Libya’s Stuxnet?

A group of security professionals who have good credentials and strong links to the U.S. government have outlined a Stuxnet-type attack on Libyan infrastructure, according to a document released this week. But is the group outlining risks to regional stability, or is it advocating a cyber attack on Muammar Gadhafi?

The document, Project Cyber Dawn (PDF), was released on May 28, 2011 by CSFI – the Cyber Security Forum Initiative, which describes itself as

non-profit organization headquartered in Omaha, NE and in Washington DC with a mission “to provide Cyber Warfare awareness, guidance, and security solutions through collaboration, education, volunteer work, and training to assist the US Government, US Military, Commercial Interests, and International Partners.”

CSFI now numbers about 7,500 members and an active LinkedIn forum.

To be clear, the document does not advocate anything. It merely highlights vulnerabilities, and details scenarios. It concludes, for example:

CSFI recommends the United States of America, its allies and international partners take the necessary steps toward helping normalizing Libya’s cyber domain as a way to minimize possible future social and economic disruptions taking place through the Internet.

But before that it does say:

A cyber-attack would be among the easiest and most direct means to initially inject into the systems if unable to gain physical engineering attacks against the facility. Numerous client-side attack vectors exist that support payloads capable of compromising SCADA application platforms.

Elsewhere it says:

The area most vulnerable to a cyber-attack, which could impact not only the Libyan’s prime source of income, but also the primary source of energy to the country, would be a focused attack on their petroleum refining facilities. Without refined products, it is difficult to fuel the trucks, tanks and planes needed to wage any effective war campaign.

The document itself is definitely worth a read; it doesn’t just focus on the cyberweapon side of things. And complicating matters is that one of the contributors to the report, a company called Unveillance, was hacked by a group called LulzSec around the time that the report was being finished. It’s not clear whether this affected release of the report.

Emails stolen from Unveillance and posted online by LulzSec indicate that two versions of the report were planned: one public one, linked to above, and one that would “go to staffers in the White House.” In another email a correspondent mentions an imminent briefing for Department of Defense officials on the report.

The only difference between the two reports that I can find is that the names of some SCADA equipment in Libya have been blacked out in the public version. The reports were being finalized when the hack took place–apparently in the second half of May.

Other commentators have suggested that we seem to have a group of security researchers and companies linked to the U.S. government apparently advocating what the U.S. government, in its own report International Strategy for Cyberspace released May 17, would define as an act of cyberwar.

I guess I’m surprised by something else: That we have come, within a few short months, from thinking of Stuxnet as an outlier, as a sobering and somewhat shocking wake-up call to the power of the Internet as a vector for taking out supposedly resilient and well-defended machinery, to having a public document airily discussing the exact same thing, only this time against non-nuclear infrastructure.

(The irony probably won’t escape some people that, according to a report in the New York Times in January, it was surrendered Libyan equipment that was used to test the effectiveness of Stuxnet before it was launched. I’m yet to be convinced that that was true, but it seems to be conventional wisdom these days.)

Frankly, I think we have to be really careful how we go about discussing these kinds of things. Yes, everything is at arm’s length in the sense that just because bodies such as CSFI may have photos of generals on their web-page, and their members talk about their reports going to the White House, doesn’t mean that their advice is snapped up.

But we’re at an odd point in the evolution of cyberwar presently, and I don’t think we have really come to terms with what we can do, what others can do, and the ramifications of that. Advocating taking out Libyan infrastructure with Stuxnet 2.0 may sound good, but it’s a road we need to think carefully about.

PR That Doesn’t Bark, Or Barks Too Much

This is my weekly Loose Wire Service column, an edited version of which was recorded for my BBC World Service slot. Audio to follow.

There’s a moment in All The President’s Men that nails it.

Bob Woodward is telling his editors about when he’d called up the White House to confirm that Howard Hunt, one of the Watergate burglars, worked there as a consultant for Charles Colson, special counsel to President Nixon. “Then,” Woodward tells his editors, “the P.R. guy said the weirdest thing to me. (reading) ‘I am convinced that neither Mr. Colson nor anyone else at the White House had any knowledge of, or participation in, this deplorable incident at the Democratic National Committee.'”

Isn’t that what you’d expect him to say, one of the editors says. Absolutely, Woodward replies. So?

Woodward, the script says, has got something and he knows it. “I never asked them about Watergate,” he says. “I simply asked what were Hunt’s duties at the White House. [A beat.] They volunteered that he was innocent when nobody asked if he was guilty.”

