Prius Shopping
Well, back to writing after a very long hiatus. My wife and I test drove the 2009 Prius on Sunday. Beyond the obvious gas mileage and inherent "greenness" of the car it has some cool gimmicks. My favorite is the video screen rear camera view when you are backing up (that alone would save me dings and dongs backing up. My favorite target is ornamental rocks). It also has a lot of room for a car that is basically a compact.
On the downside, it has the pickup of a moped going uphill and it scants heavily on trunk space.
The real practical issue is, at least right now, how does it make sense? I own free and clear two cars myself, a 2001 mini van and daddy's toy, a 2001 Z3 roadster. Being a homeowner with a family of four and sometimes six there is no way we will get rid of the van. Much as I conceptually hate the mini van, nothing else is quite as useful for moving around, say, a squad of girl scouts or a load of home improvement stuff from The Home Depot. The roadster is non negotiable, waited too long to have that baby and I plan to be buried in it like a modern day viking. With both paid off and with gas prices moderate, there is no way that it makes economic sense for me to buy another car for another decade.
So much for me. It is my wife that wants it, but in her case, she has a five minute commute to work and daycare. She drives a BMW sedan and has no interest in the mini van (unless, of course, she needs something moved, like a new dining room table from the store to our house.) Doing the math, she fills up about once a month, so she is not getting killed on gas, and the deal to offload the current car and get the new one will cost her more than she could save in the next four years.
I suppose if it were a hypercool ride, you could make the case just on "wanting" one. But, beyond the hybrid engine and that backup camera, it is pretty unimpressive.
So she is thinking about it.
Now, I will admit, one of these days the van will see its last, and I will need a new people and stuff mover, and gas is not going down anytime soon. So check back in a decade and I am sure you will hear a great story about the new and wonderful Hybrid (or might we be so lucky, plug electric) mini van that is mean, green and a load moving machine.
"We All Live in a Hacking Submarine..."
A bit of whimsy for your Monday morning.
In a previous article I explored the links between hacking and guerilla warfare. Today, to extend the metaphor of hacking as war by other means, let's take a look at how your garden variety computer malwarist is like a U-boat.
And, by analogy, what to do about them.
For you purists and experts, I am specifically talking about Diesel Electric boats and drawing historical parallels and lessons primarily from the record of World War I & II. This is not to say that there are not important lessons from modern submarine warfare, but a 21st-century Nuclear Attack Boat is an altogether much more lethal kind of fish. If hackers were like nuke boats, nothing in cyberspace would be safe.
Diesel electric submarines are small, independent hunters. They carry a powerful ship killing weapon, the torpedo. Their advantage is undetectability, it allows the submarine to choose the time, place and conditions of the attack. The sub would acquire the convoy while still at long range. It would plot the track of the targets and run ahead of the target track on the surface at night. Then, at dawn the submarine would dive and wait.
As the convoy approached it would set up the attack, choosing the juiciest targets and quietly setting up the firing solution, until all was ready. At best, the first indication of danger to the target ships was the wake of incoming torpedoes, more often it was the sound of the first torpedoes detonating.
After the first several ships were sunk, the escorting destroyers would race to the assumed position of the sub and begin to depth charge the predator while the convoy turned away at top speed. Sometimes the destroyers would get lucky, but most of the time the sub would survive a depth charging, which was little more than blindly dropping TNT filled cans set to detonate at the sub's assumed depth.
Most of the time, the sub would get away to celebrate victory and kill again.
Stealth was the key, stealth and the ability of a small ship to carry a load of ship killing weapons, the torpedo. Submarines used their invisibility, a lot of patience and a bit of luck to set up the attack precisely to inflict maximum damage with minimum risk to itself. It was this ability to hide that allowed what was otherwise a small, slow, and vulnerable ship to become a dreaded ship killer. In the case of the American submarine campaign against Japan, this dreaded ship killer was decisive, bringing the Japanese war economy to its knees.
