Schneier on Security

Nick P • September 29, 2015 1:53 PM

@ IanLB

Sony shows recurring pattern: Government makes claims, backlash happens, and what should people think of this?

It’s a weird situation. I still don’t have a fully-formed opinion on it: just different points that I keep in mind in these discussions. I think it’s a good, default position for people to be extra-skeptical of pronouncements that call for action on U.S. government’s, public agenda. Particularly if it involves the military or their cyber capabilities. The reason is not that they “have been shown to lie in the past.” It’s that they and the media systematically, consistently deceive the public on certain topics to promote an impression and (they hope) results that the public wouldn’t otherwise support.

The Iraq situation was a good example of this. Here’s a few things we saw:

1. The U.S. government using forged intelligence data, imagery, and media to support their claims about WMD’s. Many of these were easy to spot. People should be tried for treason when media reports it all.
2. Most of the U.S. media, with occasional exceptions, pushed the false information as truth and often cited anonymous sources to further back it. So much for trials. That obvious BS even amateurs debunked was pushed by most media outlets is the worst part and worth remembering: only could’ve been done on purpose for whatever benefits the organizations received from cooperation.
3. The U.S. mainstream media un-objectively embedded journalists with U.S. troops and largely presented the government’s side of what was going on. Foreign media painted a different picture. One notable case, Dora Farms, had most U.S. media reporting on a 100% leadership strike on a palace. BBC sent cameras there to check to find the palace still standing, holes in ground nowhere near it, and lots of dead and/or traumatized children. I can only recall two outlets here contradicting the claims. Such events showed majority were propaganda outlets at least for some topics.
4. In the fall-out, the media covered failures but refused to dig into hard questions that could’ve led to arrests, terminations, etc. It’s almost as if, just as in No2 and No3, they were aiding the activities of the corrupt politicians and military.

These should’ve already given Americans reason to stop trusting… anything those media outlets say on topics involving U.S. military and politicians. You can’t even do “trust, but verify” on sources that unreliable or complicit: must be “distrust, then optionally verify.” Latter part is because the rate of false claims in mainstream media on that topic was so high that few have time to separate wheat from the chaff. So, it was rational and sensible to dismiss such organizations entirely until they clean up their act. I did that to Fox during Bush/Cheney administration. Seeing them argue in a trial for right to lie to their viewers cemented that.

So, fast forward a bit to post-Iraq. The media’s new bad guy is The Evil Hackers, esp China and North Korea. They’re talking cyber-attacks, cyber-defense, cyber-walls, cyber-9/11’s… more use of word cyber than any information security (INFOSEC) type I know. Anyway, INFOSEC pro’s know that preventative measures, monitoring, & recovery procedures are the main solution to hacker threat. All one can do aside from using paper and memory for secrets. 😉 U.S. government knows this, too. So, they should be pouring billions into INFOSEC improvements and training to get a good baseline deployed as wideley as possible.

Instead, we see U.S. government promoting widespread surveillance of Americans, backdoors into all our systems, less rights for us, less accountability for them, cyber-armies, Internet kill switches, and so on. Most media outlets repeat this endlessly and have “experts” to suggest need for same stuff despite it contradicting decades of wisdom in proven methods to reduce hacking risk (i.e. apply INFOSEC). Contractors like Booz that stand to make billions in “cyber” contracts also pushed that nonsense and still do. One hack after another occurs, almost always due to poor INFOSEC, with U.S. government and obedient media pushing surveillance and cyber weapons as the solution rather than INFOSEC. Same pattern as Iraq on a new topic where key players benefit financially and politically on a path that’s bad for our country while ignoring real solutions.

The same situation happens with NSA surveillance pre- and post-Snowden. That time the leaks made more obvious the lies of both U.S. government and media. That foreign media would publish many of the capabilities forced U.S. media to cover them more specifically than they might have. They still seemed to do damage control by avoiding efforts to convey just how much risk there was (eg J Edgar Hoover comparison) and avoiding hard questions. Relevant here was NSA via BULLRUN program, etc spending $100-200 mil a year to secretly weaken American security products and standards across the board for surveillance purposes despite this increasing damage foreign attackers can do across the board. If INFOSEC was the right solution, is U.S. government’s secret war on it the cause or a major factor in devastating attacks like Sony’s? They and Cyber Command were also shown to be covertly attacking China, North Korea, etc. Might our covert cops on these foreign countries cause blowback where their hackers hit us hard and should we stop doing that? These are obvious questions for anyone whose read the Snowden leaks but the mainstream media did little to nothing in that area. Still don’t.

