Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Why Chinese Hacking Is Only Part of the U.S. Security Problem

Soulskill posted about a year ago | from the two-to-tango dept.

United States 101

An anonymous reader writes "Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, and/or configuration,' argues a U.S. Air Force cyber security researcher. 'It is technological vulnerabilities that create the ability for actors to exploit the information system and gain illicit access to sensitive national security secrets, as the previous examples highlight. Yet software and hardware developers are not regulated in the same way as, say, the auto or pharmaceutical industries.' 'The truth is that we should no longer accept a patch/configuration management culture that promotes a laissez-faire approach to cyber security."

Sorry! There are no comments related to the filter you selected.

Because... (1)

Anonymous Coward | about a year ago | (#43941231)

US security sucks? Now, now, there's no need to become all yoddle! After all, the US has been propagating that which is unseen to the foreign admissive. Why don't we all just get all along, and become brothers in rancid?

Re:Because... (-1, Flamebait)

Anonymous Coward | about a year ago | (#43941497)

US security sucks?

Yes and the Chinese hackers know it. Seems the US has some chinks in its cyber-armor.

Re:Because... (2)

colinrichardday (768814) | about a year ago | (#43941727)

Yes and the Chinese hackers know it. Seems the US has some chinks in its cyber-armor.

Was that the best way of stating this?

Re:Because... (1)

Anonymous Coward | about a year ago | (#43941835)

Yes and the Chinese hackers know it. Seems the US has some chinks in its cyber-armor.

Was that the best way of stating this?

Oh I agree. The prefix "cyber-" is completely overused.

Re:Because... (1)

Virtucon (127420) | about a year ago | (#43945231)

it needs to have an "i" or "e" in front of it to make it better.. iCyberSecurity or eCyberSecurity will make it all better.

Our buildings are vulnerable to Chinese missiles t (2)

raymorris (2726007) | about a year ago | (#43944301)

True, almost all software produced has quite a few security holes. I just fixed some security holes in online classes that - cybersecurity. These are courses put out by a well known government agency that specializes in safety and security, but that agency doesn't come close to securing it's own systems.

HOWEVER our buildings are also quite vulnerable to Chinese missiles. We haven't secured our shopping centers, our sports stadiums, or our power plants. China could very easily wipe out any of them. Does that mean we'd accept it if they did? If China shot down a US airliner would we say "eh, it's our own fault for not securing our airspace"? Of course not. We'd hold China accountable, very quickly. Probably within a matter of hours. That's the biggest failing - we've chosen to sit down and allow China to attack us for the last several years, with no real response from us.

Anyone can easily kick in the front door of your house. If they do so, we don't blame the victim for not having a six inch thick steel door. We throw the assailant in the slammer.

Probably, our software will never be secure for the same reasons our houses won't be secure - because security is HARD. It's much easier to break something than to build something. Building something that can't be broken is almost impossible. To be competent at software security takes about six years of training for a typical corporate programmer, one who doesn't really understand software engineering as a science. An otherwise skilled programmer could learn to make his good software into fairly secure software in three years. That's about, what an extra $40k - $60k per year for a programmer with several years worth of extra education / training. How many organizations are willing to pay that cost for secure systems?

  I have fifteen YEARS of experience in software security, but no one is offering me a job that pays a reasonable salary, not when they can instead hire an idiot for $40K to create a heaping pile of garbage that mostly "works", for a year or two until he's in a different position.

Re: Our buildings are vulnerable to Chinese missil (0)

Anonymous Coward | about a year ago | (#43947839)

Equating cyber to buildings is in no way equivalent in this analogy. Cyber is a much easier and effective means of breaching and compromising the US. Btw, the proposition that was voiced also solved your other issue of eliminating all the yahoos that entered into the IT field for the purpose of a "good salary" as there would be a higher expectation for performance on those remaining in the field. Yes it could potentially slow down the delivery of capabilities to customers potentially, but it would also shift the basis of software delivery from "get it out there because its 80%, no 70%, no wait 60% is good enough approach", to delivering a reasonable and responsible product. Other good news from this approach is that we may and up with a Microsoft product that ISN'T delivered with a promise that the issues of the prior version which were set to be resolved this version, will "really" be resolved in the next version. ;-) @IE

Re:Because... (1)

Shavano (2541114) | about a year ago | (#43943839)

US security sucks? Now, now, there's no need to become all yoddle! After all, the US has been propagating that which is unseen to the foreign admissive. Why don't we all just get all along, and become brothers in rancid?

US security sucks or ALL electronic security sucks?

Re:Because... (1)

Jason Rousseau (2945315) | about a year ago | (#43944179)

The internet is complete anarchy and given the fact that business is conducted globally, hardening the security landscape is daunting..pointing the finger at the government, being a capitalist society rather than businesses collectively working towards some set of standards and hold those accountable who bring harm to the info-structure.as weaken the economy. Lastly, the US has to protect it's interests...and if that means waging a cyber war against rogue nations, so be it. "All's fair in love and in war..bitches".

first (-1)

Anonymous Coward | about a year ago | (#43941257)

first

So start demanding changes. (5, Interesting)

khasim (1285) | about a year ago | (#43941261)

First off, demand that every software vendor provide a list of files that their product installs, where those files are installed by default and different checksums/hashes/etc for them.

It should be possible to boot a machine with a live CD (or PXE) and inventory every single file on that machine and identify the origin of each of them.

At least you'd know whether a machine was cracked or not.

Right now, with existing anti-virus, all you can say is that a machine does not have anything that matches the signatures that you have right now.

Re:So start demanding changes. (2)

Zapotek (1032314) | about a year ago | (#43941531)

Nowadays, folks try to do as much as possible in RAM -- by that I mean no patching files or writing to the FS at all. So, keeping track of modifications to any sort of executable file (even indirectly executable, hell, even if it's not executable) will certainly be a handy tool but not as much as you'd think. Also, debsums [ubuntu.com] already does this and I'm sure other package managers support similar functionality. Now, if there's no such utility for your system (even commercial 3rd-party) then you may have chosen/setup the wrong system.

Also, AppArmor-like systems are quite handy too as they allow very fine-grained control for what operations a certain process/executable can perform, thereby allowing you to avoid modifications to the FS via an exploited vulnerability in the first place (and also limit what the exploit's payload will be able to execute once in RAM, no execution privs means no way to execute a shell which makes things much harder).

But even so, privs can be escalated and jails can be broken and vulns can be chained, better get some security education and minimize the chances of writing vulnerable code in the first place, and then carefully fix the inevitable vulnerabilities which you'll surely introduce as soon as you learn about them.

Re:So start demanding changes. (1)

Anonymous Coward | about a year ago | (#43941545)

Right now, with the Microsoft Windows way of doing things, all you can say is that a machine does not have anything that matches the signatures that you have right now.

Fixed that for you.

