Showing posts with label cloud. Show all posts
Tuesday, February 19, 2013
EU Citizens Warned Not To Use US Cloud Services Over Spying Fears
This Slashdot piece of news was referred to me. The funniest part is the comments. Go check.
Strangely, people tend to read this piece of news as just "Oh, the US is doing some privacy-breaking spying." whereas I read it as "Oh, Europe is going to rebel. Will be funny."
Tags:
cloud,
privacy,
slashdot,
usa vs europe
Tuesday, December 18, 2012
The anonymous benefactor in the cloud
I have just learned about the horrible story of the suicide of Amanda Todd, the young Canadian girl who was harassed on social networks by a stranger who knew everything about her. To better understand the story, it is best to listen to her presenting her own case, shortly before her suicide:
What to make of it?
The youth suicide rate is on the order of 0.5 to 3 per 10,000 in developed countries. Rates of attempted suicide are higher still. And rates of knowingly engaging in life-threatening behaviour are higher still again. So the suicide in itself does not surprise me.
What does surprise me in the case of this poor girl is mainly that she did not manage to bounce back even though her parents were aware (moves, changes of school) and she herself seemed well aware of the problem.
Is Facebook involved?
Statistically, the internet and social networks do not seem to me a breeding ground that deserves specific attention in the fight against suicide. On the other hand, this particular girl's relationship with these media deserves study. Staging one's own case is a surprising phenomenon, close to staging one's suicide. Not a call for help, but a casting of shame onto others. I am not a doctor, but I think this is a subject worth looking into.
Monitor social network use?
Colleagues or acquaintances who know about my professional activities have often asked me how to better monitor their children. They worry about what might go unnoticed on social networks. The fear of the rapist or kidnapper met on the internet is ever-present, as is the fear that the child simply has too much "bad company" that would ruin their life.
My first reaction is always to make clear that I am a corporate CISO (RSSI), not a family CISO. I am a professional; you cannot change who you are.
My second is to recall that nothing replaces a genuine relationship of trust with the child. If they come to ask for advice, if they dare to talk about their doubts and fears, if they dare to admit their blunders before the worst has happened, then the risk will be greatly reduced. (Note: it is the same in a company between the CISO and the IT staff. A relationship of trust is essential.)
What if the social network took part in the fight against suicide?
This is a computer scientist's remark: we know how to do targeted advertising, we know how to correlate information received from various social networks, so why not set up bots, or iPhone, Android or Facebook apps, that would alert suicide hotline services (SOS Suicide) about a person who might act on it? There are clearly warning signs that could be collected by the cloud.
Various use cases and benefits can be envisaged:
- Automated detection of at-risk people,
- Automated or accelerated first response,
- Automated or accelerated handover of the case to people close to the person,
- Online collection of key data allowing the person's case to be understood better and faster,
- Prediction of relapse or of acting on it for known people,
- Statistical study of the key factors that may contribute to suicidal behaviour (by searching for similarities between cases).
Wednesday, December 5, 2012
Fear of the Cloud: let's reinterpret!
A remark for Cloud bloggers who rely on statistical surveys of the type: CIO opinion.
The "fear of the Cloud" needs reinterpreting: when a CIO says Cloud security is his top concern, he does not mean that the confidentiality, integrity or availability of the Cloud scares him. He means that the continuity of his IT department's habits, services and budgets is threatened by the Cloud.
It is a rational fear: like many experienced managers, he is above all afraid that things change too fast and become uncontrollable.
So, in my opinion, the figures on fear of insecurity in the Cloud need to be qualified.
Tags:
cloud,
security insights
Saturday, December 11, 2010
Back on my 2010 security predictions
For an ITsec worker, every year comes with some pieces of satisfaction and a lot of frustration. For instance, you'll hear about rocket-science ITsec techniques and observe that your neighbour's techniques are more snail-like, ostrich-like or dodo-like :-(
I made a few predictions at the beginning of the year about what would happen in the ITsec field; let's see whether they actually happened.
What I wrote back then is given as each list item; today's comment follows it, prefixed "Today:".
- Linux systems will become an interesting target for hackers because of Google's OS.
