Friday, February 25, 2011

Does Huawei Support China's Monitoring Laws?

Huawei recently published on its website an open letter to the U.S. government regarding its attempt to acquire 3Leaf and the ruling of CFIUS (Committee on Foreign Investment in the United States) which opposed it. The letter's authors have attempted to allay fears in the U.S. that Huawei has deep ties with the PLA and the State Council, and that its hardware may be utilized by the Chinese government to conduct offensive cyber operations such as sabotage or espionage.

Huawei's letter isn't remarkable for what it says, but for what it doesn't say. According to Huawei's annual financial report (2009), it is "the largest network equipment provider for China Unicom's WCDMA networks and China Telecom's CDMA2000 EV-DO networks; and it provides over 30% TD-SCDMA network equipment used by China Mobile." An early look at Huawei's 2010 annual report (by China Technology News) confirms Huawei's continuing support of China's three carriers. Since the supervision and monitoring of "all wireless frequencies, satellite orbits, telecommunications network numbering, Internet protocol addresses and Internet domains used to realize telecommunications functions" is mandated by Chinese law, and since Huawei provides the majority of the hardware for China Telecom and its sister companies, isn't it reasonable for Western governments to be suspicious that the same Huawei technology which supports the Chinese government's monitoring requirements may also be used in like manner outside of China?

If Huawei wants to convince Western governments that its hardware doesn't contain backdoors or other hidden malicious code, my suggestion, as someone who regularly speaks and writes on this topic for U.S. and foreign governments, is that it provide details on how its equipment is being used as part of China's information acquisition and processing program within the PRC. That level of full disclosure would probably go a long way toward establishing trust in a world where there currently is none.

UPDATE: This article has been cross-posted at The Diplomat's Flashpoints blog. 

What HBGary Must Do To Survive

(26 Feb 2011) Update added at the end of this post.


There's an art to recovering from a public relations disaster. President Clinton was a master of it. Children died during the Jack in the Box E. coli outbreak, and in spite of the company's initial poor handling of it, the executives' actions revolutionized not only the chain but the entire fast-food industry.

Greg and Penny Hoglund's strategy to recover from their sister company's public humiliation and demise bears none of the earmarks of a successful disaster recovery plan - the Three A's:

The apology has to be immediate and sincere. Jack in the Box executives waited a few days, but they were clearly horrified and remorseful. Some reportedly cried during their depositions.

The apology must be accompanied by an acknowledgment of what you did wrong. Without an acknowledgment, the apology is worthless (e.g., "You want me to say I'm sorry? Fine. I'm sorry. Satisfied?"). So is an apology that comes with a modifier attached (e.g., "I'm sorry, but _____").

You must announce the steps that you are taking to ensure that what just happened doesn't happen again. Jack in the Box's action plan set an entirely new standard for food service that revolutionized the fast-food industry:

Within days of the outbreak, Jack in the Box called microbiologist David Theno and begged him to give up his own business in food research to become vice president of quality assurance and product safety. He accepted and began to build the fast food industry's first Hazard Analysis Critical Control Points (HACCP) program, which attempts to ensure the safety of food at every point at which bacterial contamination can occur.
The executives of HBGary, faced with the public tarring and feathering of their creation HBGary Federal, have done none of the above. Instead of the Three A's, they've chosen to play the role of victim and deny any responsibility for what happened, the latest evidence of which was this plaque at their empty RSA 2011 booth:
Figure 1: photo taken by Paul Roberts of ThreatPost

According to this February 16, 2011 story in the L.A. Times, Jim Butterworth (VP, HBGary) said they were a victim and that HBGary Federal was a completely separate company that just shared a headquarters office in Sacramento. To date, no apology has been forthcoming from anyone at HBGary or their subsidiary HBGary Federal. Greg and Penny Hoglund could have learned a lot by emulating the actions of Palantir's CEO, Dr. Alexander Karp, whose letter of apology was timely, sincere, and included a plan of action.

