Bio

  • David Rice is an internationally recognized information security professional and an accomplished educator and visionary. For a decade he has advised, counseled, and defended global IT networks for government and private industry.

    David has been awarded by the U.S. Department of Defense for “significant contributions” advancing security of critical national infrastructure and global networks. Additionally, David has authored numerous IT security courses and publications, teaches for the prestigious SANS Institute, and has served as adjunct faculty at James Madison University. He is a frequent speaker at information security conferences and currently Director of The Monterey Group.

July 03, 2008

Broken Windows and Your Money: A Hacker in your ATM

Hackers broke into Citibank's network of ATMs.

To quote The New York Post:

The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals accessed PINs - the numeric passwords that theoretically are among the most closely guarded elements of banking transactions - by attacking the back-end computers responsible for approving the cash withdrawals.

Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet.

How the hackers infiltrated the system is a question that still hasn't been answered publicly. All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.

Software vulnerabilities send an unmistakable message of disorder into the environment. Small elements of disorder (like software bugs) lead to greater elements of disorder (like exploitation of software vulnerabilities) and more serious forms of crime (like hacking ATM infrastructure).

July 02, 2008

Apple Patches 25 Mac OS X security vulnerabilities

Open-source code used by Apple accounts for more than half the flaws

To quote ComputerWorld:

Apple Inc. issued today its fourth security Mac OS X update of the year, patching 25 vulnerabilities, nearly half of them considered critical. The company also updated Safari for the Mac to plug a hole already fixed in the Windows version of the browser and released an update to bring the operating system to Version 10.5.4.

Security Update 2008-004, which follows its predecessor by about a month, fixes flaws in a dozen components of Mac OS X 10.4 (a.k.a. Tiger) and 10.5 (Leopard), ranging from Alias Manager and the Dock to VPN and WebKit. Apple labeled 11 of the 25 vulnerabilities with its "arbitrary code execution" tag, thus slotting them into a category that vendors that rate threats would peg as "critical."

Over half of the vulnerabilities were in open-source code and components that Apple bundles or integrates with its own, a not-so-unusual position for the company to be in, according to Andrew Storms, director of security operations at nCircle Network Security Inc. "There's a substantial amount of software [patched] in the update that Apple is not directly responsible for," said Storms. "That will continue to be a problem for Apple, and its only solution will be to turn about updates sooner."

A couple of items on this post. First, the fact that software is "open source" does not necessarily mean it is "more secure." Openness and security are not strongly correlated. It is important to keep the two notions separate: open software can be more secure, but that is no guarantee that it will be more secure.

Second, the "only solution" for Apple is not to "turn about updates sooner." Updates are a perverse incentive allowing software manufacturers to optimize legal protections for a licensing agreement the consumer could not negotiate in the first place. Updates may benefit Apple, but from a legal perspective updates do not favor the consumer.

Updates are "one" solution, depending on how liberally you might define "solution," but not the only solution. That is a technologist's view of the world. Apple can hold its supply chain accountable for defective products. Apple does this for hardware devices like the iPod and iPhone, but not for its software.

Third, it does not matter that Apple "is not directly responsible" for the code it gets from open source groups. A defective product is defective, period. The 1960s automobile industry attempted the same shenanigans by blaming third party producers for defects in its cars, but the courts deemed otherwise. The appropriate focus is not whether Apple or its suppliers caused the product to be defective, but whether the product was in fact defective.

In other words, regardless of whether Apple could have detected the vulnerabilities, and whether or not Apple or its suppliers caused the defect to occur, the product released into the global stream of commerce was defective. It does not matter how the defect occurred, even if the cause of the occurrence could be attributed to processes or production practices completely outside the control of Apple. Apple should be responsible and accountable for the products it releases, both hardware and software. Apple can and should pursue its suppliers - open source or not - for providing the company with less-than-secure code.

July 01, 2008

All Your Domains Are Belong to Us

A ComputerWorld article reported that visitors to ICANN and IANA websites (organizations that oversee the critical routing infrastructure and regulate domain names, respectively) were redirected to an illegitimate website.

Hackers hijack critical Internet organization sites

To quote:

Users who tried to reach iana.com, iana-servers.com, icann.com and icann.net were shunted to an illegitimate site, said researchers at zone-h.org, a group that collects evidence of site attacks, including page defacements and redirects. According to a screen capture of the defacement snapped by zone-h.org, the bogus site simply displayed a taunting message: "You think that you control the domains but you don't! Everybody knows wrong. We control the domains including ICANN! Don't you believe us?"

