unpolluted sprockets #1

One thing I like about Wikipedia is the little “citation needed” inserts reminding the reader, in effect, “Here we have a statement of fact which has been made without supporting evidence.”

For instance, this is from the Raytheon article[1]:

Raytheon Professional Services (RPS) is a global leader[citation needed] in training services and learning outsourcing for over 75 years.[citation needed]

Raytheon is the company where William J. Lynn III worked as a lobbyist before he was made Deputy Secretary of Defense in the current administration.

A citation doesn’t make the fact asserted true, it just means there is some kind of evidence for the assertion that anyone is free to check out. That evidence might be strong or weak, and the reader probably won’t bother to check it anyway, but the presence of a citation makes a statement of fact, in some way, verifiable.

In Foreign Affairs, essays are not required to have footnotes, much less “citation needed” flags, so in comparison to Wikipedia, the reading experience of FA is superficial.

In Mr. Lynn’s Foreign Affairs essay[2], “Defending a New Domain” he says this:

Every day, U.S. military and civilian networks are probed thousands of times and scanned millions of times.

Citation needed, right?

None supplied.

This sounds like a variation on the 6-million-attacks-a-day (on Department of Defense networks) assertion that is part of the template for people writing for or speaking to technically non-literate audiences. This example from Bill Lambrecht:

The new head of the U.S. Cyber Command, Gen. Keith Alexander, revealed this month that Pentagon systems are attacked 250,000 times an hour, 6 million times a day.[3]

No citation available for Mr. Lambrecht’s assertion either. Which is a shame, because I’d like to know if Gen. Alexander really said Pentagon systems are “attacked” 6 million times a day in some context I’m not familiar with, or if Mr. Lambrecht spiced up his column by carelessly swapping in the word “attack” for what Gen. Alexander really did say:

DOD systems are probed by unauthorized users approximately 250,000 times an hour, over 6 million times a day.[4]

I’ll bet that Gen. Alexander chose the word “probed” deliberately when he was speaking to CSIS, and I will further bet that he consciously avoided using the word “attack” in characterizing what was happening 250,000 times an hour, 6 million times a day to Pentagon systems. In his Senate confirmation hearing, Gen. Alexander specifically said that “probes” are not “attacks”.[5] For military guys, the word “attack” is loaded with all kinds of baggage completely unknown to those who use the same word in a network security context.

Another variation uses “targeted”:

When asked how often the federal government’s computers get targeted or probed each day, defense specialist Rep. Adam Smith, D-Wash., curtly responds: “North of a million times.”[6]

Here’s another:

The Pentagon’s top information-security official, Robert Lentz, said the Defense Department detected 360 million attempts to penetrate its networks last year, up from six million in 2006. [7]

Hmm… “Attempts to penetrate” DOD networks? How is a single attempt identified for the purpose of counting? When a Facebook scraper works for weeks putting together information for a spear-phishing attack on a Navy Admiral, to craft an email with a link in it he will foolishly click… Will all those HTTP GETs and POSTs at Facebook and elsewhere, plus the email to the Admiral, count as just one attempt to penetrate a DOD network? With a number in the hundreds of millions, there must be an automated way of counting. How do they count? What do they count?

Mr. Lynn has some vague numbers, “thousands” and “millions”, for probes and scans respectively. But what is a “probe”? What is a “scan”? Do his IT guys parse router logs into “probes,” “scans” and “other,” based on what protocols are used, what ports are queried, what the source IPs are?

Gen. Alexander has more precise numbers for “probes” by “unauthorized users” (250,000/hour, 6 million/day). But what, pray tell, is an “unauthorized user”? If these numbers come from router logs, what distinguishes an authorized user from an unauthorized user?


$ ping nsa.gov
PING nsa.gov ( 56 data bytes
92 bytes from icmp_type=3 (Dest Unreachable) icmp_code=3
92 bytes from icmp_type=3 (Dest Unreachable) icmp_code=3
92 bytes from icmp_type=3 (Dest Unreachable) icmp_code=3

----nsa.gov PING Statistics----
46 packets transmitted, 0 packets received, 100.0% packet loss

I just pinged NSA at nsa.gov. DNS resolved the name to, but that IP doesn’t answer to ping so I get a “destination unreachable” response from a router closer to my NIC.

My ping put a line in a router log at NSA for an ICMP echo request from my IP that was dropped. Will that line count as a “probe” or is it counted as something else (like, “blog post demonstration” :-)? Since we don’t know what a probe is, we can’t know what kinds of IP traffic are not probes.

If my ping is a probe, it can’t count as coming from an unauthorized user. I authorized it myself, so I know it was authorized. But how will the light-starved gnomes counting probes deep in the catacombs beneath Ft. Meade know my ping was authorized? Do they flip coins?

Logs can be mined for data that will sort inbound traffic into “solicited” and “unsolicited” buckets (ICMP echo requests are always unsolicited, by the very nature of the protocol). But “authorized” and “unauthorized” categories have no technical meaning. Do they have any meaning at all?
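To make the counting question concrete, here is an added example (not from the original post, and not anyone's actual tooling) that sorts a constructed log into solicited and unsolicited inbound packets and then counts the unsolicited ones three different ways. The log format, addresses and function names are all assumptions made up for the illustration.

```python
from collections import namedtuple

# Constructed sample log (hypothetical format, not from any real router):
# epoch-seconds direction protocol src:port dst:port
SAMPLE_LOG = """\
1000 out tcp 10.0.0.5:40001 198.51.100.7:443
1001 in tcp 198.51.100.7:443 10.0.0.5:40001
1002 in icmp-echo-request 203.0.113.9:0 10.0.0.1:0
1003 in icmp-echo-request 203.0.113.9:0 10.0.0.1:0
1004 in icmp-echo-request 203.0.113.9:0 10.0.0.1:0
1010 in tcp 192.0.2.44:51000 10.0.0.5:22
1011 in tcp 192.0.2.44:51001 10.0.0.5:23
1012 in tcp 192.0.2.44:51002 10.0.0.5:80
1020 in udp 192.0.2.80:5353 10.0.0.5:1900
"""

Packet = namedtuple("Packet", "ts direction proto src dst")

def parse(log):
    for line in log.splitlines():
        ts, direction, proto, src, dst = line.split()
        yield Packet(int(ts), direction, proto, src, dst)

def split_solicited(packets):
    """Inbound traffic is 'solicited' only if it answers an earlier outbound flow."""
    outbound, solicited, unsolicited = set(), [], []
    for p in packets:
        if p.direction == "out":
            outbound.add((p.proto, p.src, p.dst))
        elif (p.proto, p.dst, p.src) in outbound:
            solicited.append(p)    # reply to a flow we opened
        else:
            unsolicited.append(p)  # includes every ICMP echo request
    return solicited, unsolicited

def count_probes(unsolicited):
    """Same traffic, three counting units; which one is a 'probe' is a policy choice."""
    host = lambda endpoint: endpoint.rsplit(":", 1)[0]
    return {
        "per_packet": len(unsolicited),
        "per_source_and_target_port": len({(host(p.src), p.dst) for p in unsolicited}),
        "per_source_address": len({host(p.src) for p in unsolicited}),
    }

if __name__ == "__main__":
    solicited, unsolicited = split_solicited(parse(SAMPLE_LOG))
    print(len(solicited), "solicited;", count_probes(unsolicited))
```

Nothing in the log says which of the three totals is the number of “probes”, and no field in it could mark a source as “authorized”.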

Alas, the transcript for Gen. Alexander’s talk doesn’t have citations, so his “unauthorized users” just get stirred into the soup of nebulous terminology along with “attacks” and “probes” and “scans” and “attempts to penetrate” and “targeted computers” — and when someone who doesn’t know much about how the internet works, or about network security, wants to say something to impress an audience which also doesn’t know much… he just dips in a ladle and serves up a big helping of whatever soup mush happens to be near the top.

Probably, these people are talking about nothing more than what we think of as the Background Noise of the Internet, what Steve Gibson calls Internet Background Radiation.[8] Anyone who wants to watch random unsolicited packets from the Internet bouncing against a home router can see it. Dozens of log entries an hour. Unless it’s a hobby for you, you don’t watch. Router logs just aren’t that fascinating. Ten or 12 years ago IBR was interesting and something of a novelty for many people (me included). But now it’s just raindrops on the roof. Who cares?

Well, the lobbyists-presently-in-government and the lobbyists-presently-lobbying care, possibly because it looks to them like there’s a lot of unguarded money ready to be bagged and trucked off for those who can spin up a fun “cyber” story. The 6-million-attacks-a-day bit is how a good cyber story always begins, just like, “Gather round children and I’ll tell you about…”

You’re thinking, “Someone must have counted something; surely, if there’s a number someone, sometime, somehow must have counted something? Or if they didn’t count they had a statistically validated method of estimating?”

Ah… Wouldn’t it be nice to have a citation? — a reference to some document or web page to check, so we could see when the count was done (if it’s not ongoing), how it was done, what was counted, how the categories were defined…

Wouldn’t it be nice…

Here is the simple truth concerning the 6-million-attacks-a-day assertion, in all its protean forms:

No one has ever counted anything.

Sometime back in the 90s a low-level Pentagon bureaucrat named Winston Smith overheard a couple of techies from the server room talking about unsolicited packets in the logs — “…1,012 hits between 0100 and 0200 from who-knows-where…” and later that day, helping his report-producing boss prepare a report for some other report-producers, Winston did a quick calculation: “With 249 other offices big enough to rate an auto-grind coffee machine like ours, that’s 250 times 1,012… but just to be conservative, let’s say 1000… that’s 250,000 an hour… But what was it they called them? Unpolluted sprockets? That’s too technical…”

This morphed from an overhead projector transparency into a PowerPoint slide, was copied into another slide deck, then another, then it became part of the standard intro to hundreds of PowerPoint presentations, was copy-pasted into reports, repeated with a straight face at news conferences, adjusted to fit preferences for the nuance of one word over another (“probe” vs. “attack”), merged into the President’s teleprompter stream… and in the course of time, came to be believed by a generation of those in the greater Washington government-and-contractor community: “…and so, children, that is how the rabbit lost its tail.”

None of the people quoted above could tell you one important difference between UDP and TCP, or between telnet and ssh, or how sha256sums are used to know when a file changes — technical concepts so basic that in 2010, they are arguably not even technical any more.

At a higher level, they don’t know why it is that the vast majority of network (a.k.a. “cyber”) security challenges today, approaching 100%, come from solicited packets, not unsolicited raindrops-on-the-roof packets. If you probe Gen. Alexander, he won’t be able to tell you what a probe is, or how probes are counted. Given as much time as he likes to scan his notes, William J. Lynn III will not be able to tell you the difference between a scan and a probe.

If you questioned them, even trivially, this generation of talkers and report-producers would not be able to define clearly and consistently their own words. And if President Obama brought the whole lumbering, obese government to a blubbery, wobbling halt, demanding to know, “Where does this 6 million probes a day number come from?” — no one would be able to tell him. Gen. Alexander would ask his staff, and they would turn around and ask their staffs and those staffs would, in turn, try to find and wake up their staffs… and no one would be able to find the original study or tell the President how and when it was done.

Because there was no study.

Winston Smith is currently working for a government contractor and may not be back in government proper for a year or two. He’s now an expert in Arctic tundra reclamation policy. He doesn’t even remember what word he thought was better than “unpolluted sprockets” back when he was a computer network security expert, before the government contractors rebranded network security as “Cyber” so they could jack up their per diems, scan congressmen for opportunities to fill white space in 1000-page bills, probe DHS with cybersecurity concepts, target DOD for billion dollar firewall upgrades, give those timid NSA loafers the willies with horror stories about unauthorized users, and attack the ongoing problem of how to move money out of the pockets of working people and into report-writing employment and lively conversation over drinks and good food at the finest dining establishments in Washington, D.C.

If there had been a count of something, none of the government/contractor people you see quoted in the papers and blogs would know what was counted, or how.

But the fact is, no one ever counted anything. Six million whatevers a day, 250,000 whatevers an hour, 360 million whatevers a year… it doesn’t matter. It’s all bogus. And I have a citation for that. --> [9]



[1] http://en.wikipedia.org/wiki/Raytheon
[2] Foreign Affairs, September/October 2010, “Defending a New Domain”
[3] Bill Lambrecht, LA Times, June 24, 2010, “U.S. is busy thwarting cyber terrorism — The government and defense contractors are in a constant battle against computer attacks” http://articles.latimes.com/2010/jun/24/business/la-fi-cyber-terrorism-20100624
[4] Gen. Keith Alexander, Director, National Security Agency, Commander, U.S. Cyber Command, Thursday, June 3, 2010, speaking to the Center for Strategic and International Studies (CSIS)
[5] Sean Lawson blog post at Forbes.com: “Just How Big Is The Cyber Threat To The Department Of Defense?” Jun. 4 2010. http://blogs.forbes.com/firewall/2010/06/04/just-how-big-is-the-cyber-threat-to-dod/
This is not the only place that references Gen. Alexander’s testimony. Sean has also put together some interesting quotes that capture the muddled-terminology situation. What I’m prone to say with war-painted, spear-shaking unruliness, he conveys in a gentlemanly way: “The contradictions between this and previous statements of the threat, both by Alexander and others, combined with continued confusion over the definition of key terms, points once again for the need to more clearly articulate the cyber threat if we are to develop appropriate policy responses.”
[6] Joel Connelly, “Cyber attacks: The next big security threat?” Seattle Post Intelligencer, April 11, 2010 http://www.seattlepi.com/connelly/418225_joel12.html
[7] Yochi J. Dreazen and Siobhan Gorman, “U.S. Cyber Infrastructure Vulnerable to Attacks” Wall Street Journal, May 6, 2009. http://online.wsj.com/article/SB124153427633287573.html
[8] Steve Gibson, grc.com, SecurityNow, SpinRite, the Portable Dog Killer and other useful endeavors.
[9] https://pmbarry.wordpress.com/2010/10/30/unpolluted-sprockets-1/

About pmbarry

One of these days a man's gonna walk up to you with a shoe on one foot and a boot on the other, and he's gonna tell you 'bout things you ain't never heard of.