Slashdot Mirror


Network Webcurity Wishlist?

breillysf asks: "I am a California-based network security attorney who has been asked by a senior US Senator to compile a list of the most important legal concerns facing network security administrators. He has a good feel for the government security issues (and lack thereof), but he is concerned about what is going on in the front lines in the private sector. I thought the Slashdot crowd would have the best feel on the pulse of the current situation. Specifically, if you could ask Congress for help in the area of network and information security, what would you ask for? Or would you tell them to get out of the way?"

"For example, I tried to push for tax incentives for upgrades in network security measures, but the Senator replied that is dead in the water because we are now spending into a deficit. He would rather see insurance companies reward firms with lower premiums for enhanced security. But there are International legal issues, compliance issues, privacy complications, potential negligence liability exposure, lack of federal incident response, FOIA and anti-trust issues with info sharing, conflicting state and federal cybercrime and privacy laws, USA Patriot Act concerns, etc."

30 of 512 comments

  1. Don't ban tools! by pete-classic · · Score: 5, Insightful

    To borrow a phrase: if you outlaw nmap, only outlaws will have nmap.

    -Peter

    1. Re:Don't ban tools! by Bonker · · Score: 5, Interesting

      This is probably the most important thing any network professional can ask for.

      Outlaw evil behavior, not the tools that enable that behavior. In many cases the tools have many, many more positive and educational uses than negative uses. In a lot of cases, the tools can be used to stop or examine criminal (cracking) behavior.
      Say what you will about Steve Gibson, but the guy knows a little about network security. He gives an extended discussion on how he used the tools of the IRC-based DDOS trade to help oust some script k1dd13's that were hammering his site.

      Without tools like L0phtCrack, the NT password cracker, I couldn't have convinced my execs that a company password policy was necessary and that passwords like 'password01' were unacceptable.
      Just like we don't ban sledgehammers and bolt-cutters even though they can be used to break padlocks, we shouldn't ban network tools either.

  2. Wishlist... by gowen · · Score: 5, Funny
    My wishlist:
    1. Never ever ever use the so-called-word "Webcurity" again.
    2. ...
    3. Err ...
    4. That's it.
    (apologies to Private Eye)
    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:Wishlist... by Unknown+Bovine+Group · · Score: 5, Funny

      UGH. Webcurity? Let's nip this one in the bud.
      Webcurity is the most slashtacular word I've seen in a long time. Its cowboyNealiciousness is of almost Hemosian proportions.
      It's almost Katzian.

      --
      m00.
  3. What I Really Want by twoflower · · Score: 5, Insightful

    The number-one item on my wishlist would be for the government to keep completely out of network security issues -- the government should ensure security on its own networks, of course, but they shouldn't be concerned about anything else.

    There are already enough laws to deal with DOS attacks and such -- more laws just means more expense for those who have to deal with them.

    Twoflower

  4. The obvious by heyeq · · Score: 5, Insightful

    Well, for starters, don't let Microsoft's Chief Security Advisor work as a security advisor for the White House.

  5. hailstorm and the like by curtis · · Score: 5, Interesting

    This is a great chance to get our concerns as a community out into the public sector.

    Consider this: ONE person/organization has EVERYONE'S personal and financial data online. This goes against all design architectures in both security AND engineering. A single point of failure. Imagine one bank in real life, with Barney Fife guarding it. Would you put your life savings there?

    With more and more commerce occurring on the internet, the more important it is that there is some scheme to protect this important market. I am particularly concerned with one private company holding the public trust in their hands -- I am also very concerned about the government, for that matter, also holding this information!

  6. Egress Filtering by jac · · Score: 5, Interesting

    "Coax" all carriers and providers to do egress filtering at the edges of their networks. This should help significantly in reducing DDoS attacks and should help make malicious network activity easier to trace.

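    The filtering jac is asking carriers to do is source-address validation at the network edge (the BCP38 approach): a packet may leave a provider's network only if its source address belongs to a prefix that provider actually originates. The following is an added example, not code from the thread or from any carrier; the prefixes, customer assignments and flow records are all constructed (RFC 5737 documentation space), and the "key=value" record format is an assumption. It shows both halves of the claim: spoofed and unroutable sources are dropped at the edge, and every forwarded flow is attributable to the customer block it came from, which is what makes abuse traceable.

```python
"""Added example (not part of the Slashdot thread): a BCP38-style egress
filter for a provider's edge, run over constructed flow records.

Assumptions (all constructed for this example): the provider originates
198.51.100.0/24 and 203.0.113.0/24, hands out sub-blocks to named
customers, and receives flow records as 'key=value' text lines.
"""
from ipaddress import ip_address, ip_network

# Prefixes this network legitimately originates (constructed, RFC 5737 space).
OUR_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# Sub-assignments used to attribute traffic to a customer (constructed).
CUSTOMER_BLOCKS = {
    ip_network("198.51.100.0/26"): "customer-alpha",
    ip_network("198.51.100.64/26"): "customer-bravo",
    ip_network("203.0.113.0/25"): "customer-charlie",
}

# Source ranges that should never leave any network
# (RFC 1918, loopback, link-local, multicast, reserved).
NEVER_ROUTE = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def attribute(addr):
    """Map an address inside our prefixes to the customer it was assigned to."""
    for net, name in CUSTOMER_BLOCKS.items():
        if addr in net:
            return name
    return "unassigned"


def egress_verdict(src):
    """Decide whether a packet with this source address may leave our edge.

    Returns ('forward', customer) or ('drop', reason). A source that is not
    inside our own prefixes is spoofed as far as the edge can tell and is
    dropped; that is what stops this network's hosts from taking part in
    spoofed or reflected DDoS floods against somebody else.
    """
    s = ip_address(src)
    for net in NEVER_ROUTE:
        if s in net:
            return "drop", f"unroutable source {src} in {net}"
    if not any(s in p for p in OUR_PREFIXES):
        return "drop", f"source {src} is not ours (spoofed)"
    return "forward", attribute(s)


def parse_record(line):
    """Parse one 'key=value key=value ...' flow record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def filter_flows(lines):
    """Apply the egress policy to flow records and return a summary.

    The summary counts forwarded and dropped flows, keeps the drop reasons,
    and tallies forwarded flows per customer so that whatever does get out
    can be traced back to the assignment that originated it.
    """
    summary = {"forwarded": 0, "dropped": 0, "drops": [], "per_customer": {}}
    for line in lines:
        rec = parse_record(line)
        verdict, detail = egress_verdict(rec["src"])
        if verdict == "drop":
            summary["dropped"] += 1
            summary["drops"].append(f"{detail} -> {rec['dst']}:{rec['dport']}")
        else:
            summary["forwarded"] += 1
            summary["per_customer"][detail] = summary["per_customer"].get(detail, 0) + 1
    return summary


# Constructed flow records: three legitimate flows, one spoofed packet aimed
# at a DNS server (the classic reflection setup), one leaked private address.
SAMPLE_FLOWS = [
    "src=198.51.100.7 dst=192.0.2.10 proto=tcp sport=51000 dport=443",
    "src=203.0.113.40 dst=192.0.2.53 proto=udp sport=40000 dport=53",
    "src=192.0.2.99 dst=192.0.2.53 proto=udp sport=9999 dport=53",   # spoofed: not our prefix
    "src=10.1.2.3 dst=192.0.2.10 proto=tcp sport=1234 dport=80",     # RFC 1918 leak
    "src=198.51.100.70 dst=192.0.2.20 proto=tcp sport=52000 dport=22",
]

if __name__ == "__main__":
    result = filter_flows(SAMPLE_FLOWS)
    print(f"forwarded={result['forwarded']} dropped={result['dropped']}")
    for d in result["drops"]:
        print("DROP", d)
    for cust, n in result["per_customer"].items():
        print(f"{cust}: {n} flow(s)")
```

    Run stand-alone it reports three forwarded flows (one each for the three constructed customers) and two drops: the 192.0.2.99 packet, whose source the provider does not own, and the 10.1.2.3 packet, which should never have reached the edge at all. In a real deployment the same check is expressed as an ACL or unicast RPF on the edge router rather than in Python; the point of the script is to make the policy itself concrete.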
  7. tell them by elliotj · · Score: 5, Interesting

    The more crypto the better. And don't try to legislate backdoors into it or anything.

    People need to realize that crypto is available to anyone with the ability to use it... it needs help in getting the average Joe to use it.

    Most people won't use PGP or something because it is too complicated. Crypto needs to be built into office and Internet apps from the ground up. Strong crypto. Stuff that can't be broken.

    People need to feel secure about these things. I think the govt has a lot to offer in promoting PKI and such to get this in the hands of everyone.

    Privacy is important. The govt needs to make a proactive effort to show that they believe in personal privacy and are willing to help make it happen online.

    1. Re:tell them by remande · · Score: 5, Insightful
      I'll make a stronger statement on that. Any attempt to require back doors on encryption (e.g. the Clipper Chip) will significantly increase our risk exposure. Let me illustrate.


      A back door is really a master key. Government back door schemes require the encryption to have a back door key, and for the government to have that key.


      If you're paranoid about the government like I am, you can see where giving it the master key can ruin your day. But even assuming that the government is all white hat, you're still in deep trouble.


      That master key is worth hundreds of millions of dollars in the right hands. Organized crime could use that key to commit credit card fraud on millions of credit cards. This is also a great way for terrorists to get funding. Depending on the crypto scheme, it could be used to forge communications, rerouting shipments. If I had the Master Key and needed a couple of hundred pounds of plastic explosive, that would be my first idea.


      And that key can't be kept very secure if it's being used. Thousands of people, whether law enforcement officials or court officials, will have access to that key. Out of a thousand people, somebody's going to be bribable for a mere one or two million dollars. Or be required to hand over the key to get their loved ones back. Or write down their password and have their office computer broken into. It won't be too hard for a determined criminal to get that master key.


      I am a big fan of crypto, but I would honestly prefer no crypto to back door crypto. At least if you have no crypto you know you're not being spied on.

      --
      The basis of all love is respect

  8. IPv6 and IPSEC by PineHall · · Score: 5, Interesting

    If the government would require IPv6 and IPSEC on all their networks, that would go a long way toward IPv6 and IPSEC being accepted and would improve network security. Nothing else needs to be done.

  9. Most important and significant problem by Cesaro · · Score: 5, Insightful

    The most important and significant problem is not putting the proper resources into getting that security. Upper level management are not technically minded folk, and they don't view computers as true tools. They don't understand the costs when you try to explain it to them. "I'd like to get around $200k so that I can physically separate out infrastructure and give us added security."
    Management: "I'll give you 2 un-trained contractors, a spool of thread, and a tin can."

    They just don't understand, or appreciate, what computers provide, but yet they get irate when something happens. Therefore the largest hurdle to overcome is getting the senior people up to snuff, or willing to dish out the resources for what needs to be done above and beyond a simply reactionary level. To them, pro-active computer security is like flushing money down the toilet.

  10. just because they get exploited the most by eclectric · · Score: 5, Interesting

    doesn't mean they're the least secure.

    Exploits are still made against products that Microsoft secured over a year ago. And indeed, Microsoft gets exploited the most because they are used by the vast majority of non-technical users. Can you imagine what would happen if 90% of the computer-owning people used Linux? Every single hole in the OS would not only be exploited, but you could count on it being a LOT less likely that the average-Joe user would *ever* update his software to fix the hole.

  11. As a recipient of a subpoena... by dfeldman · · Score: 5, Interesting
    A few years ago I worked as a sysadmin at a moderately large company. We had a pretty big turnover problem because our company's marketing efforts tended to attract job applicants who were "green" college grads, lazy, troublemakers, and looking for a "fun" workplace with foosball tables and free snacks. Needless to say, they did not fit in at the Fortune 500 company where I worked.

    One of these employees got bored with his coding tasks and, with no previous exposure to a broadband Internet connection, apparently decided to become a script kiddie on company time. From all outward appearances, he got pretty good at it, but one day it caught up with him: U.S. Marshals came into my office and served me with a court order that asked for many, many pieces of information that would tell them who had been cracking systems from our corporate network.

    I had no problem turning this information over, as the other choice was to go to jail and let the hacker go free. However, I was appalled with the way the marshals treated me: they knew that I was just the sysadmin, not the perpetrator, but they still treated me like a criminal. When I told them that our NAT setup doesn't keep logs of every single outgoing connection from our network (as had been requested in the court order) they got really pissed off and started threatening me. At that point I told them that I was not going to do anything for them without talking to counsel, and they backed off.

    So, the moral of the story here is that law enforcement needs to show more respect for sysadmins, and learn the difference between a network admin and a criminal on the admin's network. Treating everybody as though they are all guilty will only build resentment and get in the way of getting their precious case solved.

    df

  12. Responsibility by Alien54 · · Score: 5, Insightful
    I do not know how you would do this, or what the right way to do it is, but I would like to see some responsibility for writing or creating secure systems.

    I am thinking specifically of Microsoft, and the Microsoft Outlook Email Viruses, but this could certainly apply to plenty of other companies.

    If companies are merely licensing the use of the software to us (and we do not own it), and charging the big bucks, shouldn't they be responsible and/or liable for the consequences - damages from using it? or is this a matter of they get all of the benefits, and we get all of the problems?

    --
    "It is a greater offense to steal men's labor, than their clothes"
  13. Don't criminalize security research by mikej · · Score: 5, Insightful

    There's an ongoing trend to criminalize the tools and speech used to conduct security research; This is the single most frustrating aspect of the government's involvement in network security. Lists like bugtraq and tools like nessus and nmap are absolutely vital to the health of a network-connected system. Some suggested legislation would make all security discussions criminal, some would allow such work to only be conducted by approved organizations; Both would shatter the ability of the individual administrator to effectively secure his systems. If I could make one and only one request it would be to specifically disallow legislation that attempts to let companies involved with the internet take the security ball to their private court and bounce it around, leaving individual system administrators with no tools and no forums in which to discuss their own defences. In short: keep public, individual security research legal.

    Thanks, and good luck.

    --
    Ideology breeds Hypocrisy. Just how much is up to you.
  14. Re:Holding Companies Liable by jspey · · Score: 5, Insightful

    More specifically, if you pay for some software and it has security holes that a reasonable and prudent check should have found before it went on sale, and those security holes cause you problems (like lost time, lost money, lost business, whatever), then you can at least try to get the purchase price of the software back from the publisher. Seriously. Lots of software has holes in it. But if I buy win2k and install it, and the default install turns on IIS, and IIS has enormous holes in it that should never have made it past quality control, then I should be able to get the cost of the software back from Microsoft when I suffer problems from their poorly designed software.

    If you make the penalties for unsafe software too large, no one will write software. But there needs to be some sort of incentive for companies with so large a market share that they don't care how crappy their software is to make their software safe.

    Mr. Spey

    --
    Cover your butt. Bernard is watching.
  15. Enforce the laws we have... by moonboy · · Score: 5, Insightful


    • No New Laws - The government has a habit of throwing more laws at a problem (yes, and money too). We don't necessarily need more laws, just proper enforcement of the existing ones. (Or maybe I should say, no laws just for the sake of creating them... no hollow laws to appease the general public and press... if new laws are made, they must be effective!)
    • Crypto - No more restrictions on crypto.
    • Tools and Methods - The government shouldn't ban tools and methods used to work in network security. These are very necessary to increase the level of security. Like another poster said, if you ban them (i.e., make their use, possession, etc. illegal) only the "bad guys" will have them.


    --
    Co-founder and designer at Music Nearby: http://musicnearby.com
  16. He was lucky to work for your company by sting3r · · Score: 5, Insightful
    One of my co-workers was scamming people on eBay from home, and one of the disgruntled customers called our local police department to whine about it. The police came down to our place of employment and started talking with the managers, and the managers literally turned white and started handing over records. This was without a warrant or court order, mind you. Last I heard, they had turned over the employee's entire HR file, his entire mail spool, and his desktop computer. Needless to say they did not want him to work there anymore after that day.

    This brings up an interesting point, though: should Congress make it illegal for companies to give up your personal information to law enforcement without your consent (or a court order)?

    -sting3r

  17. Get out of the way. by SecurityGuy · · Score: 5, Insightful
    The *LAST* thing I want is a legislative "solution" to a problem the so called experts can't even agree on. Full disclosure or not, is scanning illegal, should it be, etc. Legislative solutions are far too often nothing more than new problems. Copyright violation is a problem. The DMCA is supposedly the solution. Terrorism is a problem. The solution, apparently, is to pass laws undercutting privacy and liberty in the states. Crime via computers is a problem, their solution was key escrow (thankfully not implemented), and now the FBI is writing computer viruses (Magic Lantern).


    Thanks, but no thanks. I'd much rather stick to securing my boxes with the understanding that it's a hostile net out there than have my government tell me the One True Way to do so. Passing laws which only apply to less than 5% of the world's population will not make the net secure, and feel good legislation is something I can do without.

  18. Make it illegal for states to sell personal data by zoward · · Score: 5, Insightful

    It is current practice of some US states to sell driver's license pictures and other personal data from their database to private firms, for various reasons. This practice should be illegal, or at the very least carefully monitored at the federal level.

    --
    "Can't you see that everyone is buying station wagons?"
  19. Suggestions for the Government by shanek · · Score: 5, Insightful

    1: Get out of our way WRT encryption and other secure technologies. We're not terrorists, we just want to keep our personal information secure. Installing "back doors" and other methods may, on the surface, seem like a good idea for national security, but in reality hackers can enter through those as easily as the government.

    2: Hold vendors responsible for security holes in their products. Currently, the EULAs prevent someone harmed by a security flaw from seeking liability, even if that security flaw was deliberately programmed into the software as a "feature."

    3: Recognize the role of antivirus firms such as McAfee and Symantec in protecting users. They should be unrestricted in their efforts to make and sell software that can protect computer users from harmful files, regardless of the source.

    4: Realize that the best way to catch criminals and terrorists is through the use of human intelligence, which history has proven to be much more effective than randomly reading private EMails. Also, human intelligence doesn't involve threatening the liberty of normal, law-abiding Americans like many of the other proposed methods do.

    5: This is probably the most important one: Remember the words of Ben Franklin when he said, "They that would give up Essential Liberty in order to obtain Temporary Safety deserve neither liberty nor safety." I would also add that, in these cases, you usually don't get the safety you're seeking in the first place.

  20. US legislation != Internet legislation by jet_silver · · Score: 5, Insightful

    Encourage the Senator to remain aware that legislation about the Internet doesn't have crisp borders. Bits don't change color when they cross national boundaries.

    When you do that, you might get him to understand that such laws are not easy to enforce and will certainly involve a lot of jurisdictional disputes.
    And you might encourage him to realize that it is the lowest common denominator of behavior on the Internet that represents the cutting edge of security needs.

    In other words, passing legislation against US Internet users is tantamount to taking their guns away, when they can at any minute be involved in a virtual gun-fight with, for example, Chinese or Indian crackers who have no such laws hampering them.

  21. My Wishlist by medcalf · · Score: 5, Insightful

    In no particular order:

    1) The Federal government should encourage, not discourage, the use of encryption, without key escrow or back doors, by not regulating encryption in any way. (The government should also invest heavily in the appropriate technology to break encryption when it needs to do so.) Without the fear of government intervention, application designers will be encouraged to add encryption to email and other software as a business advantage to themselves, thus allowing my business to communicate more securely with ease.

    2) The Federal government should encourage open source and open standards by requiring the use of open source software and open standards on all government systems (except possibly military/intelligence systems). This will get more eyes on the code, thus reducing vulnerabilities and fixing them faster, and will ensure that people are unable to take advantage of unpublished holes in uncheckable software.

    3) The Federal government should generally *not* regulate the internet, as this can introduce holes that cannot be fixed because of regulatory requirements. In particular, the government should not use either legislation or funding to control the use of the internet by libraries, schools and other non-Federal government institutions, or by private individuals and organizations. There are a few exceptions I would be OK with:
    a) requiring "edge filtering" so that networks would not support denial of service attacks;
    b) allowing wire fraud charges against people/organizations who deliberately send email without proper and valid headers (or with forged headers), so as to obscure their identity while sending unsolicited commercial email and/or perpetrating scams (note that this should be allowed for the purpose of anonymously propagating a political opinion, for example, just not for commercial use);
    c) requiring organizations who control internet naming or numbering to have public accountability, as these organizations were largely granted a monopoly by the US government; opening up these processes to a standards-based system where everyone can participate; or allowing anti-trust legislation against such bodies if they attempt to coercively control internet access.

    4) The Federal government should designate ISPs and online communities as common carriers.

    5) The Federal government should require cable and telephone companies, as part of their FCC licensing requirements, to offer the option of access to the network for paying subscribers without mandatory membership in an ISP, and in particular an ISP should not be allowed to gain monopoly status by association with a government-granted monopoly such as a cable system. This would have reduced the @Home debacle, for example, to a trivial matter. The potential for AOL/Warner is even worse down the road if something is not done to guarantee choice in broadband access.

    OK, I guess I got a little away from security with some of that.

    -jeff

    --
    -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
  22. Re:Holding Companies Liable by jspey · · Score: 5, Insightful

    That works if you're a private company. What happens when a soccer mom gets her cable modem turned off because someone exploited some hole in IIS that she installed on her computer without knowing it? Never mind that to fix the hole she'll have to d/l the patch from the microsoft website, which is kind of tough when you don't have web access anymore.

    Sure, after the patches are out then it's your own responsibility to fix it. But some of the holes and/or default configurations have no business being in a piece of published commercial software.

    Mr. Spey

    --
    Cover your butt. Bernard is watching.
  23. Some suggestions by jd · · Score: 5, Insightful
    • Security should fall under some form of "trades description act" - eg: what you're offered is what you get. A firewall that isn't, secure transactions that aren't, or privacy that's sold, should be actionable. That isn't about the limits of technical skill, it's about fraud that merely happens to involve computer technology.
    • It should be illegal for an ISP to prohibit customers from implementing security on their machines (except where that security is, itself, a hazard to other machines)
    • Where the technology exists to prevent criminal abuse, and an ISP neglects to use it for reasons OTHER than financial or technical, then that ISP is an accessory to the crime, and should be held accountable as such.
    • Insurance companies should have the right to carry out periodic audits of computers belonging to customers they insure, and modify premiums according to the flaws encountered.
    • Customers of companies should have a similar right to scan the companies they deal with (and vice versa), so that neither side can claim ignorance of the status of the other, prior to transactions taking place.
    • As things stand, "important" web transactions are secure, and all others aren't. This is the same as placing a large, neon sign over the hidden wall-safe. It is no longer hidden, or safe. I would like to propose that unsecure, or only partially-secure websites be subject to penalties, where such a policy results in a breach of security.
    • Finally, where conscious and deliberate inaction results in an expense to any emergency service, security agencies, etc, the organization responsible should be expected to reimburse those costs, in full. (Note that this is for inaction alone. You can't sensibly penalize those who make a genuine effort, even when that effort fails.)


    Implementing even a few of these should deal with the national deficit, quite nicely. Some of the biggest costs in both public and private spending are to fix serious problems, after the fact. The burden should be shifted, as much as can realistically be done, to those responsible. A stitch in time saves nine. But, damn it, the tax payers shouldn't have to pay for someone else's failure to stitch.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  24. Something you can actually do by Syberghost · · Score: 5, Insightful

    Mr. Senator, there is something you can actually do for us.

    It even involves you getting to pass a law, which I know is something you Senators greatly enjoy.

    It is:

    REPEAL THE DMCA SO WE CAN GET SOME DAMN WORK DONE.

    Thanks for taking my valuable time (because I pay for your time, too) to listen.

  25. Stop Gov't Interference w. Security Research by rlp · · Score: 5, Insightful

    My biggest concern is the woeful state of computer security research in the U.S. Due to crypto restrictions in the U.S., foreign firms offering commercial cryptographic products have gained a major competitive advantage. This has translated into more R&D money for these firms. The crypto regulations were repealed. But now history is repeating itself, due to congressional meddling with Intellectual Property laws (DMCA and its ilk). It's had a chilling effect on security research in this country. Similarly, the Sklyarov arrest resulted in foreign security experts being very wary of even attending conferences in the U.S.

    At a time when the U.S. needs to strengthen our computer security infrastructure, congress has managed to handicap the very people needed to accomplish this goal.

    So, bottom line, change the laws (starting with the DMCA), before all computer security research moves offshore.

    --
    [Insert pithy quote here]
  26. You do your part and I'll do mine by The+Man · · Score: 5, Insightful
    I can take care of script kiddies, virus outbreaks, and idiots who install IIS. It is Congress's responsibility to do only two things: (1) require that the computers and networks belonging to the federal government are as secure as humanly possible, especially those which may contain citizens' records, and (2) protect law-abiding or possibly law-abiding citizens from the three letter agencies by forcefully restricting their activities to legitimate investigations using constitutionally "white" - not "grey" or "marginal" or "illegal as hell" methods. That applies to computer crimes as well as all others, and for practical purposes it should restrict the TLAs to prosecution of known crimes involving federal computers, and pursuit and analysis of foreign intelligence.

    Don't protect private companies and individuals from anyone but the government. We can take care of ourselves.

    Don't protect the government from law-abiding citizens. We're at sufficient disadvantage already.

    Don't protect the privacy of convicted criminals.

    Don't create laws that favour any one kind of entity over any other, except law-abiding citizens and corporations over convicted criminals.

    Don't legislate exclusions of liability for security breaches. Let the civil courts decide who, if anyone, is responsible for damages due to security breaches.

    Don't restrict or attempt to restrict cryptography, and strictly prohibit the three letter agencies from planting or distributing intentionally weakened or defective cryptographic tools.

    Don't allow the three letter agencies to wiretap data connections without meeting constitutional requirements - it does nothing to improve security and most likely decreases it by creating additional copies of sensitive information.

    Most importantly of all - *DO* build trust in the security community by passing and strictly enforcing JUST, FAIR LAWS in all matters concerning digital security, copyright law, privacy, and civil liberties. In other words, do your job as statesmen and earn the respect and trust of all the citizens you supposedly represent. Your job is MUCH easier to do when we can trust you, and sadly, your record makes that outright impossible.

  27. That goes for information, too by Hizonner · · Score: 5, Insightful
    There's an attitude out there that says people should have to justify their access to information about security... not just network security. You hear a lot of bleating in the press about how "just anybody" can get access to information about how to do dangerous things, and how we (whoever "we" are) need to clamp down on that in various ways.

    The problem with that attitude is that, to get real security, you have to do things in a secure way everywhere. That means that everybody has to be thinking in terms of security... and not only that, but thinking in terms of things that will actually help, rather than just giving a false sense of security. That takes a certain mindset, and the only way to develop that mindset is to think about ways to break security, to see examples of how security is broken, and to see how existing security measures work, both so you can improve them and so you can avoid screwing them up.

    If you restrict access to information, you end up with only two sets of people who have a clue:

    1. A small group of overworked security specialists. These people can't do it all, and, if the rest of the world is poorly informed, they won't be listened to. In addition, in an environment where information is tightly restricted, it's very difficult to recruit and educate new security specialists.

    2. The bad guys. Being more motivated than the general population, the bad guys will get most or all of the "restricted" information through their own networks.

    Security is everybody's problem, and that means everybody has to understand it. When you release information widely, you educate 100 good guys for every bad guy. When you try to keep everything secret, you hold the good guys back more than the bad guys.

    I'm not saying that there's never a reason to keep anything secret, but there should be a presumption in favor of openness. You should try to keep something secret only when:

    1. It describes the details of an actual vulnerability that hasn't been fixed, and provides information useful in exploiting that vulnerability, AND

    2. Having information about the vulnerability would not, in itself, permit people to protect themselves, AND

    3. You're reasonably sure that large numbers of bad guys don't already know about it. In network security, large numbers of bad guys will definitely find out about it within a few months, if they haven't already found it independently. That means that keeping anything secret for a long time will never work.

    In government, the sorts of things we need to watch out for are:

    1. Excessive classification. It would be nice to see more legislative sunsets on classification, and more requirements for review of the decision to classify something. Patent secrecy orders are especially suspect.

    2. Programs where government information is shared only with "trusted private sector partners". Not only is this intrinsically bad, but it encourages cronyism and corruption, and can create economic problems by raising barriers to entry in security-related industries.

    3. Misguided weakening of "sunshine laws" like the FOIA. Because information is power even more in the Federal bureaucracy than in most places, there's an incentive for agencies to hoard it for political reasons. When all else fails, these laws often serve, not so much to free the underlying information, as to expose the illegitimate reasons it's being held secret.

    4. The occasional calls for outright banning the release of scientific or engineering information, in the style of the idiotic Feinstein "bomb making information" law.