Archive for the 'Government' Category

Feb 24 2010

LMSD should have used due process

Published by Martin under Apple/Mac, Family, Government, Privacy

I make no secret about being a privacy advocate, however many people misunderstand what I’m against when I talk about our government spying on us.  I firmly believe that having the ability to monitor communications, search people’s houses and generally stick their noses in anywhere are all abilities that local and federal law enforcement agencies need to have.  But there’s one caveat I believe must be in place: for any sort of monitoring and spying there has to be oversight by a third party and a way to redress problems when someone abuses this power.  This oversight is one of the primary reasons cops have to go to judges to get a search warrant and we have many of the freedoms we do in the US.  Without oversight, we’d descend into a police state that matches the worst of our criticisms against countries such as China and Iran.  This is a lesson the administrators at the Lower Merion School District forgot in their rush to use cameras on student laptops to spy on the kids and prove wrongdoing that may or may not have been there.

Unless you’ve been hiding under a rock for the last week, you know about this case; quick recap is that a Vice Principal used a picture captured using LANRev on school provided laptops to accuse a student of taking drugs.  This prompted a class action suit and a potential criminal investigation into the district’s use of LANRev to illegally spy on students.  There’s a lot of damning evidence available on the Internet and it’s looking likely that a number of people will be facing criminal charges.  And it’s all because these people believed they were doing the right thing in tracking their laptops and their students without some form of oversight to tell them they were being complete and utter idiots.

Absolute Software, the makers of LANRev, understand that giving customers unrestricted access to spy using their computers is a major problem; they require that a police report be filed before the spying capabilities of their other, similar products such as LoJack are activated.  First of all, this creates the oversight advocates such as I crave.  Not too many people are going to report a laptop stolen so they can spy on their significant other.  Secondly it creates a paper trail that lays out when and why the spying capabilities were activated.  Even after these capabilities are up and running, it’s under the control of Absolute, not the end user.  In their own words this prevents “potential vigilantism” and other abuses of power.

If what the families in the Lower Merion School District are claiming is true, and it appears more and more likely it is, then folks like the Vice Principal at Harriton High are definitely vigilantes, someone who illegally tries to mete out punishment to a criminal.  There’s a reason we have due process and the administrators of LMSD forgot all of them in their fervor to catch students doing things they shouldn’t at home.  They also forgot that the responsibility of schools and teachers is to teach, not law enforcement.  If they truly believed there was wrongdoing going on, the police should have been called in and proper procedures should have been followed.  There’s still a good probability that using LANRev without a search warrant would have been considered an invasion of privacy, but if it was done with police involvement, there’s a lot lower chance they’d be in the hot water they’re in now.  And maybe someone with a little knowledge of the law would have said, “Hey, that’s one monumentally stupid idea you’ve got there.”


Feb 20 2010

Interview in the LMSD case

Published by Martin under Apple/Mac, Family, Government, Privacy

Here’s an interview with the family of the student who is at the center of the Lower Merion School District case.  I’m glad I didn’t see the interview before I’d written my previous post on the situation.  If what the family says is true, almost every statement that the school has made so far is false, from claiming that the spyware was only used 42 times to the statement that it was only activated when a laptop was reported stolen.  The Vice Principal accused Blake Robbins of trying to sell drugs online with proof of a picture taken from the laptop.  What Blake says he was really holding up weren’t drugs but candy.  And the Father hits the nail on the head in saying that his biggest concern is his 18 year old daughter who also has a school provided laptop with the same software installed.

I’m not exaggerating when I say I believe that the majority of the administration at the Lower Merion School District needs to be at least suspended pending investigation if not summarily fired!  The utter lack of moral and ethical compass that was required for this situation to come about is staggering.  I can understand wanting to protect an investment, but the slide from that to spying on school children should be obvious to anyone with a shred of common sense.  Lacking that much common sense tells me these people are unworthy of being in the school system and of teaching our children basic knowledge.  The LMSD is going to have to do serious damage control and their first step has to be keeping the people involved in this mess away from children.

