“I would have absolutely ended up in jail”  10.10.11

Excerpt from a 1995 Oral History Interview with Steve Jobs:

But it pains me because we do know how to provide a great education. We really do. We could make sure that every young child in this country got a great education. We fall far short of that. I know from my own education that if I hadn’t encountered two or three individuals that spent extra time with me, I’m sure I would have been in jail. I’m 100% sure that if it hadn’t been for Mrs. Hill in fourth grade and a few others, I would absolutely have ended up in jail.

But then, it’s not that hard with these irritating incarceration figures in the U.S.

2002 security recommendations not implemented – US Federal cyberattacks 650% up  10.10.11

The EpochTimes on a recent report of the Government Accountability Office:

It found 41,776 cybersecurity incidents in 2010, up from just 5,503 in 2006. The GAO also analyzed the security practices of two dozen federal agencies, and gave recommendations on improving federal cybersecurity in line with the Federal Information Security Management Act of 2002. It noted, however, these implementations were not yet in place.

“An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs,” states the report. “As a result, they have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise.”

“Thou shalt not get caught”  9.10.11

Margarita Mathiopoulos, “Ein Liberales Manifest”:

It must therefore be the most urgent task of free-democratic politics to uphold a liberal code of values of the bourgeois virtues threatened by decay – decency, morality, honesty, sense of duty, generosity, discipline, diligence – in order to halt the advance of the sins – lust, violence, fraud, lies, vice, selfishness (the 11th commandment, “thou shalt not get caught”).

(Found by an eager VroniPlag contributor)

FBI’s backdoor shopping  9.10.11

While German LEAs apparently try to create backdoors themselves to wiretap computers, the FBI knocks on doors in Silicon Valley asking for some backdoors. Evgeny Morozov in his review of Susan Landau’s “Surveillance or Security” book:

To catch up with the new technologies of malfeasance, FBI director Robert Mueller traveled to Silicon Valley last November to persuade technology companies to build “backdoors” into their products.

From a foreign-policy perspective, the Western security-by-surveillance approach is rather shortsighted, Morozov argues:

Foreign-policy interests—a desire not to empower enemies and autocratic regimes—should shape this agenda as well. But most policymakers in Washington don’t incorporate global concerns into highly technical domestic debates about seemingly obscure issues of surveillance law.

Morozov was featured in a pretty interesting, visually innovative TV documentary in late September by Dutch channel vpro.nl. Includes some good rants.

Sovereign’s code  9.10.11

Chaos Computer Club published an analysis and the binaries of the German lawful interception malware intended to intercept computer-based phone calls.

They discovered some unlawful feature bloat, potentially turning the legal eavesdropping malware into an extra-legal full-blown surveillance tool:

The government malware can, unchecked by a judge, load extensions by remote control, to use the trojan for other functions, including but not limited to eavesdropping. (…) [I]t is possible to watch screenshots of the web browser on the infected PC – including private notices, emails or texts in web based cloud services.

As so often with malware out there, communication between the malware and the command layer is poorly designed and leaves opportunities for third parties to take over the malware.

The analysis also revealed serious security holes that the trojan is tearing into infected systems. The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected.

CCC’s 20-page analysis concludes (translated, orig. German):

“We are highly delighted that no apt expert could be won over for this morally questionable operation…”

Merkel might want to ask Putin next time.

FAZ, “Der deutsche Staatstrojaner wurde geknackt”

CCC, “Analyse einer Regierungs-Malware”

Frank Rieger, FAZ, “Anatomie eines digitalen Ungeziefers”

Vision applied  6.10.11

Apple WWDC ’97 Steve Jobs Closing Keynote. So full of stunning insights and vision that it’s impossible to give a single quote. Except possibly:

To focus is saying ‘no’.

Compare those 1997 ideas with their implementation. Stunning.

Microsoft shares some lessons from the Least Malware Infected Countries in the World  4.10.11

Microsoft’s Trustworthy Computing product manager, Tim Rains, observed that a number of countries had been doing particularly well in Microsoft’s annual Security Intelligence Report. So they asked their local teams for potential reasons behind the stats.

Answer from Austria by Leon Aaron Kaplan, CERT.at:

“We believe the low piracy rate, combined with a generally strict IT security enforcement of ISPs and the fact that updates are quickly installed due to fast Internet lines (broadband, cable connection) forms a basis for the generally low infection score in Austria.”

