
Archive for the ‘News’ Category

Since closing the blog last year I have had periodic requests to restart it.  As it stands I would be open to anyone wishing to write on this blog around the subject of security and virtual worlds.  There aren’t too many other sources out there so keeping the blog going is a good idea.  Therefore, if anyone wishes to get involved please email me at roderick[dot]jones[at]gmail[dot]com.

I recently checked into Second Life for the first time in a long time. Interestingly, the subject of what ‘went wrong’ with Second Life has cropped up quite a bit recently as a kind of essay question. My own view is that Second Life had a moment where it almost did offer the metaverse of imagination. Second Life circa 2006 did seem unbound by terrestrial law and economics. The reports of fortunes being made in a new world were drawing in an enormous amount of interest. However, from April to July 2007 the owners of Second Life, Linden Lab, began to bind the world to United States law by introducing Age Verification and then banning Gambling from the world. This was in an environment when the US was aggressively pursuing UK executives from BetonSports, which was engaged in online gaming (so it is entirely understandable). While seemingly sensible policy decisions at the time, these decisions placed Second Life back in the terrestrial realm. From there the promise and excitement around the world declined.

Offshore Second Life

I find myself wondering how difficult it would have been to offshore Second Life to maintain its ‘freedom’ and how hard that would be to do now. Unbind it from nation-state law and regulation again. Would it be possible to place the company behind a trust arrangement in an offshore center and place the servers behind similar extra-territorial and legal protections? It is an intriguing idea as online environments become increasingly walled-in — creating one community, which can be transnational, is a fascinating idea and would maybe re-boot the idea of a Metaverse. Second Life is currently valued at just north of $200M so it wouldn’t be a cheap experiment but it could work as a side project in Linden Lab.

MetaSecurity Closing

After almost three years of reporting and commenting on security issues relating to virtual worlds, this blog, and to some degree the metasecurity project as a whole, has run its course. When I started examining virtual worlds and considering the security implications of their expansion back in 2005 the paradigm shift was undeniable. My aim through researching, writing and speaking about virtual worlds was to educate on the new vulnerabilities and opportunities presented by the massive migration into virtual spaces. Through active research within Second Life and the creation of online scenarios (such as the SLLA), the presentation of material relating to virtual worlds and of course blogging, I believe that the virtual environment is well on its way to being thoughtfully considered by the National Security Community within the USA and the EU.

Virtual worlds look set to expand and become more relevant as a generation of users become familiar with 3-d immersive worlds.  My own intention is to retain a watching brief over virtual worlds but not devote the necessary time to the genre that I once did.

My writings and research will now be held over at www.roderickbjones.com.

Finally, thanks to Doug Crescenzi and David Grundy for contributing to the blog over the past 3 years.

Tim Stevens, author of ubiwar, has been kind enough to answer some questions for me concerning cyber conflict in our contemporary virtual space.  Mr. Stevens is a PhD candidate at King’s College in London researching institutional responses to cyber threats, particularly in the field of cyber strategy.  His related research interests include the political use of cyberspace, social technologies, violence in virtual worlds, and the nature of the technological accident.  I thought this would be an interesting opportunity to coalesce and discuss our respective areas of study.

Q: Do you have any thoughts on how the fusion of social media, location-based technologies, and real-time information may shape the context of cyber conflict in years to come?

A: I think your recent post addressed this question very well. My general position is that all things are possible, but most things are improbable. When I started Ubiwar, it was to look at how people exploited technological niches in pursuit of political ends, principally through the application of violence. I see that David Kilcullen has just characterised counterinsurgency as “a battle for adaption…against an enemy who is evolving.” This is a position with which I have a great deal of sympathy. As a battle for adaption, it follows for Kilcullen that COIN cannot really be strategic, and scholars of ‘change’ would generally agree with this. I’m also skeptical of the strategic impact of information technologies – what ‘Twitter Revolution’?

