S. 773

...now browsing by tag


CyberInsurgency – A True Story

Friday, July 24th, 2009

One nation under martial law, the military stands guard against the population. This following days of protest by many who feel the results of the recent election were fabricated. The voice of dissent is publicly silenced with lethal force.  Terrestrial and satellite signals are jammed, including cell phones and foreign broadcast.  The modern police state, a heavy net of surveillance monitors all domestic communications.  In a series of arrests hundreds of people become political prisoners. Authorities raid media outlets, journalists are beaten as their equipment confiscated.  In an effort to dilute the information that leaks out of the country, the military has its own legion of users creating thousands of propaganda blogs.  Despite this opposition, protest continues. 

The riots continue today, a month after the election.  Protesters clash with troops who respond with tear gas.  In undisclosed locations, skilled technologists formed loose alliances to assist the people.  Their goals are as simple as educating people in the use of encrypted communications and services providing anonymous network routing.  This offers civilians a chance to send information securely, and speak their minds without fear of repercussions. 

Government restrictions have been well established. The public is allowed only a limited connection; access has been restricted to 128 kilobytes per second. Their traffic thoroughly inspected, routed into proxy servers, the content filtered, websites are blocked, and services rendered unreachable. Dissenting opinions are intercepted, and confirmed with torture and silenced by death.

In public channels outside of the country, people of various ideologies work together. Unable to free the citizens of that country from physical oppression, they hope to at least provide a means of communication. From around the world they have gathered to brainstorm new ways for the oppressed to maintain access to public web services. Political opinions put aside, a diverse group of people discuss various methods of circumventing control systems.   

Having stumbled into one such a meeting of the minds, I recognized it as a rare opportunity to observe and participate in an electronic insurgency. Though the subject serious and the consequences of failure well understood, the discussion mostly remained technical in nature. This separation from the human aspect of the crisis was enough to allow for the sort of wild creativity that seems to come naturally to successful people. For example, the suggestion of utilizing enigma machines transmitting over Morse code is not the simplest solution. However, it is the idea that is an engine for a train of thought that could eventually arrive at some new solution.  In the end, it was not necessary to reinvent the wheel, and the focus turned towards how to spread existing encryption and privacy technology. The solution must be easy to understand and implement by people with limited technical skills.

Instructions were provided to use FirePGP in combination with GnuPG to send and receive encrypted emails in Gmail. Once their messages are secure, the correspondents require a method to protect their identities. Squid and Tor proxy server software were suggested to anonymize the traffic. Additional details are available for the operation of a Tor-relay, with the goal being to prevent the government to locate sources of information. Other systems are under development to offer civilians access to open communications channels outside their country, and away from the control of their regime.

It was several days after the election before the mainstream media started its coverage. CNN was using information from Twitter, from ultimately unverifiable sources.  A psychological operation was under way to influence the rest of the world, and confuse or expose insurgents using the service. Acting as a live forum for dissent, Twitter was asked by the US State Department to delay scheduled maintenance in order to prevent a possible outage.

This is the story of an international community working together to promote freedom of speech, and private communications in Iran. Public dissent is an event that most governments including the United States have plans to suppress.  They too monitor civilian communications for threats against their authority. Protest has already been caged into ‘free speech zones’. Similar to Iran’s jamming of communications, Executive Orders exist in the United States giving the government the ultimate authority over everything including transportation routes, communications, and even the civilian population who could be used for labor. The planning behind readiness exercise 84 (REX84) shows the government is willing to use its power to detain people who question their authority. Studies such as Operation Cyberstorm show that the United States and its allies are already preparing to defend against activist computer operators, foreign and domestic. Coming legislation, if passed, would require a license to practice computer security. This could classify some unlicensed technologists as terrorists, where they would be no better off then their colleagues in Iran just trying to get an unapproved message out to the world.


