Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

FBI's Top Cyber-cop Says We're Losing the War Against Hackers

Soulskill posted more than 2 years ago | from the have-you-tried-bullets dept.

Security 134

New submitter sienrak writes "Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is 'unsustainable.' 'I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security,' Mr. Henry said."

cancel ×

134 comments

Sorry! There are no comments related to the filter you selected.

Yay (0, Offtopic)

Anonymous Coward | more than 2 years ago | (#39500937)

Hack the planet....

Re:Yay (0)

Anonymous Coward | more than 2 years ago | (#39502795)

They're hacking Microsoft products, of course.

For the good of humanity, the US DoJ needs to split Microsoft up, strip them of their patents and force them to abandon their proprietary formats and APIs. The world needs interoperability, not lock-in,

Given the previous FBI story... (5, Insightful)

3seas (184403) | more than 2 years ago | (#39500943)

Well of course they are losing the battle..... a house fighting against itself will fall.

Re:Given the previous FBI story... (4, Insightful)

zero.kalvin (1231372) | more than 2 years ago | (#39501057)

It is in the nature of the fight itself. Anyone anywhere can come up with a way ( if smart and motivated enough) to hack anything anywhere, it is completely different from invading another country or defending your own. Individuals can't be suppressed the way you subdue hostile forces. The matter is unless you install a spy cam inside the brains of everyone I don't see how the hacking war can be won. ( and even in this case someone would hack it ! )

Re:Given the previous FBI story... (5, Interesting)

Anthony Mouse (1927662) | more than 2 years ago | (#39503221)

Anyone anywhere can come up with a way ( if smart and motivated enough) to hack anything anywhere, it is completely different from invading another country or defending your own.

You're completely right. And the idea of having some incompetent bureaucracy with the power to spy on everyone and shut down the internet is is totally insane.

But let's not just complain about it, shall we? Why don't we do one better?

Making systems totally secure is a pipe dream, but we can certainly make them more secure. And entirely without a surveillance bureaucracy.

The key is to understand that secure software is a market failure: Nobody wants to pay for security until after they get hacked, which means software developers have the wrong incentives. The one that goes out of their way to do security right end up going out of business because they get beat to market by the ones that ship the first code that compiles. But let's resist the knee jerk government reaction to this, which is to pass laws telling everybody what to do. That isn't what's needed here -- the result of any sanctions will be a "teaching to the test" problem where developers do the bare minimum to avoid liability while not actually making secure software, and meanwhile software development is made far more expensive due to regulatory compliance burdens. So forget about that.

What would actually work? SE Linux. It was produced by the NSA, it's open source, and it makes things more secure. Why don't we spend the money on that sort of thing? Use the carrot, not the stick. Have the NSA provide free, voluntary security audits to major infrastructure providers. Have them produce more software in the nature of SE Linux -- things designed by all those genius cryptographers they already employ, which can subsequently be adopted by everyone everywhere and make things more secure. Fund more software like TOR which can protect privacy, to get such things to the point that they're fast and efficient enough for regular use by everyday people (and screw over enemy countries that censor and oppress in the process). Provide incentives for the more rapid adoption of technologies that increase security, like DNSSEC and IPv6.

These are the things that have the potential to actually work. If they're actually serious about improving security, and Something Must Be Done, let it be that. Because the last thing we need is another hopeless regulatory bureaucracy.

Re:Given the previous FBI story... (5, Insightful)

poetmatt (793785) | more than 2 years ago | (#39501125)

Nah, see it's just a word replaced incorrectly. they're losing the war against profit. "Cybercrime" is just the justification. They want people to spend more money under the guise of counter-terrorism.

Re:Given the previous FBI story... (1)

Jeremiah Cornelius (137) | more than 2 years ago | (#39501211)

Thank you. They don't seem to be worried about the threat to expectation of privacy from Facebook and Google... Let alone that from the FBI or NSA.

You were born in sector X. Sector X has the dominion over you!

Re:Given the previous FBI story... (3, Interesting)

DCFusor (1763438) | more than 2 years ago | (#39502065)

They are losing the battle, but we're doing just fine, thanks. Their definition of the battle is that they effortlessly control everything and have "Total Information Awareness" which, of course, is not the battle we are in ourselves at all.

So trust us! (0)

Anonymous Coward | more than 2 years ago | (#39500955)

so trust the government with our privacy and security they will say...

Huh? (0, Redundant)

rossdee (243626) | more than 2 years ago | (#39500957)

Who is this "we" ?

Some of us aren't part of the Government...

Re:Huh? (0)

F69631 (2421974) | more than 2 years ago | (#39501195)

You will be one day [wikipedia.org] , so I recommend staying up to date on all the important issues.

Re:Huh? (1)

Iniamyen (2440798) | more than 2 years ago | (#39501341)

Sorry, I don't understand the joke. Can you enlighten me? Thanks in advance.

Re:Huh? (1)

meow27 (1526173) | more than 2 years ago | (#39501417)

he is basically calling the parent poster a minor, since in the united states, it is illegal [AFAIK even for the government] to distribute the identity of minors

Re:Huh? (3, Insightful)

F69631 (2421974) | more than 2 years ago | (#39501565)

The OP lives in USA which is - last time I checked - a representative democracy. It might be imperfect one (=difficult to break the two-party system) but it's still a democracy... which means that The Government is just the set of institutions that The Population has built. Saying that you aren't part of the government in such a state is saying that you can't influence the decision making process, which probably means that you are too young to vote.

It doesn't help if you say "I'm a LIBERTARIAN. I want the fed abolished...". Even ignoring all arguments about how you can't exclude yourself from a group just because you don't believe in everything it has democratically decided... This is FBI we are talking about. Even the most idealistic libertarians would say "The government has only one job: Keep us safe from the bad guys" (i.e. power to use violence is the only true natural monopoly) so this is perhaps the one institution that libertarians would retain.

