Wednesday, January 01, 2020

Books read in 2019

Not much blogging going on here still, but here's my annual list of books read for 2019.
  • Graham T. Allison, Destined for War: Can America and China Escape Thucydides's Trap?
  • Ross Anderson, Security Engineering (3rd edition, draft chapters)
  • Herbert Asbury, The Barbary Coast: An Informal History of the San Francisco Underworld
  • Heidi Blake, From Russia with Blood: The Kremlin's Ruthless Assassination Program and Vladimir Putin's Secret War on the West
  • Rutger Bregman, Utopia for Realists: How We Can Build the Ideal World
  • Oliver Bullough, Moneyland: The Inside Story of the Crooks and Kleptocrats Who Rule the World
  • Bryan Caplan and Zach Weinersmith, Open Borders: The Science and Ethics of Immigration
  • C.J. Chivers, The Fighters: Americans in Combat
  • Sefton Delmer, Black Boomerang
  • Nina J. Easton, Gang of Five: Leaders at the Center of the Conservative Crusade (bio of Bill Kristol, Ralph Reed, Clint Bolick, Grover Norquist, and David McIntosh)
  • Ronan Farrow, Catch and Kill: Lies, Spies, and a Conspiracy to Protect Predators
  • Ronan Farrow, War on Peace: The End of Diplomacy and the Decline of American Influence
  • Ian Frisch, Magic is Dead: My Journey into the World's Most Secretive Society of Magicians
  • Anand Giridharadas, Winners Take All: The Elite Charade of Changing the World
  • Reba Wells Grandrud, Sunnyslope (Images of America series)
  • Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
  • Jodi Kantor and Megan Twohey, She Said: Breaking the Sexual Harassment Story That Helped Ignite a Movement
  • Stephen Kinzer, Overthrow: America's Century of Regime Change From Hawaii to Iraq
  • Michael Lewis, Flash Boys: A Wall Street Revolt
  • Jonathan Lusthaus, Industry of Anonymity: Inside the Business of Cybercrime
  • Ben MacIntyre, A Spy Among Friends: Kim Philby and the Great Betrayal
  • Joseph Menn, Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World
  • Anna Merlan, Republic of Lies: American Conspiracy Theorists and Their Surprising Rise to Power
  • Jefferson Morley, Our Man in Mexico: Winston Scott and the Hidden History of the CIA
  • Sarah T. Roberts, Behind the Screen: Content Moderation in the Shadows of Social Media
  • Hans Rosling, with Ola Rosling and Anna Rosling Rönnlund, Factfulness: Ten Reasons We're Wrong About the World--and Why Things Are Better Than You Think
  • Russell Shorto, Amsterdam: A History of the World's Most Liberal City
  • Alexander Stille, The Sack of Rome: Media + Money + Celebrity = Power = Silvio Berlusconi
  • Jamie Susskind, Future Politics: Living Together in a World Transformed by Tech
  • Erik Van De Sandt, Deviant Security: The Technical Computer Security Practices of Cyber Criminals (Ph.D. thesis)
  • Tom Wolfe, The Right Stuff
  • Tim Wu, The Attention Merchants: The Epic Scramble to Get Inside Our Heads
Top for 2019: Bullough, Farrow (Catch and Kill), Wu, Chivers, Rosling, Greenberg, Blake, Allison, Caplan and Weinersmith, Kinzer, Delmer.

I started the following books I expect to finish in early 2020:

Myke Cole, Legion versus Phalanx: The Epic Struggle for Infantry Supremacy in the Ancient World
Walter LaFeber, Inevitable Revolutions: The United States in Central America (2nd edition)
Brad Smith and Carol Anne Browne, Tools and Weapons: The Promise and Peril of the Digital Age
Peter H. Wilson, The Holy Roman Empire: A Thousand Years of Europe's History

Two books I preordered and look forward to reading in 2020:

Anna Wiener, Uncanny Valley: A Memoir (due out January 14)
Thomas Rid, Active Measures: The Secret History of Disinformation and Political Warfare (due out April 21)

(Previously: 20182017201620152014201320122011201020092008200720062005.)

Thursday, December 12, 2019

CIA torture program

It was interesting to go back through the old posts on this blog about the CIA torture program in light of the new film, The Report, which can be seen on Amazon Prime.

One of the early posts on this blog resulted in a debate in the comments about the ethics and efficacy of torture, which the 2014 Senate torture report (PDF link) and the film resolve decisively against torture.  The CIA torture program was ineffective and unethical.

Jeremy Scahill's interview with Daniel Jones about the CIA program and the Senate investigations and report is quite illuminating, and highly recommended listening, as is the podcast associated with the film.

A couple other items of interest:

Jason Leopold's exposure of an accidentally leaked draft letter from John Brennan to Dianne Feinstein apologizing for hacking the Senate investigation.

Senator Mark Udall's questioning of CIA general counsel Caroline Krass during her Senate confirmation hearing.

New York Times book review of Frank Rizzo's memoir, Company Man, which confirms that George W. Bush was not briefed on the torture program but was a "stand-up guy" by lying and claiming that he was.

