CSIS Report: Securing Cyberspace

  • valkyrie
    Member
    • Jan 2006
    • 360

    #31
    Re: CSIS Report: Securing Cyberspace

    I apologize, but I do find this the worst piece of dreck I have ever read in my life. It rivals all the crap written by L. Ron Hubbard. Why?

    Define CyberSpace. Nowhere, no how, no time is the concept of "Cyberspace" ever defined in this document.
    I'm done.

    regards,

    valkyrie
    __________________________________________________ ____________
    sapere aude


    When you were a kid back during World War One, what was the equivalent?


    • afterburn188
      CVORGian
      • May 2008
      • 150

      #32
      Re: CSIS Report: Securing Cyberspace

      Sorry to (possibly) thread jack but...

      Originally posted by afterburn188
      If you want to help boost the economy and also help secure the national infrastructure then let's start some public works projects. Take a bunch of the best penetration testers you can and split them up. Have them just attack without warning and see how far they can get. Take their report, fix it, shift the groups and start over. Let's get some people who actually know what they're doing in there working on these projects. I can just see the recruitment posters now...
      Seems ITIF agrees on the subject and has a few numbers to support this:
      http://www.itif.org/index.php?id=212

      The CSIS have been making a point to avoid the topic altogether, however. Although not specifically in their domain, the question has been put forward before and they didn't even address it in the report. Just another issue I have with it....
      Last edited by afterburn188; January 7, 2009, 21:38. Reason: shouldn't post while only half awake...
      afterburn


      • artoir
        "Every sperm is sacred"
        • Dec 2008
        • 54

        #33
        Re: CSIS Report: Securing Cyberspace

        Well, mid-December, around the time this report was published, Booz Allen Hamilton ran a "cyber-war" simulation with 230 representatives of government defense and security agencies, private companies and civil groups. Sounds like what you're talking about on a smaller scale. Basically they had two teams; one defending, one attacking.

        Oh and in case you couldn't gather for yourself, they concluded the US cyber defenses are appalling.

        http://www.canada.com/topics/technol...tml?id=1096131
        This is a horrible font


        • DaKahuna
          Dirty Ol' Man
          • Apr 2006
          • 664

          #34
          Re: CSIS Report: Securing Cyberspace

          Originally posted by artoir

          Oh and in case you couldn't gather for yourself, they concluded the US cyber defenses are appalling.
          As Gomer Pyle would say "surprise, surprise, surprise!" - NOT
          DaKahuna
          ___________________
          Will Hack for Bandwidth


          • streaker69
            • Mar 2008
            • 1141

            #35
            Re: CSIS Report: Securing Cyberspace

            Originally posted by artoir
            Well, mid-December, around the time this report was published, Booz Allen Hamilton ran a "cyber-war" simulation with 230 representatives of government defense and security agencies, private companies and civil groups. Sounds like what you're talking about on a smaller scale. Basically they had two teams; one defending, one attacking.

            Oh and in case you couldn't gather for yourself, they concluded the US cyber defenses are appalling.

            http://www.canada.com/topics/technol...tml?id=1096131
            It really doesn't come as any surprise that we're vulnerable, but then can any country in the world say that they're not?
            A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.


            • Digit
              Member
              • Dec 2008
              • 2

              #36
              Re: CSIS Report: Securing Cyberspace

              Originally posted by afterburn188
              While Cyber Security is an increasing threat to the US National Security, I feel as though it's being approached completely wrong. The term is often thrown around as a buzz word to attract attention and scare people. Someone needs to clarify some of the goals rather than throwing big sweeping statements like "we will secure the internet." Some ideas are: securing emergency telecom, isolating military networks to prevent access, enforcing and updating in place security standards, etc. I mean for instance let's take a look back at DC16 and we see discussions on securing SCADA systems. This isn't a new topic either. It's been raised several times before. Aren't basic utilities sort of vital to the national infrastructure?

              I think we'd be a lot better off if they just started small. Review current security standards to make sure they are not only adequate but also practical. I'd say a lot of times people circumvent these standards simply because they are lazy and don't feel like dealing with them. Also: why should the FAA's new air traffic control system be told that DOD standards forbid them from having USB ports on their systems yet we just saw an issue where the US Army had an incident with USB thumb drives? People will always go after your weakest link in any security situation. I have a companion who said that following their post 9/11 analysis, the FAA reported their biggest security hole was ironically the link back to Pentagon. Let's set these standards and enforce them across agencies.

