Saturday, March 14, 2020

Donald Trump on coronavirus

This timeline has been updated with Trump rallies and golf playing since (as of March 31, 2020) he is now trying to create a narrative that claims he was trying hard to address the pandemic early on, but was distracted by his impeachment. He was impeached by the House on December 18, 2019, and his Senate trial ran from January 16, 2020 to his acquittal on February 5, 2020.

July 2019: The Trump administration made the decision to eliminate the position of CDC's resident advisor to the U.S. Field Epidemiology Training Program in China, Dr. Linda Quick, in September 2019. She quit her job in July after receiving the news. (https://www.reuters.com/article/us-health-coronavirus-china-cdc-exclusiv/exclusive-u-s-axed-cdc-expert-job-in-china-months-before-virus-outbreak-idUSKBN21910S)

September 2019: The Trump administration ends PREDICT, a $200 million pandemic early warning program at the U.S. Agency for International Development, started in 2009 and aimed at training scientists in China and other countries to detect and respond to new viruses. During its lifetime, the project identified 1,200 viruses with pandemic potential. The PREDICT program involved 60 foreign laboratories, including the Chinese lab in Wuhan which identified SARS-CoV-2/COVID-19. (https://www.latimes.com/science/story/2020-04-02/coronavirus-trump-pandemic-program-viruses-detection)

January 8, 2020: The Centers for Disease Control (CDC) issues its first warning about a novel coronavirus now known as COVID-19.

January 9: Trump holds a campaign rally in Toledo, Ohio.

January 14: Trump holds a campaign rally in Milwaukee, Wisconsin.

January 16: The U.S. House sends articles of impeachment to the Senate, starting Trump's impeachment trial.

January 18: Secretary of Health and Human Services Alex Azar phones Trump at Mar-a-Lago to warn him about the risk of coronavirus, but "Even before the heath [sic] secretary could get a word in about the virus, Trump cut him off and began criticizing Azar for his handling of an aborted federal ban on vaping products, a matter that vexed the president." (https://www.washingtonpost.com/national-security/2020/04/04/coronavirus-government-dysfunction/)

January 18: Trump plays golf at the Trump International, West Palm Beach, Florida.

January 19: Trump plays golf at the Trump International, West Palm Beach, Florida.

January 21: CDC confirms first U.S. case of COVID-19. (https://www.cdc.gov/media/releases/2020/p0121-novel-coronavirus-travel-case.html)

January 22: "We have it totally under control. It's one person coming in from China. It's going to be just fine." (https://www.thedailybeast.com/trump-says-he-trusts-xis-word-on-coronavirus-its-all-under-control) 314 global cases in 4 countries, 309 China, 4 outside China (Thailand, Japan, South Korea).

January 26: Sen. Schumer calls on the Department of Health and Human Services for coronavirus to be designated a public health emergency. (https://www.politico.com/news/2020/03/30/how-coronavirus-shook-congress-complacency-155058)

January 27: Joe Biden writes an op-ed warning of the U.S.'s lack of preparedness for the coronavirus pandemic. (https://nymag.com/intelligencer/2020/04/nobody-expected-the-coronavirus-pandemic-joe-biden-did.html)

January 28: Elizabeth Warren releases a plan for "Preventing, Containing, and Treating Infectious Disease Outbreaks at Home and Abroad."

January 28: Trump holds a campaign rally in Wildwood, New Jersey.

January 30: Trump holds a campaign rally in Des Moines, Iowa.

February 1: Trump plays golf at the Trump International, West Palm Beach, Florida.

February 2: Trump plays golf at the Trump International, West Palm Beach, Florida.

February 2: "We pretty much shut it down coming in from China." (https://www.nytimes.com/2020/02/02/us/coronavirus-airports.html) 14,557 global cases in 23 countries, 14,411 China, 146 outside of China (WHO).  CDC starts sending out test kits in first week of February, which turn out to be faulty.

February 5: The U.S. Senate impeachment trial votes to acquit Trump on both articles.

February 10: "You know in April, supposedly, it dies with the hotter weather." Interview with Trish Regan, Fox Business. (https://factba.se/transcript/donald-trump-interview-trish-regan-fox-business-february-10-2020)  40,554 global cases in 24 countries, 40,235 China, 319 outside China, 12 U.S.

February 10: Trump holds a campaign rally in Manchester, New Hampshire.

February 15: Trump plays golf at the Trump International, West Palm Beach, Florida.

February 19: Trump holds a campaign rally in Phoenix, Arizona.

February 20: Trump holds a campaign rally in Colorado Springs, Colorado.

February 21: Trump holds a campaign rally in Las Vegas, Nevada.

February 23: Trump and the White House National Security Council are sent a memo from White House economic advisor Peter Navarro warning of a coronavirus epidemic in the U.S. which could kill up to two million Americans. (https://www.axios.com/exclusive-navarro-deaths-coronavirus-memos-january-da3f08fb-dce1-4f69-89b5-ea048f8382a9.html)

February 24: "The Coronavirus is very much under control in the USA... Stock Market starting to look very good to me!" Twitter. (https://twitter.com/realdonaldtrump/status/1232058127740174339)  Dow closes down 227.51 points at 28,992.40. 79,331 global cases in 29 countries, 77,262 China, 2,069 outside China, 35 U.S.  12 labs other than CDC can perform coronavirus testing.

February 25: "CDC and my Administration are doing a GREAT job of handling Coronavirus." (https://twitter.com/realdonaldtrump/status/1232492821501771776) 80,239 global cases in 33 countries,  77,780 China, 2,459 outside China, 53 U.S.

February 25: "I think that's a problem that's going to go away... They have studied it. They know very much. In fact, we're very close to a vaccine."  In India. (https://abcnews.go.com/Politics/trump-coronavirus-control-us-problem/story?id=69198905) The vaccine was, in fact, for Ebola, not COVID-19: https://www.cnbc.com/2020/02/25/white-house-says-trumps-vaccine-claims-about-ebola-not-coronavirus.html

February 26: "The 15 (cases in the US) within a couple of days is going to be down to close to zero." White House Press Conference. (https://www.whitehouse.gov/briefings-statements/remarks-president-trump-vice-president-pence-members-coronavirus-task-force-press-conference/) 81,109 global cases in 37 countries, 78,191 China, 2,918 outside China, 53 U.S.  First day with more new cases outside China than in China.

February 26: "So we’re at the low level.  As they get better, we take them off the list, so that we’re going to be pretty soon at only five people. And we could be at just one or two people over the next short period of time.  So we’ve had very good luck." White House Press Conference (same link as above)

February 26: "We're going very substantially down, not up." White House Press Conference (same link as above)

February 26: "Low Ratings Fake News MSDNC (Comcast) & @CNN are doing everything possible to make the Caronavirus look as bad as possible, including panicking markets, if possible. Likewise their incompetent Do Nothing Democrat comrades are all talk, no action. USA in great shape! @CDCgov....." Twitter. (https://twitter.com/realdonaldtrump/status/1232652371832004608)

February 27: "One day it's like a miracle, it will disappear." At White House. (https://www.cnn.com/2020/02/28/politics/donald-trump-coronavirus-miracle-stock-markets/index.html) 82,294 global cases in 46 countries, 78,630 China, 3,664 outside China, 59 U.S.  More new cases in Korea than China.

February 28: "We're ordering a lot of, uh, elements that frankly we wouldn't be ordering unless it was something like this. But we're ordering a lot of different elements of medical." At White House.  (https://twitter.com/atrupar/status/1233516512830459908) 83,652 global cases in 51 countries, 78,961 China, 4,691 outside China, 59 U.S.

February 28: Trump holds a campaign rally in North Charleston, South Carolina.

