Category Archives: History

Bloomberg Fear: All Has Been Lost to Chinese

Anyone remember the controversy in Europe over Americans stealing commercial secrets? I’m not talking about Budweiser, Cheddar cheese, Parmesan cheese, Champagne, assembly lines or the millions of other ideas ruthlessly transferred to the American market in the 1800s and 1900s without any credit or attribution to the European sources they came from. I doubt any American you ask today knows Cheddar is from a town called Cheddar, England, or even knows that such a town exists. The AP framed that old problem by quoting a prominent trade expert in America.

Gary Litman, vice president for European affairs for the U.S. Chamber of Commerce, said it’s too late to rename imitation Italian products that are already firmly established. “You cannot change history that easily,” he said.
[…]
Litman said most American buyers probably don’t care whether the cheese was made in Parma. “No one thinks it’s coming from Parma. They don’t even know where Parma is. They couldn’t find it on a map.”

No, not that controversy about imitations and knowledge transfer. I actually am talking about a different one: the much more recent case described by the BBC in 2000 as “Big brother without a cause”.

The Echelon spy system, whose existence has only recently been acknowledged by US officials, is capable of hoovering up millions of phone calls, faxes and emails a minute.

Hoovering secrets? Why would America want to do that? Surely it is only for the safety and defense of the country. They can’t possibly be using it to steal secrets about cheese.

Its owners insist the system is dedicated to intercepting messages passed between terrorists and organised criminals.

But a report published by the European Parliament in February alleges that Echelon twice helped US companies gain a commercial advantage over European firms.

[…]

Mr Campbell believes that when the Cold War ended, this under-employed intelligence apparatus was put to use for economic gain.

“There’s no safeguards, no remedies,” he said. “There’s nowhere you can go to say that they’ve been snooping on your international communications. It is a totally lawless world.”

Now that’s just crazy talk. Lawless world? Or is it…? Are there other examples of this kind of problem?

A lengthy Bloomberg article has just appeared that tries to paint the U.S. as innocent victim of Chinese lawless behavior. I find a strikingly familiar style to the story. Note this quote, for example.

“The situation we are in now is the consequence of three decades of hands-off approach by government in the development of the Internet,” Falkenrath said.

I think he means the lawless world that Campbell warned about in 2000. Falkenrath’s quote is vague so here’s an even better quote.

“What has been happening over the course of the last five years is that China — let’s call it for what it is — has been hacking its way into every corporation it can find listed in Dun & Bradstreet,” said Richard Clarke, former special adviser on cybersecurity to U.S. President George W. Bush, at an October conference on network security. “Every corporation in the U.S., every corporation in Asia, every corporation in Germany. And using a vacuum cleaner to suck data out in terabytes and petabytes. I don’t think you can overstate the damage to this country that has already been done.”

In contrast, U.S. cyberspies go after foreign governments and foreign military and terrorist groups, Clarke said.

“We are going after things to defend ourselves against future attacks,” he said.

Well, it is not like the U.S. is going to go around saying “hey everyone, we’re stealing your secrets” even if it were. So Clarke could honestly believe what he is telling the press, but it doesn’t change the fact that the U.S. might continue denying corporate espionage while actually performing it.

Ok, I know what you’re thinking. China has spies funded with state money. That makes it different from American spies because in America the spies are unorganized and beg on the street for pennies, right? Ashcroft paying ChoicePoint tens of millions (before they paid him) to collect information on companies around the world and sell it to the government, that was an exception to the rule about funding spies with state money, right?

The Chinese are said to now be going at it with a national determination not seen since…the “hoovering” by Echelon.

Segmented tasking among various groups and sophisticated support infrastructure are among the tactics intelligence officials have revealed to Congress to show the hacking is centrally coordinated, the person said. U.S. investigators estimate Byzantine Foothold is made up of anywhere from several dozen hackers to more than one hundred, said the person, who declined to be identified because the matter is secret.

If they run that “sophisticated support infrastructure” anything like ChoicePoint, then all the U.S. has to do is get on the phone to China, give some random identity of a false company and offer to buy the data. Bada bing.

But seriously, the Bloomberg story starts off strong and repeats an old scary picture of a vacuum cleaner (vacuum one, vacuum two, vacuum three, vacuum four, vacuum five, etc.) sucking all the data out of America. Is it any coincidence that a company in Hong Kong acquired Hoover in 2007?

Then Bejtlich gets in a quote that changes the tone completely.

“The guys who get in first tend to be the best. If you can’t get in, the rest of the guys can’t do any work,” said Richard Bejtlich, chief security officer for Mandiant Corp., an Alexandria, Virginia-based security firm that specializes in cyber espionage. “We’ve seen some real skill problems with the people who are getting the data out. I guess they figure if they haven’t been caught by that point, they’ll have as many chances as they need to remove the data.”

