Forgot your password?
typodupeerror
Security United States

Cybersecurity Chief Resigns 367

Posted by michael
from the told-he-had-to-install-all-patches-personally dept.
Doc Ruby writes "AP is reporting that 'The government's cybersecurity chief has abruptly resigned after one year with the Department of Homeland Security, confiding to industry colleagues his frustration over what he considers a lack of attention paid to computer security issues within the agency. Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single's day notice of his intentions to leave.' Yoran is the third cybersecurity chief in a row, after Richard Clarke and Howard Schmidt, to quit the Bush administration citing organizational inability to do his job. Maybe the job can't be done." In a possibly related story, individuals take cybersecurity lightly: Ant writes "This story says that consumers have a casual approach toward cybersecurity and fail to grasp the pervasiveness of online threats, according to a study released Thursday. More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code."
This discussion has been archived. No new comments can be posted.

Cybersecurity Chief Resigns

Comments Filter:
  • by garcia (6573) * on Friday October 01, 2004 @02:41PM (#10407161) Homepage
    Yoran has privately confided to industry colleagues his frustrations in recent months over what he considers the department's lack of attention paid to computer security issues, according to lobbyists and others who recounted these conversations on condition they not be identified because the talks were personal.

    Of course they aren't paying any attention. People just aren't knowledgeable enough about the threat of cybersecurity to give a shit. These people think that there is a real threat that their house may be singled out in a dirty-bomb attack because the Bush administration is happy to have them think that. As long as the Bush administration can keep people's minds on a single track of terrorism there's no need to bring to light other avenues of attack. Why should they diversify right now? They might bore the public with their "crying wolf" on dirty-bombs and airplane searches and would need another shiny object to get everyone to pay attention to.

    About 90 percent of computer users interviewed remembered the name of the performer from the last Super Bowl halftime show, while only 60 percent knew when they last updated their computer security program.

    No fucking way, people remember the name of a performer from the Super Bowl after it was banged into their heads on every media outlet for two months straight? OMFG, I cannot believe it. You mean that these same people who are so concerned with the atrocities being fed to them on TV aren't concerned or knowledgeable about their computer? I can't believe it!

    Face it, people don't give two flying fucks about being educated in computer know-how. They want to flip the switch and have it work. If it doesn't work they want to call up their ISP and have them fix it. Their computer is a dumb terminal for their ISP's webpage and http://www.thehun.com. As far as people guessing their chances at being hit by malicious code... They probably seriously believe that malicious code means that they bring home a disk and put it in their drive and run a program that will be an old-sk00l virus. They have no idea that there are programs out there "spying" on them every minute of their surfing experience. They just don't care enough to know. Plus these same people probably do think that their chances of hitting the lottery are good as they are dumb enough to ignore real news for their own realm of importance (Reality TV).
    • by PitaBred (632671) <slashdot@pitabre ... g ['s.o' in gap]> on Friday October 01, 2004 @02:51PM (#10407288) Homepage
      If I had mod points, I would give them to you.
      On a semi-related note, we're the ones who need to convince people of this. Most people I know are amazed when I tell them what the keyloggers and such do, and show them what just Ad-Aware will come up with. One of my friends (an older lady) actually bought a book on my recommendation because she wants to know what's going on on her computer, and learn more about even basic security.
      It takes time, but it's a grassroots movement :) And unless you use the same tactics as the "War on Terror" (the h4x0r5 will get your credit card!) and show them hard evidence of it already being there, it's hard to convince people of the threat.
      • by gidds (56397) <slashdot@gRASPidds.me.uk minus berry> on Friday October 01, 2004 @08:42PM (#10410346) Homepage
        Hmmm. Maybe being a Mac user makes me biased on this, but I reckon that computer users (of all kinds) should be able to flick a switch and just have it work. They shouldn't have to educate themselves about viruses and other malware. They shouldn't need to be concerned about security and other issues. After all, I don't need to read up on emission spectra and the effect of induction on power phase lag just to fit a light bulb or press a light switch; neither should I need to learn lots about computer security just to use a few applications. In short, we shouldn't be having this conversation!

        The fact that we are having this conversation seems to mean that we as software developers aren't doing our jobs properly. We should be writing secure systems, making sure that nothing we do could possibly be a point of entry for malware of any kind. This particularly means the folks at MS, of course, but even app writers need to be vigilant.

        But we're not living in that ideal world; we're living in the real one, where the most popular platform has innumerable insecurities in its OS and popular apps... So I guess you're right: we do need to make users aware of these things. It just annoys me, because we shouldn't need to!

        • No, you're probably a bit spoiled by being a Mac user - but you're not wrong at all!

          As just one (of countless!) examples I run across in my line of work (on-site PC service), I was trying to help a guy out this afternoon who had spyware/virus problems crippling his Windows XP machine.

          He's no dummy either. He has a PhD in Physics, and works from home as an editor for college textbooks.

          This is about the 5th. time in 6 months or so that I've had to help him fix these types of issues. Originally, he was ru
        • It's not quite that simple, though. There will always be a certain level of education needed for /anything/.

          To use your analogy of the lightbulb, I may not need to read up on emission spectra and the effect of induction on power phase lag in order to change a lightbulb, but it's still important to have certain understandings; it's good for the person changing the lightbulb to know that sticking their finger into the light socket with the switch turned on is 'not advised,' for instance. Sure, that seems l
    • by Anonymous Coward on Friday October 01, 2004 @02:51PM (#10407302)
      People just aren't knowledgeable enough about the threat of cybersecurity to give a shit. These people think that there is a real threat that their house may be singled out in a dirty-bomb attack because the Bush administration is happy to have them think that. As long as the Bush administration can keep people's minds on a single track of terrorism there's no need to bring to light other avenues of attack.

      I don't think malicious code is comparable to terrorist attacks for most people. Of course, there are life-supporting systems vulnerable to attack, and those should be guarded very carefully. But those systems aren't the ones on the average Joe's desk. For the systems average people maintain, malicious code (viruses, worms, spyware) is an aggravation, not a danger. The worst that could happen is that their credit card numbers are stolen. A real monetary loss, but it'd be a stretch to compare it to a bomb of any kind.

