The US-Soviet Cyber Cold War 117
Roberto123 writes "A security expert with the NSA says a cyber cold war is being waged that has significant parallels to the Cold War between the US and Soviet Union. Dickie George says the way to fight the cyber cold war is by building security into technology, making it transparent to the end user, continually monitoring networks and updating their security software."
Screw transparency (Score:5, Insightful)
I don't want transparent security technology. I want security technology that I can see and touch and NEED to think about.
1.When its transparent it just gets abused and used against me for crap like DRM by people who haven't the right.
2.I want the confidence of knowing I have protection because I put it in place.
3.I want to be able to turn it off when need be to understand where a problem exists, the security layer or something else.
4.I don't trust my government to have my interests in mind much of the time, and as much as I distrust foreign governments and foreigners even more that dose not make me included to put the security of my information and communication in the hands of my own government which has proven its often inept and at times malicious.
5.Its my stuff nobody should be dictating to me how I protect it or don't as a matter of principle. Just as with my house its my right to leave the door unlocked if I want to and useless as that right might sound I am unprepared to give it up.
Re:Question (Score:5, Insightful)
Anyone else amused that the word "cyber" is still in use?
I'm more amused about the "Soviet" part.
Cyberwar is for the incompetent (Score:4, Insightful)
Cyberwar! It's like war, but for people too dumb to protect themselves.
Don't put critical systems or private data on anything attached to the public Internet. Regularly verify the physical integrity and isolation of all secure systems. For everything else, make regular backups to prevent wiping attacks. This is basic vigilance to protect vital assets.
What I'd like to suggest to every cheap-ass corporate exec that is counting on the government instead of internal IT staff to protect their networks, is to listen to how stupid that sounds.
Only stupid if execs are responsible (Score:4, Insightful)
What I'd like to suggest to every cheap-ass corporate exec that is counting on the government instead of internal IT staff to protect their networks, is to listen to how stupid that sounds.
It's only stupid if the execs in question are actually responsible, and held responsible, for failing to do proper due diligence. However, as corporate behaviour in the US has consistently shown for some time now, execs are routinely let off essentially scot-free, even in the case of obviously willful and malicious profit-seeking at the expense of the company and even market -- just have a look at Enron a few years ago, or Wall Street today.
Meanwhile, if execs can save a few bucks by essentially outsourcing network security to the Feds, and pocket the savings themselves in the form of bonuses or other compensation perquisites, then, in the ethical vacuum of US board rooms, they'd have to be mad to do otherwise.
Cheers,
Re:Question (Score:2, Insightful)
War is war just like cyber-bullying is bullying but the term cyber war does bring with it distinctions. When you say war, people think WWII, Vietnam, Iraq - something tangible. Cyber war is beyond the grasp of most people (especially those normally involved in war) and has different rules.
It's more like e-mail versus mail, or cyber-sex versus sex. You can prepare for or experience one, but that doesn't necessarily help with the other.
More pushing of Clarke's book (Score:2, Insightful)
Somehow, everyone is supposed to conveniently forget how the Clinton administration, with Richard Clarke as the national security advisor, handed the Chicoms the over-the-horizon missile targeting, placing them on par with the USA. And everyone is supposed to conveniently forget how the Bush administration, when Clarke was still in as national security advisor, allowed the highly classifed ball bearing factory in Ohio to be sold to the Chicoms. Sorry, Clarkey, but we won't but your trash.
Re:Screw transparency (Score:1, Insightful)
Points 1-5 are good points, for a /.-er who knows what they are doing. However, the big security issues are people who don't care enough to keep their fly zipped.
Point 1 is good because transparent security is security Joe Sixpack isn't leaving disabled.
Point 2 is also good. However, having some sane defaults can't hurt, as Joe is not going to lift a finger to secure anything.
Point 3 is also solid. However, Joe will be turning off his security at the behest of dodgy pr0n sites who tell him to in order to install malware.