The attackers have skill problems with their vacuum cleaner? The imagery is ruined. Who needs skill to use a vacuum? Now I see a bunch of guys running around in circles with USB drives, bumping into each other and falling down.

Such tracing is sometimes possible because of sloppiness and mistakes made by the spies, said another senior intelligence official who asked not to be named because the matter is classified. In one instance, a ranking officer in China’s People’s Liberation Army, or PLA, employed the same server used in cyberspying operations to communicate with his mistress, the intelligence official said.

Cue Benny Hill

But seriously, again, the story does have an interesting counterpoint to my point in a recent blog post. I asked why, if there is no risk of retribution and China has unlimited human resources, the U.S. military is trying to convince us that there is only a small number of attackers.

Bloomberg brings up the possibility of large numbers of Chinese entrepreneurs hacking for profit.

Driving China’s spike in cyberspying is the reality that hacking is cheaper than product development, especially given China’s vast pool of hackers, said a fourth U.S. intelligence official. That pool includes members of its militia, who hack on commission, the official said. They target computing, high technology and pharmaceutical companies whose products take lots of time and money to develop, the official said.

They don’t target our food and beverage industry?

Oh, right, they probably just go to Europe to steal the original information and not American knock-offs. I’m only being half-facetious. Europe obviously has a lot of IP at risk and innovation as good or even better than in America.

We heard complaints about Americans spying on European companies in 2000. The French complained in 2005 about China and there was a fair bit of discussion in 2010 about Renault. Why don’t we hear anything now from the European security experts, or from the European Generals and politicians, similar to the arguments by the U.S.? Where is the comparable outrage about the need to retaliate and fight the Chinese spies; why hasn’t Bloomberg included targets outside the U.S.?

Although I like the WSJ treatment of the topic far better than Bloomberg, they too fail to mention the European angle let alone other areas of the world with innovation (e.g. India, who is often trading harsh words with China). The reports from Europe seem to be far more cloak and dagger, as if their computers are impenetrable.

…an unnamed French company realised too late that a sample of its patented liquid had left the building after the visit of a Chinese delegation. It turned out one of the visitors had dipped his tie into the liquid to take home a sample in order to copy it.

Well then I guess we are left to imagine a Chinese cyberarmy squad throwing up their hands in disgust. American companies were all easily penetrated with just a simple email attachment, but now, unable to get through the French company’s defenses, one of the Chinese agents says “that’s it, I’m putting on a tie and going in”.

And then there is the case of Chinese students paying tuition and attending class to learn about vacuum cleaner technology from the British. What kind of elite cyberarmy agent pays tuition and actually goes to class? Those British computers must be seriously hardened to force students to attend classes. At least now we know where spies get the latest vacuuming techniques from…

Chinese Attacks Raise Concerns

Let’s just get out of the way that there are many examples of wrongdoing by Chinese nationals. Take today’s clash with South Korea, for example:

A South Korean coastguard commando has been stabbed to death and another injured by Chinese fishermen detained for illegal fishing in the Yellow Sea.

Some might look at this story and say it’s an isolated example. Maybe we can even agree that these few fishermen, a tiny fraction of the total number of Chinese on the Yellow Sea, are the ones who do most of the damage. I phrase it that way because of a story I noticed today by the Associated Press: “A Few Chinese Hacker Teams Do Most US Data Theft”.

As few as 12 different Chinese groups, largely backed or directed by the government there, do the bulk of the China-based cyberattacks stealing critical data from U.S. companies and government agencies, according to U.S. cybersecurity analysts and experts.

This should be good news, right? Only 12 groups in China? Does that equate to something like 0.0001 percent of all the different Chinese groups?

I guess you could say “largely backed or directed by the government” is supposed to add an element of legitimacy, but anyone familiar with China knows that everyone there still is largely backed or directed by the government.

Now here’s the bad news. Despite the tiny number of suspects, officials in the U.S. are not hopeful that they can prove anyone in China actually guilty.

It is largely impossible for the U.S. to prosecute hackers in China, since it requires reciprocal agreements between the two countries, and it is always difficult to provide ironclad proof that the hacking came from specific people.

Always difficult to provide “ironclad proof”? They say it like it is a bad thing. Even if we accept that China has a small number of suspects and that it is always difficult to prove someone guilty I don’t follow the logic to the next part of the article. Enter the U.S. military:

“Right now we have the worst of worlds,” said [James Cartwright, a retired Marine general and former vice chairman of the Joint Chiefs of Staff]. “If you want to attack me you can do it all you want, because I can’t do anything about it. It’s risk free, and you’re willing to take almost any risk to come after me.”

The U.S., he said, “needs to say, if you come after me, I’m going to find you, I’m going to do something about it. It will be proportional, but I’m going to do something … and if you’re hiding in a third country, I’m going to tell that country you’re there, if they don’t stop you from doing it, I’m going to come and get you.”