      • by siriuskase (679431) on Friday October 01, 2004 @03:00PM (#10407405) Homepage Journal
        Lives lost is more dramatic than dollars lost. I have to admit, I'd rather lose my dollars than my family. But bringing down the economic system would hurt more people a little bit than most bombs which hurt just a few people a lot. And that little bit could be much more significant in the long run, we know how to dispose of dead bodies, what would we do if banking transaction systems failed? How long would it take for us to be back in business?
      • by Anonymous Coward on Friday October 01, 2004 @03:17PM (#10407597)
        ...The worst that could happen is that their credit card numbers are stolen. A real monetary loss, but it'd be a stretch to compare it to a bomb of any kind...

        So when those "terrorists" start sucking money from those compromised credit cards to fund their continuing activities, thats ok because Joe Sixpack thinks "it doesn't affect me, I don't care". Joe Sixpack is in essence the biggest security threat to the US.

    • by TomorrowPlusX (571956) on Friday October 01, 2004 @02:53PM (#10407318)
      While I'd like to mod you insightful, I have to sacrifice that right, because I have to tell you something:

      Your idea of a dumb terminal to TheHun just MADE MY GODDAMN DAY. Somebody, give this man a patent!

      That's all,

      TomorrowPlusX
    • >>They want to flip the switch and have it work.

      I know exactly what you mean. I service several professionals' (CPA's, lawyers, doctors) pc's that feel exactly that way. I try to encourage them to take a basic computer class (copy & pasting, clear printer spool, ipconfig, email attachments, updating software, etc) to make them more efficient instead of calling a tech for every little thing. Their attitude is like, "I know everything I need to know, knowing computers is not my job." Which is u
      • Then they get pissed when a tech isn't there within 5 mins. Hmm.....maybe I don't charge enough for service calls?

        Do you think so?

        In all seriousness, charge them what you're worth to them. If they're not interested in learning about their systems, charge them for your expertise. If they want to save some money, offer to tell them how to do some of that basic stuff so they won't need to call you for silly stuff.

    • Ah America. Where we are too lazy for democracy.

      I do find it funny that people will shrug off the probability of something bad happening to them if it's less than being struck by lightning, and then go ahead and by a super-mega-lotto ticket.

    • by chrish (4714) on Friday October 01, 2004 @02:58PM (#10407385) Homepage
      They interviewed 500 people out of 185 million Americans with Internet-enabled computers.

      Wouldn't that be called a "statistically insignificant" sample set?

      • No, they sampled enough folks to make this assessment. They didn't even need that many if it follows a standard distribution, right? 30 would be enough in that case, assuming they are sampling the right target.

        Remember, they are just trying to draw a graph of probabilities, not learn every minute unique answer.

    • by museumpeace (735109) on Friday October 01, 2004 @03:07PM (#10407483) Journal
      People just aren't knowledgeable enough about the threat of cybersecurity to give a shit. These people think that there is a real threat that their house may be singled out in a dirty-bomb attack because the Bush administration is happy to have them think that. As long as the Bush administration can keep people's minds on a single track of terrorism there's no need to bring to light other avenues of attack.

      What you say is true enough about the the Joe and Jane Consoomer types that are referred to in latter part of the article but the "people" we are talking about here are the govmint folks whose job and is and whose claim on our loyalty and obedience is their duty TO PROTECT US. If those people don't know Internet Protocol from Intellectual Property we should fire their asses rather than let them drive every competant person they can away from the job.
      Any body with a cable modem who took a minute to look at their firewall log could tell you how many times per hour their house WAS singled out for molestation by bots and hackers. Watching some pimple working from behind a Korean ISP try to telnet a home computer in Massachusettes IS a little creepy and the kind of thing that would alarm the average homeowner who would be all over 911 if he saw a person physically prowling about in his back yard...if only they were looking!
    • by rahlquist (558509) on Friday October 01, 2004 @03:10PM (#10407516) Homepage
      You are right about people not giving a rats ass. But in defense of the idiots out there, part of the problem is the closed loop thats is computer knowledge and those who have it.

      When you have none you share none, when you have a little you share that, when you have a good amount you start to keep it to yourself, when you have enough knowledge to say setup a linux box from source, you keep you knowledge closely guarded and dont share shit with the average user.

      Why? Because like most things in life when you work hard for somethign you are loathe to just give it away to Dewy Dumbshit who just crashed his system trying to install a video driver for a Nvidia card when his is an ATI. Part of the reason people are ignorant is there is no way for them to learn from experienced users. Thats why we have HR people hiring idiots from places like DeVry and expecting them to be a real system administrator.

      So We have 3 groups of users, the haves (have knowledge and know how to use it), the have nots (but may actually want it) and the care nots (folks who want to read their email and dont give a flip about malicious attacks). Everyone was a n00b at one time or another, when was the last time any of you /.'ers sat down and calmly thoroughly explained cyber security to another n00b and gave them true insight?
      • by chris_mahan (256577) <chris.mahan@gmail.com> on Friday October 01, 2004 @04:14PM (#10408209) Homepage
        The reality is that Joe Consumer gets a glaze over his eyes (yes, both) when I start talking about port knocking, man-in-the-middle, and automated backups.

        Then usually my wife elbows me in the ribs and announces: "Don't listen to my husband, he can't make good party conversation".

        So no, I don't talk security to people. They don't want to hear it.

        Then they all blabber about the latest football team this and draft that and did you see that pitcher? At which point I hit the punch bowl and the cashews and sit by myself, running through my head the list of things I need to implement as xmlrpc services.

        Lastly, for jane newbie, there are TONS of good sources out there on what to do and how to do it. (Borders bookstore comes to mind, as well as Professor Google).

        And generally guru geeks LOVE to talk about tech, they just don't like to be ignored.

