Slashdot Mirror
Why Chinese Hacking Is Only Part of the U.S. Security Problem
An anonymous reader writes "Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, and/or configuration,' argues a U.S. Air Force cyber security researcher. 'It is technological vulnerabilities that create the ability for actors to exploit the information system and gain illicit access to sensitive national security secrets, as the previous examples highlight. Yet software and hardware developers are not regulated in the same way as, say, the auto or pharmaceutical industries.' 'The truth is that we should no longer accept a patch/configuration management culture that promotes a laissez-faire approach to cyber security."
US security sucks? Now, now, there's no need to become all yoddle! After all, the US has been propagating that which is unseen to the foreign admissive. Why don't we all just get all along, and become brothers in rancid?
First off, demand that every software vendor provide a list of files that their product installs, where those files are installed by default and different checksums/hashes/etc for them.
It should be possible to boot a machine with a live CD (or PXE) and inventory every single file on that machine and identify the origin of each of them.
At least you'd know whether a machine was cracked or not.
Right now, with existing anti-virus, all you can say is that a machine does not have anything that matches the signatures that you have right now.
Start with designing operating systems that are secure and language enviromnments that are secure rather that feature rich marketing shows. Don't put the blame on the programmers that have to work with shoddy designed infrastructure. Change the infrastructure.
I find the summary to be quite myopic in terms of security -- it thinks that there's a technological solution for every security problem. In reality, as long as humans have access to data -- they can be deceived, tricked or otherwise made to inadvertently disclose said information to a third party. I doubt there will ever be a technological solution to address this 100% -- you can make walls and try to idiot-proof your network, but then you will discover that someone has invented a better idiot.
.....In an hour, you'll be hungry again.
The whole idea that China should be 'held responsible' for the hacking is just plain silly on it's face. Governments and private corporations have been spying on each other ever since the first cave man tried to keep a secret.
Can you imagine during the cold war of the US President went to Stalin and said "please stop spying on us"? Because that's exactly what's been suggested here.
sounds like an excuse to spend more money, on more stuff that they already have/don't need.
take a look at the IT/data security invested in the automotive/pharm industry, and then ask yourself, "well, why are they so secure?"
Do you expect medical professionals to be able to cure every disease and infection ever? Do you expect automotive engineers to be able to build mechanically perfect vehicles? No. Of course the attitude the majority of people take towards online security is a joke, but no more so than saying "Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, and/or configuration."
Cyber espionage, crime, and warfare exist through the same mechanisms that allow viruses to become resistant to treatment: adaptation. Systems can be designed to be harder to break, systems can't be made to be impenetrable. The language used in this article is just the same old IT-focused yellow journalism we've all come to expect on the subject.
That is: someone who actually argues that Chinese hacking is the entirety of the U.S. security problem?
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
In mainstream corporations none of this is going to happen until security issues impact the bottom line. And then it will be corps typical approach, of addressing specific instances. The military too, Adobe and Windows are used all over the place.
That is: someone who actually argues that Chinese hacking is the entirety of the U.S. security problem?
Yea - Sergei from totallylegitbankwebsite.ru
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Cue the "But software is hard and we can't do it well" cries from the incompetent.
Forget the arguments of "software - a non-regulated industry", that's noise. The reality is:
- Businesses: make hacking illegal and unload the cost to keep us secure to the govt; the businesses purpose is to make money not security
- Army: buddy, it worked for lulsec. But now you're on your own, we can't do it
Questions raise, answers kill. Raise questions to stay alive.
In one example I saw, the, um, mistake in security implementation was committed by a belarussian contractor who had a strong feeling against the U.S. oil interests in Georgia (Eastern Europe) and was working at a U.S. mega-corporation...
/.
Hiring certain political persuasions to do mission-critical work for mega-corporations is something I would look out for. I specifically mean hiring anti-U.S. personalities to perform work for U.S. infrastructure has its weaknesses.
