In response to protests, the Egyptian government took the unprecedented step of disconnecting its Internet from the rest of the world. Egyptians can no longer reach Twitter, Facebook, or other "subversive" websites. While Iran and Tunisia partially restricted the Internet during their protests, they did not go to this extreme of turning it off completely.
While extreme, this is exactly the ability our president wants (it's unfair to blame it on the current president -- our previous president wanted the same ability). The proposed "Protecting Cyberspace as a National Asset Act" would give the president broad powers to disable the Internet after declaring a "cyber emergency", specifically, shutting down links to the outside world.
Such things are always well intentioned, but often become a bigger problem than the threat they are designed to address.
Egypt is a good example. It has been under a near-continuous "state of emergency" since 1967. Under their Emergency Law, constitutional rights are temporarily suspended, censorship legalized, and police powers extended. Most countries have similar laws for temporary states of emergency. However, Egypt's "state of emergency" has been permanent -- it was declared by president cum dictator Hosni Mubarak when he took power in 1981. Mubarak used the powers enabled by this law to turn off the Internet.
You'd like to imagine that this could not happen here, but you'd be wrong. The U.S. passed similar (in nature, but not degree) laws in response to the 9/11 terrorist attacks. These laws have been in continuous action ever since; the temporary emergency has become permanent. The "terrorist threat level" chart has never been below "Yellow - Elevated". Continued abrogations of our civil liberties in the Patriot Act (now up for renewal) are justified by this ongoing emergency. Reasonable-sounding laws, such as the "Terrorist No Fly" list, are as often used to track petty criminals and political dissidents (like hackers Jacob Appelbaum and Moxie Marlinspike) as they are used to stop terrorists.
The populace supports such laws because they believe in the competence of government. This belief is misplaced. I know from personal experience that federal networks are the least secure on the Internet. It's irrational to believe that, if given more authority, they would be any better at securing our networks. I'm all for passing cybersecurity legislation -- but that legislation should start with the government's own networks. Only when the legislation proves effective at securing government networks should it be extended to protecting everybody else's.
In his farewell address, President Eisenhower warned about the "unwarranted influence, whether sought or unsought, by the military industrial complex". Unlike the later hippies, Eisenhower didn't believe that there was some sort of conspiracy in the "military industrial complex". According to Eisenhower, the military and arms industry honestly believed they were acting in America's best interests -- they were just wrong.
We see why this is wrong in the current Egypt conflict. Our interests are tied with the current government. For one thing, we have troops stationed in Egypt, and provide them $1.3 billion a year in military aid. Therefore, we are caught in the impossible position of not being able to choose sides. Whereas the U.S. unequivocally supported the protesters in Iran, they equivocate with regards to Egypt. Vice President Biden recently supported Mubarak, saying that Mubarak is not a dictator, and questioned what it is the protesters really want. Biden is wrong, our government is wrong, Mubarak is an evil dictator and must go. If we didn't have military interests in Egypt, we would be able to unambiguously support the protesters.
The comparison I'm trying to make is with the "cybersecurity industrial complex". The above bill is supported by the cybersecurity industry from Symantec to SANS. While such organizations will benefit from cybersecurity regulation, there is no conspiracy here: they honestly believe the Internet will be better with more regulation.
But it won't be. In much the same way that a stronger military does not lead to greater prosperity, a more secure Internet will not lead to greater prosperity. A strong military spread throughout the world has instead mired us in conflicts of interest for which there is no easy answer.
Take, for example, the Wikileaks-inspired DDoS attacks. After companies like MasterCard and Visa refused to process donations for Wikileaks, activists bombarded their servers with attacks from all over the Internet. It's exactly the sort of attack against the financial system that might justify "emergency" powers. I agree to some extent, the DDoS attacks were a little bit like terrorism. But on the other hand, I would also say that they are a little bit like free speech protests. Our government is put into a difficult situation: is it protecting MasterCard because it's enforcing the law? Or is it trying to suppress Wikileaks?
It was Senator Joe Lieberman who drafted the cybersecurity bill. It was also Lieberman who called up companies like Amazon and MasterCard and suggested (aka threatened) that they stop doing business with Wikileaks. There is no conspiracy here; Lieberman honestly believes his actions will lead to a more prosperous America. But it serves as a great example of how the drive to "secure the Internet" can be conflated with "suppress dissent".
Conclusion
We will have nothing as bad as the dictator Hosni Mubarak, but similar sorts of things can happen here. We put too much trust in our government to protect our interests, when in fact it's the government itself that is a threat to those interests.
