Microsoft Calls For 'Digital Geneva Convention' (usatoday.com) 148
Microsoft is calling for a digital Geneva Convention to outline protections for civilians and companies from government-sponsored cyberattacks. In comments Tuesday at the RSA security industry conference in San Francisco, Microsoft President and Chief Legal Officer Brad Smith said the rising trend of government entities wielding the internet as a weapon was worrying. From a report on USA Today: In the cyber realm, tech must be committed to "100% defense and zero percent offense," Smith said at the opening keynote at the RSA computer security conference. Smith called for a "digital Geneva Convention," like the one created in the aftermath of World War II which set ground rules for how conduct during wartime, defining basic rights for civilians caught up armed conflicts. In the 21st century such rules are needed "to commit governments to protect civilians from nation-state attacks in times of peace," a draft of Smith's speech released to USA TODAY said. This digital Geneva Convention would establish protocols, norms and international processes for how tech companies would deal with cyber aggression and attacks of nations aimed at civilian targets, which appears to effectively mean anything but military servers.
Of course its Microsoft (Score:1, Troll)
Because theirs is by far the most architecturally broken and bodged, therefore most insecure and vulnerable OS.
Friendly challenge (Score:2)
However, if you are to run Windows 10... (Score:1)
Maybe I "enable" my mom too much.
Re: (Score:2)
If the splash screen looks great, then the code is great. Ship it. Customers will send in beta test issues.
Re: (Score:1)
Windows' architecture isn't the problem. From that standpoint, it's really no better or worse than any other OS at any level. (Rage all you want, Linux zealots, but it's true.)
Windows' user base is the problem. Let me count the ways...
1) They don't want to know how to use a computer. This is the electronic equivalent of not wanting to know how to operate (much less maintain) a car or follow traffic laws, but still wanting to drive on public roads. Fortunately, it's uncommon for people to die because a compu
Re: (Score:1)
I'm not discounting the majority of your post, but this:
"Because of this, Windows is full of shims and hacks to keep old shit working."
Is simply not true. *Everything* in Windows is hacked together garbage, even the new stuff.
Exhibit A [slashdot.org].
Exhibit B (Score:1)
Re:No, it's kind of cruft (Score:1)
Re: (Score:2)
Your link has nothing to do with "new stuff". It is literally dated 2006... you know, when that strategy was put into effect.
Windows "Home" is problematic though. (Score:1)
Re: (Score:2)
>> Windows' architecture isn't the problem. From that standpoint, it's really no better or worse than any other OS at any level. (Rage all you want, Linux zealots, but it's true.)
No it really isn't true. Just 3 examples (believe me there are many more):
* Unlike Linux, with Windows there is no real divide between apps and the OS. With Windows, apps and OS both keep their settings in a shared place called the registry that either can access and change. Under Linux, each app generally has its own unique
Makes sense (Score:4, Insightful)
If you want peace you need to start by committing not to attack the other side, only to ever defend yourself.
Re: (Score:2)
There are no Ukrainian boots on Russian soil, didn't seem to work out that well for them.
Clearly it isn't sufficient to just defend yourself if you want peace.
It might be a good start but something else is needed beyond that.
Are you implying that Ukraine should have invaded Russia? That seems like a terrible idea for the Ukrainians. Even worse than the situation they're in now.
Re: (Score:3)
Clearly it isn't sufficient to just defend yourself if you want peace.
In a multi-lateral situation you need to form a community that represents a plurality if not a majority of military power system-wide that agrees to act responsibly and be open enough that other nations can be pretty sure they aren't just appearing to act responsibly.
Once you have that you shun the worst offenders among those not in the community to deprive but not destroy them, offering them paths back into favor if they start behaving like adults. Some (like North Korea) will take a while to get over the
In the words of Ed Grooberman... (Score:5, Funny)
"Well, the best defense is a good offense. Do you know who said that? Mel the Cook on Alice."
Let's take a step back. (Score:1, Troll)
Just as long as.... (Score:3, Insightful)
Just as long as.... as unleashing Clippy on the world is deemed a war crime.
Re: Just as long as.... (Score:1)
Re: (Score:2)
Why? So we can violate that too? (Score:4, Insightful)
Re: (Score:2)
The US failed to ratify the Geneva Conventions. (Score:1, Insightful)
Perhaps there's a good reason to call it a 'digital Geneva Convention' - It's basically a nice guideline to point to that the US browbeats others with, only to fail to ratify into law and enforce themselves.
