Slashdot Mirror
U.S. Cybersecurity Report Available
Kaelem writes "Kevin Rose put up a copy of the report Cybersecurity for the Homeland (pdf), due to be released tomorrow. It talks about some interesting things, like expanding the US-CERT website as well as funding for colleges to develop cybersecurity curriculum."
I'm glad there's SOME part of TechTV G4 hasn't raped the life out of.
More like from the U.S. Depeartment Of We're Not Going To Tell You Anything You Didn't Already Know About Security
Electrons are free; it is moving them that becomes expensive.
here
the PDF is 3.67 megs
M$ Lawyer: But `gcc
Definitely something worth investigating, just wondering what a few billion in research dollars is going to reveal - hopefully more than "it's a problem that's difficult to fix" report.
Video Phone Blogs send video messages straight to the web.
References to computer network infrastructure as "cyber" sound very amateur to me. 1995 already happened. Could we please get an adult vocabulary and start talking about serious subjects with maturity? Thank you.
Speak truth to power.
there's gotta be something against doing this in the patriot act
Wow. Really?
Kind of a broad term. Don't most colleges already have courses similar to this? I know my college had something that could fit into that term. Anyone else seen "cyber security classes" at their college?
It's nice that they're expanding thier portion but at the same time I believe that due to the senstivity of such issues that they should never be revealed to the public, which can create more problems than good. And one other thing we got to think of : ARE THEY TELLING THE TRUTH? After CIA, etc mess up, I can't really trust the Gov't as much as I used to.
May
Cybersecurity demands a guy with a cybershield to keep our heads from a sploding.
SAILING MISHAP
Wow, you're right. The news outlets are busting with coverage. Thanks to you we heard it here first. God bless you and your children.
Speak truth to power.
you are not refering to that gay Alex, are you?
Actually, come to think of it, perhaps incompitence in a secret po^H^H^H^H^H^H^H^H^Hhomeland security department is not such a bad thing.
_O_
.|< The named which can be named is not the true named
The National Science Foundation (NSF) and the Department of Defense (DoD) already sponsor Scholarship For Service (SFS) programs like the Cyber Corps to train students in aspects of cyber security with the intention of placing them in government information assurance positions.
And many colleges are developing Centers for Information Security (CIS), and among those, that is where you see the government encouraging these programs.
The tag line, I believe, is "Defending America's Cyberspace."
More information on the SFS program can be found here:
http://www.sfs.opm.gov/ScholarshipMain.asp
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Why do I see more bureaucracy and less action?
Moderate this comment
Negative: Offtopic Flamebait Troll Redundant
Positive: Insightful Interesting Informative Funny
Nothing to see here
But for how long?
_O_
.|< The named which can be named is not the true named
the U.S. department of oxymorons...
Mod me up, mod me down, flame me, praise me -- whatever you do, you help prove I exist...
That is very true. Many colleges simply have a few security courses, and that is it.
But there are some colleges with offer the five major security certifications and offer network security, ecommerce security, network programming, penetration testing, operational security, forensics, enterprise security managment, and more courses which basically make up a secondary Computer Science program. Those students still have to learn all of the fundamentals, but also push themselves to learn the security aspects. These courses are also often taught by ex-government workers, ex-hackers, and such. I know of at least one that is also broadening their program to include electrical engineering and hardware aspects as well, so things like biometric sensors are covered in addition to programming databases.
I was suprised at how many programs there are in the nation which gear into this stuff; unfortunately, it is probably not enough. Most CS or IS programs focus on the theory and some practical implications, but stop at the security implications.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
i am the sysop of the internet! it is going down for 36 hours due to emergency security upgrade!
Those should be the steps (generally) for most projects.
A program that doesn't go through budget planning, cooperation with the private sector, risk assessment, remediation, and further research and development, as well as education about the program, is exactly why we have to problems that we do. People complain that programs are pushed and rushed from start to finish without any forethought or planning, and then are critical when that planning goes into place. I suppose people would prefer seat-of-the-pants development, no security considerations, isolation from the private sector, and a total lack of budgeting?
