Podcast appearances and mentions of bob flores

On this episode Bob and I talk about his career with the U.S. Fish and Wildlife service, his birding story and stories and more. How many birders have birded in Area 51?  My guess is not many.  His career path involved working at many of the great U.S. National Wildlife Refuges including the Loxahatchee NWR in Florida, the Wheeler NWR in Alabama, Kern NWR, Stillwater NWR in Nevada, and the Ridgefield and Columbia NWRs in Washington.  Bob encouages birders to ask their senators Here are contacts for the WA Senators and Representative of that area.  Senator Patty Murray Murray.senate.gov Vancouver Office (360) 696-7797 Seattle Office (866) 481-9186 Senator Maria Cantwell Cantwell.senate.gov Vancouver Office (360) 696-7838 Seattle Office (206) 220-6400 Representative Jaime Herrera Beutler Jhb.house.gov Vancouver Office (360) 695-6292 Washington DC Office (202) 225-3536 Thanks for listening.   Read more on the  Birdbanter.com  blog.  Until next time, good birding and good day!

OODA CTO Bob Gourley was joined by former CTO of the CIA Bob Flores in a discussion on the state of enterprise technology, resulting in this next in our series designed to provide actionable insights to leaders in business and government. Bob is a member of the OODA Network and was one of the scheduled speakers of our now postponed OODAcon "Future Proof". Flores has a very interesting background where he has continued to build on his experiences and education in a way that makes him the exemplar for many of us. With his degrees in statistics and years of volunteer work as an emergency responder he has a knack for quickly assessing complex situations. And his years of enterprise technology leadership have equipped him with an almost magical ability to assess technology and its relevance to enterprise missions. On top of that he has served commercial industry with hands-on technology and cybersecurity assessments and even a stint as an acting CISO for one of the world's largest banks. This interview with Bob brings insights from his background contextualized for the CEO or government leader seeking to inform decisions. Related Resources: A Decision-Makers’s Guide to Artificial Intelligence: A plain english overview with the insights you need to drive corporate decisions The Executive’s Guide to Quantum Computing: What business decision-makers need to know now about quantum superiority The Executive’s Guide to the Revolution in Biology: An overview of key thrusts of the transformation underway in biology and offers seven topics business leaders should consider when updating business strategy to optimize opportunity because of these changes. OODA COVID-19 Sense-making: A dynamic resource for OODA Network members looking for Coronavirus/COVID-19 information to drive their decision-making process. We’ll update it with new links as we encounter them. This is not meant to be a comprehensive list, but rather a compilation of the most useful resources. The 2020 OODA Cybersecurity Watch List: list can serve multiple stakeholders. Investors can find firms that have demonstrated good product-market fit and are good candidates for follow-on funding. CISOs can find companies that have demonstrated real disruptive technology potential and at least enough traction to prove they are worth considering. OODAcast on YouTube: OODA's YouTube Channel

Why We Did This – Facebook’s New Product: You. In a number of confidential strategy sessions with the Acreto Advisory team, led by Bob Flores, former CTO of the CIA, we set out to identify a number of potential mid to long-term threats that we should monitor. In studying the challenges that come with securing and adopting IoT technologies, and based on the complexities of how they operate and the dependency model that is established sociologically, we realized that Facebook, Google, and other similar tech giants are starved for data points. “It used to be that analysis of large amounts of data was limited to the biological capacity of the person. Computers didn’t used to have the processing power nor the algorithm and data sciences that they do today. Now, that’s not the case. The fact of the matter is that all these social media companies are data-starved. The more data points they have, the more they can absorb. There is no overload capacity for these social giants.” Babak Pasdar, CEO and CTO of Acreto Given recent events, and since we had one of the foremost experts in data collection in the world with us, when conversation turned to Facebook, we honed in on their data collection platform, where they are now and where they are heading in the future. We uncovered enough in that meeting to warrant a deeper dive into the Facebook machine. We studied the company, their practices, their history, their technology and even the psychology of its management team. We uncovered a lot of information and the more we uncovered, it made us want dig more. Through extensive research exploring investments, patents, acquisitions, market positioning and even management’s comments, we uncovered data that we thought was concerning. Pasdar explains, “We first became professionally interested in Facebook when we realized they have pinned their strategic future on IoTs. Where once Facebook’s information sources were limited to a handful of devices like computers and phones, with IoT integration they can collect much more granular data from hundreds if not thousands of sources.” Part of what makes addressing this challenge difficult is that the social media companies have features and functions that people want, and that they have built social environments that have become 21st century meeting grounds. These platforms are where the global community meets. All of the data points that IoT devices represent are a factor that can be difficult to overcome because there are these functionalities that