What I’m getting to is that tactical and operational use of information technologies is a massively adaptive field and people are experimental animals. Humans are hackers, and hacking is one way of achieving success in any environment. ICTs offer myriad opportunities for exploitation by a range of actors for a wide range of strategic ends. The fusion you ask about is what others would call convergence. Technologies converge spatially and temporally, always have done. The difference now is that the temporal element has been reduced to effectively zero, as you point out, which similarly collapses space, resulting in what you could call a non-locative cyberspace. If you think of ‘cyber’ as command-and-control, then we all have the ability to effect change remotely by contesting the connectivity of non-co-located actors in cyberspace.

It is significant that locative technologies are coming to the fore again. It’s almost like tying cyberspace back ‘down to earth’, although Seymour Goodman wrote years ago that cyberspace ‘always touches ground somewhere’. Hardware hasn’t gone away, nor has the wetware of the human mind. What I suspect you’re referring to is augmented reality and ubiquitous computing. Short answer: it’s all ripe for hacking. My personal take is that guys like you look into the technical possibilities, and that’s all well and good. I’m more interested in what it actually means. What happens to the body in this space, these spaces? The internet has already had a huge impact on what used to be the relatively solid notion of subjectivity. What happens to identity in cyberspace(s)? The context of cyber conflict is ultimately us – how we internalise cyberspace, or project externally into it, is unknown. I have an idea that cyberspace is not really new anyway – it was born when we became conscious, communicative animals. In that sense, cyber conflict has always been with us, and its psychological vectors remain pretty much the same, if twisted and mutated somewhat. The physiological changes are much more murky and hard to decipher. Some good work has been undertaken on ‘presence’, for example, but it’s early days. This is approximately where my research into violence in virtual worlds is situated.

Q: Are there any fundamental aspects of cyber conflict that exist ubiquitously in all cases of cyber conflict? If these fundamental commonalities do exist, what are they and how could they be used to remedy future cyber conflicts?

A: Well, see above. The issue of remediation is interesting though. I think that deterrence in its various forms, for example, is a psychological matrix of cost-benefit analysis, even for actors we don’t normally think of as ‘rational’. Pre-event deterrence-by-denial dissuades an initial attack. Post-event deterrence-by-denial dissuades future attacks by demonstrating the ability to recover. Deterrence-by-punishment dissuades by plausibly threatening to kick your ass if you try anything funny.

But cyber conflicts are not just psychological, any more than other forms of conflict. The physical systems on which cyberspace is ‘parasitic’, in Albert Borgmann’s phrase, are also contested, for example, and are largely what worry SCADA wonks. Martin Libicki’s recent RAND report on cyber deterrence mentions the physical, syntactic and semantic layers of cyberspace, and this is a useful way of thinking about the differing layers of contestability. He swiped this idea from linguistics without reference but I’ll forgive him for that. This is another reason why I’m not so sure cyberspace is new, which speaks to your ‘fundamental aspects’ question. How we engage in cyber conflicts throws up a host of weirdness and counter-intuitive possibilities but not all of it is ‘new’.

Q: You recently posted Neal Stephenson’s response to a fascinating question concerning the protection of hacking tools (in the United States) under the second amendment. How would you respond to that question?

A: Being a cheese-eating surrender-monkey I’m going to be called out whatever I say in response to this. I’m not a priori opposed to the Second Amendment but I do think it’s been hijacked somewhat over the years. US gun-control laws are in dire need of review: what’s the point in having guns to keep the government in check if all you do is shoot fellow Americans with them? In keeping with almost everyone else – including US citizens – I have to claim ignorance as to what it really means. As to whether it extends to ‘hacking tools’ – code – I’m with Stephenson here. My default position when it comes to constitutional issues is generally ‘do nothing’ unless there’s a very good case for doing otherwise; I don’t think that case exists yet. Of course, we don’t even have a written constitution in the UK, so what do I know?

There’s another issue here, one that the military are currently actively exploring, and which the UN are likely to tackle at some point: cyber arms control. My initial response is: how the hell are you going to police that? Code is not amenable to the same forms of physical monitoring and intelligence regimes as kinetic weapons. Code lacks the traditional dimensionality required for control. I should think the implications of that are obvious.

