April 10, 2008

The Room

The Room is an episodic novel I am writing. The first five episodes have been published at Combat, the Literary Expression of Battlefield Touchstones, an online labor of necessity and love by a man committed to exploring the psychological impact of warfare. http://www.combat.ws/

The names of the stories, found by a search of the Combat site, are:

Outside the Door
Cliché
BRB
A Second Opinion
The Big O

They begin an exploration of the impact of torture on the people in a society that condones the practice. A single instance in “the room” in the war zone leads to other rooms until we arrive by a very circuitous route at “the room” where torture was authorized in the first place.

Fiction seems to be the right place to explore issues that once found their way into Islands in the Clickstream. I have published thirty stories in the past few years. Coming up next are: “The Man Who Hadn’t Disappeared” in Karamu, a literary magazine published at Eastern Illinois University (http://www.eiu.edu/~english/karamu/index.html), and “Silent Emergent, Doubly Dark,” in an anthology to be published in November in London, Subtle Edens: The Elastic Book of Slipstream. http://www.elasticpress.com/

Allen Ashley, the editor of Subtle Edens, wrote: “The story is gripping and fascinating. Your narrator's three off-world trips raise questions of science, philosophy, religion, consciousness, reality and much more.”

And did that ever delight me! Why? Because he got it! He knew what I was doing! What more can any writer want?

Well ... a writer might want to find a publisher interested in a collection of all this published short fiction called More Than a Dream: Stories of Flesh and the Spirit (many of which can be found at www.thiemeworks.com), or a writer might want to find a publisher interested in looking at The Room. If you happen to be one, married to one, live next door to one, or know one, let me know ... publishing in the digital age is a little tricky. We are all trying to figure out how best to get our writing, music, films, and other digital creations into the world. The old models are breaking down and the new ones are not yet clear. Maybe they’re slouching into outer space to be born. And more people seem to be writing these days than reading. The Indiana Review noted, “We receive more than 10,000 submissions a year, yet our subscriber list is less than 500.” Only subsidies keep them alive. The rest of us are heading to the Web.

Posted by Thieme at 11:19 PM | Comments (0)

Hexen

Hexen is more than a game - it’s an exploration by London artist Suzanne Treister of military technologies for psychological warfare. In 1995 she created a fictional alter ego, Rosalind Brodsky, a delusional time traveler who believes herself to be working at the Institute of Militronics and Advanced Time Interventionality (IMATI) in the twenty-first century.

Now Treister is updating HEXEN2039 and charting more of Brodsky's scientific research towards the development of new mind control technologies for the British Military. This work uncovers or constructs links between conspiracy theories, occult groups, Chernobyl, witchcraft, the US film industry, British Intelligence agencies, Soviet brainwashing, behavior control experiments of the US Army and recent practices of its Civil Affairs and Psychological Operations Command (PSYOP), in light of alarming new research in contemporary neuroscience.

The Science Museum of London sent Treister and art critic Richard Grayson to Milwaukee to videotape interviews with me on those subjects. She thought my book review of Jonathan Moreno’s “Mind War” indicated a kindred spirit. And it did. She uses the interviews to anchor her project in the (more or less) present day.

See www.hexen2039.net and http://ensemble.va.com.au/tableau/suzy/TT_ResearchProjects/index.html for more about Hexen.

See http://www.kunstverein-langenhagen.de/treister/index.html to see a gallery opening of some of Treister’s work in Germany that includes a fourteen minute video loop from our interviews.

Posted by Thieme at 11:17 PM | Comments (0)

Quiet American

Quiet American at http://www.quietamerican.org/ is a good place to take a break. It’s a wonderful repository of sound art and found sound by Aaron Ximm, a technology entrepreneur from S P Controls, http://www.spcontrols.com/.

Quiet American hosts discography, field recordings, and one minute vacations. It wins lots of recognition and people from all over the world come to find magical, mysterious, immersive sites of sound, precisely layered in unexpected wondrous ways.

Posted by Thieme at 11:13 PM | Comments (0)

March 05, 2008

The Difference It Makes Being Different

The response to Michelle Obama’s remark that she was proud of being an American for the first time in her adult life is the latest in a series of events that reveal the gulf fixed between the experience of the majority that make up a dominant culture – any dominant culture – and those it calls “minority.”

No group labels itself “a minority.” The label comes from the dominant culture and is itself a way of establishing superiority.

Back when talks on diversity paid in CEUs (continuing education units), many corporations checked the diversity box by having speakers address the issue. Some invited me to talk on “The Difference It Makes Being Different.”

What, you may ask, does a “white middle aged male” know about diversity?


The people who hired me asked that question, too, and some of my appeal as a speaker was that I was “safe,” that is, I was not an angry radical and was therefore more likely to present the issues in a non-threatening way.

As I spoke, however, it became clear that while I looked like a “middle aged white male,” my insides had traveled a path more similar to the experience of women and African-Americans in the audience.

That’s because I have lived in five different ways as a “minority.” I have been a religious minority twice, a racial minority once, and a foreigner twice. Each experience provided anecdotes about the ways a dominant culture socializes its members differently than it does the members of what it calls a “minority.”

One punch line in my talk is that the bigger shock came when I moved twenty years ago to Milwaukee. Arriving with a German name and a job (I was an Episcopal minister, then) that facilitated my identification with the dominant culture, I was treated for the first time in my life as if I belonged. The shock came with the discovery of how radically different members of a dominant culture treat someone who is perceived to be “one of us.”

Dominant cultures open doors in a million ways for those who belong. Through mentoring, the communication of intrinsic value, promotions, and other ways, members of dominant cultures are assisted, supported, and sustained in their personal and professional lives. Over time, they cease to see these privileges that come with membership and believe, as was said of George Bush, that they are born on third base and think they hit a triple.

Because the privileges of power are invisible, dominants also fail to see how “minorities” do not have them. Because they believe that their attainments are based on intrinsic merit, they genuinely can not understand why everyone can not simply do as they do and achieve the same level of success.

African Americans in Milwaukee frequently say they can not get traction in careers. They are startled when they go somewhere else – Chicago, Atlanta, Minneapolis – and get traction, find mentors, and advance. They are treated differently.

That refrain has been heard so often that a reasonable person might conclude that conditions here do not change for a simple reason – the leaders of the dominant culture do not want it to change.

We hear repeated calls for change in our economy, too, and they will probably happen, but not because our leaders have worked actively to bring them about.

Initiatives like regional branding by the Greater Milwaukee Committee or the Wisconsin Technology Council’s efforts to attract entrepreneurial technology companies are good approaches. They don’t try to change the heart first, a daunting task. They’re good approaches because realists know: where money flows, the heart will follow.

We would like to believe that we will do the right thing and money will follow, but it doesn’t work that way. Anyone who is paying attention learns in the ministry that economics is the right hand of God. When real money is on the table, our prejudices will be checked at the door.

That brings us back to Michelle Obama.

I point out in my speech that blacks must understand whites, Jews must understand Christians, gays must understand straights, and women must understand men, because there is a price to be paid if they don’t. The reverse, however, is not true. It costs whites, for example, nothing not to understand blacks, which is why Obama’s statement was incomprehensible to many – they do not understand that the whole of her life was a different experience and led to that statement which popped out with such unselfconscious clarity. They do not know that what she has achieved was not achieved in the same way or with the same ease as the equivalent education or career by a white, Christian male.

Naming is powerful. Dominant cultures have pejorative terms for members of the minority, but you have to work to think of a similar term to denote members of the dominant culture. Think of a term for “an angry woman,” for example; one comes to mind at once, doesn’t it? Try to think of a similar term for “an angry man” and you’ll draw a blank.

If that’s news to you, and if you were upset when you heard what Michelle Obama said, my bet is that you’re a member of the “dominant culture” and have never been asked to look at the real difference it really does make to be different.

Posted by Thieme at 08:41 PM | Comments (0)

February 18, 2008

Reading, Writing, and the Politics of Hope

A well-educated, highly accomplished friend wrote:

Sunday's Washington Post (February 18 2008) opinion section had two front-page articles on declining literacy in the US and on the general dumbing-down of the population. Certainly worth reading, but it also explains far more about the essentially issueless presidential campaigns that have been on-going -- viz., let's all hear it for CHANGE, whatever 'change' is meant to portend!

The results are dismal: reading of all forms is down significantly amongst the population, independent of educational level. The leisure reading score for the population has continued to go down over the last several decades. Here is a brief extract, but I'd recommend your looking at both this report and its 2004 predecessor. My extrapolated average indicates that the adult population (ages 15-34) puts in *8 MINUTES PER DAY* doing some form of weekday reading, rising to *10.5 minutes per day* on weekends. (Source, US Dept of Labor, Bureau of Labor Statistics.)

(My reply below is in two parts: (1) the politics of hope and change, and (2) what can we do about literacy? (I don’t mean sounding out simple words – I mean reading complex paragraphs with comprehension.))

Among the key findings:

Americans are reading less - teens and young adults read less often and for shorter amounts of time compared with other age groups and with Americans of previous years.

Less than one-third of 13-year-olds are daily readers, a 14 percent decline from 20 years earlier. Among 17-year-olds, the percentage of non-readers doubled over a 20-year period, from nine percent in 1984 to 19 percent in 2004.
On average, Americans ages 15 to 24 spend almost two hours a day watching TV, and only seven minutes of their daily leisure time on reading.
Americans are reading less well – reading scores continue to worsen, especially among teenagers and young males. By contrast, the average reading score of 9-year-olds has improved.

Reading scores for 12th-grade readers fell significantly from 1992 to 2005, with the sharpest declines among lower-level readers.
2005 reading scores for male 12th-graders are 13 points lower than for female 12th-graders, and that gender gap has widened since 1992.
Reading scores for American adults of almost all education levels have deteriorated, notably among the best-educated groups. From 1992 to 2003, the percentage of adults with graduate school experience who were rated proficient in prose reading dropped by 10 points, a 20 percent rate of decline.

As I said, my reply is in two parts: (1) the politics of hope and change, and (2) what can we do about literacy? (I don’t mean sounding out simple words – I mean reading complex paragraphs with comprehension).

The Politics of Hope and Change

(1) I understand your point, but as the younger people's posts about Obama we have been sharing suggest, they have NEVER had a president of whom they were proud. For eight years, one was a compulsive liar and getting blow jobs under his desk, and then, there is Mister Incoherent. Have you ever seen the film, The Great Escape? What is being pitched by “change” is a tunnel that makes it all the way to the trees, that there is a way out! That we CAN escape a nightmare of despair, shame, and depression. That's what "change" sells, something, anything, other than what the younger voters have known their whole lives long. If you heard the noise when Obama came through the curtain the other night (at the Democrats’ Founders Day Dinner in Milwaukee), the depth of that yearning would be clear.

The editorial board of the Milwaukee Journal Sentinel sat down with Obama and asked him serious questions and reported that the depth, intelligence, and realism of his answers led them to endorse him for the primary tomorrow (they saw Hillary's divisiveness as a deal-breaker).

A vote for Obama in tomorrow’s primary is a vote for possibility and potential. Everybody knows, as the song says, how detours ahead will inflect his and our best intentions. Thus has it always been, thus will it always be.

My friend adds: I realize this is probably old news to most of you, but the US National Endowment for the Arts has conducted a reading survey twice now (2004 and 2007) that can be found at http://www.nea.gov/news/news07/TRNR.html

The Real Decline in Reading, Writing and Thinking

(2) I have not read anything that contradicts this.

I did a keynote a few weeks ago for Deans and Provosts and profs of engineering schools on creativity and innovation at the Thunderbird School of Global Management. One of the profs said he is finding that his (college) students can understand words but often fail to comprehend the meaning of a whole paragraph. They can not easily discern, articulate or make useful the essence of a whole complex statement.

So, my question is this: what can we do? I mean that seriously, not we as individuals, but "we."

I have spoken at Def Con (the premier Las Vegas hacker conference, paired with Black Hat Briefings) for 12 years now and from the very beginning, the subtext if not the explicit text was about doing research, thinking critically, being "good hackers" in the sense of doing everything necessary to see how something works, so one can access the deeper levels - not just of programs, machines, or code, but comprehensive and coherent bodies of thought. I always try to embed an "upward call" in the message, and some have gotten it, as well as my obvious commitment to them and equally obvious respect. That feedback loop of mutual energy sustains that particular dialog.

Yet ... when I see a feature on Ren, a Japanese girl who thumbs out little text "novels" on cell phones, and hear that she is now a millionaire because they brought out two of her little heart-throb tales in hardcover and they sold 400,000 copies each ... and I get one of a series of stories I am writing back from the Boston Review and the editor writes, this is "enthralling and so well written," but we just don't have room for it, and small press publishers send back the proposal because "we have no money, publish a very few titles/year" and mainstream publishers, foreign-owned as a rule, will not speak to you because publishing is 100% marketing and product delivery, as Bob Woodward said Simon and Schuster told him when they wanted a new topic before the ink was dry on his last book ... (he added, OK, my next book will be about the New York publishing industry, and his editor laughed and laughed, then said, great! and I have the title! ... “My Last Book” ... to which Woodward added, “and he wasn’t kidding”) ... and on and on ... so as a writer without an agent and a serious reader, it is difficult not to despair.

We discussed earlier how technology is often misused in school trying to be trendy at the expense of real teaching, how it is not integrated intelligently with critical skills of research and analysis. All of my talks to teachers at in-services have been about integrating technology so the world of reading and writing and the worlds of clicking and quick fluid visuals can cross-pollinate, so the digital world will recontextualize, not eliminate, reading and writing and discursive thinking ...

and what teachers often say, and what some of the professors at that conference said, and what people in government bureaucracies often say is always about the culture and how it inhibits them and beats down their best intentions, taking the life out of them, making them count the days until they die or retire. It's about cultures that assimilate them and generate feelings of powerlessness to do anything significant within their constraints.

I think of a keynote I did for executives from a bank for a planning retreat when the digital world was just coming. I interviewed a dozen top people at the bank and every single one spoke of "the bank" as something that was in the way of their creativity. When I had them off site, I asked them all, where is the bank? As they looked around they could see that the bank that constrained them was not something physical but "the bank in their heads," a paradigm of limited possibility that they had internalized. So the challenge was how to change the model of banking in their heads and the behaviors and actions it had determined. (the underlying subtext which I named, causing a deep silence, was, do you want the bank to succeed in its current form? Or do you want to maximize the value of your stock options so when you are bought, you can cash out? That, I said, will determine not what you say, but what you choose to do. The answer to that was signified by the silence - that bank was bought, and then THAT bank was bought in turn, and lots of employees are gone).

This was also the bank where a guy lingered after a different talk and tried to tell me what the culture was like. He had worn a blue shirt to his first meeting eight years earlier and everyone stared at him. He realized that everyone else wore a white shirt. He has never worn anything but white shirts for eight years, but in the bathroom stall the other day, he heard himself referred to as "the guy in the blue shirt."

Eight years. EIGHT YEARS.

So the question remains: assuming we don't want to be just a bunch of grumpy old white men (those of us who qualify for that club, that is) - what can we do? How can we contribute, how can we make a difference, however slight?

What can we do?

Posted by Thieme at 06:06 PM | Comments (0)

February 17, 2008

Real Communication

As our conversations about Hillary Clinton, Obama, George W. Bush, and communication evolved, a younger friend on an email list asked these questions. Hence my response, below, not about how to communicate effectively, but how to communicate, period.

What, in short, is the essence of real communication?

After I posted my son’s reflections on Barack Obama, my friend wrote:

I've heard this same type of thinking from many people over the past 7 years.
I've heard you speak publicly many times, both formal and informal and I think you know that I also pattern some of my public speaking style around yours. (Sorry!)

So I wonder what a thinking speaker feels beyond Pres. Bush's obvious speaking skills.

The questions that come to mind:

1. How much does a political candidate's public speaking abilities (note: not skills) reflect on the public (you?) opinion of their ability to lead?

2. How much do we as public speakers place on a candidate's public speaking abilities and their opinion to lead?

I answered:

1. How much does a political candidate's public speaking abilities (note: not skills) reflect on the public (you?) opinion of their ability to lead?

Speaking for myself, it's an important factor but not the only factor, and glibness can eclipse an inability to be effective in other areas. Reagan said he could not understand how anyone could be president if they had not been trained as an actor. In the ministry, I often said (after I had lots of experience) that if you could fake sincerity, you could do the job.

That was not a cynical or smart ass crack. It meant that you had to know how to access that part of yourself from which meaning came, where it was generated by intentionality, how it was communicated, how to hit that button, time and time again - regardless of how you felt. You had to short circuit your normal human emotions as expressed through body language and language and "come from" that deeper place, and know how to get to it when you did not want to go there or feel much like it. That's what I meant, not insincerity or hypocrisy.

Work like ministry is often a junior subset of politics (e.g. Mike Huckabee) and requires that one speak to the same audiences, often in the same words, with effectiveness and above all - high intentionality – over and over again. When one articulates every Sunday morning, as I did as an Episcopal priest, words that had to convey the nexus between this concrete everyday world and liminal worlds of ultimate meaning (really different dimensions of consciousness, "world" is a metaphor, let he who has ears, hear), and say the same things again and again - one could only do so by knowing how to be INTENTIONAL in how one spoke, that is, intending to communicate the deeper meaning of the words no matter how often one had said the same thing.

After hearing/seeing both Obama and Hillary Clinton last night, here in Milwaukee at the Democrats’ Founders Day Dinner, that same truth obviously applies. I had heard many of these "talking points," having listened to more debates and speeches this election than ever before, but you could know, feel, understand when they said something with meaning and it got communicated to you.

I did a lot of workshops outside the church setting that significantly enhanced my understanding of communication. Bottom line: communication is a function of intentionality. If you intend that someone get what it is you are communicating, they will. And at the same time, if you intend to get what someone is communicating, you will. You can disable communications coming in and blame it on the communicator or you can blame it on the listener when they don't get what you are saying, but it is always YOUR responsibility, as listener and speaker, to communicate or to get the communication, and you have to own that responsibility 100%.

In some exercises we used nonsense syllables, and that did not prevent the intention from being the driver of someone "getting it." This learning process was experiential, repetitive, and empowering. Once you knew how to do it, you could never not know that you knew, so it was always your responsibility and your choice whether to do it – or not.

So a leader by definition must communicate on several levels and in several modalities to be most effective. Speaking and listening is the province of "speech acts" in a formal way and there's a lot of data out there on those. But also obviously, "leadership" in a functional way involves a lot more than that, too. You have to know how to fund the enterprise, get the deals done, negotiate complexities, and remain the same person regardless of the role of the moment. You had to know who you were and what you intended, regardless of the variety of personae you had to use to be "all things" to a lot of people if not all of them. That’s true in ministry and political life and other areas, too.

But ... yes, often enough, complex, clear, even profound thinking and effective speaking do overlap. You can’t say what you can’t think, and you can’t think what you haven’t got words to express.

2. How much do we as public speakers place on a candidate's public speaking abilities and their opinion to lead?

One can look at Bush's reelection and say, obviously, not much. But there are many other factors there too, of course. I mean it when I say I think there is something amiss in Bush's brain that disables the ability for us to sync with his thinking. You try, as he speaks, to align with the rhythm and the meaning, but it’s like his brain stutters, then the connection is dropped, like a bad cell phone connection. It’s sometimes frightening, listening as he becomes incoherent, because that incoherence is about the ability to think clearly, not just “effective speaking.” I wish that people who know him well would contradict what I see, but so far, they have not. Greenspan said his lack of intellectual curiosity was extreme. Other “insiders” tell me of his short temper, his refusal to listen to opposing points of view, his rigidity – all signs I knew well in the ministry of someone who had been an addict for a long time. His prior life seems to have been that of an addict, a spoiled child. It was not gratifying to come to the unhappy conclusion that the cocaine and drinking had an effect. I wanted to believe that, like Prince Hal in Shakespeare's histories, he would leave his carousing companions behind and grow into a mature man. But I have not seen anything that would suggest it. And the lack of transparency in his government, his cronies’ obsession with secrecy, his violation of the constitution and insistence on a pardon in advance for companies (e.g. telecoms) that he got to go along with illegal eavesdropping on American citizens, his ability to talk the IC [intelligence community] into violating their charters and laws - what can one say? He was reelected. Is that "leadership?" Or a lapse in good judgment? Or something else?

When people in other countries asked me how he could be re-elected, I said, he wasn't. But in America, if you steal an election fair and square you get to keep it. Nixon knew 1960 was stolen but did not contest it. Gore made the same choice. That's our process.

You know the definition of a schlemiel? It's someone who, when they finally leave the room, it feels like someone you really like came in.

That will be the feeling of a lot of people when he finally leaves office.

I hope I answered your questions. I could write a book about all that but it would be outsold so quickly by Ren the Japanese phone text novelist, what would be the point? The sentences would be too long, the words too big (two, no more than three syllables, please, professional speakers used to advise), and it would be too dense ...

Posted by Thieme at 10:42 PM | Comments (0)

February 15, 2008

Hobbit Makes Cyber Crime Sense

If you aren't sure who Hobbit is ... he's a highly respected information security researcher and practitioner, and you can google him and learn more.

On a list we share, an article from The Register - MayDay! MayDay! Ruskies reinvent cyber crime - was posted.

I am copying the article and Hobbit's wiser, saner response. There is so much obfuscation and distortion in the field of computer security - so his intelligent reply is offered as a public service.

http://www.theregister.co.uk/2008/02/13/new_botnet_advances/

Not your father's botnet
By Dan Goodin in San Francisco
Published Wednesday 13th February 2008 23:42 GMT

Researchers have unearthed two previously undetected botnets that exhibit sophisticated new capabilities that could significantly advance the dark art of cyber crime.

One of them, dubbed MayDay by security firm Damballa, uses new ways to send and receive instructions to infected machines. One communication method uses standard HTTP that is sent through an organization's web proxy. That allows the malware to circumvent a common security measure employed by many large companies.

Indeed, Tripp Cox, vice president of engineering and operations at Damballa, says he's observed MayDay running inside some of the world's most elite organizations, including Fortune 50 companies, educational institutions and ISPs. (He declines to identify them by name.)

"Most malware doesn't go through the trouble of trying to discover a computer's web proxy settings and use that as a method for getting onto the internet," he says.

The botnet also uses two separate peer-to-peer technologies so zombies can stay in touch with each other, presumably as a back-up measure in case the central channel is disconnected. One protocol communicates using the internet control message protocol (ICMP) and the other uses the transmission control protocol. The ICMP traffic is obfuscated so it's indecipherable to the human eye. Damballa researchers are still working to figure out exactly what kind of information is being transported over the channel.

Up until now, the zombie army popularly known as Storm has been the 800-pound gorilla of the botnet underground. Having recently marked its one-year birthday, it is believed to comprise about 85,000 infected machines. It was responsible for about 20 percent of the world's spam over the past six months, according to MessageLabs, which provides email and web filtering services to more than 16,000 business customers.

By comparison, MayDay and another newly discovered botnet called Mega-D have far fewer nodes, but they are worth watching for a couple reasons. For one, they are likely to get bigger over time. And for another, their increasing sophistication is a good indicator of the direction professional bot herders are headed.

MayDay has also done a good job of flying under the radar. Infected machines have a limited amount of time to connect to the command and control channel. If the time stamp is more than a few hours old, the server returns an error message, making it hard for white-hat researchers and rival bot masters to perform reconnaissance. And according to Cox, the vast majority of the anti-virus products fail to detect at least some of the samples obtained by Damballa researchers. (Symantec and Sophos, in postings here and here, question Damballa on this issue.)

There's another reason why MayDay has managed to remain under cover until now: it is still relatively small. At any given time, there are only "several thousand victims" infected, according to Cox.

The other recent arrival on the botnet scene is Mega-D. It was discovered by security firm Marshall, which last week said it had dethroned Storm as the top source of spam.

Some of Marshall's peers in the research community aren't so sure about that, including Joe Stewart of SecureWorks. He says Mega-D consists of about 35,000 bots, less than half the size of Storm. Mega-D isn't propagating as fast or efficiently as Storm has, either. Finally, he suspects spam from Storm is being under-counted.

Referring to Mega-D he says: "This is a very strong botnet, but hardly a challenger to Storm."

Nonetheless, Mega-D boasts some advances that Stewart says aren't common in botnets. One of them allows it to avoid being "greylisted," a technique used by email servers to prevent spam by instructing unrecognized senders to retransmit the email later. Whereas most spam bots give up, Mega-D bots don't.

"This is the first time I've seen any bot have any type of code in it dealing with greylisting," Stewart says. "This is actually at the bot level."

Stewart says Mega-D is the work of Russian hackers and has its genesis in a little-known family of malware known as "Ozkok." It is detected by most anti-virus products, but usually is only flagged with generic labels such as "Pakes" or "Agent," which may partly explain why Mega-D has been able to grow into such a large army with seemingly no one noticing.

While the newcomers aren't as big as Storm and, depending on who's asked, aren't believed to be as big of a nuisance, they are a reminder that the development of malware is a growing business that places a high value on innovation. MayDay's ability to communicate within heavily fortified businesses shouldn't be taken lightly. Neither should Mega-D's anti-greylisting capability.

In its first year, Storm showed a preternatural ability to stop on a dime, morph and take on new capabilities. Here's wondering how soon its developers adopt some of these latest bells and whistles? ®
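The greylisting behaviour the article describes, as an added sketch that is not from the article or from any mail server's code: the server temporarily rejects the first attempt from an unknown (client network, sender, recipient) triplet and accepts a retry that arrives after a minimum delay. The delay values, the /24 grouping, the addresses and the attempt list are constructed assumptions; the replay shows that the check filters on retry behaviour alone, so any sender that queues and retries is accepted.

```python
import ipaddress
from dataclasses import dataclass, field

# Policy values are assumptions chosen for the example, not taken from the article.
MIN_DELAY = 300           # seconds a new triplet must wait before a retry counts
RETRY_WINDOW = 4 * 3600   # a retry later than this is treated as a new first attempt
PASS_TTL = 30 * 86400     # how long a triplet that passed stays accepted
TEMPFAIL = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 2.1.5 OK"


def triplet(client_ip, mail_from, rcpt_to):
    """Key on the client's /24 (IPv4 only here) so retries from a sibling
    host in the same outbound pool match the first attempt."""
    net = ipaddress.ip_network(f"{client_ip}/24", strict=False).network_address
    return (str(net), mail_from.lower(), rcpt_to.lower())


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: dict = field(default_factory=dict)   # triplet -> acceptance expiry time

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the reply the server gives to RCPT TO at time `now` (seconds)."""
        key = triplet(client_ip, mail_from, rcpt_to)
        if self.passed.get(key, 0) > now:
            self.passed[key] = now + PASS_TTL      # refresh on every use
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[key] = now                # first sighting, or a stale retry
            return TEMPFAIL
        if now - first < MIN_DELAY:
            return TEMPFAIL                        # retried too soon
        del self.pending[key]
        self.passed[key] = now + PASS_TTL
        return ACCEPT


# Constructed attempts: (seconds since start, sender profile, client IP, MAIL FROM, RCPT TO)
ATTEMPTS = [
    (0,    "one-shot",  "192.0.2.10",   "a@sender.example",   "bob@rcpt.example"),
    (5,    "one-shot",  "192.0.2.10",   "b@sender.example",   "carol@rcpt.example"),
    (10,   "impatient", "198.51.100.7", "news@bulk.example",  "bob@rcpt.example"),
    (20,   "impatient", "198.51.100.7", "news@bulk.example",  "bob@rcpt.example"),
    (70,   "impatient", "198.51.100.7", "news@bulk.example",  "bob@rcpt.example"),
    (30,   "queueing",  "203.0.113.5",  "alice@corp.example", "bob@rcpt.example"),
    (930,  "queueing",  "203.0.113.9",  "alice@corp.example", "bob@rcpt.example"),
    (5000, "queueing",  "203.0.113.5",  "alice@corp.example", "bob@rcpt.example"),
]


def replay(attempts):
    """Run the attempts in time order; return accepted-message counts per profile."""
    greylist = Greylist()
    accepted = {}
    for now, profile, ip, mail_from, rcpt_to in sorted(attempts):
        accepted.setdefault(profile, 0)
        if greylist.check(ip, mail_from, rcpt_to, now) == ACCEPT:
            accepted[profile] += 1
    return accepted


if __name__ == "__main__":
    for profile, count in replay(ATTEMPTS).items():
        print(f"{profile:10s} accepted={count}")
```

Only the sender that waits out the delay and retries gets mail through, which is why retry logic in a bot removes the protection and why greylisting is normally paired with other checks.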

And Hobbit's response:

*Hobbit*

Breathless articles like this just piss me off. It isn't about whose botnet is bigger or more secretive or what its C2 protocol is. It's really about the fact that they're permitted to exist at all, let alone successfully send huge volumes of spam.

If the ISPs would actually grow a pair one of these days and curtail untrusted customer netblocks full of known-infested machines from sending ANY direct SMTP traffic to anywhere but the ISP's own authorized and well-controlled egress relay, there would be no point in spam botnets. I wrote at length about this over two years ago and suggested some local [and arguably somewhat lame] mitigation strategies, in

http://www.usenix.org/publications/login/2005-10/openpdfs/hobbit.pdf

but how many people actually read Usenix papers, anyways. The point here is that the ISPs are a very large percentage AT FAULT for the continued existence and appeal of botnets. If you work for an ISP, go ahead, be as angry as you want at me for saying that, but you know how true it is. Have you ever spent *4 hours* on the phone with reps in the Philippines for Verizon or Comcast [to pick on the big boys] trying to find someone who can even spell SMTP, let alone do anything to solve a problem or track spam? GFL.

How hard is it to add some anti-forgery header rules to the egress dropoff mailservers that ALREADY exist, special-case a few people who actually know what they're doing, and then hop on the edge routers and clamp down on any other TCP 25 noise emerging from subscriber clouds?

HOW HARD IS IT?? Don't give me that lame "common carrier, can't do it" excuse -- you wouldn't be blocking ingress CIFS and the like either if that held any water. If you're an ISP and continuing to let botnets work under your noses, you are an overt threat to the security of many nations at once. Get busy.

Oh, and you could try answering your abuse@ mailboxes once in a while.

_H*
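Hobbit's egress rule, written as an added audit over flow records (not code from his paper or from any ISP): subscriber sources may reach TCP 25 only on the authorized relay, a short exemption list covers the special cases, and every other attempt is denied and counted per subscriber. The netblock, relay address, exemption, record format and threshold are all constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# All values below are constructed for the example.
SUBSCRIBER_NETS = [ipaddress.ip_network("100.64.0.0/16")]  # customer address pool
AUTHORIZED_RELAYS = {ipaddress.ip_address("192.0.2.25")}   # the ISP's egress relay
EXEMPT_SOURCES = {ipaddress.ip_address("100.64.3.20")}     # customer cleared to run an MTA

# Constructed flow records: timestamp, source, destination, protocol, destination port
FLOWS = """\
2008-02-12T09:00:01Z 100.64.1.15 192.0.2.25 tcp 25
2008-02-12T09:00:04Z 100.64.3.20 203.0.113.40 tcp 25
2008-02-12T09:00:09Z 100.64.7.99 198.51.100.1 tcp 25
2008-02-12T09:00:09Z 100.64.7.99 198.51.100.2 tcp 25
2008-02-12T09:00:10Z 100.64.7.99 198.51.100.3 tcp 25
2008-02-12T09:00:10Z 100.64.7.99 198.51.100.4 tcp 25
2008-02-12T09:00:12Z 100.64.7.99 198.51.100.80 tcp 443
2008-02-12T09:00:15Z 100.64.2.8 203.0.113.40 tcp 25
2008-02-12T09:00:20Z 203.0.113.77 198.51.100.1 tcp 25
this line is truncated
"""


def classify(src, dst, proto, dport):
    """Apply the egress policy to one flow and return the verdict."""
    if proto != "tcp" or dport != 25:
        return "not-smtp"
    if not any(src in net for net in SUBSCRIBER_NETS):
        return "not-subscriber"          # transit or server space, out of scope here
    if dst in AUTHORIZED_RELAYS:
        return "permit-relay"            # the one path every subscriber may use
    if src in EXEMPT_SOURCES:
        return "permit-exempt"           # the special-cased customers
    return "deny-direct-smtp"            # what the edge router would drop


def audit(text, threshold=3):
    """Return (verdict counts, subscribers denied to >= threshold distinct hosts)."""
    verdicts = Counter()
    denied_dsts = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            _ts, src, dst, proto, dport = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            verdict = classify(src, dst, proto.lower(), int(dport))
        except ValueError:               # wrong field count, bad address or bad port
            verdicts["malformed"] += 1
            continue
        verdicts[verdict] += 1
        if verdict == "deny-direct-smtp":
            denied_dsts[str(src)].add(dst)
    suspects = sorted(s for s, dsts in denied_dsts.items() if len(dsts) >= threshold)
    return verdicts, suspects


if __name__ == "__main__":
    counts, suspects = audit(FLOWS)
    for verdict, n in sorted(counts.items()):
        print(f"{verdict:18s} {n}")
    print("follow up with:", ", ".join(suspects) or "nobody")
```

The per-subscriber count of distinct denied destinations gives the abuse desk a short list of probably infected machines instead of a raw drop counter.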

Posted by Thieme at 09:53 PM | Comments (0)

February 08, 2008

Fresh Cargo Ship Arrives at Space Station

Maybe it's just the mood after two feet of snow (beautiful, quieting, shutting everything down for a day) on top of as much snow as we usually have in a winter ...

or maybe the lack of sleep waiting for the news that finally came at 5:30 a.m. that my son Aaron Ximm (http://www.quietamerican.org/) (see the Quiet American web site for found sound and one minute vacations) and his wife Bronwyn have their first baby, a beautiful girl, 9 pounds 5 oz ...

but when I saw this headline in the list of space stories of the day, it flashed me back to a short time ago, only a few decades ago, when seeing this headline

Fresh Cargo Ship Arrives at Space Station

would have meant I was reading Willy Ley (does anyone remember that name?) or science fiction.

And I thought, what headlines a few decades hence will hit us the same way? what will be commonplace, then?

today, it’s a plume of water jetting from Enceladus or a picture of a methane sea on Titan or more detail on the map of Mars ... my bet is that then we’ll be out of the solar system, earth-like planets will be known in significant numbers, we'll have outposts on the moon, Mars, a space station at a Lagrange point, another in the asteroid belt (it’s the high ground for military watchfulness, a new frontier for mining) ...

and the Cantina scene in the first Star Wars film will seem like a cartoon but a cartoon that illustrates a real multi-species society ... because we will have allowed ourselves to accept a more humble place in a universe teeming with life ...

Posted by Thieme at 02:57 AM | Comments (0)

January 31, 2008

Hacking UFOlogy

Here is a link to a talk I gave for hackers and their many and various associates at Def Con in Las Vegas last summer (August 2007), my 12th year speaking for this wonderful group ...

"Hacking UFOlogy"

the purpose was to send them out to look at the data and begin to see for themselves, as good hackers do ... it included a 30-page handout which will be sent to anyone who requests it.

http://hardflame.blogspot.com/2007/10/must-see-defcon-talks.html

Watch the talk as it streams or download and save it.

Also watch the two other talks at this link by Johnny Long (of Hacking Google fame, a great resource for researchers) and Bruce Schneier who usually needs no introduction.

Posted by Thieme at 09:43 PM | Comments (0)

January 29, 2008

Ethical Formation Worthy of the Name

A bunch of us were talking online about intelligence and ethics. Yes, I know that sounds like an oxymoron, like “military intelligence,” but as usual, it isn’t that simple. People at the extremes are not in the conversation as a rule; that is, those who are deeply ethical from the onset do not choose work that requires lying, deception, blackmail, stealing, and perhaps torture and killing as part of the routine, while those who have been deeply into the work for many years don’t worry about ethics and never raise the subject. It’s the ones in the middle, those who do the work, but have consciences, consciences that won’t quit, that nag at them about things done or known to be done. When they have no other choice – and only when they have no other choice – they become whistle blowers. Most, however, negotiate with that nagging conscience and stop short of betraying friends and the agency (whatever one it might be) and find ways to live with themselves. Just like the rest of us.

More about intelligence and ethics another time. This time, my contribution to the conversation was a reminiscence of my training for the ordained Episcopal ministry which is part of me still. Bottom line: any call and commitment to right behavior requires deep self-knowledge and a willingness to participate in structures of accountability so we will really grow in the directions we say we want to grow.

This is what I wrote:


The training I received for the ministry is relevant to this discussion. There were three years of intensive study, all of which was useful, of course. But the most valuable three months was what we called "clinical pastoral education." In a hospital setting, usually, sometimes a prison or other alternative site, we met every day in a group of six, a "growth group," as we said back then, with a very good supervisor, which was necessary for success.

We showed up, were assigned to wards, and told to go be chaplains. Period.

Then, the supervisor talked to us, nurses, doctors, professional chaplains and got feedback about our performance. Every day we brought our experiences to the group where we were quickly and directly challenged if we were unaware of a lack of congruence between what we felt, thought, said, and did. The goal was to provide feedback that enabled us to integrate what we learned on the job with how we presented ourselves (in ministry, unlike IT and infosec, the person and the interpersonal are the real tools; a context for meaningful pastoral care that was both realistic and compassionate was the intention). We did weekly verbatims, detailing complete dialogs with patients, and were critiqued, and we met weekly with the supervisor for intensive reflection on all of it. We wound up telling him or her just about everything.

Every twelve days we did a 32-hour shift, two full days and a night on call, and responded to emergency room traumas and especially DOAs. We often met people at the door as they arrived with their suddenly-dead spouse or child and mediated the grief and horror of the experience.

Unless you were unconscious, you learned that the catechetical approach to ministry (and often to life) - thinking you knew and telling people what was true - did not work. What worked better was what we called the theological approach, i.e. embodying what you believed in how you behaved, being fully present, making what you believed implicit in your interaction with someone, not giving a lecture from your head to theirs.

One week was also dedicated to confronting "death." We processed in the group and with the supervisor the critical experiences of our lives in relationship to death so that when we dealt with such absolutes in peoples' lives, we were not glib, evasive, or in denial about our real feelings about loss and death - which creates incongruity. We learned not to give glib smiley-faced answers and to know when we didn’t know.

“Death week” included immersion in an autopsy, passing around the brain (the regulars always had side bets on the weight of the brain and one who was most wrong had to buy coffee), the inner organs, glands, winding up covered in blood and with the indelible odors of body cavities imprinted forever and deeply. One did not easily forget the way the face, where we read so much humanity, wrinkled with simulated emotion as it was slid up off the skull so they could drill a trap door to remove the brain. That drill was real loud, too. It was very difficult to think of death in an airy-fairy way after seeing the brain of someone you had talked with for weeks in a bottle with a label, taking his organs as they came out of the bloody cavity, etc. Anyone who thinks the word "animal" applies to OTHER animals ought to do this.

The integration of a moral/ethical perspective with a realistic theological approach to life and our work, and a deep, profound respect for the facticity of creation as is, where is, was the goal of that three-month session. I remember still with gratitude and affection the guiding hand of my supervisor at Lutheran General Hospital in Park Ridge IL.

In short, the action-reflection model with support for clarifying our feelings and aligning them with our thinking, under the guidance of a well-trained mentor, is critical to the sort of learning such interaction can provide. But the leader MUST have gone through even deeper training so they do not unintentionally skew conversations in any direction of unreality, and in turn, when we did our years of intensive counseling, often during crises, in our ministries, whatever we had not faced and resolved or integrated in ourselves would be an obstacle to allowing the same issues to surface clearly in a counseling session. (example: I was much more effective in marital counseling AFTER my divorce because the issues I hesitated to face before it happened, being afraid, were up and out, known and seen, and I did not subtly divert conversations away from touching on issues too painful for me to face.)

I cannot imagine meaningful ethical reflection without thinking of this highly effective model. Lectures without self-knowledge and self-understanding become the heavy artillery of defending our frightened or fragile selves and defeating another. The catechetical model rather than the incarnational prevents reality from showing up in helpful ways. But it does take courage to move through that process, which is why I think so many avoid it. The courage comes from mutual support, mutual understanding, and ultimately, the mutuality implicit in our shared humanity.

Posted by Thieme at 09:49 PM | Comments (0)

Real Politics

A friend on a list said this about Barack Obama:

being all too exposed to the level of racism and prejudice in the non-metro areas of our great nation, I've no confidence at all that if elected, he'd live to take office. It's fabulous that he has been so successful in attracting those who'd not bothered to vote before back to the polls. However the understanding that it just takes one loony (goaded on by extreme media messaging) and a less than motivated protection detail to take him down is all too real to me.

to which I responded:

unfortunately I responded the same way while watching his (Obama's) dynamic victory speech in South Carolina. "If he genuinely threatens the powerful interests he attacks on the stump, he'll be killed," was the comment, I believe. A coalition of haters and shooters is always in the wings.

I found Caroline Kennedy's statement sweet and lovely and about on the same level as the recent movie "Enchanted." "I am sending you to a place where there are no happy endings," said the witch, except in the film, Disney finished it with exactly that, using of course a cartoon (what else?) It is wonderful that the impact of her dad (do you know, "Camelot" was not used until after 1963, not during or before?) on those of us who were young then, that charismatic campaigner in 1960, has remained indelible for some, while the details of his (and his brother's) ruthlessness, extralegal activities, and pathological assault on the same mobsters who helped to elect him, have all faded from memory. (Can you imagine the response if W reversed the post-Kennedy law with the help of Scalia and Company and appointed Jeb - or his dad - as Attorney General?)

I do believe Obama is giving a new generation a splendid illusion of hopefulness and that's what youth is about, fond and cherished illusions that stir and animate the soul, while middle age is about de-illusioning as the archetypal projections of that same soul shred like old newspaper in the wind and driving rain, and then senescence as they used to call post-sixty (now we call it "the portal to the next fifty years") is about realistic strategies to achieve the best we can get in the face of what we know is real. Maybe McCain who was tortured for so long and like the Kafka protagonist in The Harrow, saw the light with shining eyes at the end of his ordeal, best understands what was and is and is to come.

This is an optimistic statement and I hope it is read as such. Afghanistan deteriorates, Iraq is fragmented and bloody, and the real problem now - the mountains of Pakistan/Afghanistan where both Taliban and Al Qaeda find support and safe haven - are (mostly) off limits. The Brits promised both Jews and Arabs Palestine after WW1 which ought to remind us that long-term consequences don't just go away. Yet here in the upper Midwest, the softly falling snow blurs all of the rough edges, buries the landscape with its dark shadows, quiets the wind, and reminds us that beauty and peace can be found in blessed forgetfulness ... think the opening scene of Fargo, before the violence begins, and be grateful.

Posted by Thieme at 06:59 AM | Comments (0)

December 19, 2007

A Reader Reflects on Beliefs and What Happens When They Collide with Life

Beliefs and Confrontation

by

Karen Hamp (klhamp@yahoo.com)


Two articles in the news left questions in my head. What do I believe in strongly enough to take a public stand? How and why did I form those beliefs? And what would happen if I were confronted in a personal way with that which I stood for?

In the first article, a church, attended by the sole survivor of a senseless tragedy, confronts its strong work and belief that the death penalty is wrong, and weighs it against its own anger, and vengeful feelings, and its sensitivity toward one of its members.

Several weeks ago, a house was broken into, the husband was tied up, the wife murdered, the teenage daughters raped, and as the husband got loose and tried to get help, the men who broke in set the daughters on fire and they burned to death. Only the husband survived.

His church now tries to weigh its multi-year, socially active, anti-death penalty stance against its anger, and the anger and anguish of the man who now has no family. For years they have used mistaken identity as a basis for actively working toward not killing criminals. There is no mistaken identity in this case. The men were picked up leaving the scene. They have used the love of Christ, and the case against vengeance in their righteous campaign, and now they confront their own feelings, and those of the surviving father and husband who is part of their own body. There are some who are shocked at their own vehemence and vengeful thoughts and feelings. Vengeance is now a personal experience for many there.

In another story, a man in California has publicly fought to keep the expanses of desert flora, known as chaparral, natural. Others wanted to burn, burn swaths, or clear cut in order that periodic fires would not spread. The man argued that it was a natural ecosystem for birds and other life, and needed to be left natural. A few weeks ago he was on his roof with a hose in defiance of an evacuation order to save his home from fire. The fire was feeding on the burning chaparral surrounding the area of his home. He now says he understands as never before the importance of cutting the chaparral in a wide swath around buildings. And the people who have suggested cutting fire lanes thru the chaparral seem much more credible.

In both cases, people who thought they were doing the right thing are questioning the rightness of their stand. Or the way they presented it. These are good hearted, socially active people who have been coming down on the side of good for all and for the earth. And now have been knocked off balance.

They were trying to fix a world which they perceived as out of balance. And were then knocked off balance themselves when the solution they were proposing as a general rule, turned against them, in a very personal way.

Back in the 1960’s, Joseph Fletcher, an Episcopal priest, wrote a book on situational ethics. He said there were no absolute “rights” other than the law of “agape” love. He felt that all legal and ethical situations needed to be examined in relationship to loving concern.

What is the most lovingly concerned approach toward the man who lost his family and toward the humanity of the church members, and indeed, toward the men who broke into the house? What is the most lovingly concerned answer for the natural habitat called chaparral, for the people who build there, for the earth itself, whose winds, weather, and water are affected by clearing forests, burning fires, and disturbing the natural order?

What do I believe in strongly enough to take a stand? And how might I be knocked off balance? What might it take for me to be not so sure anymore that my stance or my way of presenting it was exactly “right”?


Posted by Thieme at 07:27 PM | Comments (0)

December 03, 2007

Habits of Thought

until we get the Second Edition page up and running, I will be posting "The Second Edition" here on the blog ...

Habits of Thought
by
Richard Thieme


A lot of my writing and speaking looks at how to turn context into content, invisible assumptions into visible structures, background into foreground while illuminating the frame of the picture as well.

Security professional Matt Blaze said, the weakest link in the security chain is often the definition of the problem, and the real definition of the problem is often not the one that is advanced. So we need to know what to do to discover the real definitions, the essential ones, that will flood the problem space with light.

"What is the thing in itself?" asked Marcus Aurelius, an information expert in his own right. “What is its essence? Look beneath the surface; let not the several qualities of a thing nor their value escape your gaze.”

Software and hardware do not simply add tools or processes to our lives – they form habits, and once they become part of the infrastructure, part of the culture, those habits are stealthy. For information technology professionals, whether the ones who build or the ones who secure networks, to become aware that the structures they create shape the behaviors and thinking of people who interact with them is critical.

For counter-intelligence professionals, too, seeing the context is not an option. Context is content, plain and simple. If nested levels of appearance cloaked with deception are misunderstood, it is impossible to hit the real target. The old Cold War and the new one are replete with examples of elaborate ruses run by the KGB, among others, and the level of strategic thinking needed to see what is really happening.

Counter-intelligence is a skill that ought to be taught in schools as necessary for having a clue. Seeing the context and turning it into content is essential for anyone who just plain wants to know what is or might be real. It isn’t an option for outsiders like us either.

I hope to weave together these three domains – information security, counter-intelligence, and the basic human desire to understand what’s going on – in this piece.

Failures of intelligence often result from group think, the peer pressure of political necessity, corporate cultures that force creative thinking into habitual molds to make it acceptable. Then—after an unfortunate event – the tendency to cover one’s butt ensures that the transparency needed for subsequent accountability - which might prevent something similar from happening again – does not take place. Recent political history brims with examples.

I often cite the wisdom of Robert Galvin of Motorola, who said that when a group faced a problem and everyone quickly came to the “right solution,” it was always wrong. The reason, of course, is that a quick consensus is necessarily grounded in the past and past perceptions always fuzz the current data, making it fit prior models. Galvin added that real breakthrough ideas at Motorola during his tenure were always minority opinions at first and sounded crazy when first stated like the notion of a “chip in the head,” a then-radical idea that is now a mundane “medical implant.”

A few years ago I listened to the wisdom of a profiler for the CIA describe the habits of thought she had learned to apply in her work—work that resulted in commendations for helping to track down and prosecute a man who had killed two of her colleagues. I think her practice is worth reviewing. Although we mostly discussed network intrusions, her insights apply to hacking any system including the complex webs of mass media through which much of our working knowledge is spun.

When we looked at a network intrusion, she said, no matter who did it, it was best to look with a “beginner’s mind.” Do not bring preconceived notions to the task. The data when seen clearly always told us what we needed to know. This was true whether investigating serial killers, terrorists or criminal hackers.

A common assumption in the early days was that we faced “a young male hacker,” an assumption that had to be completely disregarded. We learned it worked best not to impose a template on the data. In the instance of the DC snipers, for example, every assumption about their identities was wrong. Yet ... we can’t help but bring some preconceptions with us. So corrective mechanisms need to be built in. We need not “group think” but a “group that thinks.”

A former FBI profiler, William Tafoya, echoed this insight. When the Bureau was searching for the Unabomber, Tafoya’s counter-intuitive sketch of a suspect was right on, but contradicted the primary working assumption of the bureau. He calls it a fluke, his throwaway line when asked who he thought they were seeking: that the Unabomber was “a monk on a mountaintop in Montana.” But his intuitive leap was a hit because it resulted from processing a great deal of data and then refusing to censor the hypotheses the data suggested.

My friend, the CIA profiler, said that the common belief that network patterns, constituting sets of known predictable behaviors, lead to specific criminal hackers is too narrow and unsophisticated when you observe good attackers. The latter are invisible, like ghosts, vague shapes moving stealthily at night. It is sophomoric, then, she said, to rely on templates because they exclude critical data and make the rest conform to expectations.

If I had a stereotype in mind, she confessed, I always blew it. Always.

So look at all of the data and focus on what is left behind. Focus on the evidence. Track back from “What were they after?” to “Who is likely to want that or do that or be that?” Covering one’s tracks completely is rare because a person entering a system always has an m.o., whether the system is physical or a computer network. Unconsciously or consciously, the patterns of their actions reveal their identities over time.

Such an approach is not trivial. It requires intense concentration and constant self-monitoring. The analyst is the real tool, and without the ability to step back and observe how that tool is used, how the analyst has been framed to approach problems, the tool will implement the assumptions built into it without thinking about them. Tools are extensions of the self, even when the tool IS the self. Tools are also extensions of organizational cultures and probe reality with all of their preconceptions built in.

And because there are a thousand puzzle pieces but no box with a picture to guide us, the degree of clarity required is exceptional.

So, she said, I learned not to form a pattern too quickly. I learned to interrupt my thinking when I reached for premature conclusions. A real profiler is the opposite of the popular conception of someone who leaps to conclusions as portrayed on television dramas. If you leap too quickly, you always have to unlearn what you thought you knew. You have to empty the cup, as the Zen story has it, to be teachable. You have to see the cup before it is filled so the shape that imparts form to whatever it contains can be discerned.

The way to do this is to observe yourself. But because no individual can factor in all of their unconscious assumptions, a team approach is needed. But the team must also observe itself or have specialists designated to question its assumptions. Someone must say: Wait! Stop! Interrupt! and help people distinguish what they think they see from what the data suggests.

Enterprises and individuals alike must build in an openness to heresy.

Ask, is this really true? Or does it seem true? Does it feel right because “everyone thinks so,” because it has been repeated so often, or because an authority says so and we had better go along with what they want?

Stop yourself from completing the loop too quickly. Ask at each step: how do I feel about thinking this? What am I missing? If my hypothesis is true, what other things must also be true, and how do they hold together? Did I conclude too quickly that “this particular kind of breach” must come from “that particular kind of person?” Especially with insiders, did I look for someone who does not fit the expected pattern? Always ask: who am I to know that, think that, be that, do that – without sufficient data?

Where do my conclusions and beliefs originate? How did they lead me to define the problem – and therefore the solution?

And if technologies shape social, psychological and cultural spaces, as I said, security and intelligence work in turn shape technologies. When the battle space is the hive mind of a global society, security and intelligence are thermostats that regulate the dynamic flow of information and data. Identities created at top level – the level of nation states, say – devolve into implicit commitments among practitioners to prevent the chaos which is always threatening to break out in the global system, forging new, more uncertain identities as a matter of course. Those identities do not have names, not yet. But in the trenches, deals get done on the basis of what one can do, what data one can deliver, not who one says or even thinks one is. Identities prior to action are always disguises. False flag operations are run not only on others but also on oneself, in good “Scanner Darkly” fashion.

So if others cannot always be accepted at face value, neither can applications like Hotmail or Google that filter information into our lives or the organizational identities behind them. Who built them, and to what multiplicity of ends? In all networks, electronic and human, boundaries blur and we occupy multiple nodes in multiple nets at the same time. Unless we connect all the dots, the pattern of the stars can be a bird or a bear and there is no point of reference for determining which.

So this profiler’s approach seems to apply to everyone seeking the truth in a world of disinformation, misinformation, and muddle. Depending on the scale or level of operations, the more difficult task is to understand the real identity of the organizational structures one confronts, whether a trans-national corporation, media or entertainment conglomerate, a university, a criminal enterprise, a state or non-state spin-off. All those terms are just names for public consumption. Only actions observed at depth and rendered in complex maps can reveal the real end of the enterprise.

Security professionals know that the apparent organizational structures in which attackers are embedded are veiled with deceptive claims, and false links to support those claims are distributed widely online and off in sophisticated ways. For example, if nodes from which sophisticated phishing attacks originate seem to be located in online China, are they sources of state-sponsored espionage, non-state freelance hacking, or organized criminal hacking? China, we know, is a “dark guest,” uninvited but present at many parties, the number one hacker enterprise in the world. But Israel is number two. Does that make Israel an enemy instead of a close friend? All those documents delivered by Jonathan Pollard to the Israelis – were they all used to map our intelligence efforts or were they bartered to whoever for whatever might be of value?

The deeper issues are generally reserved for specialists. People get uneasy when these contradictions and challenges are discussed. It gives us headaches.

But ... if by “attacker” we also mean those who assault our desire to have a clue by making it difficult or impossible to see the bigger picture, then every entity that distorts the truth is the enemy of the body politic and the essential human enterprise which is to understand our world. When the “guardians of the interface” to our information about reality do the distorting, does the enemy become all of us, too, then? Are we denied access to information not only for security reasons but to prevent transparency and accountability as well? And does that turn an investigative reporter into the equivalent of a terrorist?

"What is the thing in itself?" asked Marcus Aurelius. This is still the question that must be asked if one seeks to know what is going on. Counter-intelligence – seeing the sources of the information we receive, playing the “great game” because we must – becomes a de facto requirement for being minimally informed.

Ask, is the organizational identity what it seems to be? Who is served by their actions? Who profits? Do we know who directs the enterprise, as opposed to who seems to direct it? Are there hidden links between the directors? Follow the money – to what relationships does it lead? Is any of this information available through media and research or must one be a specialist or have clearances to know?

This effort too is not trivial and requires constant attention and self-monitoring. Who has time for all this, much less the energy needed to contend with the dissonance of knowing that this approach is appropriate to the task? Even watching the “news” requires such an attitude these days, doesn’t it? In a recent celebration of sixty years on the air, the news interview program “Meet the Press” ran a montage of VIPs who had appeared on the program. What was striking was that with one exception every single one was lying. Every talking head down through the decades addressed issues with obfuscation, distortion, evasion, everything we have come to expect in a world of spin, PR, and propaganda. Before our eyes, “history” turned into sequences of spin. So when the current candidates for president subsequently appeared in clips, doing the same thing, bobbing and weaving, saying little, it was clear that we have been watching an ongoing charade presenting itself as a responsible news program for decades.

As the historian at the National Security Agency said when I asked what history we really shared ... “Anything up until 1945.”

The speed of the leader is the speed of the team. The current administration does not believe that transparency or accountability through meaningful congressional oversight are good things. Only time will tell if a two-term limit on the presidency and a two-party system for checks and balances is sufficient to redress the consequences of obsessive secrecy and the view that constitutional law is an option or whether the kinds of scandals that resulted in the Church and Pike Committees in the seventies will be needed – if they are still possible, if they are not managed out of existence by sleight-of-hand and distraction.

It is not paranoia but common sense to recognize that designer scenarios make up the scenery of our lives. The more granular one gets in an examination of the cultural landscape, the more uncertain the visible evidence becomes. A coast line that looks long and smooth from orbit becomes a series of twists and turns, any one of which might look like a solid wall but can be in fact a door to another level or dimension of simulation or designer reality.

By advocating that profiler’s approach and level of discipline I am advocating something that unfortunately does not sell well in this society. Look at book racks in any of the big boxes and you’ll see what sells. Comfort, a feeling of security and simplistic thinking sell. Perplexity, complexity and sources of dissonance do not. Yet it is my experience that reality ultimately digests best and unreality causes constipation, or worse.

No one said it would be easy, did they? We may not be able to win this game of knowing what’s going on at an elemental level, but if we want to play, that profiler’s insights are as good a guide as any to how to do it. As the devil said in Woody Allen’s “Deconstructing Harry,” “Sometimes you’re up and sometimes you’re down. In the end, the house always wins. It doesn’t mean you didn’t have fun.”


The Second Edition is a periodic reflection by author and speaker Richard Thieme. Subscribe (or unsubscribe) by writing to rthieme@thiemeworks.com and stating subscribe (or unsubscribe).

Richard Thieme (www.thiemeworks.com) speaks and writes about the issues of our times, with an emphasis on technology, media, security, intelligence, and spirituality in all of their human and cultural dimensions. He speaks to every manner of organization – if you need a speaker, email rthieme@thiemeworks.com.

Posted by Thieme at 08:25 PM | Comments (0)

November 14, 2007

Filtering the Fortean Storm

A friend who manages a list asked us to think about the kind of foundation we might establish had we the means.

This may not be quite that, but it's what I submitted as a shot in the dark when I saw the Knight Foundation's invitation, below. My offbeat proposal made the first cut but was not confined to a defined community ("the earth" is not sufficiently constrained) and that was that.

But the essence of it is addressing the need for education in critical thinking, deeper thinking, learning how to do research (beyond clicking something on the first Google page or accepting at face value a Wikipedia article), learning how to turn context into content for reflection, turning conclusions into premises, in short, thinking.

I asked for a million dollars over three years, BTW. I mean, why not?


My friend wrote:

> Assume that you win the lottery, cash in your stock options, or otherwise are fortunate enough to have some extra cash and you want to set up a foundation to use your wealth to "do something". What would the purpose of The Foundation be, and what might the general strategy be to achieve your aims? What would the cause be, how would you target your foundation's actions to have the best leverage, and would your aim be to have the foundation be self-sustaining long term (paying out less per year), or would yours take the form of giving more away now, to have greater impact until the money runs out?

and the Knight Foundation published this teaser ...

KNIGHT FOUNDATION SEEKS INNOVATIVE IDEAS FOR NEWS


If you have a bold new idea for improving the production and delivery
of news and information, the John S. and James L. Knight Foundation
wants to hear about it.

The Knight Foundation, a backbone of American philanthropy in
journalism and First Amendment causes (and a supporter of Secrecy
News), has millions of dollars to give to help nurture new ideas for
the future of news.

"Whether you're a high school student, a college professor, a truck
driver, a brain surgeon, a stay-at-home parent, a journalist, an
entrepreneur, a nonprofit organizer or anything else, anywhere in the
world: If we like your idea, we will give you money to make it
happen."

and I proposed ...

Filtering the Fortean Storm

Mining Masses of Anomalous Data in Pursuit of the Bigger Picture

The history of science brims with papers not published, papers published but ignored, and anomalous data that remains invisible or is discarded for lack of a pattern in which to integrate it, e.g. Lawrence Morley’s paper on spreading seafloors and plate tectonics, rejected by the Journal of Geophysical Research as more appropriate for cocktail party speculation but later described as “the most significant paper in the earth sciences ever to be denied publication.”

Other critical breakthroughs, ridiculed by the thought police of a mainstream consensus, never got into a paper at all. Because those transformational insights conflicted with the consensus reality of the majority, they were literally unthinkable, unheard at the edges of society’s conversation with itself.

The information revolution, while resulting in a storm of anomalous data derived from random observations and ideas, has accelerated the flow of information, but has not generated the means for discerning meaning and patterns in that flow nor taught citizens how to search for meaning.

The information revolution has also accelerated the speed with which new paradigms or consensus realities replace former ones. As constructions of society, new ideas move from the edges where they are not heard, then rejected or ridiculed, then accepted as the core of a new consensus, by which time newer ideas are emerging at the edges. Because the flow of information is accelerated by current technologies, this is happening faster and faster. The rate of change is itself changing.

Yet cultural and societal filters as well as the conservative nature of scientific progress remove anomalous data and unusual observations and reports from the mainstream. Significant insights, especially ones which might turn out to be revolutionary, are not allowed into the light.

Paradigms determine the questions that can be asked. Once one determines the questions that can be asked or even thought, one does not have to worry about answers. Answers to unasked questions remain forever implicit in unknown and unthinkable notions beyond the edges.

Current political and social realities filter out even more data because secrecy in the name of security obsessively excludes much data that would inform people about ... the Real. Scientific and social scientific research, often weaponized or hidden in covert budgetary sleeves, is increasingly done out of sight.

Areas in which this dynamic is rife include - weapons development, biotechnology, research in psychology, sociology, and anthropology, credible observer reports of unconventional events and objects, pharmaceutical and medical research, political and economic events, and much more.

It is not complexity or massive amounts of data that prevents the average person from seeing the real. No one is overwhelmed when they enter a university library with millions of volumes when they know how to use a card catalog and the Dewey Decimal System. No, it is not the mass of information, but whether or not it is indexed in a useful scalable way, that matters.

When it is, we can do what we call “research” rather than merely googling random items arranged according to predetermined or accidental patterns. Then we can aggregate data into meaningful patterns. Then we can aggregate the anomalous and make it meaningful. Then we can critique current models of reality and discover new ones.

The tools to filter large masses of data already exist. They are used by the numerous components of the intelligence community, think tanks, research facilities, and corporate R&D groups to identify relationships and patterns. From time to time, insights derived from this enterprise lead to a hierarchical restructuring of the models and habits of thought that make sense of our lives. Then new possibilities are disclosed that transform the very definition of what it means to be human.

This project suggests means by which to put these tools and knowledge of how to use them into the hands of ordinary people. Invoking the name of Charles Fort, who spent his days searching through periodicals from all over the world and aggregating anomalies which suggested new insights (such as panspermia, the seeding of planets with organic molecules from interstellar space, now an accepted fact but ridiculed when he wrote it), I call this enterprise “filtering the Fortean storm.”

This project has two components: mining the Fortean Storm AND educating the citizenry in how to derive value from thinking critically about the results.

(1) Create and make available on the Internet an inviting interface that would enable people to input observations and anomalous data.

(2) Simultaneously adapt the means of mining large aggregates of data to this enterprise. Public/private government/corporate/NGO partnerships would assist in this phase, porting their expertise to the body politic at large.

(3) Educate and train people online through tutorials and mentoring how to think critically and remain agnostic about anomalous data, how to hold things tentatively while entertaining new models, how to curtail ridicule as a primary means of filtering. The simple tools and techniques of doing research – the marks of rational and critical thinking, openness to heresy (“all great truths begin as blasphemy,” said George Bernard Shaw), and the use of research tools – will be taught online interactively as well as in communities through public venues. Organizational structures will scale. The use of volunteers will be essential.

(4) Use the expertise of classification analysts, that is, librarians, retired intelligence analysts, project managers on both a volunteer and paid basis to develop these meaningful structures so users are not overwhelmed but encounter a scalable, useable interface which fractal-like enables individuals and communities alike to move up the ladder of abstraction to the bigger pictures that currently elude us.

Posted by Thieme at 04:33 PM | Comments (0)

November 13, 2007

What is it About UFOs?

This is a cross post from The Second Edition, a new newsletter. The newsletter won't always be about UFOs, of course, but sometimes it will. I have been keenly interested as opposed to merely interested ever since an Air Force officer told his Episcopal priest, who was me, then, that "we chase the things and we can't catch them." That was thirty years ago, and like most people who really take a look at this subject, I have become more and more convinced that real vehicles have been flying around our planet for a long long time and we did not always make them. The subject with its many detours into psychological operations, deception, black budget research in some very interesting areas like materials science, perception management, and propulsion systems, the cottage industry and its folkways - it's all worth exploring, isn't it?

This is a polemic, written after Chris Matthews made a real fool of himself. I just couldn't help it. The sentences are long and rant-like and I was told by a reader that it just doesn't work for a digital format. True enough. People click away from a You Tube video in fifteen seconds if it does not grab them, after all. One thought just led to another ("It's no wonder how complicated things get," wrote E. B. White, "what with one thing leading to another.") So I will write simple and short ... when I can. If I can. Maybe.

Anyway, this flashed up in response to a scene that belonged in Idiocracy that the cable station had the balls to call "news and commentary."

What is it About UFOs?

When you think about it – I mean, really step back and think about it – the reaction, I mean, to Dennis Kucinich’s statement the other night during the Democratic debate, about seeing an aerial vehicle, a large dark triangle, something reported by many people in this and other countries and probably one of our own, one of our new stealthy inventions, but one he couldn’t identify – the fact that it was brought up as it was, to ridicule a man whose candidacy has already been made to seem silly, a waste of time and money – and then more ridicule and disdain, after the debate, the thigh-slapping laughter of a loud shouter like Chris Matthews who hooted and hollered and asked other candidates like Joe Biden did they “believe” in UFOs as if this alone of all domains is not a question of evidence, thinking about it all, but a belief like leprechauns or Santa Claus or God - and then, when Governor Richardson of New Mexico stated the obvious, that there is a documented record that our government has withheld information about the subject for decades – not months, not years, but decades – his quiet statement caused the already wildly raving Matthews to get even louder and wilder, demanding to know, my god man, do you think there was a cover-up? a cover-up? And all this said not simply with confidence, but with arrogance fused with ignorance, as if we do not live in a secrecy-shrouded world in which millions and millions of government documents, even when they have been declassified, will not emerge into the light of day for years – years! – a world in which statesmen like the late Senator Patrick Moynihan wrote an entire book about the negative impact of obsessive secrecy (and that was before the Cheney-Bush regime took it up another notch) and how unnecessary secrecy eroded the fabric of a once-open society – I mean, when you think about all that, while the rest of us live our lives downwind in the bluster of the loud shouters screaming their beliefs as if they were part of a civil discourse or a civilized debate – well, all a member of the hidden crowd can do is laugh or weep or perhaps wonder what in the name of God is going on?

I mean, think about it. Mention the silly distractions used to draw the scent into the bushes, nonsense like Britney Spears or the Hilton woman or the dead one, what was her name, now, Anna Nicole, just bring them up, I say, and you’ll get hours of silly discourse, pundits and news anchors and bloggers taking the silly nothings so seriously, playing hand-in-glove games with their publicists, as if such trivia has anything to do with anything real or anything that matters at all, making the silly film Idiocracy seem like a pretty good forecast of things to come, no, things already here.

You understand, it did not just happen. UFOs were not ridiculed when they were covered as news, years ago. As well they ought to have been. Anomalous vehicles having their way and will with our skies, showing up as Look Magazine documented over nuclear plants like Hanford and air force bases all over the country – that’s news, or ought to be. Vehicles behaving in ways that led Life Magazine to conclude, with an in-depth article using official quotes, that the vehicles which had been photographed and documented by official USAF cameras, were in all likelihood extraterrestrial.

Because, given what they did and how they did it, what else could they be?

But you wouldn’t know that, would you? You wouldn’t know that there exists a voluminous amount of data, an immense historical documentation going back into the nineteen thirties, long before the so-called “modern UFO era” had begun, filled with credible observers who were flying fighters or commercial planes or simply looking up or straight ahead, sometimes, at something landing, something alive coming out, then taking off again and disappearing so quickly it made their hair stand up. To observe that this history exists and is well-documented by serious researchers, that historical studies like Keith Chester’s Strange Company, a book that compiles reports mostly from Europe before the second world war and then, during and after the war, or historical articles by Michael Swords, a retired professor from the University of Western Michigan, documenting for example the Robertson Panel, a group that established CIA-supported debunking and ridicule of reports, keeping them out of the mainstream news, or the Condon Committee, a “scientific” panel intended to settle the matter once and for all, the conclusions of which however contradicted the data in its own report, as if the committee did not even read its own work, and indeed, the chair had declared his conclusion with a chuckle and a wink long before the committee had done its work – one could go on and on, there are many serious well-researched works that document the phenomena, and the obviously successful campaign by the US government to use ridicule above all to make the whole domain a matter of jokes and precisely the kind of silliness for which we can thank Tim Russert, Chris Matthews, and their pals, who have never seen much less read any of this serious work, or the other accounts that accurately describe the cottage industry of useful idiots, pathological liars, con artists and flimflam men (and women, of course), making multiple points about the real serious research, as well as the ways that psychological operations and propaganda have been carried out for many years, addressed to the people of this country of necessity in addition to “enemies,” the stated targets of deception, it now being impossible to distinguish one from the other in a world of ubiquitous information.

The subject, in short, is complex, vast, and worthy of study.

So I ask, once again – what is it about UFOs that makes them such a subject of ridicule when patently ridiculous subjects like Hilton and Spears are treated with respect and amplified by the loud shouters?

A friend who spent his life at the National Security Agency doing analysis said to me once, speaking of the practice of deception – “Illusion, misdirection, and ridicule, these three. But the greatest of these is ridicule.”

His echo of the Apostle Paul was deliberate. This was the Gospel according to the IC, the world of professional intelligence.

Ridicule. The greatest of these is ridicule.

Indeed, people fear ridicule more than death, it seems. The dismemberment of their reputations, careers, and self-images is a grave threat. The thought police know this, of course. The art and science of the intentional destruction of troublesome human beings is alive and well.

The blow-back, however, as our intel friends call the unintended consequences of a sanctioned campaign, is the destruction of civil discourse, the undermining of a public space in which serious subjects receive the attention they deserve. Because so many people do not believe the official truth but don’t know what the truth might be. They know they are lied to much of the time, but don’t know what’s so, so they fill the empty space with projections, confabulations, nightmares and dreams.

There is more to it than that, of course. There is also a threat to the unspoken compacts that keep society hanging together, the ones that get people out of bed in the morning to go to work, not money or other rewards, but how a society functions at its deepest levels. The threat is that a superior civilization exists not “out there” where SETI serenely searches for distant signals, officially sanctioned and signifying nothing, but right here, up close, where thousands of credible witnesses have testified to the presence of anomalous vehicles obviously directed remotely or on the spot by intelligent agents, right here on our very own planet, not the isolated little blue marble in space that we collectively imagine, but one of many inhabited planets, where our society has against all evidence been built on a cornerstone of key beliefs, say them how you will – for religious, that we are the apple of God’s eye, not one apple among many, but the most favored nation, and for non-religious, that our species is the top of the food chain, the obviously smartest and best of all species, kings of the kingdom and queens of the realm. The threat is to the threads that stitch together our particular ways of being a self-conscious collective entity into a cultural myth of priority, invincibility, being the favored children of God. Now, this is a serious threat, along with the other lesser threats, to our dominance of other countries, scientific prowess, and other key pieces of the way we perceive ourselves in this nation. ... and so we come back to UFOs, which have been well-documented, as I said, noted all over the world, in most countries, not just here, for sixty, seventy years, or more, behaving in the same ways, doing similar things, all reported by diverse peoples of all cultures and tribes and ages noting the same small details – that’s not the stuff of insanity, is it? That is something serious, something real, something worthy of scientific study and discussion in the public domain, not only behind closed doors where the masters of deception do indeed practice their dark arts on behalf of multiple agendas which have neither been floated nor voted upon by we, the people, the impotent watchers in the wings, we who ought to know better when the shouters do their job, we who know we have listened for years to lies yet still, like children, believe them because we must, so when they ridicule their victims, pumping up the abuse to effective levels, we must jump on the wagon at once, lest we be ridiculed too by Official Truth. We choose to believe the illusions, to look away from the real, knowing what we are doing, but so afraid of what they’ll say and do if we don’t.

The greatest of these is ridicule. Ridicule is King. And we, good subjects and loyal, obey the King.



Posted by Thieme at 06:27 PM | Comments (0)

February 14, 2005

ShmooCon 1.0 a Big Success

by Richard Thieme (rthieme@thiemeworks.com), author of Richard Thieme’s Islands in the Clickstream


The first ShmooCon worked.

Sponsored by the Shmoo Group, known to hackers and security professionals from presentations at Def Con, Toor Con, and other security forums, ShmooCon was held at the Wardman Park Marriott Hotel in Washington DC February 4-6.

“The con scene is shifting to smaller regional cons,” was frequently said but it became clear that ShmooCon is complementary, not competitive, with larger established franchise cons like Def Con and the Black Hat Briefings and Trainings.

ShmooCon successfully straddled the multiple worlds of the-security-industry-in-transition and all lived together happily at the spacious hotel. Attendees did not put cement in toilets, hijack security frequencies to give false orders, or plant fake bombs under cars. Bruce Potter, who with his wife Heidi led the planning, set the tone with opening remarks that established clear guidelines. Don Bailey (aka Beetle) is also one of the original planners.

A Senior Associate with Booz Allen Hamilton and founder of the Shmoo Group, Potter made clear that the con was meant to be fun – he identified entertainment venues from the Saturday night DJ party to hacking and halo contests in the hotel ballroom – but also made clear that professional standards were expected to be met.

That mindset was amplified by a well-received keynote address from Riley “Caezar” Eller.

Widely respected in security and hacking circles for his technical achievements and creativity (he and his cohorts, the Ghetto Hackers, made the Capture the Flag contest at Def Con an elite technical challenge), Caezar called for hackers to forego the kinds of narrow niche-dwelling exploits that give props to their buddies in a piece of code that most folks just don’t need. Instead, he called on hackers to use their skills to deliver applications to a population hungry for the fruits of their real expertise.

“People want Bonzi Buddy. Yes, I know,” he said, sharing the crowd’s obvious disgust at the dumb memory-hogging animated talking parrot, “But we have to pay attention to what people want and need.”

Lest that emphasis on the marketplace imply that creative larceny has been expunged from the hacker heart, it should be noted that the most popular presentations indicate a precarious yin-yang balance in the security world. Mark Loveless (Simple Nomad) continued his con-by-con illumination of the necessity for a stealthy online life, outlining the need for piracy and anonymity on the web while explaining what it really takes to achieve it. Nomad spoke from experience directly to the heart of a community that knows who is out there and what they do.

The beating of a hacker heart that’s alive and well was also indicated by the crowd overflowing into the hallways from Deviant Ollam’s “Lockpicking 101” BOF. Crossing boundaries with passion and stealth still infuses the obsessive hacker spirit.

At the same time, Johnny Long’s Google Hacking (his book of the same name is a powerful treatise on how to hack information) was packed.

Long articulates creative ways to use the popular search engine for sophisticated research and information hacking, showing how the real power of pursuit comes from knowing who’s doing what and with who. Long’s painstaking work discloses techniques for solid online research and intelligence gathering and also moves traditional hacking of machines and systems up a notch to the level at which information has real significance. Long’s presentation amplified Caezar’s call to a higher purpose with a practical demonstration of one way to do it.

There were plenty of other good technical talks – panels including the likes of Novell’s security director, Ed Reed; the sly sophisticated mechanics of DNS hacking by Dan Kaminsky; and the wisdom of Crispin Cowan, founder and CTO of Immunix, who did justice to complex problems of application security. But perhaps the mellow vibe of the con was best seen in the size of the crowd staying to hear Bruce Potter’s final remarks. Leaving early is typical of cons like this, but most folks didn’t want to leave. That was due to a first-time con going off with nary a serious glitch, the value of most presentations (hey, nobody bats a thousand) and the supportive context of a well-timed winter reunion. The location of the hotel, just off Connecticut across the Taft Bridge from Dupont Circle, meant lots of restaurants a few minutes away and easy access to the pleasures of a sunny mild weekend in DC. And for those who love social engineering, the National Defense Industrial Association, loaded with beltway bandits and Colonels doing business, was also on site for a while, offering tempting tasty targets.

The Potters began planning ShmooCon 2.0 as soon as the con ended. They built the first one from scratch and, to their surprise, had to stop registrations when they reached 440. As Jeff Moss noted, the time was right, the location was right, the setting was right, and a “small regional con” quickly became a bigger one. The Shmooikins brought an obvious love of the game and high professional standards to the scene and next year looks to be even better.


Richard Thieme is a speaker and writer focused on creative and effective responses to technology-driven change. A collection of his work, “Richard Thieme’s Islands in the Clickstream,” was published by Syngress in 2004.

Posted by Thieme at 04:02 PM | Comments (0)

Fear and Loathing in Information Security by Mick Bauer

Fear and Loathing in Information Security
by Michael D. Bauer, author of Linux Server Security, 2nd Edition
02/11/2005
http://www.oreillynet.com/lpt/a/5624

If I were to tell you that I'm proud to be a hacker, would you wish I was
dead? Last week I attended a speech by someone who just may, and while that
speech was offensive on more levels than I can address in one editorial, I
would like to talk about the demonization of hackers within the information
security ("infosec") profession. In my opinion, the time has come for
infosec professionals to stop fearing technology's boundary-pushers and for
hackers to stop pretending there's any glory in the crimes most of them are
too smart to want to commit in the first place.

The Speech

The speech that set me off took place at a local meeting of an information
security professional organization, and the presenter represented a
well-known vendor of intrusion-detection software. During his lengthy
address this person called competing security researchers "ankle-biters,"
suggested most users in Brazil are "miscreants," and expressed a desire to
use an Apache helicopter to "take all those morons out" (apparently meaning
hackers in general). While he was at it he referred to Eastern Europe as a
"country," ridiculed the weight problems of several young computer
criminals, and generally displayed what struck me as truly remarkable levels
of bigotry, anger, and ignorance.

I said I wasn't going to dwell on the specifics of this speech, outrageous
though it was. But I'm sure that the gist of what he was saying, that is,
that hackers are scum, resonated with some percentage of the audience, and
that's the part I want to address here.

Over-the-top invective aside, it wasn't the first time I've been exposed to
this attitude. Many people in my profession, even knowing that "hacker"
doesn't mean "criminal" any more than "locksmith" means "burglar,"
nonetheless fear and mistrust hackers. In the interest of trying to do
something about this rift, which I think serves no useful purpose, I'd like
to discuss why infosec practitioners demonize hackers, and why that tendency
is both irrational and counterproductive. As someone who identifies very
closely with the hacker community, I'll also share some ideas on what
hackers might do to help the situation.

Hacking Defined

I want to stress that the real problem here isn't one of vocabulary: it's
one of culture. But just to be safe, let me clarify what I mean by
"hackers": I mean people generally obsessed with solving problems with
computers and with determining for themselves how things really work. These
are people who see a computer or network not as a predictable,
black-and-white system regulated by strict rules, but rather as a nearly
infinite set of potentials limited only by its users' skills and
imaginations.

Hackers tend to employ unorthodox means of solving problems and learning
things. In fact, the very definition of a "hack" is "something that isn't
supposed to work but does." It therefore follows that whether they call
themselves such or not, many of the world's greatest engineers and
entrepreneurs throughout history have been hackers. Linus Torvalds is a
hacker icon; Neal Stephenson has argued that Lord Kelvin was a hacker too.
In summary, hackers are the world's boundary-pushers.

One quick note about where I fit in, since you'll notice I sometimes use the
word "we" when describing the hacker community. I consider myself a member
of both the hacker and professional infosec communities. I've presented at
both Def Con (twice) and at the Computer Security Institute's Annual
Conference, and while I am neither a programmer nor a penetration tester
(which by some people's definition disqualifies me from ever being an elite
hacker), I identify closely with the hacker values of creativity, curiosity,
knowledge-sharing, and exploration. I have this "dual citizenship" in common
with some of my most valued infosec colleagues. In no way do we condone any
crime or consort with known criminals, but of course that's the whole point
of this essay.

Boundary-Pushing: Sin or Virtue?

The reactionary element in information security understands this definition
of "hacker as boundary-explorer," and is perfectly capable of distinguishing
between people who live on the edge and people who cross the line. However,
we seem to be sharply divided over whether (a) pushing boundaries is a good
thing to be doing in the first place, and (b) it must inevitably lead to
crime.

Consider the popular hacker pastime of security research (or, more
precisely, vulnerability research). Security researchers attack, within the
confines of their own lab systems, operating systems and software
applications for the purpose of proactively identifying security
vulnerabilities so they can be patched against or otherwise mitigated. There
are, it seems, three prevailing points of view on security research.

Hackers, naturally, love security research: It's a constructive outlet for
some of their darker impulses, one with tangible benefits to society. Such
"full-disclosure" proponents believe we all benefit any time the "good guys"
find a new vulnerability, give affected vendors fair notice to release a
patch, and then notify the public so they can apply the patch or take other
corrective action. This ethos is exemplified (most of the time) by the
Bugtraq mailing list.

Vendors seem to have a somewhat more ambivalent attitude toward independent
security research. On the one hand, it provides free third-party quality
assurance testing. On the other hand, it can be really embarrassing,
depending on how obvious or egregious a given vulnerability is and on how
much advance notice the researcher truly gives.

Many people, however, including many information security professionals,
think it's simply wrong to abuse any system or application for any purpose,
even in a lab setting, unless it's conducted by whoever created that system
or application. People with this attitude tend to be highly suspicious of
the motivations of security researchers and tend to believe that "security
research" is actually a euphemism for "mischief."

Granted, I'm intentionally dodging some subtle controversies of the
full-disclosure movement, that is, precisely how much time a security
researcher should give a vendor to respond and release a patch before the
researcher publicizes a vulnerability, whether sample exploit code is ever
justifiable, and so on. My point is simply that vulnerability research is an
area that many people consider to be inherently conducive to abuse,
regardless of its usefulness, and that many people are uncomfortable not so
much with vulnerability testing's specific impact on Internet security, but
rather with the general idea of people pushing limits in this fashion.

And here we come down to fundamentally opposite realities. There are people
who think that vendors should be allowed exclusive control over security
testing on their products, and should be trusted to both admit to and fix
security problems whenever they find them. And there are people who think
that (a) software nowadays is too complex and the threats too numerous for
this to really work, and (b) it isn't necessarily in vendors' best interests
to do so anyhow.

The infosec purist, in other words, wants to believe what vendors tell him,
but the hacker wants to figure things out for herself. I believe this to be
one of the main sources, if not the primary source, of discomfort with
hackers.

The Corruptive Nature of Hacking

Perhaps less irrational than the fear of boundary-pushing is the belief that
hacking leads to crime. If you become too fascinated by how network attacks
work, the story goes, you'll eventually cave in to the temptation to conduct
those attacks. And it is an incontrovertible fact that many people who
commit computer crimes are hackers. But are they criminals because they're
hackers, or do they have other problems? I'm convinced of the latter.

I have nothing more scientific to base this belief on than my own experience
and observations (plus those of my friends), but as somebody who's spent a
lot of time researching and experimenting with network hacking, not to
mention securing large networks against intrusion, I think this counts for
something.

I started out as a network engineer. Early on I learned how TCP/IP works,
how Ethernet works, and how to use network diagnostic tools such as packet
sniffers. Even in my first year doing this type of work, I knew how to
eavesdrop on telnet sessions and to otherwise abuse the tools of my trade.
But I didn't abuse them; I respected the rights of my users and understood
the consequences of betraying my employer's trust.

After eight years of immersion in both information security and hacker
circles, I humbly submit that this level of awareness and ethics is typical
among hackers. Hackers who cross the line into illegal and unethical
behavior are, in my opinion, outside the mainstream of hacker culture. I'm
sure of this for two reasons.

First, anybody who understands how networks work knows that there's no such
thing as privacy or anonymity on the Internet, and that those who mess with
other people's systems will be caught eventually. Second, insofar as hacking
involves increasing and sharing knowledge, it's an altruistic pursuit for
most of its practitioners; abusing that knowledge generally runs contrary to
the hacker ethos.

So who, exactly, commits computer crimes? Mostly the very young or very
ignorant, I think. These are people who don't understand the ramifications
of what they're doing or how easily they can be caught. There are some bona
fide sociopaths; the hacker community is no more free of these than any
other segment of the human population. And yes, there is such a thing as an
evil hacker mastermind; the world surely contains highly-skilled
professional computer criminals who seldom if ever get caught. Most people I
trust, however, believe there are relatively few hacker sociopaths and even
fewer evil hacker geniuses.

Conventional wisdom nowadays is that the vast majority of people who commit
computer crimes are in fact script kiddies, that is, people scarcely skilled
or creative enough to even be called hackers. If this is the case, that the
least skilled hackers are most prone to commit crimes, then can it really be
said that acquiring hacker skills leads to crime? I don't think so. It seems
to me that people who are inclined to commit computer crimes sometimes
acquire (limited) hacker skills, not the other way around.

The Notoriety Thing

Okay, so people's discomfort with hacking is their own problem, and most
hackers are in fact upstanding citizens. Then why do so many hackers like to
dress and act provocatively, and why is Kevin Mitnick treated like royalty
when he attends Def Con?

Personally, I think hackers' tendency to act out comes at least partly from
their being treated like outcasts. Hackers have been so misunderstood for so
long that we shouldn't be surprised when they cop a "to hell with mainstream
society" attitude. If you're going to be treated like a misfit, then you may
as well have some fun playing the part.

In this context, it becomes tempting even for otherwise-straight hacker
types to sympathize with actual techno-outlaws, especially when it seems
like the punishment meted out to them is disproportionate to their actual
crimes. For example, most hackers knew Mitnick deserved jail time, but few
felt he deserved to be held for four years, without bail, including eight
months in solitary confinement, before he was even brought to trial.
Personally, as I sat through that hate-filled speech last week, I found
myself starting to feel sorry for the young, misguided, and yes, even stupid
computer criminals whose photos the speaker ridiculed and excoriated; much
as I deplore their transgressions, they're still human beings for whom I
can't help but feel some compassion and even kinship. (There, but for a
happy childhood and some crucial mentoring early on, go I...)

Still, clearly it's wrong when hackers do or say things that implicitly or
explicitly condone illegal behavior. A few years ago a hacker named "Se7en"
got a lot of attention for claiming to be on a crusade to infiltrate the
systems of child pornographers for the purpose of shutting them down (though
by all accounts, Se7en's braggadocio was disproportionate to his actual
skill). More recently, the brilliant but misguided Adrian Lamo penetrated a
series of high-profile corporate networks for the purpose of demonstrating
their insecurity, and although in each case he worked with his "victims" to
fix the problems he found, the last of these (The New York Times) pressed
charges.

People like Mitnick, Se7en, and Lamo are, in real terms, well outside the
mainstream of hacker culture: Most hackers simply don't approve of messing
with other people's property, productivity, or freedom of speech. But
hackers do sometimes idealize people like Lamo because of their talent,
skill, or panache, and because of the aforementioned persecution thing.

This idealization is unfortunate. It impairs hackers' credibility and
ultimately reinforces people's misconceptions about hackers. So what I
suggest to the hacker community is this: Let's work a little harder to
downplay the notoriety angle, and be a little more vocal in condemning the
behavior of those few of us who cross the line from pushing boundaries to
breaking laws.

This doesn't mean we need to ostracize those who fall from grace; giving up
on people who make bad choices surely isn't any more altruistic than
computer crime is. I'm not suggesting that Kevin Mitnick be barred from
attending Def Con. In all honesty, I'm not entirely sure how to achieve what
I'm suggesting. My point is that there's still a lot of skepticism out there
with regard to the reality of hacker daily life, which for most of us
emphatically excludes illegal and unethical behavior, and the hacker
community must accept some responsibility for people's hesitating to give us
the benefit of the doubt.

Conclusions

My esteemed colleague the hacker-philosopher Richard Thieme says that
hackers, due to the very fact that they operate at the edges of what is
known (and especially of what is thought to be possible), are destined to be
misunderstood. Society has always treated innovators and whistle blowers
with ambivalence. Information security professionals, however, tasked as we
are with protecting critical infrastructures that everyone depends on, can't
afford the mental laziness of demonizing this important segment of the
technical community. For one thing, it's amply represented within our
profession: "They" can't all be enemies, because so many of "them" are in
fact "us." And that's a good thing. Hackers are arguably our biggest allies
in neutralizing and catching real live computer criminals.

If more information security professionals would free themselves of the
notion that the hacker mindset is morally wrong or that it inevitably leads
to crime, they could borrow or even learn themselves how to use hackerly
creativity and innovation in their efforts to protect and secure. Everyone
would benefit from that; nobody benefits from narrow-mindedness.

Michael D. Bauer is Network Security Architect for a large financial
services provider. He is also Security Editor for Linux Journal Magazine.

Posted by Thieme at 03:53 PM | Comments (0)

December 23, 2004

Lisa Pease Describes Gary Webb's Memorial Service

http://realhistoryarchives.blogspot.com/

Gary Webb's Memorial Service

This past Saturday, I woke at 6 AM and drove six hours through dense fog to reach Sacramento to attend the memorial service for Gary Webb.

I can’t put into words what Gary meant to me. In my lifetime, there have been only a few people I have truly admired and loved with all my heart. Gary was one of those people. But I knew what was important about him. He was a truth teller in the best tradition. He spent his life writing major exposes of government corruption long before his famous and, if I can say it, fatal Dark Alliance series.

I won’t rehash here the details of his research and the forces he challenged with that story. As most of you know, when I heard he had committed suicide, like so many, I found that nearly impossible to believe. I had met the guy twice, and he struck me as a lion of a man, with a huge, fighting spirit. I knew I had to attend the memorial, to hear from those closest to him what happened. I knew I’d have doubts if I didn’t. I had to see for myself.

I arrived about an hour early and headed for the room where the service was to be held. I did a double-take as I passed the elevator. A man who conveyed the essence of Gary Webb stood there, casually dressed. I kept moving so I wouldn’t stand and stare. I would see him again.

When I got to the door of the room where the service was to be held, I paused, not sure if I should enter yet or not. A few people were just starting to set up tables. I wasn’t even 100% sure I was in the right place. But then I saw Mike Ruppert, who had gotten there just ahead of me, and said hello. A lovely, delightful woman approached me and said she was Gary’s sister-in-law Diana Webb. I started to say something - who knows what, and even as I opened my mouth I started to cry. I apologized, saying I had promised myself I wouldn’t lose it, and Diana instantly made me at ease saying something like, don’t worry - everyone will be losing it today.

Diana asked for my name. When I told her, she said, “Lisa Pease! I loved your Emperor’s New Clothes piece!” I was both shocked and thrilled that she knew who I was. I had sent the family a condolence the night before, with a link to my blog, and Diana and Gary’s ex-wife Susan Bell had both read and loved my little satire. They felt it captured in a nutshell all that happened in that story. People who didn’t follow the unfolding attack on Gary won’t understand the piece. But they had lived through it, and recognized every nuance and reference. Diana told me excitedly that they had put memorial binders together of articles about Gary, and mine was the top piece, right in the front. I can’t tell you how moved I was by that. Other pieces in the binder were from Mike Ruppert, Peter Dale Scott, and several others.

I offered to help set up. I wanted to do what I could. His children had put together a couple of folding board displays of pictures of Gary from all parts of his life, including his book cover and their favorite magazine article, “The Pariah,” by Charles Bowden in Esquire. There were lovely arrangements of flowers that people had sent. And the awards. Gary had won so many awards over his career, from various organizations at various different newspapers. The biggest prize was a Pulitzer he shared with the rest of the San Jose Mercury News team for their coverage of the Loma Prieta earthquake.

As I stood there, surrounded by reminders of his greatness, I felt all the more sad. It wasn’t just a fluke. It wasn’t my imagination. He had spent his whole journalistic career doing what all journalists should do, and so few EVER do, seeking out and telling not just truth, but really important truths, the kind of truths that could change people’s lives for the better. That’s who he was.

Along with the pictures and article references, there were some cartoons and other humorous pieces too. There was this little propaganda poster from a Kentucky paper he had once worked for, saying how they’d NEVER kill a story. There were Tom Tomorrow cartoons. But front and center, everywhere you looked, were the references to the Dark Alliance series. That was the key moment in his life. The moment after which everything he held dear slowly slipped away from him.

As I helped set up, I used that as my little personal time to honor the man, soaking up every last image, reading each award, conducting my own silent prayer for the soul of this lost man.

Suddenly, Susan Bell, Gary’s ex-wife, entered. She was a beautiful woman, remarkably pulled-together under the circumstances. She exuded calm at the moment. When Diana said “This is Lisa Pease,” Susan also recognized my name immediately. She thanked me for a condolence message I had e-mailed the night before, which she had read and appreciated so much she forwarded it to others. She asked me if I would read the Emperor’s New Clothes piece at the ceremony because she thought it told the story and might add a little levity to the ceremony. All his family at some point mentioned something about Gary’s great sense of humor. I remember when I first wrote it, I had sent a copy to Gary, and he had very much appreciated it. Of course I said yes.

The next person I met was the man I had passed at the elevator: Kurt Webb, Gary’s younger brother. They were only 13 months apart in age hence the resemblance. They don’t look that much alike, but the essence is there.

As each new person entered, Mike Ruppert quietly and quite delicately, I’ll add, asked all the appropriate questions, and pointed out the rumors that had been floating on the Internet. Each family member in turn confirmed yes, suicide, no question. Yes, there were two gunshots, but the first one so missed the brain that Gary had to shoot again. Yes, Gary had left a suicide note. When Ruppert mentioned some suggested the suicide note was a forgery, Susan’s eyes flew wide with shock, as she said there’s NO way that was a forgery. She said he had written each of his children a personal note. He had sent boxes to his Mother’s house, but she thought that was just temporary because he was moving. But he sent her things like his baby shoes, and so forth. He knew he wasn’t moving. He had had his motorcycle stolen, something he really loved, just prior. Sadly, the motorcycle was recovered, but Gary was not around to see it.

Kurt said early on and more than once, there’s nothing we can do or say now to bring him back. I’m sure the family all wonders why they didn’t see the signs, why they didn’t do more. But as Kurt described it to me, it was as if Gary was sinking into a vortex; there was nothing any of them could do to bring him back. From what I heard, Gary was seriously, perhaps even clinically depressed, but he never wanted to burden his family with that and would always put on a good show for them. He was a proud man who didn’t want to ask for help. But, as Diana said when she spoke about him, he was always there for others. When she had a cancer scare in her family, she had asked Gary to help her find out whatever he could. And like the true journalist he was, he went to the library and gave them the best information he could find.

I wish so much I had known he was hurting. I would have tried to help. I’m sure all of us who knew him or cared about him would have tried to help. And maybe all our help wouldn’t have been enough. We’ll never know.

Many people started arriving. Diana came in with a fax from Robert Parry. She said they had asked him to come and he said of course, but he had not allowed enough time to clear security and missed his flight. Instead, Parry sent a moving statement, which I had a copy of but may have left at work. He said that Gary Webb’s story was a tragic reminder that information is not a birthright. It has to be fought for, and sometimes even died for. It was incredibly powerful and eloquent and short, a miraculous combination. I’ll try to get another copy and will post on my blog for all to see.

One man came in who had never met Gary Webb or any of his family. He was one of the many who came solely because he wanted to honor the memory of the journalist who stood up and told the truth. I talked to him for a while, and when he asked my name, again it was, “Lisa Pease!” Turns out he had read the book Jim DiEugenio and I had put together, The Assassinations. The man had talked to his children about how unreliable the press was, and told me he had put together a list for them of “truthworthies” - those who could be trusted to tell the truth. He told me Gary and I were both on that list, which I took as a tremendous honor. I told his story to another man, a friend of Gary Webb’s that I talked to afterwards at the reception downstairs. That man asked, how can you tell who is reliable and who isn’t? I told him, learn any one really big and important news story in depth. Find out who is telling the truth and who is not. Then follow those people. People who tell the truth about the important stories tell the truth about other stories. People who lie about one important story will lie on another, and so on. He said, so it’s really about the people doing the reporting? Yes, I said. Another person standing by said, that’s really a good way to go about it. I hope people start paying attention to bylines. There are good people out there working to tell the truth, and then there are the others who are working to gain and preserve their position, which usually means not telling the truth.

The room could only hold about 300 people. It was packed - I’m sure we represented a fire hazard. People were lining the walls and sitting in the aisles, with more gathered in a herd just outside the side doors at the front and back of the room. As the crowd was gathering, I was off in a side hallway with a copy of the Emperor’s piece, reviewing it since I hadn’t read it in years. I noticed Gary’s brother standing nearby, looking so completely sad, so completely alone. I went over to him and said, I think you could use a hug. He answered, I think I could and I threw my arms around him and just held him. I felt his energy rush out of him like water running up the beach, but I kept holding him and his energy regathered, like water flowing back to the sea, and we broke and he regained his composure. He even was able to make a wry comment when I asked if he was the older or younger brother. He’s younger, by 13 months.

Kurt opened the ceremony. He talked of his brother as first, foremost, and always, a writer. He talked about how as kids they had gotten a play mimeograph machine, with rubber type blocks you could put in it to print out pages. Kurt wasn’t that into it, but Gary loved it, and put together little pages of print that he’d then proudly show to his parents. Gary knew his calling from the start. He wanted to be a reporter. In High School, he wrote up an editorial for his school paper criticizing the drill team for putting women in military uniforms and changing their batons to guns and flags. The cheerleaders were outraged, and Gary’s newspaper advisor suggested he apologize. Why should I apologize for expressing an opinion, Gary had asked. He never did apologize.

He was nearly through school when he had to drop out, but managed to get a mentor at a local paper and learned the ropes from the inside. He threw himself into his work, not content to just be a stenographer, but to seek out the story behind the story. All he ever wanted to be was a writer. And above all, Kurt said, Gary always wanted to seek out and tell the truth.

When Gary worked on the Dark Alliance story, he spent months working nights and weekends, staring at pages deep into the nigh