Ed Felten: California Must Lead On Cybersecurity
An anonymous reader writes: In a Sacramento Bee op-ed, (in)famous computer security researcher Ed Felten responds to the State of the Union cybersecurity proposal. He doesn't mince words: "The odds of clearing Congress: low. The odds of materially improving security: even lower." What he suggests as an alternative, though, is a surprise. "California," he writes, "could blaze a trail for effective cybersecurity policy." He calls for the state government to protect critical infrastructure and sensitive data, relying on outside auditors and experts. It's an interesting idea. Even if it doesn't go anywhere, at least it's some fresh thinking in this area of backward policy.
From Felten's essay: Critical infrastructure increasingly relies on industrial automation systems. And those systems are often vulnerable – they keep a default password, for instance, or are accessible from the public Internet. These are not subtle or sophisticated errors. Fixing them requires basic due diligence, not rocket science. Requiring the state’s critical infrastructure providers to undergo regular security audits would be straightforward and inexpensive – especially relative to the enormous risks. Areas of sensitive data are also low-hanging cyber fruit. In health care, education and finance, California already imposes security and privacy requirements that go beyond federal law. Those legal mandates, though, are mostly enforced through after-the-fact penalties. Much like critical infrastructure, sectors that rely upon sensitive data would benefit from periodic outside auditing.
Of any state government's, California's policies also have the chance to help (or harm) the most people: nearly 39 million people, according to a 2014 U.S. Census estimate.
This device uses a default password known to the State of California to cause cancer, birth defects, or other reproductive harm.
When used to protect bigotry and discrimination...Great, let's have some more!
When used to protect citizens from corporate abuse? Terrible, that's forbidden!
Then GTFO, because without CA's leadership you wouldn't be on the internet right now. Or eating very well.
I've worked in banking where we were audited by multiple government entities, our private auditors and auditors from our thousands of customers.
Security audits are only worthwhile if the company being audited is actually serious about security in the first place. In over a decade of such audits I don't think the audits ever found anything that we didn't already know.
During this time we acquired multiple other companies, all of whom had passed security audits, and the quality of their security had very little relation to what the audits said. You can have rather poor security and people who are really good at working with the auditors and get really good reviews from the auditors.
They may identify default passwords in Internet connected devices, but if the password is changed from the default to something trivial it won't detect the problem without helping much.
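Both Felten's excerpt (default passwords, systems reachable from the public Internet) and the comment above (a default changed to something trivial slips past a default-only check) describe the same audit gap. The following is an added example, not code from the article, the op-ed or any commenter: a small configuration-audit pass over a constructed device inventory that flags known default credentials, trivial replacements for them, and management interfaces outside the internal address ranges. The default list, the trivial-password list, the device names and the addresses are all constructed (203.0.113.7 is from the RFC 5737 documentation range), and the 12-character minimum is an assumed policy value.

```python
"""Configuration-audit check covering three findings named in the thread:
a device still on a vendor default credential, a device whose password was
changed from the default to something trivial, and a management interface
reachable from outside the internal network. All data here is constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed sample of (username, password) vendor defaults. A real audit
# would load the organization's own inventory of known defaults.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("operator", "operator"),
}

# Constructed list of trivial passwords that the audit policy rejects.
TRIVIAL_PASSWORDS = {"password", "123456", "admin1", "letmein", "welcome"}

# Assumed policy: anything shorter than this is flagged even if it is not a
# known default or a listed trivial value.
MIN_PASSWORD_LENGTH = 12

# Address ranges treated as internal for the purpose of the exposure check.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass
class Device:
    name: str
    username: str
    password: str
    mgmt_ip: str  # address the management interface listens on


def is_internet_reachable(ip: str) -> bool:
    """True when the management address lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def password_findings(username: str, password: str) -> list:
    """Return the credential findings for one account, most severe first.

    A known default is reported as such; otherwise the password is checked
    against the trivial list, the length floor, and equality with the
    username, which is the case a default-only audit would miss."""
    if (username, password) in KNOWN_DEFAULTS:
        return ["default-credential"]
    lowered = password.lower()
    if (lowered in TRIVIAL_PASSWORDS
            or len(password) < MIN_PASSWORD_LENGTH
            or lowered == username.lower()):
        return ["trivial-password"]
    return []


def audit(devices: list) -> dict:
    """Map each non-compliant device name to its list of findings."""
    report = {}
    for d in devices:
        findings = password_findings(d.username, d.password)
        if is_internet_reachable(d.mgmt_ip):
            findings.append("internet-exposed")
        if findings:
            report[d.name] = findings
    return report


# Constructed inventory: one default credential on a private network, one
# trivial replacement on an externally reachable interface, one clean device.
SAMPLE_DEVICES = [
    Device("plc-01", "admin", "admin", "10.0.5.10"),
    Device("hmi-02", "operator", "Welcome1", "203.0.113.7"),
    Device("rtu-03", "operator", "j7Kq!pL2#vX9wR", "192.168.1.20"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DEVICES).items():
        print(f"{name}: {', '.join(findings)}")
```

The point of the separate `trivial-password` finding is the one the comment makes: a list of vendor defaults alone would clear `hmi-02`, so the audit has to apply a strength policy to whatever replaced the default, not just confirm that the default is gone.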
Why would you say something like that? Whereas I don't have high confidence in any governmental organization to ratify legislation that works well with tech matters, California has led the way for many in the past that are now national standards.
Off the top of my head, there was a time where you could buy a new car without a catalytic converter, and without any emission standard requirements in every state besides California. Same thing can be said about safety equipment or specification (bumper heights, crash standards). Currently, all the requirements that had to be met for California are nationally required.
I expect we will see the same adoption nationally for small motorized and two-stroke motors in the future. Also, the Junior College system that CA has had since (at least) 1978 (sans tuition for residents) recently had national mention.
All in all, although many protest and resist change, it seems that California legislators are more intuitive than most and they seem to have led the nation on many other models aside from the aforementioned.
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Bespoke setup - somewhat safe. COTS - You are asking for it.
Anyone who has default passwords or compromised firmware (with backdoors) deserves what's coming, and the directors should be personally responsible for all that follows.
Anything critical should have a dedicated line, or failing that dedicated, custom software / firmware / protocol(s) plural - where TCP/IP is not the only protocol. Recompile your TCP/IP stack so that it only has what you know you need - and drop any other packets.
Yes, there are places who use off the shelf products with off the shelf software and rent a nerd/network monkey to get it up working. Or trust some cloud service to do it better/cheaper - even though passwords (and without sms or two factor) are in that solution and travel up wires that anyone can see.
All you really need, is a clue.
Ooh, sorry, the only way to get off the planet is to use technology developed in California.
Well, unless you want to trust the Russians or Chinese. And even then, they probably borrowed stuff they picked up somewhere that might have been California.
"Security audits are only worthwhile if the company being audited is actually serious about security in the first place".
I guess what matters is who holds the "purse strings". When I observe a non-compliant issue and report it to my client, most of the time my client calls for a secondary audit. It's rare to see the same issue on the secondary. The audits I've done where I observe the same non-compliance are rarely retained by my clients.
My clients hold the "purse strings" and will accept an "anomaly", "error" or an explainable exception, but they won't deviate from agreed compliance with their clients.
California seems to be reactive in terms of policy.
It will try hundreds of policies many of them fail or have no impact. But the few that do work they will tout how progressive they are.
Still I want to cross the state border with my nice juicy apple.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
NOTHING is going to happen in California. Their budget is a joke. They have a double digit sales tax rate and the biggest deficit out of every state. They have the stupidest, most intrusive laws that negatively impact every other state. Their politics are almost as corrupt as Illinois. They don't do a thing about illegal immigrants and they're tipping the economy over and causing massive crime problems. They also have a drug problem. California is the model of how you don't run a state.
And they're supposed to get tough on cyber security?
In California and by California are not the same things even though they sound similar.
I'm not supporting the parent's position but please understand that you are not speaking about the same things.
You mean all those industries that off-shored their IT and Security to the cheapest bidder can't secure their systems?
BIG FREAKING SURPRISE.
If you do wish to bring that concern forward, do make it against the OP, and then I'll make a modified reply to them once they do so, should I feel it is warranted.
Absent that, I hold them to their words as expressed, which was not engaging in any such differentiation, but simply lambasting California in the stereotypical fashion that would lead to outrage if it were another locale.
Me, I was just highlighting how they didn't make the differentiation, but painted the whole state with a broad brush. I guess you didn't get the point of my words. Please understand, you didn't get my purpose at all, so no, you were not comprehending what I was speaking about. I'm sorry that I didn't make it clear to you.
More homeless camps are appearing beyond downtown L.A.'s skid row
That state is making the US into a third world country.
What they propose is not going to happen simply because of this:
He calls for the state government to protect critical infrastructure and sensitive data, relying on outside auditors and experts.
Outside auditors doing anything in CA government? We'll see that only when all else is lost, and people are starting to go to prison.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
This is the intent of "separate but equal" States at its core. Each State should be attempting such change in a way that the country as a whole can learn from each other without barrier of a large, inescapable, Federal government. Although, in this specific case, it sounds like somebody lobbying to create a new State-mandated industry.. which should always be held to a decent amount of skepticism. This reeks a bit of "if only we had an outside consultant..."
This is the intent of "separate but equal" States at its core.
That is definitely an advantage of the federal system, but it was not the purpose. The constitution was written that way to prevent the centralized government from becoming too dictatorial. Indeed, if the constitution had given the national government much more power, not all of the states would have joined.
"First they came for the slanderers and i said nothing."
I'm not sure why I would have to. The article stated the government of California which is the only entity that could be by California. This is the context the OP's comment should be examined in. You stated "in California" which is not the same thing but could encompass the same things.
No, it is clear from the context of the reply and even just the summary that the GP was talking about the government of California.
Ok, you do understand that there is/can be a difference between from or in a geographical area and caused by the leaders of that geographic area right? In other words, I understood your point or purpose but showed how it was not relevant to the situation due to nuances in language. Now if I say go get me some ice cream, and you say why, I would expect any other person wishing to comment to be commenting to your why within regard to my telling you to get me ice cream. It's just how language works. It would be silly for someone to chime in with "Your wrench is the wrong size" as a reply to your "why". In order for their comment to have bearing on the conversation, it would have to apply the presupposition that I told you to get me ice cream in order to be congruent with the conversation. Made "in" is simply not made "by" therefore bringing in the problem.
Really...how about Rhode Island? It's a small enough place, so it should be easier to secure.
Many, many people are moving from California to Texas, often following companies who are either moving their headquarters or like Apple, who is moving their new development to Texas. They come here because this is where the jobs are, and the cost of living is so much lower. The same person might make two to three times as much real income after accounting for cost of living.
They come to Texas because Texas has jobs, Texas has affordable housing, Texas has a road system that works, unlike California gridlock. Yet they bring with them the very same political ideas that have failed so badly in California. If you want to regulate your employer out of business, please STAY in California. You're welcome to come here and join in our success, but you're also welcome to stay there and keep your fail. Please don't bring your fail here.
> You are welcome to your state where a lack of laws allows employers to restrict your opportunities to change jobs. Yeah, welcome to your overlords who use the lack of employee protection to push your income down.
Yeah, it was Texas where that happened, not California, right? It was Google and Apple conspiring against employees. Nope, must have been Toyota and Texas Instruments who did that.
The thing is, when the statehouse is deeply involved in business, those three or four businesses who purchase state senators have a huge advantage over all the smaller companies. Those three or four companies collude and the employees are screwed. When the politicians are expected to stay out of the way, you have hundreds of companies hiring just at one job fair in Austin alone. It's not possible for 500 tech companies in Austin to ALL collude.
Securing networks and computers will require companies to spend more time and money to take necessary steps to protect users of their products. The government, NIST in particular, has developed standards to evaluate risks in computer systems. Companies need to start putting their money where their mouth is and make changes.
This is the intent of "separate but equal" States at its core.
That is definitely an advantage of the federal system, but it was not the purpose. The constitution was written that way to prevent the centralized government from becoming too dictatorial. Indeed, if the constitution had given the national government much more power, not all of the states would have joined.
Oh if only they had known that it would become a monster anyway. They were already confident that it would. Had they known for certain that it would happen so soon, I wonder if they would have tried harder to prevent that or at least slow it down.
<offtopic>By the way, if you're really working on a code review for systemd, I say: have fun with that!</offtopic>
The cost of living is 28% higher in California:
http://livingwage.mit.edu/stat...
http://livingwage.mit.edu/stat...
The average dollar salary of a programmer is 10% higher:
http://www.indeed.com/salary/q...
http://www.indeed.com/salary/q...
Texas programmers therefore have average effective salaries 18% higher than in California. I AM having good luck.
A state run by a single party beholden to corporate interests and lobbyists and massively dependent on the tech industry. A state that is so incompetently run that it is teetering on the verge of bankruptcy, that its schools have dropped to the bottom, and that can't even solve its traffic gridlock. Cybersecurity legislation in California will do little more than exempt tech companies from any sort of liability and pour out massive amounts in government subsidies to big corporations for cybersecurity initiatives.
Real cybersecurity would require massively increasing the financial liability of corporations for any breach in security that causes their customers to lose money or waste time. For example, when a data breach at Home Depot causes banks to have to reissue credit cards, banks should be financially responsible to their customers for the many hours they have to waste on dealing with new credit card numbers, and Home Depot should be financially responsible to banks for all their resulting costs. If each of these data breaches cost corporations a few billion dollars, you'd be surprised how quickly security shapes up.
Do you think that will last if the price of oil stays down? Serious question, not an argument. I don't know the answer.
23 years ago, my mother moved to Austin because that's where she found a nice job with a tech company, Dell, and a nice house for about $120k. Since then, gas has gone to about $4, gone back up and down. The Texas economy has done well throughout. This is the point where someone will point out that the Texas economy wasn't as good 30 years ago (when Democrat Ann Richards was governor).
Shale oil has been good to Texas in the last three years, but again we've been doing well much longer than that, and tech is strong, independent of energy. The state has a large rainy day fund - money set aside, saved up. So fiscally we're prepared for hard times, unlike areas that have large debt they'll be paying on in the future.
People and companies have also been moving here from Colorado, where the tech sector has been weakening relative to Texas. My honest assessment is as I hinted above - business is coming to Texas FROM the states that are making pot legal, increasing regulations, etc - liberal states. That suggests to me that while smoking pot might be fun, and these liberal policies may have some benefits, they are bad for an economy - bad for jobs. I get it - I used to be a member of NORML. So I understand that point of view - I wrote some of the literature they read. It just hasn't worked well for the jobs and cost of living situation. The people coming to Texas for jobs are voters, however. They've come from Colorado and California and brought their pothead ballot initiatives with them. If they team up with other liberal groups to gain majority control, they'll likely vote for the same policies here, and we'll end up with the same results. That's when the Texas economy will fall long-term, I think.
In the past the oil industry was a much bigger part of the Texas economy than it is now. It's still a large part, but there is a ton of high-tech stuff all around Texas - Apple is building all of its Mac Pro units in Texas, for example...
They also have a lot of international trade, including a major airport and shipping port too. All of that adds to economic diversity.
I read the screeds above comparing Texas and CA. Look folks, California has a huge and diverse economy with a lot more than silicon valley contributing. It also has really, really nice weather. (which is why houses are expensive, in part) We're not rushing to the store today to stock up on batteries and food like they are in that other bastion of business on the east coast.
Some businesses are going to "business friendly" states.. why are they business friendly? Because they subsidize the move with tax rebates or forbearance (Tesla in NV, for instance) or because they have little or no regulation (grind those workers into the soil.. there's more where they came from).
I like being from a state where we have laws that protect the quality of life of the animals I eat. I like the "master plan for education", and the fact that free education has been guaranteed by the state constitution for over 100 years. I like being able to surf, rock climb, and ski all in the same day. I like eating fresh produce year round, grown and harvested by workers with nation leading protections on conditions for those workers (thank you UFW). I like being from the state that isn't killing its prisoners. I like living in a state where there's an agency protecting my access to the beach (all of it).
None of these is perfectly executed, far from it.. but the intention is there and is pervasive at its very core. As Gov Brown points out, you paddle a little on the left and a little on the right, and you gradually make your way in the direction you need to go.
You can, of course, live somewhere with no beaches or natural wonders to preserve. That does save on coastal commissions and the like. Or, you can just buy your own beach.
You can, of course, live somewhere with no significant labor laws, and benefit from virtual slavery of low paid workers afraid to challenge their boss. Papa Doc led a very nice life in Haiti, and probably didn't give a lot of thought to the life of the general population.
Yeah, I was being lazy when I wrote that, and I knew it. Funny that I didn't feel like taking a few seconds to do the arithmetic, given the subject line of my post.
Eyeballing it, Texas programmers effective salary is actually about 16% higher. I still don't feel like double-checking my math on that, but feel free to.
State governments are where most things should happen.
1) Decentralization of power keeps government closer to the people
2) Experiments only break or fix one state, allowing others to observe
3) The US federal government has a whitelist of duties, not a blacklist
I'm not sure why I would have to.
Are you asking why you should?
That was provided later in the post, if you didn't understand, let me know what you had a problem with comprehending, since I don't know what you're having a problem grasping.
If you meant that as an obligation, then no, you wouldn't have one, I wouldn't say any of us are under any obligation in this discussion forum. Note how I already said I'd only reply if I felt it was warranted based on what the OP said in a modified post.
A good case study is the community colleges. They are subsidized with the idea that better workers with better jobs will have a higher tax base. Except they all send the money back 'home' or use it to sneak in more. It is no joke that at most of my entry level jobs I was the token Anglo. Immigration allows for the creation of wealth by keeping wages down.
A lot of the now legal kids fall into government support programs. Over 5 million families take some form of food aid in California. The state has only 38 million people! Some of the cultures these people have are very dependency based. They don't understand why we shouldn't go full socialism. They are basically conditioned to be serfs, albeit serfs with money.
California is now issuing illegals driver licenses! wtf the fuck! I don't care if it says it on the card. If it says it on the card they should be deported, not because they won't come back, but because it deters others from coming.
> As a result, we have to expect and accept that people will on occasion act in ways that we don't like and perhaps even contrary to their own well-being.
Perhaps that's applicable. There are enough gray areas to that question that we could go on for hundreds of pages discussing it. We'd never all agree, because it's a philosophical question, not a factual question. It's rather a different topic, though. What we're discussing here is jobs and the economy in Texas. In other words, as I said in the post you replied to:
> while smoking pot might be fun, and these liberal policies may have some benefits, they are bad for an economy - bad for jobs
Similarly, maybe you think that "regulating" your employer to bankruptcy is more "fair". You and your boss can be homeless together. Okay, fine it fits your definition of "fair". I won't argue that. You are welcome to your philosophy*. It probably has some good points. Putting the employers out of business is clearly bad for jobs and bad for the economy - that's a provable statement of fact.
* You are very welcome to enjoy and IMPLEMENT that philosophy in a place where your neighbors agree with it. I request that you please do not run away from its effects and bring it here. If you don't like the effects of your policies in California, change them, or come to Texas and become a Texan.
Perhaps that's applicable.
It is applicable. There's no "perhaps" to it. In a mostly free world people will act in ways that we won't approve of.
What we're discussing here is jobs and the economy in Texas.
And I get you think that legalized marijuana smoking is somehow worse economically than the current state of affairs with its destruction of people and the rule of law.
Similarly, maybe you think that "regulating" your employer to bankruptcy is more "fair".
OR MAYBE YOU DO. You're the one glossing over the destruction of a person's life just because they smoke or possess weed. Putting people out of business merely because they smoke something you don't approve of is pretty damned similar to the straw man you accuse me of above.
How is it more "liberal" to regulate a business to death rather than a person? Instead, I believe both are equally illiberal.
I request that you please do not run away from its effects and bring it here. If you don't like the effects of your policies in California, change them, or come to Texas and become a Texan.
I in turn ask that instead of glibly saying that we'll never agree due to some mysterious quirk of philosophy or geography, look at the actual harm caused by the War on Drugs and then repudiate it. This is not a California thing. This is a moral thing.
As I noted earlier, the civil forfeiture of assets is the most unconstitutional thing the US and state governments do. There's also the militarization of law enforcement and the hijinks of unaccountable law enforcement, such as the Fast and Furious case where the ATF (Bureau of Alcohol, Tobacco, and Firearms) ran some alleged stings that had the sole outcome of providing considerable material support for the Sinaloa Cartel to kill people (and perhaps do other things like money laundering) in a nasty and bloody war across the border in Mexico.
> You're the one glossing over the destruction of a person's life just because they smoke or possess weed.
The morality of drug laws is not the topic of discussion in this thread. As I keep telling you:
What we're discussing here is jobs and the economy in Texas.
> And I get you think that legalized marijuana smoking is somehow worse economically than the current state of affairs with its destruction of people and the rule of law.
There's no "think" about it, the fact is that the economy in Colorado, California, and other liberal states has been getting worse and worse compared to Texas, which is thriving relative to those states. It's simple arithmetic. The unemployment numbers aren't somebody's opinion.
I'm sure someone would like to discuss drug policy with you in some other thread. I'd discuss it with someone else, someone who is still able to acknowledge that there is such a thing as arithmetic. Maybe when you're a little less high.
The constitution was written that way to prevent the centralized government from becoming too dictatorial.
And how's that working out lately? And by "lately" I mean the last 9 decades, more or less.
As one wag put it, it took about a century and a half to get a Supreme Court that would rule that a man raising grain on his own land to feed his own family and livestock was engaged in "interstate commerce" as he did so.
Silly me, I thought that for an act to be commerce between states, it had to be: (1) commerce, and (2) between states. What he did was neither.
Now to await the first person to provide the Court's BS sophistry that explains why I'm the silly one in all of this. (If you do, I'll have a follow-up question for you.)
There's no time like the present. Well, the past used to be.
What difference does it make? If it's not commerce, the federal government can create a tax that will confiscate all the man's grain. Problem solved.
If a majority of the people want a larger federal government over a long-enough period of time, no constitution ever written will prevent it.
I'm interested in your follow-up question, though.
If you can find any of it, I think you might enjoy reading a guy from Colorado named Ray Morris. He was a big pot guy in Colorado, active with NORML in the early nineties.
It has become obvious that you're currently unable to grasp the concept that there can be a conversation about something other than weed ( too stoned?), so if you're in Colorado, please stay there. All we have down here is Mexican dirt weed anyway. You wouldn't like it.
Sorry, you didn't give the Supreme Court's BS rationale. No follow-up for you.
Just kidding. Here it is.
So, is there any action a person can take in the United States that is *not* "interstate commerce"? Walking near a school while carrying a firearm, perhaps? Operating a business which transacts with retail customers in its own state, but uses supplies that were manufactured in another state?
Once Justice Roberts said that if you call it a tax with an exemption clause for doing what the government wants you to, not a fine for disobeying the government (even if it was not called a tax in the actual legislation), it's OK. Peachy keen. No problemo. Problem solved. (To coin a phrase.)
Now anything can be prohibited or mandated by the federal government, punishable by a fine (that is called a "tax" when the wind is from the right direction at the proper time of day), apparently.
I'm not sure when the Constitution was dealt its death-blow, but it's definitely not getting up and walking away from that.
It could pull a Lazarus if the majority of the voters knew what was in the Constitution and wanted constitutional government. Or even a large bloc of voters that would be the swing voters in enough states, and enough congressional districts.
I'm not holding my breath.
So, is there any action a person can take in the United States that is *not* "interstate commerce"? Walking near a school while carrying a firearm, perhaps? Operating a business which transacts with retail customers in its own state, but uses supplies that were manufactured in another state?
Of course. Donating money to politicians.
Lol.. I explained why I wouldn't have to. I see you are ignoring content in order to focus on red herrings, so I guess this conversation is over.
But here is a recap in case big paragraphs scare you. The context was obvious, no explanation needed, as the article was talking of the government of California and the GP was talking of the article. Therefore the attempt to associate anything that ever happened in California is misplaced and out of context.