Slashdot Mirror
NSA Director Says the US Must Secure the Internet
Trailrunner7 writes "The United States has a responsibility to take a leadership role in securing the Internet against both internal and external attackers, a duty that the federal government takes very seriously, the country's top military cybersecurity official said Tuesday. However, Gen. Keith Alexander, director of the National Security Agency and commander of the US Cyber Command, provided virtually nothing in the way of details of how the government intends to accomplish this rather daunting task. 'We made the Internet and it seems to me that we ought to be the first folks to get out there and protect it,' Alexander said. 'The challenge before us is large and daunting. But we have an obligation to meet it head-on.' It's unlikely that any of Alexander's comments Tuesday will do much to quiet the criticisms of the Obama administration's security efforts thus far. Speaking mostly in generalities, Alexander emphasized the administration's commitment to the Comprehensive National Cybersecurity Initiative, a plan developed by the Bush administration and recently partially de-classified by Obama administration officials."
Until you control all the INPUTS, you can't control the OUTPUTS
I think these folks are actually trying to use scare-tactics in order to increase their own budgets short-term,
knowing that there is no feasible method of performing such a task.
Support FSF: Stop thinking with your wallet, and think with your imagination. (cc/non-commercial)
Secure it from you control freaks? Sure.
We did make the Internet, and between government and business and private citizens we spent about $1 Trillion bringing it up to the state where Carly Fiorina and the other outsourcing robber-barons could use it to ship the whole information economy to India and China, cratering the return we expected from our investment, so they could pocket a few $billion in quick profit.
We'd like our money back. Someone tell Carly she owes us.
The internet is already secure for me, when using SSH to a trusted host.
Job done.
Block all traffic to .ru and .cn.
So long as the smarter people remain outside the law, it will never be secure. /generalization
Living With a Nerd
He has a masters degree in systems technology and another in physics, according to his biography, in addition to an MBA and a BS undergrad, plus lots of experience in intelligence and counter-intelligence, including in active combat scenarios, according to his biography. I suspect he's probably more "technical" than a large swath of people here, not to mention the general public. Just because he says folks doesn't mean his 'non-technical', so stfu.
The way to "protect" it is to not use it for stuff that, um, needs protecting.
Proverbs 21:19
Because we can!
Or at least that was 'good enough' of a reason for the Thunderbirds
Allwe need now are some 'net savvy puppets with supersonic jets
Wherever You Go, There You Are
Gen. Keith Alexander is absolutely correct.
It is a daunting task, but the USA should be leading the fight in securing the internet from nefarious organizations like the NSA.
I think it would be more accurate to say we need to protect ourselves from the Internet vs. we should protect the Internet.
Do really dense people warp space more than others?
Why would they be worried about securing the net when they won't secure our boarders...
You could be placed under investigation because of Who you ssh with.
They need to recruit the inventor of the Internet to help secure it. Al Gore finally has a real job!
if you read the summary about "Securing the internet" you'd know that the comment by this individual, technical or not, would give you the impression that he's a fucking moron.
I'm sure he's good at what he does, but "securing the internet" is not and will never be one of those things.
Even DNSSEC and IPv6 do nothing for "Security", because they haven't gotten back the original security issue: computers and/or users. Adding encryption, adding anything to allow anonymity and all you do is make it easier to poke holes in security. Get rid of anonymity and all you do is make it easier for people to use fraudulent identities since it assumes that nobody can be anonymous, which is also impossible. You're at the PC, and I'm behind you telling you what to do? Guess what, I'm anonymous.
Considering that security goes beyond the internet, shows how impossible the idea is. This is not even remotely reasonable.
Should the government really be trying to manage security across the ENTIRE internet? Would you rather plug 10,000 holes in an old barrel or just build a new barrel? Maybe I just don't understand the issue enough, but wouldn't a separate Government/Military/infrastructure internet be more viable and easier to implement on existing systems thus costing less? And if you really needed access to the public internet, you could control the points of entry and monitor them much easier and more effectively.
You tried your best and you failed miserably. The lesson: never try.
I didn’t realize the Internet itself was insecure.
We could talk about securing applications that run on top of the Internet, but that would be a different conversation and I am not sure that is where we want the government to be.
