To Be Successful: Januari 2015

Jumat, 02 Januari 2015

How Fall Out Boy Beat the Odds and Became Top 40 Survivors

Fall Out Boy's caravan of SUVs has been barreling down Interstate 95 in Florida for about two hours when Pete Wentz realizes he doesn't know where the band is headed. "Are we going to Tampa or Orlando?" Wentz asks his road manager. "Because if we're going to Orlando, I want to go to Harry Potter Land." The manager tells Wentz that Fall Out Boy are playing Tampa tonight and Orlando tomorrow, but with an acoustic radio show in the morning and an electric one at night, they have no time for an amusement park. This is news to Patrick Stump. "What acoustic show?" says the singer, from the back seat. "We didn't even practice that shit! We literally don't know how to play 'Centuries' acoustic."

Related Fall Out Boy
Fall Out Boy Pay Tribute to Chicago in 'Centuries' Video

Things are going really fast for Fall Out Boy right now: They are in the middle of a run of playing 15 radio-station festivals in just 20 days, stopping everywhere from Oakland to Duluth, Georgia. "Centuries," the band's new single, has climbed to Number 22 on the charts and racked up more than 30 million plays on Spotify. Fall Out Boy just finished their sixth album, American Beauty/American Psycho, due January 20th, and also have a song, "Immortals," on the soundtrack to the Disney animated movie Big Hero 6 (that one's climbing the charts too). Which means that, along with Maroon 5 and Imagine Dragons, they're one of the very few rock bands in the world capable of competing with the likes of Taylor Swift and Meghan Trainor in the Top 40.

Nobody could've predicted this kind of comeback, least of all the band members themselves. Fall Out Boy ruled the hearts of emo kids in the mid-2000s, scoring a half-dozen Top 40 hits in the process. But when they returned in 2012 after a three-year hiatus, poppy punk rock was dead as a mainstream sound, and dance was ascendant. "We thought that was the end of radio for us," says Stump, 30. "We thought we would go out, play some shows and, you know, whatever. This is a disco era, so to hear our songs on the radio is kinda surprising."

Wentz, the band's 35-year-old bassist and lyricist, is delighted Fall Out Boy can still make hit singles. "We'd survive without radio," he says. "Batman can go out and fight without the fucking cape. But when he shows up, people want to see him wear the fucking cape. My mission statement has always been, 'I want to be the biggest.' Patrick's has always been, 'I want to be the best.' At some point, we realized they were two different versions of the same thing."

Fall Out Boy were in a bleak place after their 2008 LP, Folie à Deux, failed to generate a big hit. The paparazzi hounded Wentz and his new wife, Ashlee Simpson, and the group members were fighting with one another. "I literally spent my twenties as the most selfish person that I know," says Wentz. "I didn't have the capacity for understanding other people's time and empathy for what other people thought about things." After the final gig on their 2009 tour, Fall Out Boy went their separate ways, barely speaking to each other for several years.

The low point seemed to come in 2012, when Stump, who had gone solo with 2011's Soul Punk, posted a shockingly frank letter on his personal blog, in which he revealed he was too broke to continue a solo tour and was getting taunted by fans saying, "We liked you better when you were fat." "People genuinely thought it was a suicide note," he says. "Every part of me wishes I hadn't written that thing." The note inspired Wentz to reach out to Stump. The pair rekindled their friendship and, soon, their band as well.

Fall Out Boy didn't want to do a quickie nostalgia exercise. "We asked ourselves, 'What would we want if the Smiths or someone like that reunited?' " says Wentz. "We'd want a new album, new song, a tour right away and don't just go play state fairs." Instead of touring, the bandmates returned to the studio and found they still had monstrously hooky songs in them. Their comeback single, "My Songs Know What You Did in the Dark (Light Em Up)," hit Number 15 on the Hot 100 in 2013.

The band spent a year and a half on the road behind its next LP, Save Rock and Roll. While on tour, Fall Out Boy began fiddling with a track built around a live sample of the refrain from Suzanne Vega's "Tom's Diner." They fleshed it out into the anthemic "Centuries," and were so psyched with the results they rushed into the studio and squeezed out American Beauty/American Psycho in three weeks.

