Return-Path: <sentto-279987-5368-1038493815-fc=all.net@returns.groups.yahoo.com> Delivered-To: fc@all.net Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Thu, 28 Nov 2002 06:35:04 -0800 (PST) Received: (qmail 17610 invoked by uid 511); 28 Nov 2002 14:31:46 -0000 Received: from n19.grp.scd.yahoo.com (66.218.66.74) by all.net with SMTP; 28 Nov 2002 14:31:46 -0000 X-eGroups-Return: sentto-279987-5368-1038493815-fc=all.net@returns.groups.yahoo.com Received: from [66.218.67.194] by n19.grp.scd.yahoo.com with NNFMP; 28 Nov 2002 14:30:15 -0000 X-Sender: r_v_p@yahoo.com X-Apparently-To: iwar@yahoogroups.com Received: (EGP: mail-8_2_3_0); 28 Nov 2002 14:30:14 -0000 Received: (qmail 3419 invoked from network); 28 Nov 2002 14:30:14 -0000 Received: from unknown (66.218.66.218) by m12.grp.scd.yahoo.com with QMQP; 28 Nov 2002 14:30:14 -0000 Received: from unknown (HELO web20708.mail.yahoo.com) (216.136.226.181) by mta3.grp.scd.yahoo.com with SMTP; 28 Nov 2002 14:30:14 -0000 Message-ID: <20021128143014.71865.qmail@web20708.mail.yahoo.com> Received: from [61.11.33.31] by web20708.mail.yahoo.com via HTTP; Thu, 28 Nov 2002 06:30:14 PST To: india_discussion@yahoogroups.com, indianmilitaryclub@yahoogroups.com, interiit@yahoogroups.com, Internet-in-India@yahoogroups.com, ISP-India@yahoogroups.com, itnerds@yahoogroups.com, iwar@yahoogroups.com From: Ravi V Prasad <r_v_p@yahoo.com> X-Yahoo-Profile: r_v_p Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com Delivered-To: mailing list iwar@yahoogroups.com Precedence: bulk List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com> Date: Thu, 28 Nov 2002 06:30:14 -0800 (PST) Subject: [iwar] By Dr Raj Mehta - National Security in Network Era Reply-To: iwar@yahoogroups.com Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit By Dr Raj Mehta - National Security in Network Era About Dr. Raj Mehta Campaigner, scientist, an author, online educator and new media exponent--the World Wide Web, Dr Mehta feels very few have clue as to how to use it. Presently involved in "educating our legislators on aspects of Net and computer security", this 50 plus alumnus of Stanford University (worked with Nobel Laureate Dr. William Shockley) besides having worked for Raytheon, ITT Semiconductors, IBM R&D Labs in California holds four basic patents related to transistor processing. He has successfully conducted several corporate seminars at Hoechst Marion Roussel to introduce Internet and the Internet technology for the corporate use and for personal use. Author of "Internet Users Guide For VSNL's Gateway Internet Access Services (GIAS)", published by Videsh Sanchar Nigam Ltd. it led to the birth of India's first online voluntary virtual community to help Internet Users of India TheGuide http://guide.vsnl.net.in Email Address: rajm@stanfordalumni.org =============== Dear Ravi Would you be kind enough to post two of my messages to the groups mentioned below... I am in transition... about to leave for US for few months and have not had time to fully get familiar with your groups... Though I have tried only a little bit to figure out how to post... but give me links where I can go and post. I assume that I am member or should I have to join? Please let me know. raj ======================== I wrote this article, "National Security in Network Era". It was published by "Deccan Herald" in Bangalore as an Edit page. http://www.deccanherald.com/deccanherald/nov07/edst.asp http://www.deccanherald.com/deccanherald/nov08/edst.asp -- Unfortunately, Decaan Herald did not publish my email address so don't know how it was received. But the editor thought to be important enough to publish on Edit page than the computer suplement. What I am looking for is a dialogue & critique so I can refine it further. Needless to say that I consider this issue to be of utmost importance and it needs to be addressed earliest possible. Thanking you in advance My best wishes for New Year and regards raj =============================================== National Security in Network Era by Raj Mehta (This article has been published in Deccan Herald, Bangalore in two parts in Edit Page on Nov. 7 and 8, 2002. I have sought release to be published in other newspapers, e-media and other forums) A stand-alone computer is a useful tool. Its power is enhanced unimaginable times when it is connected to other computers in a network, whether it be private network (an Intranet) or a public network (e.g. Internet). To organize and manage the complex society that we live in, computer networks are indispensable. What flows over these networks is human knowledge. It is increasing at a pace never foreseen before in history. Commerce and almost all activities of our daily living rely on this knowledge. If our functioning has to be orderly, the integrity of the information becomes a central issue. Any unauthorized alteration of information has potential of creating chaos. Among the security threats faced by present-day information-networked societies, a prominent one is information warfare. Surprisingly, it is possible to seriously damage and even destroy communication networks and computer systems that are central to modern economies and their national defense. In the extreme, the fabric that holds a nation together can be damaged to the extent that civil society becomes vulnerable to physical attack and destruction. Consider the following hypothetical scenarios that are technically quite feasible: · Infrastructure failure (railways, telecom, airways, power grids). More and more of Indian infrastructure is relying on computers and networks to provide basic services e.g. rail travel, communication, travel by air and power and possibly many others. If these networks become inoperative then life as we know today in