US Plans Cyber Shield For Private Companies and Utilities
wiggles writes "The federal government is launching an expansive program dubbed 'Perfect Citizen' to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants, according to people familiar with the program. The surveillance by the National Security Agency, the government's chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn't persistently monitor the whole system, these people said. How do we feel about NSA spyware in all of our infrastructure?"
Surveillance (Score:5, Insightful)
Yes, because more surveillance is what is needed. Every year it goes further and further. The good thing is that at least they know to take it slowly - increase the surveillance just a little bit at a time and people won't really complain or notice. In a few years you will be there, just like with the UK.
I would think that internet infrastructure belongs to the "critical" category too. Just tell your political opinions in a private conversation to someone, say you don't like the mayor and expect a lawsuit. How long until "harmful content" like P2P and porn starts to get blocked? Looks like the USA is not that far from China after all.
And a name like a "Perfect Citizen"...
Re:Surveillance (Score:5, Insightful)
Seriously? Calm down. They aren't monitoring the communication of private citizens, they are monitoring incoming connections on critical infrastructure systems.
Besides, monitoring the communication of private citizens happened a while ago under a happy little thing called the Patriot Act. ::flamesuit::
Re:Surveillance (Score:5, Interesting)
Seriously? Calm down. They aren't monitoring the communication of private citizens, they are monitoring incoming connections on critical infrastructure systems.
Besides, monitoring the communication of private citizens happened a while ago under a happy little thing called the Patriot Act. ::flamesuit::
The mention of the Patriot Act was apropos. That's because when I first saw the name of this, "Perfect Citizen", I wondered whether that sounded Orwellian to anyone else.
Re:Surveillance (Score:5, Interesting)
when I first saw the name of this, "Perfect Citizen", I wondered whether that sounded Orwellian to anyone else.
To paraphrase a quote, "The only Perfect Citizen is a totally subjugated and suppressed citizen".
To really secure the infrastructure, a system of up-links and down-links to the TDRS satellites would be more secure. If land-based connectivity is required, then dedicated fiber-optics is a good bet. Just bypass the internet altogether.
Re: (Score:3, Insightful)
Air-gap security is all fine and good against casual hackers, but still leaves you with an awfully gooey center. I don't know why Slashdotters keep advocating it as such a panacea.
Re:Surveillance (Score:5, Interesting)
The summary for the submitted article misses almost EVERY important aspect to this story, as it was initially reported! It almost looks like an attempt to deliberately minimize concern over the dubious legality and suspect agenda for "Perfect Citizen".
In fact, Samzenpus and "Wiggles" seem content not to mention the program's Orwellian name, nor the specific use of the term "Big Brother" by Raytheon contractors associated with the NSA on this effort.
Here is the summary I supplied, when submitting this story as a front-pager for Slashdot. I believe that it is more cogent and INFORMATIVE than the blandness offered us.
The WSJ is reporting on a $100M NSA program [wsj.com] "to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants." All of which sound nice enough, if one does not become critically focused on the name they chose for this effort: 'Perfect Citizen'. [pcworld.com] Releasing this to the WSJ has the appearance of PR cover for the expansion of both warrantless surveillance [wikipedia.org] and the intrusion of the NSA into a theatre of domestic operations. [eff.org]
Raytheon, the NSA contractor charged with realizing the NSA vision for the 'Perfect Citizen' program, openly called this the "Big Brother" [theregister.co.uk] system in internal communications.
For once, I really wouldn't mind a "dupe" story, either my summary or that of another poster with some insight to the implications of "Perfect Citizen".
Re:Surveillance (Score:5, Insightful)
Yeah, it's too bad they don't include more unsubstantiated facts and editorial opinions with strong biases in the summaries. I was just thinking how much I was missing that!
Re: (Score:2, Interesting)
I do not see this as akin to the mass wiretapping of individuals of a previous administration. This is traffic pattern detection by the sound
Re: (Score:2)
if malicious patterns were detected perhaps an auto-cutoff of the plant from the internet could be triggered.
This seems, to me, like a dynamic that's exploitable in itself.
Assuming that the plant is connected to the Internet in the first place for a real purpose, whatever that purpose is is suddenly vulnerable to a denial-of-service attack. All you gotta do is trip the IDS deliberately.
And now for the Tinfoil stuff (Score:4, Insightful)
What if there are no "massive cyber-attacks" by "Chinese hackers"?
Who'd know? The key part of almost every successful TCP/IP network attack or compromise is the ability to manipulate intermediate hosts, etc. to obfuscate and mislead as to the actual "real location" of the attacker or malicious agent. When I was so preoccupied, in the mid/late-nineties, it was common practice to use Chinese IP space as "base-camp" for our explorations. I remember, in particular, an entire University lab of several dozen Sparc5 clones, directly connected to the Internet. Getting shell on these was a trivial exercise. The poor quality of the systems administration on these hosts was also an excellent indication that any forensics effort would be pretty hopeless, with the simple deletion of local logfiles.
Given the resources of a US or Israeli intelligence agency, it is completely likely that attacks could appear to be "Chinese" - without ever having a ZH presence. Manipulation of BGP, etc. could produce the required 'evidence'.
Which also begs the question: why would "Chinese" or "North Korean" state-sponsored "hacker gangs" be able to launch attacks with sophistication enough to be considered a threat to national infrastructure, yet simultaneously naive enough to be triangulated back to their supposedly surreptitious origin?
As they say, "Pull the other one, it has bells on it."
The only serious outcome of any mass-scale foreign cyber-attack has been to create a climate for the acceptance of increased surveillance, demolition of limits for Federal agencies and the Military in regards to the law-abiding civilian US population, and the complete obliteration of 4th and 1st Amendment protections afforded by the U.S. Constitution. What if that is not the "unintended consequence"?
Re:Surveillance (Score:5, Informative)
I'm no tinfoilhatter (see my post history) and I can easily state that the government does monitor and has been monitoring communications of citizens since before the PATRIOT Act.
Google any of the following:
Project Echelon
FBI Carnivore
FBI NarusInsight
This isn't fear mongering against the government. Those are actual programs/projects the government uses to watch those they want to watch. Actively, passively, whatever it is it doesn't change the fact that the government has the means and the will to watch those it finds worth watching.
Now, to think that the new system will watch international connections only is short sighted. All you have to do is argue that an "enemy" could bounce through an internal (to the US) proxy and the government would have wholesale reason to peek at _every_ connection, foreign or domestic.
Re:Surveillance (Score:5, Insightful)
Regardless, as I've said many times on this site...in the year 2010, honestly thinking that most if not all digital communication that you engage in isn't tracked, monitored, or recorded at SOME POINT, either by a company or by the government, is just foolish. I operate under the assumption that I have zero privacy with my cell phone and online, and act accordingly.
Re:Surveillance (Score:4, Interesting)
Speaking of which...
On June 25th, just a few days ago, the original UKUSA agreement that set up Echelon was declassified and published. It includes a number of supporting documents as well.
http://www.nsa.gov/public_info/declass/ukusa.shtml [nsa.gov]
Re: (Score:2)
I seem to remember Carnivore being a huge "letdown" when details of what it could actually do came out; IIRC the program itself could be recreated in Perl in about 15 minutes. Not that I'm defending the program, it was just meh in its capabilities.
Re:Surveillance (Score:5, Insightful)
>>>They aren't monitoring the communication of private citizens, they are monitoring incoming connections on critical infrastructure systems.
Like the smart meters being installed in Californian homes. All they need to do now is upgrade the firmware to include a little NSA spyware (literally) so they can see how much energy you are using & what it was for. ("Running grow lamps in the basement - mmm interesting. Notify the Drug Agency.")
Patriot Act sucks
The Patriot Renewal Act which Obama signed sucks even more. At least George Duh Bush could claim he didn't know what was in the bill when he signed it in 2001, but Obama observed the direct consequences of the law (police entering homes w/ self-written warrants; spying on communications; arrests without right of trial). He should have vetoed that bill.
Re: (Score:2)
My guess is intel agencies already have access to power consumption numbers.. though not live data, like a smart meter provides. I really don't think it's that useful though.. does a plug-in hybrid look like a rack of grow lights? Or a rendering cluster? Or a water-splitting setup? But I do think it would be bad for them to have access to. If I had that data, I could plan my raids around the times of least usage.. under the assumption that everyone is asleep or out of the house. It could be useful in a
Re: (Score:2)
Yeah but now they are putting meters inside appliances which will communicate with the central smart meter (house thermostat). So they'll be able to see if it's a plug-in hybrid or a rack of grow lights.
Aside-
Thank $deity that firefox has redline spell-checking. My fingers must be numb today - all kinds of typos
Re: (Score:2)
The appliances bit is where I get nervous. There are so many cool things we can do with sensors, monitoring, and automation in our homes.. but almost all of them are double edged swords.
Re: (Score:2)
>>>You are assuming the rack of glow lights has the ability to identify itself to the smart meter. Legacy devices will never register.
Good point but it doesn't really matter. Cops usually look for sudden spikes in power usage, or high usage, that indicates a growing operation. But now with smart meters the cops don't need to look - the meter can be programmed to automatically flag itself, and then the DEA can investigate.
Re: (Score:2)
That's not true. Cops don't regularly conduct fishing operations of utility records to find growers. Stop making things up. Under what authority can you claim that cops usually do that?
Cops do IR camera fly-bys, looking for the heat generated by a grow op (falls, debatedly, under "in plain sight"). Or if they have reason to suspect, they subpoena the utility for the records.
Re: (Score:2)
There's a risk this will grow to where the government is so paranoid it does care how long the TV is on. Right now, there are estimated to be 8 million US citizens on the Main Core list (although this is just a Wikipedia entry, so of course it could be a gross exaggeration):
http://en.wikipedia.org/wiki/Main_Core [wikipedia.org]
How far is it from putting 8 million people on your critical threat list to making people document how much Wattage their TV draws so the government can tell if there's some other appliance running i
Re: (Score:2)
Some companies may agree to have the NSA put its own sensors on and others may ask for direction on what sensors to buy and come to an agreement about what data they will then share with the government, industry and government officials said.
While the government can't force companies to work with it, it can provide incentives to urge them to cooperate, particularly if the government already buys services from that company, officials said.
They don't need to do any firmware upgrades. All the data already goes to those energy companies. It will be up to them to decide what to share with the NSA.
Re: (Score:2)
That's my tanning booth, you insensitive clod.
Re:Surveillance (Score:5, Interesting)
Seriously? Calm down. They aren't monitoring the communication of private citizens, they are monitoring incoming connections on critical infrastructure systems.
Besides, monitoring the communication of private citizens happened a while ago under a happy little thing called the Patriot Act. ::flamesuit::
FTFA:
A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras. It's a logical extension of the work federal agencies have done in the past to protect physical attacks on critical infrastructure that could sabotage the government or key parts of the country, the official said.
They basically come out and directly say they are taking advantage of a slippery slope and happily sliding down it. So monitoring people driving is the same as watching what they are doing online.... yeh, that's not a slippery-slope argument at all </sarcasm> Next is, well, we already monitor the critical infrastructure, why not just all corporations, why not just all ISPs and all home users, then we could really catch all those sleepercell terrrrists at home!! yeh1!! it's just like red-light cameras.
Tm
Re: (Score:2)
The OP is right on target. I'm sure the government would consider "backbone routers at Tier1 ISPs" critical infrastructure. Given the compliant Congress and our society's lack of actually generating real material goods anymore, it isn't too much of a stretch to imagine the RIAA/MPAA convincing Congress that P2P is a serious threat to the economy. Oh noes, cyber-attacking pirates off the fiber-port bow!!! Shut down teh intartubez! Save the contents!!!
Re: (Score:2)
If by "stretch" you mean "already done", then you're right.
http://slashdot.org/~chill/journal/252992 [slashdot.org]
Re: (Score:2)
The OP is right on target. I'm sure the government would consider "backbone routers at Tier1 ISPs" critical infrastructure. Given the compliant Congress and our society's lack of actually generating real material goods anymore, it isn't too much of a stretch to imagine the RIAA/MPAA convincing Congress that P2P is a serious threat to the economy. Oh noes, cyber-attacking pirates off the fiber-port bow!!! Shut down teh intartubez! Save the contents!!!
Bingo!
The implied situation is that Tier 1 ISPs don't have IDS and appropriate procedures in place and need help from the government to look to the security of their networks and systems. Somehow, I think that the ISPs are already doing a far better job of this than some low-bid government contractor will. Though, as we've seen, utility companies..., maybe not so much. Fine, draft regulations and then enforce them with meaningful penalties for failure to comply. Don't suggest that "the government" ca
You don't understand do you. This is just the beginning. That kind of power is like a black hole. The closer you get the less control you have till you just can't break free. Who watches these people? Don't tell me Congress will watch them. They don't have a fucking clue. You'd better to be ready to fight for your civil liberties. /tinfoilhat
Or ask for a job
Perfect Citizen (Score:2)
I swear the people who name such programs must be deliberately trying to bait conspiracy kooks.
Re: (Score:2)
Now pick up that can!
Asinine (Score:2)
A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras.
::facepalm::
My internet traffic is not on a public roadway.
It's just rediculous that they're trying to make such an argument while trying to plug these boxes into private networks.
Re: (Score:2)
Maybe Alex Jones is smarter than he acts. He's been talking for months about Boxes being placed in homes (or at the curb) to monitor internet lines to ensure security. I thought he was nuts but now here it comes.
"Any who would give-up essential liberty for temporary security deserve neither." - Benjamin Franklin, Pennsylvanian
Re:Asinine (Score:5, Insightful)
The first thing I thought of when I read the flame-inducing "How do we feel about NSA spyware in all of our infrastructure?" was "oh well, at least there will be good-guy spyware in there with the bad-guy spyware..."
Do you really think that these private firms are hunky dory with their current systems? As discussed to death at Black Hat 20[insert any year here], most private firms are years behind the DOD when it comes to info security, some of them ignoring it outright (the new power grid technology comes to mind).
If these companies aren't going to take security seriously, is it really wrong to offer a program that lets the NSA help them out? Or worse, would you rather the NSA simply hold out for a secret executive order to place surveillance equipment without the need to tell anyone? I think that this step, at least, is in the right direction. It could still go horribly wrong, but why kill it before it has the chance to do some good?
Re: (Score:2)
>>>My internet traffic is not on a public roadway.
Maybe it's time we nerds set up our own private network. Something like Usenet or Fidonet but much faster (the old 56k or 112k connections are not enough). On second thought, with advancing codecs maybe it would work. I just watched Doctor Who at dialup speeds (48k) and it was no more horrible than watching a VHS tape.
And to add to Franklin's quote:
- I would rather take the risk that there's a 1 in 300 million risk that a terrorist will kill me,
Re: (Score:2)
It's so diculous, it's ridiculous twice! It's re-diculous. Not to ridicule, of course.
As for connecting things to private networks: read. This is done in cooperation with private network owners that agree it's a good idea, considering what they're operating/protecting. You're not being forced, on your own network, to have anything to do with it.
Guess (Score:2)
How do we feel about NSA spyware in all of our infrastructure?
ummm.... NOT GOOD
Spyware? Really? (Score:4, Informative)
When zealots can't distinguish between legitimate security and illegitimate spying, it hurts the credibility of civil liberties, not the NSA.
Re: (Score:2)
When zealots can't distinguish between legitimate security and illegitimate spying, it hurts the credibility of civil liberties, not the NSA.
But giving a program one of the most Orwellian names ever - "Perfect Citizen" - sure doesn't help the NSA's credibility either.
Re: (Score:2, Funny)
("Ahhh I see citizen 12 is using grow lamps - send the DEA to investigate"), then liberty will die for all of us.
If you are running grow lamps, maybe talking about them in every single post you make to slashdot isn't the way to keep them a secret? Just a thought.
or they might shoot at your grandma but miss and kill your daughter, hilarity ensuing, like in Detroit a few weeks back.
All cyber-assaults will be detected! (Score:2)
... detect cyber assaults on private companies
You know, like downloading the latest Lady Gaga CD.
And the Maginot Line will protect France (Score:5, Insightful)
That's the problem with big expensive publicly-announced efforts to protect against known attacks. The bad guys tend not to be idiots, and don't do what you expect. Come on, we can't even protect ourselves from our own stupidity, like when a trader accidentally enters an order for a billion rather than a million. If our systems are so fragile, then it doesn't take much. Oh, and what makes anyone think that we don't have insiders willing to initiate cyber attacks? A big firewall on the outside doesn't help much there.
If they did it correctly, it would help. (Score:3, Insightful)
Start with the basics. Map the traffic patterns and usage patterns.
Now, roll that data up from a hundred different companies.
You'll see the patterns.
Share that information (anonymized) with the companies so that they can hunt down any "weird" traffic on their networks.
Re: (Score:2)
uh, dshield.org much?
Re: (Score:2)
You can't anonymize it. Any information given with enough detail to be useful is many times more than enough to reconstruct the relation of "anonymized" data points.
Re: (Score:3, Informative)
>>>there's the age old... "they put something called linux on it, and it looked like something a hacker might use" problem
Like that poor kid who was given detention. His crime? Demonstrating Linux on his personal laptop during study hall, and handing out free CDs of it to friends. The teacher assumed the kid was a pirate and punished him. She even went so far as to contact the guy who created the original CD, and scold him too! "I don't know why you are handing-out these CDs but I play to con
at least the NSA knows what Linux is and army uses (Score:2)
at least the NSA knows what Linux is and the army uses it along with Mac OS as well.
What could possibly go wrong? (Score:2)
It's not like the gov would ever use any info it gathers against you.
Ahhh... (Score:4, Informative)
Also, they might have wanted to pick a less Dr.-Strangelove-sounding name. But maybe the NSA geeks have a sense of humour too?
Wow... (Score:3, Insightful)
.. seriously, are we that far behind in our critical infrastructure that it's still just plopped down on the internet without a firewall, filtering, port blocking, like some infected Win95 machine from the 90s? Stuff like that should not be on the internet directly, ever. Private networks only, connected only to systems that need to monitor/control. Sure it's faster/cheaper to plop a DSL line to that remote site, but it's far less expensive to just get a direct private line to it than it would be to implement any of this other security theater the govment likes to use. Imagine your corporate firewall being run by the NSA....Hah
Tm
Kiss Open Systems Goodbye (Score:3, Insightful)
There it goes out the window with all of the Bills currently in Congress to chase the internet "boogie man" as they hire "governmental approved companies" to produce boxes to install on your internet line.
Proprietary and very secret boxes.
They will track how long you play WoW, what you buy and put you in prison for that Virus that downloads pr0n.
SO much easier to get rid of people they don't like especially if the black box has the ability to infect and download the pr0n for them onto your home PC using "government approved software".
This is getting way out of control very fast.
One thing for sure though, you won't run LINUX, you won't run anything except what that black box says you can run.
Ironically there is a very real chance that only the collusion of fascism can take down Open Source because companies can't compete against it and governments absolutely hate systems built in the open because they can't lie about what they are doing to the masses.
The "Perfect Citizen" in this definition is one who doesn't question, only uses what the government tells them to and more importantly believes that the internet is better off with it.
-Hack
Re: (Score:2)
>>>One thing for sure though, you won't run LINUX, you won't run anything except what that black box says you can run.
Vice-versa: Some of us might start using Lubuntu Linux or Amiga OS specifically because we are told we can't. Some of us enjoy challenging tyrants in order to fight for freedom.
Re: (Score:2)
Of course not. They would be taking away your essential liberty to infest yourself and everyone around you with all manner of digital pests so you would be (appropriately) upset.
My point is that they're much more likely to require something like SE Linux that forbids it.
You may return to being a good citizen by recycling your hat now.
Re: (Score:2)
More likely they'll make you run Windows or Mac OS, and nothing else.
Re:Kiss Open Systems Goodbye (Score:4, Informative)
You do know they're talking about doing this to water, electric, utilities, gas and railroad infrastructure, right? "Critical infrastructure", such as traffic control centers, the power grids, gas grid and the like. You aren't critical infrastructure. WoW certainly as hell shouldn't be running on critical infrastructure. Traffic in those networks SHOULD be watched and coordinated. The companies can either let the NSA do it or purchase the equipment and do it themselves.
Last I knew, those "proprietary systems" (example here [narus.com]) were Linux-based using libpcap but on screaming fast hardware. Proprietary analysis software is used to baseline traffic patterns and look for anomalies.
Re: (Score:2)
I don't want to step on your rant, but most US Gov websites I've seen.. are on Linux. I would guess much of the infrastructure is the same. End-user computers are mostly Windows boxes though. With those come Exchange and SharePoint and blah blah. But the critical stuff appears to be Linux/BSD. You can check here: http://toolbar.netcraft.com/site_report?url=whitehouse.gov [netcraft.com]
Also, the last time I saw a Certificate of Networthiness list.. there was plenty of OSS approved: apache, php, python, putty, RHEL, fi
Definition of "Slippery Slope" (Score:2)
A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras. It's a logical extension of the work federal agencies have done in the past to protect physical attacks on critical infrastructure that could sabotage the government or key parts of the country, the official said.
"You already gave up privacy for traffic cameras, so we can watch you drive, now we want to see what kinds of pr0n you like, cause that's no different and no big deal and it's to stop the terrrrrists from doing another 9-11." This is exactly why privacy advocates are so rabid about what seems to be little things. They add up quick, and eventually get used as a "well we already do X, so this should be fine".
Tm
"Perfect Citizen" (Score:4, Interesting)
Seriously, shouldn't they try harder to disguise the intentions with a name like "Save the children security project" or "Patriotic Minutemen project"????
Wouldn't a secure OS be a better option? (Score:2)
Cabsec - Capability Based Security has been around for a long time, it was part of Multics... the idea of having real security built into the OS, available as a tool for the USER to decide what resources to make available to an application, is a very powerful one.
Unfortunately, it's a boil-the-ocean solution.... you have to build a new OS which supports it, and then port your apps.
Re: (Score:2)
With the proven L4 kernel, the device driver code from Linux, and the GPL... it should be feasible to build a trusted system for the rest of us.
The key is to allow the user to assign privileges to a program at run time, and have the operating system constrain the program to those resources. It's not really hard to do, compared to the approach we have now, it's conceptually easier.
Bias? (Score:3, Insightful)
How do we feel about NSA spyware in all of our infrastructure?
Better than Chinese spyware in all of our infrastructure.
False positives and masked attacks (Score:2, Insightful)
The net has huge tides - but unpredictable ones such as the traffic burst that happened when Michael Jackson died.
Those traffic shifts, along with the introduction of new technologies (such as IPv6, cloud computing, and smaller things like the next twitter) will create false positives.
And an attacker, knowing that there are these bursts fairly frequently and that during them there will be false triggers, will time the launch of his attack so that it occurs during or shortly after one of those events.
Personally
Re: (Score:2)
Those traffic shifts, along with the introduction of new technologies (such as IPv6, cloud computing, and smaller things like the next twitter) will create false positives. And an attacker, knowing that there are these bursts fairly frequently and that during them there will be false triggers, will time the launch his attack so that it occurs during or shortly after one of those events.
This is pretty much a solved problem. You're picturing a system that monitors traffic level, then automatically shuts off the traffic in an emergency. That's not the state of the art and hasn't been for a long time. Rather, you deploy IDS systems that build a relational database of "normal" traffic on a network over time. Administrators look at the traffic and mark some of it as "critically important" like the connection between the control system update board and the deployed sensors, and the connection bet
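The baseline-plus-critical-flows design this reply describes, together with the burst false-positive concern raised two comments up, as an added Python example (not the poster's code or any real IDS product; hosts, ports and byte counts are constructed sample data). A site-wide traffic surge is logged as informational, while a never-seen connection to a sensor, or a critical flow going silent, raises an alert even when the surge dominates total volume:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample topology: a control/update server talking to two field
# sensors, plus an ordinary office web client. Port 502 is an assumption.
CONTROL = "10.0.1.5"
SENSORS = {"10.0.9.10", "10.0.9.11"}
CRITICAL_FLOWS = {(CONTROL, s, 502) for s in SENSORS}   # control -> sensor


class FlowBaseline:
    """Learn per-flow byte counts over time; judge new windows against them.

    A flow is (src, dst, dport). Only deviations that touch an
    administrator-marked critical flow or critical host become ALERTs;
    everything else is INFO, so a burst on the office web link does not
    trip the same alarm as a strange connection to a sensor.
    """

    def __init__(self, critical_flows, critical_hosts, z_threshold=3.0, floor=50):
        self.critical = set(critical_flows)
        self.critical_hosts = set(critical_hosts)
        self.z = z_threshold
        self.floor = floor                 # minimum sigma in bytes, damps jitter
        self.history = defaultdict(list)   # flow -> [bytes per training window]

    def learn(self, window):
        """window: dict flow -> bytes observed in one period of normal traffic."""
        for flow in set(self.history) | set(window):
            self.history[flow].append(window.get(flow, 0))

    def evaluate(self, window):
        """Return (level, flow, reason) findings for one new window."""
        findings = []
        for flow, nbytes in window.items():
            _, dst, _ = flow
            touches_critical = flow in self.critical or dst in self.critical_hosts
            hist = self.history.get(flow)
            if not hist:
                level = "ALERT" if touches_critical else "INFO"
                what = "unseen flow to critical asset" if touches_critical else "new non-critical flow"
                findings.append((level, flow, what))
                continue
            mu = mean(hist)
            sigma = max(pstdev(hist), self.floor)
            if (nbytes - mu) / sigma > self.z:
                level = "ALERT" if touches_critical else "INFO"
                findings.append((level, flow, f"{nbytes} bytes vs baseline {mu:.0f}"))
        # A critical flow that stops entirely is as interesting as one that grows.
        for flow in self.critical:
            if flow not in window and self.history.get(flow):
                findings.append(("ALERT", flow, "critical flow went quiet"))
        return findings


def alerts_only(findings):
    return [f for f in findings if f[0] == "ALERT"]


def naive_volume_monitor(window, history, z_threshold=3.0, floor=50):
    """The strawman the thread worries about: alarm on total bytes alone."""
    totals = [sum(w.values()) for w in history]
    mu, sigma = mean(totals), max(pstdev(totals), floor)
    return (sum(window.values()) - mu) / sigma > z_threshold


# Constructed training data: five quiet windows of normal traffic.
WEB = ("10.0.1.20", "203.0.113.9", 443)
CTL_A = (CONTROL, "10.0.9.10", 502)
CTL_B = (CONTROL, "10.0.9.11", 502)
TRAINING = [
    {WEB: 1000, CTL_A: 200, CTL_B: 200},
    {WEB: 1200, CTL_A: 210, CTL_B: 195},
    {WEB: 900, CTL_A: 190, CTL_B: 205},
    {WEB: 1100, CTL_A: 205, CTL_B: 200},
    {WEB: 1000, CTL_A: 195, CTL_B: 200},
]
# A news-event burst: web traffic jumps 10x, control traffic unchanged.
BURST = {WEB: 10000, CTL_A: 200, CTL_B: 200}
# The same burst, plus an unknown host reaching a sensor and sensor B silent.
BURST_WITH_INTRUSION = {WEB: 10000, CTL_A: 200, ("10.0.3.77", "10.0.9.10", 502): 60}


def build_baseline():
    baseline = FlowBaseline(CRITICAL_FLOWS, SENSORS)
    for window in TRAINING:
        baseline.learn(window)
    return baseline


if __name__ == "__main__":
    b = build_baseline()
    print("naive monitor on burst:", naive_volume_monitor(BURST, TRAINING))
    print("baseline alerts on burst:", alerts_only(b.evaluate(BURST)))
    print("baseline alerts on burst+intrusion:", alerts_only(b.evaluate(BURST_WITH_INTRUSION)))
```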
The universal OFF switch (Score:4, Insightful)
Re: (Score:2)
have those commands input manually by someone you reach directly by phone.
A little social engineering, maybe:
"Hi Ben, This is Frank over at the . We have a little problem here. Actually, it's a big problem. We got a fire. Four buildings, so far. We can't put it out because the connection with is live. We need you to pull so we can get close enough to put out the fire."
I never got a root password by hacking. Every one I ever got was by asking nicely.
The power grid has manual off switches on the line (Score:2)
The power grid has manual off switches on the lines
Sensors (Score:4, Insightful)
would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack
How will the "sensors" communicate with the NSA while being attacked? The internet?
why is the grid and nuclear plants on the Net anyw (Score:2)
Why are the grid and nuclear plants on the Net anyway?
boondoggle (Score:4, Interesting)
A single flaw in a common security architecture is a pervasive vulnerability, whereas a heterogeneous system is robust to targeted attacks.
They would do better to solicit bids for multiple systems from private contractors and place the NSA as well as the public security community in the roles of auditors. That would also allay concerns about covert monitoring by the NSA.
Open-sourcing the product and allowing public audits is advantageous because what is sometimes obscured by "security through obscurity" is that foreign operatives have covertly horked your source code and analyzed it for vulnerabilities.
What FEMA did for Katrina and the EPA did for the Gulf oil spill this program will do for online security: create an ineffective program which creates a false sense of protection, displacing genuinely effective protective measures. I am not saying that there is no role for government here, but rather that the roles played by government are typically either useless or harmful and it would be nice if it took a different approach; give the Harvard MBAs and MIT and Caltech Ph.D engineers working at Cisco and IBM opportunities to innovate and place the government and public in the role of customers holding contractors accountable for supplying quality products.
Re: (Score:2)
A single flaw in a common security architecture is a pervasive vulnerability whereas a heterogeneous system is robust to targeted attacks.
Agreed, however, given the way software is procured and "certified" for security by the government, that is the least of the problem. Secure software in the government requires motivated players who will work around the security regulations in order to get secure software, and the NSA is one of the few branches of government that seems motivated.
They would do better to solicit bids for multiple systems from private contractors and place the NSA as well as the public security community in the roles of auditors.
In theory that sounds great, but in practice do you have any idea how nightmarish that would be for people who are actually trying to create a secure system?
I am not saying that there is no roll[sic] for government here, but rather than the rolls[sic] played by government are typically either useless or harmful and it would be nice if it took a different approach; Give the Harvard MBAs and MIT and Caltech Ph.D engineeers working at Cisco and IBM opportunities to innovate and place the government and public in the role of customers holding contractors accountable for supplying quality products.
Have you d
Re: (Score:2)
it would be nice if it took a different approach; give the Harvard MBAs and MIT and Caltech Ph.D. engineers working at Cisco and IBM opportunities to innovate
Dude, where's the money in that? Raytheon for the win.
I guess (Score:2)
Like as in also (Score:2)
Let's make a deal (Score:2)
I'll let the NSA put spyware on some of my computers, *if* they let me target a Tomahawk missile at my least-favorite spammer once or twice a year.
It is time to start a new country... (Score:2)
That actually has freedoms.
Sooner or later, every entrenched government becomes corrupt. As was seen back in the days when you couldn't fight the corrupt system, you left, formed a new country and then grew into a power that eventually becomes corrupt and then a section of your people leave and the process starts anew.
The United States has reached the stage that a segment of the population needs to leave and form a new country. Unfortunately, I believe we've run out of land. Used to be you could expand into
Ve need morrre orrrderrr. (Score:2)
the CORRECT solution is to never have critical infrastructure exposed to the Wacky Wacky Webbiepoo.
the old saw is still correct... the only secure computer is deep underground in a vault. no power. no wires. encased in concrete. access to the borehole up top guarded by crew-served weapons.
it is an INCORRECT solution to put critical infrastructure on the Wacky, with spies and lies draped all around it.
this means your "smart grid," folks, is megatard.
Re: (Score:2)
Your fly is open.
You're welcome.
Why am I paying for it? (Score:2)
Seriously.
People breaking into a private company is a private company's problem to prevent.
If they catch someone breaking in, they can report it to the police. Who will probably say something like "we don't do that", which is what they've told me every time I've reported a crime.
How do we feel about NSA spyware (Score:2)
Like we get a choice. It's already out there. This just brings it out into the open to serve as a deterrent.
Re: (Score:2)
>>>monoculture of insecurity.
"Monopoly" is the word you're looking for, and an Uncle Sam monopoly is no better than a Comcast monopoly. On the contrary: It's worse.
>>>future exploits will involve DOS by getting the NSA sensors to trip
And of course the failure of the government to secure the net will be used as proof that we need more, not less government.
Re:but.. Citizen (Score:2)
What if a person goes on a rampage in a school and shoots up people. Well, we investigate, charge, and try and hopefully convict. The presumption of innocence prevents pre-emptive actions. We seem more and more to cater to Cheneyesque fears (where, if I remember right, he said if there is as little as a 2% chance something bad is going to happen, we take pre-emptive steps or something like that, and we invade a country with our citizens losing their lives and thousands suffering.. good work Dick). This gettin
Re: (Score:2)
heartbeat signals?
"hmm, node 1642 hasn't reported in over 30 seconds, better kill off that subnet"
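The two failure modes raised in this thread (how do sensors report while the network is under attack, and what stops an attacker from tripping the sensors to cause a denial of service) both come down to how a collector interprets heartbeat silence. The sketch below is an added example written for this page; it is not code from "Perfect Citizen" or from any real sensor product, and the node ids, shared key, 30-second interval and three-interval escalation threshold are all constructed assumptions. It authenticates each heartbeat with an HMAC so a forged or replayed beat cannot mark a node healthy, and it deliberately maps a missing heartbeat to "degraded"/"alert" rather than to any automatic isolation action, because from the collector's side a cut link, a DoS against the sensor and an attack on the node all look identical.

```python
"""Heartbeat watchdog for network sensors that treats silence as
'unknown', never as proof of attack.  Added example for this thread;
not code from any real program.  Key, node ids and thresholds are
constructed for illustration."""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key"   # assumption: per-sensor keys in real use
TIMEOUT = 30.0        # seconds without a valid beat before a node is 'degraded'
ESCALATE_AFTER = 3    # missed intervals before a human-facing alert
MAX_SKEW = 5.0        # reject beats whose timestamp is far from the receiver clock


def make_beat(node: str, seq: int, ts: float, key: bytes = SHARED_KEY) -> bytes:
    """Sensor side: JSON body plus HMAC-SHA256 tag, separated by '|'."""
    body = json.dumps({"node": node, "seq": seq, "ts": ts}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class HeartbeatMonitor:
    def __init__(self, key: bytes = SHARED_KEY, timeout: float = TIMEOUT,
                 escalate_after: int = ESCALATE_AFTER):
        self.key = key
        self.timeout = timeout
        self.escalate_after = escalate_after
        self.last_seen = {}   # node -> (seq, receive time) of last valid beat
        self.rejected = []    # (reason, raw) kept for forensics

    def ingest(self, raw: bytes, now: float) -> bool:
        """Accept a beat only if its MAC verifies, it is fresh and its
        sequence number advances; otherwise record why it was rejected."""
        body, _, tag = raw.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            self.rejected.append(("bad_mac", raw))
            return False
        msg = json.loads(body)
        if abs(msg["ts"] - now) > MAX_SKEW:
            self.rejected.append(("stale", raw))
            return False
        prev = self.last_seen.get(msg["node"])
        if prev is not None and msg["seq"] <= prev[0]:
            self.rejected.append(("replay", raw))
            return False
        self.last_seen[msg["node"]] = (msg["seq"], now)
        return True

    def evaluate(self, node: str, now: float) -> str:
        """Classify one node from its last valid beat.  Silence escalates
        only as far as 'alert' (confirm out of band); it never returns an
        isolate/kill action, so tripping the sensor cannot cause an outage."""
        seen = self.last_seen.get(node)
        if seen is None:
            return "unknown"
        missed = int((now - seen[1]) // self.timeout)
        if missed == 0:
            return "healthy"
        if missed < self.escalate_after:
            return "degraded"
        return "alert"

    def fleet_view(self, now: float) -> dict:
        """Many nodes going silent together points at the collector's own
        link (or a DoS against the sensors), not at a coordinated attack on
        every node; surface that distinction instead of acting per node."""
        states = {n: self.evaluate(n, now) for n in self.last_seen}
        silent = sum(1 for s in states.values() if s != "healthy")
        total = len(states)
        if silent == 0:
            verdict = "nominal"
        elif silent * 2 >= total:
            verdict = "widespread_silence"   # suspect collector link first
        else:
            verdict = "localized"
        return {"states": states, "silent": silent, "total": total, "verdict": verdict}


if __name__ == "__main__":
    m = HeartbeatMonitor()
    m.ingest(make_beat("node-1642", 1, 1000.0), 1000.0)
    m.ingest(make_beat("node-1643", 1, 1000.0), 1001.0)
    for t in (1010.0, 1045.0, 1095.0):
        print(t, m.fleet_view(t)["verdict"], m.evaluate("node-1642", t))
```

The point of `fleet_view` is the caveat the thread raises: a collector that reacts per node to a missing beat hands an attacker a free denial-of-service lever (cut the sensor's uplink, watch the automated response fire), so the response to silence should be an alert that a human confirms over a separate channel, and a burst of simultaneous silence should first be read as "our reporting path is down".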