From My Palantir Archive: Security
May 27, 2016
I was curious about my notes about Palantir and its security capabilities. I have some digital and paper files. I print out some items and tuck them in a folder labeled “Hobbits.” In my Hobbit folder was:
Q.&A.: Guarding Personal Data From Abuse by Insiders, October 14, 2015
You may be able to locate a copy of this story by searching the New York Times or by going to your local library and using its OPAC. If that doesn’t work, you may have to delve into the flagging world of commercial databases.
In the write up, I noticed that I had circled in tell-the-truth blue this passage:
For privacy, the main worry may not be hackers as much as bad actions by authorized users. A useful concept in information system architecture is accountability oversight. Flagging people who misuse things. Revealing private things only by degree. Having access controls.
I thought of this because Buzzfeed has published a couple of write ups based on Palantir’s own information. Presumably the information could not have come from insiders because Palantir’s own security professional referenced the firm’s auditing capability.
The idea, as I understand it, is that one can use Palantir’s logs to “walk back the cat” and identify a person or persons who might have taken an action to reveal company information.
I also circled:
When a data breach is exposed, it’s a discrete event. You know what will happen, for the most part. Marketing is directed at a lifestyle.
Yeah, but Buzzfeed has published two articles and both struck me as deriving factoids from different sources.
With Socom embracing Palantir for maybe three years, my question is, “Does Palantir have safeguards in place which will make a third Buzzfeed type article a low probability or 0.000001 event?”
Yikes, two articles based on what may be leaked internal information. What happens if sensitive military information goes walkabout?
I assume there is no such thing as a Hobbit alert? I need to read The Architecture of Privacy, an O’Reilly book written by Palantirians or Hobbits. I hope this is not a do-as-I-say, not a do-as-I-do thing.
Stephen E Arnold, May 27, 2016
Paid Posts and PageRank
May 27, 2016
Google users rely on the search engine’s quality-assurance algorithm, PageRank, to serve up the links most relevant to their query. Blogger and Google engineer Matt Cutts declares, reasonably enough, that “Paid Posts Should Not Affect Search Engines.” His employer, on the other hand, has long disagreed with this stance. Cutts concedes:
“We do take the subject of paid posts seriously and take action on them. In fact, we recently finished going through hundreds of ‘empty review’ reports — thank you for that feedback! That means that now is a great time to send us reports of link buyers or sellers that violate our guidelines. We use that information to improve our algorithms, but we also look through that feedback manually to find and follow leads.”
Well, that’s nice to know. However, Cutts emphasizes, no matter how rigorous the quality assurance, there is good reason users may not want paid posts to make it through PageRank at all. He explains:
“If you are searching for information about brain cancer or radiosurgery, you probably don’t want a company buying links in an attempt to show up higher in search engines. Other paid posts might not be as starkly life-or-death, but they can still pollute the ecology of the web. Marshall Kirkpatrick makes a similar point over at ReadWriteWeb. His argument is as simple as it is short: ‘Blogging is a beautiful thing. The prospect of this young media being overrun with “pay for play” pseudo-shilling is not an attractive one to us.’ I really can’t think of a better way to say it, so I’ll stop there.”
Cynthia Murrell, May 27, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Open Source Software Needs a Micro-Payment Program
May 27, 2016
Open source software is an excellent idea, because it allows programmers across the globe to share and contribute to the same project. It also creates a think-tank-like environment that can be applied (arguably) to any tech field. There is a downside to open source and creative commons software, and that is that it is not a sustainable model. Open Source Everything For The 21st Century discusses the issue in its post “Robert Steele: Should Open Source Code Have A PayPal Address & AON Sliding Scale Rate Sheet?”
The post explains that open source delivers an unclear message about how code is generated: it comes from the greater whole rather than from a few people. It also is not sustainable, because people need funds to survive as well as to maintain the open source software. Fair Source is a reasonable solution: users are charged if the software is used at a company with fifteen or more employees, but it too is not sustainable.
