Category Archives: Security

FCC Declares Kaspersky “threat to U.S. national security”

Remember when Kaspersky in 2018 lost an obviously stupid lawsuit that claimed the U.S. government shouldn’t be able to prohibit products harmful to society?

U.S. District Court Judge Colleen Kollar-Kotelly wrote in her May 30 opinion that U.S. networks and computer systems are “extremely important strategic national assets” whose security depends on the government’s ability to act swiftly against potential threats, even if such actions cause adverse effects for third-party providers like Kaspersky Labs. “These defensive actions may very well have adverse consequences for some third-parties. But that does not make them unconstitutional,” Kollar-Kotelly wrote.

On a related note, Americans I know personally who foolishly agreed to attend Kaspersky CEO’s invite-only security “bash” on a tropical island… ended up with food poisoning and severe illness. Projectile vomit.

True story.

Well, the big news today is that under a 2019 law the FCC has just formally added AO Kaspersky Lab along with China Telecom and China Mobile to a national security threat list.

Kaspersky earlier this year was also in the news when the German government issued a warning, and again when their CEO gave a rather tone-deaf message about Russia invading Ukraine.

“Better to have stayed silent than to have called an invasion a ‘situation’ that requires a ‘compromise’,” Rik Ferguson, of rival cyber-security company TrendMicro, tweeted.

That makes me like TrendMicro.

Think of Kaspersky in terms of a security software vendor telling customers that a serious breach is a situation needing compromise when attackers are Russian. Who would really want to use that vendor versus one that actually defended against being breached?

Some also may remember Kaspersky’s handling of the infamously traitorous General Michael Flynn by giving him large cash payments.

Flynn also received $US11,250 ($14,667) from Kaspersky Government Security Solutions, Inc., described as the US subsidiary of Kaspersky Lab, a Russian cybersecurity firm, according to the documents.

Yes, he was traitorous. Any U.S. General knows full well how businesses and criminal enterprises in Russia are direct extensions of Russian intelligence whenever the Kremlin chooses. It’s really no understatement to call Flynn a traitor.

As I told journalists in 2017 (clumsily, I admit): while Mandiant is close to NSA, Crowdstrike is close to FBI, we can’t compare the collaborations with Russia because Putin’s dictatorial control model is completely different from congressional contracts and hand-outs.

Israeli intelligence had since 2014 sounded the alarm to anyone in the U.S. willing to listen to intelligence.

Source: “How Israel Caught Russian Hackers Scouring the World for U.S. Secrets”, New York Times

Perhaps also worth mentioning here, since we’re talking about remembering things, Facebook around 2014 started to carefully audit anyone who came to their site… and then actively pushed Kaspersky code as “free” help.

The problem with Facebook is thousands of active phishing scams but the social media giant has partnered with popular security software developer firm Kaspersky so that users could identify and remove malware from their computers.

Popular security software developer firm Kaspersky? According to what population?

Let’s be honest here.

The real question is whether users could identify and remove the threat from the relatively unheard of Kaspersky software being pushed upon them by Facebook’s security team? I guarantee the vast majority of users had never heard that name before Facebook made it a required “checkpoint” to login.

Moreover, does having a problem with phishing on Facebook sound anything close to being a relevant reason to push an unfamiliar Russian content scanning tool onto people?

No. No, it does not. Now read this:

In a Facebook post, Facebook’s Software Engineer Threat Infrastructure Team head Trevor Pottinger explained: “To make this programme even more effective, Kaspersky Lab is bringing their expertise… we will offer Kaspersky Malware Scan for Facebook… in the past three months, we have helped [run Kaspersky code on] more than 2 million people’s computers.”

Facebook safety “checkpoint” hit millions of users. Was it Russian surveillance or just Russian code meant “to help”?

Facebook knew exactly who had run the Kaspersky code. They boasted about knowing how many people ran it.

You’ll never guess what happened next.

When called to account for their very precise user tracking and audit practices, Facebook tried to plead total ignorance as if there had been no factual basis to loudly boast “more than 2 million” users had Kaspersky pushed onto them.

Source: CNN

The dubious, forked-tongue “help” from Facebook came not long after they hired an unqualified CSO, and Moscow Times in 2015 ran the headline “Kaspersky Plans Push for Sales to U.S. Government” (link now unreachable)… which was countered by the even more salacious headline “Russian antivirus firm faked malware to harm rivals – Ex-employees”.

Faked malware to harm its own employees and rival companies while pushing into U.S. Government sales. No wonder that now-disgraced Facebook CSO, known for failing to disclose the largest breaches in history, was so welcoming.

For context on why this all might sound so evil, the two founders of Kaspersky served as Russian intelligence (KGB). Twice there have been major disagreements at the executive level, and its CEO has had a major exodus of talent as he consolidated control and refused to be transparent, allow other views, or resolve disputes.