Turns out, the principle of least-privilege isn't so easily bolted-on in a haphazard manner after decades of doing it wrong, teaching software authors to expect it done wrong, and users to not know the difference.

For *nix, there is Tripwire and Aide and similar programs to do exactly what you're proposing, without support from the vendor. Isn't that easier than getting hundreds of independent companies to all cooperate with your scheme?

Re:So start demanding changes. (0)

Anonymous Coward | about a year ago | (#43942941)

Already can do that.

debsums on Debian does exactly that.

Oh, you mean for that other OS. ;)

Re:So start demanding changes. (0)

Anonymous Coward | about a year ago | (#43943277)

That works great unless your BIOS or any of the firmware in any of your other components has been compromised. Off the top of my head, other than the BIOS, there is firmware in your Ethernet chip, hard disk, printer, and video card.

IIRC, there was an Intel Ethernet chip with a firmware bug that caused the chip to crash if it received a specific byte sequence. It's not too hard to imagine that such a bug could be exploitable and it's possible to remotely update the Ethernet firmware with something that let's you remotely read/write arbitrary memory locations, bypassing the OS entirely.

Re:So start demanding changes. (0)

Anonymous Coward | about a year ago | (#43944197)

This isn't even half a solution. Do you really think state sponsored espionage relies upon primitive trojans sitting in the file system? Heard of root kits? I wouldn't mind betting the Chinese have infiltrated systems at the bios or even hardware level.

Re:So start demanding changes. (1)

Jason Rousseau (2945315) | about a year ago | (#43944287)

First off, demand that every software vendor provide a list of files that their product installs, where those files are installed by default and different checksums/hashes/etc for them.

It should be possible to boot a machine with a live CD (or PXE) and inventory every single file on that machine and identify the origin of each of them.

At least you'd know whether a machine was cracked or not.

Right now, with existing anti-virus, all you can say is that a machine does not have anything that matches the signatures that you have right now.

My days would be much simpler if all dev's turned out software that is hospital grade. I am not real sure about the point Khasim is making, most software and driver's are digitally signed. True, zero-day attacks are more frequent these days however, I believe that is more related to streaming media that is harder for AV software to track because of torrents and proxies and embedded and gets de-ciferd "on the fly".

Re:So start demanding changes. (0)

Anonymous Coward | about a year ago | (#43948457)

I developed a product once that worked the opposite of AV software. It took a snapshot at boot and ran the system from the snapshot. Assume everything is a virus. On reboot, delete the snapshot and start over again. You could select specific folders to allow writes; such as My Documents. Impossible to infect anything outside of any folder flagged as writable. No signature updates required. Again, assume everything is bad except what you flag as good.

Your kidding of course (2)

StillNeedMoreCoffee (123989) | about a year ago | (#43941277)

Start with designing operating systems that are secure and language enviromnments that are secure rather that feature rich marketing shows. Don't put the blame on the programmers that have to work with shoddy designed infrastructure. Change the infrastructure.

Re:Your kidding of course (5, Insightful)

pspahn (1175617) | about a year ago | (#43941465)

You may be over-estimating the will of developers who actually intend to build something secure out of the box. Sure, you've got the chunk of folks that require fine-grained security in their day-to-day, but the rest of them that take security for granted (we're not big enough yet to make things secure, we'll wait until revenue hits $xxx and then "do it right") are just going to worry about making their stuff function according to the spec.

I have left some code lying around before that I am not particularly proud of, not that anyone important would notice, as it tends to be things only another developer would recognize. It's difficult to think of other occupations that are not affected by this type of thinking either, otherwise we wouldn't have to send the Dept. of Health around to restaurants to make sure the kitchens are clean, or the pedagogists around to the elementary school to make sure learning is happening, or aviation officials to enforce maintenance standards...

Of course there needs to be accountability for code that does important things. That is clearly obvious. There are too many people interacting with code in occupations that previously wouldn't have done so. At some point it's going to be a good idea to have a nice audit trail.

Re:Your kidding of course (0)

Anonymous Coward | about a year ago | (#43941599)

I have left some code lying around before that I am not particularly proud of, not that anyone important would notice

I guess then, your customers are not important? The hackers who might ger into your customers' systems aren't important either? Only the bigwigs at your company count, right? I hope I'm not running anything you wrote...

Re:Your kidding of course (1)

pspahn (1175617) | about a year ago | (#43942673)

30 hours worth of work to be completed in 8 hours. Something is going to be less than ideal.

Re:Your kidding of course (1)

Cenan (1892902) | about a year ago | (#43944207)

You may be over-estimating the will of developers who actually intend to build something secure out of the box.

Not only that, but he and the article are hugely overestimating the amount of control the developer has over a project that is done on contract for an agency. "Do it this way", "make it work that way", "no, remove that annoying button"...
The story forgets to mention that, indeed the hackers utilized bugs in software to gain entry but the tech is already here to secure the targets, someone with decision power just decided not to, they are now trying to paw off the responsibility to the poor guys on the floor, for yet another match of ping pong.

Of course it would be super awesome fantastic if we could hold developers responsible for the bugs they introduce, similar how we hold mechanics responsible. The problem is though, that more often than not, the developer's boss is a fucking clueless moron, while the mechanics boss is another mechanic. The mechanic gets the time he needs to solve a problem on a given car, in order to cover his and his boss' ass. Developers get how ever much time is alotted to them by marketing, and that time does not include testing.

Re:Your kidding of course (1)

Jason Rousseau (2945315) | about a year ago | (#43945025)

Damn right you better not be lazy...people who work on the "back end" and deal with your shit...will be payng you a little visit...If you got time, check your code f-ucker's...I like my wife and kids and weekend's.

Re:Your kidding of course (1)

satuon (1822492) | about a year ago | (#43944601)

One of the best security would be to make each application able to have its own directory where it can read/write, and nothing outside it is available, and then the Open File Dialog should be separate from the application, and any file selected by it allows the program to have a descriptor for that file and nothing else.

Basically, programs should run chrooted and not be allowed even read access to the entire harddisk.

s/technological/human (3, Insightful)

Midnight_Falcon (2432802) | about a year ago | (#43941305)

I find the summary to be quite myopic in terms of security -- it thinks that there's a technological solution for every security problem. In reality, as long as humans have access to data -- they can be deceived, tricked or otherwise made to inadvertently disclose said information to a third party. I doubt there will ever be a technological solution to address this 100% -- you can make walls and try to idiot-proof your network, but then you will discover that someone has invented a better idiot.

Re:s/reading comprehension/you (-1)

Anonymous Coward | about a year ago | (#43941691)

Part of the summary:

"Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, and/or configuration,' argues a U.S. Air Force cyber security researcher. 'It is technological vulnerabilities that create the ability for actors to exploit the information system and gain illicit access to sensitive national security secrets, as the previous examples highlight.

