This blog has been in need of a redesign, so I have spent the last week tweaking my web hosting and my very own WordPress installation. Welcome to the new “Weaponized Culture,” now residing on its own dedicated domain. I will no longer be posting on this site, so please update your RSS and bookmarks.

I have already taken a poke at the whole Broadghazi gate business in “Celebrity generals, chicks with guns, and the cover of the National Enquirer.” More posts are sure to follow. I need an outlet for my writing that isn’t my dissertation, but you can expect more dissertation-flavored posts. Of course, there will be no escaping whatever new shooty-explody-hacky things that strike my fancy. I will keep at the pop culture angle as well.

See you there!

DEFCON is one of the largest and longest-running hacker cons. It takes place in Las Vegas as this nerd baccanal where hackers show off their research and party with their peers. Its founder Jeff Moss–known by his handle Dark Tangent–now sits on the Homeland Security Advisory Council and is the chief security officer for ICANN. The director of the NSA, General Keith Alexander, made a first-ever appearance in large part to woo hackers to the agency.

Despite this new air of, well, respectability, the conference is a free-for-all–heavy on alcohol, black hats, and off-color talks.  DEFCON’s unofficial “survival guide” gives a taste of what to expect: Rule #1 reminds attendees that prostitution is illegal, Rule #2 warns against using the very-likely compromised ATM, and Rule #4 admonishes anyone who would connect to the DEFCON network–using no less than six anal sex jokes.  This is not out character for a hacker con; one of my favorite presentations from HITBSecConf this year started with painful language lesson on picking up a prostitute in Malay. Once you got past that (oh, and the “fisting” references, too), there was some great information. Get the picture?

Recently, I trolled someone on Twitter who said wouldn’t attend DEFCON or Black Hat, because he preferred more secure, vetted environments. The comment is all kinds of stupid, because a convention like DEFCON is exactly where people who want to understand attackers should go–namely, anyone responsible for defending networks and hosts. However, there is no doubt that these conferences can be a hostile environment for a lot of professionals–not the least of which are women.

Make ran a story on one attendee’s response to sexual harassment at DEFCON. Her name is KC, a freelance journalist preoccupied with technology and social justice, who blogs at Single Voice.  She devised a project of Red and Yellow Cards (in the rugby or soccer vein) to call out sexist behavior.  We are talking some very serious behavior.  KC describes the catalyst:

Let it be known that I went to Defcon with a reasonable amount of armor on already. I was reasonably aware of the frat party environment I was stepping into. I have many friends who are involved with helping make Defcon roll smoothly each year, from speakers to goons. And still, nothing could have prepared me for the onslaught of bad behavior I experienced.

Like the man who drunkenly tried to lick my shoulder tattoo. Like the man who grabbed my hips while I was waiting for a drink at the EFF party. Like the man who tried to get me to show him my tits so he could punch a hole in a card that, when filled, would net him a favor from one of the official security staff (I do not have words for how slimy it is that the official security staff were in charge of what was essentially a competition to get women to show their boobs). Or lastly, the man who, without prompting, interrupted my conversation and asked me if I’d like to come back to his room for a “private pillowfight party.” “You know,” he said. “Just a bunch of girls having a pillowfight…. fun!” When I asked him how many men would be standing around in a circle recording this event, he quickly assured me that “no one would be taking video! I swear!” I’m pretty sure this is the point where my lovely partner Morgan asked him if he thought propositions like his had anything to do with contributing to women not feeling welcome at Defcon. This was a very difficult concept for this poor soul to wrap his head around.

The cards themselves (yellow and red) received a very positive reaction from women and Dark Tangent himself, but there was some pushback from male attendees.

The project intrigued me and I have been meaning to write something, but I felt a real urgency to do so when Robert Graham of Errata Security posted a counterpoint of sorts to what he saw as punitive sexual harassment policies entitled “Sexual harassment policies: education please, not threats.”*  His bottom line is this:

Education is a better solution to this than threats. Men should be told that just because she hasn’t slapped you doesn’t mean she’s in to you, it just means she is in a social situation she’s had little experience with.

The thing about hostile, threatening policies is that they discourage legitimate speech. People become scared and go too far censoring themselves. It becomes something that can be exploited by the disgruntled to censor things that have little to do with sexual harassment. As a guy, I don’t see the cases of sexual harassment that I know exists (from reliable reports), but what I do see is the frequent exploitation of anti-harassment policies.