Suck my dick. (-1)

Anonymous Coward | more than 2 years ago | (#39500971)

Suck my dick, faggots!

Re:Suck my dick. (0)

Chas (5144) | more than 2 years ago | (#39501893)

Dude, if you're cruising for a piece of guy-ass, we don't need to know about it.

Seriously.

Slashdot, non-news for nerds. (0)

Anonymous Coward | more than 2 years ago | (#39500981)

Not news in anyway shape or form, unless, of course, for some reason you thought the Feds had a handle on things. BAHAHAHA.

Of course he would (4, Insightful)

Hatta (162192) | more than 2 years ago | (#39500991)

Economic espionage is an excellent excuse for implementing centralized control of the internet.

Re:Of course he would (3, Insightful)

Glarimore (1795666) | more than 2 years ago | (#39501133)

Economic espionage is an excellent excuse for implementing centralized control of the internet.

And as long as corporations are not controlled by the government, their security is their responsibility. Let them handle it.

Re:Of course he would (2)

Hatta (162192) | more than 2 years ago | (#39501367)

This is America. Here it's the corporations who control the government.

Re:Of course he would (1)

rrohbeck (944847) | more than 2 years ago | (#39502131)

Obligatory:
In Soviet Russia, politicians control corporations!

Re:Of course he would (0)

Anonymous Coward | more than 2 years ago | (#39502185)

In Soviet Russia, they kill people who steal there memes.

Re:Of course he would (1)

Nimey (114278) | more than 2 years ago | (#39502653)

In Nazi Germany, they kill people who use poor grammar.

The new "Think of the Children" (5, Insightful)

Anonymous Coward | more than 2 years ago | (#39500993)

"Privacy and Security". Watch those words, folks. In the name of privacy and security we have already given up bits of both. This yahoo wants us to give up even more. Fear the person who says he can guarantee your privacy and security because first you need to give those up to him.

Re:The new "Think of the Children" (0)

Anonymous Coward | more than 2 years ago | (#39502167)

Pitt responded that: "Necessity was the plea for every infringement of human freedom.
  It was the argument of tyrants; it was the creed of slaves.

The Propaganda war has begun (5, Insightful)

realmolo (574068) | more than 2 years ago | (#39501035)

Can you feel it? The government wants to get control of the internet, and computers, and all communications devices in general.

They're going to pretend it's for our safety. They just want to protect us from hackers, after all.

I'm not a "government is evil" guy, but this is the kind of thing governments typically want to do. And it has to be prevented. Call your congressman.

Re:The Propaganda war has begun (1)

Ihmhi (1206036) | more than 2 years ago | (#39501449)

Honestly, the worst firewalls in the world are in places like Iran and China. People in those countries manage to circumvent them just fine, and so will we if it comes down to it.

And if not, there's always sneakernet.

Re:The Propaganda war has begun (1)

rtb61 (674572) | more than 2 years ago | (#39503553)

Which is the underlying reality of internet security. If it absolutely doesn't need to be connected to the internet than don't bloody connect it to the internet. If it is going to save a thousand dollars a year to connect to the internet but cost ten thousand dollars to 'maybe' secure it, then don't connect it to the internet.

When it comes to security, the internet should not be any different than reality. What would you do to secure your actual physical computer system, would you require every person on the planet continuously (incorporate an auto-taze neck collar to disable them of they do anything suspicious) because of that one person who grabs a brick throws it through you office window and yanks your file server right off your desk.

Re:The Propaganda war has begun (2, Insightful)

Anonymous Coward | more than 2 years ago | (#39501479)

Yep.

Even on /. there was at least half a dozen stories matching the "$insider says $hackers have already compromised >90% of computers in ($line_of_business|$federal_department|...)"

Feels like someone's preparing the ground to bring out some new legislation.

Re:The Propaganda war has begun (0)

Anonymous Coward | more than 2 years ago | (#39501527)

I don't think that's what he's saying. (It should go without saying that government control of the internet will not make it more secure.)

The internet is full of technologies built before anyone thought security was a concern and others that were built without thinking about security because there's no money in it. A lot of computer technologies need to be rethought from the ground up if we want any hope of having them be secure, and that's not cheap or worthwhile in the eyes of most people. Remote logins should use (hopefully physical) cryptographically secure tokens, not passwords. Any program dealing with data from a remote server or client should be written to be provably free of buffer overflows and other known categories of security bugs (the simplest way to do that is to not use C, but I'll leave it open to the possibility that that is not an option, perhaps for performance reasons).

Re:The Propaganda war has begun (0)

Anonymous Coward | more than 2 years ago | (#39501539)

Who takes the product of your labor by threat of force and gives it to plutocrats? The government - not illegal aliens.

Who kidnaps and tortures people? The government - not kids that download MP3s.

Who murders civilians with drones? The government - not pot smokers.

Yes, the occupational government is evil and should be treated as such.

Can you name a single police state in all of human history that didn't end up evil?

Re:The Propaganda war has begun (0)

Anonymous Coward | more than 2 years ago | (#39502319)

Government is made of people just like you and me. Government only goes so far as we let it. If it runs amok and hurts us, it is as if we hurt ourselves. What are you prepared to do to stop this insanity?

Re:The Propaganda war has begun (1)

Anonymous Coward | more than 2 years ago | (#39502753)

Many will do anything due to greed.

We're fucked.

Refreshingly, he does NOT call for new laws (5, Informative)

TheEmperorOfSlashdot (1830272) | more than 2 years ago | (#39501039)

He places the blame right where it belongs, on those corporations and government agencies that are too incompetent to design secure computer systems or hire those who can:

Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy. Too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking—or the costs they may have already suffered unknowingly—by operating vulnerable networks, he said.

Re:Refreshingly, he does NOT call for new laws (2)

DigiShaman (671371) | more than 2 years ago | (#39501095)

No, but he sure as hell left the door wide open for a politician to create new ones. The other politicians salivate at the prospect of attaching riders to it too.

