Skip to content

Would removing DMCA reduce pollution?

In response to my earlier posts on VW cheating I have heard several people say “I don’t know engines well so I don’t follow most of what you’re saying”. This is a familiar hurdle, true for most specialized technical fields.

I don’t mind hearing this because I am a believer in bridging. I see no point in shaming people who lack hands-on engine experience or have not thought deeply about the economics of transportation. A technical argument should be able to stand on its own, such that it can be explained to anyone.

So here I will attempt to build a bridge from being a long-time engine tuner to the growing number of very smart IT and infosec people without any real engine experience who suddenly now are looking into smog topics.

More specifically I will answer from experience whether removing engine DMCA immediately would help in the case of VW cheating.

Three Levels of Analytics

On the beginning end of an analytic spectrum, the thought that immediate DMCA removal “probably would help” is a binary form of assessment: see something say something. DMCA is a prior known harm. It has done harm elsewhere. When DMCA is noticed therefore its removal is a simple reaction.

Next on the spectrum is knowing that DMCA can be a harm yet wondering based on ranked data if removal will achieve an objective. Seeing DMCA used by a German car company could mean every German car company is suspect. A ranking system begs the question of how to know when and if safe transition away from DMCA is possible? Is it after German cars no longer are available for sale?

The training examples I suggest to answer this question are from other scandals related to privacy. Lance Armstrong, like VW, was a winner caught cheating. However Lance wasn’t the problem, he was a symptom of demand. He represented a far wider problem.

Using first level analytics (see Lance with privacy and say something) would not be the right approach. Likewise second level analytics are insufficient because Lance was not the only cheater.

Getting beyond level two analytics is very hard. Anyone with audit experience knows it can be a losing battle on the ground unless you have real infrastructure in place to support a search for knowledge. You have to be able to store data, evaluate and adapt. The better your tests the more your cheating adversaries will circumvent them so you need some way to win that race.

A sophisticated level of knowledge is a third level of analytics, which I will call heatmap. As signs of cheating emerge, none very special on their own, the probability is warmer overall. Privacy is not completely lost, but reliable indicators of cheating are developed broadly. This involves sensors so fast, unique and rich in detail that the cheater can not afford to keep ahead of them.

There are two more levels of analytics above heatmap unnecessary to discuss here. Suffice it to say a third level gets us to where we need; it should answer whether and when removing DMCA would be improving air quality.

I use my own experience to work through finding a third level analytics answer. It comes from tuning many engines and even making my own fuel over the last decade. Here are two reasons why I think removing DMCA is a distraction from the main issue: free market risks and the economics of performance tuning.

Free Market Risks

Removing DMCA would be great for innovation and cost improvements from shared knowledge. It would create a more free and unregulated market. That however is not going to magically make pollution stop.

More of something and cheaper doesn’t imply clean. In fact it could be the opposite as the market innovates toward more power for less money. Removing DMCA arguably means the market continues in the worst possible direction and pollution simply increases.

Can we avoid innovation going awry? Yes, with regulation specific to the objective. DMCA is a weak control for issues of competitiveness and innovation, only slightly related to the issue of keeping air clean. Removing it should come when we are able to regulate for clean air.

Removing Lance Armstrong’s privacy could actually make his cheats more pervasive and harder to detect by auditors. So could we improve detection without removing privacy completely? Absolutely yes.

Some suggest the VW cheat was caught using sophisticated testing. I think that’s an exaggeration but we still should look at the tests as an example to model. The auditor success really was in perseverance and perspective more than doing anything clever or novel. Someone kept thinking mpg and power advertised were too good to be clean, so they applied a clean-specific test where VW did not.

Take a moment to think of the VW cheat this way:

  • When you are stationary (garage, warm up in snow) you get cleaner air
  • When you drive, you get more power but it is dirty

This is exactly, and I mean exactly, what typical American customers demand of manufacturers. It is considered acceptable to pollute in the areas least likely to be measured. This is why you can buy “off-road use only” performance parts (meant to be used privately) and then drive them around on roads (publicly) without any real risk of prosecution or fines.

So with pervasive cheating and cheating ingrained in the American engine market why did regulators focus on one company? In brief because it is harder to ban pollution by cheating American consumers than it is to go after a wealthy German company with a minority of vehicles on the road.

To put this in perspective VW already had their cars banned from the California market in 2004. They came back in 2008 with some incredible new numbers and sales took off. All of this has been blogged here extensively before.

A good auditor sees improvement and immediately starts thinking skeptically; how did a small car sales winner get so good so fast (the answer is Bosch, who actually developed “off-road use only” codes). And then the auditor hunts. Sending a car across the country with sensors is not a super special or novel idea, which perhaps you have read in my prior blog posts (e.g. Jaguar boasted 62mpg in cross country test).

Auditors today are closing in on manufacturers because the market functions in a somewhat predictable manner. Changing this abruptly by opening up innovation could lead to many more polluters, groundswell of people acting more like VW (because you’ve removed VW from the equation) and even take us towards weakening of other controls focused on clean air. A focus on a winner with a clear-cut case is a very efficient form of regulation but insufficient, since the problem is widespread.

All of this says to me removing DMCA and opening up a free market without other forms of regulation in place would likely be a clean air setback. It would be like demanding the recipe for cyclist performance enhancing drugs be public in order to reduce their use. Unless cyclists and race organizers are prepared to regulate against use, releasing the recipe can lead to far more cheating and less chance of stopping it.

Performance Tuner Economics

It is well known in the engine market that DMCA does not stop people from completely reverse engineering their cars. Performance tuning firms, not to mention customers themselves, often reverse firmware and/or write their own. In fact you could say there is a symbiotic relationship where the weak enforcement of DMCA allows manufacturers to learn from the after-market crowd what power enhancements to sell next.

Note here there is literally no market for clean enhancements. You simply can not find after-market products designed to get the cleanest possible emissions from your engine.

What VW did was realize that customers wanted more power, more mpg, as they always do. This translates to more convenient “workarounds” and double-speak to avoid regulations of being clean. Thus instead of customers paying $100 and taking 10 minutes to after-market tune their engine, VW essentially modeled customer behavior and provided a solution in software.

VW probably figured why leave the fixes to after-market performance companies. They also likely saw it as a temporary workaround to get back into the market sooner (2008) instead of when they had figured out how to actually comply: both power and clean (2013). Classic product manager risk behavior.

The pervasive cheating that drives VW to do the same is both good and bad. On the one hand it is bad because the market obviously and flagrantly pollutes and no one has budget or tools to stop it at the widespread consumer level. On the other hand it is good because VW took the unrepentant customer bait for better cheats, brought it in-house, and gave regulators a one-stop shop to issue a fine and make an example for everyone to see.

Using our Lance Armstrong example, he cheated more and better than all the other cheaters, which made him the best person to take-down in front of everyone as an example. Some people say VW had 11 million cars affected and this is a lot. Unfortunately this is not a lot in the big picture of cheating.

I mentioned before that California took action in 2005 and knocked VW out of the market. This was because VW was big enough to be a centralized high-profile target but small enough and consumer-centric enough to be made into an easy example. Much more difficult would be for regulators to go after Ford, GM, Kenworth, Caterpillar, John Deere, etc..

Instead of only affecting a few million consumers a regulation at the much larger cheater level could seriously impact business processes and even shut them down. It is common to hear truck drivers complain that if they have to drive a clean engine in order to operate in California they will go out of business; lower mpg or less power to stop polluting is a very hard business decision for hundreds of millions of drivers.

