Obama's Portrait of Cyberwar Isn't Complete Hyperbole
pigrabbitbear writes "It's hard to imagine what cyberwarfare actually looks like. Is it like regular warfare, where two sides armed with arsenals of deadly weapons open fire on each other and hope for total destruction? What do they fire instead of bullets? Packets of information? Do people die? Or is it not violent at all — just a bunch of geeks in uniforms playing tricks on each other with sneaky code? Barack Obama would like to clear up this question, thank you very much. In an op-ed published in the Wall Street Journal the president voiced his support for the Cybersecurity Act of 2012 now being considered by the Senate with the help of a truly frightening hypothetical: 'Across the country trains had derailed, including one carrying industrial chemicals that exploded into a toxic cloud,' Obama wrote, describing a nightmare scenario of a cyber attack. 'Water treatment plants in several states had shut down, contaminating drinking water and causing Americans to fall ill.' All because of hackers!"
...and I can't say that about his predecessor.
I keep wondering who will be responsible for cleaning up the thousands or millions of PCs that get infected (or re-infected) years after a "cyber" war is over. I have never heard an answer to that.
Obama's Portrait of Cyberwar Isn't Complete Hyperbole
No, it's only 99.8% hyperbole. Someone has calculated the half-life of the current set of "crises", and decided that we need another urgent problem to address.
To ensure perfect aim, shoot first and call whatever you hit the target
I think it would be an excellent idea to harden our infrastructure and make our social and political systems for responding to change more resilient. That does not mean that spinning tales of disaster that can only be averted through legislation is anything other than hyperbole, though. I have yet to see anything about this cybersecurity bill that does not involve centralization (reducing resilience) or regulation (reducing diversity and thus making attacks more effective because more widespread), and so far nothing that really looks like it would actually harden our information infrastructure in any meaningful way.
-- Two men say they're Jesus. One of them must be wrong. - Dire Straits
I have an answer . . . MyCleanPC!!!1! I just installed it on my PC and I'm re++--_#*$NO CARRIER
Bankers have already pulled off a caper far worse than the unlikely scenario described here. Obama can direct his justice department to hold these bankers responsible under laws that already exist. How serious can he be about protecting America when he refuses to prosecute criminals who have damaged our national security so thoroughly?
Give me Classic Slashdot or give me death!
In the '80s the United States sent oil pipeline controls with a trojan in it to the Soviet Union....it's not far fetched.
"Obama does a good job of facilitating thinking..."
And I can't say that. At all. I'd be lying.
This is nothing but fear-mongering to sucker people into increasing the power of the federal gov't. "Oh but it won't be used in that way"... since when has that EVER been true?
"It's time to strengthen our defenses against this growing danger" is how the op-ed ends. I agree. I would assume that most would also agree as well.
The challenge of course is agreeing on what "strengthen our defenses" means. To me it means disconnecting critical systems from the Internet. Yes, that means that it will take more people to operate those systems and it means less centralization. These things will make it cost more; but security has always had (and will always have) a cost in terms of money / resources and convenience. In the case of critical infrastructure, these costs are worth it.
and I can't say that about his predecessor.
His predecessor invoked much thinking as well; however, much of it was prefixed or suffixed with "wtf?", "lol" and "lmao"
Join the Slashcott! Feb 10 thru Feb 17!
I can't say that I agree with his content, but Obama does get Joe SixPack to realize that power plants and train switches can be inadvertently connected to the internet (and to wonder what else is connected.) Hyperbole it is, but it's useful for the non-specialist.
A straightforward set of solutions to some of these potential problems:
- A human being with a brain is left still ultimately responsible for the operation of trains, planes, etc... "the computer gone haywire" scenario becomes one of inconvenience and slow-downs vs. disaster and death
- Double checking of automated processes... the treatment plant is not a "set and forget" operation, humans should be monitoring the quality of the drinking water and the output of the treatment plants using manual devices--these are double checks for any automatic monitoring
- Disconnect critical systems from public (and sometimes even private) networks. There is no reason to allow remote operation of many of these plants and facilities, so that's first and foremost (if it doesn't NEED to be remote controlled, then don't allow it). Second, for many of these systems simply making sure that they are connected only to secure and private networks would do wonders for preventing outside hacking, and while you're at it eliminate gateways between public and private networks.
At the end of the day it comes down to the human factor. Keep humans located at the equipment, and properly trained in its operation (and recognition of malfunction) and these disasters will be easily averted.
Stuxnet is one example of what is possible. Stuxnet however was designed to be highly targeted and controlled. Most security experts believe it was designed against Iran's nuclear program. It also was designed to delete itself after a while. Yet this highly focused attack was able to damage an estimated 1100 centrifuges. Imagine what an indiscriminate attack would do.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Yeah, look what a disaster that Y2K thing turned out to be.
How much effort went into preventing it?
I wrote a memo in the early 90s telling management that they should develop a policy of fixing YY code any time a program came up for a bug fix.
Of course they didn't listen. Thank all the gods, I was gone before the panic set in.
Sheesh, evil *and* a jerk. -- Jade
Y2K wasn't a disaster because a lot of people put in a lot of effort to prevent it from being one. I put in hundreds of hours on it, and I was just one average systems guy in one IT department.