Answer from Finland by Erka Koivunen, CERT.fi: skills and tools, admin culture, regulative environment. On regulation:

There are clear and pragmatic provisions in Finnish legislation granting network admins the right (and at times an obligation) to defend their networks and interconnected IT systems against breaches of technical information security…. The rules start with administrative engagement: appointing responsible network security admins and the so-called abuse helpdesks to handle complaints is mandatory. The more technical stuff includes provisions such as exercising what we call “address hygiene” in core networks (e.g., filtering spoofed and source-routed packets) and restricting broadband subscribers’ ability to send spam or participate in denial-of-service attacks. There is also a requirement for ISPs to inform their subscribers about the possible dangers of the Internet and ways to mitigate them. As a side effect, this has greatly boosted the purchase of security software by private consumers.

Microsoft’s local Chief Security Advisor in Finland adds: a community of peers in public and private sectors, educated users.

Lessons from Germany and Japan.

Summing up:

1. There exist strong public-private partnerships that enable proactive and response capabilities
2. CERTs, ISPs and others actively monitoring for threats in the region enable rapid response to emerging threats
3. An IT culture where system administrators respond rapidly to reports of system infections or abuse is helpful
4. Enforcement policies and active remediation of threats via quarantining infected systems on networks in the region are effective
5. Regional education campaigns and media attention that help improve the public’s awareness of security issues can pay dividends
6. Low software piracy rates and widespread usage of Windows Update/Microsoft Update have helped keep infection rates relatively low

Organisations going social  3.10.11

Tim Yeaton on mashable.com. Let’s ignore the fact that this article is a piece of journalism in which the author implicitly praises one of his business outlets.

Another pivotal change is the fact that enterprise IT organizations are now discovering the need to “go social” and join communities as a strategy for leveraging and using more open source software, especially mission-critical components. This significant trend reflects the reality that open source use is becoming a competitive requirement. Even within the firewall of an enterprise, the trend toward collaborative development to share best practices, facilitate code reuse, and enhance developer productivity is escalating rapidly. …

While social development isn’t a challenge for Gen Y developers, it still presents management challenges for enterprises, especially larger ones. Moving at web speed and using social tools still requires some adjustment. For example, new college hires expect to be community participants, yet large enterprises may not be comfortable with this level of transparency. Although open source projects are based on the notion of transparency, collaboration and meritocracy, some corporate policies may prohibit or limit this philosophy, just like some corporate cultures may resist the trend toward openness in development.

Abstracting from software development: We’ll observe that functional units of larger organisations increasingly merge with distinct communities and attempt to reap the fruits of these communities. The trick is to identify your organisation’s gems and me-too’s to achieve the maximum degree of openness without compromising your business model.

Meritocracy in anonymous systems?  2.10.11

Anonymous utilises meritocracy, Max Halupka and Cassandra Star argue. An excerpt from the abstract:

Anonymous employs aspects of meritocracy in formulating collective decisions. With all members utilising the same user-name, individualism is nonexistent. As such, the merit of an argument is based solely on its content as opposed to a pre-constructed perception of the individual and their perceived history or standing in the group. Furthermore, an individual’s mastery of the group’s culture denotes their involvement within the community and the level of their understanding in relation to its founding ideology.

That’s gibberish. Meritocracy inherently requires the ability to identify a person or at least an online persona. Meritocracy is about achieving reputation over time by certain actions of the reputable individual and the expectations and interests of the distinguishing group and the transfer of authority to the reputable person by the group. But if all individuals run around in Guy Fawkes masks and call themselves Anonymous, how do you tell the reputable person apart from the schmucks? Well, they have their leaders du jour who lead ad hoc and thereby rise through the structureless and leaderless ranks and achieve authority.

Anonymous though should not be considered a true example of a meritocracy. We argue that Anonymous utilises elements of meritocracy within its democratic decision making process, specifically the concept of merit. These elements are drawn upon to construct an ad hoc hierarchy, filter community communications and dictate an individual’s level of involvement in the creation of multimedia pertaining to a specific cause. …

Comments which are seemingly better informed have the potential, in this instance, to influence the opinions and direction of the community as a whole as opposed to those which denote a presence of ignorance or unrealistic expectations.

Is a system that allows for taking the lead ad-hoc based on superior skills a meritocracy? There are similarities, but I doubt it’s a meritocratic system.

