Slashdot Mirror
Federal Cyberspace Policy Draft Released
mh_cryptonomicon writes "The initial public draft of the National Strategy for Securing Cyberspace was released today. This document outlines the Administration's plan for ensuring that the Net remains a 'good neighborhood.' Following the release of the plan, the Administration's Cybersecurity team will take it on the road for discussions with the people about what can and should be done to protect and defend the net. More information (and the 65 page draft) can be downloaded from the White House's Critical Infrastructure Protection site. This draft is considerably smaller than the 3300 page monster it was reported as being. Commentary is starting to pop up everywhere, including www.cryptonomicon.net/blog/."
Good article about it here. Don't worry, this is the printer friendly version, so you don't have to register.
Come on. No true thourough review will come from having "town meetings." This is just a public stunt to make people feel like they have input in drafting the policy. My bet is that this thing is already signed-sealed and delivered.
If they really wanted a quality review they'd submit it to 20-30 different universities, think tanks and businesses and individuals who are integral to studying the internet. By doing reviews in a "town meeting" format, they might as well just put it on a call in talk show and have the callers "draft" the policy.
I don't mean to put down the quality of input that ordinary "citizens" can add to this policy, a town hall is just not the way to do it.
hrumph.
tcd004
Read Richard Gere's Ass Zoo, really
Well, in the original Press release, and because one of its chief architects is an ex-M$ employee, the "secure Computing" initation, TCPA, and Palladium are sprinkled generously throughout the document. This is scary, when the federal goverment is serious consdiering M$ Palladium as the legally protocol for all computing within US borders in the future. Imagine, DRM become a legal mandate to "protect us from terrorism" and in turn Hollywood will get everything they want along the way. We all know full well how dangerous and restricting Palladium can and most likely be if it ever becomes the standard - open and free computing will end. If this happens, time to move out of the US where I can exercise my right to freely compute on the computer of my choice.
I don't know about you all, but I'm completely sic and tired of the "war on terror" being used by big gov/big business to get everythng they ever wanted at the expense of everyone else.
www.enthea.org
I realize that many, myself included believes the net should be completely free from censorship. After growing up a little and having children and responsibilities I think that this may not be the case. I personally advocate different levels of the net. Much like AOL vs the net. Where AOL is a very sheltered censored version of the net and the web being everything. There has to be some way to filter out the massive amounts of porn kiddie porn, and illegals. I admin a two offices and periodically check outgoing connection just to keep a tab on things and it amazes me how much people look at porn, and waste time lots of it. I know it's your right but damn. I would love to see the net segregated into tared domains. the first being child and educational environment friendly, the second enveloping commercial work, then the last tared no holds bard. This way parents employers have more control on content.
"Everybody has to do his own thing to protect cyberspace," he said.
Excellent, a government guideline I can get behind!
I'll take my laptop down to the beach, get stoned out of my mind, and watch this high quality version of Attack of the Clones I finally downloaded, then take a nap.
Wake me up when I've made the net secure - and try and explain it slowly, this south american shit I got utterly destroys you. I'll be laughing at stains on the ceiling 'til new years, no lie.
The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
Simple Solution: Use UDP and an application-level error correction algorithm, plus maybe packet sequence numbers.
A caveman dreams of being us, the incalculable power and riches. We dream of being Q, then what?
...ensuring that the Net remains a 'good neighborhood.'
Yeah, they'd better hurry up before we're inundated with spam, worms, trojans, and other unimaginable horrors. Oh, wait...
[PowerPoint] is a tool for capitalist presentation
Yeah, that was my impression, too:
"'Discussion'. Yeah. Right."
Still, from what I've heard of the plan, it's not too bad. Main points seem to be primarily relying on increased security awareness (come on, sysadmins of the clueless newbies, admit it: you've wished, at least once, that all new users of the chunk of the 'Net you control would have to get some decent training about what a virus is and how not to get one - well, that's about what they're advocating) and reliability rather than monitoring (not "scan all the traffic looking for something nasty" but "lock down the ports so nasty things don't happen" - i.e., prevention).
