The Hysteria of the Cyber-Warriors

Willfro sends in a piece by Evgeny Morozov at the Boston Review about the hyperbole and the reality of "cyber war." Quoting: "At the end of May, President Obama called cyber-security 'one of the most serious economic and national security challenges we face as a nation.' His words echo a flurry of gloomy think-tank reports. Unfortunately, these reports are usually richer in vivid metaphor — with fears of 'digital Pearl Harbors' and 'cyber-Katrinas' — than in factual foundation. So why is there so much concern about 'cyber-terrorism?' Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies — which need to justify their own existence — and cyber-security companies — which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts."

Ignorance Leads to Fear Leads to Profit

[eldavojohn]

Unfortunately, these reports are usually richer in vivid metaphor -- with fears of 'digital Pearl Harbors' and 'cyber-Katrinas' -- than in factual foundation. So why is there so much concern about 'cyber-terrorism?'

Because no one fully understands it. And not understanding something can easily lead to fear. And those standing to make money off that fear (journalists, contractors, agencies) are unashamed to exploit it.

I'm a computer scientist and I don't even understand or know about every potential vulnerability. It's simply too complex ... and that's easy to turn into fear when you're talking to the people who are in charge of protecting us from threats. And the potential mitigation techniques are another endless myriad of complex software/hardware. All I can say is that it is highly unlikely that a Live Free or Die Hard 'fire-sale' scenario will happen. I can't in good conscious tell you it's impossible. I can tell you that the probability of it happening within a year would most certainly be dealt with in multi-digit negative powers of ten. Then there's the possibility of lesser attacks which are highly probable but I feel that the cost-risk ratio is all messed up. Again, I believe this is due to ignorance.

You get into a weird sort of emperors-new-clothes kind of situation when the only people who understand your problems are also the ones trying to sell you a solution. And they're just not being openly honest nor realistic with you.

Re:Ignorance Leads to Fear Leads to Profit

[sopssa]

I agree. And seems there just keeps coming more and more news about how this goverment facility was attacked, how that goverment office was hacked and how pretty much whole goverment is in cyber war with china and other "bad countries". For me it seems like US is trying to push that into peoples minds, so they can more easily create new laws to restrict internet. Seems goverments are quite afraid now that normal citizens can quite freely tell their opinions to large user base. TV and radio and other ways to tell your opinion to lots of people were restricted and under goverment control before. Freedom on the internet scares them.

Re:Ignorance Leads to Fear Leads to Profit

I agree and I would add the simple fact of life that politicians love to BS and love to be seen as though they are "with it", whatever "it" happens to be at the time. Same thing over here in the UK, all the policticians are using the prefix "cyber" on every bloody thing they can, without really thinking about it. Old gits, with about 5 years of working life left, before they bugger off to some highly paid consultant job, bandying "cyber" about like so much confetti. Just to make it seem like they understand this wonderful tech, which they love trying to take credit for putting in place!

Like most politics, all smoke and mirrors. Make the public think they getting something they asked for, make it seem like the gov is in control, while they have no more clue about the state of things than the local knitting circle!

Re:Ignorance Leads to Fear Leads to Profit

[FriendlyLurker]

Not to mention that in the process of securing against the "cyber-terrorism" bogeyman, an big added benefit for ruling elites will be removing net anonymity and related speech in the name of national security, bringing all those blogs and uncontrollable information channels under heel in a more hierarchical system - or at least more accountable to an "authorized views", type system - ("Take down that anti-war protest site and uncensored video footage - preempt information warfare against our war, sir") and of course, only authorized p2p channels and protocols allowed in this future we are manufacturing, thanks.

Re:Ignorance Leads to Fear Leads to Profit

"I'm a computer scientist and I don't even understand or know about every potential vulnerability. It's simply too complex"

And yet you're claiming that "the probability of it happening within a year would most certainly be dealt with in multi-digit negative powers of ten."

Not sure where you're getting your confidence from. You've basically just said that these complex systems are extremely vulnerable. Meaning, even you can't be clear to what extent these vulnerabilities can be used to cause damage.

Re:Ignorance Leads to Fear Leads to Profit

[johnsonav]

Because no one fully understands it. And not understanding something can easily lead to fear.

Understanding plays a large part. But, it's also about an individual's lack of control. Most everyone depends upon the network and computer infrastructure of our world to meet their basic, day-to-day needs. Almost all of that infrastructure is out of their individual control. Their actions have no direct relationship to how likely they are to be affected by any "cyber"-attack.

People don't get this batty about hurricanes or even conventional terrorist attacks (like 9/11); not everyone is equally likely to experience such an event, and there are actions one can take to minimize their risk. Things like cyber-attacks and virulent diseases provoke more fear because they are seemingly harder to mitigate by individual action, and are seen as more equal-opportunity.

Re:Ignorance Leads to Fear Leads to Profit

[visible.frylock]

I see your point, but that can't be all there is to it. If we take sept 11 for example, it doesn't take a genius to figure out that the cockpit needs to be locked, secure from both attackers and the pilots themselves. And sure, the average person might not understand the concept of an air gap, but they don't understand how a real crack works either. So, given two possible solutions, one rational, and the other "omfg, we're gonna die unless we have a panopticon prison state!" that they're equally unclear on, there must be something else going on that makes fear the default position.

Over the years, I've started thinking it has a lot to do with controling TV. If you control what the box says, you control the reality, or at least the perceived reality, of the populace. From another angle, that's another good point for putting more strict controls on the internet, from the point of view of those in power. I'm sure they would love to turn the internet into glorified TV for content, and into a walled garden for things that actually do need a real grown up global comm system, like software updates. All without encryption of course, except for license holders.

Re:Ignorance Leads to Fear Leads to Profit

Unfortunately, these reports are usually richer in vivid metaphor -- with fears of 'digital Pearl Harbors' and 'cyber-Katrinas' -- than in factual foundation. So why is there so much concern about 'cyber-terrorism?'

Because no one fully understands it. And not understanding something can easily lead to fear. And those standing to make money off that fear (journalists, contractors, agencies) are unashamed to exploit it.

Remember Y2K?

Re:Ignorance Leads to Fear Leads to Profit

[netruner]

Agreed - the likelihood of a "fire sale" scenario is very minimal, but the odds for any given individual getting caught up in a specific attack on a "soft target" such as in the TJ Maxx case are about 1:1. I have already been involved in 3 - one of those incidents put a coworker in the sights of an identity thief. This is the issue: It's the same old game - "Security is a cost to be minimized, not a "value-added" feature of a business", "It's not like we're protecting national security info", "Why would someone want our data?". Until this old-school mindset is broken, the problems will persist and fear of consequence is the only way to motivate the decision makers in the short term.

Fear leads to anger, anger leads to hate and hate leads to suffering. - Yoda

Re:Ignorance Leads to Fear Leads to Profit

[TaoPhoenix]

IANACS though. But neat to have another acronym.

Re:Ignorance Leads to Fear Leads to Profit

[pipingguy]

When all you have is a hammer, everything starts to look like a nail. But now we have pneumatic hammers with 100 round magazines and a plethora of frightened people willing to get their hands on them.

Re:Ignorance Leads to Fear Leads to Profit

[JAZ]

Most everyone depends upon the network and computer infrastructure of our world to meet their basic, day-to-day needs.

Really? I personally don't. Can you cite examples? Most of the systems that I rely on predate the computer and network infrastructure by decades. I have enough food and water around the house to last a week of normal consumption (i.e. without rationing). I'm pretty sure that I don't need a computer for my toilet to flush (I'll admit I could be wrong about that). Other than that, I rely on roads, but I don't *need* the traffic signals to work. Power is a nice to have, but again not required. what else? TV? slashdot? reddit? the IRS? the military? I'm pretty sure I can manage for quite a while without any of those.

Re:Ignorance Leads to Fear Leads to Profit

[johnsonav]

Really? I personally don't. Can you cite examples?

Sure.

Though you state later that you don't need electricity, a large percentage of the food sold in the US requires refrigeration of some kind. Most people could last a week eating just the non-perishables in their homes, but any longer and they might start running into problems.

The production and transportation network which gets that food to your supermarket is heavily reliant upon computers. Just-in-time shipping, and complex international supply chains rely upon networks of computers to function.

Even then, the employees of those companies which produce the things you need are usually paid by check or direct-deposit, not cash. How long do you think they'll continue to work if the banking system--which relies upon computers--is down, and they can't cash their checks or withdraw funds from their accounts?

Now yes, we don't strictly need computers to do any of this. We got by just fine fifty years ago, and could do the same thing today. It's the sudden transition that's the problem.

I'm pretty sure I can manage for quite a while without any of those.

Probably. But, I'm not just talking about some Mad Max style societal breakdown. The US GDP is $38 billion per day. If you could disrupt even 2.5% of our economy through a cyber-attack, thats one billion dollars per day in lost production. That's a big deal.

Re:Ignorance Leads to Fear Leads to Profit

[Svartalf]

Agreed - the likelihood of a "fire sale" scenario is very minimal, but the odds for any given individual getting caught up in a specific attack on a "soft target" such as in the TJ Maxx case are about 1:1. I have already been involved in 3 - one of those incidents put a coworker in the sights of an identity thief.

Indeed. In fact, there's quite a few soft-target attacks that're possible that people just don't give thought to that can really cause a lot of havok.

Moreover, there's a few hard-target risks that really DO exist out there that aren't getting anywhere near the attention that they need to get. While the doom and gloom prophets ARE hyping things up, there ARE things that're being left unguarded that ought not to be and could be something that CAN bring about a vast amount more damage than the gainsayers will tell you about or even realize themselves.

Re:Ignorance Leads to Fear Leads to Profit

Why would someone want our data?".

Both your post & it's parent are completely on the mark. The statement above which I quoted is part of the same mentality that leads into "If you aren't doing something wrong, you have no reason to care if you're being watched, searched, etc.".

The best quote is the old "First, they came for the xxx" but so many people's brains shut down the second they hear you say that, it has lost its effectiveness. People are back to the old mindset that bad things won't happen, and the time is ripe for abuse by the powers that be.

Just like what Hitler (and many before him), the government is putting the big scary Fear machine into effect, so that not only will people be distracted from the real sources of worry, but willing to sacrifice all personal control for whoever rides in on the white horse to save the day.

More people should read "The Prince" and then take a second look at their leaders. I'm not just saying the US, but pretty much the whole planet at this point.

Re:Ignorance Leads to Fear Leads to Profit

conscience not conscious
within not "with in"

Re:Ignorance Leads to Fear Leads to Profit

[Anne+Thwacks]

If you could disrupt even 2.5% of our economy through a cyber-attack, thats one billion dollars per day in lost production.

Here in the UK we lose a good deal more than 2.5% of our productivity through having to comply with pointless beaurocratic nonsense. The government's main response is to to add an extra layer of beaurocracy to everything.

