Category Archives: Security and privacy

Peter G. Neumann in New York Times

Peter G. Neumann is one of my heroes – a computer science and security expert with a sense of humor (his dry comments on the Risks Digest are legendary), inventive solutions to problems (he once built a keyboard with two pedals (for “alt” and “ctrl”) to deal with carpal tunnel syndrome) and far-reaching views on most things. He is currently profiled in the New York Times, including the story of the RTM Worm, which I remember clearly, and where the RISKS Forum played a role in analyzing and stopping it.

I remember an email exchange with Peter in the mid-nineties, when I was writing a research report on knowledge management for CSC Research Services. Peter has been running the email list RISKS forever (I signed up for it sometime in 1985) and when asked about how to find people to do such a job in a corporate setting he replied:

The bottom line is that moderating a newsgroup wisely takes serious dedication to, familiarity with, and commitment to the subject matter and willingness to put oneself into an intrinsically sensitive position. It does not work well if someone is arbitrarily assigned to the task.

In other words – if you want social media to work in a company, let people loose and then support the leaders that emerge, rather than try to replicate the current organization in the new medium. Not a bad insight to have 15 years ago – before this social media thing started.

Norwegian Data Inspectorate outlaws Google App use

In a letter (reported at digi.no) to the Narvik Municipality (which has started to use Google Mail and other cloud-based applications, effectively putting much of its infrastructure in the Cloud) the Norwegian Data Inspectorate (http://www.datatilsynet.no/English/), a government watchdog for privacy issues, effectively prohibits use of Google Apps, at least for communication of personal information. A key point in this decision seems to be that Google will not tell where in the world the data is stored, and, under the Patriot Act, the US government can access the data without a court order.

Companies and government organizations in Norway are required to follow the Norwegian privacy laws, which, amongst other things, require that “personal information” (of which much can be communicated between a citizen and municipal tax, health and social service authorities) should be secured, and that personal information collected for one purpose may not be used for other purposes without the owner’s express permission.

This has interesting implications for cloud computing – many European countries have watchdogs similar to Norway’s, and many public and private organizations are interested in using Google’s services for their communication needs. My guess is that Google will need to offer some sort of reassurance that the data is outside of US jurisdiction, or effectively forgo this market to other competitors, such as Microsoft or some of the local consulting companies, which are busy building their own private clouds. Should be an interesting discussion at Google – the Data Inspectorate is a quite popular watchdog, Norway has some of the strongest privacy protection laws in the world (though, for some reason, it publishes people’s income and tax details), and Google’s motto of “Don’t be evil” might be put to the test here – national laws limiting global infrastructures.

Computer security is about finding front doors

This excellent little piece in Wired tells of security researchers who could spy on corporate meetings by simply scanning for conference phones with “automatic accept” configured:

Using a program that Moore wrote, the researchers found the conference rooms by scanning the Internet for videoconference systems that were set up outside firewalls and configured to automatically answer calls.

In less than two hours, they found systems installed in 5,000 conference rooms around the country, including an attorney-inmate meeting room at a prison, an operating room at a university medical center, and a venture capital company where prospects were pitching their companies while laying out their financial details on a screen in the room.

As I always say – introduce too complex technology and too onerous password rules, and you end up with people using the same password for everything, ditching passwords altogether – or writing the password on a Post-It note and taping it to the back of their keyboards.

Notes from Cory Doctorow talk in Oslo

Cory was here to launch the (New) Norwegian version of his book Little Brother, but, of course, this meeting is not as much about the book as about issues of intellectual property, DRM, legislation thereof, as well as the future of information industries such as publishing.

Cory started with “his usual talk” – interesting, as always – about how encryption works, how it is really strong but easily broken from the outside since the key must be distributed, and then on about how the publishing industry is locking up the work of artists in complicated and, given the technology evolution, largely self-defeating ways.

Cory structures this around three claims by the industry – that DRM works, that extensions of copyright are necessary to preserve artists’ income, and that the industry should have extrajudicial powers to shut people out from the Internet upon accusation of copyright infringement. The last one is rather interesting, given all the things people do on the Internet today.

The issue is that we are all copyright infringers, because the rules are arcane and really geared towards the relationship between industry and professional artists, with lawyers and everything. That means that we are all vulnerable to capricious accusations, especially given today’s search technology.

(Not really a point in writing this down in detail, I guess, it will be all over Youtube and other places anyway.)

The debate featured Bjarne Buset, Bente Kalsnes, Eirik Newth and Cory. Bjarne Buset, head of digital strategy at Gyldendal (a large publisher), had the hardest task, since he argues in favor of DRM. Bente Kalsnes from origo.no, an online community, pointed out that the publishing industry has been very slow in developing alternative business models. Eirik Newth talked about how we need to sit down and do a typical Scandinavian solution, stepping off the rhetoric and focusing on privacy, users’ rights, and creators’ rights.

I tried to make the point that this debate is getting too politicized. The market will fix this, it is called a disruptive innovation, and there will be a lot of noise and then some of the players will make it across and others won’t. Secondly, the debate is being polluted by a lot of idiots who say that stealing is OK, because music should be cheaper or Microsoft is evil. Like some of my (business school!) students, who copy Microsoft Office and justify it by saying that Microsoft makes so much money and the product is too expensive.

Anyway, I had an interesting discussion afterwards with some of the usual suspects as well as Bjarne Buset. At some point he and I need to enter into a highly publicized bet as to the future of the publishing industry. In the meantime, it is rather depressing to watch the publishing industry go down the oh-so-noble road to self-destruction, just like the record industry.

Update Sept. 17: Forteller has a good post and a recording of the debate (86Mb mp3).

Update Sept. 20: Here is a (rather fuzzy) video of Cory’s talk, as usual he speaks (seemingly) ex tempore:

http://vimeo.com/moogaloop.swf?clip_id=6657959&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1

Doctorow @ Litteraturhuset from Veslebror Serdeg on Vimeo.

Risky analysis

Bruce Schneier has a good article on the dangers of risk analysis when estimating software projects – and, by extension, estimating the risk of terrorist attacks.

It is the everyday risks that kill you – largely because the effect is delayed and the risk itself not very visible. I seem to remember someone proposing that the way to get responsible driving would be not to increase the safety level of the car, but instead decrease it – for instance by outlawing seat belts and mandating a four-inch sharp metal spike placed in the middle of the steering wheel.

If too much imagination can make us overly risk-averse, a heavy dose of reality might have the opposite effect.

Airport insecurity

I am thinking a lot about security now, since a discussion last week on security in the 2.0 Enterprise – where the conclusion was that we need to get away from perimeter security and over towards something asset-based, i.e. securing what really matters and not faking security by having showy and inconvenient moats and drawbridges.

This funny but deeply serious article in The Atlantic takes on the example of airport security with all its symbols and holes. As Bruce Schneier (a real security expert) repeatedly has pointed out, hijackers can no longer get into the cockpit. Furthermore, passengers would attack hijackers on sight, rather than cooperate with them. Hence, the bluff that got the 9/11 hijackers in control of four airplanes will no longer work.

But we persist in implementing security that does little but increase the cost of flying, inconvenience everyone, and, ironically, make flying (or, at least, turning up at the airport) less secure. As the article points out, the most dangerous place in the airport is where many people are waiting closely together in an unsecured area. In other words, in the security control line, perfect in case somebody wants to repeat the Lod airport massacre.