2012-05-29

Cyber-security "Scare"

A recent post via Information Age suggests that a chip made in China and used in US Military systems has a backdoor that could allow a problematic source of cyber attacks on systems using these devices.  A subsequent posting from Errata Security suggests this is a bogus story and there is not a deliberate Chinese effort to modify the chips to gain access to US Military systems.
However, the same Errata Security posting acknowledges that the backdoor exists and that the chip is used in some military systems -- particularly those that use COTS (commercial off the shelf) technology, and even that the chips are made in China.
It seems to me that the back-door exists, and is available for abuse for those who know how ... it isn't clear to me that field programmable gate array devices (FPGAs), where this apparently exists, are the type of device that script-kiddies are likely to target. But, there are more sophisticated bad guys out there -- the June 2010 Stuxnet virus is a proof of this, and the potential for attacking military targets.
The only thing "bogus" about this report as far as I can tell is that it suggested that the Chinese deliberately re-engineered the design to incorporate the back-door ... that would be a painful thing to do without the CAD files needed to edit the design. But it is either optimistic, or overly nationalistic to assume that China or any other high technology country might not have the capability to utilize such a "feature" or to modify designs to incorporate such features.
This is quite parallel to the 1988 Morris Worm situation where back-door aspects of tools in UNIX, some of which were 'debug' features, were used to penetrate and then propagate one of the first computer worms. That these aspects of the systems were not created for malicious use, did not prevent their abuse. Fortunately in that case the intent of the abuse was not malicious, the Internet was new and UNIX a fairly rare beast. Today's world is different, and we might be wise to be a bit scared of cyber abuse and attack vectors.
Two key messages for computing professionals are to be found in this tale:

  1. Don't leave in back-doors and debug paths - the "enable" for these needs to be carefully considered, and disclosed to buyers/users so they can lock down these paths.
  2. If you happen to be using electronic devices -- be aware that there are attack paths you may not have anticipated and are beyond the scope of your "firewall" security.

If this feels uncomfortable, it should. Cyber-security is both non-trivial, and has high potential for abuse and damage. The motives of the potential bad-actors are varied, from financial gain to military or quasi-military objectives. It is not clear to me that we are really well informed, much less sufficiently protected.

2012-05-17

Got Klout?

Ok, I figured I had to find out what Klout is about. Could I match Justin Bieber? He has a 100 rating on Klout, rumor has it that he can get free upgrades, restaurant meals, etc. -- the bottom line is that he had klout before Klout existed -- so to speak.
Klout evaluates your online presence in the areas where Klout evaluates your online presence -- such as Facebook, LinkedIn (although I'm not as sure of this), Twitter, Google+, -- yea verily, even Blogger. It looks for followers and friends, but even more for re-tweets, references, etc.  When other folks point to your stuff and tell others about it, it increases your Klout.  All of which makes real sense.
Once upon a time there was Google, and they made money by associating the things sought (search) with things that could be bought (ads).
Then there was Facebook -- where friends count. Or more specifically, when you "like" something, your friends find out -- sort of an online "word-of-mouth" recommender system. Logic: folks will take more interest in the things their friends find interesting. [Result -- massive IPO valuation expected.]
Klout is a logical extension of this -- evaluating how influential your web presence is, and assigning it a number. I understand that 50 is the magic target (for those under 50) -- and if your Klout is low you may not get that job, or upgrade -- well let's face it, why treat someone well if their Klout is zero?
So there is a new game to play ... for Klout score ... room for mutual backscratching (I'll K+ you if you K+ me, or I'll cite your blog, etc. etc.) -- and it could make sense, if Klout has any Klout.
For example, members of IEEE (or AMA, or the Sierra Club) could create Klout Klubs, endorsing, recommending, and otherwise promoting each other on Klout. From this both the individuals' Klout would rise, and there is the potential to establish visibility for the overall Klout of the organization.
There is the other side of this ... I find that Vint Cerf has no Klout -- this doesn't make sense in my book. At least Tim Berners-Lee has Klout ... although it seems to have been declining according to their graphing. These are two folks I'd listen to any time they choose to speak.