The real cyber-security problem at the moment is the unwillingness of government to do anything at all about spam. Hell, if they can't arrest and incarcerate even the biggest and most blatent spammers, what the hell can they do about the single, lone script-kiddie who could bring down the world through a miss-placed semicolon?

Re:Ignorance Leads to Fear Leads to Profit

[Arancaytar]

probability of it happening within a year would most certainly be dealt with in multi-digit negative powers of ten

That's not helping, really...

Politician: "So you would say there's about a ten percent chance?"

Re:Ignorance Leads to Fear Leads to Profit

[HungryHobo]

Look, to a great extent the net is fairly robust.
it has some weak points like the top level routing algorithms and such but the die hard thing is utter bullshit.

It takes a great deal of time and effort to break into even one system(that isn't windows or out of date or both), if your plan involves hacking many many systems, some of which aren't even on the internet then best give up now.

Re:Ignorance Leads to Fear Leads to Profit

[JAZ]

All valid points, but... 2.5% would be a huge hit - you're talking about taking down like 600,000 of America's 25 million businesses. Of course some are more important than others but when we get down to small segments that are higher value, we can get by without those for a day or two while either the computers are repaired or the work is process manually. I'm not saying it wouldn't be a big deal or that it might not be painful. But when we talk about day to day dependencies, then we're talking about survival. I am still unconvinced that I need a computers to survive.

Re:Ignorance Leads to Fear Leads to Profit

[johnsonav]

Of course some are more important than others but when we get down to small segments that are higher value, we can get by without those for a day or two while either the computers are repaired or the work is process manually.

I'm not arguing that there is a single facet of our economy that could not run just fine without computers. I am arguing that there are plenty that could not tomorrow. Changing the work flow in those instances takes time. If you have time to prepare contingency plans, you can probably continue working uninterrupted. But, if you don't have them, and know them well, that will mean downtime in the event of some kind of cyber-attack (or many other more innocent types of disruption).

For example: I used to work at a factory that made plastic film. To compete with the lower costs of production in China, we specialized in quick turn around order processing. A customer would fax/email in an order, and we would be producing, and perhaps shipping it, the same day. If there were some kind of disruption to the telecommunications network, work would have stopped within a couple hours, as we would have run out of orders to fill. There's no way to make up for that lost time, as all our machines were already running 24/7. Any downtime is production lost; it's goods which will never be produced.

But when we talk about day to day dependencies, then we're talking about survival. I am still unconvinced that I need a computers to survive.

Maybe you don't. If you have a personal, sustainable source of food and water, you might not. But there are tens of millions of Americans living in large cities who have neither. They rely, on a day to day basis, on the continued existence of our computer networks; those networks that keep the electricity on, direct food to their local grocery, and manage their money.

I'm not saying that anyone will die in one day (even though a disruption to the 911 system would surely mean that). Nor that there is nothing a person can do to prepare for such a situation (many of those preparations make sense for other, more likely disasters). Nor even that we could not transition to a computer-less economy, at least in the long term. All I'm arguing is that the period of transition will be disruptive, and people will die if it takes too long.

Think of the children, goddamnit!

[Em+Emalb]

Uh, seriously? Journalists and other people with something to gain from it take a sensationalist view point and run with it?

Holy crap, really? They do that? Huh.

Oh well. /eats some Cheetos. What's on the tube?

Re:Think of the children, goddamnit!

[Em+Emalb]

/eats some Cheetos

http://www.youtube.com/watch?v=NgFchkUFzqg

All hail Cheesus!

1 Billion Angry Chinese Cant be Wrong!!

[JesterUSCG]

If probed... Should we probe back!

Re:1 Billion Angry Chinese Cant be Wrong!!

[rezalas]

No, but millions of them could be Wong.

Comment removed

[account_deleted]

Comment removed based on user account deletion

More worried about SPAM

[Kintanon]

Of the 63 MILLION emails we've processed for our clients (About 60 companies run through our spam filter) 58 million of them are blocked as SPAM.
So only 1/12th of the email traffic we see is legit. One of our clients has its own spam filter because they process that much email all by themselves and they have closer to a 1/20 legit traffic.
SPAM is a bigger threat to the network than some hypothetical cyber-terrorist.

Re:More worried about SPAM

[Nerdfest]

Spam is an inconvenience. A foreign government (or disgruntled locals) hacking into military or infrastructure systems is a threat, whether or not it's actually happening to any degree. Having most of the susceptible systems attached to public networks is ridiculous.

No governance required.

[Dan541]

Internet security has been an issue ever since the beginning and we have been handeling it just fine. Why should it suddenly become a government issue?

Re:No governance required.

[BunnyClaws]

Because security concerns are mana for The Leviathan.

Re:No governance required.

[al0ha]

Disagree. It should be a government issue, but not solely a government issue and certainly not a clandestine government organization issue. Information and Network Security should be shared and handle by all end-points, government, commercial and private; and they should all work together and share information openly.

Bruce Schneier has an interesting essay which touches on this subject. http://www.schneier.com/essay-265.html

Re:No governance required.

[PPH]

The 'we' that you refer to is evidently not a part of the set of people that connect insecure equipment to the Internet. Good for you, but you don't represent the majority of users.

I wish there was something akin to a driver's license for the web, where a judge could order incompetents to hand it over, box their computer up and take it back to the store. But that's not likely to happen in the near future.

Re:No governance required.

[Sophacles]

I can think of a couple of reasons its a government issue.

* The government has computers on the internet. If our taxpayer money is being spent on government security, it might as well go to benefit infrastructure as well.

* In the last couple of years there has been a major increase in how comfortable "normal" people are with doing business on the internet, with potential negative impact gaining greatly.

* People are starting to take notice at how little security has been designed into a lot of critical infrastructure. For instance I work in the power grid space, and the "security" there is scary bad.

* There is a new administration, meaning different priorities. This idea has been talked about for years, now with a new boss things are gonna "change".[1]

There are probably other reasons too. I personally think it is long overdue. I think there may be some over-hype to it lately, because the * i didnt do is: The media decided they need something new for us to fear.

1. No position regarding our president is implied by my irony quotes, i just wanted to note that this may qualify as change.

Re:No governance required.

[jeff4747]

Why should it suddenly become a government issue?

Because more and more important stuff is being connected to the Internet.

Back when the web was a collection of our ugly home pages hand-coded in html-1.0 view with Mosaic, it really didn't matter if someone broke in to your site.

We don't live in that world anymore.

The post-nuclear war threat

[MikeRT]

The US no longer has to worry about nuclear war or even conventional war because we have the means of "winning" a nuclear war and can easily crush any country in a conventional war except, perhaps, the PRC. Even the European Union would not likely hold out against us in a conventional war. Our military knows that, and the majority of the world knows that. We are in a period of relative peace and stability, a Pax Americana. Thus we have to manufacture existential threats to keep the momentum going.

Going back to that post about government IT spending, I'd like to point out something about the military industrial complex that many don't realize. Just keeping the US military ready to go as a kick ass self-defense force with modest offensive capabilities is expensive. There is plenty of money to go around, and you're much more likely to see the agencies that now have to justify their existence like DHS getting in on this bandwagon than the DoD. For the traditional apparatus, it's always business as usual keeping the basic defense of US sovereignty going. For the rest, like DHS which has to find a new enemy under every bush, they have a lot of good reasons to be afraid.

Re:The post-nuclear war threat

[gtall]

The U.S. no longer has to worry about nuclear war? Probably. However, those nice N. Koreans are about as well adjusted as a squirrel after his third cup of coffee. Want to bet that even knowing full well they'd get annihilated, they wouldn't lob one in our direction if they started something they couldn't win? How about Al Qaeda and those gentle Islamic fanatics. Care to guess what they'd do with one of Pakistan's nukes if they were to, I don't know, maybe get one slipped to them as long as no they didn't ask questions?

Yes, DoD is expensive, losing a war is vastly more expensive. Let's talk some numbers, shall we. The U.S. DoD recurring budget (forgetting about Iraq and Afghanistan) is roughly $600 Billion/yr. Our recurring budget deficit is over $1 trillion. So even halving DoD's budget won't put us in the money. That doesn't count the Me Generation demanding their slice when they start retiring because there's nothing worse than a Baby Boomer who isn't made to feel the center of attention. Deficits from those nutjobs are well north of several trillion.

So no, there's isn't plenty of money to go around. Also, before you hop on the disarmament wagon train, you might want to consider that other countries reactions to the loss of the U.S. nuclear umbrella are probably not what you'd like them to be. First off, if Iran goes nuclear and the U.S. isn't around to back up the Arabs that hate us, the Arabs will want theirs too...of course they could rely on the Europeans...bwahahaahahaha...seriously, no one relies on those jokers. Hell, the U.S. is allied with them and knows better than to rely on them. Then there's the Asian countries who dearly love their Chinese brothers...as long as the their Chinese brothers don't have designs on their land, raw materials, etc...which they do. They will likely demand a nuclear counterpoint to China, Japan will find their pacifist notions are mere indulgences they can ill afford with China pushing them around, not to mention those nice well-adjusted N. Koreans.

Re:The post-nuclear war threat

There's no perhaps for the PRC. If the US fought a conventional yet total war against China, the tech is close enough that manpower alone dictates the US would lose. The US simply does not have the resources necessary to win a conventional war against China.

Re:The post-nuclear war threat

[ahabswhale]

ROFL...history is replete with examples proving that manpower isn't usually the significant factor in determining the outcome of a battle. The real question is whether the Chinese actually know how to fight a sophisticated military. They've never had to prove it. Rolling tanks over unarmed civilians doesn't count. My money is on the US despite any manpower advantage the Chinese have.

Re:The post-nuclear war threat

[Riven.exe]

The US no longer has to worry about nuclear war or even conventional war because we have the means of "winning" a nuclear war and can easily crush any country in a conventional war

Let me introduce you to my little friend

Re:The post-nuclear war threat

[Arancaytar]

There are very, very few countries the USA could attack right now without doing great harm to its own economy, and most of those countries are tiny third-world nations. The stimulus to the arms industry could no more hope to compensate for the damage to international trade, than you could violate the laws of thermodynamics.

The European Union and even the PRC could be destroyed militarily, but each of these events would cause hyperinflation in the USD, and essentially an economic apocalypse in the US. It'd be reduced to foodstamps and barter.

Re:The post-nuclear war threat

[Arancaytar]

(PS: Note that for that to work at all, the military would have to hurry like hell to get the destruction over with because they'd be out of stuff to pay their guys in a few weeks.)

