Stuxnet, Flame and security

First of all, I’d like to thank all my readers, I’ve had over 10,000 views in my first year of blogging. That’s amazing and is so many more views than I expected to ever have. Thank you for making it well worth my time to blog!

Recently a friend of my asked me to comment about the latest cyber attack, Flame, uncovered by Kaspersky, a Russian security firm. It’s still not entirely certain who unleashed the attack, but at the time I argued that it could have been Israel acting alone as they have a very capable tech sector. They put out high quality software, they have security experts and they have some serious R&D from US companies like MS and Intel.

Flame targeted Iranian computer systems, very much like Stuxnet did. At the time, it was unclear who released Stuxnet, which attacked Iranian centrifuges. It could have very easily been Israel acting alone or with some help from the US. Being a realist I fully expected the US to be involved, however I did not expect Obama to have issued the order himself. Based on history it is equally likely that Flame was initiated by the US as well.

Flame targeted data being sent over the internet such as PDF, Office and AutoCAD data and did not actively attack anything like Stuxnet did, according to Kaspersky. However, this doesn’t mean that it’s not being used by a spy agency. It’s also interesting to note that the infected computers are all outside of the US, which indicates that it could very easily be a US spy agency as they are not usually allowed to spy on US citizens.

These two programs leave me with a great deal of concern, because “the Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.” Does this mean that if Iran responded with military force that our own Pentagon would argue that they were justified? I don’t think they would, but essentially they already have.

Aside from the risks of war it also gives greater leverage for a regime like Iran’s to argue for a more suppressed internet. They can now without any worry claim that they are doing it for national security. They are doing it for that reason, their centrifuges have been attacked (Stuxnet) and their people are being spied on (Flame). In addition other repressive regimes will likely use Flame as justification as a crack down on the internet. There may also be repercussions for Microsoft as Flame exploited a weakness within their auto update.

This also raises other concerns about what other types of cyber programs Obama has given the OK to. As he is the most technically savvy president we’ve had since the rise of the Internet, I think he fully understands the choices he is making. With Bush it may have been argued that he didn’t really understand as well what he was approving as he doesn’t have an in depth knowledge of how people use the internet and how systems interact with technology. He also wouldn’t have a good understanding of how viruses like this could turn against their creators. In this case Obama should. He should know that once in the wild a worm can mutate in a way that could turn against the people that released it and that we could destroy ourselves.

I think that these actions will weaken our position in any negotiations with Iran and possibly other countries that we have pushed for a more open internet. They could, rightly perhaps, argue that we only want the internet open, so it’s easier for us to infiltrate.

I don’t believe that’s the reason. I believe that the internet is the an amazing tool that has improved people’s condition to at least some extent. It has allowed for freer flowing of knowledge, but it can be used for wrong just as easily as any other media or communication tool.

A bit remiss

Sorry dear readrs, I’ve been very bad about writing any blogs lately. I’ve had some pretty big changes in the past two months as you all know. I’ve moved back from the Netherlands to the US, did some consulting work and I just started a job at AMD. Consequently, I’ve not been able to post as much as I have in the past. Big changes have been happening in my life.

Because of these changes I wasn’t able to pay enough attention to the CISPA fiasco that just occurred in the US. This law is a terrible step in the direction of data tyranny. I’m even being hyperbolic about this either. I wrote about the risks of having a voluntary data sharing program and in my review of Consent of the Networked I discussed the different data and Government regimes out in the “wild.” These concerns are valid. We need to be aware of what’s going on. Now, I have to say we pretty much blew our collective internet protest load with the SOPA/PIPA protests. Which is actually a problem. I would hazard that in many ways CISPA is as bad or worse than SOPA, however I didn’t see as much chatter about CISPA on reddit, twitter, Google+ or Facebook about CISPA as I did about SOPA.

I think there are a few reasons for this actually. First, the majority of the people were able to clearly understand the risks associated with SOPA. These risks are pretty straight forward and understandable. These risks affect us tomorrow not in some future time period. In many ways SOPA like acts can already happen today. This makes it extremely obvious why SOPA/PIPA are terrible laws and should be opposed at many levels. Second, with CISPA coming so quickly after the SOPA/PIPA protests there was likely something of a protest overload or disbelief that another law could come through so quickly that is as bad or worse than SOPA. Especially with the language that was being used at the time of SOPA. It would have broken the Internet, how could anything be worse than that? Third, there was more support by large companies for this law than for SOPA. Apparently that actually matters more than we realized. We were able to push Wikipedia, Facebook, and other large companies to protest this law. However in this case Facebook and Microsoft supported the law while Google sat on the sideline saying nothing about the law.

