Paper covers rock, nightstick beats computer.

With revolutionary fever fermenting across the Arab world, other long-serving dictators are getting a bit jittery these days.

The demonstration effect is a powerful phenomenon- when long-suffering citizens see people in similar situations casting off the shackles of repressive regimes, they’re inclined to as “well, why not us, too?” It isn’t a coincidence that all the post-Soviet governments fell within a few months of each other, though if you want a really remarkable story read up on the extraordinary year 1848.

Living in this world of compressed news cycles and ubiquitous social media, citizens get that revolutionary bug faster and easier than ever.

That doesn’t sit well with autocrats.

So when Munyaradzi Gwisai, Zimbabwean prof and obviously ballsy fellow, decided to show a some YouTube footage of protests taking place elsewhere on the continent he got a response – before class had even finished, the police broke up the class.

The agents seized laptop computers, DVD discs and a video projector before arresting 45 people, including Gwisai, who runs the Labor Law Center at the University of Zimbabwe. All 45 have been charged with treason — which can carry a sentence of life imprisonment or death — for, in essence, watching viral videos.

Gwisai and five others were brutally tortured during the next 72 hours, he testified Thursday at an initial hearing.

From Wired’s writeup.

When you’re running a thuggish police state you can get the information you need via watching the pipes – but you also probably have informants everywhere. Authoritarians are playing a game against activists on many levels, and they can checkmate their opponents in any of them.

The trump card is the pure, brutal violence.

Mugabe is known as one of the most ruthless and vicious dictators in the world, and it appears he has managed to terrorize his own people sufficiently that the prospect of any sort of popular uprising is very remote.

“They’re too fractured and fearful,” Bloemen said of Zimbabwe’s opposition movement. “They’re inspired by what has happened in North Africa, but you have to reach a turning point, a critical mass, to convince people it’s worth it and you’re going to succeed. That’s always been the difficult question in Zimbabwe, getting that critical mass.”

Virtual protests and other actions in North Africa had a chance to grow to large numbers before the government moved against them, providing a certain degree of safety in numbers. It looks like Mugabe’s not going to make that mistake.

Naturally there’s a Facebook group decrying these actions. Unsurprisingly, most of the members do not appear to be Zimbabwean. I hope those that are have their privacy settings correct.

At the same time, the U.S. government struggles with their role in internet regulation and security. Should they have a kill switch in case of an emergency, such as a rampantly destructive bug or virus? Should the government be able to step and take control of critical infrastructure if it is compromised? These questions are brought up by a bill in the Senate (S3480), sponsored by Senators Susan Collins, of Maine, and Joseph Lieberman, of Connecticut. In addition to setting up several new government offices, the bill allows the President to issue mandatory directives to critical infrastructure companies in the event of a “cyber emergency.” Johnathan Zittrain of Harvard’s Belfer Institute explains the pros/cons/existential questions relating to this bill in a recent MIT Tech Review article.

It highlights the tricky position that the government finds itself in. On one hand, the private sector resists regulation and would like to be in charge of its own information security. On the other hand, if there is a doomsday scenario – the power goes out in the northeast in the dead of winter and there are casualties, or thousands of Americans lose their life savings due to a massive data breach – the population will almost certainly look to the federal government and ask: Why didn’t you stop this?

The U.S. is also different than other countries whose governments have interrupted internet service. Burma, Iran, and Egypt, have much lower internet penetration and many fewer ISPs. The Chinese government controls most of their internet traffic to start with. The State Department’s strategy of promoting diversity of opinions and internet penetration in foreign countries is a great way to make it harder for governments to control, censor, and manipulate internet access.

In the meanwhile, we’ll continue to struggle with how exactly a government should be involved in the business of securing our nations networks and infrastructure. The new bill is a test; it allows the President to tap an ISP on the shoulder and say “Er…if you wouldn’t mind disrupting your service for a while, maybe we could contain this virus? Please?” If the bill passes, we’ll see how exactly that works in practice.

