Shostack + Friends Blog Archive


Egypt and Information Security

Yesterday, I said on Twitter that “If you work in information security, what’s happening in Egypt is a trove of metaphors and lessons for your work. Please pay attention.” My goal is not to say that what’s happening in Egypt is about information security, but rather to say that we can be both professional and engaged with the historic events going on there. Further, I think it’s important to be engaged.

A number of folks challenged me, for example, “Care to enumerate some of those lessons? The big ones I see are risks of centralized bandwidth control, lack of redundant connections.”

There are a number of ways that information security professionals can engage with what’s happening.

A first is to use what’s happening to open security discussions with co-workers and management on issues like employee safety, disaster recovery, and communications redundancy and security. This level of engagement is easy and not political, but it uses a story in the news to open important discussions.

A second way is to use Egypt as a source of what-if scenarios to test those sorts of plans and issues. This gives a strong work justification for tracking and understanding what’s happening in Egypt in detail.

A third way is to use Egypt as a way to open discussions of how our technologies can be used in ways we don’t intend. Oftentimes, security technologies overlap with the ability to impose control on communications. Sometimes, for example with Tor, they can be used to protect people. Other times, they can be used to cut off communications. These are difficult conversations, fraught with emotion and exposing our deep values. But they are difficult because they are important and meaningful. Oftentimes, we as technologists want to focus on the technology and leave the societal impact to others. I think Egypt offers us an opportunity to which we can rise, and a lens for us to engage with these questions in the technologies we build or operate.

There are probably other ways as well, and I’d love to hear how others are engaging.

3 comments on "Egypt and Information Security"

  • Caspian says:

    I’m mostly avoiding this discussion in the workplace, since we’re all pretty heavily polarized over politics here anyway. It has, however, opened up a discussion or two at home, and in public. People (in general) aren’t aware of the impact that things like “internet killswitches” have until you can show them an example, and this is a pretty good one.

    The other thing that is becoming a major engagement point is sidechannel messaging. This is a basic topic in most security intro lectures, and is a pretty big deal, but I feel like most of us rarely think of it outside of DRP and BCP scenarios. In the absence of a GSM network, people started using dialup, faxes, landlines, and in some cases, radio. Radio briefly became an issue.

    Telecomix attempted to set up an amateur radio network for getting messages into and out of Egypt, only to be told by a number of Hams that they “shouldn’t make radio political” because they’d ruin it for the other hobbyists. This sparked a pretty heated discussion in the community on exactly what the nature of an emergency is, and how international radio operators should respond. Unfortunately, there isn’t a clear answer, and there are people who would rather not see Amateur Radio used for this type of response. It should be pointed out that in other uprising situations, hams and pirates have provided incredible support, sometimes at risk to their own lives.

    Obviously, this issue gets deeper when you start looking at the radio licensing process and the history of spectrum control, etc… all of which seem remarkably similar to some of the attempts made to control the internet.

    For the record, Telecomix operators and listeners did pick up a number of Morse code transmissions, some well ahead of government announcements. None, however, were calls of distress (they didn’t expect any, either).

  • digi says:

    Unrest in Egypt has been building for years, but lots of people here were in the dark on matters of foreign policy. For years they didn’t know how to parse what was being told about Egypt by those visiting us from there or who had moved here to live. Now their situation has finally erupted with enough media attention, in a way we can almost make sense of. For infosec, maybe a lesson to try and pay more attention to those alarms just below your current attention threshold, that you ignore because you don’t understand: repeated alarms that seemed low level, or that we ignore but don’t understand, could be precursors to some massive event. 9-11 had a similar element; it shouldn’t have caught people by surprise, it wasn’t the first act of terrorism, it wasn’t even the first attack against the WTC. Can’t trivialize the human cost; talking about it or comparing it to infosec is very difficult in that sense because of the human suffering.

    On top of dysfunctional risk monitoring, a foreign policy of entangling alliances can make you make stupid decisions with your own treasure, or if you don’t have any, go into debt to do things like buying tear gas for tyrants year after year. On the infosec side, maybe the public mostly recognizes your information business as wholesome and legitimate, but you are also at the same time using your bandwidth to subsidize and distribute hard core pornography or spamming, or have rogue employees in your business doing that secretly; maybe public opinion will turn against you at some point when that goes horribly wrong and people start wising up to what’s happening on your IPs and they get blacklisted.

    You’re lucky to have a helmet when everyone around you starts throwing rocks (investment in infosec defense early will pay off later even if nobody else is doing it).

    +1 to Caspian’s comment on side-channel – invest in comms that aren’t on a kill switch and can’t be spammed with propaganda or DDoS – preferably comms that aren’t owned by your oppressor.

    If you were late to join the protest, don’t expect to get there quickly in a car when everyone else is driving a car too – even a bike would be faster. (Have redundant connectivity and backup transport protocols set up; even if they seem anachronistic and slower than modern non-crisis tech, they will be worth more. I heard of a laptop hooked to a cell phone w/ data connection saving a data center once, because it was able to download a patch that could then be applied to all the other machines to bring them back up.)

    Large nonviolent groups demanding the police step down should plan to do some self-policing, and plan to fill the void after the police leave to keep it nonviolent. “Anti-government” is pointless. Anti-bad-government is a human right; you just have to be able to replace it with something good afterwards. Neighborhood watch groups – groups within the larger protest group that can act as “white blood cells” to identify the troublemakers – and visual and verbal reminders for everyone to stay peaceful make it easy to identify those who are trying to destroy the peace, because their out-of-place violence makes them identifiable as the minority (which majorities are good at silencing). (IDS systems, verifying data matches a ‘known good’ pattern rather than trying to think of all the bad patterns, internal scanning of systems on your own network for anomalies, malware, etc.)

    Protect the creators of the information you are trying to secure. A mob isn’t smart enough to understand why they shouldn’t kill the messenger – and the opposition wouldn’t mind journalists being eliminated – so that’s a threat to your system. If the truth will make you free, then those who would make you slaves aren’t going to be protecting journalists with integrity who share the truth. “Truth is treason in the empire of lies.” Protect elements of your information system that are reporting on what is going on, to reduce the fog of war and mitigate risk. Think of APT; think of what core systems rootkits are trying to subvert in your info system.

    Provide extra protection and training for your first responders, like health care workers treating the injured – seen in Egypt protecting themselves against infectious disease with gloves and masks and plastic aprons while tending to the wounded. Also realize how overburdened they are and give them breaks. (The stress of incident response is similar for network admins; teach admins safety principles of response – like when a domain admin is going in to investigate a problem on a compromised machine, they probably shouldn’t be logging in with domain admin creds.)

    Just as the army didn’t panic and start shooting into the crowds, sometimes it is wise for incident response not to panic, and to realize there is value in not turning off power to all production servers and/or flattening and repaving when an abnormal event occurs. “Don’t Panic.”

    Along those lines, always take a towel with you. 🙂

    If you are the oppressed demanding freedom from the oppressor, try devoting at least some of your resources to helping guard the treasures the oppressor is currently guarding, since that will immediately become your responsibility afterwards. Just like some career politicians will “never let a good crisis go to waste” in their crisis-and-leviathan power grabs (notice which ones can’t mind their own business and let Egypt be Egypt right now), professional criminals try to use the distraction as an opportunity to steal the national treasures (Iraq antiquities, 9-11 WTC gold, Egyptian mummies, etc.).