It is clear that they are talking specifically about technological vulnerabilities. Also, in the given context of a military/national security type of system, only trained personnel are allowed to access them. However imperfect, that's as good as it gets in terms of dealing with social engineering or the dumb-user problem.

This isn't a corporate or customer environment they're talking about here. That might be all that you know, but it is not all that there is. These users are unlikely to mistake the CD-ROM for a cupholder. They aren't going to think an unfortunate Nigerian prince really needs their top-secret national security documents to transfer his money out of the country.

Please make the slight effort to comprehend what you read and to understand its context. The discussion is so much smoother that way.

Re:s/reading comprehension/you (1)

colinrichardday (768814) | about a year ago | (#43941781)

It is clear that they are talking specifically about technological vulnerabilities. Also, in the given context of a military/national security type of system, only trained personnel are allowed to access them. However imperfect, that's as good as it gets in terms of dealing with social engineering or the dumb-user problem.

Ever hear of Mata Hari?

http://en.wikipedia.org/wiki/Mata_Hari [wikipedia.org]

Re:s/reading comprehension/you (0)

Anonymous Coward | about a year ago | (#43941875)

It is clear that they are talking specifically about technological vulnerabilities. Also, in the given context of a military/national security type of system, only trained personnel are allowed to access them. However imperfect, that's as good as it gets in terms of dealing with social engineering or the dumb-user problem.

Ever hear of Mata Hari?

http://en.wikipedia.org/wiki/Mata_Hari [wikipedia.org]

So a spy who lived before there were such things as computers, is your example of a social engineering attack against trained US military personnel who handle classified documents?

Planting a spy on the inside is not a social engineering attack. You do know that, right? And hackers within the borders of China are not members of the US military or employees of sensitive defense contractors or employees of companies designing critical infrastructure. You know that too, right?

I'll have to try that out sometime, just spouting some irrelevant BS that seems related in the vaguest possible way but doesn't actually have anything to do with the subject being discussed, and then acting like I really made a great point. I am curious how it feels to deceive oneself to that degree.

Re:s/reading comprehension/you (1)

colinrichardday (768814) | about a year ago | (#43943459)

Planting a spy on the inside is not a social engineering attack.

Actually, yes, it is.

Re:s/reading comprehension/you (0)

Anonymous Coward | about a year ago | (#43943457)

Part of the summary:

"Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, and/or configuration,' argues a U.S. Air Force cyber security researcher. 'It is technological vulnerabilities that create the ability for actors to exploit the information system and gain illicit access to sensitive national security secrets, as the previous examples highlight.

It is clear that they are talking specifically about technological vulnerabilities. Also, in the given context of a military/national security type of system, only trained personnel are allowed to access them. However imperfect, that's as good as it gets in terms of dealing with social engineering or the dumb-user problem.

This isn't a corporate or customer environment they're talking about here. That might be all that you know, but it is not all that there is. These users are unlikely to mistake the CD-ROM for a cupholder. They aren't going to think an unfortunate Nigerian prince really needs their top-secret national security documents to transfer his money out of the country.

Please make the slight effort to comprehend what you read and to understand its context. The discussion is so much smoother that way.

I wish you could work with the "trained" personnel who operate some of our most important systems. Not only are many of them decidedly untrained but the culture enforced by military doctrine does not lend itself well to innovative or intelligent thinking. They just want people who will do the same thing consistently for years, regardless of if it is right or wrong. There are too many very complicated systems and not enough intelligent or highly trained people to get anywhere near close to manning all of them.

Patch Code is like Chinese Food.... (2)

Bob_Who (926234) | about a year ago | (#43941309)

.....In an hour, you'll be hungry again.

Just plain silly (4, Insightful)

Gorshkov (932507) | about a year ago | (#43941321)

The whole idea that China should be 'held responsible' for the hacking is just plain silly on it's face. Governments and private corporations have been spying on each other ever since the first cave man tried to keep a secret.

Can you imagine during the cold war of the US President went to Stalin and said "please stop spying on us"? Because that's exactly what's been suggested here.

Re:Just plain silly (0)

Anonymous Coward | about a year ago | (#43941541)

Or, if Stalin asked the US to stop spying?

I've often wondered if all the money the US spends on military could be better used by having more friendly foreign policies?

It costs me $10 to protect myself with weapons, or $5 to be nice and share....

Incredibly oversimplified i know...

Re:Just plain silly (0)

Anonymous Coward | about a year ago | (#43943937)

Spending $5 to be nice only works as long as someone else isn't spending the $10 and taking power while we stand politely by. American foreign policy has always assumed that someone, somewhere is either spending the $10 or will be as soon as they can, so our aim has always been to either make sure we are an unlikely target or, since isolationism is no longer feasible, to make sure that even if you do spend the $10, your advantage is limited, because so are we.

The rest of the world benefits from this greatly; you know that stat that people love to quote about how we outspend almost all of our allies combined? That means they don't have to spend that money. That's more money to buy our products and services, and more money to make themselves better, which keeps our allies happy and keeps our nation's economy strong. If we stop spending this money, Europe will need a major naval force of their own, not just to protect themselves but to protect their shipping lanes and trade partners; right now, we take care of a lot of that.

Spending the $10 has a lot of benefits besides just raw military power.

Re:Just plain silly (0)

Anonymous Coward | about a year ago | (#43945333)

This is assuming that the fiver, in a one time transaction, would last forever. As any schoolyard bully would know, it, don't. The bully needs mooore justification for his gratuity. But god save us, there is another schoolyard babboon awaiting in the wings.. just as the good nixon opened trade to china, just as prince regan started our industries to china, the repug teaparty will save us by cutting all expenditures to Zero, and basing our government oon the back of our poorest people. That will increase our security budget to every penny...every sheckle will have to be spent too some other company too buy oour freedom. If you controol the manufacturing centers, the food centers, by buying them, didn't you conquer them?

Re:Just plain silly (1)

causality (777677) | about a year ago | (#43941981)

The whole idea that China should be 'held responsible' for the hacking is just plain silly on it's face. Governments and private corporations have been spying on each other ever since the first cave man tried to keep a secret.

It's a form of sabre-rattling. Although, it is useful to note the difference between spying as in passive information gathering, versus something intended to cause material damage like Stuxnet. The latter actually is a form of attack.

Can you imagine during the cold war of the US President went to Stalin and said "please stop spying on us"? Because that's exactly what's been suggested here.

I imagine the Soviets were pissed off about this one [wikipedia.org] .

The Trans-Siberian Pipeline, as planned, would have a level of complexity that would require advanced automated control software, Supervisory Control And Data Acquisition (SCADA). The pipeline used plans for a sophisticated control system and its software that had been stolen from a Canadian firm by the KGB. The CIA allegedly had the company insert a logic bomb in the program for sabotage purposes, eventually resulting in an explosion with the power of three kilotons of TNT.

That's quite a bit more destructive than merely learning unauthorized information.

