Slashdot Mirror


Cybersecurity Chief Resigns

Doc Ruby writes "AP is reporting that 'The government's cybersecurity chief has abruptly resigned after one year with the Department of Homeland Security, confiding to industry colleagues his frustration over what he considers a lack of attention paid to computer security issues within the agency. Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single day's notice of his intentions to leave.' Yoran is the third cybersecurity chief in a row, after Richard Clarke and Howard Schmidt, to quit the Bush administration citing organizational inability to do his job. Maybe the job can't be done." In a possibly related story, individuals take cybersecurity lightly: Ant writes "This story says that consumers have a casual approach toward cybersecurity and fail to grasp the pervasiveness of online threats, according to a study released Thursday. More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code."

23 of 367 comments

  1. BIG mistake by rwven · · Score: 3, Interesting

    I think we all know it's a ridiculously HUGE mistake to underestimate the importance of cybersecurity. Whoever is responsible for "not paying enough attention" to it needs to be outright fired... We're talking about every classified document in existence being at risk. Frankly I don't blame him a bit for quitting. I think it's ridiculous to blame the problem on the Bush administration because I think we all know that's not the case, but obviously someone needs to get their act together....

  2. Intractable Problem? by Gothmolly · · Score: 4, Interesting

    As I said at a meeting one day as people were pulling their hair out over the latest MS worms, and the failures of all of the "automatic patch deployment"-type tools out there, "Maybe the large numbers of Microsoft workstations present an intractable problem". Stunned silence. I half expected to be stoned to death as a heretic. When Corporate America stops sucking on the Microsoft Tit, we'll finally see real improvements in security. As long as paper-engineers and golf-club-wielding PHBs are entrusted with decision making, I see no chance for improvement.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Intractable Problem? by flosofl · · Score: 2, Interesting

      Why is that clueless?

      Now we don't store PGP/GPG plaintext passwords, but we do store plaintext KEK (Key Encryption Key) and Master Keys and what not for banking networks, ATMs, etc. They are in a safe. It takes two people to open the safe. It takes two other people to enter the plaintext into the HSMs (There's much more involved - such as the audit trail, and so on...) I dare ya to social engineer that.

      As long as proper security controls are implemented (i.e. dual-control, separation of duties, authentication procedures) there's nothing wrong with having plain-text for recovery purposes.

      --
      "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
    2. Re:Intractable Problem? by sdmacguru · · Score: 2, Interesting

      Two of the coolest things about PGP in a corporate environment are split keys and signing everything to a designated key. You can set it up such that everything gets encrypted to a master key, which you split.
      That way, when someone has locked something up and their key is no longer available, the superfriends can get together and re-unite the master key to unlock whatever. Nobody actually has to write down anything to keep from getting locked out.
      Forgotten passwords you handle by having a designated revoker to kill your old key, then make a new one. Right?

      --
      If I had some ham, I'd make a ham sandwich, if I had some bread
  3. So symptomatic of all politics by FunWithHeadlines · · Score: 4, Interesting
    Please note, this is a rant that is not directed at one political party or the other, for both do it. But since the Bush team is in power, they will have to do as an example of what I mean.

    All politics is about power, the obtaining of it and the maintaining and expanding it. The focus when running for office is to say and promise whatever it takes to get you into office. Once there, the focus becomes hanging on to power at all costs. The way to do that is to play on voters' fears, desires, insecurities, in such a way as to get them to think you will solve their problems better than the next guy. Thereby saving your job.

    This is true no matter the topic, and no matter the importance of the topic. Right now, Topic A is security, and boy is that a vital topic. So vital, you'd think politicians would put aside their usual partisan techniques and actually get something done. But no, even here with lives at stake, it's politics as usual. Is computer security a hot-button issue for the average voter? Not enough to throw someone out of office over. So does this get priority? Nope.

    Look at the vulnerability of chemical plants to attacks. There were proposals to beef up security, the chemical industry squawked at the costs, the plan got scaled back. Why? Isn't security important? Sure, just ask Union Carbide about Bhopal. More importantly, ask thousands of Indians about Union Carbide in Bhopal. It is important, but it's not attracting votes, so it gets shunted aside. That's all that matters, folks. It's about maintaining power. So no matter how many security czars they get, unless that becomes a hot-button issue for the voters, it'll never be a hot-button issue for the Bush White House (or any other president that comes along).

  4. Cyber security needs to be tied into defense by Gary+Destruction · · Score: 2, Interesting

    Defending your country includes domestic and foreign defense both off and online. The fact that the military and various government agencies use the Internet is justification for including cyber security as part of defense. Cyber security should be part of the DoD's job.

  5. The political bottleneck by hawklord · · Score: 2, Interesting

    It can be very frustrating to someone who just wants to accomplish something when politics prevent it from happening.

  6. Things which are more likely to happen... by 26199 · · Score: 2, Interesting

    ...than winning the lottery: well, you're about 250 times more likely to be involved in a car accident than to win the lottery. And about 10 times more likely to be murdered.

    (That's over a whole year, assuming you buy a ticket every week).

    Virtually everything is more likely than winning the lottery. Their poll just shows that people don't really understand probability... (hmm. You're also more likely to be hit by lightning than to win the lottery.)

    1. Re:Things which are more likely to happen... by EvilTwinSkippy · · Score: 3, Interesting

      I propose a new measure of probability: the Franklin. One Franklin is the probability of being hit by lightning per unit time. (Kites and thunderstorms notwithstanding.)

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
  7. These guys gotta toughen up! by bitslinger_42 · · Score: 2, Interesting

    Granted, it's not like I'm in a highly-influential government job, but I do work in Computer Security. As a low-level grunt with delusions of grandeur, I can certainly understand the feelings of frustration, particularly when people don't do the right thing (i.e. what I tell them to). Maybe those of us in the trenches just have the clarity to realize that the job is hard, there are no quick fixes, and trying to convince people who bought their computer the same way they bought their toaster is a really, REALLY hard job.

    On the other hand, I've been doing this for 8 years, 7 years at my present company. Maybe the Baby Bush should hire me, since I'm not such a candy-ass :-)

  8. Why not educate people? by JavaLord · · Score: 2, Interesting

    This story says that consumers have a casual approach toward cybersecurity and fail to grasp the pervasiveness of online threats, according to a study released Thursday

    For all the money they probably pump into cybersecurity, can't they start a nationwide campaign to educate users?

    1. Re:Why not educate people? by JavaLord · · Score: 2, Interesting

      I want to turn on my computer and do things with it. So do most people. A computer is a tool like a car - just because I don't know how to build a transmission doesn't mean I shouldn't drive.

      But you realize that with your car you have to change the oil every so often or take it to someone who can. You might even have it winterized every year. You probably buy new tires every few years and even get it washed sometimes.

      All that is needed is a basic computer class (i.e. like getting your driver's licence), an auto-updating virus scanner and Ad-Aware-type software. I don't think that is much harder than what anyone has to do to own a car.

    2. Re:Why not educate people? by Piquan · · Score: 2, Interesting

      A computer is a tool like a car - just because I don't know how to build a transmission doesn't mean I shouldn't drive.

      A car is a tool for one job: driving. A computer is a tool for lots of different jobs, some of them very complex. If people wanted a computer to do only simple things, then we wouldn't be in this mess: ActiveX and JavaScript-enabled email would never have come along, for instance.

      But users constantly demand more capabilities. Not without cause, mind you, but that's not the point. The users want to be able to send emails that make a dancing baby go along the bottom of their computer screen. If John's computer can read the dancing-baby email but Jane's can't, she'll want to change her software to be able to read the dancing-baby email. We gots to have the dancing baby! And that's a normal desire for Jane to have, nothing inherently bad about it.

      The problem is, it's not clear to Jane that this is unsafe. She sees John's dancing baby. Maybe she sees that John's computer crashes more often, but she doesn't link that to the dancing baby. Why should she?

      I'd like to be able to step into my car and tell it, "Take me to Fry's" and off it goes. I can sit and chat with my friend while we travel, none of this pesky watching the road. The technology to do this is around today, but it's unsafe. Since car manufacturers take on liability, nobody's built this car.

      The vendors of computer technology are not like car vendors. Insecurity on a computer doesn't automatically mean unsafe (that is, it's uncommon for people to be killed by computer problems). So technology vendors aren't liable if their products are insecure. That means that technology vendors have the freedom to develop insecure solutions to meet market demands.

      Now, Theo the Technology Vendor builds a product that's secure, but won't show the dancing baby. Bill the Technology Vendor sells a product that's insecure, and will show the dancing baby. Of course, Bill doesn't tell people that his product is insecure. He might not even know it. So who does Jane get her technology from? (Followup: who now has money to develop and market the next product?)

      I'm not saying it's the users' fault. I'm not saying it's the vendors' fault. That's a losing game: the vendors point the finger at the users, the users point the finger at the vendors, and all anybody gets is the finger. I'm simply saying that, as long as users demand complex capabilities, and vendors provide them without regard to security, the situation will not be resolved.

  9. Re:Security is a hard job by recharged95 · · Score: 2, Interesting
    Security is a very hard job indeed. Cause the best security is when you don't notice it. It's abstract like objects, interfaces, freedom, and trust (Hmmm, could be why s/w development is hard ;) ).

    Considering it's in agreement that "take away electricity & technology, we're back in the stone ages" is very true and easy to understand for those who wish harm on the US as well as the connected world. Computers are tools and can be used as weapons or utility, make your choice. And with computers more interconnected to that environment (business, society, etc...), protection of privacy, from malicious code, intrusion or exploitation should be top priorities.

    I'd take the job, anyone here should offer. It's important for anyone in technology. Succeed or fail, we'll learn something. I'm surprised Yoran doesn't offer any notable "lessons learned".

    Then again, from experience, I feel his pain trying to get things working at DHS. Oh well, the clock is ticking--at least those who oppose us do not have much technology...yet. I hear Iraqis have better cellphones (EDGE) than we do here...

  10. Re:Well... by Speak+Forcefully · · Score: 2, Interesting

    Giving one day's notice was the SMART thing for this guy to do. I do not know of a single person who resigned with two weeks notice that was NOT immediately escorted out the door. Giving anything beyond immediate notice to an employer like Bush would be nuts. No doubt this guy had already calculated the kind of "organization" he was involved with, and likewise chose the most EFFECTIVE way of exiting. I just hope he remembered to turn the lights out on his way out.

  11. Re:no Digital Pearl Harbors by johnjaydk · · Score: 2, Interesting
    There is not going to be a Pearl. It's a gradual process where things gradually get more and more broken. It's not going to be a single big event. You won't be that lucky ;-)

    The only way to make people aware of the problem is for somebody to fly a Beowulf cluster of zombies into the Statue of Liberty ... on TV. Fat chance for that to happen.

    So I guess we have to deal with the alternative. Users are lame. It's their privilege. So we have to create an environment where it's safe for them to be lame.

    Now there is a challenge...

    --
    TCAP-Abort
  12. Re:I just don't believe it! by jc42 · · Score: 2, Interesting

    Face it, people don't give two flying fucks about being educated in computer know-how. They want to flip the switch and have it work.

    No, they don't. If they did, they would never buy anything from Microsoft. They'd all be buying Macs.

    And don't try to claim that they're ignorant of Windows' user hostility. Jokes about the difficulty of making computers do anything right are part of the general culture. And people with even the slightest bit of computer awareness are always aware of Apple. I've overheard many forms of this exchange:

    Person1: I hate my fuckin' computer; it never works right.
    Person2: Hmm ... I never seem to have problems like you're having.
    Person1: Yeah, but you use a Macintosh.
    Person2: <shrug/>

    No, there's a simple reason they buy the most user-hostile computers: marketing. They buy it because they've been told over and over that it's the only computer that people ever buy. And this happens because Microsoft has an advertising budget larger than the total operating budget of all those zillions of little computer companies like Apple or Sun or whoever.

    Also, they don't want to be thought of as nerds, which is how they think of Mac users.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  13. Re:I shouldn't have to care about malicious code by potus98 · · Score: 2, Interesting

    ...It's not usually a DIY job. Same with designing a microwave.

    Exactly!!! Certified experts have already designed those products for use by Joe-average. He can cook all kinds of meals without needing to install new gas fittings, adjust microwave frequencies, or fiddle with particle beams. :-)

    I have argued for years that the general, home-user PC device should have matured into appliance-level sophistication (i.e. easy to use) YEARS ago. The "complexity" of the modern PC operating systems is total overkill.

    Now, depending on which programs I elect to use, I would agree that an increased level of knowledge is necessary. For example, if I load Quicken for Small Business, I better understand something about accounting, finance, banking, etc...

    But if all I want to do is read e-mail, surf the web, and play a game, I should ONLY be required to understand the complexities of entering URLs, knowing the difference between Reply and Reply-to-all, and that I want to play the Recruit level -not the Frag-Master level.

    ...As soon as you increase the complexity of the system, you run into problems.

    That's my point! PCs are waaay too complex for their most common uses. That we (the tech industry) have delivered machines that require so much care-and-feeding just for the O/S is a complete embarrassment. And to add insult to injury, we (the tech industry) often maintain the arrogant attitude of "well, if they're too stupid to use it, they don't deserve to read e-mail..." instead of saying to ourselves "you know, Joe-average shouldn't have to deal with all this crap just to access some basic communication services."

    --
    This one gang kept wanting me to join cause I'm pretty good with a bo staff.
  14. Re:To everyone saying people are stupid by winwar · · Score: 2, Interesting

    "The average person isn't apathetic or stupid."

    Look, they may not be stupid (in the dictionary sense of the word) but stupid is often used in place of ignorant. But they ARE apathetic. How else do you explain the low voter turnout? If 100% of the population was involved, even minimally, in voting or civics in general, this country would be a different place...

    "The average Joe does want to learn."

    Uhh, maybe. Some do, but many do not want to expend any effort to do so or learn anything that conflicts with their preconceived notion of how the world is. And if you don't want to expend effort, then you really don't want to learn.

  15. Re:no Digital Pearl Harbors by Anonymous Coward · · Score: 1, Interesting

    You mean like taking out the Colorado DMV for a week?

  16. I don't blame him a bit! by Patchw0rk+F0g · · Score: 2, Interesting

    I have four different programs protecting my computer at the moment (admittedly, I'm using Windows 2k, due to software considerations), and I STILL have daily... nay, almost HOURLY notices that I've been breached at some point or another. At one point, I had to resort to almost 24 hours of purging to rid my system of unwanted, illicit, and interfering spyware in my system. Call it unwise surfing, but by my mind, the net should be as free as Yahoo or Google... but ever notice that Spybot blocks TONS of spyware on MSNBC? Hmmmmm.... Not seen any comments about THAT on here... Bill? You listening?

    --
    When the going gets weird, the weird turn pro. ~~ Hunter S. Thompson
  17. I took the "security test"... by scruffyMark · · Score: 4, Interesting
    It says I need to be more vigilant. Funny thing is, I'm employed in infosec. It's a pretty laughable survey - it pretty much assumes the worst, so the best you can do is slightly better than the worst.

    I guess the answers their scoring system didn't like were

    • I don't have antivirus software (when someone comes out with an OS X virus, maybe I'll think about it). Actually I lie - I just remembered I have clamav, although it's not integrated into the system - doesn't automatically do anything at all, I just use it to scan the odd "important message" email attachment. Ah well.
    • When I get unexpected attachments, I open them to see what they are. Of course, I don't double-click them; I run file, strings, maybe clamav, a text editor if it's written in a scripting language. What blows my mind is, people get infected by trojans that arrive as password protected zip files - I mean, even the malware is user-unfriendly and people still manage to get bit.
    • I use file sharing. I chose to interpret that liberally - I run sshd, and occasionally need to transfer files via sftp.
    • I don't disconnect the computer from the internet when I'm not using it - like I said, I run sshd.
    • I haven't made backups recently. I admit it, I'm a slacker in that regard.
    • I don't have the phone number of my cousin, the computer guru, next to the computer in case something weird happens. Right.
    • The security of my "Internet browser software" is not set to high - that one cracked me up. I mean, why pretend you don't mean IE? No other browser has that "low/medium/high" security interface.
    --
    What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
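An added example in Python, not code from this thread: the kind of look-before-you-open triage scruffyMark describes (file-style magic-byte detection, then a look inside an archive without executing anything), extended to flag the password-protected zip case he mentions, where no scanner can see the payload. The magic table, extension sets, size and depth limits and sample files are all constructed for illustration, and the "encrypted" sample only sets the zip header flag bit that a password-protected archive carries; nothing in it is really encrypted.

```python
import io
import zipfile

# Leading-byte signatures: the same idea as file(1)'s magic database, kept tiny.
# Each entry: (magic bytes, human-readable type, is this executable content?)
MAGIC = [
    (b"MZ", "windows executable (PE)", True),
    (b"\x7fELF", "elf executable", True),
    (b"%PDF", "pdf", False),
    (b"PK\x03\x04", "zip archive", False),
    (b"\xd0\xcf\x11\xe0", "ole2 compound document (legacy office)", False),
]
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
DOC_EXTS = {"pdf", "doc", "xls", "txt", "jpg", "png"}
MAX_INNER = 1 << 20   # never expand an archive member larger than 1 MiB (zip-bomb guard)
MAX_DEPTH = 2         # nested archives beyond this depth are reported, not opened


def sniff_type(data):
    """Classify content by its leading bytes; returns (type name, is_executable)."""
    for magic, name, is_exec in MAGIC:
        if data.startswith(magic):
            return name, is_exec
    return "unknown", False


def inspect_attachment(filename, data, depth=0):
    """Return a list of findings for one attachment; empty means nothing suspicious seen."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind, is_exec = sniff_type(data)

    if ext in EXEC_EXTS:
        findings.append(f"{filename}: executable extension .{ext}")
    if len(parts) > 2 and parts[-2] in DOC_EXTS and ext in EXEC_EXTS:
        findings.append(f"{filename}: double extension disguises an executable as a document")
    if is_exec and ext not in EXEC_EXTS:
        findings.append(f"{filename}: content is {kind} but extension is .{ext or '(none)'}")
    if kind == "zip archive":
        findings.extend(inspect_zip(filename, data, depth))
    return findings


def inspect_zip(filename, data, depth):
    """Walk a zip's members in memory; encrypted members are reported, not read."""
    if depth >= MAX_DEPTH:
        return [f"{filename}: nested archive too deep, not expanded"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{filename}: zip signature but the archive does not parse"]
    findings = []
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # general-purpose flag bit 0: member is encrypted
            findings.append(f"{filename}: encrypted entry {info.filename}, scanners cannot see inside")
        elif info.file_size > MAX_INNER:
            findings.append(f"{filename}: entry {info.filename} too large to expand")
        else:
            findings.extend(inspect_attachment(info.filename, zf.read(info.filename), depth + 1))
    return findings


def make_sample_zip(inner_name, inner_data, encrypted=False):
    """Construct an in-memory zip for testing (constructed sample, not a real attachment).

    With encrypted=True the encryption flag bit is set in both the local and the
    central-directory header, as a password-protected archive would carry it; the
    stored bytes stay plain, this only exercises the flag check above.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, inner_data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            raw[raw.find(sig) + flag_offset] |= 0x1
    return bytes(raw)


if __name__ == "__main__":
    samples = [
        ("report.pdf", b"%PDF-1.4\n"),
        ("invoice.pdf.exe", b"MZ\x90\x00"),
        ("photo.jpg", b"MZ\x90\x00"),
        ("invoice.zip", make_sample_zip("invoice.pdf.exe", b"MZ\x90\x00")),
        ("docs.zip", make_sample_zip("payload.exe", b"MZ\x90\x00", encrypted=True)),
    ]
    for name, blob in samples:
        print(name, "->", inspect_attachment(name, blob) or ["nothing suspicious"])
```

Nothing here is executed or rendered, which is the point of `file`/`strings`-style triage: the content type comes from the bytes, not from the name the sender chose, and an archive whose members cannot be inspected is itself the finding.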

  18. RE: flip the power on and go? by King_TJ · · Score: 2, Interesting

    No, you're probably a bit spoiled by being a Mac user - but you're not wrong at all!

    As just one (of countless!) examples I run across in my line of work (on-site PC service), I was trying to help a guy out this afternoon who had spyware/virus problems crippling his Windows XP machine.

    He's no dummy either. He has a PhD in Physics, and works from home as an editor for college textbooks.

    This is about the 5th time in 6 months or so that I've had to help him fix these types of issues. Originally, he was running Windows ME on his Gateway Pentium 4 system, and viruses pretty much made the computer unusable. I spent the better part of an afternoon removing the viruses and all the spyware I could find - but a lone remaining virus was a "downloader trojan horse" and apparently re-downloaded and installed numerous virii after I left.

    After a second round of cleanup, I seemed to have it all fixed - but about a month later, it seems a few things got past his Symantec Personal Firewall and started causing tons of pop-up ads and other issues, so I was called out yet again!

    Finally, he just asked us to wipe the drive and start fresh. We did, and made sure to do every possible Windows update, install the latest ZoneAlarm firewall, etc. etc.

    So then, he decides to take the plunge and upgrade to Windows XP (since ME was a regularly crashing/blue-screening piece 'o junk anyway). We did that for him, and applied Service Pack 1 and everything else available at the time.

    Well, after a couple weeks, voila - more rampant spyware/virii problems! He already tried both SpyBot and Ad-Aware SE 1.05, the very latest AVG Anti-Virus updates, and more, yet he couldn't eliminate the problems - and it was hindering him from doing his work.

    I tried everything I could think of, including hours of manually deleting things. (XP likes to keep temporary files inside hidden sub-folders under the "Documents and Settings" directory, and I've found many viruses hide out in there, for example.) I got everything clean that I could find, and all the scanners report it clean, yet each time you launch Internet Explorer - it redirects you to some spyware/ad-ware web site and starts trying to install a bunch of garbage via Active-X!

    Nobody should have to go through all of this B.S. just to get some work done from home! This is a disgrace. This guy isn't even "surfing porn sites" or any of the stuff people like to point fingers and accuse people of if their PC gets infected....

    I've already suggested maybe he should make his next computer a Mac.... Several of his co-workers made the switch recently, already, and seem to be pleased. He's just concerned with the fact he owns so many PC only software packages and doesn't want to buy the same things over again to get a Mac native version....