      • when was the last time any of you /.'ers sat down and calmly thoroughly explained cyber security to another n00b and gave them true insight?

        Just about every week, to some person or another! I explain clearly and persistently the nature of the problem, what is at stake, the vectors by which computers become infected, and the clear, precise steps required to prevent it. I provide references, and even drag them kicking and screaming, to articles by reputable agencies and media outlets, describing the sever
    • by potus98 (741836) on Friday October 01, 2004 @03:42PM (#10407872) Journal

      ...They want to flip the switch and have it work.

      Damn straight skippy! I've been dreaming of this for years

      ...They probably seriously believe that malicious code means that they bring home a disk and put it in their drive and run a program that will be an old-sk00l virus.

      Sure, maybe. Or perhaps they have no idea what "malicious code" is in the first place. BTW: They shouldn't have to care about malicious code! It's like asking Joe-on-the-street what the US strategic and tactical strategies should be in the Middle East. What kind of background/training does Joe have? Why in the world would I give a crap about his answers on any polls.

      ...Plus these same people probably do think that their chances of hitting the lottery are good as they are dumb enough to ignore real news for their own realm of importance (Reality TV).

      Ahhh yes, IT snobiness strikes again. The average person shouldn't have to "give two flying fucks" . The PC industry should get its act togeather and deliver "dumb" terminals that do exactly what people expect them to do. Chances are, you don't know anything about natural gas fittings, but you still use a stove. I don't know anything about generating and containing microwaves, but I still eat frozen burritos. Why the hell should we burden Joe-average with patches, virus updates, malicious code, .dll's, conflicting IRQs, etc...? Especially when all they want to do is read e-mail, download pr0n, and play games. It's not like the average PC user is trying to develop a new OS kernel.

      • The problem is, I've heard of people blowing up their houses because of natural gas fittings. That, and the people who do those are actually certified. It's not usually a DIY job. Same with designing a microwave.
        But people want to put software on their computers. Hell, if you want a secure system, mount everything but the swap/temp as read only, and boom. Nothing can go wrong. As soon as you increase the complexity of the system, you run into problems.
        It's almost as if you think "Hell, we can build a rowboat that anyone can use, why can't we build a Triton class submarine that anyone can use?"
        • ...It's not usually a DIY job. Same with designing a microwave.

          Exactly!!! Certified experts have already designed those products for use by Joe-average. He can cook all kinds of meals without needing to install new gas fittings, adjust microwave frequencies, or fiddle with particle beams [technovelgy.com]. :-)

          I have argued for years that the general, home-user PC device should have matured into appliance-level sophistication (ie: easy to use) YEARS ago. The "complexity" of the modern PC operating systems are total over

      • by dekashizl (663505) on Friday October 01, 2004 @06:58PM (#10409721) Journal
        Sure, maybe. Or perhaps they have no idea what "malicious code" is in the first place. BTW: They shouldn't have to care about malicious code! It's like asking Joe-on-the-street what the US strategic and tactical strategies should be in the Middle East. What kind of background/training does Joe have? Why in the world would I give a crap about his answers on any polls.
        A better analogy, instead of saying that average people need not know US "strategic and tactical strategies", is war-time rationing. You may not know how to build a tank, but if the government says "don't waste metal because we need a lot of it to build tanks" (as they have done in the past), then average person should listen.

        And in this case, the government should step up and say "don't let your PC become a zombie, because you are contributing to massive DDOS attacks againt our critical infrastructure". Unfortunately, it takes an event of 9/11 proportions to wake people up enough to acknowledge the possibility.

        So when NYSE, Nasdaq, banking networks, and critical communications infrastructure are brought down by a cyber-terrorist attack, THEN you'll start seeing this top-down focus on more localized security. Sadly, not before that.
    • blame the user eh? (Score:5, Insightful)

      by gad_zuki! (70830) on Friday October 01, 2004 @03:46PM (#10407927)
      >Face it, people don't give two flying fucks about being educated in computer know-how.

      I dont care how my fridge and toaster work, at least on the level of maintaining them properly and repairing them. Along with my car. You're being too geek-centric here and blaming the victim.

      Why aren't Mac users having the massive security problems Windows and Unix users have? The problem is the product and the vendor. We are at a point where you can make a safe OS you dont have to babysit. The market has delivered it in the form of OSX, for the most part. Linux is no magic bullet either as it runs so many services, is very user unfriendly, etc. Come on, face facts here before I get modded down for diverging from the "party line."

      What people need is a better product, not four CS classes on network security. What people need is to do their work and shut the thing off and not worry about it. What people need and what they are getting from Dell et al are two very different things. If we're going to blame the Bush administration, lets blame them for letting MS go when they could have broken them up into two or three different companies.

      For every field there's someone like you who blames the user. Be it the mechanic who is pissed that "stupid drivers" can't figure out how to change a fuse or their own tire. Or plumbers sick of doing midnight calls because landlords put off maintenance and something breaks in the middle of the night. Or local telco/power companies sick and tired of triming your trees for you when your tree breaks a power line.

      IT should work for people. People shouldnt be working for their computers. Blaming the user is the wrong way to go about it. Blame the designers for not making a user-centric design. Blame the designers for shipping code riddled with security holes.
      • by einhverfr (238914)
        Linux is no magic bullet either as it runs so many services, is very user unfriendly, etc. Come on, face facts here before I get modded down for diverging from the "party line."

        When was the last time you actually installed Linux as a workstation or a server without installing stuff you don't need? 5 years ago?

        I have only seen a couple of services enabled by default on Red Hat distributions since 8.0. These include NFS and SSH, and both are blocked by default by firewall rules.

        That being said--- there
    • by Mr Guy (547690) on Friday October 01, 2004 @03:47PM (#10407943) Journal
      No fucking way, people remember the name of a performer from the Super Bowl after it was banged into their heads on every media outlet for two months straight?

      This may be a crazy theory, but possibly it's because there was a nipple involved.
    • by jc42 (318812)
      Face it, people don't give two flying fucks about being educated in computer know-how. They want to flip the switch and have it work.

