Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
United States Encryption Government Security

How America Will Improve Its Cybersecurity (politico.com) 119

Politico writes: President Joe Biden on Wednesday ordered a sweeping overhaul of the federal government's approach to cybersecurity, from the software that agencies buy to the security measures that they use to block hackers, as his administration continues grappling with vulnerabilities exposed by a massive digital espionage campaign carried out by the Russian government... Biden's order requires agencies to encrypt their data, update plans for securely using cloud hosting services and enabling multi-factor authentication...

It also creates a cyber incident review group, modeled on the National Transportation Safety Board that investigates aviation, railroad and vehicle crashes, to improve the government's response to cyberattacks. And it sets the stage for requiring federal contractors to report data breaches and meet new software security standards.

The directive, which sets deadlines for more than 50 different actions and reports, represents a wide-ranging attempt by the new Biden administration to close glaring cybersecurity gaps that it discovered upon taking office and prevent a repeat of Moscow's SolarWinds espionage operation, which breached nine federal agencies and roughly 100 companies... In addition to requiring agencies to deploy multi-factor authentication, the order requires them to install endpoint detection and response software, which generates warnings when it detects possible hacks. It also calls for agencies to redesign their networks using a philosophy known as zero-trust architecture, which assumes that hackers are inside a network and focuses on preventing them from jumping from one computer to another... Officials say current federal monitoring programs are outdated — they can only spot previously identified malware, and they can't protect increasingly pervasive cloud platforms...

Biden's executive order attempts to prevent another SolarWinds by requiring information technology service providers to meet new security requirements in order to do business with the federal government. These contractors will need to alert the government if they are hacked and share information about the intrusion.

The order "reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security," one senior administration official told reporters. The order notes "persistent and increasingly sophisticated malicious cyber campaigns" that "threaten the public sector, the private sector, and ultimately the American people's security and privacy," calling for "bold changes and significant investments."

But the order also argues that "In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is..." warning that "The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors." To that end, the order also requires guidelines for a "Software Bill of Materials" or "SBOM," a "formal record containing the details and supply chain relationships of various components used in building software... analogous to a list of ingredients on food packaging." [A]n SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability. A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration. The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.
ZDNet reports that "the Linux and open-source community are already well on their way to meeting the demands of this new security order," citing security projects in both its Core Infrastructure Initiative (CII) and from the Open Source Security Foundation (OpenSSF).
This discussion has been archived. No new comments can be posted.

How America Will Improve Its Cybersecurity

Comments Filter:
  • by Krishnoid ( 984597 ) on Saturday May 15, 2021 @06:21PM (#61388798) Journal
    I also like the way Bruce Schneier put it, very sound-bitey: "Security is not something you can buy; it is something you must get" [schneier.com].
    • Betteridge only works on binary questions. "How" is multiple-choice.

      • Only if it presents choices. Otherwise it is an open ended essay.
         

        • by shanen ( 462549 )

          But Betteridge's law is supposed to apply to headline questions, and that headline is worded as a statement.

          However, if you do reword it as a question, it becomes "How will America improve its cybersecurity?"

          In that form the answer is "No" because the assumption of the question is false. Ain't gonna happen.

          Now if you're looking for a joke, how about blaming Al Gore? Criminals are always following the money, but Al told them not to worry about the money when they were designing the Internet, and they didn't,

          • But Betteridge's law is supposed to apply to headline questions, and that headline is worded as a statement.

            However, if you do reword it as a question, it becomes "How will America improve its cybersecurity?"

            In that form the answer is "No" because the assumption of the question is false. Ain't gonna happen.

            Now if you're looking for a joke, how about blaming Al Gore? Criminals are always following the money, but Al told them not to worry about the money when they were designing the Internet, and they didn't, and now we have all these cybercriminals chasing after the money they didn't care enough to worry about. If they had considered the money in the first place, it's possible we wouldn't be in this mess. Or maybe not, but I'd still defy the situation to be worse.

            How can you blame AI hype for something this fundamental, network security, and not blame an environment were "routing and routing protocols.." were considered obsolete at one time since "we now have an application layer..."?

            • by shanen ( 462549 )

              Pretty hard to figure out what you are trying to say, but I'm guessing you mean Al Gore was hyping the Internet to Congress rather than hype about AI = Artificial Intelligence. But even with that guess, your question is not clear. Do you want to reword or explain it? Or should I try to lead back to the "Follow the money", don't ignore it side?