March 2: "You take a solid flu vaccine, you don't think that could have an impact, or much of an impact, on corona?" White House coronavirus task force meeting. (https://www.whitehouse.gov/briefings-statements/remarks-president-trump-members-coronavirus-task-force-meeting-pharmaceutical-companies/) 88,948 global cases in 64 countries, 80,174 China, 8,774 outside China, 62 U.S.  CDC removes number of tests completed from its website (474 on March 1). (https://www.theverge.com/2020/3/2/21161693/cdc-coronavirus-testing-numbers-website-disappear-expansion-us)

March 2: "A lot of things are happening, a lot of very exciting things are happening and they're happening very rapidly." White House coronavirus task force meeting, same as previous link.

March 2: Trump holds a campaign rally in Charlotte, North Carolina.

March 4: "If we have thousands or hundreds of thousands of people that get better just by, you know, sitting around and even going to work - some of them go to work, but they get better." (https://www.politico.com/news/2020/03/05/trump-disputes-coronavirus-death-rate-121892) 94,091 global cases in 76 countries, 80,422 China, 12,669 outside China, 108 U.S.

March 5: "I NEVER said people that are feeling sick should go to work." (https://www.politico.com/news/2020/03/05/trump-disputes-coronavirus-death-rate-121892) 95,324 global cases in 85 countries/territories/areas, 80,565 China, 14,759 outside China, 129 U.S.

March 5: "The United States... has, as of now, only 129 cases... and 11 deaths. We are working very hard to keep these numbers as low as possible!" Twitter. (https://twitter.com/realdonaldtrump/status/1235604572850343937)

March 6: "I think we're doing a really good job in this country at keeping it down... a tremendous job at keeping it down." At CDC. (https://www.whitehouse.gov/briefings-statements/remarks-president-trump-tour-centers-disease-control-prevention-atlanta-ga/) 98,192 global cases in 88 countries/territories/areas, 80,711 China, 17,481 outside China, 148 U.S.

March 6: "The tests are beautiful.... the tests are all perfect like the letter was perfect. The transcription was perfect. Right? This was not as perfect as that but pretty good." At CDC, same as previous link.

March 6: "I like this stuff. I really get it. People are surprised that I understand it... Every one of these doctors said, 'How do you know so much about this?' Maybe I have a natural ability. Maybe I should have done that instead of running for president." At CDC, same as previous link.

March 6: "I don't need to have the numbers to double because of one ship that wasn't our fault." At CDC, same as previous link.

March 6: "It’s something that nobody expected." (https://www.whitehouse.gov/briefings-statements/remarks-president-trump-vice-president-pence-members-coronavirus-task-force-press-briefing/)

March 6: "Everybody who wants a test can get a test." At CDC, same link as the CDC tour remarks above. In fact, tests are still hard to come by on March 23: https://thebulwark.com/where-are-the-tests/

March 7: Trump plays golf at the Trump International, West Palm Beach, Florida.

March 8: "We have a perfectly coordinated and fine tuned plan at the White House for our attack on CoronaVirus." Twitter. (https://twitter.com/realdonaldtrump/status/1236634209516752896) 105,586 global cases in 101 countries/territories/areas, 80,859 China, 24,727 outside China, 213 U.S.

March 8: Trump plays golf at the Trump International, West Palm Beach, Florida.

Prior to March 9: CDC wanted to recommend that people over 60 stay at home, but the Trump administration said no. (https://www.nbcnews.com/politics/white-house/mismanagement-missed-opportunities-how-white-house-bungled-coronavirus-response-n1158746)

March 9: "So last year 37,000 Americans died from the common Flu. It averages between 27,000 and 70,000 per year. Nothing is shut down, life & the economy go on. At this moment there are 546 confirmed cases of CoronaVirus, with 22 deaths. Think about that!" Twitter. (https://twitter.com/realdonaldtrump/status/1237027356314869761) 109,577 global cases in 104 countries/territories/areas, 80,904 China, 28,673 outside China, 213 U.S.

March 9: "And we have a great economy, we have a very strong economy, but this came -- this blindsided the world. And I think we've handled it very, very well. I think they've done a great job." Press conference. (https://factba.se/transcript/donald-trump-remarks-coronavirus-briefing-march-9-2020)

March 10: "Be calm. It's really working out. And a lot of good things are going to happen." Press conference. (https://twitter.com/joshtpm/status/1237453485899223040)

March 11: "Health insurers have agreed to waive all copayments for coronavirus treatments." Press conference. (https://twitter.com/owermohle/status/1237922717699014658) In fact, this only applied to tests, not treatments.

March 12: White House says neither Trump nor Pence will be tested for coronavirus despite contacts with people who have tested positive. (https://www.nytimes.com/2020/03/12/us/politics/trump-brazil-coronavirus.html)

March 13: Trump repeatedly shakes hands at White House coronavirus press conference, despite knowing that he has recently been exposed to people who have now tested positive for the virus.  (https://www.washingtonpost.com/politics/2020/03/13/trump-handshakes-coronavirus-press-conference/) 132,758 global cases in 122 countries/territories/areas, 80,991 China, 51,767 outside China, 1,264 U.S.  Dow closes the week at 23,185.62.

March 13: "I don't take responsibility at all." White House press conference, in response to question about whether Trump takes any responsibility for the failures in U.S. coronavirus testing. (https://www.politico.com/news/2020/03/13/trump-coronavirus-testing-128971)

March 13: Trump says he likely will be tested for coronavirus.  Same White House press conference. (https://www.cnn.com/2020/03/13/politics/donald-trump-emergency/index.html)

March 13 (evening just before midnight): White House doctor Sean Conley issues statement saying that Trump doesn't need to be quarantined or even tested for coronavirus because he is at low risk. (http://cdn.cnn.com/cnn/2020/images/03/14/whmemo.png)

March 14: "SOCIAL DISTANCING!" Twitter. (https://twitter.com/realDonaldTrump/status/1238824050924883968) CDC has tested 3,958 specimens (not individuals). 142,539 global cases in 135 countries/territories/areas, 81,021 China, 61,618 outside China, 1,678 U.S.

March 14: "It's something that nobody expected." (https://www.whitehouse.gov/briefings-statements/remarks-president-trump-vice-president-pence-members-coronavirus-task-force-press-briefing/)

March 14: Trump says he has been tested for coronavirus and is awaiting results expected in a day or two. (https://www.cnn.com/2020/03/14/politics/trump-press-conference-coronavirus/index.html)

March 14: New screening measures are introduced at airports, which lead to delays from processing bottlenecks and large crowds of people. (https://www.washingtonpost.com/transportation/2020/03/14/europe-travel-ban-airport-delays/)

March 15: The White House announces Trump has tested negative for coronavirus. (https://www.cnn.com/2020/03/14/politics/trump-press-conference-coronavirus/index.html) The Fed announces $700B in quantitative easing as stock market futures hit circuit breakers after a 5% drop.

March 15: "We're learning from watching other countries ... This is a very contagious virus, it's incredible, but it's something that we have tremendous control over." (https://www.cnn.com/2020/03/15/politics/fact-check-trump-control-coronavirus/index.html)

March 16: "That's not under control for any place in the world. ... I'm not talking about the virus." Press conference. (https://twitter.com/AaronBlake/status/1239637609309261826) 167,511 global cases in 151 countries/territories/areas, 81,077 China, 86,434 outside China, 1,678 U.S. (CDC count for U.S.: 3,487).

March 16: The Supreme Court announces that it is postponing its next argument sitting, for the first time since it did the same in 1918 due to the deadly global influenza outbreak.

