Rudy Giuliani's Paranoid Nonsense Tweet Is A Good Reminder That We Need Actual Cybersecurity Experts In Government

from the what-the-actual-fuck dept

Rudy Giuliani may have built up a reputation for himself as "America's Mayor" but the latest chapters in his life seem to be a mad dash to undo whatever shred of goodwill or credibility he might have left. Politics watchers will know that he's been acting as the President's lawyer, in which (as far as I can tell) his main job is to go on TV news programs and reveal stuff no lawyer should reveal. But, we shouldn't forget Giuliani's previous jobs. His earlier firm, Giuliani Partners, had a subsidiary called Giuliani Security that at least at one time claimed to do "cybersecurity." Of course, when the press explored what that actually meant, it was fairly limited.

"If you hired them on a cyber engagement, they are going to tell you what your legal obligations are and how to manage the legal risk related to cyber," a cybersecurity executive in New York who has experience with Giuliani Security and Safety and requested to remain anonymous told Motherboard. "Basically, not to prevent a Target [breach], but how to prevent a Target CEO being fired."

Still, a lot of heads spun around when Giuliani himself was named as Trump's cybersecurity advisor, because, as basically everyone recognized, he does not appear to know anything about cybersecurity.

Yesterday, Giuliani made clear just how incredibly ignorant he is of the basic functioning of the internet. As I type this these tweets are still up, but I'll post a screenshot on the assumption that someday, someone with actual knowledge will get to Giuliani and convince him to take these tweets down:

There's a lot going on here, so if you haven't been following all of this, it may take a bit to unpack. The first tweet references Mueller's recent filings against Paul Manafort, Trump's former campaign boss, for lying (again) to the Special Counsel's Office. Giuliani is making a weird unfounded claim that Mueller is specifically timing his indictments to times when the President is about to leave town for international gatherings. Considering the number of indictments that Mueller drops -- most of which don't happen when Trump is about to travel to meet foreign world leaders -- this already feels like ridiculous conspiracy mongering.

Within that tweet, Giuliani appears to make a few typos -- specifically forgetting to put a space after the period of a couple of sentences. The first time this happened, the sentence ended with "G-20." The next sentence begins "In". However, because (1) the lack of a period mushes these together as "G-20.In" and (2) because ".in" is the top level domain for India, Twitter interpreted that as a link to the website g-20.in. Some bright, enterprising person then registered such a website and posted an anti-Trump message to it, specifically this:

Whoever set up that site has since added a news update concerning Mueller's recent sentencing recommendations for Trump's former National Security Advisor Michael Flynn, who was among the first brought down by Mueller.

Lots of people were mocking supposed "cybersecurity expert" Giuliani for accidentally posting such a link and opening himself up to such a thing. But last night Giuliani decided to take the nonsense to extreme levels of nonsense, accusing "cardcarrying anti-Trumpers" at Twitter of allowing "someone to invade" his tweet to insert that link. His "evidence" for this was the fact that the second time in that same tweet where he made the same "no space after a period" typo -- creating "Helsinki.Either" -- it did not turn into a link. And... as basically anyone who has even the most rudimentary understanding of the internet (clearly not including cybersecurity expert Rudy Giuliani), the reason there is no link for that is because ".either" is not (yet) a top level domain, and thus Twitter's systems don't see it as a link and don't automatically link it.

The rest of the internet has been having lots of fun with this, mocking Giuliani, and I'm amazed that the tweet has stayed up for as long as it has. Twitter was even forced to issue a statement denying any foul play:

A spokesperson told Fortune that the company’s “service worked as designed.” The spokesperson added that whenever someone tweets a Web address, a clickable link is automatically created.

“Any suggestion that we artificially injected something into the user’s account is false,” the spokesperson said.

And while it may be fun to mock such utter incompetence put on display for the world, this really does highlight a serious problem. The lack of knowledgeable people about real online security issues in the government -- especially when computer security issues are so vital to almost everything these days -- is a real problem. We can laugh about "cybersecurity advisor" and "expert" Rudy Giuliani not understanding how top level domains and links work, but then we should be terrified to think that... who the hell is actually advising the administration on very serious issues regarding internet security, at a time when tons of entities, from lowly criminals to aggressive nationstates, are using the network to mount various attacks.

And, yes, there are actually a number of other people in the government who do truly understand this stuff. But over and over again it appears that the people appointed to the highest levels concerning these things have no clue. And that's a big deal, because computer security issues aren't something you just pick up with a crash course. They're complex and challenging and require a pretty deep level of knowledge to actually understand both the threats and the possible remedies. And, when the administration's top cybersecurity adviser freaks out because he doesn't know what a top level domain is... that should worry us all.

