European Parliament Votes for Internet Freedom and Security

Sometimes a legislative body gets the picture and shows some spine:
Despite last minute attempts by the French government to divide them, European MEPs today voted decisively against “three strikes”, the IFPI-promoted plan to create a class of digital outcasts, forbidden from accessing the Net if repeatedly accused by music companies of downloading infringing content.

In a vote held today, hundreds of MEPs supported language which declared termination of Internet access to be in conflict with “civil liberties and human rights and with the principles of proportionality, effectiveness and dissuasiveness”, all core values of the European Union.

… And Guy Bono, the author of the report, had this to say in the plenary:

“On this subject, I am firmly opposed to the position of some Member States, whose repressive measures are dictated by industries that have been unable to change their business model to face necessities imposed by the information society. The cut of Internet access is a disproportionate measure regarding the objectives. It is a sanction with powerful effects, which could have profound repercussions in a society where access to the Internet is an imperative right for social inclusion.”

European Parliament to Sarkozy: No “Three Strikes” Here, Posted by Danny O’Brien, EFF, April 10th, 2008

The European Parliament voted for social inclusion, participation, and human rights over profits for a tiny group of companies. That wasn’t hard. Even if the vote had gone the other way, it wouldn’t have produced any real security for the tiny group, and the way it did go, it produces far more security for everyone else. Maybe the U.S. can get the message.

-jsq

Auditing Georgia Government Security

Georgia’s governor wants to standardize information security reporting across the entire state government:
The Executive Order calls for a single set of information security reporting standards for all agencies to follow. Currently, state agencies use a variety of reporting standards, making it difficult to measure information security across state government or to track progress from year to year.

Governor Perdue has directed the Georgia Technology Authority (GTA) to work with the Georgia Department of Audits and Accounts and the Governor’s Office of Planning and Budget to develop a reporting format and required content for agency information security reports. Each agency will be responsible for reporting to GTA at the end of the fiscal year. GTA will compile agency reports into a single Enterprise Information Security Report, available by October 31 of each year.

Gov. Perdue Signs Executive Order Strengthening Georgia’s Information Technology Security, News Report, Government Technology, Mar 20, 2008

I think this is a good move. Now how about monthly reporting on a publicly visible web page?

-jsq

Censorship as Security: GoDaddy Delists Cop Rating Web Site

This is security?
A new web service that lets users rate and comment on the uniformed police officers in their community is scrambling to restore service Tuesday, after hosting company GoDaddy unceremoniously pulled the plug on the site in the wake of outrage from criticism-leery cops.

GoDaddy Silences Police-Watchdog Site RateMyCop.com, By Kevin Poulsen, ThreatLevel, March 11, 2008 | 8:42:42 PM

Heaven forbid we should have public oversight of public servants.

This is customer service?

New School: New Book by Adam Shostack

Adam Shostack, whose group blog Emergent Chaos I quote frequently in this blog, has a new book coming out with co-author Andrew Stewart: New School of Information Security.
We think there’s an emerging way of approaching the world, which we call the New School.

We start with a look at some persistent issues like spam and identity theft. From there, we look at why the information security industry hasn’t just fixed them, and some of the data sources which we rely on and how poor they are. We then look at some new sources of data, and new ways of interpreting them, and close with some very practical steps that any individual or organization can take to make things better.

The New School of Information Security, Adam Shostack, Emergent Chaos, 10 March 2008

I haven’t read the book yet, since it’s not published yet, but if it’s like the material he posts in his blog, it’s a good thing.

One of his commenters doesn’t get it.

Privacy in Germany: Courts Support It

Interesting that Germany has more respect for privacy than the U.S. does:
Government surveillance of personal computers would violate the individual right to privacy, Germany’s highest court found Wednesday, in a ruling that German investigators say will restrict their ability to pursue terrorists.

