Slashdot Mirror


Network Webcurity Wishlist?

breillysf asks: "I am a California-based network security attorney who has been asked by a senior US Senator to compile a list of the most important legal concerns facing network security administrators. He has a good feel for the government security issues (and lack thereof), but he is concerned about what is going on in the front lines in the private sector. I thought the Slashdot crowd would have the best feel on the pulse of the current situation. Specifically, if you could ask Congress for help in the area of network and information security, what would you ask for? Or would you tell them to get out of the way?"

"For example, I tried to push for tax incentives for upgrades in network security measures, but the Senator replied that is dead in the water because we are now spending into a deficit. He would rather see insurance companies reward firms with lower premiums for enhanced security. But there are International legal issues, compliance issues, privacy complications, potential negligence liability exposure, lack of federal incident response, FOIA and anti-trust issues with info sharing, conflicting state and federal cybercrime and privacy laws, USA Patriot Act concerns, etc."

512 comments

  1. pgpnet by resistor2004 · · Score: 1

    offer rewards for running PGPnet

    1. Re:pgpnet by Anonymous Coward · · Score: 0

      I would like to make two suggestions.

      1: Encryption! I understand the intelligence community's desire for weak to nonexistent encryption used throughout our industry, but this is leaving us all vulnerable to malicious attack. If we deliberately weaken our systems for our intelligence community, what is to stop foreign intelligence agencies from exploiting this? Repressing encryption is misguided and will lead to further consequences.

      2: Hold software developers accountable. Software is very expensive, yet when we look at the license consumers have absolutely no rights. Consumers do not own the software, have only the permission to use it in specific predefined ways and must absolve the producer of any liability even when using the software within its designed uses. This is not right. This leads to a situation where the software developers are pushing defective products onto the market without fear of any repercussions.
      Bill Gates compared the computer industry to the car industry a few years ago. Well, if your computer loses all information and causes your company to lose thousands of dollars the software developer is held harmless. If a car is defective and costs thousands of dollars to repair, we can reasonably expect that cost to be paid by the dealership or car manufacturer.
      The way that government can help in this regard is by changing the legal contracts that software developers are using. Perhaps the government will define what rights it maintains in all procurement contracts. (i.e. If software is defective and must be patched, the software provider will do all patching at no cost and be held liable to a maximum of $100,000 in the event that any information is lost or altered.) Once software developers are able to fulfill these contractual requirements, it becomes a point that they can use to market and sell their products to the public.

    2. Re:pgpnet by TinWeasle · · Score: 1

      Bravo! Your second point, concerning license-based hostage-taking, is right on the money. No accountability is exactly why so much software sucks. We need a system that recognizes that software has just as much potential to do damage as hardware.

      While this may scare some small developers, some thought could be put into any legal changes, such as limiting exposure to the price paid for said software. That may not be right either, considering the possibility of damage beyond the value of the offending code. But this is an excellent point to start from, and the industry stands to make very big strides in the quality and price/performance arenas as a result.

      Holding someone accountable for their product happens in every other area of the economy in the USA, with the exception of bad rulings from judges. Bring on the lawyers!

      --
      The TinWeasle: "Worming Out of Culpability since 1978" - Opinions expressed are mine alone, yadda, yadda, yadda
  2. Don't ban tools! by pete-classic · · Score: 5, Insightful

    To borrow a phrase; if you outlaw nmap, only outlaws will have nmap.

    -Peter

    1. Re:Don't ban tools! by Bonker · · Score: 5, Interesting

      This is probably the most important thing any network professional can ask for.

      Outlaw evil behavior, not the tools that enable that behavior. In many cases the tools have many, many more positive and educational uses than negative uses. In a lot of cases, the tools can be used to stop or examine criminal (cracking) behavior.
      Say what you will about Steve Gibson, but the guy knows a little about network security. He gives an extended discussion on how he used the tools of the IRC-based DDOS trade to help oust some script k1dd13's that were hammering his site.

      Without tools like L0pht-crack, the NT password cracker tool, I couldn't have convinced my execs that a company password policy was necessary and passwords like 'password01' were unacceptable.
      Just like we don't ban sledgehammers and bolt-cutters even though they can be used to break padlocks, we shouldn't ban network tools either.

    2. Re:Don't ban tools! by sheldon · · Score: 3, Informative
      "Say what you will about Steve Gibson..."

      Naw, I'll let these guys say it. :)

    3. Re:Don't ban tools! by cavemanf16 · · Score: 2, Insightful
      As others have said, government should keep hands off taking tools away. Let the script kiddies have their scripts and password cracking software. We can use it against them if we're allowed to have it too.

      The main problem with all government laws is the inability of government to adequately enforce the laws. Like the DMCA. That was put in place, wrongly if you ask me, to protect digital copyrighted works, like CDs. Yet it would be trivially easy for me to download an entire CD of mp3s, burn a CD, and then sell it for half-price to my friends. And I would most likely never be caught. I most definitely do not think that this happens the vast majority of the time in America, but in China, software and copyright 'pirating' is rampant. But we can't crack down on them 'cause our government doesn't have the willpower to protect its own citizens' interests. Instead, it enacts even more ridiculous rules to try and stop the criminals, when really all they're doing is hurting free enterprising individuals within their own borders.

      So PLEASE! for the love of everything decent and holy, DO NOT start banning everything that *could* be used as a computer security breaking tool. Just enforce the rules already on the books. Hire more computer security experts, not more thugs in black suits. An ounce of prevention is worth a thousand pounds of security in our digital world.

    4. Re:Don't ban tools! by darth6 · · Score: 1

      Preach on. Ban clueless legislators, not tools. Would it be nice for the government to help out the sys admins... sure. Are they even remotely capable? NO! The best thing they can do is undo the damage they have done. Realistically the only way to fairly and competently regulate technical issues is to have a governing body of technically savvy individuals that is not appointed by industry. If legislators can't deal with a hands-off approach, let them create a congress of IT people, elected by IT people, to deal with IT issues.

    5. Re:Don't ban tools! by Anonymous Coward · · Score: 0

      don't ban tools, source code (free speech baby!), reverse engineering, cracker sites, etc. stop slapping MS around and DO something about their monopolistic ways. Protect Americans' privacy and don't allow the FBI and CIA and NSA and other agencies to spy on all voice/data traffic. tighten the nation's border security and update both the FAA air traffic control systems and airport security systems. oh...and last but not least, do something about the nation's power infrastructure troubles (i.e., near/over capacity currently)!

      Thank you for your time!

    6. Re:Don't ban tools! by plague3106 · · Score: 1

      Of course then your problem becomes in defining 'evil' behavior.

    7. Re:Don't ban tools! by BiggestPOS · · Score: 0, Offtopic

      By thugs in black suits you mean lawyers right?

      --
      What, me worry?
    8. Re:Don't ban tools! by erc · · Score: 1

      Actually, I think he meant the FBI.

      --
      -- Ed Carp, N7EKG erc@pobox.com PGP KeyID: 0x0BD32C9B What I'm up to: http://intuitives.mine.nu
    9. Re:Don't ban tools! by Anonymous Coward · · Score: 0

      Well, I think there are a few tools that should be banned. I can understand not banning BackOrifice, maybe, but there isn't really any good reason to not litigate against stuff like Sub7, "I Love You", or Outlook Express.

    10. Re:Don't ban tools! by cavemanf16 · · Score: 1
      Actually, I meant both! ;)

      I.E. Any anally retentive jerk-wad.

    11. Re:Don't ban tools! by b0bby · · Score: 1

      Correct me if I'm wrong, but aren't tools like lock picks & even bolt cutters treated a bit differently than other tools? It was always my understanding that if you were carrying these tools for no good reason (ie, you're not a locksmith) you could be arrested for suspicion of burglary. You could probably extend this analogy to network sniffing tools - ie, if you're not a network administrator you shouldn't have them. I don't know that this is the case, but that's what I've thought.

    12. Re:Don't ban tools! by boydtel · · Score: 1

      No problem, laws already measure bad behaviour based on harm. Murder harms you by taking your ultimate possession, burglary harms you (somewhat less) by depriving you of the time spent earning the burgled property and by depriving you of the use of that property. This is routine and easy for legal systems.

    13. Re:Don't ban tools! by pete-classic · · Score: 2

      That's some pretty convoluted thinking you have there.

      First those are hardly a tool. Second, the people who posses it are generally the victims.

      (Yes, that goes for OE as well ;-)

      -Peter

    14. Re:Don't ban tools! by faichai · · Score: 1
      The problem with basing laws on harm is that it is a passive approach to law-enforcement, which relies on the deterrent to be sufficiently regrettable to persuade would-be criminals to not commit crimes.

      By moving up the action chain of a crime (think-prepare-do), in this case outlawing the tools to knock out the prepare phase, it becomes possible to preempt the crime and prevent any harm from occurring.

      In the current political atmosphere, 2 trends are emerging:

      The populace of many developed countries (not just the US) are demanding active prevention of crime. They prefer to not hear about crime, because it makes them feel the streets/net/<insert medium here> are dangerous. And danger or even moderate risk is unacceptable. They are actively giving up their rights and responsibilities for safety and comfort.

      Corporate entities are getting very greedy. Just because they are making money using some particular method at present, they feel they have a right to maintain that method in perpetuity. To secure this right they are lobbying and generally buying out government to get their way. Even in countries with political processes not as warped as the US, governments frequently (this story being an exception) turn to the commercial sector for advice on policy. In doing this they get professionals in from all the big companies, who then twist the process to further their company's aims.

      The corporates are lobbying to ensure laws are moved up the action chain, and since the spin on the ultimate crime that is being committed is branded as theft, piracy, etc people are more than willing to accept it, and probably don't understand the real issues anyway.

      For government to resolve the situation they need to 1) Stop getting bought by lobbyists/campaign contributions. 2) Turn more frequently to other sources for advice, particularly academia. 3) Take account and recognise the apathy, complacency, and submissiveness of the governed in law making, and realise that just because they don't make a fuss when a particular law goes through Congress/Parliament doesn't mean that it is good for them or that they like it.

    15. Re:Don't ban tools! by tps12 · · Score: 1
      The problem with basing laws on harm is that it is a passive approach to law-enforcement, which relies on the deterrent to be sufficiently regrettable to persuade would-be criminals to not commit crimes.

      This is not a problem, it's how it is supposed to work. Try to do anything "active," and you've got thought crime, which I think everyone agrees is not a good place to be. We are seeing a lot of bogus legislation pushed through by big corporations, but these are short-lived laws. They will not hold up in the Supreme Court, and groups in opposition to them are gaining recognition and support in the general population. Citizens can organize to be at least as powerful as corporations in government (look at the NRA), and it is only a matter of time before things are set right.

      --

      Karma: Good (despite my invention of the Karma: sig)
    16. Re:Don't ban tools! by pete-classic · · Score: 2

      I'm sorry this was modded down. It is a pretty good interpretation of what I meant!

      -Peter

    17. Re:Don't ban tools! by togofspookware · · Score: 0

      One of the problems with banning software is that it does harm without doing much good - you may stop script kiddies from using them, but competent programmers who may (or may not) have a legitimate use for them can build them themselves. The 'bad' users will be less likely to want to make their creations public, and will not get caught, while the 'good' users get locked up or whatever.

      --
      Duct tape, XML, democracy: Not doing the job? Use more.
    18. Re:Don't ban tools! by plague3106 · · Score: 1

      Do they? I was speeding on the highway today, and did not cause any harm. Yet technically I have broken the law and should have been punished. I agree that harm should be the only determinant of the legality of something, but even then the waters get murky. If I say fuck you in front of an 11 year old, have I done harm? Is there proof one way or the other?

  3. Holding Companies Liable by Anonymous Coward · · Score: 4, Insightful

    How about holding various companies whose products are exploited the most (re: MS) liable for their lack of security?

    1. Re:Holding Companies Liable by jspey · · Score: 5, Insightful

      More specifically, if you pay for some software and it has security holes that a reasonable and prudent check should have found before it went on sale, and those security holes cause you problems (like lost time, lost money, lost business, whatever), then you can at least try to get the purchase price of the software back from the publisher. Seriously. Lots of software has holes in it. But if I buy win2k and install it, and the default install turns on IIS, and IIS has enormous holes in it that should never have made it past quality control, then I should be able to get the cost of the software back from Microsoft when I suffer problems from their poorly designed software.

      If you make the penalties for unsafe software too large, no one will write software. But there needs to be some sort of incentive for companies with so large a market share that they don't care how crappy their software is to make their software safe.

      Mr. Spey

      --
      Cover your butt. Bernard is watching.
    2. Re:Holding Companies Liable by posmon · · Score: 0, Redundant

      eh up! this is america in the 21st century. you can sue for anything!

      --

      update comments set karma=-1, reason='offtopic' where sid=26315

    3. Re:Holding Companies Liable by ch-chuck · · Score: 3, Interesting

      This argument holds about as much water as the "sue the automakers because cars shouldn't go that fast"

      No, we just want to be able to sue software companies for glaring holes in "hastily rushed out the door to meet this month's balance sheet and we'll patch it later after we crush the competition" products. Think products that are badly made with defects (weak ball joints that break off when you hit the first pothole, or piss in the coffee), not because they are misused (driven too fast or spilt in your lap). If Ford et al could make machines w/o ANY liability for safety & industry standards and got in a hypercompetitive winner-take-all market where it comes to a) make it safe b) make a buck, they would take option b) every time and do anything for the sake of competition and profitability, leaving dead bodies strewn down the highway.

      --
      try { do() || do_not(); } catch (JediException err) { yoda(err); }
    4. Re:Holding Companies Liable by jspey · · Score: 5, Insightful

      That works if you're a private company. What happens when a soccer mom gets her cable modem turned off because someone exploited some hole in IIS that she installed on her computer without knowing it? Never mind that to fix the hole she'll have to d/l the patch from the microsoft website, which is kind of tough when you don't have web access anymore.

      Sure, after the patches are out then it's your own responsibility to fix it. But some of the holes and/or default configurations have no business being in a piece of published commercial software.

      Mr. Spey

      --
      Cover your butt. Bernard is watching.
    5. Re:Holding Companies Liable by sheldon · · Score: 2

      So today I get a vulnerability announcement from RedHat. Seems Apache will expose files if you install certain mod_* packages. Isn't this a flaw in the design of the mod plugins?

      Shouldn't this have been caught before release? Who do I get to go after, since Apache is free? Should RedHat pay the penalty since they shipped the product? Or the Apache developers?

      Obviously we need some penalty, otherwise they will not have an incentive to make their software safe.

      Furthermore you need to define "reasonable and prudent". You rely a lot upon 20/20 hindsight, but could you have predicted the 9/11 attack? I'll bet you can now, but could you on 9/10?

      Just making a point...

    6. Re:Holding Companies Liable by jspey · · Score: 3, Insightful

      Shouldn't this have been caught before release? Who do I get to go after, since Apache is free? Should RedHat pay the penalty since they shipped the product? Or the Apache developers?

      Good point. What I guess I should have said was, "commercially developed software" or something like that. If you use something someone wrote for free, you're on your own. I have no incentive to make software I give away for free safe so long as I don't go around making guarantees that it's completely safe. Basically, if a reasonable user does reasonable things with software that cost money and suffers because the software's really insecure, the company that made a profit from the programming of the software should be at least slightly liable.

      And I used the word "reasonable" because that's the word that is most often used in laws and court decisions. It's a vague standard but it's used an awful lot.

      Mr. Spey

      --
      Cover your butt. Bernard is watching.
    7. Re:Holding Companies Liable by dks · · Score: 1

      If I believe I have suffered monetary damages because of a faulty (insecure) (software) product, I should have the freedom to sue the person who sold me that product. When physical products go wrong, manufacturers can be forced to recall them (analogous to releasing security patches, though the latter is voluntary).

      If someone is injured by a product that has been recalled after the recall, (e.g. they didn't know it had been recalled), do we blame them for not being sufficiently up to date? Software will never be bug-free or completely impervious. But the current blame-the-victim (you didn't patch fast enough) answer to complaints about companies who release glaringly buggy software in the first place is not going to solve the problem either. We need to hold software vendors to the same quality standards for initial release that we would makers of any other product, and the best way to do that may be to enable litigation (I never thought I'd be recommending that as a solution to any problem...).

    8. Re:Holding Companies Liable by Delphis · · Score: 1

      While the 'Reasonable Man' standard is a very good statute, the judges that end up making the decision in these matters are so BELOW the 'reasonable' standard of technological competence they have no clue about any sort of 'baseline' level of security or 'fitness for purpose' when it comes to software. They'd probably get some 'expert' (paid by the likes of big business, just those who you want to sue) to brainwash them into believing anything.

      --
      Delphis
    9. Re:Holding Companies Liable by czardonic · · Score: 1

      I have no incentive to make software I give away for free safe so long as I don't go around making guarantees that it's completely safe.

      Given that, why would anyone ever switch to Linux or other free M$ alternatives? You are saying that such a person would have no reasonable expectation of safety, and even if they were assured it was safe, there is no one to hold accountable should that not be true.

      --
      Takahashi Rumiko made beats! DON, taku, DON, taku. . .
    10. Re:Holding Companies Liable by sheldon · · Score: 3, Interesting

      I can see your point. But consider that it has a fallout... If you thought using free software in business was hard now, it'd be absolutely impossible after such a bill was passed.

      This is a tough one. I've always been rather upset that software includes a disclaimer that says they are not responsible for whether or not the software works. I think that's bullshit. But, on the other hand, am I willing to pay more to get that disclaimer taken away? That's another part of the reality. If companies are more financially responsible, the prices are going to go up. That's what has happened in every other industry, for example automobiles, private planes, etc.

      Maybe that's a side effect of a maturing industry. But it also means the small mom & pop shops (aka Free Software) are going to die. Funny thing is that usually big businesses push for these regulations for exactly this reason. It's pretty easy for a company like GM to pay to follow all the government safety regulations on cars. It's difficult for a new startup who has to build all that testing and reporting infrastructure from scratch.

    11. Re:Holding Companies Liable by scott1853 · · Score: 2

      Cars KILL people when they crash. I haven't heard of anybody dying from a crashed server. Maybe an admin has gone and killed somebody because of it but I think that would be it.

      I think it could actually be argued that crappy software helps the economy since software is not regulated by the government. That way, you have LOTS of companies paying lots of people to either fix problems, or create a new product that works better. It's called competition, and it's been occurring for hundreds of years before Microsoft came into existence. It's just taking longer to weed things out than in other industries.

      Safety takes a long time for the auto industry to implement though. But then again, they have a fixed platform to develop for (laws of physics). For them it's like developing a console game. The console isn't going to change so you don't have to plan for too many unknown variables. Obviously a PC has a great deal of unknown variables that have to be dealt with.

      But maybe we can fix one of the biggest social problems ever, which would be the type of thinking that everything is somebody's fault. It's the eye for an eye philosophy, but not quite as literal, and adapted for a capitalist society. Sometimes an accident is just an accident, a mistake is a mistake. It wasn't planned, it wasn't intentional, it just happened due to variables. Until we are all replaced by androids, humans will continue to make mistakes. That's life, expect it to happen again. Even androids would make a mistake. Mistakes happen when not all the variables are taken into consideration. Key variables can be forgotten, or maybe they weren't even known about in the development process.

      How many of you have found a serious bug in some software that COULD erase your work or cause all sorts of problems? How many of you simply accepted the existence of the bug and didn't perform the necessary actions to trigger it?

    12. Re:Holding Companies Liable by cscx · · Score: 1
      ...some hole in IIS that she installed on her computer without knowing it?

      Give me a break.

      For a "soccer mom" to do that, she'd have to be running Windows 2000 Server.

      No one should attempt installing a server OS unless they know what they are doing. If a "soccer mom" is running Windows 2000 Server, it's probably a pirated version anyway -- that person deserves whatever consequences he/she gets as a result of that.

      Let me ask you this: If soccer moms used Linux, how many of them would unknowingly be running unsecured versions of wu-ftpd, BIND, etc? Hmmmmmm?

      Right. Thought so. Please think before you place the blame on somebody.

    13. Re:Holding Companies Liable by jspey · · Score: 3, Insightful

      They have no legal expectation for safety. I didn't pay them for what they did, so they can put out whatever they want to publish. As long as they don't claim it's much more secure than it actually is, I haven't lost anything, whereas if I were to purchase software I have expended money in exchange for features, one of which should be security. If the free software is flawed I can stop using it or I can go into the code and fix it myself. If the software I purchased is flawed, I can't do anything about it. Maybe if I had access to the code for the software I purchased and I could modify it to fix holes, then maybe that would be okay.

      Besides, right now there's still no one to hold accountable for holes in free software while you still have a company to go after if the commercial software they sold you was crap.

      Mr. Spey

      --
      Cover your butt. Bernard is watching.
    14. Re:Holding Companies Liable by ahde · · Score: 2

      that would effectively ban open source products. You could be sued for giving something away. Or say you make an exception for free or open source. You could then be sued for providing a low cost alternative, making entry of new products difficult, especially making funding hard to get.

      For accountability, you need to get rid of 2 things.

      1) Ridiculous and obviously illegal click through/shrink wrap/by reading this sentence you owe me a million bucks/whatever EULAs. Clicking a button to install a product you already bought is *NOT* a binding contract. No matter what you say.

      By giving your credit card number to Dell, you are supposedly granting Microsoft (and anyone they see fit) to collect, distribute and modify your personal information. Also to delete any and all information on the computer you bought.

      And by the way, Microsoft is explicitly absolved of any harm they do, intentional or otherwise.

      2) break up trusts that attempt to use their leverage to force you into such agreements and use their clout to enforce them, legal or not

    15. Re:Holding Companies Liable by jesseraf · · Score: 1

      I think you have to include some provisions regarding negligence. If windows crashes while you're playing Quake, and made you lose, that's not sufficient to sue.

      If you can prove negligence (Company XSFT has been shown to ignore the "security concerns" of developers in the development of software Y, at the expense of the development of future features). This would have to be proved beyond a shadow of a doubt. A lot of the /.ers' claims I hear regarding Microsoft are speculation at best, and they aren't sufficient. But if you can find an ex-MSFT developer who doesn't have any "resentment", etc against MSFT, who can claim that pressure was put on them to ignore security concerns at the expense of features, then you might have something. It'd be analogous to an auto exec telling an engineer not to worry about how the car performs safety-wise, and to just get the damn thing running.

      Without a negligence provision, Open Source liability could be a big concern. In reality, if there's a kernel hole (or even look at something like the umount 2.4.15 corruption of data), and someone loses money because of it, who are they going to sue?

      Or look at it another way, if a vuln developer produces software that causes B in Software C, should he be held liable as well?

      I agree with you that software companies shouldn't be liability free, but you have to be careful of what you want them liable for. Things like ignoring warnings from individuals or companies about a potential vuln, or not dedicating enough resources towards fixing security vulns, should have liability attached, but "innocent" software bugs probably shouldn't.

    16. Re:Holding Companies Liable by Maditude · · Score: 1

      I think it could actually be argued that crappy software helps the economy since software is not regulated by the government. That way, you have LOTS of companies paying lots of people to either fix problems, or create a new product that works better. It's called competition, and it's been occurring for hundreds of years before Microsoft came into existence. It's just taking longer to weed things out than in other industries.

      Ummm, might be good for the software industry's economy, but it is without a doubt quite WASTEFUL for the rest of the economy, which could certainly put money to better use than flushing it down the bugfix/upgrade blackhole.

    17. Re:Holding Companies Liable by wesmills · · Score: 2
      For a "soccer mom" to do that, she'd have to be running Windows 2000 Server.

      Or Windows 2000 Professional, or Windows XP Professional (the latter of which doesn't have an exploited IIS ... yet). It's very common to install 2k Pro and check all the pretty boxes, including the one that says "Internet Information Server." I've had callers who said they just *knew* that IIS was required because they wanted information from the Internet.

      No one should attempt installing a server OS unless they know what they are doing.

      Is Linux a server OS? Do we want people installing it on their desktops?

      If a "soccer mom" is running Windows 2000 Server, it's probably a pirated version anyway -- that person deserves whatever consequences he/she gets as a result of that.

      Who says she knew it was pirated? I'm sure half the pirated copies of Windows 2000 out there are installed on the machines of the parents of those who pirate it, and the parents are none-the-wiser.

      If soccer moms used Linux, how many of them would unknowingly be running unsecured versions of wu-ftpd, BIND, etc? Hmmmmmm?

      If you pick the RedHat install option of "Everything," then quite a few.

    18. Re:Holding Companies Liable by scott1853 · · Score: 2

      It's only wasteful if the problems outweigh the usefulness of the software being used. Would (pick any company that uses computers) be MORE or EQUALLY profitable if they didn't use those systems? If they spent 100 hours per year dealing with problems, would it only take 100 hours to perform the task without computers?

      Computers in general help the economy, bugs keep the software makers and IT depts working. If everything was perfect, would there be a need for IT or a future for software companies?

    19. Re:Holding Companies Liable by ninewands · · Score: 4, Insightful

      Given that, why would anyone ever switch to Linux or other free M$ alternatives? You are saying that such a person would have no reasonable expactation (sic) of safety, and even if they were assured it was safe, their is no-one to hold accountable should that not be true.

      <RANT>
      The fact of the matter is that Linux and all the usual tools (both GPL and BSD licensed) have ironclad disclaimers of liability in their licenses. I consider having to accept those disclaimers in order to use the software at little, or no, cost to be a pretty fair deal.

      Microsoft has even more stringent and detailed disclaimers in the licenses they apply to Windows, Office, Money and all the other software they sell, yet they expect me to give up a large and growing amount of both my money and my freedom to do what I wish with my computer in order to use their products.

      Trying to avoid creating flamage, I'll leave the discussion of the relative technical merits of the two products, but I WOULD like to ask ...

      Which deal do you think is more fair, 1) no money/no guarantee, or 2) lots of money/no guarantee?

      Microsoft and all the other shrink-wrapped software houses have created a situation where they can charge what they want for their product while they remain immune from any liability for damage that their product might cause (How much do you think the wasted bandwidth burned by Code Red/nimda cost? My guess is in the billions.). Hell, they don't even guarantee it will run at all.

      The proprietary software houses are making the railroad robber barons look like a bunch of kindergartners.
      </RANT>

    20. Re:Holding Companies Liable by Anonymous Coward · · Score: 0

      If a cracker breaks into your system and causes damage, it's the cracker who should be held liable, not the software developers. That is unless the exploited flaw was in a program that promised to deliver security. If in the EULA it's clearly stated that they can't be held liable for exploitations of security flaws, they aren't promising security.

      This situation isn't unique to the software industry, car manufacturers are just as bad. Case in point, I recently had my car stolen due to a severe flaw in its security. Can I (or my insurance) hold the car manufacturer liable? Not really, because the car manufacturer didn't guarantee it to be secure. My insurer however factored this into my rates.

      My point is, programs like Outlook only promise to send and receive email (not even that if you read the EULA), not to protect you from email viruses. Until consumers demand and are willing to pay for better terms, they won't get them. IMO it's buyer beware.

      As for legislating minimum security requirements, I don't even want to get into that mess. Reaching a consensus on defining and measuring minimum allowable security is bound to be a nightmare.

    21. Re:Holding Companies Liable by Anonymous Coward · · Score: 0

      (sic)

      It is pretty much a given that when you excerpt a quote, you copy and paste from the original rather than re-type. There is little chance that someone will attribute spelling errors in the original text to you. As such, the only reason to point out such errors, is to advertise yourself as a pedant.

    22. Re:Holding Companies Liable by RollingThunder · · Score: 2

      I haven't heard of anybody dying from a crashed server.

      Won't anybody think about the children?

      (child processes, that is)

    23. Re:Holding Companies Liable by arkanes · · Score: 1

      Just about the single common factor in software EULAs and licenses of all types is the disclaimer of warranty, even the implied warranty of "fitness for a purpose". I think this is fine for free software (you get what you pay for), but as soon as someone charges you money for it, especially the big money they charge in enterprise solutions, I think that shield should go right out the window. I gave you money for a product, and if that product does not perform as advertised, then you owe me a refund. I think there needs to be some sort of limit to liability (some multiple of the purchase price, perhaps), otherwise the commercial software industry would immediately shoot down the tubes, but SOME measure of responsibility (NOT "Service Agreements" that you pay extra for) would have a vastly beneficial effect on the industry.

    24. Re:Holding Companies Liable by cscx · · Score: 1

      When you install Windows 2000 Pro, it pretty much asks you two questions once you get to the graphical installer (past the partitioning, formatting, etc): Your CD-Key and Time Zone. A Windows 2000 install installs pretty much everything, except IIS. If you go to the Add/Remove Programs applet, you'll see that there are only a couple of components you can voluntarily choose to install/uninstall at your leisure... IIS and a couple of other networking tools. IIS is not installed by Windows 2000 Pro if you don't deliberately go looking for it and deliberately tell it to after the installation.

    25. Re:Holding Companies Liable by ninewands · · Score: 2

      I think you have to include some provisions regarding negligence.

      There doesn't have to be a negligence provision in the contract in order for a person damaged by breach of that contract to sue. Breach of contract and negligence are governed by entirely separate bodies of law and are separately actionable.

      If windows crashes while you're playing Quake, and made you lose, that's not sufficient to sue.

      Depends ... if you were playing in the final round of a professional deathmatch tournament with a purse of, say $1 million AND you held an insurmountable lead at the time of the crash, AND the rules of the tournament disqualified you because of the crash, I'd say you would have lawyers lined up to take the case.

      If you're Little Johnny l337 $uX47qu4k3 who was playing with his buddies online and lost "because windows crashed" it would be a different story. The question is not one of contract provisions, it's one of damages. However, in either case, you'd still face the problem of the disclaimers in the Windows license.

      A lot of the /.ers' claims I hear regarding Microsoft are speculation at best, and they aren't sufficient.

      And almost ALL the legal "opinions" you hear on /. amount to nothing more than uninformed babble.

      Or look at it another way, a vuln developer produces software that causes B in Software C, should he be held liable as well?

      Here you go again ... wrong body of law ... this act is a crime, and yes, one of the punishments available under criminal law is an order of restitution. BTW, crimes can also be the subject matter of tort suits in the civil courts if the DA declines to prosecute.

      In short, please don't try to give someone legal advice unless you know the law. A lawyer (actually Abraham Lincoln) once said, "It is better to keep silent and be thought a fool than to open your mouth and remove all doubt."

      P.S.: The burden of proof in a civil case is "preponderance of the evidence" NOT "beyond a shadow of a doubt." In a criminal case under Anglo-American and MOST European law, the burden is "beyond a reasonable doubt." The only legal system of which I am aware that requires absolute proof of guilt is Islamic law, and it is only required there for the 7 crimes referred to as "Huddud".

    26. Re:Holding Companies Liable by BitterOak · · Score: 1
      How about holding various companies whose products are exploited the most (re: MS) liable for their lack of security?

      Yes. And it is the consumers who should hold them liable by voting with their dollars.

      I must say at this point I have very little sympathy for the victims of the Goner virus. Outlook Express has been exploited many times in the past. The attitude is always along the lines of "we have to catch the dirty little hacker who wrote this virus and string him up by his toenails, cover him with honey and release a million army ants into the room." instead of "hmm, Outlook Express has some serious vulnerabilities, and therefore we should consider switching to another e-mail application which treats attachments with more care...".

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    27. Re:Holding Companies Liable by markmoss · · Score: 2

      I have no incentive to make software I give away for free safe so long as I don't go around making guarantees that it's completely safe.

      Given that, why would anyone ever switch to Linux or other free M$ alternatives?


      1. The budget is more important than security. If a company will pay big bucks to MS for questionable security and no real warranty, paying nothing for the same terms ought to be better...

      2. You know _you_ can make a Linux installation safe. And you don't have to reboot the servers when installing the weekly security patch! (You know what it costs a corporation to take the servers offline for 5 minutes?)

      3. You contract with a Linux support company to set up the security, and guarantee it works. This gives you the same warranty as with a commercial product, and you'll probably get a lower price and better service. The support companies will be smaller and often more responsive to customers than companies like MS, but you still get software that has been studied by many programmers and run very widely...

    28. Re:Holding Companies Liable by markmoss · · Score: 2

      I think [disclaimer of warranty] is fine for free software (You get what you pay for), but as soon as someone charges you money for it, especially the big money they charge in enterprise solutions, I think that shield should go right out the window.

      The real issue isn't even whether you pay for it or not. You'll pay for a used car as-is, no warranty. But you _know_ the deal in that case. If Bill's Used Cars is running TV ads 24 hours a day about how their cars are in perfect shape and will run forever without attention, Bill really ought to be liable somehow when actually the fan belt works its way loose once a day and has to be replaced. False advertising, certainly. Criminal fraud, probably.

      You know those ads that I mean, where the NT servers are running unattended. (30 second spots, of course, wouldn't want the cameras to catch the administrators dashing back into the building to hit the re-boot button...) If fine print legalese in an "agreement" that you don't even see until after you've bought the product overrides repeated public assurances, then our court system is just punishing poor thieves and rewarding rich ones.

    29. Re:Holding Companies Liable by OSgod · · Score: 1

      Justice tends to be blind -- if we get legislation that says you must warranty your product then how will Linux exist?

    30. Re:Holding Companies Liable by TinWeasle · · Score: 1
      I can see your point. But consider that it has a fallout... If you thought using free software in business was hard now, it'd be absolutely impossible after such a bill was passed.

      I dunno... I'm reading this discussion, and thinking that I might like to offer a special consulting service... In return for a regular security audit, and a subscription fee, I'd certify open source installations against fault (read: Liability Insurance). Might be fun and lucrative, that.

      --
      The TinWeasle: "Worming Out of Culpability since 1978" - Opinions expressed are mine alone, yadda, yadda, yadda
  4. Wishlist... by gowen · · Score: 5, Funny
    My wishlist:
    1. Never ever ever use the so-called-word "Webcurity" again.
    2. ...
    3. Err ...
    4. That's it.
    (apologies to Private Eye)
    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:Wishlist... by Unknown+Bovine+Group · · Score: 5, Funny

      UGH. Webcurity? Let's nip this one in the bud.
      Webcurity is the most slashtacular word I've seen in a long time. Its cowboyNealiciousness is of almost Hemosian proportions.
      It's almost Katzian.

      --
      m00.
    2. Re:Wishlist... by pangloss · · Score: 2, Funny

      Never ever ever use the so-called-word "Webcurity" again.

      ah yes, let's let that one slip into forced webscurity.

    3. Re:Wishlist... by hyyx · · Score: 1

      "Webcurity"... "eComStation"...

      What's next? Is this a trend? ::shivers::

    4. Re:Wishlist... by Anonymous Coward · · Score: 0

      Webcurity? Who came up with that word? Cowboy Neal or George Bush? I'll never forget the day GW came on TV and said:

      "...Afganiscan..."

    5. Re:Wishlist... by Anonymous Coward · · Score: 0

      it's a perfectly cromulent word.

    6. Re:Wishlist... by sharkey · · Score: 2

      On the plus side, we'll never know when CmdrTaco misspells it.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    7. Re:Wishlist... by Tony-A · · Score: 1

      Webcurity by webscurity.
      Agreed, it needs to die a quick uneventful death.

  5. well... by turbine216 · · Score: 2, Troll
    My network-security wishlist for presentation before Congress:
    • Try all Microsoft engineers as domestic terrorists in one of those military tribunals.
    • Kindly ask Larry Ellison to get bent.
    • Outlaw any Passport and .NET services.

    Whaddya think, mr. attorney? Can we make this happen??
    1. Re:well... by lordemsworthx · · Score: 1

      No chance! Bill Gates and Larry Ellison have _way_too_much_ money!

      --
      Lord Emsworth
  6. What I Really Want by twoflower · · Score: 5, Insightful

    The number-one item on my wishlist would be for the government to keep completely out of network security issues -- the government should ensure security on its own networks, of course, but they shouldn't be concerned about anything else.

    There's already enough laws to deal with DOS attacks and such -- more laws just means more expense for those who have to deal with them.

    Twoflower

    --
    Twoflower
    1. Re:What I Really Want by Anonymous Coward · · Score: 0

      Amen. Do we really want the people who brought us the long lines at the post office, the long lines at the DMV/DOT etc. anywhere near anything of import?

      If he truly wants to "DO SOMETHING", he can vote to keep the TAXES off the net.

    2. Re:What I Really Want by friscolr · · Score: 1
      do we really want the people who brought us the long lines at the post office, the long lines at the DMV/DOT etc. anywhere near anything of import?

      I was second in line when i went to get my license renewed; i waited in line about 3 minutes.
      The last few times i've been to the post office, i've been either 3rd or 4th in line, and have had to wait an average of 5 minutes.

      In comparison, there are usually 5-6 people in front of me when i go to the grocery store and the wait is usually about 10 minutes, at least.
      At the video store there are 5-6 people in line ahead of me and the wait is 6-8 minutes.
      But at the bar i can usually shove my way to the front and get a pint within a minute, or, depending on who's working, they start pouring my pint the second i walk in the door.

      In conclusion, the people who run grocery stores should not be anywhere near anything of import, while the people who run bars should be running everything.

    3. Re:What I Really Want by Flower · · Score: 3, Interesting
      Actually, one thing that I currently like seeing the government doing is creating publications on security best practices. Like what the NSA distributes here.

      A lot more useful than any regulation or a thousand laws IMO.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    4. Re:What I Really Want by shpoffo · · Score: 1

      But unless I'm way off (very likely), isn't it in the best interest of the gov't to encourage and promote a flourishing economy - i.e., things that better the people? Economy = jobs = sustenance, despite other arguments about globalization/etc, which are for a different forum. Isn't there a place for gov't monitoring/protection - or is this an area where corporations are intended to mete out their own justice through self-defensive structures? Banks made armored cars back in the day to stop bandits, and they're still used today for the most part. Networking technology could be seen as a logical extension of corporations' want for safety in money-faring. But since I see money-lending as a dubious practice as it is anyway I think I'll set this thought down for the moment.

      -shpoffo

    5. Re:What I Really Want by Anonymous Coward · · Score: 0

      A legislative and legal recognition of the hacker ethos would be a benefit to our nation's security. Rule number one: "Information should be free". Granted we are a capitalist society. However I assert that the unpaid R&D that was initiated by the MIT Model Railroad Club (yes, I'm old school) and that continues today in the form of snort and whatever latest IIS hole has been discovered whilst I write this is an enormous advantage to our nation. It would serve our legislators well to protect that misunderstood asset. Not legislate, not regulate, but allow to continue its laissez faire development. Granted we are a thorn in the side of the M$ crowd, but we are also their impetus to continue developing their market.

      Government serves a purpose when it acts as an extension of the will of the citizenry. We, the people, desire that information should be free and that the 'Net should remain self-regulating, untaxed, and (sigh) potentially insecure.

  7. Webcurity? by joshv · · Score: 0, Redundant

    What kind of word is that? Webcurity...

    What next? Homelandcurity?

    -josh

    1. Re:Webcurity? by Conspiracy+Theorist · · Score: 1

      webcurity n. An imaginary word intended to be interpreted as a buzzword, which when used around the right people will make you sound intelligent and thereby increase your job security.

    2. Re:Webcurity? by kkokal · · Score: 1, Funny

      C'mon... it's a perfectly cromulent word.

    3. Re:Webcurity? by sdo1 · · Score: 2, Funny
      ...and thereby increase your job security.

      That would be jobcurity.

      -S

      --
      --- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
  8. The obvious by heyeq · · Score: 5, Insightful

    Well, for starters, don't let Microsoft's Chief Security Advisor work as a security advisor for the White House.

    1. Re:The obvious by prpplague · · Score: 1

      I totally agree, I've already started calling my local Republican HQ about this issue. Talk about a bad resume! You don't hire someone that is a known drug dealer to work in a pharmacy, why would you hire a person who has a proven record of failed security policies and place them in charge of the nation's security policies?

    2. Re:The obvious by AWRich · · Score: 1

      Not sure if this would be at the top of my wishlist but it is real close to the top. Not only would there be doubts about his ability but what are the chances that somehow, almost as if by magic, microslut products were deemed to be the best for use in national security?

      Rich

    3. Re:The obvious by bje2 · · Score: 1

      Letting Microsoft's Former Chief Security Advisor work for the White House is like letting Bill Clinton judge the Miss America competition...you're just asking for trouble....

      --

      "Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson
  9. hailstorm and the like by curtis · · Score: 5, Interesting

    This is a great chance to get our concerns as a community out into the public sector.

    Consider this: ONE person/organization has EVERYONE'S personal and financial data online. This goes against all design architectures in both security AND engineering. A single point of failure. Imagine one bank in real life, with Barney Fife guarding it. Would you put your life savings there?

    With more and more commerce occurring on the internet, the more important it is that there is some scheme to protect this important market. I am particularly concerned with one private company holding the public trust in their hands -- I am also very concerned about the government, for that matter, also holding this information!

    1. Re:hailstorm and the like by Anonymous Coward · · Score: 0

      We already trust the Federal Reserve (a private organization), why shouldn't we trust Microsoft?

    2. Re:hailstorm and the like by biohazard99 · · Score: 1

      Your 401(K) wasn't full of Enron stock was it?

    3. Re:hailstorm and the like by Anonymous Coward · · Score: 0

      Well, does the Federal Reserve have a history of screwing up time after time? .... Ahh, so *you* trust the Federal Reserve, but those of us that know better just hope they don't screw up anything major.

  10. Egress Filtering by jac · · Score: 5, Interesting

    "Coax" all carriers and providers to do egress filtering at the edges of their networks. This should help significantly in reducing DDoS attacks and should help make malicious network activity easier to trace.

    1. Re:Egress filtering by Agthorr · · Score: 3, Interesting

      What about multihomed hosts where one ISP doesn't know about the other's addresses? I was administering such a setup once, and it was extremely useful that the ISPs didn't do egress filtering!

      Also, although I agree it's generally good practice, this isn't something I'd want the government regulating. It sets a bad precedent, and they'd try to regulate all sorts of other aspects of network administration where they should not be sticking their noses.

    2. Re:Egress filtering by jmauro · · Score: 1

      Except this wouldn't work at all for things like phone upstream, satellite downstream. The IPs of the phone connection are different and not in the same network. Also a lot of other networks are and can be designed to use asynchronous links depending on the traffic.

    3. Re:Egress filtering by James+Youngman · · Score: 2, Informative

      This possibly doesn't buy you much - many DDOS attacks utilise captured machines, and so there would be no requirement to spoof the source address - since it is not the attacker's own address.

      FWIW, nobody should allow 10.0.0.0/8 addresses to leave their network, since it is an RFC 1918 address.

    4. Re:Egress filtering by Anonymous Coward · · Score: 0

      Yes, but now you actually know the network of the compromised host. So you can contact the appropriate NOC without either/both parties writing it off as a likely false alarm due to spoofed IP. Right?

    5. Re:Egress filtering by Anonymous Coward · · Score: 0

      Um, I don't see how this is a problem, at least for a (Hughes) DirectPC-type setup which is most common. Hughes has to ensure that any IPs leaving its network have Hughes-originating IP source addresses. They can. And they control the satellite downstream as well.

      And what do asynchronous links have to do with ensuring that the source address comes from one's own network? I'd agree, such a legal requirement would sort of impose a view of the world that a particular piece of hardware either originates traffic or routes it, not both. Or more precisely, that hardware that routes traffic to the outside world can be segregated from internal originating and routing systems. But that's pretty much what goes on today, even in the scenarios you mention. Right?

    6. Re:Egress filtering by dcviper · · Score: 2, Interesting

      Personally, I would have a problem with my home ISP (at this time, Insight RR) filtering anything. I pay for open and unfettered access to the net. However, that does not stop me from adopting a secure setup for my home network. My firewall is set up to automatically drop anything from the RFC 1918 addresses (10.0.0.0, 192.168.0.0), because those should only be used between routers at the core and distro layers, or behind NAT setups. This should also be implemented at the corporate enterprise level, as ACLs on the edge routers. In an ideal world, RFC 2827 would be implemented everywhere, but I'd hate to see it done by governmental regulation...

      -dcviper (Cisco Certified Network Associate)

      --
      Ummm, err, say what, now?
    7. Re:Egress filtering by LinuxParanoid · · Score: 1

      I'd tentatively agree, this might imply that you couldn't really have multihomed hosts connected directly to external networks, but you could still have that host connected to a multihomed network, in multiple ways so you still avoid a single point of failure. Right?

    8. Re:Egress filtering by Agthorr · · Score: 1

      In the setup we had, we had a pair of redundant Linux firewall/NAT machines, both connected to the two ISPs, for redundancy. One ISP would be the "active" ISP, and the other the "backup". The active firewall had a little script running to check connectivity to the "active" ISP. If it detected a failure, it would switch its routing tables and NAT setup to make the "backup" ISP the "active" one.

      However, any existing TCP/IP NAT sessions would still be using the downed ISPs addresses. Sometimes, the downed ISP would come back up pretty quickly, so it was nice that these sessions could continue to function over the other ISP.

    9. Re:Egress filtering by jac · · Score: 1

      So you think all home users should be able to spoof source addresses at will or do you not understand the meaning of "egress filtering"?

    10. Re:Egress filtering by Anonymous Coward · · Score: 0
      . . . because those should only be used between routers at the core and distro layers, or behind NAT setups.

      So, you are saying that your core routers can be set to an RFC 1918, but aren't behind NAT? I would prefer you said: . . .because those should only be used on private networks and behind NAT.

    11. Re:Egress filtering by DavidTC · · Score: 1
      But by switching the routing tables, you'd have to be able to switch the outgoing routing tables at the same time.

      You can't receive packets on the net unless they know how to get to your computer. Ergo, every router between you and the other computer has to know what direction you're in. All you have to do is make sure that packets going in the other direction, if routed with source/dest flipped, would actually go backwards onto the network they came from.

      In other words, routers shouldn't just route outgoing packets blindly, they should check the source and make sure it would be something they would be routing the other way if it was the dest. It's a very quick check, and it's something routers are very good at doing anyway.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    12. Re:Egress filtering by coyote-san · · Score: 2

      With true multihoming, you'll have your own IP address and each ISP will either consider you a "peer" or one of its own subnets. Your packets would not be dropped by this policy since it would be considered legitimate traffic.

      With cheap-ass multihoming, you trade off this expense and inconvenience for reduced functionality. For you individually the cheap-ass approach may be cheaper, but the cost to the rest of the network is DDOS attacks which are difficult to fight because it's extremely difficult to identify the compromised hosts. One DDOS attack may easily cost more (in salary, downtime, etc.) than the money saved by every company using cheap-ass multihoming for years.

      --
      For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    13. Re:Egress filtering by dcviper · · Score: 1

      No, I don't feel that NAT on the core layers is necessary, because outside users have no reason to connect to core routers...
      Maybe you should brush up on your Cisco layers (Core, Distro, Access). The links going to internal routers inside your AS aren't seen by the user, for example:
      (Purely Theoretical)
      Let's say that /.'s headend router were 164.83.9.1, but its webserver was located on 164.83.23.56. What I am saying is that the links between 164.83.9.1 and 164.83.23.1 would be RFC 1918 addresses. In other words, not NAT. Perhaps you need to review your networking principles...

      --
      Ummm, err, say what, now?
    14. Re:Egress Filtering by Anonymous Coward · · Score: 0

      What do you mean by "coax"?

      The question, heavily paraphrased, is "what action should Congress take to improve internet security"

      While egress filtering might be a great idea,
      would you really suggest that we mandate or legislate that organizations implement this?

    15. Re:Egress Filtering by dwheeler · · Score: 1
      Egress filtering, also called "Network Ingress Filtering", is already formally defined and described in IETF RFC 2827. As most of you know, the IETF defines the key Internet standards, and the IETF completed this RFC back in May 2000. In it, the authors recommend that all service providers implement egress filtering "as soon as possible". You can see this RFC at http://www.ietf.org/rfc/rfc2827.txt.

      It would be a good idea to legally require ISPs to implement egress filtering. It won't stop DDoS attacks, but it would make it far easier to trace and stop malicious network activity.

      There are also some efforts to try to "throttle" DDoS attacks from the sending side (e.g., by watching to see if there are many unanswered packets and then slowing down transmission rates). If these efforts scale and their current problems can be fixed (e.g., how do you handle broadcasting?), perhaps they could be made a legal requirement, or perhaps there could be a general legal requirement that ISPs implement methods to counter DDoS attacks, using egress filtering and throttling as examples. There are ways to make this work legally, by creating a more general law and setting up a body to create the more specific regulations (which can be flexible as technology advances and new attacks emerge).

      The fundamental problem with Distributed Denial of Service (DDoS) attacks is that they are very hard for victims themselves to counter; the best place to counter them is near the attacker, but victims generally have no control over networks "near" the attacker. Since DDoS attacks don't particularly hurt the "sending" ISPs, this is a problem that will not be solved by simply waiting for people to do it themselves. Thus, I think there's a need for "good Internet citizen" legal requirements to make DDoS attacks easier to counter.

      --
      - David A. Wheeler (see my Secure Programming HOWTO)
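      The egress-filter thread above (dcviper's RFC 1918 drop rule, DavidTC's "would I route the reply back out the same interface" check, and dwheeler's pointer to RFC 2827) describes a mechanism that is easy to show in a few lines. What follows is an added simulation, not code from any poster or from the RFC: a toy edge router with a static routing table that applies a bogon check and a strict reverse-path check to outbound packets. The prefixes, interface names and sample packets are constructed (documentation address ranges), and it also includes the multihoming case Agthorr and coyote-san argue about, where a customer emits packets carrying another ISP's source address.

```python
"""Reverse-path (RFC 2827 style) egress filter, written as a toy simulation.

Constructed example for this thread: the prefixes, interfaces and packets
below are made up (documentation ranges), not a real ISP's configuration.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 private space plus loopback: never valid as a source address on
# traffic leaving the edge toward the Internet, whatever the routing table says.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str          # interface we would forward to for this prefix


class EdgeRouter:
    """Static routing table with longest-prefix match and a strict reverse-path check."""

    def __init__(self, routes):
        # longest prefix first, so the first match in lookup() is the most specific
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr):
        """Return the interface this router would use to reach `addr`."""
        for route in self.routes:
            if addr in route.prefix:
                return route.interface
        raise LookupError(f"no route to {addr}")

    def egress_verdict(self, src, in_iface):
        """Decide whether a packet with source `src`, arriving on `in_iface`,
        may be forwarded toward the upstream. Returns (action, reason)."""
        src = ipaddress.ip_address(src)
        if any(src in bogon for bogon in BOGON_PREFIXES):
            return ("DROP", f"{src} is RFC 1918/loopback space")
        # Strict reverse-path check: if we would route a reply to `src` out of a
        # different interface than the one the packet came in on, the source is
        # not one we expect from that interface, so treat it as spoofed.
        reverse_iface = self.lookup(src)
        if reverse_iface != in_iface:
            return ("DROP", f"reverse path to {src} is {reverse_iface}, not {in_iface}")
        return ("PASS", f"{src} is reachable via {in_iface}")


def build_example_router():
    """Constructed topology: two customer links and a default route upstream."""
    return EdgeRouter([
        Route(ipaddress.ip_network("203.0.113.0/24"), "eth1"),   # customer A
        Route(ipaddress.ip_network("198.51.100.0/24"), "eth2"),  # customer B
        Route(ipaddress.ip_network("0.0.0.0/0"), "eth0"),        # upstream
    ])


# Constructed sample traffic: (source address, interface it arrived on).
SAMPLE_PACKETS = [
    ("203.0.113.10", "eth1"),   # customer A using its own address: fine
    ("10.1.2.3", "eth1"),       # private source leaking out: drop
    ("192.0.2.55", "eth1"),     # address belonging to some other ISP (the
                                # cheap multihoming case): drop, no reverse path
    ("198.51.100.7", "eth1"),   # customer B's address arriving on A's link: drop
    ("198.51.100.7", "eth2"),   # same address on B's own link: fine
]


def summarize(router, packets):
    """Count PASS/DROP verdicts over a list of (src, in_iface) packets."""
    counts = {"PASS": 0, "DROP": 0}
    for src, iface in packets:
        counts[router.egress_verdict(src, iface)[0]] += 1
    return counts


if __name__ == "__main__":
    router = build_example_router()
    for src, iface in SAMPLE_PACKETS:
        action, reason = router.egress_verdict(src, iface)
        print(f"{action:4} {src:>14} in {iface}: {reason}")
    print(summarize(router, SAMPLE_PACKETS))
```

      The check is the strict form: the route back to the source must point out the very interface the packet arrived on, which is what makes the 192.0.2.55 packet fail even though the router has a default route. A looser variant (accept if any route to the source exists at all) would let that packet through and would therefore not break Agthorr's failover setup, but it also would not catch a customer spoofing the address space of another network, which is the trade-off coyote-san describes.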
  11. tell them by elliotj · · Score: 5, Interesting

    the more crypto the better. and don't try to legislate backdoors into it or anything.

    people need to realize that crypto is available to anyone with the ability to use it...it needs help in getting the average joe to use it.

    most people won't use PGP or something b/c it is too complicated. crypto needs to be built into office and internet apps from the ground up. strong crypto. stuff that can't be broken.

    people need to feel secure about these things. i think the govt has a lot to offer in promoting pki and such to get this in the hands of everyone.

    privacy is important. the govt needs to make a proactive effort to show that they believe in personal privacy and are willing to help make it happen online.

    1. Re:tell them by libre+lover · · Score: 1

      ... and the best way for this to happen is for the Gov't to drop all restrictions on the import/export of strong encryption. Besides, the cat is way, way out of the bag.

      --
      Error: .sig undefined
    2. Re:tell them by jbf · · Score: 1

      People don't use secure crypto because secure crypto is a pain in the rear from a user's perspective. Look at the way w2k requires reauthentication on wakeup. Nobody I know leaves that on once they know how to turn it off.

      If you take a secure program (say, PGP) and give a little on the UI (say, retain keys for ten minutes), you lose lots of your security.

      Crypto built into office apps? Why, if your OS is going to write your decrypted document all over your swap space?

      Besides, would you really want non-repudiation for all your emails? =)

    3. Re:tell them by Anonymous Coward · · Score: 0

      Crypto that can't be broken? What world do you live in? All things created by the human mind have in them the downfalls of the human mind .. or something like that. You would need something not created by humans in order for it to be unbreakable by humans. Also the government does not believe in personal privacy especially after the Sept 11 attacks, we all have a false sense of security, for every new program the FBI creates and we get wind of, there are probably a grotesque amount we don't know about. The first sign of tyranny is secrecy. Yeah I know conspiracy theory, but oh well...

    4. Re:tell them by KjetilK · · Score: 2
      While I agree with your basic point, that crypto should be available to anyone, I'm skeptical about making it too newbie-friendly. Crypto needs to be understood to be good.

      You can tell people to use a 2K bit key to sign everything they send you, but if they are fooled by a trojan displaying a popup saying "Sorry, I forgot your passphrase, could you please repeat it", then it is not going to give you any improved security. People have to be willing to gain understanding. As long as you tell them "you don't need to understand anything to use this", there is no security.

      --
      Employee of Inrupt, Project Release Manager and Community Manager for Solid
    5. Re:tell them by ethereal · · Score: 1

      Does "nobody you know" use a screen locker either? Because those situations are very similar. I think you just don't know anyone who cares about security :)

      --

      Your right to not believe: Americans United for Separation of Church and

    6. Re:tell them by Anonymous Coward · · Score: 0

      Not only for privacy but also for all authentication, signing, etc...

      Using cryptography, good cryptography (i.e. no back doors) and incorporating it into every authentication routine would allow for illegal activity to be traced much more closely.

      If you don't take these precautions then you shouldn't have a leg to stand on when bad things happen and the police shouldn't waste their time on people who wouldn't protect themselves.

      Only bad thing is you'd still be subject to idiocy and social engineering which will always remain the biggest problem of all...at least until biometrics and encrypted distributed authentication services are all integrated together.

    7. Re:tell them by remande · · Score: 5, Insightful
      I'll make a stronger statement on that. Any attempt to require back doors on encryption (e.g. the Clipper Chip) will significantly increase our risk exposure. Let me illustrate.


      A back door is really a master key. Government back door schemes require the encryption to have a back door key, and for the government to have that key.


      If you're paranoid about the government like I am, you can see where giving it the master key can ruin your day. But even assuming that the government is all white hat, you're still in deep trouble.


      That master key is worth hundreds of millions of dollars in the right hands. Organized crime could use that key to commit credit card fraud on millions of credit cards. This is also a great way for terrorists to get funding. Depending on the crypto scheme, it could be used to forge communications, rerouting shipments. If I had the Master Key and needed a couple of hundred pounds of plastic explosive, that would be my first idea.


      And that key can't be kept very secure if it's being used. Thousands of people, whether law enforcement officials or court officials, will have access to that key. Out of a thousand people, somebody's going to be bribable for a mere one or two million dollars. Or be required to hand over the key to get their loved ones back. Or write down their password and have their office computer broken into. It won't be too hard for a determined criminal to get that master key.


      I am a big fan of crypto, but I would honestly prefer no crypto to back door crypto. At least if you have no crypto you know you're not being spied on.

      --

      --The basis of all love is respect

    8. Re:tell them by Pike65 · · Score: 1

      Great. Then the only people able to read your mail will be the British Government (check point 11) . . .

      --
      "If being a geek means being passionate about something, then I pity those who aren't geeks." - Pike65
    9. Re:tell them by jbf · · Score: 1
      Let's see... I do research in security, I know people who've dedicated their lives to researching computer security. Few people use locking screensavers, few people would tolerate having to type their password/phrase over and over again to decrypt things. There are techniques (see the ZIA talk at http://www.research.ibm.com/compsci/mobile/seminar.html) for doing this more efficiently (from a user perspective), but they're a few years out.


      BTW locking screensavers like xlock are dangerous unless you can challenge the screensaver to authenticate itself before you give it a password.

  12. Require ISPs to bundle firewall software by linzeal · · Score: 2, Insightful

    At the very least a free one like Tiny Software. I'm sick of getting DOS attacks looking for IIS from zombies on my subnet.

    1. Re:Require ISPs to bundle firewall software by Telastyn · · Score: 1

      Which is not going to help the problem very much as the broken services are still running.

      How about Federal Scholarships for Network/System Administrators? The Secret Service already has some scholarships for "gifted" hackers, though they require service similar to military scholarships. Perhaps this could be extended to allow the students to work in the private sector.

  13. Two things by Anonymous Coward · · Score: 4, Insightful

    First, stay out of the way. don't meddle in things that you know nothing about. Don't place restrictions on security measures, a la encryption export. Don't mandate government backdoors and don't permit the likes of Carnivore and Magic Lantern.

    Second, concentrate on the government's own cyber security problems. Clean up your own house before you start trampling over mine.

  14. You're an attorney by cmclean · · Score: 0, Troll
    I am a California-based network security attorney

    So what are you paying for this consultancy work you expect us slashdotters to do, for you, for free?

    Seriously dude, you must be earning some big bucks, but you want us to do your job for you?

    Not flamebait pal, I'm serious. If you don't know the answer, go tell your client to find someone who does, it's the least you owe them.

    cmclean

    --
    "Any similarity between the hooting of a million eager monkeys and Slashdot is purely coincidental." -THEFLASHMAN
    1. Re:You're an attorney by sphealey · · Score: 2
      First of all, he is doing his job.

      Second, and most importantly, if he does in fact have the ear of a Senator, and if he is able to translate technical concerns into political babble, this is a very good opportunity to present concerns which aren't usually heard by the political class. And all without having to pay $250 for a plate of rubber chicken!

      sPh

    2. Re:You're an attorney by busterman · · Score: 1

      I realize this person is researching the topic using all available resources at his/her disposal, but what it really comes down to is do we really want the government to dictate network security to us?

      I certainly don't! Look at welfare. Look at social security. Look at government housing. How long do you think it would take the government to pass legislation on this topic? Come on guys, get real.

      As for all you whiners complaining about Microsoft products.....go make something better! Replace them! Quit your bitching, moaning and complaining. This is a republic founded on the principles of capitalism and free enterprise. Don't you think that if Bill Gates could become what he is today, that any of you are capable of the very same thing? Just because you're too lazy to do it is no excuse.

      To the lawyer: Tell your Congress person friend to go bark up some other tree and leave this alone. Consumers will dictate to the market the need for greater security in software, online transactions and information sharing. The market will respond in kind because they need the consumer dollars. It's all kind of symbiotic, really. We don't need Congress to tell us how to secure our networks. That is all.

    3. Re:You're an attorney by SirSlud · · Score: 2

      >Don't you think that if Bill Gates could become what he is today, that any of you are capable of the very same thing?

      Ever heard of morals? Capitalism discounts (or ignores, in the very least) the reality that people disagree with the very action of exploiting free markets and advertising dollar, not that they are just 'too lazy to do what Bill did.' Participants of this society think that he shouldn't have even been ALLOWed to do what he did. Reductionists like you will forever call 'JEALOUSY!' or 'ENVY!', but you're only doing yourself a disservice by not attempting to understand different mindsets and perspectives.

      Also ...

      Consumers may dictate the needs of the market, but those needs are often wrong, shortsighted, etc. Shit, look at the .com thing. People even /knew/, at the time, that consumers were asking for useless things, and companies kept fueling money into it. Consumers are, by definition, looking for gratification and/or solutions, for the individual (or small group). Solutions that benefit a broader population, including market 'compromises', rarely occur in a free-market scenario.

      And then ...

      Do you truly advocate that consumers SHOULD dictate the needs of the market? If that were true, drunk driving might actually be legal, and we'd be losing twice the amount of people to accidents. Nike and Gap et al would depend on FAR more child labour if the government did not impose certain levels of audits, etc, cause the consumers sure aint gunna stop buying so long as they don't have to look into the eyes of the kids making the clothing. Additional examples abound. At some point, the government's job is to protect its citizens from their own short-sightedness and lack of ability to have a broad view of their environment. The government should monitor and analyse its population, in order to provide common-denominator regulations to strike the best balance between technology adoption and standardization to promote equality in market participation. We don't trust the government these days, but that's because we send so many of the smart people into the private sector!

      You have to understand that doing what you want to do is not necessarily the best thing for you. This is what taxes are .. you may not like them now, but one day, they may just save the life or provide affordable housing to someone you love (although it's unfortunate we don't value this help when it goes to people we do not know/love/understand.)

      Unfortunately, as long as people like you exist, 'lazy' people will always have a justifiable ground from which to bitch, moan, etc. And hey, no one forced you to bitch about their bitching, know what I mean? If it aint your scene, keep to yourself; after all, you can be confident in your mindset that the market will always dictate the correct needs (including governing needs as the integration with the private sector continues, I assume), so you've very little to worry about, don't you?

      --
      "Old man yells at systemd"
    4. Re:You're an attorney by busterman · · Score: 1

      Well I certainly expected something like this. Yes how appropriate that you would expect that this would somehow lead to chaos by making drunk driving legal. Killing someone has nothing to do with this discussion. We're talking about network security. How you made the jump from that to legalizing drunk driving is beyond me. I see no way in which consumers could mandate that drunk driving become legal. If you can't stay on topic then don't bother posting.

    5. Re:You're an attorney by SirSlud · · Score: 2

      Lets see:

      Subject: Network security policies
      To prevent: Network attacks, abuse of data and IP
      Classification of offense it is designed to limit: Computer Hacking, now classified as terrorism, and/or writing insecure code and/or building insecure networks
      Punishment: Life in prison, also in aiding and abetting (even if you were unaware that you helped the offender), no statute of limitations
      Possible loss of offense: Everything from money (your entire business, for instance) to life (think about hacking air traffic control data), to national security details

      Subject: Drunk driving policies
      To prevent: Drunk driving
      Classification of offence it is designed to stop: Minor
      Punishment: A few years in jail
      Possible loss due to offence: From nothing to a few killed (or up to a dozen if you want to include pileups as a result)

      Your own government seems to classify the offences that network security is designed to prevent above those of drunk driving. Sure, drunk driving is far more visible, in that you can link the loss of life directly to the offence .. but that's what I'm talking about. The market is dumb. Just think about what has happened when the market has spoken on:

      - cigarettes (death, staggering burden on health care orgs .. and I'm a smoker .. ie, market speaks on consumables)
      - the environment (ie, market speaks on cars)
      - child labour (ie, market speaks on clothes)

      .. and all of these problems would be far MORE rampant were it not for government regulation.

      The market dictates NEEDS, but it never dictates RESPONSIBILITIES. Never did the market ask for breathalyzer ignitions, even if you seem so aghast to the idea that drunk driving is accepted by 'the market'.

      Network security is about enforcing the responsibility we all must share to make networks and the data they carry more secure. If you really think a market is going to mandate a responsibility upon itself that is probably not economically beneficial to the individual in the long run, but carries great social weight and overall economic 'insurance', you're out of your mind. Actually, no wait, you're just a good example of why the market has no place in the arena of technological and social responsibility.

      The market also dictates that women on television be 90lbs, and recent numbers show that 1 in 4 women below 30 have eating related issues. The market dictates that rap videos show gangers and hos and bitches, ensuring that negros retain this destructive image years after we thought we had licked this whole 'racism' thing. The market dictates poison, buddy. Whatever you or your friends or me or my friends want, you can bet it's bad for my loved ones, which is why I have no qualms about handing over such responsibilities to a government that would be free of private sector influences (ie, a government you could trust).

      I guess in light of the fact that it is difficult for a government to be impartial to corporate forces and to be, in general, trustworthy and smart, letting the market dictate the needs of the people is about our only option these days. Just remember that the reason the government is so fucked up right now is that the 'best and brightest' are driven to the private sector, where their talents can only be applied against a profit margin, not a betterment of a population.

      Factor in the miseducation of 'the market' (how many people actually know about the recent passport.com exploits) .. geez, I mean really, how can you honestly think the market chooses what's right? The market chooses what their neighbour has. The market wants to be coddled, loved, and cuddled, with no mention of responsibility, possible consequences of decisions and policies .. ah geez, I could go on and on. The market follows the illusion of wealth and happiness (in that order), not the reality of progress and safety.

      --
      "Old man yells at systemd"
    6. Re:You're an attorney by Anonymous Coward · · Score: 0

      No one here knows exactly who or what this guy is. He could be a reporter looking for ideas for all you people know. He rubs your belly and you roll over like a puppy...get real.

      If he was legitimate, he would put up a website, and announce it here, and elsewhere, and then summarize the input and later let us all see. As it is, he's too casual to be trusted with my opinion on any subject other than this one.

      /. has no more clout in the world than a year old pepsi commercial.

  15. Legislate Obscurity! by Anonymous Coward · · Score: 0

    Squash anyone who talks about vulnerabilities. Squash them like little bugs, BWAHAHAHAHA.

  16. IPv6 and IPSEC by PineHall · · Score: 5, Interesting

    If the government would require on all their networks IPv6 and IPSEC, that would go along way toward IPv6 and IPSEC being accepted and would improve network security. Nothing else needs to be done.

    1. Re:IPv6 and IPSEC by omnirealm · · Score: 2

      A bit of a history lesson for you. Back in the day, the 7-tier OSI network model was formed. The gov't ordered all systems to use it, thinking that it would steer the private sector to do the same. Well, the private sector saw the 7 layers as a bunch of idealistic nonsense, and went for the practical physical->ip->tcp->app model instead. The gov't eventually wound up reversing their original order.

      --
      An unjust law is no law at all. - St. Augustine
    2. Re:IPv6 and IPSEC by pjrc · · Score: 2
      If the government would require on all their networks IPv6 and IPSEC ... Nothing else needs to be done.

      So everyone can get their email virus executable attachments over encrypted links, and of course be duped into clicking on them by friendly-sounding language (as we saw once more just yesterday, Dec 4, 2001).

      All those encrypted packets are also going to somehow magically stop the worms that exploit known bugs (default.ida, etc), rather than simply encrypt the malicious queries as they make their transit to the public servers they compromise.

      The sad truth is that security bugs (or simply poor design, like allowing arbitrary code in attachments to be executed, not even in a sandbox) aren't going to get any better by encrypting the malicious data as it travels from the attacker to the victim. Encryption might even make companies like Microsoft even less concerned with their poor security design (if one can imagine that!), particularly when it comes to warning or preventing users from executing code that came from somewhere on the Internet.

      Neither will those fancy ciphers help to educate users, who are routinely duped into compromising the security of their computers/networks. It might even give them a false sense of security... "this attachment must be ok since our network uses encrypted packets"

      Encryption also doesn't help overworked, lazy or unknowledgeable system admins who leave holes in their firewalls (or don't have a firewall). Those malicious packets come in, get decrypted, and do the same damage they would have over unencrypted IPv4.

  17. Most important and significant problem by Cesaro · · Score: 5, Insightful

    The most important and significant problem is not putting the proper resources into getting that security. Upper level management are not technically minded folk, and they don't view computers as true tools. They don't understand the costs when you try to explain it to them. "I'd like to get around $200k so that I can physically separate out infrastructure and give us added security."
    Management: "I'll give you 2 un-trained contractors, a spool of thread, and a tin can."

    They just don't understand, or appreciate what computers provide, but yet they get irate when something happens. Therefore the largest hurdle to overcome is getting the senior people up to snuff, or willing to dish out the resources for what needs to be done above and beyond a simply reactionary level. To them, pro-active computer security is like flushing money down the toilet.

    1. Re:Most important and significant problem by Stonehand · · Score: 1

      Perhaps that wouldn't be the case if there were clear, severe penalties for negligence in implementation or design when it comes to leaking information.

      For instance, I'm not aware[*] of any major legal action taken against e-commerce companies which leak CC# numbers wholesale. AFAIK, they are not even obligated to pay any penalty or offer any compensation or assistance with, say, cancelling cards or contacting credit firms. If there were a steep price to pay for failure, then the cost-benefit analysis might swing towards security.

      [*] Not saying there aren't; there quite possibly have been. I'm just not aware of any yet. *shrug*

      --
      Only the dead have seen the end of war.
    2. Re:Most important and significant problem by rmckeethen · · Score: 1
      I have to disagree with this. In my experience, upper level management rarely has any difficulty understanding the dollars and cents security issues. They may not necessarily agree with my assessment that the company really does need to spend an extra $200k on tightening network security, but at least they understand the risks vs. costs part. No, I'd have to say that what upper management really has difficulty with is the intangibles of network security, the issues that can't always be easily translated into dollar amounts. Let me give an example to illustrate this.

      A couple of years ago, I worked for a Silicon Valley company that built network analysis equipment. In other words, a group of people who should know something about networks and security. For the sake of my stock options, they shall hereafter remain nameless. Anyway, about 6 months after I started working there as the network admin we had a new VP of Sales join the company. As one of his first official acts as our newest executive he calmly walked into my office, announced that he wanted me to set up his e-mail, network access, dial-up access, etc. and that I was to use his initials as both the username AND AS THE PASSWORD FOR ALL OF THEM! Before I could even choke out an answer, he gave me one of those meaningful, penetrating looks that I guess they teach you in VP school or something and then went on to inform me that he didn't want to hear the argument, he'd already heard it before, and that if I didn't do exactly what he asked, he'd go to our CEO and have him tell me to do it that way. And that, as they say, was that.

      Actually, I did end up talking this issue over with our CEO for about half an hour that afternoon and, try as I might, no matter what arguments I used, I could not convince him to let me enforce a better password policy. And this wasn't the only security battle I lost at that company. I also lost the battle on password lockouts due to one of our brilliant engineers' apparent inability to understand what the CAPSLOCK key did. After this engineer managed to beat a 20 try lockout policy one afternoon while I was out eating lunch, our VP of Engineering looked at me sternly when I returned and then explained in no uncertain terms that his people didn't need this kind of security and that they couldn't afford to lose time over this kind of nonsense. And of course, no matter what arguments I used, no matter how reasoned the points I made, the CEO refused to back me on this one and keep the lockout policy intact. Again, security lost out.

      In each and every situation I ran into there and, later on, at other companies, security always ended up being secondary to simple convenience. Any of my reasoned arguments to the contrary fell on deaf ears most of the time. What I failed to grasp then, and a good part of the reason that my carefully crafted arguments were so often unsuccessful, was that I simply wasn't speaking a language that most managers understood. Dollars and cents arguments, those kinds of arguments they do understand. Managers and executives are quite comfortable with money issues and in most cases, if presented with an issue couched in dollars and cents terms, they can and will make a reasonable choice. So these days I do my best when approaching these types of issues with management to phrase it in money terms if I can. "We can spend $100k on a really fancy firewall, or we can enforce good passwords, which way do you want me to go?" gets far more mileage than my other arguments ever did. But I have to admit that there are still a vast number of intangible security issues that simply don't translate well into these kinds of terms. And frankly, until they start teaching the value of computer security in MBA school or something, I think corporate computer security officers are always going to labor under an often short-sighted attitude that system security just isn't that important or worth the inconvenience to achieve. Until the attitude changes I predict that we will only see more and more break-ins and security failures. We won't see them because the people charged with security at the companies weren't trying, no, that's simply not the case. We'll see it because they are the only ones that are trying.
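As an added example (mine, not the commenter's or that company's), here is what the two controls the anecdote above describes, refusing a password that is simply the username and locking an account after repeated failures, look like when enforced in code. The usernames, passwords, the 20-failure threshold taken from the story, the lockout duration and the constructed clock are all assumptions for illustration.

```python
"""Minimal password-policy and account-lockout enforcement.
Constructed example; not code from the thread or any real system."""
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 20   # constructed: failures before lockout (the anecdote's figure)
LOCKOUT_SECONDS = 900    # constructed: how long an account stays locked


def check_policy(username, password):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    u, p = username.lower(), password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if u in p:                      # covers "initials as the password"
        problems.append("contains the username")
    if p.isalpha() or p.isdigit():
        problems.append("single character class")
    return problems


def _hash(password, salt):
    """Salted, iterated hash so a leaked store does not expose passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    def __init__(self, threshold=LOCKOUT_THRESHOLD, lock_seconds=LOCKOUT_SECONDS):
        self.accounts = {}
        self.threshold = threshold
        self.lock_seconds = lock_seconds

    def create(self, username, password):
        problems = check_policy(username, password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt, "hash": _hash(password, salt),
                                   "failures": 0, "locked_until": 0.0}

    def login(self, username, password, now):
        """Return "ok", "locked" or "bad". `now` is a clock in seconds,
        passed in so the example can be run with a constructed timeline."""
        acct = self.accounts.get(username)
        if acct is None:
            return "bad"                      # same answer as a wrong password
        if now < acct["locked_until"]:
            return "locked"
        if hmac.compare_digest(acct["hash"], _hash(password, acct["salt"])):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= self.threshold:
            acct["locked_until"] = now + self.lock_seconds
            acct["failures"] = 0
        return "bad"


def capslock_demo():
    """Constructed replay of the anecdote: a user with Caps Lock on retries
    the right password in the wrong case until the account locks. Returns
    (per-attempt results, a correct login during the lock, one after it)."""
    store = AccountStore()
    store.create("engineer", "Trout!Stream42")
    results = [store.login("engineer", "tROUT!sTREAM42", now=float(i))
               for i in range(21)]
    during_lock = store.login("engineer", "Trout!Stream42", now=30.0)
    after_lock = store.login("engineer", "Trout!Stream42", now=30.0 + LOCKOUT_SECONDS)
    return results, during_lock, after_lock


if __name__ == "__main__":
    print(check_policy("jqs", "jqs"))
    print(capslock_demo())
```

`capslock_demo()` replays the Caps Lock scenario: twenty wrong-case attempts lock the account, the correct password is refused while the lock holds, and it succeeds once the window has passed. That is the trade the anecdote is about: the lockout turns a run of mistyped passwords into a visible event an admin can investigate, and removing it to spare the inconvenience also removes the brake on online password guessing against that account.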

  18. So what would you have the government do? by KingAdrock · · Score: 2, Insightful

    I understand everyones concerns with Microsoft and their Passport technology. But what would you have the government do to change it? I think this is more of a case where if you don't want to use it don't. And if a company you deal with requires its use, talk to them.

    You can't have the government put a stop to a perfectly legal business practice by Microsoft just because you don't like it. I'm not sure government oversight would be a good thing either. I'm interested to know what you would want the government to do about it.

    1. Re:So what would you have the government do? by jslag · · Score: 1
      You can't have the government put a stop to a perfectly legal business practice by Microsoft


      Actually, if you wanted a certain business practice stopped, asking the gov't to make it illegal isn't the worst thing you could do.

    2. Re:So what would you have the government do? by number11 · · Score: 3, Insightful

      What to do? No, don't ban the business practice. Just ensure responsibility.

      We have a company (not just MS, but anyone) that holds user data (passwords, credit card info, whatever) accessible online (the proof of the pudding is in the eating.. if some cracker is able to access it, then it was accessible). Make that company liable for any real or consequential damages to users due to leakage of that data. Damages including value of time lost in changing passwords, dealing with credit card companies, whatever. Liable regardless of whatever EUL or click-thru smokescreens disclaiming liability they may have.

      Don't mandate *how* they should stay secure. Just make it clear that if they blow it, it's going to be very very expensive.

    3. Re:So what would you have the government do? by dillon_rinker · · Score: 3, Interesting

      But what would you have the government do to change it?
      Simple. Inform consumers of what we pros already know. Before using passport, you must read the 24 point disclaimer on the web page:

      "WARNING. ALL INFORMATION STORED IN THIS SERVICE MAY BE ACCESSIBLE BY CRIMINALS."

      Call it truth in advertising or whatever, but be sure that NO ONE can call their product secure unless it is.

    4. Re:So what would you have the government do? by chris_mahan · · Score: 4, Interesting

      Absolutely.

      I work at a bank. We have bi-annual audits, and if we screw up, the FDIC and other FEDERAL government agencies can shut us down. Literally. They can take away our charter as a bank, they can fine us, etc.

      I would say that leaving customer credit card information out in the open (meaning where hackers can get to it) is not only irresponsible, but also criminal. Make it a federal crime punishable by 10 years imprisonment and $100,000 fine per infraction, and then audit the hell out of anyone who accepts credit cards.

      This will force companies who want to trade online to REQUIRE their software vendors to CONTRACTUALLY guarantee that their software offerings cannot, under any circumstances, be breached by unauthorized personnel.
      This is already standard practice in the banking software industry, and it's usually one of the first things we talk about when reviewing potential software.

      Yes it's expensive, yes it's a pain, and yes it's required for the long-term stability of the banking industry.

      As far as what congress can do now: give more money to the executive branch for cyber-crime law enforcement.

      Related: For shipping companies to include 100% insurance in all shipments. Maybe that way they'll be more careful. And make it a violation of Federal law not to insure all packages 100%. Also, fine them if they don't pay the insurance settlements immediately. Like to the tune of $1,000 per violation per day late.

      People in America should not have to have a law degree in order to not feel at the mercy of multi-billion dollar corporations.

      These companies will complain and say that this will hurt their industry and the economy as a whole, but I say that's the opposite: If you have reliable shipments and safe payment systems, the economy will just ooze along nicely.

      --

      "Piter, too, is dead."

    5. Re:So what would you have the government do? by Anonymous Coward · · Score: 0
      These companies will complain and say that this will hurt their industry and the economy as a whole . . . If you have reliable shipments and safe payment systems, the economy will just ooze along nicely.

      Well said. At some level, all of us bear the burden of shoddy business practices. While individuals are free to take "risks" with these things, corporations that have been handed large sections of economic infrastructure should not be free to take similar risks with them. Unfortunately, that is not in line with the "business-friendly" attitude espoused by ditto-headed conservatives these days, so I fear your logic falls on ears that have been wilfully plugged.

    6. Re:So what would you have the government do? by chris_mahan · · Score: 1

      that's why i'm venting here... My congressman just sends me those "I'm doing a great job so send me money" letters.

      --

      "Piter, too, is dead."

  19. Prevent monoculture by Stinking+Pig · · Score: 2, Interesting

    Dictate that computing environments must employ a free mix of platforms and tools so that a single crack or worm can't be used to exploit the entire company/organization/network.

    --
    "Nothing was broken, and it's been fixed." -- Jon Carroll
    1. Re:Prevent monoculture by swordgeek · · Score: 2

      Nope, sorry. Bad idea. Won't work.

      Actually, it's not a bad idea. It makes good sense to have a variety of things going on in your environment, and not be able to take down an entire company with a single exploit. HOWEVER, the costs associated, the time involved, and the incompatibility issues go up stupidly once you've done this. Different hardware platforms mean you can't swap parts from non-critical machines when you can't get a replacement in an hour. Having multiple admins doing different work but only using 50% of each one's time is a huge waste.

      Mandating different systems is a great way to get people to ignore you completely, unfortunately. It just won't work in the real world.

      --

      "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
    2. Re:Prevent monoculture by rlp · · Score: 2

      Bad idea - this is akin to building a fence around your property using different materials ('cause you're not sure which is best) - steel, iron, wood, paper-mache, toilet paper, ...

      It's actually not a bad idea for handling some types of availability issues. A few years back, a British aerospace project used a redundant architecture with duplicate modules coded by different teams. That way a programming bug might take out one module, but not its replicated peer.

      --
      [Insert pithy quote here]
  20. I suppose it would be asking too much... by ptomblin · · Score: 2, Funny

    ...to implement the death penalty for anybody using Outlook or Outlook Express on my internal networks? It would make my life a lot easier.

    --
    The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
    1. Re:I suppose it would be asking too much... by Lozzer · · Score: 2, Funny

      It would go some way to solving the unemployment problems too.

      --
      Special Relativity: The person in the other queue thinks yours is moving faster.
    2. Re:I suppose it would be asking too much... by Anonymous Coward · · Score: 0

      It would go some way to solving the unemployment problems too.

      Yeah, but only in the marketing and sales departments... and God knows, there are plenty of retards to take their place.

    3. Re:I suppose it would be asking too much... by Anonymous Coward · · Score: 0

      Who modded this as flamebait?
      It should be modded up as funny!

    4. Re:I suppose it would be asking too much... by Anonymous Coward · · Score: 0

      How about implementing the death penalty for clueless admins who don't know how to configure OE properly to prevent security problems? It would make your life a lot shorter.

    5. Re:I suppose it would be asking too much... by Anonymous Coward · · Score: 0

      Why doesn't it have decent security set up to begin with? Why is it that I can open Excel files without a prompt, but not Word files (in Outlook, not OE)? Both can contain macro viruses, but only one (Word) has had serious problems with viruses in the wild. Why should the admin have to reconfigure what should be the defaults on every box? Come to think of it, why is the product so happy to run untrusted code?

  21. Egress filtering by cgleba · · Score: 3, Informative

    A professor at the University of Massachusetts named Brian Levine pointed this out and I wholeheartedly agree:

    It should be regulated that every network only allow their allotted IP to leave their network -- aka egress filtering.

    For example (using unassigned addresses purely for example), if you have a 192.168.5.0/24 subnet, you should not allow 10.10.5.0/24 addresses to leave it -- aka ONLY allow 192.168.5.0/24 addresses to leave it.

    If everyone did this it would solve most of the IP spoofing problems and add a lot of accountability without infringing on people's privacy. Massive DoS attacks could be traced and stopped.

  22. Security by exor · · Score: 1

    Have the government set up standards and ratings for security in software (i.e. what the DOD has done.)

    Require ALL O/S's, EMail, Firewall, etc. to meet or exceed the rating and put on their software package what security rating the software has.

    1. Re:Security by LordXarph · · Score: 2, Interesting

      Have the government set up standards and ratings for security in software (i.e. what the DOD has done.)

      Decent suggestion.

      Require ALL O/S's, EMail, Firewall, etc. to meet or exceed the rating and put on their software package what security rating the software has.

      BAD. Bad, bad, bad, bad, BAD. This is what the proposed SSSCA was supposed to do - regulate software design. Regulating software design is a TERRIBLE idea, as it leads to the issues we are just now starting to see - software that's legal in one country is illegal in another. Another issue is the very idea of a logo/rating program - it would favor the commercial sector to an unhealthy degree. With the fact that all OSS has release schedules of NIGHTLY, keeping the software in check with the legislation would be nigh impossible and significantly impinge on the ability of open developers to work on a project if they need government approval to release a new stopgap build.

      Read. My. ASCII. NO. SOFTWARE. REGULATION.

      -Lx?

  23. FOIA for private companies? by Stonehand · · Score: 2, Insightful

    Is there an FOIA equivalent for private companies holding data on people, along with an obligation for speedy correction -- including a good-faith attempt at propagating corrections to other data-holding companies if the misinformation was propagated?

    If not, perhaps there should be.

    --
    Only the dead have seen the end of war.
  24. just because they get exploited the most by eclectric · · Score: 5, Interesting

    doesn't mean they're the least secure.

    Exploits are still made against products that Microsoft secured over a year ago. And indeed, Microsoft gets exploited the most because they are used by the vast majority of non-technical users. Can you imagine what would happen if 90% of the computer-owning people used Linux? Every single hole in the OS would not only be exploited, but you could count on it being a LOT less likely that the average-joe user would *ever* update his software to fix the hole.

    1. Re:just because they get exploited the most by Daniel+Dvorkin · · Score: 4, Insightful

      Apache has more than twice the marketshare of IIS, but gets hacked less than a tenth as much. Now, it may be true that it takes more technical knowledge to set up and run an Apache server than an IIS server that is enabled by default in the OS ... but it doesn't take that _much_ knowledge, and it's certainly possible for inexperienced admins to make dumb mistakes that leave Apache servers open to attack. And yet Apache is much more secure in the real world. This isn't just a difference in the quality of the users; it's a difference in the quality of the products.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    2. Re:just because they get exploited the most by Anonymous Coward · · Score: 0

      Doesn't hurt that the hacking/cracking community hates M$ with a religious fervor and loves Apache, does it? Not that M$ didn't do some things to deserve some of this enmity.

      It's not all about product quality, and holding people responsible for product quality would be fine as long as you don't judge quality by other criteria like what is attacked most often.

    3. Re:just because they get exploited the most by Anonymous Coward · · Score: 0

      Apache may have twice the market share but studies have also shown that many of those "Apache Servers" are running on the same machine whereas Microsoft's IIS tends to be more of a stand-alone.

      Tell me, what's more secure... 100 Apache websites running on a single machine or 100 IIS websites running on 100 separate machines?

      Odds say that the 100 machines stand a better chance of being less secure...

    4. Re:just because they get exploited the most by Ubergrendle · · Score: 0

      I sense an MS troll, but I'll respond anyways... MS makes easy to use products. Cool, good for them, their application software isn't too shabby actually. But if we use a car manufacturing analogy, some cars have standard, others automatic. How long do you think the feds would allow automatics on the road if they were less safe, inferior quality, etc? Microsoft is awarded with good sales because they market simple to use products. If the quality of that product is lacking, however, they should suffer the consequences.

      --
      John Maynard Keynes: "When the facts change, I change my mind. What do you do?"
    5. Re:just because they get exploited the most by UtSupra · · Score: 1

      Actually, the reason IIS is exploited more is that once you know a server is running IIS you, basically, know the underlying OS and can in your own machine build a program that will run on the server, hence making the exploited hole more interesting.

      This is why Linux should never succeed on the desktop. Let's all be friends and use Mac OS X on the Desktop and Linux in our servers!

    6. Re:just because they get exploited the most by Anonymous Coward · · Score: 0

      Actually, the people I know who have hacked servers generally hit MS because it's so damn easy.

    7. Re:just because they get exploited the most by Screamer49 · · Score: 1

      Excellent Point eclectric.

    8. Re:just because they get exploited the most by karlm · · Score: 2
      Linux is usually less painful to upgrade. Microsoft security patches and service packs have had a bad track record of breaking existing software. I've heard of plenty of admins patching their development boxes, but being too afraid of getting fired if something broke to patch the production servers.

      Just before Microsoft decided to add IIS to their auto update site, a friend of mine got his IIS box hacked because he thought that the Microsoft automatic update covered everything that shipped on his CD, not just the OS. More support from Microsoft means less profit for MS. Now IIS is on MS's autoupdate site, but only because it made marketing sense. Let's face it, 100% of Microsoft's coding is devoted directly or indirectly toward profit. Until recently, only "ehh... good enough" security was the most profitable use of programmer resources. It'll take a little bit of time before Microsoft gets things up to their new standard of security. It remains to be seen what exactly that new standard looks like.

      I set up my Debian box to run apt-get update and apt-get upgrade daily. My software is never more than 24 hours out of date. More importantly, I have no fears of upgrade breakage. Autoupdate and up2date do similar things for RedHat.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
    9. Re:just because they get exploited the most by Spl0it · · Score: 1

      Actually those ppl do it because it's really frickin' easy.. if you have some interest in securing systems and are a cracker, as ppl love to deem those ppl, then they will target un*x more than M$ :P

      btw.. 5 years ago I was an avid Linux user who would enter systems without authorization to play around and learn things :o..yes I know it's wrong but I never used it for negative things (ie. steal cc#, take down sites, etc..)
      I only say this because my nick name was my idea of a new name which I invented from the word "Exploit"

      --

      No, this is
  25. As a recipient of a subpoena... by dfeldman · · Score: 5, Interesting
    A few years ago I worked as a sysadmin at a moderately large company. We had a pretty big turnover problem because our company's marketing efforts tended to attract job applicants who were "green" college grads, lazy, troublemakers, and looking for a "fun" workplace with foosball tables and free snacks. Needless to say, they did not fit in at the Fortune 500 company where I worked.

    One of these employees got bored with his coding tasks and, with no previous exposure to a broadband Internet connection, apparently decided to become a script kiddie on company time. From all outward appearances, he got pretty good at it, but one day it caught up with him: U.S. Marshals came into my office and served me with a court order that asked for many, many pieces of information that would tell them who had been cracking systems from our corporate network.

    I had no problem turning this information over, as the other choice was to go to jail and let the hacker go free. However, I was appalled with the way the marshals treated me: they knew that I was just the sysadmin, not the perpetrator, but they still treated me like a criminal. When I told them that our NAT setup doesn't keep logs of every single outgoing connection from our network (as had been requested in the court order) they got really pissed off and started threatening me. At that point I told them that I was not going to do anything for them without talking to counsel, and they backed off.

    So, the moral of the story here is that law enforcement needs to show more respect for sysadmins, and learn the difference between a network admin and a criminal on the admin's network. Treating everybody as though they are all guilty will only build resentment and get in the way of getting their precious case solved.

    df

    1. Re:As a recipient of a subpoena... by Anonymous Coward · · Score: 0

      And as someone who has also had a malicious user on a network I was running, I agree. Although I did not experience government involvement, I got enough nasty emails from people who were being portscanned from my netblock and were attacking me personally.

      A little politeness can go a long way. You want my help stopping a malicious person from scanning you, treat me with respect.

    2. Re:As a recipient of a subpoena... by Crispin+Cowan · · Score: 1
      At that point I told them that I was not going to do anything for them without talking to counsel, and they backed off.

      You should not do anything at all without talking to the company's counsel, lest ye get a lawsuit from the accused.

      Crispin
      ----
      Crispin Cowan, Ph.D.
      Chief Scientist, WireX Communications, Inc.
      Immunix: Security Hardened Linux Distribution
      Available for purchase

    3. Re:As a recipient of a subpoena... by PseudonymousCoward · · Score: 1

      Was your resident script-kiddie using IP-spoofing? Had you (have you) implemented egress filtering?

      --
      If it isn't true, don't say it. If it isn't helpful, don't say it. If it's true and helpful, wait for the right time.
  26. Responsibility by Alien54 · · Score: 5, Insightful
    I do not know how you would do this, or what the right way to do it is, but I would like to see some responsibility for writing or creating secure systems.

    I am thinking specifically of Microsoft, and the Microsoft Outlook Email Viruses, but this could certainly apply to plenty of other companies.

    If companies are merely licensing the use of the software to us (and we do not own it), and charging the big bucks, shouldn't they be responsible and/or liable for the consequences - damages from using it? Or is this a matter of they get all of the benefits, and we get all of the problems?

    --
    "It is a greater offense to steal men's labor, than their clothes"
    1. Re:Responsibility by OSgod · · Score: 1

      Isn't that the responsibility of free software? To provide software that is better, more competitive and available so that no one will use the inferior Outlook that is riddled with security issues?

      Wait, I forgot -- NO VIABLE COMPETITION EXISTS IN THIS MARKET SPACE -- obviously because MS is a mean company that doesn't allow it.

    2. Re:Responsibility by thrig · · Score: 2

      Responsibility may be better served through higher insurance rates for "known" buggy software, rather than Government red tape.

      Though there is always the "utterly secure today, completely broken tomorrow" problem with software as new attack methods come to light, which would complicate insurance/government penalties...

    3. Re:Responsibility by Ceinwyn · · Score: 1

      I am thinking specifically of Microsoft, and the Microsoft Outlook Email Viruses, but this could certainly apply to plenty of other companies.

      I could see something like this for systems which claim to protect your security (such as banking software, etcetera) but for the most part this is along the same lines as when some states decided to sue gun makers because their product can be used for illegal activities and can hurt/kill people. Just because Microsoft makes a product that can be exploited doesn't mean they should be responsible for its uses; granted, I believe their products to be bug-ridden and full of security vulnerabilities, but in the end it is my decision to use some of their software.

      Microsoft isn't the only one with security vulnerabilities, they are just the ones who fix things the slowest. I wouldn't mind seeing some legislation that requires action to fix a vulnerability once it is found within a reasonable time frame.

      Ceinwyn

    4. Re:Responsibility by Pussy+Is+Money · · Score: 0

      Have you thought this through? If people can be held responsible for bugs in software, then how can little people keep developing software?

      --
      Pushin' 'n dealin', shovin' 'n stealin'
    5. Re:Responsibility by Anonymous Coward · · Score: 0

      The states sued certain gunmakers for their marketing tactics.

      Most of us should have no problem with Smith & Wesson marketing rifles and shotguns in hunting magazines.

      But someone would probably get fired up [sic] if said ads advocated shooting cops (the NRA has come close a few times...). Now what if the ads were of black inner city youth being portrayed as "if you have this gun, no one will be able to stop you"? Or, what if there were no ads, but the only place the company sold their product was through "sales agents" that worked out of the trunks of their cars in back alleys?

    6. Re:Responsibility by OSgod · · Score: 1

      Or more specifically Linux because it allows script kiddies to gain that much more power... it might seem "right" for the government to limit the OS so the user cannot have the power to hurt themselves or others. If that's the case you can kiss your freedom of OS goodbye.

      Remember the action the government takes is one of control -- and the very spirit of open source is to deliver the control to the end user. Government gets involved and open source must go.

    7. Re:Responsibility by kinghype · · Score: 1

      If you have complaints, come up with something better.

    8. Re:Responsibility by Anonymous Coward · · Score: 0

      Your glib response aside, there are some areas of computing where software patents stand in the way of offering compatible competition. This is one of the reasons why software patents are a bad idea and should not be allowed. For those areas yet unpatented that don't have free software replacements, one will be better served by asking oneself "What am I doing to help free software offer something better?".

    9. Re:Responsibility by Anonymous Coward · · Score: 0

      "...ads advocated shooting cops (the NRA has come close a few times...)."

      Please provide evidence of where the NRA has ever advocated the shooting of cops.

    10. Re:Responsibility by Anonymous Coward · · Score: 0

      And when my Linux box gets rooted? What company do they go after then? I seem to remember some nasty security holes found recently in the kernel. The kernel isn't owned by Red Hat or Mandrake. Do they go after Linus?

    11. Re:Responsibility by slepzelt · · Score: 1

      Maybe I'm just being obvious here, but this sounds to me like a situation where the shotgun malfunctioned and blew someone's head off. In such a case it's perfectly legitimate to sue the gun maker.

      The situation you're talking about is if someone were to sue Microsoft because some script kiddie used a Windows box to break into their system.

    12. Re:Responsibility by OSgod · · Score: 1

      Frankly -- my company doesn't write commercial software -- we buy it to use it to run our business.

      If our business were software we would write software. Since it's not we can just buy what we need and life goes on.

      Frankly this view is held by the majority of businesses out there. The issue is not community -- it is how can I do my business better/cheaper/faster.

    13. Re:Responsibility by Ceinwyn · · Score: 1

      Not at all. Microsoft's products allow script kiddies et al to exploit a vulnerability in their software. The product itself does not malfunction and send out malicious data to thousands of people. In the case of guns, people weren't suing because the gun malfunctioned but rather because guns were used in crimes and people were injured, thus costing the state & taxpayers money. In NY at least they were suggesting that the sale of guns helped contribute to and maintain a public nuisance.

      IMO frivolous lawsuits are a public nuisance.

      My original intent here was to suggest that if a vendor makes a product they are not ultimately responsible for what users do with it, i.e. exploit it, commit crimes, whatnot. Yes, a vulnerability in the software allowed someone to take advantage of it, but the responsibility must be put on the person who took advantage of it, not the manufacturer of the product.

      With that being said, it is indeed the responsibility of the manufacturer to repair the vulnerability once it is known. In the non-software world this happens through recalls. The major problem is that Microsoft usually does not make a good faith effort to stop people from exploiting vulnerabilities in their software.

      Ceinwyn

    14. Re:Responsibility by Anonymous Coward · · Score: 0

      It sounds like your company doesn't care very much about the security issues you complained about relative to other things. Perhaps your company hasn't seen much loss from insecure software, I don't know exactly what the problem was. However, it's hard to take complaints like yours seriously because on the one hand you're frustrated enough to complain about the software (Microsoft Outlook is "riddled with security issues") and on the other hand your company chooses to continue using it. If I'm to believe actions mean more than words, I have to believe the problems can't really be as costly as your words suggest.

      A couple of years ago my company started taking a different approach: they hired programmers for job-for-hire short jobs (and got new employee programmers in a couple cases where the job was sufficiently big) to get the software we needed written. The company did this because the complaints about various Microsoft software being broken, not working with other MS titles as advertised and MS software being insecure were costing employees (and thus the business) valuable time. Instead of working on billable hours we were busy cleaning up after messes due to Microsoft's bugs (bugs they wanted to charge the company to fix!). Now we get all the benefits of being able to shop around to get bugs in our software fixed. Management found it incredibly freeing and less expensive in the long run to not buy into a support monopoly that wasn't responsive to our needs.

  27. Since there's no carrot..... by AndyS · · Score: 1

    Maybe it's appropriate to use a stick?

    If somebody gets rooted, and after being warned, does not clean the rooted box, then they could be fined. I'd imagine very few attacks are managed from home boxes, and a significant number of DDoS attacks come from rooted boxes. It's not impossible to find out what these boxes are, and people on high end connections could be pushed to comply with the threat of fines.

    As well as this, ISPs could be required to do egress filtering, to reduce the incidence of IP spoofing in attacks, amongst some other simple solutions. I imagine both of these would help to some degree at least.
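Egress filtering, as explained in post 21 and picked up again here in post 27, as an added example that is not code from the thread: a small Python simulator of the source-address check a border router applies (forward only packets whose source lies in the network's allotted prefixes, count and report the rest), plus the equivalent iptables rules. The prefixes, sample packets and interface name are constructed assumptions for illustration.

```python
"""Egress filter simulator for the rule described in the thread (posts 21 and 27):
only the network's allotted source addresses may leave it.

Constructed example, not code from the thread: prefixes, packets and the
interface name below are illustrative placeholders.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from collections.abc import Iterable
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal outbound packet: only the header fields the filter inspects."""
    src: str
    dst: str
    proto: str = "udp"


class EgressFilter:
    """Border-router egress rule: forward only packets whose source address lies
    inside one of the prefixes allotted to this network; drop everything else."""

    def __init__(self, allotted: Iterable[str]) -> None:
        # strict=False accepts "192.168.5.1/24" as well as "192.168.5.0/24"
        self.allotted = [ipaddress.ip_network(p, strict=False) for p in allotted]
        # Dropped source addresses, counted: this is the accountability the thread
        # talks about, since a spoofing host shows up here rather than at the victim.
        self.dropped: Counter[str] = Counter()

    def permits(self, src: str) -> bool:
        """True if src falls inside an allotted prefix of the same IP version."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False  # unparsable source: never forward it
        return any(addr in net for net in self.allotted if net.version == addr.version)

    def apply(self, packets: Iterable[Packet]) -> list[Packet]:
        """Return the packets that are allowed out; tally the rest by source."""
        forwarded: list[Packet] = []
        for pkt in packets:
            if self.permits(pkt.src):
                forwarded.append(pkt)
            else:
                self.dropped[pkt.src] += 1
        return forwarded

    def spoofed_report(self) -> list[tuple[str, int]]:
        """Dropped sources, most frequent first, for tracing the spoofing host(s)."""
        return sorted(self.dropped.items(), key=lambda item: (-item[1], item[0]))

    def render_iptables(self, upstream_iface: str) -> list[str]:
        """Equivalent IPv4 rules for a Linux border router (interface name assumed):
        accept allotted sources on the upstream interface, log and drop the rest."""
        rules = [
            f"iptables -A FORWARD -o {upstream_iface} -s {net} -j ACCEPT"
            for net in self.allotted if net.version == 4
        ]
        rules.append(f'iptables -A FORWARD -o {upstream_iface} -j LOG --log-prefix "egress-spoof "')
        rules.append(f"iptables -A FORWARD -o {upstream_iface} -j DROP")
        return rules


# Constructed sample traffic leaving a network allotted 192.168.5.0/24 (the
# thread's own example prefix). 10.10.5.7 and 203.0.113.9 are spoofed sources.
SAMPLE_PACKETS = [
    Packet("192.168.5.10", "198.51.100.20"),
    Packet("10.10.5.7", "198.51.100.20"),
    Packet("203.0.113.9", "198.51.100.20"),
    Packet("10.10.5.7", "198.51.100.21"),
    Packet("192.168.5.200", "198.51.100.22", "tcp"),
    Packet("fe80::1", "2001:db8::1"),  # no IPv6 prefix allotted, so dropped too
]


def run_example() -> tuple[list[str], list[tuple[str, int]]]:
    """Filter the sample traffic; return forwarded sources and the spoof tally."""
    egress = EgressFilter(["192.168.5.0/24"])
    forwarded = egress.apply(SAMPLE_PACKETS)
    return [p.src for p in forwarded], egress.spoofed_report()


if __name__ == "__main__":
    out, spoofed = run_example()
    print("forwarded:", out)
    print("dropped (source, count):", spoofed)
    print("\n".join(EgressFilter(["192.168.5.0/24"]).render_iptables("eth0")))
```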

    1. Re:Since there's no carrot..... by loopyfx · · Score: 1

      Yea, but that isn't fair to the ISP. Egress filtering is just more processing, requiring more equipment, more electricity, all at the expense of the ISP. It is their responsibility to provide bandwidth and keep everything up, not to filter it. In Cisco the other day we learned that the ISP's responsibility ends at the POP, which means company networks are out of it. I think it is up to the companies themselves to regulate security.

    2. Re:Since there's no carrot..... by biohazard99 · · Score: 1
      This sort of action would probably balance out; let's take a cable modem service for example.

      Major trojan hits their network and their clients are spitting out spoofed packets to DDoS a site. Let's say that this hammered their backbone connection at 90% utilization, leaving 10% for legit traffic.

      Now to maintain QoS to their customers (128Kb-1.5Mb tiered) they have four options:

      • Say piss on QoS and have customers leave
      • Shell out big bucks for another uplink to UUNET, et al.
      • Wait for a patch...
      • Egress filter

      As a sysadmin and a customer, I like the filtering idea myself.

  28. How about.. by Anonymous Coward · · Score: 1

    How about some laws condoning mailing lists and other security forums like bugtraq, encouraging full disclosure, and the like.

    These can be made with the argument that security is not a definite thing. While there may be NO holes in operating system Y, there most likely is something that could be found. Now say OS Y secures 85% of networks. Without full disclosure, the vendor of OS Y is allowed to keep people in the dark, especially smaller customers, about any problems with OS Y.

    Asking Congress to 'get out of the way' is only going to let things get worse, as the security community will be seen as having little opinion, while big corporations trample over common practice and common sense.

    Also, a nice governmental security law would be 'Any arm of the government is only allowed to use software that has the source code available and publicly auditable, or something that has been developed in-house.' Does it really make sense to have company Z providing government 'security'? Sure, if company Z puts back doors in their products, and causes damage to another company, they can go to court together. But what happens when the government can't sue company Z because company Z now controls the court system with their backdoors?

    1. Re:How about.. by Anonymous Coward · · Score: 0

      Disclosure is only necessary because companies don't patch security holes quickly. In an ideal world the government would simply fine companies that didn't patch their security issues quickly and discreetly, contacting customers directly, etc. Or maybe give the responsibility of finding security holes to CERT or some such. The government AFAIK doesn't officially sanction "consumer advocacy" groups, which is functionally what Bugtraq and its ilk are.

  29. Don't Attempt to Regulate by Bob(TM) · · Score: 4, Redundant

    Congress doesn't regulate whether individuals or corporations lock their doors, install security alarms, or any of a plethora of physical security measures. Then, why would I want them to step into the fray and regulate security responses and policies in cyberspace?

    To begin with, the government doesn't move fast. Given that the time scales associated with IT are becoming smaller and smaller, the iterations would go through many cycles before Congress knows what hit them. Attempting to regulate the arena would get in the way.

    Secondly, Congress obfuscates rather than clarifies. Look at the DMCA - which causes more problems for the industry than it solves. It's great for the conventional copyright holder but has the effect of stifling digital advances. Congress moving to mandate information security policies or measures would be the same thing - the paradigm they are working under doesn't apply well to this technology or the time scales under which it operates.

    Let the industry that's used to the pace of things set the policies. Congress is better suited to time scales where change occurs in years, not days.

    --

    The little guy just ain't getting it, is he?
    1. Re:Don't Attempt to Regulate by websensei · · Score: 2

      Congress doesn't regulate whether individuals or corporations lock their doors, install security alarms, or any of a plethora of physical security measures. Then, why would I want them to step into the fray and regulate security responses and policies in cyberspace?

      <opinion>
      While I agree that Congress passing new laws is not a good approach to solving security and privacy problems on the net, I think your analogy is fatally flawed. Individuals failing to lock their homes' doors negatively affects only those individuals themselves, if a criminal takes advantage of their negligence. However, a sysadmin who fails to take seriously the integrity of his/her network or server(s) potentially (and often, historically) contributes significantly to criminals' power to harm others.
      There's a crucial distinction.
      </opinion>
      --

      La via sola al paradiso incommincia nel inferno
    2. Re:Don't Attempt to Regulate by Bob(TM) · · Score: 2

      Excellent point. However, I would say the analogy still holds in much the same way that the Government does regulate security issues associated with sensitive areas (nuclear power plants, etc.). But the regulation has to do with a sector that is particularly well positioned to be harmful, not the general sense.

      Extending back to the original analogy, the regulations should apply to what's behind the door, rather than to the fact that you have a door.

      --

      The little guy just ain't getting it, is he?
    3. Re:Don't Attempt to Regulate by Jumperalex · · Score: 1

      Good counter point. And what most posts have been saying is that anyone who is dealing in personal information (which could aid in identity theft) or financial information (which could aid in monetary theft) should be held accountable and regulated. Much like another poster mentioned when talking about the Banking industry, both physical and software sides.

      So, taking your comment into consideration, which I do see being a good point, it would seem to be that companies dealing in software that is used for such purposes should be regulated. That would mean having a version that is "Certified to comply with blah Regulation" and another that isn't. Obviously the price would be higher just like the price for current, regulation adhering bank software is likely more expensive. That IS part of the cost of doing business where failure isn't an option, kinda like how airplanes have much stricter regulations than cars >:-)

      But let's not forget basic consumer protection which doesn't have to extend fully into the security arena. If I buy an item with my money it should damn well work. I don't care that the company tries to disavow any responsibility in their barely legally binding EULA and I think there should be some legal guidelines set forth limiting such statements that claim to eliminate liability. You know like how Limited Warranties are not legal in some states and the little card you get even says so.

      So while I agree that with respect to security demands, what is behind the door should be the more critical driving factor, I also think that basic consumer protection of the operation of my system needs to also be an issue. And hence I relate back to my previous comment that it might very well require a version of the software that is more stringently tested and thus "Certified" while another is less so. Sorta like how you have FreeBSD Stable versus Current. They are the same base core but one is considered more robust due to testing.

      --
      If you can't be good, be good at it!
  30. Webcurity? by Anonymous Coward · · Score: 0

    Based on the design and implementation of the Internet on the whole, I think the government could only do harm to it as it exists today. The business machine has done its damage to the concept of free thought and information already. My advice: STAY AWAY
    The last thing needed is more excuses for large corporations to harass people just trying to voice their thoughts. While help in punishing hackers would be helpful to admins on the whole, I think perhaps it would do more damage than help.

  31. Bam.... by Anonymous Coward · · Score: 0

    That is an *excellent* suggestion. I hate "Me Too'ing", but this needs mod'ed up. Feel free to mod me down while mod'ing the parent up.

  32. Patch acquisition and rollout needs to be simple by bbk · · Score: 1, Offtopic

    Plain and simple, getting patches and rolling them out is a pain in the ass, for most vendors' products. I've switched most of my servers to BSD based systems, simply because it's easier and simpler for me to stop a service, do a cvs update against the patched source tree, compile and reenable the service, than it is for any other operating system.

    Windows update is ok (the 75% of the time that it works), but there are far too many interdependencies between products - for example, to apply the latest Outlook 2000 bugfix, you need to download a 50MB patch for all of Office 2000, and have an Office 2000 disk around - since all my Outlook 2000 installs came with Small Business Server, I don't have this, and can't apply the patch.

    In short, it needs to be easier to patch systems - so simple, that people will bother to do it on a regular basis.

    BBK

    1. Re:Patch acquisition and rollout needs to be simple by Flower · · Score: 2
      That's cool but what is the government going to do about it? Regulate it? Fine any company that cannot produce a patch system that 99 out of a 100 MCSEs can use? A tax incentive for a company that currently doesn't actually pay any real tax?

      Quite simply, when it comes to technical implementations the government needs to butt out and scale back. Someone has already posted that he thinks government is too slow to react to the tech sector; well, imo, government is too reactionary to regulate it well.

      Take one of /.'s favorite whipping boys - the DMCA. When Clinton signed it even he commented that the law would be hashed out in the courts. By most legal analysts' accounts it went far beyond what the WIPO treaty called for. IMO, it's simply a bad law.

      But it's not just a bad law because of what it does with Fair Use, the 1st Amendment, etc. It's bad law because it allows a vendor to obfuscate their product and stifle commentary on it.

      For example, I work for a newspaper. We want to start charging for some content we host on our website. A vendor that provides such a solution would charge us a ton of money to use their product which they claim is secure and has DRM built-in. Well, it uses pdfs.

      Now there is a great little tool out there that I could use to evaluate this vendor's product called the Advanced E-book processor. I know from the research a certain Russian programmer did that pdf security sucks but as he's in jail for helping to create AEP I'm loathe to use the program. Even worse, I'm loathe to use any program to test this solution. What happens when I reveal my results and the vendor finds out?

      The funny thing is, I work in an industry the DMCA was designed to protect but can't use certain tools to make informed business decisions because the same law makes useful tools illegal. Now where is my ability to say "I cracked your product in 10 seconds using a tool available over the Internet. We're willing to accept that but not at the price you want to charge us for your solution because, obviously, your product doesn't work as advertised. How about we knock a hundred thousand off?"

      Yes, I want something better than Windows Update too but not because the government intervened to make it so. I simply have no faith that they could do so in a timely and thoughtful fashion.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
  33. secure mail service by 4im · · Score: 2

    What I'd like to see is forcing mailserver default installs not ever to be open relay configs. One of the biggest pains right now is spam, largely enabled by open relays (besides clueless admins). Spam is theft of resources, can result in DoS, and should be outlawed.

    Oh yes, force producers of email clients to use secure default settings. Deny *Script in emails, automatic opening of attachments even in preview mode etc. (thinking of Outlook [Express]). This would massively reduce damages by email worms.

    Yet another point: get the ISPs to actually *do* something about abuse complaints [when they are reasonable].

    1. Re:secure mail service by buzzbomb · · Score: 1

      Yet another point: get the ISPs to actually *do* something about abuse complaints [when they are reasonable].

      Preach on, brother. This has been my biggest problem with spammers to date. You (or a newsgroup) get spammed, you do the right thing and send an email to abuse@domain.com (headers et al) and they do NOTHING.

      When they don't follow their own TOS and AUP, why should they expect the scumbags on their network to do so?

    2. Re:secure mail service by The+FooMiester · · Score: 1

      Preach on, brother. This has been my biggest problem with spammers to date. You (or a newsgroup) get spammed, you do the right thing and send an email to abuse@domain.com (headers et al) and they do NOTHING.

      I change the title of the message to something like "please deal with [lusername]" and **forward** the spam to the following addresses:
      root@ abuse@ service@ sales@ support@ techsupport@ admin@ help@

      I receive very little spam.

      --
      The previous has been a secret message to my comrades.
    3. Re:secure mail service by Anonymous Coward · · Score: 0

      How about, as a first step, encouraging mail services to reject e-mail that does not contain a valid from address, or at least those without the proper form of an e-mail return address. When a domain name does not fit the valid scheme of name.xxx where xxx is one of the top level domains, it should be rejected. That would get rid of 50% of the spam I receive.

  34. National security concerns by JMZero · · Score: 1

    The government should invest in improving and securing Internet, ATM, and telephone infrastructure. Remember reading about the key extraction test on the ATM machine a month or so ago? What if terrorists performed such an attack?

    The government needs to be working to ensure security at banks and other institutions whose failure would be catastrophic.

    And don't make cloning illegal.

    --
    Let's not stir that bag of worms...
  35. My experience by LWolenczak · · Score: 2

    I would say the greatest issue is response by ISPs and groups who seem to have been a source for an attack. I NEVER hear back from IP address block owners; it's rare. In maybe three or four HUNDRED emails, I have only gotten one response from a person. In all honesty though, no amount of legislation or tax incentives can help that.

    I think it would be best if the US Government, My Government, took a hands-off approach, but while encouraging insurance companies to give incentives to customers who maintain high security networks. Government Control of technology, Outlawing of the tools, will only make things worse, because only the crooks, script kiddies, and outlaws will have the tools and technology.

    The internet is an international, boundless medium, and only a community effort, with the cooperation of ISPs and companies who hold massive networks, will keep the net free, and allow net admins to hunt down, and stop people who are doing things that cause net admins trouble in their job. I mean, I would be much happier if one ISP out west would email me about one of their customers who has a box that is scanning one of my customers just about every three weeks.

  36. Don't criminalize security research by mikej · · Score: 5, Insightful

    There's an ongoing trend to criminalize the tools and speech used to conduct security research; This is the single most frustrating aspect of the government's involvement in network security. Lists like bugtraq and tools like nessus and nmap are absolutely vital to the health of a network-connected system. Some suggested legislation would make all security discussions criminal, some would allow such work to only be conducted by approved organizations; Both would shatter the ability of the individual administrator to effectively secure his systems. If I could make one and only one request it would be to specifically disallow legislation that attempts to let companies involved with the internet take the security ball to their private court and bounce it around, leaving individual system administrators with no tools and no forums in which to discuss their own defences. In short: keep public, individual security research legal.

    Thanks, and good luck.

    --
    Ideology breeds Hypocrisy. Just how much is up to you.
  37. The Answer is Simple... by Electric+Angst · · Score: 4, Funny

    Federalize computer security. Make network admins another part of the executive branch, like the FBI, NSA, or ATF. Assign agents to every business with an internet connection (more significant the connection, more agents). Give them the authority to break down the doors of the script kiddie attempting to zombie users' workstations and point a gun at their head.

    --
    Feminism is the wild notion that women are human beings.
    1. Re:The Answer is Simple... by Anonymous Coward · · Score: 0

      What is John Ashcroft doing posting on Slashdot???

    2. Re:The Answer is Simple... by Anonymous Coward · · Score: 0

      As much as we all hate the government getting mixed up in computer stuff, that actually might be a good idea. Many companies don't seem to care about security, so a federally-mandated security guy would probably help.

      Of course the effectiveness would be dependent on how trained they are and how quickly they can change policies to reflect new security problems. If they act anything like the other government beaurocracies (spelled wrong, I know), it simply won't work.

    3. Re:The Answer is Simple... by sammy+baby · · Score: 2
      Make network admins another part of the executive branch, like the FBI, NSA, or ATF. Assign agents to every business with an internet connection

      This is a suggestion so terrible that I suspect it may be a troll. Nevertheless:

      Please, for the love of all that is good and right and doe-eyed cute, don't do this. Even I, a guy with somewhat leftist politics by any reasonable metric, think that this would be an awful idea.

      First: you're either assigning existing officers to these tasks (they're already over-committed), hiring new ones (spending assloads of tax money to hire tens of thousands of new field agents), or federalizing private positions (taking private sector employees and slashing their salaries to government rates). None of these sounds like a recipe for success to me.

      Second: law enforcement's supply of clueful computer people is shamefully low. I had the "pleasure" recently of attending a convention "CEO's dinner" at which an FBI agent working on computer security issues from our local branch office gave an "executive overview" of security issues from a law enforcement officer's point of view. In summary: it was terrible. It was clear that the guy was in over his head. For example, I usually accept it as a given that someone speaking on pirated software will understand that "warez" rhymes with "shares," and is not pronounced "Juarez."

      I could go on, but the thought of all these new agents, coupled with the wasabi green peas I'm eating, is bringing tears to my eyes. I'm gonna go have a lie-down.

    4. Re:The Answer is Simple... by Electric+Angst · · Score: 1

      Well, I was joking. Getting the comment modded up as insightful was a bit of a shock.

      A part of it I was going to include (but forgot to type up before hitting submit) was how having these agents would give the government the ability to view network activity whenever they needed, and not have to worry about an uppity admin. That would have probably given it away, though...

      --
      Feminism is the wild notion that women are human beings.
    5. Re:The Answer is Simple... by Syberghost · · Score: 2

      Please, for the love of all that is good and right and doe-eyed cute, don't do this. Even I, a guy with somewhat leftist politics by any reasonable metric, think that this would be an awful idea.

      Every argument you made against doing this with network security applies equally to doing it with the environment, among other things.

    6. Re:The Answer is Simple... by Electric+Angst · · Score: 1

      No, not really. Aside from the whole "government is lazy and inefficient, business is much better" myth (many public agencies are far more efficient than private counterparts), you have to consider that the internet, while now a vital part of our economy, is not as important as the air we breathe. Trying to say these arguments apply to environmental protection is like trying to say that the internet and the real world are similar things. That leads me to believe someone hasn't gone outside recently.

      --
      Feminism is the wild notion that women are human beings.
    7. Re:The Answer is Simple... by sammy+baby · · Score: 2
      Every argument you made against doing this with network security applies equally to doing it with the environment, among other things.

      Um: what "it" are you talking about? Assigning a law enforcement agent to observe every company whose operations may affect the environment?

      Not even the greenest green I know has ever so much as suggested this to me, even in jest.

    8. Re:The Answer is Simple... by GileadGreene · · Score: 1
      Many public agencies are far more efficient than private counterparts.

      I have yet to see one, but I'd be interested in seeing if you can come up with examples.

  38. Three vital needs by PrimeEnd · · Score: 2, Insightful
    There are at least three things we need:

    1. Wide deployment of IPSec.

    2. Open standards and full disclosure of vulnerabilities.

    3. Client diversity in the network ecosphere. A single species (can you say 'outlook') is extremely vulnerable.

  39. Wiretap law problems, lack of knowledgeable people by Anonymous Coward · · Score: 1, Insightful

    I'm a sysadmin at a major US military base, so my experiences might not apply directly to the private sector, but I'm sure there's some overlap. We run into constant legal confusion over when and where we can monitor activity, whether it's mail, web traffic, IDS logs, or whatever. We get conflicting information from all sides on the issue, and no one can point us to a set of clear guidelines or uniform policies. As a result we wind up with security policies that have huge gaps in them - not being allowed to block VBS attachments at the firewall, for example. We've since gotten around that one, but it's a constant fight.

    Probably more critical is the lack of knowledgeable people. There are obviously some people at the top with a clue, and they issue some instructions that often make a lot of sense, but between them and us at the functional level there's a huge gap. When we get calls on IDS hits from our MAJCOM network operations center, for example, some of those people aren't even sure how many octets are supposed to be in an IP address. There's very little help provided in implementing the policies as they're directed - everyone's left to figure it out on their own and there's a huge amount of duplicated effort.

    What we need more than money or tax breaks is this: centralized resources with tools, policies, information, and efficient channels of communication.

  40. Govt should only do..... by Tye_Informer · · Score: 1

    The Government should only do what the private sector doesn't want to do. You can set up a government organization to do anything the private sector does. They will do it half as well for twice the price.

    Network security is really run by market pressure. For example, I won't buy anything from a company that wants me to email my credit card number to them! If enough people are concerned about their security those companies will either change or disappear. The only involvement I would expect from the government in this case would happen when someone stole one of those credit card numbers being emailed. Until then stay out.
    (I don't even think the government should be in the business of informing users of security problems! Anyone that watches the news knows about these things! If they don't they wouldn't pay attention to the Ad Council's ads anyway)

    1. Re:Govt should only do..... by jd142 · · Score: 3, Insightful

      Replying at random to one of the many people who say gov't always gets it wrong and the public sector is where all the smart people are. Go read the comments to the article about project failure. Notice how many of them (like, almost *all*) are about private companies filled with moron managers who couldn't make the right decision if it sprang full from their butt.

      People are people. You get idiots in the public sector. You get idiots in the private sector. Where you get people, you get idiots.

      Everyone is smarter than his or her boss. That makes the lowest person in the company the smartest.

    2. Re:Govt should only do..... by spencerogden · · Score: 1

      Let's just say that market pressures and incentive lower the ratio of dumb to smart people in the private sector.

    3. Re:Govt should only do..... by Daniel+Dvorkin · · Score: 2
      Let's just say that market pressures and incentive lower the ratio of dumb to smart people in the private sector.

      If you really believe that, I've got some land in Florida I'd like to sell you ...

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    4. Re:Govt should only do..... by lizrd · · Score: 2

      The difference between the public sector and the private sector isn't in the concentration of idiots, it's the reach of their decisions. When a private company makes bad decisions, the worst that can happen is that the company in question goes bankrupt. When government makes bad decisions, we end up with unjust laws that apply to everyone and are difficult to change.

      --
      I don't want free as in beer. I just want free beer.
    5. Re:Govt should only do..... by spencerogden · · Score: 1

      Maybe not now, but in the last couple of years it has been impossible for the public sector to compete with the private in terms of wages (especially when you factor in options); this means that economic incentives move people to the private sector. Even if you have a few people who stay public for the good of society, economics will be on the side of the private sector.

      Where is this land anyways?

  41. 2 words: limited liability by llamalicious · · Score: 2, Interesting

    Yes, network administrators have to be vigilant about their own security, and put in place whatever measures are necessary to ensure the integrity of their data (and their companies).

    My only wish would be specific legislation proposing limited liability in cases where a 3rd party piece of software was used and an exploit found and used against said software before a security warning is made known, or security patch is made available by the vendor.

    If the administrators have done their job and have all their software up to the best spec they can, but are subjected to liability against themselves for an error in a piece of software they put their trust in.. it's bad news.
    Especially if the client dictates the software to be used for securing the data... man, it's just bad karma.

    In the meantime, keep using multiple levels of security. Screw the overhead if you've got sensitive data...

  42. Trouble brewing by s20451 · · Score: 1

    This has got to be a first. I thought you weren't supposed to take any legal advice given on Slashdot; but here's a real, live lawyer asking for it. Did the world end while I was in the john?

    --
    Toronto-area transit rider? Rate your ride.
  43. wishlist by Anonymous Coward · · Score: 0
    1. Stay out of it - Congress will make everything worse by legislating anything to do with security
    2. When you do try to legislate security (because you will, because you feel like you have to "do something"), get and CAREFULLY consider the opinion of the computer using community before passing it into law. By community I mean NOT JUST corporations but end users and other people whose motives might be different from those of software manufacturers
    3. Remove all crypto restrictions; apart from the fact that people are actually capable of developing crypto outside the US, the restrictions don't actually prevent the export of strong crypto
    4. No backdoors. They are not, and will never be, safe
    5. Fund open source OS/crypto/etc. development projects to provide free, quality, code-transparent tools to aid people secure their networks
  44. Technologists Vs. Politicians by Wedman · · Score: 2, Interesting

    Or would you tell them to get out of the way?

    Maybe that's a good idea: let the technologists work it out. Was it a politician who developed the first firewall, IPSec, NIDS, etc.? I don't think so.

    While there is a social element to breaking networks, the solutions to these problems should NOT be legislation (IMHO). Making something illegal or applying mandatory monitoring does nothing to stop those who intend to circumvent/ignore those measures.

    Network security should be left in the hands of those most capable. If any body or government should look to tackle the 'issues' - real issues - of network security, I think it should be a body of technologists and people who really do have an understanding of what network security really means.

    Thank you.
    1. Re:Technologists Vs. Politicians by Stonehand · · Score: 1

      Making something illegal or applying mandatory monitoring does nothing to stop those who intend to circumvent/ignore those measures.

      Sure it does. Fines, jail time, and execution (for, say, homicide -- I'm not talking strictly about network security here, although eventually it may be quite possible to commit murder via a network attack; think DOS of critical systems) tend to have varying levels of deterrent or incapacitative effects.

      --
      Only the dead have seen the end of war.
    2. Re:Technologists Vs. Politicians by Wedman · · Score: 1

      The bottom line, however, is that someone who is determined to do something that breaks 'the law', will break 'the law'. No? Anyway, I just don't have any faith in a country's government to be able to handle something like network security. It's the wrong body for the job.

      eventually it may be quite possible to commit murder via a network attack; think DOS of critical systems
      I'm offtopic here...

      Hopefully those critical systems would not be put on a public network! Or, do you mean a DOS like cutting off power? If that's the case, it's already possible: The power line infrastructure is a network - shut it off, and ostensibly, people tied into 'critical systems' could die. Even then, I would hope that there were backup generators in place.

    3. Re:Technologists Vs. Politicians by akad0nric0 · · Score: 1

      Maybe that's a good idea: let the technologists work it out. Was it a politician who developed the first firewall, IPSec, NIDS, etc.? I don't think so.

      No, but I believe it was politicians that decided that ATM cells would have a payload of 48B. Why? Because the US wanted 64B payloads and Europe/Japan wanted 32B payloads. What was the compromise? the average: (64+32)/2=48B. Wow. Took a real genius to arbitrate that discussion. Morons.

      --
      akad0nric0

      This sentence no verb.
    4. Re:Technologists Vs. Politicians by Coz · · Score: 1
      One of the places for government here is the investigation and prosecution of crimes. Is it a crime to break into a bank's network, copy financial data, and blackmail them? Yes. What can government do about it? Track the perpetrators down and put them in Leavenworth.

      IMHO, the government needs to clean up, unify, and rationalize the laws on computer security and intrusion, clarify the jurisdiction issue (exactly who investigates what, and who prosecutes it), and get aggressive. MAKE corporations disclose intrusions, and cooperate with investigations.

      We do have critical systems that can be influenced through the Internet. They need to be protected. Let's do it with one set of rules, one set of enforcers, and one set of penalties that's uniform across the US.

      --
      I love vegetarians - some of my favorite foods are vegetarians.
    5. Re:Technologists Vs. Politicians by Anonymous Coward · · Score: 1, Funny

      Was it a politician who developed the first firewall, IPSec, NIDS, etc.? I don't think so.

      Al Gore?

  45. If they can't afford the carrot... by rbrander · · Score: 1

    ...then they can use the stick.

    Pass some laws making it an offense to be egregiously insecure, on the grounds that you have made yourself part of the problem, a menace to others on the public network.

    If you're wide open to becoming a siteful of zombies to be used in DDOS, it's like leaving a gun unsecured - on your front lawn.

    Far from costing budget money, the fines levied will be a revenue source. And the fear of the fines and the shame of the criminal charge will spur pointy-haired bosses into Getting Serious about security in a way that some tiny tax break never will.

    1. Re:If they can't afford the carrot... by Anonymous Coward · · Score: 0

      Similarly, institutions, particularly financial institutions, must be held responsible for not reporting break-ins.

      Right now, there is no incentive and no return on investment (visible to senior management) to install IDS or respond to break-ins or attempted break-ins.

      At the end of September, there was a lot of noise about what the FBI had been doing while Al Qaeda was making potentially real threats against the US. What they were doing, or at least what they were spending huge amounts of money on, was cleaning up after a bunch of corporations unwilling to take minimal steps to protect their networks against viruses. They were chasing down virus writers, who could not have done nearly as much damage had the corporate networks been secured and MS boxes been patched. Until this costs the corporation something (if only the cost of the federal investigations), no action will be taken.

  46. Totally agree, mod this up (NT) by biftek · · Score: 1

    Keeping research open is important, mikej is right on.

  47. wish list by LordXarph · · Score: 0, Offtopic

    Specifically, if you could ask Congress for help in the area of network and information security, what would you ask for?

    BAN MICROSOFT.

    -Lx?

  48. PLEASE hands off. by TheMCP · · Score: 2

    Given Congress's track record of passing laws relating to computing which, in about 100% of cases, clearly demonstrate the fact that the people who wrote the law have no concept of how the Internet works and are responding solely to what corporate lobbyists are telling them, I'd rather if Congress would keep their dirty mitts off of this issue.

    Yes, it sucks to essentially have to barricade your computers from the rest of the world and not be able to trust any external entity to help you effectively, but I'd rather have that than more weird laws making more innocuous actions criminal offenses for no apparent reason.

    1. Re:PLEASE hands off. by Anonymous Coward · · Score: 0

      Hear hear! /iLEZ

  49. INGRESS filtering, rather? by Anonymous Coward · · Score: 0

    Of course, egress filtering also helps by preventing the DDoS traffic from reaching the single target node. But two points should then be kept in mind:
    1. the traffic will congest the links in that access network
    2. egress filtering should be done in the stub area border router
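
A model of the two border filters this post contrasts, added here as an example and not part of the original post: the stub site's border router applies egress filtering (forward an outbound packet only if its source address is inside the site's own prefixes, so a zombie cannot spoof) and ingress filtering (drop inbound packets claiming a source inside the site or in a bogon range). The site prefix, bogon list and packet sample are constructed values; the decision logic is BCP38-style source validation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Constructed sample values: the stub site's own address space, and the
# reserved ranges (RFC 1918, loopback, link-local, 0/8) that should never
# appear as a source on the upstream side of the border router.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "out" = leaving the site, "in" = arriving from upstream


def _in_any(addr: ipaddress.IPv4Address, prefixes) -> bool:
    return any(addr in p for p in prefixes)


def egress_allowed(pkt: Packet) -> bool:
    """Egress filter at the stub border: a packet leaving the site must
    carry a source address the site actually owns. This stops spoofed
    flood traffic at the border, but (point 1 above) the zombie has
    already consumed the access link between itself and this router."""
    return _in_any(ipaddress.ip_address(pkt.src), SITE_PREFIXES)


def ingress_allowed(pkt: Packet) -> bool:
    """Ingress filter at the same border: a packet arriving from upstream
    must not claim a source inside the site or in a bogon range."""
    src = ipaddress.ip_address(pkt.src)
    return not (_in_any(src, SITE_PREFIXES) or _in_any(src, BOGON_PREFIXES))


def filter_packets(pkts: Iterable[Packet]) -> dict:
    """Apply the direction-appropriate rule; return forwarded/dropped lists."""
    result = {"forwarded": [], "dropped": []}
    for p in pkts:
        ok = egress_allowed(p) if p.direction == "out" else ingress_allowed(p)
        result["forwarded" if ok else "dropped"].append(p)
    return result


# Constructed traffic sample: legitimate flows plus spoofed-source packets
# of the kind a compromised host inside the site emits during a flood.
SAMPLE = [
    Packet("203.0.113.10", "198.51.100.5", "out"),   # legitimate outbound
    Packet("198.51.100.77", "203.0.113.10", "out"),  # spoofed source from inside
    Packet("10.0.0.3", "203.0.113.10", "out"),       # leaked private source
    Packet("198.51.100.5", "203.0.113.10", "in"),    # legitimate inbound
    Packet("203.0.113.99", "203.0.113.10", "in"),    # inbound claiming our space
    Packet("192.168.1.1", "203.0.113.10", "in"),     # bogon source from upstream
]


def summary() -> tuple:
    """Counts of (forwarded, dropped) over the constructed sample."""
    r = filter_packets(SAMPLE)
    return len(r["forwarded"]), len(r["dropped"])


if __name__ == "__main__":
    r = filter_packets(SAMPLE)
    for p in r["dropped"]:
        print(f"drop {p.direction:>3} src={p.src} dst={p.dst}")
    print("forwarded", len(r["forwarded"]), "dropped", len(r["dropped"]))
```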

  50. Think again by Anonymous Coward · · Score: 1, Interesting

    Think again about having the government 'keep out' of security issues. It would be great for them to 'keep out' forever, but we know this is not going to happen. If they do not pass laws ALLOWING things like security auditing tools, public security forums, and the like, eventually laws will get passed contrary to those! While you have the freedom now to possess something like nmap(1), don't take this for granted! We'd like it to fall under free speech, and view anything we do with it as harmless, but other people don't. Freedom is waning.

    The public is presently being trampled by corporations because the public assumes that they are free to do things that are pretty common-sense alright. I.e., buy a CD and make a copy of it for your car, or for backup in case your CDs get stolen (say you own 200 CDs, at $15ea, and they get stolen. That's $3000!!! Now think of those 400 disc changers and how easy it is to grab one of those if you broke into someone's house). While you feel (and it is) perfectly morally alright to copy CDs for your own personal use, companies are trying to ERODE these rights. All the while, the public (slashdot, et al.) whines about this in forums, citing 'fair use' clauses of old laws that may or may not apply. The fact of the matter is, the DMCA is a new law, and it doesn't matter if it's contrary to those old laws, it supersedes them. What IS needed is a law stating that content sold to the mass consumer CANNOT be encrypted in a way to prevent copying. Something proactive.. Then let the RIAA go to court with the government and try to overturn the law. But they cannot, because they work under the law.

    My main gist is that there's some things that people just take for granted, and want the government to 'stay the hell out of their lives'. But without proactive laws, they will soon find those things they take for granted outlawed due to somebody pushing the ball the other way.

  51. Laissez faire... by sterno · · Score: 1

    You know I thought on this for a little bit and I can't think of a single thing the government can do to help. The best thing they can really do is just not meddle with it.

    --
    This sig has been temporarily disconnected or is no longer in service
  52. Enforce the laws we have... by moonboy · · Score: 5, Insightful

    • No New Laws - The government has a habit of throwing more laws at a problem (yes and money too). We don't necessarily need more laws, just proper enforcement of the existing ones. (or maybe I should say, no laws just for the sake of creating them....no hollow laws to appease the general public and press...if new laws are made, they must be effective!)
    • Crypto - No more restrictions on crypto.
    • Tools and Methods - The government shouldn't ban tools and methods used to work in network security. These are very necessary to increase the level of security. Like another poster said, if you ban them (i.e., make their use, possession, etc. illegal) only the "bad guys" will have them.

    --
    Co-founder and designer at Music Nearby: http://musicnearby.com
  53. Coinage Failed by Effugas · · Score: 2

    Webcurity? Sounds like one dot-com too many. Among other problems, "curity" feels more like it belongs to *obscurity* than *security*. Besides the famous line separating the two, nobody wants an obscure website :-)

    Security-related phrases in the English language are usually combinations of initial syllables. Information Security gets compressed down to InfoSec, "Defense Condition" to DefCon, and "Strategic Forecasting" to StratFor, for example.

    WebSec...well, sounds like it'd be a phrase for the specific branch of Infosec dealing with external access to internal data through a tightly controlled interface. Certainly feasible, though you start hitting problems when protocols other than HTTP start getting used. (Is it a website if you don't get it over HTTP/HTTPS?)

    Of course, with everything imaginable getting piped over HTTP (as opposed to SSH *grins*), maybe WebSec is appropriate...

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  54. He was lucky to work for your company by sting3r · · Score: 5, Insightful
    One of my co-workers was scamming people on eBay from home, and one of the disgruntled customers called our local police department to whine about it. The police came down to our place of employment and started talking with the managers, and the managers literally turned white and started handing over records. This was without a warrant or court order, mind you. Last I heard, they had turned over the employee's entire HR file, his entire mail spool, and his desktop computer. Needless to say they did not want him to work there anymore after that day.

    This brings up an interesting point, though: should Congress make it illegal for companies to give up your personal information to law enforcement without your consent (or a court order)?

    -sting3r

    1. Re:He was lucky to work for your company by Koda · · Score: 1

      should Congress make it illegal for companies to give up your personal information to law enforcement without your consent (or a court order)?
      No. If you are on your company's network and PC, those resources are not yours. The company is paying for them; they should be able to do with them as they please.

    2. Re:He was lucky to work for your company by DevNull+Ogre · · Score: 1

      True, the company's network and computers are not yours, which could include usage logs, but what about stuff like the HR file? That is private (between employee and employer) information. Should that just be handed over?

    3. Re:He was lucky to work for your company by slouie · · Score: 2

      Still company information. If they gave it up willingly, there is not much you can do about it. The workplace is one of the worst places for "privacy rights." Your phone calls are barely private, just about everything else is not. Bathrooms seem to be about the only safe place from cameras. Your personal bag and wallet/purse may be safe, but very little else.

      Welcome to the working world.

      --

      "I may be Love's bitch, but at least I'm man enough to admit it."
    4. Re:He was lucky to work for your company by portnoy · · Score: 1
      Last I heard, they had turned over the employee's entire HR file, his entire mail spool, and his desktop computer. [...] should Congress make it illegal for companies to give up your personal information to law enforcement without your consent (or a court order)?
      But what pieces of the above belonged to the employee? Presumably, the file and the computer are company property, and the contents of the mail spool probably are depending on their HR guidelines. This is the company's information, not the employee's, and they are within their rights to turn it over to the authorities as they see fit.

      And if you do make it illegal, there's a gray area here -- what if they talk to your boss or a co-worker and they reveal details of either the mail correspondence or the HR record? Should it be illegal for the police to get information on you from talking to coworkers? That's a seriously slippery slope, and I think it would make lawyers the only winners. :-)

    5. Re:He was lucky to work for your company by rlowe69 · · Score: 2

      This brings up an interesting point, though: should Congress make it illegal for companies to give up your personal information to law enforcement without your consent (or a court order)?

      Personal information? What is the guy doing keeping ANY personal information on his work PC? Last I heard, you're at work TO WORK.

      If a guy is using company time to rip people off on eBay, look at child porn or do ANYTHING not related to the job, he should be attentive to the fact that the company owns his time there. Which means they own his PC, his e-mail messages and his HR file ... and they can do anything they want with those things - including save their own asses.

      If people don't like those rules, they should probably start their own companies. Of course, with all of these 'privacy' rules in place you might have problems with employees that never get anything done. That is precisely why you'll never see a law like that passed.

      --
      ----- rL
    6. Re:He was lucky to work for your company by Merk · · Score: 2

      Jones! What's that on your desk! A picture of your family?!? What are you doing keeping personal items on your desk!! And beside it? A cup of coffee? That doesn't look like the company standard-issue model XV-37 coffee mug! And that pen over there, I don't think that was issued by company stores....

      C'mon.. people are going to have personal information on their work PCs, just like they have personal items on and in their desks, etc.

      Now unless you think it's ok to keep a Hustler magazine on your desk at work, you shouldn't have porn on your computer at work. But if some guy has a love letter from his wife saved in a file on his disk, what's wrong with that? It's no different from keeping a birthday card from her in a desk drawer.

      If the police have a search warrant, then of course the bosses should let them search anything it covers. But I would hope that if police came to my workplace and politely asked if they could rummage through my desk, or look through my computer, my bosses would politely decline.

      Besides, most reasonable employers know that their employees do things not directly related to work fairly often. They'll call to check up on dinner plans, call the plumber to make an appointment, etc. While this isn't work related, getting these short items done with can increase a worker's productivity because he/she is no longer distracted by these errands he/she has to do after work. It's a matter of balance.

    7. Re:He was lucky to work for your company by rlowe69 · · Score: 2

      Besides, most reasonable employers know that their employees do things not directly related to work fairly often.

      Yes, but expecting to have privacy at work is ridiculous because it's not your property, it's your employer's. That was what I was trying to say.

      As an extension to that, if you don't have anything personal at work, you'll never worry about anyone finding your personal information at work. So you can bring a picture of your family, just don't bring a copy of your will and leave it in your desk drawer.

      Haven't you ever heard of companies that lay off their employees at lunch and mail their stuff to them? Do you really think those employees have a chance to remove personal e-mails and data from their computers? Of course not.

      Using time is reasonable and allowed by most companies, you just have to be aware you are using company time and should do so wisely. It does not give you permission to use company resources for this, with a few exceptions like local phone calls.

      Incidentally, I would consider having a love letter from my wife on my work computer inappropriate. A difference of opinion, sure, but management is usually on the safe (read: restrictive) side of any argument. If you don't want it to be read, don't bring/send it to work (or use a Hotmail account instead).

      --
      ----- rL
    8. Re:He was lucky to work for your company by Anonymous Coward · · Score: 0

      The real question is not having it illegal to give up the personal information, but rather, making it illegal for the police to force a company to give up the information without a court order. A company policy on what information is public and what is private should be established, and any special policy - such as what, if any, information will be given to law enforcement upon request. That way the employee knows the rules and, if he does not like them, can always find other employment. If the information requested by the police is in the private category, then a court order for the information should be required. If the police cannot get a court order, then the court does not think they have a valid reason for requesting it.

  55. Mixed platform/Open file formats/ by Anonymous Coward · · Score: 0

    The best and only way for the government to improve "web security" without further eroding civil rights is to mandate that all government and government-funded institutions:

    1) Operate a roughly balanced mixture of platforms from different vendors. (For example, at least three different platforms per "role" [mail server would be a 'role'] and no more than 70% in any one platform.)
    This reduces exposure to worms and virii and OS or application specific exploits.
    This encourages companies to ensure that their products are interoperable and standards compliant.
    It also rather neatly solves the Microsoft monopoly problem.

    2) Only exchange data with the public and each other using open file formats.
    I don't know if this is still true but, for example, the NIH required grant submissions be delivered in Microsoft Word format. This is absurd on its face.

    3) Rethink the DMCA.

    -J

  56. Part the justice system can help with. by WillRobinson · · Score: 1

    Current discussion on loganalysis@securityfocus.com is that almost all systems have security logging. But since most log systems can be spoofed, how can we give Due Diligence for Admission in Court with the information that we have? Maybe some guidelines from the legal system would be nice? Rather than what happens on a case-by-case basis, depending on savvy lawyers to convince people.

    Currently, most sys admins can send a page from a log and get most people either booted off an ISP, or a strong talking-to. But if you go to court, it's almost inadmissible evidence, since it is POSSIBLE that the log has been compromised.
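
    As an added illustration of the spoofing problem this post raises (example code, not from the post or the loganalysis list): a keyed hash chain makes a log tamper-evident, so an admin can at least show that the lines presented are the lines that were written after the key was provisioned, provided the key is kept off the logging host. The key, the sample log lines and the addresses below are constructed.

```python
"""Keyed hash chain for audit logs (added example; not from the original post).

Each record's tag is an HMAC over the previous tag, the sequence number and
the line. Without the key, a line cannot be altered, inserted, removed or
reordered after the fact without every later tag failing to verify. The key
has to live off the logging host (e.g. on the collector); if the host is
compromised together with the key, the chain proves nothing.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, List, Optional

GENESIS_TAG = "0" * 64          # the tag "before" the first record

# Constructed demo key; a real deployment derives one per log stream and
# keeps it on the collector, not on the host that writes the log.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed syslog-style sample lines (TEST-NET addresses).
SAMPLE_LINES = [
    "Jan 14 02:11:03 gw sshd[812]: Failed password for root from 192.0.2.10 port 40212 ssh2",
    "Jan 14 02:11:05 gw sshd[812]: Failed password for root from 192.0.2.10 port 40213 ssh2",
    "Jan 14 02:11:09 gw sshd[815]: Accepted publickey for ops from 198.51.100.7 port 51022 ssh2",
    "Jan 14 02:12:41 gw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=192.0.2.1 PROTO=TCP DPT=23",
]


@dataclass(frozen=True)
class Record:
    seq: int    # position in the chain, starting at 0
    line: str   # the log line exactly as written
    tag: str    # hex HMAC-SHA256 binding this line to its predecessor


def _tag(key: bytes, prev_tag: str, seq: int, line: str) -> str:
    # Length-prefix the line so a line containing separator bytes cannot be
    # re-split into a different (seq, line) pair with the same tag.
    data = line.encode("utf-8")
    msg = (prev_tag.encode("ascii")
           + seq.to_bytes(8, "big")
           + len(data).to_bytes(4, "big")
           + data)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def chain_log(lines: Iterable[str], key: bytes) -> List[Record]:
    """Turn plain log lines into a chained record list."""
    records: List[Record] = []
    prev = GENESIS_TAG
    for seq, line in enumerate(lines):
        tag = _tag(key, prev, seq, line)
        records.append(Record(seq, line, tag))
        prev = tag
    return records


def verify_chain(records: List[Record], key: bytes,
                 expected_tail: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record.

    Modification, insertion, deletion and reordering all break the chain at
    or before the affected position. Truncating the tail is only detected
    when the last tag was recorded elsewhere (shipped to a collector, printed
    in a ticket) and is passed as expected_tail.
    """
    prev = GENESIS_TAG
    for i, rec in enumerate(records):
        if rec.seq != i:
            return i                          # gap or reorder
        if not hmac.compare_digest(rec.tag, _tag(key, prev, rec.seq, rec.line)):
            return i                          # line or tag altered
        prev = rec.tag
    if expected_tail is not None and not hmac.compare_digest(prev, expected_tail):
        return len(records)                   # chain ends earlier than it should
    return None


if __name__ == "__main__":
    recs = chain_log(SAMPLE_LINES, DEMO_KEY)
    print("intact:", verify_chain(recs, DEMO_KEY))                  # None
    doctored = list(recs)
    doctored[1] = Record(1, recs[1].line.replace("192.0.2.10", "192.0.2.99"), recs[1].tag)
    print("edited line detected at:", verify_chain(doctored, DEMO_KEY))  # 1
```

    The chain is only evidence about what happened after the key was set and only as trustworthy as the place the key is held; it says nothing about whether the original line was accurate when the daemon wrote it.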

  57. Get out of the way. by SecurityGuy · · Score: 5, Insightful
    The *LAST* thing I want is a legislative "solution" to a problem the so-called experts can't even agree on. Full disclosure or not, is scanning illegal, should it be, etc. Legislative solutions are far too often nothing more than new problems. Copyright violation is a problem. The DMCA is supposedly the solution. Terrorism is a problem. The solution, apparently, is to pass laws undercutting privacy and liberty in the states. Crime via computers is a problem, their solution was key escrow (thankfully not implemented), and now the FBI is writing computer viruses (Magic Lantern).

    Thanks, but no thanks. I'd much rather stick to securing my boxes with the understanding that it's a hostile net out there than have my government tell me the One True Way to do so. Passing laws which only apply to less than 5% of the world's population will not make the net secure, and feel-good legislation is something I can do without.

  58. How about no more EULA ? by fymidos · · Score: 1

    What kind of agreement is an End User agreement? Don't you need 2 sides to agree?

    Why not force the companies to accept responsibility for their software? What if I lose important work because of bad software? Why shouldn't I be able to see the specs (not the features) of the software I buy?

    I mean, OK, it does the job... but how?

    --
    Washington bullets will simply be known as the "Bulle
  59. Go away by Ledge · · Score: 1

    The best thing that the Government could do for security is to go away. Drop absurd encryption regulations. Stay away from legislating security. The legislation of morality doesn't work, why would you think that the legislation of security would?

    --
    If it ain't a Model M, it's a piece of crap.
  60. Re:Egress Filtering (already) by dago · · Score: 1

    Lots of providers are already doing egress filtering (if not a majority, but I can only speak for my company).

    --
    #include "coucou.h"
  61. What to ask of congress? by bahamat · · Score: 1

    Basically I don't want government involved in security in the private sector. The private sector can handle security on its own.

    However, my *legal* concerns are about being labeled a criminal while my basic liberties are taken away to protect a fat corp's stash of gold.

  62. A modest proposal by Anonymous Coward · · Score: 0

    Trial before military tribunals for people using scripts to scan networks to try and break into them. A few public hangings would reduce this a lot. Right now the majority of traffic coming into our subnet during nighttime hours is from people running scripts trying to break into our machines. Complaining to ISPs gets one nowhere. I've got gigs of logs I'd be happy to send to the tribunal.

    Memo to idiots who believe the answer to security problems is for everyone with a computer connected to the internet to spend their days reading Bugtraq, reconfiguring their firewall and installing the latest patches to software: Some people actually have a life and are tired of having it ruined by morons.

  63. This is easy... by sdb6247 · · Score: 0

    Tell the senator to spend a week reading tech-related websites. It will become abundantly clear to him what is on our minds... Star Wars, flaming Jon Katz (which is OK by me), and the next episode of Buffy. Seriously, though, our representatives are truly not listening to what has become an increasingly larger population - the tech world. They keep wandering around asking their buddies at huge corporations how the little guy feels... they have no idea. If they are truly interested in the issues facing us day-to-day, the answer is for them to start reading the same sites we do. Period.

    --
    ---- Please flame below this line ----
  64. Easy - apply evolution by Anonymous Coward · · Score: 0
    The way to increase security is to repeal laws against cracking systems without doing damage. Anyone who finds a hole in a "secure" system should be able to notify the owner without fear of prosecution. After a suitable period of time, notifying the public should be allowed, too, if the public could in any way be affected by the hole.

    Something similar applies to airport security, which despite appearances is presently a joke. We should have tiger teams constantly trying to break security. We should reward those teams for success, and provide incentives to the security people as well. Instead we have FAA guys who now and then try to take an obvious gun or bomb through - same guy, same contraband, same place, every time. Quote from a screener: "Here comes Fred with the .45 again."

  65. Some professional suggestions by Anonymous Coward · · Score: 0

    - Strong, unescrowed cryptography with no export restrictions. This will allow crypto to be integrated into all systems as a background service, and can be used for security against most threats (external hackers, DoS, viral attacks, etc.)
    - Structural and procedural remedies against Microsoft, including the right to engage in class-action lawsuits for their lack of due care in system security issues
    - R&D tax incentives under the 'war on terror' initiative. Upgrading current systems using current technology does not solve various problems, it just shifts the points of failure. New approaches and technology are what are needed, and would create 'economic stimulus' as part of the bargain
    - Lower insurance premiums for enhanced security is a non-starter. We've done extensive analysis for insurance companies that wanted to enter into 'hacker' and other sorts of insurance as part of their risk management business. You can't adequately model security risks--even a thorough and detailed vulnerability assessment and penetration testing process only provides an analysis as good as the process (and staff), and only takes a snapshot of the security as of that moment. A day later a new exploit could be released, users could install new software, a key application could be patched/updated, etc. etc. Hacker insurance is a myth
    - Keep the U.S. government out of the 'protection' business, and that also means ending protection of Big Brother for the incompetent firms. Too many security 'experts,' particularly on the Defense side of the industry, are repurposed staff that have no real competence. Much of the security 'industry' is a subscription-based extortion racket. Companies with real concerns, particularly companies that are 'mission critical' (essential to the economy) should develop internal competence in safety and security issues, including massive recruiting among the exact population that reads forums like /. No external contractor is quite so concerned about your security as you should be, so act like it matters

    Those are some good places to start.

    Michael Wilson
    www.7pillars.com

  66. how about... by atyr · · Score: 1

    The most secure network gets some candy?
    I don't know about you guys, but I think that would motivate me to lock down my net.

    mmm... gummy bears =D

    On a more serious note, competition does stimulate a better product. Involving them in our affairs might not be something that's wanted, but maybe they can help increase quality of services. Doesn't that sound like the ideal outcome to you? Kinda reminds me of open source in some aspect. We have more people working on one source and more problems are discovered and fixed. Perhaps involving them in some way might be our best bet as of yet, but how can we involve them without them overstepping their bounds =] Maybe it's not "should we involve" but how can we involve them constructively and wisely. In my opinion, if we don't suggest any good ideas, we are damaging ourselves more than keeping everything nice and private. If we tell them what we want/need now, perhaps it will make them feel important, and still benefit us as a whole. So putting "leave us alone" aside, what should we ask of them?

    I could still go for some gummy bears though =\

    --
    every dark cloud has a silver lining, but lightning kills hundreds of people every year trying to find it.
  67. Mail, Monitoring and Blocking by ellem · · Score: 2

    Maybe they could clear some things up...

    I'd like to have clear guidelines on mail. How long do I need to keep it? Can I just totally delete mail, or do I need to maintain backups?

    When can I monitor/read someone's email? It's mine (well, it's the company's), but if MGR A wants me to give her access to EMP K's mail, is that legal? Can I monitor how many times my boss hits his stocks? When is it OK to put a keystroke logger on someone's machine (don't ask, we ended up using a modified virus)?

    Is it OK to block Accounting from mail or internet? To put a brick wall on their doorway so they are trapped in their damn Accounting offices forever? (OK, that's probably not legal.)

    PS -- I work for Lawyers' Travel... kinda ironic huh?

    --
    This .sig is fake but accurate.
  68. Get real by DuneWolf · · Score: 1

    Congress should not legislate the behavior of employees, networks sysadmins, or companies as some have been suggesting. The primary areas where Congress should be concerned are:
    1. Vulnerability of our commerce systems to domestic or international attack.
    2. Creating an environment that encourages companies and consumers to protect themselves.
    3. Ability to obtain properly authorized evidence in the event of a warrant to pursue suspected criminals.

    Item one is the most critical, and what seems to be completely ignored by our current legislators. Any scheme of encryption cracking that is available to our government in the event of a warrant is also available to our enemies. Yes, the FBI may be able to read Bin Ladin's email if no encryption exists, but terrorists would also be able to have full access to our e-commerce infrastructure, private information, etc... and have the ability to cause significant damage, especially since e-commerce is becoming a more significant part of our economy every day.
    2 implies educational programs, and sponsorship of groups that promote real security.
    3 is important, but may not be realistic in the context of 1.

  69. IPv6 by yugami · · Score: 1

    The governments of most countries should do a big push to move over to IPv6; THEN we can talk about security.

  70. De-Criminalize and de-Corporatize by #!/bin/allen · · Score: 1

    Letting only approved researchers work on systems that don't have a legal defense fund is a recipe for disaster.

    But then so is the Outlook monoculture.

    --
    sed 's/commun/terror/g' mccarthy > bush; sed 's/terror/saddam/g' bush > bush_wacked
  71. Make it illegal for states to sell personal data by zoward · · Score: 5, Insightful

    It is current practice of some US states to sell driver's license pictures and other personal data from their database to private firms, for various reasons. This practice should be illegal, or at the very least carefully monitored at the federal level.

    --
    "Can't you see that everyone is buying station wagons?"
  72. Obviously... by Anonymous Coward · · Score: 0

    End Carnivore, legislation for security back doors, etc. But seriously, I would like to see a government program to set an official set of guidelines, one that the insurance companies could use. If there was an official rulebook, then I think that the insurance companies would probably jump all over it.

    Other than that, maybe create some government security freeware. AV, firewall, etc. Something official to set the standard for other companies. If the government guarantees our safety in the rest of our lives, they should be looking at something like this for digital safety too.

  73. Suggestions for the Government by shanek · · Score: 5, Insightful

    1: Get out of our way WRT encryption and other secure technologies. We're not terrorists, we just want to keep our personal information secure. Installing "back doors" and other methods may, on the surface, seem like a good idea for national security, but in reality hackers can enter through those as easily as the government.

    2: Hold vendors responsible for security holes in their products. Currently, the EULAs prevent someone harmed by a security flaw from seeking liability, even if that security flaw was deliberately programmed into the software as a "feature."

    3: Recognize the role of antivirus firms such as McAfee and Symantec in protecting users. They should be unrestricted in their efforts to make and sell software that can protect computer users from harmful files, regardless of the source.

    4: Realize that the best way to catch criminals and terrorists is through the use of human intelligence, which history has proven to be much more effective than randomly reading private e-mails. Also, human intelligence doesn't involve threatening the liberty of normal, law-abiding Americans like many of the other proposed methods do.

    5: This is probably the most important one: Remember the words of Ben Franklin when he said, "They that would give up Essential Liberty in order to obtain Temporary Safety deserve neither liberty nor safety." I would also add that, in these cases, you usually don't get the safety you're seeking in the first place.

    1. Re:Suggestions for the Government by KjetilK · · Score: 2

      3: Recognize the role of antivirus firms such as McAfee and Symantec in protecting users. They should be unrestricted in their efforts to make and sell software that can protect computer users from harmful files, regardless of the source.

      Huh? From my POV, I could be totally wrong about this, what anti-virus software makers do is make a pile of cash from telling people not to use reasonably safe software, but rather install software to detect random attacks exploiting well-known security holes, that should be fixed so that a determined attacker can't exploit them... It doesn't seem like a useful service to me... :-)

      --
      Employee of Inrupt, Project Release Manager and Community Manager for Solid
    2. Re:Suggestions for the Government by Anonymous Coward · · Score: 0
      3: Recognize the role of antivirus firms such as McAfee and Symantec in protecting users. They should be unrestricted in their efforts to make and sell software that can protect computer users from harmful files, regardless of the source.

      Poorly worded and based in unsound ethics. Government should not be encouraging the creation or use of proprietary software. Government should be encouraging the creation and use of free software (but all the philosophical essays on GNU's website are worth reading). Also, nothing in your statement says why Magic Lantern is harmful (I'm sure the FBI would not consider Magic Lantern to be harmful, therefore it's okay to adjust the proprietary software robot guards to cooperate with the FBI by not alerting the user of Magic Lantern or stop Magic Lantern from executing). Viruses, trojan horses, etc. become a lot less of a problem when one runs a free software operating system and only free software on top of that. It's the freedom that keeps you safe, not the proprietary robot guard software.

    3. Re:Suggestions for the Government by shanek · · Score: 2

      That wasn't what I was saying. I wasn't saying government should encourage, subsidize, or in any other way support the antivirus companies. I was just saying they should stay out of their business, and not place their back-door restrictions on them like they have in the past.

      The point is, the companies should have the freedom to find and eliminate any software threat, even ones originating from the government to spy on us.

  74. How Congress might improve Internet security by LinuxParanoid · · Score: 1, Flamebait

    OK, I'm provisionally accepting the premise of the question-- that something Congress might do could help Internet security-- and trying to figure out what I'd suggest.

    It'd help if IP packets couldn't be spoofed (or if such spoofing capabilities were dramatically reduced).

    Then any hack attempts could be tracked much, much more easily back to their origins.

    In a perfect world, one might upgrade all our networks to employ IPv6 or IPsec to ensure greater packet integrity, but this is prohibitively expensive and leaves the problem largely intact on "legacy" networks.

    A simpler solution, which would be greatly accelerated with a Congressional (or Executive?) national security legal mandate, would be a law requiring network owners (ISPs) to install filters on the boundaries of their networks that prevent packets from leaving their networks that didn't originate with IP source addresses owned by their networks. Egress filtering.

    While this wouldn't eliminate IP spoofing (someone can still pretend to be another computer on the same network), it would eliminate someone on network A pretending like they came from network B in most cases. At that point, the NOC of the appropriate network can be contacted and the hack can be run to ground.

    (Someone more network-savvy than I could articulate the boundaries of which networks should be included under the above statute. Obviously traffic being routed between networks (as opposed to traffic originating from a network) cannot be covered by such a requirement.)

    Nobody likes mandates, but I think this one would significantly improve end-to-end network security. Making it a legal requirement would enable the practice to be sufficiently end-to-end to be useful. And it's inexpensive enough that ISPs have debated doing it on their own just as a measure to reduce DOS problems.

    --LP

    Disclaimer: I program web and TCP/IP software but am not a network admin.
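
    The egress filtering proposed above, as an added example (not the poster's code): the per-packet decision a provider's customer edge makes before letting a packet out. The address plan, interface names and packets are constructed. It goes one step beyond the post's whole-network filter by checking per customer interface, which also catches the case the post concedes, one customer spoofing another customer's prefix on the same network.

```python
"""Source-address validation at a provider's customer edge (added example;
not from the original post). Constructed address plan and packets.

The post's caveat is modelled explicitly: interfaces that carry forwarded
traffic for other networks (peering/transit) cannot be judged against our
own prefixes and are left alone; only customer-facing interfaces are filtered.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Verdict = Tuple[str, str]   # ("pass" | "drop", reason)

# Sources that should never leave any customer edge, whatever the interface.
# Listed explicitly rather than via ipaddress.is_private, because Python also
# flags the documentation ranges used in this example (192.0.2.0/24 etc.)
# as "private", which would wrongly drop the constructed customer traffic.
BOGON_SOURCES: List[Network] = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


@dataclass
class EdgePolicy:
    # interface -> prefixes legitimately sourced behind that interface
    allowed: Dict[str, List[Network]] = field(default_factory=dict)
    # interfaces carrying other networks' traffic; not subject to validation
    transit: Set[str] = field(default_factory=set)

    def verdict(self, iface: str, src: str) -> Verdict:
        """Decide whether a packet with source `src` may leave via `iface`."""
        if iface in self.transit:
            return ("pass", "transit interface: forwarded traffic is not validated")
        addr = ipaddress.ip_address(src)
        # Containment across address families is simply False, so one loop
        # serves both IPv4 and IPv6 sources.
        if any(addr in net for net in BOGON_SOURCES):
            return ("drop", f"bogon source {addr}")
        prefixes = self.allowed.get(iface)
        if prefixes is None:
            return ("drop", f"no prefixes assigned to {iface}")
        if any(addr in net for net in prefixes):
            return ("pass", f"{addr} is assigned behind {iface}")
        return ("drop", f"{addr} is not assigned behind {iface}")


def build_demo_policy() -> EdgePolicy:
    """Constructed address plan for an imaginary provider with two customers."""
    return EdgePolicy(
        allowed={
            "cust-a": [ipaddress.ip_network("192.0.2.0/24"),
                       ipaddress.ip_network("2001:db8:a::/48")],
            "cust-b": [ipaddress.ip_network("198.51.100.0/24"),
                       ipaddress.ip_network("2001:db8:b::/48")],
        },
        transit={"peer-transit"},
    )


# Constructed packets as (ingress interface, source, destination).
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("cust-a", "192.0.2.17", "203.0.113.9"),        # legitimate
    ("cust-a", "198.51.100.5", "203.0.113.9"),      # spoofing customer B
    ("cust-a", "203.0.113.9", "192.0.2.17"),        # spoofing a foreign network
    ("cust-a", "10.0.0.1", "203.0.113.9"),          # bogon source
    ("cust-b", "198.51.100.5", "203.0.113.9"),      # legitimate
    ("cust-a", "2001:db8:a::1", "2001:db8:b::1"),   # legitimate (IPv6)
    ("cust-a", "2001:db8:b::1", "2001:db8:a::1"),   # spoofing customer B (IPv6)
    ("peer-transit", "203.0.113.9", "192.0.2.17"),  # forwarded, not validated
]


def filter_packets(policy: EdgePolicy,
                   packets: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Run packets through the policy and return pass/drop counts."""
    counts = {"pass": 0, "drop": 0}
    for iface, src, _dst in packets:
        counts[policy.verdict(iface, src)[0]] += 1
    return counts


if __name__ == "__main__":
    policy = build_demo_policy()
    for iface, src, dst in SAMPLE_PACKETS:
        action, why = policy.verdict(iface, src)
        print(f"{iface:12} {src:>16} -> {dst:<16} {action:4} ({why})")
    print(filter_packets(policy, SAMPLE_PACKETS))   # {'pass': 4, 'drop': 4}
```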

    1. Re:How Congress might improve Internet security by Peyna · · Score: 1

      Then all the dimwitted network admins who don't know how to set up a router to allow only local IPs to send packets are going to go to jail or be fined thousands of dollars... I suppose Cisco could ship routers preconfigured this way, but for every network admin that knows what they're doing there is at least one more that doesn't have a clue what he is doing, but managed to plug everything in and it worked.

      --
      What?
    2. Re:How Congress might improve Internet security by Anonymous Coward · · Score: 0

      OK, true. But I think it's more than just stupidity/incompetence. There are plenty of large ISPs that should do this today, and surely contain people with the proper expertise, but they don't. Why? I don't know, but sheer laziness and corporate inertia (there's no money to be made in reconfiguring our routers to boost security) seem other likely culprits.

    3. Re:How Congress might improve Internet security by Peyna · · Score: 1

      I would still consider that stupidity and incompetence, since obviously whoever is in charge of what happens to the routers at those ISPs isn't taking care of a very easy to correct problem.

      --
      What?
  75. US legislation != Internet legislation by jet_silver · · Score: 5, Insightful

    Encourage the Senator to remain aware that legislation about the Internet doesn't have crisp borders. Bits don't change color when they cross national boundaries.

    When you do that, you might get him to understand that such laws are not easy to enforce and will certainly involve a lot of jurisdictional disputes.
    And you might encourage him to realize that it is the lowest common denominator of behavior on the Internet that represents the cutting edge of security needs.

    In other words, passing legislation against US Internet users is tantamount to taking their guns away, when they can at any minute be involved in a virtual gun-fight with, for example, Chinese or Indian crackers who have no such laws hampering them.

    1. Re:US legislation != Internet legislation by JordanH · · Score: 2
      • Encourage the Senator to remain aware that legislation about the Internet doesn't have crisp borders. Bits don't change color when they cross national boundaries.

      True, but any network company doing business in the US is required to follow US law. Requiring all network providers to do egress filtering and to aggressively shutdown offending blocks of addresses would be a good step.

      Perhaps the government could maintain a centralized control center that would coordinate reports of attacks, contact offending network providers and monitor corrective actions.

      If this worked, then these practices could be spread to other countries via treaties or other international agreements.

      I guess one problem is that this would make anyone performing cross-border connections (satellite, phone lines, etc.) a "network provider" and subject to potentially stifling regulation. Maybe only regulate those who have a certain threshold aggregate bandwidth. On the other hand, that's a moving target with advances in telecommunications. Or how about only those that sell services... then, you'd have to handle the case of cooperatives. Hmmmm... This could require some thought. So much for pat answers!

  76. Certification board? Push international coop? by akad0nric0 · · Score: 1

    While I do not support fining people who deploy sloppy software, or software with numerous security holes, I would like to see an interest-free software certification board formed strictly with security in mind. Such a board would not only certify software based on its code, but also the vendor's attitude towards security in general (designing security-friendly code, not feature-friendly code), and also its follow-up support (immediately addressing issues, releasing patches, etc.).

    Another thing that would help GREATLY would be to push this up to an international level. We can do all we want to make the USA a happy-happy, joy-joy internet environment, but
    it
    don't
    mean
    jack.
    The internet is GLOBAL, and as such the most effective solutions will be those developed at an international level. Push for a communications subcommittee in the UN to address international incidents. Apply pressure to foreign countries that are lax in cracking down on data security-related issues. France is currently one major target of complaints with the HUGE amount of scans that companies have seen from wanadoo.fr, yet neither the ISP nor the government seems concerned about it. Incidents.org has corroborated this traffic, and it is legit.

    To summarize my comments: we need a way to globalize both data security issues and resolutions, as well as a certification board to offer a level of comfort to consumers that products won't be full of security holes. There are many other issues facing us out there, however I believe these two would be a HUGE step in the right direction and set the precedent for other issues to be addressed.

    --
    akad0nric0

    This sentence no verb.
  77. Even on the web. by Anonymous Coward · · Score: 0

    http should be eliminated and replaced completely with https, this would mean that third party companies such as verisign be deregulated completely. Basically what I'm saying is that everything is done securely, without a choice. Now it might sound a little overdoing it, but a lot of message board sites even ask for passwords etc, and everyone knows that a lot of people use the same password for everything. Basically this would most likely eliminate man in the middle.

  78. A few ideas by pdqlamb · · Score: 2, Interesting

    First: make sure product liability applies to software products. That will, at some point, allow users to sue companies who foist lousy software on us, which in turn creates security headaches. Code Red and NIMDA are the worst examples of this to date. It could have been much worse.

    Second: Congress needs to do some serious thinking about common-carrier issues for the internet. It seems reasonable to say a phone or cable company, for instance, cannot preferentially transmit information while blocking traffic from another source. Problem is, this is what we count on to block probes and flood traffic. Please try to keep RIAA, MPAA, and other intellectual property thugs out of these deliberations!

    Third: it seems Dubya and his cronies don't have a really good idea how to handle security. Ask them for details on how a redundant govnet will increase security before giving them lots of money to hand out to their favorite contractors.

    Fourth: push available technology. NSA with SE Linux is a great idea. How about pushing IPv6 and IPSEC, for instance by including it in communication RFPs? That would increase the availability (from virtually nil) and help work out the bugs. How about specific funding to increase the security of notoriously insecure government computers hooked up to the net? The GAO will tell you, after they finish laughing, how well secured government nets are.

    I also like the idea of computer security scholarships. Are these still around after the change in administration?

  79. How many laws does one country need? by sirket · · Score: 1

    Congress has already made hacking illegal. In fact, Congress has made it a terrorist offense. If we let them make any more laws, hacking will become treason.

    The best thing Congress can do is stay the hell out of the way. This is not the government's responsibility. Any halfway decent administrator can keep people out of their network or at least minimize damage should a system fall. The only thing the average administrator can't do a lot about is DoS attacks and those are already illegal as well.

    -sirket

  80. Fuck the gov't by Anonymous Coward · · Score: 0

    I don't need their help in defending my network. More new laws is the last thing we need.

  81. My Wishlist by medcalf · · Score: 5, Insightful

    In no particular order:

    1) The Federal government should encourage, not discourage, the use of encryption, without key escrow or back doors, by not regulating encryption in any way. (The government should also invest heavily in the appropriate technology to break encryption when it needs to do so.) Without the fear of government intervention, application designers will be encouraged to add encryption to email and other software as a business advantage to themselves, thus allowing my business to communicate more securely with ease.

    2) The Federal government should encourage open source and open standards by requiring the use of open source software and open standards on all government systems (except possibly military/intelligence systems). This will get more eyes on the code, thus reducing vulnerabilities and fixing them faster, and will ensure that people are unable to take advantage of unpublic holes in uncheckable software.

    3) The Federal government should generally *not* regulate the internet, as this can introduce holes that cannot be fixed because of regulatory requirements. In particular, the government should not use either legislation or funding to control the use of the internet by libraries, schools and other non-Federal government institutions, or by private individuals and organizations. There are a few exceptions I would be OK with:
    a) requiring "edge filtering" so that networks would not support denial of service attacks;
    b) allowing wire fraud charges against people/organizations who deliberately send email without proper and valid headers (or with forged headers), so as to obscure their identity while sending unsolicited commercial email and/or perpetuating scams (note that this should be allowed for the purpose of anonymously propagating a political opinion, for example, just not for commercial use);
    c) requiring organizations who control internet naming or numbering to have public accountability, as these organizations were largely granted a monopoly by the US government; opening up these processes to a standards-based system where everyone can participate; or allowing anti-trust legislation against such bodies if they attempt to coercively control internet access.

    4) The Federal government should designate ISPs and online communities as common carriers.

    5) The Federal government should require cable and telephone companies, as part of their FCC licensing requirements, to offer the option of access to the network for paying subscribers without mandatory membership in an ISP, and in particular an ISP should not be allowed to gain monopoly status by association with a government-granted monopoly such as a cable system. This would have reduced the @Home debacle, for example, to a trivial matter. The potential for AOL/Warner is even worse down the road if something is not done to guarantee choice in broadband access.

    OK, I guess I got a little away from security with some of that.

    -jeff

    --
    -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
  82. Get outta my way by WildBeast · · Score: 1

    I would tell that senator to get outta my way. We were doing pretty damn good without government involvement. We don't need your so called "help".

    The only thing he can do is to try as hard as he can to protect our freedoms and oppose the laws who place limits on our freedom.

  83. Re:Wiretap law problems, lack of knowledgeable peo by Anonymous Coward · · Score: 1, Interesting
    I have several friends who work for the government, and this is one of their biggest complaints. A well-defined set of rules, at the level of "You can and you can't" that applies across systems.

    In some areas, particularly National Security areas, we should give the SAs the ability to take well-defined countermeasures to counteract attacks, including tracing DoS attacks and making contact with their sources. Consider a "hack-back" capability - yes, there are "collateral damage" concerns, especially where DDoS attacks are involved, but those companies and individuals should be held liable for their poor security anyway. Give government SAs the ability to knock attackers off the Net, if they need to, in well-defined circumstances.

    Other suggestions: pay the system administrators more. You're losing people to contractors at an alarming rate - and the trend toward contractors doing SA duties for federal agencies frightens me (and I'm a contractor).

    Set up standard security training, and make ALL Federal SAs take it, and pass. Keep it up-to-date, and have annual refreshers. This industry IS changing that fast.

    Mandate periodic security audits of all federal agency IT systems, and punish the branches that fail them repeatedly. By "periodic" I mean more than once a year - otherwise, you're not keeping up.

    The US Government should be capable of the most effective anti-intrusion response. Do what it takes.

    Establish a clear policy for who investigates and prosecutes computer intrusion and attacks. A quick browse over the Web will show the anguish people have when they get attacked and nobody seems to care - things haven't improved much from Cliff Stoll's day (read The Cuckoo's Egg for details). Somehow, make the government guys stop fighting and arguing for jurisdiction and DO SOMETHING that shows results. Not just going after idiots like Mitnick - effective operations against people like those guys from Moscow who've been blackmailing British banks.

    Above all, establish some limited liability for negligence. A computer network should be treated like any other publicly-connected conveyance - if I fall on the sidewalk in front of your house because you haven't maintained it, I can sue you. If I get DDoS attacked by a dozen computers on your network, I should be able to make you pay (something, even if it's not much) for your stupidity and culpability in not keeping your systems up to date and secure. IF you can show you were fighting back, then you're off the hook - but if you were blind, deaf, and dumb, you should share the pain.

    But then, these are just MY opinions....

  84. My Wishlist by Crispin+Cowan · · Score: 1
    My wishlist, in priority order:
    1. Back off on making various forms of tools illegal. This just makes it that much harder for the defenders.
    2. Impose liability on networks that do not do egress filtering.
    3. Oppose the SSSCA .
    4. Fix the DMCA .
    Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc.
    Immunix: Security Hardened Linux Distribution
    Available for purchase
  85. "Responsibility" for bugs will hurt Free Software by braddock · · Score: 2, Insightful

    It's all well and good to propose holding Microsoft responsible for security holes in their software, but please keep in mind that this also means that Open Source Software authors will ALSO be held fiscally responsible for holes in THEIR software.

    Microsoft will be far more able to pay up for massive holes in IIS than, say, the author of BIND or Sendmail. I would imagine that one successful suit could take out RedHat altogether.

    Don't hurt community-oriented authors for making their code public.

    -Braddock

  86. Egress Filtering is a nice name for ... by Erris · · Score: 2, Insightful
    ... Carnivore. No thanks. The goal is to promote sturdy, redundant communication networks. Anything that gets in the way has got to go!

    I've got a long list of things I do not want the government doing, and what they should do instead. They should not be reading my email, they should prosecute those who do as they prosecute those who use the inherently insecure protocol known as US mail. They should not be collecting information they don't need to do the job of infrastructure development, military defense and welfare. They should not be buying insecure proprietary OS such as M$ offers. I'd much rather have information kept on secure servers so that it will stay put. The government should not hand over the publicly built communications infrastructure to a cartel of greedy corporate interests. Redundancy should be encouraged and inexpensive anonymous public access assured.

    Security should not be an excuse to hand the internet over to either corporate or government censors. This is the future of publications and it must remain free. The future freedom and prosperity of our country depends on free information interchange. Business can not function without privacy in their plans. Individuals can not be sure what is true if they can not trust the media that brings them their news. Control of the internet by government or corporate censors will eliminate all the blessings of this new form of communications.

    How exactly do you do this? Mr. Senator, that is your job. Now get to work.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
    1. Re:Egress Filtering is a nice name for ... by Anonymous Coward · · Score: 0

      My, that was sure helpful.

      Perhaps the inability to DOS without getting traced would make networks more "sturdy", eh?

      Everybody has something to hide. But the people with the most to hide are invariably crooks. Deal with it. Hence the fourth amendment's protection requires *reasonable* searches.

    2. Re:Egress Filtering is a nice name for ... by nestler · · Score: 1
      Egress Filtering is a nice name for ... Carnivore

      No, it isn't. Egress filtering is making sure that IP packets with forged source addresses never make it out of a given network. It has nothing to do with reading email. Egress filtering makes stuff like DDoS much easier to track down, since you wouldn't have to deal with spoofed IP source addresses.

    3. Re:Egress Filtering is a nice name for ... by jac · · Score: 1

      > ... Carnivore. [...]

      um... no it's not. It means filtering IP packets that have source addresses that aren't part of the net / subnet from which the packets originate. This makes spoofing packets harder, especially for the less skilled and often most sociopathic.

      Applying these filters thoughtfully will help stop DDoS attacks and make other attacks easier to trace. We do want to hold crackers and script kiddies accountable for their actions, no?
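      The egress filtering that nestler and jac describe above (and that JordanH earlier suggested requiring of every network provider) can be shown concretely. The following is an added Python example, not code from any poster on this thread: it assumes the network has been assigned the constructed prefixes 203.0.113.0/24 and 2001:db8:1::/48, checks each outbound packet's source address against those prefixes, drops and counts anything that does not belong (the spoofed traffic a DDoS bot would emit), and renders the equivalent Linux iptables/ip6tables rules for an assumed upstream interface eth0.

```python
import ipaddress
from collections import Counter

# Assumption (constructed): the address space this network legitimately originates.
LOCAL_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed sample of outbound packets as seen at the border router.
SAMPLE_PACKETS = [
    {"src": "203.0.113.10", "dst": "198.51.100.1"},
    {"src": "203.0.113.42", "dst": "192.0.2.80"},
    {"src": "10.0.0.5", "dst": "198.51.100.1"},          # RFC 1918 source leaking out: spoofed
    {"src": "192.0.2.200", "dst": "198.51.100.1"},       # claims someone else's address: spoofed
    {"src": "192.0.2.200", "dst": "198.51.100.1"},
    {"src": "2001:db8:1::7", "dst": "2001:db8:ffff::1"},
    {"src": "2001:db8:9::7", "dst": "2001:db8:ffff::1"},  # IPv6 source outside our /48: spoofed
]


def is_legitimate_source(src, prefixes=LOCAL_PREFIXES):
    """True if the source address falls inside one of our own prefixes.

    Membership tests across address families are simply False, so a v6
    source is never matched against a v4 prefix and vice versa.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def egress_filter(packets, prefixes=LOCAL_PREFIXES):
    """Split outbound packets into forwarded and dropped.

    Returns (forwarded, dropped, spoof_sources); spoof_sources counts how
    often each forged source address was seen, which is what an operator
    would use to find the compromised host inside the network.
    """
    forwarded, dropped = [], []
    spoof_sources = Counter()
    for pkt in packets:
        if is_legitimate_source(pkt["src"], prefixes):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            spoof_sources[pkt["src"]] += 1
    return forwarded, dropped, spoof_sources


def iptables_rules(prefixes=LOCAL_PREFIXES, iface="eth0"):
    """Render equivalent netfilter rules: accept our prefixes, drop everything else.

    Assumption: iface is the upstream (Internet-facing) interface. Using
    per-prefix ACCEPT followed by a single DROP stays correct when more than
    one prefix of the same family is assigned.
    """
    rules = []
    for tool, version in (("iptables", 4), ("ip6tables", 6)):
        nets = [n for n in prefixes if n.version == version]
        if not nets:
            continue
        for net in nets:
            rules.append(f"{tool} -A FORWARD -o {iface} -s {net} -j ACCEPT")
        rules.append(f"{tool} -A FORWARD -o {iface} -j DROP")
    return rules


if __name__ == "__main__":
    fwd, drp, spoof = egress_filter(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    for src, n in spoof.most_common():
        print(f"  spoofed source {src}: {n} packet(s)")
    print("\n".join(iptables_rules()))
```

      Run on the constructed sample, three packets are forwarded and four are dropped; the counter points at 192.0.2.200 as the most frequently forged source, which is the lead an administrator would follow back to the internal machine emitting it. The rendered rules apply the same policy on the Linux FORWARD chain.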

  87. My vote is to... by Anonymous Coward · · Score: 0

    ...repeal the DMCA and stop UNCITA and all other bad laws like those. Strengthen the antitrust section of the DOJ (the laws are good, we need enforcers). Make corporate lobbying a capital crime - the government must serve the people. Preserve freedom and then get out of the way! I am not holding my breath for this.

  88. Encryption is a significant issue by James+Youngman · · Score: 3, Insightful

    Don't mandate key escrow. Key escrow will inhibit the adoption of encryption, and encryption is vital to both proper and secure authentication and to data privacy. Attempts by various parties to limit the widespread adoption of encryption might make their job easier but is not good for (internet) security. It is frequently said that if you outlaw encryption, only outlaws will use encryption - that is, making it illegal to use it will not stop criminals from actually doing so.

    Re-think laws that make it possible to prosecute scientists for publishing the results of their research - i.e. the DMCA or parts of it.

    Encourage the adoption of IPv6 - perhaps by allocating budget for adoption of this by government agencies (I mean carrot here, not stick).

  89. don't legislate exploit tools! by Hoonis · · Score: 1

    I think it's important to make sure that legislation punishes offenders who do real damage to systems, but I prefer not to have laws against probes and scans etc, as it makes me think twice about testing my own systems. I manage firewall/ security for a silicon valley company with about 80 people, and 500+ systems (computer labs) on the network. It's vital for me to be able to run portscans on my own networks to validate security, just like it's important for me to have access to exploit code to see if my systems are vulnerable.

    I think it's important to realize that the legitimacy of cracker tools made public is that the white hats can test & lock down their systems, and that no legislation should limit their use in ways that would inhibit my ability to test & secure my systems.

  90. Establish standards of harm by Anonymous Coward · · Score: 1, Interesting


    I would advocate that organizations do not have an interest in maintaining security since there have not been cases that establish harm caused by inadequate security. Most security breaches could have been prevented had the organization implemented well-known technical controls (keeping software patched, maintaining a firewall, keeping antivirus software up-to-date). Therefore, the organizations failed in their duty to protect their systems, which led to a breach that caused harm to a third party (customers, other ISPs, etc). These situations are similar to organizations that fail to safeguard physical assets that led to harm to a third party.

    Negligence lawsuits tend to be the solution to these problems. The lawsuits force organizations to reimburse injured parties thereby causing the organization to be more proactive in their safeguards.

    I would think that the reason why we haven't seen more of these cases is the difficulty in establishing 'harm'. I would advocate that a law that defined harm to include downtime, tangible damages (ie destruction of physical assets), labour costs, and lost revenue; could go a long way in encouraging these lawsuits. Additionally, it would provide metrics that insurance companies could use in establishing risk profiles.

    While I hate the concept of lawsuits, I think it is ridiculous that large ISPs, Microsoft, and others, can blame the victim - when they were the ones that failed to implement common security controls (egress filters, buffer overflow checks, etc).

    With Regards,
    I am Bob

  91. (duh) by Anonymous Coward · · Score: 0

    In the meantime, keep using multiple levels of security. Screw the overhead if you've got sensitive data...

    I take it you learned the hard way? This just seems to be common sense to me, very very obvious. You don't run DNS, Web, telnet (eek), ftp, and a database with sensitive data on one box. This is just plain ridiculous. There's way too much going on here that could make this sucker a very sweet honeypot.

    Multiple layers is the only way to go (even if you don't have the capital, borrow some!!!), and it models itself in much the way that physical security works. If it's cold outside, you don't wear shorts and thongs, you layer clothes... LLA (limited liability admins) seems a good idea, though.

    1. Re:(duh) by llamalicious · · Score: 1

      No, not from experience, from common sense and knowledge of current law.

      I've watched a small company get into serious trouble for themselves from what was billed as a "secure" solution, but wasn't.

      For using this 3rd party's software, the company was being pursued for damages perceived by the client when a hole was discovered.

  92. Some suggestions by jd · · Score: 5, Insightful
    • Security should fall under some form of "trades description act" - eg: what you're offered is what you get. A firewall that isn't, secure transactions that aren't, or privacy that's sold, should be actionable. That isn't about the limits of technical skill, it's about fraud that merely happens to involve computer technology.
    • It should be illegal for an ISP to prohibit customers from implementing security on their machines (except where that security is, itself, a hazard to other machines)
    • Where the technology exists to prevent criminal abuse, and an ISP neglects to use it for reasons OTHER than financial or technical, then that ISP is an accessory to the crime, and should be held accountable as such.
    • Insurance companies should have the right to carry out periodic audits of computers belonging to customers they insure, and modify premiums according to the flaws encountered.
    • Customers of companies should have a similar right to scan the companies they deal with (and vice versa), so that neither side can claim ignorance of the status of the other, prior to transactions taking place.
    • As things stand, "important" web transactions are secure, and all others aren't. This is the same as placing a large, neon sign over the hidden wall-safe. It is no longer hidden, or safe. I would like to propose that unsecure, or only partially-secure websites be subject to penalties, where such a policy results in a breach of security.
    • Finally, where conscious and deliberate inaction results in an expense to any emergency service, security agencies, etc, the organization responsible should be expected to reimburse those costs, in full. (Note that this is for inaction alone. You can't sensibly penalize those who make a genuine effort, even when that effort fails.)

    Implementing even a few of these should deal with the national deficit, quite nicely. Some of the biggest costs in both public and private spending are to fix serious problems, after the fact. The burden should be shifted, as much as can realistically be done, to those responsible. A stitch in time saves nine. But, damn it, the tax payers shouldn't have to pay for someone else's failure to stitch.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Some suggestions by Autonomous+Cow · · Score: 1

      Be careful what you ask for...

      quoting jd:

      > Security should fall under some form of "trades description act" - eg: what you're offered is what you get. A firewall that isn't, secure transactions that aren't, or privacy that's sold, should be actionable. That isn't about the limits of technical skill, it's about fraud that merely happens to involve computer technology.
      Who is to blame for a {firewall|secure transaction} that isn't? Of course the provider is. But before you jump on this bandwagon, consider that the provider includes the software developer, the consultant that installed it, the manager that approved it, the slashdot article that recommended it, the nerd-in-a-laboratory that invented the technology, etc. In today's suit-happy legal environment, everyone you can imagine will be liable. Let's hope you don't work in a technical field, or this list includes you.
      I will very happily agree that those who sell information they promised to keep private should be [insert cruel and unusual punishment here]. But companies are allowed to share information with their marketing partners -- your insurance provider, your bank, their banks, anyone their banks own, etc. Maybe that portion of the law should be reviewed by someone other than a pathological marketroid.

      > It should be illegal for an ISP to prohibit customers from implementing security on their machines (except where that security is, itself, a hazard to other machines)
      I agree, but... it is a small step to allowing (or forcing) ISPs to require some specific security software on customers' machines. And simpleminded shortsighted uncaring micro$oftie ISP's (and I have dealt with enough, thank you) will require their customers to use WinWhatever (or a Windows-based product) to implement that security.

      > Where the technology exists to prevent criminal abuse, and an ISP neglects to use it for reasons OTHER than financial or technical, then that ISP is an accessory to the crime, and should be held accountable as such.
      Does the government really care whether [small ISP owner] have the technical expertise or the financial resources to carry out your business in a lawful fashion? No, they will make the laws and let the little guys figure out how to deal with them. Additionally, the big boys (AOL anyone?) already have enough lobbyists to make sure that the laws favor them and hurt the smaller ISPs.

      > Insurance companies should have the right to carry out periodic audits of computers belonging to customers they insure, and modify premiums according to the flaws encountered.
      Back to my Windows-only argument. If you are not using [some expensive closed-source security package], you must not be secure. Let's not observe that your insurance company just happens to own significant equity in the developer of [that expensive closed-source security package].

      > Customers of companies should have a similar right to scan the companies they deal with (and vice versa), so that neither side can claim ignorance of the status of the other, prior to transactions taking place.
      I would suggest a third-party audit. What if I (your customer) am also your competitor? What useful things might I uncover as part of my innocent audit?

      > As things stand, "important" web transactions are secure, and all others aren't. This is the same as placing a large, neon sign over the hidden wall-safe. It is no longer hidden, or safe. I would like to propose that unsecure, or only partially-secure websites be subject to penalties, where such a policy results in a breach of security.
      I think the government will like this one, but modify it to say "everything must be securely transmitted" and "oh, by the way, we need all the encryption keys." For security purposes. To protect the children. Do they really need an excuse, when half the population doesn't even vote?

      > Finally, where conscious and deliberate inaction results in an expense to any emergency service, security agencies, etc, the organization responsible should be expected to reimburse those costs, in full. (Note that this is for inaction alone. You can't sensibly penalize those who make a genuine effort, even when that effort fails.)
      Yes.

      Basically I like your ideas. But I fear the ability of big corporations / big government to limit our use of free & open software & protocols, and to destroy small businesses in the name of the public interest.

      --
      The Autonomous Cow. Moo.
    2. Re:Some suggestions by jd · · Score: 2
      Oh, I fully agree with you. It took a good while to figure out even the approximation to a balance that I posted.

      The problem is to develop a set of rules that meet the following underlying criteria:

      • They can't be perverted by any large organization, lobby-group or political party.
      • At the very worst, nobody who plays fair loses out.
      • Those who -don't- want to play fair are given enough (public) dis-incentives that they might even reconsider.

      The first one, I approached by having a lot of overlap and interdependency. Trying to implement only a few, or trying to twist only a few, will only have a limited effect. At least, that was the idea. :) Don't know if my suggestions would actually achieve that!

      The second one was tougher. You've got to make it possible to level the playing-fields of the courts. A tough assignment, at any time! You've also got to make it financially practical for (allegedly) cash-strapped police to actually pursue computer crime. It's not the cheapest sort of case, and has absolutely none of the reward to deal with. You've also got to make it cheaper to do something positive than to do nothing. Inertia is the Great Enemy, and the Second Law of Thermodynamics seems to apply even more to the workplace than it does to nature.

      The third is the toughest of all. If crime didn't pay for some, then nobody would ever commit any crimes. Mere deterrents have never proven effective and an effective legal system has never been achieved in the history of humanity. Any dis-incentives have got to be in the form of making it profitable enough for people to stay legit, that there is really no advantage in not being. Phew! Talk about Mission Impossible! This is a realm of psychology that, if anybody actually understood it, we'd never be discussing this issue at all. About all I could think of was to start by combatting the notion of the "helpless victim". In many areas, there really -are- helpless victims. Computing isn't one of them. If the "victims" take care of their side of things, they cease to be victims. And if you have no victims, you can't have any perps who are victimizing them.

      (Sure, this is simplistic, but this is an area with no experts, and "peer-review" means someone with a similar opinion. That left looking at techniques which have been absolute failures in the past, and trying to figure out what that left that might stand a chance in hell of working.)

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  93. network ownership by heedra · · Score: 1

    The _only_ issue that I as a network administrator feel cannot be handled most effectively by private enterprise and individuals is that of network ownership. The current large-ISP trend is alarming in that it undermines the dynamic and free nature of the internet at large. Large ISPs mean larger pipes, fewer nodes, fewer owners of fiber backbones. This increases vulnerability to both private and government [ahem, Carnivore] maliciousness, increases the potential for deliberate corporate mayhem (anyone forget about the MAPS vs. ORBS DoS via AboveNet?), and cripples the effectiveness of anonymous publishing schemes such as FreeNet. Sadly, due to the current lack of respect by ISPs and government for individual rights, such schemes (even less sophisticated distributed file sharing systems such as Kazaa/Morpheus) represent a last resort for truly free online publishing. Just make sure AOL/TW doesn't end up as my upstream, alright?

  94. Laissez Faire by Ivan+Raikov · · Score: 1

    1. Let the industry regulate itself, in the hopes that more secure network equipment and software would be chosen by system administrators and users .

    2. Let the government repeal ridiculous legislation which provides specific treatment to "computer crimes," and let these be handled by more general laws, such as those concerning fraud, etc.

    3. In order to make the public more aware of IT security issues, the government needs to adopt policies of public security evaluation of any network equipment and software it's considering using in their offices. For example, if a government organization decides to use OpenBSD for their computer systems, and explains well the security features of OpenBSD and why it's good to have these security features, then chances are the general public will make a note of this, and executives in companies might start considering information security policies for their organizations.

  95. threats to network security by drfrog · · Score: 1

    I'd have to say the biggest threat to network security is
    the good old U.S.'s use of democracy to
    usurp our freedoms and liberties

    every day there is more and more taken away

    and it affects all levels of security not just computer based

    --
    back in the day we didnt have no old school
  96. Freedom vs. Control by Steamed · · Score: 1

    I'll have to confess that I'm not fond of either side when the discussion becomes focused on maintaining a balance as opposed to fostering a goal.

    Case in point: software tools. Replies already run the gamut from banning Outlook to not touching NMAP. Instead of having the government trying to decide what software is good and what software is bad (my spine shivers at the thought...) how can we foster an environment where net usage continues to grow and resiliency is encouraged? Would highlighting of the most guilty parties to frequent CERT advisories provide "encouragement" and loop back to financial incentives to provide better software?

    Another case: anonymity vs. accountability. Instead of striking a balance and risking losses on either side, why not focus on development of the net? This leads us away from outlawing NYM servers, but also would be in line with egress controls.

    You can sit on a non-moving bike trying to maintain balance, but it's a lot easier to maintain the balance when the bike is moving. Get moving to the right goals and balance comes on its own.

    --
    The opinions expressed are almost certainly NOT those of my employer....
  97. Mod the parent UP by Anonymous Coward · · Score: 0

    Make the company that CLAIMS it can secure my info actually FINANCIALLY RESPONSIBLE for any losses that occur. Exactly how to do that is a mystery to me.

  98. Responsibility by RichMan · · Score: 1

    The primary reason for the lack of all forms of security is that there is no established form of responsibility. For too long the software industry has hidden behind the "user accepts all responsibility" firewall of responsibility. What is required is that there be a required level of protection offered by network and computer security services and that users have legal recourse to recover losses should the security services fail.

    I see this not coming through government legislation but through government demands. The government should require on all its system installations that there be a sign off on some level of responsibility for meeting security requirements with penalties for failure. If the government can break the ground everyone else can follow in and demand similar arrangements.

    I.e., to use recent examples, Exchange will only be installed if Microsoft is willing to pay 2x the direct costs for cleaning up every virus outbreak.
    IIS will be installed only if Microsoft is willing to pay 2x the direct costs of keeping patch levels current and fixing any damage from exploits.

    If a company like Microsoft is unwilling to stand up for its products perhaps some third party would be willing to do the work.

    If they want to implement legislation how about making software designers liable for "negligent design flaws" and for "obvious flaws".

  99. We do Hold Companies Liable by #!/bin/allen · · Score: 1

    We do Hold Companies Liable:
    When they ignore repeated warnings and you get scalded so badly you have to be rushed to the hospital.
    When your car's manufacturer repeatedly denies the problem, but its brake pedal makes the car race forward.

    But those are sold products, not licenses. There is no similar recompense available for software.

    --
    sed 's/commun/terror/g' mccarthy > bush; sed 's/terror/saddam/g' bush > bush_wacked
    1. Re:We do Hold Companies Liable by OSgod · · Score: 1

      So who is liable if I use open source software? Linus for Linux? This road does not bode well for open source -- be careful what you ask for or only the companies that can afford the lawyers will sell software.

      The issue isn't is it good enough software -- even the best has flaws -- the issue will come down to is it half decent and can you defend against the rest of the claims.

    2. Re:We do Hold Companies Liable by The+FooMiester · · Score: 1

      So who is liable if I use open source software?

      I think the linux community will offer you a 200% refund (based on the GPL-suggested retail price).

      --
      The previous has been a secret message to my comrades.
    3. Re:We do Hold Companies Liable by OSgod · · Score: 1

      The issue goes to liability -- which is above and beyond the purchase price if allowed at all.

  100. Crypto is the strongest tool we have. by braddock · · Score: 2, Informative

    Cryptography is the strongest weapon we have against cyber-terror.

    Whatever is done, don't put limits on cryptography.

    I design secure cryptographic-based architectures for a living. I can't design a secure information system without strong cryptography.

    It's a shame that in the public eye cryptography became a "tool of terrorism" in the days following 911, when in reality it's our only hope for an attack-resilient Internet infrastructure.

    At the same time, it is a merit to Congress that crypto limits have NOT yet emerged in the reactionary aftermath.

    -Braddock

  101. I don't think so.... by busterman · · Score: 1

    I realize this person is researching the topic using all available resources at his/her disposal, but do we really want the government to dictate network security to us? I certainly don't! Look at welfare. Look at social security. Look at government housing. How long do you think it would take the government to pass legislation on this topic? Come on guys, get real. As for all you whiners complaining about Microsoft products.....go make something better! Replace them! Quit your bitching, moaning and complaining. This is a republic founded on the principles of capitalism and free enterprise. Don't you think that if Bill Gates could become what he is today, that any of you are capable of the very same thing? Just because you're too lazy to do it is no excuse. To the lawyer: Tell your Congress person friend to go bark up some other tree and leave this alone. Consumers will dictate to the market the need for greater security in software, online transactions and information sharing. The market will respond in kind because they need the consumer dollars. It's all kind of symbiotic, really. We don't need Congress to tell us how to secure our networks. That is all.

  102. Hi. I'm from the government. I'm here to help you. by John+Hasler · · Score: 1

    "Or would you tell them to get out of the way?"

    Yes. They've already "helped" us by creating Network Solutions and ICANN. I don't think we can stand any more of their "help".

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  103. Government funded research open sourced by pubjames · · Score: 3, Interesting


    Make all government-funded development work open-sourced.

  104. To meddle or not to meddle by janolder · · Score: 2, Insightful
    Sadly, I think that the government can do little in way of issuing new laws to help network security in the private sector. You can't prevent people from opening viruses "like you told me not to" with a new law. You can't prevent Microsoft from setting "user friendly" defaults in Outlook, Internet Explorer and SQL that violate the most basic security principles with a new law.

    However, the government can do some things:

    1. Deal with Microsoft's monopoly effectively. Microsoft's continued embrace, extend, kill the competition and then screw it up strategy doesn't help security one bit. They have no motivation whatsoever to fix even the simplest problems in Outlook and other swiss-cheese-like products. If there was a viable competitor in that market the two would probably attempt to one up each other on several points, including security.

    2. Use more secure and more reliable software inside the government (read Linux, et al). Refuse to use/purchase products where security flaws crop up every time you read slashdot.

    3. Use/support open standards and refuse to use/purchase products that rely on embraced and extended technology.

  105. Put laws in place for Security Insurance by JWhitlock · · Score: 4, Insightful
    Computer Intrusion is a cost of doing business. Because the Internet is not secure, and because it can be low-cost to break into computer systems, computer systems will be broken into. Making intrusion illegal will help when you catch someone, and may help dissuade others, but more often than not, other crackers will simply analyze the case for mistakes and blame the criminal for "being stupid". Making tools illegal will give sys admins an irrational sense of security, since they won't be able to test their own networks with their own tools.

    One thing that may help is if there was some independent firm that could give a qualitative and quantitative measurement of a company's security. These independent firms could review patch logs, sys admin procedures, backup procedures, and employee training materials. They could also perform more intrusive audits, using a standard set of tools (upgraded quarterly) to attempt to infiltrate the organization. At the end, they could then give some sort of ranking, to let a company know what bases have been covered and how they rank with others in the industry.

    This service is done by many security firms, but there is no real standard. All the information is proprietary, and usually secret, because a company doesn't want to publicize what holes were found. Even then, there is no real motivation to get ongoing reviews, because, if there are no visible hacker attempts, then it seems like a waste of time and money.

    This might be changed by offering computer security insurance. This insurance would cover the cost of recovering after a successful cracking attempt, as well as any lost business. An insurance firm would evaluate the current security and ability to recover from a hacking attempt, and find a reasonable insurance rate based on the company's preparedness.

    This would help in several ways. First, even though the evaluation would be between the insurance company and the insurance purchaser, the insurance rate would show up on the financial reports. Investors and reporters could compare the rate and the coverage, and make a rough determination of the fitness of the company's security measures. The rate information should be included in the financial report, since this information would help an investor decide how likely a company is to suffer financial loss due to a hacking attempt. It may require a law to get this insurance information into financial reports.

    Second, it would give companies a forum to disclose successful hacks. Currently, companies keep all but the most damaging hacking attempts secret, because it makes them look bad in the eyes of investors. If there is a financial incentive to report hacking attempts (they could get some insurance money back), there may be motivation to share this critical information, and other companies may be able to secure their own systems against new methods.

    Third, damage claims would be more realistic. When a cracker is caught, many companies let their imagination soar when it comes to damages, assuming fantastical scenarios like, "What if he found our most prized trade secrets, and sold them to our direct competitor, thus making us lose all the profit from that product / service?", or "What is the sum of all the salaries of everyone who ever worked on that machine?". If the company had to actually file a claim, then the insurance company would dictate the terms of that claim, what is fair game for damages and what is not. This will help put the cracker's actions into better perspective.

    Fourth, once standards are formed, the government could use the standards for contractors. For instance, a contractor working with "Secret" documents may have to have a score of 90 out of 100 for the general company, and a score of 97 out of 100 for the division working with the secret data. The government may even demand scores of 100 - not unrealistic for a score based on repeatable and auditable tests.

    Fifth, the insurance companies would have an incentive to discover what security measures work, and which don't. If they find that yearly training for employees to deter social engineering attacks work, then they can make that part of the standard. If randomized one-use passwords work, then it goes in. If some widely believed precaution has little effect, it can come out of the standard. In general, we'll have a better idea of what makes a secured network, and more books will be written helping small businesses meet the insurance company's demands.

    Sixth, we can develop labs like UL for computer security, which can rate software, operating systems, and hardware, giving them ratings for their out-of-the-box configurations. Vendors will work harder for better ratings, and auditors will have an idea how much patching needs to be done for a particular system to be kept up-to-date. Security will actually become a selling point.

    I'm not sure if there is a law that would make this happen. I'm sure you can talk to the insurance lobby, and get a rough idea why this doesn't exist yet.

    1. Re:Put laws in place for Security Insurance by darkmoon03 · · Score: 1

      One thing that may help is if there was some independent firm that could give a qualitative and quantitative measurement of a company's security. These independent firms could review patch logs, sys admin procedures, backup procedures, and employee training materials. They could also perform more intrusive audits, using a standard set of tools (upgraded quarterly) to attempt to infiltrate the organization. At the end, they could then give some sort of ranking, to let a company know what bases have been covered and how they rank with others in the industry.

      Try looking at http://www.cisecurity.org . The benchmark tools give a simple score (out of 10). The tools are still pretty new, but are a good starting point for a security audit.

    2. Re:Put laws in place for Security Insurance by Animats · · Score: 2
      The Hartford Steam Boiler Inspection and Insurance Company has an approach like that. They started out insuring steam boilers (hence the name), but now will insure against other "equipment failure", including computers and telecom gear.

      The key idea behind Hartford Steam Boiler is inspections. They inspect before issuing the policy, and they tell you what you have to fix before you get coverage. They inspect during the policy, sometimes when you're not expecting it. They insist on things being done right so that they don't fail.

      This hardass approach works. When Hartford Steam Boiler Insurance started in 1866, boilers blew up frequently. Today, boiler explosions are rare, and boiler explosions for boilers insured by Hartford Steam Boiler are almost unheard of.

      If you want reliability, that's a proven way to get it.

  106. no business here, no authority either by MoNsTeR · · Score: 2

    Frankly, I don't see how network security is any of Congress' business.
    And regardless of whether it's a good idea or not, I don't see anything in the Constitution that would grant them authority to take any action in this arena.

  107. All Aboard!!! by A_Non_Moose · · Score: 2, Insightful

    Thank you for using Cluetrain express, be seated and enjoy.

    I realize I am merely echoing what others have said, but to have a 'fellow professional' ask our opinion/advice is always welcomed.
    Add to the fact that a US Senator is asking makes it even more necessary to voice our opinion.

    (HELLOOOO! McFly!!! ...some of you /.'ers saying "you want us to do your job for you?" need to board the cluetrain as well...uh, Senator, law making, U.S. of A, Constitution, righting wrongs, fixing bad laws... mean anything to you?
    Apologies for the brow beating, someone had to say it)

    I realize it has little to do with security, but hear me out:
    Consider the eBook, DeCSS, Napster, DRM, Watermarking, DMCA, SSSCA, RIAA, MPAA, Microsoft, et al.

    What do all of these have in common? Bad Laws, legislation, and corporations who are twisting and perverting the legal system to their own will, and succeeding to implement new forms of Prohibition.

    You see the 1920's provided a clue to a generation: You can NOT legislate morality.

    What these laws are saying is "Napster Baaad", "Fair use, Baaaad", "Freedom of speech Baaad!"...you get the idea.

    Trying to "outlaw computers, fair use, tools of the trade" is a bad idea, but it is one that seems to be advancing at an alarming rate.

    What is being ignored in the law making body is:
    The tools of the trade (any trade), be it a lock pick, gun, sledge, bolt cutters, or, yes, a computer...these things need to be available regardless of intent and use.

    It seems most corps/senators/congressppl are afraid of "what we might do/think" and are making it illegal.

    Wrong, wrong, wrong.

    I think a "Digital Boston Tea Party" protesting this "Digital Prohibition and Taxation w/o representation".

    But the only thing that comes to mind is lobbing modems and misc computer parts on the Whitehouse/Congressional 'doorsteps' in protest.

    Ok, I've gone on long enough, but I'll leave you with this thought:
    The most powerful network security tool is called "a pair of wire cutters", after that is finding the offending wire and pulling as hard as you can :) .

    Cheers,

    Moose

    --
    Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
  108. Not just MSFT, how about RHAT, SUN & Open Sour by Carnage4Life · · Score: 2

    How about holding various companies whose products are exploited the most (re: MS) liable for their lack of security?

    There was a recent security seminar sponsored by the Georgia Tech Information Security Center, given by Gene Spafford, who is the director of the Purdue CERIAS (Center for Education and Research in Information Assurance and Security), where he mentioned the problems with security and the software industry. One of his slides in his presentation showed that Windows NT and Windows 2000 (combined), RedHat Linux and Solaris are respectively the first, second and third on the lists of OSes that have had vulnerabilities discovered in the past five years.

    Legislation that aims to punish companies for writing insecure software would harm almost every company that writes any software that is aimed at being used in a server/multi-user environment since security is an absolute that most non-trivial software does not reach.

    Secondly, who will be forced to pay when it comes to Open Source vulnerabilities? wu-ftp is notoriously broken, as is telnetd, sendmail, BIND and some would consider recent bugs in the Linux kernel as OS vulnerabilities. Opening the door to lawsuits to software developers for writing software would probably kill a number of projects rather quickly.

    I'd rather that we let capitalism take its course. If customers want secure products then they should stop buying insecure products or they should communicate to the vendors that security is of importance to them. As long as consumers (both individuals and corporate entities) continue to accept the status quo then no change will be made but I don't believe that lawsuits will solve anything except make some lawyers rich and significantly increase the cost of software as the effects of the lawsuits are passed on to consumers.

  109. Incentives for prevention, not prosecution by Anonymous Coward · · Score: 1, Insightful

    Provide incentives for building security into products and networks. Push ISPs to block obviously spoofed addresses, and to implement more robust routing protocols with trustworthy authentication. Push for open review (and maybe open source) for security critical software. Use the purchasing power of the US government to push these things. Allow companies to be held liable for negligence, when their poor security causes damage to third parties. Allow software makers as well to be held negligent in not using "due care" in making their software free of security holes (hint: there is a vast literature out there on software engineering that can be used to establish the due care standard). Don't pass more silly laws outlawing "hacking tools", and don't make the big emphasis on prosecuting petty hackers. If most sites had adequate security to begin with, these petty hackers wouldn't stand a chance. Basically, facilitate market mechanisms that force the true cost of poor security to be suffered by those who deserve to suffer.

  110. How about... Leave it alone! by night_flyer · · Score: 2

    thanks to government regulations:
    Houses cost more than they need to
    Medical Insurance/Procedures/Drugs cost more than they need to
    Automobiles cost more than they need to
    we have the DMCA

    no I don't think we need any more of their "help"

    --


    Thanks to file sharing, I purchase more CDs
    Thanks to the RIAA, I buy them used...
  111. Accept encryption is for ALL by imrdkl · · Score: 1

    I guess it's been said in other ways, but our government must accept and be OK with the fact that encryption is for everyone. Not just the good guys. Furthermore, government must accept that encryption means that they will not be able to monitor everything, or everyone.

  112. Congressional wishlist by Anonymous Coward · · Score: 0

    1) Leave crypto and its proponents alone

    2) fix dmca so that we can troubleshoot and talk about problems we find with our systems without fear of retribution via dmca from big corporate

    3) don't even think about making #2 worse by adding SSSCA into the mix

    4) if you're going to make laws about viruses, trojans, etc either both bo2k and magic lantern are naughty, or both should be left alone because they have legitimate uses

    5) we know more about technology, when we speak, do us the courtesy of listening

  113. Something you can actually do by Syberghost · · Score: 5, Insightful

    Mr. Senator, there is something you can actually do for us.

    It even involves you getting to pass a law, which I know is something you Senators greatly enjoy.

    It is:

    REPEAL THE DMCA SO WE CAN GET SOME DAMN WORK DONE.

    Thanks for taking my valuable time (because I pay for your time, too) to listen.

    1. Re:Something you can actually do by Amazing+Quantum+Man · · Score: 4, Funny

      MOD THIS GUY UP!

      And, along the same lines, may we suggest that you take Sen. Hollings out by the woodshed and whack him with a cluestick until he drops any remote thoughts of introducing the SSSCA?

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
    2. Re:Something you can actually do by Anonymous Coward · · Score: 0

      LOL! What do you do for a living, sell bootleg movies? Explain exactly how the DMCA has stopped you from working, and how many hours you've lost to it. Dumbass.

    3. Re:Something you can actually do by Anonymous Coward · · Score: 0

      It makes people afraid to contribute and share more than just movies, Bozo.

    4. Re:Something you can actually do by thelaw · · Score: 1

      or, since repealing laws is usually too difficult (because it involves admission of a mistake), quietly pass a rider to a spending bill (everybody loves those) that merely edits or reverses the objectionable parts of the DMCA.

      jon

      --
      -- http://www.cerastes.org
  114. Security by buss_error · · Score: 2
    Part of the problem is that some confuse a tool with something that can only be used for "evil". A set of lockpicks in the hands of an honest locksmith are just tools of the trade. In the hands of a crook, they can be tools of crime.

    The problem is distinction. Systems administrators are not (and should not be) required to be licensed. This makes having tools which could be used for testing or black hat hacking always open to targeting by unsophisticated law enforcement. We've seen this time and again on Slashdot.

    Our current internet is impossible to completely secure and still offer usable services. A big problem with security are ISP's that require you uninstall any firewall software before they will support you. Firewall software on broadband should be required, not by law, but by the ISP being responsible. No firewall, no connection. Same for virus engines and current virus signature data files.

    The other big security hole on the internet is the constant bugs found in software such as Outlook and Outlook Express by Microsoft. Other vendors are guilty too, but by far the most problems are with MS products, and they just keep turning up. Part is sloppy code, part is just the way simplistic programs have to be written for the (now) average user. Harry Homeowner doesn't understand a lot about computers, nor does he want to. He wants to get on AOL or MSN, cruise the internet, and get his e-mail. As long as the most common user is of this type, security of all types will be very difficult to implement.

    Another part of the problem is that many non-technical people keep looking for the magic bullet to fix all the security problems, and want to pass laws to make it so. They forget that a law in the United States has no effect in China, and vice-versa.

    We will always have rogues with us. That will never change. There are some simple things we can do to improve security, one being that outbound filtering be emplaced. This doesn't require a law, but a bit of effort on the part of a router owner.

    As simple as it is to use, the internet is far from simple. Most people that use telephones don't understand how they work, and the same is true for computer users. Any law requiring one thing or forbidding another will have very little long term effect on computer security for the mid-level black hat. At most, you will make life a bit harder for script kiddies, but not for long and not very much. Conversely, you will be making our (honest administrators) life difficult.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
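    The outbound filtering the comment above asks router owners to put in place (and the blocking of "obviously spoofed addresses" suggested in comment 109) is the rule that a packet may only leave a site with a source address the site actually owns. The following Python is an added illustration, not code from any poster; the site prefixes and the sample packets are constructed, and a real deployment would express the same rules in the router's own ACL syntax.

```python
"""Egress/ingress anti-spoofing filter (the "outbound filtering" idea).

Added example, not code from any poster in this thread. A border router
forwards an outbound packet only when its source address belongs to a
prefix actually assigned to the site, so a compromised internal host
cannot emit packets that claim a foreign source. Inbound, it drops
packets that claim an internal source or come from non-routable space.
All prefixes and packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: prefixes assigned to the hypothetical site (documentation ranges).
SITE_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Address space that must never appear as a source on the public Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "out": leaving the site; "in": arriving from the Internet


def in_any(addr, prefixes):
    """True if addr falls inside any prefix (version mismatch is never a hit)."""
    return any(addr in p for p in prefixes)


def decide(pkt, site=SITE_PREFIXES, bogons=BOGON_PREFIXES):
    """Return (action, reason) for one packet; action is 'forward' or 'drop'."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "out":
        # Egress rule: only our own addresses may leave as a source.
        # (A site that NATs RFC 1918 space applies this after translation.)
        if in_any(src, site):
            return "forward", "source is inside assigned prefixes"
        return "drop", "spoofed source: not an assigned site address"
    if pkt.direction == "in":
        # Ingress rules: nobody outside may claim to be us, and bogon
        # sources cannot legitimately arrive from the Internet.
        if in_any(src, site):
            return "drop", "spoofed source: outside packet claims internal address"
        if in_any(src, bogons):
            return "drop", "non-routable source address"
        return "forward", "source is a routable external address"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def filter_batch(packets):
    """Apply decide() to every packet; return a list of (packet, action, reason)."""
    return [(p, *decide(p)) for p in packets]


def drop_count(packets):
    """Number of packets in the batch the filter would discard."""
    return sum(1 for _, action, _ in filter_batch(packets) if action == "drop")


# Constructed sample traffic as seen at the site border.
SAMPLE = [
    Packet("203.0.113.7", "198.51.100.9", "out"),        # legitimate outbound
    Packet("198.51.100.9", "192.0.2.1", "out"),          # internal host spoofing a foreign source
    Packet("2001:db8:1::5", "2001:db8:ffff::1", "out"),  # legitimate IPv6 outbound
    Packet("2001:db8:2::5", "2001:db8:ffff::1", "out"),  # IPv6 source outside our /48
    Packet("198.51.100.9", "203.0.113.7", "in"),         # legitimate inbound
    Packet("203.0.113.9", "203.0.113.7", "in"),          # outsider claiming to be us
    Packet("10.0.0.5", "203.0.113.7", "in"),             # RFC 1918 source from the Internet
]

if __name__ == "__main__":
    for pkt, action, reason in filter_batch(SAMPLE):
        print(f"{pkt.direction:>3} {pkt.src:>18} -> {pkt.dst:<18} {action:7} {reason}")
```

    Of the seven constructed packets, the three legitimate ones are forwarded and the four spoofed or non-routable ones are dropped; the logs of such drops are also where a defender first sees a compromised internal host trying to spoof.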
  115. Techno-Politics by virg_mattes · · Score: 2

    I agree with you because I find the original poster's statement to be incomplete. I would reword it, "Making something illegal or applying mandatory monitoring by non-technologists does nothing...." In response to your rebuttal, the punishments you described were (for the most part) established by those with experience, if not expertise, in social psychology. If punishments and deterrents are developed by those with a knowledge of network security, they're much more likely to be effective (and not overreaching) than those developed by politicians without the background necessary to make intelligent decisions about technology.

    Virg

  116. My wishlist... by Marcos+the+Jackle · · Score: 0

    1. First, we need to get tougher on computer criminals. We are not doing enough investigation and when we do catch someone they get a slap on the wrist. Free Kevin? Hell no... Fuck Kevin! Can't do the time, then don't commit the crime.
    2. OSs that are rife with security holes. I guess that leaves... Microsoft.
    3. Do not outlaw software that will allow me to test my network... nmap, BO, et al.
    4. Let government set an example for the private sector by taking greater interest and care with their own networks. It would be nice to see more local govt agencies using Linux or BSD for critical network systems. Not only that, but publicly stepping up and saying that they are taking that approach.
    5. It would also be nice to see local govt sponsoring security and networking cons and get-togethers for local businesses so that those businesses are given more exposure to security ideas and resources.
    6. OSs that suck. See 2.

    Mk.

  117. Stop Gov't Interference w. Security Research by rlp · · Score: 5, Insightful

    My biggest concern is the woeful state of computer security research in the U.S. Due to crypto restrictions in the U.S., foreign firms offering commercial cryptographic products have gained a major competitive advantage. This has translated into more R&D money for these firms. The crypto regulations were repealed. But now history is repeating itself, due to congressional meddling with Intellectual Property laws (DMCA, and its ilk). It's had a chilling effect on security research in this country. Similarly, the Sklyarov arrest resulted in foreign security experts being very wary of even attending conferences in the U.S.

    At a time when the U.S. needs to strengthen our computer security infrastructure, congress has managed to handicap the very people needed to accomplish this goal.

    So, bottom line, change the laws (starting with the DMCA), before all computer security research moves offshore.

    --
    [Insert pithy quote here]
  118. People in Congress... by llordreefa · · Score: 0

    Cannot be trusted. Anything you say or do will be taken out of context and used against you and all the rest of us.

  119. Liability - Criminal and Otherwise! by bbleier · · Score: 1
    First, we need criminal (or at least substantial civil) liability ... for administrators and managers who fail to take adequate precautions. This liability should run to the executive level. CEOs who disregard network security, who ignore the clear advice of administrators, who fail to do a cost benefit based risk analysis, and who treat network security events as "acts of God" somehow beyond their control, should be prosecuted.


    Why? Because without liability most executives treat these risks in the abstract. To many of these executives, security events are acts of third parties, and they would rather insure than address the issue appropriately (assuming they have bothered to understand the issue in the first place). Worse, they then conspire to hide the event. If the information gets out, they might get sued by shareholders, or worse.


    More importantly, we need "safe harbor" regulation that gives these executives protection from criminal prosecution to the extent they disclose. If there is an event, they disclose it. If they fail to, and some whistle blower drops a dime to the feds, the executive goes to prison. Period.

    How many times must it be said that security through obscurity does not work? Yet network defenses are weak because all of these corporate executives will back and fill to cover their own malfeasance or nonfeasance. The art of the cover-up is alive and well. Without this, infrastructure protection falls down.


    And any efforts to silence the black hat side would be a mistake. The level of communication is constructive, as it is the only reliable source which might be used to strengthen defenses! If you don't see it coming, don't count on corporate america to disclose!


    Problem is that many Republican pols see this as some sort of gift to the trial lawyers bar - just creates more civil liability and we all spend the next 50 years in court. The Dem pols see this as unnecessary criminal liability and a new source of intrusion into personal lives. And both sides of the aisle get substantial contributions from corporate america, and none of those "giving" CEOs want any risk of going to jail. Even if their criminal negligence puts national health and safety at risk (read power grid/water/telecommunications infrastructure).


    You did ask... :-)

    --

    Quis Custodiet Ipsos Custodes "Who Keeps the Keepers Themselves" ~ Juvenal

    1. Re:Liability - Criminal and Otherwise! by bbleier · · Score: 1
      Your rules? You put up a corporate network, you get hacked, and that has some consequence or externality toward someone else. Then yes.


      Perhaps I should emphasize the elements I set forth a bit more carefully for those that don't read carefully. There should be a risk analysis included. Say "your" network controls some aspect of public infrastructure. Say the power grid.


      And read my post again, I listed a number of elements, including critical infrastructure, as well as clear delineation of risk in advance to AVOID ALL LIABILITY. What you need to realize is how often corporate interests ignore these risks, EVEN WHEN THEY ARE FULLY ADVISED. This errs on the side of free information on a public network.


      Why do they ignore them? Because there are no consequences. Now sure, if you run your little network in your little corner of the world, and it gets hacked, maybe it is no big deal. Maybe, your little computer gets hacked, and then your machine is used to hack the power grid. Now maybe you don't care. Maybe you think your actions are without external consequences, but you are connected to a public network. There should be responsibilities that come with that.


      Also note, that I argue for a "safe harbor." I only want disclosure of knowledge that will avoid risks. Wouldn't it be helpful to you to know about machines that got hacked on a PUBLIC network? You check your logs for access from those machines?

      Your position, that private actors on a public network should be completely independent is the indefensible position. You want to play on a private network, you go ahead and keep all your secrets. You join the public network, your machine privately plays a part in some network Chernobyl, you have responsibilities that arise from your failure to maintain your network responsibly.


      Finally, focus on the risk cost benefit analysis. Say you run the power grid, or the water supply. You get hacked. You cover it up. You get hacked again, and everyone ends up sitting in the dark. Lives are lost. Health and safety is out the window. But your cost benefit analysis was internalized. You only cared about keeping your "private" secrets, and avoiding personal responsibility.


      Don't lose the distinction between libertarian and libertine. Libertarians do believe in the internalization of externalities, last time I checked. Incidentally, this liability, for the most part, already exists. We just don't see the litigation, for the very reasons I'm arguing. Corporate criminals keeping public secrets! We would be better off if the best protection were public information!

      --

      Quis Custodiet Ipsos Custodes "Who Keeps the Keepers Themselves" ~ Juvenal

    2. Re:Liability - Criminal and Otherwise! by Lish · · Score: 1

      Let's say that I don't care about security. And let's say we get hacked. You are suggesting that I somehow committed a crime?

      If you did not practice "due diligence" in protecting customer data, or as a result of your company being hacked someone is harmed (company or person), or your network is used as a "jumping off point" for hackers, or if a hacker uses a server in Marketing to store child porn...

      I could keep going, but I won't. Any of those cases would land you and/or your company and/or your admins in court. Yes, you have the right to do what you want to your company. But the instant it affects someone or something that does not belong to you, it is no longer your free choice.

      Let's say that hacker breaks in, and copies your HR employee database, which includes SSN's, salaries, etc. about all your employees. Think for a minute they'll just let it go as "well, it's the company's choice to ignore security"?

      --
      "This message is composed of 100% recycled electrons."
    3. Re:Liability - Criminal and Otherwise! by breillysf · · Score: 1

      I agree with your comments about liability for negligent operation of networks. However, I think you have confused who is in the pockets of the trial lawyers. The Dems are the ones who get their funding from the Trial Lawyers Assoc. and it is the Republican pols who are always trying to cap jury awards and limit contingency fees.

    4. Re:Liability - Criminal and Otherwise! by Jumperalex · · Score: 1

      No you do NOT have that right if your being hacked results in my personal / financial information being stolen. Double that if it is the direct result of willful neglect. Technically we don't even need a new law as it could be deemed Criminal Negligence but IANAL so I don't know if that only applies to something that would cause physical harm. In that case an amendment would suffice.

      But don't tell me that because it is your company that you have the right to do whatever you want when the results of that will impact me.

      --
      If you can't be good, be good at it!
    5. Re:Liability - Criminal and Otherwise! by Lish · · Score: 1

      Dude, you totally missed the point. You claimed in your post that companies should not be criminally liable as a result of being hacked. I said, there are cases where they _are_ liable and should be. I did _not_ say that companies should _always_ be criminally liable, or that there should be a law making that so. I think it would be good for security all around if major access providers were legally bound to maintain secure conditions, but that doesn't mean I think everyone should have to do so. Just because I disagree with you doesn't mean I agree with the poster you responded to.

      Don't use due diligence, get hacked into, and something happens to someone else, and you'll likely answer to a court. Not for the consequences to or for directly harming the other entity, but for negligently allowing it to happen by using poor security.

      If I own guns, and I leave the gun case unlocked, and my kid's friend gets out a gun and shoots another kid, guess what: I'm partially liable, for not taking proper precautions. That's the way it is, and we all have to take responsibility for our actions, even if it's just running an insecure network.

      --
      "This message is composed of 100% recycled electrons."
  120. Enforce ISP source address validation by Marrow · · Score: 1


    Make it a law that the ISP's have to validate that a packet coming from their network out to the Internet has a valid source address that originates from within their network. This will make it much more difficult for DOS attacks to take place anonymously. They should block and log all packets with source addresses that are RFC Private source addresses or addresses that could not have originated on their network.

    This is a simple thing for any ISP to do.

    This will allow the ISPs to work together to quell DOS attacks when they take place and track down machines that have DOS trojans so they can be cleaned.

  121. Redundant? I haven't seen the suggestion above by Greyfox · · Score: 2
    See you in metamod.

    This would be my NUMBER ONE suggestion for reducing DDOSes and improving internet security in general. Egress filtering (Removing packets originating from inside your network if their source address doesn't correspond to your IP range) would go a long way towards shutting down the skript kiddies.

    There is no magic bullet but this would be a big help.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
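    The source-address validation that Marrow (comment 120) and Greyfox (comment 121) describe, and that LinuxParanoid later calls cheap to implement, comes down to a short per-packet policy. The block below is an added example, not code from any of the posters: it applies that policy in two directions, outbound (a customer packet must carry a source inside the ISP's own prefixes and never a private or martian address) and inbound (a packet arriving from the Internet must not claim one of the ISP's own addresses), and logs every drop so the offending customer can later be traced. The prefixes, the sample packets and the log format are all constructed for the example; the "ISP" prefixes are RFC 5737 documentation ranges, chosen so no real network is implicated.

```python
"""Per-packet source-address validation ("egress filtering" as discussed above).

Constructed example: the prefixes, packets and log format are assumptions,
not anything an actual ISP published.
"""
import ipaddress
from typing import List, Tuple

# Hypothetical address space delegated to "our" ISP (constructed; these are
# RFC 5737 documentation ranges, chosen so nothing real is implicated).
OUR_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Source ranges that can never legitimately originate from a customer and
# leave for the public Internet: RFC 1918 private space plus the usual
# martians (loopback, link-local, "this" network).
BOGON_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
]


def _in_any(addr, prefixes) -> bool:
    return any(addr in net for net in prefixes)


def classify_egress(src: str) -> str:
    """Verdict for a packet leaving our network toward the Internet.

    Permit only if the source address belongs to a prefix we actually route;
    anything else is spoofed or a bogon and is dropped."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "DROP:unparseable-source"
    if _in_any(addr, BOGON_PREFIXES):
        return "DROP:bogon-source"
    if not _in_any(addr, OUR_PREFIXES):
        return "DROP:not-our-prefix"
    return "PERMIT"


def classify_ingress(src: str) -> str:
    """Verdict for a packet arriving from the Internet at our border.

    A packet from outside claiming one of our own addresses is spoofed
    (nobody else routes that space); bogons are dropped as before."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "DROP:unparseable-source"
    if _in_any(addr, BOGON_PREFIXES):
        return "DROP:bogon-source"
    if _in_any(addr, OUR_PREFIXES):
        return "DROP:spoofs-our-prefix"
    return "PERMIT"


def filter_packets(packets: List[Tuple[str, str]], direction: str):
    """Apply the policy to (src, dst) pairs.

    Returns (forwarded packets, log lines for the drops) so that dropped
    traffic can later be traced back to the originating customer port."""
    classify = classify_egress if direction == "egress" else classify_ingress
    forwarded, log = [], []
    for src, dst in packets:
        verdict = classify(src)
        if verdict == "PERMIT":
            forwarded.append((src, dst))
        else:
            log.append(f"{direction} {verdict} src={src} dst={dst}")
    return forwarded, log


# Constructed sample traffic: one honest customer, one spoofing a private
# address, one spoofing somebody else's space (the usual DoS pattern).
SAMPLE_EGRESS = [
    ("203.0.113.7", "192.0.2.10"),
    ("10.1.2.3", "192.0.2.10"),
    ("192.0.2.99", "192.0.2.10"),
]

if __name__ == "__main__":
    fwd, dropped = filter_packets(SAMPLE_EGRESS, "egress")
    print("forwarded:", fwd)
    for line in dropped:
        print(line)
```

    On a real border router this policy is expressed as an access list or as unicast reverse-path forwarding rather than in Python, but the decision is the same: the only thing the ISP needs to know is which prefixes it routes, which is why the posters above call it cheap. The ingress half matters too: without it, an attacker outside can still inject packets that look like they came from inside.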

  122. Education by Anonymous Coward · · Score: 0
    There needs to be some money available for educating NetAdmins and business folk about the necessity of information security.

    Whether that be in the form of grants or scholarships, or business initiatives, whatever. There needs to be a push to get the word out to people who are NOT technical or technically minded.



    I've been to seminars where the speaker is just talking broadly about the subject of information security, yet the questions he is getting from the attendees belies their ignorance. People don't know what a firewall IS, never mind which one would best suit their business.


    BIG business has this concept down, now it's time to take it to all levels of business in the US. Financial initiatives, educational seminars and workshops, that will start the ball rolling, and hopefully not plunge us into financial chaos. There's enough chaos in the world today.



    -A.C.

  123. When nmap is outlawed.... by imadork · · Score: 4, Insightful
    As I've been following this issue over the years, I've been surprised at the parallels between the discussions over firearms and over network security tools and crypto:

    Both are considered "weapons" that can be used to "attack" others (or, in the case of crypto, facilitate attacks, although strong crypto is still considered a "weapon" by the government, right?)

    Both are also tools that can (and mostly are) be used for legitimate purposes

    Both suffer from attacks from their critics who can't differentiate between the inherent goodness/badness of a tool and the goodness/badness of the intent behind the use of the tool.

    Both suffer from the radical polarization of viewpoints on both sides of the issue.

    The only difference that I see is that we don't have a Constitutional Amendment that says "the right of the people to use BackOrifice shall not be infringed..." Perhaps that's what we need?

    I know many people who are pro-"gun rights", and by making these parallels, I've started turning them into pro-"Crypto and Internet Security" people as well. After all, if they passionately believe in the right to defend themselves from the threat that may come through their front door, they will believe in making all the information available for defending from the threat that may come through their cable box!

    (I might add that while examining these issues, I've come to understand and sympathise with the pro-"Gun Rights" people a bit more. I still don't agree with all their points, but at least I understand their basic beliefs.)

    1. Re:When nmap is outlawed.... by Xouba · · Score: 1

      The problem is that, if someone gets your copy of nmap and uses it, he/she can't kill or harm someone physically. And with a gun, he/she will.

      So, though I understand your point (and the pro-gun rights one), for me a gun is still a gun: something that can only be used to kill or harm another being. That's its only purpose, and saying that it's not is only demagogy. IMHO, of course, and I'm totally open to someone showing me I'm wrong with reasons.

      Because you can also use a gun to open a door or to test if your computer can resist a hard impact, but it's not the best way to do it. Though it may be the funniest, I don't know :-)

  124. Decriminalization of information... by chill · · Score: 3, Insightful

    Decriminalize the publication of information. Throwing someone in jail because they talk about an encryption system or they reverse engineer a protocol, is stupid.

    Criminals, by definition, will not obey the law. Criminalizing research and information sharing hinders only the legitimate researchers and security professionals.

    If a product/service is secure, it has nothing to fear from scrutiny.

    --
    Learning HOW to think is more important than learning WHAT to think.
  125. HIPAA, et. al. by flanker · · Score: 1
    From the point of view of IT in a Fortune 500 insurance company, some of the really interesting security legislation coming down the pike that's got everyone scratching their heads around here deals with privacy. I have only a cursory understanding of the various legislation but my understanding is that if a company allows "personally identifiable information" to be viewed by an unauthorized party, they are liable for fines of up to $US250K.


    I personally think this is a very important effort, though it brings lots of juicy scenarios to mind where holes in software are exploited to generate fines and many suits are filed against the software vendor.


    Whenever I get dragged into a meeting where people are going on about this stuff I can't help but think that it would be cool if the person who was able to access the "personally identifiable information" got to keep the $250K!

    --
    Left shift 1 for e-mail...
  126. focus on the system administration (network too) by Skapare · · Score: 2

    Security needs to focus on the system administration. Most security problems can be prevented by proper SA practices, which include selecting appropriate software for the particular environment, keeping that software properly upgraded, and configuring it correctly. But it is not just the lowly system administrator; the problem includes the management overseeing the system administration as well. Management needs to not just dictate that security is a requirement, but also make the decisions that do not hinder it (for example, management should not mandate a particular software program, but rather, set requirements that need to be accomplished). And network administration is also a big part of this. Both system administration and network administration need to work closely together, or even be the very same unit (or the same person in smaller businesses or business units).

    --
    now we need to go OSS in diesel cars
  127. If the Insurance Companies are to head it... by Greyfox · · Score: 2
    The insurance companies should be the ones taking a major interest in this.

    Should they offer discounts for external audits of corporate security? How far should those audits go? Who makes sure the auditors know what they're doing?

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  128. Enhance vulnerability reporting by dks · · Score: 2, Insightful

    A key component of enhancing network security is to maintain (or improve) the pathways in place for vulnerability reporting. CERT, BUGTRAQ, the NYTimes, etc, are frequently responsible for encouraging vendors to respond rapidly to holes in their systems, and are undoubtedly responsible for getting many people to install those patches.

    Recently, at least one large unnamed software company which has had a security PR problem apparently has raised again the ugly suggestion that reporting bugs publicly is irresponsible. (Bad software doesn't cause people to break into systems -- it's people saying that the software is bad that causes people to break into systems.) Other people have suggested closed lists so only "appropriate" people hear about vulnerabilities. It is very important that the government not get boondoggled into restricting access to information about security vulnerabilities.

    There are those who argue that making available exploit code as part of a description of an attack is a large part of the problem (somehow they think there is some magic involved in turning words into code and almost no one can do it). It's unfortunate that public demonstration of an exploit, not mere description, is frequently needed to actually get a vendor to acknowledge a vulnerability.

    Instead of limiting information, why not pressure vendors to write better code in the first place (c'mon, who thought that having your email client execute arbitrary script code in an email was a *good* idea?), and to respond rapidly to problems without having to be splattered over the NY times.

  129. Not just "personal" information by epepke · · Score: 1

    Your points are good, but in the current political climate, talking about securing personal information is unlikely to sway too many people.

    Instead, talk about the needs of businesses to protect their business data. This is not a weasel move; it is a genuine and important need.

    We do not want people to break into bank transfers and steal money. We do not want every virus that comes out of the Philippines to wreck most businesses in the country for a few hours. We do not want monopolies to be able to swipe trade secrets.

    Unfortunately, most "security" measures that I have seen in Congress actually reduce security for businesses. This, ostensibly, is to make it easier for the government to do surveillance on bad people. The fallacy has been the notion that security can be strong enough to prevent corporations from breaking in but not strong enough to prevent the government from breaking in. However, despite what the NSA may say about its superior computers and people, any weakness that is deliberately built into a security system can always be exploited by a clever or lucky individual with far fewer resources.

    This is compounded by the fact that there are far more businesses that are doing good and essential work for the economy than there are bad people who need to be put under surveillance.

  130. Get the hell out of the way... by Usquebaugh · · Score: 1

    America currently has too many special interest laws. The courts cannot seem to administer the current laws in a timely, consistent and appropriate manner. By adding new laws what is the congressman going to achieve?

    America is currently invading a sovereign country, and strongly suggesting it will once again attack other nations.

    The president, whose election read like a putsch, has garnered more and more executive powers, did congress vote to invade Afghanistan?

    The current political climate reads more and more like animal farm.

  131. Um, no. Re:IPv6 and IPSEC by LinuxParanoid · · Score: 1

    Egress filtering would be orders of magnitude cheaper to implement.

  132. My wishlist... by Anonymous Coward · · Score: 2, Insightful

    1. Retain the freedom to publish details about security holes.

    We've already seen the chilling effect on free speech here in America. Many security conferences are moving outside the borders of the USA, worried that many of their experts could be imprisoned under the DMCA.

    More importantly, the congress is going to have to make some tough choices -- one of them will be whether or not code is free speech.

    You can tell your Senator friend that if the act of publishing a security hole is banned, that won't stop the black hat hackers from publishing the information.

    2. Encourage insurance companies to offer "hacking" insurance.

    The current model for security reporting is bad. Software vendors don't want to announce security holes for fear of bad press. Web stores running on insecure servers don't want to admit they were hacked or they'd lose their customer base. But even though you paid $10,000 for this software, it comes with no warranty -- the company assumes no liability for it whatsoever.

    Hacking insurance solves this by setting rates for companies based on the software they're using. Higher rates would be assessed for insecure software running an e-commerce webserver. It protects e-commerce sites against losses they might incur from hacking.

    More importantly, over time insurance companies will act like an industry force, publishing ratings on the relative security of software, and thereby forcing software vendors to react in the first place.

    3. Don't reward software companies who release insecure code with the power of the FBI and the Justice Department.

    The FBI has become the enforcement wing for Microsoft. It's sad that the real issue of Melissa and IL0VEY0U were that Outlook had security holes so big you could drive a truck through them. Unfortunately, Microsoft used the FBI as a PR crowbar to turn public opinion away from their software insecurities to those that took advantage of them.

    It's like Ford releasing a car with locks that didn't work and then using the police investigations to spin the media focus to concentrate on the perpetrators, not the defect.

    4. Privacy Privacy Privacy

    The industry failed to come up with a working privacy protection plan for the consumer who does web browsing. They came up with a lite protocol that will appear in IE6. If websites are compliant to the new standard (which many of them aren't), websites will break under IE6, and users will find themselves shutting those features off the web browser in order to access their favorite web sites.

    Senators, if anybody, should be completely aware of all the issues surrounding privacy. They, themselves made it illegal for cops to obtain video rental records without a warrant, while allowing medical records and social security numbers to fly through the ether completely unrestricted.

    I recommend the following for starters:

    1) Websites should NEVER be allowed to store a credit card number or an SSN on a hard drive after the transaction is completed.

    2) Credit Bureaus must allow people access to their own credit history -- for free -- and must tell people when a credit report was sent and to whom it was sent. This is the fastest way to stop the growing number of identity fraud cases.

    3) SSN's and other personal information such as medical records should be treated like copyrighted works. Organizations must ask the owner's permission before it is given out to others.

    4) Limit the collection of personal information online. This is in essence, so called, "cyberstalking." If I were to do it, it's probably illegal. If companies do it, it's okay.

    5. Back Doors and click-through licenses

    Software companies should not be allowed to introduce back doors for the purpose of disabling software. Often these are announced in the EULA. For example, after installing Microsoft Media Player the user has given approval to Microsoft to disable *any* software on the computer.

    You can be sure that hackers are well on their way to figuring out how to exploit Media Player for illegal purposes.

    ;^)

  133. Stay out..... by BJGehrke · · Score: 1

    The number one thing they could do is to stay out of it. There are very few things the Government does well or efficiently.

  134. K.I.S.S. by tacocat · · Score: 1

    Keep it simple and examine the history and alternative niche areas of the internet to learn what works and what doesnt. Based on that presumption I would recommend the following:

    1. Legalize the tools
      Examples include nmap, tcpdump, sniffit, et al. Why? Because these tell you as well as them that you have holes in your network. Removing access to these tools simply provides ignorant people who don't know how bad their situation really is.
    2. Legalize the process of Public Disclosure of security holes in any products that operate on the internet.
      History shows that the Operating Systems and Applications which have a high disclosure rate have become the most secure in the world. Those who attempt to hide their defects have done little to improve their overall security record.
    3. Congress should embrace the Open Standards ideas that are often found in conjunction with Open Source. It is through these open standards that many eyes can find the holes and the fixes. The alternative of trusting someone who was first to market is an extremely bad idea in any industry where the price can be high
    4. Encryption
      Permit it, Embrace it, Promote it! It's the solution to both Security & Privacy. Someone already posted that encryption should be more the default than the exception - He's right.
    5. Do not introduce regulatory requirements for security.
      This will only feed the problem that small ISP's can barely stay alive in the industry from competition. If you add regulatory overhead, they will be forced to leave. The resulting companies may be able to address some aspects of Security, but you have created the bigger problem of centralizing everything into a few camps. Bad Strategy! Even if someone like AT&T has servers located everywhere - there is a better chance that they are the same rather than different. One good security hole and you drop 35% of the internet overnight!
    1. Re:K.I.S.S. by SuiteSisterMary · · Score: 2

      Umm...hmmm. If the US constitution grants the right to bear arms, and if crypto is classified as a munition under US law, then don't you yanks have a constitutional right to use crypto?

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  135. GET THE @#*&% out of the way by dlakelan · · Score: 1

    I mean it.

    The government can do nothing but damage.

    Almost no-one catches security intruders, when they do, there's no existing barrier to prosecution or lawsuits within the US. And I think it would be wrong to push for treaties or other measures to make extradition and trial more convenient. There are legitimate differences of opinion on what constitutes computer intrusion, and being forced to send a 15 year old off to Germany to stand trial won't help.

    In my opinion laws go too far already. Computer security breaches should fall under tort law, not criminal law. Anything that could directly harm a person by intrusion shouldn't be on a network. (like radiation beam-line control, or other physical control device).

    --
    ((lambda (x) (x x)) (lambda (x) (x x))) http://www.endpointcomputing.com a scientific approach to custom computing.
  136. Force Disclosure by Anonymous Coward · · Score: 0

    Force disclosure of vulnerabilities and consequences when they are known. First this will drive consumers (at least business consumers) to the most secure products. Second it requires vendors to produce security exploits in a timely fashion if they wish to have closed source products which most do and have a right to. In addition set up some liability process such that companies can recoup losses for problems that are not immediately disclosed and corrected. Kinda like an automobile recall. If they choose not to issue one and someone gets hurt because of it...can you say large money award?

  137. Webcurity ? by JamesOfTheDesert · · Score: 1
    WTF is 'Webcurity'? Is that like "obscurity", but on the web?

    Oh, wait, I get it: Take a word, lop off the first syllable, then just put 'web' in front of it. Extra points for ignoring all rules of etymology, or for "inventing" a "word" that a) is not needed and b) doesn't actually convey the intended meaning without some side explanation.

    --

    Java is the blue pill
    Choose the red pill
  138. Getting a bit OT, but... by Amazing+Quantum+Man · · Score: 2

    In some areas, particularly National Security areas, we should give the SAs the ability to take well-defined countermeasures to counteract attacks, including tracing DoS attacks and making contact with their sources.

    This is what Cliff Stoll did when nobody gave a damn during the German Hacker incident. Except, of course, they weren't DoS attacks, they were r00ting.

    I wonder what would have happened with that investigation in today's climate? Would he have been sued for allowing the hacker to run free? What would law enforcement have done? IIRC, the only TLA that paid attention to him was the CIA.

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  139. MY suggestions by rongage · · Score: 2, Interesting

    1) Criminalize the intentional falsification of header information - primary target is Spam senders and IP address spoofing.

    2) Make it absolutely legal to defend my property (servers, IP address space, etc) through any means available (NULL routing, reverse hacking, packet amplifiers, RBL, etc...)

    --
    Ron Gage - Westland, MI
    1. Re:MY suggestions by frost22 · · Score: 1

      2) Make it absolutely legal to defend my property (servers, IP address space, etc) through any means available (NULL routing, reverse hacking, packet amplifiers, RBL, etc...)

      You forgot shotguns...
      --
      ...and here I stand, with all my lore, poor fool, no wiser than before.
  140. Re:Gore in '04 by Anonymous Coward · · Score: 0

    This is the lamest post I've seen.
    A lot of nonsensical drivel, that has nothing to do with web/network security, at least not in the first page, and after reading about 3/4 of that, I wouldn't even bother reading the rest of it.

    Sorry I'm Anonymous, too lazy to create an account, most people know me as Uhh or Arvoreen, which I'll (attempt to) use when I get around to registering.

    . . .just my $0.02

  141. Tools, resources, and Microsoft by Cally · · Score: 2
    Don't make our tools illegal. Well-intentioned attempts to outlaw "hacking tools" and the often dodgy-looking (to the layperson's eye) sites they are hosted on can only backfire. We /must/ be able to run exploits on our own machines and networks. We /must/ be able to use nmap, snort, etc etc. We /must/ have access to Stacheldraht, trinoo, CRC32 and other exploit info.


    Secondly (and I haven't seen this mentioned elsewhere) TAKE IT SERIOUSLY. Put the resources in: hire people, or train the people you have (or BOTH!) Almost every place I've ever worked in my professional IT career has taken a slapdash, it'll-never-happen-here, why would anyone hack us? -type approach to security. Some well known institutions have an absolutely scandalous disregard for the basic principles of info-sec. Perhaps it's time to put some pointy-haired bosses on the stand and ask them to justify their pigheaded disregard for stuff that we all know is common sense. (I've a personal interest here; I've been trying to get a job in fulltime info-sec for the past /FOUR MONTHS/ without success; it seems that in times of budget pressures, security is seen as one of the first areas to cut. Are they completely mad? Do they really think it's a smart move to increase the number of unemployed, pissed off, security-aware net/sys admins out there?? -I'm in London BTW, drop me a mail for my CV :)

    Finally, don't listen to the zealots on this thread who will be saying "ban Microsoft!" Properly secured MS boxes can be as secure as a good Unix. (That means: don't run IIS; don't run IE or Outlook; use *nix for your network infrastructure; educate your end-users; make sure you have management buy-in to what you're doing.)

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  142. Simple. by mindstrm · · Score: 2

    I would ask congress to leave it alone. It's not their problem to fix. The networks belong to who they belong to, and it's up to them to decide how to use it.

  143. Re:"Responsibility" for bugs will hurt Free Softwa by Gummbah · · Score: 1

    Doesn't the GPL state that no warranties whatsoever (not even 'fitness for a particular purpose' (did I get that right?))?

  144. Re:"Responsibility" for bugs will hurt Free Softwa by Gummbah · · Score: 1

    Awww man, not previewing sucks...

    Anyhow, my previous post continues:

    .. are given?

    Two words, only two damn words. ;)

  145. DO make security tools illegal or restricted by wytcld · · Score: 0, Troll

    Making security tools illegal or restricted will doubtless work as well as the war on drugs in promoting innovation (as well as disrespect for a government whose current strategy towards being respected is to promote a world situation wherein we are besieged by terrorists from all sides as well as within - this being the replacement for the old model where government legitimacy was maintained by implicit conspiracy with the Soviet Union to terrorize each others' populations and allies).

    Remember, the more enemies we can cultivate, the surer the civilian support for the institution of 'strong government' and a proud imperial role in the world. Don't get me wrong. I support the war on Muslim fundamentalism. I only question the extension of it to domestic computer professionals and errant teenage hobbyists. The saner extension of it would be to include our domestic fundamentalists, who truly threaten science, culture and civilization. Of course, no one becomes Senator by openly taking them on. But no one who wants to see progress in technology and our economy puts one of them (cough, Ashcroft) in control of laws limiting technology.

    --
    "with their freedom lost all virtue lose" - Milton
  146. Duh! by Anonymous Coward · · Score: 0

    Was your resident script-kiddie using IP-spoofing?

    Dear Mr. Reading Comprehension,

    Please READ the damn post before asking your stupid questions.

    Here, I'll make it easier for you:

    our NAT setup doesn't keep logs of every single outgoing connection from our network

  147. Isnt it obvious? by night_flyer · · Score: 2

    90% of computers run M$ products.
    90% of hack attempts, Worms and Viruses target M$ products.

    String Up Bill!

    --


    Thanks to file sharing, I purchase more CDs
    Thanks to the RIAA, I buy them used...
  148. Re:Not just MSFT, how about RHAT, SUN & Open S by frost22 · · Score: 1

    Legislation that aims to punish companies for writing insecure software would harm almost every company that writes any software that is aimed at being used in a server/multi-user environment since security is an absolute that most non-trivial software does not reach.
    Nobody's gonna be perfect.

    The Objective is not to punish accidentally insecure systems.

    The Objective is to punish vendors that are purposefully or recklessly insecure. The way to do that - as they do it in any other field - is to establish and maintain a set of "state of the art" security practices. Deviation from these would shift the burden of proof to the vendor.

    Frankly, I would absolutely love a law on the books that says "any email program may never ever interpret, receive, display or send anything but character strings of ISO approved character sets, structured by line breaks." (= Plain Text). If you do otherwise, you are fully liable for any and all kind of damage that results from this difference.

    f.
    --
    ...and here I stand, with all my lore, poor fool, no wiser than before.
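
    An added example, written for this page and not frost22's or any project's code, of what enforcing the plain-text rule above would look like on a receiving mail server: a Go check that accepts a message only if it is text/plain in US-ASCII or ISO-8859-1 and its body holds nothing but printable characters and line breaks, and that rejects HTML, multipart messages, base64-carried attachments and control-character sequences. The exact character-set list and the treatment of an undeclared charset are my assumptions about what "ISO approved character sets" would mean in practice; the sample messages are constructed.

```go
package main

import (
	"fmt"
	"io"
	"mime"
	"net/mail"
	"strings"
)

// CheckPlainText returns nil when a raw RFC 822 message satisfies a "plain text
// only" policy, otherwise an error naming the first violation. The policy is an
// assumption about what the post's rule would mean in practice: a text/plain body
// in US-ASCII or ISO-8859-1 (so no multipart, HTML or attachments), carried as
// 7bit or 8bit, consisting only of printable characters plus TAB, CR and LF.
func CheckPlainText(raw string) error {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return fmt.Errorf("unparseable message: %w", err)
	}
	latin1 := false // only a declared ISO-8859-1 charset may use bytes above 0x7F
	if ct := msg.Header.Get("Content-Type"); ct != "" {
		mediaType, params, err := mime.ParseMediaType(ct)
		if err != nil {
			return fmt.Errorf("bad Content-Type: %w", err)
		}
		if mediaType != "text/plain" {
			return fmt.Errorf("media type %q is not text/plain", mediaType)
		}
		switch cs := strings.ToLower(params["charset"]); cs {
		case "", "us-ascii":
		case "iso-8859-1":
			latin1 = true
		default:
			return fmt.Errorf("charset %q is not an accepted ISO character set", cs)
		}
	}
	cte := strings.ToLower(msg.Header.Get("Content-Transfer-Encoding"))
	if cte != "" && cte != "7bit" && cte != "8bit" {
		return fmt.Errorf("transfer encoding %q can smuggle non-text content", cte)
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return fmt.Errorf("reading body: %w", err)
	}
	for i, b := range body {
		switch {
		case b == '\t' || b == '\r' || b == '\n':
		case b >= 0x20 && b <= 0x7e: // printable ASCII
		case b >= 0xa0 && latin1: // printable Latin-1 supplement
		default:
			return fmt.Errorf("byte 0x%02x at offset %d is not printable text or a line break", b, i)
		}
	}
	return nil
}

// Constructed sample messages (not real mail); the .invalid domain is reserved.
const (
	SamplePlain = "From: alice@example.invalid\nTo: bob@example.invalid\nSubject: Lunch\n" +
		"Content-Type: text/plain; charset=iso-8859-1\n\nSee you at noon at the caf\xe9.\n"
	SampleHTML = "From: shop@example.invalid\nTo: bob@example.invalid\nSubject: Offer\n" +
		"Content-Type: text/html; charset=us-ascii\n\n<html><body><b>Big sale!</b></body></html>\n"
	SampleMultipart = "From: billing@example.invalid\nTo: bob@example.invalid\nSubject: Invoice\n" +
		"MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n--b1\n" +
		"Content-Type: text/plain\n\nSee attached.\n--b1\nContent-Type: application/octet-stream\n" +
		"Content-Transfer-Encoding: base64\n\nQUJDRA==\n--b1--\n"
	SampleControl = "From: carol@example.invalid\nTo: bob@example.invalid\nSubject: Hi\n\n" +
		"Hello\x1b[2J world\n"
	SampleUndeclared8bit = "From: dave@example.invalid\nTo: bob@example.invalid\nSubject: Hi\n\n" +
		"Caf\xe9 without a declared charset\n"
)

func main() {
	samples := map[string]string{"plain": SamplePlain, "html": SampleHTML,
		"multipart": SampleMultipart, "control": SampleControl, "undeclared-8bit": SampleUndeclared8bit}
	for name, raw := range samples {
		fmt.Printf("%-16s %v\n", name, CheckPlainText(raw))
	}
}
```

    The check deliberately refuses anything it cannot classify (an undeclared charset with 8-bit bytes, an unknown transfer encoding) rather than guessing, which is the safer failure mode for a filter whose whole purpose is to keep active content out of the mail reader.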
  149. What to do, from a legal perspective by Animats · · Score: 3, Insightful
    • Criminalize spam. Much system administrator time is spent dealing with spam. Those are the same people who have to deal with first-line security issues. There are only a few hundred high-volume spammers, annoying tens of millions of people daily. Just shutting them down will reduce the noise level, effectively providing more resources for dealing with security. Spamming only needs to be a misdemeanor, but the financial penalties should scale with the number of spams, and on the civil side, class actions should be allowed.
    • Create some financial responsibility for vendors who sell software with security holes. The current "as is, no warranty" approach to selling software is part of the problem. This is a mature industry, and it's time for it to accept its responsibilities.

      The same thing happened to the auto industry as it matured. Today we have strong warranties on cars, strong liability laws, and cars work very reliably. The auto industry kicked and screamed about regulation for decades. But in the end, they built better cars. It's time to do the same for software.

      I'd suggest, as a start, that software which will open "executable content" (which can contain viruses, etc.) without the user's explicit permission for each opening make the vendor of said software liable for negligence should any harm result from said action. This liability must not be waivable. That puts the burden on mail readers and web browsers to protect the user against incoming attacks. Don't accept any arguments that this is technically infeasible; it's not.

    • Tighten up the Internet infrastructure. This is being looked at, but a higher priority needs to be given to tightening up the naming and routing systems of the Internet.
    • Don't overreact. So far, the main attack on the US was carried out by about twenty guys with box-cutters. There's no indication of serious "info-war". There's no domestic "fifth column". It's not clear that the enemy uses anything higher-tech than cell phones and fax machines. So back off on the reductions in civil liberties; there's no need.
  150. Government help in security? by gl1ched · · Score: 1

    I do not want or need to waste my time consulting a lawyer to find out whether or not my network's security is within the confines of another moronic law. In other words, the government never makes things simpler or better when it comes to these things (take California gun laws, for instance); they only make it more confusing and more difficult for me to do my job. For example, let's outlaw the ability for people to publish their security exploits. Now the black hats have all the information they need to destroy my network, but I don't have the information to prevent it.

  151. Microsoft Antitrust by remande · · Score: 2, Offtopic
    The Microsoft monopoly is one of the Internet's biggest security holes.

    In a competitive OS environment, security would be a selling point in today's new world. But it isn't. All these Word and Outlook viruses are Microsoft-specific.

    Microsoft products are regularly cracked for two reasons. The first is that, being a monopoly, they are ubiquitous. If Yale was the only company in the nation making padlocks, criminals would only study Yale padlocks and learn to crack them, no matter how well they were built.

    The second is that Microsoft is not particularly security-conscious. The road to Windows started in DOS, which needed no security--it couldn't be networked! All the DOS-based Windows--3.1, 95, 98, ME--either have no security or had security put in after the fact. Only Windows NT, 2000, and (perhaps, I don't know) XP were built with security in mind at the beginning.

    Even with that, Microsoft has made a conscious decision to promote ease of use over security. It's always a trade off: security is obnoxious. If you don't believe me, think back to the last time you misplaced your car keys. Microsoft's decision has been wonderful in giving the average user unprecedented access to information, but just as wonderful in giving the average computer criminal unprecedented access to everyone else's information.

    DoJ vs. Microsoft is still going on, last I checked. Anything that creates competition in the OS market will help secure the Internet. Vendors are likely to make security a selling point, and criminals will have to learn to crack multiple platforms to commit their crimes.

    --

    --The basis of all love is respect

  152. The real problem is right here! by Chagrin · · Score: 2

    Another slashdot poster has noted the real problem with network security -- being able to contact the administrator of a network when you see malicious attacks coming from it.

    I'd hate to see something like this being legislated, but it certainly wouldn't hurt if the government would try to spearhead an effort to provide a canonical location to get contact information.

    --

    I/O Error G-17: Aborting Installation

    1. Re:The real problem is right here! by Chagrin · · Score: 2

      ...or I suppose they could provide some sort of mechanism where attack reports could be sent (so we could let them sort out contacting the correct admin. Hell, they are the law after all).

      --

      I/O Error G-17: Aborting Installation

  153. Re:Gore in '04 by DavidTC · · Score: 1

    That would probably be because it's from the automatic complaint generator. I'm sure someone knows the URL.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  154. WishList by AWRich · · Score: 1

    We do not need any more laws thank you. In fact, if you could get some of the current ones taken off of the books, that would be nice.

    And while we are at it, if you could actually require the FBI to respect privacy and quit trying to monitor everything "just in case", I sure would appreciate it.

    I guess there is one more thing ... maybe it is time that laws and policy intended to apply to technology issues be at least in part, developed by those that understand the technology. Politicians looking to lock in one more block of voters for the next election are far from qualified to be making these types of decisions.

    R*

    -friends don't let friends spam-

  155. You do your part and I'll do mine by The+Man · · Score: 5, Insightful
    I can take care of script kiddies, virus outbreaks, and idiots who install IIS. It is Congress's responsibility to do only two things: (1) require that the computers and networks belonging to the federal government are as secure as humanly possible, especially those which may contain citizens' records, and (2) protect law-abiding or possibly law-abiding citizens from the three letter agencies by forcefully restricting their activities to legitimate investigations using constitutionally "white" - not "grey" or "marginal" or "illegal as hell" methods. That applies to computer crimes as well as all others, and for practical purposes it should restrict the TLAs to prosecution of known crimes involving federal computers, and pursuit and analysis of foreign intelligence.

    Don't protect private companies and individuals from anyone but the government. We can take care of ourselves.

    Don't protect the government from law-abiding citizens. We're at sufficient disadvantage already.

    Don't protect the privacy of convicted criminals.

    Don't create laws that favour any one kind of entity over any other, except law-abiding citizens and corporations over convicted criminals.

    Don't legislate exclusions of liability for security breaches. Let the civil courts decide who, if anyone, is responsible for damages due to security breaches.

    Don't restrict or attempt to restrict cryptography, and strictly prohibit the three letter agencies from planting or distributing intentionally weakened or defective cryptographic tools.

    Don't allow the three letter agencies to wiretap data connections without meeting constitutional requirements - it does nothing to improve security and most likely decreases it by creating additional copies of sensitive information.

    Most importantly of all - *DO* build trust in the security community by passing and strictly enforcing JUST, FAIR LAWS in all matters concerning digital security, copyright law, privacy, and civil liberties. In other words, do your job as statesmen and earn the respect and trust of all the citizens you supposedly represent. Your job is MUCH easier to do when we can trust you, and sadly, your record makes that outright impossible.

  156. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  157. Demand full disclosure by Anonymous Coward · · Score: 0

    Require immediate disclosure of security holes as soon as they are discovered rather than when the patch is ready.

    Sure, Microsoft argues (due to repeated corporate embarrassment) that this is bad and helps the exploiters, but this argument is absurd.

    If I am made aware that there is a serious problem in program X then I need to make a choice. Add extra monitoring, turn off that program altogether or switch to a different program that provides the same function. So if Sendmail has a severe enough problem I may deem it worth the effort to switch to Postfix. IIS is full of holes, I'll switch to NetBSD/Apache.

    Perhaps I will decide that the risk is less than the cost of switching or shutting down and just cross my fingers.

    The point is that everyone has different levels of secrets and each administrator must make a decision based on the level of risk, the options available and the level of damage that is likely.

    To argue otherwise is to argue that we shouldn't tell drivers their Explorer tires may explode and kill them until we figure out how to make a better tire or we shouldn't tell the airlines that their rudder may jam and cause a crash until we know how to fix the rudder. Absurd!

  158. Re:Not just MSFT, how about RHAT, SUN & Open S by sheldon · · Score: 2

    "The Objective is to punish vendors that are purposefully or recklessly insecure."

    You obviously missed the point. Sun and RedHat are just as reckless at releasing insecure software as Microsoft. Perhaps even more so in the case of RedHat, as they are just blindly redistributing stuff others wrote and have no input in the design.

    You might get what you wish for, but you may not like it.

  159. This is of worldwide concern by alexborges · · Score: 0

    All countries (but some European ones) follow American law in digital matters. This, as most Slashdotters will testify, is pretty stupid, but hey, not all countries have such a strong congressional lobbying system. I know it's too much to ask for, but it would be nice for some of us if the US Congress was more aware of this responsibility.

    With respect to digital security I think I have a couple of general principles that should apply:

    1) Network security is different from conventional security in that you try to protect assets that are, in themselves, digital. This doesn't imply that these digital assets cannot affect human or material assets, although, in themselves, they are digital, as are the means for stealing them or tampering with them.
    It follows, then, that it's not improper digital behaviour (if there is such a thing) that you need to make illegal; it's plain old normal-space behaviour extended to cyberspace through digital tools.
    So, laws governing things on the internet should be an extension of plain material laws. This is something the private sector doesn't like; they want to make their own little countries in the net, where only they can rule. That's why they need to regulate cyber-behaviour to fit their own private interests and to grow their existing power insofar as intellectual property goes. That is to say that they want more power in cyberspace than what they have in reality.

    So, in short: Cyberspace law is just law, and it should rule behaviours only. Not research, not programmes (which are only tools), plainly evil behaviour that causes the tools to become accessories to commit crimes. (The obvious analogy is hammers and people vs. programmes and people... you don't have a hammer amendment or jurisprudence, you have a law governing behaviour, like using a hammer to kill your children.) Another analogy is shoplifters in a Music'n More store and pirates. You don't ban cassettes because you can make copies of them, you ban people copying for selling and stealing in the stores.
    Also, you don't say that shoplifters are terrorists; they are robbers and thieves, not terrorists.

    2) Open markets create more wealth than closed ones.
    This is the secret of American economic strength. It provides economic freedom so that all have an opportunity to be a competitor in most markets (I know it's not perfect, but it's better than most). If law allows enterprises to patent basic tools such as e-mail, or on-line selling technology, or playing DVDs with Linux, what's happening is that you are giving a patent on the hammer or the screw or toothbrushes. And everyone producing something like it can be legally burdened by the holder. Anyone can build a hammer; it's been there forever. Well, the same thing goes for most computer systems. They are easy to build and it's easy to create alternatives to most of them. If you patent them you will be killing the enormous natural potential of software to create competition, thus hurting consumers.

    3) Monopolies are real bad.... there is a real tight law

    Alex.

    --
    NO SIG
  160. wish list by Anonymous Coward · · Score: 0

    1) Do not outlaw security tools.
    2) Put limitations on what a EULA can stipulate with regards to liability, and tie it to the way the product is positioned (e.g. if a product is sold as "the most secure crack-proof firewall", the EULA shouldn't stipulate that the maker has no liability if it gets cracked).
    3) If software doesn't work as advertised, a user should be able to return it for a full refund.

  161. Government Sponsored/Provided Authentication by dmharris · · Score: 1
    Federal, State, and local governments provide various forms of identification (driver's license, social security numbers, military ID, etc...). Why not provide free (or for only a relatively small fee) digital identification in the form of individual and organizational X.509 certificates? The government would act as the CA for these certificates.

    Mass certification might encourage increased ease-of-use in "secure" clients. Routine use of encryption and digital signatures, while not foolproof (especially depending on the quality of implementation), would be a big step towards better on-line security for both companies and individuals.

    Authenticating its citizens seems like a natural role for a government.

    Of course, the Verisigns of the world would oppose this because it would amount to institutionalized competition.
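
    To make the proposal concrete, here is an added example (written for this page; not dmharris's code and not modelled on any real agency) of the mechanics using Go's standard crypto/x509 package: a self-signed root standing in for the government CA, issuance of an end-entity certificate to a citizen who submits only a public key, and the check a relying party would run, which has to refuse a certificate from an unrelated root and a certificate presented after its validity ends. Every name in the code is a constructed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// GovCA stands in for the government-run authority the post proposes; every name
// in this file is a constructed placeholder and no real agency is modelled.
type GovCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue gives tmpl an unguessable 128-bit serial and signs it with parentKey (parent == tmpl yields a self-signed root).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewGovCA creates the self-signed root; its key may only sign certificates and CRLs.
func NewGovCA(name string) (*GovCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return &GovCA{Cert: cert, key: key}, err
}

// IssueCitizenCert signs an end-entity certificate for a person or organisation;
// only the holder's public key is submitted, the private key never leaves them.
func (ca *GovCA) IssueCitizenCert(cn string, pub *ecdsa.PublicKey, validity time.Duration) (*x509.Certificate, error) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(validity),
		BasicConstraintsValid: true, // IsCA stays false: holders cannot issue certificates
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}, ca.Cert, pub, ca.key)
}

// VerifyCitizenCert is what a relying party runs at time at: the certificate must
// chain to the trusted root, be within its validity period and allow client auth.
func VerifyCitizenCert(cert, root *x509.Certificate, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Demo issues one citizen certificate and verifies it against the issuing root,
// against an unrelated root, and two years later, after it has expired.
func Demo() (trusted, unknownRoot, expired error) {
	gov, errGov := NewGovCA("Example National CA (constructed)")
	other, errOther := NewGovCA("Unrelated CA (constructed)")
	holder, errKey := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	for _, err := range []error{errGov, errOther, errKey} {
		if err != nil {
			return err, err, err
		}
	}
	cert, err := gov.IssueCitizenCert("Jane Citizen (constructed)", &holder.PublicKey, 365*24*time.Hour)
	if err != nil {
		return err, err, err
	}
	now := time.Now()
	return VerifyCitizenCert(cert, gov.Cert, now),
		VerifyCitizenCert(cert, other.Cert, now),
		VerifyCitizenCert(cert, gov.Cert, now.AddDate(2, 0, 0))
}

func main() {
	trusted, unknownRoot, expired := Demo()
	fmt.Printf("issuing root: %v\nunrelated root: %v\nafter expiry: %v\n", trusted, unknownRoot, expired)
}
```

    The root key here lives in memory for the duration of the run; a real authority would keep it in an HSM, publish revocation information, and verify identity documents before issuing, none of which the example models. The relying-party check is the part that matters for the "institutionalized competition" point: a service that trusts only the government root will reject a Verisign-style root for this purpose, and vice versa, so the trust decision moves to whoever configures the root pool.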

  162. No new laws by Monoman · · Score: 3, Interesting

    Paraphrasing Bruce Schneier: We already have laws in place for stealing, copyright, etc. Just because someone is using a new technology to commit the same old crimes doesn't mean new laws are needed.

    --
    Keep the Classic Slashdot.
  163. Wish: Don't solely care for damages by frost22 · · Score: 2, Interesting

    One problem administrators of educational and nonprofit organizations often face is that they don't get help from law enforcement as long as they can't prove or argue damages. Law enforcement these days only seems to care for businesses and government institutions.

    A good example here is the DOSed university. Universities or others that run a free community service (like IRC servers) get virtually zero help when their system (or even their whole networks) get blasted off the net by some DOS script kiddy, while OTOH armies of FBI agents start running when Yahoo or Amazon is in trouble.

    Law enforcement should
    - consider gangs of electronic vandals (like IRC war clans) organized crime and prosecute them accordingly
    - consider attacks and damage against public and community institutions a heavily aggravating element during sentencing (so the Yahoo hacker will have to serve less or equal time as the guy who DOSes a university IRC or some poor .org's Web site).
    - allocate prosecution resources in a way that they can give equal priority to the finding of a script kiddy regardless of whether he DOSes Boeing or the Younameit Community College Web site.

    f. (who thinks that script kiddies who 'packet' IRC servers (and such, whole networks) for such childish reasons as to take over a competing clan's channel are one of the lowest forms of life, somewhere between the cholera germ and the common spammer).

    --
    ...and here I stand, with all my lore, poor fool, no wiser than before.
  164. Insurance fraud? by Kowh · · Score: 1

    I agree with the ideas put forth here in principle, but having security insurance would mean that (as in any insurance) some companies are going to try insurance fraud and intrude on their own machines and try to claim damages. Without an investigation and guilty party found, how can you be sure it's not an inside job? The insurance companies are likely going to refuse to pay if they arbitrarily decide it's an inside job (they'll surely have some clause) or the insurance rates will be prohibitively high.

    A similar sort of scenario would be arson done to collect insurance, but with arson it is generally more traceable and definitely more localized (the arsonist had to be physically present, meaning they're likely still nearby and very likely seen by witnesses). With computer attacks, if the attack is forwarded, spoofed, etc. and originated from somewhere in Russia, you'd be hard pressed to find out if the CEO didn't just contact Russian-Insurance-Fraud.ru from home to arrange the attack.

    However, if there is some decent check for preventing security insurance fraud, then anything that increases security and accountability of corporations can only be for the better.

    1. Re:Insurance fraud? by JWhitlock · · Score: 2
      I agree with the ideas put forth here in principle, but having security insurance would mean that (as in any insurance) some companies are going to try insurance fraud and intrude on their own machines and try to claim damages. Without an investigation and guilty party found, how can you be sure it's not an inside job? The insurance companies are likely going to refuse to pay if they arbitrarily decide it's an inside job (they'll surely have some clause) or the insurance rates will be prohibitively high.

      You are absolutely right - computer intrusion fraud would be much harder to detect than other kinds of fraud. This is one thing a law would have to address - perhaps making it a federal offense to commit insurance fraud, and create a branch of the FBI that investigates fraud claims. If the insurance company suspects that it may be fraud (and they would make it their business to know what a real intrusion looks like), they would look into it during a normal claim investigation, and, if necessary, alert the FBI to a possible fraud investigation.

      If someone is willing to commit this kind of fraud, one that brings real damage to their business, then either that person is in trouble or the company is in trouble. Remember, the insurance covers provable losses, so any claim will probably fall short of actual losses in time, reputation, stock price, insurance rate, and actual bottom line. A company is less likely to do this to itself or its stock than a rogue employee, and investigations tend to bring these rogue elements into clear relief.

      I agree, fraud is a problem, as well as the international aspect of the Internet. It's hard to see how any laws can help make it more secure. But the insurance idea, especially if it's mandatory for government contracts, creates a financial incentive to secure networks, and sets a benchmark for what is a reasonably secure environment.

  165. That goes for information, too by Hizonner · · Score: 5, Insightful
    There's an attitude out there that says people should have to justify their access to information about security... not just network security. You hear a lot of bleating in the press about how "just anybody" can get access to information about how to do dangerous things, and how we (whoever "we" are) need to clamp down on that in various ways.

    The problem with that attitude is that, to get real security, you have to do things in a secure way everywhere. That means that everybody has to be thinking in terms of security... and not only that, but thinking in terms of things that will actually help, rather than just giving a false sense of security. That takes a certain mindset, and the only way to develop that mindset is to think about ways to break security, to see examples of how security is broken, and to see how existing security measures work, both so you can improve them and so you can avoid screwing them up.

    If you restrict access to information, you end up with only two sets of people who have a clue:

    1. A small group of overworked security specialists. These people can't do it all, and, if the rest of the world is poorly informed, they won't be listened to. In addition, in an environment where information is tightly restricted, it's very difficult to recruit and educate new security specialists.

    2. The bad guys. Being more motivated than the general population, the bad guys will get most or all of the "restricted" information through their own networks.

    Security is everybody's problem, and that means everybody has to understand it. When you release information widely, you educate 100 good guys for every bad guy. When you try to keep everything secret, you hold the good guys back more than the bad guys.

    I'm not saying that there's never a reason to keep anything secret, but there should be a presumption in favor of openness. You should try to keep something secret only when:

    1. It describes the details of an actual vulnerability that hasn't been fixed, and provides information useful in exploiting that vulnerability, AND

    2. Having information about the vulnerability would not, in itself, permit people to protect themselves, AND

    3. You're reasonably sure that large numbers of bad guys don't already know about it. In network security, large numbers of bad guys will definitely find out about it within a few months, if they haven't already found it independently. That means that keeping anything secret for a long time will never work.

    In government, the sorts of things we need to watch out for are:

    1. Excessive classification. It would be nice to see more legislative sunsets on classification, and more requirements for review of the decision to classify something. Patent secrecy orders are especially suspect.

    2. Programs where government information is shared only with "trusted private sector partners". Not only is this intrinsically bad, but it encourages cronyism and corruption, and can create economic problems by raising barriers to entry in security-related industries.

    3. Misguided weakening of "sunshine laws" like the FOIA. Because information is power even more in the Federal bureaucracy than in most places, there's an incentive for agencies to hoard it for political reasons. When all else fails, these laws often serve, not so much to free the underlying information, as to expose the illegitimate reasons it's being held secret.

    4. The occasional calls for outright banning the release of scientific or engineering information, in the style of the idiotic Feinstein "bomb making information" law.

    1. Re:That goes for information, too by docricketts · · Score: 1

      Couldn't have said it better. While I'd like to avoid a Sklyarov rant, laws like the DMCA only hamper the exchange of information, making it illegal for white hats to find the holes before black hats can exploit them. A real world example: If I leave my car door unlocked and a thief steals my stereo, the cops will take a report, but they'll have little to go on and will, more than likely, not even bother to help me find the guy who did it. If the window is shattered and the lock ripped off, a cop is more likely to help out. But, under the DMCA, the equivalent of someone telling me that I should lock my door can get me sued or, worse, arrested. Folks who willfully do real damage to a system *should* be punished. Hackers who find a hole and let the world know before allowing black hats to exploit it should be praised. While Dmitry, admittedly, wrote a program to break the encryption of Adobe's eBook software, the encryption key was so weak that it was relatively trivial for him. And he marketed the program as a tool for those who want to *legally* use an item they bought. He essentially showed the world that Adobe's door was unlocked, and gave us a reason to buy better locks.

      --
      ------ Often it's not the technology that's high, but the people who create it.
    2. Re:That goes for information, too by dumpster_d · · Score: 1

      Please correct me if I'm wrong, but wasn't the "encryption" which was broken merely the default setting of ROT13?
      Oops, guess anyone who read that broke it too--better run while you can.

  166. Obscurity == Fraud by stonewolf · · Score: 4, Insightful
    There should be criminal and civil penalties for withholding information about security risks. Right now I do not have the legal right to know about security risks that are discovered in systems I use, the creators of those systems are not legally required to inform me when a new risk is discovered. This means that I can not make an informed decision about how to protect myself from the problem. I can't even use a list of currently unresolved risks to help me decide what systems to use and/or purchase.

    To me, the withholding of security risk information is a form of fraud. It is the same as rolling back the odometer on a used car. It is the same as selling Pintos with exploding gas tanks and the same as selling flammable pajamas to children. Companies must be required to release security risk information about their systems in a timely manner. They must be legally liable for damages that result from security issues between the time they discover the problem and the time they warn users of the problem. These kinds of penalties will force companies to create secure systems in the first place. And, to warn people in a timely manner so that they can take action to protect themselves. Although it is tempting I don't think the developers should be required to fix the system. But, a list of all outstanding security problems must be included in advertising and on the packaging of any system. People have to be able to make an informed decision about what systems to use. We put warning labels on beer and cigarettes, we require people to wear seat belts, we require the disclosure of the ingredients of all our food, we have lemon laws to protect us from unscrupulous car salesmen, and we have product liability laws that cover every physical thing we purchase. But, we have no equivalent legal protection from the purveyors of software snake oil.

    The only way a company should be able to get out from under these penalties is to declare the product "dead", notify all customers of record that no more security support will be given for that product. Declaring the software dead should also require that the source code and/or system designs as well as any patent and copyrights to the system be released to the customers so that customers can arrange for other sources of security support for the system. At that point the company would not be allowed to sell, distribute, or accept any sort of payment including royalties and support payments for the software.

    Stonewolf

    1. Re:Obscurity == Fraud by julesh · · Score: 1

      This is a promising approach, and something I have to admit never considering before. But, with a little work, it could make a useful, workable system.

      Firstly, to address a slight issue of fairness from the point of view of software vendors, a reasonable time frame must be required before they start to become liable for security breaches. This would have to be varied according to how much the type of product involved depends on the security, and how complex verifying and determining details of the apparent vulnerability is, but as a guideline anything from two working days for an obvious failing in Internet server software up to four weeks for an obscure, hard to reproduce problem in a non-network related application (e.g. a word processor that isn't network integrated in any fashion - nb, MS Word's integration through VBA into Outlook means that this wouldn't count in this category).

      I'm also given to wonder whether or not the current state of law in the UK would hold this to be the case anyway. Acting like this is generally considered 'best practice', and UK law has held companies liable for problems caused by them not acting properly and immediately on knowledge they have before (admittedly I don't believe it has ever been applied like this, but cases such as the discovery of the adverse effects of asbestos and companies using it not warning their employees about potential hazards have been upheld before). Maybe some kind of action needs to be brought. Of course, you'd have to prove that the vendor knew about the problem for a considerable period of time before you were affected by it, and would have to be affected by it before any advisories were published, but I'm sure this can be done sometimes.

  167. The onus needs to be on companies, not the hacker by shinkaze · · Score: 2, Interesting

    I work at a major Tier 1 hosting provider and network security is always a huge concern. The largest issue that confronts my customers in terms of security is liability. I feel that the onus needs to be on the companies that own the solution to provide adequate security. Many times I see customers say "I don't need a firewall, much less an IDS; no one would want to hack my website". Well, unfortunately this makes them vulnerable for crackers to open up the box and turn it into a warez FTP site. Suddenly their bandwidth shoots out of control and we bill them for their usage. The customer in question then says that they are not liable for the bandwidth because it was not their traffic, despite the fact we spell out in their contract that they are liable for misuse of their servers. Additionally, some customer machines will be taken over for a DDOS. Say Customer X has no security and their box is compromised. Customer X's box then participates in a DDOS against Microsoft.com, and when Microsoft's attorneys go through the lists of who attacked them they sue Customer X. I'm not sure if this needs to be legislated, but I do feel companies need to be aware that they are responsible for their own security, and to try and shuffle the blame on to a 16-year-old script kiddie that compromised their machines is just showing their negligence in not providing adequate security. If you would like more examples of this for your research feel free to email me at adambruce09@hotmail.com

  168. Protect our Freedoms by Anonymous Coward · · Score: 1, Insightful

    Sorry, we don't need congress to help in any way except not to pass any laws that could be used to infringe upon our constitutional freedoms. Encourage full disclosure. Do not be misguided/misled by information and initiatives put forth by mega-corporations that try to compensate for their ethical shortcomings.

  169. Re:Not just MSFT, how about RHAT, SUN & Open S by frost22 · · Score: 1

    You obviously missed the point. Sun and RedHat are just as reckless at releasing insecure software as Microsoft.
    If they do, this practice should change. FWIW, the Article did not suggest them to be as reckless or insecure on purpose as M$. It only mentioned them having the same number of reported bugs. OTOH the classical Unix security model is woefully inadequate and at some point will be considered outdated.
    Perhaps even moreso in the case of RedHat as they are just blindly redistributing stuff others wrote and have no input in the design
    No, I don't. If Red Hat started to distribute GnomeOutlook some day, they deserved to be sued to Hell and back.

    Red Hat's product is selling decisions. "This we take, that we don't". So maybe writing code isn't their business, but selecting code is. And therefore they should be held responsible, at least by their paying customers.

    f.
    --
    ...and here I stand, with all my lore, poor fool, no wiser than before.
  170. Re:Wiretap law problems, lack of knowledgeable peo by biohazard99 · · Score: 1

    And let's say Sysadmin A is fired from his job for downloading too much pr0n, he could launch the "Net Nuke" back at his old bosses.

  171. Heh. Yeah right. by camusflage · · Score: 2

    To them, pro-active computer security is like flushing money down the toilet.

    In order to change this, in the context of this discussion, are you suggesting that congress legislate free clues?

    A Stanford law professor has already theorized that owners of hacked sites could be held liable. While I'm not aware of any cases having been brought, it will happen. Right now, it's just credit card number gets stolen, script kiddie buys pr0n, owner reports fraud, credit card company charges back. It would fall to the porn site to seek recourse, and I can think of few less sympathetic plaintiffs than a porn site. One of these days, this will change. Remember: It's always easier to count the money spent doing something than the money lost by not doing it.

    --
    The truth about Scientology, Xenu, and you: Operation Clambake
    1. Re:Heh. Yeah right. by Anonymous Coward · · Score: 0

      Hey, look, everybody! camusflage has some great ideas as usual! He's a font of knowledge. Fuckwit.

  172. Open source vulnerabilities by AmirS · · Score: 1

    There isn't a contract involved in using open source, so no-one can be held liable.

    Closed software vendors on the other hand should be held liable because you have paid them for a particular piece of software, and there is no way they should be allowed to get away with a clause in the license that says "we make no guarantee that this software works or does anything useful..." (or similar).

    By paying for something you expect the goods to be of saleable quality, and if they are not then you can return them and get your money back, or if it causes you losses (by not being secure for example), then you should be able to sue the manufacturers. This is the way it works in every other industry, and software should be no exception.

    Bear in mind that because no money is exchanged for Free Software, it is perfectly fair for there to be no guarantee or implied guarantee that it works.

    1. Re:Open source vulnerabilities by ninewands · · Score: 2

      There isn't a contract involved in using open source, so no-one can be held liable.

      Not so. There IS a legally enforceable license (which is a contract) and it is legally enforceable. The "consideration" to support a contract's enforceability does not HAVE to be money.

  173. The most important thing. by Remote · · Score: 3, Interesting

    The most important thing is to push for the correct approach. By that I mean whenever one talks about anything "digital" or "computer"/"internet"-related, common sense disappears, most people tend to look at relations as if a different balance was needed. It is not. Cyber tools are like any other tools. Companies that offer computer-related products should be accountable for damages, like any other company. Products that involve risk should stamp that clearly in the manuals. The most secure way to use software should be described in detail. If one promises and sends a bill, one has to deliver, or else compensate. Things like that. Think of software as an automobile. It's so simple! That would answer many other questions.

    One thing, though, *is* different: the absence of a clear geographic location for things and people on the net. This can only be dealt with through international cooperation. I would advise your Senator not to try and push for unilateral measures, as seems to be the norm in the US with this administration, because that would make it far more difficult to iron out differences in the future.

  174. Get out of the way. by tclark · · Score: 1

    I don't want to see any new legislation on this. Congress does not have a good track record on such issues. In particular, we need to be free to use cryptography to protect our systems. We also need to be free to disseminate information, so repealing the DMCA would be helpful.

  175. Ask technical communities about legislation by Phleg · · Score: 0

    It's simple, really. I sit here almost every day reading through posts on Slashdot and am often absolutely amazed with the solutions that are proposed. Even a simple glance at this thread can tell you that there are thousands of geeks who have incredible ideas that they are willing to share for the benefit of all.

    If it were considered a necessity to consult with people who are highly involved in communities being affected by pending legislation, things would be a lot better off. Most of the comments already posted have been clear, concise, well thought-out, and are easily understood. If legislators gave priority to these types of people, such as business owners, the Slashdot community (I wish), sysadmins, and security consultants, instead of giving everyone an equal say in such matters, or even just a recommendation from a single advisor on the matter, legislation like the DMCA never would have been passed.

    Now don't get me wrong; I'm a die-hard Libertarian. I think everyone should get an equal say in every matter, but let me use a simple analogy. Who would you trust to defend you in court? A team of diversely-minded career lawyers, specializing in your type of case, or a few close friends (one each being an actor, a gourmet chef, and a carpenter), your next-door neighbor (an interior decorator), your old college roommate (a neurosurgeon) and a man you picked up on the side of the street wielding a sign that reads, "Will work for food"?

    --
    No comment.
  176. Wish List To Please The Senator, and his dilemmas.. by Mabidex · · Score: 1

    Seems from the post that the Senator is concerned with Acts, Current Laws, compliance issues, etc that govern the current state of affairs within the US.

    Under my wish list I would reclassify the Internet as a new controllable entity state with its own governing bodies, under UN direction.

    I only say this, because if we cannot create any global legislation on issues, the US (and others) will always fall victim to predatory attacks.

    The only reason I can see that the senator may not push something like this forward is the feeling of control and influence that the US thinks it has over the internet because of its business ties, but it is these same business ties and income producing entities that lose if we pile on more laws that only exist within our borders. So if the DMCA passes globally through a UN resolution, then fine, most of us will accept it, and globally we would carry out initiatives to stave off attacks.

    The DMCA issue comes from the fact that although other nations may use bully code to give us black eyes, our mother Fed does not defend us, or let us use code to prevent this from happening over and over again because we are not permitted to touch certain 'tools' that are only available to the bullies because their mother countries don't care.

    Mabidex
    www.brainclone.com

  177. Re:"Responsibility" for bugs will hurt Free Softwa by Anonymous Coward · · Score: 0

    Yeah, the GPL does state that, and I'm sure Microsoft's EULA probably says they aren't responsible for security holes too.

    The question is: ARE they anyway.

    -Braddock

  178. End software patents and export restrictions by ENOENT · · Score: 1

    If you want to improve network security, ensure that protocols and algorithms that would improve security are not patented, and are therefore usable by anybody who needs them. The (recently-expired) RSA patent forced many projects to use less well tested algorithms.

    Also, get rid of all export restrictions on software. Export restrictions on "strong" encryption force companies to use less-good algorithms.

    --
    That's "Mr. Soulless Automaton" to you, Bub.
  179. What? Are you crazy? by Anonymous Coward · · Score: 0

    When a person applies for a job he is given a company application:

    Full Name, Social Security, etc.

    Do I think it is personal, sure... should it be given to authorities? Only with a warrant.

    At this time I can find anything on anybody... Why give information away?

  180. My wishlist by SmurfButcher+Bob · · Score: 2, Interesting

    Oye, ad-hoc thoughts...

    A trivial definition of curtilage. Namely I own my boxes, I own my networks, I own the services that are offered. I have the right to dictate how those boxes, networks, and services will be used, since I am the one who paid for and built them. If you have any questions about this stance, subscribe to something, some day... the fact that I may be a "home user" or "major provider" should not make any difference.

    Right now, any arbitrary, anonymous vendor has more rights to my stuff than I do via EULA "at any time" clauses. In some cases, any anonymous box has more legal rights to my stuff than I do. And finally, even the lowest end-user has the ultimate legal right to bind us to any legal agreement they're dumb enough to click on, even if they have no authority to make such a consent. All of this because curtilage is largely undefined, and where it is, it is grossly inconsistent.

    The lack of curtilage is exemplified on two basic fronts.

    a) Easter eggs in software. A product is offered with a specific functionality, e.g. an "office suite". The suite will often contain undisclosed and very irrelevant "features" that are flat-out undesired. Q.V. any package that may use resources that are not directly related to their explicit purpose - an application may attempt to "report home" to the vendor and STEAL network services. Or, things as trivial as packages that modify your browser's start page. Huh? Sorry, such things are outside the scope of intent, and violate turf.

    b) If I initiate a packet stream that produces an effect that is explicitly against the intent of a service provider - namely, unauthorized utilization of bandwidth (theft of service), unauthorized utilization of CALs (theft of service), unauthorized utilization of CPU cycles (theft of service), unauthorized utilization of storage devices (theft of service... realize that all of the aforementioned are regularly "leased" by companies for serious cash), insertion of data, deletion of data, modification of log files... I go to jail. Some other idiot does that exact same thing because "you can make your sex life better," it's called Spam. Sorry, that should be trespass, tampering, theft of service, and anything else that applies to the results of an "evil packet stream". The exact same events occur, Period.

    Other stuff - present "opt-in spam" laws fail, since the definition of "opting in" requires no authentication by the end user. First case in point - No user in our organization is authorized to subscribe (opt-in) to any mail list, and they don't. Yet we regularly get junk sent to them, all claiming to be "opt-in". That'd be a neat trick. Second case in point - it's quite trivial for me to subscribe you, Mr. Arbitrary Email Address, to any spam list I want. No effort is required of these "opt-in" lists to validate the authenticity of the request.

    Culpability for negligence / intent. Code Red & Nimda demonstrated two very big things. a) Microsoft sucks, and b) Most users and admins are Typhoid Marys. The patch against the CRV vector had been out for quite a long time before CRV came to town. Fine. Then, it hit, and spread like crazy. It made the news... it made ALL the news. And to this day, there are still boxes out there that are spreading it, boxes that are actively attacking our systems. If a user gets an Outlook virus, and that macro sends itself to everyone, fine - the first time, there's no intent. But when that user keeps using that box, day after day, and that box keeps attacking MY systems, sooner or later the law needs to recognize that there IS some form of intent present. That person is potentially killing me by their actions; they are *certainly* costing me money. Addressing this might have a nice "social" side effect, btw, of making a certain vendor a little more cautious towards exactly *where* they decide to implement scripting features...

    Slightly along these lines, again curtilage. The current license model allowed by law is grossly incorrect. The typical computer system (be it a home PC, or a 15 server setup like I have here) consists of three entities. First, there's the hardware owner. He owns the box, and has ultimate say as to what that hardware does. Next, there's the software [license] owner. That person can say what happens with a package, but has no implicit rights to the box it runs on. Lastly, there's the end user, who has the right to type. The present model does not address this. If my 5 year old neighbor sits at my keyboard, using a program my wife bought, he has full proxy authority for me. He can commit me to mortgages, bind me to EULAs, whatever... by simple virtue of the fact that he's physically able to.

    --

    help me i've cloned myself and can't remember which one I am

  181. Keep hands off by ReidMaynard · · Score: 2, Insightful

    Let's look at this on a higher level.

    Do we really need more laws?

    If this guy really wants to be a servant of the people, how about going through the old, dusty laws and getting rid of them.

    You know, the ones like swinging a lantern in front of a horseless carriage. These guys in government really need to 'clean house' not 'shop more'. I know it's not as sexy, but being a servant is not a sexy job.

    --
    -- www.globaltics.net

    Political discussion for a new world

  182. Victim Rights by Ratbert42 · · Score: 2

    Stop ignoring the wishes of the victim. I was involved in a case where a mid-level manager called law enforcement about a fairly serious intrusion. After the FBI became involved, the CEO stepped in and said they didn't want to prosecute if it would result in publicity for them. So what happens? They not only brought the case to court, but issued a press release, making the case front-page news.

    Prosecutors need to stop ignoring victims' wishes. They also need to stop grandstanding for the media on cases like this. A lot more companies would report incidents and cooperate if they knew that the case would end in a quiet plea deal instead of a high-profile trial.

  183. Security laws (and no-laws) wishlist by ihawk · · Score: 2, Insightful

    1. Don't make it illegal to do research or learn about security issues. It is necessary in order to provide security.

    2. Don't make it illegal to announce security flaws and exploits. It is critical that information about security holes be open and available.

    3. Prosecute people who cause damage by using software with malicious intent - not for developing software.

    4. Either require Microsoft to fix their pathetically broken security model or allow people to recover damages from them for security lapses. The situation with Microsoft software vis a vis security is ludicrous.

    5. Mostly keep the government out of the way - there is nothing the government or a bunch of new laws can do to make networks or the Internet more secure.

    6. Encourage the FBI's NIPC to develop some minimum level of expertise and competence. Right now, there doesn't seem to be any. All they do is parrot what Microsoft tells them.

  184. Accountability already legislated by Bikku · · Score: 1
    Seems we all agree that one major item for govt wishlist would be a mechanism to hold software vendors accountable when they willfully neglect basic security in their products. (Microsoft Outlook and IIS, are you listening?)

    Legislatively, this is probably most easily dealt with under commercial law/UCC as a "fitness for use" issue. I buy some piece of internet software, I expect it to provide internet functionality without endangering my system through obvious security vulnerabilities. Software that fails to abide by this is simply unfit for purpose.

    Why introduce any new laws? Simply enforce this one. If there is some loophole that exempts software from fitness requirements (IANAL), then close the loophole - don't replicate the law's effect with yet another law enacting a software-specific concept of commercial fitness.

  185. Insurance companies? by Ludwig668 · · Score: 1

    There is a real lack of recourse for us end-users. It seems like the ones most unable to actually solve electronic security problems are the ones who get left with the responsibility for dealing with it. How about incentives for insurance companies and credit card companies to help audit electronic security, like some sort of government mandated identity theft insurance that companies should have.

  186. Availability of Resources by ShinGouki · · Score: 1

    ok, i've heard 600 comments on how they need to get out of our hair...we also need to think about the other side of it.

    i've had cause before to contact the various federal authorities at my job. i'm a sysadmin at a web host and we get the occasional child porn idiot trying to sneak by us.

    whenever we've had cause to talk to the authorities (usually the FBI or the secret service) they've always been very cool about the entire affair, come down to take the evidence, make sure they subpoena us so we don't get sued for releasing the info, etc. the only problem is, it's a bitch to drill down through the local hierarchy to get to the people you need to talk to.

    so i'd suggest to the gov't, clean up the ease of use for us. make it a more direct contact between the sysadmins who can track these people and the agents who can kick in their doors. i'm sure more people would report network intrusions and the like if they had a simple, easy to use, web-based form to fill out with the intrusion information (assuming it's fixed and they just want the fbi to track/find the guy and bring him to justice) to just help make getting the ball rolling a little easier.

    just my $0.02

    --
    -dk
    Dream with the feathers of angels stuffed beneath your head.
  187. Re:Gore in '04 by wokig · · Score: 1

    As 8-bit theatre likes to put it... "Less talkie, more cookie".

    --
    "I'm not Dev/Null, I'm a rock!" Dev/Null, from VtM: Redemption
  188. How about.. by Anonymous Coward · · Score: 0

    Cleaning your own networks first and let us who know what we're doing clean ours?
    Sounds fair to me doesn't it ?
    The last thing i want is some senator or congressman with no clue about the issues he is trying to legislate to stick some dumb ass law down my throat. We've had ENOUGH, OK? ENOUGH? Tell your congressman to go to his funding dinners and get 'donated' some money from some corporation and let us deal with OUR networks the way we want to. Not the way MS wants to or whoever the hell is bribing him.

  189. And monkeys will fly out of my butt by Anonymous Coward · · Score: 0

    A senior US Senator. Yeah -- right. The clueless asking someone even more clueless to compile a list about something neither of them knows squat about. What a joke.

    Wait a minute: is this some kind of cheap troll?

  190. General Software Accountability by Anonymous+Crawdad · · Score: 1

    expanding beyond network security... Software in general needs to have standards of quality assurance of some sort that the software firm can prove their product adheres to. Yes, this will require longer cycles of product release to get a certified product on the market. This is a good thing: my cup of soup tells me what I'm eating. So should my software. When someone builds a building, do you have to click the box that says "the building contractor is not liable if the ceiling falls on my head"?

  191. Consider this only by imrdkl · · Score: 2
    Please, ask our senator to consider carefully our "face" on the internet when making the law. The entire world is out there watching every move that is made in here. US citizens are not the only ones in the world dedicated to liberty; there's a portion of the population of people in every country who believe in our ideals. Depending upon physical deployment of these same people, the Internet is sometimes the only tool that lets them talk to each other.

    Reread all the great replies above and below. Then take a good look at security tools, and then tell your colleagues that the best tools and techniques were developed with the cooperation and a shared dream of privacy/protection that the entire world shares. Extremely brilliant and caring people from everywhere have made network security possible.

    Recognize the shared effort, and common dream in here, and it might, just might, someday propagate into reality.

  192. SPAM control by Moblaster · · Score: 1

    Allow for the sending of SPAM (unsolicited bulk email where one message sent to over, say, 100 addresses lacks "substantive" evidence of differentiation) but require every US sender (regardless of whether they use a foreign network to spam) to provide a working, monitored US phone number for people to call to remove themselves from the list. Require all SPAM senders to utilize a valid return address which is also utilized for the same purpose of list removal. Require all SPAM senders to be banned from reusing, reselling or otherwise recycling any email address on the same list or any other list of involuntarily acquired email addresses they control (entity-wide erasure of involuntarily acquired email addresses). Require all SPAM senders to secure written permission from their internet infrastructure carrier to send unsolicited bulk emails (otherwise those carriers are frequently subject to retaliatory security attacks by disgruntled users). Forbid SPAM list generators from selling email addresses acquired involuntarily. Allow maximum penalties of 1 year and/or $50,000 fine for violation of these disclosure laws designed to protect US consumers from rampant fraud and harassment from unscrupulous bulk emailers. This will solve a lot of our security problems with email without restricting "ethical" bulk email or otherwise normal unsolicited commercial communications by email. Monir

  193. Re:Not just MSFT, how about RHAT, SUN & Open S by ninewands · · Score: 2

    Perhaps even moreso in the case of RedHat as they are just blindly redistributing stuff others wrote and have no input in the design

    No, I don't. If Red Hat started to distribute GnomeOutlook some day, they deserved to be sued to Hell and back.

    Red Hat's product is selling decisions. "This we take, that we don't". So maybe writing code isn't their business, but selecting code is. And therefore they should be held responsible, at least by their paying customers.

    Actually, Red Hat is a MAJOR contributor to Open Source development, employing such luminaries as Alan Cox (kernel) and Rasterman (enlightenment). RedHat had the fix for the ptrace exploit out in THEIR release of 2.4.9, but the fix didn't make it into the general kernel tree until 2.4.10. Also Red Hat puts a LOT of development effort into the GNU tools, such as gcc and glibc, so I don't think it is quite fair OR accurate to say they are "blindly redistributing stuff others wrote and have no input in the design". Companies that hire Open Source developers and tell them "Develop Away" are a major factor in the current state of OSS technical excellence. Were it not for the RHATs, Calderas, SuSEs and IBMs of the world, Linux would be nowhere NEAR its current state.

  194. Well, for starters by Anonymous Coward · · Score: 0

    We all need to realize that MS is our daddy, and we should be thankful that Bill Gates even deigned to grace us with his vision and intelligence.

  195. Re:pgpnet: Or better yet IPV6 by sirsnork · · Score: 1

    Get them to start the ball rolling on IPV6!

    --

    Normal people worry me!
  196. Create a Software-safety diamond by uigrad_2000 · · Score: 2

    I always lean towards less government interaction as any good Republican or Libertarian would do. So of course, the only stuff congress should do is make suggestions.

    You know how the chemical industry uses a diamond to warn users of the risks of a substance, right? How about doing the same for software? Here are the 4 areas I'd like to see:

    1. Possibility of hidden holes vs. freely-available source:
    Any software that's not open source will die on this one. How can your software be secure if there may be backdoors?

    2. Establishment:
    Any software that's been around since the sixties is going to be tested more than something written last year. Also, it's easier to find help on newsgroups/webboards for established software.

    3. Customization:
    Most programs can be customized through a GUI interface, through the editing of a text file, or both. Traditionally, text files allow the most customization, but a killer GUI could also score well on this point. Also, software that is not released under a GPL-like agreement cannot be strengthened by an administrator. This sub-point could probably be broken off into a new area.

    4. Platform independence:
    If the administration should change from one OS to another, it's desirable to keep the same software. Flexibility in this regard equals safety. New-hire administrators are more likely to be knowledgeable about software available for any platform. Also OS vendors who build security software for their own OS only are more likely to be concentrating on profitability over security.

    Of course, these standards may be tough for some software vendors to achieve (no names here!). But that doesn't make them unimportant.

    If we would have had these standards a long time ago, I don't think we'd be in the mess we are today.

    --
    Free unix account: freeshell.org
  197. Mod parent down. by Anonymous Coward · · Score: 0

    This comment just reiterates what is said by many of the earlier comments. On top of that, the use of BR tags to grab more screen space for this crappy comment is really annoying. Slash should incorporate a filter to remove excess whitespace, remove purposely narrow columns, and remove the typewriter font from a comment if it is used throughout.

  198. Re: government, not your company. by Anonymous Coward · · Score: 0

    How is the government supposed to deal with this?

  199. All your phrases are belong to us by Anonymous Coward · · Score: 0

    You've obviously learned about recursive cliches.

    Now please make a donation to the RNC.
    That's the Republican National Committee if you've
    been living in a cave.

  200. Re:What? Are you paranoid? by bluebomber · · Score: 2

    The information on a job application is useless. Don't think law enforcement can't find this without going through your employer. Seriously, anyone with enough desire and resources would be able to get your name, last few addresses, SSN, employment history, place of birth, drivers license number, mother's maiden name, and other similar stuff. And it wouldn't take all that much time (you could gather all of the above within a week or so).

    There are no Constitutional protections in the kind of transfer of information you're talking about. If the company wants to hand over the info, you can't stop them. If the company doesn't want to hand over the info, it will take a court order/subpoena/search warrant to get it. If you work for a company like that, they're crazy.

  201. Stop prosecuting network admins as criminals by Anonymous Coward · · Score: 0
    As a network admin, cases like Oregon vs. Randal Schwartz (author of O'Reilly's Llama book on Perl and co-author of the Gecko) being prosecuted for performing what I would consider basic network security functions scare the shit out of me.

    Maybe the solution is education. I doubt the jury in the case had a clue what the issue was or how you secure a network in the first place.

    And if you don't know about the case, go to http://www.lightlink.com/spacenka/fors/.

    Good luck, Randal. May the Schwartz be with you.

    1. Re:Stop prosecuting network admins as criminals by Nonesuch · · Score: 2
      There are plenty of issues where the law regarding the activities of network administrators (and especially consultants) regarding security work is unclear, or unjust.

      The case of Randal Schwartz is not the greatest example of misapplication of the law. Like Kevin Mitnick, Randal has been made into a martyr even though he suffered primarily as a result of his own bad choices.

      AC writes:

      As a network admin, cases like Oregon vs. Randal Schwartz (author of O'Reilly's Llama book on Perl and co-author of the Gecko) being prosecuted for performing what I would consider basic network security functions scare the shit out of me.
      While Randal is a nice guy and his motives were pure, his actions were wrong. He may not have deserved the royal reaming he got, but he did overstep the bounds of his role at Intel.

      He was a consultant, he was at Intel to perform a specific role, which did not include password cracking and building a 'backdoor' to the Internet.

      Maybe the solution is education. I doubt the jury in the case had a clue what the issue was or how you secure a network in the first place.

      And if you don't know about the case, go to http://www.lightlink.com/spacenka/fors/.

      Good luck, Randal. May the Schwartz be with you.

      The restitution awarded to Intel was bogus, and was eventually overturned.

  202. My simple wishlist by anticypher · · Score: 4, Interesting

    I no longer live in California, but I'd love to see some changes in the state.

    In a nutshell, intelligently enforce the laws you have.

    One. Fund a specialized law enforcement group dedicated to cybercrimes committed by individuals and organized crime gangs located physically in the state. The group should consist of state marshals, prosecutors, lawyers, judges, and a civilian oversight committee. Recruit from computer science programs at state universities, or require experienced judges and prosecutors to attend graduate level CS programs at least part time. The oversight committee should be paid, at levels to rival good Silicon Valley firms, so that experienced engineers can spend a couple of years helping to guide law enforcement efforts.

    The cybercrimes group should go after trade secret thieves, spammers, scammers, slammers, crammers, and others who feed on the naivete of consumers, or who interfere in the operations of companies. They should target phone companies who slam/cram consumers, arresting corporate officers on criminal charges as warranted. They should actively track down individuals and groups who send out UCE, since spam clogging my servers is the largest single cost I have as an administrator. There should be an undercover unit targeting criminal groups who dupe individuals with "guaranteed 100% opt-in 5 million email addresses CDROM". There are many confidence/scam operators in California who have no fear of prosecution, because there hasn't been a single arrest in the last decade for any hi-tech scams in the state.

    The group should have a very publicly advertised way of being contacted, and should give priority to administrators like myself who want to start legal proceedings against criminals inside of California. The people taking the complaint should have a thorough understanding of network issues, system management, and technology in general. That means you will have to pay them competitive salaries, which will make this the most expensive law enforcement group in the state. Don't worry about the cost, the value to California businesses and voters^Wtax pay^W^Wresidents will be worth it.

    Two. Criminalize aiding and abetting identity theft. This means the state should stop selling records to marketing firms. California needs to rework its incorporation laws to disallow companies from compiling marketing databases for sale to others. Any corporation that compiles in-depth information on individuals (putting together name, address, SS#, CDL# and photo, tax history, property records, medical info) and then sells it should have its charter revoked immediately, and its directors criminally prosecuted.

    I'm regularly in touch with my counterparts on the west coast of the US, and I hear their complaints on a regular basis. The FBI has dropped *ALL* cases that don't directly involve shit that happened in September. Local cops are completely incompetent to do anything more than write speeding tickets or bust kids with joints. There is no state organization to fight cybercrime. The admins spend most of their time keeping their long distance voice traffic on the best carrier when they get slammed once a month. They deal with a level of spam which equals 80% of their incoming traffic, much of it from dialups inside of California. They have to deal with employees walking out with 40 CDROMs full of locally produced code who start at a competitor the next day, who one month later have an identical product that even duplicates the bugs. Hackers at the firewall are insignificant compared to all the other criminal activity going on.

    Look at the Avant! case, where a handful of engineers walked out of Cadence, and the next week started selling an identical product at half the price and made millions of dollars in profit. The only way Cadence could prosecute was to pay for training for the judge and prosecutor, pay the whole investigation costs, and it still took most of a decade for the criminal parts of the case to occur.

    There are organized gangs selling spam-kits to unsuspecting idiots all over California. They take a bunch of money up front from the scammees, in promise of huge returns down the road for selling "penis enlargement" and MLM scams. Until now, these scammers have had no fear of prosecution, because there isn't a cop or judge in the state who will (or is able to) apply the law.

    There are arguments that most of these things should be left to civil action. The problem is that civil action costs lots of money, and the civil courts tend to ignore complex cases that don't have huge amounts of money on both sides. The PUC is incapable of dealing with crammers, and has declared that any consumer who is hurt can throw millions into a civil case and hope to win. With consumer protection at the lowest in California history, it's time for the government to step back into enforcing the law.

    Arguments about the internet being international are just a red herring. The laws are already on the books, some jurisdiction has to start applying them first. So what if most of the scammers leave the state? Fine, but I doubt it will happen, the drug dealers didn't all leave with tough new anti-drug laws. I'd be willing to bet very few people have enough money to start a new life in another state, spammers are lazy bastards. Kick down a few doors, prosecute some spammers and make some press about it. You might only make a small dent in spam, but I'll take anything I can get.

    the AC

    --
    Hemos is like...sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  203. Can't run PGP? was Re:tell them by alizard · · Score: 1

    Anybody who can install PGP unassisted can run it by following the instructions in my PGP Quick Start Guide article at 8wire.

  204. What the fuck's wrong with the moderators? by drsquare · · Score: 0, Offtopic

    It seems every other post starting a new thread has been moderated to 5, and most of them are shite. What is going on?

  205. Re:"Responsibility" for bugs will hurt Free Softwa by Gummbah · · Score: 1

    I don't think MS has the 'no warranty of fitness for a particular purpose' clause. No one would buy their shit if they did.

  206. Sour Grapes by Anonymous Coward · · Score: 0

    Guy probably has his own ideas, but he's willing to admit he's human. He's offering you a chance to influence what he tells his client.

    Yes, it does make him look good. Yes, he's getting it for free. You get the opportunity to get your itch scratched by allowing a senator to pay big money/favors for advice from a source he trusts - a source who may mouth your words.

    Who do you think that senator is going to listen to more, some random crank email, or an 'expert' he paid for?

    -- Ender, Duke_of_URL

  207. Remove restrictions on software development... by Bartlet · · Score: 3, Interesting

    I was offered a better opportunity recently, which allowed me to leave a Fortune 500 company where I was the engineering manager providing ISP services to thousands of end users. While in that position, I often asked myself this same question and came up with the following wish list.

    There are a couple of things that the government can do to make computer networks and computing more secure.
    1) Repeal the DMCA. When security problems are found in an implementation of an algorithm, this law makes it illegal to talk about the problem or to implement a solution.
    2) Repeal patent law as it applies to software. Software is well protected under copyright law as a work of art. The underlying function (algorithms used) for every program out there is a subtle change to prior art. It's just that no one but large corporations have access to the courts to successfully challenge these ludicrous restrictions on sharing mathematical equations with one another.
    3) Allow end users to sue companies that keep their products closed and security problems a secret.

    4) After fixing the above, get out of the way as the free market takes over and those with bad software are forced to compete or go out of business.

  208. My wish list by ninewands · · Score: 2
    1. Require all U.S. ISPs (especially AOL) to use egress filtering on their border routers. This may not put a complete end to DDoS, but it will certainly ease the burden imposed on the 'net by script kiddies. This is especially necessary in light of the fact that a 'feature' of the home edition of Windows XP is that consumer Windows users now have the ability to forge IP headers;
    2. Leave crypto alone. It is a necessary component of secure e-commerce as well as being a component of criminal communications. There are enough ways to snoop on the bad guys already without disabling an already-struggling sector of the economy. Besides, how are you going to keep the black hats from having crypto when all they need is a copy of gcc and a modestly talented programmer to write their own crypto software? It sounds over-simplified but it is true that "When crypto is outlawed, only outlaws will have crypto.";
    3. Get competent, disinterested technical advice before legislating technical issues. Have your advisor give you both the pros and the cons of the issue, then vote in the best interest of the people who elected you, NOT the corporations that financed your campaign;
    4. Give serious consideration to passing legislation banning some of the more abusive EULA provisions, especially disclaimers of ALL liability for consequential damages. American law has enough safeguards in place that holding software companies responsible for damages they cause by, for instance, gross negligence (like not releasing the patch to cure the Code Red vulnerability until the exploit was "in the wild") will NOT destroy the industry.
    5. Repeal the DMCA and put the SSSCA on the rubbish heap. The RIAA, MPAA and the BSA are powerful enough that they don't NEED a class of special crimes just to protect them. Additionally, "standardization" and "certification" of "security measures" will make the digital world less, not more, secure;
    6. If you feel you really MUST pass some laws regarding 'net abuse, give us some anti-spam, anti-online-fraud and anti-identity-theft laws with REAL TEETH!

  209. requirement for ISPs by Anonymous Coward · · Score: 0

    Require all federal agencies to put a Quality Of Service term in their contracts with ISPs that requires the ISP to provide back-tracing services for spoofs. Require that the ISP provide tracing at least 3 ISPs away (which means that they have to have an agreement with all of their customers and peers for 2 levels).

    Basically think of a service that ISPs fail to provide, and don't legislate its existence, just legislate that federal entities must contractually require it from their ISPs. If it's cheap to provide, they'll offer it to private sector companies too.

  210. Thanks for the response! by breillysf · · Score: 1

    I would like to thank the /. community for some truly outstanding and thought-provoking comments. You can be sure that a summation of these comments will be reviewed by the Senator over the Christmas holidays. This is an area of urgent concern for him. I will submit a draft of the summary to the /. editors and perhaps they will post it for your review. Thanks again for the time you have taken to respond. Bill

  211. What we really need... by robnator · · Score: 1

    is good software made by responsible vendors. As a corporate IT shill, I'm the guy you want to hear from, and here's what I say: Shoot down legislation making it impossible to impose standards of performance. Stand up to corporation lobbyists who seek special privilege. In short, stay involved but use your brain! Consumers of all kinds need protection from the monopolistic megalithic manufacturers who stifle competition on the one hand and then provide poorly engineered solutions where once an industry prospered.

    --
    "If...you can't be a good example, then you'll just have to be a horrible warning" - Catherine Aird
  212. Solidblue by Anonymous Coward · · Score: 0

    SolidBlue.biz

    Ace905

  213. Arrest the criminals by bonewah · · Score: 1

    I think it's kind of funny that most of the posts here advocate punishing the admins who blow it, security wise, and no one really seems to care about punishing the ppl who are doing the hacking. Read Steve Gibson's article about his brush with a script kiddie, it's very revealing. The most interesting part to me was not so much the technical details of the whole thing, but the fact that no law enforcement or ISPs really cared to do anything and both Steve and Wicked knew that. Look, if you don't start actually arresting some of these script kiddies what difference will any of the laws make?

  214. Edumacation by Anonymous Coward · · Score: 0

    As I see it, the thing that would help the most would be to educate stupid people. This starts in the IT industry where time to market always wins over quality of product. Just as important is the education of individual users. If anyone simply thought about what they put on their computers, how much easier would it make life?

    It's like owning a car. In fact let's assume a Pinto. The IT industry has made some decisions that are going to kill some people before long. And all in the name of the almighty dollar. Now most of us own Pintos and as long as we do, we need to maintain them, change the oil, put gas in them, rotate the tires, etc. Unfortunately we insist on filling them up with mud, broken glass, and sugar, and proceeding to drive around on a dark, unmarked road.... on the wrong side. And despite all of this, every 2 years we buy a new Pinto because somebody has painted it a different color, moved the antenna to another side of the car, and put an antenna ball on top.

    Yeah, I don't think tax breaks, or government standards are going to do it. Maybe something like the IT Americorps.

  215. GET OUT OF THE WAY! Existing laws apply. by Bob_Robertson · · Score: 1
    It's already illegal, and has been for thousands of years, to enter someone's home without permission, or their car, or their property. Cracking a computer is no different, it is just trespassing.

    It is already illegal, and has been for thousands of years, to destroy or deface someone's property. Computer data is no different, it is just property.

    It is already illegal, and has been for thousands of years, to defraud people with false promises, or pretend to be someone, or to make up things about people to hurt them and their reputations. To do such things with a computer is no different, it is just fraud.

    Get the idea? Hundreds of millions of different laws do not protect anyone just because they threaten action. Having the state intrude into private matters just because they're on a computer is no more welcome than having the state put a microphone on the dinner table because someone might mention "bomb".

    In the same way, once the police have a warrant, on probable cause and attested to by oath or affirmation, specifying the particular place to be searched and the information to be gathered, I don't care if it's a computer, a cardboard box or a fiber-optic cable.

    The best thing Congress could do is first to repeal all those exceptions that ensure they are not subject to the laws they pass for everyone else.

    Then enforce the bill of rights. All of them.

    One of the funniest events in Congress occurred back in the early 1990's, when they were debating another of those "anti terrorist" bills. One congressman submitted an amendment to the bill which was simply the text of the 4th amendment to the constitution.

    The amendment was loudly and vigorously defeated as it "would gut the teeth out of this important legislation!"

    There is a very important moral to that story if you look for it.

    Bob-

    --
    The Ludwig von Mises Institute. The reasoning individuals economics
  216. Redo the Internet from the Ground Up by Tazzy531 · · Score: 1
    Instead of the government spending billions and billions of dollars trying to patch up this hole we call security, the government should use some of that money to fund research projects. The Internet was never designed from the beginning for what we currently use it for. In the beginning the only users/devices on the ARPAnet were trusted devices. TCP/IP was built for usability, not security. I believe TCP/IP v6 was designed with security as part of the protocol, however, not many administrators 1) know about this 2) actually implement it.

    This ComputerWorld Article talks about.

    TCP/IP was originally written among a cohesive community that had significant internal trust. By default, IP applications assume they should trust people
    --
    _______________________________
    "I'm not Conceited...I'm just a realist..."
  217. IPv6 and IPSEC? How about binary! by Bob_Robertson · · Score: 1

    IPv6 sucks. It's an awful, complex and burdensome answer to a simple problem, just like any government project.

    IPSEC is being developed independent of government, if you like it then use it. Advocate it, but do not force its use.

    IPSec will "improve" network security in some ways, but all communications being in binary would be even better! Imagine how hard it would be if no one could read your mail, because it's saved in a code, maybe the ASCII code! Or EBCDIC even!

    Oh, that's right, everything is already encoded in binary, it's just easy to decrypt. When crackers have access to a trusted machine on one end of an IPSec tunnel, the machines on the other end of the tunnel are then open to attack. IPSec secures lines, not hosts, and it is not any kind of answer alone. Just like binary.

    Bob-

    --
    The Ludwig von Mises Institute. The reasoning individuals economics
  218. The amendment is there. Crypto=arms by Bob_Robertson · · Score: 1

    I think the misguided and idiotic Federal ITAR laws that banned the export of cryptography as "arms" is a perfectly good working model.

    Crypto allows you to be secure in your documents and information. Guns allow you to be secure in your person and effects. Both also can be misused for criminal action by criminals, just like anything and everything else ever invented or imagined.

    The right of the people to keep and bear arms shall not be infringed.

    Bob-

    --
    The Ludwig von Mises Institute. The reasoning individuals economics
  219. The key is to stay the hell out by gelfling · · Score: 2

    the best thing that government can do about computer security is stay the fuck out. There is not a single solitary computer security issue for the government that is not 100% entirely one way - that is everything and all control and authority is supposed to flow to the government and public is supposed to just accept the gradual criminalization of doing a credible good job. There is not a single computer security issue for the government that does not involve eroding the ability to actually perform computer security.

    So Mr. Lobby please go back to your Congressperson and tell them that the number one issue for the government is to pull its collective head out of its ass and leave the heavy lifting to the people who have some skin in the game.

    1. Re:The key is to stay the hell out by breillysf · · Score: 1

      First of all, I'm not a lobbyist, I'm not being paid for this. Period. And you are sorely mistaken if you believe that the government networks do not have any "skin" in the game. He was leaning more towards breaking down the barriers between gov't and the private sector so everyone can work together. But unfortunately, there are too many people who feel the gov't admins are less capable, or less trustworthy, or that cooperation with the Feds will compromise some sort of confidentiality. There ARE positive things that Congress can do. This Senator shares the view of most contributors here at /. that the answer is not in MORE federal laws, but mature cooperation.

  220. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  221. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  222. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  223. Well, bull. by Erris · · Score: 2
    Routers already keep local packets in. I can't think of anyone who would want their local telnet (naked passwords! use ssh, please) broadcast beyond a building, and most scripts for gateways do this too.

    When Uncle Sam tells me he wants to set up a filter at the local ISP, I know exactly what he means. I have not forgotten what he told me yesterday.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
    1. Re:Well, bull. by jorbettis · · Score: 2

      Holy fuck you're thick, of course it keeps local packets in, we're talking about forged FROM addresses!

      Suppose I'm 31337 h4x0r, and I am going to ddos GNC.com because the guy who runs it is a moron. I simply throw packets at his site. Unfortunately, when I do that, he can immediately see where my packets are coming from by looking in the FROM address header. My computer built the packet, so it can alter the header, so I use the raw socket ;-) provided by my OS distributor to rewrite the FROM header before it goes out. Voilà, when he gets the packet, the FROM has the IP address to a flower company in Japan.

      Egress filtering means the router on my network checks the IP address in the FROM field of the packet before it routes it onto the internet, says "woah, this isn't an address on my network", and throws it away.

      Egress is something that EVERY FSCKIN ROUTER on the internet SHOULD have done YEARS ago. Hell, the 486 providing masq for my network at home does egress (makes sure it's a 192.168.1.0/24 address), it's a BASIC function of a properly installed router.

      --

      Jordan Bettis

      ``Wherever you go, there's another stupid sigfile quote.''
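    The egress check described in the comment above (and asked for in ninewands' point 1 earlier in the thread) as an added, self-contained example; this is not code from either poster. It assumes the 192.168.1.0/24 prefix mentioned above as the only internal network and uses a constructed list of packets, including one outbound packet with a forged source and one inbound packet that falsely claims an internal source (the mirror-image ingress check).

    ```python
    import ipaddress

    # Assumption: the internal prefix from the post above (192.168.1.0/24).
    LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


    def egress_allowed(src, local_nets=LOCAL_NETS):
        """Outbound packets may leave only if their source address is one of ours.

        A forged source (e.g. 198.51.100.7 from inside 192.168.1.0/24) is dropped,
        which is exactly what stops a spoofed flood from leaving this network.
        """
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in local_nets)


    def ingress_allowed(src, local_nets=LOCAL_NETS):
        """Inbound packets claiming an internal source can only be spoofed; drop them."""
        addr = ipaddress.ip_address(src)
        return not any(addr in net for net in local_nets)


    # Constructed sample traffic: (direction seen by the border router, src, dst).
    SAMPLE_PACKETS = [
        ("out", "192.168.1.42", "203.0.113.10"),   # legitimate outbound
        ("out", "198.51.100.7", "203.0.113.10"),   # forged source, not on our network
        ("in",  "203.0.113.10", "192.168.1.42"),   # legitimate inbound reply
        ("in",  "192.168.1.9",  "192.168.1.42"),   # arrives from outside but claims to be internal
    ]


    def filter_packets(packets):
        """Apply the egress/ingress check to each packet; return (forwarded, dropped)."""
        forwarded, dropped = [], []
        for direction, src, dst in packets:
            if direction == "out":
                ok = egress_allowed(src)
            else:
                ok = ingress_allowed(src)
            (forwarded if ok else dropped).append((direction, src, dst))
        return forwarded, dropped


    if __name__ == "__main__":
        fwd, drp = filter_packets(SAMPLE_PACKETS)
        for pkt in fwd:
            print("FORWARD", pkt)
        for pkt in drp:
            print("DROP   ", pkt)
    ```

    Two of the four constructed packets are dropped: the outbound one whose source is not in 192.168.1.0/24, and the inbound one whose source claims to be. On a Linux border router the equivalent of `egress_allowed` is a single FORWARD-chain rule that drops anything leaving the external interface whose source is not the internal prefix.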
    2. Re:Well, bull. by Erris · · Score: 2
      Hell, the 486 providing masq for my network at home does egress (makes sure it's a 192.168.1.0/24 address), it's a BASIC function of a properly installed router.

      Gee, so does mine, but I don't think I'll advertise my local addresses.

      Thanks for the insulting lecture but you missed the point. Uncle Sam's box will do more than advertised. This is not a government function, you ass.

      --
      DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
    3. Re: Well, bull. by elemental23 · · Score: 1

      It's a good thing nobody suggested that the government do this filtering then, isn't it? "Uncle Sam's" box won't do this, the ISP's own routers will be configured to (as they should be doing already). The government has nothing to do with the original poster's suggestion outside of "coaxing" ISPs to do it.

      --
      I like my women like my coffee... pale and bitter.
  224. Tell the Senator to remember one thing by cmdean · · Score: 1
    We don't all live in the US. Congress has the habit of making laws that don't make sense in a global framework (encryption anyone?).

    Whether they like it or not the Internet is global and a set of US Security Laws ignored by the rest of the world would be silly.

  225. Don't let them pass the SSSCA! by Anonymous Coward · · Score: 0

    It will put our economy in an even worse position than it already is by making it *very* difficult to innovate new software and hardware products.

    Also, having a uniform security system for every piece of digital equipment is a terrible idea. As we in the security community have learned, the more popular/pervasive a security technology is, the more likely it is to be attacked. A security system with 100% pervasiveness will no doubt lead to extremely vulnerable digital equipment.

  226. In a word, competition. by Anonymous Coward · · Score: 0

    Competition in web servers and web clients is essential to improved security. Currently there are basically only two choices. Microsoft's IIS, which has proven insecure but comes with virtually all computers sold, and Apache, which is complex and takes an expert to set up and administer.

    A healthy market would see dozens of high quality products competing and winning on their merits.

    To increase competition I suggest:
    * requiring that Microsoft un-bundle their web server and client from Windows - this would encourage competition and let the market improve security
    * eliminate software patents or make them much harder to get and much shorter (17 months)

    Each of these steps would encourage competition and result in improved security of products in use on the net, both here in the US and around the world

  227. Locksmiths and SA's? by Crooked · · Score: 1
    My father is a Locksmith. He is required by law to go through a background check and have an endorsement to own the tools of his trade, much less use them!

    Shouldn't these same rules apply to our own profession? While a lot of people learn Linux on their own time and learn all the security issues as with windoze, shouldn't the requirements be the same as those in place for locksmiths?

    They are both concerned with security and they both sell/recommend products that have certain defects/security holes in them.

    If the "client" decides to go with the cheap lock, neither the locksmith nor the company selling it is liable! They got what they paid for!

    While I don't think certification is at all a reflection of the person's skill, it does give a place to start and does teach something.

    So how can we make MS or Linus or whoever is responsible liable for making the tools of security (and their antithesis) without making the security experts at least have some baseline knowledge?

    Owning the tools to hack/unlock without a proper license should be illegal as much as using those tools.

    I'm not suggesting that knowledge should be locked up with the key thrown away. The bad guys have the same tools and read the same articles as the good guys in Locksmithing, but just owning the tools should be almost as much of a crime as using them!

    Just a thought.

  228. IDENTIFY THIS EXCEPTIONAL SENATOR by NetBoy · · Score: 1

    I am a California-based network security attorney who has been asked by a senior US Senator to compile a list of the most important legal concerns facing network security administrators. He has a good feel for the government security issues (and lack there of), but he is concerned about what is going on in the front lines in the private sector.

    TROLL! Identify this senator that has a good feel for government security issues and does not understand what is going on in the private sector.

    Obviously he does not. Maybe I'm not charitable enough to give him credit for asking now, so shoot me.

    Odds are 99 out of 100 he voted for the Patriot Act, no?

    An anonymous Senator, kiss my ass.

    netboy

  229. Chill out! by breillysf · · Score: 1
    Aren't you being a bit hard? Would you rather Senators NOT listen to people who are affected by the laws they make? Also, notice I didn't say he wanted to involve gov't. He wants to know the concerns in the industry, because he also is skeptical of gov't involvement as the answer to many things that can be best sorted out in the private sector.

    Also, there is a BIG difference between not understanding what is going on in the private sector and being concerned about what is going on.

    Too many people bitch about what Congress does, but also THEN bitch at them for asking what people actually think! Which one is it?

    There are serious consequences about the laws being made right now, as so many people have pointed out. It is not helpful to throw tomatoes from the gallery at people who are actually trying to listen and do the right thing before we have to live with any more poorly thought out laws.

    I assume he did vote for the USA Patriot Act - but considering only 1 Senator voted against it (Feingold), your "odds" were certainly right. But the odds were actually 98 out of 99.

    1. Re:Chill out! by DeanOh · · Score: 1

      I'd rather NOT have my elected officials seeking ANONYMOUS input from the public via an attorney. Sorry, but unless your work for this mystery senator is pro bono, then as a taxpayer I'm picking up the tab for BOTH your work AND his cluelessness. He needs to sponsor some hearings, and invite the public sector experts he's so concerned about to testify... or at least meet with them in a face to face environment where everybody can get some actual feedback on how well the gentleman from XX is grokking these complex IT concepts. The idea is to get his good work ON THE RECORD instead of having a lawyer sniffing about slashdot. Geez. Do politicians ever do anything but self-aggrandize???

  230. It's a license for /redistribution/, not use. by himi · · Score: 2

    At no point when using free software do you agree to a contract controlling your /use/ of the software. You get a chunk of code, and the right to do whatever you damn well want with it, within the bounds of copyright law. It's only when you redistribute that code that you run up against the license.

    When you buy a piece of software from MS, you agree to a contract specifying what you can /do/ with that software, as well as various stuff about redistribution. That's the difference between the two cases.

    himi

    --
    My very own DeCSS mirror.
  231. Unwanted exports from the US by chris_sawtell · · Score: 1
    Sir,

    Please send these pleas to your Senator.
    • Start to "encourage" your citizens, both corporate and individual, to collectively behave responsibly as members of the Family of Nations while on the Internet.
      You can do this by prohibiting by statute the export from the US of these things:
      1. Images, particularly those involving children, which are simply amoral.
      2. Computer programs which are specifically designed as cyber-space weapons to probe into other people's computers, as well as the effect of such programs.
      3. Faulty computer software which enables host machines to be connected to the internet, yet does not provide an operating system which is able to enforce a permission structure on either the operating system kernel or the file system.
      4. Faulty computer hardware which allows data and program storage to be intermingled, thus tempting those unfortunate people of reduced moral fibre to abuse computers belonging to other people as cyber weapons etc. by exploiting the "buffer-overflow" phenomenon.

      You can allow these behaviours inside your own jurisdiction by all means if that is necessary Constitutionally, but the rest of us in this World which we jointly share are totally sick and tired of having them impact on us, causing some not inconsiderable expense and inconvenience.
    • Draft laws which provide a legal penalty not only for those citizens who use weapons of whatever kind for any type of terrorism, but also for those people who manufacture and provide those weapons.
  232. I Agree by breillysf · · Score: 1

    I agree 100% with your comments. Just as I'm appalled by the French court's Yahoo! ruling, I'm also appalled by the recent extra-jurisdictional attempts in the USA Patriot Act to rope in conduct outside of our borders. Same with the Dmitry case. In the short term, I think many of these are going to be held unconstitutional. But it is going to be ugly in the meantime. I will be sure to mention your comments. Thanks.

  233. BTW: "WEBCURITY" was a TYPO! by breillysf · · Score: 1

    Sorry - "WEBCURITY" was a typo for Web Security. I wasn't trying to coin some lame new term.

  234. this goes for all of you by Anonymous Coward · · Score: 0

    haven't you ever heard of opting NOT to install IIS upon win2k installation? it can be done. maybe if you had more experience with being a good admin as opposed to demeaning reliable software...

  235. Ask the EFF by cduffy · · Score: 2

    A great set of folks to ask about this kind of thing would be the Electronic Freedom Foundation. They have members with expertise of both law and technical issues, and I'm sure they'd be more than glad to provide whatever assistance they can.

    1. Re:Ask the EFF by breillysf · · Score: 1

      Actually, I'm a member of EFF and do pro bono work with them on some of the DMCA cases. I feel strongly about what they do, and what they stand for. But they approach the issues from a policy viewpoint, and the point of asking the /. crowd was to get "at the terminal" feedback from people who actually have to live with the laws that are coming down the pipe. Thanks.

  236. WHAT THE FUCK by Anonymous+CowboyNeal · · Score: 1

    does the word 'webcurity' mean?

    Alright, Slashdot editors, STOP MAKING UP NEW WORDS. THIS INSTANT. RIGHT NOW.

    ok i love you bye bye

  237. Read the post two above yours ... by breillysf · · Score: 1

    It was a stupid typo - not a really annoying new term. Sorry.

  238. Market Competition = Better Security by Anonymous Coward · · Score: 0

    I'm a network Administrator, not a programmer, and certainly not a genius. I don't really care about whose software I use, but I would like a really healthy debate to flush out the worst choices.

    If we are going to have only one Network Operating system company fine, but make them put their code in the hands of unbiased people who can advise me when I'm too busy or stupid to keep up with the issues.

    Imagine it in biological terms. Monopolistic evolution is allowing our computer environment to become one specialised creature. Anything that can kill or take information from this system can do so _everywhere_. What an opportunity for terrorism, foreign powers, or disaffected locals/criminals.

    I'm not bashing Microsoft except to say that what man makes man can destroy -- it's too big a target.

    I follow all the advice I can find, but I don't trust the keepers of the code.

    Copyright and patents on a universal Operating system become like patents on life-sustaining drugs. Security is compromised if they are left in one company's hands.

    Only open, frank discussion, where everyone knows the data, clearly leads to expert understanding. It is this 'understanding' that network people implement and financial people understand.

    Force Microsoft to open its source code; there will be problems, then solutions, and finally... security.

  239. Fund NSA Linux by Anonymous Coward · · Score: 0

    Increase funding for NSA's secure Linux project, and make sure that whatever secure code enhancements and tools they develop are available under an open source license so that they can be audited in turn, and the code folded into other OSes besides Linux.

    Also, increase the funding to allow them to do more security auditing of open source code.

    1. Re:Fund NSA Linux by breillysf · · Score: 1

      This is an interesting idea. However, given the reality of politics, I can't imagine the gov't, which is in a deficit situation, funding a competitor of MSFT. I'm all for Open Source as a major solution to security, and perhaps there can be more aggressive laws or enforcement supporting copyleft. I tried to run the concept of tax rebates for security upgrades, but he said that in reality, he would rather see the private sector deal with it - for example, with reductions in insurance premiums for passing certain security levels as the financial incentive. I sympathize with your concept, but I'm a bit leery of having the gov't involved with anything concerning Open Source or Free Software. What is your take?

  240. Wham! by Anonymous Coward · · Score: 0

    Please try to keep posts on topic.
    Try to reply to other people comments instead of starting new threads.
    Read other people's messages before posting your own to avoid simply duplicating what has already been said.
    Use a clear subject that describes what your message is about.
    Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)

    Problems regarding accounts or comment posting should be sent to CowboyNeal.

  241. The Global Web and Laissez-Faire by ksp0704 · · Score: 1

    If the government attempts to implement a legal solution to the problem of web security, it is unlikely that it would be a success. But this notwithstanding, the problem is not strictly our own. Black-hat hackers come from all over the world. Some of them don't even speak enough English to understand any network security laws. Tightening down domestically will not solve the problem. The best solution is to let the white hats work, let the admins use all the tools possible to defend their networks, and let the people that best understand the problem deal with it.

    --
    Ash nazg durbatuluk, ash nazg gimbatul, ash nazg thraktuluk agh burzum-ishi krimpatul.
  242. Crypto by Tom · · Score: 2

    there's just one thing the gov can do about network security: promote crypto.

    as long as we have unencrypted protocols, we will never be secure.

    of course, there are tons of other issues, such as shoddy applications, the usual bugs even in good ones, low-level exploits such as the argus one, lazy admins not patching their systems, etc., etc. - but the gov can't do anything about any of those.

    --
    Assorted stuff I do sometimes: Lemuria.org
  243. Information should be free by Anonymous Coward · · Score: 0

    A legislative and legal recognition of the hacker ethos would be a benefit to our nation's security. Rule number one: "Information should be free". Granted, we are a capitalist society. However, I assert that the unpaid R&D that was initiated by the MIT Model Railroad Club (yes, I'm old school) and that continues today in the form of snort and whatever latest IIS hole has been discovered whilst I write this is an enormous advantage to our nation. It would serve our legislators well to protect that misunderstood asset. Not legislate, not regulate, but allow it to continue its laissez faire development. Granted, we are a thorn in the side of the M$ crowd, but we are also their impetus to continue developing their market.

    Government serves our national interest best when it acts as an extension of the will of the citizenry. We, the people, desire that information should be free and that the 'Net should remain self-regulating, untaxed, and (sigh) potentially insecure.

  244. OH Great by DeanOh · · Score: 1

    Let's see: my two favorite classes of people: an attorney and a senior US senator. How much are you billing your senator for your time on Slashdot? How about if you roll up your sleeves and do some of your own research -- or at least get one of your ambitious partner wannabes to do it for you.

  245. Make it illegal to sell personal data - period. by SgtChaireBourne · · Score: 1
    Make it illegal for companies as well as government to sell personal data.

    Two months ago, I left a clean e-mail address with a bank and now the spam is rolling in. Either some employee is on the take, the bank itself sells personal data, or the bank's intranet got cracked (not improbable given their practices and technology). We could rule out the first two if the sale of personal data were illegal or carefully monitored.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  246. Adopt anti-spam law by ZarkDav · · Score: 1

    Anti-spam law would improve on the security of Internet as a whole.

    Spamming is not considered an offense in most US states, in federal law, or in most other countries.

    However, the implication of spamming is that it can cripple a single Internet host today and could cripple the whole Internet tomorrow.

    Not only is spamming content often dubious, but the act of spamming should be regarded as an attempted denial of service.

    The United States' attitude regarding spam is an example for other countries to follow. By making it an offense, and by convicting spammers, we can make the Internet a more secure place.

  247. Laws for verifying signatures by Secret+Coward · · Score: 1
    Verisign has a document describing the steps it takes before validating a signature. For example, a class 3 organizational certificate

    assures that the organization exists, that the organization has authorized the certificate, and that the person submitting the application was authorized to do so.

    As many slashdotters know, Verisign doesn't always follow through on that assurance. It would be nice if congress established a similar set of verification guidelines, and backed it up with legal force. Naturally, a certificate authority could be held liable if they claim to verify a signature without actually verifying it.

    It would also be nice if an organization wishing to be a certificate authority, could get a license, and a name in the .sign.us domain.

    Finally, it would be nice if certificate authorities were prohibited from disclosing any personal information (like IP numbers of people who checked a certain signature) without a court order.

  248. The other use is to defend. by GlenRaphael · · Score: 2
    for me a gun is still a gun: something that can only be used to kill or harm another being. That's its only purpose, and saying that it's not is only demagogy.

    The other use of a gun is to defend oneself or others against being killed or harmed. That's why we issue guns to police officers. Not because we want the police to kill people, because we want the police to protect people. Private citizens need legal access to guns for the exact same reasons the bodyguards protecting the president or, heck, Britney Spears need access to them.

    And since you don't need to fire a gun for its presence to be a useful deterrent, the presence of guns can actually act to reduce harm to humans. I'm not saying guns always reduce death and violence and harm, but they sometimes do, and that's all the pro-gun side really needs for the guns/nmap analogy to hold up.

    --
    I play Nerd-Folk!
  249. Web-insecurity... by Kaizyn · · Score: 1

    Judging from the volume and content of postings on the subject of Congressional involvement in the security issue, it is safe to say that many are hostile to the thought of new laws to regulate securing computer networks. This is entirely understandable considering the past history of govt. involvement in the Internet - NetworkSolutions' long run as Internic and the DMCA quickly come to mind. Even though Congress does not act in Internet Time, involvement at a federal level is a necessary step in remedying some of the security problems for two reasons: 1) Many cybercrimes go across state lines, needing a federal jurisdiction, and 2) Only the federal govt. is large enough to place enough leverage on foreign nations from which international 'crackers' operate for those nations to take it seriously.

    With that said, Congress will have to limit the scope of their involvement in the issues regarding securing the Internet, if such a thing can happen. Here are a few suggestions of what any legislation and/or action should include:

    1) Quantify Internet-related activities into the appropriate categories that already exist and determine what laws already exist on the matter. To use an extreme example: If you use your computer and broad-band connection to steal $20,000,000 from a bank, does that make it anything other than theft? Also, intangible products and services need to be recognized as being in fact products and/or services, extending liability to the companies who sell them and protection to the consumers who buy the products. This should be a relatively straightforward task; it would probably surprise those involved at just how unremarkable all things related to the Internet and computers really are and how little the difference is between physical and virtual realities. Only after this task is completed, and only if the problem areas left require federal jurisdiction, should new laws be created.

    2) Legislation should not outlaw the use of computer security tools and/or discussion and research about computer security. Although matches can be used for arson, the matches themselves are not responsible for criminal behavior.

    Information about computer security falls into a similar category. Restricting this information is more harmful than productive.

    3) Congress might find it fruitful to allocate the funds to set up a board of 'experts' from all computer-related fields to spend 2 years assessing the security situation for the federal government computers. This body would determine the current state of affairs of the systems, looking for any obvious flaws in the system - hopefully plugging the holes - and determine the real cost of any damages imposed by malicious crackers on the various systems. Maybe just studying a small subset of the networks would be sufficient.

    In sum, Congress should place Internet and computer related fields in their proper contexts and apply existing laws to cover them. This will most likely take care of 95% of all cases out there. For the margin, new laws can be applied. Congress should be mindful not to restrict the rights of the people any further in their attempt to address the security issues. Finally, a serious study of the problem should be made in a real world situation - the federal government's computer systems provide a perfect setting for this test. Considering that there will be no quick fixes or magic bullet legislation for the problems security faces, they should take their time and find out what needs direct involvement from the legislature and what can be left to the industry to contend with.

    Probably, just holding companies such as MS liable for security failures in their systems would go a long way to improving the state of affairs. If only computer-related things were understood in their proper place... Hindenburg, Titanic, Challenger, Outlook Express security.

  250. Re:Wrong side of the bed? by cmclean · · Score: 1
    And on a personal note to cmclean: Got job?

    yes thanks

    cmclean

    --
    "Any similarity between the hooting of a million eager monkeys and Slashdot is purely coincidental." -THEFLASHMAN
  251. Plea for Honesty by Anonymous Coward · · Score: 0

    Dear Congress et al,

    We're thinking IT would be a good idea to help J. Public begin to understand just how important our rights to privacy are, instead of using hypenosys, to lull him into believing that corepirate 'america' loves him.

    IT would also be important to at least acknowledge the existence of the good GNUs, as opposed to pretending that they are a whimsical fad, that should disappear soon. If you did that, the U.S. would save billyuns right away.

    best regards,

    your friend,

    harry brown

  252. Understand the structure. by sholton · · Score: 2, Interesting
    Specifically, if you could ask Congress for help in the area of network and information security, what would you ask for?

    The design of the Internet requires that all entities on it act cooperatively. It was never designed to provide fair and equal service to all adversaries. Corporations are required by their shareholders to act in an adversarial manner wherever their profits are concerned.

    This means that the Internet must evolve into a network run by a single organization (such as Microsoft or AOL) where dissent and creativity are not allowed to exist.

    If this is the goal of Congress, then no action is required. But understand that this means you are writing off the investment which was made to date (and turning it over to the eventual winner) and that you will never again see an economic boom like the one we experienced in the 90's prompted by the growth of the Internet.

    On the other hand, if Congress deems it important for the United States to maintain a strong technological superiority, and is interested in restoring the "capacity to innovate" which the Internet brought to us, then steps must be taken to ensure that the Internet can act as a fair and level playing field for all entities.

    Since the Internet requires (at a technical level) a fair administrative regime, and since corporate ownership of the Internet cannot allow this to happen, Congress must choose between legislating an Internet structure which does not discriminate between players, or replacing the technology of the Internet with a system which can handle an adversarial administrative regime.

    The former would require "common carrier" status laws for network service providers, and may also require de-valuing intellectual property protection, since IP and copyright law is the weapon of choice for corporate aggression on the Internet.

    The latter would require replacing the technology, at the TCP/IP level, with a new technology which enforces a fair and level playing field.

    The risk to Congress, should it fail to take these actions, is that the Internet Community will perceive the loss of the fair and level playing field as damage and route around the problem, making foreign territory the location of choice for innovation and technological advancement.

    In summary:

    Look very carefully at the way the Microsoft Monopoly case is being handled. Nothing has yet been done to remedy their monopoly practices.

    Require Internet access providers to provide service on a fair basis, including legal prohibition on "engineered structural damage" such as that created by filtered routing, content-sensitive routing, and such.

    So what does all of this have to do with increasing the security of the Internet? Security has to focus on the structural level; it's not an after market add on. The insecurity we have today was designed-in. It will have to be designed out, not painted over.

    --
    A new kind of meat designed to appeal to vegetarians.
  253. Focus on prevention rather than prosecution... by PinglePongle · · Score: 1

    Nearly all the legislative approaches I am aware of concentrate on prosecuting perpetrators of security breaches or those who create/possess the tools to do so. This is ultimately not very likely to yield satisfactory results - the Internet being a global medium and all, you might find it hard to prosecute that Albanian script kiddie, or the Afghani virus writer.

    I believe that the best thing the government can do is to help establish a credible full disclosure infrastructure. A "not-for-profit" security organisation managing the release of vulnerability information, together with patches etc. By creating a formal infrastructure, run at arms' length, the government could signal how important Internet security is, and help establish best-practice.

    It could be backed up by some kind of deal which requires all government IT suppliers to disclose to this body, and all other suppliers to have a nominated security administrator who monitors the new vulnerabilities and takes appropriate action.

    The key issue with Internet Security is that the majority of incidents are due to poor security postures by many organisations. The inter-connected nature of the internet means that one organisation which is compromised provides a springboard for attacks against many others. Surely the common weal is served better by encouraging (though not forcing) those companies to "patch up" than by trying to outlaw tools/actions/thoughts.

    --
    It's all very well in practice, but it will never work in theory.
  254. Re: if they grow up untrusted they won't trustable by FlippyTheSkillsaw · · Score: 1
    I wish I had some links to research on this, but there are several studies that show people who are trusted behave in a more trustworthy manner. If you treat someone like a criminal, you'll likely get those results. There is a term in psychology for this effect.

    By 'protecting' the public from this information, you will effectively be turning many of those 100s of good guys into bad guys. Many reasons for that. Some of us want to understand things. It would be that much more interesting, and that much less of a problem for my conscience, if the evil government were suppressing the information.

    Ironically enough, the people that would be most likely to feel repressed are the same people that could use the information in a bad way.

  255. How about PE licensing for Network Admins? by valtok · · Score: 1

    PE- Professional Engineers

    Many engineers- mostly civil, but many mechanicals and electricals are licensed by the state. For example, an electrical engineer with a PE would work on firmware for a control system for a water treatment plant.

    Just a thought. Of course, it would require a great change in the people hired for such jobs. It takes a long time to get the PE, and the test for it is extremely difficult.

  256. Not a major issue. by Anonymous Coward · · Score: 0

    Not a major issue against Steve Gibson of grc.com

  257. require licenses to run web servers by K7001 · · Score: 1

    Usually it's incompetent admins that make the system unsafe. Require admins to be certified (like accountants, barristers et al) and require the company who wants a website to have it externally audited for security in order for them to be allowed a website.

    This will also make me and others loads of money
    and give me a license to print more

    --
    perl -MIO::Socket -e 'IO::Socket::INET->new(PeerAddr=>"some.windoze.box:1
  258. Security / Digital Wish List by 0z0n3 · · Score: 1

    1. Give me back my rights to fair use for copyrighted materials. If I buy the rights to view a movie, I should be allowed to copy that movie to ensure that I can always access said movie. CSS is just a way of controlling distribution, not the copying. (Sell it for $20 in the US, but release it 2 years later in Europe for $50.)
    2. The security industry can sort these issues out. Let the free market be free, and follow its lead.
    3. Kill the DMCA. Enough said!
    4. Stop pandering to the lobbyists from the RIAA and friends. Tell them to take a hike!
    5. Remove the ability of software houses to foist crap on us without warranty. Where would we be if we treated cars the same way as software? The software industry has known how to prevent security problems since the 70's. Input validation, and bounds checking. The only reason they don't is because they are either lazy or have an unrealistic project timeline, making them take shortcuts.
    6. Live by the same rules you enforce on others. For example: Why isn't Congress forced to contribute to SS? If the rules are good enough for US, then they are good enough for you.
    7. Kill the key escrow idea once and for all. A bad idea revisited, is still a bad idea. You can't get the horse back into the barn!
    8. Hacking isn't terrorism! Leave it alone.
    9. Enforce the laws we already have instead of creating new ones!
    10. Rein in John Ashcroft. He's on a spree of killing all our rights in the name of terrorism. To paraphrase Ben Franklin, I think: "People who would give up their freedom for security deserve neither." The burden of living in a free society is dealing with those who would abuse their freedoms. Deal with it!
    11. And exactly how are you going to enforce our anti-hacking laws on other countries? We may be a great nation, but Congress's jurisdiction, according to our Constitution, remains those things not controlled by the States, and the borders of the United States. Maybe a civics class is in order for our Congresspersons.

  259. IMPORTANT: WHY I POSTED THE QUESTION TO /. by breillysf · · Score: 1
    Several posters have been upset that a lawyer would "lobby" and work behind the scene to work for "clueless" Senators.

    Perhaps I should have cleared this up from the start.

    I am NOT taking any fee for this. Nada - never will.

    The reason why I did it was because I was very concerned with the USA Patriot Act and I realized that the network security community has to start interacting with and informing Congress about what is important to them. Unlike the RIAA and other large software developers, there is no concerted influence in Congress for network security concerns. I thought I would start a ball rolling by asking the /. crowd what they think is important. And I have received some amazingly interesting responses. All this is about is one guy asking /. what is important to them and letting a Senator know - for what it's worth. That's all.

    Without wanting to get preachy, we need MORE people to contact their Congress people and share their concerns. That's all I did and I got a good reception from one of the most security conscious and open market Senators.

    So, there is nothing underhanded going on here. Perhaps it is the distrust because I'm a lawyer. But I was first in networks before law and I am extremely alarmed by what is going on in DC at the moment. As a result, I also do pro bono work for EFF.

    I urge the network security community to become more active with the laws that are being written and write your Congress people. They will listen. Thanks for the comments. I'll post the summary of the comments on my web site at http://denmarket.dk.cyberlaw if you want to add any more comments.

  260. Chill out! - really! by breillysf · · Score: 1

    Several posters have been upset that a lawyer would "lobby" and work behind the scene to work for "clueless" Senators.
    Perhaps I should have cleared this up from the start.

    I am NOT taking any fee for this. Nada - never will.

    The reason why I did it was because I was very concerned with the USA Patriot Act and I realized that the network security community has to start interacting with and informing Congress about what is important to them. Unlike the RIAA and other large software developers, there is no concerted influence in Congress for network security concerns. I thought I would start a ball rolling by asking the /. crowd what they think is important. And I have received some amazingly interesting responses. All this is about is one guy asking /. what is important to them and letting a Senator know - for what it's worth. That's all.

    Without wanting to get preachy, we need MORE people to contact their Congress people and share their concerns. That's all I did and I got a good reception from one of the most security conscious and open market Senators.

    So, there is nothing underhanded going on here. Perhaps it is the distrust because I'm a lawyer. But I was first in networks before law and I am extremely alarmed by what is going on in DC at the moment. As a result, I also do pro bono work for EFF.

    I urge the network security community to become more active with the laws that are being written and write your Congress people. They will listen. Thanks for the comments. I'll post the summary of the comments on my web site at http://denmarket.dk/cyberlaw if you want to add any more comments.

    1. Re:Chill out! - really! by DeanOh · · Score: 1

      OK, I'll accept your doing this out of the goodness of your heart and that it's not costing the taxpayers a dime. Even at my advanced age, I retain a certain naivete (that usually results in righteous screwings).

      BUT: I still got a BIG damned problem with a senior senator sending a proxy forth to try and get the pulse of the technology community anonymously. I expect my elected officials to do their business on the record. Wonder if I can FOIA his ass.....

  261. Tons of money! Thanks for paying my Lexis pmt! by breillysf · · Score: 1

    That's a funny comment, DeanOh. But no... as you can read on comment #499, I'm not taking a thing - but I can understand where you're coming from.

    1. Re:Tons of money! Thanks for paying my Lexis pmt! by DeanOh · · Score: 1

      Excellent. Pass along to your senator pal that anonymous 'fact finding' probes make smart-thinking taxpayers nervous. I like my legislating done on the record....

  262. Legislative wishlist by uucpbrain · · Score: 1

    My first and foremost wish, by a wide margin, would be: repeal pretty much everything passed in the last couple of years. When our sites are attacked, we go down a checklist: 1) Was there over $10K in damages? If not, stop here. 2) Will trying to prosecute the hackers most likely just result in bad PR and pissed-off hackers? Yes, almost always, end of story. In short, we're not getting much protection, and we don't really expect any. The Internet just doesn't regulate well, and your average legislation seems to be clueless and harmful. We need protection of our privacy, but we only get the opposite. We need open scrutiny of security problems; we get the opposite. I've written to my representatives, and it seems clear that they don't understand the bills well enough to do anything much but vote like their whip told them to. At this point I am afraid of suggesting anything beyond the stringent enforcement of antitrust law, just because I'd be afraid that they'd totally screw the bills up. So I'd happily settle for as little government intervention as possible.

  263. Several points by breillysf · · Score: 1
    First, you shouldn't stop if the $5,000 threshold isn't met, because there are also state laws that can apply. Also, the new USA Patriot Act practically makes it impossible not to reach the $5,000 - they count almost everything now.

    Second, there is the real problem of bad PR - but if the system was not locked down well, then people should know if their info, for example, is vulnerable. The problem is that it is a management decision, and they end up blaming IT even after they slashed the budget. I don't have any solutions here. I think you'll see litigation in this area that will reduce mgmt incentive to be preoccupied with the negative consequences of PR.

    Third, there has actually been a recent proposal that might help - Critical Information Infrastructure Act (I think) that will encourage companies to cooperate with the gov't and each other without fear of the Freedom of Info Act or anti-trust. There are some things that can happen at the federal level. Most Congressional staffers are clueless about network security issues (they can't be up on everything...), but hopefully there is someone they listen to that you can get to. And I've found that the "IT" advisor is really open to positive criticism - people just have to be heard.
    I think some of the legislation that is under consideration will not ADD burdens to infosec, but hopefully strip down some of the burdens. But I agree, we should be VERY careful what we ask for, because we might just get it - in the form of a political compromise.

  264. No, seriously: _webcurity_? by Anonymous Coward · · Score: 0

    That's not even fucking _vaguely_ a word.

    I am so smart. I am so smart. S-M-R-T. I mean S-M-A-R-T. *curtains catch fire*

  265. IT SOMEHOW WAS A TYPO :-) by breillysf · · Score: 1

    I don't know how it happened, but it was a TYPO. I tried to straighten it out. So NO - I was not trying to coin some lame new term!