Thursday, November 27, 2014

Selective Listening Can Kill Your Business (Thank You Gordon Ramsay)

The problem of selective listening (hearing only what you want to hear while ignoring all else) has killed a lot of businesses, especially restaurants. In fact, I suspect that the problem is pervasive across all industries and government agencies.

On Kitchen Nightmares, I watched restauranteurs who were at the brink of closing argue with Chef Ramsay that the problem wasn't the tasteless, frozen, microwaved crap that they served in their almost empty restaurant. It couldn't be because "everyone loves my food".  "Who's everyone? Your restaurant's empty", Ramsay would say. Then there were owners like Sebastian (Sebastian's Pizza) and David (The Black Pearl) whose egos wouldn't allow them to take advice.

I credit Ramsay's series about failing restaurants for helping me avoid those traps and others while I launched and built the Suits and Spooks security event series. After all, a conference is a lot like a pop-up restaurant except with worse food.

I wanted more than anything to build something that was different and that would deliver value to my customers. Inspired by what I learned from Gordon, I picked interesting and unique venues. I imagined that I was creating a menu when I curated my speakers - selecting ones that would add a unique "flavor profile" to Suits and Spooks attendees.  I made sure that I greeted every attendee personally, and listened to their feedback - both positive and negative.

The result was that Suits and Spooks, launched in September, 2011, was sold to Wired Business Media in April, 2014, just two months before Gordon Ramsay announced that after 12 seasons and 123 episodes, Kitchen Nightmares would wrap for good.

So today, on Thanksgiving, I'd like to say thank you to Gordon Ramsay for producing a show that inspired me to build something that I was passionate about and make it a success.

Monday, November 24, 2014

SEC Risk Factors: How To Determine The Business Value Of Your Data To A Foreign Government

“Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure.”


The SEC’s Cybersecurity Disclosure Guidance of 2011, President Obama’s Executive Order 13636 on Critical Infrastructure Cybersecurity (2013) and the launch of NIST’s Cybersecurity Framework (2014) has had a major impact on publicly traded companies and financial institutions who are struggling with quantifying their risk analysis in the new domain of cyberspace.

While the SEC has not yet codified its cybersecurity guidance (Corp Fin Disclosure Guidance: Topic No. 2), it has already issued 50 comment letters to public companies that have not adequately complied with the new guidelines. In fact, that appears to be a long-standing complaint of the SEC staff who would “like [registrants] to ... get away from mind-numbing risk factors disclosures to a more targeted discussion.”

Although the SEC’s cybersecurity guidelines aren’t yet regulations, the disclosure of risk factors such as credit and liquidity have been a requirement for many years3 and a mandatory non- generic risk factor analysis of a company’s digital assets cannot be far off. The dilemma that boards and general counsels are facing today is that too much disclosure might hurt the company’s business, while too little disclosure may, at a minimum, result in the company receiving an SEC comment letter.

This white paper will explore where the SEC is headed on this issue and propose a novel solution that’s both specific to the company and avoids the potential danger of revealing too much information about company vulnerabilities - the ability to verifiably assess the value of your intellectual property (IP) to a rival Nation State by establishing its Target Asset Value™.

You can obtain a copy by visiting the Taia Global website.

Thursday, November 13, 2014

Who Developed China's Laser Weapon and Other Things That Go Boom?

China has spent the last few days showcasing its latest military technology including this new laser weapon that can shoot down drones a mile away in 5 seconds after locating the target. However, if you're like me you'll want to know who built it and what else are they working on!

Well, now you can find out. Here's a 5 minute demo of our new REDACT Search product which tackles that very question. Enjoy!

Tuesday, November 11, 2014

Musashi's "The Way of Self Reliance" (Wilson translation)

Japanese swordsmanship has been a hobby of mine for almost 35 years, and the most famous of all Japanese swordsman is Miyamoto Musashi, author of The Book of Five Rings.

One week before his death, he wrote "The Way of Walking Alone" (Dokkodo). I read the translation written by William Scott Wilson, which like all of Wilson's work, was carefully constructed from primary documents. Then I looked online to see if there was a version of it that I could link to. Instead, I found an awful alternative translation that has been repeated ad infinitum.

