Forgot your password?
typodupeerror

Comment: Re:Blatant corruption (Score 1) 63

This is true up to a point. The rules are in place to keep those things from becoming so excessive that they turn into abuse. That said, easy and informal working relationships - within the bounds of law - also positively influence regulated environments by reducing misunderstandings, enhancing willingness to work through issues, assuring that the regulated and regulators start from much more similar conceptual pages, and improving the overall effectiveness and applicability of future regulations. It's an issue with mixed values; coming down on the overly formal and legalistic side of it can be just as damaging as the opposite to the ultimate objective of regulation - safer, fairer, more effective industries.

Comment: Article and Associated Reports Misunderstand (Score 2) 95

by jofny (#46761997) Attached to: Lack of US Cybersecurity Across the Electric Grid
That article and the sources it references fatally misunderstand both the nature of cybersecurity as a large scale problem space and the paths to improve the situation.

First, cybersecurity is inherently a business management problem - how the business itself operates is what introduces vulnerable systems (whether through purchasing decisions, operating maturity, development, HR, market timing, financial trade-offs, user awareness and responsibility management etc.). Even if the rate at which those vulnerabilities are introduced by the business remains constant, increasingly connected and complex systems assure that the vulnerable space will increase is the overall business - not just the dedicated cybersecurity functions & capabilities are improved. It will become, if it hasn't already, functionally impossible to resource cybersecurity in a way that keeps risk down to limits we find acceptable. In other words, train up all the security people you want and create all the security specific standards you can - unless you standardize and base business environments into predictable patterns, those security efforts will continue to fail.

Second, because of the deeply embedded business nature of the problem (only the symptoms of which are really technical), any external organization that comes in to try and help "fix it" will face substantial challenges - telling an independent organization that it must change the way it makes money fundamentally in order to meet theoretical and apparently-to-non-security-folks abstract risks doesn't go far quickly and involving government in any way assures that the conversation will stay as log jammed as it has been. There has to be a DEEP culture change that involves planning for long term business maturity, and that is almost antithetical to the culture in the U.S.

Third, there ARE organizations and programs that are and have been attempting this. This stuff isn't "new", just the reporting on it is - journalists rarely investigate this stuff beyond what it takes to write a succulent story. (I work for one of those organizations.)

Fourth, for all of the talk about all the "attacks against the grid" as opposed to other attacks, there is almost no information provided of useful analytical value. How much are other sectors looking? What kind of attacks are these? Real? Automated? A function of being on the internet at large? Etc. etc.

Finally, for all you "air gap" people - get with reality. There are no air gaps. Anywhere. Data moves across systems - whether they are connected by technology or not. If you're someone who is seriously attempting to interfere with critical infrastructure operations, you know this, know how to exploit it, and have the time/resources to do so.

Comment: Re:Actual Report Here (Score 1) 137

by jofny (#42946803) Attached to: Security Firm Mandiant Says China's Army Runs Hacking Group APT1
The releasing of that many indicators and this information a)Puts Mandiant as a business and as individual employees at risk of retaliation and b)Means that the Chinese will change their tactics away from the indicators that have been released, so Mandiant and their clients will have *less* visibility than they had before. The report was released for the common good, IMO.

Comment: Re:5th domain of warfare. (Score 1) 115

by jofny (#39040557) Attached to: "Cyberwar" As a Carrot For Those Selling the Stick
Territory control is only a side effect of most wars. Most of the time, territory is gained for resources or to take away resources. There are other resources to take away or gain that are not geographically based - clear threat to financial stability is a simplistic example. That will certainly, through force, have the other side closer to suing for peace.

Air only (or officially air only) wars are a great counter example. You're not really taking territory, but controlling it. Why are you controlling it? To influence the enemy: Deny them freedom to move, to cause casualties, to damage production capability, etc, etc, etc in order to achieve a political objective. All of those are accomplishable almost exclusively in the cyber domain for some set of possible objectives.

Choosing to define something out of existence by using a purist definition defies how things work. More often, domains and tactics are blended together (air, sea, land, space, cyber) to achieve, by force, political objectives. Sabotage is part of war, as is espionage, as is subversion.

If the point was "there are no cyber-only wars", I don't believe it, but it's tenable (as is "there are no air only wars" - there is always ground support and/or ground effect). But that's not what the point of "carrot for those selling the stick" is. Whatever your definition of "war" is, several facts remain:

You can achieve kinetic, financial, and political effect using cyber only means; There is activity by nation states to use force in the cyber domain; Military organizations have already used cyber attacks in kinetic conflicts to help them achieve their aims against other military organizations.

