Pentagon: cyber-attacks an act of war

Today’s Wall Street Journal reports that the Pentagon will say that cyberattacks from foreign countries are acts of war.  As someone in the business I have a few questions.

First, with botnets being widespread within the United States, how will the Pentagon determine with sufficient reliability that an attack originated from outside the U.S.?

How will they determine that the attack was originated by a foreign government?  This is a difficult distinction to make.  By way of example, some time ago, Cambridge researchers uncovered an attack originating from China on The Office of His Holiness the Dalai Lama in California.  Was the government of China responsible?  Maybe.  Is it not more likely we would see asymmetric attacks?

Just because you believe a government has committed an act of war, does it mean one goes to war?  In the U.S. that power is reserved.  Only Congress can declare war.  However, in practice, it is the president who initially engages in armed conflict.

Once at war, how would we respond?  Clausewitz and Sun Tzu tell us that one only goes to war to effect a change, and with the confidence to win.  Would we therefore bomb attackers to the stone age?

I would like to believe that before we make any firm statements we have clear answers to the above questions, lest a cyber Casus Belli lead to a repeat of Viet Nam or Iraq.

A New Role For Eliot

As many of you know I have a long history within the Internet Engineering Task Force (IETF), having been involved since 1989.  The IETF is responsible for many of the underlying protocols that computers use to talk with one another for purposes such as Email and the Web.  I have served as the chair of two working groups, a research group, and have written numerous drafts and requests for comments.

As of late I have been involved with the International Telecommunications Union (ITU).  The ITU is a U.N. organization whose origins date back to at least 1869, long prior to the forming of the U.N. The ITU has developed numerous data communication standards, including X.509, which is what web encryption uses, as well as many of the codecs that are used on the network to transmit voice and video.

Last May I was able to join the United States delegation to the World Telecommunications Development Conference (WTDC) in Hyderabad, India.  Now I have been asked to serve as the Internet Architecture Board liaison to the ITU-T.  My role will be first and foremost to see that liaisons (messages between the organizations) are properly handled by the IAB and IETF.  I will advise the IAB and IETF on how the ITU-T functions, and the context around particular liaison statements.  Occasionally I will assist in drafting liaison statements.

These organizations operate quite differently.  The IETF is driven by individual participation, where people needn’t even attend meetings to participate in decisions.  The ITU-T is an intergovernmental organization in which only governments may make decisions, although others may advise.

This is an important role at an important time, because when these two organizations do not cooperate at some level, they end up duplicating and competing with each other’s work.  That can lead to more expensive products or products that do not work well together.

Android Phones the next security threat?

Take it as an axiom that older software is less secure.  It’s not always true, but if the code wasn’t mature at the time of its release (meaning it hasn’t been fielded for years upon years), it’s certain to be true.  In an article in PC Magazine, Sara Yin finds that only 0.4% of Android users have up-to-date software, as compared to the iPhone where 90% of users have their phones up to date.

This represents a serious threat to cybersecurity, and it should have been a lesson that was already learned.  Friend and researcher Stefan Frei has already examined in great detail update rates for browsers, a primary vessel for attacks.  The irony here is that the winning model he exposed was that of Google’s Chrome.

What then was the failure with Android?  According to the PC Magazine article, the logic lies with who is responsible for updating software.  Apple takes sole responsibility for the iPhone’s software.  There are a few parameters that the service provider can set, but other than that they’re hands off.  Google, however, provides the software to mobile providers, and it is those mobile providers who must then update the phone.  Guess which model is more secure?  Having SPs in the loop makes the Internet more insecure.  Google needs to reconsider their distribution model.

How to get a Time Capsule to actually work in IPv6 without wireless

I have an unusual home configuration, in that I have a routed network.  If you don’t know what this means, stop reading now as you are wasting your time.  While the Apple Time Capsule advertises IPv6 capability, getting it working is rather difficult.  To start with, if you do not use the wireless capability of the device, the controls are really non-obvious.  For another, the Time Capsule appears to ignore the default route capability in routing advertisements.  Hence a manual configuration is required:

Time Capsule Configuration

Looking to the left, one must select “Router” from the IPv6 mode and not “Host” as one might logically expect.  Then, because RAs are not being handled properly, one must manually enter the default route (the long way).

Finally, because you are supposed to be routing, you need to enter some address for the “LAN” side.  My prefix is 2001:8a8:1006::/48.  Note I’ve dedicated a bogus network ::8/64  to the effort.  All of this allows me to do what should have happened automatically; not your typical Apple Plug-N-Play style, is it?  For a company that claims to be IPv6 Ready, I’d say Apple still has a ways to go.  Sadly, they’re better than most.

Microsoft Does Something Right?!?!

You know how when you install software, usually there’s a lengthy license that nobody ever reads?  Don’t lie- you don’t read it either. Apple and iPhones are the worst, where they suggest that you read something like 56 pages of license on your iPhone.  YEAH RIGHT.

Well, I just installed an update for Mac Office 2011 and here is the entire license:

MICROSOFT OFFICE FOR MAC 2011
PLEASE NOTE: Microsoft Corporation (or based on where you live, one of its affiliates) licenses this supplement to you. You may use it with each validly licensed copy of Microsoft Office for Mac 2011 software (for which this supplement is applicable) (the “software”). You may not use the supplement if you do not have a license for the software. The license terms for the software apply to your use of this supplement. Microsoft provides support services for the supplement as described at www.support.microsoft.com/common/international.aspx.

That’s it.  And it’s simple to read, and its meaning is clear.  Nice, eh?  Of course I’m sure the main agreement is still very long (I don’t know– I didn’t have to agree to that since this is a corporate copy, lawyers probably did).