Government Cyber Storm Ends
Bemmu writes "Mainichi Daily News and BBC News are reporting that the 'Cyber Storm' operation, for testing how prepared America is for fending off cyber attacks, has now concluded. Apparently they even used bloggers as part of the operation, as relayers of misinformation!"
Are you trying to tell me bloggers aren't reliable??? My whole worldview has come crashing down.
Clearly it hasn't ended and Slashdot is just being used for misinformation!
Sounds realistic...
Man, I am so linking to this.
We are not wiretapping without warrants, this was just "misinformation" that was leaked to America to see how "gullible" they are. Of course, this official press release is completely legitimate and not consisting of misinformation.
- Emperor Bush
If the exercise Hurricane Pam is to Hurricane Katrina as Cyberstorm is to an actual cyber attack, then we're in deep doodoo. No smiley.
Trusted by cats.
The exercise had given the US "an excellent opportunity to enhance our nation's cyber security," the US said.
What? They finally told Microsoft to release a secure OS or else...?
Seriously, most "cyber-attacks" are as much the result of criminals, professional spammers and teenage virus writers as it is the result of the single shoddy OS they target. Both are needed for an attack to work. The rest can easily be taken care of by training IT professionals better and by selecting more secure OSes.
And no, before you ask, I'm not trying to push *nix or MacOS against Windows: while I do believe Windows is badly designed at core and will always be insecure one way or the other, if Microsoft could make it secure, it would most certainly give a lot less headaches to the DHS folks.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Cyber Storm took place on computers isolated from the net
Right... This way they're not actually vulnerable to anything, such as BotNet attacks by little script kiddies who want ad revenue. Or maybe they just were afraid of Windows Update.
After thinking that the Internet had dodged a bullet from the Cyber Storm of the century, reports are now coming in that several cyber levees have been breached and the internet is filling with spam.
I lost my sig...
I have to wonder how much MySpace, LiveJournal and other blogsites were affected by this. Did the Cyber Storms use any of these vulnerabilities to test the infrastructure?
I wonder what happens when they use crackers instead of hackers.
"The war game drew in 115 agencies from the FBI and CIA to the Red Cross, the Department of Homeland Security said."
"IT companies and state and foreign governments also played a role in responding to the mock attacks."
These "simulated" attacks are all well and good, but they are being performed by entities meant to keep the system secure. Isn't that only attacking from one angle? Did these groups attack the systems like scriptkiddies would? Like seasoned professionals not skewed or influenced by "standard corporate security measures"? Did they take into account social engineering and attacks from the inside?
That would explain the "Nude Paris Hilton demonstrates latest version of FireFox while denouncing Bush administration" links that mysteriously went to the Bonneville Power Administration.
It will be interesting to see what comes out of this. There is much work needed to be done to improve computer security and perhaps events like this will raise public profile (and funding).
People truly rely on the internet now. Perhaps it is not as important as the telephone system, at least in terms of preserving life and limb, but the economic damage from a sustained, widespread internet outage would be tremendous.
On the plus side, if the internet was unavailable, I think many people would at least temporarily rediscover the real world.
FREE - Java, J2EE and Ajax Audiobooks for Software Developers - www.DeveloperAdvantage.com
.... that all known US Military / NATO et al. intelligence compromises have been perpetrated by their own employees, or former disgruntled employees.
The Cyber Storm exercise appears yet again a vendor dog and pony show to impress the current check signing crowd to buying more worthless stuff.
Some years ago MS tried to wire-and-run a cruiser off the Virginia coast in a test of Windows NT at ship control with a minimal crew. NT crashed about 30 minutes into the test and the ship had to be towed back to port.
Toodles!
"It was carried out on secure computers in the basement of the Secret Service in Washington DC."
How many bloggers can be crammed into the basement of the Secret Service in Washington?
"linux" is a very common word and was not included in your search.
"The Internet survived, even against fictional abuses against the world's computers."