Hackers pretty much follow the submarine model. Vulnerable if ever detected, they use stealth and devastating weapons to wreak havoc, choosing the time and place of their attacks, breaking off when frustrated or threatened. Then, reappearing in a different guise to attack the target from a different vector.
For both hacker and submarine, the advantages lie with the attacker in the context of the individual action. Given enough time and remaining undetected, the Hacker, if determined, will break through. Over time, the advantage is with the attacker, much like playing blackjack against the house. The good guys may win a few, may even have a winning streak, but in the end it's the house that gets everyone's money.
The Anglo Americans beat the German U-boats by realizing the fundamental nature of the conflict and by changing its basic framework. Using intelligence, aerial reconnaissance and Radio Direction finding to locate subs when they transmitted on their HF radios, the Allies began in effect to shrink the Atlantic. By having a general idea of submarine movements, convoys could be routed away from danger and hunter killer groups routed towards the submarines. Aerial patrols reduced the areas where submarines could operate on the surface in daylight, and after radar was invented, reduced surface operations even further. For a boat that had to re-charge its batteries every day that acted to seriously restrict range and speed.
By 1944, much of the Atlantic was off limits or very dangerous to the U-boat. It still had its advantage of stealth, but was unable to use it effectively. Moreover, more and more U-boats were destroyed before they even got close to a convoy.
The same kind of thinking needs to inform the whitehat community as we address the blackhat. If all we do is sit behind our firewalls and wait, we are like destroyer captains peering after periscopes in the gloom. What will have to come eventually is coordinated action between companies and their security groups. Not just attending the same conferences, but actual realtime coordination of detection and tactics to shut down hackers. We also need realtime strategic coordination, to begin the gradual process of denying safe zones of operation to the blackhat. Eventually, we need coordination with law enforcement to create methods to seek out and neutralize blackhat individuals and groups.
When hacking was defacing the occasional website, maybe it was amusing. Today the world runs on computers and their networks. We cannot adopt a defensive strategy if we are going to make cyberspace safe.
Six weeks, Twenty Lbs.
Ok, so your Doctor does your blood work and tells you that:
a. Your cholesterol is too high.
b. Your glucose numbers are a bit marginal.
Of course, the very next thing he tells you is that it is all about your weight. Now, you are a pretty active guy, lift and run, and you are convinced that the 210 lbs you carry are due to extra muscle and a bit of weight, and for crying out loud, you really are not that fat!
What is an engineer to do?
Well, I will give you a secret, forget Atkins and South Beach and all that other stuff. Here is what you do:
1. Trade in the biweekly beer for single barrel Kentucky Bourbon (Evan Williams is great), Gentleman Jack, or some good single malt scotch. Sip it straight from a brandy snifter after you have given the car keys to the designated driver.
2. Give up the mayonnaise. Switch from Half and Half to 2% milk for the coffee.
3. Trade the bread for a wheatberry/ ryeberry mix. You can put a little olive oil on it and season to taste and eat it by the truckload. Sun dried tomatoes are also good on this. Bottom line, you get carbs, fiber and a full belly, but because it is a whole grain your body has to work hard to get the carbs, so you have fuel to burn, but not a lot of sugars to drive insulin and fat production.
4. Back off on the red meat, though chicken and fish can be consumed as if you were a hungry Grizzly bear.
5. Add a big salad to your chicken/ fish dinner with the wheatberry side. Eat these three staples to your heart's content.
6. Get some moderate exercise.
7. Potatoes are fine. Keep around fruits and veggies and pack them down when you get hungry.
Three things will happen:
a. Weight will drop off you like a winter coat off a dog in spring.
b. You will never feel hungry.
c. Your wife will find a new found appreciation for your naked, thin body. This will be a very good thing.
Oh, and I suggest you add some non fat plain yoghurt to the mix. I also take a daily vitamin.
This worked like a dream. The weight is off and continues to stay off. I am not hungry and I can and do enjoy the occasional frozen yoghurt or dinner out.