Re:The post-nuclear war threat

[Paul+Fernhout]

"The U.S. no longer has to worry about nuclear war? Probably. "

The USA is terrified right now that just one nuclear bomb will be used by someone in a US city. Because of that terror, the USA is willing to change its entire structure of civil liberties (like allow broad wiretapping without warrants). The terror of just one bomb. Why did we then build about 70,000 of them?
    http://www.brookings.edu/projects/archive/nucweapons/50.aspx
    http://www.nti.org/e_research/e3_atomic_audit.html

So, US military policy about nuclear war has been wrong for fifty years. The cost of losing even one city is too big to imagine, too big to bear. So, we need a different way forward. We need a different vision of national security than unilateral dominance; we need a national security policy that is based on global mutual security.

As Einstein said, with the release of the power of the atom, everything has changed but our thinking. We need a "global mindshift":
    http://www.global-mindshift.org/discover/viewMeme.asp?resourceID=239

Fear == Revenue

[iCantSpell]

If country A were to take down country B internet connection then country A wouldn't be able to spy on country B or even get sensative info. I honestly don't think it's a big of a problem as they make it out to be.

Most of it's just hollywood and bad publishing, but the main idea behind all this is revenue.

The gov get's more spending, the site/paper that publishes the story gets more notice, and the list could go on forever. The truth of the fact is if people knew the facts then no one would beable to sell "protection" software and computer movies would have to make sense.

Re:Are you kidding?

[boogahboogah]

I see that same type of problem every day, with front door, side door, and back door (no not THAT kind of back door) attempts each and every day from Chinese IP addresses. Don't think they're trying to get into your system ? Take a look at your log files, you'll see them. If you don't have log files ...

No email, no working

[tibman]

At my job if email goes down, work stops.. 100% shutdown. The organization has largely gone paperless. I'd imagine most other gov't organizations are the same way. That's only one service of many.. so cybersecurity is very important in my book. Unfortunately a national level of security seems impossible, offensively yes, but not defensively.

Elevating a simple scenario to a movement

[recharged95]

a. Turn off your computer.

b. Turn off your phone.

c. Turn off your TV.

d. Take that $20 bill in your wallet (better yet in a different society, you wouldn't need money)

e. Go buy a slice of pizza. Enjoy the outside environment.

.

. See that wasn't so hard.

.

That what would likely happen in a cyber attack. It's more like a 'snow' day in DC. Of course, if a physical Pearl Harbor, 9/11 or Katrina happened, you would NOT be able to do the above. As for money: if major bank computer systems gets wiped for instance, as long as 'someone' has an audit of recent account info and transactions, you'll be taken care of to some extent. Sure you may lose money, but life isn't going to end.

.

Therefore, this is exploiting technology for the purpose of generating 'progress'. A. That's a politician's job (to look useful in keeping your "well being" SAFE) and B. that's a skill where gov't excels (exploitation).

Re:Elevating a simple scenario to a movement

[just_another_sean]

$20! For a slice of pizza? That's outrageous! And you say we have nothing to fear.
OMG, we're all gonna die!

Re:Elevating a simple scenario to a movement

[grexluporum]

Really? Now go unplug your refrigerator, and turn off your lights. I'm not saying that this is likely to happen. Just that, yes, references to Pearl Harbor or Katrina are valid. How likely that Pearl Harbor or Katrina is going to happen is another question.

Re:Elevating a simple scenario to a movement

[jackbird]

How about an attack that corrupts over a period of months, then wipes out, a state EBT/food stamp database?

Re:Elevating a simple scenario to a movement

[spartacus_prime]

If I'm paying 20 dollars for a slice of pizza, I better get a blow job while I'm eating it.

Re:Elevating a simple scenario to a movement

Heh... Now... What would you do if your power was out? Not for a couple of days. Not for a couple of weeks. MONTHS.

There's aspects of the grid that the gainsayers are not talking about and the doomsayers are losing in the hype, desensitizing people to the real risks. There's pieces that if they're torched off in an attack (and it's very possible right at the moment under the right circumstances"...) that you'll be waiting as much as 6-12 months to replace the critical part. Generators tied to turbines- overload the system in the right way (and it's not as hard as you'd think...) and you burn them up. Some of the "right" ways are accessible to people with the right black-hat skillsets- all they need is a motive to do it.

We don't make those generator models here in the States anymore- they're built in Europe where it was cheaper to do so. There's a 6-12 month lead time on delivery for most of the models in question as they've got to be built upon order.

To say "Cyber Perl Harbor" or "Cyber Katrina" is silly.
To say what you're claiming is equally so for opposite reasons.

Re:Elevating a simple scenario to a movement

[Svartalf]

I guess that is the fear. We assume that vital systems are not only "hardened" but that they have a robust backup/restore plan. State systems that deliver vital services are a really good example where you'd assume everyone would be fired and start from scratch if auditors found there was no backup/restore plan in place. It might be a matter of degree that we're talking about here. Does every vital system need a cold site that can be made hot with yesterday's data within 12 hours? Maybe.

Unlikely.

It's because it's actually "too expensive" to make that sort of plan implemented- most of this stuff is secured only to about 1/4-1/2 of the cost incurred by a complete loss of the system in terms of security. Most of the measures would be roughly 2/3rds to two times the cost of the lost in many cases and therefore would be viewed as insane by the people responsible for the system. Now, keep in mind, the assessments are based off of THEIR loss, not the overall cost of the devastation. So, if you're worrying about only losing a million or so on a refinery (hypothetical cost, it's a lot more...) you will typically see a company only pour about 250-500k maximum (typically a lot less...they often go, "what are the odds..." on some of this stuff.) because that's the liability they're facing and they've done "due diligence" as far as they are concerned on things- why spend more than the loss will cost you directly? This doesn't get into the collateral damage from some of this going wrong because they are typically removed in many cases from the liability of that damage.

In most cases, there won't be the things you talk to in place.

Re:Elevating a simple scenario to a movement

[Anne+Thwacks]

most of this stuff is secured only to about 1/4-1/2 of the cost incurred by a complete loss of the system

Most of the stuff could be secured by ditching windows and replacing it with free software.

This _is_ /. - remember?

Re:Elevating a simple scenario to a movement

[westlake]

See that wasn't so hard.

That $2 slice of pizza implies - along with much else - the ability to move dairy and produce quickly and efficiently from the farms to the wholesale market or directly to the processing plant and from there to the fast-food outlet.

Try negotiating all the intermediate steps by cash or barter - with no telephone - telegraph - telex - fax or e-mail to monitor the traffic and speed it along.

The first and most obvious impact is that costs skyrocket. You need to field armies of commission agents, clerks and couriers.

The second is that the quality and supply of the fresh product becomes unpredictable - the tomatoes now come from a can.
 

Re:Elevating a simple scenario to a movement

[ElizabethGreene]

Except the kid at the pizza place is going to say "I'm sorry, our registers are down". After someone digs out a calculator they will start taking orders and making pies. You'll say get a calculator out, but they won't know the prices of anything because the LCD menuboards are out.

You would drive to a different store, but they someone hacked the OnStar network and bricked your car.

You would go out for a walk, but the TV weatherguy says there are multiple hurricane, tsunami, and tornado warnings. This is odd because it is sunny outside and you live nowhere near a coast.

Then your power goes out.

And your cell phone is getting DOS'd with text messages, until the provider turns the SMS service off.

And your landline phone only gets a busy signal because people are freaking out and overwhelm the Telephone system.

And it's getting really annoying with those firetrucks and ambulances racing by as they try to sort out which fires are real, and which are false reports.

...

From a terrorist and a security analyst point of view, cyberterrorism can be a very effective tool for distilling fear and panic.

Re:Elevating a simple scenario to a movement

[jeff4747]

Um....you do realize that it takes longer than a reboot to recover from a proper cyber attack, yes?

So you might be able to get pizza on day 1, if you hurry and they have one sitting around the store. The lack of an oven would kinda hinder their on-going production. (Despite being gas appliances, they have electrical ignition. No electricity and the gas is turned off for safety.)

f major bank computer systems gets wiped for instance, as long as 'someone' has an audit of recent account info and transactions, you'll be taken care of to some extent.

ROFL

So if somehow an audit trail managed to survive the cyber-apocalypse, the banks would magically re-create everyone's account in a day or two.

That's hilarious.

concern over cyberterrorism

[visible.frylock]

In the face of meatspace terrorism, meatspace liberties can be curtailed. That's why there's "concern" over cyberterrorism. Because the internet is not healthy for the establishment. It can spread both truth and propaganda, but currently, it tends too much toward truth for the establishment. If that sounds crazy to you (nothing on the internet but lies and pr0n!) then you haven't looked around.

FTA:

It is alarming that so many people have accepted the White House's assertions about cyber-security as a key national security problem without demanding further evidence. Have we learned nothing from the WMD debacle? The administration's claims could lead to policies with serious, long-term, troubling consequences for network openness and personal privacy.

Yes, this same thing keeps happening, where a (possibly) real world problem is used to justify a curtailing of freedom, consolidation of power, and serving various agendas of people in power at the time. A cynic might say it's planned, but we're not cynical, are we?

I suggest we give it a name. Let's call it Problem-Reaction-Solution.

Welcome to psychology 101

[dave562]

Fear is one of the biggest motivators. The squeaky wheel gets the grease. As Americans, we are unfortunately conditioned by fear based language. Unless something is presented to us as scary and threatening, we tend to ignore it. In order to get funding for projects, politicans and the like have to play the fear card. They will present doomsday what-if scenarios, and threaten to put responsibility for failure on anyone who gets in the way of getting things done.

Although I agree that "cyber security" should be a priority, it would be nice if there were a way to talk about things without having to wrap them in fear and threats.

No "cyberwarriors needed", first round

[SgtChaireBourne]

Look, for the first round of clean up no "cyberwarriors" are needed. We just had yet another article about how single city, for a single Windows worm, lost millions due to clean up. In that case it lost over $2.5 million, including rewarding the designers of the security flaws to the tune of $1 million. Knocking down a water tower would probably cost less to repair. So why are not the defense and law enforcement agencies stepping in here?

It's not a nameless or faceless "terrorist" group that is costing our businesses, shutting down our infrastructure, tangling our air traffic control, our power grid, or our hospitals. The people promoting Windows and Microsoft technologies have real names and faces and walk among us every day. Take them out and we've won the first round. It could be as simple as organizing a large scale round up under the RICO Act.

From there we can go on to hardening the net with IPv6 and dealing with the usual intelligence / counter-intelligence activities. But the first step, before we can stop the economic bleeding is to deal with the cause of the problem: the people who promote and profit from known defective technology.

Re:No "cyberwarriors needed", first round

The people promoting Windows and Microsoft technologies have real names and faces and walk among us every day. Take them out...

Are you seriously advocating killing people because they make software you don't like? No wonder no one takes you greasy fat fucks seriously.

Re:No "cyberwarriors needed", first round

[JumpDrive]

It's not a nameless or faceless "terrorist" group that is costing our businesses, shutting down our infrastructure, tangling our air traffic control, our power grid, or our hospitals. The people promoting Windows and Microsoft technologies have real names and faces and walk among us every day. Take them out and we've won the first round. It could be as simple as organizing a large scale round up under the RICO Act [cornell.edu].