At heart, Stump and Wentz are still pop-culture geeks. They spend the four-hour trip to Tampa debating topics like the difference between Ridley Scott's Alien and James Cameron's Aliens. ("One is unsettling and leaves you uncomfortable, while the other is a giant popcorn movie," says Stump.) When I mention the 2007 video-game documentary The King of Kong: A Fistful of Quarters, Stump and Wentz spend several minutes trading lines from the film.

Soon, FOB arrive at the 97X Next Big Thing festival, where they're headlining a bill that features Young the Giant, Alt-J, New Politics and other groups that are, on average, a decade younger than they are. Fall Out Boy are shepherded into a meet-and-greet tent, where 50 fans, almost all teen girls, squeal with delight. "I hear from kids on social media that I inspired them to pick up a guitar," says guitarist Joe Trohman. "Hopefully what it does is pave the way for other bands to do the same."

When Fall Out Boy take the stage at 8:45, they're greeted with an eardrum-shattering roar from the young fans. The loudest cheers are reserved for the new songs, and security can barely keep up with the flood of crowd-surfing fans pouring over the barricades.

Fall Out Boy are dripping with sweat and buzzing when they come offstage after a final encore of "Saturday," from their 2003 debut, Take This to Your Grave. "That felt really good," says Wentz as he changes from his stage clothes into a tattered Metallica shirt. "It's crazy how young everyone was. Two circle pits broke out during a song that nobody knows from our first album. It occurred to me onstage that maybe we aren't on an island if there's so many kids like that out there. Maybe they're the movement now."

Right now, Fall Out Boy are booking a summer amphitheater tour. In the meantime, they remain an anomaly in the pop universe. "We aren't the last rock band," says Stump. "But we're the last rock band that doesn't think that pop is a four-letter word."

Stump, who just became a father, has been in Fall Out Boy since he was 17. The singer knows full well what haters think of his band – and doesn't care. "We've been saddled with several disparaging genre things," he says. " 'Oh, they're this fucking pop-punk band,' or 'They're this fucking emo band – these guys suck,' or 'They're this fucking stadium-rock band – these guys suck.' Nobody can decide why we suck – to me, that means we're doing the right thing."

Is It OK to Cheat Airlines if It Saves You Money?

Would you “scam” an airline’s ticketing policy if it saved $25? $70? $400?

A federal lawsuit is bringing public attention to “hidden city” ticketing, the technique of buying an airline ticket between two cities with a connection but ditching the rest of the trip. Say, for example, you want to fly from Boston to San Francisco but notice that a ticket from Boston to Seattle—with a connection in San Francisco—is cheaper. Once your flight lands in San Francisco, you prance out of the airport at your intended destination, pocketing the savings.

Airlines hate this maneuver—which has been around for decades—and argue that it violates the terms of the sale. Others contend that it’s no big deal. “I think it’s fair game,” says John DiScala, a travel expert who blogs as Johnny Jet. “I think it’s smart for the consumer.” Jay Sorensen, a consultant and former executive with Midwest Airlines, argues that airlines also violate the terms of sale with their customers “and then rely on the customer to write a letter to complain to get that violation addressed.” (In a phone call on Tuesday, Sorensen noted that his wife, who is also a former airline executive, vehemently disagreed.) “I think there are greater sins in life,” he says.

The world’s second-largest airline, United, along with online travel agency Orbitz Worldwide, aren't convinced. They've filed suit seeking an injunction to stop a New York programmer’s website, Skiplagged.com, from sending United ticket buyers to Orbitz.com to purchase such “hidden city” tickets. The ticketing technique “interferes with United’s ability to sell unused seats on the final leg(s) of connecting flights, resulting in the loss of revenue that United would have earned by selling the unused seats,” the company said in its lawsuit last month in U.S. District Court in Chicago. The companies also want at least $75,000 in damages and attorney fees. “This practice violates our fare rules, and we are taking action to stop it to help protect the vast majority of customers who buy legitimate tickets,” United spokeswoman Christen David said on Tuesday. The airline also says such passengers can cause delays as gate agents try to determine where a person expected on a flight may be. Passenger count also affects a flight’s total weight calculation, which can delay the plane’s departure.

