
Last Call at the Oasis

A new movie on the issue of water quality is set to appear in theaters tomorrow:

Illuminating the vital role water plays in our lives, exposing the defects in the current system and depicting communities already struggling with its ill-effects, the film features activist Erin Brockovich and such distinguished experts as Peter Gleick, Alex Prud’homme, Jay Famiglietti and Robert Glennon.

This comes just in time to highlight the latest research on nuclear fallout from Japan, which now is being detected on the West Coast of North America as reported in Environmental Science and Technology: Canopy-Forming Kelps as California’s Coastal Dosimeter: 131I from Damaged Japanese Reactor Measured in Macrocystis pyrifera.

Projected paths of the radioactive atmospheric plume emanating from the Fukushima reactors, best described as airborne particles or aerosols for 131I, 137Cs, and 35S, and subsequent atmospheric monitoring showed it coming in contact with the North American continent at California, with greatest exposure in central and southern California. Government monitoring sites in Anaheim (southern California) recorded peak airborne concentrations of 131I at 1.9 pCi m−3

“Greatest exposure” translates to rates 500% higher near Los Angeles than the rest of the coast. For many years now I have been researching methods of using dehumidifiers to source water. The military has been developing some amazing technology that can pull water out of the air in the desert, or reclaim water from exhaust pipes in vehicles. Imagine having a drinking fountain in your dashboard. In San Francisco each building, or even each dwelling, would simply produce its own water by absorbing moisture out of the fog, powered by the sun or the wind, as I mentioned in my presentation at last year’s BSidesLV.

It makes a lot of sense to pull moisture from the air when humidity is so high and there is no shortage of wind power. This move away from ground-based systems avoids numerous pollution issues found in piping water from remote reservoirs and it creates higher resilience to attack or disruption. However, it does not help in cases where nuclear fallout or other risks are drifting through the air.

Bitter Seeds

Bitter Seeds is Peled’s third film in a trilogy on globalisation. It explores the risks faced by Indian cotton farmers caught up in a genetically modified seed program by Monsanto. The movie follows a farmer’s daughter as she tries to expose the story of her father’s death.

Farmers unable to get bank loans instead try to borrow illegally, but they take on high interest rates. Then they struggle to overcome low yields coupled with expensive seeds that need even more expensive fertilizer and water. The traditionally stable means of living becomes a financial gamble that the farmers realise they can’t win; they then kill themselves to escape an inevitable loss of pride.

Monsanto’s pesticide is said to be a direct cause of death in hundreds of thousands of farmer suicides.

Part One: Store Wars – When Wal-Mart Comes to Town
Part Two: China Blue

Penguin Satellite Surveillance

Scientists are perfecting their ability to survey penguins by using high-resolution satellite imagery. The birds now can only hide by flying (underwater).

The satellites are actually providing the first ever species-wide population count of an animal. The space-based species census had good news:

“We are delighted to be able to locate and identify such a large number of emperor penguins,” lead author Peter Fretwell, a geographer for the British Antarctic Survey, said in a press release. “We counted 595,000 birds, which is almost double the previous estimates of 270,000 – 350,000 birds. This is the first comprehensive census of a species taken from space.”

Any guesses what the next target species will be? The secret sauce to the surveillance seems to be linked to waste analysis.

Although finding a great splurge of penguin poo on the ice is a fairly straightforward – if laborious – process, counting individual birds in a group huddle is not, even in the highest resolution satellite pictures.

This means the team therefore had to calibrate their analysis of the colonies by using ground counts and aerial photography at some select sites.

The Guardian in 2009 showed penguin guano from space

Few probably realise that waste is one of the primary ways to find and monitor them (e.g. tracking is all about impact). I’ve written before about the security implications of innovative recycling and avoiding centralised sewer systems. Analysis of waste, especially water quality, tells us a lot about behaviour to predict risks. In this case the scientists are trying to predict how climate change affects the penguins but the methodology could easily be flipped around.

Chinese Crackdown, U.S. Outgunned

The Wall Street Journal just ran a cover story titled “U.S. Outgunned in Hacker War”.

Run for the hills!

No, wait, let’s take a closer look. My first reaction was to look for details on who is outgunning the U.S. My second reaction was to look for a definition of a “Hacker War.” Unfortunately, the story comes up short on both counts.

The reader is left without clarity on who is shooting or what was meant by the term war. That is unfortunate because it is not hard for them to write a more balanced (e.g. include a counter-point) and substantive (e.g. include some data) story. Here is how I tried to make some sense of this story using a few simple steps.

The WSJ uses a quote from the FBI to start their story.

The Federal Bureau of Investigation’s top cyber cop offered a grim appraisal of the nation’s efforts to keep computer hackers from plundering corporate data networks: “We’re not winning,” he said.

Could this be in terms of U.S. criminals who are plundering U.S. assets? Why would I ask that? Let’s jump right past all the glaringly obvious examples of Bernard Madoff, Kenneth Lay, Jeffrey Skilling, Andrew Fastow, Bernard Ebbers, Scott Sullivan…and look at some of the latest data on IT threats from a security solution vendor.