Q: When discussing cyber conflict, you appear to become frustrated when the argument centers around hyperbole. This is absolutely understandable. What advice would you give to those of us (including myself) on the front lines that sometimes unconsciously fall into this trap?

A: Well, it’s pretty simple, actually. Be conscious of who you are. If you lose sight of the bigger picture, then you have little hope of formulating realistic solutions to realistic problems. Planning involves considering worst-case scenarios and formulating strategies for dealing with them. We’ve had six decades of doing exactly that with nuclear weapons, for example. The problem with doing that is if everything is predicated on the worst-case scenario – including public discourse – the solutions we come up with are just as likely to be the worst ones. It boils down to understanding the effects that one’s own actions have, and taking responsibility for them. Perspective’s a handy tool and it doesn’t just mean looking outwards; it means examining yourself too. Being critical. If cyberspace is as important as everyone says it is, it would be wise for all those involved to think about exactly what it is they’re pushing for, and ask if their actions in any way further the interests of the global commons. If it doesn’t, then your standpoint may need to be tweaked a bit. And, for the record, I don’t think that national interest necessarily trumps all.

Q: In a society prone to finger pointing, what is the appropriate response to the nature of technological accidents?

A: I have two answers, one practical, the other philosophical. The practical answer would be to find out what went wrong. Sounds simple, right? Not always so. You’re right about finger-pointing; everyone’s so gee-ed up with their own importance, and too weak to resist the bleating of single-interest groups, that people tend to get fired before anyone even knows what the problem is. By all means hold people to account but count to five before you sack someone just because you need a scapegoat. Some of the problems of technology are ‘wicked’ ones, and require significant unpacking before action is taken. One of the problems with ‘cyber’ is that so many people are shouting that cyber defence is moving way too slowly to keep up with the environment that the fingers are pointing even before anything’s happened. There are too many people who in one breath are repeating the mantra, ‘we.must.all.work.together’, whilst tearing strips off anyone who isn’t half-as-damn-smart as they are. That’s a really good basis for co-operation. Sometimes, of course, shit just happens. Learn from it. Move on.

The philosophical argument is slightly different, and there is no right response. There are two people to bear in mind here. One is the ‘anarcho-Christian’ theorist Paul Virilio, the other Ted Kaczynski, the Unabomber. In different ways, they would both maintain that technology contains within itself the seeds of its own destruction. The technological accident is therefore something inevitable. I always paraphrase this as, ‘you invent the car, you get the car crash; invent TV, and you get Fox’. Trite, I know, but you get the point. So, the response to a technological accident in these terms is complex. You can throw your hands up and blame it on the evils of technology in a told-you-so kind of way and go and break up all the spinning Jennies, or you can stop and wonder if technology really is teleological in these terms. Does technology really have an imperative, a drive, a force beyond the control of humankind, or can its trajectory be shaped by humans? Your response really depends on whether you’re a hardcore technodeterminist in the first instance, or a social constructivist in the second. Me, I’m somewhere between the two right now, but vacillate daily. Today’s metric is 60:40 in favour of determinism. Ask me again tomorrow.


NATO to implement virtual world

Wired reports that NATO is going to implement virtual worlds to improve administrative ability especially around training and meetings.


I recently had the fortune to attend a seminar by David Orban on the ‘Internet of Things’ hosted by Singularity University at the NASA Ames Research Park. This subject is of deep interest with regard to the future collection of intelligence, a fact acknowledged by the National Intelligence Council’s Disruptive Civil Technologies Conference (appendix F). The basic idea surrounding the ‘internet of things’ is that all things become nodes in a global network and to some degree act autonomously or, to put it another way, “Our washing machines can ask for soap”. This new or developing network creates a new category of object, known as a Spime [SPace + tIME] – a phrase coined by the science fiction writer Bruce Sterling. A Spime was defined by David Orban as an object with memory, computing capacity, location awareness and sensors. These Spimes already exist, just not yet to scale. The leading driver of spime networks was initially thought to be RFID tags but actually it is smart phones that are providing the most compelling current platform. A great example of one such spime is an application developed for the iPhone by WideTag, called WideNoise. This uses the iPhone to collect decibel readings, posting them to a map to determine where the quieter areas in the world are. Following the presentation we divided into groups to design a Spime.

