Hacking is understanding a system better than it understands itself, and nudging it to do what you want.
Hover over any of the logos to find out more.
When you need up to the minute information about computer security or annual metrics research into accumulation risks.
When you need technical assurance about the trustworthiness and security of a device, or your networks.
When you need to understand and combat particular malware groups or binaries.
When you need training in malicious behaviour on the internet, digital self defense, or speakers for industry conferences.
A brief history of the internet, it's political and economic structure and struggles.
A tour through the dark economy of US top secret programs.
Clearly Internet Connection Records are personal data, and storing them also requires a duty of care on the part of both government and industry.
A balanced view of the good markets and bad markets.
This book delighted me greatly, both as a thought experiment, and as history of technological development.
A brief history of the internet, it's political and economic structure and struggles.
The internet was born, and is an ever evolving self transforming context. It is a business, a medium of business, a cultural phenomenon, and space to be defended.
This is the story of the dreamers and makers of the internet. The hackers, the entreprenuers, and the governers. This is a story of an ongoing struggle for control, and something that is deeply uncontrollable: information.
Not only did I enjoy reading this book, I felt some of my own history entangled within it. I remembered some parts of this history in a very personal way. That didn't detract at all from the political message about big business arguing with big brother, quite the contrary, it reminded me why I began to care about the internet.
I still believe that Computer Emergency Response Teams are the white blood cells of the internet. I was surprised they weren't mentioned here. However, their spirit was very much evoked in the comments about the IETF, ICAAN, and The Internet Society. The sheer volume of legendary characters who built the internet RFC by RFC, and dreamed of all it's varied uses is too big to recount here. That's why splinternet was written, to introduce you to a few of those characters you didn't know.
A tour through the dark economy of US top secret programs.
How do you quantify a secret economy? If even the records of how much was spent on something how can you begin to estimate or understand the impacts of such an economy. This is a question that interests me about cyber crime, but this book is not about that.
This book is a journalistic whirlwind tour of USA's top secret spending, and the political fallout of keeping those budgets secret. It also details how the US Framers of the consititution did not intend for any secret budget ever to exist in the USA. Among other curiousities explored within are how the CIA is an illegal insitution, and a very conservative gentleman once sued the US Treasury to find settle a consitutional issue about how government spending should be accounted for.
The author himself won a Pulitzer for the serialisation of these stories, and it shows in it's page turningly easy style. He does come to some quantified conclusions at the end of the book, about the size of the budget. Of course after Snowden we know the budget has increased significantly since the book was written (it was around 52.6 Billion USD in 2013). The question on readers minds should be how much does the USA spend on offensive cyber programs, and how does this compare with other countries operating offensively in cyber space.
Clearly Internet Connection Records are personal data, and storing them also requires a duty of care on the part of both government and industry.
A security and privacy program has to be put in place to protect ICRs from being lost, stolen, or leaked. To protect personal data, has a cost, and one that the government is imposing as a externality on businesses associated with internet connections. Within the UK, the ICO and the FCA/FSA can fine organisations for data breaches, acccidental or maliciously caused. Such liability is clearly stated by the two regulatory agencies with oversight of personal data in the UK, the ICO and the FSA. To quote the ICO's own website:
"There are a number of tools available to the Information Commissioner’s Office for taking action to change the behaviour of organisations and individuals that collect, use and keep personal information. They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice on a data controller. The tools are not mutually exclusive. We will use them in combination where justified by the circumstances."
The ICO has a cap on the fines for losing personal data, at £500K, in their own words:
"issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010" (REF 1).
According to Breach Watch The ICO have fined £5,573,500 since 2010.
The FSA has significantly more latitude in the size of fines having levied up to £3 million against HSBC for inadaquete data security measures in 2009 (REF 2, REF 3).
Note that in that case of HSBC, the FSA didn't need a security breach to levy the fines, only evidence that the protections were inadequate. Clearly then, ISPs have some potential liability for ICR even if they do not get lost or stolen, and the FSA expects them to secure any personal data properly, regardless of it's usefulness for national security purposes. So too, does the EU, and companies may be liable for up to 4% of their global annual turnover from 2018. So the deicions made today, have a very significant financial impact on technology companies operating in 2018.
Seperate to regulatory liability, there is also an associated cost of a breach for data. If we try to examine and study that cost, we turn primarily to two data breach reports: Ponemon and Verizon. Both give us examples of the cost per record of having data lost or stolen within the UK.
Ponemon lists the associated costs of a malicious breach in the UK at $143-163 per record (£100-114) (REF 5).