Yep, let's ignore the millions of dollars spent on prevention and just focus on the fact that nothing bad happened. That's like if they upgraded the levees 2 months before Katrina and then flooding didn't happen and everyone said "what a waste of money those levees were!".
Obama does a good job of scaring the shit out of people and saying, "Let the government be the solution. Let us spy on your web habits via your ISP, and your cellphone via tracking. And oh yeah, we've decided to expand the TSA's mission to bus stops, train stations, along highways, and at public facilities like malls and hotels."
In that respect he's a hell-of-lot-smarter than George "duh" Bush but ultimately it's the same fucked-up destination. Let both the (D) and (R) president burn in hell.
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
1. Give them 2 years to hire or retain by contract people who can repair or do maintenance on site.
2. Make it a class six felony to knowingly connect an industrial system to the public internet for any reason other than an exigent circumstance for which a reasonable practitioner would not regard the on-site staff as capable of handling or for which there is insufficient time to fly out a practitioner capable of performing the work.
3. In the event of loss to limb or property, make treble damages built-in to the civil site.
4. In the event of loss of life, make elevation to felony murder mandatory with execution mandatory for all parties involved in the event that the death toll goes beyond a few people.
That's how you wake them up and institute change post haste.
I work for a company that does networking for many railroads, and on every project that we've done the entire train control network is isolated from the rest of the world. That's one of our basic rules, it should never touch the internet. I can't speak for our competitors, but it seems like they would do the same.
This space for rent, inquire within.
On the other hand, if someone malicious were to get physical access to the network, it may be a different situation.
This space for rent, inquire within.
Maybe you were scratching yourself at that time, but I spent many hours fixing applications because of the Y2K bug. If it wasn't for the effort of thousands of geeks all around the world, instead of a few systems failing here and there we could have had a huge problem worldwide.
What are you doing on a nerds' website? Comments like yours usually come from laypeople who have no idea what had to be done because of Y2K.
If the world's IT systems had had a meltdown, everybody would be blaming the geeks for not having done anything. Because the geeks did a great job, guess what, nothing happened. Then people blamed the geeks for having been alarmist, instead of thanking them.
That's a big problem with us, geeks. When you do a great job, nobody notices it because things go smooth. If you fuck up, everybody notices you.
It does make you think. If Bush and the GOP think that Dems are government solution crazy....why in the hell did they start the massive gov't surveillance programs in the first place. Did they not think the Dems would 'improve' upon them?
I fully believe if Bush hadn't started this dive into moral failure the Dems wouldn't have done it on their own, if only because the GOP would have, rightly, decried the invasions of privacy. But because of 'terrerism' somehow it was ok...
Bush's fault for starting it, Dems and Obama's for continuing.
People in cars cause accidents....accidents in cars cause people
>>>Strawman. Stop using them.
There's no strawman. Obama really has expanded the TSA to bus stops, train depots, post offices, et cetera. It's not my fault you don't keep up with the news and remain unaware of that fact.
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
In the '80s the United States sent oil pipeline controls with a trojan in it to the Soviet Union....it's not far fetched.
Subtle but important difference - the story is that the Russians were known to be stealing control software so the CIA arranged for the copy that they stole to contain sabotaged code.
When information is power, privacy is freedom.
Not even regular is like that. Regular war is two or several sides having people who are armed and those who get to pay and suffer.
Let's say for example, China and America had an all out war: in that case the common American citizen and the common Chinese citizen have a LOT more in common than the common American or Chinese citizen have in common with their leaders.
The whole thing of equating the policy of war profiteers with the people in a country is fascist bullshit. It's usually, and certainly often when America is involved, not "country A fighting country B", it's "group X (elites in countries A and B) fighting group Y (the people in countries A and B)".
Seriously, pay some fucking attention already.
So at this point there have been two real world examples of government sponsored hackers targeting a specific foreign government's infrastructure via trojans and viruses.
1) The United States attacked Soviet oil pipeline controls.
2) The United States and Israel attacked Iranian nuclear facilities.
Hmm... there seems to be a common element...
I'm not saying it was a bad thing to stop the Iranians, but it is an interesting fact to note that in CyberWar just as in Nuclear War there is only one nation that has ever actually used these methods.
- For the complete works of Shakespeare: cat
The real question is how government will respond to this perceived threat. They could push for better software and system security. Instead, they'll likely use the fear of this threat to increase their size and find yet another way to restrict people's freedoms.
Cyber "war" is just applied mathematics. Get it right, and you're untouchable. Its impact is unreliable and the expenditure is out of all proportion to its impact. Give me what was spent on Stuxnet and I could do far more damage to infrastructure than that ever did.
[FUCK BETA]
I should really make a locked-down *nix appliance that secures devices behind a keyfile-secured VPN or SSH tunnel and requires cryptknock before allowing access, and a software suite (like PuTTY and some scripts) to make connecting easy from a Windows computer, and then sell the setup for a ridiculously high price calling them "unbreakable infrastructure security terminals."
If that big dumb idiot who ran HBGary can be a rich executive, why not me?
