Tag Archives: Andy Greenberg

July 13, 2021 · 21:20

The Lawyer wins, the law loses

Yes, it is a stage that we will be seeing soon enough. As the lawyer wins, the law loses and tht is just the beginning. As we see ‘Apple loses appeal in Fortnite court battle’ (source: Australian Financial Review) there is a secondary stage that comes up. It is not immediately clear, but someone gave the reader by Jeff Dotzler in GC Consulting in 2019 ‘Will You Get Sued if Your Business is Hacked?’ There we see “Even though the company was able to restore the records, one of the affected clients, Surfside Non-Surgical Orthopedics in Boynton Beach, sued Allscripts in federal court. Surfside accused Allscripts of not doing enough to prevent the attack or lessen its impact and sued on behalf of all affected clients for “significant business interruption and disruption and lost revenues.”” Now consider that ‘significant business interruption’ can be replaced with ‘game score disruption’, a stage I saw coming a mile away. Epic Games did not  consider the stupidity of their actions and now, should they win they will soon face several, if not well over a dozen class cases. They cannot make some ‘we are not responsible draft’, the moment ANYONE at Google or Apple squeals the setting of the hack and it comes with the accompanied ‘We could have prevented that’ Epic Games is lost, it will cost them billions in settlements and lawyer costs. If you doubt that, consider ‘SolarWinds says unknown hackers exploited newly discovered software flaw’ (at https://www.reuters.com/technology/solarwinds-says-unknown-hackers-exploited-newly-discovered-software-flaw-2021-07-12/), so they just got out of one mess only to land in a new one and these people have a decently simple system, Epic Games will have to spend on protection that is several levels higher and I feel decently certain that it is not enough. The moment any profile is transgressed on whilst there was a purchase, that is the game, loss Epic Games and loose they will, a lot. 

Even as we are told “SolarWinds said the flaw was “completely unrelated” to last year’s hack of government networks”, it will not matter, another flaw is found and there is every chance that more than one will still be found. In this Forbes gives us ‘Why SolarWinds Is The Wakeup Call No One Heard’, it comes with “everyone talks a good game, but the very structure of American (and other businesses around the globe) makes it nearly impossible to, for example, deliberately and significantly reduce EBITDA to prepare for cyber warfare” and when you consider that EBITDA is Earnings Before Interest, Taxes, Depreciation, and Amortisation. You see the problem, it is not all, it is earnings before interest and depreciation that bites, earnings before interest is all earnings with cost diminishing this and too many corporate players tend to cut cost. In some cases they have no choice in the cloud a lot does not matter but it is transgressed on (according to some numbers) for almost 90%. And when you add that Amortisation is merely anther view of  depreciation the path is clear. Steve Andriole also gives us “The number of severity of cyberattacks will explode in 2020.  Cyberwarfare has now levelled the playing field in industry, in government, and in national defence:  why spend ten or fifteen billion dollars on an aircraft carrier when you can disable it digitally?” You think that this is about defence? Do you have any idea what 50 million whining gamers can do? EVERY ransomware player will target Epic Games and with an open Android and iOS setting they will succeed. I saw this when this all started in 2020 within 5 minutes, the short sightedness will hit Epic Games and others in a few ways. Think I am BS’ing you?  Consider that several sources gave you a month ago “Hackers Stole 780GB Data Including FIFA 21 Source Code in EA Hack” and EA has been in this game a lot longer than Epic Games has been. That is not evidence, but it is a setting that we need to consider and when Epic Games loses that data the class actions start, and it is not something that they can keep quiet (apart from that being a crime), the people will talk and the parties involved, including government parties will find a nice letter making claim to financial losses. The law source (see above) also gives us a link to the Ohio Data Protection Act. There we see “Under the law, damages cannot be imposed if a state court finds your company had a reasonable cybersecurity plan when a breach occurred and followed it to the best of your ability. Or, as the legislation puts it, the law is “an incentive to encourage businesses to achieve a higher level of cybersecurity through voluntary action.”” In this I offer ‘reasonable cybersecurity plan’, was it followed through? Was there a backup if it fails, was there consideration for cross platform transgressions? In this last part I offer to the older programmers 

IF(clipper)
  
ELSE
   …
ENDIF

Those who know will nod and consider what else Epic Games and others have forgotten, what happens when someone exploits a Sony flaw over the entire system, and at that point these companies have little to no protection. 