It was bound to happen sooner or later. He just kicked the pace up a notch, that's all.

Re:Refreshingly, he does NOT call for new laws (2)

Red Flayer (890720) | more than 2 years ago | (#39501129)

Sure, but that doesn't stop others from hopping on that train:

Matthew Eggers, a senior director at the Chamber, said the group "is urging policy makers to change the 'status quo' by rallying our efforts around a targeted and effective information-sharing bill that would get the support of multiple stakeholders and come equipped with ample protections for the business community."

Message: Further blur the lines between various enforcement agencies, possibly including military, for the benefit of corporations.

Re:Refreshingly, he does NOT call for new laws (1)

Glarimore (1795666) | more than 2 years ago | (#39501277)

The problem is that even if you're tech team is the most savvy in the world, you've still left yourself wide open to attack via social hacking. In terms of security, humans are and will always be the weakest link in a computer network.

Good luck keeping the CFO from being phished.

Security is (0)

Crash McBang (551190) | more than 2 years ago | (#39501047)

a journey, not a destination.

Thus saith Steve Jobs.

Or maybe it's that perfection is a journey, not a destination.

Meh. Probably both...

Obvious (0)

Anonymous Coward | more than 2 years ago | (#39501053)

If he says FBI is winning there's no reason for asking more budget.

I fully agree (1, Insightful)

hjf (703092) | more than 2 years ago | (#39501099)

I fully agree. We need a change in legislation.

And I propose the following: make every technician in charge of systems security liable for hacks to their network. And systems manufcaturers too. Make security a a requirement, and not a suggestion.

You know, cause some people might interpret "change in legislation" as "we want to spy on all citizens". Which is useless.

Re:I fully agree (2)

Glarimore (1795666) | more than 2 years ago | (#39501171)

You can legislate only to a certain degree. That is, make companies responsible for the security of the information related to their CLIENTS. I personally don't care if a company loses their trade secrets to hackers, but I do care if they lose my personal information, credit card numbers, etc.

Re:I fully agree (2)

es330td (964170) | more than 2 years ago | (#39501457)

make every technician in charge of systems security liable for hacks to their network

Okay, so technicians will require hack insurance, because nobody will risk the financial penalty of taking said job with unlimited financial liability. This means that network technicians will have to be licensed to be insurable, which will cost money. Now only large firms will be able to afford the cost of these technicians. It is almost certain that the government will step in an license operators, just as they do doctors, accountants and other professionals. This is all certain to do wonders for the "anyone can do it" nature of computing.

Re:I fully agree (1, Interesting)

hjf (703092) | more than 2 years ago | (#39501889)

I don't see any problem with that. I don't want an idiot with a pirated Windows Server 2008 to be in charge of my medical records, for example. And a lot of times that's exactly what you get.

"Anyone can do it" doesn't mean they SHOULD. Doctors, architects, engineers, and everyone in charge of infrastructure or other critical projects or things that could cost your life are required a license. Why aren't "IT managers" required the same? IT now IS infrastructure, and a lot of times the sysadmin is just a guy who installed a server. IT systems run traffic lights. I'm sure the engineer that designed and placed the lights was licensed, but the guy in charge of the two computers that run the system isn't.

And as a bonus, since IT managers now need to be licensed, their rates would go higher. We'd get rid of the boss' nephew installed warez windows and undercutting a tech that actually knows what he's doing.

Re:I fully agree (0)

Anonymous Coward | more than 2 years ago | (#39502823)

Many extremely talented individuals have six or seven figure incomes and no high school diploma let alone any college!

They are hired by skill and skill alone.

I raked in 80,000 before turning 20 myself. Dropped out of school and all that. Showed my skills off at a convention and was hired immediately by a fellow attendee who happened to like my talent.

That's how the big boys play. I can destroy your scope-lacking context-unaware college wannabe. I was writing code before I turned 10 and knew from a very young age that computers were my life. I have an autistic-like draw to computers and know them inside and out. I'd never pass your certification yet here I am racking in big money. That tells me your certification is wrong and short sighted. Another attempt to squish true professionals out of the field. Pathetic this war is on intelligence.

I never let my schooling get in the way of my education.
-Mark Twain.

Re:I fully agree (1)

hjf (703092) | more than 2 years ago | (#39502849)

No, that tells me you're special. You're an exception. And if you knew as much as you say, you'd ace any certification tests.

This is from someone like you, who flunked college, but aced all stupid certs and how I not only have the knowledge, but also the papers to prove it.

Re:I fully agree (1)

PeterM from Berkeley (15510) | more than 2 years ago | (#39502269)

Hold the technician liable? How completely unfair.

What if your OS is insecure and leads to you getting hacked? Did the Technician write the OS? Did the technician get dictatorial control of what OS was used?

No. In this case, the technician is a mere scapegoat.

What if your network hardware had a backdoor installed in it by a 'counterfeit' or malicious 'legitimate' manufacturer? Can one reasonably expect a security technician to audit every piece of hardware and software?

No. In this case, the technician is a mere scapegoat.

Can the technician dictate exactly how systems are to be used and who can use them?

No, in the case of an insider hack, the technician is a mere scapegoat.

Can the technician dictate the physical security of all his hardware?

No, in the case of a physical compromise, the technician is a mere scapegoat.

About the only thing the technician can control are some weak-ish security policies and how quickly patches get installed.

Security is a tough problem, and I'm telling you, the fix for it is NOT scapegoating the technician.

--PM

Re:I fully agree (0)

hjf (703092) | more than 2 years ago | (#39502961)

Hold the technician liable? How completely unfair.

The technician has no responsibility if data is stolen or loss? How completely unfair. If a security guard is on the night shift and someone robs your place, guess who's liable?

What if your OS is insecure and leads to you getting hacked? Did the Technician write the OS? Did the technician get dictatorial control of what OS was used?