Without an enforcement body, this is meaningless. Who would you trust to enforce it anyway, MICROSOFT? Why not just call it a digital waste of time.
Bad comparison (Score:1)
Re: (Score:1)
I don't expect Microsoft to look after my interests. That's why I actually buy books that are published on Windows internals. Yes, they exist. Windows isn't the blac
Re: The US failed to ratify the Geneva Conventions (Score:3)
Where do you buy security breeches? The normal ones I wear are forever letting me down.
Re:Sovereignty (Score:1)
Re:The US failed to ratify the Geneva Conventions. (Score:4, Informative)
The Geneva convention and it's relatives and predecessors have been enforced. Yes, it tends to be after the fact, but the war crimes tribunal hasn't had a lack of work. The international community does tend to enforce the rules, either directly or via sanctions, and it appears to have had a major effect in the world.
It's really only a big problem with the offenders are Russia, the US or China. Even then, those powers are hesitant to break international law directly: see for example the US dissembling over the use of torture.
Re:The US failed to ratify the Geneva Conventions. (Score:5, Informative)
The US is a signee of all four Geneva Convention treaties. There were three additional protocols, though the US has only ratified the third, but not the other two. The various treaties that the US has signed:
GC I: Amelioration of the wounded and sick in the armed forces (1949)
GC II: Amelioration of the wounded, sick, and shipwrecked in the naval forces (1949)
GC III: Treatment of prisoners of war (1929/1949)
GC IV: Protection of civilian persons in times of war (1949)
P III: Protection of anyone wearing Red Cross, Red Crescent, or Red Crystal to denote medical/religious personnel (2005)
Signed but not ratified:
P I: Protection of victims of international armed conflicts (1977).
P II: Protection of victims of non-international armed conflicts (1977)
The Geneva Convention treaties are signed by a number of countries who seek to use them as a weapon against their enemy ("they broke the convention treaties, they should be tried for war crimes!") while they don't follow them themselves.
Re: (Score:2)
For a little context, the Hague conventions of the early Twentieth Century are, as far as I can tell, the first codification of the laws of modern war in treaties. I believe they're still the basis for much of it, although those conventions were found a trifle lacking in WWII. The Geneva Conventions, as far as they relate to war, are extensions of the Hague.
Good luck at that... it isn't just nations... (Score:4, Interesting)
Good luck with that, MS. The adversaries out there are not just nations who might have something to gain by playing fair or following rules due to game theory, but terrorist groups, criminal organizations, heck, even disaffected college students. Unlike conventional weapons that require expensive physical objects, a massive DDoS can be launched from a cast-off 486 as the top level command console as it can from a high-end supercomputer.
The main focus needs to be on "Great Wall of xxx", "xxx" being the country. If this isn't thought of now, it will be done by the government when some cyber-terrorism event happens that gets knee-jerk reactions going (think the USAPATRIOT act.) China has their Great Firewall. Iran is building their own Internet. Australia is in the process of building their nationwide firewall. Blocking attacks from other countries is going to be an issue sooner or later.
A second focus needs to be on LARTing IoT makers to follow a ground up security design. A hub (or hubs for redundancy) and spoke system, so IoT devices do their communication through a hardened hub that only allows the devices to communicate with what sites the signed manufacturer's manifest allows (and 0.0.0.0/0 is not allowed directly.) As it stands now, there is actually a punishment for IoT makers to design any security in their products. Mainly because if v1.0 has a security hole, when IoT maker makes 1.1, all the owners of Device 1.0 will upgrade or else face being pwned. If the IoT maker did updates, they would lose out on that revenue, plus to them, every dollar spent on security is a dollar with no ROI. Unless pressure is placed on IoT makers, we will be seeing exponentially worse DDoS attacks when every fridge, microwave, smart TV, sex toy, and doorbell be used for it.
Re: (Score:3)
This is what struck me as well. They explicitly want to address government sponsored cyberattacks, while ignoring cyberattacks by everybody else. Interesting approach for a company that has a very cavalier attitude towards privacy
Re: (Score:2)
This is what struck me as well. They explicitly want to address government sponsored cyberattacks, while ignoring cyberattacks by everybody else. Interesting approach for a company that has a very cavalier attitude towards privacy
Well only the US Government really has the authority to make MS complicit in such attacks.
