Feeds:
Posts
Comments

Last week, I attend MIRcon, Mandiant’s conference on Advanced Persistent Threats. One of the keynote addresses was given by Keith Alexander, the former head of the NSA. I enjoyed his talk, it was a good one.

What Others Are Saying

Here is Kelly Jackson Higgins’ take on his talk, from an article on DarkReading. Everything in the article is accurate:

* Former NSA Director reflects on Snowden Leaks
http://www.darkreading.com/analytics/threat-intelligence/former-nsa-director-reflects-on-snowden-leaks/d/d-id/1316466

Higgins’ main talking point is that Alexander and the NSA were trying to bring to the public attention the fact although that the United States is under constant attack from advanced persistent threats, the Snowden leaks ended up overshadowing any of the good work that the NSA was doing. The NSA is a professional organization and 3rd party auditing showed that what they did:

  1. Was authorized by Congress
  2. Was within the law
  3. Was 100% audited
  4. Even though they were audited afterwards, no violations ever came up that were not already self-reported
  5. The NSA is highly professional

That’s all I have to say about that, go ahead and check out the article.

My Impression of Others’ Impressions of the NSA

While I was in Washington, D.C., I noticed that there was more of “pro-America” feel, that is (and I am badly paraphrasing) “we understand that the NSA had to do what they did” perspective compared to where I live. Whereas on the left coast, Microsoft’s own top lawyer identified the American government as an advanced persistent threat [1], and you can read other technical blogs that are very critical of the US government’s actions (Google, Yahoo and Apple are all moving to encrypt their data in response to this), I didn’t find any of the anti-government sentiment at MIRcon.

I see this as either the attendees at MIRcon genuinely understand that what the NSA did is more nuanced, and a position of “The government should not collect any data” is too narrow a viewpoint; OR, representatives from these companies work with government and therefore their perspective is skewed; OR, I didn’t sample enough people to get a broader perspective.

In any case, that’s what I experienced.

My raw notes of Keith Alexander’s Keynote

I don’t have time to type this up into a more nuanced blog post, but here are my raw notes from the session.

—————

2014.10.07 – Keynote Keith Alexander

  • Keith Alexander – cyber security people are underpaid (he’s a funny guy)
  • CyberCommand was created based upon intrusion into DoD in 2008 (later believed to be the Russians), wake up call
    • Now Target, eBay, Home Depot, JPM; attributed to eastern Europe/Russia
    • Did you know 2014 (website, talks about rapid change in technology)
      • Top 10 in-demand jobs in 2013 did not exist in 2004. Half of college newbs tech knowledge will be out of date by the time they get to junior year. People being trained for a job that doesn’t exist today.
      • Talked about how using Watson, they can get cancer treatments figured out in 9 minutes rather than 30 days (important because that 30-days results in cancers metastasizing)
      • Within a decade, some diseases will be solved thanks to advances in technology
    • We created the Internet, we can secure it.
      • But what we have created, today, isn’t secure.

  • Pre-2007, Internet was used as a way of going out and exploiting (everyone was doing it)
    • Then in 2007 changed from exploitation to disruption (Estonia attacks), had to disconnect from Internet
    • Aug 2008 Georgia was hit with cyberattacks (coincided with attacks by Russia govt ground offensive), DDOS attacks
    • Tells of issue on DOD networks one Friday afternoon in 2008, some people found 1500 pieces of malware on classified network
      • Built a system to mitigate the problem at network speed.
      • NSA built the system in 22 hours (!!!)
    • In 2011, NSA took a look at DOD networks, 15,000 in all, discovered they have an indefensible architecture (opened up that bag… of fertilizer… can we give this back to the DOD? Nope.)
      • Created Cyber Command as a result. Our defense must be as good as their offense

  • Fast forward, actions in 2012 were timed to problems in the middle east
    • August: Attack on Saudi Aramco (DDOS coupled with a virus – destroyed data on 30k systems)
    • Over 350 DDOS attacks on Wall Street in the intervening one year. 2013: attacks on South Korea
    • Goes from stealing data to using the networks as an element of national power.
    • People attack cyberspace because that’s where the money and IP and secrets are

  • Cyber command
    • Joint taskforce to defend the DOD networks but when it came over decided to defend everything within the nation

      1. Need a defensible architecture – Too difficult to draw a picture of network without any situational awareness

      2. Training – Need to train at a classified threat, offense and defense need to be the same

      3. Command and control – How do we work together with govt and industry? There’s more industry by orders of magnitude, and exploitation surface is hundreds of time larger. Nothing prevents industry from working with govt for a common cause

      4. Cyber legislation – Didn’t really discuss this

      5. Signature based AV systems good for certain things but not for where we want to go. Need to have real time consumable threat intelligence; detect mitigate report at network speed; within and among networks. These are not technical challenges, it is culture and competitiveness. Just think if we were to work together. It will take several companies and a consortium to figure it out.
          

