Add this handy new tactic to your Big Bag of Security Tricks: pulling the plug so the network or Website goes dark. No access, no vulnerabilities, no problems.
Right.
If you're sitting there thinking this approach has all the subtle complexity of, say, duct tape, you'd be mostly right. But in their own unique ways this week, Mozilla and an Iranian cellphone network provider each cut the power; one case was proactive, the other reactive.
In the cat-and-mouse game that now passes for political discourse in Iran, authorities have discovered just how tough it is to really lock things down -- especially technology. Thanks to proxy servers, IP spoofing, and assorted other workarounds, Iranians are still disseminating images, videos, and tweets.
So as the re-appointment of Mahmoud Ahmadinejad becomes a fait accompli, the government warned it won't tolerate any criticism of dissenter trials. The mass trials reportedly were prompting fresh protest among a roiled electorate.
And maybe the government learned a few things about information control in the wake of the Iranian Twitter-storm last month. "One of the country's main cellphone operators Irancell, co-owned by South Africa's MTN, warned customers Sunday it would be suffering unspecified 'technical' problems over the next three days, which coincide with the anticipated unrest," according to the Los Angeles Times.
We can all agree this is an impotent response at best. You don't need a live cell network to take pictures or film or blog. It removes one prevalent access option, and at most, is a minor inconvenience to anyone intent on getting the word out. But scheduling technical problems into the network is so transparent in its timing that it's equal parts laughable and sad.
Mozilla found itself in a more reactive security situation this week, after discovering that a third party it had hired to run its online store had experienced some sort of unspecified (but apparently major) security breach.
"Mozilla discovered that GatewayCDI, the third party vendor entrusted to run the backend of the Mozilla Store, suffered a security breach," the software vendor said on its company blog yesterday. "Once notified, we took the immediate preventative step of shutting down the Mozilla Store to ensure that no additional users could be compromised."
Users clicking on the site get this message: "The Mozilla Store has been closed for maintenance."
The company said it also temporarily closed its International Mozilla Store as a precautionary measure; that site is run by another third party. A third site, the Mozilla Community Store, is operated on a separate system and was not affected by the breach, the company said.
We often hear data and Internet access characterized as the "Keys to the Kingdom." What if the real key was the person or board of directors or clerical council who orders a site switched off?
Information may indeed want to be free, but first it has to get out of jail. Sometimes there's a good reason for it to be there (like the need to assess the extent of a breach, in Mozilla's case). Human volition, not Web servers or HTML pages or other content, is the biggest key on the security ring. It's also the one most prone to whimsy.
This blog is part of Internet Evolution's Security Clan, which examines the future of Internet security and the changing nature of risks and vulnerabilities.
I dunno who thinks it's a new tool. I use it regularly and all the time, whenever things get uncomfortable or inconvenient on my company network. Rather than waste time searching for the source of the problem, just pull the whole thing down step by step for 30 minutes and then bring everything back online slowly and thus isolate the problem. I agree that it's not a first-rate solution, but you are an overloaded IT Security Pro who doesn't have a lot of options but rather has to get the job done on time. It works well, very very well.
Preach it! Pulling the plug has long been a fave way of handling those pesky issues until a solution can be implemented. (your choice of plugs depending upon the problem) Everyone seems to want to execute some magical IT trick that will amaze the masses and garner the brass ring, but in the end, did it work, how long did it take and will it last. Gimme that old time decision!
Depending on the severity of the issue, I can imagine someone pulling the plug on a high-availability server and/or any attached UPSes, etc. And again -- depending on the severity of the situation -- if I were in IT, I wouldn't wait til corporate or legal signed off on my action plan. "Sorry, but somehow in our haste to mitigate the internal breach, the electrical power was inadvertently cut off. Whooooops."
I hope this won't inspire some bone-headed legislator to pass even more new compliance regulation requiring the Fortune 500 to keep everything plugged in all the time (though the electrical utilities and UPS suppliers would love it).
You raise a great point, tsaleem, and the short answer is yes; I'd fully expect a government or military to cut the fiber or take out a major Internet server hub (or several) in the event of a Mumbai-like incident. It will be unilateral, last for at least 48 hours, and will completely up-end the status quo in the same manner 9/11 did.
And that may be where the Internet is a little too much like television in terms of passive consumption. No one forces us to visit any Websites (with the possible exception of that really aggressive pop-up spam) no more than anyone forces us to watch the garbage on TV (CW, Fox News, Home Shopping... your guilty video pleasure here). Turn it off, go outside, breathe deeply. Repeat as needed.
LOL... thanks for your response, Leland... we do indeed have a sort of built-in switch at the ballot box, though it feels more like the needle on a meter we collectively push, at least until a Supreme Court or clerical council tells the electorate who the real winner is ;->
The off switch has definitely been used in the past, and is one of the best tools to test High Availability servers. As those HA servers usually work on a power outage, or denial of service type attack.
One of the thoughts that came to mind when thinking of these actions was how does one treat the power off tool? How is it classified in a well-defined InfoSec program? Would you classify this as a denial of service as you completely dropped the entire system, or would it be classified as a 'routine maintenance' issue and never make it to the threat and vulnerability collection?
The other thought, besides multiple shut-offs for HA type servers, is what is the legal classification from state privacy rules for this particular behavior? Will it need your company's general counsel approval to switch off major sites, or do you take the ask-for-forgiveness-later option? Or is the off switch just another open source tool?
High Availability, Fail-over type power switches, UPS systems, etc., will all need to be included in this action, as we have for so many years tried so hard not to allow a system to be powered off without permission in one form or another.
Liked how you made me think of some other areas where you could be faced with just powering off a device, system, etc.
Great read Terry! It is quite humorous to learn about Irancell’s strategy to combat the anticipated spike in traffic; an utter act of desperation.
On a more serious note, do you think this “off switch” strategy is a good move in a situation where technology could be facilitating acts of terror? (Mumbai attacks come to mind). It would be interesting to know the opinions of other readers as well.