When mega-corporations implement critical infrastructure (e.g. login credentials) they would be using sympathetic professional contractors, probably from the U.S., the U.K., France, Germany, Japan, Australia, New Zealand, Canda of course. Not BRIC. That's my 2c
Every piece of technology we use is made in China. And we're just now thinking about this??? Duh!!!
Karma: Bad
No, Captain Obvious was demoted to a Lieutenant long ago.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
outsourcing lack of QA, golf course meetings, ect also plays a role even more so when IT is out of the loop and the PHB makes the calls.
It is clear that they are talking specifically about technological vulnerabilities. Also, in the given context of a military/national security type of system, only trained personnel are allowed to access them. However imperfect, that's as good as it gets in terms of dealing with social engineering or the dumb-user problem.
Ever hear of Mata Hari?
http://en.wikipedia.org/wiki/Mata_Hari
But to know the side effects, wouldn't you need the code? Which is exactly the opposite of what you are saying about releasing betas.
A thug with a crowbar in meat-space is no different than some hacker on the Internet with a SQL injection.
Automobiles, airplanes, nuclear power plants, bank vaults, and other physical constructions are regularly identified with security flaws or weaknesses.
You know how to hack an armored Humvee full of infantry? With an IED. Life is dangerous. So is the Internet.
Most people don't live in bunkers. We accept the risk that all types of horrible things can happen, and we worry not. Wood and brick houses are regularly leveled by Mother Nature. We could all live underground, but we don't (well, those of us no longer in our parent's basement). People in Florida, Oklahoma, and Kansas could invest in hardened building construction processes and rebuild after a storm with concrete and high tech alloys, but they don't. Wood houses replace the splinters of the last house a tornado shredded, and people move right back in. New Orleans flooded, and people moved back into the below-sea-level bowl.
Stop thinking in abstract, academic terms. Life isn't black & white. We live in shades of gray, where no position, method or object is absolutely secure.
Life is full of imperfections. Humans make mistakes. Entropy. Chaos. Envy. Greed. Hatred. Sh*t happens (aka Acts of God).
Computer security flaws are "surprising" only to the fools who think the world is safe. Given that technology has reduced the distance between tribes, we're all witness to see how friendly humankind really is, err, isn't.
If you've ever been on the wrong side of war, mugging, rape, or other acts of violence - even bullying - then you should know there are those among us that operate with an "eat or be eaten" mentality. Humans are still animals. That lock on your front door isn't going to stop thugs intent on a home invasion, because they're going to break through the window, or crowbar the door-jam, or cut through the vinyl siding, drywall and a few inches of insulation with a machete...
The Internet and air travel has rendered all of us so close, we're holding hands. Americans in close quarters with the Chinese, Russians, and Islamic radicals... Are we all singing Kumbayah? Umm, no. People are doing what people do...we compete, steal, destroy, oppress, deceive, and occasionally rain Hellfires from above.
Just wait until nano, bio, and robotics really take off. Some kid in India may unleash Pandora's Box with a super-flu that wipes out a few billion of us, and this article we're reading is worried about computer documents?
Computer security is a fad, like bank security in the wild west. Give it a few decades, and it's all OBE as we move on to the next thing. A vault by itself doesn't stop the enemy, just as a computer by itself isn't impregnable. At some point, you need force-on-force conflict to effectively defend what's yours from others.
Do you really think there won't be another Alexander, Attila, Genghis, Caesar, Cortez, or Hitler? Humans can be loving, but they can also be ruthless. Terrorists are out there trying to reboot civilization so they can have an easier grab at power. Through dissolution of the family model, worship of the dollar, competition for resources and all sorts of other factors that come with scaling society beyond a village, we're just as likely to collapse under our own weight than to get off this rock and cruise the galaxy.
Be happy each morning you read Slashdot you're not in a burning skyscraper hundreds of feet up in the air among people screaming, waiting for everything to collapse...thinking about how insecure a city is to stand up against a couple dozen knuckleheads who were willing to trade their lives for thousands.
Enjoy the days of Chinese farming American secrets in cyber space, breaking into digital vaults. What comes next won't be so fun.