      No, they don't. If they did, they would never buy anything from Microsoft. They'd all be buying Macs.

      And don't try to claim that they're ignorant of Windows' user hostility. Jokes about the difficulty of making computers do anything right are part of the general culture. And people with even the slightest bit of computer awareness are always aware of Apple. I've overhea
  • by caluml (551744) <slashdot AT spam ... OT calum DOT org> on Friday October 01, 2004 @02:42PM (#10407177) Homepage
    'The government's cybersecurity chief has abruptly resigned after one year with the Department of Homeland Security, confiding to industry colleagues his frustration over what he considers a lack of attention paid to computer security issues within the agency.

    He was also heard to say "linux is teh l33t and m$ feerz their mad penguin sk1llz".

  • by Igloodude (710950) on Friday October 01, 2004 @02:44PM (#10407197)
    Without a Digital Pearl Harbor attack hitting us, it is unlikely that anyone will take him seriously, and since Digital Pearl Harbors was just Richard Clark FUD in the first place, his resignation was inevitable.
    • by LanMan04 (790429) on Friday October 01, 2004 @03:15PM (#10407565)
      A digital Pearl harbor is not FUD. One day our increasing reliance on automated and interconnected systems to run or critical infrastructure is going to bite us in the ass, and HARD.

      It doesn't have to be terrorist related, it could be incompetence or not rebooting your aging Windows system once a month, a-la the recent air traffic control blackout. And we're in serious shit if a tech-savvy threat manages to penetrate power distribution, emergency call, or air-traffic control systems, or who knows maybe all three, and shut it all down right before a devestating physical attack. It's a huge force-multiplier, but in addition it can be a force unto itself. Imagine the whole country going without grid power for a month or two. Not a pretty picture.

      As usual, no one will do anything serious until there is a major incident (involving loss of life), after which "computer security" will be beat into our skulls every minute of every day, even if it's draconian and won't actually make people much safer, just like transportation security is today.
    • by EvilTwinSkippy (112490) <yoda AT etoyoc DOT com> on Friday October 01, 2004 @03:17PM (#10407591) Homepage Journal
      Of course this regime would respond to a Digital Pearl Harbor by invading Mexico.
  • If there is one marketing term I despise more than any other, it's "cyber". Well that and putting the letter "e" or "i" in front of terms.

    Drop it already! It's sooo 90s, dude.
  • by swillden (191260) * <shawn-ds@willden.org> on Friday October 01, 2004 @02:45PM (#10407215) Homepage Journal

    More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code."

    The problem is that many PC users are doing the cybersecurity equivalent of what some idiot did near my home about fifteen years ago.

    He was in his boat out on a lake when a thunderstorm moved in. When others on the boat suggested that they should go to shore for fear of lightning he scoffed, stood up on the bow of the boat, stretched his arms upward and shouted "Take me now, God!".

    God complied.

    Connecting an unpatched PC to a broadband connection is pretty much the same thing.

    • More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code.

      This is a meaningless statistic. I bet if I surveyed 493 Slashdotters with the same question I'd get somewhere around 90% answering the same way because it'd be the truth.

    • As long as knowledgable people have the attitude that victims of crime deserve what they get, realistic attempts to control such crimes are discouraged. Some slashdot types enjoy the superior feeling we get when we hear of the woes of those not in our tech elite.

      Concerns about nightmarish tales of computer zombies and such that sound like bad horror movies are so silly when dirty bombs and anthax are lurking out there somewhere.

      • As long as knowledgable people have the attitude that victims of crime deserve what they get, realistic attempts to control such crimes are discouraged. Some slashdot types enjoy the superior feeling we get when we hear of the woes of those not in our tech elite.

        It's the same attitude an assurance company has about you when it comes to securing your home. They tell you that certain types of locks are insecure, and that you should lock your home, and not letting the bathroom window open. And they refuse t
    • Connecting an unpatched PC to a broadband connection is pretty much the same thing.

      I have to admit that I'm connected to broadband with an unpatched PC. And I still feel safe. That's because none of the three security vulnerabilies issued for my OS version affect me.

      PC != Windows
    • by EvilTwinSkippy (112490) <yoda AT etoyoc DOT com> on Friday October 01, 2004 @03:00PM (#10407403) Homepage Journal
      If they were real PC users you would have at least 986 answers from 386 people surveyed.

      Of course the first answer is always "I didn't do anything."

    • by EvilTwinSkippy (112490) <yoda AT etoyoc DOT com> on Friday October 01, 2004 @03:10PM (#10407523) Homepage Journal
      I had a new install of XP for a client become infected in 3 minutes, over a dialup line.

      No choice one that one though. I was trying to download the patch to prevent XP from becoming infected in 3 minutes by connecting it to the internet...

  • BIG mistake (Score:3, Interesting)

    by rwven (663186) on Friday October 01, 2004 @02:47PM (#10407227)
    I think we all know it's a ridiculously HUGE mistake to underestimate the importance of cypersecurity. Whoever is responsible for "not paying enough attention" to it needs to be outright fired... We're talking about every classified document in existence being at risk. Frankly i don't blame him a bit for quitting. I think it's ridiculous to blame the problem on the bush administration because i think we all know that's not the case, but obviously someone needs to get their act together....
    • I think it's ridiculous to blame the problem on the bush administration because i think we all know that's not the case

      Exactly, we have nookalur level security on those systems.
  • Intractable Problem? (Score:5, Interesting)

    by Gothmolly (148874) on Friday October 01, 2004 @02:48PM (#10407242)
    As I said at a meeting one day as people were pulling their hair out over the latest MS worms, and the failures of all of the "automatic patch deployment"-type tools out there, "Maybe the large numbers of Microsoft workstations present an intractable problem". Stunned silence. I half expected to be stoned to death as a heretic. When Corporate America stops sucking on the Microsoft Tit, we'll finally see real improvements in security. As long as paper-engineers and golf-club-wielding PHBs are entrusted with decision making, I see no chance for improvement.
    • I would also have pointed out that Skype, Firefox, and Tale in the Desert work great under Linux, and that's what I spend the majority of my workday doing, so Linux is quite viable.
    • As long as paper-engineers and golf-club-wielding PHBs are entrusted with decision making, I see no chance for improvement.

