Category: security | 保衛 | 정보 보안 | 情報セキュリティー

According to Wikipedia, security can be defined as:

Security is protection from, or resilience against, potential harm (or other unwanted coercive change) caused by others, by restraining the freedom of others to act. Beneficiaries (technically referents) of security may be of persons and social groups, objects and institutions, ecosystems or any other entity or phenomenon vulnerable to unwanted change. Security mostly refers to protection from hostile forces, but it has a wide range of other senses: for example, as the absence of harm (e.g. freedom from want); as the presence of an essential good (e.g. food security); as resilience against potential damage or harm (e.g. secure foundations); as secrecy (e.g. a secure telephone line); as containment (e.g. a secure room or cell); and as a state of mind (e.g. emotional security).

Back when I started writing this blog, hacking was something that was done against ‘the man’, usually as a political statement. Now breaches are part of organised crime’s day-to-day operations. Chinese state-linked attackers hacked Nortel so thoroughly that its intellectual property was stolen along with commercial secrets like bids and client lists; the firm later went bankrupt. Russian ransomware shuts down hospitals across Ireland. North Korean state-sanctioned hackers stole around 81 million dollars from the central bank of Bangladesh and laundered it with the help of Asian organised crime.

Now it has spilled into the real world, with Chinese covert actions, Russian contractors in the developing world and hybrid warfare being waged across Central Europe and the Middle East.

  • Internet freedom

    A couple of stories related to internet freedom that came to my attention this morning.

    Internet freedom in China

    First off, today’s New York Times magazine has an in-depth feature about the challenges that China presents to Internet companies seeking a Chinese audience. Google’s China Problem (and China’s Google Problem) by Clive Thompson is balanced and well written. There are some interesting aspects to it:

    • The censorship is open rather than furtive
    • It involves self-censorship as a key element in its execution
    • Chinese people interviewed do not view freedom of speech as an absolute binary state (you’re free or you’re not) but as a continuum and are prepared to make trade-offs; so Google’s ‘Do the least evil’ approach makes more sense
    • The role of chat and forums in Chinese internet usage is far higher than we’re used to
    • The assumption that the US readership of the article enjoys ‘absolute’ freedom of speech and a resulting internet freedom

    The last point brings me on to the text of a speech given by US attorney general Alberto R. Gonzales at the National Center for Missing and Exploited Children.

    US threat to internet freedom

    Vigilant civil rights activists have noticed a number of items in the speech which would extend government powers of censorship and surveillance well beyond child pornography; the implication is that, under future US legislation, freedom of speech and internet freedom may no longer be the absolutes they once were.

    Lauren Weinstein of pressure group People for Internet Responsibility made the following post to the Interesting People email list:

    In a speech a few days ago, Attorney General Gonzales announced DoJ plans to send Congress new legislation to control “pornography” and (apparently) ultimately to require activity log and other data retention by Internet Services (in follow-up interviews, Google and other search engines have been specifically discussed). Gonzales is pitching this legislation using child abuse as the hook. That is, he is arguing for tools to use against child abuse and child pornography — certainly a “third rail” issue these days where virtually everyone will support enforcement efforts. However, it’s also clear that the DoJ seems to have no intention of limiting such tools *only* to child-related areas. The legislation itself is currently titled: “Child Pornography and Obscenity Prevention Amendments of 2006”

    A transcript of the Attorney General’s speech is here:
    http://releases.usnewswire.com/GetRelease.asp?id=64319
    Note this key quote: “This legislation will help ensure that communications providers report the presence of child pornography on their systems by strengthening criminal penalties for failing to report it. It will also prevent people from inadvertently stumbling across pornographic images on the Internet.” Requiring the reporting of child pornography on systems (when it is known to exist) is something that few people would argue against, obviously.

    But let’s examine the second sentence again: “It will also prevent people from inadvertently stumbling across pornographic images on the Internet.” This seems to be addressing the entire broad category of non-child “pornography” (which of course can be defined in any number of ways in different locales and contexts), and suggests a requirement (here we go again!) for proactive ratings/controls (presumably ID or credit card based for “offensive” materials) for all (U.S.) Web sites. So this isn’t just about children, it’s likely about broader government controls over many U.S.-based Internet entities (of course, Gonzales doesn’t effectively address the issue of Web sites outside the country). Gonzales goes a lot further in another quote:

    “The investigation and prosecution of child predators depends critically on the availability of evidence that is often in the hands of Internet service providers. This evidence will be available for us to use only if the providers retain the records for a reasonable amount of time. Unfortunately, the failure of some Internet service providers to keep records has hampered our ability to conduct investigations in this area. As a result, I have asked the appropriate experts at the Department to examine this issue and provide me with proposed recommendations. And I am going to reach out personally to the CEOs of the leading service providers and to other industry leaders to solicit their input and assistance. Record retention by Internet service providers consistent with the legitimate privacy rights of Americans, is an issue that must be addressed.”

