Taliban: Going Dark

September 3, 2021

I spotted a story from the ever reliable Associated Press called “Official Taliban Websites Go Offline, Though Reasons Unknown.” (Note: I am terrified of the AP because quoting is an invitation for this outfit to let loose its legal eagles. I don’t like this type of bird.)

I can, I think, suggest you read the original write up. I recall that the “real” news story revealed some factoids I found interesting; for example:

  • Taliban Web sites “protected” by Cloudflare have been disappeared. (What’s that suggest about the Cloudflare Web performance and security capabilities?)
  • Facebook has disappeared some Taliban info and maybe accounts.
  • The estimable Twitter keeps PR maven Z. Mujahid’s tweets flowing.

I had forgotten that the Taliban is not a terrorist organization. I try to learn something new each day.

Stephen E Arnold, September 3, 2021

Why Big Tech Is Winning: The UK Admission

August 31, 2021

I read “UK’s FCA Say It Is Not Capable of Supervising Crypto Exchange Binance.” This is a paywalled story, and I am not sure how much attention it will get. As Spotify is learning from locking up the estimable Joe Rogan, paywalls make sense to a tiny slice of one’s potential audience.

The story is an explanation about government helplessness when it comes to fintech or financial technology. The FCA acronym means Financial Conduct Authority. Think about London. Think about the wizards who cooked up some nifty digital currency methods at assorted UK universities less than one hour from the Pickle. Think about a government agency with near instant access to the wonks at the National Crime Agency, the quiet ones at Canary Wharf, and the interesting folks in Cheltenham. Now consider this passage from the write up:

… the Financial Conduct Authority said that Binance’s UK affiliate had “failed to” respond to some of its basic queries, making it impossible to oversee the sprawling group, which has no fixed headquarters and offers services around the world. The admission underscores the scale of the challenge facing authorities in tackling potential risks to consumers buying frequently unregulated products through nimble crypto currency businesses, which can often circumvent national bans by giving users access to facilities based overseas.

Hello? Rural Kentucky calling, is anyone at work?

Let’s step back. I need to make one assumption; that is, government entities have authority and power. What this write up makes clear is that when it comes to technology, the tech outfits have the authority and the power.

Not good in my opinion for the “consumer” and maybe for some competitors. Definitely not good for enforcement authorities.

Who finds sun shining through the clouds after reading this Financial Times story? I would wager that tech centric outfits are thinking about a day or more at the beach. No worries. And look. Here comes Snoop Dogg handing out free beer. What a day!

Stephen E Arnold, August 31, 2021

Fancy Code? Nope, Just Being Nice to Apple Customer Care

August 25, 2021

I continue to be fascinated by the number of cyber security companies reporting new exploits. If an exploit is a hot ticket, should not multiple cyber security threat identification services report a breach? Maybe, but the reality is that some expensive and often exotic smart software fumbles the ball.

How do bad actors gain access to what these individuals perceive as high value targets? It is not a team of hackers sponsored by a rogue state or a tech-literate oligarch. The crime often is the anti-security action of a single individual.

Lone wolves being nice is a technique not captured by artificially intelligent, over-hyped platforms. “La Puente Man Steals 620,000 iCloud Photos in Plot to Find Images of Nude Women” may be an example of the methods which can penetrate the security of outfits which tout their concerns about privacy and take pains to publicize how secure their online systems, services, and products are.

The allegedly accurate write up states:

Chi, who goes by David, admitted that he impersonated Apple customer support staff in emails that tricked unsuspecting victims into providing him with their Apple IDs and passwords, according to court records. He gained unauthorized access to photos and videos of at least 306 victims across the nation, most of them young women, he acknowledged in his plea agreement with federal prosecutors in Tampa, Fla.

The “real” news report added some color to this action:

Chi said he hacked into the accounts of about 200 of the victims at the request of people he met online. Using the moniker “icloudripper4you,” Chi marketed himself as capable of breaking into iCloud accounts to steal photos and videos, he admitted in court papers. Chi acknowledged in court papers that he and his unnamed co-conspirators used a foreign encrypted email service to communicate with each other anonymously. When they came across nude photos and videos stored in victims’ iCloud accounts, they called them “wins,” which they collected and shared with one another.

What’s happening in this example?

  • Social engineering
  • Pretending to be a concerned professional at a big company
  • A distributed group of anti-security types who don’t know one another too well
  • Victims.

Net net: Fancy security systems are indeed fancy. The security part is different from what bad actors are doing. That’s a bit of a problem for outfits like Microsoft and T-Mobile, among others.

Stephen E Arnold, August 25, 2021

Amazon AWS: Personalization? What Is That? Who Cares?

August 23, 2021

I read the impassioned “AWS Doesn’t Know Who I Am. Here’s Why That’s A Problem.” The individual appears to perceive himself as an Amazon-savvy professional. I learned:

My name is Ben Kehoe. I’m an AWS Serverless Hero. I’ve spoken at re:Invent. I meet regularly with teams across AWS. I’m followed by @awscloud on Twitter. But AWS doesn’t know who I am.

There are examples of services which pay attention to the “identity” or “alleged identity” of a user. These are helpful examples, and I liked the inclusion of Microsoft GitHub as an outfit that appears to care about an individual’s or a persona’s identity.

The write up includes the many tokens used to keep track of an AWS user or account. There is, it seems, no meta-token basket. Thus, instead of being a single entity, there are many separate AWS entities.

Several thoughts occurred to me:

  1. Fragmenting makes it easier to assess fees on hard-to-track services one part of an entity incurs. Why make it easy to manage AWS fees?
  2. Like security, Amazon AWS shifts the burden from the utility to the person, entity, or software process. My hunch is that the approach allows AWS to say, “Not our problem.”
  3. Amazon and AWS require that users and entities recognize that the company is, in effect, a person. Most people forget that a commercial enterprise may have more rights than a humanoid.

Net net: Amazon has no incentive to care about anyone, including Ben Kehoe, unless the corporate person benefits, in my opinion. Humans want to be perceived as unique. AWS is not mom. Thus, the problem is not Amazon’s.

Stephen E Arnold, August 23, 2021

Federated AI: A Garden of Eden. Will There Be a Snake or Two?

August 23, 2021

I read “Eden AI Launches Platform to Unify ML APIs.” I had two immediate reactions. The first was content marketing, and the second was that there was a dark side to the Garden of Eden, wasn’t there?

Eden is a company pulling a meta-play or leveling up. The idea is that one can pop up higher, pull disparate items together, and create a new product or service.

This works for outfits ranging from a plumbing supply company serving smaller towns to an outfit like the Bezos bulldozer. Why not apply this model to the rock solid world of machine learning application programming interfaces?

The write up states:

… using Eden AI, a company could feed a document in Chinese into Google Cloud Platform’s optical character recognition service to extract its contents. Then it could have an IBM Watson model translate the extracted Chinese characters into English words and queue up an Amazon Web Services API to analyze for keywords. Eden AI makes money by charging providers a commission on the revenues generated by its platform.

Latency? Apparently no problem. The costs of maintaining the meta-code as the APIs change? Apparently no problem. Competition from outfits like Microsoft, which, whether the technology works or not, wants to maintain its role as the go-to place for advanced whatevers? No problem.

Someday.

Stephen E Arnold, August 23, 2021

Remember Who May Have Wanted to License Pegasus?

August 20, 2021

Cyber intelligence firm NSO, makers of Pegasus spyware, knows no bounds when it comes to enabling government clients to spy on citizens. Apparently, however, it draws the line at helping Facebook spy on its users. At his Daring Fireball blog, computer scientist John Gruber reports that “Facebook Wanted NSO Spyware to Monitor iOS Users.” We learn that NSO CEO Shalev Hulio has made a legal declaration stating he was approached in 2017 by Facebook reps looking to purchase certain Pegasus capabilities. Gruber quotes Motherboard’s Joseph Cox, who wrote:

“At the time, Facebook was in the early stages of deploying a VPN product called Onavo Protect, which, unbeknownst to some users, analyzed the web traffic of users who downloaded it to see what other apps they were using. According to the court documents, it seems the Facebook representatives were not interested in buying parts of Pegasus as a hacking tool to remotely break into phones, but more as a way to more effectively monitor phones of users who had already installed Onavo. ‘The Facebook representatives stated that Facebook was concerned that its method for gathering user data through Onavo Protect was less effective on Apple devices than on Android devices,’ the court filing reads. ‘The Facebook representatives also stated that Facebook wanted to use purported capabilities of Pegasus to monitor users on Apple devices and were willing to pay for the ability to monitor Onavo Protect users.’”

We are glad to learn NSO has boundaries of any sort. And score one for Apple security. As for Facebook, Gruber asserts this news supports his oft-stated assertion that Facebook is a criminal operation. He bluntly concludes:

“Facebook’s stated intention for this software was to use it for mass surveillance of its own honest users. That is profoundly [messed] up — sociopathic.”

Perhaps.

Cynthia Murrell, August 20, 2021

CISA Head Embraces Cooperation with Public-Private Task Force

August 20, 2021

Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly is wielding the power of cooperation in the fight against ransomware and other threats. Her agency will work with both other security agencies and big tech companies. This novel approach might just work. The article “Black Hat: New CISA Head Woos Crowd With Public-Private Task Force” at Threatpost reports on Easterly’s keynote presentation at this year’s Black Hat USA conference.

The partnership is logically named the Joint Cyber Defense Collaborative (JCDC) and had 20 corporate partners signed up by the end of July. Amazon, AT&T, Google Cloud, Microsoft, Verizon, and FireEye Mandiant are some of the biggest names participating. (Is FireEye, perhaps, trying to redeem itself?) Easterly also plans to work with other federal agencies like the DoD, NSA, and FBI to make sure their efforts align. We are told ransomware will be the team’s first priority. Writer Tom Spring reveals a bit about the new director:

“Easterly is a former NSA deputy for counterterrorism and has a long history within the U.S. intelligence community. She served for more than 20 years in the Army, where she is credited for creating the armed service’s first cyber battalion. More recently she worked at Morgan Stanley as global head of the company’s cybersecurity division. Easterly replaced CISA acting director Brandon Wales after the agency’s founder and former director Christopher Krebs was fired by former President Trump in 2020.”

But will the cybersecurity veteran be able to win over her corporate colleagues? The article notes one point in her favor:

“During a question-and-answer session, the CISA director scored points with the audience by stating that she supported strong encryption. ‘I realized that there are other points of view across the government, but I think strong encryption is absolutely fundamental for us to be able to do what we need to do,’ she said. … While acknowledging distrust within some segments of the cybersecurity community, Easterly urged the audience of security professionals to trust people first. ‘We know some people never want to trust an organization,’ she said. ‘In reality we trust people – you trust people. … When you work closely together with someone to solve problems, you can begin to create that trust.’”

Will the JCDC members and CISA’s fellow agencies be able to trust one another enough to make the partnership a success? We certainly hope so, because effective solutions are sorely needed.

Cynthia Murrell, August 20, 2021

Google Quote to Note: We Are Just Like Our Customers

August 18, 2021

I read “Google Cloud’s Top Engineers Explain How They Use Customers Sessions to Build Products.” The write up is information obtained from a single Google engineer. The Googler manifests the here-and-now of customer empathy sessions. Yep, empathy. Google cares about the Cloud it seems.

I noted this statement attributed to the empathetic Google expert:

When I joined Google, we needed to get better at meeting people where they are. That was the idea behind these empathy sessions.—Googler Kelsey Hightower

“Meeting people where they are.” Does that mean in a trade show booth? I thought in Washington, DC, Google relied on partners to meet “customers.” Guess I was incorrect in that, but that factoid surfaced in a meeting at a security services outfit on August 9, 2021. One of those people noted that he had performed this function for the Google. Obviously, despite the security of the attendees, the first-hand account was disinformation maybe?

Here’s another insightful and human centric statement about Google systems:

When you have good technology, you can fall into this trap of assuming it just works.

Okay, great observation. Is the Google in this trap because empathy is one thing and delivering systems that “work”, useful documentation, and that bugaboo customer support are not inherently empathetic? These are business services directly at odds with cost cutting, efficiency, and assuming that Googlers are smarter than everyone else in the whole wide world. News flash: That’s not exactly a good premise in my opinion. If that were true, dead fish like Amazon and Microsoft would not be selling more cloud services than Mother Google.

Now here’s the quote to note:

Empathy engineering is a very humbling experience.

Yep, humbling. Maybe a new catchphrase for Googlers? Just be humble. How does that sound?

I think it is more T-shirtable than Don’t be evil. Evil can generate revenue.

Stephen E Arnold, August 18, 2021

Palantir Pushes Beyond What Any Other System Can Do It Seems

August 13, 2021

I believe everything I read online. Don’t you? I spotted this interesting article: “Palantir: Revolutionizing Big Data Analytics.” The write up shows a Covid dashboard and focuses on what’s called “data integration.” Putting information in an index or series of indexes so a user or software can run a query across that which has been placed in said indexes is sometimes called “federation”. Without entering a rabbit hole, let’s accept the “data integration” idea and ignore the buzzwords like “cross function collaborations.”

The Palantir system has a four step “process flow.” These steps include:

  • Aggregating data
  • Transforming data
  • Securing data
  • Empowering data.

I track with the first three steps, which have been required by policeware and intelware systems for decades.

The baffler is “empowering” data. I think this means that Palantir data are more valuable, potent, or muscular than data in a system for which I was a consultant many years ago. That was the i2 Analyst’s Notebook from the late 1990s.

That’s neither here nor there because Palantir did the Silicon Valley thing and found inspiration in that pioneering i2 system, which is now owned by IBM.

But here’s the statement in the write up that left me scratching my head:

Palantir is different from traditional business intelligence solutions like Tableau, Alteryx, or Cloudera, as it’s able to answer questions that a regular model isn’t able to. Questions such as “What steps should be taken if there’s another global pandemic”, or “How to increase margins in the most effective way”.

First, the companies cited in the passage are not intelware or policeware centric. Second, Palantir seems to be able to process natural language queries, extract on point facts and data from the aggregated and transformed data, and deliver answers.

As far as I know, NLP systems do not reliably field ad hoc questions about general business issues or warfighting/intelligence issues. If systems did, there would not be the grousing about training, complexity, and disused intelware due to complexity and instability.

I don’t want to suggest that Palantir cannot deliver NLP which works. I would like to gently suggest that this just may not work in a way which would be useful in certain situations.

I understand the reasons “traditional” intelware fails. Managing data and logic together is tricky and made more challenging and expensive because real time streams can be ingested into some intelware systems. Specialists exist to deal with the real time challenge, and I am not sure Palantir has the robustness of Trendalyze, for example.

The data integrity issue is a big deal. Palantir makes it possible to know who input data. But the integrity issue is larger than a single person. There are vendors who assemble data sets. Automated data sets work okay too, but when a stream is lost from an authorized intercept, the data set takes a hit. Plus, there is just bad data; for example, variable mechanisms for counting Covid deaths. Has Palantir whipped this garbage-in problem? Maybe.

One weakness of Palantir’s competitors is described this way:

The inability to define key business metrics transparently in a common data foundation

This is an ambiguous statement. Most managers don’t know what they need or want. A case in point is a cyber security vendor offering phishing protection to clients. What happens if phishing techniques rely on auto generated emails with smart software crafting the pitch and the inclusion of valid links to the recipient’s company’s Web site? How is an employee to recognize these malformed emails? We know phishing systems are not working because of the notable breaches in the US and elsewhere in the last six months of 2021. Senior managers want answers, and hopefully the answers are “good” or at least don’t lead to a diplomatic crisis or a severe business impact. Has Palantir cracked the problem of people who say, “I know what I want when I see it”? In my experience, quite a few CxOs rely on this method. Unfortunately this is not 1690 in Rhode Island where the vigilant are on the lookout for irritated Native Americans. Recognizing that eyeball glimmering in a bush is not something intelware systems are able to do in a reliable, economical, speedy way.

Finally, the Palantir competitors “lack flexibility due to rigid data assets.” I remember the sales pitch of MarkLogic, a vendor of slicing-and-dicing content systems. The idea is that XML was almost magical. Input parameters and one gets output like a book made up of relevant content from the objects in the database. XML is a useful tool, but based on my experience with intelware systems, most of them use structured files, open source software, and the same popular algorithms taught in CompSci 401 around the world. The flexibility issue is a big one because now intelware must make sense of audio, video, pictures, gifs, database files, proprietary files from legacy systems, consumer file types like Word, and numeric streams. The phrase “rigid data assets” does not quite capture the nuances of the data chaos facing most organizations.

Net net: This is an interesting write up, but I think it needs evidence and substantive information. Palantir certainly has magnetism, but I still ask myself:

Why is Palantir funding SPACs and allegedly requiring these firms to agree to license the Palantir system?

This is a mystery to me. Because if Palantir whipped NLP, for instance, or the data chaos problem, the company would be the hottest thing since i2 Analyst’s Notebook.

Stephen E Arnold, August 13, 2021

Microsoft: Maybe ESET-Type Companies Are a Problem?

August 12, 2021

Microsoft security may have a problem other than bad actors compromising systems. The news cycle has moved forward, but I still chuckle at the SolarWinds misstep. How many super duper cyber solutions failed to detect the months-long compromise of core Windows processes? I don’t know, and my hunch is that whoever knows does not want to talk about the timeline. That’s understandable.

I read “IISpy: A Complex Server-Side Backdoor with Anti-Forensic Features.” The source appears to be We Live Security, which is reporting about an ESET research finding. (I find it interesting that cyber security researchers report interesting things that other cyber security vendors appear not to report or possibly know about. Interesting, or a signal that cyber security systems are not particularly effective when new methods poke through a secured system, saying, “Surprise!”)

The write up states:

According to ESET telemetry, this backdoor has been active since at least July 2020, and has been used with Juicy Potato (detected as Win64/HackTool.JuicyPotato by ESET security solutions), which is a privilege escalation tool. We suspect the attackers first obtain initial access to the IIS server via some vulnerability, and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension. According to our telemetry, IISpy affects a small number of IIS servers located in Canada, the USA and the Netherlands – but this is likely not the full picture, as it is still common for administrators to not use any security software on servers, and thus our visibility into IIS servers is limited.

If the affected server is the exact one the bad actor wants, numbers may not be germane. Also, does the phrase “not the full picture” indicate that the cyber researchers are not exactly sure what’s going on?

Interesting questions from my point of view.
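The ESET passage above says the implant is installed as a native IIS extension once administrative privileges are obtained. On the defender’s side, that means the implant has to appear as an entry under `<globalModules>` in IIS’s `applicationHost.config`, and comparing that list against a baseline exported from a clean server is one cheap way to surface it. The following is an added example written for this post; it is not code from the page, from ESET, or from Microsoft. The baseline module names are an illustrative subset of a stock IIS install (a real baseline should be exported from a known-clean reference server), the trimmed config is constructed, and `ExampleImplantModule` and its path are placeholders, not the name or location the real backdoor uses.

```python
"""Audit native IIS modules in applicationHost.config against a baseline.

Added example (not from the page, ESET, or Microsoft). A native IIS
extension must be registered under <globalModules>, so an entry that is
missing from the baseline, or a baseline name whose DLL has moved to an
unusual directory, is worth a closer look.
"""
import ntpath
import xml.etree.ElementTree as ET

# ASSUMPTION: illustrative subset of modules a stock IIS install registers.
# Export the full list from a clean reference server for real use.
BASELINE_MODULES = {
    "UriCacheModule": r"%windir%\System32\inetsrv\cachuri.dll",
    "FileCacheModule": r"%windir%\System32\inetsrv\cachfile.dll",
    "HttpCacheModule": r"%windir%\System32\inetsrv\cachhttp.dll",
    "StaticFileModule": r"%windir%\System32\inetsrv\static.dll",
    "DefaultDocumentModule": r"%windir%\System32\inetsrv\defdoc.dll",
    "AnonymousAuthenticationModule": r"%windir%\System32\inetsrv\authanon.dll",
    "RequestFilteringModule": r"%windir%\System32\inetsrv\modrqflt.dll",
    "HttpLoggingModule": r"%windir%\System32\inetsrv\loghttp.dll",
}

# Directories (lower-cased) from which stock native modules are normally loaded.
TRUSTED_DIRS = (r"%windir%\system32\inetsrv", r"%windir%\microsoft.net")

# CONSTRUCTED sample: a trimmed applicationHost.config with two planted entries.
# "ExampleImplantModule" and both odd paths are placeholders, not real indicators.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="HttpCacheModule" image="%windir%\\System32\\inetsrv\\cachhttp.dll" />
      <add name="StaticFileModule" image="C:\\Windows\\Temp\\static.dll" />
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="ExampleImplantModule" image="C:\\inetpub\\temp\\ext.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def _norm(path):
    """Normalise a Windows path for comparison (case-insensitive, trimmed)."""
    return path.strip().lower()


def in_trusted_dir(image):
    """True if the module DLL lives under one of the stock IIS directories."""
    image_dir = ntpath.dirname(_norm(image))
    return any(image_dir.startswith(d) for d in TRUSTED_DIRS)


def audit_global_modules(config_xml, baseline=BASELINE_MODULES):
    """Return [(name, image, reasons)] for <globalModules> entries that are
    not in the baseline, reuse a baseline name with a different DLL, or load
    from a directory outside the stock IIS locations."""
    root = ET.fromstring(config_xml)
    findings = []
    for modules in root.iter("globalModules"):
        for entry in modules.findall("add"):
            name = entry.get("name", "")
            image = entry.get("image", "")
            reasons = []
            expected = baseline.get(name)
            if expected is None:
                reasons.append("not in baseline")
            elif _norm(expected) != _norm(image):
                reasons.append("baseline name but different image")
            if not in_trusted_dir(image):
                reasons.append("image outside trusted IIS directories")
            if reasons:
                findings.append((name, image, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # On a real server, read %windir%\System32\inetsrv\config\applicationHost.config.
    for name, image, reasons in audit_global_modules(SAMPLE_CONFIG):
        print(f"{name}: {image} [{reasons}]")
```

Two of the five constructed entries are reported: the baseline name whose DLL has moved to a temp directory, and the unknown module. Checking the image path as well as the name matters because an implant can borrow a legitimate module name; checking the name as well as the path matters because a DLL dropped into the inetsrv directory would otherwise pass.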

If I step back, what’s my observation?

Perhaps cyber security is in a quite pitiful state. If this is accurate, why would the US government offer Amazon AWS another $10 billion deal? Microsoft will contest this important award. You can read the Microsoft News story “Microsoft Challenges the Government’s Decision to Award Amazon a NSA Cloud-Computing Contract, Which Could Be Worth $10 Billion” to get a sense about the disconnect between selling and addressing what may be fundamental security issues.

Would that money, time, and effort be better invested in addressing what seems to be another troubling security issue?

The answer to this question would be in my opinion a true juicy potato.

Stephen E Arnold, August 12, 2021