I think from this stand point, people that weren’t happy with CISPA but didn’t understand the importance likely didn’t do anything about it. However, whenever a fantastic website like Wikipedia blacks out in protest for a law it will get people who are only on the fence about the law to actually do something about the law.

CISPA and SOPA are both bad but in very different ways. CISPA is something of an abstraction of risk. Losing your privacy when so many people already voluntarily give up so much information about themselves on Facebook and Twitter might not seem like as big of a deal. The secondary abstraction is a lack of understanding of the impact of the data sharing. It’s unclear of what exactly the Feds would do with the data once they have it. It’s unclear how data sharing would occur within the government. However, it is likely that the data would be shared throughout the government including the military. Which many privacy experts are say essentially legalizes military spying on US civilians. The third problem is that many people also feel that if you aren’t doing something wrong you don’t have anything to worry about. However, this is a fallacy as even people who are doing things that aren’t wrong can get in trouble. I’ve discussed the cases where people are fired for posting drunken pictures on Facebook. Additionally, this type of law represents the biggest of the big government that we can imagine. There’s no reason why the government needs to know what we’re doing in this level of detail.

It’s going to be a long and difficult fight to keep our internet free. However, it’s something that we must do and I believe we can do it. We will just need to keep vigilant and work together to ensure that our internet stays our internet.

Free-market, Small Government and Regulations

The free-market has been used to argue against regulations and for small government for years. However, I believe that the major supporters of using the free-market argument are disingenuous in their application of the argument. In addition, the free-market is a flawed theory which needs to be revisited by neoclassical scholars and adjusted.

The free-market theory comes from the idea that there is an invisible hand that guides the market towards equilibrium between supply and demand. This assumes that once the equilibrium is hit it will stay at that point until there is some shock to the system which would find a new equilibrium. Each time that there is a shock, the invisible hand would push the market into a new equilibrium. This idea came as a side comment in the Wealth of Nations. This idea has become enshrined in the minds of neoclassical economics in a manner that Newtonian Physics was presumed to be accurate. In both cases the theory is incorrect. Relativistic Physics has replaced Newtonian, but in Economics the free-market is still the prevailing mechanism for policy creation. There has been no evidence for an invisible hand at all. In fact Metcalf created the theory of a networked economy which argues that the value of a good becomes more valuable as more people use it. I’ve mentioned this in the past. Essentially, this will prevent any equilibrium from every being found as the price can increase and people will still adopt the networked item because it’s becoming more valuable to the user. Or the price can remain constant even when it should drop for other factors such as a reduction in cost of production. A perfect example is the iPhone. According to research Apple has a whopping 72% margins on the iPhone, even if production was moved to the US Apple would still make 42% margin on the iPhone. There also is an over production of the iPhone and strong competition, which would indicate that the iPhone should drop prices as they are capable with that large of a margin. This market has a great deal of competition and has a large number of companies producing, which indicates that it Apple should be under pressure to drop prices. However this isn’t happening because of the networked value of the iPhone. There are a huge number of apps for the phone, the apps are high quality and the product works well with other iPhones. The market has had no impact on the cost of the iPhone.

However, free-market champions would look at any effort to change the labor practices of Apple as wrong headed and regulation that isn’t required. The Market isn’t demanding any change to labor practices because the market can bear the current prices and the demand indicates that people don’t care about labor practices. However, it’s well known that there are no alternatives to Apple’s iPhone that are produced in an ethical manner. So voting with your money wouldn’t actually work here. The problem arises because there is something of a monopoly in the manufacturing of the smart phones in FoxConn. In this case there is a market failure. Which is something that neoclassical theorists argue cannot occur. The market cannot send a signal to firms because there is no mechanism in which the market could send a signal. This is can be understood if you view this industry as a networked economy. Where you see the ties between manufacturers and handset companies, which would show a massive connection to FoxConn.

Efforts to regulate the manufacturing of devices have been argued as the reason for moving the manufacturing to other countries. However, this is not the case in the case of Apple, as they would still have huge margins. It’s because the company is attempting to maximize profits, not reduce costs to be profitable. The same arguments have been used to argue for smaller government. Saying that since there are no market failures the government should not intervene in the industry.