This situation is going to have far ranging consequences and will hopefully change the way school administrators feel about monitoring students.  If your school district provides computers for your children, you need to make them aware of this situation and ask them if they’re doing anything similar.  If they answer yes, demand a full audit of the system and who accessed it immediately!  Don’t take ‘no’ for an answer; get a lawyer involved if you have to.  If you’re a teacher or an administrator who has similar software installed on laptops you’ve provided to your students, disable the program immediately and begin an audit of your systems and who accessed it.  It’s better to be proactive and discover that your system was abused than find out because you’re being hit with a lawsuit.

I’m putting down the keyboard now because I can barely express the outrage I feel at this situation. 


Feb 20 2010

Don’t spy on my children!

I am amazed that the administration at Lower Merion School District (LMSD) couldn’t figure out something my eight year old son realized in just a few minutes, “Spying on people in their own home is wrong.  And really creepy.”  But they obviously couldn’t, so when they supplied 1800 students with Apple laptops 18 months ago, they included software with the laptops that would allow them to track stolen laptops and remotely turn on the iSight cameras on the Macs and take pictures of the thief.  Or pictures of a student doing something unnamed and naughty in his own home.  And then use that picture as evidence to prove that a student was doing something inappropriate in his own home.  After all, who’d ever think a teenager with a laptop would do something inappropriate when home, alone, with access to the Internet and all the sites that are normally forbidden to him?

When LMSD purchased 1800 Mac laptops for their student body, they made what was obviously a legitimate decision in their eyes: place software on the laptops that would allow the district to track their investment if it was lost or stolen.  These are laptops we’re talking about, they’re highly mobile and cost approximately $2000 each, so it’s understandable that the district might want to protect their investment.  But they never told the students or their parents that the software came as part of accepting the laptops.  As far as I can tell, the software installed was most likely one of the following:  LoJack, Undercover, MacTrak, BigFix or Hidden.  All of these systems are meant to be used to track stolen laptops, have the ability to turn on the camera remotely and can take screen captures and pictures through the Mac’s iSight camera.  There may be several other solutions, and with the exception of BigFix, these are all consumer level products that are meant for one user to track one laptop and aren’t really meant for tracking a large number of users.  This is important because an enterprise version of this spyware is going to have significant logging capabilities, whereas a consumer version might be utterly lacking in logging.  Allegedly, only two administrators had access to the systems for turning on the tracking and camera capabilities of the software.  What we’ll have to see now is what sort of logging the use of the software generated.  If it’s a consumer level product, I don’t have much hope for an accurate count, unless the tracking service itself keeps a log of how often the tracking of each laptop is turned on.  LMSD maintains that they “only” used the software 42 times or less than 50, their stories are conflicting.

I’ve been working in IT for a long time and a lot of my friends and acquaintances are people who would loosely be called ‘hackers’ by the public.  I don’t mean the people who are trying to break into your computer, I mean the people who test the limits of any system they come in contact with, just to see what it can do.  Most of the people I know who are good at their IT and computer security jobs are like this; they want to push the envelope so that they know what their systems can and cannot do.  Which is why having tracking and spying software on student laptops scares the snot out of me!  I know from personal experience that one of the first things the administrators of this system probably did was test it to see what they could and could not see from using the spying software, see if they’d be detected when it was turned on and see how they’d be tracked when they did turn on the spy software.  In and of itself, this attitude isn’t a bad thing, it’s part of the nature of the business we work in and the people it attracts.  But given the sensitive nature of who and where these laptops were going to be, unless there’s a complete, unmodifiable log of everything that was done using the spyware, I’m all but certain it was abused at least once during the time it was enabled on student laptops.

Another potential for abuse is exactly what happened to crack this whole issue wide open; a well meaning, if ignorant, Vice Principal used the capability of the spyware to take a picture of a student doing something he wasn’t supposed to.  It’s not clear yet exactly what the nature of the student’s abuse was, if his laptop had been reported stolen, if the software was activated for some other reason or if this was part of a systematic spying on the students.  What is known is that the Vice Principal used pictures taken from the iSight camera with the spying software to confront a student and his family with evidence of wrongdoing in a misguided attempt by the Vice Principal to do what she considered to be the right thing.  Unluckily for her, when it comes to spying on students at home, it’s much less of a slippery slope and more of a sudden drop off into the abyss of ‘1984‘.  I guess the whole school district skipped the ethics class when they were earning their teaching credentials.

