Tuesday, June 30, 2009

Shifting from Cybersecurity to Cyberwarfare...

Its a big week in the field of cybersecurity. President Obama just announced the creation of a new "Cybersecurity Coodinator" position at the Defense Department, released his larger strategy for securing the nation's vital cyber assets, and is currently meeting with officials from the Russian government over a proposed new international treaty on the issue.

This is all great fodder for someone who's writing his doctoral dissertation on national cybersecurity policy. Let's just hope it doesn't require a total re-write :-)

There has been a marked shift in the cybersecurity debate from as recently as just a few months ago. In a field where national cybersecurity was, since 9/11, predicated on the best way to defend vital digital infrastructure, suddenly there is open talk surrounding the need to go on offense as well.

In other words, the framing of the debate in policy circles has openly shifted from cybersecurity to cyberwarfare.

As the Wall Street Journal wrote...

The military is far ahead of civilian agencies such as Homeland Security and is now focused on cyber offense as well as defense. Cyberspace, says Gen. Kevin P. Chilton, commander of the U.S. Strategic Command, is the new "domain," joining the traditional domains of air, land and sea.

This shift in framing the issue has consequences that are apparent in President Obama's meeting with Russia. As the New York Times reports, Russia favors an international treaty along the lines of those negotiated for chemical weapons, essentially looking to ban offensive weapons and tactics. On the other hand, the U.S. instead advocates improved cooperation among international law enforcement groups, basically trying to formalize the criminalization of such acts through legal channels.

The truth is that both approaches are necessary and cyberwarfare must be tackled offensively and defensively.

In an attempt to be prescriptive and add my own two cents to the debate, cybersecurity policy would be wise to address the protection of cyber assets at four separate internet layers...

  1. Infrastructure Layer - protect the physical hardware of the Internet; focus policy on the telecommunications industry.

  2. Protocol Layer - protect the network through the technical standards and protocols that allow the Internet to operate; focus policy on international standards-setting organizations like the IETF and W3C.

  3. Software Application Layer - protect the network from viruses, botnet attacks, and other programmable cyber weaponry through more secure code; focus policy on the software industry.

  4. Content Layer - engage in both offensive and defensive cyberwarfare through the informational content that is out there for all the Web to see; focus policy on ISPs, and on individual behavior.

Cybersecurity is difficult to achieve, particularly on a national level where the vast majority of assets are privately owned and operated. Previous attempts to rely exclusively on voluntary public-private partnerships are rightfully, and finally, being seen as grossly inadequate. The fact is that America is not going to build its own Great Firewall of China, and focusing only on protecting the Internet's infrastructure and government assets, as we have done in the past, just won't cut it. We desperately need a more comprehensive approach.

Monday, June 22, 2009

Should Teachers Require Their Students to Participate on Social-Networking Sites?

I just read an interesting debate in the National Education Association's monthly magazine, The Advocate, which unfortunately didn't post the article on its website. Whether you take the teacher's or the student's perspective in this debate, the question is whether teachers should be able to require their students to participate in social-networking sites, or whether doing so is an invasion of privacy?

John Damon, a professor from the University of Nebraska-Kearney, argues that social-networking is a private activity that should be kept separate from teaching and learning. Damon admits to "friending" some of his former students on Facebook and MySpace. He says that it would be rude to refuse friend requests and that such contacts "seem to me a normal part of human interaction". However, "requiring such use as a part of course requirements is an entirely different matter".

In the end, he asserts, the downsides for students to online social-networking include the potential for "unwanted entanglements", and for teachers, "unwarranted claims of harassment".

On other side of the debate, Patrick Bishop, a professor from Ferris State University, argues that the question isn't whether to use social-networking technology in the classroom, but how. "As educators, we are called to lead change, not just keep pace," he says, and "navigating the world of social-networking is a necessary skill in the current marketplace". Bishop admits to requiring his Public Relations students to create a Twitter account and join HARO (Help A Reporter Out), and portions of his course are covered via Wetpaint, a wiki-blog hybrid.

He quotes one of the best education blogs, The Fischbowl, in saying, "We are living in exponential times... preparing students for jobs that don't exist yet, using technologies that haven't been invented, in order to solve problems we don't even know about".

So which side do you come down on in this debate?

I, for one, believe the answer lies in the specific details of the class in question. If someone asks a great chess master, "What is the best move possible to make in chess?", the truth is that there is no one move that can be deemed The Best; there are only moves that might be better than others given the particular circumstances that a player finds himself in at a particular moment.

