U.S. Spies on Chat Rooms
Probably a new way to get defense budgets

There are some thoughts I had when I read this article:

“Trying to monitor the sea of traffic on all the chat channels would be like assigning a police officer to listen in on every conversation on the sidewalk — virtually impossible.”

Sure that it’s virtually impossible but the question is: Is this legal? It’s another question with many more sense.

“The $157,673 grant comes from the National Science Foundation’s Approaches to Combat Terrorism program. It was selected in coordination with the nation’s intelligence agencies.”

Is the program will only be used for terrorists? Let me doubt about this.

“Security officials know al-Qaida and other terrorist groups use the internet for everything from propaganda to offering tips on kidnapping. But it’s not clear if terrorists rely much on chat rooms for planning and coordination.”

Will they put a “carnivore” program on every chat server of every programs availed on the internet and private ones programmed by Joe in his basement? Or will they put a bot on every channel they know of? If so, how will they intercept private conversations? If so, what will stop terrorists to create their own protocols and programs (possibly encrypted) to communicate between them? It’s a non-sense

“Because they are focusing on public chat rooms, authorities are not violating constitutional rights to privacy when they keep an eye on the traffic, experts said. Law enforcement agents have trolled chat rooms for years in search of pedophiles, sometimes adopting profiles making it look like they are young teens.”

In this case it’s probably a better idea to do cyber-infiltration of some terrorist groups than filtering traffic.

Seriously, do they really think that terrorists are as silly as they wish? Two things, or they take their dreams for reality (what I doubt) or they put another thing on the shoulders of terrorists to get budgets. It’s sure that terrorists are a world wide problem, but what I see now is that they use them to try to resolve other problems by the side. What thinker of law enforcement agencies are thinking about? Probably not what you think…

Seriously, they can’t think of things like this to arm terrorist organizations, it’s impossible. Go Infiltrate them; return back in the playground; stop losing your time in the cyberspace to try to stop terrorists…

Google Desktop
A new technology from Google; potential privacy issue for you

Today a great tool has been release by Google: The Google Desktop.

Now think about it. Someone do a program (legitimate or not). This program gets an access to the search index of the Google Desktop. He builds a distributed network with theses indexes. This distributed network can be browsed like the Kazaa network or any other distributed network. Think about the implication of such a network. Think about the information that you can search for. The perspective is awesome but also fearful. It’s probably an overview of the future world, fully networked and searchable.

Okay, comeback on earth. One problem is that it centralizes de information and made search really easy and fast. Problems can arise if anybody can have a physical access to your computer station. Then, your coworkers, boss or any other person can really easily search for a specific thing on your desktop. Have in mind that they need a physical access. It’s why doing a WindowsKey-L to lock your computer when you are not at your desktop station is a good security/privacy habit to have. As long as your computer is secure, you’ll not have any problem with the software.

One good point for your privacy is that you can choose what you want to include in the index. Go to your preference page and read the help to know how. Another one is that when he cache files he get a reference on it and don’t duplicate the information so if you delete the file he is no longer in the index file. It’s sure that there is possibly some information in the index but I doubt that this can cause problems. Finally you can manually remove individual items of the index when you perform search on it. Take in mind that Google add the information of the search result of google.com and the search result of your desktop when the browser gets the information back from Google. This said, Google never know what the search result was for your desktop, and then your privacy is safe.

I’ll do the same advice as the one I provided with the A9 post, be aware of what you are using on your computer. By the why I’m already converted to the Google Desktop and I’ll use it for sure (for the moment a less).

Information Gathering
Get an eye on your teckies

You are an IT department administrator? You have people to supervise (teckies, developers, etc)? Take an eye on them. The problem is that they need information to do their work. Sometimes they don’t find it and ask for it. Sometimes they ask for opinions, review and tips to their pair. There is several ways to ask for this information. Occasionally they use Usenet or Webforums. The problem with these technologies is that all their content is logged. By example, Google get an archive of most of the Usenet groups since ~1997. Most of the times they need to detail their problem to get valuable answer from other users. If he has a problem with the topology of your enterprise’s network, he’ll probably write things about the hardware used, the subnets used and the technologies in place inside your enterprise. At last, most of the time, he’ll ask these questions during is working hours. There isn’t any problem with this fact, but who say working hours also say company’s computer and company’s computer settings like company’s email address and identification. Then they will use their enterprise email to get answers to their questions.