The Office of National Statisitics suggests that at least "The internet was accessed every day, or almost every day, by 78% of adults (39.3 million) in Great Britain in 2015" (REF 6). This then suggests a conservative maximum potential liability cost of 39.3 million*£100 divided by market share between the ISPs asked to store ICR. Note too, this is the potential cost BEFORE any regulatory fines would be levied. This is simply the cost of informing customers, and managing the breach. Further fines could be levied by the ICO, the FSA, or the EU regulatory bodies.
Of course, it is unlikely we would see all ICRs breached at the same time, but it is not impossible. Even a more conservative estimate, where we examine the highest potential liability for a single ISP is worth considering in a cost/benefit analysis.
BT manages roughly 7.99 million customers, and thus carries £799 hundred million potential cost of customer data records losses.
Asking private industry to carry the potential cost of breaches AND the regulatory liability for storing ICR for UK surveillance purposes, ignores the cost half of the cost/benefit equation.
A balanced view of the good markets and bad markets.
Sometimes economics aligns incentives to bring good products and services into the world. Sometimes it encourages bad behaviours with costs shouldered by society. Often, people like to tell us in *only* does one or the other. I prefer a more nuanced view of economics, in all it's beauty, but warts and all.
This book satisfied that preference, by telling tales of markets tricking consumers. The authors do provide many great examples, and also academic references, to gives us the big picture. Economics isn't a religion, it can't be all light or all darkness. Clearly it solves some problems and creates others.
The book is also written so as to be accessable to non-economists. In fact, it's a great introduction to the economics of deception. As someone who has studied deception in many forms (card cheating, magic tricsk, hacking, social engineering) I found it captured many of the principles I have read elsewhere. That's not to say it bored me, but rather that the mechanisms of deception were well presented. Importantly though, it focussed more on the incentives for those mechanisms, as an enabling environment, which is exactly the kind of subtle detail I love.
Economics is subtle driver for bad behaviour, both in wealth and poverty. We used to say 'No one cares about morality when there isn't enough to eat'. This book reminds us that the converse is also true: 'no one stops to question morality when the profits are rolling in'.
This book delighted me greatly, both as a thought experiment, and as history of technological development.
The premise; that you could collect a core cannon of science and technology to rebuild society if you could, is more subtle than first glance suggests. It suggests a prepper's book, and while it delivers there, it also begs a further question. How large a book, or other storage medium to aim for?
You might choose a cd, an encyclopedia, a whole server, or an entire library. The thought experiment continues if you choose to be more altruistic and less self-interested. What medium would you choose if you wanted it to last 1 generation, or 10 or 1,000 generations?
Regardless of continuing the thought experiment though, this book describes a dependency tree of scientific and technological achievement. So it serves well as a pop science history lesson as well as it does a though experiment. As a risk analyst and a hacker, I found it extended my knowledge both of how industrial technologies work in simple terms, but also describes some interesting examples from history when people were deprived of some infrastructure and had to rebuild it or kludge a temporary solution together
This book might not appeal to the quants among you, but it definately will appeal to the infrastructure lovers, the engineers, and the catastrophists. This is the thinking prepper's handbook to rebuilding scientific achievement.
Concinnity Risks employees like to remain very private. None the less, some of us want you to know who we are.
Éireann Leverett once found 10,000 vulnerable industrial systems on the internet.
He then worked with Computer Emergency Response Teams around the world for cyber risk reduction.
He likes teaching the basics, and learning the obscure.
He continually studies computer science, cryptography, networks, information theory, economics, and magic history.
He is also fascinated by zero knowledge proofs, firmware and malware reverse engineering, and complicated network effects such as Braess' and Jevon's Paradoxes. He has worked in quality assurance on software that runs the electric grid, penetration testing, and academia. He likes long binwalks by the hexdumps with his friends.
Éireann Leverett is a regular speaker at computer security conferences such as FIRST, BlackHat, Defcon, Brucon, Hack.lu, RSA, and CCC; and also a regular speaker at insurance and risk conferences such as Society of Information Risk Analysts, Onshore Energy Conference, International Association of Engineering Insurers, International Risk Governance Council, and the Reinsurance Association of America. He has been featured by the BBC, The Washington Post, The Chicago Tribune, The Register, The Christian Science Monitor, Popular Mechanics, and Wired magazine.
He also serves in an advisory role to ENISA: on the industrial control systems and smart grid security experts group.
He was part of a multidisciplinary team that built the first cyber risk models for insurance with Cambridge University Centre for Risk Studies and RMS.
What our clients have to say about our work.
