Slashdot Mirror
Cyber War Mass Hysteria Is Hindering Security
jhernik writes "International cyber threat initiatives are in danger of becoming overblown, the US government's security chief told the RSA Conference in San Francisco. 'Cyber war is a terrible metaphor,' said the US government's cybersecurity czar Howard Schmidt. 'Don't make it something it's not.' Internet attacks from hackers, spies and terrorist groups deserves serious attention, he said, but this should not be 'to the extent of mass hysteria.'"
How is this any different from The War on Drugs, The War on ChildPorn, The War on Terror??
One way...
American businesses lose money if there is mass hysteria & people use the internet less.
There was no downside to the mass hysteria on The Wars on Things except for the truth
being lost in the FUD.
"Cyberhysteria"?
Quote from TFA
” Cyber war is a terrible metaphor,” said the US government’s cybersecurity czar Howard Schmidt.
It seems like 'Cyber War' is a terrible metaphor, but 'cybersecurity czar' is perfectly acceptable for eWeek
Violence is the last refuge of the incompetent. -- Isaac Asimov
The US Government thinks Cyber war is a stupid term now too?! Quick, everyone switch positions!! ;)
You can take the internet down with a small botnet (yes 250k zombies is small). http://www.zdnet.com/blog/networking/how-to-crash-the-internet/680
So, when it happens it's just a bad day, right?
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
'Don't make it something it's not.' Internet attacks from hackers, spies and terrorist groups deserves serious attention, he said, but this should not be 'to the extent of mass hysteria'.
Then how the hell do they expect to get and keep their bloated budgets?
Wait for this guy to be told to STFU; If you don't have mass hysteria how can you have a mass clampdown?
"Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
An intrusion attempt is an intrusion attempt, be it by a dedicated tiger team doing a pen test, some guy living in Elbonia testing his skillz, an enemy country with their intel arm probing for weaknesses, a criminal organization looking for organizations with their fly open to use as staging points for botnet C&C servers.
An attack is an attack, and an exploit check is an exploit check. Who is doing it matters less than handling it, be it someone checking if the ssh daemon is buggy, or someone calling the front desk pretending to be the CEO and demanding a password.
Ideally, people need to not focus on *who* is doing the attacks as the primary concern, but the attacks themselves.
Since there is no good definition of a cyberwar, if one defines it as a country's military or intel forces attacking another site to find a way in, it can be said that there are plenty of cyberwars going on around the globe with almost every country going against everyone else.
Since Howard Schmidt is a University of Phoenix graduate, I trust everything this guy says.
If you want news from today, you have to come back tomorrow.
I was there for the Schneier / McConnell / Chertoff panel yesterday, mostly for the lulz and got some. Perhaps the best part was when Mike McConnell (former Director NSA and Director of National Intelligence) told Bruce Schneier that he was as big a supporter of privacy as anyone else, even him. The look on Schneier's face was priceless.
But but but... without mass hysteria, how are we going to divert economic assistance to the poor into funding government initiative aimed at revoking civil liberties?!?
Mass hysteria is dogs and cats, LIVING TOGETHER!
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
...to hear a government official basically saying "calm down already." No need to worry though Mr. Schmidt, the tech community can generally think for itself when determining cyber threats and the merits of related initiatives. We're certainly not waiting for the government to tell us how, when or why to secure our systems. You get your information from us, not the other way around. "Mass hysteria" is reserved for those who give up their rights (TSA, Patriot Act, repeal of the Posse Comitatus Act, etc...) and rally behind a buffoon as soon as the corporate puppets in the US government fire up their fear mongering engines. Got to love the irony of it though. A government official uses fear mongering to quell the fear mongering from the establishment that stands to profit most from a "cyber war." The military industrial complex was bound to incorporate the tech industry one day, I just I hadn't realized that day had arrived. Greed, then religion, is the root of all evil. Now go and see Zeitgeist Moving Forward.
Less *is* more.
The Stuxnet attack seems to have worked as well as or better than an airstrike. Call it what you will, it was something pretty damn close to a an act of war.
First off, this "war" has yet to result in a single death of an otherwise healthy adult at home. So calling it a "war" is incorrect.
Secondly, from TFA:
Exactly as spies have done for the last 2,000+ years.
I'm going to disagree with Bruce on this one. At least until he further defines "offensive cyber weapons". Again, not a single, healthy adult has been killed at home because of any "cyber attack" by someone using a "cyber weapon".
The real problem is that so few organizations pay attention to basic security practices. Just look at HBGary.
