How America Will Improve Its Cybersecurity (politico.com) 119
Politico writes:
President Joe Biden on Wednesday ordered a sweeping overhaul of the federal government's approach to cybersecurity, from the software that agencies buy to the security measures that they use to block hackers, as his administration continues grappling with vulnerabilities exposed by a massive digital espionage campaign carried out by the Russian government... Biden's order requires agencies to encrypt their data, update plans for securely using cloud hosting services and enabling multi-factor authentication...
It also creates a cyber incident review group, modeled on the National Transportation Safety Board that investigates aviation, railroad and vehicle crashes, to improve the government's response to cyberattacks. And it sets the stage for requiring federal contractors to report data breaches and meet new software security standards.
The directive, which sets deadlines for more than 50 different actions and reports, represents a wide-ranging attempt by the new Biden administration to close glaring cybersecurity gaps that it discovered upon taking office and prevent a repeat of Moscow's SolarWinds espionage operation, which breached nine federal agencies and roughly 100 companies... In addition to requiring agencies to deploy multi-factor authentication, the order requires them to install endpoint detection and response software, which generates warnings when it detects possible hacks. It also calls for agencies to redesign their networks using a philosophy known as zero-trust architecture, which assumes that hackers are inside a network and focuses on preventing them from jumping from one computer to another... Officials say current federal monitoring programs are outdated — they can only spot previously identified malware, and they can't protect increasingly pervasive cloud platforms...
Biden's executive order attempts to prevent another SolarWinds by requiring information technology service providers to meet new security requirements in order to do business with the federal government. These contractors will need to alert the government if they are hacked and share information about the intrusion.
The order "reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security," one senior administration official told reporters. The order notes "persistent and increasingly sophisticated malicious cyber campaigns" that "threaten the public sector, the private sector, and ultimately the American people's security and privacy," calling for "bold changes and significant investments."
But the order also argues that "In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is..." warning that "The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors." To that end, the order also requires guidelines for a "Software Bill of Materials" or "SBOM," a "formal record containing the details and supply chain relationships of various components used in building software... analogous to a list of ingredients on food packaging." [A]n SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability. A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration. The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.
ZDNet reports that "the Linux and open-source community are already well on their way to meeting the demands of this new security order," citing security projects in both its Core Infrastructure Initiative (CII) and from the Open Source Security Foundation (OpenSSF).
It also creates a cyber incident review group, modeled on the National Transportation Safety Board that investigates aviation, railroad and vehicle crashes, to improve the government's response to cyberattacks. And it sets the stage for requiring federal contractors to report data breaches and meet new software security standards.
The directive, which sets deadlines for more than 50 different actions and reports, represents a wide-ranging attempt by the new Biden administration to close glaring cybersecurity gaps that it discovered upon taking office and prevent a repeat of Moscow's SolarWinds espionage operation, which breached nine federal agencies and roughly 100 companies... In addition to requiring agencies to deploy multi-factor authentication, the order requires them to install endpoint detection and response software, which generates warnings when it detects possible hacks. It also calls for agencies to redesign their networks using a philosophy known as zero-trust architecture, which assumes that hackers are inside a network and focuses on preventing them from jumping from one computer to another... Officials say current federal monitoring programs are outdated — they can only spot previously identified malware, and they can't protect increasingly pervasive cloud platforms...
Biden's executive order attempts to prevent another SolarWinds by requiring information technology service providers to meet new security requirements in order to do business with the federal government. These contractors will need to alert the government if they are hacked and share information about the intrusion.
The order "reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security," one senior administration official told reporters. The order notes "persistent and increasingly sophisticated malicious cyber campaigns" that "threaten the public sector, the private sector, and ultimately the American people's security and privacy," calling for "bold changes and significant investments."
But the order also argues that "In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is..." warning that "The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors." To that end, the order also requires guidelines for a "Software Bill of Materials" or "SBOM," a "formal record containing the details and supply chain relationships of various components used in building software... analogous to a list of ingredients on food packaging." [A]n SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability. A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration. The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.
ZDNet reports that "the Linux and open-source community are already well on their way to meeting the demands of this new security order," citing security projects in both its Core Infrastructure Initiative (CII) and from the Open Source Security Foundation (OpenSSF).
