One of the nice things about having started the SBN was that I have gotten to meet (mostly virtually) many security bloggers from around the world.  Some of the most prolific contributors to the content of the SBN has been the members of the Belgian Security Bloggers Network.  I received word today from one of the authors of one of the blogs, belsec, that they are under assault by the EU government.  It seems in their wisdom, the European Parliament has decided that in the interests of "media pluralism", all blog owners should declare their ownership, affiliations and status of weblog authors.

The explanatory notes of the proposed regulation says this:

In this context the report points out that the undetermined and unindicated status of authors and publishers of weblogs causes uncertainties regarding impartiality, reliability, source protection, applicability of ethical codes and the assignment of liability in the event of lawsuits.
It recommends clarification of the legal status of different categories of weblog authors and publishers as well as disclosure of interests and voluntary labelling of weblogs.

As the belsec author points out, disclosure of their identities would effectively silence their voices.  There is no first amendment freedom of speech or freedom of press constitutional right in Europe. Of course if forced to do so, the Belgian authors could take up blogs based here in the US and escape the disclosure laws of the EU, but why should they have too.  The EU is a democratic, progressive entity.  Forcing these bloggers to make their "status and identity" public should not be mandatory here.

Blogs are todays pamphlets.  Basic freedom of expression, speech and press have been protected for hundreds of years. Forcing these bloggers to identify themselves is a violation of their rights.  What would Thomas Paine and others like him think of this restriction?

If you feel that this is an unfair and unjust restriction on bloggers rights, blog about it. It is our right and to do so and we should use the medium to do so.  If you are a EU citizen write to your representative and demand that this proposed regulation does not go into effect!

Do not take your right to blog lightly.  If you don't stand up for it, it can be taken away from you.

"The world is my country, all mankind are my brethren, and to do good is my religion." - Thomas Paine

One of the nice things about having started the SBN was that I have gotten to meet (mostly virtually) many security bloggers from around the world.  Some of the most prolific contributors to the content of the SBN has been the members of the Belgian Security Bloggers Network.  I received word today from one of the authors of one of the blogs, belsec, that they are under assault by the EU government.  It seems in their wisdom, the European Parliament has decided that in the interests of "media pluralism", all blog owners should declare their ownership, affiliations and status of weblog authors.

The explanatory notes of the proposed regulation says this:

In this context the report points out that the undetermined and unindicated status of authors
and publishers of weblogs causes uncertainties regarding impartiality, reliability, source
protection, applicability of ethical codes and the assignment of liability in the event of
lawsuits.
It recommends clarification of the legal status of different categories of weblog authors and
publishers as well as disclosure of interests and voluntary labelling of weblogs.

As the belsec author points out, disclosure of their identities would effectively silence their voices.  There is no first amendment freedom of speech or freedom of press constitutional right in Europe. Of course if forced to do so, the Belgian authors could take up blogs based here in the US and escape the disclosure laws of the EU, but why should they have too.  The EU is a democratic, progressive entity.  Forcing these bloggers to make their "status and identity" public should not be mandatory here. 

If you feel that this is a restriction on bloggers rights, blog about it. It is our right and to do so and we should use the medium to do so.  If you are a EU citizen write to your representative and demand that this proposed regulation does not go into effect!

Do not take your right to blog lightly.  If you don't stand up for it, it can be taken away from you.

"The world is my country, all mankind are my brethren, and to do good is my religion." - Thomas Paine

From the Canadian Press:

Prime Minister Stephen Harper and his cabinet have exempted contracts with Parliament and Canada’s spy agency from oversight by a new ombudsman’s post that was central to the 2006 Conservative election campaign.

The government slipped the exemptions through last week in regulations that empower the contract procurement ombudsman under the Accountability Act - flagship legislation the government introduced as its first bill soon after taking office.

Opposition MPs were taken by surprise at the exemptions, saying they were unaware the Senate, the House of Commons and the Canadian Security Intelligence Service would be excluded from the ombudsman’s statutory duty to review contracts for “fairness, openness and transparency.”