It would be done within 24 hours of such an attack actually succeeding. More likely within an hour.
That's the core problem with all of these "disaster" scenarios.
They depend 100% on all-of-the-interested-parties doing nothing at all to resolve or mitigate the problem(s) during / after an attack.
There are lots of idiots out there who would not be able to fix their systems. But there are also a lot of smart people who know how to fix the problem but just haven't gotten management to buy off on it yet. That will change when there is a real problem.
This goes to show you that people with a limited understanding of computer network technology should not make, set or comment on the computer security public policy. That's how we wind up with guys being dragged away by Secret Service and after being five years in jail and finally released are not even allowed to use a phone, because a bunch of idiots on the hill who think that Internet is a collection of "tubes" and network security amounts to the video-game 3d-flight from the popular hacker movies.. these guys are writing the laws that hinder the true grows and potential of the computer innovation and IT industry in general.
If we took even a fraction of the "cyber" defense spending that's being spent everywhere (on firewalls, virus scanners, spam filters, etc), and put it into a practical, usable, cabsec (capability based security) system we could FIX this problem.
Capability based security is simple in concept.... provide a program, and a list of capabilities (such as read-access to a config file, read-write access to a sandbox directory, read/write access to the internet) to the operating system. The operating system then enforces security so that NO MATTER WHAT, the program can't access any other files or devices.
If each of the system services is properly configured, and the user is provided with the tools that make it trivial to sandbox an application, then they can run code without ever having to trust it. This makes virus-scanning obsolete.
This is a default deny strategy, the opposite of what we have in place now. If it's not explicitly permitted, it CAN'T happen.
This is where your plan falls completely apart.
The way you come up with good defense is not to only figure out how it should be done. When in that mindset, we only think about how stuff should work and we easily gloss over the vulnerable parts - we're only thinking about the correct path through the system.
In addition, you need to not consider the difficulty in breaking your design. Because there's somebody out there with the knowledge and funding to do something you think is 'way too hard'. If it doesn't violate the laws of physics, it will be done.
Your solution relies on hardware and software that was developed by error-prone humans that works "NO MATTER WHAT". That doesn't happen. Ever.
- This country is headed for a disaster of cyberpunk proportions.
- What do you mean, "cyberpunk"?
- What he means is Neuromancer, Mr. President, real Philip K. Dick type stuff.
- Exactly.
- Satellites falling down from the skies! Neurotransmitters boiling!
- Forty-eight hours of darkness! Gray goo, anarchocapitalism...
- Zippies rising from the grave!
- Linguistic hacking, AIs and ghosts merging together... mass hysteria!
- All right, all right! I get the point!
.
Prisencolinensinainciusol. Ol Rait!
"When computer crime is outlawed, only outlaws will have computers!"
Line 'em up against the walls guys, line 'em up.
First the goobernment overblows the term Cyber war to get more funding, and now they want to tone it down? Does that mean they finally got enough of our money or did they find some other controllable threat to append the word "war" to, to maintain the profitable hysteria? Cause 9/11 changed everything, Brian! 9/11 changed EVERYTHING!
I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
I guess he's saying that those warrant mass hysteria? That's what they're inciting, at any rate...
A trusted, proven microkernel is the only part of a system that one should have to worry about.
The way we currently do it is to trust huge swaths of code with the integrity of everything. That will never work.
Yes, but who administers such a thing?
The problem is that by putting computers in the hands of people that by definition cannot administer a complex system we have to have systems that do not need any administration. Combining this with the ability of the user to add software to the configuration is a disaster for security - the user has no clue what the software they are adding might be doing.
There are two possible solutions to this, neither of which is anyone moving towards. The first is the "App Store" model where the computer is completely locked down except for adding applications purchased through a single App Store where everything is checked, validated and secured. The other approach is that what 99% of the people with computers actually need is a "Web Appliance" that is totally locked down - no ability to add software. I suppose there is a third way where everyone with a computer is paying a service which administers their computer(s), doing things like installing software and configuration changes.
Any of these would work but both would infringe upon the rights of Russian business people to make money from the vast network of unadministered computers. It would also make it extremely difficult to reap vast amounts of money from ad networks because anyone with half a brain would block all ads from ever appearing on computers they were administering.
The end of this is that no such changes are going to take place We will always have insecure computers of which half are controlled by someone other than the putative "owner".
I think administration would be fairly simple for such a system. Instead of "installing" programs, which then entwine themselves into the OS, you would simply drop them into a folder. When you wanted to use them, one reasonable default would be that they could only operate in their own folder.
