The CyberWire Daily Briefing 03.26.13

Cyber Trends

Think layers of security is all that? Think again (CSO) Of 1,800 serious malware NSS Labs tested, some always managed to get through -- no matter what combination of protection was used

Putting Out Fires With Gasoline (Dark Reading) Spending for security and identity products is going up, but here is a sobering thought that should give you pause--our solutions may be part of the problem

Web trackers are totally out of control (IT World) More than 1,300 tracking companies are following us across the Web. But who they are and what they know is a mystery to most. I'm getting that paranoid feeling again. You know, the one where you think someone or something is stalking you across the Web, watching everything you do and then suddenly just showing up as if their presence was just a random coincidence. Except that this isn't paranoia or coincidence. To be specific, I'm being followed by this ad for Jitterbug phones

Transparency Reports Should Be Standard Practice (Threatpost) Transparency report With less than three full months gone in 2013, Facebook, Apple and Microsoft all have admitted publicly to serious security breaches, something that would have seemed like an elaborate practical joke just a couple of years ago. But the times and the climate have changed, and if you needed more evidence of these facts, it arrived last week in the form of the first Microsoft Transparency Report

NatGas Cybersecurity getting a lot more Visibility (Smart Grid Security) Thanks to colleague H. Chantz for spotting this article and sending this way. As has been the case quite a bit this year, once again we are in the realm of SCADA/Control System security. William Rush of the Gas Technology Institute states it plainly, if somewhat dramatically: Anyone can blow up a gas pipeline with dynamite

Hackers hit energy companies more than others (Fuel Fix) Energy companies faced more targeted malware attacks in a six-month period last year than businesses in any other field, with hackers sometimes breaking into systems to steal geologic and financial data, according to a Houston network security firms research. Alert Logic is releasing a report Tuesday detailing the incidence of attacks on its customers in different industries and the digital weapons hackers used in their attempts to infiltrate systems from April 1 to Sept. 30 last year. FuelFix examined the report ahead of its general release

Cyberattack risk high for oil and gas industry (Fuel Fix) In the months since a virus ripped through 30,000 of Saudi Aramcos computers, the worlds largest oil company has become the canary of the industry, warning others of the serious threats already lurking on their systems. Although the attack did not disrupt Saudi Aramcos oil and gas operations, the companys top man warned, in a recent interview with FuelFix, that the risk to the industry remains high. Chief Executive Officer Khalid Al-Falih said that despite aggressive efforts by Saudi Aramco and others to guard against online threats, operations throughout the energy industry will remain in danger unless all companies adopt strong Internet security measuresWhat happens to one company affects us all, Al-Falih said

Legislation, Policy and Regulation

Tallinn Manual Interprets International Law in Cyberwar Context (Threatpost) When nations eventually adopt ground rules for conflict in cyberspace as they apply in an actual kinetic war, the Tallinn Manual on the International Law Applicable to Cyber Warfare, is likely to be their key reference material in doing so

U.S. Gov't: Laws of war apply to cyber conflict (Foreign Policy) [Free registration required.] A NATO initiative by which legal experts have articulated laws for the cyber battlefield -- is set to make its stateside debut. But the United States says it is already ahead of the document's recommendations: it insists the existing laws of war are sufficient to govern the use of cyber weapons."Existing international law applies to cyberspace just as it does in the physical world," said Christopher Painter, the State Department's coordinator for cyber issues, during a forum at George Washington University last Thursday. "That is a very important concept

State Department pushes for international norms of cyber conduct (FierceGovernmentIT) While the use of sanctions isn't completely out of the question, the State Department's primary role in U.S. cybersecurity policy is to establish and promote international norms of acceptable conduct in cyberspace, said a department official during a March 21 hearing of the House Foreign Affairs subcommittee on Europe, Eurasia and emerging threats. The department is particularly keen on spreading the idea that the theft of intellectual property is not acceptable behavior in cyberspace, said Christopher Painter, coordinator of the State Department's office of cyber issues. Some governments are naturally in line with U.S. thinking on cyber policy issues

On Iran and Pre-Emptive Cyber Attacks (infosec island) Early in February of 2013, many news outlets came out with articles about the US Government having a 'secret legal review' on the use of its cyber-arsenal. This legal review concluded that the US government could launch a cyber attack against a threatening nation if the country needed to defend itself. Essentially it boils down to 'legitimately' having the power to order a pre-emptive cyber attack, even though only the President himself can authorise such an attack