Martial Law in Tehran-Monday June 29th 2009

Martial Law in Tehran-Monday June 29th 2009

U.S. satellite feeds to Iran jammed :: InfoWar Monitor :: Tracking Cyberpower

U.S. satellite feeds to Iran jammed

Iran blocks TV, radio and phones – but web proves more difficult | Technology | guardian.co.uk

Iran blocks TV, radio and phones – but web proves more difficult

Mousavi’s wife blasts arrests | Philadelphia Inquirer | 07/24/2009

More than 500 remain in prison, including many top politicians from pro-reform political parties, human-rights lawyers, journalists, and activists

Google Translate

This week a letter sent to the 10 thousand to 10 thousand blog mobilization base in commissioning and production of the “Mhtvahay value” is the Internet space.
http://www.bbc.co.uk/persian/iran/2008/11/081119_mg_basij_filtering.shtml (original link)

Greenwave Info

dedicated to spreading useful information about the current protests in Iran.

Iran | OpenNet Initiative <–very comprehensive and informative.

Iran continues to strengthen the legal, administrative and technical aspects of its Internet filtering systems. The Internet censorship system in Iran is one of the most comprehensive and sophisticated in the world. Advances in domestic technical capacity have contributed to the implementation of a centralized filtering strategy and a reduced reliance on Western technologies. Despite the deeply held commitment to regulating Internet content, authorities continue to be challenged in their attempts to control online speech. Political filtering related to the 2009 presidential campaign, including the blocking of Facebook and several opposition party Web sites, brought renewed attention to the role of filtering in Iran.

pastebin – FirePGP tutorial – post number 1465774

Instructions on how to use the Firefox extension, FirePGP, in combination with GnuPG, to send and receive encrypted emails in Gmail.


rbox: Squid proxy server

rbox-tor: easy to use Tor server

Tor: Relay Configuration Instructions

Configuring a Tor relay

Twitter Retains Spotlight in Iran Coverage – Digits – WSJ

Another delay is being requested, this time by the State Department

NedaNet Resource Page

resource page for NedaNet, a network of hackers formed to support the democratic revolution in Iran.

NSA Spying | Electronic Frontier Foundation

The U.S. government, with assistance from major telecommunications carriers including AT&T, has engaged in a massive program of illegal dragnet surveillance of domestic communications and communications records of millions of ordinary Americans since at least 2001.

Executive Orders | Bill Clinton’s Executive Order 12919


Rex 84 – Wikipedia, the free encyclopedia

Rex 84, short for Readiness Exercise 1984, is a plan by the United States federal government to test their ability to detain large numbers of American citizens in case of civil unrest or national emergency.


National Cyber Exercise: Cyber Storm
National Cyber Security Division

GovTrack: S. 773: Text of Legislation, Introduced in Senate

a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.

(b) MANDATORY LICENSING- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.

S.773 Cybersecurity Act -quick summary.

Friday, June 12th, 2009

The 2009 Cybersecurity act as proposed by Jay Rockefeller, is little more then a business plan.  It is designed to sell products and services, yet is narcotic enough to seem benign to bankers. The Act is prefaced with the promise of defending global trade and commerce, though it sets unrealistic goals for international compliance with new standards.  What we really have is an attempt by the intelligence community to monopolize on the information industry by way of their private partnerships.  In effort to maintain this advantage, mandatory licensees will be required to practice cybersecurity or to operate critical infrastructure.  The President and the CyberCzar will have total power to decide what is critical infrastructure. The point here is that while the Internet might not seem like critical infrastructure, there are many agencies that rely on it, and the operations centers which maintain these sections of the net might be required by law that their employees are federally certified.  In order to ensure there are plenty of willing federal employees, the Act would create a national cyber challange, where the best and brightest from high school and on up would have the opportunity to compete for cash prizes, and that elusive government job.  While those lucky winners are being used up, the bill proposes cyberawareness education starting in kindergarten.  They even have plans for a smokey bear type campaign to really get the youngsters interested.  Summer programs and internships will pave the way for even the youngest of students to do their part in the battle against cyberterrorists.


The Government has the right to refuse your internet service at anytime, for any reason.

S.773 – The Cyber Security Act of 2009 – part 3

Friday, June 12th, 2009

S.773 The Cybersecurity Act of 2009 pt3

This is part three in a series reviewing the proposed cybersecurity legislation.