Betteridge's law applies, probably (Score:4, Insightful)
Re: (Score:2)
Betteridge only works on binary questions. "How" is multiple-choice.
Re: (Score:2)
Only if it presents choices. Otherwise it is an open ended essay.
Re: (Score:2)
But Betteridge's law is supposed to apply to headline questions, and that headline is worded as a statement.
However, if you do reword it as a question, it becomes "How will America improve its cybersecurity?"
In that form the answer is "No" because the assumption of the question is false. Ain't gonna happen.
Now if you're looking for a joke, how about blaming Al Gore? Criminals are always following the money, but Al told them not to worry about the money when they were designing the Internet, and they didn't,
Re: (Score:1)
But Betteridge's law is supposed to apply to headline questions, and that headline is worded as a statement.
However, if you do reword it as a question, it becomes "How will America improve its cybersecurity?"
In that form the answer is "No" because the assumption of the question is false. Ain't gonna happen.
Now if you're looking for a joke, how about blaming Al Gore? Criminals are always following the money, but Al told them not to worry about the money when they were designing the Internet, and they didn't, and now we have all these cybercriminals chasing after the money they didn't care enough to worry about. If they had considered the money in the first place, it's possible we wouldn't be in this mess. Or maybe not, but I'd still defy the situation to be worse.
How can you blame AI hype for something this fundamental, network security, and not blame an environment were "routing and routing protocols.." were considered obsolete at one time since "we now have an application layer..."?
Re: (Score:2)
Pretty hard to figure out what you are trying to say, but I'm guessing you mean Al Gore was hyping the Internet to Congress rather than hype about AI = Artificial Intelligence. But even with that guess, your question is not clear. Do you want to reword or explain it? Or should I try to lead back to the "Follow the money", don't ignore it side?
Re: (Score:2)
Sure, but some extension to samba that would easily allow for end-user file decryption with a security key would go a very long way to eliminating exfiltration threats and minimizing encryption ransomware. Network take-over is harder to address, as is management engine takeover of existing systems (at least to my imagination).
Re: (Score:2)
Re: (Score:2)
It will be interesting to see when someone takes it up. The technical side is minimal beyond client support of course. A few applications that store a bunch of temporary files on a samba share (or need to access dozens of linked files) might be a bit more work to address.
Re: (Score:1)
Re: (Score:1)
Paying ransomware demands seemingly (Score:1)
Re: (Score:1)
If you dont make it part of the requirements of software deployment and procurement, then no one will ever give a shit and the problem will get worse and worse. If there is legislation providing a set of guidelines to adhere to then at least at some point it may/should come to someones mind when working on government software and when looking at vendors software
Its better than just throwing up your hands and abdicating responsibility and pretending like its not a problem and never address it. Also it provi
Require open source for government operations (Score:5, Insightful)
I'm a Windows guy to be sure but when it comes to government I feel those systems should be built on open source software as much as possible and if something doesn't exist put some funding towards developing it. Hell develop a "federal distro" of BSD or Linux for government workstations. The damn NSA helped develop SELinux. I think the history has proven itself clear that the open source solutions that are the backbone of much of our internet infrastructure have borne out to be far more secure than the industry solutions. Seems like for every Heartbleed there are 10 large flaws in closed source software. Never mind the cost savings and that saved money could easily fund long term development of these important systems.
I'm probably pipe-dreaming here and at the least this would be a decades long process but I think for government operations it's the moral and practical thing to do but I am positive the smarter people here can come up with some problems with this. I think it's an ideal worth pursuing.
Re: (Score:1)
Re: Require open source for government operations (Score:2)
Oh I agree. I suppose you would do a top down approach, do the servers and critical functions first and then work down to workstations last.
Frankly I don't think MS could stop that and I've always thought it would be a good idea for a Linux distro to just copy the Windows 7 GUI and systems as closely as possible as a transition OS for us gullible Windows users.