DMCA therefore doesn’t really stop people from innovating (albeit in non-clean direction). So it would have to be enforced far more strictly to help keep air clean. That would be a very bad thing. Harming innovation to reduce pollution sounds backwards because it is. The same resources instead of trying to enforce DMCA could be used directly for enforcing actual clean air controls. The goal being when you finally remove DMCA the resulting innovation would be pointed in a positive direction.

This is why I say stop wasting time talking about DMCA in pollution circles (a mostly non-barrier to reversing and tuning) when you directly could be addressing the actual problems of cheating for actual air quality controls.

Building a Better Solution

In conclusion, I hope I’ve built the argument well enough to stand on its own, no special engine experience necessary. We need to be building a far better surveillance network to monitor for clean air and a far more effective response system for enforcement. This probably sounds shocking so the ethics and norms of behavior have to be ironed out. We should put it in terms of other pollution success stories.

When you see someone smoking a cigarette you say something to them. If that person doesn’t comply you invoke authority. Obviously you can’t tell on the spot you are getting cancer but you have it on good authority that seeing a smoker is reason to act. DMCA of the cigarette industry, such as recipes for mixing and rolling, seem mostly irrelevant because they are.

Thus we really should ask ourselves for engines how do we build a comfortable living environment still capable of finding and stopping engine-smokers?

Imagine every loud pipe you hear is reason enough to say something. Generally loud pipes are after market power improvements that intentionally increase pollution. The ear is no perfect sensor but it’s a start (albeit California regulators have been arguing they can decouple noise from pollution). Imagine neighborhoods using air quality sensors deployed to help build a heatmap; for example monitoring outside popular restaurants collecting data on SUV emissions left behind. You then deliver to the restaurant their pollution results and fine them based on their customer behavior.

There are many possibilities of great impact to consider and plan. Arguments about removing DMCA are mostly irrelevant to clean air economics and technical problems.

Posted in Energy, History, Security.

Diesel FTW: Throw the Book at Clean Cheaters

Executive summary:

  • The majority of car enthusiasts care more about engine power than pollution. This especially rings true in America where consumers can easily modify hardware and software of their diesel engines. Ten minutes and a couple hundred dollars makes a significant change. Thus it has become common to find consumers seeking personal power gains with little/no concern for environmental impact.
  • Since the late 1940s US federal and state regulatory authorities have set standards and brought action against companies to help the market bear its responsibility for environmental impact. Consumers also increasingly have had to prove ongoing compliance with standards through smog tests linked to vehicle license. The growth of an engine tuning market for power, accelerated by the openness of car software, has forced regulators to crack down on manufacturers as well as move towards greater surveillance of consumers. The latter is less necessary and complex if the former is successful. The gap between demand and responsibility is a key to the issue. People often say “no one has died” regarding engine design despite the fact we know pollution kills and has killed (~58,000 premature American deaths per year).
  • VW was caught giving what most American consumers say they want most, more power. In some sense VW built into their cars before sale what many were doing after sales, which is a common practice. Over 480K cars were illegally fitted with the kind of “clean defeat” practice known to exist at a much larger scale on many more manufacturers led by an emerging “performance” industry. VW happens to have been the largest and most obvious violator caught, which makes it a perfect candidate for heavy regulatory enforcement. Used as a high-profile example, regulators may be able to use this example to shift consumer demand and raise awareness of pollution risk (including fines). US action against a German company also has geopolitical implications.
  • Last but not least, the cheat was unnecessary. VW product managers presumably rushed to market a bolt-on fix rather than a built-in solution. The company could have used a diesel-electric hybrid approach to achieve more power while reducing emissions, as shown with Toyota long-term success in the American market. Worse, VW left the cheats in their newer VW EA288 2L diesel that replaced the “cheater” VW EA188, despite the fact it arguably would be emission compliant anyway using urea injection technology.

Hello diesel fans, welcome back for another post on why diesel is the future of engine technology. Remember when I wrote about NASCAR cheating and included this 1976 quip from Waltrip?

If you don’t cheat, you look like an idiot; if you cheat and don’t get caught, you look like a hero; if you cheat and get caught, you look like a dope. Put me where I belong.

Fast forward almost 50 years and here we are still are talking about cheating to improve engine performance.


Since 2005 you’ve maybe known me to rant about the need for cleaner more-efficient engines and better regulation to make that happen. (e.g. Top Diesel Myths and Why Diesel Hybrids Make Perfect Sense, 2012).

After the VW trivial hack (detect front wheel movement during change in RPM) to cheat regulations I’m even more bullish on diesel and here’s why:

It’s about damn time

First, this government crackdown has been long-overdue and in the works for decades. You know the transportation and automobile lobby finally is losing the dirty fight when the EPA makes this kind of clean success story stick. It seems to me California led since 2000 and took the brunt of counter-attack from those engine enthusiasts who hate being clean.

Anyone who thinks this VW catastrophe is about VW probably does not spend much time tinkering with engines or watch closely all the fighting in the diesel market. Let me be clear here, VW was a business giving the majority consumers exactly what they wanted. And like any very large company it used its size and power to influence governance.

I’ve highlighted some things in an old advertisement here to make it more clear how the spin worked.


Even I have fallen victim to trying to promote power of diesel to make it more appealing (many blog posts in the past about diesel power being a factor).

And that’s a big insight into why this isn’t really about VW. America has a hard time speaking directly to a clean consumer segment; a small, although arguably fast growing, group of people who don’t give a crap about performance when they ask for a clean air car.

Some point to a fact that VW was running ads boasting about achieving the regulatory definitions of clean. That doesn’t mean for a second they cared. It could be they were just following regulators’ lead, talking the talk, playing the game and throwing a few dollars at some words and pictures. The American car companies’ Flex-Fuel campaign is a great example of marketing double-speak that tells insiders at least one car company still doesn’t care about the environment.

Flex fuel: car makers’ way of thumbing their nose at regulations and saying “stop asking, we still don’t care about pollution”. (Sierra Club and Bluewater Network sued to force compliance and reduce gasoline dependence. Detroit smugly responded by delivering much larger engines with higher gasoline consumption)

If you want to get angry about bogus environmental advertising take a swing first at Ford, then BMW, and then…. We have some positive examples too, that suggest clean marketing can be woven into a campaign.

The Prius was introduced by American mavericks in the Japanese Toyota executive office who wanted to test a theory. It was not a customer-driven decision, as I mentioned here in 2006. Most revealing was how clean themes actually took a back-seat to what Toyota really used to push sales:

…the answer lies in Toyota’s clever marketing campaign. To begin with, it wasn’t aimed at the mass market. Instead, Toyota thought that the first hybrid buyers would be “techies” and early adopters (people who are highly likely to buy something just because it’s new).

Americans love early cool tech. They also love luxury. And despite loving power, it was absent from the Prius campaign. You had to look at a Camry for that stuff. The environmental campaign was infused rather than dominant in the carefully targeted Prius themes. Kudos to the late great executive who pushed Japanese sensibility into our thick American tuner heads.

Ok, ok, I’m not being fair to myself or others. Those of us who long pined for environmental improvements in engines just might have grown jaded after seeing twists and turns the product managers used to delay our clean dreams. We found ourselves characterized as a small peanut gallery watching from the outskirts of the big power demonstrations that the “majority” wanted.

Calling for clean diesel regulation has felt a bit like sitting on the sidewalk eating a leafy salad watching the crowds line-up for chemically-enhanced performance-oriented meals in a brightly colored restaurant (i.e.adding hydrogen to vegetable oil to achieve fastest food).

