Spying 2.0

October 26, 2010

- So Karim, your organization wants to learn a few tips? As it fights the main power standing in our way, I do not mind helping you but I thought you were keen on spectacular actions. Why your sudden interest in discreet moves?

- Dear Jin Lian, our enemies think of us as coming straight from the Middle Ages. Little do they know. To prosper, we do push the whole world back to feudal anarchy, turning Iraq into a new Lebanon for instance. But to highly educated engineers like me, cyber attacks look so promising.

- Funny the media claim Stuxnet was designed to sabotage the Iranian uranium production. Yet as James Blitz, Joseph Menn and Daniel Dombey rightly note (*), "the big concern is [... whether] states and even terrorists could deploy malicious codes with the aim of sowing mass destruction".

- We did not wait for them to tell us. Our cannon fodder may blow themselves up but it's such a waste to lose talent that way, like Mohamed Atta.

- So what can I do for you?

- Jin Lian, the very word algorithm honors one of my ancestors (1). I need no one to teach me how to write code and my specialty is day zero exploits. Unfortunately I can't afford to spread a virus indiscriminately and have some idiot stumble on it and alert the whole world before it does its thing at the target at the appointed time. I must get the right people to inject it close to its target. Isn't spying about recruiting such people?

- Forgive me Karim if I mention Sun Tzu wrote about deception when roots were something your ancestors ate in their caves but you're right. People are the weakest point in any system and we have perfected how to use them. You either bully them or you con them and sometimes you do both.

- Forget the theory. Say I want my virus on Tom's computer, and better not Dick's nor Harry's.

- If you learn of something Tom does not want his wife to know, you're halfway there. Put his mind at rest. Tell him he only needs to copy a few confidential documents from his machine to your USB key. But even if Tom's darkest secret is to be obsessed with elm disease (2), you have an in.

- You must be joking?

- Patience behooves students. If I know where Tom's office and his house are, what is the probability of getting another pair of IPs in these two areas searching for "elm disease" on a regular basis? And how difficult is it to set up and promote a good site on this topic so that Google ranks it among its top ten on "elm disease"? Sooner or later, Tom will click on this link to your site, designed to deliver a virus to the IP linked to his office location.

- That's a bit far-fetched. How can you be sure Tom will be foolish enough to click on some unknown site without taking some precautions?

- You want to bet? Suppose my site is first to publish in full some report quoted in an appropriate trade publication, the general media even.

- OK, so Tom is obsessed. But the trigger you rely upon does not happen every day and certainly not when you need it with any degree of certainty.

- So instead of targeting Tom alone, you look at his friends and family. Give me ten of these people and I can do it within a window of a month. Not everyone can be extra cautious all the time. Your virus will hit Tom courtesy of an email from an impeccable source, say, his daughter in college.

- Wonderful Professor Jin Lian! But pray, how do you get all this very detailed personal information you need about Tom and those he trusts?

- Have you never heard of recursion, Karim? You dream of blowing up nuclear power plants or causing markets to flash crash. I have nurtured a network of insiders at companies like Amazon and Netflix, Facebook and Google, Comcast and Verizon, down to names you wouldn't recognize.

- I see.

- No Karim you do not see a thing. The systemic lack of confidentiality built into what Richard Waters pleasantly calls the profile aggregators' "muscle cars" (**) is not a trivial matter. Naturally not for those so profiled, but neither is it for those trying to take advantage of them. You need expertise.

- So that's what we are going to pay for.

- To remix Richard Waters, no aggregator can prevent our hands from reaching into his "cookie jar". To mix metaphors, we keep the lid open with back doors created by our viruses. Still, while an aggregator covers almost every Internet user, we cannot expect him to compile as rich a profile as we need on a given target. He goes for breadth before depth. So we must pool data from them all.

- Don't all aggregators swear all their records are anonymized?

- Quite true, correlating records among databases and between them and real names is not so straightforward but analyzing social contacts and preference lists for clues works great. It's a matter of persistence and ingenuity. Besides our own experts, ask people at MIT and the University of Texas at Austin. And of resources. What researchers find, we industrialize.

- I get the picture but how can you guarantee your database is complete and perfect?

- It is neither. Still, from friends to preferences, most profiles are compiled from online actions, not declarations. Who apart from you and me will go to the length needed to play the spy and live a lie effectively? Whenever critical, we can also pay throw-away insiders to look up specific records for us. They may get traced, fined and fired for breaching company rules. But compared to yours, our cannon fodder fares pretty well.

- What if the US gets serious about privacy? Have you heard of ePrio's approach to eprivacy? It claims one can have one's cake and eat it too.

- With you around, not a chance. National security and pronaocracy play in our favor. Nobody will ever move to fix privacy concerns. Did you read Matt Bai (***) and David Brooks (****) on how money influences elections? For Brooks, it is a colossal waste of resources. For Bai, it unseats people in power, whoever they are. You would think the US strives to go back to the Middle Ages on its own.

- We still think they need some help on the way but I'm afraid tapping you for information is going to cost us some. You must have sizable expenses.

- Remember Karim, increase oil prices and your generous donors should prove grateful. As for us, we live off the country. If you read Brooke Masters, Joseph Menn and Mary Watkins (*****), you'll see "reported thefts of information and electronic data have risen by half in the past year". I dare say part of it helps finance our operations, including this trip to meet with you.

Courtesy of a well-appointed Jakarta hotel, a waterfall conveniently protects Jin Lian and Karim's privacy. Among a throng of busy MBAs browsing the international newspapers, who would take notice of two more smartly dressed guests enjoying their breakfast?

Happy Halloween! The one night when it is allowed and fun to feel a bit scared of what we block out of our minds the other 364 days (3).

Philippe Coueignoux

  • (*) A code explodes, by James Blitz, Joseph Menn and Daniel Dombey (Financial Times) - October 2, 2010
  • (**) The importance of protecting consumer privacy, by Richard Waters (Financial Times) - October 21, 2010
  • (***) This Donation Cycle Catches G.O.P. in the Upswing, by Matt Bai (New York Times) - October 21, 2010
  • (****) Don't Follow the Money, by David Brooks (New York Times) - October 19, 2010
  • (*****) Increase in data theft outstrips physical losses, by Brooke Masters, Joseph Menn and Mary Watkins (Financial Times) - October 18, 2010
  • (1) For more details, see al Khwarizmi in Wikipedia.
  • (2) For more details, see Dutch elm disease in Wikipedia.
  • (3) For past Halloween fillips, see the index to Major Themes for these fillips.
Copyright © 2010 ePrio Inc. All rights reserved.