Citizen as Sensor

The Spime I developed in conjunction with two of the SU students was an Intelligence tool – ‘citizen as sensor’. Taking as a start point the success that the Ushahidi project had in tracking both Kenyan post-election violence and war-time activity in the Gaza Strip, we speculated on what an autonomous app, running on a smart phone and applying a similar theme, might look like. Using the idea of unique sound signatures, our app, in its first iteration, ‘listened’ for sounds to report them back to a central database. Sounds such as gunfire, military vehicle movement or even militia on horseback provide a unique signature, which could then be used to provide a much richer intelligence picture of events on the ground. Over time other sensors could be layered into the app to monitor the environment for chemical or biological agents or to provide rapid analysis of images. As a system we conceived of this as an open environment. As a quid pro quo for participation, the citizen has the option to subscribe to areas of local interest for feedback, planning and awareness.


The technology clearly already exists for this kind of app: identifying unique sound signatures using a smart phone is present in Shazam [which identifies the song playing in a particular locale], and the collection of unique sound signatures is also beginning to extend into a variety of different areas, including mosquitoes. Therefore empowering global citizens to collect a richer level of local intelligence is clearly currently within reach and could be used for their own benefit.

Of course the downside of such a system would be the ability of bad actors to also use and abuse the data. So far studies on the effectiveness of systems like Ushahidi have shown it remains effective even allowing for misinformation attempts. However, this remains a potentially insurmountable concern. A second concern is the actions of national governments, which could shut down cell networks or put pressure on hardware providers to take certain applications down [this last scenario is becoming a constant with Apple’s iPhone]. There are some potential solutions for this: P2P cell phone functionality seems like an obvious one, as well as the broad adoption of open platforms such as Android.

While Spime networks seem futuristic they are already here and present current opportunities to collect a richer intelligence picture than was previously possible. It takes little imagination to conceive of a DHS or even NYPD smart phone application that monitors local conditions based on sound signatures and feeds them back to both government responders and the community of users. The future of intelligence collection may be sitting in the Apple App Store.

Last Saturday (20th June) I hosted a Panel at State of Play VI on Security and Surveillance in virtual worlds.

My thoughts on SoPVI and the panel are published here.

http://sopvisecurityseminar.blogspot.com


From Financial Times:

US makes official complaint to China over internet censorship

By Richard Waters and Joseph Menn in San Francisco, Daniel Dombey in Washington and Kathrin Hille in Beijing

Published: June 22 2009 03:00 | Last updated: June 22 2009 03:00

The US has complained officially to China over its strict new internet censorship rules as tension builds over an issue causing consternation among international technology companies and Chinese internet users.

The development is a rare direct intervention by the US over internet freedom, which has steadily risen in importance as an issue between the two countries in recent years, in part because US technology companies see censorship as a back-door way of keeping them out of the Chinese market.

China has ordered PC makers to load internet filtering software from a Chinese company, Green Dam, on all machines that go on sale in China from July 1. While officially directed at filtering out pornographic material, the order has raised concerns that it could give officials a far more powerful tool for blocking political content.

“We view with concern any attempt to restrict the free flow of information; efforts to filter internet content are incompatible with China’s aspirations to build a modern, information-based economy and society,” said Ian Kelly, a state department spokesman.

The US embassy in Beijing said representatives had met officials at the ministry of industry and information technology and the ministry of commerce on Friday.

According to people familiar with the matter, the US representatives delivered the US objections following a script sent from Washington. The diplomatic move, known as a démarche, is used as a sharp expression of displeasure that often precedes a more involved international dispute.

“We are concerned about Green Dam both in terms of its potential impact on trade and the serious technical issues raised,” said Mr Kelly.

Chinese officials took action against Google late last week, ordering the search company to block access to international sites. Beijing said the action was a punishment for linking to pornographic material, though US internet executives say it was designed to direct public anger against a foreign internet service and distract attention from the Green Dam affair.

