Private Eyes: 2020 Incarnation

spy, espionage, reading

Patrick Radden Keefe in The New Yorker reviews a couple of recent books about the private investigation industry and its changing role. One of them, The Modern Detective: How Corporate Intelligence is Reshaping the World, by Tyler Maroney, was named a 2020 favorite by Kevin Burton Smith, who monitors PI stuff on his web site, for the Private Eye Writers of America, and for Mystery Scene.

More than thirty thousand private investigators are working in the United States, and while some of them engage in the activities that find their way into crime stories—investigating kidnappings, flagging cheating spouses or employees, and finding missing persons—a lot of what modern PI’s do is less juicy corporate work. They check out potential employees, track missing assets, scour proposals for multibillion-dollar deals, assess corporations’ potential partners, engage in (presumably) white-hat hacking, and amass opposition research from the undrained swamp of politics.

These activities are ubiquitous in the corporate world today. Globalization, deregulation, and rapid technological change have created the opportunity for whole new chapters in the secret investigations playbook, as well as new criminal opportunities and strategies.

Despite the growth in that sector of the industry, tales of insider trading, corruption, and fraud are a regular feature of the news media. You have to wonder, is the investigations business simply ineffective in curbing bad behavior, or is the malfeasance we read about only the tip of what would be a glacier-sized iceberg if the investigators’ weren’t on the job?

Says Keefe, the book “is not an exposé. It is part memoir, part how-to guide, a celebration of the analytical and interpersonal intelligence that makes a great investigator.” Those are the traits that have given Poe’s Auguste Dupin and Conan Doyle’s Sherlock Holmes nearly a century and a half of popularity. Sounds like a must-read!

World-Rocking Reading List:
The Modern Detective: How Corporate Intelligence is Reshaping the World
Kleptopia: How Dirty Money Is Conquering the World
Broker, Trader, Lawyer, Spy: The Secret World of Corporate Espionage

Covid in an Era of Cyber Insecurity

12/3 Update: The attacks on health care entities attempting to address the Covid pandemic continue, with the latest hacker target–the cold chain necessary to distribute vaccines.

Since 2014, the United States has faced an increasing number of well-publicized cyber attacks. Although some have been severe, none have crossed the “traditional threshold of war,” as described by Garrett M. Graff in a November 2020 Wired article. To recap a few of these: In 2014, there was China’s theft of government personnel records and North Korea’s suspected hack of Sony; in 2016, Russia attempted to manipulate the presidential election; and more recently, we’ve seen numerous ransomware attacks on institutions and municipal governments, both large (Atlanta, Baltimore) and small.

In response to such threats, New York City created a citywide cyber command (the NYCCC) in July 2017. This centralized organization works across NYC agencies and offices “to prevent, detect, respond, and recover from cyber threats.” Geoff Brown, head of the NYCCC, described its challenges in a recent online briefing moderated by Cipher Brief founder Suzanne Kelly. A consolidated approach certainly has face validity, compared to asking a hundred different entities with personnel of varying training, skill, and interest to cobble together their own separate, inevitably not interoperable security plans. As Brown said, “We can’t predict what’s coming around the curve, but if we build resilient systems overall, we can respond well.”

Over the last year, in the face of Covid, the NYCCC has used its technical environment to “defend the defenders.” When city agencies moved to remote operations, that process also was aided by the NYCCC’s work. Not surprisingly, cyber adversaries took advantage of concerns about Covid to expand their intrusion attempts, knowing people would more quickly respond to queries and data requests that appeared to be Covid-related and ignore potential red flags.

It was incredibly sobering, Brown said, to reflect on how, in the middle of a life-threatening crisis, the health network itself became so vulnerable. As a result, NYCCC has worked with both the public and the private hearth care sectors to increase awareness of cyber vulnerabilities and strengthen their defenses. Never forget, he warned, that without extreme vigilance, the consequences can be deadly. He cited how a ransomware attack led to the recent death of a German man.

Understandably, health care systems have a fundamental concern about patient privacy, although even that makes the system subject to attack. Clearly, such attacks are corrosive, with damage beyond their initial impact, by damaging citizens’ all-important trust in governmental, public health, and social institutions.

The Perfect Weapon

The Perfect Weapon, HBO, David Sanger

In mid-October, HBO released its documentary, The Perfect Weapon, about growing cyber security risks (trailer). A recent Cipher Brief webinar featured David Sanger, national security correspondent for The New York Times, who wrote the book on which the documentary was based, and Mary Brooks, who contributed to both his book and the documentary, and was moderated by Cipher Brief founder Suzanne Kelly.

