Thursday, January 21, 2010

Commercial Cyber Warfare

Today Sec. of State Clinton went after China for their network censorship:

http://www.cbsnews.com/stories/2010/01/21/ap/tech/main6123918.shtml

However, as I see it, the issue of real significance here isn't China's censorship. The news reports of "attacks" on Google and other "unnamed" companies describe the action of real significance. I'm not referring to illegal access to mail accounts. I'm referring to the explicit theft of intellectual property in the form of source code:

http://www.wired.com/threatlevel/2010/01/google-hack-attack/

In China, the coupling between government and leading companies in different industries is extremely strong. It can be hard to distinguish where a company stops and the government begins when it comes to such industry players as Baidu, HuaWei, and China Telecom.

It is reasonable to suspect and to investigate the potential that aggressive theft of source code from US companies is an activity that is being actively supported, and potentially even led, by the Chinese government. It appears that at the very least, the Chinese government tolerates such operations and private industry reuse of this stolen software.

In an age when information and intellectual property are the coin of the realm, does government-sanctioned intellectual property theft constitute not just a crime, but verge on an act of war?

These kinds of acts should be investigated deeply by the government. Regardless of ultimate responsibility, we need a strong, overt response from the US government. The message must be clear and backed by strong actions that this kind of attack will not be tolerated and will be prosecuted.

A specific US response needs to include a product watch program to monitor for the use of stolen software, followed by vigorous prosecution of such illegal usage of stolen technology through available legal, diplomatic and trade channels. Reused source code will have significant bodies of unique identifiable binary code in the products utilizing the technology. This is an area where private industry has far too little power to fight back effectively, though it could play a key role in the monitoring program.
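The product watch program described above rests on one technical claim: reused source code leaves identifiable byte sequences in the products built from it. As an added example (not code from the original post or from Arxan), the script below fingerprints a reference routine with winnowed byte n-gram hashes and measures what fraction of those fingerprints turn up inside a shipped product binary. The n-gram and winnowing sizes, the containment threshold, and all three "binaries" are constructed sample values, not measurements from any real product.

```python
"""Added example: fingerprinting a binary for reused code segments.

Winnowed byte n-gram fingerprints (the technique used by source-plagiarism
tools, applied here to raw bytes) let a monitoring program ask: how much of
our reference routine's byte content appears inside a shipped product?
"""
import hashlib
import random
from typing import Dict, List, Set

NGRAM = 8    # bytes per n-gram; assumption: a few instructions' worth
WINNOW = 4   # keep the smallest hash of every WINNOW consecutive n-gram hashes


def ngram_hashes(data: bytes, n: int = NGRAM) -> List[int]:
    """64-bit hash of every overlapping n-byte window of the input."""
    return [
        int.from_bytes(hashlib.blake2b(data[i:i + n], digest_size=8).digest(), "big")
        for i in range(len(data) - n + 1)
    ]


def winnow(hashes: List[int], w: int = WINNOW) -> Set[int]:
    """Winnowing: from each run of w hashes keep the minimum, so an embedded
    segment selects the same fingerprints regardless of its offset."""
    if len(hashes) <= w:
        return set(hashes)
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


def fingerprint(data: bytes) -> Set[int]:
    return winnow(ngram_hashes(data))


def containment(reference: Set[int], product: Set[int]) -> float:
    """Share of the reference fingerprints found in the product. Unlike a
    Jaccard score this stays high when the product is far larger than the
    routine that was taken."""
    if not reference:
        return 0.0
    return len(reference & product) / len(reference)


def _bytes(seed: int, n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for compiled code."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample data, not real binaries.
REFERENCE_ROUTINE = _bytes(1, 512)                                      # our proprietary routine
SUSPECT_PRODUCT = _bytes(2, 4000) + REFERENCE_ROUTINE + _bytes(3, 4000)  # embeds it verbatim
CLEAN_PRODUCT = _bytes(4, 8512)                                         # unrelated code, same size


def scan(reference: bytes, products: Dict[str, bytes]) -> Dict[str, float]:
    """Containment score of the reference routine in each product."""
    ref_fp = fingerprint(reference)
    return {name: containment(ref_fp, fingerprint(blob)) for name, blob in products.items()}


def flagged(scores: Dict[str, float], threshold: float = 0.5) -> List[str]:
    """Products whose score crosses the (assumed) threshold for legal review."""
    return sorted(name for name, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    scores = scan(REFERENCE_ROUTINE, {"suspect": SUSPECT_PRODUCT, "clean": CLEAN_PRODUCT})
    for name, s in scores.items():
        print(f"{name}: {s:.1%} of reference fingerprints present")
    print("flag for review:", flagged(scores))
```

Because winnowing keeps the minimum of every run of consecutive hashes, a routine embedded at any offset selects the same fingerprints it does on its own, so the suspect product scores at or near 100% while unrelated code scores near zero. The caveat a practitioner would add: stolen source is normally recompiled with a different toolchain, so raw bytes shift; a real program normalizes first (strip addresses and immediates, hash opcode sequences or function-level features) before applying the same containment measure.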

I acknowledge the private industry accountability for failing to prevent such theft. We in the software industry can and must make deeper investments in our security systems around our core property of value, our source code. DLP technologies, encryption technologies, strong multi-factor authentication for source access, and other solutions are available.

China's censorship is an important issue. That some group from China is actively stealing US company technology out from under our nose is an extremely important issue as well, and needs equal attention and even more governmental action.

At Arxan, we provide technologies to help protect software intellectual property through protection of the binary code with what we call "guards". We provide this technology in both military/classified forms to the DoD and DoD contractors, and in commercial form to commercial customers. However, to protect the source code of software from theft through systemic security holes, different measures are needed. Stronger source code security measures need to be deployed by private industry. The US government must speak out and lead in efforts to identify and prosecute those responsible and those who attempt to take advantage of such theft.

Monday, January 11, 2010

Secure Software Marketplaces

The news today of a trojan'd application for Android phones (http://www.sophos.com/blogs/gc/g/2010/01/11/banking-malware-android-marketplace) is a fascinating and potentially extremely significant, if not altogether expected, development in the smart phone wars.

Simply put, if the consumer marketplace develops a grounded fear of the software available for Android phones, the predictions about Android phone growth may turn out to be vastly inflated.

Whether we like it or not (and some don't, preferring a phone-browser-centric world), ubiquitous phone apps are the "killer app" for smart phones, at least for the moment. This single spot of bad news for Android can quickly become a huge differentiator for Apple with its controlled iTunes store for safe apps for the iPhone. Similarly, it points to an interesting opportunity in the business ecology: who is going to offer a vetted app store for Android phones, with appropriate software security reviews on the inbound side and guarantees on the outbound side? Without such a market service, I'm suspicious that hackers will quickly ruin the unregulated marketplace for Android apps.
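What "reviews on the inbound side and guarantees on the outbound side" could mean in code, as an added example that is not part of the original post and not any real marketplace's implementation: an inbound review that checks the submitted manifest against the uploaded package and flags permission combinations that warrant a human look, and an outbound listing that the store vouches for so a phone can refuse a package that differs from what was reviewed. The permission list, the manifest fields and both sample apps are constructed assumptions. The store's vouching uses an HMAC as a stand-in for a public-key signature, because the standard library carries no signature scheme; a real store would sign with a private key and ship only the verification key to phones.

```python
"""Added example: inbound review and outbound guarantee for a vetted app store."""
import hashlib
import hmac
import json
from typing import Dict, List

# Permission pairs that earn a manual review before listing. Assumption: a
# starting list a reviewer would grow over time, not a complete policy.
RISKY_COMBOS = [
    ({"RECEIVE_SMS", "INTERNET"}, "could forward one-time banking codes off the phone"),
    ({"READ_CONTACTS", "INTERNET"}, "could harvest the address book"),
]
REQUIRED = ("package", "version", "publisher", "permissions", "sha256")


def review_submission(manifest: Dict, package: bytes) -> List[str]:
    """Inbound side: findings a reviewer must clear before the app is listed."""
    findings = []
    for field in REQUIRED:
        if field not in manifest:
            findings.append(f"missing field: {field}")
    # The manifest must describe the exact bytes that were uploaded.
    if hashlib.sha256(package).hexdigest() != manifest.get("sha256"):
        findings.append("declared sha256 does not match uploaded package")
    perms = set(manifest.get("permissions", []))
    for combo, why in RISKY_COMBOS:
        if combo <= perms:
            findings.append(f"manual review: {'+'.join(sorted(combo))} {why}")
    return findings


def publish_listing(manifest: Dict, store_key: bytes) -> Dict[str, str]:
    """Outbound side: the store vouches for the reviewed manifest and package digest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(store_key, body.encode(), hashlib.sha256).hexdigest()
    return {"listing": body, "tag": tag}


def verify_install(listing: Dict[str, str], store_key: bytes, package: bytes) -> bool:
    """On the phone: accept only a listing the store vouched for, and only the
    package bytes that listing names."""
    expected = hmac.new(store_key, listing["listing"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, listing["tag"]):
        return False
    manifest = json.loads(listing["listing"])
    return hmac.compare_digest(hashlib.sha256(package).hexdigest(), manifest["sha256"])


# Constructed sample data, not real apps or keys.
STORE_KEY = b"constructed-store-key"
GOOD_APP = b"constructed bytes of a benign notes app"
GOOD_MANIFEST = {
    "package": "com.example.notes", "version": "1.0", "publisher": "Example Co",
    "permissions": ["INTERNET"], "sha256": hashlib.sha256(GOOD_APP).hexdigest(),
}
BAD_APP = b"constructed bytes of an app posing as a bank client"
BAD_MANIFEST = {
    "package": "com.example.fakebank", "version": "0.1", "publisher": "Unknown",
    "permissions": ["INTERNET", "RECEIVE_SMS"], "sha256": hashlib.sha256(BAD_APP).hexdigest(),
}


if __name__ == "__main__":
    print("benign app findings:", review_submission(GOOD_MANIFEST, GOOD_APP))
    print("suspect app findings:", review_submission(BAD_MANIFEST, BAD_APP))
    listing = publish_listing(GOOD_MANIFEST, STORE_KEY)
    print("install of reviewed bytes:", verify_install(listing, STORE_KEY, GOOD_APP))
    print("install of altered bytes:", verify_install(listing, STORE_KEY, GOOD_APP + b"\x00"))
```

The two halves work together: the review binds its findings to a specific package digest, and the listing carries that digest, so a package swapped after review fails on the phone even though the listing itself is genuine.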

Secure 'droid app store anyone? Anyone?