In the late 1990s, the US Government was setting up a case to argue that hacking equated to terrorism. Because, while it was mostly being used for illicit state-craft, it could potentially be used by terrorists. In 1997, at a keynote for Black Hat Briefings, I warned the hacker community what was coming but – at that time – there was a great deal of “community outreach” being done by NSA – they were hiring hackers (whose work we now see leaking on a regular basis) and it was all very hip and friendly.
While that was going on, the FBI was penetrating hacker groups because (since hacking was equal to terrorism) they had much more leeway as far as intercepting communications, suborning hackers, etc. [stderr] In terms of being easy to penetrate and suborn, the hacker community had to be a laugh-riot compared to any organized crime operation. The hacker community represented a self-selected body of useful idiots who could be used and discarded, or blamed for just about anything. It was around about this time that I began to become suspicious of libertarian-posing politics; many self-styled freedom-loving hackers were very quick to take the establishment’s money and turn against the privacy rights of the population.
Hackers are a convenient assignee of blame for the establishment. Does your data security suck? Blame the Chinese hackers, or the North Korean hackers, or Russian hackers. Are your electronic election systems wide open to attack? Blame hackers – after all, it’s awkward to explain how you spent millions of dollars on badly-designed voting machines, and ignored the warnings from security practitioners who looked at the system design. Or, if you’re a political candidate, why not be utterly stupid about how you manage your email, and then blame hackers when your documents leak out that show how you tried to corrupt your party’s politics? Why not. Hackers are useful idiots – in that sense they are very much like terrorists.
So, perhaps you recall that the city of Atlanta got hid hard by cryptolocker malware – to the point where critical city services were unavailable and about $9 million was spent (not including wasted time and annoyed citizenry) doing incident response. [cnn] As I’ve mentioned elsewhere, this is a problem that an organization elects to have when its IT executives decide that backing up data and performing basic system hygiene doesn’t matter. [stderr] Hint: it does.
I’m suspicious of this one: [bbc] It’s too convenient:
Years of video evidence gathered by police has been lost thanks to a ransomware attack on Atlanta in the US.
Most of the lost evidence involves dashcam recordings, said Atlanta police chief Erika Shields in a local newspaper interview.
The footage was “lost and cannot be recovered”, said Ms Shields.
About one-third of all software used by city agencies and departments is believed to have been affected by the attack, which took place in March.
Anyone want to bet that Gina Haspel is biting her thumb thinking, “I should have said Russian hackers wiped those torture tapes!”?
By the way:
The hearings revealed that the city has assigned an extra $9.5m (£7.1m) to finance its recovery efforts.
That’s a dramatic cost saving over basic configuration management, user controls on desktops, central managed file-service, and a backup tape array or a network-attached storage. All of which would have cost about 1/20th of that.
Police chief Shields told the Atlanta Journal Constitution that despite losing the video recordings, no “crucial evidence” had been compromised.
Dashcam footage was a “useful tool” said Ms Shields, but added that other evidence such as the testimony of an officer would “make or break” a case.
Testimony of officers “making or breaking” cases is the problem.
There is so much wrong in the Atlanta cops’ story. For one thing, dashcam video is evidence and needs to be handled appropriately. Your typical IT evidence-room is not connected to a wire-area network, and especially not to the internet, and includes network-attached storage, hard drive duplication systems, tape or hard drive archival backup and audit systems. I know IT security teams at several FORTUNE500 companies that have very nice set-ups for their evidence rooms. And they’re just worried about stuff like intellectual property and fraud, not murders. There should be a:
- “best practices” set defining a proper set-up of minimal capabilities a cop-cam system must have
- “best practices” set defining a minimal set-up of a cop-cam evidence room
- not allow any police agency to buy ammunition until they have a compliant body-cam system
In many industries, the notion of “best practices” is very important; the idea being that there is an established baseline practice or capability. For example, an accountant’s best practices include certain protections of client files. An accountant that was not keeping up with minimal practices could be argued to be negligent. For some reason, in the US, cops can be as negligent as they care to be, with no apparent consequences. The Chief Information Security Officer of a company is answerable to the shareholders, if there’s a shareholder lawsuit showing negligence. So, in federal government IT, there are repeated massive failures and no consequences. Guess what you get, then? More failures.
Oddly/ironically, encryption (competently used) is one of the important integrity controls for digital evidence. Usually what you want to do is encrypt blobs of evidence using specific keys that can be used to check that they are un-altered and control who can see them. It should be basically impossible for a cryptolocker attack to undetectably alter evidence. For that matter, votes, either.
The bad security around voting machines appears to me to be suspiciously deliberate – it’s as if the establishment in some states wants to be able to de-certify a result and blame the Russians, if the wrong person gets elected. But surely that is too cynical.
Dunc says
I kinda know what you’re saying here, but when it comes to these types of systems, Hanlon’s razor is more like a claymore – and I mean the mine, not the sword. I suspect that the (possibly even uglier) truth is that these systems are so god-damned awful simply because nobody gives a shit. Oh, you want an electronic voting system that’s going to be the centrepiece of your democracy? OK, we’ll have a couple of interns wank something out over the weekend… I’d like to think that if they were going down the route you’d suggest, they’d at least try and make it look good. (Remember, the people who build the voting machines also build important shit, like ATMs and gambling machines, so we know they know how to do it right when it matters.)
