Monday, May 08, 2006

Shutting Off the Tap?

The U.S. Court of Appeals raised questions Friday that may curtail the ability of the government to extend wiretapping rules to the internet. A Clinton-era law permitted the Federal Communications Commission to extend wiretapping rules to telephone networks, and the government argued that these rules should be interpreted broadly enough to include the internet as a whole.

The dispute arises from government regulations that would impose extensive wiretapping requirements on universities and libraries, which critics see as a mandate to build central surveillance hubs for law enforcement.
"the organizations behind the lawsuit say Congress never intended to force broadband providers--and networks at corporations and universities--to build in central surveillance hubs for the police. The list of organizations includes Sun Microsystems, Pulver.com, the American Association of Community Colleges, the Association of American Universities and the American Library Association."
Defenders of the rules argue that emerging technologies such as Voice over IP (VoIP) are self-evidently "telephone communication," and that as this technology gains in popularity it could seriously hamper the ability of law enforcement to catch "…criminals, terrorists and spies".

It seems to me that the controversy is bogged down in questions of interpretation and in the struggle of the legal community to keep up with technology that is in constant flux.
"…the FBI has claimed, the need for 'standardized broadband intercept capabilities is especially urgent in light of today's heightened threats to homeland security and the ongoing tendency of criminals to use the most clandestine modes of communication.'"
However, the issue is not as cut and dried as the government is trying to claim.
"In an unusual twist, some of the FCC commissioners who unanimously approved the wiretapping rules have acknowledged that the agency was on shaky legal ground. Then-Commissioner Kathleen Abernathy, for instance, said at the time that she had 'concern that an approach like the one we adopt today is not without legal risk.'"
The ramifications for privacy advocates are clear. The people I feel sorry for are the agents who will have to sift through untold billions of text messages on college campuses, where the content amounts to little more than jejune critiques of last night's American Idol performances and chatter about the latest freshman defenestration. In the meantime, grab the popcorn, folks: this could be a dogfight!

Friday, December 23, 2005

Fighting Fire with Fire

I thought I would post this holiday tale that brings me a bit of a chuckle every time I think about it. There are a number of truisms in computer security, one of which is that most malicious worms, Trojans, and viruses are a result of clever social engineering (Read about the Anna Kournikova worm here).

I was working in an office for a large real estate concern, and like most offices these days there was a fair number of employees packed into a cube farm. Well, it was Christmastime and the air crackled with anticipation of holiday cheer. There was a goofy little Flash game that everyone seemed to be downloading called Elf Bowling. It was so infectious that it seemed everyone was at their desk playing it; as you walked down the aisle of the cubes you could hear the sounds of Elves being knocked down and see the wacky screens as the typically stoic employees started to cut loose in anticipation of the festive holiday.

I was concerned that the untested, unapproved, and decidedly unproductive software was corrupting my meticulously constructed desktop image. There was little I could do, though. I did send out an e-mail warning of the dangers of downloading unapproved software, but that had about as much effect on reducing the problem as tearing a single page out of War and Peace would have on shortening the novel.

Then I got a call from a woman who wanted to know if "Elf Bowling" was, in fact, some kind of hard drive destroying virus. "I don't think so…" I told her, "why do you ask?"

"Because I just got an e-mail saying it would erase my hard drive on Christmas Eve", the woman said.

Sure enough, everyone in the office got an e-mail from the company postmaster that said something to the effect of:
"Warning… the Elf Bowling program is actually a virus that is programmed to erase your entire hard drive on Christmas Eve. If you have installed this program we urge you to delete it immediately from add / remove programs."
Calls started pouring into the help desk to remove the "virus", and people were stopping me in the halls asking if they should remove it. My response was that non-standard software should never be installed on our desktop images without approval, and I left it at that. It didn't take an afternoon: suddenly the cubes were silent, and Elves ceased being knocked down like bowling pins by ball-sized ornaments. There were no more hoots of delight over Santa converting a 7-10 split. It occurred to me that it took someone with a mind like a hacker to make people "do the right thing".

I never found out who sent the e-mail message, and I'm not sure I approve of the outright deception (while obnoxious, Elf Bowling was not a Trojan), but sometimes when the chips are down it pays to think like a hacker and frankly it gets better results.

So this ends our Christmas tale, and in the spirit of the season I leave you with the words of the immortal Gene Autry, who opened his album of Yuletide music (featuring Rudolph the Red-Nosed Reindeer) with this greeting:

"Happy Holidays, folks, wherever you may be."

Monday, October 17, 2005

God, Love, Sex, Money

No, this is not a come-on for some kind of internet scam; these are the four most used passwords on the internet today.
According to the CERT/CC (Computer Emergency Response Team/Coordination Center), a federally funded organization based at Carnegie Mellon University, an estimated 80% of all network security problems are caused by bad passwords.
I thought this was especially chuckle-worthy, since the very same observation was made in the film "Hackers" (often criticized, by computer geeks anyway). The reason people tend to use "easy" passwords is not rocket science. The fact is that, increasingly, we have so many systems that require an identity that it can overwhelm anyone (particularly CEOs).

This is why Identity Management solutions are increasingly becoming as important to organizations as anti-spam and anti-spyware software. There are still a number of people, security professionals included, who seem to be convinced that simply training users to invent more secure passwords is an effective strategy. But the enlightened security professional realizes that "Educating Users" is #5 on the list of the Six Dumbest Ideas in Computer Security.

Hat Tip Mike Wendland

Friday, October 14, 2005

I Blame Society

I ran across this screed, which I thought was pretty darn insightful; it's called "The Six Dumbest Ideas in Computer Security" by Marcus Ranum, and it offers some fairly unqualified contempt for ideas that have become axiomatic in the realm of computer security.

