The New E-spionage Threat

Cover Story April 10, 2008, 5:00PM EST

A BusinessWeek probe of rising attacks on America's most sensitive computer networks uncovers startling security gaps

by Brian Grow, Keith Epstein and Chi-Chu Tschang

The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a shopping list sent over by the Pentagon of weaponry India wanted to buy. But the missive turned out to be a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as "Poison Ivy" designed to suck sensitive data out of the $4 billion consulting firm's computer network.

The Pentagon hadn't sent the e-mail at all. Its origin is unknown, but the message traveled through Korea on its way to Booz Allen. Its authors knew enough about the "sender" and "recipient" to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address, which is registered through an obscure company headquartered on the banks of China's Yangtze River.

The U.S. government, and its sprawl of defense contractors, have been the victims of an unprecedented rash of similar cyber attacks over the last two years, say current and former U.S. government officials. "It's espionage on a massive scale," says Paul B. Kurtz, a former high-ranking national security official. Government agencies reported 12,986 cyber security incidents to the U.S. Homeland Security Dept. last fiscal year, triple the number from two years earlier. Incursions on the military's networks were up 55% last year, says Lieutenant General Charles E. Croom, head of the Pentagon's Joint Task Force for Global Network Operations. Private targets like Booz Allen are just as vulnerable and pose just as much potential security risk. "They have our information on their networks. They're building our weapon systems. You wouldn't want that in enemy hands," Croom says. Cyber attackers "are not denying, disrupting, or destroying operations—yet. But that doesn't mean they don't have the capability."


When the deluge began in 2006, officials scurried to come up with software "patches," "wraps," and other bits of triage. The effort got serious last summer when top military brass discreetly summoned the chief executives or their representatives from the 20 largest U.S. defense contractors to the Pentagon for a "threat briefing." BusinessWeek has learned the U.S. government has launched a classified operation called Byzantine Foothold to detect, track, and disarm intrusions on the government's most critical networks. And President George W. Bush on Jan. 8 quietly signed an order known as the Cyber Initiative to overhaul U.S. cyber defenses, at an eventual cost in the tens of billions of dollars, and establishing 12 distinct goals, according to people briefed on its contents. One goal in particular illustrates the urgency and scope of the problem: By June all government agencies must cut the number of communication channels, or ports, through which their networks connect to the Internet from more than 4,000 to fewer than 100. On Apr. 8, Homeland Security Dept. Secretary Michael Chertoff called the President's order a cyber security "Manhattan Project."

But many security experts worry the Internet has become too unwieldy to be tamed. New exploits appear every day, each seemingly more sophisticated than the previous one. The Defense Dept., whose Advanced Research Projects Agency (DARPA) developed the Internet in the 1960s, is beginning to think it created a monster. "You don't need an Army, a Navy, an Air Force to beat the U.S.," says General William T. Lord, commander of the Air Force Cyber Command, a unit formed in November, 2006, to upgrade Air Force computer defenses. "You can be a peer force for the price of the PC on my desk." Military officials have long believed that "it's cheaper, and we kill stuff faster, when we use the Internet to enable high-tech warfare," says a top adviser to the U.S. military on the overhaul of its computer security strategy. "Now they're saying, 'Oh, shit.'"

Adding to Washington's anxiety, current and former U.S. government officials say many of the new attackers are trained professionals backed by foreign governments. "The new breed of threat that has evolved is nation-state-sponsored stuff," says Amit Yoran, a former director of Homeland Security's National Cyber Security Div. Adds one of the nation's most senior military officers: "We've got to figure out how to get at it before our regrets exceed our ability to react."

The military and intelligence communities have alleged that the People's Republic of China is the U.S.'s biggest cyber menace. "In the past year, numerous computer networks around the world, including those owned by the U.S. government, were subject to intrusions that appear to have originated within the PRC," reads the Pentagon's annual report to Congress on Chinese military power, released on Mar. 3. The preamble of Bush's Cyber Initiative focuses attention on China as well.

Wang Baodong, a spokesman for the Chinese government at its embassy in Washington, says "anti-China forces" are behind the allegations. Assertions by U.S. officials and others of cyber intrusions sponsored or encouraged by China are unwarranted, he wrote in an Apr. 9 e-mail response to questions from BusinessWeek. "The Chinese government always opposes and forbids any cyber crimes including 'hacking' that undermine the security of computer networks," says Wang. China itself, he adds, is a victim, "frequently intruded and attacked by hackers from certain countries."

Because the Web allows digital spies and thieves to mask their identities, conceal their physical locations, and bounce malicious code to and fro, it's frequently impossible to pinpoint specific attackers. Network security professionals call this digital masquerade ball "the attribution problem."


In written responses to questions from BusinessWeek, officials in the office of National Intelligence Director J. Michael McConnell, a leading proponent of boosting government cyber security, would not comment "on specific code-word programs" such as Byzantine Foothold, nor on "specific intrusions or possible victims." But the department says that "computer intrusions have been successful against a wide range of government and corporate networks across the critical infrastructure and defense industrial base." The White House declined to address the contents of the Cyber Initiative, citing its classified nature.

The e-mail aimed at Booz Allen, obtained by BusinessWeek and traced back to an Internet address in China, paints a vivid picture of the alarming new capabilities of America's cyber enemies. On Sept. 5, 2007, at 08:22:21 Eastern time, an e-mail message appeared to be sent to John F. "Jack" Mulhern, vice-president for international military assistance programs at Booz Allen. In the high-tech world of weapons sales, Mulhern's specialty, the e-mail looked authentic enough. "Integrate U.S., Russian, and Indian weapons and avionics," the e-mail noted, describing the Indian government's expectations for its fighter jets. "Source code given to India for indigenous computer upgrade capability." Such lingo could easily be understood by Mulhern. The 62-year-old former U.S. Naval officer and 33-year veteran of Booz Allen's military consulting business is an expert in helping to sell U.S. weapons to foreign governments.

The e-mail was more convincing because of its apparent sender: Stephen J. Moree, a civilian who works for a group that reports to the office of Air Force Secretary Michael W. Wynne. Among its duties, Moree's unit evaluates the security of selling U.S. military aircraft to other countries. There would be little reason to suspect anything seriously amiss in Moree's passing along the highly technical document with "India MRCA Request for Proposal" in the subject line. The Indian government had just released the request a week earlier, on Aug. 28, and the language in the e-mail closely tracked the request. Making the message appear more credible still: It referred to upcoming Air Force communiqués and a "Teaming Meeting" to discuss the deal.

But the missive from Moree to Jack Mulhern was a fake. An analysis of the e-mail's path and attachment, conducted for BusinessWeek by three cyber security specialists, shows it was sent by an unknown attacker, bounced through an Internet address in South Korea, was relayed through a Yahoo! (YHOO) server in New York, and finally made its way toward Mulhern's Booz Allen in-box. The analysis also shows the code—known as "malware," for malicious software—tracks keystrokes on the computers of people who open it. A separate program disables security measures such as password protection on Microsoft (MSFT) Access database files, a program often used by large organizations such as the U.S. defense industry to manage big batches of data.
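The hop-by-hop header analysis described above, as an added example that is not part of the article or of the analysts' work: it reads a message's Received: headers oldest-first, recovers the relay path, and flags a mismatch between the claimed sender domain and the hosts that actually relayed the mail, plus an attachment of one of the document types the article names. The messages, host names, IP addresses and mailboxes are constructed placeholders, not the real Booz Allen headers.

```python
"""Reconstruct and sanity-check the relay path of a suspicious e-mail.

Added example, not from the BusinessWeek article: the Received:-header analysis
the text describes, run on constructed messages. Every host name, IP address,
mailbox and subject below is an invented placeholder.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed spear-phish sample: claims an Air Force sender, but the path runs
# from a bare IP through a Korean relay and a third-party webmail server and
# never touches the claimed sender's domain.
SAMPLE_MESSAGE = """\
Received: from webmail.example-mail.test (webmail.example-mail.test [203.0.113.7])
\tby mx.contractor.example (Postfix) with ESMTP id ABC123
\tfor <executive@contractor.example>; Wed, 5 Sep 2007 08:22:21 -0400
Received: from relay.example.kr (relay.example.kr [198.51.100.23])
\tby webmail.example-mail.test with SMTP; Wed, 5 Sep 2007 08:21:58 -0400
Received: from [192.0.2.44] by relay.example.kr with SMTP; Wed, 5 Sep 2007 08:21:40 -0400
From: "Sender, Official" <sender@af.example.mil>
To: executive@contractor.example
Subject: India MRCA Request for Proposal
Content-Type: application/x-msaccess; name="rfp.mdb"

(attachment bytes omitted)
"""

# Constructed benign counterpart: the single hop is the sender's own mail server.
BENIGN_MESSAGE = """\
Received: from mail.af.example.mil (mail.af.example.mil [192.0.2.10])
\tby mx.contractor.example (Postfix) with ESMTP id DEF456
\tfor <executive@contractor.example>; Wed, 5 Sep 2007 09:00:00 -0400
From: "Sender, Official" <sender@af.example.mil>
To: executive@contractor.example
Subject: Teaming meeting agenda

(body omitted)
"""

# Matches "from HELO (rDNS [IP])", "from HELO" and "from [IP]" as most MTAs write them.
FROM_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\])?", re.I
)
# Attachment types the article reports as malware carriers in this campaign.
DOCUMENT_TYPES = {"application/x-msaccess", "application/msword", "application/vnd.ms-powerpoint"}


def parse_received(header):
    """Extract claimed host (HELO), reverse-DNS name, IP and receiving host of one hop."""
    text = " ".join(header.split())  # unfold continuation lines
    hop = {"helo": None, "rdns": None, "ip": None, "by": None}
    m = FROM_RE.search(text)
    if m:
        hop.update(m.groupdict())
        bare = re.fullmatch(r"\[(.+)\]", hop["helo"] or "")
        if hop["ip"] is None and bare:  # "from [1.2.3.4]": an origin with no name at all
            hop["ip"] = bare.group(1)
    b = re.search(r"\bby\s+(\S+)", text, re.I)
    if b:
        hop["by"] = b.group(1)
    return hop


def relay_path(raw):
    """Hops oldest first: each MTA prepends its own Received: line, so reverse them."""
    msg = message_from_string(raw)
    return [parse_received(h) for h in reversed(msg.get_all("Received", []))]


def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def assess(raw):
    """Compare the claimed From: domain with the hosts that actually relayed the message."""
    msg = message_from_string(raw)
    path = relay_path(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hosts = [h for hop in path for h in (hop["helo"], hop["rdns"], hop["by"]) if h]
    findings = []
    if sender_domain and not any(in_domain(h, sender_domain) for h in hosts):
        findings.append(f"no relay in the path belongs to claimed sender domain {sender_domain}")
    if path and path[0]["rdns"] is None:
        findings.append(f"originating hop {path[0]['ip'] or path[0]['helo']} has no reverse DNS name")
    for part in msg.walk():  # a non-multipart message yields itself
        name = part.get_filename() or ""
        if part.get_content_type() in DOCUMENT_TYPES or name.lower().endswith(".mdb"):
            findings.append(f"document attachment of a type seen in this campaign: {name or part.get_content_type()}")
    return {
        "sender_domain": sender_domain,
        "path": [hop["ip"] or hop["helo"] for hop in path],
        "findings": findings,
        "suspicious": bool(findings),
    }
```

Calling `assess(SAMPLE_MESSAGE)` returns the path 192.0.2.44 -> 198.51.100.23 -> 203.0.113.7 with three findings, while `assess(BENIGN_MESSAGE)` returns a single in-domain hop and no findings; only the topmost Received: line is written by a server you control, so treat the earlier hops as claims to corroborate, not proof.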


While hardly the most sophisticated technique used by electronic thieves these days, "if you have any kind of sensitive documents on Access databases, this [code] is getting in there and getting them out," says a senior executive at a leading cyber security firm that analyzed the e-mail. (The person requested anonymity because his firm provides security consulting to U.S. military departments, defense contractors, and financial institutions.) Commercial computer security firms have dubbed the malicious code "Poison Ivy."

But the malware attached to the fake Air Force e-mail has a more devious—and worrisome—capability. Known as a remote administration tool, or RAT, it gives the attacker control over the "host" PC, capturing screen shots and perusing files. It lurks in the background of Microsoft Internet Explorer browsers while users surf the Web. Then it phones home to its "master" at an Internet address currently registered under the name

The digital trail to, followed by analysts at BusinessWeek's request, leads to one of China's largest free domain-name-registration and e-mail services. Called, it is registered to a company called Bentium in the city of Changzhou, an industry hub outside Shanghai. A range of security experts say that provides names for computers and servers that act as the command and control centers for more than 10,000 pieces of malicious code launched at government and corporate networks in recent years. Many of those PCs are in China; the rest could be anywhere.

The founder of, a 37-year-old technology entrepreneur named Peng Yong, says his company merely allows users to register domain names. "As for what our users do, we cannot completely control it," says Peng. The bottom line: If Poison Ivy infected Jack Mulhern's computer at Booz Allen, any secrets inside could be seen in China. And if it spread to other computers, as malware often does, the infection opens windows on potentially sensitive information there, too.

It's not clear whether Mulhern received the e-mail, but the address was accurate. Informed by BusinessWeek on Mar. 20 of the fake message, Booz Allen spokesman George Farrar says the company launched a search to find it. As of Apr. 9, says Farrar, the company had not discovered the e-mail or Poison Ivy in Booz Allen's networks. Farrar says Booz Allen computer security executives examined the PCs of Mulhern and an assistant who received his e-mail. "We take this very seriously," says Farrar. (Mulhern, who retired in March, did not respond to e-mailed requests for comment and declined a request, through Booz Allen, for an interview.)

Air Force officials referred requests for comment to U.S. Defense Secretary Robert M. Gates' office. In an e-mailed response to BusinessWeek, Gates' office acknowledges being the target of cyber attacks from "a variety of state and non-state-sponsored organizations to gain unauthorized access to, or otherwise degrade, [Defense Dept.] information systems." But the Pentagon declined to discuss the attempted Booz Allen break-in. The Air Force, meanwhile, would not make Stephen Moree available for comment.

The bogus e-mail, however, seemed to cause a stir inside the Air Force, correspondence reviewed by BusinessWeek shows. On Sept. 4, defense analyst James Mulvenon also received the message with Moree and Mulhern's names on it. Security experts believe Mulvenon's e-mail address was secretly included in the "blind copy" line of a version of the message. Mulvenon is director of the Center for Intelligence Research & Analysis and a leading consultant to U.S. defense and intelligence agencies on China's military and cyber strategy. He maintains an Excel spreadsheet of suspect e-mails, malicious code, and hacker groups and passes them along to the authorities. Suspicious of the note when he received it, Mulvenon replied to Moree the next day. Was the e-mail "India spam?" Mulvenon asked.

"I apologize—this e-mail was sent in error—please delete," Moree responded a few hours later.

"No worries," typed Mulvenon. "I have been getting a lot of trojaned Access databases from China lately and just wanted to make sure."

"Interesting—our network folks are looking into some kind of malicious intent behind this e-mail snafu," wrote Moree. Neither the Air Force nor the Defense Dept. would confirm to BusinessWeek whether an investigation was conducted. A Pentagon spokesman says that its procedure is to refer attacks to law enforcement or counterintelligence agencies. He would not disclose which, if any, is investigating the Air Force e-mail.


By itself, the bid to steal digital secrets from Booz Allen might not be deeply troubling. But Poison Ivy is part of a new type of digital intruder rendering traditional defenses—firewalls and updated antivirus software—virtually useless. Sophisticated hackers, say Pentagon officials, are developing new ways to creep into computer networks, sometimes exploiting vulnerabilities before those vulnerabilities are publicly known. "The offense has a big advantage over the defense right now," says Colonel Ward E. Heinke, director of the Air Force Network Operations Center at Barksdale Air Force Base. Only 11 of the top 34 antivirus software programs identified Poison Ivy when it was first tested on behalf of BusinessWeek in February. Malware-sniffing software from several top security firms found "no virus" in the India fighter-jet e-mail, the analysis showed.

Over the past two years thousands of highly customized e-mails akin to Stephen Moree's have landed in the laptops and PCs of U.S. government workers and defense contracting executives. According to sources familiar with the matter, the attacks targeted sensitive information on the networks of at least seven agencies—the Defense, State, Energy, Commerce, Health & Human Services, Agriculture, and Treasury departments—and also defense contractors Boeing (BA), Lockheed Martin, General Electric (GE), Raytheon (RTW), and General Dynamics (GD), say current and former government network security experts. Laura Keehner, a spokeswoman for the Homeland Security Dept., which coordinates protection of government computers, declined to comment on specific intrusions. In written responses to questions from BusinessWeek, Keehner says: "We are aware of and have defended against malicious cyber activity directed at the U.S. Government over the past few years. We take these threats seriously and continue to remain concerned that this activity is growing more sophisticated, more targeted, and more prevalent." Spokesmen for Lockheed Martin, Boeing, Raytheon, General Dynamics, and General Electric declined to comment. Several cited policies of not discussing security-related matters.

The rash of computer infections is the subject of Byzantine Foothold, the classified operation designed to root out the perpetrators and protect systems in the future, according to three people familiar with the matter. In some cases, the government's own cyber security experts are engaged in "hack-backs"—following the malicious code to peer into the hackers' own computer systems. BusinessWeek has learned that a classified document called an intelligence community assessment, or ICA, details the Byzantine intrusions and assigns each a unique Byzantine-related name. The ICA has circulated in recent months among selected officials at U.S. intelligence agencies, the Pentagon, and cyber security consultants acting as outside reviewers. Until December, details of the ICA's contents had not even been shared with congressional intelligence committees.

Now, Senate Intelligence Committee Chairman John D. Rockefeller (D-W. Va.) is said to be discreetly informing fellow senators of the Byzantine operation, in part to win their support for needed appropriations, many of which are part of classified "black" budgets kept off official government books. Rockefeller declined to comment. In January a Senate Intelligence Committee staffer urged his boss, Missouri Republican Christopher "Kit" Bond, the committee's vice-chairman, to supplement closed-door testimony and classified documents with a viewing of the movie Die Hard 4 on a flight the senator made to New Zealand. In the film, cyber terrorists breach FBI networks, purloin financial data, and bring car traffic to a halt in Washington. Hollywood, says Bond, doesn't exaggerate as much as people might think. "I can't discuss classified matters," he cautions. "But the movie illustrates the potential impact of a cyber conflict. Except for a few things, let me just tell you: It's credible."

"Phishing," one technique used in many attacks, allows cyber spies to steal information by posing as a trustworthy entity in an online communication. The term was coined in the mid-1990s when hackers began "fishing" for information (and tweaked the spelling). The e-mail attacks on government agencies and defense contractors, called "spear-phish" because they target specific individuals, are the Web version of laser-guided missiles. Spear-phish creators gather information about people's jobs and social networks, often from publicly available information and data stolen from other infected computers, and then trick them into opening an e-mail.


Spear-phish tap into a cyber espionage tactic that security experts call "Net reconnaissance." In the attempted attack on Booz Allen, attackers had plenty of information about Moree: his full name, title (Northeast Asia Branch Chief), job responsibilities, and e-mail address. Net reconnaissance can be surprisingly simple, often starting with a Google (GOOG) search. (A lookup of the Air Force's Pentagon e-mail address on Apr. 9, for instance, retrieved 8,680 e-mail addresses for current or former Air Force personnel and departments.) The information is woven into a fake e-mail with a link to an infected Web site or containing an attached document. All attackers have to do is hit their send button. Once the e-mail is opened, intruders are automatically ushered inside the walled perimeter of computer networks—and malicious code such as Poison Ivy can take over.

By mid-2007 analysts at the National Security Agency began to discern a pattern: personalized e-mails with corrupted attachments such as PowerPoint presentations, Word documents, and Access database files had been turning up on computers connected to the networks of numerous agencies and defense contractors.

A previously undisclosed breach in the autumn of 2005 at the American Enterprise Institute—a conservative think tank whose former officials and corporate executive board members are closely connected to the Bush Administration—proved so nettlesome that the White House shut off aides' access to the Web site for more than six months, says a cyber security specialist familiar with the incident. The Defense Dept. shut the door for even longer. Computer security investigators, one of whom spoke with BusinessWeek, identified the culprit: a few lines of JavaScript buried in AEI's home page,, that activated as soon as someone visited the site. The script secretly redirected the user's computer to another server that attempted to load malware. The malware, in turn, sent information from the visitor's hard drive to a server in China. But the security specialist says cyber sleuths couldn't get rid of the intruder. After each deletion, the furtive code would reappear. AEI says otherwise—except for a brief accidental recurrence caused by its own network personnel in August, 2007, the devious JavaScript did not return and was not difficult to eradicate.

The government has yet to disclose the breaches related to Byzantine Foothold. BusinessWeek has learned that intruders managed to worm into the State Dept.'s highly sensitive Bureau of Intelligence & Research, a key channel between the work of intelligence agencies and the rest of the government. The breach posed a risk to CIA operatives in embassies around the globe, say several network security specialists familiar with the effort to cope with what became seen as an internal crisis. Teams worked around-the-clock in search of malware, they say, calling the White House regularly with updates.

The attack began in May, 2006, when an unwitting employee in the State Dept.'s East Asia Pacific region clicked on an attachment in a seemingly authentic e-mail. Malicious code was embedded in the Word document, a congressional speech, and opened a Trojan "back door" for the code's creators to peer inside the State Dept.'s innermost networks. Soon, cyber security engineers began spotting more intrusions in State Dept. computers across the globe. The malware took advantage of previously unknown vulnerabilities in the Microsoft operating system. Unable to develop a patch quickly enough, engineers watched helplessly as streams of State Dept. data slipped through the back door and into the Internet ether. Although they were unable to fix the vulnerability, specialists came up with a temporary scheme to block further infections. They also yanked connections to the Internet.

One member of the emergency team summoned to the scene recalls that each time cyber security professionals thought they had eliminated the source of a "beacon" reporting back to its master, another popped up. He compared the effort to the arcade game Whack-A-Mole. The State Dept. says it eradicated the infection, but only after sanitizing scores of infected computers and servers and changing passwords. Microsoft's own patch, meanwhile, was not deployed until August, 2006, three months after the infection. A Microsoft spokeswoman declined to comment on the episode, but said: "Microsoft has, for several years, taken a comprehensive approach to help protect people online."

There is little doubt among senior U.S. officials about where the trail of the recent wave of attacks leads. "The Byzantine series tracks back to China," says Air Force Colonel Heinke. More than a dozen current and former U.S. military, cyber security, and intelligence officials interviewed by BusinessWeek say China is the biggest emerging adversary—and not just clubs of rogue or enterprising hackers who happen to be Chinese. O. Sami Saydjari, a former National Security Agency executive and now president of computer security firm Cyber Defense Agency, says the Chinese People's Liberation Army, one of the world's largest military forces, with an annual budget of $57 billion, has "tens of thousands" of trainees launching attacks on U.S. computer networks. Those figures could not be independently confirmed by BusinessWeek. Other experts provide lower estimates and note that even one hacker can do a lot of damage. Says Saydjari: "We have to look at this as equivalent to the launch of a Chinese Sputnik." China vigorously disputes the spying allegation and says its military posture is purely defensive.

Hints of the perils perceived within America's corridors of power have been slipping out in recent months. In Feb. 27 testimony before the U.S. Senate Armed Services Committee, National Intelligence Director McConnell echoed the view that the threat comes from China. He told Congress he worries less about people capturing information than altering it. "If someone has the ability to enter information in systems, they can destroy data. And the destroyed data could be something like money supply, electric-power distribution, transportation sequencing, and that sort of thing." His conclusion: "The federal government is not well-protected and the private sector is not well-protected."

Worries about China-sponsored Internet attacks spread last year to Germany, France, and Britain. British domestic intelligence agency MI5 had seen enough evidence of intrusion and theft of corporate secrets by allegedly state-sponsored Chinese hackers by November, 2007, that the agency's director general, Jonathan Evans, sent an unusual letter of warning to 300 corporations, accounting firms, and law firms—and a list of network security specialists to help block computer intrusions. Some recipients of the MI5 letter hired Peter Yapp, a leading security consultant with London-based Control Risks. "People treat this like it's just another hacker story, and it is almost unbelievable," says Yapp. "There's a James Bond element to it. Too many people think, 'It's not going to happen to me.' But it has."

Identifying the thieves slipping their malware through the digital gates can be tricky. Some computer security specialists doubt China's government is involved in cyber attacks on U.S. defense targets. Peter Sommer, an information systems security specialist at the London School of Economics who helps companies secure networks, says: "I suspect if it's an official part of the Chinese government, you wouldn't be spotting it."

A range of attacks in the past two years on U.S. and foreign government entities, defense contractors, and corporate networks have been traced to Internet addresses registered through Chinese domain name services such as, run by Peng Yong. In late March, BusinessWeek interviewed Peng in an apartment on the 14th floor of the gray-tiled residential building that houses the five-person office for in Changzhou. Peng says he started in 2001 with $14,000 of his own money so the growing ranks of China's Net surfers could register Web sites and distribute data. "We felt that this business would be very popular, especially as broadband, fiber-optic cables, [data transmission technology] ADSL, these ways of getting on the Internet took off," says Peng (translated by BusinessWeek from Mandarin), who drives a black Lexus IS300 bought last year.

His has indeed become a hit. Peng says the service has registered more than 1 million domain names, charging $14 per year for "top-level" names ending in .com, .org, or .net. But cyber security experts and the Homeland Security Dept.'s U.S. Computer Emergency Readiness Team (CERT) say that is a hit with another group: hackers. That's because and five sister sites controlled by Peng are dynamic DNS providers. Like an Internet phone book, dynamic DNS assigns names for the digits that mark a computer's location on the Web. For example, is the registrar for the name at Internet address, the China-based computer that was contacted by the malicious code in the attempted Booz Allen attack, according to analyses reviewed by BusinessWeek. "Hackers started using sites like so that the malware phones home to the specific name. The reason? It is relatively difficult to have [Internet addresses] taken down in China," says Maarten van Horenbeeck, a Belgium-based intrusion analyst for the SANS Internet Storm Center, a cyber threat monitoring group.


Peng's and sister sites have become a source of concern to the U.S. government and private firms. Cyber security firm Team Cymru sent a confidential report, reviewed by BusinessWeek, to clients on Mar. 7 that illustrates how has enabled many recent attacks. In early March, the report says, Team Cymru received "a spoofed e-mail message from a U.S. military entity, and the PowerPoint attachment had a malware widget embedded in it." The e-mail was a spear-phish. The computer that controlled the malicious code in the PowerPoint?—the same China-registered computer in the attempted attack on Booz Allen. Although the cybersyndrome Internet address may not be located in China, the top five computers communicating directly with it were—and four were registered with a large state-owned Internet service provider, according to the report.

A person familiar with Team Cymru's research says the company has 10,710 distinct malware samples that communicate to masters registered through Other groups reporting attacks from computers hosted by include activist group Students for a Free Tibet, the European Parliament, and U.S. Bancorp (USB), according to security reports. Team Cymru declined to comment. The U.S. government has pinpointed Peng's services as a problem, too. In a Nov. 28, 2007, confidential report from Homeland Security's U.S. CERT obtained by BusinessWeek, "Cyber Incidents Suspected of Impacting Private Sector Networks," the federal cyber watchdog warned U.S. corporate information technology staff to update security software to block Internet traffic from a dozen Web addresses after spear-phishing attacks. "The level of sophistication and scope of these cyber security incidents indicates they are coordinated and targeted at private-sector systems," says the report. Among the sites named: Peng's, as well as his,, and Homeland Security and U.S. CERT declined to discuss the report.

Peng says he has no idea hackers are using his service to send and control malicious code. "Are there a lot?" he says when asked why so many hackers use He says his business is not responsible for cyber attacks on U.S. computers. "It's like we have paved a road and what sort of car [users] drive on it is their own business," says Peng, who adds that he spends most of his time these days developing Internet telephony for his new software firm, Bitcomm Software Tech Co. Peng says he was not aware that several of his Web sites and Internet addresses registered through them were named in the U.S. CERT report. On Apr. 7, he said he planned to shut the sites down and contact the U.S. agency. Asked by BusinessWeek to check his database for the person who registered the computer at the domain name, Peng says it is registered to Gansu Railway Communications, a regional telecom subsidiary of China's Railways Ministry. Peng declined to provide the name of the registrant, citing a confidentiality agreement. "You can go through the police to find out the user information," says Peng.

U.S. cyber security experts say it's doubtful that the Chinese government would allow the high volume of attacks on U.S. entities from China-based computers if it didn't want them to happen. "China has one of the best-controlled Internets in the world. Anything that happens on their Internet requires permission," says Cyber Defense Group's Saydjari. The Chinese government spokesman declined to answer specific questions from BusinessWeek about

But Peng says he can do little if hackers exploit his goodwill—and there hasn't been much incentive from the Chinese government for him to get tough. "Normally, we take care of these problems by shutting them down," says Peng. "Because our laws do not have an extremely clear method to handle this problem, sometimes we are helpless to stop their services." And so, it seems thus far, is the U.S. government.

Grow is a correspondent in BusinessWeek's Atlanta bureau. Epstein is a correspondent in BusinessWeek's Washington bureau. Tschang is a correspondent in BusinessWeek's Beijing bureau.

What do you really need?

Image shamelessly taken from: This other blog


Maslow's hierarchy of needs

I haven't looked at the hierarchy of needs before, although it has been in my mind during conversations with my therapist. You know? The more I look at this list, the more I realize that I am OK in some areas but am so lacking in those same areas when I really come to think of it.

Physiological needs are pretty much taken care of and don't need much dwelling on.

Neither is safety.  One of the biggest resolutions I've made recently is that, if/when I leave a job or a situation, it'll be on my terms, not anyone else's. I've done well enough on my evaluations and performance reviews that, save me screwing up an inch short of WWIII, I won't get fired, at least I hope I won't.

When we get to the top 3 items in this little pyramid is where I find myself struggling and finding behavior in myself that I have never approved of and which I hate seeing in me. I've become judgmental; I've allowed my friends' (and so-called friends') actions to dictate how I deal with them, sometimes not realizing that I am guilty of the same behavior I'm so sharply criticizing in others. I want sexual intimacy (who doesn't?) but I have to be honest and accept the fact that I don't like being vulnerable to the degree that being in a relationship entails.

Over the last 5 years or so I've managed to build my walls to the point where I won't jump down someone's throat just because they made me feel vulnerable, but the walls have never been strong.... I've never been one of those "thick skinned" people who will smile and nod regardless of how brutal you are with them. Quite the opposite: I'm strong enough to be able to function in a team environment but not strong enough to handle when a team exercise becomes mud slinging 101. 

And this is how I get to self esteem which is, perhaps, the weakest of all my needs in terms of being fulfilled (even if it's the weakest need in my own eyes only). As I said before, self esteem is shaky but it exists. I am good at what I do even if sometimes I wonder whether what I'm doing is correct or not, whether other people are actually giving a damn about what I'm doing or not, whether what I do makes a difference or not and whether it matters if it's me doing what I do. I had one of those situations today as a matter of fact. I got assigned to do a survey and it was painful to get it over with; then I sent out a draft to the rest of the team and I got... one feedback response! Then today we had a team meeting where everyone started picking it apart.... My thinking, at the time, was that it would have been wonderful to get that feedback as I was putting the report together rather than bitching about it at a meeting.... Intellectually I know everyone is busy and has a shitload of stuff to do, but if this is reflecting on the entire team then they owe it to themselves to make sure it's the best product we can make, right? Someone in the gallery is saying that it's only because of the standard I hold myself to or that it's frustration with how things are currently happening at work and that's partly it, but I'm also feeling like I'm working in a vacuum and I don't like that.

Intellectually I know I've achieved a lot yet I don't feel like I have.  Someone used to tell me to be careful with always giving 100% because people would start expecting nothing but 100% from you and I think that has been the case here and at SJSU.  Give your 100% but don't do it consistently or set the expectations of your peers and managers accordingly.

At the top level of the hierarchy I'm lacking in spontaneity, lack of prejudices and creativity. I'll speak to each one of them in turn:

Spontaneity: For the first time in a long time, I am concerned about boundaries, particularly after getting my hands slapped for doing what I thought was necessary. Perhaps too concerned, to the point where I'm not making decisions but only carrying out other people's instructions and not enjoying my work because it is not really mine and the situations and people I'm with because there is resentment all around.

Is it satisfying? Most definitely not... necessary? yes, at least until I solidify what my position is or until I'm accepted at UGA and move out for my "next 4 years" 🙂

Creativity: Since I was deemed to be "spending too much time in extra curricular activities on university time" I've tried to keep those to a minimum. Unfortunately, those extra curricular activities included most, if not all, my creative and "shut brain down and let the brainstorm happen" time.  It is frustrating because there are a lot of things that I think we should be doing and we may well be, but there's no way for me to find out because I don't get those pollination times that I so like.

Lack of prejudices (and the adoption of other people's annoying behavior): Over the past few months I've become judgmental and prejudiced. I've also allowed myself to take on some behaviors of those people I don't particularly care for.


  • Utada Hikaru (Automatic)
  • Linkin Park


  • Managing Humans
  • How to get $20 out of a stubborn coworker


  • Blogging and putting off writing papers


  • Reruns of JAG and NCIS

Trickle Theory

From randsinrepose


Back at the start-up, we were shifting gears. After six months of talking about shipping a product, we needed to ship a product and nothing gets everyone’s attention like a deadline. The good news was that QA had been doing its job and there was a pile of work in our bug database. The bad news was that no one had looked at the database in months.

We had a Rent-a-VP at the time, and as temporary executives go, he was sharp. He quickly deduced our goal — “Ship a Quality Beta” — but he also quickly discerned that we had no idea about the quality of the product because of our pile of untriaged bugs.

He called a meeting with me, the QA manager, and the tech support manager. His advice: “Triage every single bug in this fashion and tell me how many bugs we’ve got to fix in order to ship this Beta.” And then he left.

Every single bug. 537 bugs. You gotta read the bug, possibly reproduce it, and then make an educated team decision. Let’s assume an average of five minutes per and you’re talking about… crap… 45 hours of bug triage. It’s an impossible task. I’ve got features to fix, people to manage, and I haven’t seen the sun on a Saturday in two weeks.

Let’s take a brief segue and talk about the huge value that exists in a bug database. In just about every company I’ve worked at, the only source of measurable truth regarding the product is the bug database. Marketing documents get stale. Test plans become decrepit. Test case databases slowly mutate into the unusable personal to do list of QA. The bug database is the only source of data regarding your product.

I know this. I know that once I’ve effectively scrubbed the bug database, I’ve got the single most informed opinion regarding the product.


537 unscrubbed bugs? 40+ hours of bug drudgery?

Please. I’ve got a product to ship.

My normal approach when faced with an impossible task is analysis because analysis gives you data, which in turn allows you to make a confident decision. So, I do what I did above: carefully estimate how long it will take to complete… 5 minutes x 537 = impossible. This fair estimate freezes me with fear. How in the world am I going to get my other five jobs done whilst scrubbing 40 hours of bugs? Once I’m good and lost in that fear, the impossible task, I’m no longer thinking about getting the task done, I’m thinking about the fear.

My advice is: START.

“But Rands… I’ve got three hundred tests to run and one day to…”

Stop. Go run one test. Now.

“Wait, wait, wait. Rands. Listen. They need this spec tomorrow @ 9am…”

Shush. Quiet. Go write. Just a paragraph. Now.

Welcome to Trickle Theory.

Our Villain

My traditional first move when managing impossible tasks is to put the task on a to-do list.

“There! It’s on the list. AaAaaaaaah… didn’t that feel good? It’s on the to-do list, which must mean it will be done at some point, right?” Wrong. Putting the task on the to-do list does one thing: it avoids The Critic.

Every story needs a villain and in this piece our villain is The Critic. This is your internal voice which does careful and critical analysis of your life and he’s gained a powerful place in your head because he’s saved your butt more than once.

He’s the one who told you that offer from the start-up smelled too good to be true. You remember that company, right? The one that simply vanished three months after you declined that stunning offer letter. It was The Critic who said, “How in the world can they afford to give anyone this type of offer when I don’t even understand their business model?”

The Critic was the one who calmed your inner nerd and convinced you to not buy HDTV three years ago and he told you not to trust that fast-talking engineering manager who emphatically guaranteed his team would be done on schedule. The Critic said, “People who talk fast are moving quickly to cover up the gaps in their knowledge.”

The Critic was right. The Critic gained credibility, but for this piece, he’s still the villain.

I know it feels great to get that impossible task on the to-do list. I know it feels like you actually did something, but what you’ve done is avoid conflict. You know that if you start considering the impossible task, The Critic is going to chime in with his booming voice of practicality, “RANDS, what are you THINKING? NO ONE ADDS FEATURES TWO WEEKS BEFORE A SHIP DATE!”

“Ok, alright, you’re right, but the boss wants it and when the boss gets something in his head it takes a lot of work to blah blah blah…” Now, you’re justifying, you’re worrying, and you’re arguing with The Critic when what you should be doing is starting.

Nothing Happens Until You Start

Let’s first break down impossibleness. For the sake of this article, there are two types of impossible tasks. First, there are impossibly dull tasks. This is work which requires no mental effort, but is vast in size. Bug scrubbing is a great example of this. At the other end of the spectrum are impossibly hard tasks. These are tasks like, “Hey Rands, we need a new product by Christmas. Yes, I know it’s October. Ready. Go!”

Oddly, attacking both boring and hard tasks involves the same mental kung-fu where your first move is starting.

Such silly, trivial advice… start. Still, take a moment and examine your mental to-do list or just look at your written one. How many terribly important tasks have been there more than a month? More than a year? Embarrassing, huh? It’s not that they’re not important; it’s just that you didn’t begin and you didn’t begin because the moment you think about starting, The Critic weighs in, “How will you even start? You’ll never finish! You don’t even know where to start.”

Begin. Go read the first bug. Don’t think about how many are left. Go to the next one and watch what happens. In just a few minutes, you’ll have made something resembling progress. Two more bugs and it’ll start to feel like momentum. Progress + momentum = confidence. The moment you see yourself tackle the smallest part of the impossible task, the quieter The Critic becomes because you’re slowly proving him wrong.


The second piece of advice is simpler than the first, which is hard to imagine. Iterate. Once you’ve kicked yourself out of stop, iterate becomes a little easier, but if you’re truly tackling an impossible task, The Critic simply isn’t going to shut up.

“Wow, you’ve closed five bugs… Only 532 more to go, sport!”

Iteration and repetition aren’t going to silence The Critic. Progress will. A beautiful thing happens when you point your brain at an impossible task. Once you’ve begun and start chewing on whatever the task is, you’ll start to see inefficiencies and begin to fine-tune your process. This is how an engineer who tells you, “It’s going to take two weeks to write that code” comes back after the weekend and says, “It’s done”. He honestly believed that it was a two week task, but as soon as he started chewing on the problem, he realized he’d written similar code a year ago, which, with a half a Saturday of tweaking, provided the same functionality.

The same applies to small, duller impossible tasks. Above where I estimated it’d take 5 minutes of triage for each bug, I didn’t take into consideration that after about 50 bugs, I was going to be really good at scrubbing bugs. I’d start to identify people who generally wrote good bugs versus those who didn’t have a clue. I’d learn the problematic areas of the product and learn where I could make snap judgments regarding bug viability. What was a five-minute triage window for the first 50 bugs was one minute for the next 50 and that turned into an average of 15 seconds per bug for the second hundred when I really got rolling.

This means that my original estimate of needing 45 hours for bug scrubbage turned out to be roughly 7 hours. What I thought would take a week is actually going to take one solid day.

Do not believe that this gives you the authority to slice every single estimate by 5. Turns out that impossible tasks, upon consideration, actually are terrifically hard. Believe this: an individual tends to be very bad at work estimates until they’ve begun the work.


Crap. You’ve been saddled with an impossible task and after a weekend of no sleep you have confirmed, yes, the task is impossible. In fact, you’ve started, you’ve iterated, and you still have no clue how to actually complete the task. Story time.

This spring I had a crew come up to clear some brush on the property. Now, the property is a pleasant combination of oaks, bays, and redwoods, but much of it had become overgrown and inaccessible. My first thought when I moved in was, “Hell yes, I’ve got clearing mojo!” My thought after one weekend of clearing, when I was partially successful at clearing up 50 square feet of 5 ACRES OF FOREST was, “Impossibly boring”.

This attitude gave me a unique curiosity when the crew of three men showed up, chain-saws in hand, to clear the land. They had no issue starting and they clearly had the iteration thing down, but they also demonstrated the last and most important component of Trickle Theory: mix-it-up.

It went like this: one guy would cut and drag brush into the fire, another would cut trees down, and the third would trim fallen trees. This went on for a while and then they’d all switch. Now, drag guy was cut guy, cut guy was hauling wood guy and trim guy was stack guy. During lunch, I sat down and asked, “When do you guys switch jobs?”

“When we’re bored.”

Beautiful, beautiful Trickle Theory. How cool is this? If you’re working on an impossibly hard or impossibly dull task and you find yourself mentally blocked by boredom or confusion, stop and do something else. The benefits of stopping are stunning.

First, stopping smacks The Critic squarely across the face. See, he’s also the voice in your head saying, “Uh, if we don’t work hard on this, we’re screwed”. And the longer you sit there grinding out the impossible task when you don’t want to, the louder he gets.

Second, stopping to do something else is fun for you and your brain. It breaks the cycle of whatever tasks you’re doing and points your grey matter at a whole new problem and your brain loves new, it consumes new with vim and vigor, and that puts spring in your proverbial mental step.

Third, and most important, even though you are stopping, your brain is bright enough to keep background processing the impossible task. This is why we find so much inspiration in the shower; you’re stopping and letting your brain wander, and your brain is smart. Your brain knows how important it is to rewrite that feature in two days and your brain is always working on that feature whether you know it or not.

“Wait, wait, wait. Rands, let me get this straight. Your suggestion when I’ve got a looming impossible deadline is to stop working on my deliverables?”

What I’m saying is, when you’re facing an uphill mental battle with yourself regarding the impossible task, it’s time to choose another battle… that isn’t a battle.

Entropy Always Wins

My life appears to be an endless series of tasks which are geared to slightly tidy up my world. Viewed as a whole these tasks represent a lot of work. Viewed against the actual amount of entropy in play in my small part of the world, these tasks represent a futile effort.

Fact is, your world is changing faster than you’ll ever be able to keep up with and you can view that fact from two different perspectives:

1) I believe I can control my world and through an aggressive campaign of task management, personal goals, and a CAN DO attitude, I will succeed in doing the impossible. Go me!

2) I know there is no controlling the world, but I will fluidly surf the entropy by constantly changing myself.

Surfing entropy takes confidence. This isn’t Tony Robbins confidence, this is a personal confidence you earn by constantly adapting yourself to the impossible.

# September 25, 2006

Beginners mind versus the mind that just wants to begin

"In Japan we have the phrase Shoshin, which means 'beginner's mind.' The goal of practice is always to keep our beginner's mind. Our 'original mind' includes everything within itself. This does not mean a closed mind, but actually an empty mind and a ready mind. If your mind is empty, it is always ready for anything; it is open to everything. In the beginner's mind there are many possibilities; in the expert's mind there are few."

- Shunryu Suzuki

It is a good question, isn't it? How to keep from filling your mind with the everyday bullshit that people want to dump on you versus how to keep an open and fresh attitude, how to keep the beginner's mind versus what the world is trying to heap on you?

I've been thinking a lot about dad, as I haven't in a while. The more time passes and the closer I get to 40... yeah, yeah, I hear the gallery pointing out that 34 is not close to 40. Yeah, it isn't but it's damn closer than 20 or 25, isn't it.... now the gallery can Shut The Fuck Up (STFU from now on).

The picture to the left is the last one I have with my dad; it was taken in 1999 at a cousin's home. From left to right: Dad, cousin's son, me.

There are always those little things that catch you by surprise when you're flying low. They don't always make sense; like the fact that my sideburns and temples are whiter and whiter every time I look in the mirror and that my dad was mostly white haired when we last saw each other. Or the aborted trip to Spain so he could get his PhD and how upset I was about that. Or the time when I found out he had passed away and how much I didn't cry but how guilty I felt about not crying afterwards.

When I let my guard down those little (and not so little) depressing thoughts sneak by and kick my ass hard.

Part of the reason why I want to go to Chile in December and why I'm getting everything ready for UGA and USU before September is that I want to have as much disposable income as possible before I go.  I want to make sure that I can afford the trip.

Another part of the reason is that I want to put the past to rest and, finally, be able to move on. Until I spend time with family and friends and finally come to terms with my dad not being with me anymore I don't think/feel like I'm ever going to move on.... The images, both good and bad, will stay with me until I'm ready to face them and say "Yes, you're a part of me but a part that I can now live with, a part that doesn't hurt to think about."

It's not forgetting who I am or where I came from but it has more to do with the fact that, while I need to acknowledge where I came from, that's not who I am any longer. I think that my time here in the US has really (re)defined who I am, what I do and where I'm looking at going professionally; it has shaped my attitudes and my work ethic way beyond what they were when I moved here. It has polished my actions and reactions to personalities from what they were when I arrived to where I can look at something and dissect it without getting angry about it and where I have really learned what life is all about.

I miss people whom I haven't seen, f2f or online until recently. I thought I had put this all behind, that I had accepted that my friends from my "growing up" years were there to talk if I really wanted to. But we lost track of each other then I moved to the US and it was as if I had never known them and then, boom! They come back into my life as if they had never left, and I wonder if they ever did.


It's the end of the world as we know it (and I feel fine)

That's great, it starts with an earthquake, birds and snakes, an aeroplane -
Lenny Bruce is not afraid. Eye of a hurricane, listen to yourself churn -
world serves its own needs, regardless of your own needs. Feed it up a knock,
speed, grunt no, strength no. Ladder structure clatter with fear of height,
down height. Wire in a fire, represent the seven games in a government for
hire and a combat site. Left her, wasn't coming in a hurry with the furies
breathing down your neck. Team by team reporters baffled, trump, tethered
crop. Look at that low plane! Fine then. Uh oh, overflow, population,
common group, but it'll do. Save yourself, serve yourself. World serves its
own needs, listen to your heart bleed. Tell me with the rapture and the
reverent in the right - right. You vitriolic, patriotic, slam, fight, bright
light, feeling pretty psyched.

It's the end of the world as we know it.
It's the end of the world as we know it.
It's the end of the world as we know it and I feel fine.

Six o'clock - TV hour. Don't get caught in foreign tower.
Slash and burn, return, listen to yourself churn.
Lock him in uniform and book burning, blood letting.
Every motive escalate. Automotive incinerate.
Light a candle, light a motive.
Step down, step down. Watch a heel crush, crush.
Uh oh, this means no fear - cavalier.
Renegade and steer clear! A tournament, a tournament, a tournament of lies.
Offer me solutions, offer me alternatives and I decline.

It's the end of the world as we know it.
It's the end of the world as we know it.
It's the end of the world as we know it and I feel fine.

The other night I tripped a nice continental drift divide. Mount St. Edelite.
Leonard Bernstein. Leonid Breshnev, Lenny Bruce and Lester Bangs.
Birthday party, cheesecake, jelly bean, boom! You symbiotic, patriotic,
slam, but neck, right? Right.

It's the end of the world as we know it.
It's the end of the world as we know it.
It's the end of the world as we know it and I feel fine...fine...

Sure as hell change is scary! But it's in that scariness that I find my mental health and peace of mind. I started my application to UGA's PhD program in IT.... I can hear the gallery crying "It's about fucking time." And it is, but now I'm 100% into it and nothing will stop me from getting there. Application is done, all I need is to contact the department to make sure that I'm sending the right information to the right people. I'm also applying to USU's Doctoral Program in IT as an insurance measure and for the additional challenge.

This is my way of telling my instincts that I'm sorry for not having paid attention to them and to my brain to say it's time to start the next challenge.

I'm also starting to think beyond the PhD programs I'm applying to now. I have to be optimistic about getting accepted to at least one of the schools above. But I also have to be realistic enough to know that I may not.  In that case I may just go for a doctoral degree at Berkeley's School of Information or maybe a doctorate in curriculum studies and teacher education at Stanford and take it from there.

I didn't see it then, but it turned out that getting fired from Apple was the best thing that could have ever happened to me. The heaviness of being successful was replaced by the lightness of being a beginner again, less sure about everything. It freed me to enter one of the most creative periods of my life.

Steve Jobs' Commencement @ Stanford

It is so freeing and relaxing to be in this situation! I think it's the first time in months that I can relax and not worry about what's coming next, at least until I take the GRE in June 🙂

Supernatural or Superserious?

R.E.M (Accelerate)

"my brain is the key that sets me free" - harry houdini, 1874-1926

everybody here
comes from somewhere
that they would just as soon forget
and disguise

at the summer camp where you volunteered
no one saw your face,
no one saw your fear
if that apparition had just appeared
took you up and away
from this base and sheer

of your teenage station.

nobody cares
no one remembers
and nobody cares

yeah you cried and you cried
he’s alive he’s alive
yeah you cried and you cried and you cried and
you cried
if you call out “safe”
then I’ll stop right away
if the premise buckles
and the ropes start to chafe
the details smart
but the story’s the same
you don’t have to explain,
you don’t have to explain

of your teenage station.

yeah you cried and you cried
he’s alive he’s alive
yeah you cried and you cried and you cried and

realized your fantasies
are dressed up in travesties
enjoy yourself with no regrets

everybody here
comes from somewhere
that they would just as soon forget
and disguise

yeah you cried and you cried
he’s alive he’s alive
yeah you cried and you cried and you cried and
you cried

now there’s nothing
dark and there’s nothing weird
don’t be afraid i will hold you near.
from the seance where you first betrayed
an open heart on a darkened stage.

a celebration
of your teenage station.

inexperience, sweet, delirious.
supernatural, superserious.
inexperience, sweet, delirious.
supernatural, superserious,