March 16: "Respirators, ventilators, all of the equipment — try getting it yourselves." On conference call with U.S. governors. (https://www.nytimes.com/2020/03/16/world/coronavirus-news.html)

March 16: "It’s so contagious. It’s so contagious. It’s like record-setting contagious." White House press conference. (https://metro.co.uk/2020/03/16/donald-trump-admits-contagious-coronavirus-control-12407873/)

March 17: "I've always known, this is a real ... this is a pandemic. I felt it was a pandemic long before it was called a pandemic." White House press conference. (https://www.cnn.com/2020/03/17/politics/fact-check-trump-always-knew-pandemic-coronavirus/index.html) (https://twitter.com/atrupar/status/1239956622312701952) 179,112 global cases, 7,426 deaths (WHO), U.S. 4,226 cases, 75 deaths (CDC).

March 19: "You're actually sitting too close. You should really -- we should probably get rid of another 75%, 80% of you. I'll have just two or three that I like in this room." White House press conference. (https://twitter.com/ddale8/status/1240678632361807873)

March 19: "I only signed the Defense Production Act to combat the Chinese Virus should we need to invoke it in a worst case scenario in the future. Hopefully there will be no need, but we are all in this TOGETHER!" Twitter (https://twitter.com/realDonaldTrump/status/1240391871026864130) Trump didn't sign the Defense Production Act, which was signed into law in 1950 by Harry S Truman, who, as Kevin M. Kruse noted in response to this tweet (https://twitter.com/KevinMKruse/status/1240446891055251457), famously said "the buck stops here," rather than the "I don't take responsibility at all" of this president. As of March 23, Trump still hasn't invoked the Defense Production Act. 209,839 global cases, 8,778 deaths (WHO), U.S. 10,442 cases, 150 deaths (CDC).

March 20: Yamiche Alcindor asks Trump at his press conference: "When will everyone who needs a coronavirus test be able to get a test?" Trump's response: "No-one is talking about this except you, which doesn’t surprise me." Alcindor: "What about people w/ symptoms who cannot get a test?" Trump: "Yeah, well, OK. I’m not— I'm not hearing it." (https://twitter.com/Yamiche/status/1241056026872426496) 234,073 global cases, 9,840 deaths (WHO), U.S. 15,219 cases, 201 deaths (CDC). Tests done to date:  CDC: 4,524, public health labs: 49,681, commercial labs: 88,000. (https://twitter.com/davidalim/status/1241111313935458305)

March 20: "We haven't been given the credit we've deserved." White House press conference. (https://twitter.com/atrupar/status/1241054458525765634)

March 22: "Ford, General Motors and Tesla are being given the go ahead to make ventilators and other metal products, FAST! @fema Go for it auto execs, lets see how good you are? @RepMarkMeadows @GOPLeader @senatemajldr" (https://twitter.com/realdonaldtrump/status/1241732681366482944) 292,142 global cases, 12,784 deaths, U.S. 15,219 cases, 201 deaths. This tweet is apparently a reference to Ford making respirators in partnership with 3M and GE Healthcare: https://www.cnn.com/2020/03/24/business/ford-3m-ge-ventilators-coronavirus-duplicate-2/index.html

March 23: 332,930 global cases, 14,510 deaths (WHO), U.S. 33,404 cases, 400 deaths (CDC). Dr. Fauci doesn't appear at Trump's daily press conference.

March 24: "Our people want to return to work. They will practice Social Distancing and all else, and Seniors will be watched over protectively & lovingly. We can do two things together. THE CURE CANNOT BE WORSE (by far) THAN THE PROBLEM! Congress MUST ACT NOW. We will come back strong!" Twitter. (https://twitter.com/realDonaldTrump/status/1242455267603877894) 372,757 global cases, 16,231 deaths (WHO), U.S. 44,183 cases, 544 deaths (CDC).

March 25: "Just reported that the United States has done far more “testing” than any other nation, by far! In fact, over an eight day span, the United States now does more testing than what South Korea (which has been a very successful tester) does over an eight week span. Great job!" Twitter. (https://twitter.com/realDonaldTrump/status/1242824631230308353?s=19) 414,179 global cases, 18,440 deaths (WHO), U.S. 68,440 cases, 994 deaths (CDC). While the U.S. has done a greater number of tests, it also has a much larger population -- where Korea has tested 1 of every 170 people, the U.S. has tested 1 of every 1,090 people.

March 26: "I have a feeling that a lot of the numbers that are being said in some areas are just bigger than they are going to be. I don’t believe you need 40,000 or 30,000 ventilators." Press conference. (https://twitter.com/Yamiche/status/1243354645927530498) 462,684 global cases, 49,219 deaths (WHO), U.S. 68,440 cases, 994 deaths (CDC).

March 27: 509,164 global cases, 23,335 deaths (WHO), U.S. 85,356 cases, 1,246 deaths.

March 28: "You can call it a germ. You can call it a flu. You can call it a virus. You can call it many different names. I'm not sure anyone even knows what it is." Press conference. (https://twitter.com/Yamiche/status/1243670348211654664) 571,678 global cases, 62,514 deaths (WHO), U.S. 103,321 cases, 1,668 deaths (CDC).

March 28: "I am giving consideration to a QUARANTINE of developing “hot spots”, New York, New Jersey, and Connecticut. A decision will be made, one way or another, shortly." Twitter. (https://twitter.com/realDonaldTrump/status/1243953994743103489) Advance notice of a quarantine order caused many people to leave northern Italy and spread the virus (https://abcnews.go.com/International/wireStory/italys-virus-lockdown-dash-train-69469683). The three states here already had shelter-in-place orders from their governors. Trump subsequently retracted his quarantine suggestion in a pair of tweets (https://twitter.com/realdonaldtrump/status/1244056559577071616).

March 29: "We sent thousands of generators to New York ... the people in New York never distributed the generators." Press conference; Trump means ventilators. (https://twitter.com/atrupar/status/1244394071982051329) 634,835 global cases, 29,957 deaths (WHO), U.S. 122,653 cases, 2,112 deaths (CDC).

April 1: "They're doing tests on airlines--very strong tests--for getting on, getting off. They're testing on trains--getting on, getting off." White House briefing. There is no such testing occurring; this is a complete fabrication. (https://www.cnn.com/2020/04/02/politics/fact-check-trump-plane-and-train-passengers-tested-for-the-coronavirus/index.html) 823,626 global cases, 40,598 deaths (WHO), U.S. 186,101 cases, 3,603 deaths (CDC).

April 2: "Scarf is generally better than a mask because it's thicker." White House briefing. (https://twitter.com/joshtpm/status/1245852819753705473) 896,540 global cases, 72,839 deaths (WHO), U.S. 213,144 cases, 4,513 deaths (CDC).

April 3: The U.S. federal government seizes orders of personal protective equipment (PPE) destined for France and Germany at the Port of New York, along with equipment ordered by individual states, most notably Massachusetts. The Governor of Massachusetts makes arrangements via the Chinese ambassador to the UN for one million N95 masks to be put on the New England Patriots' plane as a "private humanitarian effort", which are successfully delivered to Boston.  972,640 global cases, 50,325 deaths (WHO), U.S. 239,279 cases, 5,443 deaths (CDC).

April 3: "In one case, an order of 200,000 masks for Germany made by U.S.-listed multinational 3M Co in China were “confiscated” in Bangkok, Berlin Secretary of Interior Andreas Geisel, said in a statement, calling it an “act of modern piracy.”" ... "At the same time, 3M said Friday that the White House ordered it to stop all shipments to Canada and Latin America of respirators that it manufactures in the United States, despite what 3M called “significant humanitarian implications.”" (https://globalnews.ca/news/6775423/coroanvirus-global-face-mask-competition/)


April 7: Trump announces he is "going to put a hold" on funding to the World Health Organization. He later says he had merely promised to consider doing so. (https://twitter.com/Acyn/status/1247646160069652482) 1,279,722 global cases, 72,614 deaths (WHO), U.S. 374,329 cases, 12,064 deaths (CDC).


April 7: Trump fires the Inspector General responsible for oversight on distribution of the $2.3 trillion COVID-19 rescue package.

