Slashdot Mirror


Separating Cyber-Warfare Fact From Fantasy

smellsofbikes writes "This week's New Yorker magazine has an investigative essay by Seymour Hersh about the US and its part in cyber-warfare that makes for interesting reading. Hersh talks about the financial incentives behind many of the people currently pushing for increased US spending on supposed solutions to network vulnerabilities and the fine and largely ignored distinction between espionage and warfare. Two quotes in particular stood out: one interviewee said, 'Current Chinese officials have told me that [they're] not going to attack Wall Street, because [they] basically own it,' and Whitfield Diffie, on encryption, 'I'm not convinced that lack of encryption is the primary problem [of vulnerability to network attack]. The problem with the Internet is that it's meant for communication among non-friends.' The article also has some interesting details on the Chinese disassembly and reverse-engineering of a Lockheed P-3 Orion filled with espionage and eavesdropping hardware that was forced to land in China after a midair collision."

21 of 111 comments

  1. How to deal with network security? by HungryHobo · · Score: 3, Insightful

    Audit your code.
    Don't try to tack security on at the end, build it in from the start.
    Don't assume that the other security layers will hold so yours isn't important. (When I was working in a large tech company this was the most common problem; everyone thought the security above or below their own applications or systems was secure enough that they didn't have to worry too much about it themselves.)
    Make sure your coders know enough about the various types of attack that they know what they've got to defend against.

    Use Default Deny not Default Permit.
    Don't try to Enumerate Badness. It doesn't work.
    Don't rely on Penetrate and Patch. It works badly.
    Don't expect average users to get educated about security, they only care about security enough to not get fired, they will also pick awful passwords 99% of the time and will use Pass1234 if asked for uppercase, lowercase and numbers.
    Patch your systems.

    Fire anyone who writes the domain admin password on a Post-it and sticks it to their monitor.

    1. Re:How to deal with network security? by Pink_Ranger · · Score: 2, Interesting

      *Default Deny
      *don't enumerate badness
      *forget about user education

      This sounds really familiar. Are you the author of this article?

  2. Re:Warfare? by HungryHobo · · Score: 3, Insightful

    China is just the current bogeyman.
    There's no shortage of attacks from hackers anywhere, but I'm told China used to be a good place to bounce attacks through and there probably is a certain amount of corporate espionage.

  3. Re:Warfare? by advocate_one · · Score: 4, Interesting

    Not to sound like my tinfoil hat has gotten too tight, but really is this warfare? So our grid goes down. Does this mean we can't live?

    You've already had examples of how things break down when the power goes out during the previous major blackouts... imagine it being nationwide and more than 48 hours in duration... you cannot cope with that... people WILL be fighting for food and water...

    There were fights in supermarkets in Gloucestershire over bread and water when the floods hit in 2007...

    They were minutes away from having to order the evacuation of most of the county if the flood defences had failed to protect the major electricity substation supplying a large part of the county including the city of Gloucester... the main water treatment plant was taken out by the floods and we were having to use water trucked in and distributed via water bowsers for several weeks until the plant was repaired and the water mains had been flushed out and treated

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  4. Re:Warfare? by chrb · · Score: 4, Insightful

    The article quotes Richard Clarke on a hypothetical Chinese cyber attack:

    Within a quarter of an hour, 157 major metropolitan areas have been thrown into knots by a nationwide power blackout hitting during rush hour. Poison gas clouds are wafting toward Wilmington and Houston. Refineries are burning up oil supplies in several cities. Subways have crashed in New York, Oakland, Washington, and Los Angeles. . . . Aircraft are literally falling out of the sky as a result of midair collisions across the country. . . . Several thousand Americans have already died.

    Firstly, China isn't going to attack the U.S. - going to war with one of your largest trading partners and a nuclear armed state would be stupid. But if China were to wage war on the U.S. then the deaths of a few thousand people and the associated chaos would be chickenfeed compared to the effects of nukes raining down on American cities. I wonder whether this kind of alarmism is meant purely to scare people into accepting increased defence spending, or whether the people at the top honestly believe what they are saying?

  5. Re:Separating Fact From Fantasy by Pojut · · Score: 2, Funny

    It does if you find the right woman :)

    And don't call me Shirley.

  6. Re:Ya well I'm going to have to file that as fanta by grcumb · · Score: 5, Informative

    I didn't read the whole thing but the first 10 paragraphs or so strike me as nothing but a bunch of half-informed fear mongering from a journalist who doesn't know what they are talking about.

    If you only read the first 10 paragraphs, then you haven't done the article justice. Hersh is renowned for his long-form journalism. It's old-school, I know, but he takes his time to investigate and analyse. He doesn't foist his conclusions on the reader; he presents his take on the available information and leaves the reader to think it through.