The scariest potential abuses of this system both involve people who’d purposefully and knowingly break the rules the school set around this spying system.  Imagine if one of the administrators of the spyware was a closet pedophile or simply thought one of the students was much more mature than his or her years.  Students probably had their laptops sitting on their desks and undressed in front of them fairly often; after all, normal people don’t think their laptop is going to spy on them, so why bother turning it off or closing it before getting ready for bed.  Even worse is the thought that some student or malicious outsider (the classic media definition of ‘hacker’) found out that LMSD had this software installed and was able to break into the spyware system and use it at will.  These are merely suppositions, worst-case scenarios, but they are some of the factors that LMSD should have thought of before implementing spyware on student laptops.  A system that has this much potential for abuse should have a similarly appropriate level of tracking, alerting and logging to prevent the curious and malicious from doing unethical, illegal and immoral things.  Don’t be surprised if at some point in the near future pictures of LMSD students start showing up on the Internet.

The good news is that in addition to the civil suit the Lower Merion School District has been hit with, the FBI has started an investigation into the allegations of wrongdoing.  The lawsuit alone is going to cost LMSD more than losing every last laptop would have, possibly by several orders of magnitude.  The business decision to track the laptops therefore turns out to be an utter failure.  Hopefully the FBI will be able to poke around the LMSD systems deeply enough that they’ll find any abuse of the system or confirm the district’s assertion that the system was only used 42 times.  This is where all the logging capabilities of the spyware will be tested and the software vendor should expect a subpoena and visit from the FBI soon.  My suggestion to the FBI would be to pay special attention to any system administrator or school official that has had their computer recently re-imaged; while not proof of guilt, given the severity of the potential crimes that could be committed with the school’s spyware, it’d be worth sending out the hard drives for recovery of the previous file system.
 
I truly hope that the FBI finds that the LMSD number of 42 times the spyware was used is accurate.  That would mean that most of my worst case scenarios haven’t happened.  But I suspect that even if the system wasn’t purposefully abused, 42 only represents the number of times that the spyware was used while going through the proper processes and procedures at the school district; it might have been used or abused many more times by the people who had access to it by design or by flaw.  And even if 42 is accurate, it will be up to a jury to decide if each of those uses were justifiable and legal.  In a civil court it’s going to be much harder for the school district to defend itself than it will be when the criminal charges are brought against the people responsible for the installation of the spyware.  And I’m confident that at least one person will be brought up on charges unless the whole school district is run and managed by people who are perfect angels.  Given that the system has already been abused, I’m pretty sure that supposition has been disproven.

I’m a parent of two pre-teen boys.  I probably wouldn’t have accepted a laptop from the school for either of them personally; I have more than enough computing power at home that I don’t need to bring someone else’s computer into the house.  And if this had happened in my school district, I’d be screaming for blood.  The school administrators who instigated and ran this program need to lose their jobs; they obviously don’t have enough of a moral compass to understand the difference between right and wrong and have no right to be working with children and teaching the next generation.  That may sound harsh, but these are people who thought that the security and safety of a few laptops was more important than the privacy and safety of the students who were using the same laptops.  A piece of hardware may be expensive, but it’s infinitely less important than my children and the children who live in the Lower Merion School District.  The inability to see that fact is proof of their utter lack of suitability to be working with children in the first place.

It may be that we find out that the spyware LMSD installed was never abused and that every instance of its use was justifiable.  But the installation and use of the system in the first place without notifying the parents and students was an utter and complete violation of these families’ civil liberties and right to privacy, not to mention the administrators’ ethical responsibility.  It shows that the school district placed more value on the laptops than the Constitutional rights of these families.  I find that unacceptable and hope that between the civil suit and the FBI investigation a strong message is sent to schools around the country that this sort of spying on students is not and never will be acceptable in any way, shape or form.  I hate to think about what I’d do if I ever found out my sons’ school district was spying on them in this way; there’s a reason I earned the nickname “Captain Privacy”.


