Security

Schmidt Predicts Digital Sky Is Falling 583

Danse writes "Former Microsoft security chief Howard Schmidt now works for the government as the vice chairman of the Critical Infrastructure Protection Board. According to this article on Security Focus, he has been touring the country, proclaiming the dangers of "zero-day viruses" and "affinity worms" that will create the kind of havoc that nothing else short of a nuclear exchange could cause. "Traffic lights, pacemakers, appliances -- all subject to outages and interruptions because in the future they're controlled via Internet, declares Schmidt. The power grid could fail catastrophically by 2005!" How do you argue with this kind of rhetoric, especially when it's being spread directly by government officials to corporate leaders?"
  • There's no hope. (Score:3, Insightful)

    by acceleriter ( 231439 ) on Tuesday July 23, 2002 @09:35AM (#3937007)
    Grab your current machines, stock up on new motherboards, CDRW's, DVD-R's, emulators, and crypto tools while you still can.

    The fact that we have the DMCA, that freedom is being eroded in the face of national ID cards and the loss of anonymity on the net indicates that the sky is falling.

    • by T1girl ( 213375 ) on Tuesday July 23, 2002 @09:43AM (#3937074) Homepage
      I'm sorry now that I ate all the peanut butter and drank the wine that I was saving for Y2K. I think I still have some of the crackers and canned beef stew, though.
  • Don't panic (Score:2, Funny)

    by af_robot ( 553885 )
    I think he just watched "Hackers" for the first time
  • But.. (Score:4, Insightful)

    by iONiUM ( 530420 ) on Tuesday July 23, 2002 @09:38AM (#3937032) Journal
    Traffic lights, pacemakers, appliances -- all subject to outages and interruptions because in the future they're controlled via Internet

    Why would these things be controlled via the internet? We already segregate certain high security systems from the internet to avoid even the chance of them being "hacked". I don't think a pacemaker would -EVER- be hooked up to the internet -- not only is there no point, but it's just extra risk for something to go wrong.

    On the note about how to stop the rhetoric, it's simple. We need people who are educated in technology to report to the government with the TRUTH, not these fictional facts being spread to merely cause a slight fear which will (in all likelihood) raise the sales in the technology industry to "buy more secure products".
    • by SimplyCosmic ( 15296 ) on Tuesday July 23, 2002 @09:41AM (#3937067) Homepage
      Don't you remember that old television series Automan [tvtome.com]?

      Between shows like that, in which a computer program given life could control any electrical device, and all the poorly done "hax0r" characters on film and television, why would you expect people NOT to believe things like this?

    • Re:But.. (Score:4, Interesting)

      by Maeryk ( 87865 ) on Tuesday July 23, 2002 @09:57AM (#3937198) Journal
      Why would these things be controlled via the internet? We already segregate certain high security systems from the internet to avoid even the chance of them being "hacked". I don't think a pacemaker would -EVER- be hooked up to the internet -- not only is there no point, but it's just extra risk for something to go wrong.

      Because idiot sheeples want bigger faster better. They want their refrigerator to be able to print out a list of groceries it needs on their computer. They want to be able to put a recipe into their laptop, and using wireless, have it pre-program the stove and microwave, and have the refrigerator and pantry tell them what they need to buy to make it happen. Because clever marketing has convinced people that "can you hear me now? good" means you SHOULD be hauling a freakin digital phone with a billion free any time minutes a month around the grand canyon or your favorite cavern and annoying me.

      Because people will BUY it if they think it is glitzy and new and makes them all hep and stuff. Maybe not many people, but people *will* buy. Look at cars! They now have more freakin features than anyone ever needed, but boy do they want them!

      Figure out what people would have said about PDA's and cell phones thirty years ago had someone suggested they would exist. "Thats ridiculous..why would anyone EVER want that? I have my phone in the house, and I have my day-timer! Why carry around something that needs batteries?"

      Granted.. I'm as guilty as the next guy.. I gave my son a laptop to learn on when he turned six.. because I wanted him to have the edge as he grows up and be experienced and not afraid of computers.. but I think I may have done him a grave disservice, introducing electronics-as-necessity to him that young in life. (How many 9 year olds do you know who, on the phone with their friends, say "Hang on.. I'll shut down the laptop and be right over?")

      Things will get hooked to the internet and to each other that never should be.. in the name of "convenience" and "cause it's neat".

      Maeryk
      • Those are all different, though: your fridge could have sensors which detect all the things in it by RF tags to tell you what it needs, but the computer problem still wouldn't affect the cooling system, which doesn't have any reason to be connected.

        Traffic lights and pacemakers don't need anything except clocks and sensors. You wouldn't want to make a larger-scale system, because that would be too hard to program-- it would be very difficult to avoid messing up the system even without attackers.
        • Re:But.. (Score:3, Insightful)

          by Maeryk ( 87865 )
          Those are all different, though: your fridge could have sensors which detect all the things in it by RF tags to tell you what it needs, but the computer problem still wouldn't affect the cooling system, which doesn't have any reason to be connected.

