Kuro5hin.org: technology and culture, from the trenches

Electronic Paper Cuts

By Signal 11 in Internet
Wed Dec 13, 2000 at 10:15:38 AM EST
Tags: Politics

The media has been writing sensationalistic articles about so-called "cyberterrorism", "cyberwarfare" and using other buzzwords to describe a basic problem - how secure is the internet? Because of the sensationalism and poor research, many computer enthusiasts have all but dismissed the problem. Maybe we should look at it a second time.


A lot of us are worried about online privacy. Whether it's Big Brother, corporate interests, or your neighbor down the street, chances are you have something to hide from someone else. Quite frankly, the NSA, CIA, FBI, and most of the other three-lettered government agencies are suffering from a glut of information. You've used search engines before, we all have - and we know how hard it is to use them to find a specific piece of information. The government's problem is a little bit worse.

During the cold war East Germany had a massive spy network. The CIA and NSA were involved in monitoring communications in the area for us. There are thousands of tapes that, to this day, have not been reviewed. They were recorded, sent to an archive, and have never been listened to. Ever.

With the explosion of the internet, the problem has become even worse. Not only is there a glut of information, but hundreds of opportunities for steganography exist online, in addition to strong crypto being used by lay-people. I truly feel for the NSA, it has to be tough to live up to this country's expectations of it.

I don't believe the government is invading people's privacy on a mass-scale. They simply cannot - it's inefficient, expensive, and has little practical benefit. Quite frankly, you're just not important enough. While the capability to monitor you inexpensively exists, the manpower and information processing resources currently available means that the paranoia about the government is unjustified.

It's been necessary to state this to get to the heart of the matter, but first I had to dispel some FUD surrounding our government - Yes, they've made mistakes, but right now they need some help about a very important issue. The United States, as well as most European countries that are tied to us economically and whose economies are increasingly dependent on the internet, is facing a substantial danger online.

With ever-increasingly complex operating systems and software, security vulnerabilities are being reported (and exploited) at an unprecedented rate. As Bugtraq's moderator, Aleph1, would no doubt tell you, it's not an easy job keeping abreast of new changes - entire classes of vulnerabilities are discovered every year.

Many administrators are concerned about security, but are undereducated or too busy to deal with it. The result is that even when patches and updates are available they go unapplied on millions of computers connected to the 'net. Even for those administrators who take security seriously, invariably a mistake is made - an improperly applied patch, a typo in a configuration file, incorrect file permissions, in addition to a plethora of unpublished hacks which you simply don't hear about. The end result of this is an internet which is, to paraphrase Bruce Schneier, dying by death of a thousand paper cuts.

Many of our financial systems are based online, and as I've demonstrated above, these systems are constantly under a low-level attack, with new attacks being discovered daily on the front lines. Many times major disaster has been avoided by sheer luck or quick responses by system administrators watching over the networks late at night. While many of these attacks are harmless presently, they are growing in both numbers and severity.

The mainstream media has, and continues to, routinely release information which is inaccurate, misleading, and sometimes dangerous. While the latest e-mail virus (such as ILOVEYOU) and Amazon.com outages make front page, more serious issues like those reported on BugTraq daily are completely unnoticed. The American public is not aware of how fragile the networks we maintain are, and if they knew, chances are they would overreact and do something stupid anyway - like have the government get involved in all the wrong ways.

The conclusion of all of this is sobering: It's not a question of if, but when, there will be a determined, high level attack on our network infrastructure. Many white hat groups have expressed concern over the relative ease that routing protocols can be exploited - a few well placed packets would be all it would take to crash the internet, based largely on dynamic routing. Although the internet is distributed, a few critical superstructure points (the backbone) could fail, leading to a cascade failure which could kill connectivity around the world for days, maybe even weeks. Nightmares about backhoes aren't the only thing keeping network administrators up at night.

I propose that as a partial solution to this problem that we expand the defense budget to include the internet's infrastructure points, and allocate funding accordingly to ensure that the companies responsible for major portions of the internet (amazon.com does *not* count) making available to them government resources and personnel. This includes the NSA. I also propose that countries other than the United States implement similar practices, and that they work together to share resources and information with other countries. We are all interdependent on each other.

