Slashdot Mirror
Watch For A New Set Of CyberSecurity Laws
SuperDuG writes "According to a story on PCWorld.com the Congressional subcommittee dealing with cybersecurity will be researching and legislating new cybersecurity laws. The Chair, Adam Putnam says 'We want to put something out there that makes sense, that's balanced, that accomplishes the same goals, without it being this headlong rush to prove that we're doing something for our constituents because we were asleep at the switch when there was this digital Pearl Harbor.' Perhaps it wouldn't hurt if we all took a part and Contacted Representative Putnam about how well thought out other cybersecurity laws like the DMCA have 'helped out' and were 'thought out.' At least they're actually thinking before they legislate, and it seems they're open for suggestions."
The poster says "At least they're actually thinking before they legislate, and it seems they're open for suggestions.", failed to notice they consider the DMCA 'thought out'..
hmmm... shit.
puts ("Python r0cks\n");
It might als be benificial to mention to Representative Putnam that it possible to protect individual rights as well as corperate rights, seems that capitol hill forgets that sometimes.
I tell ya what, if we all make our voices heard by hitting that contact button the intern that reads those messages is going to start to get the hint and might actually let putnam know, I mean it takes 30 seconds ...
Ignore the "p2p is theft" trolls, they're just uninformed
The DMCA essentially presupposes guilt, so ABC Corp doesn't even have to bother going to court... They just fire off a DMCA takedown notice. ISPs or other third parties little choice but to shutdown the target site - even if there's nothing illegal going on - lest they be found a party to any infringement that might be taking place.
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
This would make Microsoft (and Red Hat, etc.) liable for security holes which allow virus redistribution, distributed denial of service attacks, and similar situations where the victim and the customer are different.
The "no servicing" requirement means that a patch-based or signature-based approach to security doesn't relieve the vendor of liability. The system has to be secure as delivered.
how can we have a "digital pearl harbor"
I mean the nature of the internet is decentralised so at most, there would be anoyances rather than devistation.
also, every critical system is on a closed network so our infrastructure will not fall apart.
the only thing I am left with, is that they want to protect corprate profits from script kiddies.
I am the Alpha and the Omega-3
We want to put something out there that makes sense, that's balanced, that accomplishes the same goals, without it being this headlong rush to prove that we're doing something
:)
Our government has this weird tendency towards actually thinking before it acts. And doing it the first time, rather than blundering around with large blunt instruments RIGHT AWAY because people are screaming for the government to protect them RIGHT AWAY.
But I guess someone has to blunder around stupidly to serve as an example to the rest of the world for What Not To Do.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Just too many.
If you think about it DMCA, EUCD are ill-conceived, partisan laws.
Some order must be done in order for the society to stay healthy AND alive, and some clarifications must as well be done for laws (like, for example, extending the notion of transmission channels to the internet, so that you could prosecute Child pornography or shit like that), but DMCA and its clones only represents major companies.
The scariest part of DMCA are two:
Ok, this doesn't answer your question. I hope anyway someone reads my rant but mods you up :).
WIPO SUCKS
WTO SUCKS
"I am slashbot, hear me roar!"
"Frankly, I'm finding a lack of attention and a lack of understanding by the Congress and the (Bush) administration as to the serious nature of the threat," he said. "It's not nearly as sexy, or as engaging, or as interesting as the threats that are posed by terrorists boarding aircraft, or terrorists threats to the Brooklyn Bridge
Issues that affect us all, but... Forthcoming cybersecurity legislation will be "meaningful regulatory approach to securing private-sector critical infrastructure" says Representative Adam Putnam
Shame it's only for the private sector. Ordinary decent home users would benefit greatly from a similary committee. Currently there is little or no useful media attention, which is a problem
Put it this way: if you were to hold a random sampling of U.S. citizens on cybersecurity, you would likely get a lot of semi- or un-informed views on it. The reason is simple: it's not considered important enough by society at large to have anything more than a knee-jerk reaction to it. If/when the details of cybersecurity (not just the fallout from high-profile cases) becomes a big thing in the media and in government, only then will the population at large (who are being spoonfed by popular media, remember) feel that it is important enough to become an issue.
Congress shouldn't take a "knee-jerk, let's legislate" approach to cybersecurity, Putnam answered. He noted that many people in Congress and in the public don't realize how many pieces of the U.S. critical infrastructure are controlled through networked technology. He used the example of flood-control gates on the Mississippi River or the power grids that serve stock markets.
No mention of the myriad other effects of problematic cybersecurity, such as that mentioned here, and presumably many similar more highly controlled privacy issues wrapped around the TIA and other institutional privacy violations.
