Category: security

Ending anonymity: the Korean identity system “debacle”

I already mentioned the problems of online bullying happening in Korea (the (online) persecution of Daniel Lee, Korea’s top actress commits suicide amid rumors, Cyberviolence in Korea), and the government’s response, which consisted in imposing a “real identity” system (update on Korea’s online identity system). Ars Technica is giving us an update, which is that the system will be... abandoned!

The best argument against laws requiring websites to use “real name” policies is South Korea’s disastrous experiment with requiring websites to collect the real names of users who post content. Freedom House told the story in a recent report:

In 2007, the internet real-name registration system was expanded to apply to any website with more than 100,000 visitors per day. Users are required to verify their identities by submitting their Resident Registration Numbers (RRNs) when they wish to join and contribute to web portals and other major sites. As RRNs are assigned only to Korean citizens at birth, foreign nationals must individually contact webmasters to confirm their identities. This included the video-sharing website YouTube, but the site’s U.S.-based parent company, Google, refused to ask its Korean customers for their RRNs. Instead, it has blocked users from uploading content onto YouTube Korea. Users are able to bypass the restriction by changing their location setting to “worldwide.” Even the Korean presidential office maintains its YouTube channel in this way.

Trying to quell extremist views by preventing them from being expressed anonymously simply isn’t going to work. The Web is a big place; no government on Earth has the reach to completely eliminate anonymous forums from the Internet. Trying to suppress anonymous posting of extremist views just forces them underground, reinforcing extremists’ persecution complex and making them even more disconnected from mainstream political debates.

After a barrage of criticism, the South Korean government has finally announced plans to abandon the system. This recent decision came in the wake of a major security breach in which information about 35 million users was reportedly stolen from two popular websites.

Link

Where are the good old days (when governments did not understand the internet)?

The topic of how governments handle new technologies is making the news all over the world thanks to Egypt, Tunisia, Iran or Algeria. Times have changed since the mid 1990s, when the Internet was completely out of reach for governments.

  • You can really see the digital divide in action by comparing the political troubles in Ivory Coast (4.6% of the population with Internet access), Egypt (21.2%) and Tunisia (34%). In Ivory Coast, the tension centers around physical threats, embargoes and sanctions. In Egypt and Tunisia, well, you know the story. Governments tried to block access to the network, among other measures, to control the unrest. It shows how much the Internet has become a strategic question.
  • Governments are getting better at the whole technological game. Ten years ago, the Internet was a space of total freedom because states were sometimes not even aware it existed. Now it took the Egyptian government only three days to almost completely shut down the Internet (protests started on the 25th of January, access was blocked on the 28th). It is a remarkably short time span for such a massive measure. In more developed countries, cutting the Internet is not possible anymore (too many entry points, too many satellites), and the Egyptian government’s will was facilitated by a less developed network. Still, that denotes a big change: states now have the capability to react quickly to what they consider threats in the digital world.
  • Laws like Hadopi show that governments can still be both late and in denial when it comes to technologies.
  • But in a weird twist of events, the fact that laws are now outdated seems to have created an advantage for some governments, like in the US:

    the law that protects your right to communicate privately through electronic means was enacted all the way back in 1986, long before email, instant messaging, cell phones and Skype existed.

    Advocates believe the Electronic Communications Privacy Act is being overwhelmed by new technology, creating an advantage for government investigations into terrorism and crime, but threatening the ability of consumers to defend against excessive intrusion.

    Some argue that the 25-year-old ECPA “affords more protection to letters in a file cabinet than email on a server,” according to a recent New York Times story on the subject.

    Link

    The story is the following: the lack of laws created an advantage for consumers, who could do what they wanted (download, hack, spam) on the Internet for years. Now that these same technologies are creating huge intelligence opportunities, the balance is shifting and consumers don’t have a fair legal arsenal to defend their rights. How ironic is that? Internet users will soon be demanding more laws to protect themselves from government abuse? What happened to the good old days, when users didn’t have to worry about what their government was doing online…

Internet access “is almost a human right”

Interview of Lauri Almann, part of the Estonian team that was in charge of the governmental response to Web War I. His perspective is quite different from what I heard about the events so far (see Bruce Sterling’s presentation at Korea University), as he sounds like everything was handled quite easily by an over-prepared group of civil servants.

Mr. Almann explains that the Internet is “almost a human right that the government has to guarantee”. With so many vital things happening online in developed countries, governments are getting ready to handle increasingly complex threats:

There are a lot of lessons to learn from the attacks. One is that we were able to come up with a team of people that was able to start working on the attacks very fast. Although we have excellent relations with the United States and all the EU countries, having an international preparedness to deal with an attack like that is something that we are now paying more attention to. [Time for a UN body dedicated to collaboration against online threats?]

The right to use the Internet is almost a human right that the government has to guarantee. [...] We shouldn’t let the attacks affect our way of life. But we need to deal with those threats and learn from them.

