Is the Cyberterror Threat Credible?
Scott Pinzon writes "Is the idea that cyber terrorists might take down US networks or utilities realistic, or over-hyped? One of the authors of the Patriot Act and several Black Hat 2005 speakers debated the issue informally at WatchGuard's "Security and Beer Roundtable." Participants include Dan Kaminsky, Johnny "Google Hacker" Long, Tim Mullen, Sensepost penetration testers, a guy from Microsoft's ISA team, and others."
Considering that, as of now, we can just pull money out of nowhere and just increment our debt up, it looks like that'll be the case for a looong time.
Yea, money's the real issue. With enough money, they can buy out enough hardware, encourage enough research, hire enough programmers, etc, to do almost anything. On the other hand, I'm sure that no matter what they do, their system will still have critical vulnerabilities, but that's just a fact of life.
Anyway, when we spend a quarter of the money on cyber-counter-terrorism that we do on physical defense, then people can think about beginning to complain about costs. OTOH, it's not like we really know where that money's going anyway...
http://www.TheGamerNation.com/Forums
Who cares if the power company's website is defaced or their web server brought down? That won't lead to the lights going out.
The question is not whether the threat from cyberterrorism (what a stupid term) is credible, but who in their right mind sees it necessary to put critical systems online?
If you want to take out half the internet, you don't need hackers. A backhoe works just fine. So why in the world would anyone put such important things on a network that is easily disabled?
Jesus saved me from my past. He can save you as well.
Criminals that use computers for fraud and other crimes should be described by a less stupid and emotive term than cyberterrorism.
Even if it's not credible, it doesn't mean it's okay to leave networks unsecured. Having consultants do security analysis is probably a good idea (although I don't personally know to what extent the federal government deliberately gets ripped off by those consultants, as you contend).
The threat of cyberterrorism has more to do with whether we should spend money analyzing threats to electronic infrastructure, and planning responses to potential attacks on it. Not the sort of thing you hire pen-testers for.
Personally, I don't feel in any way threatened by any word, phrase, or sentence with the prefix "cyber" in it. Cyber*, to me, means a way for non-geeks to explain something that they don't in any way understand.
Frankly, I think most terror threats aren't credible. My philosophy is that in most cases, if you're on the ball enough to understand a threat, it's not threatening. The real terrorism are the attacks (cyber and...um...Analog?) that come from behind.
In Soviet Russia, backwards is everything.
The Bush administration has been warning of a digital Pearl Harbor for years.
However, their desire to collect and to centralize information on government computers for 'homeland security' purposes makes such a threat more dangerous, not less dangerous.
If their proposals for government-accessible backdoors for all encryption were actually to become reality, then a single successful hacker could compromise millions of secure computers and documents in a single attack.
The best solution is to go back to the policies of Clinton's presidency. Let us, the people, take care of our own security without government intrusion, as is our natural right and privilege.
We live in a culture of fear.
First it's anthrax (anyone remember that?)
Then it's suitcase nukes..
Then it's bird flu..
Suddenly terrorists are going to break into our computers?!
All of these are existent 'problems' blown WAY out of proportion. I'm counting the days before termites are found in the whitehouse, thus becoming the next terrorist threat.
The broader question: is the threat of terrorism credible? Considering that politicians made up the whole concept of "the terror network" from disinformation planted in European newspapers and then failed to listen to the CIA when they told them the Soviet Union was not funding terrorist groups and in fact it was the CIA that was planting the propaganda, how can we possibly believe that terrorism is capable of any more than the few isolated incidents that have befallen the world in the last dozen years? We're talking about a total number of deaths less than a year of ordinary people driving cars on the national highways. The chances of becoming a victim of terrorism are less than the chances of being hit by falling space debris.
How we know is more important than what we know.
Maybe. But probably not. If terrorists use a computer to do something that kills people, it's regular terrorism. If somebody screws with my computer, that person is not a "cyber-terrorist," he is just a regular criminal (and also, likely, a douchebag.)
So maybe what I mean is... no, it isn't remotely credible.
Who did what now?
Y2K - Nuff said.