Until then, it remains an issue for the interested parties and the various lobby groups, and now for the "private sector" affected by this committee. The average internet user doesn't understand the implementations, the "downsides" discussed ad nauseam on Slashdot, or the current infringements on privacy laws by the Bush administration and their agents, so there will be no popular upswing, no attempt to popularise privacy and security for Mr. Average Midwestern Suburbian, who currently doesn't spend as much time as we do reading up on "niche" issues such as this.
Ultimately, the population is only as interested in an issue such as cybersecurity as they are directly affected by it. Otherwise, it depends how the media portrays it. Think DMCA, think The Geneva Convention, think The Universal Convention on Human Rights. The US media targetted the DMCA issue at the public by suggesting that "hackers" would benefit if it wasn't in place. The Patriot Act was introduced to wide public acclaim because the media suggested "Terrorists" would benefit if it wasn't in place. The Geneva convention is flaunted in Guantanamo Bay, and the US public lets it past because the media doesn't highlight it.
If the general public - the majority of voters - are not negatively affected by the multivarious issues in cybersecurity - including things currently covered by wiretapping laws, TIA etc., and erosion of personal privacy - then it takes too much effort for them to take interest, and too much effort on the media's part to educate them.
Until it becomes an issue of general relevance, the voting public won't care, input will be limited to private sector industries, and their liberties will be further eroded until they have a mode of thought equivalent to "newspeak", with only the single state department/media line to go along with.
jer
We may be human, but we're still animals
- Steve Vai
Politicans already overuse Pearl Harbor in situations where it is actually relevant, such as national defence. It's used for a catch phrase to mean if we let down our guard, we will be overwhelmed at any moment. It's a way to not explain exactly what they mean, which serves them well because the situation in intelligence gathering and warfare now is so different than it was in 1941.
So even using it in that context is a bit of a "Bavarian Fire Drill". Using the threat of a hacking attack and associating it with Pearl Harbor is even sillier. If this country faces a bad hacking attack, or major attempt on our internet infrastructure, what will it mean? I'll have to sklp read people's Live Journals for a few days? Some web pages will get defaces? Some banks records will get broken into? e-Mail will get choked with wormed messages? None of these things are very pleasent, but I don't think we will see a cyber attack that leaves thousands dead and billions of property smoking and burnt. In fact, I think comparing the effects of some "lost productivity" to an event like Pearl Harbor is somewhat tasteless.
Hopefully I didn't put any [] around my words.
we were asleep at the switch when there was this digital Pearl Harbor
Riiight, and passing a law through congress that made it illegal for Japan to attack the US would have stopped Japan how exactly?
New laws are not required, everything that should be illegal is under current law. Laws do not stop terrorists or foreign governments from attacking. It won't even stop ordinary people from attacking.
-- iCEBaLM
The security cert. card in my wallet just went off like a vibrator. Can you say job security? :D
How can they compare the attacking of some computer systems to an attack that left 2,300 people dead?
Karma: Can only be portioned out by the Cosmos.
Once upon a time a messenger service discovered that by having all their messengers wear rocket powered roller skates they could deliver things in record time, beating their competitors into the dust. Soon every messenger service relied on rocket powered roller skates, the original company went broke and a few larger companies dominated the delivery business. People hardly shopped or went to the bank any more. Everything was handled by messengers wearing rocket powered roller skates. Commerce doubled and the economy briefly soared.
Then some asshole discovered that by dropping pencils on the sidewalk you could cause spectacular crashes. Packages were lost, messengers and pedstrians were killed, and commerce was interrupted. All manner of security precautions were invented. Radar-equipped skates appeared. The sidewalk hackers used hair-fine tripwires. Police and private guards patrolled the streets. The hackers went through the sewer system.
Congress passed some laws making it a crime to possess anything that could be placed on a sidewalk to trip up a rocket powered roller skater. Civil libertarians were outraged, but what else could be done?
Doing away with rocket powered roller skates was unthinkable, because everything would go back to being unbearably slow. Banning non-messengers from the sidewalk was similarly unthinkable. Building special secure sidewalks just for rocket powered roller skaters would be too expensive. The whole beauty of rocket powered roller skates was that they could use existing sidewalks.
The real problem was that the messenger companies had all jumped into relying on rocket powered roller skates without anticipating their weaknesses. They never really came up with a solution, just ways to stay one step behind the problem. But who could blame them? They had to stay competetive. It was always the hackers' fault. Maybe if enough of them got thrown into prison they would learn their lesson. If ordinary people had to live their lives differently, well... they were the ones who insisted on fast deliveries weren't they? The industry was just responding to demand.
Eventually ordinary people just didn't use the sidewalk anymore. It would expose them to too much danger and litigation. For all their communications and physical needs they relied exclusively on messengers on rocket powered roller skates, never leaving their homes. And they lived happily ever after.