Micro-payments, small payments of a few cents, might be the ultimate solution. Robert Steele wrote that:
“I see the need for bits of code to have embedded within them both a PayPal-like address able to handle micro-payments (fractions of a cent), and a CISCO-like Application Oriented Network (AON) rules and rate sheet that can be updated globally with financial-level latency (which is to say, instantly) and full transparency. Some standards should be set for payment scales, e.g. 10 employees, 100, 1000 and up; such that a package of code with X number of coders will automatically begin to generate PayPal payments to the individual coders when the package hits N use cases within Z organizational or network structures.”
Micro-payments are not a bad idea, and they have occasionally been put into practice, but not very widely. No one has really pioneered an effective system for them.
Steele is also an advocate for “…Internet access and individual access to code is a human right, devising new rules for a sharing economy in which code is a cost of doing business at a fractional level in comparison to legacy proprietary code — between 1% and 10% of what is paid now.”
It is the ideal version of the Internet, where people are able to make money from their content and creations, users’ privacy is maintained, and ethics are respected. The current trouble with YouTube channels and copyright comes to mind, as does stolen information sold on the Dark Web and the desire to eradicate online bullying.
Whitney Grace, May 27, 2016
Erdogan Government Cracks down on Turkish Media
May 26, 2016
The Turkish government has been forcibly seizing and intimidating the nation’s media, we learn from “Erdogan’s Latest Media Takeover is About More than Just One Newspaper” at Mashable. Is this the future of publishing?
Turkish police fought protesters and manhandled journalists as the government wrested control of Zaman, Turkey’s most popular newspaper and, as journalist Suna Vidinli puts it, the country’s “last remaining effective voice of criticism in the press.” She continues:
“President Erdogan had long planned to take over Zaman as the paper was affiliated with Gulen Group, his main remaining adversary in his quest for absolute power. Earlier in the week, the Turkish Supreme Court — in a surprising and rare move — had released two top editors of Cumhuriyet, Can Dundar and Erdem Gul, from prison. They were imprisoned for writing about the illegal trafficking of weapons to radicals in Syria.
“Erdogan saw their release as a direct move against his authority and vowed to show who was boss. He signaled that the two journalists would be put back in prison soon and declared ‘things can get shaky in the following days.’ Hence, the takeover of Zaman was carefully planned as the most brutal confiscation of media to date in Turkish history.
“The confiscation of Zaman media group highlights some critical developments in Turkey. The government immediately took the media group offline, and a special tech team was brought in to completely wipe out the news archive and web content of the newspaper.”
The Cihan News Agency was also included in the seizure, a group we learn was the only non-governmental organization to monitor Turkish exit polls to ensure fair elections. The article notes that the remaining independent media in Turkey seem to have been effectively cowed, since none of them reported on the violent takeover. Governments, media groups, and human rights organizations around the world condemned the seizure; the U.S. State Department called Turkey’s pattern of media suppression “troubling.” We couldn’t agree more.
Cynthia Murrell, May 26, 2016
China Reportedly Planning Its Own Precrime System
May 25, 2016
Some of us consider the movie Minority Report to be a cautionary tale, but apparently the Chinese government sees it as more of a good suggestion. According to eTeknix, that country seems to be planning a crime-prediction unit similar to the one in the movie, except this one will use algorithms instead of psychics. We learn about the initiative from the brief write-up, “China Creating ‘Precrime’ System.” Writer Gareth Andrews informs us:
“The movie Minority Report posed an interesting question to people: if you knew that someone was going to commit a crime, would you be able to charge them for it before it even happens? If we knew you were going to pirate a video game when it goes online, does that mean we can charge you for stealing the game before you’ve even done it?
“China is looking to do just that by creating a ‘unified information environment’ where every piece of information about you would tell the authorities just what you normally do. Decide you want to do something today and it could be an indication that you are about to commit or already have committed a criminal activity.
“With machine learning and artificial intelligence being at the core of the project, predicting your activities and finding something which ‘deviates from the norm’ can be difficult for even a person to figure out. When the new system goes live, being flagged up to the authorities would be as simple as making a few purchases online….”