I've got this picture of DHS undercover agents running around screaming "the sky is falling, the sky is falling!", and then making chicken-clucking noises. Nobody panics, and they proclaim "Right then, all is well".
My tax dollars hard at work...
"We are all geniuses when we dream"
- E.M. Cioran
Is the data light on my internet connection still pegged.. Was not before this thing started...
But, but, but... Like, it so HAS to be true! I mean, like, 20 people on my Livejournal friends list linked to it just today.
I like how the article ends:
There was no effect on the internet.
The exercise was the latest in a series of simulated attacks, including a gas attack on the New York subway.
------------
New York Subway, Interior
A loud booming noise, followed by the sound of escaping gas is heard. People fall on ground, writhing in agony. Two gas-masked figures enter.
OFFICER ONE: Remain calm, people! I am with the ATF, and this subway gassing was just a test of our nation's emergency contingency plans! Please resume what you were doing before!
OFFICER TWO: Errr....
OFFICER ONE: No effect on the Internet whatsoever! AMAZING! You there! I'll have a foot-long Italian sub. I can get that toasted, right?
Please stop stalking me, bro.
If the internet weren't so free, and filled with information, people would not spend so much time on it. In the real world, no library or public place has this much information. In the real world there are thousands of laws. In the real world it is much more difficult to organize hundreds of people into one place and get them to socialize.
Apparently they even used bloggers as part of the operation, as relayers of misinformation!
Astroturfers are terrorists.
*golf clap*
Well, that explains most of the recent Slashdot headlines.
-David
IANACE (I am not a computer expert) but I have to say that Science Fiction, poor as some of the plots are, has already taken this game to a level that the US, or any government, cannot even imagine. The plot in The Terminator and The Matrix is only going a little further than what reality is probably already producing.
What the world knows of virus and malware programs is only what has been discovered AND disclosed to the public. It is quite probable that there are malicious programs out there that are stealthily eating away at personal and business data or waiting till the right moment to do so, or worse, transmitting small bits and pieces of it back to the 'boss' on a regular basis. The latter has already been shown to be effective.
Any exercise done to improve or test computer security is farcical in comparison to what the imagination of any geek can dream up. No, I don't have the program sheet for the tests done, but I do know that they cannot have tested for security against what I can dream up... and trust me, if I can dream it up, it's probably already being done.
Imagine a program that replicates itself, is small, does not trigger AV software, is executed by the computer user, does no damage, but propels itself across the networks until it finds itself on the computer of some user whose first name is Bill, and belongs to the domain microsoft.com. Now, every time that Bill lets his screen saver run, or recalculates some values in MS Excel, the program looks to see what the oldest file on the computer is, and queues it for transmission to another host when such transmission is likely to be unnoticed. (You figure out when that would be.) It's not so hard to see such a program working, and going undetected by AV software. Yes, yes, I'm sure you could figure out how to catch it, but the time from zero-day to eradication would be a long time indeed.
The selectivity of this program would make it very difficult to identify and get rid of. Especially if it is passing data from one infected machine to another so that final destination is impossible to find. I hate to say it, but Tor and BT could be used for impossibly complex industrial and government spying.
The only way to stop malware is to disconnect the network cables, or very strictly control what passes over them to your computer or network. That gets difficult when such programs can mutate and then try tunneling via http etc. An http post request would be difficult to defend against if you are running an http server?
Now, to get modded down: Didn't the US government think they were prepared for natural disasters? I'm sure that people in charge of such things do all they think reasonable to be prepared, but that force5 program is just waiting for them....
Support NYCountryLawyer RIAA vs People
Using bloggers to relay misinformation is another blunder by the government. It only stands to reason that since most of them can't get things straight, they'll actually end up relaying correct information.
Naturally I'm one of the bloggers for whom that does not apply.
I thought by now everyone would realize the only way to achieve true Internet security was SkyNet.
How many comments do we need asking "what if this", "what about that", "why don't they make Microsoft fix their insecure OS", etc? I for one, am excited that the government even attempted this exercise. The smart folks who were involved with this definitely learned valuable lessons. Likely, as was seen with hurricane Katrina, communication was the biggest obstacle. Even the PHB's will notice the major problems. Please keep in mind that the government is a large bureaucracy and as such, is large and hard to change.
