Category Archives: Government

European Parliament Votes for Internet Freedom and Security

Sometimes a legislative body gets the picture and shows some spine:
Despite last minute attempts by the French government to divide them, European MEPs today voted decisively against “three strikes”, the IFPI-promoted plan to create a class of digital outcasts, forbidden from accessing the Net if repeatedly accused by music companies of downloading infringing content.

In a vote held today, hundreds of MEPs supported language which declared termination of Internet access to be in conflict with “civil liberties and human rights and with the principles of proportionality, effectiveness and dissuasiveness”, all core values of the European Union.

… And Guy Bono, the author of the report, had this to say in the plenary:

“On this subject, I am firmly opposed to the position of some Member States, whose repressive measures are dictated by industries that have been unable to change their business model to face necessities imposed by the information society. The cut of Internet access is a disproportionate measure regarding the objectives. It is a sanction with powerful effects, which could have profound repercussions in a society where access to the Internet is an imperative right for social inclusion.”

European Parliament to Sarkozy: No “Three Strikes” Here, Posted by Danny O’Brien, EFF, April 10th, 2008

The European Parliament voted for social inclusion, participation, and human rights over profits for a tiny group of companies. That wasn’t hard. Even if the vote had gone the other way, it wouldn’t have produced any real security for the tiny group, and the way it did go, it produces far more security for everyone else. Maybe the U.S. can get the message.

-jsq

Auditing Georgia Government Security

93177422govheadshot3finalpreview.jpg Georgia’s governor wants to standardize information security reporting across the entire state government:
The Executive Order calls for a single set of information security reporting standards for all agencies to follow. Currently, state agencies use a variety of reporting standards, making it difficult to measure information security across state government or to track progress from year to year.

Governor Perdue has directed the Georgia Technology Authority (GTA) to work with the Georgia Department of Audits and Accounts and the Governor’s Office of Planning and Budget to develop a reporting format and required content for agency information security reports. Each agency will be responsible for reporting to GTA at the end of the fiscal year. GTA will compile agency reports into a single Enterprise Information Security Report, available by October 31 of each year.

Gov. Perdue Signs Executive Order Strengthening Georgia’s Information Technology Security, News Report, Government Technology, Mar 20, 2008

I think this is a good move. Now how about monthly reporting in a publicly visible web page.

-jsq

Publicity about Internal Fraud: Still an Issue after 30 Years

top_hansom_cab.gif Adam quotes a 30 year old book about computer security and notes that the IRS then and now doesn’t adequately protect taxpayers’ information and promises to do better. His quote that I like best, though is:
Top management people in large corporations fear that publicity about internal fraud could well affect their companies’ trading positions on the stock market, hold the corporation up to public ridicule, and cause all sorts of turmoil… (Computer Capers, page 72)

Computer Capers: Tales of electronic thievery, embezzlement, and fraud, by Thomas Whiteside, Ty Crowell Co., 1978

That’s why corporations fear a breach reporting reputation system. That’s also why we need one.

-jsq ~

Traffic Control Viewed as ISP Risk

pirates.jpg Certain ISPs plan to spend a lot of money throttling, stifling, policing copyrights, campaigning and lobbying to control content of information flow through their networks. They might want to look at what’s happening in China:
Beijing has recently added a new weapon to its arsenal of surveillance technologies, a system it believes to be a modern marvel: the Golden Shield. It took eight years and $700 million to build, and its mission is to “purify” the Internet — an apparently urgent task. “Whether we can cope with the Internet is a matter that affects the development of socialist culture, the security of information, and the stability of the state,” President Hu Jintao said in January.

The Golden Shield — the latest addition to what is widely referred to as the Great Firewall of China — was supposed to monitor, filter, and block sensitive online content. But only a year after completion, it already looks doomed to fail. True, surveillance remains widespread, and outspoken dissidents are punished harshly. But my experience as a correspondent in China for seven years suggests that the country’s stranglehold on the communications of its citizens is slipping: Bloggers and other Web sources are rapidly supplanting Communist-controlled news outlets. Cyberprotests have managed to bring about an important constitutional change. And ordinary Chinese citizens can circumvent the Great Firewall and evade other forms of police observation with surprising ease. If they know how.

The Great Firewall: China’s Misguided — and Futile — Attempt to Control What Happens Online, By Oliver August, WIRED MAGAZINE: ISSUE 15.11, 10.23.07 | 12:00 AM

And if they don’t know how, that article provides tips. Continue reading

Egerstad Arrested: Uses Tor to Snoop Snoopers; Is This a Crime?

