I'm sure most of you have been following, in one way or another, the developments relating to the NSA spying 'scandal'... I for one am simply stupefied that anyone would be surprised by this. For one thing, experts have been telling everyone FOR YEARS that the government was spying on them. After all, the Patriot Act basically gives the government that power.
So why is it that suddenly everyone is shocked and dismayed? Obviously, I suspect that politicians are fanning the embers of this issue in order to score points with their constituents. But why is the media all bumfuzzled? Shouldn't the astute journalist point out that none of this is really new and that all of this has been debated in one way or another over the course of several years?
I don't think anyone in the security industry was surprised by this. Well actually, I guess we might have been surprised by people's reaction, but not surprised by the facts.
Some people call Edward Snowden a hero while others call him a traitor. I call him stupid... He threw away his career, his girlfriend, his family, his financial future and his freedom in order to basically state the obvious. Of course, there is a part of me (you know, the little part which loves entertaining conspiracy theories) which considers that Edward Snowden was actually a spy working for the Chinese who managed to maximize his egress from the US by successfully creating all this wonderful scandal out of things that were basically all well known. It is an interesting possibility considering that Edward seemed rather focused on pointing out things like the part where the US is hacking China (well, duh...) and also the part where his escape route is Hong Kong...
Anyway... Fanciful conspiracy theories aside, everyone needs to realize that none of this is new. Acting surprised and dismayed at something that is totally obvious simply makes us look like idiots...
cheers,
Luis
Welcome to my security blog! I am a successful high tech entrepreneur and technophile. I was the founder and CEO of Comsecware Inc., which was acquired by CloudLink (formerly AFORE Solutions Inc.) in August 2011. I now spend my time as senior security architect at Gemalto, making world class HSMs and security products!!!
Thursday, 13 June 2013
Tuesday, 4 June 2013
The Report of the Commission on the Theft of American Intellectual Property... And lunacy ensues!
Like many other people within the security industry, I took the time to read "The Report of The Commission on the Theft of American Intellectual Property" which was published by "The IP Commission". For the most part, the report is pretty unsurprising reading. They talk about the different types of issues that surround intellectual property theft, from patents to trade secrets to trademarks and copyright. And at first, I was pretty sure it was going to be one of 'those reads' where everything is pretty much something I already knew, that was until I turned to page 81 and then stuff got really interesting... In a bad way…
The first hint that things were going off the rails was the recommendation titled "Support efforts by American private entities both to identify and to recover or render inoperable intellectual property stolen through cyber means", which basically entertains the notion that intellectual property holders should have the right to devise software that would lock computers down should they detect that someone may be using some of their intellectual property without permission. In turn, the said offending users whose computer has been locked down would have to go and call the police, thus being forced to incriminate themselves, in order to get the password that unlocks their computer. Not only that, but said offending users might have to pay a 'fee' in order to get that password. For those not paying attention, this is basically a redo of 'ransomware', evil little malware programs designed to lock down computers until owners of said computers pay a ransom. Basically, hostage taking of computers.
The fact that anyone would entertain that idea is beyond me. Not only that, but the authors of the report wrote “Such measures do not violate existing laws”… Now, I am not a lawyer, but being somewhat educated, I am pretty sure that this idea violates in some way the 4th Amendment, the 5th Amendment and the 6th Amendment. Ignoring those pesky amendments, the authors of the report have also neglected to consider the unintended consequences: what happens when there are false positives? What happens when there is a false positive and a mission critical computer gets locked down? What happens when there is a false positive and a life critical computer gets locked down? What happens when hackers figure out (and they sure as hell will) how to cause false positives at will? I don’t know about you, but as someone who knows a thing or two about hacking and computer security, I have to say that all these questions, and the answers that lie behind them, scare me.
So then I kept on reading the remainder of the “Cyber Solutions” section and all semblance of lunacy seemed to calm down. That was until I read the next section titled “Potential Future Measures” and my jaw dropped. I’m not sure what the commission authors were smoking that day, but here are the recommendations they gave and my comments thereafter:
“Recommend that Congress and the administration authorize aggressive cyber actions against cyber IP thieves”
I could go on a rant on this, but instead I am going to ask you, the reader, to try and answer the following questions … How does anyone reliably find cyber IP thieves? Won’t cyber IP thieves just get really good at covering their tracks? What happens when retaliation ends up targeting the wrong people? Where are the checks and balances to make sure those being targeted for aggressive counter-measures are in fact guilty? Won’t this just turn into a “cyber arms-race”? I can see a lot of innocent ‘computers’ getting caught in the cross-fire on this one.
“Recommend to Congress and the administration that U.S. funding to the World Health Organization (WHO) program budget in whole or in part be withheld”
YES! Because world health and intellectual property thieves are two closely tied entities… Sarcasm aside, this is an asinine idea. For one thing, a considerable amount of WHO resources would have to be diverted to developing, maintaining and auditing a regulatory system designed to make sure the WHO never deals with anyone who might be involved in intellectual property theft (e.g. third world countries). Secondly, it would also require foreign agencies that the WHO deals with to have regulatory compliance as well. After all, nothing spells regulatory compliance more than impossibly impoverished third world countries in dire need of medical assistance. This entire idea ends up offloading the cost of IP theft on organizations and countries that are already stretched thin…
“Recommend that Congress and the administration impose a tariff on all Chinese-origin imports, designed to raise 150% of all U.S. losses from Chinese IP theft in the previous year”
Once again, YES! Let’s make ALL AMERICANS pay (through a dramatic rise in the cost of goods) for the theft of intellectual property originating from China. Obviously, the Chinese government will retaliate with their own tariffs which will end up closing the door to China for many US producers, thus costing jobs. But then again, the WTO might have something to say about this…
Anyway, I apologize if I’ve been a bit rant-ish, but I expected something a lot smarter from a group of people who should definitely be more level headed.