Which gets us to ‘when a breach occurred and followed it to the best of your ability’, but the suing side will argue that the breach could have been prevented on day zero, or even day -1, which will be their way of saying that they opened the system when they were not ready and that is another billion in class actions right there, and I agree with the stage that there will be enough cases that have no bering (just like the loot box cases in the media), yet Epic Games will have to hand to their lawyers to investigate them all, the hours alone will rake up millions and that is merely year one. The lawyer wins his bread and butter for a year (at the very least) and the law is up the creek without a clause. The law was never ready for this, so the going will be good towards the coffers of Epic Games, a looting box that requires time, not money. 

So when we go back to Forbes and consider “When I took the results to the CFO (to which technology weirdly reported), his only question was, “what’s all this going to cost me?,” which of course was the wrong question.” We see there setting, but I wonder who gave that same question to the Chief Legal Officer (CLO) with the question ‘What will this cost the firm?’, a question that he can decently predict when he considers 1-5 class actions and that result has to be scary and any consideration of future profit goes straight out of the window, not merely the legal costs, marketing will have to offer a whole range of products and services to stem the tide of people leaving for the next safer harbour, the most dangerous of all settings, and that is merely the beginning of year one as Android and iOS stores open. Forbes also gives a reference to Andy Greenberg (Wired Magazine, 2019) said about why governments have been unwilling to deal with cyberthreats: “More fundamentally, governments haven’t been willing to sign on to cyberwar limitation agreements because they don’t want to limit their own freedom to launch cyberattacks at their enemies.  America may be vulnerable to crippling cyberattacks carried out by its foes, but US leaders are still hesitant to hamstring America’s own NSA and Cyber Command, who are likely the most talented and well-resourced hackers in the world.” And this is not a government setting, Epic Games will be hit be greed driven and vengeance driven hackers as well as organised crime, a %5 billion company? With the state of cybercrime convictions? They are definitely on board. A stage Epic Games could have prevented from the start, but someone saw 30% of $5,000,000,000 and did the math, but whoever did the math was not ready for the tidal wave they would be inviting through that choice. In this, Forbes had one more gem, it comes from Nicole Penroth and ‘The hubris of American exceptionalism’, when we see “More hacking, more offence, not better defence, was our answer to an increasingly virtual world order, even as we made ourselves more vulnerable, hooking up water treatment facilities, railways, thermostats and insulin pumps to the web, at a rate of 127 new devices per second”, now consider that Fortnite is on Windows, MacOS, Switch, Sony, Microsoft, iOS and Android, they drew more than 125 million players in less than a year, do you think that there will be no flaws? And how many devices a second will that add to the equation? Do you have any clue what level of protection is required, even as Sony, Solarwinds, Nintendo and Microsoft have all been hacked even though they had nowhere near that level of complexity required. This was a dangerous situation from the start and gamers will soon have to seriously consider to remove any program that has an ‘open’ store, the cost will be too high for a lot of them. 

And that is not all, as Nicole spoke about ‘an increasingly virtual world’ the danger that open stores will mean that you either have a dedicated computer, or healthcare and safety products will not be considered to be insured in your house, when that happens we get a whole new level of nightmare, I can only imagine that setting, but I am clueless as to the impact, we cannot oversee that, not with an evolving IoT and 5G evolving before our very eyes.

Leave a comment

Filed under Gaming, IT, Law, Politics

Tagged as , , , , , , , , , , , , , , , , , , , , , , ,

October 22, 2013 · 22:28

Patrons of Al-Qaeda

Many people have some form of religion, which is fine. To have a personal believe in something that is bigger than yourself or bigger then that what you see is not a bad thing. Many Christians have their father, their son and their holy ghost. Some go the other way and give credence to Satan, the anti-Christ and the false prophet. I cannot vouch for any of that. I agree that there is more than this in the universe, but what?