Saturday, June 08, 2019

The Phoenix Lights, 1945

From John Keeling, by way of the May 2019 Fortean Times (p. 28):
In 1945 a jittery American public was mistaking Venus for Japan’s FU-GO balloon bombs on an alarmingly regular basis. 9,000 of the 30 ft balloons with incendiary bomb payloads had been launched against the US in the hope of causing large-scale forest fires and spreading terror....On June 6th, Phoenix and several other Arizona communities had their first ‘Jap balloon’ panic. Telephone lines to the press, police department, sheriff’s office and weather bureau were reportedly jammed....Luke Field and Williams Field fliers, checking the object from planes, were able to report back definitely that there was no balloon where reported. And Phoenix Junior college’s 5 inch refractor telescope clearly identified the object as Venus. According to the Associated Press, Tucson had the same experience, with Davis-Monthan fliers being ‘sent to cut down the invader.’

Tuesday, January 01, 2019

Books read in 2018

Not much blogging going on here still, but here's my annual list of books read for 2018.
  • Charles Arthur, Cyber Wars: Hacks that Shocked the Business World
  • Radley Balko and Tucker Carrington, The Cadaver King and the Country Dentist: A True Story of Injustice in the American South
  • Mary Beard, SPQR: A History of Ancient Rome
  • Yochai Benkler, Robert Faris, and Hal Roberts, Network Propaganda: Manipulation, Disinformation, and Radicalization in American Politics
  • Ronen Bergman, Rise and Kill First: The Secret History of Israel's Targeted Assassinations
  • Rebecca Burns and David Dayen, Fat Cat: The Steve Mnuchin Story
  • John Carreyrou, Bad Blood: Secrets and Lies in a Silicon Valley Startup
  • Graydon Carter, George Kalogerakis, and Kurt Andersen, Spy: The Funny Years
  • Stephen Ellis, This Present Darkness: A History of Nigerian Organized Crime
  • Jason Fagone, The Woman Who Smashed Codes: A True Story of Love, Spies, and the Unlikely Heroine Who Outwitted America's Enemies
  • Paul French, City of Devils: The Two Men Who Ruled the Underworld of Old Shanghai
  • Diego Gambetta, Codes of the Underworld: How Criminals Communicate
  • Robert M. Gates, Duty: Memoirs of a Secretary at War
  • Atul Gawande, Being Mortal: Medicine and What Matters in the End
  • David Golumbia, The Politics of Bitcoin: Software as Right-Wing Extremism
  • Richards J. Heuer Jr. and Randolph H. Pherson, Structured Analytic Techniques for Intelligence Analysis
  • Michael Isikoff and David Corn, Russian Roulette: The Inside Story of Putin's War on America and the Election of Donald Trump
  • Sarah Jeong, The Internet of Garbage
  • Steven Johnson, Farsighted: How We Make the Decisions That Matter the Most
  • Louise M. Kaiser and Randolph H. Pherson, Analytic Writing Guide
  • Chuck Klosterman, But What If We're Wrong?: Thinking About the Present As If It Were the Past
  • Susan Landau, Listening In: Cybersecurity in an Insecure Age
  • Peter T. Leeson, WTF?! An Economic Tour of the Weird
  • Jeffrey Lewis, The 2020 Commission Report on the North Korean Nuclear Attacks Against the United States
  • Michael Lewis, The Fifth Risk
  • Liliana Mason, Uncivil Agreement: How Politics Became Our Identity
  • Nick Mason, Inside Out: A Personal History of Pink Floyd (new updated 2017 edition)
  • Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power
  • Jefferson Morley, The Ghost: The Secret Life of CIA Spymaster James Jesus Angleton
  • Roger Naylor, The Amazing Kolb Brothers of Grand Canyon
  • Helen Nissenbaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life
  • Ellen Pao, Reset: My Fight for Inclusion and Lasting Change
  • Dana Richards, editor, Dear Martin/Dear Marcello: Gardner and Truzzi on Skepticism
  • Louis Rossetto, Change Is Good: A Story of the Heroic Era of the Internet (1st edition, #1453, Kickstarter)
  • David E. Sanger, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age
  • Eli Saslow, Rising Out of Hatred: The Awakening of a Former White Nationalist
  • Harold Schechter, The Pirate (Amazon Prime Reading "Bloodlands Collection")
  • Harold Schechter, Little Slaughterhouse on the Prairie (Amazon Prime Reading "Bloodlands Collection")
  • Harold Schechter, The Brick Slayer (Amazon Prime Reading "Bloodlands Collection")
  • Harold Schechter, Panic (Amazon Prime Reading "Bloodlands Collection")
  • Harold Schechter, Rampage (Amazon Prime Reading "Bloodlands Collection")
  • Harold Schechter, The Pied Piper (Amazon Prime Reading "Bloodlands Collection")
  • Natasha Dow Schüll, Addiction by Design: Machine Gambling in Las Vegas
  • Kevin Simler and Robin Hanson, The Elephant in the Brain: Hidden Motives in Everyday Life
  • P.W. Singer and Emerson T. Brooking, LikeWar: The Weaponization of Social Media
  • Ali Soufan, Anatomy of Terror: From the Death of Bin Laden to the Rise of the Islamic State
  • Robert Timberg, The Nightingale's Song (bio of John McCain, James Webb, Oliver North, Robert McFarlane, and John Poindexter)
  • Mick West, Escaping the Rabbit Hole: How to Debunk Conspiracy Theories Using Facts, Logic, and Respect
  • Rick Wilson, Everything Trump Touches Dies: A Republican Strategist Gets Real About the Worst President Ever
  • Michael Wolff, Fire and Fury: Inside the Trump White House
  • Bob Woodward, Fear: Trump in the White House
  • Tim Wu, The Curse of Bigness: Antitrust in the New Gilded Age
I made some progress on a few other books:
  • Herbert Asbury, The Barbary Coast: An Informal History of the San Francisco Underworld (will probably finish today)
  • Andrew Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt
  • Douglas Hofstadter and Emmanuel Sander, Surfaces and Essences: Analogy as the Fuel and Fire of Thinking
Top for 2018:  Singer and Brooking, Bergman, Balko and Carrington, Gawande, Carreyrou, Sanger, Simler and Hanson, Soufan, Isikoff and Corn, Fagone, French, Schüll, Michael Lewis, Mason, Benkler et al., West, Wu, Saslow, Naylor. I didn't care for the Klosterman book at all--quick read, but a waste of time.