We need our core network infrastructure to be hardened against attack, but we must also balance this against private-sector interests. This is the catch - ISPs will be responsible for the security of their networks. If, through negligence, an attack originates from their network and causes substantial harm to the network, they can and should face both civil and criminal liability. You don't have to ask the government for help but if you do, your liability goes down.

I conclude that the government has neither the resources nor the inclination to spy on the average person, that we are facing the threat of attack both domestically and abroad which could lead to substantial economic damage in this country, that there are insufficient safeguards in place to protect against this, and that our government can and should be empowered with the ability to protect against this.

Electronic Paper Cuts | 22 comments (15 topical, 7 editorial, 0 hidden)
A big yes... (3.87 / 8) (#4)
by Miniluv on Wed Dec 13, 2000 at 12:59:11 AM EST

I'll admit, this is fear mongering. And it's about damn time, from everyone cited as well as this article. Online commerce is not a big deal people, your credit card number is small potatoes compared to some of the things currently being planned for. SecurityFocus has an article up about hospital records being stolen, recently they ran a piece about how the US Gov't is finally trying to address the electronic threat against our power grid.

One of the biggest causes of this is that so much is connected to the 'net these days. Some of this has brought us lightyears ahead of where we were, and some of this has brought us negligible benefit at cost of huge risk.

Somehow the principle of least access has somehow gotten lost in all this rush to connect to the net, share information, and generally try to be as transparently wired as possible. You see it in the fact that increasingly wired employees are requesting more and more in the way of outside access from their desks, in the ability to VPN in and do darn near everything they could from their desk. While some, even most, of this is necessary and greatly beneficial, there's something akin to the gold rush in trying to get connected with the biggest feasible bandwidth with the smallest possible inconvenience. The problem is that one of the first things thrown by the wayside is security, including procedural, software based, and hardware based.

I think soon we're going to see an incident of fairly colossal proportions, and it's not going to involve commerce at all. I'm not sure what "soon" means, it might be next week or it could be two years from now, but eventually somebody with the skills, desire and lack of scruples is going to do something staggering and suddenly we'll regret all of this "progress" we've made. While slowing might not entirely prevent it, nothing could, it certainly could attempt to mitigate the risk. We have a government crying out for people to contribute their skills and efforts to helping manage and mitigate this risk, but instead a community is sneering.

At the very least, this is your chance to get inside the system and see what you can fix people. Everyone loves to laugh at the Dept of Defense and how often they get penetrated, but nobody is apparently willing to belly up to the bar and prove they're worth their spurs to defend it.

"Its like someone opened my mouth and stuck a fistful of herbs in it." - Tamio Kageyama, Iron Chef 'Battle Eggplant'

The government can do it! Sweet idea! (2.36 / 11) (#7)
by Sheepdot on Wed Dec 13, 2000 at 01:27:53 AM EST

Summation of posts by Signal 11:

10 DEFINE PROBLEM
20 INPUT SOLUTION
30 IF (PROBLEM = PERSONAL RIGHTS) GOTO 70
40 IF (PROBLEM = ECONOMIC RIGHTS) GOTO 90
50 PRINT "PROBLEM NOT DEFINED RIGHT"
60 GOTO 10
70 PRINT "GOVERNMENT SHOULD PROBABLY DO SOMETHING!"
80 GOTO 100
90 PRINT "LET'S GET THE GOVERNMENT INVOLVED!"
100 END

Let's get the government to fix it! Or work really hard to convince enough people that it is okay for the government to fix it!

Sorry man, nothing personal, but I'm noticing a trend here and it isn't looking good.


I use C++. (2.71 / 7) (#11)
by Signal 11 on Wed Dec 13, 2000 at 02:27:00 AM EST


// TODO: compiler flaky, run through gcc and define sarcasm as false?
#include "string.h"
#include "iostream.h" // the usual suspects
#include "evil.h"
#include "good.h"
#include "fucktypes.h" // call in the required prototypes

int main()
{
    string problem;

    cin >> problem;
    cout << "problem specified was: " << problem << endl;

    format_problem(&problem);
    if(problem->type == "personal rights")
        fuck->type("government_req");
    else if(problem->type == "economic rights")
        fuck->type("government_dem");
    else
        cout << "Cannot find a way to fuck current problem." << endl << flush;
    fuck->type("self");

    return -1; // can't happen
}


--
Society needs therapy. It's having
trouble accepting itself.
[ Parent ]
Hooray! (1.50 / 2) (#18)
by perdida on Wed Dec 13, 2000 at 11:48:02 AM EST

Wooohooo!

