Archive for February, 2006

In the context of all the incendiary harangues and self-righteous bloviation about the Mohammed cartoons, Flemming Rose, the editor at the Jyllands-Posten who made the decision to publish them, has written a thoughtful piece on his actions, including this snippet:

I acknowledge that some people have been offended by the publication of the cartoons, and Jyllands-Posten has apologized for that. But we cannot apologize for our right to publish material, even offensive material. You cannot edit a newspaper if you are paralyzed by worries about every possible insult. I am offended by things in the paper every day: transcripts of speeches by Osama bin Laden, photos from Abu Ghraib, people insisting that Israel should be erased from the face of the Earth, people saying the Holocaust never happened. But that does not mean that I would refrain from printing them as long as they fell within the limits of the law and of the newspaper's ethical code. That other editors would make different choices is the essence of pluralism.

I suggest that you read the whole article, here.



Trust, Fraud, and Email, part 1

I have a deep suspicion that we're seeing phishing attacks and spam grossly undercutting the utility of email as a communication medium, simply because you can't trust anything you get via email these days. Something's gotta change, but what? Problem is, most of the proposed fixes are technological, whereas many of the problems are people- and management-related, for example idiots who connect unprotected machines to the Internet and let them become parts of bot-nets and spam-spewers.

Some of it is just corporate incompetence, too. Here is a great example (in it, drop down to the heading "The New Face of Phishing") of a new phishing attack, one of the most clever I have seen. As it starts out,

"Phishing is a difficult enough form of fraud to avoid for most computer users, but when some of the biggest names in the financial industry fail to do their part to detect and eliminate these online scams, consumers often are placed in an untenable situation."

I mean, I have gotten used to getting emails from myself touting printer ink, or from people imitating PayPal in broken English, asking for my account number and PIN, but when things that are this well done come down, it's hard to believe anything anymore. And what about the corporate incompetents that allow the errors that make all this possible? I mean, it's one thing to be attacked, it's another to shoot yourself in the foot. Or worse, your customer.

But I work for a company that needs to communicate with its customers via email, they have even asked for it, but getting past the filters, the whitelists, and now what should justifiably be great skepticism . . . it's getting almost not worth it on both ends of the conversation.

So, then, what will replace email? Some thoughts later.


This from the Associated Press:

WASHINGTON — The government concluded its "Cyber Storm" wargame Friday, its biggest-ever exercise to test how it would respond to devastating attacks over the Internet from anti-globalization activists, underground hackers and bloggers.


Participants confirmed parts of the worldwide simulation challenged government officials and industry executives to respond to deliberate misinformation campaigns and activist calls by Internet bloggers, online diarists whose "Web logs" include political rantings and musings about current events.

The Internet survived, even against fictional abuses against the world's computers on a scale typical for Fox's popular "24" television series. Experts depicted hackers who shut down electricity in 10 states, failures in vital systems for online banking and retail sales, infected discs mistakenly distributed by commercial software companies and critical flaws discovered in core Internet technology.

Good that they are doing these things, but why will it take them until summer to figure out what happened and issue a report? And what kind of things will they recommend? Past performance doesn't give much comfort. What should the role of the Federal government be in this, who will take ultimate responsibility? What further freedoms will we be asked to give up to make the Internet "safe?"

I know, I should be more positive and give them some slack, but these are the people who orchestrated the response to Katrina.


Even before the shooting starts, and almost always after it does, the network attackers crank up. In Africa, rival factions in the various civil wars blast at each other via website, and occasionally try to mail-bomb or otherwise take down the opposing sites. The Indians and the Pakistanis have a constant low-level battle going, and the last time they started shooting it escalated within hours to a full-scale hack attack on each other. Most recently, Azeri hackers defaced a number of Danish websites in retaliation for the dissing of Mohammed via cartoon.