Also see:
https://www.washingtonpost.com/politics/2020/02/26/trumps-coronavirus-commentary-pollyannaish-downright-false/

And:
https://www.mercurynews.com/2020/03/11/fact-check-a-list-of-28-ways-trump-and-his-team-have-been-dishonest-about-the-coronavirus/

And:
https://www.theatlantic.com/politics/archive/2020/03/trumps-lies-about-coronavirus/608647/

And: Linda Qiu, "Analyzing the Patterns in Trump's Falsehoods About Coronavirus"
https://www.nytimes.com/2020/03/27/us/politics/trump-coronavirus-factcheck.html

And: https://en.wikipedia.org/wiki/List_of_post-election_Donald_Trump_rallies#2020_campaign_rallies

And: https://trumpgolfcount.com/displayoutings


Wednesday, January 01, 2020

Books read in 2019

Not much blogging going on here still, but here's my annual list of books read for 2019.
  • Graham T. Allison, Destined for War: Can America and China Escape Thucydides's Trap?
  • Ross Anderson, Security Engineering (3rd edition, draft chapters)
  • Herbert Asbury, The Barbary Coast: An Informal History of the San Francisco Underworld
  • Heidi Blake, From Russia with Blood: The Kremlin's Ruthless Assassination Program and Vladimir Putin's Secret War on the West
  • Rutger Bregman, Utopia for Realists: How We Can Build the Ideal World
  • Oliver Bullough, Moneyland: The Inside Story of the Crooks and Kleptocrats Who Rule the World
  • Bryan Caplan and Zach Weinersmith, Open Borders: The Science and Ethics of Immigration
  • C.J. Chivers, The Fighters: Americans in Combat
  • Sefton Delmer, Black Boomerang
  • Nina J. Easton, Gang of Five: Leaders at the Center of the Conservative Crusade (bio of Bill Kristol, Ralph Reed, Clint Bolick, Grover Norquist, and David McIntosh)
  • Ronan Farrow, Catch and Kill: Lies, Spies, and a Conspiracy to Protect Predators
  • Ronan Farrow, War on Peace: The End of Diplomacy and the Decline of American Influence
  • Ian Frisch, Magic is Dead: My Journey into the World's Most Secretive Society of Magicians
  • Anand Giridharadas, Winners Take All: The Elite Charade of Changing the World
  • Reba Wells Grandrud, Sunnyslope (Images of America series)
  • Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
  • Jodi Kantor and Megan Twohey, She Said: Breaking the Sexual Harassment Story That Helped Ignite a Movement
  • Stephen Kinzer, Overthrow: America's Century of Regime Change From Hawaii to Iraq
  • Michael Lewis, Flash Boys: A Wall Street Revolt
  • Jonathan Lusthaus, Industry of Anonymity: Inside the Business of Cybercrime
  • Ben MacIntyre, A Spy Among Friends: Kim Philby and the Great Betrayal
  • Joseph Menn, Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World
  • Anna Merlan, Republic of Lies: American Conspiracy Theorists and Their Surprising Rise to Power
  • Jefferson Morley, Our Man in Mexico: Winston Scott and the Hidden History of the CIA
  • Sarah T. Roberts, Behind the Screen: Content Moderation in the Shadows of Social Media
  • Hans Rosling, with Ola Rosling and Anna Rosling Rönnlund, Factfulness: Ten Reasons We're Wrong About the World--and Why Things Are Better Than You Think
  • Russell Shorto, Amsterdam: A History of the World's Most Liberal City
  • Alexander Stille, The Sack of Rome: Media + Money + Celebrity = Power = Silvio Berlusconi
  • Jamie Susskind, Future Politics: Living Together in a World Transformed by Tech
  • Erik Van De Sandt, Deviant Security: The Technical Computer Security Practices of Cyber Criminals (Ph.D. thesis)
  • Tom Wolfe, The Right Stuff
  • Tim Wu, The Attention Merchants: The Epic Scramble to Get Inside Our Heads
Top for 2019: Bullough, Farrow (Catch and Kill), Wu, Chivers, Rosling, Greenberg, Blake, Allison, Caplan and Weinersmith, Kinzer, Delmer.

I started the following books I expect to finish in early 2020:

Myke Cole, Legion versus Phalanx: The Epic Struggle for Infantry Supremacy in the Ancient World
Walter LaFeber, Inevitable Revolutions: The United States in Central America (2nd edition)
Brad Smith and Carol Anne Browne, Tools and Weapons: The Promise and Peril of the Digital Age
Peter H. Wilson, The Holy Roman Empire: A Thousand Years of Europe's History

Two books I preordered and look forward to reading in 2020:

Anna Wiener, Uncanny Valley: A Memoir (due out January 14)
Thomas Rid, Active Measures: The Secret History of Disinformation and Political Warfare (due out April 21)

(Previously: 2018, 2017, 2016, 2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005.)

Thursday, December 12, 2019

CIA torture program

It was interesting to go back through the old posts on this blog about the CIA torture program in light of the new film, The Report, which can be seen on Amazon Prime.

One of the early posts on this blog resulted in a debate in the comments about the ethics and efficacy of torture, which the 2014 Senate torture report (PDF link) and the film resolve decisively against torture.  The CIA torture program was ineffective and unethical.

Jeremy Scahill's interview with Daniel Jones about the CIA program and the Senate investigations and report is quite illuminating, and highly recommended listening, as is the podcast associated with the film.

A couple other items of interest:

Jason Leopold's exposure of an accidentally leaked draft letter from John Brennan to Dianne Feinstein apologizing for hacking the Senate investigation.

Senator Mark Udall's questioning of CIA general counsel Caroline Krass during her Senate confirmation hearing.

New York Times book review of Frank Rizzo's memoir, Company Man, which confirms that George W. Bush was not briefed on the torture program but was a "stand-up guy" by lying and claiming that he was.

Saturday, June 08, 2019

The Phoenix Lights, 1945

From John Keeling, by way of the May 2019 Fortean Times (p. 28):
In 1945 a jittery American public was mistaking Venus for Japan’s FU-GO balloon bombs on an alarmingly regular basis. 9,000 of the 30 ft balloons with incendiary bomb payloads had been launched against the US in the hope of causing large-scale forest fires and spreading terror....On June 6th, Phoenix and several other Arizona communities had their first ‘Jap balloon’ panic. Telephone lines to the press, police department, sheriff’s office and weather bureau were reportedly jammed....Luke Field and Williams Field fliers, checking the object from planes, were able to report back definitely that there was no balloon where reported. And Phoenix Junior college’s 5 inch refractor telescope clearly identified the object as Venus. According to the Associated Press, Tucson had the same experience, with Davis-Monthan fliers being ‘sent to cut down the invader.’

