CSIS Report: Securing Cyberspace
-
-- A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
Re: CSIS Report: Securing Cyberspace
I apologise for my last post, I should have worded it better.
I wasn't denying the fact that the US recruits white hat hackers, what I was pointing out was the event was openly advertised as being aimed at "hackers", something that I can't imagine going down too well with the general public in the US or UK. Look at the negative attention DEFCON gets and you'll see what I'm trying to get at here.
And with regards to my stab at the US, note I also mentioned the British government, that I live under. I could have gone on and named 11 other countries in Europe but I decided not to. I was simply pointing out the liberal methods of the South Korean government to openly advertise and try to attract hackers. My intention was not to ignite any patriotism or attract fiery responses.
I'll remember in future not to post before I've had my two coffees ;)
-- This is a horrible font
-
Re: CSIS Report: Securing Cyberspace
You do realize that a large number of people that organize/attend Defcon as well as other 'hacker' cons actually work for various government agencies?

> I apologise for my last post, I should have worded it better.
> I wasn't denying the fact that the US recruits white hat hackers, what I was pointing out was the event was openly advertised as being aimed at "hackers", something that I can't imagine going down too well with the general public in the US or UK. Look at the negative attention DEFCON gets and you'll see what I'm trying to get at here.
> I'll remember in future not to post before I've had my two coffees ;)

The negative perception is only in the eyes of the ignorant, and ignorance is not something that's easily cured. People have to WANT to become less ignorant.
-- A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
-
Re: CSIS Report: Securing Cyberspace
Once again, you're not getting your facts straight.

> I apologise for my last post, I should have worded it better.
> I wasn't denying the fact that the US recruits white hat hackers, what I was pointing out was the event was openly advertised as being aimed at "hackers", something that I can't imagine going down too well with the general public in the US or UK. Look at the negative attention DEFCON gets and you'll see what I'm trying to get at here.
> And with regards to my stab at the US, note I also mentioned the British government, that I live under. I could have gone on and named 11 other countries in Europe but I decided not to. I was simply pointing out the liberal methods of the South Korean government to openly advertise and try to attract hackers. My intention was not to ignite any patriotism or attract fiery responses.

1) Many of the people who come to DefCon work directly or are contractors for the US Government and its various Agencies. And I'm not talking about lurkers, I'm talking about people directly involved.
2) Have you been to DefCon or any other US based Con? Have you attended the "Meet the Feds Panel"? Did you know that there are entities within the US Government that recruit AT DefCon?
3) You're still being very political in your statements.
4) Researching before posting is not a bad idea.
-- And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.
-
Re: CSIS Report: Securing Cyberspace
Thought this interview with FBI's Cyber Division Chief on the security of the internet may be of interest http://voices.washingtonpost.com/sec...ime_chief.html
And for the smart ass above;
"A: We don't really make too much of an effort to recruit here. My purpose in being here is to provide the FBI cyber perspective."
-- This is a horrible font
-
Re: CSIS Report: Securing Cyberspace
Yea, there is a lot of recruiting going on... In fact, every time I go to DefCon I try to recruit some "young hackers" into my er um.. "organization". It's all listed in my agenda.

So that's what you found most interesting?

> Thought this interview with FBI's Cyber Division Chief on the security of the internet may be of interest http://voices.washingtonpost.com/sec...ime_chief.html
> And for the smart ass above;
> "A: We don't really make too much of an effort to recruit here. My purpose in being here is to provide the FBI cyber perspective."
You were surprised that a Law Enforcement agency didn't have an open recruiting effort at DefCon?
How bout the other Agencies? You do know the US Government has more Agencies than just the FBI, right?
So let me see if I understand this correctly, you expect every Agency of the US Federal Government to have the same hiring criteria as the Federal Bureau of Investigation? Further, do you know for a fact he was talking about DefCon and not Black Hat? When referencing "recruiting efforts" was he talking about "Agents" or any recruit what-so-ever? In his position, would it behoove him to admit to actively recruiting at a "hacker convention" from a political stand point?
Oh, I was going to make a comment about your "Smart ass" one, I didn't know if you were referring to me or "theprez98". But I think both of us would rather be a smart ass, than just an ass like you.
-- And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.
-
Re: CSIS Report: Securing Cyberspace
The TLAs that recruit at such things do not set up a booth and advertise, it isn't like the Armed Forces where they have guys handing out brochures. They sit back and watch the people, they talk to others about the people they're interested in. Then they are approached, normally after the con.

> Thought this interview with FBI's Cyber Division Chief on the security of the internet may be of interest http://voices.washingtonpost.com/sec...ime_chief.html
> And for the smart ass above;
> "A: We don't really make too much of an effort to recruit here. My purpose in being here is to provide the FBI cyber perspective."

