Operation Buckshot Yankee

GovInfoSecurity reports on a flash drive that breached the US Department of Defense

Deputy Defense Secretary William Lynn III, in an article to be published by the journal Foreign Affairs, writes that a flash drive inserted into a laptop on a military post in the Middle East in 2008 caused the most significant breach of military computers.

The incident is now being declassified. Lynn says this is to increase awareness of threats. However, we know that malware spreads from flash drives. The real news is here:

That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control

Lack of segmentation between classified and other systems? While it is nice that a Deputy Defense Secretary would come forward with details that say the military did not manage security well, just to educate Congress, perhaps there is another motive. The story reads less about threats of sophisticated malware and more about poor segmentation controls.

The more I hear and read the military focus the discussion on “threats” the more I wonder if they are trying to stir fear in American politics to establish control or at least major influence over Cyber Command.

This is the new political landscape. I see it as a career-related move on their part (they want to be seen as the new generation of leaders) as much as an organizational fight with civilian leadership.

I asked the esteemed panel at DefCon about this and their response was “No one thinks that…. Howard Schmidt is a civilian.” I guess that makes me no one, because I still think that these military-led presentations are not a token of mere goodwill but rather part of some political process. The breach review should include threat analysis but the vulnerabilities are often more interesting; I hope we will soon find out why military leaders left classified systems so easily exposed.

Update: More on this topic in Civilians giving away too much control of US CyberSecurity?

Air Vest Saves Equestrians

Interesting development in horse rider safety, reported by NYTimes.com:

Inflatable vests have been sold to motorcyclists for about a decade, but few equestrians used them until a British company, Point Two Air Jackets, adapted them for use on horses and began distributing them at top European competitions last year. Hit Air, a Japanese company that says it has been selling motorcycle vests since 1999, also sells an equestrian version.

They each rely on similar technology. The two-pound vest is attached by a cord to a rider’s saddle and is worn over a traditional protective vest made of high-density foam. When a rider is thrown from a horse, the cord is yanked, puncturing a cartridge of carbon dioxide and inflating the vest. The vest can be reused after the cartridge is replaced. Point Two said its vest inflates in one-tenth of a second; Hit Air said its average rate is one-quarter of a second.

I have never seen a motorcyclist wearing one. The article explains that speed and impact are different so the benefits are considered controversial. The equestrians seem to have only qualms about minor improvements.

The vests have become so common on the competition circuit that it has become a common courtesy to warn other riders to unhook their cords before dismounting. “When you arrive, everyone says: ‘Your vest! Your vest!’” Laghouag said.

Inevitably, someone forgets.

“It’s always a source of amusement,” O’Connor said. “You hear a pop, and somebody’s looking like a marshmallow.”

Sunga Security: Staying Safe in Rio

Even before I flew to Rio de Janeiro I was getting warnings about personal safety from friends, colleagues and family. Without rehashing the usual advice (walk briskly and do not pull out a camera to take pictures, do not wear a nice watch, etc.) I thought I could add a little fresh detail.

A 2008 article in the New York Times says you must also pay attention to your clothes, especially on the beach:

..dress for the beach as the Cariocas do, the implication being that I would otherwise look like a gringo and become the target of every panhandler, pineapple salesman and potential kidney-napper

Two caveats to this kind of advice. First, tan lines also matter. If your dark tan starts below your knees, expect to stand out from the Cariocas. A short suit far above a tan line actually makes your impersonation worse. You are better off with a local pair of board shorts. Second, I have been told on very good authority that the color of a Sunga has meaning. The Times talks about a “world of sungas to be explored” but black is actually a safe bet.

SB 1411: Online Impersonation Outlawed

California Senate Bill 1411, authored by Joe Simitian, has passed the legislature unanimously and now awaits the Governor's signature. He has only 140 days left in his term but it seems likely to get through.

“In the age of the Internet,” said Simitian, “pretending to be someone else is as easy as using their name to create a new e-mail account. When that is done to cause harm, folks need a law on the books they can turn to.”

The current law, said by Simitian to be from 1872, apparently could not handle the latest attacks that involve impersonation online. I have not yet found the right copy of the old text (Chapter 8, Sections 528 through 539?) but apparently the language had a loophole for “electronic means” (Pony Express mail was covered) and perhaps the fine was only 10 cents. This will be changed to a whopping maximum of $10,000 or up to a year in jail. The Simitian site says the new law makes impersonation a misdemeanor when two conditions are met: criminal intent and lack of consent. This must expand the current tests of harm to the victim and benefit to the attacker, but I am not a lawyer.

I wonder why 1872 is relevant. Other laws from a hundred years prior (e.g. 1776) seem to be ok. Is the age of a law really important or is there something more specific that is wrong?

It also prompts me to wonder if you have consent can you still have criminal intent? Imagine a couple who are married or have given written full power of attorney for a transaction…perhaps that would give a situation with legal consent yet criminal intent. On the other hand there seem to be cases where you do not have consent but that does not mean criminal intent. Consider the recent ruling on schools that monitor students at home, for example.

“Electronic means” is defined here.

This bill defines “electronic means” to include opening an e-mail account or an account or a profile on a social networking Internet Web site in another person’s name.

Although Simitian speaks of stopping pernicious attackers, the bill seems much more broad. Someone just opening an account, rather than active use of the account for impersonation, could already face lawsuits related to their intent. I assume they mean registering a new one and not just authentication when they say “opening…an account”.