Tuesday, January 01, 2019

Books read in 2018

Not much blogging going on here still, but here's my annual list of books read for 2018.
  • Charles Arthur, Cyber Wars: Hacks that Shocked the Business World
  • Radley Balko and Tucker Carrington, The Cadaver King and the Country Dentist: A True Story of Injustice in the American South
  • Mary Beard, SPQR: A History of Ancient Rome
  • Yochai Benkler, Robert Faris, and Hal Roberts, Network Propaganda: Manipulation, Disinformation, and Radicalization in American Politics
  • Ronen Bergman, Rise and Kill First: The Secret History of Israel's Targeted Assassinations
  • Rebecca Burns and David Dayen, Fat Cat: The Steve Mnuchin Story
  • John Carreyrou, Bad Blood: Secrets and Lies in a Silicon Valley Startup
  • Graydon Carter, George Kalogerakis, and Kurt Andersen, Spy: The Funny Years
  • Stephen Ellis, This Present Darkness: A History of Nigerian Organized Crime
  • Jason Fagone, The Woman Who Smashed Codes: A True Story of Love, Spies, and the Unlikely Heroine Who Outwitted America's Enemies
  • Paul French, City of Devils: The Two Men Who Ruled the Underworld of Old Shanghai
  • Diego Gambetta, Codes of the Underworld: How Criminals Communicate
  • Robert M. Gates, Duty: Memoirs of a Secretary at War
  • Atul Gawande, Being Mortal: Medicine and What Matters in the End
  • David Golumbia, The Politics of Bitcoin: Software as Right-Wing Extremism
  • Richards J. Heuer Jr. and Randolph H. Pherson, Structured Analytic Techniques for Intelligence Analysis
  • Michael Isikoff and David Corn, Russian Roulette: The Inside Story of Putin's War on America and the Election of Donald Trump
  • Sarah Jeong, The Internet of Garbage
  • Steven Johnson, Farsighted: How We Make the Decisions That Matter the Most
  • Louise M. Kaiser and Randolph H. Pherson, Analytic Writing Guide
  • Chuck Klosterman, But What If We're Wrong?: Thinking About the Present As If It Were the Past
  • Susan Landau, Listening In: Cybersecurity in an Insecure Age
  • Peter T. Leeson, WTF?! An Economic Tour of the Weird
  • Jeffrey Lewis, The 2020 Commission Report on the North Korean Nuclear Attacks Against the United States
  • Michael Lewis, The Fifth Risk
  • Liliana Mason, Uncivil Agreement: How Politics Became Our Identity
  • Nick Mason, Inside Out: A Personal History of Pink Floyd (new updated 2017 edition)
  • Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power
  • Jefferson Morley, The Ghost: The Secret Life of CIA Spymaster James Jesus Angleton
  • Roger Naylor, The Amazing Kolb Brothers of Grand Canyon
  • Helen Nissenbaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life
  • Ellen Pao, Reset: My Fight for Inclusion and Lasting Change
  • Dana Richards, editor, Dear Martin/Dear Marcello: Gardner and Truzzi on Skepticism
  • Louis Rossetto, Change Is Good: A Story of the Heroic Era of the Internet (1st edition, #1453, Kickstarter)
  • David E. Sanger, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age
  • Eli Saslow, Rising Out of Hatred: The Awakening of a Former White Nationalist
  • Harold Schechter, The Pirate (Amazon Prime Reading "Bloodlands Collection")
  • Harold Schechter, Little Slaughterhouse on the Prairie (Amazon Prime Reading "Bloodlands Collection")
  • Harold Schechter, The Brick Slayer (Amazon Prime Reading "Bloodlands Collection")
  • Harold Schechter, Panic (Amazon Prime Reading "Bloodlands Collection")
  • Harold Schechter, Rampage (Amazon Prime Reading "Bloodlands Collection")
  • Harold Schechter, The Pied Piper (Amazon Prime Reading "Bloodlands Collection")
  • Natasha Dow Schüll, Addiction by Design: Machine Gambling in Las Vegas
  • Kevin Simler and Robin Hanson, The Elephant in the Brain: Hidden Motives in Everyday Life
  • P.W. Singer and Emerson T. Brooking, LikeWar: The Weaponization of Social Media
  • Ali Soufan, Anatomy of Terror: From the Death of Bin Laden to the Rise of the Islamic State
  • Robert Timberg, The Nightingale's Song (bio of John McCain, James Webb, Oliver North, Robert McFarlane, and John Poindexter)
  • Mick West, Escaping the Rabbit Hole: How to Debunk Conspiracy Theories Using Facts, Logic, and Respect
  • Rick Wilson, Everything Trump Touches Dies: A Republican Strategist Gets Real About the Worst President Ever
  • Michael Wolff, Fire and Fury: Inside the Trump White House
  • Bob Woodward, Fear: Trump in the White House
  • Tim Wu, The Curse of Bigness: Antitrust in the New Gilded Age
I made some progress on a few other books:
  • Herbert Asbury, The Barbary Coast: An Informal History of the San Francisco Underworld (will probably finish today)
  • Andrew Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt
  • Douglas Hofstadter and Emmanuel Sander, Surfaces and Essences: Analogy as the Fuel and Fire of Thinking
Top for 2018: Singer and Brooking, Bergman, Balko and Carrington, Gawande, Carreyrou, Sanger, Simler and Hanson, Soufan, Isikoff and Corn, Fagone, French, Schüll, Michael Lewis, Mason, Benkler et al., West, Wu, Saslow, Naylor. I didn't care for the Klosterman book at all--quick read, but a waste of time.

(Previously: 2017, 2016, 2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005.)

Monday, January 01, 2018

Books read in 2017

Not much blogging going on here still, but here's my annual list of books read for 2017. Items with hyperlinks are linked directly to the item online (usually PDF, some of these are reports rather than books, though I've made no attempt to collect all papers, blog posts, and reports I read here), with no paywall or fee.
  • Lilian Ablon, Andy Bogart, Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits
  • Ben Buchanan, The Cybersecurity Dilemma: Hacking, Trust and Fear Between Nations
  • J.D. Chandler, Hidden History of Portland, Oregon
  • Ted Conover, Newjack: Guarding Sing Sing
  • Richard A. Clarke and R.P. Eddy, Warnings: Finding Cassandras to Stop Catastrophes
  • Thomas H. Davenport and Julia Kirby, Only Humans Need Apply: Winners & Losers in the Age of Smart Machines
  • Mike Edison, Dirty, Dirty, Dirty: Of Playboys, Pigs, and Penthouse Paupers--An American Tale of Sex and Wonder
  • FINRA, Distributed Ledger Technology: Implications of Blockchain for the Securities Industry
  • Al Franken, Al Franken, Giant of the Senate
  • David Gerard, Attack of the 50 Foot Blockchain: Bitcoin, Blockchain, Ethereum & Smart Contracts
  • Joscelyn Godwin, Upstate Cauldron: Eccentric Spiritual Movements in Early New York State
  • Jonathan Goldsmith, Stay Interesting: I Don't Always Tell Stories About My Life, But When I Do They're True and Amazing
  • Heidi Grant Halvorson, No One Understands You: And What To Do About It
  • Jon Lindsay, Tai Ming Cheung, and Derek S. Reveron, editors, China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain
  • William MacAskill, Doing Good Better: Effective Altruism and How You Can Make a Difference
  • Jane Mayer, Dark Money: The Hidden History of the Billionaires Behind the Rise of the Radical Right
  • Nick Middleton, An Atlas of Countries That Don't Exist: A Compendium of Fifty Unrecognized and Largely Unnoticed States
  • Kevin Mitnick, The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data
  • Andrew Monaghan, "The New Russian Foreign Policy Concept: Evolving Continuity," Chatham House, 2013 (PDF)
  • Milton Mueller, Will the Internet Fragment? Sovereignty, Globalization and Cyberspace
  • Tom Nichols, The Death of Expertise: The Campaign Against Established Knowledge and Why it Matters
  • David Ronfeldt, Beware the Hubris-Nemesis Complex: A Concept for Leadership Analysis
  • Thomas Rid, Rise of the Machines: A Cybernetic History
  • Gabriel Sherman, The Loudest Voice in the Room: How the Brilliant, Bombastic Roger Ailes Built Fox News--and Divided a Country
  • Doug Stanhope, Digging Up Mother: A Love Story
  • Doug Stanhope, This Is Not Fame: A "From What I Re-Memoir"
  • Charles Stross, Halting State
  • Charles Stross, Rule 34
  • Sarah Vowell, Unfamiliar Fishes
  • Timothy Walton, Challenges in Intelligence Analysis: Lessons from 1300 BCE to the Present
  • Kristan J. Wheaton and Melonie K. Richey, Strawman
  • Ilya Zaslavskiy, How Non-State Actors Export Kleptocratic Norms to the West (PDF)
I may or may not have made progress on a few other books (first four from 2017, next two from 2016, one from 2015, next three from 2014, next three from 2013, last two still not finished from 2012--I have trouble with e-books, especially very long nonfiction e-books):
  • Helen Nissenbaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life
  • Dana Richards, editor, Dear Martin/Dear Marcello: Gardner and Truzzi on Skepticism
  • Richards J. Heuer, Jr., Structured Analytic Techniques for Intelligence Analysis
  • Louis M. Kaiser, Analytic Writing Guide
  • Andreas Antonopoulos, Mastering Bitcoin: Unlocking Digital Cryptocurrencies (now 2nd ed)
  • Robert M. Gates, Duty: Memoirs of a Secretary at War
  • John Searle, Making the Social World
  • Andrew Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt
  • Massimo Pigliucci and Maarten Boudry, Philosophy of Pseudoscience: Reconsidering the Demarcation Problem
  • Steven Pinker, The Sense of Style: The Thinking Person's Guide to Writing in the 21st Century
  • Richard Bejtlich, The Practice of Network Security Monitoring
  • James Grimmelmann, Internet Law: Cases & Problems (v2; v3 is out now)
  • Douglas Hofstadter and Emmanuel Sander, Surfaces and Essences: Analogy as the Fuel and Fire of Thinking
  • Mark Dowd, John McDonald, and Justin Schuh, The Art of Software Security Assessment: Identifying and Avoiding Software Vulnerabilities
  • Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications
Top for 2017:  Rid, Buchanan, Sherman, Mayer, Clarke and Eddy, Conover, Middleton.

