Friday, July 26, 2019

Hardening to death

A quote from the novel Stalker (A&B Strugatski):

Let everything that's been planned come true. Let them believe. And let them have a laugh at their passions. Because what they call passion actually is not some emotional energy, but just the friction between their souls and the outside world. And most important, let them believe in themselves. Let them be helpless like children, because weakness is a great thing, and strength is nothing. When a man is just born, he is weak and flexible. When he dies, he is hard and insensitive. When a tree is growing, it's tender and pliant. But when it's dry and hard, it dies. Hardness and strength are death's companions. Pliancy and weakness are expressions of the freshness of being. Because what has hardened will never win.

I am somehow ready to share this opinion, but let me explain first.

This could also be true in the cyber environment, when we look at it from the point of view of an expert's mindset.

When you find out that your system (a computing system, or any other set of interacting or interdependent components forming an integrated whole) is weak and exploitable, you want to harden it. You don't want to lose control over it. You do your best and you put your reputation at stake. This is what we call professionalism. You back your decisions with all your knowledge and skills. Your organization relies on you and your expertise, and you do not want to fail and prove your skills inadequate.

So, the further you go with hardening without any setbacks, the more you believe in your skills and the less you are inclined to believe in your own failure. If you are reluctant to let someone test your skills, which is quite understandable when you hold a senior rank, you get less and less objective feedback.

You keep hardening and hardening; you face some challenges, but you find a way to manage them. Of course you do, because you have been doing it for a long time.

But the more you harden your system, the more precious it becomes to you. It becomes too big to lose. And when you realize that your system is too big to lose, the higher the walls you build around it.

You have been using your resources to harden your system, but how much did you take part in everyday life outside the boundary? Did you protect your system to death? Did it become obsolete? Did the surrounding world change so much that you could not fit your system into it any more? Did the surrounding world change so much that the assets you were supposed to protect no longer needed your protection, and the business turned against you?

This might be a true story in many companies and agencies when the business need for mobility meets inflexible security standards. Yesterday it was cloud computing against on-premises systems. Today we talk about taking your business data into AI.

You are allowed to keep your cyber security job only because of the need for compliance, but the assets are somewhere other than in your System.

While Stalker is a good sci-fi novel, it is also a criticism of the Soviet system. As a totalitarian system it was hardened. And as we know, it did not serve its purpose. The security did not meet the needs of the assets, if we consider the individual and his rights to be the asset of the system. The security of some was valued more than the security of the others.

What we need least is self-sufficient admins and security professionals. Question your decisions, and ask others to try to break your security architecture. Live with your assets and take care of them, not of your system.

Tuesday, April 5, 2016

E-mail security and risk assessment

TL;DR: If you are running any shady business that could cause a heavy worldwide negative impact when leaked, use something other than email for communicating.

The colossal data leak of the Panamanian law firm Mossack Fonseca raises more than just eyebrows. It raises the question of why data claimed to be "top secret" is transferred by email.

If the leaked data is truly from the mail server (which I do not believe), it shows how little the law firm and their clients are informed of email insecurity, or that they could not care less. If the firm and their clients are running a shady business, they screwed up the risk assessment pretty badly.

My thoughts are based on these conditions:

  • Avoiding taxes or laundering money
    • do not get caught
  • Using email for customer communications
    • emails are liable to be exposed
  • A large amount of customer data in one email server
    • you are going to lose it all at once
  • Losing a large amount of tax-avoiding customers' communication at once
    • you have a problem
  • If losing "only emails" is a problem for you
    • your emails were enough to sink you

The risk score is usually calculated as likelihood * impact. This is quite simplified, but it is the most common way to do it. You have to have solid asset management in place before the risk assessment.

The assets

If the leak consists only of emails and attachments, then the law firm and its clients did not understand the value of their emails. Or they did not understand their potential negative value.

Even without the attachments, an email exposes both counterparts of the communication, the time, the location and the content of the message. And even if the content is encrypted, the other data (the metadata) is exposed. The metadata of a large number of messages alone gives a pretty good understanding of what your business is, who your counterparts are, and when and how often you interact. And when you map this data against publicly available financial or political data, it is quite easy to establish causal relationships.
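To make the point concrete, here is an added example (not from the original post) that reads nothing but the headers of a small constructed mailbox and reports who talks to whom, how often, over what period and from which hosts. The addresses, dates and IP addresses are invented sample data.

```python
# Added example: what the metadata of a mailbox reveals even when every body is encrypted.
from collections import Counter
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime


def make_message(sender, recipient, date, origin_ip):
    # Constructed RFC 5322 message; the body is an unreadable placeholder on purpose.
    return (
        f"Received: from relay.example ([{origin_ip}])\n"
        f"From: {sender}\nTo: {recipient}\nDate: {date}\nSubject: (none)\n\n"
        "[encrypted body, not readable]\n"
    )


# Constructed sample mailbox: four messages, no readable content at all.
MAILBOX = [
    make_message("partner@shell-co.example", "counsel@lawfirm.example",
                 "Mon, 07 Mar 2016 09:12:00 +0000", "198.51.100.7"),
    make_message("counsel@lawfirm.example", "partner@shell-co.example",
                 "Tue, 08 Mar 2016 17:40:00 +0000", "203.0.113.10"),
    make_message("partner@shell-co.example", "counsel@lawfirm.example",
                 "Fri, 18 Mar 2016 08:05:00 +0000", "198.51.100.7"),
    make_message("minister@gov.example", "counsel@lawfirm.example",
                 "Mon, 04 Apr 2016 10:00:00 +0000", "192.0.2.44"),
]


def summarize_metadata(raw_messages):
    """Aggregate counterparts, frequency, time span and submitting hosts from headers only."""
    pairs, senders, origins, dates = Counter(), Counter(), Counter(), []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg["From"])[1].lower()
        recipient = parseaddr(msg["To"])[1].lower()
        pairs[tuple(sorted((sender, recipient)))] += 1   # who talks to whom
        senders[sender] += 1                              # who drives the conversation
        dates.append(parsedate_to_datetime(msg["Date"]))  # when
        # The Received header names the submitting host: a rough location.
        for line in msg.get_all("Received") or []:
            if "[" in line and "]" in line:
                origins[line.split("[", 1)[1].split("]", 1)[0]] += 1
    dates.sort()
    return {
        "counterparts": dict(pairs),
        "busiest_sender": senders.most_common(1)[0][0],
        "first": dates[0].date().isoformat(),
        "last": dates[-1].date().isoformat(),
        "span_days": (dates[-1] - dates[0]).days,
        "origins": dict(origins),
    }


if __name__ == "__main__":
    for key, value in summarize_metadata(MAILBOX).items():
        print(f"{key}: {value}")
```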

Let's break down the impact in this case.

We can estimate the size of the impact in hindsight, because it is visible in the news all over the world. The people and companies that were involved are dodging the negative impact with varying success.

[Image caption] Sigmundur Davíð Gunnlaugsson will remain as the leader of his Progressive party, and early elections are a possibility. Photograph: Birgir Por Hardarson/EPA. Source: The Guardian.
The prime minister of Iceland resigned due to the revelation of his family business in a tax haven. A resignation from the prime minister's position is such an impact that it should hit the top rank in the impact score. A negative impact score.

Analyst's recommendation:

Well, I guess the prime minister:
a) did not make a risk analysis, or
b) failed in the impact analysis, or
c) took the risk of trying his luck against the likelihood.

My academic estimate is that he ruined both his political and business career soundly. This is the materialized impact.

The law firm impact:
If the law firm is helping its clients to cover their shady business, the law firm can run that business as long as it is kept out of the newspapers. The other way round: "we are out of business if we or our clients get caught". Well, they did. If one of your clients gets caught, you might have a problem. If you lose them all.. Any law firm should understand its role and provide secure means for its clients; otherwise the law firm is not trustworthy -> game over.
The regular recommendation when a risk analysis concludes that you could go out of business: AVOID IN ALL CIRCUMSTANCES.

The law firm:
a) did not make a risk analysis, or
b) failed in the impact analysis, or
c) took the risk of trying their luck against the likelihood.

If both the law firm and their clients shared the risk impact, shouldn't they have done something about it? Usually, if a company or its client sees that the other party could cause top-scale damage, there would be at least twenty-four pages of legal jargon about it in the contract.

And then the likelihood

It would be easy in hindsight to say that the likelihood in this case should also be at the top. Let's try a slightly more analytic approach. If the client data was sitting in the email server database, it was exploitable. And if it was exploitable, it was only a matter of time before it was milked out.

One of the biggest failures of having an email server as a container for classified customer data is that it is connected to the internet. It has that connection even if it sits behind multiple security layers; that is the nature of email over the internet. The boundary protection is mostly adequate for regular companies, but if the profit from hacking is high enough, then all the firewall-antivirus-SIEM systems are only a hindrance.

The likelihood rises with a very varied client security culture. Sometimes it takes only one weak spot, and all the other countermeasures are useless. And usually the weakest link is the human. I wouldn't bet that all of the law firm's clients have state-of-the-art security systems. Not even 1% of them.

Information that could cause huge-scale damage when exposed should be classified. And the classification should bring additional security measures in proportion to the size of the damage. For instance, NATO CONFIDENTIAL documents are kept in totally separate systems. No attack surface, no public exposure. This is how governments usually do it. But businesses seldom do, because extra security costs money and cuts into your share.

It is said that running a business is a risk - this is one of them.


I used to be a security consultant and some of my clients were FORTUNE 500 businesses. Mostly only the government clients were concerned about what kind of information I store on my laptop and how I protect the email. It is sadly common that email is widely used for transferring company strategic data.

If you store customer data, protect it better than yours. If you release your data to a service provider, demand that it protects it better than you can.

If you store confidential data of your customers, be sure that a hack into your own system does not expose your clients' data. Be sure that if you fail to protect one customer's data, all the other customers' data does not leak at the same time.

Be sure.
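As an added example (not from the original post), here is the likelihood * impact score from the start of this post carried through for the two designs discussed above: one shared mailbox holding every client's data, and the same data kept separate per client. The per-client compromise probability, the impact levels and the score thresholds are assumptions for illustration; the "weakest link" model is the post's own observation that one weak spot among many clients is enough.

```python
# Added example: likelihood * impact with the "one weak link is enough" likelihood model.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "out_of_business": 5}


def weakest_link_likelihood(per_party_compromise, parties):
    """Probability that at least one of `parties` counterparts is compromised
    during the assessment period, assuming the same probability for each."""
    return 1.0 - (1.0 - per_party_compromise) ** parties


def likelihood_band(probability):
    # Assumed mapping from probability to the 1..5 bands of a simple risk matrix.
    for limit, band in ((0.05, 1), (0.2, 2), (0.5, 3), (0.8, 4)):
        if probability < limit:
            return band
    return 5


def assess(asset, impact_level, per_party_compromise, parties):
    """Score one asset and apply the post's rule: out-of-business impact is always AVOID."""
    probability = weakest_link_likelihood(per_party_compromise, parties)
    band = likelihood_band(probability)
    impact = IMPACT[impact_level]
    score = band * impact
    if impact == IMPACT["out_of_business"]:
        decision = "AVOID IN ALL CIRCUMSTANCES"
    elif score >= 15:
        decision = "treat before proceeding"   # assumed threshold
    elif score >= 8:
        decision = "treat"                     # assumed threshold
    else:
        decision = "accept with monitoring"
    return {"asset": asset, "likelihood": round(probability, 4), "band": band,
            "impact": impact, "score": score, "decision": decision}


# Constructed scenario: 300 clients, each with a 2% chance of a weak spot per year.
SHARED = assess("all client archives in one mail server", "out_of_business", 0.02, 300)
SEGREGATED = assess("one client's archive, kept separate", "major", 0.02, 1)

if __name__ == "__main__":
    for result in (SHARED, SEGREGATED):
        print(result)
```

The same per-client weakness gives a near-certain loss of everything when the archives are pooled, and a low-band risk with a bounded impact when they are not.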

Saturday, February 23, 2013

A two-way communication in UAV rescue?

I am doing a small piece of research to design a two-way communication concept for a search & rescue service, where a UAV (unmanned aerial vehicle, for instance a balloon, a copter, a disc or a fixed-wing aircraft) could relay two-way communication between the rescue service and the victim.

The rescue service (like firefighters) already tries to establish two-way communication (a conversation) with the victim on a ground mission, but I am not aware of any such thing when using a UAV.

I need help from the audience: do you know of any UAV/UAS that is equipped for two-way communication between the rescue service and the victim?

Here is a description of what I am looking for.
The benefits of the conversation could be such as:

  • a response from the rescue service (we have found you)
  • a response from the target (I know that I am being searched for)
  • orders to the target (help is on the way, wait there for one hour)
  • a conditional response from the service (a storm is coming, the nearest shelter is one km north of your position)
  • a conditional response from the target (my leg is broken)
  • instructions to the target (first aid)
  • an announcement from the rescue service (stay inside due to the chemical leak)
  • an announcement to the rescue service from a third party (someone else needs help)

The conversation does not need to use the same method in both directions:

  1. The rescue service detects the victim with a heat sensor (one-way communication from the target to the rescue service)
  2. The UAV starts hovering or orbiting around the target
  3. The target shows light signals with a flashlight (one-way communication from the target to the rescue service)
  4. The UAV gives a response with light or sound (one-way communication from the rescue service to the target)

The communication methods could be such as:

Light signals
The rescue service and the target could communicate with lights. This needs light devices for both parties. The UAV could be equipped with signal lights.

Sound signals
The rescue service and the target could communicate with sounds. This could be a voice conversation or other sounds that a human and a machine can produce. The UAV could be equipped with a microphone and a loudspeaker.

Data signals
The rescue service and the target could communicate with electronic devices, such as computers or cellular phones. The UAV could be equipped with a telecom base station.

With best regards,

Antti Savolainen

Saturday, July 14, 2012

How safe is a plastic bag?

A far-fetched example of the nature of safety and security

Originally published in Finnish on Fri 18th November 2011. The bottom-line argument was added later.

..if you really have to buy one.

When considering the safety of a plastic bag, it is good to approach the issue from two aspects: the purpose and the conditions of usage.

The common purpose of a plastic bag is to carry suitable items, or to keep them in a condition that does not become harmful to the contents of the bag.

The Purpose


The purpose of the usage has a strong link with the objectives of the action. This could be, for instance, carrying a bottle of milk home from the grocery (AKA the functional requirement).

This action has quality objectives. You have to get the bottle home. And the milk should be kept cold until it is stored in the fridge. The ultimate objective (the business requirement) of this action is to enjoy cold milk later; the plastic bag has only a milestone objective, so it has only a support function on the way to the enjoyable glass of milk. The safety (or security) needs of a plastic bag are sufficient tensile strength and padding.

In most cases a plastic bag does not have any protection against heat or bumps. Those are conditional threats (they do not exist all the time), so we have to handle them separately from the purpose (the time we want to carry milk).

The Conditions


The usage conditions have an effect on safety. If you carry that milk bottle in summer heat, it is quite certain that the milk is not drinkable after a while. Every 2 degrees Celsius of extra temperature halves the usable time. And drinking spoiled milk could be harmful to your health (safety). And it is nasty for your roommates too..

So the plastic bag complies with the safety needs only in limited conditions. The business/functional requirement becomes a safety requirement in two cases:

  • The safety of the ultimate action is not guaranteed in any other way
  • The product could become harmful to its user in certain conditions

The plastic bag's safety objective (control objective) from the conditions point of view is that it must maintain its functional features in common conditions. You should not put it on the heater. It is also wise to guide the user to avoid the harmful conditions.



You can also evaluate the plastic bag's safety from the point of view of misuse. You can choke if you pull the plastic bag over your head and there are no other holes big enough. You can find the purpose (to pull the plastic bag over your head) and the conditions (no other holes) in the previous sentence. Those are simply described as threats.

Should we ban the carrying of a bottle of milk on a crisp fall evening only because someone could choke on the plastic bag?


As a summary..


If you are concerned about the security of [anything], do not handle it apart from the essential action. There are many security details, for and against. You should estimate them from the points of view of purpose, usage and misuse. Use the very same estimating tools and methods that you use in other decision-making, for instance in investments. What do we gain, what could we lose, how do we guarantee the benefits and how do we protect against stranded investments?

Compare the need for freedom of speech with the need for censorship to protect internet users from unpleasant content. Are the protective measures justified, or do they turn against the purpose?

Saturday, June 30, 2012

The Middle East heat and European-Asian connections?

Many of the European-Asian Internet connections cross the Middle East, both as land and as sea cables. The more these two continents are financially connected with each other, the more valuable the cable connections are. There are still American-Asian and European-American connections, but their capacity will take a huge hit if, for instance, the TAE network gets disconnected. And there are satellites, but how much capacity will be left if a full-spectrum war breaks out in the Middle East?

Here are some aspects for you:


[Image: Sea cables through Egypt. (C) http://www.cablemap.]

If this map is even close to accurate, the European-Asian sea cable connections rely on Egypt. Egypt finally got its president, but the situation is not stabilized yet. During the Arab Spring censorship, the Egyptian government stated that it would leave the international interconnections untouched. The uprising did not disturb the connections, or did it? But what if the election result does not calm the situation but instead takes a step towards civil war?


The Trans Asia-Europe Optical Fiber Cable crosses some stormy areas, like Georgia (remember the conflict in 2008) or northern Iran. What happens to the connections if the Iranian situation escalates? Will the TAE network be held hostage, with ransom demanded in exchange for support? In such a situation, does a connection benefit more than a disconnection? Which side of the front would a disconnection serve more? Both sides have to consider the pros and cons.

[Image: TAE network in the Middle East.]


If the Syrian civil war breaks out into a full-scale conflict, then the TAE could get hit in several places even though it does not cross Syrian borders. One part of the TAE network goes through Kurdistan in south-east Turkey and northern Iraq. It is obvious that the Kurds would take the opportunity to move towards sovereignty during an escalated conflict. Likewise, Turkey could use the moment to defeat the Kurdish rebellions inside Turkey, Syria and northern Iraq. Sabotage, collateral damage and strategic disconnection are the more likely consequences of a conflict escalation.

The future?

There are several sea cable projects on-going in Africa. Are those enough to back up the cable through Egypt?

[Image: Russian future sea cable.]

Russia is laying the Russian Optical Trans-Arctic Submarine Cable System (ROTACS) across the Arctic Sea; it should be an alternative to the TAE.

Kazakhstan went to IPv6, congratulations!

PS. How many times have you typed "the Middle Earth" instead of "the Middle East"?