U.S. IT Infrastructure Highly Vulnerable
An anonymous reader writes "The President's Information Technology Advisory Committee in their February 2005 report to GW writes "...infrastructure of the United States, which is now vital for communication, commerce, and control of our physical infrastructure, is highly vulnerable to terrorist and criminal attacks." It goes on to say that "fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure" and finally offers "four key findings and recommendations on how the Federal government can foster new architectures and technologies to secure the Nation's IT infrastructure." Here is yet another, not surprising, bleak outlook for cyber security in the United States. The full 72-page report can be found here."
Secure, is what IT ain't!
That was fast. www.nitrd.gov was /.ed even before the article went public for non-subscribers. Or maybe it went down some other way. Netcraft says they've been running a pretty old Apache.
Is slashdotting a .gov site an act of terrorism?
or maybe the terrorist took it down to keep their secret protected...
-Tim Louden
I don't know if this is just to increase paranoia or not in the US, but if there are security issues it is better that they talk about them, bring them out into the "open" so to speak. There is nothing they couldn't dream up as a terrorist or other attack on the IT infrastructure that hasn't been thought up already by others, even in the terror game it is hard to be truly original. And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures, what have you.
The rock, the vulture, and the chain
If we could read the report we would see that one of the problems is the /.'ing of .gov pages.
What are you babbling about? Bush has increased education spending by 33% since he took office.
... true indication of the US governments commitment to security if they moved away from M$ operating systems.
Free Firefox news reader.
I'm not doubting that this report is accurate in so far as systems are insecure, but the real danger is from script kiddies and other such people, NOT TERRORISTS. Using the word so far out of context to drum up interest (and thus funding) is despicable.
Given the U.S.'s penchant for saying "Nothing could possibly happen" until after it actually happens, no one will bother to spend money on this until some huge act of techniterrorism's carried out. Like someone hacking into the White House's system and getting the video recording of Bush choking on a pretzel. Or of Clinton "not having sex with that woman".
Tluin natha Linux xxizzuss uriu olt bwael mon'tun.
It always worries me when I see the current administration saying things like this...
:-\
highly vulnerable to terrorist and criminal attacks."
fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure
It isn't that they aren't right... It's just that whenever they go on and on about terrorists threatening our way of life it seems all they really want is to implement new ways of taking away our rights without actually protecting us at all.
Sure wish I could actually read the article.
You best watch out. I hear Federal (bang me in the ass) prison is nothing compared to Abu Ghraib.
My digital rights don't need management.
I haven't RTFA (who can, it was /.'ed almost instantly), but this sounds a bit like a segue into trusted computing -- or Palladium, or whatever MS is calling it. I would love to believe they'd get the clue and go OSS, but with the amount of sugar-daddy financial pull MS has with our government officials, I just can't put any hope in that theory.
Working in a DevOps shop is like playing in a band made up entirely of keytarists.
http://lazowska.cs.washington.edu/CyberSecurity.pdf
I found this /. quote (from the bottom of the page) to be perfect: /.ed AND it is supposed to be talking about a failure of communication. Anybody else like it?
"The biggest problem with communication is the illusion that it has occurred."
considering that the server was
-Tim Louden
Film at 11!
Could not connect to remote server: http://www.nitrd.gov/pitac/
Speaking of IT infrastructure, it seems ironic they're knocked offline after only a couple minutes of being posted on slashdot....
That must be why kids here haven't had a 5 day school week in a couple years.
Here is the google cache: google cache
Here is the blurb from their page, good luck trying to get the PDF though.
The rock, the vulture, and the chain
Don't "worry" guys, it is like this everywhere.
Canadian gov just released a month before the same kind of report and the conclusion is the same.
I work for a computer security company, and I can tell you that it is like that everywhere.
(Did I say it was like that everywhere?) (So why bother if it is like that? [yes this is ironic])
No sig for now.
How many times is Windows mentioned in that report?
Is it to the political benefit of the Bush administration, or the neoconservative agenda, to in some way react to the widespread and systematic vulnerability in the IT infrastructure of the U.S.?
Is there some personal gain they can derive from it, some personal goal that responding to this knowledge is convergent with?
No?
Then it doesn't matter. This advisory committee will be ignored, just as the committees and others who warned the Bush administration about the insecurity and threats in our nation's (and our nation's air travel system's) security were ignored in the weeks and months before September 11, 2001.
And if anything were to happen because of the vulnerability in the IT infrastructure, then just as before, the media, the world, will shrug and say there is nothing that could have been done, there was no way this could have been seen coming, it was not a failure of intelligence but of imagination.
Wow, you're making a broad accusation without ANY evidence to back it up. You sir, should go into independent media.
Viral software licensing is not freedom, it is in fact GNU/Socialism.
The states run the education system. It's just the federal government that shoves money at the problem. When has throwing money into a fire ever helped to put the flames out?
Free Unix? Free Windows. http://www.reactos.com
I'll just put some duct tape on my Internets.
"Why single out the current administration, when all of these fools have been saying the same thing?"
Clinton just blew Monica. GWB is blowing the entire country. And not in a good way.
Exactly who here is trying to promote and engender a sense of terror?
Hm.
Read the report and would like to respond. Could someone please tell me how to make one of those sad face things in my email?
Regards
George.
Free Firefox news reader.
/.ing the site is just a proof of concept and will probably be used as an example of what terrorists could do and be used to limit any rights that are left.
:-(
It will probably mean more money for monitoring individuals. And don't say later: we didn't know.
Don't fight for your country, if your country does not fight for you.
Yeah, I was thinking that too. But it wouldn't even have to be due to Microsoft's bribery; I'm sure locking down everyone's computers sounds like a great idea to someone like Bush
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Thanks for the Apache update. I figured they'd been using Microsoft since it went down so fast. Microsoft is secure. I'll be sure to ask the key logger on the free internet access site I'm using (not kidding).
riding round the world on an old motorcycle
Just a single example, but when you have a principal and an assistant principal at each school, both making 100,000+ $USD, that money gets used up in a hurry. Why don't they spend some of that money on teachers to lower class size? It's a bunch of stupid politics, and the students continue to suffer for it. There are dozens of other positions like that. I can see a need for a single principal, but what about all these other stupid positions?
In the High School at the K-12 district where I worked before, the "assistant principal" fixed his three sons' grades before he got caught and had to "resign to pursue other opportunities", and the "normal principal" was caught (by me) surfing porn after hours. Fucking brilliant.
Can you tell I'm jaded?
Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
Launch all zig!
This all seems a little alarmist. Our IT infrastructure is far more secure than our physical infrastructure, because our IT infrastructure has grown up under constant threats from script kiddies, trojans, and worms. 9/11 was possible because we have (or had) a basically open, trusting society. That's not true online.
Servers across the internet are under constant attack from all kinds of viruses, worms, and malicious hackers. Even the most successful viruses amount to little more than annoyances, and can be easily protected against by any systems administrator worth his salt. Like the human immune system, continuous exposure to cyber-pathogens results in our information infrastructure growing increasingly good at resisting and fending off attacks.
There's no reason to think that Islamic terrorists would be any more competent virus writers than those that currently plague us. In fact, given the backwardness of the arab countries where most islamic terrorists come from, I think there's good reason to think they would be less competent as computer programmers than people from other parts of the world. The only significant difference between cyber terrorists and today's virus writers is motivation. Most virus writers are interested in the technological challenge, and want to show off their prowess. They don't really want to do any damage. Others are more sinister, and try to install keystroke loggers or bots in order to steal your credit card numbers or extort money from people threatened with having their servers brought down by an attack from an army of compromised computers. Cyber-terrorists, on the other hand, would want to cause some spectacular failure that would grab all the headlines. Unfortunately for them, the systems that the terrorists would like to bring down are administered by professionals, people who are a lot more sophisticated than a grandma who forgets to update her anti-virus definitions.
Finally, two more features of our information infrastructure make it resistant to catastrophic failure. First, it is resilient. Our information infrastructure is largely owned by private industry, and is supported by an army of trained to quickly get systems back up and running should they ever be brought down. Second, and more importantly, the systems that comprise the infrastructure are diverse. No program can run natively on a Cisco router, an Apache webserver, and a Microsoft SQL server. It's therefore extremely unlikely that a single program could bring the nation's cyber infrastructure to its knees.
Wake me up when the Pakistanis and the Indians start debating which of them oWnZoRs Kruschev's old red phone.
Firewall vendors stock up 50%
Since it cannot be found anymore on the original place. Is there somebody with a copy of the PDF?
Can he/she make it publicly available?
Unless it's a crime to do that of course. I can't read if there is an included copyright and distribution notice in it.
The /. effect.
The latest in cyber-terrorism
Clearly you don't know anything about your own taxes, or education system. The United States Federal government provides very little of the operating income for the public schools. Almost all of the income for Education comes from local property taxes. So saying Bush raises federal education funding 33% says little about the total health of the education system, because Federal funding only makes up a small percentage. Currently in my area funding is dropping, many schools are closing down or reducing staff. Luckily the number of students is also dropping. The fact the State and Local governments have so much control over education makes the No Child Left Behind Act look stupid. Why would a Republican (Smaller Government, right?) make new Laws to deal with something that they normally wouldn't deal with? (To make you feel nice while they screw over an entire generation).
mnewberg.com
"Like someone hacking into the White House's system and gets the video recording of Bush choking on a pretzel."
maybe then the P2P software that can share such documents, will take the blame. then we will never have to worry about such hacks...
The only thing that piece of shit legislation does is give the kids more tests to suffer through. It adds no actual "accountability" to schools. Instead of teachers preparing their students for what they might actually need in life, they focus on only what's going to be on the test. What happens when some struggling inner-city school gets shut down because their kids don't pass their proficiency tests? They disperse into other schools and bring their scores down, resulting in less funding for those schools. Brilliant.
If Bush has added $13 billion in education funding, I'd like to know where it went. Districts all over are struggling just to keep the lights on. They are being forced to go to the voters for property tax increases. It's not a pleasant situation for anyone. The kids suffer because all their extracurriculars get cut and the property owners suffer because their taxes go up.
The state of education in Ohio (where both of my parents are in the field) is abysmal. Over 10 years ago, the state's Supreme Court ruled our school funding system was unconstitutional. Yet here we are 10+ years later, and the Legislature hasn't done a damned thing about it. My dad is convinced they're trying to kill public education, and from what I see, it's working. People are getting laid off, everything outside of the State Board of Ed.'s required curriculum is being cut, and the kids suffer. They've even cut bussing. It's really a very unfortunate situation.
In conclusion, fuck our incompetent politicians. I'm sick of agendas (as they almost always end up screwing the common man).
I'm talking about school budgets, not bureaucracy budgets. I don't know what things are like where you live, but giving a bunch of money to special education programs doesn't help most of the students here. Heck, I'm not even talking about music and art (shameful as the state of those programs are). I think there's at least a 33% chance that Americans aren't *smart* enough to create a secure infrastructure, IT or otherwise.
When I was a kid, we only had one Darth.
You're not praying hard enough.
--
make install -not war
Slashdot may well be classed as a terrorist threat. It allows dissemination of "dangerous" information, the questioning of technical strategy, the promotion of "communist" ideals (ie: a sense of community, rather than paranoia), the repeated DDoS attacks against discussed sites,
It would not surprise me if CmdrTaco and Cowboy Neil are on the "No Fly List".
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
First person to set up a BitTorrent for the PDF gets a +5 CoolAssMoFo from me. (Useless, but cool)
- A video
- A large image collection
- A PDF file
- A "personal" website (possibly hosted on a home DSL/Cable connection)
then please consider using Coral. As long as Coral can see the site, it will be in the cache, and as more /.ers hit the Coral Cache, it will be distributed around (kind of like what Akamai does, only without having to set it up in advance)
Overrated / Underrated : Moderation
...but here's a link.
-Tim Louden
I read your comment and then your name. I thought that your name said "Tim Laden". And I said to myself, maybe he knows 'cause he is Bin's brother.
There are actually programs around the country to address this, flying under the banner of "Information Assurance". I happen to be in one of the six initial NSA-approved programs.
The problem here, as I see it, is not a lack of opportunity or even expertise; it is a problem of making advanced degrees and training cost effective. For instance, I have a classmate who is running at around $120K of debt from school, from undergraduate work to his MSc. While this is not representative, it is quite rare here to see individuals who are able to balance the work-train equation. In short, it really doesn't seem cost-effective to get an advanced degree, especially a MSc as most of these Information Assurance programs offer.
I do not claim to know the environment that has brought us to this, but what I do know is this: just as a recent article in the Journal of Higher Education has pointed out, it would be helpful if we could stop treating student loans as raw "debt", and perhaps more akin to an investment. While I enjoy the thinking behind the SFS Cybercorps, the lack of support through a PhD is a huge oversight in my mind. Until it becomes cost effective to retain brilliance and pay for it, we will continue to face problems endemic to the situation at hand. To wit: if I have no scruples, and know that computer crime / digital trespass is typically not vigorously followed up upon, maybe I would embark on a kleptography spree. If, however, I was essentially told, "train with us for as long as you like, and then work with us" (e.g. extending Cybercorps to PhD levels of work), then I would come out with a better degree, a guaranteed job, and a good future. Granted, without any moral scruples, it may well be the case that a computer crime spree would just be a natural application of talent.
that some of them thar gummermint mofo intarweb geniuses are putting together a contingency plan to save the pron. For god sakes won't somebody think of the pron!!
I think it's an insult to victims of 9/11 and other real terrorism around the globe to call any attack on a *computer network* "terrorism".
I know it's trendy to attach the word "terrorism" to everything you don't like (Microsoft: "industrial terrorism", some politician just today: "medical terrorism"), but can we at least reserve it for cases when somebody might *die*?
Yes, our economy will suffer a major blow from an attack on our computer networks, but if you give me a choice between having to become a farmer to feed myself and *DYING* in a suicide attack, I think I'll take the former.
But one thing is true: our computers are horribly insecure and are at risk not ONLY from terrorists, but from pimply-faced teenagers that live down the street. And it doesn't matter what license your software uses or what OS it runs. The fact is that there aren't many programmers out there who bother writing secure software, and even fewer customers who demand it.
During a critical moment when the American navy is thwarting the Chinese invasion of Australia, the Pentagon may rely on the Internet to send critical information to an undisclosed location in Japan. The Chinese would likely attempt to destroy the communications links: radio, satellite, fiber-optic, etc. All these links could be an integral part of the Internet.
That critical information to Japan may contain the exact time when the Japanese air force launches operation VA ("Victory in Asia") by beginning the bombardment of Beijing. Only such force will compel the Chinese to free Tibet and to stop the invasion of Australia.
The Y2K problem was generated by a lot of people who wanted to make a lot of money. Sure there were a few systems that had minor problems, but nothing serious. No doubt a lot of fear was generated by people (who maybe knew better, but probably not) running around shouting "all computers have clocks and when we hit 2000, boom, we all die." Now it's true that all computers have clocks, but the more technical name is oscillator, which is a tiny piece of quartz which vibrates and produces very stable electrical frequencies (ideal for digital logic chips). They couldn't care less what time it is or what year. More than 10 billion US dollars were spent on insurance protection because people didn't know any better. Now we have the spectre known as terrorism. There are two parties in play. One party consists of genuine people who have their pet bullshit cause. If it was worth anything, merely stating it would be enough to generate followers. Guns can't get you there. The other party in play are those who would seek their own gain by providing 'protection' against the first (regardless of whether they can actually provide any security or not). It isn't just civil liberties that can get killed, many companies --people selling whatever to prevent whatever-- can make millions. Public statements about problems --whether they are real or not-- can have real effects on share prices of companies selling 'service and security'. In the end, 'being prepared' can generate millions of dollars, and in the end the extra security really did provide protection, even if it was only psychological/irrational.
Here is a link to the Coral cached copy of the story.
I located two other government sources here and here.
Another poster also found it here.
I'd like to point out that while there is no direct mention of Trusted Computing, it calls for a "fundamentally different architecture", some sections mostly later in the paper appear to describe Trusted Computing functionality, the experts they cite all appear to be Trusted Computing specialists and proponents (in particular David Spafford was the author of the semi famous WHY_TCPA and TCPA_REBUTTAL papers), at least some of the committee members appear to have Trusted Computing ties, and an earlier Cyber Security Advisor gave a speech at the Washington D.C. Tech summit calling for Trusted Computing and for ISPs to eventually make it a mandatory part of terms of service for internet access. A call to fight worms and viruses and to Secure the National Information Infrastructure against terrorist attacks, to defend against Osama bin Laden himself. Yes, he actually cited bin Laden by name. chuckle.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
This information filters into the brain of a person who had sent two emails during his first term of office, and one of those was just to confirm that his account was set up right.
Do you really think he'll GET this and act on it?
We're so doomed.
Wasn't there a big stink awhile ago about how "evil doodlers" were watermarking images to spread secret messages?
Logically, if they attempted to attack the internet, they would destroy these alleged channels they use to communicate.
It is more likely they would just hack popular web to spread propaganda, much the same as our FCC controls radio signals to spread propaganda.
Wouldn't be surprised if the threat is just another way of convincing us to give up freedoms, in this case, freedom of speech. Unfortunately, most of us are dumb enough to believe it.
The "Presidential Information Technology Advisory Committee" eh?
The actual reality behind the dangers present in the current IT infrastructure has very little to do with this group's function in writing this report, which was essentially to frame up another scare document propping up our "War President" and his administration's "message" of terrorists being everywhere, waiting to strike, to deprive us of our blessed Freedom and Liberty (because they hate it) and murder all our women and children etc etc
Don't Believe The Hype
-*-
hitting bottom never felt so good
I got 5 points, what do I win?!
Usama is his first name, not Bin.
How easy is it to cause trouble? Ask the antisocial 14 year old shopping at hot topic that thinks IRC botnets are "0mfg sup3r 1337 pwnt r0x0r!!111". It would be easy to track said person and penalize them legally by fostering ISP 'spy' programs for such activity, but that will immediately cause a privacy/rights backlash. I think it's fair to say at the current time there is no true solution, only an option that will make the bleeding less obvious. The internet and its anon. nature is great. It's one of the main reasons for the explosion of the internet.. people can freely express themselves without fear of being treated differently or outcast or whatnot. Such freedom of expression is awesome. But if it's so easy to be anonymous... how can you catch those who abuse the system on a scale that is effective and efficient without throwing privacy and personal rights out the window?
The Peanut Gallery, Ubergeek, Biblically Sober
NCAAbbs.com: Thousands of fans, Hundreds of teams, Just one place
Gotta keep that "superpower" global dominance for cyberspace in check, GW. Get it on!
I had just written an article not only on this topic but about the fact they keep putting too much emphasis on "terrorism" and not on the other 75% of people who would just as easily get in.
"It's better to be a pirate then join the Navy"
"Electronic Pearl Harbour" used to be all the rave a couple of years ago, now it only collects 553 hits on google. The names change but crying wolf won't go out of style anytime soon. I read somewhere that Tom Daschle referred to the Schiavo situation as medical terrorism, can't find a reference to it though. It might have been a bad joke but how are you supposed to know?
Yeah, and starting a preemptive war on another country based on false pretenses can't be considered illegal?
XP zombie
maybe it's time to start regulating/banning all operating systems until they pass some networking security standard.
The WHOLE point of the internet (or at least so I've read) was to create a communication infrastructure that could withstand a NUCLEAR attack. "Terrorists" are like mosquitoes compared to that.
It goes on to say that
... Cha-ching !!!!
"fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure"
Read as
seriously.
Clark Kent is Superman's critique on the human race.
select * from base where originalOwner = 'you' and currentOwner != 'us'.
0 rows returned.
I thought this was old news, having to deal with the theory of scale free systems, power-laws, etc. Most nodes on the internet are leaf nodes or have only a few connections to larger nodes which in turn feed into still larger nodes on up to supernodes which tie everything together. The probability of a node having some number of links is inversely proportional to the number of links raised to a power.
It turns out that this design has a couple of advantages. For one, the network diameter grows only logarithmically with the number of nodes. There's a fairly low bound on the number of hops between any two nodes, and the average is even better.
It's also quite robust in the face of random outages. As the vast majority of the nodes are leaves or small local networks, removing any single node at random tends to have only small local effects. Since there are so few of them, the odds are heavily against a critical node going down.
As nice as it is, the scheme isn't so robust against targeted damage. Destroying just a handful of nodes brings the system to its knees.
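The random-versus-targeted asymmetry the post above describes is easy to measure on a toy model, which is the kind of check a resilience engineer would run before deciding where redundancy and hardening budget should go. The following is an added example, not code from the original thread: it grows a preferential-attachment graph in plain Python (a simplified Barabasi-Albert model, which is an assumption about the post's "scale free" network, not a model of the real Internet), then compares the largest surviving connected component after removing 5% of nodes at random with the result of removing the 5% highest-degree hubs. All graph sizes, seeds and the 5% figure are constructed inputs.

```python
"""Random vs. targeted node loss on a constructed scale-free network.

Added example (not from the original post).  Plain Python, no networkx.
The graph model is a simplified Barabasi-Albert preferential-attachment
process; sizes, seeds and the 5% removal fraction are constructed choices.
"""
import random
from collections import deque


def build_preferential_attachment_graph(n, m, seed=0):
    """Grow n nodes; each new node links to m distinct existing nodes chosen
    with probability proportional to their current degree.
    Returns an adjacency dict: node -> set of neighbours."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n)}
    # Seed core: a complete graph on m+1 nodes, so every node has degree m.
    for i in range(m + 1):
        for j in range(i + 1, m + 1):
            adj[i].add(j)
            adj[j].add(i)
    # 'targets' holds every node once per unit of degree, so a uniform pick
    # from it is exactly degree-proportional (preferential) attachment.
    targets = [v for v in range(m + 1) for _ in range(m)]
    for new in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(targets))
        for t in chosen:
            adj[new].add(t)
            adj[t].add(new)
            targets.append(t)
        targets.extend([new] * m)
    return adj


def largest_component_fraction(adj, removed):
    """Size of the largest connected component among surviving nodes,
    as a fraction of the ORIGINAL node count (BFS over the alive subgraph)."""
    alive = {v for v in adj if v not in removed}
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        queue, size = deque([start]), 0
        seen.add(start)
        while queue:
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w in alive and w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best / len(adj)


def random_failure(adj, k, seed=1):
    """k nodes lost at random (hardware faults, power, misconfiguration)."""
    rng = random.Random(seed)
    return set(rng.sample(sorted(adj), k))


def targeted_attack(adj, k):
    """k highest-degree nodes lost: the 'supernodes' the post talks about."""
    return set(sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k])


def mean_hops(adj, source):
    """Mean BFS distance from source to every reachable node."""
    dist, queue = {source: 0}, deque([source])
    while queue:
        v = queue.popleft()
        for w in adj[v]:
            if w not in dist:
                dist[w] = dist[v] + 1
                queue.append(w)
    return sum(dist.values()) / (len(dist) - 1)


def compare_resilience(n=2000, m=2, fraction=0.05, seed=0):
    """Build one graph and report degree shape, path length, and the surviving
    giant component under random loss vs. hub-targeted loss of n*fraction nodes."""
    adj = build_preferential_attachment_graph(n, m, seed)
    k = int(n * fraction)
    return {
        "max_degree": max(len(s) for s in adj.values()),
        "mean_degree": sum(len(s) for s in adj.values()) / n,
        "mean_hops_from_node0": mean_hops(adj, 0),
        "after_random_failure": largest_component_fraction(adj, random_failure(adj, k)),
        "after_targeted_attack": largest_component_fraction(adj, targeted_attack(adj, k)),
    }


if __name__ == "__main__":
    for key, val in compare_resilience().items():
        print(f"{key:>22}: {val:.3f}")
```

The heavy-tailed degree distribution (a handful of nodes with degree far above the mean of about 4) and the short mean hop count are the two properties the post credits; the last two numbers are the defender's takeaway: losing the same count of nodes costs little when it is random and a great deal when it is the hubs, so those hubs are where multi-homing, spare capacity and monitoring pay off.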
From the "slap-the-threat-of-terrorism-everywhere" department:
The following pillars of Western Democracah are hereby also identified as being hideously vulnerable and must be RADICALLY PROTECTED BY NEW LAWS:
- Roads (public)
- Motor vehicles
- Food
- Buildings
- Water
- Air
- Books
- Magazines
- Furniture
- Electricity
- Gas (liquid)
- Gas (er, gassy)
- Speech
- Thought
- The moon
- Everything else that we might think could be fucked up by somebody who has a grudge against anything.
Please bend over and kiss all your freedom goodbye. You owe it to your children's future.
"And the meaning of words; when they cease to function; when will it start worrying you?"
The startpoint for a decent environment should be a way to interconnect (or 'internetwork'?) various computer systems and local networks using data links with redundant, multiple pathways (or 'routes') so that the failure of a single route would not affect the overall functionality of the internetwork.
Since the US government is worried about this, maybe one of their own divisions - say the Department of Defense? - should look into this.
In the end, maybe technology spin offs from this could be used for the benefit of the civilian population too?
Just an idea.
AT&ROFLMAO
As we all know, Al Gore invented the internets, but it's W who will finally make them safe!
The same as "The War on Poverty" or "The War on Drugs". It's not even that bad. Look at what happened with the other worms (slammer in particular). Banks were off-line. And the total number of businesses that failed was
"Cyberterrorism" is worse than an insult. No one dies in "cyberterrorism". No one is worried that they MIGHT die.
Just look at the sniper attacks in DC. People were worried and they stayed home, they kept their kids out of school, etc.
Slammer hits and people get annoyed at their computers. Big deal.
But "cyberannoyance" won't get votes.
People have emotional reaction to words and most of them don't have the knowledge to evaluate the REAL threat (or the desire). Tell them that THEY are in DANGER and that the NEXT ATTACK could be WORSE | DEVASTATING | HORRIBLE BEYOND IMAGINATION and you can get them to do just about anything. Yep. But the "risk" is that you might lose some money / time. Yep. But so what? Until the customers lose something of value, completely (no getting the bank to reverse the charges), they won't demand anything that limits their activities.
They will happily support politicians who want to get "tough" on "cyberterrorism" and "crack down" on those "cybercriminals", but they will still open every email attachment.
With proper routing, redundancy, spare capacity, it could be more robust, but there is no mandate for that, but mainly pressure to drive costs lower and lower. So you get an internet which is very low cost, and very powerful, but not very resilient to major problems.
Love many, trust a few, do harm to none.
What a load of nonsense
Shame on Ohio for being so in bed with the Military neo-con industrial complex.
Ohio is a disgrace for being so addicted to Air Force dollars.
So next time run an honest electoral system, throw the neo-con fascists out of office, and maybe you can do something with education.
Until then education doesn't matter because as we all know neo-cons dont care what you know as long as you agree with their 'everyone but us are slaves' point of view.
Let them keep building their walled communities and giving over everywhere else to huffers and criminals.
That is the contract on America that corrupt rububbacan states like Ohio have given the rest of us.
Shame on Ohio.
The real danger is from the bleeding of our future by a 'don't tax and spend the future' republican group of trust fund baby neo-con fascists.
They will create any scare at all to justify their further bleeding of our future for their future.
And they will pit various groups against each other, demanding that they have access to everything everyone else does.
But they won't let you in to their secret indoctrination rituals at the various 'elite' schools.
The current form of government is more feudal than democratic. The people running the government don't seem to care that they are destroying the infrastructure of America. All they seem to care about is their secret agenda (which we can't even know).
So, script kiddies, who cares. But they make a nice boogie man for the neocons to scare the rest of us with.
What did Pete Townsand say? Won't get fooled again? Well, he was wrong.
When you are dealing with liars, like the current administration, then you can't believe anything that they say.
This can be a problem when you have people that still give them the benefit that the high office of President has traditionally bestowed.
The neocons don't really care, it seems to me, what happens to the ordinary person. Would they, if they could get away with it, ignore some major threat so that they can use the result of their neglect as a way to foist upon us some new and ardous form of facism?
Could they do that? Let bad things happen and then do a power grap? Can they be that currupt?
1. Allow companies (who have a vested interest in profit over security) to develop products that bastardize existing standards, or create ones that are not operable with others. Allow the masses using these products to freely connect to the internet and cause all sorts of havoc.
2. Allow companies (and gov't agencies) to outsource maintenance, development and support of IT functions to second and third-world countries -- none of which have a vested interest in keeping our infrastructure safe and secure -- let alone our citizenry.
3. As a result of step 2, enrollment in IT/CS related fields plummets. U.S. no longer a leader in CS.
In the future, the Nation may face even more challenging problems as adversaries - both foreign and domestic - become increasingly sophisticated in their ability to insert malicious code into critical software.
I don't agree this is a future danger, it's a present danger. First, I don't think sophistication is needed as code is rarely inspected carefully in proprietary software. The theory behind open source is that everyone will be able to check the code and problems will be caught that way. But you have to admit that not everything can be open source.
Second, critical code is getting developed in all sorts of places, increasingly offshore. Companies make those offshoring decisions based on their own bottom line, not the national security interests, and that is not going to change anytime soon.
These people must be really, really smart
"software is a major vulnerability"
"endless patching is not the answer"
Did they recommend BREAKING UP THE OS MONOPOLY CHIEFLY RESPONSIBLE FOR THE MAJORITY OF THE PROBLEM?
I didn't see that one
Akk! I goofed on Spafford, ignore that sentence. The TCPA papers were by Safford [no P], different person. My bad, ignore that part.
But I think that is more than made up for by this item, David Patterson is on Microsoft's Trusted Computing Academic Advisory Board. Chuckle.
They list Carl E. Landwehr (one of their invited experts) as "Program Director" at the National Science Foundation, but more specifically he is the Trusted Computing Program director. Which also happens to be where they say we need $90 million a year in government grants.
And here's a link to the former presidential Cyber Security advisor Richard Clarke's Global Tech Summit speech that I mentioned. Quote: "TCPA is not enough. It is a good beginning, but it is not enough". He goes on to say that we need "a way of forcing down patches" (which can only be enforced through Trusted Computing) and that ISPs and carriers insist that firewalls be installed (again only enforceable through Trusted Computing). To Secure the National Information Infrastructure against bin Laden. Oh, and by the way the Trusted Computing Group has announced they are working on routers that enforce exactly those things, forcing down patches and verifying that firewalls are installed and compliant. If you're not compliant then the router would deny you a net connection except strictly to receive the patches to come into compliance.
Amit Yoran (another invited expert) is the more recent president's Cyber Security Advisor who just resigned because he was frustrated that the government wasn't making *mandatory* action for those changes to Secure the National Information Infrastructure. He didn't want to just make recommendations and wait for businesses and the market to change, he wanted the government to regulate and force things along.
I'm too tired to try and research everyone. Neeeeed sleeeeeep. But I'd wager there's more Trusted Computing ties and support among them.
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Who is this GW, the submitter mentions?
Having worked on some .gov systems over my time, the biggest problem is often that the resources are spread very thinly across the country. They really need each department to invest in people that will just focus on keeping things up to date.
Primary focus can be desktop and internet facing systems. This can be made a lot easier. Windows update for example is much more reliable than it has been in the past (not perfect but better). And most unix systems are compatible with systems like pkgsrc which would make it much easier to at least try and resist incoming attackers.
Having centralised management and control over all systems would be a great start. That's something that many countries have; however, from my experience many American departments have different staff in different offices/regions, making the mismatch in staff quality and skillset diverse enough to affect security.
Wasn't there a similar report a few years back that concluded that, while there was a risk of 'cyber-terrorism', the potential damage really wasn't that great?
The thing that gets me about the terrorist threat scare-mongering is how incompetent it makes the terrorists appear. There was a report over here (UK) recently saying that there are potentially hundreds of terrorists at large in the UK. If that is the case, and they really hate the West so much, why are there not people dropping dead left and right? Surely several hundred well-trained, dedicated people with access to weapons and poisons, as they are made out to be, could cause mayhem if they wanted to.
My pet example: twenty random terrorists with no previous record spend a couple of days travelling round the country separately injecting ricin into random food items in supermarkets using hidden syringes. They'd cause mass panic and paralyse the food system as everything has to be checked.
Unless the threat isn't as great as it's made out to be, of course.
The security of a network is a combination of factors:
Technological
Physical
Social
We can fight the battles in the technological front till we're blue in the face, but the temp at the front desk is a hole you'll probably never close.
In my head, obvious questions this document failed to address are as follows:
How many people have access to your data center?
How many people have access to your most remote networked buildings?
Scrolling through this document there is no mention of the greatest security challenges facing IT today. Worms have been around since before the public internet, and as IT warriors we fight those battles constantly.
Ignoring the other aspects of "cyber" security is folly and tantamount to IT security suicide.
things were made worse by Bush paying off BG and pushing MS everywhere in the government. Any place that GWB had direct control has been forced to convert to Windows. I love the speaking of security while converting our country to a land of total insecurity.
Case in point: It's pretty damn hard to remotely hack a slidecard door access system's logging system if all it is is a direct serial cable to a serial line printer.
For those who aren't aware Richard A Clarke was the former cyber security and counterterrorism czar, national security counselor to three presidents (including Democrat Bill Clinton), and a trusted member of Bush's own advisory staff until May 2003. Putting aside partisan feelings on the man, he knows what he's talking about.
People in the U.K. already know this. That's why they won't pass a legislative trojan-horse like the Patriot Act in Parliament.
"Flyin' in just a sweet place,
Never been known to fail..."
Would any of us have tolerated the preventative measures before that stuff happened?
Much of what you say, ScentCone, is thoughtful, passionate and enlightening. I have no argument with most of what you said, especially in terms of its spirit, which I will take the liberty of characterizing as socially-conscious and altruistically-oriented. But I do want to object to what you seem to imply in the sentence I quoted above.
Despite the horrors and ramifications of the Spanish train attacks and the destruction of the World Trade Center, no free citizen should tolerate the kinds of restrictions upon civil liberties as outlined in the Patriot Act. In another context, and with all due respect to those who lost their lives and livelihoods in the wars of the last thousand years, the acts you refer to as terrorist acts are acts of rebellion, acts which seek to destroy the empire which dominates the world.
I'm not saying such acts of rebellion are exemplary or laudable, though some may consider them to be so. I am also not comparing these acts to the hormone-driven execution of Columbine-esque revenge fantasies by barely post-pubescent computer literates. I am, however, allowing that these acts do have different meaning for some who are just as passionate and thoughtful but in ways that are opposed to the dominant world order.
In any case, relinquishing our freedoms because we are afraid to die will secure us nothing, neither freedom nor our lives. I think someone said something to this effect much more eloquently nearly years ago. Amazing how it's still true today.
blog
Agreed, "cyber terrorism" isn't very likely imho, given the sort of lifestyle that leads to hacking skills vs. the sort of lifestyle that leads to being pissed off at thousands of citizens in a shopping mall. There's a danger of someone with the skills and few scruples being hired by a sociopath, but personally I think these things are far too rare to be seriously worrying about, and they're pretty much unstoppable anyway. It's the age-old question: how do you stop someone determined to kill you, even at the expense of their own lives? Simple answer is that you can't. But you can probably prevent it, with better mental healthcare, fairer treatment of other nations, etc.
However, cybercrime such as theft is much more likely, and needs to be taken seriously. And this whole phony war against terror thing is just distracting people from that, imho.
"Where do you draw the line? 3000 people dead? 300? 30? 3? I say that someone who deliberately sets out to cause havoc, knowing that their actions will cost jobs, induce fear, require cleanup, new security measures, etc.... that person is terrorizing their audience/victims, and is a terrorist. Some are more effective at smashing store windows during witless demonstrations than they are killing people, and some are more effective at burning cash in the economy as businesses, schools, and grandmas fight malware, and some manage to kill thousands of people - but they all, by choice and deed, are causing pain, expense, suffering, and sometimes death. Those are terrorists, varying only in scope and effectiveness."
The word "terrorist" *has* an actual definition, though the US legislature has somewhat disregarded it due to the utility the term "terrorist" has in passing a bill -- sort of like "communist" in the 50s. A terrorist is simply someone who imposes terror on civilians to produce political influence.
An assassin who kills a President for personal reasons (with no intention of trying to push through a political agenda through fear) is not a terrorist. However, Hitler would have been a terrorist due to the violence and threats of violence that he used to cow his political opposition.
Computer 'terrorism', while juvenile, may be annoying. IT IS NOT the same as someone physically walking into a building conditioned to believe death = change. Change = now. Now means kaboom. You don't think they're different? Try it.
The original impetus for the InterNet was to design a distributed computer network for the military to survive nuclear war. The Dept of Defense Advanced Research Projects Agency funded InterNet and computer research until Gore's superhighway funding in the 1980s.
Granted we are looking at non-military sources of threat, and there are some key weak spots in the system.
When I was a kid my family went to Disneyland. We checked our luggage at the ticket counter, walked to the gate and got on the plane. No security scanners, no checking of any kind. People on the plane could have been carrying handguns in their pockets. No big deal. Then people started taking advantage of this huge gaping security hole and actually hijacking planes, and things changed.
I think MOST security in the world follows the same principle: safe & secure = nothing bad has happened yet. Think about all the public places you visit all the time... shopping centers, movie theaters, schools... where large crowds are assembled on a daily basis and there's great potential for mass mayhem, except it hasn't happened enough for people to worry about it yet. Eventually that will change. Everything does.
I share your concerns about so-called "Trusted Computing" and in general any form of DRM which leaves the owners of computing infrastructure at the mercy of the suppliers of its components. It's not particularly about computing. Such a situation would be intolerable in any industry.
However, I think for the record I'd like to point out that Spaf is consistently on the technically sound side of the debate here. I say this having grown up with him in the USENET days when it was a pretty small club and fools were not suffered gladly. His was always the voice of reason.
Take a look around and see for yourself. We want his point of view on the PITAC.
Parity: What to do when the weekend comes.
Publish information about how poor the security is in an ebook and get arrested? Publish information about a vulnerability in an OS and risk being sued?
Why would anyone want to do security research that may help existing systems when the only thanks you will get is a court date?
Anarchists never rule
What do you think of a nation that uses Windows NT for controlling their warships?
But on the other side, for what else than shooting overpriced, tax-paid rockets against oil-keeping nations are they for (Money, money, money ... ... oh, yes, transaction of taxes on Mr. Weaponsmith's account ... ... makes me funny)
Ups, OT.
And may god's love be with you
I see that the government is trying to classify "security experts" and "network administrators" in a different boat, saying that very few security experts are hired across the US inside universities. Well they have it all wrong. Network administrators who cannot identify if their network has been compromised should not be network administrators. If anything, improve the security related classes in which you become a network administrator. MCSE is nice, but how much real world security knowledge does that certificate teach you? Security expert? What is the difference? You do not have to be an expert to monitor your own network. That is just another glorified I.T title that people use to try to make more money for themselves.
Seems something went wrong after ARPAnet screwed the pooch (or FIDOnet :P)... Especially since that internet thingy was originally developed to be decentralised and able to withstand a 'nukular' attack.
-- Waht? Tehr's a preveiw buottn?
The letters came with a warning what you should do if you had opened them, and one US bio-scientist was AWOL at the time, so I think it can be safely assumed the idea was to scare the US government into investing more money into counterterrorism, especially biologic weapons research.
Maybe the guy simply wanted more money invested, or wanted to support the PATRIOT act.
The letters became really scary only when it was discovered that mail workers could be affected by the powder escaping out of the letters in transit.
I'm still trying to figure out what people mean by 'social skills' here.
You know, I really wouldn't be that worried if ... Osama bin Laden ... himself ... was sitting at my computer.
Tell ya what, Mr bin Laden and Mr Saddam can have a field day 'hackin' ... i'll even tell them they can 'type startx' to make things look prettier.
"We don't control the internet, but we want to"
The Internet was never meant to turn out the way it is today - it was designed so that everyone could access everything. Unfortunately, this methodology sets you up for failure when you try to secure things down. If we want to be truly secure, we need to redesign the Intraweb from the ground up. (Including physical cabling) Now what are the chances of that happening?
...Had this been an actual emergency, we would have fled in terror, and you would not have been informed.
Fortunately, we live in a civil society. Forget IT, let's look at other ways nefarious evil-doers can do us in. Blow up a railroad track. Set stuff on fire. Break into your home. Kidnap you. Etc.
We do not live in armored houses, drive armored cars, or wear body armor. Why not? Well, because we live in a civil society, that's why. That's no mere pollyanna daydream, either. We absolutely depend on the general good-will, or at least forbearance, of those around us to survive.
There are so many ways someone could throw a wrench in the works. So sure, IT infrastructure is vulnerable. Does that mean we're just inviting terrorists into our living room? Nonsense. We should take reasonable precautions. We should also not allow a bunch of loud-mouthed political hacks to cause us to spend inordinate amounts of money on a bunch of horse pucky.
I'm sure Microsoft would love that. Then they would have some sort of basis for pushing DRM, and could cause all sorts of problems for free OSes.
And the l33t shall inherit the 34r7h.
And they want to make ISPs require TCPA for Internet access?
I'm sure that TCPA advocates will be telling us that this is impossible...
Of course, the Titanic was unsinkable, too.
Tech Public Policy stuff
Gee-- What didja expect??? Spend trillions and trillions giving rich mother fuckers tax breaks, handing out perks and no-bid contracts to energy buddies and big industry, and generally screwing the country out of all its budget surplus and monies allocated to homeland security.... what did you expect??? It's gonna SUCK. But don't blame me, you assholes elected him again.
http://www.johntaylorgatto.com/underground/toc1.htm
"Trusted Computing" is the name of a program -- and philosophy of design -- that NSF picked years ago for its research programs. 20 years ago, "trust" was picked as the term for the Orange Book series.... Systems can never be totally secure, but we can try to enhance our trust in them.
The TCPA effort has taken the "trusted" and applied it to a particular effort of theirs that embodies hardware enforcement of certain properties. The system can be used to enforce a boot path, run only signed software, etc. DRM is simply one use.
The use of "trust" in the PITAC report is *NOT* the same as the TCPA. Rather, it is more aligned with the first definition. People familiar with the field of infosec understand the distinction. Sadly, there aren't enough people who really understand the field.
Imagine that to surf the net you will have to purchase license plates, ask the government's permission and even probably take a written test. Then you will have to call your ISP and provide them with your license number and the number stored in your PC and some secret word given to you by the Cyber Agency of Great Emperor (CAGE), and after all that your PC (only this one, not that one) will be allowed to connect and even download a site or two. Oh, yeah, I completely forgot - from now on patches are mandatory. You are not going to drive at night without lights on, are you? The same thing is here - your firewall is updated by your ISP every 500 miles ... sorry, I meant 1GBytes.
Wireless community networks and satellite can create some problems, but overall this is definitely doable.
Spaf is consistently on the technically sound side of the debate here.
:)
Ah good, I'm glad to hear the panel wasn't stacked, or at least not completely stacked.
A question, are Gene Spafford and Eugene Spafford one and the same? Or two different researchers in the field? I was doing some googling and came across both and got comfoozled. Bad enough I was already mixing up Safford and Spafford, heh.
When has throwing money into a fire ever helped to put the flames out?
Why don't we cut the funding to your local firestation, light up your house and find out?
I don't speak French.
"fundamentally new approaches are needed" Read: "we need Great Chi.. er, USA Firewall".
What would a modern Obelix say today? Of course, "Those crazy Americans!".
Uhmmmmmmm, I guess I'll have to add this news item to one about Chinese spies working for Islam that are trying to detonate a 'dirty' bomb in Boston next to Senator Kerry's campaign headquarters during Bush's swearing in.
Home page at Purdue: http://www.cerias.purdue.edu/homes/spaf/.
Oh, and you could still be right about PITAC being stacked. Not to impugn any of the participants, but there seems to be a remarkably odd representation of industry there.
In a committee setting, the effect tends to manifest in what is not said when reporting its consensus position. The PITAC report makes interesting reading with this in mind. It's an excellent introductory overview to information security, and I have no reason to fault any of its observations. For example:
But it does not suggest that there are immediate, practical steps that organizations can take to reduce security risk. It doesn't classify sources of security risk. It doesn't observe that some organizations are found to be much more secure than others, it doesn't inquire into why that might be, and it doesn't identify specific platforms or strategies that, if encouraged, would be expected to lead to a more secure information infrastructure.
In my view, these would have been useful and appropriate themes to cover in a report of this nature. I consider their absence a significant and remarkable shortcoming of the report. But from a committee perspective, asking for more research funding is so much safer. Then we don't get into the sorts of direct questions that might create discomfort for some of the industry members. A knowledgeable reader can make this inference, and so to that extent the report has maintained integrity. Unfortunately, the report was not intended for a knowledgeable audience.
MosNews | March 21 2005
On the pretext of fighting international terrorism the United States is trying to establish control over the world's richest oil reserves, Leonid Shebarshin, ex-chief of the Soviet Foreign Intelligence Service, who heads the Russian National Economic Security Service consulting company, said in an interview for the Vremya Novostei newspaper.
Using the anti-terrorist cause as a cover the United States has occupied Afghanistan, Iraq and will soon move to impose their "democratic order" on the Greater Middle East, Shebarshin said. "The U.S. has usurped the right to attack any part of the globe on the pretext of fighting the terrorist threat," Shebarshin said.
Referring to his meeting with an unnamed al-Qaeda expert at the Rand Corporation, a nonprofit research organization in the U.S., Shebarshin said: "We have agreed that [al-Qaeda] is not a group but a notion."
"The fight against that all-mighty ubiquitous myth deliberately linked to Islam is of great advantage for the Americans as it targets the oil-rich Muslim regions," Shebarshin emphasized.
With military bases in Afghanistan, Uzbekistan and Kyrgyzstan, Shebarshin said, the United States has already established control over the Caspian region -- one of the world's largest oil reservoirs.
I think it's worth pointing out that the *real* problem (as usual) is not just technical issues, but also the end of the content and that i could jump out of heaven every stone about the weight of a firearm. Because that's just the way of being a citizen is the acceptance of those obligations.
I like to go to one central place for music, movie and TV-series downloads where I know the quality of the content and that I indeed support the ones producing it. I'll happily pay for such a service.
::BIG FAT GRIN::
:D
You're right about the audience. It was The President's Information Technology Advisory Committee making a report to Bush. And yes, it is most unfortunate.
Sorry, I couldn't resist
No problem here downloading the pdf and reading it offline. From my near-20 years experience with Fed and state gummint, I can pretty much guarantee that whatever the correct solution is, the top honchos will do the exact opposite or nothing at all. I can also guarantee that you can tell when they're lying every time you see their lips move. There are big IT sec programs being run in this part of the country (north-central VT and NH, at Norwich University and Dartmouth) but to get in them you must already be at guru-expert status or pay zillions to take the grad-level programs, with the obvious exception of the cadets, who then go on to active duty. IT sec at the local, state and Fed levels is utterly laughable, despite everything that's happened since 9/11. And as has been noted before, the physical infrastructure in the U.S. is wide open. I find it amazing that an attack on the food and water supplies hasn't been carried out, not to mention the power grids, bridges and dams. And twelve years ago I used to drive a lot near Newark Int'l Airport and see the planes stacked up prior to landing, sometimes a dozen of 'em at once. How easy it would be, I thought, for a coupla guys in each of 3-4 vehicles triangulating their surface-to-air rockets, and bringing one after another down into the vast grid of power stations and oil and LNG tanks below. But I only recently saw mention of this in the mainstream news as a possibility. Then there's the hilariously open borders and coasts; I estimate 3-4k illegals of Mideast ethnicity crossing from Mexico every year, not to mention the thousands coming in from Canada legally. Meanwhile, my wife, who is 5'10" with red hair and blue eyes and otherwise the very map of Ireland face, gets jacked up for searches almost every time she flies anywhere for her job. As the guys in turbans and goatees, and Mohammed Atta clones stroll idly by onto the plane. 
I expect an attack on a major target w/dirty nuke and possible simultaneous jamming of IT networks and phone systems anytime in the next 2-5 years. A couple of those and we'll all be back to circa Anno Domini 1900. A good time to brush up on our hand tool and animal husbandry skills, also; load up on ammo.