Slashdot Mirror
Is the Cyberterror Threat Credible?
Scott Pinzon writes "Is the idea that cyber terrorists might take down US networks or utilities realistic, or over-hyped? One of the authors of the Patriot Act and several Black Hat 2005 speakers debated the issue informally at WatchGuard's "Security and Beer Roundtable." Participants include Dan Kaminsky, Johnny "Google Hacker" Long, Tim Mullen, Sensepost penetration testers, a guy from Microsoft's ISA team, and others."
Who cares if the power company's website is defaced or their web server brought down? That won't lead to the lights going out.
The question is not whether the threat from cyberterrorism (what a stupid term) is credible, but who in their right mind sees it necessary to put critical systems online?
If you want to take out half the internet, you don't need hackers. A backhoe works just fine. So why in the world would anyone put such important things on a network that is easily disabled?
Jesus saved me from my past. He can save you as well.
Criminals that use computers for fraud and other crimes should be described by a less stupid and emotive term than cyberterrorism.
Even if it's not credible, it doesn't mean it's okay to leave networks unsecured. Having consultants do security analysis is probably a good idea (although I don't personally know to what extent the federal government deliberately gets ripped off by those consultants, as you contend).
The threat of cyberterrorism has more to do with whether we should spend money analyzing threats to electronic infrastructure, and planning responses to potential attacks on it. Not the sort of thing you hire pen-testers for.
Personally, I don't feel in any way threatened by any word, phrase, or sentence with the prefix "cyber" in it. Cyber*, to me, means a way for non-geeks to explain something that they don't in any way understand.
Frankly, I think most terror threats aren't credible. My philosophy is that in most cases, if you're on the ball enough to understand a threat, it's not threatening. The real terrorism are the attacks (cyber and...um...Analog?) that come from behind.
In Soviet Russia, backwards is everything.
The Bush administration has been warning of a digital Pearl Harbor for years.
However, their desire to collect and to centralize information on government computers for 'homeland security' purposes makes such a threat more dangerous, not less dangerous.
If their proposals for government-accessible backdoors for all encryption were actually to become reality, then a single successful hacker could compromise millions of secure computers and documents in a single attack.
The best solution is to go back to the policies of Clinton's presidency. Let us, the people, take care of our own security without government intrusion, as is our natural right and privilege.
We live in a culture of fear.
First it's anthrax (anyone remember that?)
Then it's suitcase nukes..
Then it's bird flu..
Suddenly terrorists are going break into our computers?!
All of these are existant 'problems' blown WAY out of proportion. I'm counting the days before termites are found in the whitehouse, thus becoming the next terrorist threat.
Cyberterrorism is a stupid word.
But beyond that, there are easier targets.
Railroads carry tanks full of lovely chemicals like SO4 and HCl. For commercial efficiency, they often put all the tank cars together. For historical reasons, the railroads, state highways, and interstates often run close together and intersect. Not far from where I am now is an intersection of two interstate highways, two state highways, two US routes, and a railroad.
Take out the tank cars and drive away in any direction.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
The broader question: is the treat of terrorism credible? Considering that politicians made up the whole concept of "the terror network" from disinformation planted in european newspapers and then failed to listen to the CIA when they told them the Soviet Union was not funding terrorist groups and in-fact it was the CIA that was planting the propaganda, how can we possibly believe that terrorism is capable of any more than the few isolated incidents that have befallen the world in the last dozen years? We're talking about a total number of deaths less than a year of ordinary people driving cars on the national highways. The chances of becoming a victim of terrorism are less than the chances of being hit by falling space debris.
How we know is more important than what we know.
Maybe. But probably not. If terrorists use a computer to do something that kills people, its regular terrorism. If somebody screws with my computer, that person is not a "cyber-terrorist," he is just a regular criminal (and also, likely, a douchebag.)
So maybe what I mean is... no, it isn't remotely credible.
Who did what now?
I don't know about a cyberterrorist, per se, but there sure are a lot of compromised machines out there. Anyone remember the article that quoted an estimated 200,000 zombies added every day?
2 /alan-cox.html:
Alan Cox said it best in this interview http://www.oreillynet.com/pub/a/network/2005/09/1
"We are still in a world where an attack like the slammer worm combined with a PC BIOS eraser or disk locking tool could wipe out half the PCs exposed to the internet in a few hours."
There's something a little strange about spending hundreds of billions to create a missile shield on the off chance the terrorists are smart enough to build a viable nuclear weapon AND deliver it on target via ICBM from thousands of miles away... but too dumb to figure out how to trigger a cascading failure with a DDOS attack.
Truth is, if the raids on strongholds in Iraq are any indication, they can barely figure out how to upgrade to Windows 98. I'd be more worried about my government bankrupting me than anything the evil terrorists could pull off.
I'm not sure that's really what you want. IIRC, the attempts to make key escrow mandatory with Clipper were on Clinton's watch. The sooner we quit believing that one party or another is interested in freedom, the sooner we have a chance to preserve the dwindling amount of it we have left.
I too have felt the cold finger of injustice.
Fear is a fantastic way to control people and get big dollars into big lobbiests pockets. It is also a good way to divert focus from real issues.
Unfortunately these measures only give a false sense of security. All the aircraft carriers can't stop a few punks with box cutters from hijacking a plane or whatever.
Huge security measures in the internat will be equivalent to airport security. Pain in the ass (in more ways than one), queues, loss of service etc for Joe Average and ineffective.
Engineering is the art of compromise.
