2007-05-28 21:59:25

German IT security industry sentenced to death

The German IT security industry was sentenced to death on Friday, May 18th, at 22:30.

Originally, the session was scheduled for 02:00 on Saturday morning, but apparently that appeared to be a bit of overkill. At half past ten in the evening, the German federal council declared that it accepted the modifications to the criminal law regarding computer offences unaltered. These modifications forbid the possession and use of tools whose main purpose is to intercept, alter or gain access to data.

However, the German IT security industry depends heavily on being able to create and possess such tools. IT security is mainly created by finding security problems (e.g. data which is passed unencrypted, buffer overflows, information leaks), writing an example exploit in order to help understand the problem, and handing it to the vendor so that the vendor can fix it.

On the other hand, security on the user side can only be established if all of the example exploits are run against the user's system in order to determine whether or not it needs to be patched against something. Additionally, broad exploitation techniques are used to find applications that suffer from common problems. This is vital to a good security test of a customer's environment, because some programs only reveal flaws in certain setups.

The decision of the German government is mainly guided by the belief that all IT security threats to German companies come from inside the country. This is untrue, however. Most of the attacks are automated and come from foreign IP ranges (Asian, American, etc.). This means that this law does not stop the attacks, but it takes away all means of defending against them, because the tools which are required to conduct security tests have just been outlawed.

Also, this law does not just pose problems for the IT security industry but also for large parts of the entire IT industry. For example, network operators depend heavily on sniffing tools to figure out parameter problems in their network flows. Wrongly set parameters can slow down a network or even stop all traffic. Firewall rules, too, can only be tested and debugged that way. In order to figure out network problems, it is unavoidable to use the same sniffing software that could possibly be used to sniff users' passwords.

There is only one true solution to the IT security problems in this world. It is an absolute necessity to encrypt all, or at least all authenticated, traffic. Username and password authentication should also be eradicated and replaced by cryptographic challenge-response protocols, as demonstrated on the CAcert web site.

The second necessary step is what is described as «eternal vigilance». There is no way of avoiding this. If you want your enterprise to be reasonably safe, have an independent or even in-house expert conduct regular security tests. Adopt security updates within a 24-hour timeframe. Avoid technologies which come with their own security problems but are advertised as bug-free (such as PHP, Java or .NET). Also, keep backups. If you do this consistently, you should be reasonably safe from attackers.

The entire legal proposal can be found under http://www.bmj.bund.de/media/archive/1317.pdf. The interesting parts are §§ 202b and c.

Posted by Tonnerre Lombard | Permanent link | File under: general, news, politics

2007-05-16 13:22:48

Microsoft finances an OOXML Wikipedia article editor

Microsoft has caused an edit war in the free encyclopedia Wikipedia by paying the standards activist Rich Jelliffe to contribute his knowledge to the articles about Open Standards, XML, OOXML and the OpenDocument Format.

Jelliffe claims on his user page, however, that his edits are not biased by the funding. Nevertheless, he has removed some anti-Microsoft «biases» from some articles, and this caused a lot of irritation. In short, there is no agreement on the degree to which Jelliffe's edits are biased.

Posted by Tonnerre Lombard | Permanent link | File under: general, standards

2007-05-16 12:20:29

Australian deported for breaking US IP in Australia

An Australian citizen has been deported to the USA for infringing on US intellectual property - in Australia. The 44-year-old man is accused of pirating products of an American company.

Under normal circumstances, this would lead to court proceedings against the man in his home country, Australia. Consequently, he would probably be sentenced to a fine, or even to prison (in case he did not pay the fine).

Instead, the Australian, who has never before set foot on US territory, has been deported to the USA in order to face 10 years in jail for piracy.

The whole story can be found on http://www.theage.com.au/[...]/1178390140855.html.

Posted by Tonnerre Lombard | Permanent link | File under: news, politics

2007-05-16 12:06:47

US Supreme Court: Patent System got out of control

The US Supreme Court has ruled what a lot of people have been repeating for years already: the worldwide patent system has got out of control. The market is flooded with trivial patents, which are only used to make money from litigation and slander. To make it even worse, the power to judge the patents is in the hands of the same organization which grants them. This means that it is in the USPTO's interest to grant as many patents as possible, in order to gain money from invalidating them.

The whole article can be found at http://www.ft.com/[...]-000b5df10621.html.

Posted by Tonnerre Lombard | Permanent link | File under: news, politics

2007-05-16 11:32:37

Microsoft hit with patent suit over .Net

The patent litigation wave has again hit one of its strongest promoters. Vertical Computer Systems sued Microsoft for unlicensed use of its patent on a «Method for generating web sites» (US patent 6,826,744).

The patent covers the generation of dynamic web sites using components which are abstracted by XML. So basically every web site which is created from XML could possibly infringe on the patent. DocBook-generated web sites come to mind.

The full article can be found at http://www.infoworld.com/[...]/HNmsdotnetpatentsuit_1.html.

Posted by Tonnerre Lombard | Permanent link | File under: news, politics