Cyber Crime rate escalating, says Department of Homeland Security  2.10.11

The art of statistics – more calls, more cyber:

Homeland Security Department (DHS) of the U.S. has said that the number of cybercrimes has sharply risen as compared to previous records. The DHS said that the cyber experts working on the Control System Security Program have tackled 342 requests for assistance so far this year, while the number of such requests in 2010 was only 116, deploying the Emergency Response Team seven times this year as compared to only once or twice in previous years.

Amazon’s Silk – security by sniffing?  2.10.11

Om Malik asks David Ulevitch, CEO of OpenDNS and facilitator of phishtank.com, about his view of Amazon’s Silk browser. Next to the optional classic end-to-end browsing mode, the browser can route all the traffic via Amazon’s cloud machines to “optimize and accelerate the delivery of web content” (Amazon Silk FAQ) and to “troubleshoot and diagnose Amazon Silk technical issues” (Amazon Silk Terms and Conditions). David replies:

I think it’s brilliant. Not sure if people are wary of Amazon doing it since they will see all your traffic but SOMEONE should be doing this. Performance is one reason, but security benefits could be added too. Ultimately I think the idea of decoupled browsing makes a lot of sense. I’d rather a remote exploit run in a VM in the cloud instead of compromising my mobile device and rooting my phone.

While there is some ambiguity in Ulevitch’s wording, my interpretation is that he supports the idea of centralised access points for web surfing end users, which function as a kind of content washing machine deleting malware, phishing sites and similarly insecure web content.

Will the sanitizers coalesce with the privatizers? Chris Espinoza:

The “split browser” notion is that Amazon will use its EC2 back end to pre-cache user web browsing, using its fat back-end pipes to grab all the web content at once so the lightweight Fire-based browser has to only download one simple stream from Amazon’s servers. But what this means is that Amazon will capture and control every Web transaction performed by Fire users. Every page they see, every link they follow, every click they make, every ad they see is going to be intermediated by one of the largest server farms on the planet.

Fire isn’t a noun, it’s a verb, and it’s what Amazon has done in the targeted direction of Google. This is the first shot in the new war for replacing the Internet with a privatized merchant data-aggregation network.

And what does this passage from Amazon’s Silk FAQ mean:

What about handling secure (https) connections?
We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL (e.g. https://example.com).

John Healey on discussions about an international internet security treaty  1.10.11

Irrespective of David Eaves’ speculations about the underlying motives of the U.S., UK and the remaining Open Government Partnership cosigners, internet security certainly is a subfield of strategic foreign policy thinking. On the Atlantic Council website, John Healey has summed up the current status of the discussions about a cybersecurity treaty, in particular the Sino-Russian UN proposal for an “International Code of Conduct for International Security”. Healey quotes an excerpt addressing Twitter revolutions (Russia’s and China’s noospheric soft belly) …

The Russian and Chinese proposal asks for nations to pledge to
… prevent other states from using their resources, critical infrastructures, core technologies or other advantages, to undermine the rights of other countries … to independent control of ICTs, or to threaten other countries’ political, economic and social security.

… and then points at the omission of paragraphs on patriotic hackers (a kind of unlawful cyber combatant posing asymmetric risks for the West):

Any UN voluntary code should include a pledge by nations to control patriotic hackers, militias, or other groups that are ignored, encouraged, or even supported by governments. This has been a scourge of modern cyber conflict and is a lead cause of instability in cyberspace, helping to escalate crises. And Russia and China are the particular sponsors of such groups as seen in Estonia and Georgia (Russia) and against the United States after Hainan Island incident and bombing of the Beijing embassy in Belgrade (China).

(Annotation: In Germany, courts have ruled human-bot-driven DDoS attacks legal and likened them to likewise legal sit-ins, which block traffic from and to property in the physical world.)

Update: The Council of Foreign Relations has a blog entry – alas too short – on the Chinese perspective of the geopolitics in cyberspace.

But taken together with China’s proposed International Code of Conduct for Information Security, they suggest that some observers in China feel that the United States has gained momentum in cyberspace with the introduction of the International Strategy for Cyberspace and the DoD Strategy for Operating in Cyberspace.

“round the clock Internet surveillance”?  30.9.11

African news outlet coastweek.com reports from the ongoing Internet Governance Forum:

According to International Telecommunications Union (ITU) Secretary General Hamadoun Toure, governments should put in place round the clock Internet surveillance to prevent cyber-crime.

Toure called for the need for governments and the private sector to enter into partnership to ensure measures to guard Internet users in order to realize the full benefits of information technology growth.

Has Touré really called for “round the clock Internet surveillance”?