modern India will come to a stand-still, and law and order problems could result across the country. With on-going privatization of the infrastructure sectors, relevant network security issues will increasingly pass beyond direct regulatory control. · Pension, LIC, PF and bank account beneficiary data alteration. Unfriendly elements get control of the computers and networks of these agencies and cause their data to be maliciously altered, thereby causing mass confusion and disruption of life and normal activities. Banks for example could be most vulnerable to such attacks, more so as they expose themselves to the risks of Internet Banking. Billions are known to have been lost by such frauds with banks overseas, even as they moved cautiously towards networked banking. · Malicious alteration of data on revenue collection and claims. Computers and networks that hold important revenue data for various government departments and agencies could be compromised and maliciously altered without even being detected. The resulting loss of revenue and the long, drawn-out litigations among people and between authorities and people would be unimaginable. Such a failure would give rise to unwarranted disputes and turn them into bloody battles bringing unending suffering to citizens. · Immigration lapse. Imagine a group of terrorists approaching an Immigration desk at any port of entry in India. The immigration and security people who could intercept them rely on their computers that are networked with different International ports of entry in India and with India’s overseas Consular offices as well. If the security of these computer databases were to be breached and information on such terrorists deleted or shielded even for a limited time, the terrorists would be allotted visas and would enter India without any agency being able to detect such an invasion. Can you imagine what havoc this could cause? In India we are moving towards mass computerization of all of our activities. Any and all of the above scenarios are very much possible, because of: · A wide-spread lack of security-awareness, and · Some inherent problems with our computer and network hardware and software. Prominent types of computer and network security breach are the following: · Security violation, that allows an external hacker to take control of critical servers and equipment. The use of foreign hardware/software constitutes a threat as there are in-built mechanisms (known as backdoors and doorbells) and components that can make the entire information on a computer or a network available to some agency of a foreign power. For example, all the hardware/software imported from USA is known to contain features that will permit NSA (National Security Agencythe spy agency of USA) to control every computer and piece of hardware/software exported out of USA. ARE YOU AWARE that this is part of an agreement between the US Government and U.S. manufacturers, as a requirement to get an export permit granted? · Distributed Denial of service attack (DDoS). If any of the infrastructure computers or networks can be overwhelmed by someone with malicious intent, or routinely by someone wanting to use Internet from any of the computers, the whole of the subject service can be made inoperative by mass sending of information packets, made to appear as hardware failure. Of course if such machines are connected to the internet, they are even more at risk. This type of attack has happened to servers connected to parts of the global public network internet, e.g. yahoo.com and others, who lost their service for several hours. · Hardware & Software Flaws: Of course there are other types or means associated with and exploiting many technical errors (bugs) which are present in all computer and network hardware and software. For any particular model or generation of hardware or software, such errors get discovered and corrected by the manufacturer or supplier only over a considerable period of time, measured in months or years, if at all. Owing to the continual development and adoption of new hardware and software, this is an ever-present problem. The above stated instances are only a tip of the iceberg, the most glaring examples of how our security is being compromised. The point I really want to drive home is that it is our responsibility to reduce our vulnerability to such threats. We know there are unprincipled and criminal people and predatory and hostile countries that we have to deal with from time to time. If we do suffer harm through computer security breaches and information warfare now and in the future, the fault lies with us for not being sufficiently vigilant to know what is going on even now, and in failing to take steps toward better security and privacy. To deal with the threats to our computer networks (and hence to our way of life) a two pronged strategy is outlined below :One new laws must be enacted which will address the threats was we know and perceive now. Second, a new initiative to educate (a neglected aspect of present computer/network era) every user connecting to the network MUST be under taken to use computer/network safely; only then any network can ever be secured. What can Parliamentarians do to help achieve preparedness against, and prevention of, such devastating calamities? The following may comprise a tentative Computer/Network Security Agenda: 1. Establish Advisory Committees that are receptive to hearing opinions and ideas of experts so as to function as a cohesive conduit between government agencies and well meaning knowledgeable experts. This will enable cautionary advice to be heard and awareness to be established at various levels. It will further enable the nation to review and act upon nationalist issues