"We made the Internet and it seems to me that we ought to be the first folks to get out there and protect it,' Alexander said." That's like saying the guy who dug the foundations built the house and is responsible for it? And when he says "securing the Internet against both internal and external attackers" surely by it's nature all attacks are internal.....or external, whatever.
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
The internet is basically hosted on public infrastructure. Until the government decides to lay down it's own lines (above and beyond what it currently has, which in no way would support national bandwidth requirements) and host it on hardened equipment there's little the administration can do other than wave their finger and say, "Hey you guys, make this safer!" And to be honest, this has a lot less to do with protecting us from cyber threats and a lot more to do with implementing federal taxation on usage/commerce as well as visibility of data in and out of any node on the national network without all the red tape that's currently involved. You can call me a conspiracist, but it doesn't sound as crazy when you consider all the truly critical Government/Military traffic is already hosted on dedicated government-owned lines/equipment.
Good... tell you what NSA, you go ahead and when you've managed to actually track down the spammers and the phishers and we have some "extrordinary rendition" (I was thinking of rendition more in the soap sense), then I'll believe you're serious. /It's fun to be an Internet Touch Chick //but I DO so wish they'd take me up on the challenge
The Digital Sorceress
...Why doesn't the government worry about securing their own networks before acting like they have the "expertise" to secure the entire internet.
The real Sig captains the Northwestern. This one captains
The first step is to stop movie and music piracy, right? Truly the biggest threat to our country (if you ask any politician getting big campaign donations from Hollywood and big media, that is).
SJW: Someone who has run out of real oppression, and has to fake it.
A typo is not the same thing as a flawed argument, unless you're losing.
Just add an "s" to your "http"!
At some point in history, there were doctors who were convinced that the four humours were the chief actors in the body, and developed some pretty strange and barbaric rituals to regulate their levels. The finest doctors at that time went to the finest schools and received the best education in the world, as far as they were concerned. The trouble was that everything they believed was absolutely untrue. The foundation of every bit of their knowledge was built upon a lie.
Receiving a good education does not ensure that you are right or wrong, but it means you are very highly trained in the existing hubris of your culture. So I'm sure this guy worked very hard, and filled out all the right forms and kissed ass at the appropriate times and wrote brilliant regurgitations of his professor's theories to clamor his way to the top of the bourgeois dog pile of the desperately successful. But that doesn't mean his ideas are worth a damn.
And it also doesn't mean that they're not worth a damn. But the guy works for the government, and specifically, the part of the government that exists to protect American (corporate) interests above all else. His job is to make the internet safe for commerce, not to protect the free flow of information. He's got his hammer, and he intends to find some nails.
The Internet is quite secure, it's the software systems that are attached to the internet that are not. Time to develop a trusted opererating system and a secure browser.
"...a network that many security experts see as hopelessly broken and flawed by design."
wait, what?
DNSSec is intended to prevent query cache poisoning. It's not a catch-all silver bullet and its not meant to be. Similarly, requiring IPSec in IPv6 solves certain problems, while leaving others untouched.
There will likely never be 100% security, for if there were, then you would have a 100% unusable system. But that doesn't mean that the current situation can't be made better. I just get the impression that a lot of people around here equate freedom with a reasonable expectation of getting away with a crime and have greasemonkey scripts to auto-respond with the Franklin security/liberty quote.
Why not concentrate on the folks who are exposing critical systems to the internet - if, in fact, they are?
I know folks in the defense industry - all the critical stuff has not physical path to the internet. To access that information means switching machines.
Same goes for other industries. I mean, network admins aren't stupid - it's pretty obvious that if it's really critical you don't connect it to the internet. Even the PHBs get that.
RIP America
July 4, 1776 - September 11, 2001
Trying to secure the internet is like trying to stop air flowing through a screen door. They might have better luck securing critical infrastructure and implementing a backup communication channel for that infrastructure should the internet be compromised.
"secure the internet against internal and external attackers?"
What does external mean here? The first thing that comes to mind would have to be some kind of E.T..
Someone explain what 'external' means in relation to the internet. Unless it's referring to some kind of physical world outside of the internet..!!
Is there a world outside of the internet!!?
nobody said the current situation can't be made better. That has absolutely nothing to do with the statements at hand.
