The Daily Parker

Politics, Weather, Photography, and the Dog

We may know where the leaks are coming from

Diners at Mar-al-Lago overheard the President talking with Japanese Prime Minister Shinzo Abe, the latest in a string of idiotic security breaches he's made all by himself:

As Mar-a-Lago's wealthy members looked on from their tables, and with a keyboard player crooning in the background, Trump and Abe's evening meal quickly morphed into a strategy session, the decision-making on full view to fellow diners, who described it in detail to CNN.

News of Pyongyang's launch had emerged an hour earlier, as Trump was preparing for dinner in his residence. Officials had concluded the Musudan-level missile flew 310 miles off North Korea's eastern coast before crashing into the Sea of Japan.

Oy.

Meanwhile, the Sears Death Watch continues:

[B]ecause Sears and its sister company Kmartare merely shells of their former selves after they destroyed so much value over the years for employees, customers, and investors, there may be a group of stakeholders secretly hoping the end comes soon: shopping malls.

While a Sears Holdings bankruptcy might lead malls to suddenly face the prospect of being flooded with zombie retail space, they would have the chance to redevelop the stores themselves and attract new tenants who would pay them, and not Seritage, significantly higher rents.

Of course, a Sears Holdings bankruptcy carries risks for them, too. As noted, many retailers are reducing their footprints, not expanding them, so filling up the space may not be so simple, and for malls not in desirable locations, Sears Holdings' demise could be catastrophic. Credit Suisse says some 184 malls can be classified as "least valuable property" -- meaning at risk of shutting down -- and, concernedly, Sears is the anchor store in 110 of them. A Sears Holdings bankruptcy and the wave of store closings that would follow could very well jeopardize their existence.

Again, oy.

Wormtongue in the Oval

By now, everyone in the world has heard about President Trump's patently unconstitutional order to ban refugees from some majority-Muslim nations (except, coincidentally, not from those with which he has business dealings). But after his first Take Out the Trash Day, he did something a lot more far-reaching and dangerous yesterday:

President Donald Trump is reshuffling the US National Security Council (NSC), downgrading the military chiefs of staff and giving a regular seat to his chief strategist Steve Bannon.

Mr Bannon, formerly the head of the populist right-wing, Breitbart News website, will join high-level discussions about national security.

The order was signed on Saturday.

The director of national intelligence and the joint chiefs will attend when discussions pertain to their areas.

Under previous administrations, the director and joint chiefs attended all meetings of the NSC's inner circle, the principals' committee.

On the point of the anti-Muslim ban, Lyft this morning announced a $1m donation to the ACLU to protest it. Good for them. (Uber only turned off surge pricing at JFK and offered to compensate their drivers who were detained, which at the moment could be as few as zero.)

Meanwhile, Republicans who slammed trump just 13 months ago after he said that he was going to do this were remarkably conciliatory when it actually happened. It's almost as if they're opportunistic toadies, who are morally complicit in Trump's attacks on American institutions.

So, anti-Semite and power-drunk Steve Bannon scores a twofer, nicely capping the president's first horrific week in office.

And for those who want a reminder of the reference:

Thanks, Obama!

Two big Obama stories today.

First, the president has commuted Chelsea Manning's sentence. She'll be freed in May:

In recent days, the White House had signaled that Mr. Obama was seriously considering granting Ms. Manning’s commutation application, in contrast to a pardon application submitted on behalf of the other large-scale leaker of the era, Edward J. Snowden, the former intelligence contractor who disclosed archives of top secret surveillance files and is living as a fugitive in Russia.

Asked about the two clemency applications on Friday, the White House spokesman, Joshua Earnest, discussed the “pretty stark difference” between Ms. Manning’s case for mercy with Mr. Snowden’s. While their offenses were similar, he said, there were “some important differences.”

“Chelsea Manning is somebody who went through the military criminal justice process, was exposed to due process, was found guilty, was sentenced for her crimes, and she acknowledged wrongdoing,” he said. “Mr. Snowden fled into the arms of an adversary, and has sought refuge in a country that most recently made a concerted effort to undermine confidence in our democracy.”

(Brian Beutler notes that Snowden's future is pretty uncertain now, too.)

Second, the non-partisan Congressional Budget Office has estimated that, should Republicans repeal the Affordable Care Act, it could lead to 18 million people losing health insurance right away and another 12 million in 20 years:

The bill that the budget office analyzed would have eliminated tax penalties for people who go without insurance. It would also have eliminated spending for the expansion of Medicaid and subsidies that help lower-income people buy private insurance. But the bill preserved requirements for insurers to provide coverage, at standard rates, to any applicant, regardless of pre-existing medical conditions.

“Eliminating the mandate penalties and the subsidies while retaining the market reforms would destabilize the nongroup market, and the effect would worsen over time,” the budget office said.

The office said the estimated increase of 32 million people without coverage in 2026 resulted from three changes: about 23 million fewer people would have coverage in the individual insurance market, roughly 19 million fewer people would have Medicaid coverage, and there would be an increase in the number of people with employment-based insurance that would partially offset those losses.

