Slashdot Mirror
White House Lures Mudge From Google To Launch Cyber UL
chicksdaddy writes: The Obama Whitehouse has tapped famed hacker Peiter Zatko (aka "Mudge") to head up a new project aimed at developing an "underwriters' lab" for cyber security. The new organization would function as an independent, non-profit entity designed to assess the security strengths and weaknesses of products and publishing the results of its tests.
Zatko is a famed hacker and security luminary, who cut his teeth with the Boston-based hacker collective The L0pht in the 1990s before moving on to work in private industry and, then, to become a program manager at the DARPA in 2010. Though known for keeping a low profile, his scruffy visage (circa 1998) graced the pages of the Washington Post in a recent piece that remembered testimony that Mudge and other L0pht members gave to Congress about the dangers posed by insecure software.
Zatko is a famed hacker and security luminary, who cut his teeth with the Boston-based hacker collective The L0pht in the 1990s before moving on to work in private industry and, then, to become a program manager at the DARPA in 2010. Though known for keeping a low profile, his scruffy visage (circa 1998) graced the pages of the Washington Post in a recent piece that remembered testimony that Mudge and other L0pht members gave to Congress about the dangers posed by insecure software.
I wish them luck. Security is less of a "can't" thing as opposed to a "not worth the trouble" item.
The fundamentals are widely known, and were in place for ages -- use private WANs (although settling for Private IP MPLS networks is better than nothing) for traffic that should not be on the Net, use basic firewalling, run an IDS/IPS.
On the system level, SIEM is a big thing. Had Sony had AD policies that alerted if passwords were being guessed and locked accounts (even if the lockout time is just 1-5 minutes), the intrusion would have been mitigated.
Yes, the enterprise stuff is costly, but on the SOHO/SMB level, one can easily use a PC as a decent firewall, either using Windows Server 2012 and RRAS or a UNIX and its innate routing capabilities. There are open source tools (snort, nagios) for IDS/IPS work, and for logs, Splunk, SolarWinds, or GrayLog.
Next to will, there is the fact that competent computer security people are rare. For every clued person, there are at least ten suit wearing chatter monkeys who are willing to sell some "solution".
I still wonder if the answer is something similar to the Great Firewall of China, but this is a double-edged technology. However, the good side is that it could be used to break international botnets as well as block known malware origination sites via IP until the IP owner cleans their mess. This way, there are far fewer attacks actually hitting sites inside the US, and it would force intruders to compromise domestic machines. Of course, the bad thing is that it could easily be a censorship tool, just like China's version.
Even a UL stamp for sites that do parameterized SQL injection would be an improvement over today's utter lack of standards. Add to that a browser-based warning for sites without a UL stamp and you've reduced XSS attacks.
Security is so bad that small improvements can make big differences.