DRDO's Zero Day (Financial Express) As our most sensitive defence information undergoes the throes of a targeted cyber attack, Mehak Chawla examines the threats facing our critical information infrastructure and how technology can take control

Our Internet Surveillance State (Schneier) One: Some of the Chinese military hackers who were implicated in a broad set of attacks against the U.S. government and corporations were identified because they accessed Facebook from the same network infrastructure they used to carry out their attacks. Two: Hector Monsegur, one of the leaders of the LulzSac hacker movement, was identified and arrested last year by the FBI. Although he practiced good computer security and used an anonymous relay service to protect his identity, he slipped up

Products, Services, and Solutions

Twitter Verification Has More To Do With Being Good At Twitter Than With Identity (TechCrunch) Twitter has done a great job at keeping the whole "blue badge" verification process a mystery. If curiosity eats away at you like it does me, you're in luck. A new video from comedians Hari and Ashok Kondabolu, featuring Anil Dash who has around 500k followers, shows the magical transformation from start to finish

Fingerprints Instead Of Credit Cards? YC-Backed PayTango Aims To Make Payments Work Through Biometrics (TechCrunch) As a mechanism for payment, the credit card remains just as hardy as ever. It has so far defied the threat of mobile phones, and less plausibly, QR codes, among many other forms of payment. One YC-backed startup is betting that fingerprints and other forms of biometric identification may be the payment method of the future though. Called PayTango, they're partnering with local universities

Brocade adds new FC management tools (IT World Canada) Update to Network Advisor has new monitoring and visualization capabilities to make Brocade fabrics more reliable. There's also a new 96-port FC switch. Let's face it: running a storage area network isn't the glory side of IT. But with a few tools it can be easier

Technologies, Techniques, and Standards

Lieberman Software Survey Reveals Staff Ignore IT Security Directives - Even If They Were to Come From the CEO (Dark Reading) More than 80% of IT security professionals believe that corporate employees deliberately ignore security rules

Security damn well IS a dirty word, actually (The Register) Sysadmin blog An interesting feature popped up on Ars Technica recently; website journo Nate Anderson discusses how he learned to crack passwords. The feature is good; good enough for to me to flag it up despite that journalistic competition thing*. That said, the feature gently nudges - but does not explore - a few important points that are increasingly critical to consider in the context of any serious discussion about IT security

Arguments Against Security Awareness Are Shortsighted (Dark Reading) When I read Bruce Schneier's recent blog basically stating security awareness is a waste of resources, I perceived a general misconception about the fundamental concepts of security awareness that are actually very critical to the discipline of awareness and security as a whole. This misconception actually highlights why many security awareness programs suck. Bruce uses the term "security awareness training." There is a very distinct difference between "Security Awareness" and "Security Training." Security training provides users with a finite set of knowledge and usually tests for short-term comprehension

Don't Make Users A Security Punching Bag (Dark Reading) Too many security pros today take it upon themselves to blame dumb users for all of the security ills befalling IT organizations, particularly when users fall for phishing and other email-based attacks. But many of todays most advanced attacks are through web channels and are so well-designed that even the most advanced training techniques may not teach users how to detect them. According to many security pundits, it is time to stop with the blame game and look in the mirror."I honestly don't see the value of employees being listed as the weakest link, mainly because humans are the ones doing everything to begin with

MISSION IMPOSSIBLE: 4 Reasons Compliance Is Impossible (Dark Reading) Compliance, like security, is not a constant. It happened again. I heard a boastful manager tell the CEO the job was finished and with great confidence brag to his boss their organization was fully compliant. The CEO nodded with increasing approval, mentally embracing the idea that his worries on the matter were behind him for good. No money-grubbing consultant was going to fool him about "risks," and technical managers would no longer dare ask for larger budgets for compliance needs. In his mind, the task had now been addressed and the goal reached, never to look back again

Anatomy of a 'feature' - should JavaScript be allowed to change a web link after you click on it? (Naked Security) A young web coding enthusiast from Manchester, UK, recently published a thought-provoking hackette intended to highlight the risks of relying only on "look before you click." Paul Ducklin wants to know what you think of it