The report points out positive and negative aspects of Obama’s progress on cybersecurity. Though may of the criticisms are apt, I think it’s important to really emphasize the progress that has been made in the last two years. It begs the question – how fast is fast enough when developing cyber policy?

Many points are valid, commenting on the cyber czar’s lack of budgetary authority, or the scramble to pick a lead for inter-agency collaboration. Both fair points. Over the last few years both the Bush and Obama administrations have been walking around with a perverbial “Cinderella’s shoe” trying to figure out what agency should take the lead on cyber issues. For now the shoe has been wedged on DHS. Despite the organizational challenges, that seems to be a good choice for the time being.

There have been other accomplishments as well. For example, Howard Schmidt was appointed as Cybersecurity Coordinator in the White House in 2009. A bill proposed by Representative Langevin (D-RI) proposed in May 2010 (H.R. 5247) would make Schmidt’s position subject to Senate confirmation and would grant budgetary authority. The issues are evolving and moving forward. (Or at least Congress has the ability to move them forward).

Cyber Command’s first incarnations were far from centralized. As recently as 2009, the Air Force emerged as a leading entity, linking the protection of the cyber domain with Air Force Space Command.  US Cyber Command (CYBERCOM) was created just over a year later and continues to function smoothly. For a consortium of large bureaucracies, the armed services really rallied together to support the standing-up of CYBERCOM.

Cybersecurity is clearly a priority, and one that Obama continues to emphasize. It concerns protecting our private emails to classified communication, our military’s command and control capacity, our private sector intellectual property, power grids and the security of our economic transactions. Significantly, it is easy to criticize progress on cybersecurity policy just based on the amazing breadth of the vulnerabilities. In the name of promoting bipartisanship (and generally feeling less gloomy) it’s equally important to analyze what did work, as opposed to what didn’t. In a world of increasingly complex threats such as Conficker and Stuxnet, sometimes one just has to look on the bright side of life.

What will you do when they run across your backyard?

We’re in that lull after the holiday season where gyms are crowded, but the days still feel short and cold (up north at least). Most everyone probably had an experience where two relatives were arguing about the best way to stuff a turkey, or who should have to sit next to Aunt Marge at the dinner table. What did you do? Stay out of it. Neutrality. It can be a wonderful thing.

Neutrality in the most basic terms is defined by the Hague Conventions (V), which allows for neutral nations to maintain relationships with all belligerents, but forbids them from taking sides. The underlying concept is that the territory of a neutral nation cannot be violated. It has therefore been argued that neutrality can be violated when an actor launches a cyber attack that crosses another country’s networks.

This logical, albeit black and white, interpretation poses a number of significant policy challenges. Too many to cover in one blogpost.  One key issue is whether it means that the 2008 attacks against Georgia routed through US servers violated US neutrality.

Apologies for the following gross over-simplifications:

Worst case: Denial of service attacks initially emanating from Russia utilize US computers as bots. US becomes a belligerent in a conflict against Georgia. This would be slightly ridiculous. Fail.

Slightly better case: Countries agree to take responsibility to prevent their networks from being used for malicious purposes.  Not only would civil liberties groups oppose this but it would be hard to enforce on an international scale.

Status quo: It’s hard to attribute cyber attacks to any specific location, group or individual. People are unaware their machines are infected. US Internet Service Providers have little or no liability for problems of which they are unaware. Everyone passes the buck, and the cyber equivalent of the Hamburglar continues to run around our networks stealing hamburgers.

Intervening to trace criminal or illegal activity online is a sensitive issue from a civil liberties perspective. In 1994, Congress enacted the Communications Assistance for Law Enforcement Act (CALEA), requiring telephone firms to make it easy to wiretap the nation’s communication system for law enforcement purposes. This is more easily implemented to intercept phone lines, but becomes extremely complicated when one considers the idea of putting “back doors” into the internet. President Bush enacted the Patriot Act. It was, shall we say, not his most popular move in certain circles.

