague numbers, “thousands” and “millions”, for probes and scans respectively. But what is a “probe”? What is a “scan”? Do his IT guys parse router logs into “probes,” “scans” and “other,” based on what protocols are used, what ports are queried, what the source IPs are?

Gen. Alexander has more precise numbers for “probes” by “unauthorized users” (250,000/hour, 6 million/day). But what, pray tell, is an “unauthorized user”? If these numbers come from router logs, what distinguishes an authorized user from an unauthorized user?

Observe:

$ ping nsa.gov
PING nsa.gov (12.120.166.8): 56 data bytes
92 bytes from 10.98.13.43: icmp_type=3 (Dest Unreachable) icmp_code=3
92 bytes from 10.98.13.43: icmp_type=3 (Dest Unreachable) icmp_code=3
92 bytes from 10.98.13.43: icmp_type=3 (Dest Unreachable) icmp_code=3

----nsa.gov PING Statistics----
46 packets transmitted, 0 packets received, 100.0% packet loss

I just pinged NSA at nsa.gov. DNS resolved the name to 12.120.166.8, but that IP doesn’t answer to ping so I get a “destination unreachable” response from a router closer to my NIC.

My ping put a line in a router log at NSA for an ICMP echo request from my IP that was dropped. Will that line count as a “probe” or is it counted as something else (like, “blog post demonstration” :-) )? Since we don’t know what a probe is, we can’t know what kinds of IP traffic are not probes.

If my ping is a probe, it can’t count as coming from an unauthorized user. I authorized it myself, so I know it was authorized. But how will the light-starved gnomes counting probes deep in the catacombs beneath Ft. Meade know my ping was authorized? Do they flip coins?

Logs can be mined for data that will sort inbound traffic into “solicited” and “unsolicited” buckets (ICMP echo requests are always unsolicited, by the very nature of the protocol). But “authorized” and “unauthorized” categories have no technical meaning. Do they have any meaning at all?
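Here is what that log mining actually looks like, as an added example (my own illustration, not code from the original post or from any of the agencies quoted). It assumes netfilter/iptables LOG-style lines, and the sample lines are constructed, not captured traffic. An inbound packet is “solicited” when the host already sent the mirror-image flow; an ICMP echo request is unsolicited by definition. The last function shows why the headline number depends entirely on the definition chosen: the same five packets are “5 probes” or “1 scan” depending on what you decide to count, and there is no field anywhere in the log from which an “authorized” or “unauthorized” bucket could be derived.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in netfilter/iptables LOG format (not real traffic).
# IN=eth0 OUT=   -> packet arrived from outside;  IN= OUT=eth0 -> this host sent it.
SAMPLE_LOG = """\
Oct 30 01:00:04 gw kernel: IN= OUT=eth0 SRC=198.51.100.2 DST=203.0.113.80 PROTO=TCP SPT=51234 DPT=443 SYN
Oct 30 01:00:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.80 DST=198.51.100.2 PROTO=TCP SPT=443 DPT=51234 ACK SYN
Oct 30 01:00:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.80 DST=198.51.100.2 PROTO=TCP SPT=443 DPT=51234 ACK
Oct 30 01:03:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=22 SYN
Oct 30 01:03:12 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=23 SYN
Oct 30 01:03:12 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=3389 SYN
Oct 30 01:07:40 gw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
Oct 30 01:15:02 gw kernel: IN= OUT=eth0 SRC=198.51.100.2 DST=192.0.2.53 PROTO=UDP SPT=39999 DPT=53
Oct 30 01:15:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.53 DST=198.51.100.2 PROTO=UDP SPT=53 DPT=39999
Oct 30 02:01:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 PROTO=UDP SPT=1024 DPT=1434
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Turn one LOG line into a dict of KEY=VALUE fields plus 'flags' and 'hour'."""
    if "kernel:" not in line:
        return None
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")   # year-less syslog stamp
    rec = dict(FIELD_RE.findall(line))
    rec["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    rec["hour"] = stamp.strftime("%b %d %H:00")
    return rec


def load(log_text):
    return [r for r in map(parse_line, log_text.splitlines()) if r]


def classify(records):
    """Label each inbound packet 'solicited' or 'unsolicited'.

    Solicited means this host already sent the mirror-image flow (same protocol,
    addresses and ports swapped). ICMP echo requests (TYPE=8) are unsolicited by
    definition: nothing an echo target sends can invite one.
    """
    outbound = set()
    labelled = []
    for r in records:
        proto = r.get("PROTO")
        if r.get("OUT"):                                  # sent by this host
            outbound.add((proto, r["SRC"], r.get("SPT"), r["DST"], r.get("DPT")))
            continue
        if proto == "ICMP" and r.get("TYPE") == "8":
            labelled.append((r, "unsolicited"))
            continue
        mirror = (proto, r["DST"], r.get("DPT"), r["SRC"], r.get("SPT"))
        labelled.append((r, "solicited" if mirror in outbound else "unsolicited"))
    return labelled


def count_by_definition(labelled, scan_min_ports=2):
    """Show how the headline number depends on the definition chosen.

    'probes' counts every unsolicited packet; 'scans' counts sources that touched
    at least scan_min_ports distinct (protocol, port) pairs; 'sources' counts
    distinct senders. No field in the log says whether a sender was 'authorized',
    so no such bucket can be computed from it.
    """
    unsolicited = [r for r, label in labelled if label == "unsolicited"]
    targets_by_src = {}
    for r in unsolicited:
        targets_by_src.setdefault(r["SRC"], set()).add((r.get("PROTO"), r.get("DPT")))
    scans = sum(1 for t in targets_by_src.values() if len(t) >= scan_min_ports)
    return {"probes": len(unsolicited), "scans": scans, "sources": len(targets_by_src)}


def unsolicited_per_hour(labelled):
    return Counter(r["hour"] for r, label in labelled if label == "unsolicited")


if __name__ == "__main__":
    labelled = classify(load(SAMPLE_LOG))
    print(Counter(label for _, label in labelled))
    print(unsolicited_per_hour(labelled))
    print(count_by_definition(labelled))
```

On the constructed sample the same hour of log yields “4 unsolicited packets”, “3 probes from one source plus a ping”, or “1 scan”, depending only on which definition the person quoting the number picked. That is the whole point: a count without its definition is not a measurement.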

Alas, the transcript for Gen. Alexander’s talk doesn’t have citations, so his “unauthorized users” just get stirred into the soup of nebulous terminology along with “attacks” and “probes” and “scans” and “attempts to penetrate” and “targeted computers” — and when someone who doesn’t know much about how the internet works, or about network security, wants to say something to impress an audience which also doesn’t know much… he just dips in a ladle and serves up a big helping of whatever soup mush happens to be near the top.

Probably, these people are talking about nothing more than what we think of as the Background Noise of the Internet, what Steve Gibson calls Internet Background Radiation.[8] Anyone who wants to watch random unsolicited packets from the Internet bouncing against a home router can see it. Dozens of log entries an hour. Unless it’s a hobby for you, you don’t watch. Router logs just aren’t that fascinating. Ten or 12 years ago IBR was interesting and something of a novelty for many people (me included). But now it’s just raindrops on the roof. Who cares?

Well, the lobbyists-presently-in-government and the lobbyists-presently-lobbying care, possibly because it looks to them like there’s a lot of unguarded money ready to be bagged and trucked off for those who can spin up a fun “cyber” story. The 6-million-attacks-a-day bit is how a good cyber story always begins, just like, “Gather round children and I’ll tell you about…”

You’re thinking, “Someone must have counted something; surely, if there’s a number someone, sometime, somehow must have counted something? Or if they didn’t count they had a statistically validated method of estimating?”

Ah… Wouldn’t it be nice to have a citation? — a reference to some document or web page to check, so we could see when the count was done (if it’s not ongoing), how it was done, what was counted, how the categories were defined…

Wouldn’t it be nice…

Here is the simple truth concerning the 6-million-attacks-a-day assertion, in all its protean forms:

No one has ever counted anything.

Sometime back in the 90s a low-level Pentagon bureaucrat named Winston Smith overheard a couple of techies from the server room talking about unsolicited packets in the logs — “…1,012 hits between 0100 and 0200 from who-knows-where…” and later that day, helping his report-producing boss prepare a report for some other report-producers, Winston did a quick calculation: “With 249 other offices big enough to rate an auto-grind coffee machine like ours, that’s 250 times 1,012… but just to be conservative, let’s say 1000… that’s 250,000 an hour… But what was it they called them? Unpolluted sprockets? That’s too technical…”

This morphed from an overhead projector transparency into a PowerPoint slide, was copied into another slide deck, then another, then it became part of the standard intro to hundreds of PowerPoint presentations, was copy-pasted into reports, repeated with a straight face at news conferences, adjusted to fit preferences for the nuance of one word over another (“probe” vs. “attack”), merged into the President’s teleprompter stream… and in the course of time, came to be believed by a generation of those in the greater Washington government-and-contractor community: “…and so, children, that is how the rabbit lost its tail.”

None of the people quoted above could tell you one important difference between UDP and TCP, or between telnet and ssh, or how sha256sums are used to know when a file changes — technical concepts so basic that in 2010, they are arguably not even technical any more.

At a higher level, they don’t know why it is that the vast majority of network (a.k.a. “cyber”) security challenges today, approaching 100%, come from solicited packets, not unsolicited raindrops-on-the-roof packets. If you probe Gen. Alexander, he won’t be able to tell you what a probe is, or how probes are counted. Given as much time as he likes to scan his notes, William J. Lynn III will not be able to tell you the difference between a scan and a probe.

If you questioned them, even trivially, this generation of talkers and report-producers would not be able to define clearly and consistently their own words. And if President Obama brought the whole lumbering, obese government to a blubbery, wobbling halt, demanding to know, “Where does this 6 million probes a day number come from?” — no one would be able to tell him. Gen. Alexander would ask his staff, and they would turn around and ask their staffs and those staffs would, in turn, try to find and wake up their staffs… and no one would be able to find the original study or tell the President how and when it was done.

Because there was no study.

Winston Smith is currently working for a government contractor and may not be back in government proper for a year or two. He’s now an expert in Arctic tundra reclamation policy. He doesn’t even remember what word he thought was better than “unpolluted sprockets” back when he was a computer network security expert, before the government contractors rebranded network security as “Cyber” so they could jack up their per diems, scan congressmen for opportunities to fill white space in 1000-page bills, probe DHS with cybersecurity concepts, target DOD for billion dollar firewall upgrades, give those timid NSA loafers the willies with horror stories about unauthorized users, and attack the ongoing problem of how to move money out of the pockets of working people and into report-writing employment and lively conversation over drinks and good food at the finest dining establishments in Washington, D.C.

If there had been a count of something, none of the government/contractor people you see quoted in the papers and blogs would know what was counted, or how.

But the fact is, no one ever counted anything. Six million whatevers a day, 250,000 whatevers an hour, 360 million whatevers a year… it doesn’t matter. It’s all bogus. And I have a citation for that. --> [9]

PB

——-

[1] http://en.wikipedia.org/wiki/Raytheon
[2] Foreign Affairs, September/October 2010, “Defending a New Domain”
[3] Bill Lambrecht, LA Times, June 24, 2010, “U.S. is busy thwarting cyber terrorism — The government and defense contractors are in a constant battle against computer attacks” http://articles.latimes.com/2010/jun/24/business/la-fi-cyber-terrorism-20100624
[4] Gen. Keith Alexander, Director, National Security Agency, Commander, U.S. Cyber Command, Thursday, June 3, 2010, speaking to the Center for Strategic and International Studies (CSIS)
[5] Sean Lawson blog post at Forbes.com: “Just How Big Is The Cyber Threat To The Department Of Defense?” Jun. 4 2010. http://blogs.forbes.com/firewall/2010/06/04/just-how-big-is-the-cyber-threat-to-dod/
This is not the only place that references Gen. Alexander’s testimony. Sean has also put together some interesting quotes that capture the muddled-terminology situation. What I’m prone to say with war-painted, spear-shaking unruliness, he conveys in a gentlemanly way: “The contradictions between this and previous statements of the threat, both by Alexander and others, combined with continued confusion over the definition of key terms, points once again for the need to more clearly articulate the cyber threat if we are to develop appropriate policy responses.”
[6] Joel Connelly, “Cyber attacks: The next big security threat?” Seattle Post Intelligencer, April 11, 2010 http://www.seattlepi.com/connelly/418225_joel12.html
[7] Yochi J. Dreazen and Siobhan Gorman, “U.S. Cyber Infrastructure Vulnerable to Attacks” Wall Street Journal, May 6, 2009. http://online.wsj.com/article/SB124153427633287573.html
[8] Steve Gibson, grc.com, SecurityNow, SpinRite, the Portable Dog Killer and other useful endeavors.
[9] https://pmbarry.wordpress.com/2010/10/30/unpolluted-sprockets-1/


Education and Learning #1

“Most of my chess growth came from studying my losses very deeply…” –Josh Waitzkin

This Authors@Google interview with Josh Waitzkin lasts about an hour. He talks about chess, martial arts, learning. It is a little abstract, with a sprinkling of Oriental philosophy, sometimes on the edge of flakiness — but not quite over the edge. I follow him, even when he talks about playing 40 games of chess with 40 opponents at one time, moving from board to board, and all of the games somehow converge in his mind into a single big game, in which each board is a part…

What he says about loss and failure — rather, the importance and value of loss and failure — must feel like a surprise bee sting to a lolling, complacent education establishment wanting to ensure that no child is left behind, that every student succeeds, that Self Esteem is forever protected and pampered.

Self esteem is all very well in its own place, alongside other “self” stuff, like self-deception and selfishness, but with respect to education, what if real growth in skills, knowledge and understanding depends on failure, loss and pain?

Josh Waitzkin doesn’t so much make a case for the importance of failure, he simply testifies to his own experience: “I hardly remember the wins… what I remember are the losses…” And he makes connections between seemingly different failures in different areas of life…

I’m a programmer[1], and if I look at programming in a certain light, I see that what I do when I attack a problem is fail my way through it.

In programming, failure happens at every level, from the whiteboard planning to the last lines of svn-committed code, and even beyond, as bugs are discovered by users.

Try something. It doesn’t work. Examine the failure and what you did. Try something else. It doesn’t work. Examine the failure and what you did. Try something else… Pretty soon it works and you move on to the next iterations of try-fail-examine.

With energetic debate as the soundtrack, whiteboard lists, illustrations, boxes and arrows are erased and new ones fill the space. While coding, methods are written, then moved, then split into new methods; lines are written, then deleted, replaced by new lines in different places. The erasing, moving, splitting, deleting, replacing… all articulate on instances of failure.

It’s not just failure. It’s failure followed by study of the failure. If contemporary pop education were to suddenly stand on its head and junk all the self esteem rubbish — let students fail, tell them plainly they’ve failed, and when necessary, contrive to make them fail — that would not, in itself, improve learning. But it would create a context in which great learning is possible.

Take a picture of this:

A professor introduces himself on the first day of class and says, “This is a two semester course. Every one of you in this room will fail the first semester.

“If you are really sharp, learn the material, solve the problems I give you to solve… I’ll give you more material and tougher problems. Solve those and you get even tougher problems. The problems will keep coming until you get one that can be solved by someone, but you can’t solve it, even when you stay up all night, then miss fall break to work on it.

“You will fail this semester.”

[Even the burnouts at the back of the room are awake and sitting up straight.]

The professor continues: “In this semester, although you will fail, by the end you will be able to analyze a problem, develop a coherent plan, and write respectable code to solve the problem. You’ll be valuable to an employer because of your analytical and programming skill. But the main thing you must learn this semester is how to study your own failure.

“That’s what we will do in this class: Study failure. Learn to describe it accurately and completely. Learn to break a failure into its components and analyze each component, figure out how 3 or 4 small components of a failure work together to cause a single big failure… But not just any failure. Your failure. Not the failure of other people, in other places, or in history. You will study your own failure, and in that you will become an expert.”

hmm… That sounds like a class that would be worth taking. For credit.

What if we take the word “chess” out of Josh Waitzkin’s quote above?

“Most of my __________ growth came from studying my losses very deeply…”

Take that as a starting point for an approach to learning and education. Build a course of study on that concept. What does it look like?

PB

Kings of Convenience: Failure

——-

[1] QA Software Engineer, to be more specific


stuxnet #4

Glance over this quote from a (useful) Symantec blog dissection of Stuxnet. Or, if it seems too dense, just look back as I refer to it below:

To access a PLC, specific software needs to be installed; Stuxnet specifically targets the WinCC/Step 7 software used for programming particular models of PLC. With this software installed, the programmer can connect to the PLC via a data cable and access the memory contents, reconfigure it, download a program onto it, or debug previously loaded code. Once the PLC has been configured and programmed, the Windows machine can be disconnected and the PLC will function by itself.

Let’s say I’m a programmer in a gas plant or power plant or water plant… No, scratch that. I’ll be a programmer in a nuclear research facility with live reactors. What I’ll do is connect my laptop to the PLC via a data cable. I can then “access the memory contents” of the PLC. I can “reconfigure it.” I can “download a program onto it.” I can “debug previously loaded code.”

That last is especially important, right? Because yesterday I hooked my laptop up to the nuclear reactor management PLC and made a couple of changes. Today, some engineering guys who work closer to the core than I do are complaining that it seems to be running a little hot. In fact, a fly landed on the cool side of a heat shield and instantly shrivelled and vanished in a wisp of smoke.

I hook up my laptop to the PLC and check what I did yesterday. Hmmm… it does look like I might have fat-fingered an extra couple of zeroes when I was multiplying z. Should be 10*z, not 1000*z. No wonder she’s cookin’ flies today!

I fix that, then do a little debugging on a problem I’ve been kicking around for a week, something causing weird voltage spikes for about 30 seconds every hour.

Try something… hit enter. No, that’s wrong. Try something else… hit enter. Still wrong. Try again… Bingo. That’s it. Should run smoothly now. No meltdown today! I wonder what they’re serving in the cafeteria…

Even if you have no experience of software development, you will know that picture is completely absurd. If a programmer in a nuke plant can access live code that impacts the running of the plant — so he can “reconfigure it” or “download a program onto it” or (heaven forbid!) “debug previously loaded code” — why would anyone spend a lot of time and effort creating a souped up internet worm like Stuxnet to take out this nuclear plant?

Give it a little time; it will take itself out.

I haven’t yet seen a good explanation for why commonplace software development and release processes would not have stopped Stuxnet in its tracks well short of access to any live code running a plant. All the reporting is about how clever Stuxnet is at propagating, or hiding in Windows, or hiding in PLC code. But that’s not where the challenge lies for a worm intended to take down a plant.

I feel like I’m in a class where the professor just spent an hour filling the board with equations, diagrams and proofs, concluding with, “…and then magic happens, and we have 42.”

Eh?

What is lacking in what I’ve read about Stuxnet is a coherent explanation for how it could cause evil code to move from a developer’s PC to “production” or “release” or whatever they call it in an industrial plant. Absolutely nothing that I’ve seen written about Stuxnet so far makes me think this clever worm had any chance whatsoever to damage a nuclear plant by changing code controlling the plant operations.

When a programmer changes code for a system, he or she is working on a copy of the code base that will not be installed for use anywhere until it jumps a series of hurdles — none of which Stuxnet could jump.

New code, or a code change, doesn’t go from a developer’s machine directly into production. It is reviewed. And it is tested first in an environment that simulates the deployed environment. Code never moves directly from a developer’s machine into production at all. He (can’t be “she” in Iran) checks code into source control as flat text, diff-able and reviewable, and as code moves toward deployment, it is checked out of source control onto other machines by other people.

The Symantec writer talks casually about a programmer working on a PLC who can “debug previously loaded code.” Do you think the programmer debugs code on a PLC running the plant? Do you change the oil in your motorcycle at a nice cruising speed, headed south on Lake Shore Drive?

I’ve debugged a lot of code over the years, I’ve lived in the world of code debugging, and I will assure you that no programmer in Iran or North Korea or any other place, however weird or backward, will be debugging running production code in a nuclear power plant, or debugging production code in any plant that does something more complicated than smash tree stumps into pulp.

Debugging is done off to the side of production. Debugging can be a tedious trial-and-error process that takes a while, and would be highly disruptive (to put it mildly) for anyone depending on the code to be doing something. When problems are found, the solutions are tested… still off to the side of production.

Someone may say, “Don’t you think that where fanatical towelheads and raving nutcases run things the engineers are probably blockheads who don’t know anything about normal software development processes?”

No, I don’t think that.

The Iranians have reached a place where there is international concern about what they are doing with their nuclear research. They didn’t get where they are with blockhead engineers.

Much of the fuss about Stuxnet hinges on a Bogus Myth that between the developer writing or debugging code on an infected machine and absolute control of a nuke plant is… nothing… No code review. Nothing is checked into source control as flat text and tagged. There’s no QA. No testing. No bugs are ever filed. There is no staging environment that mirrors production. For new code there are no smoke tests. No sanity checks. No regression testing. There’s no configuration management of key machines. Emails don’t go out to a wide audience of engineers 7 days before, then 3 days, then 24 hours before a change is pushed to production. And of course there’s no redundancy for production control — an independent control path, if control code running in production doesn’t seem to be doing what it should; and no redundancy in monitoring; and no way to instantly roll back a change that breaks something…

Bogus Myth.
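What one of those hurdles looks like in code, as an added example (mine, not from the post and not from Symantec’s write-up): the reviewed, tagged revision of each PLC block gets its hash recorded in a manifest that the release process signs, and the same comparison runs twice, once before anything is downloaded to the controller and once afterwards, reading the blocks back. Block names follow the Step 7 OB/FC convention; the bytes, the tag name and the signing key are constructed placeholders, not real controller code. The scenario in demo() is the one this post describes: a block quietly edited on the developer’s machine, plus a block nobody reviewed, arriving at the gate.

```python
import hashlib
import hmac
import json

# Constructed placeholders for PLC program blocks as exported from source control
# at the reviewed, tagged revision. Names follow the Step 7 OB/FC convention; the
# bytes are arbitrary stand-ins, not real controller code.
REVIEWED_BLOCKS = {
    "OB1":   b"ORGANIZATION BLOCK 1: main cycle (constructed placeholder)",
    "FC100": b"FUNCTION 100: scale z by 10 (constructed placeholder)",
}

# Placeholder signing key held by the release process, never by developer workstations.
RELEASE_KEY = b"placeholder-release-key-replace-in-real-use"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _manifest_body(manifest):
    """Canonical bytes covered by the signature: tag plus sorted block digests."""
    return json.dumps({"tag": manifest["tag"], "blocks": manifest["blocks"]},
                      sort_keys=True).encode()


def build_manifest(blocks, tag, key):
    """At review/tag time: record and sign the digest of every approved block."""
    manifest = {"tag": tag,
                "blocks": {name: sha256_hex(data) for name, data in blocks.items()}}
    manifest["mac"] = hmac.new(key, _manifest_body(manifest), "sha256").hexdigest()
    return manifest


def verify_manifest(manifest, key):
    expected = hmac.new(key, _manifest_body(manifest), "sha256").hexdigest()
    return hmac.compare_digest(manifest.get("mac", ""), expected)


def gate(manifest, candidate_blocks, key):
    """Compare a candidate block set against the signed manifest.

    Run before download (refuse anything that is not the reviewed revision) and
    again after download, on blocks read back from the controller. Returns a list
    of problems; an empty list means the candidate matches the reviewed revision.
    """
    if not verify_manifest(manifest, key):
        return ["manifest: signature check failed; refuse to deploy"]
    problems = []
    for name, digest in manifest["blocks"].items():
        if name not in candidate_blocks:
            problems.append(f"{name}: missing from candidate")
        elif sha256_hex(candidate_blocks[name]) != digest:
            problems.append(f"{name}: differs from reviewed revision {manifest['tag']}")
    for name in candidate_blocks:
        if name not in manifest["blocks"]:
            problems.append(f"{name}: not in reviewed manifest")
    return problems


def demo():
    """Constructed scenario: clean candidate passes; altered one and forged manifest do not."""
    manifest = build_manifest(REVIEWED_BLOCKS, "rel-2010.10-reviewed", RELEASE_KEY)
    clean = gate(manifest, dict(REVIEWED_BLOCKS), RELEASE_KEY)

    altered = dict(REVIEWED_BLOCKS)
    altered["FC100"] = b"FUNCTION 100: scale z by 1000 (constructed placeholder)"  # edited on the workstation
    altered["FC999"] = b"FUNCTION 999: block nobody reviewed (constructed placeholder)"
    caught = gate(manifest, altered, RELEASE_KEY)

    # Rewriting the manifest to bless the altered block fails without the release key.
    forged = dict(manifest)
    forged["blocks"] = dict(manifest["blocks"], FC100=sha256_hex(altered["FC100"]))
    forged_result = gate(forged, altered, RELEASE_KEY)
    return clean, caught, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "altered", "forged manifest"), demo()):
        print(label, "->", result or "OK")
```

One caveat that follows from the post’s own description of the worm hiding in PLC code: the post-download audit is only as honest as the path it reads the controller through. If the read-back goes through the same engineering workstation that did the download, a compromised tool on that workstation could answer with the expected bytes, so the audit read should come from a host independent of that workstation, and the manifest and key should live with the release process, not on developer machines.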

For Stuxnet, the main problem isn’t how to hide in Windows or spread in Windows-heavy networks, or conceal itself in PLC code and alter that code — the main problem is how to get from any development machine to production — anywhere.

And as far as I can see, the primary evidence that Stuxnet was sponsored by a government is this: It’s a technical marvel that, marvelously, doesn’t take into account the main problem. It’s a bridge to nowhere.

PB

[1] The Symantec publications related to Stuxnet are outstanding. They are focused on the worm itself, not on workflow and processes in a potential target facility. To review the processes, someone would have to know what they are — and that’s not known. In its context, the Symantec writer’s comment about debugging is quite reasonable. I’m sure Nicolas knows how debugging works.