Anyhow, the design of coastweek.com makes me feel 15 years younger.

The Geopolitics of Openness  30.9.11

Interesting argument by David Eaves regarding the Open Government Partnership:

The OGP is part of a 21st century containment policy. And I’d go further, it is an effort to forge a new axis around which America specifically, and a broader democratic camp more generally, may seek to organize allies and rally its camp. (…)

Who is being contained? [China, Iran, Russia, Saudi Arabia, Pakistan] (…)

It’s no trivial coincidence that on the day of the OGP launch the President announced the United States’ first fulfilled commitment would be its decision to join the Extractive Industries Transparency Initiative (EITI). (…)

This is America essentially signalling to African people and their leaders – do business with us, and we will help prevent corruption in your country. We will let you know if officials get paid off by our corporations.

More data would certainly help to substantiate the argument, which in its current state is absorbing, but not compelling.

It would be interesting to link strategic US foreign policy thinking to ‘openness’ in governance – I’m thinking of, e.g., Anne-Marie Slaughter’s recent Foreign Affairs article, in which she proposed for the U.S. to take the role of a central node in a highly networked and, governance-wise, deconstructed world. The OGP could be one element in the operationalisation of this strategy.

Symantec’s latest report on its beloved billion-dollar baby  29.9.11

431 million adults, $388 bn, marijuana, cocaine, heroin – cybercrime adds up to just an EFSF per year according to the folks at Symantec:

For the first time a Norton study calculates the cost of global cybercrime: $114 billion annually. Based on the value victims surveyed placed on time lost due to their cybercrime experiences, an additional $274 billion was lost. With 431 million adult victims globally in the past year and at an annual price of $388 billion globally based on financial losses and time lost, cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion).

The research methodology:

Findings are extrapolations based upon results from a survey conducted in 24 countries among adults 18-64. The financial cost of cybercrime in the last year ($114bn) is calculated as follows: Victims over past 12 months (per country) x average financial cost of cybercrime (per country in US currency).

Between February 6, 2011 and March 14, 2011, StrategyOne conducted interviews with 19,636 people, including 12,704 adults aged 18 and over, 4,553 children aged 8-17 years and 2,379 grade 1-11 teachers from 24 countries (Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, New Zealand, Spain, Sweden, United Kingdom, United States, Belgium, Denmark, Holland, Hong Kong, Mexico, South Africa, Singapore, Poland, Switzerland, United Arab Emirates).

20,000 interviews – interviews, not surveys – sounds impressive. With an interview lasting some 15 minutes, that’s 300,000 minutes, or 5000 hrs, or 625 days at 8 hrs a day. You’d need a team of some 15 persons making telephone interviews for two months. Doable, just a few hundred thousand bucks going from Symantec to StrategyOne. But does such firepower help to dig out the truth™?

StrategyOne – Evidence-based communications:

As the strategic research partner of Edelman, the world’s leading independent PR firm, our heritage is in communications research. We understand that useful research informs strategy that engages, persuades, and moves products, minds, and media alike.

As to the methodology of the report, which is by the way not available as a PDF:

  • A list of questions asked is not attached.
  • Definition of cybercrime I: Cybercrime is, among others, defined as: “Computer viruses or Malware appeared on my computer”. (Chapter 7) So a malware attachment in your inbox qualifies as a single incident of cybercrime. No indication about the percentage of such cybercrime incidents vs., say, credit card fraud.
  • Definition of cybercrime II: Which kind of incidents have been reported as “another type of cybercrime on my computer”? What’s the percentage of this category?
  • Calculation of costs I: No indication whether different price bases are used, e.g. for the U.S. versus countries with substantially lower price indices such as India or China.
  • Calculation of costs II: How are non-monetary incidents such as “malware or virus appeared on my computer”, “responding to a smishing message”, “approached by a sexual predator”, “Online Harassment” etc. turned into monetary damages?