"When information is power, privacy is freedom" - Jah-Wren Ryel
And why? What the president is saying isn't 100% bullshit, which is a difficult thing to swallow - for me, too, and I voted for him. Of course it isn't nearly the truth, either. The truth lies somewhere in between "nothing will happen" and "The only way to be sure is to nuke it from orbit" and it shifts.
I will tell you this, not long ago there were some oil pipeline explosions in Russia (not the USSR). The explosions happened just as Russia was starting to make a big dent in middle east oil production and, coincidentally, just as American oil interests were turned away from investment in Russia's oil industry. There was a massive pipeline explosion. It took Russia years to recover fully and by then the Middle Eastern oil situation had stabilized and they were able to over supply Europe once again. The explosion gave the US interests breathing room.
It was caused by code put into the valves by US firms that effectively reversed the oil flow.
Yeah, we did it, and the message was that either Russia does it themselves or they play nice with the US. And now China did the same thing to us.
Serves us right.
The war is here, son. Strap on your slide-rule and tape up your glasses. Uncle Sam wants you.
How so? Obama came into office on "hope" & "change", and he just helped consolidate the police state Bush kicked off even more. Oh, and he went from torture to "kill lists", and he paid banks for being too greedy for their own good. He didn't change a fucking thing, he just lubed it up for you, all nice and sophisticated and bullshit-y.
No, all he (well, his handlers) did was pull one on you, and you just sit there and celebrate it with empty phrases like "he facilitated thinking". For fuck's sake? What does that even mean? Your BRAIN would facilitate thinking, IF you had one.
I'm pretty sure they simply implemented the same policies that are chugging along all the time, anyway, and this time with the diction of Tuvok instead of dumb smirks.
Actually, you could say they merely applied a different CSS file to the exact same fucking HTML.
OH LOOK, IT'S A NEW WEBSITE I NEVER SAW BEFORE!
Gah...
Only kibitz I have is Obama made a calculated decision to go with Mandate vs Gov't Single Payer in order to try and get some GOP support.
In a world without political calculations (& Unicorns!) I think he'd have done away with said insurance megacorps...
People in cars cause accidents....accidents in cars cause people
Give me what was spent on Stuxnet and I could do far more damage to infrastructure than that ever did.
Whoa there, cowboy... put your gun back in its holster. The reason for the expense is that Stuxnet was a subtle, precise strike. The main advantage of which is that it didn't give Iran a clear Casus Belli against Israel. No kidding it would have been cheaper and far less complicated to just drop some bombs on Iran's centrifuges... but that could have led to pretty brutal regional conflict. Why use a baseball bat when you can use a scalpel?
-- Let us endeavor so to live that when we pass even the undertaker shall be sorry. -- M. Twain
I can't say that I agree with his content, but Obama does get Joe SixPack to realize that power plants and train switches can be inadvertently connected to the internet (and to wonder what else is connected.) Hyperbole it is, but it's useful for the non-specialist.
Yeah, but it's not because Americans have too much freedom on the internet. It's because government contractors are incompetent with basic security.
That's the 100% false hyperbole that The Man is shoving down your throat.
He is not telling the truth; it would be "hi citizens, we screwed up wasting all your tax dollars on systems a 5yr old could misuse and then we added insult to the injury by connecting them online. now we are going to prosecute all the bad contracts we made and fix it with secure applications"
Instead he is saying "the internet is dangerous, we will collect information from everyone everywhere and will violate all your privacy, because the internet is dangerous"
How the hell can I use my mod points on the article? It's clearly flamebait.
Because to be that type of success, you need considerable salesmanship talent, connections in the right places and a fair bit of luck.
This is completely backward. Infosec is actually applied anthropology. Humans will get the math wrong. They will get the design, the implementation, the policies, the procedures, the operation wrong. Security is about assuming mistakes will be made and overlapping protections to the extent that the impact of those inevitable fuck-ups is minimized.
That was the thing about Stuxnet that people don't seem to get. It's a brilliant chess move; if you accept the premise that those centrifuges need to go (which frankly I did, but it's up to you), it's hard to argue that the "strike" that destroys every centrifuge without so much as an injury is inferior in any respect to a bomb which is almost certain to kill people.
But the real thing is that the evidence that it was US/Israel that wrote Stuxnet/Flame only rises to the level of "likely, but rumor", and Iran would have a very hard time starting a war over that. Bombs are a lot easier to justify in that respect - "they invaded our sovereignty and bombed us" vs "they set us back a few months and made us spend money".
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
Nothing is as horrible as being trapped in a monopoly.
Sort of like before HCR? Employer provided health-care is its own monopoly, meaning you can't switch jobs if you have a pre-existing condition.
I really don't understand why people distrust a government program 'that they have actual say in' versus a corporation that they have ZERO say in how it's run. You don't get to vote for who runs it, you don't get to vote for what you want it to do.
Before HCR reform, insurance companies were perfectly allowed to cancel your coverage because you cost them too much money. You really want that as your health care system?
People in cars cause accidents....accidents in cars cause people
And very few morals.
Vote monkeys into Congress. They are cheaper and more trustworthy.