(Previously: 2017201620152014201320122011201020092008200720062005.)

Monday, January 01, 2018

Books read in 2017

Not much blogging going on here still, but here's my annual list of books read for 2017. Items with hyperlinks are linked directly to the item online (usually PDF, some of these are reports rather than books, though I've made no attempt to collect all papers, blog posts, and reports I read here), with no paywall or fee.
  • Lilian Ablon, Andy Bogart, Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits
  • Ben Buchanan, The Cybersecurity Dilemma: Hacking, Trust and Fear Between Nations
  • J.D. Chandler, Hidden History of Portland, Oregon
  • Ted Conover, Newjack: Guarding Sing Sing
  • Richard A. Clarke and R.P. Eddy, Warnings: Finding Cassandras to Stop Catastrophes
  • Thomas H. Davenport and Julia Kirby, Only Humans Need Apply: Winners & Losers in the Age of Smart Machines
  • Mike Edison, Dirty, Dirty, Dirty: Of Playboys, Pigs, and Penthouse Paupers--An American Tale of Sex and Wonder
  • FINRA, Distributed Ledger Technology: Implications of Blockchain for the Securities Industry
  • Al Franken, Al Franken, Giant of the Senate
  • David Gerard, Attack of the 50 Foot Blockchain: Bitcoin, Blockchain, Ethereum & Smart Contracts
  • Joscelyn Godwin, Upstate Cauldron: Eccentric Spiritual Movements in Early New York State
  • Jonathan Goldsmith, Stay Interesting: I Don't Always Tell Stories About My Life, But When I Do They're True and Amazing
  • Heidi Grant Halvorson, No One Understands You: And What To Do About It
  • Jon Lindsay, Tai Ming Cheung, and Derek S. Reveron, editors, China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain
  • William MacAskill, Doing Good Better: Effective Altruism and How You Can Make a Difference
  • Jane Mayer, Dark Money: The Hidden History of the Billionaires Behind the Rise of the Radical Right
  • Nick Middleton, An Atlas of Countries That Don't Exist: A Compendium of Fifty Unrecognized and Largely Unnoticed States
  • Kevin Mitnick, The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data
  • Andrew Monaghan, "The New Russian Foreign Policy Concept: Evolving Continuity," Chatham House, 2013 (PDF)
  • Milton Mueller, Will the Internet Fragment? Sovereignty, Globalization and Cyberspace
  • Tom Nichols, The Death of Expertise: The Campaign Against Established Knowledge and Why it Matters
  • David Ronfeldt, Beware the Hubris-Nemesis Complex: A Concept for Leadership Analysis
  • Thomas Rid, Rise of the Machines: A Cybernetic History
  • Gabriel Sherman, The Loudest Voice in the Room: How the Brilliant, Bombastic Roger Ailes Built Fox News--and Divided a Country
  • Doug Stanhope, Digging Up Mother: A Love Story
  • Doug Stanhope, This Is Not Fame: A "From What I Re-Memoir"
  • Charles Stross, Halting State
  • Charles Stross, Rule 34
  • Sarah Vowell, Unfamiliar Fishes
  • Timothy Walton, Challenges in Intelligence Analysis: Lessons from 1300 BCE to the Present
  • Kristan J. Wheaton and Melonie K. Richey, Strawman
  • Ilya Zaslavskiy, How Non-State Actors Export Kleptocratic Norms to the West (PDF)
I may or may not have made progress on a few other books (first four from 2017, next two from 2016, one from 2015,  next three from 2014, next three from 2013, last two still not finished from 2012--I have trouble with e-books, especially very long nonfiction e-books):
  • Helen Nissenbaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life
  • Dana Richards, editor, Dear Martin/Dear Marcello: Gardner and Truzzi on Skepticism
  • Richards J. Heuer, Jr., Structured Analytics Techniques for Intelligence Analysis
  • Louis M. Kaiser, Analytic Writing Guide
  • Andreas Antonopoulos, Mastering Bitcoin: Unlocking Digital Cryptocurrencies (now 2nd ed)
  • Robert M. Gates, Duty: Memoirs of a Secretary at War
  • John Searle, Making the Social World
  • Andrew Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt
  • Massimo Pigliucci and Maarten Boudry, Philosophy of Pseudoscience: Reconsidering the Demarcation Problem
  • Steven Pinker, The Sense of Style: The Thinking Person's Guide to Writing in the 21st Century
  • Richard Bejtlich, The Practice of Network Security Monitoring
  • James Grimmelmann, Internet Law: Cases & Problems (v2; v3 is out now)
  • Douglas Hofstadter and Emmanuel Sander, Surfaces and Essences: Analogy as the Fuel and Fire of Thinking
  • Mark Dowd, John McDonald, and Justin Schuh, The Art of Software Security Assessment: Identifying and Avoiding Software Vulnerabilities
  • Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications
Top for 2017:  Rid, Buchanan, Sherman, Mayer, Clarke and Eddy, Conover, Middleton.