    • Sure, but some extension to samba that would easily allow for end-user file decryption with a security key would go a very long way to eliminating exfiltration threats and minimizing encryption ransomware. Network take-over is harder to address, as is management engine takeover of existing systems (at least to my imagination).

      • Something implemented via Samba's VFS module system [samba.org], maybe?
        • It will be interesting to see when someone takes it up. The technical side is minimal beyond client support of course. A few applications that store a bunch of temporary files on a samba share (or need to access dozens of linked files) might be a bit more work to address.

      • Better yet, just use Samba on TrueNAS Core. Unmutable shanpshots that have to be destroyed by the UNIX user for the ZFS filesystem. Allowing end users who are domain admins to disable all volume shadow copies on your file server just puts the sign on you. The sign that says your an incopetent IT administrator.
    • Spend the night with me and you just stay happy! I am waiting for you here ==>> http://gg.gg/oobp4 [gg.gg]
  • by Anonymous Coward
    Based on this AC observations of course.
  • by jacks smirking reven ( 909048 ) on Saturday May 15, 2021 @06:52PM (#61388864)

    I'm a Windows guy to be sure but when it comes to government I feel those systems should be built on open source software as much as possible and if something doesn't exist put some funding towards developing it. Hell develop a "federal distro" of BSD or Linux for government workstations. The damn NSA helped develop SELinux. I think the history has proven itself clear that the open source solutions that are the backbone of much of our internet infrastructure have borne out to be far more secure than the industry solutions. Seems like for every Heartbleed there are 10 large flaws in closed source software. Never mind the cost savings and that saved money could easily fund long term development of these important systems.

    I'm probably pipe-dreaming here and at the least this would be a decades long process but I think for government operations it's the moral and practical thing to do but I am positive the smarter people here can come up with some problems with this. I think it's an ideal worth pursuing.

    • It'd certainly be more secure & cost-effective to switch to Linux. However, I suspect most Windows users, who don't even know that that's the operating system they're using or even what an operating system is, would probably freak out & get totally tied up in knots & not be able to get any work done if you did something as small as change the colour of their home button. It'd be a long, slow, painful transition. Do you think Microsoft would be upset if the govt. started using Linux with a Window
      • Oh I agree. I suppose you would do a top down approach, do the servers and critical functions first and then work down to workstations last.

        Frankly I don't think MS could stop that and I've always thought it would be a good idea for a Linux distro to just copy the Windows 7 GUI and systems as closely as possible as a transition OS for us gullible Windows users.

        For the government I think so long as things are standardized people will catch on, it's their job after all. Don't some departments still work on

      • And here's the problem advocates will face. Kind of what nuclear energy faced. Everyone talking a good game about how their solution is the best. But once the problems started advocates didn't look quite so shiny and new. Much doubt was sown, and people went with alternatives. In the case of nuclear it was renewables. In the case of Linux it will be OpenBSD. ;-)

      • Do you think Microsoft would be upset if the govt. started using Linux with a Windows-clone desktop?

        If it was better and cheaper overall, organizations would switch to it.

      • by ebvwfbw ( 864834 )

        I remember when they went from WIndows 95 to XP, then XP to win 7. Some people made a real big deal out of it. OMG, I don't know what to do now. Some win users are so dumb that they have to have an icon to do their work. Even if that icon is simply running putty, using port 24 and connecting to server X. Really. Change the server and you'd have to have someone go to the idiot's machine and change the icon. You can't talk them through it on the phone.

        I think some people milk it for all it's worth so they don

    • by larwe ( 858929 )

      when it comes to government I feel those systems should be built on open source software as much as possible

      But this has been tried, numerous times. I mean, over probably the last two decades there has been a constant drumbeat of various jurisdictions across the world proudly announcing their liberation from Microsoft. They always fail, partly because of interop issues with parts of the government that haven't been migrated yet, but mostly because of the four trillion legacy apps that would need conversion. https://www.nextgov.com/cio-briefing/2016/05/10-oldest-it-systems-federal-government/128599/ [nextgov.com] is old but sti

      • by chill ( 34294 )

        According to that GAO list, taking the naively optimistic view that the projects slated for upgrade 5 years ago actually completed, it would be cheaper, less bug-prone, and more effective - to close down the IRS.