Is hard to be secure when you exploit 0day holes without warning the vendor to make Stuxnet and similar ones, or if you force companies to leave holes for you to enter. Those two policies are incompatible with being secure.
Also, putting people with access to virtually all (even private communications of companies/individuals) adds an specially weak point in the security. If politicians are so easy to bribe, why shouldn't be fbi/nsa agents or middle management?
. . .U.S. Air Force cyber security researcher. . .
So, is Captain Obvious and actual captain?
No he's an Air Force civilian worker, probably a GS13
Apocalypse Cancelled, Sorry, No Ticket Refunds
Agreed, let's stop blaming the victims.
That Windows XP unpatched PC is "secure" until some knucklehead throws malware at it, just like the jewelry store with bars and an alarm is secure until three thugs show up with crow-bars and perform a smash-and-grab.
As security becomes more problematic for consumers, the market adjusts. In large part, we're already seeing some of this... Unconscious social movement "to the cloud" has a lot to do with putting our heads in the sand. Get the data off the box in front of us where we'd be "forced to deal with tedious cat-and-mouse arms races" and put our digital lives and data in the cloud, where we won't know (care?) it's being stolen on a regular basis. Amazon, Google, Microsoft, Apple, Facebook, these are the new banks of our society.
Computer software and hardware products are what they are, which is useful, but not impregnable.
I can't afford an armored car and a bunker, so I drive a truck and live in a brick house. Same with computers - most people use the machines, we don't have endless hours in a day to pour into trying to make these sand castles more secure. Technology moves fast. Those sand castles will be replaced in a couple years, and we'll have a new set of problems to futz over while continuing to pursue the meaning of life (e.g. build a family, contribute to the tribe).
Almost every company does not care about anything that no one notices. Their MBA's weigh the cost of building something secure against their perceived chance of a security breach (or the chance they won't be at a different company when a breach occurs) and rarely are willing to pay.
Outsourcing hurts security, and every big company does it. Why? because its cheap. You may argue about the knowledge level of the employees overseas, but that isn't the point. If you want it secure, you want your own employees working on it. You want your code local, not sent to people unknown overseas.
Almost every company is cheap in this respect, big and small... At one Fortune 100 company I used to work for (that I can say with near certainty that almost every single adult in the US knows), I had access to SSN's for every employee in my division (over 200 employees) even though I did not need or request them, and to make it worse, they were in plain text.
That same Fortune 100 company failed a PCI audit due to having entire credit card numbers in plain text (among other problems). We did not get any funding to start the encryption project until after the credit card organization started handing us daily fines. We asked for funding to encrypt the SSN's at the same time and were denied. We were only allowed to fix the issues to stop the fines.
At a different much smaller company (of roughly 1000 employees), their users' passwords were not even encrypted. They were stored by reversing the sequence and a process similar to ROT-13. It was so bad, if I was looking at the database, I would be able to "decrypt" over 90% of them in my head. The scary thing... I was working for a credit card issuer (one you probably have NOT heard of) and the system was used for managing corporate credit cards including setting limits and issuing new cards (and the system was designed for public internet access used by many fortune 500 clients).
While I was there, there was a large redesign to the entire process. It was upgraded to allow automated password resets, forced password aging, and a new UI. We (the developers) requested to change the back end storage and were flatly denied.
To make matters worse, they wanted us to remove the ability to allow special characters. The reason? Corporate politics. A newer system (with more funding and better liked by the corp execs) did not allow special characters and we couldn't let our (un-liked, but more used) system be better. We were able to get a corporate security person to not have us forced to drop special characters, but we were not allowed to tell the users that we allow them. (I was already looking for a new job when this happened, and this made me redouble my efforts.)
The examples just prove corporations want to nickle and dime everything and only pay for the bare minimum. In addition management rarely understand tech (even in some so-called tech companies,) and you see why they would rather hire cheap programmers instead of quality programmers.