Haven't you been paying attention. These nameless faceless people have lots of money and political clout. So good luck getting the government or getting the main stream to help resolve this issue.

By the way, I think maybe your tinfoil is wrapped to tight.

Re:No "cyberwarriors needed", first round

[$1uck]

MS is not the one perpetuating the attacks, or causing the damage. There are no laws holding them responsible for creating a secure operating system. Rounding them up and punishing them is hardly legal/ethical/moral. The first thing we should do is start with laws requiring the people creating the networks/data warehouses to secure them properly. Then they'll demand a better product (from MS or some other vendor) if not they should be responsible (unless said vendor wishes to indemnify them). MS is just trying to make a buck, they're not actually attacking anyone.

Re:No "cyberwarriors needed", first round

Are you seriously advocating legal action against people because they make software thatdoesn't work? .

There. Fixed that for you.

Re:No "cyberwarriors needed", first round

You are one fanboi Dumb ass. It's not the OS security that's the problem. It's the people, their awareness and the practices of the organizations. Actually, speaking from experience, Windows Vista/7/XP are all fairly secure. Not even Linux/OSX/Solaris can save anyone from stupidity.

This is /. So you have been modded +5 insightful. Elsewhere in real world, things would be different.

Re:No "cyberwarriors needed", first round

Actually, speaking from experience, Windows Vista/7/XP are all fairly secure.
Until you find out that every last account provisioned in AD has Local Administrator rights so the CTO can install WoW on his workstation.

Re:Are you kidding?

[TerranFury]

Yeah, but it's not cyber-"terrorism;" nothing is going to blow up. It's just espionage.

Plus, I've got to wonder how much of this is truly "hackers" from the outside, and how much is just the result of employees taking data with them -- whether they're just being sloppy, or actually malicious (e.g., ethnic Chinese with misplaced loyalties (god do I hate nationalism)).

Whatever the case, without disclosure for each "incident" of what actually happened in technical terms, we the public will never understand what's going on at any level besides "OMG HACKERS" -- which can mean anything.

Cyber Propaganda: +1, Helpful

along with the vacuous threat about a North Korean missile hurting Hawaii. Please note that the U.S. based
news machines did not echo a threat to the area EAST of Hawaii which would include the continental U.S.

In perspective, the cyber "threat" should be the least of Obama's concerns. If Obama does not get the U.S. Congress to pass a government-sponsored health care bill, he WILL lose the 2012 presidential race because of the economic disaadvantage the U.S. private health care system poses for ALL U.S.ian companies competing against the rest of the OECD countries.

With Obama's failure to implement a government run health care system, the Republican-Democrat Party can bathe in the victory of completing Newt Gingrich's Contract ON America.

Yours In Socialism,
Kilgore Trout

Re:Are you kidding?

[TerranFury]

Care to elaborate? What kinds of attacks?

Indeed

This is generally true, but this is also how Agencies and politicians have been taught to obtain funding. Get over it.

The Hysteria of FILL-IN-THE-BLANK

Some ill defined crisis exists that requires more power given to the feds by passing legislation that NO ONE HAS EVEN READ.

Terrorism, economic collapse, global warming, etc.

The current bunch has taken the baton from their historic brotherhood. And if you can't gin up a crisis, you can send out your secret police to manufacture a real crisis.

Merely self-preservation

[petes_PoV]

If you form a think-tank, or oversight committee, or regulatory office with a nice, big budget and charge them with feeding into the decision making process, that's what they'll do. They are hardly likely to say "we've checked - everything's fine". The two obvious reasons being:

There might be something they missed

If there is no "threat", they're out of a job

So it happens that every time a new office is created to look into the potential of a hazard to the country - lo and behold: they find one. Amazing!

So far as the first reason is concerned, there will always be the possibility that (maybe for reasons outside their control) the watchers were unaware of a potential problem. However, that doesn't matter - they'll still get it in the neck if a threat in their "area" materialises. Far better to say: "we've looked, but to be absolutely sure, we need more money." Since this approach can be repeated ad-infinitum, or until the money runs out it's a great way to CYA.

The second reason is simply human nature. they try to stay on the gravy train for as long as possible. If there are no BIG threats, they'll find little ones and exaggerate their importance. Or find non-existant ones and use so many weasel-words like: "could", "might", "possibly", with everyone too cowed by the infinitesimal possibility there might be something in it, to challenge their vague mutterings.

The problem is that the real problems are too hard. Things like lack of education, opportunity, addictive personalities, crime, uncertainty, greed are all much bigger problems. However they're too big for a government to fix (certainly within one or two electorial terms). So it's better to go for the "quick" fixes, that have no real cause and no real fix. That way, whatever a government does can be called a success as the threat wasn't that real to begin with.

We are paying for it

We pay for the internet structure and bandwidth. If spam is sucking our email system, then we are paying for spam filtering and spam traffic. If porn is using bandwidth, then we are paying for it. If downloading/stealing movies and songs is happening and sucking up our bandwidth, then we are paying for it. If our servers and services are going down because of ddos attacks, then we are paying for it. If criminals are stealing our credit and identities, then we are paying for it. Right now it is difficult to say what percentage of our costs are due to spam, crime, terrorism, etc. But if we continue on our current path, then these things are going to grow, and we will be paying more for them.
Now is the time to fight these problems.

A little bit of non-commercial input

[Opportunist]

I'm in security research, but none of you will be potential customers (trust me, you won't), so I needn't lie to you: It's hopeless, but not serious.

The problem is not insecure applications. It's not the stealthy superhacker from China. It's not the RBN (ok, it is, but they couldn't do jack without the original culprit). The biggest problem in IT security and internet security is (drumroll please) the user. And his inability and unwillingness to take responsibility for his crate.

There are security holes, granted. They are not the main source of malware, though. I do assume here that the average /. reader knows a bit more about his machine than "push this button to turn on, when a window opens that you don't know, panic". Likewise, a lot of you say they have no AV suit installed and never had troubles with malware. I believe you. You're probably not into dancing pigs and if you are, you don't let any arbitrary webpage gain root access to show those pigs dancing.

A lot of users do. And thus get infected. And thus become a security problem.

Governments will create a lot of laws concerning the problem, without one that actually addresses the problem: Making the user responsible for his security. I don't mean "get infected, get your pants sued off". I mean that you are required to take reasonable (!) means and surf safely, that includes not clicking on every friggin' crap you run into, that includes not opening every goddamn spam mail and run the infector. This would require educated users, and education has always been the mortal enemy of surveillance and monitoring, so we won't see any of this anytime soon. So it's hopeless.

On the other hand, the infections we face currently (which may change, but so far didn't) don't even come close to enabling anyone to cause a global network meltdown. It is a nuisance (because of spam, page infections and so on), attacks may take out certain parts of the net, but there's no global threat. So it's not serious.

Re:A little bit of non-commercial input

[cdrguru]

Absolutely, today there is no serious threat.

The problem is, should someone decide to "do" something or, perhaps more likely, "let's see what happens if ..." we are completely vulnerable. Wide open to whatever is coming down and there isn't anything that can realistically be done about it today.

Sure, it like staring up at the noonday sky wondering if a comet is going to hit today. But you can rest assured that someday, probably sooner than later, that comet is going to come calling. And if someone figured out a distribued attack on, say, the power grid in the US, it would be a huge mess.

Can you see Obama on TV asking everyone to turn off their computers?

Re:A little bit of non-commercial input

[JumpDrive]

I'd agree that a lot of media is FUD with regards to this subject, but a lot of it is fed by security groups. In fact within the company I work for I could hardly get any response or concern to the Conficker virus, because the management group has seen so many of these alerts.
Over the past 3 years, I've seen computer security budgets getting squeezed more and more for lack of concern, mostly because security companies have yelled "Fire" way to much.

With regards to government laws, the latest inundation (by sales and security consultants) with regards to email storage was enough to pretty much get management to ignore any future warnings about legal threats. Because during the investigation and discussion with legal it was determined we were better off just changing the policy with regards to storing email vs maintaining an email storage system.

Somebody else mentioned SPAM, which I would consider the biggest cost and threat to commerce on the web. But right now some of the biggest spammers I deal with are security and computer consultant companies sending emails stating here is the next biggest threat and here is the next biggest thing you have to have.

Right now I'm looking for the security web site which reiterates most of the information you have in your post and links to an application which would require less than 2 hours maintenance a week and could tell me whether something or someone is on my network doing bad things. And it needs to cost monetarily next to nothing. (Okay I'm dreaming)
I'd also settle for a web site that provides reasonably good information on securing services , something where you can go from basic security settings and drill down to more detail (accurate updated and comprehensive information), even with a payment model (like expert exchange). I have run into so many web sites with inaccurate or poorly documented information on simple things such as authentication settings (Usually they are outdated with no version information, but sometimes they are just flat out wrong, as in no one even tested it).

Re:A little bit of non-commercial input

Governments will create a lot of laws concerning the problem, without one that actually addresses the problem: Making the user responsible for his security.

Until people stop joining (and remaining on) botnets, the one attack that is really hard to defend against (DDoS) remains as a threat to just about every server. Without DDoS, "cyber security" just wouldn't be publicly debated much; everyone would just defend their systems and that would be that. DDoS changes landscape to a "we're all in this together" scenario. DDoS is why the government is involved. DDoS is why there is hysteria.

And yet the threat people mention is still the "hackers," with virtually no discussion of the people who enable them by joining their botnets. If addressing the threat isn't on the agenda yet, then it probably never will be. And if addressing the threat isn't on the agenda, then things aren't going to get better.

Making people bear the consequences of joining a botnet, is the only way to reduce the threat.

Re:A little bit of non-commercial input

[Opportunist]

Current botnets are mostly an economic endeavour. Not one of national warfare. If there was money in shutting down the internet, I'd be concerned. But why butcher the goose that lays your golden eggs?

Re:A little bit of non-commercial input

[Opportunist]

I sell that service to a selected few customers (which also limits what other customers I may offer it to... that's why I said most likely you won't ever be my customer). "Next to nothing" isn't really what I'd call its cost, though...

I've been tossing that idea of an "IT security experts exchange" webpage for a while now. There are a few reasons why I am fairly sure it's doomed to fail. First, there is something similar to this, but it is only available to a very exclusive club of security researchers. No visitors allowed. The reason is simply that a lot of 0day info is exchanged there as well, and few want to spread that info to the "wrong" people. Not that they don't have it already, but one less script kiddy to try something on a server is one less headache for us. Sorry if it sounds elitist bastard, it's actually far from an ACTA or a Bilderberg meeting, it's just that this info is of very little, if any, use to the average system and security admin, and very prone to abuse.

