SoylentNews is people
SoylentNews
from the pandora's-box-well-and-truly-opened dept.
A newly disclosed National Security Agency document illustrates the striking acceleration of the use of cyberweapons by the United States and Iran against each other, both for spying and sabotage, even as Secretary of State John Kerry and his Iranian counterpart met in Geneva to try to break a stalemate in the talks over Iran’s disputed nuclear program.
The document ( https://firstlook.org/theintercept/document/2015/02/10/iran-current-topics-interaction-gchq ), which was written in April 2013 for Gen. Keith B. Alexander, then the director of the National Security Agency, described how Iranian officials had discovered new evidence the year before that the United States was preparing computer surveillance or cyberattacks on their networks.
It detailed how the United States and Britain had worked together to contain the damage from “Iran’s discovery of computer network exploitation tools” — the building blocks of cyberweapons. That was more than two years after the Stuxnet worm attack by the United States and Israel severely damaged the computer networks at Tehran’s nuclear enrichment plant.
(Score: 2, Informative) by anubi on Tuesday February 24 2015, @02:36AM
If anything, having hostile interests out there should convince us of the need for robust standards, interoperability, yet not monogenomic ( I am borrowing a farm phrase here, as that usually refers to a specific genome of corn, nothing but that is grown, and a blight that hits one gets 'em all. ).
In order for this to happen, a lot of "security by obscurity" memes need to be tossed, to be replaced by "security by design".
We once had a form of security by design. The old programmer's text editor. You could open *anything* in it, yet there was no way to transfer hostile code by just looking at it.
A variant of this came out which should have taught us all a lesson. ANSI codes. The old "escape sequence" codes, which were soon used to cause havoc on unsuspecting people who opened a file in an ANSI-enabled editor. We should have all learned the lesson right then and there. Do not mix executables and data!
The point I am trying to get to is I believe it is still possible to have a trustworthy system, however its communication protocols need to be reined in to a very basic HTML-like format, honoring trusted text, image, video, and sound, as well as the methods of checkboxes, radio-buttons, and form fields. Limited file transfer possible to/from only the location specified by the user would be useful as well, but under no circumstances have any sort of scripting. If a script file must be run, it would have to be downloaded, then specifically executed by the recipient - and also all script files would use a format very similar to the old .BAT formats, where it could be read and understood what it is going to do when it is run. You may read it without fear of actually executing it, as execution of anything will require a deliberate set of actions on the user's part.
This won't set well with the copyright people who base their business model on user ignorance.
What I would like to see is our computational infrastructure online like the network of Radio Amateurs. They are all running various implementations of transmitters and receivers, all of them compatible, on the same frequencies, using the same languages. Or farmers growing a variety of crops, in such a manner that a strain of corn vulnerable to a blight isn't planted by ALL the farmers. The financial people are always stressing Diversity in our retirement portfolio. I also need to stress the importance of diversity in any critical infrastructure, so that that which knocks one down doesn't knock 'em all down.
At GHz speeds, things can happen damned fast.
This isn't the most economical way of doing things, but it is by far the most resilient way if you intend to build a system that lasts. The system is not hardware - rather it is a set of protocols. Public protocols. Well-understood protocols. Today's annoyances of bad web pages will do nothing more to anyone's system than what happened when one of us opens up an .EXE file in an ASCII text editor. I think we have all done that, and lived to tell about it with no harm done at all.
I am way too pissed at my own Congress for passing all this DMCA type legislation that just eggs on computer illiteracy for the profit of a few.
All this stuff Congress is passing is just paving the road for everyone else and his brother to throw rocks at our glass houses.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by kaszz on Tuesday February 24 2015, @02:44AM
Congress works for someone else than voters..
Anyway what you write is perfectly sane. The problem comes when corporations push the profit motive above everything else, part of that translates to too little time spent on coding properly and insane deadlines. Combine this with wild west coders. And you have a security accident(s) waiting to happen on a irregular basis.
(Score: 2) by c0lo on Tuesday February 24 2015, @03:01AM
If you think west coders are wild, wait until you see the wild east coders.
(grin)
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 2) by tibman on Tuesday February 24 2015, @03:06AM
I often think of the same thing when it comes to the web and security. It is cringe worthy when logging into a bank site that requests flash to run.
SN won't survive on lurkers alone. Write comments.
(Score: 3, Interesting) by anubi on Tuesday February 24 2015, @03:41AM
Yes! I cringe a lot having to provide credit card or financial codes on a site demanding I run scripts. I feel naked as a jaybird.
Its the thing that stopped me from doing online stock trading. I had no idea who I was *really* talking to when I know good and well that my URL bar is easily overwritten with scripting. I am sure the banker knew it too, but he has "Hold Harmless" clauses he demands I accept before he will do business with me. I also suspect my intolerance of scripting is what is killing off my purchases at Amazon, as I will allow Amazon, but not all those other little God-Knows-Who tag-ins who try to ride in on any Amazon transaction.
I feel I am trying to conduct business at the bank, with all sorts of strangers looking over my shoulder and taking notes.
I would sure like to see the day businessmen putting a "hold harmless" clause in their contract be seen as businesslike as restaurants printing "Not Responsible for Food Poisoning" on their menus. I hold that my Congressmen should have "fought for me" a bit on that DMCA, and required the concession of the "hold harmless" clause in exchange for legal teeth for reverse engineering and breaking digital locks. But not a one of them "fought for me", and sold all of us out to the Lobbyist.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]