        • by larwe ( 858929 )
          Heh. Naively optimistic indeed. As you can see from the other article I linked, even the 8" floppy disk migration that was supposed to conclude at the end of 2017 didn't complete until October 2019 - so yeah, 5-year timelines were assuredly not met. In fact I'm pretty sure I read an article about those old IRS systems this year.

          Projects like JEDI that pull all the legacy stuff into the cloud have ... some hope. I won't say I have any optimism, but I think this approach has a better chance of success than

          • by chill ( 34294 ) on Sunday May 16, 2021 @09:37AM (#61390236) Journal

            Normally I'd say "if it ain't broke, don't fix it". Over my years I've become a much bigger fan of stability and resiliancy over new features. However, 50 year-old assembly code on an IBM mainframe fits the definition of "please describe programming in Hell".

            I took an assembly language programming class in community college back in 1987 and it was on an IBM 4381. The teacher's day job was at Martin Marietta and I remember his comments clearly. "First thing when hired as an assembly programmer is remove ALL THE COMMENTS. Nobody will understand how anything works and you now have a job for life."

            • by larwe ( 858929 )

              I took an assembly language programming class in community college back in 1987 and it was on an IBM 4381. The teacher's day job was at Martin Marietta and I remember his comments clearly. "First thing when hired as an assembly programmer is remove ALL THE COMMENTS. Nobody will understand how anything works and you now have a job for life."

              My first salaried job in 1994 was at a little software company whose principal product was a DOS (later Windows) disk encryption and file protection utility. It consisted of a custom bootsector (asm), a DOS .SYS driver (asm), a DOS .COM TSR (asm) and a setup/install/uninstall utility (MS C 6.0). Later, there was a VxD (protected-mode 386 asm, a lot of reverse-engineering of undocumented protected-mode INT 21h APIs in Windows for Workgroups 3.11 and Win95 on my part went into that). All the DOS code was ridd

    • I am also an open source advocate, like you, but I think itâ(TM)s fair to say that neither open source, nor would just publicly releasing or maintaining the source code would solve the issue being presented.

      I think the main issue that windows machines are almost always the target is because, in enterprise environments, they are ubiquitous. I have worked for years in some of the largest companies in the US, and Linux and MacOS devices, while they exist, are probably about less a percent of all the machi

      • You don't use windows 95 to replace a system that could run as a PLC. PLC's do not get windows viruses. Many places have move to software based PLC controllers because you can use windows and your mouse. They get what they paid for....
  • by Futurepower(R) ( 558542 ) on Saturday May 15, 2021 @07:02PM (#61388888) Homepage
    I'm impressed with the Biden administration.

    Quote from the Slashdot story:

    ... the order also requires guidelines for a "Software Bill of Materials" or "SBOM," a "formal record containing the details and supply chain relationships of various components used in building software... analogous to a list of ingredients on food packaging."
    • by thogard ( 43403 )

      So what is on my software bill of materials for my OS? On my old Solaris 9 servers a base install had the SUNWbnuu and SUNWtnetd package which provided things like uucp and telnetd which weren't even needed 20 years ago. Modern system have way too much in their "core" and that needs to be trimmed down a bunch. The BSD team removed Bash, Perl and Python from the base package and that didn't cause too much pain but the base still has a full development system on it which isn't need on production servers. M

      • by larwe ( 858929 )

        So what is on my software bill of materials for my OS?

        This isn't just about the OS and it's DEFINITELY not just about the very light and simple situation of an easily-updatable, easily-inspectable piece of software sitting on the hard disk of a general-purpose computer.