Nov 08 2009

Ethics of spilled COFEE

Last year Microsoft released a tool called COFEE (Computer Online Forensic Evidence Extractor) to law enforcement agencies around the nation and around the world a couple of years ago.  While COFEE is a professional tool, it’s meant for the average police officer who may not have a lot of experience with computers; you just plug in a USB key with COFEE installed and if autorun is enabled on the computer, it will run a series of diagnostics, write a report and generally give a quick and dirty analysis of the computer.  It’s not an exhaustive tool and most of the commands and tools that COFEE uses are things that you already have on your computer and could run manually any time you want.  It’s a tool law enforcement officers need and should have, and it’s been a pretty closely guarded tool – until now.

In the last 48 hours, a user on what.cd uploaded a torrent of COFEE and made it available for any user to download.  Which, of course, means that it’s now available on any number of bittorrent sites.  The site it was originally found on did something they rarely do and took the torrent offline, but it was already too late and the tool is in the wild.  Even if many of the bittorrent sites agree to pull the torrent, there are enough users who have the file and enough sites that will be uncooperative that it’s very unlikely that this djinni can be put back in the bottle.  The fact that this tool has been a big mystery before now has made it very enticing, but getting your hands on a copy has been limited to a very few people who were in law enforcement or had friends that were.

It needs to be pointed out that COFEE is owned and jealously guarded by Microsoft.  I won’t be surprised if they start going after people to get this removed from the Internet.  Surprisingly the folks at What.cd say they took down the torrent on their own, with no prompting from either Microsoft or law enforcement.  It may be that they decided the amount of attention it could draw to a site like theirs was more than they were willing to itself.  Or it could be they did it for altruistic reasons, but I’m more willing to believe in the former than the latter.

Now that the COFEE has been spilled into the tubes of the Interweb thingy, what are our moral and ethical responsibilities as security professionals concerning the tool?  Should we ignore it and hope the police can pull it off the bittorrent sites before everyone and their brother have a copy?  Should we be reporting people who make it available?  Or should we be reviewing the tool ourselves and proposing ways to make it better?  This is a tool that’s aimed at letting police officers who are computer novices collect valuable forensics information using applications that are available natively in Windows and creating a simple report for future reference.  While this is interesting, it’s nothing top secret or even that revolutionary.  I suspect the main reason it was only available to law enforcement officers was to keep the malware creators and hackers from learning the limits of COFEE and figuring out ways to prevent it from collecting anything if they ever have their own computers compromised.

Personally I think the tool’s been leaked and rather than try to get it back, law enforcement and the security community should be concentrating on providing an even better tool that will do everything COFEE can do and more using open source tools.  There are any number of forensics tools already out there that will do a very good job of evaluating a desktop’s running configuration that could be made at least as easy to use as COFEE; the hard part would probably be getting law enforcement agents to accept something that didn’t have a huge name like Microsoft behind it.  For example, if a limited version of Backtrack was created that would run when you plug a USB key into the computer, the amount of data collected could be greatly increased. 

If there are already other tools available that can easily and cheaply provide law enforcement with forensics evidence they can use in court, I don’t know of them and would appreciate some pointers.  If not, someone needs to create something and make it available to law enforcement, especially if it’s something that’s easy for a computer neophyte to use.  I don’t think that having COFEE leaked reduces its effectiveness or makes it harder for law enforcement to use, but I believe that the open source community can create a better tool and make it available to everyone without feeling a need to keep its capabilities secret.

 


Oct 26 2009

Respect the law, but don’t talk to them

Published by Martin under Government, Security Advisories

I knew about the Miranda act and the Fifth Amendment, but I’d never really realized how little protection they offer if you decide to talk.  The words “Anything you say can and will be used against you” really mean exactly what they say.  I’m not much of a trouble maker, despite what some of my previous employers might say, but after watching a pair of videos from the University of Alberta (watch them below or on the Law is Cool site), the only words I’m going to say to a police officer from now on are going to be “I want to talk to my lawyer”. 

The point that the professor makes again and again is that there is nothing you can say to a police officer that is going to help you.  You are infinitely more likely to say something that can be used against you, even if you’re innocent, than anything you say helping you.  The part that surprised me is that even if you say something that could help you to the police, your attorney can’t use it in your defense.  That may just be the law in Canada, but I’m not willing to take the chance.