If the technician is a CIO, yes, he gets dictatorial control. And if the OS is insecured and it got hacked, the OS vendor can be liable.

What if your network hardware had a backdoor installed in it by a 'counterfeit' or malicious 'legitimate' manufacturer? Can one reasonably expect a security technician to audit every piece of hardware and software?

Yes. It is reasonable to expect hardware and software to be audited. It should be MANDATORY. If you have a credit card module on your sales system, you can expect Visa to audit it. If your software does taxes, you can expect the IRS to audit it.

Can the technician dictate exactly how systems are to be used and who can use them?

Yes. That's his fucking JOB.

Can the technician dictate the physical security of all his hardware?

Yes, he can, and should.

About the only thing the technician can control are some weak-ish security policies and how quickly patches get installed.

Then you're exactly the problem with IT: expecting your vendor to provide all sort of fixes and support. Do not think, don't do anything. If the system fails, call vendor support to cover your ass, instead of actually fixing the problem that's causing you downtime.

Security is a tough problem, and I'm telling you, the fix for it is NOT scapegoating the technician.

Something tells me you don't have real work experience. You're just a code monkey (no offense) somewhere, and there is an idiot above you who dictates the rules. What I mean is that THIS guy is the one who's liable. That's what he's paid for.

If a pipe is leaking and it ruins your wall, do you call the individual plumber who installed that? Or do you call your contractor, i.e. the guy you PAID to do the job?

pot and kettle? (4, Insightful)

v1 (525388) | more than 2 years ago | (#39501117)

Anyone else find it ironic that the FBI, of all organizations, (perhaps besides the NSA) is whining about losing to people hacking into our privacy? Isn't that what they do for a living? Not just to "the other people", but to our own citizens all the same nowadays?

They're grousing over a problem that they're part of...

Don't aim to outrun the bear... (5, Insightful)

wanderfowl (2534492) | more than 2 years ago | (#39501155)

There are hackers, phishers, spammers, and other untrustworthy people on the internet. The FBI seems to have just realized that they can't prevent them from existing, and now tells us that we'll "never be secure", and people react. But this has always been the case offline as well. There are thieves, murderers, and con-artists, and we can never make them go away either, and as such, here too, we will never be secure.

That said, if you use common sense, encrypt your important data, don't click links in unsolicited emails, and use a password better than "12345", you'll already be enough of a pain to most "hackers" that they'll not bother, because next door, there's a guy who's got a plaintext full of banking passwords on his desktop with file sharing on.

There's a saying that if attacked by a hungry bear, you don't need to outrun the bear, just the other people at the campground. Same goes here.

Re:Don't aim to outrun the bear... (5, Insightful)

mlts (1038732) | more than 2 years ago | (#39501345)

The FBI is also dealing with a lot of businesses who have existed for years with at best paying lip service to computer security.

I remember a few years back so many PHBs saying, "security has no ROI" like it was a mantra for magic success. Of course when I asked the person about what they do if they do get breached, the answer was invariably, "Call Geek Squad, and they will fix it."

The sad thing is that there is no real drive for private businesses to focus on actual security. A breach happens, and usually it won't be reported, and if it is, it is because there are thousands of people who got nailed and have hard evidence finding who did it upstream. Even though there are laws to disclose breaches with private info lost, it isn't hard to ignore them -- the company top brass will find a fall guy, and the domain admin password will continue to remain "swordfish". Even if the firm goes bankrupt, it doesn't really matter, because the top brass just finds a niche somewhere else.

There is also the belief that intruders won't do much damage. A wiped box? Stick in a backup tape. Lost customer info? Not our problem if customers get identity theft issues. Lost source code? The H-1Bs end up copying it to their home soil anyway.

Until the attitude that security is a cost center with nothing to gain back goes away, it is no wonder that criminal organizations and foreign intel departments are having a field day.

Ironically, where I see actual improvement in security is in government. The main reason is that government departments (and this applies not just to the US but any country out there) have a lot to lose, especially around election years. Companies can fold and the CEO just moves to a new venture, but a government department that is weak on security will face the wrath of the voters, as well as any elected official that is looking to keep their jobs. In countries that are not democracies, it can mean loss of face for leadership which will be swiftly dealt with.

Re:Don't aim to outrun the bear... (1)

elucido (870205) | more than 2 years ago | (#39503225)

There are hackers, phishers, spammers, and other untrustworthy people on the internet. The FBI seems to have just realized that they can't prevent them from existing, and now tells us that we'll "never be secure", and people react. But this has always been the case offline as well. There are thieves, murderers, and con-artists, and we can never make them go away either, and as such, here too, we will never be secure.

That said, if you use common sense, encrypt your important data, don't click links in unsolicited emails, and use a password better than "12345", you'll already be enough of a pain to most "hackers" that they'll not bother, because next door, there's a guy who's got a plaintext full of banking passwords on his desktop with file sharing on.

There's a saying that if attacked by a hungry bear, you don't need to outrun the bear, just the other people at the campground. Same goes here.

But most hackers aren't the ones who the US government would have to use war powers against. The US government would have to use war powers to stop state sponsored hackers.

I can see it now (0)

Anonymous Coward | more than 2 years ago | (#39501175)

I can see it now. Due to rampant hacking we are enacting new laws requiring everyone to have an FBI secured internet box to protect your privacy. Followed by a clause in tiny letters "The FBI will have have access to all your data. But it's OK because we're the good guys".

How quaint (1)

Anonymous Coward | more than 2 years ago | (#39501201)

"...never have a reasonable expectation of privacy or security."

Yet the same government will step aside when the corporates want to nullify privacy, which means the question is really "from whom" and "for how much money".

losing a war? (0)

Anonymous Coward | more than 2 years ago | (#39501221)

a war? against cooperation, the US government needs to protect? against cooperation who can't afford to properly secure their OWN SERVERS!?!?
there is a war going on, smart vs retarded government agencies who work for big cooperation and who can't secure their servers...

it's time to pull the plug on the US governments protection of stupid...

