U.S. Gov't Planning To "Help Us" Secure Computers
BahdKo writes: "CNN reported today in this article that the U.S. government is working out a plan to help protect Cyberspace from attacks by "hackers and terrorists." This plan will include the distribution of government-provided software to help clean up insecure Windows installations. It's hard to picture myself executing government-provided software on my workstation (we were supposed to be *increasing* the security of the PCs, right?)"
It's almost like the US gov't has a list of things techies hate, and they're going down the list and doing each thing, just to piss us all off.
Now, the general populace isn't paranoid about their gov't, but even so most people will balk at the gov't saying, "Here's some nice friendly software courtesy of Uncle Sam that we'd like EVERYONE to run on their computer. It, um, looks for flaws 'n stuff."
For myself, and I assume most of the geeks here, I'd want to read every single line of any code given to me to run by the gov't, compile it myself, and run it. Love your country, yes. Trust your country, never.
The only tool you've got against psychosis is experience.
But does that necessarily mean that the source is too? I think it does, but I'm just wildly guessing now.
[PowerPoint] is a tool for capitalist presentation
Because government computers are so secure themselves... HA!
http://www.cisecurity.org/
And to clarify a lot of paranoia,
These tools were built in conjunction with the Federal government, major manufacturers, service providers and academia. They are basically scanners that look for the most common vulnerabilities on systems. And no, you're not installing an NSA/CIA/FBI/TLA backdoor onto your system.
What I would like to see is Government "grants" to better security at other federal and state agencies like universities, police departments, DMVs, etc. Then open it up to businesses and whatnot. My Univ would love to find a grant to help offset the costs of a good security solution. Our physical security is a joke. Odds are, you can walk right through our office, into our server farm, take a server, and leave with it with minutes, hours, maybe even days to spare before someone even notices it's gone. A grant to help pay for a keycard system and remodeling to accommodate heightened security would be great.
So let me get this straight. They're saying "download and install this software, which looks for security problems that are most commonly caused by users being too lazy to download and install software (updates)". Does anybody else find that amusing?
Unix is user friendly, it's just selective about who its friends are.
Good. So you're not worried about that line 3029 that says:
    if (slashdotId == "Wolfier")
    {
        openBackdoor();
        sendHisDodgyWebAccessesURLsToUncleSam();
        triggerIRSAudit();
    }
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
> (we were supposed to be *increasing* the security of the PCs, right?)
;)
I mean if the government was that incompetent, we'd already know who really killed JFK, right?
At any rate, I happen to work for the government, and I've also held a few commercial jobs, and speaking on a relative scale, the government network has a much better security model than any place I've ever worked.
They also have a fanatical security "reaction" team that enforces security policy, scours vulnerability lists, and watches logs daily for signs of intrusions. When that Apache hole came out a few weeks ago, they gave every website at the facility about three days to fix it, otherwise they would start black-holing ports of machines running unpatched servers.
Now whether we're an exception or a rule I'm not qualified to state, but the government isn't quite as stupid as you're suggesting.
I understand the reason but I do not understand the execution. Ignoring all "magic lantern" issues, this is just the wrong way to fix it. The government and some companies (Chevron??!) are going to audit the security of Windows, find the flaws and distribute a program to alter it so they are fixed...
:)
This is easier than just asking Microsoft to design a secure version of Windows? Come on, you already found them guilty of being a monopoly, perhaps a nice sentence would be "make a secure version of Windows".
If Windows insecurity is such a threat to homeland defense, shouldn't the government be cracking down on the company making the laughably insecure software? Or perhaps simply not using it since it is (by the government's own admission) insecure?
Or just demand the source code and distribute their own secure version. It worked with NSA-Linux.
Finkployd
I happen to disagree, but even if I didn't I'd suggest that this is one of the times when having the source code is most important.
The US federal government is not a trustworthy entity. Various departments within that organisation are known to disregard laws concerning privacy and security and many of these also have institutional goals, official or otherwise, that involve spying on American citizens and others. Therefore a reasonable person would consider binary-only software from the federal government to be untrusted in the same way as an unsolicited mail attachment or unsigned binary files found on arbitrary web or ftp sites. The reasonable and prudent assumption is that such untrusted binaries are malware until proven otherwise.
If the government wants to convince systems administrators that its security-enhancing software is in fact *not* malware, the best way would be to provide the source code in full. If doing so exposes new vulnerabilities, the government should, before releasing the tools in any form, follow normal vulnerability reporting procedures. If Microsoft or other vendors are unresponsive, the proper procedure includes full disclosure of the vulnerabilities and their fixes. The source code to these tools constitutes fixes, and should be released either in coordination with vendors or in the event that vendors are unresponsive. In short, the government should follow the same procedures regarding vulnerability disclosure and dissemination that most other people do.
Internally, of course, I expect and hope that systems would be patched as soon as possible. Naturally I would patch my own company's systems even before a vendor releases a patch if I initially discovered the problem and its solution. But internal dissemination is a separate matter.
> Why is it cool to think that the United States Government is out to spy on everyone and in general fuck things up?