Exactly, plus .... (1)

sgt_doom (655561) | about a year ago | (#43947303)

. . .as I mention in a later comment, if all those tech jobs, technology and investment have been shipped to China, this would be the likely result, with generations of American students/workers rendered almost obsolete in their pursuit of IT employment.

more certifications? oversight? (2)

kcmastrpc (2818817) | about a year ago | (#43941325)

sounds like an excuse to spend more money, on more stuff that they already have/don't need.

take a look at the IT/data security invested in the automotive/pharm industry, and then ask yourself, "well, why are they so secure?"

Oh, I'm Sorry (4, Insightful)

doctor woot (2779597) | about a year ago | (#43941329)

Do you expect medical professionals to be able to cure every disease and infection ever? Do you expect automotive engineers to be able to build mechanically perfect vehicles? No. Of course the attitude the majority of people take towards online security is a joke, but no more so than saying "Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, and/or configuration."

Cyber espionage, crime, and warfare exist through the same mechanisms that allow viruses to become resistant to treatment: adaptation. Systems can be designed to be harder to break, systems can't be made to be impenetrable. The language used in this article is just the same old IT-focused yellow journalism we've all come to expect on the subject.

Re:Oh, I'm Sorry (1, Insightful)

iggymanz (596061) | about a year ago | (#43941563)

your analogy is not accurate, the majority of vulnerabilities are due to variations on the same dozen sloppy coding mistakes. A proper analogy would be most car manufacturers in some hypothetical right-hand side driving country with many highway ramps not putting bolts on the right front wheel and not having a problem most the time because most turns are to the right and not the left, and the occasional left turn is almost always followed by a right that reseats the wheel.

Re:Oh, I'm Sorry (1)

doctor woot (2779597) | about a year ago | (#43941923)

the majority of vulnerabilities are due to variations on the same dozen sloppy coding mistakes

I don't doubt that.

A proper analogy would be most car manufacturers in some hypothetical right-hand side driving country with many highway ramps not putting bolts on the right front wheel and not having a problem most the time because most turns are to the right and not the left, and the occasional left turn is almost always followed by a right that reseats the wheel.

That would be a proper analogy if it's what was being argued. While the article did call for stricter security standards for commercially produced code, something that I agree with, it also said that breaches of security would not happen if such were the case. Hence the analogy; you can make the system better, you can't make it perfect.

Re:Oh, I'm Sorry (1)

causality (777677) | about a year ago | (#43941737)

Do you expect automotive engineers to be able to build mechanically perfect vehicles? No.

Vehicles that never fail? No. Vehicles that have a reasonable failure mode? Yes.

Consider the air brakes on a tractor trailer. The air is what keeps the brakes apart. If some mechanical failure caused a loss of air pressure, the failure mode would be stopping the vehicle. That is acceptable. If they did it the other way, with the air pressure being used to apply the brakes, the first sign of failure could be the inability to stop the vehicle at highway speed. That is not acceptable.

Either way, it's not a question of perfection. It's a question of expecting failure. The principle applies to software as well.

Re:Oh, I'm Sorry (1)

doctor woot (2779597) | about a year ago | (#43941885)

You should read my comment again, because your reply is essentially repeating what my post said to begin with. Do people treat security poorly in the IT industry, yes. Can security be strengthened by more rigid standards and harsher penalties for failure, yes.

What I responded to, and I'll quote it again, was "Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, and/or configuration." The implication here is that these things are NOT possible if systems are not poorly designed, implemented and configured. That's a load of bullshit. even with the best security advancements available you are simply not immune. To suggest otherwise is to display ignorance on the subject.

Re:Oh, I'm Sorry (2)

causality (777677) | about a year ago | (#43942303)

You should read my comment again, because your reply is essentially repeating what my post said to begin with. Do people treat security poorly in the IT industry, yes. Can security be strengthened by more rigid standards and harsher penalties for failure, yes.

What I responded to, and I'll quote it again, was "Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, and/or configuration." The implication here is that these things are NOT possible if systems are not poorly designed, implemented and configured. That's a load of bullshit. even with the best security advancements available you are simply not immune. To suggest otherwise is to display ignorance on the subject.

Would you concede that (say, by using managed languages) eliminating all buffer overflows would be a huge step in the right direction? We have the capability of doing that. There is still the impossibility of ever conclusively proving that a given piece of software is completely free of all possible bugs, but that's a lofty and unrealistic goal. There are many feasible steps we could take that are realistic. We generally don't take those steps because the trade-offs involved don't fit our priorities. They usually mean more effort and therefore more expense, but government is the one institution that does not need to make a profit.

Referring to your original post, there is a huge difference between "this doctor is incompetent and is guilty of malpractice" versus "cure all diseases all the time". I am essentially agreeing with you, except I think that with the latter case, you're going to an absurd extreme that no one is realistically suggesting. That was my point.

Re:Oh, I'm Sorry (3, Insightful)

doctor woot (2779597) | about a year ago | (#43942837)

I think that with the latter case, you're going to an absurd extreme that no one is realistically suggesting. That was my point.

Except it was suggested. The premise given was that should "poor application or system design, implementation, and/or configuration" be eliminated, so too would "Cyber espionage, crime, and warfare". My argument was tasking engineers with eradicating all of those problems would be like tasking doctors with curing every disease. I'M not the one going to an absurd extreme, it's a direct quote taken from TFA. I'm merely pointing it out.

Re:Oh, I'm Sorry (1)

Shavano (2541114) | about a year ago | (#43943875)

Do you expect medical professionals to be able to cure every disease and infection ever? Do you expect automotive engineers to be able to build mechanically perfect vehicles? No. Of course the attitude the majority of people take towards online security is a joke, but no more so than saying "Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, and/or configuration."

No, but cyber espionage, crime and warfare are made enormously easier and more productive by shoddy security design.

Re:Oh, I'm Sorry (1)

doctor woot (2779597) | about a year ago | (#43944375)

Except, again, that's not what's being argued. What was said in TFA was the ONLY reason cyber crime, espionage etc etc exist is because of shoddy security design. This is not only completely false, it unnecessarily burdens engineers and sysadmins with the task of somehow managing the impossible.

is there anyone who takes the opposite position? (3, Interesting)

Trepidity (597) | about a year ago | (#43941351)

That is: someone who actually argues that Chinese hacking is the entirety of the U.S. security problem?

Re:is there anyone who takes the opposite position (1)

CanHasDIY (1672858) | about a year ago | (#43941417)

That is: someone who actually argues that Chinese hacking is the entirety of the U.S. security problem?

Yea - Sergei from totallylegitbankwebsite.ru

Re:is there anyone who takes the opposite position (0)

Anonymous Coward | about a year ago | (#43943341)

That is: someone who actually argues that Chinese hacking is the entirety of the U.S. security problem?

Yes. In the same way that US govt hacking Chinese govt/military computers is entirely a Chinese security problem.