So on Veterans Day and to honor the memory of one of the world's greatest swordsmen, I've reproduced what I believe is the superior translation of "The Way of Self Reliance", found in William Scott Wilson's translation of Miyamoto Musashi's The Book of Five Rings.


Shrike on a Withered Branch
by Miyamoto Musashi
THE WAY OF WALKING ALONE (or The Way of Self-Reliance)

  • Do not turn your back on the various Ways of this world.
  • Do not scheme for physical pleasure.
  • Do not intend to rely on anything.
  • Consider yourself lightly; consider the world deeply.
  • Do not ever think in acquisitive terms.
  • Do not regret things about your own personal life.
  • Do not envy another's good or evil.
  • Do not lament parting on any road whatsoever.
  • Do not complain or feel bitterly about yourself or others.
  • Have no heart for approaching the path of love.
  • Do not have preferences.
  • Do not harbor hopes for your own personal home.
  • Do not have a liking for delicious food for youself.
  • Do not carry antiques handed down from generation to generation.
  • Do not fast so that it affects you physically.
  • While it's different with military equipment, do not be fond of material things.
  • While on the Way, do not begrudge death.
  • Do not be intent on possessing valuables or a fief in old age.
  • Respect the gods and Buddhas, but do not depend on them.
  • Though you give up your life, do not give up your honor.
  • Never depart from the Way of the Martial Arts.

Second Day of the Fifth Month, Second Year of Shoho [1645]
Shinmen Musashi

Saturday, November 8, 2014

"Frank Martin" of the U.S. Government Grants Department Wants To Give Me $14,566

I just ended a ridiculous but entertaining call with "Frank Martin" of the "U.S. Government Grant Department" who wanted to give me $14,566 for being a good taxpayer. I stayed on the line with him for about 20 minutes because I wanted to learn as much about the scam as I could.

Here's more or less how it went:

0823 PST my home phone rings. The caller ID reads PENNSYLVANIA 267-973-6174.

A heavily accented voice asks if this is Jeffrey Carr, and then proceeds to tell me that she's calling from the government grant department.

Oh, yes. I said. The government grant department. That's part of the U.S. Treasury, right?

"That's right Mr. Jeffrey. We just need to verify your information."

[The caller reads me my street address, city, state and zip code. All are accurate.]

"Now sir, would you like to receive your grant money on a credit card, debit card, pre-paid debit card, or in your bank account?"

Pre-paid debit card, I say, as I pull out my handy (and empty) pre-paid Visa gift card that I keep for calls just like these.

"Please read me the number, sir."

I read it off the card.

"And the last four digits of your social security number"

I invent 4 digits and give them to her.

I'm now told that I've been chosen to receive a grant of between $5,000 and $15,000. My government approval number is WA23134, and I'm to call the grant manager in Washington DC at (202) 738-4264.

We hang up. I now call the DC number.


I must have let it ring 20 times. No answer.

A few minutes later, my home phone rings again.

The person I just spoke with is back and says that she'll try to connect me.

She tries twice and finally I get to speak with a grant manager named "Frank Martin", who's clearly of Indian descent. Mr. Martin wants to assure me that this program is very real, and asks me to write down the following information:
The Government Grants Office is located at 200 Independence Avenue, SW, Health and Human Services Building, Washington DC 20201. His government badge number is FM2586 and his phone number is (202) 738-4264.
So, not the U.S. Treasury.
"Jeffrey", Frank says, "are you at your computer?"
"I want you to go to this website:"
[I open a sandboxed browser.]  OK, Frank. I'm there.
"Now see the search window on the right side? Type in my name - Frank Martin."
Got it.
"Now see the 2nd entry where it says Frank Martin, and where it shows how much money I've given out in grants? That's me."

[This idiot didn't notice the "," between "frank" and "martin". The "frank, martin" he pointed me to is Martin Frank, Executive Director of the American Physiological Society.]

