
"The Emperor has No Clothes" - "Arrest that boy!"

I have previously commented in this column on laws that fail to connect with the reality of Information Security and which are therefore "bad". The case of Dmitry Sklyarov and the US Digital Millennium Copyright Act (DMCA) is also in this category. The DMCA outlaws the sale of copyright protection circumvention technology. Sklyarov, a Russian, was arrested when visiting the USA to present a paper on flaws in Adobe Systems' eBook Reader at the DefCon conference.

This is a complex case, with issues of jurisdiction (Sklyarov worked in Russia, where there is no similar law) and constitutional rights (does the DMCA restrict Fair Use rights?) but it has already had a detrimental effect. A Dutch researcher, Niels Ferguson, has decided not to publish his paper detailing security weaknesses in the HDCP content protection system because of fear of prosecution when he visits the USA. Therefore, the weaknesses are unlikely to be fixed before HDCP comes into common use, and criminals will have an easier task of pirating the supposedly protected works.

The parable of The Emperor With No Clothes illustrates the value of truth - nowadays, the truthful boy would find himself in an American jail for 25 years.

Can I have Cheese on my Net Meltdown?

Some security experts seem a little too keen on predicting the end of the Internet. For example, on 29 July Russ Cooper wrote, "This doesn't alter my prediction that we're going to experience a 'net meltdown on the 1st or 2nd, I believe far too many machines are vulnerable still and will likely be re-infected."

What is a "net meltdown"? Sounds bad - brings up images of nuclear reactor meltdowns. That implies shutting down the damaged reactor, evacuating the population within a large radius and permanently encasing it in concrete. I might be unobservant, but I didn't notice anyone doing that on 1 Aug. My Internet connection is still not covered with concrete.

Or maybe more like a cheese meltdown? Stops being firm and supportive, gets gooey round the edges, still tasty - but you might burn your tongue if you're not careful. That could describe the Internet any day of the week.

Cooper was right about "far too many machines", but the result was not comparable to a nuclear meltdown. Finding how large my firewall log was on the peak day was annoying, and we can cry over all that wasted bandwidth, but it is not a disaster. Information Security is important, but unjustified hype is not going to make anyone listen.

AVAR Conference

Three years ago a small group of Anti-Virus researchers met in Hong Kong and linked hands for a photograph. This was the inaugural event of the Association of anti-Virus Asia Researchers, an independent and not-for-profit organization that is oriented to the Asia Pacific region. AVAR was the brainchild of Seiji Murakami. Murakami is a leader in Japanese Anti-Virus, developing the first local anti-virus in 1990. After his company was acquired by Network Associates in March 1997, Seiji founded Japan Computer Security Research center (JCSR) and Japan Computer Security Association (JCSA) in July 1997 in order to spend more time on promoting anti-virus activities. He also realized that there was a need for a non-profit and independent anti-virus organization in Asia, and contacted other researchers around the region to form AVAR. The mission of AVAR is to prevent the spread of, and damage caused by, computer viruses, and to develop cooperative relationships among anti-virus researchers in Asia. Although Asia is the focus of interest and activities, there is no requirement for members or subscribers to be Asian, or even in Asia, as examination of the membership list or photographs demonstrates.

There are three grades of membership: Individual, Corporate and Subscriber. Individual and Corporate Members must be proposed by a member, and approved by the Board of Directors. Members' and Subscribers' mailing lists keep everyone in contact - we can be discussing a "hot" topic before people in more tardy time zones are awake. There can also be longer-term differences - although the numbers are now much lower, the reports exchanged show CIH is still more prevalent in Asia than elsewhere.

AVAR Conference

However, the main AVAR activity is the growing annual conference. The second, in Korea, attracted fifty participants, and the third, in Tokyo, one hundred and eighty. This year it is back in Hong Kong, at the New World Renaissance Hotel, on 4 and 5 December.

Widely Supported

The conference is being co-organised by the Information Security Special Interest Group (IS-SIG) of the Hong Kong Computer Society (HKCS). The Hong Kong Computer Society was founded in 1970 as a non-profit making professional body with the primary objective of promoting the uses of IT in Hong Kong. The IS-SIG, established in June 2000, focuses its research and discussion on security-related subjects.

Many other organisations are backing the conference. Network Associates is the Platinum Sponsor, and the Information Technology Services Department (ITSD) of the Hong Kong Government is the Gold Sponsor. Symantec and Ahnlab are Silver sponsors and the Bronze Sponsors are Virus Buster (Hungary) and HAURI. Supporting Organisations include the Hong Kong Information Technology Federation, the Computing Services Centre of City University of Hong Kong, the Singapore Computer Emergency Response Team (SingCERT) and Infocomm Development Authority of Singapore (IDA).

Government Involvement

One special feature of the AVAR conference has been government involvement, with previous years' speakers including the Korean Information Security Agency (KISA), the Japanese Ministry of International Trade and Industry (MITI, now renamed to Ministry of Economy, Trade and Industry), the Infocomm Development Authority of Singapore and the Chinese Tianjin Quality Testing and Inspection Service. This year government topics will include Information Security Policy in Japan and the introduction of a National Computer Virus Emergency Response Center in China.

The Art of War

However, the techies will not feel left out - two papers look at the future of virus detection in new Office versions. Other papers consider using Intrusion Detection Systems for catching viruses; and the security of Java mobile phones. Sun Tze recommended knowing the enemy and yourself, so the papers on how Worms can be successful and how best to compare AV software are entirely appropriate.

For the Corporate Security Manager, the presentation on a major corporation's virus checking service, and the one on grassroots exchange of anti-virus information will be of special interest. Anti-Virus industry leaders will make the keynote and honorary speeches. However, as the Conference Chairman, I would not like to suggest that this short list of topics are the conference highlights, because that judgement should be left to the delegates. I hope you will be among them. Full details of the programme and the participation details will be on the AVAR website.


Gallery

Inaugural AVAR meeting. Front row: Seok-Chul, Richard, Motoi; Back row: Karen, Won-Hyok, Charles, Allan, Seiji, Harumi