Why ‘cybersecurity’ is such a flawed term

In a sentence: it lumps three very different things — crime, espionage and warfare — under a single heading. And, as I tried to point out in yesterday’s Observer column, instead of making cyberspace more secure many of the activities classified as ‘cyber security’ make it less so.

Bruce Schneier has a thoughtful essay on the subject.

Last week we learned about a striking piece of malware called Regin that has been infecting computer networks worldwide since 2008. It’s more sophisticated than any known criminal malware, and everyone believes a government is behind it. No country has taken credit for Regin, but there’s substantial evidence that it was built and operated by the United States.

This isn’t the first government malware discovered. GhostNet is believed to be Chinese. Red October and Turla are believed to be Russian. The Mask is probably Spanish. Stuxnet and Flame are probably from the U.S. All these were discovered in the past five years, and named by researchers who inferred their creators from clues such as who the malware targeted.

I dislike the “cyberwar” metaphor for espionage and hacking, but there is a war of sorts going on in cyberspace. Countries are using these weapons against each other. This affects all of us not just because we might be citizens of one of these countries, but because we are all potentially collateral damage. Most of the varieties of malware listed above have been used against nongovernment targets, such as national infrastructure, corporations, and NGOs. Sometimes these attacks are accidental, but often they are deliberate.

For their defense, civilian networks must rely on commercial security products and services. We largely rely on antivirus products from companies such as Symantec, Kaspersky, and F-Secure. These products continuously scan our computers, looking for malware, deleting it, and alerting us as they find it. We expect these companies to act in our interests, and never deliberately fail to protect us from a known threat.

This is why the recent disclosure of Regin is so disquieting. The first public announcement of Regin was from Symantec, on November 23. The company said that its researchers had been studying it for about a year, and announced its existence because they knew of another source that was going to announce it. That source was a news site, the Intercept, which described Regin and its U.S. connections the following day. Both Kaspersky and F-Secure soon published their own findings. Both stated that they had been tracking Regin for years. All three of the antivirus companies were able to find samples of it in their files since 2008 or 2009.

Yep. Remember that the ostensible mission of these companies is to make cyberspace more secure. By keeping quiet about the Regin threat they did exactly the opposite. So, as Schneier concludes,

Right now, antivirus companies are probably sitting on incomplete stories about a dozen more varieties of government-grade malware. But they shouldn’t. We want, and need, our antivirus companies to tell us everything they can about these threats as soon as they know them, and not wait until the release of a political story makes it impossible for them to remain silent.

Everything you need to know about ‘mature’ organisations

From Nicholas Lehmann’s New Yorker piece on corporate manuals.

In 1940, a young sociologist named Robert K. Merton published an essay called “Bureaucratic Structure and Personality,” in which he coined the phrase “displacement of goals.” Bureaucracy develops, Merton wrote, because large organizations require rules and procedures, lest they fall into the administrative and financial chaos and governance-by-whim of the kind that brought down William Durant. But eventually the rules and procedures devised to help the organization achieve its goals take on a life of their own, and become “an immediate value in the life-organization of the bureaucrat.” In other words, when people orient their lives around the rules, the purpose of the organization gets lost.

Yep. Been there, done that.

Forget North Korea – the real rogue cyber operator is closer to home

This morning’s Observer column.

The company [Symantec] goes on to speculate that developing Regin took “months, if not years” and concludes that “capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state”.

Ah, but which nation states? Step forward the UK and the US and their fraternal Sigint agencies GCHQ and NSA. A while back, Edward Snowden revealed that the agencies had mounted hacking attacks on Belgacom, a Belgian phone and internet services provider, and on EU computer systems, but he did not say what kind of software was used in the attacks. Now we know: it was Regin, malware that disguises itself as legitimate Microsoft software and steals data from infected systems, which makes it an invaluable tool for intelligence agencies that wish to penetrate foreigners’ computer networks.

Quite right too, you may say. After all, the reason we have GCHQ is to spy on nasty foreigners. The agency was, don’t forget, originally an offshoot of Bletchley Park, whose mission was to spy on the Germans. So perhaps the news that the Belgians, despite the best efforts of Monty Python, are our friends – or that the UK is a member of the EU – had not yet reached Cheltenham?

Read on

The Imitation travesty

We went to see The Imitation Game last night. It’s a well-made, entertaining travesty, distinguished by a terrific performance by Benedict Cumberbatch as somebody’s weird idea of Alan Turing, and marred by a few howlers — some malicious (like the idea that Turing was suspected of being a Soviet spy both in Bletchley Park and afterwards in Manchester), some merely absurd (like the idea that he christened the first Bombe ‘Christopher’ after the dead boy he idolised when they were at school in Sherborne), and some completely implausible (like the scenes in which the codebreakers have a map of the north Atlantic with paper markers setting out the positions of ships in a convoy).

Cumberbatch is clearly a great actor, and his performance is memorable. But the unsubtle, autistic Turing he portrays is substantially at odds with the Turing who, for example, was entrusted by the British government with the task of hoodwinking the American codebreaking community into thinking that the British were way behind them in breaking German ciphers.

What the film does convey powerfully, though, is the cruelty of Britain’s homophobic laws. Walking home afterwards, I was reminded of the courage of the MP Leo Abse and the hereditary peer Lord Arran, the first Parliamentarians to publicly accept the recommendations of the Wolfenden Report, and of Roy Jenkins, the only liberal (small-l) Home Secretary in living memory, who ensured that the Sexual Offences Act 1967 made it onto the statute book.