      I hit the icing on the cake Wednesday. My company rolled out a PGP solution for Outlook. Good, right? Wrong! The policy is to write down your passphrase on a paper, give it to IT, who will then store your passphrase for safekeeping in case you lose it.

      !!!
      • "I hit the icing on the cake Wednesday. My company rolled out a PGP solution for Outlook. Good, right? Wrong! The policy is to write down your passphrase on a paper, give it to IT, who will then store your passphrase for safekeeping in case you lose it."

        (My jaw drops)

        That is truly stunning in its short-sided cluelessness. Now a social engineer has to make only one line of attack and he or she has everyone's password at once. Brilliant.

    • by GoofyBoy (44399) on Friday October 01, 2004 @04:04PM (#10408108) Journal
      >"Maybe the large numbers of Microsoft workstations present an intractable problem". Stunned silence.

      If someone tried this at work I would give him a stunned silence too.

      Here we are trying to fix a difficult problem with everyone's job on the line and someone want to play Monday morning quarterback by sprouting off comments that does not help, unless you think you can get the entire company migrated over and trained to use Linux in the next 2 hours.
  • by thpr (786837) on Friday October 01, 2004 @02:48PM (#10407246)
    More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code

    Given frequent updates, ZoneAlarm, a firewall/router, precautions about not opening things I don't know about, VPNs, and other things, I probably AM more likely to be struck by lighting than hit by malicious code. But I'm a /. reader... :)

    • Without security, you are more likely to get hit by malicious code than _not_ win the lottery.

      A friend of mine is consulting for AOL and he was unable to install Windows 2000 without getting attacked from within their internal network. And from what I've heard the wild Internet is just as bad or worse.

    • by Waffle Iron (339739) on Friday October 01, 2004 @03:08PM (#10407496)
      I probably AM more likely to be struck by lighting than hit by malicious code.

      I wouldn't be so sure about that. This [noaa.gov] report says that the US has lightning injuries+fatalities of around 500 per year. That means the average person gets hit by lightning about once every 600,000 years.

      The odds that somebody is going to develop a blockbuster zero-day exploit are much higher than that. For example, what if some person or organization discovers something like new flaws in both Cisco routers and the standard JPEG rendering .DLL or .so? And instead of posting it to security mailing lists, they write effective exploits to hijack the routers to serve up infected JPEGs?

      Most of the computers on the Internet could be compromised within minutes just by ordinary browsing. No amount of patching, firewalls or care on the part of the user would prevent the attack. That is just one scenario; it's not hard to think up countless variations. It may be unlikely that this will happen in any given year, but I doubt that it would be as rare as once every 600K years.

    • OK, it's clear that you're trying to do the right thing and for that I applaud your effect. Seriously - keep it up and encourage those around you to do the same.

      However, you must be smoking crack. Are all of your apps secure against the recent JPG decoding vulnerabilities (because you "open" things you don't know about each and every time you view an image on the web)? Have you read the line-by-line security audit of your VPN software and have a reasonable belief that it's mathematically correct (becau

  • by FunWithHeadlines (644929) on Friday October 01, 2004 @02:48PM (#10407258) Homepage
    Please note, this is a rant that is not directed at one political party of the other, for both do it. But since the Bush team is in power, they will have to do as an example of what I mean.

    All politics is about power, the obtaining of it and the maintaining and expanding it. The focus when running for office is to say and promise whatever it takes to get you into office. Once there, the focus becomes hanging on to power at all costs. The way to do that is to play on voter's fears, desires, insecurities, in such a way as to get them to think you will solve their problems better than the next guy. Thereby saving your job.

    This is true no matter the topic, and no matter the importance of the topic. Right now, Topic A is security, and boy is that a vital topic. So vital, you'd think politicians would put their usual partisan techniques and actually get something done. But no, even here with lives at stake, it's politics as usual. Is computer security a hot-button issue for the average voter? Not enough to throw someone out of office over. So does this get priority? Nope.

    Look at the vulnerability of chemical plants to attacks. There were proposals to beef up security, the chemical industry squawked at the costs, the plan got scaled back. Why? Isn't security important? Sure, just ask Union Carbide about Bhopal. More importantly, ask thousands of Indians about Union Carbide in Bhopal. It is important, but it's not attacting votes, so it gets shunted aside. That's all that matters, folks. It's about maintaining power. So no matter how many security czars they get, unless that becomes a hot-button issue for the voters, it'll never be a hot-button issue for the Bush White House (or any other president that comes along).

    • Well airline security wasn't really an issue before Al-Queda's sightseeing tour of New York and DC, either.

      Cybersecurity isn't sexy because there isn't a body count. Terrorists strike an airliner, there are 100 souls. Terrorists strike a refinery, there might be a couple of workers and firemen. The real impact is sticker shock at the gas pump. Terrorists strike a bank computer, and people can't use their ATM cards. Computer security really doesn't rank up there.

      As a geek I would like to think I'm saving

      • by FunWithHeadlines (644929) on Friday October 01, 2004 @03:14PM (#10407556) Homepage
        Yes, that is the point, really. They focus on whatever gets votes, and terrorism is the big topic at the moment for obvious and horrible reasons. Cybersecurity should also be focused on properly, but because it's considered a lesser priority we have one cybersecurity czar after another resigning.

        "Well airline security wasn't really an issue before Al-Queda's sightseeing tour of New York and DC, either. "

        One quibble about that sentence: Airline security became an issue in the early 70s when hijacking came in vogue. All those security checks and rules are used to at the airport? Didn't exist back in the 60s and earlier. The hijackers would do something like smuggle a gun on board, and they would react by installing metal detectors. Then the hijackers would ratchet up the ante, and the security people would add a new check. Finally, security became fairly good at airports, such that hijacking went down in frequency. So the people who might have tried hijacking now tried, say, putting bombs on board, and the escalation of cat-and-mouse moved in a new direction.

