The Hysteria of the Cyber-Warriors 150
Posted
by
Soulskill
from the y2k-is-looking-more-reasonable-by-the-day dept.
from the y2k-is-looking-more-reasonable-by-the-day dept.
Willfro sends in a piece by Evgeny Morozov at the Boston Review about the hyperbole and the reality of "cyber war." Quoting:
"At the end of May, President Obama called cyber-security 'one of the most serious economic and national security challenges we face as a nation.' His words echo a flurry of gloomy think-tank reports. Unfortunately, these reports are usually richer in vivid metaphor — with fears of 'digital Pearl Harbors' and 'cyber-Katrinas' — than in factual foundation. So why is there so much concern about 'cyber-terrorism?' Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies — which need to justify their own existence — and cyber-security companies — which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts."
Ignorance Leads to Fear Leads to Profit (Score:5, Insightful)
Unfortunately, these reports are usually richer in vivid metaphor -- with fears of 'digital Pearl Harbors' and 'cyber-Katrinas' -- than in factual foundation. So why is there so much concern about 'cyber-terrorism?'
Because no one fully understands it. And not understanding something can easily lead to fear. And those standing to make money off that fear (journalists, contractors, agencies) are unashamed to exploit it.
... and that's easy to turn into fear when you're talking to the people who are in charge of protecting us from threats. And the potential mitigation techniques are another endless myriad of complex software/hardware. All I can say is that it is highly unlikely that a Live Free or Die Hard 'fire-sale' scenario will happen. I can't in good conscious tell you it's impossible. I can tell you that the probability of it happening within a year would most certainly be dealt with in multi-digit negative powers of ten. Then there's the possibility of lesser attacks which are highly probable but I feel that the cost-risk ratio is all messed up. Again, I believe this is due to ignorance.
I'm a computer scientist and I don't even understand or know about every potential vulnerability. It's simply too complex
You get into a weird sort of emperors-new-clothes kind of situation when the only people who understand your problems are also the ones trying to sell you a solution. And they're just not being openly honest nor realistic with you.
Think of the children, goddamnit! (Score:2, Insightful)
Uh, seriously? Journalists and other people with something to gain from it take a sensationalist view point and run with it?
Holy crap, really? They do that? Huh.
Oh well. /eats some Cheetos. What's on the tube?
Are you kidding? (Score:5, Insightful)
Its kind of a big deal when the U.S. military can't keep its data secure.
Like when plans for the JSF fighter were taken.
http://www.cnn.com/2009/US/04/21/pentagon.hacked/index.html [cnn.com]
I don't have time to Google it all, but it has been a pretty regular stream of "Pentagon loses data/gets hacked" and "US military data found on Chinese file sharing sites" etc. etc. etc.
And in an era where more and more of our bombs are dropped by computer-controlled drones....
Yeah, its kind of a big fucking deal. IMHO..
Fear == Revenue (Score:2, Insightful)
If country A were to take down country B internet connection then country A wouldn't be able to spy on country B or even get sensative info. I honestly don't think it's a big of a problem as they make it out to be.
Most of it's just hollywood and bad publishing, but the main idea behind all this is revenue.
The gov get's more spending, the site/paper that publishes the story gets more notice, and the list could go on forever. The truth of the fact is if people knew the facts then no one would beable to sell "protection" software and computer movies would have to make sense.
Elevating a simple scenario to a movement (Score:3, Insightful)
b. Turn off your phone.
c. Turn off your TV.
d. Take that $20 bill in your wallet (better yet in a different society, you wouldn't need money)
e. Go buy a slice of pizza. Enjoy the outside environment.
.
. See that wasn't so hard.
That what would likely happen in a cyber attack. It's more like a 'snow' day in DC. Of course, if a physical Pearl Harbor, 9/11 or Katrina happened, you would NOT be able to do the above. As for money: if major bank computer systems gets wiped for instance, as long as 'someone' has an audit of recent account info and transactions, you'll be taken care of to some extent. Sure you may lose money, but life isn't going to end.
.
