U.S. Wants Large Cyberpolicing Powers

LindaAthena writes "Thus were the words from a French report on a meeting of the G8 nations and 150 representatives of companies from the communications and information technology sectors. A summit on cyber crime was held in Paris with the U.S. pushing for total police power to bypass due process and other countries' laws to catch cyber-criminals (as defined, of course, by the U.S.). Note that public images of nudity in France are rated "G" while U.S. protected "racial hatred speech" is a crime there. The article from Le Monde can be found in the original French or viewed in Babelfish. " A number of people have submitted this recently from the recent G8 meeting. The U.S. apparently pushed very hard for major cyberpolicing actions, while France was one of the few nations in the group that adopted a more intelligent long-term view.

discussed in congress -- see CSPAN

[maynard]

This was discussed last week in the technology and science subcommittee hearings on the love bug. See: CSPAN - Technology and Science, page, along with the Actual footage in Real Media (.rm) format.
The subcommittee interviewed these witnessed:

• Keith Rhodes, GAO
  
• Harris Miller, Technology Association of America
• Sandra England, McAfee, A Network Associates Company
• Peter Tippett, ICSA.net

The level of outright lying regarding the security issues of Windows and Outlook, along with standard congressional grandstanding in front of cameras was just astonishing -- with only one representative taking Sandra England (and the rest of the witnesses) to task for misrepresenting that the love bug affected all computers -- and was not just a Windows/Outlook problem. At the end of that exchange Peter Tippet finally agreed that [paraphrase] 'OK, 97% of all computers were affected' and then pointed out that the very features that Microsoft just discontinued (embedded scripting in document data) was a critical necessity. The most frightening testimony came from Peter Tippet (who appeared the most technically savvy) who would not admit that the problem was client side security in Windows/Outlook and instead recommended draconian laws to resolve the issue. From memory:

• Criminalizing the creation of all viruses or self replicating programs -- even for research purposes.
  
• Making "hacking" a federal crime with severe punishments
  
• criminalizing THE HIRING of "white hat hackers" so that anyone who has EVER been convicted of "hacking" will be permanently barred from employment in the computer industry.
  
• Of course they recommended against any corporation hiring "hacker" security firms and recommended that these organizations be criminalized.
  

In whole, the entire subcommittee hearing appeared entirely designed to further the cause of McAffee Associates and Microsoft, while recommending insane laws plainly unnecessary to further the cause of Internet security -- but they certainly do benefit the witnesses.

I was most dismayed by Peter Tippet, who really did appear to understand the technical arguments and seemed to just be lying through his teeth to our congress critters.

SHAME ON YOU PETER TIPPET!

Re:discussed in congress -- see CSPAN

[Danse]

Given the amount of false information that Congress is being fed, it seems to me that no good can come of this. This deserves major attention before our congresscritters go and do something REALLY dumb. We need to get real information to Congress and then maybe the ones who aren't doing this to further their own agenda (*cough* the distinguished gentleman from Washington *cough*) might actually have some factual information to go on. Are there any academics or industry leaders who might be willing to tell congress the truth? Should there be a letter-writing campaign? What would work best?

Re:We Rule

[Jordy]

You obviously haven't spent too much time with Cisco equipment. Cisco employs the same tactics that Microsoft does... if they can't beat a company, they buy the company. They charge an extrodinary premium (profit margins are in the 60% range last I checked) for their products.

It's my opinion that Cisco has purposely not enabled things like IP Multicast by default simply because it's not in their best interest to do so. They want people to use more bandwidth so they can sell bigger routers and switches. Frankly, if Cisco supported IPv6 by default on all their routers today, we'd be living in a much different world... but they won't, not until they are forced to.

Their support is spotty, they like making proprietary protocols which are completely duplicated by industry standards only to make integration with non-Cisco equipment a pain in the ass. Their online support is shotty. Their website is painfully slow.

The fact of the matter is, most successful entities, be it a corporation or a country, have gotten there by stepping on the little folks and forcing their will upon the public. This is the same for Microsoft, the US, Cisco, etc.

The US is however in a slightly different situation as the public has control over it, but is frankly too happy with our economy to do anything about it.

Another major problem comes from the fact that what people outside the US see and what people inside the US see is completely and utterly different. Britain for instance in my eyes has been extremely supportive of all of the US's military efforts in the last 10 years. They certainly aren't bending to our will because we have a lot of money.

Of course, that's just my opinion, I could be wrong.

US of A: Policeman of the World.

