Separating Cyber-Warfare Fact From Fantasy
smellsofbikes writes "This week's New Yorker magazine has an investigative essay by Seymour Hersh about the US and its part in cyber-warfare that makes for interesting reading. Hersh talks about the financial incentives behind many of the people currently pushing for increased US spending on supposed solutions to network vulnerabilities and the fine and largely ignored distinction between espionage and warfare. Two quotes in particular stood out: one interviewee said, 'Current Chinese officials have told me that [they're] not going to attack Wall street, because [they] basically own it,' and Whitfield Diffie, on encryption, 'I'm not convinced that lack of encryption is the primary problem [of vulnerability to network attack]. The problem with the Internet is that it's meant for communication among non-friends.' The article also has some interesting details on the Chinese disassembly and reverse-engineering of a Lockheed P-3 Orion filled with espionage and eavesdropping hardware that was forced to land in China after a midair collision."
Surely they're not trying to suggest that my l33tness *doesn't* make me more attractive to women?
Audit your code.
Don't try to tack security on at the end, build it in from the start.
Don't assume that the other security layers will hold so yours isn't important. (When I was working in a large tech company this was the most common problem: everyone thought the security above or below their own applications or systems was secure enough that they didn't have to worry too much about it themselves.)
Make sure your coders know enough about the various types of attack that they know what they've got to defend against.
Use Default Deny, not Default Permit.
Don't try to Enumerate Badness. It doesn't work.
Don't rely on Penetrate and Patch. It works badly.
Don't expect average users to get educated about security; they only care about security enough to not get fired. They will also pick awful passwords 99% of the time and will use Pass1234 if asked for uppercase, lowercase and numbers.
Patch your systems.
Fire anyone who writes the domain admin password on a postit and sticks it to their monitor.
Not to sound like my tinfoil hat has gotten too tight, but really is this warfare? So our grid goes down. Does this mean we can't live? Does it stop us from growing crops, transporting them on trucks, and buying them in markets? Don't we have the resources to build other technologies to provide our food and shelter? If the Chinese crippled us via Cyber Warfare, they would lose all of their economic power. We buy more of their junk than anyone else. If China used this as a method of physically taking over the US (they already own our stuff) I am sure the nukes or an EF bombs would put us all on the same playing field.
"Ones and zeros were everywhere. I even think I saw a two!" - Bender
I didn't read the whole thing but the first 10 paragraphs or so strike me as nothing but a bunch of half-informed fear mongering from a journalist who doesn't know what they are talking about.
The Navy’s experts didn’t believe that China was capable of reverse-engineering the plane’s N.S.A.-supplied operating system, estimated at between thirty and fifty million lines of computer code, according to a former senior intelligence official. Mastering it would give China a road map for decrypting the Navy’s classified intelligence and operational data.
If China had reverse-engineered the EP-3E’s operating system, all such systems in the Navy would have to be replaced, at a cost of hundreds of millions of dollars. After much discussion, several current and former officials said, this was done.
This makes no sense. Compromise of the OS binary meant that a new operating system had to be somehow created, and every system had to be reinstalled? I can't understand why compromise of a single system led to every other system being vulnerable - that would be a gaping security hole.
I keep reading these articles about "cyber-warfare" and sometimes I forget that they're talking about my field of expertise. The things they talk about are more akin to some kind of real life battlefield, and they seem to want to push that as the methodology to "fight it." Which seems to involve counter-attacks which make no sense and have little to do with patching and best practices.
Frankly I feel as if you have a bunch of Generals and politicians who have seen Operating Swordfish, Hackers, and similar Hollywood blockbusters - and think that hacking (and security) is this glamorous little battle rather than a spotty nerd installing patches, changing configuration files, and others looking for human mistakes in those configurations/networks.