Only a partial quote (1)

mr1911 (1942298) | more than 2 years ago | (#39501233)

"We're losing the war against hackers" is the public version.
"We're losing the war against hackers unless my budget is tripled" is what he tells Congress.

Re:Only a partial quote (0)

Anonymous Coward | more than 2 years ago | (#39501771)

I wish he was just after money, but most of the time you hear this kind of story from the FBI what they want from congress isn't money, but more power over people.

Re:Only a partial quote (1)

mr1911 (1942298) | more than 2 years ago | (#39501999)

I agree with your sentiment, except power isn't something they ask Congress for. They just do it and say they won't do it again if/when they get caught. Or they will do illegal and immoral things to gain new powers through FUD legislation. Google "fast and furious gunwalker" if you would like an example of the ATF and DOJ at work.

Security is swimming upriver by definition. (3, Informative)

El Jynx (548908) | more than 2 years ago | (#39501259)

Information sharing is built into the universe, and so is copying of patterns. Atoms and molecules share electrons in predictable ways, cells communicate with each other, living entities communicate and share in incredibly diverse and complex ways; and once "the cat is out of the bag" it's almost impossible to get it back in. Streisand effects ad nauseum. The war living things wage against each other on so many levels - for example, viruses versus our immune systems - are also a facet of this interaction. We exist in an environment where sharing and communication is fundamental and everything influences everything else in myriad, complex ways. Making something totally secure - in other words, preventing it from interacting with its environment - hence is utterly impossible, or at the very least the amount of energy required to secure something is immense and the result is always imperfect.

Goes for plagiairism as well. DNA copies itself, kids copy their parents, we copy habits and patterns from each other hundreds of times every day. It's part of our processes for optimalisation and they're also intrinsic to the universe. Thus, things like copyright are also doomed to fail. Here, too, the amount of energy required is huge.

Dr. Strangelove (3, Insightful)

Nimey (114278) | more than 2 years ago | (#39501263)

"Mr. President, we must not allow... a hacker gap!"

Standard tactic for getting the government to spend money on a military-industrial complex project.

Doomed to fail (3, Insightful)

jd2112 (1535857) | more than 2 years ago | (#39501279)

Any "war" where there isn't a party who can negotiate terms of surrender is doomed to failure.

Re:Doomed to fail (1)

regdul (2561319) | more than 2 years ago | (#39502007)

A war where there is no clear enemy can never be won but that's the whole point. If the war will never and you don't ave to take back the restrictions and laws you passed and you don't have to release prisoners of war (doesn't apply to "cyberwars" yet, but see the war on terror). And as a bonus it can't be "lost" either since there's nobody to whom you can surrender.

That's funny, I am consistently winning... (0)

Anonymous Coward | more than 2 years ago | (#39501283)

The first time I ever hooked up a computer to the Internet it was cracked and owned within two weeks. It took me half a day to remove the trojan, install a firewall, and discard all the "helpful security advice" from Microsoft and the antivirus industry. In the 15 years since, no computer under my control has had a security incident worse than a browser hijacker, with the impact confined to the settings in the browser itself.

The problems are twofold: 1) Microsoft makes tons of money from replacement sales to computer illiterate lusers who believe their compromised machine is "broken" and purchase a replacement. 2) A whole industry of useless "certified IT professionals" has been raised up to exploit Microsoft's deliberately broken security model, that makes them "indispensable" and "knights in shining armour" in a world filled with (non-existent) Super Hackers.

People who know how to secure a computer and a network are a very small minority, in terms of both numbers and dollars. Our voices are actively suppressed at every turn, because when people listen to us, Microsoft and their army of outside sales reps a.k.a. A+ and MCSE Certified technicians lose money and power. At least we have this: Ours are always the last systems standing.

Just like terrorism (3, Interesting)

honestmonkey (819408) | more than 2 years ago | (#39501321)

You can't really fight terrorism with bullets and bombs, just like you can't fight hackers with some "new" anti-virus program or whatever (at least not for long). But nobody wants to think like that. "If we kill enough of them, they'll stop" doesn't work with terrorists - they're roaches in the walls and you can't get them all without collateral damage or creating yet a different kind of roach. However, all we have are bullets and bombs. "If we build a good enough firewall, it'll stop them" is just a challenge to hackers. Nobody wants to hear "You must completely change how your computers work to have even a ghost of a chance." Instead, it's "How do I fix what I have now?" The answer "You can't" doesn't let you keep your job or make anyone any money.

Re:Just like terrorism (1)

elucido (870205) | more than 2 years ago | (#39503197)

You can't really fight terrorism with bullets and bombs, just like you can't fight hackers with some "new" anti-virus program or whatever (at least not for long). But nobody wants to think like that. "If we kill enough of them, they'll stop" doesn't work with terrorists - they're roaches in the walls and you can't get them all without collateral damage or creating yet a different kind of roach. However, all we have are bullets and bombs. "If we build a good enough firewall, it'll stop them" is just a challenge to hackers. Nobody wants to hear "You must completely change how your computers work to have even a ghost of a chance." Instead, it's "How do I fix what I have now?" The answer "You can't" doesn't let you keep your job or make anyone any money.

The way to stop hackers is to create jobs. When there's fewer jobs there tends to be more hackers just like any other type of crime.

If we are talking about cyber warriors then we are talking about state sponsored hackers and this is actually a war effort because these state sponsored hackers aren't civilians.