Also keep in mind that the information security profession is still very immature. Remember that doctors and lawyers "practice" their professions. Do we "practice" information security? Engineers are legally required to submit their designs for peer review for all municipal projects. Is that same level of review required for information security for government efforts?
We still have quite a way to go, but we are making steps forward.
WTF...
Considering the massive digital leakage that has been being reported (information leaking from all sorts of places, including the IRS - the real reason they dropped teletax).... and the most popular OS being one produced by what is primarily a marketing company, not even a secondary technology company, but a legal firm and buyout company (Microsoft)...where their own anti-spyware disables third-party anti-virus software (Symantec - a cpu and resource hog)...
Let's get real here. Stop wasting taxpayer money on theories and the following of Bush's faith path.
If you want to be secure, don't connect to open lines with non-secure systems. And even better, get your priorities straight.
The only thing real about this is that it's genuinely misinformation itself. Where even those participating are the most gullible.
Want to protect the US against misinformation? Get rid of the Bush administration... tell them to move to Iraq and set up a remote office from there.
What the hell is cyber security worth if there are other worse and more down to earth and real problems than playing "the matrix"
Computers are tools created by man and as such they can and do break, leak, etc... just like any other man made tool.
The difference is that breakage is taken into consideration to reduce physical harm.
Man made tools should not be relied upon in critical matters unless they have been designed to fail in such a manner that is safer (consider the auto industry..)
Now there is the other side of this "cyber storm" that of not protecting the American public, but of deceiving the American public.....But the government already knows how to do this as the war on Iraq has proven beyond doubt and the government (1 person, no conspiracy just the nature of politicians that would then obviously inherently play on it) can and does resort to threaten the resources it needs into co-operation (anthrax threats on the new media to help bang war drums....)
Putting all this into perspective - see recent Slashdot story regarding an adware company hiring one individual to implement something that then took down a critical care hospital network.....
It's the American way....shrug
The US government/military has its own telephone exchange system, separate from the public telephone system. I'd imagine they would also by now have their own digital communication network.
It also seems the NSA failed to update their system to handle the y2k problem, as their system went down (all of them) for some number of consecutive days...
I think for anyone to do the accounting of government failures in system maintenance and honesty to the American people, it would clearly expose where the real national security risks really are.
The cats - they are not truly Tabby! They are all Maine Coon!
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I can't think of any way they could really fight misinformation from blogs successfully other than forcing the "wrong" blogs down, since most might not be so trusting of a politician saying "I'm not bad. I'm good. I'd never do anything crooked".
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
What I want to know is how exactly one would go about simulating a "cyber attack". Or more precisely, what exactly is a "cyber attack"? Quite frankly, I have never been a fan of the whole "cyberterrorism" thing. To me, the "threat" seems abstract, ill-defined, and reeks too much of Y2K-style overreaction-through-misunderstanding. For starters, I wonder how a "cyber attack" would be different from the kinds of attacks that we see day in and day out, like the literally hundreds of attempts by zombie machines to gain access to my machine each and every day (it's a fact of life)? What kind of platform would these attacks be launched from? Are we talking about some hackers trying to break into government computers or network of computers trying to flood traffic (noting that accumulating a large enough pool of such machines to do damage on a large scale--not just knocking a site or two down--without being caught is not trivial)? Furthermore, one has to wonder how they can accurately simulate such a thing when technology varies so much and can change so fast. What sort of attack will it be? Different systems, different software, different versions, etc. will react differently to attacks.
I'm not saying that this simulation is bullshit per se; I grant that there is certainly the possibility that the simulation was well-planned enough to address a wide array of realistic scenarios, but in my personal experience, a significant portion of IT-savvy people are really not that competent (not to mention many of the sorts of ill-informed comments one sees on /.), and I have to wonder if these people really knew what they were doing or if they were just holding a worthless exercise with a nice flashy headline-grabbing name.