But that all being said, what do I care if some General has a boner for cyber security and wants to invest a few million in an industry I happen to profit from. Go right ahead I say. I just want them to quit attempting to alarm the general public with nonsense threads about hackers setting off a nuclear bomb, shutting down power, and otherwise ending the world.
Actually I thought the first part about the P3 debacle was fairly informative. We handed over an aircraft full of top of the line spy gear to the Chinese. We'd have been better off if our pilot had simply gone kamikaze and taken the P3 straight down into the drink at speed rather than landing it for the Chinese to dissect. We'd have been in a position to rake the Chinese over the coals over the loss of the plane and entire crew instead of them being the ones who got to act all pissed off at the loss of their incompetent pilot (like they really gave a fuck about the pilot when they got a huge fucking prize out of the mess.)
'Current Chinese officials have told me that [they're] not going to attack Wall street, because [they] basically own it,' and Whitfield Diffie.
Something is seriously wrong when you don't control your own economy, this can not possibly be sustainable. Someone will want to cash in on this eventually and who knows if anyone will pay up?
slashdot hit the icon jackpot on this one! 5 icons! woot
He who knows best knows how little he knows. - Thomas Jefferson
A great deal of money is at stake. Cyber security is a major growth industry, and warnings from Clarke, McConnell, and others have helped to create what has become a military-cyber complex.
And...
In July, the Washington Post published a critical assessment of the unchecked growth of government intelligence agencies and private contractors.
Need we comment further?
RIP America
July 4, 1776 - September 11, 2001
Anyone who really knows the facts and fantasies of Cyberwarfare will not be posting any meaningful comments.
Fact from fantasy? Meaning that the text on your computer screen doesn't get reflected on your face and hackers really aren't edgy, thin, clean-shaven hipsters (some of whom are girls) who speak weird slang out of a Gibson novel and define their philosophies by the indie band du jour's latest hit?
Man, cyber warfare is boring.
I didn't read the whole thing but the first 10 paragraphs or so strike me as nothing but a bunch of half-informed fear mongering from a journalist who doesn't know what they are talking about.
If you only read the first 10 paragraphs, then you haven't done the article justice. Hersh is renowned for his long-form journalism. It's old-school, I know, but he takes his time to investigate and analyse. He doesn't foist his conclusions on the reader; he presents his take on the available information and leaves the reader to think it through.
I'll be the first to admit that he's more patient -and more deliberately objective- than most of us. In fact, that's exactly what I wrote about him earlier today.
This is the same guy who broke the story of the My Lai Massacre as well as many of the most important stories about the American military over the last few decades. His sources are impeccable, and his research is world class. Do yourself a favour: load the page onto your favourite e-book reader and take the time to follow his argument all the way to the end.
Crumb's Corollary: Never bring a knife to a bun fight.
Just don't use a Windows OS. (ducks and covers)
No really folks, my mum had an issue recently, the government office used an ActiveX component, over the net, to calculate annual TAX, which caused clients to become unstable and crash. The horror, the horror.
Schmidt told me that he supports mandated encryption for the nation’s power and electrical infrastructure, though not beyond that. But, early last year, President Obama declined to support such a mandate, in part, Schmidt said, because of the costs it would entail for corporations.
Oh, well then if it costs corporate America too much then it's a bad idea. But if it costs the taxpayers money, blank checks for everyone!
Yes, I am well aware that corporations pay taxes. But my point is the double standard applied whenever government mandates something. It's the same with any law. We have water restrictions in the SE - except for businesses. I can't wash my car with my little bucket and hose, but I can go to a car wash and they can use hundreds of gallons of water to wash my car - all because the legislature didn't want to dig into profits of business.