Republicans complained that they will pass an alternative plan, but no one is taking this seriously. Because they're not.

 

American authoritarianism

I grew up in Chicago, so I have some recollection of how things were before Harold Washington's mayoral administration. Particularly under the first Mayor Daley, large sections of the city lived under authoritarian rule. It wasn't pretty.

New Republic's Graham Vyse explains what this might look like nationally. It won't be The Hunger Games—and that's part of the problem:

Tom Pepinsky, a government professor at Cornell University, recently argued that Americans conceive of authoritarianism in a “fantastical and cartoonish” way, and that popular media—especially film—is to blame.

“This vision of authoritarian rule,” he wrote, “has jackbooted thugs, all-powerful elites acting with impunity, poverty and desperate hardship for everyone else, strict controls on political expression and mobilization, and a dictator who spends his time ordering the murder or disappearance of his opponents using an effective and wholly compliant security apparatus.”

“If you think of authoritarianism as only being The Hunger Games and Star Wars, you’re likely to focus on the wrong types of threats to democracy,” he said in an interview. “You’re out there looking for something unlikely to happen and you’re missing the things much more likely to happen.” Such as legal gerrymandering, he said. “One way to not lose elections that’s very common and essential to Malaysia is the construction of so many safe legislative seats that the party doesn’t need to get most of the voters to get most of the seats.”

In other words, it's already happening in places where Republican governments rule with minority popular votes, such as in North Carolina and (starting Friday) at the Federal level.

Meanwhile, Josh Marshall lays out pretty clearly how Trump and Putin are trying to destroy the EU and NATO, which average Americans might not care about until they're gone.

The next few years are going to suck.

The OPM hack

Wired has a good, long article on how millions of security clearance documents were stolen from the Office of Personnel Management:

Once Captain America’s name popped up, there could be little doubt that the Office of Personnel Management had been hit by an advanced persistent threat (APT)—security-speak for a well-financed, often state-sponsored team of hackers. APTs like China’s Unit 61398 have no interest in run-of-the-mill criminal activities such as selling pilfered Social Security numbers on the black market; they exist solely to accumulate sensitive data that will advance their bosses’ political, economic, and military objectives.

The hackers...delved into the complete personnel files of 4.2 million employees, past and present. Then, just weeks before OPM booted them out, they grabbed approximately 5.6 million digital images of government employee fingerprints.

Scary stuff.

Meetings all day

All of these articles look interesting, and I hope I get to read them:

Oh, fun! Another meeting!

Security expert: Don't blame the user

Bruce Schneier points out that we software developers have more responsibility to protect users than they have to follow all of our instructions:

The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.

We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without­ -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it­ -- "stress of mind, or knowledge of a long series of rules."

I'm sometimes guilty of it, too. Though, I also feel that users can do really stupid things that ought not to be our responsibility. After hearing countless stories about fraud, why do some users give credit card numbers to complete strangers, for example?

Later, when I'm done with all this coding...

Some articles to read:

That's all for now. More conference calls...

NSA has a very bad week

Via Bruce Schneier, the NSA lost control of a crap-ton of hacking tools sometime before 2013, and managed to stop the bleeding only after discovering Edward Snowden's leak:

The exploits themselves appear to target Fortinet, Cisco, Shaanxi Networkcloud Information Technology (sxnc.com.cn) Firewalls, and similar network security systems. I will leave it to others to analyze the reliability, versions supported, and other details. But nothing I've found in either the exploits or elsewhere is newer than 2013.

Because of the sheer volume and quality, it is overwhelmingly likely that this data is authentic. And it does not appear to be information taken from compromised targets. Instead, the exploits, binaries with help strings, server configuration scripts, 5 separate versions of one implant framework, and all sort of other features indicate that this is analyst-side code—the kind that probably never leaves the NSA.

From an operational standpoint, this is not a catastrophic leak. Nothing here reveals some special "NSA magic." Instead, this is evidence of good craftsmanship in a widely modular framework designed for ease of use. The immediate consequence is probably a lot of hours of work down the drain.

But the big picture is a far scarier one. Somebody managed to steal 301 MB of data from a TS//SCI system at some point between 2013 and today. Possibly, even probably, it occurred in 2013. But the theft also could have occurred yesterday with a simple utility run to scrub all newer documents. Relying on the file timestamps—which are easy to modify—the most likely date of acquisition was June 11, 2013 (see Update, however). That is two weeks after Snowden fled to Hong Kong and six days after the first Guardian publication. That would make sense, since in the immediate response to the leaks, as the NSA furiously ran down possible sources, it may have accidentally or deliberately eliminated this adversary’s access.

So, yeah. The NSA had a bigger problem than Edward Snowden until he broadcast his leak and sent their plumbers into overdrive. And even then, they didn't properly secure the data.

Link round-up

We had nearly-perfect weather this past weekend, so I'm just dumping a bunch of links right now while I catch up with work:

Back to the mines.