[technos]

Why do we feel the need to do this 'Play policeman and walk over any nation we don't like' crap. Makes me sick sometimes. Why were the LOVEBUG arrests made? Because the Filipinos had the FBI and Big Brother Janet insisting on it. They didn't give a flying [snip] about a college student who may or may not have written a virus. We do it to Mexico too. Just because they aren't willing to arrest and prosecute their drug offenders, we decided we're going to do it for them.

And why do we get away with it? We grease palms with easily skimmed 'Foreign Aid', sell the worst of them military weapons, and generally have a history of using the Navy SEALs to 'pick up' any world leaders we don't like. Manuel getting pissed the CIA isn't giving him his cut of the drug traffic? Let's snatch him up, play innocent, and let him hang in a US prison for crimes committed in Colombia and Panama. Nasty old dictator doesn't like having US troops on his island? Let's put some money into the rebels and let them go!!

What the hell happened to the concept of sovereignty? Gee, all these backward nations must not be able to police their 'cybercrime'. Let's walk right over them and prosecute their citizens with our laws. Oh, I forgot. They're not US citizens, so they don't get all of that nifty Constitutuinal stuff. Due process? False imprisonment? Search and seizure? Nope! Fuck them, France, Britain, Germany; They can't be trusted to prosecute their own criminals. Stupid backward Eurotrash!

Makes me sick..

Transcript link and choice quotes courtesy Tippett

[maynard]

Dr. Tippett is kind enough to provide us all with a complete transcript of the lies and distortions he told Congress on May 10th during the Science and Technology subcommittee hearings on the Love Bug. Here is his primary web page, and the complete transcript is available as a link right off his page.

Here are some long choice comments backing up my previous post:

Regarding ways to solve the virus problem Harris Miller astonishingly recommended:

If you want a closed system, a closed Internet where every e-mail message first goes to a central place, that someone scrubs it and makes sure there is nothing in there that is not intended for you, or makes sure that it goes through some kind of central processing system and slows the Internet down so that your messages come to you after they've been thoroughly cleaned by some third party, you can do that. You can have that kind of an Internet system.

And it's possible the Internet could be designed that way, and that's a possibility. In which case, you would have no responsibility. You would contract with this third party. And you'd say, "I don't want to get any e-mail messages until you've opened them all and you've looked at them. I realize that that means I'm going to get my e-mail messages a couple of hours later or a couple of days later, but that's the kind of e-mail system I want." You could have that kind of system, if you wanted to pay that price. What the consumers appear to want, whether it's business or individual consumers, is instant e-mail. In fact, they like this instant messaging. They want to be able to communicate the same way over the Internet they can by picking up the telephone or by having face-to-face communication. So they want things instantly, which means, unfortunately, in terms of the Internet, as I said, the openness of it also is its vulnerability, because in that Internet, there are people who are bad guys. There are people who do cyber- stalking. There are people who want to send you messages even if it's not a virus, who may want to prey on you or prey on young children.

IOW: One possible solution he recommends is to create a central authority which manages and could potentially censor ALL email on the Internet. WOW... that goes against EVERYTHING I've ever stood for as a System Administrator responsible for email traffic.

Here's another choice quote:

U.S. REPRESENTATIVE LYNN N. RIVERS (D-MI) asked this telling question to the panelists:

RIVERS: Well, thank you, Mr. Chair. I want to ask a different set of questions, because I sit here and listen to the conversation that's going on and I feel like people are dressing down the bank guards without ever looking into the fact that all the windows were unlocked in the bank building. And I think we should be looking at the fact that this virus attacked a software system that 85 percent of all e-mail handles in this -- that 85 percent of all e-mail is handled on that is essentially vulnerable to this kind of attack, it has been vulnerable to this kind of attack for some time -- it's Microsoft.

My understand is that in 1991, the Internet community set attachment standards. And at the time they recommended that there should not be any program that automatically executes attachments. Microsoft, in a desire to have some exclusivity in a proprietary way, decided to create Outlook with that ability. And in fact, we are dealing with a single software that is vulnerable to this attack, both to Melissa and to the "ILOVEYOU" virus.

And I guess I would like to talk about that. I mean, do we have a widespread problem of vulnerability across all programs and all companies? Or do we in fact have a problem with a single software: the Outlook system. And should we not be addressing our concerns to why Outlook persists in the marketplace with this kind of problem. I'd like to hear from all of you.

So at least one Congresscritter "gets" it, but the responses she received in reply should dismay anyone with a technical background:

RHODES (?): You do have a problem, and its pervasive across the infrastructure. Yes, Microsoft is an easy target because they own the market. But you have an environment where the software industry is delivering for a market.