So while it’s really good to see Kaspersky finally being handed the kind of label it has always deserved, I’m disappointed that a heavily Russian-backed Russian-asset like Facebook wasn’t included (as I’ve warned about publicly since at least February 2011 and why I deleted my Facebook account in 2009).

After this FCC explicit ban on Kaspersky should we get to call it the most anti-democratic software ever? Or does that crown remain on Facebook (not least of all for peddling Kaspersky)?

Also, US sales of Kaspersky (under $50m) are tiny compared to the UK (over $500m), so maybe the real question is how much exposure American national security has to British system compromise.

Cyber War Wide Open as Ukraine Loudly Pwns Russian Assets

In multiple channels I keep getting updates about a “hidden” cyber war, with “little” visibility and how “quiet” attacks are when they run over networks instead of roads or through forests.

Nothing could be further from the truth.

The Ukraine war is the loudest and most obvious integration of cyber (information technology) into conflict I have ever seen.

To be fair, I have studied war for more than three decades and earned two degrees in the topic before spending all my professional life engaged in many forms of hot and cold power disputes related to technology.

Perhaps I see things differently.

It reminds me, for example, of my post about the Allied troops laughing out loud in 1942 about how incompetent Rommel was, versus people today trying to see Rommel as something more than a failure.

Perhaps someday in the future a historian will read the news that I am reading every day now, like I read the news of the past, and wonder who was paying attention.

Let me give an example.

Budanov and I also spoke about the unseen war that is happening over computer networks, and how hackers are now vigorously involved on both sides. This phase of the war began nine days before the invasion, on February 15, when Russian hackers launched an attack on government agencies and Ukrainian banks (“The key issue for the Russians was the disruption of work and the spread of panic”). Recently, he said, Ukrainian intelligence has monitored phishing attacks on his government’s officials by the Belorussian hacking group Ghostwriters, and the Russia-affiliated Fancy Bear group, which also has been blamed for orchestrating the hack of Democratic party e-mails during the 2016 election. Ukraine, he said, has mobilized a large volunteer force of hackers who are targeting their own attacks on Russia’s digital infrastructure.

“Unseen war that is happening over computer networks” is a lot like saying tanks hidden on forested roads.

Did the packet route if no one sniffed it, did the tree fall if no one was there to see? I mean if you aren’t in that forest or standing on that road why would you consider a tank battle anything more than unseen?

Unseen is a word I would use for what is happening in many countries around the world right now being ignored while a very obvious focus is on Ukraine.

Perhaps one of the best examples of this is the regular updates I see where Russian technology and assets are infiltrated by Ukrainian forces.

…hacking some of Russia’s proudest accomplishments (its space program) and most successful technologies (its nuclear research program), the Ukrainian government is sending Putin a message that your cybersecurity systems cannot keep us out, that even your most valuable technological secrets aren’t safe from us, and that if you push us too far, we can do whatever we want to your networks.

Nobody sending such a message wants that message to be unseen, if you get what I mean.

Here is another one.

Anonymous claims it has hacked Russian state TV and streaming services to air footage highlighting the horrors of the war on Ukraine. The secretive vigilante cyber group late Sunday shared footage of channels that are forced to air pro-Kremlin footage instead showing shocking scenes of missile attacks that killed innocent civilians. A message also told Russians, “This war was waged by Putin’s criminal, authoritarian regime on behalf of ordinary Russian citizens.”

Editing content on Russian state TV. That’s huge.

And of course there have been outages as well.

Confirmed: Various #Russia government websites including the Kremlin, State Duma and Ministry of Defense are again down, with real-time network data showing impact to FSO networks consistent with previous cyberattacks.

Even more interesting, in the most controversial and emerging field of cyber conflict (integrity), is how Ukraine has destroyed propaganda and lies of Russia.

In the Russian world, Chechens have the reputation of being particularly effective soldiers. Throughout the invasion, Kadyrov has released videos on his Telegram channel of bearded Chechen troops in Ukraine engaging in brutal firefights and conducting activities on Ukrainian soil. Some Ukrainians have traced locations in these pictures of Kadyrovtsi, as Kadyrov’s men are known, and highlighted that they are in fact in Belarus, far from the front.

Fact checking as a weapon. Integrity can bring a powerful narrative, using geolocation data like a truth bomb that destroys ground oppressors hope to stand upon.

This is Gordon Parks level stuff.

That [weapon] wasn’t no six-shooter. When Gordon Parks had that camera in his hands, that was a bazooka.

The camera was a weapon in the sense it captured knowledge to be seen more widely. Likewise this war is being fought using information captured and disseminated.

The Chechen narrative again was easily unraveled by Ukraine using geolocation and social proximity data.