I completed three Coursera courses in 2017, two of which I recommend:

(Previously: 2016, 2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005.)

Sunday, March 12, 2017

Rep. Tom Graves' Active Cyber Defense Certainty Act

Rep. Tom Graves (R-GA14) has circulated a draft bill, the "Active Cyber Defense Certainty Act" (or ACDC Act), which amends the Computer Fraud and Abuse Act (18 USC 1030) to legalize certain forms of "hacking back" for the purposes of collecting information about an attacker in order to facilitate criminal prosecution or other countermeasures.

The bill as it currently stands is not a good bill, for the following reasons:

1. It ignores the recommendations in a recent report, "Into the Gray Zone: Active Defense by the Private Sector Against Cyber Threats," from the Center for Cyber & Homeland Security at the George Washington University. This report distinguishes between low-risk active defense activities within the boundaries of the defender's own network, such as the use of deceptive technology (honeypots, honeynets, tarpitting), the use of beaconing technology to provide notifications in case of intrusions, and research in deep and dark web underground sites, on the one hand, and higher-risk active defense activities such as botnet takedowns, sanctions and indictments, white-hat ransomware, and rescue missions to recover stolen assets, on the other. One of the report's key questions for an active defense measure is "is the active defense measure authorized, whether by an oversight body, law enforcement, or the owner of the affected network?" This bill creates no mechanism for providing particular authorizations (also see points 2 and 3, below).

The "Into the Gray Zone" report also suggests that if a decision is made to authorize the accessing of a remote system (an attacker's system is almost always the system of another victim) for information collection purposes, it should be limited to cases in which a defender can "assert a positive identification of the hostile actor with near certainty, relying on multiple credible attribution methods." This, however, seems too strict a condition to impose.

Finally, however, this report advises that, even without a change in the law, DOJ "should exercise greater discretion in choosing when to enforce the CFAA and other relevant laws, and should provide clarity about how it intends to exercise such discretion. Companies engaging in activities that may push the limits of the law, but are intended to defend corporate data or end a malicious attack against a private server should not be prioritized for investigation or prosecution." (p. 28) The report cites active defense activity by Google in response to hacking from China as an example where there was no prosecution or sanction for accessing remote systems being used by attackers. This proposal seems to me a wiser course of action than adopting this bill. (Also see point 5, below.)

2. It disregards the recommendations from the Center for Strategic and International Studies Cyber Policy Task Force on the subject of active defense. The CSIS Cyber Policy Task Force report contains a short three-paragraph section on active defense (p. 14) which throws cold water on the idea, calling active defense "at best a stopgap measure, intended to address companies’ frustration over the seeming impunity of transborder criminals" and affirming that only governments should be authorized to engage in activities on the high-risk side, and that it is their responsibility to coordinate and engage in such activity. It does offer up a possibility for a proposal that allows accessing remote systems by private parties in its last sentence: "Additionally, the administration could consider measures, carried out with the prior approval of federal law enforcement agencies (most likely requiring a warrant to enter a third-party network) to recover or delete stolen data stored on servers or networks under U.S. jurisdiction." This bill does not require approval from federal law enforcement agencies or a warrant for accessing remote systems or networks, and jurisdiction is only implicit.

3. While the proposal in the bill resembles a proposal by Anthony Glosson published by the Mercatus Center at George Mason University, it adopts the carrot element of that proposal while neglecting the stick. Glosson's proposal is that, like this bill, private parties should be permitted to access remote attacking systems in order to collect information ("observation and access"), but not to engage in "disruption and destruction." However, Glosson suggests three requirements be present to make such access and information collection permissible, and if those requirements are not present, that there be "stiff statutory damages" imposed. The bill omits any statutory damages, and imposes only one of Glosson's three requirements (though a previous version of the bill included the second). Glosson's three requirements are (1) that the defender's actions are limited to observation and access, (2) that the attacker was routing traffic through the defender's network at the time of the active defense action, and (3) that obtaining the cooperation of the attacking system's owner at the time of the attack was impractical. This third criterion is a critical one, and a good way to observe the undesirability of this bill is to imagine that you are the owner of the intermediary system used by the attacker to go after a third party--what would you want that third party to be able to do with your system without your permission or consent?

4. The bill appears to have been somewhat hastily written and sloppily updated, failing to update a persistent typographical error ("the victim' [sic] own network") through its revisions, and the current version seems to be somewhat incoherent. In its current form it is unlikely to meet its short title objective of encouraging certainty.

The current version of the bill makes it legal for a victim of a "persistent unauthorized intrusion" to access "without authorization the computer of the attacker to the victim' [sic] own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim's own network," so long as this does not destroy information on the system, cause physical injury, or create a threat to public health or safety.

The phrase "without authorization the computer of the attacker to the victim's own network" doesn't make sense [it should say "attacker of" or "attacker against"], and appears to be the result of poor editing from the prior version of the bill, which made permissible accessing "without authorization a computer connected to the victim' [sic] own network", with the rest of the text remaining the same. This prior wording apparently attempted to thread the needle of the GWU "Into the Gray Zone" report by defining the accessing of a remote system as being within the boundaries of the defender's own network, and thus on the low-risk side of the equation. However, the wording "connected to the victim's own network" is ambiguous and unclear--does it mean directly connected (e.g., to a WiFi access point or LAN port on a switch), in which case this is much less useful, or does it mean any active session flow of packets over the Internet into the victim's network (similar to Glosson's second requirement)? The latter is the more reasonable and charitable interpretation, but it should be made more explicit and could perhaps be too strict--what happens if the attacker disconnects just moments before the active defense activity begins?

Left unsaid in the bill is what can be done with information collected from the attacking system, which might include information belonging to other victims, the exposure of which could cause harm. Presumably other remedies from other statutes would exist if a defender engaged in such exposure, but it seems to me that this bill would be improved by making the parameters of permissible action more explicit and restrictive. Perhaps the current wording limits actions to information sharing with law enforcement and reconfiguration of one's own defensive systems based on the collected information, but "to disrupt continued unauthorized activity against the victim's own network" is a purpose that could be achieved by a much broader set of actions, which could cause harm to other victims.

5. It's not clear that the bill is necessary, given that security researchers are today (as they have been for years) taking steps to access infrastructure used by malicious cyber threat actors in order to monitor their activity and collect intelligence information. They are already making legal and regulatory risk decisions which incorporate the existing CFAA, and deciding to proceed anyway.