For the government I think so long as things are standardized people will catch on, it's their job after all. Don't some departments still work on
Re: (Score:2)
And here's the problem advocates will face. Kind of what nuclear energy faced. Everyone talking a good game about how their solution is the best. But once the problems started advocates didn't look quite so shiny and new. Much doubt was sown, and people went with alternatives. In the case of nuclear it was renewables. In the case of Linux it will be OpenBSD. ;-)
Re: (Score:1)
Do you think Microsoft would be upset if the govt. started using Linux with a Windows-clone desktop?
If it was better and cheaper overall, organizations would switch to it.
Re: (Score:1)
I remember when they went from WIndows 95 to XP, then XP to win 7. Some people made a real big deal out of it. OMG, I don't know what to do now. Some win users are so dumb that they have to have an icon to do their work. Even if that icon is simply running putty, using port 24 and connecting to server X. Really. Change the server and you'd have to have someone go to the idiot's machine and change the icon. You can't talk them through it on the phone.
I think some people milk it for all it's worth so they don
Re: (Score:3)
when it comes to government I feel those systems should be built on open source software as much as possible
But this has been tried, numerous times. I mean, over probably the last two decades there has been a constant drumbeat of various jurisdictions across the world proudly announcing their liberation from Microsoft. They always fail, partly because of interop issues with parts of the government that haven't been migrated yet, but mostly because of the four trillion legacy apps that would need conversion. https://www.nextgov.com/cio-briefing/2016/05/10-oldest-it-systems-federal-government/128599/ [nextgov.com] is old but sti
Re: (Score:2)
According to that GAO list, taking the naively optimistic view that the projects slated for upgrade 5 years ago actually completed, it would be cheaper, less bug-prone, and more effective - to close down the IRS.
Re: (Score:2)
Projects like JEDI that pull all the legacy stuff into the cloud have ... some hope. I won't say I have any optimism, but I think this approach has a better chance of success than
Re:Require open source for government operations (Score:4, Funny)
Normally I'd say "if it ain't broke, don't fix it". Over my years I've become a much bigger fan of stability and resiliancy over new features. However, 50 year-old assembly code on an IBM mainframe fits the definition of "please describe programming in Hell".
I took an assembly language programming class in community college back in 1987 and it was on an IBM 4381. The teacher's day job was at Martin Marietta and I remember his comments clearly. "First thing when hired as an assembly programmer is remove ALL THE COMMENTS. Nobody will understand how anything works and you now have a job for life."
Re: (Score:3)
I took an assembly language programming class in community college back in 1987 and it was on an IBM 4381. The teacher's day job was at Martin Marietta and I remember his comments clearly. "First thing when hired as an assembly programmer is remove ALL THE COMMENTS. Nobody will understand how anything works and you now have a job for life."
My first salaried job in 1994 was at a little software company whose principal product was a DOS (later Windows) disk encryption and file protection utility. It consisted of a custom bootsector (asm), a DOS .SYS driver (asm), a DOS .COM TSR (asm) and a setup/install/uninstall utility (MS C 6.0). Later, there was a VxD (protected-mode 386 asm, a lot of reverse-engineering of undocumented protected-mode INT 21h APIs in Windows for Workgroups 3.11 and Win95 on my part went into that). All the DOS code was ridd
Re: Require open source for government operations (Score:3)
I am also an open source advocate, like you, but I think itâ(TM)s fair to say that neither open source, nor would just publicly releasing or maintaining the source code would solve the issue being presented.
I think the main issue that windows machines are almost always the target is because, in enterprise environments, they are ubiquitous. I have worked for years in some of the largest companies in the US, and Linux and MacOS devices, while they exist, are probably about less a percent of all the machi
Re: (Score:1)
The improvements seem very sensible and logical. (Score:5, Insightful)
Quote from the Slashdot story:
... the order also requires guidelines for a "Software Bill of Materials" or "SBOM," a "formal record containing the details and supply chain relationships of various components used in building software... analogous to a list of ingredients on food packaging."
Re: (Score:2)
So what is on my software bill of materials for my OS? On my old Solaris 9 servers a base install had the SUNWbnuu and SUNWtnetd package which provided things like uucp and telnetd which weren't even needed 20 years ago. Modern system have way too much in their "core" and that needs to be trimmed down a bunch. The BSD team removed Bash, Perl and Python from the base package and that didn't cause too much pain but the base still has a full development system on it which isn't need on production servers. M
Re: (Score:3)
So what is on my software bill of materials for my OS?