If only most projects (government or private sector) could go through such planning and still get pushed out in a timely manner! I see this as a good thing.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Looking at Slashdot for contemporary info is equally as fucking stupid. It was a joke. :P
Speak truth to power.
considering the amount of security work (dsniff, honeyd, steneography) done at umich by people such as song, honeyman, and provos, its pathetic that this coming winter semester is the first semester a security-focused class will be offered.
then again, its better late than never...
That just cut off Orlando from "homeland defense funds" for 2005, even though they get 44 million visitors a year (disneyland, etc).
The local news is sure pissed off about that. Kinda makes you wonder what their priorities are. Oh wait, Bush got re-elected, I guess the hype is over.
That'd be curricula.
u m
http://dictionary.reference.com/search?q=curricul
High-speed Road Trip (18.000KPH)
Of course, the best way to do this is throw gold dust at them... lots of gold dust.
no, it's secure so openbsd, duh! NSA made a patch for linux but it was soo complex even they can't understand it. that's what bureaucracy does. ;)
Really? As someone who just finished studying and reading the CERT guide for System Administration and Accreditation (yes, it was torture), I find that most system administrators do not know the principles within, or recklessly choose to disregard some of the most helpful ones. Many system administrators are seat-of-the-pants, self-taught individuals who learn along the way as issues come up, and sometimes miss some of the fine points of securing a system. A lot of admins push large upgrades on production systems, or use test systems still connected to the main network (the recent 60,000 computer fiasco reported in /. is a good example), don't practice isolation, choose their products on budget or because of a last minute need (although sometimes this is unavoidable), do not configure firewalls correctly, do not lock down their systems tightly, etc. Sometimes they do everything they should, but out of order. A lot of people don't realize the importance of order in bringing systems online. Many times, these are on critical systems or systems which contain confidential information. Customer information is put at risk, simply because the administrators do not know any better.
A lot of companies hire admins who are actually unqualified, but who can do a "good enough" job because they don't understand what to look for in an admin.
Not all admins are this way, but a suprising number of them are.
If admins out there honestly knew everything there was to know about security, and administer their system to the CERT guide specs, then I would be impressed. Because my experience in observing everything from large university systems, health care systems, tag agency (all-you-need-for-identity-theft-agencies, more appropriately) systems, corporate systems (credit card information and personal information), is that this simply isn't so.
A lot of penetration testing reveals vulnerabilities in areas that are clearly stated in that CERT guide.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
its unbelieveable how they can link any and every darn thing, to 9/11/01.
its actually repulsive!, how can they link "cyber security", to "terrorism" is beyond me.
iirc, i don't believe there has EVER been a true act of TERRORISM via the great ole www.
the fact is, just because some 12 yr old kid in Michigian,
got a point & click script from google, and is now "l33t",
because (s)he can go and gather up "bots" or "drones" and take out their latest and greatest target,
doesn't exactly qualify for the mark of Terrorist.
sure its a nussiance, sure its fundamentally flawed,
but give me and the rest of self-respecting somewhat knowledgeable computer literate American citizen a kic-kat bar break!
thanks, alright? mmmk?
--kingpunk
Does it mention why every cybersecurity "czar", starting with Richard Clarke, through this Fall, has quit in disgust? I didn't think so.
--
make install -not war
http://shit.slashdot.org/article.pl?sid=04/12/05/2 317205
Comment removed based on user account deletion
One of, unless I misunderstand you. The SFS program that has been in place at many universities have been around since 2000/2001.
Although the major is still labeled as Computer Science or a variation thereof, all courses in the masters program are geared toward cyber security.
Some courses offered:
--Computer Security
--Secure Electronic Commerce
--Enterprise Security Management
--Secure System Administration and Certification
--Network Security
--Computer and Network Forensics
--Information System Assurance
--Advanced Computer Security
and I know there is also an Operational Security course being discussed, among others.