          Actually, I remember reading a writeup somewhere.. (might even have been here) but I have no clue where to start searching or under what.. about fridges that, using bluetooth, could self-diagnose and call the service guy FOR you. Say if the compressor started running hot, or if the temperature started fluctuating wildly.

          Again.. I don't necessarily think it would catch on big at first, but you *know* how corporations have a habit of ramming stuff down your throat simply because they make it the only thing available. (Buy a carbureted car.. go ahead.. they are easier for you to work on, and have far fewer sensors in them.. but can you get one? There are next to none produced).

          I don't want a cell phone that gets web pages, gets email, plays games, sings songs, or allows me to control my television. I want a cell phone that lasts more than two hours on a damn battery. Funny, I can't find one that doesn't do all the useless crap anymore, but I *SURE* can't find one that lives up to even its manufacturer's claims on power consumption.

          What scares me is they start putting this stuff in, whether we like it or not. And who is to say your fridge doesn't broadcast a signal to roving trucks with service people in them? That may sound a bit on the edge, but it's possible. And anywhere that type of thing is a "convenience" it could also be abused.

          Bigger and Faster is not *always* better. Give me a simpler time.. when if the power went out, people didn't lose their minds.. they simply lit candles and played cards for an hour or two. Or when people kept buckets of water around during storms so they could flush toilets. That I could understand. Technology is *SO* freakin ingrained into our lives these days that without electricity, the world grinds to a freaking halt rather suddenly. And it shouldn't have to. People did fine without it for 2000 or more years.

          Maeryk

      • but I think I may have done him a grave disservice, introducing electronics-as-necessity to him that young in life. (How many 9 year olds do you know who, on the phone with their friends, say "Hang on.. I'll shut down the laptop and be right over?"

        No, actually, you have done him a service. It's better that he's used to it than become a technophobe. Honestly though, I'm impressed that he'll say "Let me shut down my laptop, I'll be right over," instead of "Let me boot up Quake III. Head over to the server at 192.168.25.65. I'll be there in a minute."

        Human interaction has gone down the thresher. One of my closest friends does almost nothing other than work and play EverQuest. I rarely see him anymore. I'll ask him "Mark, I tried to get ahold of you? Where you been this weekend?" and he'll say "Oh, I was around, but I was playing EQ all weekend." He actually does mean ~12+ hours/day.

        *sigh* Where have we gone, and what have we become.
      • by SuperKendall ( 25149 ) on Tuesday July 23, 2002 @11:02AM (#3937681)
        Oh really? "Sheeple" want fridges that print out grocery lists? Funny, I don't remember any of the "Sheeple" I've talked to wanting those things. Where did I hear about stuff like that... oh yeah, it was here on /.!! Seems like either Microsoft or people here would want stuff like that, but people who are happy watching a 20" TV with mono sound are unlikely to want such things.

        • The biggest technical revolutions are not in things that people think they need, they are when one (or a few) smart people come up with things people need and build it. People didn't need a machine that talks until Edison invented one, and now everyone has some descendant of his record player. (Probably the only original invention of Edison!)

          I agree that my kitchen doesn't need to print my grocery list. However my kitchen should keep track of what I have in it. When I see a sale on juice, it should inform me that I bought a lot of juice at the last sale, and half of it is still left. Then two aisles over it should remind me that I'm low on flour as I pass by.

          I have no problem making a list of things I need, but I often pass the store and want to combine trips (saves gas and time) as long as I'm nearby, even though I don't have a list.

          How my kitchen can inform me of all this when I'm at the store is a different question. Wireless is getting someplace though, and will probably be available long before my kitchen can sense what I have in it.

      • Bad examples (Score:3, Insightful)

        by PatientZero ( 25929 )
        Figure out what people would have said about PDA's and cell phones thirty years ago had someone suggested they would exist. "Thats ridiculous..why would anyone EVER want that? I have my phone in the house, and I have my day-timer! Why carry around something that needs batteries?"

        While I'm the first person to acknowledge that marketing pushes a lot of products on people that they don't really want or need, both of your examples here fail.

        Day-timers are great for people that have 50 contacts and 5 items on their todo list. My mom used to carry around one of the 5x8 ones that was quite full. It didn't even fit in her purse, so it was very inconvenient. I kept demonstrating my PDA to her, that it was indeed easier to use than the laptop she used at the office, etc. Finally she lost her day-timer and freaked out. There was no way she was going to recall all the appointments she had made over the coming weeks and months. Luckily, she had only left it at an associate's office who called her the next day. She immediately switched to a PDA and within a month was able to use it far more efficiently than the day-timer. If she loses that, it's all on her laptop at work.

        As for cell phones, I'm quite happy with mine. As long as you don't go nuts and start thinking that just cause it's ringing you have to answer it, you'll be okay. I turn it off when I don't want to be interrupted, and I put it on vibrate when I carry it so no one else is ever bothered by it. Two recent examples of being useful. Saturday we were driving to a friend's party an hour away. The driver had written the directions incorrectly, so I called my friend on the highway to get the right junction. Then Sunday a friend called while I was shopping to see if I wanted to head to another friend's house for the day -- he was just leaving home and could pick me up on the way. That's convenience and new opportunities that I'm glad to have.