No matter how that part falls, it is likely that Al-Qaeda believes in their personal ‘information’ trinity.

They would be Edward Snowden, Bradley Manning and Julian Assange. These three people have done more to support Al-Qaeda then Osama Bin Laden ever could.

Assange, who is still hiding in an embassy, is the lowest transgressor of the three. First of all, as an Australian he did not really break any laws (although some debate should be had over hindering the actions of an ally under war time conditions). The public view is that on one side he should be nailed to a cross and on the other side he should be heralded. Information is often a lot more complex than many consider. If you want an example, you only need to look at this week’s situation where Assad is now blocking peace talks. Should there be any surprise?

I still am not completely convinced he was directly involved with the Sarin attacks; the issue here is that too much intelligence is questionable. If the USA had shown ALL OF IT publicly, the doubt might not have been there. Yet, the reality is whether they actually had hard evidence on who did it. Let us not forget that the evidence collected in the investigation was all about whether it had happened, not who did it. And guess what, Al-Qaeda was an element in Syria too, so what exactly did happen? Watching Secretary of State John Kerry go on a plane with his briefcase, shown on the news like he is some kind of rock star is not helping anyone either. It seemed as empty to me as a PowerPoint on some concept that no one wants to spend money on.

It shows two possible sides, either they have actual evidence that needs to remain a secret (which no one seemed to be accepting), or they actually didn’t have any and we were watching some version of the Punch and Judy show!

The other side is one that Assange was not into, the acts of terrorism by Al-Qaeda and the Taliban were not shown, we saw through WikiLeaks just one side of it and it changed the overall balance.

Then WikiLeaks released thousands of diplomatic cables, which I consider to be an act of utter stupidity, the information was one-sided, so the US opposition (all of them) get several free punches into play and as such, US recovery is still being hindered. This is the ‘bad’ side of Julian Assange. Their one sided act destabilised many events. Yes, there is a case to be made, but by not exposing the other side, we get a one-sided situation. In the end, the damage is done and even as there might not be any criminal activity by Julian Assange, we should ask questions.

In case the reader thinks that ‘actions’ against Julian Assange should be made, then consider that many in the financial industry did nothing ‘criminals’ either, even though thousands became homeless because of their ‘non-criminal’ actions.

By the way, remember the quote by CNBC (and many others), somewhere in 2010: “WikiLeaks honcho Julian Assange told Andy Greenberg at Forbes that he was in possession of a trove of documents that ‘could take down a bank or two.’ The documents wouldn’t necessarily show illegality but they would reveal an ‘ecosystem of corruption’ at one of the biggest banks in the United States. WikiLeaks would release it ‘early next year.’

They never came! So was this about intelligence, or about positioning banks in an even stronger place? Is it not interesting that Al-Qaeda’s patron number three and number one patron are all about neutering governments, whilst the banks stay out of play? Is it such a far fetching thought that these two idealists get played by those who believe greed is all?

In the middle we see Bradley Manning. This is not some ‘foreigner’; this was a member of the US military. In my view, he is a traitor plain and simple. A private, without any in depth education thought he had it all figured out, decides on US military policy. Which is interesting as many military members above the rank of Colonel are still trying to figure out what the best course of action is, even those with Ivy League degrees. The only positive thing from all this is that the military needs to seriously start to address its mental health issues, but beyond that small sparkle of recognition, this person was more than a small danger.

That part is not addressed even as the news still discusses the winner of this unholy threesome. Three days ago USA today published information on the fact that anti-leak software had still not been installed. I think it is even worse than many think it is. Some of these applications have (as any good application would) powerful log files. Even when we look at non-military solutions we see the following:

“The client’s log file is located at <user_directory>/Palantir/<version>/logs/client.log”

We can see at Palantir’s wiki what it logs, and depending on the settings it can give a lot (at https://wiki.palantir.com/pgkb/does-the-palantir-product-do-any-logging.html)

By the way, one needed only to change three settings to really log a lot:

# log4j.logger.com.palantir.services=error # package level
# log4j.logger.com.palantir.serveres.Nexus=warn # class level
# log4j.logger.MyLabeledLogger=info # specific logger

Removing ‘# ‘ on each line was all it would take.