Hey, we all have our tricks, and as a disclaimer, I am not a doctor or a nutritionist, this is just one man's opinion on something that worked for him. Your mileage may vary.
But for all you guys, if you are carrying an extra 20, time to get it off and keep it off. My dad is a heart patient, three bypasses and trust me, you do not want to end up like him.
Hackers and Guerrillas: Information Security and Lessons from History
Casually skim through any five books on hacking and information security the next time you are in the computer section of Borders. Guaranteed four out of five, if not all five, will explicitly draw comparisons between cyber security and military science. Titles like "Know Your Enemy" and "Cyber War", using terms like "attack", "reconnaissance" and "Defense in Depth". Business texts also tend to go a bit overboard with Sun Tzu and Clausewitz, almost as if General Electric should be building up armored divisions to launch their next marketing campaign.
In the case of Cyber Security, the analogies are not that far off. Truly, no one is getting bombed or strafed, and the worst casualties are blunted careers, defrauded banks, wasted time and the occasional prosecution. Still, malicious hackers and the opposed security teams are engaged in something more like war than say, a football game or competitive marketing. Consider that like war:
- There are targets defended by security groups and their attending systems.
- There are attackers attempting to breach these targets using their skill and systems.
- Breaching or disabling the system provides gain for the attacker and loss to the defender, even if the gain is the knowledge of the damage done to the target. It is a pure zero sum situation.
- The only rules are those imposed by the laws of nature and physics.
A few more minutes of thought would bring more parallels to light, but for now we can see the outline. Cyberwar really is cyber war.
One objection to this analysis may be that hackers have many motivations that are beyond simple economic gain. Max Kilger, Ofir Arkin and Jeff Stutzman, in their chapter on Profiling in the Honeynet Project's book, "Know Your Enemy", make the argument that hackers are driven as much by the societal imperatives of their counter culture as they are by the lure of ill gained credit card numbers. If war is politics by other means, and if politics are in the end driven by economics, how then do we understand the need for hackers to exploit simply to impress fellow hackers?
Interestingly, the answer may be found in another modern work, John Keegan's "The History of Warfare". That distinguished historian and scholar makes a lucid and compelling argument that war, much to the chagrin of the realists, is a cultural phenomenon that is not necessarily tied to realpolitik or the dismal calculus of loss and gain. If nations can go to war because the culture demands that men prove themselves on the field of battle, what is different about a hacker proving his skill in an elegant exploit that brings down an e-commerce site?
It is useful to those of us in the security community to think on what kind of war we are fighting. Military theorists spend much time studying the history of war as a way of understanding present and future conflict. Technology advances can morph the tactics and change the damage profile, but the fundamental principles remain surprisingly invariant across time, across space and across technology. Perhaps this is true because in the end, war is a human endeavor. If we can categorize modern hacking as a form of understood warfare, then at an operational and strategic level, we can use it as a model for our own actions and as a guide to solutions.
Simple reflection gives us a hypothesis, as it is obvious that hacking is not like the classic stand up fight between armies. (Though some days security professionals feel a lot like Custer at the Little Bighorn.) Malicious Hacking shares common characteristics with three conflict styles, guerilla war as practiced in the twentieth and twenty-first centuries, submarine warfare of the last eighty years and the Barbarian Raids of Ancient times. We will leave the ax wielding savages and the U-boats for another time and article, and focus on guerrillas.
Mao's book on guerilla war is the best basic reference on insurgencies. To paraphrase from Mao:
- Win the hearts and minds of the people
- Fight where the enemy is weak, retreat where he is strong
- Secure bases are critical
- Stay decentralized, cells are isolated from each other
- Strive to have better intelligence than the government
- Stay mobile, stay flexible. Use tactical innovation to counter government superiority in numbers and material
- Live off the enemy
There is more, but this is enough to draw some parallels to hacking. Mao saw the population as a sea and the guerilla as a fish that swam in that sea. Now, clearly the hearts and minds of the computer using populace are not with the hackers (except for maybe a few anarchist webzians) but in this case, it is not the mind of the owner that matters, but the processor of the computer.
