Why Him? (Marco Carrai, Matteo Renzi and Cybersecurity in Italy)

The appointment by Italian PM Matteo Renzi of Marco Carrai as head of Italian cybersecurity raised a storm of criticism and concern among IT Security “professionals”, who started complaining about his lack of competence, conflicts of interest and so on.

Many of the complaints (a few of them I’ve heard privately, from people who called me for that purpose), though, look more like a “why him and not me?” or “what does he have that I don’t?” rather than a serious analysis of Carrai’s adequacy for the job.

He might not be the right person for such a role, but he is trusted by the prime minister, and that is all that matters.

Not the first time, not the last time but – above all – not the first critical sector where such things happen.


Why Italy Already Lost the World(Cyber)War

We (Italians) can of course continue to lull ourselves into believing that dealing with “password policies”, “critical infrastructure committees” and “mandatory security measures” – just to name a few buzzwords – is enough to guarantee a decent level of security for our networks.

We can continue, after twenty years, to listen to – and repeat – the very same bull… stuff we used to say in the pre-internet era about ICT security (don’t use easy passwords, don’t write them on a post-it, use an anti-virus, etc.)

We can, definitely, keep waiting for the next “IT guru” or “magic box” that will make the bad guys disappear from our computers.

But we still continue using flawed software and operating systems without making the software houses pay for their faults (disguised as “features”.)

We still buy things and boxes (read: hardware) believing that just because of that “we are safe”.

And we still turn a blind eye to the actual quality of IT security in public institutions.

Two options as a conclusion: we’re either stronger than we appear to be or we are incredibly lucky.

But luck doesn’t last forever: we need to be lucky every single minute of the day, while the attackers need to be lucky just once.

The Web is ISIS’s Nuclear Bomb

The Web is ISIS’s Nuclear Bomb. This is what Loretta Napoleoni, author of books on the economic side of terrorism, wrote in an article for the left-wing Italian newspaper Il Fatto Quotidiano.

Napoleoni claims that – as Marxist ideology did in the past with “word-of-mouth” or, better, “word-of-book” – ISIS’s propaganda gets its power from a new “ideology-spreading-tool”: the Internet, and thanks to the Internet it will last, no matter what:

Even though, hypothetically, we should succeed in taking out all of ISIS’s warriors by bombing them and killing al Baghdadi, the ideology that these people have created and their universal message will last on the Internet. 1

I don’t have enough authority to challenge the curious association Napoleoni made between Karl Marx’s philosophy and ISIS’s vision of the Islamic religion, but I find it grossly superficial and offensive to the victims of (every) war to compare “the Web” to a nuclear bomb.

As I wrote in a post, war is made of bullets, and bullets hurt, as do (nuclear) bombs. Bombs make carnage and slaughter, shred a human being to pieces, burn, annihilate, vaporize, wipe out communities, blindly kill innocents, pollute lands for centuries or millennia (ask Hiroshima and Nagasaki survivors for additional info, just in case.) E-mail, newsgroups, chats, FTP (yes, Napoleoni, the Internet is not only made of HTTP) are tools of freedom designed by free people to give humans a free chance to communicate with no physical or social barriers.

Those like Napoleoni – and her cultural associates, members of the “Internet-as-a-threat Club” – should simply accept the fact that ideas are countered (and sometimes fought) with ideas, and that the worst way to challenge a disturbing statement is to censor it.

The idea that a single statement might change somebody’s personal philosophy to the point of turning him into a human bomb carrier is simply wrong. A change of mind happens by way of tragedies, loneliness, apartheid and injustice, not because of a tweet.

As for the “Internet Patrolling” advocated (not only) by Napoleoni – though sadly labelled by her as ineffective – again, let’s go back to basics: as the history of the East German, Russian and Italian political police shows, to fight an enemy and prevent attacks there is no substitute for actual, massive, ruthless and pervasive physical control. But this is disturbing and, rightly so, nobody in the Western world is willing to give a government so much power.