        The purpose of the SBOM is to provide a list of versioned code packages that you have included in your software, so that when a vuln is announced, your customer can immediately know which systems are affected. But this doesn't simply mean "Linux packages" or "Microsoft updates". It also refers t

  • by tanstaaf1 ( 770797 ) on Saturday May 15, 2021 @07:02PM (#61388890)
    To stop hackers you need to stop using software that they have access to, can practice on, and can compile to. And that means you need to get rid of the stupidity like JVM and CLR, also - just don't allow it on your machine by never allowing it to be ported in the first place. Microsoft and MacOS and even generic Linux need to go, the system calls/APIs and general vulerabiltities are public knowledge. Next, commodity hardware shouldn't be used, either. Other than that, almost no system used for serious purposes should have "easy" remote access/connectivity. Purism has the right idea here -- keep all the stuff like USB, Bluetooth, and camera/microphone HARDWARE DISABLED. Or pull it out entirely. Even a hyperintelligent AI would have a hard time getting past missing hardware. Look, I had a run-in with a ransomware attack about three years ago. It isn't that hard to make a system 100x harder to crack; it is mostly just a matter of making bad practices sufficiently painful. More than anything else, LOSE the internet and LOSE Microsoft. Monocultures are not a good idea.
  • by Proudrooster ( 580120 ) on Saturday May 15, 2021 @07:03PM (#61388892) Homepage

    Security is an illusion, mostly propped up by vendors selling security products.

    You don't buy security, you earn it by making it a priority.
    Most companies are amazed when a server stops working because the filesystems filled up.
    I am amazed that companies can have gigabytes of data uploaded yet no one notices anything.

    We could start by unplugging China and Russia from the Internet to give us some time.

    What I see changing is that insurance companies are sick of paying out of cybersecurity issues and dropping policies on renewal.
    Unfortunately, I think that insurance companies are the only thing I can see driving real change since real change requires hiring competent people to be on guard.

    • The fact is most of those points are very subjective, given to discussions around small. private tables and ignoring the fact that US cyber security is mush better than everyone else's. And that that gap will only grow.
    • by Salgak1 ( 20136 )

      . . .and telling everyone, ***even in the C-suite***, that, no, they do not need admin/root and software install rights on their boxes. And so what if the CEO likes Macs, if it's the only one in a Windows network (I worked in a place with exactly that situation. The CEO had a dedicated tech, as he was also something of a walking PEBKAC error. . . .)

      For that matter. pushing out desktops and servers that don't have things like Telnet and FTP installed. After all, they already go without Solitaire and Mine

  • by zenlessyank ( 748553 ) on Saturday May 15, 2021 @07:04PM (#61388896)

    Stop the greed. You guys already pay these IT guys a hell of a salary so let them do their job. Bitching about paying for up to date software when you pay you execs multi million dollar wages then cheap out on IT needs is fucking ridiculous.

    This is my tax money going to waste.

    When is our population going to demand these assholes to be fired?

    • Still not a panacea. Updated package of developer gets compromised and you have a real-time attack vector. Also, the obscene number of “appliances” requiring trust of third and fourth parties to an agreement.

      • Calm your fears. Paranoia about what happened from a university with Linux updates doesn't mean you can go off the deep end about everything to do with IT.

        They make medication for those who are overly paranoid. Try some!

        • The university case is far from the first example— how many times has node.js been compromised? There are three or four other widespread packages that have had similar issues. Not to mention thet whole issue of mobile apps that get sold and the new owner turns them into malware.

          The appliances are really what makes me paranoid though.

    • by MobyDisk ( 75490 )

      While I also decry the stupidity of some IT departments (there's a lot of people in there who can read and quote the latest issue of some IT magazine, but don't know TCP from HTTP), one cannot simply blame the IT department for all security problems. And security isn't just about using the latest version all the time.

      Individual departments tend to select software, and they often pick products without regard to security. Maybe the billing department selects something that meets all the needs of a good bill

    • by kackle ( 910159 )

      When is our population going to demand these assholes to be fired?

      When the population itself, on average, becomes smart enough; in other words, never.

    • by ebvwfbw ( 864834 )

      Let them do their jobs and listen to the security people. I was a very well paid security guy for decades. Time and time again they refused to do what was recommended industry wide. "It'll break something." Even for something like Windows NTLM that was a joke in 2013. I know of an agency that still runs that. Refuses to get rid of it. Probably won't until at least 2024. "Too hard to get off of our legacy 2008 servers."

      What happens if something happens? Oh yea, that's what you recommended. Even if it's again

  • Windows is not, has never been, and will never be securable. Using it in any mission-critical application is egregious incompetence.

    • by zenlessyank ( 748553 ) on Saturday May 15, 2021 @07:34PM (#61388962)

      Wrong. It is the user not the software. Just because morons don't know how to secure Windows doesn't mean its insecure.

      Troll somewhere else.

