My news stories on Infosecurity Magazine yesterday:
2012 : Expect DDoS botnets to be smaller, more effective and more of them!
A new analysis of DDoS attacks in the second half of 2011 predicts smaller-sized but increased numbers of specialist DDoS botnets.
28 February 2012
M2M presents new security risks that require new security solutions
We are entering a brave new world of machine to machine (M2M) technology. We know it. We have concerns about it. But are we ready for it?
28 February 2012
Gatekeeper – a new security feature or a walled garden for OSX?
Apple’s OSX 10.8 Mountain Lion due this summer will contain a new feature called Gatekeeper. Opinions vary on whether it is a genuine security feature or the cornerstone of a new walled garden.
28 February 2012
I see that various police forces have arrested 25 (and counting?) alleged members of Anonymous – although I’m not sure how you can be a member of something that doesn’t exist. Anonymous says it is an idea rather than an organization. Well, I have certain sympathies with some of the political protests of Anonymous (not all, I have to say, but certainly some). Does that make me a member of the Anonymous idea? Well, I hope The Law, which increasingly seems to be a law unto itself, doesn’t think so.
Anyway, here’s my predictions:
- we will see more arrests in more countries as those that have been arrested are investigated and the confiscated computers examined
- we will see more effective Anonymous retaliatory strikes against law enforcement websites (more effective than the very brief DDoS disruption of the Interpol site yesterday)
- the majority of those arrested will be released; but a hard core will be prosecuted vigorously for purposes of deterrence
We shall see…
My news stories on Infosecurity Magazine yesterday:
Mac users – you’re not a safe as you think
The Mac Flashback trojan installs itself by either using one of two Java vulnerabilities, or via a social engineering trick that gets the user to install it.
27 February 2012
Harriet Harman urges warning letters and site blocking
The Digital Economy Act (DEA), introduced by Lord Mandelson and rushed through parliament as one of the last acts of the New Labour administration in a process known as ‘wash-up’, is on the statute books, but is not yet enforced.
27 February 2012
OACP website hacked in protest against Canadian Bill C-30
The OACP website currently displays a simple message: “Ontario Association of Chiefs of Police – UNDER MAINTENANCE”
27 February 2012
I love it when I get to disagree with the luminaries – and they don’t come much more luminous than Bruce Schneier. But to the point… He was interviewed about ‘trust’ by The Browser, and posts the outcome on his own site here: Liars and Outliers: Interview on The Browser.
“Security exists to facilitate trust,” he says. “Trust is the goal, and security is how we enable it.”
I don’t see it. Trust is an intangible: it can be neither seen, nor touched nor measured. It is unquantifiable – it can only be felt in a subjective, relative manner. But if we cannot measure it, we cannot prove whether we have it or not. So if Schneier is right, the purpose of security is to provide belief in something we cannot prove – it is to persuade us that we have something that we may or may not have. If the purpose of security is ultimately unprovable, it is ultimately meaningless: its only effect is to give us a belief in something that may or may not, like Schrödinger’s cat, actually have legs.
I see Schneier’s relationship between security and trust more like the relationship between preachers and God: the preachers are there to try to prove the unprovable – the existence of God. Many of us believe in God just like many of us have trust. That doesn’t mean that either is valid. Ultimately, trust provided by security is just as much a blind unprovable leap of faith as is belief in God provided by preachers. Personally, I am atheist: I don’t believe the preachers. And I don’t trust, because security is a circular argument signifying nothing.
I wrote about the March 8 deadline for remaining DNSChanger victims to get clean or lose their internet in Infosecurity Magazine: DNSChanger poses a new threat to its victims.
But I had two late comments from anti-virus people currently in the States and separated by the trans-Atlantic time difference. They both echo Graham Cluley of Sophos’ comment that “if this is the only way to wake the affected users into sorting out the problem, so be it.”
Panda Labs’ Luis Corrons used remarkably similar language. “At least this will make affected people react and secure their computers,” he told me.
And ESET’s David Harley said, “Pragmatically, I don’t have a problem with this: law enforcement doesn’t have a specific responsibility for maintaining service for infected machines.”
But reading between the lines, I suspect that any anger is really directed not at the infected users being apathetic with their own security, but that the nature of the infection makes further infection likely. Such users are being apathetic with other users’ security; and that’s really not on.