RIVERS: My understanding, though, is the Java programs were not -- that most of the other programs were not effected by this virus. It was in fact a Microsoft-specific..

(CROSSTALK)

RHODES: ... can attack through Java as well. It's not -- it's a matter of distribution based on the application as opposed to Java itself being weak, but they have a thing called the Java development tool kit, and you can establish a thing called the sandbox, and you can set up these boundaries on it. But if you open Eudora, for example, and there's a web address inside there and you move your pointer over it, you can automatically launch to that web address. That's a very pernicious event as well. But that's not due to executable code, it's due to an automatic distribution of your pointer out over the web. So it's across the industry. It just becomes more apparent in the Silicon Forest, up in Redmond, Washington, because they own the market.

So Security problems with Windows/Outlook aren't inherent in to the design of those products, just a funtion of their popularity. Riggghhhhtttt....

Here Dr. Tippett defends the necessety of executable scripts which read the Outlook address book in order to find names of others with which to send email (typical Outlook security hole which he thinks necesssary -- at least until Microsoft changed their security tune I suppose):

WEINER: I mean, I don't think I've ever got a legitimate program that, when executed, goes into my address book, opens it up and starts sending messages to my address book.

TIPPETT: Oh, au contraire, there are many, many companies that automate address book re-forwarding of things as part of their business automation process.

And Finally, they recommend outlawing the hire of "hackers" who at one time have been convicted of malicious "hacking," thus permenantly revoking one's right to pursue employment instead of just fixing the problem client side:

GUTKNECHT: Thank you, Madam Chair.

And once again I attach myself to the comments made by my colleague from New York. I mean, fool me once shame on you; fool me twice, shame on me. And it seems to me, we have been fooled. And if there is a level of frustration that you're hearing from us today, it's because we've sort of been there before. I mean -- and we count on smart people like you to help solve these problems.

Dr. Tippett, I want to congratulate you for offering at least one suggestion that this committee can seriously look at, and that is some kind of legislation which makes it very clear that trying to write these kinds of viruses is a federal offense. And we ought to be very serious about it, because this is a serious offense. This is not tipping over outhouses out in the back -- you know, the out-parts of our country. I mean, that was clearly, you know -- that happened, and it still happens I suppose in some parts of the country today.

But this is a serious matter. And I want to get to something else that I think we should consider and I want you to consider, and not necessarily right now, but give us some feedback on this. Because my sense is -- and we have this on fairly good authority, it's not official -- but there's at least one federal agency that apparently is out actually recruiting computer hackers. And they're going to build their own little team to try and build a system of former -- or supposedly reformed hackers who are going to help us become more insulated.

We have an expression here at the federal level that no good deed goes unpunished. And that happens all the time -- a tax policy, marriage penalty tax, whatever you call it.

TIPPETT: My wife's favorite statement, too.

GUTKNECHT: Yes, no good deed goes unpunished. But unfortunately, I think there is sort of a growing theory. And maybe I should ask Ms. England, do you have any former hackers on your staff?

ENGLAND: No, we don't. And we basically don't hire those people.

GUTKNECHT: Well, you basically don't, but do they get hired? And I think there is a theory among some of these guys -- guys, I say that generically -- but I think there is a theory among some of them: If I'm smart enough to beat this particular system, or if I can penetrate this particular system, or whatever, that you know, the worst that's going to happen to me is that I'm going to go to jail for a few months, and I'll probably get a six-figure consulting contract from somebody.

TIPPETT: I think that -- and have stated publicly many, many, many times -- ICSA.net believes as a generic thing that hiring hackers is a bad idea for lots of reasons. One, the reason that they are hackers in the first place -- and I mean criminal hackers or malicious hackers, or crackers, to just be clear about this. The reason that they do this in the first place is because they're not thinking straight. And you're basically hiring people who aren't thinking straight, who don't understand the larger ramifications of what they do. Furthermore, people who can break things are not the same people who can fix things.

TIPPETT: And, you know, the fact that I can shoot holes through your car doesn't mean I can make a car that you can't shoot holes through. It doesn't compute. And so it makes no sense at all to me to hire Billy the Kid to make a better bank vault. I mean, that's crazy.

But whatever reason, there's an allure of these people and many of them are good at programming, although, again, many of them have underpinnings of thought processes that you wouldn't want running your IT department. You certainly wouldn't want to give them the keys and passwords to your inner workings.

