
Cybersecurity Laws Would Do More Harm Than Good

Unknown Lamer posted about 2 years ago | from the if-the-point-were-security-that-is dept.

Government 77

Trailrunner7 writes with one perspective on the inability of the Congress to pass 'cybersecurity' legislation before recessing. From the article: "They've taken innumerable swings at it, and struck out every time, ... and, for once, we all should be thankful for our lawmakers' inability to act. ... What it's not good at is understanding the Internet or acting swiftly and decisively. The current cybersecurity legislation mess is the perfect combination of those two factors. Corporations and government agencies in the U.S. have been getting their heads handed to them by attackers from around the world for several years now. Long-term, persistent campaigns have been targeting defense contractors, energy and utility companies, manufacturing firms, and government agencies with an alarming rate of success. But Congress, or at least some members of it, don't seem to understand that. Sen. Joseph Lieberman sent a letter Monday to President Obama, comparing the threat to U.S. networks from foreign attackers to the threat from terrorists before 9/11. He then urged the president to use his executive authority to somehow influence the situation. Let's be clear: If the companies that own and operate critical infrastructure — not to mention defense contractors — don't understand the nature of the threat they're facing at this point, no amount of incentives will change that. Neither Congress nor the President can fix this problem with the kinds of solutions they're considering." Reader CurseYouKhan links to a different perspective: "Chabinsky is the latest of several former Federal security types to issue warnings on the topic. Earlier this year, Shawn Henry, who recently retired as the Bureau's top cyber-sleuth, also called for a more offense-minded approach. Ex-CIA director Michael Hayden thinks the private sector may not wait for the government to act. He expects to see the emergence of a 'digital Blackwater,' or the emergence of firms that could be hired to go all mercenary on online intruders."


77 comments


digital Blackwater eh? (1)

X0563511 (793323) | about 2 years ago | (#41465143)

That sounds like a particularly nasty mess right there, as most of the attacks originate from foreign soil.

Re:digital Blackwater eh? (3, Interesting)

jeffmeden (135043) | about 2 years ago | (#41465191)

That sounds like a particularly nasty mess right there, as most of the attacks originate from foreign soil.

Given the complications of anonymity, subterfuge, and just outright corruption that could complicate an e-mercenary squad, the implications of this sort of thing proliferating will be HUGE. I don't like the idea of the government getting involved where they aren't needed, but at least they are typically either amenable to openness (via the FOIA or similar), or they are large enough to have a whistleblower ecosystem pre-installed (e.g. Bradley Manning). A private third party, whose allegiance might literally even be to a foreign state, is a very scary thought.

Re:digital Blackwater eh? (1)

Anonymous Coward | about 2 years ago | (#41465951)

Bradley Manning wasn't a whistleblower, he just dumped anything he could get his hands on like a spy.

Re:digital Blackwater eh? (0)

Anonymous Coward | about 2 years ago | (#41469767)

Ah, Mr Prince, how's things in Abu Dhabi these days?

Re:digital Blackwater eh? (1)

CanHasDIY (1672858) | about 2 years ago | (#41465235)

That sounds like a particularly nasty mess right there, as most of the attacks originate from foreign soil.

Interestingly, I had that idea (offensive cyber security) about 5 years ago, but was told by the TLA I approached that implementing such a strategy would do nothing but earn me a long sentence in a federal prison...

Re:digital Blackwater eh? (4, Insightful)

icebike (68054) | about 2 years ago | (#41465679)

Interestingly, I had that idea (offensive cyber security) about 5 years ago, but was told by the TLA I approached that implementing such a strategy would do nothing but earn me a long sentence in a federal prison...

As well it should.
Security is one thing, chasing criminals is quite another.

Protecting your network does not include attacking others. Packets arriving on your router are in no way like bullets arriving on your front door.

What's needed is a fast, focused, obligatory response from upstreams.
Too often complaining about an attack, even when the source is a known single point, results in no action at all from your provider.

Black ICE !!! (0)

Anonymous Coward | about 2 years ago | (#41465703)

Interestingly, William Gibson had that idea in 1982, or so. Google "Burning Chrome".

Black ICE [Re:digital Blackwater eh?] (1)

Geoffrey.landis (926948) | about 2 years ago | (#41467383)

Interestingly, I had that idea (offensive cyber security) about 5 years ago, but was told by the TLA...

And William Gibson talked about offensive cyber security quite a few years before that [tangentonline.com] -- he called it Black ICE. (ICE = Intrusion Countermeasure Electronics)

Re:Black ICE [Re:digital Blackwater eh?] (1)

CanHasDIY (1672858) | about 2 years ago | (#41467413)

I wasn't trying to imply that I came up with the idea, just relaying the anecdote of vague threats from government agents when I openly suggested implementing it.

Why is that an issue if the response is digital? (1)

SuperKendall (25149) | about 2 years ago | (#41465261)

That sounds like a particularly nasty mess right there, as most of the attacks originate from foreign soil.

It doesn't matter where the attack comes from, if the response is to counter-attack the computer system attacking you digitally.

You can imagine a team expert is taking over control of botnets or discovering control servers and using exploits to disable them.

In the end the owner of a system on a network has the responsibility to keep a system they control from attacking other systems on the network. If they are unable to do so other systems on the network being attacked should have the right of self-defense even if it means the attacking system goes down... if it's under outside control it's essentially already down, or at least very likely to be a source of harm to the owner even if they do not yet know it.

Re:Why is that an issue if the response is digital (2)

icebike (68054) | about 2 years ago | (#41465787)

the network being attacked should have the right of self-defense

Be careful what you wish for. You might just get it.
A packet is not a bullet. Don't equate the two metaphorically.

When you start giving people attack authorization in an effort to curb ping floods you are asking for the same
type of unfettered authority that big media used to go after Kim Dotcom. You will rue the day such a
provision became the law of the land.

Not the same thing (1)

SuperKendall (25149) | about 2 years ago | (#41466109)

A packet is not a bullet. Don't equate the two metaphorically.

Metaphorically speaking, it can be identical. It is not always so, but a system being flooded by a botnet is under attack just as surely as a fortress with a thousand bullets flying at the walls.

When you start giving people attack authorization in an effort to curb ping floods you are asking for the same type of unfettered authority that big media used to go after Kim Dotcom.

We are talking self-defense of a server being attacked over a network.

In no way would what happened with Kim Dotcom be the same. The main reason of course is that Kim Dotcom was PHYSICALLY attacked. I am only talking about people attempting to electronically attack servers to the degree they no longer attack - not storming in and taking actual server hardware.

Also Kim Dotcom was never involved in an attack on anyone. He was more like a library than an assault force (to brutally stretch the metaphor).

Re:Not the same thing (3, Insightful)

icebike (68054) | about 2 years ago | (#41466453)

You've totally missed the point here.

The point is that big media used copyright laws to goad big government into taking world scale action, including armed response, arrest, seizure, all in response to a little phrase in the law about "defending their copyright".

Can you imagine what might happen if you gave an Electric Power utility the right to counter attack rather than simply taking their plant control systems off of the public network?

Can you assure me you can write legislation authorizing counter attacks that will never result in more loss of freedom, more abuse of authority? Can you assure me that If I write a blog complaining about brownouts and post a link to the Power Companies complaints page, that I won't have jack booted thugs arriving at my door step simply because other people went to that page and complained also? Can you write legislation that will not be stretched to point of labeling encryption a munition?

The issue here is infrastructure serving entire cities and states, not some web site that goes down meaning you have to drive to your bank rather than banking on line.
A thousand bullets hitting the wall of a fortress does nothing. 50 million hitting the wall in the same place may make a little hole after awhile.

But the minute I unplug the router and take my oil refinery off the public network, all those "dangerous packets" go nowhere.
Exxon does not need counter attack authority. Anyone thinking they do is a very dangerous person.

Re:Not the same thing (1)

SuperKendall (25149) | about 2 years ago | (#41466879)

The point is that big media used copyright laws to goad big government into taking world scale action

Yes they did, and that is utterly unlike private companies taking action for virtual defense. There is nothing whatsoever similar about the two things. I'm not missing anything; you are confusing everything.

all in response to a little phrase in the law about "defending their copyright".

Defense of copyright is an abstract concept with a huge legal and regulatory structure built around it. What it is not at all like is the ability for a private company to respond to a real assault.

Can you imagine what might happen if you gave an Electric Power utility the right to counter attack rather than simply taking their plant control systems off of the public network?

Yes I can, the result is a good one. Any infrastructure being used to attack a power plant could attack anything else. Any such infrastructure being compromised is probably ALSO collecting data the owner of the infrastructure would classify as secure.

Can you assure me you can write legislation authorizing counter attacks that will never result in more loss of freedom

I'm not talking about writing any legislation at all. I was merely responding to the concept of a "digital blackwater" and what it would mean. It does not have to mean new legislation.

Microsoft is ALREADY taking some botnets out. No legislation involved.

Can you assure me that If I write a blog complaining about brownouts and post a link to the Power Companies complaints page,

That is not a "physical" assault and would have no cause for physical retaliation. Again you are confused between a "real" attack and words.

The issue here is infrastructure serving entire cities and states

Yes, if such infrastructure is infiltrated it should be taken offline ASAP before further systems can be infiltrated. Companies attacking back could accomplish this. Over time ALL companies, not just utility companies, would have to learn to secure systems better and compartmentalize security breaches.

To bring in a new metaphor, right now lots of companies computer security is sloppy, and they are getting away with leaking toxins into the internet at large. Should they be allowed to do so just because some of the companies leaking digital toxins also run power plants?

Exxon does not need counter attack authority.

Yes they do, as does any company with infrastructure on the internet - because it makes the whole internet a much safer place.

Re:Why is that an issue if the response is digital (1)

Anonymous Coward | about 2 years ago | (#41466829)

People who live in digital houses shouldn't throw packets...

Re:Why is that an issue if the response is digital (2)

Hizonner (38491) | about 2 years ago | (#41466639)

You do know that the Internet doesn't guarantee the authenticity of source IP addresses, right? Among the dozens of other ways you can be misled about the source of something?

Not too smart to let your adversary control your targeting.

You do know that most "computer systems" are shared hosting, right?

I can't imagine a "team expert" doing very damn much good in most cases, but I can sure imagine a team cowboy doing a whole helluva lot of damage to disposable tentacles, and whole helluva lot of collateral damage along with it. And probably calling it a "success", too. Then they'll automate it and make it even more braindead. And it'll be another cash cow for the security equipment makers, and the software industry as a whole will continue to whine that it can't possibly make, you know, software that works and is at least slightly difficult to disrupt.

No, thanks.

Re:Why is that an issue if the response is digital (1)

SuperKendall (25149) | about 2 years ago | (#41469583)

You do know that the Internet doesn't guarantee the authenticity of source IP addresses, right?

Presumably a "digital blackwater" would be able to double check before attacking.

You do know that most "computer systems" are shared hosting, right?

Yes, I also know that the shared hosting can impose processor and memory limits on slices so impact of attacking that share would not affect the other shares (unless you are talking about a reverse denial of service, which I am not).

I am not talking about a nuclear network response that takes out a data center, but hacking the specific system(s) attacking you.

I can sure imagine a team cowboy doing a whole helluva lot of damage to disposable tentacles, and whole helluva lot of collateral damage along with it.

Then the company launching the counter attack would be sued and that would be the end of that, which is why such a team would in fact be careful and not cowboy.

Then they'll automate it and make it even more braindead.

Which they would not do because, again, legal exposure.

it'll be another cash cow for the security equipment makers,

Got bad news for you bro; security equipment makers win either way.

In fact they win bigger in a system where you just let botnets have their way with you and let them carry on.

the software industry as a whole will continue to whine that it can't possibly make, you know, software that works and is at least slightly difficult to disrupt.

There I disagree. I think having infected systems being taken offline along with critical business systems will finally get management to realize there is a real cost to not paying attention to IT's desire to spend money securing systems, and companies as a whole would start to treat system security with the importance it deserves.

Re:Why is that an issue if the response is digital (1)

Hizonner (38491) | about 2 years ago | (#41469803)

Presumably a "digital blackwater" would be able to double check before attacking.

Here [wikipedia.org] is the kind of double checking we got from "analog blackwater". You may have noticed it caused kind of a bit of concern at the time.

Why would one expect "digital blackwater" to be better, exactly? Cowboys are cowboys.

I am not talking about a nuclear network response that takes out a data center, but hacking the specific system(s) attacking you.

It's not that easy to get into just anything on demand. This team of yours is going to be under pressure to produce results. How long before they decide they have a "critical need" to resort to denial of service? Or before they decide that the best way in is to hack the hosting or virtualization platform itself, get that wrong, and shut down a bunch of innocents?

And shared hosting doesn't totally isolate clients from one another, either. Not even VPSes.

Then the company launching the counter attack would be sued and that would be the end of that, which is why such a team would in fact be careful and not cowboy.

Um, people aren't generally that disciplined. The priorities of the moment take over. Especially because the incentives of the actual humans involved are not the incentives of the corporation. Get the boss off your back...

And what makes you think this mythical tiger team is going to make itself easy to trace and sue, anyway? You want to be stealthy so the "bad guys" don't come back on you. And, hey, you might as well be stealthy so that damaged third parties can't come back on you, either. "After all", these people will reason, "it was just an honest mistake".

So people getting sued would probably be a rarity, and that would lead to a "can't happen to me" attitude.

And once you normalize the behavior, it tends to escalate.

Re:digital Blackwater eh? (2)

im_thatoneguy (819432) | about 2 years ago | (#41465337)

Which is precisely the problem. If you are a corporation then US law prohibits you from striking back. So all you can do is play defense defense defense. You can harden your systems all you want but being a stationary and fallible target it's almost inevitable that you'll be compromised. It's too easy to compromise a system. And even if you identify the attackers it's unclear if the judicial system simply doesn't care or the government is the attacker. It's incredibly difficult to press charges against foreign hackers. So without a viable means of justice it's not surprising that people want to resort to the oldest form of 'justice' in history when there are no peaceful responses: violent and forceful action. You might not be able to sue them but you can hopefully start making it more expensive by finding the sources and shutting them down.

Re:digital Blackwater eh? (1)

whoever57 (658626) | about 2 years ago | (#41468605)

So all you can do is play defense defense defense. You can harden your systems all you want but being a stationary and fallible target it's almost inevitable that you'll be compromised. It's too easy to compromise a system

Maybe the " defense defense defense" approach is flawed also (or perhaps the way that people "play defense" is flawed). Perhaps you start by looking at what technologies have been compromised most frequently and you avoid those technologies.

Re:digital Blackwater eh? (1)

im_thatoneguy (819432) | about 2 years ago | (#41472619)

Perhaps you start by looking at what technologies have been compromised most frequently and you avoid those technologies.

That technology is usually a person.

Re:digital Blackwater eh? (1)

surgen (1145449) | about 2 years ago | (#41465667)

That sounds like a particularly nasty mess right there, as most of the attacks originate from foreign soil.

This is terrible terrible news for the coffee shops of the world that offer free wifi.

Because if someone can break in, either the company broken into is completely incompetent at their own security, or the attacker is good enough to have the foresight required not to launch an attack from their own network.

We should almost always be thankful (1)

Anonymous Coward | about 2 years ago | (#41465167)

" and, for once, we all should be thankful for our lawmakers' inability to act."

We should almost always be thankful of our lawmakers' inability to act. Consider how many times each day you say to yourself how glad you are that someone else decided something on your behalf.

Re:We should almost always be thankful (0)

Anonymous Coward | about 2 years ago | (#41465251)

" and, for once, we all should be thankful for our lawmakers' inability to act."

We should almost always be thankful of our lawmakers' inability to act. Consider how many times each day you say to yourself how glad you are that someone else decided something on your behalf.

Took a shower and thought "boy I am glad I made the decision of coming up with and implementing a water purification and delivery system..." Got in to the car, pulled out of the driveway, and thought "boy I am glad I made the decision of coming up with and implementing a standard system of roads to drive to work on"...

Hell, right now I am thinking to myself "boy am I glad I decided to make assault a felony, because otherwise I would be kicking the ass of this idiot on the internet"...

Re:We should almost always be thankful (-1)

Anonymous Coward | about 2 years ago | (#41465421)

Don't use logic on the libertardians, it only infuriates them.

Re:We should almost always be thankful (1)

Anonymous Coward | about 2 years ago | (#41465753)

Don't use logic on the libertardians, it only infuriates them.

The free market will sort *that* out, too...

Re:We should almost always be thankful (1)

lightknight (213164) | about 2 years ago | (#41465833)

I believe you forgot the part where "the motherland will provide!"

But you're probably too young to know what that's referencing.

The government already has security requirements (1)

jpschaaf (313847) | about 2 years ago | (#41465213)

Uncle Sam already plays a heavy hand by defining standards that apply to software products that are sold to the US government. Ever hear of FIPS 140-2? The document that says exactly which encryption algorithms are allowed and not allowed? Both Microsoft and Linux vendors (RedHat, SuSE) have incorporated FIPS mode in their operating systems. Not surprisingly, these modes are generally turned off...

Re:The government already has security requirement (1)

chill (34294) | about 2 years ago | (#41465493)

Not surprisingly? Do you have ANY clue on this subject at all?

What is wrong with mandating someone use a validated, tested algorithm and implementation instead of pulling one out of their ass and claiming their "proprietary solution" is superior?

The only thing turning off FIPS 140-2 compliance mode does is allow users to make stupid choices. FIPS mode prohibits that.

What's your issue?

Re:The government already has security requirement (1)

Dekker3D (989692) | about 2 years ago | (#41466021)

His/her issue is probably the concept that one government can set a mandate on a piece of software used internationally.

Re:The government already has security requirement (3, Informative)

chill (34294) | about 2 years ago | (#41466215)

It doesn't. It mandates the use of FIPS 140-2 validated components when doing business with or for the Federal Gov't.

Most people wouldn't even know if it was turned on. All it really does is set a configuration where when you use crypto all that is available to choose from is 3DES and AES. And for hashes, SHA-1 or SHA-2 suite. You can't use MD5, Blowfish, DES, or some proprietary crap the vendor is trying to pawn off to lock you in.

And it must be a validated implementation. That is, you can't code up your own version of AES in Javascript and use that. Yes, OpenSSL has a validated version and that is the core module used by almost everyone in FOSS land.

I'm having a hard time understanding why, of all the things gov't mandates, picking on THAT one as a bad example.

Re:The government already has security requirement (1)

jpschaaf (313847) | about 2 years ago | (#41467089)

What's your issue?

I have lots of issues with FIPS 140-2. Number one on the list is the fact that the list does more to constrain algorithms than to guarantee a good algorithm will be used. Number two... people are afraid to upgrade to a newer OpenSSL with security patches for fear of losing their precious $50,000 validation. I also have issues with the self-testing requirements. It's a waste of CPU time. Why make people wait an extra half-second every time they open a program that uses encryption?

Re:The government already has security requirement (1)

chill (34294) | about 2 years ago | (#41467449)

I'm not sure I understand. By constraining algorithm choice to good algorithms it guarantees a good algorithm will be used. Are you saying that the SHA-2 suite and AES are not good algorithms?

The recent validation of OpenSSL FIPS Object Module 2.0 should address fear of patches. If it doesn't, then they are either dicking with the code themselves and are rightfully fearful, or don't understand the process.

As for self-testing requirements, wow. That explains the issue. That mentality right there is why security frequently fails.

Obviously you don't consider the crypto really that important. And that may be rightfully so, depending on the corresponding risk analysis. But we're not talking about your online purchases from Amazon where your liability is limited to $50 in credit card fraud, we're talking about critical infrastructure. In these cases it matters. Getting it wrong can have consequences that could potentially be catastrophic.

In places that crypto is important to get right there is no such thing as "trust me, this is good". NO, YOU ARE NOT TO BE TRUSTED. WE MUST VERIFY. Yes, every time.

Re:The government already has security requirement (1)

jpschaaf (313847) | about 2 years ago | (#41469013)

What possible good is re-encrypting the same test data every time you load the library? Either the algorithms are correct, or they're not.

Re:The government already has security requirement (1)

chill (34294) | about 2 years ago | (#41470359)

To ensure that the module itself hasn't been tampered with once it has been validated.

Verifying correctness of the algorithms and their implementation was the purpose of the lengthy NIST validation process.

After that, before each use, they're checking to make sure someone hasn't pulled a fast one and modified the code.

Ken Thompson's ACM classic Reflections on Trust [bell-labs.com] back in 1984 really laid this issue bare. He was discussing compilers, and considering OpenSSL's validation is for source code and you can compile it yourself, it is very pertinent.
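The exchange above turns on what a load-time self-test actually buys you. The following is an added illustration, not code from the thread or from OpenSSL's FIPS module: a simulated crypto module that runs a software integrity check and known-answer tests at power-up, and refuses service until they pass. The module image, the integrity key, and the three tamper scenarios are constructed for the example; the test vectors are the published SHA-256 "abc" digest and RFC 4231 HMAC test case 1.

```python
"""FIPS 140-style power-up self-tests: integrity check plus known-answer tests.
Illustrative only; the 'module image' and integrity key are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable

# Published known-answer vectors.
SHA256_KAT_MSG = b"abc"
SHA256_KAT_DIGEST = bytes.fromhex(
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
HMAC_KAT_KEY = b"\x0b" * 20
HMAC_KAT_MSG = b"Hi There"
HMAC_KAT_TAG = bytes.fromhex(
    "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")

# Constructed: stands in for the key a real module embeds to MAC its own image.
INTEGRITY_KEY = b"example-integrity-key-embedded-in-module"


class SelfTestError(Exception):
    pass


@dataclass
class CryptoModule:
    code: bytes                                   # the module image
    expected_mac: bytes                           # HMAC fixed at validation time
    sha256: Callable[[bytes], bytes]              # entry points into the image
    hmac_sha256: Callable[[bytes, bytes], bytes]
    approved: bool = False                        # only True after tests pass


def integrity_mac(code: bytes) -> bytes:
    return hmac.new(INTEGRITY_KEY, code, hashlib.sha256).digest()


def power_up_self_test(mod: CryptoModule) -> list:
    """Run the load-time checks; return the names of the checks that failed."""
    failures = []
    # 1. Software integrity test: has the image changed since validation?
    if not hmac.compare_digest(integrity_mac(mod.code), mod.expected_mac):
        failures.append("integrity")
    # 2. Known-answer tests: do the entry points still compute the approved
    #    functions? An implementation patched in memory after the image
    #    check, or swapped for a different one, is caught here.
    if mod.sha256(SHA256_KAT_MSG) != SHA256_KAT_DIGEST:
        failures.append("sha256-kat")
    if mod.hmac_sha256(HMAC_KAT_KEY, HMAC_KAT_MSG) != HMAC_KAT_TAG:
        failures.append("hmac-sha256-kat")
    mod.approved = not failures
    return failures


def digest(mod: CryptoModule, data: bytes) -> bytes:
    """Service entry point: usable only once the module is in the approved state."""
    if not mod.approved:
        raise SelfTestError("module not in approved state; self-tests failed or not run")
    return mod.sha256(data)


def good_sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def good_hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


# Constructed stand-in for a validated module image.
VALIDATED_CODE = b"\x7fELF constructed stand-in for a validated module image"


def build_module(code: bytes) -> CryptoModule:
    """'Validation time': compute the integrity MAC and embed it in the module."""
    return CryptoModule(code, integrity_mac(code), good_sha256, good_hmac)


def scenario_untampered() -> list:
    return power_up_self_test(build_module(VALIDATED_CODE))


def scenario_patched_image() -> list:
    # Image edited after validation: the integrity MAC no longer matches.
    mod = build_module(VALIDATED_CODE)
    mod.code = mod.code.replace(b"validated", b"patched")
    return power_up_self_test(mod)


def scenario_patched_in_memory() -> list:
    # Image bytes untouched, but the hash routine was replaced at runtime by
    # one that zeroes half of its output; only the known-answer test sees it.
    mod = build_module(VALIDATED_CODE)
    mod.sha256 = lambda d: hashlib.sha256(d).digest()[:16] + b"\x00" * 16
    return power_up_self_test(mod)


if __name__ == "__main__":
    for name, fn in [("untampered", scenario_untampered),
                     ("patched image", scenario_patched_image),
                     ("patched in memory", scenario_patched_in_memory)]:
        print(f"{name}: failures={fn()}")
```

The two tamper scenarios show why both checks exist: the image MAC catches an on-disk modification, while the known-answer tests catch a routine that was replaced after the image was measured.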

This sounds... (-1)

Anonymous Coward | about 2 years ago | (#41465255)

...suspiciously like a conservative argument. If there's a problem, leave it alone and those who are affected by it will eventually find the easiest and most efficient way to solve it. Government involvement only complicates things.

And of course, we can't have a pro-conservative viewpoint on Slashdot. If it ever happened, the resulting paradox would destroy the universe.

What should that look like? (5, Insightful)

Opportunist (166417) | about 2 years ago | (#41465273)

Yes, we must do SOMETHING! Dunno what, but SOMETHING! And don't anyone think of the children?

Seriously, though. What kind of "action" does the honorable senator expect from Obama? I dunno, it seems Obama isn't just seen as some kind of magic worker by some voters (akin to "we gotta get economy back on track, Obama, go and fix!"), it seems the honorable senator seems to have fallen for the same spell. Great wizard Obama, swing your magic wand and DO SOMETHING!

There is no legal solution for it, though. First of all, you can't just outlaw hacking. That's already the case, you know? What do you want? More severe punishment? Doesn't faze the guy in Iran, China or $whatever-stan who wants to blow up your power plant. The only thing that might accomplish is to quench "hacktivism" akin to Anonymous with the drawback that everyone who actually knows a thing or two about hacking will keep their mouth shut instead of actually informing the relevant authorities.

Require companies to tighten their security? Then we are where we are already: Where security is a topic for risk management, not for IT. How much does it cost to implement security? How much is the fine? How likely is it going to happen? Now you can either lower the fine to a ridiculous amount where no halfway large company takes it seriously or jack it up to a level where doing online business becomes Russian roulette for smaller companies.

Because, and here's the actual problem, there is no such thing as perfect security. If everything else fails, your admin might double cross you.

Still, the ONLY place where you can put the lever is the target of attacks, not the source, since the source, as has been stated above, is often outside of your jurisdiction. But is putting the burden on the victim really the way to go? I kinda doubt it.

Bottom line, as long as people and companies have no interest in security, no law you could draft will change their attitude towards it.

Re:What should that look like? (0)

Anonymous Coward | about 2 years ago | (#41465345)

Yes, we must do SOMETHING! Dunno what, but SOMETHING! And don't anyone think of the children?

At some point the value of the common good needs to be considered as the benefit to a unified, government-sponsored approach. Or, I suppose it's OK with you if you have the only computer not infected by a virus, since hell it's still someone else's problem!

Re:What should that look like? (2)

Opportunist (166417) | about 2 years ago | (#41466823)

The point is that you can sponsor it all you want, government cannot take this problem off you. Sorry, some things you gotta sort out for yourself, no wizard of Washington will fix it for you.

Re:What should that look like? (1)

dumky2 (2610695) | about 2 years ago | (#41478111)

If viruses are a big problem (high on people's value scale), then various companies will be happy to sell solutions, as far as feasible. I don't even know all possible solutions, since that is the point of creative entrepreneurship.
But some examples I can imagine: pick an ISP who quarantines infected computers, use VPN to create a virtual network of secure machines on an insecure network, build a more secure OS (see security design in modern mobile OSes, or isolation in modern browsers), use alternate networks with their own rules (strongly identified parties).

The common good is a shorthand for lots of small individual benefits. There is not one uniform common good for everyone. Looking at it in details (diverse and distinct situations as opposed to an aggregate blob) offers a better understanding of the problem, suggests more effective and efficient solutions, brings about economical trade-offs.

The only thing a government approach does is bring a slow, centralized and coercive "solution", as opposed to an emerging and persuasive solution. Yes, persuasion is harder, but that is the foundation of a peaceful society. Of course, both Congress and companies are eager to take advantage of tax powers to socialize costs.

Didn't Lieberman help make PGP? (1)

Anonymous Coward | about 2 years ago | (#41465309)

In the 1990s, didn't the same senator demand laws against all crypto, causing PRZ to make PGP in the first place?

Wasn't he also behind the push for the Clipper chip, key escrow, and other GAK (government access to keys) measures?

*sigh* I wish I could vote for a Tim May and Black Unicorn ticket.

There is more concern than most people think (2)

sackofdonuts (2717491) | about 2 years ago | (#41465351)

If folks actually think government agencies and industry aren't well aware of the criticality of the security threats then they are living in a fantasy world. I can believe congress has that attitude. Those folks are literally 10 years or more behind the curve in IT technology. And this just sounds like another attempt at grabbing more control of the internet by fear mongering.

He assumes these laws are about security (0)

Anonymous Coward | about 2 years ago | (#41465383)

When these laws are really about information control and licensing, universal taxation, universal copyright enforcement and universal surveillance.

There was no threat before 9/11 either (1)

bluefoxlucid (723572) | about 2 years ago | (#41465385)

The threat of terrorist attacks before 9/11--I'll interpret that to mean "the impending threat leading up to 9/11"--is nothing. It's akin to the threat of getting hit by a meteor, or lightning. It'll happen -eventually-, for sure; there's always been terrorists, lightning, and meteors. Here's the thing: Terrorists hit shit with the planes because of dumb luck. They've been in and out and tried this stuff for decades, finally got one through, and haven't since. TSA is ineffective as hell, but locked cockpit doors are a step up. Thing is, they're a step up when there's not suddenly The Brown Spy wandering around on every plane trying to get into the cockpit; the whole of Southeast Asia didn't become our enemy overnight, they're not all out to get us, and the people trying are still insane and stupid and relatively sparse (there's hundreds of them? On a planet with 7 billion people? Our country has 300 million people?).

The threat just isn't there. The internet is rough, it'll get rougher, but it's a nasty shitpipe for the bottom dregs of society as-is.

Re:There was no threat before 9/11 either (1)

icebike (68054) | about 2 years ago | (#41465957)

The threat before 9/11 was well known, not only by our own people, but by other mid-east countries that tried to warn us, and even tried to hand over Bin Laden. Clinton was too busy getting BJs from Lewinsky to even worry about what everyone was telling him. After all, two previous bomb attempts on the World Trade Center were merely petty criminals, right?

Means and methods were not discovered until after the fact, but they were there and these particular terrorists were already being watched. One was already in jail.

There were plenty of impending threats leading up to 9/11, but then, as now, nobody in government was taking it seriously.

Re:There was no threat before 9/11 either (1)

bluefoxlucid (723572) | about 2 years ago | (#41467359)

2 previous bomb attempts on the WTC, also the Oklahoma City Bombing, some other random crap from here or afar.

You make my point for me though. There was terrorism before 9/11. There is terrorism after 9/11. 9/11 wasn't special, it wasn't the beginning of a trend, it wasn't a new thing; it was the exercised probability that you'll get hit by lightning. Yeah, okay, maybe somebody dropped the ball; eventually somebody always drops the ball.

In this case it looks like they were dropping the ball so hard they should have got nuked. WTC didn't come down because the FBI was dealing with 350,000 terrorist attacks and ONE slipped through; at worst, it happened because it was the only thing going on, and so much of the crap that goes on is such a non-starter that everyone dozed right through it until it got rammed up their ass.

Look around you: nobody in government is taking anything seriously? Well shit, nothing's happening. When something does happen, it's just part of the routine, the one crazy guy that didn't get shot out there or didn't get stopped coming in or didn't get caught smuggling bomb materials through customs. The guy we dozed on because nothing ever really happens and so much small shit gets stopped--and not by TSA and post-9/11 handjobs, but by actual military intelligence and border patrol. The world is just mundane.

TSA (2)

gmuslera (3436) | about 2 years ago | (#41465417)

It's about control, not the remote chance of finding something they say they are after. The real enemy, depending on which side you take, is the population or the government, not outsiders.

For once be thankful for inability to act? (3, Insightful)

perpenso (1613749) | about 2 years ago | (#41465461)

... for once, we all should be thankful for our lawmakers' inability to act ...

Only once? While gov't does occasionally get things right, getting it wrong is hardly a rare instance.

Think about how often gov't gets it wrong with respect to tech issues. The truth is they get it wrong just as often in other domains as well. We merely don't understand those other domains so we don't see the problems, we read some news article and all we see is legislation with good intentions. I'm sure some non-techie is reading an article about gov't going to increase cybersecurity and is thinking "sounds like a good idea".

IMHO we in the U.S. are judging our politicians too often by their good intentions rather than their actual performance, and politicians have adapted to this environment accordingly. All they really care about is that they hold the "correct" stand on an issue, not actually accomplishing anything. Until we start voting out people because they supported well-intended but poorly thought out legislation, little will change.

Re:For once be thankful for inability to act? (0)

Anonymous Coward | about 2 years ago | (#41467029)

we in the U.S. are judging our politicians too often by their good intentions rather than their actual performance

That's just human nature -- being applied to the most dangerous, destructive force possible (government). It works the same way in the workplace -- the people who get promoted (or receive special favors) are those who emphasize "intentions" and "effort" over performance, and the people doing the promoting readily accept it because that is exactly how they got the job. Meanwhile, the people quietly doing the actual work go completely unnoticed.

The rigger died. (3, Funny)

HeckRuler (1369601) | about 2 years ago | (#41465465)

the emergence of a 'digital Blackwater,' or the emergence of firms that could be hired to go all mercenary on online intruders.

I've played that Shadowrun module.

why trust the government (3, Insightful)

one_who_uses_unix (68992) | about 2 years ago | (#41465519)

I am constantly amazed at arguments in favor of whatever government action folks want that base their premise on the trustworthiness of government. Why does anyone think they can trust a government? Now I am certainly not an anarchist, however I take the same view of centralized government that the founders of the US took - powerful central governments will inevitably grow and be corrupted because they are comprised of humans who are eminently corruptible.

It amuses me to see folks distrust a corporation and turn to the government as if the people in a government job are somehow more moral or ethical than those in private sector. They are all made of the same human stuff, all just as corruptible - the only meaningful difference is that the humans in government wield the power of massive force to accomplish their goals.

The government has NO business getting involved with cyber security any more than they do getting involved with how I secure my house or car. The government sucks at doing things efficiently and using best practices - the examples are legion.

People need to take personal responsibility for their systems and decisions.

Re:why trust the government (0)

Anonymous Coward | about 2 years ago | (#41465925)

I am constantly amazed at arguments in favor of whatever government action folks want that base their premise on the trustworthiness of government. Why does anyone think they can trust a government?

We all, to some degree, place trust in our government. Unless you are living off the grid (you aren't), then you place implicit trust in government as well--whether you realize it or not. The common line of thought is that the government you place trust in is an extension of the public and beholden to them. In contrast, a corporation is purely an extension of its shareholders and beholden to them (assuming it is public; a private company is even less so). It should be pretty obvious, when push comes to shove, which entity is more likely to hold your interest in mind.

The government has NO business getting involved with cyber security any more than they do getting involved with how I secure my house or car.

Police exist for a reason, and while I am sure many civilians are comfortable in their ability to shoot any perp who wrongs them, there are a great many more people who are unable to defend themselves and who must rely on the police. Equally, government belongs in cyber security. Or are we to leave it to the citizens and corporations to figure out which hacker group used a zero-day exploit to steal a massive amount of credit cards? How would the citizens possibly defend themselves here? There is no way the victimized corporation will release any server logs or breach data. And how would the corporation possibly bring these criminals to justice? Corporations don't have the resources to pursue these criminals. Even if the corporations somehow caught the criminals, who would bring them to justice? (Hint: it would need to be the *gasp* government.) Without a government involved in cyber security, hacker/criminals are left to their own wilds to fuck shit up as they see fit.

People need to take personal responsibility for their systems and decisions.

Personal responsibility my ass, you're promoting a criminal culture with minimal repercussions to the criminals and zero power to the end user. No fucking thanks.

Agreed, 110% (here's a way for Windows users) (0)

Anonymous Coward | about 2 years ago | (#41465937)

"People need to take personal responsibility for their systems and decisions." - by one_who_uses_unix (68992) on Wednesday September 26, @12:46PM (#41465519) Homepage

Per my subject-line above: Agreed, & here's the EASIEST WAY for Windows users to do so @ least

(Via CIS Tool -> http://www.computerworld.com/s/article/9018362/CIS_tool_aims_to_help_federal_agencies_check_Windows_security_settings [computerworld.com] , a MULTI-PLATFORM security test that is FUN to use & do, almost like a performance benchmark, albeit, for system security instead...)

It is also FREE for Windows 2000/XP/Server 2003 users, & timeout version trial is available for Windows 7/Server 2008 users ( The 30-day trial is MORE THAN ADEQUATE to run it, & export the .reg file changes it makes to re-use again).

---

HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA/Windows7/Server 2008, & make it "fun-to-do":

http://www.google.com/search?hl=en&source=hp&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1 [google.com]

---

To "immunize" a Windows system, I effectively use the principles in "layered security" possibles!

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE [bing.com]

I.E./E.G.-> I have done so since 1997-1998 with the most viewed, highly rated guide online for Windows security there really is which came from the fact I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:

http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text [neowin.net]

& from as far back as 1997 -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml [archive.org] which Neowin above picked up on & rated very highly.

That has evolved more currently, into the MOST viewed & highly rated one there is for years now since 2008 online in the 1st URL link above...

Which has well over 500,000++ views online (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business) & it's been made either:

---

1.) An Essential Guide
2.) 5-5 star rated
3.) A "sticky-pinned" thread
4.) Most viewed in the category it's in (usually security)
5.) Got me PAID by winning a contest @ PCPitStop (quite unexpectedly - I was only posting it for the good of all, & yes, "the Lord works in mysterious ways", it even got me PAID -> http://techtalk.pcpitstop.com/2007/09/04/pc-pitstop-winners/ [pcpitstop.com] (see January 2008))

---

Across 15-20 or so sites I posted it on back in 2008... & here is the IMPORTANT part, in some sample testimonials to the "layered security" methodology efficacy:

---

SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2 [xtremepccentral.com]

"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral

AND

"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral

AND

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3 [xtremepccentral.com]

"It's 2009 - still trouble free! I was told last week by a co-worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in Windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, it's been to a LAN party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! It's made my PC experience much easier. Sandboxing was great. Getting my hosts file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA, user of my guide @ XTremePcCentral

---

* There you go... & yes, it really works - IF "followed-to-the-letter" in its advisements + tweakings!

(Nicest part is, it only takes around 1-2 hours of your time to do, for YEARS-to-DECADES of stable uptime into the distance (based on "industry best security practices" & FAR more))

APK

P.S.=> It's done alright by /.'ers in the past too, via these examples of my posts on it being "upward moderated":

---

* THE APK SECURITY GUIDE GROUP 18++ THUS FAR (from +5 -> +1 RATINGS, usually "informative" or "interesting" etc./et al):

APK SECURITY GUIDE:2009 -> http://it.slashdot.org/comments.pl?sid=1361585&cid=29360367 [slashdot.org]
APK SECURITY GUIDE:2009 -> http://yro.slashdot.org/comments.pl?sid=1218837&cid=27787281 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://ask.slashdot.org/comments.pl?sid=970939&cid=25093275 [slashdot.org]
APK SECURITY GUIDE:2010 -> http://tech.slashdot.org/comments.pl?sid=1885890&cid=34358316 [slashdot.org]
APK SECURITY GUIDE (old one):2005 -> http://it.slashdot.org/comments.pl?sid=154868&cid=12988150 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://ask.slashdot.org/comments.pl?sid=970939&threshold=-1&commentsort=0&mode=thread&no_d2=1&cid=25092677 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://tech.slashdot.org/comments.pl?sid=1027095&cid=25747655 [slashdot.org]
APK SECURITY TEST CHALLENGE LINUX vs. WINDOWS:2007 -> http://it.slashdot.org/comments.pl?sid=267599&threshold=1&commentsort=0&mode=thread&cid=20203061 [slashdot.org]
APK SECURITY GUIDE:2010 -> http://yro.slashdot.org/comments.pl?sid=1638428&cid=32070500 [slashdot.org]
APK SECURITY GUIDE (old one):2005 -> http://books.slashdot.org/comments.pl?sid=168931&cid=14083927 [slashdot.org]
APK SECURITY GUIDE:2009 -> http://news.slashdot.org/comments.pl?sid=1135717&cid=26941781 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://it.slashdot.org/comments.pl?sid=416702&cid=22026982 [slashdot.org]
APK SYSTEM TUNING:2010 -> http://hardware.slashdot.org/comments.pl?sid=1497268&cid=30649722 [slashdot.org]
APK SECURITY GUIDE: 2008 -> http://ask.slashdot.org/comments.pl?sid=970939&no_d2=1&cid=25092677 [slashdot.org]
APK SYSTEM TUNING:2010 -> http://hardware.slashdot.org/comments.pl?sid=1497268&threshold=-1&commentsort=0&mode=thread&cid=30649722 [slashdot.org]
APK SECURE SETUP FOR IP STACK:2005 -> http://it.slashdot.org/comments.pl?sid=170545&cid=14211084 [slashdot.org]
APK SECURITY GUIDE (old one):2005 -> http://it.slashdot.org/comments.pl?sid=170545&cid=14210206 [slashdot.org]
MICROSOFT SECURITY:2010 -> http://news.slashdot.org/comments.pl?sid=1546446&cid=31106612 [slashdot.org]

---

... apk

Re:Agreed, 110% (here's a way for Windows users) (1)

chill (34294) | about 2 years ago | (#41467171)

I'll be brief.

THE GOV'T DOES THIS. NIST 800-137 is all about "Continuous Monitoring" which means "set baseline configs, make sure they're followed". USGCB is used for Windows 7 and RHEL Desktops, and CIS commonly used for most everything else. (USGCB and CIS for Win7 are almost identical.)

Let me repeat that. CIS is frequently used as the config gold standard for Windows, Linux & Solaris servers as well as Cisco equipment. For the things CIS doesn't have, they use DISA STIGs, which are just as good but more geared towards the military viewpoint.

The EO that is being bandied around is about telling critical infrastructure to use these standards, too!

Use NIST 800-53, 800-137, FIPS 140-2, USGCB and CIS. They are very good best practices and flexible enough to not straitjacket implementers (unlike some of the DISA STIGs).

The *PROBLEM* is this isn't good enough. You CANNOT follow these configs to the letter for strict compliance and have usable systems. At some point you have to provide complex services and those can be vulnerable to problems REGARDLESS of how well you secure the OS.

Even after that there are major issues with application security that can't be dealt with by configuration security.
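As an added illustration of the "set baseline configs, make sure they're followed" idea in the comment above, here is a small baseline-drift check of the kind a continuous-monitoring agent performs. This is example code written for this page, not code from NIST, USGCB, CIS or any Slashdot poster; the setting names, baseline values and the sampled host configuration are all constructed and are not real benchmark identifiers. It also shows one answer to the "can't follow these to the letter" objection: numeric controls are checked as "at least" or "at most", so a locally stricter value is not flagged as drift.

```python
# Baseline-drift check in the style of NIST 800-137 continuous monitoring:
# compare a host's observed settings against an approved baseline and
# report every control that is missing or out of policy.
# Example code added to this page; every setting name and value below is
# a constructed placeholder, not taken from any real CIS/USGCB benchmark.

from dataclasses import dataclass

# setting -> (expected value, severity, comparison mode)
#   "eq"  : observed must equal expected
#   "min" : observed must be >= expected (stricter is fine)
#   "max" : observed must be in (0, expected]; 0 means "feature disabled"
BASELINE = {
    "password_min_length": (14, "high", "min"),
    "account_lockout_threshold": (5, "high", "max"),
    "remote_registry_service": ("disabled", "medium", "eq"),
    "autorun_removable_media": ("disabled", "medium", "eq"),
    "audit_logon_events": ("success,failure", "high", "eq"),
    "screen_lock_timeout_sec": (900, "low", "max"),
}


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: object
    observed: object
    severity: str


def _compliant(rule, observed):
    """True if the observed value satisfies the baseline rule."""
    expected, _severity, mode = rule
    if observed is None:            # control not collected at all
        return False
    if mode == "eq":
        return observed == expected
    if mode == "min":
        return observed >= expected
    if mode == "max":
        # 0 for lockout threshold / lock timeout means "never", i.e. off
        return 0 < observed <= expected
    raise ValueError(f"unknown comparison mode {mode!r}")


def check_host(observed, baseline=BASELINE):
    """Return a list of Findings for every baseline control the host drifts from.

    Settings absent from `observed` are reported too: an unverified control
    is treated as a failed control rather than silently skipped.
    """
    findings = []
    for setting, rule in baseline.items():
        value = observed.get(setting)
        if not _compliant(rule, value):
            findings.append(Finding(setting, rule[0], value, rule[1]))
    return findings


def summarize(findings):
    """Count findings per severity, for a dashboard or ticket threshold."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample of what an agent might collect from one workstation.
SAMPLE_HOST = {
    "password_min_length": 16,              # stricter than baseline: OK
    "account_lockout_threshold": 0,         # lockout disabled: drift
    "remote_registry_service": "running",   # drift
    "autorun_removable_media": "disabled",  # OK
    "audit_logon_events": "success",        # failures not audited: drift
    # "screen_lock_timeout_sec" not collected: reported as drift
}

if __name__ == "__main__":
    drift = check_host(SAMPLE_HOST)
    for f in drift:
        print(f"[{f.severity}] {f.setting}: expected {f.expected!r}, observed {f.observed!r}")
    print(summarize(drift))
```

Run against the constructed host it reports four findings (two high, one medium, one low); feeding it a host whose values are fixed returns an empty list. In practice the `observed` dictionary would come from whatever collector the site already runs (a USGCB/CIS scanner export, a configuration-management fact source), and the baseline would be versioned alongside the approved exceptions.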

Agreed & disagreed (need links too)... apk (0)

Anonymous Coward | about 2 years ago | (#41467419)

The ONLY parts that gave me a "hassle" & the CIS Tool folks agreed & AMENDED per my suggestions?

They were the parts regarding:

---

1.) USB (since everyone NEEDS usb pretty much, but, it does present autorun difficulties - which Linux &/or Windows have been patched for iirc)

2.) Security Dongles

3.) Biometric-based security like fingerprint scanners etc. (NOT EVERYONE HAS them!)

---

* Which CIS Tool for Windows 7 @ least, have been amended for... there are or were a couple of "false positives" in it that it did not 'pick up on' properly, but other than that?

Plus - The testimonials I included in my 1st post tend to show otherwise, as to "unusable systems", as well as my OWN TESTIMONIAL to that effect, once CIS Tool & the rest of what's in my security guide is applied, that you do NOT have an "unusable system" (far, Far, FAR from it in fact!).

APK

P.S.=>

"The *PROBLEM* is this isn't good enough." - by chill (34294) on Wednesday September 26, @02:53PM (#41467171)

Which is WHY my guide goes way, Way, WAY past what CIS Tool suggests alone...

---

"You CANNOT follow these configs to the letter for strict compliance and have usable systems." - by chill (34294) on Wednesday September 26, @02:53PM (#41467171)

That's not TOTALLY true, but, then again, I didn't get to READ those since PER MY SUBJECT-LINE ABOVE: you supplied NO LINKS to the settings you noted the gov't. uses, for direct study of the points you noted (guessing they're USB &/or BIOMetric stuff I mentioned though).

---

"At some point you have to provide complex services and those can be vulnerable to problems REGARDLESS of how well you secure the OS." - by chill (34294) on Wednesday September 26, @02:53PM (#41467171)

Then, you only SELECTIVELY use said services (whatever those are, beyond USB & BioMetrics I noted above), such as JAVA, JavaScript, ActiveX, Plugins of varying types for webbrowsers, Scripting of ALL FORMS, etc.!

(Which is EASY ENOUGH to do, via Opera's "By Site" preferences, globally setting them ALL INACTIVE first, & making exceptions for sites YOU CHOOSE to run those services on... Firefox has its NoScript which can help too, plus its OWN "internal blocklists" vs. bad sites (like Opera's URLFILTER.INI)).

---

"Even after that there are major issues with application security that can't be dealt with by configuration security." - by chill (34294) on Wednesday September 26, @02:53PM (#41467171)

Agreed - which is WHY my guide goes far beyond CIS Tool, & provides that which stalls that which YOU speak of here:

End user education (making users aware of who/what/when/where/how/why they get "hit" online)...

... apk

Re:why trust the government (1)

chill (34294) | about 2 years ago | (#41465981)

How you secure your house or car has little to no bearing on 990100% of your neighbors. The electrical grid and power plant, sewer treatment system, municipal water system, natural gas pipelines and the like are totally different.

Damage to those can cause severe impacts to the community as a whole. The size of the community can vary depending on the system. For example your municipal water system could impact your city, whereas the power plant in your neighborhood could potentially bring down the entire regional electric grid.

Personal responsibility is a must, but it does not necessarily scale to community-wide services.

Re:why trust the government (1)

icebike (68054) | about 2 years ago | (#41466185)

This.

But just as when your locked door isn't enough, governmental police power should be available to apprehend the culprit, if nothing else than to prevent our neighborhoods from becoming running gun battles. This discussion is about allowing power company goons to bash down your door in SWAT gear carrying M16s because your 14-year-old hacker son was in the basement shutting down turbines with his iPad.

Just as local police serve as a (supposedly) impartial referee between victim and perpetrator, there has to be a way for private industry to bring legal charges, via the government, rather than flash-bang charges via hired thugs.

Re:why trust the government (1)

mcgrew (92797) | about 2 years ago | (#41468467)

It amuses me to see folks distrust a corporation and turn to the government as if the people in a government job are somehow more moral or ethical than those in private sector.

You're not thinking it through. Look at the difference between CWLP and Ameren. Both are electrical monopolies in Illinois. CWLP is run by the city of Springfield, Ameren is a publicly held company. CWLP has the lowest electric rates in the state, the least downtime, and the best customer service. Why? Because Ameren is not beholden to its customers, who are captive and can't just go down the street and find another electric company. Ameren is only beholden to the shareholders. So rates are high, they do as little maintenance as possible, and have no need for good customer service -- customer service is usually to keep your customers from going somewhere else.

If CWLP rates go up too much or service goes down too much, the Mayor loses his job. It isn't a matter of him being more ethical than Ameren's CEO, it's a matter of accountability and who you are accountable to.

However, I do agree that government has no place in cybersecurity, other than to write regulations preventing corporations who you don't vote for and have no stake in from releasing your private info. I wish they WOULD write those regs.

They are not talking of the same thing (1)

dropadrop (1057046) | about 2 years ago | (#41465525)

It seems like the first dude is worried about what attacks on the infrastructure could do, and he's right. There are already plenty of tools and best practices on securing yourself; more laws would only possibly ease the investigation when a breach happened (which is the reason anyone on the investigative side not making a buck out of it will call for new laws).

Now the scenario of a digital Blackwater is not needed due to a lack of laws; rather the problem is that officials will not investigate most cases even when they are in their jurisdiction and there is a clear trail of evidence. Often somebody can attack you numerous times, and you are on your own. This could be fixed by increasing the workforce.

useless (0)

Anonymous Coward | about 2 years ago | (#41465559)

It is impossible to completely protect against hackers. Human beings are really good at adapting, and hackers usually are really good at problem solving. The only thing these laws and shit do is make things harder for everyone. And the common end consumer pays the price. If they want to combat hackers, why don't they get their act together so that so many people won't be so pissed off? Preventing a problem is the best way to deal with the problem.

He Said What? (1)

Dripdry (1062282) | about 2 years ago | (#41465593)

"Go all mercenary"
What the hell is that supposed to mean?

All Your Bits Are Belong To U.S.?

seriously, wtf government?

Say what, mothafukka? (1)

Penurious Penguin (2687307) | about 2 years ago | (#41466469)

I had a chance to see General (Specific) Hayden [eccentrici...gency.info] perform at the Geriatric Thugs & Podium Assassins RapFest. And let me tell you; once he got limbered up with some warm milk and a few raw pork sausages, he really got funky. After the show, he told us 'bout hackin' on his AOL account. Said some bitches wuz 'bout to get bussed up on the tubes, yo. When I asked him if the gubmint knew what I was doing on da web, he said "Don't make me go mercenary an ya ass." an' I knew homey weren't playin no games.

Because on a serious note, these guys are little more than extremely well-funded, cyberphobic, pimpster penta-thugs with diseased imaginations. And a corrective suggestion, if we are to remain up-to-date: It's a "Digital Academi", not Blackwater [wikipedia.org] . Or, we could just be hard, and confine our knowledge in the past while our minds bumble bewildered in the future -- 'cause it's a thug life, it pays well and looks good on the telly.

Yeah...and? (0)

Anonymous Coward | about 2 years ago | (#41465639)

Corporations and government agencies in the U.S. have been getting their heads handed to them by attackers from around the world for several years now.

Anyone who honestly believes any sort of law would stop these attackers needs to pull their head out of their ass.

3 Interlocking Gears (0)

Anonymous Coward | about 2 years ago | (#41465687)

If they can't do anything, they can't do anything to us. Vote a split ticket this November and preserve the balance!

pown to own - power plants and factories (3, Funny)

RichMan (8097) | about 2 years ago | (#41465749)

Just legislate that every 3 years an industrial site must open itself to a 1 week pown to own event. If anyone can pown the control system they get to own the plant.

Would make for some nice corporate-on-corporate events to gain control. Even enviro-on-corporate.

Yes this is quite silly. But might as well have it happen in the open rather than behind closed doors.

Having worked with Chabinsky and Henry... (2)

mattashburn (150456) | about 2 years ago | (#41465791)

Having worked with Chabinsky and Henry previously, I'm glad they're not in charge any longer.

let's not forget the profit motive (1)

tatman (1076111) | about 2 years ago | (#41465917)

Let's not forget there are companies, including the ones being attacked and hacked, that may very well benefit one way or another from the current state of cyber security as well. They have their own agendas to promote that are in the best interest of the company, but not the country or its citizens.

So my ads will read like. (0)

Anonymous Coward | about 2 years ago | (#41466055)

I have a OC192 to the desktop, I want to be your back door man.

Simple Solution for CyberSecurity (0)

Anonymous Coward | about 2 years ago | (#41466149)

Start by picking the OS (Operating System) that is secure. Which OS do you think is secure: (A) Windows (B) OS X (C) Linux/Unix? Also, CPU companies like Intel Corp have CPU ID (Identification). Most servers can trigger the OS for the CPU ID, which provides a triple witch of information. The information provides stuff like OS, IP, CPU ID, Region, etc. The most secure CPU might be coming from AMD and ARM. ARM has a patent for HW (Hardware) security. The ARM Patent allows a secure handshake. IT MIGHT BE BETTER TO CREATE AN INFRASTRUCTURE FOR LINUX INSTEAD OF CREATING COMMUNISTIC LAWS THAT ATTACK CITIZENS. REMEMBER LIKE COMMUNISTIC CHINA, THAT USA DOESN'T USE WARRANTS ANYMORE.

Stunner tag (1)

Todd Knarr (15451) | about 2 years ago | (#41466155)

When I hear the cybersecurity people talking about taking offensive action against intruders, I can't help thinking about Miles, "Brothers in Arms" and the infamous stunner tag sequence.

Hey, what's the problem? (1)

aaaaaaargh! (1150173) | about 2 years ago | (#41466651)

Don't you think cybernetic systems should be secure?

And by the way, so should be cyborgs!

DDOS amplification without DNSSEC (1)

WaffleMonster (969671) | about 2 years ago | (#41466907)

F'n idiot bureaucrats treating cyber as if it is analogous to the real world.

If you thought DNSSEC was pure awesome tool to amplify your DDOS attacks kids just wait till you get to direct US government resources to attack your targets for you. Won't that be swell?

If you ever tire of getting your "friends" swatted at 3:00 in the morning just for laughs uncle sam has your back.

How about liability? (1)

haus (129916) | about 2 years ago | (#41470749)

If companies that went about gathering and/or storing sensitive information for others, then screw it up and allow that information into the wrong hands faced real liability for their failures perhaps more companies would do a better job of protecting their information. Or even better, some may opt to not gather/store the data in the first place.

The Infinite Wisdom of Congress (1)

edibobb (113989) | about 2 years ago | (#41472715)

I hope Congress is unable to pass cybersecurity legislation until its members understand the internet. The control systems for dams and power distribution can be disconnected from the internet; yet that's the prime scenario for scare stories about Chinese and Iranian hackers. After sufficient hype and scary publicity, laws are proposed to impose greater penalties on copyright violations and limit P2P file transfers in the name of cybersecurity. This happens OVER and OVER!

just send in the drones... its the only way (0)

Anonymous Coward | about 2 years ago | (#41474125)

What we need is physical retribution against online threats. A nice drone strike would do nicely, since those are perfectly ok to use on anyone anywhere.

Things that can go wrong (1)

knorthern knight (513660) | about 2 years ago | (#41474529)

1) One of the links in the summary http://blogs.cio.com/security/17430/air-force-chief-ex-fbi-agent-cybersecurity-policy-cant-wait [cio.com] has a quote...

> He thinks companies that find proprietary data on an external server should be
> legally able to take action - to delete or encrypt the data. A company could
> then report the crime to the authorities so the government could search for the hacker.

Remember how a NASA video was mis-identified as property of Scripps Local News http://science.slashdot.org/story/12/08/06/1613211/nasas-own-video-of-curiosity-landing-crashes-into-a-dmca-takedown [slashdot.org]

Remember how some birds tweeting were mis-identified as "Rumblefish's exclusive intellectual property" http://yro.slashdot.org/story/12/02/26/2141246/youtube-identifies-birdsong-as-copyrighted-music [slashdot.org]

Now imagine if those same companies were authorized to DDOS your ISP or some other stupid stuff.

2) Setting security standards... if a law was passed that only "secure systems" were allowed online, I could see Microsoft using bribes^H^H^H^H^H^H "campaign contributions" to ensure that only the latest patched version of Windows and Windows Office were allowed online.

These are just off the top of my head. I'm sure there's more.

Legislative solution? (1)

dumky2 (2610695) | about 2 years ago | (#41477777)

Passing a law does not make anything secure. What makes things secure is spending resources and time towards security. Who should be spending those resources? The companies that are taking security risks and exposing attack areas.

Regarding incentives to do better, corporations already have them, as security attacks are PR nightmares which push consumers to competitors and losing money is bad business.
Congress on the other hand has incentives to over-estimate the risk and over-spend (since it's tax money being spent after all).
And finally, corporations have incentives to support and capture regulation so that they can socialize their costs. Instead of having to pay for some in-house security experts or hiring security services, corporations get taxpayers to pay for an "internet police" of some kind.

Regarding risk evaluation and education, security firms already do that as they try to sell their services. Regarding consumer protection, review magazines, competitive advertisement and reputation already serve that purpose. But as usual Congress wants to think it knows better and is eager to use centralized power and coercion instead of persuasion. But such coercion is not the basis for a healthy and peaceful society, and as political power continues to encroach, things will get worse, not better. That will sadly prompt more government intervention, feeding the cycle.
Politicians have been itching to get a power grab on the internet. They are just trying different avenues to see what the public will tolerate. SOPA was too much, try something else. Maybe protecting privacy, security or maybe children. The recipe is claiming that voluntary and emerging solutions are insufficient (never mind trying to prove that assertion) and then getting a foot in the door (regardless of whether it is actually a solution). If it doesn't pass the scrutiny of citizens, then try again.