While it is true reading ingredients in a McDonalds Happy Meal might give information to be safer what we really need is regulators or a lawyer in Marin to push for a social norm that even late night talk show hosts can get behind and promote to the majority. Reading ingredients doesn’t do much good if we haven’t fundamentally shifted consumption preferences.

Or let me put it this way: when I was told I could participate in a corporate-sponsored race car event I immediately started asking about how we would measure and explain pollution hitting the crowds. Knowing that cars emitted harmful poisons was insufficient, I needed to get people to question whether we really intended to poison our VIP customers. Unsurprisingly, as those around me sipped their well-labeled alcohol and ate their sugary snacks that clearly listed all the ingredients, they didn’t really see what I was so concerned about.

Later I found myself in an even bigger “our future is data-driven” corporate-marketing event focused on race cars. I asked an Indy car team manager what the brake dust and tire wear meant for people standing near the track. “No idea” was the answer. And years later I asked a F1 team the same. Same answer. Some future. Data data everywhere and not a person who, despite having access to learn about harms, wanted to alter car culture towards being safer.

The point here, after saying this is not really about VW, is that it also is not about openness and transparency of the software. Openness isn’t the fundamental problem in the case of diesel emissions cheating. The real key to driving change is a push from regulators and to create the right pull from consumers; nudge economics is what I’ve heard it called lately.

Being a minority in trying to figure out the push/pull on majority risk issues should surprise no one working in the security industry. It is basically what we’re paid to do. Nonetheless sometimes there are twists we don’t anticipate as these socio political things are hard. The other day I found this curious notice from a security software organization:

A notice by Whisper Systems, considered by some a leader in security software, said majority concerns come first and consumers must swallow their closed sole-source manufacturer distribution channel.

Open WhisperSystems has chosen to focus on serving the millions of users who have GCM capabilities before turning our attention to the small number of users who refuse to install Google Mobile Services. We understand that this is an important issue for some of our users and have our support forum available for discussions.

The arguments used by WhisperSystems to justify this position simply is not true. And they’re telling us being small is why we’re lower priority? The number of privacy-enhancing software use overall is small, so should on that measure alone Google turn their attention elsewhere first? Hey Google, maybe you should start ignoring WhisperSystems because they are only a small number of people who refuse to just be happy with default apps provided by Google.

No I think size is not the right measure to start and end with. Other measures of priority are useful.

Sorry, I digress…let us go back to talking about VW, a software company using false statements to justify their position to appease the majority with a closed sole-source manufacturer distribution channel. Oh, wait a minute.

But seriously, let’s go even further back to regulators stepping in to shape the diesel market and consumer demands. The emissions debacle is really about regulators working over a long time to clean the air. They had to choose targets wisely (deep pockets from large numbers of consumer vehicle sales) and massage timing (emerging shift in public opinion based on solid grains of truth) to move a market after it refused to go cleaner on its own.

The fact that VW didn’t see this coming and thought they could cheat regs, or wait for a GOP victory that would weaken the EPA or worse, is just sad management. Fire that CEO for being out of the loop on political winds that in reality are directed towards everyone but start with the biggest and most useful example. VW deserves the book thrown at them because that’s how this game works. We make an example to educate others and VW had its neck out, way out, the wrong direction.

To really put the game in perspective, don’t forget Ford dumped their CEO after he called for a clean car revolution. Put that in your carburetor and smoke it for a bit. A major car manufacturing board kicked out a CEO who wanted to go clean. Easy to see how VW executives thought cheating with dirty cars would help them fit right into the market, get a nod and a wink rather than a fine.

Except there was a slight problem. They underestimated the importance of a minority voice and opinion.

Here’s the real choice, which apparently they did not see. Either you clean up diesel like we know can be done (gasoline cleaned up and thrived) or you become an example of why actually you have no choice. Too many decades passed when we let the establishment give empty promises and shallow marketing about flex fuel, yada yada. Clean up your engines or we’ll disrupt this market so hard small new-comers can jump in to compete and sell a proper clean product, verstanden sie?

Look closely at 2005 as a huge turning point. California regulators (and NY and some other states of little sales numbers) basically ruled VW out of the market. Cold. No more diesels could be sold by VW. They were nailed, while at the same time the majority of other polluting diesels were given a pass.

I have yet to see any pundits bring this seminal point into focus on today’s news. Watching this fight for decades obviously puts things in a different perspective. Having been a long-time diesel tuner and having made my own diesel fuel I have a few dozens of blog posts related to this topic.

Politics ten years ago proved VW was the easy target to initiate a clean air battle, despite American trucks going on and on spewing poison all around us. That is a key to unlock the context for recent news. VW consumer cars could not emit a “we must pollute to survive” excuse as easily as a Caterpillar, Ford or Kenworth.

2010 was another massive turning point when California applied smog tests to diesels. Even I was shocked when I received my first letter from the state. We all should have seen coming yet I confess, I have to admit, I was amazed the day finally came in 2010 when I had to test my diesel. And I was proud that all my tinkering did not reduce clean.

The regulators slowly were winning these small battles in small markets to test attack methods and gear up for a major war against big air polluters. They were wise. And so at long last, after decades of waiting, here we are…thank you thank you EPA.

Grains of truth

Second, it’s really about the engineering facts. With diesel a smaller engine produces more power, more cleanly, more efficiently from more renewable sources of energy than any of its competitors.

A diesel was not intended to run on petroleum, it was designed to do the exact opposite and free owners from sole-source energy. The petroleum industry bastardized the original diesel design, making it run on their product, which is a disgrace to engineering.

I just have to get this out of the way. Measuring diesels today on petroleum fuel is, albeit necessary because history, technically a petroleum industry’s trick. Don’t fall for it. We really should be testing the latest engines on multiple sources.

Let me present the amazing Subaru STI-D (2008 or even better 2011) as an example of what every American today should be looking for in their next vehicle:


And now let me put this in context. That little tiny light engine is hugely powerful (380 lb-ft torque) while being compliant with the EuroV emissions requirements.

Diesel Emissions Standards

Fantastic progress. As an aside did you know that gasoline engines were not tested at all for particulate matter until EuroV? Shocking. So while lots of writers have jumped on VW to complain about shameful cheating to squeeze under tightening PM filtering rules, they say nothing about gasoline engines not being tested at all. Meh.

Even more to that point the people racing tend to brag about not having to be compliant with any smog requirements at all because they found “exemption” loopholes. Here’s a Subaru diesel racer proudly spewing horrible PM: Jump to 0:53

I see this nearly EVERY DAY from other engine tuners. It’s a hugely widespread problem. Truck drivers might even be the worst and most prevalent. The people gearing and wrenching just don’t talk like they are worried about being clean until regulators clamp down. A big cheater take down is a much easier way to shift majority sentiment than trying to go after every little tuner.

In 2005 I was offered numerous chip options for my engine and remapping software to undermine emission controls and boost performance. It was from a few diesel specialists but things have progressed quickly to many more collaborating on tuning software. Here is a diesel tuner comment from 2011, shortly after the EuroV generation STI-D was announced:


Who in 2011 wanted to be part of open source history? Turns out few signed up and so these guys went proprietary instead. Regulators made an example of VW, the largest car company everyone knows, despite so many lower-profile examples everywhere of the same behavior. In fact VW probably just licensed diesel tuning software from one of the performance shops any customer could buy from.

Today we still have tuners all over SF removing their compliant pipes and putting on “noise and air pollution sticks” given typical motives, which rarely include being kind to their environment. Just last night a Canadian was bragging to me about his Ducati being loud with track pipes and so much fun. I had to cut him off and explain the respiratory damage to our neighborhood.

