Surveillance works, so?

the argument over the necessity of surveillance and the value of privacy has become old; obviously it does not change what’s going on as far as legislation goes. it may eventually, but not in the near future.

dennis henderson, a great guy, recently wrote to the funsec list:

some say surveillance works.

http://www.washtimes.com/op-ed/20060810-084233-1883r.htm
http://www.opinionjournal.com/editorial/feature.html?id=110008785
http://powerlineblog.com/archives/014970.php
http://newsbusters.org/node/6921

we’ll see…

remember the good guys have to be right 100% of the time. the bad guys only have to be right once.

my answer is…

of course surveillance works; the question is often whether it is necessary. it often is, to a degree, which is why the question becomes: how do we know it is not abused?

with security in mind, the difference between a democracy and a dictatorship is that in a democracy you blacklist, saying what is not allowed and allow everything else. in a dictatorship you whitelist and disallow everything else.
security-wise, a dictatorship is better. do you want to live in a dictatorship?

so i made the above up, but it makes sense to explain it to security folks.

this discussion is ongoing on the funsec list.

or as this unrelated yet cool irish metal song says:

some say the devil is dead, the devil is dead, the devil is dead,
some say the devil is dead and buried in killarney.
more say he rose again, more say he rose again, more say he rose again,
and joined the british army.
feed the pigs and milk the cow, milk the cow, milk the cow,
feed the pigs and milk the cow, so early in the morning.
tuck your leg up, paddy, dear. paddy, dear, i’m over here! tuck your leg up, paddy dear,
it’s time to stop your yawning.
some say the devil is dead, the devil is dead, the devil is dead,
some say the devil is dead and buried in killarney.
more say he rose again, more say he rose again, more say he rose again,
and joined the british army.
katie, she is tall and thin, tall and thin, tall and thin.
katie, she is tall and thin. she likes a drop of brandy.
drinks it in the bed at night, drinks it in the bed at night, drinks it in the bed at night.
it makes her nice and randy.
some say the devil is dead, the devil is dead, the devil is dead,
some say the devil is dead and buried in killarney.
more say he rose again, more say he rose again, more say he rose again,
and joined the british army.
my man is six foot tall, six foot tall, six foot tall,
my man is six foot tall, he likes his sugar candy.
goes to bed at six o’clock, goes to bed at six o’clock, goes to bed at six o’clock.
he’s lazy, fat and dandy.
some say the devil is dead, the devil is dead, the devil is dead,
some say the devil is dead and buried in killarney.
more say he rose again, more say he rose again, more say he rose again,
and joined the british army.
my wife, she has a hairy thing, a hairy thing, a hairy thing.
my wife, she has a hairy thing, she showed it to me sunday.
she bought it in the furrier shop, bought it in the furrier shop, bought it in the furrier shop.
it’s going back on monday.
some say the devil is dead, the devil is dead, the devil is dead,
some say the devil is dead and buried in killarney.
more say he rose again, more say he rose again, more say he rose again,
and joined the british army.

gadi evron,
ge@beyondsecurity.com.


Leo Stoller Targets CastleCops (!)

leo stoller is targeting castlecops, apparently trying to bully them into paying him settlement money for their trademark.

castlecops are doing important work in the realm of anti-phishing, for no charge.

it pisses me off considerably when injustice online is done, especially when it is done to those who can’t afford expensive lawyers!

leo stoller is known for such attacks, and apparently makes a living from it. you can read about him here, here and here.

you can read more from castlecops who are going live in a couple of minutes here:
http://www.castlecops.com/a6615-leo_stoller_targets_castlecops_trademark.html

castlecops is one of us, and it hurts us all when one of us is targeted.

gadi evron,
ge@beyondsecurity.com.


Intellectual Property II

Somebody asked me:

> Rob, Did they give you these policies in advance? Any kind of writer’s
> guidance in advance?

I did, in fact, have the policy in advance, which is another and very
interesting story. This mag is part of a group, and I had previously written an
article for another of their rags. Having written the first article (and, at
the last minute, had to yell and scream when they changed the implication of the
article to the complete opposite of that intended), suddenly I couldn’t get paid
because they didn’t have a “freelance writer’s agreement” with me. So, having
wasted serious time in putting together that first article, I was eager to do
this expeditiously. Maybe they could send me either a softcopy of the
agreement, or a scan, by email? Oh, no! Heaven forfend! They couldn’t make a
softcopy or scan of the agreement: the agreement itself was intellectual
property, and they wouldn’t want any possibility of unauthorized copies floating
around. (This is a mag group on high tech topics and they haven’t heard of
photocopiers?)

Anyway, the agreement is one of the more bizarre and convoluted documents I’ve
ever seen, and contradicts itself on this very point. Page two says (buried in
one paragraph) that the item supplied “has not been previously published”, while
page one says that, if it is, the supplier (that’s me) supplies the item under
the terms in the contract.

However, while I used my own previous writings, the item supplied definitely
hadn’t been published before. I’ve written extensively on the history of
computer viruses, but I’ve never before had to pare the text so sparingly,
wondering, often, if I was misrepresenting the actual situation by having to be
so terse. (But that’s always the case with magazines anyway.)

> If not, do you have a lawyer that you can talk to?

A lawyer? You’ve got to be kidding. That’s one of the major points with this
whole copyright issue, and it is a major factor with the file-sharing/RIAA/MPAA
business as well. Copyright law, and lawsuits, are the province of entities who
can afford lawyers, and writers can’t. Corporations can. So, supposing that
this publishing group decided to take what I submitted to them, not pay me, and
publish the feature anyway, even under somebody else’s name. How much is it
going to cost me to sue them? How much chance do I have of getting them to even
answer the suit? If it did go to court, they’d be able to fill the court with
lawyers: if I *was* able to get anybody to take my case for the pittance I’d be
able to pay, do you truly think that I’d have any chance of winning, even with a
case as clear cut as all that?

I’ve got a lot of experience here, believe me. I’ve had all kinds of people
steal my stuff over the years. Once, somebody took 150 of my reviews, all of
which you have seen marked with the “copyright Robert M. Slade [year]” line, and
published them in his book. I raised that issue with the publisher. I have a
nice letter from a Vice President of John Wiley and Sons, stating that I have no
rights in the matter because, in their considered opinion, anything that appears
on the Internet is completely free of copyright protection. (Someday, when I
get mad enough, I’m going to scan some of Wiley’s books and put them on the net,
along with a copy of that letter.) Most recently, I found that a company had
posted my entire dictionary of security terms on their site. (In that case,
they did apologize and take it down. They had contracted out that part of the
Website, and had no idea that the contractor had delivered stolen goods. I have
no idea what happened to the contractor.) In any case, I can complain, and
sometimes I get an apology, or a request for permission. Never have I gotten
any money. Copyright law just doesn’t work for us producers.

(In related news, Canada recently narrowly missed having an amendment to the
copyright law here, Bill C60. There is an ongoing discussion about it in the
editorial and letters page of the Vancouver Sun. In today’s paper [and in yet
another irony, the Sun won’t let you see that at
http://www.canada.com/vancouversun/news/letters/story.html?id=36792a16-ae29-433d-a89d-988f4fb0d8e3
unless you are a subscriber] someone from UBC is sounding
the “file sharing is theft” mantra. I find this interesting because he talks
about getting royalties for materials he has written. I wrote some stuff for
UBC a while back. When someone signs up for the online course, UBC gets $2,000,
and I get $5.)

(Oh, dear. I used a couple of lines from her message in this one. Now
I’ll have to get her to sign a formal release before I send this. Ooops, too
late. Hit the “publish” button already …)


Copyright Gone Mad

copyright Robert M. Slade, 2006
(with that little (c) symbol thrown in for good measure)

I got asked to do a 20 year retrospective on computer viruses for a
tech magazine. (The Brain virus is thought to have been released in
1986: there is a string of “(c)1986Brain” in the body of the virus
that is presumably a copyright notice, which is highly ironic for a
number of reasons.) There were a few oddities about the request, such
as a demand for graphics. I normally don’t do graphics, but I had
such a fun time doing the article that I gave in, and finally put
together quite a piece, I thought. It was a gas going back over all
the stuff I’ve seen over the years.

You may never see it.

See, I got this phone call from the magazine today. It seems that
some of the wording in my article bears a striking resemblance to a
site on the Internet: “Robert Slade’s Computer Virus History” at

http://www.cknow.com/vtutor/RobertSladesComputerVirus.html.

This is surprising?

I’ve been writing articles, series, and books about viruses since the
darn things started. As a matter of fact, it’s a bit surprising that
they didn’t find more sites with my stuff on it, especially since
there have been dozens of examples that I’ve seen myself, over the
years, where people have used my material and passed it off as their
own.

But it seems that this outfit has a policy where they won’t publish
anything that has already appeared on the net.

I suppose that’s fair enough. Everybody is getting really antsy about
copyright violations these days, and, as somebody who does an awful
lot of writing, I suppose I should approve.

Except I don’t. The crackdown (and crankdown) on copyright and
copying is making it hard for a lot of us who are relying on our own
research and writing. After all, who else am I going to use for
material on virus history? Oh, lots of people were there, but who
else wrote it down? I do go back (and did go back, for this article)
and check on specifics, and even made corrections on items we’ve found
out more about. But, by and large, if I want to generate a decent
timeline of what happened, I have to rely very heavily on my own
stuff.

Except, now I can’t.

Well, like I said, you may not get to see the history article. Or, if
they are willing to bend their policy a bit, you might. But I’m
willing to bet that their policy is more important to them. After
all, they can always get another writer to do it for them.

Of course, in all probability he won’t know anything about the history
of viruses.

Or, he can read my stuff. And reuse it.

copyright Robert M. Slade, 2006
(with that little (c) symbol thrown in for good measure)


UK Home Office Trying To Ban Development Of Hacker/Security Tools.

I’m all for stronger Cyber Laws in the UK, as I am the first to admit that they really are quite lax at the moment, but the proposed new additions to the Police and Justice bill really are taking things too far now.

I’m happy that they plan on extending the maximum prison sentence for hacking into computer systems from 5 to 10 years. The part of the new bill that I have a huge problem with is Clause 35, which contains provisions to stop the development, ownership and distribution of aptly named “hacker tools”.

My big question on this one is, so where the hell does that leave all of us in the security industry if this bill gets passed? If we’re not allowed to legally use the same tools as our enemies, we are not going to be able to defend our networks adequately at all. If this gets passed, it will end up giving the UK government even more power, making corporations and security professionals powerless against hackers and forcing them to rely on the British government to protect all computer assets in the country. So if company A gets hacked, what should we do, stand by idly and wait for the police to do something about it? This would cost the country and the economy millions of pounds! I also know for a fact that the National Hi-Tech Crime Unit does not currently have the manpower to take on a task of this magnitude. I really hope that all parties involved in passing this bill take everything into consideration before coming to a decision, as this could have far-reaching consequences for the UK as a whole.

The entire proposed Police and Justice Bill can be found online at http://www.publications.parliament.uk/pa/cm200506/cmbills/119/06119.i-iv.html


Another phisher bites the dust

phishing is a major roi (argh! management talk) source for the bad guys and specifically the russian mob (which runs a large portion of today’s phishing operations globally).

one way to change this roi calculation is by changing the economics of the business, making phishing less profitable or more dangerous for the bad guys.

here is the most recent arrest, in bulgaria, as told by a microsoft press release.

gadi evron,
ge@beyondsecurity.com.


Guilty until proven innocent? [are we France now? ;)]

[the france reference in the title is about the french napoleonic code legal system rather than anything about france or the french. take no offense! :) ]

a cool kid tried to access the internet at school… high school.
apparently the school now uses an internet content filtering mechanism… that makes sense.

what doesn’t make sense is the story. if we are to believe the kid’s side (which i personally do), this serves to bring up the question of what the right use of censorship is and how easy it is to pass that fine line, even if by mistake, stupidity or ignorance. in this case i believe there was also malice, but go figure.

from necessary evil, through censorship, to framing?

more to the point though is the kid’s expectation of privacy. where can we expect privacy and where is it a dream?

our homes? an internet cafe? maybe.
schools and libraries? a friend’s computer? i am not so sure. it’s not ours and it is public, so why risk it?

more importantly though, the kid asks for help to… now get this: protect himself from such future false allegations by logging his own activity (rather than to bypass the scrutiny).

what do you guys say?

gadi evron,
ge@beyondsecurity.com.


Defining “Authorized”

I read an interesting post on Ido Kanner’s blog about the Egilman civil case. Egilman sued an individual after that individual accessed his web site using credentials of another user.

Rather than bringing his case under Title 18, Section 1030 (which governs “unauthorized access to a protected computer system”), Egilman chose to file his case under the Digital Millennium Copyright Act (DMCA) as an anti-circumvention violation. Egilman’s claim was that using a password without permission from the site owner amounted to “circumvention of a technological measure that effectively controls access to a work protected under this title [DMCA].”

The judge reviewing the case, of course, threw it out, finding no indication that an intent to circumvent existed. Rather than circumventing the protection, the defendant was simply complying with it. Egilman’s decision to pursue the case in this manner is indeed puzzling until one looks at the statute involved.

Title 18, Section 1030, offers three potential points of prosecution that would’ve been relevant to Egilman. Any person who commits any of the following actions is guilty of a felony under Section 1030:

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

[...]

(C) information from any protected computer if the conduct involved an interstate or foreign communication;

[...]

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

[...]

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce;

[...]

Given the federal court’s jurisdiction over this issue, Egilman could reasonably have convinced a judge that the defendant obtained information from a protected computer without authorization in violation of paragraph 2, or that the defendant obtained something of value without authorization in violation of paragraph 4. A less-straightforward, but still plausible case could’ve been made for illegal trafficking of a password in violation of paragraph 6.

Instead, Egilman chose to label the misuse of the password to be circumvention of a protective measure intended to protect copyrighted works shielded from public access by the site’s simple password authentication system. Though the merits of password authentication are another debate for another day, the question I was asking at this point is why in the world Egilman chose to pursue the crime as a DMCA violation?

In this case, it appears Egilman chose this avenue of prosecution because the malicious user was actually authorized for the purposes of Section 1030.

For many sites, a mere username and password pairing authorizes you to access protected portions of a site’s content. Some blog hosts, for instance, require nothing more than a valid e-mail address to set up an account, after which a simple username and password suffices for access to that account. Many content providers include no mention (not even in their lengthy Terms of Use agreements, that nobody reads but me) that using an account you did not create is an unauthorized use of the services that site provides.

In such cases, unauthorized means of obtaining a password (exploitation of software flaws, brute-force cracking attempts, etc.) are obviously illegal under Section 1030. The more murky legal territory surrounds cases where an attacker possesses a valid (authorized) set of credentials via some other means, in spite of not being the authorized user. This could even include cases where the attacker was informed of the credentials by a user who had obtained them illegally. This is true because Section 1030 requires an attacker to “intentionally access a computer without authorization or exceed authorized access” or to “knowingly access a protected computer without authorization” before a crime has been committed. Computer crime laws in most other nations have similar standards of criminal conduct (i.e., the prosecuting plaintiff must prove intent).

In the case of someone who had illegally acquired a password revealing it to an attacker-to-be, the leaker would face conviction under paragraph six (language that is, again, modeled in most of the developed world), but the attacker who used the stolen password could conceivably argue ignorance by claiming that he/she had no idea the access was unauthorized.

Further, a defendant charged under paragraph six could make a compelling argument that because accessing an account created by another user is not unauthorized according to the TOU (provided the credentials are otherwise lawfully obtained — an exercise to the reader) a crime has not been committed.

As a security professional, I understand that access to be unauthorized, as do most in this field. However, the legal system doesn’t provide the grounds to prosecute an offender based solely on that assertion. That means a user who willingly reveals credentials may expose himself/herself to damage and you to lost hours, without leaving you any legal recourse. In a world where people still cough up the goods to random strangers in return for candy bars and coffee, that’s an unacceptably high risk.

But don’t panic… the legal system doesn’t force you to accept the costs of moronic users. It only offers you the opportunity to do so if you don’t cover all your bases. The solution to this potential legal pitfall (and the way to avoid being caught in Egilman’s situation) is to ensure that all users who could potentially be asked to authenticate themselves are aware that using credentials to log in is a testimony by the user to be the owner of the account they correspond to as well as the credentials themselves. It won’t deter criminals, just make them easier to nab if they strike.

At the very least, Terms of Use agreements should be updated to include terms similar to the following:

You agree that you will not disclose your [insert site] account name or password to anyone under any circumstances. You agree to notify [insert site] as expeditiously as possible if you believe that your account details have been compromised. Willful disclosure of account information to a third party may result in the termination of your account at our discretion.

Use of [insert site] user identities not created by you for your personal use is not authorized by [insert site] and is a violation of these terms of use.

This absolves sites of the responsibility to deal with passwords that have been disclosed voluntarily (stolen passwords are another story) by defining that to be prohibited conduct in violation of the TOU. Further, a TOU agreement amended in this fashion also defines use of another user’s credentials to be a violation of the TOU, and specifically unauthorized.

Problem solved, right? Wrong.

Most providers only require a TOU to be read as a precondition of creating an account, with the assumption being that creating an account is a prerequisite to utilizing services. This perceived dependency, in reality, may not exist in a case such as this. Therefore, concern could arise as to whether the TOU is binding upon a person who logs in with another user’s credentials, as this person was never asked to read the TOU.

The solution to this problem? Require agreement to the TOU to log in. This can be in the form of a checkbox, text in the realm used for HTTP authentication, or say… a line or two of text between the input fields and the submit button on a login form:

Logging into this site indicates your agreement to use the services provided according to our terms of use. For more information, please read the agreement [link].

Finally… problem solved. For today. Legal issues are boring, and I’m no superstar lawyer, but not addressing this one could lead to pain down the road… even for non-legal folk.


Scattered Passwords

A federal court recently ruled that using user names and passwords that do not belong to you is not an illegal act according to the Digital Millennium Copyright Act (“DMCA”).

InternetCases.com reports:

Plaintiff Egilman maintained a website that was only available to visitors who entered a correct username and password. He had employed such measures so that only certain people (e.g., his students) would have access. Egilman alleged that, without authorization, the defendants obtained the correct username and password combination, and subsequently gained “improper and illegal” access to the site.

The federal court has made the following statement:

the DMCA and the anti-circumvention provision at issue do not target the unauthorized use of a password intentionally issued by plaintiff to another entity

and:

It was irrelevant who provided the username/password combination to the defendant.

So the bottom line is: If someone is using the correct user name and password on a technical device, they are not breaking the law, even if they got the password illegally.

Resources:
Federal Court decision (pdf)
InternetCases.com


Payback for Ciscogate – new trend?

on the surface it seems like in recent weeks people started going full-disclosure on cisco, surprising them with vulnerability reports on bugtraq and friends. i may be wrong and they knew of these ahead of time… if i am, forgive me. it seems like “payback time” or “loss of faith” after “ciscogate”.

this possible trend is more than just disturbing, it’s dangerous to us all when it comes to a company like cisco… whether they “deserve” it or not is irrelevant. they represent most of the internet’s infrastructure and that by itself is a problem.

today when microsoft truly /wants/ to work with researchers (even if sometimes they don’t act it), the main problem they face is that researchers simply don’t believe in them. they are used to hearing things like:
“this is not a vulnerability”
“yes, we are already aware of that” (=and that is why you won’t get credit)
and many other responses, although sometimes people don’t even get a response.

myself, i never had such problems with microsoft and found them very responsive and serious in their replies, at least in recent years. but that’s just my personal experience and that doesn’t count. :)

with cisco, it can get worse. researchers may fear that if they do get a response (or work with psirt) it will be in the form of a legal document or a search warrant. still, cisco is responsive, and i don’t much like full disclosure against companies that actually handle reports and give due credit to researchers.

i suppose only time will tell where this will end, but it seems that much like predicted by mike lynn, raven alder and myself, exploits with cisco are going to become a very serious concern in the near future for the infrastructure.

i believe people should give cisco psirt a *chance* before going public with vulnerabilities… but if they don’t i suppose cisco and everyone else learned a valuable lesson.

what that lesson may be is a whole different blog entry. not many had a grudge against cisco before ciscogate… and lost faith is very difficult to recover.

gadi evron,
ge@beyondsecurity.com.


(More) Security Issues With Sony BMG CDs

A matter of weeks after a recall program for Sony BMG’s “rootkit” XCP technology was put into place, security holes have been found in another protection scheme used by the company.

Reportedly, SunnComm’s MediaMax (the system the more invasive XCP was due to replace) installs binaries on the system with insecure file permissions that let local users gain privilege on systems with MediaMax installed.

The vulnerability was outlined in a report published by the Electronic Frontier Foundation (EFF) as part of its class-action lawsuit against Sony BMG, which seeks damages for consumer complaints regarding MediaMax, as well as the more controversial XCP.

Sony BMG were already in one wicked mess over XCP, with the State of Texas seeking damages against the company of $100,000 for each XCP-infected system. Now, reports of vulnerabilities in MediaMax may be used as ammunition to further consumer complaints against that controversial system as well.


On “Responsible Disclosure”: Stripping the Veil From Corporate Censorship

If you keep up with Microsoft’s Security Advisory releases (most recently Advisory #911302), you’ll note the following disturbingly typical portion:

Microsoft is concerned that this new report of a vulnerability in [insert product] was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

Microsoft has included such wording in each and every one of its security advisories that is relevant to a public disclosure and will continue to do this for the foreseeable future. It is rapidly becoming evident that what Microsoft defines as “responsible” is “conforming to the company’s wishes”. The language, aside from being overtly hostile toward a number of talented and professional researchers, is a slap in the face dealt to real efforts for “responsible disclosure”. Microsoft’s public claims to a monopoly on the moral standard of “responsibility” not only cost the company a substantial amount of credibility within the community, but also harm the efforts of researchers who seek real reform in the vulnerability disclosure process.

In the case of 911302, the ‘report of a vulnerability’ Microsoft cites is information published by a British firm regarding the Window.OnLoad Race Condition in its Internet Explorer browser. The catch that Microsoft fails to mention? The vulnerability had already been reported publicly after Microsoft discounted it as a non-exploitable flaw. The lag time between the two reports also hurts Microsoft’s case: the issue has been known since May, and the code execution possibility was reported in November.

So, in the case of 911302, Microsoft is complaining because it failed to consider the possibility that a class of race conditions (those that reliably produce calls to free portions of the virtual address space) that has historically proven exploitable would prove equally dangerous in this instance. Microsoft failed to do its homework, and then chastised the British firm (ComputerTerrorism.com) for exposing the company’s gross negligence in its handling of this vulnerability.

While I think CT should have notified Microsoft, its reasons for not doing so are compelling. A large portion of the exploit vector was already publicly known — so much so that CT’s work had probably been accomplished by other malicious actors or was trivially achievable. The malicious members of the community had the same six months that Microsoft had to identify the exploitability of this flaw. As CT’s research illustrates, Microsoft’s disinterest in the flaw was not shared by the community. Therefore, Microsoft’s claims that CT was “irresponsible” (very explicit in its advisory) are brazen at best, flat out wrong at worst.

But Microsoft isn’t the only major corporate organization trying to muzzle researchers by way of public character assassination. Remember Michael Lynn, the researcher sued by Cisco for violating supposed industry standards of “responsible disclosure”? Lynn’s only crime was publishing an exploit for a long-fixed vulnerability in Cisco’s IOS after Cisco failed to acknowledge the hole in release materials for the relevant IOS update.

Remember SnoSoft? The group was threatened with legal action by Hewlett-Packard after exploit code for HP’s software leaked from its laboratories.

When these practices are criminalized, the meaning of “responsible disclosure” has clearly been co-opted by corporate interests to mean “what is deemed acceptable by the affected vendor.”

To further illustrate this, I offer you a hypothetical scenario:

A vendor was informed of a vulnerability in its software in early August. The vulnerability was of exceptional severity, and yet the vendor failed to acknowledge this fact. Though a fix was planned, the vendor made no effort to coordinate the release of fixes for different affected products and would offer no immediate timeline for release. In February, 180 days later, the vulnerability is disclosed to the public, with fully-applicable workarounds, in the absence of a vendor-supported fix.

If that vendor were Microsoft, how many people can seriously doubt that we’d be seeing the same exact wording replicated in the advisory on that vulnerability?

The irony of this, of course, is that Microsoft, HP, Cisco, et al, are shooting themselves in the foot. All of those named would do well to give up the deluded vision that the world will soon return to a culture of non-disclosure, granting vendors indefinite timeframes and the absolute freedom to (mis)handle vulnerability information as they choose. History and today’s experience both tell us that trust in vendors on security issues is naive and misplaced.

Unfortunately, the insistence of vendors on using the term “responsible disclosure” as a tool of their hopeless agendas undermines what little hope any of them have to see real reform in the way vulnerability information is handled.

So, if the corporate agenda doesn’t qualify, what is responsible disclosure? What better source for a community standard than CERT? It’s one of the few bodies with credibility in the research community that is also generally respected by vendors. CERT sets a 45-day baseline for disclosing vulnerability information. While this is, in practice, rather toothless, I wish CERT would stick to it, and I wish more members of the community would adopt this relatively moderate standard more rigidly than CERT itself has done.

Using a community clearinghouse as the source of a semi-standard approach to “responsible disclosure” would force vendors to explain why they consider the disclosure policy of an industry leader “irresponsible”, undermine their legal claims and subject them to large amounts of bad press. Vendors who fail to acknowledge this policy as de facto standard could be handled mercilessly by both the community and the legal system, with clear basis in community standard.

In addition to debunking false vendor claims of “irresponsible disclosure”, this standard could also be used to establish community precedent that vendors have an obligation to promptly fix vulnerabilities. Any that choose instead to publicly demonize researchers should face a taste of their own medicine — in the form of lawsuits — for this slanderous conduct.

It is time that the vulnerability disclosure debate moved from special interests into the open community, because it is only then that we can hope for a standard of truly responsible disclosure that offers customers real protection and forces some degree of accountability upon commercial vendors for the effects of their ineffective security processes.


Japan to Stage Mock Cyberattacks

I can already picture it: in a few years people will conduct, like they do – or should do – today for fire drills, cyberattack drills where they will test the durability and readiness of their employees and company for a cyberattack.

Until that happens, the Japanese government has decided that it will force/ask a few public and private companies to take part in an exercise to see how well prepared they are for an Internet-based attack.

These exercises are planned so that “… experts will check computer security by gauging the time and work necessary for the participants to normalize their networks”.

Haa? What will they be checking? I would check whether they were able to penetrate them or not, not whether they were able to normalize their networks. Normalized means that they were penetrated but were able to regain control; they should be investigating how the attackers gained control in the first place!

Anyway, it would be interesting to see the results of this exercise, whether it becomes more of a routine for the Japanese government and companies, and whether it will be endorsed in other countries.


The Changing Face of Crime – What’s Out There?

what constitutes a crime?
what crime is more serious than another?

both questions of great magnitude that i fear to even begin to approach in this blog. still, whatever the answer is, there is one thing i am sure of: it isn’t black and white.

in the changing world we live in, with constant revolutions of a grand magnitude happening continually (a global economy, an internet society and many others), we all try and cope. our world is used to a major revolution in our way of life and how we think once every few dozen to few hundred years, allowing us time to adjust.

in today’s world we no longer have that luxury.

i often struggle with how law enforcement today operates. organizations whose business it is to keep the public safe are years behind on what’s actually going on. where they are not behind they often face policy from above that tells them not to work on “cyber”-issues (i hate “cyber-”) as there are far more pressing matters about.

that policy is correct. catching murderers and rapists is by far more critical than catching the kid next door in his latest “computer prank”. plus, petty theft is something the public cares about. “hackers”.. well, we are often proud of our overly intelligent kids and the feats they accomplish.

as i already said though – nothing is ever black and white unless it is how we view it. online crime is no longer about kids. it is not a bored employee who hates his boss and tries to hack the company’s servers after-hours. online crime is a business.

much like with every other society, the “attacker” may be a bored kid, a disgruntled employee or a small-time criminal. the “attacker” can also just as easily be the mob, a competing company (industrial espionage) and maybe even a nation.

who owns a gun in our world? who owns a gun in the “cyber-”world? the comparison is very acute.

today, this is not just fud. internet crime is no longer (only) about kids trading bots like candy. today it is about organized crime taking over and investing vast amounts of money in r&d of both their /technological/ and /operational/ capabilities.

we often do not see behind the scenes, but if we do take a few choice cases -
1. the israeli trojan horse scandal, where leading companies hired private investigation firms to spy on their competition using trojan horses. the price-tag was 17k uk pounds per computer being tapped, per month.
2. google it, but there were similar cases discovered in the last 6 months in both the uk and the us.

i’ve personally been approached about doing such illegal “thingies” twice, thus far. once by a middle-man and once by the ceo of a global private investigation firm. i didn’t take the jobs, but it is pretty obvious that this “hidden” world is very much alive. we just don’t hear about it _very_ often.

what we do hear about, see and get annoyed by every day is phishing. it is public and might give us some sort of an indication of what this is all about.

the apwg reports thousands upon thousands of new unique phishing sites every month. losses from phishing in the us amount to 10-20 million usd for some banks.

in germany, there is a phishing attack every few days by several different scammer groups. in each such attack about 2000 people get fooled and about 6 people do not get their money back (banks are very good at moving money around).
on average, about 6k euro are lost per person. that’s 1.2 million euro per year, for one group. these numbers keep increasing.

it is estimated that globally, in the first half of 2005, roughly half a billion usd were lost to scammers from phishing alone.

all these numbers do not include damages, recovery and money paid for prevention.

what does this mean?

it means there is clear-cut roi (return on investment – bahh, management talk) to the bad guys. they are not going to stop as long as the economics of it are in their favor and the only way to change the economics is to make it not worth their while.
today they do not take much of a risk though, do they?

a second important point is that indeed, this is no longer just an online issue. money is real. the attackers are not bored kids, they are more often than not the russian mob.

as an example of a meat-space connection: earlier this year a woman had her account cleaned out at a branch of her bank on the west coast, after her account details were phished.
a week later a fedex package came in to a different branch of the bank – on the east coast.
that package held a fake check meant to re-fill that account.

law enforcement has made incredible improvements in both ability and willingness to cope with online issues, especially these past two years. still, they are under-staffed, often burdened by handling computers for meat-space cases over actual “cyber-” cases and the policy guys upstairs still do not see the problem for what it is.

that’s it in a nutshell. next time, as time allows, maybe we will go into what actually gets done, who the players are and where we are all headed.

gadi evron,
ge@beyondsecurity.com.


Paul Vixie on Internet Naming and Alternate-Roots

this was just posted by paul vixie, and i believe it is the shortest and most to-the-point summary of the problem that i’ve seen.

the discussion was about alternate roots and people using alternate roots, causing chaos on the internet by hurting the stability and flow of the domains/dns system, and thus the internet.

some may say, they suck! others may say – who can blame them?

—————————————-

(“christopher l. morrow”) writes:

>> so… why is it again that folks want to balkanize the internet like this?

the dreams fulfilled and/or still promised by the internet mostly involve
some kind of disintermediation, increases in freedom or autonomy, that kind
of thing.

in that context, centralized control over things like address assignments
and tld creation is like fingernails on a chalkboard. a lot of folks feel
that “if it has to be centrally controlled, then $me should be in charge”
or at best “if it has to be centrally controlled, then $me want a voice.”

this desire is more powerful than any appreciation or understanding of the
benefits of naming universality or address uniqueness. human nature,
especially when individuals interact with herds, is predictable but not
necessarily rational.

>> i’m confused by the reasoning behind this public-root (alternate root)
>> problem… it seems to me … that there is no way for it to work, ever.
>> so why keep trying to push it and break other things along the way?

i think it’s because of what margaret mead wrote:

“never doubt that a small group of thoughtful, committed people can
change the world. indeed, it is the only thing that ever has.”

the internet is supernational. control over it is held by the ruling
political party, and their backers, in one country. thus there’s plenty of
money and power ready to back the next hare-brained scheme to break the
lock, even if (as i expect) lack of naming universality would be worse
than lack of naming autonomy.
– paul vixie

—————————————-

gadi evron,
ge@beyondsecurity.com.


Online extortion (bahh) and a new buzzword – “Ransomware”

i really like it when people invent new terms.

it can be spit and spim for spam coming from sources other than email. it can be pharming for phishing that is done by “misusing” dns. it’s always “new” and always invented by a commercial company.

annoying, but it’s how things are. one has to find ways to get media attention.

the latest invented term is “ransomware”:

http://www.networkworld.com/buzz/2005/092605-ransom.html

basically, a trojan horse will get on your machine and, without warning, will at some point encrypt your files. then the attacking party will demand some cash for the files to be restored/opened.

it’s a pretty cute idea, but it is nothing new. the whole idea behind trojan horses is to be able to do stuff such as this, covertly, whether for quiet spying or for overt annoying and destroying.

true, this way of employing the said trojan horse is fascinating, but no more than that.
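as an added illustration (not from the original post, and not any real product’s detection logic): a small python heuristic that flags a process which rewrites many distinct files with near-random content inside a short window, which is what the encrypt-everything behaviour described above looks like from the file system’s side. the events, process names, paths and thresholds below are all constructed for the example.

```python
"""Heuristic detector for ransomware-like mass encryption (constructed example).

Events are tuples (timestamp_seconds, process_name, path, sample_bytes), where
sample_bytes is the first chunk written to the file. A real deployment would
feed this from a file-system audit log; here the events are built inline.
"""
import hashlib
import math
from collections import defaultdict

HIGH_ENTROPY = 7.0    # bits per byte; encrypted or compressed data sits near 8.0 (assumed cut-off)
WINDOW_SECONDS = 60   # sliding window length (assumed)
MIN_FILES = 20        # distinct high-entropy files per window before we flag (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`: 0.0 for empty or single-symbol input, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def suspicious_processes(events, window=WINDOW_SECONDS, min_files=MIN_FILES, threshold=HIGH_ENTROPY):
    """Return {process: peak_count} for processes that rewrote at least `min_files`
    distinct files with high-entropy content inside any `window`-second span."""
    high_entropy_writes = defaultdict(list)          # process -> [(ts, path)]
    for ts, process, path, sample in events:
        if shannon_entropy(sample) >= threshold:
            high_entropy_writes[process].append((ts, path))

    flagged = {}
    for process, writes in high_entropy_writes.items():
        writes.sort()
        peak = 0
        for i, (t0, _) in enumerate(writes):
            # distinct paths written within `window` seconds starting at t0
            paths = {p for t, p in writes[i:] if t - t0 <= window}
            peak = max(peak, len(paths))
        if peak >= min_files:
            flagged[process] = peak
    return flagged


def pseudo_ciphertext(seed: str, length: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content.
    Constructed with SHA-256 so the example runs offline; it is not real ransomware output."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:length])


SAMPLE_TEXT = b"quarterly report: revenue grew modestly while costs stayed flat. " * 16


def build_sample_events():
    """Constructed file-write events: a word processor, an archiver and a mass encryptor."""
    events = []
    # benign: the same document saved five times over ~40 minutes, plain-text content
    for i in range(5):
        events.append((i * 600, "winword.exe", r"C:\Users\alice\report.docx", SAMPLE_TEXT))
    # benign but high-entropy: three compressed archives written in quick succession
    for i in range(3):
        events.append((100 + i, "7z.exe", rf"C:\Users\alice\archive{i}.7z", pseudo_ciphertext(f"zip{i}")))
    # ransomware-like: forty distinct documents overwritten with ciphertext in under 30 seconds
    for i in range(40):
        events.append((2000 + i * 0.7, "svchost_fake.exe",
                       rf"C:\Users\alice\Documents\file{i}.docx", pseudo_ciphertext(f"enc{i}")))
    return events


if __name__ == "__main__":
    for process, count in suspicious_processes(build_sample_events()).items():
        print(f"ALERT: {process} rewrote {count} files with high-entropy content within {WINDOW_SECONDS}s")
```

the thresholds are assumptions, not tuned values: an archiver or a disk-encryption tool also writes high-entropy data, so the distinct-file count and the window length matter as much as the entropy cut-off, which is why the archiver in the sample is not flagged while the mass encryptor is.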

leaving the trojan horse itself behind, let us discuss the concept of online extortion for a bit.

online extortion is one of the silliest ideas i ever heard. not because it doesn’t work out for the bad guys, but because it simply makes no sense to the good guys.

say you are in meat-space and you run a convenience store in downtown [bad city here]. a gang comes by and threatens that if you don’t pay them protection money they will burn down your store.
it is pretty clear that in fact:
1. they will burn down your store if you don’t pay up.
2. it is likely that they will not burn down your store if you do.
3. they will come back for more if you pay them.
4. it is also likely that if another gang comes by and demands some money, the original gang will protect you from the new one.

online, you have no face. you never really know who you are talking to. you have no guarantee that they are real, what their intentions toward you are, or whether they are trustworthy.

say somebody emails your ceo and says: “pay up 10k bucks or we will ddos you out of business”.
that can be rough on any company and especially on companies whose business models are based on being online, still -
say you pay up:
1. what prevents the bad guys from attacking you anyway?
2. who says the bad guys would have attacked you at all? attacking someone who won’t pay wastes their resources.
3. the bad guys cannot protect you from other bad guys.
4. there are so many bad guys out there, who is to say others won’t attack you?

and besides, meat-space basics apply here – if you give them money, they will come back and they will also bring friends. unlike real life they cannot burn down your store. whatever they do you can most likely come back from it and you can most likely also prepare for it.

the solution is simple. if your business model demands internet access and you make money off the internet, you should invest in protecting yourself accordingly.

ddos is a problem, but one that you can cope with, especially if you plan ahead and consult with the right people, beginning with your uplink isp and ending up with people who actually understand ddos and security.

trojan horses? “ransomware”? it all comes down to planning security for your organization – in-depth.

besides, as part of your business continuity plan (plan security, it’s not a bad idea) you could.. *shock* backup your files regularly?

i can’t teach anyone how to do security in one blog entry, but the points i am trying to make are:
1. security is something you need to invest in, over time and as part of a thorough plan.
2. online extortion is a scam.

any of these threats can hurt you, but you can either respond to them as a micro-issue (making sure that because somebody smuggled something onto an airplane using their shoes, no one will ever again smuggle anything onto an airplane using their shoes) or you can make sure airline security is better altogether. there is always a new threat out there; dealing with each on the spot doesn’t really work and will end up draining more funds.

as to online extortion, i do not belittle the issue in any way. i do believe though that most who are forced to deal with it do not really understand the problem.

the time has come when meat-space organized crime is getting involved with a lot of what’s going on online, and if we don’t get ready now, we will simply fall behind.

i’d like to thank paul schmehl for a conversation we had on the subject a couple of years back; he gave me some very good ideas to consider.

also, i am waiting to hear from dan hubbard from websense to find out what really happened in the story discussed (see url to article above).
[ having just heard from dan this issue is dated back to may 2005:
http://www.websensesecuritylabs.com/alerts/alert.php?alertid=194 ]

gadi evron,
ge@beyondsecurity.com.
