U.S. IT Infrastructure Highly Vulnerable
An anonymous reader writes "The President's Information Technology Advisory Committee in their February 2005 report to GW writes "...infrastructure of the United States, which is now vital for communication, commerce, and control of our physical infrastructure, is highly vulnerable to terrorist and criminal attacks." It goes on to say that "fundamentally new approaches are
needed to address the more serious structural weaknesses of the IT infrastructure" and finally offers "four key findings and recommendations
on how the Federal government can foster new architectures and technologies to secure the
Nation's IT infrastructure." Here is yet another, not surprising, bleak outlook for cyber security in the United States. The full 72-page report can be found here."
Secure, is what IT ain't!
That was fast. www.nitrd.gov was /.ed even before the article went public for non-subscribers. Or maybe it went down some other way. Netcraft says they've been running a pretty old Apache.
Is slashdotting a .gov site an act of terrorism?
Or maybe the terrorists took it down to keep their secret protected...
-Tim Louden
I don't know if this is just to increase paranoia or not in the US, but if there are security issues it is better that they talk about them, bring them out into the "open" so to speak. There is nothing they couldn't dream up as a terrorist or other attack on the IT infrastructure that hasn't been thought up already by others; even in the terror game it is hard to be truly original. And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures, what have you.
The rock, the vulture, and the chain
What are you babbling about? Bush has increased education spending by 33% since he took office.
... true indication of the US government's commitment to security if they moved away from M$ operating systems.
Free Firefox news reader.
I'm not doubting that this report is accurate in so far as systems are insecure, but the real danger is from script kiddies and other such people, NOT TERRORISTS. Using the word so far out of context to drum up interest (and thus funding) is despicable.
Given the U.S.'s penchant for saying "Nothing could possibly happen" until after it actually happens, no one will bother to spend money on this until some huge act of techniterrorism is carried out. Like someone hacking into the White House's system and getting the video recording of Bush choking on a pretzel. Or of Clinton "not having sex with that woman".
Tluin natha Linux xxizzuss uriu olt bwael mon'tun.
It always worries me when I see the current administration saying things like this...
:-\
highly vulnerable to terrorist and criminal attacks."
fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure
It isn't that they aren't right... It's just that whenever they go on and on about terrorists threatening our way of life it seems all they really want is to implement new ways of taking away our rights without actually protecting us at all.
Sure wish I could actually read the article.
You best watch out. I hear Federal (bang me in the ass) prison is nothing compared to Abu Ghraib.
My digital rights don't need management.
I haven't RTFA (who can, it was /.ed almost instantly), but this sounds a bit like a segue into trusted computing -- or Palladium, or whatever MS is calling it. I would love to believe they'd get the clue and go OSS, but with the amount of sugar-daddy financial pull MS has with our government officials, I just can't put any hope in that theory.
Working in a DevOps shop is like playing in a band made up entirely of keytarists.
http://lazowska.cs.washington.edu/CyberSecurity.pdf
I found this /. quote (from the bottom of the page) to be perfect: /.ed AND it's supposed to be talking about a failure of communication. Anybody else like it?
"The biggest problem with communication is the illusion that it has occurred."
considering that the server was
-Tim Louden
That must be why kids here haven't had a 5 day school week in a couple years.
Here is the google cache: google cache
Here is the blurb from their page, good luck trying to get the PDF though.
The rock, the vulture, and the chain
Is it to the political benefit of the Bush administration, or the neoconservative agenda, to in some way react to the widespread and systematic vulnerability in the IT infrastructure of the U.S.?
Is there some personal gain they can derive from it, some personal goal that responding to this knowledge is convergent with?
No?
Then it doesn't matter. This advisory committee will be ignored, just as the committees and others who warned the Bush administration about the insecurity and threats in our nation's (and our nation's air travel system's) security were ignored in the weeks and months before September 11, 2001.
And if anything were to happen because of the vulnerability in the IT infrastructure, then just as before, the media, the world, will shrug and say there is nothing that could have been done, there was no way this could have been seen coming, it was not a failure of intelligence but of imagination.
Wow, you're making a broad accusation without ANY evidence to back it up. You sir, should go into independent media.
Viral software licensing is not freedom, it is in fact GNU/Socialism.
The states run the education system. It's just the federal government that shoves money at the problem. When has throwing money into a fire ever helped to put the flames out?
Free Unix? Free Windows. http://www.reactos.com
Read the report and would like to respond. Could someone please tell me how to make one of those sad face things in my email?
Regards
George.
Free Firefox news reader.
/.ing the site is just a proof of concept and will probably be used as an example of what terrorists could do, and be used to limit any rights that are left.
:-(
It will probably mean more money for monitoring individuals. And don't say later: we didn't know.
Don't fight for your country, if your country does not fight for you.
Yeah, I was thinking that too. But it wouldn't even have to be due to Microsoft's bribery; I'm sure locking down everyone's computers sounds like a great idea to someone like Bush
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Thanks for the Apache update. I figured they'd been using Microsoft since it went down so fast. Microsoft is secure. I'll be sure to ask the key logger on the free internet access site I'm using (not kidding).
riding round the world on an old motorcycle
Just a single example, but when you have a principal and an assistant principal at each school, both making 100,000+ $USD, that money gets used up in a hurry. Why don't they spend some of that money on teachers to lower class size? It's a bunch of stupid politics, and the students continue to suffer for it. There are dozens of other positions like that. I can see a need for a single principal, but what about all these other stupid positions?
In the High School at the K-12 district where I worked before, the "assistant principal" fixed his three sons' grades before he got caught and had to "resign to pursue other opportunities", and the "normal principal" was caught (by me) surfing porn after hours. Fucking brilliant.
Can you tell I'm jaded?
Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
Launch all zig!
This all seems a little alarmist. Our IT infrastructure is far more secure than our physical infrastructure, because our IT infrastructure has grown up under constant threats from script kiddies, trojans, and worms. 9/11 was possible because we have (or had) a basically open, trusting society. That's not true online.
Servers across the internet are under constant attack from all kinds of viruses, worms, and malicious hackers. Even the most successful viruses amount to little more than annoyances, and can be easily protected against by any systems administrator worth his salt. Like the human immune system, continuous exposure to cyber-pathogens results in our information infrastructure growing increasingly good at resisting and fending off attacks.
There's no reason to think that Islamic terrorists would be any more competent virus writers than those that currently plague us. In fact, given the backwardness of the Arab countries where most Islamic terrorists come from, I think there's good reason to think they would be less competent as computer programmers than people from other parts of the world. The only significant difference between cyber terrorists and today's virus writers is motivation. Most virus writers are interested in the technological challenge, and want to show off their prowess. They don't really want to do any damage. Others are more sinister, and try to install keystroke loggers or bots in order to steal your credit card numbers or extort money from people threatened with having their servers brought down by an attack from an army of compromised computers. Cyber-terrorists, on the other hand, would want to cause some spectacular failure that would grab all the headlines. Unfortunately for them, the systems that the terrorists would like to bring down are administered by professionals, people who are a lot more sophisticated than a grandma who forgets to update her anti-virus definitions.
Finally, two more features of our information infrastructure make it resistant to catastrophic failure. First, it is resilient. Our information infrastructure is largely owned by private industry, and is supported by an army of trained to quickly get systems back up and running should they ever be brought down. Second, and more importantly, the systems that comprise the infrastructure are diverse. No program can run natively on a Cisco router, an Apache webserver, and a Microsoft SQL server. It's therefore extremely unlikely that a single program could bring the nation's cyber infrastructure to its knees.
Since it cannot be found anymore on the original place. Is there somebody with a copy of the PDF?
Can he/she make it publicly available?
Unless it's a crime to do that, of course. I can't read if there is an included copyright and distribution notice in it.
Clearly you don't know anything about your own taxes, or education system. The United States Federal government provides very little of the operating income for the public schools. Almost all of the income for education comes from local property taxes. So saying Bush raises federal education funding 33% says little about the total health of the education system, because Federal funding only makes up a small percentage. Currently in my area funding is dropping; many schools are closing down or reducing staff. Luckily the number of students is also dropping. The fact that State and Local governments have so much control over education makes the No Child Left Behind Act look stupid. Why would a Republican (Smaller Government, right?) make new laws to deal with something that they normally wouldn't deal with? (To make you feel nice while they screw over an entire generation.)
mnewberg.com
"Like someone hacking into the White House's system and gets the video recording of Bush choking on a pretzel."
maybe then the P2P software that can share such documents, will take the blame. then we will never have to worry about such hacks...
The only thing that piece of shit legislation does is give the kids more tests to suffer through. It adds no actual "accountability" to schools. Instead of teachers preparing their students for what they might actually need in life, they focus on only what's going to be on the test. What happens when some struggling inner-city school gets shut down because their kids don't pass their proficiency tests? They disperse into other schools and bring their scores down, resulting in less funding for those schools. Brilliant.
If Bush has added $13 billion in education funding, I'd like to know where it went. Districts all over are struggling just to keep the lights on. They are being forced to go to the voters for property tax increases. It's not a pleasant situation for anyone. The kids suffer because all their extracurriculars get cut and the property owners suffer because their taxes go up.
The state of education in Ohio (where both of my parents are in the field) is abysmal. Over 10 years ago, the state's Supreme Court ruled our school funding system was unconstitutional. Yet here we are 10+ years later, and the Legislature hasn't done a damned thing about it. My dad is convinced they're trying to kill public education, and from what I see, it's working. People are getting laid off, everything outside of the State Board of Ed.'s required curriculum is being cut, and the kids suffer. They've even cut bussing. It's really a very unfortunate situation.
In conclusion, fuck our incompetent politicians. I'm sick of agendas (as they almost always end up screwing the common man).
I'm talking about school budgets, not bureaucracy budgets. I don't know what things are like where you live, but giving a bunch of money to special education programs doesn't help most of the students here. Heck, I'm not even talking about music and art (shameful as the state of those programs are). I think there's at least a 33% chance that Americans aren't *smart* enough to create a secure infrastructure, IT or otherwise.
When I was a kid, we only had one Darth.
You're not praying hard enough.
--
make install -not war
Slashdot may well be classed as a terrorist threat. It allows dissemination of "dangerous" information, the questioning of technical strategy, the promotion of "communist" ideals (ie: a sense of community, rather than paranoia), the repeated DDoS attacks against discussed sites,
It would not surprise me if CmdrTaco and Cowboy Neil are on the "No Fly List".
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
First person to set up a BitTorrent for the PDF gets a +5 CoolAssMoFo from me. (Useless, but cool)
- A video
- A large image collection
- A PDF file
- A "personal" website (possibly hosted on a home DSL/Cable connection)
then please consider using Coral. As long as Coral can see the site, it will be in the cache, and as more /.ers hit the Coral Cache, it will be distributed around (kind of like what Akamai does, only without having to set it up in advance).
Overrated / Underrated : Moderation
...but here's a link.
There are actually programs around the country to address this, flying under the banner of "Information Assurance". I happen to be in one of the six initial NSA-approved programs.
The problem here, as I see it, is not a lack of opportunity or even expertise; it is a problem of making advanced degrees and training cost effective. For instance, I have a classmate who is running at around $120K of debt from school, from undergraduate work to his MSc. While this is not representative, it is quite rare here to see individuals who are able to balance the work-train equation. In short, it really doesn't seem cost-effective to get an advanced degree, especially a MSc as most of these Information Assurance programs offer.
I do not claim to know the environment that has brought us to this, but what I do know is this: just as a recent article in the Journal of Higher Education has pointed out, it would be helpful if we could stop treating student loans as raw "debt", and perhaps more akin to an investment. While I enjoy the thinking behind the SFS Cybercorps, the lack of support through a PhD is a huge oversight in my mind. Until it becomes cost effective to retain brilliance and pay for it, we will continue to face problems endemic to the situation at hand. To wit: if I have no scruples, and know that computer crime / digital trespass is typically not vigorously followed up upon, maybe I would embark on a kleptography spree. If, however, I was essentially told, "train with us for as long as you like, and then work with us" (e.g. extending Cybercorps to PhD levels of work), then I would come out with a better degree, a guaranteed job, and a good future. Granted, without any moral scruples, it may well be the case that a computer crime spree would just be a natural application of talent.
that some of them thar gummermint mofo intarweb geniuses are putting together a contingency plan to save the pron. For god's sake, won't somebody think of the pron!!
I think it's an insult to victims of 9/11 and other real terrorism around the globe to call any attack on a *computer network* "terrorism".
I know it's trendy to attach the word "terrorism" to everything you don't like (Microsoft: "industrial terrorism", some politician just today: "medical terrorism"), but can we at least reserve it for cases when somebody might *die*?
Yes, our economy will suffer a major blow from an attack on our computer networks, but if you give me a choice between having to become a farmer to feed myself and *DYING* in a suicide attack, I think I'll take the former.
But one thing is true: our computers are horribly insecure and are at risk not ONLY from terrorists, but from pimply-faced teenagers that live down the street. And it doesn't matter what license your software uses or what OS it runs. The fact is that there aren't many programmers out there who bother writing secure software, and even fewer customers who demand it.
I located two other government sources here and here.
Another poster also found it here.
I'd like to point out that while there is no direct mention of Trusted Computing, it calls for a "fundamentally different architecture", some sections (mostly later in the paper) appear to describe Trusted Computing functionality, the experts they cite all appear to be Trusted Computing specialists and proponents (in particular David Spafford was the author of the semi-famous WHY_TCPA and TCPA_REBUTTAL papers), at least some of the committee members appear to have Trusted Computing ties, and an earlier Cyber Security Advisor gave a speech at the Washington D.C. Tech summit calling for Trusted Computing and for ISPs to eventually make it a mandatory part of terms of service for internet access. A call to fight worms and viruses and to Secure the National Information Infrastructure against terrorist attacks, to defend against Osama bin Laden himself. Yes, he actually cited bin Laden by name. chuckle.
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
This information filters into the brain of a person who had sent two emails during his first term of office, and one of those was just to confirm that his account was set up right.
Do you really think he'll GET this and act on it?
We're so doomed.
How easy is it to cause trouble? Ask the antisocial 14 year old shopping at Hot Topic that thinks IRC botnets are "0mfg sup3r 1337 pwnt r0x0r!!111". It would be easy to track said person and penalize them legally by fostering ISP 'spy' programs for such activity, but that will immediately cause a privacy/rights backlash. I think it's fair to say at the current time there is no true solution, only an option that will make the bleeding less obvious. The internet and its anon. nature is great. It's one of the main reasons for the explosion of the internet.. people can freely express themselves without fear of being treated differently or outcast or whatnot. Such freedom of expression is awesome. But if it's so easy to be anonymous... how can you catch those who abuse the system on a scale that is effective and efficient without throwing privacy and personal rights out the window?
The Peanut Gallery, Ubergeek, Biblically Sober
NCAAbbs.com: Thousands of fans, Hundreds of teams, Just one place
I had just written an article not only on this topic but about the fact they keep putting too much emphasis on "terrorism" and not on the other 75% of people who would just as easily get in.
"It's better to be a pirate than join the Navy"
"Electronic Pearl Harbour" used to be all the rage a couple of years ago; now it only collects 553 hits on Google. The names change but crying wolf won't go out of style anytime soon. I read somewhere that Tom Daschle referred to the Schiavo situation as medical terrorism, can't find a reference to it though. It might have been a bad joke but how are you supposed to know?
Yeah, and starting a preemptive war on another country based on false pretenses can't be considered illegal?
XP zombie
maybe it's time to start regulating/banning all operating systems until they pass some networking security standard.
The WHOLE point of the internet (or at least so I've read) was to create a communication infrastructure that could withstand a NUCLEAR attack. "Terrorists" are like mosquitoes compared to that.
It goes on to say that
... Cha-ching !!!!
"fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure"
Read as
seriously.
Clark Kent is Superman's critique on the human race.
select * from base where originalOwner = 'you' and currentOwner != 'us'.
0 rows returned.
I thought this was old news, having to deal with the theory of scale-free systems, power laws, etc. Most nodes on the internet are leaf nodes or have only a few connections to larger nodes, which in turn feed into still larger nodes, on up to supernodes which tie everything together. The probability of a node having some number of links is inversely proportional to the number of links raised to a power.
It turns out that this design has a couple of advantages. For one, the network diameter grows only logarithmically with the number of nodes. There's a fairly low bound on the number of hops between any two nodes, and the average is even better.
It's also quite robust in the face of random outages. As the vast majority of the nodes are leaves or small local networks, removing any single node at random tends to have only small local effects. Since there are so few of them, the odds are heavily against a critical node going down.
As nice as it is, the scheme isn't so robust against targeted damage. Destroying just a handful of nodes brings the system to its knees.
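The random-outage versus targeted-damage point above is easy to check numerically. What follows is an added Python example, not code from the original comment or from the report: it grows a scale-free graph by preferential attachment (an assumption on my part; the comment names no generating model), then removes 10% of the nodes either uniformly at random or hubs-first by degree, and measures how much of the surviving graph still hangs together. The parameters (2000 nodes, 2 edges per arrival, 10% loss) are arbitrary choices for illustration.

```python
import random
from collections import deque


def preferential_attachment(n, m, seed=0):
    """Grow an undirected graph by preferential attachment (Barabasi-Albert rule).

    Each new node brings m edges and chooses existing endpoints with probability
    proportional to their current degree, which produces the power-law degree
    distribution the comment describes: a few hubs, many leaves.
    Assumed model for illustration; the original comment does not specify one.
    """
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    # Seed with a small complete core so the first arrivals have targets.
    core = list(range(m + 1))
    for i in core:
        for j in core:
            if i < j:
                adj[i].add(j)
                adj[j].add(i)
    # A node appears in `targets` once per incident edge, so a uniform pick
    # from the list is a degree-proportional pick of a node.
    targets = [v for v in core for _ in adj[v]]
    for v in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(targets))
        for u in chosen:
            adj[v].add(u)
            adj[u].add(v)
            targets.extend((u, v))
    return adj


def largest_component_fraction(adj, removed=frozenset()):
    """Largest connected component as a fraction of the nodes that survive."""
    alive = [v for v in adj if v not in removed]
    if not alive:
        return 0.0
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w not in removed and w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best / len(alive)


def mean_hops(adj, samples=25, seed=0):
    """Average BFS distance from a few random sources to every node they reach."""
    rng = random.Random(seed)
    total = count = 0
    for start in rng.sample(list(adj), samples):
        dist = {start: 0}
        queue = deque([start])
        while queue:
            v = queue.popleft()
            for w in adj[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
        total += sum(dist.values())
        count += len(dist) - 1
    return total / count


def random_failure(adj, fraction, seed=1):
    """Nodes lost to random outages: a uniform sample, so mostly leaves."""
    rng = random.Random(seed)
    return frozenset(rng.sample(list(adj), int(fraction * len(adj))))


def targeted_attack(adj, fraction):
    """Nodes lost to a deliberate attack: the highest-degree hubs first."""
    by_degree = sorted(adj, key=lambda v: len(adj[v]), reverse=True)
    return frozenset(by_degree[: int(fraction * len(adj))])


def compare(n=2000, m=2, fraction=0.10):
    """Return (random-failure, targeted-attack) giant-component fractions."""
    g = preferential_attachment(n, m, seed=7)
    return (largest_component_fraction(g, random_failure(g, fraction)),
            largest_component_fraction(g, targeted_attack(g, fraction)))


if __name__ == "__main__":
    g = preferential_attachment(2000, 2, seed=7)
    print("max degree:", max(len(nbrs) for nbrs in g.values()),
          "mean hops:", round(mean_hops(g), 2))
    rnd, tgt = compare()
    print(f"giant component after losing 10% of nodes: "
          f"random {rnd:.2f} vs targeted {tgt:.2f}")
```

The mean hop count stays in the single digits for thousands of nodes, and the giant component barely notices losing 10% of nodes at random, but the same number of hubs removed by degree strips out a large share of the edges and fragments the survivors. That asymmetry is the whole argument for not letting the few hubs be the only thing holding a network together.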
The startpoint for a decent environment should be a way to interconnect (or 'internetwork'?) various computer systems and local networks using data links with redundant, multiple pathways (or 'routes') so that the failure of a single route would not affect the overall functionality of the internetwork.
Since the US government is worried about this, maybe one of their own divisions - say the Department of Defense? - should look into this.
In the end, maybe technology spin offs from this could be used for the benefit of the civilian population too?
Just an idea.
AT&ROFLMAO
The same as "The War on Poverty" or "The War on Drugs". It's not even that bad. Look at what happened with the other worms (Slammer in particular). Banks were off-line. And the total number of businesses that failed was
"Cyberterrorism" is worse than an insult. No one dies in "cyberterrorism". No one is worried that they MIGHT die.
Just look at the sniper attacks in DC. People were worried and they stayed home, they kept their kids out of school, etc.
Slammer hits and people get annoyed at their computers. Big deal.
But "cyberannoyance" won't get votes.
People have emotional reactions to words and most of them don't have the knowledge to evaluate the REAL threat (or the desire). Tell them that THEY are in DANGER and that the NEXT ATTACK could be WORSE | DEVASTATING | HORRIBLE BEYOND IMAGINATION and you can get them to do just about anything.

Yep. But the "risk" is that you might lose some money / time.

Yep. But so what? Until the customers lose something of value, completely (no getting the bank to reverse the charges), they won't demand anything that limits their activities.
They will happily support politicians who want to get "tough" on "cyberterrorism" and "crack down" on those "cybercriminals", but they will still open every email attachment.
With proper routing, redundancy, spare capacity, it could be more robust, but there is no mandate for that, but mainly pressure to drive costs lower and lower. So you get an internet which is very low cost, and very powerful, but not very resilient to major problems.
Love many, trust a few, do harm to none.
Shame on Ohio for being so in bed with the Military neo-con industrial complex.
Ohio is a disgrace for being so addicted to Air Force dollars.
So next time run an honest electoral system, throw the neo-con fascists out of office, and maybe you can do something with education.
Until then education doesn't matter because as we all know neo-cons dont care what you know as long as you agree with their 'everyone but us are slaves' point of view.
Let them keep building their walled communities and giving over everywhere else to huffers and criminals.
That is the contract on America that corrupt rububbacan states like Ohio have given the rest of us.
Shame on Ohio.
1. Allow companies (who have a vested interest in profit over security) to develop products that bastardize existing standards, or create ones that are not operable with others. Allow the masses using these products to freely connect to the internet and cause all sorts of havoc.
2. Allow companies (and gov't agencies) to outsource maintenance, development and support of IT functions to second and third-world countries -- none of which have a vested interest in keeping our infrastructure safe and secure -- let alone our citizenry.
3. As a result of step 2, enrollment in IT/CS related fields plummet. U.S. no longer a leader in CS.
In the future, the Nation may face even more challenging problems as adversaries - both foreign and domestic - become increasingly sophisticated in their ability to insert malicious code into critical software.
I don't agree this is a future danger, it's a present danger. First, I don't think sophistication is needed as code is rarely inspected carefully in proprietary software. The theory behind open source is that everyone will be able to check the code and problems will be caught that way. But you have to admit that not everything can be open source.
Second, critical code is getting developed in all sorts of places, increasingly offshore. Companies make those offshoring decisions based on their own bottomline, not the national security interests and that is not going to change anytime soon.
These people must be really, really smart
"software is a major vulnerability"
"endless patching is not the answer"
Did they recommend BREAKING UP THE OS MONOPOLY CHIEFLY RESPONSIBLE FOR THE MAJORITY OF THE PROBLEM?
I didn't see that one
None. Neither any other operating system. Microsoft had one representative in that committee.
Akk! I goofed on Spafford; ignore that sentence. The TCPA papers were by Safford [no P], a different person. My bad, ignore that part.
But I think that is more than made up for by this item, David Patterson is on Microsoft's Trusted Computing Academic Advisory Board. Chuckle.
They list Carl E. Landwehr (one of their invited experts) as "Program Director" at the National Science Foundation, but more specifically he is the Trusted Computing Program director. Which also happens to be where they say we need $90 million a year in government grants.
And here's a link to the former presidential Cyber Security advisor Richard Clarke's Global Tech Summit speech that I mentioned. Quote: "TCPA is not enough. It is a good beginning, but it is not enough". He goes on to say that we need "a way of forcing down patches" (which can only be enforced through Trusted Computing) and that ISPs and carriers insist that firewalls be installed (again only enforceable through Trusted Computing). To Secure the National Information Infrastructure against bin Laden. Oh, and by the way the Trusted Computing Group has announced they are working on routers that enforce exactly those things, forcing down patches and verifying that firewalls are installed and compliant. If you're not compliant then the router would deny you a net connection except strictly to receive the patches to come into compliance.
Amit Yoran (another invited expert) is the more recent president's Cyber Security Advisor who just resigned because he was frustrated that the government wasn't making *mandatory* action for those changes to Secure the National Information Infrastructure. He didn't want to just make recommendations and wait for businesses and the market to change; he wanted the government to regulate and force things along.
I'm too tired to try and research everyone. Neeeeed sleeeeeep. But I'd wager there's more Trusted Computing ties and support among them.
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Who is this GW, the submitter mentions?
Having worked on some .gov systems over my time, the biggest problem is often that the resources are spread very thinly across the country. They really need each department to invest in people that will just focus on keeping things up to date.
Primary focus can be desktop and internet-facing systems. This can be made a lot easier. Windows Update for example is much more reliable than it has been in the past (not perfect but better). And most Unix systems are compatible with systems like pkgsrc, which would make it much easier to at least try and resist incoming attackers.
Having centralised management and control over all systems would be a great start. That's something that many countries have; however, from my experience many American departments have different staff in different offices/regions, making the mismatch in staff quality and skillset diverse enough to affect security.
Wasn't there a similar report a few years back that concluded that, while there was a risk of 'cyber-terrorism', the potential damage really wasn't that great?
The thing that gets me about the terrorist threat scare-mongering is how incompetent it makes the terrorists appear. There was a report over here (UK) recently saying that there are potentially hundreds of terrorists at large in the UK. If that is the case, and they really hate the West so much, why are there not people dropping dead left and right? Surely several hundred well-trained, dedicated people with access to weapons and poisons, as they are made out to be, could cause mayhem if they wanted to.
My pet example: twenty random terrorists with no previous record spend a couple of days travelling round the country separately injecting ricin into random food items in supermarkets using hidden syringes. They'd cause mass panic and paralyse the food system as everything has to be checked.
Unless the threat isn't as great as it's made out to be, of course.
The security of a network is a combination of factors:
Technological
Physical
Social
We can fight the battles in the technological front till we're blue in the face, but the temp at the front desk is a hole you'll probably never close.
In my head obvious questions this document failed to address are as follows:
How many people have access to your data center?
How many people have access to your most remote networked buildings?
Scrolling through this document there is no mention of the greatest security challenges facing IT today. Worms have been around since before the public internet, and as IT warriors we fight those battles constantly.
Ignoring the other aspects of "cyber" security is folly and tantamount to IT security suicide.
Case in point: it's pretty damn hard to remotely hack a slidecard door access system's logging system if all it is is a direct serial cable to a serial line printer.
For those who aren't aware Richard A Clarke was the former cyber security and counterterrorism czar, national security counselor to three presidents (including Democrat Bill Clinton), and a trusted member of Bush's own advisory staff until May 2003. Putting aside partisan feelings on the man, he knows what he's talking about.
Would any of us have tolerated the preventative measures before that stuff happened?
Much of what you say, ScentCone, is thoughtful, passionate and enlightening. I have no argument with most of what you said, especially in terms of its spirit, which I will take the liberty of characterizing as socially-conscious and altruistically-oriented. But I do want to object to what you seem to imply in the sentence I quoted above.
Despite the horrors and ramifications of the Spanish train attacks and the destruction of the World Trade Center, no free citizen should tolerate the kinds of restrictions upon civil liberties as outlined in the Patriot Act. In another context, and with all due respect to those who lost their lives and livelihoods in the wars of the last thousand years, the acts you refer to as terrorist acts are acts of rebellion, acts which seek to destroy the empire which dominates the world.
I'm not saying such acts of rebellion are exemplary or laudable, though some may consider them to be so. I am also not comparing these acts to the hormone-driven execution of Columbine-esque revenge fantasies by barely post-pubescent computer literates. I am, however, allowing that these acts do have different meaning for some who are just as passionate and thoughtful but in ways that are opposed to the dominant world order.
In any case, relinquishing our freedoms because we are afraid to die will secure us nothing, neither freedom nor our lives. I think someone said something to this effect much more eloquently nearly years ago. Amazing how it's still true today.
Agreed, "cyber terrorism" isn't very likely imho, given the sort of lifestyle that leads to hacking skills vs. the sort of lifestyle that leads to being pissed off at thousands of citizens in a shopping mall. There's a danger of someone with the skills and few scruples being hired by a sociopath, but personally I think these things are far too rare to be seriously worrying about, and they're pretty much unstoppable anyway. It's the age-old question: how do you stop someone determined to kill you, even at the expense of their own lives? Simple answer is that you can't. But you can probably prevent it, with better mental healthcare, fairer treatment of other nations, etc.
However, cybercrime such as theft is much more likely, and needs to be taken seriously. And this whole phony war against terror thing is just distracting people from that, imho.
The original impetus for the Internet was to design a distributed computer network for the military to survive nuclear war. The Dept of Defense Advanced Research Projects Agency funded Internet and computer research until Gore's superhighway funding in the 1980s.
Granted we are looking at non-military sources of threat, and there are some key weak spots in the system.
When I was a kid my family went to Disneyland. We checked our luggage at the ticket counter, walked to the gate and got on the plane. No security scanners, no checking of any kind. People on the plane could have been carrying handguns in their pockets. No big deal. Then people started taking advantage of this huge gaping security hole and actually hijacking planes, and things changed.
I think MOST security in the world follows the same principle: safe & secure = nothing bad has happened yet. Think about all the public places you visit all the time... shopping centers, movie theaters, schools... where large crowds are assembled on a daily basis and there's great potential for mass mayhem, except it hasn't happened enough for people to worry about it yet. Eventually that will change. Everything does.
I share your concerns about so-called "Trusted Computing" and in general any form of DRM which leaves the owners of computing infrastructure at the mercy of the suppliers of its components. It's not particularly about computing. Such a situation would be intolerable in any industry.
However, I think for the record I'd like to point out that Spaf is consistently on the technically sound side of the debate here. I say this having grown up with him in the USENET days when it was a pretty small club and fools were not suffered gladly. His was always the voice of reason.
Take a look around and see for yourself. We want his point of view on the PITAC.
Parity: What to do when the weekend comes.
Publish information about how poor the security is in an ebook and get arrested? Publish information about a vulnerability in an OS and risk being sued?
Why would anyone want to do security research that may help existing systems when the only thanks you will get is a court date?
Anarchists never rule
Especially since that internet thingy was originally developed to be decentralised and able to withstand a 'nukular' attack.
Seems something went wrong after ARPAnet screwed the pooch (or FIDOnet :P)...
-- Waht? Tehr's a preveiw buottn?
The letters came with a warning what you should do if you had opened them, and one US bio-scientist was AWOL at the time, so I think it can be safely assumed the idea was to scare the US government into investing more money into counterterrorism, especially biologic weapons research.
Maybe the guy simply wanted more money invested, or wanted to support the PATRIOT act.
The letters became really scary only when it was discovered that mail workers could be affected by the powder escaping out of the letters in transit.
I'm still trying to figure out what people mean by 'social skills' here.
You know, I really wouldn't be that worried if ... Osama bin Laden ... himself ... was sitting at my computer.
Tell ya what, Mr bin Laden and Mr Saddam can have a field day 'hackin' ... i'll even tell them they can 'type startx' to make things look prettier.
"We don't control the internet, but we want to"
The Internet was never meant to turn out the way it is today - it was designed so that everyone could access everything. Unfortunately, this methodology sets you up for failure when you try to secure things down. If we want to be truly secure, we need to redesign the Intraweb from the ground up. (Including physical cabling) Now what are the chances of that happening?
...Had this been an actual emergency, we would have fled in terror, and you would not have been informed.
I'm sure Microsoft would love that. Then they would have some sort of basis for pushing DRM, and could cause all sorts of problems for free OSes.
And the l33t shall inherit the 34r7h.
And they want to make ISPs require TCPA for Internet access?
I'm sure that TCPA advocates will be telling us that this is impossible...
Of course, the Titanic was unsinkable, too.
Tech Public Policy stuff
http://www.johntaylorgatto.com/underground/toc1.htm
Imagine that to surf the net you will have to purchase license plates, ask government's permission and even probably take a written test. Then you will have to call your ISP and provide them with your license number and the number stored in your PC and some secret word given to you by the Cyber Agency of Great Emperor (CAGE), and after all that your PC (only this one, not that one) will be allowed to connect and even download a site or two. Oh, yeah, I completely forgot - from now on patches are mandatory. You are not going to drive at night without lights on, are you? The same thing is here - your firewall is updated by the ISP every 500 miles ... sorry, I meant 1 GByte.
Wireless community networks and satellite can create some problems, but overall this is definitely doable.
Spaf is consistently on the technically sound side of the debate here.
:)
Ah good, I'm glad to hear the panel wasn't stacked, or at least not completely stacked.
A question, are Gene Spafford and Eugene Spafford one and the same? Or two different researchers in the field? I was doing some googling and came across both and got comfoozled. Bad enough I was already mixing up Safford and Spafford, heh.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
When has throwing money into a fire ever helped to put the flames out?
Why don't we cut the funding to your local firestation, light up your house and find out?
I don't speak French.
"fundamentally new approaches are needed" Read: "we need Great Chi.. er, USA Firewall".
What would a modern Obelix say today? Of course, "Those crazy Americans!".
Uhmmmmmmm, I guess I'll have to add this news item to one about Chinese spies working for Islam that are trying to detonate a 'dirty' bomb in Boston next to Senator Kerry's campaign headquarters during Bush's swearing in.
Home page at Purdue: http://www.cerias.purdue.edu/homes/spaf/.
Oh, and you could still be right about PITAC being stacked. Not to impugn any of the participants, but there seems to be a remarkably odd representation of industry there.
In a committee setting, the effect tends to manifest in what is not said when reporting its consensus position. The PITAC report makes interesting reading with this in mind. It's an excellent introductory overview to information security, and I have no reason to fault any of its observations. For example:
But it does not suggest that there are immediate, practical steps that organizations can take to reduce security risk. It doesn't classify sources of security risk. It doesn't observe that some organizations are found to be much more secure than others, it doesn't inquire into why that might be, and it doesn't identify specific platforms or strategies that, if encouraged, would be expected to lead to a more secure information infrastructure.
In my view, these would have been useful and appropriate themes to cover in a report of this nature. I consider their absence a significant and remarkable shortcoming of the report. But from a committee perspective, asking for more research funding is so much safer. Then we don't get into the sorts of direct questions that might create discomfort for some of the industry members. A knowledgeable reader can make this inference, and so to that extent the report has maintained integrity. Unfortunately, the report was not intended for a knowledgeable audience.
MosNews | March 21 2005
On the pretext of fighting international terrorism the United States is trying to establish control over the world's richest oil reserves, Leonid Shebarshin, ex-chief of the Soviet Foreign Intelligence Service, who heads the Russian National Economic Security Service consulting company, said in an interview for the Vremya Novostei newspaper.
Using the anti-terrorist cause as a cover the United States has occupied Afghanistan, Iraq and will soon move to impose their "democratic order" on the Greater Middle East, Shebarshin said. "The U.S. has usurped the right to attack any part of the globe on the pretext of fighting the terrorist threat," Shebarshin said.
Referring to his meeting with an unnamed al-Qaeda expert at the Rand Corporation, a nonprofit research organization in the U.S., Shebarshin said: "We have agreed that [al-Qaeda] is not a group but a notion."
"The fight against that all-mighty ubiquitous myth deliberately linked to Islam is of great advantage for the Americans as it targets the oil-rich Muslim regions," Shebarshin emphasized.
With military bases in Afghanistan, Uzbekistan and Kyrgyzstan, Shebarshin said, the United States has already established control over the Caspian region -- one of the world's largest oil reservoirs.
"Flyin' in just a sweet place,
Never been known to fail..."
::BIG FAT GRIN::
:D
You're right about the audience. It was The President's Information Technology Advisory Committee making a report to Bush. And yes, it is most unfortunate.
Sorry, I couldn't resist
No problem here downloading the pdf and reading it offline. From my near-20 years experience with Fed and state gummint, I can pretty much guarantee that whatever the correct solution is, the top honchos will do the exact opposite or nothing at all. I can also guarantee that you can tell when they're lying every time you see their lips move. There are big IT sec programs being run in this part of the country (north-central VT and NH, at Norwich University and Dartmouth) but to get in them you must already be at guru-expert status or pay zillions to take the grad-level programs, with the obvious exception of the cadets, who then go on to active duty. IT sec at the local, state and Fed levels is utterly laughable, despite everything that's happened since 9/11. And as has been noted before, the physical infrastructure in the U.S. is wide open. I find it amazing that an attack on the food and water supplies hasn't been carried out, not to mention the power grids, bridges and dams. And twelve years ago I used to drive a lot near Newark Int'l Airport and see the planes stacked up prior to landing, sometimes a dozen of 'em at once. How easy it would be, I thought, for a coupla guys in each of 3-4 vehicles triangulating their surface-to-air rockets, and bringing one after another down into the vast grid of power stations and oil and LNG tanks below. But I only recently saw mention of this in the mainstream news as a possibility. Then there's the hilariously open borders and coasts; I estimate 3-4k illegals of Mideast ethnicity crossing from Mexico every year, not to mention the thousands coming in from Canada legally. Meanwhile, my wife, who is 5'10" with red hair and blue eyes and otherwise the very map of Ireland face, gets jacked up for searches almost every time she flies anywhere for her job. As the guys in turbans and goatees, and Mohammed Atta clones stroll idly by onto the plane. 
I expect an attack on a major target w/dirty nuke and possible simultaneous jamming of IT networks and phone systems anytime in the next 2-5 years. A couple of those and we'll all be back to circa Anno Domini 1900. A good time to brush up on our hand tool and animal husbandry skills, also; load up on ammo.