        That one idea for a new gadget (internet-enabled pacemakers) sounds like a bad idea doesn't mean they all are. If you could work out the security issues completely, network-enabled traffic signals could be very useful. Imagine an ambulance leaves the station in an emergency. The system operator could have the traffic signals along its path go red in both directions and ring their own sirens, giving advanced notice to cars and pedestrians to clear the street.

        As for worrying about giving your son a laptop, I wouldn't lose any sleep over it. I had legos as a kid (no home computers), so I said, "Hang on. I'll put away my toys and be right over." And I don't feel I'm somehow scarred by it. :) Computers are tools, like toys, books, and guns. The key is to educate your children in their proper use before you let them use them. Some tools may have bigger consequences in misuse than others, and that should be discussed as well.

    • Pacemakers are already controlled by computer. It allows doctors to make tweaks to the operating parameters of the pacemaker without requiring invasive surgery.

      So, given the (currently slow) trend towards telemedicine, it is only a matter of time before a person can consult a doctor online, and that doctor can ask the patient to plug in his pacemaker so that it can be updated remotely.

      Is this a good idea? Hell yes, it might save lives. But there is much infrastructure work to do to make it safe. The Internet as it exists today does not have the required reliability, let alone security.
    • I don't think a pacemaker would -EVER- be hooked up to the internet -- not only is there no point, but it's just extra risk for something to go wrong.

      Actually, some devices like the pacemaker, have short-range radio transmitters in them. They're high-tech enough now that they collect data on the patient, and can then be transmitted via wireless to a module on the belt that records things. Some pacemakers are sophisticated enough to be able to determine if you're going into v-fib and enact a form of defibrillation.

      It's only a short step away for the pacemaker to then relay to the interface module on your belt that you just had a heart attack, then it tells your cell phone to call for an ambulance, and gives your GPS location. It's technology that we're near to implementing. It's part of us getting our older Americans the freedom to stay at home instead of being placed in a home so they can be watched over in case they should have a heart attack, or some other condition come on them. Think of it as an automated "panic" button that summons help.
    • They don't have to be on the net. I used to work for a government department that controlled traffic lights. From my workstation I could change the state of almost any traffic light in the state. From my workstation I could also browse the internet.

      Consider then a virus that allowed someone to put a back door into my workstation. They would then have the ability to sniff passwords and ultimately give them control over the traffic lights.

      A similar thing could be said for any device which can be controlled from a machine which is either connected to the net, or can be accessed by other machines ultimately connected to an untrusted network.

      While the chance is slim that any of this could happen, don't discount the possibility just through your ignorance of how these systems could be attacked. Sure the traffic lights aren't directly connected to the net, but that's not the point.
  • Huh? (Score:3, Insightful)

    by superdan2k ( 135614 ) on Tuesday July 23, 2002 @09:39AM (#3937038) Homepage Journal
    How is this news? This is the same party line as the Luddites have, only this guy has some history and a government position. So what? The Luddites have been proclaiming the end of the world because of technology for over a century. Has it happened? No. Will it happen? Maybe. Can we do anything about it if it does? No; so who the fuck cares?
    • by mwa ( 26272 )
      It's news because it's coming from the mouth of an appointed U.S. policymaker. It doesn't matter to me if some corporate or private nitwit wants to blather incoherently. It does matter to me when that blathering is put forth as official government policy.
  • what?!? (Score:3, Funny)

    by Jucius Maximus ( 229128 ) on Tuesday July 23, 2002 @09:39AM (#3937042) Journal
    "Former Microsoft security chief George Schmidt now works for the government as the vice chairman of the Critical Infrastructure Protection Board. "

    My brain just imploded.

    • Re:what?!? (Score:3, Funny)

      by discogravy ( 455376 )
      "Former Microsoft security chief George Schmidt now works for the government as the vice chairman of the Critical Infrastructure Protection Board. "

      My brain just imploded.

      I was pretty surprised to hear that MS had a security chief once too.

  • HELP! (Score:2, Funny)

    by CyberKnet ( 184349 )
    *body shaking violently*
    Somebody call 911, someone is SYN'ing my pacemaker!
  • by SJS ( 1851 ) on Tuesday July 23, 2002 @09:41AM (#3937055) Homepage Journal

    Anyone who thinks that a pacemaker on the Internet is a Good Idea deserves to have a pacemaker installed, connected to the Internet, and running a MicroSoft Operating System.

    You have to admit, it gives a whole new meaning to "Denial of Service", as well as "your license has expired".

  • Right (Score:3, Funny)

    by SpanishInquisition ( 127269 ) on Tuesday July 23, 2002 @09:41AM (#3937057) Homepage Journal
    You thought the Y2K was bad? Wait for this one, it will be at least 10 times as catastrophic.
  • by MongooseCN ( 139203 ) on Tuesday July 23, 2002 @09:41AM (#3937060) Homepage
    I can just imagine it now...