The problem for the airline industry, of course, is that the public holds them in roughly the same esteem as cable-TV companies and tax collectors. We aren't inclined to be terribly sympathetic about protecting carriers’ pricing schemes or saying "no thanks" to a bargain. “Send them to hell, please,” wrote someone who donated $666 to Skiplagged founder Aktarer Zaman, who began raising money online in late November to fund his defense against the lawsuit. On Tuesday he boosted his target to $25,000 after quickly passing the prior $20,000 target given media attention on the lawsuit. “That's because I really don't know how much this lawsuit is going to ultimately cost, other than probably a lot,” Zaman wrote in a note thanking donors. “However, you have my word that how every cent is spent will be posted here. If there are any remaining funds, those will be completely donated to charity.” Zaman did not reply on Tuesday to an e-mail sent via his personal website.

Hidden city fares are found on almost every airline that operates with a hub-and-spoke system. These cheaper fares arise from the fact that nonstop flights typically command a premium, given that most people—especially business travelers—prefer to avoid connections when possible. That’s why American, for example, enjoys strong pricing from its Dallas-Fort Worth (DFW) hub on nonstop routes. Delta and United, meanwhile, have plenty of service on the same routes from DFW Airport, but they typically route passengers through one of their own hubs with a connecting flight. Writ large across the industry, that dynamic leads to “hidden city” fares that can amount to savings of hundreds of dollars.

“If [airlines] didn’t try to price flights to certain hubs so high, perhaps you wouldn’t have as many people trying to buy hidden city fares,” says Henry Harteveldt, a travel analyst with Atmosphere Research Group. Yet given strong customer demand, airlines would be foolish to “leave money on the table” if they can command top prices on some flights, he notes. “To a certain degree then, they encourage this type of behavior,” says Harteveldt, who doesn’t consider the practice ethical. “There’s no easy solution to this.”

One airline measure has been to void frequent-flyer miles if an airline determines that a person skipped a connecting flight. In some cases with repeat offenders, Harteveldt and Sorensen said, an airline may shut down the account or try to collect the fare difference on the flight a passenger actually used. American warns travel agents not to sell such tickets, likening the practice to “switching price tags to obtain a lower price on goods sold at department stores.”

DiScala, who travels more than 150,000 miles per year and was spending the holidays with his wife in Hawaii, says hidden city tickets have been an occasional financial temptation—but one he's avoided. “I didn’t want to lose my miles,” he says.

Predictions For 2015: There Will Be Blood

The photo above was published in April, 2013, when Google Ventures, Andreessen Horowitz and Kleiner Perkins announced the Glass Collective, which was going to invest in companies to develop apps for Google Glass, which they said was a "potentially transformative technology." Key word I suppose was potentially. Because now Google Glass is more or less dead, and good riddance to it, though it was entertaining when that woman claimed she was being persecuted for wearing Glass in a bar and then she went all Rosa Parks and the Glass dorks tried to make it a civil rights issue — that was fun. But overall: no. Glass sucked. Now it's done. This is a good thing.

I'm running the photo for three reasons. First, that fucking head! And yes, you know exactly which one I mean. Second, because those three dudes look pretty damn smug and pleased with themselves, don't they? Why, with their magic Dick Tracy glasses they can see all the way into the future, and the future is all about Google Glass! I think these guys should be forced to look at this photo of themselves every day for the rest of their lives, preferably on a pair of Google Glasses which they are also forced to wear.

But the main reason I'm running the photo is to make an actual serious point, which is that nobody in this industry ever has any idea what is going to work. Nobody. Not even these big-brained masters of the universe who are entrusted with billions of dollars. These are smart guys. The one on the left founded Netscape. The one on the right was an early investor in Google. The one in the middle was in a boy band, I think. Anyway, they're experts. They spend their whole lives trying to spot trends and pick winners, and they are paid ungodly amounts of money because they are considered the best in the world.