Believe me, sometimes it's tempting even for me... :)

But most of it, at least those exploits that are of actual use, will eventually end up on milw0rm or similar pages anyway, complete with POC and often a workaround, usually in time to be of use to a system admin. So the info is available to the public.

Re:A little bit of non-commercial input

[Opportunist]

The cruel joke is that there are no "hackers" involved at all in the threat scenario. There's no hacking involved. You're not being hacked, you're conned. Conned into executing a piece of malware or conned into browsing to a malformed webpage.

That's social engineering. A form of hacking, granted, but not what the average person would think of when the term 'hacking' is used. They imagine some geek staring at a way too bright green screen typing some cryptic crap.

Making people bear the load of their unthinking clicking would certainly increase security and reduce the (pretty much only) global threat of DDoS (but even this threat is fairly low, unless you happen to be an interesting target. There's by no means enough "firepower" to create a global, massive meltdown). This would, as I said before, require governments to have an active interest in people learning about their machines and upping their security levels, which is certainly not what they have in mind.

Paperless Government?

[geekmux]

At my job if email goes down, work stops.. 100% shutdown. The organization has largely gone paperless. I'd imagine most other gov't organizations are the same way....

Uh, OK, stop right there. Paperless in Government? You are referring to the US Government, yes? The same Government who requires forms filled out in triplicate just to order...more forms?

Apparently you've not caught a glimpse of that tree-killing beast up close and personal.

Re:Paperless Government?

[tibman]

About 5 years ago the government made a big push towards being paperless. Especially for the military. LESs are online, every record gets digitized now (including medical), training manuals and regulations are distributed by cd instead of book. Not only that but paper recycling is absolutely manditory, no exceptions.

Maybe it's the civilian government that is still operating primarily with paper. Military organizions only use it as a temporary means of information storage, not a primary.

The only places you run into some real tree-killing is rediculous quarterly briefings to staff officers, book sized powerpoint presentations printed and bound to be used once and recycled. That's a case of entrenched habit that the current senior officers are loath to change.

Depends on your agenda

[PPH]

Much of the data are gathered by ultra-secretive government agencies

Bush wanted to know who was moving porn in cyberspace. Obama wants to know who's moving cash. Both are legitimate concerns on the surface, but the searches will suffer from many false positives. Most porn doesn't involve kids or coerced victims. Likewise, the amount of money needed to finance another 9/11 could easily moved down below the noise level of AIG's CDS operations. While law enforcement is looking for the rare needle in each haystack, they'll be motivated to take action on the other stuff they find. Just so their supporters see that we're getting our money's woth out of the operation.

Perspective

It's all like a series of tubes.

Opposite of NSA

[get_your_guns]

NSA has the computing power to monitor all incoming threats to the US that deals with anything electronic or electrical signal and other techniques used. They can not legally use these techniques looking into the US, if you believe the television and news papers. Now, I can see how many /.'s will have their panties riding their ass when a new agency can legally look at what happens on the wires inside the US. They will probably find that many of the robots that are hitting US public IP space everyday from overseas locations are being developed and controlled (and even sold) by people here in the US. The US is almost completely dependent on the internet in one way or another and I can fully understand the need for a new command to monitor and react to these increasing threats to it's traffic on the inside of the US borders. For those that think it would be a wonderful day when the internet shuts down and they can walk down the street to buy a pizza, this would last about a day, then all the stores and restaurants would shut down because they could not resupply, get trucks on the road if they could get their orders in, or even pay their people so they keep showing up for work. What a wonderful world that would be...

Re:Opposite of NSA

[cdrguru]

You point out a huge problem: today we have little redundancy and almost no wiggle room for any sort of failure. JIT inventory means that if UPS or FedEx drivers go out on strike commerce shuts down, even the stores on Main Street. Factories operate on the thinnest of margins with no reserve capacity.

So what if Something Bad happens? In 1970 it would have mean almost nothing. Today, almost any major event is going to distrupt supply chains, inventory and commerce. The result if we are talking about paper towels isn't that bad, but how about food? In 1950 the US was probably immune to any sort of distruption affecting the food supply in cities. The stockpiles would last until things were pieced back together. By 1980 the stockpiles were less and the population greater. Now, if you prevent delivery trucks from reaching stores for two days you are going to have food riots in cities.

Read the book "The Coming Dark Age" by Roberto Vacca (Amazon). Old book, but probably more true today than ever before.

Because the threat is real

[utopia27]

There have been some very vivid demonstrations of the impacts of cyber-warfare, such as the attacks on Estonia and Georgia, Chinese and Iranian suppresion of free speech and media, air traffic control penetrations, and demonstrated penetrations of SCADA networks (power grid in particular). In Estonia, gov't services were disrupted, and the local equivalent of 911 was broken. Georgia was not as badly dinged as Estonia, largely because they're less reliant on networked services. (c.f. http://www.economist.com/displaystory.cfm?story_id=12673385 ). Power grid infrastructures (as well as telecom, oil pipelines, etc.) are highly automated in the US, and have been demonstrated to have been attacked (c.f. http://online.wsj.com/article/SB123914805204099085.html?mod=googlenews_wsj ). Having accidentally broken chunks of telecom infrastructure, I know how easy it is to create large-scale disruptions through control networks - even without ill intent. The FAA IG has reported that air traffic has already been disrupted by system breaches (c.f. http://online.wsj.com/article/SB124165272826193727.html, http://www.oig.dot.gov/StreamFile?file=/data/pdfdocs/ATC_Web_Report.pdf ).

And this is the stuff that's publicly visible. There is definitely an iceberg effect here - there's a lot more under the surface that isn't readily visible to the public. There's good reason the Pentagon doesn't publish the full extent of attacks (successful and not) perpetrated against the DoD infrastructure - it's not a good idea to let attackers know how much you see (and don't). But the concern is based on real threats, and real attempts - this is not hysterical speculation. The rules of engagement haven't been defined (when is a hack attempt serious enough to merit retaliation? what's a 'cyber-exercise' v. an act of war? how definite does attribution of an attack need to be to become a diplomatic issue?). There are countries that are pushing all these envelopes to gain an edge.

So if this stuff is already going on at a low-rumble level, the threat is demonstrated, and the consequences can be foreseen, wouldn't it be irresponsible not to develop techniques and strategies to ensure this bad stuff doesn't happen?

Just because you're paranoid, doesn't mean people aren't out to get you.

Re:Because the threat is real

There is one main reason that a Warhol worm or a "digital Pearl Harbor" hasn't happened yet:

As of now, businesses are content to use the Internet as their central network. Should something happen that is devastating more than just a large number of private users having their info winding up on the black market, businesses will start creating separate networks just for their traffic.

This would make it tougher for remote attackers, and they know this. Instead of finding a host, and connecting directly, they would have to contend with getting access to a separate internal network (be it corporate internal, or shared among some companies such as a backbone for credit card validation), then launching attacks against machines from there. The internal networks could even use a totally different protocol stack than the standard IPv4 or V6.

You would see organizations hit the drawing board and come up with internal networks designed from the ground up around the concept of separation of services and air gaps.

This wouldn't just impact businesses. National governments would pass laws requiring PCs to have some type of "trusted" subsystem in order to connect to the Internet, and any device without the embedded "trust" chip would be disallowed to connect by upstream routers.

As an extreme, control of core networks would be put under the jurisdiction of the military, and armies know how to keep information secret. A person sees non classified networks occasionally compromised, but anything classified+ in the US rarely gets nailed. Instead of the Internet philosophy of connectivity, the people in charge of national networks would have a philosophy of need to know and separation. This wouldn't just be the US either. Each country would have their military take control of the pipes from the point they cross the borders on.

End result would be something to the end user that appears like the old Compuserve that requires a login before getting access to any resources whatsoever.

Re:Because the threat is real

It's a bit bigger than they're letting on to- you are right about the tip of the iceberg thing.

Fortunately, it's not been bad enough (yet!) to be more visible than the stuff the public's seen. It's a mess- really, it is. They're aware of some of the nature of the mess and trying to do a bit more about it in many areas where we really DO have something to be honestly concerned about. But it's still woefully inadequate.

The truth of the matter is:

        The gainsayers are ostriching in many cases.
        The doomsayers are hyping it up entirely too much.

We have a problem. It's very much more real than many let on to. We're doing more about it than before. But...it's not enough.

Re:Because the threat is real

[Dragoness+Eclectic]

Correct. There are more serious things that you don't hear about because they are classified, which creates a problem: because you (the general public) don't hear about them, you don't believe they exist. Unfortunately, these days many people don't trust the government well enough to accept "trust us, we know what we're talking about even if we can't show you the evidence" because of past abuses of the public trust.

So what, hypothetically, do you do know if you're in the government setting policy on this issue? You can't reveal all that's really going on for good security reasons (sure, let's tell the enemy exactly what has been successful against us and what hasn't!), but without evidence, the public thinks you are crying wolf. If you release limited information that isn't a big security compromise just to know about, the public says "Eh, that's not a big deal, you're just trying to get attention!"

What do you do?

But what role is there for the Government?

[paulsnx2]

Absolutely, spam and malware cost government and companies millions if not billions of dollars. But what is the Government going to do?

Every server placed on the Internet is exposed to traffic. If we try and shape and filter that traffic, we can certainly reduce spam and such, but at the cost to everyone. What does Obama think he is going to do to stop a "Cyber Pearl Harbor"? filter all traffic over the net? Restrict what servers can host what applications? Control what applications people install and use?

This so reminds me back when I was a freshmen in college, and I heard about all the "Languages" people used to program computers (the main one being a mainframe in the center of campus). I saw people carrying around boxes of cards, and wondered about computer "languages" and how they worked.

Well the same thing is happening about "cyber attacks" and such. There are problems, but no matter what we do to solve them, they must be solved system by system, user by user, server by server, application by application, service by service. The government can't do anything to help except to mandate standards. But that is the worst possible thing we could do. Standards necessarily mean that we replicate the same vulerabilities everywhere. Even if it takes 1000 x the effort to take advantage of a vulnerability in standard system, by definition everyone that follows that standard is vulnerable. We are far better off with diversity, where there are millions of more vulerabilities but none of them common to many applications and systems then we are having the same ones.

No mystery here. It is called genetic diversity in nature. A species without it dies.

But most likely, if we get anything from Obama's efforts, killing off diversity will be result. And that will be bad for us all.

Re:But what role is there for the Government?

[utopia27]

Why bother having armed forces? Can't we defend ourselves perfectly well with local militias? Isn't it every individual persons' responsibility to ensure the safety of their home and family?

What can government (more particularly a cyber-command) do that individuals can't or shouldn't?
- identify and neutralize active attackers - counter-attack is a valid strategy
- coordinate in a non-commercial, non-liability setting incident reports from various sources, to enable development of responses, as well as detection of patterns of threat/attack
- sponsor and coordinate development of defensive and offensive capabilities (cyber-warfare skunkworks)
- develop approaches to assess security of systems - current security is plagued by folks missing known vulnerabilities and attack modes. although your observation about standardization and homogenaity are accurate, not knowing how to assess is a vulnerability all by itself.