Thus, in a vacuum, you might argue that teachers absolutely should be able to require their students to participate in social-networks, or, conversely, that they absolutely shouldn't. However, when applied to a particular circumstance, the answer might become a lot more clear. For example, should a Computer Science class on Web Programming require that online social-networking be integrated into the curriculum? Absolutely. Should a fourth grade English teacher require the same thing? Absolutely not.

As always, teachers need to strike a delicate balance between empowering their students while simultaneously acknowledging the other responsibilities their positions afford them as well.

Friday, June 19, 2009

Cyberwar in Iran (and what you can do about it)...

It's been a full week and the Iranians are still protesting in the streets, and the government is still cracking down on them. One of the largest stories the media has grabbed hold of is the role that cyberspace is playing in the uprising, however, before everyone has a Twitter-gasm, it's important to note that the details of this cyberwar don't reveal anything that's actually new.

Here's how the Iranian government has been cracking down in cyberspace over the past few days. As the Wall Street Journal reported, the government has slowed the speed of the Internet and limited access to specific websites. This is actually a more subdued approach - believe it or not - compared to how the Chinese government allows high-speed access with extensive censorship, or how the Myanmar government severed internet access completely for the entire country during their 2007 uprising.

The Iranian government is throttling bandwidth, which some critics argue is "almost the same as shutting off the Internet, since it makes accessing Web sites slow enough to discourage users". In the days immediately following the election, Internet traffic over broadband connections was down 54%. As one Iranian engineer described it, "The government can say it didn't disconnect the Internet, but the reality is you can't really use it."

So what can aspiring hacktivists do to help those twittering Iranians?

First of all, read Cory Doctorow's, "Cyberwar Guide for Iranian Elections". He offers a brief, 7-step plan for non-computer nerds to follow if they truly want to help the protesters. Some of these include instructions as simple as DO NOT publicize Proxy IP Addresses or bloggers' identities. It is a common sense reminder for people who too often have been tweeting recklessly in their haste to help.

Second, you can participate in what are called Distributed Denial of Service (DDOS) attacks. These have been around for years and remain controversial, but the basic concept is that the official Iranian government websites can be taken offline if their servers receive too much web traffic. For example, if thousands of people simultaneously go to the Iranian government's portal, their servers may become crippled by the wave of traffic. A few software tools exist to make DDOS attacks easier to execute with less people. PageReboot is a particularly good one (and all the more effective if you change the "Refresh rate" to only 1 second).

Third, you can setup a proxy server. This may require slightly more technical expertise, but the idea is that, since the Iranian government is censoring specific IP addresses, hacktivists need to give the protesters new IP addresses they can use to get through a government firewall and reach the outside world. People can create a proxy server either by using a pre-existing software tool like Tor, or else follow these instructions.

Fourth, and along similar lines, Iranians need to know which proxy servers are available to them (just because you set one up doesn't mean they'll know how to find it). So if you create or discover a working proxy that's accessible from within Iran, spread the word, but in a responsible manner. There are ongoing lists of working proxies like this one, updated regularly, which you can contribute towards.

Finally, as a very simple and symbolic show of support, Twitter users have been encouraged to change the foreground color of their avatar to green. You can use this link to make the change for you in one click.

Again, what is remarkable to those of us who study cyberwarfare for a living is that none of this is actually new. All of these tactics, both on the part of the government and the hacktivists, have been put into practice repeatedly for years. Perhaps the scale of the engagement is comparatively larger, but not necessarily by huge leaps and bounds. It'll be interesting to see if the hacktivists, with their new recruits, can sustain these freedom-fighting activities once the furor over these particular Iranian election results eventually quiet down.

Tuesday, June 16, 2009

Following the Iranian Protests Online...

In response to an election that was supposed to be extremely close, hundreds of thousands of Iranians are pouring into the streets of Tehran to protest its official results (which showed a much larger than expected victory for Ahmadinejad, signaling "voting irregularities", otherwise known as election fraud). It is against the law in Iran for people to hold public protests.

For those of you who don't want to wait until tomorrow morning's newspaper to follow the breaking developments over there, here are a few ways to track the story online through citizen journalism.

  • Twitter Search - Twitter is hands-down the best source of second-by-second information for breaking news in Iran. People on the ground and around the world are discussing every breaking update they can find using the #IranElection hashtag.