Website defacement and redirection is the graffiti of the Internet. It might not appear to be a serious matter, but if left unchecked sends a message of disorder that leads to greater, more serious elements of disorder. In other words, if we don't properly care for the digital neighborhood, it sends a message to other cyber attackers inviting similar and worse activities.

The ICANN response was not reassuring in combating the message of disorder... "A spokesman for ICANN contacted Friday morning wasn't aware of the hack, and declined comment until he found out more."

June 30, 2008

Geekonomics on CRN Digital Talk Radio, July 2

I will be speaking about the lack of consumer protection in the software market with Jack Roberts on CableTalk, Cable Radio Network.

Broadcasting 24-hours daily, CRN's radio networks can be heard from coast-to-coast on Cable Television Systems, Satellite Dish, and worldwide at crni.net. On most cable television systems, CRN is featured on the public information channel.  On digital cable systems, CRN's digital talk channels are listed right after the music service. Check your local cable listings for availability.  CRN is also available in Southern California on PAX TV KPXN Channel 30's SAP (Second Audio Program) channel.

Date: July 2, 2008

Time: 9:50am Eastern/6:30am Pacific

ListenLive: www.crni.net

Mind-boggling and Ridiculous

Recently, Microsoft released an updated version of its Malicious Software Removal Tool that, according to reports, removed password-stealing malware from more than 2 million PCs.

Microsoft security fix clobbers 2 million password stealers

To quote Computerworld:

One password stealer, called Taterf, was detected on 700,000 computers in the first day after the update. That's twice as many infections as were spotted during the entire month after Microsoft began detecting the notorious Storm Worm malware last September.

"These are ridiculous numbers of infections my friends, absolutely mind-boggling," wrote Matt McCormack, a spokesman with Microsoft's Malware Response Center...

The password-stealing programs are often installed via Web-based attack code that exploits flaws in multimedia programs such as Adobe's Flash Player or Apple's QuickTime Player...The attacks are often technically sophisticated, exploiting previously undisclosed bugs in Windows software...

Indeed, this is mind-boggling and ridiculous. Mind-boggling that we still consider 2 million infected hosts to be a mind-boggling number (we are now easily into the 10s of millions of infected hosts) and ridiculous that we do not castigate software manufacturers for enabling such highly foreseeable malicious activity via defects in their products. In fact, we seem to be grateful when manufacturers give us free tools to clean up after their mistakes. This stretches the definition of "free" to be sure.

Have we really become that numb to defects in software, so blasé to software manufacturing blunders, that we simply take insecure software as an inevitable and unavoidable reality?

Maybe.

Some in the information security community attempt to blame PC owners for the massive installation of malware like Taterf. Some might even argue that "previously undisclosed bugs" are not even necessary to enable widespread infections because users can simply be socially engineered (i.e., tricked) into installing malware onto their machines. And some might even have the audacity to state that what we really need is better in-bound malware blocking and application control to inhibit what malware can do once it gets on a PC.

These arguments have some merit, but not nearly enough.

First, stop solely blaming users for the sorry state of cyber security. Are users partly culpable? You bet. "You can't patch stupid," is an accurate, if cynical, remark made by some in the security industry, but such a remark fails to recognize that users no longer need to be "stupid" to become victims anymore.

Case in point, once upon a time, there was a significant likelihood a computer would get infected because of, shall we say, the pursuit of less-upstanding behavior by users, such as visiting porn sites and downloading cracked software. This will always be true and the title of "stupid" should be awarded frequently and copiously to those who engage in such pursuits.

Of late, however (2004 forward), many normal and innocuous commercial web sites (like Circuit City's Customer Service site) have been hijacked and infected with exploit code targeted at users' internet browsers, media players, and operating systems. Just by visiting these unknowingly infected web sites, the victim's machine will become infected through no fault of the user (but the fault of the software manufacturer). Because exploits on the hijacked website attack previously undisclosed vulnerabilities on the user's PC (such as in QuickTime, Internet Explorer, Adobe Flash, or Safari), the user's stupidity is moot. Patching is moot. The user is not "stupid" in such cases; the manufacturer is, and so are we for failing to recognize this and failing to stop it.