The idea of trusting code to do what it says on the Tin is the big problem here... not the user. If the user has a system that makes everything inherently sandboxed off from everything else, they have a very good shot at not fouling things up. This is especially true if it's obvious and transparent when you have to drag and drop access to the system folder into a task... if the normal experience never required that, they would know its dangerous.
The users aren't as stupid or foolish as a lot of techs believe.
So if I want to download a file for one app, then use it with another, I have to download it again? If you make it easy to change the defaults for convenience, that's what will happen. If you make it annoying (like with win7), people use something else.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
No, you wouldn't have to download it again, you just give one access (as required to do the job) to the other. I think all of this could be done in a very open, transparent, consistent, and friendly way.
And then grandma still downloads the "awesome screensaver" and clicks whatever warning popups come up telling her that the screensaver will do horrible things because "she wants to see the cute kittens". You can't use technology to fix stupidity.
Because that microkernel runs on magic pixie dust, not hardware with it's own vulnerabilities.
I don't think there is any Mass Hysteria. The masses don't care about this.
It's not perfect, and there is no pixie dust, just different underlying design choices.
Having a micro-kernel which is mathematically proven to do what it says is a big step forward.
Having ONLY the micro-kernel run in protected mode, and be the only thing you MUST trust reduces the attack surface by multiple orders of magnitude/
Limiting explicitly the capabilities of a given task makes side channel attacks involving things outside those capabilities impossible. For example, a disk driver doesn't ever have to get access to the network, does it? This prevents the drivers from secretly sending info out on the internet.
It's not a perfect system, but if you can limit the number of bugs which can possibly take out the OS to a few instead of thousands, isn't it a major step in the right direction?
You're right... you can't fix stupid.
A different analogy might help here.
The current default permissive systems are equivalent to handing over your wallet to the cashier at the checkout counter, and hoping they will only take the right amount of money, and not use your info to sell your house before you get home. When you run a program, it can do anything you can do.
Granny is a lot smarter than you give her credit for, she knows not to hand her purse to the checkout person at the store. She only hands over the appropriate instrument of payment instead of everything. If the system is properly designed with good UI affordances, it should be very obvious when you're handing that kind of power over to something, instead of just letting it run in a sandbox.
However, if Granny does the right thing most of the time, the population of compromised machines would be far lower than today's levels... if you make targets harder to get, and fewer, then botnets get to be much tougher to run, etc.
It's worth trying, isn't it?
My girlfriend missing her pill causes me mass hysteria, cyber-warfare does not cause mas hysteria
Why do I need to go through the operating system to access the Internet?
Sure, it's the most convenient way. But the NIC doesn't care if there's an operating system.
Then perhaps you shouldn't suggest it as the perfect system?
Hysteria?
America?
Why, that would be totally uncharacteristic. Everybody knows the American public is a collection of calm, rational, stoic people who would never be swayed by hyperbolic fearmongering into a harmfully disproportionate response to a real or perceived threat.
That noise? Oh, that was just the sound of a million sarcasm meters exploding at once...
Thanks for sticking with this thread, I think its important to work out a way to express this better so more people can grok cabsec.
Capability based security isn't perfect. Would it be fair to say it's a better system?
The purpose of an operating system is to fairly and securely share the resources of the computer. If the programs running get direct access to hardware without the ability of the OS to manage it, the OS isn't really doing its job... it's more of a program loader (think MS-DOS). Thus the OS should always manage things like network connections, disks, memory, CPU, etc.This is why programs go through the operating system to access the internet.
Here's another way of looking at it.
When you configure a firewall, one of the first rules you put in is default deny. This makes management practical. Instead of blocking threats as you become aware of them, you start with a list of protocols you support, and specify the rules for each.
The current way we do things is like subscribing to a service that lists known bad IP addresses, and ports, then adding each of those as a block rule to our firewall, on an ongoing basis. The rule lists would get very large, very quickly. The firewall performance would plummet.
Additionally, the firewall would not protect against a new hostile host until it was detected, investigated, confirmed to be bad, then put into the services list of bad hosts, then propagated through to the firewall. During this time you're vulnerable to threats from that host.
Delays enumerating bad are always more costly than delays enumerating good, in terms of security.
A capability based system is like that default-deny rule in the firewall. The program can only modify the files, folders, networked resources, that are provided to it, assuming write access is part of that provision. A really strict system would even limit the CPU clock cycle rate and/or count... to prevent system hogging.
Would you agree that this is a much saner way to do things?
Thanks for your time and attention.