  The free software community will react fast to vulnerabilities. If Google is up to the task, they will integrate the changes very fast and it will result in Linux systems being the most secure. Competitors will finally be forced to take vulnerabilities more seriously. That's the optimist hypothesis. The pessimist one is Google not being interested in building better security and not reacting faster than the others.
  Today: Did not happen. There are traces of some attacks on Google's OS but nothing of the depth of what happens on Windows (so far).
- Microsoft will (finally!) propose a centralized software installation and update manager, quickly adopted by the big software companies, reducing the number of heterogeneous installation modes, late updates and so on. Something apt-like, in a Microsoft way, of course.
  It's either this or Microsoft platforms will be progressively abandoned for integrated products such as the iPhone or platforms with that functionality such as Linux (servers) or Mac OS X (clients).
  Today: Did not happen. But I hear Symantec is on the subject and it's quite promising.
- Viruses will spread to Macs and iPhones up to the same level as under Windows.
  Today: Clearly did not happen, though there are a few examples of such viruses.
- Generalization of new authentication modes, including smart cards with microchips, user/machine certificates and fingerprint readers on laptops, will happen.
  There will be a fashion for it and a lot of blunders will be made in the beginning.
  Today: Happened. I saw many examples of fingerprints being considered a good means of authentication, which they often are not, and worst of all: some companies have started relying on "private questions" to let users reset their own passwords.
- There will be reports about IT services clouding the wrong parts of themselves: critical infrastructure, already very profitable services, legally protected information...
  Today: Certainly happened, though those companies will not make a failure report before they've withdrawn, which is no easy thing ^^ The funniest story I heard (nothing written, sorry) is that of a web development company whose managers decided to cloud the infrastructure, thus turning Apache settings, PHP settings and so on into read-only, contractual data.
- There will be an overflow of non-browser software using SSL.
  Each of them has its own libraries, and each blunder or vulnerability in the use of SSL will have to be addressed in each of these libraries. This cannot be done in a reasonable time. For this reason, there will be new products or services around gathering all this SSL traffic and forwarding it in an actually secure way.
  Today: Happened, even Microsoft got into the market.
- Social harvesting will rise to unprecedented peaks. Because of poor legal harmonization (or even concern, for that matter!) in various countries, automated social harvesting services will be made available.
  Today: Happened, see Day's comment on the original article: pleaserobme.com, a site that harvests Twitter to guess whose homes are empty and easy to rob. One could also quote personalized ads or so many articles on the web.
- Governments from developed countries will try to censor, filter and/or index the web. They will fail for two major reasons:
  - The web is too huge for any current government to master it, or even understand it.
  - The free software community will sidestep any technical measure towards censorship.
- There will be stories, news, rumours about Google having connections with the US intelligence agencies. Google's business is a source of information just too important nowadays for intelligence agencies to neglect it. I won't attempt any prediction about Google's reactions.
  Today: Did not happen, so far as I'm aware.
- PCI DSS-like standards (simple checklist, minimalist, technical, yet very efficient) will be published about various matters of ITsec. Or maybe I just read too many people interested in that.
  Today: Did not happen; I just read too many people interested in that.
And now a few wishes:
- That people stop thinking I work on viruses when I say I work on ITsec.
  Today: There's certainly some change, but I can't identify it so far. People seem to be starting to become aware of the "information side", as opposed to the "technology side"...
- That IT managers (non-security) stop thinking there is a fixed list of requirements for security, that each of them requires purchasing a "security product", and that each of these products works standalone.
  Today: No change.
- That service managers start budgeting time for service reviews and corrections, not only service implementations.
  Today: No particular change.
- That Adobe distinguishes between PDF designed for review and printing and PDF designed for automated administrative tasks in complex forms. This may prevent a lot of problems to come.
  Today: They didn't, though they reacted by adding sandboxes to the software. Makes me think of old families that had many children to "avoid" child mortality...
- That my government stops being such a liberty killer about IT.
  Today: Not happening before the next election...
- [...]
- That my readers consider the strange situation of using an Excel-controlled Visual Basic script to interact with an AS/400 terminal emulator, written in Java, inside a Citrix session running on a Windows Server "cluster" inside a VMware architecture. (You can find screenshots and photos of the AS/400 on IBM's website, for instance, there.) That was my only nightmare these last years. Does virtualization never end?
  Today: I don't know whether my readers did consider this situation. Did you?