And here comes the brilliant solution: let’s fall back on the Internet and blame “the Web” as a radicalization tool.

No, Napoleoni, ideologies will not last because of a blog. They will stand as long as there is inequality in the world, which means until the end of time.

  1. Original text in Italian: Anche se, ipoteticamente, riuscissimo a stanare con le bombe tutti i guerrieri dello Stato Islamico e a far fuori al Baghdadi, l’ideologia che costoro hanno creato ed il loro messaggio universale in rete rimarrà

War is fought with bullets

True, the monumental unscrupulousness of the ICT business (which sells systems without concern for the security side), and the naïveté of its clients (trusting hardware instead of good practice and appropriate security processes) built today’s Western digital infrastructure as a Colossus with feet of clay.

True, this made the Western World a soft target for computer-related criminals and terrorists.

True, a lot of damage can be done in a short time by a committed digital strike.

But don’t forget that war is fought with bullets, real bullets.

And bullets do hurt.

Italy To Storm Playstation Networks? The Steve Jackson Game Case Strikes Back

According to Andrea Orlando, Italian Minister of Justice, Italy plans to fight the war on terrorism on Playstations.

In a press conference, Mr. Orlando said that new technologies are exploited by terrorists, and it is imperative to keep pace with innovation by allowing the capability to wiretap chat (whatever this means) and Playstations.

Apart from the merits of the issue (we might agree or not about the strategy, but this is a horse of a different colour) what matters is the clear uneasiness of the Minister in talking about topics he’s clearly not knowledgeable in.

I really wonder how law enforcement agencies will be able to extract something useful by wiretapping network games that deal with assaults, terrorist actions, covert operations and so on.

Will they be able to sort the truth from the game?

Are we on the verge of a new Steve Jackson Games scandal?

The usual approximation shown by a politician in charge of taking the lead on technology-related issues shows that key decisions on such sensitive matters are made elsewhere, by someone else not at all well versed in the matter. And it would be interesting to know who this “Mr. Someoneelse” actually is.

To have a better grasp of the operative issues before talking to the Press, maybe it wouldn’t have been a bad idea for the Minister to spend some spare time playing Call of Duty or Splinter Cell.


Hacking Team: A Class Action Against Adobe?

After the Hacking Team scandal, everybody and his cousin is calling for a “death sentence” against Adobe Flash, accused of being the “vessel” that allowed Hacking Team’s malware to land on users’ PCs and smartphones.

A logical consequence of this vulnerability and its exploitation by several pieces of malware, including those made by Hacking Team, would be a class action against Adobe which, as a matter of fact, released a “bugged-by-design” application.

But this is not going to happen against Adobe, or against the other (big or small) fishes of the software pond. We are much too “programmed” to accept a software fault as an act of God instead of either a mistake or a deliberate marketing choice.

Will things change after the Hacking Team scandal? I don’t think so, so get ready for the next viral infection, information theft or denial of service: it’s just business as usual.

Hacking Team: The True Culprit

In 1999 Mark Minasi wrote The Software Conspiracy: Why Companies Put Out Faulty Software, How They Can Hurt You and What You Can Do About It.

In 2004 Alan Cooper wrote (and I translated the Italian version for Apogeo) The Inmates Are Running the Asylum: Why High Tech Products Drive Us Crazy and How to Restore the Sanity.

There have been, and still are, countless warnings about the careless attitude toward security in software houses’ marketing strategies (take a beta, call it final and release it.)

So, why do the “concerned” journalists and activists only blame Hacking Team and Hacking Team-like companies, instead of involving in their outcry those who sold the world a bunch of crappy and vulnerable software?

Secure programming and security by design are not “options”: refusing to incorporate security into the roots of a software project is like designing a car without worrying about whether the brakes work.

And now we are facing the consequences.

Hacking Team: Silence On The Wire

Sometimes, what isn’t told is more important than what actually is.

