excellent. more security theater. tax $ hard(ly) at work.

It started with your shoes, then your water. Now the TSA wants your snacks.

Some PVC Security maintenance

Dear Friends,
Our dearly departed podcast project is drifting into the dark recesses of the collective mind, so the time arrives for some archiving.
The pvcsec twitter account is disabled & on its way to deletion. I will be going through to make sure all of our other social media bits are similarly retired – Facebook, Google+, and so on.
I am not sure if the web site will move over here as a subsection or if I will let the Internet Archive have its way with it. I’m also considering a plain text archive on gopher, but that might be more work than I want.
Anyway, this will be thought about and done over the next 2 to 4 weeks or so. Stay tuned?

A counter argument on a government run cybersecurity “moonshot”

Evaluating a “Cybersecurity Moonshot”

For cybersecurity, however, the “moonshot” or the sometimes-interchangeable cyber “Manhattan Project” may not be the best models.
First, both the moonshot and the Manhattan Project were relatively focused, short-term efforts aimed at a single and clearly defined objective—land on the moon, explode an atomic bomb. We do not have the same clarity and focus for cybersecurity. Project Apollo, delayed by a tragic fire, took seven years to put people on the moon while the Manhattan Project took three years to build the atomic bomb. Both were well-resourced. It may be possible to match these speeds if the technological objective of the cybersecurity moonshot was clearly defined and if the United States is willing to make the needed investments, but the construct we call cyberspace is the most complex creation ever built by humans. There are entrenched interests fearful of any change, and the politics of a cyber moonshot will be much more daunting.
A cyber moonshot could increase its chances of success if it could identify technologies that would provide wide-ranging improvements for cybersecurity.

This article raises some excellent concerns. Indeed, in order for this kind of thing to be successful (or like the Solarium Project I wrote about the other day) we need to define clear goals and objectives.
And we need fresh thinking, something VCs, the cybersecurity industry, and the US government largely lack at the moment. Everyone seems to be iterating the same concepts.
What do you think? Is this a space where a government run or sponsored project could, assuming the best conditions, make a noticeable impact?

The story of Mary

The story of Mary:

Mary spent a lot of time on the phone speaking with her CEO, general counsel, CFO and other business leaders in her company and at those she was evaluating for purchase. “A good deal doesn’t get done on email” she was fond of telling her co-workers. And it was true. So as Mary was waiting on her delayed flight to board at Newark International Airport one day, she decided to squeeze in one more call to try and finalize the terms of a merger that was coming together between her company and a competitor.  What Mary didn’t consider, as she was singularly focused on that conversation, was that she wasn’t alone in her conversation. Sitting near her, and listening to every word she said, was a financial reporter from a well-known business website. He put two and two together pretty easily. The pending merger would not be a secret for long.
You can use your imagination to guess what happened next. Story of the pending merger, which Mary had finalized on the call that day, broke online within 24 hours. Investors and speculators climbed all over the stocks of both companies and the fallout drastically changed the financial dynamics, effectively killing the deal. In the end, Mary’s company calculated that the failed merger attempt cost them $12 million, not to mention the lost market opportunity and value that the merger would have created. No one was ever able to tie the leak directly to Mary, but since there were so few people involved in the negotiations there were assumptions made. Mary’s career stalled after that.

(Via CSO Online)
I’ve talked before about my role in defending against outsiders learning about potential Mergers & Acquisition targets of a former employer. So much around this is old-school physical security and OpSec. It is challenging but fun work – very cloak and dagger.
The article is a nice reminder that all of your security budget going toward shiny boxes and cool services doesn’t protect against this very real risk scenario.

Supply-Chain Attacks: Why the U.S. Should Worry

Supply-Chain Attacks: Why the U.S. Should Worry:

There are different types of supply-chain attacks: generic attacks, which attempt to sabotage all devices; and targeted attacks, which take advantage of knowing the end customer for a device. Additionally, supply-chain attacks on the software component can take place not only when a device is shipped but also whenever the software receives an update. There are also information-gathering supply-chain attacks in which a cloud service provider reveals data.

The U.S. government needs to take supply-chain attacks much more seriously and refine government purchasing in ways that resist these attacks. Some attacks—such as bulk sabotage of consumer chips or devices—are probably unavoidable. But wide-ranging attacks like these can cause only limited amounts of damage, because, unless they are particularly subtle, they are more likely to be detected.

(Via Lawfare – Hard National Security Choices)
Why supply chain isn’t a bigger discussion when discussing security boggles my mind. Every company and organization – and individual – is vulnerable.

A Glimpse into Private-Sector Cybersecurity in Japan

A Glimpse into Private-Sector Cybersecurity in Japan:

Many Japanese government agencies and corporate actors are discovering the importance of cybersecurity as a set of national policies (the selection of Tokyo for the 2020 Olympics has been an impetus). But Japan’s role in the global economy means that government, business, policy, and academic actors outside of Japan need to understand the current policy stances and policy processes for their own economy and cybersecurity. “Business Management and Cybersecurity” provides an excellent entry into Japan’s changing understandings and its roles in global cybersecurity.
… Another example of the value of the book’s comparative approach is its description of the different expectations the chief information-security officer (CISO) role in corporations in Japan and overseas. Only 63 percent of Japanese companies assign a CISO, whereas the ratio is 95 and 85 percent in the U.S. and Europe respectively. While CISOs are “dual-hat” positions in 35 percent of Japanese companies, the ratio is only 17 percent in the U.S. and 18 percent in Europe. Since Japan does not have many long-term cybersecurity professionals as the U.S., and since Japanese business culture does not usually recruit C-suite executives externally, “Business Management and Cybersecurity” expresses doubt that an American or European approach of hiring and assigning a CISO would work in Japan. Instead, the book suggests that cybersecurity team building would be more effective given Japan business culture and patterns of Japanese corporate governance.