(e) FCC NATIONAL BROADBAND PLAN- In developing the national broadband plan pursuant to section 6001(k) of the American Recovery and Reinvestment Act of 2009, the Federal Communications Commission shall report on the most effective and efficient means to ensure the cybersecurity of commercial broadband networks, including consideration of consumer education and outreach programs.

At the end of section 6, I decided to carry this last paragraph over to the next article. Under the bailout bill funding will be provided to create new problems for protecting national infrastructure. This includes the new smart grid for energy transfer, and a new advanced air traffic control technology. The FCC is responsible for reporting on the security of the commercial internet, and will receive bailout money for evaluating the network’s security.


This is a mandatory national computer and infrastructure security license. It
will include anyone who is engaged in network or computer security at the federal level, and operators of systems deemed critical by the president or his advisor.  Critical systems can include internet operations.  Federal and local emergency response systems are already dependent on the internet. In the case of a national emergency or in wartime the government does reserve the right to commandeer all forms of communication.  This act would require anyone operating any of these systems to receive approved training to qualify for a license to practice the security trade within the United States.  The vague nature of critical systems could mean that anyone who operates publicly accessible private equipment may be required to obtain this license to operate the internet.


The IANA is a government contract. The work is currently being carried out by ICANN. This group has been approved by the Defense Department since the IANA contract was handed over. The bill makes it clear there will be no changing of this situation without review, consideration, and approval.


This sets a three year timetable to develop a strategy for implementation of a secure Domain Name System (DNS).  This is a political issue.  The industry has already developed methods of securing the domain name addressing system. It is the role of the government to resolve the issues of foreign and domestic implementation. Federal, and critical systems will be required to participate in the secure DNS.  Internationally it would fall under the Department of State and the President to convince other nations to adopt the system.


The national cybersecurity awareness campaign will come complete with mascots and public service announcements. There will be awareness training beginning in the first years of school.  The goal of this is to not only create awareness of potential threats, but also to create an information and technology workforce for the future.


In an effort to bring the United States to the front of this digital arms race, funding will be directed to research and development. The National Science Foundation will be given priority in researching how to design and build systems that are secure and reliable when first deployed.  They will develop the ability to audit software, so that it “implements stated functionality and only that functionality”. Part of this will involve “selected secure coding education and improvement programs”, where the Director of the Foundation will look at ways to integrate secure coding into the “core curriculum of computer science programs” and “other programs where graduates have a substantial probability of developing software after graduation”. Colleges and universities regularly receive funding from the NSF, if this amount is over one million dollars, these institutions will release to the Foundation their statistics on computer since students, and those in related fields.  These figures will include the number of students likely to enter software design or development, whether or not they received secure coding education, and what classes they were enrolled in.  The NSF would like to evaluate these programs, and measure the effectiveness of the students “to master secure coding and design”.
The NSF will also research identity and information assurance, including the ability to “determine the origin of a message transmitted over the Internet”. The Foundation will provide support towards building new protocols for Internet security. There will be grants awarded for the creation of internet test labs “sufficiently large in order to model the scale and complexity of the real world networks and environments”. These labs will be used for playing war games, or “to support the rapid development of new cybersecurity defenses, techniques, and processes by improving understanding and assessing the latest technologies in a real world environment”.  There will also be work done towards the balance of security and privacy, and the problem of insider threat.


The Federal Cyber Scholarship-for-Service program pretty much introduces itself.  I can not restrain my self from mentioning this was one of the solutions I reached independently.  I phrased it as “trucker school” like training.  Instead of paying for expensive training, licensing, and equipment, these things are provided with the promise that the student will work for the company for some period of time. This is an alternative solution to the current certification process.  Since operating the Internet is not quite the same as piloting eighteen wheels of Detroit iron, the government plans to start the kids off early.  They will provide “a procedure for identifying promising K-12 students”.  These promising students would be eligible for summer programs and internship “that would lead to certification of Federal information technology workforce standards and possible future employment”.  Just like with trucking school, once the class is complete the job is guaranteed.


The goal of this challenge is to “attract, identify, evaluate, and recruit talented individuals”. The competition would also serve to “stimulate innovation in basic and applied cybersecurity research, technology development, and prototype demonstration”. If they don’t get the recruit, they will still have access to their work.  These widely advertised challenges will be available for high school and college students. Institutions will also be allowed to compete for the millions of dollars in prize money.