    Get up in the morning.
    Make coffee.
    Eat breakfast.
    Ping grampa.
  • Cats and dogs fornicate in the street as the sky turns black as sackcloth.

    Hopefully not with each other. I guess those powerless mid-afternoon skies sure can be dark, dark enough that even the animals get confused.
  • The last thing we need is more scaremongering. Your food can kill you, Your leisure activities can kill you, exercise can kill you, work can kill you, and so now, can traffic lights. How long before we get email hoaxes that declare that if we don't forward this email on, the power will be cut to our houses and our toasters will explode? If only there were a virus that could make me a cup of tea in the morning.
  • pacemakers.... (Score:2, Informative)

    by jeffy124 ( 453342 )
    pacemakers and traffic lights and dishwashers already work just fine not being connected to any network, so why fix what ain't broke?

    granted, a pacemaker or other medical device could be transmit-only for a medical emergency; likewise a traffic light can detect if an accident has occurred and transmit info to police.

    We saw what happened in South America with traffic lights when their central timing servers were stolen, they just rolled back onto their own timers instead of being centrally controlled. Life still moved forward, albeit with more stop-and-go.

    Don't get me started on the power grid, it's on its own private non-Internet connected network. It'll take an insider to cause trouble, but this threat has been there for over 100 years.
    • The only reason it got so slow was they had stopped maintaining the pre-centralized system that was still a backup. In NYC, traffic lights were controlled for years with cam-roller systems. Many lights at less busy places still are, and the city got very good at creating traffic patterns with these systems. Some of them even have clocks and multiple sets of cams so that patterns change based on time. These cam sets are still kept in sync so that in the event of a failure the patterns will prevail. Granted, this eliminates some of the much more complex things that can be done with computers, but it always works...
  • So now you guys in the US have someone in the government that is fighting windmills.

    We have some guys just like that in our gov/police in .nl as well though. According to them, us hackers are 'staatsgevaarlijke anarchisten'. Usually these people aren't taken seriously by people that _do_ know what they are dealing with. And hopefully for you USians that gov chapter has some people with a clue that can set the facts straight.

    • Re: Oh great... (Score:3, Interesting)

      by Black Parrot ( 19622 )

      > So now you guys in the US have someone in the government that is fighting windmills.

      Remember, this guy is now part of an Administration that follows a policy of using the threat of foreign terrorism to terrorize the public into accepting legislation, policy changes, and major reorganization of government agencies. The key for reading this guy, just as for the rest of them, is to look beyond the FUD and see what his agenda is.

    • So now you guys in the US have someone in the government that is fighting windmills.

      Scarcely news here in the US I'm afraid. Then again...I imagine politicians and their lackeys everywhere occasionally tilt at windmills, so we're not likely alone in that category. I do wish people would consider the effect on their careers and reputations before going off the deep end spouting apocalyptic FUD.

      I don't think we should be rosy about everything, but I do think some sanity should be present before carrying reports of doom far and wide.
  • I say (Score:2, Redundant)

    Howard Schmidt = Chicken Little

  • by stuyman ( 46850 ) <laurenceb@PLANCK ... minus physicist> on Tuesday July 23, 2002 @09:47AM (#3937099)
    While it seems that the phrase "snake oil salesmen" has passed out of the vernacular in favor of "really good excuse to sell product," Schmidt is really nothing more than a fearmonger. While I could imagine a worm moving through the internet fairly quickly, I can't imagine it doing too much serious harm. I mean, nothing could be much more serious than code red or Melissa or something. The net is fairly heterogeneous, so if a big chunk of end-user windows machines become infected, who gives a crap? Worst thing is a slight dip in sales at Amazon or buy.com, and McAfee, Symantec, etc get some new sales. Even a windows machine can be armored against these things if you try. Also, spreading instantly isn't even feasible. It takes time for a machine to find connected hosts, transmit and process things, etc.

    What worries me most is this absurd prediction that traffic lights and the power grid etc will become part of the internet. There are no good reasons for traffic lights to be on the public internet, and lots of good reasons for them not to be. However, there are lots of good reasons to control such things by computer, and the best way to take advantage of this is by using economies of scale through the use of commodity hardware. In other words, over TCP/IP. So, the traffic light network assigns all lights an IP address. This isn't the same as being on the internet. And despite all the fearmongering it's unlikely to happen.

    Remember, these people have been predicting critical infrastructure death for 10 years, and their theoretical net-wide worm actually hit 14 years ago! Be fearless, build firewalls, and update your software, and ignore this moron (though if you can use it to convince your boss you need a new dual 1.5ghz machine with a giant plasma display, go for it...)

    • by mborland ( 209597 ) on Tuesday July 23, 2002 @10:05AM (#3937255)
      While I could imagine a worm moving through the internet fairly quickly, I can't imagine it doing too much serious harm. I mean, nothing could be much more serious than code red or Melissa or something.