I can't advocate the current DoD/gov't approaches to cyber-security - they're deeply flawed. but that doesn't mean there isn't a valid role for gov't. it just means gov't needs to find its niche and perform better.

You're wrong.

[Lord+Ender]

It's fear, yes. But it is extremely well-justified fear.

I do penetration tests for large companies. It's bad. Everywhere. The only reason penetration tests are ever unsuccessful is when the tester's hands are tied. Attacker's hands are not tied. Furthermore, denial-of-service flaws are universally ignored because information disclosure is considered a higher priority, and most companies have their hands full dealing with those flaws.

So let me make this as clear as possible: A single individual could shut down pretty much any large company. A group of individuals (say, from a hostile government) could halt operations in multiple simultaneous companies. Target a few large supply-chain management companies and a few large payment-processing/banking companies, and it would be relatively easy to shut down the economy for a while.

That means food rots on delivery trucks while paychecks stop flowing to employees. And don't think we will all switch over to doing things by hand during such an attack. The infrastructure to do so has been dismantled. We are entirely dependent on digital transactions these days.

Why hasn't such an attack happened? Is the probability really "low" as you suggest? It's just a matter of motivation. There isn't much profit in doing such a (tedious) thing for the eastern-european hacker crime groups, nor for the bored teenagers. There is more profitable, lower-hanging fruit. But if we went to war with a sophisticated nation, the motivations are entirely different. Widespread DoS combined with targeted database corruption would do much more damage to the economy (that thing that allows us to have the best military) than similarly-funded missile strikes.

Ignore the sound-bites security companies feed the media, but don't ignore the problem. This is perhaps the weakest part of our nation's defense infrastructure.

Re:You're wrong.

Wow, a security tester saying we need to do more security tests until security improves. What next? Military contractors saying we need to build more military hardware until some off-the-cuff benchmark is met? No, wait. We've done that one already. What about oil companies saying we need to drill....nope, my bad. Medical insurance companies improving hospitals? Done that. Auto manufacturers building more fuel efficient cars until the country meets its goal? Done that, too. Private education companies saying the education system is messed up? Construction companies judging how bad the nation's infrastructure is?

And having private companies run the government has worked so well in the past.

Re:You're wrong.

There is more profitable, lower-hanging fruit. But if we went to war with a sophisticated nation, the motivations are entirely different. Widespread DoS combined with targeted database corruption would do much more damage to the economy (that thing that allows us to have the best military) than similarly-funded missile strikes.
Yah... because if we went to war with a sophisticate nation you don't think one of the first thing we'd blow up would be their communication systems?
In a real war you'd probably have a day or two before the whole communication network is rendered near unusable state. And the only reason you'd get a day or two is because radar normally comes first to make the rest of the attacks easier.
How effective will your internet attacks be when half the country is without power and every big switching station is blown to crap?
And conversely, assuming a war on equal footing, how âeffectiveâ(TM) will a DoS attack be on... say... Bank of America when a bomb has already blown their data center to pieces?

Re:You're wrong.

[Lord+Ender]

...aaaand you did not refute a single one of my points, Mr. Coward. Typical.

Re:You're wrong.

[Lord+Ender]

My point is that you can shut down the economy with a very small effort. It could be done much more easily and inexpensively than trying to plant an ICBM on, or fly a bomber over, every power plant in the country.

Furthermore, banks have disaster recovery plans to operate from alternative datacenters if a natural disaster or fire wipes out one of their buildings. Such DR plans don't help much against hackers and DoS attacks.

Re:You're wrong.

[Svartalf]

I'd have to concur- and this doesn't even get into the problems with the infrastructure that we're looking at.

I won't say things like "Cyber Perl Harbor" (Geez... The Hype is completely over the top on that one...) but there really IS a serious problem with some of the things in that space and it's much more of one than the people calling this stuff "annoyance" attacks and the like.

Re:You're wrong.

[twostix]

Umm no. You are the person that this articles talks about. It's in your interest to over hype the risk and given it's your area you of course believe it's the most important thing in the world.

A single individual with a $500 gas axe from the local hardware store and a 4x4 could cut the power to any major city for weeks in a few hours simply by taking the bottoms out of remote high voltage power lines that feed most cities.

A group of individuals could cut power for months.

Or how about dumping a few thousand litres of arsenic in the local water supply? Or hell, just blowing up the water pipes?

That would be far worse than anything computer related.

Yet we don't hear about the deadly danger posed by the millions of kilometres of unguarded high voltage power lines across every country or the unguarded dams or anything else, yet in war these are the first targets for sabotage.

What good are your computers without power?

A bit of perspective is in order.

Re:You're wrong.

[fredrickleo]

Indeed, why hasn't it happened yet?

You would think there would be any number of Iraqi or Afghani nationals and sympathizers living abroad with access to the sophisticated infrastructure and possess the knowledge required to carry out one of these attacks.

So, why hasn't it happened yet? If it's as easy and devastating as you assert, why isn't it happening all the time?

In my opinion, it's not as easy as you suggest, and the personal penalties for getting caught engaging in "cyber terrorism" far outweigh the potential damage you can inflict.

Re:You're wrong.

[ghighi]

I second this statement. What I learned in my short time studying computer security is that there is a potential for large damage to be made.

I would even go so far as to say i'm surprised no large scale attack ever happened. We can be thankfull that the bad guys switched from a "damage dealing" to a "money making" state of mind.

What's even funnier is that all the technology and good practice are readilly available to *greatly* mitigate the risks but there is a clear lack of skill and will in most places.

Re:You're wrong.

[Lord+Ender]

Iraqi and Afghani nationals and sympathizers are not necessarily terrorists. That's an absurd statement for you to make.

It takes specialist knowledge to perform these attacks. And there really aren't a huge number of terrorists in the world. It was surprising that AlQueda was able to find three of them smart enough to pilot airplanes. Doing what I suggest would require broader and deeper knowledge of diverse IT systems, datacenters, and corporate culture. This sort of knowledge is hard to come by when you're hiding in Pakistani caves, dodging predator drones. But, as I said, it's not hard for a modern state to acquire such skills.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Are you kidding?

[ThosLives]

This is why I think that true security lies not in keeping people from obtaining information, but from setting things up so that it is irrelevant if people obtain that information.

Consider the situation where someone knows all the internal workings of, say, the JSF, but it's designed in such a way that that knowledge would not allow someone to prevent the use of the JSF.

Or consider "identity theft": what if it didn't matter if someone stole your "identity" because there was nothing they could do with it anyway? (Now, in that case, the tradeoff would likely be some loss of convenience.)

So I'll say it again: true security is knowing that you're safe* even when people get to places where you normally wouldn't want them.

*Of course, the definition of "safe" is fairly tricky in this instance. I would probably define "safe" as something along the lines of "suffering no direct immediate or prolonged-exposure-based physical harm."

Because Cyber-Security isn't Free!

[ThatsNotPudding]

It must be paid for by the complete destruction of every person's privacy*.

* - Politicians, Cyber-Security Vendors, and Fatherland Security excluded, natch.

Re:Are you kidding?

[steelfood]

Everybody, governments, companies, content creators, privacy advocates, have the same problem: digital information is cheap to disseminate.

If somebody breaks into a library of secret documents, there's a limit to how many copies they can make and take out. Even if they were to scan and store every page in every folder in every cabinet, it's still extremely time-consuming.

If somebody breaks into a computer full of secret documents, it takes seconds, maybe minutes, to copy the whole thing. And, the person doesn't have to be physically located by the computer. The person could be halfway around the world, or just right next door but seem halfway around the world.

What it amounts to is that secret-keeping is becoming more and more difficult. Actually, this isn't true. The difficulty of secret-keeping hasn't changed. But society desires convenience. And little do people know, these two concepts are mutually exclusive.

Furthermore, while convenience is individual, keeping secrets is communal. "Secret" is a term that only has meaning within the context of systems, i.e. only people inside the system know the secret, while people outside the system do not know. The problem is when one individual wants convenience and compromises secrecy for it, then the secret is effectively compromised.

Everybody just wants to have their cake and eat it too. That kind of logical impossibility will not happen, no matter how much we might desire it.

just follow the money - scam the gov for big $$$

[Hobyx]

The reason why is clear if you've ever listened to these people make their cases in congressional hearings - they get hella PAID for scamming the government. For whatever reason, senators and state reps have a soft spot for this particular thing they have no understanding of. They feel the fear and dish out contracts by the truck-load.. maybe it's a way for them to seem "tough on crime" without actually doing anything; maybe it's favoritism or otherwise; but it works time after time. I for one find it appalling. 90% of what these "experts" profess in their doomsday cyber war talks are complete bull and no one is allowed to publicly counter their presentations with things like, oh, the truth for instance.

Ignorance Leads to complacency Leads to 0wn3d

Get your head out of the sand. There are governments, specifically the PRC who have military doctrine surrounding "force multiplication" using cyber attacks against US. Russians are doing the same.
Here is an excerpt from Unresricted Warfare (Google it), written by a Chinese General:

"However, the Americans are not necessarily in the sole lead in everything. The new concepts of
weapons, which came after the weapons of new concepts and which cover a wider area, were a
natural extension of this. However, the Americans have not been able to get their act together in
this area. This is because proposing a new concept of weapons does not require relying on the
springboard of new technology, it just demands lucid and incisive thinking. However, this is not
a strong point of the Americans, who are slaves to technology in their thinking. The Americans
invariably halt their thinking at the boundary where technology has not yet reached. It cannot be
denied that man-made earthquakes, tsunamis, weather disasters, or subsonic wave and new
biological and chemical weapons all constitute new concept weapons [16], and that they have
tremendous differences with what we normally speak of as weapons, but they are still all
weapons whose immediate goal is to kill and destroy, and which are still related to military
affairs, soldiers, and munitions."

Nuff said.

Re:Are you kidding?

[networkBoy]

some pretty good ones, and many lame ones.
I have a machine running apache on linux that hosts some "sensitive files". Nothing that a government would want, but something that people who would want to mod certain hardware would want. I had one attack that tried to exploit an IIS vulnerability relentlessly for over an hour against my machine. It was funny because the files it was looking for didn't even exist, and had the script kiddie thought about it, would have checked the server type prior to launching the attack.

on the other end of the scale I had an attack that spidered the whole site, then probed likely holes in the filesystem where tidbits may have been found. I.e.: /index.html /content/file.html /content/collateral/images/picture.png

they would attempt directory view of /content/collateral/ to see what else was there (too bad directory listing is deinied by default in my .conf file)
-nB

Re:Are you kidding?

[tburkhol]

Its kind of a big deal when the U.S. military can't keep its data secure.