What makes the Internet a force for freedom in the world is precisely because it's outside the control of any government -- even a benign and friendly government as our own. We should keep it that way.
Friday, January 28, 2011
Tuesday, January 18, 2011
Don't get trolled by the World's #1 Fraud
Posted by Robert David Graham (@ErrataRob)
The World's #1 Fraud has a new trick up his sleeve: posting on his blog endorsements from cybersecurity experts. This generates a huge number of links back to his site. Good press, bad press, it doesn't matter in the googleverse: what matters is only the number of links back to your site. People get angry at him for lying about an endorsement, and respond with a blog post (like this one) disavowing it.
We aren't going to play his game, we aren't going to link back to him, or mention his name. We are going to show pictures instead (hopefully google doesn't OCR them). We disavow the claims in the following picture. Indeed, we recommend the opposite: he's not an expert, you'd be an idiot to pay this guy any money.
Update
This guy's douchebaggery knows no bounds. He's also registering domains with the person's name, then using that website in his endorsements. Here is an example where he registered a domain for our very own Marisa (no, that's not her domain name in the picture):
Thursday, January 13, 2011
Comment on "Layer 8: Connecting the risk dots."
Posted by Marisa Fagan
(This post is a response to the blog post at "Layer 8: Connecting the risk dots," mostly because I typed the whole thing out on the site and then couldn't figure out the captcha to submit it.)
From shrdlu at Layer 8:
"A vendor—or analyst firm, whatever—produces a paper touting the conventional wisdom that it's a lot cheaper to fix software vulnerabilities early in the SDLC than just before or after deployment. And I can get behind that idea, certainly. But the reasoning being produced to support it often ends up to be circular. [...] When it comes to counting the investment against the cost to fix actual breaches, the whitepapers mostly get vague. They list all the vulnerabilities found, describe how bad they were—but don't actually show that they led to specific breaches that incurred real costs. They're assuming that a vulnerability is bad and needs to be fixed, regardless of whether the vulnerability is EVER exploited."
"Just saying that it’s a problem because it says right here that it’s a problem is what we’re doing too much of today."
Is this a call for better attack trees? For instance, instead of just saying "SQLi is bad" we say "This line of code will lead to this SQL database being deleted because it is not sanitized. It ranks a 5 on the 'Oh Sh*t' scale."
Do we really need to see people burned to know the stove is hot? We make preventative business decisions all the time, many that require an even bigger leap of faith than security spending. Managers understand the logic of that kind of spending, but I think the reluctance to do so is actually risk calculation. The organization doesn't need the security pro to tell them what the financial effects of the breach would be; they know and we can't. When they choose not to use a secure coding program they are accepting that risk.
"We need to trace a discovered vulnerability from its creation, through the SDLC, into deployment, and then connect it to an actual breach, leading to a real monetary loss suffered by the business. THERE’S your ROI"
I agree that nothing motivates the management like a breach on the news. The greatest security programs are operating with the goal to never let a serious bug happen AGAIN. But there are companies that can survive this kind of gamble, and companies that can't. Companies putting lives at risk have a different prevention obligation than companies that make video games. Also, remember there are intangible costs to a breach like brand image and company culture, but also intangible benefits like learning from the process and justifying change that can't be measured with ROI equations.
This is why “fixing it now vs fixing it sooner” is a flawed argument. The premise is that you MUST fix, and that’s what executives aren’t buying. We have to make the logic work better.
The call for logic and evidence of breaches feeds into this premise. You're saying that if we can just get more data then we can justify the fix to management. If you're using historical evidence to justify fixing a bug, you need only look hard enough. Somewhere there is a scary example of the bug in an exploit that burned someone else. The premise of the argument is not a judgement that everything must be fixed. It's not the job of a security pro to tell the executive what must be fixed, only the ways the software can be broken. The conventional wisdom of fixing sooner presupposes that the bugs being fixed are worthy of fixing, and therefore would have been cheaper to fix sooner.
Anyway, I think it's a hard situation to manage because the bugs *are* technical, and a manager most likely won't be able to see the vulnerability, and will have to take someone's word for how real it is. This is where the conversation usually diverges toward scanning vs. pentesting to prove criticality. The way I see it, any day you don't end up on the news is a day your security program is working, because you can't be invisible on the 'net. If there's a hole, people know about it, and if they can't or won't exploit it, then that's a success.
Adrian Lane, over at the Securosis Blog, had a great comment on shrdlu's post as well. He said, "Failing in order to justify action is still failure."
Labels: blog, bugs, SDLC, software assurance