    Again, we see that protecting children — the goal that we all support — is being used as the raison d’etre to likely later propose broad data retention requirements on all manner of Internet services. Ironically, this is occurring shortly after calls for mandated data *destruction* legislation that arose in the wake of the DoJ vs. Google records battle (where I strongly supported Google’s stance).cted that this sequence would occur — though it is happening even faster than I expected. Record retention is a particularly risky area. DoJ might be expected to argue (as Gonzales implies) that such records would only be demanded in cases involving children.

    That’s today’s line. But in a general records retention environment, you cannot a priori retain only the records related to child abusers whom you don’t already know about — you must retain *everyone’s* records. While the criteria for records access might be child abuse today, does anyone seriously believe that calls for access to user log data will not massively expand over time, to the extent that such data is available? Of course it will. If the data exists, all manner of ostensibly laudable reasons for government digging through users’ Internet activities will be forthcoming. And that will create a wholly different kind of Internet, where ultimately our every action on the Net may be subject to retroactive inspection. The term “slippery slope” is definitely applicable.

    We need to see the specifics of legislation before detailed comments will be possible. But the handwriting is on the wall, and it does not bode well for either Internet users or Internet-related services.


  • America’s Secret War

    I recently finished reading America’s Secret War: inside the hidden worldwide struggle between the United States and its enemies, George Friedman’s book on the war on terror, as George Bush calls the fight against Al Qaeda. America’s Secret War is interesting for a number of reasons. It discusses the war in a dispassionate manner and separates fact from propaganda rather more neatly than the media has ever managed. Most importantly, to my mind it highlights a war that was not about oil or weapons of mass destruction, but a very expensive ‘Kirby Cleaner’ pitch. Years ago, in an effort to make money, I considered selling these overpriced vacuum cleaners (even more overpriced than a Dyson). Anyway, a key part of the Kirby salesperson’s pitch is a demonstration with the machine to show you what it is capable of (think HSN or QVC-type demos in your own living room).

    According to Friedman, the invasion of Iraq was part of an effort by the Americans to persuade the Saudis to get serious on terrorism: a demonstration of regime change through ‘shock and awe’ to show what happens to rogue regimes.

    George Friedman is a respected and very credible geopolitical pundit and heads up Stratfor.

    Who is Stratfor?

    Stratfor is an organisation which provides analysis of global and regional political and socio-economic issues to companies, organisations and government agencies. It has a client base made up of a wide range of blue-chip companies including the usual suspects in the energy sector, defence contractors, management consultancies and the media.

  • Gates on spam

    Bill Gates wrote to me regarding the latest thinking by Microsoft (ok, so it’s a Microsoft marketing ploy to make me think that Chairman Bill cares even for heretics like me) and some of their partners on curbing spam. The mail is interesting; however, I have a few concerns about the content of the email by Gates on spam:

    • the industry initiative lacked networking equipment manufacturers like Nokia, Juniper or Extreme Networks
    • no computing powerhouses like Sun Microsystems, Oracle, IBM, Apple
    • there was no reference to non-Windows PC users (Mac, Unix, Linux, Symbian smartphones, PalmOS etc)
    • there are no independent experts on the panel like Phil Zimmermann

    From: billgates at chairman.microsoft.com

    Subject: Preserving and Enhancing the Benefits of Email – A Progress Report

    Date: 28 June 2004 21:47:34 BST

    To: *********** at ***.com

    During the past year, Microsoft has taken a number of important steps to help curb the epidemic of junk email, which is a major headache for computer users worldwide. We’ve made significant progress, including blocking more than 95 per cent of all incoming junk email – an average of 3 billion messages a day – on Hotmail. But more work remains to be done. We’re committed to finding additional ways to counter this costly nuisance.