Parallel One, hackers view the mass of poorly secured home and small office PCs as the populace to win and use. It is the "sea" that he swims in. Also, just as Mao sees the populace as a necessary source of supplies and intelligence, the hacker sees the home computer as a necessary source of processing power and storage. I learned this one some years back when, as a neophyte user of DSL, I found one day that my laptop was hosting, among other things, an IRC chat server.
Parallel Two of note is the need for secure bases. In every case, the insurgent invariably must set up secure base areas, preferably across an international border, where they can rest and re-supply away from the danger of the government security forces. For the hackers of today, that is often accomplished by being located in a country other than the one where the targets are located. In particular, the more dangerous, profit motivated hacking groups of recent years are located in countries where law enforcement is practically an impossibility (think former Eastern Bloc, China and India). In the US for example, there is always the possibility that a hacker in Connecticut could be tracked and prosecuted. If not a deterrent, at least this fact makes the hacker's job harder and forces more caution. A foreign based hacking gang can launch attacks with impunity, the only thing risked is time.
The rest of the list can be summarized in Parallel Three. Like the guerilla, the hacker adopts tactics to seize and keep the initiative, choosing the time and avenue of attack. He pursues and exploits weakness, when faced with strength or risk, he breaks off quickly, re-groups and starts probing for a new weak spot. This can be very frustrating and demoralizing for security forces and security departments alike.
It is possible to take the analogies too far, but clearly government security forces in an insurgency and information security teams face a similar nightmare scenario: immobilized behind static defenses in a hostile, or at least an insecure populace, waiting for the next attack from an enemy that has both initiative and a safe place of retreat. For the information security professional, in the new world of organized hacker crime networks, it presents a question not of if, but when they are going to be cracked, against a backdrop of ever-increasing hardware, software and personnel expense devoted to information defense.
What the study of counter insurgency does is give us a few new ways of thinking about information security. Firstly, it points out the potential ultimate futility of just investing increasing dollars and hardware to defeat a mobile, flexible attacker (think Viet Nam). Secondly, as counter insurgency experts have learned, victory is less about technology and more about properly addressing the strategic requirements of the insurgent. Let's focus on three concepts from counter insurgency and see how they can address computer security.
1. Deny the insurgent a friendly populace. For a security force, it means taking action to defend the populace from the insurgent, seeing to the populace's welfare and winning the people's hearts and minds away from the guerilla. From an information security perspective, the populace is the vast number of personal computers that are sitting, unprotected, on a broadband connection.
The state of the internet today results in most installations being improperly patched with poorly maintained or non existent anti-virus and firewall technology. This provides the hacking community with unlimited computing resources that can be used in sophisticated attacks against more valuable targets. These systems also provide a small source of easy revenue.
The web community needs to start moving these systems into defended and managed networks, much like a government would relocate populations to defended hamlets to better protect and provide for the populace. To be successful, any such policy should provide benefits to users for participation (better on line security, protection from hackers) and consequences for the user not taking steps to protect their machine. An example would be greater responsibility for losses incurred or caused due to improper protection.
AOL and Earthlink, among others, provide such services today. What is now needed is a concerted push by technology and financial companies to get the job completed, in a way that is both a net positive for the consumer and protective of their privacy rights. If every machine connected to an ISP was part of a Defended ISP Security Zone, hackers would be denied access to a critical resource.
2. Seal off the borders. The British succeeded in Malaysia partly because they could and did seal off insurgents from their cross border bases. In the same way, the web and financial community needs to incent countries that turn a blind eye to hacking to start taking computer crime seriously and act aggressively to close down hacking rings. This will be a very hard task that will take time. However, the community needs to start the work now. One step might be to devise a series of sanctions among ISPs and at a minimum get each country's ISPs serious about responding to intrusion attempts, blocking the sources and referring cases to law enforcement. If it seems like too much trouble, think about what you would do if thieves could rob your house and then just get across the county line to escape prosecution?