      • Wrong. It is the user not the software. Just because morons don't know how to secure Windows doesn't mean its insecure.

        "Oh, it's behind the firewall, so I can just accept the AD defaults."

        And that makes my job so much easier

      • Wrong. It is the user not the software. Just because morons don't know how to secure Windows doesn't mean its insecure.

        You do realize that it is literally impossible for the user to secure Windows ... right?

        Even if the user has Administrator level access, They do not have System access and it would be absurd for them to even try. They also do not have the source code, so they can't attack the security issues through that avenue.

        Maybe you could enlighten everyone as to how you expect a user to secure anything? Training users not to do dumb things is a part of Security and it is the only thing a typical user can do. How would

        • My Windows is pretty secure, so maybe you need some help or do some more research. I've been a user since Windows 3.1 and only ever had 1 nasty infection and that was my own fault for playing with some nasty programs back in the Windows 98 days.

          No ransomware, no one breaking in and taking over my machine, nor anything else that folks have issues with.

          BTW.. It is impossible to secure a house too, but you do the best you can.

          • My Windows is pretty secure

            It is adorable that you have that impression.

            No ransomware, no one breaking in and taking over my machine, nor anything else that folks have issues with.

            Well, at least we know *why* you think that your Windows installation is secure.

            My various jobs throughout the years have all included various aspects of "trying to secure Windows". I should probably ought to retire and let a genius like you take over my responsibilities. After all, you have not really had any issues, so why would anyone else?

            Let's examine the "monthly patches" for a second. Some of those patches are to fix things that are already being exploited

            • Security is just as much reliant upon the users actions as it is the OS vulnerabilities.

              No OS in the world is going to be secure if the user is an idiot.

              But since you are trolling, I will just say go ahead and write your book. I doubt it will sell well, if at all :)

              • Security is just as much reliant upon the users actions as it is the OS vulnerabilities.
                No OS in the world is going to be secure if the user is an idiot.

                While there is a lot of discussion to be had, I will generally go along with this statement. On its surface, it is a reasonable statement.

                But since you are trolling, I will just say go ahead and write your book. I doubt it will sell well, if at all :)

                You have an unpleasantly eventful life facing you if any information that contradicts your world view is considered trolling. You can not learn anything if your mind is closed.

                There are already plenty of books out there detailing how Microsoft couldn't secure their way out of a wet paper bag. I doubt that my writing prowess is as vaunted as theirs, so I won't actually try

  • We cannot improve cyber security as long as the government holds back hacks and 0-day exploits to try to use against other countries. It has nothing to with open vs closed source. Our government is leaving us exposed for their gain.
    • by jonwil ( 467024 )

      +1 to this, law enforcement at every level from local police departments through to federal agencies as well as intelligence agencies are all hoarding and using vulnerabilities rather than sharing them.

      Even school districts are buying cellphone exploit tools from manufacturers like Cellebrite.

  • By getting that crapware known as Microsoft Windows off the Intertubes!
  • Sadly, it won't (Score:5, Insightful)

    by jhylkema ( 545853 ) on Saturday May 15, 2021 @08:43PM (#61389084)

    It falls to me to point out the elephant in the living room here on /.:

    Geeks don't run the world. MBAs do. MBAs think, "Your cyber see-cure-it-tee thing or my bonus..."

    • MBAs think, "Your cyber see-cure-it-tee thing or my bonus..."

      See Cureitee: "Hey, you give me choices..."

      MBA: "But, but, you took the wrong choice! And my poor bonus..."

      See Cureitee:"Shoulda thought of that before you started handing out options. In other words, this is your fault. Now if you'll excuse me, I've got to go draft my report for the PHB. He'll want to know why you configured our security to be dependent on bonuses."

      Perhaps that's how we get rid of MBAs.

  • by jmcbain ( 1233044 ) on Saturday May 15, 2021 @09:02PM (#61389128)
    Here's the simplest way to improve cybersecurity: Treat every cyber attack as if it were an act of war. Hackers broke into a federal system? Treat it no differently than Pearl Harbor or 9/11. Send out the military. That's the best deterrent.
    • Re: (Score:3, Interesting)

      by smap77 ( 1022907 )

      Not that attribution can ever be 100% without admission by the actor, but would you guess that 50% of cyber attacks are from private hackers with loose connections to the government who benefits from the attack? Where exactly do you send the military *to*?