  • More than 75 percent of the respondents indicated that privileged users within their own institutions had or were likely to turn off or alter application controls to change sensitive information – and then reset the controls to cover their tracks.
  • Eighty-one percent replied that individuals at their institutions either had used or were likely to use someone else’s credentials to gain elevated rights or bypass separation of duty controls.
  • On average, respondents noted that their organizations experienced more than one incident of employee-related fraud per week…

Also, as I explained in my presentation on breach data at the RSA SF 2012 conference, the U.S. shows up in many reports as the #1 source of threats. Sophos lists America as the top spam-producing country (China is the most attacked, according to them), while McAfee says 73% of malicious online content is hosted in the U.S. In other words, the U.S. currently is allowing attackers to attack the U.S. So, if we add in this detail to the story, can we conclude the U.S. is outgunned by the U.S.?

Before I answer that, you may say this data is from vendors and of course they are stoking fear. That is true but it at least gives us some quantitative detail to assess on our own and verify. The Wall Street Journal mentions no data at all.

More to the point, we could make a similar argument about the Wall Street Journal source that starts their story. The perspective they cite actually is from a person leaving for a private sector consulting practice. Clearly Henry stands to profit more, and help his consulting firm win clients, when he stokes generic security fear.

Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy.

…operators at Mr. Henry’s firm are standing by to sign you up for a new service. You can have all the major change he says you need for the low, low price of just $$$K/month.

So the first technique I recommend when reading these scare stories is to seek transparency; get to the data and verify the analysis. Always factor and account for bias. We should not be satisfied with stories of a threat mired in sophisticated or advanced details, especially from those who stand to profit with obfuscated services. As Einstein once said “if you can’t explain it simply, you don’t understand it well enough.”

Now back to the question of the U.S. outgunning the U.S. The Wall Street Journal suddenly and without explanation brings up China.

Testimony Monday before a government commission assessing Chinese computer capabilities underscored the dangers. Richard Bejtlich, chief security officer at Mandiant, a computer-security company, said that in cases handled by his firm where intrusions were traced back to Chinese hackers, 94% of the targeted companies didn’t realize they had been breached until someone else told them.

As Richard Bejtlich must know, a vast majority of companies don’t realize they are breached until someone else tells them, full stop. The new Verizon DBIR says 92% of incidents were discovered by a third party. That data point has nothing to do with China or the Chinese.

I have commented before on errors from those with an anti-Sino fixation. It is not clear to me why the Wall Street Journal is so eager to follow their fixation without question.

Breach data, referenced above, shows that the Chinese are not the most likely source of attack. That is not to mention that when I read Bejtlich’s latest opinions I ponder how the person who names his book The Tao of Network Security Monitoring, his company Tao Security, and his twitter handle @taosecurity (using the yin-yang symbol as his company logo) has become the person trying to convince us that the Chinese are stealing ideas from America.

I’m not saying the U.S. should not accuse the Chinese of copying ideas, since obviously attacks can come from anywhere and a Bernie Madoff could be born in any country; but those in the U.S. who worry about transfer of knowledge should be careful to put their accusations in perspective. Noodles, gunpowder…so many things popularised as American are obviously not from America. The issue of “who” is complicated but focusing on outsiders may be a distraction from more likely threats. We should be careful before we de-emphasise or fail to account for the risk from insiders.

The answer to my first question about the WSJ title, I would argue, is that the U.S. is actually outgunned by the U.S. This includes outsiders granted insider access. It also includes threats from trusted insiders, those supposed to be protecting other insiders.

The second technique I recommend when reading these scare stories is to seek details on the vulnerabilities. Once we identify who is involved we also need some idea of their capability to cause actual damage. Ironically, I can’t think of a better example than China to illustrate this point.

News has been flaring up that there has been a crackdown in China on expression. The Chinese are upset about the Chinese and restricting speech they consider harmful.

Authorities also closed 16 websites and detained six people, Xinhua reported, for allegedly spreading rumors of “military vehicles entering Beijing and something wrong going on in Beijing,” a spokesperson for the State Internet Information Office told Xinhua.

This is a case where an authority sees a threat so great that they take action to reduce risk. As Americans we most likely disagree with the Chinese government’s assessment of vulnerability. We live in a country where freedom of speech is said to make us stronger (still with some exceptions).

However, if you look past the question of who is the threat and on to the question of capability then the Wall Street Journal story really comes down to the FBI calling for more “guns” to fight a “Hacker War” so they can increase their capabilities, perhaps to the level that the Chinese are demonstrating with their latest crackdown.

Americans reading the Wall Street Journal story might be distracted by the Chinese tangent and think this is an us versus them war. But the reader is wise to think much more carefully about whether and when they trust an increase of power in authority to crack down on threats that may actually be on the inside.

Alas, we’re now back to the question of what they mean by “Hacker War”. If we try to define war without any notion of internal threats then it becomes more of a discussion of whether and where the U.S. is working on ways to undermine or bypass sovereignty again. But it should hopefully be clear now that the threat is not just external.

Perhaps the best way to look at this is with regard to healthcare risk news. If the Wall Street Journal ran a story on the latest data on eating well they probably would have titled it “U.S. Outgunned in Sugar War.” So the question becomes why are we allowing ourselves to do so much damage to ourselves? Or maybe the question, in terms of Bruce Schneier’s new book, is how much damage is acceptable before we are willing to give more firepower to authorities if we know how much it can reduce our freedom.