Actually, that brings up a good point. Suppose Gore were President in the post-9/11 age. It seems pretty likely to me that he wouldn't have chosen a bunch of techno-illiterates and Microsoft lackeys to design a security plan. ("Strategy." Whatever.) You can argue about what he did or didn't say about "creating the Internet" until you're blue in the face, but that fact is that the people who built the modern Internet agree that Gore is a hell of a lot more knowledgeable about it than the average politician. (To say nothing about the below-average ones like our alleged President.) I don't know what we'd get from a Gore administration on this subject, but I'll bet it would be a lot better than this empty tripe.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
Don't worry, the net will be safe for the next 10-15 minutes while all the hackers go get their laughs.
now we need to go OSS in diesel cars
Gee, how are we going to police something that large? Are we only applying these rules to USA-borne servers and networks? What about networks that span international waters? I mean, there is only so much they can do. The government should worry about -its- network. If the government is that worried about there being instructions for mass terrorism or conversations between terrorists, then they should try and keep it at just an information level.. Secure the places where they can attack, and don't impinge on international, and almost other-worldly, rights.
/seem/ omnipresent in the net, but there are quite a bit of Canadians, Europeans.. you name it, they're all coming online, and they're all going to be out of the jurisdiction of this here United States of 'Merka. (that's Texan for 'America'. Look! I speak George Bush!).
I say other-worldly because the Internet is not bound by the traditional geographic laws. This nation may
Trying to regulate the internet is like trying to catch a fish with a bubble wand.
Yeah. It's not going to work.
It seems that for cyberspace, as for species, the best protection is in diversity. The email worms thrive not only because Outlook is flawed, but because outlook is everywhere. The same concept applies to hardware from chips to the backbone as well.
If anything, the Gov't should play a roll as a supporter of open standards, limited patent abuse and, for starters, fixing or flushing the DMCA
I read the words "good neighborhood" and started to seriously worry. All the "good neighborhood" attempts I've seen in the past were implemented by ruthless Neighborhood Associations, complete with Codes, Covenants and Restrictions (CC&R's) attached to the land. Buy a lot in the "neighborhood," you're legally obligated to follow the CC&R's. Most of which seem to have something to do with what color paint you can paint your house, whether you're allowed to have a basketball hoop out front, or whether the garage door can be open at times other than when you're actually moving a car in or out.
Do we really want the whole Internet to be one big anal-retentive "good neigborhood" controlled by an equally anal-retentive Neighborhood Association?
The reason for this approach is not only obvious, but it's the same reason CC&R's are created. Property values. CC&R's protect the property value, not the human values of living there. They elevate the property above the people. This sounds like the same thing to me, elevating the property values of commercial entities over the human values of the average person who is using the 'net.
A few days ago, I wrote an essay called, "Cyberwar: How Terrorists Could Defeat the U.S., and Why They Won't."
www.cryptogon.com/docs/cryptogon_cyberwar.pdf
It discusses physical threats to information infrastructures that are almost never mentioned publicly.
NOTE: Acrobat 5 is required to view the document.
WARNING: The information contained in this document is intended for educational purposes only. Anyone who attempts to undertake what is described in the "Possible Terrorist Scenario" section will be committing an act of war against the states involved. I am NOT encouraging anyone to carry out what is described in that section. I am exercising my First Amendment right to free speech to make people aware of the dangers posed to the global information infrastructure. Our society relies on these technologies, and an open discussion of the threats to these technologies is necessary in order to defend them.
Security suggestions are fine, content control (other then legally persued methods) arn't.
As far as I know the article doesn't deal with censorship or porn or anything like that.
And as far as that is concerned, I think censorship is dangerous. Putting one group in control of deciding what is and what is-not appropriate is just a Bad Idea. Tools are already available for you (as an admin, and a parent) to censor, watch, control, and report those areas. A requirement for that to be freely available (from the ISP?) is one thing, but requiring all content providers to be policed by one central group is another IMHO.
A news report that I saw yesterday, prior to the final document release, seemed to indicate that this report does not take insecure software makers to task for their role in the security crisis. If the final draft of the document keeps the kid gloves on like that, then I don't think this is going to be a very useful starting point for the government.