Indeed. Today’s tech is being used to gradually erode privacy rights around the world, all in the name of security. There is a scene in Minority Report that has stuck with me: citizens in an apartment building are shown pausing their activities to passively accept the intrusion of spider-like spy-bots into their homes, upon their very faces even, then resuming where they left off as if such an incursion were perfectly normal. If we do not pay attention, one day it may become so.
Cynthia Murrell, May 25, 2016
Palantir: Information Leaks from Secret Outfit?
May 24, 2016
I read “Palantir To Buy Up To $225 Million Of Stock From Employees.” I am not too interested in a company trying to provide cash to workers who have to buy food in Sillycon Valley. The main point of the write up from my vantage point in wide open Harrod’s Creek is that the source of the information is a memo. I assume that outfits providing certain government agencies with services some are not supposed to know about or talk about are watertight.
Guess not.
Here’s the passage I highlighted in “loose lips sink ships” red:
The so-called “liquidity event” will be held at a price of $7.40 per share, Palantir said in a memo to staff that was obtained by BuzzFeed News.
Yo, dudes, passive voice. How? Some color, please. Also, who exactly is leaking or hacking what? Was this an encrypted message, or a clear text message on a password protected system? Was the message sent using a special “channel” available to some government contractors?
Several questions fluttered through my mind this fine May morning:
- What is Palantir doing which allows memos to find their way into the outside world?
- What about the security for some of the projects which Palantir pursues for certain government agencies?
- If Palantir itself is leaking information into Sillycon Valley channels, what’s up with the firm’s management?
- Is governance an issue at Palantir post i2 and post HBGary?
I have a compendium of 100 pages of Palantir information I have compiled from open sources. I cannot recall an internal document in my collection of research. I may offer this round up of Palantirist factoids and opinion in a for fee Cliff’s Notes-type of PDF. Want a copy? Write benkent2020@yahoo.com, please.
What’s changed at Palantir Technologies, home of the Hobbits, keeper of the seeing stone? Perhaps the seeing stone cannot perceive security issues as well as some assert. The situation reminds me of my comments to the Google about the flow of information about its projects which found its way into open source channels. The Googler with whom I spoke seemed indifferent to the issue. I concluded, “Hey, that stuff does not happen to Google.”
Right.
Stephen E Arnold, May 24, 2016
Listen Up. Hear and Know Enables Information Access in an Innovative Way
May 18, 2016
Improbable as it sounds, I found myself a short distance from the offices once housing the Exalead search company. Once I used Google Maps to find my way from Opéra to the Rue Royale where Exalead had its office. GPS did not do the job. Exalead was located next to a food shop behind intrepid Parisians who parked their Smart Cars, bicycles, and motos on the sidewalk.
On this trip to Paris I was going to learn about a company with technology that performed some GPS type functions without GPS.
Instead of search, the company Hear and Know developed systems and methods to have information flow directly to a person who needs to know who, what, where, and when events take place. This is practical, real time, and actionable information. None of that keyword search and fuzzy geo-location implementation.
Like Google, Exalead was anchored in the world of Alta Vista, Hotbot, and Lycos. A failure to recognize the impact of mobility, pervasive connectivity, and an insatiable appetite for gizmos or firmware that leapfrog the keyword approach locked the door on traditional search. At the same time, mobile and wireless kicked open the door to new ways of thinking about information: here and now, real time, flows, and the potential of embedding smart technology in miniaturized components.
Times change.
On the dot, Jean Philippe Lelièvre, founder of Hear and Know, walked in the door of my so-so hotel not far from the Madeleine metro stop in Paris. M. Lelièvre sat down, ordered a Badoit, and reminded me that he and I had met at a conference in a country soon to be named “Czechia.”
With my studied Kentucky suaveness, I asked: “What’s up?”
