Book Review: An electronic Pearl Harbor is closer than you think

“Sandworm,” Doubleday, by Andy Greenberg

The Obama administration did not issue a single public rebuke after hackers knocked sections of Ukraine’s power grid offline on frigid December nights in 2015 and 2016. The unprecedented cyberattacks on civilian populations presaged the most devastating malware attack to date _ the June 2017 onslaught of NotPetya, which also targeted Ukraine but went further. Hobbled, too, were international business partners including Danish shipping multinational Maersk and pharmaceutical giant Merck. Damage was in the billions. In the U.S., hospital surgeries were impacted.

In “Sandworm,” Andy Greenberg sets out to track down the hackers behind those attacks, and his page-turning narrative sounds the alarm: We have failed to adequately confront a looming, existential threat. Our largely unquestioning dependence on digital technologies compounds the threat of a digital doomsday. The more reliant we become, the greater the potential peril. Power generation, health care and other vital services are at risk. Foreign agents have penetrated vital U.S. infrastructure, though the U.S. could also threaten global stability if its cyber-capabilities are carelessly loosed.

The 316-page real-life thriller takes the reader to the front lines of global cyberconflict, where U.S., Ukrainian and other computer security researchers painstakingly work to solve the authorship riddle. It concludes that the culprits _ initially dubbed ‘Sandworm’ by researcher John Hultquist after his team finds a reference to the Frank Herbert novel “Dune” in their code _ are the same state-backed hackers who wreaked havoc on the 2016 U.S. presidential elections, stealing and exposing Democratic National Committee emails and breaking into voter registration databases in at least two states.

The military-backed Kremlin cyber-agents, it turns out, were also behind hacking of global anti-doping agencies and the U.S. power grid _ and knocked 2018 Winter Olympics networks offline during opening ceremonies.

When he gets technical _ no way around it, really _ Greenberg, a senior writer at ‘Wired,’ keeps the geek jargon to a minimum. His previous book, “This Machine Kills Secrets,” explores how digital tech and the global Internet _ where we are all publishers _ have transformed whistleblowing and leaking, keying off the WikiLeaks saga.

In “Sandworm,” Greenberg exposes the still uncharted world of global cyber-competition _ a perilous new front in warfighting that lacks norms and rules of engagement where human casualties seem inevitable. He describes, for one, how a nation’s own espionage tools can be dangerously turned against it and its allies, how programs written by U.S. National Security Agency uber-hackers to break into computers running on Microsoft operating systems wound up being exploited by Russian military hackers. Were they pilfered? Or leaked? That remains unclear.

“Sandworm” ranks with the multiple books by James Bamford and with Clifford Stoll’s 1989 “The Cuckoo’s Egg” as essential reading for grasping digital technology’s role in the evolution of global conflict.  It takes us well past the intrigue of cyber-espionage to contemplate _ now that the Trump administration has endorsed the use of offensive cyber operations _ how a global digital arms race might spiral out of control.

Wiring the Planet – 1993

Thanks to Patrick Kroupa for keeping this story alive online – From a package I wrote introducing folks to an erstwhile invention of the military-industrial complex _ later hijacked by telecommunications conglomerates and the micro-targeting advertising industry _ called the Internet:

Wiring the Planet — MindVox!

Sunday, May 23, 1993

By Frank Bajak

Somewhere in the ether and silicon that unite two workstations 11 floors above lower Broadway, denizens of the cyberpunk milieu are feverishly debating whether anyone in government can be trusted. Elsewhere amid the colliding electrons, people read a rock musician’s rage about the computer information service that somehow obtained and posted his lyrics without permission. This is the 12-by-20-foot bare-walled home of MindVox, today’s recreation hall for the new lost generation’s telecomputing crowd. You can enter by phone line or directly off Internet.

Patrick Kroupa and Bruce Fancher are the proprietors, self-described former Legion of Doom telephone hackers who cut the cord with computing for a time after mid-1980s teen-age shenanigans. But back they came, deciding to take the code-writing prowess of their circle, write some “real idiot proof software” on top of a Unix operating system and build a primo thoughtspace for meetings of minds. ‘We just saw that a lot of interesting technologies were not being used for anything but file-servers,’ says Kroupa, describing the thousands of dial-up bulletin board systems in which callers often find little more than downloads of software and dirty pictures.