This isn't just about the OS and it's DEFINITELY not just about the very light and simple situation of an easily-updatable, easily-inspectable piece of software sitting on the hard disk of a general-purpose computer.
The purpose of the SBOM is to provide a list of versioned code packages that you have included in your software, so that when a vuln is announced, your customer can immediately know which systems are affected. But this doesn't simply mean "Linux packages" or "Microsoft updates". It also refers t
Stop using commodity software (Score:3, Interesting)
Re:Stop using commodity software (Score:5, Insightful)
So, security through obscurity, then?
Re: (Score:2)
Go back to 3270 style terminals and this shit would go away overnight.
Re: (Score:1)
Re:Stop using commodity software (Score:5, Insightful)
Daftest thing I've read today.
Let's see, you've suggested not utilizing: COTS, software libraries, OSX, Linux, Win, API functionality, commodity hardware, connectivity, **THE INTERNET**, videoconferencing (camera/mic). Tell me how a typical day's work for governmental/clerical staff will occur, by all means. Who'll write this code? Who'll keep anyone from pen-testing your fever-dream of government-proprietary apps once they're distributed to hundreds of thousands of staff systems?
And you admit to having been unsuccessful in blocking ransomware. Hmm.
Re: (Score:1)
FAIL (Score:1)
Don't take my word, just check Migs and Mils they have on U.S. testing ranges.
Re: Stop using commodity software (Score:2)
Security is an illusion..... (Score:5, Interesting)
Security is an illusion, mostly propped up by vendors selling security products.
You don't buy security, you earn it by making it a priority.
Most companies are amazed when a server stops working because the filesystems filled up.
I am amazed that companies can have gigabytes of data uploaded yet no one notices anything.
We could start by unplugging China and Russia from the Internet to give us some time.
What I see changing is that insurance companies are sick of paying out of cybersecurity issues and dropping policies on renewal.
Unfortunately, I think that insurance companies are the only thing I can see driving real change since real change requires hiring competent people to be on guard.
Re: (Score:1)
Re: (Score:2)
. . .and telling everyone, ***even in the C-suite***, that, no, they do not need admin/root and software install rights on their boxes. And so what if the CEO likes Macs, if it's the only one in a Windows network (I worked in a place with exactly that situation. The CEO had a dedicated tech, as he was also something of a walking PEBKAC error. . . .)
For that matter. pushing out desktops and servers that don't have things like Telnet and FTP installed. After all, they already go without Solitaire and Mine
Maybe Use Up To Date Software (Score:5, Interesting)
Stop the greed. You guys already pay these IT guys a hell of a salary so let them do their job. Bitching about paying for up to date software when you pay you execs multi million dollar wages then cheap out on IT needs is fucking ridiculous.
This is my tax money going to waste.
When is our population going to demand these assholes to be fired?
Re: (Score:3)
Still not a panacea. Updated package of developer gets compromised and you have a real-time attack vector. Also, the obscene number of “appliances” requiring trust of third and fourth parties to an agreement.
Re: (Score:2)
Calm your fears. Paranoia about what happened from a university with Linux updates doesn't mean you can go off the deep end about everything to do with IT.
They make medication for those who are overly paranoid. Try some!
Re: (Score:3)
The university case is far from the first example— how many times has node.js been compromised? There are three or four other widespread packages that have had similar issues. Not to mention thet whole issue of mobile apps that get sold and the new owner turns them into malware.
The appliances are really what makes me paranoid though.
Re: (Score:2)
While I also decry the stupidity of some IT departments (there's a lot of people in there who can read and quote the latest issue of some IT magazine, but don't know TCP from HTTP), one cannot simply blame the IT department for all security problems. And security isn't just about using the latest version all the time.
Individual departments tend to select software, and they often pick products without regard to security. Maybe the billing department selects something that meets all the needs of a good bill
Re: (Score:3)
When is our population going to demand these assholes to be fired?
When the population itself, on average, becomes smart enough; in other words, never.