      Welcome to the world of armchair observation of asymmetric warfare.

    • Here's the simplest way to improve cybersecurity: Treat every cyber attack as if it were an act of war. Hackers broke into a federal system? Treat it no differently than Pearl Harbor or 9/11. Send out the military. That's the best deterrent.

      Actually, yeah.

      We tend to have a weird attitude about cyber security. It's not really a door's fault that an axe can get through it. That's why we have laws and police.

    • by larwe ( 858929 )

      Here's the simplest way to improve cybersecurity: Treat every cyber attack as if it were an act of war.

      I was discussing this with some acquaintances right after Darknet said "Aaaand it's gone".

      You could make a case that says "Russia harboring infrastructure vandals is the same as .af harboring terrorists. This was a WTC attack grade incident, we will respond similarly". Critical difference in this case is that the countries whence these criminals are believed to operate (primarily ru, cn, kp) are not resource-poor countries with which we barely have a relationship and which have no way of getting kinetic w

  • by quintessencesluglord ( 652360 ) on Saturday May 15, 2021 @09:09PM (#61389140)

    After you've had a few government databased hacked, putting thousands at risk (and offering them little more than a few years of credit monitoring); after a pipeline gets hacked, NOW it's security is an issue.

    Know where their priorities are.

  • Protection schemes work!
  • I didn't notice (Score:1, Offtopic)

    by argStyopa ( 232550 )
    ...anything about leaving your laptop loaded with crack-smoking pictures at a random vendor.
  • I'm wondering how much more meaningful that is than adding the line "-never crash" to the launch options of a game in my Steam library. Presumably our cyber security forces have never waited for a President to tell them to stay on top of things. On the other hand, if they could issue directives, they might have a few. "Don't date spies, don't use unsecured devices, maintain your passwords, don't lose your laptops, and listen to us like we really are trying to protect you".
  • Businesses and government don't want to spend money on cybersec.

    The ONLY way to fix rhis problem is to COMPEL the PHB's to spend money on cybersec via personal consequences (fines/fired) if they don't.

    While cybersec spend is discretionary it will continue to be massively underfunded.

    If they don't HAVE to spend, they won't. Simple.

  • Ancient History... (Score:5, Interesting)

    by john.r.strohm ( 586791 ) on Saturday May 15, 2021 @10:19PM (#61389252)

    There are some ideas that have been around for some 50 years.

    In "Hints on Programming Language Design", published in 1974, Tony Hoare said "Finally, it is absurd to make elaborate security checks on debugging runs, when no trust is put in the results, and then remove them in production runs, when an erroneous result could be expensive or disastrous. What would we think of a sailing enthusiast who wears his life-jacket when training on dry land but takes it off as soon as he goes to sea?" He was referring to subscript checking.

    I did some work on a FORTRAN program in 1982, that had a habit of crashing if one or another internal table overflowed. The compiler documentation said the compiler could do subscript checking. The documentation lied. I wound up having to put explicit subscript checks on every table, and add run-time error messages that told the user "Table blah overflowed. Increase such-and-such named constant and recompile." It was all I could do, and it took me literally 160 hours of staring at FORTRAN code to understand it well enough to be able to do that much. That code had ISSUES.

    The early capability machines were designed around, among other things, a very basic concept: EVERY array reference was checked by hardware. It was not possible to disable this feature. That makes "buffer overflow" vulnerabilities 100% impossible.

    Later in the 1970s, Charles Hoch wrote a short paper, showing how the memory mapping hardware on higher-end PDP-11 minicomputers could be perverted to do basically the same thing.

    A paper on an early PASCAL compiler mentioned that, if the programmer was reasonably conscientious about specifying the bounds for arrays and variables, the compiler could usually prove at compile-time that an array subscript expression could not go out of range, and hence eliminate the run-time range check. I don't have a URL for this one. I saw it in a book that collected several otherwise-unavailable early papers, including two of Urs Ammann's papers on the original PASCAL compilers written at ETH Zurich for the CDC 6400. For this to work, of course, it has to be possible in the language to specify those bounds, and "modern" languages (C, C++, Java, and the like) don't provide that capability.

    Yet, when the Ada programming language came out, for which the first draft required subscript checking to be enabled by default, the very first thing that the "professional" programmers in the United States demanded was the ability to disable it, because of "performance" concerns.