He had no idea. None. This is the real problem. VW management decisions seem to be more a symptom if you actually get your hands dirty, know engines and talk with people about what is happening. When I meet polluters I often pull out a 2004 report on snowmobiles to try and frame how a feedback loop should work.

In recent years, Yellowstone employees suffered headaches, nausea, sore throats, and watering eyes as they worked in a haze of snowmobile exhaust. The health hazards forced the National Park Service to pump fresh air into entrance booths. When workers continued to get sick, the Park Service issued respirators. So far this winter, the Park Service reports that none of its employees have gotten sick from breathing snowmobile exhaust.

That was five years into the fight. By 2013 the environmentalists had successfully shifted social norms and manufacturers had to admit pollution was an unnecessary loophole.

The rules were 15 years in the making because of intense wrangling between snowmobile operators and environmentalists. But both groups support the plan and give credit to snowmobile makers for designing cleaner machines.

If I remember the Yellowstone ranger studies right, one consumer on a non-compliant or exception engine was the equivalent of nearly 10,000 cars exhaust. 1:10,0000 as a measure of harm. And so many people do it without thinking a second about that kind of damage because it’s all external to them or they leave it behind and go home elsewhere.

If someone in America races, runs off-road or uses engines for special purpose (commerce, showing off to friends how loud and obnoxious you can be) they turn off the environmental concerns; especially if it’s a world they just visit occasionally and don’t have to breathe daily because no feedback loop.

With no feedback Americans will make claims that controls impede an ability to win or impress, or get a job done: make a few extra bucks on a trailer full of unripe bananas they have to deliver before it turns into fruit flies. Here is a classic reaction in 2010 when California announced enforcement of diesel emissions checks would include aftermarket products and tuning:

F.U. SACRAMENTO! I’m just trying to save money by getting better gas mileage and not blow my tranny towing. ARREST THE VIOLENT CRIMINALS AND TAX THE MILLIONAIRES

Don’t get me wrong. Sometimes there are justified reasons to set aside one concern, safety, to focus on another such as performance. The nature of the problem is that a justified delay or postponement of safety concern to allow other values should be revisited quickly.

I used to run into this all the time from cloud vendors, especially Platform as a Service (PaaS) VPs who would claim security means leaving it up to developers to feel and find the right balance. They almost always were trying to escape considering risk, waiting to bolt-on something instead of baking safety into their platform.

Consider how top engineers in the elite tank design unit of the US Army have built a prototype that uses…a Subaru diesel-electric hybrid. The best engineers in the best Army in the world aren’t futzing around and they are pushing the envelope on vehicle design with diesels. Yay.

Their diesel engine can take in fuel from basically anywhere, anything (troops easily can build a quick bio-diesel generation station to use local sources of oil — waste, trees, algae, etc) that will recharge the electric motor. Imagine having no fuel supply issues as you get (or give) orders to advance into the most remote and hostile territory.

My point is after you get to this amazing point on every possible performance level, where diesel-electric hybrid is outshining other power plant designs, you wonder who on that team is really looking at pollution. Why would they? Who measures it as a success?

When there is nothing powerful enough, no external feedback-loop, to push product teams to include safety from the start, they leave it out. That totally safe Army vehicle, where safety is job one, probably has zero pollution assessment in the final tally.

But I could be wrong. To be fair, some regulations have started to show employees around heavy machinery perform better in clean air. There could be someone monitoring soldier health saying air quality must be clean to win wars. Maybe the Army thought about a sick soldier as a problem and wants cleaner vehicles for improved chance of victory.

This kind of economics problem is the problem of security industry in a nutshell; even deeper it is the problem of quality in products. Bolt-on, not built-in is like fingernails scratching the chalkboard to the security professional being dragged into the product management office for an architecture review. We don’t want to have to ask VW “so explain exactly after 30 years of diesel engines you decided to make them clean in 3 years how?”

VW could have done so much more, could have released a far superior product, many many years ago instead of letting down the environmental minority. Instead they gambled and waited for that minority to start to reach greater opinion and political leverage and by then they were caught behaving badly because they listened for too long to the wrong Americans.

It’s economics, stupid: diesel-electric hybrid launch is cheaper than cheating

Ok, but I hear people, especially young people, say they love forward-looking Musk electric cars named after a famous American. That surely is built-in because no pollutants, right? Shouldn’t all companies jump in the race towards electric cars to solve emissions?

The problem is something smells funny in the Musk office. Why is the range of the car so short (under 100 miles) when driven by engineers who build it, but the marketing claims more than double? Cutting the efficiency in half during real-world driving conditions means Musk is sucking serious energy from coal plants, am I right?

And when you look at the refueling model, how do they break away from top-down dictated energy sources if there is a special interface instead of a universal standard? My guess is this is why they released their IP, to encourage other manufacturers to standardize on their interface. Good move yet still begs the question of control.

More to the point why continue any relationship with Musk after you buy the car? Dare I say it should be seen as curiously anti-freedom to build central-control personal cars with top-down tracking of our daily driving experience. I know this is bucking the trend, given Inrix, Google maps, Bluetoad and all the others trying to monitor our every move.

In the long-run however we surely will find drivers wanting to go off-grid and disconnect from mother Musk. Denying a reasonable option by design can lead to some dangerously predictable behavior, such as tuners removing emission controls in a quest for more power. Listen to customers, but listen wisely.

If I buy a $100K Musk-cart I don’t want to be forced to continue my relationship after purchase day. Let me choose the relationship and connection based on my needs. Don’t lock me in with your service-oriented tentacles. Keep the software open and the personal data closed. I certainly don’t want Musk poking around in my internals without my authorization or shutting my car down at his whim.

No thank you. For me, Diesel had the right plan from the start. His genius coupled with Tesla’s would be the ideal car. It’s long past time to throw the book at those cheating on his grave.

So what now should we do about it?

First, further accelerate the clean air standards and regulations and raise mpg requirements now. We are far behind and the manufacturers have abused every bit of leeway allowed. It is time to take up the slack and force innovation through measured feedback (e.g. enforcement). The market is ready to bear many new options and the incumbents are using their cheats for margin to hold back progress.

Second, revisit the 2001 Right to Repair Act as I’ve said before, and ensure customers retain the rights to troubleshoot and understand fully their vehicles. There is no proven risk to opening the information. Actually the opposite tends to be found. Tuners innovate faster and so manufacturers can learn and improve from the collaboration. The catch being tuners also have to be headed towards improvement using social norms. Ask me why bulletin boards are full of how to improve performance of engines, regardless of emissions, yet never seem to talk about pulling seat-belts out.

Third, realize that car companies claim to respond to customer demand. If they don’t sell what people ask for, they lose. That allows us to focus on the problem of defining clean engine demand; changing the voices that manufacturers focus on. We could also cop out and use a Prius “new tech” model with just a hint of clean. But here are two ways we might be able to force direct clean feedback-loops into engineering: monitoring and enforcement.

It is a thorny issue but I believe the answers to monitoring are in randomness and persistence. This is exactly what testing labs did and should continue to do. Testing for environmental pollution during environmental activity is nothing new. After all we have mpg listed on cars for city and highway “conditions”, am I right? Putting sensors on a diesel and measuring it as it drives across the US is a reasonable test, as I’ve written before (#XFCoast2Coast). Even more to the point I believe it was in-field discovery of large trucks in California removing environmental protections in the mid 2000s that helped push towards 2010 enforcement of diesel smog tests.

