Brazil, Sun Tzu, and Commanding Coincidence
Last Updated on Monday, 23 November 2009 06:42 Written by Jeffreycarr Monday, 23 November 2009 06:42
“Heaven is not merely the sky or weather. It also represents larger patterns in the universe. Going with it, going against it – this is how the general aligns critical actions with these larger patterns, thereby commanding coincidence.”
- Commentary on a quote from Chapter 1 in “The Art of War: The Denma Translation” (Shambhalla, 2003)
Coincidences are something that I pay a lot of attention to, not just in matters related to cyber conflicts and intelligence analysis but in life. My personal view is coincidences should never be shrugged off, and a little digging is almost always a good thing. A lot of people have disagreed with me on this over the years so imagine my surprise when I read the above quote in a book and card set that my wife just gave to me as a birthday gift. One of the greatest generals who ever lived, and one who is still held in high esteem by China’s leadership, believes that coincidences can be “commanded” by the general who takes the broader view. Anyone who has read Project Grey Goose reports or our IntelFusion FLASH Traffic briefs know that I love broadening the context of an event!
Speaking of context and coincidence, let’s review the latest news on Brazil’s massive power outage of November 10, 2009. First, the timeline of events:
08 NOV 09: 60 Minutes airs its report placing the blame of a 2007 Brazilian power outage on hackers
09 NOV 09: Officials from Brazil’s government and from its Independent System Operator group along with the specific utility Furnas Centrais Elétricas denied it, placing the blame on sooty insulators.
10 NOV 09: A massive Brazilian power failure results in lights out for about 90 million people in Rio and Sao Paulo and the entire nation of Paraguay. The government and ONS blames it on lightning and fallen trees, not hackers.
That’s the first coincidence, which I blogged about 2 weeks ago. Here’s the new stuff:
12 NOV 09: Brazilian hacker Maycon Maia Vitali discloses a verbose exception on the ONS (Operador Nacional do Sistema) web page which would give a hacker access to ONS web servers and backend data servers. Shortly after posting this, his site went down with a notice that his account had been suspended.
13 NOV 09: A Brazilian journalist writes an article mentioning Vitali’s post and digs further, discovering that the government’s “lightning” story was an impossible event:
According to the Group of Atmospheric Electricity INPE (Instituto Nacional de Pesquisas), technicians found no electrical charge had hit power lines Itaipu, contradicting the version of the Government.Experts agree and say that weather conditions do not justify the blackout.
No word yet on what the actual cause for this outage was, but the above events, when taken as a group, demand a more serious study of what is going on inside the cloistered world of energy providers, not only in Brazil but worldwide.
SQL injection in a power companies public web server/ application is very different from gaining access to an EMS/GMS environment, which are typically air gaped from Internet connected hosts. In that regard posting is very misleading – as Vitali had nothing to do with anything that might allow someone access to cause any kind of power outage. For someone that needs help writing a web page, you should perhaps get a little more clued up on the technological aspects of this, before preaching about it like an ‘expert’.
Other than seizing an opportunity for you to take a cheap shot behind an alias and a Hushmail account, how exactly did I claim that Vitali had access to an air-gapped environment? I didn’t. I said he found a vulnerability that was susceptible to a SQLi attack which, if initiated, would enable a certain level of access to the attacker. A blackout doesn’t occur in one attack, but you don’t really give a shit about that anyway.
In the future, if you want your comment to see the light of day, grow a set of balls and post it under your real name like everyone else here does.
Hehe. Nice, Jeff.