Amazon’s Silk – security by sniffing?  2.10.11

Om Malik asks David Ulevitch, CEO of OpenDNS and facilitator of phishtank.com, for his view of Amazon’s Silk browser. Besides the optional classic end-to-end browsing mode, the browser can route all traffic via Amazon’s cloud machines to “optimize and accelerate the delivery of web content” (Amazon Silk FAQ) and to “troubleshoot and diagnose Amazon Silk technical issues” (Amazon Silk Terms and Conditions). David replies:

I think it’s brilliant. Not sure if people are wary of Amazon doing it since they will see all your traffic but SOMEONE should be doing this. Performance is one reason, but security benefits could be added too. Ultimately I think the idea of decoupled browsing makes a lot of sense. I’d rather a remote exploit run in a VM in the cloud instead of compromising my mobile device and rooting my phone.

While there is some ambiguity in Ulevitch’s wording, my interpretation is that he supports the idea of centralised access points for web-surfing end users, which would function as a kind of content washing machine, scrubbing malware, phishing sites and similarly insecure web content before it reaches the device.

Will the sanitizers coalesce with the privatizers? Chris Espinoza:

The “split browser” notion is that Amazon will use its EC2 back end to pre-cache user web browsing, using its fat back-end pipes to grab all the web content at once so the lightweight Fire-based browser has to only download one simple stream from Amazon’s servers. But what this means is that Amazon will capture and control every Web transaction performed by Fire users. Every page they see, every link they follow, every click they make, every ad they see is going to be intermediated by one of the largest server farms on the planet.

Fire isn’t a noun, it’s a verb, and it’s what Amazon has done in the targeted direction of Google. This is the first shot in the new war for replacing the Internet with a privatized merchant data-aggregation network.

And what does this passage from Amazon’s Silk FAQ mean in practice? Read literally, the TLS session from the device ends at Amazon’s servers, which then open a second one to the site on the user’s behalf; in cloud mode, the content of “secure” pages thus passes through Amazon in the clear:

What about handling secure (https) connections?
We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL (e.g. https://example.com).

John Healey on discussions about an international internet security treaty  1.10.11

Irrespective of David Eaves’ speculations about the underlying motives of the U.S., UK and the remaining Open Government Partnership cosigners, internet security certainly is a subfield of strategic foreign policy thinking. On the Atlantic Council website, John Healey has summed up the current state of the discussions about a cybersecurity treaty, centring on the Sino-Russian UN proposal for an “International Code of Conduct for Information Security”. Healey quotes an excerpt addressing Twitter revolutions (Russia’s and China’s noospheric soft belly) …

The Russian and Chinese proposal asks for nations to pledge to
… prevent other states from using their resources, critical infrastructures, core technologies or other advantages, to undermine the rights of other countries … to independent control of ICTs, or to threaten other countries’ political, economic and social security. 

… and then points to the omission of any paragraph on patriotic hackers (a kind of unlawful cyber combatant posing asymmetric risks for the West):

Any UN voluntary code should include a pledge by nations to control patriotic hackers, militias, or other groups that are ignored, encouraged, or even supported by governments. This has been a scourge of modern cyber conflict and is a lead cause of instability in cyberspace, helping to escalate crises. And Russia and China are the particular sponsors of such groups as seen in Estonia and Georgia (Russia) and against the United States after Hainan Island incident and bombing of the Beijing embassy in Belgrade (China).

(Annotation: In Germany, courts have treated human-driven DDoS “online demonstrations” as legal, likening them to sit-ins, which are likewise legal even though they block traffic to and from property in the physical world.)

Update: The Council on Foreign Relations has a blog entry – alas too short – on the Chinese perspective on geopolitics in cyberspace.

But taken together with China’s proposed International Code of Conduct for Information Security, they suggest that some observers in China feel that the United States has gained momentum in cyberspace with the introduction of the International Strategy for Cyberspace and the DoD Strategy for Operating in Cyberspace.

“round the clock Internet surveillance”?  30.9.11

African news outlet coastweek.com reports from the ongoing Internet Governance Forum:

According to International Telecommunications Union (ITU) Secretary General Hamadoun Toure, governments should put in place round the clock Internet surveillance to prevent cyber-crime.

Toure called for the need for governments and the private sector to enter into partnership to ensure measures to guard Internet users in order to realize the full benefits of information technology growth.

Has Touré really called for “round the clock Internet surveillance”?

Anyhow, the design of coastweek.com makes me feel 15 years younger.