IPv6 Focus Month: IPv6 over IPv4 Preference (Internet Storm Center) Initially, most IPv6 deployments will be "Dual Stack". In this case, a host will be able to connect via IPv4 and IPv6. This brings up the question which protocol will be preferred, and if multiple addresses are possible, which source and destination address are used. RFC 6724 describes the current standard how addresses should be selected, but operating systems and applications, in particular browsers, do not always obey this RFC

Banks join forces to develop open standard for electronic OTC trading (Finextra) A group of leading sell-side banks has set up a working group that will work towards the creation of an open industry standard protocol for client and trader enablement on electronic trading platforms. Currently, enabling clients to trade with dealers on OTC electronic platforms is a manual process, requiring a significant amount of rekeying of data from internal dealer systems onto those of the venues. In January investment banks came together to try and fix the problem, launching the Trading Enablement Standardization Initiative (Tesi) and vowing to work with execution venues and other stakeholders to create a tighter integration between the dealer systems and the venues.

Database Security Restart (Dark Reading) I'd mentioned a couple posts back that I was being asked to jump start database security programs for several companies. Some large enterprises, some small, but the basic problem is the same: They need to get a handle on the current security situation and plan how to improve across the board. So in concept this is pretty simple, just figure out where they want to be, and build a plan to get there. In reality, getting consistency across the company is a big challenge. Each firm has some exiting tools to automate the mundane security tasks, but the quality of the tools and resources varies greatly, as does the lever of security and compliance requirements. Fundamentally they all have the same basic question: "Where do I start?" To form a plan, let's start with three basic questions

Who has responsibility for cloud security? A Network World roundtable (Network World) The Cloud Security Alliance provides some great guidance in this area, and the cloud computing security working group is expanding all these models, and ultimately these responsibilities need to be contractually assigned during the procurement process

Investigating evidence of hack useful for protection: Trend Micro (ARN) Security vendor sees value in investing the evidence left behind by cyber criminals in protecting against attacks. If businesses are not looking for that evidence regularly within their networks, there is a risk that the intruder will go undetected, according to Trend Micro strategic markets VP, Blake Sutherland

Big Data Debate: Will Hadoop Become Dominant Platform? (InformationWeek) Will Hadoop become the hub from which most data management activities will either integrate or originate? Two big data experts square off

Marketplace

JIE not an attempt at DISA domination, says DISA official (FierceGovernmentIT) The Joint Information Environment is not an attempt by the Defense Information Systems Agency to take over all the Defense Department's data centers, said Tony Montemarano, DISA director of strategic planning and information. The JIE is "not about DISA controlling the world, DISA ueber alles," he said. "The military departments have got formidable capabilities…it makes no sense to turn them off." He spoke March 25 at ACT-IAC event in downtown Washington, D.C.

Security clearance a sales weapon (Parramatta Sun) Technology organisations are realising that government security certification can open doors to the wider business world. Typically, certification by the Australian government's intelligence agency, Defence Signals Directorate, is used to enable suppliers to work with top-level government agencies, but some are also using it as a marketing tool to build trust and increase sales to the private sector

Small Suppliers Must Beef Up Security (Dark Reading) As larger companies shore up their defenses, attackers have changed their focus to the smaller companies that supply goods and services to enterprises, in hopes of gaining access to the larger targets' networks and data. The trend appears to be gaining steam. In the first half of 2012, small businesses alone accounted for 36 percent of all targeted attacks, up from 18 percent at the end of 2011, security firm Symantec said in July

General Dynamics Sets Up Cybersecurity Rapid Reaction Force (Motley Fool) General Dynamics (NYSE: GD ) is advancing the war on cyber hackers. The company's Fidelis Cybersecurity Solutions (FCS) unit this morning announced the recent opening of a new cybersecurity facility in Columbia, Md., where it has assembled a network defense and forensics team to help public and private clients "combat advanced cyber attacks by assessing their security posture; designing, building and managing a security infrastructure that is capable of discovering and containing advanced threats; and responding to sophisticated attacks quickly and effectively when they occur"

