Arbor Networks: Security to the Core

In the film “The Manhattan Project,” a high school student builds a small nuclear weapon to bring attention to a covert nuclear weapons research lab located near his suburban home. The ending of the film is a tense standoff between the high school student, the US Federal Bureau of Investigation (FBI), the US Army and a nuclear weapons researcher who coincidentally was dating the student’s mother (played by John Lithgow). After the standoff, during which the weapon nearly detonated, everyone sighs a breath of relief and the student rushes to a nearby door so that he can escape to the outside where his friends have gathered. Walking through the door, Lithgow’s character turns toward his Army superior and says “Too many secrets, too many secrets…”

In 1992, six years after the movie’s release, the film “Sneakers” again highlighted the phrase “too many secrets,” this time in an anagram – “Setec Astronomy” – which was the code word for a US National Security Agency (NSA)-engineered device that could crack any software encryption. The moral of the film is that spying is a dangerous game, one that the US government should not be allowed to partake in without supervision.

Putting aside socio-political concerns regarding government-initiated wiretaps, there exists a certain irony that now exists within corporations that have become some of the largest customers of computer security vendors. In recent years, spyware has evolved to the point where individuals and organizations use it to generate considerable sums of money. Installed unwittingly onto thousands of computers, including corporate systems, attackers can monitor keystrokes and collect data. Malware such as worms and mass mailing viruses take care of the distribution aspects of getting spyware installed on computers so that those responsible can sit back and watch the cash roll in. Corporations have dedicated considerable time and expense to the problem of spyware and are constantly trying to keep their employees informed on the risks of spyware.

While the spyware industry is widely considered to be criminal, there are spyware vendors whose software is seen quite differently. Certain producers of spyware provide their software to corporations that wish to spy on their employees. Though some employees are informed that they are being spied on, many others are monitored without their knowledge. In many respects, the same type of information is monitored by “commercial” spyware. Just as “malicious” spyware can capture keystrokes allowing an attacker to learn credit card numbers and other private information, corporate monitoring via spyware can capture the very same information.

The great irony we’ve arrived at is that many of the organizations that have deployed spyware for monitoring their own employees are now fighting spyware. I imagine a malicious software author expressing the same sentiment expressed by Christopher Guest in the film “The Princess Bride” when they think of this very irony, “how marvelous”. It is not my place to espouse whether or not I think employee-spying, excuse me, monitoring is ethical. I do, however, enjoy the irony; how marvelous.

This entry was posted on Monday, May 22nd, 2006 at 3:00 pm and is filed under Critical Infrastructure, Legal, Spyware. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.