So, now we get to the Sony hacks. We see Sony get smashed in a way that looks like when Anonymous hit HBGary Federal except on overdrive. Poor INFOSEC is the cause again with insider risk due to lay-offs and vicious management. Consensus theory is external attack with possible inside help. We see U.S. government instantly claim guilt for NK along with need for cyber-military action. This supports their anti-NK and pro-cyber-attack agendas, which have had much disinformation in past. The media and everyone jumps on bandwagon without any fact-checking or real journalism just like they did with Iraq and cyber-everything. The main source is secret, the corroborators are all anonymous, and nobody should ask any questions. Journalism at its finest…

So, there’s a clear pattern of deception for political/military/financial agendas and media cooperation with that deception going back decades. It got stronger in past decade. The Sony/NK situation contains all key elements of this pattern. So, the rational approach is to distrust by default the mainstream position, dismiss any secret/anonymous evidence, see stories like this (or Norse) that provide data on each side, carefully make an opinion, and revise it if necessary as new data comes in. And factor that into both your media outlets of choice and your vote if political corruption is involved.

So, what to believe? Top theories here are (a) NK w/ inside help or (b) hackers w/ inside help that knew how easy it would be to shift blame to NK. Could go either way. The one thing the data makes clear is that the real reason for the damage was (surprise!) horrific INFOSEC. Good INFOSEC might’ve caught the leaks early while blocking much of the damage. Great INFOSEC, although inconvenient and costly, might have prevented most of it entirely. The U.S. government’s malicious intent or incompetence becomes more clear in the contrast between their response and the obvious solution. Their response was same dragnets, secret programs, and military action. The obvious solution was better INFOSEC. Supporting the damage was that most of private market relies on shoddy INFOSEC and doesn’t do better. The resulting combo was a 1-2 punch that made the simple attack devastating rather than a nuisance.

The takeaway: a commercial sector and secret agencies pushing weak INFOSEC hard across the board is the real problem. The U.S. government’s and media’s schemes to push political and financial agendas everywhere is another problem. The Sony situation illustrates the first perfectly while maybe the latter. Regardless of which theory is true, the solution is to have market and government to put billions into stuff that improves INFOSEC baseline instead of what reduces it. The was the solution in 1970 when the Ware Report demonstrated it clearly, that was the solution after many subsequent breaches, it was the solution for Sony, and it’s still the solution now before next one. Everyone should start improving INFOSEC posture on their own with whatever help they can find. Clearly, the U.S. government and media aren’t going to be of any help: the opposite is in their best interests it seems.

Nick P • September 29, 2015 5:47 PM

@ IanLB

“The rest of the security community has moved on a long time ago. All I see is a massive kneejerk reaction, and the only reason I can explain it is the fact that a lot of people here are ready to massively politicize anything because they are so used to.”

Most of the security community doesn’t study government disinformation or media complicity. They would’ve looked up a few trusted sources as your original post suggested, read what they said, look at some data, optionally looked at sources with a dissenting opinion, and made a decision. A more important measure is whether people who had rational, dissenting views based on the data changed their mind. Bruce is in that camp and did. I don’t know about the others. My own opinion includes NK scenario and one very similar. If anything, the official story came closer to us with implications of insider help in recent report: most of us here thought disgruntled insiders as culprit or aid were likely.

Far as the skeptical reaction, I explained why. I’ll hold off on elaboration as you made more points.

“Even when the lie has let to no reaction against NK from the US?”

Whether a lie or not, the U.S. did deliver a reaction. They did these: public condemnation that might affect future negotiations with NK or others; hit specific organizations and individuals with sanctions; probably behind the network outage given their comments alluding to other responses that wouldn’t be public. The U.S. reacted for sure with NK’s financial system, defense and intelligence organizations being the target.

“Same thing with the reference to the NSA domestic surveillance programs. Why even mention this? How is this relevant to anything? So, because the NSA lied about it, they automatically are lying about anything else remotely involving information security? What about Mandiant? Are they lying too?”

A source is giving you big information justifying sanctions, putting a country on terrorism list, and possibly a cyberattack. This could create a response from that country. You have to decide if you want to (a) believe that source’s claim or (b) support it. The first step is assessing the source’s credibility esp on similar matters (eg military, espionage). The examples I gave do that in a way that shows a consistent pattern of deception and media complicity with these same organizations leading up to this year with known-false claims like “going dark” due to encryption and lies about NSA programs’ legality. Would the organizations that still mislead us for political or military agendas still do that again in a similar space? High risk there.