Yesterday, with great fanfare and trumpets, President Obama announced he was looking after his people and protecting their privacy. “American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online,” he announced. And he gave them an Online Bill of Rights. It’s not quite a We the People moment; but it’s probably not a bad election speech.
And true to form, the EU immediately jumped in with ‘it was our idea, guv’. “USA jumps aboard the ‘Do-Not-Track’ standard” screams Neelie Kroes in her latest blog. “Good news today as the White House supports efforts for online service providers and web browsers to implement a ‘do not track standard’ – just as we have been doing here in the EU.”
But if there is one thing I have learnt about government announcements and reports, it is simply do not place too much credence on the apparent suggestions in the headlines and major paragraphs. The devil, and government always has a pandaemonium of devils, is in the detail. In this instance I simply point to a Washington Post analysis: Web privacy guidelines viewed as ‘win’ for Google.
After a year of negotiations, the White House on Thursday unveiled privacy guidelines for these firms that urged them to install “do not track” technology on browsers but fell short of requiring it. Tech giants, in particular Google, breathed a sigh of relief. They would agree to curb some tracking activities, but it would largely be on their terms and wouldn’t hobble their cash cow.
I’ve written about the new House of Commons report on the electro-magnetic pulse threat on Infosecurity Magazine: The Electro-Magnetic Pulse threat to national infrastructures.
But lookee here:
However, certain states such as Iran could potentially pose a realistic threat in the future, even if it does not currently do so, if nuclear non-proliferation efforts are not successful.
The grammar’s wrong. And House of Commons Committees don’t get their grammar wrong.
But remove ‘such as Iran’ and ‘even if it does not currently do so’, and the grammar’s good again:
However, certain states could potentially pose a realistic threat in the future if nuclear non-proliferation efforts are not successful.
Added later? Affirming the specific nuclear threat from Iran? Politicking in action?
The Pirate ship must sail into the sunset – but if you believe that you must be as inept as our politicians
The music industry has won its case against the ISPs in the High Court. Of course, it wasn’t targeted at the ISPs (they didn’t ‘defend’ themselves), it was targeted at The Pirate Bay. The music industry wants the ISPs to block access to The Pirate Bay (I’ve written about it on Infosecurity Magazine: It is confirmed: The Pirate Bay is a pirate). They’ve won, and TPB will almost certainly be blocked by UK ISPs come this summer.
It’s all very contorted logic and all pretty pointless. The Pirate Bay doesn’t host the files in question; so how are they logically guilty of breaching copyright? It is because they facilitate and even encourage the act. But how is that really different from a motor manufacturer who advertises, boasts about, and sells a motor car capable of exceeding the legal speed limit? Is the motor industry equally guilty of facilitating and encouraging breaches of the speeding laws?
The ISPs absented themselves from the argument. Their position is that they will do what they’re told. That’s sad. I had hoped that they would fight tooth and nail for their customers. I used Pirate Bay just recently to look at a copy of the supposed correspondence between Symantec and the pcAnywhere hacker. As a journalist, I didn’t merely have a right to do that, I had a duty to do that – so I don’t believe I broke the law in doing it, nor that TPB broke the law in allowing me to do that. But lawful use of TPB by lawful users is going to be penalised because of the unlawful acts of copyright infringers downloading from somewhere else.
It’s just that TPB is the easy target. Prosecuting individual downloaders is more difficult and more expensive even if more logical. So instead, the solution is to prevent everyone, lawful and unlawful, gaining access to TPB for both lawful and unlawful purposes. When you use a sledgehammer to crack a walnut, you generally end up smashing the nut as well as the shell.
And, as I said, it’s all so pointless. Righard Zwienenberg, a senior research fellow with ESET in The Netherlands, gave me the Dutch experience.
In The Netherlands, he told me, two of the largest ISPs, Ziggo and XS4All, are required by court order to block TPB. They are appealing (which is more than I can say for the music industry – or even the UK lilly-livered ISPs; but I digress). For now, the blockade stays on PirateBay.org and its (pre-listed) IP numbers. Smaller ISPs were pressured to join the blockade, but declined.