Similarly, when it comes to the Atlanta PS losing a bunch of dashcam evidence to ransomware, I totally can believe that yes, they really are that incompetent.
LykeX says
Yes, but they are also really that corrupt, so it could go either way. I’m starting to feel like that “don’t assume malice, when it can be explained by stupidity” proverb gives way too much free rein to malicious people.
bluerizlagirl . says
Voting machines are intrinsically insecure. This is not a limitation of present day technology; it is a limitation of the universe, and there is nothing anybody could invent that would change this situation. Even if the machines are available for members of the public to inspect when not required for use in an actual election, built to a published specification that any qualified electronics / mechanical engineer can download and check, running published code that any qualified programmer / software engineer can download and check, that doesn’t really solve the problem that most people aren’t competent to verify the machines fully. And if you can’t understand it, you can’t hope to trust it. (It also doesn’t solve the problem that the machines may have been altered between inspection and deployment.)
Pencil and paper, ballot boxes and hand-counting are pretty much the only way to meet the important requirement of Universal Comprehensibility. It also scales really well (you get more people to help with the counting), and has some built-in anti-corruption protection in that (1) the people doing the counting are the candidates and their representatives, and do not trust each other — the only result on which they can possibly agree is the correct one; and (2) you would have to nobble a lot of people to be sure of a result you wanted.
Marcus Ranum says
bluerizlagirl@#3:
Voting machines are intrinsically insecure. This is not a limitation of present day technology; it is a limitation of the universe, and there is nothing anybody could invent that would change this situation.
Yes, but that’s not a good reason to accept systems that are as bad as they are.
A great deal could be done with just cryptographically identified ballots so that a voter could verify that theirs had been counted. But we don’t even get that. Suspicious.
Marcus Ranum says
LykeX@#2:
I’m starting to feel like that “don’t assume malice, when it can be explained by stupidity” proverb gives way too much free rein to malicious people.
Quoted for truth.
Reginald Selkirk says
You never let a serious crisis go to waste. And what I mean by that it’s an opportunity to do things you think you could not do before. – Rahm Emanuel
bluerizlagirl . says
@MJR, #4: Cryptographically-identified ballots would still be susceptible to some forms of manipulation. All you are doing is adding unnecessary costs, and moving even further away from Universal Comprehensibility.
A paper ballot is a token that starts off identical to all the other unmarked ones and indistinguible from any of them; but can be marked in one of a finite number of ways. Each of those marked-up tokens is still indistinguible from any other token marked the same way; the only information it carries is the preference. Counting up those actual self same tokens is verifiable; but if at any stage of the procedure, any sort of copying process is involved, then verifiability is sacrificed and all bets are off.
Bill Spight says
Corruption? You betcha!
Here is a link to Greg Palast on Ohio turning off the audit function of its voting machines for the 2016 election. A judge ruled that was OK. http://www.gregpalast.com/democracy-now-theyre-stealing-ohio-vote-machines-audit-function-disabled-worse/
Crip Dyke, Right Reverend Feminist FuckToy of Death & Her Handmaiden says
@marcus & LyleX
My favorite qualification of the original is that when problems crop up in your industry or institution, and you continue doing the same things that resulted in those problems the first time, stupidity can no longer explain the behavior and intention is strongly evidenced.
Cops electronically deleting files has been happening over and over since they first got computers. To say now that cops don’t want files to be tracelessly deleted with no possibility of accountability is to reject decades of evidence to the contrary.
Marcus Ranum says
Crip Dyke, Right Reverend Feminist FuckToy of Death & Her Handmaiden@#9:
Cops electronically deleting files has been happening over and over since they first got computers. To say now that cops don’t want files to be tracelessly deleted with no possibility of accountability is to reject decades of evidence to the contrary.
It’s tampering with evidence.
Sigh, I guess with cops you get less than what you paid for.
Dunc says
Well, I’m certainly not saying that… I’m saying that we know that they’re both massively incompetent and completely corrupt, which makes it really difficult to tell whether any given issue is caused by incompetence or corruption.
Maya says
Unfortunately, while hackers are easy scapegoats to hid bad behavior, I know a lot of this equipment is being built by companies that don’t care about any security aspects at all, and that most of this junk is paid for with grants, so law enforcement gets money for the toys, and then no budget for the on-going maintenance/security updates that a real system would need.
So you see a lot of systems that claim to be install and forget, even though they need Internet access to function. Basically, see anything Matthew Garrett has written about the Internet of Things devices he’s looked at, and then remember that they are the same people who are developing this stuff.
Pierce R. Butler says
… surely that is too cynical.
No such condition is possible.
Only the most dedicated can achieve even sufficient cynicism.
LykeX says
That’s why the best cynic is a disappointed idealist.
Raucous Indignation says
You could have stopped at “not allow any police agency to buy ammunition.”
Marcus Ranum says
Raucous Indignation@#15:
You could have stopped at “not allow any police agency to buy ammunition.”
I don’t know if you’re a Jim Jarmusch fan, but I am, and I love the way he occasionally fits into his movies – someone gets handed a gun “but it’s empty!” “Yeah, you’ll have to throw rocks.” I love the part in Straight To Hell where the cops are in the gunfight and are throwing rocks…