I don't know if it will happen from what we think of as terrorists, but I'll go on record saying that we'll eventually have a Nightmare worm.
It could have already happened, but perhaps the worm writers had a conscious. There will be a worm that 0-day exploit that compromises a common MS Windows service and isn't so polite as SQL-Slammer. Slammer infected almost every vulnerable host in the world within 10 minutes. I would call Slammer a 'polite' worm as it did no harm other than flooding networks.
It's certainly possible to write an impolite worm. One that doesn't just spread itself, but after 20 minutes of attempting to spread itself decides to stop all of your services and then wipe the data off your hard drive. If a computer isn't directly affected, it will probably be affected downstream by the network traffic or reliance on Windows network services. Those that managed to survive may have a hard time finding other surviving resources.
Hopefully the business world has backups, but can you imagine the global disaster that would follow? In 30 minutes almost every computer in the world is down. Airlines will be grounded, you may lose electricity, you might not be able to order a mocha frappancino(tm) at your favorite fourbucks.
(Not to be judgemental, but in today's world if it doesn't target Windows it's not the Nightmare worm)
Kind thoughts do not change the world
I was working at home on 9/11, and yes: CNN was down until they put up a no-graphics static page. Slashdot was up and running just fine.
Anent to the article, I think the so-called cyberterror threat is not so much Al Qaeda as it is Eastern European organized crime, and the threat is more centered towards e-commerce (Amazon, eBay, gambling sites) than public infrastructure.
Al Qaeda wants to perform acts that make people afraid to go to work, not acts that keep them from bidding on Beanie Babies or playing Texas Hold-em. DDos-ing Amazon or Partypoker.com isn't the sort of deadly blow against the infidels that gets them out of bed in the morning. Yuri and Vladimir, on the other hand...
But the real "cyberterror" threat is the potential US Government overreaction towards any potential threat, real or imagined. Since the early '90s, the government has viewed the Internet as something big, scary, and untamed. COPA, DMCA, you name it, they'll regulate it. Even now, look at the way the Federal Election Commission has been eyeballing political blogs: free speech or political contributions?
If there's a threat, it'll be from Capitol Hill or 1600 Pennsylvania Avenue, not some cave on the Afghani-Pakistani border.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
Yes, I know that deaths due to terrorism is low statistically-speaking. Honestly, it's not something that I spend awake nights worried about. Overall, I'm probably a lot like you in feelings about the terrorist threat. Statistically speaking, it's so far into the noise that maybe it should be ignored.
The problem with this way of thinking, though, is that most ordinary people believe that terrorism is not an act of God, and that it is, in some way, a preventable issue. When it comes to auto accidents, ordinary folks want to put controls on those items that can lower the risk of death (preventing DUIs, speed limits, mandatory seat belt laws, etc). It's the same with other deadly issues--like how people want McD's to have healthy choices on their menus because heart disease is so prevalent (now, whether people make good choices is another issue...). Or smoking--how much energy/money has been spent on getting people to stop?
People can accept deaths. It's a normal fact of life, and it sucks when it hits close to home. It sucks even more when those deaths could have been prevented with simple measures. If a party got out of control and a guy that was totally blitzed got behind the wheel and kills your wife/husband/mom/sis/friend/etc, you'd be pretty darned pissed and that incident would leave a hole inside you that might not ever heal completely. That's reality. Also, you, being a responsible citizen and registered voter, would be so upset and hurt that you just might demand more steps be taken to prevent others from feeling how you do. So, you call your local politian.
Economically speaking, no deaths are without consequenses. If it's preventable, then it can be calculated how much the solution would cost and how many deaths it would prevent. Those "non-dead" people earn incomes and pay taxes. If those expected taxes are greater than the proposed solution, then we have a winner. Of course, not all decisions are made based on pure economics. Many people are simply willing to pay higher taxes in favor of more safety, just because we like not having to go to our loved one's funerals.
I do understand what you're saying, and the rational part of my brain agrees. The part that hates going to funerals, though, tells me that if a death can be prevented, maybe we should go out of our way a bit to prevent it.
Long, cute, or funny Sigs are just another form of over compensation, used by geeks, nerdz, etc.
The DOD already operates a separate internet for classified material. It's known as the Secret Internet Protocol Router Network, or SIPRNet. So yes, an alternative "G-Internet" is more than feasible - it already exists.
No, staying technologically superior makes a lot of sense. Even if it is to fight an enemy that does not exist yet.
Staying technologically superior is also a form of corporate welfare. Same with war. Without going into the obvious politics of war, was the $30 Billion Shock and Awe phase of the war needed? We could have done just as much damage dropping $10 million worth of diesel fuel and nitrate in 50 gallon drums from cargo planes. But who would that have helped out? Not GE, Lockheed, Boeing, or anyone else who makes high precision implements of death.
Call me an idealist, call me a purist, but if we rewarded technology for the sake of technology, not for how many people it can accurately kill, then maybe people wouldn't want to attack the U.S. Don't believe that "They hate our freedom" line, it's a lot more complicated than that. If a country acted benevolent, didn't cowtow to corporate interests, and took a leadership role, both in its own society as well as in global matters, as well as (and not just) a moral compass, then do you think that country would be the target of attacks? If the U.S. said that they were going to develop a cure for aids, paid for that, and then licensed out the manufacture of the pharmaceuticals, then do you think that there would be a pissing match with African nations over patent controls?
Everyone says that technology is not a panacea, but even still, we've yet given an honest attempt to prove them right. We're still all stuck on that greed thing.