“And of course,” says Righard, “the block does not work.” Using a foreign proxy or TOR will simply bypass the blockade. “We also suddenly have PirateBay.nl, PiratenBay.nl/org, and others that are all identical copies of the original PirateBay.org, and that are not blocked as they do not belong to PirateBay.org. So their IP numbers do not fall under the verdict of the court.”
Righard believes that this sort of action does little to help prevent piracy, and nothing to promote the music industry. “There are so many other Torrent sites to use. And the site itself does not carry any illegal content. It’s more like the ads section of a newspaper. If I want to sell my old vinyl records, will the newspaper first check if they are not stolen? If I want to sell music tapes, will they check if they are original or copies?”
The threat to our society comes more from our own governments than from terrorists. Terrorism is scary – but just look at the facts. More people die crossing the road every day than from ‘terrorists'; but there is no attempt to stop us crossing the road. There are some light regulations and lots of advice, but no heavy-handed restrictions or surveillance. So why the internet?
In the name of terrorism and other scary things like copyright our democratic governments are beginning to act like fascist dictatorships – and I don’t think that is an extreme description. Consider this last month. In New Zealand two helicopters landed on a private lawn. Armed ‘policemen’, instructed by the FBI, invaded the property and broke into a panic room in which sheltered the suspect and his family – including his pregnant wife. The crime? Suspected copyright infringements.
Last week the UK’s Serious Organised Crime Agency (SOCA) took down rnbxclusive, a music sharing website, and posted a laughably histrionic warning (which Boing Boing points out is more like a phisher’s message than an LEA notice). Again, the crime is copyright. A bright red message warns downloaders that they are breaching criminal law and subject to 10 years in prison. It talks about fraud and delivers the music industry’s propaganda.
Looking at this in detail, I understand that ‘downloading’ is a civil offence, not a criminal offence. That means that downloaders are being considered as part of the conspiracy to defraud, which would be a criminal offence. But as a highly respected UK lawyer told me, “I think that the claim that a downloader is, as such, entering into a conspiracy with a site operator is far-fetched to the point of approaching absurdity.”
And just yesterday it emerged that UK ISPs are going to be forced to retain details of who we email and who emails us and where we go on the internet for every one of us for at least a year for MI5 inspection. In short, the government has blanket surveillance on all of us without requiring any judicial oversight – in the name of fighting terrorism.
Quite simply, when governments behave like this, what are they trying to defend? It is no longer a society or culture or belief system that is worth any pride. Governments are destroying our society far faster and more effectively than terrorism ever will.
Somebody said to me, “What do you think about SOCA taking down rnbxclusive?” I knew nothing about it – so I went and had a look. This is what I found.
The IP address simply resolves to my ISP. But given the noted time, SOCA can now require from that ISP details of who, that is, me, was using that address at the time. Gotcha.
And look at what they threaten. “You may be liable for prosecution and the fact that you have received this message does not preclude you from prosecution.” I am being threatened by SOCA.
Now you could say that the threat pertains to the message in red: “If you have downloaded music using this website…” But the layout separates the two. The implication is that the two sentences are not directly connected. It is a pure, blatant threat designed to frighten me, and any other visitor. And it stinks.
The next sentence is even more illuminating. “As a result of illegal downloads young, emerging artists may have had their careers damaged. If you have illegally downloaded music you will have damaged the future of the music industry.” That is not a statement from a law enforcement agency; that is a statement from the music industry. And, needless to say, I know more genuine experts who would disagree with this claim than I know of music ‘experts’ who would support it. What is SOCA doing disseminating music industry propaganda?
I am not alone in my concerns. Nick Pickles, director of privacy and civil liberties campaign group Big Brother Watch, comments, “It is fair to question whether the involvement of SOCA has diverted resources from investigating serious public threats such as people trafficking, drug importation and gun running and it is laughable to suggest that anyone downloading a few songs from a music blog constitutes organised crime.”
SOCA, remember, is the Serious Organized Crime Agency.
I will go one step further. This is the future of the internet for everyone if we allow ACTA to be ratified. We will see more and more notices like this pertaining to anything that governments and rightsholders don’t like. It is the beginning of the censorship of the internet. We’ve already got it in the UK courtesy of the absurd Digital Economy Act. So the world must stop ACTA now, and the UK must repeal DEA now.