The internet was designed to be an open and free method of communication and information exchange, and that is one of its greatest virtues. Having responsibility on a national level for actions that traverse US networks is a hard concept to implement. Laws need to be developed to clarify when a country gets dragged into a cyber conflict, and when it can maintain neutrality.

Is there an easy answer? No. But I am really glad that I stayed out of the argument about how to stuff a turkey, and I am pretty sure that on a national level it would be nice not to get unexpectedly dragged into someone else’s conflict.

Leaks from Unlikely Sources

Welcome to 21st Century Diplomacy, State Department.

The issue of whether a country should openly sanction offensive use of “cyber attack” by their military is one of touchier issues in the world of cyber warfare. Interestingly, US Cyber Command has openly expressed an interest in developing offensive cyber capabilities. Specifically, they refer to offensive operations to prevent cyber attacks on the US. Offense for the sake of defense.

Some tactics  have the potential to be both offensive and defensive – like setting up “active defenses” to infiltrate attacking computers and disable them. (Think – before the Yom Kippur War started in 1973 the only difference between offensive/defensive tanks on the Egyptian side was whether or not they were rolling forward.)

Actively infiltrating enemy systems to prevent future attack leads to a shady area; one that will eventually require international consensus on acceptable behavior. The US defines offensive information operations as ones that disrupt, degrade or deny enemy systems. Do some of these activities qualify as an attack in themselves?

In 2007, a team of researchers demonstrated that a cyber attack could blow up a power generator. This was a hopeful take on the issue. If offensive cyber attacks were like Star Trek, then every time one took place a control console would explode and an ensign would go flying across the room. Quick. Fire torpedoes.

This fits nicely in to existing international frameworks. Both Article 51 of the UN Charter and Article 5 of the NATO Treaty refer to “armed attack” when authorizing self-defense. But “offensive” cyber capabilities wouldn’t necessarily blow something up or cause direct collateral damage. (What about, for example, planting trojans in an enemy command and control system so that one could cripple them during a future conflict?)

In 1998 the Russians proposed a UN resolution to ban the development and use of cyber weapons. The resolution was largely tabled due to a total inability to define the term ‘cyber weapon’ and the fact that no one had a clue how to enforce such a resolution. Why would anyone comply if compliance was impossible to monitor?

It will be interesting to see how the international community chooses to negotiate the use of offensive cyber capabilities. In the meanwhile, it’s good that CYBERCOM is willing to bring the discussion into the open. (And there’s the ever burning question – why don’t they have circuit breakers in the future?)

The Worm Will Not Turn

Stuxnet, the worm from Russia America Israel who knows where designed to take out the American power grid Iranian Uranium refinement centrifuges BCS computer something controlled by Siemens machines has gotten a lot of attention.

Rightly so, as it’s the closest we’ve actually come to something that looks like a genuine cyber attack. The worm was exceedingly well designed by all accounts, and meant to operate in a very subtle way.

Wired follows the news of North Korea’s new nuke facility by asking “Could Stuxnet Mess With North Korea’s New Uranium Enrichment Plant?”

Answer: No.

Not unless North Korea is run by really big idiots. (Ed: which they are. CD: Yes yes, but that’s not the nuke security scientists!)

The reason? Basically any security attack that exploits bugs in software is a one-shot deal. Bugs are mistakes that get fixed when they are found; if Siemens had known about the holes Stuxnet used, they wouldn’t be there in the first place.

Let’s not think about things that are baked into the systems as design choices that can’t be changed. *cough* BGP *cough.*

I imagine within days, if not hours, of finding out there were problems with their software the good people at Siemens had patches en route to clients.

This is one of the reasons that cybersecurity is different from war and more like espionage. If you know there’s a tunnel under your embassy with listening equipment, you’d do something about it.

If the Stuxnet worm didn’t accomplish it’s mission, those particular holes won’t be available next time. Don’t despair, though; there’s probably a lot more bugs to find.

Oh, and if you haven’t been paying attention before: if you’re running nuclear equipment, be careful where you stick your USB drive, OK?