              If you want to help boost the economy and also help secure the national infrastructure then let's start some public works projects. Take a bunch of the best penetration testers you can and split them up. Have them just attack without warning and see how far they can get. Take their report, fix it, shift the groups and start over. Let's get some people who actually know what they're doing in there working on these projects. I can just see the recruitment posters now...

              Bottom line, if they want this to work, they need to actually set some realistic goals. Too often the phrases are used in a general sense and bad connotations get attached. For instance DRM and trusted computing would be great if it were being used to protect the users instead of protecting the producers from the users. Let's set these goals to actually secure the national infrastructure and stop trying to worry about the Comcast user who is torrenting in his mother's back yard. It's also ironic that they're trying to control and centralize something that was originally designed to be decentralized and resilient to physical attack...

              I know what you mean, for crying out loud. All anyone has to do to avoid getting caught is hack the national grid, then you have access to every computer on the planet. Firewalls are useless against this method, and once you're in all you have to do is change the electronics pulse display to binary code and it's all good. Secure the web, they lie.

              from Digit
              Digit


              • artoir
                "Every sperm is sacred"
                • Dec 2008
                • 54

                #37
                Re: CSIS Report: Securing Cyberspace

                It really doesn't come as any surprise that we're vulnerable, but then can any country in the world say that they're not?
                I doubt it. In any "cyberwar" I've read about recently, both sides have managed to either hack websites and servers or bring them down with DDoS. Even Georgian hackers managed to deface and crash Russian websites in South Ossetia towards the end of last August. Both Palestinian and Israeli websites are being hacked almost on a daily basis now. The only group that I personally feel are capable of mounting a large scale Cyberwar and defending their own systems is China. And they're not only testing out their tactics on the US; France, UK, Germany, Australia and New Zealand all reported attacks on government systems originating from China last year.

                Perhaps I haven't come across the article yet but does anyone have any info on Chinese government websites being successfully penetrated? I'm sure there were some instances, but I doubt anything on the scale of attacks they have mounted (one Wired article quoted a Pentagon official that they face "thousands of attacks every day").

                And in case anyone takes this the wrong way, I'm not being political by discussing different countries' abilities or tactics, just making some observations.
                This is a horrible font


                • AlxRogan
                  THAT guy
                  • Jul 2002
                  • 783

                  #38
                  Re: CSIS Report: Securing Cyberspace

                  Originally posted by Digit
                  I know what you mean, for crying out loud. All anyone has to do to avoid getting caught is hack the national grid, then you have access to every computer on the planet. Firewalls are useless against this method, and once you're in all you have to do is change the electronics pulse display to binary code and it's all good. Secure the web, they lie.

                  from Digit
                  Whiskey Tango Foxtrot? There's no way you would get past the ROT-26 encryption that protects the Gibson which keeps the national grid going...
                  Aut disce aut discede


                  • streaker69
                    • Mar 2008
                    • 1141

                    #39
                    Re: CSIS Report: Securing Cyberspace

                    I know what you mean, for crying out loud. All anyone has to do to avoid getting caught is hack the national grid, then you have access to every computer on the planet. Firewalls are useless against this method, and once you're in all you have to do is change the electronics pulse display to binary code and it's all good. Secure the web, they lie.

                    from Digit
                    How would 'hacking the national grid' give one access to all the computers on the planet? It's a National grid, not a world wide grid. Do you even have the remotest clue as to what grid you're even talking about?


                    Originally posted by artoir
                    I doubt it. In any "cyberwar" I've read about recently, both sides have managed to either hack websites and servers or bring them down with DDoS. Even Georgian hackers managed to deface and crash Russian websites in South Ossetia towards the end of last August. Both Palestinian and Israeli websites are being hacked almost on a daily basis now. The only group that I personally feel are capable of mounting a large scale Cyberwar and defending their own systems is China. And they're not only testing out their tactics on the US; France, UK, Germany, Australia and New Zealand all reported attacks on government systems originating from China last year.

                    Perhaps I haven't come across the article yet but does anyone have any info on Chinese government websites being successfully penetrated? I'm sure there were some instances, but I doubt anything on the scale of attacks they have mounted (one Wired article quoted a Pentagon official that they face "thousands of attacks every day").

