Archive for the 'Terrorism' Category
Cyberthreats all the way down
If existence is turtles all the way down, then when it comes to technology and linked infrastructure, John Robb’s latest thought is Cyberthreats all the way down. There’s no good way to excerpt it, so you’ll have to just go read it. But that’s not a Bad Thing.
Still, as you read his statements, consider that they also apply to each component of the infrastructure, with generally only syntactic tuning. Within a government or corporate entity, the same framework holds true. Within a business unit. Within a department. On a workstation. Within an application. Within a .dll or .so. And so on.
Site R
I’m not sure if this Wired News story about how to visit a top-secret nuclear site makes me feel better or worse about my own day-to-day challenges.
The first rule of Site R is: You do not talk about Site R. Or, as the security guidance about the Pentagon’s nuclear war bunker (AKA Raven Rock Mountain Complex, or RRMC), states: “Avoid conversations about RRMC with unauthorized personnel.” The other two rules of Site R are: “Do not confirm or deny information about RRMC to reporters or radio stations,” and “Do not post RRMC information on Internet web pages.”
We might suggest a fourth rule: do not send information about RRMC to reporters working on a travelogue about nuclear weapons.
…
But our interest in Site R was piqued by an announcement that was posted in 2006 on the website of the Defense Threat Reduction Agency (DTRA), the Pentagon’s nonproliferation agency.
…
If Site R is so gosh-darn secret, why did they post this notice, and more importantly, how did we get our grubby little mitts on documents relating to this conference, including an informational overview, a “Welcome Package”, an agenda, security guidance for attendees, and a schedule of shuttles to Site R (which we are not posting)? Cunning subterfuge? A Deep Throat inside the mountain? A Freedom of Information Act request?
Sadly, we just asked for them. We e-mailed the contact person for the conference, provided our affiliation, and asked for the conference materials. We did say “please.”
Welcome to my life. If the Pentagon can’t keep people from posting information about Top Secret sites which only have value if they are complete secrets (Yeah, right!) on the Internet or disclosing it to journalists, what chance do I have?
Actually, I could excerpt and comment on pretty much the entire article, but they do a good enough job that you should just read it for yourself. They discuss the obsolescence of bunkers both as a countermeasure (“if it’s not a secret, what good is it? A modern thermonuclear warhead would destroy it in an instant.”) and as a base of operations for emergency response:
Are bunkers good for combating terrorism? Probably not. As the nation learned on September 11, what you want in the event of a terrorist attack is information: immediate, accurate and unfiltered. Site R, where government workers are stripped of their personal cell phones and PDAs, is arguably the worst place to be.
In fact, based on the conference agenda, the bunker is a problem in search of a solution:
So, what do bunker managers do at meetings like this? Judging from the conference agenda, they look for things to worry about: pandemics; electromagnetic pulse weapons; and biological attacks. But as one item on the agenda hinted — “Tunnel Collapse Briefing” — possibly the most dangerous threat to life in the bunker is the bunker itself.
This article is like a parable of the entire IT & IT Security industries. Even the people who supposedly know how to keep secrets don’t. We have tools that are only effective if they are a secret, but which we then must publicize so they can act as a deterrent. Much of the time, we are running around trying to find problems which match the solutions we have available, and even when we manage to get them up and running, we spend inordinate amounts of time trying to keep them from failing and taking the whole place down with themselves.
It’s only encouraging insofar as realizing you have a problem is the first step to fixing it.
Posted in Security and Risk Management, Risk Management, Terrorism | 3 Comments »
Backdoor in Skype?
This has been around for a few days, but there are reports that there may be a backdoor in Skype which allows call interception by authorized parties.
According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations.
This differs from the experience of the German Bundespolizei, who (earlier this year, I think) stated that their inability to monitor Skype was harming counter-terror efforts.
So what does this mean in the Grand Scheme of Things?
First, Skype has traditionally been known to be better than POTS at preventing call interception. It allows the parties to a conversation to be reasonably secure against attempts to eavesdrop on the traffic. This may or may not still be the case where government entities are involved, which would make it no better or worse than POTS in this respect.
Previously, there has been analysis indicating that Skype might have some crypto flaws, and a paper published at BlueHat a year or so ago confirmed both application and crypto issues which, when combined, could produce some interesting misbehavior.