The answer was that Lelièvre’s company continues to attract customers from government sectors as well as commercial operations. Hear and Know works in the technical space described as “radio solutions for traceability and security.” Founded in 2012, Hear and Know tackled the problem of imprecise location of objects like cargo or persons of interest. GPS is okay for finding one’s way to Opéra from Madeleine to the Sorbonne. For many information tasks more precise geo-location coordinates are necessary. Examples include tracking shipments of nuclear material, persons of interest, individual packages within containers, fire and rescue, and myriad other use cases. GPS is okay, just not as precise as many assume.
The company’s technology is built around a miniature radio transmitter which fulfills requirements of traceability, geolocation, and secure data transmission through authentication and encryption. The system transmits its ID. The “tag” allows the user to find the asset, the vehicle, the person or the package to which the miniaturized component is attached. The firm’s engineers have designed the device to perform other functions; for example, sensing temperature, pressure, and audio. What makes the hardware interesting is that a Hear and Know device can function as what Lelièvre calls an “effector.” I interpreted the concept as making a Hear and Know device function as an “alarm” or a signaling device for another hardware or software system.
In addition to tracking hardware and firmware, the company called Hear and Know has a database system which sends out emails and SMS alerts to inform the team tracking an object of interest exactly where that said object is in real time. Based on my concerns about the precision of GPS centric systems, I wanted to understand the Hear and Know approach. (Yes, “hear” refers to the company’s approach to capturing audio.)
In my talk with Lelièvre we did not discuss military applications of the company’s technology. During my flight from Paris to Kentucky, I thought about the value of embedding Lelièvre’s devices into weapon systems. If those weapon systems find themselves “out of bounds,” the devices can activate a disabling mechanism of some type. A smart weapon that becomes stupid without the intervention of a human struck me as an application worth moving to a prototype.
Lelièvre described a use case in which Hear and Know’s radios are deployed for a person of interest. The locations and other details flow into the Hear and Know data center and allow an investigator to formulate a statement of fact along the lines:
John Doe was on MM/DD/2016 at HOUR:MINUTE at the address LATITUDE/LONGITUDE.
Another application is the use of the Hear and Know devices to monitor individuals with a medical condition; for example, tracking a family member with Lyme disease allows the family to know that person’s location and support them if help is needed.
These data can be displayed on a map in the same way Geofeedia presents tweets or Palantir shows the location of improvised explosive devices. The difference is that Hear and Know provides:
- Nearly undetectable radio form factors
- Adjustable transmission frequencies
- Multi-month operational autonomy
- Email and SMS alerts about location of tracked object or person.
Hear and Know has remarkable technology. At this time, the company is best known in Europe. Its customers include:
- Atos
- BPIFrance
- Esiglec
- Mov’eo
- Thales
US law enforcement, intelligence, and commercial enterprises are wrestling with pinpoint tracking in real time. My view is that the Hear and Know technology might lead to some hefty revenue opportunities. The company has begun to probe the US market. In January 2016, Hear and Know received a silver medal certificate for innovation at the Consumer Electronics Show in Las Vegas.
Hear and Know will be participating in the Pioneers festival in Vienna May 23 to 25, 2016 and in the Connected Conference in Paris, May 25 to 27, 2016. This summer, their next step will be looking for partners and funding in the US.
To contact Hear and Know, write sales@hearandknow.eu.
Stephen E Arnold, May 18, 2016
Google Moonshot Targets Disease Management, but Might Face Obstacle with Google Management Methods
May 17, 2016
The article on STAT titled “Google’s Bold Bid to Transform Medicine Hits Turbulence Under a Divisive CEO” explores Google management methods for one of its “moonshot” projects. Namely, the massive company has directed its considerable resources toward overhauling medicine. Verily Life Sciences is the three-year-old startup with a mysterious mission and a controversial leader in Andrew Conrad. So far, roughly a dozen Verily players have abandoned the project.