Sounds like bullshit to me.
All in the basement of the secret service eh.. You'd hate to see what I do in my basement..... ^_-
Missionforce bad, but Cyberstorm 2: Corporate Wars was terrible.
Did you even read the summary?
Typical clueless /.er
Some mock attacks were aimed at causing a "significant cyber disruption" that could seriously damage energy, transportation and health care industries and undermine public confidence, said George Foresman, an undersecretary at the Homeland Security Department.
Then why are they on the public internet and not their own private one? I guess cost is one factor.
qz
Apparently they even used bloggers as part of the operation, as relayers of misinformation!
That one's gotta hurt! Expecting some awesome replies to that one.
What exactly can the government protect us against online? Nothing.
This is just some wh00ped up bullshit to create a perception that The Government is here to help you. What a crock. Ah, well, surely the study will prove that more expenditures are needed to "avert a cyber disaster" and we'll all pony up the dough at gunpoint to give their cronies some revenue.
Any takers on whether Halliburton, Diebold, or Tomorrow's Pet already own or will soon own a subsidiary specializing in network security?
I jusrt though I would post and let you alkl know I and so fducking frunk right now I am in New York and r drunk and hahq reading the interweb. Jesus H Christ thank god at least call of duty runs on my mac.
Here is an example of "misinformation".
Fear is the mind killer
They do not protect you,
just justify what they do.
never pull a fast one is Doom, Executive Edition.
My question: which blogs and what misinformation? I'm curious...
Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
This is one of those projects that the taxpayers paid about 20 million dollars for, but could have been done by the taxpayers for free. Reminds me of the 300,000 dollar toilet
No, not actual bloggers. The simulation included the use of simulated bloggers to spread dis/misinformation and thus exacerbate the attack spread. All part of the wargame, folks -- nothing to see here.
Apparently they even used bloggers as part of the operation, as relayers of misinformation!"
... nevermind, I got nuthin'
In Russia...
Why am I reminded, by reading this post, of the Bush admin response to Katrina?
An amazing similarity. In either scenario, the bodies on the ground weren't consulted as to whether or not the problem was serious.
As for recovery in New Orleans and that general area, it will be a very long time if ever coming. Why? Even to me, sitting in front of a monitor a thousand miles away, it's extremely obvious that the only recovery the feds are interested in is just enough to the port itself to get the oil flowing again, or move that traffic to some other port. I expect the current facts are about 75% has moved, 15% is still to be repaired out in the gulf, and maybe 10% is now moving through the port of New Orleans.
Away from New Orleans, we have gas for our cars, and enough natural to keep our feet warm most of the time. And until somebody's feet are cold, in an office with the clout to do something about it, and his local gas pumper demands cash before turning on the pump to fill up his 3 bedroom suv, the situation is not going to markedly improve.
And the saddest part is the displaced blacks, many of which have a 2nd rate education because they had 2nd rate schools in their neighborhood because we've had a 2nd rate government for the last 90 years, maybe more, are going to get a hell of a lot colder and hungrier before it's all said and done.
If we, the voting public, do not reclaim the theory that the government is OF the people, BY the people, FOR the people, then I fear this 230 year old experiment in Democracy will have come to naught.
These next elections folks, take a good look at ALL the candidates, not just the big two cats currently engaged in a sometimes entertaining, always maddening spitting match, and vote for the best man/woman for the job, regardless of the job, and regardless of the party. I know full well there are wannabe candidates out there that could do a far better job than what we've had for at least the last 50 years. But when they can't afford to get a word in sideways between the republicrats and their pissing matches, it's not a fair fight.
So pay attention folks, if you want to save the democratic form of government. It takes YOUR participation to make it work, so learn about ALL the candidates, and then VOTE. (And I don't think it needs to be said, but I will anyway, BUT NOT on Diebold machine)
Like Ben Franklin said, Democracy is a very bad form of government, but all the others are so much worse.