Kroupa is a towering 25-year-old high school dropout in a black leather jacket with long hair gathered under a gray bandanna, three earrings and a hearty laugh. “America Online looks pretty, but is pretty devoid of intellectual content,” Kroupa says of the popular information service. His chronicle of an angst-ridden odyssey from an adolescent hacker known as ‘Lord Digital’ to cyberspace saloon-keeper is suggested reading for MindVox newcomers. Fancher is 22 and more businesslike, but equally in love with this dream he left Tufts University for.


A year in digital insecurity – nothing, and no one is safe

I have a relative who has been terrified of the Internet for years. Two decades ago, he was a heavy CompuServe user. Now, he only goes online at the library. But even he can’t escape. The Internet is everywhere now. It is in cars, on TV. It connects to medical devices, to toys (Barbie). It flies on airplanes, touches the power grid.

Andy Greenberg’s automobile-hacking crash-test dummy piece gets my nod as cybersecurity story of 2015.

Credit: Andy Greenberg

In reviewing the past year’s top cybersecurity stories, Lorenzo Franceschi-Bicchierai said 2015 proved that “nothing, and no one, is really safe from hackers.” Children were not spared (Vtech). Nor were corporate hackers (Hacking Team). Customers of 55 U.S. health care providers were hacked, the biggest being Anthem, which did not encrypt social security numbers.

Journalists and political dissidents were targeted, of course. Citizen Lab’s sleuths and the AP uncovered a South American cyber-espionage operation with all the hallmarks of state sponsorship.

Kim Zetter at Wired predicts more hacker shakedowns, break-ins in which attackers extort victims, threatening to publish pilfered data. Brian Krebs, who broke the Ashley Madison hack story, noted the opportunistic extortions that followed. (Hollywood was still smarting from the Sony hack, and celebrities led by Jennifer Lawrence are surely thinking twice now about storing nude photos on iCloud).

The proliferation of ransomware _ which holds data hostage _ is scary enough. Zetter anticipates a growing threat of cyber-attacks that compromise the integrity of data. The Stuxnet hack, of course, did so much more than that, and a robot last year killed a human at a Volkswagen plant in Germany, violating Asimov’s first law of robotics. Ted Koppel, meanwhile, sounded the alarm on the threat a cyber-attack could pose to the U.S. power grid. Ukraine’s grid was hit in December in what security researchers called the first known hacker-caused outage.

The year’s biggest hack was of the U.S. government’s Office of Personnel Management. It exposed sensitive personal information from job applications, including of intelligence and military employees with security clearances. In all, 21.5 million people were potentially affected, 5.6 million sets of fingerprints obtained. The authors were Chinese, though Beijing claimed the hack was NOT state-sponsored. They told U.S. officials the culprits were arrested, @nakashimae reported, but provided no further information.

The U.S. government has not proven itself a trustworthy bearer of data; protection efforts fall short.

On the cusp of Christmas, a major vulnerability was announced. Juniper Networks found two unauthorized backdoors in its NetScreen firewalls that would allow “a knowledgeable attacker” to gain access to encrypted traffic on virtual private networks. Major U.S. corporations, banks, universities and government agencies were affected. A looming question in this unsolved mystery is whether the GCHQ (and by extension the NSA) had a role in creating the vulnerabilities.  Backdoors are exactly what U.S. and U.K. law enforcement want as theoretical tools against terrorism.

Silicon Valley has resisted the idea, and rightly so. Tim Cook of Apple emerged as its most passionate, articulate voice on how encryption and digital privacy are essential to our First Amendment rights and should not be sacrificed to satisfy the Department of Homeland Security.

“If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it,” Cook said in June. Weakening encryption makes no sense, he said. “The bad guys will still encrypt; it’s easy to do and readily available.”

So all the 2015 security news isn’t bad, after all.

A week after AP’s Peru drug investigation published, a landmark arrest

Eight days after we published my investigation on how more than a ton of cocaine was being flown daily out of the world’s No. 1 coca-producing valley right under the Peruvian military’s nose, we have a significant development.

