
Security Update for the LastPass Extension


Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.

In the meantime, we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market. And we want to offer our users a few steps they can take to further protect themselves from these types of client-side issues.

  1. Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.
  2. Two-Factor Authentication on any service that offers it – Whenever possible, turn on two-factor authentication with your accounts; many websites now offer this option for added security.
  3. Beware of Phishing Attacks – Always be vigilant to avoid phishing attempts. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies. Take a look at our phishing primer.

We’ll provide further updates on the patch once complete.


Passages & Plunder – Safety of the Surface

Passages & Plunder is a board game of exploration and greed I’m working on. There’s a playtest version available, try it! This post is a design diary that won’t make much sense unless you’ve played it, so there.

The basics of colony management and Underworld exploration worked from the start. They’ve been refined a lot, different approaches tried and discarded, sure, but they worked. The ending didn’t. It’s a game where only one person can win, and with an open score there was no doubt as to who was winning. Which almost inevitably meant everyone else would not contribute to surviving, instead focusing on getting as many points as possible. While it was the intended behavior, it meant the games would end in everyone’s defeat. Lose due to score, by helping someone else win, or lose together due to the colony being overrun – not a great choice. The problem, I realised, was in players knowing who was ahead.

I’d considered obfuscating the score. What if the plundered resources (printed on expedition cards) sent to the Surface were not tallied on the track, but kept in a pile, to be counted at the end? But that would turn the game into a giant memorization exercise. And besides, there isn’t a lot of variance in the amount of resources on each expedition, just knowing the number of cards in the pile would tell you enough. This didn’t seem worthwhile.

The approach I had actually tried was to have secret objectives revealed at the end of the game. “Gain 2 points for each dead colonist”, “Gain 3 points for each building”, that sort of thing. It was… okay. Along with identities that gave bonus points for specific actions (“Priest: gain 1 point each time you donate a card to the warehouse”), it also addressed another issue: single path to victory. If all that matters in the end is the score, and the score is gained by completing expeditions and nothing else, everyone behaves the same way. Moreover, it doesn’t matter how we get to the end, what state the colony is in. Only the score matters.

With goals and identities, things got better. Goals introduced some uncertainty and a bit of long-term strategy. Identities varied turn-to-turn tactics. But it was 2 extra decks, 2 extra cards each player would get. It was extra bits, not an extra system. And I like systems. It didn’t feel right.

Enter Sponsors. Sponsors are an amalgamation of both goals and identities. Flavor-wise, they are the powerful organizations that are paying for the colony and expecting a return on their investment. Each sponsor has an action that earns their favor (donating a card to the warehouse earns you the favor of the Empress), and an event that advances their agenda on a separate track (the Pledge gains points each time a colonist dies). You can see how the previous ideas have been folded into this one. In addition to specific events, each sponsor likes two out of four resources in the game, and selling them to the sponsor advances that sponsor’s agenda as well.

At the end of the game, players earn bonus points based on their relative standing with sponsors and the sponsors’ agenda score. Uncertainty comes from a simple rule: at the end of each turn, players take the favor tokens they earned that turn, and secretly choose only one to keep, discarding the rest for a point each.

Finally, a dynamic system. Have you invested heavily into a particular sponsor by choosing to keep their favors? Perhaps you’ll try and advance their agenda. Is another sponsor getting ahead? Now may be the time to do them a favor or two.

It took several games to get the numbers right. It also quickly became apparent that not enough favor tokens were entering the game, with players mostly ending the turn with only one. That failed the uncertainty requirement, so I added quests: every time a sponsor’s agenda advances past a certain point on the track, the mayor takes their favor token and places it on one of the expeditions, to be claimed by whoever completes it. If a sponsor is doing well, more people have a chance to get into their good graces. More dynamic, more system!

As sponsors are a new addition, I expect they’ll still undergo some change. For instance, right now it may in fact be better to go for the second place in each sponsor rather than vying for the first. I’m not sure if that’s the way I want it to be. More playtesting is required, clearly. And I may still add secret goals back into the game, now that they have sponsors as a foundation.