It also offers certificates in:
Information Security Professional (INFOSEC), Designated Approving Authority (DAA) and System Administrator (SA), Information Systems Security Officer (ISSO) and System Certifier (SC)
It is still a rather new thing, though. There are only a handful of universities (albeit a suprising number) offering these programs.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Actually, as I mentioned in another post, the students in these programs must basically double-up duty. They must learn the fundamentals as well as the security aspects.
The expiration date is true of most majors. I received my bachelors degree in Electrical Engineering and had three years of Mechanical Engineering, and beyond the basics, most of the specializations which students take on during their masters study, given technology trends, will carry an expiration date. That is why most college graduates should consider continuing education. In our program, the students learn the same fundamentals as a "regular" CS student, but then must learn in courses such as:
Some courses offered:
--Computer Security
--Secure Electronic Commerce
--Enterprise Security Management
--Secure System Administration and Certification
--Network Security
--Computer and Network Forensics
--Information System Assurance
--Advanced Computer Security
and I know there is also an Operational Security course being discussed, among others.
They also earn certificates in:
Information Security Professional (INFOSEC), Designated Approving Authority (DAA) and System Administrator (SA), Information Systems Security Officer (ISSO) and System Certifier (SC)
They must also carry out special side research projects as well.
Yes, burn out is initially high until the students become accustomed to having a lot asked of them, but the students make it through it and come out as highly competitive professionals (and highly paid), and the agencies they go into often pay to send them to school to keep up with technology trends. In five years, they can expect to be right back in the classroom (while working), but they will be paid for this. They are also paid to go to conferences. I would say that, after they emerge from the fire, most of them actually have a better understanding of the fundamentals because they get to apply them in a specific area, and also concentrate beyond the narrow focus of getting something to work, but to get it to work securely. They still go through the basic programming, operating systems, networking, and other courses as the other students do.
Also, because of their constant presenting and paper-writing in addition to their regular studies, they come out of the program as personable professionals who can write and speak in a public forum, basics that are often neglected in other programs.
The students in this specialization don't get out of the fundamentals. Call it fundamentals+.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Combustible rubbish read to the torch of any one ambitious to illuminate his name.
In Dr. Johnson's famous dictionary patriotism is defined as the last resort of a scoundrel. With all due respect to an enlightened but inferior lexicographer I beg to submit that it is the first. (from The Devil's Dictionary)
"Evil thrives when good men do nothing"
That is the problem. Prior to 9/11, there had been no comparable act of terrorism. While right now, things have been mostly peachy in the realm of cyber security (and when it's not, the public is not likely to hear about it), there is a general feeling in the cyber security community that our day will come. This time, however, they are actually attempting to prepare for it; how can that be a bad thing? Even if ineffective, there is effort being applied.
You would be suprised at who sits behind those computer screens and what their intention is. If the United States has an entity for electronic and cyber warfare, it seems that our enemies would have something similar. Now, back to the teenager thing... it is a sad truth that many compromises of confidential systems have been made by a teenager that is "just curious," but also some of these teens have developed an angsty hatred of the U.S. government and consider it a game to take it down.
You might not see it as terrorism... until the 911 systems go down. Until the IRS systems are compromised and your entire identity is stolen and abused. Until major systems are undergo a DDoS when you suddenly need them. That is why these preventative measures need to be in place, and why our youngest and brightest are being trained to take on this endeavor.
However, I don't think that 12 year old terrorists was the focus here. It is the damage that can be caused by even a 12 year old in context with what can be achieved by a highly trained individual who applies it for malicious purposes.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
"When the going gets weird, the weird turn pro" -- HST
Give the kid a break!
Can we please shorten this report to two simple words?
Common Sense
My career in computing security; which consisted mainly of securing sites for small companies; taught me that much of what is going on is lack of clear policy and common sense.
Much of what I see missing can be traced back to the lack of a clear, well thought security policy.
This one document (often not more than a simple statement) is the root of all security related activities within an company or organization.
It have collaped and wet my pants while laughing at what I have seen for 'security' at some organizations.
An example: A company with some of the greatest tools and equipment; firewalls, VPN, the whole works. But with no clear documentation on how to configure what. Everything kept between the ears of the lead sysadmins. If they quit or get laid off (which happens); all this information gets lost.