RIP America
July 4, 1776 - September 11, 2001
several months back, a very frustrated U.S. General said that it would be a good idea to respond with conventional military strikes in response to cyber "warfare". the problem with that, and the problem with using the word "warfare" at all, is that "warfare" falls under the international treaties that make up the geneva convention.
to spell it out: should someone make a physically violent attack on a citizen of another country who did nothing more than accept an open invitation to manipulate infrastructure which should never have been open in the first place, then all citizens of that country have the right - THE RIGHT - to respond with physical violence against ALL the attacking country's citizens, and against ALL assets and territories of the attacking country.
put simply: no matter what the "excuse", if you attack one country's citizens, you have declared war on that country, and they can LEGITIMATELY attack back.
this is the definition of war.
so it is very, very stupid to link the two words "cyber" and "war" in the same sentence.
regarding the espionage issue and the infrastructure issue: it's very very simple. the best way to protect assets is not to connect them to the outside world! sometimes i have difficulty understanding why this is not understood. it's very simple: pull out the plug! to fail to take this simple precaution is to INVITE attack, and the consequences have to be accepted!
but yes: the "ownership" issue is very telling. america and europe's reliance on cheap chinese products basically places them entirely into china's debt. they really aren't kidding when they say "we own you" - why do you think the U.S. is devaluing its currency so rapidly! they're playing exactly the same trick that Hitler's government played on its war reparations of the first world war. ... we live in interesting times, boys and girls...
clearly, it does not fit with your belief structure: it is beyond your ability to cope, so you dismiss it.
ironically it's worth pointing out that the story is probably beyond the journalist's ability to cope as well, resulting in much garblement.
but - yeah. please read between the lines, and try not to be quite so dismissive. there's more going on here than meets the eye.
Security is best outsourced entirely to a company with a metal effect logo and lots of padlocks on their website.
The most important aspect of security is the visualisation shown to the end user.
All workstations should be protected by at least a green spinning cube.
Voice recognition or hand print scanners are the way forward.
Light your server room from above very slow spinning fan blades.
Factor in around one henchman in black, per 100 servers.
Have web access to all critical systems. input[type="password"]{ font-size:1000%; }
Have a physical self-destruct (as in a bomb), to destroy all your unencrypted data, if you simply get overwhelmed by Russian hackers in quasi-futuristic clothing.
The US has already declared war on (their NATO partner) The Netherlands for housing the International Court of Justice. In the US, declaring war is a national sport.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
..the one that shows idiocy of before unheard proportions, and which makes me wonder how some people can attain such a high position anywhere..
Lynn also alluded to a previously classified incident, in 2008, in which some N.S.A. unit commanders, facing penetration of their bases’ secure networks, concluded that the break-in was caused by a disabling thumb drive; Lynn said that it had been corrupted by “a foreign intelligence agency.” (According to press reports, the program was just as likely to be the product of hackers as that of a government.) Lynn termed it a “wakeup call” and a “turning point in U.S. cyber defense strategy.” He compared the present moment to the day in 1939 when President Franklin D. Roosevelt got a letter from Albert Einstein about the possibility of atomic warfare.
But Lynn didn’t mention one key element in the commanders’ response: they ordered all ports on the computers on their bases to be sealed with liquid cement. Such a demand would be a tough sell in the civilian realm. (And a Pentagon adviser suggested that many military computer operators had simply ignored the order.)
Insane... simply insane... and they want to protect us... with liquid cement
WTF
my words fail to describe this
The article itself is a very good read eh. (Which is probably why there are not that many comments here yet (RTA FTW).) It focuses mostly on the war/espionage aspects and has very few mentions of privacy and such, downplaying it rather well. The interesting thing I learnt is that the NSA is pretty messed, [the article saying they] want security but they would rather know everything about everyone. In all, it's probably all hype eh. Sure there are implications of damage war can be brought, but as the article sometimes pointed out, it's hard to distinguish from economic spying and military espionage. In any case, the best thing that can happen (for me) is if America does decide to go ahead and give the NSA even more power they seek. When everyone is under the eye of bigbrother, there should be war. Which is fun eh. If there is no war, America would be a sucky place to live in. Canada would probably be bullied into doing the same thing, so my place would be messed too. Heh... but in all this, I find that I am really anxious for that to happen. I really want to forget everything, take out a few guns, and go out guns ablazing. Like that dude in V for Vendetta. Yarr.