But what are the consequences of that failure? Katrina crippled a 200 mile stretch of coastline, displaced millions of people - many for months, shut down 25% of US oil and gas production for weeks, and resulted in billions in direct costs and who knows how much in indirect costs and lost productivity. What's the scenario where cyber warfare does something on the same scale? Or what's the scenario where a cyber attack sinks 18 warships?

I can understand where a cyber attack could black out the northeast for a few hours. Even a day or two. I can imagine, at just about the limit of my imagination, where a cyber attack might take over drones in the air long enough to deploy their ordnance inappropriately (although I don't think that's what people discussing "cyberterrorism" are talking about), but I can't imagine that happening for a second shift, as the first incident would certainly ground the entire drone fleet.

Big scary words. "Cyber-Katrina" "Virtual Perl Harbor" I've never seen an actual scenario on that scale, and I don't think I will.

They know what they are planning to do to others..

[strangeattraction]

There is hysteria because they know what we can do offensively to other countries with cyberterror. They also know that we are just as vunarible as our enemies. But as usual it will all be alot of what if, maybe that. I grew up during the cold war. Russia was portrayed as this unstoppable juggernaut. The reality was that it was all smoke an mirrors. Their system colapsed mostly on its own, simply because it was unworkable. Most of this hype is thrown out by people who stand to make large sums of money by "protecting us." Beware the defense industrial complex.

cyber-Katrinas

WTF - you still haven't fixed New Orleans after the real Katrina - are you lot totally deranged or on drugs? WTF is going on?

You must mean this data

[FriendlyLurker]

plans for the JSF fighter were sold.

Fixed that for you. Seriously, you must mean ALL THIS DATA.

Target sited - Game On!!!!

[sgt_doom]

You nailed it exactly, Good Citizen FriendlyLurker - one cannot improve upon your excellent and spot on post.

scary equals good practice

When establishing what your security risks are it is good practice to account for the worst case scenario. In other words, improve airport security before planes are highjacked, not after.

I suspect that's the main reason for the scary scenarios being presented, not financial gain (in most cases).

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Irrelevant Info

[TaoPhoenix]

We can brainstorm this on email if you like.
It's just about my top interest topic.

Organizations vs individuals

[gmuslera]

The danger/damage scales with the size of the attacker? Internet (or at least, some monocultures on it) is so vulnerable that single individuals alone did a lot of damage in the past. And is so big the hole that individuals and very small organizations are swarming to get a share of the cake. Spam, small/medium botnets, phishing, etc are doing pretty well without implying something big behind, and in a way that could be hard to get the people behind it, at least with current freedom, rights to privacy and so on.

Before worrying about the possibility that big organizations, governments, etc trying to do damage you must go to the small fishes, and with current technology you probably can't, at least without harming a lot freedom and privacy in internet worldwide.

Sold "as-is"

[SgtChaireBourne]

MS is not the one perpetuating the attacks, or causing the damage...

Re-read the post: those who promote and profit from known defective technology are at fault. That spreads out the blame to include all those Certified Gold Partners and M$ monkeys who go around posing as IT experts. In fact, the licensing partially takes M$ off the hook by stating that it is made available "as-is" and without claims to suitability for any particular task. They know their products can't cut it.

The fault also lies on all those Certified Gold Partners and M$ monkeys who go around posing as IT experts who end up promoting M$ products in place of suitable technologies. In some ways, more of the fault is on them because of the licensing. It is these "experts" that were supposed to choose between competing technologies and choose safe, low-maintenance, low-cost options to boost productivity. What happens then once they start knowingly and consitently doing the opposite?

Look at melamine. It's safe and legal to make, distribute and put into product. Melamine is not safe or legal in food. M$ products might be fine for some home gaming, if one has thousands to put into good hardware and is willing to do just about anything to avoid getting a real gaming console. However, replacing working, mission critical systems with ones known not to work does call into question what kind of legal action needs to be taken against the actors.

Willful negligence, gross negligence and criminal mischief -- if the deeds are with physical product, versus "oops, sorry, nuttinwecuddadonaboddit" for software? Oh, come on and join the 21st century. The "with a computer" clause doesn't magically absolve people of criminal wrong doing.

Homogenous networks

Homogenous networks are a big problem. In English: most computers on most networks run exploitable versions of Windows. The non-windows % is about 10% (mac + linux + sun + everything else). Almost all networks are TCP/IP. And almost all data these days is kept on computers connected to the internet. And almost all online machines use a web browser with JavaScript, Java, and Flash turned on.

This means almost all computers on-line can be compromised through the same means, either remotely or thru a client-side script. And no matter what you're looking for, it's probably on an internet-connected computer. That's why this is happening.

Steps as simple as:
- mixed-networks: Macs + PC, Linux, though these can introduce more vectors for attack
- non-IP networks, like IPX
- air-gaps, meaning computers and networks not connected to the internet
- paper or CD copies locked in a cabinet

Not everything needs to be on a computer or on the internet. We're are shooting ourselves in the foot by being so intellectually lazy.

Pax Americana at the Galleria, maybe

Without any regard to the veracity of your "manufacture existential threats" premise, the notion that we as a nation "are in a period of relative peace and stability" is complete and utter hogwash.

The USMC, US Army, elements of the USN, USAF larger IC, as well as significant chunks of our allies' armed forces, are really and actually at war--real and actual ordnance, rounds and other kinetic weapons are really and actually used against them, even as we are "speaking."

Pax Americana might be the case at the mall, but our armed forces are feeding the slipped loose dogs of war, and have been for coming up on 8 years!

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Are you kidding?

[Lillebo]

Curb your enthusiasm, neither China, Iran or Russia wants to engage the US in military conflict - no body does. All they want is to keep the status quo and not worry about the US trying to "secure vital resources outside union borders". Thus, the more they know about your lameass fireworks, the more stable the world really is. Military intelligence theft is therefore a good thing, and should let you sleep more comfortly. Sharing is caring :)

Re:Are you kidding?

[jc42]

Care to elaborate? What kinds of attacks?

Oh, you know; pings from lots of different addresses. That's a "DDoS" attack, y'know.

(Yeah, I know; the military security guys aren't that dumb. But many of their superiors are, and they have a strong incentive to play up such things. That's how you get funding, after all.)

Re:They know what they are planning to do to other

[gujo-odori]

While I pretty much agree with what you say, OTOH there *is* a real threat there. The Soviet Union had a lot of smoke and mirrors, but they also had the capacity to really screw Europe in a ground war or pretty well wipe out the United States and Europe if a nuclear war had started. Combine that capacity with a stated goal of bringing the world to communism and their demonstrated willingness to use force to do so, and you have pretty well-grounded fear of what they might do.

I'm in the email security business, and I do see a good parallel to the cold war. Right now, the bot herders are, generally, using their bots for profit - spamming and spreading malware. However, what if, instead of compromising PCs and using them as bots, bot herders instead decided to use them as weapons? They could cause some deaths through disruption of 911 services, and could probably cause more economic damage than 9/11. You'd have to look long and hard to find a company of any size that didn't have at least a few infected PCs inside the firewall, and often even a few infected servers. Those machines have trusted access to other machines, and could be used to attack not only those machines, but the networks to which they are connected. Take down banking networks. Take down the power grid. Take banks and financial websites offline. Take other company websites offline. Take down government systems. Sure, all (well, probably just most) of that stuff can be restored from backup, and power grids can be restarted, but that's an awful lot of disruption and an awful lot of economic recovery cost. Do that at the onset of a shooting war and it could make the difference between winning and losing for the side that does it most effectively.

Critical infrastructure of any kind should not be connected to the Internet at all. Leased lines or frame relay are best. At the very least, if the Internet has to be involved in some way, it should go through a hardware-based VPN that talks to nothing but the other endpoint(s) of the VPN. However, that's not nearly as good as a leased line or frame relay. If it connects to the Internet at all, it can be taken down, or at least made unavailable via DDOS.
A leased line or frame relay isn't perfect, either, of course. It's not impossible to penetrate telco or ISP systems to the level necessary to disrupt that, but it's much, much harder. The closest you can get to perfect security of a network is to own the infrastructure that connects the end points, and have none of it ever touch the Internet (think: your own fiber in the ground). I've heard of that sort of thing being around in D.C, together with Men in Black who show up if you accidentally cut said fiber, but nobody except the government is likely to have either the deep pockets or the permits to do that sort of thing.

Re:Are you kidding?

[pipingguy]

Its kind of a big deal when the U.S. military can't keep its data secure.

"Having the plans" is not enough. You have to have people able to interpret them and put them into action. Critical elements are often left out of engineering documentation and there's also always that stuff which was figured-out on the shop floor and never written down.

Slashdot's comments are frequently amusing, as armchair experts bolstered by 30 second's worth of Google search know everything. And are smug in their ignorance. They're probably the type that eventually gets into politics for all the wrong reasons.

For cryin' out loud...

[mozzis]

Much of the data are gathered by ultra-secretive government agencies -- which need to justify their own existence...

It seems like the OP is trying to justify his or her own existence - face it, you can't escape self-interest no matter what your side is in a political discussion. The secretive government agencies just might have some data that justifies their paranoia. There are methods which could come with estimates as to how true that is. But the blatant opinion of the OP and quite a few of the replies is hardly any more authoritative.

The Stupidity of Geeks

You built this fucking mess and yet you cant think your way out of this or paper bag.

A) The User- preach security through obscolesence meaning, each boot is a fresh OS, virtualized, no more long term cache or temp files that are anything but temp. You built it broken in the first place and now wonder what to do. Computing is not for the avg dunce, its too powerful and insecure to leave them to it. They need the technical equivalent of their technobility, aka the DUMB TERMINAL.

b) Govt and Private Sector infrastructure- in the case of National Security or Governmental
      biz data, there is no reasonable logic you could ever rely on as to why its need to be
      accessible for the lazy convenience of the world, get it off the fucking network you
      fucking dumbasses. If some fucking dork has to get on a plane to come and see, so fucking
      be it!

        Better yet, create gatekeepers who allow access, humans who make you jump through hoops
        to get to the data. If you dont pass they lob a cruise missle at your ass for being a
        dick.

        Private Sector data is a tad more difficult since it could hamper commerce but if the
        idea is to build in security then build it in by building it the fuck in meaning, stop
        being cheap asses and get the best on the job. Your making billions off selling a
        product or a service or both and then take more profit when you whore their information
        out, you fuckwads.

I swear you fucking geeks are feckless cunts who created this shitpile and now lament with your hands on your ears, "what are we to do".

Cyber Security

I remember back when "Cyber" meant anything on MMOs, and "Cyber Security" meant that you had to be-careful that you're not "cybering" with "another-dude-wannabe-chick".

