Microsoft Calls For 'Digital Geneva Convention' (usatoday.com)
Microsoft is calling for a digital Geneva Convention to outline protections for civilians and companies from government-sponsored cyberattacks. In comments Tuesday at the RSA security industry conference in San Francisco, Microsoft President and Chief Legal Officer Brad Smith said the rising trend of government entities wielding the internet as a weapon was worrying. From a report on USA Today: In the cyber realm, tech must be committed to "100% defense and zero percent offense," Smith said at the opening keynote at the RSA computer security conference. Smith called for a "digital Geneva Convention," like the one created in the aftermath of World War II which set ground rules for conduct during wartime, defining basic rights for civilians caught up in armed conflicts. In the 21st century such rules are needed "to commit governments to protect civilians from nation-state attacks in times of peace," a draft of Smith's speech released to USA TODAY said. This digital Geneva Convention would establish protocols, norms and international processes for how tech companies would deal with cyber aggression and attacks of nations aimed at civilian targets, which appears to effectively mean anything but military servers.
Because theirs is by far the most architecturally broken and bodged, therefore most insecure and vulnerable OS.
If you want peace you need to start by committing not to attack the other side, only to ever defend yourself.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Maybe we should restore general law literacy first. The way things currently are, law is enforced strictly at the whims of the powerful.
Just as long as.... as unleashing Clippy on the world is deemed a war crime.
Why not a "digital land mine treaty" while we're at it?
Perhaps there's a good reason to call it a 'digital Geneva Convention' - It's basically a nice guideline to point to that the US browbeats others with, only to fail to ratify into law and enforce themselves.
Without an enforcement body, this is meaningless. Who would you trust to enforce it anyway, MICROSOFT? Why not just call it a digital waste of time.
Good luck with that, MS. The adversaries out there are not just nations who might have something to gain by playing fair or following rules due to game theory, but terrorist groups, criminal organizations, heck, even disaffected college students. Unlike conventional weapons that require expensive physical objects, a massive DDoS can be launched as easily from a cast-off 486 acting as the top-level command console as it can from a high-end supercomputer.
The main focus needs to be on "Great Wall of xxx", "xxx" being the country. If this isn't thought of now, it will be done by the government when some cyber-terrorism event happens that gets knee-jerk reactions going (think the USA PATRIOT Act.) China has their Great Firewall. Iran is building their own Internet. Australia is in the process of building their nationwide firewall. Blocking attacks from other countries is going to be an issue sooner or later.
A second focus needs to be on LARTing IoT makers to follow a ground-up security design. A hub (or hubs for redundancy) and spoke system, so IoT devices do their communication through a hardened hub that only allows the devices to communicate with what sites the signed manufacturer's manifest allows (and 0.0.0.0/0 is not allowed directly.) As it stands now, there is actually a punishment for IoT makers to design any security in their products. Mainly because if v1.0 has a security hole, when the IoT maker makes 1.1, all the owners of Device 1.0 will upgrade or else face being pwned. If the IoT maker did updates, they would lose out on that revenue, plus to them, every dollar spent on security is a dollar with no ROI. Unless pressure is placed on IoT makers, we will be seeing exponentially worse DDoS attacks when every fridge, microwave, smart TV, sex toy, and doorbell can be used for it.
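The hub-and-spoke egress policy this comment describes, as an added example that is not part of the original thread: a hub verifies a signed manufacturer manifest, rejects a catch-all entry such as 0.0.0.0/0, and default-denies every destination the manifest does not list. The key, manifest layout, device name and addresses are constructed for illustration, and the HMAC stands in for the asymmetric signature a real hub would check against the manufacturer's public key.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed demo key (assumption). A real hub would hold the manufacturer's
# public key and verify an asymmetric signature instead of an HMAC.
VENDOR_KEY = b"constructed-demo-key"


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """Manufacturer side: sign the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def load_manifest(manifest: dict, signature: str, key: bytes = VENDOR_KEY):
    """Hub side: verify the signature first, then vet every allowed network."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        raise ValueError("manifest signature mismatch")
    rules = []
    for entry in manifest["allow"]:
        net = ipaddress.ip_network(entry["cidr"], strict=True)
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 would defeat the allowlist
            raise ValueError("catch-all network is not allowed")
        rules.append((net, entry["port"]))
    return rules


def egress_allowed(rules, dst_ip: str, dst_port: int) -> bool:
    """Default deny: permit only destinations listed in the verified manifest."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net and dst_port == port for net, port in rules)


# Constructed sample manifest for a hypothetical doorbell (documentation range).
MANIFEST = {
    "device": "doorbell-demo",
    "allow": [{"cidr": "203.0.113.0/28", "port": 443}],
}
SIGNATURE = sign_manifest(MANIFEST)
RULES = load_manifest(MANIFEST, SIGNATURE)

if __name__ == "__main__":
    for ip, port in [("203.0.113.5", 443), ("203.0.113.5", 80), ("198.51.100.7", 443)]:
        verdict = "allow" if egress_allowed(RULES, ip, port) else "deny"
        print(f"{ip}:{port} -> {verdict}")
```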
Thanks to the NSA and CIA, any such "rules" will have so many back doors that they will be useless.
Rules get ignored and circumvented. Devices and software have backdoors. I don't see how it makes sense to attempt to apply the concept in one area to the other.
"Well, the best defense is a good offense. Do you know who said that? Mel the Cook on Alice."
ELOI, ELOI, LAMA SABACHTHANI!?
How do you enforce a digital Geneva convention?
You unfriend any nation state from your nation's Facebook page if they break the convention? The regular Geneva Convention is hard enough to enforce, a digital one will be even harder because it's harder to prove an actor is really from a location or nation. Even if an assailant traced back to Russia is caught breaking the convention online and Russia "fails to catch" the person responsible they can claim he was a Ukrainian acting on behalf of Ukraine from within their borders.
Even the regular Geneva Convention isn't really respected anymore. You've got the US brazenly violating it in Gitmo. Iraqi troops during the gulf war were violating it. No-one really takes it seriously anymore.
"That's the way to do it" - Punch
Or law in general anymore. Law only gets enforced at the whim of the powerful. For that matter, it's hard to tell what anyone takes seriously anymore, as most people seem to be more eager to be ground underfoot than the people doing the grinding.
How about an agreement that forces the OS makers off the user's data? No? You mean you'd have to significantly alter Win 10 to pass those new rules?
If you can't store data safely, you better not store it at all.
The only thing that needs to happen to clean up this whole mess is to make people and corporations FULLY responsible for any data collected and any damage done to anyone by the data being leaked. You'll see that data snooping end pretty fucking quickly that way.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
A guaranteed right for civilians to strike back against state-sponsored attacks that should not be targeting them should be enshrined into law. All forms of warfare. Collateral damage? No fucking longer, because it will be your ass.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Does that mean that NSA, FBI, IRS, etc. would not "attack my server?" This is the most idiotic idea that anyone ever not thought through. It's a total non-starter. I thought even Clintonite Democrats from Washington and California were smarter than that.
Would this make any serious impact though? The vast majority of cyber attacks aren't the life-and-death ones like bringing down the power grid. They are the more gray areas, espionage and theft, that nation-states may not be as quick to sign up for. If anything, many nations, including Western ones, view economic espionage as a civic duty in a global economic zero sum game. Why would they sign up for that? In addition, nation-states already tend to use "non-state" actors to give them plausible deniability. Oh those hackers who hit your grid - just some vagrant teenagers.
If you aren't running Insider builds you really aren't looking after your own interests. That's what I do. I also handle things for my Mom, but she mostly uses it to play Facebook games and other Facebooky things. She does what in her world amounts to "serious stuff" on an Android phone I picked out for her. I also picked out her "Facebook computer".
Maybe I "enable" my mom too much.
I've twice tried to submit a story where we could all get together and issue our friendly challenges regarding Slashdot but they were declined. Eventually I'll likely work up the gumption to try again. Anybody else like to have a go?
Rules get ignored and circumvented. Devices and software have backdoors. I don't see how it makes sense to attempt to apply the concept in one area to the other.
Sorry, poor terminology choice. I should have said "exceptions" or "loopholes."
I actually want a Home product that is maintainable. I have health problems though, so my cash is at a premium. I try to make use of Home, but there are features of Pro that would make my life easier in maintaining my and my mom's computers. Then there's no product for maintaining home devices. For that matter, diagnostic messages and recovery procedures of devices and software are garbage. My phone today would attempt to connect to my home network and then not do it. No error message or anything.
All right, so you have 32-bit Windows. It puts stuff in C:\WINDOWS\SYSTEM32. You then bolt on 64-bit Windows. Do you put the 64-bit stuff in C:\WINDOWS\SYSTEM64? Not if you're Microsoft. For them, the correct answer is to put the 64-bit stuff in C:\WINDOWS\SYSTEM32 and put the stuff for 32-bit programs that turn them into 64-bit calls into C:\WINDOWS\SYSWOW64.
Hope I helped. Society is already badly frayed and this is an area which could result in Tower of Babel levels of falling out if we don't tend to it.
Comparing a desktop operating system, especially one for home use, to a server operating system, is not useful.
I have a saying. National sovereignty is a violation of personal sovereignty. I need to further develop my philosophy, but you gotta start somewhere.
"So yeah, you crashed the economy"
"You owe us one economy. Better get started on that."
Originally Windows was essentially a shell over MS-DOS. At that time, Windows was 16-bit and SYSTEM was the directory. Some stuff kind of still wants other stuff there, and this matters in the 32-bit versions of Windows which can still run 16-bit Windows programs and many DOS programs. The transition to 32-bit was not the major compatibility breaking change you say it is. 16-bit calls were thunked to 32-bit routines just as 32-bit calls are now thunked to 64-bit routines in 64-bit versions of Windows.
Are security protocols that broken at larger organizations or is it just Microsoft asking for government protection from improving and finding bugs in their software?
It's easy to defend against a security attack, you could use perhaps a large amount of sites small enough to be managed by a 2 or 3 man team and then connect those sites with a network that takes different routes around when one goes missing. We could have ARPA develop the thing and call it ARPAnet.
The NSA isn't snooping on Facebook and Gmail because they expect to find Chinese and Russian military secrets there. Almost all active conflicts now are asymmetric warfare where at least one of the parties isn't enrolled in regular armies of any kind, it's just people. They don't dress up in uniform, they don't have any particular military infrastructure, they hide among the civilian population in civilian buildings and use civilian tools. The general population's freedom, privacy and anonymity will come under attack again and again. I can wave a convention at the NSA all I want, they don't care. What we need are hardened tools, better transparency and more control. And the legal protection to be able to use those tools freely.
Live today, because you never know what tomorrow brings
Where do you buy security breeches? The normal ones I wear are forever letting me down.
None of your HOSTs files protects against state-sponsored attacks. That one got proven by plenty of state actors already.
Give up on your shitty outdated 'security' as this modern world barely even uses HOSTs any longer.
where all the signatory companies agree to spend a minimum percentage of gross profits on making their products secure. And, they could agree to cooperate with other digital defense treaty companies on security matters.
Too big to fail? Are we there yet again already? Companies being exempt from law because if we could slap them with a fine that isn't but a slap on the wrist, they take our economy with them, essentially holding our economy hostage?
Any corporation "too big to fail" must be broken up, anything "too big to fail" is a threat to the economy in general.
Only Microsoft will be allowed to attack and spy on you, without being perturbed or sidelined by these annoying competitors.
Sorry, that's juvenile and I should know better, but these little outbursts of virtue signalling from them get my goat. And I haven't even got a goat.
On y va, qui mal y pense!
The Hague convention says that civilians get the same protections, provided they carry arms openly and fight more or less according to the laws of war, before their enemy has intervened. If the perfidious Canadians were to cross the border and attack the Twin Cities, I'd have the legal right to pick up a rifle and start shooting as a lawful combatant. That right ends the moment the US Armed Forces show up, which in this particular case would be before I could get a rifle.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
"By the way, Khyber - Are YOU doing better than I have on this front?"
I've never had an attack or network penetration, ever, because I'm smarter than you. I've never had to write a HOSTs program, because unlike you, I'm not stupid enough to get infected by anything, and I'm smart enough to use dedicated hardware that's impervious to OS workarounds.
You, on the other hand, and your outdated security friends, have tried to beat my system, and you've all failed miserably. So, please, come back when you're actually competent at breaking into systems, then you can talk about security.
Hey, guess what? My internal to router block list is only TEN lines long and runs a thousand times faster than your shitty hosts file.
You needed 16,000 lines to do what I could do in ten. You're fucking PATHETIC and so are the people that trust and support you.
I've built my own protocols. This is why you can't touch my stuff.
It's called PROPER PROGRAMMING - something your 16,000 lines of code is not.
"Documented facts"
>nothing but a bunch of other 3rd world 'security' people having their words repeated by you
Meanwhile, as I've proven (and as Microsoft has proven) time and time again, HOSTs is bypassed by the OS and browsers AT WILL.
You fucking moron.
>fake name and fake life
Meanwhile, as Vice President of one of the oldest mineralogical societies in California, I've secured their entire network exactly as I described and ran a full-out attempt to get any ad to display on our computers.
ZERO ADS DISPLAYED.
I just block the largest ad networks off the bat by wildcard IP and it's fucking done in my router. ZERO ADS TOUCH ME.
Apparently, you're not smart enough to figure out that the ad companies paid for static IPs for easy configuration, in whole blocks. Just block the entire fucking range.
Code line reduction by four fucking orders of magnitude.
Meanwhile, back to my job as Vice President and certified gemologist, LOSER.
"Windows doesn't block hosts fool (only 4 windows update)"
I didn't say Windows blocks HOSTs - now you're putting words in my mouth you incompetent fuck.
But it still bypasses it for Windows update? THAT IS EXACTLY WHY HOSTS IS USELESS!
If I fucking say YOU DO NOT GO THERE and yet the computer STILL GOES THERE, then HOSTs is BROKEN.
That you cannot accept this logic is proof that you're insane, untrustworthy, and a FRAUD.
"Where do hosts get bypassed no mind? Windows Update ONLY stupid fuck!"
And every browser, and any program can be programmed to bypass HOSTs, proven time and time again with a simple GOOGLE SEARCH - how? Ignore fucking DNS resolution in the OS and do it yourself (ever hear of ZenMate for Chrome? It does exactly that.)
USELESS. This is why IP blocking works best.
BTW, you can simply bypass HOSTs if a piece of malware simply removes the user permissions from HOSTs. Pretty shitty 'security.'
Ahh, the moron looking at OLD NEWS (in which the e-mail was proven a FAKE - the header was TWO LINES LONG. Obviously fake.)
See how stupid you are? Now I have you, Alexander P Kowalski, for libel, and the proof is right here, where you can't touch it, hide it, or deny it.
Now to hunt you down and file suit.
Thanks for the extra libel evidence.
I love it when you lose so hard you have to resort to personal attacks.
I'm going to love it even more when the news of the lawsuit comes to bite you in the ass.