[iwar] By Dr Raj Mehta - National Security in Network Era

From: Ravi V Prasad (r_v_p@yahoo.com)
Date: 2002-11-28 06:30:14



By Dr Raj Mehta - National Security in Network Era

About Dr. Raj Mehta

Campaigner, scientist, an author, online educator and
new media exponent--the World Wide Web, Dr Mehta feels
very few have clue as to how to use it. Presently
involved in "educating our legislators on aspects of
Net and computer security", this 50 plus alumnus of
Stanford University (worked with Nobel Laureate Dr.
William Shockley) besides having worked for Raytheon,
ITT Semiconductors, IBM R&D Labs in California holds
four basic patents related to transistor processing. 
He has successfully conducted several corporate
seminars at Hoechst Marion Roussel to introduce
Internet and the Internet technology for the corporate
use and for personal use. Author of  "Internet Users
Guide For VSNL's Gateway Internet Access Services
(GIAS)", published by Videsh Sanchar Nigam Ltd. it led
to the birth of India's first online voluntary virtual
community to help Internet Users of India - TheGuide
http://guide.vsnl.net.in
Email Address: rajm@stanfordalumni.org 

===============
Dear Ravi

Would you be kind enough to post two of my messages to
the groups mentioned below... I am in transition...
about to leave for US for few months and have not had
time to fully get familiar with your groups...

Though I have tried only a little bit to figure out
how to post... but give me links where I can go and
post. I assume that I am member or should I have to
join?

Please let me know.

raj

========================
I wrote this article, "National Security in Network
Era". It was published by "Deccan Herald" in Bangalore
as an Edit page. 

http://www.deccanherald.com/deccanherald/nov07/edst.asp
http://www.deccanherald.com/deccanherald/nov08/edst.asp

 --
Unfortunately, Deccan Herald did not publish my email
address so I don't know how it was received. But the
editor thought it to be important enough to publish on
the Edit page rather than the computer supplement.

What I am looking for is a dialogue & critique so I
can refine it further. Needless to say that I consider
this issue to be of utmost importance and it needs to
be addressed earliest possible.

Thanking you in advance

My best wishes for New Year and regards

raj

===============================================

National Security in Network Era

by
Raj Mehta


(This article has been published in Deccan Herald,
Bangalore in two parts in Edit Page on Nov. 7 and 8,
2002. I have sought release to be published in other
newspapers, e-media and other forums) 

A stand-alone computer is a useful tool. Its power is
enhanced unimaginable times when it is connected to
other computers in a network, whether it be private
network (an Intranet) or a public network (e.g.
Internet). 

To organize and manage the complex society that we
live in, computer networks are indispensable. 

What flows over these networks is human knowledge. It
is increasing at a pace never foreseen before in
history. Commerce and almost all activities of our
daily living rely on this knowledge.  If our
functioning has to be orderly, the integrity of the
information becomes a central issue. Any unauthorized
alteration of information has potential of creating
chaos. 

Among the security threats faced by present-day
information-networked societies, a prominent one is
information warfare.  Surprisingly, it is possible to
seriously damage and even destroy communication
networks and computer systems that are central to
modern economies and their national defense.  In the
extreme, the fabric that holds a nation together can
be damaged to the extent that civil society becomes
vulnerable to physical attack and destruction.
Consider the following hypothetical scenarios that are
technically quite feasible: 
·       Infrastructure failure (railways, telecom,
airways, power grids). 
More and more of Indian infrastructure is relying on
computers and networks to provide basic services, e.g.
rail travel, communication, travel by air and power
and possibly many others. If these networks become
inoperative then life as we know today in modern India
will come to a stand-still, and law and order problems
could result across the country.  With on-going
privatization of the infrastructure sectors, relevant
network security issues will increasingly pass beyond
direct regulatory control. 
·       Pension, LIC, PF and bank account beneficiary
data alteration. 
Unfriendly elements get control of the computers and
networks of these agencies and cause their data to be
maliciously altered, thereby causing mass confusion
and disruption of life and normal activities.   Banks
for example could be most vulnerable to such attacks,
more so as they expose themselves to the risks of
Internet Banking.  Billions are known to have been
lost by such frauds with banks overseas, even as they
moved cautiously towards networked banking.  
·       Malicious alteration of data on revenue
collection and claims. 
Computers and networks that hold important revenue
data for various government departments and agencies
could be compromised and maliciously altered without
even being detected.  The resulting loss of revenue and
the long, drawn-out litigations among people and
between authorities and people would be unimaginable.
Such a failure would give rise to unwarranted disputes
and turn them into bloody battles bringing unending
suffering to citizens. 
·       Immigration lapse. 
Imagine a group of terrorists approaching an
Immigration desk at any port of entry in India. The
immigration and security people who could intercept
them rely on their computers that are networked with
different International ports of entry in India and
with India’s overseas Consular offices as well.  If
the security of these computer databases were to be
breached and information on such terrorists deleted or
shielded even for a limited time, the terrorists would
be allotted visas and would enter India without any
agency being able to detect such an invasion.  Can you
imagine what havoc this could cause? 
  