The unfortunate thing is that these arguments immediately disappear when it comes to protecting the profits of record industries. The same free-market advocates then move to argue that intellectual property must be protected. Essentially, creating protection for a specific product through IP causes a market failure and prevents the market from operating at its most efficient because there are not other competitors in the market. Creating IP requires a huge regulatory framework from the mechanisms of registering, logging complaints and prosecuting actors that infringe on the IP.

This type of industrial policy is typically derided by the small government fans, as it is a type of regulation that selects a “winner” (IP owners) over “losers” (non IP owners). Which may be fine. However, whenever this selection pushes our government to select a winner (Music) over the fastest growing, possibly only growing, part of our economy (internet based companies) there is a serious risk to the future. As I’ve mentioned before these laws represent huge risks for innovation.

These laws are SOPA and PIPA, which I’ve discussed extensively. However, the next round of internet regulations come in the form of CISPA. This bill, which requires allows companies to share extensively with government agencies. This type of sharing of user data and information about the activities going on at the company would not go over very well from the the free-market advocates if this was a request for data about customer data for car dealerships or steel mills. Essentially, this is going to increase the cost of doing business in the US. This may prevent companies from working in the US and prevent innovation. If I was to create a company that dealt with social data I would not want to do so after the passing of this bill. It would be likely that I would be blackmailed into giving the government data about my users that I had no desire to give them.

The internet is the perfect example of a networked economy. Facebook’s value comes from the fact that it has a huge user base. This is true for Google, Amazon and Instagram (List of companies that support CISPA). Without the users the services is literally worthless. With the users a company without any revenues can be worth $1 Billion (Instagram). The difference between this bill and other bills like SOPA and PIPA is that the agreement is bidirectional. The government will likely help Facebook and Google fight Chinese attacks and give information to each other about the activities of online hacktivist groups like Anonymous. It is likely that 4chan will end up giving over IP data and other information related to anonymous and Anonymous users.

This is regulation that the internet doesn’t need and will stifle innovation. The government already has these powers, which maybe why the Obama administration is opposed to CISPA. It is also ironic that Obama plans on sanctioning countries that use Tech to abuse human rights specifically committing genocide. A whistle blower has recently announced that the NSA has intercepted 20 TRILLION emails and likely has copies of all of these stored somewhere. The passing of CISPA and any other law of similar persuasion  would likely protect companies like AT&T from future lawsuits for being complicit with these activities.

For devotes of the Free-Market these laws create market distortions and will cause serious harm to innovation on the internet. For people that understand networked economies, this will greatly undermine the value of these networks as users will likely change their behavior to mitigate the amount of information the Government can compile on them. CISPA and its sister laws SOPA and PIPA represent big government actions attempting to control and regulate industries that do not need to be regulated. In this case there is no market failure that needs to be addressed. Privacy is something that the users have been pushing for and Facebook and Google have steadily improved on those accounts. Surprisingly industry is doing a decent job at regulating itself. Finally, regulations being pushed by advocates of small government and free-market smack of hypocrisy and a lack of understanding. These laws require a deep understanding of the internet and how the market of the internet works. Without this understanding terrible laws will be passed that will damage our privacy and freedoms. For the issues that this law would protect from there are other methods that could be employed to gain the desired results without passing laws.

Contact your congressional members to fight against this bill.

Are we talking past each other with the net neutrality debate?

I started reading (yes another book) “Internet Architecture and Innovation” on my flight to Portland Tuesday night. It’s going to be a really interesting read, if you like the internet, economics and innovation of course. One of the first parts discusses the history of the internet and a design principle called end to end. This means that when something is transmitted certain events must happen. There are two meanings to the same principle though, which complicates things. In one version only peers can “talk” to each other and share the information. This isn’t exactly literal, because if I’m skyping the data isn’t just between skype on my pc and yours, it goes through many, but the idea is that only your pc and mine know we are skyping. In the second method, some intermediaries might know that we are skyping, through something called deep packet inspection where a router is able to read the information it processes. Both ways are still called end-to-end. Which is obviously a problem.

Another easy example. One version would require equal up and download speeds, the other doesn’t. Let’s say you have a picture and want to upload it, in the one version it would take you the same time to upload as to download it the next day back to your pc. We know this doesn’t happen.

Until reading this book I really thought that the internet was truly designed in an equal and neutral manner. However, this isn’t the case. Using these two design principles results in an internet that looks very different and we would expect it to evolve differently based on which understanding was applied.

