Category Archives: Internet risk management strategies

The Telco Camel in the Internet Tent

I keep alluding to telecommunications companies wanting to limit the Internet. Here’s a pithy summary by Scott Bradner of how the Internet is different and what’s happening now. He notes that telephone companies were present at the earliest public demonstration of the ARPANET and AT&T was even offered an early opportunity to run it. None of the telcos were interested back then, so the follow-on Internet was mostly left alone both by the telcos and by government regulatory agencies.

This neglect meant that developers were free to experiment with new applications over the Internet. There was no carrier telling users what applications they could or could not run, no carrier that you had to get permission from before you were able to deploy a new Internet-based service. The Internet was just a collection of wires, most of which were bought from the telephone companies by ISPs, who paid what the telephone companies determined was a reasonable fee for use of the wires. The cost of the wire did not depend on what Internet services were running over it, just like the cost of your car does not depend on whom you transport in it. ISP customers paid the phone companies for the wires and paid ISPs for Internet service based on the size of the wire they were using. Everything was simple.

But some of the telephone companies want to change this. They want to charge Google and others to send packets to you. The fact that you have already paid for the wire and the Internet service that Google is using to send those packets is ignored. The phone companies say that they want to let Google pay more to make Google’s packets get to you “better,” but this is the blunt end of the camel well into the tent.

Blocking the power of the Internet, by Scott Bradner, Network World, 01/16/06

Telephone companies always used to charge by time, which they do for the Internet in some countries, such as New Zealand, and in Europe some telcos succeeded in charging per byte for a while. Now in the States they’re moving to charge effectively by type of application. I think this means they need to fix their rates. They think otherwise, obviously. I think their thinking is a risk not only to their own businesses, but also to every business that depends on the Internet.

-jsq

Standards Organizations Not A Panacea

Joi Ito quotes Irving Wladawsky-Berger, the Vice President of Technical Strategy and Innovation of IBM:

If a crunch comes between the interests of the shareholders and interests of the community, a business has to choose the interests of the shareholders. A business creating a standard that it controls and says is "open" and that people should "trust them" is not robust from that perspective. Business should prevent itself from getting into these situations. Working with neutral professional organizations makes it impossible for such conflicts to corrupt the process and is key to good open standards.

Irving Wladawsky-Berger’s definition of Open Standards, 17 Jan 2006, Joi Ito’s blog

The IBM VP makes a good point about potential conflict between open standards and shareholder value. And Joi rightly applauds him for making it.

However, standards bodies are not a panacea for all ills of openness.


The Total Influence

Forty-five years ago this month, U.S. president Dwight D. Eisenhower gave a speech that seems to have accurately predicted the future:

Until the latest of our world conflicts, the United States had no armaments industry. American makers of plowshares could, with time and as required, make swords as well. But now we can no longer risk emergency improvisation of national defense; we have been compelled to create a permanent armaments industry of vast proportions. Added to this, three and a half million men and women are directly engaged in the defense establishment. We annually spend on military security more than the net income of all United States corporations.

This conjunction of an immense military establishment and a large arms industry is new in the American experience. The total influence — economic, political, even spiritual — is felt in every city, every State house, every office of the Federal government. We recognize the imperative need for this development. Yet we must not fail to comprehend its grave implications. Our toil, resources and livelihood are all involved; so is the very structure of our society.

In the councils of government, we must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military-industrial complex. The potential for the disastrous rise of misplaced power exists and will persist.

Farewell Address to the Nation, by Dwight D. Eisenhower, January 1961

Eisenhower had been the commander of all Allied forces in Europe during World War II. He later went into politics as a Republican, and when he gave this speech he was the president of the United States. He knew of what he warned, and it would appear by the ongoing lobbying scandals in DC that he warned correctly.

He did propose a solution.


Symantec Rootkit: Example or Warning?

Doubtless everyone has heard about the Symantec rootkit. It wasn’t nearly as bad as the Sony rootkit. As F-Secure explained:
“Symantec’s rootkit is part of a documented, useful feature; it could be turned on or off and it could easily be uninstalled by the user.”

Symantec rootkit fuss, p2p news / p2pnet

That’s all well and good, but it still created an invisible directory that miscreants could have used to hide malware.