I completed three Coursera courses in 2017, two of which I recommend:


(Previously: 201620152014201320122011201020092008200720062005.)

Sunday, March 12, 2017

Rep. Tom Graves' Active Cyber Defense Certainty Act

Rep. Tom Graves (R-GA14) has circulated a draft bill, the "Active Cyber Defense Certainty Act" (or ACDC Act), which amends the Computer Fraud and Abuse Act (18 USC 1030) to legalize certain forms of "hacking back" for the purposes of collecting information about an attacker in order to facilitate criminal prosecution or other countermeasures.

The bill as it currently stands is not a good bill, for the following reasons:

1. It ignores the recommendations in a recent report, "Into the Gray Zone: Active Defense by the Private Sector Against Cyber Threats," from the Center for Cyber & Homeland Security at the George Washington University. This report distinguishes between low-risk active defense activities within the boundaries of the defender's own network, such as the use of deceptive technology (honeypots, honeynets, tarpitting), the use of beaconing technology to provide notifications in case of intrusions, and research in deep and dark web underground sites, on the one hand, and higher-risk active defense activities such as botnet takedowns, sanctions and indictments, white-hat ransomware, and rescue missions to recover stolen assets, on the other. One of the report's key questions for an active defense measure is "is the active defense measure authorized, whether by an oversight body, law enforcement, or the owner of the affected network?"  This bill creates no mechanism for providing particular authorizations (also see points 2 and 3, below).

The "Into the Gray Zone" report also suggests that if a decision is made to authorize the accessing of a remote system (an attacker's system is almost always the system of another victim) for information collection purposes, it should be limited to cases in which a defender can "assert a positive identification of the hostile actor with near certainty, relying on multiple credible attribution methods." This, however, seems too strict a condition to impose.

Finally, however, this report advises that, even without a change in the law, DOJ "should exercise greater discretion in choosing when to enforce the CFAA and other relevant laws, and should provide clarity about how it intends to exercise such discretion. Companies engaging in activities that may push the limits of the law, but are intended to defend corporate data or end a malicious attack against a private server should not be prioritized for investigation or prosecution." (p. 28) The report cites active defense activity by Google in response to hacking from China as an example where there was no prosecution or sanction for accessing remote systems being used by attackers. This proposal seems to me a wiser course of action than adopting this bill. (Also see point 5, below.)

2. It disregards the recommendations from the Center for Strategic and International Studies Cyber Policy Task Force on the subject of active defense. The CSIS Cyber Policy Task Force report contains a short three-paragraph section on active defense (p. 14) which throws cold water on the idea, calling active defense "at best a stopgap measure, intended to address companies’ frustration over the seeming impunity of transborder criminals" and affirming that only governments should be authorized to engage in activities on the high-risk side, and that it is their responsibility to coordinate and engage in such activity. It does offer up a possibility for a proposal that allows accessing remote systems by private parties in its last sentence: "Additionally, the administration could consider measures, carried out with the prior approval of federal law enforcement agencies (most likely requiring a warrant to enter a third-party network) to recover or delete stolen data stored on servers or networks under U.S. jurisdiction." This bill does not require approval from federal law enforcement agencies or a warrant for accessing remote systems or networks, and jurisdiction is only implicit.

3. While the proposal in the bill resembles a proposal made in a Mercatus Center at George Mason University proposal by Anthony Glosson, it adopts the carrot element of the proposal while neglecting the stick. Glosson's proposal is that, like this bill, private parties should be permitted to access remote attacking systems in order to collect information ("observation and access"), but not to engage in "disruption and destruction." However, Glosson suggests three requirements be present to make such access and information collection permissible, and if those requirements are not present, that there be "stiff statutory damages" imposed. The bill omits any statutory damages, and imposes only one of Glosson's three requirements (though a previous version of the bill included the second). Glosson's three requirements are (1) that the defender's actions are limited to observation and access, (2) that the attacker was routing traffic through the defender's network at the time of the active defense action, and (3) that obtaining the owner of the attacking system's cooperation at the time of the attack was impractical.  This third criterion is a critical one, and a good way to observe the undesirability of this bill is to imagine that you are the owner of the intermediary system used by the attacker to go after a third party--what would you want that third party to be able to do with your system without your permission or consent?