Even if the Hoglunds were to come to their senses and begin the hard work of acknowledging their role in this scandal, apologizing for it, and announcing a plan of action that will prevent it from happening again, an awful lot of time has already gone by, and their motivations for switching strategies at this late date would be suspect. However, with an apology comes the remote chance that they could rebuild trust and integrity over time. Without it, there's no chance at all.

(Update 26 Feb 2011) According to Ars Technica, on 18 Feb 2011, Aaron Barr issued the following statement via his Twitter account: "My deepest personal apology to all those that were negatively effected [sic] by the release of my e-mail into the public." As I pointed out in my original post, this doesn't qualify as an apology because there's no acknowledgment that he did anything wrong. Instead, it's a passive-aggressive attempt to put the blame on someone else.

Thursday, February 24, 2011

The Middle East Internet Scorecard

Arbor Networks continues to do impressive work in its analysis of Internet traffic flows as they relate to current events; in this case, the social uprising that's sweeping the Middle East. Read Craig Labovitz's analysis at Arbor's blog. A PDF of the report is available as well.

Thursday, February 17, 2011

In Defense of Palantir

I used to live in Manhattan many years ago and apart from the great restaurants and museums that you could literally walk to, the one thing that really stands out in my memory is the non-stop flow of energy that sweeps you up and propels you to compete, accomplish, create, and win whatever it is that you're in the City to do. After I left, I never had that experience again until I came to Palo Alto to meet with Dr. Karp, Shyam Sankar, and a few of their hard-working engineers on the Project Grey Goose experiment. To this day, Palo Alto seems to thrive on an almost electrical charge that's generated by the potent mixture of extremely bright people and extremely ambitious VCs both working to solve extremely tough challenges and make a profit while doing it. The downside of that wonderfully exciting energy is that it takes its toll on you. There are incredible pressures to bring in business and meet the requirements of very demanding customers. Add to that the complexity of selling to the U.S. government and the fact that it takes 3 years on average to get your first sale, and you've got a real pressure-cooker environment.

Palantir Technologies competed against everyone else in their market and won much more often than they lost. During Project Grey Goose, I had my pick of software applications to do open source analysis with, including i2, but no one even came close to what Palantir's engineers had created. When I heard about i2's lawsuit against Palantir, I couldn't believe it. I wouldn't have used i2 if they'd paid me. The fact that i2 and Palantir settled doesn't mean Palantir was guilty of anything. Any inference that they were is grossly unfair and, as far as I'm concerned, has no merit whatsoever.

As far as Palantir's cyber team assisting Aaron Barr's doomed company HBGary Federal goes, bad judgment is not a hanging offense. If it were, the human race would have been wiped out millennia ago. There's a well-known adage that says "Good judgment comes from experience, and experience comes from bad judgment." In the case of Team Themis, there was enough bad judgment to rebuild the Bering Land Bridge. The people responsible are paying the price for it, as they should. I don't know anyone at HBGary/FED or Berico, but I know the principals at Palantir along with some of their engineers, and I really hate seeing them get treated so unfairly. Alex Karp has been nothing but generous to me with his time and his advice, particularly between 2008 and 2009 when I was really struggling to launch my consultancy GreyLogic after I left Microsoft. The same with Shyam Sankar, who offered to cover my costs when an international client of mine was passing the 60-day mark on paying my invoice. Neither Alex nor Shyam needed to do that. We weren't close friends. Project Grey Goose had already run its course as far as publicity for Palantir was concerned. There was no incentive for them to assist me, yet they did.

As far as I'm concerned, that's the bottom line. We're all flawed, and we often act in our own self-interest. What sets us apart from our neighbors is when we are kind or generous to others without benefiting from it. As far as I'm concerned, Palantir Technologies' core values and those of its CEO and Director are both sound and worthy of emulation, and they have my full support.

Wednesday, February 16, 2011

While GoDaddy Is Having Server Problems ...

The timing on this is a bit disconcerting. After I left last Monday due to a censorship issue over this post, I moved "Digital Dao" to my own domain, hosted by GoDaddy. Today, only two days later, was inaccessible due to a 403 error. When I called GoDaddy support, there was a recorded message saying that they were having hosting issues and were working on the problem. Until that gets resolved, I forwarded the domain to The fun never ends.