The Market Ticker
Commentary on The Capital Markets
2016-10-21 11:43 by Karl Denninger
in Technology, 48 references

Public cloud computing, that is, computers at a remote location you do not own but lease space on, which have a hypervisor and clients running under it where you do not have complete, 100% control of said hypervisor are not secure.

If you have allegedly "encrypted" data there that is accessed, modified and used on said machine then the key to decrypt said data must also be on the machine and unprotected so it can be used.  If that is the case it can be trivially stolen since the hypervisor has complete access to all of the memory and disk resources of the client process and once stolen any pretense of security vanishes like a fart in the wind.

This is the lesson of the Wikileaks "Podesta" and related hacks.  It is not that Russia was involved (or not), it is not whether the "hack" was criminal, it is nothing of the sort.  It is that many of these people had their data (email in this case) on a public cloud environment and said environment was trivially broken into and the data stolen within minutes of being targeted.

The media and "business channels" have not and will not talk about this underlying fact for the simple reason that a huge percentage of the current market bubble is being driven and sustained by these so-called "innovations" and what they've done to market valuation.

This is continually claimed to be the "future" of corporate computing, but if you follow this road, embrace this path, and do so with data that needs to be secure then this is what's coming to you, whether you like it or not.


2016-10-21 07:03 by Karl Denninger
in Editorial, 1256 references

Last night there was somewhat of a ritualistic dinner held.

It was the Al Smith dinner, a white-tie affair, and a ritual that Presidential candidates, very late in the game, have usually taken part in.  This year was no different, with both Hillary and Trump sporting their white-tie best.

But this is not your usual sort of passé thing. No, it's a benefit, and as are many benefits in New York it was stuffed with priestly types and an extraordinary price tag -- but, as is frequently the case when there are so many with a priestly bent headlining the event, the money actually goes to a decent cause -- in this case Catholic Charities.  And, I might add, rumors are that they raised a record amount.  Bravo.

This dinner is in fact a roast, and The Donald went first.  He served up a menu that began with some self-deprecating humor, as is the usual fare.  But then, after getting the crowd nice and warm, with chuckles and even roars of approval, he dropped the hammer:

"Hillary is so corrupt -- She got kicked off the Watergate Commission.  How corrupt do you have to be to get kicked off the Watergate Commission?"

It didn't end there, and there were boos.  Of course there were boos: Trump was in a hard-left, hard-Democrat audience.

But Trump didn't use last night to level charges, he dropped truth bombs.  That Hillary was fired from the Watergate commission isn't an accusation, it's a fact.  That she and her campaign traded slurs against Catholics (and I remind you, this was a Catholic Charities event) in their emails isn't a charge either -- it is also a fact.  Yet there she sat, in a room full of Catholic bishops and priests, raising money for Catholic Charities -- people who, by her own admission, she believes hold anachronistic beliefs that require an "Arab spring" sort of cleansing, and that's just what she thinks Government ought to actively promote -- under her administration, of course.

Donald didn't roast Hillary, he BBQed her.  That Hillary had the audacity to show up for such an event after what she and her campaign have traded in emails about Catholics was the height of hypocrisy bar none, and Donald gave her no quarter.  The audience was squirming, but that's what you have to do from time to time -- take that sacred cow up on stage, praise it, lay down a few laughs, and then show the world by giving a good yank on the cord that the reason it won "largest cow" at the fair is that someone stuck a 4" drain stopper up its butt.

It's funny how, when nobody can cheat, nobody can get the questions beforehand because there aren't any and you get the lectern to yourself for a few minutes you really get to find out who always seems to find a way to use marked cards at the poker table (begging the obvious question as to who their confederates are) and who plays chess -- a game where it's damn hard to cheat and being able to think ahead of the other guy is crucial to success.

Trump has, through this campaign, showed that he's a grandmaster at laying traps and getting people to step in them.  This makes thrice that he's managed to punk the news media, getting them to cover what they didn't want to not by lying to them but rather by leading them to believe through context that they were going to see something other than what showed up.

Last night may have garnered Trump some boos in the room, but they were boos driven by discomfort of the truth being shoved in the face of so many who claim to wear a robe and stand for universal truth, given by God -- yet who have backed a candidate, publicly and otherwise, that has woven her entire professional and political life from a lie.


As I pointed out in Leverage.... yep.

We didn't pursue this because it does not mesh with naval power and nuclear weapons, both of which are incompatible with the isotopes that are produced by the breeding version of these units.

Yet they are both safer and more-efficient than "conventional" nuclear plants.

Of course that didn't matter to those who killed it, did it?


2016-10-20 16:26 by Karl Denninger
in Technology, 851 references

Let's focus just for a minute on the oft-repeated claim that the US Government's "agencies" have "declared" that Russia is behind the Podesta (and other) Wikileaks releases -- that is, they stole the data.

There's no evidence to support that which passes even the most-rudimentary sniff test.

You have one guy who's made that claim in the US -- Clapper.  The same Clapper who knowingly lied before Congress in the past.  Yes, that Clapper.

