The Ouroboros of Hate

I’ll confess I’ve said that if bigots were smart, they wouldn’t be bigots. Reality is a bit more complicated than that, but there is a way to rescue the sentiment.

  1. Opponents of Social Justice movements generally have a poor grasp of social justice concepts.
  2. As a consequence, some of them think these concepts lack any firm meaning. They instead act either as in-group/out-group signifiers, or as synonyms for “I don’t like you.”
  3. As a consequence, some of them have difficulty telling if these concepts are used in their proper manner.
  4. A few opponents of social justice, motivated either by a desire to show #2 to be true or simply to grief, will stage faux social justice campaigns.
  5. As a consequence, the subset mentioned in #3 will think the opponents from #4 are sincere, and given enough exposure may start thinking social justice concepts lack meaning.

I’ve seen this in action; while one group of bigots were trolling me, I saw another group think the trolling was sincere. Just recently, I spotted another example.

Older members of the crowd carried Confederate flags, while the younger, internet-driven masses wore patches with 4chan’s Kekistan banner. Rally-goers in homemade armor and semi-automatic rifles paced Houston’s Hermann Park, waiting for an enemy to appear.

The crowd, several hundred strong, gathered in the park on Saturday to defend a statue of Sam Houston, a slaveholder. They had gathered in response to reports that leftist protesters had planned a rally to remove the statue, despite Houston Mayor Sylvester Turner publicly stating that removing the statue wasn’t “even on my agenda.” But as sniper rifles and Infowars-branded jackets crowded the park, it became evident that the left protesters were not coming. They had never planned to come. The rumors of an antifa protest were actually a hoax, orchestrated by an anti-left group defending Confederate monuments.

I suspect these scenarios are more common than we realize, if only because the same thing happened again a month later.

A “patriot” who brought a revolver to Gettysburg National Military Park Saturday amid rumors of desecration of memorials accidentally shot himself in the leg Saturday. […]

Dozens of self-described Patriots came to the park about noon Saturday after hearing rumors that Antifa protesters might crash the park’s events and try to desecrate memorials. Members of Antifa caused a ruckus in Harrisburg recently at an Anti-Sharia rally and one member was arrested for swinging a wooden pole with a nail attached at a police horse.

The rumors on Saturday appeared to be just that: rumors, as no Antifa members were seen at Gettysburg park Saturday.

The result of all this is a self-supporting feedback loop, where people opposed to social justice keep getting fooled by false flags into thinking social justice is as loopy as they’ve been told, and some of them graduate to generate those false flag campaigns.

Look Around You

Let’s say the Kremlin was responsible for the DNC hack, and deployed Twitter bots and trolls to spread disinformation during the recent US election. You wouldn’t expect a capability like that to appear overnight; it’s far more likely Russia has been practising on its nearer neighbours for years. If so, you’d expect those neighbours to have plans and organisations in place to counter Kremlin influence.

Sweden has launched a nationwide school program to teach students to identify Russian propaganda. The Defense Ministry has created new units to seek out and counter Russian attempts to undermine Swedish society.

In Lithuania, 100 citizen cyber-sleuths dubbed “elves” link up digitally to identify and beat back the people employed on social media to spread Russian disinformation. They call the daily skirmishes “Elves vs. Trolls.”

In Brussels, the European Union’s East Stratcom Task Force has 14 staffers and hundreds of volunteer academics, researchers and journalists who have researched and published 2,000 examples of false or twisted ­stories in 18 languages in a weekly digest that began two years ago. […]

France and Britain have successfully pressured Facebook to disable tens of thousands of automated fake accounts used to sway voters close to election time, and it has doubled to 6,000 the number of monitors empowered to remove defamatory and hate-filled posts.

The German cabinet recently endorsed legislation — now before Parliament — to impose fines of up to $53 million on social-media companies that fail to remove posts deemed to be “hate speech.” Some especially notorious recent examples concerning migrants have been traced to Russian origins.

You’d also expect the Kremlin to brag about their online savvy. It would be a national source of strength and pride, after all.

Last February, a top Russian cyber official told a security conference in Moscow that Russia was working on new strategies for the “information arena” that would be equivalent to testing a nuclear bomb and would “allow us to talk to the Americans as equals.”

Andrey Krutskikh, a senior Kremlin adviser, made the startling comments at the Russian national information security forum, or “Infoforum 2016,” held Feb. 4 and 5. His remarks were transcribed by a Russian who attended the gathering and translated for me by an independent European cyber expert. […]

According to notes of Krutskikh’s speech, he told his Russian audience: “You think we are living in 2016. No, we are living in 1948. And do you know why? Because in 1949, the Soviet Union had its first atomic bomb test. And if until that moment, the Soviet Union was trying to reach agreement with [President Harry] Truman to ban nuclear weapons, and the Americans were not taking us seriously, in 1949 everything changed and they started talking to us on an equal footing.”

Krutskikh continued, “I’m warning you: We are at the verge of having ‘something’ in the information arena, which will allow us to talk to the Americans as equals.”

Putin’s cyber adviser stressed to the Moscow audience the importance for Russia of having a strong hand in this new domain. If Russia is weak, he explained, “it must behave hypocritically and search for compromises. But once it becomes strong, it will dictate to the Western partners [the United States and its allies] from the position of power.”

If you live in the United States and focus on news relevant to there, it isn’t that hard to dismiss evidence of Kremlin hacking. They haven’t done it before, right? The US is a tech leader, anyway, and would spot any attempts coming from a mile away.

If you step outside of that bubble, though, you find many more people convinced of the Kremlin’s hand, if only because they’ve felt it themselves.

Bookmark This One

Not this one, mind, but this one from Shiv.

So, without further ado, let’s dive into the latest candy-glossed hate piece to make waves in feminist discourse: “I am not a ‘cis’ Woman, I am a Woman and that Matters.”

Hands down, it’s the best counter-argument to the “E” in TERF that I’ve read.

I mean, hey, it’s taken a good ~2,400 words but now we can answer the question, “why is it wrong for cis women to have some spaces just for them to feel safe in a world where they don’t?”

It’s not wrong to want safety. However, the motivations for this trans-free “women only” space…

  1. Perpetuate rape culture by overstating stranger danger;
  2. Perpetuate rape culture by obscuring the actual tactics of serial predators;
  3. Assume trans women are as likely to be violent as cis men, which is factually incorrect;
  4. Assume violence is an essential property of certain persons, which is also factually incorrect–not to mention the rhetorical flourish liberally employed by white supremacists;

…all of which are complaints which have nothing to do with “trying to take away cis women’s safety.”

And all of those prior 2,400 words are well-cited and argued. I do have two minor nitpicks, but the first only strengthens the argument. The second:

Please note, I have not once accused Broustra of being transphobic in this piece, nor will I.

I’ll go two steps farther. Broustra denies gender identity, via calling for the explicit exclusion of trans* women in “women-only” spaces; she shows a familiarity with TERF culture, through her Xeroxing of their ideas and arguments; and as a bonus, she is actively working to exclude trans* women, because she is campaigning for her point of view in a public forum. In my books, that makes her a TERF.

That first? I’ll post it over on Shiv’s piece as a comment, when I get a chance. So go read and bookmark her post!

When Winning Becomes Everything

Before getting to the point, though, do you mind if I be a little petty? Emphasis mine:

I was asked about my observations on technical details buried in the State Department’s release of Secretary Clinton’s emails (such as noting a hack attempt in 2011, or how Clinton’s emails might have been intercepted by Russia due to lack of encryption). I was also asked about aspects of the DNC hack, such as why I thought the “Guccifer 2” persona really was in all likelihood operated by the Russian government, and how it wasn’t necessary to rely on CrowdStrike’s attribution as blind faith; noting that I had come to the same conclusion independently based on entirely public evidence, having been initially doubtful of CrowdStrike’s conclusions.

MMmmmm.

But on to the main point: the day after Thursday’s revelation that “a GOP operative who presented himself as working with Mike Flynn, … actively solicited Clinton emails from hackers he believed to be Russian and assumed to be affiliated with the Russian government,” one of the anonymous sources became nonymous. Meet Matt Tait, a British cybersecurity researcher who has covered that angle of American politics. Said GOP operative, Peter Smith, approached him to validate a batch of emails claimed to be from Hillary Clinton’s private email server.

In my conversations with Smith and his colleague, I tried to stress this point: if this dark web contact is a front for the Russian government, you really don’t want to play this game. But they were not discouraged. They appeared to be convinced of the need to obtain Clinton’s private emails and make them public, and they had a reckless lack of interest in whether the emails came from a Russian cut-out. Indeed, they made it quite clear to me that it made no difference to them who hacked the emails or why they did so, only that the emails be found and made public before the election.

Ignore the whole attribution angle of the DNC hack. Instead, let’s focus on the actions of the Republicans. They had access to illegally-obtained dirt on a rival party, and didn’t care that this dirt was illegal. All that mattered to them was winning.

This isn’t a one-off, either; yesterday I pointed to an old story about another GOP operative, Aaron Nevins, who struck a deal with “Guccifer 2.0” to use the material they gathered from local DNC chapters in local races. That material wound up in attack ads, and may have swayed voters. There was also a recent report showing that Republicans had extensively gerrymandered electoral districts, guaranteeing themselves safer seats and greater odds of winning. This lines up with prior reports. Republicans are also notorious for voter suppression, to the point that they openly brag about it and spend taxpayer funds on it. Voter disenfranchisement? Also a Republican tactic.

This is a party devoted primarily to winning. Their policies and values are secondary, leading to an unending stream of hypocrisy. This explains a lot about why they have so much difficulty governing: the Republicans lack a unified vision to guide policy and rally everyone around. That makes it easy for outside groups to sway Republicans to their side, to the point that the party even relies on them to draft some legislation.

This is poisonous for democracy. It must be opposed, no matter your political leanings.

The Good Ol’ Days

Do you remember the good old days? Back when political parties didn’t team up with foreign powers on multiple occasions to use illegally obtained material for personal gain?

[Aaron] Nevins confirmed to the [Wall Street] Journal that he told hacker Guccifer 2.0 to “feel free to send any Florida based information” after learning that the hacker had tapped into Democratic Congressional Campaign Committee (DCCC) computers last summer. From the DCCC, Guccifer 2.0 released internal assessments of Democratic congressional candidates, known as “self-opposition research,” to GOP operatives using social media. Nevins told the Journal that, after receiving the stolen documents from the hacker, he “realized it was a lot more than even Guccifer knew that he had.” The stolen DCCC documents also contained sensitive information on voters in key Florida districts, breaking down how many people were considered dependable Democratic voters, undecided Democrats, Republican voters and the like. Nevins made a war analogy, describing the data he received to Guccifer 2.0 as akin to a “map to where all the troops are deployed.”

After Nevins published some of the material on the blog HelloFLA.com, using his own pseudonym, Guccifer 2.0 sent a link of the information to close Trump associate Roger Stone — who is currently under federal investigation for potential collusion with Russia.


What the Journal story does indicate, however, is that a GOP operative who presented himself as working with Mike Flynn, a top Trump adviser with numerous dodgy Russian ties himself, actively solicited Clinton emails from hackers he believed to be Russian and assumed to be affiliated with the Russian government. Once he obtained a stash of unverified emails presented as the deleted Clinton emails, this operative then suggested the hackers release the cache to WikiLeaks one month after the DNC WikiLeaks dump and a month before the Podesta WikiLeaks dump.

*sigh*, I sure miss those days.

The Mechanisation of Hate

Over time, I’ve come to believe anti-feminism is a cult of sorts. Their use of memes was a deciding factor, but there are other tells. One exploits our instincts as a social species.

As a social species, we need to be loved. That need creates loyalty to a social group, which we repay by advancing the group’s needs: we band together to gather food, fend off predators or rival groups, and so on.
But if love forms bonds, couldn’t a lot of love form a really strong bond, or overcome resistance to forming one at all? This is the rationale behind “love-bombing:” showering your target with love in the hope of generating a relationship that otherwise wouldn’t happen. The term was even coined by a cult. The flip-side is hate-bombing: showering someone with hate in the hope of causing emotional distress.

Via PZ, I learned that anti-feminists have a very similar concept: red-pilling.

“Redpill,” for the blissfully unaware, is a slang term in certain alt-right-adjacent internet communities like the men’s rights crew. It refers to that famous Matrix scene where Neo takes the red pill and sees things as they really are. When alt-right dudes use it, they generally mean “convince other white people that we’re better than others,” and many of them are not shy about trying to redpill their friends and families.

“It’s a new label for an old idea,” said Ryan Lenz, who gathers information on hate groups for the Southern Poverty Law Center’s Intelligence Project, and edits their Hatewatch blog.

That Vice article points out some common tactics, like building empathy and using bargaining to expose people to your propaganda. Laci Green appears to be the latest person to fall victim.

In late May, seemingly out of the blue, Green dramatically shifted her tone on harassment. Where once she supported the abused, she suddenly began questioning why there’s “more than two genders” and arguing that “both sides of the argument are valid” for everything from racism to transphobia to misogyny. In a stunning example of her newfound hypocrisy, she called feminist YouTuber and fellow member of her anti-harassment Facebook group Kat Blaque a “sociopath,” […]

In a series of videos, Green revealed that her shift was a result of “red pilling,” the term for a twisted Matrix-inspired recruitment process coined by men’s rights advocates, pick-up artists, and the “alt right.” The process involves a recruiter who attempts to position white supremacists as oppressed truth tellers while spinning phony racial and gender science as “free speech” that’s being trampled on by feminists and the political left.

The parallels between religious cults and the anti-feminist movement are chilling; I didn’t even realise there was a flip-side to love-bombing until I thought of examples drawn from anti-feminism. But there’s an ingredient we can add which makes things oh-so-much worse.

You can see the outlines of it in message boards like 4chan: someone announces a target, and other commenters swarm that person with love or hate. These are the early steps in the mechanisation of hate, in this case the automation of love- and hate-bombing, and it’s gotten very sophisticated. The next logical step would be to get money involved, and that’s already happened.

When Green created her anti-harassment Facebook group, it was largely in response to the rising trend of “response videos,” YouTube videos created by trolls who have devoted their lives to attacking feminist content. Creators of these videos often claim that their content does not itself constitute harassment, while simultaneously ignoring the actions of their followers, who frequently bombard their targets with an overwhelming number of slurs and violent messages. […]

Troublingly, up until recently, such videos were not only supported by YouTube, but incentivized. Because response videos are so easy to make, it was easy for reactionary YouTubers to churn out a lot of content, which YouTube then prioritized in an algorithm that favored prolific output, high view counts, and abundant comments — even if those comments were toxic. Gaming the very closely held secret of the YouTube algorithm became a de facto path to internet stardom, and the format was perfect for response-video creators.

This puts a dollar tag on hate. It’s no longer just about promoting your group or winning new members; you can make a good living off of hating on feminism. This is yet another parallel to religion, especially Christianity, which has always used various means to extract funds from its supporters to line the pockets of its preachers. It feeds a self-sustaining cycle of hate, where preachers scramble to earn the cash of followers by whipping up their hatred.

There is no easy way to defeat this, as it relies on deeply embedded parts of our psyche. Speaking up about it and educating people is probably the best tactic in the short-term, while in the long-term we work on dismantling or altering systems which promote it.

Russian Hacking Videos

In the last part of my series on the DNC hack, I mentioned that I’d watched a seminar hosted by CrowdStrike on how it was done. Some Google searching didn’t turn up much at first, but it did reveal other videos from CrowdStrike and other security firms. I’m still shaking my head at the view counts on some of these; shouldn’t reporters have swarmed them?

Ah well. If you’d like to see how these security companies viewed the DNC hack, here are some videos to check out.


Russian Hacking and Bayes’ Theorem, Part 4

Ranum’s turn! Old blog post first.

Joking aside, Putin’s right: the ‘attribution’ to Russia was very very poor compared to what security practitioners are capable of. This “it’s from IP addresses associated with Russia” nonsense that the US intelligence community tried to sell is very thin gruel.

Here’s the Joint Analysis Report which has been the focus of so much ire, as well as a summary paragraph of what the US intelligence agency is trying to sell:

Previous JARs have not attributed malicious cyber activity to specific countries or threat actors. However, public attribution of these activities to RIS is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities. This determination expands upon the Joint Statement released October 7, 2016, from the Department of Homeland Security and the Director of National Intelligence on Election Security.

They aren’t using IP addresses or attack signatures to sell attribution, they’re pooling all the analysis they can get their hands on, public and private. It’s short on details, partly for reasons I explained last time, and partly because it makes little sense to repeat details shared elsewhere.

I agree with most experts that the suggestions given are pretty useless, but that’s because defending against spearphishing is hard. Oh, it’s easy to whitelist IP access and lock down a network, but actually do that and your users will revolt and find workarounds that a network administrator can’t monitor.

The reporting on the Russian hacking consistently fails to take into account the fact that the attacks were pretty obvious, basic phishing emails. That’s right up the alley of a 12-year-old. In fact, let me predict something here, first: eventually some 12-year-old is going to phish some politician as a science fair project and there will be great hue and cry. It really is that easy.

I dunno, there’s a fair bit of creativity involved in trickery. You need to research the target’s infrastructure (so you don’t present a Gmail login to someone using an internal Exchange server); research their social connections (an angry email from their boss is far more likely to get a response); disguise the displayed URL so that neither the reader nor the browser balks at it; obtain a TLS certificate for your lookalike domain that the browser will accept; and it helps if you can find a way around two-factor authentication. The amount of programming is minimal, but so what? Computer scientists tend to value the ability to program above everything else, but systems analysis and design are arguably at least as important.
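To make the “disguise the URL” step concrete from the defender’s side, here is an added example (my own, not code from the original post or any firm it cites) that runs the three checks a mail filter would apply to the links in a suspected phish: anchor text naming one host while the href points at another, a raw IP address as the host, and a lookalike host built from punycode or confusable characters. The sample mail body, the trusted-host list and the confusable table are constructed for the example and are deliberately small.

```python
"""Checks for the link tricks a spearphish leans on: display text that names
one host while the href points at another, raw-IP hosts, and lookalike hosts
built from punycode or confusable characters.

Added example for this post, not code from the original or from any of the
firms it cites. SAMPLE_HTML, TRUSTED and CONFUSABLES are constructed and
illustrative; a production filter would carry a far larger confusable table.
"""
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed lookalike: "goögle.com" in the punycode (IDNA) form a mail
# client actually sees in the href.
PUNY_LOOKALIKE = "goögle.com".encode("idna").decode("ascii")

# Constructed sample mail body. Hosts use RFC 2606 / documentation ranges,
# apart from google.com as the impersonated brand.
SAMPLE_HTML = f"""
<p>Your account needs attention:</p>
<a href="https://accounts.google.com/signin">https://accounts.google.com/signin</a>
<a href="https://login.example.net/reset">https://accounts.google.com/signin</a>
<a href="https://{PUNY_LOOKALIKE}/login">Review activity</a>
<a href="http://198.51.100.7/x">mail.example.org</a>
"""

# Hosts the recipient's organisation considers legitimate (constructed).
TRUSTED = {"google.com", "accounts.google.com", "example.org", "mail.example.org"}

# A few visually confusable characters mapped to the Latin letter they mimic.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Lower-cased hostname of a URL or bare host string ('' if none)."""
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def looks_like_host(text):
    """True if the anchor text itself reads as a URL or hostname."""
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None


def skeleton(host):
    """Fold a host to the ASCII string it visually imitates: decode punycode,
    strip accents, then map confusable characters."""
    try:
        host = host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        pass
    host = unicodedata.normalize("NFKD", host)
    host = "".join(c for c in host if not unicodedata.combining(c))
    return host.translate(CONFUSABLES)


def check_links(html, trusted):
    """One finding per anchor: href, text and the reasons it looks deceptive
    (an empty list means nothing suspicious was found)."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP host")
        if looks_like_host(text) and host_of(text) != host:
            reasons.append(f"display host {host_of(text)} != link host {host}")
        folded = skeleton(host)
        if host not in trusted and folded in trusted:
            reasons.append(f"lookalike of {folded}")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML, TRUSTED):
        print(finding["href"], "->", finding["reasons"] or "ok")
```

The lookalike check folds the link host through IDNA decoding and Unicode normalisation before comparing it with the trusted list, which is why the accented punycode domain resolves to google.com; extending CONFUSABLES is the obvious next step for a real deployment.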

I wouldn’t be surprised to learn of a 12-year-old capable of expert phishing, any more than I’d be surprised that a 12-year-old had entered college or ran their own business or successfully engineered their own product; look at enough cases, and eventually you’ll see something exceptional.

By the way, there are loads of 12-year-old hackers. Go do a search and be amazed! It’s not that the hackers are especially brilliant, unfortunately – it’s more that computer security is generally that bad.

And yes, the state of computer security is fairly abysmal. Poor password choices (if people use passwords at all), poor algorithms, poor protocols, and so on. This is irrelevant, though; the fact that house break-ins are easy to do doesn’t refute the evidence that someone burgled a house.

Hey, that was quick. Next post!

Hornbeck left off two possibilities, but I could probably (if I exerted myself) go on for several pages of possibilities, in order to make assigning prior probabilities more difficult. But first: Hornbeck has left off at least two cases that I’d estimate as quite likely:

H) Some unknown person or persons did it
I) An unskilled hacker or hackers who had access to ‘professional’ tools did it
J) Marcus Ranum did it

I’d argue the first two are handled by D, “A skilled independent hacking team did it,” but it’s true that I assumed a group was behind the attack. Could the DNC hack be pulled off by an individual? In theory, sure, but in practice the scale suggests more than one person involved. For instance,

That link is only one of almost 9,000 links Fancy Bear used to target almost 4,000 individuals from October 2015 to May 2016. Each one of these URLs contained the email and name of the actual target. […]

SecureWorks was tracking known Fancy Bear command and control domains. One of these led to a Bitly shortlink, which led to the Bitly account, which led to the thousands of Bitly URLs that were later connected to a variety of attacks, including on the Clinton campaign. With this privileged point of view, for example, the researchers saw Fancy Bear using 213 short links targeting 108 email addresses on the hillaryclinton.com domain, as the company explained in a somewhat overlooked report earlier this summer, and as BuzzFeed reported last week.

That SecureWorks report expands on who was targeted.

In March 2016, CTU researchers identified a spearphishing campaign using Bitly accounts to shorten malicious URLs. The targets were similar to a 2015 TG-4127 campaign — individuals in Russia and the former Soviet states, current and former military and government personnel in the U.S. and Europe, individuals working in the defense and government supply chain, and authors and journalists — but also included email accounts linked to the November 2016 United States presidential election. Specific targets include staff working for or associated with Hillary Clinton’s presidential campaign and the Democratic National Committee (DNC), including individuals managing Clinton’s communications, travel, campaign finances, and advising her on policy.

Even that glosses over details, as the target list also includes Colin Powell, John Podesta, and William Rinehart. Bear in mind, too, that all these people were phished over roughly nine months, sometimes more than once. It helps that many of the targets used Gmail, but add up the research needed to craft a convincing phish, plus the follow-up work after each successful one (scanning and enumeration, staging second-stage tooling, transferring and converting the data), and the scale makes it extremely difficult for an individual to pull off.
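The quoted Motherboard and SecureWorks passages describe how the targeting list was recovered: each shortlink expanded to a URL carrying the victim’s own address. Here is an added example (mine, not code from SecureWorks or the original post) that does that recovery over a constructed batch and measures the scale the argument above rests on: unique targets, targets per organisation, and who was phished more than once. The link format is an assumption: the address is base64url-encoded in an `email` query parameter, with padding stripped; the real campaign’s parameter names are not on this page. The phishing host and all addresses are constructed from the RFC 2606 reserved domains.

```python
"""Recover the targeting list from a batch of expanded spearphishing links and
summarise the campaign's scale.

Added example for this post, not code from SecureWorks or the original. The
link format (base64url address in an `email` parameter) is an assumption; the
phishing host and every address below are constructed.
"""
import base64
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

PHISH_HOST = "accounts-verify.example.net"   # assumed, constructed


def make_link(address):
    """Build a link in the assumed format (used only to construct samples)."""
    token = base64.urlsafe_b64encode(address.encode()).decode().rstrip("=")
    return f"https://{PHISH_HOST}/?email={token}"


# Constructed sample batch: five well-formed links (one person hit twice,
# with different capitalisation) and one with a broken token.
SAMPLE_LINKS = [
    make_link("alice@example.com"),
    make_link("bob@example.com"),
    make_link("Alice@example.com"),
    make_link("carol@example.org"),
    make_link("dave@example.org"),
    f"https://{PHISH_HOST}/?email=not-a-token!",
]


def decode_target(url):
    """Address encoded in a link, lower-cased, or None if it can't be decoded."""
    token = parse_qs(urlsplit(url).query).get("email", [""])[0]
    token += "=" * (-len(token) % 4)           # restore stripped padding
    try:
        addr = base64.urlsafe_b64decode(token).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return addr.lower() if "@" in addr else None


def summarize(urls):
    """Scale metrics for a batch of links: unique targets, targets per
    domain, repeat targets and links that carried no usable address."""
    attempts = Counter()
    by_domain = defaultdict(set)
    undecodable = 0
    for url in urls:
        target = decode_target(url)
        if target is None:
            undecodable += 1
            continue
        attempts[target] += 1
        by_domain[target.split("@", 1)[1]].add(target)
    return {
        "unique_targets": len(attempts),
        "targets_per_domain": {d: len(s) for d, s in sorted(by_domain.items())},
        "repeat_targets": sorted(t for t, n in attempts.items() if n > 1),
        "undecodable": undecodable,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LINKS))
```

Run against a real batch of expanded links, `targets_per_domain` is the number the quoted report gives for hillaryclinton.com, and `repeat_targets` shows the repeated attempts mentioned above; the case-folding in `decode_target` matters because the same mailbox otherwise counts twice.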

Similar reasoning applies to an unskilled person or group using professional tools. The multiple stages of a breach are easy to botch without experience carrying them out, and the scale of the phishing campaign demands a level of organisation amateurs are unlikely to manage. Is it possible? Sure. Likely? No. And in the end, it’s the likelihood we care about.

Besides, this argument tries to have its cake and eat it too. If spearphishing attacks are so easy to carry out, the difference between “unskilled” and “skilled” is small. Merely pulling off this spearphish would make the attackers experienced pros, whatever their status beforehand. The difference between hypotheses D and I is trivial.

There’s even more unconscious bias in Hornbeck’s list: he left Guccifer 2.0 off the list as an option. Here, you have someone who has claimed to be responsible left off the list of priors, because Hornbeck’s subconscious presupposition is that “Russians did it” and he implicitly collapsed the prior probability of “Guccifer 2.0” into “Russians” which may or may not be a warranted assumption, but in order to make that assumption, you have to presuppose Russians did it.

Who is Guccifer 2.0, though? Are they a skilled hacking group (hypothesis D), a Kremlin stooge (A), an unknown person or persons (H), or amateurs playing with professional tools (I)? “Guccifer 2.0 did it” is a composite of existing hypothesis subsets, so it makes more sense to focus on those first then drill down.

I added J) because Hornbeck added himself. And, I added myself (as Hornbeck did) to dishonestly bias the sample: both Hornbeck and I know whether or not we did it. Adding myself as an option is biasing the survey by substituting in knowns with my unknowns, and pretending to my audience that they are unknowns.

Ranum may know he didn’t do it, but I don’t know that. What’s obvious to me may not be obvious to someone else, and I have to account for that if I want to do a good analysis. Besides, including myself fed into the general point that we have to be liberal with our hypotheses.

I) is also a problem for the “Russian hackers” argument. As I described, the DNC hack appears to have been done using a widely available PHP remote management tool after some kind of initial loader/breach. If you want a copy of it, you can get it from github. Now, have we just altered the ‘priors’ that it was a Russian?

This is being selective with the evidence. Remember “Home Alone?” Harry and Marv used pretty generic means to break into houses, from social engineering to learn about their targets, surveillance to verify that information and add more, and even crowbars on the locks. If that was all you knew about their techniques, you’d have no hope of tracking them down; but as luck would have it, Marv insisted on turning on all the faucets as a distinctive calling card. This allowed the police to track down earlier burglaries they’d done.

Likewise, if all we knew was that a generic PHP loader was used in the DNC hack, the evidence wouldn’t point strongly in any one direction. Instead, we know the intruders also used a toolkit dubbed “XAgent” or “CHOPSTICK,” which has been consistently used by the same group for nearly a decade. No other group appears to use the same tool. This means we can link the DNC hack to earlier ones, and by pooling all the targets assess which actor would be interested in them. As pointed out earlier, these point pretty strongly to the Kremlin.
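The point can be stated in the odds form of Bayes’ theorem, which this series has been using; the derivation below is added here, not from the original post, and the numbers in the last step are hypothetical, chosen only to show the size of the effect. Let $A$ be the Kremlin hypothesis (as labelled above), $E_{\text{php}}$ the observation that a generic, publicly available PHP tool was used, and $E_{X}$ the observation that XAgent was used:

$$\frac{P(A \mid E)}{P(\neg A \mid E)} \;=\; \frac{P(A)}{P(\neg A)} \cdot \frac{P(E \mid A)}{P(E \mid \neg A)}$$

For the generic tool, anyone could plausibly have used it, so $P(E_{\text{php}} \mid A) \approx P(E_{\text{php}} \mid \neg A)$, the likelihood ratio is about $1$, and the posterior odds stay where the prior left them. For XAgent, a tool only ever observed in APT28’s hands, $P(E_{X} \mid \neg A) \ll P(E_{X} \mid A)$ and the ratio is large. With illustrative values $P(E_{X} \mid A) = 0.8$, $P(E_{X} \mid \neg A) = 0.02$ and prior odds of $1{:}4$ (i.e. $P(A) = 0.2$):

$$\frac{P(A \mid E_{X})}{P(\neg A \mid E_{X})} \;=\; \frac{1}{4} \cdot \frac{0.8}{0.02} \;=\; 10, \qquad P(A \mid E_{X}) = \frac{10}{11} \approx 0.91$$

The same prior, updated on $E_{\text{php}}$ alone, would leave $P(A)$ at $0.2$. Which tool the evidence names is what carries the weight, not the fact that a tool was used.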

I don’t think you can even construct a coherent Bayesian argument around the tools involved because there are possibilities:

  1. Guccifer is a Russian spy whose tradecraft is so good that they used basic off the shelf tools
  2. Guccifer is a Chinese spy who knows that Russian spies like a particular toolset and thought it would be funny to appear to be Russian
  3. Guccifer is an American hacker who used basic off the shelf tools
  4. Guccifer is an American computer security professional who works for an anti-malware company who decided to throw a head-fake at the US intelligence services

Quick story: I listened to CrowdStrike’s presentation on the Russian hack of the DNC, and they claimed XAgent/CHOPSTICK’s source code was private. During the Q&A, though, someone mentioned that another security company claimed to have a copy of the source.

The presenters pointed out that this was probably down to a quirk of attacks on Linux. There’s a lot of variance in which kernel and libraries are installed on any given server, so simply copying over a prebuilt attack binary is prone to break. Thanks to that same variety, though, it’s common for a compiler to be installed on the server. So on Linux, attackers tend to copy over their source code, compile it into a binary, and delete the source.

You can see how this could go wrong, though. If the stub responsible for deleting the original code fails, or the operators are quick, you could salvage the source code of XAgent.

“Could.” Note that you need the perfect set of conditions in place. Even if they occurred, and even if the source bundle also contained the Windows or OS X code (leaving it out would reduce the data transferred and slightly improve the odds of a clean compile), the attack binaries for those platforms are normally compiled elsewhere. Build environments vary widely, and they leave fingerprints all over the executable, such as the compiler and linker versions, the language settings of the build machine, and compile timestamps. A halfway-savvy security firm (such as FireEye) would pick up on those differences and flag the executable as a new variant, at minimum.

And as time went on, the two code bases would diverge as either XAgent’s originators or the lucky ducks with their own copy start modifying it. Eventually, it would be obvious one toolkit was in the hands of another group. And bear in mind, the first usage of XAgent was about a decade ago. If this is someone using a stolen copy of APT28/Fancy Bear’s tool, they’ve either stolen it recently and done an excellent job of replicating the original build environment, or have faked being Russian for a decade without slipping up.
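To show what “fingerprints all over the executable” means in practice, here is an added example (mine, not code from FireEye or CrowdStrike) that reads the compile-time metadata a Windows PE header carries (COFF timestamp, target machine, linker version) and diffs two samples, so a copy rebuilt in someone else’s environment stands out as a new variant. The two headers it compares are constructed by `make_header()` and contain only the fields the parser reads; a real sample is parsed from disk with the same `build_fingerprint()` function. The linker versions and timestamps in the samples are arbitrary.

```python
"""Extract build-environment fingerprints from a PE executable's headers and
diff two samples so a rebuilt copy stands out.

Added example for this post, not code from FireEye or CrowdStrike. ORIGINAL
and REBUILT are constructed minimal headers, not loadable executables; the
linker versions and timestamps in them are arbitrary sample values.
"""
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def build_fingerprint(image):
    """Compile-time metadata from a PE image given as bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]      # offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, ...
    machine, _sections, timestamp = struct.unpack_from("<HHI", image, coff)
    # Optional header starts 20 bytes after the COFF header:
    # Magic, MajorLinkerVersion, MinorLinkerVersion, ...
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", image, coff + 20)
    return {
        "machine": hex(machine),
        "pe32plus": magic == 0x20B,
        "linker": f"{linker_major}.{linker_minor}",
        "timestamp": timestamp,
        "built_utc": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
    }


def diff_fingerprints(a, b):
    """Names of the fields on which two fingerprints disagree (built_utc is
    derived from timestamp and so not reported twice)."""
    return sorted(k for k in a if k != "built_utc" and a[k] != b[k])


def make_header(machine, timestamp, linker_major, linker_minor):
    """Constructed minimal PE header (DOS stub, PE signature, COFF header,
    optional header) for demonstration only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 224, 0x0102)
    magic = 0x20B if machine == IMAGE_FILE_MACHINE_AMD64 else 0x10B
    optional = struct.pack("<HBB", magic, linker_major, linker_minor) + bytes(220)
    return bytes(dos) + b"PE\0\0" + coff + optional


# Constructed samples: the "original" build and a copy rebuilt elsewhere.
ORIGINAL = make_header(IMAGE_FILE_MACHINE_I386, 1467331200, 10, 0)   # 2016-07-01
REBUILT = make_header(IMAGE_FILE_MACHINE_I386, 1479168000, 14, 0)


if __name__ == "__main__":
    original, rebuilt = build_fingerprint(ORIGINAL), build_fingerprint(REBUILT)
    print(original)
    print(rebuilt)
    print("differs in:", diff_fingerprints(original, rebuilt))
```

A timestamp alone proves little, since it can be zeroed or forged, but a linker version that jumps between two samples of the “same” tool is exactly the kind of build-environment drift the paragraph above predicts; resource language IDs and the linker’s undocumented Rich header are the next fields a real triage script would add.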

While the above is theoretically possible, there’s no evidence it’s actually happened; as mentioned, despite years of observation by at least a half-dozen groups capable of detecting this event, only APT28 has been observed using XAgent.* None of Ranum’s options fit XAgent, nor do they fit APT28’s tactics either; from FireEye’s first report (they now have a second, FYI),

Since 2007, APT28 has systematically evolved its malware, using flexible and lasting platforms indicative of plans for long-term use. The coding practices evident in the group’s malware suggest both a high level of skill and an interest in complicating reverse engineering efforts.

APT28 malware, in particular the family of modular backdoors that we call CHOPSTICK, indicates a formal code development environment. Such an environment would almost certainly be required to track and define the various modules that can be included in the backdoor at compile time.

And as a reminder, APT28, aka Fancy Bear, is one of the groups that hacked into the DNC, and is alleged to be part of the Kremlin.

Ranum does say a lot more in that second blog post, but it’s either similar to what Biddle wrote over at The Intercept or amounts to kicking sand at Bayesian statistics. I’ve covered both angles, so the rest isn’t worth tackling in detail.

  • [HJH: On top of that, from what I’m reading APT28 prefers malware-free exploits, which use existing code on Windows computers to do their work. None of it works on Linux, so its source code would never be revealed via the claimed method.]

Quotas are Awesome

I’ve always been a fan of gender quotas. Think about it: sexism is largely unconscious and subtle, which means it has a disproportionate impact on subtle or indirect means of correcting gender imbalances. Blunt methods are more likely to succeed, and are more honest. If we truly think the genders are equal, why not bake that into our policies? Just be sure to incorporate non-binary people, too.

But there’s another good reason to endorse them. Emphasis mine:

Our study provides a unique window on quotas and, at the same time, pushes forward the measurement of competence in political selection. It uses the fact that, in 1993, Sweden’s Social Democratic party voluntarily introduced a strict gender quota for its candidates. In internal discussions of the reform, the party’s Women’s branch observed that some men were more critical than others. The quota became known colloquially as the “Crisis of the Mediocre Man,” since the incompetent men had the most to fear from an influx of women into politics.

If all genders are equal, but one gender has more representatives than the others, then by necessity there must be more mediocre members of that gender represented. Their average competence would be less than that of all other genders. We can measure that! And as yet another study found, quotas do indeed increase overall competence.

Within each local party, we compare the proportion of competent politicians in elections after the quota to the 1991 level. The figure below shows some striking results. The left panel illustrates our estimates for politicians of both genders with black dots showing the change in the proportion of competent representatives in a party which is forced to increase their share of women (by 100 percentage points). The right panel splits the results by men and women (blue dots for men and pink dots for women). It shows distinctly that the average competence of male politicians increased in the places where the quota had a larger impact, and that the effect is concentrated in the three elections following the quota. On average, a higher female representation by 10 percentage points raised the proportion of competent men by 3 percentage points! For the competence of women, we observe little discernible effect.

Figure 1, from http://blogs.lse.ac.uk/businessreview/2017/03/13/gender-quotas-and-the-crisis-of-the-mediocre-man/

Subdividing the men into leaders and followers reveals another interesting finding; there is clear evidence of a reduction in the proportion of male leaders (those at the top of the ballot) with mediocre competence. This suggests that quotas work in part by shifting incentives in the composing party ballots. Mediocre leaders are either kicked out or resign in the wake of more gender parity. Because new leaders – on average – are more competent, they feel less threatened by selecting more able candidates, which starts a virtuous circle of higher competence.

Embrace your inner socialist, and consider gender quotas. It’s good for business!

Community Scientism

Existential Comics is… a bit of a weird read. Crudely drawn, a bit obsessed with nihilism, it nonetheless hits some very powerful notes. And in their latest comic, they struck a chord close to home.

At Science HQ. DAWKINS: Philosophy! Ha. Nothing could be more useless. HARRIS: Exactly, all the so-called philosophical problems will be solved with science. TYSON: Yes, it's all empty speculation, whereas we scientists use EVIDENCE. DE BEAUVOIR: NO SCIENTIFIC FACT CAN GIVE A PURPOSE TO OUR LIVES! DAWKINS: Who are you? DE BEAUVOIR: WE ARE THE PHILOSOPHY FORCE FIVE!!

Confession time: not too long ago, I probably would have been standing next to Science Headquarters. I never would have called philosophy useless, and I thought Harris in particular was underplaying how difficult it would be to create a moral system from science, but I did buy into things like this.

Science is the best method humankind has devised for understanding causality. Therefore the scientific method is our most effective tool for understanding the causes of the effects we are confronted with in our personal lives as well as in nature. There are few human traits that most observers would call truly universal. Most would consent, however, that survival of the species as a whole, and the achievement of greater happiness of individuals in particular, are universals that most humans seek. We have seen the interrelationship between science, rationality, and rational skepticism. Thus, we may go so far as to say that the survival of the human species and the attainment of greater happiness for individuals depend on the ability to think scientifically, rationally, and skeptically.

In the handful of years since then, I’ve realized that science is both a business and a career. That alone is enough to warp the scientific record and induce false results. But the rot extends even further, right into the scientific method itself, and the only way out is through philosophy. If you’d prefer the short version (emphasis mine):

The above derivation is one reason why the frequentist confidence interval and the Bayesian credible region are so often confused. In many simple problems, they correspond exactly. But we must be clear that even though the two are numerically equivalent, their interpretation is very different.

Recall that in Bayesianism, the probability distributions reflect our degree of belief. So when we computed the credible region above, it’s equivalent to saying

“Given our observed data, there is a 95% probability that the true value of μ falls within $\mathrm{CR}_\mu$” – Bayesians

In frequentism, on the other hand, μ is considered a fixed value and the data (and all quantities derived from the data, including the bounds of the confidence interval) are random variables. So the frequentist confidence interval is equivalent to saying

“There is a 95% probability that when I compute $\mathrm{CI}_\mu$ from data of this sort, the true mean will fall within $\mathrm{CI}_\mu$.” – Frequentists

Note the difference: the Bayesian solution is a statement of probability about the parameter value given fixed bounds. The frequentist solution is a probability about the bounds given a fixed parameter value. This follows directly from the philosophical definitions of probability that the two approaches are based on.
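The quoted distinction can be made concrete for the simplest case, a normal mean with known σ. This is an added example, not code from the quoted post: it assumes a flat prior on μ (so CR_μ and CI_μ share endpoints), and the coverage simulation is the repeated-sampling sense in which only the frequentist "95%" is a probability.

```python
import math
import random

Z95 = 1.959964  # two-sided 95% point of the standard normal

def frequentist_ci(data, sigma):
    """CI_mu: the bounds are random (they depend on the data); mu is a fixed unknown."""
    n = len(data)
    xbar = sum(data) / n
    half = Z95 * sigma / math.sqrt(n)
    return xbar - half, xbar + half

def bayesian_credible_region(data, sigma):
    """CR_mu under a flat prior: the posterior for mu is N(xbar, sigma^2 / n), so
    the 95% region has the same endpoints as CI_mu, but it is a statement of
    belief about mu given this one data set, with the bounds held fixed."""
    n = len(data)
    xbar = sum(data) / n
    post_sd = sigma / math.sqrt(n)
    return xbar - Z95 * post_sd, xbar + Z95 * post_sd

def coverage(true_mu, sigma, n, trials, seed=0):
    """Fraction of repeated experiments whose CI_mu captures the fixed true mu.
    This long-run frequency is the only sense in which the frequentist '95%'
    is a probability; for any one data set the interval contains mu or it doesn't."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    captured = 0
    for _ in range(trials):
        data = [rng.gauss(true_mu, sigma) for _ in range(n)]
        lo, hi = frequentist_ci(data, sigma)
        captured += lo <= true_mu <= hi
    return captured / trials

if __name__ == "__main__":
    rng = random.Random(1)
    sample = [rng.gauss(10.0, 2.0) for _ in range(20)]  # constructed data, true mu = 10
    print("CI_mu:", frequentist_ci(sample, 2.0))
    print("CR_mu:", bayesian_credible_region(sample, 2.0))  # identical numbers
    print("coverage over 2000 experiments:", coverage(10.0, 2.0, 20, 2000))
```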

So while many in the atheo-skeptic sphere are singing the praises of science, I’m filled with existential dread from things like this.

That question has been central to [John] Ioannidis’s career. He’s what’s known as a meta-researcher, and he’s become one of the world’s foremost experts on the credibility of medical research. He and his team have shown, again and again, and in many different ways, that much of what biomedical researchers conclude in published studies—conclusions that doctors keep in mind when they prescribe antibiotics or blood-pressure medication, or when they advise us to consume more fiber or less meat, or when they recommend surgery for heart disease or back pain—is misleading, exaggerated, and often flat-out wrong. He charges that as much as 90 percent of the published medical information that doctors rely on is flawed. His work has been widely accepted by the medical community; it has been published in the field’s top journals, where it is heavily cited; and he is a big draw at conferences. Given this exposure, and the fact that his work broadly targets everyone else’s work in medicine, as well as everything that physicians do and all the health advice we get, Ioannidis may be one of the most influential scientists alive. Yet for all his influence, he worries that the field of medical research is so pervasively flawed, and so riddled with conflicts of interest, that it might be chronically resistant to change—or even to publicly admitting that there’s a problem.

Come to think, that could explain why I read the comics I do.