When Things Go Wrong: Response and Recovery

Originally posted on the Truss blog

When building systems with threats in mind, it’s not enough to just plan, and not enough to just raise the cost of a bad thing happening. We still have to have an idea of what we’ll do when the bad thing happens despite our best efforts.

Truss modernizes government and scales industry through digital infrastructure. Information which is sensitive to individuals and to the welfare of the organization flows through the pipes we set up. Whether hospital records, the move locations of a military family, or financial data, Truss takes the best care possible in setting up infrastructure which mitigates the likelihood of a breach. We also have a plan for such a breach, in case it happens anyway.

At RightsCon, I moderated the panel The Rules of Cyberwarfare: Connecting a Tradition of Just War, Attribution, and Modern Cyberoffensives with Tarah Wheeler, Tom Cross, and Ari Schwartz. The question was this: if “cyber”* is a fifth domain of war (the existing domains being land, sea, air, and space), what is a just response to a cyberattack that still follows the international expectation of de-escalating?

Neither the panel nor the audience agreed with the responses that are happening now: the assumption of “hack back” against state adversaries, and the use of the CFAA against people who might otherwise entertain the thought of being a patriotic hacker. The Computer Fraud and Abuse Act (CFAA) is the law that has been used to treat breaking a terms of service, those agreements too long and dense to read fully, as a federal crime. That’s right: logging into your partner’s bank account after their death in order to pay the house’s electrical bill can be prosecuted under it, and it’s the same law that’s used in most of the “hacker” cases you read about in the news. It’s also the number one reason the infosec professionals I know and love refuse to work with the government. The proposed ACDC bill would carve out an exception to the CFAA for “hacking back,” meaning you could attack a computer that’s attacking you. Except of course it’s not that clear-cut.

Which brings in the questions that many folk in the audience had. What about attribution (the ability to know who is taking the action)? This is hard in digital space because it’s easy to attack something from behind someone else’s IP address. What about asymmetry (an imbalance between those in conflict with one another)? Is it ok if one country attacks the other in cyberspace when the other country is just beginning to get online? These are hard problems, but we can’t wait until they are solved to have conversations about responses. If you’re having a hard time moving on without those hard problems being “solved enough” first, you’re not alone – the audience also had a deeply difficult time with it.

But what would be acceptable? If there was a breach of military moving data, do you think it would be responded to differently than the malicious alteration of medical records? Do you think who the adversary is would matter? Does the immediate or the potential future impact on those involved matter more? Where is the line between war and espionage? We ended the panel with a comparison to disaster response, so attendees would have a framing to continue the discussion.

Disaster response also focuses on preparedness (stockpiling water for the next Bay Area earthquake), response (digging our neighbors out of the rubble), and mitigation (enforcing building codes which make collapse in an earthquake less likely). We are terrible at recovery. When it’s time to rebuild, the money, attention, and volunteers have dried up. Huge swathes of Far Rockaway (2012) and New Orleans (2005) are still a wreck from hurricanes.

The same is true for online attacks, whether doxxing (the nonconsensual publication of someone’s personal information) or DDoSing (a distributed denial of service attack, in which many computers all pester yours for a response until it can no longer answer anyone). We spend so much attention on battening down the password hatches and doing incident response that most don’t think about what being whole again after an attack that might happen anyway looks like. And so much of infosec and government work is about trying to prevent the Bad Thing from ever happening. Plan A is to make a perfect system. But we must own up to Plan A rarely being the plan that works out. Don’t your contracts also have release clauses in them? Planning for the worst case isn’t inviting calamity, it’s being pragmatic.

One of our engineers recently said, “I would rather throw away some work than have to be under a too-tight deadline later.” This was said as Plan A seemed less and less likely due to bureaucracy and too many moving parts. But Plans B and C were being procrastinated on by our government protective cover. Why? I see the cost of exploring options in government as high, with extremely limited resources to work with. This means all sorts of fragility and resources wasted putting out fires when Plan A didn’t work exactly as planned. A balance of ownership, accountability, and flexibility would have helped alleviate this difficult situation. Additionally, setting aside resources for recovering from inevitable failure helps the entire system be more robust.

While Truss doesn’t specialize in the actual recovery (there are firms and insurance providers who do focus on response and recovery plans), we know it’s a necessary part of a complete plan, and you should, too. Good luck out there today, and remember to keep in mind what you’ll do if it doesn’t all work out.

* Note that I have a deep visceral reaction to the word “cyber,” but it’s the word that has been thoroughly adopted in this discipline and so it has been used here for the sake of readability. The confusing image for this post is the inoculation to having to use the word.

Adventures with the TSA

In the last month, I’ve had two interesting experiences with the TSA. Both times, the airline ended up saving the day. I’m writing this not as a “LOOK HOW BAD THIS HAS BECOME!” as I have friends in targeted demographics as well as friends on lists who consistently get detained, and they already write far more eloquently and intimately about that side of things than I could wish to. This is more a “look at what this is like, for someone who is socially aware but also not in a tracking system” (that I know of).

What’s in a Name?

The back issue on my end is this: I like my first name, but it’s not my social name – that’s “Willow,” my middle name. I have no desire to change my names, especially not to simply make the job the state has taken on easier. This means, when I travel internationally, my full name is listed with the airline from my passport, which also means my frequent flier programs have FIRST MIDDLE LAST. Which means when I book an intra-continental flight, my FIRST LAST shows up, while MIDDLE LAST are on all of my locally-relevant IDs (driver’s license, credit cards, academic IDs, etc). I have usually just brought an ID which indicates my first initial, and everything’s dandy.

This hasn’t been an issue until the last two months, when it has suddenly become enough of a red flag that extensive measures must be taken to establish that I’m not a dangerous person. Which means going through all of my stuff and a thorough pat down. Which is often used as a threat, not as a heads up. As someone who has consistently opted out of scanners which can store and transmit images of your body (and therefore into pat-downs) for the past 5 years of heavy travel, I’m pretty acquainted with the less aggressive version of this process. I asked to see the policy stating that they had a right to touch me, based on my name. TSA informed me that no one is allowed to see their policies, and to please wait on a supervisor.

[Image: a gold sticker replicates a TSA agent’s badge and reads “TSA Team Boston, Junior Officer,” with the Department of Homeland Security emblem and eagles all over the place.]

I waited. And waited. My flight began to board. I was still on the other side of security. Finally, I went to the airline desk and told them what was going on, and they changed the name on the ticket to match the ID I had on hand. I made my flight. I’m not sure if the airline did a legal thing, so I’m not naming them, but holy shit am I grateful.

Victory point: the TSA staff felt so badly about their process and supervisor being so shitty that they gave me a junior TSA agent sticker. To which Jenbot responded “You’re just two more pasties away from the world’s funniest private screening.”

Nonconsensual Pat Downs!

Last night had significantly less humor. I, for once, went for the full-body scan thing. My emotional fortitude to opt out of every process is slowly being worn down, which just pisses me off even more. I hate rolling over and showing my belly, but I also hate being touched by strangers who think I’m a fucking villain 3+ times a month. The scan showed an “anomaly in my pants” (lulz), and the female-identified TSA agent started patting me down before any verbal acknowledgement, or even eye contact, was made. I stopped her, saying I hadn’t consented to a pat down, at which point she indicated the anomaly and stated a pat-down needed to happen. I said I understood, but I hadn’t yet consented. She asked if there was going to be a problem, I said “with you touching me without my consent? Yes.” She then deployed the mantra of “going through all of my stuff and a thorough pat down,” but this time with about 3 additional TSA agents, a manager, and 2 federal officers around me, with them holding onto my stuff.

I balked. I’d rather spend another night where I was than deal with this (I was in a lovely place with lovely people). They tried to take my ID to scan it for a report I wouldn’t see. I instead put on my boots, got my bags (they didn’t resist my taking my things, but they also didn’t make it clear in any way it was possible), and walked towards the airline counter to sort things out. As I was walking away, one of the federal officers told me in a surprisingly friendly tone that if I attempted to make it through a different security line that night, I would be arrested and criminal charges pressed against me.

The airline informed me that I could use the ticket’s cost towards a future flight, but that they couldn’t book me on another flight the next day free of charge. That was between me and the TSA. I went back to the security line and talked with state officers, the TSA manager, and their manager about my general work, large-scale conflict resolution, sexual assault survivors, trans friends, and the TSA’s lack of empathy and effectiveness. I should have left the last part out, but I was pissed off. They allowed me to go through the process that night, if I were willing to go through the pat-down and stuff-going-through. And fuck it, my going home was more important in that moment than my civil liberties. And yes, I’m also well aware that basically no other demographic would have been able to have this privilege (because while it was personally deeply uncomfortable and not ok, it was still a systemic privilege to be able to have a re-do).

A friend who happened to be in the airport at the same time (small world is small) had seen some of this happening, and waited past security for me to be sure everything was all right. I’m deeply thankful for this act of kindness and manifestation of social fabric. Also that the TSA manager enacted the pat-down, as a personalized moment of “I know I’m a part of a fucked up system.” I made it through security at the core of the airport just as my flight was meant to be taking off in a peripheral gate, but I jogged to my gate anyway. And the goddamn airline held an entire flight for 15 minutes just so I could still get out that night. So much gratitude.

Internal Consistency is How the Terrorists Win, Apparently

It’s worth noting here that I fly a fair amount. I also tend to detect patterns and systems fairly well. I dread the inevitable next agent-splaining of how TSA policies work, which are always attempts to be kind and to let me in on “how things work,” but are never remotely consistent. Fuck you. The haphazard nature of enforcement has little to do with “let’s keep ’em guessing!” and far more to do with “what equipment is working today and what rules we’ve been chop-busted about most recently.”

Which Just Adds To…

The cycle we’re caught up in right now does little to nothing to “catch the terrorists” (which is also just slapping a band-aid on a gaping wound of systemic problems) and a whole lot in further ostracizing and demeaning historically marginalized demographics.

I have no idea what to do with this – the work I can’t not do (for passion, for frustration, for specialization) merits traveling a fair amount. The people I love are a distributed lot. But I also can’t handle instances like this happening too much more before… something has to change. Me, or it.

Here’s something I used to do a lot more, and which now I’ve been worn down out of doing, so I can still have emotional capacity for other things I care about. And that also pisses me off.

Is it secret, is it safe?

Being in Berlin reminded me that I haven’t been around the hackers I know and love since my last round of gadget acquisition. A lot of conversations have been happening recently around the usability of crypto-aware tools (including an event in DC on Jan 11th that GWOB is doing with OpenITP – you should go!). What we fail to talk about is how easy many of the existing tools already are to use, and what they are. Here are some things we did:

Encrypt all the things!

Why this matters: when interacting with law enforcement, you may be able to plead the 5th around your password (whether a passphrase is protected is still litigated and varies by jurisdiction, and a fingerprint or face unlock generally gets less protection than something you know, so set a passphrase), but the hardware itself can be seized, albeit sometimes only for a short time. During this, they can take an image of your disk, i.e., scan and copy everything on it. With the device encrypted and powered off, all they will see is adsfliu9p8aerkadfov8c79234hfgia etc instead of “ohai.” Powered off matters: a laptop that is merely asleep or unlocked still holds the decryption key in memory, so shut it down fully before a border crossing or a checkpoint.
FileVault

  • A Mac. It’s not as hard as you think. With a solid state drive, it takes about 45 minutes. Let it run tonight while you head to bed. For a Mac, plug it in, launch System Preferences > Security & Privacy > FileVault > Turn On FileVault. It will hand you a recovery key: write it down and keep it somewhere safe, because without your password or that key the data is gone for good.
  • An Android. Also not difficult. Settings > Security > Encrypt Device (you need a lock-screen PIN or password set first; recent Android versions ship encrypted by default, so the menu may only confirm that it is already on). Again, you’ll need to leave it plugged in and have a bit of patience with it.

Password Management

Why this is important: a manager lets you remember one strong master password and fill in long, random, unique passwords everywhere else, so a breach at one site doesn’t hand attackers the same password for your email and bank (the reuse problem that credential-stuffing attacks depend on).
On Mac, I went for 1Password. It costs some money, but it’s hella easy to use, and I can share an encrypted file via dropbox between my multiple devices so I can still access accounts. While I’m plugging in these accounts to 1Password, I’m slowly changing all my less-secure passwords for randomized ones.
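As an added example (not 1Password’s code, nor anything from the original post), here is in Python what a password manager is doing for you under the hood: random per-site passwords drawn from a CSPRNG, a random master passphrase, a vault key derived from that passphrase with PBKDF2 so the vault file is useless on its own, and a reuse check over a vault. The 32-word list, the iteration count and the sample vault are constructed for the demo; a real passphrase list (diceware) has 7776 words.

```python
import hashlib
import math
import secrets
import string

# Character set for generated site passwords: 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed 32-word list for the passphrase demo. A real diceware list has
# 7776 words, which is what gives each word ~12.9 bits instead of 5.
WORDS = [
    "anvil", "brook", "cider", "dune", "ember", "fjord", "gable", "harp",
    "inlet", "jade", "kelp", "lumen", "moss", "nook", "oriel", "pylon",
    "quill", "ridge", "sable", "tarn", "umber", "vale", "wren", "xenon",
    "yarn", "zinc", "apron", "bison", "cove", "drift", "elm", "flint",
]


def entropy_bits(length, alphabet_size):
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length=20, alphabet=ALPHABET):
    """A site password nobody needs to remember: uniform picks from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=6, wordlist=WORDS):
    """The one password you do remember: random words are easier to hold in
    your head than random symbols of the same strength."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def derive_vault_key(master_passphrase, salt, iterations=600_000):
    """Turn the master passphrase into a 256-bit vault key (PBKDF2-HMAC-SHA256).
    The salt is stored next to the vault; the iteration count (an assumed
    value here) slows down offline guessing if the vault file is copied."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_passphrase.encode("utf-8"), salt, iterations, dklen=32
    )


def find_reuse(vault):
    """Given {site: password}, return the groups of sites sharing a password."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, set()).add(site)
    return [sites for sites in by_password.values() if len(sites) > 1]


if __name__ == "__main__":
    print(f"site password: {generate_password()}  "
          f"({entropy_bits(20, len(ALPHABET)):.0f} bits)")
    print(f"master phrase: {generate_passphrase()}  "
          f"({entropy_bits(6, len(WORDS)):.0f} bits with this toy list)")
    salt = secrets.token_bytes(16)
    print("vault key:    ", derive_vault_key("correct horse", salt).hex())
    # Constructed sample vault: the same password on two accounts.
    constructed = {"bank": "hunter2", "email": "hunter2", "forum": "x9!Qm"}
    print("reused across:", find_reuse(constructed))
```

The numbers are the point: 20 random characters from 94 symbols is about 131 bits, more than any human will memorize, while six words from a 32-word list is only 30 bits, which is why the list size matters as much as the word count. Real managers use the derived key to encrypt the vault with an authenticated cipher (AES-GCM or similar); that step is left out here because Python’s standard library does not ship one.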

Communications

drawn for Morgan Mayhem’s Center for Civic Media talk on Coercion Resistant Design

Why this is important: HTTPS is everywhere now, but it only protects the hop between you and the service; the service itself, and the links within and between the larger “clouds” it runs on, can still see your plaintext. In order for you to maintain your privacy, what you send has to be encrypted end to end, so only you and the recipient can read it. All of these are usable in the exact same way from a user standpoint as the things they replace. They just also encrypt the content. Try them out.

I already use Adium for Off The Record (OTR) and Thunderbird for Pretty Good Privacy (PGP) on my Mac. I’d use Jitsi but it crashes anytime I’ve tried. Waiting until it works. That said, I also want the messages I send on my phone to be encrypted.

  • ChatSecure : OTR chat on the phone, over XMPP accounts you already have
  • TextSecure : encrypted texting; already installed, but worth mentioning (it has since become Signal)
  • Threema : also encrypts images etc! Let me know if you’re on it, definitely needs critical mass in order to be usable. I’m K69NNHXE
  • Orweb : Tor browser on the phone; needs Orbot running underneath it
  • Orbot : the Tor client and proxy on the phone, which other apps route their traffic through

Self-Hosting

Why this is important: you control your data. Or at least someone you can go punch in the face does. I am also incredibly hungry at this point of writing this post and thus this section lacks detail.
Uberspace : I like this group out of Berlin. They’re pretty great.
OwnCloud (the post originally said “Ownweb”; thanks, Natanji, for the correction) : All the functionality of calendar, contact storage, etc. Works beautifully on Uberspace. Hosting on your own of course requires the mental and technical capacity to maintain and patch those servers.

Is it safe?

When is the last time you ran a backup? Why not right now? And once it’s done: encrypt the backup too (an unencrypted copy of an encrypted laptop defeats the point), and try restoring a file from it, because a backup you have never restored from is only a hope.

<3 to all the fine folk who helped out with this : Tomate, Herr Flupke, Morgan.