Until they are willing to pay for security they will not be secure. And now it seems that the worse thing that happens after a breach they pay for a year of "id theft monitoring." A year of monitoring if they get caught compared to paying for quality software development -- Which do you think most companies choose?
Looking for a job?
Want your resume written professionally?
DON'T USE TUNAREZ!!!
So, they regulate a software manufacturer to the point where very little in the way of features are getting accomplished in lieu of focusing on security fixes. Costs skyrocket for made-in-the-u.s.-absolutely-secure-software, meanwhile software made in India, Russia, China, etc. aren't beholden to the same regulations. Their software is cheaper, done sooner, and has all the features customers need. Software firms beholden to the regulations die off in droves. Problem solved, right?
The pharmaceutical industries have a lot of rules and procedures that need to be followed, to minimize risk to patients, and these rules are largely effective (sure, not completely, but killer drugs are pretty rare). The idea of 'release it now and fix it later' would never be tolerated in the pharmaceutical industry. Why can't the software industry aspire to similar safety standards? The idea that it is impossible to write perfectly secure code, where does that come from? Is that really true?
Stasis is death. Embrace change.
It's not outsourcing, developers, lazy users, the Chinese or any other of the above mentioned causes that are at the root here. The root cause is the operating systems we all run aren't secure by design.
Linux, OS_X, Windows, Android, and all the phones run systems which are based on the idea of users who can be trusted. This is a great idea for computer science departments of the 1970s, prior to wide scale networking and mobile code. The idea is just stupid in todays environment, and has just lead to a ton of patches over a ship made of sponge.
Capability based security reverse the bad assumption that you should base everything on trusting (or not) the user. The user isn't the problem. The software the user uses should be the problem, and focus of attention. Linux, OS_X, Windows, Android, etc. ALL trust a program with the resources of the user in question, which is NUTS (and has been quite a foolish thing to do since 1980)
The Genode project is working to bring a full-on capabilities based system together on top of an L4 secure kernel. In this OS, the user selects the resources to make available to the program at run time. This is better than App_Armor in that it's more flexible, and easier to work with. The best part is that capabilities already match the way we deal with non-computer based parts of our life.
Owe someone $15? You had them a $20, and they give you $5 back. The $20 bill was a capability, and the maximum you could lose. They can't trojan horse your money, and steal the rest out later.
Want to let someone borrow your car? You hand them the keys, and it gets them into your car... not all cars of that model, not your house, not your bank account. It's a capability, which accesses that one resource, not all of them.
Capabilities offer a way to fix computer security for good if enough people "get it" and push for its adoption.
Planting a spy on the inside is not a social engineering attack.
Actually, yes, it is.
Server software that is very, very secure is possible. Look at, e.g. postfix, openssh, apache w/o modules, etc. It costs more, but the real issue is it has to be designed and implemented by people with strong secure software engineering skills. Today, secure software engineering is still rarely taught, and almost never as mandatory subject. As long as that continues, most software will suck security-wise, as secure software engineering requires a quite different mind-set from ordinary software engineering. It is however quite clear how to do it today. Techniques like privilege-separation, marking and tagging, secure containers, full input validation, etc. are well understood and cause massive increases in the difficulty to hack a system and can make it impossible. The problem is just that they are not used because so few people understand them.
My proposal: Make secure software engineering courses mandatory for any SW-Engineering and CompSci qualification. Then add high liability risks for all those that do not use these techniques to force management into abandonning shoddy practices.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
True, almost all software produced has quite a few security holes. I just fixed some security holes in online classes that - cybersecurity. These are courses put out by a well known government agency that specializes in safety and security, but that agency doesn't come close to securing it's own systems.
HOWEVER our buildings are also quite vulnerable to Chinese missiles. We haven't secured our shopping centers, our sports stadiums, or our power plants. China could very easily wipe out any of them. Does that mean we'd accept it if they did? If China shot down a US airliner would we say "eh, it's our own fault for not securing our airspace"? Of course not. We'd hold China accountable, very quickly. Probably within a matter of hours. That's the biggest failing - we've chosen to sit down and allow China to attack us for the last several years, with no real response from us.
