Will Obama Take Away Our Internet Before Or After Our Guns?

RIght now I'm not sure what to think about criticism of a bill giving the President a role in responding to "cybersecurity emergencies" (though I do know I hate the term 'cybersecurity').

I'm certainly glad there is recognition at the highest levels that threats to electronic infrastructure are real and that we do need good policy in place to mitigate the impact of any attacks or other failures.  Even some Federal coordination can be beneficial.

As noted in the article, however, distributed systems are better at failing gracefully than any centralized system would be, so we shouldn't be too enamoured of the idea that the President can sit in his super high-tech command center deep underground, directing our "cyber response" (gag) by barking out orders via Twitter to his IT agents nationwide.  Still, having a team in the WH that can coordinate with ISPs, application hosts, and organizations like CERT wouldn't be a bad thing.

I guess I trust the Obama administration more than I would the previous one, so perhaps I'm not reacting in an overly negative way to the passage in question because of my own biases.  I'm not entirely convinced language in the bill is so vague that the President could "take over" the Internet in the United States, but sure, let's replace that word 'direct' with something more innocuous, take a stab at defining what an emergency is.  Or better yet, direct the WH to develop a security policy based on ISO 27002 like every other organization should.

It's heartening to see such debates at least are taking place.  We rely so heavily on the Internet and other communications systems so much now that we must view them as critical assets and constantly (re)assess how to safeguard them.

ntodd

But Do They Know I'm A Dog?

Freep:

The growing interest of well-known Internet companies in personal marketable information concerns University of Vermont research librarian and associate professor Trina Magi.

When a student clicks on a commonly used research Web site such as JSTOR, FirstSearch or WilsonWeb — and they do it as routinely as earlier generations picked up the Reader’s Guide to find magazine articles — they are increasingly under surveillance.

Magi, who researched the issue over the past year, found that many library database “vendors” are evolving in the Web 2.0 social networking milieu of Facebook and My Space by offering personalized features that capture student research patterns or browsing results. That information, which over time can amount to a personal dossier, has commercial value.

Magi’s findings will appear in College and Research Libraries, a professional journal. She has won national awards for publicizing the dangers to library patrons of the 2001 Patriot Act, which allowed federal agents, acting on no more than a hunch, to scrutinize borrowing records looking for suspicious interests and forbade librarians from alerting the targets.

Magi says the 27 major “vendors” — chosen by usage patterns at the University of Vermont and 20 large American colleges and universities — fill a research need by making published information such as academic journals, specialized data bases, newspaper and magazine articles easily accessible. “We need these products,” she said.

However, those companies, which include LexisNexis, the American Institute of Physics, Cambridge University Press, EBSCO Information Services and others, have begun to personalize their Web sites, she said. Students, by revealing personal identifying information to the companies, can create a personal page and personal folders, much as they do on social networks such as Facebook.

Magi said 15 of the 27 vendors she examined now have personalized access.

“The problem is that now the vendor becomes a repository for all these people and their reading and research interests,” she said.

I have an abiding interest in Internet privacy and such, and was raised by librarians, so of course this caught my eye.  It's no surprise that corporations are mining Internet usage data to find behavior patterns and capitalize on them.

I'm still inclined to enjoy the benefits of social networking sites and other online tools, and recognize the very real downsides and the impact on privacy.  When I think of Big Brother I never fear the government (even with USA PATRIOT), but rather the corporations who gather most of my personal information for their own purposes and sometimes share it with the jackbooted thugs in power.  Small wonder corporatism and fascism go hand in hand...

ntodd

ntodd

Return To Sender

Register.com's CEO:

Please note we are not discounting the possibility of an escalated DDoS attack.
We are taking every possible precaution to protect our infrastructure and our
customers. In response we have:

- Deployed counter-measures to mitigate the attack and added capacity across the company’s network
- Setup special channels with major ISPs to re-enable customers’ services
- Isolated the profile of the attack through forensic data analysis
- Engaged the FBI and The Department of Homeland Security

We promise to update you if there is any change to the situation.

