Tuesday, January 20, 2015

A cynic’s view of 2015 security predictions (first part)

Better late than never, but the first of a series of blogs from me covering my ever cynical view of security predictions has now been posted to the NCC Group website.

Check out https://www.nccgroup.com/en/blog/2015/01/a-cynics-view-of-2015-security-predictions-part-one/ today. And more to come later this week.

I think you'll enjoy it ;-)

Thursday, January 15, 2015

A Cancerous Computer Fraud and Misuse Act

As I read through multiple postings covering the proposed Computer Fraud and Misuse Act, such as the ever-insightful writing of Rob Graham in his Obama's War on Hackers or the EFF's analysis, and the deluge of Facebook discussion threads where dozens of my security-minded friends shriek at the damage passing such an act would bring to our industry, I can't help but think that surely it's an early April Fools' joke.

The current draft/proposal for the Computer Fraud and Misuse Act reads terribly and, in Orin Kerr's analysis, is "awkward".

The sentiment behind the act appears to be a lashing-out response to the evils recently perpetrated by hackers - such as the mega breaches, DDoS attacks, password dumps, etc. - without any understanding of how the "good guys" do their work and operate at the forefront of stopping these evil-doers.

For non-security folks, the best analogy I can think of is that a bunch of politicians have been reading how attackers are using knives to cut and stab people in their criminal endeavors, and that without knives those crimes would not have happened. Therefore, to prevent knife-based crime, they legislate that carrying a knife, manufacturing a knife, or using a knife to cut flesh is punishable with 20 years in prison.

Unfortunately, the legislation is written so poorly and generically that the definition of "knife" includes butter knives and scalpels - and overnight the medical profession of surgery becomes illegal. Even those poor souls who have been stabbed by a criminal can no longer be saved by a scalpel-wielding doctor.

That, in a nutshell, is what many feel the impact of this act will be on the Internet security industry. Penetration testing, bug hunting, and vulnerability research will be caught by this and, as Rob Graham postulates, there is reason to speculate that even posting a link to a vulnerability could land both the poster and the clicker on the wrong side of the law.

One of the budding industries that will feel this the most will be threat analysis and companies/services that focus on early alerting and attribution of cybercrime. And that in my mind is particularly ominous.

Now, with all that said, is the act salvageable? Maybe - but it'll need a lot of work. I've heard a few folks argue that this US act is very similar to the UK's Computer Misuse Act of 1990. I mostly agree that a parallel act in the US would be helpful in dealing with the current plague of cybercrime, but what's been proposed thus far has the polish and refinement of a rusty piece of barbed wire.

The only organization that'll benefit from the act as proposed right now is the US' privatized incarceration services.

-- Gunter