More research labs, in cooperation with local air quality authorities, should be funded to sample and exhaust the possibilities. The fact that it was a European wing of the US International Council on Clean Transportation (ICCT) that unraveled the VW cheats is a great example to expand from. Resources should be allocated to grow independent and creative ISEA (Identify, Store, Evaluate, Adapt) centers to put manufacturers through rigorous tests, while also scaling up existing ERM (Easy, Routine and Minimal Judgment) smog tests for everyone else — simple scheduled stationary assessments.

Enforcement, given a shift of social norm, becomes easier to solve as this issue drags along. VW has been the whipping standard for over a decade but it makes little sense to pretend that this issue is only about them. Fines for big manufacturers is a start, but let’s also keep an eye on tuners and commercial organizations/fleets as well. Those claiming a test “in the wild” or “during use” must account for the consumers pulling a similar cheat after manufacturers hand over the ECU.

Again I want to reiterate that what VW was caught doing is basically what every diesel tuner forum everywhere talks about. In the older hardware cases I knew big diesel truck drivers who put the original chips back in their engine during a smog test and then swap again when they hit the road. Revising software is clearly easier. Social harms aren’t really part of these folks’ equation. The answer to that is not pervasive surveillance of any potential tuner (testing everyone in the wild) but rather a more systemic approach to encourage behavior change.

While I agree with openness and am a huge proponent of right to repair, the VW situation is a good example of where open software would solve a different problem set than the one directly in front of us. Simply calling for open software, even just escrow, in this case may shift pollution problems worse by expanding cheats undetected, pushing tuners the wrong direction. Enforcement through social pressures and localized testing (ala the seat-belt shift from resistance to desire for self-compliance) must be a consideration.

In conclusion, I’m grateful we finally are seeing California clean air battles with diesel reach the federal level. It has been too long a wait for the book to be thrown.

With any luck the EPA action will be a big help to a certain little American car manufacturer in excellent position to deliver a superior product — clean diesel for freedom and fun to those who have such a desire, even if we’re still a minority. Shame about not being able to crack-down on pollution much sooner, like back in the 1980s…

Subuaru Style

In conclusion, and given the wisdom of NASCAR experts on cheating, put VW where they belong.

Posted in Energy, History, Security.

Should You Trust the AirBnB Platform?

Lately one of my favorite jokes in SF is we haven’t reached peak yet because no one has tried to start AirBnBurrito. How can we just continue to order burritos without some kind of abstraction to improve our burrito experience? Why isn’t there a burrito sharing platform?

Platform is the hot new buzzword. We’ve never seen platforms of sharing like these before. Think disruption. Think possibilities.



For example if you put a smooth asphalt platform down where you live, then people can drive toxic chemical emitting boxes of death all around you. Those significant increases of disease in your home area from passers-by are a benefit, really, because they spur innovations in health care. Now that you have created a platform that leads to lead poisoning and asthma you can create a platform to search for how to remove lead poisoning and asthma…

I hear you saying broken window fallacy but wait, wait hear me out.

If you put a wireless transmission platform down, or even a spinning disc with recorded music platform down, you can give musicians pennies on the dollar for their work. You can build lavish studios and host amazing parties and promotional events on the backs of the kids who actually create music and then spit out those used up kids as the next batch of kids arrives.

Too much snark in my historic examples? Ok let’s be serious, the question should arise every time you hear the word AirBnB whether you have good reasons to trust a platform. What if history is just repeating itself, benefiting a few by allowing a clever shield scheme to avoid direct responsibility for harms that are externalized or spread widely? Platform risk is complicated and should not be treated lightly.

A platform company evangelist or product manager will probably you their developers are all responsible people who can be trusted implicitly to do the right thing; no need to have oversight because people are just naturally good. In reality, however, when you talk to the platform engineers behind closed doors you will often find a modern version of Sinclair’s 1906 novel “The Jungle”; history has some very important lessons to be remembered.

“Developers are our worst enemy” a car ride sharing platform security team member revealed to me recently, explaining further that “developers are so sloppy with credentials we had to hang one to make an example to the others”. This is a fine point. If we don’t make examples, or talk about security issues directly and openly, a platform may enable very bad things.

In 1906 the meat-packing industry was so poorly managed that the death of employees was a very real and pressing concern. Thus Sinclair wrote his book about the need to protect worker rights. The US government, loathe to be too leftist, pivoted from complaints of worker rights to create an agency that protected consumer trust in food and drug platforms (FDA).

Today the new “sharing industry” data is so poorly managed that invasion of privacy is a very real and pressing concern…any guesses the direction regulators eventually will go?

With that in mind take into consideration a new light-hearted story called “Airbnb Shares The Keys To Its Infrastructure

Pfffffft. Right off the bat I have to wonder whether the title is meant to make infosec professionals spit tea all over their monitor. Because that’s what I did.

To be fair I would gamble the title was really meant to be some kind of innocent “sharing” reference. Cue the little bunnies and kittens fluffing around. So tempting…

But to the trained security professional ear it comes across as nails on chalkboard “AirBnB goes on vacation and leaves your doors unlocked”

Ok, but nevermind the title. It is just a title. Let’s get right to the meat of the issues within the story. Let’s go right to the paragraph about…

Search for the word security: 0 hits

Search for the word confidential: 0 hits

Search for the word privacy: 0 hits

Search for the word risk: 0 hits

Search for the word trust: 1 hit!

While renting out an apartment or a house when it is empty is certainly not a new idea, Airbnb has taken it all to a new level and has built the idea of trust – of the people you are renting from as well as the people you are renting to – into its system, which has no doubt been a catalyst that has propelled its business.

Wat. Trust is built into wat system. Wat

Color me shocked. First, their supposed “new level” trust system actually has been proven to be antiquated and quite primitive. It has run into easily predictable failures that any hotel, let alone a reasonably thoughtful individual, would be prepared to handle.

…logic and decency would suggest that when you’re in danger, as Mr. Lopez claimed to be, Airbnb would come to your rescue. And in the wake of this episode, Airbnb said on Friday that it was clarifying its policies to make sure that its employees know to always call the police when someone reports an emergency in progress.

AirBnB management was unprepared for an emergency, leaving customers and employees in an untenable trust relationship. Is that the “new level”?

Second, in the text of this new story about keys to infrastructure the closest mention to anything security related that I could find was a little bit on segmentation, and that was only because a failure of availability.

We actually had to do a big cluster migration at the end of last year to separate all data infrastructure into two separate mirrored clusters: one to run all of the business critical jobs – things that have to be run and done on time – and another one for ad hoc queries. When we had it all running on one cluster, people were so interested in learning from the data that the ad hoc queries could get in the way of some of the business critical work.

They actually had to separate clusters because load. Not because privacy. No, the lack of privacy control is exactly what led to the availability failure.

Let me just say that again to be clear. Segmentation is not described as a safety issue but only in terms of performance. And yet to me the age-old problem of having too many chefs in a kitchen is an obvious safety issue much more than a performance one.

If you’re like me you’re now dying to know how privacy is being protected in the AirBnB world of sharing data as widely as possible for profit. Surely there must be some importance of privacy meant to be implied somewhere…especially in paragraphs like this one:

Airbnb actually teaches classes in SQL to employees so everyone can learn to query the data warehouses it maintains, and it has also created a tool called Airpal to make it easier to design SQL queries and dispatch them to the Presto layer of the data warehouse. (This tool has also been open sourced.) Airpal was launched internally at Airbnb in the spring of 2014, and within the first year, over a third of all employees at the company had launched an SQL query against the data warehouse.

Great. SQL being taught internally to everyone is just great. Everyone is being told to crowd into the kitchen and sharpen their knives.