4. The bill appears to have been somewhat hastily written and sloppily updated, failing to update a persistent typographical error ("the victim' [sic] own network") through its revisions, and the current version seems to be somewhat incoherent. In its current form it is unlikely to meet its short title objective of encouraging certainty.

The current version of the bill makes it legal for a victim of a "persistent unauthorized intrusion" to access "without authorization the computer of the attacker to the victim' [sic] own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim's own network," so long as this does not destroy information on the system, cause physical injury, or create a threat to public health or safety.

The phrase "without authorization the computer of the attacker to the victim's own network" doesn't make sense [it should say "attacker of" or "attacker against"], and appears to be the result of poor editing from the prior version of the bill, which made permissible accessing "without authorization a computer connected to the victim' [sic] own network", with the rest of the text remaining the same. This prior wording apparently attempted to thread the needle of the GWU "Into the Gray Zone" report by defining the accessing of a remote system as being within the boundaries of the defender's own network, and thus on the low-risk side of the equation. However, the wording "connected to the victim's own network" is ambiguous and unclear--does it mean directly connected (e.g., to a WiFi access point or LAN port on a switch), in which case this is much less useful, or does it mean any active session flow of packets over the Internet into the victim's network (similar to Glosson's second requirement)? The latter is the more reasonable and charitable interpretation, but it should be made more explicit and could perhaps be too strict--what happens if the attacker disconnects just moments before the active defense activity begins?

Left unsaid in the bill is what can be done with information collected from the attacking system, which might include information belonging to other victims, the exposure of which could cause harm. Presumably other remedies from other statutes would exist if a defender engaged in such exposure, but it seems to me that this bill would be improved by making the parameters of permissible action more explicit and restrictive. Perhaps the current wording limits actions to information sharing with law enforcement and reconfiguration of one's own defensive systems based on the collected information, but "to disrupt continued unauthorized activity against the victim's own network" is a purpose that could be achieved by a much broader set of actions, which could cause harm to other victims.

5. It's not clear that the bill is necessary, given that security researchers are today (as they have been for years) taking steps to access infrastructure used by malicious cyber threat actors in order to monitor their activity and collect intelligence information. They are already making legal and regulatory risk decisions which incorporate the existing CFAA, and deciding to proceed anyway.

If this bill is to move forward, it needs some additional work.

(News story on the bill: Michael Mimoso, "Active Defense Bill Raises Concerns of Potential Consequences," ThreatPost.
Further reading: Paul Rosenzweig, "A Typology for Evaluating Active Cyber Defenses," Lawfare blog)

UPDATE (March 14, 2017): Robert Chesney wrote a good critique of the bill at the Lawfare blog, "Legislative Hackback: Notes on the Active Cyber Defense Certainty Act discussion draft," in which he points out that the word "persistent" is undefined and vague, notes that "intrusion" excludes distributed denial of service attacks from permissible cases of response under this bill, and wisely notes that there may be multiple computers in an attack chain used by the attacker, while the bill is written as though there is only one.  (It is also noteworthy that an attacking IP could be a firewall in front of an attacking machine, and a response attempting to connect to that IP could be redirected to a completely different system.)  Chesney also questions whether destroying information is the right limit on responsive activity, as opposed to altering information (such as system configurations). He also notes that the restrictions for destruction, physical injury, and threats to public health and safety are probably insufficient, noting as I did above that there could be other forms of harm from disseminating confidential information discovered on the attacking system.

I think a more interesting bill that would create incentives for companies to invest in security and to appropriately share information about attacks (rather than trying to hide it) would be a bill that created a safe harbor or liability limits for a company whose systems are used to attack third parties, if they have taken certain precautionary measures (such as having patched all known vulnerabilities more than 30 days old, and having a continuous monitoring program) and if they also share in a timely manner information about their breach.

UPDATE (May 25, 2017): Rep. Graves has released a version 2.0 of his bill which is vastly improved, addressing almost all of my concerns above. The new Sec. 2 of the bill puts the use beaconing technology on a sound legal footing, which is consistent with the recommendations of the CSIS "Into the Gray Zone" report. The new Sec. 4 of the bill requires notification of the FBI, which, while it isn't the notification of/deferral to organizations which have their own cyber defense teams to protect and investigate their own compromised infrastructure, it might effectively serve the same purpose, and it also provides a deterrent to irresponsible active defense.  The core of the former bill, Sec. 3, has been revised to limit what can be done, so that now taking or exposing content on the attacker machine belonging to other parties would not be permissible. And there is also a new Sec. 5 of the bill, which sunsets it after two years. I cautiously support the new bill as a potentially useful experiment.

UPDATE (October 14, 2017): A new version of the bill was released this week which has further improvements. Instead of just creating an exemption to the CFAA, it creates a defense to a criminal charge, and makes clear that it is not a defense for civil liability. This means if you are within the bounds of the new rules accessing the systems of a third party which is another victim of the attacker, you won't go to jail for it, but you could still be successfully sued for damages by that third party. The new version of the bill also lists a few more things which you are NOT permitted to do in order to use the defense, and it requires that the FBI create a program for receiving advance notices from individuals and organizations that intend to use these measures, as well as a requirement for an annual assessment of this legislation's effectiveness.