And yet, back in 2013, less than two years ago, these three experts really believed Glass was going to be huge. They were very passionate about it. They got into huge arguments over it.

Clearly those guys did not have a clue. And if they can't predict the future, then I sure as hell can't either. Nevertheless, making predictions for the year ahead is a thing one is supposed to do when one writes a tech blog, so here are mine for 2015.

Dick Costolo gets booted from Twitter. This one is so obvious that it's almost not a prediction. The Orcs on Wall Street are beating the drums for his removal. (Also see here.) This started months ago, when BusinessWeek quoted one of Twitter's investors saying not-nice things about Costolo. The critics have a point. Costolo is about as effective as a CEO as he was at standup comedy, which is to say, not very. The problem is I'm not sure anyone can do better. Twitter is a money pit, a company that costs more to run than it can generate in revenues. Last quarter Twitter lost about $180 million on sales of about $360 million, meaning they are spending a dollar fifty to make a dollar. Is there some magician of a CEO who has some huge idea that will transform Twitter into a money-printing machine? Doubtful. But hey, bring in Ross Levinsohn and let him take a crack at it, and two years from now you Wall Street assholes can drive him out too and find someone else. It's what you do.

Jack Dorsey gets booted from Square. The real question is how Simple Jack has managed to hang on for all these years, not just at Square but in the tech industry in general. Have you read Nick Bilton's book about Twitter? Do you know there was a time when Jack Dorsey was consciously trying to dress and act like Steve Jobs? This would be embarrassing for a high school kid, but for a grown man? Then there was his fascination with Japanese culture, waxing on about wabi-sabi over a tea ceremony. Then he was going to run for mayor of New York. Then he was in Missouri, marching. Meanwhile Square has been around for five years and is losing enormous amounts of money. The deal with Starbucks was a disaster; Dorsey got mugged. Square changes business plans and strategies the way Taylor Swift changes boyfriends. Over the summer, Dorsey bought Caviar, and now Square is going to become a food delivery company. What the fuck?

Marissa Mayer leaves Yahoo. It's not her fault. Yahoo is Yahoo. It's never going to be Google or Facebook. But there is an unwritten rule that Yahoo must have a new CEO every six to 12 months, and Mayer has already been there for more than two years. According to hedge fund manager Eric Jackson, Yahoo may actually have negative value if you strip out the value of its Alibaba stake. Now the savages on Wall Street are calling for Marissa's head. You may have noticed that this is something that the savages on Wall Street like to do. Of course there is no messiah who is going to save Yahoo. But changing leaders maybe gives the stock a pop. Or maybe the guys on Wall Street just like to stir up shit because they're bored and they have money. Marissa can go spend time with her kids. Or run for political office.

Box gets acquired. Look, I love Aaron Levie, Box's precocious 14-year-old CEO. He's great on Twitter and he is a genuinely nice guy. But Box isn't working out. Like Twitter, it's a money pit. According to its recent SEC filing, for 2014 Box will take in $125 million in revenues and lose about $170 million. To be sure, that's better than in 2013, when Box lost two dollars for every dollar it generated in revenue. But come on. Box will be 10 years old this year. If you can't make money after 1o years, what does that tell you? And what is the plan? Is the idea that Box will keep "investing in the business" and then start making money in Year 15? Or Year 20? Or maybe profitability lies forever out there, beyond the horizon, and everyone says that's okay, like with Amazon? Apparently Box still intends to do an IPO. Maybe that will happen. Even so, Box will end up being acquired. It makes no sense as a standalone business.

Carly Fiorina will run for president and lose. It's not her fault. It's a compulsion. Carly doesn't really want to hold office; she just needs to run. Someone says Carly's real goal to get picked up as a vice presidential nominee. That might be overthinking it. Carly runs because Carly runs. Carly can't get enough of Carly, and she thinks that we can't get enough of Carly either. Don't tell her otherwise! Also, she's rich, so she can keep on doing this forever. Godspeed, Carly. I for one will vote for you, just to give you false hope.

Larry Page will step aside. Page will take a non-executive role and be replaced by that other guy who already runs most of Google but whose name you can't remember which is fine because that's the way he likes it.

