December 22, 2024

Archives for September 2002

White House Cybersecurity Plan: On Life Support?

The White House’s “National Strategy to Secure Cyberspace,” initially slated for release on Wednesday, has been delayed, the Washington Post reports. This comes on the heels of the removal of some of the report’s proposals, and a leak of the draft proposal.

It looks like the report will end up as an eloquent expression of good intentions, coupled with few if any effective action items. Once the decision was made that the report would be changed to make all of the stakeholders happy, this result became inevitable. There are just too many agendas in play to reach any kind of consensus on this issue.

This is not necessarily a bad thing. The government can improve the security of its own systems, but there is little it can do to make ordinary non-government computing more secure. Our main problem is that the market doesn’t reward vendors for investing the large amounts of time and money necessary to build highly secure systems. There isn’t much the government can do to change that.

ABC News Hires "Hackers" to Disrupt Police

ABC News reports on their own hiring of “hackers” to disrupt the Huntington Beach, CA police department. (Start reading at the “Testing the system” heading.)

They tried to trick an officer into leaving his post to investigate a false “emergency.” They tried to infect the Chief’s computer with a virus. (Fortunately, neither of these attacks ended up working; but it wasn’t for lack of trying.)

What was ABC News thinking? Trying to disrupt a working police department, which the citizens were relying upon to cope with any real emergencies that developed, was an amazingly irresponsible thing to do.

The article implies, but does not directly say, that the police department consented to this test, but was kept in the dark about which day it would occur. If so, then the police department needs their heads examined just as badly as ABC News does.

I’m all in favor of testing critical systems, but not by mounting surprise attacks on the systems that ordinary citizens’ lives depend upon.

[Link credit: disLEXia]

Ernest Miller on Lessig/DRM

Great new entry in the Lessig/DRM debate, from Ernest Miller at Lawmeme.

This is starting to turn from a narrow debate about Lessig’s piece into a wider discussion of how to think about DRM and Palladium. I’m eager to see this wider discussion start.

Low-Tech DRM

Today’s New York Times reports that Epic Records has taken a decidedly low-tech approach to DRM in pre-releasing two new albums to critics:

… the CD’s [are] already inside Sony Walkman players that have been glued shut. Headphones are also glued into the players, to prevent connecting the Walkman to a recording device.

Needless to say, this was defeated by at least one writer, who was able to get the CD by taking the Walkman apart. Why? Says the writer, “if I want to give it a proper review, I’m going to listen to it how I want to listen to it

Serious Linux Worm

New.com reports on a new worm infecting Linux/Apache servers. (A “worm” is a malicious standalone program that propagates on its own, without requiring any human action.)

A new worm that attacks Linux Web servers has compromised more than 3,500 machines, creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data, security experts said Saturday.

It was only a matter of time before this happened. Linux in particular, and open-source software in general, are not immune to malware such as worms and viruses. Linux has gotten a free pass for a while, because malware developers, like all software developers, tend to target their code for the most popular platforms. Now that Linux is so popular on servers, it becomes a more natural target for malware.

Of course, whoever did this is a criminal and deserves to be punished.

If there is a silver lining here, it is that this serves as a wake-up call for those who view the poor state of computer security as a “Microsoft problem” or a “closed-source problem.” All software is riddled with bugs, and all security-critical software is riddled with security-critical bugs. We just don’t know how to build large, complex programs without them. Rather than pointing the finger at others, who might or might not have a few more bugs than we do, we all need to figure out how to do radically better than any of us are doing today.