Archive for June, 2011

Fear sells – and governments are accomplished salesmen

June 28, 2011

One of the phrases I like to use in relation to security is ‘fear sells’. The more we are afraid, the more we will buy to protect ourselves. Some security vendors implement this theory as a serious strategy (most don’t). But all governments do. And what we are expected to buy from them is their authority over us.

Today, the four horsemen of the apocalypse (internet) are terrorists, pedophiles, drug & gun runners and money launderers. We have to be afraid of them so that we accept and do what we are told by governments. We have to do this so that governments can protect us from the four horsemen who will run off with our children and blow us up with dope bought with illegal money. Protect by Control is the modern slogan.

Now I’m not saying that we should not be wary. The internet is a dangerous place. But so is the M25.

Now consider this statement released by the Arizona Department of Public Safety:

The week of June 20, 2011, the Arizona Department of Public Safety became aware that their email system had been compromised by a known cyber terrorism group, known as LulzSec… The cyber terrorism group has posted the stolen information on their website.
DPS Victim of Cyber Attack

What is terrorism? My dictionary says simply: “the use of violence and intimidation in the pursuit of political aims.” There are lots of other definitions – but that word violence or the threat of violence is always there. Wikipedia has an interesting comment:

The concept of terrorism may itself be controversial as it is often used by state authorities (and individuals with access to state support) to delegitimize political or other opponents, and potentially legitimize the state’s own use of armed force against opponents (such use of force may itself be described as “terror” by opponents of the state).

So where do we place LulzSec (now gone, of course) and the Arizona DPS? Graham Cluley of Sophos, never a fan of LulzSec, is far more temperate and accurate. Although not talking specifically about LulzSec, he commented today, “While there’s obviously a vast contrast between DDoS attacks and the bad guys looking to steal sensitive information for financial gain, the biggest concern is the attitude towards these attacks, with hackers portraying that it’s all a bit of fun. Companies and computer users mustn’t sit back and laugh along, thinking that these attacks won’t affect them. Businesses need to be sure of the quality of their security systems and all of us who entrust our sensitive information to third parties should be aware that the problem could affect us too.”

He was talking about the renewed attacks against MasterCard (of which, more here). But my point is this: according to Graham, MasterCard was taken down by hacktivists, not terrorists. He’s not trying to terrorise us into accepting the need for greater internet control – he’s simply telling us how it is.

That’s what the members of LulzSec were: hacktivists. Sadly, in the long run, they do their own cause more harm than good. Because political machines like the Arizona DPS will play the fear card, turn them into terrorists and turn the people against them and their message. And sadly, most of us will believe the political machines; and we will accept more and more political control over both our physical and cyber lives in order to protect ourselves from these terrorists, pedophiles, drug and gun runners, and money launderers.


Categories: All, General Rants, Politics

Microsoft sued again. And Apple. And Sony. And others…

June 28, 2011

I do like a guy who refuses to do things by half. Mediostream is suing Microsoft, Apple, Sony and others for misappropriation of trade secrets and more. It’s strong stuff:

To protect its valuable Windows monopoly against such potential competitive threats, and to extend its operating system monopoly into other software markets such as consumer electronics, Microsoft has engaged in a series of anti-competitive activities. Microsoft’s conduct includes agreements tying other Microsoft software products to Microsoft’s Windows operating… etcetera and etcetera and etcetera…

It’s fascinating reading! (Courtesy of Courthouse News Service)

But it’s also inspiring. Am I too late?

Design for ICL Quattro booklets

Way back in 1986 – before MS Office – and working as Townsend & Taphouse, we produced a booklet for ICL, and retained copyright. The design is almost exactly the one that Microsoft subsequently used for Office (you can see the story here: Sample Design Work – circa 1986). May I suggest that the entire Microsoft Empire was built on this design? Do I deserve a percentage (even a tiny one)?

Oh damn – they changed the rotation of the pieces! And the colour shades are a bit different. And MS Office didn’t have any writing on the pieces.

Ah well. I can always dream of what might have been…

Categories: All

Christopher Shales: Great reasons to join. No reasons not to

June 27, 2011

I’ve just read Christopher Shales’ memo entitled Great reasons to join. No reasons not to (courtesy of Guido). All the press coverage might make you think that it was the other way round: no reasons to join, great reasons not to. But it’s not. Shales clearly believed that the latter is merely the perception, and that the perception has to be changed. And that is what his memo is about.

If the Conservative party follows his advice, then I’m sure that they will increase membership. But I think he misses one fundamental point. He talks about people being either politics heavy or politics light, and the latter section is the difficult one. What he misses, however, is that the majority of people are neither wholly Labour, nor wholly Liberal, nor wholly Conservative whether they are politics heavy or light.

I voted Conservative at the last election because I was frightened by the Orwellian direction that Labour was taking our nation. The Conservatives promised to end this march into autocracy. So I voted for them. Not because I believe in everything Conservative, but because I believed them in this.

They lied. They didn’t repeal the ridiculous Digital Economy Act. It looks like ACTA will be nodded through. Surveillance has diminished not one jot. The police still maintain the largest DNA database in the world. And that’s just off the top of my head.

So who will I vote for next time? I don’t know yet. But how can I join a party with whom I have fundamental disagreement? And there’s no way I could join this Labour party despite the fact that I consider myself socialist (small ‘s’) at heart.

That’s why people don’t join political parties – it’s the perception of all or nothing. And no party in the country can match the political aspirations of the individual. They all betray us in the end.

Categories: All, Politics

Creeping Control…

June 24, 2011

This is a tale of three ISPs, two governments and one LEA: T-Mobile, Vodafone and Virgin Media; the UK and Australia; and SOCA.

A couple of days ago, T-Mobile (I was using a dongle attached to a netbook in a car park far from home) blocked my unequivocal access to an article on James Firth’s blog. You can read my comments at the time here (T-Mobile blocks ‘Slightly Right of Centre’), and T-Mobile’s policy here (Content lock). I don’t think there is anything sinister in this. But I don’t think T-Mobile’s system is anywhere near as advanced as it claims. And I am offended by its behaviour, and will exercise my right to go elsewhere in future.

Two days ago the No DPI blog published an article describing the discovery that Vodafone is using a Blue Coat web filter. No DPI is a bit upset at this, and you can read the post here (Vodastalk; Vodafone and Bluecoat Stalking Subscribers). I asked Blue Coat’s Nigel Hawthorn, VP EMEA Marketing, to explain it to me.

Nigel Hawthorn, VP EMEA Marketing, Blue Coat

“Around 2005, Vodafone was concerned that children might access inappropriate content on their mobile phones, and the blame for this access could fall on Vodafone,” he told me. “So, as a measure of corporate responsibility they felt that even though parents and guardians are responsible for children’s Internet access at home, a mobile phone operator bears some responsibility when minors are using mobile phones. Of course, from a public opinion point of view, they also didn’t want a ‘Johnny’s accessing Playboy in the playground and it’s all Vodafone’s fault’ in the press. So, they looked at various options and deployed the Blue Coat WebFilter in their network.” Blue Coat actually announced this back in 2006 (Blue Coat Provides Mobile Operators with Web Filtering, Anti-Virus, Web Acceleration and Services Platform), which is important. It demonstrates that there was no attempt to do anything secretly.

“Vodafone split users into two categories: ‘children’ and ‘adults’,” he continued. It blocks various adult categories from phones that are owned by children. But “the next step was that Vodafone decided to be even more careful and consider that any phone that is owned by someone who they are unsure is a child or adult is considered a child until the owner contacts Vodafone and confirms that they are an adult.” Which seems to be exactly the same policy as that used by T-Mobile.

I asked Nigel to take me through the technology. “What happens technically,” he explained, “is that Vodafone has ProxySG devices installed in its network running Blue Coat WebFilter. WebFilter is doing the same job as it does for large enterprises – it just categorises websites. The actual policy about what is blocked or allowed is set by Vodafone. I believe that more than 99% of web requests are categorised by the WebFilter systems installed in the Vodafone network. However, if a person surfs to a previously unknown site, the ProxySG asks the cloud-based WebPulse service to check out that site. WebPulse then surfs to that page on behalf of the user and performs its various functions to try to ascertain the content categories that are appropriate (a single page can be in up to four categories).”

I had only one further question: does Vodafone send Blue Coat any user-identifiable information? “No. All we ever see is the URL, and the IP address of the ProxySG server – nothing about the individual user; and nothing else.”

Once again, I can see nothing sinister about this. In fact, even less than in T-Mobile’s system, since in this case Vodafone is using an independent third party to categorise the web pages rather than imposing its own prejudices.
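The split Nigel describes can be made concrete. The following is an added illustration, not Blue Coat’s or Vodafone’s code: the category database, the cloud lookup and the category names are constructed stand-ins for WebFilter and WebPulse. It shows the categoriser only labelling sites, the operator’s policy deciding what is blocked (with unverified subscribers treated as children), and a cloud lookup carrying nothing but the URL and the proxy’s own address.

```python
"""Operator-side URL filtering: local categorisation, cloud fallback, operator policy.

Added example, not Blue Coat's or Vodafone's code. LOCAL_DB, fake_webpulse and the
category names are constructed stand-ins for WebFilter/WebPulse.
"""
from urllib.parse import urlsplit

PROXY_IP = "198.51.100.2"                 # the proxy's own address (RFC 5737 range)
ADULT_CATEGORIES = {"adult", "gambling"}  # constructed: labels the operator restricts
MAX_CATEGORIES = 4                        # a page can carry up to four categories


class UrlFilter:
    def __init__(self, local_db, cloud_lookup):
        self.local_db = dict(local_db)     # hostname -> set of categories (the >99% path)
        self.cloud_lookup = cloud_lookup   # callable(url) -> iterable of category names
        self.cloud_requests = []           # every request that left the network, for audit

    def categorise(self, url):
        """Return (categories, source). Unknown hosts are looked up in the cloud and cached."""
        host = (urlsplit(url).hostname or "").lower()
        if host in self.local_db:
            return set(self.local_db[host]), "local"
        # Data minimisation: the outbound request is built from the URL and the proxy
        # address only. The subscriber record is never in scope here, so it cannot leak.
        self.cloud_requests.append({"url": url, "proxy_ip": PROXY_IP})
        cats = set(list(self.cloud_lookup(url))[:MAX_CATEGORIES])
        self.local_db[host] = cats         # next request for this host stays local
        return cats, "cloud"

    @staticmethod
    def subscriber_class(subscriber):
        """Operator policy from the post: anyone not confirmed as an adult is a child."""
        return "adult" if subscriber.get("age_verified") is True else "child"

    def decide(self, url, subscriber):
        """Apply the operator's policy to the categoriser's labels."""
        cats, source = self.categorise(url)
        restricted = sorted(cats & ADULT_CATEGORIES)
        if restricted and self.subscriber_class(subscriber) == "child":
            return {"action": "block", "reason": restricted, "source": source}
        return {"action": "allow", "reason": [], "source": source}


# Constructed data: a small local database and a fake cloud categoriser.
LOCAL_DB = {"news.example": {"news"}, "casino.example": {"gambling"}}
CLOUD_ANSWERS = {
    "https://blog.example/policy-post": ["politics", "blogs"],
    # five labels returned; the filter keeps the first four
    "https://shop.example/spirits": ["shopping", "alcohol", "adult", "food", "retail"],
}


def fake_webpulse(url):
    return CLOUD_ANSWERS.get(url, [])      # unknown to the cloud as well: no categories


def demo():
    """Run a few requests; returns (decisions, what was sent to the cloud)."""
    f = UrlFilter(LOCAL_DB, fake_webpulse)
    unverified = {"msisdn": "+44 7700 900123", "age_verified": None}   # constructed
    adult = {"msisdn": "+44 7700 900456", "age_verified": True}        # constructed
    decisions = {
        "casino_unverified": f.decide("https://casino.example/", unverified),
        "casino_adult": f.decide("https://casino.example/", adult),
        "blog_unverified": f.decide("https://blog.example/policy-post", unverified),
        "blog_again": f.decide("https://blog.example/policy-post", unverified),  # cached
        "shop_unverified": f.decide("https://shop.example/spirits", unverified),
    }
    return decisions, f.cloud_requests


if __name__ == "__main__":
    decisions, sent = demo()
    for name, d in decisions.items():
        print(f"{name}: {d['action']} ({d['source']}) {d['reason']}")
    print("left the network:", sent)
```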

A week ago, Virgin Media broke the news that it had written to 1500 customers to tell them they were probably infected with the SpyEye trojan. This is an altogether different kettle of fish, since it identified the ‘infected’ users with the help of the Serious Organised Crime Agency (SOCA); and despite widespread praise for VM’s proactive attitude towards the security of its customers, I believe that this deserves closer examination. My understanding is that SOCA monitors known SpyEye control servers. IP addresses that connect to or are contacted by these servers are likely to be infected PCs. So it effectively gave those IP addresses to VM, who said yes, these 1500 are our customers and we’ll write to them.

But this leaves me with several questions. Why has this service been given to VM only? If it was offered to the other ISPs, why didn’t they take it? Why did VM go with a law enforcement agency rather than doing it themselves or employing a third-party security specialist (like Vodafone and Blue Coat)? For example, VM could have freely used the list of SpyEye servers maintained by SpyEye Tracker.

SpyEye Tracker: monitors known SpyEye control servers

Other questions are: why write to the customers rather than email or telephone? Given the nature of SpyEye, that minimum 24-hour delay could be catastrophic for the infected users. And what if the user was a tenant in a building with an absentee landlord? The registered user might be in a different country to the actual user – and again, the delay in getting the message could be catastrophic. All in all, it doesn’t quite seem to add up.
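To make the matching step concrete, here is an added example of the procedure described above (my illustration, not SOCA’s or Virgin Media’s method): a third-party list of SpyEye control servers is parsed, connections to those servers are mapped back to customers using the address lease in force at the time of the contact, and a match is treated as an indicator rather than proof. The feed, flow records and leases are constructed, using documentation and shared-address ranges only.

```python
"""Attribute contacts with known SpyEye control servers to ISP customers.

Added example, not SOCA's or Virgin Media's procedure. The feed, the flow records
and the address leases are constructed; addresses come from RFC 5737/6598 ranges
and identify nothing real.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed feed in the one-address-per-line form a public tracker might publish.
SPYEYE_C2_FEED = """
# SpyEye control servers (constructed sample)
203.0.113.10
203.0.113.11
198.51.100.7
not-an-address
"""


@dataclass(frozen=True)
class Flow:
    seen: datetime
    src: str   # customer-side address from the ISP's own pool
    dst: str   # remote address contacted


@dataclass(frozen=True)
class Lease:
    ip: str
    customer_id: str
    start: datetime
    end: datetime   # exclusive


def parse_c2_feed(text):
    """Valid IPv4 addresses in the feed; comments, blank lines and junk are skipped."""
    servers = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            servers.add(str(ipaddress.IPv4Address(line)))
        except ipaddress.AddressValueError:
            continue   # one malformed line must not break the whole match
    return servers


def customer_for(ip, when, leases):
    """Customer holding `ip` at `when`, or None if the address was unassigned then."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease.customer_id
    return None


def find_suspect_customers(flows, c2_servers, leases):
    """Map control-server contacts to customers via the lease valid at observation time.

    Returns {customer_id: sorted C2 addresses contacted}. A hit means a device behind
    that address probably talked to a control server; it does not say which device
    (home NAT) or who was using the line (the bill payer may not be the user).
    """
    hits = {}
    for flow in flows:
        if flow.dst not in c2_servers:
            continue
        cust = customer_for(flow.src, flow.seen, leases)
        if cust is not None:
            hits.setdefault(cust, set()).add(flow.dst)
    return {c: sorted(s) for c, s in hits.items()}


def notification_late(seen, delivered, max_age=timedelta(hours=24)):
    """True when the warning reaches the customer more than `max_age` after the contact."""
    return delivered - seen > max_age


def demo():
    t0 = datetime(2011, 6, 15, 9, 0)
    leases = [
        # Same pool address, two customers in turn: the lease in force at the time decides.
        Lease("100.64.0.5", "CUST-A", t0 - timedelta(days=1), t0 + timedelta(hours=1)),
        Lease("100.64.0.5", "CUST-B", t0 + timedelta(hours=1), t0 + timedelta(days=2)),
        Lease("100.64.0.9", "CUST-C", t0 - timedelta(days=3), t0 + timedelta(days=3)),
    ]
    flows = [
        Flow(t0 + timedelta(minutes=30), "100.64.0.5", "203.0.113.10"),  # CUST-A held it
        Flow(t0 + timedelta(hours=2), "100.64.0.5", "198.51.100.7"),     # CUST-B held it
        Flow(t0 + timedelta(minutes=5), "100.64.0.9", "192.0.2.50"),     # not a C2 server
        Flow(t0 + timedelta(minutes=7), "100.64.0.9", "203.0.113.11"),
        Flow(t0 + timedelta(hours=3), "100.64.0.77", "203.0.113.10"),    # unassigned: dropped
    ]
    return find_suspect_customers(flows, parse_c2_feed(SPYEYE_C2_FEED), leases)


if __name__ == "__main__":
    for cust, servers in sorted(demo().items()):
        print(f"{cust}: contacted {', '.join(servers)}")
```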

And that brings us specifically to SOCA. SOCA is the law enforcement agency that lobbied Nominet to agree to take down UK websites that SOCA declared to be illegal. Without the need for judicial oversight. And now take a step further back to the UK Home Office, the Ministry in charge of the UK law enforcement agencies. This month the Home Office published its ‘Prevent Strategy’ (my comments: So you thought this Coalition was less draconian than New Labour? Think again). It includes:

We want to explore the potential for violent and unlawful URL lists to be voluntarily incorporated into independent national blocking lists…

Note that word ‘voluntarily’. In politic-speak, that means ‘without our need to get a court order’. So, put bluntly, the Home Office and SOCA are set on a course of obtaining extra-judicial control of the internet without the need for either parliamentary debate or a court order. By partnering with one of the UK’s major ISPs, that idea of SOCA and ISPs working together for the good of the people is almost subliminally injected into our subconscious. But the truth of the matter is that it is more like a form of creeping control.

Now let’s look at the final part of our story: Australia. Australia has succeeded in implementing the Home Office plan.

Starting next month, the vast majority of Australia’s Internet users will find their access censored, following a decision by the country’s two largest providers–Telstra and Optus–as well as two smaller ISPs (itExtreme and Webshield), to voluntarily block more than 500 websites from view.
EFF: Australia Heads Down the Slippery Slope, Authorizes ISPs to Filter

EFF then enumerates four reasons we should worry about this:

  • there is no transparency in the selection of URLs to be blacklisted, and no accountability from the regulatory bodies creating the blacklists
  • filtering does little to curb the trade of child pornography, much of which is traded across peer-to-peer networks and VPNs. Filtering it from the world wide web may simply push it further underground
  • there appears to be no appeals process in the Australian ISPs’ scheme, thereby making it difficult for sites erroneously caught up in the filter to challenge the block
  • the introduction of a filter sets precedent for the ISPs to filter more sites in the future at the behest of the Australian Communications and Media Authority. If the ACMA were to make the decision that sites deemed “indecent” or politically controversial–for example–should be off-limits, would the ISPs comply?

This is where we are heading in the UK, and that’s why we should worry about this relationship between SOCA and Virgin Media. I cannot prove an ‘evil partnership’ between the two; but in the EFF’s words, ‘it sets precedent’ for ISPs to get more and more involved in ‘voluntary’ blocking. What I do know is that SOCA and the Home Office would like control of the internet without judicial oversight; and that this relationship between SOCA and Virgin Media will make that all the more likely. I would be much happier if the ISPs do their filtering individually and without law enforcement or government input: T-Mobile’s Content Lock and Vodafone’s Blue Coat are infinitely better than Virgin Media’s SOCA.

Is it safe to carry on using Dropbox? Yes and No

June 23, 2011

Dropbox is a great little company. I use Dropbox. It allows you to store your files in the cloud for free. I use it to move work files between my various different platforms, mainly Windows and Mac, in various different locations.

Recently, however, it has had some bad press. Firstly it suddenly and apparently arbitrarily changed its T&Cs. The privacy policy includes:

Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights. We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.

This has upset a lot of people. However, it seems to me that the company is simply complying with the law; it has no choice.

The second concern is with the more recent announcement of a freely available Dropbox Reader. This ‘product’ can apparently read anybody’s Dropbox files without needing a password to access the account. It is not produced by Dropbox. It was developed by Cyber Marshal. “Dropbox Reader is a suite of command-line tools for parsing configuration and cache files associated with the Dropbox cloud storage software. These tools can run on Windows, Macintosh, and Linux systems,” says the Cyber Marshal website.

More sinister to my mind, however, is the statement on the About page:

Lifted from Cyber Marshal’s About page

So I asked Dropbox to comment on Dropbox Reader. Would it do anything to counteract it? I haven’t had a reply. That’s a shame.

But there is really only one takeaway from this. You don’t need to stop using Dropbox, or any of its competitors, or Google Docs – just never, ever put anything confidential or legally dubious anywhere in the cloud. Just don’t.

[See also: Is it safe to carry on using Dropbox? Yes and No: Part II - 5 August 2012]

Categories: All, Security Issues

Viviane Reding’s future Data Protection Law includes ‘serious’ breach notification

June 23, 2011

Viviane Reding, Vice-President of the European Commission, EU Justice Commissioner, gave a very important speech at the BBA (British Bankers’ Association) Data Protection and Privacy Conference in London on 20 June 2011: Assuring data protection in the age of the internet. Interest has focused on her statement:

I intend to introduce a mandatory requirement to notify data security breaches – the same as I did for telecoms and internet access when I was Telecoms Commissioner, but this time for all sectors, including banking and financial services.

This is something Europeans have been calling for (for example, see The Institute of Directors – talking net neutrality, compliance and breach notification with Richard Swann on this blog).

The thrust of the speech was that she would create a level playing field across Europe, so that precisely the same data protection rules would apply in every EU country.

This is what I will do for businesses.

But in return,

People must know how their data is being used. Service providers have to increase transparency on how a service operates, what data is collected and further processed, for what purposes, and where and how it is stored. In light of recent data theft scandals, let me add that I expect companies to do more to keep their customers’ personal data secure.

Mandatory breach notification is seen as a key motivation for ensuring that increased security. But there are further hints for the future, including:

Take the cloud, the story goes that the data in cross-border and cross-continent flows is impossible to regulate. This is not my vision of the future… I am considering the inclusion of the “accountability principle” in my reform so that data of citizens exported to third countries is always exported with their rights attached.


Garry Sidaway, Director of Security Strategy at Integralis

Or take the “right to be forgotten”. “Impossible” some say, “get over it”. Well, I don’t agree… I cannot accept that individuals have no say over their data once it has been launched into cyberspace.

All of this is fine and noble – but we should remember that at the moment it is just an aspiration. The devil will be in the detail; and we can already see how this will work. The phrase ‘serious breach’ already occurs:

I do believe that an obligation to notify incidents of serious data security breach is entirely proportionate and would enhance consumers’ confidence in data security and oversight mechanisms.

‘Serious’ is underlined – not by me, but by Ms Reding. So who defines ‘serious’? Well, it can’t be the EC, because if there is no notification, they have nothing to judge. So this is in effect a pretty meaningless statement; if it is not serious, does it not have to be disclosed?

Garry Sidaway, Director of Security Strategy at Integralis believes that industry will feel compelled to comply. “Legislation and audit pressures are huge on businesses at the moment due to the global crisis,” he told me. “The auditors do not want to be caught out again and are driving and enforcing compliance and demonstration to policy – businesses who ignore the pending disclosure law will face increased audit pressures and they can’t afford to ignore that.”

Matt Peachey, VP EMEA at Veracode

Matt Peachey, VP EMEA at Veracode, however, sees potential problems. “The challenge for both governments and businesses will be in implementation. As we’ve seen recently with EU regulation around cookies, each member state looks at these areas differently. Although some EU member states, notably Germany, already have data breach notification laws in place, we are likely to see something similar to the US State-driven model, where we have multiple standards in place for enforcement, regulation and financial penalties.” And he foresees additional problems. “These can prove unduly arduous on small businesses, but could also potentially result in the consumer ignoring notifications, as they become immune to the constant noise.”

And I’d like to throw a further thought into the mix. In the UK, the Data Protection Act is enforced, well officially if not practically enforced, by the ICO. I have extreme doubts over whether it has either the balls or the teeth to take on, for example, a major bank in serious undisclosed breach. Time will tell. I hope I’m wrong – but my fear is that this will be just more PR legislation riddled with get-outs for all the companies that can afford them.

Categories: All, Politics, Security Issues

Lulz + Anonymous = AntiSec. But is it modern society that is really to blame?

June 22, 2011

This is an exhortation: think beneath the surface of what you are told. The subject is Lulz Security and the Anonymous group. They have aligned themselves in the AntiSec operation against the Establishment; but before simply condemning them I would like us all to consider the issues.

Let’s look at some of the few facts we know. Firstly, there is no evidence of what most people consider to be criminal behaviour: theft for personal gain or simple wanton destruction (it is criminal behaviour simply because what they do is against the law). Rather, they consider themselves engaged in political activism on the internet, although Lulz also claims that it is just plain ‘fun’.

AntiSec is aimed at both the government establishment and what Lulz calls the whitehat security industry:

Operation Anti-Security is in effect. Join the fleet and tear the government and whitehat peons limb from limb – #antisec winds are strong.

Government I understand. But why wage war against the security industry? Lulz offers this:

Your tax money is being used to pay for things to not be secured so that people like us can take what you expect to be kept inaccessible.

Is that a pop against the billions of tax dollars and pounds used by government to store our personal details online? Or is it a pop against the security industry that uses additional tax money to maintain, but fails to maintain, the security of that data online? Consider the following from a press release put out by Idappcom (a whitehat security company):

Yesterday, the Serious Organised Crime Agency (Soca) was subject to a distributed denial of service (DDoS) attack designed to bring down its website. Today LulzSec say they have ‘blissfully obtained records of every single citizen who gave their records to the security-illiterate UK government for the 2011 census’.

But Lulz says:

Just saw the pastebin of the UK census hack. That wasn’t us – don’t believe fake LulzSec releases unless we put out a tweet first.

Idappcom added:

The attacks of yesterday were not damaging but a Twitter post today has threatened that future attacks will be.

I’ve looked. Believe me I have looked. But I cannot find a Lulz tweet that says anything like this. The nearest I can find is this:

DDoS is of course our least powerful and most abundant ammunition. Government hacking is taking place right now behind the scenes. #AntiSec

But that’s not a threat of damage, it’s a claim that they are breaking into sites and not just taking them down.

So some aspects of government and industry (and I have to add, media) are playing up the threat from Lulz. Why? Well, fear sells. If we are afraid of all hacking activity we will more likely accept the loss of personal liberty that governments demand in the name of security for purposes of control. And if we are afraid of hackers we will more likely buy security products from the whitehat industry. And the more afraid we are, the more we will buy from both government and industry.

So, sadly, I would suggest that the methods chosen for AntiSec will be counterproductive to the ends: it plays into the hands of the establishment they attack. But this is what I want you to ask yourselves: what else can the politically conscientious youth of today do? It’s not like my day back in the ’60s and ’70s. We’re not allowed to protest peacefully today: we get illegally corralled, beaten, filmed, and stored. So what I want you to ask yourselves is this: is AntiSec today’s version of taking to the streets in the way that my generation did all those years ago? And do they not have a point? Consider the illegal wars that our governments engage in. Think of the lies they tell us. Think of the way the banks control us through control of the (and usually our) money. Think of the way in which dissent is quashed. Think of Dr David Kelly. Think of the war against terror that fills the coffers of our munitions industries but has made the world less safe for everyone. I’d like to suggest this: in a few years time, AntiSec will be part of our university sociology and psychology courses. Is AntiSec the inevitable result of a government divorced from its people: discuss.

Categories: All, Politics, Security Issues

Miliband targets Cameron with detail+charity in PMQs

June 22, 2011

Ed Miliband thinks he has a winning wheeze when taking on caring Cameron at PMQs. While Ed cannot see the wood for the trees, poor Dave sees the wood but not the individual trees. So Ed has begun to attack by using detail taken from a charity. The result is detail our Dave hasn’t come across from a source he cannot attack.

Last week Ed quoted from the Macmillan charity suggesting that 7000 cancer patients stand to lose £94 per week. This week (today) he attacked the proposals (actually the EU requirement) that innocent people are removed from the police DNA database, and he quoted Angie Conway of campaign group Rape Crisis, who said: “With the reporting of rapes on the increase and conviction rates still shockingly low, the evidence this database provides is vital. The more of this data we hold, the more chance we have of catching rapists.”

You cannot criticise MacMillan or Rape Crisis without appearing to be an absolute, uncaring cad. But it is so sad that Miliband is reduced to playing politics with such personally serious and potentially tragic issues. And it also shows that Miliband and the Labour party have not learned from their electoral defeat – they still want to hold database detail on all of us.

Categories: All, Politics

T-Mobile blocks ‘Slightly Right of Centre’

June 22, 2011

Talk about the irony!

I was away from the office. Access to the internet was only via T-Mobile. But I was reading a fascinating but frightening blog by the well-known terrorist, James Firth, CEO of the Open Digital Policy Organization. I urge you to do the same: Premier League joins group lobbying for web blocking, proposing confused “voluntary” scheme – overseen by the courts

It describes another typically secretive attempt to persuade government to instigate internet blocking on behalf of rightsholders. The irony? Up pops a little message from T-Mobile: “The website you are trying to access is blocked by Content Lock as it contains content that is unsuitable for under 18s.”

T-Mobile's Content Lock censorship tool

Me? Under 18?

I didn’t ask for this. I certainly didn’t pay for it. I am not under 18. And I don’t use credit cards. So, basically, I’m stuffed by T-Mobile – who, once this subscription runs out, I shall never use again.

But it does show the danger of these ‘voluntary’ blocking schemes, by whomever, for whatever: they will be used for censorship, and there will be nothing we can do about them. So we simply mustn’t allow them.

The infosec market in China

June 21, 2011

“At HSBC we never underestimate the importance of local knowledge.” So says the Hongkong and Shanghai Banking Corporation, Europe’s largest bank and one that, at the time of writing, is rumoured to be contemplating a move from London back to its origins in Hong Kong.

This article was written for, first published by, and reprinted here with the kind permission of Infosecurity Magazine.

It is already the largest international bank in China, and the advice inherent in its advert is crucial for any company seeking to do business in China: understand the local culture and its differences to western culture.

Key to this is the Chinese attitude towards intellectual property. Yicun Chen, an intellectual property specialist and one-time assistant professor at Zhejiang University City College in China, wrote:

In contrast to individualism in the West, collectivism – a traditional and socialist value – substantially influences the cultural, social and legal areas in China. Collectivism has a long tradition based on Confucianism, which prioritizes the needs of the group over the rights of individuals. Historically, there was little protection of individual rights, especially in the intellectual property field. Copying and sharing created works without any compensation was widely accepted in traditional China.
The Impact of ACTA on China’s Intellectual Property Enforcement

Matthew Cheung, principal research analyst, Gartner

This view is shared by Gartner principal research analyst Matthew Cheung. “Historically, because China has traditionally been ruled by the Emperor, the citizens don’t have ownership of their personal privacy or personal data – everything is owned by the government/emperor. Basically, the Chinese people don’t realise that they have the right to own data or privacy.” And if they don’t own personal privacy or data, neither does anyone else other than the state. So from the early days of Confucius, throughout the history of the empire, right to modern communist China, the driving force is the collectivist state and not the individual.

How does this affect the western company seeking to do business in China? “You have to understand,” explains Cary Conrad, Integralis’ president North America, “that to the Chinese mindset stealing is when you take something physical from one place to another. But if you’re just appropriating technology and copying it, that’s not theft, that’s good business.”

So at one level, taking product to China that is dependent upon intellectual property is a risky business – and let’s face it, security products are full of patented and copyrighted ideas. “There’s no moral problem for the Chinese to reverse engineer a chip by hooking it up to a test bed, sucking out the object code and then putting it back in another,” continued Conrad. “There are some smart engineers and there are some very smart people in that market.” And incidentally, this attitude could also explain the consistent suspicion in the west that the Chinese government condones cyber-espionage – it is, after all, just good business.

Cary Conrad, president North America, Integralis

But the potential problem, and you should decide for yourself whether this is just hypothetical, could affect a company’s worldwide business and not just its business in China. Conrad again: “So here’s what’s going to happen; a firewall that does everything a Cisco firewall does in a miraculously similar fashion is going to hit the marketplace. Instead of costing $1000, it’s going to cost just 200 bucks. So the western integrator and distributor is going to look at this product and say, well I can resell this for a lower price and at a higher margin than I could resell a similar western product.”

It’s effectively the same product, but having been manufactured with China’s lower labour costs and with no R&D overheads, it can be exported to the west, rebadged by an OEM and sold without the buyer necessarily knowing it’s come from China. And all because of good business practices in China.

That’s the first lesson: if loss of intellectual secrets would seriously impact your business, think very carefully before going to China. But there are other problems. “I think the first thing,” says Gartner’s Cheung, “is the regulation about encryption technology. When you import your product into China – say a security product such as a router or a switch that has some sort of encryption technology – then you have to hand your encryption algorithm/technology to the Customs people. Many of our clients are concerned about this because they consider their encryption as a trade secret, and they don’t know whether the Chinese government will leverage that platform to steal their IP. This is one critical issue; but the government insists it is for national security – and that’s why it is with Customs and not the Ministry of Commerce. So far, vendors, such as Cisco, are doing OK complying with this law.”

And then there’s the effort, and the sheer cost of that effort, to consider. For example, you must “have a local presence in China”, explains Cheung. They call it the ‘legal person’. You have to register the company in China; and there are many other rules and regulations. If you operate a website you have to apply for a licence – an internet content provider licence. And you have to file your trademark, your patents, and copyright – you can’t just use existing overseas copyrights – you have to do it all again in China.

“Security companies must also look at the competition in China,” he adds. “There are many, many local vendors there exploiting the PRC [People’s Republic of China] market, both hardware and software; so you need to evaluate your market very carefully. The government sector is particularly sensitive. You might well be required to be 50% or more developed in China. So, if you are dealing with the Chinese government or its agencies, you will need to partner with someone else in China so that when you make up a deal you can be sure that about 50% of that deal, the costs of that deal, should come from China.”

“If you’re doing it for the first time,” adds Conrad, “it’s going to cost about five million bucks just to set up shop in China.” But if doing business in China is so difficult, why should we bother? “There are billions of people in China,” he says. Quite simply, the market is huge and getting bigger.

Konstantin Sapronov, security researcher, Kaspersky Lab

One of the biggest players in the Chinese infosec market, and with pretensions to become even bigger, is Kaspersky Lab – or more specifically, Kaspersky Lab China. Security researcher Konstantin Sapronov explained the importance of the Chinese security market. “Jia Juan,” he said, “the vice general manager of the Research Centre for Software and Information Service Industries at CCID Consulting[2], has said that the size of the information security product market reached CNY 9.294 billion [USD 1.41 billion; £0.88 billion] in 2009, with a 17.2% rise year on year.” It is predicted to reach a compound annual growth rate of 21.5% in 2011 and 2012. “CCID has further reported,” added Sapronov, “that the market is likely to enter a fast-growing phase in forthcoming years. Its size is estimated to be CNY 16.658 billion [USD 2.53 billion; £1.58 billion] by 2012, and it will enter a growth period after 2012.”

“In terms of the size of the market,” adds Cheung, “well, if you want to grow, China really is a mass market: very vast and very big – and it’s still growing. I think all of the risks are actually manageable. You have to deal with the IP issues, and you have to think about how to protect your IP. But recently we have seen a growth of IP litigation in China, with companies seeking to protect their intellectual property. And when you look at Chinese companies, they are actually very aggressive at filing their patents. Something like 80% of new patents are granted to Chinese local companies rather than foreign companies.

“Is it worth going to China? Yes, it is really worth going to China. You have to manage your risk in China; and you have to understand the culture and how the market operates and what is the competition; and all these things you must understand in order to make the right decisions. Because when China steps onto the world stage it will be the second largest economy in the world. And any major company that does not go to China will be irrelevant within a few decades. So I would say, to keep your business sustainable, you simply have to go to the China market.”

Terry Pudwell, chairman, Assuria

But it’s still a scary place if you’re not an IBM or a Cisco or a Microsoft. What if you’re just a small, albeit thriving, niche security company? An Assuria, a provider of “automated vulnerability assessment, compliance, configuration assurance and log management solutions”, for example? Assuria’s chairman, Terry Pudwell, has had a close look at the market; and has decided, for now at least, not to go in.

“I looked at the possibility of building a channel in the PRC market; but I eventually shied away for a number of reasons. Firstly the IP issue – who knows if there is any real protection at all? Localisation is another issue – your costs are unquantifiable until the right partners can be found. ‘The legal person’ is a whole other area of concern; and the costs and effort required to travel to and build a business in China could be crippling.

“The bottom line I think for us,” he continued, “was that the perception, and it may only be a perception, is that China is too difficult and that there are other, easier markets to try to crack. I eventually decided that the only sensible way to progress in China, for a small company like Assuria, is to work with a major such as IBM!”

That’s what Assuria is doing – working with IBM China to bring its SIM/Log Management product to the PRC market. That might be the solution. If the IBMs of the world have to go to China, the Assurias might be able to go with them.

CCID Consulting Co., Ltd. (SEHK: 8235), a Hong Kong-listed consulting firm
Kaspersky Lab

Categories: All, Security Issues