Some of the things that made the list, like the idea that user education is an effective way to enhance security, are laid waste by the observation that:
...the Anna Kournikova worm showed us that nearly 1/2 of humanity will click on anything purporting to contain nude pictures of semi-famous females. If "Educating Users" is the strategy you plan to embark upon, you should expect to have to "patch" your users every week. That's dumb.
Indeed. But the one that really got me thinking was #4 on the list, entitled "Hacking is Cool".
One of the best ways to discourage hacking on the Internet is to give the hackers stock options, buy the books they write about their exploits, take classes on "extreme hacking kung fu" and pay them tens of thousands of dollars to do "penetration tests" against your systems, right? Wrong! "Hacking is Cool" is a really dumb idea.
The essay points out that this phenomenon is largely a cultural problem. Hackers are portrayed as "cool" in the media, in books, and on TV. The media tends to lionize the "Hacker" as smart, industrious, and ambitious. I mean, so what? So is a Don of the Mafia.
…by portraying hackers, variously, as "whiz kids" and "brilliant technologists" - of course if you're a reporter for CNN, anyone who can install Linux probably does qualify as a "brilliant technologist" to you. I find it interesting to compare societal reactions to hackers as "whiz kids" versus spammers as "sleazy con artists." I'm actually heartened to see that the spammers, phishers, and other scammers are adopting the hackers and the techniques of the hackers - this will do more to reverse society's view of hacking than any other thing we could do.
What is not portrayed as "cool" is good engineering. Anyone remember the WWII movie "Sea-Bees of the Navy"? It was John Wayne making the guys who built bridges and airstrips look not only cool, but downright heroic. Maybe we need a movie that makes engineers out to be the heroes and the hackers the villains (which, perhaps not so ironically, is exactly the opposite of the plot of the film "Hackers" starring a young Angelina Jolie).

That hacking (or cracking, as some prefer) takes a bit more training than vandalizing a vending machine is not all that relevant; both are pointless exercises that are destructive at best and downright criminal at worst.

Hat Tip Fred Avolio

Tuesday, September 13, 2005

Does Technology Cause Crime?

There is what I, at least, thought was an interesting aside today in a Tech News World article about proposals in the UK and the USA to use national identity cards as a solution to identity theft. As content providers are reminded almost daily, a technological solution to stopping content piracy is an exercise in futility. And so it goes with identity theft, at least according to Dr. Emily Finch of the University of East Anglia.
…Finch believes increasing reliance on technology is leading to a breakdown in the vigilance that consumers used to exercise when it came to their personal information.

"There is a worrying assumption that advances in technology will provide the solution to identity theft whereas it is possible that they may actually aggravate the problem," Finch said.

"Our research has shown that fraudsters are tenacious, merely adapting their strategies to circumvent new security measures rather than desisting from fraudulent behavior," Finch said. "Studying the way that individuals disclose sensitive information would be far more valuable in preventing identity fraud than the evolution of technologically advanced but ultimately fallible measures to prevent the misuse of personal information after it has been obtained."
Certainly criminals are a tenacious lot, and it is difficult to imagine any technological solution that could render a network 100% safe or an individual's identity 100% secure. It's like my dad used to say about locks on doors and gates: "…they are there to keep the honest people honest".

This of course highlights one of the primary truisms that many in the security field hold as vital to any security regime: it is up to every individual to be vigilant where security is concerned; otherwise security just doesn't work.

Indeed...

Friday, August 26, 2005

Identity Management Crib Notes

TechWorld has a useful introduction to Identity Management and Provisioning in a two-part series.

Part One talks about the challenges of Identity Management and some of the pitfalls.

Part Two gives managers some tips and suggestions on managing people who are joining or leaving an organization.

It's a quick read, check it out.

Thursday, August 25, 2005

What Can a Privacy Credential Accomplish?

Washington Technology has an article up regarding a proposed privacy credential that is backed by major technology companies including IBM Corp., Mitre Corp. and SRA International Inc.
The Certified Information Privacy Professional/Government (CIPP/G) credentialing program is the first publicly available privacy certification for government professionals, according to the International Association of Privacy Professionals.
The idea of this credential is to provide those who work in government information management positions with a program to better understand the challenges that go hand in hand with handling sensitive data. Since this is aimed at management, and not technical people, the credential will be focused on "relevant privacy laws, regulations and policies, including the Freedom of Information Act, the Privacy Act and the eGovernment Act".
"There is a need going forward for agency employees at both [the] federal and state levels to be knowledgeable and confident in applying the relevant laws and best practices for balancing citizen privacy and civil liberties with the necessities of a modern-day connected world," Trevor Hughes, executive director of the IAPP, said in a news release.
As more and more business gets conducted over the internet, managers are making decisions about topics for which they don't understand the fundamentals. But will this credential actually help? That's hard to say; it might be like chicken soup: it can't hurt. Another good thing is that this is an initiative spearheaded by industry in partnership with non-profit groups such as the Ponemon Institute; federal and state governments are pretty much out of the picture. So this is being driven by need rather than pure politics. But my question is: what good will it actually do?

I suppose that simply increasing awareness of the issues involved could be a net positive. Also, if these kinds of credentials are required for certain management positions in state and local government, it could lead to more managers having a better understanding of what security is all about. At best it could lead to better application of "best practices" and a baseline understanding of these policies by a much broader cross section of managers. At worst it's a marketing tool used by companies to push their flavor-of-the-week security solution.

Let's hope it's a step in the right direction.

Update: On the other hand, if it can stop this....


(Hat tip Scott Adams)