(Via Lawfare – Hard National Security Choices)
The review definitely echoes my observations working here for the past 30 months. Looks like I found my next book! I just hope there is an English edition that doesn’t lose too much in translation.

Summary: The Supreme Court Rules in Carpenter v. United States

Summary: The Supreme Court Rules in Carpenter v. United States:

On Friday, June 22, the Supreme Court issued its much-anticipated opinion in Carpenter v. United States, holding that a warrant is required for police to access cell site location information from a cell phone company—the detailed geolocation information generated by a cellphone’s communication with cell towers. As predicted, Chief Justice Roberts authored the majority opinion, reversing the Sixth Circuit’s decision. He was joined by Justices Ginsburg, Breyer, Sotomayor and Kagan. The remaining four justices, Justices Kennedy, Thomas, Alito, and Gorsuch each filed separate dissenting opinions.

(Via Lawfare – Hard National Security Choices)
There has been a ton of coverage about this in the US. As per usual, Lawfare does a great job of reviewing this without hyperbole. Give it a good read as it has far reaching potential implications.

Washington Needs a New Solarium Project To Counter Cyberthreats

Washington Needs a New Solarium Project To Counter Cyberthreats:

Sometimes the most significant legislative measures get the least attention at the time of passage. That may be the case with the Cyberspace Solarium Commission mentioned in the National Defense Authorization Act that was passed on June 18 by the U.S. Senate. Tucked into the bill crafted and sponsored by Sen. Ben Sasse (R-Neb.), the commission may not garner many headlines, but it could galvanize a strategic paradigm shift.
If the idea survives the House-Senate conference process and gets signed into law — and we very much hope it does — it could lead to the creation of the institutions, doctrines, resources, and strategy that the United States needs desperately in the realm of cybersecurity. As New York Times national security correspondent David Sanger argued in a recent essay, the United States is woefully unprepared for the age of cyberconflict.
… If properly led and implemented, the Sasse proposal for a Cybersecurity Solarium Commission could make a similarly timely and consequential contribution to national security. The NDAA provision self-consciously draws inspiration from President Dwight D. Eisenhower’s iconic Project Solarium exercise in 1953.
… Today, it seems like everyone is using cyberweapons, but not enough policymakers are thinking about them.
To be sure, there is a fair degree of strategic analysis and thinking in academia, in think tanks, and in the relevant Cabinet departments and agencies. But this thinking has not accumulated into definable strategies that have buy-in from the White House or that have aligned roles and responsibilities across department and agency lines.
… Neither the Obama nor the Trump administration has gone so far down the decision path, and so this commission may prove to be an enabling and action-forcing exercise, as Congress reasserts its Article 1 constitutional responsibility to “provide for the common defense.”
The United States cannot afford to wait. It is already clear that U.S. adversaries are willing to stage attacks in the cyber domain and believe they can do so with impunity: Witness Russia’s successful deterrence of the Obama administration from retaliating in 2016.
Advanced cyber capabilities and a willingness to run risks to use them are the common features of every major national security challenge facing the United States today, whether it is Iran, North Korea, Russia, or China. As a result, cyberthreats cast a long shadow over the full range of national security and foreign-policy issues, including trade, regional conflict, terrorism, and new great power rivalries.
Americans struggled to understand the nuclear threat from the Soviet Union. In an effort to overcome bureaucratic stovepipes and to catalyze fresh thinking, Eisenhower convened the Solarium exercise to help him assess and respond to an unprecedented national security challenge. With this new provision in the Senate version of the fiscal 2019 NDAA, Sasse has given the U.S. government the opportunity to make a similar landmark assessment and response.

(Via Foreign Policy)
Peter Feaver’s and Will Inboden’s article is an eye opener for me. I totally missed this somehow when I was learning about the NDAA. Based on recent actions in the Executive Branch of the US government, this looks like reasonable and better-late-than-never action by the Legislature. That is assuming it makes it makes it in to the final NDAA language, of course.
Read the whole article for the historical parallels and context.
What do you think?

Ancient Refrigeration

Yakhchal: Ancient Refrigerators – EARTH ARCHITECTURE

By 400 BC, Persian engineers had mastered the technique of storing ice in the middle of summer in the desert. The ice was brought in during the winters from nearby mountains in bulk amounts, and stored in a Yakhchal, or ice-pit. These ancient refrigerators were used primarily to store ice for use in the summer, as well as for food storage, in the hot, dry desert climate of Iran. The ice was also used to chill treats for royalty during hot summer days and to make faloodeh, the traditional Persian frozen dessert.

I love classical practical physics. I keep filing these stories away for my eventual retirement place which I want (as of now) to be as off-the-grid as practical.

Bitcoin is a Cult

Bitcoin is a Cult — Adam Caudill
A good read that gets just technical enough without reaching the point of glazing the reader’s eyes. It highlights some of the same reasoning Warren Buffet raised.
I especially love this quote:

What was once driven by curiosity, a desire to learn and improve, to determine the viability of ideas, is now driven by blind greed, religious zealotry, self-righteousness, and self-aggrandizement.

This is easily applicable in many aspects these days, neh?