Who to blame for the Google China Hack? The US government

There is an interesting piece on CNN.com, of all places, that postulates the real problem with the Google / China hack wasn’t the Chinese government but the US government and the backdoor computer systems installed to enable monitoring of calls and emails. Bruce Schneier, the author of several books on security, writes that changes in US law required many internet and telecommunications companies to put in place the systems needed to easily listen in on calls and Internet traffic. It was these very systems that the Chinese hackers exploited to get access to the Gmail accounts of dissidents.

China’s hackers subverted the access system Google put in place to comply with U.S. intercept orders. Why does anyone think criminals won’t be able to use the same system to steal bank account and credit card information, use it to launch other attacks or turn it into a massive spam-sending network? Why does anyone think that only authorized law enforcement can mine collected Internet data or eavesdrop on phone and IM conversations?
These risks are not merely theoretical. After September 11, the NSA built a surveillance infrastructure to eavesdrop on telephone calls and e-mails within the U.S. Although procedural rules stated that only non-Americans and international phone calls were to be listened to, actual practice didn’t match those rules. NSA analysts collected more data than they were authorized to and used the system to spy on wives, girlfriends and notables such as President Clinton.

US government recommends IT professionals throw out computers and phones after visiting China

A bit of a scare story coming from the press in Australia.  Seems some in the US government have told IT executives to be extremely careful when visiting China.  A bit of overkill.  You are probably under more of a threat just putting an unprotected system up on the Net.

Senior executives in US IT companies have been advised by the US Government to follow extremely strict policies for visits to China which extend far beyond standard software protection.

The policies encourage them to leave their standard IT equipment at home and to buy separate gear only for use in China.

The scary amount of information DHS knows about you every time you book a flight

A pretty scary amount of information is obtained by DHS every time you book a flight. A FOIA request was sent to DHS to deliver an actual travel report from DHS for a person who booked a flight online. Credit card, mileage and IP numbers were all reported to DHS, and the Feds even knew his preference for sitting in the rear of the plane.

Here is the list of stuff they obtain:

  • Credit card number and expiration (really)
  • IP address used to make web travel reservations
  • Hotel information and itinerary
  • Full Name, birth date and passport number
  • Full airline itinerary, including flight numbers and seat numbers
  • Cruise ship itinerary
  • Phone numbers, incl. business, home & cell
  • Every frequent flyer and hotel number associated with the subject, even ones not used for the specific reservation

NSA / DHS moves cybersecurity battlefield to the ISPs rather than government servers with Einstein 3 rollout.

Probably wouldn't be thrilled with the use of his name.

Privacy advocates and others are raising alarms about Einstein 3, the NSA / DHS-designed software intended to detect cyberattacks before they reach government computers. By co-opting the civilian government agencies and the internet service providers, Einstein 3 will be fighting battles before the attacks reach the government systems.

Einstein 2 is able to detect malicious code during predefined code signatures, while Einstein 3 will also be able to read e-mail and other internet traffic. Civil rights group Center for Democracy and Technology (CDT) called on the Obama administration to release information about the legal implications of Einstein 3, which will be rolled out across all government agencies.

“While its predecessor merely detected and reported malicious code, Einstein 3 is to have the capability of intercepting threatening internet traffic before it reaches a government system,” said a CDT spokesperson.

Google cuts a deal with the EU over book scanning

The constant source of litigation, aka Google’s Book Scanning Project, may be reaching a peace treaty of sorts over in Europe.  Under the terms of a proposed settlement with the EU and Google, Google will allow two non-Americans onto the review board that administers this program, and promises not to scan any books that are currently under copyright in the EU.  Google is working with the Oxford Library and several other libraries to put these works online, but encountering resistance from authors, publishers and various other sorts of copyright groupies.

Internet radio saved (again, maybe for good this time, hopefully)

The never-ending saga of Internet radio and royalty fees has reached yet another milestone as the recording industry and radio stations reached a compromise agreement on royalties.