Link

Mr. Almann also talks about the personal computer:

The fascinating thing about [botnets] is that the people who owned those computers actually had no idea they were attacking another government. The notion of a personal computer is really counter intuitive. There is no such thing as a personal computer. Everyone’s computer can be used to attack another country.

Computers can very easily be hacked and turned into zombies used to launch large-scale attacks. The Estonian government knows this, and we can only hope that they will meet with French officials at the next European summit and show them how unrealistic and irresponsible the Hadopi law is.

Bruce Sterling on the Estonian Cyberwar

Here is the talk Bruce Sterling gave at Korea University last week about the Estonian Cyberwar.

In this eye-opening presentation, Bruce explains what happened to Estonia earlier this year when the country’s infrastructure went down following a massive DDoS attack. He shares his theory that a Russian group of hackers called the Zhelatin gang might be behind the attacks, and were actually only flexing the muscles of the world’s largest and most powerful botnet.

Video: http://video.google.com/googleplayer.swf?docid=-7558943156938354525

Anybody who is involved in the infrastructure side of a large business should watch this. We’ve been warned.

Switzerland is increasingly targeted by cybercriminals

Phishing e-mails (extortion of confidential data by abusing the good faith of Internet users) written in German have appeared. [...]

For the first time, cases of economic espionage conducted over the Internet and targeted against Swiss companies have been observed. The attacks came from the Far East. Hackers are increasingly exploiting security flaws in applications, such as word processors or antivirus software.

Link

It had to happen sooner or later… Beware of your e-mails!

Microsoft, Apple, and security

Microsoft is again splitting IE and Windows (after tying the two together to get around antitrust laws, as in “don’t ask us to take Internet Explorer down because it would mean removing tons of features from our operating system”)…

Back in the mid-1990s, security experts warned Microsoft that integrating a Web browser deeply into Windows was a mistake. A decade and countless security vulnerabilities later, Microsoft is tacitly conceding the critics had it right. The new version of Internet Explorer to be released as part of the Vista version of Windows this fall [...] loses much of the privileged relationship with Windows that the Microsoft browser has long enjoyed.

Link

but still gives a bit of security advice to competitors, more specifically to Apple:

As crazy as it sounds, a member of Microsoft’s security team has blasted Apple for failing to coordinate its security efforts and to issue proper security advice.

Link

Microsoft is really full of surprises. I guess the only definite lesson here is that it’s so big you can’t classify it anymore. It’s a bit of both, evil and good at the same time.

Windows more secure than Linux and Unix?

The Register

Linux and Unix experienced more than three times as many reported security vulnerabilities (2,328) than Windows (812), according to the mighty US Computer Emergency Readiness Team (CERT) annual year-end security index.

It seems there is a real need to reconsider a few received truths of the IT industry. But:

Despite posting fewer vulnerabilities […], it is attacks on Windows that still cause more concern and generate most headlines.

The reason is that […] Windows has greater potential to cause harm because of its presence on desktops in the hands of users who receive self-propagating worms, click on email attachments and download malicious code. And while it seems just as each hole is fixed, a new vulnerability is unlocked elsewhere in the vast Windows code base.

If Windows is 3 times safer but also 1000 times more common than Linux, it becomes the most dangerous system in absolute terms. Statistics. Is the spread of an OS its worst enemy? Probably. I once heard someone wishing Apple would never make it big so that “OS X could remain unattractive for hackers”.

E-banking fears

The Register: E-banking security provokes fear or indifference

Forrester concludes that an estimated 600,000 from a total of 15m subscribers have ditched online banking as a direct result of security fears.
Forrester reckons that users are confused and banks need to step up their efforts to educate customers about online fraud.

It is incredible that the problems encountered are above all linked to things as simple to fight as confusion and a lack of customer education. This is when bad usability and bad communication start to cost a lot.

E-banking fears

The Register: E-banking security provokes fear or indifference

Forrester concludes that an estimated 600,000 from a total of 15m subscribers have ditched online banking as a direct result of security fears.
Forrester reckons that users are confused and banks need to step up their efforts to educate customers about online fraud.

Bad usability and communication are starting to cost a LOT of money.

Safer Microsoft products

The latest version of Microsoft’s web server, Internet Information Server 6, is rock solid and certainly more secure than Apache.

It is not a marketing brochure from Bill Gates’ company that says so, but John Udell. And when John Udell speaks, people generally listen. It is incredible to see how Microsoft is pulling off one of the riskiest and most complicated turns in its history. For a company that every IT professional had to point a finger at in order to be credible, they have come a long way. Here they are, beating one of the open source community’s emblematic applications on the field of security. It just goes to show that sometimes it takes very little: recruit a few stars, listen to your customers, take one of them as a spokesperson and get to work. Bravo, ladies and gentlemen.

Read elsewhere: Hackers look outside Windows for flaws.