Uber will have an earth-shattering IPO. The financials will be great, the growth will be staggering and everyone knows Uber and likes the service so mom-and-pop investors will be clamoring for shares. Home run. Nobody will care about all the bad behavior anymore because money talks and bullshit walks, as Goethe once wrote. Uber haters (and there are many) will go nuts, which will add to the fun. Airbnb and Dropbox will go public too, as Fred Wilson predicts, but Uber will be the sensational deal of the year.

Oculus Rift will suck and so will the Apple Watch. These I stole from Fred Wilson, but he's right. Nobody wants to sit around for hours with those big fucking goggles strapped to their head. Apple might sell a lot of watches to the faithful, and no doubt the bozos will line up outside stores again just because they love to stand outside in lines. Look at me! I'm so techie! Tim Cook will claim it's a huge victory. Apple will constrain supply to make it look like there is huge demand and they're selling them as fast as they can make them and they're way ahead of plan. But this is not iPhone Redux. The watch is a limited thing, and won't move the needle.

Andy Rubin announces a new product. I have no idea what it is, but he's up to something. Rubin left the Android team at Google to run the robotics program. Then he left last year to do some kind of skunk works. This is the guy who created Danger and sold it to Microsoft, then created Android and sold it to Google. Whatever he does next will be worth paying attention to.

Hackers do something serious. I mean something that makes Sony look like a prank. Something that really fucks people up. Something that will appear to be state-sponsored and we're left to guess about who is behind it. Maybe it's Putin getting back at us for wrecking the ruble. Or maybe it's carried out by Iran, or China. I hope this doesn't happen, but I fear it will. The future of warfare is computers fighting computers.

There will be blood. I can't predict exactly when the crash correction will happen. I thought it would have happened already, frankly. So maybe it happens this year, or maybe it's next year. But you know it's going to happen. For one thing, there were more IPOs in 2014 than in any year since 2000. Some will remember what happened back in 2000 right after all those companies had all those IPO. Surely it cannot be a good sign when a bunch of money-losing tech companies go racing into the public markets. For the past few years the VCs who claimed there was no tech bubble supported that assertion by pointing out that the crazy valuations were confined to privately held companies. Thus the public wasn't exposed to the risk. But now those companies are going public. Doesn't that mean the public is now exposed?

And now the stock market is hitting all-time highs, and Facebook is trading at 72 times earnings, and Twitter has a $20 billion market cap even though it is losing huge amounts of money, and Salesforce.com has a $37 billion market cap even though it doesn't have any earnings either, and back in September Marc Andreessen said something about how the market was going to turn and that some of these tech companies were burning money too fast and they were going to "vaporize" and ohmygod a fucking food delivery startup just raised $220 million at a valuation of $2 billion and Snapchat just raised money at a $20 billion valuation even though they have no revenues and the company is burning cash like crazy and now I'm starting to get that feeling where I know it's not an actual heart attack but I still think that maybe it is a heart attack and I should probably go to the emergency room just in case.

Wait! Don't freak out! Take deep breaths. Everything is going according to plan. Unless you're working for one of those money-losing startups, you'll be able to sit back and enjoy the show — the cries and lamentations, the gnashing of teeth, the paper fortunes wiped out overnight, the smug bratty tech pricks going back to work as baristas. It is going to be glorious.

District 9 director reveals concept images of the Alien movie he was secretly working on

The Alien series may have taken a sharp turn downhill after its second film, but District 9 director Neill Blomkamp is — at least somewhat — interested in stepping in to save it. Blomkamp posted over a half-dozen pieces of concept art to Instagram yesterday depicting an Alien movie that he was working on, without any studio's knowledge or approval. Blomkamp's film seems to take place after Aliens, but in a world where the series' third film was never made, allowing Ripley and Hicks to work together again. The film also would have gone inside the mysterious and manipulative Weyland Corporation and put Ripley in what looks like a semi-organic Xenomorph flight suit.