may be highly desired or necessary for the social media perspective as it relates to people and our attitude towards ‘connecting’ with others. It’s really an all or nothing thing to have these features. What we’re doing, first and foremost, is identifying the problem. We are also offering organizations and consumers a balanced choice so that they can share the information they want to share, they can utilize the services of the platform in the granular way they desire to share or engage, and they are empowered and able to not give away the data that they want to protect or keep private. Facebook has proven it can be a kingmaker. Despite the company’s public relations lines, it’s clear that every party and every politician, for any seat, will engage in Facebook hacking. We define Facebook hacking as utilizing publicly available resources, along with coercion and manipulation of people, technologies and process to gain advantages. Advantages that can be for a cause, God, pocket book, or country. Facebook hacking is not just limited to politicians, but also extends to adversaries including those who wish physical and economic harm upon others. The stage has been set for compromising and manipulating entire communities. When thinking about securing IoT devices, we think like hackers do. How do we break it or steal it? How do we manipulate it or prevent it from functioning? How do we destroy it? These are the questions we can ask. Hacking is not direct or simple. Many times, hacking involves a complex orchestration of multiple components that typically has many permutations. When thinking through this, we realized first, how integral IoT devices are to social media, and second, the impact they have on privacy and on how we live our lives. If Facebook and Google can know as much about you as they do today with just a handful of devices such as your computer, your phone, or your watch, picture how much they would know about you and how they could manipulate you – and how they could manipulate societies, economies, or even democracies – when they have thousands of highly granular data points for each individual they track. Facebook’s reach is astounding. The organization collects a constant stream of data from one-third of the world’s population, and have their roots nestled in half of the world’s web sites. In Acreto’s Facebook Dossier, the team makes the case for Facebook as spyware and a personal information trafficker. Along with the dossier, Acreto is announcing new technology specifically designed to protect and prevent direct and indirect data leaks to Facebook and other data collection platforms such as Google, among others. Facebook’s New Product: You. Overall, the dossier explains how Facebook is intrusive for users and non-users alike. Most notably of recent events, the Cambridge Analytica scandal revealed a vast, deeply intrusive analytics manipulation with Facebook at its core. The extraordinary amount of private data collected from Facebook was used to target conservatives during the 2016 US presidential election. The information gathered from multiple testimonies to US and European legislators and regulators shed light on Facebook’s IoT strategy and sets the stage for intrusion of privacy of historic proportions. Nothing is more illuminating about Facebook’s strategy of data collection than their recent acquisition of Onavo, dubbed a “mobile data analytics company”, but in actuality, a ‘man-in-the-middle’ masquerade to collect, store and analyze all user communications for Facebook’s use, benefit, and profit. Facebook came, Facebook saw… and Facebook continues to conquer: this time, your IoT devices. “Cambridge Analytica is the canary in the coal mine to a new Cold War emerging online. Soon the so-called ‘Internet of Things’ will become the norm in American households. Algorithms will soon be driving our cars and organising our lives. This is not just about technology today, we have to seriously consider the implications for tomorrow. To put it bluntly, we risk walking into the future blind and unprepared.” Christopher Wiley, Cambridge Analytica whistleblower Cambridge Analytica and its parent company, SCL Elections, used a suite of political psyops tools in more than 200 elections around the planet. The vast majority of the targets were third world and underdeveloped countries, many without the resources or knowledge to defend themselves. These efforts were in preparation for their biggest effort to date: The US 2016 Presidential Elections. As we have rounded the corner for the 2018 mid-term elections, Facebook and their capabilities loom large, especially when there is no buy-in from the topmost echelon of political leadership. Your data is no longer your own. Facebook wants it all and they want it now to weaponize their most valuable product — The User. To read more about Russian nation state hacking of the US Elections and how cyberattacks come together, check out a two-part collaboration between Acreto CEO, Babak Pasdar, and former CTO of the CIA, Bob Flores, here. Learn more or read online by visiting our web site: Acreto.io — On Twitter: @acretoio and if you haven’t done so, sign up for the Acreto IoT Security podcast. You can get it from Apple – Google or your favorite podcast app. About Acreto IoT Security Acreto IoT Security delivers advanced security for IoT Ecosystems, from the cloud. IoTs are slated to grow to 50 Billion by 2021. Acreto’s Ecosystem security protects all Clouds, users, applications, and purpose-built IoTs that are unable to defend themselves in-the-wild. The Acreto platform offers simplicity and agility, and is guaranteed to protect IoTs for their entire 8-20 year lifespan. The company is founded and led by an experienced management team, with multiple successful cloud security innovations. Learn more by visiting Acreto IoT Security on the web at acreto.io or on Twitter @acretoio.