    I'll be the first to admit that he's more patient -and more deliberately objective- than most of us. In fact, that's exactly what I wrote about him earlier today.

    This is the same guy who broke the story of the My Lai Massacre as well as many of the most important stories about the American military over the last few decades. His sources are impeccable, and his research is world class. Do yourself a favour: load the page onto your favourite e-book reader and take the time to follow his argument all the way to the end.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  7. Nevermind then! by AnonymousClown · · Score: 2, Interesting

    Schmidt told me that he supports mandated encryption for the nation’s power and electrical infrastructure, though not beyond that. But, early last year, President Obama declined to support such a mandate, in part, Schmidt said, because of the costs it would entail for corporations.

    Oh, well then if it costs corporate America too much then it's a bad idea. But if it costs the taxpayers money, blank checks for everyone!

    Yes, I am well aware that corporations pay taxes. But my point is the double standard applied whenever government mandates something. It's the same with any law. We have water restrictions in the SE - except for businesses. I can't wash my car with my little bucket and hose, but I can go to a car wash and they can use hundreds of gallons of water to wash my car - all because the legislature didn't want to dig into profits of business.

    --
    RIP America

    July 4, 1776 - September 11, 2001

    1. Re:Nevermind then! by BLKMGK · · Score: 2, Interesting

      The car wash recycles and filters the water for reuse, do you?

      --
      Build it, Drive it, Improve it! Hybridz.org
  8. Re:Warfare? by grcumb · · Score: 5, Informative

    I wonder whether this kind of alarmism is meant purely to scare people into accepting increased defence spending, or whether the people at the top honestly believe what they are saying?

    If you read TFA all the way through, Hersh is clearly making the case that the entire body of 'cyberwar' rhetoric is little more than a power (and budget) grab. One of the more interesting quotes comes from a security analyst who says most of the electronic espionage we see these days comes from allied countries, and it's mostly economic in nature.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  9. "Warfare" falls under the Geneva Convention by lkcl · · Score: 3, Insightful

    several months back, a very frustrated U.S. General said that it would be a good idea to respond with conventional military strikes in response to cyber "warfare". the problem with that, and the problem with using the word "warfare" at all, is that "warfare" falls under the international treaties that make up the Geneva Convention.

    to spell it out: should someone make a physically violent attack on a citizen of another country who did nothing more than accept an open invitation to manipulate infrastructure which should never have been open in the first place, then all citizens of that country have the right - THE RIGHT - to respond with physical violence against ALL the attacking country's citizens, and against ALL assets and territories of the attacking country.

    put simply: no matter what the "excuse", if you attack one country's citizens, you have declared war on that country, and they can LEGITIMATELY attack back.

    this is the definition of war.

    so it is very, very stupid to link the two words "cyber" and "war" in the same sentence.

    regarding the espionage issue and the infrastructure issue: it's very very simple. the best way to protect assets is not to connect them to the outside world! sometimes I have difficulty understanding why this is not understood. it's very simple: pull out the plug! to fail to take this simple precaution is to INVITE attack, and the consequences have to be accepted!

    but yes: the "ownership" issue is very telling. America and Europe's reliance on cheap Chinese products basically places them entirely into China's debt. they really aren't kidding when they say "we own you" - why do you think the U.S. is devaluing its currency so rapidly! they're playing exactly the same trick that Hitler's government played on its war reparations of the first world war. ... we live in interesting times, boys and girls...

    1. Re:"Warfare" falls under the Geneva Convention by ledow · · Score: 3, Insightful

      Since when has the US cared about the Geneva Convention? There is more than one Geneva Convention, for a start, and the US never ratified two of those. Those it did, it regularly breaches - you have things like Guantanamo Bay which is still operational and where sleight of hand is used to endorse various forms of torture against people because it's unclear if they are prisoners of war or not.

      The US has to decide - either it's at war, and thus the prisoners it holds have the rights of prisoners of war (and, come on, just show some god-damn humanity too), or it's not in which case why is it bombing another country including its civilians? And if that country attacks back, surely that's just an act of war too and nothing that can be condemned? Listen carefully - they have a "war on terror" and even that phrasing has been phased out. You can't be "at war" with a concept rather than a particular country. And if you are "at war" with someone then pretty much any act they perform against your military and (if the US is playing the same game) your citizens is fair game.

      The US has much, much bigger problems to worry about than a few hackers, and should be disgusted with itself. Land of the free? Only if you're not foreign-looking, only within the bounds of the US borders (so we'll take you to a foreign country where you don't have those rights), only if you can prove you've never done anything wrong despite never being given a trial. Home of the brave? How much courage does it take to beat, torture and humiliate a captured prisoner? The US doesn't care and even claims that things like an American "Internet kill-switch" would be at all useful in an *international* network - sever routes to the US (just in case their "kill switch" means active attacks against peers) and everyone else carries on as normal. All it could/would ever do is censor the US population.