in these areas. Such Committees may be constituted as multi-disciplinary bodies and must include senior Parliamentarians, nominees from concerned ministries, Security, Intelligence and Defense agencies, and exponents of academic research as well. 2. Legislate - Mandate that for every hardware/software imported in the country, its vendor shall have to submit for examination, the source code (human readable listings) of any software coded with the equipment and of all proprietary software as well, without “gagging” (i.e. contractually preventing public disclosures of adverse findings of) the examiners. This is not unusual in present times. We won’t be the first ones to require this. Peru has already set the precedence for this. Mexico, Germany, Finland, Korea, Thailand, Philippines, France, Taiwan, China and some others are considering in some degree or the other such requirements. There are even similar moves at the State level in California, USA. 3. Move towards mandatory declarations (in a phased manner) for all business, trade, banking, infrastructure and industrial establishments who are networked to publicly disclose legally binding management assurances to the effect that adequate actions have been or will be taken within a definite time scale in order to achieve preparedness for better security against information warfare, whether by an actual nation, or other entity. And further make it well known that full audit and disclosure in this regard is on the agenda for being implemented in future. 4. Mandate that compulsory public liability insurance be procured by all such establishments for meeting public liability claims arising from any adverse sufferings that could be caused as a result of their network security inadequacies. A specialized cell to assess insurance claims as well as premium rates and rebates applicable to adequately complying establishments will surely induce better security implementation. 5. Make it mandatory for all telecom and Internet service providers to embark on mass communication program that will spread awareness amongst users of their services, and make them more knowledgeable to report risks, threats and violations. Those who comply may be given rebates in license fees that will help in partly meeting the costs of such a mass communication exercise. 6. Establish and keep upgrading security standards to be complied with for securing networks that are in use by public, government and business. 7. Consider suitable amendments in policies for procuring imported telecom and network equipment, computer hardware and software. 8. Develop indigenous hardware software through a National Centre for Information Networks. Finally it must be said that we do have some awareness in India about Network Security. There is a Government of India website devoted to this: http://www.itsecurity.gov.in, but unfortunately, it is a collection of material from US or other sources. We don’t have something which is developed indigenously. There are courses organized by STQC-IT Services for system administrators and IT managers. From my perspective this is not nearly enough. A Network or the Internet has to be viewed as a chain. Every link, especially people, is important. As the adage goes the a chain is only as strong as its weakest link. So every computer on the network has to be as secure as any other and every person manning the computer has to be as knowledgeable as any network professional. Only then is true security possible. Security awareness has to go down to every user who logs on to any network. Traditionally, Switzerland was the secure neutral crossroads, strongly self-defended, but remaining the neutral meeting place for government and commerce. India is poised to take that same position in networking, but the strong self-defense must grow to the needs. The balance to keep international ties while establishing that growth is difficult, but not impossible. It will take will, work and wisdom -- a new acronym for WWW. A dynamic policy for an effective digital security in the new Internet Millennium can establish India as a global center for an International Network Economy. The cost of maintaining an effectively secure digital network infrastructure is lower than the cost of any remedial action, even when damages are comparatively small. Regions of the world that are prepared in this way will become a magnet for use of their infrastructure. India can and become Switzerland of the Network Age. Here's India's greatest chance to become a world leader of an International Network Economy by creating the desired secured infrastructure. Let India not miss it! ======================== About Dr. Raj Mehta Campaigner, scientist, an author, online educator and new media exponent--the World Wide Web, Dr Mehta feels very few have clue as to how to use it. Presently involved in "educating our legislators on aspects of Net and computer security", this 50 plus alumnus of Stanford University (worked with Nobel Laureate Dr. William Shockley) besides having worked for Raytheon, ITT Semiconductors, IBM R&D Labs in California holds four basic patents related to transistor processing. He has successfully conducted several corporate seminars at Hoechst Marion Roussel to introduce Internet and the Internet technology for the corporate use and for personal use. Author of "Internet Users Guide For VSNL's Gateway Internet Access Services (GIAS)", published by Videsh Sanchar Nigam Ltd. it led to the birth of India's first online voluntary virtual community to help Internet Users of India TheGuide http://guide.vsnl.net.in Email Address: rajm@stanfordalumni.org ================================ TCPA (Trusted Computing Platform Alliance) is greater threat to Network Security than