Remembering the Old Ways

Or: Making sure you know what to do if technology fails.

The Daily Telegraph in London has a very interesting story today about the US Navy reinstituting celestial navigation as part of its training for recruits:

The reason for this is simple and sound: they want to make sure that if computer-based navigation is crippled or compromised, navigators can still navigate.

In my mind this is a brilliant piece of realistic forethought. The fact is that we have been so reliant on the Internet and apps for long enough now that people are growing up totally lacking some of the critical skills they would need if those went away.

Just two years ago we read about how many people under 25 can’t read maps.

Like many security people, my favorite SciFi TV show is Battlestar Galactica because it outlines a very realistic scenario that can come about with too much networking and technological reliance and too little backup and off-line capability.

It’s good to see the US Navy watched the series and got the memo.

“Hackback”: A New Approach

Today we read about the likely death in a drone attack of an ISIS hacker/warrior/cyber-jihadist:

In the infosecurity world, we’ve heard for years about the idea of “hackback”, basically an offensive response to an offensive action. Every couple of years this idea comes back around as someone gets frustrated with feeling like the attackers have all the advantages (and fun) and wants to take the fight back to them.

It’s an understandable idea. And, in some measured cases may even make sense. But as a blanket rule, no it’s not a good idea.

This latest development shows that “hackback” doesn’t need to be contained to computer tactics: a physical or kinetic response is just as (if not more) effective.

The bigger story though is how this shows that the idea of “infosecurity” is more and more an empty concept and that it’s all just “security”.

Premera Data Breach

Premera Blue Cross today announced a major data breach affecting 11 million people in Washington, Oregon and Alaska. It also affects other Blue Cross members who received treatment at their facilities.

The information stolen is very serious and can enable identity theft.

I’ve got more information on the Trend Micro blog here.

Clinton Official Statement: Email Security Sections

Following up my posting of the relevant section of the press conference transcript, Business Insider has posted the full official statement as well. Here are the relevant sections related to email security.

Was classified material sent or received by Secretary Clinton on this email?

No. A separate, closed system was used by the Department for the sole purpose of handling classified communications which was designed to prevent such information from being transmitted anywhere other than within that system, including to outside email accounts.

How did Secretary Clinton receive and consume classified information?

The Secretary’s office is located in a secure area. Classified information was viewed in hard copy by the Secretary while in the office. While on travel, the Department had rigorous protocols for her and traveling staff to receive and transmit information of all types.

Where was the server for her email located?

The server for her email was physically located on her property, which is protected by U.S. Secret Service.

What level of encryption was employed? Who was the service provider, etc?

The security and integrity of her family’s electronic communications was taken seriously from the onset when it was first set up for President Clinton’s team. While the curiosity in the specifics of this set up is understandable, given what people with ill-intentions can do with such information in this day and age, there are concerns about broadcasting specific technical details about past and current practices. However, suffice it to say, robust protections were put in place and additional upgrades and techniques employed over time as they became available, including consulting and employing third party experts.

Was the server ever hacked?

No, there is no evidence there was ever a breach.

Was there ever an unauthorized intrusion into her email or did anyone else have access to it?


What was done after her email was exposed in February 2013 after the hacker known as “Guccifer” hacked Sid Blumenthal’s account?

While this was not a breach of Secretary Clinton’s account, because her email address was exposed, steps were taken at that time to ensure the security and integrity of her electronic communications.

Clinton Press Conference Transcript: Email Security Sections

For those following the Clinton Email Situation, I’ve gone ahead and taken the full press conference transcript that Time posted and have pulled out the sections that pertain specifically to questions around the email server and its security.

QUESTION: Did you or any of your aides delete any government-related e-mails from your personal account? And what lengths are you willing to go to to prove that you didn’t?

Some people, including supporters of yours, have suggested having an independent arbiter look at your server, for instance.

CLINTON: We did not. In fact, my direction to conduct the thorough investigation was to err on the side of providing anything that could be possibly viewed as work related.

That doesn’t mean they will be by the State Department once the State Department goes through them, but out of an abundance of caution and care, you know, we wanted to send that message unequivocally.

That is the responsibility of the individual and I have fulfilled that responsibility, and I have no doubt that we have done exactly what we should have done. When the search was conducted, we were asking that any email be identified and preserved that could potentially be federal records, and that’s exactly what we did.

And we went, as I said, beyond that. And the process produced over 30,000 you know, work emails, and I think that we have more than met the requests from the State Department. The server contains personal communications from my husband and me, and I believe I have met all of my responsibilities and the server will remain private and I think that the State Department will be able, over time, to release all of the records that were provided.

QUESTION: Madam Secretary, two quick follow ups. You mentioned the server. That’s one of the distinctions here.

This wasn’t Gmail or Yahoo or something. This was a server that you owned. Is that appropriate? Is it — was there any precedent for it? Did you clear it with any State Department security officials? And do they have — did they have full access to it when you were secretary?

And then separately, will any of this have any bearing or effect on your timing or decision about whether or not you run for president? Thank you.

CLINTON: Well, the system we used was set up for President Clinton’s office. And it had numerous safeguards. It was on property guarded by the Secret Service. And there were no security breaches.

So, I think that the — the use of that server, which started with my husband, certainly proved to be effective and secure. Now, with respect to any sort of future — future issues, look, I trust the American people to make their decisions about political and public matters. And I feel that I’ve taken unprecedented steps to provide these work-related emails. They’re going to be in the public domain. And I think that Americans will find that you know, interesting, and I look forward to having a discussion about that.

QUESTION: Were you ever — were you ever specifically briefed on the security implications of using — using your own email server and using your personal address to email with the president?

CLINTON: I did not email any classified material to anyone on my email. There is no classified material.

So I’m certainly well-aware of the classification requirements and did not send classified material.

CLINTON: Because they were personal and private about matters that I believed were within the scope of my personal privacy and that particularly of other people. They have nothing to do with work, but I didn’t see any reason to keep them.

Comment Article on the Clinton Email Server Issue

My latest posting over at Geekwire is my analysis and commentary on why Hillary Clinton using a “homebrew” email server is a major security problem.

Comments on the Stratos Digital Wallet Card

I got to talk with KIRO Radio here in Seattle recently about some of the risks with new, untested digital wallet cards like the new offering from Stratos. Plus, my comments on how cash may make a comeback.