This, to me, is not only great cinema but classic journalism. It’s a classic PR error, and you can see it all the time. Not always as dramatically, but it’s there if you notice it. To say or do something that reveals what your client really cares about—and how much they care about it.

I see it in breathless press releases that I never asked for. Read: We really, really need to get this information out. We’re desperate. So you think I’m just a press release churning machine, is that it?

I see it in interviews when the media-trained exec grinds each answer back to the message bullet-points he’s got tattooed into his brain:

When did you start to think there was a problem with the building? When the people start falling out one side? We have always focused our synergistic approach to inbuilding personnel customer management by being people-centred, and while we regret the involuntary vertical defenestrations, we’re sure that until they exited the building extramurally they felt as empowered as we did about the efficiencies we implemented by removing what turned out to be vital structural features.

I see it in unsolicited pitches that offer interviews with CEOs who really should be busier than this—particularly ones that end with “when is your availability?” as if to say, if we give the impression you already said yes, maybe you might. So you think I’m stupid and gullible, is that it?

I see it in PR companies which are a little too eager to lend us technology columnists a gadget. Read: this is a product that isn’t good enough to sell on its own, so we’ve got a warehouse full of them to try to get fellas like you interested.

I see it in a cupboard full of gadgets that PR companies promised to come pick up after I finished reviewing them but never did. Read: even the client doesn’t really care any about this. And it certainly belies the talk about the review units being in hot demand.

This sounds like heaven, I agree, but the reality is that there is such a thing as too many gadgets. Especially ones which weren’t that good to start with.

Just this morning I saw it in an emailed response from a major software company in response to a very specific question I’d asked. The question was sort of addressed, but tagged onto it was pure PR-speak, addressing a bunch of imaginary questions I hadn’t asked, or even implied I was interested in. Lord knows how long they took to put this together. Actually I know—10 days, because that’s how long I had to wait.

As a journalist, when you get one of these responses your instinct is to remove clumps of hair from your own head, or, if already clump-free, those of family members or passers-by. But actually, buried in the robot speak are the nuggets.

The email in question talked of “a community effort…to understand and unravel this extremely complex issue.” I’m not going to tell you what the complex issue is, but the words are a giveaway: “We couldn’t figure this one out ourselves so we had to turn to companies we’d have much preferred to have humiliated by getting there first.”

Subtext: We’re not actually as good at this as we thought, or our customers assume. We were out of our depth so we’re falling back on the old “we’re all in this together” trick. Works great if you’re at the bottom of the bucket and the crab above you looks like he’s about to make a break for it.

Buried in all that unrequested bilge are quite a few good story ideas. Nothing tells you a company’s weak spot better than PR guff dreamed up in hope of putting journalists off the scent. Thanks, big software company, for pointing out your sensitive spots!

Of course, coupled with the “But I never asked them that” is the Sherlock Holmes’ dog that didn’t bark clue. In Conan Doyle’s short story Silver Blaze Holmes is summoned to investigate the disappearance of the eponymous racehorse. The less-than-impressed Scotland Yard detective asks Holmes: “Is there any other point to which you would wish to draw my attention?”

Holmes: “To the curious incident of the dog in the night-time.”
Detective: “The dog did nothing in the night-time.”
Holmes: “That was the curious incident.”

In this case, of course, the dog didn’t bark because it recognised its owner, who turned out to be the guilty party. Whereas the Woodward Clue is about what PR folk put in that wasn’t asked for, the Holmes Clue is about what they leave out. In PRdom this can be requests that go unanswered, questions that get very short answers while others get long ones, answers that skirt the question, or requested review units that somehow never arrive.

In the case of my big software company response, it’s the fact that they omitted to really answer the question I asked—and got very vague when I sought a timeline. It’s not rocket science to know when smoke is wafting in your direction.

So how should PR avoid these pitfalls? Well, the first rule is to answer the question, or tell the journalist you’re not answering it—and preferably why. Not answering it by pretending she didn’t ask it is going to infuriate a journalist and flag that there’s something there worth chasing.

But worse, don’t answer questions you weren’t asked. At least not directly. You can let it be known there’s more if they want it, but don’t forcefeed them. Journalists aren’t all Robert Redfords, but neither are they foie gras geese.