For the first time in more than a decade, an officer of Peru’s armed forces has been arrested for drug trafficking.  An army lieutenant, he had worked in the valley for eight years and collected bribes of $10,000 per flight that likely were shared with his superiors, the prosecutor told me. That’s the same sum that an accused narco pilot had told me local military commanders got per plane.

My months of reporting were now being substantiated by events. Intercepted phone conversations made it clear that Lt. Wilmer Eduardo Delgado Ruiz was the bag man. Or rather his wife was, as the money was transferred into her account.

Former Peruvian army Maj. Evaristo Castillo, who blew the whistle on military drug trafficking in the 1990s, says drug corruption is _ as it was then _ systematic in the military, as top to bottom as the command structure.

One arrest is no guarantee of a housecleaning. Just ask Castillo. None of the generals he publicly denounced for drug trafficking was ever convicted of it, he told me. Castillo’s military career was wrecked because he blew the whistle, was disloyal. He spent seven years in exile. And, as one of his four sons (also Evaristo), told me, their hopes of following their father into the service were also extinguished.






The Disappearing Mississippi Delta – A Preservationist’s Tour

Hurricane Katrina’s 10th anniversary is upon us and much attention is being paid to rebuilding and recovery. A bigger question is how much longer New Orleans and the disappearing lands around it will last. A great river delta is dying. (See my AP colleague Cain Burdeau’s fine feature from Delacroix). Richie Blink, a local boat captain, lives to save it.

Of the 55 classmates who graduated from his Plaquemines Parish high school in 2005 with Richie Blink, only about a half dozen stuck around. Blink tried moving to Baton Rouge, where he worked at the airport and got his pilot’s license, but the land drew him back. What’s left of the land, that is.

Blink won’t quit on the Mississippi River Delta, which is disappearing at the rate of a football field an hour in what some have called the Western Hemisphere’s biggest environmental disaster after the deforestation of the Amazon.

He’s lobbying and cajoling to broaden coastal restoration projects and save the delta from the seeming death sentence rendered by human activity. (View ProPublica project Losing Ground)

One goal is to rebuild a 50-mile buffer against ocean storm surges that has been erased in a single human lifetime, a buffer that might have eased the hurt to New Orleans from Hurricane Katrina.

Mostly open bay just over the levee that shields the Mississippi from the Gulf of Mexico


Blink sets off from the wharf at Buras _ where Katrina made landfall _ in a fisherman’s skiff into a mostly open bay with sparse clumps of marsh grass.

We’re 70 miles southeast of New Orleans on the right bank of the Mississippi. This is the sliver of land, sheltered on both sides by 20-foot-high levees, that those who remain inhabit. Rebuilt homes on the peninsula _ including the high school _ are raised on piles driven deep into sandy soil.

Blink shows us where engineers have built an “oyster break” in the shallow water by the wharf. It’s a concrete honeycomb designed to help rejuvenate the oyster population.

He opens up the throttle and the boat slides through heavily brackish water.

“When I was a kid, this was all little bayous, meandering streams. I spent a lot of time here,” he says.

Shrimp boat in mostly barren salt marsh


We pass a working shrimp boat and an old abandoned fishing camp on stilts.

A little more than a decade ago, the place was crawling with alligators and other wildlife, a teeming coastal swamp. Now, the Gulf of Mexico is in charge.

Man-made berm on the Gulf of Mexico side


We pull up to a barrier being built by barges that dredge the bottom and hurl muck over the berm. This is land-building. And it’s expensive.

The government has spent $300 million building a barrier a few miles away across more than 30 miles of coastal islands fronting the gulf.

It’s six feet high in some places.

But it’s not holding back the tide. Sea levels are on the rise with global warming. But that’s the least of it.

The reason the Mississippi Delta has been sinking by as much as a meter a century is human engineering. It’s part of the reason half of New Orleans is now below sea level.

By stringing levees up and down the length of the Mississippi to protect homes and businesses from flooding, we have robbed the great river of vigor, diminishing the flow of silt that, since the last ice age ended 7,000 years ago, made the delta. Once meandering, the river is now straitjacketed. Successful river control has degraded coastal wetlands.

The greatest flood danger now comes not from the Mississippi but the ocean, as Katrina proved.

Worsening matters, the energy industry has since the 1930s dug some 20,000 miles of canals in the delta to extract oil and natural gas and service pumping operations.