So this fellow was just arrested and some of his computers confiscated: danegerstad_narrowweb__300x378,0.jpg
Dan Egerstad, a security consultant, intercepted data carried over a global communications network used by embassies around the world in August and gained access to 1000 sensitive email accounts. They contained confidential diplomatic memos and other sensitive government emails.

After informing the governments involved of their security failings and receiving no response, Egerstad published 100 of the email accounts, including login details and passwords, on his website for anyone curious enough to have a look. The site, derangedsecurity.com, has since been taken offline.

Swedish Police Swoop on Dan Egerstad – UPDATE by Fergie, Fergie’s Tech Blog, 14 Nov 2007

He got this information by installing Tor, which people use to hide their IP addresses, and looking to see what passed over it. What he saw he thinks was people who had already broken into embassy accounts using them illicitly. He tried to inform governments, who (except for Iran) were uninterested. Then he posted his information online, thus probably stopping the snoopers.

So Egerstad gets arrested, yet this man, who says “Privacy no longer can mean anonymity” walks around free.

-jsq

Privacy and Breach Reporting

Why do corporations and the government think we should trust them with everything, yet they shouldn’t even have to report security breaches?

Adam notes that the Commission on Cyber Security is currently meeting “to provide advice about cyber-security policy to the next presidential administration.” Adam has a recommendation:

Many of our fears about what happens after a company is breached have turned out to be false. This is the first key lesson. We have feared that companies will go out of business, people will lose their jobs, and customers will flee. Generally, these things happen only in extreme outliers, if at all. (Two companies have gone out of business; average customer churn is about 2%.)

The second lesson comes from studying the data. The dataloss list contains less selection bias about a broader set of incidents than any other public data I’ve ever seen.

So my goal for the 44th Presidency would be to overcome the fear that has held us back from having national cybercrime statistics, in the form of good law requiring breach disclosure.

How Government Can Improve Cyber-Security, by Adam Shostack, Emergent Chaos, 12 Nov 2007

This would be a big improvement.

-jsq

Chinese Firewall Viewed as Vacuum

greatwall.jpg In addition to the Chinese national firewall being used as a Panopticon that encourages self-censorship, other uses are now emerging:
Further to our earlier story on visitors to Google Blogsearch being redirected to Baidu in China, new reports have surfaced that would indicate that China has unilaterally blocked all three major search engines in China and is redirecting all requests to Baidu.

Cyberwar: China Declares War On Western Search Sites, by Duncan Riley, TechCrunch, 18 October 2007

Sort of an involuntary proxy, going somewhere other than where you thought.

Note the distinction between censorship and this new action:

…the redirect to Baidu would indicate an economic motive; if the Chinese Government were serious about censorship alone we would have reports of page not found/ blocked messages, not redirects to Baidu. The Chinese Government is clearly using its censorship regime to the economic benefit of a Chinese owned (but NASDAQ listed) company.
And also remember that there are U.S. government sponsored web panopticon projects. Research so far, or so far as we know.

-jsq

PS: Seen on Dancho Danchev‘s blog.

Web Panopticons: China and U.S.

panopticon.gif Fergie points out a university project investigating censorship:

The "Great Firewall of China," used by the government of the People’s Republic of China to block users from reaching content it finds objectionable, is actually a "panopticon" that encourages self-censorship through the perception that users are being watched, rather than a true firewall, according to researchers at UC Davis and the University of New Mexico.

The researchers are developing an automated tool, called ConceptDoppler, to act as a weather report on changes in Internet censorship in China. ConceptDoppler uses mathematical techniques to cluster words by meaning and identify keywords that are likely to be blacklisted.

University Researchers Analyze China’s Internet Censorship System, News Report, Government Technology News, Sep 11, 2007

So the Great Firewall of China watches what users are doing by actively intercepting their traffic. Meanwhile, back in the U.S. of A., how about a passive web panopticon?

Continue reading

Brooklyn Tornado

brooklynnytransit.jpg

How soon they forget:

It wasn’t just the tornado in Brooklyn — the first in recorded history in the borough — it was the huge quantities of rain that flooded basements and stranded rail and road commuters from Mineola to Midtown.

End of the world as we know it? By Carl Macgowan, Newsday, 10:51 PM EDT, August 8, 2007

Sounds kind of like "who could have predicted it?"

Continue reading