--
Cheers, Gene
I am a computer expert.
If the program can actually think, I'll be impressed. The only algorithms humans have been able to come up with would take far more than the combined processing power available on the planet to simulate anything approaching a human consciousness.
And, if the program doesn't have a human consciousness, it can't mutate as you describe:
That gets difficult when such programs can mutate and then try tunneling via http etc.
No program is smart enough to "mutate", wholly on its own, to try tunneling via http. If a program tunnels via http, that means the programmer intended it to.
The kind of "mutation" you may be thinking about would be a program rearranging itself such that it does exactly the same thing, but the file is wholly different. Or a program doing things randomly enough that AV software, depending on fairly predictable behavior, won't catch it.
And then there are things like Gentoo. Almost all the software on my system is compiled from scratch on my system. And since much of it (the kernel!) is evolving quite quickly, such that often I can't even apply legitimate patches properly, I doubt any virus would be able to modify the Linux source code, on its own. It is possible to rootkit a box, but it's not really possible to "rootkit" source code, and every now and then I reinstall my box from source. For a virus to withstand that, it would have to at least be of human intelligence.
And I'll admit, the possibility of a human-created, human-controlled virus is quite scary. Construct a bot-net, distribute updates to your bots, keep them connected only loosely, and keep your vectors of communication and infection fairly random and always new. If you wanted to be destructive, you can always send an "update" which flashes any firmware it finds on the target system -- even if you don't know about many kinds of firmware, you'll know enough to destroy a pile of Dells.
That would at least partly solve the problem of "at least human intelligence". But you'd still have to be doing it manually.
But, for your first step, you need a way in. And you'll never get into my box. Why? I don't do stupid things like download untrusted software, or open random email attachments, and I run a fairly secure Linux, so you probably aren't getting in unless I make a stupid mistake. Which I'm not going to do.
I'm not saying everyone's immune, and I'm certainly not saying Microsoft is immune. And you're right, the only way to absolutely guarantee security is to disconnect. But it is possible to build a system such that, while it's not absolutely secure, it's at least as secure from the network as it is physically, meaning that even if someone targeted you specifically, it'd be easier to get into your building than to get into your network.
And by then, unplugging does almost nothing to improve your situation.
By the way, Hollywood has some very interesting ideas, but most of science fiction is written by people who have little understanding of how the science involved works, whether it's computer science, physics, whatever. And especially when it comes to "hacking", much as I enjoyed the Matrix, I have yet to see a movie that is even close to reality. The closest I ever saw was in a Matrix sequel, Trinity actually used an ssh client, instead of some made-up interface.
To give you an idea, go back and look at older movies and science fiction. Isaac Asimov almost never mentions computers, and certainly never has the idea of a laptop, even as he has people flying through space in ships they built themselves. For that matter, often we see old scifi representing computers as being sentient, but still extremely slow at performing any calculation, still using tape reels and such. Or we see someone's idea of virtual reality, like, say, Tron, which includes MANY sentient programs, even a whole civilization of programs, complete with religion, philosophy.... and the graphics absolutely, positively suck co
Don't thank God, thank a doctor!
"Did you even read the summary? Typical clueless /.er"
Yes, and the summary and all of the articles that I've read never discussed how they dealt with the threat of bloggers spreading misinformation. Of course, they can't--that would give valuable aid to the enemy.
How would the government respond--in theory, during a crisis--to misinformation being spread via a popular blog? Do you have any guesses?
I don't think that it's a huge step to say that--during a crisis, of course--whoever hosts the blog would be asked to shut it down. Do you?
All these comments and not a single WOPR reference? "Do you want to play a game, Dr. Faulkner?" I read this article and this was the very first thing that came to mind...
"Apparently they even used bloggers as part of the operation, as relayers of misinformation!"
*Whew!* I knew it! I knew that there was no way that they would have let Bush be President. I told my friends "I think that it's some sort of misinformation campaign, maybe they're just testing us!", and I was right! So now that it's over, do we get to find out who the real guy in charge is?