UPDATE (February 2, 2018): There are still a few issues with the current version of the Graves bill. (1) It doesn't require defenders to document and disclose actions taken against systems not owned by the attacker to the owners of those systems. (2) It places no limits on what vulnerabilities may be exploited on intermediary or attacker systems. (3) It allows destructive actions against information which belongs to the defender, as well as against any information or system which belongs to the attacker. (4) It does not limit the targets to systems within U.S. jurisdiction, or does it require any judicial approval. Attacks on systems outside U.S. jurisdiction could result in state-sponsored blowback. (5) The exception to permitted activity for any action which "intentionally results in intrusive or remote access into an intermediary's computer" seems at odds with the overall proposal, since 90%+ of the time the systems used by attackers will belong to an intermediary. (6) Sec. 5's requirement that the FBI be notified and presented with various pieces of information prior to the active defense seems both too strict and too loose. Too strict in that it doesn't allow pre-certification and must occur in the course of an attack, too loose in that it requires that the FBI acknowledge receipt before proceeding but no actual approval or certification, and that there's a loophole on one of the required pieces of information to be given to the FBI, which is any other information requested by the FBI for the purposes of oversight. Since all the active defender requires is acknowledgment of receipt, if the FBI doesn't request any such further information as part of that acknowledgement, the defender is good to go immediately at that point before any further information is provided. Sec. 5 is kind of a fake certification process--there is no actual certification or validation process that must occur.

Thursday, February 16, 2017

Confusing the two Trump cybersecurity executive orders

In Andy Greenberg's Wired article on February 9, 2017, "Trump Cybersecurity Chief Could Be a 'Voice of Reason," he writes:
But when Trump’s draft executive order on cybersecurity emerged last week, it surprised the cybersecurity world by hewing closely to the recommendations of bipartisan experts—including one commission assembled by the Obama administration.
The described timing and the link both refer to the original draft cybersecurity executive order, which does not at all resemble the recommendations of Obama's Commission on Enhancing National Cybersecurity or the recommendations of the Center for Strategic and International Studies Cyber Policy Task Force, which both included input from large numbers of security experts. Contrary to what Greenberg says, the executive order he refers to was widely criticized on a number of grounds, including that it is incredibly vague and high level, specifies an extremely short time frame for its reviews, and that it seemed to think it was a good idea to collect information about major U.S. vulnerabilities and defenses into one place and put it into the hands of then-National Security Advisor Michael T. Flynn. That original version of the executive order resembled the Trump campaign's website policy proposal on cybersecurity.

The positive remarks, instead, were for a revised version of the cybersecurity executive order which was verbally described to reporters on the morning of January 31, the day that the signing of the order was expected to happen at 3 p.m., after Trump met for a listening session with security experts. The signing was cancelled, and the order has not yet been issued, but a draft subsequently got some circulation later in the week and was made public at the Lawfare blog on February 9.

This executive order contains recommendations consistent with both the Cybersecurity Commission report and the CSIS Cyber Policy Task Force report, mandating the use of the NIST Cybersecurity Framework by federal agencies, putting the Office of Management and Budget (OMB) in charge of enterprise risk assessment across agencies, promoting IT modernization and the promotion of cloud and shared services infrastructure, and directing DHS and other agency heads to work with private sector critical infrastructure owners on defenses.

One key thing it does not do, which was recommended by both reports, is elevate the White House cybersecurity coordinator role (a role which the Trump administration has not yet filled, which was held by Michael Daniel in the Obama administration) to an Assistant to the President, reflecting the importance of cybersecurity. Greenberg's piece seems to assume that Thomas Bossert is in the lead cybersecurity coordinator role, but his role is Homeland Security Advisor (the role previously held by Lisa Monaco in the Obama administration), with broad responsibility for homeland security and counterterrorism, not cybersecurity-specific.

Despite Greenberg's error confusing the two executive orders being pointed out to him on Twitter on February 9, the article hasn't been corrected as of February 16.