Throughout this attack we have received incredible support from our customers
and want to thank you for your understanding and continued loyalty. We recognize
these attacks create significant hardships for our customers and will continue to work to maintain and earn your trust.

Too bad we customers don't have an SLA to get some cash out of the 48 hours of downtime...

ntodd

Master Of My Domain

Register.com forwards a number of my domains, including dohiyimir.org, paxamericana.net, and pinktalkradio.org.  None are working at the moment, and have been iffy for the past couple days.  I suspected a DNS issue, and that appears to be the case.  And now I have another case study for class...

ntodd

No Such Thing As No Such Agency Having Too Much Power

Raw Story:

After less than a year as director of the National Cyber Security Center, Rod Beckstrom resigned on Friday, citing a lack of funding and efforts by the NSA to dominate government cypersecurity. The Wall Street Journal has his letter of resignation, which can be read here.

In the letter to DHS Secretary Janet Napolitano, Beckstrom charged that NSA "effectively controls DHS cyber efforts" through employee detailees to NCSC from NSA, technology insertions and the proposed move of the NCSC to NSA's Fort Meade facility.

"While acknowledging the critical importance of NSA to our intelligence efforts, I believe this is a bad strategy on multiple grounds," Beckstrom wrote. "The intelligence culture is very different than a network operations or security culture."

Beckstrom said as director he objected to the "subjugation" of NCSC under NSA and had advocated for a "credible civilian government cybersecurity capability" that cooperated with NSA but didn't answer to it.

"This is a coordination body and it resides alongside or above the other centers, but certainly not below them," Beckstrom said of the NCSC in a Washington Post interview after his resignation. "In my view, it is very important that there be independence for the [center], and that it be able to carry out its role."

I'd say all these people have too much power, but certainly the NSA is the scariest one.  Be interesting to see what comes of the Obama administration's study of our infosec policies in this context.

ntodd

CyberObama

WH press release:

President Obama has directed the National Security and Homeland Security Advisors to conduct an immediate review of the plan, programs, and activities underway throughout the government dedicated to cyber security.

This 60-day interagency review will develop a strategic framework to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector.

"The national security and economic health of the United States depend on the security, stability, and integrity of our Nation’s cyberspace, both in the public and private sectors. The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties," said Assistant to the President for Counterterrorism and Homeland Security John Brennan.

Melissa Hathaway, who has served as Cyber coordination Executive to the Director of National Intelligence, will lead the review and will serve as Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils during the review period.

(via Raw Story)

I still make my InfoSec students watch a somewhat aged Frontline series about "cyberwar" (I hate that term, BTW), partly because I like to ask if anything's changed in the intervening 6 years or so.  It's also instructive to consider how much is hype and realistically whether such threats can be equated with NBC attacks, even in an era where our society relies so much on information technologies.

Whatever the real threat level, I'm glad the new administration is taking a serious look at our policies and overall security posture in every arena, traditional and more modern.

ntodd

I'll Slip An Extra Shrimp On The Firewall For You

Crikey:

A proposed Internet filter dubbed the "Great Aussie Firewall" is promising to make Australia one of the strictest Internet regulators among democratic countries.

Consumers, civil-rights activists, engineers, Internet providers and politicians from opposition parties are among the critics of a mandatory Internet filter that would block at least 1,300 Web sites prohibited by the government — mostly child pornography, excessive violence, instructions in crime or drug use and advocacy of terrorism.

Hundreds protested in state capitals earlier this month.

"This is obviously censorship," said Justin Pearson Smith, 29, organizer of protests in Melbourne and an officer of one of a dozen Facebook groups against the filter.

The list of prohibited sites, which the government isn't making public, is arbitrary and not subject to legal scrutiny, Smith said, leaving it to the government or lawmakers to pursue their own online agendas.

"I think the money would be better spent in investing in law enforcement and targeting producers of child porn," he said.

Internet providers say a filter could slow browsing speeds, and many question whether it would achieve its intended goals. Illegal material such as child pornography is often traded on peer-to-peer networks or chats, which would not be covered by the filter.

