Monday, November 24, 2014

Book Review: Spam Nation: The Inside Story of Organized Cybercrime - from Global Epidemic to Your Front Door (2014) by Brian Krebs

Executive Summary

In Spam Nation, Brian Krebs covers a key portion of our cyber security and cyber crime history: 2007–2013, that period when we started to learn about the Russian Business Network, bulletproof-hosting providers, fast-flux obfuscation, criminal best business practices, underground cyber crime forums, and strange-sounding botnet names like Conficker, Rustock, Storm, and Waledac. This period just happens to coincide with Krebs’s rise in popularity as one of the leading cyber security journalists in the industry. His relationship with two competitive pharmaceutical spammers—Pavel Vrublevsky and Dimitry Nechvolod—is a big bag of crazy and is the key storyline throughout the book. The competition between Vrublevsky and Nechvolod escalated into something that Krebs calls the Pharma Wars and Krebs gives us a bird’s-eye view into the details of that escalation that eventually destroyed both men and the industry they helped to create. Krebs’s weird symbiotic relationship with Vrublevsky is worth the read by itself. Spam Nation is definitely a cyber security canon candidate, and you should have read this by now.


I have been a fan of Brian Krebs for many years. His blog, Krebs on Security, has been a mainstay of my recurring reading list since he started it in 2010, and even before that when he was writing for The Washington Post. Since he struck out on his own, he has carved out a new kind of journalism that many reporters are watching to see how they might duplicate it themselves as journalism transitions from dead-tree printing to new media. Krebs’s beat is cyber security, and he is the leading journalistic authority on the underbelly of cyber crime. Spam Nation is a retelling—with more detail and more color—of some of the stories he covered from 2007 until about 2013 on a very specific sub-element of the cyber crime industry called pharmaceutical spam.

Many security practitioners will hear the phrase “pharmaceutical spam” and immediately start to nod off. Of all the problems they encounter on a daily basis, pharmaceutical spam is pretty low on the priority list. While that may be true, this subset of cyber crime is responsible for starting and maturing many of the trappings that we associate with cyber crime in general: botnet engines, fast-flux obfuscation, spamming, underground forums, cyber crime markets, good service as a distinguisher of criminal support services, and bulletproof-hosting providers.

The Story

The story really begins with Krebs’s weird symbiotic relationship with Vrublevsky (a.k.a. RedEye and Despduck). Vrublevsky was a Russian businessman and cofounder and former CEO of ChronoPay, the infamous credit card processing company that initially got started in the rogue anti-virus industry. I think it is safe to say that in his heyday, Vrublevsky was a bit of an extrovert. He followed Krebs’s blog religiously and would instigate long conversations with Krebs on stories that were fantastical, true, and everything in between. Vrublevsky would feed Krebs half-truths about what was going on in the industry and leave it to Krebs to sort them out. Vrublevsky’s downfall was his deteriorating relationship with his former partner, Dimitry Nechvolod (a.k.a. Gugle).

Vrublevsky and Nechvolod founded ChronoPay together in 2003, but by 2006, Nechvolod had left the company to pursue his own interests. He started two pharmacy spam operations called GlavMed and SpamIT. Because of the competition between these two men, the situation escalated out of control to something that Krebs calls the Pharma Wars, which ultimately scuttled the entire pharmaceutical spam industry, not just Vrublevsky and Nechvolod’s operations, but everybody else’s too. 

Krebs’s main sources of information for this book came from leaked customer and operational databases from these two men. Although Vrublevsky and Nechvolod never admitted it, they both stole the other’s data and leaked it to Krebs. Krebs had many conversations with both Vrublevsky and Nechvolod about their side of the story, and Krebs even traveled to Moscow to interview Vrublevsky personally. From these conversations and other research done by Krebs, we get an inside view of how cyber crime operates in the real world. 

Krebs set himself seven research questions:

  • Who is buying the stuff advertised in spam and why?
  • Are the drugs real or fake?
  • Who profits?
  • Why does the legitimate pharmaceutical industry seem powerless to stop it?
  • Why is it easy to pay for the drugs with credit cards?
  • Do customers have their credit card accounts hacked after buying?
  • What can consumers, policy makers, and law enforcement do [about this cybercrime]?
For the most part, he answers all these questions. I will not spill the answers here, but I will tell you that I was surprised by every single one. I thought I knew this stuff, but Krebs provides the insight and research to make you re-evaluate what you think you know about illegal pharmaceutical spam operations.

Spam Nation is about Brian Krebs’s story too. Traditional journalists reading this book are going to hate the fact that he plays a key role in most everything he talks about in it. His original reporting on bulletproof-hosting providers operating in the US and elsewhere—the Russian Business Network (RBN), Atrivo, and McColo—became the catalyst that eventually got them shut down. This got him noticed by Vrublevsky and started the weird relationship that ultimately led to Krebs receiving the databases from Vrublevsky and Nechvolod. It also led him to leave The Washington Post and to start his Krebs on Security blog.

In the background, Krebs introduces us to the key players involved in the development and operations of some of the most infamous botnets that have hit the Internet community in recent history:

  • Conficker worm (author: Severa; infected 9-15 million computers)
  • Cutwail botnet (authors: Dimitry Nechvolod (Gugle) and Igor Vishnevsky; 125,000 infected computers; spewed 16 billion spam messages a day)
  • Grum botnet (author: GeRA; spewed 18 billion e-mails a day)
  • Festi botnet (operators: Artimovich brothers; delivered one-third of the total amount of worldwide spam)
  • Rustock botnet (author: COSMA; infected 150,000 PCs; spewed 30 billion spam messages a day)
  • Storm botnet (author: Severa)
  • Waledac botnet (author: Severa; spewed 1.5 billion junk e-mails a day)
From my reading, the unintentional hero of Krebs’s story is Microsoft. While Vrublevsky and Nechvolod were tearing each other apart and Krebs was trying to sift through what was true and what was not, Microsoft and other commercial, academic, and government organizations were quietly dismantling the infrastructure that these and other illicit operations depended on:

  • June 2009: 15,000 illicit websites go dark at 3FN after the Federal Trade Commission convinced a northern California judge that 3FN was a black-hat service provider. NASA did the forensics work.
  • November 2009: FireEye takes down the Mega-D botnet.
  • January 2010: Neustar takes control of the Lethic spam botnet.
  • March 2010: Microsoft takes down the Waledac botnet.
  • October 2010: Armenian authorities take down the Bredolab botnet.
  • March 2011: Microsoft takes down the Rustock botnet.
  • July 2011: Microsoft offers a $250,000 reward for information leading to the arrest and conviction of the Rustock botmaster.
  • July 2012: FireEye and Spamhaus take down the Grum botnet.
  • July 2013: Microsoft and the FBI take down 1,400 botnets using the Citadel malware to control infected PCs.
  • December 2013: Microsoft and the FBI take down the ZeroAccess botnet.
  • June 2014: The FBI takes down the Gameover Zeus botnet.
One takedown masterstroke came out of academia. George Mason University, the International Computer Science Institute, the University of California, San Diego, and Microsoft determined that 95 percent of all spam credit card processing was handled by three financial firms: one in Azerbaijan, one in Denmark, and one in Nevis (West Indies). They also pointed out that these financial firms were in violation of Visa’s own Global Brand Protection Program contract that required fines of $25,000 for transactions supporting the sale of Viagra, Cialis, and Levitra. Once Visa started levying fines, the financial firms stopped processing the transactions. The beauty of this takedown was that this was not a legal maneuver through the courts and law enforcement. It merely encouraged Visa to follow its own policy.

Cyber Crime Business Operations

For me, one of the most enjoyable parts of Spam Nation is the insight on how these criminal organizations operate. For example, Krebs highlights why pharmaceutical operations have great customer support: they want to avoid the penalty fees associated with a transaction when a buyer of illicit pills charges them with fraud. These are called chargebacks, and pharmaceutical customer support operations avoid them like the plague. These support operations require teams of software developers and technical support staff to be available 24/7.

Pharmaceutical operations have mature anti-fraud measures—equivalent to any legitimate bank’s anti-fraud measures—because they need to keep law enforcement and security researchers out of their business.

Most spammers do not make a lot of money. The top five do, but not everybody else. Krebs points out that it takes a multibillion dollar security industry to defend against a collection of criminals who are making a living wage.

In terms of botnet management, operators rent out top-earning botnets to other operators who do not have the skill to build a botnet themselves. Renters purchase installs and seed a prearranged number of bots with an additional malicious program that sends spam for the affiliate. They pay the rent by diverting a portion of their commissions on each pill sale from spam. Sometimes, that commission is as high as 50 percent. That is why the small-timers do not make any money.

Operators launder their money in a process called factoring. They map their client transactions into accounts on behalf of previously established shell companies. They tell the banks that the shell companies are the true customers. Then the operators pay the clients out of their own pockets.

Russian law allows FSB agents (Federal Security Service, the successor to the Soviet Union’s KGB), while remaining in the service, to be assigned to work at enterprises and organizations with the consent of their directors. Twenty percent of FSB officers are engaged in this protection business, called “krysha” in Russian, which means “roof,” and pharmaceutical spam operations use them as much as possible.

Partnerships, called partnerkas, between spammers and dodgy advertisers that act as an intermediary for potential sponsors are essential. In this way, sponsors keep their distance from the illicit aspects of the spam business and can unplug from one partnerka in favor of another whenever they want. Some refer to this as organized crime (think The Godfather), but it is more like a loosely affiliated network of independent operators.

With all of these best business practices, you can see why the operators do not see themselves as criminals. They are just businesspeople trying to run a business.

The Tech

Cyber crime runs on technology. In the pharmaceutical spam business, some tech is unique, and other tech is shared with other kinds of cyber crime operations. Unique to pharmaceutical spam is a technique called black search engine optimization (Black SEO). Pharmaceutical spammers hack legitimate websites and insert hidden pages (IFrames) stuffed with links to pharmaceutical websites. The more of those links the common search engines like Google and Bing index, the higher the pharmaceutical sites rank when normal users search for pills online.
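As an added, defender-side illustration (not code from the book or from Krebs), here is a small Python scanner for the injected markup the paragraph describes: iframes and links placed inside display:none containers, one-pixel boxes, or off-screen positioning that a visitor never sees but a search-engine crawler still indexes. The sample page, the heuristics, and the hostnames (pills-store.example, pharma-links.example) are all constructed for the example.

```python
"""Flag links and iframes hidden from visitors but visible to search-engine crawlers.

Added, defender-side example; not code from Spam Nation or from Brian Krebs.
Heuristics used (and only these): display:none, visibility:hidden, far
off-screen positioning, the HTML `hidden` attribute, and 0/1-pixel boxes.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
TINY = {"0", "1", "0px", "1px"}
# Void elements never get an end tag, so they must not be pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


def _is_hidden(attrs):
    """True if this element's own attributes hide it from a human reader."""
    a = dict(attrs)
    if "hidden" in a or HIDDEN_STYLE.search(a.get("style") or ""):
        return True
    return a.get("width") in TINY or a.get("height") in TINY


class HiddenLinkScanner(HTMLParser):
    """Walks the document, tracking whether any open ancestor is hidden."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.stack = []      # one bool per open element: hidden by its own attrs?
        self.findings = []   # (tag, url, reason)

    def handle_starttag(self, tag, attrs):
        hidden = _is_hidden(attrs)
        inside_hidden = hidden or any(self.stack)
        a = dict(attrs)
        if tag == "iframe" and inside_hidden:
            self.findings.append(("iframe", a.get("src") or "", "hidden iframe"))
        elif tag == "a" and inside_hidden:
            href = a.get("href") or ""
            host = urlparse(href).netloc.lower()
            # Internal links in a collapsed menu are normal; off-site links in
            # hidden markup are the black-SEO signature, so only those are reported.
            if host and host != self.page_host:
                self.findings.append(("a", href, "external link in hidden block"))
        if tag not in VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        # Stray end tags in sloppy markup can desync the stack; that is the
        # price of a heuristic instead of a full HTML5 tree builder.
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID:
            self.handle_endtag(tag)


def scan_html(html, page_host):
    """Return a list of (tag, url, reason) findings for one page."""
    scanner = HiddenLinkScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a benign page with an injected hidden block and a 1x1 iframe.
SAMPLE_PAGE = """<html><body>
<h1>Community Garden Club</h1>
<p>See <a href="https://example.com/events">our events page</a> or
<a href="https://partner.example.org/">our partner</a>.</p>
<div style="display:none">
  <a href="http://pills-store.example/viagra">cheap pills</a>
  <a href="http://pills-store.example/cialis">more pills</a>
</div>
<iframe src="http://pharma-links.example/links.html" width="1" height="1"></iframe>
<img src="logo.png"><br>
<div hidden><a href="/about">About us</a></div>
</body></html>"""

if __name__ == "__main__":
    for tag, url, reason in scan_html(SAMPLE_PAGE, "example.com"):
        print(f"{reason:32} <{tag}> {url}")
```

Run it over saved copies of your own pages after every content change or on a schedule; a diff of the findings between runs is a cheap injection alarm. The heuristics are deliberately narrow, so an empty result is not a clean bill of health.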

Also unique to the pharmaceutical spam business is a good spam ecosystem. It must have the ability to keep track of how many e-mails the system delivered and how many recipients clicked the link. It must scrub e-mail addresses that are no longer active or are obvious decoys and harvest new e-mail addresses for future operations.

Not unique to pharmaceutical spam are the forums. Forums are the glue that allows the loosely affiliated network of independent operators to communicate with each other. Forums are a place that allows newbies an opportunity to establish a reputation and lowers the barriers to entry for a life of cyber crime. There are forums for every language, but most are in English. Members enforce a strict code of ethics so that members who are caught cheating other members are quickly banned. Social networking rankings give members a way to evaluate potential partners. A single negative post may cost an individual thousands of dollars. Because of that, most amicably resolve issues. Sometimes newbies get labeled as a “deer,” members who unintentionally break one of the forum’s rules. More-serious infractions might find a member in the blacklist subforum defending himself or herself from fraud allegations.

New forums start all the time, but some have been in existence for more than a decade, indicating process maturity for self-policing, networking, and rapid information sharing. New forums allow open registration, but mature forums set up various hurdles for membership that are designed to screen out law enforcement and hangers-on. Most have sub-rooms for specialization such as the following:

  • Spam
  • Cyber banking fraud
  • Bank account cash-out schemes
  • Malicious software development
  • ID theft
  • Credit card fraud
  • Confidence scams
  • Black SEO
Forums have many members (tens of thousands in some), but they exist to make money for the administrators. Admins offer additional services to improve the user experience. They offer escrow services—a small percentage of the transaction cost held until both sides agree that the other held up its end of the bargain—and stickies—ads that stay at the top of their sub-forums that range in price from $100 to $1,000 per month.


In Spam Nation, Brian Krebs covers a key portion of our cyber security and cyber crime history: 2007–2013, that period when we started to learn about the Russian Business Network, bulletproof-hosting providers, fast-flux obfuscation, criminal best business practices, underground cyber crime forums, and strange-sounding botnet names like Conficker, Cutwail, Grum, Festi, Rustock, Storm, and Waledac. This period just happens to coincide with Krebs’s rise in popularity as one of the leading cyber security journalists in the industry. His story, and the story of two competitive pharmaceutical spammers who eventually destroyed the lucrative moneymaking scheme for all players, is a fascinating read. It is definitely a cyber security canon candidate, and you should have read this by now.

Tuesday, November 11, 2014

Book Review: The Practice of Network Security Monitoring: Understanding Incident Detection and Response (2013) by Richard Bejtlich

Executive Summary

Richard Bejtlich is one of the most respected security practitioners in the community. If he publishes something, we should all take notice. In The Practice of Network Security Monitoring, Bejtlich provides the theory and the hands-on tutorial on how to do network security monitoring the right way. The book is a primer on how to think about network security monitoring and incident response. 
For seasoned security practitioners, working through the examples in this book will only increase your understanding of the subject. For the beginners in the crowd, Bejtlich provides step-by-step instructions on how to install, configure, and use some of the best open-source tools available that will help any security program improve its network security monitoring capability. Newbies working through the examples in this book will demonstrate to themselves, once and for all, whether they have what it takes to work in this field. This book is absolutely a Cybersecurity Canon Candidate, and you should have read it by now.


I have been a fan of Bejtlich for a long time. He has been a cyber security book reviewer for many years and he was the inspiration for me to start doing my own book reviews. He is a no-nonsense kind of guy and has been practicing and advancing the craft of network security monitoring and incident response since he started in the industry as a US Air Force officer in 1998. Since then, he has risen in the ranks at some prominent security-minded companies—Foundstone, ManTech, and GE—and today he is the chief security strategist for FireEye. He knows a thing or two about network security monitoring and response. I happen to agree with his general philosophy of cyber security defense, and this book provides an introduction to that philosophy as well as an in-depth, hands-on look at the best open-source tools available. 

The book is a primer on how to think about network security monitoring and incident response, and for the beginners in the crowd, it provides step-by-step instructions on how to install, configure, and use some of the best open-source tools available that will help any security program improve its network security monitoring capability.

I am often asked what skills a wannabe cyber security analyst needs to get into the cyber security industry. My glib go-to answer, and the first question I ask any candidates asking to work for me is, can you install a Linux distribution on your home computer? If a newbie cannot get through that basic exercise, he or she should probably seek employment somewhere else. After reading this book though, I plan to up my game. My new question is, can you work through all of the examples in this book and make sense of it all? If you can, you may have a future in the cyber security industry as a SOC analyst or an incident responder. If you struggle with this book, then cybersecurity might not be for you.

The Network Security Monitoring Story

In my own career, I have routinely seen organizations buy every shiny new cybersecurity tool they could get their hands on and deploy it within the enterprise. Their leadership’s grand strategy seemed to be that shiny equals good. In my early days, I may have even subscribed to that theory. Today, I do not have the energy to chase every bright light that appears on the cyber security market. I mostly just want to see what I have already deployed work the way that I thought it should when I originally bought it.

Network Security Monitoring Is More Than Just a Set Of Tools

Buying and deploying new technology is relatively easy compared to training the people and developing the processes necessary to fully use it. Organizations tend to forget this. They think that if they just buy the latest tool—pick your tool, it does not matter which one—that it will miraculously configure itself, monitor itself, and forcefully eject any intruders by itself. In the real world, this does not happen. Bejtlich agrees: 

“Products and technologies are not solutions. They are just tools. Defenders (and an organization’s management) need to understand this. No shiny silver bullet will solve the cybersecurity problem. Attacks have life cycles, and different phases of these life cycles leave different evidence in different data sources that are best exposed and understood using different analysis techniques. Building a team (even if it is just a team of one) that understands this and knows how to effectively position the team’s assets (including tools, people, and time) and how to move back and forth between the different data sources and tools is critical to creating an effective incident response capability.”[1] 

In a previous job, I had all of the best toys pumping mountains of data to a 24/7 security operations center, but finding an advanced adversary in all of that data was way too hard. The SOC analysts performed Herculean tasks, but we did not have the processes in place, nor the people trained to develop the processes, to fully use all of that advanced technology. It was frustrating. The bottom line is that if you buy the tool, make sure you spend some resources training your people and developing a plan to incorporate the tool into your overall security program.

Bejtlich also says that your traditional tools are not going to help much with our brand new cloud environments.[1] Customers of cloud environments just do not have access to the networks that a network security monitoring team needs. As we move more and more to the cloud, this can be either a liability or a major opportunity for a young entrepreneur to solve the problem.

Operate Like You Are Compromised: Kill Chain Analysis

In a previous blog, I said that kill chain analysis is one of the three great innovations that have come down the pipe from the security community this past decade.[2] Bejtlich says that Lockheed Martin’s paper on kill chain analysis[3] is unique because followers of the philosophy align their security program along the same lines that adversaries must use to penetrate their victim’s network. 

He confirms the notion that I have had for a few years now that the very old “defense-in-depth” model—which we all adopted in the early 1990s to keep the adversary out of our networks—is dead. It is simply not possible. On the other hand, it does not necessarily mean that you have a disaster on your hands just because one or more adversaries manage to work their way down a couple of links of your kill chain.[3] The idea is to detect these adversaries before they can accomplish their ultimate goal: crime, espionage, hacktivism, warfare, mischief, or whatever. Bejtlich says, 

“Prevention eventually fails … Rather than just trying to stop intruders, mature organizations now seek to rapidly detect attackers, efficiently respond by scoping the extent of incidents, and thoroughly contain intruders to limit the damage they might cause.”[1]

My own personal goal is early detection, quick eradication, and automatic prevention of those observed attacks going forward before these adversaries can claim victory. With the old defense-in-depth model, we were trying to prevent all penetrations into the network. Bejtlich says,

“It’s become smarter to operate as though your enterprise is always compromised.”[1]

Kelly Jackson Higgins interviewed Steve Adegbite, the director of cyber security for Lockheed Martin (LM), in 2013 regarding how LM used kill chain analysis to discover that the company’s RSA token deployment had been compromised.[4] Adegbite said that

"The goal of the Kill Chain is to make sure [the adversaries] don't get to step 7 [of the Kill Chain] and exfiltrate.”[4]

In other words, it is acceptable for adversaries to penetrate your networks as long as you have installed the processes to contain the damage they might cause. 

Network Security Monitoring as a Decision Tool, Not a Reaction Process

Bejtlich’s take on network security monitoring is subtly different from what I would expect from most other security practitioners who have not had a lot of experience actually doing it. According to Bejtlich, these practitioners use network security monitoring for forensics and troubleshooting.[1] His take is to use the discipline as a decision tool for how to contain the detected adversary. He also believes you have to measure your team’s effectiveness by measuring things like:
  • How long it takes to detect adversaries once they have entered your network
  • How long it takes to contain adversaries once you have detected them

In the 2014 Verizon Data Breach report,[5] researchers show that of the 1,367 known data breaches in 2013, security teams discovered less than 25 percent of them (341) within days of the initial compromise. Security teams discovered the rest (1,026) many days and weeks later. Bejtlich says that for a network security monitoring program to be effective, teams must measure how they reduce that time.[1]
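Those two numbers are easy to name and easy to stop measuring. As an added example (not code from the book or from Bejtlich), the Python below computes them from a constructed incident log: time to detect is the gap between the earliest evidence of compromise and the team opening a case, time to contain is the gap between opening the case and cutting the adversary off, and the per-quarter median shows whether the program is actually reducing dwell time the way Bejtlich asks. The incident names, dates, and the seven-day window are invented for illustration.

```python
"""Detection and containment time metrics for a network security monitoring team.

Added example, not from Bejtlich's book. The incidents below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Incident:
    name: str
    compromised: datetime          # earliest evidence of intrusion, from forensics
    detected: datetime             # when the NSM team opened a case
    contained: Optional[datetime]  # when the adversary was cut off; None if still open


def time_to_detect(inc: Incident) -> timedelta:
    """Dwell time before the team noticed: the first number Bejtlich asks for."""
    return inc.detected - inc.compromised


def time_to_contain(inc: Incident) -> Optional[timedelta]:
    """Case open to adversary cut off: the second number. None while the case is open."""
    return inc.contained - inc.detected if inc.contained else None


def _hours(td: timedelta) -> float:
    return td.total_seconds() / 3600


def summarize(incidents, within=timedelta(days=7)):
    """Medians (in hours) plus the share of incidents detected within `within`.

    Median rather than mean: one six-month-old intrusion would otherwise swamp
    the figure and hide genuine improvement on the rest of the cases.
    """
    ttd = [_hours(time_to_detect(i)) for i in incidents]
    ttc = [_hours(t) for t in map(time_to_contain, incidents) if t is not None]
    window = _hours(within)
    return {
        "count": len(incidents),
        "median_ttd_hours": median(ttd),
        "median_ttc_hours": median(ttc) if ttc else None,
        "detected_within_window_pct": 100.0 * sum(h <= window for h in ttd) / len(incidents),
        "still_open": sum(i.contained is None for i in incidents),
    }


def trend_by_quarter(incidents):
    """Median time to detect per calendar quarter of detection, oldest first.

    This is the series to put in front of management: it shows whether the
    program is reducing dwell time rather than just counting cases.
    """
    buckets = {}
    for inc in incidents:
        q = f"{inc.detected.year}Q{(inc.detected.month - 1) // 3 + 1}"
        buckets.setdefault(q, []).append(_hours(time_to_detect(inc)))
    return {q: median(v) for q, v in sorted(buckets.items())}


# Constructed incident log (names and dates invented for the example).
_T = datetime
SAMPLE_INCIDENTS = [
    Incident("phish-001",    _T(2014, 1, 3, 9),   _T(2014, 2, 2, 9),   _T(2014, 2, 4, 9)),   # 30 d / 2 d
    Incident("webshell-002", _T(2014, 2, 10, 0),  _T(2014, 2, 20, 0),  _T(2014, 2, 20, 6)),  # 10 d / 6 h
    Incident("malware-003",  _T(2014, 3, 1, 12),  _T(2014, 3, 3, 12),  None),                # 2 d / open
    Incident("phish-004",    _T(2014, 4, 5, 8),   _T(2014, 4, 10, 8),  _T(2014, 4, 11, 8)),  # 5 d / 1 d
    Incident("creds-005",    _T(2014, 5, 1, 0),   _T(2014, 5, 2, 0),   _T(2014, 5, 2, 3)),   # 1 d / 3 h
    Incident("beacon-006",   _T(2014, 6, 15, 0),  _T(2014, 6, 15, 12), _T(2014, 6, 16, 0)),  # 12 h / 12 h
]

if __name__ == "__main__":
    print(summarize(SAMPLE_INCIDENTS))
    print(trend_by_quarter(SAMPLE_INCIDENTS))
```

The "compromised" timestamp is the hard one to get honestly; it comes from the forensics on each case, not from the alert, and a team that backfills it with the alert time will report a dwell time of zero and learn nothing.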

Incident Response and Threat Intelligence Go Together

Bejtlich talks about the various approaches to handling a breach within your organization. Some incident response teams elect to identify the compromised asset, take it offline, maybe do some forensics on it, re-image it, and then put it back online so that they can wait for the next breach to happen. I call this the whack-a-mole approach to incident response. This process provides you no context about what the adversaries did and why. Other organizations engage their threat intelligence group and are able to understand the impact of what these adversaries are trying to accomplish. Bejtlich explains that incident response teams can frame the attacks from different perspectives: a threat-centric approach and an asset-centric approach.[1] He says that threat intelligence teams track adversaries by campaigns but that incident response teams respond to the adversary’s actions in waves.[1] He provides practical guidance about what kind of skills and capabilities an incident response team and an intelligence team require.

So that’s the story: build a network security monitoring program by deploying the right tool, training your people how to use the tool properly, and developing the processes necessary to incorporate the tool into the overall program. Assume that your network is already compromised, and aggressively track adversaries down the kill chain. Remember, the network security monitoring team’s goal is to prevent adversaries from accomplishing their goals. Use the program to make decisions about how to contain the adversary quickly and efficiently, and use your intelligence team to understand the context of how and why the adversary is attacking your network.

Let’s talk about the tech.

The Network Security Monitoring Tech

This is where it gets really good. The theory is one thing—and I like the theory part—but the actual doing is what really matters. Bejtlich provides a hands-on tutorial on how to deploy the best open-source tools to do network security monitoring. If you are a young person thinking that you want to be a cyber security professional or if you are transitioning careers and you think cyber security is something you can handle, get this book and work through the examples. If you can do them, then I want to talk to you about a job. If you can’t, then maybe consider a less technically demanding career.

Bejtlich says that there are two types of network security monitoring data: full content and extracted content. He says that network security monitoring tools help analysts review these different data types and make a decision about containment based on an organization’s network security process.[1] He points practitioners to Doug Burks’ Security Onion (SO) distribution to get three types of tools: data collection, data presentation, and packet analysis.

Data Collection Tool:

  • Argus

Data Presentation Tools:

  • Tcpdump
  • Tshark (the command line version of Wireshark)
  • Argus’s Ra client
  • Dumpcap in concert with Tshark

Packet Analysis Tools:

  • Wireshark
  • Xplico
  • NetworkMiner


Richard Bejtlich is one of the most respected security practitioners in the community. If he is speaking somewhere, take the time to hear what the man has to say. The same goes for his writing. If he publishes something, we should all take notice. In The Practice of Network Security Monitoring, Bejtlich provides the theory of and the hands-on tutorial on how to do network security monitoring the right way. He tells you why you should be doing it and how it should work together, and he gives you step-by-step instructions on how to deploy and use the best open-source tools available. If you are already a seasoned security practitioner, working through the examples in this book will only increase your understanding of the subject. If you are a newcomer to the subject, working through the examples will indicate once and for all if you have what it takes to work in this field. This book is absolutely a cyber security canon candidate, and you should have read it by now. 


[1] "The Practice of Network Security Monitoring: Understanding Incident Detection and Response," by Richard Bejtlich, No Starch Press, 2 August 2013, last visited 29 September 2014,

[2] "Help Me Obi Wan – You’re My only Hope: Three Cyber Security Innovations to Give You Courage," by Rick Howard, Terebrate, 10 June 2013, last visited 30 September 2014,

[3] "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," by Hutchins, Cloppert & Amin, Lockheed Martin Corp., 2011, last visited 29 September 2014,

[4] "How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack," by Kelly Jackson Higgins, DarkReading, 12 February 2013, last visited 30 September 2014,

[5] "2014 DATA BREACH INVESTIGATIONS REPORT," by Verizon, 2014, last visited 1 October 2014,

Sunday, November 2, 2014

Why I Vote

Executive Summary

This Tuesday, the people of the United States will vote for 36 Senators, 435 Congressional Representatives, 36 State Governors and three Territorial Governors. In order for Republicans to take control of the Senate, they need to win six additional seats. USA Today predicts that there are 7 races too close to call. In order for Democrats to take control of the House of Representatives, they need to win 17 additional seats. USA Today predicts 24 races that are too close to call. In the gubernatorial races, USA Today predicts 12 races that are too close to call as either Republican or Democrat. The country faces big issues in the coming years. I vote because I refuse to abdicate my only way to directly influence the process. I vote because it is my responsibility as a citizen. I vote because I am angry that politicians on both sides of the aisle think it is a good thing to restrict some citizens’ right to vote or rig elections in their favor, and I cannot abide that. I vote because I like the recurring ritual that reminds me how hard it was for our founding fathers to establish this experimental participative government of potential exceptionalism. I hope you will join me.


I originally wrote this essay a couple of years ago to explain to my friends and colleagues why I am so passionate about voting. I updated this essay last November in time for my state's off-year gubernatorial election. I thought I would update it a bit for this year's midterm elections.

I am not a political junkie. I don't spend endless hours consuming the philosophical blatherings from the likes of Rush Limbaugh, Jon Stewart, Bill O’Reilly or Rachel Maddow. I don't have a burning issue; at least not one that I am so passionate about that I accost little old ladies who do not agree with me in an effort to bend them to my will. What I do have is a deep-seated awareness, an understanding so to speak, that many people around the world do not benefit from the same privilege of participative government that I have simply because I happened to be born in this country.

A few years ago, I took a taxi to O’Hare Airport from my hotel in Chicago. Through the usual conversation you have with these folks, I learned that my taxi driver, a delightful fellow by the name of Nicky, came from a small country on the east coast of Africa called Eritrea. When he was three years old back in 1993, his country declared independence from its current dictator. By the time he was eight, his family had moved to a refugee camp within the country because the next dictator had dumped them into a war with the neighbors (Yemen and Ethiopia). The regime was so repressive that the lives of Nicky’s family were in danger. Nicky’s parents took the extraordinary step of shipping all three siblings, including Nicky, to America at the first opportunity. When Nicky told me that, I immediately thought about my own kids. How bad would it have to get in my country before I would decide to ship my kids to another place to preserve their safety and future? And how lucky am I that the chances of something like that ever happening in the USA are a million to one?

When I get in these moods, I often remind myself about America’s founding fathers. 

You Have to Earn the American Exceptionalism Title

When these remarkable men, all well educated and mostly self-made, signed the Declaration of Independence, they may as well have signed their own death warrants. If the colonies had lost the war for independence against the British, the royal authorities would have rounded up these “traitors” for public executions faster than you could say Jack Sprat. When I think about this act of disobedience, I am humbled that these men-among-men were prepared to give their lives in support of an idea; an idea that there could be a better way to govern. And it makes me consider if I have any beliefs within my own personal philosophy that are so strong that I would willingly give my life, and the fortunes of my family, to preserve them. 

These are heavy thoughts and I will not try to address them here. But when voting time comes around in my state, even for the off-cycle elections, the idea that I would not cast a vote or exercise the privilege that was so hard-fought and won by our founding fathers (and mothers) does not occur to me. Voting for me is about being a man and the example I set for my own children. It is about being an appreciative citizen and not taking for granted the privileges won by the spilt blood of our ancestors. And it is about giving back to the community, in some small measure, in order to preserve these rights that men and women thought were so important in our country’s early days that they were willing to lay down their lives for it. 

In every election, both sides of the aisle talk about American Exceptionalism. Some think that America is the best country in the world. Others think that it is arrogant to claim that title when the US clearly lacks in several key metrics that might be used to choose the winner of such a competition. In my mind though, neither side gets the point. It is not whether or not America is the best. The real point is that when you consider all of the countries in the world, America has a good chance to be remarkable; not to be the best but to behave in an exceptional manner. Every time an opportunity for the country arises where we can choose to display excellence and we intentionally decide to do something that is less than excellent, we do not live up to our potential. Voting is one of those chances. By choosing to vote, we are living up to our exceptionalism potential.

That is a fairly lofty and snobbish view. Here is a more practical one. So you think that your vote does not matter? Well, the people that we elect sure do.

Voter Suppression Attempts - Oh No You Didn't

At the conclusion of each decade, the US government completes a constitutionally mandated census to ensure that the number of House of Representatives seats reflects the population size within each state. [1][2] In a tradition that has been going on since the beginning of the nation, the party in power takes the opportunity to redraw congressional district boundaries in a way that will best enable its party officials to get re-elected in the next election. This is called gerrymandering. [3] After the 2010 census and midterm elections, Republicans altered 210 congressional districts and Democrats altered 44 out of a total of 435 (58%). [4][2]

In June of 2013, the US Supreme Court rejected a key piece of the landmark 1965 civil-rights legislation called the Voting Rights Act that restricted nine southern states from changing voting laws without permission from the US Federal Government. [4][5] Since then, state officials from across the country, not just the original nine states, have been busy trying to tighten voting laws. They have been passing new legislation requiring ID cards at the voting place, reducing early voting periods, curbing voter registration drives, changing absentee voting rules, eliminating same-day registration and making it harder for criminals who have served their time to restore their voting rights. Not all states have managed to pass these sweeping changes, but 21 states have one or more of these restrictions in place for the 2014 midterm elections. [5] Last month (October 2014), a Texas federal district court judge (Nelva Gonzales Ramos, appointed by President Obama) struck down Texas’s voter ID law, citing it as “an unconstitutional poll tax.” [6] A poll tax is a tax mandated by government as a prerequisite to voting. In the past, United States government leaders used poll taxes to disenfranchise black voters after the Civil War, but they also had the effect of impacting poor white citizens and women in general after Congress passed the 19th Amendment (Women’s Right to Vote). [7] In 1964, Congress passed the 24th Amendment that, among other things, made poll taxes unconstitutional. In her decision, Ramos held that Texas’s restrictive voter ID law is an unconstitutional poll tax. [8]

Whether or not you think that gerrymandering machinations or voter suppression laws have any effect on the voting process, your elected officials do. Many spend at least a portion of their working term in their state legislatures manipulating the system so that they can restrict their opponents' supporters at the polls or at least rig it so that they have a better chance of getting re-elected. For me, that just makes me angry. Even if I did not have an opinion on some of the most important issues of the day -- abortion, climate change, gay marriage, Obamacare, pick your favorite -- the idea that an elected official of mine would try to stop me from rendering my opinion at the polls makes me want to show up just to spite them and hopefully vote them out of office.

The Joy of Community Citizenship

And I have to say, the physical act of voting, for me anyway, is inspiring. I usually go early, before work, so that I can ensure that the normal chaos of the day does not interfere with the voting process. Elections in Virginia, my home state, generally occur in the spring and the fall. The early mornings are usually cool but sunny. When I arrive at the polling station, other like-minded people are doing the same thing. There is a sense of community and purpose; never said out loud but inferred as you say good morning and make small talk with the volunteers and voters that are there with you. My favorite part is standing in line waiting for my turn in the voting booth. I get a big kick out of watching the volunteers, mostly retired old folks, who ensure that the mechanics of the voting process go smoothly. When I get to the desk where the volunteer finds my name on the voter list and checks it off, I can’t help but get a sense of belonging; an inclusiveness within a larger idea that is good and something to care about. And finally, after I make my selections and turn to walk out of the building, a volunteer always shakes my hand, slaps an “I voted” sticker on my chest and says thanks for voting.

That is a good morning. 


For me, voting is not something that is a decision. It is just something that I do. I do it because it is my responsibility as a citizen. I do it because I am angry that politicians on both sides of the aisle think it is a good thing to try to restrict some citizens’ right to vote or rig elections in their favor, and I cannot abide that. I do it because I like the ritual that reminds me how hard it was to establish this government of potential exceptionalism. On November 4 (Tuesday), the people of the United States will vote for 100 Senators, 435 Congressional Representatives and 36 Governors. In order for Republicans to take control of the Senate, they need to win six additional seats. USA Today predicts that there are 7 races too close to call. In order for Democrats to take control of the Congress, they need to win 17 additional seats. USA Today predicts 24 races that are too close to call. In the gubernatorial races, USA Today predicts 12 races that are too close to call as either Republican or Democrat. [9] The country faces big issues in the future. I vote because I refuse to abdicate my only direct way to influence the process. I hope that you will join me.


[1] “About What We Do,” by The United States Census, Last Visited 3 November 2013

[2] “One Million-Scale Congressional Districts of the United States,” by National Atlas, Last Visited 3 November 2013

[3] “A modest proposal to neutralize gerrymandering,” by David Brin, Salon, 20 October 2013, Last Visited 2 November 2013

[4] “Tea Party's House Seats Might Not Be All That Safe,” by Karen Weise, Bloomberg Businessweek, 14 October 2013, Last Visited 31 October 2013

[5] “States With New Voting Restrictions Since 2010 Election,” by Brennan Center for Justice, New York University School of Law, Last Visited 1 November 2014

[6] “Voter Suppression Backfires in Texas and Wisconsin,” by Ari Berman, The Nation, 10 October 2014, Last Visited 1 November 2014

[7] “Poll Taxes,” by David F. Forte, Professor of Law, Cleveland-Marshall College of Law, The Heritage Guide to the Constitution, Last Visited 1 November 2014

[8] “The 24th Amendment Ended the Poll Tax January 23, 1964,” by The Library of Congress, Last Visited 1 November 2014

[9] “2014 Mid-Term Elections,” by Catalina Camia, Lee Horwich, Paul Singer and Katie Smith, USA Today, Last Visited 1 November 2014


“2014 Gubernatorial Election Information,” by the National Governors Association, 11 August 2014, Last Visited 1 November 2014

“Court Upends Voting Rights Act,” by Jess Bravin, The Wall Street Journal, 25 June 2013, Last Visited 3 November 2013

“Everything That’s Happened Since Supreme Court Ruled on Voting Rights Act,” by Kara Brandeisky and Mike Tigas, ProPublica, 1 November 2013, Last Visited 3 November 2013

“Florida Defends New Effort to Clean Up Voter Rolls,” by Lizette Alvarez, The New York Times, 9 October 2013, Last Visited 2 November 2013

“‘Outrageous’ or overdue?: Court strikes down part of historic voting rights law,” by Bill Mears and Greg Botelho, CNN Politics, 26 June 2013, Last Visited 3 November 2013

“The Dangerous Legal Rule Behind The Supreme Court’s Latest Voter Suppression Decision,” by Ian Millhiser, ThinkProgress, 18 October 2014, Last Visited 1 November 2014

“The State of Voting in 2014,” by Wendy R. Weiser and Erik Opsal, Brennan Center for Justice at New York University School of Law, 17 June 2014, Last Visited 1 November 2014

“The Voting Rights Act Is in Peril on Its Forty-Eighth Anniversary,” by Ari Berman, The Nation, 6 August 2013, Last Visited 3 November 2013

“Virginia election officials purging almost 40,000 voters,” by Reid Wilson, Washington Post: Gov Beat, 17 October 2013, Last Visited 2 November 2013

“Voter Suppression: How Bad? (Pretty Bad),” by Wendy R. Weiser, The American Prospect Longform, Fall 2014, Last Visited 1 November 2014

Wednesday, August 20, 2014

Book Review: Lexicon (2013) by Max Barry

Executive Summary

Lexicon is an exciting story that is really about social engineering taken to the nth degree. It is not a cyber security canon candidate, however, because it does not meet the criteria established last year,[3] but it does share some connective tissue with one of my favorite canon candidates, Snow Crash, and offers some practical advice about how modern media consumers can protect themselves from media manipulation. This is not a must-read for the cyber security professional, but it is a wonderful beach read if you are looking for something fun to take with you on your next vacation.


Lexicon[1] is not a cyber security canon candidate because it really does not talk about anything specific to cyber security, but it shares its premise about the origination of human language with a candidate-favorite called Snow Crash.[2][3] It is a run-and-gun conspiracy thriller in which the evil cabal, called the Poets, has mastered the art of persuasion to such a degree that its members can manipulate individuals, groups, and the media to accomplish their goals. They do this by analyzing the target in terms of emotional, intellectual, and personality state to discover just the right “trigger words” that will completely destroy any resistance in the target’s mind. As the author, Max Barry, compels the reader to turn just one more page with this adventure, he also makes the reader think about the implications of manipulation attempts in our own society, the origins of languages in the human world and why there are so many, the more banal implications of the state collecting surveillance data on individual citizens, and the implications of our own bias as we consume information from the media.

The Story

After they receive extensive training on Poet techniques at an exclusive private school in Virginia, very similar to Harry Potter’s Hogwarts School of Witchcraft and Wizardry, newly graduated Poets receive their code names. The Poets’ leader is called W. B. Yeats. The main heroine is called Virginia Woolf, and her mentor is called T. S. Eliot.

The Poets did not start out as evil. At the beginning, they simply learned how to manipulate individuals by quickly assessing their target’s mental state and looking for weakness. One consequence of that practice is that they learned how to hide their own weaknesses from their fellow Poets to prevent manipulation from within. Because of that active suppression of sharing intimate details with their friends and loved ones, their ability to sympathize with the non-Poet population, and even their own members, eroded over the years to the point that the Poets’ leadership considered non-Poets to be nothing more than another form of cattle to be managed and experimented on in order to fulfill the Poets’ goals. 

Before she became Woolf, Emily was a prodigy. Poet recruiters plucked her off the streets at a young age because of her con-man skills and sent her to the private school in Virginia. But she is a rebel. She fights the suppression of her personality and is eventually exiled to a small and remote Australian town called Willow Creek until she becomes mature enough to handle the discipline it takes to be a full-fledged Poet.

There is the inevitable falling out between the Poets’ leadership and a group of Poets who feel the organization has gone too far. That confrontation is the catalyst for the entire story. Poet researchers discover something they call a “Bare Word”: a word so powerful that, when issued with a command, it compels any human to immediately comply. The Poets’ leader, Yeats, decides to experiment with the Bare Word at Willow Creek, which is now the home of the story’s prodigy, Emily. Yeats deploys the Bare Word with the command of “Kill” at the local hospital to see what will happen. Every person who sees the command immediately attempts to comply. The town becomes a bloodbath that is similar in scope to any modern-day zombie movie. Because of the actions taken at Willow Creek, the Poet organization fractures into two groups: supporters of the Poets’ leadership and disgruntled former members. Yeats begins to terminate any former colleagues who oppose him. How this manifests, and how Emily figures into the story, is the basis for the run-and-gun action.

The Tech

The tech in this book is not Internet gadgetry. There are no computer hacks in the story, but the entire Poet skill set is really social engineering on a grand scale. Although the Poets’ ability to manipulate individuals and groups is purely the result of Barry’s wonderful imagination, some of the skill sets he portrays for defending against manipulation are more practical.

One important skill in this defense is an understanding of how news organizations present information to the masses. Most news organizations try to present the facts as they currently know them. Many try to report objectively. The news consumer must remember, however, that the news people within the media are making choices about what to put into a story and what to leave out. News people also do not have to prove anything. They can imply. In most cases, the consumer will probably never hear anything more about a particular story. By choosing which facts to present and which facts to leave out, the news organization can lead consumers down the path for them to make their own conclusions about what happened without actually having to state it out loud.

This leads to the second important skill in the defense against manipulation: getting out of your comfort zone and consuming information from media outlets that you do not agree with. Especially today, when every issue is so polarizing, it is easy to tune into your media outlet of choice—Bill O’Reilly on the right and Jon Stewart on the left, to name two—and hear spoken back to you exactly what you want to hear because you already totally agree with it. By staying within their own political media information bubble, consumers get manipulated into thinking that their side is the only reasonable way to think about any particular issue, and that is simply not the case.


Lexicon is an exciting story about social engineering. It is not a cyber security canon candidate because it does not meet the criteria established last year,[3] but it does share some connective tissue with one of my favorite canon candidates, Snow Crash, and offers some practical advice about how modern media consumers can protect themselves from media manipulation. The story is really about social engineering taken to the nth degree. I personally loved the idea that an evil cabal could be run by a group of literature majors using their favorite poets’ names as code names. This is not a must-read for the cyber security professional, but it is a wonderful beach read if you are looking for something fun to take with you on your next vacation.


[1] “Lexicon,” by Max Barry, Penguin Press, June 2013, last visited 1 August 2014

[2] “Book Review: Snow Crash by Neal Stephenson (1992),” by Rick Howard, Terebrate, 10 November 2013, last visited 1 August 2014

[3] “Books You Should Have Read by Now,” by Rick Howard, Terebrate, 16 February 2014, last visited 1 August 2014


“‘Lexicon,’ a Thriller by Max Barry,” by Graham Sleight, The Washington Post, 15 July 2014, last visited 1 August 2014

“Lexicon Could Be Max Barry's Smartest Dystopia Yet,” by Michael Ann Dobbs, io9, 31 July 2014, last visited 1 August 2014

Monday, June 30, 2014

Book Review: No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State (2014) by Glenn Greenwald

Executive Summary

No Place to Hide is a strange concoction: part exposé, part autobiography, and part screed “against the man.” It is not what I would call an example of rigorous journalistic reporting. It is more like storytelling with commentary. The story part includes the details of when and where Edward Snowden stole a treasure trove of classified U.S. government documents regarding warrantless mass surveillance of U.S. citizens and released them to a select few journalists. It also includes the details of how the author, Glenn Greenwald, corralled the story and how that has affected his life.

The commentary part includes what Greenwald feels about the impact of Snowden’s released documents. He discusses how the documents show just how deep the rabbit hole goes in terms of mass surveillance against U.S. citizens, U.S. allies, and potential enemies. He argues that Snowden is really a hero and not a traitor and highlights how the government’s response to the debate is to attack the messenger and not the issues. 

Governments have a lot of opportunities to present their side to this debate. Greenwald is one voice on the other side that has grabbed center stage because of his relationship with Edward Snowden. Because of that, we should pay attention to what he has to say. Despite the less-than-stellar journalistic rigor, No Place to Hide is a cyber security canon candidate, and you should have read it by now. 


Glenn Greenwald and other journalists began releasing a seemingly endless supply of classified U.S. government documents to the public in summer 2013. Those documents describe just how deep the rabbit hole goes in terms of U.S. government surveillance of its own citizens and allies and in terms of potential threats to the U.S. government.[1][2] Ever since, politicians, military leaders, and talk show pundits alike have attempted to characterize Edward Snowden—the man who stole the documents from the NSA and released them to the journalists—in an unfavorable light. They say he is a traitor.[3] They say he is a coward.[4] They say he is a spy.[5] They say he is a hacker.[6] They say he was just a low-level analyst with no understanding of the impact of what he did.[7] They say he was an insider threat.[8] But all of these characterizations, whether they turn out to be true or not, divert the conversation away from the main issue. None of these accusations address the most pressing question that we all, as American citizens, should be asking ourselves: Should the U.S. intelligence community be allowed to spy on U.S. citizens without the benefit of a warrant and without the benefit of a checks-and-balances system managed by a trusted third party? Glenn Greenwald does not think so and wrote No Place to Hide to make the case.

The book is a strange concoction: part exposé, part autobiography, and part screed “against the man.” Greenwald tries to accomplish many tasks here, and I think because of that, the important messages within it are not as clear as they should be. He tries to set the record straight on the mechanics of how Snowden was able to position himself with two U.S. government contractors—Dell and Booz Allen Hamilton—and as an employee of the NSA and the CIA in order to steal secrets that exposed the U.S. government’s surveillance programs on U.S. citizens. But Greenwald does not provide enough detail to make sense of the story. Readers must seek other sources to fill in the gaps.

He attempts to make the case that government-sponsored, warrantless, and secret searches of American citizens are a trespass on the U.S. Constitution and America’s notions of privacy rights, but his argument is fuzzy. Everything Greenwald says is absolutely true, but the way he says it is not convincing. If you want a concise and elegant explanation of why this is an issue that everyone should be concerned about, not just U.S. citizens but all citizens from around the world, watch Stephen Fry’s short video on the subject.[9]

He also launches an attack on the Fourth Estate, claiming that journalism has completely failed in its presumed adversarial role against the government and has not monitored and checked abuse of state power. He loses his credibility because instead of writing about the story, he is writing about himself in the story. It comes across as whiny.

And I am disappointed. I was hoping for the same gladiatorial panache that Greenwald displayed in the “Munk Debate on State Surveillance” in May [10] in which he peppered former NSA Director Michael Hayden with questions, but this panache was absent in No Place to Hide.

That said, this is an important book. Without Greenwald putting constant pressure on the American political establishment in order to challenge the need for such invasive programs, we would not be talking about it now a full year after the initial revelation in the Guardian newspaper in June 2013. And I believe we all must continue to talk about it. Just because No Place to Hide is not as clear as it could or should be does not mean that it does not have value.

This debate about how intrusive the U.S. intelligence community can be on American citizens, on American allies, and on potential American threats and about what the American political leadership decides to do about it will impact the character of the country forever. We have to get this right.

The Law

In order to understand the significance of the situation, we have to start with the Founding Fathers. According to Greenwald, they passed the Fourth Amendment because of their experience with the British before and during the American Revolution.[1] The Founders agreed that it was acceptable for a government to search individual citizens if it had probable cause of wrongdoing and produced a warrant approved by a judge attesting to the fact, but they viewed the practice of a government using a general warrant to make the entire citizenry subject to indiscriminate searches as inherently unacceptable.[1] The language in the Fourth Amendment to the U.S. Constitution is simple, elegant and clear. It is part of our Bill of Rights, and we fought a revolution to get it: 

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”[1]

According to Greenwald, 

“It was intended, above all, to abolish forever in America the power of the government to subject its citizens to generalized, suspicionless surveillance.”[1] 

Greenwald quotes U.S. Supreme Court Justice Louis Brandeis, in the seminal 1890 Harvard Law Review article “The Right to Privacy,” to make his point: 

“[R]obbing someone of their privacy was a crime of a deeply different nature than the theft of a material belonging.”[1]

After 9/11, Americans were afraid, and rightfully so. More than 3,200 citizens died in a scant two hours in a well-executed surprise terrorist attack the likes of which had never been seen before on American soil.

The U.S. reaction was immediate. Not even a month later, President Bush signed a Presidential Directive called the Presidential Surveillance Program that granted an unprecedented amount of surveillance powers to the NSA, in pursuit of terrorist activities, that allowed bulk collection of metadata from U.S. citizens.[11][12] Shortly after, the U.S. Congress passed the Patriot Act that essentially made President Bush’s Directive the law of the land.[12][13] Section 215 of this act was the first legislation that authorized metadata collection.[12][14] The Patriot Act also authorized the FBI to compel Internet service providers, credit card companies, and phone companies via a national security letter (NSL) to provide information relevant to a counterterrorism or counterintelligence investigation. The FBI could also impose gag orders to prohibit NSL recipients from disclosing that they received the NSL.[15] This change eliminated the former restriction that allowed warrantless intelligence collection only against a foreign power.[16]

According to Greenwald,

“What made the Patriot Act so controversial when it was enacted in the wake of the 9/11 attack was that Section 215 lowered the standard the government needed to meet in order to obtain “business records,” from “probable cause” to “relevance.” This meant that the Federal Bureau of Investigation, in order to obtain highly sensitive and invasive documents—such as medical histories, banking transactions, or phone records—needed to demonstrate only that those documents were “relevant” to a pending investigation.”[1]

In the mid-1970s, America clamped down on the intelligence community after scandals regarding CIA assassination plots and other abuses emerged in the public. As these things normally do over time though, the Patriot Act caused the pendulum to swing in the opposite direction in regard to how much leeway America wanted to give its intelligence community. We had taken almost all of the safeguards off of the intelligence community and told them to never let another 9/11 happen again. 

What We Learned from the Leaks

According to Greenwald,

“Snowden’s files indisputably laid bare a complex web of surveillance aimed at Americans (who are explicitly beyond the NSA’s mission) and non-Americans alike. …Taken in its entirety, the Snowden archive led to an ultimately simple conclusion: the US government had built a system that has as its goal the complete elimination of electronic privacy worldwide.”[1]

I think the biggest revelation about the Snowden leaks was not that the NSA was spying on U.S. citizens, although that was a big one, but that our assumed liberal-minded Internet start-ups were in on the deception. [1] According to classified documents that Snowden stole, the NSA had deals with most of our favorite Internet companies to collect information directly from their servers pertaining to U.S. citizens, companies like the following:

  • Apple Inc.
  • AOL Inc.
  • Facebook
  • Google Inc.
  • Microsoft Corp.
  • Yahoo! Inc.

According to the documents, Microsoft vigorously cooperated with the NSA to allow access to several of its most-used online services, including SkyDrive and Skype.[1] Facebook and Google claim that they gave data only when the NSA presented a warrant. On the other hand, it is public record that Yahoo! fought the NSA in court against participating, but the company lost the case. Twitter declined to make it easier for the government to access Twitter data.[1]

The next biggest revelation was that the NSA indiscriminately collects millions of phone records every day from Verizon without a warrant, both from within the United States and from other countries. [1] This is the so-called metadata collection process that has been in the news from the start.

One revelation that the Fourth Estate has not talked about much is that President Obama signed a Presidential Directive in November 2012 authorizing the Pentagon to start planning for aggressive cyber attacks. He directed the military to draw up potential overseas cyber targets.[1]

The biggest hypocritical revelation came from the documents that showed that the NSA is involved in economic espionage. The NSA targeted the Brazilian oil giant Petrobras, as well as other companies from Venezuela, Mexico, Canada, Norway, and Sweden, for economic purposes, not terrorism.[1] In light of the recent U.S. Department of Justice (DOJ) indictments against five Chinese military hackers for conducting cyber economic espionage against the US,[17] this seems to be a little two-faced.

The Pro-surveillance Response: Discredit the Messenger

One thing that comes out loud and clear in this book is that Greenwald is acutely aware of the way the pro-surveillance side attempts to redirect attention from the issue at hand. Instead of debating the merits of the American intelligence community spying on its own citizens, it first wants to flog Edward Snowden for breaking the law. It wants to criticize Greenwald for not being a great journalist. It accuses Snowden of running off to Taiwan and then to Russia to avoid incarceration, as if that motive somehow weakens the revelation that the NSA collects all electronic communication, or at least as much as possible, from within the United States without a warrant. The pro-surveillance side says that if Snowden’s whistleblower intentions were so honorable, he would come back to the States to face the authorities. None of that matters, or if it did, it is at least secondary and causes confusion within the citizenry when we debate the topic: Should we sacrifice the tenets of the Fourth Amendment for the sake of a little more security?

The Pro-surveillance Response: If You Have Nothing to Hide, Then You Have Nothing to Worry about

Personally, I hate this argument. It is another misdirection by the pro-surveillance side and does not address the issue. What the pro-surveillance side wants you to think is that if you are a law-abiding citizen, then the only people who will be negatively impacted by mass surveillance are the criminals and the terrorists and all the rest of the bad people. According to Greenwald, 

“Governments have long convinced populations to turn a blind eye to oppressive conduct by leading citizens to believe, rightly or wrongly, that only certain marginalized people are targeted, and everyone else can acquiesce to or even support that oppression without fear that it will be applied to them.”[1]

In other words, this argument really implies that if U.S. citizens completely conform to the way the U.S. government wants them to think, then they are not at risk. The danger, though, is when an individual citizen starts to think that the U.S. government may not be doing the right thing and decides that he or she may want to speak out against it. There are plenty of examples of the U.S. government collecting intelligence on its citizens when leadership felt threatened by a dissenting voice: The FBI’s surveillance of Martin Luther King Jr.[18] and President Nixon’s Watergate operation[19] are just two famous examples. There are so many divisive issues in our culture today—gun control, abortion, universal healthcare, etc.—that there is no way that an individual citizen won’t be on the wrong end of an argument depending on who wins the next election. If your side loses, then you are no longer in conformance. In today’s technology terms, it is so easy to collect intelligence and discover dissenting voices that entire swaths of the population could be affected. This “if you have nothing to hide” argument is really not an argument about protecting us from the criminals; it is about suppressing dissenting voices, and that is scary.

The Pro-surveillance Response: Terrorism Is Scary

Greenwald makes the point that the U.S. government’s answer as to why it needs a mass surveillance program is that terrorism is scary.[1] I have worked for security vendors for the past decade, and I recognize this tactic. In the security space, we all recognize this as the fear, uncertainty, and doubt pitch. The idea is that we try to scare the hell out of you so that you buy our product. This is exactly what the U.S. government is doing here. When Greenwald asserts that the mass surveillance program has not stopped a single terrorist plot, the U.S. government has no answer other than that terrorism is scary.[1]

U.S. Hypocrisy

On 19 May 2014, the U.S. DOJ indicted five Chinese nationals for the crimes of “computer hacking, economic espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries.”[20][21] I attended a dinner of government officials in Washington, DC, just after the DOJ made this announcement, and of course the subject came up for discussion. I was struck by the hypocrisy of the announcement in light of the Snowden revelations and said so, but the government officials present drew a distinction between national security espionage and economic espionage, claiming that the United States engages only in national security espionage while China engages in both. According to Fred Kaplan at Slate magazine, President Obama pushed this negotiating point with Chinese President Xi Jinping at a summit in Palm Springs in 2013.[20] According to Greenwald, NSA spokespeople claim that the agency

“does engage in computer network exploitation but does ***not*** engage in economic espionage in any domain, including ‘cyber.’”[emphatic asterisks in the original][1]

I was stunned that American officials would draw that very thin line there, but Greenwald points out that there really is no line at all and uses more Snowden documents to prove it. In No Place to Hide, Greenwald says that the NSA intercepted communications on the Brazilian oil giant Petrobras and routinely collected information from various economic summits.[1][22]

James Lewis, famous analyst for the Center for Strategic and International Studies, says there is a distinction between collecting intelligence regarding international economic questions and sharing that intelligence with U.S. companies to improve their bottom line.[23] He says there are many reasons why the state may want to know about the economic situation regarding a certain country, but that does not mean that the government collects it with any eye toward giving American companies an advantage.[23] He says that the U.S. law called the Economic Espionage Act specifically gives the United States permission to collect on bribery and non-proliferation issues but nothing else.[23]

However, as Glyn Moody from TechDirt opines regarding the Petrobras revelations,

“Or, you know, it could provide US companies with insights about which were the best lots in the forthcoming auction of seabed areas for oil exploration, or about highly-specialized deep-sea oil extraction technology, in which Petrobras is a world leader. After all, why wouldn't the NSA drop some useful hints about such things to US companies as a way of justifying its huge budget?”[32]

I am not a foreign policy expert by any means, but I don’t see how pushing an obvious double standard in negotiations with the Chinese can bear any fruit. It is one thing to agree on what is out of bounds and what is in bounds in terms of acceptable cyber espionage on the world stage, but to formally indict five Chinese citizens for a crime that you are also perpetrating seems disingenuous at best and absolute hubris at worst.

The Argument against Mass Surveillance for Anti-terrorism

Greenwald cites five reasons why mass surveillance is a bad idea:

  1. The practice of mass surveillance is likely unconstitutional.[1][24]
  2. President Obama’s own review panel said that the metadata program was not essential to preventing terrorist attacks.[1][25]
  3. Mass surveillance collection, as opposed to targeted collection, makes finding terrorists more difficult.[1]
  4. Mass surveillance is a draconian reaction when you consider the statistically small chances that you will die from a terrorist attack.[1][26][27][28]
  5. Even if mass surveillance were necessary, allowing the government to do it without transparency is counter to the Founding Fathers’ design of the country.[1]


On 16 December 2013, U.S. District Judge Richard J. Leon ruled that the government had not made its case that mass surveillance was needed to protect against time-sensitive terrorist threats. According to Leon,

“The Government does not cite a single instance in which analysis of the NSA’s bulk metadata collection actually stopped an imminent attack, or otherwise aided the Government in achieving any objective that was time sensitive in nature… Thus, plaintiffs have a substantial likelihood of showing their privacy interests outweigh the Government’s interest in collecting and analyzing bulk telephony metadata and therefore the NSA’s bulk collection program is indeed unreasonable search under the Fourth Amendment.”[24]

Review Panel Conclusions

In the wake of the Snowden revelations, President Obama directed a review of the entire program on 27 August 2013. On 18 December 2013, the panel published its findings.[25] Panel members acknowledged that

“In addressing these issues, the United States must pursue multiple and often competing goals at home and abroad.”[25]

The following are those goals:

  • Protecting the nation against threats to its national security.[25]
  • Promoting other national security and foreign policy interests.[25]
  • Protecting the right to privacy.[25]
  • Protecting democracy, civil liberties, and the rule of law.[25]
  • Promoting prosperity, security, and openness in a networked world.[25]
  • Protecting strategic alliances.[25]

With that said, the panel could not find any pressing need for the metadata collection program:

“Our review suggests that the information contributed to terrorist investigations by the use of section 215 telephony meta-data was not essential to preventing attacks and could readily have been obtained in a timely manner using conventional section 215 orders.”[1][25]

Mass Surveillance Collection Makes Finding Terrorists More Difficult

Greenwald points to the NSA’s less-than-stellar record at preventing any number of terrorist plots in recent history:

  • The 2012 Boston Marathon bombing.[1]
  • The attempted Christmas Day bombing of a jetliner over Detroit.[1]
  • The plan to blow up Times Square.[1]
  • The plot to attack the New York City subway system.[1]
  • The string of mass shootings from Aurora to Newtown.[1]
  • Major international attacks from London to Mumbai to Madrid.[1]

He believes that the reason the record is so poor is that the collection of all of that data makes it harder to find and prevent terrorist activity than more traditional, warrant-driven law enforcement activities do.

Is Mass Surveillance Necessary to Solve a Statistically Small Risk?

This is the classic risk equation that all security people are used to evaluating. Anybody can come up with a terrorism scenario that would be devastating to the country. As security professionals, our job is to evaluate these scenarios across a two-dimensional risk matrix. On the x-axis, we plot how likely it is that the scenario will actually happen, from “not very likely” on the left to “will absolutely happen” on the right. On the y-axis, we plot how impactful the scenario is if it were to happen, from “no impact” on the bottom to “will materially impact the country” on the top. None of us has unlimited resources. Because of that, we focus on the risks that end up in the up-and-to-the-right section of our risk matrix. These are the scenarios that are likely to happen and that will have a meaningful impact if they do. The fact is that most terrorism scenarios sit in the up-and-to-the-left section of the risk matrix. The chances of them happening are not very high, but if they do happen, they will have a medium to large impact.

These terrorism scenarios are outliers because they are not that likely to happen. According to Greenwald, 

“The number of people worldwide who are killed by Muslim-type terrorists, Al Qaeda wannabes, is maybe a few hundred outside of war zones. It’s basically the same number of people who die drowning in the bathtub each year.”[1]

Greenwald’s point is that we should seriously consider if we want to deconstruct the Fourth Amendment to protect ourselves from such an event, an event that is scary for sure, but an event that is not likely to happen.

Mass Surveillance without Transparency Is Counter to the Founding Fathers’ Design of the Country

There has always been a tension between national security and government transparency. James Madison, one of the Founding Fathers and a primary contributor to the American Constitution, believed that

transparency was an essential cornerstone of democratic governance.[29]

And Patrick Henry said that

the liberties of a people never were, nor ever will be, secure when the transactions of their rulers may be concealed from them.[30]

Greenwald points out,

“Democracy requires accountability and consent of the governed, which is only possible if citizens know what is being done in their name. The presumption is that, with rare exception, they will know everything their political officials are doing, which is why they are called public servants, working in the public sector, in public service, for public agencies.”[1] 

The point is that whatever we as a nation decide is the legitimate use of the U.S. intelligence apparatus, we must also insist that the mechanical process of that apparatus be completely transparent to the American citizen.

Why the Leaks Were Good

Putting aside the issue of whether Edward Snowden is a hero or a criminal, Greenwald contends that the release of the Snowden documents to the public has had a far more positive impact on the United States and on the world at large than any negative consequences the U.S. intelligence apparatus may have suffered because of it. Greenwald lists the following positive outcomes from the Snowden leaks:

  • The entire world is debating the merits of ubiquitous state surveillance, pervasive government secrecy, and the value of individual privacy.[1]
  • The world is challenging America’s hegemonic control over the Internet.[1]
  • Journalists are reconsidering the proper role of journalism in relation to government power.[1]

Thoughts on Snowden

Throughout No Place to Hide, Greenwald presents a personality picture of Edward Snowden. Compared to Chelsea Manning,[31] the other notorious whistleblower in recent U.S. history, Snowden thought long and hard about what he was doing. He may have been naïve and uninformed, but Greenwald’s picture of him is of a person who has seen an egregious wrong, thought about what to do about it, considered the consequences for himself and the nation, and executed a plan to try to create change. Greenwald quotes Snowden,

“My sole motive is to inform the public as to that which is done in their name and that which is done against them. The U.S. government, in conspiracy with client states, chiefest among them the Five Eyes—the United Kingdom, Canada, Australia, and New Zealand—have inflicted upon the world a system of secret, pervasive surveillance from which there is no refuge. They protect their domestic systems from the oversight of citizenry through classification and lies, and shield themselves from outrage in the event of leaks by overemphasizing limited protections they choose to grant the governed.”[1]

“I’m not afraid of what will happen to me. I’ve accepted that my life will likely be over from my doing this. I’m at peace with that. I know it’s the right thing to do.”[1]

For all of the things he may be—traitor,[3] coward,[4] spy,[5] hacker,[6] low-level analyst,[7] insider threat[8]—Snowden is definitely a man of his own conviction. You may not agree with what he did, and you can point to his naiveté about the impact of what he did on the intelligence establishment, but he stood up for what he thought was right and decided to do something about it regardless of how that affected his own personal life.

The Solution

In No Place to Hide, Greenwald would prefer not letting the U.S. government spy at all, but he recognizes that is probably a bridge too far. In the meantime, he offers these four intermediate solutions that are not that unreasonable:

  • Enact legislation that will provide oversight, accountability and transparency for the entire intelligence community.[1]
  • Convert the FISA court into a transparent judicial system so that there is an adversarial relationship between both sides of the argument.[1]
  • Encourage international efforts to build new infrastructure so that all traffic does not go through the US.[1]
  • Encourage individuals to adopt COMSEC tools and demand that vendors make them easy to use.[1]


No Place to Hide is not what I would call rigorous reporting. Greenwald conveys what happened to him as he followed this story and thus became part of the story himself. As I sought to corroborate the details presented within, I found I had to go to other sources to fill in the gaps. 

That said, his telling of the story is important enough to the security community, the United States and the world at large that I think it is required reading. He discusses everything from the Fourth Amendment and why it should be anathema to all American citizens to allow the government to spy on their communications without a warrant, to NSA programs and their scope, to the government’s justification of mass surveillance by attempting to discredit Snowden. He then lays out the arguments against mass surveillance without a warrant, describes why the world is better off today because of the Snowden leaks, and describes the detailed timeline from when Snowden initially contacted Greenwald to their meetings in Taiwan to Snowden’s eventual escape to Moscow. Finally, Greenwald describes his reasonable solution for the problem: better legislation to provide oversight, accountability and transparency for the entire intelligence community; convert the FISA court into an adversarial judicial system; encourage international efforts to build new infrastructure so that all traffic does not go through the United States; and finally, encourage individuals to adopt COMSEC tools so that all intelligence agencies have trouble intercepting communications.

Greenwald tries to present a lot of complicated material in No Place to Hide. He was not completely successful at doing so, but he is writing about the fundamental principles of how we want the United States to behave in the digital world. Governments have a lot of capability to present their side of this debate. Greenwald is one voice on the other side that has grabbed center stage because of his relationship with Edward Snowden. Because of that, we should pay attention to what he has to say. Despite the less-than-stellar prose, No Place to Hide is a cyber security canon candidate, and you should have read it by now.


[1] “No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State,” by Glenn Greenwald, Metropolitan Books, 13 May 2014, last visited 6 June 2014.

[2] “NSA collecting phone records of millions of Verizon customers daily,” by Glenn Greenwald, The Guardian, 6 June 2013, last visited 30 June 2014.

[3] “Congress Flips Out About 'Snowden The Traitor' As They Try To Pass Legislation To Stop The Program He Revealed,” by Mike Masnick, TechDirt, 5 August 2013, last visited 30 June 2014.

[4] “Inside the Mind of Edward Snowden,” by Tracy Connor, NBC News, 28 May 2014, last visited 14 June 2014.

[5] “Snowden: 'no relationship' with Russian government,” by Peter Cooney and Warren Strobel, Reuters, 29 May 2014, last visited 14 June 2014.

[6] “Edward Snowden's interview: 10 things we learned,” by Catherine E. Shoichet, CNN, 29 May 2014, last visited 14 June 2014.

[7] “Defending His Actions, Snowden Says He’s a Patriot,” by Elena Schneider and Steve Kenny, The New York Times, 28 May 2014, last visited 14 June 2014.

[8] “Federal agencies embrace new technology and strategies to find the enemy within,” by Christian Davenport, The Washington Post, 7 March 2014, last visited 14 June 2014.

[9] “Stephen Fry on surveillance: there is something squalid and rancid about being spied on - video,” by Stephen Fry, The Guardian, 7 June 2014, last visited 14 June 2014.

[10] “Munk Debate on State Surveillance: Greenwald/Ohanian vs Hayden/Dershowitz,” Munk Debates, moderated by Rudyard Griffiths, 3 May 2014, last visited 14 June 2014.

[11] “The Taming of the Spook,” by William Saletan, Slate, 1 July 2013, last visited 20 August 2013.

[12] “General Alexander at Black Hat 2013: Privacy vs. Security vs. Transparency,” by Rick Howard, Terebrate, 20 August 2013, last visited 11 June 2014.

[13] “Timeline of NSA Domestic Spying,” by the Electronic Frontier Foundation, last visited 20 August 2013.

[14] “Transcript: Newseum Special Program - NSA Surveillance Leaks: Facts and Fiction,” by Harvey Rishik, Robert Litt, M.E. (Spike) Bowman, Kate Martin, Gene Policinski, Ellen Shearer, Joel Brenner, and Stewart Baker, 26 June 2013, last visited 20 August 2013.

[15] “National Security Letters: A Little Less Secret?” by Alex Abdo (Staff Attorney, ACLU National Security Project) and Hannah Mercuris, Free Future: Protecting Civil Liberties in the Digital Age, 9 May 2012, last visited 20 August 2013.

[16] “A Review of the Federal Bureau of Investigation’s Use of National Security Letters,” by the U.S. Department of Justice, Office of the Inspector General, March 2007, last visited 20 August 2013.

[17] “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage,” the Department of Justice, 19 May 2014, last visited 18 June 2014.

[18] “FBI tracked King's every move,” by Jen Christensen, CNN, 29 December 2008, last visited 16 June 2014.

[19] “The Watergate Story,” by The Washington Post, last visited 16 June 2014.

[20] “Why Did the Justice Department Indict Five Chinese Military Officers?” by Fred Kaplan, Slate magazine, 21 May 2014, last visited 16 June 2014.

[21] “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage,” by the Office of Public Affairs, the United States Department of Justice, 19 May 2014, last visited 16 June 2014.

[22] “NSA accused of spying on Brazilian oil company Petrobras,” by Jonathan Watts, The Guardian, 9 September 2013, last visited 16 June 2014.

[23] “U.S. Policy on Economic Espionage,” by James Andrew Lewis, Center for Strategic and International Studies, 7 December 2011, last visited 18 June 2014.

[24] “Civil Action No. 13-0851,” by U.S. District Judge Richard J. Leon, U.S. District Court for the District of Columbia, 16 December 2013, last visited 17 June 2014.

[25] “Liberty and Security in a Changing World: Report and Recommendations of The President’s Review Group on Intelligence and Communications Technologies,” by Richard A. Clarke, Michael J. Morell, Geoffrey R. Stone, Cass R. Sunstein, and Peter Swire, the White House, 12 December 2013, last visited 17 June 2014.

[26] “The Black Swan: The Impact of the Highly Improbable,” by Nassim Nicholas Taleb, Random House, 22 April 2007, last visited 17 June 2014.

[27] “Terrorism Deaths, Injuries, Kidnappings of Private U.S. Citizens, 2011,” by the U.S. Department of State, 31 July 2012, last visited 17 June 2012.

[28] “You’re More Likely to be Killed by a Toddler than a Terrorist,” by Washington’s Blog, 12 June 2013, last visited 17 June 2014.

[29] “Government Transparency and Secrecy: An Examination of Meaning and Its Use in the Executive Branch,” by Wendy Ginsberg, Maeve P. Carey, L. Elaine Halchin, and Natalie Keegan, Congressional Research Service, 14 November 2012, last visited 18 June 2014.

[30] “Government transparency directly related to our liberty,” by James Zachary, Transparency Project of Georgia, 16 April 2014, last visited 18 June 2014.

[31] “Bradley Manning Uncovered U.S. Torture, Abuse, Soldiers Laughing As They Killed Innocent Civilians,” by Matt Sledge, The Huffington Post, 21 August 2013, last visited 18 June 2014.

[32] “Latest Leak Shows NSA Engaging In Economic Espionage -- Not Fighting Terrorism,” by Glyn Moody, TechDirt, 9 September 2013, last visited 18 June 2014.