read ron paul's book, "End the Fed". it's an incredibly well-written and well-informed book, showing the disastrous economic reality that is the United States. the financially irresponsible decisions made by successive governments are merely stacking up trouble, and the longer it is "delayed" by further irresponsible decisions, the larger the crash will be.
the main problem is that the U.S. dollar is the de-facto international reserve currency. this is why china has had a policy, for the past 18 months at least, of lending to all but the U.S. - and i mean really large amounts of money - but on the condition that the reserve currency is the RMB. and given the stability and growth rate of china's economy, it's a good deal.
Since we're using cyborgs for warfare now, at least we don't have to worry about soldiers getting injured as much, it's easier to rehabilitate someone with cybernetics.
I find his statement accurate, once you stop to consider every major corporation is trying to get into china to "do business", meaning they cooperate and base their profits on access. And big transnationals are all on wall street.
When the remnants of Hurricane Ike came through our area, we lost power for about two weeks. A pretty large area including rural and urban areas was out. Most of the rural areas were on wells. Well pumps don't work without electricity. There were no fights. There were no hoarders or scalpers. (Well... Generators did disappear quickly.) We had no perishable food for a couple of weeks, but we survived without cannibalism.
There was less civil unrest than your standard UK Soccer/Football match.
he happens to see on the street. Sweet.
Best Slashdot Co
how all these articles focus mostly on China. If this were 45 years ago, you could replace china with soviet union, and cyber warfare with nuclear holocaust. In my opinion this just goes to show how generally targeted and short sighted most american foreign policy really is. There is always something new to fear, new to hate.
Good people go to bed earlier.
"...a Lockheed P-3 Orion filled with espionage and eavesdropping hardware that was forced to land in China after a midair collision."
Thanks to the pilot who disobeyed orders.
Whoa. Wait a second. You mean we've been complaining all this time about shallow sound-bite and press-release "reporting" and then they slip in a REAL reporter? With an in-depth story? That requires... reading the whole thing?!
The problem is summed up in this paragraph:
One person's security is another person's insecurity. You can't secure citizens without making government nervous, and you can't widely deploy crypto and then control who gets to use and who doesn't.
The problem that a lot of people seem to be missing is that the Chinese control the US 100% - up until the point where we say they do not. The US has two solutions: devalue the currency such that the debt is worthless and probably pointless as it could be paid off by anyone, or simply repudiate the debt, saying we don't owe it anymore.
There is no "international court" that would rap the US on the hand to say "No, no, you have to pay." If the President were to declare the debt null and void the US would take a big hit worldwide in terms of credit but the Chinese would be left holding the bag. A worthless bag.
Their solution would be to crash the economy first and be holding all the natural resource cards or at least as many as they could grab. They are doing the latter today with holding rare earth metals and making exclusive deals in Africa and South America. At some point they control enough resources that no matter what the rest of the world has to do their bidding.
I'm betting that isn't allowed to happen.
Sure, they don't want to crash Wall Street. It would, however, be in their interest to trigger "unrest" in the US in the form of riots over food, electricity and heat.
Read in Friday's NYT that the Carlyle Group is buying up IT security companies as fast as they could snatch em up!
resist propaganda
Diffie is quoted to have said:
"I'm not convinced that lack of encryption is the primary problem [of vulnerability to network attack]. The problem with the Internet is that it's meant for communication among non-friends."
Is that second sentence correctly quoted? It would make more sense to me if it said the Internet was *not* meant for communication among non-friends. (That is, it was meant only for communication among friends.) But perhaps I am not catching the point he was trying to make.
Can anyone offer an explanation of why the quote as given makes sense?
I was unable to find an email address for either Diffie or for Hersh to inquire directly to either of them.