God (-1)

Anonymous Coward | more than 2 years ago | (#39501397)

God says...

heeded corrupted entrance Nebridius grievous burnt view
IMPLIED slippery perfect suck unemployed general author
teachings wanderer chaste pricked stays urgedst age Be
murder arrive after wantonness support harbour agonised
necessities occurred temperance conceit griefs connects
Grant sounding severed precedes eminence Court excites
fetched tried puppies clasped compassing happier deal
worthy ours temporary passages Ver liked pricked extinguished
cloudiness Animals sorrowed fighting renowned recognises
year's June discussed seeketh Beauty novice tilde program
feedeth Lo corruptly ascension devoutly pale guilt deformity
practise preeminent note unlimited regardless fled flock
circles vindicating forgetting nets Jews products EXPRESS
uninjuriousness with downfall patiently longed whirlings
hearken lectured unhappily talketh attaining distrusted
Old startles weaker dryness wooden reptiles traveller
walking fishes artifice plan Fire musical proportions
contents mountain befalls virtue horror smoothing tune
waste agito salary 'that sanctification beating happiness
hint pence stages inasmuch senseless hung universe uncase
grievously VIII lovers Because glorifies remembereth haunt
Please excellencies Omnipotency lewd consideration waterest
Pay persuasions veiled walls yielded invite dutiful happeneth
worse caught indirectly frenzy untruth mazes moral Insomuch

Businesses need to invest in IT from day 1 (5, Insightful)

undeadbill (2490070) | more than 2 years ago | (#39501399)

At least, that is what I got out of the warnings in the article. It wasn't about the FBI needing more money, so much as his discussion of the absolutely deplorable state of most business networks. Most businesses, even IT managers within businesses, seem to think that best security practice means sending someone to a Cisco firewall class, putting an ASA into an external facing connection, and passing a security scan as all they need to stop the bad guys. They never really consider what it means to really monitor the health of a network, or have an understanding of how their internal applications operate across their machines, nor are they willing to really invest in the kind of staffing and knowledge needed to make sure their data is actually secure. In the end, they are better off with making that early investment, because that knowledge also translates into fewer expenditures on gimmicky appliances, and a better focus on having things run right. It is a shame that mostly these businesses are blithely whistling past the graveyard.

Most businesses seem to miss from the day they replaced their file drawers with a file server, they went from a "widget" company to an IT company that does widgets. It is a subtle but definitive change in how businesses need to focus investments in resources. Unfortunately, most businesses just don't get it. They think because some snake oil dealer slapped "security" on the side of the box that the word means anything.

What I'd like to see is ACM, the ISC, ISC2 (no relation), and other organizations start pushing for more stringent best practices written into regulation (not law). Basically, if a business doesn't take the effort to invest in their own security, then they should be held liable if they get broken into. Don't expect insurance to pay out. Don't expect to be personally shielded by corporate liability if your client data goes into the wild. On the other hand, if businesses DO meet those standards, then they likewise shouldn't be held liable. I would really like to see the above organizations testifying on the Hill about what that would mean.

Re:Businesses need to invest in IT from day 1 (1)

Ocker3 (1232550) | more than 2 years ago | (#39503233)

Wait, so you're Not going make a post about the Government's War on Privacy and put up actual facts and try for a reasonable analysis? Fool, this is Slashdot, expect to be modded -1 Troll. *sigh*

The obvious problem, the unspoken answers (0)

idontgno (624372) | more than 2 years ago | (#39501421)

"I don't see how we ever come out of this without changes in technology

I.e., treacherous computing [gnu.org] , where the computer actually serves the powers-that-be and not you

or changes in behavior,

Um.... I got nothing here. People are douchebags. Period. People have been defrauding, trolling, lying, and generally hating since before recorded history, and nothing the government can do the change the basic core of human behavior. Embedding monitoring and control logic into each computing and communications node would be far easier, and profitable for those contracted to accomplish it.

The goal presented is absurd. (0)

Anonymous Coward | more than 2 years ago | (#39501455)

The common term "vulnerable network" has incorrect implications. It suggests that the current type of network would be "invulnerable", which is unreasonable. Applying that to the physical world demonstrates the absurdity of that goal. Something like 90%+ of US houses can be broken into with trivial effort (e.g. bump keys) if the burglar even bothers to acknowledge the lock - 99%+ if the burglar decides to just smash a window instead. And yet we don't get continual stories about how we're losing the war on burglaries.

Amazing... (1)

sirroc (1157745) | more than 2 years ago | (#39501465)

Its only taken them a "few" years to realize this... Yet, the war on drugs is 35(?) years strong now. When will they admit they can't win that one too?

Re:Amazing... (0)

Anonymous Coward | more than 2 years ago | (#39501725)

Its only taken them a "few" years to realize this... Yet, the war on drugs is 35(?) years strong now. When will they admit they can't win that one too?

+5, Insightful

I say we ... (2)

PPH (736903) | more than 2 years ago | (#39501473)

... take off and nuke them from orbit. Its the only way to be sure.

Changes in Technology (3, Insightful)

Anonymous Coward | more than 2 years ago | (#39501495)

The technology is fine, the problem is the user-centric security that everything employs. There's an alternative called the principle of least privilege [wikipedia.org] , which we use all the time in other aspects of life, just not with computers.

You might be tempted to think you know of a system that actually uses this, but you're wrong. The term capability has a lot of uses, and the application of it in Posix or Symbian systems isn't the same thing.

Only when we stop assuming that a program should be able to have free run of everything will we be able to fix this problem.

It's almost like there's an active conspiracy to keep this idea in obscurity..... but probably not.

It dosnt have to be "hackers" (1)

bobjr94 (1120555) | more than 2 years ago | (#39501515)

An employee, who is allowed access to files/info, that they then are then copying/sharing/selling... Users who don't log out of their computers, or administrator who give users to much access to things they dont need to see. Is it hacking then the person has a sticky note with this months password on their monitor, or on their pull out keyboard if they think they are being sneaky.

Re:It dosnt have to be "hackers" (1)

elucido (870205) | more than 2 years ago | (#39503183)

An employee, who is allowed access to files/info, that they then are then copying/sharing/selling...
Users who don't log out of their computers, or administrator who give users to much access to things they dont need to see.
Is it hacking then the person has a sticky note with this months password on their monitor, or on their pull out keyboard if they think they are being sneaky.

