Google believes its systems are being attacked by China, in order to gain information on Chinese human rights activists who happen to use Gmail. Well, duh. What prominent company or government isn't being targeted by Chinese state-sponsored hackers? (Perhaps the nation of Togo.)

The interesting part is Google's response: a threat to stop doing business in China. That would mean closing its office there, and shutting down Google.cn (the Chinese version of its search engine, with government-friendly censored results). If Google follows through on this threat, it will send a simple message: play nice or we'll take our ball and go home. Hopefully they will also release more details about the attacks, so that the rest of us can learn to better defend ourselves.

Of course, China's economy is huge, and the loss of business with one foreign company probably wont have a measurable impact (unless it's Walmart). However, it's still a powerful symbolic gesture. If China wants to be treated as a serious member of our modern global society, they need to stop acting like Mongol invaders from the 13th century.

Maybe if more companies took a similar stance (and followed through), then China would rethink its hostile cyber strategies. Or would they just be sneakier about it?

Green text. Black background. I’ll tell you why right now. I’m an old school DOS guy. My first word processor was Wordstar and that’s the word processing program I came to associate with the fugue-like state of maximum productivity: the Zone. This is why I continue to favor colored text on a black background in my current favorite editor, Textmate. The coloring reminds me of an primal safe place where the tool is serving its purpose — to get the hell out of the way so I can go be exponentially more productive.

This is why, as engineers, we stick with something that works for us. This is why the ancient likes of vi and Emacs continue to flourish. Once we find a tool that works for us, once we’ve chosen that tool, it becomes ours and remains ours. It allows us to get foamy.

I've had similar experiences with Dreamweaver and other WYSIWYG tools, where they are just too helpful and end up jumbling up my carefully formatted code. To be honest, I never even really liked working in Eclipse, either. It's just too distracting, and again, too "helpful" for my taste. But like Rands says, to each his own.

via Rands In Repose

The novel technique was employed in August by a gang who targeted customers of leading German banks and stole Euro 300,000 in three weeks, according to Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan.

“The Trojan is hooked into your browser and dynamically modifies the text in the html,” Ben-Itzhak says. “It’s a very sophisticated technique.”

via Threat Level

[Sandia's] Thunderbird supercomputer will periodically run a million virtual machines all at once, all with botnet client software. By setting this large network of systems into operation, the researchers, Ron Minnich and Don Rudish, hope to better understand how botnets operate.

It's a cool idea, and could probably keep me busy forever. The only issue I have with this project is that the time and money would be better spent on trying to improve the fundamental security issues of our computing model, rather than just learning about a symptom (in this case, botnets). Still, it sounds like fun, and will hopefully produce some actionable knowledge in a year or two.

via Sandia to boot behemoth botnet -- Government Computer News.

This leads us to the odd conclusion that strict control is something that matters a lot on relatively useless projects and much less on useful projects.

That might not sound intuitive at first, but it makes sense after reading what he has to say.

The article (PDF) is available here: http://www2.computer.org/cms/Computer.org/ComputingNow/homepage/2009/0709/rW_SO_Viewpoints.pdf.

The United States and Russia are locked in a fundamental dispute over how to counter the growing threat of cyberwar attacks... Both nations agree that cyberspace is an emerging battleground.

Russia favors an international treaty along the lines of those negotiated for chemical weapons... The United States argues that a treaty is unnecessary.

Basically, it sounds to me like both countries want to continue cyber attacks against each other. The difference is that Russia wants to have a treaty in place so that it can continue to deny what it does, whereas the US would rather not bother with such a thin veil of cooperation.

Cyber attacks aren't like chemical warfare. First of all, it's nearly impossible to identify who is attacking you over the Internet. And even if you do have a clue as to which country a hacker is coming from, how will you be ever be able to openly prove that he is working for that country's government? This quote from the WSJ says it well:

In the digital world, as the cyber threat shows, physical distinctions such as political borders are unhelpful and can be dangerously confusing.

I think we have more important things to deal with regarding cyber security than pointless treaties. It's time for new solutions to this new and different problem.

NY Times: U.S. and Russia Differ on a Treaty for Cyberspace

U.S. and Italian authorities said Friday they arrested a group of hackers and conspirators who allegedly stole from phone companies around the world. The illegal profits funded terrorist activities, Italian officials alleged.

A federal grand jury in New Jersey indicted three people Friday, including one man who has been linked to al Qaeda. The three suspects, who live in the Philippines, are accused of providing Pakistani nationals in Italy with access to stolen phone lines.

via Alleged Hacking-Terror Effort Thwarted - WSJ.com.

Macworld reported in January that illegal copies of iWork '09 and Photoshop CS4 – distributed via peer-to-peer networks – were infected with a trojan called iServices. It now appears that the botnet created from this trojan has been activated, marking this the first time a Mac OS X botnet has appeared.

A sign of things to come? Maybe. But still no reason to panic.

via Macworld UK.

Rather than rehash what's already known about Conficker.C, I'll just point readers to an excellent Q&A post from F-Secure. Question number one:

Q: I heard something really bad is going to happen on the Internet on April 1st! Will it?
A: No, not really.

If that's not enough information for you, read the rest of their post, and stop freaking out.

Update: I just read an interesting post on this topic from Verizon Business Security (Risk, Group Think and the Conficker Worm), which I saw thanks to TaoSecurity.

If we are going to go down the path of starting over, why not go right to the root of the problem, and fix our hardware? Now that we know what kinds of vulnerabilities exist in our existing designs (based on the von Neumann architecture), we could create a new hardware platform that has security and privacy protections built in. This would naturally lead to a new kind of software, which could take advantage of the new hardware features and architectural decisions, to keep itself secure. Since the Internet is just a collection of networking hardware and software, it would obviously also benefit.

In fact, by rethinking the very basic underpinnings of computer design, we can propagate the results throughout the entire CPU-based world, not just the Internet. Trying to fix only one part of the problem, such as by creating "a 'gated community' where users would give up their anonymity and certain freedoms in return for safety" would be a disaster. Not only would it quickly be broken and misused, like every other attempt to do something similar, but it would eliminate one of the best features of the Internet that caused it to thrive in the first place.

Sadly, I doubt we will ever be able to "start over" on something like this (IPv6, anyone?). I mean, there are so many aspects of life that could use the benefit of hindsight and a redesign, like politics, tax law, health care... but they are too entrenched in society to be replaced by better systems. That makes for good job security for those of us in the computer security field, as long as we can put up with the feeling of continuous frustration, knowing that a true alternative is possible, but we are essentially powerless to pursue it.