GetOuttaMySpace - The Anti-Social Network
There's something a little strange about spending hundreds of billions to create a missile shield on the off chance the terrorists are smart enough to build a viable nuclear weapon AND deliver it on target via ICBM from thousands of miles away... but too dumb to figure out how to trigger a cascading failure with a DDOS attack.
Truth is, if the raids on strongholds in Iraq are any indication, they can barely figure out how to upgrade to Windows 98. I'd be more worried about my government bankrupting me than anything the evil terrorists could pull off.
I'm not sure that's really what you want. IIRC, the attempts to make key escrow mandatory with Clipper were on Clinton's watch. The sooner we quit believing that one party or another is interested in freedom, the sooner we have a chance to preserve the dwindling amount of it we have left.
I too have felt the cold finger of injustice.
Fear is a fantastic way to control people and get big dollars into big lobbyists' pockets. It is also a good way to divert focus from real issues.
Unfortunately these measures only give a false sense of security. All the aircraft carriers can't stop a few punks with box cutters from hijacking a plane or whatever.
Huge security measures in the internet will be equivalent to airport security. Pain in the ass (in more ways than one), queues, loss of service etc for Joe Average and ineffective.
Engineering is the art of compromise.
And have it flash the BIOS with 0's as its first action, then force reboot after spreading. That's data loss and hardware loss. Unless we start hot-swapping motherboards.
I was working at home on 9/11, and yes: CNN was down until they put up a no-graphics static page. Slashdot was up and running just fine.
Anent to the article, I think the so-called cyberterror threat is not so much Al Qaeda as it is Eastern European organized crime, and the threat is more centered towards e-commerce (Amazon, eBay, gambling sites) than public infrastructure.
Al Qaeda wants to perform acts that make people afraid to go to work, not acts that keep them from bidding on Beanie Babies or playing Texas Hold-em. DDos-ing Amazon or Partypoker.com isn't the sort of deadly blow against the infidels that gets them out of bed in the morning. Yuri and Vladimir, on the other hand...
But the real "cyberterror" threat is the potential US Government overreaction towards any potential threat, real or imagined. Since the early '90s, the government has viewed the Internet as something big, scary, and untamed. COPA, DMCA, you name it, they'll regulate it. Even now, look at the way the Federal Election Commission has been eyeballing political blogs: free speech or political contributions?
If there's a threat, it'll be from Capitol Hill or 1600 Pennsylvania Avenue, not some cave on the Afghani-Pakistani border.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
It's actually extremely easy to wipe the BIOS on most PCs if you can get to ring 0 (not too hard under Windows). Alternatively just write garbage to nvram... same effect on a lot of bioses (especially if you manage to enable the password with a garbage value). Joe public is not savvy enough to recover from this..
OTOH a virus that did this wouldn't propagate very far because it's destroying its host. There's more to be gained by keeping the host running and infecting other machines. e.g. Delete NTLDR and your box will keep working, but won't boot next time around.
For starters, not pissing off other countries, by having abusive/manipulative policies. I'm sure there are other ways to ward off an attack of any sort, and the easiest way is to not have that enemy in the first place!
Zhrodague.net - I do projects and stuff too.
Once there is a budget for saving lives, the next question is how can it be spent to maximize the amount of lives saved/dollar. Since terrorism is so low on the causes of death, and it's so expensive and difficult to fight, I can't imagine a program of heavy counter-terrorism getting a very good return: not compared to medical research or sanitary infrastructure or even safer car designs. There should be more research on just how effective various government programs that are designed to make people safer, as far as cost per person saved/helped.
I know it's hard to put things in terms of how many people weren't killed because a certain program prevented it, but that really depends on the individual program: some have easy to measure results and some don't. We should be spending most of the budget on programs that are known to work. Lack of data isn't a reason to put more trust in something; only actual results are. I'm not seeing any real information about how many lives are being saved by counter-terrorism programs either domestic or abroad, by invading Iraq, or by invasive laws like the Patriot Act. I mean, that's the supposed reason for all these things; to make us safer, right? There are real results from new and improved medical treatments, car designs and many other programs. These successful programs are losing the funding that could be saving lives at a higher (and much more predictable) rate to programs that cater to fear.