GUTKNECHT: Well, the real question for all of you, and maybe you want to answer it now, maybe you don't, maybe you can write us a letter or maybe we can talk about this the next time we're together after the next outbreak, but the question is, should we make it illegal for software companies to hire someone who has been convicted of computer hacking? And think about that, maybe you want to answer now, maybe not. But I think we need to think about that.

MILLER: Mr. Gutknecht, I think the question is being asked in too black and white a fashion. I think we'd all agree that hiring people who have perpetrated criminal activity, been investigated and/or convicted, that's a clear no-no and where companies and government should not be hiring them.

But there are a lot of these people in a gray area who are clearly -- do think differently, I would agree with Dr. Tippett, but believe that they have a mission in life, which is to help take on the big corporations and find their vulnerabilities and then turn that information over to those big corporations or over to the anti-virus companies, the companies that, for good reasons, Ms. England doesn't want to -- people Ms. England doesn't want to hire, yet they do because they like to beat the authorities, they like to beat the big companies. They're going to go find that vulnerability somehow or other and then turn that information over.

And that's -- those are people that fall into this, kind of, gray area. Now maybe you wouldn't be comfortable having that person working at the CIA or the National Security Agency or DOD, but maybe that person, in fact, is the person who goes that extra mile to find the extra vulnerability that the DOD officials themselves didn't find, or that the companies themselves didn't find. So I appreciate the fact that we'd like to think that the role is black and white; that there are black hats and white hats and that there's a clear difference, but I think the reality is that there are some people somewhere in the middle. I don't think that they are malicious in the sense that they want to do bad things. They may unintentionally do bad things, which would fall into my category of someone who should be prosecuted, but they have something to contribute to fighting crime.

GUTKNECHT: If I could just paraphrase what you said, there are people who love to do crossword puzzles, and this is the biggest, best crossword puzzle and they just want to prove that they can actually beat that crossword puzzle.

MILLER: That's right.

GUTKNECHT: So they are not necessarily malicious. So there are -- OK, that -- thank you.

MILLER: And I think that in my testimony, I referred to a study done by two professors at George Washington University -- two psychologists who'd done some work for the CIA, and, in fact, people who do these kind of things fall into a lot of different categories. Yes, there are malicious people. As I said before, punish them. Don't let them go with some Twinkie defense.

But there are people who are just antiestablishment, but they're not necessarily trying to create havoc in the congressional offices or bring down a bank. They just want to show that they're smarter than the programmers at Microsoft, or the programmers at Symantec, or the programmers at Oracle, or they're smarter than the DOD experts and they may have something to contribute.

I'm just disgusted by this... if you've read down this far you ought to just go and read the whole thing. Be prepared to puke... this just makes me sick.

The problem is...

[Millennium]

No one's got it right. Not one nation there has a truly intelligent view.

Look at the corporate-run United States. We have our free speech (much to the Radical Religious Right's chagrin) but no right to privacy.

Then check out Europe. Most of the nations there view privacy as a fundamental right, but can and do restrict free speech. Sure, it's against things like racism, but it's still wrong to censor anything, because the second one voice is silenced it sets a precedent by which all other voices are by definition jeopardized.

France is no more intelligent than the US in that regard. Sure, they have different views on nudity (whereas many Americans consider all nudity to be pr0n, it takes more than that to be consdered pornographic just about anywhere else). But they do ban other forms of speech. Yes, hate speech is a terrible thing. I have the distinct displeasure of living near a whole family of racists, so I know how bad it can get. But if no one has the right to censor me, then no one has the right to censor them either. And yes, it is annoying to have to put up with them (while I might not be the target of their race hate, I am still distrusted on religious grounds). But it's the only fair way.

The Declaration lists "life, liberty, and the pursuit of happiness" as inalienable rights. Note that happiness is not a right, only the pursuit of it is. In other words, you certainly have the right to try to be happy. But if you fail, your rights haven't been violated just because you aren't happy. This is something we as Americans seem to forget often; I'm guilty of it sometimes too. But the fact is, even in a truly fair system we're all different people, so we all have to put up with crap from others at some point.

I'm sure I'll run up against the Radical Religious Right and the Terminally Insecure, I mean Politically Correct, for this. But if we're going to be fair, and the people do want fairness, then no censorship can be allowed at all. Privacy must be inviolable without a warrant issued by a court of law. Intellecctual property must be maintained, but so must fair use of that property.