        It is a sad irony that people became trained to sit quietly during a hijacking since that was the best way to ensure your safety: wait it out until it was over and you'd be fine. The 9/11 hijackers used that psychology to their advantage. But that advantage is forever gone, for never again will passengers sit quietly by waiting for it to be over. That fact is how I know there will not be another 9/11 incident of the type we saw that horrible day. Instead, terrorists will try something entirely new. Something to think about as you wait in that endless line at the airport, realizing that they are busy chasing yesterday's terrorists, and probably haven't a clue what tomorrow's terrorists might dream up. Depressing thought, but probably realistic, given the history of airport security for the past forty years.

        • All those security checks and rules are used to at the airport? Didn't exist back in the 60s and earlier.

          A side note, the US is the only country I've been to that allows non-passengers up to the embarkation gates. Anywhere else, you get stopped at customs and can't proceed without a ticket. Curbside check-in, which I'm still fuzzy on, but as I understand basically puts your luggage right on the plane stright from the taxi, is another huge issue.

          Let's face it, the US was always behind in security, because
      • Bringing down the computerized communications systems would totally f*** us up, but what makes it worse is we wouldn't know the extent of the damage until later.

        Let's hope the terrorists stick with dramatic stuff like violently killing a small percentage of us, than more insidious stuff that could leave us unable to respond to followup attacks.

  • by Gary Destruction (683101) * on Friday October 01, 2004 @02:49PM (#10407259) Journal
    Defending your country includes domestic and foreign defense both off and online. The fact that the military and various government agencies use the Internet is justification for including cyber security as part of defense. Cyber security should be part of the DoD's job.
  • Taking it lightly (Score:5, Insightful)

    by jdavidb (449077) on Friday October 01, 2004 @02:50PM (#10407280) Homepage Journal

    In a possibly related story, individuals take cybersecurity lightly

    To be honest, maybe it's hard to take seriously because we're busy trying to distort its meaning and importance with silly buzzwords like "cybersecurity." Why does everything have to be "cyber"-this and "cyber"-that? In my mind this doesn't sound any different than putting e- in front of everything and trying to market it during the dot-bomb bubble, and I imagine that it has a similar effect on the public. We've been conditioned since 1998 to ignore anything with e- or cyber- as a prefix. Why are we surpised that people don't take "cybersecurity" seriously, when we show by our vocabulary that we don't, either?

    Instead of "cybersecurity," how about "computer security," or "personal computer security"? See, it's possible to communicate what you mean in a simple, effective way without fancy buzzwords, and people might even pay more attention. ("You mean my computer might be in danger?")

  • by GodBlessTexas (737029) on Friday October 01, 2004 @02:50PM (#10407284) Journal
    Just getting people to pay attention in a corporate environment is hard enough, even with HIPAA and now Sarbanes-Oxley. Hell, if it weren't for Sarbanes-Oxley my company wouldn't even give a damn about security. That's sad, and frightening.

    I can only imagine the nightmare it must be trying to be in charge of security in a beauracracy like the federal government. If you've never dealt with the feds as an employee or contractor, you have no idea how many layers thick it goes. You can't even fart without pushing paperwork and dealing with red tape.

  • by maxchaote (796339) on Friday October 01, 2004 @02:51PM (#10407291)
    More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code.

    Time to go buy a ticket...
  • by ARRRLovin (807926) on Friday October 01, 2004 @02:51PM (#10407299)
    Sounds like he feels he was being setup to fail. That or they have the department wrapped so tightly with red tape that it makes the department ineffective. As most effective CIO/information directors will tell you, they're not interested in maintaining anything. They want to innovate and if you make that impossible or do not require innovation, they will leave.
    • Sounds like he feels he was being setup to fail.

      Or perhaps he felt that there are a lot of issues to be concerned about, but nobody in the administration wanted to consider them. Maybe it's the same thing. If I recall, that was essentially Richard Clarke's beef. According to Clarke, he kept telling the administration that this terrorism stuff was serious, but his superiors didn't want to hear it, didn't want to have to do anything about it.
  • being "hit" (Score:4, Funny)

    by justforaday (560408) on Friday October 01, 2004 @02:53PM (#10407319)
    More than a third of the 493 PC users surveyed...said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code.

    It should be noted that these people are probably thinking of being "hit" in the physical sense of the word...
  • It can be very frustrating to someone who just wants to accomplish something when politics prevent it from happening.
  • Good. (Score:5, Insightful)

    by Exmet Paff Daxx (535601) on Friday October 01, 2004 @02:55PM (#10407345) Homepage Journal
    Hopefully the hydra will not spring forth another head to take its place. The question we need to ask ourselves here is: should the government even be involving itself in "regulating the Internet" to "improve security"? Considering the free market has a better track record at accomplishing nearly everything (compare the DMV to 7-11) why the hell do we need a useless figurehead like this in the first place? He's ex-Microsoft for God's sake.

    If the government actually wanted to promote cyber security, the best way to do it would be to put a bounty system on the evildoers and let the market compete to catch them. Microsoft but a bounty on some virus authors and look how fast they were caught! Imagine if we had a bounty on web defacers, worm authors, and other such vermin. System administrators worldwide have the legal right to read their customers mail but until no profit motive, so they don't do it. All that would change. You think 802.11 wardrivers can't be caught? What if information leading to their arrest was worth $50,000 - how many Slashdot readers would be patrolling their neighborhood for wardrivers? It's not too hard to spot the goon with the notebook and the high power 802.11 antenna connecting to every network in his path.