You can always tell if a journalist knows you’re not answering the question: they’ll nod a lot. Nodding a lot doesn’t mean “I’m agreeing with you, and I’m just desperate to hear more”, it’s “Why is this guy telling me stuff in the press release totally unrelated to what I asked? I wonder if he’d mind if I tore his hair out?” Nod, nod, nod. The nodding, of course, is a desperate attempt to speed up time so he can ask one more question and get to the pub before it shuts. Never works, but it’s a sort of reflex action in the face of too much barking, or not enough.

Conflicts of Interest, And The Search for Truth

Michael Arrington of TechCrunch has an interesting post about conflicts of interest, bounced off a comment by Jason Calacanis who quoted a rumor he had heard that it was possible to “buy a review at TechCrunch”. (In other words, pay money to get a positive review on the website).

There are some good points in here, and in the comments, so let’s go through them. I’m sorry if this is overlong. The issue is close to my heart.

First off, I think Michael misunderstands when he assumes Jason’s quote “just the appearance of impropriety is impropriety” means “when it comes to your reputation, an accusation is all it takes to ruin it, regardless of its veracity or lack thereof.” That’s not my understanding of the term, and I think this is where the root of blogging/journalism problems currently lies. (I don’t know either of these two gents personally, so I’m just basing my comments on Michael’s account.) The appearance of impropriety, in my view, means when the person in question may be seen to be doing something improper, whether or not they are. Example: taking a ride on a corporate jet to Barbados of a company you cover for your paper. Maybe it’s a freebie with a holiday tagged on the end. Maybe it’s the only way you can interview the CEO because he’s too busy and you’re stuck in Barbados in your suit waiting for a flight back. But it may appear improper to readers, who wonder whether you’re going to be unduly influenced by the high life, so you probably don’t want to do it. Or you insist you pay for the ticket yourself. Or you take your own flight to Barbados and stay in a separate hotel. The appearance of impropriety is important. You as a reader want to be sure your journalist/blogger understands this important concept.

Actually, Michael does get it, as he writes “I want to state quite clearly that I have never taken a payment for a review and never will. Sure I’ve been offered money for a review a couple of times. But it would be completely unethical for me to take it. I couldn’t sleep at night if I did that. Companies that have offered to pay me have never been written about on TechCrunch.” In fact, Michael might consider actually naming these companies if they don’t back off quickly, to warn readers that they may be trying the same stunt with less ethical bloggers.

Then Michael explores the idea, put forward in the chat by Steve Gillmor, that “we all have conflicts, there is no such thing as objectivity.” Michael agrees. I don’t, and this is where I get worried. He uses examples from NYT, allegedly running a puff piece about a company because its CEO is allegedly influential within the NYT, and an AOL blogger who writes glowingly about an AOL which I won’t repeat here, because I don’t know about them, but he concludes that neither case is unethical: “I personally don’t think either of these cases are unethical. Because I know that human interaction drives all of this stuff, I know to factor that in when I read stuff.”

Ouch. This cannot stand uncontested. If true, the first case is highly unethical. The second, if true and if the writer pretends to be an objective commentator and doesn’t declare his connections to the company he’s writing about, is definitely so. Wherever there is a conflict of interest, ethics rears its ugly head. If the conflict of interest is not resolved — the writers not recusing themselves from writing about the subject, or not declaring their interest and consequent lack of objectivity, it’s unethical.

Then there’s the larger issue about whether there is no such thing as objectivity; this is more nuanced than Michael allows. Objectivity may not exist in the eyes of any commentator, but it should remain an aspiration, a guiding path. We all try to be objective as journalists/bloggers, or should be trying to be, or else we are letting down our readers. To declare that there is no such thing is to me a cop-out, a way of throwing up our hands and saying, “it’s too hard! Why should we even try?”

Then Michael talks about what he calls more subtle conflicts, for example, how he’s not being favored by Google PR because he’s harsh in writing about them. Meanwhile Yahoo et al include him in news embargoes because, he wonders, he often writes positively about them. Or when a company takes him to lunch? “Or writes something positive in their blog about TechCrunch before I write about them? Or here’s the real mind bender – what if I don’t write about a competitor to a company that I like? Doesn’t inaction count as much as action when we’re talking about conflicts?”

These are not, in my view, mind benders. There are clear rules for these things among credible journalists. First off, companies that don’t include people in their PR mailings because they don’t like what they say are childish, and need to be exposed. But it doesn’t matter; a good reporter/blogger shouldn’t be relying on a steady feed of early press releases anyway. To do so becomes unhealthy, the writer becomes lazy and dependent, and will (or should) quickly realise the chalice is poisoned: The goodies will keep coming if you write nice things. We laid into the White House press corps for accepting this a few years back: Why aren’t we decrying the same thing in technoland?