Add to that, as an aggravating factor, the introduction of an invasive South American rodent, the nutria. It devours root systems _ yet another coastal erosion engine at work.

The toe of the boot that is Louisiana is wasting away. The physical version we know from maps is no longer true. The boot is not solid. It is gossamer.

“This is the dying side of the river,” says Blink. We head back to the marina. Blink runs the skiff up on its trailer.

It’s time to head over to the Mississippi and drop in there. We’ve done the bad news piece of our vanishing coastline tour.


Buras, Louisiana


Blink works as Coastal Zone Program Manager for Plaquemines Parish. He ensures coastal restoration projects are built as designed. The job dovetails with his passion of fighting to preserve a peninsula that four in five residents abandoned after Katrina.

Blink sits on the parish’s Coastal Zone Advisory Committee and is active in the Louisiana Lost Lands Foundation that Pulitzer-winning journalist Bob Marshall and his wife Marie Gould created.

They run educational tours of these wetlands in kayaks. And Blink plants cypress trees, well over 10,000 to date, to fight the ravages of sinking soils and salt water seepage.


We cross the Mississippi to its left bank, what Blink calls the bank of hope.

Mississippi River lock, left bank, Buras, Louisiana


A few locks separate the river here from marshlands and estuaries to the northeast.

But there are also breaches, crevasses they’re called. We drop down one, the boat swirling in a churning whirlpool.

Below a crevasse, fresh water spills into a healthy tidal marsh


Soon, we are motoring through true tidal marsh. We hear songbirds, see fish jump. Marsh grass, cattails and lotus pods abound. A farmer still grazes cattle on land above one bayou.

Blink navigates into a narrow channel where grass gets caught in the outboard’s propeller.

He is taking us to a cemetery whose graves _ several score _ date back to the 1830s. The most recent is from 1976 and relatives still tend it, cutting the grass and even bringing flowers from time to time.

Video: Disappearing Tombs

Point Pleasant cemetery


Blink does his best not to get too heartsick. But he has no illusions.

Stacked up against the coastal reconstruction campaign he champions are an influential lot: oyster and shrimp fishermen, the oil and gas industry.

He realizes that he and others who are bound sentimentally to the disappearing delta and are trying to turn back the rising tide will most likely have to settle, if they want to stick around, for what climate scientists call adaptation.

“Either your house will be on stilts,” he says, “or on an earthen mound.”

Gaming Twitter – Measuring how Venezuela’s rulers marshal bots

Quite a bit of behind-the-scenes work went into Hannah Dreier’s story on how Venezuela’s ruling party, having successfully squelched most independent voices in traditional media, uses automated robot accounts on Twitter to try to dominate political discourse online.

We started with a few scripts (computer programlets) written for us by a Twitter programmer who wishes to remain anonymous. They were used to passively identify the bots that instantly retweet hashtags issued by various state- and party-run accounts. Hannah then passed the scripts along to three academic groups, who also used programs of their own.

_A Northeastern University PhD candidate, working under the supervision of an MIT adviser.
_The University of Washington’s team. It did its own research, “Political Bots and the Manipulation of Public Opinion in Venezuela.”
_The Data Science lab at Utah State.

Takis Metaxis on the project also helped. Their results here.

And we checked in with Emilio Ferrara, part of the team at the “Truthy” project that created “Bot or Not.” – I recommend “The Rise of Social Bots”

Here is a partial image of what one script identified as bots:  TwitterBots



Peru decrees warrantless geolocation tracking

Most businesses are closed the day before Peru’s Independence Day so it’s a good time to issue a decree that you’d rather people not scrutinize. Except what’s becoming known as “The Stalker Law” is getting plenty of attention.

Taking advantage of special powers conferred on his government by Congress, President Ollanta Humala decreed on July 27 that police can track people’s location in real time using their cell phone signals. No warrant necessary. Telecoms need to hold onto the data for three years. Crime is getting bad, after all.

The Electronic Frontier Foundation’s Katitza Rodriguez wrote that it provides the cops with “detailed footprints of our daily lives.” Most people don’t realize how much data their cellphones collect about them minute by minute. And even if they disable “location services” on their cellphone, they can’t turn off location tracking. It’s built into the wireless network.