    Personally I'd love to put "Internet Bounty Hunter" on my resume. I'd probably start with the goon at 66.35.250.150 who keeps proxy scanning me.
    • Re:Good. (Score:4, Insightful)

      by PitaBred (632671) <slashdot@pitabre ... g ['s.o' in gap]> on Friday October 01, 2004 @03:09PM (#10407509) Homepage
      Wait, what? What does ex-Microsoft have to do with anything? They hire some very talented people. Just because I abhor their corporate policies and marketing doesn't mean that the people who work for them can't have any good points.
      As for the wardriving thing... that's stupid. It's the same thing that got MS to the position it's in today. Why not have official wardrivers that find vulnerable AP's and then go knock on doors, telling people to get them fixed? Hit the root of the problem. Increase the barrier of entry for "hackers", the typical script kiddie crap, and 99% of the problem will go away. But just like any crime, you can't get rid of it completely. There will always be people trying to take advantage of others.
    • Re:Good. (Score:3, Insightful)

      by Kaa (21510)
      System administrators worldwide have the legal right to read their customers mail but until no profit motive, so they don't do it. All that would change

      Boggle. So you think making sysadmins read their users' email is a GOOD thing?

      You think 802.11 wardrivers can't be caught? What if information leading to their arrest was worth $50,000 - how many Slashdot readers would be patrolling their neighborhood for wardrivers?

      LOL. Wardriving is perfectly legal.

  • by 26199 (577806) on Friday October 01, 2004 @02:57PM (#10407369) Homepage

    ...than winning the lottery: well, you're about 250 times more likely to be involved in a car accident than to win the lottery. And about 10 times more likely to be murdered.

    (That's over a whole year, assuming you buy a ticket every week).

    Virtually everything is more likely than winning the lottery. Their poll just shows that people don't really understand probability... (hmm. You're also more likely to be hit by lightning than to win the lottery.)

  • by CrazyJim1 (809850) on Friday October 01, 2004 @02:57PM (#10407371) Journal
    They should outsource this National Cyber Security job to India.

    God spoke to me:
    www.geocities.com/James_Sager_PA
  • Bruce Schneier (Score:3, Insightful)

    by mboedick (543717) on Friday October 01, 2004 @02:59PM (#10407390)

    Bruce Schneier [schneier.com] should have this job. As a matter of fact he should be Secretary of Homeland Security.

  • by The-Bus (138060) on Friday October 01, 2004 @02:59PM (#10407399)
    Imagine someone walks up to you and starts talking to you about your car insurance:

    "Well, here's the thing. Your car needs to be safe, and since 1997, with more highways available, more ISEC 45 systems can't accomodate Goodyear telecons. Car insurances? In your glove box, you can find your insurance info several tachometers. Make sure to astagate the TFGG Nationwide proteases for the next fifteen days, and then every fifteen days -- dirkonite 1997 malfunctions could lead to superfinite hexagon and then your gas mileage Liberty Mutual goes down. But the car is fine, it's a good car. It's going to explode and your dog will die. Just call the state RT-678 system box accelerator engine spark plug twice, after frubbing the seats and air conditioner. So, yes, Ford and Honda are a risk, but you have filters, GM just needs shafts -- in Japan."

    That's basically what the average person hears when you start talking about computer security. They seem to understand some terms, but for the most part their eyes glaze over. Then they say "OK" and go back to looking on eBay for that autographed baseball. Even running Ad-Aware is a pain for most people. There's about 20 different options and if they click the wrong one they don't know what just happenned.

    • I've just come to accept that I'm a modern day car-mechanic.

      Most people have the samed glazed look when you try to talk to them about how riding the brakes leads to premature wear, why accellerating to 40mph between stop signs kills gas milage, why changing the oil is important, and the relative merit of heading blinking red lights on the instrument panel.

  • Business as usual (Score:2, Informative)

    by samberdoo (812366)
    *political rant* An administration that has lied so many times it doesn't even know the truth, doesn't need security. Seriously though most of the leading edge work on cyber security and detection is being done by the gov't or under gov't supervision.
  • Really, same old - does ANYONE (I exclude the obvious hardcore security concious techies out there from this, obviously) take cybersecurity seriously? Companies dont. Home users dont. Hell, there are even Sys Admins out there that think security is just disabling the FTP server!

    What I find odd though, is the differences in the way the media shows cybersecurity. Although it's been quite common in the media lately - movies (too numerous to bother counting - you know them anyway), news releases on viruses, phishing, etc. all have had (at least in Australia) an increase of media exposure in recent times. There's a lot of very serious attention out there to this issue, but it's not working!

    People see a movie that examines cybersecurity, which may be discussing a real issue in the same way every other mainstream movie does (ie. somewhat realistic... Willing suspension of disbelief and all that). What I don't understand though is that movies about other topics make people stop and look at the bigger issue being discussed. People watch a war movie and go "oh hay, war is bad/good/hell". People watch a horror flic and go "oh hay, i'm going to buy me an axe and board my doors up to keep those psychos out". People watch a "cybersecurity" movie (or even news) and go "hah, it'll never happen to me - I know everything about my computer!".

    Until we fix this problem, and get across to the public (and hence Governments) that this IS a major issue (and that it isn't going away), the problem is just going to get worse.

    I guess part of the problem is the fact that the topics are usually quite abstract. Often, you can't explain how or even WHY these things happen without getting into some fairly abstract details. What do you mean people can talk to my computer? But it's listening to multiple things at once? And some might be good? But why would they want to use my computer to talk to websites?

    AAAaaarrrrghhh....

    Regardless, something needs to be done, as this is an all to common event.