Re: (Score:1)
Let them do their jobs and listen to the security people. I was a very well paid security guy for decades. Time and time again they refused to do what was recommended industry wide. "It'll break something." Even for something like Windows NTLM that was a joke in 2013. I know of an agency that still runs that. Refuses to get rid of it. Probably won't until at least 2024. "Too hard to get off of our legacy 2008 servers."
What happens if something happens? Oh yea, that's what you recommended. Even if it's again
I'll believe it when they quit buying MS products. (Score:1)
Windows is not, has never been, and will never be securable. Using it in any mission-critical application is egregious incompetence.
Re:I'll believe it when they quit buying MS produc (Score:5, Insightful)
Wrong. It is the user not the software. Just because morons don't know how to secure Windows doesn't mean its insecure.
Troll somewhere else.
Re: (Score:2)
Wrong. It is the user not the software. Just because morons don't know how to secure Windows doesn't mean its insecure.
"Oh, it's behind the firewall, so I can just accept the AD defaults."
And that makes my job so much easier
Re: (Score:2)
Wrong. It is the user not the software. Just because morons don't know how to secure Windows doesn't mean its insecure.
You do realize that it is literally impossible for the user to secure Windows ... right?
Even if the user has Administrator level access, They do not have System access and it would be absurd for them to even try. They also do not have the source code, so they can't attack the security issues through that avenue.
Maybe you could enlighten everyone as to how you expect a user to secure anything? Training users not to do dumb things is a part of Security and it is the only thing a typical user can do. How would
Re: (Score:2)
My Windows is pretty secure, so maybe you need some help or do some more research. I've been a user since Windows 3.1 and only ever had 1 nasty infection and that was my own fault for playing with some nasty programs back in the Windows 98 days.
No ransomware, no one breaking in and taking over my machine, nor anything else that folks have issues with.
BTW.. It is impossible to secure a house too, but you do the best you can.
Re: (Score:2)
My Windows is pretty secure
It is adorable that you have that impression.
No ransomware, no one breaking in and taking over my machine, nor anything else that folks have issues with.
Well, at least we know *why* you think that your Windows installation is secure.
My various jobs throughout the years have all included various aspects of "trying to secure Windows". I should probably ought to retire and let a genius like you take over my responsibilities. After all, you have not really had any issues, so why would anyone else?
Let's examine the "monthly patches" for a second. Some of those patches are to fix things that are already being exploited
Re: (Score:2)
Security is just as much reliant upon the users actions as it is the OS vulnerabilities.
No OS in the world is going to be secure if the user is an idiot.
But since you are trolling, I will just say go ahead and write your book. I doubt it will sell well, if at all :)
Re: (Score:2)
Security is just as much reliant upon the users actions as it is the OS vulnerabilities.
No OS in the world is going to be secure if the user is an idiot.
While there is a lot of discussion to be had, I will generally go along with this statement. On its surface, it is a reasonable statement.
But since you are trolling, I will just say go ahead and write your book. I doubt it will sell well, if at all :)
You have an unpleasantly eventful life facing you if any information that contradicts your world view is considered trolling. You can not learn anything if your mind is closed.
There are already plenty of books out there detailing how Microsoft couldn't secure their way out of a wet paper bag. I doubt that my writing prowess is as vaunted as theirs, so I won't actually try
Re: (Score:2)
Microsoft's been trying to secure that pile of shit for how many decades now?
They haven't. If they try, their corporate customers will pitch a fit that desktops can't be managed remotely by one H-1B IT guy sitting in the next state.
Millions LOC (Score:1)
seL4 is just 17kloc and PROVEN memory safe.
An exploit in a subsystem will pwn only the subsystem(say TCP stack), not the entire machine
https://fgw.ddnss.de/L4gegenue... [ddnss.de]
Now if we combine this with memory safe languages, actually secure computers could emerge.
The government will not allow us to improve it (Score:2)
Re: (Score:2)
+1 to this, law enforcement at every level from local police departments through to federal agencies as well as intelligence agencies are all hoarding and using vulnerabilities rather than sharing them.
Even school districts are buying cellphone exploit tools from manufacturers like Cellebrite.