The Secretary of Commerce will have access to all internet and critical networks “without regard to any provision of law, regulation, rule, or policy restricting such access”. The Department of Commerce will serve as a clearinghouse of related information, acting as liaison between the government and the private sector.


This section simply gives value to risk.  It will create a market for risk management, require “cybersecurity to be a factor in all bond ratings”.


This section calls for “a comprehensive review of the Federal statutory and legal framework applicable to cyber-related activities in the United States”.  There are several acts specifically mentioned, but it also includes “any applicable Executive Order or agency rule, regulation, or guideline”.

When the government starts discussing an “identity management and authentication program”, they must also address the privacy concerns which follow along with it.


The President will develop a strategy for security. This strategy should include a long term plan. It will respect national security, and include the private sector.  In the event of an emergency the President has the power to restrict, shutdown, or disconnect the internet. This applies to Federal and critical systems in time of emergency, or in the interest of national security. The President also will “designate an agency to be responsible for coordinating the response and restoration” of the systems restricted or shut down.  There will also be a department or agency which will “review equipment that would be needed after a cybersecurity attack and develop a strategy for the acquisition, storage, and periodic replacement of such equipment.” There will be “periodic mapping of…..critical infrastructure information systems or networks” to “measure the effectiveness of the mapping process”.  The President will also have the power to enforce regulations, and bestow ‘cyber-related’ certifications to United States people.


Starting in 2013, this review will provide an unclassified summary, and include recommendations for improvement.


The Director of National Intelligence and the Secretary of Commerce will make a yearly report to Congress on “cybersecurity threats” and “vulnerabilities of critical national information, communication, and data network infrastructure”.


The President would “work with representatives of foreign governments” to encourage global adoption of America’s new standards.


This section is an attempt to address the ‘supply chain’ vulnerability. There is need for “review and approval of high value products and services”, and so there must be “the establishment of appropriate standards for the validation of software to be acquired by the Federal Government”, including “independent secure software validation and verification”. This act would require the approval of the Secure Products and Services Acquisitions Board for any product or service subject to federal standards.

This marks the end of part 3. A summary will be provided later.

S.773 – The Cyber Security Act of 2009 – part 2

Monday, June 1st, 2009

This is the second part in a series concerning the Cybersecurity Act of 2009. s773.  As per request I have broken a large single page into sections. If you liked it the other way let me know. Please forgive my use of the term -cyber-, and any other marketing buzzwords. I’m just reflecting the terminology used.

s.773 Cybersecurity Act of 2009 part 2.

The relationship between the national intelligence agencies, and the private information technology sector has long since been consummated.  There exists a tight federal and private partnership, with the majority of intelligence work being outsourced from the federal level to the corporate.  This legislation is nothing more then a formality. It makes the partnership public knowledge, and gives the intelligence industrial complex an official voice in the white house.


    (a) IN GENERAL- The President shall establish or designate a Cybersecurity Response Advisory Panel.
    (b) QUALIFICATIONS- The President–
    (1) shall appoint as members of the panel representatives of industry, academic, non-profit organizations, interest groups and advocacy organizations, and State and local governments who are qualified to provide advice and information on cybersecurity research, development, demonstrations, education, technology transfer, commercial application, or societal and civil liberty concerns; and
    (2) may seek and give consideration to recommendations from the Congress, industry, the cybersecurity community, the defense community, State and local governments, and other appropriate organizations.

The President will select people who are qualified to provide advice and information on cybersecurity research, development, demonstrations, education, technology transfer, commercial application, or societal and civil liberty concerns.

This is quite a broad section of potential appointees. There is no mention about how the selection process would be carried out, or what makes one person more qualified then another to serve on the panel. The President is neither qualified to carry out the selection process, nor able to comprehend the details of recommendations given to him.  Instead it would be necessary to create a “National Cyber Security Czar.”  A sort of interpreter to advise the President in terms he can understand, and to give the President’s speech writer terms most people can comprehend.  I suspect what we will ultimately see is the creation of a new cabinet position, a ‘Secretary of Cyberdefense’. Though it seems this has been done in the form of the National Cybersecurity Center.

