
Network Webcurity Wishlist?

Cliff posted more than 12 years ago | from the bending-the-governments-ear dept.

Security 512

breillysf asks: "I am a California-based network security attorney who has been asked by a senior US Senator to compile a list of the most important legal concerns facing network security administrators. He has a good feel for the government security issues (and lack thereof), but he is concerned about what is going on in the front lines in the private sector. I thought the Slashdot crowd would have the best feel on the pulse of the current situation. Specifically, if you could ask Congress for help in the area of network and information security, what would you ask for? Or would you tell them to get out of the way?"

"For example, I tried to push for tax incentives for upgrades in network security measures, but the Senator replied that is dead in the water because we are now spending into a deficit. He would rather see insurance companies reward firms with lower premiums for enhanced security. But there are international legal issues, compliance issues, privacy complications, potential negligence liability exposure, lack of federal incident response, FOIA and anti-trust issues with info sharing, conflicting state and federal cybercrime and privacy laws, USA Patriot Act concerns, etc."


512 comments


First post for Jesus (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2659993)

I claim this furst post for the baby Jesus.

Yours,
Anonymous Coward

i love my job (-1)

count_sporkula (446625) | more than 12 years ago | (#2659994)

no, really

pgpnet (1)

resistor2004 (254817) | more than 12 years ago | (#2659998)

offer rewards for running PGPnet

Fp (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2660002)

Fp Damn Lameness Filter Anyway

Don't ban tools! (5, Insightful)

pete-classic (75983) | more than 12 years ago | (#2660005)

To borrow a phrase; if you outlaw nmap, only outlaws will have nmap.

-Peter

Re:Don't ban tools! (5, Interesting)

Bonker (243350) | more than 12 years ago | (#2660092)

This is probably the most important thing any network professional can ask for.

Outlaw evil behavior, not the tools that enable that behavior. In many cases the tools have many, many more positive and educational uses than negative uses. In a lot of cases, the tools can be used to stop or examine criminal (cracking) behavior.
Say what you will about Steve Gibson [grc.com], but the guy knows a little about network security. He gives an extended discussion [grc.com] on how he used the tools of the IRC-based DDOS trade to help oust some script k1dd13's that were hammering his site.

Without tools like L0pht-crack, the NT password cracker tool, I couldn't have convinced my execs that a company password policy was necessary and passwords like 'password01' were unacceptable.
Just like we don't ban sledgehammers and bolt-cutters even though they can be used to break padlocks, we shouldn't ban network tools either.

Re:Don't ban tools! (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#2660180)

In other words: Get out of our way, and leave us alone you old, retarded, outmoded, mutha fuhkas.
At least, that's just how I feel.

Holding Companies Liable (4, Insightful)

Anonymous Coward | more than 12 years ago | (#2660006)

How about holding various companies whose products are exploited the most (re: MS) liable for their lack of security?

just because they get exploited the most (5, Interesting)

eclectric (528520) | more than 12 years ago | (#2660068)

doesn't mean they're the least secure.

Exploits are still made against products that Microsoft secured over a year ago. And indeed, Microsoft gets exploited the most because they are used by the vast majority of non-technical users. Can you imagine what would happen if 90% of the computer-owning people used Linux? Every single hole in the OS would not only be exploited, but you could count on it being a LOT less likely that the average-joe user would *ever* update his software to fix the hole.

Re:Holding Companies Liable (5, Insightful)

jspey (183976) | more than 12 years ago | (#2660123)

More specifically, if you pay for some software and it has security holes that a reasonable and prudent check should have found before it went on sale, and those security holes cause you problems (like lost time, lost money, lost business, whatever), then you can at least try to get the purchase price of the software back from the publisher. Seriously. Lots of software has holes in it. But if I buy win2k and install it, and the default install turns on IIS, and IIS has enormous holes in it that should never have made it past quality control, then I should be able to get the cost of the software back from Microsoft when I suffer problems from their poorly designed software.

If you make the penalties for unsafe software too large, no one will write software. But there needs to be some sort of incentive for companies with so large a market share that they don't care how crappy their software is to make their software safe.

Mr. Spey

Re:Holding Companies Liable (-1, Redundant)

OSgod (323974) | more than 12 years ago | (#2660157)

Or perhaps we should fine you for not training your systems administration staff on how to set up servers correctly.

This argument holds about as much water as the "sue the automakers because cars shouldn't go that fast" or "sue McDonalds because coffee shouldn't be hot".

Re:Holding Companies Liable (0, Redundant)

posmon (516207) | more than 12 years ago | (#2660189)

eh up! this is america in the 21st century. you can sue for anything! [freerepublic.com]

Wishlist... (5, Funny)

gowen (141411) | more than 12 years ago | (#2660011)

My wishlist:
  1. Never ever ever use the so-called-word "Webcurity" again.
  2. ...
  3. Err ...
  4. That's it.
(apologies to Private Eye)

Re:Wishlist... (5, Funny)

Unknown Bovine Group (462144) | more than 12 years ago | (#2660036)

UGH. Webcurity? Let's nip this one in the bud.
Webcurity is the most slashtacular word I've seen in a long time. Its cowboyNealiciousness is of almost Hemosian proportions.
It's almost Katzian.

well... (2, Troll)

turbine216 (458014) | more than 12 years ago | (#2660013)

My network-security wishlist for presentation before Congress:
  • Try all Microsoft engineers as domestic terrorists in one of those military tribunals.
  • Kindly ask Larry Ellison to get bent.
  • Outlaw any Passport and .NET services.

Whaddya think, mr. attorney? Can we make this happen??

What I Really Want (5, Insightful)

twoflower (24166) | more than 12 years ago | (#2660015)

The number-one item on my wishlist would be for the government to keep completely out of network security issues -- the government should ensure security on its own networks, of course, but they shouldn't be concerned about anything else.

There are already enough laws to deal with DOS attacks and such -- more laws just means more expense for those who have to deal with them.

Twoflower

Re:What I Really Want (0)

Anonymous Coward | more than 12 years ago | (#2660047)

amen. do we really want the people who brought us the long lines at the post office, the long lines at the DMV/DOT etc. anywhere near anything of import?

if he truly wants to "DO SOMETHING", he can vote to keep the TAXES off the net.

Govt should only do..... (1)

Tye_Informer (412478) | more than 12 years ago | (#2660109)

The Government should only do what the private sector doesn't want to do. You can set up a government organization to do anything the private sector does. They will do it half as good for twice the price.

Network security is really run by market pressure. For example, I won't buy anything from a company that wants me to email my credit card number to them! If enough people are concerned about their security those companies will either change or disappear. The only involvement I would expect from the government in this case would happen when someone stole one of those credit card numbers being emailed. Until then stay out.
(I don't even think the government should be in the business of informing users of security problems! Anyone that watches the news knows about these things! If they don't they wouldn't pay attention to the Ad Council's ads anyway)

Think again (1, Interesting)

Anonymous Coward | more than 12 years ago | (#2660152)

Think again about having the government 'keep out' of security issues. It would be great for them to 'keep out' forever, but we know this is not going to happen. If they do not pass laws ALLOWING things like security auditing tools, public security forums, and the like, eventually laws will get passed contrary to those! While you have the freedom now to possess something like nmap(1), don't take this for granted! We'd like it to fall under free speech, and view anything we do with it as harmless, but other people don't. Freedom is waning.

The public is presently being trampled by corporations because the public assumes that they are free to do things that are pretty common-sense alright. I.e., buy a CD and make a copy of it for your car, or for backup in case your CDs get stolen (say you own 200 CDs, at $15 ea., and they get stolen. That's $3000!!! Now think of those 400 disc changers and how easy it is to grab one of those if you broke into someone's house). While you feel (and it is) perfectly morally alright to copy CDs for your own personal use, companies are trying to ERODE these rights. All the while, the public (Slashdot, et al.) whines about this in forums, citing 'fair use' clauses of old laws that may or may not apply. The fact of the matter is, the DMCA is a new law, and it doesn't matter if it's contrary to those old laws, it supersedes them. What IS needed is a law stating that content sold to the mass consumer CANNOT be encrypted in a way to prevent copying. Something proactive.. Then let the RIAA go to court with the government and try to overturn the law. But they cannot, because they work under the law.

My main gist is that there are some things that people just take for granted, and want the government to 'stay the hell out of their lives'. But without proactive laws, they will soon find those things they take for granted outlawed due to somebody pushing the ball the other way.

Webcurity? (0, Redundant)

joshv (13017) | more than 12 years ago | (#2660016)

What kind of word is that? Webcurity...

What next? Homelandcurity?

-josh

Re:Webcurity? (1)

Conspiracy Theorist (250373) | more than 12 years ago | (#2660062)

webcurity n. An imaginary word intended to be interpreted as a buzzword, which when used around the right people will make you sound intelligent and thereby increase your job security.

Re:Webcurity? (1, Funny)

kkokal (450374) | more than 12 years ago | (#2660081)

C'mon... it's a perfectly cromulent word.

The obvious (5, Insightful)

heyeq (317933) | more than 12 years ago | (#2660018)

Well, for starters, don't let Microsoft's Chief Security Advisor work as a security advisor for the White House.

hailstorm and the like (5, Interesting)

curtis (18867) | more than 12 years ago | (#2660021)

This is a great chance to get our concerns as a community out into the public sector.

Consider this: ONE person/organization has EVERYONE'S personal and financial data online. This goes against all design architectures in both security AND engineering. A single point of failure. Imagine one bank in real life, with Barney Fife guarding it. Would you put your life savings there?

With more and more commerce occurring on the internet, the more important it is that there is some scheme to protect this important market. I am particularly concerned with one private company holding the public trust in their hands -- I am also very concerned about the government, for that matter, also holding this information!

So what would you have the government do? (2, Insightful)

KingAdrock (115014) | more than 12 years ago | (#2660055)

I understand everyone's concerns with Microsoft and their Passport technology. But what would you have the government do to change it? I think this is more of a case where if you don't want to use it, don't. And if a company you deal with requires its use, talk to them.

You can't have the government put a stop to a perfectly legal business practice by Microsoft just because you don't like it. I'm not sure government oversight would be a good thing either. I'm interested to know what you would want the government to do about it.

Re:So what would you have the government do? (1)

jslag (21657) | more than 12 years ago | (#2660195)

You can't have the government put a stop to a perfectly legal business practice by Microsoft


Actually, if you wanted a certain business practice stopped, asking the gov't to make it illegal isn't the worst thing you could do.

Re:So what would you have the government do? (3, Insightful)

number11 (129686) | more than 12 years ago | (#2660221)

What to do? No, don't ban the business practice. Just ensure responsibility.

We have a company (not just MS, but anyone) that holds user data (passwords, credit card info, whatever) accessible online (the proof of the pudding is in the eating.. if some cracker is able to access it, then it was accessible). Make that company liable for any real or consequential damages to users due to leakage of that data. Damages including value of time lost in changing passwords, dealing with credit card companies, whatever. Liable regardless of whatever EULA or click-thru smokescreens disclaiming liability they may have.

Don't mandate *how* they should stay secure. Just make it clear that if they blow it, it's going to be very very expensive.

Egress Filtering (5, Interesting)

jac (7157) | more than 12 years ago | (#2660024)

"Coax" all carriers and providers to do egress filtering at the edges of their networks. This should help significantly in reducing DDoS attacks and should help make malicious network activity easier to trace.

Bam.... (0)

Anonymous Coward | more than 12 years ago | (#2660085)

That is an *excellent* suggestion. I hate "Me Too'ing", but this needs mod'ed up. Feel free to mod me down while mod'ing the parent up.

INGRESS filtering, rather? (0)

Anonymous Coward | more than 12 years ago | (#2660145)

Of course, egress filtering also helps by preventing the DDoS traffic from reaching the single target node. But two points should then be kept in mind:
1. the traffic will congest the links in that access network
2. egress filtering should be done in the stub area border router

Re:Egress Filtering (already) (1)

dago (25724) | more than 12 years ago | (#2660187)

lots of providers are already doing egress filtering (if not a majority, but I can only speak for my company)

haha (-1)

neal n bob (531011) | more than 12 years ago | (#2660027)

I have dealt with congress - mostly lazy penis driven tools. Very few actually care about security - unless you mean not getting caught banging interns.

My personal experience with government networks and computers is that they are about as secure as a box of donuts in a room of programmers.

tell them (5, Interesting)

elliotj (519297) | more than 12 years ago | (#2660028)

the more crypto the better. and don't try to legislate backdoors into it or anything.

people need to realize that crypto is available to anyone with the ability to use it...it needs help in getting the average joe to use it.

most people won't use PGP or something b/c it is too complicated. crypto needs to be built into office and internet apps from the ground up. strong crypto. stuff that can't be broken.

people need to feel secure about these things. i think the govt has a lot to offer in promoting pki and such to get this in the hands of everyone.

privacy is important. the govt needs to make a proactive effort to show that they believe in personal privacy and are willing to help make it happen online.

Re:tell them (1)

libre lover (516057) | more than 12 years ago | (#2660160)

... and the best way for this to happen is for the Gov't to drop all restrictions on the import/export of strong encryption. Besides, the cat is way, way out of the bag.

Require ISPs to bundle firewall software (2, Insightful)

linzeal (197905) | more than 12 years ago | (#2660039)

At the very least a free one like Tiny Software [www.tinysoftware] . I'm sick of getting DOS attacks looking for IIS from zombies on my subnet.

Two things (4, Insightful)

Anonymous Coward | more than 12 years ago | (#2660045)

First, stay out of the way. Don't meddle in things that you know nothing about. Don't place restrictions on security measures, a la encryption export. Don't mandate government backdoors and don't permit the likes of Carnivore and Magic Lantern.

Second, concentrate on the government's own cyber security problems. Clean up your own house before you start trampling over mine.

You're an attorney (0, Troll)

cmclean (230069) | more than 12 years ago | (#2660049)

I am a California-based network security attorney

So what are you paying for this consultancy work you expect us slashdotters to do, for you, for free?

Seriously dude, you must be earning some big bucks, but you want us to do your job for you?

Not flamebait pal, I'm serious. If you don't know the answer, go tell your client to find someone who does, it's the least you owe them.

cmclean

Wrong side of the bed? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2660143)

Note to all who post on /. -


Please help curb angry, pointless trolls by consuming at least one caffeinated beverage prior to posting.


And on a personal note to cmclean: Got job?

Re:You're an attorney (2)

sphealey (2855) | more than 12 years ago | (#2660169)

First of all, he is doing his job.

Second, and most importantly, if he does in fact have the ear of a Senator, and if he is able to translate technical concerns into political babble, this is a very good opportunity to present concerns which aren't usually heard by the political class. And all without having to pay $250 for a plate of rubber chicken!

sPh

Legislate Obscurity! (0)

Anonymous Coward | more than 12 years ago | (#2660050)

Squash anyone who talks about vulnerabilities. Squash them like little bugs, BWAHAHAHAHA.

IPv6 and IPSEC (5, Interesting)

PineHall (206441) | more than 12 years ago | (#2660052)

If the government would require IPv6 and IPSEC on all their networks, that would go a long way toward IPv6 and IPSEC being accepted and would improve network security. Nothing else needs to be done.

Most important and significant problem (5, Insightful)

Cesaro (78578) | more than 12 years ago | (#2660053)

The most important and significant problem is not putting the proper resources into getting that security. Upper level management are not technically minded folk, and they don't view computers as true tools. They don't understand the costs when you try to explain it to them. "I'd like to get around $200k so that I can physically separate out infrastructure and give us added security."
Management: "I'll give you 2 untrained contractors, a spool of thread, and a tin can."

They just don't understand, or appreciate what computers provide, but yet they get irate when something happens. Therefore the largest hurdle to overcome is getting the senior people up to snuff, or willing to dish out the resources for what needs to be done above and beyond a simply reactionary level. To them, pro-active computer security is like flushing money down the toilet.

Re:Most important and significant problem (1)

Stonehand (71085) | more than 12 years ago | (#2660094)

Perhaps that wouldn't be the case if there were clear, severe penalties for negligence in implementation or design when it comes to leaking information.

For instance, I'm not aware[*] of any major legal action taken against e-commerce companies which leak CC# numbers wholesale. AFAIK, they are not even obligated to pay any penalty or offer any compensation or assistance with, say, cancelling cards or contacting credit firms. If there were a steep price to pay for failure, then the cost-benefit analysis might swing towards security.

[*] Not saying there aren't; there quite possibly have been. I'm just not aware of any yet. *shrug*

Prevent monoculture (2, Interesting)

Stinking Pig (45860) | more than 12 years ago | (#2660058)

Dictate that computing environments must employ a free mix of platforms and tools so that a single crack or worm can't be used to exploit the entire company/organization/network.

I suppose it would be asking too much... (2, Funny)

ptomblin (1378) | more than 12 years ago | (#2660059)

...to implement the death penalty for anybody using Outlook or Outlook Express on my internal networks? It would make my life a lot easier.

Re:I suppose it would be asking too much... (2, Funny)

Lozzer (141543) | more than 12 years ago | (#2660136)

It would go some way to solving the unemployment problems too.

Egress filtering (3, Informative)

cgleba (521624) | more than 12 years ago | (#2660060)

A professor at the University of Massachusetts named Brian Levine pointed this out and I wholeheartedly agree:

It should be regulated that every network only allow their allotted IPs to leave their network -- aka egress filtering.

For example (using unassigned addresses purely for example), if you have a 192.168.5.0/24 subnet, you should not allow 10.10.5.0/24 addresses to leave it -- aka ONLY allow 192.168.5.0/24 addresses to leave it.

If everyone did this it would solve most of the IP spoofing problems and add a lot of accountability without infringing on people's privacy. Massive DoS attacks could be traced and stopped.

Re:Egress filtering (3, Interesting)

Agthorr (135998) | more than 12 years ago | (#2660134)

What about multihomed hosts where one ISP doesn't know about the other's addresses? I was administering such a setup once, and it was extremely useful that the ISPs didn't do egress filtering!

Also, although I agree it's generally good practice, this isn't something I'd want the government regulating. It sets a bad precedent, and they'd try to regulate all sorts of other aspects of network administration where they should not be sticking their noses.

Re:Egress filtering (1)

jmauro (32523) | more than 12 years ago | (#2660211)

Except this wouldn't work at all for things like phone upstream, satellite downstream. The IPs of the phone connection are different and not in the same network. Also a lot of other networks are and can be designed to use asynchronous links depending on the traffic.

Re:Egress filtering (2, Informative)

James Youngman (3732) | more than 12 years ago | (#2660218)

This possibly doesn't buy you much - many DDOS attacks utilise captured machines, and so there would be no requirement to spoof the source address - since it is not the attacker's own address.

FWIW, nobody should allow 10.0.0.0/8 addresses to leave their network, since it is an RFC1918 address.
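The source-address rule cgleba's comment describes ("only allow your allotted prefixes to leave"), plus the RFC 1918 point made just above and the multihomed-customer objection raised by Agthorr, as an added worked example. This is not code from the thread or from any product mentioned in it. Because the RFC 1918 check would drop the comment's illustrative 192.168.5.0/24, the allotted prefixes below are swapped for the RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24); the `EgressFilter` class, its verdict strings and the sample source addresses are all constructed for this example. The bogon list is deliberately short, not a complete feed.

```python
"""Egress (BCP 38 style) source-address filter, modelled on the thread's rule.

Added example, not code from the Slashdot thread. Prefixes and sample
packets are constructed; RFC 5737 documentation ranges stand in for a
site's real allotted space.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Source prefixes that must never leave any network: RFC 1918 private space,
# loopback, link-local, "this network", and their IPv6 counterparts.
# Illustrative, not an exhaustive bogon list.
NEVER_ROUTABLE = [
    ipaddress.ip_network(p)
    for p in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
        "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]


class EgressFilter:
    """Accept a packet only if its source lies in a prefix allotted to this edge.

    Hypothetical class name; the two drop verdicts are distinguished so an
    operator can tell a misconfigured customer from a deliberate spoof.
    """

    def __init__(self, allotted: Iterable[str]) -> None:
        # strict=True (the default) rejects prefixes with host bits set,
        # which catches typos like "203.0.113.5/24" at config time.
        self.allotted: List = [ipaddress.ip_network(p) for p in allotted]

    def verdict(self, src: str) -> str:
        addr = ipaddress.ip_address(src)
        # RFC 1918 and friends are dropped even if someone "allotted" them.
        if any(addr in net for net in NEVER_ROUTABLE):
            return "drop:never-routable"
        if any(addr in net for net in self.allotted):
            return "accept"
        return "drop:not-allotted"

    def audit(self, sources: Iterable[str]) -> Dict[str, int]:
        """Tally verdicts over a batch of observed source addresses."""
        return dict(Counter(self.verdict(s) for s in sources))


def multihoming_fix(primary: str, secondary: str, src: str) -> Tuple[str, str]:
    """Agthorr's objection: a customer homed to two ISPs sources packets from
    ISP B's prefix through ISP A's edge. A filter that only knows ISP A's
    prefix drops them; adding the customer's other prefix at that edge is
    the fix. Returns (verdict before fix, verdict after fix)."""
    strict = EgressFilter([primary])
    relaxed = EgressFilter([primary, secondary])
    return strict.verdict(src), relaxed.verdict(src)


if __name__ == "__main__":
    edge = EgressFilter(["203.0.113.0/24"])
    # Constructed sample: two legitimate sources, one RFC 1918 leak,
    # one address from a prefix this edge was never told about.
    observed = ["203.0.113.9", "203.0.113.10", "10.10.5.3", "198.51.100.7"]
    for s in observed:
        print(f"{s:16} {edge.verdict(s)}")
    print(edge.audit(observed))
    print(multihoming_fix("203.0.113.0/24", "198.51.100.0/24", "198.51.100.7"))
```

Note that, as James Youngman points out, this only stops spoofed sources; a zombie sending from its own legitimately allotted address passes the filter, so egress filtering removes the anonymity of a flood rather than the flood itself.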

First on the list... (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2660064)

ban all open source development. Everyone knows that all 1337 h4x0rs use Linux to cause havoc.

Security (1)

exor (21736) | more than 12 years ago | (#2660066)

Have the government set up standards and ratings for security in software (i.e. what DOD has done.)

Require ALL O/S's, Email, Firewall, etc. to meet or exceed the rating and put on their software package what security rating the software has.

Re:Security (2, Interesting)

LordXarph (38837) | more than 12 years ago | (#2660205)

Have the government set up standards and ratings for security in software (i.e. what DOD has done.)

Decent suggestion.

Require ALL O/S's, Email, Firewall, etc. to meet or exceed the rating and put on their software package what security rating the software has.

BAD. Bad, bad, bad, bad, BAD. This is what the proposed SSSCA was supposed to do - regulate software design. Regulating software design is a TERRIBLE idea, as it leads to the issues we are just now starting to see - software that's legal in one country is illegal in another. Another issue is the very idea of a logo/rating program - it would favor the commercial sector to an unhealthy degree. With the fact that all OSS has release schedules of NIGHTLY, keeping the software in check with the legislation would be nigh impossible and significantly impinge on the ability of open developers to work on a project if they need government approval to release a new stopgap build.

Read. My. ASCII. NO. SOFTWARE. REGULATION.

-Lx?

FOIA for private companies? (2, Insightful)

Stonehand (71085) | more than 12 years ago | (#2660067)

Is there an FOIA equivalent for private companies holding data on people, along with an obligation for speedy correction -- including a good-faith attempt at propagating corrections to other data-holding companies if the misinformation was propagated?

If not, perhaps there should be.

As a recipient of a subpoena... (5, Interesting)

dfeldman (541102) | more than 12 years ago | (#2660069)

A few years ago I worked as a sysadmin at a moderately large company. We had a pretty big turnover problem because our company's marketing efforts tended to attract job applicants who were "green" college grads, lazy, troublemakers, and looking for a "fun" workplace with foosball tables and free snacks. Needless to say, they did not fit in at the Fortune 500 company where I worked.

One of these employees got bored with his coding tasks and, with no previous exposure to a broadband Internet connection, apparently decided to become a script kiddie on company time. From all outward appearances, he got pretty good at it, but one day it caught up with him: U.S. Marshals came into my office and served me with a court order that asked for many, many pieces of information that would tell them who had been cracking systems from our corporate network.

I had no problem turning this information over, as the other choice was to go to jail and let the hacker go free. However, I was appalled with the way the marshals treated me: they knew that I was just the sysadmin, not the perpetrator, but they still treated me like a criminal. When I told them that our NAT setup doesn't keep logs of every single outgoing connection from our network (as had been requested in the court order) they got really pissed off and started threatening me. At that point I told them that I was not going to do anything for them without talking to counsel, and they backed off.

So, the moral of the story here is that law enforcement needs to show more respect for sysadmins, and learn the difference between a network admin and a criminal on the admin's network. Treating everybody as though they are all guilty will only build resentment and get in the way of getting their precious case solved.

df

Re:As a recipient of a subpoena... (0)

Anonymous Coward | more than 12 years ago | (#2660137)

And as someone who has also had a malicious user on a network I was running, I agree. Although I did not experience government involvement, I got enough nasty emails from people who were being portscanned from my netblock and were attacking me personally.

A little politeness can go a long way. You want my help stopping a malicious person from scanning you, treat me with respect.

He was lucky to work for your company (5, Insightful)

sting3r (519844) | more than 12 years ago | (#2660168)

One of my co-workers was scamming people on eBay from home, and one of the disgruntled customers called our local police department to whine about it. The police came down to our place of employment and started talking with the managers, and the managers literally turned white and started handing over records. This was without a warrant or court order, mind you. Last I heard, they had turned over the employee's entire HR file, his entire mail spool, and his desktop computer. Needless to say they did not want him to work there anymore after that day.

This brings up an interesting point, though: should Congress make it illegal for companies to give up your personal information to law enforcement without your consent (or a court order)?

-sting3r

Re:As a recipient of a subpoena... (1)

Crispin Cowan (20238) | more than 12 years ago | (#2660216)

At that point I told them that I was not going to do anything for them without talking to counsel, and they backed off.

You should not do anything at all without talking to the company's counsel, lest ye get a lawsuit from the accused.

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. [wirex.com]
Immunix: [immunix.org] Security Hardened Linux Distribution
Available for purchase [wirex.com]

Responsibility (5, Insightful)

Alien54 (180860) | more than 12 years ago | (#2660073)

I do not know how you would do this, or what the right way to do it is, but I would like to see some responsibility for writing or creating secure systems.

I am thinking specifically of Microsoft, and the Microsoft Outlook Email Viruses, but this could certainly apply to plenty of other companies.

If companies are merely licensing the use of the software to us (and we do not own it), and charging the big bucks, shouldn't they be responsible and/or liable for the consequences - damages from using it? or is this a matter of they get all of the benefits, and we get all of the problems?

Re:Responsibility (1)

OSgod (323974) | more than 12 years ago | (#2660201)

Isn't that the responsibility of free software? To provide software that is better, more competitive and available so that no one will use the inferior Outlook that is riddled with security issues?

Wait, I forgot -- NO VIABLE COMPETITION EXISTS IN THIS MARKET SPACE -- obviously because MS is a mean company that doesn't allow it.

Since there's no carrot..... (1)

AndyS (655) | more than 12 years ago | (#2660074)

Maybe it's appropriate to use a stick?

If somebody gets rooted, and after being warned, does not clean the rooted box, then they could be fined. I'd imagine very few attacks are managed from home boxes, and a significant number of DDoS attacks come from rooted boxes. It's not impossible to find out what these boxes are, and people on high end connections could be pushed to comply with the threat of fines.

As well as this, ISPs could be required to do egress filtering, to reduce the incidence of IP spoofing in attacks, amongst some other simple solutions. I imagine both of these would help to some degree at least.

howabout.. (1)

Anonymous Coward | more than 12 years ago | (#2660076)

howabout some laws condoning mailing lists and other security forums like bugtraq, encouraging full disclosure, and the like.

these can be made with the argument that security is not a definite thing. while there may be NO holes in operating system Y, there most likely is something that could be found. Now say OS Y secures 85% of networks. Without full disclosure, the vendor of OS Y is allowed to keep people in the dark, especially smaller customers, about any problems with OS Y.

asking congress to 'get out of the way' is only going to let things get worse, as the security community will be seen as having little opinion, while big corporations trample over common practice and common sense.

Also, a nice governmental security law would be 'Any arm of the government is only allowed to use software that has the source code available and publicly auditable, or something that has been developed in-house.'. Does it really make sense to have company Z providing government 'security'? Sure, if company Z puts back doors in their products, and causes damage to another company, they can go to court together. But what happens when the government can't sue company Z because company Z now controls the court system with their backdoors.

Don't Attempt to Regulate (4, Redundant)

Bob(TM) (104510) | more than 12 years ago | (#2660078)

Congress doesn't regulate whether individuals or corporations lock their doors, install security alarms, or any of a plethora of physical security measures. Then, why would I want them to step into the fray and regulate security responses and policies in cyberspace?

To begin with, the government doesn't move fast. Given that the time scales associated with IT are becoming smaller and smaller, the iterations would go through many cycles before Congress knows what hit them. Attempting to regulate the arena would get in the way.

Secondly, Congress obfuscates rather than clarifies. Look at the DMCA - which causes more problems for the industry than it solves. It's great for the conventional copyright holder but has the effect of stifling digital advances. Congress moving to mandate information security policies or measures would be the same thing - the paradigm they are working under doesn't apply well to this technology or the time scales under which it operates.

Let the industry that's used to the pace of things set the policies. Congress is better suited to time scales where change occurs in years, not days.

Webcurity? (0)

Anonymous Coward | more than 12 years ago | (#2660082)

Based on the design and implementation of the Internet on the whole, I think the government could only do harm to it as it exists today. The business machine has done its damage to the concept of free thought and information already. My advice: STAY AWAY.
The last thing needed is more excuses for large corporations to harass people just trying to voice their thoughts. While help in punishing hackers would be helpful to admins on the whole, I think perhaps it would do more damage than help.

Ask Slashdot: (-1)

CmderTaco (533794) | more than 12 years ago | (#2660083)

Damn! I'm out of Mountain Dew. What should I do?

Patch acquisition and rollout needs to be simple (1, Offtopic)

bbk (33798) | more than 12 years ago | (#2660086)

Plain and simple, getting patches and rolling them out is a pain in the ass for most vendors' products. I've switched most of my servers to BSD-based systems, simply because it's easier and simpler for me to stop a service, do a cvs update against the patched source tree, compile and re-enable the service, than it is for any other operating system.

Windows Update is OK (the 75% of the time that it works), but there are far too many interdependencies between products - for example, to apply the latest Outlook 2000 bugfix, you need to download a 50MB patch for all of Office 2000, and have an Office 2000 disk around - since all my Outlook 2000 installs came with Small Business Server, I don't have this, and can't apply the patch.

In short, it needs to be easier to patch systems - so simple, that people will bother to do it on a regular basis.

BBK

secure mail service (2)

4im (181450) | more than 12 years ago | (#2660087)

What I'd like to see is forcing mailserver default installs not ever to be open relay configs. One of the biggest pains right now is spam, largely enabled by open relays (besides clueless admins). Spam is theft of resources, can result in DoS, and should be outlawed.

Oh yes, force producers of email clients to use secure default settings. Deny *Script in emails, automatic opening of attachments even in preview mode etc. (thinking of Outlook [Express]). This would massively reduce damages by email worms.

Yet another point: get the ISPs to actually *do* something about abuse complaints [when they are reasonable].

National security concerns (1)

JMZero (449047) | more than 12 years ago | (#2660088)

The government should invest in improving and securing Internet, ATM, and telephone infrastructure. Remember reading about the key extraction test on the ATM machine a month or so ago? What if terrorists performed such an attack?

The government needs to be working to ensure security at banks and other institutions whose failure would be catastrophic.

And don't make cloning illegal.

My experience (2)

LWolenczak (10527) | more than 12 years ago | (#2660091)

I would say the greatest issue is response by ISPs and groups who seem to have been a source for an attack. I NEVER hear back from IP address block owners; it's rare. In maybe three or four HUNDRED emails, I have only gotten one response from a person. In all honesty though, no amount of legislation or tax incentives can help that.

I think it would be best if the US Government, My Government, took a hands-off approach, while encouraging insurance companies to give incentives to customers who maintain high-security networks. Government control of technology, outlawing of the tools, will only make things worse, because only the crooks, script kiddies, and outlaws will have the tools and technology.

The internet is an international, boundless medium, and only a community effort, with the cooperation of ISPs and companies who hold massive networks, will keep the net free, and allow net admins to hunt down and stop people who are doing things that cause net admins trouble in their job. I mean, I would be much happier if one ISP out west would email me about one of their customers who has a box that is scanning one of my customers just about every three weeks.

Don't criminalize security research (5, Insightful)

mikej (84735) | more than 12 years ago | (#2660093)

There's an ongoing trend to criminalize the tools and speech used to conduct security research; this is the single most frustrating aspect of the government's involvement in network security. Lists like bugtraq and tools like nessus and nmap are absolutely vital to the health of a network-connected system. Some suggested legislation would make all security discussions criminal, some would allow such work to only be conducted by approved organizations; both would shatter the ability of the individual administrator to effectively secure his systems. If I could make one and only one request it would be to specifically disallow legislation that attempts to let companies involved with the internet take the security ball to their private court and bounce it around, leaving individual system administrators with no tools and no forums in which to discuss their own defences. In short: keep public, individual security research legal.

Thanks, and good luck.

Totally agree, mod this up (NT) (1)

biftek (145375) | more than 12 years ago | (#2660138)

Keeping research open is important, mikej is right on.

The Answer is Simple... (4, Funny)

Electric Angst (138229) | more than 12 years ago | (#2660098)

Federalize computer security. Make network admins another part of the executive branch, like the FBI, NSA, or ATF. Assign agents to every business with an internet connection (the more significant the connection, the more agents). Give them the authority to break down the doors of the script kiddie attempting to zombie users' workstations and point a gun at their head.

Three vital needs (2, Insightful)

PrimeEnd (87747) | more than 12 years ago | (#2660102)

There are at least three things we need:

1. Wide deployment of IPSec.

2. Open standards and full disclosure of vulnerabilities.

3. Client diversity in the network ecosphere. A single species (can you say 'outlook') is extremely vulnerable.

Wiretap law problems, lack of knowledgeable people (1, Insightful)

Anonymous Coward | more than 12 years ago | (#2660108)

I'm a sysadmin at a major US military base, so my experiences might not apply directly to the private sector, but I'm sure there's some overlap. We run into constant legal confusion over when and where we can monitor activity, whether it's mail, web traffic, IDS logs, or whatever. We get conflicting information from all sides on the issue, and no one can point us to a set of clear guidelines or uniform policies. As a result we wind up with security policies that have huge gaps in them - not being allowed to block VBS attachments at the firewall, for example. We've since gotten around that one, but it's a constant fight.

Probably more critical is the lack of knowledgeable people. There are obviously some people at the top with a clue, and they issue some instructions that often make a lot of sense, but between them and us at the functional level there's a huge gap. When we get calls on IDS hits from our MAJCOM network operations center, for example, some of those people aren't even sure how many octets are supposed to be in an IP address. There's very little help provided in implementing the policies as they're directed - everyone's left to figure it out on their own and there's a huge amount of duplicated effort.

What we need more than money or tax breaks is this: centralized resources with tools, policies, information, and efficient channels of communication.

2 words: limited liability (2, Interesting)

llamalicious (448215) | more than 12 years ago | (#2660110)

Yes, network administrators have to be vigilant about their own security, and put in place whatever measures are necessary to ensure the integrity of their data (and their companies).

My only wish would be specific legislation proposing limited liability in cases where a 3rd party piece of software was used and an exploit found and used against said software before a security warning is made known, or security patch is made available by the vendor.

If the administrators have done their job and have all their software up to the best spec they can, but are subjected to liability against themselves for an error in a piece of software they put their trust in.. it's bad news.
Especially if the client dictates the software to be used for securing the data... man, it's just bad karma.

In the meantime, keep using multiple levels of security. Screw the overhead if you've got sensitive data...

Trouble brewing (1)

s20451 (410424) | more than 12 years ago | (#2660113)

This has got to be a first. I thought you weren't supposed to take any legal advice given on Slashdot; but here's a real, live lawyer asking for it. Did the world end while I was in the john?

i'll tell you what i want (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2660116)

what i really really want

i really really really wanna zig-a-zig-ah.

thank you

wishlist (0)

Anonymous Coward | more than 12 years ago | (#2660117)

  1. Stay out of it - Congress will make everything worse by legislating anything to do with security
  2. When you do try to legislate security (because you will, because you feel like you have to "do something"), get and CAREFULLY consider the opinion of the computer-using community before passing it into law. By community I mean NOT JUST corporations but end users and other people whose motives might be different from those of software manufacturers
  3. Remove all crypto restrictions; apart from the fact that people are actually capable of developing crypto outside the US, the restrictions don't actually prevent the export of strong crypto
  4. No backdoors. They are not, and will never be, safe
  5. Fund open source OS/crypto/etc. development projects to provide free, quality, code-transparent tools to aid people secure their networks

Technologists Vs. Politicians (2, Interesting)

Wedman (58748) | more than 12 years ago | (#2660126)


Or would you tell them to get out of the way?

Maybe that's a good idea: let the technologists work it out. Was it a politician who developed the first firewall, IPSec, NIDS, etc.? I don't think so.

While there is a social element to breaking networks, the solutions to these problems should NOT be legislation (IMHO). Making something illegal or applying mandatory monitoring does nothing to stop those who intend to circumvent/ignore those measures.

Network security should be left in the hands of those most capable. If any body or government should look to tackle the 'issues' - real issues - of network security, I think it should be a body of technologists and people who really do have an understanding of what network security really means.


Thank you.

Re:Technologists Vs. Politicians (1)

Stonehand (71085) | more than 12 years ago | (#2660161)

Making something illegal or applying mandatory monitoring does nothing to stop those who intend to circumvent/ignore those measures.

Sure it does. Fines, jail time, and execution (for, say, homicide -- I'm not talking strictly about network security here, although eventually it may be quite possible to commit murder via a network attack; think DOS of critical systems) tend to have varying levels of deterrent or incapacitative effects.

If they can't afford the carrot... (1)

rbrander (73222) | more than 12 years ago | (#2660127)

...then they can use the stick.

Pass some laws making it an offense to be egregiously insecure, on the grounds that you have made yourself part of the problem, a menace to others on the public network.

If you're wide open to becoming a siteful of zombies to be used in DDOS, it's like leaving a gun unsecured - on your front lawn.

Far from costing budget money, the fines levied will be a revenue source. And the fear of the fines and the shame of the criminal charge will spur pointy-haired bosses into Getting Serious about security in a way that some tiny tax break never will.

wish list (0, Offtopic)

LordXarph (38837) | more than 12 years ago | (#2660141)

Specifically, if you could ask Congress for help in the area of network and information security, what would you ask for?

BAN MICROSOFT.

-Lx?

PLEASE hands off. (2)

TheMCP (121589) | more than 12 years ago | (#2660144)

Given Congress's track record of passing laws relating to computing which, in about 100% of cases, clearly demonstrate the fact that the people who wrote the law have no concept of how the Internet works and are responding solely to what corporate lobbyists are telling them, I'd rather if Congress would keep their dirty mitts off of this issue.

Yes, it sucks to essentially have to barricade your computers from the rest of the world and not be able to trust any external entity to help you effectively, but I'd rather have that than more weird laws making more innocuous actions criminal offenses for no apparent reason.

Laissez faire... (1)

sterno (16320) | more than 12 years ago | (#2660163)

You know I thought on this for a little bit and I can't think of a single thing the government can do to help. The best thing they can really do is just not meddle with it.

Enforce the laws we have... (5, Insightful)

moonboy (2512) | more than 12 years ago | (#2660166)



  • No New Laws - The government has a habit of throwing more laws at a problem (yes, and money too). We don't necessarily need more laws, just proper enforcement of the existing ones. (Or maybe I should say, no laws just for the sake of creating them....no hollow laws to appease the general public and press...if new laws are made, they must be effective!)
  • Crypto - No more restrictions on crypto.
  • Tools and Methods - The government shouldn't ban tools and methods used to work in network security. These are very necessary to increase the level of security. Like another poster said, if you ban them (i.e., make their use, possession, etc. illegal) only the "bad guys" will have them.


Coinage Failed (2)

Effugas (2378) | more than 12 years ago | (#2660167)

Webcurity? Sounds like one dot-com too many. Among other problems, "curity" feels more like it belongs to *obscurity* than *security*. Besides the famous line separating the two, nobody wants an obscure website :-)

Security-related phrases in the English language are usually combinations of initial syllables. Information Security gets compressed down to InfoSec, "Defense Condition" to DefCon, and "Strategic Forecasting" to StratFor, for example.

WebSec...well, sounds like it'd be a phrase for the specific branch of Infosec dealing with external access to internal data through a tightly controlled interface. Certainly feasible, though you start hitting problems when protocols other than HTTP start getting used. (Is it a website if you don't get it over HTTP/HTTPS?)

Of course, with everything imaginable getting piped over HTTP(as opposed to SSH *grins*), maybe WebSec is appropriate...

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Mixed platform/Open file formats/ (0)

Anonymous Coward | more than 12 years ago | (#2660170)

The best and only way for the government to improve "web security" without further eroding civil rights is to mandate that all government and government-funded institutions:

1) Operate a roughly balanced mixture of platforms from different vendors. (For example, at least three different platforms per "role" [mail server would be a 'role'] and no more than 70% in any one platform.)
This reduces exposure to worms and virii and OS or application specific exploits.
This encourages companies to ensure that their products are interoperable and standards compliant.
It also rather neatly solves the Microsoft monopoly problem.

2) Only exchange data with the public and each other using open file formats.
I don't know if this is still true but, for example, the NIH required grant submissions be delivered in Microsoft Word format. This is absurd on its face.

3) Rethink the DMCA.

-J

Part the justice system can help with. (1)

WillRobinson (159226) | more than 12 years ago | (#2660173)

Current discussion on loganalysis@securityfocus.com is that almost all systems have security logging. But since most log systems can be spoofed, how can we give Due Diligence for Admission in Court with the information that we have? Maybe some guidelines from the legal system would be nice, rather than what happens on a case-by-case basis, depending on savvy lawyers to convince people.

Currently, most sysadmins can send a page from a log and get most people either booted off an ISP or a strong talking-to. But if you go to court, it's almost inadmissible evidence, since it is POSSIBLE that the log has been compromised.
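The admissibility worry above is that a plain text log can be edited after the fact with no trace. One standard countermeasure is a tamper-evident log: each record carries an HMAC computed over the record and the previous record's tag, so any edit, insertion or deletion breaks every tag that follows it. The example below is added here and is not code from the post or the mailing list it mentions; the log lines, the key name and the "collector" that holds the key are constructed assumptions.

```python
import hmac
import hashlib
from typing import List, Tuple

# Constructed sample syslog lines (not taken from the original post).
SAMPLE_LOG = [
    "Dec 10 02:14:07 gw sshd[812]: Failed password for root from 192.0.2.45 port 4021 ssh2",
    "Dec 10 02:14:09 gw sshd[812]: Failed password for root from 192.0.2.45 port 4022 ssh2",
    "Dec 10 02:14:12 gw sshd[815]: Accepted publickey for ops from 198.51.100.7 port 51022 ssh2",
    "Dec 10 02:15:01 gw kernel: IN=eth0 SRC=192.0.2.45 DST=203.0.113.10 PROTO=TCP DPT=23 SYN",
]

# Hypothetical key. It must live only on the log collector, never on the host
# whose logs it protects: an intruder who roots the host must not be able to re-tag.
COLLECTOR_KEY = b"example-key-do-not-use"
GENESIS = bytes(32)  # fixed "previous tag" for the first record

Chained = List[Tuple[str, str]]  # (log line, hex HMAC tag)


def _tag(key: bytes, prev_tag: bytes, line: str) -> bytes:
    """HMAC-SHA256 over previous tag || line, so each tag commits to the whole prefix."""
    return hmac.new(key, prev_tag + line.encode("utf-8"), hashlib.sha256).digest()


def chain_log(lines: List[str], key: bytes) -> Chained:
    """Tag every line; the chain is what the collector stores (or what the host forwards)."""
    prev, out = GENESIS, []
    for line in lines:
        t = _tag(key, prev, line)
        out.append((line, t.hex()))
        prev = t
    return out


def verify_chain(chained: Chained, key: bytes) -> Tuple[bool, int]:
    """Recompute the chain. Returns (ok, index_of_first_bad_record); index is -1 when clean."""
    prev = GENESIS
    for i, (line, hex_tag) in enumerate(chained):
        expected = _tag(key, prev, line)
        if not hmac.compare_digest(expected.hex(), hex_tag):
            return False, i
        prev = expected
    return True, -1


def verify_against_anchor(chained: Chained, key: bytes, anchor_hex: str) -> bool:
    """Chain check plus a comparison of the final tag with a copy stored off-host.

    The chain alone cannot detect truncation of the tail (dropping the newest records
    leaves a perfectly consistent shorter chain), so the latest tag must be anchored
    somewhere the host cannot reach: a collector, a printout, a notarised record.
    """
    ok, _ = verify_chain(chained, key)
    return ok and bool(chained) and hmac.compare_digest(chained[-1][1], anchor_hex)


# --- Simulated post-hoc modifications, used to show what the chain does and does not catch ---

def edit_record(chained: Chained, index: int, new_line: str) -> Chained:
    """Edit one line in place, leaving the stored tags untouched."""
    copy = list(chained)
    copy[index] = (new_line, copy[index][1])
    return copy


def delete_record(chained: Chained, index: int) -> Chained:
    """Remove one record from the middle of the chain."""
    copy = list(chained)
    del copy[index]
    return copy


if __name__ == "__main__":
    chained = chain_log(SAMPLE_LOG, COLLECTOR_KEY)
    anchor = chained[-1][1]
    print("clean chain      :", verify_chain(chained, COLLECTOR_KEY))
    edited = edit_record(chained, 1, SAMPLE_LOG[2])  # hide a failed login as a success
    print("edited record 1  :", verify_chain(edited, COLLECTOR_KEY))
    print("deleted record 1 :", verify_chain(delete_record(chained, 1), COLLECTOR_KEY))
    truncated = chained[:-1]
    print("truncated tail   :", verify_chain(truncated, COLLECTOR_KEY), "<- chain alone misses this")
    print("truncated+anchor :", verify_against_anchor(truncated, COLLECTOR_KEY, anchor))
```

Whether a court accepts such a chain is a legal question the post is asking about; technically it turns "the log might have been altered" into "any alteration after tag N is detectable, provided the key and the anchor were outside the attacker's reach".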

Get out of the way. (5, Insightful)

SecurityGuy (217807) | more than 12 years ago | (#2660179)

The *LAST* thing I want is a legislative "solution" to a problem the so called experts can't even agree on. Full disclosure or not, is scanning illegal, should it be, etc. Legislative solutions are far too often nothing more than new problems. Copyright violation is a problem. The DMCA is supposedly the solution. Terrorism is a problem. The solution, apparently, is to pass laws undercutting privacy and liberty in the states. Crime via computers is a problem, their solution was key escrow (thankfully not implemented), and now the FBI is writing computer viruses (Magic Lantern).


Thanks, but no thanks. I'd much rather stick to securing my boxes with the understanding that it's a hostile net out there than have my government tell me the One True Way to do so. Passing laws which only apply to less than 5% of the world's population will not make the net secure, and feel good legislation is something I can do without.

How about no more EULA ? (1)

fymidos (512362) | more than 12 years ago | (#2660182)

What kind of agreement is an End User agreement? Don't you need 2 sides to agree?

Why not force the companies to accept responsibility for their software? What if I lose important work because of bad software? Why shouldn't I be able to see the specs (not the features) of the software I buy?

I mean, OK, it does the job.. but how?

Go away (1)

Ledge (24267) | more than 12 years ago | (#2660184)

The best thing that the Government could do for security is to go away. Drop absurd encryption regulations. Stay away from legislating security. The legislation of morality doesn't work, why would you think that the legislation of security would?

What to ask of congress? (1)

bahamat (187909) | more than 12 years ago | (#2660188)

Basically I don't want government involved in security in the private sector. The private sector can handle security on its own.

However, my *legal* concerns are about being labeled a criminal while my basic liberties are taken away to protect a fat corp's stash of gold.

A modest proposal (0)

Anonymous Coward | more than 12 years ago | (#2660191)

Trial before military tribunals for people using scripts to scan networks to try and break into them. A few public hangings would reduce this a lot. Right now the majority of traffic coming into our subnet during nighttime hours is from people running scripts trying to break into our machines. Complaining to ISPs gets one nowhere. I've got gigs of logs I'd be happy to send to the tribunal.

Memo to idiots who believe the answer to security problems is for everyone with a computer connected to the internet to spend their days reading Bugtraq, reconfiguring their firewall and installing the latest patches to software: Some people actually have a life and are tired of having it ruined by morons.

This is easy... (0)

sdb6247 (532003) | more than 12 years ago | (#2660196)

Tell the senator to spend a week reading tech-related websites. It will become abundantly clear to him what is on our minds... Star Wars, flaming Jon Katz (which is OK by me), and the next episode of Buffy. Seriously, though, our representatives are truly not listening to what has become an increasingly larger population - the tech world. They keep wandering around asking their buddies at huge corporations how the little guy feels... they have no idea. If they are truly interested in the issues facing us day-to-day, the answer is for them to start reading the same sites we do. Period.

Easy - apply evolution (0)

Anonymous Coward | more than 12 years ago | (#2660198)

The way to increase security is to repeal laws against cracking systems without doing damage. Anyone who finds a hole in a "secure" system should be able to notify the owner without fear of prosecution. After a suitable period of time, notifying the public should be allowed, too, if the public could in any way be affected by the hole.

Something similar applies to airport security, which despite appearances is presently a joke. We should have tiger teams constantly trying to break security. We should reward those teams for success, and provide incentives to the security people as well. Instead we have FAA guys who now and then try to take an obvious gun or bomb through - same guy, same contraband, same place, every time. Quote from a screener: "Here comes Fred with the .45 again."

Some professional suggestions (0)

Anonymous Coward | more than 12 years ago | (#2660199)

- Strong, unescrowed cryptography with no export restrictions. This will allow crypto to be integrated into all systems as a background service, and can be used for security against most threats (external hackers, DoS, viral attacks, etc.)
- Structural and procedural remedies against Microsoft, including the right to engage in class-action lawsuits for their lack of due care in system security issues
- R&D tax incentives under the 'war on terror' initiative. Upgrading current systems using current technology does not solve various problems, it just shifts the points of failure. New approaches and technology are what are needed, and would create 'economic stimulus' as part of the bargain
- Lower insurance premiums for enhanced security is a non-starter. We've done extensive analysis for insurance companies that wanted to enter into 'hacker' and other sorts of insurance as part of their risk management business. You can't adequately model security risks--even a thorough and detailed vulnerability assessment and penetration testing process only provides an analysis as good as the process (and staff), and only takes a snap-shot of the security as of that moment. A day later a new exploit could be released, users could install new software, a key application could be patched/updated, etc. etc. Hacker insurance is a myth
- Keep the U.S. government out of the 'protection' business, and that also means ending protection of Big Brother for the incompetent firms. Too many security 'experts,' particularly on the Defense side of the industry, are repurposed staff that have no real competence. Much of the security 'industry' is a subscription-based extortion racket. Companies with real concerns, particularly companies that are 'mission critical' (essential to the economy) should develop internal competence in safety and security issues, including massive recruiting among the exact population that reads forums like /. No external contractor is quite so concerned about your security as you should be, so act like it matters

Those are some good places to start.

Michael Wilson
www.7pillars.com

how about... (1)

atyr (531369) | more than 12 years ago | (#2660209)

The most secure network gets some candy?
I don't know about you guys but I think that would motivate me to lock down my net.

mmm... gummy bears =D

On a more serious note, competition does stimulate a better product. Involving them in our affairs might not be something that's wanted but maybe they can help increase quality of services. Doesn't that sound like the ideal outcome to you? Kinda reminds me of open source in some aspect. We have more people working on one source and more problems are discovered and fixed. Perhaps involving them in some way might be our best bet as of yet, but how can we involve them without them overstepping their bounds =] Maybe it's not "should we involve" but how can we involve them constructively and wisely. In my opinion if we don't suggest any good ideas, we are damaging ourselves more than keeping everything nice and private. If we tell them what we want/need now perhaps it will make them feel important, and still benefit us as a whole. So putting "leave us alone" aside, what should we ask of them?

I could still go for some gummy bears though =\

Mail, Monitoring and Blocking (2)

ellem (147712) | more than 12 years ago | (#2660210)

Maybe they could clear some things up...

I'd like to have clear guidelines on mail. How long do I need to keep it? Can I just totally delete mail or do I need to maintain backups?

When can I monitor/read someone's email? It's mine (well, it's the company's) but if MGR A wants me to give her access to EMP K's mail is that legal? Can I monitor how many times my boss hits his stocks? When is it OK to put a keystroke logger on someone's machine (don't ask, we ended up using a modified virus)?

Is it OK to block Accounting from mail/internet? To put a brick wall on their doorway so they are trapped in their damn Accounting offices forever? (OK, that's probably not legal.)

PS -- I work for Lawyers' Travel... kinda ironic huh?

Get real (1)

DuneWolf (171296) | more than 12 years ago | (#2660212)

Congress should not legislate the behavior of employees, networks sysadmins, or companies as some have been suggesting. The primary areas where Congress should be concerned are:
1. Vulnerability of our commerce systems to domestic or international attack.
2. Creating an environment that encourages companies and consumers to protect themselves.
3. Ability to obtain properly authorized evidence in the event of a warrant to pursue suspected criminals.

Item one is the most critical, and what seems to be completely ignored by our current legislators. Any scheme of encryption cracking that is available to our government in the event of a warrant is also available to our enemies. Yes, the FBI may be able to read Bin Ladin's email if no encryption exists, but terrorists would also be able to have full access to our e-commerce infrastructure, private information, etc... and have the ability to cause significant damage, especially since e-commerce is becoming a more significant part of our economy every day.
2 implies educational programs, and sponsorship of groups that promote real security.
3 is important, but may not be realistic in the context of 1.

IPv6 (1)

yugami (102988) | more than 12 years ago | (#2660213)

The government of most countries should do a big push to move over to IPv6, THEN we can talk about security.