    As long as it is fashionable to let programmers do anything they want, and rely on them not to make a mess of it (as the late Edsger W. Dijkstra was fond of saying), we are going to have problems. As long as we pretend that C and C++ are good languages, and Windows is a good operating system, we will continue to get what we deserve, and we will generally, as Jerry Pournelle used to say, get it good and hard.

    References:

    http://flint.cs.yale.edu/cs428... [yale.edu] fo
    https://homes.cs.washington.ed... [washington.edu]
    https://dl.acm.org/doi/10.1145... [acm.org]

    • The lack of Memory Safety is indeed the most important cause of cybernetic exploits. About 70% of the CVE database entries are related to buffer overflows, use after free, double frees and so on. Even experienced software engineers will have some bugs in their programs and the language should do its best to limit the damage from that.

      It is time to stop using C and C++ for systems programming, which will eliminate said 70% of CVE issues. Even operating systems can largely be built using memory safe progr
  • Lesson # 1 (Score:5, Insightful)

    by nehumanuscrede ( 624750 ) on Saturday May 15, 2021 @10:31PM (#61389278)

    I know it's cheaper and convenient and all but. . . .

    FFS QUIT CONNECTING IMPORTANT SHIT TO THE INTERNET

    Critical Infrastructure ?
    Department of Defense Networks ?
    Electirical Grids ?
    Nuclear Facilities ?
    Water Treatment Facilities ?
    Hospitals ?

    Any of this ring a bell ?

    Anything and everything that can be accessed by your IT department remotely ( via the internet ), unless you spend a great deal of money and ONGOING effort otherwise, can be accessed by someone else whose intentions may not be as upstanding as yours. ( HUGE emphasis on the word ONGOING here. You can't just fund a fix, get it in place then fire all your IT staff and expect your network to stay secure for very long. )

    I'll say it again: KEEP CRITICAL SHIT OFF THE DAMN INTERNET

    Do that and you solve 90% of your cyber-security problem. Private circuits. Ever heard of those ? Intercepting traffic across them isn't impossible, but quite a bit more work than your average idiot on the internet is willing to put in to get access. See 10% problem below.

    The other 10% is dealing with external actors *bribing your employees, dumb-ass executives who bring their own wireless AP to work, or the other morons who " found " a USB drive and decided to plug it in to see what's on it.

    *This becomes a very likely reality when you decide to go with the lowest cost staff you can find. ( Read that: Offshoring )
    If you can find a tech overseas who is maintaining a target network making $100 / month and throw $10k at them, I promise you your network is no longer your network very soon after.

    I understand your company wants to cut costs, but you should never consider Network Security as something you can skimp on or cut corners. Lay off one of your overpaid Executives and use their pay to keep your Network safe if you have to or your future will be filled with quite a bit of regret.

    • In DoD, our classified networks ride on the internet. They're essentially just highly encrypted VPNs. You can't logically address them from the internet, but you still get networking. It's a step, but all it takes it someone to load a USB drive or optical disc they shouldn't. Think Stuxnet. On the other hand, I don't know how you efficiently manage remote systems without some sort of network. Maybe smaller islands of isolated networks to limit the damage.
    • I know it's cheaper and convenient and all but. . . .

      FFS QUIT CONNECTING IMPORTANT SHIT TO THE INTERNET

      I agree with you. And how about the need to connect to these systems remotely? Maybe old concepts like SSH, FTP, Packet filtering,... needed to become more a layer 2 thing security and all? And maybe leave layer 3/4 more for session management?

      • by kackle ( 910159 )

        And how about the need to connect to these systems remotely?

        Radio. Leased phone lines. Dedicated cabling. Such local networking would require local hacking for intrusion.

        Using the Internet only makes such connections "easier".

  • It is not possible to write secure software. Or to rephrase, it is not possible to give a guarantee. Any update can introduce new vulnerabilities, and vulnerabilities get discovered in widely used code that have been there for decades.

    When will they learn that the only way to even start ensuring a system is secure is to air gap it. No Internet. If the system needs to be networked between physical locations, you need to exclusively own and control the network medium. System designers need to start with

    • by ebvwfbw ( 864834 )

      Don't need to airgap everything. Even then, it's a false sense of security as stuxnet shows us. Should and could limit people to work machines only. Only do work on the work machine. Block work machines without a need to go to the internet from being able to get to the internet. No facebook, instagram, etc. Train them to not open things unless they know about it. Just basic things.