      To be honest, if the US military *is* seriously worried about such things as cyber-warfare over the Internet, then they really don't know how to design a military system.

    2. Re:"Warfare" falls under the Geneva Convention by BLKMGK · · Score: 2, Informative

      It's not the military systems that are at risk with regards to "warfare" but rather the industrial systems that are public and supply things like water, electricity, and sanitation.

      --
      Build it, Drive it, Improve it! Hybridz.org
  10. And now fantasy by sakdoctor · · Score: 4, Funny

    Security is best outsourced entirely to a company with a metal effect logo and lots of padlocks on their website.
    The most important aspect of security is the visualisation shown to the end user.
    All workstations should be protected by at least a green spinning cube.
    Voice recognition or hand print scanners are the way forward.
    Light your server room from above very slow spinning fan blades.
    Factor in around one henchman in black, per 100 servers.
    Have web access to all critical systems. input[type="password"]{ font-size:1000%; }
    Have a physical self-destruct (as in a bomb), to destroy all your unencrypted data, if you simply get overwhelmed by Russian hackers in quasi-futuristic clothing.

  11. Long article is long by divinewind · · Score: 2, Insightful

    The article itself is a very good read eh. (Which is probably why there are not that many comments here yet (RTA FTW).) It focuses mostly on the war/espionage aspects and has very few mentions of privacy and such, downplaying it rather well. The interesting thing I learnt is that the NSA is pretty messed, [the article saying they] want security but they would rather know everything about everyone. In all, it's probably all hype eh. Sure there are implications of damage war can be brought, but as the article sometimes pointed out, it's hard to distinguish from economic spying and military espionage. In any case, the best thing that can happen (for me) is if America does decide to go ahead and give the NSA even more power they seek. When everyone is under the eye of Big Brother, there should be war. Which is fun eh. If there is no war, America would be a sucky place to live in. Canada would probably be bullied into doing the same thing, so my place would be messed too. Heh... but in all this, I find that I am really anxious for that to happen. I really want to forget everything, take out a few guns, and go out guns ablazing. Like that dude in V for Vendetta. Yarr.

  12. Re:Warfare? by MaWeiTao · · Score: 2, Interesting

    China is looking for dominance on every level. I'm convinced they want to be the next superpower. Certainly, focusing on economic might is at the forefront. China isn't shoveling an ever increasing amount of money into military spending for fun. In pretty much every area you can think of (technology, space, banking or infrastructure) they're heavily invested. If they were interested in only economic might they would be taking Japan's approach, but obviously that's not their intent.

    China is likely not intending to invade at some point. But they're very pragmatic and extremely ambitious. And like it or not, a strong China is not necessarily a good thing for America because obviously they're only looking out for themselves.

  13. Re:Warfare? by mcgrew · · Score: 4, Insightful

    Wow. I thought the US was supposed to be "cowboy country" and so violent. When two tornadoes tore through my town the power was out citywide overnight, and took a week to get back online in many neighborhoods (including mine). Nobody rioted, despite stores being closed for several days (and many stores for a month, as the buildings were badly damaged). I ran out of cat food; one open store that was without electricity was using an old-fashioned credit card reader that relied on carbon paper.

    Hell, as chronicled in the linked journal, damaged bars were open the next day, with folks drinking by candle light.

    They didn't even riot during Katrina.

  14. Re:Warfare? by jgtg32a · · Score: 2, Interesting

    I can't explain it very well, but the reason China buys so much debt is because it is part of their currency control. Basically by buying debt that temporarily removes their currency from the market, which allows them to print a lot of money but avoid that pesky inflation business. I think that's about right.

  15. Re:Warfare? by Zerth · · Score: 2, Interesting

    Seriously, a couple thousand dead from this is zilch. You want real scary? Use that "technological prowess" to screw up food transport from rural areas to cities for a month. Or just use the trillion dollars we owe them to corner the agricultural futures market for a month.

    Something like 200 million Americans live in cities and after a month of no or little supply most would either be dead or cannibals.

    That's scary.

  16. I enjoy by nimbius · · Score: 2, Insightful

    how all these articles focus mostly on China. If this were 45 years ago, you could replace China with Soviet Union, and cyber warfare with nuclear holocaust. In my opinion this just goes to show how generally targeted and short-sighted most American foreign policy really is. There is always something new to fear, new to hate.

    --
    Good people go to bed earlier.
  17. Re:Ya well I'm going to have to file that as fanta by _Sprocket_ · · Score: 2, Insightful

    Whoa. Wait a second. You mean we've been complaining all this time about shallow sound-bite and press-release "reporting" and then they slip in a REAL reporter? With an in-depth story? That requires... reading the whole thing?!