Deal weavers (Deal Pipeline) Defense technology and cybersecurity company KEYW Holding Corp. continues to scour the M&A field for acquisition targets. KEYW, of Hanover, Md., has made a name for itself in the defense and cybersecurity world due in part to a unique style of dealmaking, a distinctive corporate culture and operating on the cusp of a cutting edge and highly dynamic sector. While the company has gone on a strong acquisition tear for the past two years, it has done so without participating in a single auction. Rather, it has found targets through an extensive network of contacts and long-term partnerships delicately coaxed into existence through the web spun by its executives

Firms Partner to Curb Cyber Crime (This Day Live) An indigenous firm, Proxinet Communications is partnering an American company, FireEye Incorporation, in a bid to help curb cyber crimes in the West African region. The move was disclosed recently in Lagos at a press briefing by the FireEye Regional Sales Director, Middle East, Turkey and Africa, Mr. Ray Kafity

CACI to Design Natl Defense University War Games (GovConWire) CACI International (NYSE: CACI) has won a position on a potential three-year contract to help the National Defense University develop curriculum and other classroom instruction programs such as war games. The indefinite-delivery/indefinite-quantity contract contains two base years and an option year, with a $21 million ceiling value, CACI said Monday. NDUNational Defense University's aims to help

Research and Development

Mobile location data identifies individuals (The Register) One of the arguments in favour of anonymous mobile location tracking, nanely that it doesn't provide enough information to identify individuals, has been slapped down by a US-Belgian study. An anonymous trace of one phone's movements, plus a small amount of external data, can pick out one person out of millions

Security Patches, Mitigations, and Software Updates

Apple Patches Password Reset Vulnerability (Dark Reading) Bug wouldn't have been blocked by Apple's new two-factor iTunes authentication due to system's three-day waiting period

Novell GroupWise Messenger import Command Remote Code Execution Vulnerability (Zero Day Initiative) This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell Groupwise Messenger. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file

HP Intelligent Management Center mibFileUpload Servlet Remote Code Execution Vulnerability (Zero Day Initiative) This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Intelligent Management Center. Authentication is not required to exploit this vulnerability

Mozilla Foundation Security Advisory 2013-19: Use-after-free in Javascript Proxy objects (Mozilla) Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a garbage collection flaw in Javascript Proxy objects. This can lead to a use-after-free leading to arbitrary code execution

Cyber Attacks, Threats, and Vulnerabilities

Spear Phishing Cause of South Korean Cyber Attack (Threatpost) It appears that a spear phishing campaign was the genesis for the wiper malware infections that ultimately knocked several prominent South Korean banks and broadcasters offline last week, according to a malware analysis performed by researchers from the Finnish cybersecurity firm F-Secure

South Korean Wipers and Spear Phishing E-mails (F-Secure) News broke last week of a "wiper" malware that affected South Korean banks and broadcasting companies. NSHC Red Alert Team has published a detailed analysis of the malware here. There were several hashes mentioned for the same component, which suggest multiple operations under the same campaign

How South Korean Bank Malware Spread (InformationWeek) Attackers used stolen usernames and passwords for legitimate AhnLab Patch Manager accounts, set wiper software for staggered deletes to maximize damage

North Korea defector sites report cyber attack (Phys.Org) Specialist anti-North Korean websites and organisations run by defectors in South Korea said they were the victims of a coordinated cyber attack Tuesday. Free North Korea Radio, Daily NK and North Korea Intellectuals Solidarity, all operated by

ADP Payroll Invoice themed emails lead to malware (Webroot) Over the past week, we intercepted a massive ADP Payroll Invoice themed malicious spam campaign, enticing users into executing a malicious file attachment. Once users execute the sample, it downloads additional pieces of malware on the affected host, compromising the integrity, and violating the confidentiality of the affected PC. Detection rate for the malicious attachment:MD5: 54e9a0495fbd5c952af7507d15ebab90 detected by 24 out of 46 antivirus scanners as Trojan

UPS Hacked by Tunisian Cyber Army (eSecurity Planet) Customer names, addresses, e-mail addresses and phone numbers were exposed. Members of the Tunisian Cyber Army recently breached the UPS Web site via a vulnerability in its UPS Customized Envelopes subdomain, which is now offline for maintenance