Anyway, all this talk about cyber warfare always make me remember when journalists report about a website that has been attacked. "Look at all those 404s, they are looking for hidden web pages and try to exploit them, then maybe upload a trojan and then log your keyboard, and then get your social security number, steal your identity, etc, etc". I also remember a journalist reporting a story about an art gallery web site owner who complained about cyber crime. They showed the http access.log and said "Look at all those GETs in the IMGs!!!! I'm being robbed blind here, and I can't charge for each image the thieves download.

Sgt. Doom I hope YOU & FriendlyLurker aren't r

Man... in keeping with what sgt. doom said?

I hope he's NOT right!

(AND, that those of us interested in helping others in this area (computer security) + learning MORE about it, ourselves, aren't just "playig into the hands" of the "wannabe ruling elite" etc. et al... who DO use "fear" & the "hype of fear" to create more "controls")

APK

P.S.=> Of course, one also has to realize, that the "hacker/cracker" types out there, right now, profiting via their bogus actions, would say exactly what you BOTH have said, & sell it as "fear the hand of gov't. & the 'ruling powers that be' and their psychological + other forms of control", as well... hard to decide WHICH view to take & hold as "true" really, imo @ least... apk

The Physical Danger is actually quite low...

The real threat is from the web is actually how easily it exposes the true nature of what the government does. The truth is a bigger danger to national security than worst damage any hacker could ever do.

by creating a cyber war

[nimbius]

youve effectively avoided the meatgrinder aspect of traditional war, which means you can increase recruiting and start at least coming close to quota. people can still be drummed up, things can still be sold, patriotasm maintained and politicians given worth.

weve had to create a more efficient war that can be turned on and off depending on respective correlation to circus attention span and appetite for peanuts. that, and we just dont seem to have much money or support for our current real world wars so i cant blame the marketing department for trying on this "cyber" one.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Are you kidding?

[pipingguy]

The most amusing people on Slashdot are the conceited, dysfunctional nerds who argue with statements they know are true and launch personal attacks for no reason other than to satisfy their own anti-social tendencies.

I agree. Have you ever worked in a large engineering organization? I mean companies that design/build bridges, refineries and that scale of project.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Are you kidding?

Most of the files broken into focused on the design and performance statistics of the fighter, as well as its electronic systems, officials said. The information could be used to make the plane easier to fight or defend against.
However, the officials insisted that none of the information accessed was highly sensitive data.
The plane uses stealth and other highly sensitive electronic equipment, but it does not appear that information on those systems was compromised, because it is stored on computers that are not connected to the Internet, according to the defense officials.

I will bet you a good pile of money that the files which WERE "compromised" contained carefully polluted data. They want the hackers to think they got away with a good haul, when they probably were, in all reality, raiding a honey pot. This info will then be used by foreign agencies to help design their defense/intrusion/detection systems... and then those systems will completely under or over-estimate the capability of the actual craft.

This is one of the oldest games in the espionage book.

The important point is- notice that they straight up admit the really secret stuff isn't even online. There IS a reason why the other stuff WAS accessible- it was intended to be stolen.

It's also highly likely that this is part of a Canary Trap type operation, which is a prettty simply formula. Give "sensitive" documents/data to several people, each one gets a version that is slightly different in a very subtle fashion. When the data gets leaked, or more importantly, when OUR spies in the foreign country see that data come over, we can tell who leaked it, when, and where. And then feed them even more bogus data.

But go ahead- believe everything you see in the news. Just don't be surprised when it all ends up being completely wrong. This wouldn't be the first time that CNN was directly implicit in lying to the public on behalf of the US military... just look at the "embedded reporters" during the Gulf War.

Hysteria of the Cyber-Warriors

Did that feature Jon Pertwee or Tom Baker?

Other countries are taking this a bit seriously.

[blakedev]

The United States is just trying to keep up. Whether or not it's hysteria, we have had various attacks on critical components of our infrastructure, notably the power grid, from Russian and Chinese hackers. Iran also has an entire division devoted to cyber-warfare. I read in Soldiers magazine (I was at MEPS waiting to swear in) and saw an ad for a new unit of the Army, the Army Network Warfare Battalion, and they're looking for soldiers from the intelligence (35) and signal (25) fields, as well as those with CS and programming experience.

install a password

[chris.evans]

and you will be safe :-0 I promise... but I will have the password list and cracker.

The so called black hats want their sheep

[mrmeval]

In the ecosystem of good/bad/profit/free/loss the people who make their lively hood from a system are those that will defend it without threat or coercion. Leave the black hats who earn their living off the weak and stupid to protect the system to their benefit with careful nudging when they get out of line.

batty is in the eye of the beholder

[vaporland]

Well, I've never experienced a terror attack personally, but I have been through the eye of more than one Category 5 hurricane, and I can assure you people go pretty batty over that. Besides, what would you call the election of Bush in 2004 if not batty behavior, given what an obvious fuckup he made of the Iraq war and plundering the US Treasury?

Re:batty is in the eye of the beholder

[johnsonav]

Well, I've never experienced a terror attack personally, but I have been through the eye of more than one Category 5 hurricane, and I can assure you people go pretty batty over that.

Sure, in the midst of the hurricane people go pretty batty. But, when it's not hurricane season people don't lose too much sleep over the possibility of hurricanes sometime in the future.

A hurricane, in the words of Donald Rumsfeld, is a known unknown. You don't know exactly when or where one will strike, or how strong it will be; but, you do know quite a bit about hurricanes in general, what you can do to minimize your risk, and what kind of warning you'll have before it hits. In short, there's something you can do. You have some control; even if that control is only an illusion.

But, for most people, a cyber-attack is an unknown unknown. With a hurricane, you know the variables that you don't know the value of: landfall location, strength, storm surge, etc. With a cyber-attack, most people don't even know what variables they don't know the value of. Because they don't know this, they have no options to weigh, no cost/benefit and risk/reward calculations to make. They have no control. And they have no idea what they don't have control over. To a person in that type of situation, it is scary.

You know how horror movies (i.e. Alien, Jaws) are always scarier before the full reveal of the monster? It's because you can always imagine something far more terrifying than you can ever be shown. For a lot of people in the US, and around the world, 9/11 was like that first scene of Jaws with that girl night-swimming: It let them know that there was something out there to be scared of, but only giving the faintest hints of the true monster which lurks off camera. People have become aware that their world is filled with countless unknown unknowns. And now, we have to live with their fear.

Re:batty is in the eye of the beholder

[vaporland]

You flinch more when you've been hit a few times. I lived in the tropics for 19 years and there were two reactions to hurricane season: low level terror, or just ignore it. In 1995 we had many many storms pass within a couple hundred miles before veering off, then Luis and Marilyn whacked us with category five one-two punches. You wanna see terror? Wait until you've lost your roof in the first store, when you hear that the next storm will hit within 24 hours, but the airport is closed and you cannot leave the island...

They get what they ask for

[Optimus6128]

Maybe all the fuzz behind "hackers" is overrated but I'd like that something could wipe out all this leet hax0r, viruz spread, spam, junk on the web trends. Maybe particular measures won't do anything and we should educate people. Many young people are more attracted by the "hacker" breaking into networks myth than doing something creative in their computer. A wrong in my opinion and destructive trend is in the minds of people.

I am using the term "hacker" here in quotes to mean the new definition. As everyone understands it. I wish 99% of the people were talking about pioneer programmers and not cyberanarchists when using the term. And I wish they'd respect creativity on a computer and not cyber attacks without a true reason. But the former does not sounds "cool" to them :P

If there are government measures towards cyberattacks today it's because of the young people thinking it's cool and respected to bring mess to the internet, not the mass media. The so called "hackers" (with the new definition always) are preserving the bad notion and wrong ethics.

For maximum hilarity

[Arancaytar]

Run s/cyber/cybersex on any article related to this topic.

Re:Are you kidding?

[Proteus+Child]

When the Iranians take control of a predator drone with full armament and turn it against our bases in Iraq, something blows up.
On this particular point you might want to look into Peter W. Singer's unclassified research on military robotics. If his data is to be believed, some of the US' older drones were compromised and repurposed while on mission a couple of years ago. The remaining Predators (and later generations of the hardware) supposedly had their C&C gear replaced to get around those attacks. If I recall his presentation correctly, UAVs are now controlled via satellite and not ground based radio because to get a stronger signal to the drones the attacker would have to be above them, and in the regions those drones are deployed that's really not possible.

Re:Are you kidding?

[Proteus+Child]

I will bet you a good pile of money that the files which WERE "compromised" contained carefully polluted data. They want the hackers to think they got away with a good haul, when they probably were, in all reality, raiding a honey pot. This info will then be used by foreign agencies to help design their defense/intrusion/detection systems... and then those systems will completely under or over-estimate the capability of the actual craft.

You're assuming that the powers that be would let the techies do such a thing. In all probability they wouldn't. The people in charge don't differentiate between a compromised machine and a honeypot full of bad data that's meant to be compromised. Not only does it look bad (due to lack of clue on this particular topic) but they're not really willing to accept the risk (however small it might be) that the cracked honeypot could be misused as a staging point for another attack. Throw a firewall of some kind in front of or on that honeypot that make it ineffective in a DDoS attack (for example, by limiting outgoing ICMP to one packet every 60 seconds) and that is still considered far too much liability to assume.

Also, it takes time to create realistic looking but worthless data to seed a honeypot with. That's a lot of billable time that's would better be spent auditing system logs, examining security alerts, watching for patch updates, and writing code. It's hard to justify that kind of money right now. A faster way of going about it would be to take real data and doctor it sufficiently that it looks good but is useless. The line between "useless" and "attackers can figure out what the data should really look like" is a very fine one, and that's a risk that few are willing to take, even with known-unusable information (botched projects, false starts, what have you).

Hysteria?

[stanjam]

I don't think it is hysteria. Crimminal activities on the net already cost us, as a country, LOTS of money, and there has been a lot of damage. Cyber-terrorism, and cyber-warfare is a real phenomena. Take a look at what happened to Estonia. The whole country was essentially shut down! Now the US is a bit more protected than Estonia, but that doesn't mean it could not happen here. One successful attack could have huge ramifications. We know that countries like China are ramping up their efforts to create a cyber-warfare division. The United States is as well. Not only do we need to defend against possible attacks, but we need to also have the capability of going on the offensive. With a cyber-attack first strike, we could cripple a country, take down their command and communications capabilities, stop their propoganda machines, and cause panic. All without ever launching a single plane! It has already been shown that the Internet can be attacked, and that our enemies could do us a lot of damage with the right tools, knowledge, desire. We MUST, as a country, defend our interests, and protect our people. This isn't about protecting your ability to download porn. It is about keeping the economy running, banks running, planes and trains, the electric grid, and communications.

what if someone posts everyone's personal info?

a few million people's personal info leak here, a few million more there, every month you read about more.. and those are just what is made public

pretty soon you are talking about big money

question: what would happen if someone were to publish the name, social security number, mothers maiden name, etc. for everyone in the usa?

would it implode?