Even if you’re completely innocent and were just a witness to a crime, do yourself a favor and have a lawyer present.  It’ll cost you some money, it’ll cost the police some time, but it might make the difference between potential problems and walking out of the police station at the end of the interview.  People get excited and make mistakes, and things sometimes come out the wrong way.  Better to remain silent and be thought a fool than open your mouth and remove all doubt.  The officer in the video states several times that the police are allowed to lie in interviews; in a worst-case scenario, what you thought was just making a statement could turn into a full on interrogation if you misspeak, even if it’s an honest mistake.

This should make the holiday season interesting; my BiL is a Southern California police officer and I don’t think he’d see the humor in me bringing a lawyer to the family get togethers.


Oct 07 2009

Even the FBI Director falls for it sometimes

It takes a brave man to admit publicly that he almost fell for a phishing email, especially when he’s the head of one of the biggest law enforcement agencies in the world.  It takes an even braver man to admit that his wife has forbidden him from doing any online banking in the future.  But that’s exactly what FBI Director Robert Mueller did earlier this week; he told the world that he almost fell for a phishing scam recently.

I can’t blame Director Mueller in the least.  Like most people who have a semi-public email address, I get several hundred spam and phishing emails a day.  If I let my account go for a weekend, it’s not uncommon for me to end up with over a thousand messages in my spam folder and 40-50 that make it through several layers of protection to my in box.  And of those I can dismiss 90% with a glance.  But it’s that last fraction of a percent that really worries me.  I have to take a long close look at them and I still don’t know sometimes if they’re really phishing attempts or just poorly written emails from one of the dozens of people I have legitimate business with.  If there’s any doubt in the end, I delete them without the email.  I’m sure I’ve deleted some real emails from time to time, but I’d rather not take the chance.

I wish it was as easy as saying “Your bank will never send you a link to click on”, but the truth is there are a lot of banks that really will send you links in an email.  To make matters worse, some of them will use odd domains or redirect through other company domains.  It’s easier for them to market to you if they can send you a nice easy link to click on for that new mortgage.  And we’ve all encountered marketing and sales professionals who don’t get it even if you try to explain until you’re blue in the face.  Some IT professionals don’t understand it any better and I’ve even run into some security professionals with the same weakness.  Phishing emails are purposely confusing and as close as possible to the real thing as they can get in order to get through.

I hate to bang the drum of “we’re losing the cyberbattle”, but right now, I think the tide is in favor of the bad guys.  And I think it’ll get worse before it gets better.  But unlike 10 or even 5 years ago, the FBI and other law enforcement agencies are getting geared up to make a real difference in the war.  We’ve got a few years before the tide starts to turn again, but I think we’ll start seeing some effect much sooner.  The FBI’s arrest of 33 people in Operation Phish Phry is a good start, but it’s only a drop in the ocean.

Update:  Thanks to Walt Conway for letting me know I had the wrong link and sending me one for Operation Phish Phry as well.


Jun 20 2009

Saturday morning reading for 06/20/09

There have been a lot of stories this week I wish I had the time to write about, but given the choice between blogging or getting ready for traveling to Kyoto, Japan to speak at and podcast from the FIRST conference, preparation has been winning out.  My wife is going with me and she’s been shouldering a lot of the mundane, pedestrian tasks, but I don’t think she can write up reports for me or get ready to make presentations in my place.  Of course, if I could teach her how to do those things for me I would have a lot more free time; which I’d probably fill up immediately with more blogging or maybe tweeting.  Spending more time on Twitter is exactly what I need (that’s sarcasm, for anyone who doesn’t follow me on Twitter).  As silly as it may sound, I’m also starting preparations for Black Hat and Defcon, even though they’re nearly six weeks away.  By the way, it was revealed late yesterday afternoon that Adam Savage from the Myth Busters will be speaking at Defcon 17!  My kids may force me to take them to Las Vegas just so they can see him.

First off, I have a cluster of stories on PCI.  MasterCard stunned a lot of us this week by changing the requirements for Level 2 merchants, making it mandatory for them to have an annual audit by a Qualified Security Assessor (QSA) by December 31, 2010.  I still haven’t talked to anyone who had an idea this was coming, other than in very general terms, so it’ll be interesting to see how this plays out over the next couple of months.  I need to catch up with Avivah Litan some time and find out where Gartner’s negative view of QSAs comes from.  Three more PCI stories that are related are “Weak Security enables credit card hacks” from AP, “Security issues weigh most heavily with acquirers, research says” at Digital Transactions and “Best practices for protecting banking sites” at BankersOnline.com.  It’s good to have a story with some solutions, or at least ideas, to go with some posts about all the security problems we’re facing.