      I think I agree with your general points, but actually the worms could have been a lot worse. Had Code Red, for example, performed destructive actions on the target servers, it would have been an absolute disaster, and everyone would have remembered The Day Code Red Hit. As it was, most people disabled the exploited feature or applied hotfixes, and were back on their feet again.

      Imagine if it had just deleted the boot.ini, and/or perhaps several megabytes of critical files (critical enough to fail on reboot but not to halt current operation)? It would continue to scan, and if the admin rebooted (that is the first line of defense, after all!) they would be hosed. Perhaps it would actually be worse to delete the 'non-standard' files, like user files...destroying web sites and forcing admins to go to back ups (Windows admins do keep backups, don't they?). Imagine 300,000 boxes being hosed within a short period!

      Be fearless, build firewalls, and update your software, and ignore this moron

      Amen!

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Tuesday July 23, 2002 @09:47AM (#3937100)
    Comment removed based on user account deletion
    • Part of the reason Y2K happened nearly hitchless was due to the fact that so much hype was involved. By declaring "the sky is falling" they are preventing a problem through means of hype.

      Bull. Hype and the labor of countless millions of IT folks turned into dumpster fillers did not solve y2k for us. It's more like y2k was a fraud. Funny how all my old equipment still works with no effort on my part at all. Systems not designed to be fail safe are flawed.

      Nevertheless, it's a good thing you brought up y2k as it's the easiest way to fight the FUD:

      Y2K and war are now perpetual. Right!

      You will only suffer continuous computer failure if you use M$.

  • Um, do these use an RJ45 or a BNC connector?

    • I'd guess it would be 802.11 wireless, ya know? kinda tough to walk around the house with a cat5 hangin out your stomach...

      I guess I can see where someone might think monitoring a pacemaker would be a good idea, but the way I figure, if I needed one I wouldn't want people to be able to monitor it...can you imagine?:
      • wife: Bob's pacemaker is on the fritz!

      • son: let's up the life insurance policy real quick and not report it
  • This is no different than the DoD explaining the need for $2bn bombers or Justice requiring key escrow.

    Anyone believes the gub'mint any more trustworthy than any other institution deserves to get it in the Darwin.
  • by Jucius Maximus ( 229128 ) on Tuesday July 23, 2002 @09:49AM (#3937114) Journal
    Wasn't it only recently that the US Gov't wanted to help us "secure" our computers [slashdot.org]?

    Perhaps they need to spread more FUD generated from 'reputable' sources like the government so people and corporations get scared enough to WANT government help.

    The most conspiracy-engaging part of myself is saying that this is only the first step in a plan to 'prove' to us that 100% of USA civilian computer systems cannot be totally secure against attack from international adversaries and thus must not be in the hands of civilians.

    Computers are incredibly powerful tools and today's machines are beyond what the scientists of 20 years ago dreamed of in the future's uber-super-computers. They can be used as powerful weapons in terms of using 'unbreakable' encryption, launching major DDOS and similar attacks, compromising systems and installing backdoors and more. They are tools for facilitating truly free speech and covertly exporting most any kind of information. Everyone with one could be seen as a threat to a government that wants ultimate control and thus this could be just the initial phase of a long-range multi-decade plan to keep all computers in the USA under physical control of the government.

    Of course, this is just a far-fetched conspiracy theory. You are welcome to accuse me of throwing FUD because that's what this probably is.

  • And while there's some tongue in cheek in this, I really think that 90% of the reason why FUD like this is out there is because of what people see on TV/Movies.

    Law and order depicts "worm" that "takes control of your computer just by receiving an email!". Hackers: teenagers in bad outfits can crack into any system in the world (including being able to hack into a system by using phone lines taped together). Speed 2: leech loving man takes over a boat from his room with "fiber optic converter" (actually a data com port switch, I believe). The Net (another Sandra Bullock film) has a woman whose whole identity can be erased (especially when the FBI, Pentagon, and everybody else use the same anti-hacking software, which incredibly is used by evil hacker types).

    In movies, anything (microwave, blender, vacuum, whatever) can be controlled by evil computer programs. Don't ever put your computer in charge of your house, or else it will develop artificial intelligence, and try to kill you by making electric cords whip around your neck (I never figured out how that worked).

    Joe Public has no idea of how technology works - to him, it's indistinguishable from magic, so why couldn't it work? So when a man stands up and tells people a virus can circle the world in 0 seconds, those who pray to the gods of technology in the hopes that their television doesn't turn off must believe.

    We don't believe in monsters or demons, so we invent them in the form of hackers and superintelligent teenagers with a vengeance. We don't believe in gods, so we invent them in a government that knows all, sees all (when its own FBI is 10 years behind the technology curve).

    Good god, but I hate human ignorance.

    • (including being able to hack into a system by using phone lines taped together).
      Yes... Yes they can.. it is blindly easy. You simply get 2 modems, break into any office phone room and find 2 POTS lines. Place the modems on the POTS lines, set one to AA and connect them together with a null modem cable. Simple as pie. Hell you can make it even more fun by placing several of these around town.. you can then link your re-directors and cause tons of hell for the feds trying to track you down. They show the brainless public handsets taped together (Wrong by the way, you have to tape them mouthpiece to earpiece with a foam donut to get that to work for 300bps... yes it does work) looks better and gets the point across instead of some funny looking box with blinky lights.