The new per-song rates start at 0.08 of a cent per listener for each song played and rise to 0.14 of a cent in 2015, when the agreement ends. The rates set in 2007 by the Copyright Royalty Board started at 0.0762 of a cent but more than double to 0.19 of a cent by 2010. Under the new agreement, large webcasters pay whichever is greater — the per-song fee or the percentage of revenue. Smaller commercial webcasters — those with $1.25 million or less in total revenue — would pay between 10% and 14% of their sales or 7% of their expenses, whichever is greater.

Of course those entities that have other business models than just streaming music are not excited about turning over a percentage of their overall revenues, but some groups like Pandora have hailed the agreement as literally saving their businesses.

Next up in the recording industry’s crosshairs–terrestrial radio stations that do not pay a royalty on the music they broadcast over the air. Expect some legislation on that in the next few years…

Widespread cyberattacks this week against US Government systems

Who is behind this?

A massive coordinated attack on US government computer systems is underway, according to the Washington Post. The attacks are aimed against a variety of government websites, such as the Department of Homeland Security and the FTC. Also under attack are computers in South Korea, many of which have fallen victim to the attacks and become bots themselves. Needless to say, the South Korean National Investigative Service has a suspect:

Yonhap news agency said the NIS had told members of parliament’s intelligence committee that the communist North or its sympathisers may have instigated the cyber attack, which caused some sites to crash.

“The NIS has been telling committee members that North Korea or a pro-North Korean force might be behind the cyber terror,” it quoted one legislator as saying.

NSA to screen civilian computer networks–AT&T first taker for Einstein 3

NSA really likes the iPhone traffic on AT&T.

The Obama administration is going to announce that they will be following the Bush era plan to use the National Security Agency (NSA) to screen traffic of private Internet companies, so says the Washington Post.

Under a classified pilot program approved during the Bush administration, NSA data and hardware would be used to protect the networks of some civilian government agencies. Part of an initiative known as Einstein 3, the pilot called for telecommunications companies to route the Internet traffic of civilian government agencies through a monitoring box that would search for and block malicious computer codes.

Some technical people question whether it is possible to separate private Internet traffic from traffic directed at US government websites.

US-Russia disagree on cybersecurity treaty

The New York Times is writing about the latest arms control agreement between the US and Russia: cybersecurity. Though, like most other things, there is disagreement on how to proceed.

Russia favors an international treaty along the lines of those negotiated for chemical weapons and has pushed for that approach at a series of meetings this year and in public statements by a high-ranking official.

The United States argues that a treaty is unnecessary. It instead advocates improved cooperation among international law enforcement groups. If these groups cooperate to make cyberspace more secure against criminal intrusions, their work will also make cyberspace more secure against military campaigns, American officials say.

Russian hackers are often protected by the FSB and other law enforcement officials.  Regardless of which tack is taken in handling cybersecurity between the two countries, the continued corruption of the FSB is likely to make any enforcement efforts rather difficult.  Perhaps Russia just wants another treaty with the US to make it feel like a world power?

Judge rules blogger’s identity must be revealed: “Blogging is essentially a public rather than a private activity”

The secret blogger behind the UK police blog Night Jack has had a legal setback in his quest to remain anonymous. The UK High Court has refused to preserve the anonymity of the policeman who has blogged about his work and government ministers. The BBC is reporting that because the blogging touched on political issues, he had more of a public role than he might have expected. From the BBC’s write-up:

In his blog “Night Jack – An English Detective” the unnamed officer chronicled his working life in an unnamed UK town: descriptions of local criminals and his struggle with police bureaucracy.

Mr Justice Eady said the blog contained opinions on a number of social and political issues relating to the police and the administration of justice.

He added Night Jack had expressed strong opinions on matters of political controversy and had also criticised a number of ministers.

The blog has now been deleted and many of his comments can no longer be found short of searching the archive sites.  We’ll see what the Times publishes and then watch the ramifications of the police bureaucracy crushing this man’s life over the next few months.