It doesn't sound like Blomkamp's vision will be leaving the page anytime soon, however. On Instagram, Blomkamp says that though he loves the concept, he doesn't think that he's going to be working on it any more. "Woulda rocked," Blomkamp writes. "Was a mental stroll into the world Ridley Scott created." An unverified Twitter account linked to Blomkamp elaborates, writing, "I just feel like I might do something else instead." The good news for anyone hoping to see this movie made is that Blomkamp isn't stopping because the studio made him — in fact, he doesn't even think the studio knew he was working on it. And as he tells one commenter on Instagram: "Fox never said no."

King Abdullah of Saudi Arabia Is Hospitalized With Pneumonia

King Abdullah of Saudi Arabia has pneumonia and needs temporary help from a breathing tube, the royal court said Friday.

The king, who is 90, has a history of medical problems, and his health is scrutinized for any hint of a leadership change in Saudi Arabia, an absolute monarchy and regional American ally that is one of the world’s most important oil producers.

In a statement quoted by news agencies, the royal court said the king was in stable condition at a military hospital. He was transferred there on Thursday after having been admitted to King Abdulaziz Medical City Hospital in Riyadh, the capital, on Wednesday for unspecified tests.

The statement said an examination “revealed pneumonia, which required the provisional insertion of a tube on Friday evening.”

It added that “that step was crowned with stability and success,” but it left unclear how long the king would remain hospitalized.

The new uncertainty about the king’s health came against a backdrop of deep Saudi influence on a number of major global issues.

The biggest is plunging oil prices, caused in part by Saudi insistence on maintaining current high production levels in an effort to drive out higher-cost producers elsewhere and gain more control over the global market.

Saudi officials, presumably acting under the king’s orders, have shown no inclination to curb production, despite complaints by others, including the country’s regional rival, Iran.

The king’s health difficulties also come as Saudi Arabia has exerted itself more forcefully in the conflicts in Syria and Iraq. Most notably, Saudi Arabia is actively participating in the American-led bombing campaign against extremists there.

Crown Prince Salman, 79, the king’s half brother and presumed successor, has increasingly acted as Abdullah’s representative, most recently standing in for him at a summit meeting of Persian Gulf countries in Qatar last month. Crown Prince Salman is also Saudi Arabia’s deputy prime minister and defense minister.

Another half brother of the king, Prince Muqrin, 69, is second in line to the throne.

Abdullah is the country’s sixth king, having assumed the throne in 2005.

A Hacker's Hit List of American Infrastructure

On Friday, December 19, the FBI officially named North Korea as the party responsible for a cyber attack and email theft against Sony Pictures. The Sony hack saw many studio executives’s sensitive and embarrassing emails leaked online. The hackers threatened to attack theaters on the opening day of the offending film, The Interview, and Sony pulled the plug on the movie, effectively censoring a major Hollywood studio. (Sony partially reversed course, allowing the movie to show in 331 independent theaters on Christmas Day, and to be streamed online.)

Technology journalists were quick to point out that, even though the cyber attack could be attributable to a nation state actor, it wasn’t particularly sophisticated. Ars Technica’s Sean Gallagher likened it to a “software pipe bomb.”

But according to cyber-security professionals, the Sony hack may be a prelude to a cyber attack on United States infrastructure that could occur in 2015, as a result of a very different, self-inflicted document dump from the Department of Homeland Security in July.

Here’s the background: On July 3, DHS, which plays “key role” in responding to cyber-attacks on the nation, replied to a Freedom of Information Act (FOIA) request on a malware attack on Google called “Operation Aurora.”

Unfortunately, as Threatpost writer Dennis Fisher reports, DHS officials made a grave error in their response. DHS released more than 800 pages of documents related not to Operation Aurora but rather the Aurora Project, a 2007 research effort led by Idaho National Laboratory demonstrating how easy it was to hack elements in power and water systems.

Oops.

The Aurora Project exposed a vulnerability common to many electrical generators, water pumps and other pieces of infrastructure, wherein an attacker remotely opens and closes key circuit breakers, throwing the machine’s rotating parts out of synchronization causing parts of the system to break down.

In 2007, in an effort to cast light on the vulnerability that was common to many electrical components, researchers from Idaho National Lab staged an Aurora attack live on CNN. The video is below.