Re: (Score:2)
Good luck with that, MS. The adversaries out there are not just nations who might have something to gain by playing fair or following rules due to game theory, but terrorist groups, criminal organizations, heck, even disaffected college students.
Just because it does not address every threat doesn't mean that a digital treaty is not worthwhile. For one thing, state sponsored attacks are likely to be far more sophisticated than what "disaffected college students" can do. When the US conducted Operation Olympic Games [wikipedia.org], they set a dangerous precedent in digital warfare. And history shows that rules can be applied to warfare. Not perfectly, to be sure, but perhaps better than no rules at all.
Useless idea (Score:4, Interesting)
Re: Rules (Score:1)
Re: (Score:2)
Rules get ignored and circumvented. Devices and software have backdoors. I don't see how to make sense attempting to apply the concept in one area to the other.
Sorry, poor terminology choice. I should have said "exceptions" or "loopholes."
Re: (Score:1)
Re: (Score:3)
Well how would they know what rules to break if no rules exist? You take the fun out of being a three letter agency!
Enforcement (Score:5, Insightful)
How do you enforce a digital Geneva convention?
You unfriend any nation state from your nation's facebook page if they break the convention? The regular Geneva Convention is hard enough to enforce, a digital one will be even harder because it's harder to prove an actor is really from a location or nation. Even if an assailant traced back to Russia is caught breaking the convention online and Russia "fails to catch" the person responsible they can claim he was a Ukrainian acting on behalf of Ukraine from within their borders.
Even the regular Geneva Convention isn't really respected anymore. You've got the US brazenly violating it in Gitmo. Iraqi troops during the gulf war were violating it. No-one really takes it seriously anymore.
Re: Taking seriously (Score:1)
Re: (Score:2)
How do you enforce the non-digital one? ;)
Re: (Score:2)
How do you enforce a digital Geneva convention?
You unfriend any nation state from your nation's facebook page if they break the convention? The regular Geneva Convention is hard enough to enforce, a digital one will be even harder because it's harder to prove an actor is really from a location or nation. Even if an assailant traced back to Russia is caught breaking the convention online and Russia "fails to catch" the person responsible they can claim he was a Ukrainian acting on behalf of Ukraine from within their borders.
Even the regular Geneva Convention isn't really respected anymore. You've got the US brazenly violating it in Gitmo. Iraqi troops during the gulf war were violating it. No-one really takes it seriously anymore.
How's the US violating it in Gitmo? (I'll give you a hint: the GC covers uniformed soldiers)
Re: (Score:2)
Re: (Score:2)
The Hague convention says that civilians get the same protections, provided they carry arms openly and fight more or less according to the laws of war, before their enemy has intervened. If the perfidious Canadians were to cross the border and attack the Twin Cities, I'd have the legal right to pick up a rifle and start shooting as a lawful combatant. That right ends the moment the US Armed Forces show up, which in this particular case would be before I could get a rifle.
Re: (Score:2)
If you can't store data safely, you better not store it at all.
The only thing that needs to happen to clean up this whole mess is to make people and corporations FULLY responsible for any data collected and any damage done to anyone by the data being leaked. You'll see that data snooping end pretty fucking quickly that way.
Re: (Score:1)
"So yeah, you crashed the economy"
"You owe us one economy. Better get started on that.
Re: (Score:2)
Too big to fail? Are we there yet again already? Companies being exempt from law because if we could slap them with a fine that isn't but a slap on the wrist, they take our economy with them, essentially holding our economy hostage?
Any corporation "too big to fail" must be broken up, anything "too big to fail" is a threat to the economy in general.
Nice (Score:4, Funny)
Please don't attack, we cannot defend! (Score:1)
Hey, Microsoft!
Start making secure software, redesign the piece of garbage you call an OS to actually have security as something that's not just tacked on and an afterthought and you wouldn't have to cry for mercy now.
No, we need a right to strike back (Score:3)
A guaranteed right for civilians to strike back against state-sponsored attacks that should not be targeting them should be enshrined into law. All forms of warfare. Collateral damage? No fucking longer, because it will be your ass.
Re: (Score:2)
None of your HOSTs files protects against state-sponsored attacks. That one got proven by plenty of state actors already.
Give up on your shitty outdated 'security' as this modern world barely even uses HOSTs any longer.
Re: (Score:2)
"By the way, Khyber - Are YOU doing better than I have on this front?"
