January 26th, 2003



The Register released an article that reveals a huge, gaping hole in the U.S. Military's security. Specifically, they made it possible for *ANYONE* to register a .mil domain name, free of charge!

TheRegister didn't mention where exactly this site was, but I did a bit of poking around in Google's cache... and found the site on archive.org...

One thing that was also mentioned in the story was the existence of military sites with publically accessable traffic statistics, which could be used to locate .mil sites and networked DoD machines that are not public, not hotlinked anywhere, and which might contain (or be networked with other machines that contain) sensitive data.

Heh. They'll probably list my IP address later too. It's amusing, but I kinda wish they wouldn't do that -- it's bad netiquette!

(sidenote -- wouldn't it be funny to find out that some websites out there for extreme, illegal perversions did this too?! Then again, what can be *more* perverted than the art of killing? Sickos...)

Maybe Bush should be concerned about the other viruses...

As I mentioned the other day, a highly contagious worm played havoc with South Korea. Fortunately, the worm had a basic weakness -- it propogated itself through an obscure port. All that was necessary to frustrate the virus was to block that port. What I didn't know at the time I first posted about it, however, was that the virus also disrupted service for 15,000 Bank of America ATMs and played havoc with the computer systems for Continental Airlines.

Bush's nightmare scenario would be for a foreign power like Iraq to get ahold of some sufficiently dangerous weapon (nuclear, chemical, biological), invade another country, and then threaten to use that weapon if they were attacked. However, very few countries could really threaten the U.S. mainland currently (short of using operatives to bring such a weapon into our country) because their missile technology is lacking.

However, with viruses, worms, and the like, any country could attack the U.S. You could even design viruses, worms, DDOS attacks, etc. to specifically target the United States and its allies. The basic material for making these weapons is freely available on the Internet (as they should be) created primarily by teenagers in their spare time, and usually designed to not be destructive.

So, what would happen if a country like Iraq had just a handful of people working full-time on such weapons? After all, they know that the U.S. are willing to use computer viruses against them... and in fact already have. In 1990, prior to the Gulf War, the U.S. infected Iraq with viruses that spread all over the networks in Iraq -- by the time the allied forces' bombers arrived over Baghdad, communication networks and air defense networks had been paralyzed.

Can we *really* expect Iraq not to conduct both a defensive and offensive cyberwar? Such a war would not need to be launched from Iraq, either -- anywhere in the world with a net connection would do. Even if by some miracle Iraq does not have at least one smart person working on computer viruses, he *does* have allies and sympathizers around the world. Melhacker, a pro-Iraq hacker responsible for several major viruses in the past, has apparently designed a megavirus which is he threatening to use if the U.S. launches a war on Iraq.

Bush knows that there is a huge threat of the Internet being attacked, of course. He knows how much it can effect society and cost businesses. He may not care, however, in that a major virus attack on the U.S. could serve his purposes. It could especially be used to justify some of the government's extreme plans for creating a more "secure" Internet architecture.

Clinton pushed hard for the Clipper chip -- essentially, a government backdoor hardwired into your computer. Fortunately, the idea was defeated. However, Microsoft and Intel's Palladium / Trusted Computing Platform Alliance would also design a backdoor into your computer -- one that, yes, might make you somewhat less vulnerable to viruses, but one that could also do numerous other things, such as prevent you from playing MP3's, delete unregistered software from your computer...
and, potentially, give the government a backdoor into your computer.

The idea for Paladium was originally released as a paper called A Secure and Reliable Bootstrap Architecture, principally drafted by Bill Arbough. His former employer? The NSA. (He was a Senior Computer Scientist in their R&D division for eight years, and then a senior technical advisor.)

Just imagine how much more "useful" the concept of Total Information Awareness would be if your own computer was one of the databases that could be searched for the government to find its enemies...

and while I'm speaking in tongues...

Did anyone else notice that babelfish added to their language support lately? Russian, Chinese, Japanese, Korean... sweeeet.

Mind you, the problem with Altavista translation is that use an URL to get the results directly -- they send you to their front end -- whereas Google supports several different languages with plain old ordinary URLs. That allows you to do things like this:
... or even create bookmarklets to automatically detect and translate several languages for you.

Can't wait until Google supports more languages with their translation. One simple button to translate everything on the fly!