Point 4 is obvious, however Joe is begging his congresscritters to protect him from the bad guys. Of course, on the other hand, he goes to the tea party rallies to bellyache against it.
Point 5 is also obvious, but Joe uses this "my stuff, my security" to have no security at all. To use a physical example, Joe doesn't care if the transients move into his house, rip off the door, clog up his toilet, rip out all electrical cords out of the walls to sell for copper, and start smoking crack in the living room. Then the bums start using the place as a starting point to break in (or just invade) other people's homes. Joe's lack of security has now just not affected him, but the whole area. It is exactly the same when all of Joe's computers are on botnets and spamming/DDoS-ing/probing all machines in the neighborhood.
Just remember, you are knowledgeable. However the average person on the street just wants the computer to show the nudie pictures without needing to worry about firewalls or tech stuff.
*sigh* Because of this, I fear that the future of the desktop will be a locked down walled garden just the iPad.
Someone who gets it. (Score:5, Insightful)
This guy gets it:
"The cyber security professionals that we are creating today have to make security invisible to the end user. "They have to make it inherent in the out-of-the-box product that you buy and the only way to do that is for us all to work together, industry, government and academia. We need to be partnering on this."
All this crap about "user awareness" is a dead end. It takes too much attention. The mess underneath needs to be fixed. It has to be automatic. (And don't claim that's impossible unless you've read up on SE Linux and NSA's work on secure systems._
The last high-level US Government professional to publicly point this out was Amit Yoran at Homeland Security. He named Microsoft as the problem. He was canned and replaced with a lobbyist.
Re:Which Soviet Union would that be ? (Score:0, Insightful)
Russian Federation is ruled by same (kind of) people, so confusing it with USSR may be lexically wrong but is pragmatically adequate.
Network security an oxymoron? (Score:5, Insightful)
Dickie George says the way to fight the cyber cold war is by building security into technology, making it transparent to the end user, continually monitoring networks and updating their security software.
From the earliest days of the ARPAnet that led to the Internet, people have pointed out that it's pointless to build security into the network layer(s). Putting it there is a single point of failure that can be defeated by a single bribe to the right person. And the end users won't know that the network-level security has been compromised. If your security is supplied by a vendor along your message's route, that vendor has access to your message's contents, to do with as they please.
For this reason, it has been long understood that the only real security is in end-to-end encryption. Security at any lower level is merely a waste of cpu cycles and bandwidth. It can't be trusted by the users, who must supply their own security. So the network layer should work on supplying fast, reliable packet transport. Security belongs a higher level, out of control of the companies that deliver the packets.
Note that the most-used widely-available security package, SSL, works solely at the sender and receiver ends of a connection, and relies on the network for nothing but packet transport. And it supplies a list of encryption schemes, so if you learn or suspect that someone along the route has managed to crack your encryption, you can quickly change the scheme without the cooperation of any vendor supplying the links.
It is slowly getting through to a lot of people that the commercial Internet vendors have become a common source of data leaks, for well-understood commercial reasons. So relying on them to supply network-level security is an especially stupid idea. They will simply decode your data, and sell the contents to interested parties without your knowledge. Your only defense against this is to use encryption that they can't decode.
Re:It's even more boring. -- and even more scary (Score:4, Insightful)
"Why don't the banks have a better means of verifying transactions?"
Why indeed.
There was a time when they did, and investment banks actually invested rather than allowing failed math and physics grad students self-restyled as "quants" and "wiz kids" gin up things like CDOs on Excel.
You'd think the gubmint would pay a little bit more attention to monitoring and regulating the practices that *have* *already* destroyed our country.
These Wall Street spreadsheet jockeys have already destroyed more wealth in this country than all the "cybercriminals" combined.
But going after Wall Street fraudsters just isn't a priority, because they have only destroyed middle-class people and shifted the blame to the poor.
By contrast "Cybercriminals" are actually a threat to the rich and the super-rich, and the government's job is to protect the wealth of the super-rich.