Slashdot Mirror


Cyber War Mass Hysteria Is Hindering Security

jhernik writes "International cyber threat initiatives are in danger of becoming overblown, the US government's security chief told the RSA Conference in San Francisco. 'Cyber war is a terrible metaphor,' said the US government's cybersecurity czar Howard Schmidt. 'Don't make it something it's not.' Internet attacks from hackers, spies and terrorist groups deserve serious attention, he said, but this should not be 'to the extent of mass hysteria.'"

23 of 75 comments

  1. He's right but... by Anonymous Coward · · Score: 5, Insightful

    How is this any different from The War on Drugs, The War on ChildPorn, The War on Terror??

    One way...

    American businesses lose money if there is mass hysteria & people use the internet less.
    There was no downside to the mass hysteria on The Wars on Things except for the truth
    being lost in the FUD.

    1. Re:He's right but... by Anne_Nonymous · · Score: 5, Funny

      What we need right about now is a War on War, man!

      [flashes a peace sign, rolls a doobie, doesn't trim pubic hair]

    2. Re:He's right but... by HeckRuler · · Score: 4, Insightful

      There was no downside to the mass hysteria on The Wars on Things

      Buuwha!? I'm sorry, have you been under a rock or something?
      The mass hysteria over the war on drugs made the USA have one of the highest incarcerations per capita in the world.
      The mass hysteria over the war on childporn has given oppressive assholes the shoehorn to wantonly take over 85,000 websites. By accident.
      The mass hysteria over the war on terror has made flying a sexually abusive experience, and let Bush invade two nations, and arguably led to hundreds of thousands of deaths.

      But oh hey, CORPUSA didn't lose their profit margins, so it must not be all that bad.

  2. Don't you mean... by BlackLungPop · · Score: 5, Funny

    "Cyberhysteria"?

  3. cyber cyber everywhere by Ancantus · · Score: 5, Funny

    Quote from TFA

    “Cyber war is a terrible metaphor,” said the US government’s cybersecurity czar Howard Schmidt.

    It seems like 'Cyber War' is a terrible metaphor, but 'cybersecurity czar' is perfectly acceptable for eWeek

    --
    Violence is the last refuge of the incompetent. -- Isaac Asimov
    1. Re:cyber cyber everywhere by Ancantus · · Score: 2

      When war with the cyborgs comes (and it will) what will we call it?

      Watson's Gentleman's Dispute

      --
      Violence is the last refuge of the incompetent. -- Isaac Asimov
    2. Re:cyber cyber everywhere by decipher_saint · · Score: 3, Funny

      Watson's Gentleman's Dispute

      The only defense is a clone army of Alex Trebeks armed with one word answers.

      I shall hide in the American city of Toronto!

      --
      crazy dynamite monkey
  4. No Hyperbole? by Cornwallis · · Score: 2

    'Don't make it something it's not.' Internet attacks from hackers, spies and terrorist groups deserve serious attention, he said, but this should not be 'to the extent of mass hysteria'.

    Then how the hell do they expect to get and keep their bloated budgets?

  5. Cyberwar tends to be a misnomer by mlts · · Score: 3, Informative

    An intrusion attempt is an intrusion attempt, be it by a dedicated tiger team doing a pen test, some guy living in Elbonia testing his skillz, an enemy country with their intel arm probing for weaknesses, or a criminal organization looking for organizations with their fly open to use as staging points for botnet C&C servers.

    An attack is an attack, and an exploit check is an exploit check. Who is doing it matters less than handling it, be it someone checking if the ssh daemon is buggy, or someone calling the front desk pretending to be the CEO and demanding a password.

    Ideally, people need to not focus on *who* is doing the attacks as the primary concern, but the attacks themselves.

    Since there is no good definition of a cyberwar, if one defines it as a country's military or intel forces attacking another site to find a way in, it can be said that there are plenty of cyberwars going on around the globe with almost every country going against everyone else.

  6. Re:No, he's not. by 0123456 · · Score: 2

    You can take the internet down with a small botnet (yes 250k zombies is small). http://www.zdnet.com/blog/networking/how-to-crash-the-internet/680

    You presumably missed the mass debunking of that claim a few days ago?

  7. Schneier and McConnell yesterday by adenied · · Score: 4, Funny

    I was there for the Schneier / McConnell / Chertoff panel yesterday, mostly for the lulz and got some. Perhaps the best part was when Mike McConnell (former Director NSA and Director of National Intelligence) told Bruce Schneier that he was as big a supporter of privacy as anyone else, even him. The look on Schneier's face was priceless.

  8. Think of the chiiiiiiiildren! by Drakkenmensch · · Score: 3, Insightful

    But but but... without mass hysteria, how are we going to divert economic assistance to the poor into funding government initiatives aimed at revoking civil liberties?!?

  9. I'm quite surprised... by nickserv · · Score: 2

    ...to hear a government official basically saying "calm down already." No need to worry though Mr. Schmidt, the tech community can generally think for itself when determining cyber threats and the merits of related initiatives. We're certainly not waiting for the government to tell us how, when or why to secure our systems. You get your information from us, not the other way around. "Mass hysteria" is reserved for those who give up their rights (TSA, Patriot Act, repeal of the Posse Comitatus Act, etc...) and rally behind a buffoon as soon as the corporate puppets in the US government fire up their fear mongering engines. Got to love the irony of it though. A government official uses fear mongering to quell the fear mongering from the establishment that stands to profit most from a "cyber war." The military industrial complex was bound to incorporate the tech industry one day, I just hadn't realized that day had arrived. Greed, then religion, is the root of all evil. Now go and see Zeitgeist Moving Forward.

    --
    Less *is* more.
  10. Re:Sheez man, get with the plot. by camperdave · · Score: 3, Insightful

    Mass hysteria doesn't work in cyberspace. Mass hysteria only works on unwashed masses, not on a hacker culture with a long history of circumventing barriers, especially artificially imposed barriers. In cyberspace, everyone can hear you scream, so you have to be subtle. A deep packet inspection here, a closed port there. If you go off darking fiber willy-nilly, you'll awaken the wrath of the hackers on their home turf. You won't know what hit you.

    --
    When our name is on the back of your car, we're behind you all the way!
  11. Mod parent up. It's about the money. by khasim · · Score: 3, Interesting

    First off, this "war" has yet to result in a single death of an otherwise healthy adult at home. So calling it a "war" is incorrect.

    Secondly, from TFA:

    Lynn claimed that spy agencies have gained access to weapons system designs and other military plans, source codes and intellectual property from businesses and universities.

    Exactly as spies have done for the last 2,000+ years.

    Schneier’s fear is that we are on the verge of an IT arms race. “We haven’t seen offensive cyber weapons companies, but they are coming,” he said. “Big defence contractors are working on this – you know they would be dumb not to.”

    I'm going to disagree with Bruce on this one. At least until he further defines "offensive cyber weapons". Again, not a single, healthy adult has been killed at home because of any "cyber attack" by someone using a "cyber weapon".

    The real problem is that so few organizations pay attention to basic security practices. Just look at HBGary.

  12. That's easy. by khasim · · Score: 3, Informative

    Protection requires 10% of ISP's to adopt a routing policy change. Let me know when that's done, ok?

    It would be done within 24 hours of such an attack actually succeeding. More likely within an hour.

    That's the core problem with all of these "disaster" scenarios.

    They depend 100% on all-of-the-interested-parties doing nothing at all to resolve or mitigate the problem(s) during / after an attack.

    There are lots of idiots out there who would not be able to fix their systems. But there are also a lot of smart people who know how to fix the problem but just haven't gotten management to buy off on it yet. That will change when there is a real problem.

  13. We should abolish those ignorant politicians! by sageres · · Score: 2

    This goes to show you that people with a limited understanding of computer network technology should not make, set or comment on the computer security public policy. That's how we wind up with guys being dragged away by Secret Service and after being five years in jail and finally released are not even allowed to use a phone, because a bunch of idiots on the hill who think that Internet is a collection of "tubes" and network security amounts to the video-game 3d-flight from the popular hacker movies... these guys are writing the laws that hinder the true growth and potential of the computer innovation and IT industry in general.

  14. Again... capability based security can fix this... by ka9dgx · · Score: 2

    If we took even a fraction of the "cyber" defense spending that's being spent everywhere (on firewalls, virus scanners, spam filters, etc), and put it into a practical, usable, cabsec (capability based security) system we could FIX this problem.

    Capability based security is simple in concept.... provide a program, and a list of capabilities (such as read-access to a config file, read-write access to a sandbox directory, read/write access to the internet) to the operating system. The operating system then enforces security so that NO MATTER WHAT, the program can't access any other files or devices.

    If each of the system services is properly configured, and the user is provided with the tools that make it trivial to sandbox an application, then they can run code without ever having to trust it. This makes virus-scanning obsolete.

    This is a default deny strategy, the opposite of what we have in place now. If it's not explicitly permitted, it CAN'T happen.

  15. Re:Again... capability based security can fix this by jeff4747 · · Score: 2

    The operating system then enforces security so that NO MATTER WHAT

    This is where your plan falls completely apart.

    The way you come up with good defense is not to only figure out how it should be done. When in that mindset, we only think about how stuff should work and we easily gloss over the vulnerable parts - we're only thinking about the correct path through the system.

    In addition, you need to not consider the difficulty in breaking your design. Because there's somebody out there with the knowledge and funding to do something you think is 'way too hard'. If it doesn't violate the laws of physics, it will be done.

    Your solution relies on hardware and software that was developed by error-prone humans that works "NO MATTER WHAT". That doesn't happen. Ever.

  16. This country is headed for a disaster.... by RevWaldo · · Score: 2

    - This country is headed for a disaster of cyberpunk proportions.
    - What do you mean, "cyberpunk"?
    - What he means is Neuromancer, Mr. President, real Philip K. Dick type stuff.
    - Exactly.
    - Satellites falling down from the skies! Neurotransmitters boiling!
    - Forty-eight hours of darkness! Gray goo, anarchocapitalism...
    - Zippies rising from the grave!
    - Linguistic hacking, AIs and ghosts merging together... mass hysteria!
    - All right, all right! I get the point!



  17. Re:Again... capability based security can fix this by ka9dgx · · Score: 2

    A trusted, proven microkernel is the only part of a system that one should have to worry about.

    The way we currently do it is to trust huge swaths of code with the integrity of everything. That will never work.

  18. Re:Again... capability based security can fix this by ka9dgx · · Score: 2

    You're right... you can't fix stupid.

    A different analogy might help here.

    The current default permissive systems are equivalent to handing over your wallet to the cashier at the checkout counter, and hoping they will only take the right amount of money, and not use your info to sell your house before you get home. When you run a program, it can do anything you can do.

    Granny is a lot smarter than you give her credit for, she knows not to hand her purse to the checkout person at the store. She only hands over the appropriate instrument of payment instead of everything. If the system is properly designed with good UI affordances, it should be very obvious when you're handing that kind of power over to something, instead of just letting it run in a sandbox.

    However, if Granny does the right thing most of the time, the population of compromised machines would be far lower than today's levels... if you make targets harder to get, and fewer, then botnets get to be much tougher to run, etc.

    It's worth trying, isn't it?

  19. Re:Again... capability based security can fix this by ka9dgx · · Score: 2

    Thanks for sticking with this thread, I think it's important to work out a way to express this better so more people can grok cabsec.

    Capability based security isn't perfect. Would it be fair to say it's a better system?

    The purpose of an operating system is to fairly and securely share the resources of the computer. If the programs running get direct access to hardware without the ability of the OS to manage it, the OS isn't really doing its job... it's more of a program loader (think MS-DOS). Thus the OS should always manage things like network connections, disks, memory, CPU, etc. This is why programs go through the operating system to access the internet.

    Here's another way of looking at it.

    When you configure a firewall, one of the first rules you put in is default deny. This makes management practical. Instead of blocking threats as you become aware of them, you start with a list of protocols you support, and specify the rules for each.

    The current way we do things is like subscribing to a service that lists known bad IP addresses, and ports, then adding each of those as a block rule to our firewall, on an ongoing basis. The rule lists would get very large, very quickly. The firewall performance would plummet.

    Additionally, the firewall would not protect against a new hostile host until it was detected, investigated, confirmed to be bad, then put into the service's list of bad hosts, then propagated through to the firewall. During this time you're vulnerable to threats from that host.

    Delays enumerating bad are always more costly than delays enumerating good, in terms of security.

    A capability based system is like that default-deny rule in the firewall. The program can only modify the files, folders, networked resources, that are provided to it, assuming write access is part of that provision. A really strict system would even limit the CPU clock cycle rate and/or count... to prevent system hogging.

    Would you agree that this is a much saner way to do things?
    Thanks for your time and attention.
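
Added example, not part of the thread or any poster's code: a small Python model of the default-deny grant check described in the capability-security comments above, set beside an "enumerate the bad" blocklist. The `Grant` and `Sandbox` names, the paths and the blocklist entries are constructed for illustration, and matching is lexical only (a real enforcer would also have to resolve symlinks inside the OS).

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    path: str              # file or directory handed to the program
    write: bool = False    # read-only unless stated
    subtree: bool = False  # True: covers everything below a directory

class Sandbox:
    """Default deny: a request succeeds only if some grant covers it."""
    def __init__(self, grants):
        self.grants = [Grant(posixpath.normpath(g.path), g.write, g.subtree)
                       for g in grants]

    def allowed(self, path, write=False):
        if not path.startswith("/"):
            return False                   # relative path: no grant can match
        target = posixpath.normpath(path)  # collapse ".." (lexical, no symlinks)
        for g in self.grants:
            inside = g.subtree and target.startswith(g.path.rstrip("/") + "/")
            if (target == g.path or inside) and (g.write or not write):
                return True
        return False                       # not explicitly permitted

# Constructed "enumerate the bad" policy for contrast: deny only listed paths.
KNOWN_BAD = {"/etc/passwd", "/etc/shadow"}

def blocklist_allowed(path, write=False):
    return posixpath.normpath(path) not in KNOWN_BAD

# Constructed grants, following the comment's example list of capabilities.
GRANTS = [Grant("/etc/app.conf"),
          Grant("/var/sandbox", write=True, subtree=True)]

# Constructed requests: (path, wants_write)
REQUESTS = [("/etc/app.conf", False), ("/etc/app.conf", True),
            ("/var/sandbox/out.txt", True),
            ("/var/sandbox/../../etc/passwd", False),
            ("/var/sandbox-old/data", True),
            ("/home/user/.ssh/id_rsa", False)]

def compare(requests=REQUESTS):
    """Return (path, write, default_deny_result, blocklist_result) rows."""
    box = Sandbox(GRANTS)
    return [(p, w, box.allowed(p, w), blocklist_allowed(p, w)) for p, w in requests]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The blocklist lets through every request it has no entry for, including the write to the read-only config file and the read of the SSH key, while the grant list refuses anything it was not told to permit.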