I've never had an attack or network penetration, ever, because I'm smarter than you. I've never had to write a HOSTs program, because unlike you, I'm not stupid enough to get infected by anything, and I'm smart enough to use dedicated hardware that's impervious to OS workarounds.
You, on the other hand, and your outdated security friends, have tried to beat my system, and you've all failed miserably. So, please, come back when you're actua
Re: (Score:2)
I've built my own protocols. This is why you can't touch my stuff.
It's called PROPER PROGRAMMING - something your 16,000 lines of code is not.
Re: (Score:2)
Hey, guess what? My internal to router block list is only TEN lines long and runs a thousand times faster than your shitty hosts file.
You needed 16,000 lines to do what I could do in ten. You're fucking PATHETIC and so are the people that trust and support you.
Re: (Score:2)
"Documented facts"
>nothing but a bunch of other 3rd world 'security' people having their words repeated by you
Meanwhile, as I've proven (and as Microsoft has proven) time and time again, HOSTs is bypassed by the OS and browsers AT WILL.
You fucking moron.
Re: (Score:2)
>fake name and fake life
Meanwhile, as Vice President of one of the oldest mineralogical societies in California, I've secured their entire network exactly as I described and ran a full-out attempt to get any ad to display on our computers.
ZERO ADS DISPLAYED.
I just block the largest ad networks off the bat by wildcard IP and it's fucking done in my router. ZERO ADS TOUCH ME.
Apparently, you're not smart enough to figure out that the ad companies paid for static IPs for easy configuration, in whole blocks.
Re: (Score:2)
"Windows doesn't block hosts fool (only 4 windows update)"
I didn't say Windows blocks HOSTs - now you're putting words in my mouth you incompetent fuck.
But it still bypasses it for Windows update? THAT IS EXACTLY WHY HOSTS IS USELESS!
If I fucking say YOU DO NOT GO THERE and yet the computer STILL GOES THERE, then HOSTs is BROKEN.
That you cannot accept this logic is proof that you're insane, untrustworthy, and a FRAUD.
Re: (Score:2)
Ahh, the moron looking at OLD NEWS (in which the e-mail was proven a FAKE - the header was TWO LINES LONG. Obviously fake.)
See how stupid you are? Now I have you, Alexander P Kowalski, for libel, and the proof is right here, where you can't touch it, hide it, or deny it.
Now to hunt you down and file suit.
Re: (Score:2)
"Where do hosts get bypassed no mind? Windows Update ONLY stupid fuck!"
And every browser, and any program can be programmed to bypass HOSTs, proven time and time again with a simple GOOGLE SEARCH - how? Ignore fucking DNS resolution in the OS and do it yourself (ever hear of ZenMate for Chrome? It does exactly that.)
USELESS. This is why IP blocking works best.
BTW, you can simply bypass HOSTs if a piece of malware simply removes the user permissions from HOSTs. Pretty shitty 'security.'
Re: (Score:2)
Thanks for the extra libel evidence.
I love it when you lose so hard you have to resort to personal attacks.
I'm going to love to even more when the news of the lawsuit comes to bite you in the ass.
Including domestic ones? (Score:2)
Does that mean that NSA, FBI, IRS, etc. would not "attack my server?" This is the most
idiotic idea that anyone ever not thought through. Its a total non-starter. I thought even
Clintonite Democrats from Washington and California were smarter than that.
Article I (Score:2)
Just Use Non-State Actors (Score:2)
Why? (Score:2)
Are security protocols that broken at larger organizations or is it just Microsoft asking for government protection from improving and finding bugs in their software?
It's easy to defend against a security attack, you could use perhaps a large amount of sites small enough to be managed by a 2 or 3 man team and then connect those sites with a network that takes different routes around when one goes missing. We could have ARPA develop the thing and call it ARPAnet.
Nonsense (Score:2)
The NSA isn't snooping on Facebook and Gmail because they expect to find Chinese and Russian military secrets there. Almost all active conflicts now are asymmetric warfare where at least one of the parties aren't enrolled in regular armies of any kind, it's just people. They don't dress up in uniform, they don't have any particular military infrastructure, they hide among the civilian population in civilian buildings and use civilian tools. The general population's freedom, privacy and anonymity will come u
How about digital NATO instead, (Score:3)
In the Future (Score:2)
Sorry, that's juvenile and I should know better, but these little outbursts of virtue signalling from them get my goat. And I haven't even got a goat.