    Twitter has become so essential in providing Iranians a media outlet that the website's scheduled maintenance last night was put off so as to not give the Iranian government a chance to censor the site's content.

    Twitter has even become an organizing tool for the opposition, as Mousavi1388 has been posting the call for rallies in Tehran using the site.

    Also, there has been a movement among Twitter users to change their avatar color to green as a show of support for the protesters.

  • YouTube Videos - A simple YouTube search for terms like "Iran protests" or "Iran riots" will show you some incredible footage of what's happening without any of the filters imposed by the traditional media.

  • First-hand Accounts in Blogs - If all cyberspace was good for was regurgitating the same material that the traditional media was putting out there, then why would we bother? Take advantage of the internet by reading first-hand accounts from people who are actually in Iran. One of the better blogs throughout this drama has been Revolutionary Road, if you need a place to get started.

  • Flickr Images - For those of you who are more interested in photo journalism, Flickr is your scene. Again, a simple search for something like "Iran Riots 2009" will yield tons of results for you to sift through.

    Many of these photos, posted by ordinary Iranians on the ground, also go a long way towards contradicting the government's claims that all of the protests have thus far been peaceful. Take a look and judge for yourself. This is citizen journalism at its finest.

What seems to be getting lost in this whole story is that, in the end, the results of the election probably won't even matter from our point of view. As much as the Western press would have us believe that these protesters are in favor of staging a new revolution to overthrow their theocratic government, the truth is that all of these protests are only a show of support for another politician who has also been approved of by Iran's clerical establishment. In other words, both candidates are the mullahs' guys. Mousavi may be slightly more "reformist" than Ahmadinejad, but he too was only allowed to run for the presidency after the mullahs approved him and judged that he would not pose any substantial threat to their rule.

The protests and riots are definitely a big deal for a society which hasn't seen this kind of anti-establishment fervor in decades. However, we ought to be careful not to look at this situation through a Western lens and interpret events as something other than what they are to the people who are living them.

Wednesday, June 10, 2009

Vanity URLs Come to Facebook...

Facebook is voluntarily creating a major headache for itself. This Saturday, June 13th, at 12:01am, Facebook is giving its 200 million users the option of creating a vanity URL for themselves. In plain English, this means that your home page web address will be transformed from its current ugliness into something that can have meaning, like your name...

Personally, I plan on scooping up http://www.facebook.com/rdomanski.

But while this may seem like a nice little feature, here's the potential headache. Vanity URLs a great for people who care about things like "branding strategies" and "search engine optimization", however, they're not so rosy for others.

A number of Facebook protest groups have already formed. They represent users with privacy concerns, like not necessarily wanting their profiles to be more easily found by co-workers and mild acquaintances. Most likely, these folks will register a Vanity URL anyway to protect themselves and keep it private, although this will lead to a problem where lots of in-demand URLs are taken, but not used (in a practical sense).

Which brings up another problematic issue: cybersquatting. Sheisters have long since adopted the practice of squatting on URLs with people's names (remember "www.suricruise.com"?) and then selling the URL back to the should-be owner for a marked-up price. Welcome to Facebook, guys! These people are awful and have been trying to extort money from me for years in my pursuit of acquiring the "Domanski.com" domain name. As Ben Parr describes, "The inevitable result will be an online gold rush for common names, key phrases, and brand names. We can imagine users stealing the brand names of rivals [or frienemies] just to keep it out of their hands".

Expect the resulting fist-fights to follow in a blog post next week.

Ultimately, most Facebook users will welcome the Vanity URLs because it's a cute little thing to have (and because most people unwittingly do care about branding their cyber-identity without realizing it anyway). And there's nothing wrong with that. It was just nice to not have to deal with these headaches up to this point.

Friday, June 05, 2009

What is it with Facebook and Breasts?

Anyone who has been on the internet knows that pictures of naked breasts aren't exactly hard to find. Sometimes they even seem impossible to avoid. Mainstream websites have rightfully sought to crack down on nude or pornographic content, to protect the kids, of course, but Facebook seems to have a particularly hard time in applying common sense norms to determining when pictures of breasts are acceptable versus when they're pornographic.

Case in point. A woman named Sharon Adams, diagnosed with breast cancer, recently uploaded photos of the scar on her breast which resulted from her mastectomy. The photos were accompanied by a description of her fight against the disease and offers of encouragement to other women to go for regular check-ups.