It’s obvious that for consumers the first option is better. Where the network behind the internet is neutral and a “dumb” pipe. Why is it better? Because no one would be able to intercept your data or change the speeds you get your information or even cap your data downloads. This is bad for network owners because they can’t charge or filter as easily for specific content. They simply become a pipe that information flows through.

The differences in incentives and contexts which the design rules are applied drives this discussion. Since the participants believe they are talking about the same thing there is confusion over the disconnect. This leads to an obvious other problem, our clueless elected officials. They don’t understand how the internet works at the simplest level, let alone the esoterics of the minute differences in this argument. It is no wonder they have tried to do back door deals to get this topic to go away.

This also has led to confusion within the internet community of how the telcoms can say that the internet wasn’t developed as a neutral platform. In a way they are correct, in other ways they are wrong. It was just a matter of what was being discriminated. Before it was up vs down speeds, now it could be content. Which to them is no different. For us, it matters a whole lot more.

Book review: Consent of the Networked by Rebecca MacKinnon

I just finished Consent of the Networked today. This title, of course, is a play on the idea of the consent of the governed. Where governments are only able to govern with the express permission of the people it governs. We have seen recently with the Arab spring that it is possible to reject the govdrnment and show that the governed do not consent.

The book starts with a discussion of how the internet is different than traditional governments. As, most people are aware the internet is international, operated by many different actors including individuals governments and companies, and is not has some of its own rules and norms which are different than the physical world.

Because of the diverse set of stakeholders for the internet the way we (an average person) is different based on the country you live in, the network you are using and the relationship between your government and businesses from other countries. Then toss in advocates that use the internet to promote democracy (or are progovernment) and human rights experts and we have a very messy situation that will likely lead to more and more conflict.

Some of these conflicts are unsurprising, such as countriess like China, Iran and prefall Egypt and Tunisia want greater and greater control of their internet and networks. Which the US State department doesn’t want and puts the countries in great disagreement over the future of the internet. However this is not the only source of conflicts. There is conflict in the US itself.

The State department is pushing for more circumvention tools and techniques to make it possible to get around firwalls. TOR is one of these I’ve talked about in the past. However, the US legislature is pushing for more control and better access to what data is flowing and ways to block it. These laws, SOPA, PIPA and now CISPA all attempt to contol the internet in the name of IP or cybersecurity. However, they are methods that allow censorship and control over the internet. The US is not the only country implementing these laws, the UK has and the EU parliment is still considering ACTA.

MacKinnon also indicates that these actions help to validate countries like China. In some cases the support comes from artists like Bono or the RIAA when they say they want the same abilities as China for blocking access to content. However, the laws can only do what companies are capable of providing to governments and consumers and other agencies.

Copyright laws would be useless if companies had not created ways to inspect data and then stop the transfer. Some of this comes in tne form of filters and blockers for parents. These can be applied at the national level. Cisco and other major western comoanies provide equipment through sales to countries like China for the firewalls and censorship abilities.

These are not the only way businesses are complicit with repressive regimes (in many cases the equipment is essentially off the shelf), MacKinnon also describes the cases of Yahoo and other companies where they hand personal information over to the regimes. In some cases this has led to death for the person whose information was requested. Of course this isn’t just in China, but the same companies hand data over in the US and other democracies.

At this point human rights groups and other rights groups have become more active around the world on matters of the internet. A large portion of her book deals with these problems with through a human rights perspective. I believe that this is a good way to look at these problems. This levels the field across socio-economic levels. It begins with the assumption that protection of data should be universal. It frames the perspective that she argues for netizens to engage and to be active in address these issues.

She argues that we can’t expect the next CEO of Facebook to be benevolent as Zuckerberg has sort of been. The netizens need to pressure companies and governments for better clarity of what our data is being used for, how long it is stored and why it is collected. This important, because we “consent” by clicking I accept without reading and with no control over a change in contract. Anger at changes Facebook has made lead to changes, so as a group we have the ability to effect change at companies. We have also seen what collective action can do to government in light of the SOPA and ACTA discussions.

These matters are important because they affect all of us. This book does an excellent job explaining what is at stake. It provides a perspective from the developing world and the people under dictatorships. It highlights the fine line we are currently treading and that countries like the US and UK could easily slip from democracy into digital dictatorships where the views of a select few are paid a great deal of attention and the rest are ignore and censored.