If this bill is to move forward, it needs some additional work.

(News story on the bill: Michael Mimoso, "Active Defense Bill Raises Concerns of Potential Consequences," ThreatPost.
Further reading: Paul Rosenzweig, "A Typology for Evaluating Active Cyber Defenses," Lawfare blog)

UPDATE (March 14, 2017): Robert Chesney wrote a good critique of the bill at the Lawfare blog, "Legislative Hackback: Notes on the Active Cyber Defense Certainty Act discussion draft," in which he points out that the word "persistent" is undefined and vague, notes that "intrusion" excludes distributed denial of service attacks from permissible cases of response under this bill, and wisely notes that there may be multiple computers in an attack chain used by the attacker, while the bill is written as though there is only one. (It is also noteworthy that an attacking IP could be a firewall in front of an attacking machine, and a response attempting to connect to that IP could be redirected to a completely different system.) Chesney also questions whether destroying information is the right limit on responsive activity, as opposed to altering information (such as system configurations). He also notes that the restrictions for destruction, physical injury, and threats to public health and safety are probably insufficient, noting as I did above that there could be other forms of harm from disseminating confidential information discovered on the attacking system.

I think a more interesting bill that would create incentives for companies to invest in security and to appropriately share information about attacks (rather than trying to hide it) would be a bill that created a safe harbor or liability limits for a company whose systems are used to attack third parties, if they have taken certain precautionary measures (such as having patched all known vulnerabilities more than 30 days old, and having a continuous monitoring program) and if they also share in a timely manner information about their breach.

UPDATE (May 25, 2017): Rep. Graves has released a version 2.0 of his bill which is vastly improved, addressing almost all of my concerns above. The new Sec. 2 of the bill puts the use of beaconing technology on a sound legal footing, which is consistent with the recommendations of the CSIS "Into the Gray Zone" report. The new Sec. 4 of the bill requires notification of the FBI, which, while it isn't notification of or deferral to organizations that have their own cyber defense teams to protect and investigate their own compromised infrastructure, might effectively serve the same purpose, and it also provides a deterrent to irresponsible active defense. The core of the former bill, Sec. 3, has been revised to limit what can be done, so that now taking or exposing content on the attacker machine belonging to other parties would not be permissible. And there is also a new Sec. 5 of the bill, which sunsets it after two years. I cautiously support the new bill as a potentially useful experiment.

UPDATE (October 14, 2017): A new version of the bill was released this week which has further improvements. Instead of just creating an exemption to the CFAA, it creates a defense to a criminal charge, and makes clear that it is not a defense for civil liability. This means if you are within the bounds of the new rules accessing the systems of a third party which is another victim of the attacker, you won't go to jail for it, but you could still be successfully sued for damages by that third party. The new version of the bill also lists a few more things which you are NOT permitted to do in order to use the defense, and it requires that the FBI create a program for receiving advance notices from individuals and organizations that intend to use these measures, as well as a requirement for an annual assessment of this legislation's effectiveness.

UPDATE (February 2, 2018): There are still a few issues with the current version of the Graves bill. (1) It doesn't require defenders to document and disclose actions taken against systems not owned by the attacker to the owners of those systems. (2) It places no limits on what vulnerabilities may be exploited on intermediary or attacker systems. (3) It allows destructive actions against information which belongs to the defender, as well as against any information or system which belongs to the attacker. (4) It does not limit the targets to systems within U.S. jurisdiction, nor does it require any judicial approval. Attacks on systems outside U.S. jurisdiction could result in state-sponsored blowback. (5) The exception to permitted activity for any action which "intentionally results in intrusive or remote access into an intermediary's computer" seems at odds with the overall proposal, since 90%+ of the time the systems used by attackers will belong to an intermediary. (6) Sec. 5's requirement that the FBI be notified and presented with various pieces of information prior to the active defense seems both too strict and too loose. Too strict in that it doesn't allow pre-certification and must occur in the course of an attack; too loose in that it requires only that the FBI acknowledge receipt before proceeding, not any actual approval or certification, and in that there's a loophole in one of the required pieces of information to be given to the FBI, which is any other information requested by the FBI for the purposes of oversight. Since all the active defender requires is acknowledgment of receipt, if the FBI doesn't request any such further information as part of that acknowledgement, the defender is good to go immediately at that point before any further information is provided. Sec. 5 is kind of a fake certification process--there is no actual certification or validation process that must occur.

Thursday, February 16, 2017

Confusing the two Trump cybersecurity executive orders

In Andy Greenberg's Wired article on February 9, 2017, "Trump Cybersecurity Chief Could Be a 'Voice of Reason'," he writes:
But when Trump’s draft executive order on cybersecurity emerged last week, it surprised the cybersecurity world by hewing closely to the recommendations of bipartisan experts—including one commission assembled by the Obama administration.
The described timing and the link both refer to the original draft cybersecurity executive order, which does not at all resemble the recommendations of Obama's Commission on Enhancing National Cybersecurity or the recommendations of the Center for Strategic and International Studies Cyber Policy Task Force, which both included input from large numbers of security experts. Contrary to what Greenberg says, the executive order he refers to was widely criticized on a number of grounds, including that it is incredibly vague and high level, specifies an extremely short time frame for its reviews, and that it seemed to think it was a good idea to collect information about major U.S. vulnerabilities and defenses into one place and put it into the hands of then-National Security Advisor Michael T. Flynn. That original version of the executive order resembled the Trump campaign's website policy proposal on cybersecurity.

The positive remarks, instead, were for a revised version of the cybersecurity executive order which was verbally described to reporters on the morning of January 31, the day that the signing of the order was expected to happen at 3 p.m., after Trump met for a listening session with security experts. The signing was cancelled, and the order has not yet been issued, but a draft subsequently got some circulation later in the week and was made public at the Lawfare blog on February 9.

This executive order contains recommendations consistent with both the Cybersecurity Commission report and the CSIS Cyber Policy Task Force report, mandating the use of the NIST Cybersecurity Framework by federal agencies, putting the Office of Management and Budget (OMB) in charge of enterprise risk assessment across agencies, promoting IT modernization and cloud and shared services infrastructure, and directing DHS and other agency heads to work with private sector critical infrastructure owners on defenses.

One key thing it does not do, which was recommended by both reports, is elevate the White House cybersecurity coordinator role (a role which the Trump administration has not yet filled, which was held by Michael Daniel in the Obama administration) to an Assistant to the President, reflecting the importance of cybersecurity. Greenberg's piece seems to assume that Thomas Bossert is in the lead cybersecurity coordinator role, but his role is Homeland Security Advisor (the role previously held by Lisa Monaco in the Obama administration), with broad responsibility for homeland security and counterterrorism, not cybersecurity-specific.

Despite Greenberg's error confusing the two executive orders being pointed out to him on Twitter on February 9, the article hasn't been corrected as of February 16.