Bloomberg Spy Chip – Bullshit? This is Part 1 of a two-part investigative deep-dive into the accusations of Bloomberg’s recent article, ‘The Big Hack’. Written by Bob Flores, former CTO of the CIA, and Babak Pasdar, CEO of Acreto IoT Security. In a recent blog, Babak Pasdar highlighted a Bloomberg report that claimed China had embedded hardware spy chips on servers from Supermicro. Supermicro provides data-center servers used by many companies from small startups to the likes of Amazon and Apple. Bloomberg claims that the spy chips were discovered by a security auditor hired by Amazon AWS. This audit was part of an acquisition due diligence of Elemental Technologies, a platform specializing in multi-screen video processing. Bloomberg claims that Amazon and Apple are among the organizations impacted by the alleged Chinese spy chip. And one-by-one they have all denied that the story has merit. However, Bloomberg, a model agency in news reporting, has refused to offer any additional information or alternatively to pull the story. There is a lot about this story that doesn’t pass the smell test. If Supermicro servers have been compromised, it is a huge story. Though not a household name like Dell or HP, Supermicro is one of the top data center server platforms on the market. It is considered to be a good product with global availability at a fair price. In the article, Bloomberg makes a pointed accusation yet offers evidence that at best is vague. In the previous blog, we asked several questions: Who was the Security audit company that discovered the spy chip? How did they get access to schematics to do chip by chip validation of the hardware? Schematics that in any scenario would be considered trade secrets. If the spy chips were secretly installed by a Supermicro contractor as the article claims, who QA'ed the hardware and why was the chip not discovered during the QA process? Given the emphatic and detailed denials by both companies and the U.S. government, why has Bloomberg not released more detailed data to back up their claims? The implications are that China has backdoor access to countless systems, hosting applications and data, impacting thousands of companies and millions of individuals. The integrity of corporate, government and critical infrastructure is at stake – as well as personal data for large swaths of the population. Is This Realistically Possible? Bloomberg provided very little detail, and what they did provide was at best vague and not evidence-worthy. Based on the information they did provide, the industry take-away is that this vulnerability is via the server’s IPMI interface. IPMI is an always-on IoT embedded in a server to manage the hardware, even if the server is powered off. As presented, the IPMI platform can theoretically be manipulated to function as a back door, providing access to the server’s network, system memory and the system bus. You can learn more about this in Pasdar's previous blog on this issue on our website. Having said that, for Bloomberg’s vague spy chip explanation to work, you need a Supermicro motherboard with an on-board IPMI, and then many, many, many things have to line up for the compromise to work. First, an Internet accessible IPMI connection with stateful outbound access is needed -- something no self-respecting organization with even a moderately experienced infrastructure team would have. The chip Bloomberg presented in their article is just physically too small to store and execute the necessary code to fulfill its purpose, so it would also need to connect and download software from an external server. Hackers will never use an external server they own that references back to them. It would lead authorities right to them and there would be no plausible deniability. The server is most likely another compromised system on the Internet. Moreover, the external server's address isn't hard-coded into the chip. Compromised servers are disposable since the compromise may be discovered and addressed at any point – or the system moved or decommissioned. If this occurs, the entire effort of the compromise would be a complete waste. A process like fast-fluxing or something similar would be used to enable the spy chip to connect to an ever-changing botnet network of external servers. Fast-fluxing was specifically developed to control botnets without compromising the bot-master's identity. It is a technique where the spy chip and the external server would meet to communicate at a particular fully qualified domain name (FQDN) at a particular time. Many Different FQDNs spanning many different domains may be used to deliver content to the spy chip based on the then valid compromised IP addresses hosting the malware. The spy chip then needs to integrate into the server's