Freefall 2946 March 27, 2017


American Snoper

The truth will not set you free

How modern conflicts play out in the informatics sphere, what I mean when I talk about cyber war, is happening in France. After France there will be Germany, then the Scandinavian countries have their elections. There is no chance that Putin attempting to shape the world to best suit Russian interests will abate. Currently, the strongest area that he can contend in is the informatics sphere, the cyber realm, where human perception of reality is shaped.

Attention not Deception

Russians believed that creating a narrative that democracy was corrupt in implementation and releasing curated proof of this was persuasive. In fact, it was simply the tempo of releases keeping the Democrats (or Republicans) from ever getting any of their own messaging out. This was a successful attack because of attention budget consumption, not a narrative.

Speculation! Russia is used to a population that knows not to believe the newspapers, to read between the lines, to accept the official line in public and not question it. They very likely believe that the Americans read and accept the false narrative because it was presented, with evidence, and then the objectives of the operation were met. That is, they presented a narrative and backed it up and the op worked, the lesson they’d learn from that is that they can create narratives that people will accept. I don’t believe this is true. I believe they are thus vulnerable in that they don’t know why their operation worked.

Another way: the Russians crafted a narrative that they then “supported” with a curated set of “evidence” stolen from various people and institutions. They presented this narrative and supporting proof, pushed it hard using a number of channels (leaks, bots, propaganda outlets, etc.) and surprisingly, it worked. For them, the take away is simple: craft a narrative (in this case: corrupt democracy) and provide supporting “evidence.”

This is not why their attacks were effective (part of what helped is the extremely partisan Breitbart dominated “conservative reality distortion field.”) The main effect that the Russian hacks had, via the Wikileaks cut-out releasing portions of Podesta’s emails in a steady drip, was that they crowded out all other news stories. This total domination of the news cycle sucked the oxygen out of the room for the candidates’ own messaging. If the Russians want to repeat their success in France, they don’t need to go to the trouble of crafting a narrative and presenting it, they simply need to release the inbox of a TV5 reporter every other day.

Stop Kicks and Counter Attacks

There are a very few cases where the Russian influence operation was weak or stopped. This was when the WashPo exposed them, which came as a surprise and left them scrambling to react – hence Guccifer 2.0. Unfortunately for the American media, they were not capable of pressing their advantage (only VICE continued to hammer G2.)

The Russians, when they choose the time and place for action, are formidable. But when they are forced to cyber before they’re ready, then things fall apart. They cobbled together Guccifer 2 very rapidly from various parts. A cyber Frankenstein: the name of a Romanian hacker who’d just claimed to have hacked HRC’s email server; unsanitised documents already selected for DCLeaks; poorly coordinated emails and website construction. After the poor metadata hygiene was pointed out, they sanitised all future documents.

Proper planning prevents piss poor performance.

They learned that they can’t operate a real time deception (the interviews were terminated for a FAQ after they got tripped up with the Romanian language questions.) This “just wing it” approach has very seldom worked for intelligence operations. Experienced case officers know that good results come from good plans, not thinking on your feet.

Recommendation: move against them before they start ops. They have shown great agility and responsiveness, but they make mistakes when they have to wing it. Force them to wing it as much as possible.

Cyber Defoliate

The recalcitrant nature of the US IC to produce damning evidence against the Russian meddling is understandable. Burning sources and methods is extremely expensive. The problem here is that:

The fog of cyberwar is the war

Uncertainty and lack of transparency are strategic advantages that the opposition (the Russians) have used to maximum effect. This ranges from their denials of the Little Green Men in Crimea, to the denials of war in Ukraine, to the denials of hacking political targets and attempting to influence the political campaign:

[Putin]…denied allegations of Russian interference in the election, but said “maybe we helped a bit with WikiLeaks.” — Source

Troll armies work

People, human beings, only have so much energy to invest into something. Arguing with strangers on the internet is just the sort of energy sapping activity that is exhausting. A tarpit of never ending pain, frustration and boredom. This is one of the reasons that troll armies work, they exhaust people who are genuinely engaged in a topic.

The trolls enjoy what they are doing far more than the victims. This is a basic rules for radicals tactic. Indeed, most of the rules for radicals apply very well to cyber electioneering.

Recommendation: create troll counter armies. Attack the identified trolls to keep them away. A skirmish line of troops protecting civilians. Much of this could be automated with bots as well.