Firewall set nice and tight (nothing in at all except VPN and port 80 to a machine on a security island). However, the VPN was configured with shared passphrase that was 'secret' and with no restrictions on what IP can initiate a connection.
Or VPN's that have proper certificates but with no revocation lists. Road Warrier VPN clients with the passphrase hard coded on the box and not having to be keyed in: Stolen laptop - direct acces to company VPN to inside network.
Or, nice tight firewall and VPN; but with open wireless ports inside (easily reachable from the parking lot or common building lobby or better still, the public cafe on the ground floor).
What realy keels me over laughing is how vendors are allowed free access to the company network. And how that access it not properly terminated upon conclusion of the contract.
Couple this with no clearly written and fully agreed upon (throughout the entire enterprise) security policy. Easy path to desire.
Luv you all
Cleara
Am I the only person who is tired of the rhetoric "Since September 11th, each and every American's life has changed"? For those outside of the goverment, and particularly the military, has it really? Certainly we have mangled the Bill of Rights beyond recognition, but am I the only one whose reaction to the 2nd attack on the WTC was "well, it finally happened?" And the notion that using commercial airliners as weapons was unthought of? Given that Tom Clancy is a best selling author, the odds that no one in our security infrastructure read about that scenario is close to zero.
In the meantime cyber security is left up to the private sector via contracts with the government. What I find appalling is the milking of government by these contractors. You've all already heard of Halliburton and KBR milking the government in Iraq, but have you heard of contractors doing that here on US soil, in the IT field where things are supposedly "more efficient?"
Don't know what I mean? Let's say a bid is requested by government for a specific site security analysis/surveillance. If done right, it only needs say 2 or 3 people. But the contractor, knowing that there's not much competition in the field of security, bids and tells the government it's a 10 man job. So they put together a team of 5 people (other 5 are ghosts), and guess who does the brunt of the job? A select 2 or 3 persons of the team. Guess who pockets the salary of the 5 ghosts? The company and the management. Once the job is done, the guys sit around twiddling their thumbs, sitting until the contract runs out.
I don't think contracting services for cyber security is the most efficient way to secure government networks. It works, yes, but we'll see if the problems catch up to the current system.
Linux at home
...which is precisely the proper way to group this sort of study as far as I'm concerned (as opposed to offering a MS with a specialization in "cyber security").
...
Here's the not-yet-extant Univ of Illinois - Urbana Champaign certificate program in Computer Security description
They'll probably supplement it with Network Security stuff, Intro to Crypto,
(1) fund a bunch of NSF grants for folks to develop hacker detection tools or short of that detail practical hacker detection mechanisms and make a recommendation about whether the US gov't should subsidize a move to IPv6 (will this provide us better hacker detection; hacker prevention?) What might making this move save us?
(2) get serious about primary education in this country; our university grad programs in all of the sciences and engineering fields are 1/2 full of folks who will never be able to work for the DHS (well, maybe NEVER is too strong but cyber security is a national issue and something we will need US nationals to work on)... we need US technologists!
Here is what I did for one of my clients:
First thing; Clear security policy. Goes something like this:
You get the idea. This master policy shall be clear and simple at the highest level. Group and organizational policies shall include more detail as applicable to the group. However, they must all trace back to this master policy. When possible, the application of industry standards shall be spelled out as they relate to this policy.
It goes without saying that everyone involved (customers, vendors, partners, and employees) shall get the appropriate training. The more clear and concise the policy, of course, the less time would have to be spent on detailed training.
Idealy, all of this should be established and clearly agreed upon by everyone within the enterprise before a single piece of equipment is touched or configured.
Now that you have a clearly written and agreed upon policy, it's time to impliment it. Here are some suggestions that I like to employ that can pretty much transcend most security policies:
Firewall off everything except VPN. Don't even trust SSH from outside your company lan. If you must, trush SSH to a hardened box in a security island that is a lobby gateway to yet another single hardened box inside the lan that you can lobby gateway to any other box on the lan.