Assuming you can make anything secure, however, is a completely false statement, and is specifically what was said. "We're going to secure the internet" is likewise a false statement.
This press statement makes me really worried. Considering the recent news about Congress wanting a kill switch for the Internet, an NSA announcement that it will "secure" the internet sounds like spin.
Have you ever heard the joke about how different branches of the U.S. military "secure" a building? The NSA puchline would be "rig the building for demolition, then put the Big Red Button right next to the light switch.
Between my experience with STU-IIIs and being a Dune fan ("He who can destroy a thing, controls a thing") I'm really worried that the NSA has been tasked to create an internet kill switch, and that the "security" efforts they will soon recommend will be a pretext for the kill switch's creation. The NSA is the logical government agency to implement a kill switch, and designing the new security system would give them the access they'd need. Normally I hate conspiracy theories, but this is just creepy to me.
Footnotes:
For all you coders out there, I meant "=", not "=="; in my opinion the NSA getting involved assigns the value "kill switch" to "secure".
Joke punchline origin: every piece of NSA designed hardware I've handled has a kill switch built in, and one of my biggest headaches was people asking "what does (PRESS) this do?". Quote from the STU-III handbook:
The STU-III battery backup allows power to be removed, as in a power failure or unplugging the unit to move it, without losing the encryption data. The zeroization button bypasses this backup and erases the encryption data. After zeroization, the STU-III must be rekeyed and the CIKs must be remade. The STU-III is zeroized:
In an Emergency. - If the STU-III is ever in danger of falling into hostile hands, zeroize it to prevent the adversary from obtaining a functional unit. . .
By Accident. - The accident usually follows an employee's curiosity. The employee starts playing with the buttons and zeroizes the unit. Be sure to brief your employees on the importance of not pressing or playing with the zeroization button. Refill the STU-III using a new seed key [or operational key].
Travel the Galaxy! Meet fascinating life forms...
also, the franklin statement is very very accurate, and very much a concern when it comes to the US government, which is well known to throw around abuse of power and let judges settle the constitutionality of their horrible decisions in the first place.
The government clamoring for more security tells people that a: they want to monitor everything, b: they want to control everything, and c: who cares about the actual citizens of the US?
Forget the republican angle on it, this has been a corruption issue more than 30 years in the making at this point.
A house can be considered secure when doors and windows are closed and locked. Is the hose secure from criminal invasion? No
The house is secured from unauthorized access. Can the house be secured? No
So, How do you stop criminal entry? Stop the criminal. In the process of stopping the criminal can the home be used? No
Using the home will endanger or at least penalize the private home owners, and may inadvertently criminalize the home owner,
because there is a pot-plant growing (not for use/distribution) in the back yard.
Anyway good police work, investigation tools, reasonable response (offensive and defensive) weapons, and sensible laws are (IMO)
the only acceptable ways to stop criminals without harming your people, culture, economy....
Any blanket solution to crime (like the drug-war and god-sex laws) is always dumb as dirt and will never work.
Crime is flexible "Asymmetric" you can only lose while playing catch-up.
Good police work always adapts to the crime and times to get the dirt on the perps.
Holy-Drug/Sex/Alcohol... laws always create an ungovernable underground economy that makes citizens criminals (USA is the example).
When citizens are made criminals, then you must increase the protection for the remaining parochial-dogma citizens.
Good security always starts at the borders (points of entry). [i.e. Doors, Windows, Customs, Air/Sea Port, Top-Level gateways and routes...].
The laws already exist to stop criminals and locks and latches won't help US, EU, RU, CN....
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
Adding encryption, adding anything to allow anonymity and all you do is make it easier to poke holes in security.
You can always poke holes in any security scheme, but that doesn't mean it's not worth trying. Locks can be picked. Passwords can be guessed. Social engineering is always going to be a problem. Still, we do these things.
Security is not about making unauthorized access impossible. It's about making unauthorized access difficult and risky so that fewer people try, and fewer still succeed.
But we don't want you (the NSA) to secure the internet..
Have you fscked your local propeller head today?
He has a masters degree in systems technology and another in physics, according to his biography, in addition to an MBA and a BS undergrad, plus lots of experience in intelligence and counter-intelligence, including in active combat scenarios, according to his biography. I suspect he's probably more "technical" than a large swath of people here, not to mention the general public. Just because he says folks doesn't mean his 'non-technical', so stfu.