First of all, this is a deterrence model, which I covered in my Dr. Stuxlove presentation based on the Dr. Strangelove movie by Stanley Kubrick. Deterrence is known to be far from a slam-dunk security strategy. It can create risks of its own which are larger and even much worse than the original threat of attack.

Second, he lost me at the “I’m going to find you”. If it is impossible to prove guilt in the first place then who are they going to find and threaten, people who aren’t proven guilty? I know it’s frustrating to follow loose threads but saying “I’m going to come and get you” can actually create a game in itself, as anyone familiar with Smurf attacks will remember. Someone could purposefully stage attacks to kick-off a premature and misguided escalation (i.e. back to the plot of Dr. Strangelove). The fix to Smurf redirects, incidentally (pun not intended), was not to threaten everyone with massive retaliation but to reduce risk through immunization that prevented the forwarding/relaying of attacks.

Back to the article, I noticed another strange comment that might be driven by an unfamiliarity with Chinese culture.

One of the analysts said investigations show that the dozen or so Chinese teams appear to get “taskings”, or orders, to go after specific technologies or companies within a particular industry. At times, two or more of the teams appear to get the same shopping list, and compete to be the first to get it, or the one with the greatest haul.

Motivated by what? It is tempting to say a paradigm of competition is a universal hacking mantra; perhaps the Chinese are now emulating the American system of competition. Again, however, it sounds very unlike Chinese philosophies and writing, such as the vision of success through following orders and looking backwards, as expressed in The Way of Lao Tzu.

I have three treasures. Guard and keep them.
     The first is deep love.
     The second is frugality,
     And the third is not to dare to be ahead of the world.
Because of deep love, one is courageous.
Because of frugality, one is generous.
Because of not daring to be ahead of the world,
One becomes the leader of the world.

I also am curious about who really believes it makes sense for China to hold a competition of only two groups out of twelve. If China has almost unlimited human resources, and can launch attacks “risk free”, why would they hold such tiny attack competitions? Why hold back? There must be some risk or there would be far more than twelve groups. If you add up all the arguments in the article, it really does not make much sense.

In any case, perhaps it helps some to compare the twelve groups in the AP article to the nine evil fishermen of the Yellow Sea. Always proceed with caution in building a response so as not to lose control of the situation. The risk of ruthless and underhanded attack has to be factored in when investigating and responding to breaches; the death of the South Korean commando is tragic. At the same time, an opportunity to approach and win insider support from any/all remaining Chinese groups, the ones not attacking, should not be overlooked or underestimated.

Sudanese Freedom Rap and Guns of Brixton

Zoul4Revolution posted an interesting video of Sudanese protest music on YouTube:

But it was a comment on a Clash song from the same account that really caught my attention:

I’m from Sudan, we’re uprising against the fascist government of NCP, I’ve always sided with the peaceful uprising, been arrested and tortured many times, every time I play [Guns of Brixton] I think about picking up a gun to join the armed revolution side

That led me to a quick search and the discovery of a nine video set that captures Guns of Brixton covers in numerous styles from around the world.

1) Hardcore

  • Analena
  • Dropkick Murphy’s
  • rtz global


2) Acoustic

  • calexico
  • Arcade Fire
  • Déportivo


3) Chillout

  • nouvelle vague
  • pre-school


4) Dub

  • Santogold – Guns of Brooklyn
  • radici del cemento & Fermin Muguruza


5) Polish

  • Analogs – Strzelby z Brixton
  • Alians – Bomby domowej roboty


6) Punk

  • Unwritten Law
  • The Blaggers Ita
  • Evilsons


7) Spanish

  • la furia – Armas de barrio
  • mundo livre sa


8) Rockabilly

  • Honeydippers
  • Rancho Deluxe


9) Ska

  • los fabulosos cadillacs
  • Inner Terrestrials
  • Union Jack

And of course there are many, many more cover versions…not least of all is a hit British song that borrowed only the bass line:

But after all that, I have yet to hear a Sudanese version.

Naming names, BOF and the Chinese APT

One of the great legacies of Roman Emperor Justinian the Great (527 to 565) was a uniform revision of law. It has remained the basis of civil law in many parts of the world. In his Byzantine IUSTINIANI DIGESTA of the year 533, for example, it was written:

22.3.2

Paulus libro 69 ad edictum

Ei incumbit probatio qui dicit, non qui negat.

My Latin is a little rusty. Yet I am fairly certain that translates to a man named Paulus (Julius Paulus Prudentissimus, the most quoted Roman jurist in the Digest) saying the following:

Burden of proof (incumbit probatio) is on he who asserts (qui dicit), not on he who denies (qui negat)

Naming names

That old rule of law was the first thing that came to mind when I read the screeching opinion from CSO Publisher Bob Bragdon on “Naming names in APT”.