Budanov said that his department has tracked a contingent of around 25,000 Chechens since the beginning of the war. “We have many informers inside the Chechen ranks. As soon as they start preparing any operation, we know that from our informants,” he said. “When the war started, Russia underwent lots of casualties, and most of these people didn’t even manage to approach Kyiv.” He pointed out that Ukrainian special forces had engaged with a group of looting Chechens near Kyiv the day before we spoke that was only two strong. “We’ve never seen more than 20 or 30 Chechens in one place. The concentration is very low.”

And the reverse also is true. Google Maps disabled detailed information sharing.

In the early days of the invasion, The Washington Post revealed how researchers were using this data to track movements. Road blockages and delays signalled exoduses of people, and potential troop movements. But some fear Google Maps could be used to Russia’s advantage, giving details on how busy certain areas are. Google told Reuters that it had consulted with sources, including “regional authorities”, before making the decision.

This is similar to what we saw last year when Israel was being attacked by Hizbullah, not to mention fifteen years ago.

If anything, Russia is demonstrating to the world that they are ripe for power disruption at every level.

Full of fraud, in-fighting and demoralized looters, their troops increasingly are in no position to make sound choices about conflict.

…why would you need a hypersonic missile fired from not that far away to hit a building?

I’ll tell you one good reason Russia would use impractical weapons on a target, I mean besides rank incompetence. Russian systems are being abandoned, going offline or unreliable.

Citing U.S. intelligence, three U.S. officials said the United States estimated that Russia’s failure rate varied day-to-day, depended on the type of missile being launched, and could sometimes exceed 50%. Two of them said it reached as high as 60%.

Nothing about the Ukrainian counter-attacks seems quiet to me. Defense of their country, even using latest technology, is far from being hidden or unseen. I’ve never seen anything louder or more in the open. As much as Russians clearly are incompetent clowns in this war, Ukraine deserves credit for its very loud and successful information warfare.

Feudalistic Threats to Web 3.0

When I’m asked to explain Web 3.0 I always try to start by explaining that the world is far more diverse than just coins and financial assets.

This is similar to my old saw about history being more detailed than just who won what war and why. Culture is not just coinage.

The entirety of the human experience, which arguably will be predominantly expressed via the web if anywhere in technology, is vast and rich beyond monetary action. Only about half of transactions even involve money at all.

Yet, for many people their only topic of interest or focus on technology is how to capitalize as quickly as possible on anything “new”. Beware their depictions of the Web solely as finance instead of encompassing our most rich and interesting possibilities.

Geolocation data, as just one facet, has long been recognized as a source of power and authority. Think of it in holistic terms of the English and Dutch cracking the secretive Portuguese spice trade routes and upending global power, instead of just focusing on the spices being traded.

Knowledge is a form of power, which has been expressed as political systems far more vast than markets alone could ever encompass.

Here is an example to illustrate how oversimplification of humanity down to financial terms becomes an ethical quagmire, highlighting some very important mistakes of the past.

Ukraine cancelled a Crypto airdrop.

…“a lot of people” were abusing the possibility of an airdrop by sending minuscule donations “just to benefit” themselves. This is a common tactic among crypto investors, known as airdrop farming.

Farming is in fact the opposite of what is described here. Growing food at low margin so that others may gain has somehow been framed backwards: extraction of value from someone else’s plan to help others.

In other words “airdrop farming” is far more like “airdrop banking” as it has nothing in common with farms but a lot in common with banks. It begs a question why there was any direct return and benefit of “donations”, given what has been said in the past about that loop.

Appropriation of the term “farming” in this context thus reads to me as propaganda; we may as well be in a discussion of Molotov’s WWII bombs as a delivery of bread baskets.

Likewise in the same story Kraken’s CEO displayed complete ignorance by saying his company would be on the side of Russia in this war and could not help Ukraine because in his mind political Bitcoin only has “libertarian values”.

Exchanges including Coinbase, Binance, KuCoin, and Kraken all refused Fedorov’s February public request that they freeze all Russian accounts, not just those that were legally required by recently-imposed sanctions. The companies said such an action would hurt peaceful Russian citizens and go against Bitcoin’s “libertarian values,” as Kraken CEO Jesse Powell put it.

Calling Bitcoin libertarian is like calling diamonds bloody.

In fact, Bitcoin is notoriously slow-moving (terrible for payments) and notoriously volatile (terrible for currency) just like blood diamonds being extracted from dirt at artificially low cost to artificially inflate their value to a very small group desperate for power.

Mining doesn’t have to be an exercise in oppressive asset hoarding with a total disdain for the value of human life, but Kraken clearly displays here they operate intentionally to repeat the worst thinking in history.

So what values are we talking about really? Proportionality (tailoring response to the level of the attack, avoiding collateral impact) is not a libertarian concept, obviously, because it’s a form of regulation (let alone morality).