Graham is a libertarian who has written some compelling arguments of that bent (which I commented on in “Law, Order, and the Accidental [Cyber] Guerrilla“); KC is an “anarchist” with a feminist bent. I wanted to hear the dialogue between the two, so I tweeted.

KC responded with several tweets:

I fail to see what is aggressive, angry, infantalizing or threatening about holding people accountable for their behavior [cite]

I also flat out don’t believe the whole “men don’t know better/are unaware!” excuse. [cite]

Also, let’s talk about the frustrating social expectation of women needing to to be the patient educators… (1/2) [cite]

…vs the nonexistent expectation of men simply being more responsible and sensitive at cons. (2/2) [cite]

Graham responded in kind. The gist is that shaming doesn’t solve the problem long-term while education is a better route. Frankly, I find KC’s to be the more compelling argument. I, too, am unconvinced by the “‘men don’t know better/are unaware!’ excuse.” Graham cites the misogyny among male attorneys, for example; he seems to be saying attorneys are the exception to the rule, but I think there are some uncomfortable commonalities.

For better or worse (mostly worse), I have a lot of experience with attorneys. Today, more than 50% of law students are women, and the general sense I get is that there is this growth in very hostile attitudes among thirty-something (and younger) male attorneys towards women as a perceived threat to men’s position in the workplace. The harassment isn’t some poorly articulated come-on; it is a power play to defend their turf. While I doubt women have reached anywhere near that parity in the hacking community, it is worth asking the question how much of this behavior boils down to bullying and turf-defending.

A more compelling counterpoint came from @maradydd:

If you’d like some context, one of the stories @ErrataRob is telling is mine. [cite]

My creeper didn’t learn from “stop touching my butt/asking to see my boobs.” I doubt a card would’ve helped. [cite]

Here, KC and Graham are not too far apart. The card is an educational tool–one that might not work. Indeed, all education may not work.  I sympathize with Graham’s desire to protect freedom of speech; I really do. However, I see little recourse except for the more ‘punitive’ measures such as BRUCON’s anti-harassment policy.

* – On Twitter, I initially attributed the article to David Maynor.  Both are with Errata, and both tweeted about it.  I simply hit “quote tweet” on the wrong one, and the misattribution followed from there.  Mah bad!

A commenter over at the Small Wars Council thought my theory about the possible motive of the Iranian Metasploit hijinks would make for a good movie–but, I assume, not the most credible analysis.  First, typing commands in to msfconsole is a little hard to dramatize on screen. About the closest we’ve come to making the command line sexy was having Trinity from The Matrix run an nmap scan and a fictitious SSH exploit, and Trinity did it wearing a leather outfit (see article and YouTube clip*). The real perpetrator may be doing it unshaven and in a bathrobe. At least, that’s how I do my best work. Secondly, I am, like, so totally serious about my theory of someone more interested in disrupting intelligence agencies than Iran’s nuclear program.  Here’s why:

There are certainly credible reasons why a professional intelligence agency would bang away in Iranian networks with Metasploit. If the Iranians are shutting down key parts of their network (I don’t know how vital the automation bits mentioned in Mikko’s piece are) to do forensics to figure out how the attacker is getting in, maybe blasting “Thunderstruck” is the next best thing to some fancy exploit to ruin centrifuges. Or, perhaps, some group who wants to disrupt Iran’s nuclear program is flooding them with garbage attacks to overwhelm Iranians attempts to analyze their more ‘long-term,’ targeted malware. That analysis takes time and personnel who are in short supply even in the U.S. Think of it, to borrow a phrase from one of my brilliant friends, Federico Rosario, as “a DOS attack on skilled personnel.” Others have mentioned playing “Thunderstruck” as a kind of psychological warfare on trust in terms of Iranian infrastructure.

However, these types of attacks seem every bit as likely to disrupt professional intelligence agencies’ access as help them in some way. I also am unimpressed with the PSYOPS theory, because (1) this has already been accomplished via previous malware and (2) announcing one’s presence contradicts the IC’s modus operandi in terms of being able to discretely collect information and disrupt systems.  That’s why I think there is another motive at work here. The reported worm and Metasploit hijinks may even be two separate actors.