And in the end, some things will result from this that people won't like. You might run across something that offends you, or -God forbid- you might have to do your job as a parent and keep your own eyes on your own kids. Law enforcement, restricted again by law to using only the means they're legally allowed to use anyway by the Constitution, probably won't be as good at catching The Bad Guy. Piracy will still take place. But it is worth it, because the alternative is worse: a Big Brother state with mandatory pay-per-use media across all channels, perpetual copyrights and patents, and no concept of fair use whatsoever.

Is this REALLY an issue?

[sredding]

According to this arcticle on Wired:
The session drew up talking points for the July summit in Okinawa of the G8 -- the United States, Japan, Germany, France, Britain, Italy, Canada, and Russia -- but did not propose a global "cyberpolice" or other new crime-fighting agencies.

It also states:

U.S. Assistant Attorney General James Robinson poured cold water on talk by French officials that Washington wanted to a global "cyberpolice" that could be a threat to civil liberties. He said U.S. Attorney General Janet Reno had never even suggested to him that she was interested in this idea and added: "That's certainly not been anything we have proposed here."

Curious... I checked other sources.

ZDNET has this to say: In his speech, Chevenement highlighted the trans-Atlantic gap by rejecting the idea of an international "cyberpolice" supported by U.S. officials eager to crack down quickly on computer crime. "Nothing could be more wrong," he declared. "Sovereign states can develop the capacity to act, first at home and then in international cooperation."

I don't think the CyberPolice issue is still on the table for the next summit in July. Of course, if everyone wants to get there panties in a wad about the U.S.'s meddlesome, high handed foriegn policies, please, don't let this stop you. Bash away.

US vs. EU

[nezroy]

This will probably be yet another attempt by the US to implement International law as a fait-accompli, forcing the rest of the world to agree using political and, always more important, economic pressure. Typically this has worked well for the States, with Europe typically divided amongst themselves on petty issues and Asia staying out of everything that looks to hurt the stock-market. But with the EU chomping at the bit to test the limits of its new political and economic union, it will be interesting to see how they stand against the US's age-old bully tactics. And when was the last time you heard of Japan taking a firm stand on any issue that wasn't clear-cut economics, as far as the International arena is concerned? I'm guessing the US is in for a surprise this time, facing the most unified European front they've ever seen. And is Japan's standpoint a harbringer of things to come? I think it would be wise for the EU to catch this changing wind quickly, grabbing support where it arises. Perhaps they could change their name to the EBU (Everybody But the US) and start sending open invitations to the rest of the globe...

Textbooks

[Paul+Neubauer]

"High school chemistry textbooks have the same information, maybe we should censor those too?"

This has already happened. Whether it was intended or coincidence I can't say for sure, but I have my suspicions. Probably, "But if we publish that we could be sued if some idiot ignores the warnings and..."

Find a textbook from the mid-1950s. Say, Modern Chemistry by Dulle, Brooks, & Metcalfe. Turn to the chapter on nitrates. Read. Read the warnings, too. Now go look at a recent chemistry text. Notice that something isn't there?

Warning: Off-topicness follows.

This could be from fear of litigation and such, or it could be from high schools, in the USA anyway, trying to teach chemistry by the theory, as in colleges, rather than 'descriptive chemistry' as in the 1950s. The 1950s text is a good text. Reading it one gets a 'feel' for the subject, the detailed theory can (and should) come later, to answer to nagging "but why does.." questions. I have a suspicion that the subject is considered difficult and boring today as it is first taught in a boring and difficult manner.

Any censorship is bad

[FascDot+Killed+My+Pr]

Unless France's view was "ban all censorship, period" it isn't all that much more intelligent.

The Internet is not like television. The Internet is an enormous, distributed library. If we conduct periodic purges of the library based on the whims of the moment ("nudity is bad, now it's good; racism is good, now it's bad; cold fusion is a myth, cold fusion works great, no wait--it's a myth after all") we'll end eventually losing all the contents.

Q: So what about things like Napster and FreeNet? "How are artists supposed to make money?"

A: However they want. But technical progress will not and can not stop because of some individual's (or individuals') need for economic support.

Q: What about porn? My children will be scarred if they see a breast.

A: So keep them away from porn sites. Only YOU know what your policy is, so only YOU can enforce it. In any case, it's not my job to raise your children.

Q: What about bomb-making information? Oklahoma City/Columbine, blah blah blah.

A: There are so many answers to this I don't even know where to start. How about: "The same bomb-creating information that blew up an empty school last week can destroy an invading force next week." Or maybe: "High school chemistry textbooks have the same information, maybe we should censor those too?"

The only solution that works for all problems is education. Education requires information. Therefore censorship makes solving problems harder.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?