Schmidt Predicts Digital Sky Is Falling
Danse writes "Former Microsoft security chief Howard Schmidt now works for the government as the vice chairman of the Critical Infrastructure Protection Board. According to this article on Security Focus, he has been touring the country, proclaiming the dangers of "zero-day viruses" and "affinity worms" that will create the kind of havoc that nothing else short of a nuclear exchange could cause. "Traffic lights, pacemakers, appliances -- all subject to outages and interruptions because in the future they're controlled via Internet, declares Schmidt. The power grid could fail catastrophically by 2005!" How do you argue with this kind of rhetoric, especially when it's being spread directly by government officials to corporate leaders?"
The fact that we have the DMCA, that freedom is being eroded in the face of national ID cards and the loss of anonymity on the net indicate that the sky is falling.
CEE5210S The signal SIGHUP was received.
> Traffic lights, pacemakers, appliances -- all subject to outages and interruptions because in the future they're controlled via Internet
Why would these things be controlled via the internet? We already segregate certain high security systems from the internet to avoid even the chance of them being "hacked". I don't think a pacemaker would -EVER- be hooked up to the internet -- not only is there no point, but it's just extra risk for something to go wrong.
On the note about how to stop the rhetoric, it's simple. We need people who are educated in technology to report to the government with the TRUTH, not these fictional facts being spread merely to cause a slight fear which will (in all likelihood) raise sales in the technology industry to "buy more secure products".
How is this news? This is the same party line as the Luddites have, only this guy has some history and a government position. So what? The Luddites have been proclaiming the end of the world because of technology for over a century. Has it happened? No. Will it happen? Maybe. Can we do anything about it if it does? No; so who the fuck cares?
My brain just imploded.
Well, as the article points out, what's interesting is the change of tone. While he was a Microsoftie, he was downplaying the impact of viruses & worms.
Now that he's in the government, these things are apparently more important.
The change of perspective and its timing is....interesting.
Don't you remember that old television series Automan?
Between shows like that, in which a computer program given life could control any electrical device, and all the poorly done "hax0r" characters on film and television, why would you expect people NOT to believe things like this?
While it seems that the phrase "snake oil salesmen" has passed out of the vernacular in favor of "really good excuse to sell product," Schmidt is really nothing more than a fearmonger. While I could imagine a worm moving through the internet fairly quickly, I can't imagine it doing too much serious harm. I mean, nothing could be much more serious than Code Red or Melissa or something. The net is fairly heterogeneous, so if a big chunk of end-user Windows machines become infected, who gives a crap? Worst thing is a slight dip in sales at Amazon or buy.com, and McAfee, Symantec, etc. get some new sales. Even a Windows machine can be armored against these things if you try. Also, spreading instantly isn't even feasible. It takes time for a machine to find connected hosts, transmit and process things, etc.
What worries me most is this absurd prediction that traffic lights and the power grid etc will become part of the internet. There are no good reasons for traffic lights to be on the public internet, and lots of good reasons for them not to be. However, there are lots of good reasons to control such things by computer, and the best way to take advantage of this is by using economies of scale through the use of commodity hardware. In other words, over TCP/IP. So, the traffic light network assigns all lights an IP address. This isn't the same as being on the internet. And despite all the fearmongering it's unlikely to happen.
Remember, these people have been predicting critical infrastructure death for 10 years, and their theoretical net-wide worm actually hit 14 years ago! Be fearless, build firewalls, and update your software, and ignore this moron (though if you can use it to convince your boss you need a new dual 1.5GHz machine with a giant plasma display, go for it...)
Q:Doctor, how many autopsies have you performed on dead people?
A:All my autopsies have been performed on dead peop
Part of the reason Y2K happened nearly hitchless was due to the fact that so much hype was involved. By declaring "the sky is falling" they are preventing a problem through means of hype. However, this man is a Microsoft ex-employee and I'll be quick to point out that most viruses and worms are not "computer" viruses specifically but *Windows* viruses. By making a fuss he is trying to protect his "alma mater" as it were.
It looks like some big government, "I pat your back, you pat mine" business.
Rob
Perhaps they need to spread more FUD generated from 'reputable' sources like the government so people and corporations get scared enough to WANT government help.
The most conspiracy-engaging part of myself is saying that this is only the first step in a plan to 'prove' to us that 100% of USA civilian computer systems cannot be totally secure against attack from international adversaries and thus must not be in the hands of civilians.
Computers are incredibly powerful tools and today's machines are beyond what the scientists of 20 years ago dreamed of in the future's uber-super-computers. They can be used as powerful weapons in terms of using 'unbreakable' encryption, launching major DDOS and similar attacks, compromising systems and installing backdoors and more. They are tools for facilitating truly free speech and covertly exporting most any kind of information. Everyone with one could be seen as a threat to a government that wants ultimate control and thus this could be just the initial phase of a long-range multi-decade plan to keep all computers in the USA under physical control of the government.
Of course, this is just a far-fetched conspiracy theory. You are welcome to accuse me of throwing FUD because that's what this probably is.
And while there's some tongue in cheek in this, I really think that 90% of the reason why FUD like this is out there is because of what people see on TV/Movies.
Law and Order depicts a "worm" that "takes control of your computer just by receiving an email!". Hackers: teenagers in bad outfits can crack into any system in the world (including being able to hack into a system by using phone lines taped together). Speed 2: leech-loving man takes over a boat from his room with a "fiber optic converter" (actually a data com port switch, I believe). The Net (another Sandra Bullock film) has a woman whose whole identity can be erased (especially when the FBI, Pentagon, and everybody else use the same anti-hacking software, which incredibly is used by evil hacker types).
In movies, anything (microwave, blender, vacuum, whatever) can be controlled by evil computer programs. Don't ever put your computer in charge of your house, or else it will develop artificial intelligence, and try to kill you by making electric cords whip around your neck (I never figured out how that worked).
Joe Public has no idea of how technology works - to him, it's indistinguishable from magic, so why couldn't it work? So when a man stands up and tells people a virus can circle the world in 0 seconds, those who pray to the gods of technology in the hopes that their television doesn't turn off must believe.
We don't believe in monsters or demons, so we invent them in the form of hackers and superintelligent teenagers with a vengeance. We don't believe in gods, so we invent them in a government that knows all, sees all (when its own FBI is 10 years behind the technology curve).
Good god, but I hate human ignorance.
52 Weeks, 52 Religions with John Hummel
> Well, as the article points out, what's interesting is the change of tone. While he was a Microsoftie, he was downplaying the impact of viruses & worms.
> Now that he's in the government, these things are apparently more important.
Hmm. I wouldn't be too certain there isn't a Microsoft agenda behind this ('Once you work for [ the CIA | Microsoft ], you always work for [ the CIA | Microsoft ]').
With our elected leaders deep within Hollywood's pockets, and the confluence of Microsoft's Palladium agenda to extend and encode their software monopoly into the hardware itself with the media cartels' Digital Rights Management agenda, this is exactly the kind of rhetoric I would expect from someone pushing either, or both, of those agendas.
The Digital Sky is falling, but not because of any foreign terrorists or script kiddiez. It is falling because several powerful cartels, a software monopolist, and our government are joining forces to eradicate the free wheeling internet as we know it in order to replace it with a medium they can better control, something that will resemble Just Another Media Outlet far more than it will the internet as we know it today.
If this steamroller isn't stopped it will be the end of Free Software, the end of the peer-to-peer nature that is inherent in the design of today's internet, and the end to free exchange of information via digital media. In short, it will be the end of freedom as we have come to know it.
And you know what. By the time anyone notices, much less cares, it will be far too late. We are the most affected here on /., and even we cannot be bothered to get off our asses and become politically involved. How can we expect those whose livelihoods are less directly affected to cast aside their apathy and conditioned reluctance to get actively involved when we can't be bothered to do it ourselves?
... and profoundly depressing.
> The change of perspective and its timing is....interesting.
You said it! Interesting
The Future of Human Evolution: Autonomy
Exactly. But what I think you are missing is some of the other potential conflicts of interest that still might remain with George Schmidt. Does he own Microsoft stock? With this new FUD tone and Microsoft's new focus on security, is he trying to drum up new business for the company thus boosting their stock price/performance?
Visit Jonesblog and say hello.
> So now you guys in the US have someone in the government that is fighting windmills.
Remember, this guy is now part of an Administration that follows a policy of using the threat of foreign terrorism to terrorize the public into accepting legislation, policy changes, and major reorganization of government agencies. The key for reading this guy, just as for the rest of them, is to look beyond the FUD and see what his agenda is.
Sheesh, evil *and* a jerk. -- Jade
For everyone screaming how bad it would be for a pacemaker to be on the 'net: get a freaking clue, people! Ever hear of transmit-only? This would absolutely be a Good Thing(tm). If the pacemaker had some problems, then it could easily alert someone -- whether it be the user to preemptively protect them, or automatically call 911 on behalf of the user.
Anyone who engineers anything as critical as the controls to a pacemaker or a traffic light to be remotely configurable or writable is just asking for trouble.
Just because something has an IP address and can be remotely monitored does not mean that it needs to have ANY remote access to any functionality that could cause a problem.
Yes, we can (and will) design things stupidly enough so that this will be a problem, but that's more our fault than anything else. Like leaving your car unlocked with the keys in the ignition at 3 AM downtown. It's just not smart.
Now the more serious issue here, though, is that an uninformed government employee is scaremongering for power. Nothing new. But with the stock market doing as it is (buy at 6000, I say) this kind of talk is doing direct harm to the country.
This guy needs to shut the hell up.
In Capitalist America, bank robs you!
The truth helps. Just keep speaking the truth, and tell your friends, people on the bus, folks at work.
There are a couple of important points to consider.
* Systems related to national security shouldn't be on the internet in the first place. Sure, that's what it was designed for, to be a comm network that would survive a nuclear strike and still route packets. Of course, plenty of government networks are already physically disconnected. Not firewalled, just not connected. So no Slashdot reading on your power grid terminal. Until we actually start building secure software, 'cause we don't now, some systems absolutely have to stay disconnected, or connected only through separate, encrypted, physically secure networks.
* Instead of feeping creaturism, maybe it's time to actually start worrying about security, à la OpenBSD. Could it be that people would put up with substandard office software and not-so-intuitive file browsers if we guaranteed them that the financial data on their computers would be safe? Would you pay extra for your internet-connected pacemaker (which will probably send data to your doctor) if you knew that somebody couldn't hack it and turn it off? Would your Mom put up with having to learn a confusing operating system if it meant that her Quicken data wouldn't get stolen? I bet mine would.
* And maybe, just maybe, we, as software engineers, should stop living up to the low expectations of the marketdroids and the PHBs (oooh look, shiny GUI) and start demanding more of ourselves. The reason that propaganda like this punk is spewing travels so fast is that the computer-using public has been conditioned to expect so little (Oh, another reboot? No big deal. Server's down? Eh, kick it, I'll go get a cup of coffee.)
So, I'd tell people to stop whining, stop freaking out, and stop bowing to the government-media complex's instinct to make everything a damn crisis. Instead of worrying, do something. If you're a software dude, start thinking about robustness and security instead of pretty. If you're a (l)user, start learning how to secure your stuff, and start demanding that the companies you buy from do the same.
Outside of a dog, a book is a man's best friend. Inside a dog, it's too dark to read.
While Apache servers didn't get rooted by Nimda, or by its cousin Code Red, they were still affected. Of course, it was more of a DOS attack since the Apache daemons were attempting to respond to the bogus requests, but it was an attack nonetheless. I've seen the load shoot through the roof on Apache servers that had been targeted by Nimda/Code Red infected systems. I should note that this was a strange case where someone fired up an NT system (for testing) that they were unaware had become infected and both systems were inside a firewall. Makes a good case for having another layer of firewalls (and, perhaps, an IDS) inside the LAN just to protect your servers from goofy situations like this.
CUR ALLOC 20195.....5804M
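The "IDS inside the LAN" idea from the post above, as an added example that is not part of the original thread: a small scanner that reads Apache access-log lines and flags internal hosts sending the well-known Code Red (`/default.ida?NNNN...`) and Nimda (`root.exe`, `winnt/system32/cmd.exe`) probe requests, so an infected test box behind the firewall shows up before it drives the server load through the roof. The log lines, the 10.0.5.x addresses and the `threshold` parameter are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Probe request signatures of the 2001 IIS worms as they land on an Apache box.
# Code Red (v1/v2) sends /default.ida? followed by a long run of N characters;
# Code Red II uses X. Nimda tries the Code Red II backdoor (root.exe) and
# directory-traversal paths to cmd.exe. Apache answers all of them with 404.
WORM_SIGNATURES = {
    "CodeRed": re.compile(r"/default\.ida\?[NX]{20,}", re.I),
    "Nimda": re.compile(r"/(?:root\.exe|winnt/system32/cmd\.exe)", re.I),
}

# Apache "common" log format: client identd user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Constructed sample: one clean client, one Nimda-infected NT test box that
# also carries Code Red, and one host that sent a single Code Red II probe.
SAMPLE_LOG = """\
10.0.5.9 - - [18/Sep/2001:10:01:02 -0400] "GET /index.html HTTP/1.0" 200 1043
10.0.5.23 - - [18/Sep/2001:10:01:05 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
10.0.5.23 - - [18/Sep/2001:10:01:05 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283
10.0.5.23 - - [18/Sep/2001:10:01:06 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
10.0.5.23 - - [18/Sep/2001:10:01:06 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
10.0.5.23 - - [18/Sep/2001:10:01:07 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 283
10.0.5.40 - - [18/Sep/2001:10:02:11 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 283
10.0.5.9 - - [18/Sep/2001:10:02:30 -0400] "GET /images/logo.gif HTTP/1.0" 200 2211
"""


def parse_line(line):
    """Split one common-format access-log line into its fields, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"client": m.group(1), "time": m.group(2),
            "request": m.group(3), "status": int(m.group(4))}


def classify_request(request):
    """Return the worm family whose probe signature matches, else None."""
    for family, pattern in WORM_SIGNATURES.items():
        if pattern.search(request):
            return family
    return None


def scan_access_log(lines, threshold=3):
    """Count worm probes per source address.

    Returns (hits, noisy): hits maps client IP -> Counter of families,
    noisy is the sorted list of clients at or above `threshold` probes,
    i.e. the hosts worth pulling off the LAN and checking for infection.
    """
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify_request(rec["request"])
        if family:
            hits[rec["client"]][family] += 1
    noisy = sorted(ip for ip, c in hits.items() if sum(c.values()) >= threshold)
    return hits, noisy


if __name__ == "__main__":
    hits, noisy = scan_access_log(SAMPLE_LOG.splitlines())
    for ip, families in sorted(hits.items()):
        print(ip, dict(families))
    print("likely infected internal hosts:", noisy)
```

On a live server the same scanner can be pointed at `access_log` (or `tail -f` piped into it) and the `noisy` list fed to whatever paging or firewall-rule mechanism you use.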
This is mostly all garbage because there is still too much hardware and software diversity. Sure, this could POSSIBLY HAPPEN if everything was running off Windows on an x86 chip. But still, now that is not the case. There are still different breeds of processors: SPARC, MIPS, GX, ARM, Alpha, etc... And there are different Operating Systems that run on each Processor. So making a killer worm that will destroy all Computers is near impossible because there is too much diversity, and I for one would want to keep it that way; actually I want to get more diversity. More different ways of solving the same problems is a good method: each set may have bugs and holes, but each one will be a different set of bugs and holes. Just as long as we don't follow MS's idea of using x86 chips and XP for everything electronic, we should be OK.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Nope, no sig
This is what I have to say to Mr Schmidt:
;)
Y2K
The end of the world was predicted. Nothing happened. Why? Because good people worked their asses off and prevented the Y2K "damage".
Hint: want to avoid 90% of all problems on the Internet? Follow this three step program:
1. Avoid ALL M$ products like the plague.
2. Whatever system you use, keep it up-to-date, apply the patches and the security upgrade religiously.
3. Whatever system you use, lock down all unnecessary services and ports.
4. Whatever you do, don't put everything on the Internet! Pacemakers, energy grid and air-traffic systems don't have anything to do on the Internet. period.
And no, I won't buy Palladium just because it's the One True Technology That Will Save Our Sorry Asses From Evil Hackers!
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Oh really? "Sheeple" want fridges that print out grocery lists? Funny, I don't remember any of the "Sheeple" I've talked to wanting those things. Where did I hear about stuff like that... oh yeah, it was here on /.!! Seems like either Microsoft or people here would want stuff like that, but people who are happy watching a 20" TV with mono sound are unlikely to want such things.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
See their download page.
Anyone else see where this is going? The FORMER HEAD of MICROSOFT SECURITY (and quite frankly, microsoft and security should *snicker* never *snicker* be used in the same sentence together).
Obviously... Microsoft is very very happy now. They got the ex-head of their security to be high up in government PROTECTION. Now this chicken little is running around squawking. Ya, I can see the next *initiative*... Palladium anyone? Government sanctioned because some LOSER who couldn't design a SECURE HOUSE LOCK is squawking.
For as many times as we accidentally bomb some Afghani wedding, can't we accidentally bomb Redmond? Please? Purty Please? With sugar on top?
> Anyone who engineers anything as critical as the controls to a pacemaker or a traffic light to be remotely configurable or writable is just asking for trouble.
Unfortunately, remote adjustment of medical implants (including pacemakers and drug-delivery systems) is sometimes life-critical, often greatly health-enhancing. So many of the devices are remote-accessible. Some of them (such as implanted defibrillators) also log info about the patient (i.e. when / how many times he had to be de-fibbed) and can be interrogated remotely.
But "remotely" means "via a nearby inductive loop (or the like) on a special-purpose device", not an internet link. (The interrogation device, of course, will have a computer in it and might be networked - but that's a separate issue.)
But don't you think the people who design the device and its software don't KNOW that? Medical device hardware and software is built by engineers working to a standard above that of telephony, which is in turn far beyond mil spec. (Yes you can get screwups. But they really do put in the effort. The management knows that killing a couple patients will kill the company, and they have the money to pay for good work rather than cutting corners.)
> anything that has incoming can be flooded to death whether it wants to respond or not
Not true. Anything with an incoming link can have the link itself DOSed and taken down for the duration of the interference. Any radio can be jammed, too. But a communication module can be designed so that it doesn't exhaust resources needed by the rest of the system, and so that it will recover from the exhaustion of its own resources as soon as the attack ends.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Even a google search couldn't help me.
Does the rest of the world know something that I should?
They don't have to be on the net. I used to work for a government department that controlled traffic lights. From my workstation I could change the state of almost any traffic light in the state. From my workstation I could also browse the internet.
Consider then a virus that allowed someone to put a back door into my workstation. They would then have the ability to sniff passwords and ultimately give them control over the traffic lights.
A similar thing could be said for any device which can be controlled from a machine which is either connected to the net, or can be accessed by other machines ultimately connected to an untrusted network.
While the chance is slim that any of this could happen, don't discount the possibility just through your ignorance of how these systems could be attacked. Sure the traffic lights aren't directly connected to the net, but that's not the point.
Fear: When you see B8 00 4C CD 21 and know what it means
Ah! It does this by turning your heart on and off really fast, just like the way sound was produced on the old TRS-80s?
While I'm the first person to acknowledge that marketing pushes a lot of products on people that they don't really want or need, both of your examples here fail.
Day-timers are great for people that have 50 contacts and 5 items on their todo list. My mom used to carry around one of the 5x8 ones that was quite full. It didn't even fit in her purse, so it was very inconvenient. I kept demonstrating my PDA to her, that it was indeed easier to use than the laptop she used at the office, etc. Finally she lost her day-timer and freaked out. There was no way she was going to recall all the appointments she had made over the coming weeks and months. Luckily, she had only left it at an associate's office who called her the next day. She immediately switched to a PDA and within a month was able to use it far more efficiently than the day-timer. If she loses that, it's all on her laptop at work.
As for cell phones, I'm quite happy with mine. As long as you don't go nuts and start thinking that just cause it's ringing you have to answer it, you'll be okay. I turn it off when I don't want to be interrupted, and I put it on vibrate when I carry it so no one else is ever bothered by it. Two recent examples of being useful. Saturday we were driving to a friend's party an hour away. The driver had written the directions incorrectly, so I called my friend on the highway to get the right junction. Then Sunday a friend called while I was shopping to see if I wanted to head to another friend's house for the day -- he was just leaving home and could pick me up on the way. That's convenience and new opportunities that I'm glad to have.
That one idea for a new gadget (internet-enabled pacemakers) sounds like a bad idea doesn't mean they all are. If you could work out the security issues completely, network-enabled traffic signals could be very useful. Imagine an ambulance leaves the station in an emergency. The system operator could have the traffic signals along its path go red in both directions and ring their own sirens, giving advance notice to cars and pedestrians to clear the street.
As for worrying about giving your son a laptop, I wouldn't lose any sleep over it. I had legos as a kid (no home computers), so I said, "Hang on. I'll put away my toys and be right over." And I don't feel I'm somehow scarred by it. :) Computers are tools, like toys, books, and guns. The key is to educate your children in their proper use before you let them use them. Some tools may have bigger consequences in misuse than others, and that should be discussed as well.
Freedom to fear. Freedom from thought. Freedom to kill.
I guess the War on Terror really is about freedom!
Bull. Hype and the labor of countless millions of IT folks turned into dumpster fillers did not solve y2k for us. It's more like y2k was a fraud. Funny how all my old equipment still works with no effort on my part at all. Systems not designed to be fail safe are flawed.
Nevertheless, it's a good thing you brought up y2k as it's the easiest way to fight the FUD:
Y2K and war are now perpetual. Right!
You will only suffer continuous computer failure if you use M$.
Friends don't help friends install M$ junk.
The problem is this:
Got time? Spend some of it coding or testing