  • Q&A’s – Are we in a cyber war? When did it start? –> No, not yet but because of his definition
    • 22 cryptologists were killed in Iraq and Afghanistan (doing some cyber stuff to change intelligence collection)
      Someone asked a question – what does the NSA collect on me? Metadata goes into business data FISA program
    • gave example (2009) of stopping an Al Qaeda operative in the Pakistan area who was talking to someone in the Colorado area (by email, gave phone number in email to FBI). FBI can take that and get the phone number from the phone and email provider. Talked about bouncing around from Colorado to New York and North Carolina, who were also in contact with other known terrorists outside (?) the US.
  • Q&A’s (Did Angela Merkel have anything interesting to say?)
    • If you talk to known high risk contacts, there is a good chance you will be flagged. But otherwise you are probably not going to be looked at. These programs help connect the dots. Everything in the program is audited 100%. Not one person was found doing anything wrong that hadn’t already been reported before.
    • ACLU did a review of the NSA (Jeff Stone), found NSA helped to thwart plots, operates a high degree of integrity and deep commitment to the rule of law
    • People who touch special data have to go through 400 hours of training (more than pilots)
        

Those are all of my notes.



 

[1] “Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data.

If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an “advanced persistent threat,” alongside sophisticated malware and cyber attacks.”

Brad Smith on the Official Microsoft blog
http://blogs.microsoft.com/blog/2013/12/04/protecting-customer-data-from-government-snooping/

For most of my life, I have identified with the conservative side of the political spectrum. I flirted with libertarianism for a while in my 20’s, but I had a pretty consistent voting pattern – in Canada, I always voted conservative whether it was in federal or provincial elections. I may have even voted for the Reform party once (a regional based in Canada that was right-wing) although I don’t remember.

Since that time I have mellowed out. I’m not sure who I would have voted for if I were an American citizen in 2008, but if I were a US citizen in 2012 I would have voted for Obama and not Romney, nor Gary Johnson (Libertarian party candidate).

That’s not a big deal, plenty of voters cross party lines. In the US, they are called “Independents” (you’re not an Independent if you vote the same way each time).

But what unnerves me is that I now shop at Whole Foods. For you see, Whole Foods serves a lot of organic foods and things that are good for the environment; they have a reputation as being the go-to store for rich urban hippies and limousine liberals (you know, people who drive around in limos and have a very highly consumptive lifestyle while simultaneously preaching that people are destroying the environment and politicians should redistribute other rich people’s money).

That’s my impression of Whole Foods – a certain type of people shop there. And my impression of liberals used to be that they are well meaning but out of touch and perhaps a bit (lot) hypocritical.

But I now shop there! It’s a decent store, they have good tuna (because our cat loves it) and I get fake meat there, too. Sometimes I get a few other things there.

But I go there over and over.

Does that make me a liberal hippie?

Combined with the fact that I no longer identify as politically conservative and I shop at Whole Foods and I reduced my consumption of meat because of ethical concerns about animal treatment… I’m not sure where that identifies me.

Quite frankly, if I were living in Canada, I’m not sure who I’d vote for in the next election.

Last Friday, I woke up with a sore throat. This is a common occurrence for me, it marks the third time something like that has happened. It got worse the next two days before recovering and eventually lasted only six days.

Whenever I get a sore throat, I know that a few days later I will get a cough and sinus congestion, but not necessarily in that order. This was not a good time for me to get sick because I was presenting at a conference this week. I need my voice! I need to not have a stuffed nose!

Well, on Wednesday, I came down with a stuffed nose. It got pretty bad in the evening. Thursday was better but even then I was coughing and all stuffed up… the day of my presentation. Awesome.

Luckily, when I present I get a boost of natural adrenalin and I feel pretty good. But later that evening I got stuffed up again. Usually during a cold, I get stuffed up really badly for 1-2 days (the last few times have been two days) before the peak of the cold hits and I start to feel better. Today I feel a lot better.

But it’s frustrating to have been sick three times this year (not counting my bizarre collapse after returning from Taiwan). In 2013 I didn’t get sick at all, so I guess now I am making up for lost time.

I used to never take medication while I was sick; I would just suffer through it. This past time I took plenty of cough syrup and decongestants because I had to be sharp at the conference. They helped a little bit, I think I felt better than I would have otherwise.

I hope I don’t get sick for the remainder of 2014.

Over the past couple of years, I’ve been reading a lot about genetics and its influence on personality. When I was in university, I took a class on Sociology. The basis of the class was that personality was heavily influenced by culture. Furthermore, one of the major paradigms of humanity is “the blank slate” – the idea that humans are (nearly) infinitely malleable. This was a reaction to the eugenics movement of the first half of the 20th century that stated that some people just had superior genes.

