The Future of the Internet

Posted on 26 March 2004 to: Information Security

I don’t frequently refer to documents with terms like “critical” and “must read,” but Symbiot Security’s recent whitepaper (PDF) on the rules of engagement of information warfare is such a document. Symbiot has recently gotten a fair bit of press coverage in the IT world for their decision to release a security system designed to launch counterattacks against crackers targeting corporate networks. (Full disclosure: I previously blogged on the subject.)

However, despite the fact that this document has garnered the most attention from IT professionals, this document should be read by every single Internet user, because it heralds a fundamental change in the way security on the Internet will work. In this case, Symbiot’s marketing slogan that “the rules of engagement for information warfare will change forever” is not so far off the mark. Symbiot is crossing a very large line with their new product: For the first time, home and business computer users may be the targets of major attacks from security professionals. The whitepaper explains how Symbiot plans to implement their technology and some of the justification behind it, but the overall impact of that technology requires a deeper analysis. Internet users everywhere are in for a wild ride, and it’s important that we look at why.


Munich in Beijing

Posted on 17 March 2004 to: China, Europe

I have never been a particular fan of France’s foreign policy. However, the latest display of Gallic gall is utterly breathtaking.

BEIJING, March 16 (Reuters) - China and France held joint naval exercises for the first time on Tuesday, four days before Beijing’s rival, Taiwan, holds presidential elections.

Chinese and French helicopters landed on board each other’s warships off the mainland’s eastern coast in what China’s Xinhua news agency called the “largest-scale joint drill held by Chinese and foreign navies”. …

French President Jacques Chirac, keen to strengthen ties with China and win French business a firm footing in the rapidly growing market, sided with China in January in opposing Taiwan President Chen Shui-bian’s plan to hold a referendum on missile defence alongside presidential elections on March 20.

Let me restate that, just so the facts are on the table: A Western democracy has just used its military to intimidate another democratic nation in support of a Communist dictatorship. This follows on the heels of Chirac’s statement in January that any referendum that changed the status quo would be “irresponsible.” This is what “Liberty, Equality, Brotherhood” has come to: a declaration that it is irresponsible for a nation to decide, through a free election, that it doesn’t wish to be part of a dictatorship with expansionist tendencies and no respect for human rights.

I wish I could say that this was unprecedented behavior from the French, or from any other Western democracy. Unfortunately, the Czechs learned in 1938 what happens to small nations when the French begin negotiating with dictators over your fate. Let us hope that the French come to their senses and recall the events of the 1940s before they start working to translate the Munich Pact into Chinese.

Update

Wretchard over at the Belmont Club is drawing the same analogy, but with regards to the Spanish election, not France. Isn’t it wonderful how countless members of the blogosphere can read The Rise and Fall of the Third Reich and figure out that appeasement fails, but much of the population of Europe cannot? Spain and France were both ruled by Fascists not too long ago — it would behoove them to examine how exactly dictators operate. (And, in all fairness, some of the Spanish get it, but many do not.)

3/21/2004: Updated again to fix a typo and to improve the accuracy of my reference to Chirac’s statement on the “irresponsible” nature of the Taiwanese referendum.

My good friends, for the second time in our history, a British Prime Minister has returned from Germany bringing peace with honour. I believe it is peace for our time…
Go home and get a nice quiet sleep. — Neville Chamberlain, 30 September 1938

Science-Fiction Becomes Reality

Posted on 10 March 2004 to: Information Security

In Neuromancer, William Gibson wrote about “black ice” - offensive computer security systems. ZDNet is running an article suggesting that this concept is one step closer to becoming reality.

Although the article is filled with misgivings about the system, I think that it’s a concept whose time is rapidly coming. The problem with the Internet at present is that it is an anarchistic system, but is not recognized by most of its users as such. As a result, there is a large amount of outright negligence among those Internet users with regards to security. Countless help desk technicians and sysadmins have tried to spread the message over the last few years that security is everyone’s responsibility, but this message has been getting lost. Perhaps it’s time to apply some consequences for running an insecure system which is then hijacked and used for DDoS attacks, spamming, or hosting of illegal content.

The article makes much of precisely these hijacked users as a reason why this system is a bad idea, painting a picture of havoc unleashed upon hapless bystanders: “You may be taking out grandma’s computer in Birmingham that has got a 100-year-old cookie recipe that has not been backed up.” However, if Grandma has let her system go unpatched and un-firewalled for the last few months, opened unsolicited attachments, and generally been lax in security, the fact of the matter is that Grandma has been grossly negligent with her system’s security.

The best analogy is one of a car: If Grandma has left her Oldsmobile unlocked on the street with the keys in the ignition for the last three months, and it is taken for a joyride down Main Street by a pair of teenagers, Grandma doesn’t have much of a right to complain if the police dent the car in the process of stopping it. By failing to apply basic due diligence, Grandma has left herself open to the risk of incurring damage if others hijack what she has failed to secure.

This particular issue — the ethics of negligence in computer security — is one that I have been mulling over for a few days. I hope to write a longer post, or perhaps a paper, on the subject next week in an attempt to do it justice. As more and more critical infrastructure is connected to the Internet, and as the Internet becomes more and more critical to financial transactions, it’s time to take a long, hard look at the consequences of irresponsibility on the Internet.

There is one major difference between Gibson’s “black ice” and the computer security issues we are faced with today - “black ice” was a lethal defensive system. We haven’t yet seen the first fatality from a computer virus. However, this may just be a matter of time.