The Future of Security
Kvorgette writes "Scott Berinato in The Future of Security presents a very dark future of security in the years around 2010. Several computer security experts expect that a major security-related problem (a 'digital Pearl Harbour') will change software development procedures and remove the freedom in computer use we are striving for. The worst part is, most experts apparently think removal of software tools and access to information from the majority of computer and Internet users would be a good thing."
I know, different Charles Baio.
Still, unless you count Buddy, Charles provided a great role model and environment for the kids to grow up in. Security through education, not necessarily obscurity or technological whizbangitry.
To reiterate: 1) Security can only be achieved through education. 2) I would have liked to fuck the older sister on that show.
I have been pwned because my
When you got ONE company running the whole damn show, what will MAKE them focus on security? It's not like someone else will/can step in to take over.
People can't see the forest for bare trees...
Hello, I'll be your Microsoft representative today.
Our newest software releases - codename "orange clothing" - are fully Secure Computing(tm) enabled, and feature Digital Restriction^H^H^H^H^H^H^H^H^H^Hights Management, firewalls and authentication mechanisms built into your hardware.
You will no longer be troubled by the issues arising with "Open Source", and you are now also able to buy entire server farms straight from us - your beloved Government.
Methinks this is another promotion of proprietary software. We Barbarians will find a way to protect ourselves despite what the Government and the Borg think is best for us.
As is commonly the case in modern society, people focus on success at the expense of principle.
Certainly, the average joe not having access to the internet would make the internet secure, so that would appear to be successful.
The only issue is that this would be in violation of principles about freedom, principles which many people may not care about.
It's the same reason that having corporate systems with owners removed from responsibility is problematic: only successfulness is considered, not right and wrong.
nothing like a clueless journalist to drive sales of security products up
the sky is falling again oh no
so anyone want to buy some insurance/security products/golem ?
"Several computer security experts expect that a major security-related problem (a 'digital Pearl Harbour') will change software development procedures and remove the freedom in computer use we are striving for"
Microsoft's ongoing security fixes will never mean a security Pearl Harbor. Think about it - lots of holes being fixed gradually over a long period is pretty much the equivalent of sniffing the enemy's communications.
...or at least my customers think so. I am a security consultant, and I certainly do not believe that you'll get anywhere through removal of users' freedom. Nor do most of my "expert" colleagues. In fact, that viewpoint I've most frequently heard from fairly clueless middle management most concerned with immediate, bandaid fixes to deeper problems.
Like it or not, that's what it comes down to--freedom and choice. Our job is not, like in other fields, to "get to the bottom of the problem", but to fix the symptoms. Because, frankly, the cure would be worse than the disease.
Currently, you and I, as "clued" users, have access to the resources we need. We would be needlessly crippled by DRM, technical restrictions, whatnot. We all saw how effective US export controls on encryption technology were in the long run, and a lot of us have run into situations at work where we simply couldn't do the job with the given tools (all of which had to go through months of committees and acceptance testing, whatever.)
I'll grant you that corporations have more leeway in this; a company environment is more likely (and legitimately so) to be less flexible regarding software tools available to employees. But for general use?
I've been following loads of discussions among ISPs, for example, who see nothing fundamentally wrong with limiting traffic to ports 25, 110 and 143. Nice prospects, you say? Well take this a step further--when "someone" decides that the grannies of this world, whose PCs are currently spitting worms left and right, should be locked down, do you think that the type of legislation and technological restrictions necessary to do this will differentiate between the grannies and the "clued" users?
I don't have the answers, but I strongly suspect they go in the direction of continuing education. A few years ago, most people couldn't spell "virus" (well, they probably still can't, but they at least know what it is.) Putting the spotlight on security holes and spam and and and for the average joe is what gets results, not locking shit down.
Sorry for the ramble.
Cole's Law: Thinly sliced cabbage
Relying on OS patches is useless because the true dark-side hackers won't publicise any holes they've found until they've used them.
What could be useful is - dare I suggest it - holding essential OS kernel files in ROM. Slightly awkward if you want an upgrade, but not insurmountable with socketed chips. If you use UV-erasable ROM chips, you can still burn upgrades at home but remote hacking is impossible. And your PC would start up in the blink of an eye!
When I am king, you will be first against the wall.
I may be getting my three letter publisher names mixed up, but doesn't IDG do nice reviews for Microsoft? This whole scenario seems to be tailor written as FUD promoting the Trusted Computing model and its successors. The winners of this fictitious version of Pearl Harbor are very easy to pick: Microsoft, RIAA, MPAA, and the studios.
Unfortunately, violence happens to be the only way to secure liberty. Nothing else works.
This shit continues until finally we, the people, rise up and smite these bastards.
Of course, when we rise up, they sic Apache helicopters on our ass.
We are so fucked.
Is this truly the only Earth I can live on?
Hackers will find a root hole in Mac OS X, and use all the Macs in the world to commit terrorist acts.
More Gnome developers will be assassinated by the Korporation. Three have already.
Linus Torvalds will be arrested, become a slave for Microsoft.
The trolls on slashdot will take over, and the GNAA members will kill Michael Sims and CowboyNeal
Microsoft will take Linux, KDE, and use it for the version of windows beyond longhorn, and call it Windows Kinux.
This post will be moderated -1, insightful.
The very fact that we can forecast and predict which supposedly invulnerable arms of the internet will fall first according to this article is disturbing enough. A digital Pearl Harbour, perhaps a lackey term, is inevitable but will come sooner. Think of how much PC hardware costs have fallen proportionally to consumer selling prices; broadband+ connections are down to an all time low (same as 56k five years ago), and the growth of the internet has not gone hand in hand with updates to its infrastructure. A policing system for the net can only be a good thing, not to check into whether Joe Bloggs is downloading the 30th anniversary Metallica SACD but to ensure that the near fragmented "backbone" of the net is not exploited by next decade's bugs and programming errors, which the article preaches rather well.
Remember, and this is just a term off my head, an ant can support its body mass on tiny tiny legs; enlarge the ant to human size, its legs are no thicker than a pencil, it cannot support itself.
The net has become an unchecked, unpoliced medium, growing every day; there will be more than half a billion new users by 2008, the digital Pearl Harbour may come sooner than we think.
I use it for Slashdot, other than that... nada
The internet is still a relatively infantile concept; rules are not rigid, and everyone's feeling their way around - with standards being reviewed and re-written every day. The future may as well be as how the author claims it to be; the net surfers of today, the slashdotters will be looked upon in the future as we do at the hippies - they had their sex and drugs - we have/had any data/information we wanted. This DOES NOT mean that I disapprove of today's internet; after all who has the right to decide on our behalf - what we can know and what we can not. But with mega-organizations like RIAA pushing harder for stringent rules (yes, though they can claim to have a valid concern), I won't be surprised if our grandkids point fingers at us and say "hey - in your days, couldn't you look up how to make bombs and hack and even look at naked women?"
If compilers are criminalized, then only criminals will have compilers
Open source software tools don't kill networks, people do
Yes, and mechanics expect broken cars, teachers expect ignorant people, and doctors expect injuries. Of course, just by explaining what they "expect," security experts create more business for themselves by instilling fear in the public. Whatever.
Trusted apt-get is a fully secured, digital rights managed version of the popular package management system for Debian. However, Trusted apt-get differs in many ways. In order to avoid the situation of people being tricked into installing trojan-containing .deb files, all Trusted apt-get packages come from secured, trusted servers. Many of these are hosted in former Russian military data centres, and are easily identified by their '.ru' domain names. This is a mark of trust. Secondly, the Trusted apt-get source code has undergone a line-by-line security audit by Theo from OpenBSD. A lot of people believe that Theo isn't all that keen on Linux, but it's mostly been due to the lack of security focus. Trusted apt-get changes that. The final component is a DRM layer in apt-get, which allows for trusted, copyrighted closed source packages to be easily installed on any Debian system. This DRM layer is implemented using standard UNIX crypt() calls, so it's really portable, yet really secure.
We can all look forward to the day when downloading trusted, trojan free software is as simple as issuing a 'trusted-apt-get install gator' command (followed by a reboot. Rebooting flushes insecure code from the processor execution stack, and is the only NSA-approved way to install software safely on a UNIX/Linux system). I believe Trusted apt-get will be available as the standard package manager from Debian 4.0 onwards. Until then, apt-get play it safe.
Preventing people from accessing security-related information will only make things worse. Hackers will create their own tools, and find security holes on their own. Yes, there will be fewer people that know about the holes. But they will be able to do more damage, since there are too few people who have the knowledge to stop them.
It should be simple to write secure software. Most current operating systems (in their default configuration), assume that applications run by the current user should have all the powers and privileges of the current user. This is obviously wrong.
If I install a text editor, I probably don't want it to be able to access the Internet. It should be possible to say, "for this app here, don't let it do anything network related". That way, no matter how badly the text editor is written, it can't do any harm beyond the data it is allowed to work with. If I then want to use the text editor to print to a network printer, I should be able to tweak a few options to make that possible (without enabling anything else).
Ideally, all of this would happen when an application is installed. If there were some UI that said, "This here program is asking for the following rights, is that OK?", I would immediately know what I was letting myself in for.
I know there are various ways of doing this kind of thing at the moment (virtual machines, using permissions more effectively or using different accounts for software) but none of them are particularly easy to get going.
With all of this implemented correctly, it should be possible to run any application (no matter where it came from) without risking all the data on a PC and connected resources and to deal with security in a way that any normal user would understand.
What about creating an internet lab, a virtual lab which would house numerous hardware and OS systems and allow the curious a chance to present their findings and also apply them!
I am concerned that we are going to box ourselves in to a "know everything" you do, when most of what is done is just benign experimentation.
In 6 years probably Windows will be vanishing. And there will be more Linux or other OS OSes based desktops than Windows.
Enforcing laws stopping users from using some services won't give anything. It's like using robots.txt to stop people from mass downloading. I can easily get wget sources and modify them not to use robots.txt file. In the open source world such restrictions do not apply.
Regards
Now with Internet Spell Checking! No need to worry about an outdated spell checker, the Internet Spell Checking feature of ObviousEdit is updated every day!
Remember to click 'Yes' for Internet Access during the install.
I have been pwned because my
Diversity is what keeps the 'digital world' going. Standards specify how we communicate, but what we do with the information we process is up to the operating system/applications.
What the article suggests is that we should have 'standard' ways of doing this, "standard software patches". Now what if someone breaks that standard and introduces a bug/backdoor into a standard patch which everyone will receive? We'll have a situation much worse than what can possibly happen today.
"The federal government will mandate that users must authenticate their identity to access the Internet itself"
-Wow! Only one place 'to hit' to deny access for everyone to the internet.
What if I identify myself as someone else? Of course it will happen, then someone can wreak havoc and later the innocent neighbor will be arrested because:
'It was him, without doubt, that did all this and that on the internet. Proof? We have logs which clearly show the perpetrator logging on to the net'
Standards and centralizing is what will bring us a 'digital Pearl Harbor' (what a stupid name).
This reminds me rather of the anxiety over the Y2K bug. I think the rather doom-laden scenario being predicted here is frankly overblown.
"Then the lights wink out. Everywhere.
Then it begins to get cold."
Naturally, it leads into a Big Brother state from that point on. The article's a troll; it engages in emotive button-pushing.
I'm sorry, I couldn't finish the article, it was just pissing me off too much.
This guy is utterly clueless, I mean look at this:
Five factors distinguish the digital Pearl Harbor from the virus attacks we've suffered to date.
First, it disrupts backup systems. Fragile networks heretofore have been mitigated largely with backup. Disrupt that and badness follows.
Second, it leads to cascading failures. All of those massively inconvenient attacks people previously referred to as Pearl Harbors pile up. Due to the loss of backup, corporate earnings data is irretrievably lost. This panics Wall Street and destabilizes the financial sector.
OK, a couple of things. First, "it disrupts backup systems". Riiiight. So this Flaw in 'the internet infrastructure' can also get to tape backups in safes? OH NOS!!!1!
Second, "it leads to cascading failures. All of those massively inconvenient attacks people previously referred to as Pearl Harbors pile up."
"it attacks the Internet infrastructure--such as domain name servers and routers--and industrial systems connected to the Internet, like utility control systems." I'm sorry but if someone connects utility control systems to the net then they are the ones who should be strung up.
The point is that bugs aren't a risk to 'national security', they are a big problem, and will be very costly to business I'm sure, but an attack or accident that has a serious detrimental effect on people's lives, caused by security holes, just shouldn't be possible.
This important infrastructure should not be connected to a fundamentally insecure network, and if you're looking for scapegoats, they should be those who allow that sort of level of insecurity. Look at that power station that got Blaster...
...most experts apparently think removal of software tools and access to information from the majority of computer and Internet users would be a good thing.
Well, of course! Most users are morons and don't deserve computers! bwahahahahahaha!
Heh, you should have linked to these spammers' front page.
**WARNING** Main banner has been hacked to GOATSE.
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Yet Another Weak Prediction.
I predict in the next or previous six months you had a birthday.
And also that it will rain on July 14th sometime in the next 50 years in Ottawa.
Can I get a published article too now?
Tom
Someday, I'll have a real sig.
No his two points really do make sense ;-)
This sig has no nutritional value...
My father-in-law complained about his PC being slow, so I agreed to take a look at it, suspecting it was infested with spyware and such. I was right, and I wiped the machine clean as best as I could. I also installed a personal firewall, so spyware/adware should not be able to dial up to the internet at their own discretion.
What happened next is that when somebody wanted to visit an Internet page, or collect or send some email, that firewall would first ask permission for the app to contact the Internet. The first question was whether the app was allowed to contact host X.X.X.X at UDP/53. This, of course, means bollocks to the average user.
The moral of this story is that you need in depth knowledge of computers, software and (TCP/IP) networks in order to tell your computer if an action can be considered safe.
You could pose that a text-editor does not need Internet connectivity. How many of you guys use freeware/shareware that is ad-supported? How many (even payware) apps 'phone home' nowadays before even displaying anything like a splash screen?
Security of software and operating systems is primarily the responsibility of the writer thereof. You can NOT trust your average user to know what's safe and what's dangerous. You simply can't.
Viewed in that light, locking down a user's rights, even on his/her own box, seems like a decent idea. It would save a lot of spam and virus trouble, and spyware firms would be out of business before the week is over.
I however think that I know what I'm doing, and I demand my rights. I'm willing to take a test of competence if needs be, but I will under no conditions give up the control of my system to anybody, especially to companies or governments.
With so much of the web's infrastructure now running on Linux systems, the question needs to be asked: "How secure is the average Linux distribution?" If Linux is to continue its drive into the data center, with solid distributions like Debian and Mandrake at the spearhead, is it time for the Linux kernel to undergo the same type of rigorous, line-by-line security audit that OpenBSD has been built around? What is the opinion of Slashdot users out there who have had to implement a 'front line' Linux box, exposed to the day to day attacks that are part and parcel of an Internet exposed server? Are you wanting more security, or is Linux solid enough? Is OpenBSD really necessary, or is it mostly just hype? And are our current packaging systems robust enough to prevent the kind of trojan episodes which seem to grip the Windows 2000 Server community on an almost weekly basis? Can apt-get take us up to 2010 in secure confidence? I'd love to hear your opinions.
Scott Baio.
That would be bad for security, and Happy Days fans everywhere...
I linked to the page on purpose, and what I got was this:
Do not order from this company.
1) they spam
2) see a doctor--they prescribe drugs that you can get from a local pharmacist
3) they can't even secure their lousy web server.
"Honey, I feel a certain distance between us..." "Really? A 31ms ping ain't that bad..."
"Geer is convinced we're heading toward a broadly surveilled police state."
..
*heading toward* ?
The worst part is, most experts apparently think removal of software tools and access to information from the majority of computer and Internet users would be a good thing.
So every country in the world is going to implement this policy? Every last one of them? Or did the poster simply forget about non-US countries?
"Authentication doesn't scale. But surveillance does. "The costs to observe are virtually zero, so it's not a question of will it exist, but what will we do with it?" Geer asks."
The AMOUNT of information you collect can scale, but the UNDERSTANDING of that information is limited by the processing capability of the organization collecting it. Not to mention its power and ethical use are in the hands of one organization.
I'm hoping by 2010 we will have remembered not to trust the government too much. Power corrupts, and post Sept. 11 is no different than pre as far as that goes. Nor is post digital Pearl Harbor different from pre.
Bad things can happen - we have to accept that or do our society great damage. Any fixed target is a soft target, and computers and the internet are no different from anything else that way. The biggest liability right now on the net is unpatched Windows machines. Fixing the problems isn't enough - the fixes must be put into action. How do we solve that problem? Dunno, unless we do it right the first time (www.eros-os.org). But a free society has to be worth any price, or it will collapse. I won't accept government oversight as the price of keeping my computer safe - that price is too high. Particularly when it won't solve anything.
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
I agree the article seemed to leave in abeyance any positive developments and extrapolate the negatives we currently face. The existence of the article and our awareness of the potential problems speak to the potential to develop antidotes.
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
$1/day = $1,784 cash by 2008.12.07
that and a 9mm
oh, and a DVR loaded with stuff to catch up on.
there, that's it.
-- www.globaltics.net
Political discussion for a new world
I've just made an image of my Windows 3.11 system, burned it on a disc and buried it in a cookie jar in my garden. I will survive 2010!
What about those of us on OS X using SubEthaEdit which allows us to do collaborative editing over the local network or over the internet?
A Smith & Wesson beats four aces -- Murphy's Law of Poker
Politicians always think it's going to be an "electronic pearl harbor" but never imagine that it will actually be an electronic Exxon Valdez, or Bhopal, India.
The entire assumption is that some rogue power will launch a surprise attack on mothership america, when really, a bit of crappy code created by a monolithic company will cause widespread harm to the network and the economy.
It's already happened, look at Blaster/Nachi. The amount of background noise on the Internet caused by worm traffic in the core will only increase, and interestingly, probably to the point where it will make bandwidth expensive again.
As a security professional, it is always embarrassing to hear colleagues talk like this. It's self serving, unsophisticated, and politically motivated.
Get off it.
They want to take our development tools! I say we take a leaf out of Charlton Heston's book and start the National Compiler Association.
You can prise gcc from my cold, dead hard drive!
<fnord>OBEY</fnord>
I'm sorry, but the link to the spammer's site looks OK from over here (Europe). There's no goatse to be seen.
I am a Computer Engineering graduate from one of the best CE schools in Canada.
At this time I am 2 years into a software developer's career. I work at bankS (multiple). At every stage I realise how horribly lacking my education was in security. I realise that as a "professional" I cannot tell how secure a system is. I make fundamental security errors in my code.
In Skule, the only course that mentioned security was a mostly theoretic Software Engineering course. The security it mentioned was a fault tolerance kind of security that should be required of functions I write. No word about unhackability.
Any real security education I have is self taught, and any I will have is going to be self taught and taught through experience. From now 'till the rest of my miserable career (I hope I never have to be responsible for software, because it is going to be hell in the next decade) is the internship I never had. The problem is, that some of these systems are made by interns who never bothered to find out how to do it right.
This article is dead on. It's scary... banks.
*sigh*
Show of hands for all of you out there who are sick and tired of reading stuff like this combined with lack of action to deal with the matter.
People say I'm crazy, I got diamonds on the soles of my shoes...
Secure programming requires additional skill and focus during design, development, testing and configuration. This drives up costs and extends schedule for any project.
Ultimately the market decides winners in the software space (usually), and everyone needs to see security as a feature worth paying more for, in terms of employees designing and building the systems, to QA testers performing thorough audits before deployment, to users comparing choices in the corporate or consumer software space.
The author argues that it will take a digital pearl harbor to effect this change. I doubt it will be as drastic. We are already seeing consumers, users and businesses move towards more secure systems (and adding more diversity - breaking the monoculture).
The pain is only going to increase as attacks grow more and more prevalent, and damage more and more severe. Instead of a single, high profile event, I think we are going to see the current trend continue and accelerate: more and more people spending more money on secure systems, and diversifying their environments.
In the software market consumers and producers are equally responsible for the state of security - it costs more time and money and skill to build secure systems: are people paying more for the secure alternatives on the market? Do people make a thorough effort to address security before purchase? Until the answer is yes, the current methods will remain the market leader. Those that ignore security (to the extent they can) will come to market faster and cheaper than their more secure alternatives.
Those that put a premium on secure systems will spend more for a solution that gives them the stability and features they require, and understand the tradeoff involved in terms of cost, time and skill.
When did Americans become afraid of their own damn shadows? Every time I talk to somebody about anything tech related the answers are always along the same lines, "why can't we stop the big bad hacker man from hurting me?" Of course making generalizations about whole groups of people can lead to being modded troll...
This sig has no nutritional value...
If you plug a hole, it pops up again next door!
Uhm, I hate to disappoint you, but the site looks fairly intact to me. I have reports from other people as well. The only thing that seems to be altered is the "We will scam you" on the homepage. There's no trace of Goatse on that site to be found (from this side of the pond).
"Honey, I feel a certain distance between us..." "Really? A 31ms ping ain't that bad..."
It's a populist piece of scaremongering, but it raises one valuable point: the fact that there are fewer and fewer baskets to contain the vital infrastructure eggs.
If you have separate wires for power, telephone and internet and an entirely separate mobile phone network you have a fair chance that enough of them are going to stay working to allow you to repair the ones that aren't.
If your voice communications are running over IP over your powerline and the phone companies throw out their phone switches and replace them with VoIP routers which are also switching internet traffic and, incidentally, providing virtual private networks which link the utility companies' control and monitoring systems, then the chances of everything going down together are significantly increased.
The only way to stop this tendency is to change the definition of "bottom line" and that can only be done through our old friend regulation.
A bastardized version of Crass' Bloody Revolutions
You talk of overthrowing power with violence as your tool
You speak of liberation and when the people rule
Well ain't it people rule right now, what difference would there be?
Just another set of bigots with their rifle-sights on me
But what about those people who don't want your new restrictions?
Those that disagree with you and have their own convictions?
You say they've got it wrong because they don't agree with you
So when the revolution comes you'll have to run them through
You say that revolution will bring freedom for us all
Well freedom just ain't freedom when your back's against the wall
Will you indoctrinate the masses to serve your new regime?
And simply do away with those whose views are too extreme?
Transportation details could be left to British rail
Where Zyklon B succeeded, North Sea Gas will fail
It's just the same old story of man destroying man
We've got to look for other answers to the problems of this land
Vive la revolution, people of the world unite
Stand up men of courage, it's your job to fight
There are places where the networks are not touching, and there are places where they are -- Boeing's Lori Gunter
This article seems to allude that we will be using today's software and security techniques in 2010.
But to me, that's 6 years of potential new discoveries and technology.
It was over 20 years ago that Fred Brooks wrote the Mythical Man-Month, and the majority of the software industry are still making the same mistakes.
If you think 6 years is going to make a bit of difference, can you please point out how the software industry is more secure than it was in 1998?
If the carpet-bombing carried out by spammers is not that Pearl Harbour, I don't know what can be.
It's just a BloJJ
Do you really think the internet is "unpoliced" ?
There are places where the networks are not touching, and there are places where they are -- Boeing's Lori Gunter
... Y2K and the end of the world as we knew it? 'nuff said.
http://erichsieht.wordpress.com/category/english/
Silly twit.
The US aviation industry became so strong precisely because the government stayed the hell away from regulating until industry had established their own standards. You don't weigh into a market like IT with rules and regulations and standards, or you will wind up with far less security as politics define what security is.
IT is still very much a new industry, and no one agrees on standards yet. Standards were established in the aviation industry when the government told folks like Boeing we need the engineering documents for things like fasteners; i.e. you need to open your standards up so everyone can use them so we can all be safe.
Let the 8000 pound gorilla set up rules and regs only after the industry has done so. Prod them along, persuade, threaten, but let standards set by IT itself, be the standards the government uses.
Dawn of the Dead
*gasp* DRM?
Seriously, what you are proposing is something along the lines of a digital signing mechanism that would allow and disallow applications at runtime from accessing certain OS capabilities.
Normally, you'd get flamed for offering such a preposterous idea, but you're actually right. (though not in exactly the methods you propose)
And the internet
I don't have the answers, but I strongly suspect they go in the direction of continuing education. A few years ago, most people couldn't spell "virus" (well, they probably still can't, but they at least know what it is.) Putting the spotlight on security holes and spam and and and for the average joe is what gets results, not locking shit down.
I agree that more computer users need to understand more about the powerful machines that they use. The current Internet's design makes it too easy for one person's maliciousness or unintentional behavior to affect all the computers they are connected to (and with the Internet, that is all the computers in the world).
At the same time, we need better security tools that don't require so much education. I doubt that very many people want computer viruses or exploits on their machine. Unfortunately the current approach to security often requires that the user understand the configuration of their machine, what all the various services & ports are for, etc. Faced with an alphabet soup of acronyms in the patch instructions, many people don't properly configure their machines. Plain English approaches would make it easy for granny to keep her computer safe without knowing the arcana of the operating system.
Two wrongs don't make a right, but three lefts do.
Today's software development processes put out systems with a high level of badness and ugliness.
(I would also suspect there to be stupidness and obtuseness.)
Microsoft has to sharpen up on security. They, and the rest of the IT industry, will sharpen up by innovating less. (Gawd. Is that, like, negative innovation?)
Companies don't think enough about the common good.
Hawaiians would be wise to spend the 7. of December 2008 off line.
To be secure, we should hire 3rd world labor to read our keystrokes, or maybe logging keystrokes to a searchable database where hackers can read our passwords.
Buy buzzwords. Hire TLA's. Sell Microsoft.
Irene KHAAAAAAN!
the internet is groomed by geeks, always has been since its birth (also by us geeks), so i can't really see how the internet can be directed anyway other than the way geeks see fit.
--- any post that takes longer than 20 seconds to write, isn't worth writing
... what the article proposes is something near a monoculture of software... and that is exactly what can cause the problem... "ok, now all follow that way of program" is a good recipe for a future disaster. Heh, maybe a better solution is to close down microsoft, or open code windows, or whatever that neutralizes that single point of failure.
With software diversity a unified attack will be at least harder, and with freedom on discussing the problems (thing that goes a bit against what is proposed in the article) certainly helps to avoid or minimize their effects.
Those that sacrifice freedom for security deserve to lose both, and that could be particularly true in the digital world.
It's a weak prediction, because it will not happen in the next ten or hundred years.
1. monoculture is down;
2. the internet is too distributed.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Funny how I would have chosen "digital Hiroshima" to describe a major and painful destruction rather than Pearl Harbour (to be sure a key event in ww2 and much less costly in human lives)...
Which is the reverse of how things work. As long as there isn't a monoculture, it's simply too much work to make a computer virus that attacks more than one or two types of systems. FWIW, the Morris Worm was designed for two, Sun 68K and VAX/BSD I think, but one could only spread via Sendmail debug mode. I'm pretty sure that the only multi-platform worms/viruses since then have been Word macro viruses. Part of the reason is that modern exploits are mostly buffer overflows, which are very much not cross-platform, or CGI bugs, which are normally only present on web servers.
I think it's much more likely that someone will learn to hack IOS and write a router worm than for us to see a multi-architecture virus/worm again. Too bad that a side effect will be enough people learning PowerPC code to start attacking OS X systems while they're at it.
Well, to disable and restrict users from having the tools and utilities would be a fantastic way to keep your job until you are older than dirt. Although, I guess a minimal downside to the folks that abhor sharing their knowledge would be that the knowledge would die with you.
Then again it could be given to the government to "control". I'm sure I am just a conspiracy nut!
sheep mere sheep!
I'm sure there are a number of projects out there that try to make patching and update a standard process. However I've seen a patching solution that is as the HTTP protocol is to the web. Or in other words are there any RFCs, ISO or such that go to making a patching standard?
This article is both bogus and dangerous. It's just a 2004-revamped prophecy of the apocalypse:
:-)
The apocalypse:
1) Predict utter destruction for the whole mankind
2) People freak out
3) Enforce your own agenda ("Give me your lands and you will be saved when the world ends in year 1000")
4) Profit! The church is the richest state in the world.
This FUD:
1) Predict utter destruction for the whole mankind
2) People freak out
3) Enforce your own agenda ("Give me your freedom and you will be saved when the time comes!")
4) Profit! Corporations control mankind.
It seems so obvious to me that it's scary! A few points worth considering - let's dispel the FUD:
- The article says that every computer has 200,000 bugs in 2010. Omits to mention that in a multi-cultured internet (different computers, OSes, software) most computers would have a different set of bugs and therefore an attack couldn't possibly take down the whole, totally redundant infrastructure.
- If the internet goes down, everything (economy, electricity...) falls with it. Omits to mention that such statements should be proved.
- A more rigid security system would be more secure. False, people like Kevin Mitnick have been getting inside the world's most secure servers with very little problems, by using social engineering. Now, unless you can actually program the way the mind of people works, well, there's little you can do about it.
- Look who's talking. Uhm, a security expert suggesting more security - more than a little conflict of interest there...
I'm sure there are many more loopholes in this article, I leave to the reader the task of finding them
By the way, if someone told you "You're gonna die tomorrow! Do as I say and you will be spared!", how would you regard him/her?
My Stack Overflow user
I thought you were serious there for a sec. Then I started to feel like an idiot. Then I laughed.
You make some good points. I'd just like to mention that backups don't always contain what one hopes they do.
You might be unusually thorough and check all of your backups (week after week) to verify that
a) the content matches what's on disk
b) the content matches what you expect
but not everyone is so thorough. The less thorough might get caught by a more sophisticated attack that corrupts backups for a few weeks then cripples the system...
Just a thought.
"we demand rigidly defined areas of doubt and uncertainty!"
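The two backup checks listed in the comment above, (a) backup matches disk and (b) backup matches what you expect, sketched as an added example that is not part of the original thread. The function names, the manifest format and the sample files are assumptions constructed for illustration; the baseline manifest is assumed to be taken while the data is known good and kept offline.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare(reference, candidate):
    """List files missing from, added to, or changed in candidate."""
    ref_keys, cand_keys = set(reference), set(candidate)
    return {
        "missing": sorted(ref_keys - cand_keys),
        "extra": sorted(cand_keys - ref_keys),
        "changed": sorted(
            k for k in ref_keys & cand_keys if reference[k] != candidate[k]
        ),
    }


def verify_backup(live_root, backup_root, baseline):
    """Check (a): backup vs. disk. Check (b): backup vs. trusted baseline.

    Check (a) alone passes when corrupted data is backed up faithfully;
    check (b) is the one that catches that case. Legitimate edits also show
    up under (b), so the baseline must be refreshed after reviewed changes.
    """
    live = build_manifest(live_root)
    backup = build_manifest(backup_root)
    return {
        "vs_disk": compare(live, backup),
        "vs_expected": compare(baseline, backup),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: data altered on disk, then the backup damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        backup = os.path.join(tmp, "backup")
        files = {
            "db/ledger.csv": b"id,amount\n1,100\n",
            "etc/app.conf": b"mode=prod\n",
        }
        for rel, data in files.items():
            _write(live, rel, data)
        baseline = build_manifest(live)  # known-good state, stored offline

        # The live file is silently altered, then the backup job copies it.
        _write(live, "db/ledger.csv", b"id,amount\n1,999\n")
        for rel in files:
            with open(os.path.join(live, rel), "rb") as fh:
                _write(backup, rel, fh.read())
        faithful = verify_backup(live, backup, baseline)

        # Later the backup copy itself is truncated and loses a file.
        _write(backup, "etc/app.conf", b"")
        os.remove(os.path.join(backup, "db/ledger.csv"))
        damaged = verify_backup(live, backup, baseline)
        return faithful, damaged


if __name__ == "__main__":
    for label, result in zip(("faithful copy", "damaged backup"), demo()):
        print(label, result)
```

In the first scenario the backup agrees with the disk, so only the comparison against the baseline shows that `db/ledger.csv` changed.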
DNS always strikes me as the weak point in the internet for the following reasons.
1. It relies on a small number of root servers to provide authority.
2. It runs over a connectionless protocol UDP.
3. It passes through a lot of firewalls with little or zero inspection.
My disaster scenario looks like this.
1. Someone looks for a hole in a common DNS library on a common platform (gethostbyname or similar on W*ndows) and finds an exploit that exposes the listening socket to attack. This works because: Machines that are connected to the net are making constant DNS requests so that the return sockets are frequently open. Also by the very nature of DNS replies can come from anywhere and either spoof the source address or just pretend to be a root server.
2. Flood the DNS root servers for a period of time greater than 24 hours so that the DNS records of all domains expire.
To be honest you don't need (2.), you just need a good exploit (like slammer). The key is to take out DNS for over 24 hours and watch things grind to a halt.
I mean, even if I am a Linux zealot, it is widely known that monocultures are most vulnerable to viruses. This scheme applies in software.
With something open like Linux it would be much harder to get in that kind of trouble. And if not that, then Microsoft has to reform itself with Linux as a counterpart.
Look, there still is a catholic church, even now that Luther is a few hundred years dead. But still he made a difference. The catholics pope had to make a change if he wanted his church to survive, and so he did.
With something as radical as opensource software as a competitor it is hard for Microsoft to stick with its sloppy security. They are getting better even now.
I bet they will improve even more. And even if not, the plain fact that there are Linux-based machines around which might be not as vulnerable (even if it was just because they are not such a widespread target) means that there will be some systems up.
I guess that's why it's important that there is choice in software, even Apple or Win98/3.11 is an option here.
Of course in the case of a true perfect storm scenario this wouldn't apply but the pure existence of something different than Microsoft would help to make it harder for any Pearl Harbour scenario to happen.
cu,
Lispy
Wow! It pays to increase your word power!
That's a word I haven't actually heard used since... um... since... um... Oscar Hammerstein II used it in the lyrics to a song in "South Pacific." ("I'm as trite and as gay as a daisy in May/A cliche comin' true!/I'm bromidic and bright/As a moon-happy night/Pourin' light on the dew!")
Which makes about as much sense as the article.
Bromo-Seltzer, anyone?
"How to Do Nothing," kids activities, back in print!
Instead of a big bang scenario I could imagine a change through software liability.
Just imagine some slightly bigger than average small country (France? UK? Germany?) picking up the lead and explicitly cover product liability for software products. No more chickening out with boilerplate "click I AGREE" licenses.
Software companies would either have to be good enough or gone from that market. In this scenario e.g. Microsoft might have a really hard time to hold up against the courts. They might decide to leave that market. That would result in trouble for lots of businesses, but they will get over it. And then a reasonably big market might be open for something better. Don't be too optimistic, that other choice would have to be really better.
Such a small change could lead to a change in the IT industry much faster than any horrible catastrophic event in cyberspace (which also invariably leads to loss of life and property in popular articles). The change would spread out to the world really fast. And even if other countries didn't copy that legal model exactly it would leave us with a choice of software that is up to such a legal model.
When it becomes a crime to own a compiler, only criminals will have compilers.
Maybe our self-declared gun freak ESR was on the right track after all, eh?
The problem with the idea of a "digital pearl harbor" is the question of whether anyone would notice it. The metaphor suggests a peaceful world where computers and computer users are free to play in the wild with no fear until black Sunday finally comes and takes away all our innocence. The problem is that we don't have that innocence.
Try to bring up a Windows2000 workstation, freshly installed with no patches, and connect it to the Internet. In minutes it will be infected by a virus. Any one of the major security stories of the past five years would far exceed Pearl Harbor in terms of actual impact upon the information world. In fact, problems such as SQL slammer are more like the invasion of the Mongols, and the spam problem is global thermonuclear war.
who are those slashdot people? they swept over like Mongol-Tartars.
This is the same (faulty) logic that says that restricting guns stops crime.
Any criminal will, of course, simply ignore a law that prevents them from doing what they want to. That is after all the definition of a criminal -- someone that commits a crime (breaks the law).
The only thing that restricting access to any tool does, is stop those people you don't care about -- those that obey the law. Everyone really knows this, but this is really about control, not security or safety.
Can You Say Linux? I Knew That You Could.
Be careful - this article hardly seems legitimate. The article is simple fearmongering written by an author who only seeks to stir up attention of any kind. Unfortunately slashdot has furnished that attention. Allow me to expound on my position with some evidence.
The author is the same one who wrote "Patch and Pray", an article that starts off with "It's the dirtiest little secret in the software industry: Patching no longer works. And there's nothing you can do about it. Except maybe patch less." Somehow I sense a pattern of fearmongering and irrational, attention whoring claims by this guy.
But let's analyze the article slashdot posted on its own merits. Here are a few choice quotes taken directly from the article:
digital Pearl Harbors are happening every day.
That kind of defeats the point of calling something a "Pearl Harbor" doesn't it? The author is just trying to make things sound scary by wielding historical words.
TIPPING POINT: On Dec. 7, 2008, computer systems around the world go down simultaneously. They do not come back up.
That's right, they do not come back up. The machines all catch fire or something, so you can't repair them.
This panics Wall Street and destabilizes the financial sector. People run to their banks, but the banks cannot disburse funds; their networks are down. As are the credit card networks and the ATMs. If you don't have cash, you go hungry. Then the lights wink out. Everywhere. And it begins to get cold.
If you put that in a movie script, any studio would laugh in your face at the lack of realism. Yet this kind of nonsense flies in computer security articles?
People are hungry. Freezing. The old and the young begin to die. The strong turn against each other.
It just gets better and better! But there is a bright side if you read on....
"[in 2010] the average PC, while it may cost $99"
Yes. They are actually stating that they expect the average PC to cost $99 in 2010. This makes it obvious where they're getting the rest of their numbers from: straight line approximations. Take what's happened during the last two years and assume the same thing keeps happening for the next ten. There's a word for that, and it's not statistics - it starts with b and contains an s.
Of course, to have a reformation, you need a Martin Luther...Perhaps a rebel within Microsoft who sacrifices his career to change the culture and practices he's experienced firsthand.
You mean like, oh, Bill Gates? Microsoft wants better security already - they just can't implement it correctly, and many of their plans are misguided. But anybody in MS who could avert the next Blaster would get a promotion, not the axe. The company isn't quite the demonic hive some /.ers make it out to be, they simply exist to make money and dominate the market. Good security equals good money.
TSP and PSP have already been found to reduce coding errors by factors of up to 10 or more. Microsoft tried it and reduced bugs within a 24,000-line program from more than 350 to about 25.
Now this guy is trying to hype yet another crazy how-to-program-better-with-process scheme. Let me guess, he's co-authoring a book about TSP and PSP? Yep, they reduce coding errors by a factor of 10, cure cancer, and bring about world peace.
"We're reaching our limit with the angst. Popeye once said, 'I've had alls I can stands and I can't stands no more.' We're reaching that point."
Just imagine how those lines would go over in a security presentation in your company. "Boss, we have too much angst!"
And even features within programs, like the ability to forward e-mail messages, will be shut off.
Yes, that's right, the article made that prediction. You won't be able to forward email. Sure.
The federal government will mandate that users must authentic
Look at it this way; the viruses and worms that haunted the net at the time were more or less friendly, concept-like viruses. It could've been much worse. What if the viruses that roamed the net would:
Destroy your data / the operating system silently (shredding your files so that they can't be recovered).
Mail your documents to everyone in your contacts-registry. (Eg. mailing corporate files to competitors)
Hopefully, the reason why the viruses weren't dangerous was because: If you have the skill to write such a virus, you can probably imagine the consequences.
What are your thoughts on the subject?
In the majority of the jobs and software projects that I've ever worked the concept of security and integrity has never been of much concern to management. More an afterthought. Now to be clear most of the projects I'm talking about here are embedded network components and servers.
I've always seen it as my responsibility to try and write code that is secure. At the end of the day I'm trying to protect against such attacks. But even for all my diligence there is going to be some sort of mistake that can be exploited.
And for anyone who thinks for a second that I've been sloppy then just consider the OpenSSL library and the number of security holes found in it over the last year. This has been written by experts in computer security and cryptology, yet exploits and vulnerabilities are still found in it.
Now add to this management's concern to ship the project early or by certain unreasonable deadline, even if the system is plagued with bugs.
So when the product ships, a security hole is exploited in it, and the exploit is traced back to a certain piece of code, who should take the fall for it?
What about advances in security technology? Targeted IDS is still in its infancy. What about CERT's research into survivable systems engineering? Patch management software is going to suddenly go the way of the Dodo?
From my understanding the general consensus is that SOX auditing will eventually include all systems which run the business - not just the ones involved in financial reporting. That auditing requires a verified disaster recovery procedure and security documentation.
Am I saying there is absolutely no chance it could happen? No. But a lot of security people much better than me are going to have to be lobotomized before I think a digital "Pearl Harbor" is plausible.
I don't want knowledge. I want certainty. - Law, David Bowie
The parent post is right. The article is a bunch of FUD. Nothing like a clueless journalist to drive up sales of security products!
Kerio Personal Firewall version 4. It doesn't do everything you talk about, but it has much of what you ask for. Of course not being integrated in the OS makes it subject to some overrides, but it's pretty good security all in all. It does as you suggest on network access. If a program tries to access the network, or if a program is listening for network access and something tries to access it, Kerio pops up and asks if that is ok. You may permit it on a one time basis or permanently. It also features some program controls and can be set to ask if a program is allowed to run, to run after it's been modified, and to run other programs.
It, of course, has controls to set defaults so you can set it to always allow programs to run, and not ask every time, or permit all outbound network access but always deny all inbound access. It also has a more standard firewall that will do filtering based on application, protocol, port (if applicable), and direction or any combination thereof.
It's really good software and does provide most of the security that you want. It's also free for personal use. Windows only though. www.kerio.com
From such technically irrelevant fluff emerge huge sales.
Apparently, Danielle Steele has taken some networking and comp-sci courses at her community college.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
The new version of Kerio, by default, just asks if a given application ought to be allowed to connect to the Internet (or get a connection from the Internet). It still requires a bit of technical understanding, but not so much that you couldn't educate the average user. You need no understanding of TCP, you just need to read the window and see if the application listed is one you want to do what it is asking to do.
I may be getting my three letter publisher names mixed up, but doesn't IDG do nice reviews for Microsoft? This whole scenario seems to be tailor written as FUD promoting the Trusted Computing model and its successors. The winners of this fictitious version of Pearl Harbor are very easy to pick; Microsoft, RIAA, MPAA, and the studios. Parent is right about the article writer's agenda.
or similar
2)
in 2010 nobody will be using windows
3)
This just does not and cannot happen in a heterogeneous IT environment such as the one we have today, and the one that we will have to an even greater extent in 5-10 years. A virus that destroys a win2000 installation is not going to have much effect on a Solaris system, or the other way round. Additionally, important backups are kept in a non-networked environment, for this very reason. The only way that these can (possibly) be taken out is to launch a gradual attack over a long period of time, but such an attack would not go unnoticed over the entire globe without the alarm being raised. Besides the author talks specifically of an instantaneous attack.
4)
The authorities have proved startlingly ineffective when it comes to locating the point of origin of attacks in recent years. In the cases where a perpetrator has been (correctly) identified, this has generally been at the perp's wishes (confession, inclusion of email address, registered server, IP address etc).
5)
Again recent history has shown a remarkable lack of international cooperation when it comes to identifying and extraditing "hackers" (let's not pick up on the misuse of this word here). Additionally, where are you going to apportion for flaws in the open source software that the backbone of the internet mostly runs on today, and will do so almost entirely in the future?
6)
There will be a surge in the corporate purchase of such software, but it will be extremely easy to circumnavigate
I remember reading about an old computer system, I believe it was a Burroughs computer, that used software to enforce security policy. Executable programs would only be loaded and run if they had a magic attribute set. Users could not set the attribute. Only a limited number of trusted programs, like the system's compiler, could set the attribute. The compiler contained and enforced security policy. It would not allow the user to compile a program that violated the system's security policy. This allowed the system to have enforceable security checks that were implemented in software instead of special purpose hardware.
I believe that current popular operating systems are fatally flawed at the architectural level. Fixing the thousands of implementation bugs will not solve the architectural problems.
Mea navis aericumbens anguillis abundat
I wouldn't put it under beautiful terms like "at the expense of principle", the solution the article suggested is just simple minded and naive.
[Flamebait mode on]
The final part of the article is just a long winded version of "shut your computer up and you're safe"... The author is obviously over-generalizing the issues here. How to keep the bad guys off the Internet? "Human lockdown!" says the article. Yeah that is possible when you're talking about keeping bin Laden and his evil minions from entering USA. But the Internet? How can you even identify who is the bad guy on the Internet? Do you assume that I am a terrorist by looking up my personal data and know I know enough to break into systems? Is that infected computer somewhere on Earth leaving Nimda and Code Red marks daily into my Apache log a terrorist? How can you even define what (let alone who) is a terrorist/bad guy/whatever bs term the media has cooked up, on the Internet? We can't even effectively deal with viruses on the Internet, now you're talking about identifying individual users and lock them down one by one? Turn the Internet up-side-down and make it a closed system? Requiring everyone going to the Internet to authenticate against some kinda global security database? Prosecute me becoz my Outlook Express is sending I love you? LMAOROFL!!! That is just dream talking! I can see some silly US senators proposing this thing soon, only to realise there're other countries on planet Earth besides the US of A, who just won't give a damn to your new fangled Internet Security laws. Only to realise the Internet is nothing like the physical world where you can easily seal areas off, identify criminals, destroy your enemies with brute force, etc.
"the integration of applications becomes unethical as well as physically impossible" I have no idea what the hell this mad man is talking about! The whole Internet is "an integration of applications" itself, from my Mozilla to Slashdot.org's web browser that's an integration. From my Mozilla to Windows XP or the Linux kernel that is another integration. From KDE to XFree86 that is an integration. From a simple Hello World in Linux to glibc there's an integration. The whole world of computers existed becoz we could build it piece by piece with INTEGRATION! The author doesn't seem to have any idea what sort of "integration" he's talking about. Really, delete "integration", and we're going back to the good old abacus. And yeah, an abacus is pretty secure, I think.
[Flamebait mode off]
Yeah, my comments may not be very logical and very emotional. But what? Common sense told me the last part of the article is bullshit. A simple and naive "solution" to a whole different set of circumstances. Like what a child would react to seeing a war cartoon, "yeah, kill all the bad man and the world will come to peace, forever!!!!!!1111oneone". But kid, do you really know who is who in a real war?
I am not sure why they used that for an analogy as Pearl Harbor was not a surprise attack. Pearl Harbor was deliberately allowed to happen so as to force the American people into WW2 and to make sure the Japs didn't know the US had cracked their codes.
The only way Pearl Harbor would be applicable is if you were using it in the context of Microsoft deliberately allowing crippling attacks on its software so as to push through a new system whereby it (MS) has ultimate control.
Geez, get it right!
BTW, was anyone else ever creeped out by the totalitarian-themed "Charles in Charge" theme song?
Charles in charge of our days and our nights
Charles in charge of our wrongs and our rights
and I see!
I want
I want Charles in charge of me...
WTF?!?
Tippett argues that if we simply extend the present situation into the future, the level of complexity and vulnerability we would create will make a digital Pearl Harbor inevitable--and before 2010.
If we simply extend the present situation... but who is simple-minded enough to believe our world works like this?
"That [scenario] is appealing because it's one of the simplest things you can do with computers: restrict their abilities," says Peter Tippett, CTO of security vendor TruSecure and noted security expert.
Dear Peter, if you want to restrict all abilities of a computer which can possibly be used in a dangerous way, you'll have to pull the plug.
Tom's Rules For Reasoning About Tool Security:
- It's not the tool that's dangerous, it's the person using it.
- Every tool can be used to harm another person.
- Making a tool illegal won't prevent a determined person from using it.
Tom's First Conclusions From His Rules For Reasoning About Tool Security:
Just as the "Project for a New American Century" (PNAC) *needed* a "Pearl Harbor" to implement its police state plans, the forces that wish to shut down and control the information age need a "Digital Pearl Harbor" to implement their digital police state plans.
The phrasing "Digital Pearl Harbor" is used in a fashion very similar to how "Pearl Harbor" is used in the PNAC documents.
For further reading (also: google "PNAC pearl harbor")
Two years ago a project set up by the men who now surround George W Bush said what America needed was "a new Pearl Harbor". Its published aims have, alarmingly, come true. : John Pilger :12 Dec 2002
The cabal of war fanatics advising the White House secretly planned a "transformation" of defense policy years ago, calling for war against Iraq and huge increases in military spending. A "catalyzing event -- like a new Pearl Harbor" -- was seen as necessary to bring this about.
March 10 -- Years before George W. Bush entered the White House, and years before the Sept. 11 attacks set the direction of his presidency, a group of influential neo-conservatives hatched a plan to get Saddam Hussein out of power. (...) And in a report just before the 2000 election that would bring Bush to power, the group predicted that the shift would come about slowly, unless there were "some catastrophic and catalyzing event, like a new Pearl Harbor."
So when events start leading up to "Digital Pearl Harbor" ... make sure you've got all the apps and source code you care about on local storage. Because everything that in any way possible could be utilized by a "digital terrorist" is going to be banned and taken off the net.
We have experienced a bunch of hooligans that take control of boxes but do not even do anything nasty. For example, what if SQL Slammer had propagated, slept for a few minutes and then tried to log in as dbo/dbo and then walked the sysobjects table blowing database tables away, or worse, randomizing non-key data. They would have managed to get into an appalling number of business databases (where security really can be lax enough to use default databases. Even the safe used for sensitive papers in the Manhattan Project used the default combination - see Surely You're Joking, Mr. Feynman.) This sort of attack would have caused huge monetary losses. And even this sort of attack would probably not kill people, unless said database was in a hospital. That would be akin to a 'digital Pearl Harbor'.
Think global, act loco
there is no such thing as an 'independent review' unless it's done by nasa or the gov, every review is paid for, and everyone 'in' the industry knows it. :)
Liberty freedom are no1, not dicks in suits.
The twin notions: that 24/7 surveillance of every computer in the US is possible, and that a national AAA system is not possible are presented and no reason is given - we are just to accept these 'facts' because they appear in the article.
[Set Cain on fire and steal his lute.]
Wow. That is insanely stupid. I *cannot* believe this. You must have made this up, no one in their right mind could have come up with this. I'm going to RTFA now...
(later) Wow. Never underestimate the stupidity of the press with regards to computers.
The World Wide Web is dying. Soon, we shall have only the Internet.
The last thing we need in a discussion of security is half-baked and thoroughly debunked conspiracy theories. People wearing tinfoil hats should be automatically excluded from these discussions.
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
Putting curfews on the street works too.
Do not allow anyone outside after dark.
Curfews really cut into the crime rate.
Those restrictions won't hurt society at all.
NOT!
If it weren't for bad karma,
I'd have no karma at all.
However, seeing as A) "requiring" signed drivers has not affected quality during the last 4 years and B) past and current predatory marketing practices, I'd say it looks a heck of a lot more like market control. It does, even at face value, make it very difficult for smaller developers.
But that's neither here nor there, that platform is too far out of date.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
if the entire infrastructure of a country depends on a single operating system (a virus could not disrupt more than one OS) - it will be a digital pearl harbour.
After PA the US military learned some useful things (at the expense of taxpayers and soldiers, but this is another issue). After the digital PA the US corporations will learn something else, and maybe heads will roll.
I hope that people will get angry enough with monopolies and dirty business tactics to screw the customer to make corporations change... but I fear that's a utopia.
-- There are two kinds of sysadmins: Paranoids and Losers. (adapted from D. Bach)
This is the stuff Hollywood movies are made of. To paraphrase the old saying, 'the worst kind of lie is the one with a grain of truth.'
This is just alarmist paranoia, and it is more than somewhat untrue. It first posits that a massive breakdown of our infrastructure will instantly lead to massive chaos.
Just like the way the North-Eastern US and Ontario descended into chaos during the blackout in August. I recall being a victim of that unfortunate few days without power. I remember, the second I heard there was no power I got out of my car and started smashing windows and "bustin' heads," because, as they say, a widespread loss of infrastructure will lead to some sort of descent into complete madness, complete with the strong turning on each other.
In fact, ATMs were down, the banks couldn't possibly guarantee all deposits. But wait! There is this funny thing called deposit insurance. Oh yes, that's right. There are safeguards in place to keep runs on banks from happening. It turns out that banks that are members of the Canadian Deposit Insurance Corporation have insurance! This means that deposits up to $60,000 are guaranteed, despite anything that happens to the bank itself. If you have more than $60k just rotting in some bank when it could be better invested (not to mention splitting it into multiple accounts), you deserve to lose anything above the $60k anyway.
"Deposit insurance protects eligible deposits at CDIC member institutions in case of the failure of a member institution. If a member institution should fail, CDIC will reimburse you for any insured deposits you have with the failed institution." (source: CDIC: How Deposit Insurance Works)
OECD countries cooperate on banking regulations in order to harmonize regulations among those countries so that they can avoid collapse and contagion among them. The Basle Committee on Banking Supervision, which is part of the Bank of International Settlements, is a forum where experts formulate regulations and guidelines that are widely, and voluntarily, adopted by national central banks worldwide in order to stimulate investment and encourage prudent banking, and discourage failures of any magnitude.
The argument that Panic is a key part of a digital Pearl Harbor is, I suppose, plausible, except there would be no panic. "Panicking" Wall Street, thus "destabilizing the financial sector" is this funny plot mechanism that people who don't understand economics (but have a thumbnail view of from the econ 100 that they dropped out of halfway through the first semester) will use in their Hollywood screenplays of those apocalyptic movies that have a frightening tendency to star Kevin Costner. This article really does read like a treatment of some ridiculous movie, with all the theatrics about "if you don't have cash, you go hungry. Then the lights wink out. Everywhere. And then it begins to get cold." Do people in 2008 not have sweaters? In this time far into the future, are all the trees deforested so no one can build a fire?
Assuming that the global financial system is so fragile that everything would just collapse is wrong, and not really worth the time I'm putting into this comment. Witness the Asian crisis of 1997-98. I must be getting senile in my old age, but I forget how many people tragically lost their lives because of the panic that ensued after the world's banking sectors collapsed. Oh right, there was a slowdown of investment, and some investors lost their shirts and some banks in Indonesia, Thailand, South Korea and Malaysia were closed or consolidated, and some people did tragically lose all their savings, but nothing close to the chaos described in this article happened. Those governments got smart, implemented tougher restrictions and accounting standards that kept banks fr
The Funny thing is, that centralizing the whole f###ing fleet made the Perl Harbor incident possible in the first place.
"[in 2010] the average PC, while it may cost $99"
That line alone discredits the article.
I bought my first computer in 1983. Total cost was about 2000 DM. Since then, I've bought quite a few machines. Speed and memory have exploded, but the price has been almost the same. In fact, if anything I would guess it has gone up, not down.
I wonder what insight the author has to claim that a 20-year trend will radically break during the next 7 years?
Assorted stuff I do sometimes: Lemuria.org
that this story is submitted today, as it was on Martin Luther King Day in 1990 that the AT&T long distance service crashed due to a poorly implemented software update and provides us with both an example of the inherent weakness of a Software Monoculture, and the efforts of law enforcement to misrepresent such events in order to increase government regulation over communications. (I wrote more about this in another post.)
Giving in to pressure to limit access to information, and to allow a centralized service manage our personal privacy and security, will do nothing to increase the security of the internet and will do everything to limit our expectations of privacy and personal liberties.
Read, L
What really bothers me is that if somehow a virus was released on the internet that managed to take it down, that all of a sudden, banks would shut down, gas companies would shut down, causing chaos. If your company is providing a Very Important service that would be crippled by an attack on the internet, get your goddam important information OFF the internet. I think it's that simple. If financial records rely exclusively on that sort of thing, then we are in for one hell of a catastrophe if we are ever physically attacked in the United States.
Secondly, this "software development freeze" is probably the worst idea I've ever heard. I cannot believe these people are "security experts." Apparently, they want to "lock in" all software functions at Maximum Security Level. This is a horrific display of hubris. No one can say that this program or that computer is perfectly, unquestionably secure. There will be a problem, and what they are proposing is to make all computers the same. I think there was an article last week about how the uniformity of computers might in fact cause this "Digital Pearl Harbor."
Really, the name chosen for this er, "event," seems more like Terrorist FUD than any serious analysis of the situation. --Stephen
Did you ever notice that *nix doesn't even cover Linux?
Sounds more like a _Perl_ Harbour to me.
We are so fucked.
Not really. The fear that they try to instill in us every day really reflects the fear they have of us. If we credulously believe that al-Qaeda actually -exists- then we are complicit in our demise.
What's really happening has happened over the millennia time and time again: large societies go through phases, essentially in the same order:
- Crashed and dead;
- Gradually enlightening;
- Renaissance;
- Decline and regression/repression;
- Militarization;
- Crashed and dead.
Rinse and repeat.
(these ideas stolen from Megatrends)
What's really happening under the surface:
- Everything's broken and hopeless;
- People start to realize that their actions actually can be effective, opposed to what they've been convinced. Without the cacophony of poli'tics and nay-sayers, heretics are not discouraged from standing up and proposing new ways;
- Many of the new ideas actually work, and all benefit from the crazy ideas of the 5%, as the tide rises;
- Poli'tics learn the new landscape and take measures to acquire control of key levers. Cheaters get rich by shortcuts -- stifling competition, using inside information, and nastily propagandizing things they don't like;
- No one is paying attention to The King/Party/whatever (herding cats), or worse, speaking out against The Party, so a two-pronged attack against the people:
--- FUD - always a useful tool for control. ("The govt has increased to Threat Level Orange -- there may be an attack on New Year's Eve or New Year's Day or New Year's Week... somewhere." Just as everyone is traveling... take your shoes off. But oh, don't worry about thousands of unchecked shipping containers in ports) (Where TF are all the terrorist attacks that we've been promised, these past three years?)
--- Repression - possible only if you control certain levers. Stalin, Kim Jong Il, and Saddam knew nothing else.
- Eventually the few originals give up, but the society keeps riding that pony, whipping it harder, and getting fatter all the time.
- So progress peters out.... everything stinks, but no one can locate the source of the smell.
- Either the poli'tics give out (Athens, Soviet Russia), or are overthrown (French, American Revolutions).
(these ideas are my original)
I propose that, because at least 40% of Americans are convinced that the Bush White House, operates much the same as West Wing on TV, they are hopelessly stupid. But the rest have a chance.
{rant} Education is the center, and the key, to living well. It's something that no one can ever take away from you, and you can never have enough. Our (passing) renaissance was really due in large part to quality public education for the masses (now gutted), and to the old GI Bill. (That GI education plan made far more back for the government in taxes from higher incomes, than it ever, ever cost) If you actually study and do the work/thinking, you will be sincerely transformed. More horsepower; you can rise above the muck and see more things, and see them much better. There is no better source of self-generated self-confidence, in any situation. {/rant}
Campaign finance reform is national security.
C'mon, the net is a convenience, not a necessity.
People are not going to starve and die in
snowbanks if the Internet goes down, even if
it goes down for a month.
This article reads just like many articles written by so-called "experts" about the dire Y2K "bug". All the world's computers going down at once? Please.
Proverbs 21:19
Obviously most actions against information systems pale in comparison to the loss of actual people. Unfortunately, increasingly we are relying on these same crappy commodity information infrastructures for critical systems... oops.
Gloom, doom, FUD, but no solutions. The easy solution, a heterogeneous network. Windows, linux, *bsd in substantial amounts everywhere. Give DRM'ed, locked down Windows to the clueless home users, that's what the Windows market is for, those with more money than skills or sense. Linux and *BSD on the servers and the desktops of skilled workers and corporate drones.
The fear of backup systems going down is valid for Windows solutions, but a secure UNIX backup box should use a read-only filesystem, or any server for that matter.
Hrm.
But all in all, I think it's good to see stuff like this on slashdot. At least you see it discussed and debunked. And it's a good laugh. Well, maybe not a slightly pained one.
sig is my sith nature.
if someone created a Knoppix-like bootable "secure" distro
That's exactly what we are doing here! Askemos is a (gpl'ed) P2P layer, distributed on Knoppix-booted CD. It has a permission system as widely applicable as set theory can get you. And set theory is the means we use to prove that you can't abuse the administrative account.
It's 6 years of potential new discoveries and technology, but such things don't make it into the mainstream instantly. Banks still rely on mainframes running 30-year old COBOL code. Average users today are still using Windows 98 (which is itself almost 6 years old), or even Windows 95. I wouldn't be surprised if a great many people were still using today's software and security techniques in 2010, regardless of what happens on the security front between now and then.
Use Ctrl-C instead of ESC in Vim!
I don't know about removing the freedom of computer use, but I'm surprised that something really catastrophic hasn't happened yet. The nastiest worms and viruses we've seen on a large scale haven't even done anything truly malicious. I'm just waiting for the one that spreads itself far and wide, destroying data. When (not if) that happens, we're going to see some serious crap hit the fan.
Use Ctrl-C instead of ESC in Vim!
recipe for an orwellian nightmare:
1. invent an enemy which can't be defeated.(terrorists) and attribute a tragedy to them (9/11) to get the people good and fired up.
2. go to war with them, even though it is pointless and the people and governments you are killing had nothing to do with #1. (Afghanistan, Iraq).
3. use the war as an excuse to remove freedoms and lock people up for previously un-criminal activities(patriot act)
4. last, but not least, remove legality of all forms of mass communication from private interests and citizens and only allow one monolithic corporation to do it (run, of course, by NSA).
Looks to me like we are in the home stretch ; )
l8,
AC
If the United States institutes such a barbaric policy as a digital "lockdown", it would only have the effect of stifling technological innovation. This would be akin to committing economic suicide. A "zero-tolerance" policy for insecure software would sufficiently deter all but the wealthiest corporations from taking the risks associated with software development, but only in the US. The fear of accidentally introducing a defect, or vulnerability into a product would mean that the process of innovation itself becomes a liability. The lack of competitive pressure in the domestic market from smaller developers, would permit the larger software companies to slash research spending, in order to increase their profit margin; amid all of this they would become complacent. All of a sudden, software in the US would begin to look quite static when compared to the rest of the world (which by now is adopting Linux, and other OSS at a phenomenal rate). The gradual decrease in market share for US, in the software industry, becomes a flood. Pretty soon the US is behind the rest of the world in other sectors, as software in foreign countries becomes cheaper, faster, better and ironically, more secure.
Yep, I don't buy the article either.
With all the spam and virii passing across the Internet today, too many people and organizations just can't be bothered to make their systems secure. So how am I to accept that some sort of security mentality will take root and then rule in 2010? Especially since I will be able to put my 2004 computer on the net then, as we can do with a 286 today?
Also, the 911 event in the USA did NOT slap down draconian security measures across the globe. Hence, a "Pearl Harbor" event on the Internet itself (primarily affecting the West) is still unlikely to involve such security measures globally. The Internet is too fractious; like "terrorism" today, even the threat of an Imperial military with global reach hasn't stopped it.
What this article is essentially predicting is an end to Microsoft's OS dominance. It won't even require a "Pearl Harbor" event, since the combination of MS's constant weaknesses, combined with Open Source's strengths, have been arguing against MS for some time now. MS is heading for less market share, or less revenue, at any rate. (For instance, how much of that $100 computer in 2010 will be a MS license? $50? If so, then why not buy a Linux computer for $60? Or do you really think that MS will write "Windows AC" (Windows 2010: the Arthur C. Clarke Edition) for $10 per copy?)
One aspect to the article, I do agree with, although it's an unintended undercurrent since it critiques modern Capitalism. The article's gloom and doom suggests to me that to avoid such digital attacks, you shouldn't digitize operations to such a degree that they can become catastrophic. Look at the national power grid; computerizing operations to the extent that extreme remote controls are possible, makes the grid very vulnerable. And there's another factor here: economizing. The "remote controls" of tree trimming in Ohio was one factor in the Aug 2003 blackout; in fact, these "controls" were so "remote", that they were being underperformed.
[You have a stable society when some nut guns down a schoolyard and the law doesn't change.]
"...most experts apparently think removal of software tools and access to information from the majority of computer and Internet users would be a good thing"
Reading can be much, much more dangerous. Users must be permitted to read only approved books. All other books should be destroyed and our libraries must have only the right source of books.
I think he meant Perl Harbor.
... and the high-horse you rode in on. You should have taken computer science, because you obviously have a clue, but that PhD in English has left you unemployed with so much free time that you insist on spouting off hurtful garbage about the best website in the world, windowsupdate.com. I mean, slashdot.org. I bet you can't even patch a kernel!
(oh, and I like what you said about trolling in protest, I'm just not in the best shape right now.)
Changing random bits in random files, making small random changes to Excel spreadsheets, changing a few bits in the BIOS, changing bits in crypto keys, de-authorizing installed applications, and changing contact lists would make computers too unreliable to use. Corporate America could be nibbled to death by mice.
Not with a bang, but with a whimper.
When you take a class about computer crime, the first thing they teach you is that you don't crack codes by doing computer work, you crack codes by social engineering. Same goes for most other security breaches. There's obviously a place for both, but the point is that all the computer restrictions in the world won't make sensitive systems secure, as long as there are people who work there.
"The idea of having an OS on a bootable CD works" Yes it does, check out the master ...
http://www.all.net/
Dig around and read the papers, there is lots to learn.
~hylas
Digital Pearl Harbor? The former Presidential Fearmonger should've trademarked that term back in 2000. He could've spared us from this abuse. Or maybe all of the fearmongers could've read this for some good material. Or something.
The author insults my intelligence by cheapening the memory of Pearl Harbor.
Use Evolution instead of Outlook? Bewa
Security depends on both design and implementation.
The point about standards is that they act as a point of reference for design. That allows multiple implementations to interoperate correctly.
When we have multiple implementations, we have some options when it comes to security. That gives us a dimension along which products can compete with each other.
Now it's true that a published standard might in theory enshrine some particular vulnerability, but in practice a lot of eyes are on it. Doing things in some secretive, proprietary way means that society tends to learn about design problems after they become widely manifest.
This is a core insight of cryptosystem design, by the way. A system whose security depends on the secrecy of the mechanism is extremely vulnerable.
internet may be in its infancy.
however, it is far from being an infantile idea.
an infantile idea is something a baby would think,
i doubt any baby could conceive internet.
The invasion of the Mongols evicted tens of thousands of people from their homes and ruled an enormous empire, a fragment of which became China. He's remembered almost a thousand years later as one of the most fearsome figures of history.
Global thermonuclear war would destroy civilization as we know it.
Think about it this way - in a thousand years, do you think anyone's going to give a shit about Blaster? Within 5 years it won't be remembered outside the computer community, and within 10 it will be an answer to a trivia question.
So, in closing, please shut the hell up. You're making us all look like ignorant children.
"Never attribute to malevolence what you can explain by simple stupidity."
OK, so it's a stupid plot coming out of Redmond. Monoculture is a vast sort of stupidity. Including monoculture applied to signing.
My other car is a 1984 Nark Avenger.
This may be cliche, but security through obscurity doesn't work. You can lock the 'net down as much as you want, but the people who break it will be more powerful than they are now. Not to mention, this is a very limited view of the world, while the US may or may not be on the verge of a police state, the rest of the world cannot be counted on to lock down. And seriously if the Canucks thirteen klicks north can access all the porn/source code he wants don't you think Joe American is going to want the same freedoms?
I don't see a lock down lasting long, I mean everyone likes their freedoms
why pompous security "experts", because suddenly we can't survive this digital pearl harbour without their sage-like guidance. I mean honestly they've been spewing tripe like this since the 90's, even using the association of pearl harbour is so corny it makes me want to spew.
If you mod me down, I will become more powerful than you can imagine....
Are you an idiot, or just totally lacking of perspective?
Neither. I understand what a metaphor is, and didn't even posit the original metaphor that kicked off this conversation.
The invasion of the Mongols evicted tens of thousands of people from their homes... (blah blah blah)
The Pearl Harbor attack taught the United States that it cannot leave the rest of the world to itself and expect to be left alone. It culminated in the only nuclear attack (yet) in world history. What's your point? Does the metaphor break the rules only when the comparison happens to matter to you personally?
who are those slashdot people? they swept over like Mongol-Tartars.
Ok, I wasn't aware of that option. Anyway my point is: if you have sources, you can easily turn off functionality you don't like.
You even don't have to be an experienced programmer. Just basic programming knowledge is necessary in most cases.
This looks like a computer magazine columnist dusted off his old Y2K article, did a search and replace to change "Y2K" to "Digital Pearl Harbor" and added some more gloom and doom predictions: No more web, no more email, no more software development. This is not to say that security vulnerabilities and software quality aren't serious problems (just as some of the Y2k issues were serious problems), but the catastrophic events he forecasts are extremely unlikely, and the "solutions" he proposes are worse than the problem, even if the catastrophe he predicts takes place.
Remember what really happened on Jan. 1, 2000. Lots of web pages displayed the year as "19100" (and wouldn't have if their CGI scripts had been coded correctly).
Evolution does not apply (yet thankfully) to computer viruses.
The goal of a (malicious) virus writer is not to produce a virus that stays 'alive' forever. It is to CAUSE DAMAGE. As long as the virus spreads sufficiently before killing all of its hosts, it will succeed in causing a lot of damage, even if it means that doing so kills all of the viruses.
A biological virus has to survive to be successful. A malicious virus does not.
Dead on.
:-)
copy, paste, send
Even the NYT editors know how to get around this and they still published it. It would be easier, and maybe even possible, to simply ban attachments.
(still laughing...)
Authentication can scale. Most leading edge security systems (physical security) have been developing and pushing super scalable international authentication systems. What crap.
He thinks everything runs Windows. It doesn't, and this is the reason why his "Digital Pearl Harbor" can't happen. Unix boxes are much more secure than Windows boxes, and even failing that, most of the important* information is stored on mainframes anyway.
Quite frankly, it doesn't matter if all Windows PC's go down and can't come back up; the resulting drop in traffic due to Windows worms no longer propagating would mean that our internet experience would get better, not worse.
Furthermore, I know for a fact that mainframes aren't subject to the massive vulnerabilities that Windows PC's are. Even if all the Windows and UNIX boxes were hacked, it still wouldn't be a major catastrophe simply because the overwhelming majority of financial institutions and large corporations use mainframes for their crucial data. Consumers could care less if the local bulk-mailer loses their customer database, and it isn't likely that such a "catastrophe" would prevent their bank from dispensing cash, etc...
* - I've heard it stated that more than 90% of all the data processing done in the world is done with mainframes. So yes, taking out all Windows and UNIX boxes might knock down the Internet, but it won't erase your bank account or stop your bills from coming.
The society for a thought-free internet welcomes you.
I'm tired of media pundits announcing that there's a "Digital Pearl Harbor" on the horizon.
I doubt it's ever going to happen. Not like they think, anyway.
Just read CERT, Bugtraq... there are new exploits, worms and viruses coming out every day. Not a day goes by without someone trying to hack into the Pentagon or the telephone company or the power grid.
What's the difference between that and the so-called "Digital Pearl Harbor"?
And while I'm thinking about it -- who is a terrorist going to find to write some "super worm" who is more capable than a 16-year-old with a modem?
This piece ticked me off.
I just want to get my entire neighborhood rigged with 802.11g, and say screw the ISP, we'll all share in one big hodgepodge of grid-like distributed networking love, and no one will be able to tell who did what when.
Stuff like this just makes me want to quit my job and go work for the FSF or the EFF, and fix it (why them? because they're central organizations for the OS movement, that's why - OSDN might work, too).
There are security models out there already - many of them. The trick is focusing and condensing them into a readable list of best practices that even the new kids can understand.
There are security resources available now - identification and alerts regarding exploits, announcements regarding fixes, but unless you're really interested in your OS, you don't always get the message (or know what it means..).
I find it frustrating to deal with people who don't understand their computers - but the fact is there will ALWAYS be those people, and it's inevitable that those people will be put in charge of something they're completely clueless about - like running a server. People are idiots. It's inevitable that some numbskull will put a completely unprotected server out there because they just don't know any better.
Education *IS* the solution, and part of education is making the answers we already have easier to find and understand.
If we as an educated, computer-grokking, code-generating community can figure out a way to serve security concepts to the masses as a digestible tidbit, then we can tell the FUDers to go take a flying leap.
'Waste of a good apple' -Samwise Gamgee