Rodriguez says the surprise decree follows a global pattern of governments encroaching on their citizens’ digital privacy with limited debate.

The government, observed Miguel Morachimo, director of the Peruvian digital rights NGO Hiperderecho, tried to accomplish something similar three years ago in legislation that failed. Now it has achieved what it could not democratically: “To bypass all Peruvians’ right to privacy.” He’s thrown down the gauntlet in this post (Sp.).

Another digital rights legal expert, Erick Iriarte, considered the decree not very well thought out (Sp.). It lets judges retroactively declare inadmissible the geotracking information, which includes who you talked to, where you were, physically, the time and duration of the call. But what happens to the information collected? Can Peru’s police be trusted with it?

President Humala, his Cabinet chief and the ministers of interior and justice signed the decree. No debate in Congress. The same day, a different decree was issued creating the crime of “murder-for-hire” in Peru’s legal code.

Humala enters his last year in office as very much the lame duck and with crime worsening. His approval rating in last weekend’s GfK poll was 15 percent.

Markoff interview with @edge on tech future – Silicon Valley Zeitgeist

This interview with John Markoff, the dean of technology journalism along with Steven Levy and Bruce Sterling, is long-winded but well worth a read. I like, especially, his skepticism on robotics and automation decimating the workforce.

“We’re at that stage, where our expectations have outrun the reality of the technology.”

I agree with him that augmented reality will likely be the next killer app. I think it will be driven by the military-industrial complex. Markoff says The Next Big Thing may not come from Silicon Valley, which he thinks may have plateaued.

He also bemoans what the current tech bubble has done to northern California. Rents at $3,000 for a one-bedroom apartment. Foreigners buying up luxury condos as investments and leaving them empty. People commuting to work in Wi-Fi equipped buses owned by private companies while the public transportation system crumbles.


Secure Messaging Scorecard – From EFF

Prying/preying eyes and ears a problem?

I had a source tell me today that he uses Hushmail to communicate with people who are under surveillance in a hostile digital environment. Not advisable. I sent him this link to the Electronic Frontier Foundation’s terrific Secure Messaging Scorecard (via Wickr encrypted chat).

Below is a screenshot of a portion of the scorecard. Thumbs up to Jitsi (My preference for secure audio chats)! Thumbs down to Hushmail.

And while we’re promoting the organization _ EFF senior attorney Hanni Fakhoury, a Californian of Egyptian descent, told me it has doubled its staff in the past four years _ I will link to its handy Surveillance Self-Defense guide, available in English, Spanish and Arabic and coming soon, says Hanni, Portuguese.



The Greenpeace / Nazca lines saga and press freedom

I have occupied myself with little else since we learned on Jan. 7 that a provincial prosecutor planned to ask a judge in Nazca to throw our photographer Rodrigo Abd in jail at the request of Peru’s Ministry of Culture because he had covered Greenpeace’s Dec. 8 stunt at the Nazca lines.

The court hearing has twice been postponed. It is now set for Jan. 27. We have made our case publicly that Rodrigo and the Reuters videojournalist who also covered the action on assignment should not be jailed during the preliminary investigation. The Foreign Press Association of Peru and the Inter-American Press Association asked that all criminal proceedings be halted against the two journalists.

Now, Greenpeace has weighed in.

In a note delivered yesterday to the prosecutor, executive director Kumi Naidoo of Greenpeace International stressed that the journalists “were not involved in the planning, preparations, or execution” of the action, according to spokesman Mike Townsley.

In the note, Townsley told me via email, Naidoo explains Greenpeace’s press strategy/policy a bit.

“A large part of Greenpeace’s force for positive change comes from generating debate about public interest issues. As such, journalists are contacted to independently cover campaign activities. These journalists are always and necessarily independent from these activities. Their independence is derived from journalistic ethics and standards that demand, among other things, telling the story from an objective perspective. It is their independence that gives them their professional credibility. A clear distinction should be drawn between the people organising events and the journalists covering them. The rights of journalists to gather and report on news must be respected and protected.”

The note may sound self-serving, and indeed Greenpeace does cultivate the news media like any organization that seeks publicity. But do consider that Rodrigo’s visual documentation of the Nazca lines action provided people with independent information that helped them assess it and form their own opinions. That’s our role in a free society.