Social impact of surveillance

In the last couple of weeks the news have been full of information about the extent of the surveillance under which western governments are keeping their people.

NSA

I don’t believe that anybody who really thought about this subject before has really been surprised by these news. Governments everywhere in the world and history are spying on their people as long as governments or rulers exist. This may be due to the fact that the people in power are a very small minority which is scared that we normal people would do the same as they do like bending or ignoring the law and start trying to take things into our own hands but it may as well be that they have honest intentions and are just trying to protect us from the few bad elements in our society. Who knows! As nobody is really in contact with these people we can only guess about their intentions.

Beside a lot of interesting new logos and discussions this uncovering has shown one thing for the first time and this is the magnitude in which especially the US government has the resources to store data nearly for forever to have time to process them!

It has a reason that the brain is forgetting things over time and why all western countries have laws which see to it that information about most offences have to be deleted after a certain time. I believe that nobody wants to be judged by the stupid things he did or said in his youth. Not you, not I and certainly not the politicians who gave their agencies card blanche to store all data they could put their hands on for an unspecified duration.

People say things. These things, said in a certain context, are not always what you really mean or want to express as they are strongly influenced by the situation in which they are said and your emotional state at this moment. People who are around at this time are able to judge what was said according to its context and therefore willing to forget the words and take the emotional meaning for it. I have my doubt that the recording devices and computers which are storing all these communications are able to capture the context as well and therefore put the words into their rightful settings. This way of data capturing and context free analysis automatically leads to big mistakes and I believe that some of them could already be seen in the news lately.

If everything what we say is recorded, did anybody think about the consequences this will have on our society?

I don’t believe so and I also cannot (or want to) believe that anybody wants to live in a world where everything he says (or in the future thinks) will be captures for replay and analysis forever!

Posted in Internet, Society | Tagged , , | Leave a comment

Cyberwar, the non-existing threat

The internet provides us with a huge bunch of opportunities as well as with many threats. One threat, according to what you can read when it comes to governments funding “Cyberdefence Agencies”, seems to be a Cyberwar. I believe that although there are many threats coming with the internet something like a Cyberwar is a non-existing threat.

To support my arguments let us first have a look at the definition of Cyberwar. Depending on which language you choose for Wikipedia the definition of Cyberwar is a little different. Most people seem to agree on the following definition:

Cyberwar – a war which is conducted substantially in the cyber or virtual domain.

This definition compares the Cyberwar with a conventional, kinetic war which in my eyes leads to a couple of problems. Military doctrines of retaliation and deterrence have no real meaning in the virtual world of the internet. The same you can hardly win, loose or hold ground in a space which has no clear boundaries.

But it comes even worse. Whereas in the real world opposing forces know each other it is not that easy to determine if an attack in the internet is really another state attacking you or just a bunch of script kiddies in this state running a DDOS attack against one or several server in your country. At the same time it is possible that the final force attacking your infrastructure is not at all in the country from where you see the attack coming but only uses these routers to hide their origin. In a word, you will have a hard time if you finally want to identify your enemy in the internet, especially when the attack is short. An ongoing attack will eventually identify the forces behind the attack.

The next problem arises when we think further. A war is conducted using weapons.

A weapon is a tool used with the aim of causing damage or harm (either physical or mental) to human beings. In human society weapons are used to increase the efficacy and efficiency of tasks such as hunting, fighting, the committing of criminal acts, the preserving of law and order, and the waging of war.
– Wikipedia–

Apart from some unlikely incidents I think everybody would agree when I say that it is nearly not possible to harm a human using whatever sort of cyber weapon. Independent of which sort of cyber weapon you deploy the damage will most likely stay in the virtual world, damaging software infrastructure and therefor interfering with services provided by the internet.

When I am already thinking about cyber weapons, I have a hard time to find one which really qualifies as weapon at all. Viruses, Worms or whatever doesn’t qualify as weapon. It is like spreading a disease. It cannot be controlled and directed towards an enemy, it might as well kill you own kin once set free.

Another argument against the occurrence of a cyber war lies in the velocity of the development in IT. It would take an enormous effort to build up an arsenal of cyber weapons and maintain them. The whole industry is constantly closing up the network infrastructure implementing security measures and correcting bugs. Keeping up with this development would mean that your arsenal of weapons has to be constantly extended with new weapons because the old ones don’t work any more.

My conclusion is that at the time being we are not able to fight a real Cyberwar. We cannot certainly identify who attacks us and we have no real cyber weapons for an attack and the damage we can do is only of temporary impact. Most likely important infrastructure will simply be disconnected from the internet to protect it in the case of an ongoing attack.

This assumption shall not fool anybody about the means of cyber supported warfare. Naturally it makes absolutely sense to combine a real world attack with the corresponding means in the internet. A temporary black out of your enemies communication can support and hide a real world attack and the temporary aspect of such an attack is in this case unimportant.

The usage of the internet for espionage, terrorist attacks or even such a direct sabotage as with the Stuxnet virus do not qualify as Cyberwar. The same applies for the misuse of the internet for criminal purposes.

Posted in Internet, Security | Tagged , , | Leave a comment

Living Security

The fine line between being suspicious and getting paranoid is a hard to find balance.

Several years ago I helped a client to secure his internal network. After the installation of numerous virus scanners, firewalls and other security tools we came into a discussion about the updates. I told him that luckily most of the modern software is able to update itself so that he should not be overly concerned.

After we implemented backup strategies and I told him to check regularly if the updates of all security software and the backup is working he came up with the statement that now he is all around secured.

This was the moment when I unfortunately had to destroy his illusions.

Security is nothing which you can install !
Security is not a fixed process either !

What you are doing is to install security measures to higher the threshold for someone who is interested in your data or systems to break in. It is the attempt to reach a balance between your requirements for safety and the usability of your computers and internet connection. You can and should review and check these measures on a regular base but there is no guarantee that you will be safe.

You should always keep the following facts in mind:

  • The technological progress in IT is much faster then your software can be updated.
  • There will always be bugs in software which enable a professional Hacker to break into your systems.
  • There is always someone who is interested in getting your data or access to your computers.

Time to get paranoid?

Not at all. Its just the way it is. When you close the door behind you when you leave your house there will never be a 100% safety that nobody is able to break in. With computer security is just the same. Try to lock up your systems without making it impossible to use them. There might always be someone around who wants to break into your house, alarm system installed or not. Just be suspicious! Don’t open attachments when you are not sure about their origin, run system scans when the system seems to be reacting strange and call for help when you really think someone broke into your system. The same as in real life holds true for the electronic life. Don’t Panic!

Posted in Security, Thoughts | Tagged , | Leave a comment

Going Online

Hi all,

welcome to my website!

In the future you can expect articles on all kind of security aspects, stories around computing and programming on this site. Would be nice to make this a communication platform so if there is anyone who wants to contribute, has a question or an idea for a subject to write on, please send me a mail.

Even though I am working in security sensitive areas of IT for a long time now I still consider myself not an expert in all matters of security so if you find errors or misconceptions, lets discuss them. I will accept all controversial comments as long as they are not abusive.

Posted in Blog | Tagged , | Leave a comment