No "technical" person would ever say such a stupid thing, like "US must secure the Internet".
I know quite few people with lots of degrees and shit, but they're still dumb as a brick.
No, we can't secure the whole internet. What we can do, however, is make highly critical segments more secure. Part of that is physical security, part of it is better monitoring infrastructure, such as fiber tap splitters off to an IDS system at a backbone peering point. vendors such as Net Optics make just such a device, among others.
It would probably make more sense to run new lines, or light up some dark fiber, and move all the government stuff onto that, then have a few border crossings, like peerage points, where "real" internet access can be controlled and monitored to prevent breach of systems which aren't already on separate networks. They might do that already, I can't really say for sure.
Although, it still doesn't keep some random employee from doing something stupid on the inside, you can at least mitigate the impact. Then maybe, just leave much of the rest of the infrastructure as-is and have fend for ourselves, or whatever.
But yeah, we can just be picky and pedantic instead of just agreeing that there's a point of "good enough" that's more secure than what we have but less secure than just not having the system in the first place, or locking it away in a concrete bunker with no power.
"We made the Internet and it seems to me that we ought to be the first folks to get out there and protect it,"
Protect it from who, what and why?
And if you are serious, start by getting rid of spam. And if you should somehow manage that, you have most likely also killed the (free) internet as we know it.
Carbon based humanoid in training.
You don't deal with issues like this by inaction, or by battening down the hatches while leaving a giant pipeline of hackers and botnets flowing from China into the US.
You pull the plug on the root servers recognizing China until THEY shut them down.
Actions speak louder than Fear.
-- Tigger warning: This post may contain tiggers! --
There are ways the US government can do some in advancing Internet security as a whole. Some that come to my mind (usual long list):
1: Subsidizing an OATH compatible OTP system. Perhaps get Aladdin/SafeNet or RSA to make tokens which support numbers that change every 30 seconds, and apps for devices. Now, a thief has to do more than just slurp a password to compromise a bank account. They would have to actively mess with the Web browser. This leads to #2.
2: A ZTIC-like system. This way, transactions are confirmed actively, so malware present on the system can't actively transfer money even if a bank account's password is compromised. This can be a hardware device, or a phone app.
3: Crypto contest for a RSA successor. RSA has stood strong, but another public key algorithm that is quantum computer resistant is needed. Of course, this isn't an easy task, compared to making symmetric key algos.
4: A backbone between businesses similar to NIPRnet, but for civilian transactions.
5: A civilian CAC for client certificates, with good mechanisms in place to deal with cards that are lost, stolen, locked out due to bad PIN retries, or accidentally microwaved.
6: SELinux's successor. Preferably a hybrid between it and AppArmor. The more technology in keeping applications to just what they need to run, the better.
7: This isn't directly Internet affecting, but perhaps find some R&D into backup technologies? It used to be a while back that companies were through about backups, and if you even thought about being a sysadmin, you knew how to do dumps, tars, full/incremental/differential backups, tape rotations (grandfather/father/son), offsite tapes, and so on. These days, people don't even bother with backups, and if they do, they think the cloud can do it, forgetting the time it takes to suck all that info back through a WAN connection on restore. Yes, backups are boring as all get-out, but in case other security measures fall apart, backups are what one uses to piece things back together.
...and secure our physical borders?
Amazing how everyone immediately thinks of encryptions and sniffers in terms of security.
But how many well-placed bombs would it take to take down the entire internet (or at least most of it). It's not nearly as redundant a network as some would like to believe, and if you can take down the backbone, the trunks have nothing to talk to.
I know you can't ask Slashdot to read the article, but can't we even read the summary anymore? From the headline "US Must secure the Internet" (A change from the actual headline "US has a duty to secure the internet" to the actual NSA Director "has a responsibility to take a leadership role in securing the internet") maybe you can say they're talking about making online ID mandatory so all activities can be traced to an individuals internet license ID. Or something. But they're not. They're talking about providing expertise and advice to help others secure both public networks (like the Internet) as well as private networks (such as corporate and government networks.) This is similar to how the FDA advises the public on the proper temperature to cook your hamburger to to avoid e.coli, but doesn't send in the stormtroopers if their spy sats detect you BBQing undercooked meat. You can say that, given the government track record for incursions into their own networks, they have no business telling others how to secure their networks. And you'd probably be right, but you wouldn't be saying anything that TFA didn't say.