How will America improve Cybersecurity (Score:1)
Sadly, it won't (Score:5, Insightful)
It falls to me to point out the elephant in the living room here on /.:
Geeks don't run the world. MBAs do. MBAs think, "Your cyber see-cure-it-tee thing or my bonus..."
Re: (Score:2)
MBAs think, "Your cyber see-cure-it-tee thing or my bonus..."
See Cureitee: "Hey, you give me choices..."
MBA: "But, but, you took the wrong choice! And my poor bonus..."
See Cureitee:"Shoulda thought of that before you started handing out options. In other words, this is your fault. Now if you'll excuse me, I've got to go draft my report for the PHB. He'll want to know why you configured our security to be dependent on bonuses."
Perhaps that's how we get rid of MBAs.
Simple: Treat cyberattacks like an act of war (Score:4, Funny)
Re: (Score:3, Interesting)
Not that attribution can ever be 100% without admission by the actor, but would you guess that 50% of cyber attacks are from private hackers with loose connections to the government who benefits from the attack? Where exactly do you send the military *to*?
Welcome to the world of armchair observation of asymmetric warfare.
Re: (Score:2)
Here's the simplest way to improve cybersecurity: Treat every cyber attack as if it were an act of war. Hackers broke into a federal system? Treat it no differently than Pearl Harbor or 9/11. Send out the military. That's the best deterrent.
Actually, yeah.
We tend to have a weird attitude about cyber security. It's not really a door's fault that an axe can get through it. That's why we have laws and police.
Re: (Score:2)
Here's the simplest way to improve cybersecurity: Treat every cyber attack as if it were an act of war.
I was discussing this with some acquaintances right after Darknet said "Aaaand it's gone".
You could make a case that says "Russia harboring infrastructure vandals is the same as .af harboring terrorists. This was a WTC attack grade incident, we will respond similarly". Critical difference in this case is that the countries whence these criminals are believed to operate (primarily ru, cn, kp) are not resource-poor countries with which we barely have a relationship and which have no way of getting kinetic w
Oh! (Score:3)
After you've had a few government databased hacked, putting thousands at risk (and offering them little more than a few years of credit monitoring); after a pipeline gets hacked, NOW it's security is an issue.
Know where their priorities are.
Give the bad guys money (Score:1)
Danegeld ? (Score:1)
I didn't notice (Score:1, Offtopic)
"ordered a sweeping overhaul" (Score:2)
Cybersec costs money. (Score:2)
Businesses and government don't want to spend money on cybersec.
The ONLY way to fix rhis problem is to COMPEL the PHB's to spend money on cybersec via personal consequences (fines/fired) if they don't.
While cybersec spend is discretionary it will continue to be massively underfunded.
If they don't HAVE to spend, they won't. Simple.
Ancient History... (Score:5, Interesting)
There are some ideas that have been around for some 50 years.
In "Hints on Programming Language Design", published in 1974, Tony Hoare said "Finally, it is absurd to make elaborate security checks on debugging runs, when no trust is put in the results, and then remove them in production runs, when an erroneous result could be expensive or disastrous. What would we think of a sailing enthusiast who wears his life-jacket when training on dry land but takes it off as soon as he goes to sea?" He was referring to subscript checking.
I did some work on a FORTRAN program in 1982, that had a habit of crashing if one or another internal table overflowed. The compiler documentation said the compiler could do subscript checking. The documentation lied. I wound up having to put explicit subscript checks on every table, and add run-time error messages that told the user "Table blah overflowed. Increase such-and-such named constant and recompile." It was all I could do, and it took me literally 160 hours of staring at FORTRAN code to understand it well enough to be able to do that much. That code had ISSUES.
The early capability machines were designed around, among other things, a very basic concept: EVERY array reference was checked by hardware. It was not possible to disable this feature. That makes "buffer overflow" vulnerabilities 100% impossible.
Later in the 1970s, Charles Hoch wrote a short paper, showing how the memory mapping hardware on higher-end PDP-11 minicomputers could be perverted to do basically the same thing.