Who cares? We're both screwed anyway. In Canada, you'd better be mortally threatened if you want treatment today. In America, you'd better have insurance or we're going to ship you down to the county hospital and hope you don't die en route.
Why did Kevorkian go to jail for euthanasia? Our HMO's have been letting people die for decades.
Memorandum
To: Rep. Putnam
From: Slashdot
L1nux r00lz! M1cr0$haft sux0rz! LOLOLOL
Toronto-area transit rider? Rate your ride.
Oh yeah, you mean like the gun registry that has ended up costing at least over 5 times the original estimate and that likes to "crash" and lose a few days' worth of applications when it's overloaded? Or maybe like the government's promise to eliminate child poverty by the year 2000, with the result being that child poverty is higher now than in 1993?
My Dad use to say the only bebenfical politican is a dead one..
why not repeal the DCMA and start over?
Don't Tread on OpenSource
That's going straight into the Mixed Metaphor file. A triple!
Shop as usual. And avoid panic buying.
I just had my "annual treatment" for termites. The termite guy made a big showing going around my house with a hose connected to his truck which was supposedly dispensing termiticide. Yes, lots and lots of fluid came from the hose, soaking it in pretty good. He told me the termiticide was a pyrethrin based material. Ok. I asked for a jug of it while he had hose in hand for spot treatment should I find a spot missed. No way. He could not, by "law", dispense the material other than as directed. So, it all went onto the ground in front of me.
Ok, now he presents me with the form to sign regarding completion of the treatment. There is a spot on the form where the chemicals used and quantity are supposed to be filled in. But he leaves it blank, because there wasn't an active infestation that was specifically treated. Apparently, under "law", I do not need to be informed as to what chemical he sprayed all over my property.
Now, here's the part that infuriates me, the next day, I go out to feed my cats and there's ANTS all over my cat food bowl. Now I figured that strong fresh dose of termiticide would have done away with all those ants.
Had I been able to recover a sample of whatever he sprayed on my property, I could send it off to a chemist friend who has a gas chromatograph in his garage and ask him to run a spectra on it and look for pyrethrins. I strongly suspect the termite man just made a show of spraying water on my property. To add insult to injury, I destroyed much of my vegetable garden on his advice that the poisons would be absorbed into my edibles.
Its all this closed-source ( not the price, but the reassurance that I know what I am getting ) that concerns me so. I am *personally* responsible for the expenses of maintaining my house, it does me no good to try to blame someone else, so having some termite company to blame it on does not help me. I feel I have a right to know what chemicals and in which strength is placed on my property, and I feel I have a right to verify this.
I am getting really fed up with all these laws prohibiting the understanding ( possibly reverse engineering if the vendor is uncooperative ) of what I am receiving in return for money. This seems so unfair to me because the quality of the money can be so easily verified, but I am supposed to accept, by laws passed by Congress, the word of the vendor on what it is I am buying.
I know I am being a little hot-headed on this issue, but the problem is I am personally responsible. In a large business, it wouldn't make that much difference on whether or not lots of damage resulted from some delegate's failure to perform, as I could delegate the problem and wash my hands of it, while still retaining my employment status and retirement plans. ( This is the main reason in my mind why business executives would choose to go with some system that keeps them ignorant of its inner workings. ) On my level, when I am personally responsible, I want the ability to verify anything. It really cripes me to have my rights to verification annuled by law.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
There already was a digital Pearl Harbor...it starred Ben Affleck and it really sucked. Let's not let it happen again, OK?
Am I the only one who is annoyed by people throwing around phrases like "Digital Pearl Harbor"?
What in the world would that be? Do they expect every computer to burst aflame and melt into a puddle?
Or maybe more sensibly they mean wide scale security breach, oh like Code Red 1 through Code Red n.
The first is just stupid, the later has been happenning on monthly bases for the last 3 years. And yet it doesn't seem to count as "Digital Pearl Harbor".
So perhaps somebody would like to enlighten me as to what in hell they're expecting?
are two different topics, but both have a complex fused relationship.
.... No one (or few) attacks, because failure is highly probable, the enemy cracker, phreaker, ... forensic tools collect incorruptible legally admissible evidence for prosecution, and prosecution is internationally pursued. ... they always do the most evil and/or wrong thing with ridiculous and righteous intentions. Supporting the static defense (first), then identify your potential enemy, your active enemy, their communications, operations, tactics and versatility (ability to attack, evade, and change with situations, people, and places), ... you must be able to hunt them down and prosecute with (if possible) civilized methods to whatever extent is required for victory (enemies surrender, go to jail, or die [limited options]). ...) intent is a vast waste of valuable resources needed for homeland defenses not virtual reality graffiti artist. Reasonable, measured, and proportional responses should be considered, public-image making can be absurd and wasteful.