Let’s call a spade a spade: China is the greatest threat to international cybersecurity on the planet.

I’m tired of pussyfooting around this issue the way that I, and many others in security, industry and government have been for years. We talk about the “threat from Asia,” the attacks perpetrated by “a certain eastern country with a red flag,” network snooping by our “friends across the Pacific.” I swear, this is like reading a Harry Potter book with my daughter. “He-Who-Must-Not-Be-Named” just attacked our networks.

Let me be absolutely, crystal clear here. In this scenario, China is Voldemort. Clear enough?

Crystal clear? Spade a spade? China is Voldemort? This article must be tongue-in-cheek because it is so obviously self-contradictory it can’t possibly be serious.

The author then offers us an example from a report by NPR. It names China as one of two great threats to business information in the U.S.:

The report is explicit: “Chinese actors are the world’s most active and persistent perpetrators of economic espionage,” it concluded, while “Russia’s intelligence services are conducting a range of activities to collect economic information and technology from U.S. targets.”

The author’s example in the article thus contradicts his complaint about naming names. The fact is China has been explicitly named in security reports for a long time, as I have written about before. Here is what I found in just a few seconds of searching:

So naming names is hardly a problem for “many others in security, industry and government” and should be set aside. China is obviously getting named both officially, unofficially and even when there is only suspicion.

Burden of proof

What if we accept the author’s argument, setting aside the naming names complaint, that “China is Voldemort”? Now we face a problem of proof.

I’m not talking about proof that China meets the dictionary definition of Voldemort. I mean why doesn’t the author drop in a couple of examples to show that China, even under any other name, is the “greatest threat to international cybersecurity on the planet”? Incidentally, I have to wonder what is the greatest threat off the planet, but I’ll leave that alone for now.

Let’s look again at the one example provided.

The report is explicit: “Chinese actors are the world’s most active and persistent perpetrators of economic espionage,” it concluded, while “Russia’s intelligence services are conducting a range of activities to collect economic information and technology from U.S. targets.”

This report fails to say that China is the greatest threat to international cybersecurity. Is China a threat to U.S. economic interests? Obviously, as mentioned in CSO before in an article on “Byzantine Hades” (coincidental name, no?). There are many, many examples. One of the economic and social conflict areas between China and the U.S. most interesting to me is the Sudan, as I have written about before. Does anyone think it is a coincidence that the successful American effort to split a country in Africa into separate nations with a clear border was led by a U.S. General?

I see border dispute, tension, and conflict as a very tangible and long-standing indicator of threat. Take as another example the 2009 prediction in the Indian Defense Review.

China will launch an attack on India before 2012.

There are multiple reasons for a desperate Beijing to teach India the final lesson, thereby ensuring Chinese supremacy in Asia in this century. The recession that shut the Chinese exports shop is creating an unprecedented internal social unrest. In turn, the vice-like grip of the communists over the society stands severely threatened.

The arguments made were interesting because they actually went so far as to try and prove the foundation of Chinese aggression and thereby predict an escalation. Even more interesting was the response and attempt to disprove the arguments for aggression, as illustrated by an article in ChinaStakes.

Mr Verma’s reasoning rests on a lack of documentation. Looking into the past 60 years, China has no record of launching a war to divert public attention from anything. Moreover, while Mr. Verma supposes the Chinese Communist Party has no cards to play other than “invading India,” the Party, widely experienced in dealing with domestic disputes, will hardly in only three years have run out of all options facing potential social instability. Moreover, even if Chinese leaders considered such an option, they would certainly be aware that an external war would severely jeopardize domestic affairs.

After review of those two sides of the argument I neither believe that China will invade India before 2012 (easy to say now) nor that a lack of a record launching attacks prevents China from changing policy and taking a more aggressive stance. And while I discount both I find myself reviewing the arguments and contemplating a third option.

What if 60 years of American past is what China is actively studying to weigh strategic options? What if they are drawing lessons from the American long-range missile pre-emptive strike doctrine as well as the deterrence doctrine? I have no doubts that there are hawks in the Chinese government studying a history of similarly hawkish plans abroad and trying to find a best-fit for their own country. Whether they can achieve a fit or even emulate/fake one is another story.

Now I’m off talking about awesomely scary missile and invasion conspiracy theories. How did I get here? Oh, right, the Chinese get blamed in name. At least in border disputes, strike plans and missile tests, there is an effort by authors to provide evidence to prove their point. Before I get too far into reality, let’s pull back to the CSO article.

The author offers the reader nothing even remotely resembling an argument and thus ends up just name-calling in an article against name-calling. Greatest threat to cybersecurity on the planet? Let’s see some evidence or at least an argument to back that up. I’m not asking for predictions, just something Paulus might have approved — something that we can actually argue for or against.