The Hysteria of the Cyber-Warriors
Willfro sends in a piece by Evgeny Morozov at the Boston Review about the hyperbole and the reality of "cyber war." Quoting:
"At the end of May, President Obama called cyber-security 'one of the most serious economic and national security challenges we face as a nation.' His words echo a flurry of gloomy think-tank reports. Unfortunately, these reports are usually richer in vivid metaphor — with fears of 'digital Pearl Harbors' and 'cyber-Katrinas' — than in factual foundation. So why is there so much concern about 'cyber-terrorism?' Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies — which need to justify their own existence — and cyber-security companies — which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armageddon draw attention, even if they are relatively short on facts."
Unfortunately, these reports are usually richer in vivid metaphor -- with fears of 'digital Pearl Harbors' and 'cyber-Katrinas' -- than in factual foundation. So why is there so much concern about 'cyber-terrorism?'
Because no one fully understands it. And not understanding something can easily lead to fear. And those standing to make money off that fear (journalists, contractors, agencies) are unashamed to exploit it.
... and that's easy to turn into fear when you're talking to the people who are in charge of protecting us from threats. And the potential mitigation techniques are another endless myriad of complex software/hardware. All I can say is that it is highly unlikely that a Live Free or Die Hard 'fire-sale' scenario will happen. I can't in good conscience tell you it's impossible. I can tell you that the probability of it happening within a year would most certainly be dealt with in multi-digit negative powers of ten. Then there's the possibility of lesser attacks which are highly probable but I feel that the cost-risk ratio is all messed up. Again, I believe this is due to ignorance.
I'm a computer scientist and I don't even understand or know about every potential vulnerability. It's simply too complex
You get into a weird sort of emperors-new-clothes kind of situation when the only people who understand your problems are also the ones trying to sell you a solution. And they're just not being openly honest nor realistic with you.
My work here is dung.
Uh, seriously? Journalists and other people with something to gain from it take a sensationalist view point and run with it?
Holy crap, really? They do that? Huh.
Oh well. /eats some Cheetos. What's on the tube?
Sent from your iPad.
Of the 63 MILLION emails we've processed for our clients (About 60 companies run through our spam filter) 58 million of them are blocked as SPAM.
So only 1/12th of the email traffic we see is legit. One of our clients has its own spam filter because they process that much email all by themselves and they have closer to a 1/20 legit traffic.
SPAM is a bigger threat to the network than some hypothetical cyber-terrorist.
Check out JoshJitsu.info for Brazilian Ji
The US no longer has to worry about nuclear war or even conventional war because we have the means of "winning" a nuclear war and can easily crush any country in a conventional war except, perhaps, the PRC. Even the European Union would not likely hold out against us in a conventional war. Our military knows that, and the majority of the world knows that. We are in a period of relative peace and stability, a Pax Americana. Thus we have to manufacture existential threats to keep the momentum going.
Going back to that post about government IT spending, I'd like to point out something about the military industrial complex that many don't realize. Just keeping the US military ready to go as a kick ass self-defense force with modest offensive capabilities is expensive. There is plenty of money to go around, and you're much more likely to see the agencies that now have to justify their existence like DHS getting in on this bandwagon than the DoD. For the traditional apparatus, it's always business as usual keeping the basic defense of US sovereignty going. For the rest, like DHS which has to find a new enemy under every bush, they have a lot of good reasons to be afraid.
If country A were to take down country B's internet connection then country A wouldn't be able to spy on country B or even get sensitive info. I honestly don't think it's as big of a problem as they make it out to be.
Most of it's just Hollywood and bad publishing, but the main idea behind all this is revenue.
The gov gets more spending, the site/paper that publishes the story gets more notice, and the list could go on forever. The truth of the fact is if people knew the facts then no one would be able to sell "protection" software and computer movies would have to make sense.
b. Turn off your phone.
c. Turn off your TV.
d. Take that $20 bill in your wallet (better yet in a different society, you wouldn't need money)
e. Go buy a slice of pizza. Enjoy the outside environment.
.
. See that wasn't so hard.
That's what would likely happen in a cyber attack. It's more like a 'snow' day in DC. Of course, if a physical Pearl Harbor, 9/11 or Katrina happened, you would NOT be able to do the above. As for money: if major bank computer systems get wiped for instance, as long as 'someone' has an audit of recent account info and transactions, you'll be taken care of to some extent. Sure you may lose money, but life isn't going to end.
.
Therefore, this is exploiting technology for the purpose of generating 'progress'. A. That's a politician's job (to look useful in keeping your "well being" SAFE) and B. that's a skill where gov't excels (exploitation).
In the face of meatspace terrorism, meatspace liberties can be curtailed. That's why there's "concern" over cyberterrorism. Because the internet is not healthy for the establishment. It can spread both truth and propaganda, but currently, it tends too much toward truth for the establishment. If that sounds crazy to you (nothing on the internet but lies and pr0n!) then you haven't looked around.
FTA:
Yes, this same thing keeps happening, where a (possibly) real world problem is used to justify a curtailing of freedom, consolidation of power, and serving various agendas of people in power at the time. A cynic might say it's planned, but we're not cynical, are we?
I suggest we give it a name. Let's call it Problem-Reaction-Solution.
Billy Brown rides on. Yolanda Green bypasses Gary White.
Because security concerns are mana for The Leviathan.
"Anything tastes good if you deep fry it."
Look, for the first round of clean up no "cyberwarriors" are needed. We just had yet another article about how a single city, for a single Windows worm, lost millions due to clean up. In that case it lost over $2.5 million, including rewarding the designers of the security flaws to the tune of $1 million. Knocking down a water tower would probably cost less to repair. So why are not the defense and law enforcement agencies stepping in here?
It's not a nameless or faceless "terrorist" group that is costing our businesses, shutting down our infrastructure, tangling our air traffic control, our power grid, or our hospitals. The people promoting Windows and Microsoft technologies have real names and faces and walk among us every day. Take them out and we've won the first round. It could be as simple as organizing a large scale round up under the RICO Act.
From there we can go on to hardening the net with IPv6 and dealing with the usual intelligence / counter-intelligence activities. But the first step, before we can stop the economic bleeding is to deal with the cause of the problem: the people who promote and profit from known defective technology.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Yeah, but it's not cyber-"terrorism;" nothing is going to blow up. It's just espionage.
Plus, I've got to wonder how much of this is truly "hackers" from the outside, and how much is just the result of employees taking data with them -- whether they're just being sloppy, or actually malicious (e.g., ethnic Chinese with misplaced loyalties (god do I hate nationalism)).
Whatever the case, without disclosure for each "incident" of what actually happened in technical terms, we the public will never understand what's going on at any level besides "OMG HACKERS" -- which can mean anything.
I'm in security research, but none of you will be potential customers (trust me, you won't), so I needn't lie to you: It's hopeless, but not serious.
The problem is not insecure applications. It's not the stealthy superhacker from China. It's not the RBN (ok, it is, but they couldn't do jack without the original culprit). The biggest problem in IT security and internet security is (drumroll please) the user. And his inability and unwillingness to take responsibility for his crate.
There are security holes, granted. They are not the main source of malware, though. I do assume here that the average /. reader knows a bit more about his machine than "push this button to turn on, when a window opens that you don't know, panic". Likewise, a lot of you say they have no AV suite installed and never had troubles with malware. I believe you. You're probably not into dancing pigs and if you are, you don't let any arbitrary webpage gain root access to show those pigs dancing.
A lot of users do. And thus get infected. And thus become a security problem.
Governments will create a lot of laws concerning the problem, without one that actually addresses the problem: Making the user responsible for his security. I don't mean "get infected, get your pants sued off". I mean that you are required to take reasonable (!) means and surf safely, that includes not clicking on every friggin' crap you run into, that includes not opening every goddamn spam mail and run the infector. This would require educated users, and education has always been the mortal enemy of surveillance and monitoring, so we won't see any of this anytime soon. So it's hopeless.
On the other hand, the infections we face currently (which may change, but so far didn't) don't even come close to enabling anyone to cause a global network meltdown. It is a nuisance (because of spam, page infections and so on), attacks may take out certain parts of the net, but there's no global threat. So it's not serious.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
There have been some very vivid demonstrations of the impacts of cyber-warfare, such as the attacks on Estonia and Georgia, Chinese and Iranian suppression of free speech and media, air traffic control penetrations, and demonstrated penetrations of SCADA networks (power grid in particular). In Estonia, gov't services were disrupted, and the local equivalent of 911 was broken. Georgia was not as badly dinged as Estonia, largely because they're less reliant on networked services. (c.f. http://www.economist.com/displaystory.cfm?story_id=12673385 ). Power grid infrastructures (as well as telecom, oil pipelines, etc.) are highly automated in the US, and have been demonstrated to have been attacked (c.f. http://online.wsj.com/article/SB123914805204099085.html?mod=googlenews_wsj ). Having accidentally broken chunks of telecom infrastructure, I know how easy it is to create large-scale disruptions through control networks - even without ill intent. The FAA IG has reported that air traffic has already been disrupted by system breaches (c.f. http://online.wsj.com/article/SB124165272826193727.html, http://www.oig.dot.gov/StreamFile?file=/data/pdfdocs/ATC_Web_Report.pdf ).
And this is the stuff that's publicly visible. There is definitely an iceberg effect here - there's a lot more under the surface that isn't readily visible to the public. There's good reason the Pentagon doesn't publish the full extent of attacks (successful and not) perpetrated against the DoD infrastructure - it's not a good idea to let attackers know how much you see (and don't). But the concern is based on real threats, and real attempts - this is not hysterical speculation. The rules of engagement haven't been defined (when is a hack attempt serious enough to merit retaliation? what's a 'cyber-exercise' v. an act of war? how definite does attribution of an attack need to be to become a diplomatic issue?). There are countries that are pushing all these envelopes to gain an edge.
So if this stuff is already going on at a low-rumble level, the threat is demonstrated, and the consequences can be foreseen, wouldn't it be irresponsible not to develop techniques and strategies to ensure this bad stuff doesn't happen?
Just because you're paranoid, doesn't mean people aren't out to get you.
It's fear, yes. But it is extremely well-justified fear.
I do penetration tests for large companies. It's bad. Everywhere. The only reason penetration tests are ever unsuccessful is when the tester's hands are tied. Attackers' hands are not tied. Furthermore, denial-of-service flaws are universally ignored because information disclosure is considered a higher priority, and most companies have their hands full dealing with those flaws.
So let me make this as clear as possible: A single individual could shut down pretty much any large company. A group of individuals (say, from a hostile government) could halt operations in multiple simultaneous companies. Target a few large supply-chain management companies and a few large payment-processing/banking companies, and it would be relatively easy to shut down the economy for a while.
That means food rots on delivery trucks while paychecks stop flowing to employees. And don't think we will all switch over to doing things by hand during such an attack. The infrastructure to do so has been dismantled. We are entirely dependent on digital transactions these days.
Why hasn't such an attack happened? Is the probability really "low" as you suggest? It's just a matter of motivation. There isn't much profit in doing such a (tedious) thing for the Eastern-European hacker crime groups, nor for the bored teenagers. There is more profitable, lower-hanging fruit. But if we went to war with a sophisticated nation, the motivations are entirely different. Widespread DoS combined with targeted database corruption would do much more damage to the economy (that thing that allows us to have the best military) than similarly-funded missile strikes.
Ignore the sound-bites security companies feed the media, but don't ignore the problem. This is perhaps the weakest part of our nation's defense infrastructure.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
This is why I think that true security lies not in keeping people from obtaining information, but from setting things up so that it is irrelevant if people obtain that information.
Consider the situation where someone knows all the internal workings of, say, the JSF, but it's designed in such a way that that knowledge would not allow someone to prevent the use of the JSF.
Or consider "identity theft": what if it didn't matter if someone stole your "identity" because there was nothing they could do with it anyway? (Now, in that case, the tradeoff would likely be some loss of convenience.)
So I'll say it again: true security is knowing that you're safe* even when people get to places where you normally wouldn't want them.
*Of course, the definition of "safe" is fairly tricky in this instance. I would probably define "safe" as something along the lines of "suffering no direct immediate or prolonged-exposure-based physical harm."
"There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraphrase)
Everybody, governments, companies, content creators, privacy advocates, have the same problem: digital information is cheap to disseminate.
If somebody breaks into a library of secret documents, there's a limit to how many copies they can make and take out. Even if they were to scan and store every page in every folder in every cabinet, it's still extremely time-consuming.
If somebody breaks into a computer full of secret documents, it takes seconds, maybe minutes, to copy the whole thing. And, the person doesn't have to be physically located by the computer. The person could be halfway around the world, or just right next door but seem halfway around the world.
What it amounts to is that secret-keeping is becoming more and more difficult. Actually, this isn't true. The difficulty of secret-keeping hasn't changed. But society desires convenience. And little do people know, these two concepts are mutually exclusive.
Furthermore, while convenience is individual, keeping secrets is communal. "Secret" is a term that only has meaning within the context of systems, i.e. only people inside the system know the secret, while people outside the system do not know. The problem is when one individual wants convenience and compromises secrecy for it, then the secret is effectively compromised.
Everybody just wants to have their cake and eat it too. That kind of logical impossibility will not happen, no matter how much we might desire it.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
some pretty good ones, and many lame ones.
I have a machine running apache on linux that hosts some "sensitive files". Nothing that a government would want, but something that people who would want to mod certain hardware would want. I had one attack that tried to exploit an IIS vulnerability relentlessly for over an hour against my machine. It was funny because the files it was looking for didn't even exist, and had the script kiddie thought about it, would have checked the server type prior to launching the attack.
on the other end of the scale I had an attack that spidered the whole site, then probed likely holes in the filesystem where tidbits may have been found. I.e.: /index.html /content/file.html /content/collateral/images/picture.png
they would attempt directory view of /content/collateral/ to see what else was there (too bad directory listing is denied by default in my .conf file)
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
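An added example, not part of the original comment: one way a defender could separate the two kinds of traffic described above (IIS-specific requests hitting an Apache host, and a client that spiders the site and then asks for listings of the directories it found) in an access log. The log lines, addresses, finding labels and the list of IIS-only path patterns are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Apache common-log style (documentation-range addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2009:03:14:01 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209
203.0.113.7 - - [10/Jun/2009:03:14:02 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 209
203.0.113.7 - - [10/Jun/2009:03:14:03 +0000] "GET /_vti_bin/shtml.dll HTTP/1.0" 404 209
198.51.100.23 - - [11/Jun/2009:21:40:10 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.23 - - [11/Jun/2009:21:40:11 +0000] "GET /content/file.html HTTP/1.1" 200 7301
198.51.100.23 - - [11/Jun/2009:21:40:12 +0000] "GET /content/collateral/images/picture.png HTTP/1.1" 200 48211
198.51.100.23 - - [11/Jun/2009:21:41:30 +0000] "GET /content/collateral/images/ HTTP/1.1" 403 215
198.51.100.23 - - [11/Jun/2009:21:41:31 +0000] "GET /content/collateral/ HTTP/1.1" 403 215
192.0.2.50 - - [12/Jun/2009:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})\b')
# Assumed list of paths that only make sense on IIS; tune for your own site.
IIS_ONLY = re.compile(r"\.(ida|idq|asp|dll)$|/_vti_bin/|/winnt/|cmd\.exe$", re.I)


def ancestors(path):
    """Directories (with trailing slash) above a file path, excluding '/'."""
    parts = path.strip("/").split("/")[:-1]
    return {"/" + "/".join(parts[:i]) + "/" for i in range(1, len(parts) + 1)}


def classify(log_text, iis_threshold=2):
    """Return {client_ip: set_of_findings} for clients with at least one finding."""
    iis_hits = defaultdict(int)
    fetched_dirs = defaultdict(set)   # directories implied by files a client fetched
    probed = defaultdict(set)         # those directories later requested and denied
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        path = target.split("?", 1)[0]
        if IIS_ONLY.search(path):
            iis_hits[ip] += 1
        elif status == "200" and not path.endswith("/"):
            fetched_dirs[ip] |= ancestors(path)
        elif status == "403" and path.endswith("/") and path in fetched_dirs[ip]:
            probed[ip].add(path)

    findings = defaultdict(set)
    for ip, count in iis_hits.items():
        if count >= iis_threshold:
            # Untargeted noise on an Apache host: the requested files cannot exist.
            findings[ip].add("iis-probe-on-non-iis-host")
    for ip, dirs in probed.items():
        if dirs:
            # Client walked back up from files it found: worth a closer look.
            findings[ip].add("directory-listing-probe")
    return dict(findings)


if __name__ == "__main__":
    for ip, labels in classify(SAMPLE_LOG).items():
        print(ip, sorted(labels))
```

The second finding only fires because the server answers 403 for a directory without an index; with listings enabled the same requests would return 200 and expose the directory contents.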
We can brainstorm this on email if you like.
It's just about my top interest topic.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
MS is not the one perpetuating the attacks, or causing the damage...
Re-read the post: those who promote and profit from known defective technology are at fault. That spreads out the blame to include all those Certified Gold Partners and M$ monkeys who go around posing as IT experts. In fact, the licensing partially takes M$ off the hook by stating that it is made available "as-is" and without claims to suitability for any particular task. They know their products can't cut it.
The fault also lies on all those Certified Gold Partners and M$ monkeys who go around posing as IT experts who end up promoting M$ products in place of suitable technologies. In some ways, more of the fault is on them because of the licensing. It is these "experts" that were supposed to choose between competing technologies and choose safe, low-maintenance, low-cost options to boost productivity. What happens then once they start knowingly and consistently doing the opposite?
Look at melamine. It's safe and legal to make, distribute and put into product. Melamine is not safe or legal in food. M$ products might be fine for some home gaming, if one has thousands to put into good hardware and is willing to do just about anything to avoid getting a real gaming console. However, replacing working, mission critical systems with ones known not to work does call into question what kind of legal action needs to be taken against the actors.
Willful negligence, gross negligence and criminal mischief -- if the deeds are with physical product, versus "oops, sorry, nuttinwecuddadonaboddit" for software? Oh, come on and join the 21st century. The "with a computer" clause doesn't magically absolve people of criminal wrong doing.
It's kind of a big deal when the U.S. military can't keep its data secure.
"Having the plans" is not enough. You have to have people able to interpret them and put them into action. Critical elements are often left out of engineering documentation and there's also always that stuff which was figured-out on the shop floor and never written down.
Slashdot's comments are frequently amusing, as armchair experts bolstered by 30 seconds' worth of Google search know everything. And are smug in their ignorance. They're probably the type that eventually gets into politics for all the wrong reasons.