Thursday, February 18, 2010

Cyber Attacks from China and Europe

Google says the huge cyber-attacks are coming from China. I don't doubt that. This article says another gang, in Eastern Europe, has released the “Kneber bot,” a Trojan that reproduces itself on every connected computer and makes all of those computers “cooperate” to give the thieves what they want: logins, passwords, financial data, and so on. It is the largest invasion of corporate computers to date. I don't doubt that either. I wonder if some of this is our own fault.

A few years ago I sat in on a job interview for my company's Supervisor Customer Relations Management (CRM) Software Engineer position, a position that would be my immediate supervisor. My Division's Director wanted my opinion of the candidate and asked me to participate. The candidate was an American who had spent the previous five years (my memory may be off a year or so) in Europe as a lead CRM programmer for a well-known European company, although I can't remember the company's name. He knew ALL the latest buzzwords and HOT topics in the programming world, although after two years in retirement, I can't remember those either. But, he was HOT! Just ask him.

Before I go further I should tell you about CRM systems. They are the programs that keep your data: your personal identity, your credit card information and your banking information. While there may be differences from one company to another, all CRM systems have a common purpose and common programming “code” no matter who writes the code. Most use encryption to protect important data, but programmers decide what's important and what's not, and programmers come with various skills, personalities, experience AND personal predilections about what's important. Also, encryption algorithms are known the world over, even though there are laws against “exporting” the highest-security encryption programs. And how many programmers know about the law? Not all of them. So, you may be the best and brightest (and honest and concerned) programmer, but there are others out there determined to get into your code.

So, this guy says one of his responsibilities is supervising a group of CRM programmers in Beijing, China. Huh? “How's that work?” I asked. We, he says, send the specs to the Chinese programmers along with templates and base code and the Chinese fill in the blanks to make a usable Windows screen or Web page or middle-tier dynamic library or database structure. They (the Chinese) return the completed work and he reviews and tests it. His company “outsourced” important programming to China.

“Do you trust them? How do you know they, or even the Chinese Government, aren't appropriating your code for their own uses?” I asked, or words to that effect.

“Oh,” he says. “We have them sign an agreement that they will not give or sell our proprietary code.”

Huh?... There you go! There's that honor system where “they” trust you just because you signed an agreement. Well, I signed one of those statements too. I made a promise and I'll keep it. But China? A country where over 70% of its millions of computers run on pirated software? A country where an individual “can't” keep his promises if the government doesn't want him to? A country that is “determined,” under any circumstances and by any means, to become the world's greatest economy? Personally, I wouldn't trust any Chinese programmer farther than I can spit to keep their promise, no matter how honest that programmer is.

As far as I know, Google doesn't know where the attacks are coming from. Is it a criminal? Or is it the Chinese Government? Or is it Google's Chinese competitor who is taking over Google's Chinese market? From the news, the Chinese Government is opposed to Google's stance. I haven't heard China say that it's investigating the attacks, which would be appropriate and reasonable if the attacker is a criminal or competitor.

Ever since NAFTA and CAFTA, U.S. companies “outsource” work for cheap labor. The software industry is no different. When you call tech support, you're likely talking to someone in India, probably an employee of Satyam, Inc. or Mahindra Corp., or maybe in Vietnam, Taiwan, Singapore or the Philippines. When they ask for the “last four” of your Social Security Number or credit card, they can see the first seven or twelve numbers. They can see your stuff. They signed that statement too. They know the code that keeps your stuff. It only takes one or two dishonest programmers to build the bots that get your stuff.
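The risk described above is that the support desk (wherever it sits) can see the whole number when it only needs the last four. The mitigation is data minimization: store the last four in the clear for the support screen, keep a keyed hash so the full number can still be verified when a higher-assurance check is needed, and never hand the full value to the support tier at all. The code below is an added illustration of that pattern, not the author's or any CRM vendor's code; the record layout, the `SERVER_KEY` constant and the sample customer values are constructed for the example.

```python
import hashlib
import hmac

# Constructed key for the example only. A real deployment loads this from a
# secrets manager or HSM; the keyed hash is only as strong as the key's secrecy,
# because card numbers and SSNs have small enough value spaces to guess offline.
SERVER_KEY = b"example-key-not-for-production"


def _digits(value):
    """Normalize user-entered numbers: keep digits, drop spaces and dashes."""
    return "".join(ch for ch in value if ch.isdigit())


def _keyed_hash(value):
    """HMAC-SHA256 of the normalized number; lets us verify without storing it."""
    return hmac.new(SERVER_KEY, _digits(value).encode(), hashlib.sha256).hexdigest()


def onboard_record(name, card_number, ssn):
    """Build the stored customer record.

    Only the last four digits are kept in the clear. The full card number and
    SSN are discarded after computing a keyed hash, so no screen or database
    dump in the support tier can ever reveal the leading digits.
    """
    return {
        "name": name,
        "card_last4": _digits(card_number)[-4:],
        "card_mac": _keyed_hash(card_number),
        "ssn_last4": _digits(ssn)[-4:],
        "ssn_mac": _keyed_hash(ssn),
    }


def support_view(record):
    """What a tier-1 support agent is shown: masked fields only."""
    return {
        "name": record["name"],
        "card": "**** **** **** " + record["card_last4"],
        "ssn": "***-**-" + record["ssn_last4"],
    }


def verify_last4(record, field, claimed):
    """Low-assurance check used on the phone: does the caller know the last four?"""
    return hmac.compare_digest(record[field + "_last4"], _digits(claimed))


def verify_full(record, field, full_value):
    """High-assurance check: the caller supplies the whole number through a
    channel the agent cannot see (IVR keypad, web form), and we compare keyed
    hashes in constant time. The stored record still never contains the number."""
    return hmac.compare_digest(record[field + "_mac"], _keyed_hash(full_value))


if __name__ == "__main__":
    rec = onboard_record("Jane Example", "4111 1111 1111 1111", "123-45-6789")
    print(support_view(rec))
    print("last4 ok:", verify_last4(rec, "card", "1111"))
    print("full ok:", verify_full(rec, "ssn", "123456789"))
```

The separation matters more than the hashing: the agent's screen is built from `support_view`, which has no access to anything but the last four, so the agent's honesty (or the contractor's signed statement) is no longer what protects the number.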

We didn't hire the guy. He knew too many buzzwords and, as I recall, asked too many questions about our company “bonus” structure; more interested in pay than the job. And, as an afterthought, how would we ever find out if some of our proprietary code made it to one of his Chinese friends? Perhaps for a nice little sum of money? We would never know.