Now it is certainly true that Russia is likely capable of such a hack.  Then again the hack itself, as I've pointed out, isn't especially surprising given that it appears many of these "email accounts" have been sitting on public cloud-provided email services.

By definition such 'services' are not secure and cannot be made secure. That people like Podesta are using them for sensitive private matters (which the government is NOT entitled to copies of) such as campaign work is proof of their stupidity -- and little more.

Folks, I can set anyone up with a system that is virtually hack-proof for email, yet for those emails where you don't care about security you can still exchange them with anyone else.  I use such a system myself, built by myself.  Key to this sort of design is that unencrypted emails that you wish to be secure against tampering, interception or both are never stored on the server.

This is obviously unsuitable for the government and its official business (which is why they don't do that) because the government relies on being able to see what is going on both for routine business purposes and to comply with FOIA requests.  Obviously a classified network is an entirely different thing but an unclassified network used for government business stores and distributes unencrypted email because if it was otherwise nobody, including legitimate government oversight organs, could access it!

Let's assume you want to send me a secure email.  All you need to do is email me first, and ask me to reply to you.  Doing so will give you my public key for S/MIME.  You now use that key to encrypt your message (which modern email clients can do automatically) and send me the message you wish to send "securely."  Commonly-available client software which can do this includes Outlook (Microsoft's), Thunderbird, BlackBerry's Android phones (the Priv and DTEK50) and reasonably-recent Apple iPhone software, among others.  You can obtain a key pair for such a purpose from a number of places on the Internet, some of them free, and the better ones do not require that anything other than your public key ever touch their infrastructure, so the risk of them leaking your private key to others is zero (since they are never in possession of it.)

Said email can then pass through however many systems and be stored in however many places but if stolen it is unreadable (unless you saved an unencrypted copy in your "sent" folder), because the only place my private key happens to reside is on devices that I have physical control of.

It is most-specifically not on the server where the email resides!

Here's the important point to remember when it comes to public key cryptography: Once you encrypt the message to send it not even you can decrypt it again!  That is, the key you used for encryption is worthless to decrypt; you need the other half and you don't physically have it nor is it on the server.  Only the person you targeted the transmission toward has it.

So now to break in and steal that email you cannot "just" break into my server and steal the database or files full of messages (you get a bunch of encrypted messages, which you can't read) nor can you intercept the messages while they're being sent (ditto.)  Instead you have to steal both the encrypted message and an unlocked copy of my private key, which exists in unlocked form only while I'm actually using it and it is only present on my personal devices.

In other words you now have to catch me, personally, using said key and manage to get the device out of my hands and into yours, then get said device to divulge the key, before the device locks itself or detects your attempt at tampering (at which point you're screwed since the key is no longer unlocked and/or it has been destroyed!)

Is this possible?  Sure.  But it's a hell of a lot harder than stealing the email itself.  Why do you think the FBI, when they go to bust someone they think might be doing something illegal (like trafficking in kiddie porn) always want to catch the perp with his computer on and unlocked?  It is for this very reason -- seizing a computer that has an encrypted disk but is turned off is frequently going to result in them having exactly zero means of retrieving whatever is on there.  The only way around that is if there is a back door that will trick said device into divulging the encryption key (such as was the case for the infamous California shooter's iPhone.)

So what we have here is a group of people who are intentionally using insecure means to communicate and then whining when one of their own people leaves the front door unlocked.  Does this require some "Grade A" hacker to break in and rip it all off?  Oh hell no it doesn't; in fact, all it requires is that you be stupid, and apparently plenty of these people are.

Where did the hackers come from?  I strongly doubt it was Russia.  I would not be at all surprised to discover that it's nothing more than third-rate folks who send out spams that look like "password reset" requests; it only takes one time you fall for that and then, well..... yeah.  (Or something equally stupid, such as using the same password in a dozen different places, some of which use insecure hashing systems, one of those files gets stolen and the password cracked.  Now I don't have to break into anything since I have the actual password!)

All of this underlies one reality that I pointed out in an earlier column though, which is why none of the media will talk about this, why my phone hasn't rung with a request for an interview on the matter nor has anyone else's who knows what they're talking about: The moment it gets into the public consciousness that "cloud" computing is never secure at any time a key is on said cloud or unencrypted data is stored or used there, the "value" of all these public cloud companies, which are a huge part of the valuation bubble in the stock market today, collapses.

So to summarize:

  • The campaign is full of stupid people who have been passing around sensitive data without encryption.  These are the people who the candidate, incidentally, thinks ought to be running the country if she wins.  It ought to be obvious that putting stupid people in public office is a bad idea.

  • There are moderately easy ways to avoid this problem for sensitive communications where no central authority needs to be able to get to them for legitimate purpose.  The campaign decided not to do that, however, which goes directly to point #1 -- they're stupid.

  • Responding to a question about a leaked email with a "where did you get that" sort of response is demonstrable evidence that the allegations raised about said content are true.  If they're false (that is, the email was falsified and not really sent) then you'd instead get a categorical denial. Why would someone ask "where you got it" if they never said it in the first place?  A denial doesn't mean that the allegation isn't true, but questioning the source instead of the content is nearly-always an admission that the content is factual. Use your head folks.