We have spent decades in the legal profession protecting consumer rights; protecting consumers against blame for damages caused by manufacturing defects that were not the consumer's fault. Let us not delay fairness in the Information Age as we did in the Industrial Age. Where users are responsible for their own behavior in cyber space (such as giving up their password to a phishing scam) surely hold users responsible for possible damages (and pursue the cyber criminal if we can). But we cannot, should not, must not hold computer users accountable for something that is not their fault: poorly written software. Such responsibility should fall squarely on the shoulders of software manufacturers, but does not.

Remember, users are merely an avenue to the vulnerabilities of software. Simply by surfing the Internet, users are at risk, not through questionable behavior, or even stupid behavior as once was the case,  but through normal, innocuous behavior. Users can be tricked by a host of techniques to be sure, but they are tricked for what I believe to be a significant and obvious reason: to exploit defects in the software they use.

Are there other reasons? Sure. It's not just about exploiting vulnerabilities in software, but exploiting vulnerabilities in software is a very powerful incentive; otherwise we would not see the type and amount of concentrated research by cyber criminals and nation states into discovering software vulnerabilities. Discovering defects manufacturers failed to detect themselves gives discoverers potentially immense power over millions of systems.

Second, insisting that we need better in-bound malware blocking and application control is yet more of the same technology-centric view of security; that somehow insecure software is a technological phenomenon to be solved by yet more technological phenomena. Can products help to an extent? Yes. But these products are not complements to robust, secure software as seat belts and air bags are complementary to robust, safety-oriented automotive design; security products are counterbalances to the lack of security and software assurance practices of software manufacturers.

Complicating this situation, the security industry does not really sell security, it sells products. Analysts as well as vendors make money from all the gymnastics and prancing in the security industry. Their incentive is to sell; sell products, sell devices, and sell reports about those devices and products. Their incentive is not necessarily to protect you. Their incentive is to sell. Their hope, as well as yours, is that the security products actually work and their efficacy is easy to maintain. History is not kind in this regard.

And where are software buyers now because of this? Swamped with products, swamped with appliances, swamped with best practices, swamped with myriad configuration options, swamped with sometimes contradictory and unrealistic compliance requirements, swamped with unending financial expenses, swamped with what to do and how to do it, scrambling for sanity and feeling dazed and confused.

It is truly mind-boggling and ridiculous. 

June 27, 2008

Forbes.com: Geekonomics Interview

To quote Forbes.com:

Call David Rice the Ralph Nader of cyber security. Rice's book, Geekonomics: The Real Cost of Insecure Software, is a kind of hacker's take on Unsafe at Any Speed, a manifesto that calls the software industry to account for its careless attitude toward security, just as Nader took the auto industry to task for its abysmal safety standards in 1965.

Read the rest of the article and interview: A Tax on Buggy Software

June 26, 2008

Apple: The Fruits of Popularity

Apple's growing popularity is promising to cyber attackers. Once upon a time, Apple users could smugly (and dare I say condescendingly) claim that Mac users were safer than PC users because Macs didn't have nearly the same number of software vulnerabilities as PCs. This may still be the case to some extent, but that era is drawing to a close.

To quote a recent article from Computerworld:

Researchers spot Mac Trojan in the wild

Security researchers reported last week that they have spotted a Mac Trojan horse in the wild...

The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger's and Leopard's Remote Management component. Composed as a compiled AppleScript, or in another variant, script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac.

"[It] allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging," claimed SecureMac. "Additionally, the Trojan can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing."

This is not the first vulnerability of its kind in Apple products to be sure, and it will not be the last. When Apple languished at 3 percent market share it simply was not a lucrative target for cyber attackers. At roughly 6 percent market share, Apple is more promising (Ubuntu, at less than 1 percent market share has a long way to go).

In the software market, security is not part of the beauty contest until it is too late; that is, in the race for market dominance security is not a competitive differentiator for software manufacturers. As such, software manufacturers have no incentive to make security a priority. Features rule the race for market dominance; not security, not secure software, and certainly not software assurance.

When a software product finally becomes popular, the lack of attention the manufacturer gave to secure software and software assurance becomes more clear. In fact, as one of my colleagues so eloquently remarked, "It becomes fucking obvious."

The problem, of course, is latent defects lose their latency proportional to a product's popularity. As a result, the patching race becomes more frenetic: the vendor must issue a patch and consumers must apply the patch (or undertake other system changes) as quickly as possible before attackers exploit the defect. Consumers rarely ever win this race. If attackers keep knowledge of the vulnerability to themselves, then consumers are completely out of luck. Attackers can exploit the vulnerability at will with no fear of the manufacturer producing a patch to thwart their activities. Consumers lose either way.

