“Too much law, too little tech” is one way of viewing today’s output from AusCERT 2012 – except for two things.
The first is that the delegates don’t seem to have seen it this way. Nobody seemed to doze off early this afternoon after even the third session with a predominantly legal focus (Nick Abrahams of Norton Rose following Bill Caelli following Robert Clark).
So something’s happening: the kind of content that would once have drawn cat-calls from a security conference now gets engagement.
And that brings me to the second consideration: that the security sector is growing up at last.
This author happened to be present at Interop in San Francisco, some time in the mid 1990s, that saw the launch of a now-venerable, then-startup called Checkpoint; and for many of the intervening years, security has wanted to isolate itself into siloed discussions of technology, nearly divorced from the rest of the world.
That attitude still exists. It’s still possible for a company like Pirate Pay to create what is, essentially, a denial-of-service tool specific to BitTorrent hosts, for Microsoft to provide funding for the venture, and for media outlets to completely ignore the legality of a deliberate disruption to a computer’s ability to communicate.
Strong delegate interest in legal issues arguably hints that the world outside – the real one, where people have to protect systems and worry about consequences, and where buying another newer box won’t fit in the budget and won’t solve the problem – is maturing faster than the tech press has noticed.
So it is that Robert Clark could give a pedantic and legalistic definition of “cyber attack”, and explain why Stuxnet doesn’t fit the bill; and why Bill Caelli could invoke 19th century warfare and not experience walkouts; and why people didn’t attend Nick Abrahams’ talk merely because it had the word “cloud” in the header.
The security industry is growing faster than the media’s understanding of it; [not only academic or advocacy interest].
Let’s return to Pirate Pay, for example: it represents, in part, some of the concerns that Caelli was raising: the victim of some kind of attack (in the case of rights-holders, an attack on the exclusivity of their content – ignoring, of course, the ongoing debate over copyright and the Internet) has no legal right to self-defence.
If I threaten to strike you over the head with a stick, you have the right (under NSW law, at least) to self-defence beyond merely asking the attacker to desist. I can try to defend myself by grabbing the stick, breaking the stick, or using sufficient reasonable violence to prevent the attack.
The various computer crimes acts in Australia don’t even consider the notion of a proportionate response to an attack. The computer crimes laws in the various states and at the national level merely make all interference with a communications network illegal. Even if my target is a computer that’s being used to launch traffic against me, my hands are tied: the attacker can use a stick, and I cannot even use my bare hands to defend myself.
And this goes all the way from the individual up to the company up to the country (at least, in the absence of policies and international agreement).
Nobody solved the problem today; but an industry that is showing serious interest and engagement in these issues is far, far more mature than the security business I first encountered 16 or 17 years ago.
Of course, treating the legality of self-defence as a serious issue is one thing: what of the morality of counter-attack?
Nobody, I suppose, would argue in favour of the botnet or tell me that Microsoft was morally wrong to shut down a botnet.
BitTorrent is more problematic, since you must assume that the content you’re killing is infringing content.
Before we assume the right to a counter-attack, we assume the responsibility to be a lot more sure of our facts. The level of proof that (for example) AFACT presented to iiNet was never considered to be “sufficient” by any Australian court to justify what AFACT wanted – the disconnection of users. That level of proof should not, then, be considered adequate to justify attacks on end users.
In the AusCERT opening keynote this morning, Mikko Hypponen of F-Secure told delegates that Chinese hackers use VPNs to obscure their origin – in other words, attack traffic may “originate” from Washington or Indonesia, Britain or Australia, but have its real source in China.
Well and good: but achieving that level of knowledge of the traffic demanded considerable time and effort. One hallmark of an effective counter-measure is that the deterrent needs to be deployable quickly. A gun that takes months to aim is a gun that’s too slow to use.
So the “good guys” could easily find themselves caught between legal and moral niceties and the need for speed. But it’s a much more mature debate than the solipsistic technical discussions of years gone by.
Full coverage for the next 3 days from @CSO_Australia #Auscert2012