OS, on-the-fly, during the boot process. This requires injecting the appropriate code for the specific OS used on the server. The OS could be one of dozens, if not hundreds of possible options since the Supermicro B1DRi motherboard that Bloomberg claims is compromised, is certified compatible for many different OSes and associated versions. This includes 32-bit Red Hat, SUSE, Ubuntu and FreeBSD as well as many versions of 64 bit Red hat, Fedora, SUSE, Ubuntu, Solaris, FreeBSD, Centos and Windows. Further, it also supports multiple hypervisor versions of VMWare, KVM and Xen Server, not to mention Amazon AWS's proprietary hypervisor. Each one of these OSes needs a different code. Even each version of the same OS may require an altogether different code to be injected into the compromised system. Consider how quickly the spy chip would have to act to intercept local boot code, determine the OS brand, distro and version from a smattering of code flying on a computer's bus, perform the fast-flux operation and fetch the appropriate compromise code from the appropriate server. All of this -- which is a lot -- needs to happen for the spy chip to work. Next Up: Bloomberg Spy Chip – Bullshit? Part 2: Let’s Break Down the Claims. Learn more or read online by visiting our web site: Acreto.io — On Twitter: @acretoio and if you haven’t done so, sign up for the Acreto IoT Security podcast. You can get it from Apple – Google or your favorite podcast app. About Acreto IoT Security Acreto IoT Security delivers advanced security for IoT Ecosystems, from the cloud. IoTs are slated to grow to 50 Billion by 2021. Acreto’s Ecosystem security protects all Clouds, users, applications, and purpose-built IoTs that are unable to defend themselves in-the-wild. The Acreto platform offers simplicity and agility, and is guaranteed to protect IoTs for their entire 8-20 year lifespan. The company is founded and led by an experienced management team, with multiple successful cloud security innovations. Learn more by visiting Acreto IoT Security on the web at acreto.io or on Twitter @acretoio.

This is Part 2 of a two-part investigative deep-dive into the accusations of Bloomberg’s recent article, ‘The Big Hack’. Written by Bob Flores, former CTO of the CIA, and Babak Pasdar, CEO of Acreto IoT Security. Bloomberg Spy Chip - Bullshit? Part 2 Now let’s break down Bloomberg’s claims further. In the article they present a graphical image of a Supermicro motherboard and strip away components until the spy chip can be seen. The motherboard they present is a Supermicro B1DRi with an AOC-GEH-i4M add-on module. As shown on the Supermicro web site, the B1DRi is designed to host up to two Intel E-2500 v3 slash v4 CPUs and up to 256 Gb of 288 pin DDR4 memory and can be mounted to a sled with its own hard-disks. However it is not a standalone server and needs to be mounted in a Blade Enclosure to function. The enclosure provides power, hosts a network switch and most importantly has a shared IPMI management board plugin. If the spy chip works through the IPMI, how can Bloomberg show the spy chip placed on the motherboard, when the IPMI for the board is an external module in the enclosure? It looks like the IPMI must be individually linked to each server blade to manage that blade. The IPMI IoT is an external module plugged into the enclosure and to be used, it needs to be individually assigned to each of up to 16 server blades in the enclosure. If that is the case then there is a 1 in 16 chance of compromising a server and even then, it would be opportunistic and inconsistent depending on which blade the IPMI may be set to manage on boot. Now – let’s discuss the chip Bloomberg presented in the article. If the insanity of the logistics to effectuate this hack is not enough to make you call Bloomberg’s story Bullshit, then their presentation of the spy chip should. The chip presented IS NOT A SPY CHIP, it is an RF Balun. A standard, off-the-shelf Surface Mount Device (SMD) that converts between balanced signals and unbalanced signals, hence the name Bal-Un. If you look at the Stesys or Farnell websites, they are two of the many component providers who sell them. You too can have one for a mere $1.67. And if the pictures were supposed to be mere examples of what a spy chip might look like and the type of motherboard it could be embedded on, they certainly did not present it that way. Also, consider that a motherboard is an incredibly complex piece of equipment. These types of motherboards need to be extremely high performance and extremely compact at the same time. This makes them extremely dense. They are almost always multi-layer boards where traces connecting the various electronic components exist on as many as a dozen different layers. And these systems are