Creating a documentary based on a detailed, fascinating, and chilling 340-page book is a challenge. It had to be more interesting than 000s and 111s scrolling down the screen. There was a history to lay out. Director John Maggio decided to render the technology aspects of earlier cyberattacks in broad strokes and to humanize the story by focusing on the victims. This approach not only revealed how many sectors of society are vulnerable to cyber criminals, but also how diverse are the sources of these attacks.

The first cyber attack receiving much play in the United States was North Korea’s 2014 takedown of Sony in response to a movie it didn’t like. For that segment, Maggio’s team could interview actors and executives. It was harder to get the story of the next significant attack—this one by the Iranians on the Sands Casino in Las Vegas—because the casino executives don’t want to publicize it.

Since then, attacks have continued, most recently with ransomware attacks on US hospitals already stretched thin by the coronavirus, and on local governments in Florida, for example—after crippling attacks on Baltimore and Atlanta.

Though costly and significant, these episodes have not been serious enough to trigger retribution by the US government. “They are short of war operations,” Sanger said, “and deliberately calculated to be so.” The potential for much more consequential acts definitely exists. It is known, for example, that malware has been placed in the US power grid, where it sits. Officials don’t want to talk about it, or remove it, ironically, because they don’t want the bad actors to understand our detection capabilities.

Of course, the United States isn’t inactive in this arena. In 2010, our government. and Israel used the malicious computer worm Stuxnet to disable Iran’s nuclear program, an action US officials won’t admit to even now, Sanger said. Unfortunately, the destructive Stuxnet code escaped into the wild and is now available to many black-hat hackers. Stuxnet “didn’t start the fire,” he said, “but it was an accelerant.”

Who is behind an attack can be murky. For various reason, organized crime has increasingly muscled its way into the cyber-threat business. Governments hire hackers or external organizations to create havoc, because it gives them deniability. “Not us,” they say.

The US Cyber Command’s goal is to “defend and advance national interests.” However, the job of preventing attacks is difficult. It’s a challenge that requires considerable imagination, given an environment where the risks are escalating rapidly, the technology is improving constantly, and the targets have no boundaries. You may have read about recent threats to COVID vaccine research.

What exactly are the “national interests,” when American businesses have suppliers, clients, and customers all over the world? Companies don’t want to be perceived as working against those relationships. Google, for example, declined to participate in a military program to make drone attacks more accurate. Similarly, though Microsoft and the Cyber Command were both attempting to disable TrickBot in the last few weeks, their efforts were independent and uncoordinated.

Thomas Donahue, Senior Analyst at the Center for Cyber Intelligence has said, “We cannot afford to protect everything to the maximum degree, so we’d better figure out what cannot fail,”

The documentary—and the book—lay out what’s at stake for all of us. Past posts on this topic:
* Our Biggest Threats Keep Growing
* Cyberthreats: Coming to a Company Near You

Technology & Elections

vote, voting, election

A set of articles in the current issue of Wired discuss the part technology can play in improving our elections. Skeptical, all things considered? You should be. Still, here’s what to watch for.

Candidates and Facebook

James Barnes, a Facebook employee embedded with the Trump campaign in 2016 (think about that a moment), has had second thoughts and is now working to promote Joe Biden at the political nonprofit Acronym. It produces digital media campaigns for progressive candidates and causes. By the end of summer, though, very few voters were undecided, so their campaigns weren’t making converts. One can only hope that the Trump campaign’s October efforts to outspend Biden on Facebook ads in several battleground states, according to this CNBC story, will fall flat too.
Read: PW Singer’s Like War: The Weaponization of Social Media.

The Voting Process

To be a state election official is to be plagued with nightmares. “We all knew we were headed into what would be a contentious election year,” said Arizona’s Secretary of State, Katie Hobbs, in a model of understatement in this Wired article by Lily Hay Newman. Plus, they know they have a derailing technical problem or two: In Georgia’s disastrous primary, for example, all 159 counties were using new machines for the first time. Plus, the pandemic. Officials have had to scramble to find polling places. Traditional venues—schools, community centers, churches—balked. Experienced poll workers? A vanishing species.