.... Software should be treated the same. The car OEM can be deceitful or proactive in fixing the problem, and the OSD of the software should be required to proceed with equal haste to deceive or repair.
Cyber-Security (I think) has three major facets:
(1) Static Defense, mission to maintain all necessary daily business processes for the users, LAN, Enterprise, and external relationships - by doing all the right things to create (to the most professional extent possible) an impregnable IT/IS/IM/CT (collaborative technologies [AKA: Synergy Tech]) network/environment
(2) Active Defense, mission to develop and deploy H/S/N technologies and training that support the static defense for the government, military, and business in an intelligent cooperative coordinated manner. Remember reactionaries are like suicide-fanatics
(3) Open Source and Open Standards to address the problem of "Security Through Obscurity", because today there is no way to develop a Cyber-Security plan that addresses proprietary interest. This does not imply that software and/or hardware copyright should be abandoned for GPL/CopyLeft, but the only planning possible for the unknown (of proprietary hardware protocols and applications, and software) is to accept promises and pray for miracles. Standards of required procedures for business, government and military when compromises occur must include reporting security anomalies and problems and schedules and penalties on resolving security anomalies and problems, and when someone intentionally hides information about security anomalies and problems, then criminal fines and jail sentences must be enforced at the highest levels responsible in business, government and military. A security violation "Sleeping on Duty" and/or attempts to defraud can kill thousands of citizens in a surprise attack. Duplicity and treason have much in common, to me, in times of war.
There are many fine points, but for me the, three points, above are the big-picture. Reactionary investigations and arrest of script-kiddies and hackers with no provable malicious (defacing a website is a prank, not an attack, devastation, destruction, dead people, murder,
On software liability it should be addressed in much the same way as any other liability is handled. The laws are adequate, but legislatures, courts, and lawyers want to make technology hardware and software something unique.
If I buy a dangerous car and the OEM knows, then
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
since the internet is not breaking down international barras it will need laws of some sort.
Why do you think the internet needs special laws?
If someone comits fraud on the internet, is it not fraud?
If someone publishes unchecked and untrue slander about someone on the internet, is it not slander?
Someone stealing credit card info is breaking the law whether or not they use a computer to do it.
Invasion of privacy is invasion of privacy whether it is an illegal wiretap, an x10 camera, or a peeping tom. Monitoring my email should be considered the same. And I'd be willing to go to court to make that point, Patriot Act or no.
Most any crime you can imagine that occurs on the internet has a real world counterpart. If a person defrauds 10,000 people using the internet, they should face 10,000 counts of fraud. How else would you do it. Does the magic word internet somehow change the nature of the act? The real world has more than enough laws to cover most immoral acts, and some that are not immoral. Let the standing "real world" laws govern the net. Let the courts ague out the questions of jurisdiction as they did for mail crimes and telephone crimes.
Lets not start asking for new law without real cause for it. Inflammatory language like "Digital Pearl Harbor" is just designed to rile up the voters, and new internet laws will just make money for some lawyers (read: Bleak House)
Treaties between countries about tracking down and prosecuting the lawbreakers make sense, but laws pertaining to "internet crime" do not. We already have laws to prosecute criminals, no matter what medium they use to comit them.
Read, L
Look, you show me one remarkable scientific advance that came from outside Christendom. One. Go on. Have at it.
Stonehenge showed a remarkable knowledge of astronomy. The Chinese were able to predict eclipses and invented gunpowder. Einstein, an atheist, was one of the most remarkable minds in recent history. Charles Darwin advanced our understanding of evolution, and he was, at best, agnostic. Thomas Edison, while not a pure scientist, was a great inventor and an atheist. Isaac Asimov, Stephen Hawking, and Benjamin Franklin are all either agnostic or atheist.
Your problem is that you mistake wealth and religion. How many scientific advances have come from areas converted to Christianity by missionaries? Have you seen a lot of great scientific work suddenly coming from Christians in poor South American countries?
Science comes from the educated and education comes from wealth. Had Europe and North American been primarily Buddhist, Hindu, Muslim, some other faith, or atheist, their contribution to science would have been the same.
Haven't you been receiving a PILE of extra spam in your inbox of late? Haven't you been reading about all the viruses which have been causing 'havoc'? Heck, didn't you watch the propaganda-saturated Terminator 3?
Damnit, man! You're clearly not taking your pills or tuning into enough CNN! There's a war on, mister! And so what if it's a make-believe war?! The Great Muppet-President has a schedule to keep, you ungrateful boat-rocker! What are you? Some kind of godless-commie-fag-comic book reading-pot smoking-cab driving terrorist? Don't you appreciate that people died so that you could have your freedoms!?
Why, I oughta call TIPS on your ass and tell the FBI what library books you've been borrowing!
Don't make me come down there!
-FL