Ironically, we saw the film the day after the Chancellor, George Osborne, announced that the £42m Turing Centre would be located at the British Library next to King’s Cross.

NSA hacks mobile networks worldwide

Operation AURORAGOLD. Or how the NSA doesn’t believe in half measures.

Codenamed AURORAGOLD, the covert operation has monitored the content of messages sent and received by more than 1,200 email accounts associated with major cellphone network operators, intercepting confidential company planning papers that help the NSA hack into phone networks.

One high-profile surveillance target is the GSM Association, an influential U.K.-headquartered trade group that works closely with large U.S.-based firms including Microsoft, Facebook, AT&T, and Cisco, and is currently being funded by the U.S. government to develop privacy-enhancing technologies.

Karsten Nohl, a leading cellphone security expert and cryptographer who was consulted by The Intercept about details contained in the AURORAGOLD documents, said that the broad scope of information swept up in the operation appears aimed at ensuring virtually every cellphone network in the world is NSA accessible.

Well, if you’re looking for needles in a haystack you need the whole goddam haystack.

Mean People Fail

Interesting essay by Paul Graham.

It struck me recently how few of the most successful people I know are mean. There are exceptions, but remarkably few.

Meanness isn’t rare. In fact, one of the things the internet has shown us is how mean people can be. A few decades ago, only famous people and professional writers got to publish their opinions. Now everyone can, and we can all see the long tail of meanness that had previously been hidden.

And yet while there are clearly a lot of mean people out there, there are next to none among the most successful people I know. What’s going on here? Are meanness and success inversely correlated?

He concludes that they are.

Memory’s tricks

One of my favourite Mark Twain quotes is:

“The older I get, the more clearly I remember things that never happened.”

What brings this to mind is an interesting op-ed piece in today’s New York Times.

NEIL DEGRASSE TYSON, the astrophysicist and host of the TV series “Cosmos,” regularly speaks to audiences on topics ranging from cosmology to climate change to the appalling state of science literacy in America. One of his staple stories hinges on a line from President George W. Bush’s speech to Congress after the 9/11 terrorist attacks. In a 2008 talk, for example, Dr. Tyson said that in order “to distinguish we from they” — meaning to divide Judeo-Christian Americans from fundamentalist Muslims — Mr. Bush uttered the words “Our God is the God who named the stars.”

Turns out that Mr Tyson’s memory was faulty.

In his post-9/11 speech, Mr. Bush actually said, “The enemy of America is not our many Muslim friends,” and he said nothing about the stars. Mr. Bush had indeed once said something like what Dr. Tyson remembered; in 2003 Mr. Bush said, in tribute to the astronauts lost in the Columbia space shuttle explosion, that “the same creator who names the stars also knows the names of the seven souls we mourn today.” Critics pointed these facts out; some accused Dr. Tyson of lying and argued that the episode should call into question his reliability as a scientist and a public advocate.

When he was first asked for the source of Mr. Bush’s quotation, Dr. Tyson insisted, “I have explicit memory of those words being spoken by the president. I reacted on the spot, making note for possible later reference in my public discourse. Odd that nobody seems to be able to find the quote anywhere.” He then added, “One of our mantras in science is that the absence of evidence is not the same as evidence of absence.”

But there’s another twist to this tale.

Years before he misremembered what Mr. Bush said about 9/11, Mr. Bush himself misremembered what he had seen on 9/11. As the memory researcher Daniel Greenberg documented, on more than one occasion Mr. Bush recollected having seen the first plane hit the north tower of the World Trade Center before he entered a classroom in Florida.

In reality, he had been told that a plane had hit the building, but had not seen it — there was no live footage of the plane hitting the tower. Mr. Bush must have combined information he acquired later with the traces left by his actual experience to produce a new version of events, just as Dr. Tyson did. And just as Dr. Tyson’s detractors assumed that he had deliberately lied, some Bush critics concluded that he was inadvertently leaking the truth, and must have known about the attacks in advance.

Mark Twain was right.

Origins


We had lunch on Saturday at Muckross House, Killarney, the place where my interest in photography was first awakened. It was a grey, soft day with very muted light. And yet the place was absolutely beautiful, as ever.

Larger image here.

Net Neutrality: it’s complicated even if it looks simple

This morning’s Observer column

The composer and aesthete Lord Berners was a famous eccentric who hated sharing railway compartments with strangers and developed a sure-fire way of ensuring that he travelled alone. He would stand at the door of his chosen compartment, maniacally beckoning people in. This being England, no one ever entered.

Nowadays, the same effect may be achieved by telling people that you wish to engage them in a discussion about net neutrality. You get the glassy smile, the sideways glance checking the location of the nearest exit, the sudden remembering of things that have to be done at that very moment, and all the other evasive tactics deployed by those who find themselves in the presence of a madman.

And yet, net neutrality is important…

Read on

Google annoyances

I’ve just been updating software on my machine and saw that Google was inviting me to ‘upgrade’ my Google Calendar. So I foolishly clicked to accept the upgrade. Then logged into my calendar to find that the screen is littered with corny jpegs of a birthday cake which indicate, apparently, the birthdays of my ‘friends’. Pissed off by this, I then went looking for a way of turning off this absurd and unwanted ‘feature’. But it turns out that if they are ‘friends’ from Google+ (another turkey btw) then there’s no option to unsubscribe from this toxic calendar feed.

It’s almost enough to force me to use the Apple iCal app.

There must be a way of getting round this idiotic ‘feature’. But I don’t have time to do the necessary research because I’m trying to write. Maybe I should bill Google for the ‘research time’ needed to restore what is a useful product/service to its original condition.