"The home computer is the new front line of war."

  • "The home computer is the new front line of war."

    I just spent 45 minutes writing a long post with links and research attached. Then when I posted it, it told me I needed to log in again and it disappeared into the ether. Livid does not describe it. That being said, it was a bit rambling and perhaps deserved a rewrite anyways.

    I attended a panel at Defcon 17 titled "Preparing for Cyber War." One of the panel members made the comment in the title, though I've paraphrased as my memory can be leaky. It's been stuck in my mind for a couple months now, and I've been turning it over. It's an interesting challenge. Any sort of malefactor could do a lot of damage with a couple million zombies to help it out. Terrorists might simply wipe out data to cause confusion and damage, or use millions of stolen passwords to destroy confidence in our banking system. Enemy states could use DoS attacks to restrict communications between agencies. The possibilities are endless and don't need to be enumerated to this crowd. So how do you secure hundreds of millions of computers in the US?

    Given that I spent almost three years as a High School teacher, it is natural that I would fall back to education.

    Virginia does not have a computer class requirement. It does have what they call "Standards of Learning," part of the general framework of what children are supposed to learn while in school, and those do address technology and computer skills. Passwords are covered between Kindergarten and Second Grade. Copyright is covered every grade. Hacking and computer crime are covered in High School. While this might make it appear VA has it covered, there is no corresponding class required in HS. This means that those skills must be shoehorned into another class that every student is required to take. We got around this requirement in our particular school by adding a computer skills class to our required curriculum, though a complete class is not a state requirement. The class consisted mostly of MS Office skills, sadly, and was taught by a business teacher.

    While it is a given that education does not change all habits, or sometimes even most (witness how many people still don't wash their hands....thanks SuperFreakonomics!), I believe that education would pack the most "bang for the buck." A full class wouldn't be necessary, but a unit inside of a current computer skills class in Information Assurance would be a fairly cheap (on gov terms) fix, and it would reach a reasonably high percentage of the population. Of course, how much of that percentage would actually apply what they learned is unknown, but I'm sure there's research on that subject somewhere. Even if only ten percent of the students applied the mechanisms of protection involved, that would be a substantially higher number than currently do, given the numbers involved. I'm not normally a fan of top down fed intervention, but this is one of those cases where I believe it might be necessary. And of course, this isn't even a complete solution at all, but possibly a start.

    Right after Defcon I did some quick Google searches on high school information security, and found nothing. I just did it again this morning and found a Symposium in CA for high school level CS teachers, funded through some NSF grants. There are definitely some people moving in this direction.

    How would you fix this little issue?

    Mel.
    Secretary

  • #2
    Re: "The home computer is the new front line of war."

    I've been researching this kind of thing for a paper for one of my classes. The one thing I've found that can be done that applies to home computers as well as to corporations, the govt, etc. is for the OS and software to be made better and more secure. This is purely my opinion, but I think Microsoft is the greatest threat to national security, even though that is not their intention. Winn Schwartau also points to non-secure software that wasn't really ready to be released as one of the sources of this problem. The govt is going to get their paws into this issue one way or another, and I think what they should do is hold the software companies accountable for what kind of crap they turn out. Expensive? Yes. Hard to implement? Yes, but I think it really would get to the source of the problem. While your idea is pretty good, I'm not sure that the average end user is intelligent enough or aware enough to make good decisions, even if he/she were to be educated on the matter while in school. Sadly, most of the kids I know are not interested enough in computers or computer security to take a class like that seriously, even if it was a requirement.
    "Why is it drug addicts and computer aficionados are both called users? " - Clifford Stoll



    • #3
      Re: "The home computer is the new front line of war."

      I've worked IT in schools before my current job and the proliferation of students now using the internet is far beyond what it was when I myself was a student at the very same school!

      I think if something was rolled into a "generic computer course" it could help mitigate problems in the future. I think DHS does a good job educating consumers, but users are stupid. "My friend's kid said x and I should be safe" little does he know that x is what opens up his box for intrusion, or some sort of stupid chain mail telling them to delete rundll32 because it is a virus.