    Over the next 12 months, we will begin to introduce several additional innovative technologies and processes that should further reduce the volume of junk email reaching customers’ inboxes. Because you’ve subscribed to receive executive emails from us, I’d like to update you on what we’re doing in this area. On the Web at www.microsoft.com/execmail, I’ve posted an in-depth explanation of Microsoft’s technology vision and strategy for ending the junk email epidemic as a major problem. I hope you’ll take a few minutes to read it.

    Thank you.

    Bill Gates


  • Free party clampdown

    An old clubbing pal of mine from Birkenhead, Si, forwarded this interesting article in the Western Morning News. According to the article, police are preparing to use the wide-ranging powers of the Anti-Social Behaviour Act 2003 to clamp down on unauthorised open-air gatherings (free parties), in conjunction with provisions already made by sections 63 to 67 of the Criminal Justice and Public Order Act 1994. That Act’s definition of music as sounds characterised by ‘the emission of a succession of repetitive beats’ allows unscheduled opera performances but not young people’s music.

    While I can understand people’s concerns over noise, I am more concerned about the right to associate, freedom of expression (by speech, music or visual media) and the double standard written into the law, which makes free party attendees second-class citizens.

    And politicians wonder why so many voters are apathetic?

    Might it have something to do with:

    • the persistent erosion of voters’ rights?
    • a lack of clear differentiation between many of the social policies of both major political parties?
    • legislation that no longer represents the social mores of much of the electorate?
    • a collectively small amount of life experience amongst professional politicians, the significant majority of whom are trained lawyers?
    • a cynical political process that means politicians go after softer targets rather than dealing with the big policing issues in the UK, such as organised crime, the rise in violent crime, and white-collar and corporate crime?

    Si also generously included a link to lots of information on where there might be a local free party; just remember it’s free as in speech, as the parties do cost money to put on.

  • Microsoft security spin

    I read a classic piece of spin in The Business, Microsoft races to stop bank account hackers by Tony Glover. Tony, who has been shortlisted in a category for Business Journalist of the Year, wrote: “Technicians at the US software giant Microsoft are working flat out to prevent a new security threat that this week could give criminals access to computer systems used worldwide by banks and governments.”

    The general threat Tony outlined, phishing, has been covered by national newspapers for quite a while, something the article did not make clear. In fact eBay, HBOS and Barclays customers have all been exposed to phishing attacks. The article was an excellent piece of PR work (my hat goes off to the members of the Microsoft press team) that failed to point out:

    – Phishing has been going on for quite a while now, though the vulnerability in Microsoft Internet Explorer is new. It is one of many security vulnerabilities in the product, and phishing as a security risk is well understood

    – Microsoft was trying to plug yet another security gap in its software that facilitates phishing. Despite repeated promises to get tough on security, Microsoft has failed to do so

    – Using an alternative browser like Opera sidesteps this particular Internet Explorer vulnerability and so reduces the risk; it does not stop phishing itself, which works by fooling the user into handing over credentials rather than by exploiting the browser (nothing in IT systems can be labelled foolproof)

    – It is yet another good argument against software bundling of the kind Microsoft (and increasingly Apple) have been doing, and an excellent riposte to critics of the EU Competition Commission’s case against Microsoft. Bundling of software restricts the ability of competition to spur innovation and improvements in both quality and service

    Free Internet calls move a step closer, on page six, goes on to talk breathlessly about a new feature in Microsoft Office that provides Internet calls. It’s not that big a deal: I know of people who used Skype and, before it, Net2Phone and other over-the-net software phones. In fact Stephen Waddington, managing director of geeky PR firm Rainier, was quoted in a newspaper case study a few years ago talking about his firm’s use of voice over the ‘net for international conference calls.

    In addition, many instant messenger programmes such as Yahoo! Instant Messenger, AIM and iChat offer audio and video calls between users. Another fallacy in technology circles is the concept of ‘free’; you’d think that technology marketers would be mature enough to realise that nothing ever comes for free. Even ‘free’ pirated MP3s or DiVX movie files obtained via a P2P network are partly financed by banner advertisements, spyware and adware in the P2P software itself. Freeware is often produced for altruistic reasons, even if it is to build a community of users or make one’s mark with an elegant solution to a problem. In the case of ‘free internet calls’, the feature will help increase sales of broadband connections, and where calls leave the domain of PC-to-PC connections between IP addresses, some sort of ‘interconnection charge’ will be due. It’s not new; it’s history repeating.