The reality is that ‘cybersecurity’ is a huge field. When I tutor students about how to write, I tell them to picture a funnel – start with your broad topic and narrow it down to a fine point. Policy and discourse on cyber is still somewhere near the top of the funnel. But it’s surprisingly accessible. Even for those of us who don’t have highly technical backgrounds. In fact, the international relations aspect of cybersecurity is fascinating. Recent reports that China managed to secretly reroute 15 percent of world internet traffic through their information infrastructure highlights the fact that the discussion is coming none-to-early. There are reports that Russia is developing it’s own Silicon Valley, which could be good economically but would also enhance Russia’s cyber warfare capabilities. It is often quoted that the internet was developed more for interoperability than to address security concerns. The silver lining? Russia is still expanding its tech industry. New technological developments, such as the adoption of iPv6 have yet to take hold. The field is still growing and evolving. This means that there is still room (to a certain extent) to get in at the ground level.

Artist's depiction of a firesheep based on multiple witness statements.

Eric Butler has developed a brilliant piece of software called Firesheep that makes web site identity hijacking easy and fun for all. (Ed: First the iCow, now the Firesheep? CD: Agreed, it would behoof them to switch it up a bit.)

The concern is easily explained. When you log into many sites (Yes, Mr. Zuckerberg, I’m looking at you) your login information is communicated encrypted. This is an improvement from no encryption at all, since people can’t get your password.

The problem is that the web is stateless. The computers that happily dish up your Twitter feed, Facebook status updates, or whatever other sites you’re looking at does not know anything about you between times you communicate. As in, each image on each page you load.

The end result is rather like Memento. The server can’t remember who your friends are or what photo album you were viewing or which page of tweets you were on; it only knows what you’ve asked for. So it keeps a little reminder in the form of a cookie.

(As an aside, “cookie” has to be the worst name ever. Well, almost. Really it’s a ticket that tells the server that you’ve paid, who you are, and what you are here to see.)

So you prove who you are, you get an ticket, you see stuff, you keep handing the absent-minded clerk the ticket to remind him what you were looking for, you go about your business.

But nothing after the password bit is encrypted. So if I’m a baaaa-d boy I can grab your ticket, make a copy of it, and hand it to the server myself; the amnesiac isn’t gonna know the difference.*

So if I want I can get into your Facebook account, change your profile, mess with stuff, masquerade as you, hassle your parents, break up with your girlfriend, etc. All kinds of stuff you’ll feel sheepish about.

But first you need to grab the ticket. This is a lot easier on wireless networks, where every bit of content is by definition broadcast into the ether. So if you’re not politely ignoring it, you grab the cookies, then hustle off to steal the login. Like lambs to the slaughter.

OK, maybe that explanation wasn’t so simple after all.

Anyway, Firesheep makes this trivial. It’s a Firefox extension, so you can just drag it into your browser and away you go. It’ll sniff your network, vacuum up connection cookies, and the let you go have your fun.

The answer really is simple: encrypt everything. If your cookies are locked in an iron-bound tunnel, then no one can steal your tickets and therefore your identity.

This concept has been around forever and been exploitable by bad guys just as long, but now that there’s a clear, simple demonstration of it I imagine it will get fixed rather faster.

All you Web 2.0 entrepreneurs too cheap to just encrypt all your traffic, I’m ashamed of ewe.

By the way, wasn’t someone just saying something about darknets?

* Really we have to make this metaphor more complex, because they can tell where you’re coming from too.

The WSJ doesn’t provide many details apart from that “a highly sophisticated hacker” got in earlier in the day, and that the server was “wiped out” though “no data was lost or stolen.”

A word of caution: campaigns have been known to blame those mysterious and omnipotent hackers when things go wrong. (See. Lieberman, Joe, 2006) Much less embarrassing than admitting that it was your own fault. More likely would be that someone got in on a more typical vector. FreedomWorks.org appears to by a typical Drupal site; if so, they may simply have failed to keep it patched up to current.

I’d be surprised if professional-grade hackers were involved. While they may have been offline during an important time, I see they’ve still managed to raise $200K for the Beck fundraiser that was supposed to have been disrupted.