Anyone can easily kick in the front door of your house. If they do so, we don't blame the victim for not having a six inch thick steel door. We throw the assailant in the slammer.
Probably, our software will never be secure for the same reasons our houses won't be secure - because security is HARD. It's much easier to break something than to build something. Building something that can't be broken is almost impossible. To be competent at software security takes about six years of training for a typical corporate programmer, one who doesn't really understand software engineering as a science. An otherwise skilled programmer could learn to make his good software into fairly secure software in three years. That's about, what an extra $40k - $60k per year for a programmer with several years worth of extra education / training. How many organizations are willing to pay that cost for secure systems?
I have fifteen YEARS of experience in software security, but no one is offering me a job that pays a reasonable salary, not when they can instead hire an idiot for $40K to create a heaping pile of garbage that mostly "works", for a year or two until he's in a different position.
I am a geek so, yesterday's revelations did not surprise me, because this kinda bullshit has gone for years now and I assumed all of the "hulla-balloo" that went viral were from people that have never gone on the internet or used a cell phone or have not taken a high school history course or have any knowledge of WW II. The buzz created yesterday was quite un-nerving to me because I never assumed that so many people were oblivious to this. I.T students run sortware, (I would imagine) like PRISM for learning networking purposes and I still use diagnostic tools that is open-source. I can see why people are so outraged beacause at the government does not help matter's given the verbage ie:(cyber-attacker/ national security) if I did not know binary..would comming off like and the So many I could not imagine life without the use of phones, computers and the internet and how my day which and how that how it relates same token I can how adversely see how So much of today's and how that can alter peoples .Cell Phoes l
ivelyhood, freedom ..
Anything engineered has potential by man can also be reverse-engineered by man I wished to God, people ...it is just the way it is If only people could understand
It is so un-nerving to me as to how un-educated people are and how sc am so bothered that is quite bothersome to me as to the l am a little unnerved Without getting dramatic Artificial Intelligence goes both ways and can altel help people relieze understand how many levels the "big picture". ( as to what the security, privacy, economic landscape year 2013 and h
Poor application doesn't come from lack of familiarity of poor training, however. It comes from tools which do not adequately expose functionality to the end users. Every time a tech argues "but technology X can do this you just need to learn how to do Y", he is dropping the ball. This argument was only appropriate when interfaces were limited by technological capacities (first due to being done in hardware such radio nobs and then due to lack computing power to do both interfaces and main application logic in software). Given the amount of computing power available today, inability to expose concepts to end users is 100% tech's fault. This goes not only for concepts exposed to consumers. This goes for tech produced for techs as well. Anyone who even thinks that a computer language should not be responsible for exposing hardware capacities in a way that does not tax anyone's attention span should be ashamed to even think about the subject and they should be much more ashamed of voicing their opinion on the subject. Dropping the ball on UX at every level of technology, given the capabilities of the modern technology, is why security features don't get properly used. They are not adequately exposed to the users. Cats can use ipads. Humans can use any technology if its interface is not designed by amateurs or hacks.
Any guest worker system is indistinguishable from indentured servitude.
When the DoD (that would be Dept. of Defense for the dummies who regularly read this site) issues the top security level (O-Ring) to Micro$oft's operating systems, and MS hands over their OS source code to the Chinese gov't, could be a major cause of the problem. Another major cause would be offshoring all those jobs to China --- offshoring all that technology to China --- offshoring all that investment to China (instead of corporate amerika amortizing into their country from which they are based, and should be expelled); said actions render this article posting completely ludicrous, written by a member of the species, ignoramus americanus!
. . .as I mention in a later comment, if all those tech jobs, technology and investment have been shipped to China, this would be the likely result, with generations of American students/workers rendered almost obsolete in their pursuit of IT employment.
Hackers did not not want develop on closed systems like DEC VMS with its deep levels of security. That was very painful for the few months i had to wrok with that. Now we are paying for this.