Filed Under: cybersecurity, expertise, rudy giuliani, top level domains

An Ongoing Lack Of Technical Prowess Is Resulting In Bad Laws, Bad Prosecutions, And Bad Judicial Decisions

from the ignorance-of-what-the-law-affects-is-the-perfect-excuse dept

Everyone in government is talking cyber-this and cyber-that, even though a majority of those talking don't have the technical background to back up their assertions. This leads to dangerous lawmaking. The CFAA, easily one of the most abused computer-related laws, came into being thanks to some skittish legislators who'd seen one too many 80's hacker films. ("WarGames," to be specific.)

Faulty analogies have led to other erroneous legislative conclusions -- like the comparison of email to snail mail -- which has led to the government treating any unopened email as "abandoned" and accessible without a warrant.

But the problem goes further than the legislative branch. The executive branch hasn't been much better in its grasp of technical issues, and the current slate of presidential candidates guarantees this won't change for at least another four years.

The judicial branch has its own issues. On both sides of the bench, there's very little technical knowledge. As more and more prosecutions become reliant on secretive, little-understood technical tools like cell tower spoofers, government-deployed malware, and electronic device searches, unaddressed problems will only multiply as tech deployment ramps up and infusions of fresh blood into the judicial system fail to keep pace.

Garrett M. Graff of Politico -- in a piece written for the Washington Post -- discusses how the government prosecutors' lack of tech expertise is resulting in bogus investigations and Constitutional violations.

Last year, the FBI nearly destroyed the life of an innocent physicist. In May 2015, agents arrested Xi Xiaoxing, the chairman of Temple University’s physics department, and charged that he was sneaking Chinese scientists details about a piece of restricted research equipment known as a “pocket heater.” An illustrious career seemed suddenly to implode. A few months later, though, the Justice Department dropped all the charges and made an embarrassing admission: It hadn’t actually understood Xi’s work. After defense experts examined his supposed “leaks,” they pointed out that what he’d shared with Chinese colleagues wasn’t a restricted engineering design but in fact a schematic for an altogether different type of device.

It's not just prosecutors. Graff notes that there's no "pipeline" of lawyers who can read and understand code heading to either side of prosecutions, which means defendants will be at the mercy of judges' interpretations of evidence and arguments. That's bad news as well.

As documents have surfaced thanks to the Snowden leaks and the government being more forthcoming with FISA court decisions, it's become apparent that judges issuing orders haven't been fully apprised of the technical details of the NSA's domestic surveillance programs.

The fallout from Edward Snowden’s revelations exposed numerous instances in which agency lawyers miscommunicated to courts about what the government was doing. There are two possible explanations: Either they willfully exploited judges’ lack of technical knowledge, or the lawyers themselves couldn’t fathom the programs they were trying to explain.

Irritated FISC judges have come down hard on the agency periodically, pointing out serious misrepresentations by the NSA's lawyers. Unfortunately, these discoveries have always come well after the fact. In the periods between judicial benchslaps, the agency has acted with autonomy. Forgiveness is better than permission, especially when the person approving surveillance requests either doesn't have all the information they need or is unable to interpret the information they've been provided.

The lack of expertise -- and the lack of new talent flowing in -- means this sort of thing will continue to happen far too often. Judges will be duped. Defendants will end up jailed because of the ignorance surrounding them. Bad analogies will shore up inadequate explanations. And, if you're the sort who believes "accused" means "guilty," the shortage of knowledgeable prosecutors will result in jaw-dropping "technicalities" returning suspected criminals to the streets.

In one recent prosecution of a security researcher accused of illegal hacking, an assistant U.S. attorney summarized the case to the court by saying, “He had to download the entire iOS system on his computer, he had to decrypt it, he had to do all of these things I don’t even understand.” The government ultimately lost the case.

So, what can be done to fix it? Not much. Only a few law schools offer classes in cybersecurity, coding, or other tech fields. Those that do have long waiting lists. The upside is that a technically-proficient law school grad should find plenty of opportunities awaiting them. The downside is that there's not nearly as much money in the public sector as there is in the private. This may mean criminal defense will see a boost in knowledge, but that will only help those who can afford to hire top-tier lawyers.

The government, meanwhile, will likely continue to stumble over its own ignorance. Fortunately for government prosecutors, most judges are willing to cut government prosecutors a lot of slack, something only exacerbated by lawmakers pushing legislation targeting things they don't even understand.