-- A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
-
Re: CSIS Report: Securing Cyberspace
Which is EXACTLY what I was getting at when I mentioned the Korean Government running their own "hacker convention" with the sole purpose of recruiting!
I never said the US government doesn't recruit hackers, what I said was they would never OPENLY do it, as you rightly said from a political standpoint, never mind set up an event similar to Korea's.
The only point I was trying to make, was that from a "political standpoint", the US government would never OPENLY recruit hackers on a scale that Korea is doing.
That was all. You were the one that tried turning it into something more.
-- This is a horrible font
-
Re: CSIS Report: Securing Cyberspace
Listen Wanker (that's what you people call each other over there, right?), you're definitely trying my fucking patience. My general instinct isn't to be polite and nice, trust me when I tell you I'm being really gentle with you. I don't know if you're into rough trade, but it most assuredly looks like that's what you want.

> Which is EXACTLY what I was getting at when I mentioned the Korean Government running their own "hacker convention" with the sole purpose of recruiting!
> I never said the US government doesn't recruit hackers, what I said was they would never OPENLY do it, as you rightly said from a political standpoint, never mind set up an event similar to Korea's.
> The only point I was trying to make, was that from a "political standpoint", the US government would never OPENLY recruit hackers on a scale that Korea is doing.
> That was all. You were the one that tried turning it into something more.

You are comparing apples and sofas. You're talking about a Law Enforcement agency with your posts... I don't believe the Koreans are trying to recruit hackers for law enforcement... You have an agenda and you're trying to push it with the wrong motherfucker.
I as well as others have already covered the fact that Korea is playing catchup to the US in terms of "events" like the ones you described earlier.
Now cut your losses while you're ahead before I put you in your fucking place.
-- And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.
-
Re: CSIS Report: Securing Cyberspace
GET SOME!!!

> Listen Wanker (that's what you people call each other over there, right?), you're definitely trying my fucking patience. My general instinct isn't to be polite and nice, trust me when I tell you I'm being really gentle with you. I don't know if you're into rough trade, but it most assuredly looks like that's what you want.
> You are comparing apples and sofas. You're talking about a Law Enforcement agency with your posts... I don't believe the Koreans are trying to recruit hackers for law enforcement... You have an agenda and you're trying to push it with the wrong motherfucker.
> I as well as others have already covered the fact that Korea is playing catchup to the US in terms of "events" like the ones you described earlier.
> Now cut your losses while you're ahead before I put you in your fucking place.

Welcome back. THIS is HighWiz. Bout time.
-- perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
-
Re: CSIS Report: Securing Cyberspace
I concur. It's good to see some regulatin' again. :)
Anyway, the part of the CSIS report that interested me was the section "Identity Management for Cybersecurity" (p.61). This is something that has been a long time coming, but I don't really see how it could be implemented responsibly if businesses are given the option to create their own in-person proofing authentication methods (top of page 63). That would also create all sorts of interoperability problems I would think. It just seems like that could quickly escalate into a situation where all of my personal information is easily gained if one account (used on many different sites) is compromised.
Given, this is already the case with SSNs, but I don't plan on using that to login to Facebook/Myspace any time in the future. Provided that they will not allow any social networking sites to use these new methods I may be more comfortable, but the whole internet is moving towards being social. It's a tricky situation, for sure.
-- The dude abides.
-
Re: CSIS Report: Securing Cyberspace
Yea, you can't be just any geek off the street, gotta be handy with the steel if you know what I mean...

> Anyway, the part of the CSIS report that interested me was the section "Identity Management for Cybersecurity" (p.61). This is something that has been a long time coming, but I don't really see how it could be implemented responsibly if businesses are given the option to create their own in-person proofing authentication methods (top of page 63). That would also create all sorts of interoperability problems I would think. It just seems like that could quickly escalate into a situation where all of my personal information is easily gained if one account (used on many different sites) is compromised.

It really depends on what they mean by businesses in relation to creating their own authentication. Will it be every mom and pop shop on the net or primarily organizations who process CC and banks? I think this is definitely an area where they need to focus some more attention and thought.

> Given, this is already the case with SSNs, but I don't plan on using that to login to Facebook/Myspace any time in the future. Provided that they will not allow any social networking sites to use these new methods I may be more comfortable, but the whole internet is moving towards being social. It's a tricky situation, for sure.

