Hacker Jeff Moss Sworn Into Homeland Security Advisory Council
Wolfgang Kandek writes "Hacker Jeff Moss, founder of computer security conferences DEFCON and Black Hat, has been sworn in as one of the new members of the Homeland Security Advisory Council (HSAC) of the DHS. Moss, who goes by the handle 'the Dark Tangent' says he was surprised to be asked to join the council and that he was nominated to bring an 'outside perspective' to its meetings. He said, 'I know there is a new-found emphasis on cybersecurity, and they're looking to diversify the members and to have alternative viewpoints. I think they needed a skeptical outsider's view because that has been missing.'"
DC = suits = Borg (Score:5, Insightful)
Good for the council (Score:3, Insightful)
Good luck with that, Jeff (Score:5, Insightful)
Re:More change for the US (Score:4, Insightful)
Well, if you stop looking at it as an insult to your team, and more as nothing more than a joke, it was pretty funny. I voted for Obama, and I still thought it was funny as shit.
But ... let's be realistic here, the jury is still out on intelligent and competent, I've seen nothing in particular so far to make me believe he is truly any different. It's practically impossible to tell this early on how it's going to play out, you really don't know his agenda yet, just what you're supposed to think it is.
Re:DC = suits = Borg (Score:3, Insightful)
Re:Maybe Jeff can explain this (Score:3, Insightful)
The password is not encrypted, it is cryptographically hashed (encryption is two-way, hashing is one-way). A hash function transforms an arbitrary-length input into a fixed-length output, so there is no inverse function in the mathematical sense: a single hash value has an infinite number of inputs corresponding to it. Finding a value that produces a given hash is extremely hard: a good hash function will not have any way of computing such a value more effective than brute force (e.g. you try all possible inputs until one of them gives you the hash you're looking for).
As for reversing the algorithm: in essence, the generation of the password hash always uses a stateful generator, and this state is not preserved in the hash. When trying to reverse the hash, you must know not only the hash but also the state of the generator at the end of the algorithm, otherwise backtracking to the initial state of the generator defined in the hash function definition can take more than the age of the universe, even if you used all the computing power on earth to break this single password. Another mathematical idea that is frequently used is that if you have two very large prime numbers x and y, you can quickly compute their product z, but you can't easily find x and y if you only have z. Unless you have a quantum computer, which doesn't exist yet.
Real world analogy: it's nearly impossible to find two persons with the same fingerprints, but the fingerprints themselves don't contain any information about the name of the person. If you have a fingerprint and a person, you can easily identify if the fingerprint belongs to the person, but if you only have the fingerprint, you need to check the fingerprints of all people to find a person that has the same fingerprint.
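The one-way property and the fingerprint analogy in the comment above, shown as working code. This is an added example, not part of the original post: it stores a password as a salted PBKDF2-HMAC-SHA256 digest, verifies a candidate the way a login check would (you can confirm a guess against the stored value, but the stored value does not give the password back), and counts how many guesses a constructed candidate list costs, since each guess costs a full recomputation. The function names, the iteration count and the sample passwords are all constructed for this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed parameters for this example (not from the original post).
# PBKDF2-HMAC-SHA256 with a per-password random salt and a fixed work factor.
ITERATIONS = 100_000
SALT_BYTES = 16
DIGEST_BYTES = 32  # SHA-256 output length


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest.

    A fresh random salt is drawn unless one is supplied; passing a fixed salt
    is only useful for reproducible tests. The salt means two users with the
    same password get different stored values, so a precomputed table of
    hashes is useless against this store.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def verify_password(candidate: str, stored: bytes) -> bool:
    """The 'fingerprint and a person' check from the post.

    Recompute the digest of the candidate with the stored salt and compare in
    constant time. Nothing here reverses the digest; it only confirms or
    rejects a candidate we already have.
    """
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(recomputed, digest)


def guesses_needed(stored: bytes, candidates: List[str]) -> Optional[int]:
    """The 'check the fingerprints of all people' side of the analogy.

    Count how many candidates had to be hashed before one matched, or None if
    the list is exhausted. There is no shortcut: every candidate costs a full
    PBKDF2 computation, which is why the iteration count is the defender's
    lever against guessing.
    """
    for n, candidate in enumerate(candidates, start=1):
        if verify_password(candidate, stored):
            return n
    return None


if __name__ == "__main__":
    # Constructed sample data.
    stored = hash_password("correct horse battery staple")
    print("stored value (hex):", stored.hex())
    print("right password accepted:", verify_password("correct horse battery staple", stored))
    print("wrong password accepted:", verify_password("Correct horse battery staple", stored))
    print("guesses over a small list:",
          guesses_needed(stored, ["password", "letmein", "correct horse battery staple"]))
```

The stored value reveals nothing about the password on its own; the only way to learn it is to hash candidates and compare, and the work factor sets the price of each candidate. The same structure is what a real credential store should look like, with a memory-hard function such as scrypt or Argon2 preferred over PBKDF2 where available.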
Re:More change for the US (Score:5, Insightful)
Not quite (Score:5, Insightful)
Re:DC = suits = Borg (Score:3, Insightful)
Give me a break. It's another talented, unethical scumbag joining up with the even bigger scumbags in government so that they can fuck us over more efficiently. Immunity and privilege for him, surveillance for the rest of us.
Re:Not quite (Score:3, Insightful)
The name of the House Committee escapes me, but they do yearly reports on computer security and gov't agencies regularly get Ds (up from their previous Fs).
The big question is what do these grades really mean? Do they really provide any true indication as to how effective the Government is at securing their systems? Is a 'D' all that much better than an 'F'? And what does it mean if an organization manages a 'B' (mine did)?
But at the same time, I get a feeling that it sort of does give an impression as to where things are. A 'D' just isn't all that great. But it is better than an 'F'.
My little nook of the Fed world improved over the years. Infosec took on new meaning when the top of the Fed hierarchy started throwing around requirements and putting on their serious face. I would imagine things ARE getting better all in all. It's just darned hard to tell how much better.
http://csrc.nist.gov/groups/SMA/fisma/index.html [nist.gov] demonstrate its compliance with the security requirements as opposed to how well the requirements are actually implemented.
NIST Special Publication 800-53 is what I had in mind. It's generated a ton of work for contractors to bring in auditors. And in my (limited) experience, it's a great opportunity for someone with no infosec background to "get in to security" as auditors are simply required to follow the documentation. Said documentation can be turned on its ear by a sufficiently adept bureaucrat in some cases (and avoided if your auditor isn't too technical in others). But despite my cynicism... it's something. There ARE some good practices in that document. And NIST has put out some nice automated scripts to help hash it all out (best keep an eye on what it's doing though). So it's not ALL bad. Just not great.