This indicated one of the reasons to not overplay the threat of hackers, by the way – if someone blows up your house, well, that’ll take a while to fix. If the wipe out the contents of your server, if your sysadmins have done their job well you’ll be back online in hours.

It’s also possible that activists opposed to FreedomWorks’ agenda were involved – anything’s possible – but as that’s what the group would like you to believe I’d have to see some credible evidence before thinking it was more than a malicious vandal.

No Boss, You Can't See What I'm Searching For.

Compute cycles are no longer the limiting factor on shoveling all the bits through an iron-bound SSL pipe.

Privacy concerns are going to lead more people in this direction. At the same time, law enforcement types are going to scream bloody murder about this, but I see it as inevitable.

As someone who works with activists in countries where the governments are Bad News, I like this trend.

Microsoft Saves the Day

I grew up as a practicing member of the Cult of the Mac. As such, Microsoft was clearly of the Forces of Darkness.

They’re redeeming themselves now. Russia famously used illegal pirated software as an excuse to kick the doors in and shutter NGOs that were doing annoying things like advocating for universal human rights.

The BSA was doubtless salivating at implementing that stateside, but Microsoft, scenting a PR nightmare, instantly offered a blanket license for international non-profits.

It was a bit vague. To their infinite credit, MS has continued working through it and now are expanding and systematizing the program. I don’t expect that the FSB will now shrug, throw up their hands, and leave the NGOs alone, but at least it removes one method for their strangulation of civil society.

Microsoft’s move is a nod to reality. When I suggest open-source software solutions in international settings, the common sentiment is “We already have free software. It’s called Windows and MS Office.” Piracy is rampant to the point of ubiquity.

The prodigious piracy problem has very serious cybersecurity implications. It’s hard enough to get people to keep their operating systems and software patched generally. If your software is not legit, you’re that much less likely to be interested in – and sometimes capable of – keeping it up to date.

This often means they have to be the tool of a repressive state by implementing censorship.

Well, sunshine, as Justice Brandeis observed, can be the best disinfectant. Google is hoping this will be the case with their new Transparency Report.

It’s not particularly sophisticated; just a bunch of pins (way too many pins) for governments that have submitted takedown or data release demands. Clicking on them gives you a bit more detail. There’s also a simple list of numbers for each country. (C’mon guys, you’ve got a lot of smart peeps with 20% of their time free; i’m sure you can do something prettier.)

It’s a start, anyway. The insidious problem of online censorship is that you may never know it is happening; this is one step towards making it clear to all.

Interesting highlights:

• Russia has, according to the site, issued zero takedown requests.
• China? Google can’t say. Whether they have issued any or not is a state secret.
• And the state that’s demanded the most data from Google? The United States.

Check it out

(h/t: NYT Bits, one of my faves.)

The Hill had a piece recently talking about Republican Senatorial angst around Chinese networking electronics giant Huawei providing equipment to Sprint.

Huawei, like all firms of any importance in China, has significant ties to the CCP leadership and the People’s Liberation Army.

The idea is that Sprint, being a major provider of IT to the US military, might be compromising security by putting hardware in place that might already be hacked in the physical hardware itself.

Some parts of the Senators’ argument can be dismissed – Huawei sold equipment to Iran? So did the lovable Finns – but the underlying anxiety is valid, if a stretch.

Hardware hacks – some sort of embedded trojan in the physical wiring of electronics – are largely theoretical. I’m not familiar with any examples of them being successfully deployed.

Doing really sneaky things via embedded hardware trojans would be quite difficult. Since they are literally hard-wired, they cannot adapt or respond to their environment or changing circumstances. However, it would be relatively easy for a particular circuit to turn the CPU to slag when activated.

No need to lose too much sleep over this. Yes, you can’t really examine circuits without electron microscopes – but the nefarious effort is literally stamped on the circuit board for those with eyes to see, and some of those eyes are owned by the Pentagon. They’re keeping tabs on this stuff. Right, guys?