But, the majority of TFA is talking about how the government plans to improve the security of their own networks, and the steps that they have already taken. Very little is spent talking about their planned "leadership" roll in helping secure public and private networks across the country. It sounds an awful lot like leadership by example, however. There's no mention of new laws making security features mandatory, for example. More like just providing advice on how to secure a network, with examples of how they have improved their own security. It's being criticized as being overly broad and generalized. Which, again, is probably valid, since it's exactly the field of the people leveling the critiques. But nothing sounds malicious at all. Nothing sounds like, as people have been saying, they plan to eliminate anonymity by making all internet connections require a traceable license. That's pretty absurd, and if it's been brought up by the government, it wasn't by TFA or anybody in it. What he's saying is, the internet is important, and the government has a duty to protect it from attacks. Such as, a DDoS or other sort of attack taking down key points and knocking a substantial amount of the country offline. That would be a serious blow to the economy, so yes, the government does have a duty to do what it can to prevent that kind of attack.
Last but not least, is the quote that ends TFA.
ASCII stupid question, get a stupid ANSI
but disliking the us govt for what all govts do just makes you look silly
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
When the Internet becomes self-aware security will greatly improve. The extermination of humanity will begin. As so many Slashdotters remind us daily, humans are the weakest link in any security scheme.
NSA Director Says the US Must Secure the Internet
As of 10am EST this morning I have completely secured the Internet. The NSA director and my immediate management have been notified. I closed the ticket.
wrap the tubes with tape.
Nullius in verba
The "Internet" provides a pipe into my network. My network is secure. I am not sure how anyone would go and secure the inter-networking connection between my network and others. Well, yes, I can see the value of hardening the infrastructure (protecting fiber-optic and cable links). And, taking this literally, that is the meaning.
But, for some reason, I am sure that is not what is meant. What I suspect is that anyone who connects to the main backbones, or a subsidiary will need to have some confirmation that they will not be a source of "attacks". (leading us to attempt to define what "attack" means).
Maybe the US will finally secure its own government computers (preventing the fiasco started by McKinnon).
I am still not sure what "securing the Internet" means.
Just another "Cubible(sic) Joe" 2 17 3061
... or doesn't see the sub-contractor profit in it.
Look, it all goes back to the same reality.
If physical security is compromised (and it can, has been, and always will be), then the rest of the security is entirely and completely ineffective.
Since even a military base has weaknesses for physical security, there really isn't a solution.
This isn't an advertisement for anarchy, it's just reality.
Want to know what the best thing is that can be done for security? Best practices. Create them, know them, have everyone follow them. Why? Because it's the (best) you can do.
I'll meet you all in the undernet.
"Now I am become Death, the destroyer of worlds"
Perfect Online Resource Kontrol - PORK
Do they know, "kontrol" doesn't start with a K... /singing
a responsibility to take a leadership role in securing the Internet against both internal and external attackers,
When the man says "external attackers" does he mean people who are not current users and should be forcibly kept out of the internet, or does he mean *reaaaally external* attackers, such as the Borg?
1) Air Gap
2) Sneaker Net
3) f28R^VD(*
4) Profit!
They've been working themselves up to this for a while now, and it appears that the lead-in propaganda campaign has heated up. I can't believe that I haven't seen another post discussing this yet. It fits perfectly with TFA/TFS. Two words.
Trusted Computing.
Here is a paper by Ross Anderson on some of what implementing Trusted Computing will mean.
This had better be nipped before implementation or there won't be another chance. The internet is a tool with more than one use, just as with nearly any tool. While the internet has tremendous power to empower, inform, and enrich, it also has tremendous power to monitor, control, and suppress if Trusted Computing is allowed to be implemented.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
who said there wasn't any room to improve? try reading the comments again. I didn't say it can't get better, but to declare it secure is another statement altogether.
More secure, that's a legitimate statement. But "securing the internet"? please.
They should have thought of that in the seventies.
Or how about security eye for the promiscuous guy.
Je me souviens.
From credit card scammers, or from Wikileaks?
