Book Review: Scott J. Shapiro, Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks

Scott Shapiro's 2023 book aims to answer three questions: (1) why is the Internet (still) so insecure? (2) how do hackers do what they do? and (3) what can be done about it? He recounts some historical events, the "five extraordinary hacks" of the subtitle, to tell the story, and introduces the terms "upcode" and "downcode" as the core concepts in his framework for understanding, where "downcode" means actual, implemented computer code and "upcode" means the social, political, and institutional forces providing incentives and governance. This is essentially a simplified version of Lawrence Lessig's four forces of law, social norms, markets, and code spelled out in his 1999 book, Code: And Other Laws of Cyberspace, and also reminded me of the framework in Bruce Schneier's 2012 book, Liars and Outliers: Enabling the Trust That Society Needs to Thrive, where the four forces are moral pressures (internalized incentives), social pressures (social/cultural incentives from other people), institutional guidelines and rules (formal rules, regulations, and laws), and security systems (locks, police, firewalls, fraud detection, etc., that is, actual operational controls which may be implemented physically, in code, or by policies and practices). For Shapiro, Lessig's first three forces are "upcode" and only code is "downcode," and Schneier's first three forces and parts of his fourth are "upcode." ...

June 1, 2026 · 14 min

Tips on using OpenBSD's pledge and unveil in perl scripts

OpenBSD 5.9 (7.5 is current as of this post) introduced the "pledge" system call and 6.4 introduced the "unveil" system call; together they give a process a way to restrict its own access to the system at a finer grain than Unix permissions allow, enforcing least privilege. When a program calls "pledge", it supplies a list of categories of system calls (called "promises") that it intends to use for the rest of the process's life. An attempt to make a system call outside those categories is not merely refused: the kernel kills the process with an uncatchable SIGABRT. Pledges survive fork(2) but are dropped by a successful execve(2) unless the caller also supplied execpromises, so a child that is exec'd has to make its own pledges and is otherwise unrestricted. Later calls to pledge can remove promises but never add them, so the set of allowed calls can only become more restrictive, never less. ...
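As an added example (not code from the original post), here is a small Perl script that applies the ordering a practitioner wants: unveil the filesystem first, then pledge, then tighten the pledge again once the only file it needs is open. It assumes OpenBSD's base perl, whose OpenBSD::Pledge and OpenBSD::Unveil modules wrap the two system calls, and takes the file to examine from the command line; the file path is whatever the caller supplies.

```perl
#!/usr/bin/perl
# Added example, not code from the original post. Counts lines and bytes in
# one file while pledged and unveiled down to the minimum the job needs.
use strict;
use warnings;
use OpenBSD::Pledge;    # both modules ship with the base perl on OpenBSD
use OpenBSD::Unveil;

my $file = shift @ARGV or die "usage: $0 FILE\n";

# 1. Narrow the filesystem view first. After this only $file is visible, and
#    only for reading ("r"); "w", "x" and "c" (create/remove) are the other
#    permission letters. Every other path now fails with ENOENT.
unveil($file, "r") or die "unveil $file: $!";
# A bare unveil() locks the view so that no further unveil calls are accepted.
unveil() or die "unveil lock: $!";

# 2. Now pledge. Because unveil is already finished, the "unveil" promise is
#    not needed. All "use" statements ran at compile time, so "rpath" is only
#    required for our own open(2); a runtime require() after this point would
#    be a violation and would get the process killed.
pledge(qw(stdio rpath)) or die "pledge: $!";

open(my $fh, '<', $file) or die "open $file: $!";

# 3. The file is open, so drop rpath. Promises can only shrink, never grow.
pledge(qw(stdio)) or die "pledge: $!";

my ($lines, $bytes) = (0, 0);
while (my $l = <$fh>) {
    $lines++;
    $bytes += length $l;
}
close $fh;
print "$file: $lines lines, $bytes bytes\n";

# A pledge violation from here on (say, opening a second file, or calling
# socket()) is not an error return: the kernel kills the process with SIGABRT
# and logs the violated promise and syscall number. An unveil violation is
# gentler, the open just fails with ENOENT, which is one reason to unveil first.
```

To see enforcement, add a second open() after the final pledge and run the script on any readable file: it dies with an abort trap rather than an error message, and the kernel's log line names the promise ("rpath") that was missing.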

August 4, 2024 · 7 min

Some nonsense from ChatGPT about file system immutability flags in OpenBSD

I was thinking about writing a blog post about file system immutability flags in OpenBSD, and thought I'd ask ChatGPT to write it for me. It appears to have gleaned its content from the OpenBSD man pages, but the result is highly misleading and inaccurate, misrepresenting the key distinction between the system and user immutability flags. What it got right is that only the superuser (root) can set and unset the system immutable flag (schg/noschg), while users can set and unset the user immutable flag (uchg/nouchg) on files they own. But either flag can be set or unset on any kind of file. The distinction that matters, per chflags(1) and securelevel(7), is that root can clear schg only while the kernel is at securelevel 0 or lower (single-user mode), which is what makes the system flag useful against an attacker who already has root. ...

January 21, 2023 · 8 min

Books read in 2020

Not much blogging going on here still, but here's my annual list of books read for 2020.

Nicholson Baker, Baseless: My Search for Secrets in the Ruins of the Freedom of Information Act
John Bolton, The Room Where It Happened: A White House Memoir
Ben Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics
Susannah Cahalan, The Great Pretender: The Undercover Mission That Changed Our Understanding of Madness
Michael Cohen, Disloyal: The True Story of the Former Personal Attorney to President Donald J. Trump
Myke Cole, Legion versus Phalanx: The Epic Struggle for Infantry Supremacy in the Ancient World
Libby Copeland, The Lost Family: How DNA Testing Is Upending Who We Are
Barton Gellman, Dark Mirror: Edward Snowden and the Surveillance State
Fiona Hill and Clifford G. Gaddy, Mr. Putin: Operative in the Kremlin (2012)
James W. Johnson, Arizona Politicians: The Noble and the Notorious (2002)
Gene Kim, The Unicorn Project: A Novel about Developers, Digital Disruption, and Thriving in the Age of Data
Maria Konnikova, The Biggest Bluff: How I Learned to Pay Attention, Master Myself, and Win
Talia Lavin, Culture Warlords: My Journey Into the Dark Web of White Supremacy
Carol D. Leonnig and Philip Rucker, A Very Stable Genius: Donald J. Trump's Testing of America
Ben Macintyre, The Spy and the Traitor: The Greatest Espionage Story of the Cold War (2018)
Nancy MacLean, Democracy in Chains: The Deep History of the Radical Right's Stealth Plan for America (2017)
H. Keith Melton and Robert Wallace, with Henry R. Schlesinger, Spy Sites of New York City: A Guide to the Region's Secret History (2020)
Jefferson Morley, Morley v. CIA: My Unfinished JFK Investigation
Bastian Obermayer and Frederik Obermaier, The Panama Papers: Breaking the Story of How the Rich & Powerful Hide Their Money
Thomas Rid, Active Measures: The Secret History of Disinformation and Political Warfare
Brad Smith and Carol Anne Browne, Tools and Weapons: The Promise and Peril of the Digital Age
Mary Trump, Too Much and Never Enough: How My Family Created the World's Most Dangerous Man
Robert Wallace and H. Keith Melton with Henry R. Schlesinger, Spy Sites of Washington, DC: A Guide to the Capital Region's Secret History (2017)
Anna Wiener, Uncanny Valley: A Memoir
Isabel Wilkerson, Caste: The Origins of Our Discontents

Top for 2020: Copeland, Macintyre, Cahalan, Smith and Browne, Buchanan, Obermayer and Obermaier, Gellman, Rid.

I started the following books I expect to finish in 2021 (yes, I also said that about LaFeber and Wilson last year; I'm well into LaFeber's book and thought I might finish before the end of the year, but had only read Wilson's intro, so it's barely started):

William Dalrymple, The Anarchy: The East India Company, Corporate Violence, and the Pillage of an Empire
Walter LaFeber, Inevitable Revolutions: The United States in Central America (2nd edition)
Peter H. Wilson, The Holy Roman Empire: A Thousand Years of Europe's History

I've also pre-ordered and am looking forward to reading:

Nicole Perlroth, This Is How They Tell Me the World Ends: The Cyberweapon Arms Race (due to be published on February 9)

(Previously: 2019, 2018, 2017, 2016, 2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005.)

January 1, 2021 · 3 min

Books read in 2019

Not much blogging going on here still, but here's my annual list of books read for 2019.

Graham T. Allison, Destined for War: Can America and China Escape Thucydides's Trap?
Ross Anderson, Security Engineering (3rd edition, draft chapters)
Herbert Asbury, The Barbary Coast: An Informal History of the San Francisco Underworld
Heidi Blake, From Russia with Blood: The Kremlin's Ruthless Assassination Program and Vladimir Putin's Secret War on the West
Rutger Bregman, Utopia for Realists: How We Can Build the Ideal World
Oliver Bullough, Moneyland: The Inside Story of the Crooks and Kleptocrats Who Rule the World
Bryan Caplan and Zach Weinersmith, Open Borders: The Science and Ethics of Immigration
C.J. Chivers, The Fighters: Americans in Combat
Sefton Delmer, Black Boomerang
Nina J. Easton, Gang of Five: Leaders at the Center of the Conservative Crusade (bio of Bill Kristol, Ralph Reed, Clint Bolick, Grover Norquist, and David McIntosh)
Ronan Farrow, Catch and Kill: Lies, Spies, and a Conspiracy to Protect Predators
Ronan Farrow, War on Peace: The End of Diplomacy and the Decline of American Influence
Ian Frisch, Magic is Dead: My Journey into the World's Most Secretive Society of Magicians
Anand Giridharadas, Winners Take All: The Elite Charade of Changing the World
Reba Wells Grandrud, Sunnyslope (Images of America series)
Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
Jodi Kantor and Megan Twohey, She Said: Breaking the Sexual Harassment Story That Helped Ignite a Movement
Stephen Kinzer, Overthrow: America's Century of Regime Change From Hawaii to Iraq
Michael Lewis, Flash Boys: A Wall Street Revolt
Jonathan Lusthaus, Industry of Anonymity: Inside the Business of Cybercrime
Ben MacIntyre, A Spy Among Friends: Kim Philby and the Great Betrayal
Joseph Menn, Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World
Anna Merlan, Republic of Lies: American Conspiracy Theorists and Their Surprising Rise to Power
Jefferson Morley, Our Man in Mexico: Winston Scott and the Hidden History of the CIA
Sarah T. Roberts, Behind the Screen: Content Moderation in the Shadows of Social Media
Hans Rosling, with Ola Rosling and Anna Rosling Rönnlund, Factfulness: Ten Reasons We're Wrong About the World--and Why Things Are Better Than You Think
Russell Shorto, Amsterdam: A History of the World's Most Liberal City
Alexander Stille, The Sack of Rome: Media + Money + Celebrity = Power = Silvio Berlusconi
Jamie Susskind, Future Politics: Living Together in a World Transformed by Tech
Erik Van De Sandt, Deviant Security: The Technical Computer Security Practices of Cyber Criminals (Ph.D. thesis)
Tom Wolfe, The Right Stuff
Tim Wu, The Attention Merchants: The Epic Scramble to Get Inside Our Heads

Top for 2019: Bullough, Farrow (Catch and Kill), Wu, Chivers, Rosling, Greenberg, Blake, Allison, Caplan and Weinersmith, Kinzer, Delmer.

I started the following books I expect to finish in early 2020:

Myke Cole, Legion versus Phalanx: The Epic Struggle for Infantry Supremacy in the Ancient World
Walter LaFeber, Inevitable Revolutions: The United States in Central America (2nd edition)
Brad Smith and Carol Anne Browne, Tools and Weapons: The Promise and Peril of the Digital Age
Peter H. Wilson, The Holy Roman Empire: A Thousand Years of Europe's History

Two books I preordered and look forward to reading in 2020:

Anna Wiener, Uncanny Valley: A Memoir (due out January 14)
Thomas Rid, Active Measures: The Secret History of Disinformation and Political Warfare (due out April 21)

(Previously: 2018, 2017, 2016, 2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005.)

January 1, 2020 · 3 min

Rep. Tom Graves' Active Cyber Defense Certainty Act

Rep. Tom Graves (R-GA14) has circulated a draft bill, the “Active Cyber Defense Certainty Act” (or ACDC Act), which amends the Computer Fraud and Abuse Act (18 USC 1030) to legalize certain forms of “hacking back” for the purposes of collecting information about an attacker in order to facilitate criminal prosecution or other countermeasures. The bill as it currently stands is not a good bill, for the following reasons: ...

March 12, 2017 · 11 min

Confusing the two Trump cybersecurity executive orders

In Andy Greenberg's Wired article of February 9, 2017, “Trump Cybersecurity Chief Could Be a ‘Voice of Reason’,” he writes:

    But when Trump's draft executive order on cybersecurity emerged last week, it surprised the cybersecurity world by hewing closely to the recommendations of bipartisan experts—including one commission assembled by the Obama administration.

The described timing and the link both refer to the original draft cybersecurity executive order, which does not at all resemble the recommendations of Obama's Commission on Enhancing National Cybersecurity or the recommendations of the Center for Strategic and International Studies Cyber Policy Task Force, which both included input from large numbers of security experts. Contrary to what Greenberg says, the executive order he refers to was widely criticized on a number of grounds, including that it is incredibly vague and high level, specifies an extremely short time frame for its reviews, and that it seemed to think it was a good idea to collect information about major U.S. vulnerabilities and defenses into one place and put it into the hands of then-National Security Advisor Michael T. Flynn. That original version of the executive order resembled the Trump campaign's website policy proposal on cybersecurity.

The positive remarks, instead, were for a revised version of the cybersecurity executive order which was verbally described to reporters on the morning of January 31, the day that the signing of the order was expected to happen at 3 p.m., after Trump met for a listening session with security experts. The signing was cancelled, and the order has not yet been issued, but a draft subsequently got some circulation later in the week and was made public at the Lawfare blog on February 9.

This executive order contains recommendations consistent with both the Cybersecurity Commission report and the CSIS Cyber Policy Task Force report, mandating the use of the NIST Cybersecurity Framework by federal agencies, putting the Office of Management and Budget (OMB) in charge of enterprise risk assessment across agencies, promoting IT modernization and the promotion of cloud and shared services infrastructure, and directing DHS and other agency heads to work with private sector critical infrastructure owners on defenses. One key thing it does not do, which was recommended by both reports, is elevate the White House cybersecurity coordinator role (a role which the Trump administration has not yet filled, which was held by Michael Daniel in the Obama administration) to an Assistant to the President, reflecting the importance of cybersecurity.

Greenberg's piece seems to assume that Thomas Bossert is in the lead cybersecurity coordinator role, but his role is Homeland Security Advisor (the role previously held by Lisa Monaco in the Obama administration), with broad responsibility for homeland security and counterterrorism, not cybersecurity-specific. Despite Greenberg's error confusing the two executive orders being pointed out to him on Twitter on February 9, the article hasn't been corrected as of February 16.

Anonymous (2017-03-06): Dear Mr. Lippard, I apologize for contacting you in this odd way, but as your email does not seem to be publicly available, I found it my only recourse. ...

February 16, 2017 · 4 min