US Cyber Head Quits Over Threats To Democracy

Rod Beckstrom, the head of the Department of Homeland Security’s National
Cyber Security Center, said last week he would be stepping down
effective March 13.

In a letter to Homeland Security Secretary Janet Napolitano, Beckstrom said
the NSA “dominates most national cyber efforts” and “effectively controls
DHS cyber efforts through detailees, technology insertions and the proposed
move” of the NCSC to an NSA facility at the agency’s Fort Meade, Md.,

In addition to the NCSC there is also the position of White House Cybersecurity Chief. With regards to part one of this article, I feel it important to note that the acting White House Cybersecurity Chief Melissa Hathaway was Senior Advisor to the Director of National Intelligence, Mike McConnell and Cyber Coordination Executive, she specialized in cybersecurity strategies with consulting firm Booz Allen Hamilton.

President Obama made an announcement in regards to the nation’s cybersecurity direction. Included in this plan is the appointment of Chief Cybersecurity Coordinator. It seems they will not be going with the title ‘czar’ this go round. It makes sense for the first people to be approached for positions on the panel will be people already currently employed in the service of the government. Those quoted in the findings would be an excellent example of potential panel members.  Despite the new campaign from the Department of Defense to recruit hackers out of high school, I strongly doubt there will be any application process for independent civilian admission onto the panel. With Ms. Hathaway on the inside, and her former boss on the outside, it seems that not only has the chess board been set, the game has been played and what we are seeing is the results of the match finalized and put down on paper.

Spies for Hire, US pays Carlyle Group to spy-2/3

Click to continue »

S.773 – The Cyber Security Act of 2009 – part 1

Thursday, May 14th, 2009

S. 773: Cyber Security Act of 2009

A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.

The summary is quite honest to the actual intent of the bill. It is designed to protect commerce, and global trade. An act to ensure the continued exploitation of the Internet. Just looking at the initial sponsor, and the groups represented in the findings it seems quite obvious this act has been dreamed up by businesses and government agencies as a way of soliciting additional funding in the form of contracts. Essentially using tax payer money to expand their operations while projecting the illusion of securing ‘cyberspace’. Cyberwar profiteers getting their feet in the door for more government funding.
We already have the majority of intelligence work done by agencies such as the NSA being outsourced to businesses like Booz Allen Hamilton. Now we see the same people giving dire warnings of an eminent terrorist threat. The reaction to these warnings it the Cyber Security Act, and the solution is to channel more resources to the people giving the warning.

Rockefeller – Cybersecurity

Sen. John Rockefeller [D-WV]Great-grandfather was once the worlds richest man is considered the richest person in history. Infamous for his Standard Oil monopoly.

Cosponsors [as of 2009-04-18]

Sen. Olympia Snowe [R-ME] – Daughter of a Spartan, popular Senator from Maine. Known for her ability to influence the outcome of close votes. Consider a RINO by some. She is also known as a Rockefeller Republican.

Sen. Bill Nelson [D-FL] Former astronaut. Member of the Book and Snake secret society at Yale.

Sen. Evan Bayh [D-IN] Claims his wife’s corporate roles hold no sway over his votes. Recently formed the ‘Blue Dog’ caucus, where it is suspected he is supporting corporate agendas.

Capitol Hill’s corridors are now filled with corporate America’s lobbyists, who are working to assure that our middle class and those who aspire to it have as little representation as possible

Once the church was the dominant power in society, and churches dominated the skyline. Following the church was industry, and steeples were replaced with smoke stacks. From this industry grew enormous wealth. Soon the towering bank buildings facilitated the fluidity of these corporate industrial assets, and again their structures loomed over the city. What I noticed was a transfer of power from the banking and finance sector into telecommunications. Information is the currency of today. Where you have something of value, there will always be threats against it.

Cyberspace is the marketplace of information, and just like in the physical world there is also a black market.

Click to continue »

Twitter links powered by Tweet This v1.8, a WordPress plugin for Twitter.

Get Adobe Flash player