There are a few technical hurdles they have to overcome, as well as a decision on usage. From reading the report, I don't think there was a single consensus as to what should be done for identity management while protecting civil liberties. I'm also concerned with a single point of failure if that's the avenue they are looking to go down.
Interesting for me was one of the last quotes in the report itself when they were discussing research and "rearchitecting the internet" (p.75).
"Perhaps the most important game-changing research involves what we call 'rearchitecting the Internet'. The Internet is a human creation and as a veteran of the 1970s DARPA effort said to us, 'We built it; we can change it.'"
-- And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.
-
Re: CSIS Report: Securing Cyberspace
Slashdot has now posted the results of that interview here: http://interviews.slashdot.org/artic.../12/19/1448238

> If anything is unclear in the report, perhaps you can go over to Slashdot now and ask the question for clarification.
> http://interviews.slashdot.org/artic...8/12/12/135207

afterburn
-
Re: CSIS Report: Securing Cyberspace
Installment 1 of ?:

(PDF p.7, printed p.1)

> This strategy should be based on a public statement by the president that the cyber infrastructure of the United States is a vital asset for national security and the economy and that the United States will protect it, using all investments of national power, in order to protect national security and public safety, ensure economic prosperity, and assure delivery of critical services to the American public.

List of items to protect and guard includes items with known points of contention and sometimes mutually exclusive priorities.
If the FAA's only focus was to ensure passenger and pilot safety, then we wouldn't see many of the problems that the FAA has been plagued with over the past 15 years. Burdening the FAA with a secondary purpose of on-time flights, and a tertiary purpose of keeping air-based commerce moving means there will be contention between these items. Passengers and pilots will just have to hope that their own safety is not overlooked so much (to keep flights on time and keep air-based commerce moving) that they don't die or get injured while flying.

(PDF p.8, printed p.2)

> [a new office for cyberspace in the Executive Office of the President] would combine existing entities and also work with the National Security Council in managing aspects of security our national networks while protecting privacy and civil liberties.

Again, contradictions exist in the list of items for this one group. A judicial system exists with search warrants as an established system to primarily focus on laws with respect to civil rights, privacy and more. Law enforcement's focus is primarily enforcement of the law, not civil rights and privacy. By ensuring each group maintains a simple focus of a single objective without conflict in their assigned goal, they can specialize and push full-force, without internal conflict or disagreement.
Assigning a collection of goals to any group which are or can be in conflict is trouble. It can be as harmful as decoupling control from responsibility. Privilege separation, Mandatory Access Controls, User vs. Kernel Space, programming APIs with clearly defined interfaces, and even domestic partners with clearly defined areas of responsibility and control in a domestic space and surrounding property are all examples of how it is possible to avoid ALL issues of contention caused by contradictory selections, making any such specific decisions a violation of agreement.
Decisions which require subjective evaluation for "right" and "wrong" answers will eventually lead to failure, as what you think is "right" may not be what your boss thinks is "right." Decisions which require only objective evaluation for "correct" and "incorrect" are simpler to follow, and can be replayed and re-tested with only one correct answer given the same set of circumstances and input.
Additionally, what advantage would exist by splitting cyberspace-specific issues from existing agencies? I see greater value in having each agency build their own cyberspace-specific teams based on their existing goals, mandates, or directives. Agencies focused on world trade and international commerce have a specialized interest in cyberspace crime, while the FBI, CIA, or NSA would have totally different interests in cyberspace crime: from detecting and recording violations of law for possible prosecution in court, to breaking laws in cyberspace through commission of actions instead of enforcement, or maybe eavesdropping and information gathering and analysis, all different from each other.
A separate office for Cyberspace either means duplication of effort which presently exists in other agencies or government organizations, or it means removing duplicate groups or sections in other agencies.

(PDF p.8, printed p.2)

> Reinvent the public-private partnership.

This means using tax money in private business or it doesn't.
This means bypassing the search warrant process or it doesn't.
This means using private information gathering companies as a transparent government documentation repository which bypasses freedom of information acts, or it doesn't.
Separation of government from private business also provides more protection from abuse by raising the bar for abuse to requiring conspiracy and risk of a paper trail. Arguments listed above with clearly defined boundaries (not responsibilities) also apply here.

(PDF p.8, printed p.2)

> Regulate cyberspace

Regulation? This sounds very expensive.
I'll agree that a government is one of 3 ideal spaces for *standards* to exist, but regulation requires enforcement, and enforcement can be very expensive. At some point, a dollar amount will be made a cut-off point for enforcement, and crimes with values less than that amount will be ignored, overlooked, or only documented, but not investigated. This will lead to an immediate refinement of attacks to choose attacks that fall under the arbitrary threshold and thus avoid investigation and penalty. Criminal elements are quick to react to changes in their environment, as those that don't learn quickly get caught sooner rather than later.
Additionally, why can't standards be created and passed through NIST for official review and use anyway?

(PDF p.12, printed p.6)
(See Item #8)
If CERT* remains with DHS, then why is there even a need for a NOC? Seriously.

(More comments later.)
Last edited by TheCotMan; January 2, 2009, 11:37.