The Karlsruhe-based Federal Constitutional Court said in a precedent-setting decision that data stored or exchanged on a personal computer is effectively covered under principles of the constitution that enshrine the right to personal privacy.

“Collecting such data directly encroaches on a citizen’s rights, given that fear of being observed … can prevent unselfconscious personal communication,” presiding judge Hans-Juergen Papier said in his ruling.

Court Shoots Down Computer Surveillance, By MELISSA EDDY, Associated Press Writer, 27 Feb 2008

Although apparently Germany also has lazy cops who think spying on individuals is their birthright, just like in the U.S. Not regular police, mind you, but
…secret services’ ability to use virus-like software to monitor suspected terrorists’ online activity.
The court rightly said suspicion is not enough:
“Given the gravity of the intrusion, the secret infiltration of an IT system in such a way that use of the system and its data can be searched can only be constitutionally allowed if clear evidence of a concrete threat to a prominent object of legal protection exists,” Papier said.
And a judge has to approve it.

Now that’s risk management.

-jsq

Encrypted BitTorrent: Take That, Comcast!

Why am I not surprised?

Several BitTorrent developers have joined forces to propose a new protocol extension with the ability to bypass the BitTorrent interfering techniques used by Comcast and other ISPs. This new form of encryption will be implemented in BitTorrent clients including uTorrent, so Comcast subscribers are free to share again.

BitTorrent Developers Introduce Comcast Busting Encryption, by Ernesto, TorrentFreak, on February 15, 2008

BitTorrent itself is a hack to route around slow uplink speeds by using many uplinks all at once, so why not another hack to encrypt BitTorrent headers to make them harder for the likes of Comcast to detect?


Censorship Connected with Violent Terrorism

Over in Turkey:
Kemal Kerincsiz, the lawyer who tried to prosecute Orhan Pamuk, Hrant Dink, Elif Shafak, and several other writers for “insulting Turkishness,” has been arrested with 32 others following an investigation into a weapons cache discovered in Istanbul last year.

That investigation uncovered evidence of active plots to assassinate Pamuk, three politicians, and a prominent journalist and to stage a series of bombings in the coming year, according to reports appearing in the Turkish Press. One source, CNN Turk, has reported that Kerincsiz and twelve others have been charged with inciting people to armed revolt.

Pamuk Prosecutor Arrested, Charged in Plot, PEN American Center, January 28, 2008, seen on Bruce Sterling’s Beyond the Beyond.

I wonder how many other cases like this there are?

-jsq

Availability Is Not Security If an Abandoned Sea Anchor Cut the Cable?

I see in some fora people are still arguing that security involves countering malicious actors, and that availability alone is not security, even if people are depending on availability.

Were all those recent cable cuts in the Med. and the Persian Gulf not security issues, even though some of the affected companies are now planning to spend $300-400m on physical security to fix the problem?

If the culprit had been a Russian mobster or Al Qaeda or the CIA rather than (in one case) an abandoned ship anchor, then it would have been security, but now it’s not?

-jsq

U.A.E. Cable Cut of 30 Jan 2008

There’s been a lot of talk about the numerous cable cuts in the Mediterranean Sea and the Persian Gulf in the past few weeks. It’s interesting to see the Internet route around damage. Here is a visualization of the first cable cut, off Alexandria, on 30 Jan 2008.

-jsq

Publicity about Internal Fraud: Still an Issue after 30 Years

Adam quotes a 30 year old book about computer security and notes that the IRS then and now doesn’t adequately protect taxpayers’ information and promises to do better. His quote that I like best, though, is:
Top management people in large corporations fear that publicity about internal fraud could well affect their companies’ trading positions on the stock market, hold the corporation up to public ridicule, and cause all sorts of turmoil… (Computer Capers, page 72)

Computer Capers: Tales of electronic thievery, embezzlement, and fraud, by Thomas Whiteside, Ty Crowell Co., 1978

That’s why corporations fear a breach reporting reputation system. That’s also why we need one.

-jsq