Thursday, January 04, 2007

Qatar's Internet security

The Gulf Times announced today that OISSG is holding free security training seminars in Doha over the next couple of weeks. OISSG is a not-for-profit organization dedicated to information security. Sounds tempting, until you realise it's a sales opportunity. Expect to be frightened by cyber-criminals; baffled by the complexity of the problem; and have doubts raised about your ability to protect your systems. "Don't worry, for a small fee, you can have peace of mind by buying our stuff."

If only there was a local IT security organisation looking out for the best interests of Qatar. Well, there might be soon. Q-CERT is being set up and is recruiting. From the job specs and application procedures, you could be forgiven for thinking the jobs are limited to US academics. However, Q-CERT is undeniably a good thing - I just wonder whether its main focus will be to protect the new universities and financial centre, or whether it will also try to fix some existing problems.

The recent Wikipedia silliness has exposed a security vulnerability that is politically charged. Resident web-surfers know their requests are funneled through an automated filter, which occasionally protects them from their own seedy surfing habits (or just blocks sites at random). It is also well known that there is no censorship in Qatar. Bafflingly contradictory? Nope. The local ISP does the filtering, and it is operationally independent from the government.

The filter is now a well-publicised single point of failure, which any technologist will tell you is a tempting target for an American teenager. Knock out the filter, and you knock out web access for an entire country. Will Q-CERT recommend removing the filter? If so, it might be tough to find the decision-maker responsible for censorship when the role was abolished in 1996.


Morad Rayyan said...

Honestly, I don't think Q-CERT will be able to affect QTEL's security policy nor its short-term strategy.

But I agree with you, it will be nice to have a local organization that is dedicated to keeping us aware of such security issues or even offering training seminars.

Nigel said...

The reason many security organizations have no influence is that they are continually telling government and industry "something really bad might happen soon". The really bad thing hardly ever happens.

Eventually, policy-makers become weary and ignore the warnings. There's no way to publicise every threat and still retain trust.

Anonymous said...

Hi Nigel,
I am planning to come to Qatar in 3-4 months' time. But I am very curious about internet restrictions in Qatar. Some say even using Skype is forbidden. Can you tell me anything about this? Thanks...