Probably the single best thing the government could do would be to set up strong security requirements for software used by any federal government branch, and enforce those requirements. Setting a high standard would force vendors to get a clue if they want to sell to the federal market, and as a by-product consumer and business software would get some help as well.
Your right to not believe: Americans United for Separation of Church and
Well, despite all it's security holes, I'd gather this was pretty important from a design standpoint. :)
I wondered when this would finally start to kick off. There are many things that I have doubt about with this government and their obvious manipulations but due to lack of knowledge there is an element of doubt who is telling the truth. As a CCIE, networks are something I consider I know a bit about and this rings alarm bells.
There have been a few articles now in the press that state there could easily be a terrorist attack on the internet which I merly laughted at but it seems that average joe in the street thinks that a bunch of Afganistan cavemen could seriously achive this.
To me, this is an obvious attempt to censor the internet by using fear tactics which work due to peoples ignorance. I'm tired of this annoying propaganda and manipulation by what is meant to be a government of the people and for the people.
This site is very interesting and certainly worth seeing the other side of the story, maybe this is why censorship is so important?
Regardless, the net doesn't need this "protection" and I wonder if this "protection" is for my benifit in any case.
A journey of a thousand miles starts with a brutal anal raping at airport security
Al Gore had in creating this document.
Am I the only that found all that eye-candy and gee-whiz stuff in the PDF more than a little distracting? The government should concentrate more on publishing the information than on making a pretty wrapper for it.
...for values of "the people" that equal Sony, Microsoft, and the RIAA.
No more Max Headroom re-runs for this man.
Let's get this straight: here is one reason and actually one reason alone why the internet is as big a deal as it is. There is one thing that made it grow at the ridiculous rate it has. SEX. Period. Sure, it comes in handy for all kinds of things, (and yes I know it was ARPAnet and some guy in Bern ;) who made it happen) but the only reason the net has grown so fast and so large is pr0n. Only a couple of years back did regular businesses come into the picture. But only because the infrastructure was in place. And why is that? Because porn made it possible. Don't laugh, don't mod this 'funny'...it's true!
So what is this 'good neighborhood' crap? Just because you might be a hypocritical puritan doesn't mean you can deny the past.
BTW, I'm all for a better classification of the net; it's always baffled me that there isn't a TLD .sex or .xxx where all adult/erotic sites must reside by (inter)national law. That would have a direct impact, as censoring (by parents or employers) would be easier to implement...but something like that would be a too easy solution, wouldn't it. (yeah, I can see circumventions too, but that would be exceptions to the rule).
-- Waht? Tehr's a preveiw buottn?
OT but I just wonder if everytime someone uses the term "cyberspace" like this if William Gibson just wants to kill himself?
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
But I agree with your main point. There's an epic power grab going on that puts our future at risk, and we're all watching it happen. One of the real tragedies of the terrorist attacks is it was the beginning of the end of freedom in America.
Nothing, you have done more then enough already. . . . .
(just get the heck off the net already and leave us alone!)
Need help treating your acne? Come here!
"* Do they take software makers to task for poor quality software and/or insecure software which create the majority of security expenses for industry and the government?
* Do they demand more accountability from software vendors for these flaws, including potentially requiring opening specs or even source code up for inspection before using the software in mission-critical systems?"
Feds: "Well, gee. Doesn't the DMCA do that already? What more do you want us to do?"
Actually the document is not half bad, the problem is not in the document, it is in the follow through.
Since the document proposes neither a tax cut nor a politically opportune war I don't expect it to get a great deal of follow through from the Whitehouse.
I certainly don't expect the proposals to be made mandatory in any sense by this administration in this term, but then that was never going to happen whoever was in office. This is the 'cooperation phase' of regulation where self-governance is attempted.
The real decision will be taken in 2004/5 by which time the areas where self governance has failled will be apparent and the question of coercion will appear again.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Yes. I cried on 9-11 deep tears of sorrow - knowing that as people died in the burning/crushing embers, so did our freedom.