So if you’re worried about government eavesdropping, Skype is now at the same level of confidentiality as POTS. You’ll have to find a tool that allows you to do your own key management, which you should have been doing anyway. If you’re not, then it’s still better than POTS.
This is interesting and not surprising: corporate interests follow the money, not principles. But nothing to see here.
Posted in Security and Risk Management, Risk Management, VoIP, Terrorism | 1 Comment »
Our Dangerous Statistical Ignorance
He doesn’t call them by name, but Cory Doctorow perfectly nails the human inability to deal with Black Swans, the Very-High-Impact, Very-Low-Likelihood event.
The single most pernicious threat to liberty today is humanity’s natural tendency to misunderstand the statistics of rare events. We’re just not wired to have good intuition about things that happen with extreme infrequency.
I’ll prove it. If we were good at understanding statistics, then here’s what would happen when you flew to Las Vegas. You’d step out of McCarran airport, stare down the Strip at all those glittering, palatial casinos and say to yourself, “Holy crap – think of all the suckers who must have lost everything to finance this place!” Instead, our foolish minds are filled with thoughts like, “Man, look at all the money in this town – I’m going to win big!” And another casino is built.
He spoke about two miles from my house on his book tour a week ago, but I was unable to make it. *sigh*
Posted in Security and Risk Management, Terrorism | 2 Comments »
Be unafraid
What we need is this:
But what we get is this:
Posted in Security and Risk Management, Terrorism | No Comments »
It’s Snuggly the Security Bear!
Remember, it’s not breaking the law, it’s love…
Posted in Security and Risk Management, Privacy, Terrorism | 1 Comment »
Search and Seizure
When I read stories like this, I really begin to wonder if my country has gone irrevocably off the rails:
A few months earlier in the same airport, a tech engineer returning from a business trip to London objected when a federal agent asked him to type his password into his laptop computer. “This laptop doesn’t belong to me,” he remembers protesting. “It belongs to my company.” Eventually, he agreed to log on and stood by as the officer copied the Web sites he had visited, said the engineer, a U.S. citizen who spoke on the condition of anonymity for fear of calling attention to himself.
I guess that the Fourth Amendment is the latest member of the Bill of Rights to be put explicitly out-of-scope at airports.
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Posted in Observations, Security and Risk Management, Terrorism | No Comments »
The mall ninja
I’d never heard of the Mall Ninja until my friend Mike E. sent me a link to it. It’s a hilarious extraction of posts on a couple of firearms discussion boards allegedly between two mall security guards with incredibly warped assessments of risk.
For example, the Mall Ninja worries a lot about the dangers of things like getting from his parked car to the safety of his beloved mall:
What scares me is that, although I can fit an extra trauma plate in the front, I cannot fit a second one in back. As of late I have taken to duct-taping a second trauma plate to the area of my back where the heart and vital organs are located. Then I put my vest on.
When it’s the mall security guard, we laugh. But think about how many IT Security practitioners don’t sound entirely unlike this when asked to provide commentary on theoretical system or network vulnerabilities before IT or (even worse) business managers.
Don’t be an IT Security Mall Ninja. If not for you, for me and everyone else who needs to be taken seriously when dealing with IT risk.
Final warning: Do not read the Mall Ninja while drinking hot or snortable liquids. Do not read the Mall Ninja in environments where involuntary snickering would be inappropriate or harmful to your marital or employment status. Do not begin reading the Mall Ninja if you have somewhere to be in the next few minutes.
Posted in Security and Risk Management, Risk Management, Terrorism | 2 Comments »
Powerful extortion or powerful myth?
[Update: thoughts from John Quarterman below]
[Update2: notes from a friend with some insider info]
This tale of extortionists taking power plants off-line by attacking their computer systems is getting a lot of play right now, at least in the InfoSec press.
Criminals have launched online attacks that disrupted power equipment in several regions outside of the U.S., he said, without identifying the countries affected. The goal of the attacks was extortion, he said.
“We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands,” he said in a statement posted to the Web on Friday by the conference’s organizers, the SANS Institute. “In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.”
This whole thing seems light on fact and long on titillating detail to me personally: more the realm of Movie Plot Threats than an unacceptable risk. Even a casual Google News search for “power outage” didn’t produce any hints; everything was either domestic to the U.S. or localized with the cause explained (a worker electrocuted himself and his body shorted out the grid, etc.).