Can being exposed to such reports be subsumed under online harassment? We won’t have reliable, sound, unbiased figures on cybercrime and the costs associated with it until a major research endeavour with serious funding spanning institutes in different countries is set up.
SABMiller: Conficker virus cost us £7.2 million  29.9.11

More and more reports on the costs of Conficker have trickled in recently. Here’s another one from the CISO (you know that acronym, right?) of brewery giant SABMiller, producing delicious booze such as Foster’s, Miller, and Grolsch:

“Last April, I had to close down the Romanian operation for four hours because of the Conficker virus. It cost us £7.2 million [the revenue target lost, based on how much the breweries would have produced for sale during that time]”

He sold the halt of the beer production site to his board by arguing

that the effect on the company’s market capitalisation would be far worse if SABMiller had manufactured and sold poisoned stock

Shouldn’t attack vectors for Conficker be barricaded by now? Of course, they could have their corporate network still running on old, un-patched Windows platforms. (Businesses have been strong supporters of the “never change a running system” mantra, though remaining IT vulnerabilities in aged gear challenge this stance.) But “poisoned stock”? Where should that come from? Do they run their beer SCADA systems on machines that would not discover a manipulation of their software stack? Where is the link between Conficker and “poisoned stock”?

DHS, DoC ask for anti-botnet policy input  28.9.11

Joint request by May, Strickling, Beers:

The U.S. Department of Commerce and U.S. Department of Homeland Security are requesting information on the requirements of, and possible approaches to creating, a voluntary industry code of conduct to address the detection, notification and mitigation of botnets. (…) The Departments seek public comment from all Internet stakeholders, including the commercial, academic, and civil society sectors, on potential models for detection, notification, prevention, and mitigation of botnets’ illicit use of computer equipment.

DHS asks for contributions in the following segments: a) Practices To Help Prevent and Mitigate Botnet Infections, b) Effective Practices for Identifying Botnets, c) Reviewing Effectiveness of Consumer Notification, d) Incentives To Promote Voluntary Action To Notify Consumers.

I’ve seen similar public requests for comments in other policy domains of the US political system before. Thus, I’m not sure whether this is as unique as it appears to be from my European perspective.

Currently, Microsoft – and not some state agency – seems to be the botnet take-downer du jour.

Update. Joel Harding with regard to Microsoft’s role in botnet response:

DHS does not have the resources to protect US citizens, US corporations or any other government infrastructure beyond the critical infrastructure. Yet it is their mission to provide Homeland Security. When will DHS step up to the plate and perform their mission? Do we need a Department of Microsoft instead?

Merkel’s Moment, a Schmittian emergency  28.9.11

Margarita Mathiopoulos is with her back to the wall because of her ongoing plagiarism investigation. I guess she’s first among the Transatlanticist wing of the German foreign policy elite to put it that bluntly:

If it fails, the blame will be on Germany. … All eyes are on Berlin. There is a strong, if silent, expectation in European capitals — as in Washington — that Germany will not forget its historic obligation to those who helped it rise out of the ashes of World War II and reunite.

… and pulls a Schmitt (Carl, that is):

First and foremost, Merkel and Sarkozy can and should declare that the euro zone is in a “state of emergency.” This would allow them (…) Although this would require revising the Lisbon Treaty, a state of emergency would make it possible to take action immediately.

…and asks to give the Germans some boots that are not made for walking:

Germany will only agree to the introduction of eurobonds to spread the responsibility for government debt across the euro zone if sinning countries can be punished.

The Digital Public Domain: Relevance and Regulation  28.9.11

Brief, informative literature review by Leonhard Dobusch on the public domain, its conceptualisation, political regulation, and societal relevance. One of Leonhard’s arguments is that we have no systematic model of the real-world phenomena that can be categorised as public domain:

Empirically, however, a systematic ‘map’ of the public domain is still missing. We do not know yet what public domain phenomena have the strongest practical relevance for actors in different fields. (p. 21)

This paper tried to provide a survey of our current scholarly knowledge on these issues, which might function as a starting point for further, particularly empirical investigations of the public domain. (p. 23)

Starting to fill these gaps was presumably one of the motivations for this paper. There is decent empirical research going on in that field, but indeed, we lack a systematic survey. The characteristics of public domain can also be found in empirical phenomena other than public domain or commons. Peer production – kind of a sibling of the aforementioned – might serve as an example.

Noteworthy is the locus dissertatii of this paper, the “1st Berlin Symposium on Internet and Society” hosted by Google’s German science proxy, the Internet & Society Institute at the Humboldt University Berlin, which is to be launched the day before.

Dr .de  22.5.11

In Germany, there appears to be a hidden, implicit, rarely spoken-about two-track system:

  1. the show-off doctorate with little scientific value and
  2. the real scientific doctorate based on dissertations that actually contribute to scientific knowledge.

The show-off doctorate is the product of the high social value of a doctorate in Germany, incompetence, co-optation or naiveté (in dubio pro latter) of supervisors and university bodies conferring doctorates, combined with some trickery of eager climbers. […]