Use a colo or managed host for web if possible. If not, definately put this on a security island with as little as possible (and tightly controled as possible) access to inside the company LAN.
Use certificates for VPN access. Use a revocation list that can be accessed by the VPN clients. Have tight restrictions on how often the revocation lists have to be updated.
Road warrier machines should be set up so that private key is either smart card based or with a prompt-able password. You dont want to have your airport laptop thief access to the company VPN.
Impliment (as part of your policy) and ENFORCE a strict no wireless policy from inside the company without manditory VPN. Enforce the requirement that all WIFI access points be provided by IT or some authorized organization. Enforce this by war-walking throughout facility and conficating unauthorized WIFI sites. Invoke an internal 'fine' if you must to get this message across.
Allow NO vendor, partner, customer, etc. full unrestriced access to your internal lans. Restrict their access. Partners's networks shall have VPN access only to those subnets within your network they need to fulfill their jobs. This can be implemented via VPN and access control lists. I have done this with the open source VPN solutions and iptables. Don't claim that it cannot be done without spending $100k's on equipment. And PLEASE remember to terminate this access when the contract is completed. You did remember to implement and use that revocation list, did you?
Do not allow transient vendor access to your company network. If you need services from a vendor that you have not had a relation with in the past; you should either drive (YOU having your hands on the keyboard) while they tell you what to do; or you should be CLOSELY shoulder surfing while they are doing their thing. I do not allow any new or temporary vendor unattended access to a system on our networks.
Have a CLEAR, DOCUMENTED and AGREED policy and procedure of what to do when someone leavs. This
Cleara
So some overpaid gov't mooch/schmuck is given this "CyberSecurityForTheHomeland.doc"
Said mooch is then told to, "Put this into PDF format, Wilson."
So...
"Thanks, Wilson. You sure are computer-literate!"
And who knew that OpenOffice can "Export to PDF"?
The US gov't sucks so much.
A-Day
..or the University of Nevada, Las Vegas already has a computer security curriculum (well, a few classes in the CS dept. from which I have received a degree or two). This includes information security and a general computer security. Also at UNLV is the Center for Cybermedia Research part of which is a computer security research lab.
What is your penile percentile?
7. Profit!!!
Aside from the encouragement to add Information Assurance curriculums to major colleges, this document says nothing. Somehow they even think the "BSA" is related to computer security.. ha ha ha.
=-=-=-=-=-=-=-= - The Celtic - =-=-=-=-=-=-=-=
I think the deal was that users' computers could have some trojan installed which, when activated, would cause the computer modem of the infected machine to dial 911, thereby flooding the (local) emergency response lines... standard DDoS.
So there'd have to be some way to geographically target certain areas in order to have a concentrated impact but that's the idea as I recall.
Bush's staff was warned and clinton's staff tried to get them to take Al Qaeda serious. Bush went so far as helping to to fund Taliban (which was simply channeled to Bin Ladin) with at least 30 Million dollars (but it was meant to help stop the poppies). After 9/11, Bush has done nothing real for security except soem cosmetic covering.
The above 2 situations describe exactly how security is done today in the computer world. MS has known defects and easy hit points. All that most MS admins do is wait until they are hit and then clena it up (all the while blaming the attacker and not taking any responsibility). It is followed with wasting lots of money on security software, of which they will routinely hide their own personal agenda in the security budget (new toys, etc). But they real problem is that after spending 10x what they need to, they still have not solved the unlieing problem; that is the running of a insecure OS. In fact, it is in their best interest to remain on it, so that it appears as though they are doing a lot of work (all the while hiding).
Plain and simple, computer security is most like American security as described today.
So when do I get my Intrusion Countermeasure Electronics?
When it comes to cybersecurity it really comes down to every individual taking that little bit extra effort :)
forum.lucidnow.com
Everything is for the Fatherl...I mean Homeland now. Sei...Good Bless America!
Just in case the reader forgot this fact while reading the rest of the exec summary, the next chapter, the Introduction, starts with "On a fateful day in September 2001, our lives changed forever as a handful of terrorists proved they had the means to destroy on a level equal to their hatred.".