In India we are moving towards mass computerization of
all of our activities. Any and all of the above
scenarios are very much possible, because of: 
·       A wide-spread lack of security-awareness, and 
·       Some inherent problems with our computer and
network hardware and software.

Prominent types of computer and network security
breach are the following: 
·       Security violation, that allows an external
hacker to take control of critical servers and
equipment. 
The use of foreign hardware/software constitutes a
threat as there are in-built mechanisms (known as
backdoors and doorbells) and components that can make
the entire information on a computer or a network
available to some agency of a foreign power.  For
example, all the hardware/software imported from USA
is known to contain features that will permit NSA
(National Security Agency, the spy agency of USA) to
control every computer and piece of hardware/software
exported out of USA. 


ARE YOU AWARE that this is part of an agreement
between the US Government and U.S. manufacturers, as a
requirement to get an export permit granted? 


·       Distributed Denial of service attack (DDoS). 
If any of the infrastructure computers or networks can
be overwhelmed by someone with malicious intent, or
routinely by someone wanting to use Internet from any
of the computers, the whole of the subject service can
be made inoperative by mass sending of information
packets, made to appear as hardware failure.  Of
course if such machines are connected to the internet,
they are even more at risk.  This type of attack has
happened to servers connected to parts of the global
public network, the internet, e.g. yahoo.com and others,
who lost their service for several hours. 


·       Hardware & Software Flaws: 
Of course there are other types or means associated
with and exploiting many technical errors (bugs) which
are present in all computer and network hardware and
software.  For any particular model or generation of
hardware or software, such errors get discovered and
corrected by the manufacturer or supplier only over a
considerable period of time, measured in months or
years, if at all.  Owing to the continual development
and adoption of new hardware and software, this is an
ever-present problem.

The above stated instances are only a tip of the
iceberg, the most glaring examples of how our security
is being compromised. 

The point I really want to drive home is that it is
our responsibility to reduce our vulnerability to such
threats.   We know there are unprincipled and criminal
people and predatory and hostile countries that we
have to deal with from time to time.   If we do suffer
harm through computer security breaches and
information warfare now and in the future, the fault
lies with us for not being sufficiently vigilant to
know what is going on even now, and in failing to take
steps toward better security and privacy. 
 
To deal with the threats to our computer networks (and
hence to our way of life) a two pronged strategy is
outlined below: One, new laws must be enacted which
will address the threats as we know and perceive now.
Second, a new initiative to educate (a neglected
aspect of present computer/network era) every user
connecting to the network MUST be undertaken to use
computer/network safely; only then any network can
ever be secured.

What can Parliamentarians do to help achieve
preparedness against, and prevention of, such
devastating calamities?   The following may comprise a
tentative Computer/Network Security Agenda: 
1.      Establish Advisory Committees that are
receptive to hearing opinions and ideas of experts so
as to function as a cohesive conduit between
government agencies and well meaning knowledgeable
experts.  This will enable cautionary advice to be
heard and awareness to be established at various
levels.  It will further enable the nation to review
and act upon nationalist issues in these areas.  Such
Committees may be constituted as multi-disciplinary
bodies and must include senior Parliamentarians,
nominees from concerned ministries, Security,
Intelligence and Defense agencies, and exponents of
academic research as well. 
  