Take a look for yourself at one of the pictures in question, posted here. Does this seem to you like pornography that is going to corrupt minors?

Well, Facebook apparently thought so because they decided to immediately remove the images, using the nefarious label, "sexual and abusive".

Sharon Adams' counter-argument was 100% on the mark as she responded by saying, "For Facebook to claim they were sexual and abusive was absurd. Facebook has online groups about sexual positions and some groups which are bordering on racist [not to mention hate groups and Holocaust-denial groups] - but they ban this."

Thankfully, common sense eventually prevailed. A major online protest occurred among Facebook's own users which pressured the website to ultimately reverse its decision and lift the ban.

But why is that even necessary? We shouldn't need to collectively organize mass protests in order to convince websites to utilize good judgment.

What's worse is that this story isn't even unique; it comes on the heels of a previous case where Facebook banned images of breast-feeding mothers - a ban which held in place until another protest action (on behalf of a group that came to be known as "lacktivists") similarly pressured the website to relent once again.

It's a bizarro world indeed when insanely gratuitous pictures of college kids throwing drunken sexual orgies are considered permissible, while photos designed to prevent breast cancer by encouraging mammograms are banned as being obscene and pornographic.

Facebook really dropped the ball on this one. Again.

Thursday, June 04, 2009

Bing: Reviewing Google's New Competition...

The internet search industry is unquestionably its most lucrative. Google has a stranglehold with about 60% market share in the U.S., followed by Yahoo with about 20%, and everyone else sucking in their dust. Really, when was the last time you did an internet search and didn't use either Google or Yahoo?

Well, Microsoft has decided to dip into its coffers and build an improved search engine of its own. Called Bing, it supposedly analyzes data in a different way than Google, which they say leads to better search results.

To test the validity of such statements, I ran a few simple queries on Bing, entering "Rob Domanski" as the search term. Comparing the results side-by-side between Bing and Google, there really wasn't much difference; they both displayed largely the same links, just in a different order. Bing did seem slightly better in terms of filtering out results which were completely not related to me, however they still blew it by not listing this blog's home page - apparently unable to figure out that all of the individual Nerfherder pages stem from there.

Whatever. Bing is hardly going to revolutionize anything. Like Google, it still neglects to include features that would greatly enhance its service, such as integrating Twitter search and social media rankings into its algorithm. Bing's major value is simply being yet another player in the space, tweaking differences only at the margins. But that shouldn't be necessarily overlooked. The internet search industry, led by Google, needs more market competition in the long-term, and Microsoft has the means of fostering exactly that.

It's in all of our best interests for them to stick with it.

Wednesday, June 03, 2009

Wikileaks Publishes List of US Nuclear Sites...

Balancing the need for a free press with national security concerns has always been a defining characteristic of American democracy.

Over the weekend, the US Government Printing Office accidentally revealed the nation's confidential report on its civilian nuclear programs. This report was not intended for public disclosure, but was meant to be read only by the International Atomic Energy Agency, and thus was marked as "Sensitive, but Unclassified".

As Ars Technica reports, "although the document was quickly pulled, the genie is out of the bottle: the report lives on at Wikileaks."

Wikileaks is a website whose stated purpose is to publish "classified, censored or otherwise restricted material of political, diplomatic or ethical significance". In the past, it has exposed both government and private sector corruption and has been a safe haven for whistle-blowers.

While this may be a noble purpose, does anyone else think that Wikileaks is going too far by pubishing confidential information about all US civilian nuclear sites?

Granted, this information was not officially "Classified", but its troubling nonetheless. Part of what makes Wikileaks so effective is that it makes sure that it can't be easily shut down by national governments. As of this morning, it is hosting the report from sites in Sweden, US, Latvia, Slovakia, UK, Finland, Netherlands, Poland, Tonga, and Europe. Also, Wikileaks outwardly declares that "online submissions are routed via Sweden and Belgium which have first rate journalist-source shield laws." As a result, "it's safe to assume that, even if the US attempts to take action to have it pulled, it will be a long, drawn out fight that will probably wind up ensuring that any interested parties have the opportunity to get their copy in the mean time".

National security concerns ought to trump whistle-blower claims in this case, however, the architecture of the Web renders even the U.S. government rather helpless to rectify the problem, at least in the immediate-term. The bureaucrat at the US Government Printing Office who accidentally published the report ought to be fired for negligence. But it's still almost unbelievable how, in the Internet Age, the unwitting actions of just one individual can place us all in harm's way.