      I think what would be helpful would be for the home networking market to start pushing rudimentary IDS into routers. I think standard end user antivirus doesn't cut it any more, they either don't update their definitions, or they don't configure it right ("duhurr it slows mah computer machine down") or they just outright disable it.

      I agree on the OS hardening, but the problem, I think, is that OSes are so vast in size these days that they just are open to more problems. I made a witty Facebook comment the other day about the code size and I had to look it up, Vista has 50 million lines of code. Imagine how much potential for vulnerabilities. While I think they have made great strides in the last year to improve, I still think since it is the most popular and used desktop software, and because it is, it will face more and more scrutiny than anything else. OSX has been proven to be vulnerable in the last few years, Linux is too, but what is the point of spending time to write exploits for those vulnerabilities, when your goal is sheer numbers, besides e-cred? It's only a matter of time before Apple computers tip over the scale and become popular enough to write exploits for.

      I think media plays a huge role in misconceptions about security as well. I haven't done anything official, but I've talked to a bunch of people and more than 75% of them believe that half the garbage they see on CSI or NCIS happens in real life. I'm planning on doing a user survey within the next couple of weeks (we're starting an IT newsletter for my agency) to publish. (we're getting a lot of people in our office asking how they can remove SUPER ANTIVIRUS PRO ULTRA EDITION from their home computers)

      tl;dr yes I think your idea is a good one, but I think it is a broader topic than just teaching a bunch of kids and hoping that at least 10 implement something they learned.
      "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."



      • #4
        Re: "The home computer is the new front line of war."

        No matter the end user's intelligence, if you can create an ingrained habit of complex passwords, regular software updates, and updated firewalls and AV software, I think you would go a long way to solving this problem. And that's the sort of thing that grade school was made for.

        I certainly agree about the software side, but I can't see the government legislating that. How do you legislate secure? 1 bug or less per thousand lines of code? One exploit released per year? I did see a prediction somewhere, and I disremember where I saw it, about the future involving insurance for software companies against financial loss due to insecurity. His prediction was that companies were going to start being held financially liable for losses incurred due to bugs and security holes. That would certainly make the software companies sit up and take notice. It would likely be unworkable as a solution though....one loss might bankrupt a smaller software company. And who is to blame when it's a large combination of factors?

        That was why I was saying Education might be the most cost effective solution. It won't cost hardly anything to add a unit to an existing class. Agreed that it won't be the most effective, but in these days of government overruns and budget shortfalls, expensive means that it won't get done at all.

        EDIT: g3k, the idea of high school as a platform was so that you would eventually get to everyone, since almost everyone goes through HS at some point in life. Admittedly, there's a very large percentage of people already out, but this is a problem that will involve long term solutions.

        And adding those capabilities into home routers would be an excellent part of the solution. I know I don't run AV or a firewall at home, and I haven't had ANY trouble. I ran wireshark for awhile and had no random incoming connections through my router. I was disappointed, actually. The NAT from the firewall solves most of my issues concerning incoming attacks. Of course, I also don't download anything I see, and check out sketchy sites from that computer (I have a sacrificial computer for those sorts of things lol). For the average user though, I can see that being a huge boon.

        Mel
        Last edited by Melesse; November 3, 2009, 09:25. Reason: Simultaneous posting!
        Secretary



        • #5
          Re: "The home computer is the new front line of war."

          Originally posted by Melesse
          EDIT: g3k, the idea of high school as a platform was so that you would eventually get to everyone, since almost everyone goes through HS at some point in life. Admittedly, there's a very large percentage of people already out, but this is a problem that will involve long term solutions.

          And adding those capabilities into home routers would be an excellent part of the solution. I know I don't run AV or a firewall at home, and I haven't had ANY trouble. I ran wireshark for awhile and had no random incoming connections through my router. I was disappointed, actually. The NAT from the firewall solves most of my issues concerning incoming attacks. Of course, I also don't download anything I see, and check out sketchy sites from that computer (I have a sacrificial computer for those sorts of things lol). For the average user though, I can see that being a huge boon.

