This leads us to the odd conclusion that strict control is something that matters a lot on relatively useless projects and much less on useful projects.

That might not sound intuitive at first, but it makes sense after reading what he has to say.

The article (PDF) is available here: http://www2.computer.org/cms/Computer.org/ComputingNow/homepage/2009/0709/rW_SO_Viewpoints.pdf.

The United States and Russia are locked in a fundamental dispute over how to counter the growing threat of cyberwar attacks… Both nations agree that cyberspace is an emerging battleground.

Russia favors an international treaty along the lines of those negotiated for chemical weapons… The United States argues that a treaty is unnecessary.

Basically, it sounds to me like both countries want to continue cyber attacks against each other. The difference is that Russia wants to have a treaty in place so that it can continue to deny what it does, whereas the US would rather not bother with such a thin veil of cooperation.

Cyber attacks aren’t like chemical warfare. First of all, it’s nearly impossible to identify who is attacking you over the Internet. And even if you do have a clue as to which country a hacker is coming from, how will you be ever be able to openly prove that he is working for that country’s government? This quote from the WSJ says it well:

In the digital world, as the cyber threat shows, physical distinctions such as political borders are unhelpful and can be dangerously confusing.

I think we have more important things to deal with regarding cyber security than pointless treaties. It’s time for new solutions to this new and different problem.

NY Times: U.S. and Russia Differ on a Treaty for Cyberspace

U.S. and Italian authorities said Friday they arrested a group of hackers and conspirators who allegedly stole from phone companies around the world. The illegal profits funded terrorist activities, Italian officials alleged.

A federal grand jury in New Jersey indicted three people Friday, including one man who has been linked to al Qaeda. The three suspects, who live in the Philippines, are accused of providing Pakistani nationals in Italy with access to stolen phone lines.

via Alleged Hacking-Terror Effort Thwarted – WSJ.com.

Macworld reported in January that illegal copies of iWork ‘09 and Photoshop CS4 – distributed via peer-to-peer networks – were infected with a trojan called iServices. It now appears that the botnet created from this trojan has been activated, marking this the first time a Mac OS X botnet has appeared.

A sign of things to come? Maybe. But still no reason to panic.

via Macworld UK.

Rather than rehash what’s already known about Conficker.C, I’ll just point readers to an excellent Q&A post from F-Secure. Question number one:

Q: I heard something really bad is going to happen on the Internet on April 1st! Will it?
A: No, not really.

If that’s not enough information for you, read the rest of their post, and stop freaking out.

Update: I just read an interesting post on this topic from Verizon Business Security (Risk, Group Think and the Conficker Worm), which I saw thanks to TaoSecurity.

If we are going to go down the path of starting over, why not go right to the root of the problem, and fix our hardware? Now that we know what kinds of vulnerabilities exist in our existing designs (based on the von Neumann architecture), we could create a new hardware platform that has security and privacy protections built in. This would naturally lead to a new kind of software, which could take advantage of the new hardware features and architectural decisions, to keep itself secure. Since the Internet is just a collection of networking hardware and software, it would obviously also benefit.

In fact, by rethinking the very basic underpinnings of computer design, we can propagate the results throughout the entire CPU-based world, not just the Internet. Trying to fix only one part of the problem, such as by creating “a ‘gated community’ where users would give up their anonymity and certain freedoms in return for safety” would be a disaster. Not only would it quickly be broken and misused, like every other attempt to do something similar, but it would eliminate one of the best features of the Internet that caused it to thrive in the first place.

Sadly, I doubt we will ever be able to “start over” on something like this (IPv6, anyone?). I mean, there are so many aspects of life that could use the benefit of hindsight and a redesign, like politics, tax law, health care… but they are too entrentched in society to be replaced by better systems. That makes for good job security for those of us in the computer security field, as long as we can put up with the feeling of continuous frustration, knowing that a true alternative is possible, but we are esentially powerless to pursue it.

Obama plans to keep his BlackBerry
There will be plenty of security and legal hurdles. Here’s one already: “The security question was inadvertently highlighted on Friday as Obama’s BlackBerry tumbled from his belt as he exited his limousine and got onto his plane…”

Widest night/day megapixel lens without distortion for the security industry
This is cool for those into physical security or surveillance: “Theia leveraged their patented Linear Optical Technology platform with all-optical barrel distortion correction to provide a nominal 110 degree horizontal field of view…” The article has a picture showing the difference from a regular wide angle lens.

Frankly Speaking: What would really make software more secure
Not a bad idea, although I’m not sure how I feel about yet another expensive software certification process: “…SANS says some state governments are already thinking about requiring software suppliers to certify in writing that their code is free of the errors on the list.” Hasn’t the federal government already tried similar approaches?

npr.org

Perhaps the economic downturn does help cyber criminals become more successful, simply because there are more desperate people out there to be scammed. Suddenly, a chance to “win $50 from Bank of America” might be just too tempting to resist. After all, “it’s a ripe economy to take advantage of people,” ² according to a McAfee cybercrime strategist. (Nice job title.)

On the other hand, I’ve also seen claims ³ that corporations are performing more internal investigations into employee fraud and misuse of resources. I believe this type of criminal behavior is much more likely to rise, since people generally feel less guilty about taking advantage of their employers, as opposed to outright stealing from a stranger. It’s a bit like how taking home a box of pens from work might not be a big deal, whereas doing the same from a Staples store is much more obviously theft.

There is also one more reason why laid off or unemployed computer geeks might turn to criminal means: it’s the only job they can get. It’s obviously a tough job market, even considering that IT jobs are better off than most other fields. If you’ve got hacking skills and need to make some money, I suppose it’s possible that you might be tempted to work for a criminal organization. Once again, I don’t believe that usually-honest people will start joining the mob out of desperation; we’re just not that bad off yet. But I did come across at least one example ⁴ of an unethical corporation hiring hackers to help them exceed the limits on rain forest logging. It’s hard to know if this is an unusual case, or if it’s becoming more rampant.

The bottom line is that companies (and government agencies) need to be even more vigilant against the insider threat. It’s always been there, and it always will. The best we can do is try to mitigate it. Personally, I’m not too worried about IT workers turning to cybercrime – the crooked ones are already there.

What was that saying about judging a book by its cover?