It isn't "cool", it's a simple recognition of the facts. Did you miss the news last month when it came out that the FBI had a 2^16 page file on one of CA's uni presidents in the 70's, simply because they didn't think he was "tough enough" on liberal professors? Or the earlier revelation that they had a whopping big file on that Dangerous Enemy of the Republic, Albert Einstein?
These people have been at it so long that their primary motive for spying now is that they've forgotten how else to act.
> Slashdot views are so far to the left that they've wrapped around to those of the ultra right Montana Freemen.
What has Left-Right got to do with it? Not wanting to be spied on is "normal".
Sheesh, evil *and* a jerk. -- Jade
Aiigh! This suddenly reminds me (particularly that juicy, slurpy opening quotation) of those old '50s propaganda items like Appreciate America, where "patriotism" and "being a good American" (whatever that means) are automatically equated with "doing your part" (not incidentally what everyone else is doing).
So let's all be good Americans, well, those of us who are Americans (--points finger--), and spy on our neighbours, secure our piece of cyberspace, and whatever else our fearless leader says we should do, because then those damn Commi^H^H^H^H^Hterrorists won't be able to eat us all up as we sleep in our (all-American) beds at night.
Theme music: "Exhuming McCarthy," REM, Document
I'm not a geek, I'm just a clever script.
Propping up such a poor 'down-on-its-luck' company? I think that the government should FINE Microsoft for each standard hole that each customer out there has; not fix the problems for it using public money.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
> from attacks by "hackers and terrorists."
Enough statements like this and there will be no effective difference between the two.
Watch out, script kiddies: first you could get the death penalty, now you may not get a trial.
Alas, Babylon.
Don't blame Florida.
Blame the puffy, middle-aged guys named Chuck who think that the right to own firearms is the only civil liberty that matters, since it's the only civil liberty you can use to make an exciting loud noise and put holes in cans.
Blame the old people who don't understand the modern world, and as such believe all of the knee-jerk blame laying that demagogues spew out on cable news channels 24 hours a day.
Blame people who see the whole world in moronic stereotypes. Blame the people who think that speech ought to be free only when it matches their own opinions. Blame the people with severely outdated understandings of capitalism who believe that big corporations can self-police and the market can self-regulate. Blame the people who are so cowardly that one terrorist attack which kills a few thousand people is justification enough to toss our most valued rights out the window. Blame the people who think that the flag (and not the hard-won liberties it symbolizes) is sacred. Blame the people who think that their religion should be forced on everyone, and think the founding fathers secretly wanted it that way despite rather obvious evidence to the contrary.
Most of all, then, blame an education system that doesn't teach people how to think in an objective or independent manner. Blame parents who don't teach their kids to evaluate information or ask questions.
But don't blame Florida -- those ballots were pretty confusing.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
They're releasing this software to check how well their backdoors inside America's Army worked. Duh!
And even if it isn't open, why not? Whether it's designed to be auditable or not, it's gonna be audited. Big time.
NSA has two mandates - 0wn non-Americans' b0x3n, and help us secure our b0x3n against non-Americans. This seems to be part of the latter mandate.
For those speculating that this isn't an NSA thing to secure your boxes, but is instead a sneaky way to get you to install FBI trojanware - finding proof of such a claim would probably be the greatest prize in hackerdom.
With that much fame at stake, you don't think every hacker and cracker on the planet isn't gonna be disassembling every last byte of this code, looking for precisely this sort of evidence? Once the binary's released, there'll be no way to put the cat back in the bag once an army of determined reverse-engineers goes over it. With that many eyes, even trojans/bugs in closed-source apps are shallow.
Our government may be dumb, but they're not that dumb. So odds are very good that this is merely what it claims to be - a quick-and-dirty tool to help secure a system.
Much as it can be fun to imagine otherwise, sometimes a cigar is just a cigar.
That is not entirely accurate. All government developed software may wind up as public domain, but I would guess that most, if not all, of it will not be available for at least 20 years after it's written. If all the software (and especially source) was public, we'd have some major security holes and exploits possible. Just think about it.
We've got gov't programs running major systems (think NT on aircraft carriers, IIRC). A lot of gov't-created systems are running gov't machines. Much of the software is so specialized that it's probably not much use to any of us, but there's a few pieces that if crackers got a hold of would be disastrous.
Just to illustrate this, one of the guys I worked with (he left, maybe a week after I started) had worked with the DoD before working here. Me, being the inquisitive student, asked about it. He told me that most of their programmers and engineers don't know what they're working on. The engineers get told, "build this part," not "build this part for this machine."
Programmers are treated more or less the same way. They're not told to write a program. They're told to write a class, or maybe just a function. They aren't told what they're working on, just to code. The higher ranking/clearance guys then put it together.
So, eventually, yeah, maybe we'll get to see the code. But there is a lot of classified stuff in the government. You don't get to hear about everything.
And, correct me if I'm wrong, we don't even get to see the code for the America's Army game, do we? Of course it wasn't developed by them, just for them. Thoughts?