Espionage yes but that still involves hackers usually.

"war?" (1)

JustAnotherIdiot (1980292) | more than 2 years ago | (#39501541)

This is as much a "war" as kids playing with squirt guns in the backyard.

In related "news" (0)

Anonymous Coward | more than 2 years ago | (#39501557)

They are also losing the War on Drugs, the War on Terror, the War on Gambling, the War on Crime, the War on Prostitution, and the War on Thirst. There are some things that you just can't beat. Kill them all, and they will rise up again from an unrelated source.

hold on (0)

Anonymous Coward | more than 2 years ago | (#39501613)

Are they talking about real hackers that do shit of their own volition? Or about hackers who are talked into doing shit by the FBI and then arrested by the FBI, like the terrorists?

Not the government's business (1)

Hentes (2461350) | more than 2 years ago | (#39501621)

If corporations don't care about their own security why is it so important to the US government?

Re:Not the government's business (1)

jc42 (318812) | more than 2 years ago | (#39503013)

If corporations don't care about their own security why is it so important to the US government?

Perhaps because the US government makes a pretense of representing us, the citizens. And poor corporate computer security threatens us, especially since it makes our bank accounts vulnerable to criminals who can exploit the poor security. So it's not surprising that our representatives in Congress might be starting to get the message that there's a problem that's threatening their voters. And, being Congress, they do what the Constitution says is their role: They declare war.

Yes, this makes no sense at all. But nobody ever accused the US Congress of being full of people with sense.

Re:Not the government's business (1)

Hentes (2461350) | more than 2 years ago | (#39503245)

One solution could be to make corporations liable for loss of user data. I'm pretty sure that they would secure their systems surpisingly quickly if they are the ones who have to pay for a breach. That still wouldn't help against industrial espionage though.

Re:Not the government's business (1)

elucido (870205) | more than 2 years ago | (#39503175)

If corporations don't care about their own security why is it so important to the US government?

Our lives are at stake if some dumb corporation doesn't care about security. Some corporations are critical.

Define "We" .... (2)

sammcj (1616573) | more than 2 years ago | (#39501623)

Over the years I've been subjected to less and less personal data attacks to the point where I can't remember the last time I got a virus. Back in the day I used to be constantly battling with them.

Are we? (2)

Entropius (188861) | more than 2 years ago | (#39501631)

I'm able to do my job (high-performance computational simulations in physics) just fine without worrying about "hackers".

I buy shit off the internet, pay my bills, have cybersex with my girlfriend, play online games, and read the news -- no problems.

How are we "losing the war on hackers" if I can basically do all sorts of useful crap on the internet without having to greatly alter my patterns of behavior because of hackers?

I definitely am more worried about non-computer theft (which I've been the victim of quite a few times) than ONOZ HACKERS. Yes, there is computer crime, but it is really not that big of a deal.

cuttin' in on their action! (1)

v1 (525388) | more than 2 years ago | (#39501877)

They're just grumpy because others are cutting in on their action. If anyone's going to be violating your right to privacy, it's going to be them!

War? hackers? (4, Insightful)

jc42 (318812) | more than 2 years ago | (#39501975)

Solving the problem might require abandoning the "war" metaphor. Declaring this a "war" is a way of allowing the authorities to ignore insignificant (to them) things like legality and morality. The inevitable result, which we're already seeing, is offending a lot of the population by the overreaction and "scorched earth" tactics. Taking down sites without any semblance of due process is guaranteed to hurt a lot of innocent bystanders, and as with real wars, this just turns the population against you.

This is much like the "war on drugs". Even those of us who don't abuse (or even use) illegal drugs are still very likely to be offended by the atrocities committed by the warriors. Taking people's cars, homes, and sometimes lives without any sort of trial is both wrong and counterproductive, but it's what the "war" metaphor leads to.

There's also a major problem with the media's expropriation of the term "hacker", which was originally a term of high praise for a technical expert, retargetting (;-) it as a term for an anti-social criminal. This tends to get the message across that people with technical expertise in software security are considered suspect by the media and the general population. You want these people on your side. Characterizing them as criminals isn't the best way to make this happen.

As long as we have a "war against hackers", I'd expect the problems to get worse. That phrase itself is pretty much a guarantee that the problems won't be approached in a reasonable fashion. It also guarantees that lots of innocent bystanders will be hit by the warlike measures. Even worse, people who could have helped you will be classified as hackers and, uh, "discouraged" from helping find the solutions.

I'm reminded of the time, back in the 1960s, when a "War on Poverty" was declared here in the US. That one ended rather quickly, as lots of poor people started publicly asking where they could go to surrender. But it's not obvious that the large population of software "hackers" will take this approach. If I happened to be a software expert with some expertise in computer security, where would I go to surrender?

Re:War? hackers? (1)

elucido (870205) | more than 2 years ago | (#39503157)

It's a war in the sense that hackers can put lives at stake and get people killed. Yes it's accurate to describe it as a war.

But I don't think teenage script kiddies are "cyber warriors".

Who has what role? (0)

Anonymous Coward | more than 2 years ago | (#39501989)

Perhaps because the FBI doesn't have a clearly defined role, or at least not one that they willingly define to the public. They're all over the place. What the hell is the FBI, an domestic investigative body, doing in every country we have an embassy? Oh, right. Providing investigative administrative assistance.

Perhaps it's my fault to think they should only be operating within US borders. That said, let's look at the argument here. Losing to Hackers. Would that be domestic hackers, or foreign hackers? Can the FBI even tell the difference? I doubt it. Especially when it's been stated before Congress that the entire military and corporate network landscape has been compromised by China!

I digress though, since ICE is clearly handling those nasty trademark cases by shutting down product infringement websites both here in the US and overseas, where presumably, their only way in is if the TLD goes back to Verisign ownership. Good use of enforcement money and protection against industry products who can be easily replicated at 1/3 the price. To hell with International law, trade agreements, and treaties, right?

