Cybersecurity Chief Resigns 367
Doc Ruby writes "AP is reporting that 'The government's cybersecurity chief has abruptly resigned after one year with the Department of Homeland Security, confiding to industry colleagues his frustration over what he considers a lack of attention paid to computer security issues within the agency. Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single's day notice of his intentions to leave.' Yoran is the third cybersecurity chief in a row, after Richard Clarke and Howard Schmidt, to quit the Bush administration citing organizational inability to do his job. Maybe the job can't be done." In a possibly related story, individuals take cybersecurity lightly: Ant writes "This story says that consumers have a casual approach toward cybersecurity and fail to grasp the pervasiveness of online threats, according to a study released Thursday. More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code."
Re:I just don't believe it! (Score:5, Informative)
On a semi-related note, we're the ones who need to convince people of this. Most people I know are amazed when I tell them what the keyloggers and such do, and show them what just Ad-Aware will come up with. One of my friends (an older lady) actually bought a book on my recommendation because she wants to know what's going on on her computer, and learn more about even basic security.
It takes time, but it's a grassroots movement
Re:I just don't believe it! (Score:4, Informative)
Wouldn't that be called a "statistically insignificant" sample set?
Re:"an organizational inability to do his job" (Score:3, Informative)
Or perhaps he felt that there are a lot of issues to be concerned about, but nobody in the administration wanted to consider them. Maybe it's the same thing. If I recall, that was essentially Richard Clarke's beef. According to Clarke, he kept telling the administration that this terrorism stuff was serious, but his superiors didn't want to hear it, didn't want to have to do anything about it.
Business as usual (Score:2, Informative)
Re:I AM more likely to be struck by lightning (Score:5, Informative)
I wouldn't be so sure about that. This [noaa.gov] report says that the US has lightning injuries+fatalities of around 500 per year. That means the average person gets hit by lightning about once every 600,000 years.
The odds that somebody is going to develop a blockbuster zero-day exploit are much higher than that. For example, what if some person or organization discovers something like new flaws in both Cisco routers and the standard JPEG rendering .DLL or .so? And instead of posting it to security mailing lists, they write effective exploits to hijack the routers to serve up infected JPEGs?
Most of the computers on the Internet could be compromised within minutes just by ordinary browsing. No amount of patching, firewalls or care on the part of the user would prevent the attack. That is just one scenario; it's not hard to think up countless variations. It may be unlikely that this will happen in any given year, but I doubt that it would be as rare as once every 600K years.
Re:Good. (Score:1, Informative)
Since when has the markets ever been "free"?
Monopolies are against free market. Cartels are against free market. Centralization of power to the hands of the few big companies is against free market, since those companies can use their scale to work against any competition, thus destroying the so-called "free market".
The free markets existed maybe in the 1800s, if even then.
Re:Intractable Problem? (Score:2, Informative)
What failures? Does Automatic Updates from Windows not work? It works seamlessly on all of our machines. Or, you can use SUS [microsoft.com]. Can you not get that to work either?
He did try for a year... (Score:5, Informative)
Two key political issues:
1) This office was expected to shift to the new intelligence chief that reports to the president as the recommendation from the 9/11 committee- new boss + new plan = waste of his first year
as everything would start over...
2) No clear authority in his position. As mentioned in the articles, he was too low in HS to get anything done in DC. Cybersecurity could recommend solutions, but could not force ANY of the government departments to coordinate systems / procedures / etc. and adopt best practice solutions. At this level of government, each fiefdom will do their own thing and the whole point of having a security chief is eliminated.
Re:no Digital Pearl Harbors (Score:1, Informative)
They did look seriously at compounding attacks via the use of ambulances loaded with explosives after initial attacks. Further Al Qaeda will have more and more people with technological skills if only because they are looking for smart educated people who they can persuade to their cause. Finally if we believe the administration (and really is there any reason not to) Al Qaeda/Islamic Jihad uses everything from email, steno encryption to sat phones. Computers obviously come into play if only for the vast sums of money that they need to track.
"Isn't this the same crowd, though, that blasts Tom Ridge for vague "we have evidence that terrorists will try to attack us some time in the next two years, so be alert" warnings?"
Yup but forgetting about the nations digital back orifice and the people who unlike Ridge are not trumpetting threats but just doing their jobs is no way to handle the situation either.
When Ridge gets up there and people rationally consider the present scary senario presented to them, people generally see a man cover this admistrations behind. The information is often outdatted (recent scare over attacks on New York based on what at best two - three year old data) or it goes against the way Americans live their lives (you can use duct tape and plastic sheeting to almost come close to the same protections as this administration's hermetically sealed in their views.) Don't get me started on the self serving and purely political colour coated system of paranoia which at its highest levels can suspend elections, declare martial law, and the congress can't say boo about it for months.
organizational inability (Score:1, Informative)
As somebody who has worked for the
Re:I just don't believe it! (Score:3, Informative)
Just about every week, to some person or another! I explain clearly and persistently the nature of the problem, what is at stake, the vectors by which computers become infected, and the clear, precise steps required to prevent it. I provide references, and even drag them kicking and screaming, to articles by reputable agencies and media outlets, describing the severity and danger of endemic computer infections.
I recommend a few simple steps for average Windows users:
1) Install some antivirus software or other. (I don't use it myself but I figure it's valuable for people who aren't quite as vigilant about prevention.)
2) Boot in safe mode then run ad-aware.
3) Update system with current security patches.
4) Install ZoneAlarm and learn to use it properly, or at least a home NAT gateway/router.
5) Never use IE for any reason. Download free and vastly superior Mozilla/Firebird.
6) Never use Outlook [Express]. Use Mozilla/Thunderbird or *anything* else!
7) Don't open executable/scriptable attachments (e.g. MS Office,
People start to get kind of hesitant at step 4, then they always freak out and get really defensive once we reach steps 5 through 7. I don't understand this undying devotion people have to IE / Outlook, despite all the evidence in the world that those two products account for 90% of the problems on the average computer. It's like you offer than a new car that gets 1000 MPG, removes greenhouse gases from the atmosphere and never requires any maintenance, but they still insist to the death on driving their rusty old Microsoft Jalopy that gets 8 MPG, can't go over 22 MPH, fills the passenger compartment with noxious fumes and catches on fire at least twice a day.
Once in a while someone listens, perhaps combatively at first, but then gets religion and goes out to spread the gospel. A couple weeks ago one of my coworkers spent a half hour arguing that I was being terribly unfair and unrealistic, expecting him and other average users not to pass around word documents and "funny bouncy ball"
Anyway, spread the word; more and more people will come around in time.