Category Archives: Hacking

Security via obscurity failed… in 1903

This is a wonderful story about the hacking of Marconi’s wireless system in 1903. Marconi touted the security of his system based on a tight (and presumably not publicly disclosed) frequency bandwidth. Of course it was hacked in a public and humiliating fashion.

Security via obscurity, as effective in 1903 as it is today.

Hat tip to Bruce Schneier.

Advertisements

Rise of SaaW?

There are a couple of interesting articles on Stuxnet out recently. This article poses the astonishing possibility that it was a directed attack at the Iranian Bushehr nuclear plant. The arguments given, however, are highly circumstantial.

This article also puts forth the notion that Stuxnet was likely created by some government.

Is this the first instance of SaaW, software as a weapon?

Just a bit more complicated than that

Phil Windley posts about Google’s recent moves in China and describes them as a result of conflict between Google’s desired to do what’s right (not censor) and doing what it needs to do to stay in business in one of the largest markets in the world. That’s an interesting take on it, but it doesn’t wash with recent history.

To be clear, Google was fine with doing evil for several years now. The lived with the government restrictions and did business up until recently when they were penetrated (reportedly badly) by hackers that no one seriously believes aren’t at least backed by the Chinese government. Also the decision to buck the government was also made easier by Google’s own lagging competitive position in China.

If the real story ever comes out I’m sure it will be fascinating. Until then I’m not sold on Google’s altruistic motives in this dispute.

hacking and scalping

Some hackers were apparently caught hacking TicketMaster, buying tickets, and scalping them at a higher price. The article is clear on this point, but I would assume the hackers actually paid the Ticketmaster price but then resold the tickets for a much higher price.

So these guys are being accused of both hacking and scalping. While I have no sympathy for hacker could someone explain to me why scalping is even illegal? Seriously, if an event is selling tickets for $25 that have a market value of $75, why are we criminalizing the scalpers? If the tickets were sold using dynamic pricing like hotel rooms scalpers would be out of business, the event would make more money, and customers would have less fear of getting ripped off.

What am I missing here?

MAD, MAD, MAD, MAD World

Nico Popp suggests that incidents such as the recent Google hack may lead to governments and large corporations adopting a form of Mutually Assured Destruction cyber defense.

On one hand there is a lot of sense in this, especially for governments. However I suspect retaliation would be more of a economic (or worst case military) nature.

At some level that’s exactly what is going on with the Google case. Google obviously believes that the Chinese government is behind the attack and Google has retaliated by threatening to stop censoring content in China, even at the risk of getting thrown out of the country. Of course now they seem to be backing down and both sides are now looking for a face saving compromise.

But one problem with the MAD theory of cyber-warfare is that you most often don’t have any idea who to retaliate against. At least not with sufficient degree of certainty.

So for now, MAD looks pretty unlikely in the cyber-warfare game.

What’s not being said

I usually find what’s not being said far more interesting than the platitudes that are uttered. According to this article Google and China are negotiating a face saving compromise to allow Google to remain in China. What is being said is that this is about the level of censorship. What is not being said, and what is probably really the truth is that this is really all about the Chinese government hacking Google.

I mean seriously. Google China censored content from day one and now it all of a sudden decided to “do less evil”? As Corporal Nobbs likes to say “pull the other one, it has bells on it”.

No, what changed is that the government has hacked Google and gotten caught doing it, and probably affected some high-level Google execs.

Here is my prediction; the face saving compromise will involve a little easing of the censorship rules, a promise not to hack Google any more, and Google quietly giving some sweetheart deals to some high-level Chinese officials.

Misplaced Blame

Bruce Schneier writes this, in which he lays the blame for the Chinese hack of Google on the US Government. His reasoning is that since Google put in a back door surveillance mechanism to enable the US to¬† eavesdrop on Google users, it is then the US’s fault that Chinese hackers used that mechanism to hack Google accounts.

This is a little like me blaming my employer if I have an accident on the way to work.

While I agree that companies should not be making it easy for governments to spy on people, when legally required to do so it is also their responsibility to make sure that this done in as secure a manner as possible.

Also note the interesting linguistic phrase that most journalist have used in this issue. The hacking of Google is usually described as being done by “Chinese hackers”. That’s not wrong, but it missing the most important point. No one seriously believes that the attacks were not done at the behest of the Chinese government itself. That is a very important distinction.