Note instead there is complete lack of care for victims of aggression on the principle of protecting “peaceful” among aggressors, with absolutely no effort to prove such a principle.

It’s sloppy and exactly backwards for a Bitcoin CEO to claim he cares about impacting others. The inherent negative-externality of Bitcoin means it carries a high cost someone else has to pay, proving that if Kraken cared about “peaceful” Russian civilians it would shut down all Bitcoin since it harms them all while benefiting few if any.

Systemically redistributing transaction costs from selfish individuals to society instead, while claiming to be worried about societal impact of an individual action is… dangerously reminiscent of “nobles” and “clergy” of pre-revolutionary France who ignorantly stumbled into their own demise.

The Web already is so much more than a narrow line of thought from the ugly past of feudal thinking, and 3.0 should be more broadly representative of the human condition instead of boxed in like this by selfish speculators trying to get rich quick through exploitation and manipulation of artificially constrained assets.

Nearly 10,000 Russian soldiers reported dead, leadership failing.

Two things have come to mind since before Russia invaded Ukraine.

1) It would be an incredibly stupid move by Putin. As much as people were warning me that it was coming and officially the buildup was menacing enough to predict an invasion, I did not believe it would happen because it would be a disaster for Russia.

2) Paper Bear. Despite widespread worry about Russian forces having some residual capabilities, deep levels of corruption inherent to dictatorships meant their logistics and technology were sure to fail. Moreover, I didn’t see much evidence of adaptation or learning. The hard work and feedback needed for success are anathema to dictatorships; strong men are typically extremely weak when tested in conditions they can’t cheat.

Clearly I was wrong on the first count as invasion did happen. Being a terrible mistake for Putin wasn’t enough to deter him from invading.

On the second count I was more right, and I’ve had to resist temptation to say “told you so” especially on channels where Americans wildly overestimated Russian ability to execute on anything other than basic looting.

This has now been documented better by the NYT than I could have ever said it.

… shows the pitfalls of Putin’s top-down governance, in which officials and military officers have little leeway to make their own decisions and adapt to developments in real time.

Even though multiple U.S. officials have for multiple days said they expect Russia to adapt to its failures, I have seen the opposite. The culture is devoid of adaptation by design, in order to ensure fealty to Putin.

That same NYT article goes on to say that Putin’s messaging is now that an overabundance of concern for Ukrainian civilians is to blame for slow progress, and also that it is going exactly to plan.

Clearly anyone with even the least ability to adapt to a situation and think independently would immediately recognize that as garbage propaganda.

And there’s the rub.

The Russian military death toll is unofficially headed over 10,000, nearing the same number of lives they lost over a decade in Chechnya.

It becomes increasingly difficult to cover that up, not to mention explain away a high death toll even among top Russian military leaders.

The deaths reflect operational security failures as well as the challenges of the Russian military’s top-heavy command structure in the face of a much nimbler Ukrainian fighting force. […] “Continuing to lose senior leaders is not good,” he said in an email. “Eventually, loss of leadership affects morale, fighting prowess and effectiveness.”

When morale and effectiveness start out so low, it’s now a question of how Russia will keep things going at all. History suggests that there will be increasingly hostile speech and greater war crimes, increasing suffering.

In Chechnya and Syria dominance manifested in ruthless scorched-earth campaigns against civilians.

Ukraine however is rolling differently as Russia attempted a complex and rapid mobilization without having much of a clue.

“Even Stalin had an idea,” she said…to underscore Putin’s failure to articulate a reason for invading Ukraine.

Fukuyama’s March 10th prediction is most interesting to me because he suggested morale weakness may cause an abrupt end to Russian force.

The army in the field will reach a point where it can neither be supplied nor withdrawn, and morale will vaporize.

It may already be coming true, according to the latest reports.

“We shot at the first vehicle, and when it exploded the column stopped,” he says. “(Russian soldiers) ran away and we took their military equipment.” According to Golodov and his men, this is a common occurrence on the battlefield. “Russian soldiers are frightened, demoralized. They are afraid to part with each other, because they are being shot at from every bush,” he says. He says some seem to be very young and inexperienced: “Most of them do not know or understand why they are here.”

However, this doesn’t seem to take into account that Putin may attempt to boost morale by engaging in ever more destructive war crimes.

The intelligence report says Russia intends its ‘total destruction’ of Mariupol to ‘serve as a warning to other cities’. It said: ‘The pattern of destruction of food and water supplies, targeting of civilians, indiscriminate use of firepower to advance, is already being repeated elsewhere. This is based on effective lessons learned [by the Russians] in Syria.’

I don’t believe Russia is in any position to learn, but instead is prone to repetition and mysticism/fear. Thus dehumanization of people and targeting civilian areas is likely to increase as a form of desperation to demonstrate power (e.g. give demoralized troops a “reason” to be there), given how a paper bear has been blown away by any real resistance.