Its absolutely sickening how the right-wing christian fundamentalists nuts used this tragedy to push there own agenda, and the Democrats didn't put up any fight at all... instead they asked how high do you want us to jump?
The pace and breath in which this epic power grab is happenening is totally surreal... no questioning of it on ANY of the main media, cover-ups and wagging the dog rule the day, as we watch the greatest criminals in history take over the world and rob us blind (Enron, Worldcom, Halliburton)... And now they are going after $7 Trillion in Oil in Iraq regardless of what the world thinks. The sure proportions of the power grab are enormous and disheartening to the extreme. Personally I don't see ANY serious counter-trends at all, except very bad ones - more real terrorism in our borders, greater world instability, greater hatred for americans. And to think just three years ago, the future looked brighter than ever. Wow, what a turn-around. This New World Order crap obviously has been in deep and secretive planning for years... I suspect ever Sicne George Senior lost the election in 92.
www.enthea.org
Freaking busybodies...
I will put my router up on cinderblocks in my front yard if I damn well want to...
-- Terry
Interesting point. I've been looking into emigration myself. There's just one problem... There's nowhere left to run.
There are no more frontiers. Well, none I can get to anyway. Sure I could disappear into a jungle, or forest, or even the ocean, but I wouldn't really be safe from the forces that made me want to flee. Just ignored, for now. Until the next invocation of "the public good."
There are also no countries I've looked into that don't have the same sorts of state welfare systems, stupid legislatures, corrupt executive branches, and immoral corporations that I desperately want to get away from.
But... If you know of place where there isn't much crime or pollution, where there are no politicians standing in line to be bought by the highest bidder, where the leaders are wise and benevolent, where the people live in harmony and don't mind each other's business, I'd love to know about it. Sadly, I believe such a place only exists in fiction anymore, if it there ever was one.
It's not spelled "DRAFT", it is spelled "DAFT"
;)
get it right.
The Kruger Dunning explains most post on
R4-2 A public-private partnership should perfect and accelerate the adoption of more secure router technology and management, including out-of-band management. R4-3 Internet service providers, beginning with Tier 1 companies or R4-10 The private sector should consider including in near-term research and development priorities, programs for highly secure and trustworthy operating systems. If such systems are developed and successfully evaluated, the Federal government should accelerate procurement of such systems. in software code development, including processes and procedures that diminish the possibilities of erroneous code, malicious code, or trap doors that could be introduced during development. R4-17 The PCIPB s Awareness Committee, in cooperation with lead agencies,
They do realize that "trustworthy computing" name was originared by Microsoft, and has absolutely nothing to do with computer user's security and everything with software companies' "security" from the user, whoever he might be? Don't they?
Contrary to the popular belief, there indeed is no God.
We should all start using the terms "electronic telegram" for e-mail, "electronic brain" for computer, and "electric papyrus horseless carriageway" for the Internet. These are all considered modern terms.
If tits were wings it'd be flying around.
Not to be politically incorrect, but the US has probably made some enemies who have a bit more backing (for example PRC, North Korea, organized crime, etc) and a lot more technical savvy. If you think that the only threats are from grass-eating starving cavemen too embroiled in their own local fights, then you're underrating the other players in the the game of global realpolitik.
Maybe most of these aren't directly terrorists (only supporting of same), but they certainly have intelligence aims and wouldn't mind causing the US economy some dislocations. Continuance of Foreign Policy or War by other means and all that jazz.
And organized crime might love to have access to a lot of wonderful law enforcement data, and lord knows they have the money to hire a few good (well, maybe not good but competent) hackers.
Now, I do agree that the US Gov't is taking advantage of the situation to clamp down on some other things - kinda like Canadian authorities using the invocation of the War Measures act at various times to deal with unrelated but annoying things like street-people, vagrants, etc.
But there IS a threat. Just because you're not getting kicked in the groin every day doesn't mean someone doesn't have it on their list of things to do.
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
Who reported that it was 3300 pages???? I saw Richard Clarke about 2 months ago, and he had a draft with him at the time. Nobody got to see it, but it was in an envelope and couldn't have been more than 80 pages... I don't think it was ever envisioned as being more than that.