The fruits of popularity are clear: the manufacturer potentially makes a tremendous amount of money, shareholders are happy, and consumers pay for this success twice. First, by purchasing the product; second, by being exploited.

Something is rotten here.

June 23, 2008

Geekonomics on News Radio AM970, June 26

I'll be speaking with News Talk host Tommy B. about cyber security and consumer protection for software users on News Radio 970AM in Billings, Montana. The call letters are KBUL...you gotta love Montana just for that.

Date: June 26, 2008

Time: 8:30am Mountain time.

Channel: AM970 

SCADA: The Pulmonary System of Countries Has a Disease

"Who feeds Paris?"

This is a rhetorical question often asked by economists to highlight the bewildering number of activities needed on a daily basis to feed a city. Almost by magic, just the right amount of apples appear at the grocery, the butcher has the types of meats his customers desire, and even with the high price of gasoline, gas stations are not in danger of running dry any time soon. How does this happen? In essence, how does Paris, or any city for that matter, function daily?

An economist might answer that this is the result of a healthy market economy, albeit an incredibly complex market economy, where, in the case of a large city, millions of self-interested transactions determine the market price for a particular resource and market participants buy and sell accordingly. At base, the "magic" that makes all this happen is you and your desire for a better life...not only to eat apples, but possibly to sell apples at a reasonable profit to those who might want them. Markets have tremendous influence on the lives of everyone, even those who think they might not be part of a market.

But there is more to the story. “Who feeds Paris” is an economic perspective of the world. It assumes one very important...no, critical aspect: reliable infrastructure.

From an “infrastructuralist” point of view - pardon my creative license - you and your self-interest might be the magic that makes market economies work, but it is physical infrastructure - roads, water, natural gas, electricity - that makes it possible for "the magic" to flourish and grow. Without infrastructure it is extremely difficult to grow apples in large quantities, get them quickly to market across vast distances inexpensively, keep them cool while on the shelves, and allow you to view them in the store at night when shopping after work.

We might not always recognize the importance of infrastructure – dare I argue that many take it for granted – but in modern vibrant economies infrastructure is always (hopefully) there for us.

Infrastructure does not run itself, of course. It needs people to manage it. Lots of people. But even lots of people are not enough. Modern infrastructure is of such grand scope and scale, that infrastructure's human managers could not possibly oversee electricity, water, and gas distribution efficiently or effectively without the help of another form of magic:

SCADA.

SCADA is an acronym for Supervisory Control And Data Acquisition. SCADA is the software that controls pumps, turbines, valves...the stuff of infrastructure that keeps everything moving, flowing, and pumping. It is used in power plants as well as in oil and gas refining, telecommunications, transportation, and water and waste control. In essence, SCADA is the pulmonary system of cities, and indeed, entire countries. As such, the "health" of SCADA is very important to the health of nations as well as the wealth of nations.

But there is a problem.

A Heart Attack Waiting to Happen

The pulmonary system of countries is plagued by what I would call "genetic defects." These defects are not the result of ad-hoc evolutionary processes - as is the case with pulmonary disease in humans - these "genetic defects" are the result of insufficient manufacturing practices in creating the DNA of infrastructure: the software.

Software is what runs our infrastructure now...it is the foundation of our civilization...the DNA of infrastructure that tells it what to do and how to do it just as the DNA of a human cell tells the cell what to do and how to do it...and yet software, even in our most critical SCADA systems contains an uncomfortable number of defects.

Like any genetic defect, it may complicate your life. It may also kill you.

A recent article highlighted the potential impact of insecure software in our SCADA systems:

Critical Flaw Left Utilities Vulnerable to Attack for 5 Months

To quote:

A vulnerability found in utility control software is raising serious questions over municipal security. The issue…could have let attackers take control of water treatment plants, natural gas lines and potentially even nuclear power plant equipment. The systems in question, created by Citect, allow remote management of machinery at various plants.

Water treatment centers in Louisiana and North Carolina both use the technology, as do natural gas facilities in Chile and pharmaceutical manufacturing centers in Germany. The [software] bug, Core Security [who discovered the defect] says, could have handed hackers control of any of those systems -- theoretically giving them the power to stop an entire city's water treatment or knock out power to tens of thousands.

Ivan Arce from Core Security remarked, "The problem [with this software] is a classic example of buffer overflow from the '90s. It's not a very sophisticated thing, [which] makes it surprising."

