Monday, October 29, 2007

Our Broken Itelligence Agencies

HumInt/SigInt:
Human Intelligence, CIA
Signal Intelligence, NSA

The English have been masters at the spy trade for centuries. In WWII, the United States felt that it should get into the act and turned to the English for guidance.

With their tutelage, the CIA became a formidable tool against the Soviet threat throughout the cold war. We had clearly defined enemies with clearly defined borders. Gathering intelligence became a methodical science... then, once the Soviet Union collapsed, the clearly defined enemies with clearly defined borders went with it.

The growth of the internet created an atmosphere wherein information and 'intelligence' became a commodity. Then the emergence of an enemy that is not only difficult, if not impossible, to clearly define but who also operates entirely without borders. The polar opposite from what the CIA were trained to do.

Not only has this rule-set reset turned the CIA upside-down, it has rendered it all but useless. The UK isn't doing much better either. The problem is that western society itself is at odds with the rules required to make an effective spy agency. Our open government(s), free access to information, laws against spying on citizens and so forth are what both protect our civil liberties as well as create the environment in which our enemies can plot against us.

The CIA knew about al Qaeda operators operating in the USA prior to 9/11, yet did nothing to notify the FBI. This is because of the opposing nature of each agency. The CIA finds a criminal and wants to string them along to see what intelligence they can uncover by monitoring them. When the FBI finds a criminal, they want to string them up. From the CIA perspective, the FBI sure knows how to screw up an investigation and destroy your intelligence network.

The CIA is now dysfunctional to the point of uselessness. In fact, there isn't a single effective spy agency in the western world. The current battle we're fighting and the enemy we face is one that cannot be defeated by military might, it is a war that MUST be fought using intelligence.

So, the administration turned to the only other agency with experience in gathering and monitoring enemies. It also happens that this agency is experts at SigInt, as opposed to the HumInt. The problem is that the NSA is forbidden by law from spying on American Citizens, UNLESS they are monitoring overseas communications. This exception has always been allowed, no warrant necessary. There is no law that states that I have the constitutional right to conspire with enemies overseas.

No other nation even comes close to the SigInt capabilities of the NSA...

Monday, October 22, 2007

No Rules, Just Write - and the OLPC

Does technology enable crime? Yes, but it isn't technology per se, it is connectivity in general.

Anywhere that you have connectivity combined with the absence of a functioning judicial system; you will breed crime. It doesn't matter what that connectivity is, or how you measure that connectivity - whether it is in paved roads, running water, electricity - each of these factors contributes to both the reach of commerce and the reach of criminals. The two cannot be divorced from each other. If you have a rapid expansion of transportation, without an equal expansion of police power, criminals will exploit that weakness. In the wild west, outlaws would rob trains as they crossed the nation, knowing that they'd be vulnerable and there was little chance of being caught.

Let's look at Russia. Back in the cold war era, there were technology export restrictions in place. With the fall of the Iron Curtain, those restrictions were relaxed. By the time we in the United States started going online en-masse in 1995, upgrading our computer systems to Pentium machines running Windows 95 - our old computer systems didn't go into the garbage, they were sold into the huge technological vacuum of the former Soviet Union.

Who are the early adopters of technology? Kids of course! And Russia was no exception. Like a 16-year-old with a hot rod, the youths started souping up computers that we considered garbage. They got on to the internet using whatever they could, and once they connected to our information flows, they started teaching themselves programming. Because they were learning to program on outdated equipment, this forced them to become very, very good. There was no such thing as code bloat. Then you add 5 years to the calendar and what do you have? Little Ivan is no longer 15, he is 20 and has 5 years experience - and therein lies the rub - Ivan cannot go out and get a job in information technology, there is no economy to support his skill set. So, he goes about earning a living any way he can. I call it "N0 RUL3Z, JU5T WR1T3". Ivan sets about writing spam software, creating Trojan horses, worms... this is where we see the emergence of the botnet.

Brazil wasn't far behind. In 2004-2005 we saw an uptick in the botnet wars arms race with Russia being one-upped by Brazil with the Beagle/Bagle, Mydoom and Sasser botnet pissing contest.

There is a tide shift taking place. Putin has implemented a 12% flat tax which is bringing revenues flowing into the Russian economy for the first time in 15 years. They are reviving their legal system because they want to attract the Foreign Direct Investment dollars which will never come if they have no legal system which can enforce a legal contract. Along with the civil justice and FDI dollars, criminal justice must reign in corruption otherwise the FDI dollars will quickly disappear. So, Russia is growing out of the script kiddie phase and reemerging onto the world scene. Its good to have Mother Russia back (New & Improved with 1337 h4x0rs).

I could go on providing details of history and economics, but I will leave that for the book I'm writing. But I will pose this question for you to think about: What do you think the outcome of One Laptop Per Child will have on the future of cybercrime? If connectivity absent a legal system is the breeding ground for crime, what do you think will happen as the bottom billion in Africa gets online?

Computer security is all about dealing with the unintended consequences. Every computer and every system that was ever built was first done to share information, not secure it. Security only came after we got everything connected, then had the collective "awww crap!" moment.