The best solution is to go back to the policies of Clinton's presidency. Let us, the people, take care of our own security without government intrusion, as is our natural right and privilege.
Perhaps you're thinking of that other Clinton. Clinton banned assault rifles and large capacity magazines. Clinton also ignored Al-Qaeda when they blew up Americans in Saudi Arabia and Africa.
How do you make money from Cyber Terrorism? Right now, cyber crime is all about making money. When someone figures out how to make lots of money hacking power companies, they'll start hacking power companies.
The current Al-Qaeda mindset is for blood and guts. There's no fear to be generated by dropping someone's porn connection for 8 hours. Certainly foreign governments could potentially do great harm, but what is the point? Take out a trading partner? That's good for business. This is the reason web pages don't get defaced anymore. No money in it. Instead they hack the site and put up spyware/trojan installers, or run a phishing scam for a few hours.
I don't believe we'll see a major Cyber Terrorism type event unless we actually get into a major scuffle with another powerhouse, or Al-Qaeda figures out that dropping communications just after a major attack can amplify the fear by introducing uncertainty in coincidence with something fearful.
In any case, the most likely attack vector is a physical attack against cyber assets. Blow up substations, major telco POPs, radio/tv transmission towers. You get the point.
-SHP
The combination is quite deliberate to spread FUD.
If you ever watch the news on TV, they constantly want to portray the Internet as this newfangled thing (still) that's vague and murky and might bite you at any second. I think that's simply out of touch for most people (actually I think the TV industry is just jealous) but the FUD must play well with some of them because the mechanics of it isn't so easy to grasp as say any other appliance, like a blender or how TV generally works.
Combined with the vogue word of this decade, terrorism, voila: a whole new genre for the powers that be to terrorize, er, I mean inform others with propaganda.
It's the same old shit (SOS) put in a new dress.
I disagree with that statement. How many times has the "If but one death could be prevented..." mantra been passed around? Too many people expect EVERYTHING to be risk free, and often propose and advocate extreme measures to gain that certainty. No matter how absurd the measure might be for the majority of the people. And if CHILDREN are involved? Oh my god.
Look at all the handwaving currently going on regarding video game violence, despite the fact that teen violence levels are at the lowest they've been in decades. But no, SOMETHING caused Columbine, and that something must be eliminated.
And if it can't be eliminated one way, they'll try another. A "defective" product? Sue the company. An unforeseen drug interaction? It's class action time. Some kid jumps off a bridge because a character in a game did so? Obviously, it's time to ban all games.
We demand perfection, every time, all the time. And if it's not perfect, then someone, obviously, is to blame.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
Requirements:
1. It must be easy for them to understand.
2. It must be something they will follow (lots of pictures), and not a white paper.
3. It must be colorful
4. It must have a goal of educating the user and not taking their money.
5. I prefer it be securemypc.com rather than joe.blog.com/files/02/05/security101.htm
I have seen guides with this in mind but they are mostly all crap. The task is not hard and I see people clearly explain it over and over to people on web boards but I have yet to see a _good_ website where I can just say to them "go here http:"
Certainly if people can spend billions of dollars and have hundreds of organizations to clean up the damage these systems cause then someone can write a simple to follow guide for the end users that do care...right?
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
The sooner we quit believing that one party or another is interested in freedom, the sooner we have a chance to preserve the dwindling amount of it we have left.
I agree in principle - but it's also kind of unproductive to take the 'long view' and always claim precedent for everything bad going on right now. We don't have time machines, we can't change history- you have to focus on the present and the people who are perpetrating bad things right now. As far as two party politics go, if the elected official does bad enough, then you vote them out, you don't play games with trying to predict the future with what the opposing candidate might do, you focus on punishing the people in office right now who are screwing up right now. If you keep punishing both parties that way long enough, if every official is only there for one term, maybe they'll learn better eventually, or a third party will pop up.
The other thing is the more examples from history you point out, the further back you go, the more someone is going to think that it all turned out mostly all right so there's nothing to get excited about (even though the reason things did turn out all right back then was because people did get excited and took up arms and fixed it).