Note: You say questioning the integrity of a low-integrity source makes “absolutely no sense.” I say it’s common sense to think a con artist might lie to you. Anyway, it’s also standard procedure for intelligence analysts too. I’m just applying their techniques to their claims. Result is a highly-unreliable source that sometimes gives good information that’s currently giving information that has significant chance of being true by fitting specific, data points but competes with similarly good claims by more honest sources. Naturally, I stalled at two potentials (one NK) without more data or sources.

“I’m a corporate security manager at IT company with a world wide presence, before that I’ve work in the utility and financial industry – why did I never noticed it? I worked with some people from the NSA and other security organisations, some of them are family, why aren’t they involved?”

You’re not the lead decision-maker of an intelligence or military organization. Data flows up, decisions and their justifications flow down. Long ago, Pentagon Papers showed that the whole Vietnam War ran on lies with the truth being imperalist activities that went back 50 years and resulted in the trouble there. Despite everyone involved, from intelligence people to media to solders, so few people knew the big picture in detail that U.S. investigators narrowed suspects down to 3 people almost immediately after publication. Plenty of insiders, like Karen Kwiatkowski, later informed the public of the efforts to produce and push false intelligence during Bush administration. The leakers under Obama administration showed systematic subversions by NSA with many partners and whatever labor $200+mil buys.

Most people, even in those companies & agencies, were unaware of what was going on via need to know and TS/SCI classification. Just talking about it was a potential felony. Given what’s in the leaks, there still had to be be hundreds, maybe thousands, that knew pieces of what was going on from their roles. Yet, only one person published evidence of all of it with maybe a half dozen leaking about a few, specific issues. So, there’s your ratio of those who are unaware of the truth to those that keep it secret to those that pubish key details. Ratio is actually similar to Vietnam and Pentagon Papers revelations despite time passed & all the changes since then. There’s important lessons to learn there in human nature, willingness of companies + government to deceive, and how easily they do it in normal case with few people whistleblowing.

“Why do people directly handling this shit during their day job aren’t seeing the huge conspiracy, but somehow the internet commentators make huge links between Iraq, the NSA domestic surveillance, and the Sony hack?”

You handle attribution/analysis of NK attacks, offensive cyber-espionage, and decision-making for military commands day to day? You might be uniquely qualified to assess this. Otherwise, your job experience in regular INFOSEC has nothing to do with this situation except maybe the following: you recognized and attributed North Korean attacks on the job with ability to assess current data; evaluating Sony’s INFOSEC practices based on available data. You can probably handle the second part, maybe the first. Past that, you’re operating on 3rd-party claims with little data to use and little bearing to your INFOSEC job. Just like the rest of us.

“but that’s not what the people answering Schneier are doing – they are actively calling the whole deal a “false flag”.”

That’s what some people are doing. I’m not in that camp as we’d need evidence to justify that claim and I haven’t seen it. The data was a ransom, then an attack typical of hacker gangs when no security exists, the vid/language clues pointing to North Korea, a level of access that might indicate insiders, and then claims from government based on secret evidence. So, the discussion and thinking went along paths including each of these.

That said, there is a subset with a “resist and conspiratorialize anything government does” mindset. They mostly stay on infowars.com etc to get daily doses of nonsense, but some similar comments show up here. I doubt anyone here (outside that crowd) would disagree that they exist, are foolish, and should be ignored. They mostly showed up after Snowden leaks because Bruce was one of the people hosting the slids. Very small percentage of comments before that. I wrote it off as it’s an open, security blog on the Internet so you see that stuff too. (shrugs)

“And anyway, who here is even in a position to “verify” anything regarding the investigation? We can’t. So what’s the point in bringing this standard?”

We can in several ways. First, we look at the data without any official claims best we can to derive likely hypothesis directly from it. Second, we compare the official claims to the data and to our own to spot obvious issues. Third, we look at the reliability of the sources in similar, prior situations to determine weight that should be applied to their claims. Such approaches led to early criticisms of official story and alternative hypothesis with plenty of precedents. Past that, we can’t verify anything because it’s all corporate and national secrets.

“I’ve NEVER seen any information security professional being bothered with that word. NEVER. The absolutely only place where this seem to be an issue is on the Internet. So again, I just don’t get it.”