Sunday, January 01, 2017

Books read in 2016

Not much blogging going on here still, but here's my annual list of books read for 2016. Items with hyperlinks are linked directly to the item online (usually PDF, some of these are reports rather than books), with no paywall or fee.
  • Andreas Antonopoulos, The Internet of Money
  • Herbert Asbury, The Gangs of New York: An Informal History of the Underworld
  • Rob Brotherton, Suspicious Minds: Why We Believe Conspiracy Theories
  • Center for Cyber & Homeland Security, Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats
  • Michael D'Antonio, Never Enough: Donald Trump and the Pursuit of Success
  • Henning Diedrich, Ethereum: Blockchains, Digital Assets, Smart Contracts, Decentralized Autonomous Organizations
  • Martin Ford, Rise of the Robots: Technology and the Threat of a Jobless Future
  • Emma A. Jane and Chris Fleming, Modern Conspiracy: The Importance of Being Paranoid
  • Roger Z. George and James B. Bruce, editors, Analyzing Intelligence: Origins, Obstacles, and Innovations
  • Peter Gutmann, Engineering Security
  • House Homeland Security Committee, Going Dark, Going Forward: A Primer on the Encryption Debate
  • Dr. Rob Johnston, Analytic Culture in the U.S. Intelligence Community: An Ethnographic Study
  • R.V. Jones, Most Secret War
  • Fred Kaplan, Dark Territory: The Secret History of Cyber War
  • Maria Konnikova, The Confidence Game: Why We Fall for It...Every Time
  • Adam Lee, hilarious blog commentary on Atlas Shrugged
  • Deborah Lipstadt, Denying the Holocaust: The Growing Assault on Truth and Memory
  • Dan Lyons, Disrupted: My Misadventure in the Startup Bubble
  • Geoff Manaugh, A Burglar's Guide to the City
  • Felix Martin, Money: The Unauthorized Biography--From Coinage to Cryptocurrencies
  • Nathaniel Popper, Digital Gold: Bitcoin and the Inside Story of the Misfits and Millionaires Trying to Reinvent Money
  • John Allen Paulos, A Numerate Life: A Mathematician Explores the Vagaries of Life, His Own and Probably Yours
  • Mary Roach, Grunt: The Curious Science of Humans at War
  • Jon Ronson, The Elephant in the Room: A Journey into the Trump Campaign and the "Alt-Right"
  • Oliver Sacks, On the Move: A Life
  • Luc Sante, Low Life: Lures and Snares of Old New York
  • Adam Segal, The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age
  • Steve Silberman, NeuroTribes: The Legacy of Autism and the Future of Neurodiversity
  • Richard Stiennon, There Will Be Cyberwar: How the Move to Network-Centric War Fighting Has Set the Stage for Cyberwar
  • Russell G. Swenson, editor, Bringing Intelligence About: Practitioners Reflect on Best Practices
  • U.S. Army Special Operations Command, "Little Green Men": A Primer on Modern Russian Unconventional Warfare, Ukraine, 2013-2014
  • Joseph E. Uscinski and Joseph M. Parent, American Conspiracy Theories
  • Paul Vigna and Michael J. Casey, The Age of Crypto Currency: How Bitcoin and the Blockchain Are Challenging the Global Economic Order
I made progress on a few other books (first four from 2016, one from 2015,  next three from 2014, next three from 2013, last two still not finished from 2012--I have trouble with e-books, especially very long nonfiction e-books):
  • Andreas Antonopoulos, Mastering Bitcoin: Unlocking Digital Cryptocurrencies
  • Robert M. Gates, Duty: Memoirs of a Secretary at War
  • Jocelyn Godwin, Upstate Cauldron: Eccentric Spiritual Movements in Early New York State
  • Thomas Rid, Rise of the Machines: A Cybernetic History
  • John Searle, Making the Social World
  • Andrew Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt
  • Massimo Pigliucci and Maarten Boudry, Philosophy of Pseudoscience: Reconsidering the Demarcation Problem
  • Steven Pinker, The Sense of Style: The Thinking Person's Guide to Writing in the 21st Century
  • Richard Bejtlich, The Practice of Network Security Monitoring
  • James Grimmelmann, Internet Law: Cases & Problems (v2; v3 is out now)
  • Douglas Hofstadter and Emmanuel Sander, Surfaces and Essences: Analogy as the Fuel and Fire of Thinking
  • Mark Dowd, John McDonald, and Justin Schuh, The Art of Software Security Assessment: Identifying and Avoiding Software Vulnerabilities
  • Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications
Top ten for 2016:  Sacks, Silberman, Jane & Fleming, Konnikova, Manaugh, Lyons, Popper, Uscinski & Parent, Jones, Lipstadt.

(Previously: 20152014201320122011201020092008200720062005.)