This one warning gives a final view “Note that we do NOT recommend enabling logging below the warn level for production scenarios.” which means that all logging is possible mapping out the active military network in real time as the user muddles along.

This is not about Palantir, or even anti-Palantir. It is a software solution that part of the Intelligence community is currently using. IBM Modeler and SAS Miner are both data mining tools with similar abilities (and there are more). They all have these options as it is needed to make their products go smoothly. So when Bradley Manning gave it all away, he really gave it all away! The consequence might have (or could be resulting) in deep targeted attacks against a military server system. The question becomes how good is the anti-leak software? As many logging is set at higher levels (read administrator), many of them would be able to log events unhindered by many prying eyes (it is not realistic to monitor all logs on even 1 server). Even if it is all covered, who else has access to just read these log files? It is not uncommon to negate log files, as their users are usually vetted for use of the application. LOG files can however show more than many bargain for.

Unless the server architecture has been re-arranged, there is plenty of worry whether these servers are safe at this time, because log files are inherently their and needed, they are not linked to a password change and often, they do not get reconfigured away from their standard configuration as the case has been with plenty of application that it would hinder smooth operations.

Last on the list of the Patron Threesome is Edward Snowden. I have mentioned him often enough, so I will not go through it all again. He is in my view a traitor and not some ‘holier than thou’ protector. He is not some idealist, too much pointed to him making a getaway with the eye on some quick bucks (and many of them), I might be wrong, but that is how I see him. As he showed us how ‘naughty’ the NSA was, did he show us how unscrupulous Microsoft seems to be?

That view can be seen through an article in Techbeat just 4 days ago. The first quote is “Microsoft is developing a new technology to replace cookies. This work is similar to projects being undertaken by Amazon, Apple, Facebook and Google. Tracking cookies have come under scrutiny recently from regulators by many concerned about privacy; certain types of cookies (Third party tracking cookies) are now easily blocked through built-in functions and extensions/add-ons within main web browsers.

The second one from the same article is “This technology should also include Microsoft services including their search engine Bing. Tracking in mobile devices remains a key point. The big advantage of Microsoft’s emerging technology is that it could track a user across a platform.

So basically, this reads like: ‘we the consumer used to have a little privacy, but soon, thanks to Microsoft, that privacy might be gone forever, allowing for non-stop online harassment wherever we are‘ So, That Snowden fellow never gave us anything on that, did he? Even though the NSA should have been aware of such plans long before Techbeat had a clue. Does the reader still think he is such an idealist?

Yet, on the other side, he has shown one important weakness. The US intelligence branch is on that same low level as the organisation that in the 50’s used to be laughingly referred to as ‘British Intelligence’. The question is not just how weak is the NSA seems to be; it links to questions regarding the weakness that GCHQ and its current Commonwealth peers might have. There are in addition issues with the personal digital safety of people on a global scale. Not because the NSA is scanning to identify terrorist networks, but if one person (Snowden) could get away, is there anyone else who just wanted money and gave their data download to cyber criminals? There is absolute 0% guarantee that this did not happen, so in how much danger are our details?

So, why this blog today? Many do this at the start, but in certain light this had to be done at the very end. It is not just about their acts, but also about the acts you and I undertake. We willingly give out our details to Facebook (including a beheading, but excluding exposed breasts), LinkedIn and Google+, yet many scream about ‘some government‘ seeing what we are doing and who we are doing it with (or without).

The twisted world we allowed to be created is likely to throw us at least two more curve balls before Christmas. Enjoy!

 

 

1 Comment

Filed under IT, Law, Military

Tagged as , , , , , , , , , , , , , , , , , , , ,