Nevertheless, people are coming out of the woodwork to defend the speaker as credible:
Having worked with Tom Donahue on these and related issues in the past, I regret to inform conspiracy theorists that he is virulently allergic to hyperbole. That he might be making these statements lightly is about as likely as any sane person playing Russian roulette with a semi-auto pistol.
But this leads to an interesting question, namely: is the power grid vulnerable to a systems-level attack? We know that the 2003 blackout of the Midwest and Northeastern US and parts of Canada was caused by a cascading failure of SCADA systems, essentially making the system unmanageable and taking it off-line.
So what is the level of risk? According to Alan Paller, Director of Research at NIST,
The prospect of cyberattacks crippling multicity regions appears to have prompted the government to make this information public. The issue “went from ‘we should be concerned about to this’ to ‘this is something we should fix now,’ ” said Paller. “That’s why, I think, the government decided to disclose this.”
If we take the 2003 outage as the potential impact and assume, conservatively, that the state of security awareness and systems resilience has not improved materially since that incident, then one of two things must be true: either the threat has escalated, or The Experts are playing FUD games with us.
We have an issue which has been known since at least 2003, when we suffered the first major incident, and about which all sorts of “credible” experts (or so we’re told) are suddenly speaking up. What are they hoping to accomplish by suddenly going public with a vulnerability that was effectively defined in the aftermath of the 2003 outage? Is this effectively a form of disclosure, similar to public software vulnerability reporting, used as a tool of last resort to drive improvements in the electrical generation system?
Personally, I suspect an evolution in the Threat, a position that John Robb seems to have reached as well. He’s written extensively about the evolution of systems disruption attacks. Now imagine the synergy of the kidnapping-for-ransom/extortion business models so common in Latin and South America these days, combined with the technical expertise that’s producing work like the Storm worm, applied to an outdated, under-maintained IT infrastructure directly tied to real-world impact, and the threat seems increasingly credible.
Just because it sounds dramatic doesn’t mean it isn’t so. As the old saying reminds us, “Just because you’re paranoid doesn’t mean that no one is out to get you.”
So will I be researching options for going “off the grid” in response to this? No. Actually, I’ve already been looking at off-the-grid options for economic and environmental reasons, but this is something I might factor in to my ultimate decision.
[Update: An additional theory on motivations:]
As Adam pointed out, John Quarterman suggested on Dave Farber’s Interesting People mailing list that this might be used to create a threat whose solution will turn out to be more monitoring of Internet traffic. I already deleted the message, but had to agree that it might make sense, given the strong pro-wiretapping agenda of the agencies now propagating and vouching for one another, combined with the Urban Legend-/Weekly World News-grade facts that allegedly support the story.
[Update2: Notes from a friend with some insider info]
On the power grid thing. I have done a bit of a study of some control networks and there is quite a bit of risk out there. They have been taking old systems and just willy-nilly adding them on to IP networks. This stuff used to all be dialup. They run 20 year old OSes or worse. I do not know about all the current noise in the press. I am part of a team with [a friend] working in the industry to start making changes. There is a lot of crazy stuff. Operations and IT do not talk to each other….
Posted in Security and Risk Management, Risk Management, Terrorism | 3 Comments »
Airport Insecurity
The old saying, “Don’t just stand there, do something!” could pretty well sum up the TSA & Homeland Security’s approach to selecting airport security measures. Per Reuters, “No proof airport security makes flying safer: study”:
Airport security lines can annoy passengers, but there is no evidence that they make flying any safer, U.S. researchers reported on Thursday.
A team at the Harvard School of Public Health could not find any studies showing whether the time-consuming process of X-raying carry-on luggage prevents hijackings or attacks.
They also found no evidence to suggest that making passengers take off their shoes and confiscating small items prevented any incidents.
The U.S. Transportation Security Administration told research teams requesting information that their need for quick new security measures trumped the usefulness of evaluating them.
I have traditionally ascribed the pointless harassment we call “security” in airports to incompetence, a desire to exert control over others and political expediency, rather than to any real interest in or understanding of what would produce effective security. DHS/TSA seem to view air travelers as a group to be handled in a manner akin to a prison population, where everyone is 100% “bad” and must be controlled to prevent chaos, rather than as citizens who, on any given day, are almost certainly 100% good.
But to have them effectively admit that they don’t care whether their security measures are effective or not really makes my blood boil.
Posted in Security and Risk Management, Risk Management, Terrorism | No Comments »