In other words, this is an old, even common, software manufacturing foible that could have - should have - been avoided, but was not.

It’s the Incentives, Stupid.

It should not be surprising that such a “simple” software vulnerability appeared in a SCADA system, because it also appears regularly in our internet browsers, media players, and operating systems. Such a “simple” defect, along with myriad others, appears in all types of software because all software manufacturers – no matter the assumed importance of the software they create – oftentimes lack the necessary incentives to create software worthy of its role in our civilization or to patch the software in a timely manner (it took over 5 months to fix the discovered defect in the SCADA system).

Ivan went on to state, "This [software] could have been done better -- especially on such a critical software. It's not somebody's FTP server. It's software that is critical and should be addressed in a more timely manner."

Indeed. Citect could have done better, but what incentive does Citect or any software manufacturer have, really? Good intentions? Best efforts? We’ve heard assurances before by some of the biggest and most respected software manufacturers on the planet about their software: “trustworthy,” “unbreakable,”…

And they haven’t been. At great cost to us.

Such assertions by software manufacturers are vacuous and cheap to make. Is this truly sufficient for infrastructure, critical or otherwise?

Ivan goes on to state:

"Every software is vulnerable. Every single piece of software is man-made -- and if it's man-made, it's prone to errors. The important thing is not just how many bugs are out there, but also how prepared are the different organizations ... to react in a timely and precise manner."

True. All software is vulnerable. Software is man-made, yes. But the important thing IS EXACTLY HOW MANY BUGS ARE OUT THERE. The promise of "fast patching" as a means to protect critical infrastructure is truly a counsel of despair.

Software defects send an unrelenting and unmistakable message of disorder into cyberspace. This message carries consequences that we are only now beginning to understand in the form of cyber crime, cyber espionage, and, in the case of infrastructure, possibly cyber war. Attackers smell weakness like blood in the water and software is full of weaknesses. The number of defects matters…and matters greatly.

Security researchers (i.e., hackers) are doing for software manufacturers what software manufacturers failed to do themselves. This isn't about perfect software...it is about responsible development of the software that runs our lives and our economies. It is also about strong consequences for those manufacturers that fail to abide by their responsibilities to us as citizens, consumers, and fellow human beings.

We might not know how to make perfect software, but software manufacturers do know how to make better, more secure, more reliable software...and have known how to do so for over 40 years. But there is little incentive to do so. Software is man-made. This is true. It follows then that without meaningful incentives aimed at the human creators of infrastructure’s DNA, the genetic diseases brought on by insecure software will plague infrastructure more, not less.

No More Prayers

With human genetic defects, we are at the mercy of Mother Nature until we disassemble and understand the Code of Life. We can exercise regularly, and we can eat right and hope everything works out swimmingly. In the meantime, Mother Nature can ignore our prayers for miraculous healing as she pleases.

But with cyber genetic defects, we are at the mercy of our software manufacturers; other humans within our reach and grasp that make decisions based on their self-interest and not on ours. We should not and must not treat software manufacturers like the pantheon of gods: unaccountable, selectively detached, and arbitrarily interested in our well-being when it suits their purposes. We can and should hold software manufacturers to account when they make their defects our vulnerability.

"Who feeds Paris?" is a rhetorical question. "Who protects Paris?" is not.

June 13, 2008

Cyber Espionage: When the World Comes to You It's a Cornucopia

When someone steals your laptop and doesn’t give it back, that’s bad. It is worse when someone steals your laptop and then gives it back to you.

The Beijing Olympics are upon us and according to a recent USA Today article:

National security agencies are warning businesses and federal officials that laptops and e-mail devices taken to the Beijing Olympics are likely to be penetrated by Chinese agents aiming to steal secrets or plant bugs to infiltrate U.S. computer networks.

Equipment left unsupervised for just minutes in a hotel or even during a security screening can be hacked, mined and bugged… There is a high likelihood — virtually 100% — that if an individual is of security, political, or business interest to Chinese … security services or high technology industries, their electronics can and will be tampered with or penetrated...

Wow. Sounds like China bashing, scare mongering, US propaganda to me. Well, not really. There is a fine line between scare mongering, anti-China sentiment, and stating the facts as we know them. And we know the facts pretty well, or, at least well enough to make these rather pointed and upsetting statements publicly. That said, what is unfortunate to me is that the article did not highlight the issue strongly enough.

