A Treaty for Cyberspace
Here's a quick summary:
The United States and Russia are locked in a fundamental dispute over how to counter the growing threat of cyberwar attacks... Both nations agree that cyberspace is an emerging battleground.
Russia favors an international treaty along the lines of those negotiated for chemical weapons... The United States argues that a treaty is unnecessary.
Basically, it sounds to me like both countries want to continue cyber attacks against each other. The difference is that Russia wants to have a treaty in place so that it can continue to deny what it does, whereas the US would rather not bother with such a thin veil of cooperation.
Cyber attacks aren't like chemical warfare. First of all, it's nearly impossible to identify who is attacking you over the Internet. And even if you do have a clue as to which country a hacker is coming from, how will you be ever be able to openly prove that he is working for that country's government? This quote from the WSJ says it well:
In the digital world, as the cyber threat shows, physical distinctions such as political borders are unhelpful and can be dangerously confusing.
I think we have more important things to deal with regarding cyber security than pointless treaties. It's time for new solutions to this new and different problem.
NY Times: U.S. and Russia Differ on a Treaty for Cyberspace
Alleged Hacking Effort Thwarted
U.S. and Italian authorities said Friday they arrested a group of hackers and conspirators who allegedly stole from phone companies around the world. The illegal profits funded terrorist activities, Italian officials alleged.
A federal grand jury in New Jersey indicted three people Friday, including one man who has been linked to al Qaeda. The three suspects, who live in the Philippines, are accused of providing Pakistani nationals in Italy with access to stolen phone lines.
via Alleged Hacking-Terror Effort Thwarted - WSJ.com.
First Mac OS X botnet activated
Macworld reported in January that illegal copies of iWork '09 and Photoshop CS4 – distributed via peer-to-peer networks – were infected with a trojan called iServices. It now appears that the botnet created from this trojan has been activated, marking this the first time a Mac OS X botnet has appeared.
A sign of things to come? Maybe. But still no reason to panic.
via Macworld UK.
The end of the world and Conficker.C
There is way too much hype about Conficker.C and what it may or may not do on April 1. I'm not sure who is feeding the media, which is fueling the hype, but it's very counterproductive. There are worse threats out there than this one botnet, and focusing all of our attention on Conficker is letting the others go unchecked.
Rather than rehash what's already known about Conficker.C, I'll just point readers to an excellent Q&A post from F-Secure. Question number one:
Q: I heard something really bad is going to happen on the Internet on April 1st! Will it?
A: No, not really.
If that's not enough information for you, read the rest of their post, and stop freaking out.
Update: I just read an interesting post on this topic from Verizon Business Security (Risk, Group Think and the Conficker Worm), which I saw thanks to TaoSecurity.
We need more than a new Internet
It's nice to see the New York Times write on the topic of Internet security, and actually focusing on a more radical solution than normal. The article basically says, Internet security is so broken that we need to start over with a "new Internet." Sounds like fun, but that seriously misses the point.
If we are going to go down the path of starting over, why not go right to the root of the problem, and fix our hardware? Now that we know what kinds of vulnerabilities exist in our existing designs (based on the von Neumann architecture), we could create a new hardware platform that has security and privacy protections built in. This would naturally lead to a new kind of software, which could take advantage of the new hardware features and architectural decisions, to keep itself secure. Since the Internet is just a collection of networking hardware and software, it would obviously also benefit.
In fact, by rethinking the very basic underpinnings of computer design, we can propagate the results throughout the entire CPU-based world, not just the Internet. Trying to fix only one part of the problem, such as by creating "a 'gated community' where users would give up their anonymity and certain freedoms in return for safety" would be a disaster. Not only would it quickly be broken and misused, like every other attempt to do something similar, but it would eliminate one of the best features of the Internet that caused it to thrive in the first place.
Sadly, I doubt we will ever be able to "start over" on something like this (IPv6, anyone?). I mean, there are so many aspects of life that could use the benefit of hindsight and a redesign, like politics, tax law, health care... but they are too entrenched in society to be replaced by better systems. That makes for good job security for those of us in the computer security field, as long as we can put up with the feeling of continuous frustration, knowing that a true alternative is possible, but we are essentially powerless to pursue it.