Then you have US-CERT, which I presume should be the one handling actual network security and response, seem to be doing a bang up job at the moment. Remember again how our entire military and corporate network environment has been infiltrated by foreign entities? Are they asleep at the switch or they just lacking the funding to implement effective policies.

Then we have the NSA, which I'd argue is in the best position to inform us of who is doing what to whom on the networks, and how we can better stopgap that, but that would mean admitting that they are actually vaccumming up every bit that travels more than a meter domestically.

And all that goes back to proper administration personnel, right? I mean, it's the arm-chair admins who are the last line of defense here isn't it? They're the ones securiing the networks, servers, web portals, access-rights, and so on, and so on ......

But we don't punish admins or contractors who lapse at their job, do we? Well, if they do, I haven't heard of too many other than those who were commiting fraud or vising questionably legal content on the web from work, instead of rolling out patches from earlier this week. I mean, we're still going after Gary McKinnon for 'logging in' to unsecured windows boxes at NASA. At least he brought awareness to the fact that some public facing machines were vulnerable. I'd say give him a $1000 cashiers check and be on about it. Oh, and fire the admins or permanently ban the Government contractors who were supposed to be doing the job they were hired for.

My point? It's spaghettification. Creating the DHS did nothing for any of this, even if that wasn't part of its intent. And I can bet you several things will happen in response to this giant gaping cluster-f#&k of a situation. Which will likely occur after another year or two, when more retiring long-serving members of the Gov, testify before Congressional posturing sessions. The result will be more money will be thrown at it, more completely misdirected legislation will be passed to combat it, usually pinpointed to restricting US citizens rights online, and more infiltration by foreign entities will ultimately ensue. All the while, from a legal perspective of the 'save your own ass clause', it's better for such compromises to exist in the first place lest the blame can't be held to the military or corporation, but to an untouchable 3rd party OUT of every US citizens jurisdiction.

Cynical? There isn't a word for how I feel about all this.

/rant

First of all... (0)

Anonymous Coward | more than 2 years ago | (#39502093)

the correct term is cracker. A hacker is a good thing.

Isn't this obvious? (1)

spynode (1377809) | more than 2 years ago | (#39502101)

US Firewall, here we come!

damn those hackers!!111 (0)

Anonymous Coward | more than 2 years ago | (#39502293)

they keep writing free software faster than we can use it!!111 halp!

Re:damn those hackers!!111 (1)

Daniel Phillips (238627) | more than 2 years ago | (#39503155)

they keep writing free software faster than we can use it!!111 halp!

Now that's scary.

Yeah, and he's so qualified to judge this.. (1)

guisar (69737) | more than 2 years ago | (#39502313)

Mr. Henry has earned a Bachelor of Business Administration from Hofstra University in New York, and a Master of Science in Criminal Justice Administration from Virginia Commonwealth University. He's a "bureau"crat saying what he's saying for political reasons and/or personal gain rather than any insight or competency. Not that academic credentials are the be all and end all but there's no indication either in his experience or training that would give me any confidence in his independent judgement or understanding of what others are telling him- other than that he's a politician....

http://www.fbi.gov/news/pressrel/press-releases/shawn-henry-named-executive-assistant-director-of-the-criminal-cyber-response-and-services-branch [fbi.gov]

Re:Yeah, and he's so qualified to judge this.. (2)

Daniel Phillips (238627) | more than 2 years ago | (#39503173)

And I would be far from surprised to learn he is an inveterate Windows user.

*facepalm* (1)

lightknight (213164) | more than 2 years ago | (#39502699)

What do you call a one-sided war, where the opposing side does not even register that you are fighting them, let alone why?

And this kills me. They want money for a 'war' that doesn't even exist, to produce armaments to fight enemies that do not wear uniforms and rarely act as groups, and to acquire powers which are so completely antithetical to this nation's foundation (super 4th Amendment violation) that merely suggesting the need for them guarantees an involuntary laugh from anyone with some learning in the field. It's such a power-grab, of such a large magnitude and breadth, using nothing but fear coupled with lies (of them being able to actually protect anyone, let alone themselves), that it is comparable to asking a King if you could have a night with the Queen, and oh, if you could, leave some condoms and lube on the night table near the bed.

Never mind the part where they will, in time, ask to install electronic agents on people's computers. I would be mindful to point at that that action will violate the 3rd Amendment: "No soldier shall, in time of peace be quartered in any house, without the consent of the owner, nor in time of war, but in a manner to be prescribed by law." In so far as they have labeled this a 'war,' by their very own language, and will, no doubt, ask to sequester electronic 'soldiers' on people's machines, in their homes, they will be in supreme violation of the law of the land.

But I digress. It's highly unlikely that the Supreme Court Justices, whose understanding of technology, I imagine, is eclipsed by their understanding of trainspotting, will lift a finger to stop that from happening.

Job creators. (0)

Anonymous Coward | more than 2 years ago | (#39502933)

How else would we employ all the cyber police.

Easy (1)

Daniel Phillips (238627) | more than 2 years ago | (#39503121)

Introduce an "intenet repair tax" that applies for Windows users. And they can just go on being lazy and fearful of changing to something better designed, but at least they will contribute towards paying for the damage.

There is never perfect security (1)

elucido (870205) | more than 2 years ago | (#39503141)

It's always an epic battle. That is why it creates jobs because there a problems to be solved which aren't easy.

The Answer (1)

Ukab the Great (87152) | more than 2 years ago | (#39503413)

"I don't see how we ever come out of this without changes in technology or changes in behavior"

ding, ding, ding, ding

What War? (1)

Doctor_Jest (688315) | more than 2 years ago | (#39503601)

Sounds like a "dire prediction" land-grab for an outgoing lunatic who needed to retire MANY years sooner....

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>