White House Lures Mudge From Google To Launch Cyber UL
chicksdaddy writes: The Obama White House has tapped famed hacker Peiter Zatko (aka "Mudge") to head up a new project aimed at developing an "underwriters' lab" for cyber security. The new organization would function as an independent, non-profit entity designed to assess the security strengths and weaknesses of products and publish the results of its tests.
Zatko is a famed hacker and security luminary, who cut his teeth with the Boston-based hacker collective The L0pht in the 1990s before moving on to work in private industry and, then, to become a program manager at DARPA in 2010. Though known for keeping a low profile, his scruffy visage (circa 1998) graced the pages of the Washington Post in a recent piece that remembered testimony that Mudge and other L0pht members gave to Congress about the dangers posed by insecure software.
I like it! Seriously.
Next the White House will bring in Capt. Crunch to make sure the phones are secure.
It would have been quite hilarious had they instead hired former slashdot employee Pudge. I would have happily taken bets on how long that appointment would have lasted...
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
I don't think so, not without very heavy handed censorship, which the 'industry' will demand, and will turn this into a paper tiger, saying nothing more than, *We take security very seriously, and the perpetrators will be caught* in their press releases.
“He’s not deformed, he’s just drunk!”
I wish them luck. Security is less of a "can't" thing as opposed to a "not worth the trouble" item.
The fundamentals are widely known, and were in place for ages -- use private WANs (although settling for Private IP MPLS networks is better than nothing) for traffic that should not be on the Net, use basic firewalling, run an IDS/IPS.
On the system level, SIEM is a big thing. Had Sony had AD policies that alerted if passwords were being guessed and locked accounts (even if the lockout time is just 1-5 minutes), the intrusion would have been mitigated.
Yes, the enterprise stuff is costly, but on the SOHO/SMB level, one can easily use a PC as a decent firewall, either using Windows Server 2012 and RRAS or a UNIX and its innate routing capabilities. There are open source tools (snort, nagios) for IDS/IPS work, and for logs, Splunk, SolarWinds, or GrayLog.
Next to will, there is the fact that competent computer security people are rare. For every clued person, there are at least ten suit wearing chatter monkeys who are willing to sell some "solution".
I still wonder if the answer is something similar to the Great Firewall of China, but this is a double-edged technology. However, the good side is that it could be used to break international botnets as well as block known malware origination sites via IP until the IP owner cleans their mess. This way, there are far fewer attacks actually hitting sites inside the US, and it would force intruders to compromise domestic machines. Of course, the bad thing is that it could easily be a censorship tool, just like China's version.
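The comment above argues that an AD policy alerting on password guessing and locking accounts would have mitigated the Sony intrusion. The following is an added example, not code from the thread or from any product named in it: a minimal SIEM-style detector that reads failed-logon events, emulates a lockout policy (N failures within a time window), and also flags a successful logon that lands while the account should still be locked, which is the sign that the policy is not actually being enforced. The log format is a simplified, constructed rendering of Windows event IDs 4625 (failed logon) and 4624 (successful logon); the sample lines, usernames and addresses are made up for this example.

```python
"""Added example (not part of the Slashdot thread): a SIEM-style detector for
password guessing that emulates an AD account-lockout policy.

Log format is constructed for this example: "<ISO timestamp> <event_id> user=<name> src=<ip>"
where 4625 = failed logon and 4624 = successful logon (Windows Security log IDs).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"

# Constructed sample data: a burst of guesses against svc_backup followed by a
# success, and a slow trickle against alice that should stay below threshold.
SAMPLE_LOG = """\
2014-11-24T03:00:01 4625 user=svc_backup src=10.0.5.17
2014-11-24T03:00:02 4625 user=svc_backup src=10.0.5.17
2014-11-24T03:00:03 4625 user=svc_backup src=10.0.5.17
2014-11-24T03:00:04 4625 user=svc_backup src=10.0.5.17
2014-11-24T03:00:05 4625 user=svc_backup src=10.0.5.17
2014-11-24T03:00:06 4624 user=svc_backup src=10.0.5.17
2014-11-24T03:10:00 4625 user=alice src=10.0.7.2
2014-11-24T03:25:00 4625 user=alice src=10.0.7.2
2014-11-24T03:40:00 4625 user=alice src=10.0.7.2
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event_id, user, src)."""
    ts, event_id, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), event_id,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_password_guessing(log_text, threshold=5, window_seconds=60,
                             lockout_seconds=300):
    """Return a list of alerts as (timestamp, user, src, kind) tuples.

    kind == "lockout": `threshold` failed logons for one account within
        `window_seconds`; the account is treated as locked for `lockout_seconds`.
    kind == "success_during_lockout": a 4624 for that account arrived while
        it should still have been locked, i.e. the policy is not enforced.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # user -> timestamps of recent 4625 events
    locked_until = {}               # user -> datetime the lockout expires
    alerts = []
    for raw in log_text.strip().splitlines():
        ts, event_id, user, src = parse_line(raw)
        if event_id == FAILED_LOGON:
            recent = failures[user]
            recent.append(ts)
            # Drop failures that fell out of the sliding window.
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                locked_until[user] = ts + timedelta(seconds=lockout_seconds)
                alerts.append((ts.isoformat(), user, src, "lockout"))
                recent.clear()
        elif event_id == SUCCESS_LOGON:
            if user in locked_until and ts < locked_until[user]:
                alerts.append((ts.isoformat(), user, src, "success_during_lockout"))
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(alert)
```

With the defaults (5 failures in 60 seconds, 5-minute lockout) the sample produces a lockout alert for svc_backup and a second alert because the following 4624 arrived one second later; alice's three failures spread over thirty minutes produce nothing, which is the trade-off the comment alludes to: a short window catches bursts without locking out users who mistype occasionally, while a slow, spaced attempt needs a longer window or correlation across accounts to surface.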
Sure, hire hatted s'kiddies. I'm sure we'll all be much s4f3r that way.
Well one, it's bad enough for a single company to have their 'security' teams meaningfully assess the security beyond the obvious. Good security really has to be ingrained throughout the process.
The obvious security issues that something like a 'CyberUL' would catch are generally not the issues. The problem is that once a new issue is discovered, the existing install base is not updated. Either because updates are available but IT teams are slack, or because everyone has jumped on the bandwagon of using preloaded stuff baked into products that get subsequently abandoned by their vendor or the vendor just goes defunct.
For another, any US endorsed entity calling the shots for security faces a bad credibility problem. NIST is pretty well distrusted globally now, I don't know what would happen with this initiative.
XML is like violence. If it doesn't solve the problem, use more.
Who does the what with where now?
Ohhhhh, you mean like a list of vulnerable hardware for hackers to check to see what to go after first?
Because that's what this will be used for... more than any companies will use it to check their own inventory and upgrade.
This organization would just be responsible for verifying that software is secure, not that an organization is secure. Just like you can still electrocute yourself with a UL listed device if you insist on using it in an unsafe manner, it will be entirely possible for organizations to use CyberUL software in horribly insecure ways. The point of the listing is just to verify that the software can be used securely, if you keep it patched and use it correctly.
Why not use key based auth instead of password based?
Probably for the same reasons that crypto email never worked out, but I wish it were an option on things like banking websites.
I'm now using a password manager, so I can use pretty hard passwords without having to try to remember them. But using signed certs would be much much stronger still.
--
$tar -xvf
I thought it was "L0pht Heavy Industries"? Good times, good times.
Move along. Nothing to see here. LOOK! another cat video!
Don't worry about the world's largest information gatherer and internet traffic director passing employees back and forth with the administration that has openly bragged about its best-ever use of data to influence the public while using the NSA to spy on everybody more than any other government in world history...
Net neutrality! Gay Marriage! (just don't worry about all that pesky stuff like freedom, privacy, conscience, independence... as long as you get a couple policies you like, you'll be good little minions) it's all good. Google gives you free stuff (in exchange for spying on you and selling whatever they learn about you) and the President wants to give you cheap high-speed internet (by taking the money from other people, and as long as you let him do all the nasty stuff like spying and droning...)
UL began, at least, as a service in the private sector; indeed, security auditing is already a service provided in the private sector.
Why is the government, which grabs its income by decree, allowed to play around with what are clearly private sector services?
Strange, for a supposedly tech community: no one seems to know what UL really does.
In order to sell product to the public that e.g. plugs into the wall in the United States, one must (generally) have it tested and certified by UL. This is a Good thing, and of course there are exceptions, but it stops dangerous (think: electrocution, or carpet that combusts readily releasing toxic fumes) products from harming people. And, as per the name, losses to insurance companies ;) Such organisations exist in most (all?) countries; the 'big' ones (that if you comply with the standard for, you're basically ok) are: Canada - CSA, Germany - VDE and so on.
I have no way of knowing what they intend, but if you call this the "Cyber UL" and organise it the same way, the natural conclusion of that is a regulatory regime that makes it illegal (or hard) to sell a networking product to the general public without test and certification.
Would that be so bad if it was public safety focused (think those network exposed IV drug pumps)? I guess it would depend on the regulatory regime put in place.
There is an important difference between any government agency and UL. UL's product safety standards are developed in partnership with those who produce the products and with other safety agencies, notably IEC and CSA. This brings credibility, skill, and independence into play.
For government officials the desire to be seen "doing something" favors haste and visibility rather than long term effectiveness. UL's primary focus is product safety, not favorable media coverage.