Texas election officials and a team of university-based computer scientists, Wired reports, have devised a way to use advanced encryption technology—homomorphic cryptography—to improve our notoriously vulnerable voting machines. (Just using the term, I’ve already approached the limit of my understanding of how it works.) The machine assigns a lengthy ciphertext to each vote and prints out a short identifier, akin to a bit.ly link. Voters can use these to verify their votes are “in there.” Part of the beauty is that votes do not need to be decrypted to be counted, so privacy is maintained.
Read: James McCrone;s Faithless Elector, about a member of the electoral college who doesn’t stick to the script or McCrone’s brand new book, Emergency Powers, about how far someone will go to hang on to the presidency. Hmmmmm.

Secure Vote Counting

In this election, several states will use “risk-limiting audits” to validate results. These methods link the scale of the audit to the victory margin. If a candidate wins big, even a small sample of randomly selected ballots can confirm the results. In closer contests, a larger sample is needed. Bottom line: Unfortunately, processes, equipment, and practices vary widely, state to state, and nationally, the lack of investment in improving them contributes to a loss of faith in our elections that eventually damages every one of us.

Good Covid Ideas from Bill Gates

Bill Gates has probably spent more time thinking about public health—not just in the developing world—than almost anyone who isn’t a medical epidemiologist. In a 2015 TED talk, he warned about the likelihood of a pandemic and his bottom-line was, “We’re not ready.”

Being right isn’t always gratifying. Yet, in the current issue of WIRED, Gates doesn’t cast blame on the skeptics. “We can do the postmortem at some point. We still have a pandemic going on, and we should focus on that.”

His message is for public officials and private industry alike. A particularly urgent need is for a rapid self-test for Covid 19. Most tests today, which require people to wait days for results, are essentially useless, Gates says, and a big barrier to quicker test results is the insurance reimbursement system. Tardy tests are reimbursed at the same rate as timely ones. Why not build in a financial incentive for speedy response and a penalty—including no reimbursement at all—for delayed results?

Another shortfall is that the US should help the vaccine companies build extra factories for the billions of doses that will be needed around the world if the pandemic is to be effectively stopped. Although this would be expensive, he says it’s a fraction of the money that will be lost in a tanking worldwide economy. “In terms of saving lives and getting us back to normal,” that expenditure is a smart and essential investment. Interesting.

Dust Off Your Library Card

chalk outline, body

You see so many reviews of brand new crime novels on this website because, as you may know, I read and review them for the fantastic UK website CrimeFictionLover.com. Occasionally, I dig into my book pile and find something not suitable for CFL. Possibly it’s a book that’s been out a while, a new book already reviewed by CFL or in one case below, great non-fiction. A post for another day is a list of not-crime books. There is such a thing!

***Identical
By Scott Turow (2013) – if you want a novel full of twists and turns, this one has it. If you want a novel that stretches the bonds of plausibility, you have that too. Twin brothers Cass and Paul (Castor and Pollux, get it?) couldn’t be more different. One is running for city mayor, the other about to be released from jail after 25 years. He pled guilty to the murder of his girlfriend Aphrodite Kronon. Confusions worthy of the ancient Greeks and arising from twinhood are here, fairly predictably.

****Statute of Limitations
By Steven F. Havill (2006) – This is one of Havill’s meticulous police procedurals set in small-town New Mexico. I’ve read three of them, and I love them! A retired police chief abandoned after collapsing from a heart attack, a body in an arroyo, a late-night attack—this Christmas season is certainly not filled with goodwill toward mankind. Under-sheriff Estelle Reyes-Guzman doesn’t miss a beat.

****The Aosawa Murders
By Riku Onda (2005), translated from the Japanese by Alison Watts – Newly published in English, the scenes in this prize-winning book are like a set of still lifes. Different points of view describe a crime in which 17 members of a single family were murdered, with only one survivor, a young blind woman. Gradually, the crime is pieced together. Lovely writing, stellar cover.

***False Light
By Claudia Riess (2019) – This is the second outing for amateur sleuths, art experts, and randy spouses Erika Shawn and Harrison Wheatley. Their challenge this time is to decipher a coded message from a famous art forger, now dead. Supposedly, it will identify some of his works masquerading in prestigious collections as the real thing. It’s a great set-up, and if you’re a fan of art world skullduggery, you may enjoy this, but I found the denouement implausible.

*****Breaking and Entering
By Jeremy N. Smith (2019) – Subtitled “the extraordinary story of a hacker called ‘alien,’” this is the nonfiction story of a woman’s career from her exploits as an MIT undergraduate through to her current role consulting with banks, government agencies, and others on security issues. Cybersecurity is their big concern, and she and her team are cyber experts, but they also routinely prove to clients that good old humanware can be their weakest link. Fascinating.