Having grabbed the readers attention, the rest of the report goes on to do the following
a. Narrate an administrative history of the establishment of DHS and the cybersecurity divisions within it
b. Provide volkswagen loads of justification for the existence of said departments - based on various criteria, all liberally illustrated with suitably scary numbers
c. Lay the groundwork for greater control and monitoring by the departments, of all computing and telecommunication resources in the country, regardless of who owns/operates them.
d. Attempts a definition of cybersecurity - which is a good thing.
e. Provides more volksvagens full of information designed to prove that legislative and administrative machinery are acting diligently and responsibly along the road to better security. This also absolves the departments themselves from any potential blame in the event of a screw-up - "all our bases are covered"
f. Throws in some pseudo-wise statements about educating mom-n-pop about how to protect their store computers and generously mentions that it will fund education in related matters. Remains to be seen if they will just restructure existing funding, reallocate under a new head and claim a job well done there.
Not at all the level of analysis, detail or accountability information you'd expect. Of course, John Q.Public is told that his representatives are in the loop, so don't worry, sleep tight. Its almost as if the report was specifically designed to NOT reveal any information. We'd rather not tell you any more, thank you, cuz you and your neighbors might all be security risks.
See that long UID - that's what you get for lurking too long
They could if the deadline would be a realistic guess instead of a "we need to be faster than anyone else" management decision.
Linux is not Windows
ha! No, I was not but you have a valid point.
Alright, there were too many to go around replying to each individually, so for all the people who posted lists of why the document/writer/government sucks:
(x) ???
(y) Profit!
Phrases like "everything needs to be protected best" are little more than rhetoric. Another common vacuuous phrase is "common sense".
The question "From what threats" needs to be answered before any reasonable defense can be formulated.
I've seen lots of bombastic lists of "security
assertions" from pundits. Often CPA firms like to mandate these lists (and soon the government), but
these lists seldom are accompanied by analytical
back up. They are security 'cliches'. Things like
1. Use a firewall, 2. Have strong passwords, 3. Lock your doors, etc....
These cliches, although arguably good in a vague
general sense, may not be relevant to a particular security (or budget) situation.
You need to figure out exactly what threats you
face, estimate the costs associated with them, prioritize them, analyze the results and design your policy specifcially to counter the threats that your budget and analysis justifies.
USENIX, among others, have had the information and trained for these capabilities for a great many years; it is the so-called leaders in Government and Business who have ignored the issue; what is some new-hire BSCS going to affect?
Number one issue with security: top down support. And unless organizations have changed in the past couple of years, especially Government, (DOE, etc.) it is a waste of time. They are just looking for funding and empire building.
The subcommittee does not recommend cybersecurity industry or standards regulation at this time. Industry may do more than government could regulate. Because the threat and the technology move so quickly in this area, the nation cannot afford for industry to be hamstrung by outdated laws and regulation that could impose temporal minimum requirements.
Randy Hall
"Safe computing is like safe sex, use some precaution and don't be a slut and download everything you can click on."
You say that like its a bad thing. =D
for once working with other countries on security, instead of operating under the delusional belief that any laws they pass are going to be effective since the majority of the world's population isn't going to have to abide by them?
People don't follow basic security.
At one client our basic security recommendations (get a lock for the server room. install a patch panel in the wiring closet, removing 40+ crimps) took 6 months to happen. Our most advanced recommendation? Move your mail/web servers off-site so you're not allowing inbound traffic, since we know you can't handle a DMZ.
Residentially... if people would buy a $20 router it would begin to solve problems (which residential ISP's should bundle anyways). The number of times I've cleaned up after exipred definitions (I had to renew that? I wondered what that big red box was), or even no virus protection. ISP's: cut a deal with norton/mcafee to bundle virus protection with monthly service. As long as they're your customer they're protected, and you might even save bandwidth! Make it a negative billing option - include it unless people specifically decline it because they are willing to take full responsibility for managing it on their own. And block those Netsky & friends emails already.
