Friday, September 20, 2013

Creating A New World Order on the Internet - SAC5

It was a dark day in Internet history to which the world woke up when The Guardian published Snowden's disclosures about NSA's Prism program. Then over the next few days we read how the US Government unleashed its wrath, using 'all the king's horses and all the king's men' to get to him in Hong Kong. Since then, the story has taken many twists and turns, bringing grief and embarrassment to the US establishment as every new disclosure peels off the layers of the Prism program and reveals the depth (and extent) of surveillance carried out globally. 

As it has turned out - there is no safe harbor, nothing is sacred and no one can be believed. It is akin to the world known to spies during the cold war when the world was fractured into the western world and the communist camp. 

In those times of strife a few nations rose above the demands of the powers that be to ally with them and formed the Non Aligned Movement (NAM). This eventually morphed into regional movements driven by social and commercial motives. 

Now, we have been brought to the cusp of another era of global strife and mistrust with the US program that has been spying on practically every human being on the planet. Against this power center is China, which has created exceptional capability and capacity in all things cyber - offensive, defensive, proactive and preventive. The third player is Russia with its underground players who are also very nationalist, as was proven during the known cyberwarfare attacks on Georgia and Estonia.  

Whether a country is aligned to any of these three global players is of no consequence whatsoever because, as per the disclosures, even if you are actively participating and contributing to the Prism program, you will continue to be monitored and spied upon.

So, maybe the world order needs change and the 'weak' nations need to come together to form their own support and power club. India can lead this movement, in the same way as it led the NAM many years earlier, by forming a South Asian Cybersecurity Capability and Capacity Cooperation Council (SAC5). 

The South Asian Council can comprise neighboring countries, Middle Eastern and African countries with India leading the way. Collectively, these countries can share information, develop joint capabilities, conduct skill enhancement training and form a central response or early warning cell. 

Brazil has put out the clarion call for an Independent Internet and slowly and steadily the backlash against US (and Allies) resources will gather momentum like a tsunami. The Prism - NSA disclosure has implicated US corporations like Google, Microsoft, Facebook etc. and resistance is bound to rise in time. says - let's break away from the Internet ! The Brazilians have also protested strongly to the US and this has led to a long phone call between the two presidents. 
So is it time for the world to be polarized again and, worse, for the internet to publicly lose its independence and be branded as a tool of American hegemony? 

The movement to break away from dominance of a few countries on the internet has been shouted out. If the South Asian countries ally and form a Council it will be another power center which will be an effective foil to any type of actions to take over this critical medium. 

As I have said earlier this is a new and different dimension and has to be understood and accepted in a different light. Mankind co-exists with the dimensions of water, air and has to learn to live with ether - better early...  before this dimension is destroyed by mankind itself. 

Monday, September 9, 2013

Innocence Lost....

Sometime back we lost our innocence. 

When WikiLeaks leaked Manning’s files, worms crawled out affecting the pride of country leaders across the world. Egos were punctured because the cables sent by US embassy minions to their masters were judgmental in nature and revealed “private” foibles and conversations. This has been followed up by Snowden’s snowfall, which is more damaging for the US Government and business than for any other government.

Over the past few months, every day we are stripped layer by layer by the revelations of the NSA’s prowess for invisible intrusion. We thought the TSA guys were having fun seeing us in whole body scanners and sharing the pics, but it turns out that the NSA has been having more fun. Move over Guantanamo Bay, that was just a small set of prisoners who could be stripped, chained or flogged – here they have the world at their fingertips, and no one looking over their shoulders.

First one learned that there was access to emails and internet conversations, the next layer included voice conversations, then came location data, followed by the revelation that IT majors like FB, Google, Microsoft, et al are participating in the program. Along with these businesses, some governments also howled in, only to retract when the next revelation exposed their participation and remuneration. It was another shocker that told everyone about the possibility of backdoors in commonly used software and hardware. The world started thinking about seeking safety under cover of encryption and proxy technologies only to learn that these have been seduced long ago – in other words encryption technologies have a backdoor.

So, is there anything which is safe? Maybe we have to go back to living in caves to save ourselves from this intrusion, because it seems that the only thing Uncle Sam cannot do is shove a finger up your 455. But maybe that time is not too far off either, what with the Internet of Things promising particle transportation and more!

Yes our innocence is lost – the new innocence is that “we do not look inside, we only search patterns”. The new innocence is that you are just a lump of flesh which eats, breathes, shits and screws and that’s it – simply put you are an animal and no more. Of course, this is so if you are not the most powerful man on earth, a.k.a. Mr President. Liberty, freedom, privacy and such rights are good to discuss but not to be expected in the face of secret laws and powers available with the intelligence organizations.  

In any case, even if you are Mr P there is no guarantee that someone did not dip into your smart phone or that of your wife or children. There is no way you would know, just like the world did not know until it started snowing. Quite possibly Mr Snowden carried some stuff on you and that is the major cause of the big manhunt that has been launched.

Today, every government wants their own NSA with enough powers to run every sort of surveillance on their citizens. What will be done with the data is anyone’s guess – maybe it will help run genocides and pogroms more effectively. Or get to play ghetto-ghetto by segregating people based on caste, color, religion etc. At the cost of development, Governments are spending billions on technology selling the dream of nirvana that follows through an e-governance portal or a new registration card, and it does not matter whether you can read or write, or whether you have had a square meal in a day.

Innocence lost forever, welcome to the new order: Kalyug is now the C-Yug, where C = corruption, chamchagiri, cronyism, chutiyapanti, conmanship, carpetbaggers, cybercrime, computers and any other C which you can define negatively.

So what is happening is that we are all without clothes, having been stripped, layer by layer and naked for NSA eyes.

I wonder – are we a number or a name in the NSA records? Is this numeric, alpha-numeric, with or without capitalization? Or is it a continuation of the numbers given in Auschwitz and Dachau... that may be appropriate. Will we soon start hearing ‘arbeit macht frei’ or will it be embedded into our flesh at birth? Are we going to see Mr President in a new role as the oracle from Minority Report?

Mommy, is that what Big Brothers look like?

Wooooohhh !

Wednesday, June 5, 2013

Software Asset Mis-management... who deserves to be hit?

It was another day and I was excited when I learned about another possible 'victim' of the SAM missile. Am putting them here for record...

Case 1 - Last month a close friend who is the IS head got the review call and I was happy to help him face the notice and the threatening discussions that followed when he pushed back. Yes, he pushed back and the License Manager was sort of surprised and changed tracks. Eventually it was a bad one and everyone was smelling bad too. To cut the story short his company was wrong in the license use - they have a good quantity of licenses but needed more. They were plain lazy and this requirement kept going under against other "priority" budget items. Well they had to spend about Rs. 85 lacs ($ 150k) within a week of closure. 

So much for the budget ! All I can be happy about is that they are compliant and I could help them save about Rs. 40 lacs ($ 70k) - pro bono work to help a friend. 

Today a fellow consultant provided information about a bank that is presently under scrutiny. Now this is different - it is a bank and they are covered only about 15% with licenses. And for the balance 85% these guys are using pirated stuff. Well they are desperately trying to move to open source and I am waiting for them to be HIT. They deserve to be HIT and HIT BAD and I hope that the s/w vendor that is reviewing them includes a penalty too. 

I did offer to help and may provide advice too, but it is going to cost them if I am called. I know that they will not agree to pay my fees and will just seek advice (which I am not going to offer).

In any case I do not think they can be saved and I will really not be happy doing this.


Am I being judgmental ? I don't think so as it is my prerogative. However, as I repeatedly say - I do not support piracy. Especially if the person (or entity) can afford to buy the software. I am against strong arm tactics against ignorance bred due to complexity, and will continue to speak out my mind whenever I come across an instance. 

In the above cases both could afford to buy licenses; one was delayed in purchasing and had a friend at the helm, so I was okay in my support. The other could afford to buy but did not do this on purpose and deserves to be penalized. If I can get a share of the amount they will have to spend it will be my good luck :)

More SAM and license stories as I keep going hunting.

Sunday, May 19, 2013

Discovering SAM

Software Asset Management (SAM) and me. Frankly, I do hope people read through such long articles.

I chanced upon SAM in the course of my infosec consulting and was very impressed with the requirements of the practice. I also realized that a majority of software users are unaware of their license compliance requirements and are clueless about the benefits of SAM. Going deeper into SAM practices and requirements I decided that I shall take this as an area of specialization for my practice.

So I began reviewing tools, standards and best practices, and gaining more experience. One day I attended a seminar where BSA was a sponsor and after the talks I tried to get to talk to the person who had presented on software licensing etc. I was in for the first rude shock of my InfoSec career when I was brushed off with the comment that the Big-4 are qualified for this work and that I need to be certified too … which means I should spend about $2,000 with BSA.

Walking away I wondered if I shall learn rocket science or develop some super powers by paying 2k. Today I am seriously thinking about spending this money just to get to know (firsthand) what it is that BSA teaches. I mean I have seen a lot of practices and would seriously like to know if this is what is taught for the 2k!

Well after this I got down to doing my own thing, helping clients achieve compliance with their license requirements.

Until one fine day when I was to visit New Delhi and called BSA for an appointment – surprise ! I am told that they are not available for a meeting – this is disclosed after I have shared my objective for the meeting. And my objective is that I want to work with BSA guidelines in my SAM practice.

In this interim I tried to reach out to some of the License Managers with the software majors and guess what – no one had the decency to respond to my request to meet me so I could request an understanding of their licensing practices to include in my advisory service. Yes I found that there are a couple of other organizations like BSA and I found one with an Indian country manager. This Country Manager is ex-BSA head and I managed to connect with him on LinkedIn. After connecting I sent him a message asking for a meeting and guess what – after 6 months or so I am still waiting for a reply! Even he does not want to meet me to discuss issues of piracy and how I can work at my level to wean my clients away from this practice.

My thought is that I help my client go legit and avoid the hassle of a software audit / review / raid but it seems that all these people (organizations and software vendors) who are “supposedly” protecting the rights of license owners are not interested in having informed users.
Maybe they are afraid that an informed user will be legit and these people would have spent money hiring the big-time auditors for no reason.

Another thing I have learned is that SAM compliance audits contribute about 25-30% of the sales revenue for any of these software majors. No wonder this is highly secretive, with an expensive entry barrier and very very grim.

So, me and SAM are apparently not getting along very well. The reason is that I am a simpleton and a straight shooter and cannot understand this stonewalling. I do understand the desperate lives of these ‘license compliance’ people and the power they wield – sort of paradoxical. I do know about the modus operandi and my lawyer and consulting friends provide more case studies.

Nothing is likable here. I mean – these guys are selling software which is insecure. They issue patches in more numbers than one visits the washroom to clean up. These systems and applications are compromised and breaches take place. And if you read the license terms it is like they have done you a big favor by allowing you to use their dirty stuff. To add insult to injury, a goon in a suit may visit you at any time, shove his/her script into your network, probe your crown jewels and unleash the grim reaper on you.

Thank you for buying my software. I am not a monopoly, I am an autocratic oligarchy. And, since I was a child I wondered why Open Source existed – am I happy there is another world.

OK so SAM is not a clean thing. I call it a baby iceberg, just because it has the smallest visible threat surface but may be the biggest threat-in-waiting. Keep the APTs, DDoS attacks, malware etc. aside – this is a WMD, a pet which will turn rabid without warning and bite you.

Enough said and until the day ethics, morality and decent business practices are considered important it will be good if you prevent the WMD going off in your organization. Make sure you track every single license you purchase and install. Keep a license register and log installations, removals and retirements. Be careful not to use unlicensed software or cracks, even if it is only to test. Do not exceed the number of installations you are entitled to under your agreement. If you do not know make sure you ask your vendor to arrange a training and awareness session BEFORE you sign the PO. Oh yes, if there is an upgrade then make sure you ask this question twice because you may be entering into a grey zone.
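The advice above boils down to a handful of record-keeping rules: know what you are entitled to, log every installation, removal and retirement, and check deployed counts against entitlements before an auditor does it for you. The following is an added illustration of such a register, written for this page and not a tool the author or any vendor ships; the product names, host names and PO numbers are constructed sample data.

```python
"""Minimal software license register (added illustration, not a real SAM tool).

Entitlements come from purchase orders; installations, removals and host
retirements are logged as events, and a report compares what is deployed
against what is entitled, per product.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Entitlement:
    product: str
    seats: int          # installations the agreement permits
    po_number: str      # purchase order: the evidence an auditor asks for
    purchased: date


@dataclass
class LicenseRegister:
    entitlements: list = field(default_factory=list)
    # host -> set of products currently installed on it
    installed: dict = field(default_factory=lambda: defaultdict(set))
    # append-only event log: (date, event, product, host-or-PO)
    log: list = field(default_factory=list)

    def add_entitlement(self, product, seats, po_number, purchased):
        self.entitlements.append(Entitlement(product, seats, po_number, purchased))
        self.log.append((purchased, "purchase", product, po_number))

    def entitled(self, product):
        return sum(e.seats for e in self.entitlements if e.product == product)

    def deployed(self, product):
        return sum(1 for products in self.installed.values() if product in products)

    def install(self, product, host, when):
        """Record an installation; returns seats still free (negative = over)."""
        self.installed[host].add(product)
        self.log.append((when, "install", product, host))
        return self.entitled(product) - self.deployed(product)

    def remove(self, product, host, when):
        self.installed[host].discard(product)
        self.log.append((when, "remove", product, host))

    def retire_host(self, host, when):
        """Decommissioning a host frees every seat it consumed."""
        for product in sorted(self.installed.pop(host, set())):
            self.log.append((when, "retire", product, host))

    def compliance_report(self):
        """product -> (entitled, deployed, status) for every product seen."""
        products = {e.product for e in self.entitlements}
        products |= {p for ps in self.installed.values() for p in ps}
        report = {}
        for product in sorted(products):
            ent, dep = self.entitled(product), self.deployed(product)
            if ent == 0 and dep > 0:
                status = "unlicensed"      # installed with no PO behind it
            elif dep > ent:
                status = "over-deployed"   # more installs than seats bought
            else:
                status = "compliant"
            report[product] = (ent, dep, status)
        return report


def demo():
    """Constructed sample data; products, hosts and PO numbers are made up."""
    reg = LicenseRegister()
    reg.add_entitlement("OfficeSuite", 3, "PO-EXAMPLE-1", date(2013, 1, 10))
    reg.add_entitlement("DBServer", 1, "PO-EXAMPLE-2", date(2013, 2, 1))
    # Four installs against three seats: the last call returns -1.
    free = [reg.install("OfficeSuite", host, date(2013, 3, 1 + i))
            for i, host in enumerate(["ws01", "ws02", "ws03", "ws04"])]
    reg.install("DBServer", "db01", date(2013, 3, 5))
    reg.install("ShinyTool", "ws02", date(2013, 3, 6))   # no entitlement at all
    reg.remove("OfficeSuite", "ws04", date(2013, 3, 7))  # back within entitlement
    reg.retire_host("ws02", date(2013, 4, 1))            # frees OfficeSuite + ShinyTool
    return reg, free


if __name__ == "__main__":
    register, seats_free = demo()
    print("seats free after each OfficeSuite install:", seats_free)
    for product, row in register.compliance_report().items():
        print(product, row)
```

The point of returning the free-seat count from `install` is that the person doing the installation learns about the shortfall at that moment, which is when a purchase can still be budgeted, rather than during a vendor review. The log is append-only on purpose: removals and retirements are recorded as events, not by deleting history, so the register can show an auditor when a seat was freed and why.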

Licenses take pride in being complicated and big. In fact everyone is unusually impressed by a document which is long, very verbose, with paragraphs in capital letters dispersed throughout the document, numbered paragraphs, complex internal cross references, no spelling errors and lots of legalese. That’s why you just clicked ‘accept’ and then next > next > until ‘finish’ – what you do not realize is that (possibly) you violated some term of the license during installation itself !! hahahah – yes sir – read it closely and the agreement assumes that the person installing the software is authorized to legally bind the company with the terms that are being accepted. 

Sunday, April 7, 2013

Cyberwar Anonymous v/s Israel

It's wartime folks, except there are no people being killed, no guns, no tanks or bombs. It's a silent war focused on bringing down a country. And the problem is that this country, Israel, does not know whom to hit back at ! The attackers are from all over the world - different countries, nationalities and hiding behind multiple proxies. 

Anonymous says Israel crossed a "line in the sand" so they declared war !

As of today, this is what is making news... 

Anonymous making History, CyberWar begins, Israeli hackers hit back
Anonymous hackers from Iran, South Africa, Palestine, Pakistan and many other countries start first ever cyber war against a country; #OPISRAEL messages go round on every social media about thousands of Israeli websites defaced and hacked.
Anti-Israel hackers stepped up their attempts to pull down Israeli sites over the weekend, with numerous attempted denial of service (DDoS) attacks against Israeli government sites. Hacker sites listed numerous websites they claimed to have disabled, and several sites reported slowdowns on Saturday night, but nearly all the sites the hackers claimed to have taken down were operating normally.
Israeli Elite Strike Force worked on Saturday night to pull down more sites. The group started attacking sites in Pakistan Friday but took off for Shabbat.

As cyber-war begins, Israeli hackers hit back

Quran Cited on Hacked Israeli Police Website

Cyber War against Israel on Holocaust Memorial Day 

Major Israeli Government website Down, Mossad Agents emails Online

Details of 1500 Mossad agents are posted on Google Drive; about 19k Israeli FB pages are down; #OpIsrael says "When the government of Israel publicly threatened to sever all internet and other telecommunications in and outside of Gaza, they crossed a line in the sand."

Israel Sets Up a Hotline, Prepares for April 7 Anonymous Attack

Friday, April 5, 2013

Information Security education, training and more...

For a very long time I have been thinking about the dearth of 'good' education or training in the InfoSec domain. 

Then there is the thought of how will any new person get into the domain, considering that we all seem to have landed here by accident, providence, interest or plain luck in being at the right place at the right time !

I put my thoughts into a small presentation and am working on creating an Information Security Management program which will be good for the non-technical manager and the technology geek manager, as both will learn about their missing pieces. 

Check this concept document and your feedback will be welcome !