Slashdot Mirror


White House Lures Mudge From Google To Launch Cyber UL

chicksdaddy writes: The Obama Whitehouse has tapped famed hacker Peiter Zatko (aka "Mudge") to head up a new project aimed at developing an "underwriters' lab" for cyber security. The new organization would function as an independent, non-profit entity designed to assess the security strengths and weaknesses of products and publish the results of its tests.

Zatko is a famed hacker and security luminary, who cut his teeth with the Boston-based hacker collective The L0pht in the 1990s before moving on to work in private industry and, then, to become a program manager at DARPA in 2010. Though known for keeping a low profile, his scruffy visage (circa 1998) graced the pages of the Washington Post in a recent piece that remembered testimony that Mudge and other L0pht members gave to Congress about the dangers posed by insecure software.


  1. Aww, so close by damn_registrars · · Score: 1

    It would have been quite hilarious had they instead hired former slashdot employee Pudge. I would have happily taken bets on how long that appointment would have lasted...

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  2. Publishing results? by fustakrakich · · Score: 1

    I don't think so, not without very heavy handed censorship, which the 'industry' will demand, and will turn this into a paper tiger, saying nothing more than, *We take security very seriously, and the perpetrators will be caught* in their press releases.

    --
    “He’s not deformed, he’s just drunk!”
  3. Good luck with that... by mlts · · Score: 1

    I wish them luck. Security is less of a "can't" thing as opposed to a "not worth the trouble" item.

    The fundamentals are widely known, and were in place for ages -- use private WANs (although settling for Private IP MPLS networks is better than nothing) for traffic that should not be on the Net, use basic firewalling, run an IDS/IPS.

    On the system level, SIEM is a big thing. Had Sony had AD policies that alerted if passwords were being guessed and locked accounts (even if the lockout time is just 1-5 minutes), the intrusion would have been mitigated.

    Yes, the enterprise stuff is costly, but on the SOHO/SMB level, one can easily use a PC as a decent firewall, either using Windows Server 2012 and RRAS or a UNIX and its innate routing capabilities. There are open source tools (snort, nagios) for IDS/IPS work, and for logs, Splunk, SolarWinds, or GrayLog.

    Next to will, there is the fact that competent computer security people are rare. For every clued person, there are at least ten suit wearing chatter monkeys who are willing to sell some "solution".

    I still wonder if the answer is something similar to the Great Firewall of China, but this is a double-edged technology. However, the good side is that it could be used to break international botnets as well as block known malware origination sites via IP until the IP owner cleans their mess. This way, there are far fewer attacks actually hitting sites inside the US, and it would force intruders to compromise domestic machines. Of course, the bad thing is that it could easily be a censorship tool, just like China's version.
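The alert-and-lock policy mlts describes above (alert on repeated password guesses, lock the account for a few minutes), as an added example that is not part of this thread: a small detector run over constructed, simplified logon-failure records. The record format, the accounts and the addresses are made up; 4625 is the Windows Security event id for a failed logon, but nothing here is real Windows log output. The threshold, window and lockout length are assumed values, not anything the post specifies.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified records: "<timestamp> <event> user=<name> src=<ip>".
# 4625 is the Windows Security event id for a failed logon; everything else is made up.
SAMPLE_LOG = """\
2015-06-30T03:00:01 4625 user=jdoe src=10.0.0.5
2015-06-30T03:00:02 4625 user=jdoe src=10.0.0.5
2015-06-30T03:00:03 4625 user=jdoe src=10.0.0.5
2015-06-30T03:00:04 4625 user=jdoe src=10.0.0.5
2015-06-30T03:00:05 4625 user=jdoe src=10.0.0.5
2015-06-30T03:00:06 4625 user=jdoe src=10.0.0.5
2015-06-30T03:00:30 4625 user=asmith src=10.0.0.7
2015-06-30T03:09:00 4625 user=jdoe src=10.0.0.5
"""


def parse_record(line):
    """Split one record into (timestamp, event id, user, source ip)."""
    ts, event, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), event,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect(log_text, threshold=5, window=timedelta(minutes=1),
           lockout=timedelta(minutes=5)):
    """Return alert strings for accounts that hit `threshold` failed logons
    inside `window`, and for any attempt made while the account is locked."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}               # user -> time the lockout expires
    alerts = []
    for line in log_text.splitlines():
        ts, event, user, src = parse_record(line)
        if user in locked_until and ts < locked_until[user]:
            # Still locked: the attempt is rejected and is itself worth alerting on.
            alerts.append(f"{ts.isoformat()} ATTEMPT ON LOCKED ACCOUNT {user} from {src}")
            continue
        if event != "4625":
            continue
        recent = failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= threshold:
            locked_until[user] = ts + lockout
            recent.clear()                           # counter restarts after the lockout
            alerts.append(f"{ts.isoformat()} LOCKOUT {user}: {threshold} failed logons "
                          f"within {int(window.total_seconds())}s from {src}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data the fifth failure for jdoe triggers a lockout, the sixth is flagged as activity against a locked account, and the lone failure for asmith and the much later one for jdoe stay below the threshold. Even a short lockout like this turns a quiet guessing campaign into a visible stream of alerts, which is the point mlts makes about Sony.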

    1. Re:Good luck with that... by Etherwalk · · Score: 3, Insightful

      Even a UL stamp for sites that do parameterized SQL injection would be an improvement over today's utter lack of standards. Add to that a browser-based warning for sites without a UL stamp and you've reduced XSS attacks.

      Security is so bad that small improvements can make big differences.
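The parameterized-query check Etherwalk has in mind, as an added example that is not part of this thread: the same lookup written two ways against a constructed in-memory SQLite table, so a reviewer can see why one passes and the other fails. The table, the names and the crafted input are made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with two rows (example data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_vulnerable(conn, name):
    # BAD: untrusted input is spliced into the SQL text, so a quote character
    # in `name` changes the structure of the statement, not just a value.
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # GOOD: the driver binds `name` as a value; whatever it contains is
    # compared literally and can never become part of the query.
    return conn.execute("SELECT name, email FROM users WHERE name = ?",
                        (name,)).fetchall()


# Constructed input that closes the quoted literal and appends a tautology.
CRAFTED = "nobody' OR '1'='1"


def demo():
    """Run both lookups with the crafted input and return what each gives back."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, CRAFTED),
        "parameterized": lookup_parameterized(conn, CRAFTED),
    }


if __name__ == "__main__":
    for variant, rows in demo().items():
        print(f"{variant}: {rows}")
```

The string-built version returns every row for an input that matches no user, while the parameterized version returns nothing; a standards body could verify this class of property mechanically with the same kind of probe, which is why it is a realistic thing to put on a checklist.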

    2. Re:Good luck with that... by mlts · · Score: 2

      True. Right now, -anything- is better than what we have now, as it is hard to fall off the floor.

      The only real way I see security improving is if insurance companies start mandating some security guidelines. May not be PCI-DSS3 strict, but with some semblance of auditing and accountability. Businesses have basic guidelines for physical asset protection (alarm on building, sprinklers, locks on the door, deposit safe), and if insurance demands they have computer and network protection, it would be one of the few ways we might see security happen.

  4. Difficulties... by Junta · · Score: 1

    Well one, it's bad enough for a single company to have their 'security' teams meaningfully assess the security beyond the obvious. Good security really has to be ingrained throughout the process.

The obvious security issues that something like a 'CyberUL' would catch are generally not the issues. The problem is that once a new issue is discovered, the existing install base is not updated. Either because updates are available but IT teams are slack, or because everyone has jumped on the bandwagon of using preloaded stuff baked into products that get subsequently abandoned by their vendor or the vendor just goes defunct.

    For another, any US endorsed entity calling the shots for security faces a bad credibility problem. NIST is pretty well distrusted globally now, I don't know what would happen with this initiative.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  5. Products not organizations by pavon · · Score: 1

This organization would just be responsible for verifying that software is secure, not that an organization is secure. Just like you can still electrocute yourself with a UL listed device if you insist on using it in an unsafe manner, it will be entirely possible for organizations to use CyberUL software in horribly insecure ways. The point of the listing is just to verify that the software can be used securely, if you keep it patched and use it correctly.

    1. Re:Products not organizations by Junta · · Score: 1

      This organization would just be responsible for verifying that software is secure

That was my assumption going in. I'm saying that 'verifying that software is secure' is a complex beast that I don't think is such a trivial undertaking. I was thinking of a company that has a 'development' team and a 'security' team, which I have experience in. The security team generally devolves into effectively black box testing of a system without understanding the real purpose and potentially fishy stuff going on internally that will pave the way to future vulnerabilities. CyberUL would be in those shoes, doing largely black box testing because there is no way they could do full code audits. Sure they can probe it or demand source code to do some analysis tools on it, but the most notorious security problems have mostly been around new discoveries about widely deployed technology that had previously *eluded* such analysis that is already prevalent in the industry.

      It may be good to have a CyberUL to formalize already known best practices, but I don't think it's going to get what people want out of it.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  6. key based auth by Johnny+Mnemonic · · Score: 1

    Why not use key based auth instead of password based?

    Probably for the same reasons that crypto email never worked out, but I wish it were an option on things like banking websites.

    I'm now using a password manager, so I can use pretty hard passwords without having to try to remember them. But using signed certs would be much much stronger still.

    --
    $tar -xvf .sig.tar
  7. "The L0pht"? by drunk_punk · · Score: 1

    I thought it was "L0pht Heavy Industries"? Good times, good times.

    1. Re:"The L0pht"? by AltGrendel · · Score: 1

      Yea, they were always a fun read. I understand why, but it's a shame they went mainstream.

      --
      The simple truth is that interstellar distances will not fit into the human imagination

      - Douglas Adams

  8. No comparison to UL by tcgroat · · Score: 1

    There is an important difference between any government agency and UL. UL's product safety standards are developed in partnership with those who produce the products and with other safety agencies, notably IEC and CSA. This brings credibility, skill, and independence into play.

    For government officials the desire to be seen "doing something" favors haste and visibility rather than long term effectiveness. UL's primary focus is product safety, not favorable media coverage.