“I would have absolutely ended up in jail”  10.10.11

Excerpt from a 1995 Oral History Interview with Steve Jobs:

But it pains me because we do know how to provide a great education. We really do. We could make sure that every young child in this country got a great education. We fall far short of that. I know from my own education that if I hadn’t encountered two or three individuals that spent extra time with me, I’m sure I would have been in jail. I’m 100% sure that if it hadn’t been for Mrs. Hill in fourth grade and a few others, I would absolutely have ended up in jail.

But then, it’s not that hard to end up there, given the depressing incarceration figures in the U.S.

2002 security recommendations not implemented – US Federal cyberattacks 650% up  10.10.11

The Epoch Times on a recent report by the Government Accountability Office:

It found 41,776 cybersecurity incidents in 2010, up from just 5,503 in 2006. The GAO also analyzed the security practices of two dozen federal agencies, and gave recommendations on improving federal cybersecurity in line with the Federal Information Security Management Act of 2002. It noted, however, these implementations were not yet in place.

“An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs,” states the report. “As a result, they have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise.”

“Thou shalt not get caught” (“Du sollst dich nicht erwischen lassen”)  9.10.11

Margarita Mathiopoulos, “Ein Liberales Manifest” (“A Liberal Manifesto”):

It must therefore be the foremost task of Free Democratic politics to uphold a liberal code of values of the civic virtues threatened by decay – decency, morality, honesty, sense of duty, generosity, discipline, diligence – in order to halt the advance of the sins – lust, violence, fraud, lies, vice, selfishness (the 11th commandment “thou shalt not get caught”).

(Found by a diligent VroniPlag contributor)

FBI’s backdoor shopping  9.10.11

While German law enforcement agencies apparently try to build backdoors themselves to wiretap computers, the FBI knocks on doors in Silicon Valley asking for some. Evgeny Morozov in his review of Susan Landau’s book “Surveillance or Security”:

To catch up with the new technologies of malfeasance, FBI director Robert Mueller traveled to Silicon Valley last November to persuade technology companies to build “backdoors” into their products.

From a foreign-policy perspective, the Western security-by-surveillance approach is rather shortsighted, Morozov argues:

Foreign-policy interests—a desire not to empower enemies and autocratic regimes—should shape this agenda as well. But most policymakers in Washington don’t incorporate global concerns into highly technical domestic debates about seemingly obscure issues of surveillance law.

Morozov was featured in a pretty interesting, visually innovative TV documentary aired in late September by the Dutch channel vpro.nl. It includes some good rants.

Sovereign’s code  9.10.11

The Chaos Computer Club published an analysis, along with the binaries, of the German lawful interception malware intended to intercept computer-based phone calls.

They discovered some unlawful feature bloat that potentially turns the legal eavesdropping malware into an extra-legal, full-blown surveillance tool:

The government malware can, unchecked by a judge, load extensions by remote control, to use the trojan for other functions, including but not limited to eavesdropping. (…) [I]t is possible to watch screenshots of the web browser on the infected PC – including private notices, emails or texts in web based cloud services.

As so often with malware out there, the communication between the malware and its command layer is poorly designed and leaves third parties an opportunity to take over the malware.

The analysis also revealed serious security holes that the trojan is tearing into infected systems. The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected.

CCC’s 20-page analysis concludes (translated from the German original):

“We are highly delighted that no apt expert could be won over for this morally questionable operation…”

Merkel might want to ask Putin next time.
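To make that last point concrete, here is a small added example of my own (not CCC’s code, and not the trojan’s actual protocol; the command framing, the session key and the sample commands are all constructed for illustration). It puts a plaintext, unauthenticated command channel, which any third party on the path can forge at will, next to the same channel carrying an HMAC-SHA256 tag and a monotonic counter, so that forged, tampered and replayed commands get rejected:

```python
import hashlib
import hmac
import json
import struct

# Constructed toy command framing for illustration only; this is NOT the
# Staatstrojaner's real protocol, and the commands below are made up.

MAC_LEN = 32  # SHA-256 output length


def encode_unauthenticated(cmd: dict) -> bytes:
    """Weak design: plaintext JSON with no MAC, as the CCC describes."""
    return json.dumps(cmd, sort_keys=True).encode()


def decode_unauthenticated(frame: bytes) -> dict:
    """The receiver accepts anything that parses; it cannot tell who sent it."""
    return json.loads(frame)


def forge_unauthenticated(observed: bytes, action: str, arg: str) -> bytes:
    """A third party that saw one frame on the wire can craft an arbitrary new one."""
    cmd = decode_unauthenticated(observed)
    cmd["action"] = action
    cmd["arg"] = arg
    return encode_unauthenticated(cmd)


def encode_authenticated(key: bytes, counter: int, cmd: dict) -> bytes:
    """Hardened framing: counter || payload || HMAC-SHA256(key, counter || payload)."""
    header = struct.pack(">Q", counter)
    payload = json.dumps(cmd, sort_keys=True).encode()
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class AuthenticatedReceiver:
    """Rejects frames with a bad MAC (forged/tampered) or a stale counter (replayed)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def decode(self, frame: bytes):
        if len(frame) < 8 + MAC_LEN:
            return None
        header, payload, tag = frame[:8], frame[8:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong key or modified bytes
        (counter,) = struct.unpack(">Q", header)
        if counter <= self.last_counter:
            return None  # replay of an old frame
        self.last_counter = counter
        return json.loads(payload)


def demo():
    """Returns (what the weak receiver accepts, genuine, tampered, replayed)."""
    # Weak channel: an observer rewrites a benign command into a module load.
    observed = encode_unauthenticated({"action": "record_audio", "arg": "30s"})
    forged = forge_unauthenticated(observed, "load_module", "screengrab.dll")
    weak_accepts = decode_unauthenticated(forged)

    # Hardened channel with a constructed per-session key shared out of band.
    key = bytes(range(32))
    rx = AuthenticatedReceiver(key)
    genuine = encode_authenticated(key, 1, {"action": "record_audio", "arg": "30s"})
    accepted = rx.decode(genuine)
    tampered = bytearray(genuine)
    tampered[8] ^= 0x01  # flip one bit of the payload
    rejected_tampered = rx.decode(bytes(tampered))
    rejected_replay = rx.decode(genuine)  # same counter presented again
    return weak_accepts, accepted, rejected_tampered, rejected_replay


if __name__ == "__main__":
    print(demo())
```

Note that encryption alone would not close this hole: a receiver that decrypts but never verifies a tag still acts on whatever decrypts, which is why the CCC lists the missing authentication and integrity protection separately from the weak encryption.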

FAZ, “Der deutsche Staatstrojaner wurde geknackt” (“The German state trojan has been cracked”)

CCC, “Analyse einer Regierungs-Malware” (“Analysis of a government malware”)

Frank Rieger, FAZ, “Anatomie eines digitalen Ungeziefers” (“Anatomy of a digital vermin”)

Vision applied  6.10.11

Apple WWDC ’97, Steve Jobs’ closing keynote. So full of stunning insights and vision that it’s impossible to give a single quote. Except possibly:

To focus is saying ‘no’.

Compare those 1997 ideas with their implementation. Stunning.

Microsoft shares some lessons from the Least Malware Infected Countries in the World  4.10.11

Microsoft’s Trustworthy Computing product manager, Tim Rains, observed that a number of countries had been doing particularly well in Microsoft’s annual Security Intelligence Report. So Microsoft asked its local teams for the likely reasons behind the stats.

Answer from Austria by Leon Aaron Kaplan, CERT.at:

“We believe the low piracy rate, combined with a generally strict IT security enforcement of ISPs and the fact that updates are quickly installed due to fast Internet lines (broadband, cable connection) forms a basis for the generally low infection score in Austria.”

Answer from Finland by Erka Koivunen, CERT.fi: skills and tools, admin culture, regulatory environment. On regulation:

There are clear and pragmatic provisions in Finnish legislation granting network admins the right (and at times an obligation) to defend their networks and interconnected IT systems against breaches of technical information security…. The rules start with administrative engagement: appointing responsible network security admins and the so-called abuse helpdesks to handle complaints is mandatory. The more technical stuff includes provisions such as exercising what we call “address hygiene” in core networks (e.g., filtering spoofed and source-routed packets) and restricting broadband subscribers’ ability to send spam or participate in denial-of-service attacks. There is also a requirement for ISPs to inform their subscribers about the possible dangers of the Internet and ways to mitigate them. As a side effect, this has greatly boosted the purchase of security software by private consumers.

Microsoft’s local Chief Security Advisor in Finland adds: a community of peers in the public and private sectors, and educated users.

Lessons from Germany and Japan.

Summing up:

1. There exist strong public-private partnerships that enable proactive and response capabilities
2. CERTs, ISPs and others actively monitoring for threats in the region enable rapid response to emerging threats
3. An IT culture in which system administrators respond rapidly to reports of system infections or abuse is helpful
4. Enforcement policies and active remediation of threats by quarantining infected systems on networks in the region are effective
5. Regional education campaigns and media attention that help improve the public’s awareness of security issues can pay dividends
6. Low software piracy rates and widespread usage of Windows Update/Microsoft Update have helped keep infection rates relatively low

Organisations going social  3.10.11

Tim Yeaton on mashable.com. Let’s ignore the fact that the article is a piece of journalism in which the author implicitly praises his own line of business.

Another pivotal change is the fact that enterprise IT organizations are now discovering the need to “go social” and join communities as a strategy for leveraging and using more open source software, especially mission-critical components. This significant trend reflects the reality that open source use is becoming a competitive requirement. Even within the firewall of an enterprise, the trend toward collaborative development to share best practices, facilitate code reuse, and enhance developer productivity is escalating rapidly. …

While social development isn’t a challenge for Gen Y developers, it still presents management challenges for enterprises, especially larger ones. Moving at web speed and using social tools still requires some adjustment. For example, new college hires expect to be community participants, yet large enterprises may not be comfortable with this level of transparency. Although open source projects are based on the notion of transparency, collaboration and meritocracy, some corporate policies may prohibit or limit this philosophy, just like some corporate cultures may resist the trend toward openness in development.

Abstracting from software development: we’ll observe that functional units of larger organisations increasingly connect with distinct communities and attempt to reap the fruits of those communities. The trick is to identify your organisation’s gems and me-too’s, so as to achieve the maximum degree of openness without compromising your business model.

Meritocracy in anonymous systems?  2.10.11

Anonymous utilises meritocracy, Max Halupka and Cassandra Star argue. An excerpt from the abstract:

Anonymous employs aspects of meritocracy in formulating collective decisions. With all members utilising the same user-name, individualism is nonexistent. As such, the merit of an argument is based solely on its content as opposed to a pre-constructed perception of the individual and their perceived history or standing in the group. Furthermore, an individual’s mastery of the group’s culture denotes their involvement within the community and the level of their understanding in relation to its founding ideology.

That’s gibberish. Meritocracy inherently requires the ability to identify a person, or at least an online persona. Meritocracy is about an individual achieving reputation over time through certain actions, measured against the expectations and interests of the distinguishing group, and about the group transferring authority to that reputable person. But if all individuals run around in Guy Fawkes masks and call themselves Anonymous, how do you tell the reputable person apart from the schmucks? Well, they have their leaders du jour, who lead ad hoc and thereby rise through the structureless and leaderless ranks and achieve authority.

Anonymous though should not be considered a true example of a meritocracy. We argue that Anonymous utilises elements of meritocracy within its democratic decision making process, specifically the concept of merit. These elements are drawn upon to construct an ad hoc hierarchy, filter community communications and dictate an individual’s level of involvement in the creation of multimedia pertaining to a specific cause. …

Comments which are seemingly better informed have the potential, in this instance, to influence the opinions and direction of the community as a whole as opposed to those which denote a presence of ignorance or unrealistic expectations.

Is a system that allows someone to take the lead ad hoc, based on superior skills, a meritocracy? There are similarities, but I doubt it’s a meritocratic system.

Cyber crime rate escalating, says Department of Homeland Security  2.10.11

The art of statistics – more calls, more cyber:

The Homeland Security Department (DHS) of the U.S. has said that the number of cybercrimes has risen sharply as compared to previous records. The DHS said that the cyber experts working on the Control System Security Program have tackled 342 requests for assistance so far this year, while the number of such requests in 2010 was only 116, and that it has deployed the Emergency Response Team seven times this year as compared to only once or twice in previous years.