Blunder exposes 83,000 Kiwi quake claimants' details (HITB) Details of every claimant in the New Zealand Government's Canterbury home repair programme have been disclosed by accident, the country's Earthquake Commission (EQC) said. A spreadsheet emailed by the commission containing claim numbers and addresses of properties could be set to reveal details of from all 83,000 people who have filed 98,000 claims in the wake of the devastating Christchurch earthquake, the commission's chief executive Ian Simpson told New Zealand media this afternoon

XSS Flaw in WordPress Plugin Allows Injection of Malicious Code (Threatpost) Wordpress bugsHardly a week goes by without some new vulnerability in WordPress or one of its components showing up on a mailing list or in a security advisory. This week's first entrant is a newly disclosed flaw in a plugin that displays ad banners on WordPress sites, a bug that enables an attacker to inject malicious Javascript or HTML code on any vulnerable site

Lime Pop Emerges as the Latest Strain of Android Enesoluty Malware (Threatpost) A new variant of Android.Enesoluty, the Android data-stealing Trojan that spreads through spam messages, has recently surfaced in Japan. This time the malware is reportedly being spread through a malicious app, Lime Pop, that disguises itself as a popular game

Grum Spam Botnet Is Slowly Recovering After Takedown, Experts Warn (Softpedia) In July 2012, we learned that Spamhaus, FireEye and CERT-GIB managed to shut down the command and control (C&C) servers utilized by Grum, a spam botnet that was the worlds third largest at the time. A couple of months later, FireEye experts reported that the botnets masters started reinstating its C&C servers. At the time, since there were only a couple of new servers, no major spam-related activities were identified

Windows Trojan Found Targeting Mac OS X Users (Security Week) Researchers at ESET have discovered a Trojan that initially focused on Windows users, but appears to be changing direction. The Trojan now has its sights on Mac OS X users, and its actions have prompted Apple to update XProtect with signatures to detect it. The Yontoo Trojan spreads on Windows by pretending to be a video codec

Malware abuses Chromium Embedded Framework, developers fight back (Computer World) A new version of the TDL rootkit-type malware program downloads and abuses an open-source library called the Chromium Embedded Framework that allows developers to embed the Chromium Web rendering engine inside their own applications, according to security researchers from antivirus vendor Symantec. In an effort to temporarily block the abuse, CEF project administrators suspended the framework's primary download location on Google Code. The TDL malware generates profit for its authors by redirecting the victims' search results to websites and services of a dubious nature, by displaying pop-up advertisements for various products and services or by infecting computers with other threats as part of a pay-per-install malware distribution scheme

Researchers uncover vSkimmer malware targeting point-of-sale systems (Computer World) A new piece of custom malware sold on the underground Internet market is being used to siphon payment card data from point-of-sale (POS) systems, according to security researchers from antivirus vendor McAfee. Dubbed vSkimmer, the Trojan-like malware is designed to infect Windows-based computers that have payment card readers attached to them, McAfee security researcher Chintan Shah said Thursday in a blog post. The malware was first detected by McAfee's sensor network on Feb. 13 and is currently being advertised on cybercriminal forums as being better than Dexter, a different POS malware program that was discovered back in December

Palo Alto Pinpoints Older Ports That Are Letting In Malware (CRN) The Palo Alto malware analysis issued Monday found that Web browsing dominated as the source of undetected malware, accounting for 68 percent of total

Unpatched Remote Access Tools: Your Gift To Attackers (InformationWeek) Three-year-old "TeamSpy" espionage campaign should be a wake-up call. Lock down your remote-access tools, or else

Apple's two-factor authentication would not have helped iForgot security hole (InformationWeek) Apple's (NASDAQ: AAPL) new two-factor authentication security for Apple ID and iCloud accounts could not have protected users against a security hole in its iForgot password reset page uncovered Friday, according to security firm Kaspersky Lab. It seems there was a three-day waiting period for the two-factor authentication to take effect, a waiting period that began on Thursday, noted Kaspersky Lab's Anne Saita in a blog

6 Emerging Security Threats, and How to Fight Them (eSecurity Planet) Hackers are nothing if not creative, so it's important for enterprise security pros to educate themselves about emerging security threats like these six. The security threat landscape changes constantly, with malicious hackers developing new ways to compromise your systems as older vulnerabilities are discovered and patched. So it's important to be aware of the threats to enterprise security that are coming over the horizon and heading this way