Both France and Russia have publicly admitted to one extent or other to actively spying on U.S. businesses and U.S. business people. In fact, it’s not just U.S. persons, but any competing business or individual. To quote Pierre Marion, Director of the French Intelligence Directorate, “This espionage activity is an essential way for France to keep abreast of international commerce and technology. Of course, it was directed against the United States as well as others. You must remember that while we are allies in defense matters, we are also economic competitors in the world.”

And these are our friends.

In this light, it is far from surprising that China might consider conducting the same activities as well as deny it emphatically (“The so-called accusation of the Chinese military espionage against the U.S. is groundless and fabrication with ulterior motives.").

Of course, espionage is status quo. Many readers might be surprised to find out that acts of espionage – especially cyber espionage – are not illegal in international law. Sure, individual nations might make espionage a criminal offense, but not in the international realm (which also means it is very murky whether you can legally go to war over it).

The fact that espionage is largely ignored by international law might make some of us squeamish to some extent... I mean, they’re actively stealing stuff from other people, mannnn…but this is the reality of international economic competition and a globalized economy. Competition is good, but it has its darker, and some might say “necessary” elements.

Some nations dabble in espionage, and others engage in it aggressively. According to a 2007 report by the U.S. Director of National Intelligence, China's espionage services are "among the most aggressive in collecting against sensitive and protected U.S. targets." But don’t think just defense contractors or government agencies are the only targets. Food service companies have been the target of remote cyber attacks also.

It's not whether you think you are a target, it's whether the adversary thinks you are worth targeting.

So in 2008, people will flood into Beijing bringing with them their iPhones, laptops, BlackBerrys (World Phone, of course), you name it. And these devices might be unfortunately lost ("I know I just put it down, now where did it go?"), borrowed ("Excuse me, Mr. Smith, we need to examine your laptop before your flight, there seems to be a problem…"), outright stolen ("Hey, who’s been in my room and where's my stuff?"), or the worst of all cases:

“Oh, here it is [laptop, iPhone, whatever]. It’s right here. Now how did I miss that?"

The best thing about espionage – especially cyber espionage – is that you don’t actually have to keep anything as the perpetrator. You can remotely copy a database by exploiting a software vulnerability from 8,000 miles away and leave the hard drive just where it is. You can also take a physical device like a mobile phone, do something to it (which I’ll get to shortly), and give it right back with the owner none the wiser, if not a little confused ("...must have had too much to drink last night").

Now, I know there are plenty of people out there that might retort, ”Oh, our hard drives are encrypted, this isn’t going to be a problem for us.”

Really?

The best thing that could actually happen to you is that your laptop is stolen and you never get it back. Encrypted hard drive or not. The worst case is when someone “borrows” your laptop, inserts an implant without your knowledge and then gives the laptop back to you. This implant, which could be hardware, software, or both, will happily siphon and record all the information as your hard drive goes about decrypting it to display on the device's screen. The implant will then send that information to heaven knows where, probably hijacking your internet browser when you're not looking (this circumvents your firewall protection, by the way, because most people's firewalls permit outbound traffic from their browser).

Hard drive encryption? Please.

Now, outside of the Olympic context, for many people hard drive encryption makes sense. So my cynical retort needs to be diluted just a bit. Why? Because unless you, your company, or your company’s information is important enough, or “of interest” to the adversary, you are probably not a target and therefore hard drive encryption is perfectly fine. This is true for 99 percent of the people out there. Hackers without nation-state backing will have a hard time constructing the hardware implants necessary for conducting these types of operations without being detected.

But when the world comes to your doorstep in the wake of world-wide and none-too-obvious cyber espionage activity emanating from Chinese networks, well, hell, why not throw the net a little wider when the visitors-come-a-visiting and see what happens? It's a cornucopia when the world comes to you! And who among the US populace would really believe statements by U.S. Intelligence about cyber-espionage after slip ups on Iraq and Iran…oh, and the 130,000 Russian troops that swarmed into Afghanistan in the 1980s right under the nose of the CIA. But I digress.

Congressman Mike Rogers says it most succinctly, "the Chinese will take full advantage of any opportunity to not only take a peek at what's on electronic devices but also to implant them."

I’ll tell you what I tell my private clients when traveling to known adversarial nations, “If you care in any way about what’s on that device, and you care what comes back, leave it at home. Purchase a new device for the trip and toss it upon return. And for Heaven’s sake, don’t connect it to anything.”

If you’re going to the Olympics this year, enjoy! Bring back good memories…but only on an analog, not a digital camera (hint, hint).