Similarly that US govt hacking Russian govt computers is entirely a Russian security problem. And similarly that Russian govt hacking British govt computers is entirely a British security problem. etc, etc.

Only Americans would think they can get a free pass because they are the US.

If you were including Chinese individuals (non-state), then it should be treated as any other criminal activities. Non-state individuals from around the world hacking US govt/military computers is STILL entirely a US security problem. Same with Russian, British, Chinese, etc.

Re:is there anyone who takes the opposite position (1)

Jason Rousseau (2945315) | about a year ago | (#43944777)

I am a geek so, yesterday's revelations did not surprise me, because this kinda bullshit has gone for years now and I assumed all of the "hulla-balloo" that went viral were from people that have never gone on the internet or used a cell phone or have not taken a high school history course or have any knowledge of WW II. The buzz created yesterday was quite un-nerving to me because I never assumed that so many people were oblivious to this. I.T students run sortware, (I would imagine) like PRISM for learning networking purposes and I still use diagnostic tools that is open-source. I can see why people are so outraged beacause at the government does not help matter's given the verbage ie:(cyber-attacker/ national security) if I did not know binary..would comming off like and the So many I could not imagine life without the use of phones, computers and the internet and how my day which and how that how it relates same token I can how adversely see how So much of today's and how that can alter peoples .Cell Phoes l ivelyhood, freedom .. Anything engineered has potential by man can also be reverse-engineered by man I wished to God, people ...it is just the way it is If only people could understand It is so un-nerving to me as to how un-educated people are and how sc am so bothered that is quite bothersome to me as to the l am a little unnerved Without getting dramatic Artificial Intelligence goes both ways and can altel help people relieze understand how many levels the "big picture". ( as to what the security, privacy, economic landscape year 2013 and h

No real repercussions, no incentive. (1)

Anonymous Coward | about a year ago | (#43941357)

In mainstream corporations none of this is going to happen until security issues impact the bottom line. And then it will be corps typical approach, of addressing specific instances. The military too, Adobe and Windows are used all over the place.

Re:No real repercussions, no incentive. (1)

Jason Rousseau (2945315) | about a year ago | (#43944813)

In mainstream corporations none of this is going to happen until security issues impact the bottom line. And then it will be corps typical approach, of addressing specific instances. The military too, Adobe and Windows are used all over the place.

Mainstream corporations..What corporation does not use computer's , phones, or networks Candy Land?

Re:No real repercussions, no incentive. (1)

jc42 (318812) | about a year ago | (#43949685)

In mainstream corporations none of this is going to happen until security issues impact the bottom line. And then it will be corps typical approach, of addressing specific instances. ...

Nah; it'll be the typical approach of finding the "hackers" that expose security holes, then firing and/or prosecuting them to teach them (and their friends) the traditional lesson: We don't want to hear about our security problems. We'll continue to punish you hackers until you give up.

In my experience, this approach is the usual one that corporations use with their own developers. It's why the smarter developers tend to avoid working on security-related stuff. They want to keep their jobs, stay out of jail, etc. The result is the current security mess. Anyone with a grain of sense understands why it's such a mess.

(And no, after one such experience, I've never accepted another task that involved implementing security. I write routines to test everything I develop. If my test routines are treated as criminal evidence against me, I don't write the test routines - or the software that they were designed to test. If you don't understand this, I'm not gonna be developing software for you. And your software will be full of holes, because other developers also understand what your attitude means to them. ;-)

Anyway, I've found it "interesting" that this discussion doesn't seem to be mentioning the implications of the way that programmers are treated when they report security problems. Maybe because the people who understand the issue think it's too obvious to comment about ...

Rank? (0)

Anonymous Coward | about a year ago | (#43941399)

. . .U.S. Air Force cyber security researcher. . .

So, is Captain Obvious and actual captain?

Re:Rank? (1)

flyingfsck (986395) | about a year ago | (#43941629)

No, Captain Obvious was demoted to a Lieutenant long ago.

Re:Rank? (1)

budgenator (254554) | about a year ago | (#43942217)

. . .U.S. Air Force cyber security researcher. . .

So, is Captain Obvious and actual captain?

No he's an Air Force civilian worker, probably a GS13

fago2Rz (-1)

Anonymous Coward | about a year ago | (#43941401)

Don't want to feel a super-orGanised BE NIGGER! BE GAY!

agreed (0)

Anonymous Coward | about a year ago | (#43941421)

i am a cyber security student and i believe that this post has some relevance. too many software companies put out beta this and beta that. this gives people the opportunity to figure you out and find backdoors. if developers worked closer with security professionals i believe that there would definitely be a better approach to releasing software. i mean when they release a new pharmaceutical, we know the 2345623456345 side effects.

Re:agreed (1)

colinrichardday (768814) | about a year ago | (#43941819)

But to know the side effects, wouldn't you need the code? Which is exactly the opposite of what you are saying about releasing betas.

Cue (1)

Anonymous Coward | about a year ago | (#43941447)

Cue the "But software is hard and we can't do it well" cries from the incompetent.

US security problem (0)

m1ndcrash (2158084) | about a year ago | (#43941471)

lies within people's curiosity on how to lose weight by learning this one secret tip. Yes. Dumb and fat.

Sudden burst of common sense (1)

c0lo (1497653) | about a year ago | (#43941481)

Forget the arguments of "software - a non-regulated industry", that's noise. The reality is:

- Businesses: make hacking illegal and unload the cost to keep us secure to the govt; the businesses purpose is to make money not security
- Army: buddy, it worked for lulsec. But now you're on your own, we can't do it

Outsourcing plays a role. (3, Insightful)

TwineLogic (1679802) | about a year ago | (#43941487)

In one example I saw, the, um, mistake in security implementation was committed by a belarussian contractor who had a strong feeling against the U.S. oil interests in Georgia (Eastern Europe) and was working at a U.S. mega-corporation...

Hiring certain political persuasions to do mission-critical work for mega-corporations is something I would look out for. I specifically mean hiring anti-U.S. personalities to perform work for U.S. infrastructure has its weaknesses.

When mega-corporations implement critical infrastructure (e.g. login credentials) they would be using sympathetic professional contractors, probably from the U.S., the U.K., France, Germany, Japan, Australia, New Zealand, Canda of course. Not BRIC. That's my 2c /.

Re:Outsourcing plays a role. (0)

Anonymous Coward | about a year ago | (#43941709)

Mega-Corporation only cares about mega-profit and so if super-anti-US personality is cheaper then guess who gets the job?

Re:Outsourcing plays a role. (2, Insightful)

Anonymous Coward | about a year ago | (#43941817)

In one example I saw, the, um, mistake in security implementation was committed by a belarussian contractor who had a strong feeling against the U.S. oil interests in Georgia (Eastern Europe) and was working at a U.S. mega-corporation... Hiring certain political persuasions to do mission-critical work for mega-corporations is something I would look out for. I specifically mean hiring anti-U.S. personalities to perform work for U.S. infrastructure has its weaknesses. When mega-corporations implement critical infrastructure (e.g. login credentials) they would be using sympathetic professional contractors, probably from the U.S., the U.K., France, Germany, Japan, Australia, New Zealand, Canda of course. Not BRIC. That's my 2c /.