There’s been a big flap about this without either Symantec doing anything inappropriate with it or a miscreant taking advantage of it (so far as we know); I think it’s a good thing that public reaction has forced recall of the feature before it has done any known harm.

Risk management includes not knowingly including attractive nuisances in software.

-jsq

United States of Microsoft

Richard Forno, a principal consultant for KRvW Associates and a former senior security analyst for the House of Representatives, believes that Microsoft is a threat to national security. The White House, Congress, and Department of Defense all run Windows and send and receive e-mail on MS Exchange Server—exploitable Microsoft products that offer a “target-rich environment for malicious code.”

Microsoft vs. Computer Security: Why the software giant still can’t get it right, by Adam L. Penenberg, Slate, posted Monday, Jan. 9, 2006, at 1:10 PM ET

Golly, I wish somebody had thought of that sooner, like maybe Dan Geer about two years ago.

Malaysian Broadband

Malaysia is planning on fast broadband and IT infrastructure, notes James Seng. Malaysia is aiming at broadband in use in 75% of households by 2010.

Meanwhile, the U.S. seems to be heading for control of speed and use of the last mile by a small number of big telcos, with speeds less than a tenth of what Malaysia is aiming for.

James remarks that Malaysia’s plan looks like Korea’s. In other words, like a plan that’s already working in another country.

Funny what can be done when a country decides to actually do something instead of squabbling.

-jsq

The Wolf in the Image

Even though people cry wolf too much, sometimes, as with the current Microsoft WMF vulnerability, the wolf really is at the door, or in this case in the image. Unlike many web-related vulnerabilities, this one doesn’t require the user to do anything to take effect, because it’s an image vulnerability. Internet Explorer (IE) triggers the vulnerability simply by rendering such an image. Recent versions of Firefox at least ask the user before opening the image, but many users will say yes because it’s an image, and people think images are safe.

Microsoft has not provided a fix, even though this problem has been around for a week or more now. SANS is predicting that Microsoft won’t provide any fix for Windows 98; instead, if you want to be safe, you’ll have to upgrade.

Meanwhile, an individual has provided a patch that seems to work, and SANS has tested it and approves.

What does it mean when the world’s largest software vendor can’t release a timely patch to one of the worst-ever vulnerabilities in its software?


Crying Wolf: One Reason People Don’t Pay Attention to Big Risks

Here’s one reason people don’t pay attention to big risks: too many times they’ve heard that things will fall apart in a big way, such as overpopulation as predicted back in 1968 (by which prediction we should have probably 10 billion people on the planet now), and some of the more overblown Y2K predictions; many of these are cataloged in an article by Michael Crichton.

Notice that in 1968, when Ehrlich published his book The Population Bomb, world fertility was already in decline. Ehrlich was thus urging people to do what they had already been doing for about 10 years. It’s not clear whether he knew this or not. But certainly when he said, “The battle to feed all of humanity is over…. At this late date nothing can prevent a substantial increase in the world death rate…” he was simply wrong. As you see, after his book appeared the death rate remained flat in developed countries, and it continued to fall for another 10 years in developing countries.

Fear, Complexity, & Environmental Management in the 21st Century, Washington Center for Complexity and Public Policy, Washington DC, November 6, 2005, by Michael Crichton

Crichton remarks that Ehrlich was merely crying out in desperation to urge what was already happening. However, Crichton also neglects to mention that a quite significant government initiative, the One-Child Policy in China, was promulgated after Ehrlich’s warning and has apparently had a significant effect on population growth in China, which is now expected to peak somewhere around 1.5 billion in about 2025. In other words, China chose to change its demographics to start acting like a developed country before it became one. Crichton also doesn’t mention improvements in food production that weren’t known to be possible when Ehrlich wrote. Ehrlich was in fact wrong in his predictions, but Crichton is also wrong in implying that things would have gone as well if nobody had tried to do anything to change the situation.

Sony: Legal Reaction

Michael Geist has some interesting comments about the provisional settlement of one of the lawsuits against Sony for its rootkit DRM.

Perhaps his most important point is that the settlement will only have effect in the U.S., not, for example, in Canada.

This particular suit settlement would require Sony not only to recall all the affected CDs, but also to stop using the software that implemented the rootkit and to disavow the relevant portions of the EULAs. It even would require free music downloads, which would be one of the things Sony was trying to counter with the DRM in the first place.