Therefore, this is exploiting technology for the purpose of generating 'progress'. A. That's a politician's job (to look useful in keeping your "well being" SAFE) and B. that's a skill where gov't excels (exploitation).
concern over cyberterrorism (Score:3, Insightful)
In the face of meatspace terrorism, meatspace liberties can be curtailed. That's why there's "concern" over cyberterrorism. Because the internet is not healthy for the establishment. It can spread both truth and propaganda, but currently, it tends too much toward truth for the establishment. If that sounds crazy to you (nothing on the internet but lies and pr0n!) then you haven't looked around.
FTA:
Yes, this same thing keeps happening, where a (possibly) real world problem is used to justify a curtailing of freedom, consolidation of power, and serving various agendas of people in power at the time. A cynic might say it's planned, but we're not cynical, are we?
I suggest we give it a name. Let's call it Problem-Reaction-Solution.
Re:Ignorance Leads to Fear Leads to Profit (Score:3, Insightful)
I agree and I would add the simple fact of life that politicians love to BS and love to be seen as though they are "with it", whatever "it" happens to be at the time. Same thing over here in the UK, all the policticians are using the prefix "cyber" on every bloody thing they can, without really thinking about it. Old gits, with about 5 years of working life left, before they bugger off to some highly paid consultant job, bandying "cyber" about like so much confetti. Just to make it seem like they understand this wonderful tech, which they love trying to take credit for putting in place!
Like most politics, all smoke and mirrors. Make the public think they getting something they asked for, make it seem like the gov is in control, while they have no more clue about the state of things than the local knitting circle!
Re:Ignorance Leads to Fear Leads to Profit (Score:5, Insightful)
Not to mention that in the process of securing against the "cyber-terrorism" bogeyman [slashdot.org], an big added benefit for ruling elites will be removing net anonymity and related speech in the name of national security, bringing all those blogs and uncontrollable information channels under heel in a more hierarchical system - or at least more accountable to an "authorized views", type system - ("Take down that anti-war protest site and uncensored video footage - preempt information warfare against our war, sir") and of course, only authorized p2p channels and protocols allowed in this future we are manufacturing, thanks.
Re:No governance required. (Score:3, Insightful)
No "cyberwarriors needed", first round (Score:5, Insightful)
Look, for the first round of clean up no "cyberwarriors" are needed. We just had yet another article about how single city, for a single Windows worm, lost millions due to clean up. In that case it lost over $2.5 million [slashdot.org], including rewarding the designers of the security flaws to the tune of $1 million. Knocking down a water tower would probably cost less to repair. So why are not the defense and law enforcement agencies stepping in here?
It's not a nameless or faceless "terrorist" group that is costing our businesses, shutting down our infrastructure, tangling our air traffic control, our power grid, or our hospitals. The people promoting Windows and Microsoft technologies have real names and faces and walk among us every day. Take them out and we've won the first round. It could be as simple as organizing a large scale round up under the RICO Act [cornell.edu].
From there we can go on to hardening the net with IPv6 and dealing with the usual intelligence / counter-intelligence activities. But the first step, before we can stop the economic bleeding [bastiat.org] is to deal with the cause of the problem: the people who promote and profit from known defective technology.
Re:Ignorance Leads to Fear Leads to Profit (Score:4, Insightful)
"I'm a computer scientist and I don't even understand or know about every potential vulnerability. It's simply too complex"
And yet you're claiming that "the probability of it happening within a year would most certainly be dealt with in multi-digit negative powers of ten."
Not sure where you're getting your confidence from. You've basically just said that these complex systems are extremely vulnerable. Meaning, even you can't be clear to what extent these vulnerabilities can be used to cause damage.
Re:Are you kidding? (Score:5, Insightful)
Yeah, but it's not cyber-"terrorism;" nothing is going to blow up. It's just espionage.
Plus, I've got to wonder how much of this is truly "hackers" from the outside, and how much is just the result of employees taking data with them -- whether they're just being sloppy, or actually malicious (e.g., ethnic Chinese with misplaced loyalties (god do I hate nationalism)).