Filed Under: expertise, law, policy, politics, technology

UK Government Forbids Publicly-Funded Scientists And Academics From Giving Advice It Disagrees With

from the la-la-la-la-la-not-listening dept

Three years ago, Techdirt wrote about the Canadian government muzzling scientists and librarians, in a clear effort to prevent them from pointing out that some of Canada's policies were scientifically stupid. That was a blatant attempt to censor those who had not just inconvenient opinions but also awkward facts that would have made life difficult for the Canadian government. The UK wants to do something similar, by forbidding scientists and academics from using their expertise to push for changes in policy -- even in private. As The Guardian reported:

The proposal -- announced by the Cabinet Office earlier this month -- would block researchers who receive government grants from using their results to lobby for changes to laws or regulations.

For example, an academic whose government-funded research showed that new regulations were proving particularly harmful to the homeless would not be able to call for policy change.

Similarly, ecologists who found out that new planning laws were harming wildlife would not be able to raise the issue in public, while climate scientists whose findings undermined government energy policy could have work suppressed.

The new policy is contained in an amendment to the agreement that all those receiving grants from the UK government must sign. As the press release announcing the move explained:

A new clause to be inserted into all new and renewed grant agreements will make sure that taxpayer funds are spent on improving people’s lives and good causes, rather than lobbying for new regulation or using taxpayers’ money to lobby for more government funding.

That might sound reasonable, especially the last part about not being able to lobby for more funding. It is aimed mainly at organizations that receive government grants, but many academics believe that it is so loosely worded that it will also apply to them, and will prevent them from pushing for new regulations in any circumstances. Even if that is not the UK government's intention, the mere existence of the policy is bound to have a chilling effect on the academics, since few will want to run the risk of having their grants taken away by inadvertently breaking the new rules.

Academics aren't the only ones who are worried. Recently, a group of MPs who sit on the important House of Commons Science and Technology Committee wrote a letter to the UK government expressing their concern that:

The "anti-lobbying" clause to be inserted into new grant agreements will create a barrier to evidence-based policymaking and will have unintended effects on the work of [Parliament's advisory] select committees.

Specifically, the politicians on the House of Commons Science and Technology Committee wrote:

We are concerned that the Cabinet Office's announcement has created ambiguity, and that researchers will become reluctant to present to us the policy recommendations that arise from their work. Academics may also become unwilling to take on advisory positions in Government or Parliament, and may even feel uncomfortable speaking at conferences where policymakers are present, for fear of falling foul of this clause.

The well-known UK academic and medical campaigner Ben Goldacre has written a powerful and informative piece explaining why he believes his "lobbying" of politicians serves an important function. He says:

I don't just want this ban overturned: I want to see more academics talking to policymakers, and I want the public to know what we do, so that they can decide if it's good or bad.

Indeed, he suggests that rather than forbidding academics from lobbying for new regulations, they should be encouraged and even trained to do so:

If you're an academic who lobbies, then don't be shy, and don't be scared: you should share your experiences, and your techniques. If you want to waste even more time on activities with no credit and no hope of funding, then perhaps we could set up a course, or a forum, to pool knowledge on better ways to interact with [the UK government]. And lastly, if you’re a politician, and you really want to ban this activity, then shame on you. You're a failure, an obstacle to good progress, and an outlier. But there's one final piece of happier news. You won't last long.

Let's hope he's right.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: academics, expertise, lobbying, policy, scientists, uk

FBI Wants To Lead The Nation's Cyberbattalions, But Can't Seem To Recruit Enough Cannon Fodder

from the dodgy-agency-dodged-by-respectable-parties dept

The FBI's cyber-initiatives may be doomed to fail. While it seems to have little problem acquiring and deploying new technology and techniques, it's finding it very hard to talk people into running all of it, as Alexander Martin at The Register points out.

The Federal Bureau of Investigation is struggling to hire computer scientists, according to a Department of Justice audit of the feeb's attempts to implement its Next Generation Cyber Initiative.

A 34-page audit report (PDF) from the DoJ notes that, while making considerable progress, the FBI has "encountered challenges in attracting external participants to its established Cyber Task Forces".

The Inspector General's report provides additional details on how far behind the agency is falling on its hiring goals. Even the hiring process itself is holding the FBI back.