If you understand the problem, you’ll see that you have a post on a Usenet group, sent by one of your teckie or developer, where you have sensitive information about your enterprise’s network infrastructure tagged to it by the email of the so helpful employee.

What you can do? Educate them. The only thing that they want is doing their job. But sometimes they don’t see that they can harm the enterprise by doing this type of things. They only need to be educated to the problem. They only need to be aware of the problem. It’s your job, not necessary their.

If you don’t believe what I say in this post, try it. You’ll be astonished by the results.

Know you Enemy
Does he really know them?

First, I want to excuse me for the lack of posts in the last 4 days, I had other things to do and had a shortage of time. So, the article that I’ll comment is 5 days old but I want to comment it anyway.

There is an article that I need to comment on. The problem with it is that he doesn’t focus on his subject, go everywhere and try to cover a wide question in a little article. The title is “Know your enemy” — cliché. He writes on 3 main subjects: Companies resources (new network technologies), third world hackers (money as motivation) and others obscure ones (custom software and social engineering). There is what he said about the second subject and I want to comment on:

Should US companies worry about hackers in Russia and other countries?
Hackers from countries where the economy is less developed than the US
are more motivated by money than by pride when they start trespassing
on US companies – as opposed to US hackers, who are motivated more by
pride than money. (There are many other ways that you can make money
in the US.)
Also, money is a stronger motivator than pride. That’s why people
motivated by money are more dangerous. Hackers are businesspeople [if
they are motivated by money]. In most cases, they are probably just
having difficulties in their countries finding and exploring
opportunities to work.
If a company that is hacked into can explore with a hacker his or her
talents in a more peaceful way, the victim can only benefit. If these
hackers are businesspeople, they can be redirected by being offered a
better deal than the one they might get by creating pressure through
hacking.
I deeply believe in this point. It is hard, however, to generalise too
much because every case involves different kinds of people and
different circumstances.
What security measures offer the best protection against hackers?
Keep the hackers occupied if you recognise them as a threat. This
might be similar to what some countries have done with their nuclear
scientists – Russia, for example, keeps them under close supervision
and treats them well, but above all keeps them busy professionally.

The problem is that he make too emphasis on the typical hacker of Hollywood. Really, he is not a threat. The real threats are the criminal groups. They begin to see benefits with cyber crimes and they exploit it. They exploit the internationalisation of the Internet and the lack of law applicability of many countries. This is the real problem. It’s true that the motivator is the money in this case too, but good luck to employ them after. I think that he talk about a minority of cases, and by doing so, he’ll not get rid of the real problem, the real danger, the criminal groups implication in the cyberspace.

It’s my 2 penny to the discussion.

[In addition to the post: 12 October 2004]
—————————————————
I just read Bruce Schneier’s October blog posts. He talks about this subject the 4 October with Bill Brenner from SearchSecurity.com. It’s interesting to see that I’m not alone to share this view. I know that many other people do too. There is the excerpt from his post:

“What’s the biggest threat to information security at the moment?

Schneier: Crime. Criminals have discovered IT in a big way. We’re seeing a huge increase in identity theft and associated financial theft. We’re seeing a rise in credit card fraud. We’re seeing a rise in blackmail. Years ago, the people breaking into computers were mostly kids participating in the information-age equivalent of spray painting. Today there’s a profit motive, as those same hacked computers become launching pads for spam, phishing attacks and Trojans that steal passwords. Right now we’re seeing a crime wave against Internet consumers that has the potential to radically change the way people use their computers. When enough average users complain about having money stolen, the government is going to step in and do something. The results are unlikely to be pretty.”
———————————————–