      BTW, before you home-cracker-detectives cry about me releasing a secret... any cracker worth anything but that of a poser knows everything I just said.

      Yes, in my distant past I was overly curious... but that was really really long ago.
    • "Press Enter" by John Varley
      or
      "The Adolescence of P One" by
      for tales of AI gone bad. There are others...

      Human: "Is there a God?"
      zzzaaaappppp - lightning strike fuses the power switch on.
      Computer: "Now there is."
    • "The Net (another Sandra Bullock film) has a woman whose whole identity can be erased (especially when the FBI, Pentagon, and everybody else use the same anti-hacking software, which incredibly is used by evil hacker types)."

      See, that's the best part of the movie. The fact that a monoculture lends itself to insecurity. Look at farms of IIS servers. Are they secure? Why not? Would we be better off with every HTTPD having equal market share? 100% Apache?

      Don't knock the only reasonably accurate part of the movie!
  • Sure, *we* know the sky isn't falling, but the average AOLer who leaves their computer on all day without any type of security or firewall installed could use a wake-up call. If the hype causes people to decide to implement better security and patch their operating systems, why fight it?
  • of one of his travelling sideshows and proclaim, "It's not all that bad George, not /everyone/ uses your Microsoft products"

    Actually, it's not surprising, from the usual myopic brainwashed Msft employee mentality of "we are the computer industry", for such a person to think all computers are hopelessly screwed beyond hope.
  • Pacemakers (Score:3, Insightful)

    by mclearn ( 86140 ) on Tuesday July 23, 2002 @09:57AM (#3937196) Homepage
    For everyone screaming how bad it would be for a pacemaker to be on the 'net: get a freaking clue people! Ever hear of transmit-only? This would absolutely be a Good Thing(tm). If the pacemaker had some problems, then it could easily alert either someone -- whether it be the user to preemptively protect them, or to automatically call 911 on behalf of the user.
  • and only Palladium can hold it up.. I think this is where he's going with it.
  • So the "number two" guy in security has finally realized that a good portion of his "l33t 0-day warez" have virii in them?

    Maybe he should be a good citizen and stay away from the piracy.
  • Does Netgear or Cisco make a router for pacemakers yet?
  • From Dictionary.com:

    shill
    n.
    One who poses as a satisfied customer or an enthusiastic gambler to dupe bystanders into participating in a swindle.

    v. shilled, shilling, shills
    v. intr.
    To act as a shill.

    v. tr.
    To act as a shill for (a deceitful enterprise).
    To lure (a person) into a swindle.

    v : act as a shill

    The question is, who's he shilling, the clueless gubers in our government or the public in general or the clueless gubers in our corporations or all the above?

    As for who he's shilling for, well, that seems rather obvious.

  • by nadador ( 3747 ) on Tuesday July 23, 2002 @10:02AM (#3937236)
    The truth helps. Just keep speaking the truth, and tell your friends, people on the bus, folks at work.

    There are a couple of important points to consider.

    * Systems related to national security shouldn't be on the internet in the first place. Sure, that's what it was designed for, to be a comm network that would survive a nuclear strike and still route packets. Of course, plenty of government networks are already physically disconnected. Not firewalled, just not connected. So no Slashdot reading on your power grid terminal. Until we actually start building secure software, cause we don't now, some systems absolutely have to stay disconnected, or connected only through separate, encrypted, physically secure networks.

    * Instead of feeping creaturism, maybe it's time to actually start worrying about security, ala OpenBSD. Could it be that people would put up with substandard office software and not-so-intuitive file browsers if we guaranteed them that the financial data on their computers would be safe? Would you pay extra for your internet-connected pacemaker (which will probably send data to your doctor) if you knew that somebody couldn't hack it and turn it off? Would your Mom put up with having to learn a confusing operating system if it meant that her Quicken data wouldn't get stolen? I bet mine would.

    * And maybe, just maybe, we, as software engineers should stop living up to the low expectations of the marketdroids and the PHBs (oooh look, shiny GUI) and start demanding more of ourselves. The reason that propaganda like this punk is spewing travels so fast is that the computer-using public has been conditioned to expect so little (Oh, another reboot? No big deal. Server's down? Eh, kick it, I'll go get a cup of coffee.)

    So, I'd tell people to stop whining, stop freaking out, and stop bowing to the government-media complex's instinct to make everything a damn crisis. Instead of worrying, do something. If you're a software dude, start thinking about robustness and security instead of pretty. If you're a (l)user, start learning how to secure your stuff, and start demanding that the companies you buy from do the same.
  • How do you argue with this kind of rhetoric, especially when it's being spread directly by government officials to corporate leaders?

    Three words: Y2K.
  • When all your sheep are going in every direction, what do you do to put them all tightly together? FEAR (dog, barking and looking menacing, drives the sheep back with the gang)

    When all of the population starts to see all your little practices and schemes, criticize your every move, and notice you are not representing them but you're representing the whole mighty $ and corporatism, what could be more "welcomed" than a terrorist attack?