However, “the blank slate” is wrong. While culture and environment shape us, we are not infinitely malleable. We are are not even greatly malleable. It turns out that our genetics, just as it shapes our physical bodies, also shapes our personalities. We can do things to affect it and choose to behave in certain ways, but our brain structures and genes dictate greatly how we react internally, and then we choose to override it.

One of those personality traits is introversion. I’ve been introverted as far back as I can remember, with the possible exception of when I was less than 5 years old. But it turns out that introversion is probably genetic. Dr. Jerome Kagan has been studying the introversion/extroversion phenomenon and has tons of data.

I found this one excerpt:

For example, he believes, based on his data, that high reactivity is associated with physical traits such as blue eyes, allergies, and hay fever, and that high-reactive (introverted) men are more likely than others to have a thin body with a narrow face.

Um:

  • I have blue eyes
  • I have hay fever (although no other allergies – although I do get nosebleeds easily in dry weather)
  • I have a thin body
  • My face is narrow

In other words, the description 100% describes me!

I thought that was eerie. I used to think that I was in control of my own personality and that I could change it with enough work. That’s not really true; I can change it to some extent but I have much less free will than I thought.

A couple of weeks ago I decided to stop drinking coffee. I did this because I am having hip surgery in December and I will not be able to eat or drink that day. That means that I will probably be feeling lousy that day because of headaches from caffeine withdrawal and I don’t want to go into it feeling bad.

That means I need to detox from coffee.

But I don’t know how it takes me to detox. However long it takes me to stop feeling symptoms of no coffee, that’s how many days before my surgery I need to give up coffee. Thus, if I discover it takes me 7 days to stop feeling bad, then 7 days before hip surgery I need to give up coffee.

All I do is drink 1 cup per day in the morning.

So how long did it take before I was symptom free?

7 days. Sheesh, that’s a long time. The first few days, I got headaches. At first it was around 10 am, then it got pushed back to 3 pm, then 5 pm. I had to take some Ibuprofen to get rid of the discomfort in order to function at work.

I began to wonder “How long is this going to take?” Well, it took a week.

And all of this on a single cup in the morning. I don’t know how anymore who drinks 4-5 cups per day like one of my co-workers could ever give it up (he was fasting during Ramadan).

That must have been rough.

I thought I’d do a blog post about some common myths about how the brain works.

  1. People only use 5-10% of their brains

    This is a common myth I hear all the time, that people don’t use all of their brains. This implies that we have a lot of untapped potential and if we could unlock it, we would be super-geniuses!

    But it’s not true.

    The brain consumes 20-25% of our total calorie intake, that’s far too much energy to waste on an organ that is running at 1/10 of its potential capacity. The truth is that we use 100% of our brains, we just don’t use all parts of it at the same time. Various parts of the brain are dedicated to doing different functions, and we aren’t using those functions all the time at the same time.

  2. The left brain/right brain model

    One thing we frequently hear is the right brain/left brain model – left-brained people are more analytical and right-brained people are more creative.

    This isn’t true. Or rather, it’s hopelessly oversimplified.

    While it is true that different hemispheres of our brains control different parts of our bodies, the truth is that we all have parts of our brains that talk to other parts. The reason that some of us are more analytical than others, while some people are more creative than others, has more to do with genetics and environment.

    One hemisphere dominating and leading to a particular trait doesn’t adequately explain how our brains work with all of its parts to form a whole. While the term “right brain/left brain” is useful to describe what type a person is, it is not accurate about how it actually works biologically.

  3. The brain is a single unit, like a computer

    One of the ways we think of the brain is that it is like a computer – it has a central processing unit that takes in all the inputs, we make a decision, and then act on it. The brain weighs the evidence and then issues its verdict. All the possible inputs go to a central processing unit.

    But that’s not how it works.

    Instead, the brain is more like the Internet. There are a bunch of nodes that have highly specialized functions. Some of these nodes talk to each other, but others do not. When we receive information (sound, sight, touch or ideas), the various units process it but there’s not a central unit in charge. Some units are unaware of others, and this is very strategic.

    We don’t process information that efficiently.

Those are brain myths I thought I’d briefly correct.

Lately, the cat has been throwing up a lot. So far in August she has thrown up 9 times. The average for her is once or twice per month.

A little bit of Internet research says that she probably has a food allergy. Feeding her the same thing over and over (Royal Canin kibbles) is not good, and apparently the lack of diversity is resulting in her stomach not producing the required enzymes to digest food. While we do feed her tuna, apparently it’s not enough.

We have been on a quest to find something else she’ll actually eat, and so far have had no success. We’re currently up to five different foods she has sniffed and rejected. Five! We’ve tried raw chicken, freeze-dried food, new kibbles and new canned food.

“Nope,” says the cat. “This takes like garbage!” and then she walks away.

Ugh.

Ruby! You eat some new food! Got it?

image

Follow

Get every new post delivered to your Inbox.