delicate, their operation requires the various electronic components to operate harmoniously. Frankensteining hardware to the system would be at the very least — challenging. The majority of people within a company involved in R&D, design, procurement, manufacturing and testing of the motherboards are often sequestered into groups with access that is limited to specific functional domains. Very few people have complete access to the designs and schematics for the entire board. And this almost never includes subcontractors or some small security company out of Canada doing technical due diligence for a mundane acquisition. Furthermore, the people charged with manufacturing are typically not the same people who do quality assurance (QA). The job of QA is to test every permutation of every function. We have to believe that QA’s most fundamental tests would catch something as overt as communications where the spy chip tries to identify, fetch and inject packets on-the-fly. The number of people that would need to be turned or paid off would be staggering. As many as 30 – 50 people would need to be engaged throughout the supply chain spanning multiple companies and countries. An amateurish and incredibly messy way to run a covert op. How Everything Comes Together. Because of the vague assertions, it is tough to argue definitively that any one aspect of the article is wrong, however when you put it all together: 1. We don’t know of many security companies that do reverse engineering on PCs as part of their due diligence. 2. Schematics are trade-secrets and almost never available for complex multi-layer motherboards. How could the security company have had access to schematics? 3. The sheer number of people that need to be involved in implementing the spy chips is staggering and doesn’t make sense for this type of effort. 4. The QA process, one known to be particularly meticulous, never caught the issue. 5. The ridiculous complexity of the hack where the sun, the moon and the stars have to align for it to work. 6. Not only is this compromise overt and easy to identify, but the vast majority of organizations have built-in defenses against this attack vector — especially Apple and Amazon. 7. The need for an Internet accessible IPMI network. 8. The need for the chip to fast-flux, connect to a remote system and pull-down compromise code while the system is booting. 9. The complexity of pulling a different code set on-the-fly for each of the hundreds of unique operating system and revision combinations. 10. The B1DRi motherboard being part of the blade system without any on-board IPMI, which can only be managed one blade at a time. 11. The vagueness of the charges and lack of any supplemental follow up, while Bloomberg continues to sit silent. 12. And trying to sell us that an off-the-shelf $1.67 RF Balun is a spy chip. For these reasons, many of us believe the Bloomberg story just doesn’t have a leg to stand on. Bloomberg has made explosive allegations. They have had a drastic negative impact on Supermicro’s stock price — down 50% as of this writing. Their story is barely, if at all, viable. The information they provided was amateurishly vague. Their silence in the face of the backlash speaks volumes. And yet they continue to stand by their story and not recant. Add Bob Flores and Babak Pasdar to the growing list of skeptics. If you have evidence, then present it and if you were conned it is understandable – but please stand up and own it. Learn more or read online by visiting our web site: Acreto.io — On Twitter: @acretoio and if you haven’t done so, sign up for the Acreto IoT Security podcast. You can get it from Apple – Google or your favorite podcast app. About Acreto IoT Security Acreto IoT Security delivers advanced security for IoT Ecosystems, from the cloud. IoTs are slated to grow to 50 Billion by 2021. Acreto’s Ecosystem security protects all Clouds, users, applications, and purpose-built IoTs that are unable to defend themselves in-the-wild. The Acreto platform offers simplicity and agility, and is guaranteed to protect IoTs for their entire 8-20 year lifespan. The company is founded and led by an experienced management team, with multiple successful cloud security innovations. Learn more by visiting Acreto IoT Security on the web at acreto.io or on Twitter @acretoio.

On this What’s Working in Washington EXTRA, we spoke with Bob Bigman, president of 2BSecure; Bob Flores, co-founder and partner of Cognitio Corp; and Bob Gourley, founder and CTO at Crucial Point LLC, to discuss the hurdles cybersecurity still faces in ensuring the protection of the country's most important systems. Other topics include why D.C. continues to be a hotbed for cybersecurity, and the innovations that will bring the industry into the future.