2.      Legislate -  Mandate that for every
hardware/software imported in the country, its vendor
shall have to submit for examination, the source code
(human readable listings) of any software coded with
the equipment and of all proprietary software as well,
without “gagging” (i.e. contractually preventing
public disclosures of adverse findings of) the
examiners. This is not unusual in present times. We
won’t be the first ones to require this. Peru has
already set the precedent for this. Mexico, Germany,
Finland, Korea, Thailand, Philippines, France, Taiwan,
China and some others are considering in some degree
or the other such requirements.  There are even
similar moves at the State level in California, USA. 
  
3.      Move towards mandatory declarations (in a
phased manner) for all business, trade, banking,
infrastructure and industrial establishments who are
networked to publicly disclose legally binding
management assurances to the effect that adequate
actions have been or will be taken within a definite
time scale in order to achieve preparedness for better
security against information warfare, whether by an
actual nation, or other entity.  And further make it
well known that full audit and disclosure in this
regard is on the agenda for being implemented in
future.  


4.      Mandate that compulsory public liability
insurance be procured by all such establishments for
meeting public liability claims arising from any
adverse sufferings that could be caused as a result of
their network security inadequacies.  A specialized
cell to assess insurance claims as well as premium
rates and rebates applicable to adequately complying
establishments will surely induce better security
implementation. 


5.      Make it mandatory for all telecom and Internet
service providers to embark on mass communication
program that will spread awareness amongst users of
their services, and make them more knowledgeable to
report risks, threats and violations.  Those who
comply may be given rebates in license fees that will
help in partly meeting the costs of such a mass
communication exercise.


6.      Establish and keep upgrading security
standards to be complied with for securing networks
that are in use by public, government and business.  


7.      Consider suitable amendments in policies for
procuring imported telecom and network equipment,
computer hardware and software. 


8.      Develop indigenous hardware/software through a
National Centre for Information Networks.

Finally it must be said that we do have some awareness
in India about Network Security. There is a Government
of India website devoted to this:
http://www.itsecurity.gov.in, but unfortunately, it is
a collection of material from US or other sources.  
We don’t have something which is developed
indigenously. There are courses organized by STQC-IT
Services for system administrators and IT managers.
From my perspective this is not nearly enough.

A Network or the Internet has to be viewed as a chain.
Every link, especially people, is important.   As the
adage goes, a chain is only as strong as its
weakest link. So every computer on the network has to
be as secure as any other and every person manning the
computer has to be as knowledgeable as any network
professional. Only then is true security possible. 
Security awareness has to go down to every user who
logs on to any network.

Traditionally, Switzerland was the secure neutral
crossroads, strongly self-defended, but remaining the
neutral meeting place for government and commerce.
India is poised to take that same position in
networking, but the strong self-defense must grow to
the needs. The balance to keep international ties
while establishing that growth is difficult, but not
impossible. It will take will, work and wisdom -- a
new acronym for WWW.

A dynamic policy for an effective digital security in
the new Internet Millennium can establish India as a
global center for an International Network Economy.
The cost of maintaining an effectively secure digital
network infrastructure is lower than the cost of any
remedial action, even when damages are comparatively
small. Regions of the world that are prepared in this
way will become a magnet for use of their
infrastructure. India can become the Switzerland of
the Network Age.
Here's India's greatest chance to become a world
leader of an International Network Economy by creating
the desired secured infrastructure. Let India not miss
it!

================================
TCPA (Trusted Computing Platform Alliance) is greater
threat to Network Security than anything so far--
Security Nightmare is about to begin.....

Hello, 

I think this topic needs to be discussed and paid
attention to on an asap basis.

One of the top executives in dominant Indian software
company thought my article on National Security (
http://guide.vsnl.net.in/articles/topics/security/national_security/index.html
) was ominous, that is nothing compared to what is in
store for us, starting 3rd quarter 2003. Network
Security nightmare is about to begin.  Read below the
TCPA faq
<http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html> ...

Unless both Government of India and the leading
Software industries take a proactive stance we will
lose our sovereignty. 

Of course there is silver lining for India if we
choose to capitalize on it immediately.  For starters
if we make our own microprocessors that bypass the
TCPA standards, there will be enormous need for them
around the world .. . If we play it right we can give
Intel good run for their money.