Recommendation: they don’t react well to evidence that implicates them. There is a reasonable chance that putting strong dossiers out early will make them less aggressive, less effective, and reduce their freedom of movement.

Learning the wrong thing

A number of erroneous “Lessons Learned” have been drawn from the cyber conflict around the US election. There were a number of issues at play.

  1. Systems compromise: usually abbreviated as “the DNC hack” it actually involved a large number of penetrations. Some were typical passive monitoring espionage (accepted norms of behaviour), there was a lot of additional hacking of think tanks, strategy centres, sympathetic voter roll databases, individuals at the centre core, and peripheral people that had useful information or access.
  2. Leaks: this includes several waves of leaked mail spools by Wikileaks, and a number of other communications channels including sympathetic news agencies (such as The Intercept, Breitbart, and Info Wars.) The main lesson the Russians learned here was that using their own platform (DCLeaks) was a failure because it didn’t have sufficient page views to consume attention, they needed established channels with credibility and large audiences.
  3. State propaganda: Russia Today and other controlled media was used to provide an alternative news source that was completely under Russian editorial control. This allowed for significant releasing of information to shape and support the narrative.
  4. Shadow Brokers: the Russians used very expensive signals to throw the US intelligence community into disarray when they should have been working to counter Russia ops more aggressively. This was very well done and involved weeks of preparation work before being released at the strategically appropriate time.
  5. Defeat in Detail: Facebook and other “filter bubble” systems have allowed the voting electorate to become splintered into smaller spheres of like minded “echo chambers.” The opposition was able to craft a specific message for each echo chamber and control the information within each target. This is extremely powerful.

Garbage In, Garbage Out

The lessons that journalists, Services, and many in the public are drawing from the Russian influence operations against the US, as well as the rash of independent freelance influence operations (see: Macedonian teenagers, random dude out for a quick buck, etc.), are mostly just wrong.

The biggest take away that Europe, for example, seems to have developed is a firm belief that “setting the record straight” or providing a central authority of “true facts” will allow them to defeat disinformation. This is wishful thinking at its worst. There are a number of reasons that this will not work, but I’ll limit myself to a few of them:

1. Fact Checking Doesn’t Work

There was no lack of fact checking during the US election, but it had little impact. People simply didn’t care, “I know too much about a good story to let the truth get in the way,” and “never underestimate the ability of people to rationalize anything.”

2. Ammunition, Not Information

People read news for ammunition, not information. It seems unlikely that those committed to voting one side or the other are much concerned with verifying the validity of a story. They want something to be outraged by (high valence), or they want something to reinforce their pre-existing world view.

3. Disinformation Doesn’t Require Falsehood

Creating a narrative doesn’t require lying. As a classic example, say that the UK Air Force reports that their guided munitions have a 74% accuracy; the papers could run either “Over a Quarter of Bombs Miss” or “Almost Three Quarters of Bombs Hit Target.” Both variants are true, but present the same fact from different angles. Examples of using distorted versions of facts to achieve aims are extremely prevalent. Media outlets are more than happy to present facets of a story that align with their interests. The opposition will happily supply these media outlets with data for favourable stories.

Direct Channel To The Opposition

Historically, the KGB loved telephones (and other systems) that they knew were monitored by their opposition. They believed, in many cases correctly, that the opposition would believe whatever intelligence they collected from the surveillance was reliable, AAA rating. The KGB thought of these surveilled systems as a direct channel to the opposition where they could control what was revealed and when it was revealed. The typical KGB technique during this time (everyone good still does it) was to place only fragmentary hints about a narrative, and allow the opposition to reach the conclusion themselves. People believe conclusions they have drawn themselves better than those told to them, so the KGB was basically enlisting the opposition’s analysts to become champions of the disinformation.

I suspect that the current FSB views certain channels of communication in the same way. My speculation is that they are treating Wikileaks as a “tapped phone.” They know that they can feed data into Wikileaks and it will be published in a reasonable time (they probably have very good models of how long it takes from “leak” to publication.) They can basically reveal the information they want the opposition to know about, via a cut out, that leads to a response, a reaction, by the Western Services.

Take their horse out the race

In France there are two very clear outcomes that work well for Russia: either Fillon gets elected, or Marine Le Pen. The early polls showed that the likely second round of voting would be a run off between MLP and Fillon. A win-win for Russia.