Thursday, October 14, 2010
A little thought about computing clouds and physical security
Clouds are not so cloudy that they don't sit on God's green earth.
I was thinking that with so much data concentration, and data of so much value, what would prevent people from breaking physically into data centers to steal data?
After all, who says data banks says data hold-ups...
I can think of four reasons why they wouldn't stage a hold-up to steal data from a data center:
- It's probably easier to steal it online.
- It's certainly safer to steal it online.
- If you're breaking into a place you've never been, finding what you're looking for may be messier in a data center than in a bank.
- The adoption rate of this kind of crime would probably be very slow: burglars are not accustomed to data centers and black hats are not accustomed to hold-up parties. They probably don't share a lot of "good practices".
So I was thinking that data of interest to a State should probably not be stored within its reach.
However, I don't have a clue how the visibility of a criterion such as the geographical location of data may evolve in the next years for the cloud customer :-|
Tags:
cloud,
security insights
Saturday, February 20, 2010
Security predictions for 2010 and a few wishes
As usual, nothing posted on this blog is related to my job at my employer. These are merely thoughts gathered from readings on the web and personal considerations.
(If you're wondering why I didn't post this in January, think that holidays spent in Sicily, Romania, Hungary and Serbia are worth being late. I really love the Carpathians.)
- Linux systems will become an interesting target for hackers because of Google's OS.
  The free software community will react fast to vulnerabilities. If Google is up to the task, they will integrate the changes very fast and it will result in Linux systems being the most secure. Competitors will finally be forced to take vulnerabilities more seriously. That's the optimist hypothesis. The pessimist one is Google not being interested in building better security and not reacting faster than the others.
- Microsoft will (finally!) propose a centralized software installation and update manager, quickly adopted by the big software companies, reducing the number of heterogeneous installation modes, late updates and so on. Something apt-like, in a Microsoft way, of course.
  It's either this or Microsoft platforms will be progressively abandoned for integrated products such as the iPhone or platforms with that functionality such as Linux (servers) or Mac OS X (clients).
- Viruses will spread to Macs and iPhones up to the same level as under Windows.
- Generalization of new authentication modes, including smart cards with microchips, user/machine certificates and fingerprint readers on laptops, will happen.
  There will be a fashion for it and a lot of blunders will be made in the beginning.
- There will be reports about IT services clouding the wrong parts of themselves: critical infrastructure, already very profitable services, legally protected information...
- There will be an overflow of non-browser software using SSL.
  Each of them has its own libraries, and each blunder or vulnerability in the use of SSL will have to be addressed in each of these libraries. This cannot be done in a reasonable time. For this reason, there will be new products or services around gathering all this SSL traffic and forwarding it in an actually secure way.
- Social harvesting will rise to unprecedented peaks. Because of poor legal harmonization (or even concern, for that matter!) in various countries, automated social harvesting services will be made available.
- Governments from developed countries will try to censor, filter and/or index the web. They will fail for two major reasons:
  - The web is too huge for any current government to master it, or even understand it.
  - The free software community will sidestep any technical measure towards censorship.
- There will be stories, news, rumours about Google having connections with the US intelligence agencies. Google's business is a source of information just too important nowadays for intelligence agencies to neglect it. I won't attempt any prediction about Google's reactions.
- PCI DSS-like standards (simple checklist, minimalist, technical, yet very efficient) will be published about various matters of ITsec. Or maybe I just read too many people interested in that.
And now a few wishes:
- That people stop thinking I work on viruses when I say I work on ITsec.
- That IT managers (non-security) stop thinking there is a fixed list of requirements for security, that each of them requires purchasing a "security product", and that each of these products works standalone.
- That service managers start budgeting time for service reviews and corrections, not only service implementations.
- That Adobe distinguishes between PDF designed for review and printing and PDF designed for automated administrative tasks in complex forms. This may prevent a lot of problems to come.
- That my government stops being such a liberty killer about IT.
- [...]
- That my readers consider the strange situation of using an Excel-controlled Visual Basic script to interact with an AS/400 terminal emulator, written in Java, inside a Citrix session running on a Windows Server "cluster" inside a VMware architecture. (You can find screenshots and photos of the AS/400 on IBM's website, for instance, there.) That was my only nightmare these last years. Does virtualization never end?