  • The underlying issue related to these hacks is that so-called "public cloud" providers are insecure if, at any time, unencrypted data or the keys to decrypt said data are on said machines.  The value of a whole bunch of "new economy" bubblicious companies depend on this not making it into wide public consciousness because the minute that it does nobody is going to consent to their health data, their financial data or anything else that's personal and sensitive being put on this sort of infrastructure ever again.

In other words blaming Russia is a distraction intended to keep you from paying attention to both the content of the emails (which certainly appear to be factual given the reaction to their release thus far) and the fact that a whole host of data about you is being similarly stored in similarly-insecure fashion by literally thousands of companies.


Ed: I hesitated to write on this topic, although I noted it at the time.  I'm choosing to write on it now because I'm not the only one who noticed it (obviously) but others are writing about it in public, so my doing so cannot do further harm.

All military powers have secrets.  Some of them are more-serious than others, in that the harm done if they're revealed varies.  When it comes to the modern age information about our nuclear weapons programs is some of the most-secret, and with good reason -- you never want an adversary to know what you're capable of and you especially don't want them to know both what you can do and how long it will take you to do it.

Hillary said the following in the debate last night:

“But here’s the deal. The bottom line on nuclear weapons is that when the president gives the order, it must be followed. There’s about four minutes between the order being given and the people responsible for launching nuclear weapons to do so.”

Hillary probably knows exactly what those timing constraints are because as Secretary of State she had to know.  But such information is extremely sensitive and thus highly classified, almost-certainly at an SAP level (that is, "beyond top secret" as is claimed in the referenced article) because it would give an adversary critical data on our response to a potential attack and allow them to know what they must achieve to get inside our "OODA" loop.  If an adversary gets inside that loop in a fight for your life you usually die.

"OODA" stands for "observe", "orient", "decide" and "act".  It is the basic principle on which essentially all combat decisions rest.  In order to make wise decisions in combat you must perform all four steps, in order, for each offensive or defensive act you take.

All of these steps take time.

There is a romanticized view of war that comes in no small part from the media and entertainment industries -- that one decides to do something and it "just happens."  The number of films that put into a real-time context the fact that this is never how it occurs in real life is very small -- but certainly not zero.  For instance, Pearl Harbor showed the Doolittle Raider sequence, which had a huge time delay (hours) between the irrevocable decision to "go" (when the planes left the deck) and the outcome for the crews (those who didn't die were almost to a man captured in China and tortured horribly.)

The decision to use nuclear weapons is one of the greatest responsibilities that a President may be called upon to undertake.  There is nothing, ever, about the process for their release that is not considered sensitive and essentially all of it is classified at Top Secret or better.  This is especially true when it comes to latency between an order and execution; we have spent an enormous amount of money over the decades since WWII putting in place and maintaining surveillance on a world-wide basis for the explicit purpose of detecting our adversaries' intentions during their latent period between a command and the launch event, and both we and our adversaries have spent a hell of a lot of money shortening those windows.

Early ICBMs were liquid-fueled and it took quite a long time to fill the missile tanks before you could fire them.  This was a tremendous deterrent to their use, in that if we detected such a fueling we could fuel our missiles and thus prevent the nightmare scenario -- being caught with warheads raining down on you while your retaliatory strike capability is on the ground!

These timelines have been dramatically shortened over the years, but it still takes time to complete that OODA loop should the horrifying reality of having to use nuclear weapons occur.  The amount of time it takes is a very serious secret that simply must never be leaked because if you do then an adversary knows what they must achieve in order to catch you with your pants down.

The Cuban Missile Crisis was as serious as it was precisely because Russia's decision to place those missiles on the Cuban coast dramatically shortened the warning time that we would have from a "go" order being given and cities in the southeast -- including Miami -- being reduced to a smoldering ruin.  That was why we nearly went to war; the presence of such weapons in that location made a decision to shoot by Russia an act that would get inside our nation's OODA loop given the technologies of the time.

For 60-odd years the threat of overwhelming response has kept our world free of offensive nuclear weapons use.  That threat is reliant on nobody knowing exactly what they must achieve to get inside their adversary's OODA loop and kill them before they can respond.  That is why such information is by any realistic determination one of any nuclear nation's most-closely guarded secrets, and Hillary Clinton revealed that secret on national television last night.

What's far worse is that given her former position we know what she revealed was not a guess.

This singular statement last night, standing alone, should result in Hillary's immediate arrest.

It won't, but it damn well should, because she just gave away, on national television, exactly what an adversary must achieve in order to kill us all and she did so not as a matter of guesswork or hypothesis but from actual, classified knowledge.  At the same time we damn well ought to demand the arrest and prosecution of James Comey, who quite-clearly intentionally threw his investigation into prior classified material mishandling by Hillary and had he not Hillary would have been under indictment and thus unable to leak said information last night.

"What difference does it make" won't do as an excuse when all that's left of us is a smoldering hunk of charcoal.
