
Cyber War Mass Hysteria Is Hindering Security

CmdrTaco posted more than 3 years ago | from the hysteria-is-hawesome dept.

Privacy 75

jhernik writes "International cyber threat initiatives are in danger of becoming overblown, the US government's security chief told the RSA Conference in San Francisco. 'Cyber war is a terrible metaphor,' said the US government's cybersecurity czar Howard Schmidt. 'Don't make it something it's not.' Internet attacks from hackers, spies and terrorist groups deserve serious attention, he said, but this should not be 'to the extent of mass hysteria.'"


75 comments


Hes right but... (5, Insightful)

Anonymous Coward | more than 3 years ago | (#35232748)

How is this any different from The War on Drugs, The War on ChildPorn, The War on Terror??

One way...

American businesses lose money if there is mass hysteria & people use the internet less.
There was no downside to the mass hysteria on The Wars on Things except for the truth
being lost in the FUD.

Re:Hes right but... (5, Funny)

Anne_Nonymous (313852) | more than 3 years ago | (#35232880)

What we need right about now is a War on War, man!

[flashes a peace sign, rolls a doobie, doesn't trim pubic hair]

Re:Hes right but... (4, Insightful)

HeckRuler (1369601) | more than 3 years ago | (#35233546)

There was no downside to the mass hysteria on The Wars on Things

Buuwha!? I'm sorry, have you been under a rock or something?
The mass hysteria over the war on drugs made the USA have one of the highest incarceration rates per capita in the world.
The mass hysteria over the war on childporn has given oppressive assholes the shoehorn to wantonly take over 85,000 websites. By accident.
The mass hysteria over the war on terror has made flying a sexually abusive experience, and let Bush invade two nations, and arguably led to hundreds of thousands of deaths.

But oh hey, CORPUSA didn't lose their profit margins, so it must not be all that bad.

Re:Hes right but... (1)

amRadioHed (463061) | more than 3 years ago | (#35235538)

And don't forget the damage that the "wars" have done to civil rights.

Re:Hes right but... (1)

HeckRuler (1369601) | more than 3 years ago | (#35235842)

Uh, yeah, but my last two examples ARE examples of damaged civil rights.
Freedom of movement has been damaged due to TSA's porno scanners and body searches. I can still generally go anywhere I want, so it's not like I've lost the right, but they're sure making it uncomfortable.
Due process has been damaged when the system can mistakenly take over 85,000 sites. I mean, I know a judge signed off on it, and that's the due process here, but apparently either the judge or the person writing the warrant didn't stop to think of the repercussions. Why isn't there more to the process? Something that would make sure the door they're busting down isn't to the public water utility? Because "why won't you think of the children?", that's why.

So yeah, civil rights are important. But realize that these ARE civil rights. That civil rights are MADE OF these sort of things.

I dunno if smoking weed can really be considered a civil right though.

Re:Hes right but... (1)

internettoughguy (1478741) | more than 3 years ago | (#35237646)

I dunno if smoking weed can really be considered a civil right though.

Civil rights are just a political construct anyway, one half of which concerns equality before the law. Which simply means treating everyone equally under the law.

Now you could claim that prohibition of "smoking weed" is not an infringement of this legal equality provided that it is equally prohibited for everyone. But then you could say the same thing about the prohibition of anal sex, which would have the side effect of effectively banning gay sexual relations. The other half of civil rights is the part that protects an individual's freedom from being unnecessarily trodden on by the state.

Now we just have to ask if it is necessary to prohibit cannabis, and I would argue that in the absence of a public health system it certainly isn't necessary, and with a public health system and appropriate Pigovian taxes it certainly isn't necessary.

Thus it is probably an infringement of civil rights to prohibit it.

I guess he's saying (0)

Anonymous Coward | more than 3 years ago | (#35235410)

I guess he's saying that those warrant mass hysteria? That's what they're inciting, at any rate...

Don't you mean... (5, Funny)

BlackLungPop (1307317) | more than 3 years ago | (#35232768)

"Cyberhysteria"?

Re:Don't you mean... (1)

Gordonjcp (186804) | more than 3 years ago | (#35232836)

No, I think you mean "cyberhysteriahysteria"

Re:Don't you mean... (1)

Nadaka (224565) | more than 3 years ago | (#35232870)

Hysteria about cyberhysteria expressed on the internet is cybercyberhysteriahysteria

Re:Don't you mean... (1)

gstoddart (321705) | more than 3 years ago | (#35233424)

No, I think you mean "cyberhysteriahysteria"

Come on, that's so lame ... it should be Cyber-Hysteria^2. Way cooler and hip for the kids.

Re:Don't you mean... (1)

netsharc (195805) | more than 3 years ago | (#35235096)

Hysteria 2.0! Because "2.0" is the new "Cyber-"!

Re:Don't you mean... (1)

mshadel (268014) | more than 3 years ago | (#35235380)

Since "cyberspace" is both the cause of the hysteria and the means to spread it we should call it "metahysteria".

Re:Don't you mean... (1)

gstoddart (321705) | more than 3 years ago | (#35235382)

Hysteria 2.0! Because "2.0" is the new "Cyber-"!

OK, fair.

How about e-Hysteria 2.0 then? Possibly i-Hysteria 2.0, but that might be trademarked already.

Re:Don't you mean... (0)

Anonymous Coward | more than 3 years ago | (#35236868)

iMad?

Re:Don't you mean... (1)

Gordonjcp (186804) | more than 3 years ago | (#35238242)

You could have i-Hysteria 2.4TDi - it's a bit slower off the line but it's just about as fast and costs about half as much to run.

Re:Don't you mean... (1)

gstoddart (321705) | more than 3 years ago | (#35238584)

You could have i-Hysteria 2.4TDi - it's a bit slower off the line but it's just about as fast and costs about half as much to run.

Wow, you managed to pull a car analogy out of this thread. Awesome, dude! ;-)

Re:Don't you mean... (1)

The Archon V2.0 (782634) | more than 3 years ago | (#35235350)

Information superhysteria?

Re:Don't you mean... (1)

Zediker (885207) | more than 3 years ago | (#35234198)

So do we clear that up with a Cybperhysteriaectomy? *shudders*

cyber cyber everywhere (5, Funny)

Ancantus (1926920) | more than 3 years ago | (#35232838)

Quote from TFA

“Cyber war is a terrible metaphor,” said the US government’s cybersecurity czar Howard Schmidt.

It seems like 'Cyber War' is a terrible metaphor, but 'cybersecurity czar' is perfectly acceptable for eWeek

Re:cyber cyber everywhere (1)

decipher_saint (72686) | more than 3 years ago | (#35232976)

When war with the cyborgs comes (and it will) what we will call it?

Re:cyber cyber everywhere (2)

Ancantus (1926920) | more than 3 years ago | (#35233018)

When war with the cyborgs comes (and it will) what we will call it?

Watson's Gentleman's Dispute

Re:cyber cyber everywhere (3, Funny)

decipher_saint (72686) | more than 3 years ago | (#35233098)

Watson's Gentleman's Dispute

The only defense is a clone army of Alex Trebeks armed with one word answers.

I shall hide in the American city of Toronto!

Re:cyber cyber everywhere (-1)

Anonymous Coward | more than 3 years ago | (#35233762)

>> I shall hide in the U.S. city of Toronto!

There fixed that for you. Toronto and Canada are both in America.

Re:cyber cyber everywhere (1)

Destoo (530123) | more than 3 years ago | (#35235558)

Watson's Gentleman's Dispute

Can't wait for that app to hit the iTunes store.

Re:cyber cyber everywhere (1)

Jakester2K (612607) | more than 3 years ago | (#35233092)

War.

Re:cyber cyber everywhere (0)

Anonymous Coward | more than 3 years ago | (#35248856)

Honestly, when I read this, I broke into tears and died.

What? (1)

kevinNCSU (1531307) | more than 3 years ago | (#35232862)

The US Government thinks Cyber war is a stupid term now too?! Quick, everyone switch positions!! ;)

Re:What? (0)

Anonymous Coward | more than 3 years ago | (#35233008)

Please, the correct term is eWar (or iWar if Steve Jobs is involved).

Re:What? (1)

Narnie (1349029) | more than 3 years ago | (#35234300)

Of course you can't expect the government to get this right, so it will likely be an Eee-War or an I-War.

Course I would also expect interweb-war, interpipes-war or even intertubes-war.

Re:What? (1)

517714 (762276) | more than 3 years ago | (#35236724)

The US Government thinks Cyber war is a stupid term now too?!

It must mean we really are at war!

No, he's not. (0)

winkydink (650484) | more than 3 years ago | (#35232868)

You can take the internet down with a small botnet (yes 250k zombies is small). http://www.zdnet.com/blog/networking/how-to-crash-the-internet/680 [zdnet.com]

So, when it happens it's just a bad day, right?

Re:No, he's not. (2)

0123456 (636235) | more than 3 years ago | (#35232974)

You can take the internet down with a small botnet (yes 250k zombies is small). http://www.zdnet.com/blog/networking/how-to-crash-the-internet/680 [zdnet.com]

You presumably missed the mass debunking of that claim a few days ago?

Re:No, he's not. (1)

winkydink (650484) | more than 3 years ago | (#35233890)

I must have. I saw some disagreement a few days ago, but no mass debunking. Protection requires 10% of ISPs to adopt a routing policy change. Let me know when that's done, ok?

That's easy. (3, Informative)

khasim (1285) | more than 3 years ago | (#35234032)

Protection requires 10% of ISPs to adopt a routing policy change. Let me know when that's done, ok?

It would be done within 24 hours of such an attack actually succeeding. More likely within an hour.

That's the core problem with all of these "disaster" scenarios.

They depend 100% on all-of-the-interested-parties doing nothing at all to resolve or mitigate the problem(s) during / after an attack.

There are lots of idiots out there who would not be able to fix their systems. But there are also a lot of smart people who know how to fix the problem but just haven't gotten management to buy off on it yet. That will change when there is a real problem.

No Hyperbole? (2)

Cornwallis (1188489) | more than 3 years ago | (#35232872)

'Don't make it something it's not.' Internet attacks from hackers, spies and terrorist groups deserve serious attention, he said, but this should not be 'to the extent of mass hysteria'.

Then how the hell do they expect to get and keep their bloated budgets?

Re:No Hyperbole? (1)

PPH (736903) | more than 3 years ago | (#35233030)

Using the term 'war' has some interesting legal implications for presidential powers. Congress and in some cases the courts, can be bypassed once a 'war' has been declared.

Re:No Hyperbole? (1)

Paracelcus (151056) | more than 3 years ago | (#35235038)

This is the REAL reason for all this unmitigated BULLSHIT, it's all about the unreviewed, uncontrolled accumulation of POWER & MONEY in fewer and fewer hands. The manipulation of the gullible, the poorly educated, unsophisticated, apathetic Americans to manufacture consent of the people to their own enslavement!

Mod parent up. It's about the money. (3, Interesting)

khasim (1285) | more than 3 years ago | (#35233770)

First off, this "war" has yet to result in a single death of an otherwise healthy adult at home. So calling it a "war" is incorrect.

Secondly, from TFA:

Lynn claimed that spy agencies have gained accessed to weapons system designs and other military plans, source codes and intellectual property from businesses and universities.

Exactly as spies have done for the last 2,000+ years.

Schneier's fear is that we are on the verge of an IT arms race. "We haven't seen offensive cyber weapons companies, but they are coming," he said. "Big defence contractors are working on this - you know they would be dumb not to."

I'm going to disagree with Bruce on this one. At least until he further defines "offensive cyber weapons". Again, not a single, healthy adult has been killed at home because of any "cyber attack" by someone using a "cyber weapon".

The real problem is that so few organizations pay attention to basic security practices. Just look at HBGary.


Sheez man, get with the plot. (1)

EasyTarget (43516) | more than 3 years ago | (#35232886)

Wait for this guy to be told to STFU; If you don't have mass hysteria how can you have a mass clampdown?

Re:Sheez man, get with the plot. (3, Insightful)

camperdave (969942) | more than 3 years ago | (#35233442)

Mass hysteria doesn't work in cyberspace. Mass hysteria only works on unwashed masses, not on a hacker culture with a long history of circumventing barriers, especially artificially imposed barriers. In cyberspace, everyone can hear you scream, so you have to be subtle. A deep packet inspection here, a closed port there. If you go off darking fiber willy-nilly, you'll awaken the wrath of the hackers on their home turf. You won't know what hit you.

Re:Sheez man, get with the plot. (1)

anegg (1390659) | more than 3 years ago | (#35238198)

I think the hysteria to be on guard against here is that of US policy making officials. We have lots of defense contractors who have been hyping "cyber" for a couple of years now. (That's right - they don't even call it cyberwar, or cybersecurity. Just "cyber." Ooooooo - shivers down my spine.)

When the policy wonks go off half-cocked, and the policy enforcers (CyberCommand, etc.) rush to salute and do their job, we will have wrongly focused substantial attention, and substantial $$$s, on chasing the wrong threat. The defense contractors will be happy, because they will get paid many $$s to "research" and "carry out policy" and the like. Each branch of the military will be busy building up its "cyber" capabilities. The powers that be will be building the legal infrastructure for the big red "kill switch" on the Internet.

The perhaps more expedient practice of getting all of the critical infrastructure crap off of the Internet, where it shouldn't have been placed in the first place, will be overlooked. It's much more exciting to have a big challenge to deal with than to make the problem much more manageable by not being so stupid about things in the first place. Fifteen years ago, the thought that corporations would run corporate networks over the Internet was laughable; everyone knew it was too risky. The idea of connecting SCADA networks up to corporate networks that were connected to the Internet was silly. Slowly, over time, the lure of cost savings grew to be too big to ignore. It can be hard to justify not saving large amounts of money due to an ill-defined mysterious threat of "Internet hackers" when no large profile cases of major losses due to these hackers have been observed. Now corporations have their internal networks all built on top of the public Internet (usually with VPN technology to provide some confidentiality/integrity). Availability? Not a problem - it works fine! (As long as there isn't a targeted DOS attack, and the Commander in Chief doesn't flip the "kill switch.") SCADA networks - why, of course they are connected to the corporate network - it makes logical sense, it's much easier to manage, it's so much cheaper than running a separate network... And now we have a big screaming hysteria over protecting "critical infrastructure" because some portion of it is either accessible through the Internet or is dependent upon the Internet carriers for availability, and it turns out that the Internet threat may have some teeth after all.

The threat to be on guard against is the threat of stupidity in the form of companies that put critical infrastructure on the Internet or through the Internet because it saves them $$s.

Re:Sheez man, get with the plot. (0)

Anonymous Coward | more than 3 years ago | (#35239606)

Unfortunately, there are more ignorant pissant voters online than hackers -- and they will allow the fuckhead politicians to go ahead with insane policies.

Cyberwar tends to be a misnomer (3, Informative)

mlts (1038732) | more than 3 years ago | (#35232938)

An intrusion attempt is an intrusion attempt, be it by a dedicated tiger team doing a pen test, some guy living in Elbonia testing his skillz, an enemy country with their intel arm probing for weaknesses, a criminal organization looking for organizations with their fly open to use as staging points for botnet C&C servers.

An attack is an attack, and an exploit check is an exploit check. Who is doing it matters less than handling it, be it someone checking if the ssh daemon is buggy, or someone calling the front desk pretending to be the CEO and demanding a password.

Ideally, people need to not focus on *who* is doing the attacks as the primary concern, but the attacks themselves.

Since there is no good definition of a cyberwar, if one defines it as a country's military or intel forces attacking another site to find a way in, it can be said that there are plenty of cyberwars going on around the globe with almost every country going against everyone else.

Re:Cyberwar tends to be a misnomer (1)

BlackLungPop (1307317) | more than 3 years ago | (#35233288)

Good point. I move we change the prevailing term to: "GLOBAL CYBERMELEE" !!!

Re:Cyberwar tends to be a misnomer (1)

Narnie (1349029) | more than 3 years ago | (#35234370)

Good point. I move we change the prevailing term to: "GLOBAL CYBERMELEE DEATHMATCH" !!!

There, FTFY

Re:Cyberwar tends to be a misnomer (1)

An ominous Cow art (320322) | more than 3 years ago | (#35234920)

Needs more "XXXTREME".

Rock On University of Phoenix (1, Funny)

Frosty Piss (770223) | more than 3 years ago | (#35232962)

Since Howard Schmidt is a University of Phoenix graduate, I trust everything this guy says.

Schneier and McConnell yesterday (4, Funny)

adenied (120700) | more than 3 years ago | (#35233028)

I was there for the Schneier / McConnell / Chertoff panel yesterday, mostly for the lulz and got some. Perhaps the best part was when Mike McConnell (former Director NSA and Director of National Intelligence) told Bruce Schneier that he was as big a supporter of privacy as anyone else, even him. The look on Schneier's face was priceless.

Re:Schneier and McConnell yesterday (0)

Anonymous Coward | more than 3 years ago | (#35233264)

Privacy in his view means nobody has access to your data without your permission except the spooks.

No contradiction!

Think of the chiiiiiiiildren! (3, Insightful)

Drakkenmensch (1255800) | more than 3 years ago | (#35233056)

But but but... without mass hysteria, how are we going to divert economic assistance to the poor into funding government initiative aimed at revoking civil liberties?!?

Mass Hysteria? (0)

TheRealMindChild (743925) | more than 3 years ago | (#35233086)

Mass hysteria is dogs and cats, LIVING TOGETHER!

I'm quite surprised... (2)

nickserv (1974794) | more than 3 years ago | (#35233260)

...to hear a government official basically saying "calm down already." No need to worry though Mr. Schmidt, the tech community can generally think for itself when determining cyber threats and the merits of related initiatives. We're certainly not waiting for the government to tell us how, when or why to secure our systems. You get your information from us, not the other way around. "Mass hysteria" is reserved for those who give up their rights (TSA, Patriot Act, repeal of the Posse Comitatus Act, etc...) and rally behind a buffoon as soon as the corporate puppets in the US government fire up their fear mongering engines. Got to love the irony of it though. A government official uses fear mongering to quell the fear mongering from the establishment that stands to profit most from a "cyber war." The military industrial complex was bound to incorporate the tech industry one day, I just hadn't realized that day had arrived. Greed, then religion, is the root of all evil. Now go and see Zeitgeist Moving Forward.

Re:I'm quite surprised... (1)

chemicaldave (1776600) | more than 3 years ago | (#35233572)

I would only expect the government to become more sane when it comes to technology as time progresses. I'm currently a grad student studying computer/information security & policy, and as a child of the digital age, I can say with confidence that most of my peers (even the ones with government funded scholarships) are pretty level headed when it comes to "cyberwar" nonsense. There's really nothing to get up in arms about.

I think you'll find that most people who had to grow up through the Bush administration (and yes, Obama, too) have a significantly more sour view regarding privacy from government and fear-mongering, especially those of us in technology.

Stuxnet (1)

QuincyDurant (943157) | more than 3 years ago | (#35233754)

The Stuxnet attack seems to have worked as well as or better than an airstrike. Call it what you will, it was something pretty damn close to an act of war.

We should abolish those ignorant politicians! (2)

sageres (561626) | more than 3 years ago | (#35234060)

This goes to show you that people with a limited understanding of computer network technology should not make, set or comment on the computer security public policy. That's how we wind up with guys being dragged away by Secret Service and after being five years in jail and finally released are not even allowed to use a phone, because a bunch of idiots on the hill who think that Internet is a collection of "tubes" and network security amounts to the video-game 3d-flight from the popular hacker movies... these guys are writing the laws that hinder the true growth and potential of the computer innovation and IT industry in general.

Again... capability based security can fix this... (2)

ka9dgx (72702) | more than 3 years ago | (#35234246)

If we took even a fraction of the "cyber" defense spending that's being spent everywhere (on firewalls, virus scanners, spam filters, etc), and put it into a practical, usable, cabsec (capability based security) system we could FIX this problem.

Capability based security is simple in concept.... provide a program, and a list of capabilities (such as read-access to a config file, read-write access to a sandbox directory, read/write access to the internet) to the operating system. The operating system then enforces security so that NO MATTER WHAT, the program can't access any other files or devices.

If each of the system services is properly configured, and the user is provided with the tools that make it trivial to sandbox an application, then they can run code without ever having to trust it. This makes virus-scanning obsolete.

This is a default deny strategy, the opposite of what we have in place now. If it's not explicitly permitted, it CAN'T happen.

Re:Again... capability based security can fix this (2)

jeff4747 (256583) | more than 3 years ago | (#35234760)

The operating system then enforces security so that NO MATTER WHAT

This is where your plan falls completely apart.

The way you come up with good defense is not to only figure out how it should be done. When in that mindset, we only think about how stuff should work and we easily gloss over the vulnerable parts - we're only thinking about the correct path through the system.

In addition, you need to not consider the difficulty in breaking your design. Because there's somebody out there with the knowledge and funding to do something you think is 'way too hard'. If it doesn't violate the laws of physics, it will be done.

Your solution relies on hardware and software that was developed by error-prone humans that works "NO MATTER WHAT". That doesn't happen. Ever.

Re:Again... capability based security can fix this (2)

ka9dgx (72702) | more than 3 years ago | (#35235490)

A trusted, proven microkernel is the only part of a system that one should have to worry about.

The way we currently do it is to trust huge swaths of code with the integrity of everything. That will never work.

Re:Again... capability based security can fix this (1)

jeff4747 (256583) | more than 3 years ago | (#35239802)

Because that microkernel runs on magic pixie dust, not hardware with its own vulnerabilities.

Re:Again... capability based security can fix this (1)

ka9dgx (72702) | more than 3 years ago | (#35240388)

It's not perfect, and there is no pixie dust, just different underlying design choices.

Having a micro-kernel which is mathematically proven to do what it says is a big step forward.

Having ONLY the micro-kernel run in protected mode, and be the only thing you MUST trust, reduces the attack surface by multiple orders of magnitude.

Limiting explicitly the capabilities of a given task makes side channel attacks involving things outside those capabilities impossible. For example, a disk driver doesn't ever have to get access to the network, does it? This prevents the drivers from secretly sending info out on the internet.

It's not a perfect system, but if you can limit the number of bugs which can possibly take out the OS to a few instead of thousands, isn't it a major step in the right direction?

Re:Again... capability based security can fix this (1)

jeff4747 (256583) | more than 3 years ago | (#35240884)

Limiting explicitly the capabilities of a given task makes side channel attacks involving things outside those capabilities impossible. For example, a disk driver doesn't ever have to get access to the network, does it?

Why do I need to go through the operating system to access the Internet?

Sure, it's the most convenient way. But the NIC doesn't care if there's an operating system.

It's not a perfect system

Then perhaps you shouldn't suggest it as the perfect system?

Re:Again... capability based security can fix this (2)

ka9dgx (72702) | more than 3 years ago | (#35242300)

Thanks for sticking with this thread, I think it's important to work out a way to express this better so more people can grok cabsec.

Capability based security isn't perfect. Would it be fair to say it's a better system?

The purpose of an operating system is to fairly and securely share the resources of the computer. If the programs running get direct access to hardware without the ability of the OS to manage it, the OS isn't really doing its job... it's more of a program loader (think MS-DOS). Thus the OS should always manage things like network connections, disks, memory, CPU, etc. This is why programs go through the operating system to access the internet.

Here's another way of looking at it.

When you configure a firewall, one of the first rules you put in is default deny. This makes management practical. Instead of blocking threats as you become aware of them, you start with a list of protocols you support, and specify the rules for each.

The current way we do things is like subscribing to a service that lists known bad IP addresses, and ports, then adding each of those as a block rule to our firewall, on an ongoing basis. The rule lists would get very large, very quickly. The firewall performance would plummet.

Additionally, the firewall would not protect against a new hostile host until it was detected, investigated, confirmed to be bad, then put into the services list of bad hosts, then propagated through to the firewall. During this time you're vulnerable to threats from that host.

Delays enumerating bad are always more costly than delays enumerating good, in terms of security.

A capability based system is like that default-deny rule in the firewall. The program can only modify the files, folders, networked resources, that are provided to it, assuming write access is part of that provision. A really strict system would even limit the CPU clock cycle rate and/or count... to prevent system hogging.

Would you agree that this is a much saner way to do things?
Thanks for your time and attention.
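A small model of the default-deny capability sandbox described in this thread (the explicit capability list from the original post and the firewall analogy above), added here as an illustration; it is not code from any poster or project, and the task names, paths and addresses are constructed.

```python
"""Default-deny capability sandbox model (illustrative, not a real OS mechanism).

A task is launched with an explicit list of capabilities: read/write on a file
or directory subtree, or network access to a host/port.  Every request is
checked against that list and anything not granted is denied, in the same way
a firewall with a default-deny rule only passes the protocols it was told about.
"""
from dataclasses import dataclass, field
from posixpath import normpath
from typing import List, Optional


@dataclass(frozen=True)
class FileCap:
    """Grants `mode` ('r', 'w' or 'rw') on `root` and everything beneath it."""
    root: str
    mode: str


@dataclass(frozen=True)
class NetCap:
    """Grants connections to one host; port None means any port on that host."""
    host: str
    port: Optional[int] = None


@dataclass
class Task:
    name: str
    caps: List[object] = field(default_factory=list)
    log: List[str] = field(default_factory=list)   # audit trail of every decision

    def _decide(self, request: str, allowed: bool) -> bool:
        self.log.append(f"{self.name}: {'ALLOW' if allowed else 'DENY'} {request}")
        return allowed

    def open_file(self, path: str, mode: str) -> bool:
        # Normalise before matching so "sandbox/../.ssh/key" cannot escape a
        # granted root by path traversal.
        path = normpath(path)
        for cap in self.caps:
            if not isinstance(cap, FileCap):
                continue
            root = normpath(cap.root)
            inside = path == root or path.startswith(root.rstrip("/") + "/")
            # Every requested mode letter must be covered by the grant.
            if inside and all(ch in cap.mode for ch in mode):
                return self._decide(f"open {path} ({mode})", True)
        return self._decide(f"open {path} ({mode})", False)   # default deny

    def connect(self, host: str, port: int) -> bool:
        for cap in self.caps:
            if isinstance(cap, NetCap) and cap.host == host and cap.port in (None, port):
                return self._decide(f"connect {host}:{port}", True)
        return self._decide(f"connect {host}:{port}", False)   # default deny


def demo() -> dict:
    """Run the thread's own examples: a sandboxed app and a network-less disk driver."""
    # Constructed sample tasks; paths and addresses are placeholders.
    app = Task("screensaver", [
        FileCap("/home/granny/app.conf", "r"),      # read-only config file
        FileCap("/home/granny/sandbox", "rw"),      # read-write scratch directory
    ])
    disk = Task("diskdriver", [FileCap("/dev/sda", "rw")])   # no NetCap at all
    return {
        "conf_read": app.open_file("/home/granny/app.conf", "r"),
        "conf_write": app.open_file("/home/granny/app.conf", "w"),
        "sandbox_write": app.open_file("/home/granny/sandbox/out.txt", "w"),
        "escape": app.open_file("/home/granny/sandbox/../.ssh/id_rsa", "r"),
        "driver_net": disk.connect("203.0.113.7", 443),
        "disk_rw": disk.open_file("/dev/sda", "rw"),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:14s} -> {'allowed' if allowed else 'denied'}")
```

The traversal attempt and the driver's network request are denied without any blocklist entry for them, which is the point of the default-deny argument above.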

Re:Again... capability based security can fix this (1)

cdrguru (88047) | more than 3 years ago | (#35236550)

Yes, but who administers such a thing?

The problem is that by putting computers in the hands of people that by definition cannot administer a complex system we have to have systems that do not need any administration. Combining this with the ability of the user to add software to the configuration is a disaster for security - the user has no clue what the software they are adding might be doing.

There are two possible solutions to this, neither of which is anyone moving towards. The first is the "App Store" model where the computer is completely locked down except for adding applications purchased through a single App Store where everything is checked, validated and secured. The other approach is that what 99% of the people with computers actually need is a "Web Appliance" that is totally locked down - no ability to add software. I suppose there is a third way where everyone with a computer is paying a service which administers their computer(s), doing things like installing software and configuration changes.

Any of these would work but both would infringe upon the rights of Russian business people to make money from the vast network of unadministered computers. It would also make it extremely difficult to reap vast amounts of money from ad networks because anyone with half a brain would block all ads from ever appearing on computers they were administering.

The end of this is that no such changes are going to take place. We will always have insecure computers of which half are controlled by someone other than the putative "owner".

Re:Again... capability based security can fix this (1)

ka9dgx (72702) | more than 3 years ago | (#35237306)

I think administration would be fairly simple for such a system. Instead of "installing" programs, which then entwine themselves into the OS, you would simply drop them into a folder. When you wanted to use them, one reasonable default would be that they could only operate in their own folder.

The idea of trusting code to do what it says on the tin is the big problem here... not the user. If the user has a system that makes everything inherently sandboxed off from everything else, they have a very good shot at not fouling things up. This is especially true if it's obvious and transparent when you have to drag and drop access to the system folder into a task... if the normal experience never required that, they would know it's dangerous.

The users aren't as stupid or foolish as a lot of techs believe.

Re:Again... capability based security can fix this (1)

Fulcrum of Evil (560260) | more than 3 years ago | (#35238112)

So if I want to download a file for one app, then use it with another, I have to download it again? If you make it easy to change the defaults for convenience, that's what will happen. If you make it annoying (like with win7), people use something else.

Re:Again... capability based security can fix this (1)

ka9dgx (72702) | more than 3 years ago | (#35238416)

No, you wouldn't have to download it again, you just give one access (as required to do the job) to the other. I think all of this could be done in a very open, transparent, consistent, and friendly way.

Re:Again... capability based security can fix this (1)

Chowderbags (847952) | more than 3 years ago | (#35239072)

And then grandma still downloads the "awesome screensaver" and clicks whatever warning popups come up telling her that the screensaver will do horrible things because "she wants to see the cute kittens". You can't use technology to fix stupidity.

Re:Again... capability based security can fix this (2)

ka9dgx (72702) | more than 3 years ago | (#35240438)

You're right... you can't fix stupid.

A different analogy might help here.

The current default permissive systems are equivalent to handing over your wallet to the cashier at the checkout counter, and hoping they will only take the right amount of money, and not use your info to sell your house before you get home. When you run a program, it can do anything you can do.

Granny is a lot smarter than you give her credit for, she knows not to hand her purse to the checkout person at the store. She only hands over the appropriate instrument of payment instead of everything. If the system is properly designed with good UI affordances, it should be very obvious when you're handing that kind of power over to something, instead of just letting it run in a sandbox.

However, if Granny does the right thing most of the time, the population of compromised machines would be far lower than today's levels... if you make targets harder to get, and fewer, then botnets get to be much tougher to run, etc.

It's worth trying, isn't it?

This country is headed for a disaster.... (2)

RevWaldo (1186281) | more than 3 years ago | (#35234950)

- This country is headed for a disaster of cyberpunk proportions.
- What do you mean, "cyberpunk"?
- What he means is Neuromancer, Mr. President, real Philip K. Dick type stuff.
- Exactly.
- Satellites falling down from the skies! Neurotransmitters boiling!
- Forty-eight hours of darkness! Gray goo, anarchocapitalism...
- Zippies rising from the grave!
- Linguistic hacking, AIs and ghosts merging together... mass hysteria!
- All right, all right! I get the point!


It ain't a war unless you can shoot someone! (0)

Anonymous Coward | more than 3 years ago | (#35235104)

"When computer crime is outlawed, only outlaws will have computers!"

Line 'em up against the walls guys, line 'em up.

Chickens come home to roost? (1)

Phizzle (1109923) | more than 3 years ago | (#35235228)

First the goobernment overblows the term Cyber war to get more funding, and now they want to tone it down? Does that mean they finally got enough of our money or did they find some other controllable threat to append the word "war" to, to maintain the profitable hysteria? Cause 9/11 changed everything, Brian! 9/11 changed EVERYTHING!

Mass Hysteria??? (1)

ZombieBraintrust (1685608) | more than 3 years ago | (#35240350)

I don't think there is any Mass Hysteria. The masses don't care about this.

rawr (0)

Anonymous Coward | more than 3 years ago | (#35240734)

My girlfriend missing her pill causes me mass hysteria, cyber-warfare does not cause mass hysteria

Unthinkable! (0)

Anonymous Coward | more than 3 years ago | (#35241974)

Hysteria?

America?

Why, that would be totally uncharacteristic. Everybody knows the American public is a collection of calm, rational, stoic people who would never be swayed by hyperbolic fearmongering into a harmfully disproportionate response to a real or perceived threat.

That noise? Oh, that was just the sound of a million sarcasm meters exploding at once...