How widespread is the Aurora vulnerability? In this 2013 article for Power Magazine:

The Aurora vulnerability affects much more than rotating equipment inside power plants. It affects nearly every electricity system worldwide and potentially any rotating equipment—whether it generates power or is essential to an industrial or commercial facility.

The article was written by Michael Swearingen, then manager for regulatory policy for Tri-County Electric Cooperative (now retired), Steven Brunasso, a technology operations manager for a municipal electric utility, Booz Allen Hamilton critical infrastructure specialist Dennis Huber, and Joe Weiss, a managing partner for Applied Control Solutions.

Weiss today is a Defense Department subcontractor working with the Navy’s Mission Assurance Division. His specific focus is fixing Aurora vulnerabilities. He calls DHS’s error “breathtaking.”

The vast majority of the 800 or so pages are of no consequence, says Weiss, but a small number contain information that could be extremely useful to someone looking to perpetrate an attack. “Three of their slides constitute a hit list of critical infrastructure. They tell you by name which [Pacific Gas and Electric] substations you could use to destroy parts of grid. They give the name of all the large pumping stations in California.”

The publicly available documents that DHS released do indeed contain the names and physical locations of specific Pacific Gas and Electric Substations that may be vulnerable to attack.

Defense One shared the documents with Jeffrey Carr, CEO of the cyber-security firm Taia Global and the author of Inside Cyber Warfare: Mapping the Cyber Underworld. “I’d agree…This release certainly didn’t help make our critical infrastructure any safer and for certain types of attackers, this information could save them some time in their pre-attack planning,” he said.

Perpetrating an Aurora attack is not easy, but it becomes much easier the more knowledge a would-be attacker has on the specific equipment they may want to target.

* * *

In a 2011 paper for the Protective Relay Engineers’ 64th Annual Conference, Mark Zeller, a service provider with Schweitzer Engineering Laborites lays out—broadly—the information an attacker would have to have to execute a successful Aurora attack. “The perpetrator must have knowledge of the local power system, know and understand the power system interconnections, initiate the attack under vulnerable system load and impedance conditions and select a breaker capable of opening and closing quickly enough to operate within the vulnerability window.”

“Assuming the attack is initiated via remote electronic access, the perpetrator needs to understand and violate the electronic media, find a communications link that is not encrypted or is unknown to the operator, ensure no access alarm is sent to the operators, know all passwords, or enter a system that has no authentication.”

That sounds like a lot of hurdles to jump over. But utilities commonly rely on publicly available equipment and common communication protocols (DNP, Modbus, IEC 60870-5-103,IEC 61850, Telnet, QUIC4/QUIN, and Cooper 2179) to handle links between different parts their systems. It makes equipment easier to run, maintain, repair and replace. But in that convenience lies vulnerability.

In their Power Magazine article, the authors point out that “compromising any of these protocols would allow the malicious party to control these systems outside utility operations.”

Defense One reached out to DHS to ask them if they saw any risk in the accidental document dump. A DHS official wrote back with this response: “As part of a recent Freedom of Information Act (FOIA) request related to Operation Aurora, the Department of Homeland Security (DHS) National Programs and Protection Directorate provided several previously released documents to the requestor. It appears that those documents may not have been specifically what the requestor was seeking; however, the documents were thoroughly reviewed for sensitive or classified information prior to their release to ensure that critical infrastructure security would not be compromised.”

Weiss calls the response “nonsense.”

The risk posed by DHS accidental document release may be large, as Weiss argues, or nonexistent, as DHS would have you believe. But even if it’s the latter, Aurora vulnerabilities remain a key concern.

Perry Pederson, who was the director of Control Systems Security Program at DHS in 2007 when the Aurora vulnerability was first exposed, said as much in a blog post in July after the vulnerability was discovered. He doesn’t lay blame at the feet of DHS. But his words echo those of Weiss in their urgency.

“Fast forward to 2014. What have we learned about the protection of critical cyber-physical assets? Based on various open source media reports in just the first half of 2014, we don’t seem to be learning how to defend at the same rate as others are learning to breach.”

