NSA Chief Wants Internet Partitioned For Government, 'Critical' Industries

timothy posted more than 3 years ago | from the little-cubbies-for-everything dept.

Government 258

GovTechGuy writes "NSA chief Keith Alexander, also the head of the US Cyber Command, told reporters that he would like to see the creation of a secure zone on the Internet for government and critical private sector industries such as utility companies and the financial sector. Alexander has repeatedly emphasized the dramatic nature of the cyber threat facing American networks and his comments were a further sign that the Pentagon does not think the war against foreign hackers can be won. Alexander denied the military has any role in safeguarding civilian networks currently, but didn't rule out the option in the future."

258 comments

Capitalized, with definite article (5, Insightful)

symbolset (646467) | more than 3 years ago | (#33681174)

Somebody's confused about the difference between "an internet" and "The Internet".

absolutely, do it yourself, fool (4, Insightful)

swschrad (312009) | more than 3 years ago | (#33681734)

you get yourself a bunch of private pipes, and you use them as a backbone using IP, and you use a private set of addresses like the 10-net, and you make no connections whatsoever between this and The Connected Internet.

and you have an internet.

and it's not connected to The Connected Internet.

and then you can control your own security.

and as long as you do not put any software on any machines on the private internet that comes from untrusted sources and has not been vetted, you're nice and secure.

nothing with any criticality should EVER be connected to The Connected Internet.

glad you've made a start in this process. now build one. a bunch of pre-teens could hash up one in an hour if you don't need a bunch of wacky routing rules.

Re:absolutely, do it yourself, fool (2, Funny)

lseltzer (311306) | more than 3 years ago | (#33681828)

It's not pipes, it's TUBES! TUBES!

Re:absolutely, do it yourself, fool (0)

Anonymous Coward | more than 3 years ago | (#33682306)

So, do you pronounce the "ou" in router as in "out" or in "toot"?

Re:absolutely, do it yourself, fool (2, Insightful)

tgatliff (311583) | more than 3 years ago | (#33681922)

Let me guess.... Actually, what this is really about is that the head of NSA is upset that he cannot currently stream HD 1080p porn directly to his desk from another government friend employee. I mean, it is just sooooo choppy. A new network must be made immediately!!!

Re:absolutely, do it yourself, fool (2)

Z00L00K (682162) | more than 3 years ago | (#33682118)

And a lot of useful information that exists on the Internet will be unavailable, so the disadvantages of the private net will outweigh the advantages.

Most of the problems on the net are caused by the fact that most computers run the same OS (or OS family) which makes it easy for intruders. A larger variation in operating systems and applications would have made it a lot harder for malicious people.

How so? (3, Insightful)

khasim (1285) | more than 3 years ago | (#33682454)

And a lot of useful information that exists on the Internet will be unavailable, so the disadvantages of the private net will outweigh the advantages.

Like what?

The only one that immediately springs to mind is email and that's simple enough to handle.

What else would a person working on a secured network need to access?

Re:Capitalized, with definite article (2, Insightful)

tgatliff (311583) | more than 3 years ago | (#33681888)

He apparently seems to have a misunderstanding on what a VPN is as well...

Also, the problem is not "the internet". The problem is people in general. If you only allow a system to be modified by a physical person in front of a unix/linux/vxworks (or similar) terminal with no network connection, then it makes "hacking" something like pretty much impossible unless a person is physically present.

IPX, DECnet (0)

Anonymous Coward | more than 3 years ago | (#33681924)

Somebody's confused about the difference between "an internet" and "The Internet".

Well, they could simply run IPX or DECnet and not have to worry about attacks from the outside.

Re:IPX, DECnet (1)

lennier1 (264730) | more than 3 years ago | (#33682336)

Reminds me of the days when a bank's ATMs weren't networked the same way Joe Sixpack accesses his porn.

Re:Capitalized, with definite article (1)

blair1q (305137) | more than 3 years ago | (#33682248)

You mean "a network based on protocols developed for The Internet" and "The Internet".

Isn't that just a network? (4, Insightful)

XanC (644172) | more than 3 years ago | (#33681244)

This is what a bunch of us have been saying for a while: there's no reason for those really critical things to be on the Internet. Now they're proposing that they won't be, but are calling it a "partition". (??)

Re:Isn't that just a network? (4, Insightful)

airfoobar (1853132) | more than 3 years ago | (#33681326)

Their goal is probably to get an excuse to somehow restructure the internet.. Who knows what "partitioning" may entail?

Re:Isn't that just a network? (5, Insightful)

causality (777677) | more than 3 years ago | (#33681432)

Their goal is probably to get an excuse to somehow restructure the internet.. Who knows what "partitioning" may entail?

This could be a great "excuse" for us, too. We should make him a deal. Partition off the governmental and "critical industry". Now the public Internet has no more high-profile targets. Then, drop all the warrantless wiretapping, eavesdropping, and other monitoring from the public Internet and use it to lock down the governmental and critical parts. All of the resources and manpower focused on a much smaller target should do wonders towards securing us against the currently trendy bogeyman of "cyberattack".

Re:Isn't that just a network? (1)

AnonymousClown (1788472) | more than 3 years ago | (#33681708)

But that doesn't negate the "tracking terrorist communications" excuse.

Re:Isn't that just a network? (-1)

Anonymous Coward | more than 3 years ago | (#33681942)

But that doesn't negate the "tracking terrorist communications" excuse.

Give the terrorists their own partition too? :D

Re:Isn't that just a network? (1)

Kjella (173770) | more than 3 years ago | (#33681788)

And for all of you who seriously believe that, I have a wonderful investment opportunity in a bridge to sell you... In fact it's the same bridge, and it doesn't even exist and I'm actually just going to scam you for money but I assume your mind blanked after the first sentence and you're off to your bank to see how much you can mortgage your home (causing a second financial crisis) right now, but you'll probably start reading again at the end so: Limited time only, 300% guaranteed return! Sign up at i.r@gullible.biz.

Re:Isn't that just a network? (1)

royallthefourth (1564389) | more than 3 years ago | (#33682242)

Yes, let's tell him he can have his special internet on our terms or else we'll...uhhh...

Re:Isn't that just a network? (4, Insightful)

phantomfive (622387) | more than 3 years ago | (#33682244)

The people don't need an 'excuse' to make a deal with the government. We don't need to make deals with the government. In a government of the people, by the people, and for the people, when we want something done, we tell the government to do it.

Now all we need to do is convince the vast majority of the country to oppose warrantless wiretapping, etc. Most people are ok with that kind of thing, you know, because it catches criminals or terrorists or something. In other words, he doesn't need to make a deal with you, and he won't, because he has the people on his side. See also, "how Bush got congress to agree to invade Iraq by convincing the vast majority (for a brief moment) that it would help with terrorists or something."

Re:Isn't that just a network? (1)

Kepesk (1093871) | more than 3 years ago | (#33681342)

Yeah, I'm not sure why this concept has been so hard for them. If they really need critical information to be distributable on a system like the internet, all they would really need to do is set up a separate, independent internet using existing technology for their own secure purposes. I'm sure that with their vast resources, they could do it.

Am I right?

Re:Isn't that just a network? (1)

postbigbang (761081) | more than 3 years ago | (#33681514)

There are lots of little Internets around, actually private networks that emulate Internet infrastructure; the telcos offer them as extensions of their old private messes. Methinks the NSA just needs more money to complete their own wiring. And of course, that'll cure everything until we get our little backdoor router into the thing.

The Internet II was supposed to be an experiment to look at a nice OC192 highway to link universities in the old DARPA model... and it's wired (actually fibered) now.

I can just see the US National Debt sign is starting to spin ever faster.

Re:Isn't that just a network? (3, Interesting)

bartle (447377) | more than 3 years ago | (#33681468)

This idea of a nationwide secure network has never made much sense to me. Creating a secure network in a small organization is pretty easy but creating one that links many public and private enterprises sounds like a disaster. Gaps will inevitably appear but worse it creates a real target for someone who wishes to create harm.

Re:Isn't that just a network? (1)

mjwalshe (1680392) | more than 3 years ago | (#33681480)

yes this is just an internet for a restricted group if you want security build your own network and stick an air gap between you and the internet - this isn't exactly rocket science

Isn't that Internet 2? (3, Insightful)

jd (1658) | more than 3 years ago | (#33681864)

The whole point of the Internet 2 project was to provide secure, robust, high-speed communication to those who needed it. Not that I really know what makes "Internet 2" anything more than a section of the regular Internet 1 with restrictions on traffic routing off the high-speed backbone they've got. That and a functional IPv6 infrastructure which they've had in place for about 15 years without the need of tunnel brokers. Oh, and IPv6-aware applications - something else Internet 1 users have too few of and they've plenty of.

So the military have only NOW realized that putting sensitive or mission-critical information over a public network is a Bad Idea? Pffft. Pull the other one. They're one of the key players IN the Internet 2 endeavor. I can understand them wanting to get power stations and other critical infrastructure onto it, I can even understand them thinking Joe Public is too stupid to remember all of the news coverage Internet 2 has had over the years, or to google to see if such a network exists. But I'm frankly amazed that they've not been called on it by anyone, and shocked (shocked I tell you!) that nobody on Slashdot has mentioned it.

Re:Isn't that just a network? (1)

htdrifter (1392761) | more than 3 years ago | (#33682150)

There is no excuse for critical anything to be on the Internet. This is what happens when people are put in charge of something they don't understand.

Inventing an answer for an imaginary problem is not a big thing. Implementing it is a different story.

The next big step is to design encryption technology to make Etch-a-Sketch secure.

Re:Isn't that just a network? (1)

Jaime2 (824950) | more than 3 years ago | (#33682352)

I think they're even more confused than that. It's pretty basic common sense that these critical services shouldn't be on the Internet. But, they are. Somebody must have weighed the security risks and benefits of connecting to the Internet and made a conscious decision to connect to it. There is no way that this new "partition" could offer what they sought when they connected to the Internet. So, all this would do is reset the environment back to the time when they weren't connected. The same results could be achieved by simply disconnecting.

This will leave them with the issue of connecting to specific points, but there are already solutions to get this done. Heck, common solutions like MPLS fill the gap just fine.

Re:Isn't that just a network? (0)

Anonymous Coward | more than 3 years ago | (#33682376)

It is called a private VPN. *MANY* companies do it. You can even hire companies to set it up for you.

They take a bit of work to set up. But once you do you can use both at the same time. And yes it does work. You need to decide what traffic you let in and out. Then *ONLY* that. Then only encrypted. Then only those nodes you have whitelisted in. Then only when you allow it. It's called Radius (small part of it but it works very well).

What happens many times is people end up bridging across from the real internet into the intranet. *THEN* you have a problem...

It just takes one... (4, Insightful)

DoofusOfDeath (636671) | more than 3 years ago | (#33681252)

One little gateway to the great, unwashed Internet, and the whole walled garden is compromised.

In fact, thinking they are safe in a walled garden is likely to lower their level of caution.

And it doesn't require an active network link spanning the networks. Viruses and other nasties can be entered via CDs, USB sticks (I'm looking at you, U.S. Navy), or malicious persons on the inside.

If this guy is serious, what he probably wants is the ability to partition the Internet such that walled gardens can be set up, torn down, and have their membership adjusted very quickly.

Oh, and to hope that the ability to mess with that never gets into the wrong hands.

Re:It just takes one... (2)

Statecraftsman (718862) | more than 3 years ago | (#33681522)

He might want to mess with the network and its topology because he's a network guy. Right now the biggest threats come from exploitable bugs in software so rather than attempt to create a new Internet, this guy should be funding massive security code review of both free and non-free software.

Re:It just takes one... (1)

DoofusOfDeath (636671) | more than 3 years ago | (#33681558)

He might want to mess with the network and its topology because he's a network guy. Right now the biggest threats come from exploitable bugs in software so rather than attempt to create a new Internet, this guy should be funding massive security code review of both free and non-free software.

Fair point. But I'm not sure which approach would be cheaper and/or more effective.

Re:It just takes one... (3, Informative)

Znork (31774) | more than 3 years ago | (#33681678)

Partitioning is a pipe dream; any network with a significant number of users will have uncontrolled exchanges with the internet.

The only way to have reasonable security is to keep certain subsystems separate and accessible only via specific gateways; no user is ever logically placed on those segments, and they are only ever accessed over very few very specific interfaces.

Re:It just takes one... (0)

Anonymous Coward | more than 3 years ago | (#33681764)

Walled Garden.....

Make it secure, with stiff penalties for breach including those with higher structured positions than those of the responsible party, highly auditable under FOIA, and labor force is restricted to non-contract, non-outsourcing, and non-military (except for penetration testing purposes).

Call it the 'Peoples Network' for Securing America and Infrastructure.

Why yes. I am a slightly Communist. Why do you ask?

/tongue slightly in cheek

There is a good reason for this (4, Informative)

Aqualung812 (959532) | more than 3 years ago | (#33681898)

I used to work at a bank, and I really wished for something like this. Imagine a network with no home connections, nothing moving across it but VPNs. VPNs from bank to bank, power company to government, etc. Every node would be authenticated. No worms.

In this type of network, I can turn the logging on my firewall to the max, and anything that even looks at my bank's firewall with a ping can be reported to the agency that runs the show. Once it is confirmed that they're going where they should not, they're kicked off the network.

The issue I had is that because there are so many cases where bank A needs to talk to bank B, and neither want to have the T1 line under their name. If the Internet goes down, no money can be moved and there are big problems. Making a walled place for this would be great.

People need to understand that you can EITHER have security OR the ability to be anonymous. If you want one, you're losing the other.

Re:It just takes one... (1)

suomynonAyletamitlU (1618513) | more than 3 years ago | (#33682234)

One little gateway to the great, unwashed Internet, and the whole walled garden is compromised.

It's okay, they can just create their own, malware-free porn sites on the government network and nobody'll ever be tempted.

Re:It just takes one... (1)

LordLimecat (1103839) | more than 3 years ago | (#33682250)

You mean, unless there's actually real security there? I would hope the NSA could afford better equipment than dumb switches and a single router.

There are, for example, pieces of network equipment that will detect outbound traffic on the network and forcibly route it through itself (the equipment I saw doing this was a Nomadix gateway). Tie that with a managed layer-3 switch (configured to prevent DHCP from coming from untrusted ports), plus a little configuration to raise a red flag when a node's MAC changes, and you have a configuration where the most someone can do is provide himself an isolated connection to the internet.

Of course, one could have a wireless router hooked to the internet, hook into that and then bridge into the private network, but no one else would be able to access that gateway, and if you have proper firewall rules in place no one should be able to do any serious harm regardless. Sure, an outside party could spoof IPs, but I don't see how you would get any kind of meaningful TCP connection thru the bridge if you did so.

Saying that "one little gateway....and the whole walled garden is compromised" is just ignorant. I mitigate that scenario with a second $30 Rosewill router walling off part of the network. LOOK! now the breach is contained to a single segment. Why are armchair admins being modded "insightful", again?
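The two switch-side checks named in the comment above (DHCP server traffic accepted only from trusted ports, and a red flag when the MAC seen on a port changes), sketched as an added example that is not part of the original thread. The `PortMonitor` class, the event tuples, the port names and the MAC addresses are all constructed for illustration and do not reflect any vendor's configuration syntax.

```python
"""Added illustration: the two switch-side checks from the comment above.

Every port name, MAC address and event below is constructed sample data.
"""
from dataclasses import dataclass, field

# DHCP message types (option 53) that only a DHCP server sends.
DHCP_SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}


@dataclass
class PortMonitor:
    trusted_dhcp_ports: set   # ports where a DHCP server is allowed to live
    access_ports: set         # single-host ports; uplinks are deliberately excluded
    last_mac: dict = field(default_factory=dict)   # port -> last source MAC seen
    alerts: list = field(default_factory=list)     # (kind, port, detail) tuples

    def observe(self, port, src_mac, dhcp_type=None):
        """Record one frame summary; return False if the frame should be dropped."""
        src_mac = src_mac.lower()   # normalise so case differences are not "changes"
        forward = True

        # Check 1: server-side DHCP messages must arrive on a trusted port.
        if dhcp_type in DHCP_SERVER_TYPES and port not in self.trusted_dhcp_ports:
            detail = f"{DHCP_SERVER_TYPES[dhcp_type]} from {src_mac}"
            self.alerts.append(("rogue-dhcp", port, detail))
            forward = False

        # Check 2: on an access port, a different source MAC is a red flag.
        # Uplinks carry many MACs legitimately, so they are not tracked.
        if port in self.access_ports:
            previous = self.last_mac.get(port)
            if previous is not None and previous != src_mac:
                self.alerts.append(("mac-change", port, f"{previous} -> {src_mac}"))
            self.last_mac[port] = src_mac
        return forward


# Constructed events: (port, source MAC, DHCP message type or None).
SAMPLE_EVENTS = [
    ("uplink1", "00:00:5e:00:53:01", 2),     # OFFER from the real server: allowed
    ("gi0/3", "00:00:5e:00:53:10", 1),       # client DISCOVER
    ("gi0/3", "00:00:5E:00:53:10", None),    # same host, upper case: no alert
    ("gi0/7", "00:00:5e:00:53:20", None),    # first host seen on gi0/7
    ("gi0/7", "00:00:5e:00:53:99", None),    # different MAC on gi0/7: flagged
    ("gi0/7", "00:00:5e:00:53:99", 2),       # OFFER from an access port: dropped
    ("uplink1", "00:00:5e:00:53:02", None),  # second MAC on the uplink: expected
]


def run_sample():
    monitor = PortMonitor(trusted_dhcp_ports={"uplink1"},
                          access_ports={"gi0/3", "gi0/7"})
    dropped = [ev for ev in SAMPLE_EVENTS if not monitor.observe(*ev)]
    return monitor.alerts, dropped


if __name__ == "__main__":
    alerts, dropped = run_sample()
    for alert in alerts:
        print(alert)
    print("dropped frames:", len(dropped))
```
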

Re:It just takes one... (0)

Anonymous Coward | more than 3 years ago | (#33682432)

One little gateway to the great, unwashed Internet, and the whole walled garden is compromised.

One little gateway to any private network compromises it? O rly?

Most private networks I know of take advantage of the fact they can dictate what goes on it, and which protocols can pass it.

Obviously we have reasons for building all the private networks we currently have today, and the possibility of a little gateway popping up doesn't stop them from working.

I suppose (3, Insightful)

KarrdeSW (996917) | more than 3 years ago | (#33681262)

I suppose it would be possible to build a whole second infrastructure across the country for Government agencies and 'critical industries', one that would never necessarily cross lines with any part of the 'insecure' internet. However, I would think the fact that you would need a nationwide infrastructure is what would make it just as insecure as the real thing, as there would be innumerable points for a malicious person to connect in. Also, unless you plan on creating a whole new 'secure' operating system to connect to every computer on this new network, you're still going to be vulnerable if anyone brings in a flash drive or a DVD with a virus.

Oh, and you could NEVER allow wireless connections to this network... that would just be too damn easy.

"Partition"? Build separate infrastructure instead (2, Insightful)

zooblethorpe (686757) | more than 3 years ago | (#33681360)

That's just it, though, the only way to truly securely establish a separate network would be to run separate lines -- build in separate hardware, build in an air gap. Attempting to "partition" the Internet at the software level is pure silliness -- unless you command both ends of the pipe, and all points in between, there's a chance that someone may be able to intercept your traffic. And with deep packet inspection and similar tools these days, they could thus also alter your traffic, meaning any communications over the Internet cannot be secure, at least not in the way this Keith Alexander is talking about.

Cheers,

Re:"Partition"? Build separate infrastructure inst (0)

Anonymous Coward | more than 3 years ago | (#33681446)

unless you command both ends of the pipe, and all points in between, there's a chance that someone may be able to intercept your traffic

Isn't that the whole idea behind a VPN?

Re:"Partition"? Build separate infrastructure inst (2, Interesting)

causality (777677) | more than 3 years ago | (#33681484)

That's just it, though, the only way to truly securely establish a separate network would be to run separate lines -- build in separate hardware, build in an air gap. Attempting to "partition" the Internet at the software level is pure silliness -- unless you command both ends of the pipe, and all points in between, there's a chance that someone may be able to intercept your traffic. And with deep packet inspection and similar tools these days, they could thus also alter your traffic, meaning any communications over the Internet cannot be secure, at least not in the way this Keith Alexander is talking about.

Cheers,

I think a much better approach is to assume that the intermediate network is insecure and beyond your control. Then, use very strong end-to-end encryption to make a secure tunnel, much like the SSH approach. I mean, this is the NSA here. It's not like they wouldn't know how to use good encryption.

Encryption secures content, no gty on delivery (2, Insightful)

zooblethorpe (686757) | more than 3 years ago | (#33681816)

Sure, the NSA is undoubtedly up on the best crypto around. While encryption will secure a message payload, it doesn't ensure that the message gets where it's going -- routing traffic over the Internet leaves the end- and midpoints open to DDOS and other attacks, tying up servers and preventing message transmission. A physically separate network, however, would avoid much of the harmful noise that happens in teh intarwebs.

Cheers,

Re:"Partition"? Build separate infrastructure inst (1)

cheater512 (783349) | more than 3 years ago | (#33681486)

What's wrong with a government and critical infrastructure VPN?

VPN on Internet still vuln to DDOS etc (1)

zooblethorpe (686757) | more than 3 years ago | (#33681776)

Although the signal content might be secure, the signal itself would still be prone to disruption through various shenanigans like DDOS attacks and the like. A dedicated physically separate network would not face the same issues unless physically compromised. On the wide-open Internet, though, some bored teenager in Kuala Lumpur or Rotorua or Arkhangelsk could conceivably disrupt government systems, especially when so many such systems seem to be run on known-insecure Windows.

Cheers,

Re:"Partition"? Build separate infrastructure inst (1)

Twanfox (185252) | more than 3 years ago | (#33681812)

DDoS attacks don't rely on compromising data so much as they rely on denying you access to resources. If you're on the same network as the 'unwashed masses', they can flood your pipe and block you from getting out unless you've got some really good traffic management protocols.

Re:I suppose (2, Insightful)

countSudoku() (1047544) | more than 3 years ago | (#33681416)

They are compromised from the inside before they even string up one RJ-45 cable. Just tell Gen. Nuisance that "We'll just not dial into the bad guy's BBS, Sir." and call it a day. These are the great "cyber warriors" from the USA; unable to comprehend and put up a VPN for this shit. Dumb, and dumber.

Re:I suppose (3, Insightful)

PCM2 (4486) | more than 3 years ago | (#33681426)

I suppose it would be possible to build a whole second infrastructure across the country for Government agencies and 'critical industries', one that would never necessarily cross lines with any part of the 'insecure' internet.

Yeah, but why would the NSA want that? This is the NSA we're talking about, not the Department of Defense. What they probably want is to reconfigure the Internet so that there are lots of "walls" all over the place, like a maze. Most of the walls will have doors on them, so your traffic will be able to pass through without noticing a thing. The NSA is selling this as if the idea is to make some special walls that don't have doors on them, so those parts of the network will be more secure -- but I'm betting the real idea is the NSA gets to sit on top of all those walls and look down.

Re:I suppose (0)

Anonymous Coward | more than 3 years ago | (#33682200)

The NSA is part of the Dept. of Defense...

Re:I suppose (0)

Anonymous Coward | more than 3 years ago | (#33681688)

But there already are at least 3 such for use by military, this is not news.

Cyber Command (1)

HiggsBison (678319) | more than 3 years ago | (#33681264)

Cyber Command sounds WAY too much like some sort of comic book superhero hangout.

Fine! Let it be so! (1)

erroneus (253617) | more than 3 years ago | (#33681268)

Let there be an internet for government and sensitive business entities. I'm all for it. This would give less cause for government to screw around with surveillance and monitoring on the global internet I should think. (Yeah, I know they will still want that) It would also allow better protection of data without unplugging entirely.

I don't think it should be "partitioned" so much as having a new one built in parallel... and while they are at it, make it all IPV6. We all need a way to transition and a big fat project like this would be a great way... and while we're at it, maybe we can get the U.S. on the metric system.

Re:Fine! Let it be so! (0)

Anonymous Coward | more than 3 years ago | (#33681344)

... and while we're at it, maybe we can get the U.S. on the metric system.

Now wait just a minute, that's going way too far!

Re:Fine! Let it be so! (1)

PincushionMan (1312913) | more than 3 years ago | (#33681406)

Yes. And while we're at it, the NSA Chief would like a pony to go with his Internet Mk2, please.

Re:Fine! Let it be so! (2, Insightful)

dwye (1127395) | more than 3 years ago | (#33682026)

> and while they are at it, make it all IPV6.

Why would the second, USA or NATO only, internet need IPV6? Remember, this is the one that YOU will never be allowed on (at least in your role as a private person), let alone Mexico, Central America, South America, Africa, the Middle East, Asia. Likewise, this is the one that toasters, your gas and water meter, the coke machine on the 7th floor of Science Hall, or any other such appliances would not need to be on. In short, this is the Internet before Al Gore ruined it by opening it up for blatant commerce, and will have that few hosts (i.e., few enough so that every admin on it would know all the top level domains, if not most of the other admins).

> and while we're at it, maybe we can get the U.S. on the metric system.

Obviously, you are too young to buy liquor. Try and buy a new *fifth* of bourbon (or get your parents to). The USA has been on the metric system for decades (since the yard was defined in terms of the meter) but doesn't send men with guns after people or companies who use the customary measurements instead.

makes sense to me (0)

Anonymous Coward | more than 3 years ago | (#33681274)

This makes perfect sense to me. In fact, I don't understand why the military/government didn't make their own separate network in the first place. Seems like it would've made everything a whole lot easier.

Someone didn't get the memo (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33681276)

NIPR? SIPR? You want a third network that you don't manage properly or put realistic security policies on?

Fucking bureaucrat.

Re:Someone didn't get the memo (4, Informative)

Penguinisto (415985) | more than 3 years ago | (#33681412)

The DoD owns those... NIPR is mostly bureaucratic military stuff, while SIPR is the secure one. Good luck with the Pentagon letting folks like HHS, DOI, DOE, congress-critters, or (heh) your local utility co-op getting latched onto those.

Speaking of "realistic security policies", just to even think of hooking into NIPR, you have to harden your boxes to these specs [disa.mil] (ever had to put all of /usr onto its own partition and lock the whole thing read-only? I guess it all depends on your definition of "realistic"). SIPR's requirements are only 'slightly' more anal.

/P

Re:Someone didn't get the memo (0)

Anonymous Coward | more than 3 years ago | (#33681628)

Ahem, those are the official unrealistic policies. If you're downlink far enough from the core, you may not have the bandwidth to validate those. You must be in a nice chair in the lower 48 with a high speed link to be able to complete the network audit.

Re:Someone didn't get the memo (4, Informative)

dwye (1127395) | more than 3 years ago | (#33682154)

> ever had to put all of /usr onto its own partition and lock the whole thing read-only?

No, because SunOS5 had this on installation, back about 1990. With symbolic links and such, it was really quite simple. You remounted /usr as RW only when you had to remake the kernel, and then rebooted after (once a month or less often). In fact, our /usr was on a separate disk that had a hardware RO/RW switch on it.

This stuff was worked out long ago. Then, it was ignored because someone decided to build from scratch with no more (prior) thoughts of security than a HAL-9000 had.
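The hardening item discussed in the two comments above (/usr on its own partition, mounted read-only except during maintenance) can be audited from the mount table. This is an added example, not part of the original thread and not taken from the linked specs; the function names and the sample mount tables are constructed, and the input is assumed to be text in Linux `/proc/mounts` format.

```python
"""Added illustration: audit that /usr is its own read-only filesystem.

Input is text in /proc/mounts format; the sample tables are constructed.
"""
import re


def unescape_field(value):
    # /proc/mounts writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), value)


def effective_mount(mounts_text, mountpoint):
    """Return the entry in effect for mountpoint, or None if it is not a mount."""
    entry = None
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        if unescape_field(parts[1]) == mountpoint:
            # Later entries are stacked on top of earlier ones, so the last wins.
            entry = {"device": parts[0], "fstype": parts[2],
                     "options": set(parts[3].split(","))}
    return entry


def audit_readonly_mount(mounts_text, mountpoint="/usr"):
    """Return 'ok', 'writable' or 'not-separate' for the given mount point."""
    entry = effective_mount(mounts_text, mountpoint)
    if entry is None:
        return "not-separate"  # directory lives on its parent filesystem
    # Compare whole options: "errors=remount-ro" must not count as "ro".
    if "ro" not in entry["options"]:
        return "writable"
    return "ok"


# Constructed sample: /usr on its own device, read-only.
HARDENED = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /usr ext4 ro,nodev,relatime 0 0
"""

# Constructed sample: /usr remounted read-write for maintenance and left that way.
LEFT_WRITABLE = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /usr ext4 rw,nodev,relatime,errors=remount-ro 0 0
"""

# Constructed sample: everything on one root filesystem.
SINGLE_ROOT = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
"""

if __name__ == "__main__":
    for name, table in (("hardened", HARDENED),
                        ("left writable", LEFT_WRITABLE),
                        ("single root", SINGLE_ROOT)):
        print(name, "->", audit_readonly_mount(table))
```

On a live Linux host the same function can be fed the contents of `/proc/mounts`.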

Get in line... (1)

Statecraftsman (718862) | more than 3 years ago | (#33681288)

"What's up MPAA? Hey, RIAA are you in line too or just waiting for your order?"

Re:Get in line... (1)

mjwalshe (1680392) | more than 3 years ago | (#33681536)

sorry did the MPAA and RIAA just get ListX status :-))))))))))

Default Gateway (3, Funny)

p0p0 (1841106) | more than 3 years ago | (#33681298)

Just tell all the companies worried about cyber attack to set their gateway as 127.0.0.1 and they'll be perfectly safe.

Re:Default Gateway (2, Funny)

Penguinisto (415985) | more than 3 years ago | (#33681424)

Hey! That's MY IP address! No wonder I can't connect anywhere - damned IP addy conflict!

Uhh (4, Insightful)

ShooterNeo (555040) | more than 3 years ago | (#33681312)

Is this guy legitimate? How the hell did someone so ignorant of networking become head of US cyber command? NOTHING stops someone from grabbing off the shelf hardware and creating a WAN that has no hardware connections with the global internet. Or, there's various virtual ways to do this that are almost as good. Companies and institutions have been doing this for decades. Hackers can only get in if the institution is dumb enough to put the mission critical hardware on a network that IS connected to the internet, or even dumber, run the mission critical control system on a Windows machine. Of course, corporations do this all the time...

Re:Uhh (3, Interesting)

betterunixthanunix (980855) | more than 3 years ago | (#33681500)

The public statement is just a political maneuver, to help with the real goal: killing the open Internet. The free and open Internet is a nightmare for them, because it allows all sorts of people to communicate and do things without being monitored. It is bad for business (which is what the US Government is really interested in protecting) and bad for the politicians who bankroll the NSA.

First they'll set up a new network for "critical infrastructure," which you can only connect "certified" devices to, and then you'll start to see things...like suddenly your bank will require you to use that new, secure, not-open network. Then new and popular music will only be made available on that network. Then videos, games, books, and so forth, until eventually the Internet falls by the wayside, as forgotten as Fidonet, even if it even remains in existence. You will only be allowed to connect certain computers to that network, running certain software, and of course, you will not have any sort of root access to your system.

Re:Uhh (1)

mangu (126918) | more than 3 years ago | (#33681724)

new and popular music will only be made available on that network

LOL [btjunkie.org]. Good luck with that, even if you "secure" all your networks [wikipedia.org]

Re:Uhh (1)

equex (747231) | more than 3 years ago | (#33681952)

You're absolutely right. Their best wrench will be the online banks which almost everyone uses now, even me. And I don't do anything else online like shopping, ordering tickets etc. I simply don't trust anyone with my credentials. The only reason I use online banking is because it saves me a lot of money in actually traveling to the bank in the first place, and then also bills paid online are not charged additional processing fees.

Re:Uhh (4, Insightful)

Strange Ranger (454494) | more than 3 years ago | (#33681758)

Keith knows about WANs and VLANs and VPNs. My guess is this is just Keith's way of campaigning for a 200 million dollar budget so he can go on a serious shopping spree.

Also, having direct control and access to all the information that will be on it. "Come on in banks and military suppliers, Telecoms, and Energy companies, etc., sure there's room for you on the Homeland Network!!"

My tin foil hat doesn't warp my brain. "Killing the open internet" isn't the goal of this public statement or this proposal. Growing his budget and expanding the scope of Homeland Security, certainly.

Do we still teach the dangers of Fascism in school these days? My tinfoil hat does compel me to include this Wikipedia quote [wikipedia.org] "Fascists seek to organize a nation according to corporatist perspectives, values, and systems, including the political system and the economy."

Think how much easier it could be to share information [slashdot.org] without getting caught.

Re:Uhh (3, Informative)

mangu (126918) | more than 3 years ago | (#33681950)

You beat me to it, that's exactly what I was going to write.

Saying something as stupid as this "secure zone" proposal should be enough to get banned from ever working in a high responsibility government job again. "Secure zones" already exist [wikipedia.org]; if they aren't being used correctly by the government, it is because people like Keith Alexander aren't doing their job.

Re:Uhh (0)

Anonymous Coward | more than 3 years ago | (#33682216)

Is this guy legitimate? How the hell did someone so ignorant of networking become head of US cyber command? NOTHING stops someone from grabbing off-the-shelf hardware and creating a WAN that has no hardware connections with the global internet. Or, there are various virtual ways to do this that are almost as good. Companies and institutions have been doing this for decades. Hackers can only get in if the institution is dumb enough to put the mission critical hardware on a network that IS connected to the internet, or even dumber, run the mission critical control system on a Windows machine. Of course, corporations do this all the time...

Yah, it's almost like they'd have to make up new policies that define what this new network is and who maintains it, and what the requirements are for connecting to it, routing its traffic, how the policies are enforced, etc.

But but, that would take something like the government's involvement to implement such a plan! Some kind of government information technology networking command.. something or other. Do we have one of those? Who would run such a thing?

Right... (1)

skuzzlebutt (177224) | more than 3 years ago | (#33681314)

Because a segment of the internet dedicated to government and "high risk" sectors would be much safer...like when I put a DO NOT STEAL note on my bike.

WTF?!? (1)

thestudio_bob (894258) | more than 3 years ago | (#33681322)

Jesus Christ, you mean they're not!?!?

What f$*!!ing moron thought it was a good idea to do this, anyway. I was always under the assumption that critical systems were not connected to the internet.

Holy Moly, I'm not going to sleep well tonight.

Re:WTF?!? (2, Insightful)

Penguinisto (415985) | more than 3 years ago | (#33681440)

They are for the Military - Google for NIPR and SIPR as a good start...

So, what they want is... (5, Insightful)

Todd Knarr (15451) | more than 3 years ago | (#33681338)

So, what they want is a private IP-based network. No sweat, we've been building those for a couple of decades now. When I did point-of-sale for a truck-stock company, we had our own private network for connecting to our stores, credit-card processors and the like. You need routers, appropriate leased-line or other dedicated bandwidth, and some time spent on a white-board laying out the topology. The only real hard part is making sure you don't connect any machines to this network that also have connections to the public Internet. Yes, this means the machines on that network aren't going to be able to access the public Internet. You wanted a private, isolated network, you get a private, isolated network. If you want to live dangerously you can create appropriate DMZs and firewalls and proxies to give internal machines external access, but remember that that means worms, viruses and other malware can ride in on stuff coming back in through that external access and infect machines inside the perimeter. At that point your "protected" network isn't protected at all (in fact it's probably more vulnerable, since you likely skimped on internal protection since it's supposed to be a protected network).
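An added example, not part of the comment above or any poster's code: one way to check the "hard part" it names, that no machine on the private network also has a connection elsewhere. The inventory format, the host names and the use of 10.0.0.0/8 as the isolated range are assumptions made for illustration, and all data is constructed.

```python
import ipaddress

# Assumption: the isolated backbone uses the 10.0.0.0/8 private range.
ISOLATED_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed inventory (hypothetical hosts): interface addresses in CIDR
# form and (destination, gateway) routes, as an asset database might export.
INVENTORY = {
    "pos-store-17": {
        "interfaces": ["10.20.17.5/24"],
        "routes": [("10.0.0.0/8", "10.20.17.1")],
    },
    "cc-proc-link": {
        "interfaces": ["10.1.0.10/24"],
        "routes": [("0.0.0.0/0", "10.1.0.1")],
    },
    "dev-workstation": {
        "interfaces": ["10.1.5.44/24", "203.0.113.20/28"],
        "routes": [("10.0.0.0/8", "10.1.5.1"), ("0.0.0.0/0", "203.0.113.17")],
    },
    "support-laptop": {
        "interfaces": ["127.0.0.1/8", "10.1.5.60/24", "192.168.43.12/24"],
        "routes": [("0.0.0.0/0", "192.168.43.1")],
    },
    "office-pc": {
        "interfaces": ["198.51.100.7/24"],
        "routes": [("0.0.0.0/0", "198.51.100.1")],
    },
}


def audit_host(host):
    """Return findings showing how one host could bridge off the isolated net."""
    addrs = [ipaddress.ip_interface(i).ip for i in host["interfaces"]]
    # Loopback and link-local addresses do not attach a host to another network.
    addrs = [a for a in addrs if not (a.is_loopback or a.is_link_local)]
    if not any(a in ISOLATED_NET for a in addrs):
        return []  # not attached to the isolated network: out of scope
    findings = [f"off-net interface {a}" for a in addrs if a not in ISOLATED_NET]
    for dest, gateway in host["routes"]:
        if ipaddress.ip_address(gateway) not in ISOLATED_NET:
            findings.append(f"route {dest} via off-net gateway {gateway}")
        elif not ipaddress.ip_network(dest).subnet_of(ISOLATED_NET):
            # Next hop is internal, but an isolated host needs no route to
            # destinations outside the isolated range; worth a review.
            findings.append(f"route {dest} reaches beyond {ISOLATED_NET}")
    return findings


def audit(inventory):
    """Map each in-scope host that has findings to its list of findings."""
    results = {}
    for name, host in inventory.items():
        findings = audit_host(host)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```

A tethered phone or second NIC shows up here only if the inventory is collected from the hosts themselves, so the check is as good as its data source.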

Re:So, what they want is... (1)

interval1066 (668936) | more than 3 years ago | (#33681870)

"So, what they want is a private IP-based network. No sweat..."

You're absolutely right, of course. The problem comes in when they're working on their great little pos application in their walled garden and then someone says "Hey! You know what'd be great? If we installed SATAN and did an audit of Router D over there, well lemme just jump over to... oh yeah...", then they connect up and their walled garden is for sh*t...

Re:So, what they want is... (1)

Todd Knarr (15451) | more than 3 years ago | (#33682392)

Not a problem. As a developer I had full Internet access. Grab SATAN, install it, run it, no problem. If I needed to get it onto the internal network, I just had to burn it to CD and take it over to one of the Support machines that was on the internal network. Or, later on, use ssh and scp to move it to a bastion host and then onto the production-side system I needed it on. Fortunately we were using Unix and X11 and weren't dependent on a full desktop environment, so running all the graphical tools I needed through an SSH X11 tunnel was fairly trivial.

Re:So, what they want is... (2, Interesting)

david.given (6740) | more than 3 years ago | (#33682036)

I've always wondered why people in this situation didn't build private networks based on protocols other than IP. A quick glance at /etc/protocols shows dozens of different protocols that can be carried by ethernet --- there must be something there that's sufficiently flexible to build a useful network out of but can't be carried by the Internet without protocol conversion. The old OSI protocol suite, for example. Or even write your own if you want special features, such as pervasive authentication on all connections (so you always know who made a connection, not just where from).

This adds an extra level of protection, in that it's much harder to be accidentally gatewayed onto the Internet; you need to have special applications that speak both IP and whatever protocol you're using and translate between them to even communicate.

Of course, you'll probably end up having to rewrite your entire set of application software from scratch to speak the new protocol, but TBH if you really need the security this is likely to be a good idea anyway (provided you don't farm it out to the lowest bidder). And if you're so concerned about security that you're willing to contemplate partitioning the Internet, cost isn't likely to be an issue...

By Clicking On This Link ( +1, Top Secret ) (1, Funny)

Anonymous Coward | more than 3 years ago | (#33681362)

You hereby agree to pay Kilgore Trout of Euro 100,000,000 for consulting with Cyber Command about running their own private network.

Please see Private Network [wikipedia.org].

Thanks in advance.

Yours In Vladivostok [youtube.com],
Kilgore Trout, C.I.O.

More Secure? (1)

Lohrno (670867) | more than 3 years ago | (#33681368)

Cool so those Critical Industries and Government areas can be more easily isolated and thus made less secure? That's what it sounds like to me but I'm certainly not knowledgeable...

I think it is simple... (1)

Fallen Kell (165468) | more than 3 years ago | (#33681376)

If it is in charge of a critical resource in which people's lives and safety are at risk, it should not be connected to the internet. It can be on its own, internal private network with no actual physical connection externally. It can be a pain at first, but really it is not that bad. Even if you need to download patches, etc, you simply download them to a box that is on the internet, put it on removable media, scan the media for viruses, remove it and connect to the stand-alone network. Really not that big a deal.

Re:I think it is simple... (1)

sabt-pestnu (967671) | more than 3 years ago | (#33681532)

> scan the media for known viruses

FTFY, thereby illustrating the flaw in considering it "not that big a deal".

Re:I think it is simple... (1)

vux984 (928602) | more than 3 years ago | (#33681582)

Even if you need to download patches, etc, you simply download them to a box that is on the internet, put it on removable media, scan the media for viruses, remove it and connect to the stand-alone network. Really not that big a deal.

Unless you've bought into the whole SAAS model, and half the things you need to do require you to be connected to the internet. Or a software vendor you are dealing with requires internet access for license validation/activation. Or you've outsourced 9/10ths of your IT to a company that provides via remote access solutions like teamviewer/logmeinrescue/remote desktop or even good old ssh... or they've bought into remote online backups...

Air-gapping systems from the internet can be a lot more complicated than you imagine.

I can't speak to military or utility requirements. But in common scenarios like medical systems in hospitals, or industrial manufacturing it's often not very practical.

Isn't this kinda backwards? (2, Interesting)

Sooner Boomer (96864) | more than 3 years ago | (#33681408)

I mean, wasn't the internet designed/made for the military in the first place (ARPA/DARPA)? Then first the institutions (.edu) and later the commercial market (.com) came along and took it over. I guess creating a new network from scratch (and doing it RIGHT this time) is easier than kicking the rest of us pikers off of what was theirs in the first place.

the best government is no government (0, Flamebait)

NemoinSpace (1118137) | more than 3 years ago | (#33681464)

FTA

the country's critical infrastructure, 85 percent of which is owned by private companies. He said the agencies may need additional powers to take action during a cyber attack.

Seems to me the best way to improve security on the nation's privately owned networks would be to cut the cable to the NSA. If the government wants to improve their internal networks, tell them to stop issuing laptops to morons who "lose" them.

I wonder what "additional powers" he has in mind? Isn't the Patriot Act draconian enough? When it comes to nationalizing private resources, I suppose this administration is warming up to Cuba more than ever :).

Cyberdyne? (1)

gmuslera (3436) | more than 3 years ago | (#33681488)

While you still have people in any partition you make you will still be at risk. And you still want that people visit your sites, no? NO?

In a world (0)

Anonymous Coward | more than 3 years ago | (#33681504)

Where a single dongle can be attached to a USB port and access the internet like that, partitioning the internet is just a waste of time and effort...

Re:In a world (1, Funny)

Anonymous Coward | more than 3 years ago | (#33682030)

I had to imagine this thread read by the movie trailer voice guy because of the title.

NSA chief invents "Networking", film at 11. (3, Insightful)

eataTREE (7407) | more than 3 years ago | (#33681642)

As many have no doubt pointed out, there is not now and has never been anything that stops anyone from building their own TCP/IP-based network and only allowing trusted users/machines/sites to connect to that network. There is no inherent need to connect *anything* to the public Internet, much less an asset that contains confidential information.

The thing that bothers me most about this announcement is the clear implication that secret data *isn't* currently partitioned onto private networks at top-secret government agencies.

Typical.. (1)

Paracelcus (151056) | more than 3 years ago | (#33681696)

Never heard of an "air gap".

For cyberfuck's cybersake. (0)

Anonymous Coward | more than 3 years ago | (#33681698)

"NSA cyberchief CyberKeith Alexander, also the cyberhead of the US Cyber Command told cybereporters that he would like to see the cybercreation of a secure cyberzone on the CyberInternet for cybergovernment and critical private cybersector cyberindustries such as cyberutility cybercompanies and the cyberfinancial cybersector. Alexander has repeatedly cyberemphasized the dramatic cybernature of the cybercyber cyberthreat cyberfacing American cybernetworks and his cybercomments were a further cybersign that the Pentagon does not think the cyberwar against foreign cyberhackers can be won. Alexander cyberdenied the cybermilitary has any cyberole in cybersafeguarding cybercivilian cybernetworks currently, but didn't cyberule out the cyberoption in the cyberfuture."

It's been reduced to a meaningless prefix and doubly so when redundantly applied to matters cyberian.

An utter waste of time.... (3, Insightful)

rickb928 (945187) | more than 3 years ago | (#33681742)

Completely. They have the .mil network, and can't secure that. So the answer is to segregate the 'real' Internet and a 'secure' Internet?

And this will prevent infestations via USB drive how exactly?

I thought so. Next, please.

And I want China and Spam providers off the Net (1)

WillAffleckUW (858324) | more than 3 years ago | (#33681970)

I have a feeling, since I want China and Spam providers off my Net, and the NSA wants us civilians off the Net we taxpayers paid for, that both of us will be disappointed when neither event occurs.

The Government has this already! (2, Informative)

CherniyVolk (513591) | more than 3 years ago | (#33682142)

The government and military already have a "partitioned" inaccessible "internet". The real name of the "internet" you are using to view this site is called NIPRNET, and the "secure partitioned" one is called SIPRNET. The secured internet has been around for decades and is still used by governments around the world.

So this proposition simply is a play on words, particularly a "partition" word, possibly for a total ground up restructuring scheme for sure. This is such a bold statement from a government official, it's baffling really.

Re:The Government has this already! (1)

blair1q (305137) | more than 3 years ago | (#33682282)

I think they want a third thing, that would connect government to corporate entities.

Because the country is rapidly moving towards overt corporate control of government, and they don't want to have to fly to Washington to pull the strings.

The war is lost? (0)

Anonymous Coward | more than 3 years ago | (#33682146)

and his comments were a further sign that the Pentagon does not think the war against foreign hackers can be won.

What bullshit speculation.

Does the building of walls on our borders suggest we don't think the war against illegal immigrants can be won?

And yes, "war against illegal immigrants" was meant to be every bit as retarded sounding as "war against foreign hackers" is.

In other words... (2, Insightful)

straponego (521991) | more than 3 years ago | (#33682180)

The ruling class doesn't want to be exposed to those peons who are subject to laws.

Oh well, at least they're not calling us Morlocks yet.

make another NIPRNet (1)

'Aikanaka (581446) | more than 3 years ago | (#33682222)

Do what the DoD's done, make another NIPRNet - but leave the Internet alone

Intranet (1)

bell.colin (1720616) | more than 3 years ago | (#33682226)

It's Called an "Intranet" (F*^&ing Govt. Idiots)

the reality (1)

bender183 (447302) | more than 3 years ago | (#33682264)

The NSA wants to create the world's largest honeypot.

Stuxnet malware is 'weapon' ... (1)

AHuxley (892839) | more than 3 years ago | (#33682312)

http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant [csmonitor.com]
Stop filling your critical industries with MS products that cannot use USB without risk.
Comments like this would make many go hmmm "a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown."
The NSA is tapped into every big telco system within and outside the USA, they have the software and hardware to track and sort most issues, voice prints etc.
This sounds more like small next step, legal standing in some areas. Then the next.
Do you really want your entire telco system watching for you 24/7 without a court order?
Just to keep a cost cutting, rust belt network up?