    All the "sheep" lose focus, are scared, and WANT help, seeing this, after, the gov uses this tactic to lever just about every single agenda he can. And then they preach how free they are, when their objective is to become the second China.

    Of course I might be pessimistic and reading too much Slashdot that mostly shows the negative content when it comes to your rights online, but I've yet to see any form of government that is still 100% there for the VOTERS and not for the companies or mighty $. At some point the $ will fail, look at how much the US is in debt, look at how much debt the average American has, look at how many bankruptcies/year, at some point, unfortunately, this system will all crash because it relies on continual expansion.
  • Well back in the good old days (around 96) we all got together and agreed that there would be a few software glitches when the clock chimed midnight.
    Word spread slowly at first but by 98 most of the people who needed to know had done their homework and started work.

    The band wagon started to roll when the IT industry realised that there was serious money to be made. Services to analyse your systems, reasons to upgrade NOW to the next version, a ton of bodies to poke around in every line of code you were running. New hardware by the lorry load.

    By early 99 there was a secondary industry looking at everything from embedded code, to legal and insurance issues, and massive pressure on the late-adopters to fall in line and spend some money. Around this time there were people forecasting planes falling out of the sky, power outages causing knockon effects and taking down the entire grid. Meltdown of the banking industry etc etc

    I was involved with some people working in the middle east on Y2K and for the most part govt and companies did just about nothing. Very little was spent, and only the things that actually broke got fixed. Admittedly they had less IT infrastructure to worry about, but their scepticism about apocalyptic warnings from the West was perfectly justified by events.

    I think we are seeing the same pattern with Security issues. There is undoubtedly a problem, people certainly need to spend money on it, for sure CEOs don't really understand the issues and last but not least the problem is not as big as people make out. I guess this is why a few public spirited types are trying to spread some panic in boardrooms.

    Question is whether this is a bad thing or not. I'd love it if everyone invested wisely and promptly, but right now it's in my personal interest for them to just invest in security services full stop. (or at least to pay me to implement more security)

    If everyone goes too far in securing IT who really suffers?

  • by jellomizer ( 103300 ) on Tuesday July 23, 2002 @10:17AM (#3937337)
    This is mostly all garbage because there is still too much hardware and software diversity. Sure this could POSSIBLY HAPPEN if everything was running off Windows on an x86 chip. But still now that is not the case. There are still different breeds of processors SPARC, MIPS, GX, ARM, Alpha, etc... And there are different Operating Systems that run each Processor. So making a killer worm that will destroy all Computers is near impossible because there is too much diversity. and I for one would want to keep it that way, actually I want to get more diversity. More different ways of solving the same problems is a good method each set may have bugs and holes but each one will be a different set of bugs and holes. Just as long as we don't follow MS's idea of using x86 chips and XP for everything electronic we should be OK.
  • The way we are going now, with OS monoculture and lack of physical separation of vital/non-vital systems, this isn't that far-fetched.

    Basically, once a sufficient number of vital systems are internet-connected, running the same software & OS, you've got yourself a big, fat potential vulnerability.

    This cannot be fought with anything but a painstaking effort to secure the infrastructure that is vulnerable, and keep the secure infrastructure secure. This does not only apply to the US. If such an attack was launched on Europe or South-East Asia, it would also have a devastating effect. We all need to protect ourselves.
  • would be stupid enough to allow a PACEMAKER ?!?! to be controlled by the internet ? What a total ASSHAT this guy is. The saddest part is there is nothing we can do about it either...Anyone from NZ around ? how's the political climate there ? been thinking of emigrating from the US and I've been trying to track down places that have a shot at staying less than fascist.
  • But we will kill the alpha male, they will all starve, fail to breed and die out.
  • So whose idea was it to appoint a "Fudmaster General" to the government ?
  • I sadly must admit to having been duped a year or so ago. More of that stupid television nonsense. I should know better!

    It was the second hour of a two part documentary on hackers, and it was VERY well produced with lots of subtle manipulations all of which seemed friendly and wise. The finished product aired detailed several true items, amplified them, mixed them in with some twisted until almost false items, dropped in serious faced legislators with hysterical, doom & gloom viewpoints, mentioned the FBI and CIA many times, fuzzed out people's faces, --And then spin doctored the whole concoction into a whirlwind of fear.

    Their points were:

    1. There is basically NO security which can stop the truly determined hacker.

    2. YOUR vital information, money, identity, etc. is valuable to the evil hacker and can easily be compromised.

    3. Airplanes can be dropped out of the sky, hospitals shut down mid-operation, train systems messed with and whole economies crashed, blah, blah, blah. . .