What I’m really looking for, however, is an explicit statement more like “Airbnb actually teaches classes in privacy to employees so everyone can learn to protect customer data…”.

Instead I hear a company talk light-heartedly about giving keys to everyone, training everyone to dive in and start without any mention of due diligence or care.

The article is alarming because it emphasizes trust and then gives basically no reason at all to believe in it. Is consumer safety of any real concern? If this doesn’t get regulators poking into AirBnB I am not sure what should.

And all that doesn’t even touch on the logical inconsistencies. For example contrast these statements from the same person:

  • “the bad part is that Mesos, by its nature, is a layer of abstraction and it obscures some things from you”
  • “I intuitively believe that we are making the most of our engineers to push the business forward and doing it in a cost effective way on AWS” [because abstraction obscures some things from you and that’s just great. it’s so great i look back and wish i had increased obscurity 45%]

Just to reiterate the lesson being taught here: The bad part is abstraction; it obscures things from you. That’s bad. So we should push the business forward and in a cost effective way with abstraction. Bad is good for business. See?

But forget about the illogical flaws in reasoning for now. That’s just typical of cloud platform hype. Instead ask the tough questions about whether AirBnB gives you any reason at all to trust them if they’re sharing keys to your data.


So anyway as I was saying you may want to read the new piece about hot platforms and how AirBnB is doing fun stuff these days. It’s a good fluff read on the platform. Check it out and enjoy.

Posted in History, Security.

6 Things Washington Doesn’t Get About Hackers

That’s the title of the original article someone tweeted today from foreign policy. I don’t really know who the author is (Micah Zenko – @MicahZenko) and it doesn’t really matter. The article, pardon my French, is complete bullshit. I’ve been a hacker for more than two decades and it pains me to see this supposed guide for policy.

Executive summary

After years of someone socializing at parties in conferences…ahem, researching hackers, six very unusual and particular things have been painstakingly revealed. You simply won’t believe the results. This is what you need to “get” about hackers:

  1. Wanna feel valued
  2. Wanna feel unique
  3. Wanna be included
  4. Wanna feel stable
  5. Wanna be included
  6. Wanna feel unique

Again, these shocking new findings are from deep and thorough ethnographic research that has bared the true soul of the hidden and elusive hacker. No other group has exhibited these characteristics so it is a real coup to finally have a conference party-goer…ahem, sorry, researcher who has captured and understood the essence of hacking.

Without further ado, as a hacker, here are my replies to the above six findings, based on their original phrasing:

1. Your life is improved and safer because of hackers.

Agree. Hacking is, like tinkering or hobbying, a way of improving the world through experimentation out of curiosity. Think of it just like a person with a tool, wrenching or hammering, because of course your life can improve and be safer when people are hacking.

Some of the best improvements in history come from hacking (US farmers turning barbed-wire into ad hoc phone lines in the 1920s, US ranchers building wire-less relays to extend phone lines to mobile devices in 1960s).

Arguably we owe the very Internet itself to hackers helping innovate and improve on industry. Muscle cars at informal race days are another good example…there are many.

Unfortunately Zenko goes way off track (pun intended of course) from this truism and comes up with some crazy broken analysis:

…products were made safer and more reliable only because of the vulnerabilities uncovered by external hackers working pro bono or commissioned by companies, and not by in-house software developers or information technology staff

This is absolutely and provably false. Products are made safer by in-house hackers as well as external; you don’t want too much of either. To claim one side is always the good side is to show complete ignorance of the industry. I have worked on both sides many times. It should never be assumed one is the “only” one making the world improved and safer.

2. Almost every hack that you read about in your newspaper lacks important context and background.

This phrase makes little sense to me. As a historian I could easily argue everything lacks background that I like to see, yet many journalists do in fact use important context and background. I think his opening phrase was meant to read more like his concluding sentence:

The point being that each publicly reported hack is unique onto itself and has an unreported background story that is critical to fully comprehending the depth and extent of the uncovered vulnerabilities.

Disagree. Not every public reported hack is unique onto itself. This is a dangerously misleading analytic approach. In fact if you look carefully at the celebrated DEFCON 23 car hacking stories both obscured prior art.

Perhaps it is easy to see why. Ignoring history helps a hacker to emphasize uniqueness of their work for personal gain, in the same way our patent process is broken. Lawyers I’ve met blithely tell patent applicants “whatever you do don’t admit you researched prior work because then you can’t claim invention”.

Yet the opposite is really true. Knowledge is a slow and incremental process and the best hackers are all borrowing and building on prior work. Turning points happen, of course, and should be celebrated as a new iteration on an old theme. My favorite example lately is how Gutenberg observed bakery women making cookies with a rolling press and wondered if he could do the same for printing letters.

I would say 2009 was a seminal year in car hacking. It was that year hackers not only were able to remotely take over a car they also WERE ABLE TO SILENTLY INFECT THE DEALER UPDATE PROCESS SO EVERY CAR BROUGHT IN FOR SERVICE WOULD BE REPEATEDLY COMPROMISED. Sorry I had to yell there for a second but I want to make it clear that non-publicly reported vulnerabilities are a vital part of the context and background and it’s all really a continuous improvement process.

It was some very cool research. And all kept private until it started to become public in 2012, and that seems to be when this year’s DEFCON presenters say they started to try and remotely hack cars…even my grandmother said she saw this 2012 PBS NOVA show:


No joke. My grandmother asked me in 2012 if I knew Yoshi the car hacker. I thought it pretty cool that such a wide audience was aware of serious car hacks, although obviously I had that scope wrong.


And going back to 2005 I wrote on this blog about dealers who knowingly sold cars with bad software of severe consequences (unpredictable stall).

To fully comprehend the depth and extent of “uncovered vulnerabilities” don’t just ask people at a publicity contest about uniqueness. It’s like asking the strongest-in-the-world contestant if they are actually the strongest in the world.

If you’re going to survey some subset of hackers please include the hackers who study trends, who seek economical solutions and manage operations, as they are the more likely experts who can speak to real data on risk (talent) depth and extent.

Being an “expert” in any field is about a willingness to learn, and teach, every single day — in a changing landscape. As much as the younger hackers would try and have the journalists believe there is no shortcut (aside from platform and audience reach); true expert hackers simply have for a long time embraced a routine (wax on, wax off).

But here’s the real rub: if you take the stunt hacks of great publicity (a strong man event in the circus) as totally unique and not just a trumped-up version of truth, you will let real liabilities slip away. You will be distracted by fluff. It’s dangerously wrong to underestimate threats because you simply believe a self-promotion snowflake story.

Journalists and hackers can easily collude, like a circus MC and the world’s strongest man, motivated by bigger audiences. The real and hard question is whether some group’s common knowledge is being exposed more widely, or you are seeing something truly unique.

3. Nothing is permanently secured, just temporarily patched.

Agree. This is self-evident. But the author misses the point entirely.

First, this third section completely contradicts the prior one. The author now makes the fine point that hackers are always learning and borrowing from prior hacks, telling a story of continuous improvements…after telling us in the second section above that every public hack is unique unto itself. More proof that the section above is broken.

Second, have you ever played a sport? Soccer/football? Have you ever studied and instrument? Studied a subject in school? Have you used a tool like a wrench or a screwdriver? No screw is permanently turned (I mean we’ve even had to invent self-tightening ones). Nothing in science is permanently learned.

Believe it or not there is a process in everything that tends to matter more than that one time you did one thing.

Constant. Improvement. In Everything.