Yes, it is all about relationships, but not ones that depend on you always writing nice stuff. Free lunches: Don’t take them if you think it is in exchange for something. (In fact, if you can, don’t accept them at all. They’re not really free, as the saying goes.) As a writer you have to do whatever you need to do to maintain your freedom to write whatever you think is right. If that means keeping folk at arms’ length, do it. If it means having shouting matches every so often with industry sources who feel personally let down, do it. But keep your freedom to write what you think is right.

Michael’s conclusion: “Our lives are full of conflicts and thinking that envelopes full of cash are the only way people get paid off means you are watching too many made-for-tv dramas. Put everything you read through a filter and form your own opinions on things. Don’t look for the golden fountain of objectivity. It doesn’t exist.” Once again, I’d say no. Find the voices you believe are objective and listen to them. Of course there’s a filter; I’m a white middle-aged Western male who lived too long in the wilds of Asia. I’m bound to see things differently. But you’ll quickly tell what I believe in, and if you share the same beliefs, you’ll probably trust me to do the right thing.

Finally, Michael does clearly state his position on consulting, advisory roles etc. and he’s dead on. In fact, I think his post raises important points and does a good job of looking for a path through them. But we shouldn’t forget (and here’s my bias creeping through) that journalism has been battling, to lesser or greater success, with these issues for centuries. There are clear rules laid down when a journalist works for a reputable institution, and, contrary to popular opinion, most journalists extract some pride in trying to follow them, sometimes to ridiculous lengths. (I was, as were all attending journalists, thrust an envelope with $100 in cash when I attended a relaunch of Indonesia’s intelligence agency a year or so back, before I realised what was in the package. It took me weeks to not only return the money to the right place but to ensure there was a record that I had returned the money.)

Bottom line: There are ethics, they are well-established and we should seek them out, declare that we will abide by them and then abide by them. It is a struggle and none of us is perfect (definitely not me), but we should try to be. It is not an excuse to say that in this Web 2.0 world the ethics are different. We should not be so foolish as to think we have invented a new world. If we ignore this, I’ll wager, the idea that blogs might become an impartial and important source of information will quietly and quickly die because no one will believe anything we write.

Why Is The Bush Campaign Website Blocked?

I know it’s not particularly new, but why is George W Bush’s website inaccessible outside the U.S.?

Netcraft reported last week that the site could not be reached except by users in North America. Even entering the numbered IP address appears to have been blocked. (GeorgeWBush.co.uk works fine, as does GeorgeWBush.org, but then they’re not exactly under Bush’s control.)

Netcraft’s Prettejohn is quoted by the BBC as speculating it could be an effort to ensure the website stays online during the last few days of the election campaign. But what about all the overseas voters? A Bush campaign spokesman is quoted as saying that it was done for security reasons.

To me what is lacking in coverage of this issue is the notion that the blocking may actually have an impact on the election. In 2000 Bush’s victory was certified only after overseas ballots were counted. Of course, many overseas Americans have already voted, but both parties are urging last-minute voters to fill in absentee ballots and fax them home.

AP reports that “The complicated issue of counting absentee ballots also added to the confusing array of new machines and new state voting regulations prompted by the debacle of the last race for the White House.” States, AP says, have “differing and confusing rules about deadlines for such ballots. Some states, for example, allow absentee votes to be counted days after the election, provided they are postmarked by Nov. 2. Others mandate that mailed ballots received after Election Day do not count.” On top of that, election officials in more than a dozen states missed the recommended deadline for mailing absentee ballots overseas, meaning soldiers in Iraq and Afghanistan might not get them in time to vote.

In light of this looming absentee ballot issue, why would Bush’s campaign risk losing votes by closing down the site? One argument is they’re short of money, but I can’t believe that. Another is fear of too much traffic — but then add more servers. Fear of being brought down by a Distributed Denial of Service (DDoS) attack? Makes sense — and it may have been sparked by an earlier outage blamed by some on such an attack. But with both candidates chasing every vote they can, it just does not make sense to me.

If it was just blocking the DNS name (georgewbush.com) that would make sense. But why block the IP number too (not originally blocked; it seems to have happened later)? How many users are going to access the website that way? It seems to be a deliberate attempt to block every single overseas user. Which to me means they fear a DDoS attack. Another weird episode.