This is common sense. But it has one major political problem: as soon as you try to implement it, the large numbers of people who prefer emotion over thinking are going to scream RACISM. It is how the small-minded feel righteous and noble (instead of, you know, getting off their asses and doing something they believe in).

God help you if any of the work was going to be outsourced to people with some melanin in their skin. It won't matter how critical the project is or how hostile to the US the outsourced workers are, no politician wants to open himself up to accusations of racism. It shuts down all critical rational thought like it is designed to do. It's how losers with indefensible ideologies end debates they cannot win. It is our modern-day "Communism" - it's based on hysteria and there's one under every rock and behind every corner, you know.

Re:Outsourcing plays a role. (1)

colinrichardday (768814) | about a year ago | (#43941905)

Yeah, next you'll tell me that the Romans trusted a German named Hermann (Arminius) who then betrayed three entire legions at Teutoburger Wald.

Oops

http://en.wikipedia.org/wiki/Arminius [wikipedia.org]

Re:Outsourcing plays a role. (1)

TwineLogic (1679802) | about a year ago | (#43942711)

Thanks that was a good read.

Re:Outsourcing plays a role. (0)

Anonymous Coward | about a year ago | (#43946999)

You do realize that that contractor was willing to work for $3 less an hour then the other candidates right? Why do you hate capitalism so much?

Hello??? (1)

bobthesungeek76036 (2697689) | about a year ago | (#43941593)

Every piece of technology we use is made in China. And we're just now thinking about this??? Duh!!!

Cannot imagine the NSA data in the wrong hands (0)

Anonymous Coward | about a year ago | (#43941609)

China or some other country or some domestic or international mafia. It would simply a disaster if the NSA data falls in the wrong hands. Given that all the financial institutions likely have backdoors, the NSA must have even that data freely available to them. Sickening to even imagine.

Re:Cannot imagine the NSA data in the wrong hands (0)

Anonymous Coward | about a year ago | (#43941733)

Why? Does the NSA have secrets the US has gained by spying on other countries?

Weird how the NSA spying on others = GOOD, but the NSA spying on US citizens = BAD.

Also odd how US spying = GOOD, but anyone else spying = BAD.

Who cares. (0)

Anonymous Coward | about a year ago | (#43941631)

In light of recent discoveries, (PRISM, Verizon) who gives a crap what the Chinese do. We have massively bigger problems.

outsourcing lack of QA, golf course meetings, ect (1)

Joe_Dragon (2206452) | about a year ago | (#43941751)

outsourcing lack of QA, golf course meetings, ect also plays a role even more so when IT is out of the loop and the PHB makes the calls.

Let's translate this into real world terms (0)

Anonymous Coward | about a year ago | (#43941765)

NASA is the best in the world for bug-free software. NASA still has bugs in their software. Making people responsible for something that cannot be avoided is nonsense. Software security is not a solved problem. Mandating a certain approach to security is only going to slow down progress in finding better approaches, not to mention quadruple the cost of software development.

Life has risks, deal with it (1)

rtp (49744) | about a year ago | (#43942015)

A thug with a crowbar in meat-space is no different than some hacker on the Internet with a SQL injection.

Automobiles, airplanes, nuclear power plants, bank vaults, and other physical constructions are regularly identified with security flaws or weaknesses.

You know how to hack an armored Humvee full of infantry? With an IED. Life is dangerous. So is the Internet.

Most people don't live in bunkers. We accept the risk that all types of horrible things can happen, and we worry not. Wood and brick houses are regularly leveled by Mother Nature. We could all live underground, but we don't (well, those of us no longer in our parent's basement). People in Florida, Oklahoma, and Kansas could invest in hardened building construction processes and rebuild after a storm with concrete and high tech alloys, but they don't. Wood houses replace the splinters of the last house a tornado shredded, and people move right back in. New Orleans flooded, and people moved back into the below-sea-level bowl.

Stop thinking in abstract, academic terms. Life isn't black & white. We live in shades of gray, where no position, method or object is absolutely secure.

Life is full of imperfections. Humans make mistakes. Entropy. Chaos. Envy. Greed. Hatred. Sh*t happens (aka Acts of God).

Computer security flaws are "surprising" only to the fools who think the world is safe. Given that technology has reduced the distance between tribes, we're all witness to see how friendly humankind really is, err, isn't.

If you've ever been on the wrong side of war, mugging, rape, or other acts of violence - even bullying - then you should know there are those among us that operate with an "eat or be eaten" mentality. Humans are still animals. That lock on your front door isn't going to stop thugs intent on a home invasion, because they're going to break through the window, or crowbar the door-jam, or cut through the vinyl siding, drywall and a few inches of insulation with a machete...

The Internet and air travel has rendered all of us so close, we're holding hands. Americans in close quarters with the Chinese, Russians, and Islamic radicals... Are we all singing Kumbayah? Umm, no. People are doing what people do...we compete, steal, destroy, oppress, deceive, and occasionally rain Hellfires from above.

Just wait until nano, bio, and robotics really take off. Some kid in India may unleash Pandora's Box with a super-flu that wipes out a few billion of us, and this article we're reading is worried about computer documents?

Computer security is a fad, like bank security in the wild west. Give it a few decades, and it's all OBE as we move on to the next thing. A vault by itself doesn't stop the enemy, just as a computer by itself isn't impregnable. At some point, you need force-on-force conflict to effectively defend what's yours from others.

Do you really think there won't be another Alexander, Attila, Genghis, Caesar, Cortez, or Hitler? Humans can be loving, but they can also be ruthless. Terrorists are out there trying to reboot civilization so they can have an easier grab at power. Through dissolution of the family model, worship of the dollar, competition for resources and all sorts of other factors that come with scaling society beyond a village, we're just as likely to collapse under our own weight than to get off this rock and cruise the galaxy.

Be happy each morning you read Slashdot you're not in a burning skyscraper hundreds of feet up in the air among people screaming, waiting for everything to collapse...thinking about how insecure a city is to stand up against a couple dozen knuckleheads who were willing to trade their lives for thousands.

Enjoy the days of Chinese farming American secrets in cyber space, breaking into digital vaults. What comes next won't be so fun.

Barn doors (0)

Anonymous Coward | about a year ago | (#43942119)

No. Won't happen.

The only people who think this way are hard-core security types and highly structured personalities. Those people aren't in charge of the important parts of the software creation and delivery systems. Furthermore, there's no one 'in charge' of this. It's as meaningless as suggesting that the 'boss of the Internet should ban child pr0n'.