A paper on an early PASCAL compiler mentioned that, if the programmer was reasonably conscientious about specifying the bounds for arrays and variables, the compiler could usually prove at compile-time that an array subscript expression could not go out of range, and hence eliminate the run-time range check. I don't have a URL for this one. I saw it in a book that collected several otherwise-unavailable early papers, including two of Urs Ammann's papers on the original PASCAL compilers written at ETH Zurich for the CDC 6400. For this to work, of course, it has to be possible in the language to specify those bounds, and "modern" languages (C, C++, Java, and the like) don't provide that capability.
Yet, when the Ada programming language came out, for which the first draft required subscript checking to be enabled by default, the very first thing that the "professional" programmers in the United States demanded was the ability to disable it, because of "performance" concerns.
As long as it is fashionable to let programmers do anything they want, and rely on them not to make a mess of it (as the late Edsger W. Dijkstra was fond of saying), we are going to have problems. As long as we pretend that C and C++ are good languages, and Windows is a good operating system, we will continue to get what we deserve, and we will generally, as Jerry Pournelle used to say, get it good and hard.
References:
http://flint.cs.yale.edu/cs428... [yale.edu] fo
https://homes.cs.washington.ed... [washington.edu]
https://dl.acm.org/doi/10.1145... [acm.org]
Excellent Post / Here Are The Goods (Score:1)
It is time to stop using C and C++ for systems programming, which will eliminate said 70% of CVE issues. Even operating systems can largely be built using memory safe progr
Remove the Dot (Score:1)
Lesson # 1 (Score:5, Insightful)
I know it's cheaper and convenient and all but. . . .
FFS QUIT CONNECTING IMPORTANT SHIT TO THE INTERNET
Critical Infrastructure ?
Department of Defense Networks ?
Electirical Grids ?
Nuclear Facilities ?
Water Treatment Facilities ?
Hospitals ?
Any of this ring a bell ?
Anything and everything that can be accessed by your IT department remotely ( via the internet ), unless you spend a great deal of money and ONGOING effort otherwise, can be accessed by someone else whose intentions may not be as upstanding as yours. ( HUGE emphasis on the word ONGOING here. You can't just fund a fix, get it in place then fire all your IT staff and expect your network to stay secure for very long. )
I'll say it again: KEEP CRITICAL SHIT OFF THE DAMN INTERNET
Do that and you solve 90% of your cyber-security problem. Private circuits. Ever heard of those ? Intercepting traffic across them isn't impossible, but quite a bit more work than your average idiot on the internet is willing to put in to get access. See 10% problem below.
The other 10% is dealing with external actors *bribing your employees, dumb-ass executives who bring their own wireless AP to work, or the other morons who " found " a USB drive and decided to plug it in to see what's on it.
*This becomes a very likely reality when you decide to go with the lowest cost staff you can find. ( Read that: Offshoring )
If you can find a tech overseas who is maintaining a target network making $100 / month and throw $10k at them, I promise you your network is no longer your network very soon after.
I understand your company wants to cut costs, but you should never consider Network Security as something you can skimp on or cut corners. Lay off one of your overpaid Executives and use their pay to keep your Network safe if you have to or your future will be filled with quite a bit of regret.
Re: Lesson # 1 (Score:1)
Re: (Score:1)
I know it's cheaper and convenient and all but. . . .
FFS QUIT CONNECTING IMPORTANT SHIT TO THE INTERNET
I agree with you. And how about the need to connect to these systems remotely? Maybe old concepts like SSH, FTP, Packet filtering,... needed to become more a layer 2 thing security and all? And maybe leave layer 3/4 more for session management?
Re: (Score:2)
And how about the need to connect to these systems remotely?
Radio. Leased phone lines. Dedicated cabling. Such local networking would require local hacking for intrusion.
Using the Internet only makes such connections "easier".
Air gap is the only answer (Score:2)
It is not possible to write secure software. Or to rephrase, it is not possible to give a guarantee. Any update can introduce new vulnerabilities, and vulnerabilities get discovered in widely used code that have been there for decades.