The Geopolitics of Openness  30.9.11

Interesting argument by David Eaves regarding the Open Government Partnership:

The OGP is part of a 21st century containment policy. And I’d go further, it is an effort to forge a new axis around which America specifically, and a broader democratic camp more generally, may seek to organize allies and rally its camp. (…)

Who is being contained? [China, Iran, Russia, Saudi Arabia, Pakistan] (…)

It’s no trivial coincidence that on the day of the OGP launch the President announced the United States first fulfilled commitment would be its decision to join the Extractive Industries Transparency Initiative (EITI). (…)

This is America essentially signalling to African people and their leaders – do business with us, and we will help prevent corruption in your country. We will let you know if officials get paid off by our corporations.

More data would certainly help to substantiate the argument, which in its current state is absorbing, but not compelling.

It would be interesting to link strategic US foreign policy thinking to ‘openness’ in governance – I’m thinking of, e.g., Anne-Marie Slaughter’s recent Foreign Affairs article, in which she proposed that the U.S. take the role of a central node in a highly networked and, governance-wise, deconstructed world. The OGP could be one element in the operationalisation of this strategy.

Symantec’s latest report on its beloved billion-dollar baby  29.9.11

431 million adults, $388 bn, marijuana, cocaine, heroin – cybercrime adds up to just an EFSF per year according to the folks at Symantec:

For the first time a Norton study calculates the cost of global cybercrime: $114 billion annually. Based on the value victims surveyed placed on time lost due to their cybercrime experiences, an additional $274 billion was lost. With 431 million adult victims globally in the past year and at an annual price of $388 billion globally based on financial losses and time lost, cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion).

The research methodology:

Findings are extrapolations based upon results from a survey conducted in 24 countries among adults 18-64. The financial cost of cybercrime in the last year ($114bn) is calculated as follows: Victims over past 12 months (per country) x average financial cost of cybercrime (per country in US currency).

Between February 6, 2011 and March 14, 2011, StrategyOne conducted interviews with 19,636 people and included 12,704 adults aged 18 and over, 4,553 children aged 8-17 years and 2,379 grade 1-11 teachers from 24 countries (Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, New Zealand, Spain, Sweden, United Kingdom, United States, Belgium, Denmark, Holland, Hong Kong, Mexico, South Africa, Singapore, Poland, Switzerland, United Arab Emirates).

20,000 interviews – interviews, not surveys – sounds impressive. With an interview lasting some 15 minutes, that’s 300,000 minutes, or 5,000 hours, or 625 eight-hour days. You’d need a team of some 15 people making telephone interviews for two months. Doable, just a few hundred thousand bucks going from Symantec to StrategyOne. But does such firepower help to dig out the truth™?

StrategyOne – Evidence-based communications:

As the strategic research partner of Edelman, the world’s leading independent PR firm, our heritage is in communications research. We understand that useful research informs strategy that engages, persuades, and moves products, minds, and media alike.

As to the methodology of the report, which is by the way not available as a PDF:

  • A list of the questions asked is not attached.
  • Definition of cybercrime I: Cybercrime is, among others, defined as: “Computer viruses or Malware appeared on my computer”. (Chapter 7) So a malware attachment merely arriving in your inbox qualifies as a single incident of cybercrime. There is no indication of the share of such incidents versus, say, credit card fraud.
  • Definition of cybercrime II: Which kinds of incidents have been reported as “another type of cybercrime on my computer”? What’s the percentage of this category?
  • Calculation of costs I: No indication whether different price bases are used, e.g. for the U.S. and for countries with substantially lower price indices, such as India or China.
  • Calculation of costs II: How are non-monetary incidents such as “malware or virus appeared on my computer”, “responding to a smishing message”, “approached by a sexual predator”, “Online Harassment” etc. turned into monetary damages?

Can being exposed to such reports be subsumed under online harassment? We won’t have reliable, sound, unbiased figures on cybercrime and the costs associated with it until a major research endeavour with serious funding spanning institutes in different countries is set up.