anything so far-- Security Nightmare is about to begin..... Hello, I think this topic needs to be discussed and paid attention to asap basis. One of the top executives in dominant Indian software company thought my article on National Security ( http://guide.vsnl.net.in/articles/topics/security/national_security/index.html ) was ominous, that is nothing compared to what is in store for us, starting 3rd quarter 2003. Network Security nightmare is about to begin. Read below the TCPA faq <http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html> ... Unless both Government of India and the leading Software industries take a proactive stance we will lose our sovereignty. Of course there is silver lining for India if we choose to capitalize on it immediately. For starters if we make our own microprocessors that by bypass the TCPA standards, there will be enormous need for them around the world .. . If we play it right we can give Intel good run for their money. We have to go indigenous with Hardware/Software if we are to be counted as anyone in IT field. We can't go on being dependent on Foreign countries to give us the basics of IT... Hardware and Software. And companies who dominate the software field should take bold lead in this matter. Regards raj ============================== Very well done. I wish I had time to summarize it. In the mean time pass it around. Especially see points #24/25 at end of: Linkname: TCPA / Palladium FAQ URL: http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html Remember the CryptoAPI flap? Now put that on steroids. Not fully covered in the article are: 1. The attempt to use copyright controls to control things outside the purvue of copyright holders, by making the machine only run "approved" software. This is the ultimate in what the anti-trust suit was supposedly going to prevent. 2. The capacity of the remote authentication server to shut down absolutely anything -- It's handing a "master key" to someone outside. Consider _that_ if "terrorists" or hostile foriegn powers have or grab the "master key". Compare CWIN in Richard Clark's speech, supporting the m$ monopoly and the TCPA -- merge CWIN with Palladium -- what do you get? http://www.bsa.org/resources/2002-03-16.99.pdf TCPA is NOT an increase in security, it's a centralization of vulnerabilities to allow cyber-catastrophes to have an even greater reach! You'll find a LOT of background for the "Plan" .pdf in this speech. "Fritz" chip design for TCPA/Palladium machine override of user operations. http://www.atmel.com/atmel/acrobat/2015s.pdf Intel have announced that from the second half of 2003, the Pentium 4's successor will support Palladium. This chip, to which I referred above as the `Hexium', has now been officially named `LaGrande' The underlying strategy is to make a strong cryptgraphic wall of division between "approved" computing (aka controlled by someone else), and things like OpenSource Now, note the mad rush to XML-in-everything, and consider that the XML "definitions" (schemes ... I forget the right term) are already shifting to copyrighted limited-distribution items that would almost certainly fall under the purvue of TCPA restrictions. So, instead of providing lack of inter-operability through secrecy, they do it via international Copyright treaties, and national laws. Secrecy has been reverse-engineered around time after time. The only way around this plot, is to have great security (better security) APART from this kind of "centralized control" embodied in TCPA computing. Bookmark http://www.robotwisdom.com/log2002m11.html and scan through the current month ^^^^ ^^ and modify URL for prior months, or use "RWWL archives" links at bottom of page. India needs to launch it's microprocessor industry, bootstrapping from Motorola, if absolutely necessary. There's going to be an ENORMOUS global cry for something that isn't Intel - probably by 2nd half 2003. Will they have to cut-over game boxes to get 'em? Interesting software history - - well done. http://www.cbi.umn.edu/iterations/ceruzzi.html History, ends with ... Linux evangelists might learn from the experience of Marc Andreessen, when he was touting the Netscape Navigator as a competitor for Windows. In an interview he described Windows as "a partially-debugged set of device drivers."[66] Bill Gates and Steve Ballmer did not think that was funny. Today, Netscape is buried in a corner of America Online.[67] Neither Andreessen nor Jim Clark have been forthright about why Netscape ultimately lost the browser war to Microsoft, but the hubris of statements like that one did not help. Someone should have reminded Andreessen of the folk wisdom, "you don't tug on Superman's cape." Unless you are IBM. In any event, what started out as a footnote to the Microsoft antitrust trial, something that Linus Torvalds claimed was "...just a hobby, [and] won't be big and professional..." is turning out to be quite interesting. We shall see. ===== Ravi Visvesvaraya Prasad & AssociatesManagement Consultants in Information Technology, Internet, Telecom, Softwarervp@lycos.com, rvp@excite.com, rvp@yifan.net, rvp@50g.com, rp@k.sthttp://42.4t.com, http://37.s5.comModerator of the following discussion groupsSoftware Industry in India at http://groups.yahoo.com/group/sw-indTelecommunications Industry in India at http://groups.yahoo.com/group/tel-ind __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com ------------------------ Yahoo! Groups Sponsor ---------------------~--> Get 128 Bit SSL Encryption! http://us.click.yahoo.com/CBxunD/vN2EAA/xGHJAA/kgFolB/TM ---------------------------------------------------------------------~-> ------------------ http://all.net/ Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2002-12-31 12:01:54 PST