From the demand side: Companies and consumers would balk at paying for this and would chafe at the extended QA cycles, longer product delivery times, and the general bureaucracy required to implement.

From the supply side: The vast majority of the technical workforce would resist the structure, restrictions, certifications, education and general bureaucracy required to implement.

Imagine the organization required to implement this. What IT union or professional organization has the power and conceded authority needed? There are very few and none even have the dominant position needed to grow into this role.

What universally recognized educational organization, qualification, certifying authority, or standards body has the status? While there are many, none dominate. There isn't even one achieving 'First among equals' status!

Let's just throw out a few names as a starting point. IEEE, IETF, CERT, OASIS, NIST, SEI, ITIL, COBIT, ISO-20000, ACM, ISACA, W3C, NIST, COMMON, Apple, Microsoft, Oracle, SAP, IBM, FOSS, RMS. I've almost certainly missed a few. See any in there with the leadership status required? See any there that don't have giant flaws? I don't.

This proposal is a barn door and it's missing a horse.

Re:Barn doors (1)

rtp (49744) | about a year ago | (#43942229)

Agreed, let's stop blaming the victims.

That Windows XP unpatched PC is "secure" until some knucklehead throws malware at it, just like the jewelry store with bars and an alarm is secure until three thugs show up with crow-bars and perform a smash-and-grab.

As security becomes more problematic for consumers, the market adjusts. In large part, we're already seeing some of this... Unconscious social movement "to the cloud" has a lot to do with putting our heads in the sand. Get the data off the box in front of us where we'd be "forced to deal with tedious cat-and-mouse arms races" and put our digital lives and data in the cloud, where we won't know (care?) it's being stolen on a regular basis. Amazon, Google, Microsoft, Apple, Facebook, these are the new banks of our society.

Computer software and hardware products are what they are, which is useful, but not impregnable.

I can't afford an armored car and a bunker, so I drive a truck and live in a brick house. Same with computers - most people use the machines, we don't have endless hours in a day to pour into trying to make these sand castles more secure. Technology moves fast. Those sand castles will be replaced in a couple years, and we'll have a new set of problems to futz over while continuing to pursue the meaning of life (e.g. build a family, contribute to the tribe).

Punching holes (1)

gmuslera (3436) | about a year ago | (#43942183)

Is hard to be secure when you exploit 0day holes without warning the vendor to make Stuxnet [wikipedia.org] and similar ones, or if you force companies to leave holes [slashdot.org] for you to enter. Those two policies are incompatible with being secure.

Also, putting people with access to virtually all (even private communications of companies/individuals) adds an specially weak point in the security. If politicians are so easy to bribe, why shouldn't be fbi/nsa agents or middle management?

Re:Punching holes (1)

cavreader (1903280) | about a year ago | (#43942375)

Most holes today are opened by poor network management, poor patch management, poor password managment, and most of all the users. Social engineering is the leading vector of most malware today.

Re:Punching holes (1)

gmuslera (3436) | about a year ago | (#43945605)

The best approach to close holes is education, not opening even more holes, forbidding closing existing ones, or making people accept to live with holes (after all, if we have no privacy because evil government, what more will do evil hackers over that?)

chinese getting info....... (0)

Anonymous Coward | about a year ago | (#43942321)

so... are people (and the chinese) sooo gullible to believe that all the info gathered by the chinese is real, and not planted FUD ?

Companies don't want to pay for security (1)

stretch0611 (603238) | about a year ago | (#43942323)

Almost every company does not care about anything that no one notices. Their MBA's weigh the cost of building something secure against their perceived chance of a security breach (or the chance they won't be at a different company when a breach occurs) and rarely are willing to pay.

Outsourcing hurts security, and every big company does it. Why? because its cheap. You may argue about the knowledge level of the employees overseas, but that isn't the point. If you want it secure, you want your own employees working on it. You want your code local, not sent to people unknown overseas.

Almost every company is cheap in this respect, big and small... At one Fortune 100 company I used to work for (that I can say with near certainty that almost every single adult in the US knows), I had access to SSN's for every employee in my division (over 200 employees) even though I did not need or request them, and to make it worse, they were in plain text.

That same Fortune 100 company failed a PCI audit due to having entire credit card numbers in plain text (among other problems). We did not get any funding to start the encryption project until after the credit card organization started handing us daily fines. We asked for funding to encrypt the SSN's at the same time and were denied. We were only allowed to fix the issues to stop the fines.

At a different much smaller company (of roughly 1000 employees), their users' passwords were not even encrypted. They were stored by reversing the sequence and a process similar to ROT-13 [wikipedia.org] . It was so bad, if I was looking at the database, I would be able to "decrypt" over 90% of them in my head. The scary thing... I was working for a credit card issuer (one you probably have NOT heard of) and the system was used for managing corporate credit cards including setting limits and issuing new cards (and the system was designed for public internet access used by many fortune 500 clients).

While I was there, there was a large redesign to the entire process. It was upgraded to allow automated password resets, forced password aging, and a new UI. We (the developers) requested to change the back end storage and were flatly denied.

To make matters worse, they wanted us to remove the ability to allow special characters. The reason? Corporate politics. A newer system (with more funding and better liked by the corp execs) did not allow special characters and we couldn't let our (un-liked, but more used) system be better. We were able to get a corporate security person to not have us forced to drop special characters, but we were not allowed to tell the users that we allow them. (I was already looking for a new job when this happened, and this made me redouble my efforts.)

The examples just prove corporations want to nickle and dime everything and only pay for the bare minimum. In addition management rarely understand tech (even in some so-called tech companies,) and you see why they would rather hire cheap programmers instead of quality programmers.

Until they are willing to pay for security they will not be secure. And now it seems that the worse thing that happens after a breach they pay for a year of "id theft monitoring." A year of monitoring if they get caught compared to paying for quality software development -- Which do you think most companies choose?

Re:Companies don't want to pay for security (1)

Jason Rousseau (2945315) | about a year ago | (#43944881)

correct on some level's, I do not mind calling India, tho, . Unreliable hardware, apathy, untrained and stupid trash security. Small businesses or ISP's in my small town (10 ) can get by with outsourcing easily and remote config and call center 's like MSFT's.

Here's the problem... (1)

Anonymous Coward | about a year ago | (#43942489)

So, they regulate a software manufacturer to the point where very little in the way of features are getting accomplished in lieu of focusing on security fixes. Costs skyrocket for made-in-the-u.s.-absolutely-secure-software, meanwhile software made in India, Russia, China, etc. aren't beholden to the same regulations. Their software is cheaper, done sooner, and has all the features customers need. Software firms beholden to the regulations die off in droves. Problem solved, right?

I think there is a point here (1)

SleepyHappyDoc (813919) | about a year ago | (#43942551)

The pharmaceutical industries have a lot of rules and procedures that need to be followed, to minimize risk to patients, and these rules are largely effective (sure, not completely, but killer drugs are pretty rare). The idea of 'release it now and fix it later' would never be tolerated in the pharmaceutical industry. Why can't the software industry aspire to similar safety standards? The idea that it is impossible to write perfectly secure code, where does that come from? Is that really true?