***Net Force: Dark Web

photo: openDemocracy, creative commons license

Jerome Priesler’s new techno-thriller, Net Force: Dark Web carries on a series created by the late Tom Clancy and Steve Pieczenik, but lacks the immersive, gotta-turn-the-page qualities of Clancy’s work. It’s certainly true that cybersecurity becomes more consequential by the day, but this book doesn’t make the case.

True to current thriller-writing style, it comprises short chapters of a few pages that skip around to cover the actions of a large number of players, among them: black hat hackers versus white hat hackers, corrupt African leaders, the President of the United States and her new cyber-initiative team, CIA and FBI operatives, parking garage attendants, and moms with kids. In other words, a lot. Too much, in fact. If an author expects to maintain your interest for around 700 pages, the length of the paperback version, at least some of those characters should be written in enough depth to make you care about them.

The story starts strong, with a prologue set in 2023 in Malta (why this was a “prologue” and not just Chapter 1, I don’t know, as it’s contemporaneous with the rest of the story and integral to it). A young woman who has something to do with software development flees through city streets, trailed not just by men in vehicles, but also by a drone following her every twist and turn.

Just as you’re rooting for her escape, in a nice reversal, she’s captured, and you learn her pursuers are CIA and she may not be one of the good guys after all. Then the action moves to Romania where black hat operators plan to use the woman’s clever software to take control of a wide array of computers. They probably can’t anticipate the full ramifications of their project, given the near-future pervasiveness of the Internet of Things. The CIA wants the woman’s help, but she’s resisting.

I won’t go into how all the other plot threads and descriptive elements merge with this set-up, except to say some of them don’t. The entire Africa plotline was extraneous to the story; deleting it would have reduced the page count. Likewise, Priesler describes every new character at length, whether they reappear or not. You may regret struggling to remember all those backstories.

What makes a techno-thriller work is confidence that the author has the technology down pat (good examples are Ghost Fleet or This is Gomorrah). Inevitably, a moment arrives when the author goes out on a limb, when you must suspend disbelief and just hang in, but I never reached that point of trust. As far as I can tell from his past works, Priesler has not written this type of book before, and it shows.

Photo: openDemocracy, creative commons license

Go Like Hell! On Screen

The new movie, Ford v Ferrari, is based on the exciting 2010 book, Go Like Hell: Ford, Ferrari, and Their Battle for Speed and Glory at Le Mans, by AJ Baime. The movie, directed by James Mangold, stars Matt Damon, Christian Bale, and Tracy Letts (trailer). It opened while I was in Egypt and audiences love it! (98% audience score on Rotten Tomatoes). Critics too: 91%.

I’ve listened to the book twice over the years. If the movie is as good as the book, it’s a must-see. It is for me, no matter what. Here’s my review of the book, read by Jones Allen.

Go Like Hell is the story of classic duels of machine and driver in the French countryside.There’s just enough biography of Henry Ford II (the Deuce) and Enzo Ferrari to understand the motivations of these two rivals, willing to stake their fortunes, their companies’ futures, and (all too often) their drivers’ lives on this grueling competition.

The Deuce believed—correctly—that supremacy in the racing circuit would lead to sales of Ford cars. The components that had to be developed to survive the 24-hour race at Le Mans were testaments to product reliability as well as power, and many advances originally developed for racing vehicles—such as independent suspensions, high-performance tires, disc brakes, and push-button starters—have found their way into passenger cars.

For Enzo Ferrari, whose interest in consumer cars was always secondary to racing, the point was being the world’s best and proving it in the world’s most prestigious and dangerous sports car race, Le Mans.

If you’re at all familiar with auto racing’s “golden age,” the big names are all here: Carroll Shelby, AJ Foyt, Dan Gurney, Phil Hill, John Surtees, Ken Miles, Bruce McLaren, and an upstart kid from Nazareth, Pennsylvania, who took the pole position in the Indianapolis 500 the year I saw that race, Mario Andretti. To get an idea of the speeds they achieve, Baime notes that at top speed, they complete the 100-yard distance of a football field in one second.

This was a fast, fun read that shifts between Dearborn, Shelby’s racing car development team working for Ford in Southern California, and Ferrari’s workshop in Maranello, Italy. For a Detroit girl like me, whose grandfather, father, and many uncles worked for the Ford Motor Company, it was a thrill a minute! But even for people who don’t get goosebumps when they hear those Formula One engines roar, Baime’s cinematic recreation of the classic Le Mans races of 1965, 66, and 67, with all their frustrations, excitement, and tragedy is a spectacular true story.