  • Granted, its not like I'm in a highly-influential government job, but I do work in Computer Security. As a low-level grunt with delusions of grandure, I can certainly understand the feelings of frustration, particularly when people don't do the right thing (i.e. what I tell them to). Maybe those of us in the trenches just have the clarity to realize that the job is hard, there are no quick fixes, and trying to convince people who bought their computer the same way they bought their toaster is a really, RE

  • Joe Average (Score:2, Insightful)

    by Anonymous Coward
    More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code.
    Which is probably just as indicative of Joe Average having a poor understanding of probability theory as of a failure to grasp cyber security issues
  • Well... (Score:3, Insightful)

    by jav1231 (539129) on Friday October 01, 2004 @03:15PM (#10407572)
    If a story were to come out that Amit say wanted to implement more DMCA-like restrictions on the Internet and was frustrated because the administration wouldn't let him we'd all have a different attitude. But since this guy quit the BUSH administration, he obviously was suffering in his job trying to do right by all Americans and was being squashed by the man. The fact that he gave effectively 1 day's notice points to a character problem. What's the over and under he starts popping up on talk shows and campaign stops with "a revealing look into the Bush administration" soon?
  • by Anonymous Coward on Friday October 01, 2004 @03:18PM (#10407609)
    The average Joe does want to learn. They're just under no obligation to think that the things you want them to learn are worth learning. My mom gets on my case left and right about how culturally ignorant I am--I've only heard Monteverdi's Vespers of the Virgin Mary once, and how is it that I can hate The Marriage of Figaro when I've only heard half of it? But I'm not oblivious because I don't like opera. I've prioritized. I've made sacrifices.

    The average person isn't apathetic or stupid.

    Instead, the average person is not you and probably doesn't want to be you.

    The average person cares a lot about things which affect their lives. Ask a farmer what he/she thinks about the latest pesticides, or if terracing has conserved as much soil as environmental proponents say. You'll get an easy hour of discussion out of a farmer that way. It'll bore you to freaking tears, but you'll get an easy hour of discussion out of a farmer that way.

    Ask a teacher what he/she thinks about No Child Left Behind. Ask an automotive engineer what he/she thinks about the disappearance of shade-tree mechanics.

    Kid, you are an elitist geek. The world's a much bigger and more interesting place than you give it credit for.

    Open your eyes. Open your eyes and enjoy the world as much as you can while you're young. Don't do what I did and spend the first 25 years as a pessimist before realizing how empty and useless pessimism is.

    I'm a cynic. A cynic is someone who's seen enough of humanity's beauty to be thoroughly convinced that it exists--and enough of humanity's ugliness to be thoroughly appalled at how rarely humanity's true beauty shows through.

    But take my word for it. The beauty exists, if you're willing to open your eyes. And the beauty will take your breath away.

    Have a nice life. Really. I mean that.
    • "The average person isn't apathetic or stupid."

      Look, they may not be stupid (in the dictionary sense of the word) but stupid is often used in place of ignorant. But they ARE apathetic. How else do you explain the low voter turnout? If 100% of the population was involved, even minimally, in voting or civics in general, this country would be a different place...

      "The average Joe does want to learn."

      Uhh, maybe. Some do, but many do not want to expend any effort to do so or learn anything that conflicts with
  • Zombies (Score:3, Insightful)

    by Jason Hildebrand (103827) on Friday October 01, 2004 @03:26PM (#10407694)
    "More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code."

    These are the people whose computers are being used to send spam [theregister.co.uk] while they sleep.

  • by JavaLord (680960) on Friday October 01, 2004 @03:29PM (#10407729) Journal
    This story says that consumers have a casual approach toward cybersecurity and fail to grasp the pervasiveness of online threats, according to a study released Thursday

    For all the money they probably pump into cybersecurity, can't they start a nationwide campaign to educate users?
  • by erroneus (253617) on Friday October 01, 2004 @03:53PM (#10407990) Homepage
    If my experience with the TSA and the DHS is any indication, then I'd have to say that this problem is not at all surprising.

    The people who are in those positions seem more interested in keeping things from changing and keeping their jobs. They want a government paycheck but they aren't interested in actually doing their jobs. The problem with that attitude is that since the DHS is so new, there is no "keeping things the same." It's about growth and forming an organization. It's amazingly ridiculous how things operate (or fail to operate) within the places I've been exposed to.
  • by Anonymous Coward on Friday October 01, 2004 @04:52PM (#10408607)
    Amit tried to do this right - he had some very good people and had a solid vision for what needed to be done to secure primarily the government networks. He is a very sharp person and his executive experience was a plus - he was not an empty suit or political appointee.

    Two key political issues:
    1) This office was expected to shift to the new intelligence chief that reports to the president as the recommendation from the 9/11 committee- new boss + new plan = waste of his first year
    as everything would start over...

    2) No clear authority in his position. As mentioned in the articles, he was too low in HS to get anything done in DC. Cybersecurity could recommend solutions, but could not force ANY of the government departments to coordinate systems / procedures / etc. and adopt best practice solutions. At this level of government, each fiefdom will do their own thing and the whole point of having a security chief is eliminated.
  • by scruffyMark (115082) on Friday October 01, 2004 @09:40PM (#10410601)
    It says I need to be more vigilant. Funny thing is, I'm employed in infosec. It's a pretty laughable survey - it pretty much assumes the worst, so the best you can do is slightly better than the worst.

    I guess the answers their scoring system didn't like were

    • I don't have antivirus software (when someone comes out with an OS X virus, maybe I'll think about it). Actually I lie - I just remembered I have clamav, although it's not integrated into the system - doesn't automatically do anything at all, I just use it to scan the odd "important message" email attachment. Ah well.
    • When I get unexpected attachments, I open them to see what they are. Of course, I don't double-click them; I run file, strings, maybe clamav, a text editor if it's written in a scripting language. What blows my mind is, people get infected by trojans that arrive as password protected zip files - I mean, even the malware is user-unfriendly and people still manage to get bit.
    • I use file sharing. I chose to interpret that liberally - I run sshd, and occasionally need to transfer files via sftp.
    • I don't disconnect the computer from the internet when I'm not using it - like I said, I run sshd.
    • I haven't made backups recently. I admit it, I'm a slacker in that regard.
    • I don't have the phone number of my cousin, the computer guru, next to the computer in case something weird happens. Right.
    • The security of my "Internet browser software" is not set to high - that one cracked me up. I mean, why pretend you don't mean IE? No other browser has that "low/medium/high" security interface.

Some people carve careers, others chisel them.

Working...