          Mel
          While I like the idea for high school, you have already described the problem. Sure, it will fix problems in the future, but we have rampant problems right now. A lot of them are the over 45 crowd and the under 20 crowd. I like to think my generation is a little more on the up and up (I'm in my mid-twenties), but there are exceptions to my grandeur thoughts as well. Like I said, I did work IT in a school, most of the kids were pants-on-head retarded when it came to this kind of stuff. If they can access MySpace, they are good. I ran with some unscrupulous folks last year who did MySpace phishing scams, and the majority of the hijacked accounts were kids under 20. And while this may seem to fit into your "fix the future" scheme, it might be too late before something like this is even talked about in a school role and then eventually implemented before some major attack of American zombie computers takes out our own infrastructure led by THREATENING COMMUNIST NATION hackers.

          I'm passionate about this idea because like I said, I worked in schools as well. When I went to high school, we had a helpdesk program where us nerds can congregate and learn2helpdesk. I learned a lot from that program, but unfortunately it was underfunded. When I ended up working at my high school as a computer janitor, the program was almost completely gutted. They did not have a proper lesson plan or a proper teacher to teach the kids. I stepped in and taught them when I had free time, and I got more people interested, but last I heard the program was going to be canceled.

          You know how schools work. To convince them to do something like this is a little like running around in circles.
          "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."



          • #6
            Re: "The home computer is the new front line of war."

            Originally posted by Melesse
            I just spent 45 minutes writing a long post with links and research attached. Then when I posted it, it told me I needed to log in again and it disappeared into the ether. Livid does not describe it.
            This sounds like a cookie problem. You might not have cookies enabled for defcon.org and subdomains, or you may have something set up to purge cookies. Some parts of the forums support logins without cookies, but others do not. This provides an illusion that cookies don't look like they are needed for the forums. They are needed.



            • #7
              Re: "The home computer is the new front line of war."

              Originally posted by g3k_
              While I like the idea for high school, you have already described the problem. Sure, it will fix problems in the future, but we have rampant problems right now. A lot of them are the over 45 crowd and the under 20 crowd. I like to think my generation is a little more on the up and up (I'm in my mid-twenties), but there are exceptions to my grandeur thoughts as well. Like I said, I did work IT in a school, most of the kids were pants-on-head retarded when it came to this kind of stuff. If they can access MySpace, they are good. I ran with some unscrupulous folks last year who did MySpace phishing scams, and the majority of the hijacked accounts were kids under 20. And while this may seem to fit into your "fix the future" scheme, it might be too late before something like this is even talked about in a school role and then eventually implemented before some major attack of American zombie computers takes out our own infrastructure led by THREATENING COMMUNIST NATION hackers.

              I'm passionate about this idea because like I said, I worked in schools as well. When I went to high school, we had a helpdesk program where us nerds can congregate and learn2helpdesk. I learned a lot from that program, but unfortunately it was underfunded. When I ended up working at my high school as a computer janitor, the program was almost completely gutted. They did not have a proper lesson plan or a proper teacher to teach the kids. I stepped in and taught them when I had free time, and I got more people interested, but last I heard the program was going to be canceled.

              You know how schools work. To convince them to do something like this is a little like running around in circles.
              The biggest problem in schools isn't the students, it's the teachers. I've found teacher's username/password laminated to their desks. I've had teachers make student passwords all the same because "the kids can't remember the passwords you give them", more like "I don't want to have to think when I log into a kid's account". If you want a way around some type of security, give it to a middle school student, or the whole school, they'll figure it out. We need to educate the current 35-60 year old population, the 13-34 age group pretty much have it under control, or at least know better....



              • #8
                Re: "The home computer is the new front line of war."

                Originally posted by barry99705
                The biggest problem in schools isn't the students, it's the teachers. I've found teacher's username/password laminated to their desks. I've had teachers make student passwords all the same because "the kids can't remember the passwords you give them", more like "I don't want to have to think when I log into a kid's account". If you want a way around some type of security, give it to a middle school student, or the whole school, they'll figure it out. We need to educate the current 35-60 year old population, the 13-34 age group pretty much have it under control, or at least know better....
                I highly doubt such broad generalizations apply. I spent a couple years teaching, and just as in all groups, ability and inclination varied. True, the younger generation is more comfortable with technology, but that comfort does not come with knowledge about security. Just because they can log on the computer, and spend hours with their iPod and iTunes doesn't mean they know anything about password complexity, not to click on links sent over IMs, or how to tell a phishing email from the real thing.