Next up is a couple of stories about some of my co-workers.  The guys over at Spider Labs got called in to look at some malware that was found on ATM machines in Europe.  With the right ATM card and a few keystrokes, bad guys could have the ATM machines spit out receipts with card numbers, PINs, expiration dates and nearly everything else that’s on the Track 2 data.  Then the software can quietly erase itself so minimal evidence is left behind.  The You Shot the Sheriff conference is going on this weekend in Sao Paulo, Brazil and a pair of the guys from Spider Labs will be presenting on Rich Internet Applications and the risks they pose.  Potential disaster because of Silverlight and Adobe AIR?  Not possible (again with the sarcasm).

Finally, I have four unrelated stories:  First of all Jeremiah Grossman is asking the Feds to make it legal to hack .Gov and .Mil sites.  We know these sites are mostly insecure, we know hackers are already attacking them, so why not set some rules of engagement and let white hat and grey hat hackers attack them as well, provided they report the findings back to the site owners?  The idea has some merit, but I’m still on the fence for this one.  Speaking of government web sites, the Department of Homeland Security now has a blog.  Now if Secretary Napolitano would just stop by the Bay Area for a short chat like her predecessor did, I’d be very happy.  Of course, it may be that asking lightning to strike twice is unreasonable of me, but I can dream.  Dave Shackleford has a post about an interesting book, “Adventures of an IT Leader”.  I don’t have time to get a copy from Amazon for the flight to Japan, but it sounds like interesting reading.

The last story is “the evolution of a blogger’s ego” by Jason Alba.  Any blogger who says they don’t have a fair amount of ego tied to their writing is lying, either to themselves or to you.  It’s not a bad thing to be proud of your writing, but some of the yardsticks bloggers have been using to measure their success have been superseded by new measurements.  Comments on your blog used to be what’s important, now it’s how many tweets, retweets, friendfeed comments, etc. which are important.  The conversation’s getting more and more fragmented between bloggers and their audience, but it’s also getting more interactive daily.

I’ve got another PCI related post to write this weekend, so that’s it for now.


Jun 15 2009

Green Dam stops a lot more than just Pr0n

Published by Martin under Government, Privacy

Let’s put filtering on every computer in the country because we want to protect our 14 year old boys from seeing any inappropriate images, because that’s always worked so well in the past!  Or at least that’s what the Chinese government is saying about their new piece of ‘security software’, Green Dam.  Like something as simple as a filtering software is going to stop a semi-intelligent teenager from finding pictures of women on the Internet?  And if it is somehow fairly effective, what’s to stop them from going out and finding a magazine or three?  Of course, all the talk about ‘protecting our youth’ is just a smoke screen for having an excuse to put a program on the computer that stops any sort of activity that might possibly be considered subversive by the Chinese government.

I find Green Dam interesting for two reasons.  The first is that this isn’t just a web traffic monitoring program; it monitors all behavior on the computer and will terminate any program that has ‘inappropriate information’ entered into it.  The example given by Telecom Asia states that simply typing ‘falundafa.org’ into Notepad is enough to get the program terminated.  Even if you’re not trying to get to the actual site, Green Dam is set up to stop you from having any sort of information including the URL in use on your computer.  I guess if you stretch your imagination a little bit, this might be something that’s needed to protect the youth of China from the corrupting influence of Falun Dafa.  Or if you’re cynical, it’s just another way the Chinese government is trying to make sure that anything even vaguely subversive never sees the light of day.

The other part I find interesting (and funny) is that it appears at least part of the code for Green Dam is completely stolen code.  Not that the company responsible for ‘creating’ Green Dam admits this as fact or even is willing to admit it as a possibility, but finding code and update instructions for Solid Oak’s product in Green Dam is pretty conclusive evidence.  Given that much of Asia has long held copyright issues to be someone else’s problem, as long as it’s Asia that’s doing the stealing, this doesn’t really surprise me.  Unluckily, it doesn’t appear that any bugs in the original code have been fixed.