Sunday, January 01, 2017

Books read in 2016

Not much blogging going on here still, but here's my annual list of books read for 2016. Items with hyperlinks are linked directly to the item online (usually PDF, some of these are reports rather than books), with no paywall or fee.
  • Andreas Antonopoulos, The Internet of Money
  • Herbert Asbury, The Gangs of New York: An Informal History of the Underworld
  • Rob Brotherton, Suspicious Minds: Why We Believe Conspiracy Theories
  • Center for Cyber & Homeland Security, Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats
  • Michael D'Antonio, Never Enough: Donald Trump and the Pursuit of Success
  • Henning Diedrich, Ethereum: Blockchains, Digital Assets, Smart Contracts, Decentralized Autonomous Organizations
  • Martin Ford, Rise of the Robots: Technology and the Threat of a Jobless Future
  • Emma A. Jane and Chris Fleming, Modern Conspiracy: The Importance of Being Paranoid
  • Roger Z. George and James B. Bruce, editors, Analyzing Intelligence: Origins, Obstacles, and Innovations
  • Peter Gutmann, Engineering Security
  • House Homeland Security Committee, Going Dark, Going Forward: A Primer on the Encryption Debate
  • Dr. Rob Johnston, Analytic Culture in the U.S. Intelligence Community: An Ethnographic Study
  • R.V. Jones, Most Secret War
  • Fred Kaplan, Dark Territory: The Secret History of Cyber War
  • Maria Konnikova, The Confidence Game: Why We Fall for It...Every Time
  • Adam Lee, hilarious blog commentary on Atlas Shrugged
  • Deborah Lipstadt, Denying the Holocaust: The Growing Assault on Truth and Memory
  • Dan Lyons, Disrupted: My Misadventure in the Startup Bubble
  • Geoff Manaugh, A Burglar's Guide to the City
  • Felix Martin, Money: The Unauthorized Biography--From Coinage to Cryptocurrencies
  • Nathaniel Popper, Digital Gold: Bitcoin and the Inside Story of the Misfits and Millionaires Trying to Reinvent Money
  • John Allen Paulos, A Numerate Life: A Mathematician Explores the Vagaries of Life, His Own and Probably Yours
  • Mary Roach, Grunt: The Curious Science of Humans at War
  • Jon Ronson, The Elephant in the Room: A Journey into the Trump Campaign and the "Alt-Right"
  • Oliver Sacks, On the Move: A Life
  • Luc Sante, Low Life: Lures and Snares of Old New York
  • Adam Segal, The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age
  • Steve Silberman, NeuroTribes: The Legacy of Autism and the Future of Neurodiversity
  • Richard Stiennon, There Will Be Cyberwar: How the Move to Network-Centric War Fighting Has Set the Stage for Cyberwar
  • Russell G. Swenson, editor, Bringing Intelligence About: Practitioners Reflect on Best Practices
  • U.S. Army Special Operations Command, "Little Green Men": A Primer on Modern Russian Unconventional Warfare, Ukraine, 2013-2014
  • Joseph E. Uscinski and Joseph M. Parent, American Conspiracy Theories
  • Paul Vigna and Michael J. Casey, The Age of Crypto Currency: How Bitcoin and the Blockchain Are Challenging the Global Economic Order
I made progress on a few other books (first four from 2016, one from 2015, next three from 2014, next three from 2013, last two still not finished from 2012--I have trouble with e-books, especially very long nonfiction e-books):
  • Andreas Antonopoulos, Mastering Bitcoin: Unlocking Digital Cryptocurrencies
  • Robert M. Gates, Duty: Memoirs of a Secretary at War
  • Jocelyn Godwin, Upstate Cauldron: Eccentric Spiritual Movements in Early New York State
  • Thomas Rid, Rise of the Machines: A Cybernetic History
  • John Searle, Making the Social World
  • Andrew Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt
  • Massimo Pigliucci and Maarten Boudry, Philosophy of Pseudoscience: Reconsidering the Demarcation Problem
  • Steven Pinker, The Sense of Style: The Thinking Person's Guide to Writing in the 21st Century
  • Richard Bejtlich, The Practice of Network Security Monitoring
  • James Grimmelmann, Internet Law: Cases & Problems (v2; v3 is out now)
  • Douglas Hofstadter and Emmanuel Sander, Surfaces and Essences: Analogy as the Fuel and Fire of Thinking
  • Mark Dowd, John McDonald, and Justin Schuh, The Art of Software Security Assessment: Identifying and Avoiding Software Vulnerabilities
  • Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications
Top ten for 2016: Sacks, Silberman, Jane & Fleming, Konnikova, Manaugh, Lyons, Popper, Uscinski & Parent, Jones, Lipstadt.

(Previously: 2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005.)

Friday, January 01, 2016

Books read in 2015

Not much blogging going on here lately, but here's my annual list of books read for 2015:
  • George A. Akerlof and Robert J. Shiller, Phishing for Phools: The Economics of Manipulation & Deception
  • Jeffrey S Bardin, The Illusion of Due Diligence: Notes from the CISO Underground
  • Bill Browder, Red Notice: A True Story of High Finance, Murder, and One Man's Fight for Justice
  • Ron Chernow, Alexander Hamilton
  • Gabriella Coleman, Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous
  • Laura DeNardis, The Global War for Internet Governance
  • Daniel C. Dennett and Linda LaScola, Caught in the Pulpit: Leaving Belief Behind
  • Mary Douglas and Aaron Wildavsky, Risk and Culture: An Essay on the Selection of Technological and Environmental Dangers
  • William J. Drake and Monroe Price, editors, Internet Governance: The NETmundial Roadmap
  • Jon Friedman and Mark Bouchard, Definitive Guide to Cyber Threat Intelligence
  • Marc Goodman, Future Crimes: Everything is Connected, Everyone is Vulnerable, and What We Can Do About It
  • Marc Hallet, A Critical Appraisal of George Adamski: The Man Who Spoke to the Space Brothers
  • Shane Harris, @War: The Rise of the Military-Internet Complex
  • Peter T. Leeson, The Invisible Hook: The Hidden Economics of Pirates
  • Reed Massengill, Becoming American Express: 150 Years of Reinvention and Customer Service
  • James Andrew Miller and Tom Shales, Live From New York: The Complete, Uncensored History of Saturday Night Live, as Told By Its Stars, Writers, and Guests (two new chapters)
  • David T. Moore, Critical Thinking and Intelligence Analysis
  • Richard E. Nisbett, Mindware: Tools for Smart Thinking
  • Tony Ortega, The Unbreakable Miss Lovely: How the Church of Scientology Tried to Destroy Paulette Cooper
  • Whitney Phillips, This is Why We Can't Have Nice Things: Mapping the Relationship Between Online Trolling and Mainstream Culture
  • Joseph M. Reagle, Jr., Reading the Comments: Likers, Haters, and Manipulators at the Bottom of the Web
  • Jon Ronson, Lost at Sea: The Jon Ronson Mysteries
  • Jon Ronson, So You've Been Publicly Shamed
  • Bruce Schneier, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World
  • P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know
  • David Skarbek, The Social Order of the Underworld: How Prison Gangs Govern the American Penal System
  • Andrei Soldatov and Irina Borogan, The Red Web: The Struggle Between Russia's Digital Dictators and the New Online Revolutionaries
  • Philip E. Tetlock and Dan Gardner, Superforecasting: The Art and Science of Prediction
  • Richard H. Thaler, Misbehaving: The Making of Behavioral Economics
I made progress on a few other books (first two last year, next four from 2014, next three from 2013, last two still not finished from 2012--I have trouble with very long nonfiction e-books):
  • Roger Z. George and James B. Bruce, editors, Analyzing Intelligence: Origins, Obstacles, and Innovations
  • John Searle, Making the Social World
  • Peter Gutmann, Engineering Security
  • Andrew Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt
  • Massimo Pigliucci and Maarten Boudry, Philosophy of Pseudoscience: Reconsidering the Demarcation Problem
  • Steven Pinker, The Sense of Style: The Thinking Person's Guide to Writing in the 21st Century
  • Richard Bejtlich, The Practice of Network Security Monitoring
  • James Grimmelmann, Internet Law: Cases & Problems (v2; v3 is out now)
  • Douglas Hofstadter and Emmanuel Sander, Surfaces and Essences: Analogy as the Fuel and Fire of Thinking
  • Mark Dowd, John McDonald, and Justin Schuh, The Art of Software Security Assessment: Identifying and Avoiding Software Vulnerabilities
  • Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications
Top ten for 2015: Browder, Chernow, Coleman, Ronson (Shamed), Schneier, Phillips, Nisbett, Ortega, Miller and Shales, Thaler. I bought and read Bardin's book because Richard Bejtlich identified it as a "train wreck," and it was.

(Previously: 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005.)