Instead, because Fillon had betrayed Sarkozy, or someone else similarly powerful within his party, he was knifed in the back. His petty embezzling was exposed and his poll numbers collapsed. Somehow, he has managed to stay in the race. Then there was a crucial rally for him. If he fails to draw a large crowd, he’ll probably have to drop out. The rally was rained out. Somehow, despite all this, Fillon is not done.

So what?

This is extremely interesting because it was not an anti Russian meddling counter attack, but rather internal French politics as usual. The result though, has been wonderful. Fillon was significantly more palatable than MLP so with him floundering, that makes for an interesting opening. It also takes one Russian horse out of the race, limiting their options and reducing their “win states.”

Now, the most recent development, both Fillon and MLP are under investigation. Misuse of public funds. MLP is essentially broke, she has only Russian money available to her. If she takes it, that’s going to look bad. If she doesn’t take it, she won’t have sufficient funds. Combined with the investigation, this may lead to both MLP and Fillon being forced out of the race due to circumstances.

Recommendation: take the Russian horse out of the race. Remove their incentives to interfere. Although they will likely still make some moves, even just as spoilers, they are robbed of the opportunity for victory. They have no winning outcome.

Speculation: Russia will target the investigations and attempt to damage the people or institutions involved, such as the judges or prosecutors. They’ll also figure out a way to get MLP some much needed cash.

For now?

Right now, who knows what will happen in the weeks before the election. There is a lot that can happen still.

The most likely action is that Putin will continue to attack Macron. Probably not using a coordinated barrage like the beginning of February which saw Wikileaks, Russia Today and a few other outlets attempt to push a narrative (“Macron is a Rothschild banker,” which apparently has strong negative connotations for French voters.)

If I had to guess, I believe that curated “leaks” of Macron staff emails and Telegram conversations are going to be used to make him look bad. This is very likely to happen, I think, regardless of whether Fillon or MLP are still viable candidates.

Macron has been playing this poorly with regards to the Russians. Earlier this month he complained about “thousands of cyber attacks per day from Russia” which is, quite frankly, horse shit. Wasting credibility on such a meaningless event is only going to hurt him in the long run when he’ll need to counter the real attacks.

What is to be done?

What Macron needs to do is to make sure that his staff are locked down as securely as possible (GMail, 2FA, etc etc), and move his inner circle to a non attributable compartmented comms system. For example, using Threema on dedicated iPhones with Reservoir Dogs style code names for principals. Migrate regularly to new equipment, names, etc. This will make the job of penetrating the external layer harder and it will make the job of the analysts dealing with exfil from the inner circle (assuming they can get it) much harder. It contains and restricts the damage of a penetration and exposure, and it raises attacker costs in terms of resources, some of which don’t scale (eg time).

The French DGSE, CERT and other elements need to respond immediately to “leaks” by revealing their origin in Russia. The affected candidates need to demonstrate immediately whether the documents leaked have been tampered with or altered. This will help to reduce the credibility of additional future leaks. Immediately attack the lies, mistakes, and fabrications for what they are. The Americans made the mistake of sitting back and hoping for the best. It seems to me that the Russian way of cyberwar is not very capable of responding to counter attacks, so rather than attempt to preserve secrecy or dignity (both of which are lost anyway), use the opportunity to expose the active manipulation of the Russian intelligence services. This will help to reduce the credibility of future leaks.


WikiLeaks and the Economy

I have this theory about how my work coincides with the health of the economy. For my job, I develop computer security and forensic tools. When people are happy and employed, they usually don't do bad things. That, in turn, means that companies don't need someone like me or the tools that I provide. During the last few years of the Obama administration, the economy was booming, layoffs were down, and people were generally happy. My workload dropped to a trickle.

In contrast, when people are unhappy at work or companies begin layoffs, then people start doing bad things. And that drives up the need for forensic tools and the kinds of services that forensic experts (like me) provide. Work began picking up a few months before last year's election. But this has been an amazingly busy month. (Why haven't I blogged in a few weeks? I've been too busy!)

Changing Times

One of the things that has been on my mind for the last few months has been WikiLeaks. WikiLeaks was originally intended as an outlet for whistle blowers. It was explicitly created as a forum for disseminating stolen/authentic documents from anonymous sources.