Run your browser of a bootable USB stick or better a Live CD... Get a Ham Radio for a Modem, Other people can too. Implement your own security. If you decide to be a sheep you will end up as mutton on someone's plate.
The way the Net is currently implemented, there's no way to secure it. PEBKAC. I'm skeptical it can be secured in any form, because people are frickin' stoooooopid. This is not to say we shouldn't *try*, any more than we should *try* to stop all murders from occurring. I know this will be an unpopular thing to say on SD, but nearly all shenanigans would stop if a way could be found to erase anonymity. Criminals depend on not being identified or caught; this is why more houses get burgled at night. Before you cry foul at the idea, realize that the world is getting ever more connected and therefore ever more vulnerable. All information and all media will be on the Internet. Sooner or later a decision will have to be made as to whether anonymity or a usable world is more important.
Realized there was oil in the Internet...
Why else would the US want to 'secure' it?
[The Universe] has gone offline.
Receiving a good education does not ensure that you are right or wrong, but it means you are very highly trained in the existing hubris of your culture.
Great phrase! Have you read Masks of the Universe? Here are some excerpts from the introduction (pdf):
The theme of this book is that the universe in which we live, or think we live, is mostly a thing of our own making. The underlying idea is the distinction between Universe and universes. It is a simple idea having many consequences.
We don't see the world as it is, we see it as we are.
-- Anais Nin
I wouldn't say DNSSEC doesn't do anything... A year and half ago with a few minutes of UDP packets you could change any DNS record you wanted at an ISP... DNSSEC will hopefully help improve things. I'm not saying its an end to end solution like PKI but hey take what you can get.
The government also has come under fire for attempting to tell companies how to improve their security while suffering a slew of embarrassing intrusions on its own public and classified networks. The most well-known of these attacks is the compromise of a classified Department of Defense network through an infected USB drive in 2008.
From DoD Takes Criticism From Security Experts On Cyberwar Incident posted this Saturday "this James Bond-like scenario doesn't stand up to scrutiny."
Falcon
Should there be a Law?
CERN disagrees.
CERN does not disagree. CERN was the birthplace of the World Wide Web" and the internet is much more than just the web. Here's A Short History of Internet Protocols at CERN from the horse's mouth.
Falcon
Should there be a Law?
They almost made XP too good, the push to upgrade from XP stumbled out of the starting gate a bit.
..crap.
Seriously, what every government is obliged to do is secure their own damn networks and protect the private data of citizens.
The rest of the Internet is none of their business (well, except jailing the SPAM-ers and black hat hackers). ISP's have to take care that things work out (data flows through the tubes), and everyone has to make sure to either not have sensitive data on their end or properly secure it.
You have a door with a lock on your house and you shut it closed when you leave. You don't expect some government force to babysit your entry. Why should they do with the "Internet" then?
Receiving a good education does not ensure that you are right or wrong, but it means you are very highly trained in the existing hubris of your culture.
Compare the amount of evidence going into medical learning at the heyday of the humor theory and today. You'll find considerable more evidence going into medicine today.
Yes, there is a layer of interpretation on top of any collection of evidence. But if you collect evidence densely enough, and around the same problem from many angles, I believe you will converge towards an objective truth.
This approximate truth (and the methods for finding and improving it) is among what you learn when you take a university education today. I think. At least in the natural sciences and social sciences (I don't know what you do in the humanities, but I guess you argue and discuss a lot).
We must secure the air! Did you know anyone can just reach out and touch it!?! Anything could be in the air. From now on we will be providing government-issued plastic bags to all citizens. Simply place the bag over your head, secure with the included duct t... I mean, highly technical securing device and enjoy your new-found safety. You won't come into contact with any unsecured air particles for the rest of your life!
But if you collect evidence densely enough, and around the same problem from many angles, I believe you will converge towards an objective truth.
Or, you could just fill peoples' heads with lots of lots of data and yet fail to impart even the slightest qualitative understanding of what it all really means... which, if the kind if mentality displayed by the average MD is any indication, is exactly what's happening in medical schools.
Oh, I see your mistake--you forgot there is such a thing as credit. If I can't absorb $10,000--I'll borrow it and pay it back monthly. And not at your usurious 50% APR ($416/mo), but more likely at <10% APR (<$132/mo).