Whatever the case, without disclosure for each "incident" of what actually happened in technical terms, we the public will never understand what's going on at any level besides "OMG HACKERS" -- which can mean anything.
A little bit of non-commercial input (Score:3, Insightful)
I'm in security research, but none of you will be potential customers (trust me, you won't), so I needn't lie to you: It's hopeless, but not serious.
The problem is not insecure applications. It's not the stealthy superhacker from China. It's not the RBN (ok, it is, but they couldn't do jack without the original culprit). The biggest problem in IT security and internet security is (drumroll please) the user. And his inability and unwillingness to take responsibility for his crate.
There are security holes, granted. They are not the main source of malware, though. I do assume here that the average /. reader knows a bit more about his machine than "push this button to turn on, when a window opens that you don't know, panic". Likewise, a lot of you say they have no AV suit installed and never had troubles with malware. I believe you. You're probably not into dancing pigs and if you are, you don't let any arbitrary webpage gain root access to show those pigs dancing.
A lot of users do. And thus get infected. And thus become a security problem.
Governments will create a lot of laws concerning the problem, without one that actually addresses the problem: Making the user responsible for his security. I don't mean "get infected, get your pants sued off". I mean that you are required to take reasonable (!) means and surf safely, that includes not clicking on every friggin' crap you run into, that includes not opening every goddamn spam mail and run the infector. This would require educated users, and education has always been the mortal enemy of surveillance and monitoring, so we won't see any of this anytime soon. So it's hopeless.
On the other hand, the infections we face currently (which may change, but so far didn't) don't even come close to enabling anyone to cause a global network meltdown. It is a nuisance (because of spam, page infections and so on), attacks may take out certain parts of the net, but there's no global threat. So it's not serious.
Re:The post-nuclear war threat (Score:4, Insightful)
The U.S. no longer has to worry about nuclear war? Probably. However, those nice N. Koreans are about as well adjusted as a squirrel after his third cup of coffee. Want to bet that even knowing full well they'd get annihilated, they wouldn't lob one in our direction if they started something they couldn't win? How about Al Qaeda and those gentle Islamic fanatics. Care to guess what they'd do with one of Pakistan's nukes if they were to, I don't know, maybe get one slipped to them as long as no they didn't ask questions?
Yes, DoD is expensive, losing a war is vastly more expensive. Let's talk some numbers, shall we. The U.S. DoD recurring budget (forgetting about Iraq and Afghanistan) is roughly $600 Billion/yr. Our recurring budget deficit is over $1 trillion. So even halving DoD's budget won't put us in the money. That doesn't count the Me Generation demanding their slice when they start retiring because there's nothing worse than a Baby Boomer who isn't made to feel the center of attention. Deficits from those nutjobs are well north of several trillion.
So no, there's isn't plenty of money to go around. Also, before you hop on the disarmament wagon train, you might want to consider that other countries reactions to the loss of the U.S. nuclear umbrella are probably not what you'd like them to be. First off, if Iran goes nuclear and the U.S. isn't around to back up the Arabs that hate us, the Arabs will want theirs too...of course they could rely on the Europeans...bwahahaahahaha...seriously, no one relies on those jokers. Hell, the U.S. is allied with them and knows better than to rely on them. Then there's the Asian countries who dearly love their Chinese brothers...as long as the their Chinese brothers don't have designs on their land, raw materials, etc...which they do. They will likely demand a nuclear counterpoint to China, Japan will find their pacifist notions are mere indulgences they can ill afford with China pushing them around, not to mention those nice well-adjusted N. Koreans.
Re:Are you kidding? (Score:3, Insightful)
Maybe, maybe not. When the Chinese missile hits the F22 because they have the specs for our anti-missile countermeasures, something blows up. When the Iranians take control of a predator drone with full armament and turn it against our bases in Iraq, something blows up. When the Russians hack into NORAD, something blows up. Etcetera..
Granted these things haven't happened yet. But its not idle hand-wringing to think that they might. And its not a waste of time to secure our networks.
Re:No "cyberwarriors needed", first round (Score:4, Insightful)
Re:Are you kidding? (Score:3, Insightful)
This is why I think that true security lies not in keeping people from obtaining information, but from setting things up so that it is irrelevant if people obtain that information.