You don't have to call any of these (or the sum of their implied possibilities) "cyberwar", but that doesn't mean the threats, vulnerabilities, or consequences are being hyped up either.

Comment: 5th domain of warfare. (Score 1) 115

by jofny (#39037023) Attached to: "Cyberwar" As a Carrot For Those Selling the Stick
Not believing in cyber war is like not believing in air war, sear war, land war, or space war.

Computers have tangible effects on our culture, our economics, our politics, and our military. We all know this.

Computer systems are broken into regularly, we all know this (go google a list of known data breaches, for example).

"Someone" (for this purpose it doesnt matter who) has used code to manipulate physical controls of industrial equipment (possibly for politics/military reasons). We all can see this (see: Stuxnet)

Cyber attacks have their own logical benefits that don't really need proof, they exist by definition (can be executed, remotely, relatively difficult to attribute, can reach multiple geographically separate locations at once, etc).

So, to deny "cyber warfare" here is a lot like saying "I know the enemy can reach out assets this way, I know they can impact us this way, Ive seen lesser versions of it in action so I know it could work if there was political will....but I havent actually SEEN anyone use ballistic nuclear weapons so the threat must not be there".

(And this is assuming there isnt any evidence for it, which is itself debatable. But if you can prove the likelihood and possibility given the right motivations, the difference in position if there is/isnt evidence of it *currently* going on doesn't amount to much. Defensive and offensive pre-positioning should be the same.)
Security

The DNSSEC Chicken & Egg Challenge 77

Posted by CmdrTaco
from the not-tonight-i-have-a-headache dept.
wiredmikey writes "To begin DNSSEC implementation or not: that is the question facing a host of enterprises, notably any that engage in e-commerce or online financial transactions (online retailers, banks, investment firms, hospitality and travel, etc.). These businesses find themselves in a catch 22; there are obvious security benefits to adopting Domain Name System Security Extensions or DNSSEC, but there are some severe downsides to being too early in the adoption curve – downsides that are becoming more and more apparent every day. While DNSSEC is getting rave reviews for successful deployment at the foundation levels of the DNS, problems are lurking just ahead, since very few widely utilized end-user applications are able to actually utilize DNSSEC at all. Simply put, DNSSEC can only work if it is supported throughout the hierarchy from publisher to visitor..."
Worms

Stuxnet Worm Infected Industrial Control Systems 167

Posted by Soulskill
from the going-for-the-gusto dept.
Sooner Boomer writes "ComputerWorld has an article about the Stuxnet worm, which was apparently designed to steal industrial secrets and disrupt operations at industrial plants, according to Siemens. 'Stuxnet has infected systems in the UK, North America and Korea, however the largest number of infections, by far, have been in Iran. Once installed on a PC, Stuxnet uses Siemens' default passwords to seek out and try to gain access to systems that run the WinCC and PCS 7 programs — so-called PLC (programmable logic controller) programs that are used to manage large-scale industrial systems on factory floors and in military installations and chemical and power plants.' If the worm were to be used to disrupt systems at any of those locations, the results could be devastating."

Comment: Re:oh, please (Score 1) 147

by jofny (#32803108) Attached to: TSA Internally Blocking Websites With 'Controversial Opinions'
I fully expect /. to be blocked by TSA there
Ionno - No one gave a crap that I looked at Slashdot when I worked there. Good job taking a poorly worded bureaucratic ass-covering and attributing Dan Brown levels of +eleventy-billion conspiracy powers to it. And feel free to jump to my website, resume, art site, whatever for a pretty decent counter-example to your a$$-hattery here.

//God, some people, they do need babysitters and soft walls.
Image

Anti-Speed Camera Activist Buys Police Department's Web Domain 680

Posted by samzenpus
from the I-bought-the-law dept.
Brian McCrary just bought a website to complain about a $90 speeding ticket he received from the Bluff City PD — the Bluff City Police Department site. The department let its domain expire and McCrary was quick to pick it up. From the article: "Brian McCrary found the perfect venue to gripe about a $90 speeding ticket when he went to the Bluff City Police Department's website, saw that its domain name was about to expire, and bought it right out from under the city's nose. Now that McCrary is the proud owner of the site, bluffcitypd.com, the Gray, Tenn., computer network designer has been using it to post links about speed cameras — like the one on US Highway 11E that caught him — and how people don't like them."

A committee is a group that keeps the minutes and loses hours. -- Milton Berle

Working...