What Klout misses is the dialog that occurs outside of the "big 10" social media sites.  Besides the Reddit, Wired and Technorati sites; there are the thousands of sites where folks interact outside of the public eye.  Somehow I think the folks that really have Klout tend to interact there, not on "main street".  But, for a certain class of influence (think People Magazine, not Nature) I suspect Klout has -- well, some impact.

2012-05-03

Test "Drive"

I've started to play with Google Drive, which promises to be rather interesting. I tweeted this yesterday and got a response about checking the Service Agreement. This is always wise for any product, and I've periodically checked Google's and found it to always acknowledge the user's ongoing copyright ownership. But then there is also a problem, which Google has tried to address, but starts to become problematic when we look at Google Docs, Drive and other "cloud storage" areas.
Google has to make and hold certain copies of content to provide the service. Clearly if I create or upload a document, it must have at least one copy on a Google server and probably backup copies as well. If I put a video up on YouTube, I must grant Google the performance rights to present that to the public since that is the intended use. And this blog entry is another example, Google must be able to display it publicly --- and in reality that means a copy gets transferred to every viewer's browser (and may reside there in a cache or temp file for some period even if they do not choose to "save" the web page) -- which of course is an apparent copyright violation as well.
But, Google Docs and Drive have a different objective (in my mind) and should have different rules.  I want to have a spot where I can have content stored in the cloud, accessible by more than one of my computers, and in some cases shared with family or associates, etc.  It is not my intent to allow this content to become available on the public web, etc. In fact, some content I have with financial and/or other personal information is content I'd like to store on the cloud, share between my computers but not have visible for any other users.
So here is an excerpt from the March 1, 2012 version of Google's Service Agreement:
Some of our Services allow you to submit content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours. When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps). Some Services may offer you ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services. Make sure you have the necessary rights to grant us this license for any content that you submit to our Services.
And herein some problems lie.  The right granted to Google to create derivative works is un-bounded (I'm an author, I might want to store my short stories or novel in the cloud); the public display and distribution of content is antithetical to my desire to have content I consider private stored in the cloud.  
There are additional terms of service for Apps:
By submitting, posting or displaying Content on or through Google services which are intended to be available to the members of the public, you grant Google a worldwide, non-exclusive, royalty-free license to reproduce, adapt, modify, publish and distribute such Content on Google services for the purpose of displaying, distributing and promoting Google services. Google reserves the right to syndicate Content submitted, posted or displayed by you on or through Google services and use that Content in connection with any service offered by Google.
This at least acknowledges the issue of "which are intended to be available to members of the public".  There is also additional wording about confidential materials, but it is unclear how I might flag content as confidential, and without such indication, how I could hold Google responsible for treating it the same way they might treat other materials.
I'm not alone in my concerns here, other articles have been posted related to concerns with the terms of service. Security Watch, ZDNet which has it wrong -- Google is not assuming ownership, just too many non-exclusive rights. New Legal Review provides some feedback from Google on these matters -- pointing to one underlying issue which is the use of commonly applied legal phrasing that is out of date with respect to the kinds of services being offered.
Some folks are paranoid about Google being forced to share content with US Government agencies (or other legal jurisdictions depending on where the data/user reside) ... which is simply a fact of life. Government entities have some rights (ideally with due process, but not always) that they can exercise to obtain your files. A recent Wired Magazine alluded to an NSA facility being built in Utah, which they say will have a copy of everything on the web, all emails, all phone calls, etc - worldwide. That appears to be a bit beyond NSA's remit at this point, but some subset of this is likely to be true. There is a revenue opportunity for the US Government in this --- NSA could provide a cloud data storage service, it would avoid redundancy. Moreover, I suspect they have better security than Google, and their terms of service are likely to be less ambiguous.