Oh, yes. You've given out a lot of money, Frank. 
"Yes, Jeffrey, and because you've been a good taxpayer, we want to give you $14,566. Now, what is your date of birth?"
I give him a DOB a few years and a few months off from my own.
"Oh, you don't sound that old, Jeffrey. You sound like you're only 20 or 22 years old! OK, let me verify all of your information because this is a lot of money and we want to make sure that you are really who you say you are."
The line is quiet for 10 seconds while he verifies my fake DOB, fake last 4 digits of my SS, etc. 
"Very good, Jeffrey. Now may I ask what you'll be using the grant money for?"
A cruise. Is that allowed?
"A cruise? Sure. You can take a cruise, buy a car, anything you like. It's your money. Just don't use it for any illegal activities!"
Oh, no. Not me. 
"So now we are at the verification step. You must go to a store near you and send me a verification voucher. Because, you know, there are a lot of Jeffrey Carr's in the United States. We can't risk giving money to the wrong Jeffrey Carr! Do you have a Rite-Aid or something like that near you?"
How about Walmart?
"No, not Walmart. Wait, I'll check for you. OK, I see that you're close to a QFC store. How long will it take you to drive there?"
Oh, about 20 minutes.
"Do you have a cell phone?"
I can borrow one from my neighbor.

"OK, go to the store and then call me from the parking lot. I'll tell you exactly how to do the verification voucher and then I'll stay on the line until you see the money has been transferred to your pre-paid Visa card." 
"Now Jeffrey, you need to bring three things with you: a picture ID, a cell phone with a charged battery, and $275 in cash which is a fully-refundable verification fee. You understand what "fully-refundable" means, Jeffrey?" 
Um, yes. 
"So after you send us the voucher verification, your fee is then refunded back on your Visa card along with your grant money. See, we have to do it this way because it would be fraud if we asked you to send us money from your checking account or from your credit card and we aren't trying to defraud you. Only bad people ask you to send money from your bank account. That's we ask for cash."
Yes, cash is much better, Frank. Thank you.

[So now that Frank is done with his pitch, it's my turn to have some fun.]

By the way, Frank, are you at your computer?
"Yes, why?"
Well, you've been so nice sharing information about yourself, I thought you might want to see who I am. Do you know Just type in "Jeffrey Carr". I'll be the first name that comes up.
"I'm sorry, Jeffrey. My computer doesn't seem to be working right now. "
Oh, that's OK, Frank. When your computer is working again, just go to, and you can read all about this little fraud of yours online.
Frank? Are you there?


The FTC has a page for Free Grant Fiction here. This seems to be the latest iteration.

Wednesday, October 29, 2014

Cyber Threat Marketing and Political Expediency: STOP THE MADNESS

FireEye's APT28 report is the latest in a series of glossy marketing white papers which claim to reveal the workings of "state-sponsored actors", in this case from Russia. The paper fails to prove its claim of state-sponsorship (a confusing term that the FireEye report never defines) and evidences a few other bad habits described below.

However none of that really matters because Russia is currently on the White House's shit list, it's being hammered by sanctions, and the Kremlin has shown itself over the years to be more than willing to let its very talented hacker population engage in cyber attacks against its political enemies without repercussion. 

Last year when Mandiant came out with its APT1 report about China, guess who was on the White House's shit list then? 

From a marketing perspective, you can say-hint-imply-presume whatever you want. Proof is irrelevant. What counts is that the political interests of the U.S. and other western nations correspond with the marketing interests of cyber security companies. Timing - as Hesiod said - is everything.

However, even if the raw commercialism of this strategy doesn't bother you or is at least forgivable because after all FireEye and all of its competitors are for-profit enterprises, the report's authors have made some awful decisions in their analytic method.

Cherry-Picking The Evidence
"APT28 has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of APT28’s targets with the same detail because they are not particularly indicative of a specific sponsor’s interests. They do indicate parallel areas of interest to many governments and do not run counter to Russian state interests."
In other words, we've just included the evidence that supports our theory and excluded the evidence that doesn't. That's precisely the kind of bad analysis that's behind every intelligence failure that has ever happened. 

Calling Low Level Attacks "Sophisticated"
"Russia has long been a whispered frontrunner among capable nations for performing sophisticated network operations. This perception is due in part to the Russian government’s alleged involvement in the cyber attacks accompanying its invasion of Georgia in 2008, as well as the rampant speculation that Moscow was behind a major U.S. Department of Defense network compromise, also in 2008. These rumored activities, combined with a dearth of hard evidence, have made Russia into something of a phantom in cyberspace."
Speaking as someone who's been researching Russian information warfare practices and, more importantly, its ongoing research and development in information security, I can tell you that the SQL attacks against Georgian government websites during the 2008 war were not even close to "sophisticated". Same with the 2008 DOD breach. Remember that when you have to explain to your boss that some unemployed Russian kid  Russian "state-sponsored" actors stole everything you own, it better be because it was "highly sophisticated".