It is shocking to travel through countries where progress ended, or worse, things fall apart and reverse. It really hits home (pun not intended) how nothing is permanent. But the author instead seems to think hackers are some kind of unique animal in this regard:

“Cybersecurity on a hamster wheel” is how longtime hacker Dino Dai Zovi describes to me this commonly experienced phenomenon…I spoke with Zheng and Shan after their presentation, and they explained that the hack took them about a month of work, at night after their day jobs.

That’s common human behavior. You work at something over and over to get good at it. There’s nothing really special to hackers about it. They’re just people who are spending their time practicing and trying things to get better, usually with technology but not exclusively.

4. Hackers continue to face uncertain legal and liability threats.

I don’t really believe Washington doesn’t get this about hackers. I mean laws are uncertain, and liability from those uncertain laws is, wait for it, uncertain. Kind of goes without saying, really, and explains why we have lawyers.

Sounds better to me as “people continue to face uncertain laws and threats of liability from hacking”. Perhaps it would be clearer if I put it as “hackers continue to face uncertain weather”. That’s true, right? The condition of uncertainty in laws is not linked to hacker existentialism.

So I agree there is uncertainty in laws faced by people, yet don’t see how it belongs in this list meant to tell Washington about hackers.

5. There is a wide disconnect between cyberpolicy and cybersecurity researchers.

When are researchers and policy writers not far apart? How is a general disconnect from policy writers in any way unique to hacking, let alone cyber? You can please some of the people all of the time or all of the people some of the time, etc.

there are still too few security researchers and government officials willing or courageous enough to communicate in public

Actually, I see the opposite. More people are rushing into security research than ever before precisely because it gives them a shot at being a public talking head. Ask me what it was like 20 or even 10 years ago when it took real courage to talk.

I’ll never forget the tone of lawyers in 1996 when they told me my career was over if I even spoke internally about my research, or ten years later when I was abruptly yanked out of a conference by angry company executive. People today are talking all the time with less risk than ever before; practically every time I turn on the radio I hear some hacker talking.

Have you seen Dan Kaminsky on TV talking about PCI compliance requirements in cloud? He sounded like a happy fish completely out of water who didn’t care because hey TV appearance.

Some younger hackers I have met recently were positively thrilled by the idea that someday they too can be interviewed on TV about something they don’t research because, in the spirit of Dan, hey TV appearance. As one recently told me “I just read up on whatever they ask me to be an expert on as I sit in the waiting room”.

Anyway, public communication not really about finding courage to be turned into a big TV talking head, it’s about negotiating for best possible outcomes (public or private), which obviously are complicated by politics. Many hackers don’t want celebrity. They’re courageous because they refuse unwanted exposure and communicate in public but not publicly, if you know what I mean.

6. Hackers comprise a distinct community with its own ethics, morals, and values, many of which are tacit, but others that are enforced through self-policing.

False. Have you taken apart anything ever? Have you tried to make something better or even just peek inside to understand it? Congratulations you’ve entered a non-distinct community of hackers at some point in that process.

There is no bright line that qualifies hackers as a distinct community. It is not an “aha I’m now part of the hacker clan” moment. Even when hackers publish some version of ethics, morals, and values as a rough guide others tend to hack through them to fit better across a huge diversity in human experience.

Calling hacking distinct or exclusive really undermines the universality of curious exploration and improvement that benefits humans everywhere.

We might as well say political thinkers (politicians) compromise a distinct community; or people who study (students) are a distinct community. Such things can exist, yet really these are roles or phases and ways of thinking about finding solutions to problems. People easily move in and out of being politicians, students, hackers…

Real executive summary:

If there is anything Washington needs to understand it is everyone is to some degree a hacker and that’s a good thing.

Posted in Security.

Larger than Life ( Stawka większa niż życie )

Today in 1939 Hitler and Stalin signed the Molotov-Ribbentrop Treaty (non-agression pact) secretly dividing Poland. To add perspective I thought I would mention a classic spy video series that is not widely known outside Poland.

Polish television, from March 1967 to October 1968 (18 episodes), told the story of secret agent Stanisław Kolicki (codename J-23), who carried a secret mission in the Nazi army as Hans Kloss. Perhaps the most famous line of the protagonist is “Mow mi Janek”:

Call me Mike

Call me Mike

The series begins in 1941, two years after the Nazis and Soviets conspired to divide and conquer Poland. Episode one shows a young Pole, Stanislaw Kolicki, escape from Konigsberg camp on the Soviet side. He begins cooperating with Soviet intelligence by providing information about German troop concentration along the border. Soviet intelligence notices a confusing similarity, identical appearance, with a captured German Hans Kloss on the German side. Codename J-23 is born and Kolicki makes a daring run into German occupied territory. He begins organizing a counterintelligence network until the Gestapo become suspicious of radio communications and hunt him. He manages to fake his own death and escape back to the Soviet side. He then convinces Soviet intelligence to allow him to return. J-23 infiltrates the Abwehr again, this time as a “real” Lieutenant Kloss posted to Nazi military intelligence.

Posted in History, Security.

A Common Security Fallacy? Too Big to Fail (KISS)

Often I have journalists asking me to answer questions or send advice for a story. My reply takes a bit of time and reflection. Then, usually, although not always, I get an update something like this:

Loved what you had to say but had to cut something out. Editors, you know how it is. Had to make room for answers from my other experts…I’m sure you can understand. Look forward to hearing your answer next time

I DO understand. I see the famous names of people they’re quoting and the clever things they’re saying. They won, I lost. It happens. And then I started to wonder why not just publish my answers here too. That really was the point of having a blog. Maybe I should create a new category.

So without further ado, here’s something that I wrote that otherwise probably never will see the light of day:

Journalist: Tell me about a most common security fallacy

Me: let me start with a truism: KISS (keep it simple stupid)

this has always been true in security and will likely always be true. simpler systems are easier to secure because they are less sophisticated, more easily understood. complex systems tend to need to be broken down into bite-sited KISS and relationships modeled carefully or they’re doomed to unanticipated failures.

so the answer to one of most common security fallacies is…

too big to fail. also known as they’re big and have a lot to lose so they wouldn’t do the wrong thing. or there’s no way a company that big doesn’t have a lot of talent, so i don’t need to worry about security.

we’ve seen the largest orgs fail repeatedly at basic security (google, facebook, dropbox, salesforce, oracle!) because internal and external culture tends to give a pass on accountability. i just heard a journalist say giant anti-virus vendors would not have a back door because it would not be in their best interest. yet tell me how accountable they really are when they say “oops, we overlooked that” as they often do in their existing business model.

for a little historic context it’s the type of error made at the turn of the century with meat production in chicago. a book called “the jungle” pointed out that a huge fast-growth industrial giant could actually have atrocious safety, yet be protected by sheer size and momentum from any correction. it would take an object of equal or greater force (e.g. an authority granted by governance over a large population) to make an impact on their security.

so the saying should be “too big to be simple”. the larger an organization the more likely it could have hidden breaches or lingering risks, which is what we saw with heartland, tjx, target, walmart and so on. also the larger an organization the less likely it may have chemistry or incentives in place to do the right thing for customer safety.

there’s also an argument against being safe just because simple, but it is not nearly as common a fallacy.

Posted in History, Security.

Roll Your Own Kali 2.0 ISO

I noticed the good Kali folks have pre-released steps to make your own ISO for their upcoming 2.0 release.