* – Funny enough, that little 1:09 clip dramatizes pretty much every policy maker’s fear of an infrastructure attack on the US

A few days ago, I wrote a post entitled “Will FM3-24 fight piracy (the RIAA kind, not the swashbuckling kind)?” in which I criticized the fact that policing music, movie, or software piracy was even on the COIN Center’s radar when it was unclear that the military was getting the basics of counterinsurgency right. Today, I came across a funny anecdote in Paula Broadwell’s All In.  During then-General Petraeus’s last weeks in Afghanistan, Senators McCain, Graham, and Lieberman were in Kabul for a Fourth of July dinner with Preident Karzai:

The senators and Petraeus had dinner that evening with Karzai. At one point, the Afghan leader mentioned that he loved a song that he thought was called “Down on the Bayou.” After dinner, Petraeus put his communications team on it. His aides quickly found the tune–“Born on the Bayou,” by Creedence Clearwater Revival. For Petraeus, it brought back memories of Cadet Hops at West Point in 1972. His team burned a CD of Creedence’s greatest hits, and Petraeus gave it to Karzai two days later. The president  beamed.

Petraeus’s aids could have bought all the songs on iTunes (or whatever service–I’m an Amazon guy myself), but there’s a part of me that hopes that these greatest hits were put together from various ill-gotten MP3s in staff member’s laptops.  Either way, I love that anecdote. I hope the Taliban are Creedance fans!

As for Broadwell’s book, I am almost all the way through it. Frankly, I’m underwhelmed. The narrative is pretty drab (olive?), and Broadwell has a talent for making the most intense fire fights tedious. However, I may be simply sick of reading about warrior-intellectuals and the f’-ups of Afghanistan. If you are truly interested in Petraeus’s education, The Fourth Star is a much more readable version of the same basic narrative of genius generals and counterinsurgency. There are some interesting ‘corrections’ and political ‘readjustments’ of that COIN narrative, though.  At any rate, I’ll take a more thoughtful poke at the book once I start articulating my thoughts in the dissertation.

As I tweeted a day ago, Mikko Hypponen had an interesting blog post in which he discusses an email from a scientist working at the Atomic Energy Organization of Iran.  The details are a little unclear, but the claim is that some mix of a worm, Metasploit, and hacked computers blasting AC/DC at all hours of the night has been disrupting two nuclear facilities within Iran.  The AC/DC bit–“Thunderstruck,” as a matter of fact–has attracted the most attention.

It is hard to get a clear picture of what is going on, because there’s really two separate issues:  this worm and the possible use of Metasploit. Metasploit, of course, is not a virus; it’s an exploitation framework. Download it here if you’re curious. HD Moore, Metasploit’s creator, tweeted:

definitely a confused individual, Metasploit isn’t a worm and doesn’t ship with AC/DC’s Thunderstruck :)” (source)

However, you can indeed load an MP3 with Metasploit.  Moore explained:

you can do it today (msf> load sounds) & copy mp3 (source)

If the e-mail to Mikko Hyponnen is truthful and accurate, this strikes me as the act of an amateur–not a state, much less the US. Moreover, the fact that there is no effort to be covert makes me think this is a grand middle finger to US and other intelligence agencies. It is as if the perpetrator is saying, “You developed malware and cryptographic attacks over the course of years to penetrate computers relevant to the Iranian nuclear program; I did it downloading an app freely available to anyone.” They probably even used a commonly available exploit, too. I can’t see someone burning a 0-day to blast “Thunderstruck” to some Iranian engineers just for, as the kids say, “the lulz.”

If I had to ‘profile’ the perpetrator, I would suggest a lone male with a grudge or grievance with one or more US intelligence agencies (perhaps a past applicant). If there is a political motive, I would suggest someone affiliated with Anonymous or other like-minded group who might think disrupting Iranian networks would mean disrupting any ongoing US intelligence operation. Either way, the objective in my view is disrupting or discrediting US efforts rather than Iran’s nuclear program. That’s pure speculation, but that is the impression I get.

As part of the effort to revise FM3-24 Counterinsurgency, the U. S. Army COIN Center released a series of questionnaires in advance of the May revision conference. One thing I noticed has stuck in my craw since I first read the questionnaire in, well, question. Even though proponents and detractors of that American practice of war we call “COIN” agree that it constitutes a “wicked”–if not impossible–problem to perform as a foreign occupier, the U.S. Army at least considered taking on one more problem: music piracy.