Times have changed, and these past automotive battles have faded. But, hope is on the horizon. According to a 5/22/15 Jordan Golson story in Wired, new rules under consideration “could make Formula One exciting again.” Yea to that!

This is Gomorrah

night sky, light pollution

By Tom Chatfield – The potentially nefarious capabilities of the Internet have seeped from science fiction to technothrillers to non-fiction to the morning news. Now comes a debut novel on the topic by someone who is not only a technology expert but an entertaining storyteller.

Azi Bellow is a 34-year-old hacker holed up in a garden shed in South London with a load of computer equipment, exploring the dark web. In Azi’s world, it’s hard to know whom to trust, but he does trust his online friend Sigma. She feels the same, and when she finds herself in trouble asks for Azi’s help. She’s assembled extensive evidence that 50 confirmed Islamic martyrs are not actually dead but have acquired new identities. Naturally, no security service is looking for them.

Sigma believes these terrorists obtained fake IDs from Gomorrah, the darkest corner of the dark web, but now she’s on the run. Almost immediately Azi’s inner sanctum is invaded by a woman named Anna who makes it clear that he must help Sigma or Anna will reveal his quasi-legal and illegal activities to the authorities.

Thus is a thrilling cat-and-mouse game launched, with the urgency of Sigma’s situation prying Azi out of the shed into the real world. They flee England, and later he seeks refuge in Athens and, finally, Silicon Valley. It’s hard to stay ahead of Gomorrah.

Chatfield’s writing is full of sly commentary on technology and human (mis)behavior that will leave you laughing, crying, or both. While Anna and her team aren’t very likeable, Azi is, along with his venal childhood friend Ad and the desperate Sigma. All are experts at manipulation and establishing “…a context within which someone’s only choice is to do what you want, even if (especially if) they believe the decision is up to them.”

Tom Chatfield is the author of several nonfiction books (and TED talks) exploring digital culture. He’s been a visiting associate at the Oxford Internet Institute and advises numerous organizations about technology and media. He was a launch columnist for BBC’s worldwide technology site, BBC Future. In the acknowledgements he says, “Unlike reality, fiction has an obligation to make sense.” And for most of This is Gomorrah, Chatfield’s constructed reality does make sense. By the time it becomes too crazy, you will have already decided to trust him and just go with it!

Photo: woodleywonderworks, creative commons license.

A Puzzle Puzzle

Don’t ask me why these pictures are upside down. They are correct on my WordPress editing screen! ?

This jigsaw puzzle has been calling me since I received it as a gift last year. It depicts Thomas Moran’s famous painting, The Grand Canyon of the Yellowstone, which our family had just seen. Moran’s Yellowstone paintings were so admired, they helped lead to the declaration and preservation of Yellowstone as the first national park in the United States and, probably, the world.

And, here is the completed puzzle. Perhaps you’re struck with how different it is from the painting, how much redder and, in person, how much darker. All those murky reddish blacks on the right, those murky greenish blacks on the left (hidden by the light reflection), those murky blacks, and acres of taupe. Granted it’s weird, but I don’t consult the box when assembling a puzzle, just to make it that little bit harder; in this case, the picture on the box wouldn’t have been much help. But maybe it holds a clue to why the difference between the picture and the pieces. Oh, yes. Here it is: “Printed in China.”

Perhaps it wasn’t merely printed in China. Perhaps it was also cut with a jigsaw in China, its 1000 pieces disassembled, and 1001 of them sealed in their plastic bag. That would go a ways to solving another puzzle. See that extra blue piece? It’s a dupe. If you’re working on this puzzle and missing a bit of sky, I have it.

At the same time, you may have noticed the finished puzzle is missing three pieces. I have three pieces left over. But they don’t fit those spots. Maybe they’re dupes too. In the hundred or so puzzles I’ve assembled in my lifetime, I have never seen this before.

Where was quality control? Did the manufacturer think bagging up any old 1000 (or 1001, in this case) pieces would be good enough? After all, wasn’t that a 99.6% accuracy rate?

I realize that a jigsaw puzzle is not a fate-of-the-world consumer item, but you have to wonder about a mindset that allows the sloppy handling of something so simple, yet precise, and what happens when something critical, yet precise, isn’t quite right. Like a component for your driverless car or nuclear power plant or corporate computer system. I think we know the answer to that.

In the movie Puzzle, the character Agnes says the rewarding thing about doing a jigsaw puzzle is, when you get to the end, you know you’ve made “all the right choices.” The folks involved in the supply chain for this product did just the opposite.