I use Macs to up my productivity, so up yours Microsoft!
I appologize. I misquoted the title. You can find a review of this book here:8 f/
http://www.unixreview.com/documents/s=1357/urm010
CERT Guide to System and Network Security Practices
by Julia Allen
Addison-Wesley 2001
ISBN: 020173723X
I somehow combined the "CERT Guide to System and Network Security" with a course I was taking called "Secure System Administration and Accreditation." My mistake.
I am not sure about your comment on firewalls. Firewalls are still are and should be used.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
You are assuming that I am buying into something someone else is selling.
You don't sound like a dick at all. In fact, you sound like a fair part of the American public.
It is true that "blowing something big up" might have a larger physical impact, but the strength of a nation is often determined by its information. When you stop or compromise the flow of information, you can really make an impact. It was not Bush or Cheney or any member of that administration that brought me to that conclusion.
I can't change your mindset and nor do I blame you for having it.
However, you cannot convince me that creating jobs for these students by creating government positions for them, and that securing a nation to the best of our abilities is a bad thing. It is not a propaganda directed at the general public (that is what the war is for; most citizens don't give a flip about what sort of security runs in our government's 1s and 0s) but simply good practice. They are training people for the job of considering that "Hey, this VoIP network is terribly insecure and could have x impact" so that the rest of the public does not have to. It's not the intention of getting every American citizen scared to death about how our computer networks are being run (although information awareness and homeland opsec is an important and useful concept) as much as doing what we can to make sure those systems are secure for if our day 0 comes. In fact, in this area of study, it's not about hyping people into accepting the violation of personal rights in exchange for security because many of these young students are some of the most vehement of privacy activists, but understand the importance of securing government systems.
They say hindsight is 20/20 after any tragic event occurs; what is the problem with endeavoring to look ahead while also creating jobs and educating students in an area in which they are interested?
If one says that system security is hype and that it shouldn't be pursued to all reasonable means, then I pity the system that person admins.
For once we are pursuing an area of defense... and this is still a bad thing?
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Actually, I would hazard a guess that a fair amount of our students take more than the thirty required hours for their Masters degree, oftentimes auditing courses for no credit so that they still get the instruction, but do not graduate early.
I can think of at least five students who are auditing an Operating Systems course for no credit toward their degree, although I suspect there will be many more.
My own experience with AI (although not in the strict sense) comes from a combination of a Neural Networking course I opted to take as well as research on autonomous robots, although the Advanced AI course is open students to take (with permission) if they prefer that route. So, I would still stand by my assertion that for many students, it is a fundamentals+ route.
I don't know many schools that offer or encourage this, but it seems more commonplace at our university for graduate students to take 12-15 hour semesters (note: graduate students. At most schools, it seems those students take 6-9 hour semesters instead) to expand their interests in other areas, and to extend their knowledge into more advanced areas of the fundamentals (like OS). I would personally qualify that as a high workload, but perhaps I misunderstand you.
I am certainly not trying to raise my own university above the others (although I am proud of my university), as I imagine that some of other schools have similar successful programs in this area. It seems that the advisors for that program demand a lot from their students.
(On a side note: I have a picture of Mudge from @stake and I from this summer when he visited the university. The students in these programs, it seems, are not completely cut off from the industry market, although I understand that this was not what you were asserting.)
Although you are correct in calling it more of a Security specialization because, overall, the degree is still labeled a Computer Science, but carries with it lots of security (as well as forensics and similar) courses. Not everyone in the Computer Science program opts to take security courses. Although those outside the security area also seem less likely to carry a heavy workload that is not required. Of course, that is true of any major.
I believe this might be an instance of my poorly explaining myself and misunderstanding you. For that, I appologize.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
I believe this might be an instance of my poorly explaining myself and misunderstanding you. For that, I appologize.
I appreciate the more detailed answer. And good luck!
It appears that the guide is available as pdf files at this location http://www.cert.org/security-improvement/
/* TODO: Spawn child process, interest child in technology, have child write a new sig */