"People don't openly post child porn, the same way you can't walk into a store in Sydney and buy a machine gun," said Geordie Guy, spokesman for Electronic Frontiers Australia, an Internet advocacy organization. "A filter of this nature only blocks material on public Web sites. But illicit material ... is traded on the black market, through secret channels."

Communications Minister Stephen Conroy proposed the filter earlier this year, following up on a promise of the year-old Labor Party government to make the Internet cleaner and safer.

"This is not an argument about free speech," he said in an e-mail to The Associated Press.

Uh, yeah, it actually is.  But if it will have the side effect of blocking Aussie content going the other direction and preventing Crocodile Dundee from ever getting back to these shores electronically, perhaps I'll support it...

ntodd

Is That On The Dollar Menu?

AP:

Here's some food for thought: If you have nude photos of your wife on your cell phone, hang onto it.

Phillip Sherman of Arkansas learned that lesson after he left his phone behind at a McDonald's restaurant and the photos ended up online. Now he and his wife, Tina, are suing the McDonald's Corp., the franchise owner and the store manager.

One might also consider locking one's phone, let alone leaving sensitive data on a mobile device that can be easily compromised...

ntodd

BoA Does Good

Network World:

Upon request, BoA will send a six-digit code to your cell phone via text message. When you enter the code, BoA validates the code and allows you to proceed to the icon/password verification page just described. The token expires in 10 minutes. They also offer an alternative mechanism of authentication should you be in a place unable to receive the message on your cell phone.

There are a number of really positive things to say about this scheme:

1. It is low-cost. No tokens to tote, no tokens to lose, no software to load, nothing extra needed other than what you very likely already have: a cell phone.

2. It is easy to understand and use. There’s nothing complicated about this: anyone accessing their Web site should be more than knowledgeable enough to appreciate the simplicity and elegance of this system.

3) It speaks volumes for BoA. This tells me that Bank of America understands the security risks of doing credit card business on the Web and has taken steps to make sure the person on the other end of the browser is indeed who they say they are.

Mich's correspondent, Mike Drabicky, is correct that any system can be exploited but this approach certainly jacks up the work factor. 

I am a Bank of America customer, but haven't used the new verification option yet.  SiteKey is a bit annoying to me on my slow Internet connection, so adding another layer of security might just annoy me more, though I will have to play with it.  At least I now get fairly reliable wireless reception at the house so the web loads faster and I get text messages consistently.

ntodd

Colossal Update

Reuters:

British computer experts acknowledged defeat on Friday after a German amateur radio enthusiast won a challenge to crack secret messages encoded by a World War Two cipher.

Joachim Schueth, from the German city of Bonn, managed to intercept a special radio transmission and decipher a super-complex code in less than two hours using software he wrote for the challenge.

Britain's Colossus computer, built in the 1940s to break secret German transmissions during the war and painstakingly rebuilt over the past 14 years, was still racing through its computations to come up with a solution.

Schueth's computer program actually managed to crack the hardest part of the challenge -- deciphering the code of a Lorenz SZ42 encryptor, which has approximately 16 million million million permutations -- in just 46 seconds.

"It's a brilliant piece of work, really really impressive," said Andrew Clark, director of Britain's National Museum of Computing, which designed the challenge and is overseeing the running of Colossus, based at Bletchley Park outside London.

"He's used a program that is highly optimized for this task and he's designed it very well.

"We're really pleased and very impressed. It highlights the strength of the international community working together."

Schueth was not immediately reachable for comment, but on his Web site he explained in a very low-key way how he had gone about defeating a machine that in its day was the most powerful calculator in the world and the forerunner of modern computing.

"Putting Colossus in a competition with modern computers may be a bit unfair," he wrote.

"Colossus was an ingenious construction and a landmark in the history of computing. But technology has very much evolved since: When fed with a usable ciphertext, the quick-setting program ... found the setting of all 12 wheels within 46 seconds."

The Lorenz cipher is based on wheels that can have an almost infinite range of settings.

Colossus, a truck-sized computer built in 1943-4 with the help of mathematicians such as Enigma code breaker Alan Turing, has worked out five of the wheel settings so far and is expected to complete the task in about six hours.

Gee, he didn't even have to use multiple computers on the Internet in parallel!

ntodd