Friday, January 01, 2016

Books read in 2015

Not much blogging going on here lately, but here's my annual list of books read for 2015:
  • George A. Akerlof and Robert J. Shiller, Phishing for Phools: The Economics of Manipulation & Deception
  • Jeffrey S Bardin, The Illusion of Due Diligence: Notes from the CISO Underground
  • Bill Browder, Red Notice: A True Story of High Finance, Murder, and One Man's Fight for Justice
  • Ron Chernow, Alexander Hamilton
  • Gabriella Coleman, Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous
  • Karen Dawisha, Putin's Kleptocracy: Who Owns Russia?
  • Laura DeNardis, The Global War for Internet Governance
  • Daniel C. Dennett and Linda LaScola, Caught in the Pulpit: Leaving Belief Behind
  • Mary Douglas and Aaron Wildavsky, Risk and Culture: An Essay on the Selection of Technological and Environmental Dangers
  • William J. Drake and Monroe Price, editors, Internet Governance: The NETmundial Roadmap
  • Jon Friedman and Mark Bouchard, Definitive Guide to Cyber Threat Intelligence
  • Marc Goodman, Future Crimes: Everything is Connected, Everyone is Vulnerable, and What We Can Do About It
  • Marc Hallet, A Critical Appraisal of George Adamski: The Man Who Spoke to the Space Brothers
  • Shane Harris, @War: The Rise of the Military-Internet Complex
  • Peter T. Leeson, The Invisible Hook: The Hidden Economics of Pirates
  • Reed Massengill, Becoming American Express: 150 Years of Reinvention and Customer Service
  • James Andrew Miller and Tom Shales, Live From New York: The Complete, Uncensored History of Saturday Night Live, as Told By Its Stars, Writers, and Guests (two new chapters)
  • David T. Moore, Critical Thinking and Intelligence Analysis
  • Richard E. Nisbett, Mindware: Tools for Smart Thinking
  • Tony Ortega, The Unbreakable Miss Lovely: How the Church of Scientology Tried to Destroy Paulette Cooper
  • Whitney Phillips, This is Why We Can't Have Nice Things: Mapping the Relationship Between Online Trolling and Mainstream Culture
  • Joseph M. Reagle, Jr., Reading the Comments: Likers, Haters, and Manipulators at the Bottom of the Web
  • Jon Ronson, Lost at Sea: The Jon Ronson Mysteries
  • Jon Ronson, So You've Been Publicly Shamed
  • Bruce Schneier, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World
  • P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know
  • David Skarbek, The Social Order of the Underworld: How Prison Gangs Govern the American Penal System
  • Andrei Soldatov and Irina Borogan, The Red Web: The Struggle Between Russia's Digital Dictators and the New Online Revolutionaries
  • Philip E. Tetlock and Dan Gardner, Superforecasting: The Art and Science of Prediction
  • Richard H. Thaler, Misbehaving: The Making of Behavioral Economics
I made progress on a few other books (first two last year,  next four from 2014, next three from 2013, last two still not finished from 2012--I have trouble with very long nonfiction e-books):
  • Roger Z. George and James B. Bruce, editors, Analyzing Intelligence: Origins, Obstacles, and Innovations
  • John Searle, Making the Social World
  • Peter Gutmann, Engineering Security
  • Andrew Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt
  • Massimo Pigliucci and Maarten Boudry, Philosophy of Pseudoscience: Reconsidering the Demarcation Problem
  • Steven Pinker, The Sense of Style: The Thinking Person's Guide to Writing in the 21st Century
  • Richard Bejtlich, The Practice of Network Security Monitoring
  • James Grimmelmann, Internet Law: Cases & Problems (v2; v3 is out now)
  • Douglas Hofstadter and Emmanuel Sander, Surfaces and Essences: Analogy as the Fuel and Fire of Thinking
  • Mark Dowd, John McDonald, and Justin Schuh, The Art of Software Security Assessment: Identifying and Avoiding Software Vulnerabilities
  • Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications
Top ten for 2015:  Browder, Chernow, Coleman, Ronson (Shamed), Schneier, Phillips, Nisbett, Ortega, Miller and Shales, Thaler. I bought and read Bardin's book because Richard Bejtlich identified it as a "train wreck," and it was.

(Previously: 2014201320122011201020092008200720062005.)

Monday, November 23, 2015

A few thoughts on OpenBSD 5.8

I've been using OpenBSD since way back at release 2.3 in 1998, so I've gone through upgrades that took a fair amount of work due to incompatible changes, like the switch from ipf to pf for host firewalling or the change to ELF binaries. The upgrade from 5.7 to 5.8 was a pretty smooth and easy one, for the most part. The two most painful changes for me were the replacement of sudo with doas and the dropping of support in the rc.conf for the pf_rules variable.  While sudo is still available as a package, I like the idea of reducing attack surface with a simpler program, so I made the switch. The two things I miss most about sudo are the ability to authenticate for a period of time and the ability to have a single config file across a whole set of servers. The former I'm just living with, the latter I've adjusted to by having a single config file that has lines commented out depending on which server it's on. I did have one moment of concern about the quality of doas when it incorrectly reported the line number on which I had a syntax error in the config file--fortunately, this was just a failure to increment the line count on continuation lines (ending with a "\") which is fixed in the -current release.

The removal of the pf_rules variable support from rc.conf was a bigger issue--I used to just put the default pf.conf rules file in place with each release and upgrade, and keep my changes in a pf.conf.local file that was specified in the pf_rules variable. The effect was that from the period after the upgrade until I noticed the change, my systems were using the default rules and thus more exposed than they were supposed to be. This wasn't the first time an incompatible change decreased my level of security--the removal of tcpwrappers support from SSH was another. I used to use a combination of pf rules and hosts.allow as additional layers of protection on my SSH access, and had a set of tools that allowed me to easily add IP addresses to or remove them from my hosts.allow files. This would have been a layer of defense still in place with the loss of my pf rules, had it still been in existence. Fortunately, I also have SSH on a non-standard port and only allow SSH key logins, not user/password logins, and most of my systems can't be reached on any port without first making a VPN connection, which requires two-factor authentication.

A minor annoying change that was made in 5.8 was putting the file /var/unbound/db/root.key into /etc/changelist, so that the file gets checked daily by the security script. The issue with this is that if you are actually using unbound with DNSSEC, this file changes daily, though only in the comments. My "reportnew" log monitoring tool has a feature that allows you to be notified if files that are expected to change on some periodic schedule do not change, and that would be more appropriate than getting daily notifications that yes, the autotrust anchor file has been updated yet again. But what would really be ideal here would be a check that the non-comment components have not changed. (Others have also complained about this.)

A final issue I've run into with OpenBSD 5.8 is not a new issue, but it's one that still hasn't been fixed with pf. That is that pf logs certain traffic (IGMP in particular) when it matches a rule that does not call for logging. This appears to be the same issue that was fixed earlier this year in pfsense, which is derived from an older fork of pf.