“But ‘if they are getting off the roller coaster before it gets to the first dip,’ something looks seriously wrong, said Rob Enderle, a technology analyst who has tracked Google since its inception. Those who depart well-financed startups usually forsake potential financial windfalls down the line, which further suggests that the people leaving Verily ‘are losing confidence in the leadership,’ he said. No similar brain drain has occurred at Calico, another ambitious Google spinoff, which is focused on increasing the human lifespan.”
Given the scope of the Verily project, which Sergey Brin, Google co-founder, announced that he hoped would significantly change the way we identify, avoid, and handle illness, perhaps Conrad is cracking under the stress. He has maintained complete radio silence and rumors abound that his employees operate under threat of termination for speaking to a reporter.
Chelsea Kerwin, May 17, 2016
Anonymous Hacks Turkish Cops
May 16, 2016
Anonymous has struck again, this time hacking the Turkish General Directorate of Security (EGM) in its crusade against corruption. The International Business Times reports, “Anonymous: Hacker Unleashes 17.8 GB Trove of Data from a Turkish National Police Server.” It is believed that the hacker responsible is ROR[RG], who was also deemed responsible for last year’s Adult Friend Finder breach. The MySQL-friendly files are now available for download at TheCthulhu website, which seems to be making a habit of posting hacked police data.
Why has Anonymous targeted Turkey? Reporter Jason Murdock writes:
“Anonymous has an established history with carrying out cyberattacks against Turkey. In 2015 the group, which is made up of a loose collection of hackers and hacktivists from across the globe, officially ‘declared war’ on the country. In a video statement, the collective accused Turkish President Recep Tayyip Erdoğan’s government of supporting the Islamic State (Isis), also known as Daesh.
“‘Turkey is supporting Daesh by buying oil from them, and hospitalising their fighters,’ said a masked spokesperson at the time. ‘We won’t accept that Erdogan, the leader of Turkey, will help Isis any longer. If you don’t stop supporting Isis, we will continue attacking your internet […] stop this insanity now Turkey. Your fate is in your own hands.’”
We wonder how Turkey will respond to this breach, and what nuggets of troublesome information will be revealed. We are also curious to see what Anonymous does next; stay tuned.
Cynthia Murrell, May 16, 2016
Facebook and Law Enforcement in Cahoots
May 13, 2016
Did you know that Facebook combs your content for criminal intent? American Intelligence Report reveals, “Facebook Monitors Your Private Messages and Photos for Criminal Activity, Reports them to Police.” Naturally, software is the first entity to scan content, using keywords and key phrases to flag items for human follow-up. Of particular interest are “loose” relationships. Reporter Kristan T. Harris writes:
“Reuters’ interview with the security officer explains, Facebook’s software focuses on conversations between members who have a loose relationship on the social network. For example, if two users aren’t friends, only recently became friends, have no mutual friends, interact with each other very little, have a significant age difference, and/or are located far from each other, the tool pays particular attention.
“The scanning program looks for certain phrases found in previously obtained chat records from criminals, including sexual predators (because of the Reuters story, we know of at least one alleged child predator who is being brought before the courts as a direct result of Facebook’s chat scanning). The relationship analysis and phrase material have to add up before a Facebook employee actually looks at communications and makes the final decision of whether to ping the authorities.
“‘We’ve never wanted to set up an environment where we have employees looking at private communications, so it’s really important that we use technology that has a very low false-positive rate,’ Sullivan told Reuters.”
Uh-huh. So, one alleged predator has been caught. We’re told potential murder suspects have also been identified this way, with one case awash in 62 pages of Facebook-based evidence. Justice is a good thing, but Harris notes that most people will be uncomfortable with the idea of Facebook monitoring their communications. She goes on to wonder where this will lead; will it eventually be applied to misdemeanors and even, perhaps, to “thought crimes”?
Users of any social media platform must understand that anything they post could eventually be seen by anyone. Privacy policies can be updated without notice, and changes can apply to old as well as new data. And, of course, hackers are always lurking about. I was once cautioned to imagine that anything I post online I might as well be shouting on a public street; that advice has served me well.
Cynthia Murrell, May 13, 2016