Category Archives: Security

Chinese Attacks Raise Concerns

Let’s just get out of the way that there are many examples of wrongdoing by Chinese nationals. Take today’s clash with South Korea, for example:

A South Korean coastguard commando has been stabbed to death and another injured by Chinese fishermen detained for illegal fishing in the Yellow Sea.

Some might look at this story and say it’s an isolated example. Maybe we even can agree that these few fishermen, a tiny fraction of the total number of Chinese on the Yellow Sea, are the ones who do most of the damage. I phrase it that way because of a story I noticed today by the Associated Press: “A Few Chinese Hacker Teams Do Most US Data Theft”

As few as 12 different Chinese groups, largely backed or directed by the government there, do the bulk of the China-based cyberattacks stealing critical data from U.S. companies and government agencies, according to U.S. cybersecurity analysts and experts.

This should be good news, right? Only 12 groups in China? Does that equate to something like 0.0001 percent of all the different Chinese groups?

I guess you could say “largely backed or directed by the government” is supposed to add an element of legitimacy, but anyone familiar with China knows that everyone there still is largely backed or directed by the government.

Now here’s the bad news. Despite the tiny number of suspects, officials in the U.S. are not hopeful that they can prove anyone in China actually guilty.

It is largely impossible for the U.S. to prosecute hackers in China, since it requires reciprocal agreements between the two countries, and it is always difficult to provide ironclad proof that the hacking came from specific people.

Always difficult to provide “ironclad proof”? They say it like it is a bad thing. Even if we accept that China has a small number of suspects and that it is always difficult to prove someone guilty I don’t follow the logic to the next part of the article. Enter the U.S. military:

“Right now we have the worst of worlds,” said [James Cartwright, a retired Marine general and former vice chairman of the Joint Chiefs of Staff]. “If you want to attack me you can do it all you want, because I can’t do anything about it. It’s risk free, and you’re willing to take almost any risk to come after me.”

The U.S., he said, “needs to say, if you come after me, I’m going to find you, I’m going to do something about it. It will be proportional, but I’m going to do something … and if you’re hiding in a third country, I’m going to tell that country you’re there, if they don’t stop you from doing it, I’m going to come and get you.”

First of all, this is a deterrence model, which I covered in my Dr. Stuxlove presentation based on the Dr. Strangelove movie by Stanley Kubrick. Deterrence is known to be far from a slam-dunk security strategy. It can create risks of its own that are larger and even worse than the original threat of attack.

Second, he lost me at “I’m going to find you”. If it is impossible to prove guilt in the first place then who are they going to find and threaten, people who aren’t proven guilty? I know it’s frustrating to follow loose threads, but saying “I’m going to come and get you” can actually create a game in itself, as anyone familiar with Smurf attacks will remember. Someone could purposefully stage attacks to kick off a premature and misguided escalation (i.e. back to the plot of Dr. Strangelove). The fix to Smurf redirects, incidentally (pun not intended), was not to threaten everyone with massive retaliation but to reduce risk through immunization that prevented the forwarding/relaying of attacks.
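To make the Smurf comparison concrete, here is an added toy model (not code from the original post) of why the relay, not the spoofed sender, was the thing worth fixing: each subnet that still forwards directed broadcasts answers a spoofed echo with one reply per host, all aimed at the victim, and the immunization fix removes that amplification without anyone having to attribute the probe. The subnet names, host counts and victim address are constructed.

```python
# Added example (not from the original post): a toy model of the Smurf relay
# problem and the "immunization" fix the post mentions, i.e. routers refusing
# to forward directed broadcasts so a spoofed echo cannot be amplified.
# Subnet names, host counts and the victim address below are constructed.
from dataclasses import dataclass, replace
from typing import Dict, List

@dataclass(frozen=True)
class Subnet:
    name: str
    hosts: int                     # hosts that answer an echo sent to the broadcast address
    forwards_directed_bcast: bool  # legacy setting that turned the subnet into a relay

@dataclass(frozen=True)
class EchoRequest:
    src: str            # claimed source; in a Smurf attack this is the victim
    to_broadcast: bool  # True when addressed to the subnet's broadcast address

def replies_to_source(req: EchoRequest, net: Subnet) -> int:
    """How many echo replies `net` sends back toward req.src for one request."""
    if not req.to_broadcast:
        return 1                      # ordinary unicast echo: one reply, no amplification
    if not net.forwards_directed_bcast:
        return 0                      # border router drops it; nothing is relayed
    return net.hosts                  # every host answers, all toward the spoofed source

def amplification(nets: List[Subnet], victim: str) -> Dict[str, int]:
    """Replies per subnet that `victim` receives for a single spoofed broadcast echo."""
    req = EchoRequest(src=victim, to_broadcast=True)
    return {n.name: replies_to_source(req, n) for n in nets}

def immunize(nets: List[Subnet]) -> List[Subnet]:
    """Apply the fix network-wide: stop forwarding directed broadcasts everywhere."""
    return [replace(n, forwards_directed_bcast=False) for n in nets]

# Constructed topology: two subnets still configured as relays, one already fixed.
NETS = [
    Subnet("lab-a", hosts=120, forwards_directed_bcast=True),
    Subnet("lab-b", hosts=250, forwards_directed_bcast=True),
    Subnet("dmz", hosts=8, forwards_directed_bcast=False),
]
VICTIM = "203.0.113.9"  # RFC 5737 documentation address, constructed

if __name__ == "__main__":
    before = amplification(NETS, VICTIM)
    after = amplification(immunize(NETS), VICTIM)
    print("before fix:", before, "total replies to victim:", sum(before.values()))
    print("after fix: ", after, "total replies to victim:", sum(after.values()))
```

The point the numbers make is the one the post makes: with the relays fixed, the spoofed probe buys the attacker nothing, regardless of whether anyone ever finds out who sent it.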

Back to the article, I noticed another strange comment that might be driven by an unfamiliarity with Chinese culture.

One of the analysts said investigations show that the dozen or so Chinese teams appear to get “taskings”, or orders, to go after specific technologies or companies within a particular industry. At times, two or more of the teams appear to get the same shopping list, and compete to be the first to get it, or the one with the greatest haul.

Motivated by what? It is tempting to say a paradigm of competition is a universal hacking mantra; perhaps the Chinese are now emulating the American system of competition. Again, however, it sounds very unlike Chinese philosophies and writing, such as the vision of success through following orders and looking backwards, as expressed in The Way of Lao Tzu.

I have three treasures. Guard and keep them.
     The first is deep love.
     The second is frugality,
     And the third is not to dare to be ahead of the world.
Because of deep love, one is courageous.
Because of frugality, one is generous.
Because of not daring to be ahead of the world,
One becomes the leader of the world.

I also am curious about who really believes it makes sense for China to hold a competition of only two groups out of twelve. If China has almost unlimited human resources, and can launch attacks “risk free”, why would they hold such tiny attack competitions? Why hold back? There must be some risk or there would be far more than twelve groups. If you add up all the arguments in the article, it really does not make much sense.

In any case, perhaps it helps some to compare the twelve groups in the AP article to the nine evil fishermen of the Yellow Sea. Always proceed with caution in building a response so as not to lose control of the situation. The risk of ruthless and underhanded attack has to be factored in when investigating and responding to breaches; the death of the South Korean commando is tragic. At the same time, an opportunity to approach and win insider support from any/all remaining Chinese groups, the ones not attacking, should not be overlooked or underestimated.

How penguins know when to land

New research indicates that penguins can count, or maybe subtract. Either way, they can measure energy spent in order to predict the time to stop flying.

When fishing in open water, the ten free-rangers studied stayed under for an average of 5.7 minutes over the course of 15,978 dives. When fishing from a hole in the ice, however, the three birds under study dived 495 times but stayed under much longer, which led the researchers to believe that the penguins’ decision to end their time under water wasn’t about how long they’d been under at all. This led them to consider the possibility that it was based on energy expended instead, which is how they came to start counting how many times the penguins flapped their wings to propel themselves while chasing after fish.

It turns out that regardless of whether the penguins are fishing in open water or through a hole in the ice, they flap on average 237 times before surfacing. Thus it seems rather clear that they are basing their time spent under water on energy spent flapping, rather than on some predetermined time span; how they count and keep track, though, is still anyone’s guess.

Emperor penguins flying. Photo by Guillaume Dargaud

Mini Diesel Coming to America?

A sad and somewhat funny story in MotoringFile by the MINI USA Product Manager:

I’ve been on a personal mission to get Diesels here in the US since 2007. I’ve owned oil burners myself (PowerStroke F-250, X5 35d) and love the purring clatter of a Diesel that lets everyone know that you’re smarter than the current crop of Prius drivers on the road. Couple that with incredible fuel economy, great drivability and the 40% increase in fuel economy, it is so obvious that we should have a MINI Diesel in the US. While many people think we’ve been dragging our feet and that we’re anti-Diesel, the opposite is true. I know many claim that they have gone to other makes because we don’t have the Diesel here, but we hope we can win them back.

Oh, that sounds good, although he is missing emissions as one of the virtues of diesel. Perhaps that’s not a mistake, given that the prior diesels he lists are both trucks with horrible mileage and emissions. Keep that in mind when you see how he blames the regulators for Mini’s inability to import their engines.

…Diesel vehicles in Europe conform to very rigid but more importantly, predictable, BIN standards that do not require SCR. This is unlike the US where every lawmaker is trying to get a book deal by becoming automotive engineers and petroleum industry experts overnight and to re-write the law as they go.

So MINI Diesel won’t be coming anytime soon. Apparently the company is unable to figure out how to stay ahead of American requirements, which most people would say are long overdue. Case in point, he describes Mini design and engineering as not responsive enough to adapt to what they call a surprise in requirements:

…the changes to the CAFE and EPA regulations by the Obama administration meant that we’d (by law) have to add urea injection two years sooner by 2013, during the lifecycle of the current R5x platform. So, Plan A was to sell a MINI Diesel for two years without SCR and to then add urea injection when it was needed. Plan B was to add urea injection right away, so that we wouldn’t have to worry about it. We asked the engineering team, the Oxford plant and the internal project financing team what it would take. The answer was a STAGGERING amount because of the necessary changes to the body-in-white. We all love our MINIs but often forget just how tightly packaged the car is today and to provide a place for the urea mixture tank, pump, lines, wiring and injection system, we needed to re-engineer the car with a new floorpan, left rear quarter panel, inner wheelhouse and attendant hardware (including interior panels and trim.)

Maybe that’s a huge problem and a surprise to a person who buys an F250 or an X5 diesel for a town car, but achieving better emissions definitely should have been no great hurdle for the company that makes the Mini and wants to sell into the small/efficient car market.

If I had a dollar for every company that said “regulators are always behind” and then later said they can’t meet regulations because they change too quickly…

The truth is regulators move in response to large and obvious trends in public sentiment. The politicians react to public and private influence that is no secret and easily predictable. Mini should have been anticipating the rules and working with the regulators directly ahead of time if they had any concerns about meeting them. I don’t accept their excuses at all.

Imagine if Mini made the same argument in other areas of marketing as they do with their emissions problems. Note how the story describes the virtues they measure in an engine, in line with the opening paragraph above:

Now I know you will all hate me, but I had a chance to drive it and the thing is incredible. It was a Pepper White manual R56 Cooper SD on 17s. It rips out of the gate like the current Cooper S and just revs, all the way to 4,500 rpm. It has noticeably more noise than the N18 (about 40% more) but like I said, it’s GOOD noise! Best part, it can get 48 mpg (true US conversion.)

Unfortunately “rips out of the gate” is not the full set of criteria to measure the success of their engineering. Even 48 mpg for a high-performance engine is not enough (and unimpressive, given that a full-size Jaguar diesel averages 62 mpg; a Fiat 500 diesel gets 56 mpg).

Although Mini marketing probably pushed engineering into performance and mpg and thought they were important to grow market share, even more important was the ability to exceed basic expectations of clean emissions (e.g. regulatory requirements).

Engineered wrong and unable to win you back: the dirty Mini Cooper Diesel

Spy Planes Veer into Iran, South Dakota

Compare and contrast.

First, Jon Stewart makes fun of the CIA’s loss of control over their stealth surveillance UAV in a segment called “I’m no expert but that sounds like bullsh#t”:


Second, the LA Times reports that surveillance UAVs (military-grade Predator B) are flying over America with “high tech cameras and sensors” for domestic police operations:

As the unmanned aircraft circled 2 miles overhead the next morning, sophisticated sensors under the nose helped pinpoint the three suspects and showed they were unarmed. Police rushed in and made the first known arrests of U.S. citizens with help from a Predator, the spy drone that has helped revolutionize modern warfare.

To be fair the Predator B was not exactly “veering” into South Dakota. It is one of two unmanned aircraft based at the National Air Security Operations Center (NASOC) UAS Operations Center in Grand Forks, North Dakota. There also are Predator Bs stationed in Arizona, New York and Texas, all funded under U.S. Customs and Border Protection (e.g. domestic surveillance in Texas).

…a 2008 report by the Congressional Research Service, the nonpartisan analytical arm of Congress, found UAVs have an accident rate 100 percent higher than manned aircraft.

In recent months, the Federal Aviation Administration has been cautious in approving their use on the Texas border, drawing rebukes from Republican and Democratic lawmakers who have kept up a chorus of public pressure calling for the deployment.

“Safety is our big concern,” said Laura Brown with the FAA, the federal agency that oversees flight plans for UAVs amid high-traffic air routes like those in South Texas. “There have been a number of situations where operators have lost a radio signal.”

And then third, of course, we can’t look at stories about overhead surveillance risks and privacy without mentioning the Streisand effect.

It is named after American entertainer Barbra Streisand, whose attempt in 2003 to suppress photographs of her residence inadvertently generated further publicity.

Maybe it’s just me, but I have a feeling some people are scanning Google maps of North Dakota right now to see if they can figure out details behind the six missing cattle story. I mean, those cattle might not have disappeared if the ranchers had started out by deploying some of their own high-tech identity tags and surveillance instead of waiting for the Posse Comitatus to show up, as I have written about before.