Organizational Doxing

Recently, WikiLeaks began publishing over half a million previously secret cables and other documents from the Foreign Ministry of Saudi Arabia. It's a huge trove, and already reporters are writing stories about the highly secretive government.

What Saudi Arabia is experiencing isn't common, but it is part of a growing trend.

Just last week, unknown hackers broke into the network of the cyber-weapons arms manufacturer Hacking Team and published 400 gigabytes of internal data, describing, among other things, its sale of Internet surveillance software to totalitarian regimes around the world.

Last year, hundreds of gigabytes of Sony's sensitive data was published on the Internet, including executive salaries, corporate emails and contract negotiations. The attacker in this case was the government of North Korea, which was punishing Sony for producing a movie that made fun of its leader. In 2010, the U.S. cyberweapons arms manufacturer HBGary Federal was a victim, and its attackers were members of a loose hacker collective called LulzSec.

Edward Snowden stole a still-unknown number of documents from the National Security Agency in 2013 and gave them to reporters to publish. Chelsea Manning stole three-quarters of a million documents from the U.S. State Department and gave them to WikiLeaks to publish. The person who stole the Saudi Arabian documents might also be a whistleblower and insider but is more likely a hacker who wanted to punish the kingdom.

Organizations are increasingly getting hacked, and not by criminals wanting to steal credit card numbers or account information in order to commit fraud, but by people intent on stealing as much data as they can and publishing it. Law professor and privacy expert Peter Swire refers to "the declining half-life of secrets." Secrets are simply harder to keep in the information age. This is bad news for all of us who value our privacy, but there's a hidden benefit when it comes to organizations.

The decline of secrecy means the rise of transparency. Organizational transparency is vital to any open and free society.

Open government laws and freedom of information laws let citizens know what the government is doing, and enable them to carry out their democratic duty to oversee its activities. Corporate disclosure laws perform similar functions in the private sphere. Of course, both corporations and governments have some need for secrecy, but the more they can be open, the more we can knowledgeably decide whether to trust them.

This makes the debate more complicated than simple personal privacy. Publishing someone's private writings and communications is bad, because in a free and diverse society people should have private space to think and act in ways that would embarrass them if public.

But organizations are not people and, while there are legitimate trade secrets, their information should otherwise be transparent. Holding government and corporate private behavior to public scrutiny is good.

Most organizational secrets are only valuable for a short term: negotiations, new product designs, earnings numbers before they're released, patents before filing, and so on.

Forever secrets, like the formula for Coca-Cola, are few and far between. The one exception is embarrassments. If an organization had to assume that anything it did would become public in a few years, people within that organization would behave differently.

The NSA would have had to weigh its collection programs against the possibility of public scrutiny. Sony would have had to think about how it would look to the world if it paid its female executives significantly less than its male executives. HBGary would have thought twice before launching an intimidation campaign against a journalist it didn't like, and Hacking Team wouldn't have lied to the UN about selling surveillance software to Sudan. Even the government of Saudi Arabia would have behaved differently. Such embarrassment might be the first significant downside of hiring a psychopath as CEO.

I don't want to imply that this forced transparency is a good thing, though. The threat of disclosure chills all speech, not just illegal, embarrassing, or objectionable speech. There will be less honest and candid discourse. People in organizations need the freedom to write and say things that they wouldn't want to be made public.

State Department officials need to be able to describe foreign leaders, even if their descriptions are unflattering. Movie executives need to be able to say unkind things about their movie stars. If they can't, their organizations will suffer.

With few exceptions, our secrets are stored on computers and networks vulnerable to hacking. It's much easier to break into networks than it is to secure them, and large organizational networks are very complicated and full of security holes. Bottom line: If someone sufficiently skilled, funded and motivated wants to steal an organization's secrets, they will succeed. This includes hacktivists (HBGary Federal, Hacking Team), foreign governments (Sony), and trusted insiders (State Department and NSA).

It's not likely that your organization's secrets will be posted on the Internet for everyone to see, but it's always a possibility.

Dumping an organization's secret information is going to become increasingly common as individuals realize its effectiveness for whistleblowing and revenge. While some hackers will use journalists to separate the news stories from mere personal information, not all will.

Both governments and corporations need to assume that their secrets are more likely to be exposed, and exposed sooner, than ever. They should do all they can to protect their data and networks, but have to realize that their best defense might be to refrain from doing things that don't look good on the front pages of the world's newspapers.


This essay previously appeared on CNN.com. I didn't use the term "organizational doxing," though, because it would be too unfamiliar to that audience.

EDITED TO ADD: This essay has been translated into German.

Posted on July 10, 2015 at 4:32 AM • 45 Comments

Comments

CouldntPossiblyComment • July 10, 2015 5:24 AM

While a lovely sentiment & one that is easy to agree with in principle, there is an implicit assumption that stuff turning up on newspapers, social media, etc. & the reaction to it is a good barometer of what is good for society (and which society?).

Anyone observing the way trends and reactions are manipulated would suggest that widespread doxxing isn't necessarily a healthy outcome. I take issue, for example, with the notion of 'doxxing for good'. Mobs aren't known for their impartial common sense or ability to distinguish jokes from serious content & there are plenty of innocents still caught up in the repercussions today. It also ignores the question of who it's good for, and according to whom.

That doesn't make transparency and 'do the right thing' an incorrect stance; it does move the battlefield squarely into controlling public opinion & a society's mores (and I'm sure there are plenty ready to explain that that has been going on a long time already).

Clive Robinson • July 10, 2015 6:23 AM

"Organizations are increasingly getting hacked, and not by criminals wanting to steal credit card numbers or account information in order to commit fraud, but by people intent on stealing as much data as they can and publishing it."

I predicted much of this years ago back when what we now call "botnets" did not have a name as they were just coming to people's attention.

I later pointed out in one of my little arguments with Richard Clayton over at Camb Labs (see their lightbluetouchpaper blog) that the controllers of such networks were not monetizing their illicit assets in anything approaching a sensible way. That is, renting them out for spam and DDoS was penny-ante compared to the benefits of lifting documents etc., and that it also meant they could keep their illicit assets covertly much longer than otherwise (thus predicting APT before it had a name).

It was quite a while after that that Zeus was the first known malware of its type to have searching for documents included.

What few realise is that Doxing is or can be a monetizing activity. If you pick the right company you can, using the futures market through proxies, make a large sum from it.

Take Sony PE for instance: that movie was a dog, no doubt about that, and it was destined to make a loss; quite a few insiders and thus a fair number of outsiders would have known it was going to have an effect on SPE's stock value. It's not difficult to see that both SPE executives and others playing the futures market could gain considerably by the Doxing; it needed no unsupported Presidential statement about the US's current bogeyman (NK) as an impetus to get the money ball rolling.

The trick to monetizing doxing is not being obvious in what you do. A big play on the future share value of the hit organisation is going to draw attention, much less so that of its suppliers and competitors.

The only way to stop doxing for financial gain is, as Bruce has noted, greater transparency in certain areas of company activities.

However, keeping C-row and above execs on properly air-gapped systems might also reduce the incidence of doxing as well.

MoJo • July 10, 2015 6:35 AM

Was it North Korea that hacked Sony? Considering that the US security services claimed it was, that's almost certainly a lie. I thought it had been debunked.

Elvis is back • July 10, 2015 6:51 AM

"Doxing" may be nice but "exposure" is closer to real people's understanding.

JdL • July 10, 2015 7:53 AM

"The attacker in this case was the government of North Korea..."

Has that definitely been established? Last I heard, many "security experts" thought it highly implausible that North Korea could pull off such a hack. But you're a security expert, treating it as fact, so I must have missed something?

Jayson • July 10, 2015 9:00 AM

I like the thought that it's a trend toward open society....but we all know that the trend will soon be labelled "Infoterrorism" and punished accordingly.

J on the river Lethe • July 10, 2015 9:22 AM

@bruce

1. Yes, some secrets are important, such as diplomacy efforts, military, Econ, etc.
2. People can become desensitized to the flood of info, just as they do in anything else. There is an alarming decline in civility here in the U.S. The crowd or herd can be a fearsome thing. But the same crowd would fail a 1950's civics test, anyway.
3. The OPM breach may have gone on for a year. A year? BTW, on a COBOL system? Unencrypted. A lot of systems that can be broken into are encrypted. It may have taken them more time to learn COBOL than the time to break in. But since learning languages is easier as you go.......if COBOL, I can think of some "that era" software really old guys will be needed.
4. Productivity would take a hit. But would simple system separation and procedure help? Literally make it impossible to play Angry Birds on anything connected to a database, or email, etc. Spear phishing has been a common vector for a long time now.
What do you think of that?
5. Just as a pilot joke goes, "the only time you have too much fuel is when you are on fire."
Well, a security one I would add: the only time you have too much security is when you are in charge of it. Human nature seems to be either paranoid measures or inadequate. But pessimism may be a survival tool after all.
Just as a chemist can blow stuff up, security is seeing the shockwaves, but since the real nasty stuff is whooshing past them at the speed of sound they are not paying enough attention to it. For now. But the rotten egg smell is coming.

Bruce Schneier • July 10, 2015 9:42 AM

"Has that definitely been established? Last I heard, many 'security experts' thought it highly implausible that North Korea could pull off such a hack. But you're a security expert, treating it as fact, so I must have missed something?"

I don't know about "definitely been established," but since about mid January I was convinced.

bar • July 10, 2015 10:12 AM

@J on the river Lethe

Except that secrets actually impede a lot of operations. Information asymmetry is a threat to market efficiency, increases opportunities for fraud and leads to increased aggression on the part of all players.

Carlo Graziani • July 10, 2015 10:16 AM

It is worth making an important distinction between private and government secrecy: In a real democracy, citizens have a right to privacy, while government has a duty of transparency.

Unfortunately, in the US (and increasingly in the West), it's the other way around. Governments reserve the right to privacy through extensive classification and fierce legal barricades around classified information, while citizens have the duty to be transparent (to the security/law enforcement agencies) in their communications (which are not to be encrypted, according to our securocracy) and data.

Perhaps, someday, a more democratic balance of transparency and privacy can be struck. Meanwhile, while this antidemocratic situation exists and grows in scope, the doxing of government institutions is, in my opinion, a perfect duty of the civic-minded citizens who fear for their democracy.

Gert-Jan • July 10, 2015 11:08 AM

Maybe this trend is the ideal counter balance for the trend to capture all, store all and for eternity.

Why capture data you don't need? Why keep it stored when it no longer serves a purpose?

When information becomes a liability, the perverse trend of take-all may finally be slowed down.

John • July 10, 2015 11:34 AM

"The decline of secrecy means the rise of transparency."

Yet nothing seems to change, and why is anyone still pointing fingers at NK for the Sony hack? Did I miss something?

Jeffrey Radice • July 10, 2015 11:55 AM

Bruce, apparently you're not the only one convinced of NK complicity. From the Wikileaks archive of Hacking Team, apparently also convinced was David Vincenzetti, who directly contradicts Mandiant and the FBI regarding the "nothing particularly sophisticated" complexity of the attack on Sony. Mandiant was hired to perform damage control / PR and the FBI has to keep that funding spigot wide open, so neither of them is an unbiased observer here.

https://wikileaks.org/hackingteam/emails/emailid/166464

"Dear Eric, Yes, North Korea is most likely behind such an attack. The attack might have been performed with the help of Chinese PLA hackers which are much better in respect to North Korean ones. It is nothing big: corporations invariably get hacked into from time to time, Governmental Institutions computer networks invariably get hacked into from time to time, from a technical point of view hacking a Governmental network is not different from hacking a large corporation computer network. BTW Sony has a very bad track record, a very bad reputation when it comes to securing its data. In fact, Sony has been hacked into a number of times and the hacking of its gaming network, allegedly performed by Anonymous a few years ago, was much more severe. Still from a technical point of view, this attack is nothing big, nothing particularly sophisticated, what indeed is technically sophisticated are some little nasty beasts such as the allegedly Russian Government sponsored Energetic Bear or OUROBOROS malware systems, or the allegedly US/Israeli Governments sponsored STUXNET malware, or the allegedly US Government sponsored REGIN, REGIN being so advanced and so innovative and hence so fascinating to me! :-) . Politically wise, if North Korea, China, Sudan or Russia would release a movie depicting the destruction of the White House I guess that both #1 The movie would be distributed in most countries anyway and #2 A public debate would be started. Finally, Iran and Russia are already showing short propaganda movies to their population in which they depict the overthrow, or the destruction, of the US by means of nuclear technologies or by other means. Take care, David"

paul • July 10, 2015 11:59 AM

This article ties very neatly back to the previous one about mandated backdoors. Because of the way that corporations and semi-governmental entities are constituted as legal persons, their lawful options for using nonstandard security are limited in comparison to those of individuals (or to those of criminal operations, which don't care so much about the lawfulness of their options).

So any mandated back door becomes an unfixable APT in the network of every company doing business in the mandating jurisdiction as soon as any unauthorized person finds out how to get access.

Anonymous Cow • July 10, 2015 12:37 PM

I still wonder if that Sony hack started out as a publicity stunt but got out of control and everybody, including POTUS, joined in.

And those speculating on any debate arising from any movie depicting the White House being occupied or destroyed: we've had a few movies already and I haven't noticed any debates. If anything the 'debates' are about such scenarios not happening. (OK, maybe Independence Day but that's another story.)

DAINTYTALK • July 10, 2015 1:39 PM

Odd turn of phrase, stole. Information of state agencies is not government property. The relevant authority is national freedom-of-information provisions, if and when they are brought into conformity with Article 19 of the ICCPR and UDHR. And in Manning's case, and arguably in the case of Snowden and Wikileaks' latest, the right of denunciation applies (the authority for that, the Santiago Declaration, is not formally customary international law but the overarching right to peace is cited by UN member nations and the UNSG.) Illegal US rights derogations mean that the people informing us should be described not as thieves but as rights defenders, which gives them a specific legal status.

"State Department officials need to be able to describe foreign leaders, even if their descriptions are unflattering." Very true. Like seat belts, it's not just a good idea, it's the law: Vienna Convention on Diplomatic Relations Article 27, which like all laws applies to every treaty party, not just us. So maybe stealing legally inviolable diplomatic communications is not really what we want the NSA to be doing.

There are strict conventions for discussing US state conduct: everything's policy, there are no rules. This piece conforms to those restrictions. Public intellectuals are rewarded for staying in character as chin-scratching philosophers, dreaming things up from scratch like nobody ever thought of that before. The unspeakable thing is, the rules are set out in black and white. Our government agreed to them. It's a matter not of policy but of law. There is no on-the-one-hand, on-the-other-hand. Instead there are things that the state may not do. It's categorical, and bureaucrats can't bullshit their way out of it by balancing this and that. That's the best-kept state secret, guarded more carefully than RD or ECI or Eyes Only or the launch codes. Spill those beans and you wind up on the no-fly list like Francis Boyle, with your character-assassination wiki coming up as the first hit.

albert • July 10, 2015 1:57 PM

@Jeff,
"...Finally, Iran and Russia are already showing short propaganda movies to their population in which they depict the overthrown, or the destruction, of the US by means of nuclear technologies or by other means..." - you got links on this?
.
It sounds a lot like US/NATO propaganda. Nuclear war has ALWAYS been a threat. And it's always an option. Insane, of course, but true.

.
...

A Nonny Bunny • July 10, 2015 2:15 PM

@Gert-Jan

"Why capture data you don't need? Why keep it stored when it no longer serves a purpose?"
Because it's cheap to do, and may be useful in the future even if you can't think of a purpose now.


"When information becomes a liability, the perverse trend of take-all may finally be slowed down."
I wouldn't bet on it.
Besides, it's not that hard to safely store 'cold' data -- use a public key to encrypt it onto permanent storage, and put your private key in a bank safe (or split it over several).

It's the information that you need 'hot' that is the liability.

Ray Dillinger • July 10, 2015 2:25 PM

Even if computer security were perfect - which it isn't - using an organization of people to do things requires an organization of people each of whom knows what they are doing. In the first place even people who intend to keep secrets make mistakes, so you're going to have disclosures occasionally regardless. In the second place, every one of those people wakes up every day and decides whether to make a disclosure. The more your operations conflict with their personal morality, the more often they will decide to disclose.

What it comes down to, eventually, is that one person can keep a secret, and organizations are more than one person. An organization, unavoidably, is going to have disclosures and they'll get more frequent the more that organization is out of step with general morality.

Also the consequences of public disclosures will be worse for the organization the more the disclosed acts are out of step with general morality. At some point the consequences of disclosure grow so dire that your organization would be better off just not doing the things that, if it did, it would have to keep secret.

Jeffrey Radice • July 10, 2015 2:36 PM

@albert

I suggest you ask David Vincenzetti, who is attributed with the quote I cited. His email is available at the WikiLeaks link provided.

I'm not sure why any of that should be surprising, nor how it is any different from the various incarnations of the film Red Dawn or nuclear scare films of the 1980s like The Day After, etc. except maybe they have state sponsors while we leave our propagandizing to Hollywood.

Rufo Guerreschi • July 10, 2015 3:06 PM

The problem is not the general lack of privacy per se, or expectation thereof, but ONLY the asymmetry in its distribution.

Enforcing adequately both privacy and transparency requires primarily the same extreme technical and organizational standards for the entire lifecycle of the computing service involved.

David Brin • July 10, 2015 3:09 PM

"Organizational Doxing"... hm... nice terminology. And welcome to the light side of the force, Bruce, admitting at last that:

(1) the tsunami of revelation is unstoppable, but that
(2) it needn't be the end of the world - or even some privacy - if we acquire habits of reciprocal accountability. And
(3) thorough-militant sousveillance-supervision of elites.

One might have hoped for reference to earlier works on this topic, such as The Transparent Society (1997). I'd be honored if you finally got around to reading it, and thereupon took public note of how diametrically opposite your relentlessly (and unprovokedly) hostile earlier missives were, to the book's actual content --

--content with which you now apparently agree. Well, better late than never.

With cordial regards,

David Brin
http://www.davidbrin.com


Joe • July 10, 2015 4:28 PM

I don't think the internet age necessarily guarantees more transparency in government. What IS true is that hacking makes opacity as difficult as draconian punishments for whistleblowers makes transparency difficult. Unless the law tips to the favor of whistleblowers, the Security State will guarantee that they are locked up, sent off into exile and foreign embassies, and a climate of fear will have won.

Carl • July 10, 2015 4:37 PM

@ Clive Robinson, "What few realise is that Doxing is or can be a monetizing activity. If you pick the right company you can using the futures market through proxies make a large sum from it."

It's fairly obvious that cybersecurity firms suffer the most from this type of activity, which directly impairs their reputation. Sony will survive a hack. Most cybersecurity firms won't. It's just a matter of putting enough eggs into a basket through consolidation to make them prime targets. Traders and vultures have been attacking traded firms for profit long before the existence of botnets and computer hackers. This isn't anything new.

Steve • July 10, 2015 4:39 PM

@Bruce "The NSA would have had to weigh its collection programs against the possibility of public scrutiny."

Not really.

First of all, the revelations by Snowden et al. do not seem to have affected a thing. What was illegal has largely been made legal by a pliant and acquiescent Congress and Administration (hello, Senator Feinstein!).

Second, one has to wonder whether the Snowden revelations weren't planned (or at least anticipated) by the spooks. If nothing else, it's a wonderful bit of misdirection, guaranteed to sow paranoia and divert attention from the real nefarious goings on under deep deep deep cover.

While we get our shorts in a wad over the electronic equivalent of "mail covers" and peeping toms, the real dirty work goes on, unobserved.

gordo • July 10, 2015 9:01 PM

@ David Brin,

Timely, to say the least, and room for everyone.

Serendipity also brought to light the work of Gary T. Marx of MIT.

"Surveillance Studies"
Gary T Marx, Massachusetts Institute of Technology, Cambridge, MA, USA
International Encyclopedia of the Social & Behavioral Sciences, Second Edition, 2015, 733–741

From the closing paragraphs:

Surveillance practices need to be understood within specific settings in light of history, culture, social structure and the give and take of interaction, and require the appreciation (if not necessarily the welcoming) of the ironies, unintended consequences, and value conflicts that limit the best laid plans. Mushrooms do well in the dark, but so does injustice. Sunlight may bring needed accountability through visibility, but it can also blind and burn. (p. 740)

Abstract:

This article suggests some basic terms for surveillance analysis. The analysis requires a map and a common language to explain and evaluate its fundamental properties, contexts, and behaviors. Surveillance is neither good nor bad but context and comportment make it so. Topics considered in this article include: a broad definition of surveillance, its strategic and nonstrategic forms, and the traditional and new surveillance. A family of related terms – privacy, publicity, confidentiality, and secrecy – is also considered. The discussion next focuses on characteristics of the social structures that organize behavior, the characteristics of the means used, and some value conflicts and social processes seen with the emergent, interactive character of much surveillance behavior.

http://web.mit.edu/gtmarx/www/surv_studies.html

-------

Forthcoming book, December 2015:

Windows into the Soul: Surveillance and society in an age of high technology
The University of Chicago Press Books

We live in an age saturated with surveillance. Our personal and public lives are increasingly on display for governments, merchants, employers, hackers—and the merely curious—to see. In Windows into the Soul, Gary T. Marx, a central figure in the rapidly expanding field of surveillance studies, argues that surveillance itself is neither good nor bad, but that context and comportment make it so.


In this landmark book, Marx sums up a lifetime of work on issues of surveillance and social control by disentangling and parsing the empirical richness of watching and being watched. Using fictional narratives as well as the findings of social science, Marx draws on decades of studies of covert policing, computer profiling, location and work monitoring, drug testing, caller identification, and much more, Marx gives us a conceptual language to understand the new realities and his work clearly emphasizes the paradoxes, trade-offs, and confusion enveloping the field. Windows into the Soul shows how surveillance can penetrate our social and personal lives in profound, and sometimes harrowing, ways. Ultimately, Marx argues, recognizing complexity and asking the right questions is essential to bringing light and accountability to the darker, more iniquitous corners of our emerging surveillance society.

http://www.press.uchicago.edu/ucp/books/book/chicago/W/bo22228665.html

zyx • July 10, 2015 9:42 PM

"The person who stole the Saudi Arabian documents might also be a whistleblower and insider but is more likely a hacker who wanted to punish the kingdom."

I'm sure "punish" isn't the verb you were looking for.

"Expose" might be a better choice, or even such drab synonyms as:

http://www.thesaurus.com/browse/expose

Jeffrey Radice • July 10, 2015 10:26 PM

@Carl, reputational issues aside what the incident with Hacking Team illustrates quite dramatically is the power imbalance that presently exists between defensive and offensive capabilities in the realm of "cybersecurity". Hacking Team may have been effective at monetizing hacking but they were shite at keeping it at bay. In other words, it's easier to do than it is to prevent, even when you know what to look for.

Perhaps if our government (and our Five Eyes allies -- and all the black operations and homeland security budgets we collectively maintain) would pour said vast resources and human energy into fixing the aforementioned imbalances, the problems wouldn't be so dramatic. Instead, all indications and with every proposed legislative and executive solution and leak it becomes more apparent our government, us, we just make the imbalances worse.

How much of the NSA's budget is devoted to preventing these problems: through research, support of open-source projects, grants, education, thinktanks, and on ... and not in a cynical backdoor way but open and transparent? If you're not pissed off, you're not paying attention. The inmates running the asylum think they can control the problem and wield it. (a) False assumption; (b) To what end?

Mr. Robot • July 11, 2015 3:14 AM

... and I use this nick without the slightest blanche of pretension...

Look, who did not have some visceral cheer when, at the end of Fight Club, the buildings collapsed. With them all the credit records. Zeroing out the world.

Now, merge that as you will, or explain it away as you wish, but the fact remains, privacy is all about nakedness and clothes. That is, it is damned primordial. And for individuals? It is about corporations and governments - increasingly corrupt - making profit from the nakedness of individuals.

This is, I would suggest, a 'sign of the times', and a deep one at that. Individually, people might have a very happy life. Hunt, gather, whatever. But, people have wanted to band together, to have someone put up that 'golden calf', and produce sophistication which is beyond the capacity of individual effort.

As if... that actually means anything. It is a dream. A delusion. It breaks their peace. Their happy life. And? That is it.

So, it is only natural, as individuals pool together their efforts, willingly, that those they give their "plus" to... take advantage of them. They decide to take what they are given and not give back, proportionately. To supplant the individuals and "rise" their own self. And, all too often, the individual is willing to let this happen. As if to viscerally live through the "glory" (delusion) of the kingship.

It is sick, it is sad, but it is what people really want.

So, what is dox'ing in this? It is, when it is 'right on', about turning the tables. It takes from the corporate and provides to the individual what the individual had stolen. Willing participant as they were. They are, regardless, freed.

"Sneakers" summed this up nicely, I almost hate to say. "No more secrets". The trend, whether anyone likes it or not, is towards this direction. Because it is the Big... Hero Position Wanted, Anyone Can Apply.

The truth is, of course, your ordinary person is no hero, and not capable of such sophisticated attacks. But, they surely secretly long for someone or some group to help them. Because they are stuck. Their parents and their grandparents and their great-grandparents and... so on and so on... put them in this horrible place. And they just hope and pray. Dare I use such a blasphemous word. That there is someone or some group powerful enough to provide them the real freedom they truly want and need. For their someone. For their self. And for their children.

If, indeed, anyone is fortunate enough to have children. Or live forever.

Which is, according to all experts, on that very last point. Entirely, very doubtful, indeed.

But, maybe? Zuckerberg will live forever for you. Let's see if we can't race and see whose face turns a nice, ripe... dried up grape... first, lol. ;-)


Damned it God. Where are you?

Left us all here in outer space without a damned near hope for anything.....


End of sermon.

(TM. Patent. All that shit.)

Prins van de Schemering • July 11, 2015 5:35 AM

There was movement at the station, for the wog had passed around.
Salmonella, I regret, had got away.
Makes you run like wild bush horses - Sorbent made a thousand pounds,
And everybody's crack began to fray.
[...]
But one was there, a stripling, with his backside tightly shut,
Against wogs that cut a mountain man to size.
He wouldn't go outside, boys, to that lonely little hut
No diarrhoea from him could be prized.

For he hailed from Kaomagma down by Sulphanilamide
Where the wogs are twice as big and twice as tough,
Where their guts are lined with leather, (they're impregnable inside),
And a man that holds his own is good enough.


We need a phrase equivalent to "verbal diarrhoea" for organizations that need a dose of digital kaomagma ... but you're right, the secret to avoiding Sancho Panza's unfortunate experiences with Don Quixote's miraculous medicine, where he wound up voiding from both ends, is not to imbibe such vast quantities of data in the first place.

Anon • July 11, 2015 10:01 AM

@DAINTYTALK

You seem to misunderstand the nature of treaties in international law. Treaties are agreements between sovereigns, not between sovereigns and their people. Treaties in the US are not self-executing and thus cannot create individual rights. Instead, the ICCPR is more like a promise from the US to other countries that it will enact legislation to create the individual rights specified in the treaty. If the US does not enact such legislation, then arguably they might be in violation of the treaty, but until they do so no individual rights specified in the treaty apply to US citizens (except those already part of the Constitution).

mb • July 12, 2015 5:37 PM

You can't prevent a leak of networked data. If there's a path, there's a way to eventually get there. But these kinds of uber-leaks are heavily supported by a total lack of internal security at the victim.

JonS • July 12, 2015 7:08 PM

"Edward Snowden stole ... Chelsea Manning stole ... The person who stole the Saudi Arabian documents ..."

It's a semantic debate, but an important one because it ties into the narrative around copyright and DRM. Snowden, Manning, and the Saudi (SM&S) person didn't "steal" anything. They copied stuff they probably weren't supposed to or entitled to, but the original owner still has full possession of and access to anything SM&S *copied*.

Copyright maximalists like it when 'stolen' is used in this context, because it plays to their desired - but false - narrative about the type of crime being conducted. Please don't make their job easier.

Rob Jones • July 12, 2015 11:11 PM

There's an interesting choice of words in describing Hacking Team as a 'cyber-weapons arms manufacturer'. What makes them distinct from any other 'hacker' or 'cyber terrorist' given the apparent disinterest in the business of their customers beyond their ability to pony up cold hard cash and the provenance of 0-day exploits that they have purchased? It seems very much a case of 'ask me no questions and I'll tell you no lines' when it comes to potentially unpalatable truths whilst relying on the air of legitimacy afforded by doing business with nation state customers. Of course this could equally be put to the manufacturers of old fashioned killing machinery... nothing new in this.

d33t • July 13, 2015 12:10 PM

I can definitely see Robert Hare's "CEO" as being a common figure today (and for previous aeons). Psychopaths are very good at being popular for a short amount of time. Given enough time, they tend to lose popularity (hang themselves for fun) or use someone close and unknown as a patsy to take the fall when they encounter those pesky little laws (ethics) they tend to break without care or get caught murdering an odd 16 year old with a drone (perfectly legal now). The corporate structure and the fact that corps are treated as individual living beings legally, lends to having the CEO (sociopath / psychopath) as the conscience and "decider" ("changer"). Many times the art of failing upwards and the lack of marketable skills are big assets for (CEOs) world leaders and corps.

I also see some irony in pointing out the psychopath in the business world while we all live in a world where people will kill or die for bearded men they have never actually seen or shaken hands with. Somehow belief is celebrated (used) and many will gleefully do the wrong things throughout their lives for little to no money, fame or pleasure (saved for later in the "afterlife"). Living in a world full of people with bipolar tendencies (84% consider themselves religious I have read) is already taxing enough.

Although I have had a great life, and still enjoy the flowers and life's small delicacies, I also wish for better days. Globally better days. I do think it is a small infraction to be buried in the emotional baggage of the world to a degree where one can't enjoy their own life to the fullest. It is also a small crime in my world to watch and do nothing as someone suffers. At the very least I can do something indirectly helpful (helping everyone directly all of the time is difficult).

Lately there have been studies with regard to Neanderthals vs Homo Sapiens and how even after successful interbreeding and long periods of simultaneous existence, one beat out the other in "the race to be human". From some of the descriptions I've seen in docs or read of the bone evidence of Neanderthals, they were resourceful, somewhat lone wolfish, self reliant, party animals that liked to paint and sing and eat well. They also suffered from religious (bipolar?) tendencies and had ceremonial burials etc. I'm guessing that Homo Sapiens back in the day were faster breeders, organized more quickly, tended to hoard resources and possibly had leaders who had psychopathology working hard for them. Maybe they even managed to start early churches or similar institutions (governments, clubs, cadres, cartels, mafias etc). Chances are, Neanderthals lost the race due to some random cycle of events and Homo Sapiens took some tiny advantage and moved along to the next round.

The "race to be human" is still going on today. In most of the world the "cult of ruthlessness" is still the biggest religion of all, and anyone can quit or join anytime they like (great biz opportunities to be had in temples, mosques and churches et al. I hear). We really haven't evolved far enough along to completely realize we're evolving yet (or ever), and the "race to be naked apes" is in staunch competition with the "race to be human".

A lot of the whistle blowing and doxing of institutions (businesses, corps etc), I think is a form of civil disobedience. They are acts of mostly nonviolent revolution against institutions who murder, coerce, torture, exploit and rape with celebration on a daily basis. Doxing / Whistle blowing is one of the only weapons the netizenry have to defend their new homeland the "Internet" (also punishable by death of course). The eternal (published) truth with evidence is the bane of the psychopathic state, corp, individual (CEO). The irony of having to blow away the privacy of the state to defend one's own personal privacy (and of others) seems natural to me.

Eventually, maybe "national security" states, "terrorists" and corporations will be doxed so often that they will lose their ability to be so "evil" and the planet will have a chance to repair the stuff that has allowed us to live here so far.

For individual privacy there is always the possibility of widely available, well understood encryption.

65535 • July 14, 2015 1:52 AM

@ Rob Jones

“What makes them distinct from any other 'hacker' or 'cyber terrorist' given the apparent disinterest in the business of their customers beyond their ability to pony up cold hard cash and the provenance of 0-day exploits that they have purchased? It seems very much a case of 'ask me no questions and I'll tell you no lines' when it comes to potentially unpalatable truths..."

Not much. I agree.

We are seeing the raw unbecoming intercourse between criminals and police. One of Brian Krebs's posters notes how the Italian police manipulated the Border Gateway Protocol to resurrect a botnet.

“Nitefood:

“And I might add, after reading the whole email exchange between the Carabinieri and HT, that the Carabinieri came up with the BGP hijack on their own, without HT “pushing” in any way the option. The Carabinieri had lost control of the C&C VPS, and thanks to a “hook” they had inside the Italian hosting provider Aruba, they were immediately granted the propagation of the needed subnet.

“Furthermore, the Carabinieri contacted two other major Italian ISPs (Telecom Italia and Fastweb), and were granted immediate assistance by both. Fastweb responded immediately, while Telecom Italia took a little longer to comply. The Carabinieri had asked them to propagate the route without filters and limits, even if announcements came from an unrelated peer (Aruba). HT had some internal exchanges about the “trick”, but apparently they had limited technical understanding of the way the BGP hijack was going to work out… in a final email they were reportedly “cheering up” during a video chat with a Carabinieri person once their targets finally synchronized with the “new” C&C server.” –nitefood

http://krebsonsecurity.com/2015/07/hacking-team-used-spammer-tricks-to-resurrect-spy-network/comment-page-1/#comment-387032

http://krebsonsecurity.com/2015/07/hacking-team-used-spammer-tricks-to-resurrect-spy-network/#more-31533

I wonder how far this partnership between criminals and police goes. I wonder if the NSA, DEA, FBI, and local US police use these very same hacks. I cannot imagine the Italian authorities are the sole users of these hacks.

Further, I would suspect that the Italian police/HT buy some of these 0-days from the darknet and just add a GUI interface. All of which seems to be pure criminal behavior.

Hacking computers, BGP routes, and thousands of users must be against some EU law or American law [possibly an opportunity of a lifetime for class action lawyers – the nations' police services and HT have deep pockets].

Note Brian Krebs recommends removing Flash altogether to eliminate the infection vector. This must certainly hurt Adobe. I would think Adobe would have their lawyers on this – assuming Adobe has not been NSL'd.

Brian Krebs is doing a public service – but just eliminating the initial infection vector will not clean computers of modular root kits and key loggers - which brings up more questions of how to eliminate Italian police modular root kits on computers and in corporate networks.
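The route propagation described in the quoted Krebs comment (a subnet announced from an unrelated peer, with upstreams asked to carry it without filters) is exactly the situation that RPKI-style origin validation is designed to surface on the defender's side. The following is an added example, not code from this thread, from Krebs's post or from any of the parties discussed: it applies the standard origin-validation logic (a route is "valid" if some covering ROA names its origin AS and permits its prefix length, "invalid" if ROAs cover the prefix but none match, "unknown" if nothing covers it) to a constructed ROA table and a few constructed announcements. All prefixes and AS numbers are made up (documentation and private ranges).

```python
"""Flag BGP announcements whose origin does not match the expected origin.

Added example with constructed data: a tiny ROA-like table and synthetic
announcements, including a more-specific prefix announced from an AS that
has no authorization for it. Prefixes are documentation ranges and the AS
numbers are from the private range; nothing here refers to a real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: origin_as may announce prefix up to max_length."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    """A received route; as_path is ordered nearest peer first, origin AS last."""
    prefix: ipaddress.IPv4Network
    as_path: Tuple[int, ...]


# Constructed ROA table (hypothetical): who is allowed to originate what.
ROAS = [
    Roa(ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    Roa(ipaddress.ip_network("198.51.100.0/22"), 24, 64501),
]

# Constructed announcements as an upstream might receive them.
ANNOUNCEMENTS = [
    Announcement(ipaddress.ip_network("192.0.2.0/24"), (64510, 64500)),     # legitimate
    Announcement(ipaddress.ip_network("192.0.2.0/25"), (64520, 64500)),     # right origin, too specific
    Announcement(ipaddress.ip_network("198.51.100.0/24"), (64530, 64599)),  # more-specific from unrelated AS
    Announcement(ipaddress.ip_network("198.51.100.0/24"), (64530, 64501)),  # legitimate more-specific
    Announcement(ipaddress.ip_network("203.0.113.0/24"), (64540, 64600)),   # no ROA covers it
]


def validate(ann: Announcement, roas: List[Roa]) -> str:
    """Return 'valid', 'invalid' or 'unknown' for one announcement.

    'invalid' means at least one ROA covers the announced prefix but none
    authorizes this origin AS at this prefix length; that is the signature
    of a prefix being carried for a peer that has no business announcing it.
    """
    origin_as = ann.as_path[-1]
    covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "unknown"
    for roa in covering:
        if roa.origin_as == origin_as and ann.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def audit(anns: List[Announcement], roas: List[Roa]) -> List[Tuple[str, int, str]]:
    """Classify every announcement as (prefix, origin AS, state)."""
    return [(str(a.prefix), a.as_path[-1], validate(a, roas)) for a in anns]


def invalid_routes(anns: List[Announcement], roas: List[Roa]) -> List[str]:
    """Prefixes an operator should refuse to propagate (or at least alert on)."""
    return [p for p, _, state in audit(anns, roas) if state == "invalid"]


if __name__ == "__main__":
    for prefix, origin, state in audit(ANNOUNCEMENTS, ROAS):
        print(f"{prefix:<20} origin AS{origin:<6} {state}")
```

The operationally interesting case is the third announcement: a /24 carved out of an authorized /22 but originated by an AS no ROA names. Because the more-specific wins in route selection, an upstream that propagates it "without filters and limits" steers the whole /24 toward the new origin. A transit provider running this check at its ingress would drop or flag that route rather than carry it, which is why the comment's detail about the request to skip filters is the security-relevant part of the story.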


Kyle • July 22, 2015 3:28 AM

"They should do all they can to protect their data and networks, but have to realize that their best defense might be to refrain from doing things that don't look good on the front pages of the world's newspapers."

This seems... "optimistic" is the kindest way I can put it.
