
Questioning the Internet


By humblejournalist


New Cyber Society

Politics, economics, commodities, technology and war, are intertwined to form the fabric of history. When the spice trade and sailing ships determined wealth, politics changed to suit the societies that succeeded. When the demand for ships, durable goods, armaments and munitions became labor-intensive, when foundries replaced the blacksmith, gold became the priority to make the payroll. Kings and emperors became less important, as commodities traders and ship-owners demanded more control over their investments, and democracies formed to suit the need.

Similarly, in early America, farmers, merchants, tradesmen and hunters had no use for oversight and taxation that contributed nothing to their society which relied on the new land they explored, and then developed. Democracy took hold and dominated those societies that demanded free trade.

Now, we are confronted with a new order that relies almost solely on technology and the elements required to maintain dominance like satellites, servers, software and advanced weapons systems. Civil rights, and the laws that were intended to protect them, have been overshadowed by cheap labor and quantum leaps in technology that tend to devalue the individual. Commodities, especially oil, are still important, and the primary cause of war, but virtually all else in society has become a byproduct of the computer and the umbilical cord to the networks known as the Internet.

This new dynamic is what I write about. I have endeavored to examine all of the aspects and implications of the cyber-society that has developed over the last ten years, and the inevitable conclusions that will become obvious in the future; even if most people are too busy to think about them today.

"I broke the internet"

Dan Kaminsky is the guy who found that web-traffic could easily be redirected to any destination by exploiting a DNS flaw inherent to all internet use. He casually redirected traffic to a bank back to his laptop simply by impersonating the DNS identification procedure.

In March 2008, a "secret meeting" was held in Redmond, Wa., where super-geeks wrestled with the question of informing the public about the dangers involved with internet-based data transfer. Specifically, bank and credit card information, but the same flaws can be used to perpetrate a variety of scams and rip-offs not because the original website is not protected to a certain extent, but because traffic can be redirected to another site that is a mirror-image of the original. E-mail traffic is no different because passwords are easily acquired using the same techniques, so when Kaminsky mumbled the words, "I broke the internet" after discovering how easy it was to redirect traffic by essentially impersonating the 411 directory for web addresses, he was not exaggerating even a little bit.

How? He used a common technique that is known as DNS cache poisoning, which refers to the return of incorrect IP addresses to the host server, causing traffic to be diverted to another computer. The attacker spoofs the IP address of a server he controls, tricking the unsuspecting subject computer into accepting content from non-authentic servers, inadvertently downloading malicious content in the process.
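The checks a resolver applies before it accepts and caches an answer, as an added example (not code from Kaminsky or any DNS product): a forged reply is only cached if it matches the pending query's transaction ID, server address, local port and question. All names, addresses and IDs below are constructed, and the port count used for the guess-space figure is an assumption.

```python
import math
import struct
from dataclasses import dataclass


def encode_question(qname, qtype=1):
    """Encode one question: length-prefixed labels, zero byte, QTYPE, QCLASS=IN."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_message(txid, qname, response=False):
    """Build a minimal DNS message (header plus one question, no records)."""
    flags = 0x8180 if response else 0x0100      # QR+RD+RA for replies, RD for queries
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_question(qname)


def parse_message(msg):
    """Return (txid, is_response, qname, qtype); raise on anything malformed."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return txid, bool(flags & 0x8000), ".".join(labels), qtype


@dataclass(frozen=True)
class PendingQuery:
    txid: int          # 16-bit transaction ID chosen by the resolver
    qname: str
    qtype: int
    server: tuple      # (ip, port) the query was sent to
    local_port: int    # UDP source port the query left from


def accept_response(pending, msg, src, dst_port):
    """Decide whether a received datagram may answer the pending query."""
    try:
        txid, is_response, qname, qtype = parse_message(msg)
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return False, "malformed"
    if not is_response:
        return False, "not a response"
    if src != pending.server:
        return False, "wrong source"
    if dst_port != pending.local_port:
        return False, "wrong destination port"
    if txid != pending.txid:
        return False, "transaction ID mismatch"
    if (qname, qtype) != (pending.qname.lower().rstrip("."), pending.qtype):
        return False, "question mismatch"
    return True, "ok"


def guess_space_bits(source_ports):
    """Bits an off-path forger must guess: 16-bit ID times the number of ports in use."""
    return math.log2(65536 * source_ports)


# Constructed scenario: one outstanding query and several candidate replies.
PENDING = PendingQuery(0x4D2A, "www.bank.example", 1, ("192.0.2.53", 53), 40211)
GENUINE = build_message(0x4D2A, "www.bank.example", response=True)
BAD_TXID = build_message(0x0001, "www.bank.example", response=True)
BAD_NAME = build_message(0x4D2A, "www.other.example", response=True)

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("bad txid", BAD_TXID), ("bad name", BAD_NAME)):
        print(label, accept_response(PENDING, msg, ("192.0.2.53", 53), 40211))
    # A fixed source port leaves only the transaction ID to guess; randomizing
    # the port across 64512 values (assumed range 1024-65535) nearly doubles the bits.
    print(guess_space_bits(1), round(guess_space_bits(64512), 2))
```

With a fixed source port only the 16-bit transaction ID stands between a forged reply and the cache, which is why the fix rolled out after the 2008 disclosure was source port randomization.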

I suspected that the same thing was occurring with a hosting account that used many different IP's, or nameservers, for no apparent reason. GoDaddy.com would not confirm or deny that this was occurring, even when I noticed small variations in the content, and began to also suspect that my computer was generating corrupt files.

GoDaddy.com became non-responsive when I inquired about the changes which occurred without my participation. Instead of information that would have identified the attacks, they avoided answering specific questions about content, uploads and came up with various excuses instead, like the problem requires "further review" without reply. They changed the IP on one occasion, but would not explain the other IP's associated with the website, or anything else that pertained to the account. The website NoDaddy.com has an interesting variety of complaints about GoDaddy.com, and one will find the same patterns of obfuscation in some of the communications from their support department. 

The fact that "secret meetings" are being held near Microsoft headquarters is the elephant in the room no one wants to discuss. Who elected these guys? They have more power and control than anyone except the hackers who know how to exploit the security flaws in both contemporary operating systems and DNS protocol, because virtually every office, hospital, merchant and government agency, is connected to the internet and requires access to databases that were intended to be secure, but have been easily accessed by hackers.

A range of possible attacks was demonstrated by Kaminsky, including website impersonation, e-mail interception, and authentication bypass via the "Forgot My Password" feature used on most websites that require one.

The story of what lies ahead was described by Kaminsky, and I will point readers to articles that discuss these flaws. But this quote by Kaminsky, supported by a number of others who are also "Black Hat" members, doesn't leave much room for speculation:

"There is no saving the Internet. There is postponing the inevitable for a little longer."

Stay tuned, because there will be much more subject matter to refine before these capsules will become cohesive and illustrative, and we will endeavor to connect all of them.

Harsh Words for a Harsh Reality

Kaminsky's comments were nihilistic to be sure, but also simple, direct, unequivocal, and uncommon for an expert of his aptitude. What he probably realized long ago is that computer security experts are constantly chasing the trail carved out by hackers who are constantly finding new avenues of exploitation. Kaminsky stumbled onto one of the enormous flaws that he said affected as much as 41% of all internet use. That's a big problem.

But no one besides Kaminsky who attended the "secret meeting" would talk about the inherent dangers associated with an internet connection. Why? Because of the huge investment in the internet-purchase market, which takes in many billions of dollars, and the infrastructure that was developed to make it profitable.

Today's pirates come in many disguises, and the Windows operating system is a playground for those who specialize in finding its many holes. Even if that were not so, the servers, DNS protocol, bots, viruses, worms and the inherently insecure wireless transfer of data make for almost certain cyber-chaos at some point in the future, because even the most adept security experts can't keep up with those that find ways to exploit flaws and invent new attack devices. It should be no big surprise that contingency plans are being made for a "national emergency" scenario. Or that no one has been named as a candidate for "Cyber Czar" who would be responsible for a catastrophic attack. Who wants the job? Nobody.

Is anyone immune from attack? It is very unlikely that the depth of the problems associated with internet use will be publicized any time soon. No one wants to talk about how they were hacked, their data stolen or deleted, or how it was done, so "secret meetings" will continue when something really bad happens minus the coverage of say, a hurricane or a flood.

Kaminsky only pointed out the game of catch-up will never end, nor will those in his line of work ever declare themselves victors because they will always be playing defense.

Windows Opens the Window

Part of the problem is the unfortunate sequence of events that led to Windows OS dominating the market. While Apple execs were too cool for school, dissing the competitive market, the Windows OS went to Big Blue and the rest is history. Too bad. On November 10, 2009 Microsoft patched 15 more vulnerabilities, and no doubt some of the patches will require patches.

If something resembling a secure OS had dominated instead, and Apple or Linux come to mind, a lot of the gaping holes that hackers exploit would be closed. Windows is attacked more, because there are more computers using it, but not without invitations to do so built into it. The notion that store-bought security software is the only protection you'll ever need is laughable. Some are better than others, but all are known to those who want to access your computer through an internet connection, usually within a few days of their release.

To compound the problem, most people don't trace the attackers or the IP's associated with them. Many people don't even bother scanning or cleaning their computer on a regular basis. If they did, they'd find that many attacks are from foreign countries who are constantly exploiting Windows and other flaws to access data from personal computers and private networks. There are reasons for these attacks that do not include the theft of your wedding photos or your recipe catalog. They are coordinated, sophisticated, and ultimately weaken the entire system.

And what is the system? A giant bee-hive of networks that make the internet useful, but also vulnerable. Lawrence Tout of the Midas Letter pointed out that the financial markets are in a very precarious state for a number of reasons, and that "endemic corruption and computerized fraud have synergized to create a very fragile financial system. A system that is so incredibly huge, so incredibly un-transparent and so very unstable, that it currently still teeters on the brink of greater collapse." He also notes that many triggers could cause a rapid decline in the markets, and another panic selling episode similar to October-November 2008.

The primary reasons have not changed since then. "The US is now saddled with a bloated and weakened financial system riddled throughout with a huge mass of unstable and largely unknown debts, awaiting any number of possible activatory triggers. I put it to the reader that the majority of market pundits do not fully comprehend either this current weakness of the system OR this incredible size and interconnectedness of toxic debt and fraudulent shares. Moreover, they underestimate the total speed with which such a system is now capable of collapsing should the appropriate trigger arise."

One of those triggers would be the compromise of the networks which has already occurred on many occasions, but not to the point of causing a shutdown of the markets for an extended period of time. Could it happen? Sure, it happens all the time, at power plants, airports, government agencies, and if the news hasn't reached the average consumer, it's because all of these internet-based fallibilities are treated as isolated occurrences.

They are not. Whether the access allows for fraud, corruption of software functionality, or system failure, they all have the same common denominator. Shutting down a power plant wasn't possible until the internet made it possible. There is no ghost in the machine. Only hackers who exploit flaws, and do so adroitly. Rogue mainframes developing artificial intelligence and deciding to take over the world are not the problem.

Follow the News

The President has made it known that contingency plans for a severe network failure include "annexing" private networks with the proviso that a "national emergency" justified it.

This is a term that I have become wary of when it appears in news articles since it has justified many extra-constitutional ventures that circumvent the Constitution, the most notable being the Patriot Act. If a "national emergency" were defined as a virus that was spreading rapidly through private networks, causing failures as it went, someone would have to take action. But the notion that anyone at the government level would know how to deal with it is absurd. The expertise lies elsewhere, and if there is no Cyber Czar to coordinate the effort, who is qualified to execute the plan? What IS the plan anyway?

On November 19, 2009, blogger Matthew Lasar quoted Steven R. Chabinsky of the FBI Cyber Division in testimony to Congress:

" . . . we as a nation, continue to deploy new technologies without having in place sufficient hardware or software assurance schemes, or sufficient security processes that extend through the entire lifecycle of our networks."

And the White House Cyberspace Policy Review: "The architecture of the Nation's digital infrastructure, based largely upon the Internet, is not secure or resilient."

The same assessment concluded that the Federal government "is not organized to address this growing problem effectively now or in the future."

So a takeover of private networks in a "national emergency" scenario doesn't seem like much of a solution, and the mechanics of it would probably make it impossible anyway assuming there was a "Plan" behind it.

Unfortunately, there are a gazillion unanswered questions that lead to comments like those from Kaminsky about the future of the uncontrolled, and probably uncontrollable, monstrosity known as the Web. And if you're looking for answers, you won't find them in proposed legislation, or at the straw agencies that can't find a boss. Is the Internet viable in the future or reliable now?

For instance, on the day of this entry an article detailing the security flaws in the iPhone was blogged by an Intego spokesperson by the name of Peter James: “When connecting to a jailbroken iPhone, this tool allows a hacker to silently copy a treasure trove of user data from a compromised iPhone: e-mail, contacts, SMSs, calendars, photos, music files, videos - as well as any data recorded by any iPhone app."

The flaw allows a hacker to sit around iPhone users with a laptop and steal pretty much everything they could possibly want. Not very user-friendly is it? But it is another example of the hidden cost that is always downplayed when a new techno-toy hits the market. I'm not sure the people who were lined up to buy the new iPhones were thinking about the downside when they made the purchase, but who knew? The data stolen from those individuals cannot be traced, blocked, or retrieved. Those users may spend the rest of their lives waiting for the residual effect which never occurs. But it is much more likely the data is already in use, and the manifestations will only be discovered at some point in the future. They will find little gratification or success when they try and clean up the mess.

And this from Internetnews.com the same day as this entry:

"An update for OS X's Certificate Assistant patches for a NULL character vulnerability in SSL certificates. The potential risk of the vulnerability, according to Apple, is that user could be tricked into accepting an SSL certificate for a different domain than the one they intended to visit."

The article notes that these discoveries also became public as the result of Black Hat meetings, and of course our friend Dan Kaminsky.
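The kind of name mismatch the quoted advisory describes, as an added example (not code from Apple or the article): a comparison that stops at the first NUL byte, as C string routines do, next to one that inspects the full name. The certificate name and host names are constructed, and exact-match only (no wildcard matching) is a simplification.

```python
import re

# One hostname label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(rb"(?!-)[a-z0-9-]{1,63}(?<!-)")


def c_string_view(name: bytes) -> bytes:
    """What code built on NUL-terminated strings sees: bytes before the first NUL."""
    return name.split(b"\x00", 1)[0]


def naive_match(cert_name: bytes, requested_host: str) -> bool:
    """Deliberately flawed check: compares only the NUL-terminated prefix."""
    return c_string_view(cert_name).lower() == requested_host.lower().encode("ascii")


def name_problems(cert_name: bytes) -> list:
    """List reasons a certificate DNS name should be rejected outright."""
    problems = []
    if b"\x00" in cert_name:
        problems.append("embedded NUL")
    if any(b < 0x21 or b > 0x7E for b in cert_name):
        problems.append("non-printable or non-ASCII byte")
    labels = cert_name.lower().split(b".")
    if labels and labels[0] == b"*":          # tolerate a leading wildcard label
        labels = labels[1:]
    if not labels or not all(_LABEL.fullmatch(l) for l in labels):
        problems.append("invalid hostname label")
    return problems


def strict_match(cert_name: bytes, requested_host: str) -> bool:
    """Accept only a well-formed name that equals the requested host in full."""
    if name_problems(cert_name):
        return False
    return cert_name.lower() == requested_host.lower().encode("ascii")


# Constructed name as it might appear in a certificate's subject or SAN field.
SUSPECT_NAME = b"www.bank.example\x00.other-site.example"
HONEST_NAME = b"www.bank.example"

if __name__ == "__main__":
    host = "www.bank.example"
    print("naive :", naive_match(SUSPECT_NAME, host))
    print("strict:", strict_match(SUSPECT_NAME, host), name_problems(SUSPECT_NAME))
    print("strict:", strict_match(HONEST_NAME, host))
```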

ISP's and Manufacturers

On November 13, 2009 PC World reported "Internet security experts say that misconfigured DSL and cable modems are worsening a well-known problem with the Internet's DNS (domain name system), making it easier for hackers to launch distributed denial-of-service (DDoS) attacks against their victims," citing the "open resolver" flaw inherent to these boxes that accept queries from any source. The boxes have built-in DNS servers that are shipped in an "open by default" state, which invites the exploitation of the flaw.

Amazingly enough, the article also noted that the percentage of DNS systems that are configured this way has increased from about 50% in 2007, to almost 80% today, which says volumes about the divide between warnings from security experts and the corporate response to known issues. For that reason, the dangers associated with Internet use can only multiply as hackers widen the distance between themselves, and those who are only half-heartedly trying to catch up.
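The difference between an "open by default" resolver and one restricted to its own network, as an added example (not code from any modem vendor or from the PC World article): the same query handler run with two access lists. The addresses, the query bytes and the function names are constructed for illustration.

```python
import ipaddress
import struct

QR, RD, RCODE_REFUSED = 0x8000, 0x0100, 5

# The weak setting: answer anyone. The corrected one: answer the local network only.
OPEN_BY_DEFAULT = [ipaddress.ip_network("0.0.0.0/0")]
LAN_ONLY = [ipaddress.ip_network("192.168.1.0/24")]


def question_end(msg: bytes) -> int:
    """Return the offset just past the first question (name, QTYPE, QCLASS)."""
    pos = 12
    while msg[pos] != 0:
        if msg[pos] & 0xC0:
            raise ValueError("compression pointer in question")
        pos += 1 + msg[pos]
    return pos + 5


def handle_query(query: bytes, src_ip: str, allowed_nets):
    """Return ('recurse', None), ('refuse', reply_bytes) or ('drop', None)."""
    try:
        txid, flags, qdcount = struct.unpack("!HHH", query[:6])
        if flags & QR or qdcount != 1:
            return "drop", None               # not a plain single-question query
        end = question_end(query)
        if end > len(query):
            return "drop", None
    except (struct.error, IndexError, ValueError):
        return "drop", None
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in allowed_nets):
        return "recurse", None                # caller would resolve and answer
    # Outside the access list: a short REFUSED reply that echoes only the
    # question, so the reply is never larger than the query that triggered it.
    reply_flags = QR | (flags & RD) | RCODE_REFUSED
    header = struct.pack("!HHHHHH", txid, reply_flags, 1, 0, 0, 0)
    return "refuse", header + query[12:end]


# Constructed query: ID 0x1a2b, RD set, one question for example.com, type A.
SAMPLE_QUERY = (b"\x1a\x2b\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")

if __name__ == "__main__":
    outside, inside = "203.0.113.7", "192.168.1.20"
    print("open box, outside source:", handle_query(SAMPLE_QUERY, outside, OPEN_BY_DEFAULT)[0])
    print("LAN only, outside source:", handle_query(SAMPLE_QUERY, outside, LAN_ONLY)[0])
    print("LAN only, inside source :", handle_query(SAMPLE_QUERY, inside, LAN_ONLY)[0])
```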

Consumer ignorance, and lack of standards that could be implemented to address various problems which surface on a daily basis, are keeping the software, hardware, vendor and ISP markets propped up until, as Kaminsky said, it will fail. Not because experts didn't see it coming. But because the built-in flaws are proliferating faster than the Internet itself. The Windows OS patches that arrive regularly through Windows Update, are addressing problems that were known months, even years, before Microsoft got around to "fixing" them. Many cannot be, but are described in an encyclopedic catalog of flaws without remedy.

The founder of WhiteHat Security, Inc., Jeremiah Grossman, calls it "painfully simple" to get a computer to download hidden programs that effectively control its destiny, and that of the owner in many respects. The range of possible consequences for malicious activity is infinite, and because we salute clarity by qualified experts at this Hub, Grossman's unabridged assessment, attribution to Associated Press:

"Computers are not to be trusted."

Now that wouldn't be an earth-shattering comment by itself, especially if you are only concerned with games, video or a good search engine. But if you're on a gurney waiting for a heart transplant, you probably don't want to hear "Damn, the Internet is down again. We'll have to wait for the CT scans and the rest of the file." And even if you were fortunate enough to avoid a system failure at a hospital, what about your stock broker, your attorney and your bank. Are their networks secure? Probably not.

The entire global economy and its supporting cast of billions, has been built on this infrastructure, and very few people downstream seem concerned about the leaks that are springing from the dam. Maybe it's because most don't understand the complexity of these problems, and I think it is safe to say that the more one learns about computers, the more likely they become to say something like "computers are not to be trusted" when they're asked.

As I look below at the news feed, Earthtimes.org is reporting "The danger of corporate computers becoming infected by worms has risen dramatically recently," according to a new study by Microsoft.

Progress?

Horrors on the Internet

And if the fallibilities that are common knowledge among experts weren't enough, try out this article, AP IMPACT: Framed for child porn by a PC virus http://abcnews.go.com/Technology/wireStory?id=9028516_me which points out the inherent danger when you open an internet connection.

As Mr. Grossman points out, it's "painfully simple" to do. Unfortunately, the judiciary is struggling with these issues, just like security experts and the public. First it is necessary to understand the capabilities of those with malicious intentions, and most people don't. Second, there must be a means of prevention, and unfortunately, there is not. "Pedophiles can tap viruses in several ways. The simplest is to force someone else's computer to surf child porn sites, collecting images along the way. Or a computer can be made into a warehouse for pictures and videos that can be viewed remotely when the PC is online."

My personal laptop was using McAfee security when it was disabled by an access violation on October 13, 2007, which simultaneously disabled Windows security logging so it wouldn't be detected. More than eight months later, the OS crashed revealing the hidden Dr. Watson file which was the last security entry in the log. During that period of time, the computer was exhibiting strange behavior, and I could find no one that would verify the content of the e-mails or attachments that had been sent. Everyone that received an e-mail for all intents and purposes disappeared, and people I'd never seen before started calling me a terrorist, a pervert, or a psycho. I have been turned down for every job I've applied for since. I suspected, or deduced, that it was because of an ongoing "investigation" into whatever the computer was generating, especially the content of a website, but GoDaddy.com would not provide information on the subject, and continues to withhold relevant data.

For this reason, I started to investigate these issues myself, and after a substantial amount of research on the subject, I decided to publish this Hub because those that infect computers with malware only need a target and a motive. When you cannot control your computer, or the DNS protocol that steers it, the range of possibilities is endless, but the outcome is almost certainly grim.

The cases described in the above article are not isolated, and those that infected the computers are elsewhere, and probably anonymously enjoying the publicity associated with their work. Notice that those who infect the computers are almost never held accountable. The viruses that do these things cannot be traced to a specific attacker, especially when physical access is used to gain control.

So, if the judiciary is going to take a computer, any computer, to be evidence in a court of law, technical expertise must accompany it. But the article also notes that the cost of analysis is prohibitive in many cases, and not always conclusive. So where does that leave the "suspect" who is charged with the content of a hijacked computer? In a bad place, while those that did the deed watch from a safe distance.

There will be many more people like Michael Fiola who will lose their life savings, their homes, their jobs, and their reputations before the magnitude of "access violations" becomes apparent. And those of us who become aware of these things don't always have the resources to investigate what that loss of control actually caused.

Before my computer was hijacked, I had reason to believe it would be attacked, and it was. The sophistication of the attacks was surprising even when I expected them, but the sequence of events that preceded them was not. I have asked rhetorically whether the judiciary is going to be subservient to those that not only control personal computers, but any database that exists today. Even those that store court information, records, and other data.

I'm not sure what the answer to that question may be, but as we try and analyze as many Internet issues as possible, there will be more on this subject forthcoming. I welcome input from those who may have had similar experiences, or knowledge that relates to the topics. Readers are invited to submit their input to humblejournalist at either Gmail or Yahoo. Make a paper copy, and save it. It may become useful when we explore the topic of e-mail.

I will include another interesting news link to consider what lies ahead as we move forward.

http://www.cnn.com/2009/TECH/11/17/cnet.cyberwar.internet/

Cyber Vigilance?

Reuters certified the obvious on November 24, 2009 when Diane Bartz and Jim Finkle reported that "cyber breaches are a closely kept secret" by those companies who claim to offer secure websites and transactions.

Shawn Henry is the assistant director for the FBI's Cyber Division: "Of the thousands of cases that we've investigated, the public knows about a handful . . . There are million-dollar cases that nobody knows about," and the article notes that "companies that are victims of cybercrime are reluctant to come forward out of fear the publicity will hurt their reputations, scare away customers and hurt profits. Sometimes they don't report the crimes to FBI at all."

To no one's surprise, 2008 was by far the worst year for breaches. According to CNET News more records were breached last year than the previous four years combined. Over 295 million records, 80 percent of which were payment cards, and most of the rest personal data derived from those accounts. It was also noted that "more than three-fourths of organizations suffering payment card breaches were found not to be compliant with PCI data security standards or had never been audited. The typical organization had met less than a third of the requirements in the standards," according to the 2009 Verizon Business Data Breach Investigations Report.

Continued: "75 percent were from external sources, 39 percent involved multiple parties, 32 percent involved business partners and insiders were implicated in 20 percent. Three fourths of the breaches were undiscovered and uncontained for weeks or months."

But rather than become inundated with statistics, suffice it to say that the problems associated with Internet commerce particularly are becoming worse, not better. This scenario begs for an analogy, like a beautiful, modern, new home that is so infested with termites that it must collapse at some point, as has been predicted by some experts. Hackers are becoming more adept and prolific, not less. Countermeasures are not stopping, or even slowing, the outflow of supposedly "secure" data, and almost all useful data is stored in vulnerable systems and networks. If 295 million records were compromised last year, who's left? Infants without social security numbers?

(Sure hope a Cyber Czar is appointed soon to fix all of this).

Of course, contemporary technology serves many purposes, so another Hub at this address will attempt to explain the "How" element, now that the "What" becomes more obvious as it pertains to contemporary technology. This from InternetSecurityNews.com, an excellent source on these subjects thanks to John Stokes and other contributors.

'A blogger has released audio of Sprint's Electronic Surveillance Manager describing the carrier's cooperation with law enforcement. Among the revelations are that Sprint has so far filled over 8 million requests from LEOs for customer GPS data.

By John Stokes

Christopher Soghoian, a graduate student at Indiana University's School of Informatics and Computing, has made public an audio recording of Sprint/Nextel's Electronic Surveillance Manager describing how his company has provided GPS location data about its wireless customers to law enforcement over 8 million times. That's potentially millions of Sprint/Nextel customers who not only were probably unaware that their wireless provider even had an Electronic Surveillance Department, but who certainly did not know that law enforcement officers could log into a special Sprint Web portal and, without ever having to demonstrate probable cause to a judge, gain access to geolocation logs detailing where they've been and where they are.

Through a mix of documents unearthed by Freedom of Information Act requests and the aforementioned recording, Soghoian describes how "the government routinely obtains customer records from ISPs detailing the telephone numbers dialed, text messages, emails and instant messages sent, web pages browsed, the queries submitted to search engines, and geolocation data, detailing exactly where an individual was located at a particular date and time."

The fact that federal, state, and local law enforcement can obtain communications "metadata"—URLs of sites visited, e-mail message headers, numbers dialed, GPS locations, etc.—without any real oversight or reporting requirements should be shocking, but it isn't. The courts ruled in 2005 that law enforcement doesn't need to show probable cause to obtain your physical location via the cell phone grid. All of the aforementioned metadata can be accessed with an easy-to-obtain pen register/trap & trace order. But given the volume of requests, it's hard to imagine that the courts are involved in all of these.

Soghoian's lengthy post makes at least two important points, the first of which is that there are no reliable statistics on the real volume and scope of government surveillance because such numbers are either not published (sometimes in violation of the legally mandated reporting requirements) or they contain huge gaps. The second point is that the lack of reporting makes it difficult to determine just how involved the courts actually are in all of this, in terms of whether these requests are all backed by subpoenas.

Underlying both of these issues is the fact that Sprint has made it so easy for law enforcement to gain access to customer data on a 24/7 basis through the use of its Web portal and large compliance department. Regarding the latter, here's another quote from Paul Taylor, the aforementioned Sprint/Nextel Electronic Surveillance Manager:

"In the electronic surveillance group at Sprint, I have 3 supervisors. 30 ES techs, and 15 contractors. On the subpoena compliance side, which is anything historical, stored content, stored records, is about 35 employees, maybe 4-5 supervisors, and 30 contractors. There's like 110 all together."

All of those people are there solely to serve up customer data to law enforcement, and other comments by Taylor indicate that his staff will probably grow. Sprint only recently made the GPS data available through the Web portal, and that has caused the number of requests to go through the roof. The company apparently plans on expanding the menu of surveillance options that are accessible via the Web. Taylor again:

"[M]y major concern is the volume of requests. We have a lot of things that are automated but that's just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just [because of] the sheer volume of requests they anticipate us automating other features, and I just don't know how we'll handle the millions and millions of requests that are going to come in."

I'm sure they'll find some way to deal with the "millions and millions" of warrantless surveillance requests, and no one will bother to even curb the practice, much less stop it. I've been reporting on this exact metadata/surveillance issue for years now, and it just gets worse. The stressed, jobless, indebted public doesn't care, and Congress doesn't either. If I'm still on this beat in 5 years, I'm sure I'll still be rewriting this same story for the thousandth time . . . '

Thanks again, Mr. Stokes. Which leads us directly to the subject of InfraGard, the FBI "fellowship" of private citizens, prominent business execs, and hackers that is supposed to "promote timely dialog" with over 350 representatives at Fortune 500 companies. Like Bob Parsons at GoDaddy.com? Probably, but the list is unavailable, and their activities are tantamount to the establishment of yet another secret society in the name of national security.

The ACLU has correctly identified the program as nothing more than the establishment of a "privileged class" that enjoys special treatment in exchange for essentially stolen private data. A vast spy network that reports to FBI offices in at least 90 cities. There has been much written about this arrangement which would have been summarily rejected prior to 9/11 and the Patriot Act, but the ACLU, The Progressive, and others have offered educated analyses, and are easy to find with a simple search.

So there you have it. All the ingredients for some really interesting news stories, as well as harbingers of what's to come. Isn't technology fun?


Comments


humblejournalist  says:
3 weeks ago

Share this link with a friend.

http://hubpages.com/_2coz0cumxzafb/hub/humblejourn