I'm not going to focus on whether WikiLeaks is a good idea, or even if it has benefited society or harmed innocent people (the answer is "yes" to both; it just depends on which leaked documents you view). Rather, I've been very concerned about how WikiLeaks has evolved from a mostly unbiased outlet to a clearly biased tool.

One of the really obvious changes happened right before the presidential election. Shortly before the election, WikiLeaks released information that damaged the democratic candidate. The release was immediately criticized as being an attempt to sway the outcome of the election. WikiLeaks founder, Julian Assange, denied the allegation. And in the last few months, there have been revelations that Russia used WikiLeaks explicitly to influence the election.

It is still unclear to me whether WikiLeaks was a willing participant in how they influenced the election, or whether they were stealthily manipulated by Russia. Was the active participation part of an intentional collaboration with Russia, or were they just amazingly naive about how they are used?

However, actions from WikiLeaks over the last few weeks show a very explicit focus on maliciousness. If WikiLeaks was not intentionally evil then, they certainly are now. The two events are the release of a Cisco exploit, and the attempted blackmailing of major computer companies.

The Cisco Exploit

Part of a recent dump at WikiLeaks included information about a vulnerability in some Cisco routers. The flaw (CVE-2017-3881) involves the Cluster Management Protocol (CMP) processing code. There is currently no patch available. The official workaround requires disabling telnet on all Cisco routing products.

This vulnerability was picked up by the media on March 19th.

There's a web site called Down Detector that tracks real-time network outages. For the last few days, people who use Comcast as their ISP have been seeing widespread outages that last hours (or even days). Here's a sample screen capture showing the outage map on the morning of 2017-03-24:

The map shows Comcast outages in major population zones -- but not everywhere that Comcast is located. To me, this looks like a targeted cyber attack. It also suggests that Comcast has been significantly compromised. This type of access could even impact their billing systems; I wouldn't be surprised if Comcast eventually announces the theft of all customer information.

I sent a couple of tweets to @comcast and @comcastcares about these outages. Usually they respond with a generic, unhelpful message. Or a request to follow them and PM them with personal details. But this time, they just ignored me. I couldn't even find any statements by Comcast about these outages. Whatever it is, they seem to be keeping it quiet.

While I couldn't find anything from Comcast, I did find a case-study by Cisco about how Comcast is using Cisco routers for their primary infrastructure.

My educated hunch is that (1) WikiLeaks released the Cisco exploit without thinking about the impact, and (2) Someone weaponized the exploit and used it against Comcast. (Consider this a prediction -- I'm still waiting for details to be released.)

WikiLeaks as Extortion

If you have a new exploit, then you have a few options:

  • You can keep it secret. This usually implies a maliciousness where you intend to use the exploit for your own gains.
  • You can sell it to someone else. This implies that someone will pay to keep it quiet and that they will use it for their own gains.
  • You can release it publicly, like the Cisco exploit. This implies an irreverence toward the vendor and consumer safety.
  • Or you can report it to the vendor. There are many different ways to responsibly disclose a vulnerability to a vendor. However, blackmail isn't one of them.

As reported by media outlets, "WikiLeaks won't tell tech companies how to patch CIA zero-days until its demands are met". As reported by Motherboard:

"This week, Assange sent an email to Apple, Google, Microsoft and all the companies mentioned in the documents. But instead of reporting the bugs or exploits found in the leaked CIA documents it has in its possession, WikiLeaks made demands, according to multiple sources familiar with the matter who spoke on condition of anonymity."

The specific demands have not been made public. (I'm betting that at least one demand covers not assisting government or law enforcement, which would be ironic considering how WikiLeaks assisted Russia in influencing the election.) Meanwhile, the companies have responded with public statements that range from not having enough information to evaluate the claims, to saying that many of the exploits are old and already patched.

WikiLeaks used to be about helping whistle blowers and disclosing secret abuses. But that's not the case anymore. The motives at WikiLeaks have changed. They have evolved from a government collaborator/conspirator (assisting Russia) to an extortionist that cares nothing about the community's safety and privacy.