# Workshop 01 – Rolling your own Kali 2.0 ISOs

I also noticed the steps do not work as written, mostly because files moved from archive to www. So here’s what worked for me:

Use existing Kali instance to prepare

$ sudo apt-get install live-build

This will install debootstrap 1.0.48+kali3, live-boot-doc 4.0.2-1, live-build 4.0.401kali7*, live-config-doc 4.0.2-1, and live-manual-html 1%3a3.0.2-1

Clone the builds

$ git clone git://
$ cd live-build-config

Add tools

$ echo “cryptsetup
> gparted
> amap” >> kali-config/variant-light/package-lists/kali.list.chroot

Enable SSH service at boot

$ echo ‘update-rc.d -f ssh enable’ >> kali-config/common/hooks/01-start-ssh.chroot
$ chmod 755 kali-config/common/hooks/01-start-ssh.chroot

Add your own public SSH key

$ mkdir -p kali-config/common/includes.chroot/username/.ssh/
$ cp ~/.ssh/ kali-config/common/includes.chroot/username/.ssh/authorized_keys

Add unattented install option

$ vi kali-config/common/hooks/02-unattended-boot.binary


cat >>binary/isolinux/install.cfg < label install
menu label ^Unattended Install
menu default
linux /install/vmlinuz
initrd /install/initrd.gz
append vga=788 -- quiet file=/cdrom/install/preseed.cfg locale=en_US keymap=us hostname=kali domain=local.lan

$ chmod 755 kali-config/common/hooks/02-unattended-boot.binary
$ ls -al kali-config/common/hooks/

Create the unattended seed

$ wget -O ./kali-config/common/includes.installer/preseed.cfg

Install wallpaper (BlackHat or DEFCON blue)

$ wget -O kali-config/common/includes.chroot/usr/share/images/desktop-base/kali-wallpaper_1920x1080.png

NOTE: the images/desktop-base directory has disappeared in later builds. just add it back in with mkdir

Build the ISO

$ ./ –variant light –distribution sana –verbose

After successful build the live-build-config/images subdirectory will have a 900M “kali-linux-light-sana” iso file.

* NOTE: If you want to use another platform such as Ubuntu 14.04 you may find the usual package (sudo apt-get install live-build) causes problems. When you run the script it checks versions and fails like this:

ERROR: You need live-build (>= 4.0.4-1kali6), you have 3.0~a57-1ubuntu11.2

It should be possible to meet the dependencies and edit config files using the Debian live-build:

$ git clone git://

However because “kali” is specified in the live-build version check…after several attempts on other systems to work around I gave up and took the easy path — use an old kali system to build a new kali.

Posted in Security.

Saving the Bobcat: Lessons in Segmentation and Surveillance

California has just passed a statewide law banning harm to the bobcat.

The decision of the Commission reflects a growing sensibility in this state that wildlife should not be stalked, trapped, shot, or beaten to death for sport or frivolous goods

The move came after it was revealed that attackers had advanced in two significant ways: monitoring the Internet to find targets and then using lures to pull the targets out of state parks where they were protected.

trappers monitor social media for wildlife lovers’ bobcat photos to determine where to set their traps

Bobcats under attack

The state finally was forced to react after 30,000 signatures called for action to deal with the obvious social harm. California decided to expand scope of protection from porous safe zones to the entire state.

Those familiar with PCI DSS compliance realize this is like a CIO agreeing to monitor every system under their authority for motivated attackers, instead of defining scope as only those few servers where PII should be found.

Justification of a statewide ban was based not just on evidence of attackers bypassing perimeters with ease. Conservationists pointed out that the authorities have failed to maintain any reasonable monitoring of harm to state assets.

[California] could not determine whether trapping jeopardized the species because they had no current scientific data

Thus we have an excellent study in nature of what we deal with constantly in infosec; a classic case of attackers adapting methods for personal gain while community/defenders are slow to build and examine feedback loops or reliable logs of harm.

Should it have taken 30,000 signatures before the state realized they had such obvious perimeter breaches?

Fortunately, bobcats now are protected better. The species will have a chance of survival, or at least protection from attack, as scientists figure out how best to design sustainable defenses.

Action taken sooner is far better than later. Once the species is driven to extinction it may be impossible to restore/recover, as has been the case with many other animals including the bear on the state flag.

Posted in Security.

Howto: Delete old Docker containers

I’ve been working quite a bit lately on a secure deletion tool for Docker containers. Here are a few notes on basic delete methods, without security, which hints at the problem.

  • List all current containers
  • $ docker ps -a

    CONTAINER ID  IMAGE        COMMAND   CREATED             STATUS                        PORTS  NAMES
    e72211164489  hello-world  "/hello"  About a minute ago  Exited (0) About a minute ago        ecstatic_goodall
    927e4ab62b82  hello-world  "/hello"  About a minute ago  Exited (0) About a minute ago        naughty_pasteur       
    d71ff26dbb90  hello-world  "/hello"  4 minutes ago       Exited (0) 4 minutes ago             hungry_wozniak        
    840279db0bd7  hello-world  "/hello"  5 minutes ago       Exited (0) 5 minutes ago             lonely_pare           
    49f6003093eb  hello-world  "/hello"  25 hours ago        Exited (0) 25 hours ago              suspicious_poincare   
    6861afbbab6d  hello-world  "/hello"  27 hours ago        Exited (0) 26 hours ago              high_carson           
    2b29b6d5a09c  hello-world  "/hello"  3 weeks ago         Exited (0) 3 weeks ago               serene_elion          
  • List just containers weeks old
  • $ docker ps -a | grep “weeks”

    CONTAINER ID  IMAGE        COMMAND   CREATED             STATUS                        PORTS  NAMES
    2b29b6d5a09c  hello-world  "/hello"  3 weeks ago         Exited (0) 3 weeks ago               serene_elion          
  • List all containers by ID
  • $ docker ps -a | grep ‘ago’ | awk ‘{print $1}’

  • List all containers by ID, joined to one line
  • $ docker ps -a | grep ‘ago’ | awk ‘{print $1}’ | xargs

    e72211164489 927e4ab62b82 d71ff26dbb90 840279db0bd7 49f6003093eb 6861afbbab6d 2b29b6d5a09c          
  • List ‘hours’ old containers by ID, joined to one line, and if found prompt to delete them
  • $ docker ps -a | grep ‘hours’ | awk ‘{print $1}’ | xargs -r -p docker rm

    docker rm 49f6003093eb 6861afbbab6d ?...

    Press y to delete, n to cancel

Posted in Security.

Today in History: Antoine de Saint-Exupéry Disappears

On July 31 in 1944 Antoine de Saint-Exupéry flew a Lockheed Lightning P-38 on a morning reconnaissance mission, despite being injured and nearly ten years over the pilot age limit. It was the last day he was seen alive. A bracelet bearing his name was later found by a fisherman offshore between Marseille and Cassis, which led to discovery of the wreckage of his plane.

Saint-Exupéry was an unfortunate pilot with many dangerous flying accidents over his career. One in particular was during a raid, an attempt to set a speed record from Paris to Hanoï, Indochine and back to Paris. Winning would have meant 150K Francs. Instead Saint-Exupéry crashed in the Sahara desert.

Besides being a pilot of adventure he also was an avid writer and had studied drawing in a Paris art school. In 1942 he wrote The Little Prince, which has been translated into more than 250 languages and is one of the most well-known books in the world. Saint-Exupéry never received any of its royalties.

It brings to mind the rash of people now posting videos and asking their fans to pay to view/support their adventures.

Imagine if Saint-Exupéry had taken a video selfie of his crash and survival in the Sahara desert and posted it straight to a sharing site, asking for funds…instead of writing a literary work of genius and seeing none of its success.

Posted in History, Security.