Over all i give this book 4/5. At times the book was somewhat repetitive but it was to ensure the point was made. This book should be read by any cyber activist, developmental scholar and student of dictatorships.

Content and implicit threats

I’m reading “consent of the Networked” right now. The book is about digital rights, privacy, government and the internet. Once i finish I will write a review for the Urban Times. I found out about the book through TechDirt’s book club. One of the major points the author makes about repressive regimes is the activities of pronationalist actors that are not truly part of the government.

These actors are typically regular people and act as hackers, journalists or progovernment rally organizers. They are found in many countries including China, Iran, the former regime of Tunisia and Libya. In a way these groups are a counter weight to “organizations” like Anonymous, dissent groups and the “liberal” media. However, these organizations are unlikely in the US and Europe right?

Well according to the author now. These groups do exist in the US and in some cases are formal business like HBGary. Some of them actually work for the US government and others do with a wink and a nod. These groups help monitor internet users and potential members of groups like Anon. In many cases this extends the impression of continual  observation by the government and other actors, which can lead to self censorship and self selection for activities.

Has this happened to me? You bet it has, but I didn’t really think much of it at the time or how it could really impact me. One of the times happened during a Facebook conversation about Wikileaks, which I was supporting. The person I was discussing doesn’t like me much and thinks I’m “a rube.” He suggested that I should get a job which requires security clearance so I would get an understanding of how things actually work and that I was niave. Of course I disagree with the fact that I’m niave and I view the world in a much more complex manner than his black and white view. However, I had been thinking of applying to a government type position and he told me I should be careful what I say, which he is correct. This then led me to rein in my views and self censor. This had serious implications on how I discussed topics for some time.

The other times are slightly different and after I started blogging. For one my brother is in the Boarder Patrol which gives him clearance and my sister does stuff she can’t talk about. So, to some extent, I don’t want to negatively impact their ability to work either. This does have a moderating affect as well.

The final source was actually my dad writing to me about my post about anonymous and my discussion of using DDoS as potentially a source of public demonstration on the internet. I was not surprised that he suggested I be careful, he did retire as a Major in the Army Reserves. However, when responding I told him I was already being careful with my wording due to self censorship. I already expect that I’m likely to have my material spring up on someone’s radar due to the content I write about. So, I do try to be careful.

In a democracy where these threats should be minimized we have to worry about it. Why should the rest of the world be different or any less oppressive?

The importance of the internet

To all my loyal readers, I really apologize for my lack of posts this month. I’ve been busy with finishing my Master’s thesis, which I finished on Friday. I’m currently hunting for jobs, and will be able to post more diligently. Hopefully, I’ll get back into the groove I was in before I finished.

The Urban Times asked me to tweet some reasons why I love the internet. I think this was a great idea, it really got me thinking about how I use the internet and interact with the world. There are so many different levels possible to use the internet. In some ways, people look at the internet as something bigger than it is, and other times as less than it is.

For example. the RIAA and MPAA assume that Google is the end all be all of the internet. They act as if the internet is directed by and for Google. However, this isn’t the case, Google has to keep up high quality services and constantly be on the look out for new rivals. If Bing or some other search engine was significantly better, people would migrate to that service.

This brings up a larger point. In many cases it’s really simple to see the internet as simply websites and how we interact through these websites. Either through consuming content (many news websites), creating content (blogging and YouTube) or sharing and interacting with each other (Reddit, Twitter and Facebook). However there are many other routes to enjoy the internet. Gaming, discussion boards about specific topics, chatting through instant messaging programs and voice calls through Skype and other competing services. That doesn’t even touch upon the myriad of IRC channels and other systems users enjoy that I’m completely ignorant of the workings of and use of.

The problem with copyright activists and congressional leaders that are trying to restrict the internet, is that they don’t understand the different levels these things interconnect. Most likely they are concerned with the static pages of websites that link to content. It is through their ignorance that they do not understand how these laws would impact the highly fluid world of social media and content creation.

Memes are an important tool to remind us that we do not create content in a vacuum. Someone starts it with a picture or some turn of phrase and it catches on and some one remixes it and reuses it. However, that initial picture someone still owns. At the same time, the idea is like a dirty joke. It goes from person to person and no one really knows who created it. In the end we all own the joke or meme. Preventing the freedom to share, recreate, remix and reshare would destroy not the internet, but our culture. Our ability to share is what makes us human.

The internet has extended that ability to thousands of new people that had never been connected before in new and exciting ways. That is why I love the internet.