We have to go indigenous with Hardware/Software if we
are to be counted as anyone in IT field. We can't go
on being dependent on Foreign countries to give us the
basics of IT... Hardware and Software. And companies
who dominate the software field should take bold lead
in this matter.

Regards

raj

==============================

Very well done.  I wish I had time to summarize it.
In the mean time pass it around.
Especially see points #24/25 at end of:

   Linkname: TCPA / Palladium FAQ
        URL: http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

Remember the CryptoAPI flap?  Now put that on steroids.

Not fully covered in the article are:
  1. The attempt to use copyright controls to control things outside
     the purview of copyright holders, by making the machine only run
     "approved" software.  This is the ultimate in what the anti-trust
     suit was supposedly going to prevent.

  2. The capacity of the remote authentication server to shut down
     absolutely anything -- It's handing a "master key" to someone
     outside.  Consider _that_ if "terrorists" or hostile foreign
     powers have or grab the "master key".

Compare CWIN in Richard Clarke's speech, supporting the m$ monopoly and
the TCPA -- merge CWIN with Palladium -- what do you get?

       http://www.bsa.org/resources/2002-03-16.99.pdf

TCPA is NOT an increase in security, it's a centralization of
vulnerabilities to allow cyber-catastrophes to have an even greater
reach!   You'll find a LOT of background for the "Plan" .pdf in
this speech.

"Fritz" chip design for TCPA/Palladium machine override of user operations.
    http://www.atmel.com/atmel/acrobat/2015s.pdf

    Intel have announced that from the second half of 2003, the
    Pentium 4's successor will support Palladium. This chip, to which I
    referred above as the `Hexium', has now been officially named
    `LaGrande'

The underlying strategy is to make a strong cryptographic wall
of division between "approved" computing (aka controlled by
someone else), and things like OpenSource

Now, note the mad rush to XML-in-everything, and consider that the
XML "definitions" (schemes ... I forget the right term)  are already
shifting to copyrighted limited-distribution items that would almost
certainly fall under the purview of TCPA restrictions.

So, instead of providing lack of inter-operability through secrecy,
they do it via international Copyright treaties, and national laws.
Secrecy has been reverse-engineered around time after time.  The only
way around this plot, is to have great security (better security)
APART from this kind of "centralized control" embodied in TCPA computing.

Bookmark http://www.robotwisdom.com/log2002m11.html and scan through the
current month ^^^^ ^^ and modify URL for prior months, or use
"RWWL archives" links at bottom of page.

India needs to launch its microprocessor industry, bootstrapping from
Motorola, if absolutely necessary.  There's going to be an ENORMOUS
global cry for something that isn't Intel - probably by 2nd half 2003.
Will they have to cut-over game boxes to get 'em?


Interesting software history - - well done.
   http://www.cbi.umn.edu/iterations/ceruzzi.html
History, ends with ...
     Linux evangelists might learn from the experience of Marc
     Andreessen, when he was touting the Netscape Navigator as a
     competitor for Windows. In an interview he described Windows as "a
     partially-debugged set of device drivers."[66] Bill Gates and Steve
     Ballmer did not think that was funny. Today, Netscape is buried in
     a corner of America Online.[67] Neither Andreessen nor Jim Clark
     have been forthright about why Netscape ultimately lost the browser
     war to Microsoft, but the hubris of statements like that one did
     not help. Someone should have reminded Andreessen of the folk
     wisdom, "you don't tug on Superman's cape." Unless you are IBM. In
     any event, what started out as a footnote to the Microsoft
     antitrust trial, something that Linus Torvalds claimed was "...just
     a hobby, [and] won't be big and professional..." is turning out to
     be quite interesting. We shall see.




=====
Ravi Visvesvaraya Prasad & Associates
Management Consultants in Information Technology, Internet, Telecom, Software
rvp@lycos.com, rvp@excite.com, rvp@yifan.net, rvp@50g.com, rp@k.st
http://42.4t.com, http://37.s5.com
Moderator of the following discussion groups
Software Industry in India at http://groups.yahoo.com/group/sw-ind
Telecommunications Industry in India at http://groups.yahoo.com/group/tel-ind