None of the above (1)

ka9dgx (72702) | about a year ago | (#43942773)

It's not outsourcing, developers, lazy users, the Chinese or any other of the above mentioned causes that are at the root here. The root cause is the operating systems we all run aren't secure by design.

Linux, OS_X, Windows, Android, and all the phones run systems which are based on the idea of users who can be trusted. This is a great idea for computer science departments of the 1970s, prior to wide scale networking and mobile code. The idea is just stupid in todays environment, and has just lead to a ton of patches over a ship made of sponge.

Capability based security reverse the bad assumption that you should base everything on trusting (or not) the user. The user isn't the problem. The software the user uses should be the problem, and focus of attention. Linux, OS_X, Windows, Android, etc. ALL trust a program with the resources of the user in question, which is NUTS (and has been quite a foolish thing to do since 1980)

The Genode project is working to bring a full-on capabilities based system together on top of an L4 secure kernel. In this OS, the user selects the resources to make available to the program at run time. This is better than App_Armor in that it's more flexible, and easier to work with. The best part is that capabilities already match the way we deal with non-computer based parts of our life.

Owe someone $15? You had them a $20, and they give you $5 back. The $20 bill was a capability, and the maximum you could lose. They can't trojan horse your money, and steal the rest out later.

Want to let someone borrow your car? You hand them the keys, and it gets them into your car... not all cars of that model, not your house, not your bank account. It's a capability, which accesses that one resource, not all of them.

Capabilities offer a way to fix computer security for good if enough people "get it" and push for its adoption.

It couldn't get any worse, could it? (0)

Anonymous Coward | about a year ago | (#43942977)

The US Government is spying on it's citizens and most likely corporations and their secrets as well. Now that they have all this information collected, foreign 'hacker's be they state sponsored or otherwise can find more juicy information without needing to compromise as many systems. They are able to better target their attacks at systems that are ripe with collected data. Am I wrong?

Stuxnet (1)

amightywind (691887) | about a year ago | (#43943001)

How about a Stuxnet like counter attack on the Chinamen?

Obama Deal To China (0)

Anonymous Coward | about a year ago | (#43943389)

Obama will attempt Blackmail on Chinese General Secretary of the Communist Party of China, i.e. President, Xi in exchange for 1 Trillion dollars ! Obama has a taste for money, like his tastes for male prostitutes and children prostitutes.

Boo -- Quick innovation makes more money than lost (0)

Anonymous Coward | about a year ago | (#43943675)

If the problem was a simple one to solve, we'd do it. I agree that software used by the military that puts lives at risk should be seriously vetted and rigorously controlled just like car designs and other the other devices he cites that can hurt people if faulty. But most other software is about making money with little to no risk of physical injury. Speed to market, flexibility, and risk acceptance makes trillions more dollars than the oft quoted but never substantiated billions in IP supposed lost (Who has billions USD to lose except publicly traded companies, and where are the disclosures?).

I'm not saying that rugged development and other security practices shouldn't be followed, but to suggest that we even could or should regulate the industry to protect it from perceived and unsubstantiated claims is nothing more than using FUD to support a security aesthetic position.

Secure Software Engineering is rarely taught (2)

gweihir (88907) | about a year ago | (#43943883)

Server software that is very, very secure is possible. Look at, e.g. postfix, openssh, apache w/o modules, etc. It costs more, but the real issue is it has to be designed and implemented by people with strong secure software engineering skills. Today, secure software engineering is still rarely taught, and almost never as mandatory subject. As long as that continues, most software will suck security-wise, as secure software engineering requires a quite different mind-set from ordinary software engineering. It is however quite clear how to do it today. Techniques like privilege-separation, marking and tagging, secure containers, full input validation, etc. are well understood and cause massive increases in the difficulty to hack a system and can make it impossible. The problem is just that they are not used because so few people understand them.

My proposal: Make secure software engineering courses mandatory for any SW-Engineering and CompSci qualification. Then add high liability risks for all those that do not use these techniques to force management into abandonning shoddy practices.

Re:Secure Software Engineering is rarely taught (1)

Jason Rousseau (2945315) | about a year ago | (#43944919)

"

Server software that is very, very secure is possible. " I have never heard of "Beta" business class Server software licensing...

Re:Secure Software Engineering is rarely taught (1)

Jason Rousseau (2945315) | about a year ago | (#43944971)

I have never heard of "Beta" business class Server software licensing.. (don't mean to be a smartass here, but you are talking business Domain Controllers software.. If you are talking Mission Critical bug level software? if so, my bad.

Re:Secure Software Engineering is rarely taught (1)

gweihir (88907) | about a year ago | (#43952597)

I have no idea what you are talking about. Care to clarify?

poor application (1)

superwiz (655733) | about a year ago | (#43946333)

Poor application doesn't come from lack of familiarity of poor training, however. It comes from tools which do not adequately expose functionality to the end users. Every time a tech argues "but technology X can do this you just need to learn how to do Y", he is dropping the ball. This argument was only appropriate when interfaces were limited by technological capacities (first due to being done in hardware such radio nobs and then due to lack computing power to do both interfaces and main application logic in software). Given the amount of computing power available today, inability to expose concepts to end users is 100% tech's fault. This goes not only for concepts exposed to consumers. This goes for tech produced for techs as well. Anyone who even thinks that a computer language should not be responsible for exposing hardware capacities in a way that does not tax anyone's attention span should be ashamed to even think about the subject and they should be much more ashamed of voicing their opinion on the subject. Dropping the ball on UX at every level of technology, given the capabilities of the modern technology, is why security features don't get properly used. They are not adequately exposed to the users. Cats can use ipads. Humans can use any technology if its interface is not designed by amateurs or hacks.

The premise of this posting is stoooopid! (1)

sgt_doom (655561) | about a year ago | (#43947285)

When the DoD (that would be Dept. of Defense for the dummies who regularly read this site) issues the top security level (O-Ring) to Micro$oft's operating systems, and MS hands over their OS source code to the Chinese gov't, could be a major cause of the problem. Another major cause would be offshoring all those jobs to China --- offshoring all that technology to China --- offshoring all that investment to China (instead of corporate amerika amortizing into their country from which they are based, and should be expelled); said actions render this article posting completely ludicrous, written by a member of the species, ignoramus americanus!

bullshit (0)

Anonymous Coward | about a year ago | (#43948909)

That's because my fellow Americans are greedy, lazy fucks. Step up niggas

open systems exploded into commerce (1)

peter303 (12292) | about a year ago | (#43954057)

Hackers did not not want develop on closed systems like DEC VMS with its deep levels of security. That was very painful for the few months i had to wrok with that. Now we are paying for this.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?