Unfortunately for myself and others who take a skeptical or even cynical view to every public report of a "sophisticated state-sponsored" attack, the reporting agency or corporation never shares their raw data. And whatever is shared is scrubbed. 

APT28 isn't a Person or Persons. It's a Thing
Cyber security companies that monitor networks and threat actors rely almost exclusively upon technical attributes when they establish a "group". It's not like a street gang unit at your local PD that can tell you the gangs that operate in an area, who the members are and where they go when they leave. They don't who the members are, or how many there are, or what nationality they are, or who they're working for, or how long they stay before moving on. Visit and pick any hacker group that does high-profile defacements. Do a search by group name and find one with a history spanning just one year. Start with the earliest defacement and add the aliases of the group's members to a spreadsheet. Jump ahead a few months and check to see if the names have changed. Jump ahead a year. Members come and go, and when they go they take with them the tools and resources that they are comfortable with using. Or perhaps they'll discover new tools with a different group and in a few months, jump again - this time with different TTPs than they had a year ago. Are they still "APT28"?

"Stop The Madness"
To quote Mr. Wonderful, "STOP THE MADNESS!" Reports like these cannot be trusted to give a factual assessment of the real-world capabilities of any government's activities with their resident hacker populations. And they positively do not reflect the capabilities of any government's security services.

They are (1) a way to gain market share through garnering headlines and (2) a way to gain favor or secure contracts with government agencies who are catering to their customer - the Executive Office of the President.

Wednesday, October 22, 2014

"Hunting For Seeds That Remain Uncultivated, For Ideas That Lie Dormant"

From time to time I like to share gems of insight that I've discovered in the works of others in hopes that someone else will benefit besides myself. I'm always the first one awake in our house (usually before dawn) so I make a double expresso and sit down at my desk, which faces East overlooking the Hood Canal. Ellis' book is a collection of ancient Egyptian texts so it's fun to open it up randomly and see where you land. This is what I opened to this morning, around the time that dawn was breaking.

Thoth Speaks:
The ibis and the ink pot - these are blessed. For as the ibis pecks along the bank for a bit of food, so the scribe searches among his thoughts for some truth to tell. All the work is his to speak, its secrets writ down in his heart from the beginning of time, the gods' words rising upward through his dark belly, seeking light at the edge of his throat. We are made of god stuff, the explosion of stars, particles of light, molded in the presence of gods. The gods are with us. Their secrets writ only in the scrolls of men's hearts, the law of creation, death and change inscribed in the blood and seed of man's love. In the beginning and at the end, the book is opened and we see what in life we are asked to remember. 
Hear, then, my words, the ringing of my speech, as the heart and the scroll of this life fall open. Truth is the harvest scythe. What is sown - love or anger or bitterness - that shall be your bread. The corn is no better than its seed, then let what you plant be good. Let your touch on earth be light so that when earth covers you, the clods of dirt fall lightly. The soul of a man forgets nothing. It stands amazed at its own being. The heart beats the rhythm of its life. The lungs breathe the ions of its own vibration. The mind recalls its thoughts. The glands respond to its emotions.  
The body is a soul's record. And when a man's life ends, his body is given back to gods and the gods shall see what use their laws have been. They shall see the deeds its hands have made, the sparks of light its heart set in the world. They shall see whether or not their love, their powers have been wasted, whether the plants it has grown were nourishing or poison. And like the ibis, the gods shall circle about him, hunting for seeds that remain uncultivated, for ideas that lie dormant, thoughts left unexpressed.  
They shall find new seeds from the plants he has tended. And these shall be planted again in the clay of a new man and he shall be sent back to the world until all the gods have seen fit to create in man is cultivated, and then, in final death, he shall be welcomed home as one of them.
- From "Awakening Osiris: The Egyptian Book of the Dead" by Normandi Ellis, Phanes Press, Boston 1988, p.55-56