When will they learn that the only way to even start ensuring a system is secure is to air gap it. No Internet. If the system needs to be networked between physical locations, you need to exclusively own and control the network medium. System designers need to start with
Re: (Score:1)
Don't need to airgap everything. Even then, it's a false sense of security as stuxnet shows us. Should and could limit people to work machines only. Only do work on the work machine. Block work machines without a need to go to the internet from being able to get to the internet. No facebook, instagram, etc. Train them to not open things unless they know about it. Just basic things.
Also, if you discover an idiot working for you - fire them. I know of a case where the windows manager was an idiot. During a pe
FALSE (Score:1)
If you are interested, read my other post on this page and have a look at this:
https://fgw.ddnss.de/L4gegenue... [ddnss.de] (please excuse the outdated cert, will fix this in the coming days)
https://de.wikipedia.org/wiki/... [wikipedia.org]
http://sappeur.ddnss.de/ [ddnss.de]
http://sappeur.ddnss.de/SAPPEU... [ddnss.de]
There have also been projects by Microsoft Research on memory safe kernels and there were(are?) the ALGOL Mainfame
jail C-level execs (Score:2)
Security is never a priority because it is a "cost". Jail senior execs of any company that is breached (as in the breach, in and of itself, is sufficient evidence for conviction) for several years. That would make it impossible for them to sweep it under the rug
Professional Engineering (Score:2)
No executive, no matter how public the failure and how critical the infrastructure is, will care about security until they're liable for it. Execs have a whole staff that deflects problems; they never see the fallout of their decisions to not invest in security. I think one of the best ways to externalize this is to turn IT/development into a branch of engineering and use PE licensing as a way to shift blame back to executives while shielding them to a degree they'd find acceptable. Proposals like "corporat
It"s Worse (Score:1)
We first need a serious talk about this problem before we talk about professional standards. When/If this will be fixed, we can talk about mandating a CS degree for any security critical work. No more shoddy data structure parser
The pot calling kettle black.... (Score:1)
Correct (Score:1)
Accountability (Score:2)
Today, if a private company has a security breach, it is very unlikely there will be any significant penalty, to the company or its executives.
Worst case, a class action lawsuit will impose a trivial penalty, including a year of identity monitoring. Not really a deterrent.
I think there should be simple, statutory liability for data leaks - $100 per individual's data leaked. No need to prove injury, no rake off for class action lawyers - just a federally-imposed fine.
Something similar, involving firings al
Does zero trust mean more active directory? (Score:2)
Every do this for security list is the same tired list of process whoring and paranoia in depth.
Meanwhile despite the proliferation of standards global system complexity is ever expanding in the name of convenience. Nobody wanting to run anything themselves and everyone wants centralized control over absolutely everything no matter how potentially apocalyptic.
Re: (Score:1)
LOL. Zero Trust, so you trust AD? Throughout my career if a pen test team gets anything, they get that first. Then they own everything with the possible exception of Linux and Solaris hosts unless they too drink the AD Kool Aid. How long did it take for an outside pen team to own AD where I last worked at? A whopping 37 minutes. Start to finish. Total ownership of the Domain controllers. This was from an office in Virginia on the internet (nothing special, no vpn, etc) to an agency in Maryland.
I'll have to
Not serious (Score:1)
But eventually the Biden Administration will have to make up its mind what's more important: the security of all our IT-infrastructure or the profits of a single company (and its related economic value to the United States).
Strong Security (Score:1)
Strong Typing
Sandboxing
Memory Safe Languages
Strict Input Parsing/Scanning
Formally specified data structures
Complete requirements documents
Complete Unit Testing
Fuzz Testing
K.I.S.S.
How long are we going to take this? (Score:1)
Wake me when IRS and Social Security use Yubikey (Score:2)
Re: (Score:1)
Re: (Score:3)
Re: (Score:1)
The instant any unknown penetration is detected, alarm bells sound and traffic and process analysis is used to snuff out the malware.
It isn't a scheme that would work with the current free-for-all system where it's assumed "good" software can do anything it wants because it comes from a trusted vendor.
On my subnet there are a specific number of devices that can communicate with each other in specific known and approved ways. Anything else is scrutinized and squelched. Unknowns can certainly not penetrate o
Re: (Score:2)
Not Really (Score:1)
Competent firewall guardians must be capable Perl programmers, or they will be overwhelmed by the massive log files generated every single day.