You know those “private, internal emails” that get sent around within your organization, never meant to be seen by outsiders? Well, one day, they may in fact be seen – and this is an example of what could happen.
The exposure of what appear to be email messages from the Climate Research Unit of the University of East Anglia shows conversations between leading climate change researchers which were obviously not meant for mass distribution. The messages exposed include:
- Drafts of scientific papers
- Unflattering comments about climate change skeptics
- Discussions in which scientists talk about using “tricks” to deal with statistical inconsistencies in their work.
Of course, the critics of the theory that human activity is changing the climate are having a field day with this: “‘This is not a smoking gun; this is a mushroom cloud,’ said Patrick J. Michaels, a climatologist who has long faulted evidence pointing to human-driven warming and is criticized in the documents.” According to the Times article, “The evidence pointing to a growing human contribution to global warming is so widely accepted that the hacked material is unlikely to erode the overall argument. However, the documents will undoubtedly raise questions about the quality of research on some specific questions and the actions of some scientists.”
Whether or not you believe that human activity is messing with the climate, there is a lesson to be learned here. Unlike the ephemeral casual hallway conversations we have with our coworkers, electronic communications like email, instant messages, and in some cases phone calls leave artifacts which can surface long after they are written and which may, when viewed in isolation, provide a very different picture than what was intended. And hackers are not the only threat… emails may also be exposed in the course of legal discovery during litigation. Yikes!
The moral of the story? When writing an email or IM, you need to think about what message it would give when read by an outsider, out of context, months or even years after the events which prompted it. Another way that life is getting just a bit more complicated in our modern age…
For most people, coming down with the H1N1 flu is a temporary, miserable annoyance. However, like regular seasonal flu, H1N1 (aka Swine Flu) can rapidly turn from an annoyance into a life threatening condition. There has been a lot of press coverage of the flu and you might be fighting flu info overload. However, take a few minutes to read this article from New Scientist to get a balanced overview of the risks and the steps you can take to protect yourself and your loved ones. And stop kissing pigs.
The NSA is one of the most secretive of the US Government’s TLAs (three letter agencies), which makes sense since it is charged with intercepting, decrypting and analyzing communications for the intelligence community. However, in addition to its role in SIGINT, the NSA is also tasked with helping the government and private industry secure systems against cyber attack (information assurance). If you go to the agency’s web site, you’ll find a number of configuration guides which provide security advice for products such as computer operating systems, database servers, and Cisco routers. These guides are a great use of our tax dollars (IMHO) – they help protect government systems from attack and (with some modifications) are helpful to private industry. So why am I telling you this?
This week, we’ve seen some press wondering whether Microsoft and the NSA might have cooperated to place secret back doors in Windows 7 to allow the spooks to access all of our computers (as well as those of the bad guys). Hackles were raised when a senior NSA official testified before Congress that the agency had “assisted” Microsoft with security for the new OS release. According to the NSA and Microsoft, the assistance provided was limited to the production of a security configuration guide for the new OS and did not include any special access methods for the agency.
So, is Microsoft helping the NSA get access to millions of computers worldwide? Probably not… Microsoft would be risking its customer base worldwide if news of such a backdoor were to leak. But this incident does reveal a perceptual conflict in the NSA’s information assurance and SIGINT missions. Maybe it is time for the government to separate the jobs of protecting information and gathering information.
One of the issues that the private sector has with taking security advice from the NSA is the perception that the NSA is in the business of protecting (and swiping) state level secrets. After all, widget production figures don’t need the same level of protection as the nuclear launch codes. I think a lot of security professionals pass the NSA documents by because of this perception. What would be really great would be a separate release of private sector versions of these types of documents from a less ominous and more civilian oriented agency. For example, the Windows 7 Security Compliance Management Toolkit (which the NSA assisted in preparing) could be a starting point for much less complicated sets of instructions aimed at:
- Home users
- Educational institutions
- Small and medium sized businesses
- Large enterprises
- Critical Infrastructure Providers
- Financial Institutions
I’ll take this a step further… I would like to see these documents form the basis of a description of the minimum level of due care that any enterprise handling the information owned by others or controlling critical infrastructure must meet. Having some very basic standards (and some teeth to back them up) would do two things:
- Provide incentives to enterprises to secure their systems
- Provide a generally accepted security baseline
- Provide small and medium sized businesses who don’t have a high level of security expertise in house with a clear and concise roadmap (and instructions) as to what they need to do.
I think that there would need to be private sector involvement in developing these documents, of course. It would be a large undertaking, but I think it would also be a large step in the fight against cybercrime and cyberwarfare.