3. Take the initiative. The security community as a group needs to get off the defensive and on to the offensive. While counter-hacking attacks are a no-no, I think that the Honeynet project is an example of a good start and methodology. Another thing to Google is Microsoft's Honey Monkey project, where "Honey Monkey" machines crawl the web looking for and identifying websites that exploit or launch Spyware. What is needed is cross industry support, cooperation and perhaps legislation providing legal protection to Honeynet operators and incentives to companies to participate.
The final lesson of counter insurgency is the need for coordinating actions. Groups working in a vacuum or without a central strategy, no matter how well intentioned, will be only marginally effective and possibly counterproductive. Remember, the insurgent by definition seeks and exploits gaps in the security structure of a target country. Nothing creates gaps and wastes valuable resources like uncoordinated effort by the counter insurgent.
A great model for coordination is the VISA CISP program, where companies that want to utilize the VISA network must agree to, and be audited on, a standard set of security practices and policies. One can imagine a web e-commerce Association, led by major ISP and financial networks that could coordinate these kinds of policies across the web.
All of us that are on the internet for peaceful and beneficial reasons are smack dab in the middle of a guerilla war. If we want to be successful, we cannot just hide in our firebases while the bad guys run wild. We need to get coordinated, we need to take the initiative, we need to get the people into defended zones and starve the hackers, isolate them and shut them down.
Win Their Hearts and Minds
I am a Certified Information Systems Security Professional, courtesy of (ISC)2 and the passing of a very difficult exam. On one of the forums we have been bandying about a topic of interest. I wanted to excerpt part of one of my responses.
We are lethal in our commitment to security. We also are in business to get products and service to market, and I do not have to explain to anyone just how difficult that is in the tech business. I need to keep this bunch of genius geek lunatics happy and productive and avoid annoying their blessed Libertarian spleens. I have the benefit (or the curse) to have worn multiple hats in my career, and see the problem from several sides.
Like it or not, we in the high tech startup world balance security, operational effectiveness, market leadership and HR Morale issues every day. Not to mention injecting a healthy dose of "cool" into what we do (what the heck is the iMac at the end of the day but just plain cool?).......
....The deny/close/object to all mentality of some security groups in the end can be counter productive. In my Navy days, lots of people spent a heck of a lot of time and brain cycles trying to keep ship movements into and out of Subic Bay a "critical secret". Now, dear reader, choose what you think was the best way for a person in the "not need to know" category to go about compromising this information:
a. Space based Recon.
b. Passive monitoring of shipboard radio traffic
c. Human Intelligence activities directed against the Pentagon
d. Ask your favorite Subic Bay "escort".
If you chose d, you would more often than not have been right. It was a fool's errand, the girls had "boyfriends" on the ships and it was their business to know when and where the sailors were. They should have just published ship port calls in the local newspapers and spent the dollars saved in figuring out that the Walker Ring was in business a couple of years earlier.
Ok, soapbox over. I beg everyone's indulgence. The point remains the same. Your approach and solution has to match and support the business culture and culture often expresses not just preferences but real operational needs of the biz. To win the security war, systems and rules are not enough... you need to win the hearts and minds of your populace.
Hearts and minds, the key to winning at insurgency, or being a good counter insurgent. I have found that it is the key to most organizational success. This led me to thinking about computer security in a new way.
See my next post for more thoughts on that subject.
Libby Down, Rove to go
I am not a fan of the current administration, though I have to admit I voted for G.W. in his first election. Seriously, I felt that he was genuine and that the country needed a shift to the right. I believed that Colin Powell and Dick Cheney and the rest of his Dad's crew would give the country a solid team to lead the country in a new direction after the partisan warfare that marked the end of the Clinton administration.
Who could have known that I would be so wrong.
