2014-11-12

Lipstick on a postal pig

I can't help but share this lunacy with you. The (American) Center For Economic and Policy Research thinks that the problem with the US Postal Service isn't the lackadaisical, contemptuous, inefficient distribution of mail which it perpetrates. It's just not properly utilized. Instead, we should allow it to run banking services at the same efficiency with which it delivers mail:

[...] the Postal Service could improve its finances by expanding rather than contracting. Specifically, it can return to providing basic banking services, as it did in the past and many other postal systems still do. This course has been suggested by the Postal Service's Inspector General.
This route takes advantage of the fact that the Postal Service has buildings in nearly every neighborhood in the country. These offices can be used to provide basic services to a large unbanked population that often can't afford fees associated with low balance accounts. As a result they often end up paying exorbitant fees to check cashing services, pay day lenders and other non-bank providers of financial services.
Of course, the reason that banks have run a mile from providing banking services to clients with low income or dubious immigration status, running away from a steady (albeit low) income stream, is due to... government regulatory pressure. Who'd have thought that the government would have caused these problems?

Now the CEPR is proposing that a government agency can step in and fix the very real problems in banking access that other government agencies have created. I don't know whether to laugh or cry.

Incidentally, my personal experience with sending mail through the USPS - a monthly mail to a residential address within the same state, dropped in a regular post box - is that the failure rate is about 1 in 13. This is corroborated by the experience of The Advice Goddess (Los Angeles resident Amy Alkon, if you're not reading her blog or buying her books then you really should):

There is no way that the USPS could comply with the existing banking regulations in the USA without having the same order of overhead as the major US banks. I suspect their savings in property costs are insignificant; even if they could train existing post office counter staff to be bank tellers as well without any major salary inflation, all the backend systems and personnel required would kill their cost advantage. Check out the USPS compensation and benefits: "regular salary increases" means you're paid by length of service, not productivity, they get federal health benefits which are a step or three above Obamacare coverage, and they get a defined benefit retirement plan. Believe me, if you're staff at a major bank, you would sell your mother on the streets to get these benefits.

All the CEPR is doing in this article is lobbying for an increase in (unionized) federal government employees. The government, and therefore the taxpayer, is going to pick up the tab, but that's Just Fine with them. The only way I can see this working is if the USPS is exempted from most of the existing banking regulations - and if that's the problem, why not just repeal them for everyone else as well?

2014-11-04

A caricature of Civil Service placement and rhetoric

The new director of GCHQ was announced earlier this year as Robert Hannigan, CMG (Cross of St Michael and St George, aka "Call Me God") replacing the incumbent Sir Iain Lobban, KCMG (Knight's Cross of St Michael and St George, aka "Kindly Call Me God"). Whereas Sir Iain was a 30-year veteran of GCHQ, working his way up from a language specialist post, Hannigan was an Oxford classicist - ironically at Wadham, one of the few socialist bastions of the university - and worked his way around various government communications and political director posts before landing a security/intelligence billet at the Cabinet Office. Hannigan is almost a cliché of the professional civil servant.

Hannigan decided to write in the FT about why Facebook, Twitter and Google increasing user security was a Bad Thing:

The extremists of Isis use messaging and social media services such as Twitter, Facebook and WhatsApp, and a language their peers understand. The videos they post of themselves attacking towns, firing weapons or detonating explosives have a self-conscious online gaming quality. [...] There is no need for today’s would-be jihadis to seek out restricted websites with secret passwords: they can follow other young people posting their adventures in Syria as they would anywhere else.
Right - but the UK or US governments can already submit requests to gain access to specific information stored by Facebook, Google, Twitter et al. What Hannigan leaves out is: why is this not sufficient? The answer, of course, is that it's hard to know where to look. Far easier to cast a dragnet through Internet traffic, identify likely sources of extremism, and use intelligence based on their details to ask for specific data from Facebook, Google, Twitter et al. But in the first half of 2014 alone, the UK issued over 2000 individual requests for data, covering an average of 1.3 people per request. How many terrorism-related arrests (never mind convictions) correspond to this - single digits? That's a pretty broad net for a very small number of actual offenders.

Hannigan subsequently received a bitchslap in Comment is Free from Libdem Julian Huppert:

Take the invention of the radio or the telephone. These transformed the nature of communication, allowing people to speak with one another across long distances far more quickly than could have ever been imagined. However, they also meant that those wishing to do us harm, whether petty criminals or terrorists, could communicate with each other much more quickly too. But you wouldn’t blame radio or phone manufacturers for allowing criminals to speak to each other any more than you would old Royal Mail responsible for a letter being posted from one criminal to another.
Good Lord, I'm agreeing with a Libdem MP writing in CiF. I need to have a lie down.

Hannigan is so dangerous in his new role because he's never really had to be accountable to voters (since he's not a politician), nor influenced by the experience and caution of the senior technical staff in GCHQ (since he never worked there). He can view GCHQ as a factory for producing intelligence to be consumed by the civil service, not as a dangerous-but-necessary-in-limited-circumstances intrusion into the private lives of UK citizens. After all, he knows that no-one is going to tap his phone or read his email.

Personally, I'd like to see a set of 10 MPs, selected by public lottery (much like the National Lottery draw, to enforce fairness) read in on GCHQ and similar agency information requests. They'd get to see a monthly summary of the requests made and information produced, and would be obliged to give an annual public report (restricted to generalities, and maybe conducted 6 months in arrears of the requests to give time for data to firm up) on their perception of the width of the requests vs information retrieved. That's about 40 Facebook personal data trawls per MP, which is a reasonably broad view of data without excessive work. Incidentally, I'd also be interested in a breakdown of the immigration status of the people under surveillance.

Mazzucato and her State-behind-the-iPhone claims

This caught my eye in the Twitter feed of Mariana "everything comes from the State" Mazzucato:

The box claiming that "microprocessor" came from DARPA didn't sound right to me, so I did some digging.

Sure enough, DARPA appears to have had squat all to do with the development of the first microprocessors:

Three projects delivered a microprocessor at about the same time: Garrett AiResearch's Central Air Data Computer (CADC), Texas Instruments (TI) TMS 1000 (1971 September), and Intel's 4004 (1971 November).
I don't know about the CADC, but Tim Jackson's excellent book "Inside Intel" is very clear that the 4004 was a joint Intel-Busicom innovation and DARPA wasn't anywhere to be seen; TI's TMS 1000 was similarly an internal evolutionary development targeted at a range of industry products.

Looking at a preview of Mazzucato's book via Amazon, it seems that her claims about state money being behind the microprocessor are because the US government funded the SEMATECH semiconductor technology consortium with $100 million per year. Note that SEMATECH was founded in 1986 by which point we already had the early 68000 microprocessors, and the first ARM designs (from the UK!) appeared in 1985. Both of these were recognisable predecessors of the various CPUs that have appeared in the iPhone - indeed up to the late iPhone 4 models they used an ARM design.

I'm now curious about the other boxes in that diagram. The NAVSTAR/GPS and HTML/HTTP claims seem right to me, but I wonder about DARPA's association with "DRAM cache" - I'd expect that to come from Intel and friends - and "Signal compression" (Army Research Office) is so mind-meltingly vague a topic that you could claim nearly anyone is associated with it - the Motion Picture Experts Group who oversee the MPEG standards have hundreds of commercial and academic members. If Mazzucato's premise is that "without state support these developments would never have happened" then it's laughably refutable.

At this point I'm very tempted to order Mazzucato's book The Entrepreneurial State for the sole purpose of finding out just how misleading it is on this subject that I happen to know about, and thus get a measure of how reliable it is for the other parts I know less about.

Update: it seems that associating the DoE (US Department of Energy) with the lithium-ion battery is also something of a stretch. The first commercial lithium-ion battery was released by Sony and Asahi Kasei in Japan. The academic work leading up to it started with an Exxon-funded researcher in the early 70s. The only DoE link I can find is on their Vehicle Technologies Office: Batteries page and states:

This research builds upon decades of work that the Department of Energy has conducted in batteries and energy storage. Research supported by the Vehicle Technologies Office led to today's modern nickel metal hydride batteries, which nearly all first generation hybrid electric vehicles used. Similarly, the Office's research also helped develop the lithium-ion battery technology used in the Chevrolet Volt, the first commercially available plug-in hybrid electric vehicle.
That's a pretty loose connection. I suspect, since they specifically quote the Volt, that the DoE provided money to Chevrolet for research into the development of batteries for their cars, but the connection between the Volt and the iPhone battery is... tenuous.

For fuck's sake, Mariana. You could have had a reasonably good point by illustrating the parts of the iPhone that were fairly definitively state-funded in origin, but you had to go the whole hog and make wild, spurious and refutable claims just to bolster the argument, relying on most reviewers not challenging you because of your political viewpoint and on most readers not knowing better. That's pretty despicable.

2014-10-22

State-endorsed web browsers turn out to be bad news

Making the headlines in the tech world this week has been evidence of someone trying to man-in-the-middle Chinese iCloud users:

Unlike the recent attack on Google, this attack is nationwide and coincides with the launch today in China of the newest iPhone. While the attacks on Google and Yahoo enabled the authorities to snoop on what information Chinese were accessing on those two platforms, the Apple attack is different. If users ignored the security warning and clicked through to the Apple site and entered their username and password, this information has now been compromised by the Chinese authorities. Many Apple customers use iCloud to store their personal information, including iMessages, photos and contacts. This may also somehow be related again to images and videos of the Hong Kong protests being shared on the mainland.
MITM attacks are not a new phenomenon in China but this one is widespread, and clearly needs substantial resources and access to be effective. As such, it would require at least government complicity to organise and implement.

Of course, modern browsers are designed to avoid exactly this problem. This is why the Western world devotes so much effort to implementing and preserving the integrity of the "certificate chain" in SSL - you know you're connecting to your bank because the certificate is signed by your bank, and the bank's signature is signed by a certificate authority, and your browser already knows what the certificate authority's signature looks like. But it seems that in China a lot of people use Qihoo 360 web browser. It claims to provide anti-virus and malware protection, but for the past 18 months questions have been asked about its SSL implementation:

If your browser is either 360 Safe Browser or Internet Explorer 6, which together make up for about half of all browsers used in China, all you need to do is to click continue once. You will see no subsequent warnings. 360's so-called "Safe Browser" even shows a green check suggesting that the website is safe, once you’ve approved the initial warning message.

I should note, for the sake of clarity, that both the 2013 and the current MITM reports come from greatfire.org, whose owners leave little doubt that they have concerns about the current regime in China. A proper assessment of Qihoo's 360 browser would require it to be downloaded on a sacrificial PC and used to check out websites with known problems in their SSL certificates (e.g. self-signed, out of date, being MITM'd). For extra points you'd download it from a Chinese IP. I don't have the time or spare machine to test this thoroughly, but if anyone does then I'd be interested in the results.

Anyway, if the browser compromise checks out then I'm really not surprised at this development. In fact I'm surprised it hasn't happened earlier, and wonder if there have been parallel efforts at compromising IE/Firefox/Opera/Chrome downloads in China: it would take substantial resources to modify a browser installer to download and apply a binary patch to the downloaded binary which allowed an additional fake certificate authority (e.g. the Chinese government could pretend to be Apple), and more resources to keep up to date with browser releases so that you could auto-build the patch shortly after each new browser version release, but it's at least conceivable. But if you have lots of users of a browser developed by a firm within China, compromising that browser and its users is almost as good and much, much easier.

2014-10-13

Corporate welfare from Steelie Neelie and the EU

I used to be the starry-eyed person who thought that governments pouring money into a new concept for "research" was a good thing. That didn't last long. Now I read The Reg on the EU's plan to chuck 2.5 billion euros at "Big Data" "research" and wonder why, in an age of austerity, the EU thinks that pissing away the entire annual defence budget of Austria is a good idea.

First, a primer for anyone unfamiliar with "Big Data". It's a horrendously vague term, as you'd expect. The EU defines the term thus:

Big data is often defined as any data set that cannot be handled using today’s widely available mainstream solutions, techniques, and technologies.
Ah, "mainstream". What does this actually mean? It's a reasonable lower bound to start with what's feasible on a local area network. If you have a data set with low hundreds of terabytes of storage, you can store and process this on some tens of regular PCs; if you go up to about 1PB (petabyte == 1024 terabytes, 1 terabyte is the storage of a regular PC hard drive) then you're starting to go beyond what you can store and process locally, and need to think about someone else hosting your storage and compute facility.

Here's an example. Suppose you have a collection of overhead imagery of the United Kingdom, in the infra-red spectrum, sampled at 1m resolution. Given that the UK land area is just under 250 thousand square kilometers, if you represent this in an image with 256 levels of intensity (1 byte per pixel) you'll need 250,000 x (1000 x 1000) = 250,000,000,000 pixels or 250 gigabytes of storage. This will comfortably fit on a single hard drive. If you reduce this to 10cm resolution - so that at maximum resolution your laptop screen of 1200 pixel width will show 120m of land - then you're looking at 25 TB of data, so you'll need a network of tens of PCs to store and process it. If, instead of a single infra-red channel, you have 40 channels of different electromagnetic frequencies, from low infra-red up to ultraviolet, you're at 1PB and need Big Data to solve the problem of processing the data.

Another example, more privacy-concerning: if you have 1KB of data about each of the 7bn people in the world (say, their daily physical location over 1 year inferred from their mobile phone logs), you'll have 7 terabytes of information. If you have 120 KB of data (say, their physical location every 10 minutes) then this is around 1PB and approaches the Big Data limits.

Here's the press release:

Mastering big data could mean:
  • up to 30% of the global data market for European suppliers;
  • 100,000 new data-related jobs in Europe by 2020;
  • 10% lower energy consumption, better health-care outcomes and more productive industrial machinery.
My arse, but let's look at each claim in turn.
  • How is this project going to make it more likely for European suppliers to take over more of the market? Won't all the results of the research be public? How, then, will a European company be better placed to take advantage of them than a US company? Unless one or more US-based international company has promised to attribute a good chunk of its future Big Data work to its European operations as an informal quid-pro-quo for funding from this pot.
  • As Tim Worstall is fond of saying, jobs are a cost not a benefit. These need to be new jobs that are a prerequisite for larger Big Data economic gains to be realized, not busywork to meet artificial Big Data goals.
  • [citation required] to quote Wikipedia. I'll believe it when I see it measured by someone without financial interest in the Big Data project.

The EU even has a website devoted to the topic: Big Data Value. Some idea of the boondoggle level of this project can be gleaned from the stated commitment:

... to build a data-driven economy across Europe, mastering the generation of value from Big Data and creating a significant competitive advantage for European industry, boosting economic growth and jobs. The BDV PPP will commence in 2015[,] start with first projects in 2016 and will run until 2020. Covering the multidimensional character of Big Data, the PPP activities will address technology and applications development, business model discovery, ecosystem validation, skills profiling, regulatory and IPR environment and social aspects.
So how will we know if these 2.5bn Euros have been well spent? Um. Well. Ah. There are no deliverables specified, no ways that we can check back in 2020 to see if the project was successful. We can't even check in 2017 whether we're making the required progress, other than verifying that the budget is being spent at the appropriate velocity - and believe me, it will be.

The fundamental problem with widespread adoption of Big Data is that you need to accumulate the data before you can start to process it. It's surprisingly hard to do this - there really isn't that much new data generated in most fields and you can do an awful lot if you have reasonably-specced PCs on a high-speed LAN. Give each PC a few TB in storage, stripe your data over PCs for redundancy (not vulnerable to failure of a single drive or PC) and speed, and you're good to go. Even if you have a huge pile of storage, if you don't have the corresponding processing power then you're screwed and you'll have to figure out a way of copying all the data into Amazon/Google/Azure to allow them to process it.

Images and video are probably the most ripe field for Big Data, but still you can't avoid the storage/processing problem. If you already have the data in a cloud storage provider like Amazon/Google/Azure, they likely already have the processing models for your data needs; if you don't, where are all the CPUs you need for your processing? It's likely that the major limitation on processing Big Data in most companies is appropriate reduction of the data to a relatively small secondary data set (e.g. processing raw images into vectors via edge detection) before sending it somewhere for processing.

The EU is about to hand a couple billion euros to favoured European companies and university research departments, and it's going to get nine tenths of squat all out of it. Mark my words, and check back in 2020 to see what this project has produced to benefit anyone other than its participants.

2014-09-25

Signs that the terrorism threat might be overblown

Or maybe just a sign that the US education system is a pool of sharks...

Modern terrorism getting you down? Don't worry, it's an opportunity for you! Sign up for a certificate in Terrorism Studies!

In the program, you will develop an understanding of terrorism and counter-terrorism. The online program is suitable for students interested in pursuing a career in homeland security at local, state, or federal levels; joining national and international counter-terrorism agencies; conducting research on terrorism in academia; or seeking opportunities in relevant industries.
Presumably it's also suitable for students interested in pursuing a career in terrorism? Or maybe this is an elaborate honey trap by the FBI, but I suspect that a) they don't have the motivation and b) they can't afford to fund the course.

2014-09-19

Don't ask for your emails to be deleted

Darrell Issa, Republican congressman from California (yes, amazingly they exist) released the oversight report on the initial rollout of Healthcare.gov and it wasn't pretty. The bulk of the report was based off emails that they managed to retrieve from Health and Human Services and their CMS subsidiary, and the report authors did a nice job of excerpting the damning snippets from the emails that confirmed everyone's suspicions about the rollout: the grunts implementing and testing the site knew darned well that it wasn't ready, but they were overridden.

I don't find any particular reason in the report to believe that the President knew the site wasn't ready; it looks very much like he and his advisors were assured that everything was in hand, and he had no particular reason to disbelieve it. The problems occurred lower down in the hierarchy:

Mr. Sivak showed Mr. Baitman emails that were made public by Congress in the wake of Healthcare.gov's disastrous launch. In these emails, dated September 27, 2013 [launch date was Oct 1st], a CMS official working on the FFM development, wrote "the facts are that we have not successfully handled more than 500 concurrent users filling out applications in an environment that is similarly in size to Day 1 production." In response, Mr. Baitman wrote "Frankly, it’s worse than I imagined!" Mr. Sivak replied, "Anyone who has any software experience at all would read that and immediately ask what the fuck you were thinking by launching."
Indeed, we were asking almost exactly that question. And there was no naivety about motivations:
How did one week Henry Chao tell us there was no way Account Transfer would be ready, then a meeting at the White House and a week later, oh, yeah, everything is back on track, we’ll meet the dates? That’s what I mean by WTF. You could definitely see the CYA moves coming a mile away
Doublethink is clearly very important for project managers. Henry Chao was one of the prime Healthcare.gov project managers and it appears he knew that the site was heading to disaster, but for some reason he couldn't or wouldn't articulate this to the administration.

Issa, of course, has plenty of partisan reasons to bash the administration and the Healthcare.gov backers, but it's hard to conclude anything other than that this launch was destined to crash and burn spectacularly, that this was known well in advance, and that it was egregiously mis-managed. That Mikey Dickerson and his crew managed to retrieve some semblance of success from this state was amazing, but not something that should be relied on by any future project manager.

Once again, the maxim "Do not write anything in an email that you do not want to see on the front page of a major newspaper" is confirmed. The usual wisdom around this is a combination of a) mail is transferred in the clear between servers on the public internet, although this is changing, and b) the risk of including the wrong person on your To: or Cc: lines. This report highlights a third option: the risk that your email will be retrieved during a legal discovery process. If you send your email from a company email system it'll be archived there and prone to later legal discovery even if you and the recipient delete it. This also applies if any of your recipients use a company or government email address.

The Verge provides a nice summary of the highlights in the report if you don't have the stomach to read the whole thing.

2014-09-08

Take the upside and you own the downside

I was annoyed by this inane Reuters article on the fate of the UK's gold stash:

An independent Scotland could lay claim to a part of the United Kingdom's 310-tonne gold reserves if votes go in favour of the "Yes" campaign this month, with ownership of Britain's bullion hoard up for negotiation along with other assets.
If I were Scotland, I'd run as far as possible from the £7.8bn pile of gold bricks. The reason I'd do this is because if I take on a fraction of the assets of the UK, I have no argument against also taking on its liabilities:
As of Q1 2013 UK government debt amounted to £1,377 billion, or 88.1% of total GDP, at which time the annual cost of servicing the public debt amounted to around £43bn, or roughly 3% of GDP.
Why would you take (say) 10% of £7.8bn when you'd also have to assume 10% of a £1400bn liability? You'd have to be stark staring bonkers. Alex Salmond isn't a rocket scientist, but even he would realise how dumb this would be.

2014-09-06

New clamping down on information in China

Spotted this on a net security research blog yesterday: someone is trying to snoop on the web traffic of Chinese students and researchers:

All evidence indicates that a MITM [man-in-the-middle] attack is being conducted against traffic between China’s nationwide education and research network CERNET and www.google.com. It looks as if the MITM is carried out on a network belonging to AS23911, which is the outer part of CERNET that peers with all external networks. This network is located in China, so we can conclude that the MITM was being done within the country.
To decipher this, readers should note that CERNET is the Chinese network for education and research - universities and the like. The regular Great Firewall of China blocking is fairly crude and makes it practically difficult for researchers to get access to the information they need, so CERNET users have mostly free access to the Internet at large - I'm sure their universities block access to dodgy sites, but to be fair so do Western universities. What's happening is that someone is intercepting - not just snooping on - their requests to go to www.google.com and is trying to pretend to be Google.

The reason the intercept is failing is because Google - like Facebook, Yahoo, Twitter and other sites - redirects plain HTTP requests to its homepage to a HTTPS address, so most people bookmark those sites with an HTTPS address. Therefore the users were requesting https://www.google.com/ and the attackers had to fake Google's SSL certificate. Because of the way SSL is designed, this is quite hard; they couldn't get a reputable Certificate Authority to sign their certificate saying "sure, this is Google" so they signed it themselves, much like a schoolchild signing a note purportedly from their parent but with their own name. Modern browsers (Chrome, Firefox, modern versions of IE) warn you when this is happening, which is how the users noticed. The Netresec team's analysis showed that the timings of the steps of the connection indicated strongly that the interceptor was somewhere within China.

The attack doesn't seem to be very sophisticated, but it does require reasonable resources and access to networking systems - you've got to reprogram routers in the path of the traffic to redirect the traffic going to Google to come to your own server instead, so you either need to own the routers to start with or compromise the routers of an organisation like a university. Generally, the further you get from the user you're intercepting, the greater your resources need to be. It would be interesting to know what fraction of traffic is being intercepted - the more users you're intercepting, the more computing resource you need to perform the attack because you've got to intercept the connection, log it, and then connect to Google/Twitter/Yahoo yourself to get the results the user is asking for.

The attempted intercepts were originally reported on the Greatfire.org blog which observes that there were several reports from around CERNET of this happening. Was this a trial run? If so it has rather blown up in the faces of the attackers; now the word will circulate about the eavesdropping and CERNET users will be more cautious when faced with odd connection errors.

If the attackers want to press on, I'd expect the next step to be more sophisticated. One approach would be SSL stripping where the interceptor tries to downgrade the connection - the user requests https://www.twitter.com/ but the attacker rewrites that request to be http://www.twitter.com/. The user's browser sees a response for http instead of https and continues with an unencrypted connection. Luckily, with Twitter this will not work well. If you run "curl -I https://www.twitter.com/" from a command line, you'll see this:

HTTP/1.1 301 Moved Permanently
content-length: 0
date: Sat, 06 Sep 2014 17:23:21 UTC
location: https://twitter.com/
server: tsa_a
set-cookie: guest_id=XXXXXXXXXXXXXXXXX; Domain=.twitter.com; Path=/; Expires=Mon, 05-Sep-2016 17:23:21 UTC
strict-transport-security: max-age=631138519
x-connection-hash: aaaaaaaaaaaaaaaa
That "strict-transport-security" line tells the browser that future connections to this site for the next N seconds must use HTTPS, and the browser should not continue the connection if the site tries to use HTTP. This is HTTP Strict Transport Security (HSTS) and Twitter is one of the first big sites I've seen using it - Google and Facebook haven't adopted it yet, at least for their main sites.
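To make concrete what that header does on the browser side, here is an added example of the HSTS logic in Go. It is my own illustration, not code from this post, from Twitter or from any browser: it parses the strict-transport-security value from the curl output above, remembers it per host with an expiry, and rewrites any later http:// URL for that host to https:// before a request is sent, which is exactly what denies the stripping trick its plaintext request. The twitter.com header is the one shown above; the hosts example.test and nohsts.test and the short max-age values are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// HSTSPolicy is what a browser remembers for a host after seeing a
// Strict-Transport-Security header on a clean HTTPS response.
type HSTSPolicy struct {
	Expires           time.Time
	IncludeSubDomains bool
}

// HSTSCache maps a (lower-cased) host name to its remembered policy.
type HSTSCache map[string]HSTSPolicy

// ParseHSTS parses a header value such as "max-age=631138519; includeSubDomains".
// Directives are ';'-separated and case-insensitive; max-age is mandatory.
func ParseHSTS(value string, now time.Time) (HSTSPolicy, error) {
	var p HSTSPolicy
	haveMaxAge := false
	for _, directive := range strings.Split(value, ";") {
		name, val, _ := strings.Cut(strings.TrimSpace(directive), "=")
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "max-age":
			secs, err := strconv.ParseInt(strings.Trim(strings.TrimSpace(val), `"`), 10, 64)
			if err != nil || secs < 0 {
				return p, fmt.Errorf("bad max-age %q", val)
			}
			p.Expires = now.Add(time.Duration(secs) * time.Second)
			haveMaxAge = true
		case "includesubdomains":
			p.IncludeSubDomains = true
		}
	}
	if !haveMaxAge {
		return p, fmt.Errorf("missing max-age in %q", value)
	}
	return p, nil
}

// Remember stores the policy sent by host; max-age=0 is the defined way to revoke it.
func (c HSTSCache) Remember(host, header string, now time.Time) error {
	p, err := ParseHSTS(header, now)
	if err != nil {
		return err
	}
	host = strings.ToLower(host)
	if !p.Expires.After(now) {
		delete(c, host)
		return nil
	}
	c[host] = p
	return nil
}

// Known reports whether host is covered by an unexpired policy, either its own
// or one of a parent domain that carried includeSubDomains.
func (c HSTSCache) Known(host string, now time.Time) bool {
	labels := strings.Split(strings.ToLower(host), ".")
	for i := range labels {
		p, ok := c[strings.Join(labels[i:], ".")]
		if !ok || !p.Expires.After(now) {
			continue
		}
		if i == 0 || p.IncludeSubDomains {
			return true
		}
	}
	return false
}

// Navigate is the browser-side decision: an http:// URL for a known host is
// rewritten to https:// before any packet leaves the machine, so an interceptor
// never sees a plaintext request it could rewrite.
func (c HSTSCache) Navigate(raw string, now time.Time) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme == "http" && c.Known(u.Hostname(), now) {
		u.Scheme = "https" // a real browser also maps an explicit :80 to :443
	}
	return u.String(), nil
}

func main() {
	// Constructed sample: the header line from the curl run quoted above,
	// with the time of that run taken as "now".
	now := time.Date(2014, 9, 6, 17, 23, 21, 0, time.UTC)
	_, value, _ := strings.Cut("strict-transport-security: max-age=631138519", ":")
	cache := HSTSCache{}
	if err := cache.Remember("twitter.com", value, now); err != nil {
		panic(err)
	}
	for _, u := range []string{"http://twitter.com/", "http://www.twitter.com/", "http://nohsts.test/"} {
		out, _ := cache.Navigate(u, now)
		fmt.Printf("%-26s -> %s\n", u, out)
	}
}
```

The caveat worth noticing is in the last two lines of output: www.twitter.com is not upgraded, because the header above carries no includeSubDomains, and nohsts.test is not upgraded at all. A browser only knows the policy after it has seen the header over a clean HTTPS connection once (or has the host in its built-in preload list), so the very first plain-HTTP visit is the window that stripping relies on.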

Alternatively the interceptor may try to compromise a reputable certificate authority so it can forge SSL certificates that browsers will actually accept. This would be a really big investment, almost certainly requiring nation-state-level resources, and would probably not be done just to snoop on researchers - if you can do this, it's very valuable for all sorts of access. It also won't work for the major sites as browsers like Chrome and Firefox use certificate pinning - they know what the current version of those sites' SSL certs look like, and will complain loudly if they see something different.
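As an added illustration of the two checks discussed here (and of the certificate chain described in the "State-endorsed web browsers" post above), here is a small Go program of my own; it is not code from this post or from any browser. It builds a tiny PKI in memory, verifies a leaf certificate against a trusted root the way a browser does, shows the self-signed certificate for the same host name failing that check (the warning the CERNET users saw), and then shows that a certificate issued by a second root that is also trusted passes chain verification but is still rejected by an SPKI pin, which is the compromised-CA case. The names "Trusted Root CA", "Rogue CA" and www.example.test are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a fresh P-256 key and certificate for name. With parent == nil the
// certificate is self-signed; otherwise it is signed by parent's key.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // host name matching uses SANs, not the CN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyChain is the browser's check before it shows a padlock: build a chain from
// the leaf to a root it already trusts, for the host name the user asked for.
func VerifyChain(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// SPKIPin is the HPKP-style pin: base64(sha256(SubjectPublicKeyInfo DER)).
// It identifies the key, not the certificate, so the site can renew its cert freely.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinOK accepts a leaf only if its key is one the browser ships a pin for.
func PinOK(leaf *x509.Certificate, pins map[string]bool) bool {
	return pins[SPKIPin(leaf)]
}

func main() {
	root, rootKey, err := newCert("Trusted Root CA", true, nil, nil)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	genuine, _, _ := newCert("www.example.test", false, root, rootKey)
	selfSigned, _, _ := newCert("www.example.test", false, nil, nil)
	fmt.Println("genuine chain:    ", VerifyChain(genuine, roots, "www.example.test"))
	fmt.Println("self-signed chain:", VerifyChain(selfSigned, roots, "www.example.test"))

	// The pinning case: a second root the browser also trusts has been used to
	// issue a certificate for the same name. Chain verification cannot tell.
	pins := map[string]bool{SPKIPin(genuine): true}
	rogue, rogueKey, _ := newCert("Rogue CA", true, nil, nil)
	roots.AddCert(rogue)
	forged, _, _ := newCert("www.example.test", false, rogue, rogueKey)
	fmt.Println("forged chain:     ", VerifyChain(forged, roots, "www.example.test"), "| pin ok:", PinOK(forged, pins))
}
```

The first Println reports no error and the second reports the unknown-authority error; the third shows the forged certificate chaining cleanly yet failing the pin. That is the whole argument for pinning the big sites: a trust store with well over a hundred roots is only as strong as its weakest member, while a pin narrows acceptance to the keys the site actually uses.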

The most effective approach, for what it's worth, is to put logging software on all the computers connected to CERNET, but that's probably logistically infeasible - it only works for targeting a small number of users.

So someone with significant resources in China is trying to find out what their researchers are searching for. Is the government getting nervous about what information is flowing into China via this route?

2014-09-03

Surrender monkeys don't eat balut

A fascinating shit-storm is brewing between the Philippine Army and the UN Disengagement Observer Force as a result of recent events in the Golan Heights:

The Philippine military said Monday that a U.N. peacekeeping commander in the Golan Heights should be investigated for allegedly asking Filipino troops to surrender to Syrian rebels who had attacked and surrounded their camp.
[...]
When the besieged Filipino troops sought his [Gen. Catapang's] advice after they were ordered to lay down their arms as part of an arrangement with the rebels to secure the Fijians' release, Catapang said he asked them to defy the order.
It seems that in order to facilitate negotiations for the release of 45 Fijian soldiers captured by the (al-Qaeda affiliated) Nusra Front rebels - such capture perhaps due to less-than-stellar planning by UNDOF - the UNDOF commander decided that yielding to the rebels' demands for the Filipino troops to give up their weapons would be just dandy. After all, what could possibly go wrong?

Gen. Catapang is Chief of Staff of the Philippine Armed Forces, so can't really rise any higher in the command structure, and isn't well-known enough to run for high government office, so he's got no real motive to puff up his role in this dispute. I'm inclined to believe the main thrust of his account. Since the army has been in near-continuous counter-insurgency campaigns, with the communist NPA in the central Philippines and the Islamic groups in the south and south west, they've accumulated quite a lot of experience with fanatic groups and have presumably absorbed the lesson that doing what your opponent tells you to seldom works out well.

It'll be interesting to see if the resolution of the dispute is made public:

Catapang said an investigation would allow the UNDOF commander to explain his side and the Philippine military to explain why it advised the Filipino peacekeepers to defy his order.
I doubt the second part will take very long. I'd start with "Because it was bloody stupid" and work up from there. Catapang, as a 4-star general, comfortably out-ranks UNDOF's 2-star leader and so there's no insubordination problem I can see. The first part would be educational though: just what did the UNDOF commander think would happen if the Filipino troops had laid down their arms as ordered? And what involvement did the UNDOF commander have in the Fijians being captured in the first place? The Philippine Army is withdrawing from the UNDOF mission in the Golan, presumably because they have no appetite for being put in the same position again when UNDOF decides that covering its backside is more important than the safety of the troops in its command.

It seems that si vis pacem, para bellum is still true: if you want to keep the peace, you have to be prepared to kick the ass.

Update: Richard Fernandez at the Belmont Club is well worth reading on this topic:

In the past the UN apparatchiks have relied on the faithfulness of their subordinate commanders to take a bullet for the team. "Theirs not to reason why, theirs but to do and die." But Tennyson had never been to the Philippines where the word for blindly following orders is tanga – or sap.