                Our school attempted to block flash games and youtube. It wasn't a week before someone was using iGoogle to get around the block on flash games. Once that was blocked, it was the old standby, proxy servers. I don't think it was the average student who was finding those work arounds. It was a small cadre of knowledgeable students who spread the word.

                I don't disagree that the older generation will need something as well, but don't confuse familiarity with knowledge.

                Mel
                Secretary



                • #9
                  Re: "The home computer is the new front line of war."

                  Originally posted by barry99705
                  The biggest problem in schools isn't the students, it's the teachers. I've found teacher's username/password laminated to their desks. I've had teachers make student passwords all the same because "the kids can't remember the passwords you give them", more like "I don't want to have to think when I log into a kid's account". If you want a way around some type of security, give it to a middle school student, or the whole school, they'll figure it out. We need to educate the current 35-60 year old population, the 13-34 age group pretty much have it under control, or at least know better....
                  True, but luckily, we controlled the usernames and passwords not the teachers. We did have an incident where a teacher left his computer for a few minutes and some kids hopped onto it while he was away and changed grades, but it didn't matter.

                  What I'm getting at is that kids are retarded with Myspace. I had to constantly check the weblogs for new CGI proxy sites that these kids were using. Myspace is an easy way to phish or install spyware. We also had an incident where a girl was talking to a pedo on Myspace on my network through a CGI proxy. It is a mess. While the younger crowd might know a lot about computers and are very savvy, it doesn't stop them from being dumb and getting phished or getting viruses installed.

                  We never had any teachers accidentally install a virus or open up weird emails, because they were either a) too old to want to use the computer or b) young enough to know wtf they are doing. Luckily we had awesome group policy and NIDS so even if someone clicked on a malware link we were safe, but not all places are lucky like that (see: my current job)

                  but I digress from the topic: Kids want instant gratification. Damned the consequences.
                  "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."



                  • #10
                    Re: "The home computer is the new front line of war."

                    Speaking of instant gratification, I remember being so amazed in college. It was my sophomore year, and one of the guys in my frat had just installed BlackICE. We would spend hours going over those logs. I had read about hackers in HS, I took CS classes in HS and was a CS major at the time, but that was my first real experience with people who were trying to break into other people's computers! It was amazing!

                    Speaking on the subject of making it boring, you could run it as a game. As a class project, put an unpatched computer on a direct line to the internet. Watch what happens. Use some of the simpler tools to crack passwords and SHOW the students what weak passwords do.

                    And considering the older crowd, I've actually been considering giving free presentations at the library about computer security. Looks like it's something that needs to be done.

                    Mel
                    Secretary



                    • #11
                      Re: "The home computer is the new front line of war."

                      Originally posted by Melesse
                      Speaking on the subject of making it boring, you could run it as a game. As a class project, put an unpatched computer on a direct line to the internet. Watch what happens. Use some of the simpler tools to crack passwords and SHOW the students what weak passwords do.

                      And considering the older crowd, I've actually been considering giving free presentations at the library about computer security. Looks like it's something that needs to be done.

                      Mel
                      That would be really helpful, teaching a free class. You could get in touch with your adult education community and possibly do it through there. Expect dumb questions.

                      I've considered starting up a computer club in my small little town, but I'm not sure how to go about it. We're too small to run a DCG or a 2600 group, but a computer or a LAN club would be cool, something to get the kids around here motivated to try new things. Enrich the community, etc.
                      "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."



                      • #12
                        Re: "The home computer is the new front line of war."

                        Originally posted by Melesse
                        And considering the older crowd, I've actually been considering giving free presentations at the library about computer security. Looks like it's something that needs to be done.