Consider the situation where someone knows all the internal workings of, say, the JSF, but it's designed in such a way that that knowledge would not allow someone to prevent the use of the JSF.
Or consider "identity theft": what if it didn't matter if someone stole your "identity" because there was nothing they could do with it anyway? (Now, in that case, the tradeoff would likely be some loss of convenience.)
So I'll say it again: true security is knowing that you're safe* even when people get to places where you normally wouldn't want them.
*Of course, the definition of "safe" is fairly tricky in this instance. I would probably define "safe" as something along the lines of "suffering no direct immediate or prolonged-exposure-based physical harm."
Re:Are you kidding? (Score:4, Insightful)
Everybody, governments, companies, content creators, privacy advocates, have the same problem: digital information is cheap to disseminate.
If somebody breaks into a library of secret documents, there's a limit to how many copies they can make and take out. Even if they were to scan and store every page in every folder in every cabinet, it's still extremely time-consuming.
If somebody breaks into a computer full of secret documents, it takes seconds, maybe minutes, to copy the whole thing. And, the person doesn't have to be physically located by the computer. The person could be halfway around the world, or just right next door but seem halfway around the world.
What it amounts to is that secret-keeping is becoming more and more difficult. Actually, this isn't true. The difficulty of secret-keeping hasn't changed. But society desires convenience. And little do people know, these two concepts are mutually exclusive.
Furthermore, while convenience is individual, keeping secrets is communal. "Secret" is a term that only has meaning within the context of systems, i.e. only people inside the system know the secret, while people outside the system do not know. The problem is when one individual wants convenience and compromises secrecy for it, then the secret is effectively compromised.
Everybody just wants to have their cake and eat it too. That kind of logical impossibility will not happen, no matter how much we might desire it.
Re:Ignorance Leads to Fear Leads to Profit (Score:3, Insightful)
Sold "as-is" (Score:3, Insightful)
MS is not the one perpetuating the attacks, or causing the damage...
Re-read the post: those who promote and profit from known defective technology are at fault. That spreads out the blame to include all those Certified Gold Partners and M$ monkeys who go around posing as IT experts. In fact, the licensing partially takes M$ off the hook by stating that it is made available "as-is" and without claims to suitability for any particular task. They know their products can't cut it.
The fault also lies on all those Certified Gold Partners and M$ monkeys who go around posing as IT experts who end up promoting M$ products in place of suitable technologies. In some ways, more of the fault is on them because of the licensing. It is these "experts" that were supposed to choose between competing technologies and choose safe, low-maintenance, low-cost options to boost productivity. What happens then once they start knowingly and consitently doing the opposite [sciencebase.com]?
Look at melamine. It's safe and legal to make, distribute and put into product. Melamine is not safe or legal in food [sciencebase.com]. M$ products might be fine for some home gaming, if one has thousands to put into good hardware and is willing to do just about anything to avoid getting a real gaming console. However, replacing working, mission critical systems with ones known not to work does call into question what kind of legal action needs to be taken against the actors.
Willful negligence, gross negligence and criminal mischief -- if the deeds are with physical product, versus "oops, sorry, nuttinwecuddadonaboddit" for software? Oh, come on and join the 21st century. The "with a computer" clause doesn't magically absolve people of criminal wrong doing.
Re:Ignorance Leads to Fear Leads to Profit (Score:3, Insightful)
Most everyone depends upon the network and computer infrastructure of our world to meet their basic, day-to-day needs.
Really? I personally don't. Can you cite examples? Most of the systems that I rely on predate the computer and network infrastructure by decades. I have enough food and water around the house to last a week of normal consumption (i.e. without rationing). I'm pretty sure that I don't need a computer for my toilet to flush (I'll admit I could be wrong about that). Other than that, I rely on roads, but I don't *need* the traffic signals to work. Power is a nice to have, but again not required. what else? TV? slashdot? reddit? the IRS? the military? I'm pretty sure I can manage for quite a while without any of those.