SABMiller: Conficker virus cost us £7.2 million  29.9.11

More and more reports on the costs of Conficker have trickled in recently. Here’s another one from the CISO (you know that acronym, right?) of brewery giant SABMiller, producer of delicious booze such as Foster’s, Miller, and Grolsch:

“Last April, I had to close down the Romanian operation for four hours because of the Conficker virus. It cost us £7.2 million [the revenue target lost, based on how much the breweries would have produced for sale during that time]”

He sold the halt of the beer production site to his board by arguing

that the effect on the company’s market capitalisation would be far worse if SABMiller had manufactured and sold poisoned stock

Shouldn’t the attack vectors for Conficker be barricaded by now? The worm spreads through an unpatched Windows RPC service, through network shares with weak administrator passwords and through autorun on removable media, all of which can be closed by patching, strong passwords and disabling autorun. Of course, they could still have their corporate network running on old, unpatched Windows platforms. (Businesses have been strong supporters of the “never change a running system” mantra, though the vulnerabilities remaining in aged gear challenge this stance.) But “poisoned stock”? Where should that come from? Do they run their beer SCADA systems on machines that would not detect a manipulation of their software stack? Where is the link between Conficker and “poisoned stock”?

DHS, DoC ask for anti-botnet policy input  28.9.11

Joint request by May, Strickling, Beers:

The U.S. Department of Commerce and U.S. Department of Homeland Security are requesting information on the requirements of, and possible approaches to creating, a voluntary industry code of conduct to address the detection, notification and mitigation of botnets. (…) The Departments seek public comment from all Internet stakeholders, including the commercial, academic, and civil society sectors, on potential models for detection, notification, prevention, and mitigation of botnets’ illicit use of computer equipment.

DHS asks for contributions in four segments: a) Practices To Help Prevent and Mitigate Botnet Infections, b) Effective Practices for Identifying Botnets, c) Reviewing Effectiveness of Consumer Notification, d) Incentives To Promote Voluntary Action To Notify Consumers.

I’ve seen similar public requests for comments in other policy domains of the US political system before. Thus, I’m not sure whether this is as unique as it appears from my European perspective.

Currently, Microsoft – and not some state agency – seems to be the botnet take-downer du jour.

Update. Joel Harding with regard to Microsoft’s role in botnet response:

DHS does not have the resources to protect US citizens, US corporations or any other government infrastructure beyond the critical infrastructure. Yet it is their mission to provide Homeland Security. When will DHS step up to the plate and perform their mission? Do we need a Department of Microsoft instead?

Merkel’s Moment, a Schmittian emergency  28.9.11

Margarita Mathiopoulos has her back to the wall because of the ongoing plagiarism investigation against her. I guess she’s the first among the Transatlanticist wing of the German foreign policy elite to put it that bluntly:

If it fails, the blame will be on Germany. … All eyes are on Berlin. There is a strong, if silent, expectation in European capitals — as in Washington — that Germany will not forget its historic obligation to those who helped it rise out of the ashes of World War II and reunite.

… and pulls a Schmitt (Carl, that is):

First and foremost, Merkel and Sarkozy can and should declare that the euro zone is in a “state of emergency.” This would allow them (…) Although this would require revising the Lisbon Treaty, a state of emergency would make it possible to take action immediately.

…and asks to give the Germans some boots that are not made for walking:

Germany will only agree to the introduction of eurobonds to spread the responsibility for government debt across the euro zone if sinning countries can be punished.

The Digital Public Domain: Relevance and Regulation  28.9.11

Brief, informative literature review by Leonhard Dobusch on the public domain, its conceptualisation, political regulation, and societal relevance. One of Leonhard’s arguments is that we have no systematic model of the real-world phenomena that can be categorised as public domain:

Empirically, however, a systematic ‘map’ of the public domain is still missing. We do not know yet, what public domain phenomena have the strongest practical relevance for actors in different fields. (p. 21)

This paper tried to provide a survey of our current scholarly knowledge on these issues, which might function as a starting point for further, particularly empirical investigations of the public domain. (p. 23)

Starting to fill these gaps was presumably one of the motivations for this paper. There is decent empirical research going on in that field, but indeed, we lack a systematic survey. The characteristics of the public domain can also be found in empirical phenomena other than the public domain or the commons; peer production – kind of a sibling of the two – might serve as an example.

Noteworthy is the locus dissertatii of this paper, the “1st Berlin Symposium on Internet and Society” hosted by Google’s German science proxy, the Internet & Society Institute at the Humboldt University Berlin, which is to be unleashed the day before the symposium.

Dr .de  22.5.11

In Germany, there appears to be a hidden, implicit, rarely articulated two-track system:

  1. the show-off doctorate with little scientific value and
  2. the real scientific doctorate based on dissertations that actually contribute to scientific knowledge.

The show-off doctorate is the product of the high social value of a doctorate in Germany, of the incompetence, co-optation or naiveté (in dubio pro latter) of supervisors and of the university bodies conferring doctorates, combined with some trickery by eager climbers. […]