I’ve heard plenty. The term itself doesn’t bother people so much as how it’s typically used: pushing FUD or bullshit proposals. Nice article here. Real-world, security pro’s say computers or online services are compromised due to security flaws. They say the solution is (insert good security practices). The U.S. government and media, on other hand, endlessly talk about cyberspace, cyberweapons, cyberattacks, building cyberdefenses, cybercommands, and so on. All of it usually supports the militarization of the Internet, offensive capabilities, surveillance capabilities, legislation that empowers them, etc. instead of what solves the problem (INFOSEC).

Viewers outside the profession might think there’s a whole war going on that requires special, cyber-everything and a surveillance state. Reality: it’s just hacking with some better hacking that both require good security practices, investments across the board in IT to improve baseline, no cyber-weapons, and local or corporate monitoring rather than mass surveillance. I’m surprised you haven’t noticed this trend in government and media presentations. Unless media had an agenda, their reporting on the solution to all of this would consistently match security pro’s claims albeit dressed up for lay people. It doesn’t.

“Either for some reasons I can’t understand, my professional experience and the professional experience of literally even colleagues I’ve ever worked with has been a big farce and we’re just hopefully naive about information security matters even though we are dealing with these things every single days.”

I can’t repeat it enough: the skills and background to assess information security matters has nothing to do with secretive organizations making claims based on secret analysis and how media handles it. You and your pals have probably been doing the real thing, seen the real thing, and so on. So, to illustrate the difference, when is the last time you or your collegues suggested the solution to a business’s risk was national surveillance, espionage against foreign countries, or developing/deploying “cyber-weapons” against them? Or did you give them the advice security pro’s give about protecting their endpoints, consistent patching, monitoring, recovery procedures, crypto, etc? You know, the things that work that real security pro’s promote and schemers with an agenda actively disrupt.

Giving you the benefit of the doubt in thinking that you went with second option: better INFOSEC. The option that got the least attention from U.S. government and media outside the part where Sony failed.

” it means the information security field as a HUGE communication and education problem, because we can’t afford to have conspiracy-driven opinions being considered as gospel by so many people on a blog like Schneier’s. This is a recipe for disaster.”

That I totally agree with. Good news for you is that: (a) Schneier’s blog isn’t representative of the norm, sometimes good and bad; (b) the opinions of most experienced people range from the official story to one similarly supported by data with precedents. Also, I brought up their schemes just for source assessment but based two hypotheses on the data. And all of those views were expressed, discussed, peer reviewed, etc right on Schneier’s blog in prior entries.

So, that worked in practice. That many ultra-paranoids showed up with unjustified speculation is just an artifact of it being an open, security forum. They’re recently a huge chunk of vocal readers but I doubt from years reading here that they represent most of the silent ones. Just a informed guess on that, though…

Nick P • September 29, 2015 8:35 PM

@ IanLB

Now that part of your position makes more sense. The risk at that point becomes whether (a) the initial determination of North Korea for an attack profile is correct, (b) the tracking remains so, (c) nobody else knows about it, and (d) that one was used against Sony. If all were true or done right, then NSA or any commercial vendor could have a strong attribution to NK. If (c) isn’t true, then the attribution becomes weaker as misdirection is common and some groups would know how to do it. There’s risk in (a), (b), and (d) as well.

So, the real question is “How reliable is attribution in a situation like this if the attackers are sharing tools and maybe hackers? And how reliable is that if even pirate sites scapegoat NK enough to halfway trick news agencies?” Well, odds are good enough that main theory is one of my two top ones. Enough error, esp with scapegoaters, that another party was the attacker. I think these attributions will only get harder as we see more mercenary action in this field and possibly with release of Hacking Team’s tools as well.

@ Wael

Haha. I don’t follow most politicians but few have said it so well. Great example.

@ Dirk

Another nice summary of key points. A talent I’m long overdue for developing although I thought this one could use some specific details.

@ Clive Robinson

Well-put. Yes, the sensationalism factors into the incentives. The more negative or just eye-catching stuff always gets higher ratings. So, a selection bias occurs to go for plenty of that and even invent it where necessary. Fox built an empire on that trick and others. Then, other mainstream media companies started copying its methods in their own style. Reliability is down so far that we have to work to avoid deception even in routine articles.

Btw, aside from that link, I wonder if anyone has compiled a full list of media tricks on all sides with examples. My old list of disinformation tactics had some, Manufacturing Consent mixes some with lots of theoretical stuff (unnecessary), the above has some… would be nice to have them all in one place.