More arguments in code please. :)

-perdida
The most adequate archive on the Internet.
I can't shit a hydrogen fuel cell car. -eeee
[ Parent ]
Who do you call when someone wants to hurt you? (2.20 / 5) (#8)
by maketo on Wed Dec 13, 2000 at 01:52:33 AM EST

911....

I don't mind the govt ability to listen in on conversations and monitor communications, as long as it is controlled properly. After all, I doubt that anyone wastes time with your Joe down the street unless Joe happens to be suspected of something. No one has the time to waste and resources to justify to listen in on what you and your wife talk about on the pillow. So...problem is - is the govt controlled properly? Probably not. There have always been misuses of this or that, power comes with responsibility and not everyone understands that. Is it really bothering your everyday existence? No. Unless the govt. finds a way to invent an AI machine to read/listen/analyze/reason on your conversations.

Now, to try to address the question of "how secure are we" - I think the problem is not technological in nature, it is social. Your average Joe consumer wants a computer to get on the Net. The company pays him off with a fat paycheque, wife demands him to run errands, children ask for homework solutions, he runs to local shack, buys a ready made - one button Internet ready computer and voila! - your sucker is online, exposed and wide open. Now, another category of danger exists - these are your power grid, your DOD machines, your CIA Signal_11 files. I believe that you have forgotten one big issue - whoever tries to attack these networks in an organized manner, whoever it is, will not be caught in the act, they will probably be caught before it. Why? Because any intelligence service works to prevent, not to cure. They are infiltrated in all possible elements, all possible organizations around the world. They have the resources and the man power to do that. If something of a size of attack on USA DOD machines or USA power-grid was planned, the boys in black would know about it. You might have read about Mitnick and about god knows who....the simple reason people didn't get caught was because they were not deemed a threat. Were they considered as such, they wouldn't have had the chance.

Now, don't take my word for it - I don't have a clue, but if you think about it, makes sense...
agents, bugs, nanites....see the connection?

Your faith is touching Mr Bond... (3.00 / 2) (#13)
by Miniluv on Wed Dec 13, 2000 at 05:21:01 AM EST

They are infiltrated in all possible elements, all possible organizations around the world. They have the resources and the man power to do that.
Wow, I'm sure the CIA, NSA, and FBI wish this were true. The truth of the matter is that the "big boys" aren't really the threat. The intelligence business is pretty tame, they don't kill agents (traitors they do however), and most of the time everybody gets home at the end of their tour of duty. Terrorism is the big deal these days, and it's getting worse not better.

Terrorist organisations are notoriously hard to infiltrate, especially the ones who've been Darwinized for the past 2 decades. It's the same continual battle of knowledge between the good guys and the bad, but the rules work against the good guys in a sense.

If the Gov't truly felt there was no threat to the power grid a major Gov't sponsored conference on security and disaster management in the power grid wouldn't have just ended recently. I know nuclear weapons are not capable of being launched online in any fashion, and that's part of what I'm after. It's a continual cost analysis type equation when weighing if a system SHOULD connect to the Internet, or even an intranet. Does the gain outweigh the worst reasonable risk? Does the worst case risk far outshadow the best possible gain? All these things have to be properly balanced on every level, from Joe the Grocer's personal website, to the DOD's encrypted, classified network.


"Its like someone opened my mouth and stuck a fistful of herbs in it." - Tamio Kageyama, Iron Chef 'Battle Eggplant'
[ Parent ]

the meatspace security problem: a modest proposal (3.54 / 11) (#9)
by TuxNugget on Wed Dec 13, 2000 at 02:19:48 AM EST

In meatspace, many people continue to use 18th century security on the portals to their abodes, despite the fact that almost every schoolchild can defeat this security. Even though there are harsh daily reminders that some citizens are homicidal maniacs who will kill you in your sleep and eat your young, people do not take the time to improve their meatspace security.

The poor security at portals is compounded by poor preparation and planning. Old fashioned intrusion detection systems, such as dogs, chain locks, and closed windows generally rely on making enough noise during compromise to wake up the inhabitants. However, these systems are all subject to being defeated when the occupants are away in the case of theft, or in advance in cases where rape or murder is the goal.

Counterattack systems, such as pistols and shotguns, are rarely loaded and often have not been fired for many years. In many cases the owner has received no training in their proper use. In any case, the value of counterattack as a deterrent to intrusion is diminishing in the wake of rising legal and political problems as well as rising firepower of the potential intruders.

Many homeowners could improve meatspace security by simply installing a removable titanium plate over all exposed portals when they retire for the evening. Another simple way to improve security would be to hire a security expert to probe for common weaknesses and conduct a mock attack to test preparations.

Few homeowners pursue these options, and complain for the government to do more in detecting and punishing intruders. Ironically, punishing intruders involves giving them more secure housing than the average citizen enjoys, along with free meals and recreation. Citizens do not seem to appreciate that the government can not be everywhere and the prisons are almost full.

Therefore, I have a modest proposal: let the criminals go free, and lock up victims and those at high risk in the prisons. This way, those who are most in need of high security facilities will have them at their disposal.

With the increasing ability to telecommute over the net, it is possible that the citizen of the future may never need to leave their home, and so an institutionalized life of total security may become quite fashionable. At the same time, police will then be free to turn neighborhoods into war zones at the slightest illegality, and make life for the criminals rather unbearable. There will be no need to arrest criminals, as they will die fighting each other for scraps of food.

Many will find this scenario unpalatable, but I suggest the first thing is to better inform the public and get them to accept this as being in their own best security interests. One way to do this may be to encourage the prison stripe look as a new fashion fad.

Physical and information security not analogous (4.50 / 2) (#19)
by sigwinch on Wed Dec 13, 2000 at 04:14:13 PM EST

Violation of physical security...

  1. Attracts attention that is likely to result in immediate capture.
  2. Occurs in the prosecuting jurisdiction, making arrest, prosecution, and punishment as easy as it gets.
  3. Can result in lawful summary execution in many jurisdictions, and has uniformly severe punishments if dealt with after the fact.
  4. Can be counteracted by anyone who can manage to dial 911.
  5. Guilt can be readily proven in most cases, if a suspect is found.
  6. The violation can be easily understood by a jury.

Who violates physical security? People who either have a poor understanding of the obvious risks, or those with nothing to lose. Natural selection and general economic prosperity limit the supply of such people.

Violation of computer security...

  1. Often attracts little attention, as it is difficult to distinguish from normal operation
  2. Usually occurs across several jurisdictions, making prosecution a severe logistical challenge.
  3. Punishment is unlikely, and not usually severe.
  4. Requires tremendous skill, applied proactively, to counteract.
  5. Guilt is very difficult to establish, unless the attacker is blatant and persistent (Mitnick would have gotten off lighter if he had sent the FBI an engraved invitation to his arraignment.)
  6. The jurors' brains will implode if they try to understand the violation.

Who violates information security? People with money, flexible ethics, and plenty of time on their hands. Evolution creates such people, and prosperity gives them the means to act.

--
I don't want the world, I just want your half.
[ Parent ]

Ok, I'll buy part of that (3.00 / 1) (#20)
by TuxNugget on Fri Dec 15, 2000 at 08:40:02 AM EST

Thanks for arguing with me. While I would concede that computer security is harder, I note that lack of physical security can have harsh consequences -- and people ignore it anyway. That was the primary thrust of the original comment (besides the silly suggestion of locking people up in prisons where it is safe).

Having given you some credit, I can now try to nitpick.

Your #3, Punishment is less severe for computer intrusion, is not necessarily true. Some people do receive harsh punishments for computer trespass, even if they didn't do much more than a portscan.

#5, Guilt very difficult to establish, is often the case, but I would caution against giving the impression that electronic criminals can only be detected by electronic means. Yes, it is hard to know which script kiddie named k00l hacked your system, but sometimes a reward or monitoring his buddies (via IRC) will ferret him out. On a similar note, I read somewhere that one of O'Reilly's authors ended up in jail somewhere for testing passwords at a firm that employed him as a consultant. In that particular case, establishing "guilt" was easy - the defendant said he did something that the VP of Good-looking hair said was wrong. Of course, the jury was probably pretty hardwired to accept the defendant's admission that he did it and the VP's opinion that it was wrong. The thought of really questioning the latter probably would not occur to most people.



[ Parent ]

'you're not important enough' (2.83 / 6) (#14)
by gregholmes on Wed Dec 13, 2000 at 06:16:35 AM EST

I just love that line. At once dismissive and insulting, and turning blame around from the snooper to the snoopee.

If I'm not important enough, why does government want to be able to monitor, decrypt, and store my communications? Preferably without me knowing about it, and without any public process to gain permission? As for resources, it gets cheaper all the time to store and analyze data.

Since I'm not important enough, I guess they'll give up all that rot about key escrow, and I'll never hear about it again.



What, Me Important? (none / 0) (#15)
by acestus on Wed Dec 13, 2000 at 07:10:52 AM EST

Signal 11 isn't suggesting that the government isn't interested in key escrow or the ability to monitor communication. He's saying that they aren't already tapping and recording your communication all the time. It would yield nothing. They just want to be able to, should the need arise.

Acestus
This is not an exit.
[ Parent ]
well, yeah ... (none / 0) (#16)
by gregholmes on Wed Dec 13, 2000 at 08:38:03 AM EST

I know that, that's the point. By saying they want it "just in case" we're all supposed to have a warm fuzzy feeling of security.

Picture this:

"We'd like to install a camera in your bedroom. Don't worry, we won't switch it on, it'll just be there in case we need it. Anyway, do you really think anyone wants to watch what you do? You're not that important (or good looking, or whatever)."

"Uh, OK. I guess that makes sense."



[ Parent ]
Accident Prevention (2.66 / 6) (#17)
by jabber on Wed Dec 13, 2000 at 09:33:31 AM EST

OMG! I voted +1 for Signal 11! You Bastards!

Wouldn't it be nice if the US Department of Transportation could make accident-proof highways? Complete with rubberized roads, and cushioned guardrails? And Aircraft Carrier-style arresting gear at all the exits? And guides to keep everyone in their lane? And maybe even provided an automated system to reliably guide everyone to their destination in a timely, expeditious, yet safe and courteous manner?

A safe and stable infrastructure would surely cut down on the number of crashes and highway fatalities - and it is important for this to be done on a high level, officially, since expecting individuals to take responsibility for their driving habits and the maintenance of their vehicles to assure safe working condition, is unreasonable and unenforceable.

[TINK5C] |"Is K5 my kapusta intellectual teddy bear?"| "Yes"

In a way, we do. (none / 0) (#22)
by Miniluv on Sat Dec 16, 2000 at 05:33:00 PM EST

The thing is, the article isn't asking for the Gov't to make this a handout. Instead there are certain critical infrastructures that the Gov't is attempting to recognize, and categorize, as critical. This categorization is being met with resistance, despite the undeniable truth of the matter. Without a power grid the USA is virtually helpless. That's true of any industrialized nation.

It's fair that the Gov't want these critical infrastructures protected, and it's especially fair that they not feel they have to do it themselves, but instead should be able to facilitate the entire industry in working as a whole to find the best possible solutions to the most credible threat models.

Your analogy of roads went in a different direction than the reality of the situation. Instead of expecting the DOT to build crash proof roads, we expect them to enact laws which clearly define the threat models, and ascertain the responsible parties in dealing with those threat models. A good example would be the brakes on your car. If you fail to depress them and cause an accident it's your fault, and the law will deal with you accordingly. If you depress them and they fail to activate, thus causing an accident the law will instead deal with the party responsible for ensuring the proper operation of said brakes.

"Its like someone opened my mouth and stuck a fistful of herbs in it." - Tamio Kageyama, Iron Chef 'Battle Eggplant'
[ Parent ]

The government doesn't need to spy on the average (3.00 / 2) (#21)
by Cynic77 on Fri Dec 15, 2000 at 06:57:37 PM EST

... person... they just need to have the resources and/or inclination to spy on you. Could they, without any trouble whatsoever, get into your "private" information online? Your emails, etcetera? They don't have the resources to spy on the average person, but they do have the resources to spy on you.


When my ship comes in, I'll probably be at the airport...