The exemptions also mean anyone who has a complaint about contracts to supply goods or services to Parliament - including contracts with offices of MPs, senators or CSIS, will be unable to have them reviewed by the ombudsman.

Hey, now that seems reasonable. (insert heavy sarcasm)

Article Link

It was hyped as the first cyberwar: Russia attacking Estonia in cyberspace. But nearly a year later, evidence that the Russian government was involved in the denial-of-service attacks still hasn't emerged. Though Russian hackers were indisputably the major instigators of the attack, the only individuals positively identified have been young ethnic Russians living inside Estonia, who were pissed off over the statue incident.

You know you've got a problem when you can't tell a hostile attack by another nation from bored kids with an axe to grind.

Separating cyberwar, cyberterrorism and cybercrime isn't easy; these days you need a scorecard to tell the difference. It's not just that it’s hard to trace people in cyberspace, it's that military and civilian attacks -- and defenses -- look the same.

The traditional term for technology the military shares with civilians is "dual use." Unlike hand grenades and tanks and missile targeting systems, dual-use technologies have both military and civilian applications. Dual-use technologies used to be exceptions; even things you'd expect to be dual use, like radar systems and toilets, were designed differently for the military. But today, almost all information technology is dual use. We both use the same operating systems, the same networking protocols, the same applications, and even the same security software.

And attack technologies are the same. The recent spurt of targeted hacks against U.S. military networks, commonly attributed to China, exploit the same vulnerabilities and use the same techniques as criminal attacks against corporate networks. Internet worms make the jump to physically-separate classified military networks in less than 24 hours, even if those networks are physically separate. The Navy Cyber Defense Operations Command uses the same tools against the same threats as any large corporation.

Because attackers and defenders use the same IT technology, there is a fundamental tension between cyberattack and cyberdefense. The National Security Agency has referred to this as the "equities issue," and it can be summarized as follows: When a military discovers a vulnerability in a dual-use technology, they can do one of two things. They can alert the manufacturer and fix the vulnerability, thereby protecting both the good guys and the bad guys. Or they can keep quiet about the vulnerability and not tell anyone, thereby leaving the good guys insecure but also leaving the bad guys insecure.

The equities issue has long been hotly debated inside the NSA. Basically, the NSA has two roles: eavesdrop on their stuff, and protect our stuff. When both sides use the same stuff, the agency has to decide whether to exploit vulnerabilities to eavesdrop on their stuff or close the same vulnerabilities to protect our stuff.

In the 1980s and before, the tendency of the NSA was to keep vulnerabilities to themselves. In the 1990s, the tide shifted, and the NSA was starting to open up and help us all improve our security defense. But after the attacks of 9/11, the NSA shifted back to the attack: vulnerabilities were to be hoarded in secret. Slowly, things in the U.S. are shifting back again.

So now we're seeing the NSA help secure Windows Vista and releasing their own version of Linux. The DHS, meanwhile, is funding a project to secure popular open source software packages, and across the Atlantic the UK’s GCHQ is finding bugs in PGPDisk and reporting them back to the company. (NSA is rumored to be doing the same thing with BitLocker.)

I'm in favor of this trend, because my security improves for free. Whenever the NSA finds a security problem and gets the vendor to fix it, our security gets better. It's a side-benefit of dual-use technologies.

But I want governments to do more. I want them to use their buying power to improve my security. I want them to offer countrywide contracts for software, both security and non-security, that have explicit security requirements. If these contracts are big enough, companies will work to modify their products to meet those requirements. And again, we all benefit from the security improvements.

The only example of this model I know about is a U.S. government-wide procurement competition for full-disk encryption, but this can certainly be done with firewalls, intrusion detection systems, databases, networking hardware, even operating systems.

When it comes to IT technologies, the equities issue should be a no-brainer. The good uses of our common hardware, software, operating systems, network protocols, and everything else vastly outweigh the bad uses. It's time that the government used its immense knowledge and experience, as well as its buying power, to improve cybersecurity for all of us.

This essay originally appeared on Wired.com.