I still think that George II is probably an ok guy, but he clearly is in way over his head. Cheney is clearly the evil Dr No and if Karl Rove is not the anti-Christ, then he is part of the Posse of the Damned. Everything that this administration has touched has turned to merde, to the point where I am convinced that this is both the most corrupt and clearly the most inept administration since U.S. Grant was in the White House. Strangely, Grant and G.W. share the same basic fault, they put loyalty to friends and cronies far ahead of the national interest.
That, and Colin turned out to be something of a wussy. Now THAT was a surprise.
So here we have it. We are embroiled in a war that has no end in sight, scant support at home or abroad, led there for reasons that turn out to be faked, so faked that one if not two of the architects of the fiasco saw fit to use dirty and possibly illegal tricks to discredit an opposition voice.
We have a government that has consistently failed to protect us, first from the crooks at Enron and more recently from the lash of natural disaster.
Our budget deficits are out of control and our economy is under serious threat of a housing market meltdown that could make the Dot Bomb look like a holiday picnic.
Let's not mention that our Terrorism President has done more to embolden and inject life into the international terrorist movement than they could have done themselves, and our Energy President has left us at the brink of an energy crisis that also threatens our economy.
What have these guys done right?
What world have we inherited?
Created?
We had better start asking.
Back From Greece..and a Perspective From Art
Well, we are back. Two glorious weeks on the Greek islands, with stops in Athens and London. It was the best Honeymoon ever, made even better by the fact that I was with my honey. No doubt, I did very well in the wife department, she is a dream.
Impressions, in no particular order.
1. The wine dark sea is magic. The first time I dove in on Falasarna beach in western Crete was a baptism of joy. I will never forget that moment.
2. Santorini is like the Grand Canyon in that seeing it in person, your mind cannot completely process the image and you become convinced that it is some kind of movie special effect. Stayed at the Altana in Imerovigli, just up from Fira. We were in the VIP suite on the top of the caldera, the sunsets alone were worth the price.
3. Greek food is ok. We made lunches of Cretan cheese, olives and bread that were perfect. Dinner was often appetizers and Greek Salad and grilled Chicken or fish. The fish was way too expensive, but the rest was cheap and good. The coffee sucked.
4. I like Santorini wine and Ouzo.
Did I say that I like Ouzo?
5. I love seeing ruins, saw Knossos, the Acropolis, the temple of Demeter and of Apollo in Naxos, as well as a couple of Venetian forts and towers.
6. The Samaria gorge in Crete ranks with any I have hiked.
7. Nude and topless bathing is very civilized. We Americans are a prudish bunch, for no good reason.
There are a lot more, just a sample. It was lovely, it was memorable.
One last thought.
While wandering Santorini, we came across an art studio where the artist specialized in reproductions of ancient Minoan and Doric Greek art, using the materials and techniques of the originals. His work was authentic and beautiful. We spent some time looking at it, and for the first time in a life time of historical study, I was struck by something that I should have seen before.
The Minoan art was beautiful, scenes of nature and life, free flowing, peaceful, women and men going about their lives and religion in touch with the beauty around them. You wanted to move there and live with them.
Doric art, that of the high Greeks was also beautiful and technically brilliant.
I knew that, I had seen it before.
But it was all about conflict. Scenes of war, scenes of the hunt. Scenes of the race.
More scenes of war.
There is other art, like it, to be seen in Greece. In every shop you can find books and playing cards with vase representations of Greeks having sex. Greek Porn, Doric style.
And that is what it was, rough porn, scenes of men having sex with prostitutes.
The classical Greek culture was lofty, it was a bright star that gave us philosophy and science, rational thought and democratic ideals. We are who we are today because of the Greeks, and in that the world has gained much.
But the Doric Greeks also invented the tradition of close combat and battle to the death that marks the western way of war. Yes, the Assyrians were brutal, as were many Ancients, but war changed with the Greeks, and since them it has never been the same.
And as I was looking at those two artistic traditions, remembering all that I knew of what we had gained from the Greeks.
For the first time I found myself wondering what we had lost.