Keeping Busy

The final outcome from these most recent actions by WikiLeaks is not going to be a happier world. Between irreverence and extortion, companies are going to view WikiLeaks as a malicious element. And nothing from these actions will result in more privacy or a safer environment for users and consumers. In effect, WikiLeaks has seriously damaged their own reputation and no longer considers the harm they cause.

Unhappy companies, unhappy users, unhappy consumers... sounds like job security to me. Now, back to work!

Lessons From the Deadliest Chemical War That Didn’t Happen

Soviet Pioneers in 1937. Viktor Bulla photo via Wikimedia

Britain and Germany were loaded to the gills with chemical weapons but avoided them on the battlefield


Since the end of World War I, the only substantial chemical attacks in warfare have occurred in East Asia and the Middle East. Japan poisoned Chinese troops with gas in the 1930s. Egypt dumped poison gas on Yemen in the 1960s, and Iraqi dictator Saddam Hussein killed thousands with chemical weapons in the 1980s. Most recently, chemical attacks have occurred in Syria and Iraq.

But how is it that chemical weapons were rarely used during World War II in Europe, when both Nazi Germany and the United Kingdom possessed vast stockpiles of these weapons of mass destruction?

In retrospect, it’s clear that had either side used chemical weapons, the war could’ve rapidly changed — and escalated — into a chemical conflict neither side was confident they could win. Think of it as a precursor, of sorts, to the nuclear standoff between East and West during the Cold War.

Germany’s chemical arsenal at the onset of World War II was both much larger and deadlier than what its military had during the First World War. In 1939, Germany for the first time weaponized sarin, a highly volatile, odorless liquid that turns into a gas, attacks the nervous system and kills quickly.

Between the wars, Britain considered using poison gas to suppress rebellious tribesmen in northwest India and Iraq. Winston Churchill, then Secretary of State at the British War Office, favored chemical weapons and believed them to be more humane than conventional bombings.

“Gas is a more merciful weapon than high explosive shell and compels an enemy to accept a decision with less loss of life than any other agency of war,” Churchill argued. “The moral effect is also very great. There can be no conceivable reason why it should not be resorted to.”

Churchill favored lachrymatory agents, hence tear gas, for the most part. While Churchill did contemplate using mustard gas in Iraq, ultimately Britain did not resort to chemical attacks on the “recalcitrant natives.”

Italy did use mustard gas on a large scale in Ethiopia in 1935 and 1936, and Japan used poison gas in its war in China but opted not to against the Western powers. In 1942, Britain secretly supplied chemical weapons to Australia, which stored them across the continent as part of a contingency if Japan gassed the country first.

A German He 111H in 1940. Photo via Wikimedia

Following the evacuation from Dunkirk, the British military readied chemicals to defend the British Isles in case of a German invasion. “We should not hesitate to contaminate our beaches with gas if this was to be to our advantage,” Churchill told his cabinet in May 1940. “We have the right to do what we like with our own territory.”

In 1942, British scientists from the Porton Down military research center began experimenting with anthrax as a biological weapon. In one infamous case, they tested this bio-weapon on sheep on the uninhabited island of Gruinard off the Scottish coast. A government quarantine of Gruinard did not end until 1990 following extensive decontamination efforts.

These experiments were in preparation for the grotesquely named Operation Vegetarian, which aimed to scatter anthrax-infected linseed cakes across Germany. Had the plan been put into action, cattle would have eaten the cakes, died and spread the anthrax into the civilian population, while also depriving Germany of an important food source.

And though the British had vast stockpiles of gas — and were well capable of dropping them on German cities, which they were firebombing — the Soviets did not have such a program, nor did they possess an air force with the range and strength needed to penetrate German air defenses.

Thus, it would have made more sense for Germany to deploy gas against the Soviets, especially after the war shifted to the Red Army’s favor. Nazi Germany was, after all, utterly unscrupulous when it came to scorched earth tactics on the Eastern Front. But Germany did not — at least on a large scale.

Here, Britain’s stockpile may well have saved untold numbers of Soviet soldiers. In 1942, Churchill stated publicly that Britain would use its chemicals against Germany if it were to turn such weapons against the USSR.

“We know the Huns, which is the reason why we are keeping up our effort and why we are building up our storage of chemical weapons,” Churchill declared in a May 10, 1942 radio address. “I would say that should Germany again attack our ally, Soviet, with more chemical weapons, then we will start using such gas in our attacks on German cities and towns.”