Major websites hacked leaving users vulnerable (CSO) MSN and NBC vulnerabilities leave 'ransomware' on unprotected PCs. Many Internet users think that so long as you visit well-known websites you'll be safe online. Yet ,recent research from AVG's Web Threats Research Team has identified two cybercrime campaigns coded into some of the internet's most popular sites

Academia

Luring Young Web Warriors Is a Priority. It's Also a Game (NY Times) In the eighth grade, Arlan Jaska figured out how to write a simple script that could switch his keyboards Caps Lock key on and off 6,000 times a minute. When friends werent looking, he slipped his program onto their computers. It was all fun and games until the program spread to his middle school

The Department of Homeland Security Would Like to Talk to Your Hacker Teens (BetaBeat) Football team doesn't look so cool now, huh? (They still look cool.) The high school years! It's hard being the Department of Homeland Security. Foreign agents are constantly trying to slip inside the D.H.S.'s computer systems. But America's hotshot hackers either go for the private sector ($$$) or somewhere you can go on the offensive, like the N.S.A. (which, let's face it, sounds super-badass). So, according to the New York Times, the agency, desperate for recruits, is now making like a college football program and hunting for recruits at high school hacking competitions

Lunarline Renews Cybersecurity Partnership with UMD (MarketWatch) Lunarline, Inc. today announced they will continue their partnership with the University of Maryland (UMD) establishing collaborative activities in cybersecurity for a second year. The partnership promotes cybersecurity education, research, and technology development through the Maryland Cybersecurity Center (MC2). UMD and Lunarline plan to leverage each other's resources, expertise, and unique perspectives to develop innovative cybersecurity expertise and technology solutions

Warrior to Cyber Warrior Graduates Its First Cohort Of Cyber Security Students (IT News Online) Lunarline, a cyber security company, and Echo360, the leader in active learning and lecture capture solutions

Litigation, Investigation, and Enforcement

MMS Is Not an Illicit File-Sharing Service, Appeals Court Says (Wired) The Multimedia Messaging Service is not an illicit file-sharing protocol, a federal appeals court ruled, setting aside Monday a complaint from an MMS-greeting-card supplier that claimed the nation's largest telecoms helped consumers infringe via MMS texting

Chinese Citizen Guilty Of Data Theft (Washington Post) On Monday, Sixing Liu, a Chinese citizen who worked at L-3's space and navigation division, was sentenced in federal court here to five years and 10 months for taking thousands of files about the device, called a disk resonator gyroscope, and other defense systems to China in violation of a U.S. arms embargo

No Skype traffic released to cops or spooks, insists Microsoft (The Register) Microsoft's Skype subsidiary didn't hand over any user content to law enforcement, according to the software giant's first ever report on how it deals with official requests for data. As previously reported), Microsoft's transparency report revealed that Redmond received 75,378 requests from law enforcement agencies worldwide last year, involving 137,424 user accounts

Design and Innovation

European Innovation Varies by Country (IEEE Spectrum) In the aftermath of financial crisis, German enterprises lead the pack in investing in the future

Security Manager's Journal: R&D's new security lab is a promising step (ComputerWorld) The R&D department will have a sandbox for testing the company's software products. For once, security isn't last. It's a great thing when a security manager doesn't have to go into battle mode every time a new corporate initiative emerges. When other departments show signs that they aren't putting security last, I can relax a bit. But just a little bit. Even in those cases, I want to have input

The US can battle wealth inequality by letting startups IPO earlier (Quartz) We are holding back the middle class in America. But it's not for the reasons you think, and the culprits are not those most people think of. Rather, the US government has systematically cut the middle class out of the most important wealth creation opportunity for the next 50 years. Through a series of byzantine regulations, the government has made it virtually impossible for working Americans to enjoy the fruits of America's greatest strength: innovation

With Big Data, we are creating artificial intelligences that no human can understand (Quartz) Computer systems currently base their decisions on rules they have been explicitly programmed to follow. Thus when a decision goes awry, as is inevitable from time to time, we can go back and figure out why the computer made it. For example, we can investigate questions like "Why did the autopilot system pitch the plane five degrees higher when an external sensor detected a sudden surge in humidity?" Today's computer code can be opened and inspected, and those who know how to interpret it can trace and comprehend the basis for its decisions, no matter how complex