PC makers face an additional dilemma over deciding whether to install the software following a claim by Solid Oak, a California software company, that much of the code has been copied directly from its own internet filtering product.


Dot.Sim Boom

Interesting commentary from Dr. Roger Smith – CTO for the US Army.  Link to pdf here.

As web 2.0 appears to be on life-support, both as a terminology and perhaps as a business model (giving everything away for free and hoping one of the big players buys you out), maybe it’s time for a new phrase and a new boom... welcome to the Dot.Sim boom!

By all accounts Second Life is weathering the economic crash quite well – and by some measures is now rated as the second most popular game after WoW. Link to Nielsen graph here. It should also be remembered that it has a couple of decent built-in revenue providers – virtual land, subscription fees and even ‘taxes’ on moving linden $ around.

New post on CT blog:

The Intelligence and Security Committee (ISC) in the UK was established by Parliament as part of the 1994 Intelligence Services Act to examine the work of the intelligence and security agencies in the UK.

The ISC was asked to review information, which emerged following the CREVICE trial in April 2007 that Mohammed Siddique KHAN and Shazad TANWEER (two of the four 7/7 bombers) had come to the attention of MI5 during the CREVICE operation. The question bluntly asked was, “If MI5 had come across Mohammed Siddique KHAN and Shazad TANWEER before, why didn’t they prevent this outrage?”

The full report of the ISC findings can be found here.

At its heart the report re-states the previous answer to the central question posed – lack of resources and legal restrictions prevent the kind of large-scale surveillance required to cover all terrorist leads. Individual readers of the report will have to judge whether that is a satisfactory response.

However, one of the most illustrative parts of the whole document is on page 9 where a diagram is published detailing the number of phone-calls assessed as relating to international terrorism, between unique parties, between January 1 and 1 April 2004 (period of the CREVICE investigation). Diagram shown below:

[Diagram from page 9 of the ISC report: crevicetele.png]

From this enormous bundle of data the report states 4,020 calls were linked to CREVICE – with the vast majority of those eventually assessed as being “not related to the bomb plot itself, or even the wider facilitation network, and were in fact wholly innocent or irrelevant”. What is left is, therefore, an interesting piece of contemporary artwork.

While clearly technology can provide an edge in certain circumstances, its capabilities and limitations need to be clearly understood. This diagram solely relates to telephone calls; a diagram today would need to include Twitter, IM, VoIP, email, Facebook email or even in-game chats. The data would form an enormous cloud behind which plotters could operate.

There isn’t a clear solution to this and a number of industries are attempting to penetrate this burgeoning cloud of data to find meaning in the tweets and chirps. One potential important lesson to be drawn from this particular ISC report is that excess data can be used to hide a plot — this is contrary to the idea of terrorists passing torn paper notes to each other to avoid electronic detection. A ‘useless information’ bomb could create countless link analysis diagrams that ultimately lead nowhere, hiding the real intent. Information, unlike truth, may not in fact set you free.

SOCA and Games

The Director General of the UK’s Serious Organised Crime Agency (SOCA) claimed at the launch of the agency’s annual report that video games were being used by crime bosses locked up in UK jails to communicate with their associates on the outside. This in turn caused a row with the head of the UK Prison service who claimed no such thing was happening.

A couple of comments immediately come to mind. Why, if you know prisoners are using online games to communicate with their associates outside of prison, would you alert them to the fact you know they are doing that, when you could actually monitor this traffic and prevent crime?

Secondly, in response to this claim a prison service spokesperson said,

“Prisoners have never been allowed access to wireless enabled technology such as that used in some games consoles. Nor would they ever be allowed access to such technology.  A decision was taken some years ago that the then-current generation of games consoles should be barred because the capability to send or receive radio signals is an integral part of the equipment.”

This is a little disturbing as it isn’t about wireless technology – it’s about connecting to the Internet. I can only hope this was a misunderstanding.

The overall impression, though, is that neither side in this argument fully understands the technologies they are referring to. It does however seem that prisoners do.