So here we sit. Businesses and government have developed a high degree of dependency on the Internet for their normal operations, we even have telcos aggressively marketing Voice-Over-Internet-Protocol (VOIP) telephony to all and sundry. Even our power transmission grid, which is in itself running at near-maximum load levels in normal times, uses the Internet as a communication medium among its control centers. So I ask, given all this, who is defending this resource, and how? I grant you that we can't defend the Internet outside our borders, but what are we doing here to secure ourselves?

Looking at our government doesn't give you much comfort — this is the government (at all levels, not just the feds) who failed to take action on 15 years of recurring warnings from the engineering community about the vulnerability of New Orleans to flooding, and who even in the face of an over-the-top storm bearing down on them seemed to be (collectively) deer in the headlights. The National Critical Infrastructure Protection group has been captured and folded into the Department of Homeland Security and renamed the National Infrastructure Advisory Council, a chillingly-vague title for a group with such presumably critical responsibilities. I note that none — none — of their working papers is dated later than 2004 and are mostly agency-startup fluff pieces acknowledging the problem but not even proposing an approach to solving them.

Now, one line of reasoning says that "protection plans are being developed and they have to be secret, have faith in us" but this is not a comforting line of thought. Our government's history with even basic day-to-day system development is not reassuring, witness the recently-dumped FBI records system, dropped after $200,000,000 was spent on it over 10 years, and nothing of use came of it. Or the Do Not Fly database, which can't keep US Senators off it, and lists 6-year-olds as confirmed terrorists (and this system is presumably some kind of priority!). Or the Department of the Interior's Indian Trust Fund database which the GAO required them to remove from public visibility. Will they somehow do better on very complex, fast-evolving, and even more technologically complex systems?

Maybe the government has engaged legions of hackers, of which we certainly have some of the best in the world, ready to be called up to a) protect us from attack, and 2) launch a devastating counterattack. Why do I doubt they have done this? Is it because the current administration has such a loathing for anything Federal and such a tendency to suggest that everyone protect themselves? That's certainly the message that came from New Orleans.

Maybe the solution is to do a kind of "open-source" review of our approach to securing the Internet. This kind of peer review is what makes encryption systems so hard to break, because thousands of eyes are looking for flaws and proposing fixes. I don't know, but I'm worried.

Oh, and in the last round of serious India — Pakistan attack-hacking, it's generally accepted that the Pakistanis won. This should give us some pause: the Indians are our friends, and the Pakistanis are not necessarily so.


Progress Stomps On

The once-dominant telegram has, after 150 years, fallen to the onslaught of e-mail, instant messaging, and cellular text messaging. Western Union has announced, as of January 27th 2006, that it will no longer accept telegraphic messages.

In my grandfather’s day, and he was once a telegraph boy on the railroad, you went into a telegraph office and wrote down your message on a pad of paper, and the operator keyed it in Morse code onto the line. It was then relayed a couple of times and ended up, say, in San Francisco, where the last operator copied it down, typed it, and sent a messenger on a bicycle off to deliver it for you — in mere hours! Grandpa taught me quite a bit of the code when I was young and to the end of his days considered it a very useful thing for anyone to know how to do.

Later, of course, the brass-and-wood telegraph key was replaced by the teletypewriter (which Western Union invented), which printed messages on long strips of paper, which were glued onto a message blank and sent out. Eventually they dispensed with the strips and just printed on the paper.

Western Union had the opportunity to purchase the patents on the telephone right after it was invented, but declined to do so on the theory that “no one will accept a verbal communication for any serious business purpose, they will insist on seeing it in writing.”

But don’t snicker at them as backward, WU has a long history of great innovation and practical engineering. In 1861 they completed the first fully transcontinental telegraph line, in 1871 they started transferring money “by wire” (and the term is still called that in banking, even when it’s done via the Internet), in 1933 they invented the singing telegram, in 1935 they introduced inter-city faxing, in 1943 they were using microwaves to send messages between cities, in 1958 they invented the Telex, in 1974 they launched Westar, the first domestic communications satellite (and had 5 in orbit in 1982), and in 1993 they invented the first branded prepaid long-distance telephone card.

So, I guess they’re entitled to dump the telegram if they want to. Still, I’ll kind of miss it.
