Russia’s SolarWinds Attack

Recent news articles have all been talking about the massive Russian cyberattack against the United States, but that’s wrong on two counts. It wasn’t a cyberattack in international relations terms, it was espionage. And the victim wasn’t just the US, it was the entire world. But it was massive, and it is dangerous.

Espionage is internationally allowed in peacetime. The problem is that both espionage and cyberattacks require the same computer and network intrusions, and the difference is only a few keystrokes. And since this Russian operation isn’t at all targeted, the entire world is at risk — and not just from Russia. Many countries carry out these sorts of operations, none more extensively than the US. The solution is to prioritize security and defense over espionage and attack.

Here’s what we know: Orion is a network management product from a company named SolarWinds, with over 300,000 customers worldwide. Sometime before March, hackers working for the Russian SVR — previously known as the KGB — hacked into SolarWinds and slipped a backdoor into an Orion software update. (We don’t know how, but last year the company’s update server was protected by the password “solarwinds123” — something that speaks to a lack of security culture.) Users who downloaded and installed that corrupted update between March and June unwittingly gave SVR hackers access to their networks.

This is called a supply-chain attack, because it targets a supplier to an organization rather than an organization itself — and can affect all of a supplier’s customers. It’s an increasingly common way to attack networks. Other examples of this sort of attack include fake apps in the Google Play store, and hacked replacement screens for your smartphone.
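The two paragraphs above describe a backdoor slipped into a vendor's update and the resulting supply-chain compromise. As an added example (not code from the original essay, from SolarWinds, or from any real product), the following Python script shows the basic defensive check an organization can run on a downloaded update before installing it: every file in the package is compared against a manifest of SHA-256 digests pinned from an out-of-band source. It also shows the limit of that check, which is the point of the SolarWinds case: a manifest produced by an already-compromised build pipeline validates the backdoored package just as happily. The file names, contents and the "backdoor" bytes are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample "update package": file name -> file bytes.
# These stand in for a vendor's update artifacts; they are not real files.
UPDATE_FILES = {
    "orion_core.dll": b"legitimate core module v1.0\n",
    "orion_agent.dll": b"legitimate agent module v1.0\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> str:
    """Produce a sha256sum-style manifest: '<digest>  <name>' per line, sorted by name."""
    return "\n".join(f"{sha256_hex(blob)}  {name}" for name, blob in sorted(files.items()))


def parse_manifest(text: str) -> dict:
    """Parse a sha256sum-style manifest into name -> expected digest."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, name = line.split(None, 1)
        expected[name] = digest.lower()
    return expected


def verify_update(files: dict, manifest_text: str):
    """Check an update package against a pinned manifest.

    Returns (ok, problems). Every mismatch is reported rather than stopping at
    the first, so an operator sees the whole picture. Digests are compared with
    hmac.compare_digest to avoid leaking timing information.
    """
    expected = parse_manifest(manifest_text)
    problems = []
    for name in sorted(set(expected) | set(files)):
        if name not in files:
            problems.append(f"missing file listed in manifest: {name}")
        elif name not in expected:
            problems.append(f"unexpected file not in manifest: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), expected[name]):
            problems.append(f"digest mismatch: {name}")
    return (not problems, problems)


# Stands in for a manifest the customer obtained out-of-band (e.g. pinned from
# a signed release announcement), independent of the download itself.
PINNED_MANIFEST = build_manifest(UPDATE_FILES)


def tampered_package() -> dict:
    """Constructed package where one module has extra (backdoor-like) bytes appended."""
    files = dict(UPDATE_FILES)
    files["orion_core.dll"] = files["orion_core.dll"] + b"<<constructed backdoor stub>>\n"
    return files


def tampering_detected() -> bool:
    """Transit/storage tampering is caught when the manifest was pinned beforehand."""
    ok, _ = verify_update(tampered_package(), PINNED_MANIFEST)
    return not ok


def compromised_pipeline_passes() -> bool:
    """The caveat: if the build pipeline itself is compromised, the vendor publishes a
    manifest (or signature) over the backdoored files, and the check passes."""
    bad = tampered_package()
    ok, _ = verify_update(bad, build_manifest(bad))
    return ok


if __name__ == "__main__":
    print("clean package verifies:", verify_update(UPDATE_FILES, PINNED_MANIFEST))
    print("tampered package detected:", tampering_detected())
    print("backdoored build with its own manifest passes:", compromised_pipeline_passes())
```

The practical reading of the last function is the lesson of this incident: digest and signature checks defend against substitution between the vendor and you, not against a vendor whose build or update server has already been taken over, so they complement rather than replace monitoring of what the installed software does afterwards.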

SolarWinds has removed its customer list from its website, but the Internet Archive saved it: all five branches of the US military, the state department, the White House, the NSA, 425 of the Fortune 500 companies, all five of the top five accounting firms, and hundreds of universities and colleges. In an SEC filing, SolarWinds said that it believes “fewer than 18,000” of those customers installed this malicious update, another way of saying that more than 17,000 did.

That’s a lot of vulnerable networks, and it’s inconceivable that the SVR penetrated them all. Instead, it chose carefully from its cornucopia of targets. Microsoft’s analysis identified 40 customers who were infiltrated using this vulnerability. The great majority of those were in the US, but networks in Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE were also targeted. This list includes governments, government contractors, IT companies, think tanks, and NGOs — and it will certainly grow.

Once inside a network, SVR hackers followed a standard playbook: establish persistent access that will remain even if the initial vulnerability is fixed; move laterally around the network by compromising additional systems and accounts; and then exfiltrate data. Not being a SolarWinds customer is no guarantee of security; this SVR operation used other initial infection vectors and techniques as well. These are sophisticated and patient hackers, and we’re only just learning some of the techniques involved here.

Recovering from this attack isn’t easy. Because any SVR hackers would establish persistent access, the only way to ensure that your network isn’t compromised is to burn it to the ground and rebuild it, similar to reinstalling your computer’s operating system to recover from a bad hack. This is how a lot of sysadmins are going to spend their Christmas holiday, and even then they can’t be sure. There are many ways to establish persistent access that survive rebuilding individual computers and networks. We know, for example, of an NSA exploit that remains on a hard drive even after it is reformatted. Code for that exploit was part of the Equation Group tools that the Shadow Brokers — again believed to be Russia — stole from the NSA and published in 2016. The SVR probably has the same kinds of tools.

Even without that caveat, many network administrators won’t go through the long, painful, and potentially expensive rebuilding process. They’ll just hope for the best.

It’s hard to overstate how bad this is. We are still learning about US government organizations breached: the state department, the treasury department, homeland security, the Los Alamos and Sandia National Laboratories (where nuclear weapons are developed), the National Nuclear Security Administration, the National Institutes of Health, and many more. At this point, there’s no indication that any classified networks were penetrated, although that could change easily. It will take years to learn which networks the SVR has penetrated, and where it still has access. Much of that will probably be classified, which means that we, the public, will never know.

And now that the Orion vulnerability is public, other governments and cybercriminals will use it to penetrate vulnerable networks. I can guarantee you that the NSA is using the SVR’s hack to infiltrate other networks; why would they not? (Do any Russian organizations use Orion? Probably.)

While this is a security failure of enormous proportions, it is not, as Senator Richard Durbin said, “virtually a declaration of war by Russia on the United States.” While President-elect Biden said he will make this a top priority, it’s unlikely that he will do much to retaliate.

The reason is that, by international norms, Russia did nothing wrong. This is the normal state of affairs. Countries spy on each other all the time. There are no rules or even norms, and it’s basically “buyer beware.” The US regularly fails to retaliate against espionage operations — such as China’s hack of the Office of Personnel Management (OPM) and previous Russian hacks — because we do it, too. Speaking of the OPM hack, the then director of national intelligence, James Clapper, said: “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”

We don’t, and I’m sure NSA employees are grudgingly impressed with the SVR. The US has by far the most extensive and aggressive intelligence operation in the world. The NSA’s budget is the largest of any intelligence agency. It aggressively leverages the US’s position controlling most of the internet backbone and most of the major internet companies. Edward Snowden disclosed many targets of its efforts around 2014, which then included 193 countries, the World Bank, the IMF and the International Atomic Energy Agency. We are undoubtedly running an offensive operation on the scale of this SVR operation right now, and it’ll probably never be made public. In 2016, President Obama boasted that we have “more capacity than anybody both offensively and defensively.”

He may have been too optimistic about our defensive capability. The US prioritizes and spends many times more on offense than on defensive cybersecurity. In recent years, the NSA has adopted a strategy of “persistent engagement,” sometimes called “defending forward.” The idea is that instead of passively waiting for the enemy to attack our networks and infrastructure, we go on the offensive and disrupt attacks before they get to us. This strategy was credited with foiling a plot by the Russian Internet Research Agency to disrupt the 2018 elections.

But if persistent engagement is so effective, how could it have missed this massive SVR operation? It seems that pretty much the entire US government was unknowingly sending information back to Moscow. If we had been watching everything the Russians were doing, we would have seen some evidence of this. The Russians’ success under the watchful eye of the NSA and US Cyber Command shows that this is a failed approach.

And how did US defensive capability miss this? The only reason we know about this breach is because, earlier this month, the security company FireEye discovered that it had been hacked. During its own audit of its network, it uncovered the Orion vulnerability and alerted the US government. Why don’t organizations like the Departments of State, Treasury and Homeland Security regularly conduct that level of audit on their own systems? The government’s intrusion detection system, Einstein 3, failed here because it doesn’t detect new sophisticated attacks — a deficiency pointed out in 2018 but never fixed. We shouldn’t have to rely on a private cybersecurity company to alert us of a major nation-state attack.

If anything, the US’s prioritization of offense over defense makes us less safe. In the interests of surveillance, the NSA has pushed for an insecure cell phone encryption standard and a backdoor in random number generators (important for secure encryption). The DoJ has never relented in its insistence that the world’s popular encryption systems be made insecure through back doors — another hot point where attack and defense are in conflict. In other words, we allow for insecure standards and systems, because we can use them to spy on others.

We need to adopt a defense-dominant strategy. As computers and the internet become increasingly essential to society, cyberattacks are likely to be the precursor to actual war. We are simply too vulnerable when we prioritize offense, even if we have to give up the advantage of using those insecurities to spy on others.

Our vulnerability is magnified as eavesdropping may bleed into a direct attack. The SVR’s access allows them not only to eavesdrop, but also to modify data, degrade network performance, or erase entire networks. The first might be normal spying, but the second certainly could be considered an act of war. Russia is almost certainly laying the groundwork for future attack.

This preparation would not be unprecedented. There’s a lot of attack going on in the world. In 2010, the US and Israel attacked the Iranian nuclear program. In 2012, Iran attacked the Saudi national oil company. North Korea attacked Sony in 2014. Russia attacked the Ukrainian power grid in 2015 and 2016. Russia is hacking the US power grid, and the US is hacking Russia’s power grid — just in case the capability is needed someday. All of these attacks began as a spying operation. Security vulnerabilities have real-world consequences.

We’re not going to be able to secure our networks and systems in this no-rules, free-for-all every-network-for-itself world. The US needs to willingly give up part of its offensive advantage in cyberspace in exchange for a vastly more secure global cyberspace. We need to invest in securing the world’s supply chains from this type of attack, and to press for international norms and agreements prioritizing cybersecurity, like the 2018 Paris Call for Trust and Security in Cyberspace or the Global Commission on the Stability of Cyberspace. Hardening widely used software like Orion (or the core internet protocols) helps everyone. We need to dampen this offensive arms race rather than exacerbate it, and work towards cyber peace. Otherwise, hypocritically criticizing the Russians for doing the same thing we do every day won’t help create the safer world in which we all want to live.

This essay previously appeared in the Guardian.

Posted on December 28, 2020 at 6:21 AM

Comments

anon December 28, 2020 6:52 AM

I think the more telling number is 112000. This is the number of Solarwinds users who either 1) don’t apply vendor updates in a timely manner or 2) actually have a default block for outbound traffic and are fine with software compliance audits because their software isn’t allowed to phone home.

Goat December 28, 2020 7:08 AM

Politics and business often prioritises short term over the long term. This has led to the current state of security. Indeed this short term view is what humans are bred with and causes stupid things like ads, smoking and what not.

Basically, defence isn’t a lucrative deal with politicians, they get better awarded by offence. This rationality may help us better understand the problem and find solutions that may be hidden by thinking of these people as stupid or evil.

JonKnowsNothing December 28, 2020 7:38 AM

@Goat

A further aspect of the political-business duopoly is that for neoliberal economies all aspects must be “Outsourced From Government To Business”.

Business is about making money.

Other governments and economic systems also fail because their model is about “Power For and To The One”.

Uni-power systems are about accumulating wealth at the top.

Even in the current crisis, neoliberal governments are still focused on “counting costs” and off loading as much as they can to “Someone Else” and “Somewhere Else”.

There is no concept of “public or even self benefit”. Only how much can a corporation earn supplying governments. Governments feedback into that system by purchasing bespoke systems. The loop is closed.

Other system designs that had huge government infrastructures had different problems, but some of those lasted millennia.

How to decouple the Profit-Motive from Incompetence from Indifference may be too much of a challenge.

_ing December 28, 2020 7:56 AM

Attributed to SVR, but I haven’t seen any detailed sourcing for that. Can you say more about why you’re confident in that attribution?

kk December 28, 2020 8:12 AM

Is there any proof that Russia, and not any other country or a group, was indeed behind the attack? Any facts aside from Pompeo’s words? The more they push this narrative and with more details surfacing, these APT claims become more and more absurd. We still saw nothing that couldn’t be done from anywhere in the world by a small group of skilled programmers. Despite the relatively high profile of the victims, the actual scale of the operation doesn’t look that massive at all, still well within the potential of any ransomware ring.

Goat December 28, 2020 8:37 AM

re:”How to decouple the Profit-Motive from Incompetence from Indifference maybe too much of a challenge.”

@JonKnowsNothing, Indeed this is a very complex problem and reminds me of a dictatorial rule: Keep them hungry but alive

Corruption is more often what eats up these orgs, rather than actual losses. It’s not unusual for top personnel in govt to be underpaid and the jobs are valued at the actual pay-off, to justify the ill acts.

koebalte December 28, 2020 9:05 AM

<> “The solution is to prioritize security and defense over espionage and attack.”

IOW apply most of one’s security resources to defense rather than offense.

That solution is exactly opposite to US national strategy, since always.

What do all the US government counter-intelligence bureaucrats do all day at the office?

TimH December 28, 2020 9:58 AM

Perhaps being paranoid, but what if the nation state actor was actually the USA, which is why private company FireEye disclosed the breach?

Uhu December 28, 2020 10:15 AM

“Espionage is internationally allowed in peacetime.” I’d like to see a real citation supporting this claim. Just because some actors do something without (readily visible) consequences doesn’t make it “internationally allowed”.

Red December 28, 2020 12:28 PM

“And how did US defensive capability miss this? The only reason we know about this breach is because, earlier this month, the security company FireEye discovered that it had been hacked.”

While there isn’t evidence that the US did, is there any they didn’t? Given the game of cat and mouse; it’s fairly common not to let the Germans find out you’ve broken the Enigma, and if you were a German who did find out you now have incentive to pretend you didn’t and intentionally mislead your adversary.

What benefit would the US have in potentially sacrificing sources and methods? And given the cross pollination between US public and private sector personnel/interests can the public confidently assume that FireEye wasn’t tipped off?

It’s not purely accidental that the US looks weak and incompetent or strong and unstoppable depending on how either narrative supports their international objectives.

xcv December 28, 2020 1:20 PM

@ O.P.

It wasn’t a cyberattack in international relations terms, it was espionage. And the victim wasn’t just the US, it was the entire world. But it was massive, and it is dangerous.

We’ve got to close the barn door. People put things out on a table and look the other way whistling a tune.

Espionage is internationally allowed in peacetime.

Are you saying that persons and organizations charged with maintaining directories and databases of personal information should be civilly liable for “allowing” espionage?

There are “buddies” I don’t want to be associated with, and I found this:

https://www.fncinc.com/
Software technology company FNC Inc. builds systems that give mortgage lenders and servicers access to the most current residential real estate information available.

https://www.mtrade.com/
mTrade’s primary focus is to improve the efficiency for trading residential whole loans. Starting with industry “best practices”, we have built an end to end Loan Acquisition System (LAS) that ties buyers, sellers, documents, data, analytics and vendors together. For the first time, decision makers can optimize the experience of one centralized HUB.

Both still in business, and both founded by the same individual.

Kevin December 28, 2020 1:31 PM

Why not Both Offense and Defense? They are two sides of one coin, yin and yang if you wish. Offensive operations could work hard to discover vulnerabilities and then alert the defensive research arm of the NSA (or other agencies) as they discover them, and then Defense could work to defend against them. Offensive operations can also be directly informed by defensive ones: “Hey, we’ve built this defense, can you break it?” It should be both. In fact, it is both. It’s just that, based on what you’ve said, defense lags behind offense. It’s both because once an offensive operation is successful in the wild, defensive operations have to scramble. So, it is both. Why not make it both proactively?

Ralph December 28, 2020 1:40 PM

Besides, as General “Buck” Turgidson says in “Dr. Strangelove”, “Mr. President, if I may speak freely, the Russkie talks big, but frankly, we think he’s short of know-how. I mean, you just can’t expect a bunch of ignorant peons to understand a machine like some of our boys.” Hence “NOBUS”.

chuck December 28, 2020 4:03 PM

Russian SVR — previously known as the KGB

OMG :facepalm:

SVR was military intelligence (DIA). KGB was civilians (CIA). Both have different names now.

Clive Robinson December 28, 2020 4:08 PM

@ Uhu,

I’d like to see a real citation supporting this claim.

Do you understand the difference between “permiso” and “non permiso” legal systems?

One is “You may only do what is permitted” the other is “You may do whatever is not prohibited”.

As espionage is generally only referred to in treaties relating to war and those involved in formal conflict, under the “You may do whatever is not prohibited” view point then espionage is under international agreement allowed, because it is not prohibited.

There is good reason for this viewpoint, diplomats by definition are there to ease relationships between two nations or if you prefer where possible talk not fight. To be able to do this they must have a good understanding of the nations, their politics, their militaries, civilians, culture, industries and economics.

As you might have noticed some nations have decided that many of those topics are “National security” issues. Thus for a diplomat to carry out their job, they have to involve themselves in the host nations “National Security” issues, and have had to do so for several centuries. Thus diplomats are protected under international treaty for sticking their noses into “National Security” issues that some would regard as espionage. You may not be aware of it but the term “No Official Cover”(NOC) applies to those who are not nationals of the nation and do not have diplomatic status from their own nation. The base definition of Treason is “To betray your country to another”, thus NOCs are not technically traitors but this has not stopped many nations arresting journalists and ordinary businessmen on what are Treason charges…

For instance various seniors in the US have tried repeatedly to bend the US treason legislation within the 1917 Espionage act to fit wikileaks founder Julian Assange even though he is not a US citizen, and from what has been said has never set foot inside the US in the time periods alleged. By international agreement a country’s legislation stopped at its borders and various measures such as “under flag” were deemed to apply on vessels not officially in another nations waters (sailing through them was not sufficient). Various nations the US in particular have tried to push their legislational reach not just into international waters but into other sovereign nations, which is not legal under international law… And thus created confusion where clarity once was.

trsm.mckay December 28, 2020 4:13 PM

The problem with depending upon the attackers motives to decide if it was traditional espionage or grey-zone warfare; is that it ignores the “threat” posed by having successfully accomplished setting up a grey-zone attack. Even if it is not used for sabotage and other grey-zone activities; the threat of being able to do that still exists. This is why I lean towards calling it a grey-zone attack, even if those capabilities were not actually used.

Clive Robinson December 28, 2020 5:11 PM

@ Bruce, ALL,

Even without that caveat, many network administrators won’t go through the long, painful, and potentially expensive rebuilding process. They’ll just hope for the best.

Most Network Admins I know won’t even bother with “hope” they are way past that. What they do know is they are going to fail if attacked. They also know that the reason they have not failed so far is that the Internet is such a target rich environment their number has not yet come up, but it will, it’s just a question of time…

Network Admins also know something else, they don’t have to be even remotely secure, as long as they are on the surface just that little bit harder to attack than others. That is others are going to be attacked on the “low hanging fruit” principle. Which might be better stated as “Criminal attackers tend to go for minimum investment attacks to get a higher ROI over time”.

Thus we end up with what has been called “Camembert Security”… that is it has an outer skin that looks tough to ingress but is not, and a center so soft it is very nearly runny thus you can almost glide serenely through it like a swan on a millpond…

But what the Network Admins know deep down is that the real issue is “Management”… Who see ICTsec as a “sinkhole” that reduces “Shareholder value”. Yes it’s a very short term view, but then “bonuses” are based on “quarterly figures” so why do Execs and other management look more than 183 days into the future…

But it gets worse, there is an MBA mantra that “Internet connectivity is good”. When the reality is in most cases it’s bad very bad in all sorts of ways most do not realise.

Oddly perhaps @Cassandra, myself and one or two others are discussing this very issue of “Camembert infrastructure” over on the current Squid page,

https://www.schneier.com/blog/archives/2020/12/friday-squid-blogging-small-giant-squid-washes-ashore-in-japan.html/#comment-361638

Goat December 28, 2020 7:08 PM

Re:”Why not Both”

@Kevin, you cannot design systems to be secure from the enemies and insecure for when you need to crack it.

The cryptographic algorithms, techniques and much else is basically the same internationally

Etienne December 28, 2020 8:04 PM

The answer is, that the IP protocols (V4 and V6) are completely obsolete, and must be replaced within 10 years.

The Government should put out an RFP for a replacement network protocol, and select the best one within 3 years, given say 2 rounds.

The basis for the new Level-3 protocol, will be its nomenclature as an “Assault Weapon” and must have authenticated encryption. For example:

AEAD_AES_256_OCB_TAGLEN128

Level-3 IP Addresses will be 64 bits long and be registered as “Assault Weapons” by each country’s equivalent of a Firearms Agency.

The serial number will be used to apply for an electronic certificate, and the applicant must physically show their Passport to a registering agent, at a designated facility. The serial number should be plainly visible on the computer, and have specified 3D dimensions.

No Tourists, Illegal Immigrants, or persons in the country for Education, and any other valid Visa reason, will be eligible to apply for an “Assault Weapon” computer IP address.

Other rules to follow.

Minh December 28, 2020 8:13 PM

Typo in the article: “Homeland Wecurity”

Thanks for this great summary of what’s going on and what can/should be done.

lurker December 29, 2020 2:08 AM

Why would anybody do business with an outfit that leaves its customer database on a world facing web page? [Rhetorical question, no answer needed]

JonKnowsNothing December 29, 2020 2:23 AM

@Etienne

re: The Government should put out an RFP for a replacement network protocol, and select the best one within 3 years, given say 2 rounds.

Therein lies the main problem. What is an RFP? Who produces it? Where’s the profit?

All an RFP will yield is another set of proposals based on Profit and who will get the lucrative contract(s).

Even public-minded entities bow to the might of Google’s and Apple’s pockets and control.

Corporations don’t care if the systems work, they only care about how much money they made from the contracts. More precisely, how much money the Top Made.

No government is going to accept anything that isn’t to their direct benefit or let another country get a toe hold higher up the ladder.

The premise that the internet is fixable means more fingers in the dike and we’ve run out of fingers. Certain countries have already concluded this and they have put in massive shutoff valves.

There are times when systems expand and times when systems contract.

Clive Robinson December 29, 2020 3:50 AM

@ Etienne,

The serial number will be used to apply for an electronic certificate, and the applicant must physically show their Passport to a registering agent, at a designated facility.

None of this will stop espionage in the slightest.

We know countries issue “fake passports” and “reuse genuine passports”

The same will happen to any kind of security identifier you try to put on someone.

And I’m by no means the only person to say this.

The former head of the UK internal Security Service (MI5) Dame Stella Rimington[1] observed of Tony Blair’s national biometric ID card,

“I don’t think that anybody in the intelligence services, particularly in my former service, would be pressing for ID cards.”

Which historically is still true today. So why are both UK internal(MI5) and external(MI6) intelligence services uninterested?

Well Dame Rimington gave one reason that is always going to be true,

“My angle on ID cards is that they may be of some use but only if they can be made unforgeable – and all our other documentation is quite easy to forge.”

Her “unforgeable” point is a matter of simple logic and a basic premise of the laws of physics as they apply to existence,

1, What ever one man can make, another can duplicate.

2, Only three numbers are of importance to mankind, there is zero or does not exist, one something exists but is unique, and all other numbers that is there can be as many of something as can be duplicated.

As Dame Rimington further observed,

“If we have ID cards at vast expense and people can go into a back room and forge them they are going to be absolutely useless.”

Her “absolutely useless” point is one of the simple economics of “supply and demand”. You get told “where there is demand price rises to limit supply” or the old “selling like hot cakes”[3] argument. But there is an implicit reversal,

3, Where price is no limitation demand will be supplied if technically possible.

And rule one ensures that it is technically possible.

But the simple fact is you have to realise that “Information object != Physical object”

That is there is always going to be a disconnect between the information on an ID document and a physical object / person. But also the information on an ID document is also always going to be disconnected from an information object / action.

All crypto algorithms have a result that is “bit wide” thus of limited range. So if the input number range is larger than the output range they generate and they always will be, then the output can not be unique to a given input that is there is no uniqueness property. Trying to solve this by say “chain blocks” gives rise to other problems, but it is also always going to fail to give you a uniqueness property. That is if your potential input range is unbounded then the output range has to be “always unbounded” to have a uniqueness property and thus as unbounded in effect means infinite bit width with every message no matter how small the message[4], you can not have a uniqueness property only a probabilistic property.

But there is a flip side to this the “secret” size in the ID document algorithm also has to match the same unbounded condition if you want a uniqueness property…

So there can be no “unforgeable” “manufactured” objects…

[1] https://en.wikipedia.org/wiki/Stella_Rimington

[2] http://news.bbc.co.uk/1/hi/uk_politics/4445760.stm

[3] The hot cakes argument is that a cake just out of the oven fetches a higher price than when the cake has cooled down, thus the more rapidly a baker can meet supply the higher the price he can ask.

[4] This is the logical consequence of having a unique or “one to one mapping” between the set of all inputs to the set of all outputs existing prior to any messages being sent. Thus the output range has to always be as great as the largest possible ever input which is unbounded and that has to be sent with each and every input.
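The comment above argues that any fixed-width output (a hash, a MAC, a certificate serial) cannot be unique over an unbounded input space, only probabilistically distinct. As an added illustration (my own example, not code from the commenter or from this blog), the Python below makes that pigeonhole argument concrete: it truncates SHA-256 to a small number of bits and finds two different inputs with the same truncated digest by enumeration, and it reports how many inputs the birthday bound predicts are needed. Truncating a real hash is used here only because it makes the collision cheap to find; the messages `message-<n>` are constructed inputs. The same counting argument applies to full-width hashes, where the bound is merely astronomically large rather than absent.

```python
import hashlib
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 of data, keeping only the top `bits` bits (a toy fixed-width output)."""
    if not 1 <= bits <= 256:
        raise ValueError("bits must be between 1 and 256")
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def birthday_bound(bits: int) -> float:
    """Approximate number of random inputs needed for a 50% chance of a collision
    in a `bits`-wide output: about 1.177 * sqrt(2**bits)."""
    return 1.177 * math.sqrt(2 ** bits)


def find_collision(bits: int, max_tries: int = 2_000_000):
    """Enumerate constructed inputs 'message-0', 'message-1', ... until two distinct
    inputs share the same truncated digest. Returns (input_a, input_b, tries) or
    None if max_tries is exhausted. The output space has only 2**bits values, so
    by the pigeonhole principle a collision is guaranteed within 2**bits + 1 tries."""
    seen = {}  # truncated digest -> first input that produced it
    for i in range(max_tries):
        msg = f"message-{i}".encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


def collision_is_valid(result, bits: int) -> bool:
    """Check that a find_collision result really is two different inputs with one output."""
    if result is None:
        return False
    a, b, _ = result
    return a != b and truncated_hash(a, bits) == truncated_hash(b, bits)


if __name__ == "__main__":
    for width in (8, 16, 24):
        a, b, tries = find_collision(width)
        print(f"{width}-bit output: {a!r} and {b!r} collide after {tries} inputs "
              f"(birthday estimate ~{birthday_bound(width):.0f})")
```

Running it shows collisions after a handful of inputs at 8 bits and a few hundred at 16 bits, close to the birthday estimate, which is the quantitative form of the comment's "only a probabilistic property": widening the output does not remove collisions, it only makes them rarer by a factor of the square root of the extra space.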

Denton Scratch December 29, 2020 4:30 AM

@Etienne
“The Government should put out an RFP for a replacement network protocol, and select the best one within 3 years, given say 2 rounds.”

The Government? I suppose, for no reason at all, that you are referring to the US Government. Why should the rest of the world put up with IP protocols approved by the US Government? As Bruce notes, the US Government is actively opposed to network security (that may be stupid, but that’s how it is).

In practice, internet protocols have mainly been developed in public, by individuals and companies, not governments. The success of an internet protocol is determined by its take-up by network users. No government, not even the US Government, can impose a new protocol on the internet. The US Government doesn’t “own” the internet.

The IP protocols, in particular, are instructive; the resistance to take-up of IPV6 (which was developed in public) is instructive. Switching a network from IPV4 to IPV6 is challenging and costly. If there is no demonstrable benefit, it won’t be done.

Ismar December 29, 2020 5:05 AM

Just finished watching an LA Lakers vs Portland Blazers NBA game a few hours ago where Lakers lost due to their weaker defence.
There is a reason why the basketball chants go
“Defence, defence, defence..,”
It is the culture that celebrates attacking players that causes this type of weakness to set in over time where the focus is on the wrong side of the field.

Marco December 29, 2020 8:07 AM

If we bring everything back to football it seems to me to find the differences between defensive Italian football compared to attacking Spanish football

In the Spanish one, there are many more goals … the problem is how many goals they take

Boris December 29, 2020 8:33 AM

Russian SVR — previously known as the KGB

OMG :facepalm:

SVR was military intelligence (DIA). KGB was civilians (CIA). Both have different names now.

Both statements are false but in a different way.
SVR was formerly the First Chief Directorate of the KGB, responsible for Foreign Intelligence, now independent from the main KGB heir named FSB.

The military intelligence was GRU, reporting to the Ministry of Defense, and it runs as it ran before.

JonKnowsNothing December 29, 2020 9:46 AM

@Clive Robinson @Etienne

re: forged documents

You don’t even need to forge them, just repurpose good existing ones.

a, some forgeries make up the information on a real or simulated background.

b, better forgeries use a real document, with real information in a way that the change won’t be discovered easily

The Metropolitan Police / Scotland Yard has been under the microscope for a decades-long undercover operation, where the embedded officers engaged in sexual relationships with and impregnated their targets. Many hundreds of police were involved and many organizations were on The List. To give the officers the maximum cover the MET reused the names and information of dead children. Certainly the parents weren’t going to notice that their child’s information was now attached to a 30-year-old police undercover officer. The case has been filtering its way through the British Legal System for a long time now. Mostly not filtering but a slow drip.

ht tps://www.theguardian.com/uk-news/2020/dec/07/met-police-legal-action-spies-use-dead-childrens-identities
(url fractured to prevent autorun)

Sancho_P December 29, 2020 4:11 PM

Good essay, just one point:

@Bruce wrote:
”We’re not going to be able to secure our networks and systems in this no-rules, free-for-all every-network-for-itself world.”

The “no rules, free for all” seems to cry for “lock it all down, let the users pay (more)”.

I think that wasn’t intended, as the same paragraph implies (*).
The problem is twofold:
– The Lex Bill: “Sell something without being accountable”.
– The (resulting) monopolies in uncontrolled capitalism.

No, we don’t ”need to invest in securing …”, we just have to re-install capitalism.

(*) I did not understand the “every-network-for-itself” part, maybe that would explain what was meant?

Sancho_P December 29, 2020 4:17 PM

Re posts like “Why oh why blame the Russians?”

—> The Russians did it, no proof wanted, period.
Or would it be less embarrassing if the “Nigerian Uncle Gang” did it?
Yes, it was unfair:
Just because being better is no legitimation to grab the cake.
I’m whining with you, America!

… Well, being obsessed to hunt down Julian Assange there’s no time left for the defense of the USA.

Sancho_P December 29, 2020 4:55 PM

@Clive Robinson re “Information object != Physical object”

I’m still chewing on that.
Hasn’t nature proved the contrary, in particular referring to our identity?
We have our ID built in from the beginning, in countless instances, including a “chain of trust” and built-in expiration date.
Combined with time of life (age) any forging is close to impossible.

But is it an information object or physical object? Or is it in between?

Assuming we get fast (live, Uh-Oh?) DNA readers, simple enough to unlock our smartphones – we’d shift the focus to the distinction between dead or alive (IvP) objects.
And would the TLAs still object to?
Um, now, who or where is the subject? 😉

However, I concur with your “So there can be no “unforgable” “manufactured” objects…”
(only that this leads to a host of different questions …)

Clive Robinson December 29, 2020 5:43 PM

@ JonKnowsNothing,

You don’t even need to forge them, just repurpose good existing ones.

Actually you don’t even need to do that as such.

As many know, biometrics are, to put it politely, not that good. Nor are humans, even trained humans, very good at matching live faces to small photos, especially if makeup has changed or facial hair has been removed/grown. Heck, people have escaped passport control in mail order latex masks of other people…

Thus a real valid passport will have quite a few “near matches” sufficient that ID Brokering / Shopping becomes a worthwhile business.

Get a client, then steal a valid passport from a near facial match, and with a little care in the choice of embarkation and arrival points you can get almost anywhere you would be likely to want to go.

As for what the UK Met Police did, this is a very old attack on the UK identity system.

So much so it was a major part of the plot line in a half century old book and the later film made of it starring James Fox as the assassin.

The thriller / novel is by English author Frederick Forsyth and called,

“The Day of the Jackal”

Which is why you sometimes hear such identity theft called a “Jackal attack”, and it is really not that hard to do[1].

In the past fifty years the UK Government has had several opportunities to make such identity theft way way more difficult, but for various unstated reasons it’s always got kicked into the long grass.

[1] If you have time, then setting up a cast iron alternative identity is actually not that hard. Until fairly recently a European nation was in effect selling E-Passports to anyone who started a business in their country. The only reason the scheme was less popular than it could have been was that the banks in that country did not make setting up banking facilities at all easy.

I actually thought about getting such an E-Passport, not for criminal or other non legal reasons, but simply because it would give me access to Europe more easily business wise than a UK passport will in the next couple of days,

https://passports.io/citizenship/estonia/business/ee1

Internet Individual December 29, 2020 5:46 PM

Regarding talk of decision-makers and the short term reward mentality. I certainly agree with the overall opinion and have been pompously blatant about that fact in recent years. But how do you change their minds? For example, some of these elderly senators and other policymakers might not even own a computer. They have been around long enough to see all manner of newfangled techno-fads come and go over the years. To them, it’s just a storm to weather out. “How can some silly videogame gadget threaten the U.S. and the military? We just need to hold steady and stay the course!” Meanwhile, salesmen and lobbyists are lined up around the block to sell the easy solution to an incredibly complex problem. One they have little to no comprehension about. Most people tend to think in binary terms. Right and Wrong. Good and Evil. Axis v. Allies. NATO vs USSR. A figurative chess match. However today, it’s more like a football game with 10 teams playing at the same time on the same field, and the winner takes all. It’s a different world, a different way of thinking, different stakes, different ideas about what’s right and wrong, and different ideas about what it means to win. We hit that wall of exponential technological growth and instead of climbing with it, they plan on driving through it. The rest of us, unfortunately, happen to be along for the ride.

Clive Robinson December 29, 2020 6:06 PM

@ Sancho_P,

We have our ID built in from the beginning,

Depending on who you talk to, you apparently change the majority of your atoms over seven years…

But also peoples DNA does change and this has already caused legal issues.

In theory having a bone marrow transplant will change a large amount of your DNA as well as some other organs can likewise change DNA.

https://www.independent.co.uk/news/world/americas/dna-bone-marrow-transplant-man-chimera-chris-long-forensic-science-police-a9238636.html

xcv December 29, 2020 11:11 PM

https://en.wikipedia.org/wiki/Luke_Letlow

Luke Letlow, Representative-elect for Louisiana’s 5th congressional district has reportedly died of COVID-19 just days before he was scheduled to be sworn into office.

According to Wikipedia,

Letlow … earned a Bachelor of Science in computer information systems from Louisiana Tech University in 2003. As a student at Louisiana Tech, Letlow was an intern for John Cooksey in 2000 when Cooksey represented Louisiana’s 5th congressional district in the United States House of Representatives. He served as chairman of the Louisiana Tech College Republicans in 2001 and of the Louisiana Federation of College Republicans in 2002. …

On December 18, 2020, during the COVID-19 pandemic, Letlow announced he had tested positive for the virus. He was hospitalized in Monroe. After his condition deteriorated, Letlow was transferred to the intensive care unit of Ochsner LSU Health Shreveport on December 23. On December 29, Letlow died of complications of COVID-19 at the age of 41, only days before he was scheduled to be sworn into office.

  1. There is evidently an Establishment GOP political machine going on in that district.
  2. That degree of advanced IT or computer science knowledge in Congress is threatening to certain parties.
  3. John Cooksey is a medical doctor: an ophthalmologist or eye surgeon.
  4. The “service of process” of Letlow’s positive COVID-19 test result, subsequent hospitalization, “deterioration” of condition, transfer to Intensive Care Unit, and subsequent death points to a distinct possibility of conspiracy to commit murder, as well as a cover-up of the murder with a convenient explanation provided by the raging epidemic of the day.

JG4 December 30, 2020 12:56 AM

“you apparently change the majority of your atoms over seven years…”

Indeed, and where you changed them is sometimes measurable with a mass spectrometer. Fascinating article linked and excerpted.

A similar trick works for determining the origins of sugars in apple juice. Corn and apple trees use different photosynthetic pathways that leave different isotope fingerprints on the C-12 / C-13 ratios. In the 1980s, half of the apple juice sold in New England was adulterated. If I recall correctly, it was with high fructose corn syrup. Fructose from apple juice is chemically identical to fructose from corn syrup, but not isotopically identical.

I realized after my comments yesterday about cameras that stalkers can use them too, but they’d have a more difficult time with power supply and data recovery.

Stumbled into this article because of seeing more about warm fusion. I’m still a skeptic on cold and warm fusion, but it could be convenient if it works. I met Stan Pons in 1988 and saw his experimental cold fusion setup about 6 months before he went public. The Dead Sea and the Great Salt Lake should have surpluses of deuterium.

Stable Isotopes in Forensics
https://www.pbs.org/wgbh/nova/article/stable-isotopes/

let’s follow a raindrop from a cloud over the Pacific Ocean to Saltair Sally’s strand of hair. When those clouds rain, the heavier, oxygen-18 containing water molecules will fall out first. That typically happens near the coast. As the rain cloud moves inland, it’s constantly losing molecules with oxygen-18, and its raindrops become isotopically lighter and lighter. Since our drinking water comes from rainwater, people near the coasts drink water with more oxygen-18 atoms in it than people living inland. Those atoms eventually become a part of our tissues, like hair.

If Saltair Sally had been in Salt Lake City in the weeks preceding her death, the hair closest to her scalp would reflect the isotopic signature of Salt Lake City’s local water supply. If she had been in, say, Seattle instead, her hair’s isotopic composition would contain more oxygen-18, giving investigators a valuable clue.

“We analyzed the hair sample,” Chesson says. “It looked like within the two years leading up to her death, she had been a frequent migrant. She had moved at least three or four times, and it seemed she was making this sort of cyclic pattern. She was in a region consistent with Salt Lake City and the Intermountain West, and then she was moving someplace more towards the northwest. She did this a couple of times in the years leading up to her death.”

Clive Robinson December 30, 2020 2:05 AM

@ Internet Individual,

They have been around long enough to see all manner of new fangled techno-fads come and go over the years. To them, it’s just a storm to weather out.

Unfortunately they are as some would say “materially guilty”.

The US had secure(ish) computer programs, but they had a price tag that was more than somewhat higher than the price a “Mom-n-Pop” paid for a “Personal Computer” to do their tax and other paperwork with.

Back then the “Mom-n-Pop” did not have security issues because their Personal Computer did not have Networking or other Communications code in it. Likewise small businesses had Novell Networks that were so proprietary and limited to LAN capability only that their main security was a locked door, and their big security issue was people stealing not data but CPUs and memory chips.

So back a quarter century ago the main security concerns were physical theft of hardware and the occasional nuisance of a virus on the boot sector of a floppy disk. The ARPANET was there for a very few but not much was happening; the Morris Worm that had rattled people had been done and dusted and “Hi-Fived” as “The perp went down” half a decade before, and complacency had set in.

Even Dr Solomon sold his AV business a few years later because he thought that Sneaker-Net attacks by floppy had got about as far as they were going to get thus AV had got about as far as it was going to get. So more complacency…

It was around this time “the great and the good” of US politics decided that the US Government was wasting money on Secure(ish) Computing and that from now onwards everything had to be Consumer Off The Shelf (COTS) solutions… Much in the way of quiet nods and payoffs followed.

And suddenly the Internet was the new “Information Superhighway”; the world was now at your PC modem port and brought so much that was undesirable with it. Because attackers could be armies of one, vandalism for ego food started.

A nuisance was what it was seen as; Clifford Stoll’s book “The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage” from a decade before was either not read, because it had been put on the SciFi / Fantasy shelves in book shops, or forgotten by those that should have been listening. “The Great and the Good” of US politics had been emboldened and they wanted “Less IT spending” in Government; they wanted it “outsourced” to their friends in industry…

Unsurprisingly so many Personal Computers got owned that we started calling them “bots”, then “bot nets”, and then the term “Bot Herding” came along and people were taking guesses as to how long it would be before the first million computer bot net existed. Academics like Dr Richard Clayton were complacent, because it was still “ego-food” and thus still the nuisance of vandalism. When somebody told him that it was only a nuisance because the bot herders currently lacked the imagination and knowledge to make real money stealing data he more or less poo-pooed it. So still more complacency.

And still “The Great and the Good” of US politics were taking the pay-offs of “cutting government spending” by out sourcing to even more new friends. Though by now the price was actually going up, as it always “mysteriously” does with out sourcing. But also the quality was “mysteriously” going down as well, as it always does with outsourcing.

Somewhere along the way “The Great and the Good” of US politics decided they could dispense with their annoying scientific advisors; they did not want to hear about the mess they were creating with not just outsourcing but the environment etc. Most of all they did not want to hear “That the chickens were coming home to roost”, and by now they had turned into “cow-birds” with droppings to match.

The unwanted warnings were proved right, and it all became very public. First with Wikileaks, Ed Snowden, OPM and now SolarWinds. But the forewarning signs of CarrierIQ, which had actually riled one of “The Great and the Good” enough to get off their lardy arses, had been forgotten.

The thing is computer security is a very good example of “The Great American Dream” in progress in a time period that is well within a working life time. But we now have another example of “The Great and the Good” helping “The Great American Dream” along, this time it’s as short as an MBA course and it’s called COVID and both should be “required reading” of by far the majority of University level teaching.

At least we might have a way out of COVID if we keep throwing money at it. As for computer security, probably not: it has turned into a very lucrative faux marketplace where fortunes are being made on what are little more than glorified traffic light systems, because not only are “The Great and the Good” responsible for starting the snowball rolling, science has not come up with measurands of any worth by which “snake oil” can be quickly assayed as the fool’s gold that it is.

Clive Robinson December 30, 2020 4:58 AM

@ JG4,

Fascinating article linked and excerpted.

Which raises an interesting question.

If a carcass is in effect ground up / liquidized mechanically with other organics, be it by machine or beast, does the resultant slurry / scat contain the same isotope ratios in an identifiable way?

It’s kind of generally known that the meat industry can turn mechanically recovered meat into a slurry/paste to use as “pie filling”.

What is less well known is that the industry can go further, turning things like animal hides as well as mechanically recovered meat into protein without DNA markers to identify the animal it came from, and the resulting product can be injected into chicken carcasses and hams with water to effectively double their weight and half the fat so they become much higher value.

Thus a fowl carcass could have protein from cow, goat, horse, pig, or sheep in it. Which would not be welcome news to many (but heck, chicken feathers and human hair have all gone through chemical processes and ended up in flour via the Chorleywood process for bread making, so we should not really be surprised).

But getting back to forensics, as some may know the hard part of the crime is not ending up with a warm body, but what to do with it next.

There is a history of disposing of bodies using farming methods; the expression “take them to the farm” has rather more meaning than some will assume. It’s been said by some who have left serious organised crime gangs like the mafia and certain biker gangs that the hard part of disposing of a body through a pig is not getting the pig to eat it. No, it’s that you have to sift through the waste to find the teeth, as those are the only recognisable things left.

So if the body can be identified by analysis of the waste for DNA then the criminals will have to “up their game”. It’s known that certain quite commonly available “household” chemicals[1] will break down and destroy DNA, but the process of using them is both slow and a giveaway to any investigator, because it’s not something that would ordinarily be done. However, would it leave identifiable isotope ratios that could provide corroborative evidence?

Which suggests using other food production techniques might be the next logical step. Thus it might not be the “chlorine” in chickens you have to worry about…

[1] I’m not going to mention them, because some people think it’s giving people ideas, even though the information is very widely available in television and radio broadcasts, movies, magazines, books and a veritable myriad of places on the internet, as well as basic science guidance you can use to do home “DNA experiments”.

Internet Individual December 30, 2020 5:06 AM

@ Clive

I’m inclined to agree with your assessment of the “stew” in which we find ourselves. One of the points I was attempting to make regarding the (older) generation being outdated to the new challenges we now face wasn’t a cheap shot at something along the lines of cognitive decline from old age or a lifetime of backwards thinking. Rather, it has to do with “growing up” in the internet age. For me, I remember living in the Bay Area as a youngster in the 90’s and logging onto America Online or AOL via 28.8kbps, paying by the minute. Fast forward 30 years and here I sit today. Still on the internet. It’s a tool that I’ve grown up learning how to use almost as an extension of myself.

The point being, my father’s age group were the inventors of the internet. In fact my step-father was a Computer Programmer his entire career. Worked on mainframes at IBM, and many large banks. He has long since retired, but when I talk with him today about computer systems, networks and security, there is an obvious disconnect; I have a difficult time holding a coherent conversation with him. After explaining a hundred times, I still don’t think he understands the concept of virtualization, and he keeps droning on about the importance of efficient code as CPU cycles and memory were incredibly expensive, and how computers today aren’t much different than back then.

I never liked programming much and decided to go the security route (after a brief stint trying to become a musician). However, to this very day when I come across fresh computer science grads with no experience, those fundamentals are still being drilled into their heads. Except, memory and CPU cycles aren’t the limiting factors anymore (relatively speaking). Writing code to be secure, error handling, graceful failure are now what’s important. Resilience. I’ve realized the 30-40 year age gap is significant, in more ways than simply faster hardware. What seems obvious and clear to me, I’ve realized others in the older age demographic seem to have wandered into the fog somewhere.

With the world being more connected, and decisions and outcomes being made faster and faster by the day, we, in my opinion, are in a race towards a cliff. In such a hurry to build new technologies on top of outdated fundamentals and practices, for a few specific purposes. Like the internet, they likely will impact many other aspects of life that haven’t been comprehended. But we will be damned if we lose the race! Faster! Faster! How do we get a country of divided peoples, beliefs, economic classes, and systems to work together as a team? And then allied countries maneuvering and pivoting as a unit, while supporting each other’s immediate logistical needs dynamically? That is the next challenge we will need to overcome for what’s headed our way, in my opinion.

Anyways, those are my thoughts about the subjects.

Winter December 30, 2020 5:19 AM

I think we, the people, should answer any requests for backdoors in security products with the request for adequate protection first.

If the LEOs&TLAs cannot protect us against criminals and foreign agents, they have no business forbidding us to protect ourselves.

JonKnowsNothing December 30, 2020 10:23 AM

@Clive @All

re: While you are in there…

When looking at potential solutions for Out With The Bad – In With The Good; it might be a good time to consider exactly WHO are we trying to protect and WHY?

There are several entities and they do not necessarily mesh on needs

  * Governments
  * Large Corporations or Commerce Systems
  * Medium Size Corporations or Regional Commerce Systems
  * Small Business or Gig Business
  * Individuals or Gig Laborers

There are likely more divisions. At the top are those who can afford people to manage their systems and those at the bottom are at the mercy of everything above them. The bottom doesn’t get much unless someone higher in the food chain notices, demands, or pays for some change, fix, update that might filter down to those at the bottom.

The I(DI)OT and BOT folks have figured out that there are a lot more fish at the bottom of the barrel and just by volume are worth Big Money provided they don’t have to spend too much to extract it. (Depletion Extraction Mining)

So, it is worth an attempt at coming up with a NO DAMAGE FIX process where something at the TOP does not wreck something at the BOTTOM.

Granted there should not be any fixes needed in a stable environment. This is not an acceptable practice in Corporations with Built In Obsolescence as their product cycle driver (either from faulty physical aspects or faulty software).

The Fix It In The Next Release needs to have an addendum to add No Achy Breaky Things that goes beyond the 80-20 rule.

Without this there is no stability and there is always an exploit opening.

If you only put in fencing on 3/4 of the pasture, it doesn’t matter how great the fence is, it’s not going to hold the critters. If you put in 99% of the fencing and leave a gap, it’s not going to hold either. If you put in 100% of the fencing and leave the gate open, same lack of critters.

The critters will show you where the fence is broken; expecting the critters to repair the fence themselves isn’t going to get the fence fixed.

Any security system that does not keep all the critters in the safety of the fenced area, is going to have the same problems we have now.

Wigeon December 30, 2020 11:29 AM

@anon

I think the more telling number is 112000. This is the number of SolarWinds users who either 1) don’t apply vendor updates in a timely manner or 2) actually have a default block for outbound traffic and are fine with software compliance audits because their software isn’t allowed to phone home.

While my employer uses SolarWinds Orion, we weren’t at risk from the hack- because we hadn’t updated to the affected version yet.
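The second case Wigeon describes, software that is simply not allowed to phone home, is normally enforced with a default-deny egress policy and then verified by auditing outbound flows against it. The following is an added example written for this thread, not code from the original post or from SolarWinds: it parses a constructed outbound-connection log against a constructed allowlist and reports every flow the policy would have blocked. The log format, hosts, addresses, ports and rules are all assumed for illustration; nothing in it is a real indicator of the actual incident.

```python
"""Audit an outbound-connection log against a default-deny egress allowlist.

Added example for the thread above. Log lines, addresses and rules are
constructed for illustration and are not real infrastructure or indicators.
"""
import ipaddress
import re
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst port proto")

# Assumed syslog-style format: "<ts> OUT src=<ip> dst=<ip> dport=<n> proto=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) OUT src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<port>\d+) proto=(?P<proto>\w+)$"
)

# Constructed log: 10.20.0.15 plays the "monitoring server", 10.20.0.42 a
# workstation, 10.20.0.6 an internal update mirror, 203.0.113.9 the resolver.
SAMPLE_LOG = """\
2020-12-14T03:11:02Z OUT src=10.20.0.15 dst=10.20.0.5 dport=161 proto=udp
2020-12-14T03:11:09Z OUT src=10.20.0.15 dst=10.20.0.6 dport=443 proto=tcp
2020-12-14T03:12:40Z OUT src=10.20.0.15 dst=198.51.100.77 dport=443 proto=tcp
2020-12-14T03:13:01Z OUT src=10.20.0.15 dst=203.0.113.9 dport=53 proto=udp
2020-12-14T03:13:05Z OUT src=10.20.0.42 dst=203.0.113.9 dport=53 proto=udp
this line is malformed and is counted as skipped
"""

# Constructed allowlist, first match wins, anything unmatched is denied:
# (source network, destination network, allowed destination ports or None for any)
RULES = [
    ("10.20.0.15/32", "10.20.0.0/24", {161, 162}),   # SNMP polling/traps on the LAN
    ("10.20.0.15/32", "10.20.0.6/32", {443}),        # internal update mirror only
    ("10.20.0.0/24", "203.0.113.9/32", {53}),        # everyone may use the resolver
]


def compile_rules(rules):
    """Turn the string rules into ip_network objects once, not per flow."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), ports)
            for s, d, ports in rules]


def parse_line(line):
    """Return a Flow for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ipaddress.ip_address(m["src"])
        ipaddress.ip_address(m["dst"])
    except ValueError:          # digits and dots that are not an address
        return None
    return Flow(m["ts"], m["src"], m["dst"], int(m["port"]), m["proto"])


def is_permitted(flow, compiled):
    """A flow is allowed only if some rule covers src, dst and port."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for src_net, dst_net, ports in compiled:
        if src in src_net and dst in dst_net and (ports is None or flow.port in ports):
            return True
    return False


def audit(log_text, rules):
    """Return (violating flows, number of unparseable lines)."""
    compiled = compile_rules(rules)
    violations, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_line(line)
        if flow is None:
            skipped += 1            # malformed input is reported, never silently dropped
            continue
        if not is_permitted(flow, compiled):
            violations.append(flow)
    return violations, skipped


if __name__ == "__main__":
    bad, skipped = audit(SAMPLE_LOG, RULES)
    for f in bad:
        print(f"DENIED-BY-POLICY {f.ts} {f.src} -> {f.dst}:{f.port}/{f.proto}")
    print(f"{len(bad)} violation(s), {skipped} unparseable line(s)")
```

Run against the constructed log, the only flagged flow is the monitoring server reaching an address outside the allowlist on 443; the same server's LAN polling, mirror access and DNS lookups pass, as does the workstation's DNS. The design point is that the allowlist is keyed on source as well as destination, so a server that legitimately needs an internal mirror is still denied arbitrary Internet egress.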

Clive Robinson December 30, 2020 1:03 PM

@ Winter, ALL,

If the LEOs&TLAs cannot protect us against criminals and foreign agents, they have no business forbidding us to protect ourselves.

Some years ago now I pointed out that the Internet was more lawless than the Wild West[1].

At least back then they had “The Gun and the Bible” admittedly more the former than the latter. But they enabled “The Law” to be spread slowly but surely. The founding fathers were after all were mainly fine English Lawyers plying their trade most benificially to themselves and their peers, with most other as second class or worse with no rights.

The advantage from the criminal perspective of the Internet is that individuals can become armies; you only have to see a quite small DDoS to see that. Whilst there are no armed or civil forces, there are danegeld mercenaries to oppose them if you have the spice. However most Netizens in effect live in stick huts isolated from everyone else, with no villages, towns or cities where people could group together to fend off attackers. Imagine if you will the east coast of Britain in the pre-Middle Ages, with viking vessels coming over the horizon: were they raiders or traders or both? On the Internet there is no horizon for you to watch out at; raiders smash in at near the speed of light and you are dispossessed of your hut of sticks faster than you can blink. Mostly the only reason you don’t get raided is your turn has not come up, or you have not noticed you are occupied. If you are lucky you become an entry in a database from which statistics are collated, and lucky not to be told you are “wasting Police time” or equivalent. Because the politicians do not want those statistics collated. Why? Because “Street crime is moving online baby”, so their “We’re Hard on Crime” figures look good, but the actual proceeds of online/electronic crime are up in the trillions of dollars…

If you think otherwise then you are going to become quite surprised when your turn happens, if it has not already. When it does happen, or you become aware of it, it’s a “dead rodent on the kitchen floor” moment… After all, how do you think Bot-herders get botnets of over a million computers?

The chances are if you have an Internet connection and an IoT device more than a year old connected to it, you are already “Giving succor to the enemy”… You just do not know it, and,as with termites, sometimes the best solution is “Burn the house down”.

If you look back on this blog you will see for years I’ve been saying the same old things,

1, None of my computers are connected to the Internet or any network you could get access to without being deep down inside the property.

2, I advise two computers: one is always offline and you do your private and important stuff on it; the second is a stripped down box you use for the Internet, preferably without a hard drive of any type inside it or memory stick attached to it, and with a real power on/off switch.

That’s the minimum I would recommend, and that’s nowhere near as safe as it used to be due to the way computers are changing. Consider Smart devices with built in batteries you cannot remove, WiFi and Bluetooth you cannot remove that can work from your sofa or desk right out to that parked car under the lamppost in the street, or into up to the 17 flats/bedsits around yours on Bluetooth, or the whole block of houses or every flat/bedsit in the apartment building on WiFi. Oh, and an OS that turns them on in promiscuous mode even though you’ve turned them off. Oh, and don’t forget the “COVID beaconing” courtesy of Apple and Google in a smart device right next to you right now…

I could go on but two things should by now be clear,

1, The “guard labour” the authorities own under no circumstances want to help you get security or help.

2, All computing devices are rapidly becoming less secure day by day and nobody is going to change that, as it makes them money and keeps them in business.

If nothing else, from the recent SolarWinds Orion debacle, and a few years back the massive DDoS attacks taking major players off the map with IoT devices, and a few years before that the CarrierIQ debacle in smart phones, you should realise the “Bottom line” is,

You are ON YOUR OWN and they are all out to destroy your privacy.

Welcome to the brave new world that scared George Orwell. You are not paranoid; they are all out to get you one way or another online. Likewise the authorities will lie, prevaricate, threaten and sanction you any which way they can offline if you try to change their cosy way of doing things online.

[1] The film “The Man Who Shot Liberty Valance”[2] is what most think of as “How the West Was Won”. But that was not at all close to how it really happened. The film is basically a “Motherhood and apple pie” version holding hands with “The Great American Dream” in the name of propaganda. Made at a time when America felt good about itself in white middle class suburbs. It’s hard to dig out the truth of what actually went on because a lot of the written history was based on people writing small pamphlets of short stories that had to “over egg the pudding” if they were to sell, and knowing the right story teller could turn you from being the town bum with a temper into some super villain almost overnight. As they say, “Such is the power of the press”. What you are not supposed to know is that at the start America was a fairly narrow strip of land running down what would be about 2/3rds of the east coast. It was mainly farming and shipping up and down the coast, with actual piracy still in progress. Eventually the settlers moved inwards and the guns, bibles and law books were used on the indigenous native (indian) peoples; it was a story of unbridled greed to grab whatever could be grabbed and in the process despoil most of it by disease, rape, pillage, and plunder. Not exactly something the victors want taught in school, especially as much of the heavy work was actually done by slaves who again had no rights under law and suffered persecution under the bible and gun. Even after the African slave trade petered out, it was replaced by Asian slaves from around the South China Seas, and today slaves effectively still exist, though they are called “illegal immigrants” shipped in by criminal work gangs amongst others. Kept down out of sight by those who use them and look the other way and “tut tut” at dinner parties and the like.

[2] The 1962 movie is based on a stage play of a short story written a decade before by Dorothy M. Johnson. It’s a Western in reflection about a simple lawyer who turns up with a handful of law books at a stateless town bidding for statehood. He is horsewhipped to near death by the local villain Liberty Valance, who is opposed to law and statehood. The simple lawyer ends up as a kitchen hand whilst also doing good deeds around the town, all the while trying to work out how to legally bring Liberty down. It ends up in a gunfight where Liberty is killed. The simple lawyer ends up as the State Senator. The story is told when he returns as a much older man to the town for the funeral of an old friend and tells a journalist the story of his origins… Only there are a couple of secrets that come out, one of which is that his shot missed Liberty Valance…

xcv December 30, 2020 1:35 PM

@Clive Robinson

Some years ago now I pointed out that the Internet was more lawless than the Wild West[1].

You’re essentially talking about High California, the area that became the State of California in the United States of America just to the north of Low California — i.e., Baja California — un estado de los Estados Unidos Mexicanos.

At least back then they had “The Gun and the Bible”, admittedly more the former than the latter. But they enabled “The Law” to be spread slowly but surely. The founding fathers were, after all, mainly fine English lawyers plying their trade most beneficially to themselves and their peers, with most others as second class or worse with no rights.

Not so fast there. California statutes and case law — some only poorly translated from Spanish to English to this day — are still derived from the old Spanish common law that permitted various forms of slavery or peonage as well as “tenancy in common” vs “joint tenancy by the entirety” or other modes of ownership of property by couples deemed married under Spanish common law rather than by proper English law.

High California was Mexican territory — which the Spanish Conquistadores had taken over from the Incans, Aztecs, Mayans and other tribes — until the United States officially conquered it in the Mexican–American War.

JonKnowsNothing December 30, 2020 4:55 PM

@xcv

re: High California was Mexican territory — which the Spanish Conquistador

The last European owners of the area were not Spain. The Mexican Empire II is French.

All that Spanish stuff comes because most of the areas speak Latin American Spanish (or Portuguese) and the Conquistadors look so much smarter in armour than an Emperor with a bullet in him.

When the US Border Patrol asks where you want to go; you can ask for France.
You might not get there but for some it’s a legal destination.

ht tps://en.wikipedia.org/wiki/Maximilian_I_of_Mexico

Maximilian I (Ferdinand Maximilian Joseph Maria, Spanish: Fernando Maximiliano José María de Habsburgo-Lorena; 6 July 1832 – 19 June 1867) was an Austrian archduke who reigned as the only Emperor of the Second Mexican Empire from 10 April 1864 until his execution on 19 June 1867. A younger brother of Emperor Franz Joseph I of Austria,

France, together with Spain and the United Kingdom, had invaded Mexico in the winter of 1861…

the Spanish and British both withdrew the following year….realising the true intention of the French, while France sought to conquer the country.

Seeking to legitimize French rule, Emperor Napoleon III invited Maximilian to establish a new pro-French Mexican monarchy. With the support of the French army and a group of Conservative Party monarchists hostile to the Liberal Party administration of President Benito Juárez, Maximilian accepted the crown of Mexico on 10 April 1864.

The Empire managed to gain the diplomatic recognition of several European powers, including Russia, Austria, and Prussia.

ht tps://en.wikipedia.org/wiki/Carlotta_of_Mexico

Charlotte of Belgium (7 June 1840 – 19 January 1927) was a Belgian princess who became Empress of Mexico when her husband accepted the Imperial Throne of Mexico and reigned as Maximilian I of Mexico.

(url fractured to prevent autorun)

Cranky Observer December 31, 2020 9:41 AM

“The point being, my father’s age group were the inventors of the internet. In fact my step-father was a Computer Programmer his entire career. Worked on mainframes at IBM, and many large banks. He has long since retired, but when I talk with him today about computer systems, networks and security, there is an obvious disconnect; I have a difficult time holding a coherent conversation with him. After explaining a hundred times, I still don’t think he understands the concept of virtualization, and he keeps droning on about the importance of efficient code as CPU cycles and memory were incredibly expensive, and how computers today aren’t much different than back then.”

Have you considered the possibility that it is not your stepfather who doesn’t understand? IIRC IBM mainframes had virtualization in the mid-1960s, and it was certainly widely used by the 1970s. And while PC/Intel x86 programmers in the 1980s came to believe that ‘efficient’ programming meant using obscure trickery to reduce the size of the machine code, back in those old dinosaur days efficiency included using the best possible algorithm for the problem, selecting a system or language for the problem (e.g. a solid database is often the correct choice over miles of custom code), and then building a solid, tested, peer-reviewed system that conformed to its specifications and documentation. Documentation – what’s that? the PC generation asks.

One of the reasons a lot of greybeards shake their heads at what they see of Internet coding and security practices is not that they don’t understand them, but that they see the current generation re-solving problems that were nailed down in the 1960s and 70s and generally not doing so very well.

Clive Robinson December 31, 2020 7:05 PM

@ Ethan Burger,

Apart from Mike Pompeo jumping up and down like a belligerent six year old in the school playground shouting “Russia Russia Russia”, what court presentable evidence do you have?

Because unless you have evidence acceptable to an international tribunal any hostile action against Russia by the US would actually be a primary act of war, making the US guilty of war crimes.

So there is no “Casus Belli” in evidence currently.

But you have to also be careful with attribution; it is possible it is not Russia but another nation.

The US has got it wrong before. They claimed it was North Korea that attacked the Olympics, then quite some time later admitted that they had changed their minds and now thought it was Russia.

It is also known that the US has developed tools to run “False Flag” operations to make US attacks look like they were carried out by other nations such as the Chinese or Russians etc.

Also war is expensive; the losses you talk of are but a tiny fraction, perhaps not even 0.1% of the cost of a conventional war. How much more if it went nuclear and the latest rumoured Russian hypersonic nuclear devices were launched?

The US economy has not just dropped into the toilet due to stupidity over COVID, it’s gone “clean around the bend”. How much damage would the cost of a war be to US citizens over the next fifty years?

The result of a US-Russian war would be all of Europe becoming a war zone for various reasons, and the old jokes about “Ash City” would become a reality, potentially with civilian casualties being up in the millions.

So all in all it would not be the best idea to start a war that almost certainly would see the cost go crazy as it escalated into yet another world war…

xcv January 1, 2021 1:20 AM

@JonKnowsNothing

When the US Border Patrol asks where you want to go; you can ask for France.
You might not get there but for some it’s a legal destination.

France is definitely not the solution to what’s wrong with America.

Winter January 1, 2021 3:55 AM

@xcv
“France is definitely not the solution to what’s wrong with America.”

I am curious, what is so bad in France?

There is an awful lot wrong with America, according to Americans. So, why are the solutions implemented in France too bad to even consider?

One striking example, France’s foreign policies are remarkably effective. When the Americans move, it generally devolves in an epic mess, e.g, Afghanistan and Iraq. Especially in the Iraq case, the French were actually successful in reaching their foreign policy goals, eg, blunting the disastrous American sham “coalition of the willing”.

Clive Robinson January 1, 2021 6:47 AM

@ Winter,

Especially in the Iraq case, the French were actually successful in reaching their foreign policy goals, eg, blunting the disastrous American sham “coalition of the willing”.

Which upset some, hence the,

Cheese eating surrender monkeys

That some without investigating took to heart, and unfortunately still believe…

Certain Americans like war, and will do what they can to cause it any place but in their own back yard. 9/11 was not even war, but two decades down the road many in the US see terrorists behind every bush and up every tree, and nothing appears to trump their fortress mentality that has all but destroyed their base economy, such that the fear of taking action over a virus has led to god alone knows how many deaths and currently 200,000 getting ill each day. So much so that economically the US has had it; some economists are saying the USD will no longer be the trading currency within half a decade because the US will have fallen too far down the economic list, maybe number four or five behind the wider Asian countries and even Russia, and some still think Brazil will rise up again, though I’m doubtful on that.

What scares many is that they see the US thinking its only way out of economic downfall is by starting a war. It looks less and less likely it will be against China or Russia as both are “weaponing up” for international not domestic troubles. Thus North Korea is probably off the list as they are trying to keep in the good books of both China and Russia as best they can. Iran has already called the US bluster and bluff twice and has earned grudging respect from other nations because of it.

But the US State Dept has turned its eye towards Europe and is trying divide-n-conquer via NATO and by trying to build conflict up in and amongst the old Warsaw Pact nations. A proxy war in Europe would suit them greatly…

Winter January 1, 2021 8:17 AM

@Clive
“A proxy war in Europe would suit them greatly…”

We need France’s diplomats now more than ever.

lurker January 1, 2021 12:00 PM

@xcv

France is definitely not the solution to what’s wrong with America.

Thomas Paine had another opinion on that. And if anyone says that was two and a half centuries ago, it was about the same time the US Constitution was being written. P’raps enough has changed to require an update…

ResearcherZero January 3, 2021 12:23 AM

None of the SolarWinds customers contacted by The New York Times in recent weeks were aware they were reliant on software that was maintained in Eastern Europe.
hxxs://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html

…he warned management that year that unless it took a more proactive approach to its internal security, a cybersecurity episode would be “catastrophic.”

It’s an all too common story.

ResearcherZero January 3, 2021 1:12 AM

From the Wall Street Journal

“For a country that already perceives itself as being in conflict with the West practically in every domain except open military clashes, there is no incentive to leave any field that can offer an advantage,”

hxxps://www.adelaidebusiness.net/blog/2021/01/how-russias-info-warrior-hackers-let-kremlin-play-geopolitics-on-the-cheap/

…apart from cost cutting exercises to increase profit, that’s a fairly large incentive, until everyone gets burned. Still, the shareholders are making money in the meantime, and have sold by then.

It should be a lesson in how not to do things, but history is full of the same kinds of lessons, and a good measure of those lessons are marked ‘Top Secret’.

Clive Robinson January 3, 2021 4:58 AM

@ Researcher Zero,

It’s an all too common story.

Because it comes from a senior management short term view point.

In essence the law requires them to maximise shareholder value, but does not say in the long term or the short term.

Thus, as execs’ remuneration and future are almost entirely dependent on short term profit, the idea of cost cutting by outsourcing work to cheaper labour zones is popular.

Thus China, Brazil, India, Israel, Eastern Europe / Russia have all gained technological advantage by such “outsourcing”, as I’ve been warning about for a quarter of a century.

However do not make the mistake of thinking that geo-location and thus the politics of the location are directly related.

Low cost labour attracts criminal activity as those doing it try to raise their personal status. Thus to someone in any of those locations a brown envelope with high denomination bills tends to answer questions before they are asked…

Thus whilst the “Who?” of the mechanics of the backdoor that enabled all of this might be in Eastern Europe, the “For Whom?” question and where the instructions originated remains very open…

For instance, alleged “Russian Money” that funded Pro Brexit campaigns illegally. Methodical investigative work suggested that the money originated from an organisation set up by a US Hedge Fund manager who was vying with two other families for control of the GOP. That is, Russian criminals and others were being used as a “cut out” to try to hide the origin of the funds. For not unexpected reasons the investigation got killed off “politically” before it got into US jurisdiction to trace back, at criminal case acceptable evidentiary levels, who was the “directing mind”. Thus a lot of prominent “establishment people” in both the UK and US were not dragged into the light, though M. Zuckerberg was thrown under the bus amongst quite a number of employees of another company that got rapidly folded, but some were traceable back to another US major ICT corp, Palantir…

That much is a matter of public record, I’ll let you and others play a game of “join the dots to see what picture emerges”.

ResearcherZero January 4, 2021 1:20 AM

@Clive Robinson

That is a good point on location.

I have seen pretty shady examples by people in many western countries, and unfortunately poor performance at dealing with it. It makes foreign influence campaigns easy. Many times people are not aware that the people helping them climb the ladder in a department, or as they put it “go places”, are occasionally foreign agents. It is the actions of our people that allow influence campaigns to take place. They all dismiss such notions as fantasy, spy novel fantasy, and if it isn’t, you are not allowed to tell them anyway.

It is hard though to act on espionage, quite difficult in fact sometimes, even when it involves other serious crime, as people are very uncooperative in these situations. You have to build up evidence over years and years in some cases, then throw charges at them by the dozen and see if they become more cooperative. In the meantime the foreign actors, who are very well trained at not leaving behind evidence, wreak havoc, sometimes for decades.
The situation is not helped at all by a severe lack of enthusiasm by many to get involved, although it falls under their job description.

Imagine, you’ve been working hard for years, then some jerk asks you to ruin your career prospects by investigating alleged espionage by a couple of dangerous individuals, who are known for being a bit murdery, and possibly go after family members. Funnily they don’t want to be involved anymore.

I would argue work is going to get a hell of a lot more interesting, and interesting work is what they signed up for. The final report will make it all sound rather boring, even if you get shot, or similar. I’m starting to get an inkling that some of the people I’ve worked with perhaps think it’s better to lose the odd civvy, which sounds to me like they are greatly overestimating their own importance. At least they could help tighten up departmental security, write a report recommending action to follow up the auditing. Maybe ask why all the witnesses for that one particular case keep turning up dead, which to me seems a bit suspicious, and ask “did we fail in our duty to protect those witnesses”, without breaking all the keys on the keyboard when describing how badly we failed.

But anyway, that’s why we are supposed to keep the database and information safe, the poor bloody civilians and protected witnesses.

The United States does a much better job than my particular jurisdiction incidentally. Tends to follow up on things a bit more promptly.

Clive Robinson January 4, 2021 1:54 AM

@ ResearcherZero,

The United States does a much better job than my particular jurisdiction incidentally. Tends to follow up on things a bit more promptly.

I know in the UK several Russians who “got out” have died in mysterious circumstances. One I knew lived a few hundred meters away from where I lived.

As the families of such victims tell you the UK police appear to look hard for excuses not to investigate what they understandably call “Putin’s murders”.

Shawn January 5, 2021 6:46 AM

An RFP for a new IP protocol replacement and the resulting solution would have done nothing to prevent the repercussions of this vulnerability. IP is just the transport mechanism.

Systems handling highly sensitive information should simply not have access to the Internet. At layer 1. Period. Those systems that do connect to the Internet and do handle less sensitive, but sensitive nonetheless, data should do so through the standard CDS, firewall, IDS/IPS, encryptor setups. Carefully managed systems applying these standards, which have existed for many years, would be largely immune to this attack.

A consistent application of basic network security technologies and their management applied in the spirit of their intent rather than simply “checking the box” for compliance always offers the best defense.
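The zoning Shawn describes is easy to state and easy to let drift. One cheap way to find that drift is to audit outbound flow records against the intended policy: hosts in the isolated zone must never reach an external address, and hosts in the Internet-connected zone must only do so through the inspecting firewall/proxy path. The following is an added example, not code from the thread or from SolarWinds; the address ranges, the zone assignment, the proxy address and the flow records are all constructed for illustration.

```python
"""Egress-policy audit over constructed flow records (added example).

Zones (hypothetical addressing):
  isolated   10.10.0.0/16  -> no Internet egress at all
  controlled 10.20.0.0/16  -> Internet egress only via the egress proxy
Internal east-west traffic is outside the scope of this check.
"""
import ipaddress
from dataclasses import dataclass

# Address space treated as "internal"; anything else counts as the Internet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Hypothetical zone assignment for the audit.
ZONES = {
    ipaddress.ip_network("10.10.0.0/16"): "isolated",
    ipaddress.ip_network("10.20.0.0/16"): "controlled",
}

# Hypothetical address of the inspecting proxy/firewall that controlled-zone
# hosts are required to use for any Internet-bound connection.
EGRESS_PROXY = ipaddress.ip_address("10.20.0.5")


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line):
    """Parse one constructed record of the form 'src dst dport'."""
    src, dst, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def zone_of(addr):
    for net, zone in ZONES.items():
        if addr in net:
            return zone
    return "unknown"


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def check_flow(flow):
    """Return (src, reason) for a policy violation, or None if the flow is allowed."""
    if is_internal(flow.dst):
        return None  # east-west traffic: not an egress question
    zone = zone_of(flow.src)
    if zone == "isolated":
        # Any Internet-bound flow from the isolated zone is a violation by definition.
        return (str(flow.src), "isolated-egress")
    if zone == "controlled" and flow.src != EGRESS_PROXY:
        # Controlled hosts must go through the proxy; a direct flow bypassed it.
        return (str(flow.src), "proxy-bypass")
    return None


def audit(lines):
    """Run check_flow over flow records and return the list of violations."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        result = check_flow(parse_flow(line))
        if result is not None:
            violations.append(result)
    return violations


# Constructed sample records: src dst dport
SAMPLE_FLOWS = """
10.10.1.7  10.20.0.9      445
10.10.1.7  203.0.113.10   443
10.20.3.4  198.51.100.25  443
10.20.0.5  198.51.100.25  443
10.20.3.4  10.20.0.5      8080
"""

if __name__ == "__main__":
    for src, reason in audit(SAMPLE_FLOWS.splitlines()):
        print(f"VIOLATION {reason}: {src}")
```

Over the sample, the isolated host’s direct connection to 203.0.113.10 and the controlled host’s direct connection to 198.51.100.25 are flagged, while the proxy’s own outbound flow and the internal flows pass. Run against real NetFlow or firewall logs, the same check is a cheap, continuous test that the layer-1 and proxy rules are still doing what the design says they do, rather than a box ticked at accreditation time.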

SpaceLifeForm January 8, 2021 4:00 PM

Krebs and Stamos start their mission

hXXps://www.ft.com/content/df641e33-9150-4846-b4f7-db4e3175d290

He will work for SolarWinds to co-ordinate the company’s crisis response alongside his new business partner Alex Stamos, a Stanford University professor and Facebook’s former security chief. The pair, who operate as the Krebs Stamos Group, told the Financial Times it could take years before all of the compromised systems can be made completely secure again.