The especially disturbing part of Green Dam is that given the base of its code, it could easily be updated to monitor all traffic and activity on one computer or all of the computers that have it installed.  I have to assume that the Chinese government will have a mechanism already in place to update particular computers and begin monitoring and tracking everything that’s happening on the systems.  As if what they’re doing already wasn’t enough.


Apr 10 2009

Yes, Virginia, our infrastructure really is this fragile

Published by Martin under Government, Hacking, Risk

All it took was a hacksaw and a few minutes underground and someone was able to take down internet, phone and cell phone coverage for much of the south Bay Area here in California.  Four fiber optic cables in San Jose and two more in San Carlos were cut yesterday, effectively taking most of Silicon Valley off line and causing thousands to lose their connectivity and be without services for hours.  And now AT&T is offering a $100,000 reward for any information that will help them catch the person who cut the cables.

So why would someone cut these six cables?  This had to be someone who had some experience with AT&T, Verizon and Sprint, since they knew not only where to find the cables underground, but knew which cables to cut to cause the maximum damage.  Which means this was thought out and intentional.  My first thought is that it’s some Hollywood movie caper where the bad guys are trying to silence an alarm at one of the businesses affected by the outage so they can perform dastardly deeds undisturbed.  My second thought is that it’s someone using this to cover up some sort of wire tapping they’re putting in place while everyone’s attention is gathered elsewhere in the infrastructure.  Someone who’s not a governmental agency, due to the loud nature of the event; they’d be much quieter and just install something in the basement of AT&T. Except that’s already been done.

But the reality is probably closer to a disgruntled employee who was recently laid off by one of the companies affected by this event.  Someone who knew enough about the infrastructure to understand where the systems would be most vulnerable, know how to get to the cables and know how to cut the least of them to be the most effective.  While the overall infrastructure of the Internet and our communications systems are generally robust, this event proves that connectivity to a specific area can be easily disrupted if you know where the pressure points are and how to affect them.  This might be knowledge that can be gained in some other way, but the simplest explanation is that it was someone who’d worked on these specific networks and knew exactly how to cause the most damage quickly.  If you’re someone who’s recently been laid off by one of the companies affected, don’t be surprised if you get a knock on your door by an investigative agency in the next couple of days.

In reality, this wasn’t much more damage than might be caused by a severe winter storm downing a couple of trees, but the amount of press coverage it’s created is far more damaging to the telecom companies than a downed tree would be.  It shows that despite all the redundancy that they advertise, or at least is assumed by most people, they still have portions of their networks that can be taken offline with a couple snips.  This is not the sort of embarrassment that any company wants to have aired so publicly.  No wonder they’re offering such a big reward; the PR to recover from this is going to cost them a lot more than the reward itself.  And what if the vandal strikes again, perhaps somewhere even more vital?  Some sort of explosive placed in the right part of downtown San Francisco could take a heck of a lot more than 60,000 people offline for a long time.  Don’t be surprised if we see this labeled as ‘terrorism’ and have the alert level raised in the Bay Area until this person is caught.

Update:  I wish I’d seen this article before writing my own.  I hadn’t known there were contract negotiations going on between AT&T and the folks who do a majority of their repair work.  That could provide a heck of a lot of motivation to someone who’s affected by the lapsed contracts.  And explain why a hacksaw was used instead of something more destructive.


Mar 31 2009

House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology

Published by Martin under Government, PCI

PCI was under fire today during a US House of Representatives subcommittee meeting.  If you didn’t watch the meeting while it was in progress or watch the tweets that Anton Chuvakin, a few other security professionals and I were sending, you missed what will end up being a very important meeting for the future of PCI.  Our representatives asked some very pointed questions and both Robert Russo from the PCI Council and Joseph Majka from Visa were put on the hot seat.  The representatives from Michaels and the National Retail Federation definitely were in an adversarial position to the PCI Council and the card brands.  It made for great spectator sport.

The video’s supposed to be available soon, so if you’re interested in PCI, take a little while and watch this. It was only the opening round in what promises to be a very interesting set of meetings to determine the future of PCI. 

Do the Payment Card Industry Data Security Standards reduce Cybercrime?