                    And in case anyone takes this the wrong way, I'm not being political by discussing different countries' abilities or tactics, just making some observations.
                    Websites are really the least of the concern in what they're talking about, even though the media likes to bring them up because the average person understands them. The bigger concerns are people actually infiltrating the control networks for public utilities. I could care less if some ub3rl33t hax0r defaces someone's website. I'm more concerned that a foreign government is paying large groups of blackhatters to shut down power plants, reverse the flow of pumps or reroute trains.
                    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.


                    • Thorn
                      Easy Bake Oven Iron Chef
                      • Sep 2002
                      • 1819

                      #40
                      Re: CSIS Report: Securing Cyberspace

                      Originally posted by Digit
                      I know what you mean, for crying out loud. All anyone has to do to avoid getting caught is hack the national grid, then you have access to every computer on the planet. Firewalls are useless against this method, and once you're in all you have to do is change the electronics pulse display to binary code and it's all good. Secure the web, they lie.

                      from Digit
                      https://forum.defcon.org/showpost.ph...1&postcount=13
                      Thorn
                      "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird


                      • theprez98
                        SpoonfeederExtraordinaire
                        • Jan 2005
                        • 1507

                        #41
                        Re: CSIS Report: Securing Cyberspace

                        Originally posted by Digit
                        I know what you mean, for crying out loud. All anyone has to do to avoid getting caught is hack the national grid, then you have access to every computer on the planet. Firewalls are useless against this method, and once you're in all you have to do is change the electronics pulse display to binary code and it's all good. Secure the web, they lie.

                        from Digit
                        Did you finish your PM spree asking people how to hack?
                        "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";


                        • HighWiz
                          Death
                          • Jun 2007
                          • 655

                          #42
                          Re: CSIS Report: Securing Cyberspace

                          Originally posted by theprez98
                          Did you finish your PM spree asking people how to hack?
                          Yea... I've got a great idea. Maybe we should create a newbie forum, all new members can be automatically subscribed and only those members who wish to view it can. Then we'll be able to save our PMs as well as the rest of the forum from being overrun by "teach me to hack" posts. And we might even be able to help a few n00bs while we're at it.

                          Ah well, that'll never happen. It's much easier for everyone to be elitist...

                          /me shrugs.
                          And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.


                          • TheCotMan
                            *****Retired *****
                            • May 2004
                            • 8857

                            #43
                            Re: CSIS Report: Securing Cyberspace

                            Originally posted by HighWiz
                            Yea... I've got a great idea. Maybe we should create a newbie forum, all new members can be automatically subscribed and only those members who wish to view it can. Then we'll be able to save our PMs as well as the rest of the forum from being overrun by "teach me to hack" posts. And we might even be able to help a few n00bs while we're at it.

                            Ah well, that'll never happen. It's much easier for everyone to be elitist...

                            /me shrugs.
                            Hey! You could be the welcome wagon in /dev/random! You can set a sticky and let people know that you (and anyone else that volunteers) are ready and waiting to help people with questions.

                            Sure! You could start a thread about that, and volunteers could respond to this thread stating their intention to also volunteer, and then you and anyone else that responds to that thread can all take such questions by PM! You and other volunteers can fight the system by volunteering your time to help new users with any kinds of questions they might have, and do it all by PM. If you really want to do this, I can make sure PM support is available to all users right when they sign up, with no waiting.

                            If you think I am joking about this, I am not. If you seriously want to see these changes, you can use the above to create a grass-roots movement to help the newbies, and new users through PM.

                            Moderators have finite time, and they have to contend with the following:
                            "Wants are infinite, but resources are finite."
                            "Actions speak louder than words."

                            Just because some mods don't have enough free time to support such a system doesn't mean that you and others shouldn't. Use of PM would make this possible,



                            It will be one more day before the mods have their decision on a newbie forum.

                            The results of adding a strictly, "Hi! I'm New!" forum just for people to introduce themselves was not supported by even a large minority of moderators, and without support from at least a few highly-available moderators to maintain a forum, any such forum would fall to disrepair.

                            The only items being discussed now by moderators are:
                            Converting /dev/random into a "Newbie Forum"
                            Making a new Newbie Forum which has the same rules as /dev/random
                            Having a "fake" forum called, "Hi! I'm New! This is my Introduction" (or something similar) which is really a link to each user's blog. This lets people introduce themselves in their blog and lets anyone interested enough in someone to read about them a place to go see any introduction they may have posted.
                            (These were based on items suggested in the other thread.)

                            I'll post the results to this last batch of items being discussed by mods tomorrow night.