While the process may start with a recruitment event attended by 5,000 interested candidates, the inability of candidates to meet the FBI’s specific eligibility criteria reduces that number to approximately 2,000 eligible candidates. Subsequently he told us that only about 2 candidates out of such a group are actually hired by the FBI. Another FBI official told us that the FBI loses a significant number of people who may be interested because of the FBI’s extensive background check process and other requirements, such as all employees must be United States citizens and must not have used marijuana in the past 3 years, and cannot have used any other illegal drug in the past 10 years. Another factor may be that private sector entities are able to offer technically trained, cyber professionals higher salaries than the FBI can offer.

The whitehat hackers the FBI would like to hire are looking for more pay and a less-intrusive hiring process. The FBI's hiring process and wage scale are unlikely to be responsive (though the latter is far more flexible than the former) to these demands. As long as coders can get better pay from employers that don't subject them to this level of pre-hire intrusion, the FBI will always find its staffing trailing its capabilities.

While the Five Eyes partners mentioned in the report have expressed their support of the FBI's cyber-focused joint task force, it's clear the public has not. But that part of the equation isn't mentioned in the OIG report. It may have been discussed off the record, but there's no acknowledgment that the post-Snowden climate -- combined with the exposure of FBI misconduct ranging from national security letter abuse to its series of entrapment-esque terrorism busts -- have made the FBI a less-than-desirable employer. Its reputation isn't entirely toxic, but it has managed to alienate a large portion of the tech crowd it wishes to hire. Director James Comey's continued assault on encryption isn't helping anything.

It's doubtful the deployment of a G.I.-bill-but-for-coders will fix this, but that's what the agency is looking to do.

One FBI official explained that the FBI is offering several incentives to recruit individuals including school loan repayment, reimbursement for continuing education, and hiring at higher salary levels on the general pay scale. He also added that the FBI is providing training opportunities for existing personnel including certifications and enrollment in the Carnegie Mellon University Master’s program in Information Technology as retention tools. In addition, in December 2014, the FBI announced to its employees a similar program at the New York University Polytechnic School of Engineering.

The good news is that once someone's hired by the FBI, they tend to stay, despite more lucrative opportunities elsewhere. But that's of little use when the problem is acquisition, rather than retention.

As of January 2015, however, 52 of the 134 Computer Scientist positions remained vacant and 5 of 56 field offices did not have at least 1 computer scientist, as planned.

Working for the FBI isn't like working for another tech company. The job also has a social cost that won't be addressed by student loan assistance and training opportunities. To work for the FBI, especially for someone who identifies as a "hacker," is to say goodbye to a large number of your colleagues. While the private sector doesn't lack for non-disclosure agreements, the FBI's disapproval of "shop talk" with friends and family carries hefty federal weight behind it. Normal small talk starts to resemble a series of probative queries. This may only exist in the minds of those interacting with friends and colleagues who have taken jobs at the FBI, but it's enough to make things uncomfortable.

The FBI may believe its problems are mostly of the pay scale variety, but there's more to it than purely fiscal concerns. The agency may do good work, but it has engaged in questionable investigations and activities almost since its formation. Leaks and FOIA documents have done further damage to its reputation in recent years. The FBI, despite its technical prowess -- appears to be anti-tech, at least in terms of fighting against any advances that impede its surveillance techniques. The agency, for the lack of a better word, is untrustworthy. The FBI appeals to candidates' idealism during the recruitment process, but over the years, it has repeatedly acted without integrity. Because of that, it will always have a problem finding whitehats willing to work for an entity that often seems to be in the "blackhat" camp.

Filed Under: cybersecurity, doj, expertise, fbi, recruitment, technology

DailyDirt: Educating Adults

from the urls-we-dig-up dept

Elite schools aren't getting any cheaper, and college tuition seems to be rising faster than a lot of other goods (though the net price may not be). So what are aspiring university students to do? Here are just a few interesting links on the future of education.

• One proposal for college students to try to pay for rising tuition fees is for schools to take a cut of their students' future earnings in lieu of upfront tuition. Indentured servitude 2.0 might kill the classical liberal arts education, but oh well. [url]
• Baby boomers might be able to take college-level classes via iPads and chatrooms, but do they really want to? Mobile classes sound useful for students of any age, so why target just the baby boomers? (This exercise left to the reader.) [url]
• Sal Khan discusses the future of credentialing -- and how schools might be separated from the role of providing proof of proficiency. The future of microcredentials could offer a way for anyone to obtain proof of expertise in a narrowly-defined domain. [url]

If you'd like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post.

Filed Under: college, credentialing, education, expertise, khan academy, microcredentials, schools, tuition, universities