    4. There are not enough laws and legal recourses to deal with this disaster which could at any moment strike.

    5. Even the American military has a special division charged with the task of swooping in to keep the country from self-destructing should an evil hacker decide to end the world via the internet. -It's THAT serious! Fear! Fear! Fear! (Yawn)

    Anyway, because I forgot for a short while that I was WATCHING TELEVISION that I was also being MANIPULATED. Stupid, stupid, stupid. (I stopped watching the evil tube months ago. I'm not sure how I lived back then! Even without two hours or more of crap nonsense per day, there still aren't enough hours between sun-up and sun-fall to get in all the living I want. --Oh, and try watching something after six months of abstention; even the 'good' shows suddenly look remarkably brain-dead!)

    Anyway, all the government has to do, when enough of this incorrect, (but remarkably easy to sell), belief structure has been installed, is deliberately screw with some major utility or whatever, and then drop in the paratroopers. And people won't put up a fuss, cuz you know, hackers, right?

    Essentially, the whole fear-farm works like this:

    1. Show vital services and just how bad things would be should they be crashed. This causes anxiety and fear.

    2. Deliberately misguide people into believing that ---insert scapegoat here--- can easily cause the above mentioned disasters.

    3. Show how the legal systems are woefully underprepared for dealing with this kind of threat.

    4. Leave the audience dangling and ripe for the picking. --You only have to get enough senators to watch your 'informative' crap, and bingo! Job done.

    It's all a shell game, and the winner takes ALL.

    -Fantastic Lad

  • "How do you argue with this kind of rhetoric, especially when it's being spread directly by government officials to corporate leaders?"

    You can't. Most people are idiots, and in the United States, where people are indoctrinated by religious and educational establishments to have unquestioning faith in authority.

    Just look at the decades of effort it took for anyone other than white males to be treated as human beings. Homosexuals still don't have the same civil rights as heterosexuals. Do you really think that the computer nerds of America have any real hope of countering the computer-related bullshit spewed from the mouths of the government, AntiVirus companies, Microsoft, and cable news "experts?"

    Your best bet is to do what I did. Realize that getting geeks to do more than write letters is next to impossible, trying to lead them to stand up for their rights, or even for intelligent thought, is hopeless. Your best bet is to just take a different strategy: Get a job working for these assholes, and enjoy the ludicrous salaries sleazy government guys are passing down to the people who build the infrastructure that keeps them in office (At least until some other politician turns the tables.).
  • by drew_kime ( 303965 ) on Tuesday July 23, 2002 @10:35AM (#3937471) Journal
    From a March 2000 press release [isaca.org]:
    The Information Systems Audit and Control Association (ISACA) has been invited and has agreed to serve as a member of a newly created public-private initiative, the Partnership for Critical Infrastructure Security.

    ...

    An initial, formative meeting of the Partnership was held in December 1999 in New York City. The meeting was hosted by [list of names] and Howard Schmidt, Chief Security Officer, Microsoft.
    This has been in the works for over two years. Schmidt was involved from the beginning in defining the scope and purpose of the position he now holds. Microsoft has been involved in the process throughout the time they were responsible for the most disruptive, expensive virus/worm attacks in history.
  • TLA. (Score:3, Informative)

    by Noryungi ( 70322 ) on Tuesday July 23, 2002 @10:40AM (#3937528) Homepage Journal
    This is what I have to say to Mr Schmidt:

    Y2K

    The end of the world was predicted. Nothing happened. Why? Because good people worked their asses off and prevented the Y2K "damage".

    Hint: want to avoid 90% of all problems on the Internet? Follow this three step program:

    1. Avoid ALL M$ products like the plague.
    2. Whatever system you use, keep it up-to-date, apply the patches and the security upgrade religiously.
    3. Whatever system you use, lock down all un-necessary services and ports.
    4. Whatever you do, don't put everything on the Internet! Pacemakers, energy grid and air-traffic systems don't have anything to do on the Internet. period.

    And no, I won't buy Palladium just because it's the One True Technology That Will Save Our Sorry Asses From Evil Hackers! ;)

  • geeezesus krist (Score:3, Insightful)

    by MrIcee ( 550834 ) on Tuesday July 23, 2002 @11:24AM (#3937849) Homepage
    Former Microsoft security chief Howard Schmidt now works for the government as the vice chairman of the Critical Infrastructure Protection Board. (Emphasis mine)

    Anyone else see where this is going? The FORMER HEAD of MICROSOFT SECURITY (and quite frankly, microsoft and security should *snicker* never *snicker* be used in the same sentence together).

    Obviously... Microsoft is very very happy now. They got the x-head of their security to be high up in government PROTECTION. Now this chicken little is running around squawking. Ya, I can see the next *initiative*... Palladium anyone? Government sanctioned because some LOSER who couldn't design a SECURE HOUSE LOCK is squawking.

    For as many times as we accidentally bomb some Afghani wedding, can't we accidentally bomb redmond? Please? Purty Please? With sugar on top?

  • by actiondan ( 445169 ) on Tuesday July 23, 2002 @11:50AM (#3938052)
    Even a google search [google.com] couldn't help me.

    Does the rest of the world know something that I should?

"Look! There! Evil!.. pure and simple, total evil from the Eighth Dimension!" -- Buckaroo Banzai