                        Mel
                        That is a great idea, and I hope you're able to do that! I am pretty concerned about some of the older people - unless their jobs required them to have some sense of security awareness or unless they're tech savvy on their own, it seems that a lot of them are clueless. I've had to play tech support for two of my uncles and had to get rid of a lot of spyware and garbage on one uncle's computer. I think some of the most vulnerable people are grandma-aged adults who are learning to use the computer to communicate with family members long-distance and can barely check their email, much less maintain security. I'm not dissing them, but it is a bit easier for people who have worked with computers for a long time (like my dad is 56 but is a systems admin) or who grew up with computers like me (I'm 25) to grasp the concept.
                        "Why is it drug addicts and computer aficionados are both called users? " - Clifford Stoll



                        • #13
                          Re: "The home computer is the new front line of war."

                          Originally posted by Melesse
                          I highly doubt such broad generalizations apply. I spent a couple years teaching, and just as in all groups, ability and inclination varied. True, the younger generation is more comfortable with technology, but that comfort does not come with knowledge about security. Just because they can log on the computer, and spend hours with their iPod and iTunes doesn't mean they know anything about password complexity, not to click on links sent over IMs, or how to tell a phishing email from the real thing.

                          Our school attempted to block flash games and youtube. It wasn't a week before someone was using iGoogle to get around the block on flash games. Once that was blocked, it was the old standby, proxy servers. I don't think it was the average student who was finding those work arounds. It was a small cadre of knowledgeable students who spread the word.

                          I don't disagree that the older generation will need something as well, but don't confuse familiarity with knowledge.

                          Mel
                          We used St. Bernard to block access. Pretty good system. It's a subscription based web blocking device, so the proxy sites get added pretty quickly. This site is blocked there (Hacking), but the computer tech accounts had bypass rights.



                          • #14
                            Re: "The home computer is the new front line of war."

                            Originally posted by AgentDarkApple
                            I've been researching this kind of thing for a paper for one of my classes. The one thing I've found that can be done that applies to home computers as well as to corporations, the govt, etc. is for the OS and software to be made better and more secure. This is purely my opinion, but I think Microsoft is the greatest threat to national security, even though that is not their intention. Winn Schwartau also points to non-secure software that wasn't really ready to be released as one of the sources of this problem. The govt is going to get their paws into this issue one way or another, and I think what they should do is hold the software companies accountable for what kind of crap they turn out. Expensive? Yes. Hard to implement? Yes, but I think it really would get to the source of the problem. While your idea is pretty good, I'm not sure that the average end user is intelligent enough or aware enough to make good decisions, even if he/she were to be educated on the matter while in school. Sadly, most of the kids I know are not interested enough in computers or computer security to take a class like that seriously, even if it was a requirement
                            I have to say that I think you're off the mark with your comments, AgentDarkApple. OSes in general are getting better with security. Microsoft (I am not a fan) has gotten better over the past years. They have made security a priority in their development process. Yes, there are still flaws but it is getting much better. Linux has its fair share of bugs as well and can be pwned just as easily if the admin never patches the kernel.

                            The issue is 3rd party software running on these systems. Any of these apps that run service accounts as administrator/root that have rolled out to production untested. This is the happy hunting ground for attack. And many of these companies are content with allowing this bad code to just sit unpatched until your site is compromised.

                            Next, there is no way that the government can force anyone to write good code. How can they audit such a system? How would they fine someone? If your app gets compromised, well you get a fine in the mail. Have a nice day. Who would get the money from the fines? The Government? Well... they need to fix their code before policing everyone else's code. This Orwellian concept will never fly. And if we look at legislation like PCI or GLBA where companies are fined or closed for data loss this also has had its share of issues. Many companies are still not in compliance with PCI regs and yet are not getting fined. I say, make the regs we have have more teeth. Start sending out fines and getting CEOs into court. This will send a message. No more laws... just enforce the ones we have.

                            The bottom line is the Internet has grown to a point that we will never be able to fully protect ourselves from it in the office. Home networks are now a HUGE source for botnets and this will only continue to grow in the coming years. Our best bet is to wait and let our robot masters figure out the problem for us. They will have the answer.

                            ALL HAIL ROBOTRON
                            XS



                            • #15
                              Re: "The home computer is the new front line of war."

                              Originally posted by madnos
                              Our best bet is to wait and let our robot masters figure out the problem for us. They will have the answer.

                              ALL HAIL ROBOTRON
                              I, for one, welcome our new robot overlords.
                              Thorn
                              "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird
