Big Money for Cyber Security

By imrdkl in Technology
Wed Nov 13, 2002 at 02:58:20 PM EST
Tags: News (all tags)
News

This week, House Bill 3394, the Cyber Security Research and Development Act, passed in the Senate and is now headed for the White House, where the President is expected to sign it without delay. The bill allocates almost a billion dollars for scholarships, grants and research on the topic of Cyber Security.

While much of the existing knowledge and many of the working implementations in this area have been developed over the years as part of existing Free Software projects, the government has found that there simply is not enough funding, or talent, behind those efforts. It is quite concerned about vulnerabilities in the critical infrastructure of the US, including telecommunications, transportation, water supply, and banking, as well as the electric power, natural gas, and petroleum production industries, all of which rely significantly upon computers and computer networks for their operation.

The bill itself may be studied at the Library of Congress, using their search engine, or directly. This article will present an overview of the exciting and profitable opportunities which will soon be available to researchers with an interest in Cyber Security.


Some of the other important findings of the bill include:
  • The US is not prepared for coordinated cyber attacks which may result from war
  • Federal investment in computer and network security research must be increased to decrease vulnerability, expand and improve the "pool" of knowledge, and better coordinate sharing and collaboration
  • African-Americans, Hispanics, and Native Americans comprise less than 7 percent of the information science workforce, and this number should be increased

I consider the second finding particularly interesting. Given the history of security research, when the bill finds that better sharing and collaboration is necessary, one might conclude that the government intends to accomplish the task by supporting the continued and expanded efforts of Open Source software. While there are certainly closed implementations for security, it's just "commonsensical" to put the money behind the open and freely-available efforts which are already shared and collaborated upon.

In general, the National Science Foundation (NSF), which will direct the foundation that distributes the funds, is to award monies for research and study on the following topics during the next five years:

  • authentication, cryptography, and other secure data communications technology
  • computer forensics and intrusion detection
  • reliability of computer and network applications, middleware, operating systems, control systems, and communications infrastructure
  • privacy and confidentiality
  • network security architecture, including tools for security administration and analysis
  • emerging threats
  • vulnerability assessments and techniques for quantifying risk
  • remote access and wireless security
  • enhancement of law enforcement ability to detect, investigate, and prosecute cyber-crimes, including those that involve piracy of intellectual property

Now, that's certainly a broad list. It introduces significant possibilities for improving and enhancing existing implementations, as well as for finding new and improved techniques. The applications will be evaluated on a "merit" basis, and may be undertaken by universities and other non-profit institutions, as well as by partnerships between one or more of these institutions and for-profit entities and/or government institutions.

Criteria for acceptance of any proposal submitted will be based upon:

  • the ability of the applicant to generate innovative approaches
  • the experience of the applicant in conducting research
  • the capacity of the applicant to attract and provide adequate support
  • the extent to which the applicant will partner with government laboratories, for-profit entities, other institutions of higher education, or nonprofit research institutions, and the role the partners will play in the research undertaken by the Center.

It seems a fair question to ask why the amount of "partnership" is important. If the end result of the research is to be "shared and collaborated", then perhaps the amount of partnership is not so critical as the first three criteria. In any case, there's soon to be a lot of new money for study and work related to computer security. The application process itself, while not yet established, has provisions for each of the distinct topics mentioned previously, both for graduate study and training and for undergraduate internships and programs.

Have you an interest in Cyber Security? What programs or software could be improved, and how would such a large capital infusion for research affect these projects? What are the political ramifications of the government getting involved with the projects, either directly or indirectly? And what about the shortage of minorities in the profession? What can be done to encourage young people in general, and African-Americans, Hispanics, and Native-Americans in particular to study and learn about Cyber Security?

Other Coverage: UPI, InfoWorld and GovExec

Poll
Most Important Topic?
o authentication, crypto 18%
o forensics and intrusion-detection 1%
o reliability 17%
o privacy and confidentiality 36%
o network security 15%
o emerging threats (worms, virusen, DoS, etc) 5%
o remote/wireless security 5%
o Enhancing Law Enforcement abilities 0%

Votes: 58
Big Money for Cyber Security | 65 comments (54 topical, 11 editorial, 0 hidden)
Privacy, worms (4.80 / 10) (#2)
by FlipFlop on Wed Nov 13, 2002 at 08:46:17 AM EST

While all of the poll-options are important, I think the two most important are:
  1. emerging threats (worms, virusen, DoS, etc)
  2. privacy and confidentiality

Both of these issues are under constant attack. If we don't develop systems with privacy in mind, it will simply disappear.

For worms, the single most effective thing we can do is write software using type-safe languages. Over half of all security holes are caused by buffer-overflow bugs. If all of our software had been written in a type-safe language, half of all security holes would never have occurred.

I know some people will claim that good programmers don't leave buffer-overflow bugs in their software. Those people are wrong. Murphy's law comes into play here. If something can go wrong, it will. Sooner or later, someone will make a mistake and we will have a security hole. For goodness' sake, the OpenSSL library on FreeBSD was audited for security holes and it still had a buffer-overflow bug. If a piece of network software, designed for security and audited by experts, had the single most common security hole, what hope do we have that any of our software is secure?

AdTI - The think tank that didn't

Emerging? (4.00 / 3) (#5)
by SEWilco on Wed Nov 13, 2002 at 08:59:57 AM EST

Those don't seem to be "emerging" threats. Those are common and established threats. ("Thanks, Bill!")

[ Parent ]
My guess (3.00 / 3) (#24)
by imrdkl on Wed Nov 13, 2002 at 03:39:44 PM EST

Is that the underlying reference in the bill might be to mutations on the virii, and refinements in the techniques which are used. You'll recall the DoS attack against the root DNS servers a few weeks back, for example. From what I read, if it had been sustained, it could have caused significant problems.

While it's well known among this community that this is nothing new, it's also important to let the people who implement this law know that the gut reaction, which might be to close port 80 at the border and let the "enemy" packets fall on the floor is not necessarily always the best reaction.

Perhaps the age of the internet itself makes all of these sorts of things "emerging" threats.

[ Parent ]

Most of your comment is decent (2.33 / 3) (#26)
by pooflinger0x00 on Wed Nov 13, 2002 at 03:55:23 PM EST

But then you had to use the non-word "virii". You get a "1" for that.

[ Parent ]
Thats ok (1.66 / 3) (#36)
by imrdkl on Wed Nov 13, 2002 at 05:25:05 PM EST

I'll give you hugii, if you feel the need.

[ Parent ]
Type safety (4.66 / 6) (#10)
by steveftoth on Wed Nov 13, 2002 at 10:50:58 AM EST

"That word you keep using, I do not think it means what you think it means."

Type safe languages are ones where the compiler can check the type of a variable during compilation.

However, buffer overflows are caused by not checking the bounds of an array before accessing it. The most dangerous kinds are when you declare an array on the stack and then fill it with data direct from the network, all the while looking for an eof character and not checking to see if you are exceeding the bounds of that array.

Some runtime environments allow for automatic checks to be placed on arrays, like the JVM or products like stackguard, so that if the stack is broken by bad input and sloppy programming, then it is not the 'end of the world'.


[ Parent ]

Type Safety (4.33 / 3) (#13)
by Bad Harmony on Wed Nov 13, 2002 at 11:46:24 AM EST

How do you do a bounds check on an array reference in a function when the only type information available to the function is that it was passed a "pointer to foo"?

5440' or Fight!
[ Parent ]

You only need... (4.33 / 3) (#15)
by steveftoth on Wed Nov 13, 2002 at 12:15:29 PM EST

the size of the block of memory that the pointer points to. The type of the contents is not necessary.

I agree that type safety is a good thing. I'm just saying that it's not what causes buffer overflows. Type safety has other benefits, like being able to catch errors before they are executed, and easing interfaces between developers.

[ Parent ]

also.. (3.50 / 2) (#16)
by steveftoth on Wed Nov 13, 2002 at 12:18:34 PM EST

you should be passing around pointers to foo by themselves, usually there is a contract involved.  Like you are passing one and only one foo pointer.  OR you are passing a pointer to an array of ten foo.

pointers to void can be evil, but sometimes they are necessary in C.

[ Parent ]
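The bounds check this thread argues about, written out as an added C example (not code from any poster): the reader receives the destination buffer and its capacity as separate arguments, which is the only extra information the check needs, and stops at the delimiter or at the last free byte, whichever comes first. The sample message and the record format are constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Outcome of filling a caller-supplied buffer from a byte stream. */
enum read_status {
    READ_OK,        /* delimiter found, dst holds a NUL-terminated copy */
    READ_NO_DELIM,  /* source ended before a delimiter was seen         */
    READ_TOO_LONG   /* record exceeds dst capacity; copy was cut short  */
};

/*
 * Copy bytes from src (src_len bytes) into dst until `delim` is seen.
 * dst_cap is the size of the block dst points to; the element type is
 * irrelevant to the check. At most dst_cap-1 bytes are written, then a
 * terminating NUL, so no input can write past the end of dst.
 * *consumed receives the number of src bytes examined (delimiter included).
 */
enum read_status read_until(const unsigned char *src, size_t src_len,
                            unsigned char delim,
                            char *dst, size_t dst_cap, size_t *consumed)
{
    size_t n = 0;
    if (dst_cap == 0) {          /* nowhere to put even the NUL */
        *consumed = 0;
        return READ_TOO_LONG;
    }
    for (size_t i = 0; i < src_len; i++) {
        if (src[i] == delim) {
            dst[n] = '\0';
            *consumed = i + 1;
            return READ_OK;
        }
        if (n + 1 >= dst_cap) {  /* last slot is reserved for the NUL */
            dst[n] = '\0';
            *consumed = i;
            return READ_TOO_LONG;
        }
        dst[n++] = (char)src[i];
    }
    dst[n] = '\0';
    *consumed = src_len;
    return READ_NO_DELIM;
}

/* Constructed sample "network" message: three newline-delimited records,
 * the middle one longer than the 16-byte stack buffer used below. */
static const unsigned char SAMPLE[] =
    "user=alice\nuser=this-name-is-far-too-long-for-the-buffer\nuser=bob\n";

/*
 * Walk SAMPLE record by record into a small stack buffer. Returns how many
 * records fit, or -1 if the guard bytes placed right after the buffer were
 * touched (which is exactly what an unchecked copy loop would do).
 */
int count_records_that_fit(void)
{
    struct { char buf[16]; unsigned char guard[4]; } frame;
    memset(frame.guard, 0xAA, sizeof frame.guard);

    const size_t len = sizeof SAMPLE - 1;    /* exclude literal's NUL */
    size_t pos = 0, fit = 0;
    while (pos < len) {
        size_t used;
        enum read_status st = read_until(SAMPLE + pos, len - pos, '\n',
                                         frame.buf, sizeof frame.buf, &used);
        if (st == READ_OK) {
            fit++;
        } else if (st == READ_TOO_LONG) {
            /* Discard the remainder of the oversized record up to its
             * delimiter instead of letting it spill into the next one. */
            const unsigned char *nl =
                memchr(SAMPLE + pos + used, '\n', len - pos - used);
            used = nl ? (size_t)(nl - (SAMPLE + pos)) + 1 : len - pos;
        }
        pos += used;
    }
    for (size_t i = 0; i < sizeof frame.guard; i++)
        if (frame.guard[i] != 0xAA)
            return -1;
    return (int)fit;
}
```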

H-1B and Cyber security (3.36 / 19) (#7)
by nomoreh1b on Wed Nov 13, 2002 at 09:59:14 AM EST

Somehow, a country importing hundreds of thousands of foreign engineers, many of whom are either Islamic, have relatives in countries with substantial Muslim populations or have relatives in countries that are subject to direct nuclear blackmail by Muslim countries, just doesn't strike me as a practice that is going to enhance national security.



~10% of the population is African American (5.00 / 3) (#20)
by Xeriar on Wed Nov 13, 2002 at 02:19:34 PM EST

Only 7% of security professionals are black, hispanic, etc.

The idea is that if a population of people is not equally in job x, then there is something wrong. Not that I necessarily agree to this (especially computer security - some are more interested in it than others, and cultural differences will be magnified here).

----
When I'm feeling blue, I start breathing again.
[ Parent ]

10%? source? (2.66 / 3) (#33)
by turmeric on Wed Nov 13, 2002 at 04:41:23 PM EST

i think you are a little low there big guy, how about 12% (12% hispanic too) http://www.census.gov/prod/2001pubs/c2kbr01-1.pdf

[ Parent ]
I think that's combined (4.00 / 4) (#40)
by hardburn on Wed Nov 13, 2002 at 06:09:12 PM EST

I think they're talking about all three groups combined.


----
while($story = K5::Story->new()) { $story->vote(-1) if($story->section() == $POLITICS); }


[ Parent ]
u racist idiot (1.40 / 10) (#32)
by turmeric on Wed Nov 13, 2002 at 04:35:55 PM EST

get a freaking clue, dumbass

[ Parent ]
If turmeric is telling you to get a clue... (3.80 / 5) (#35)
by SocratesGhost on Wed Nov 13, 2002 at 05:04:29 PM EST

then you know you're in trouble.

just kidding, t. sort of.

-Soc
I drank what?


[ Parent ]
gosh socrates (1.14 / 7) (#44)
by turmeric on Wed Nov 13, 2002 at 09:11:07 PM EST

dont you have some intercrural sex to perform on your unwilling ancient greek subjects, you sick allen ginsberg wannabe?

[ Parent ]
maybe (2.25 / 4) (#45)
by SocratesGhost on Wed Nov 13, 2002 at 10:07:01 PM EST

But seeing as how you're so fixated on it, is there a closet that you want to escape?

Besides, it's SocratesGhost. I've never said I was Socrates, but I do consider myself a much poorer shade of him. Who's your hero, a kitchen spice?

-Soc
I drank what?


[ Parent ]
yes as we all know (1.00 / 1) (#51)
by turmeric on Thu Nov 14, 2002 at 12:01:22 PM EST

saying that pedophilia is wrong is equivalent to being a pedophile. good logic.

how about this logic: worshipping an ancient greek pedophile and naming yourself after him and never speaking out against pedophilia and continually blabbering about free speech instead of trying to solve the very real problem of international pedophile rings, is equivalent to supporting pedophilia.

kitchen spices never raped anyone, nor did they spawn egomaniacal dictators like alexander the great, nor fascist social theorists like plato

[ Parent ]

ok (none / 0) (#63)
by SocratesGhost on Fri Nov 15, 2002 at 02:42:38 PM EST

pedophilia is wrong and should be stopped.

I do sincerely hope that makes a difference.

Look, on a discussion site, views on speech are important. Saying that something is evil or bad is a distant second. The rules pertaining to speech dictate what issues are talked about and how that discussion may proceed. In a way, views on free speech are more relevant and important on K5 than any single other topic that could be addressed on this site. After all, it is specifically those viewpoints that lead to articles and comments being voted up or down.

It's not the pederastic aspects that are important to me, but the theories that Socrates left behind: that people are essentially good and learn evil; that knowledge can be gained from discussion. I can see how this would horrify you who would prefer to verbally abuse people into quiescence.

It's sad that you have so difficult a time separating things. There's times when I honestly pity you, because I cannot ever imagine someone like you as happy.

-Soc
I drank what?


[ Parent ]
Poll (4.50 / 6) (#11)
by evilpenguin on Wed Nov 13, 2002 at 11:14:28 AM EST

Without all of them (except perhaps the last), the others are worthless.
--
# nohup cat /dev/dsp > /dev/hda & killall -9 getty
What a waste of the final option (4.00 / 2) (#21)
by imrdkl on Wed Nov 13, 2002 at 02:59:17 PM EST

Should have been "All of the above", clearly. However, I'm not sure that would be an absolute winner, given the early preference for the privacy option.

[ Parent ]
Operating System Architecture (3.57 / 7) (#14)
by Bad Harmony on Wed Nov 13, 2002 at 11:59:16 AM EST

UNIX was pretty hot stuff for the 1970s. Today, its security model isn't so attractive. How many people are willing to give that up for something less fragile? How many people are willing to stop writing privileged software in unsafe languages?

5440' or Fight!

What is a 'safe language'? NT (4.00 / 1) (#23)
by steveftoth on Wed Nov 13, 2002 at 03:17:44 PM EST



[ Parent ]
Ada? NT (4.00 / 1) (#25)
by Cro Magnon on Wed Nov 13, 2002 at 03:51:46 PM EST


Information wants to be beer.
[ Parent ]
Why? - NT (4.00 / 1) (#28)
by steveftoth on Wed Nov 13, 2002 at 04:21:14 PM EST



[ Parent ]
For one thing (4.00 / 1) (#29)
by Cro Magnon on Wed Nov 13, 2002 at 04:28:48 PM EST

it has very strong type-checking. It was designed to be error-resistant. In sharp contrast to certain anything-goes style languages. I won't mention names, but its initial is C.
Information wants to be beer.
[ Parent ]
Safe Languages (3.00 / 2) (#38)
by Bad Harmony on Wed Nov 13, 2002 at 05:55:30 PM EST

Ada95, C#, Dylan, Java, ML, Modula-3, Scheme, Smalltalk.

5440' or Fight!
[ Parent ]

Java is not safe. (3.00 / 1) (#42)
by steveftoth on Wed Nov 13, 2002 at 08:45:42 PM EST

Java is not safe, well, it's safer than C. But you still need the runtime to make it safe.

GCJ can run without array indexing checks, thus having any buffer overflow go out of bounds. Normally people use a JRE that has index checking, but it is not part of the language.

Java does include the fact that all arrays are declared to be a certain size, and this helps, but it's possible to overrun yourself.

[ Parent ]

Unix and "safe" languages (3.75 / 4) (#39)
by hardburn on Wed Nov 13, 2002 at 06:06:22 PM EST

Unix was never "hot" so far as its security goes. It has pretty much always been wide open. It was only "hot stuff" for its other contributions to system design (like putting small tools together to make the whole work).

Also, "safe" languages don't protect you from bad programmers. They only stop good programmers from doing clever things. There is nothing inherently wrong with C, but it demands that you *gasp* actually know what you're doing.


----
while($story = K5::Story->new()) { $story->vote(-1) if($story->section() == $POLITICS); }


[ Parent ]
UNIX Security Model (4.33 / 3) (#46)
by Bad Harmony on Wed Nov 13, 2002 at 10:36:25 PM EST

I remember that it looked pretty advanced compared to the kludgey and ad-hoc nature of the security measures of many other operating systems of the day. It had an understandable and well-documented security model. Passwords were encrypted and in a regular file, not in plaintext in a "hidden" file. The command line interpreters were normal programs, not an integral part of the operating system, with tendrils reaching everywhere. Users could write and install privileged programs with the setuid mechanism. The UNIX system was transparent. You could understand the operating system, even if you didn't have a source code license. No, it wasn't Multics, but neither was anything else.

5440' or Fight!
[ Parent ]

Bad Programmers? (3.00 / 1) (#48)
by bodrius on Thu Nov 14, 2002 at 12:18:13 AM EST

I would think clever programmers are actually a bigger problem.

Specifically, I would think a "safe language" requires a security policy that allows untrusted code, that may be very well coded by a very clever programmer that knows what he's doing, to run in a very restricted environment, because YOU don't know what he's doing. Particularly if he's that clever.

Then your problem would be to run all these clever programs in the "safe environment" that goes with the "safe language".

Then again, I may be wrong.
Freedom is the freedom to say 2+2=4, everything else follows...
[ Parent ]

Er (none / 0) (#47)
by carbon on Wed Nov 13, 2002 at 11:14:20 PM EST

What exactly is bad about UNIX's security model? I don't really see any serious problems with it, that is, post the recent additions to various Unices regarding partial chroot privileging (i.e. giving a chrooted process internal root access, but only giving it some root privileges, excluding things like chroot (so that it can't unchroot itself)).


Wasn't Dr. Claus the bad guy on Inspector Gadget? - dirvish
[ Parent ]
One word: Superuser. (none / 0) (#65)
by vectro on Mon Dec 02, 2002 at 11:10:41 PM EST

UNIX operating systems generally lack the fine-grained privilege control that other operating systems provide. For example, on NT you can set a user to have privileges to set the time without giving them privileges to repartition the hard drive. This is impossible on classical UNIX without writing a setuid-root intermediate program.

Some modern UNIX operating systems, such as recent Linux kernels, do offer more fine-grained control. Using again my clock example above, it would be possible to grant a Linux process the privilege to set the time and nothing else. But such interfaces are most certainly extensions to classical UNIX, which are unsupported by most vendors and have inconsistent APIs amongst those who do.

“The problem with that definition is just that it's bullshit.” -- localroger
[ Parent ]

safe is not safe (none / 0) (#52)
by Dogun on Thu Nov 14, 2002 at 01:44:02 PM EST

for example, an exception, thrown because the lateral acceleration measured by the sensors was outside of the amount required by some other component of its software, killed a particular satellite launch, and, if I'm not mistaken (I'm not)... the code was written in Ada. Moreover, if the same component had been written in C, or an exception had not been thrown, the launch would have succeeded, despite the confused software. The rocket was Ariane-5, in July of '96, European Space Agency. The rocket was unmanned, and the faulty code was not even needed until after takeoff. The fault here was not Ada's fault, it was bad design. Bad design is what you should be blaming, not bad languages. Therac-25 failed due to lack of consideration of race conditions. Mars Lander had a bad landing because some numskull was using feet while everyone else was using meters. Notice a trend? The failures of software are not overrun array bounds. They are language insensitive. Good software design is the real culprit, not pointers, malloc, free and delete, or even array index bounding. If you want to promote safe languages, promote them on their other strengths - possibly, shorter development time, 'ease of use'. Buffer overflows, however, can be greatly reduced by switching to languages with array index bounding. Although I don't recommend it for most circumstances, it is one way to avoid the problem. It still doesn't change the fact that it's an escape, not a solution.

[ Parent ]
Ariane-5 (5.00 / 1) (#55)
by Bad Harmony on Thu Nov 14, 2002 at 05:55:09 PM EST

The software was written in Ada. The basic problem was that they took software that worked in the Ariane-4 and used it in the Ariane-5 without testing and requalifying the software. There were enough differences in the Ariane-5 flight profile to exceed limits that were set to match the Ariane-4 flight profile. This generated a common mode failure that made the redundant flight computers useless. Sort of like reusing the engine control software from a Pinto in a Mustang.

Fault-tolerant systems must detect faults, and not just ignore them. How to handle exceptions is part of the engineering process. An engineer should decide if an exception can be safely ignored or if it should trigger a shutdown or recovery process.

It is misleading to compare safety-critical systems to general use software. Due to more extensive testing and scrutiny during design, the types of faults encountered during operation are going to be different in safety-critical systems. You are going to see more requirements and design errors, as opposed to coding and implementation errors.

5440' or Fight!
[ Parent ]

Theft and racism (2.12 / 8) (#27)
by duncan bayne on Wed Nov 13, 2002 at 04:11:47 PM EST

* African-Americans, Hispanics, and Native Americans comprise less than 7 percent of the information science workforce, and this number should be increased.

What a wonderful idea. Let's steal money from people through compulsory taxation, and give it to others. Even better, let's ensure that the race of the recipient is a factor in the decision to give him that money!

Seriously, I don't know which idea I find more repulsive.



been doin it for white people (3.25 / 4) (#31)
by turmeric on Wed Nov 13, 2002 at 04:35:09 PM EST

for a long ass time. what do you think all those reagan defense contracts were for?

[ Parent ]
and may i add, mr kiwi (4.00 / 2) (#34)
by turmeric on Wed Nov 13, 2002 at 04:44:50 PM EST

whose exact land are you sitting on right now, anyways? may i ask which race introduced mandatory taxation on the fertile fields of your domicile's surrounding countryside?

[ Parent ]
No excuse (4.00 / 3) (#37)
by duncan bayne on Wed Nov 13, 2002 at 05:47:07 PM EST

Yes, many European immigrants acted in an immoral fashion towards the Maori inhabitants, taking land from them by force and / or fraud. Yes, the Maori killed and ate their predecessors. Neither fact excuses contemporary racism by any group.

The problem is that people in New Zealand (and overseas) seem to apply a shocking double-standard when judging racism. For example, government agencies here offer scholarships to those of particular races (generally Maori) with public money, and restrict voting on a certain number of seats in Parliament to those of Maori descent. Yet typically, to complain against this is considered racism.



[ Parent ]
contemporary society (2.50 / 2) (#43)
by turmeric on Wed Nov 13, 2002 at 09:09:37 PM EST

hmmmm let me think. i wonder what representation i will find if i look up the kiwi parliament. And you know what, i saw "once were warriors" so don't give me that "were all equal now" bullshit, you cocky white nub.

http://www.state.gov/g/drl/rls/hrrpt/2000/eap/756.htm

" Police abuse declined slightly from 1999; however, there were instances of police abuse. During the year, 4.2 percent fewer complainants alleged misconduct by officers than during 1998-99. There were 11 cases of police misconduct that involved deaths, down from 21 in 1997-98. In one such case, police in May fatally shot a Maori youth, leading public officials, including the Prime Minister, to urge better police-Maori relations. The officer, also of Maori descent, was found by an internal police investigation to have acted in self-defense and was exonerated, which resulted in protest from the Maori community in the Taranaki region.

Maori inmates constitute more than half the prison population, even though Maori are only 15 percent of the general population (see Section 5). The Government sought to reduce the problem of Maori recidivism through Maori focus units, which integrate Maori values into the rehabilitation program. "

wow sounds like a real workers' paradise you've got there, guvnah, all races in harmony, no vestiges left, and all the unfairness from your ancestors being rich bastards slaughtering natives is eradicated and everyone is equal. how lovely for you and your white friends.

btw bringing up cannibalism, pretty goddamn racist of you, if we go back to 1700s england i wonder what lovely social habits we will find, burning women to death in public for entertainment because they were "witches", perhaps? slaughtering irish, stealing their land, stomping them into the ground? gosh those noble whites, at least they didn't eat their own people. they just flayed them alive and pulled their guts out in public and then ripped them limb from limb with 4 horses.

[ Parent ]

Settle, Grettel (none / 0) (#57)
by duncan bayne on Thu Nov 14, 2002 at 10:42:48 PM EST

And you know what, i saw "once were warriors" so don't give me that "were all equal now" bullshit, you cocky white nub.

So did I, the difference is that I don't think more racism will fix the problem. Do you?

btw bringing up cannibalism, pretty goddamn racist of you

Really? They practiced it, you know. Just as middle ages Europeans burned witches, as you say. My point was that all races and cultures, throughout history, have had their low points. The current trend however is to call anyone highlighting the historical shortcomings of certain groups racist, but to ignore or even applaud others.



[ Parent ]
i just love it when the federal government (3.75 / 4) (#30)
by turmeric on Wed Nov 13, 2002 at 04:34:35 PM EST

which is one of the most discriminatory unrepresentative bodies in the country decides to tell the rest of the country about diversity

I'm seeing black helicopters? (3.00 / 2) (#41)
by JAM on Wed Nov 13, 2002 at 07:07:17 PM EST

...or is it just a coincidence that this arrives at mostly the same time as the TCPA/Palladium marketing?
-- Sorry for my engRish (TM)
This legislation clashes with the DMCA (5.00 / 1) (#49)
by Netsnipe on Thu Nov 14, 2002 at 07:24:44 AM EST

What hypocrisy! The US Government wants to reap the benefits of having a well funded security research sector and infrastructure, but bites the hand that's going to feed it at the same time!

Thanks to the Digital Millennium Copyright Act, it's illegal for US citizens to disclose any information on security vulnerabilities that may also be used in order to circumvent digital security. The same law censors Red Hat from releasing security advisories in the US, stops Alan Cox from explaining his patches so as to not incriminate himself, and allows Professor Felten to be threatened with lawsuits for releasing his findings on (SDMI) encryption-cracking to the public.

Hopefully, what will come out of this, is that the US Government will finally repeal the draconian DMCA when they realise how much it cripples research into security.

--
Andrew 'Netsnipe' Lau
Debian GNU/Linux Maintainer & Computer Science, UNSW

Thank you (none / 0) (#50)
by imrdkl on Thu Nov 14, 2002 at 07:33:23 AM EST

I had hoped someone would point that out. Not only does it clash with DMCA, but likely also will eventually breach several sections of the Patriot Act, and likely conflict with other legislation in the pipeline.

[ Parent ]
Patriot Act (none / 0) (#53)
by Syntax on Thu Nov 14, 2002 at 03:31:46 PM EST

That may not matter because I believe the Patriot Act is set to expire anyway.

[ Parent ]
The Patriot Act will expire (none / 0) (#54)
by imrdkl on Thu Nov 14, 2002 at 05:48:05 PM EST

but not during the next 5 years, which is when these funds will be distributed.

[ Parent ]
Once more, with feeling... (none / 0) (#58)
by sigwinch on Thu Nov 14, 2002 at 10:55:50 PM EST

Thanks to the Digital Millennium Copyright Act, it's illegal for US citizens to disclose any information on security vulnerabilities...
Do you have a citation for the United States Code, or are you just mindlessly parroting the ignorant propaganda from Alan Cox?

Once again, I point out that I have actually read the relevant statutes, and they only prohibit devices that can extract protected content. And then, only under certain narrowly-construed circumstances that basically amount to intentional vicarious copyright infringement under classical copyright law. An essay describing a flaw is not prohibited because it is not a device. An essay is not an algorithm, it does not process data, it does not crack encryption keys: it is abstract knowledge.

Furthermore, Alan Cox is a damn idiot for simpering about CHANGELOGs when every Linux distribution includes file editors, debuggers, and filesystem editors that are far more potent circumvention devices for violating access controls. Server/desktop Linux distributions already come with a full suite of tools for directly accessing every data structure in the system, access controls be damned.

--
I don't want the world, I just want your half.
[ Parent ]

Missing poll options (5.00 / 1) (#56)
by sigwinch on Thu Nov 14, 2002 at 10:30:05 PM EST

  • Unsurprising user interfaces
  • Handling all strings/octet-buffers using length-checking libraries
  • Trusted security appliances to keep private keys from wandering away
  • Convenient biometrics and authentication tokens
  • Strong isolation between programs to make malware harder
  • Network infrastructure for quenching floods

--
I don't want the world, I just want your half.

That sounds scarily similar to this.... (none / 0) (#59)
by volo on Fri Nov 15, 2002 at 12:23:40 AM EST

Information Awareness Office

The most serious asymmetric threat facing the United States is terrorism, a threat characterized by collections of people loosely organized in shadowy networks that are difficult to identify and define. IAO plans to develop technology that will allow understanding of the intent of these networks, their plans, and potentially define opportunities for disrupting or eliminating the threats. To effectively and efficiently carry this out, we must promote sharing, collaborating and reasoning to convert nebulous data to knowledge and actionable options.


Good choice on the logo guys...

Ahh, more government spending! (5.00 / 1) (#60)
by Foozle on Fri Nov 15, 2002 at 01:55:02 AM EST

Ah, our tax dollars at work. My CS masters was paid for by SDI funding (neural networks for target tracking, in the late 80s). No usable research results, but it paid my tuition (and a meager stipend). Think of it as an indirect "higher education subsidy". Sometimes the "Law of Unintended Consequences" actually pays off... The system exists. Work with it.

By an odd coincidence... (none / 0) (#61)
by Foozle on Fri Nov 15, 2002 at 01:57:45 AM EST

I ended up in Information Security. Go figure. If only government funding paid more than consulting....

[ Parent ]
In fact, both my grad stints were NSF funded... (none / 0) (#62)
by Foozle on Fri Nov 15, 2002 at 02:09:15 AM EST

My second go-round in grad school (technology policy, mid-late 90s) was funded by the NSF: research for a micropayment system and for public key infrastructures (flavors of the respective months)... And I'm a WASP male. Go for it! The funding is there!

[ Parent ]
Be paranoid (5.00 / 1) (#64)
by kcbrown on Mon Nov 18, 2002 at 06:47:02 AM EST

Those of you who have noticed that the bill conflicts with the DMCA are of course correct that it does.

But if you believe that this conflict will matter, think again.

Remember that it's ultimately the government that decides whether or not to go after someone for violation of a national law like the DMCA.

So it should be obvious what will happen here. The bill will pass and those who are performing the research in question for the government will get immunity from prosecution, at least while they're performing the research in question. You can also expect much of the research in question to have big "Classified" stickers pasted all over it when the research is done.

And those things that aren't immediately classified will, of course, be patented.

End result: only those things that "need" to be secured in the interests of "national security" will end up being secured. But personally owned items (personal computers in particular) will only be secured from their owners (think Palladium), not necessarily from the world at large and certainly not from the government. This is because it's advantageous to the government that private computers, and the communications that they participate in, be easily compromised, at least when the source of the compromise is the government itself.
