Archive for the 'Hacking' Category

Aug 16 2015

Interview, Dr. Engin Kirda

Published under Hacking, Podcast

I sat down for a few minutes to talk to Dr. Engin Kirda, Chief Architect at Lastline and professor at Northeastern University in Boston.  We discussed the next generation of security professionals and his BH talk about the sophistication (or lack thereof) in modern ransomware.  And, as with all interviews this conference, I asked about the OPM hack and retribution.

Interview with Dr. Engin Kirda, Lastline


May 10 2015

Spying pressure mounting worldwide

It’s been an interesting ride ever since Edward Snowden came out with the revelations about NSA spying efforts two years ago.  There was a huge public outcry at first, both from the side who believes spying on your own citizens is unacceptable and from the side who believes spying on your own citizens is a vital tool in protecting them.  Both sides of the argument have been trying to sway public opinion, with varying degrees of success, but it’s been the spy organizations that have been getting their way as judges and lawmakers side with them for the most part.  But that’s slowly changing and there’s additional pressure mounting on both sides of the argument.  It’s only a matter of time before the pressure seeks an outlet and it may be explosive when it does.

The first problem with spying by intelligence agencies in the US was that it was so secret that most courts couldn’t even get enough information about the practices to determine who had a right to sue for relief from the situation.  You can’t sue the US government unless you can prove you have standing in a case, that you are affected by the action, but you couldn’t prove you were one of the people who were spied upon if the information is too secret to be released even to the court.  So for nearly two years, that venue of combating governmental spying has been stymied.  As of last week though, that’s started to change as the US 2nd Court of Appeals in Manhattan declared that Clause 215 of the Patriot Act did not give authorization for massive collection of phone data.  The ruling also gave the ACLU standing in the case, enabling further legal action, but stopped short of declaring the spying efforts unconstitutional.  In a move that probably didn’t surprise anyone, multiple Senators and Presidential wannabes called for new laws to give the NSA and other agencies the power the court just denied them.

Abroad, there’s also a lot of push back against not only American spying, but against the national organizations who are cooperating with American organizations.  Germany’s Federal Intelligence Service (BND) had been cooperating with the NSA for years, feeding the American organization information directly from their telecoms and ISPs, enabling the NSA to track German citizens in ways the BND might not be able to.  This got mostly overlooked when it was revealed that the US was listening in on Angela Merkel’s phone calls, but recent activity and the NSA’s refusal to give justification for the information they’re asking for has caused the BND to stop cooperating with the NSA and is creating quite an uproar in Germany.  Merkel’s political party has been under a lot of pressure because of the information the BND has been providing and there have even been calls for the resignation of the German Interior Minister.

Those are the recent wins on the anti-spying front.  On the other side, advocates of spying continue to push in all sorts of ways, from asking for golden keys in encryption technologies to calls for more power from legislators and less oversight by the judiciary.  Last week’s elections in the UK have emboldened Home Secretary Theresa May to call for the re-introduction of the so-called “Snooper’s Charter” in the country.  GCHQ already has significant powers within the UK and abroad, but the Draft Communications Charter Bill would extend these powers considerably and lessen any oversight on law enforcement agencies.  The good news is that even members of her own party are critical of the bill and might not be willing to back her call for further power.

Proponents of spying powers have nearly religious respect for the government’s need for these powers and the government’s restraint in their use.  Theresa May seems to believe that any judicial oversight is too much and that the government can’t be restrained or the terrorists will win.  In the US, Supreme Court Justice Antonin Scalia has long held similar beliefs and has been very vocal about it.  Last year he presented to a Fordham University class on law, strongly stating that such powers are needed and cannot be limited.  This year when he went to present, the professor had given his class a new assignment: using only publicly available information, create a dossier on Justice Scalia.  The 15-page document was presented to the Supreme Court Justice and included extensive information about his finances and family.  Rather than take this as an example of what the NSA or any other organization has at their fingertips and a warning as to why this might be dangerous, Justice Scalia blasted the teacher and his students, questioning their ethics and judgment.  It seems that it’s okay when an impersonal national agency does it, but not when a small group of students research the Justice.

And adding to the pressure cooker of the spying argument, China and Russia have signed an agreement not to hack each other.  It’s probably more accurate to say they’ve agreed not to get caught at it, but this means that their considerable resources will be at least partially turned away from each other and to different projects.  Most people would identify the US as the primary target of the freed-up hackers, but there are plenty of other places they can put their efforts.  In a lot of ways, it’s like two gangs agreeing not to horn in on each other’s territory while they deal with a third gang.  Add in Russia’s upcoming data localization laws and things get very interesting, very quickly.

“May you live in interesting times” certainly applies.  There’s pressure from all sides, some wanting to increase spying, some wanting to curb the capability of Western law enforcement agencies.  Both sides have valid points, but it’s a trade-off between the security that such spying might provide versus the damage to civil liberties and personal freedom that it causes.  There’s been almost no proof that spying by international agencies makes us safer, but by the same token it’s hard to express clearly how spying damages the lives of average citizens.  In many ways this is going to be one of the defining issues of the early 21st century and will determine the future of our civilization.  Do we defend our liberties or do we give governments the power to protect us from ourselves?  Only time will tell.


May 04 2015

Dad, I want to learn to hack

Published under Family, Hacking, Social Networking

My teenagers, like many teenagers, are curious about what their father does for a living.  They’ve been to maker faires, security conferences, unconferences, Defcon, BSides, Hack in the Box, and they’ve really enjoyed them all. They’ve heard me talk about all sorts of current events in the context of computer security.  Quite frankly, I’m a little surprised they still want to hear about security and privacy considering my propensity to monologue (aka rant) about most things security related at the drop of a hat.  But they’re both sponges and given that security has become something that’s in the public awareness, they’re still interested in security, and by extension, hacking.  Or maybe it’s security that’s ‘by extension’, because the idea of breaking into something will always be sexier than the idea of securing it.

This weekend that curiosity hit a critical threshold and the oldest Spawn asked “Dad, how can I learn to hack?” Now, I’ve never been a hacker, just a tinkerer who understands a little about a lot of things, so I did what many good security professionals do when faced with a question:  I went to Twitter.  And I got a lot of good suggestions from folks like Wim Remes (@wimremes),  Improbably Eireann (@blackswanburst), Andreas Lindh (@addelindh), Adrian (@alien8) and Erik Wolfe (@ArchNemeSys), just to name a few.  I also got some cynical feedback from Sid (@trojan7Sec), but that’s fodder for a different blog post.

Before I get to the list of sites sent to me, I have to mention another experiment I’m trying with the Spawn and for my own education.  As my co-worker Larry Cashdollar (@_larry0) suggested, I have a Raspberry Pi 2 with Kali Linux sitting in the living room waiting for the Spawn to get curious enough to start poking around on it.  I taught them how to use PuTTY to log into it and let them go, but it is a bit intimidating for a first-time Linux user and it’s mostly sat there untouched so far.  That being said, the very first thing Spawn0 did was to change the admin password on me and lock me out of the system, until he came into my office giggling like a maniac.  It was a proud Dad moment.

So, without further ado, here’s a list of the suggestions:

  • Untrusted – This was the first suggestion I received and the one that Spawn0 immediately latched onto.  He completed everything but the last level in one afternoon.  His feedback was that it’s not exactly a ‘hacking’ tutorial, but that it’s interesting and fun nonetheless.
  • Metasploitable – Another request from Spawn0 was for a Linux VM for him to play with and learn on.  Metasploitable is a great tool for exactly that, especially when it’s coupled with the Kali Linux RPi system to test from.
  • Over The Wire – “learn and practice security concepts in the form of fun-filled games” pretty well sums it up.  I’ve always maintained that security and hacking are more about the thought processes behind decisions than they are about the technology and this helps build the foundations for those thoughts.
  • Hack This Site – This one came in while he was in the depths of Untrusted, so it hasn’t been tested yet.  I played with it when it first came out and I’m interested to see how it’s evolved and how a young adult can learn from the site.
  • Cybrary.it – More of a library than a tutorial, there’s still a lot of information to be gained from this site.  I’m not going to encourage the Spawn to become a CISSP, though I may point him in the direction of the CCNA.  Foundational networking is more important than having knowledge that’s a mile wide and an inch deep.
  • Hacking: The Art of Exploitation – Back to my theme of understanding the foundations, this book looks at the underlying ideas of hacking. Originally published in 2003 and updated in 2008, it’s still recommended reading today.  Thanks to my team at Akamai, I brought home a copy of Future Crimes by Marc Goodman from RSA, and both of the Spawn are taking turns reading it.  Might explain the uptick in hacking interest.
  • Mathy Vanhoef – I was pointed to the Memory Hacking blog post, but there’s a lot crammed into a few posts on this site.  Probably beyond a beginner, and some of it’s beyond my understanding as well.

I don’t necessarily want either of my underlings … I mean children … to follow in my footsteps and become security professionals, but I’m a strong believer in exploring as many different interests as possible.  And anything they learn about hacking, from the underlying philosophies to the technical details, will be helpful in their future.  No matter what they decide to do with their lives, knowing how to program, how to hack and how things work at the bits and bytes level are going to be important in their futures.  And it gives me an excuse to dust off some of my own skills as well.

More suggestions for sites to add to the list are appreciated.

Edited to add suggestions from Twitter:

  • From @gianluca_string – Exploit Exercises – A host of virtual machines to beat upon and break.  Gianluca Stringhini says he’s using it in his hacking class this semester.
  • A glaring oversight when talking about teaching kids to hack was HacKid Conference.  Both of the Spawn consider this to be the best experience they’ve ever had at a security conference.  Wish I could take them again, but living in the UK makes it unlikely. (hat tip to @beaker and apologies for missing this the first run through)
  • From @EricGershman – PicoCTF – This was a competition for middle and high school students last year, but it’s been continued with access given to teachers for tracking their students.

Oct 14 2014

Wake up to a POODLE puddle

TL;DR – Disable SSLv3 immediately.

As of this morning SSL appears to be dead or at least dying.  The POODLE vulnerability in SSL was released last night, basically revealing a flaw in the way that SSLv3 uses its ciphers that allows an attacker to mount a plaintext-recovery attack against the encrypted traffic.  This makes the third major vulnerability released on the Internet this year and is another warning that this level of vulnerability discovery may be the new shape of things to come.

I’m not going to try to explain POODLE in detail, or give you a nice logo for it.  Instead I’ll just point to the better articles on the subject, a couple of which just happen to be written by my teammates at Akamai.  I’ll add more as I find them, but this should tell you everything you need to know for now.

Update: It’s estimated that SSLv3 accounts for between 1% and 3% of all Internet traffic.
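A quick way to verify the “disable SSLv3” advice on your own servers, added here and not part of the original post: because modern OpenSSL builds (and therefore Python’s ssl module) no longer speak SSLv3 at all, the check sends a hand-built SSLv3 ClientHello over a plain socket and classifies the first record the server returns.  The host and port are assumed command-line inputs and the cipher suite list is a constructed sample of suites SSLv3 servers commonly offered.

```python
"""Check whether a TLS endpoint still negotiates SSLv3, the protocol POODLE
targets.  Added example, not code from the original post."""
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"  # protocol version 3.0 as it appears on the wire

# Constructed sample of real IANA cipher suite code points that SSLv3-era
# servers commonly offered.  SSLv3 has no extensions, so the hello carries
# only a version, a random, a session id, these suites and a compression method.
CIPHER_SUITES = [
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0033,  # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    0x0039,  # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    0x0005,  # TLS_RSA_WITH_RC4_128_SHA
]

HANDSHAKE, ALERT = 0x16, 0x15          # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types


def build_sslv3_client_hello(client_random=None):
    """Return one SSLv3 record containing a minimal ClientHello."""
    client_random = client_random or os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be exactly 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                                   # client_version = 3.0
        + client_random                         # 32 bytes of random
        + b"\x00"                               # empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )
    # Handshake header: type (1 byte) + length (3 bytes), then the body.
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: type (1) + version (2) + length (2), then the handshake.
    return bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Classify the first record a server sent back to the SSLv3 ClientHello.

    Returns "sslv3" for a ServerHello with server_version 3.0 (SSLv3 is
    enabled and must be turned off), "alert" for a TLS alert such as
    protocol_version or handshake_failure (SSLv3 refused), and "other" for
    anything else, including an empty reply from a server that simply closed
    the connection.
    """
    if len(data) < 5:
        return "other"
    content_type = data[0]
    if content_type == ALERT:
        return "alert"
    # ServerHello layout: record header (5) + handshake header (4) + version (2)
    if content_type == HANDSHAKE and len(data) >= 11 and data[5] == SERVER_HELLO:
        return "sslv3" if data[9:11] == SSLV3 else "other"
    return "other"


def server_accepts_sslv3(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 hello and report whether SSLv3 was negotiated."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            reply = b""  # refusal by connection close counts as "not offered"
    return classify_server_response(reply) == "sslv3"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} HOST [PORT]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    verdict = "ENABLED - disable it" if server_accepts_sslv3(host, port) else "not offered"
    print(f"{host}:{port} SSLv3 {verdict}")
```

Run it only against hosts you administer; a server that never answers within the timeout is reported as not offering SSLv3, so re-check anything that times out rather than treating silence as proof.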

And since there’s not an official logo for it yet, I present … The Rabid Poodle!

Rabid Poodle


Aug 20 2014

Heartbleed vs. Juniper

Published under Firewall, Hacking, Privacy

The compromise of Community Health Systems (CHS) is being reported as the first major breach involving the Heartbleed vulnerability.  The details are slim, but apparently the vulnerability was exploited on a Juniper remote management console that hadn’t been properly updated.  Heartbleed is an OpenSSL vulnerability that allows an attacker to dump part of the memory from a vulnerable server.  The portion of memory is used by OpenSSL itself and often carries secrets, which in this case included a set of valid credentials for the CHS VPN.  From there, it was easy for the attackers to get into the rest of the corporate network and make off with 4.5 million healthcare records.

Juniper had released a patch to fix the Heartbleed vulnerability within days of its disclosure, so why was this health organization compromised for three months?  Because patching is hard, especially in organizations like healthcare, where security is often an afterthought, if it isn’t just considered a nuisance that everyone has to work around.  And when I say ‘hard’, I simply mean that it takes a lot of resources, especially time and planning, to make happen, something that’s scarce at every healthcare organization that I’ve ever talked to.  

I do find it amusing that Mandiant was called in to do the forensics on this case and found it linked to Chinese nationals.  Of course it was linked to China; everything Mandiant finds is linked to China somehow.  Or I could just be making light of a serious situation.


Aug 03 2014

Last Hacker Standing, Episode IV – The Last Hope

Published under Family, Hacking, Humor, Podcast

Well, I told you I couldn’t go that long without recording a podcast.  And a couple of weeks ago I got together with my friends Chris John Riley and Dave Lewis and started a new project, Last Hacker Standing.  In the inaugural podcast, we talk news (straight up, with a twist), alongside our wonderful guest Katie Moussouris from Hacker One.  I’m going to try to have fun with this one, not taking it too seriously.  Not that I ever took the Network Security Podcast all that seriously, of course.  Our format is going to be a podcast twice a month, with a guest who will join us to talk about news stories for the first half and talk about themselves for the second half.  We do reserve the right to change this format whenever we please.

Last Hacker Standing, Episode IV – The Last Hope



Jul 17 2014

Root my ride

Published under Government, Hacking, Risk

If you’ve never watched the anime Ghost in the Shell (GITS) and you’re in security, you’re doing yourself a great disservice.  If nothing else, watch the Stand Alone Complex series as a primer of what we might expect from Anonymous in the future.  I know my friend Josh Corman tries to sit down to watch it every year or two in order to refresh his memory and help him understand what might be coming down the pipeline from chaotic actors.  And the authors of the manga/anime have an impressive understanding of what the future of hacking might bring in the long term.  Probably a better idea than the FBI does, at least.

Earlier this week the Guardian got a copy of an unclassified document the FBI had written up exploring the future of driverless vehicles and the dangers they pose to the future. Their big revelation is that driverless cars could let hackers do things they couldn’t do while driving a normal car.  In other words, since they wouldn’t have to actually be driving they could hack while the car drove itself.  Which ignores the fact that it’s already pretty easy to get someone else to drive a car for you, presumably much better than a driverless car will be able to do for many years.  If I’m going to commit a crime, I’d rather have someone I can trust at the wheel, rather than take my chances that the police might have a back door (pun intended) into my car’s operating system.

The Guardian story also hints that the FBI is concerned about driverless cars being hacked to be used as weapons.  I have to admit that this is a concern; hacking a target’s car to accelerate at the wrong time or muck with the car’s GPS so that it thinks the road goes straight when it should follow the curve of the cliff wouldn’t be a massive logical stretch.  Also doing the same to use a car to plow into a crowd or run over an individual is a possibility.  However, both of these are things an unskilled operator could do with a real car by cutting the brake lines or driving the car themselves, then running from the scene of the crime.

I think it’ll be much more interesting when driverless cars start becoming commonplace and young hackers decide they don’t like the feature set and/or controls that are present in the car.  It’s a logical extension to think that the same people who root phones and routers and televisions will eventually figure out how to re-image a car so that it has the software they want, to give the vehicle the capabilities they want.  I know that the Ford Focus has a whole community built around customizing the software in the vehicle, so why will it be any different for driverless cars in the future?

The difference with the driverless car will be that I could strip out many if not all of the safety protocols that will be in place, as well as the limiters on the engine and braking systems.  I want to pull off a robbery and use a driverless car for the getaway?  Okay, ignore all stoplights, step on the gas and don’t brake for anything.  You’d probably be able to rely on the safety features of other driverless cars to avoid you and you wouldn’t have to worry about the police issuing a kill signal to your car once they’ve read your license plate and other identifying codes.  I’d still rather have an old fashioned car with an actual driver, but at some point those might be hard to get and using one would cause suspicion in and of itself.

On the point of a kill signal, I strongly believe this will be a requirement for driverless cars in the future.  I’m actually surprised a law enforcement kill switch hasn’t already been legislated by the US government, though maybe they’re waiting to see how the public accepts smart phone kill signals first.  Around the same time as the kill switch is being made mandatory, I expect to see laws passed to make rooting your car illegal.  Which, of course, means only criminals will root their cars.  Well, them and the thousands of gear heads who also like to hack the software and won’t know or care about the law.

The FBI hasn’t even scratched the surface of what they should be concerned with about driverless cars.  Back to my initial point about Ghost in the Shell: think about what someone could do if they hacked into the kill switch system that’s going to be required by law.  Want to cause massive chaos?  Shut down every car in Los Angeles or Tokyo.  Make the cars accelerate and shut down the brakes.  Or simply change the maps the car’s GPS is using.  There are a lot of these little chaos-producing tricks used throughout the GITS series, plus even more that could be adapted easily to the real world.

Many of these things will never happen.  The laws will almost definitely be passed and you’ll have a kill switch in your new driverless car, but there’s little chance we’ll ever see a hack of the system on a massive scale.  On the other hand, given the insecurity we’re just starting to identify in medical devices, the power grid and home networks, I’m not sure that any network that supports driverless cars will be much better secured. Which will make for a very interesting future.


Jul 16 2014

Patching my light bulb?

Published under Cloud, Hacking

You know things are getting a bit out of hand when you have to patch the light bulbs in your house.  But that’s exactly what the Internet of Things is going to mean in the future.  Everything in the household from the refrigerator to the chairs you sit in to the lights will eventually have an IP address (probably IPv6), will have functions that activate when you walk into the room and will communicate that back out to a database on the Internet.  And every single one of them will have vulnerabilities and problems with their software that will need to be patched.  So patching your lights will only be the start of the wonders of the Internet of Things.

We already know our televisions are tracking our viewing habits.  Not just what we watch from the cable boxes, but what shows we stream, what content we download and they’re enumerating all the shares on our networks to find what’s there as well.  For each new device we add to the home network, we’re also adding a new way for our networks to be compromised, to allow an outsider into our digital home.  How many home users are going to be able to set up a network that cuts these digital devices off from what’s important on the network?  How many security conscious individuals are going to bother?

It’s interesting to watch the ‘what we can do’ run amok with little or no regard for ‘what we should do’.  Ever since the first computers were built we’ve been fighting this battle.  But as it moves from the corporate environment as the battlefront to the home environment, it’ll be interesting to see how the average citizen reacts.  Will we start seeing pressure for companies to create stable, secure products or will we simply continue to see a race to be first to market, with the mentality that “we’ll fix it later”?


Jul 08 2014

What to see at Security Summer Camp

Published under Hacking, Public Speaking

It’s coming, and there’s no avoiding it.  That week in Las Vegas when security practitioners from across the globe come together to attend Black Hat, Defcon and BSides LV.  We jokingly call it security summer camp, but if you set foot outside of the hotels and casinos in the heat of the day, chances are you’ll fry your brain and that lily white skin hackers, and people living in London, seem to cultivate so well.  It’s probably the biggest gathering of serious security professionals, less serious security practitioners and general troublemakers from nearly every country in the world and people come to see the talks, catch up with old friends, make new friends and party.  It should probably be called the security frat party, but that’d be even harder to get past bosses and accounting departments than it already is.

Personally, the social aspects of the event are why I go to conferences.  Not the parties, though I drink more at these events than I would normally, but instead the meetings with friends to find out what they’ve been up to, what they’re working on and what the tides of change have brought during the previous year or so.  I go to a few talks at each event, but the reality is between the podcasting and my social circles, if there’s a really good talk, I can probably arrange to talk to the speaker face to face.  And in most cases, you can too, if you’re willing to put yourself out there and treat the speaker with a modicum of respect while hunting them down.  Just don’t be too stalker-ish about it.  Most of the people who talk at these events are approachable, especially if you buy them a drink and treat them like people.

But I do try to make a few talks every event, simply because there are still some things that are better experienced watching a person present on stage.  I understand how a vulnerability works better if I can talk to the researcher, but seeing the narrative a storyteller develops, seeing the persona they project on stage is a totally different experience than talking to them once their energy level has resumed their normal steady state.  And a few people in the security industry are such showmen that it’s worth seeing their talk even if you can talk to them in person later.  Or maybe because of it.

In any case, here’s my short list of the talks I’m going to try to see during the week:

Black Hat, August 6th, 09:00 – CyberSecurity as Realpolitik, Dan Geer

Black Hat, August 6th, 14:15 – Government as Malware Authors, Mikko Hypponen

Black Hat, August 6th, 15:30 – Pulling Back the Curtain at Airport Security, Billy Rios

Defcon, August 8th, 14:00 – Defcon Comedy Jam – aka The Fail Panel – I’ve been helping on this one for a few years.  Expect bad behavior.

Defcon, August 9th, 10:00 – Mass Scanning the Internet, Graham, McMillan, Tentler

Defcon, August 9th, 12:00 – Don’t DDoS Me, Bro: Practical DDoS Defense, Self, Berrell

And one I can’t see because I’ll be headed to the airport:

Defcon, August 10th, 15:00 – Elevator Hacking, Ollam and Payne

I haven’t seen the BSides talk tracks yet, but I’ll update the post once I do.


Jul 06 2014

The dominoes of Internet Balkanization are falling

Published under Cloud, Government, Hacking, Privacy, Risk

We knew it was coming; it was inevitable.  The events put in motion last June played right into the hands of the people who wanted to cement their control, giving them every excuse to seize the power and claim they were doing it in defense of their people and their nation.  Some might even say it was always destined to happen, it was just a matter of how soon and how completely.  What am I talking about?  The Balkanization of the Internet.  It’s happening now and with Russia entering the competition to see who can control the largest chunk most completely, it’s only a matter of time before others follow the lead and make the same changes within their own country.

Let’s make no mistake here, there have been countries and governments that have wanted to circumscribe their boundaries in the virtual domain and create an area where they control the content, they control what the people can and can’t see and they have the ability to see everything everyone is looking at, for as long as the Internet has been in existence.  But prior to the last year, very few countries had either the political impulse or the technical means to filter what came into and out of their countries, except China and a few countries in the Middle East.  China had this power because they’d recognized early on the threat the Internet posed to them, and the countries in the Middle East have comparatively limited Internet access to begin with, so filtering and controlling their access is a relatively easy exercise.  In both cases though, the efforts have been coarse with plentiful ways to circumvent them, including the use of Tor.  Though it now looks like Tor itself has long been subverted by the US government to spy as well.

But then Edward Snowden came forth with a huge cache of documents from inside the NSA.  And it turned out all the things that the US had long been shaking its finger at other governments about, things that the US considered to be immoral and foreign to individual freedoms, were the exact things that the NSA had been doing all along.  Sure, it was only foreigners.  Oh, and only ‘people of interest’.  And people with connections to people of interest.  Four or five degrees of connection, that is.  And foreign leaders.  And … the list goes on.  Basically, the logical justification was that anyone could be a terrorist, so rather than taking a chance that someone might slip through the cracks, everyone had become a suspect and their traffic on the Internet was to be collected, categorized and collated for future reference, just in case.  Any illusion of moral superiority, or personal freedom from monitoring, was blown to shreds.  The arguments American politicians had carefully constructed to claim the high ground and tell other countries what they should and should not do were torn down, and America suddenly became the bad guys of the Internet.  Not that everyone who knew anything about the Internet hadn’t already suspected this had always been going on, and that the US is far from the only country performing this sort of monitoring of the world.  Every government is monitoring their people to one degree or another; the USA and the NSA were simply the ones who got their hands caught in the cookie jar.

The cries to stop data from being sent to the USA have been rising and falling since June and Mr. Snowden’s revelations.  At first they were strident, chaotic and impassioned.  And unreasonable.  But as time went by, people started giving it more thought and many realized that stopping data on the Internet from being exfiltrated to the USA in the Internet’s current form was near unto impossible.  The Internet’s most basic routing protocols make it nearly impossible to determine ahead of time where a packet is going to go to get to its destination; traffic sometimes circumnavigates the globe in order to get to a destination a couple hundred miles away.  That didn’t stop Brazil from demanding that all traffic in their country stay on servers in their country, though they quickly realized that this was an impossible demand.  Governments and corporations across the European Union have been searching for ways to ensure that data in Europe stays in Europe, though the European Data Protective Directives have been hard pressed to keep up with the changing situation.

And now Russia has passed a law through both houses of their Parliament that would require companies serving traffic within Russia to keep that data in Russia, logged for at least six months, by September of 2016.  They’re also putting pressure on Twitter and others to limit and block content concerning actions in the Ukraine, attempting to stop any voice of dissent from being heard inside Russia.  For most companies doing business, this won’t be an easy law to comply with, either from a technical viewpoint or from an ethical one.  The infrastructure needed to retain six months of data in country is no small endeavor; Yandex, a popular search engine in Russia, says that it will take more than two years to build the data centers required to fulfill the mandates of the law.  Then there’s the ethical part of the equation: who will access these logs, and how, on behalf of the Russian government?  Will a court order be necessary or will the FSB be able to simply knock at a company’s door and ask for everything?  Given the cost of building an infrastructure within Russian borders (and the people to support it, an additional vulnerability) and the ethical questions of the law, how does this change the equation of doing business in Russia for companies on the Internet?  Is it possible to still do business in Russia, is the business potential too great to pull out now, or do companies serve their traffic from outside Russia and hope they don’t get blocked by the Great Firewall of Russia, which is the next obvious step in this evolution?

Where Brazil had to bow to the pressure of international politics and didn’t have the business potential to force Internet companies to allocate servers within its borders, Russia does.  The ruling affluent population of Russia has money to burn; many of them make the US ‘1%’ look poor.  There are enough start-ups and hungry corporations in Russia who are more than willing to take a chunk of what’s now being served by Twitter, Google, Facebook and all the other American mega-corporations of the Internet.  And if international pressure concerning what’s happening in the Ukraine doesn’t even make Russia blink, there’s nothing that the international community can do about Internet Balkanization.

Once Russia has proven that the Balkanization of the Internet is a possibility and even a logical future for the Internet, it won’t take long for other countries to follow.  Smaller countries will follow quickly, the EU will create laws requiring many of the same features that Russia’s laws do and eventually even the US will require companies within its borders to retain information, where they will have easy access to it.  The price to companies ‘in the Cloud’ will skyrocket as the Cloud itself has to be instantiated within individual regions and the economy of scale it currently enjoys is brought down by the required fracturing.  And eventually much of the innovation and money created by the great social experiment of the Internet will grind to a halt as only the largest companies have the resources needed to be available on a global scale.