                            (Want me to copy this and your reply over to the Newbie Forum discussion thread? I don't care if you want to fork this thread, as it is one you started. ]:> )

                            As for elitism: You're just saying that because you think you're better than us.
                            Last edited by TheCotMan; January 9, 2009, 10:06.


                            • HighWiz
                              Death
                              • Jun 2007
                              • 655

                              #44
                              Re: CSIS Report: Securing Cyberspace

                              Originally posted by TheCotMan
                              Hey! You could be the welcome wagon in /dev/random! You can set a sticky and let people know that you (and anyone else that volunteers) are ready and waiting to help people with questions.

                              Sure! You could start a thread about that, and volunteers could respond to this thread stating their intention to also volunteer, and then you and anyone else that responds to that thread can all take such questions by PM! You and other volunteers can fight the system by volunteering your time to help new users with any kinds of questions they might have, and do it all by PM. If you really want to do this, I can make sure PM support is available to all users right when they sign up, with no waiting.

                              If you think I am joking about this, I am not. If you seriously want to see these changes, you can use the above to create a grass-roots movement to help the newbies, and new users through PM.

                              Moderators have finite time, and they have to contend with the following:
                              "Wants are infinite, but resources are finite."
                              "Actions speak louder than words."

                              Just because some mods don't have enough free time to support such a system doesn't mean that you and others shouldn't. Use of PM would make this possible,



                              It will be one more day before the mods have their decision on a newbie forum.

                              The results of adding a strictly, "Hi! I'm New!" forum just for people to introduce themselves was not supported by even a large minority of moderators, and without support from at least a few highly-available moderators to maintain a forum, any such forum would fall to disrepair.

                              The only items being discussed now by moderators are:
                              Converting /dev/random into a "Newbie Forum"
                              Making a new Newbie Forum which has the same rules as /dev/random
                              Having a "fake" forum called, "Hi! I'm New! This is my Introduction" (or something similar) which is really a link to each user's blog. This lets people introduce themselves in their blog and lets anyone interested enough in someone to read about them a place to go see any introduction they may have posted.
                              (These were based on items suggested in the other thread.)

                              I'll post the results to this last batch of items being discussed by mods tomorrow night.
                              I'm in the process of crafting a good post for a thread for /dev/random. I'll send you a /msg about it at some point in the near future.

                              (Want me to copy this and your reply over to the Newbie Forum discussion thread? I don't care if you want to fork this thread, as it is one you started. ]:> )
                              I don't think that's needed.

                              As for elitism: You're just saying that because you think [know] you're better than us.
                              Oh... I thought that was already understood?
                              And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.


                              • BackatchaBandit
                                This may be my last tr...
                                • Dec 2003
                                • 28

                                #45
                                Re: CSIS Report: Securing Cyberspace

                                Apologies for grave-digging the thread, I only just read the article.

                                It appears that the conclusions drawn by the CSIS are broadly similar to those arrived at during a project that the UK Government ran a few years ago under their 'Foresight' program: Cyber Trust and Crime Prevention.

                                The conflict between 'security' and 'liberty' at the time concerned me, as the issue of authentication had huge implications for some of the community wireless networking stuff I was into at the time (see consume and SOWN).

                                This was before broadband penetration had reached much of the UK (and before I could get 2+Mbit out of my mobile for £5 pm), so over time I've lost track/interest in the projects and the issues that arose, but the conflict clearly still exists.

                                There's a short paper on ethics that came out of that 'Foresight' project (here) that I thought summed it up well:

                                With regard to trust, these views have differing corollaries. The Luhmann view is that trust is the effect of good behaviour and, therefore, ensuring trust requires providing incentives for good behaviour. The Durkheim view is that trust is the cause of good behaviour, and that the best strategy to ensure that people behave well is to trust them and make it clear to them what behaviour is acceptable.

                                This argument is important in the context of the Internet in that it mirrors a major ethical debate about the purpose of the Internet and the limits of its regulation. On the one hand, there are people who consider that the Internet is just a new type of space that must develop its own limits and types of action (which will include, for example, commercial actions and surveillance). On the other, there are those who note that the Internet is the creation of scientists and hackers and that this historical fact is essential in planning the regulation of the net.
                                I see the 'economic' rationale for utilising public networks for infrastructure SCADA etc., but I never really understood why such traffic couldn't be routed through existing 'secure' channels, such as the UK Police TETRA system, or even utilise its own dedicated network, as they did for the ANPR cameras. It's got to be easier and more effective than trying to lock down the entire net.
