There is no great Firewall of China….

The headline reads: “Donald Trump Is Right About One Thing…Ish” and while the Huff Po isn’t exactly a great objective news source, this one deserves a read because it illustrates why it is difficult to simplify complex problems.

So the idea of a “cyberwall” sounds good; after all, everyone has heard of a “firewall” and knows they are used to protect networks or individual computers. For those who might be confused by the title of this blogpost: there is no single “great firewall” of China in the sense of any one system. The repression of freedom of speech online is a whole bunch of techniques, tactics, technology, and procedures that together provide “defense in depth” to the Chinese government.

The problem isn’t that firewalls don’t work; the problem is that a “cyberwall” of defense to stop bad people getting in is an impossible task. Utterly impossible. The very nature of the technology that underpins the internet ensures that attackers can generally route around a network barrier if the network has multiple access points (which the internet does).

When I wrote about RADAR and information theory I really tried to dumb it down, because I didn’t want to talk about how RADARs work (a very broad subject that quickly gets into some very fun math) but about how the applicable theory behind information warfare determines what you need to do to nullify the advantage of stealth. In short, even if any given technique has a counter, you can’t do them all at once, so you have to accept some vulnerability to conduct operations.

Here I don’t want to talk about IP routing either, except at the very basic level of “it makes getting information from one place to another possible even if you break communication links.” And this is why a “cyberwall” won’t work. You need to communicate, and just like locking yourself behind a big fortress wall stops you from communicating with people on the other side, so would a big “cyberwall.” And since the point of the internet is communication, it doesn’t make sense to segregate the networks that way.
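To make the routing point concrete, here is a small added illustration (not code from the original post). It models two constructed toy topologies as undirected graphs: a “fortress” with exactly one perimeter link, and an “internet-like” one where a workstation inside the wall also has a second uplink (a tethered phone, a wireless adapter, a modem). A breadth-first search checks whether the outside can still reach the file server once the wall link is blocked, and a brute-force pass lists which single links are genuine choke points. All host and link names are invented for the example.

```python
"""Why a single network 'wall' only protects a single choke point.

Added illustration, not code from the original post. The two topologies
below are constructed toy examples, not any real network.
"""
from collections import deque

# An undirected link is represented as a frozenset of its two endpoints,
# so ("a", "b") and ("b", "a") are the same link.
Edge = frozenset


def build_graph(edges):
    """Undirected adjacency map built from a list of (a, b) links."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def reachable(graph, source, target, blocked=()):
    """Breadth-first search: can source reach target without crossing
    any link listed in 'blocked'?"""
    blocked = {Edge(e) for e in blocked}
    seen = {source}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in graph.get(node, ()):
            if Edge((node, nxt)) in blocked or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return False


def choke_points(graph, source, target):
    """Links whose removal alone cuts source off from target.
    Brute force (remove one link, re-run the search); fine for toy graphs."""
    links = {Edge((a, b)) for a, nbrs in graph.items() for b in nbrs}
    return sorted(tuple(sorted(e)) for e in links
                  if not reachable(graph, source, target, blocked=[e]))


# Constructed sample topology 1: one perimeter link, classic fortress.
FORTRESS = build_graph([
    ("outside", "perimeter_fw"),
    ("perimeter_fw", "lan_switch"),
    ("lan_switch", "workstation"),
    ("lan_switch", "file_server"),
])

# Constructed sample topology 2: same LAN, but the workstation also has a
# second path to the outside (hypothetical "isp_b" uplink).
INTERNET_LIKE = build_graph([
    ("outside", "perimeter_fw"),
    ("perimeter_fw", "lan_switch"),
    ("lan_switch", "workstation"),
    ("lan_switch", "file_server"),
    ("outside", "isp_b"),
    ("isp_b", "workstation"),
])

if __name__ == "__main__":
    wall = [("outside", "perimeter_fw")]  # the "cyberwall": close the perimeter link
    print("fortress, wall closed, outside reaches file_server:",
          reachable(FORTRESS, "outside", "file_server", wall))
    print("internet-like, wall closed, outside reaches file_server:",
          reachable(INTERNET_LIKE, "outside", "file_server", wall))
    print("fortress choke points:", choke_points(FORTRESS, "outside", "file_server"))
    print("internet-like choke points:", choke_points(INTERNET_LIKE, "outside", "file_server"))
```

In the fortress, closing the perimeter link is enough. In the internet-like graph the same wall changes nothing, and the only single link whose removal still protects the file server is the server’s own link to the switch; in other words, the protection that survives multiple access points is the one applied at the node itself, which is the post’s “harden every node” point.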

The other point is that the very idea behind a fortress is that you want to protect something of high value. The biggest threat in the cyber realm isn’t external, though; the “Enemy Horde” is a minor concern compared to the disgruntled employee or the CEO with lax security practices. Most of the high profile hacks in the last few years have involved some form of social engineering to get people to compromise their own security, and a “cyberwall” does not stop that attack vector.

Another reason why a “cyberwall” is a bad (and dangerous) idea is that it creates a false sense of security, the sense that “someone else” is taking charge of cyber security. That is not the case. When you have a medium as open as the internet, you really need to harden every node to the best of your ability. Unpatched servers, routers, personal computers, smart phones, and devices in the “internet of things” are not the responsibility of government (there is no government agency that will come down and fine a private corporation or individual for running an unpatched *nix server). And if you own an iPhone or Android device, YOU own a *nix server.

So if you want to defend cyberspace, the only real way to do it is to harden nodes, ALL of them. There is no “soft, high value asset” that can be protected by a cyberwall, since the entire set of systems connected to the internet is open to careless users who click on the links in spear-phishing emails.

Instead of creating a “digital cyberwall” to “protect America” we need to encourage and teach security best practices. However, the Government is probably not the right agency to do this. Right now the FBI case against Apple has essentially taken the tone of, “well, if you won’t create custom cracking software for us, we’ll just have the courts force you to turn over all your source code!” in order to force Apple to choose between losing its intellectual property or making its intellectual property poisonous on the free market. The FBI can do this because Apple has a vested interest in maintaining a closed source operating system for security reasons (as well as to stop cheap Chinese knockoffs of iDevices). Honestly, if the FBI does succeed in getting a court order to force Apple to turn over the source code, the very best thing Apple could do is make the source code open source. This would comply with the court order, but also make the court order irrelevant as the hackers and security professionals of the world went to town, pointed out other security errors, made modifications, and essentially made iOS as mutable as Android.

I don’t think it will come to that, though; the FBI is simply trying to use the courts to get a backdoor into Apple’s phones because it has a court case where it thinks it can get enough public support to succeed. When the public finds out that the iPhone in question was owned by the employer of the shooter, not the shooter, and that the FBI screwed up by ordering the employer to reset the iCloud account…. Just saying that forcing Apple to create custom software because the FBI screwed up doesn’t seem like a good reason at all, especially when the government was the shooter’s employer AND should have had policies in place to ensure proper use of that phone for work purposes.

So, the government in the form of the FBI does not have a vested interest in your security. The NSA most certainly does not have a vested interest in your security. So trusting that same government to defend you with a “cyberwall” is ludicrous from multiple fronts. The government can’t be bothered to encrypt background investigation material at the Office of Personnel Management, so why in the world would they bother to actually PROTECT your information?

Practice good cyber security. Patch your systems. Stay up to date as best you can. Don’t piss off hackers.

Comments are open.


2 Responses to There is no great Firewall of China….

  1. roger says:

    > if the network has multiple access points (which the internet does)
    but your home machine probably doesn’t.


    • rthtgnbs says:

      That is a good point, but I’d like to add that if you bought a computer in the last five years or so, it will probably come with multiple access points, network interface card, wireless network adapter, modem, bluetooth, and some still have IR data links. And if you are using an operating system that is even remotely recent it has the capability to be a member of multiple networks at the same time….

      Obviously not all of the interfaces will be enabled, but I think it is a mistake to assume that “one connection” means you only have to secure one connection. Device hardening is only as good as the weakest link in your digital “circle of trust” so to speak.

      After all, when was the last time you checked the firmware date on your router? access point? printer? smart TV? The threat surface is larger than just an internet connection.