      Also, if you discover an idiot working for you - fire them. I know of a case where the windows manager was an idiot. During a pe

    • Just because the Windows and Linux kernels are hopless affairs, does not mean secure computers are impossible.
      If you are interested, read my other post on this page and have a look at this:

      https://fgw.ddnss.de/L4gegenue... [ddnss.de] (please excuse the outdated cert, will fix this in the coming days)

      https://de.wikipedia.org/wiki/... [wikipedia.org]

      http://sappeur.ddnss.de/ [ddnss.de]

      http://sappeur.ddnss.de/SAPPEU... [ddnss.de]

      There have also been projects by Microsoft Research on memory safe kernels and there were(are?) the ALGOL Mainfame
  • Security is never a priority because it is a "cost". Jail senior execs of any company that is breached (as in the breach, in and of itself, is sufficient evidence for conviction) for several years. That would make it impossible for them to sweep it under the rug

  • No executive, no matter how public the failure and how critical the infrastructure is, will care about security until they're liable for it. Execs have a whole staff that deflects problems; they never see the fallout of their decisions to not invest in security. I think one of the best ways to externalize this is to turn IT/development into a branch of engineering and use PE licensing as a way to shift blame back to executives while shielding them to a degree they'd find acceptable. Proposals like "corporat

    • Some really cunning people have convinced millions of applied computer scientists that kernels must be written in C. A single exploit will pwn the entire machine. Despite the fact that we had much better ALGOL-based mainframes with bounds checking, typed/tagged memory and so on.

      We first need a serious talk about this problem before we talk about professional standards. When/If this will be fixed, we can talk about mandating a CS degree for any security critical work. No more shoddy data structure parser
  • You know the USA has the NSA, CIA and FBI that plant back doors and hack orther coutries and businsses. If you don't your a special knid of American.... The pot calling kettle black....
    • But it now seems the most vulnerable nation is America herself. So, who benefits most from these halfbaked Unix and Windows Systems ???
  • Today, if a private company has a security breach, it is very unlikely there will be any significant penalty, to the company or its executives.

    Worst case, a class action lawsuit will impose a trivial penalty, including a year of identity monitoring. Not really a deterrent.

    I think there should be simple, statutory liability for data leaks - $100 per individual's data leaked. No need to prove injury, no rake off for class action lawyers - just a federally-imposed fine.

    Something similar, involving firings al

  • Every do this for security list is the same tired list of process whoring and paranoia in depth.

    Meanwhile despite the proliferation of standards global system complexity is ever expanding in the name of convenience. Nobody wanting to run anything themselves and everyone wants centralized control over absolutely everything no matter how potentially apocalyptic.

    • by ebvwfbw ( 864834 )

      LOL. Zero Trust, so you trust AD? Throughout my career if a pen test team gets anything, they get that first. Then they own everything with the possible exception of Linux and Solaris hosts unless they too drink the AD Kool Aid. How long did it take for an outside pen team to own AD where I last worked at? A whopping 37 minutes. Start to finish. Total ownership of the Domain controllers. This was from an office in Virginia on the internet (nothing special, no vpn, etc) to an agency in Maryland.

      I'll have to

  • I believe the U.S. government isn't serious about security otherwise it would've migrated all federal agencies to Linux or even a custom developer operating system. I can relate to that, since doing so would almost certainly ruin a trillion dollar company named Microsoft.

    But eventually the Biden Administration will have to make up its mind what's more important: the security of all our IT-infrastructure or the profits of a single company (and its related economic value to the United States).
    • seL4

      Strong Typing

      Sandboxing

      Memory Safe Languages

      Strict Input Parsing/Scanning

      Formally specified data structures

      Complete requirements documents

      Complete Unit Testing

      Fuzz Testing

      K.I.S.S.
  • The time to take the offensive on cyberwarfare is long past. When are we going to hire some hackers to do damage to countries which practice cyberwarfare on us? Biden would probably give China a pass since they have enriched his family considerably.
  • Expect a lot of opposition from companies also to that SBOM since it reaches into almost ALL software.
  • Comment removed based on user account deletion

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...