Churchill later insisted to Gen. Hastings Ismay, his chief military assistant, that it was “absurd to consider morality on this topic when everybody used it in the last war without a nod of complaint from the moralists of the Church. It is simply a question of fashion changing as she does between long and short skirts for women.”

Practical deterrence, not morality, kept British and German chemical weapons in storage.

One incident of particular note occurred in December 1943 when more than 100 German Ju-88 bombers descended on the Italian port of Bari and destroyed several Allied ships, most of them cargo and transport vessels. Among the losses was the SS John Harvey, a U.S. Liberty ship secretly loaded with 2,000 mustard bombs which the vast majority of her crew didn’t even know about.

Chemicals released in the raid killed 83 military personnel out of 628 wounded, and the Allies rushed to cover up the presence of mustard gas at Bari for fear that Germany would conclude that a chemical attack was imminent. In fact, the Allies only planned to have that gas on hand to retaliate against a German attack.

By summer 1944, Germany was fighting a two-front war in mainland Europe and defeat was inevitable. With its own demise over the horizon, Germany still did not resort to chemical weapons in the field. The Nazis did, however, use the pesticide Zyklon-B to kill Jews and other minorities during the Holocaust.

As Allied troops landed on the beaches of Normandy in June 1944, Germany could have targeted them with chemicals or nerve agents which the landing force had no protection against. But Hermann Goering, chief of the Luftwaffe, revealed at the Nuremberg trials that the German army’s heavy reliance on horses meant that a retaliatory Allied chemical attack would have severely hindered its logistical backbone.

Otto Ambros, a scientist close to the Nazi leadership, also presented to Adolf Hitler an exaggerated account of how devastating an Allied counterattack would have been had Germany deployed chemicals. Whatever the cause, it’s retrospectively evident that the Allied and Axis powers in Europe effectively deterred each other.

Incidentally, the later use of chemical weapons in the Middle East demonstrates a noteworthy pattern.

British soldiers ready for a chemical attack during the 1991 Persian Gulf War. U.K. Ministry of Defense photo

In 1960s Yemen, Yemeni royalist forces could not deter the Egyptian army from using poison gas since, of course, they could not respond in kind.

However, during the 1973 Yom Kippur War between Israel and a coalition of Arab states, none of the warring parties used such weapons, even as the Israelis advanced into Egypt and Syria and attained positions which could threaten their capital cities — given Israel’s possession of nuclear weapons.

Iraq is another case in point. Although Iran initiated a chemical weapons program in 1983, in response to Iraqi chemical attacks during the Iran-Iraq War, there is no concrete evidence that Iran ever retaliated in kind.

In the late 1980s, the Iraqi regime invited U.N. chemical experts to show them purported victims of Iranian gas attacks. Credible sources concluded that those individuals were likely victims of Iraq’s own careless use of these poisonous weapons.

Saddam’s army inflicted 50,000 chemical casualties on Iran during the war, with Tehran unable to mount an effective deterrence. He even gassed an Iranian city, Sardasht, killing 10 civilians and injuring up to 650. Tens of thousands of veterans of that war suffer from the effects of these weapons to the present day.

Now contrast this to the 1991 Persian Gulf War. In that case, the U.S. military made clear to Saddam that any use of non-conventional weapons would have resulted in a devastating non-conventional, hence nuclear, U.S. response.

That doesn’t mean America would have nuked Iraq, but the threat — worded by U.S. Secretary of State James Baker — was vague enough to imply it. Consequently, Baghdad did not deploy these weapons to the battlefield, even as U.S.-led forces decimated Iraq’s army.

These four Middle East case studies demonstrate that chemicals were only deployed by states when their opponents had no matching capability, if any capability at all. The pattern repeated itself in Syria when the Assad regime carried out chemical attacks in eastern Damascus.

During World War II in Europe, similarly matched capabilities meant these weapons sat in their stockpiles. This de facto deterrence possibly saved hundreds of thousands, if not millions, of civilian lives.

Lessons From the Deadliest Chemical War That Didn’t Happen was originally published in War Is Boring on Medium, where people are continuing the conversation by highlighting and responding to this story.