None of the Italian mainstream primetime talk shows, usually very quick to arrange a panel of “experts” to help the Joe Sixpack audience understand what the fuss is about, spent a single second on the Hacking Team case. And the news has already lost its momentum in the newspapers.

Next week, nobody will ever remember what happened and in a couple of months everything will be back to business as usual…

My Two Cents on the Hacking Team Hack

What happened to Hacking Team is neither the first nor will be the last time a security company that lives by the sword dies by the sword. Nor is this the first or the last time that huge quantities of critical data are made available through the Internet.

So, to some extent, there is actually nothing new under the sun in the fact itself. This is why – putting aside the legal issues involved – I can hardly understand all the rants aimed at Hacking Team.

It is interesting, though, to analyze the “claims” that some “experts” made about the story. To make my points, instead of talking about someone in particular, I’d rather refer in general to the accusations made against HT, so:

  1. Hacking Team has been “unethical”. A company is just supposed to be legally compliant. Ethics is a horse of a different colour: it’s a personal thing, it is relative and – thanks to the French Revolution – it is not mixed with laws. As long as Hacking Team didn’t break any law by selling its stuff, it can’t be blamed, because “money doesn’t smell”.
  2. Hacking Team sold its technology to human-rights-bashing countries. While I have been in the digital rights world since 1994, I wasn’t aware that there were so many human-rights (keyboard) warriors… Anyway, as long as a state has a seat at the UN, and the sale complies with international laws and treaties (such as the Wassenaar Agreement), doing business with it shouldn’t raise any concern (as international weapon dealers are well aware.)
  3. Hacking Team has jeopardized investigations and covert activities all around the world. No, the investigations have been jeopardized by the choice made by governments of “going private” instead of developing their intelligence-gathering tools in house, and by the lack of a “Plan B” in case things – as just happened – screwed up. In particular, it is rather curious that nobody checked the fact that the HT license was associated with the customer identity in clear, instead of using a nickname or a cipher.
  4. There will soon be a “black” clone of Hacking Team’s software that will be used against the “good guys”. This malware is far from being the “only kid in town” and the Internet is full of brilliant (rogue) programmers able to build “HT-like” software. So this statement is just nonsense.
  5. There are hints suggesting that Hacking Team’s malware has been exploited to plant fake evidence on the targeted computer. So what? Blackmailing is a standard tool of the trade in the intelligence world, and the way this is done is irrelevant. And to shut down the disturbing voice of a political opponent it’s easier to frame him with conventional means (drugs, sex), which are cheaper while very effective, than to use a costly and complex-to-manage application.
  6. Hacking Team’s software is untraceable and now can and will be used without control. No, HT malware is not invincible, and while it is able to fly under the antivirus radar, it doesn’t mean that there are no defenses. Guess how you can reduce its might? Use plain-text emails, don’t click links and attachments, check your machines and data traffic for odd behaviours… In other words, stop using whistle-and-bell operating systems and fancy features and go back to basics. It ain’t fancy, but it is safer.
  7. Hacking Team helped intelligence agencies gain access to everybody’s computer. Again, so what? Are intelligence agencies around the world supposed to play bridge instead? As much as I dislike the fact, I cannot but pragmatically accept that the powers-that-be can do whatever they want, without actual accountability. They call it “democracy”.

Post Scriptum: Though I met David Vincenzetti about eighteen years ago at the Department of Computer Science of the University of Milan, and a couple of times in the following years, I never worked with or for him.


How Are Cameron and Obama Going to Forbid This?

This is – the news is as recent as today – what the Italian Polizia di Stato found during an investigation related to the ’Ndrangheta (organized crime from Calabria).

Although the cipher, in this case, is not that hard to handle for an expert codebreaker, it shows that “old school” systems still work.

So, following the announced ban on end-to-end encryption applications made by US President Obama and UK Prime Minister Cameron (coupled with the statement by the Italian Home Affairs Ministry) I wonder how they’re going to fight this “new”, dangerous way to exploit encryption.

Maybe outlawing paper and pencil?