* * *

In many ways the Aurora vulnerability is a much harder problem to defend against than the Sony hack, simply because there is no obvious incentive for any utility operator to take any of the relatively simple costs necessary to defend against it. And they are simple. Weiss says that a commonly available device installed on vulnerable equipment could effectively solve the problem, making it impossible to make the moving parts spin out of synchronization. There are two devices on the market iGR-933 rotating equipment isolation device (REID) and an SEL 751A, that purport to shield equipment from “out-of-phase” states.

To his knowledge, Weiss says, Pacific Gas and Electric has not installed any of them anywhere, even though the Defense Department will actually give them away to utility companies that want them, simply because DOD has an interest in making sure that bases don’t have to rely on backup power and water in the event of a blackout. “DOD bought several of the iGR-933, they bought them to give them away to utilities with critical substations,” Weiss said. “Even though DOD was trying to give them away, they couldn’t give them to any of the utilities because any facility they put them in would become a ‘critical facility’ and the facility would be open to NERC-CIP audits.”

Aurora is not a zero-day vulnerability, an attack that exploits an entirely new vector giving the victim “zero days” to figure out a patch. The problem is that there is no way to know that they are being implemented until someone, North Korea or someone else, chooses to exploit them.

Can North Korea pull of an Aurora vulnerability? Weiss says yes. “North Korea and Iran and are capable of doing things like this.”
More From Defense One

The Military’s New Year’s Resolution for Artificial Intelligence
Will the Flak Jacket of the Future Include Organic Sensors?
Can Japan Kickstart an International Cyber Alliance?

Would such an attack constitute an act of cyber war? The answer is maybe. Speaking to reporters at the Pentagon on Friday, Pentagon Press Secretary Rear Adm. John Kirby said “I’m also not able to lay out in any specificity for you what would be or wouldn’t be an act of war in the cyber domain. It’s not like there’s a demarcation line that exists in some sort of fixed space on what is or isn’t. The cyber domain remains challenging, it remains very fluid. Part of the reason why it’s such a challenging domain for us is because there aren’t internationally accepted norms and protocols. And that’s something that we here in the Defense Department have been arguing for.”

Peter Singer, in conversation with Jason Koebler at Motherboard, says that the bar for actual military engagement against North Korea is a lot higher than hacking a major Hollywood movie studio.

“We didn’t go to war with North Korea when they murdered American soldiers in the 1970s with axes. We didn’t go to war with North Korea when they fired missiles over our allies. We didn’t go to war with North Korea when one of their ships torpedoed an alliance partner and killed some of their sailors. You’re going to tell me we’re now going to go to war because a Sony exec described Angelina Jolie as a diva? It’s not happening.”

Obama said Friday that there would be some sort of response to the hack, but declined to say what. “We have been working up a range of options. They will be presented to me. I will make a decision on those based on what I believe is proportional and appropriate to the nature of this crime,” he said.

Would infrastructure vandalism causing blackouts and water shutdowns constitute an act of war? The question may be moot. Before the United States can consider what sort of response is appropriate to cyber attacks, it must first be able to attribute them.

The FBI was able to finger North Korea for the hack after looking at the malware in the same way a forensics team looks for signs of a perpetrator at the scene of the crime. “Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks,” according to the FBI statement. (Attribution has emerged as a point of contention in technology circles, with many experts suggesting that an inside hack job was more likely.)

An Aurora vulnerability attack, conversely, leaves no fingerprints except perhaps a single IP address. Unlike the Sony hack, it doesn’t require specially written malware to be uploaded into a system—Malware that could indicate the identity of the attacker, or at least his or her affiliation. Exploiting an Aurora attack is simply a matter of gaining access, remotely, possibly because equipment is still running on factory-installed passwords, and then turning off and on a switch.

“You’re using the substations against whatever’s connected to them. Aurora uses the substations as the attack vector. This is the electric grid being the attack vector,” said Weiss, who calls it “a very, very insidious” attack.

The degree to which we are safe from that eventuality depends entirely on how well utility companies have put in place safeguards. We may know the answer to that question in 2015.