This wonderful aphorism from Vint Cerf truly represents the epitome of what most RISKS readers would undoubtedly like the Internet to be. However, recent events increasingly indicate that the reality may be quite different. True Network Neutrality is still somewhat of a pipedream. But much worse is happening. Egypt has basically shut down ISPs and Internet connections for most users without very special privileges. Many nations are censoring what can be read (China, Iran, even Australia) to varying degrees. Even the ACM Risks Forum may be inaccessible to many would-be readers who would benefit from the collective wisdom that you all have contributed here since 1985. There are still efforts to provide some anonymity and accessibility for those who are otherwise oppressed by draconian controls and threats of retribution for uttering truth to power, but even these are likely to have serious risks of jamming (don't forget Estonia), unwarranted surveillance, and so on. And don't forget the pending U.S. legislation, Protecting Cyberspace as a National Asset. This would require the Department of Homeland Security to establish a list of critical systems that the President could "kill" if he deemed it necessary. This issue of RISKS again brings some of those issues to the fore. To a technologist, everything may seem to have a techy solution or approach that might help. However, the humanitarian issues tend to get lost. They are absolutely fundamental to our approaches to society—whether it is something like accessibility, or network neutrality, or integrity in elections, or abuses of social networking, or providing robust and resilient national and regional infrastructures (especially in times of financial woes). Of course, personal privacy is endangered throughout. Above all, the transnational nature of our social and technological problems must be taken into account.
[In Dave Farber's IP distribution. PGN]

28 January 2011

We are following the current events in Egypt with concern as it appears that all incoming and outgoing Internet traffic has been disrupted. The Internet Society believes that the Internet is a global medium that fundamentally supports opportunity, empowerment, knowledge, growth, and freedom and that these values should never be taken away from individuals.

The Internet Society considers this recent action by the Egyptian government to block Internet traffic to be an inappropriate response to a political crisis. It is a very serious decision for a government to block all Internet access in its country, and a serious intrusion into its citizens' basic rights to communicate. If the blockage continues, it will have a very detrimental impact on Egypt's economy and society. Ultimately, the Egyptian people and nation are the ones that will suffer, while the rest of the world will be worse off with the loss of Egyptian voices on the net.

However we are most concerned about the safety and security of the Egyptian people. Alongside the rest of the world, we share the hope for a positive and lasting solution to the problems that have risen to the surface there.

In the longer term, we are sure that the world will learn a lesson from this very unfortunate example, and come to understand that cutting off a nation's access to the Internet only serves to fuel dissent and does not address the underlying causes of dissatisfaction.

Also available at: http://isoc.org/wp/newsletter/?p=3091

The Internet Society: "The Internet is for Everyone"
Greg Wood, Internet Society, InternetSociety.org
http://www.internetsociety.org
office: +1-703-439-2145 / mobile: +1-703-625-3917
[I was thinking about running the entire Plan D message from Lauren, but his later note here gives you the appropriate link to it. PGN]

http://lauren.vortex.com/archive/000805.html

Greetings. Yesterday, in "'Plan D' - How To Disrupt the U.S.A.'s Internet" ( http://bit.ly/eV7Ivn [Lauren's Blog] ), I employed a concept from Stanley Kubrick's film classic "Dr. Strangelove" to draw an analogy between the specter of global warfare, and the enormous risks associated with government-directed Internet shutdowns as have already occurred in Egypt, and such as has been advanced by some officials as a desirable government-controlled "Internet Kill Switch" concept here in the United States.

The parallels are striking on several levels. But even I was surprised when I looked back at the original "Dr. Strangelove" footage, and realized that perhaps the characters were actually in a "Cyberwar Room"—and already were discussing various countries' abilities to use "kill switches" to shut down the Internet.

See what you think ...

Dr. Strangelove Explains the Internet Kill Switch: http://bit.ly/gYevUQ [YouTube] (~1.3 minutes)

Lauren Weinstein (firstname.lastname@example.org): http://www.vortex.com/lauren
Blog: http://lauren.vortex.com
+1 (818) 225-2800 / Skype: vortex.com
Co-Founder: People For Internet Responsibility: http://www.pfir.org
Founder:
- Network Neutrality Squad: http://www.nnsquad.org
- Global Coalition for Transparent Internet Performance: http://www.gctip.org
- PRIVACY Forum: http://www.vortex.com
Twitter: https://twitter.com/laurenweinstein
Google Buzz: http://bit.ly/lauren-buzz
Quora: http://www.quora.com/Lauren-Weinstein
Swedish ISP to circumvent EU data retention laws to allow anonymous surfing
http://bit.ly/euWVPZ (P3 - Swedish->English via Google Translate)

"In our case, we plan to let our traffic go through a VPN service," says Jon Karlung, who is president. It is about allowing customers to surf anonymously. Bahnhof chose a technical solution that allows them to not know what their customers do online, what they sent or who they are talking to. The information that they save is thus irrelevant to the police.

Lauren Weinstein (email@example.com): http://www.vortex.com/lauren
Blog: http://lauren.vortex.com
+1 (818) 225-2800 / Skype: vortex.com
William Gibson, *The New York Times* OpEd, 27 Jan 2011

[Browse for the full article online. PGN-ed]

In January 1986, Basit and Amjad Alvi, sibling programmers living near the main train station in Lahore, Pakistan, wrote a piece of code to safeguard the latest version of their heart-monitoring software from piracy. They called it Brain, and it was basically a wheel-clamp for PCs. Computers that ran their program, plus this new bit of code, would stop working after a year, though they cheerfully provided three telephone numbers, against the day. If you were a legitimate user, and could prove it, they'd unlock you.

But in the way of all emergent technologies, something entirely unintended happened. The Alvis' wheel-clamp was soon copied by a certain stripe of computer hobbyist, who began to distribute it, concealed within various digital documents that people might be expected to want to open. Because almost all these booby-trapped files went out on floppy disks, the virus spread at a pre-Internet snail's pace. Still, it did wreak a certain amount of low-grade havoc, freezing computers across the world. The hobbyists did it because they could, or to proudly demonstrate that they could, or to see what would happen, or simply because they thought it was neat. ...

Should the lights go out in our online bus shelters one day, or some critical control system go spectacularly awry, it may in a sense, however distantly, be because Israel found a way to shut down Iran's centrifuges. But in another way it will be the result of a bright idea two brothers once had, in the vicinity of Lahore Railway Station, to innocently clamp a digital pirate's wheel.

William Gibson is the author, most recently, of the novel "Zero History."
Follow these 7 tips to protect your IT assets - and essential company data - from a service provider breakup gone bad

InfoWorld, Adventures in IT: How to divorce your tech vendor, January 24, 2011
http://www.infoworld.com/d/adventures-in-it/how-divorce-your-tech-vendor-089

Opening text (some deletions):

Sure, hooking up with a new IT service provider is all cigars and handshakes at first. Promises are made and stars glimmer in your eyes as you sign the contract. The future looks bright. Then things start to go south.

Before you make a clean break and start fresh with someone new, consider this cautionary tale of a small biotech firm in the Rocky Mountains that decided to dump its IT consultant. When the consultant got wind he was about to be canned, he installed a script that automatically blind-copied him on all emails to and from the company's top executives. He quickly discovered that the firm's lead scientist was having an affair. On the day the consultant was to be fired, he zipped up 500 racy emails and, using another executive's account, forwarded them to the scientist's wife.

"It was worse than a soap opera and very tragic for the client," says Patty Laushman, CEO of the Uptime Group, an IT shop asked to perform computer forensics to prove that the firm's IT vendor was behind the scheme. "Had we known how unhappy they were with their current vendor, we would have coached them on how to safely make the switch."

Of course, not all jilted vendors turn into Glenn Close in "Fatal Attraction." Most vendors who feel wronged just sue you. But with easy access to your confidential information and core business systems, the risks from a bad breakup with IT service providers are especially high.
[Should I apologise to the RISKS readership because I did not post about Mr. Zuckerberg's Facebook page being defaced? In my defence, there are just so many Facebook risks, and I was busy.]

Two more articles:

No one's Facebook profile is safe
When both the Facebook founder and the president of France are targeted by hackers, it's time to revisit your security settings
January 26, 2011
http://www.infoworld.com/d/adventures-in-it/no-ones-facebook-profile-safe-552
InfoWorld, Adventures in IT: The Gripe Line

Selected text:

Demonstrating the system's adaptability - quickly, judging by the response to the Zuckerberg hack - Facebook announced two new security measures this morning. The first is an HTTPS login that allows you to visit Facebook on a secure connection. "We are rolling this out slowly over the next few weeks," says the site in a public announcement, "but you will be able to turn this feature on in your Account Settings soon."

The second is called "social authentication." It takes the idea of the CAPTCHA - the security measure that asks you to eyeball mangled letters, translate them to English, and type them into a box before you can log on - a step further. Before you can log on, the system taps your social network and quizzes you on who you know. If, for example, the site sees you logged in from Denver in the morning and London in the afternoon, it might ask you to authenticate your identity by displaying a picture of one of your own friends and asking you to choose his name from a list. (You might want to take a look at your privacy settings to be sure the hacker community can't browse for the answer.)

This could prove embarrassing for those of us who are very bad with names and faces or who have a zillion friends on Facebook. Or as pointed out elsewhere, if someone knows your friends, you may be in for trouble.
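The Denver-in-the-morning, London-in-the-afternoon trigger described above is a geo-velocity ("impossible travel") check. The following is an added illustration of that detection logic, not Facebook's code or anything from the article: the login records and city coordinates are constructed sample data, and the 900 km/h ceiling is an assumed threshold, roughly airliner speed, above which a pair of logins would call for step-up authentication.

```python
"""Geo-velocity ("impossible travel") check over a constructed login log.

Assumptions (not from the article): a 900 km/h speed ceiling, and that a
login event already carries a geolocation for its source address.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed ceiling: a faster implied ground speed between two logins is
# treated as impossible and should trigger step-up authentication.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime   # timezone-aware UTC timestamp
    city: str        # label only, used in the report
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def flag_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier_city, later_city, implied_kmh) for each pair of
    consecutive logins by the same user whose implied speed exceeds max_kmh."""
    by_user = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.when)):
        by_user.setdefault(ev.user, []).append(ev)
    flagged = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            if hours <= 0:
                # Same instant from two places is impossible unless co-located.
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > max_kmh:
                flagged.append((user, prev.city, cur.city, round(speed)))
    return flagged


def _utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample log: alice mirrors the article's Denver/London case,
# bob moves between two nearby cities, carol takes a plausible 24 h trip.
SAMPLE_LOGINS = [
    Login("alice", _utc("2011-01-26 09:00"), "Denver",   39.74, -104.99),
    Login("alice", _utc("2011-01-26 15:00"), "London",   51.51,   -0.13),
    Login("bob",   _utc("2011-01-26 08:30"), "Boston",   42.36,  -71.06),
    Login("bob",   _utc("2011-01-26 10:30"), "New York", 40.71,  -74.01),
    Login("carol", _utc("2011-01-25 07:00"), "Denver",   39.74, -104.99),
    Login("carol", _utc("2011-01-26 07:00"), "London",   51.51,   -0.13),
]

if __name__ == "__main__":
    for hit in flag_impossible_travel(SAMPLE_LOGINS):
        print("step-up authentication needed:", hit)
```

Only alice is flagged: roughly 7,500 km in six hours implies well over 1,000 km/h, while bob's and carol's pairs stay under the ceiling.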
InfoWorld Tech Watch, January 26, 2011
Facebook rolls out always-on encryption in wake of CEO's fan page being hacked
Facebook users can opt to connect via SSL over HTTP, but some third-party features still won't be secure
http://www.infoworld.com/t/data-security/facebook-rolls-out-always-encryption-in-wake-ceos-fan-page-being-hacked-589

Selected text:

The important caveat here is that HTTPS implementation will not render Facebook sessions entirely secure: As noted in the Facebook blog, "Some Facebook features, including many third-party applications, are not currently supported in HTTPS. We'll be working hard to resolve these remaining issues." In other words, Facebook accounts might still be in jeopardy when used to access apps for important activities like managing virtual farms, zoos, towns, mafias, fish tanks, and the like.

Does anyone else see setups for the next round of trouble?
Alexis Madrigal, The Inside Story of How Facebook Responded to Tunisian Hacks, *The Atlantic*, 24 Jan 2011

It was on Christmas Day that Facebook's Chief Security Officer Joe Sullivan first noticed strange things going on in Tunisia. Reports started to trickle in that political-protest pages were being hacked. "We were getting anecdotal reports saying, 'It looks like someone logged into my account and deleted it,'" Sullivan said.

For Tunisians, it was another run-in with Ammar, the nickname they've given to the authorities that censor the country's Internet. They'd come to expect it.

In the days after the holiday, Sullivan's security team started to take a closer look at the data, but it wasn't entirely clear what was happening. In the US, they could look to see if different IP addresses, which identify particular nodes on the network, were accessing the same account. But in Tunisia, the addresses are commonly reassigned. The evidence that accounts were being hacked remained anecdotal. Facebook's security team couldn't prove something was wrong in the data.

It wasn't until after the new year that the shocking truth emerged: Ammar was in the process of stealing an entire country's worth of passwords. ...

http://www.theatlantic.com/technology/print/2011/01/the-inside-story-of-how-facebook-responded-to-tunisian-hacks/70044/
[More from Network Neutrality, which is full of goodies these days. PGN] "The country's Internet service providers were running a malicious piece of code that was recording users' login information when they went to sites like Facebook." http://bit.ly/i5YBm6 (The Atlantic)
Previously, I told my wale of toe about knocking over a hard drive with thousands of MP3s, when I should have known better and been more careful. With my serious insistence on safety I am deeply ashamed. Well, now needing to lock - and bolt - the door after the horse escaped, I have to do something I hate, to "spend money in anger", to expend funds to fix a problem: buy a new hard drive in order to prevent a recurrence of my last problem of insufficient backup of data from lack of a place to store it.

I went over to Micro Center as they are a great place to buy computer stuff and prices are very competitive, often better than many Internet retailers. I'm used to 40-pin drives so I figure I'll either buy an internal one or external USB. Internals are about $50 cheaper in the two terabyte size, USB is about $120 and internal is around $89. So I pick up an internal, especially since Seagate offers a 5-year warranty. If I don't drop it again and it goes bad, I get a replacement. No, it doesn't cover replacement of data; I'm stupid but not that stupid, I will have backups.

So I want to buy a Blu-Ray burner, they're around $120, but the store personnel can't find them even though they're supposed to have two in stock, until the guy brings out one, whose box I read "very" carefully. It's a DVD writer and BD disk reader; it does not write BD-R disks. One of the clerks does find one, but it's like $350, waaay over my threshold of pain. Well, if I use my old computer as a file server and make a backup on my new one, I can get by until next month and buy a BD-writer.

So I get the drive home and discover I didn't even look at the box; it said right on it, it's a SATA drive. I discover I'm used to the 40-pin PATA drive type, and they are different connectors. But I decide to take a look; I open up my replacement computer and discover by sheer dumb luck its hard drive - and even the DVD burner - are SATA drives.
I notice also they've eliminated jumpers on the drive, SATA drives are cable select. All I have to do is pull the DVD drive out, plug the new drive in, and I can clone it over. I tried some downloadable software from the Internet but it fails on a minor block error on the original drive in this machine. The new drive came with a CD containing a drive cloning software program, only I've removed the DVD drive, I'd have to shut down, replace the DVD, restart, set up the software, then shut down, remove the DVD and replace the other hard drive. Fortunately, last year I had bought a USB DVD burner, so I was prepared.

I used that, duplicated the old disk and it knew the new partition was 1.7 TB instead of the current 72 GB. (There's a 4.9 GB recovery partition and I figure there's spacing issues because propeller heads like myself think of 1 TB as 1024^4 but hard drive makers call 1 TB 1000^4.) Only problem was I didn't watch and it copied by percentages, so the recovery partition will be 122 GB, not 4.9. I do not want to lose over 110 GB so I have to wait until it finishes, reboots, then run it over again, this time manually resetting the size of the recovery partition. That ends up being 6 GB (I can live with losing one gigabyte!) and the procedure is flawless, it even recovers from two small errors on the original disc. I move the clone disk in place of the original, reinstall the DVD player, and the computer starts up, you can't tell the difference except the computer now reports it has 1.9 TB free instead of about 50 GB. I am using that computer with the new hard drive to write this message.

But the other thing I want to do is have disc backups. Since my files now exceed 40 GB - not counting what I lost from my music collection - I decide DVD backup at 4 GB a pop is getting tedious, I should move to Blu-Ray, at 25 GB a pop. Price is only about twice that of DVD, about $2 a disk.
But I saw an excellent deal on Buy.Com, two BD-R spindles of 15 for $28 and free shipping, or about 2 for the price of 1. I mention my story to some friends and one notes Tiger Direct is selling Blu-Ray burners for $69. I check it out, and discover what I suspected. If you read the specifications carefully, you find it again is a DVD writer and Blu-Ray reader. I saw one for $79, and again had to read its specs: BD reader, not burner. But I find one that definitely says it writes BD-R disks, and it's $109 (internal). So I might buy that one, or I might spend a little more and get a USB model so I can take it with me if I take my backup disks elsewhere.

But again, the risk here is you must read the package to make sure you do get the right product. You also need to make sure you know when what you're using has changed so, again, you get the product you actually need, not what you think you do. More than 2,500 years ago the Romans had a phrase that told us that if you're buying stuff make sure you read the package and know what you're buying: Caveat Emptor.
Sadly, the world is pretty seriously confused about malicious code (aka malware) and its relationship to software security. I tried to address the basics in a video recently released by Invincea. We posted a copy on the Justice League blog: http://www.cigital.com/justiceleague/2011/01/19/malicious-code-and-software-security/
2nd Workshop on Ethics in Computer Security Research (WECSR 2011)
Bay Gardens Beach Resort, St. Lucia
http://www.cs.stevens.edu/~spock/wecsr2011/
March 4, 2011

CALL FOR PARTICIPATION

The workshop is an international platform for discussing ethical issues in computer security research, where researchers, practitioners, policy makers, and others can contribute. Presentations, panels, and invited speakers will be featured in this year's instance. The workshop is held in conjunction with Financial Cryptography and Data Security 2011.

Topics: Ethics, Role of IRBs, Electronic voting security, Botnets, Human subject research, Take-down research, Data sharing, Shaping the future

IMPORTANT DATES
Reduced registration rate cut-off: February 11, 2011

Please send any questions to spock + wecsr2011 @ cs . stevens . edu
Further details can be found at http://www.cs.stevens.edu/~spock/wecsr2011/

INVITED SPEAKERS
- Alex Halderman (University of Michigan): Ethical Issues in E-Voting Security Analysis
- Christopher Soghoian (Indiana University): Enforced community standards for privacy-violating research

PROGRAM

Papers:
- Security Research with Human Subjects: Informed Consent, Risk, and Benefits. Maritza Johnson, Steven Bellovin and Angelos Keromytis (Columbia University)
- Ethical Dilemmas in Take-down Research. Tyler Moore (Harvard University) and Richard Clayton (University of Cambridge)
- Ethical Considerations of Sharing Data for Cybersecurity Research. Darren Shou (Symantec)

Panels:
- Human Subjects, Agents, or Bots: Current Issues in Ethics and Computer Security Research. Panel moderator: Elizabeth Buchanan. Panelists: John Aycock (University of Calgary), Scott Dexter (Brooklyn College, CUNY) and Dave Dittrich (University of Washington)
- Moving forward, building an ethics community. Moderator: Erin Kenneally (UC San Diego/CAIDA/Elchemy). Panelists: TBD

Rump session: There will be a rump session for presenting recent research and controversial ideas and topics.
SOCIAL PROGRAM
There will be excursions the day before and after the workshop, as well as a reception the night before the workshop.

ORGANIZERS
All FC'11 (http://fc11.ifca.ai) workshops are organized by:
General Chair: Steven Murdoch, University of Cambridge
Local Arrangements Chair: Fabian Monrose, University of North Carolina Chapel Hill

PROGRAM COMMITTEE
Program Chair: Sven Dietrich, Stevens Institute of Technology
Michael Bailey, University of Michigan
Elizabeth Buchanan, University of Wisconsin-Milwaukee
Aaron Burstein, University of California Berkeley
Nicolas Christin, Carnegie Mellon University
Michael Collins, RedJack
Marc Dacier, Symantec Research
Roger Dingledine, The Tor Project
David Dittrich, University of Washington
Kenneth Fleischmann, University of Maryland
Rachel Greenstadt, Drexel University
Erin Kenneally, UC San Diego/CAIDA/Elchemy
Engin Kirda, EURECOM
Howard Lipson, CERT
John McHugh, University of North Carolina, Chapel Hill
Peter Neumann, SRI International
Vern Paxson, University of California, Berkeley / ICSI
Len Sassaman, KU Leuven
Angelos Stavrou, George Mason University
Michael Steinmann, Stevens Institute of Technology
Paul Syverson, Naval Research Laboratory

The Workshop on Ethics in Computer Security Research is organized by The International Financial Cryptography Association (IFCA).