Although I'm sure every slashdotter is going to hate to hear it, there is an easy solution to stop the majority of the problems...
/.ers won't like that. No incomming connections means more problems trying to use Gnutella/Kazaa, no IPSec for you. You couldn't really connect to your home system from elsewhere, unless you can tunnel to a port on a system with a globally valid IP address.
To prevent half-assed administrators from being susceptible to worms passed over the network, all basic home internet services should be on private IP addresses, via NAT.
No incomming connections so no worms canexploit services like IIS.
There will be no spoofing of IP addresses, so DoS attacks can be tracked down easilly.
ISPs could easilly monitor, trace down, and possibly block abusive machines/servers, so services like subseven would be detected, and can be blocked without stopping legitimate traffic.
Service prices could drop, since fewer addresses are needed.
Of course, there are many reasons that
Yes, e-mail viruses are still a problem... but it wouldn't allow anyone to get remote access to your system.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
> "lock down the ports so nasty things don't happen"
Oh, I dunno about that. I've been getting email for the past 15 years or so on an mit.edu account where I get several virii each day, and so far none of them has done any harm at all. Of course, I use a plain-text mail reader on a FreeBSD system, so they can't do any damage. The messages that contain a virus are usually pretty obvious. If they grow to hundredss per day, it'll be a problem, but so far it's less of a bother than the Chinese "big5" spam messages.
The real public education should include pointing out that the "virus" problem is 99% due to Microsoft's insistence on delivering software that is susceptible to such things, despite the fact that we unix geeks knew how to prevent the damage before there was even a Microsoft.
Publicising the fact that viruses are almost entirely a Microsoft problem would go a long way toward getting the problem fixed. We should be asking the media and the National Strategy for Securing Cyberspace people why they aren't pointing this out.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
I think that this is important because the problem areas I had with the previous proposals (national databases, etc.) and I think that although the federal government should be more incolved in CERT and other security organizations, I think the Administration is right that this is best accomplished by public-private partnerships.
The initial idea if a national network operations center would have created an interesting target, which could have been compromised as well, and the appoitntment of a privacy czar might have added legitimacy to the dubious effort, so I am glad to see the whole thing dropped.
All and all, I like this draft.
LedgerSMB: Open source Accounting/ERP
What if the US Calvary charged in to save the besieged settlers and instead of breathless thanks, they were greeted by a veteran settlers who simply replied "Thanks. We've got it covered."
In most of the traditional forms of security, the US Government tends to lead in expertise. The Government understands law. It understands espionage, counter-espionage and intelligence. It understands military issues. And it understands police forces. But information security is something new. It has lagged behind the civilian sector in this field. And no amount of wild hyperbole or cold-war era terminology will help.
This new policy simply demonstrates the issue even more. There is nothing new here. It is all very standard concepts from an industry that has been on the "front lines" of infosec for decades before the US Government decided to take an interest. By now, they have things fairly well covered.
That's not to say the US Government can't be of any help. They can add an air of legitimacy toward infosec issues for those who are foolish enough to ignore the current situation without a nod from the Government. They can support existing infosec infrastructure (and ensure that those programs they already run remain running). They can support further development of security applications and research.
But they can't lead the charge.
...I originally thought the title of this article said Federal Cyberspace Policy Daft .
Murphy was an optimist.
The open source community is no better than Microsoft and other closed source vendors when it comes to releasing insecure software. The open source community needs to get its act together and use type-safe languages. Continuing to use C and C++ for security-critical software is just plain irresponsible.
Don't give me any of that bologna about good programmers never leaving holes in their software. OpenSSL was audited and still had an exploitable buffer overflow bug. Apache has had a number of security holes. Virtually every major open source program has had multiple security holes.
So what if the open source community patches their software quickly? A patch doesn't negate the fact that a buffer overflow bug never should have happened in the first place. Besides, some of those buggy programs will continue to be in use years from now.
(offtopic)
:P
Actually, in my case, it's so 1989. Click on my sig.
Our BBS name has always been Cyberspace BBS.
What's this Submit thingy do?