StratVantage News Summary
Be on the wave or under it™
The News – 11/28/01
Recommended Reading
I realize this is the only newsletter you’ll ever need, but if you want more in-depth
detail, check out:
Software Quality and Cyberterror Threats
Soon after the September 11th attacks, President Bush named
Richard Clarke, who had been Clinton's counterterrorism czar, as special
adviser for cyberspace security and chairman of the president's Critical
Infrastructure Protection Board. It’s a big job, so let’s all wish Clarke
luck. He’s going to need it. Take a look at just some of the challenges Clarke is
facing:
- The General Accounting Office (GAO) recently announced
that two-thirds of Federal agencies, including the Departments of Defense,
Agriculture, Education, Energy, Justice, Labor, Transportation and Treasury and
eight other departments, failed a government-wide test of computer security. The
GAO also found that
most agencies are doing a poor job installing readily available patches for
commonly known software vulnerabilities.
- Faced with a near doubling of attacks on military
computers in the past year, US Army Maj. Gen. Dave Bryan, commander, Joint Task
Force-Computer Network Operations (JTF-CNO), has asked Pentagon leaders for
permission to strike back using a new, classified technology. “We are no longer
going to be passive. If they hit us, we'll be hitting them back real soon,” he said.
- According to Capt. Jim Newman, who leads the Navy's "Red Team," the group of 20
sailors and civilian personnel who attempt to break network defenses, some Navy
networks have virtually no protection from cyber attacks. So far this year, there
have been 40 instances of root access (complete control over a computer) and 16,000
attempts to enter a Navy system.
- The Silver Lords hacking group has launched a new
defacement campaign in support of Al Qa'ida. According to the Alldas.de defacement
archive, Silver Lords is credited with defacing 1,233 Websites, a staggering 44
percent of all defacements recorded worldwide.
- According
to Vincent Gullotto, the senior director of McAfee Avert Labs, the overall
number of viruses being detected each month is decreasing, but the severity of new
viruses is increasing. Macro and VBS (Visual Basic Script) viruses are becoming
less prevalent and more generally defended against, and malware writers are
turning to worms, which are able to spread themselves without user interaction.
Clarke says that cyber attacks on the nation's critical IT
infrastructure could potentially cause “catastrophic damage to the economy.” Given
the threats mentioned above, this could be an understatement. To protect
against cyberterrorism, Clarke urged more spending on IT infrastructure and
security.
Clarke is going to have some pretty powerful tools to fight
cyberterror, many of which raise significant civil liberties problems. Last
month, President Bush signed the Mom and Apple Pie, er, USA Patriot Act anti-terrorism
legislation. Now government investigators have broad powers to track wireless
phone calls, intercept e-mail messages, monitor computer use, and listen to
voice mail messages.
This bill is driving civil rights advocates up the wall. Laura
Murphy, director of the Washington office of the American Civil Liberties Union,
said the new law enables “the investigation and surveillance of wholly innocent
Americans.” Even the law’s supporters have to agree this is true.
Sen. Patrick Leahy (D-Vt.), chairman of the Senate Judiciary
Committee, offered just one example
of the changes the law has wrought. In criminal investigations, investigators
collect vast amounts of information, including information about people not
involved in illegal activity, such as witnesses or acquaintances of the
accused. This extensive personal information can now be widely circulated among
agencies. Thankfully, a four-year sunset clause causes many of the law’s provisions
to expire after four years.
But who will stop the FBI? The agency is developing software,
called “Magic Lantern,” that is capable of inserting a computer virus onto a
suspect’s machine and obtaining encryption keys. This enables agents to read
data that had been encrypted by the popular public key program, PGP (Pretty
Good Privacy). This software represents a step up from the controversial email
snooping software called Carnivore, which has been useless against suspects
clever enough to encrypt their files. These tools are only the tip of the iceberg, however.
In the meantime, individual users’ attempts at increasing
their security are being thwarted in a number of ways. Even though most
security experts urge home PC users to run an inexpensive personal firewall,
the major high-speed Internet service providers discourage
firewall use, citing configuration problems. This is rather like shooting
yourself in the foot, because unprotected consumer PCs have formed the basis
for the recent Code Red and Nimda attacks. Both worms take over unprotected
Windows PCs, turning them into zombies. The zombies further spread the
infection and can band together to launch Denial of Service (DoS) attacks. The
result? ISPs’ networks are swamped, and legitimate users are prevented from
using the Internet.
So what can a citizen do? More and more articles are being
written saying we should all just bend over and take it. We have no privacy. The
monopoly operating systems are all buggy, but if people would just stop
pointing that out, everything would be OK. Law enforcement doesn’t really need
a reason to investigate us anymore, but, heck, you’re not a criminal, are you? And
the government tribunals will only execute foreigners, so what’s the worry?
In the next SNS, I’ll present a really good reason for
businesses in particular to be worried about the war on cyberterrorism. Seems
we’ve signed a little treaty that makes businesses responsible for the hacking
of their employees.
Briefly Noted
- Shameless Self-Promotion Dept.:
Next week, StratVantage is debuting a new service,
CTOMentor™, designed to allow Chief Technology Officers and other technical
leaders to sweep the newspapers, magazines, and newsletters clogging
their inboxes into the trash. CTOMentor is a
subscription advisory service tailored to customers’ industry and personal information
needs. Four times a year CTOMentor will provide a four-hour briefing for
subscribers and their staffs on the most important emerging technology trends
that could affect their businesses. As part of the service, subscribers also
get a weekly email newsletter containing links to the Top 10 Must Read articles
needed to stay current.
CTOMentor
- Don’t Believe What You See: We’ve
officially crossed over into the post “I’ll believe it when I see it” era. It’s
definitely been coming, what with all the digital special effects in movies
these days. The most compelling evidence of this milestone is a movie sent to
me by a relative (all 8 megabytes). The short movie, called 405, by
Bruce Branit and Jeremy Hunt, demonstrates yet another hazard of driving in Los
Angeles. You’ll need Windows Media Player, RealPlayer, or another
Windows-Media-capable plug-in to view the movie. The link below takes you to
the movie site. But don’t click the link to watch it if you’re not prepared to
wait while 8MB downloads! After you watch the movie, contemplate the fact that
the two moviemakers made it in their spare time over three months using a
consumer digital camcorder, readily available digital image manipulation
software, and three high end consumer PCs.
405
- Sometimes the Magic Works: In a previous
SNS, I reported on that bane of pundits’ existence: a bad prediction. So now I
feel like I can crow about one that turned out right. In a presentation
last May, I stood up in front of an audience of telecom folks and said that,
despite what some analysts were saying, telecoms lacked many if not most of the
characteristics necessary to become successful Application Service Providers
(ASPs). This did not sit well with many attendees, despite the fact that I
pointed to a couple of telecom companies that might have a chance: Qwest and
Cable & Wireless.
Well, C&W recently folded its a-Services division due to lack of demand
from small- and mid-sized enterprises for hosted application services,
according to C&W a-Services President Jeremy Thompson. In a great example
of spinspeak, Thompson said there was “delayed interest in the marketplace.” In
other words, nobody was buying. “We still believe fervently in software as a
service,” he said. “It's just that we got to market too quickly,” the fact that
hundreds of ASPs are making a go of it notwithstanding.
InteractiveWeek
Copyright © 2002, StratVantage Consulting,
LLC. All rights reserved.