How or should the manual address what the United States government considers to be criminal activity that is ignored, sanctioned, or unable to be countered by the host nation government (eg, growing poppies, pirating CDs)? [emphasis added]

That is question #15 in the revision questionnaire, falling under the heading of “Operational Environment/Threat.” Although I have attended the COIN Center webcasts discussing the progress, I did not attend the revision conference itself so this idea may have been squashed a long time ago. However, I do think it is telling that the Good Idea Fairy made even a fleeting appearance with this suggestion.

Think for a moment on the issue of piracy whether it is software, music, or movies. In the United States, piracy persists even though we do not have a flourishing insurgency, the government exerts robust control over its territory, and potential penalties are not unsubstantial. Yet, someone thinks it is a good idea to have warfighters police music piracy in a country where not only the host nation (let alone the village and tribal units) could care less. Do you want to drive some impoverished vender to the insurgency over someone else’s intellectual property? More importantly, do you really want Americans braving IEDs and ambushes to protect some tiny sliver of an entertainment company’s bottom line?  Let the host nation sort that out once they have a marginally functional state–and, frankly, whoever inherits the Afghan state, such that it is, will have their hands full not meeting the same grisly end as Mohammad Najibullah.

It has been far from proven that the United States military establishment can perform even the basics of counterinsurgency. It is not simply that the U.S. has bigger fish to fry; the U.S. has not learned to catch fish–much less filet and fry them. The more I read in terms of reportage like like Rajiv Chandrasekaran’s Little America the less confidence I have in leadership to engineer anything approximating a favorable outcome in Afghanistan.

In the past, I have written about the PEO Soldier’s self-congratulatory reinvention of the wheel and DepSecDef Ashton Carter’s comment that PEO Soldier’s magazine was not “playing to our strengths.”  Last week, the Army announced that it was banning the use of MagPul Industry’s highly-regarded PMAG as well as other polymer magazines such as Tango Down’s ARC magazine. Clearly, the good idea fairy is at work here.  There is not much I can add to Matthew Cox’s story “In Reversal, Army Bans High-Performance Rifle Mags” but let me highlight a portion:

This seems to be a complete policy reversal, since PMAGs are standard issue with the Army’s 75th Ranger Regiment and they have been routinely issued to infantry units before war-zone deployments.

Soldiers from B Troop, 3rd Squadron, 61st Cavalry Regiment, had been issued PMAGs before deploying to Afghanistan in 2009. On Oct. 3 of that year, they fought off a bold enemy attack on Combat Outpost Keating that lasted for more than six hours and left eight Americans dead. Some soldiers fired up to 40 PMAGs from their M4s without a single stoppage.

Militay.com asked TACOM officials if the Army had discovered any problems with PMAGs that would warrant the ban on their use. TACOM officials would not answer the question and instead passed it off to Program Executive Office Soldier on Thursday evening before the four-day Memorial Day weekend.

TACOM’s message authorizes soldiers to use the Army’s improved magazine, which PEO Soldier developed after the M4 finished last against three other carbines in a 2007 reliability test. The “dust test” revealed that 27 percent of the M4’s stoppages were magazine related.

The improved magazine uses a redesigned “follower,” the part that sits on the magazine’s internal spring and feeds the rounds into the M4’s upper receiver. The new tan-colored follower features an extended rear leg and modified bullet protrusion for improved round stacking and orientation. The self-leveling/anti-tilt follower reduces the risk of magazine-related stoppages by more than 50 percent compared to the older magazine variants, PEO Soldier officials maintain. Soldiers are also authorized to use Army magazines with the older, green follower until they are all replaced, the message states.

Military.com asked the Army if the improved magazine can outperform the PMAG, but a response wasn’t received by press time.

As the article indicates, the magazine is a common failure point. Even with the vaunted reliability of the AK system, a dented magazine can cause a stoppage. The only rationale that I can see behind this is that not every polymer magazine is great. There are many imitators of the PMAG and ARC that would be downright dangerous for warfighters to use. However, disallowing all polymer magazines is every bit as dangerous. While people fall in love with the whiz-bangery of The Next Carbine™, it is important to remember that better training, better maintenance, and better magazines would all save lives.



Get every new post delivered to your Inbox.