Obama's Internet Kill Switch Approved

[Arrqh]

Do you realize how much it would hurt the US (and global) economy to shut down the US Internet even for a few hours? In an effort to mitigate damage--such as massive numbers of robo-trades--you would cause even more damage.

Which in some cases might be more preferable than the alternative. Such as a complete global economic meltdown like the 9/18 event almost was.

Nonsense. What you're suggesting is cutting off your own head to prevent someone punching you in the nose. The response is not proportional and will do far more harm then what you're trying to prevent.

 

[Marc]

Aren't there also provisions under the U.S Constitution relating to interstate commerce? If the you started cutting of the Internet within the U.S I'm sure that that there would be a case in the courts faster than you can say IP Packet because it would have a massive impact on commerce.

 

[darkwing_duck1]

Do you realize how much it would hurt the US (and global) economy to shut down the US Internet even for a few hours? In an effort to mitigate damage--such as massive numbers of robo-trades--you would cause even more damage.

Which in some cases might be more preferable than the alternative. Such as a complete global economic meltdown like the 9/18 event almost was.

Nonsense. What you're suggesting is cutting off your own head to prevent someone punching you in the nose. The response is not proportional and will do far more harm then what you're trying to prevent.

What could be worse than a global economic meltdown, not just one nation, but ALL nations. That's what was staring us down the barrel on 9/18. There are other scenarios where the ability to pull the plug on the net might well save the nation, such as a co-ordinated cyber-attack against financial institutions and the power grid.

 

[Arrqh]

Which in some cases might be more preferable than the alternative. Such as a complete global economic meltdown like the 9/18 event almost was.

Nonsense. What you're suggesting is cutting off your own head to prevent someone punching you in the nose. The response is not proportional and will do far more harm then what you're trying to prevent.

What could be worse than a global economic meltdown, not just one nation, but ALL nations. That's what was staring us down the barrel on 9/18. There are other scenarios where the ability to pull the plug on the net might well save the nation, such as a co-ordinated cyber-attack against financial institutions and the power grid.

As Robert Maxwell said, any damage done by cutting off the internet would most likely do much worse damage then your imaginary doomsday scenario.

As for a coordinated "cyber attack"... read the thread. Such a thing is only possible in the imagination and in movies. Reality doesn't work that way. Preparing for something that's impossible is a waste of time... you might as well be asking for kryponite research to protect against Superman going rogue. Superman isn't real, so defending against him is pointless, as is defending against imaginary cyber attacks by causing even more damage then they could possibly do.

A lot of people in this thread have made some very informative posts about the reality of the situation. Reading and understanding their posts is going to be a lot more helpful then making up impossible scenarios.

 

[darkwing_duck1]

^ Impossible?

From 2007 (read carefully the bolded parts):

Chinese military hackers have prepared a detailed plan to disable America’s aircraft battle carrier fleet with a devastating cyber attack, according to a Pentagon report obtained by The Times.



The blueprint for such an assault, drawn up by two hackers working for the People’s Liberation Army (PLA), is part of an aggressive push by Beijing to achieve “electronic dominance” over each of its global rivals by 2050, particularly the US, Britain, Russia and South Korea.


China’s ambitions extend to crippling an enemy’s financial, military and communications capabilities early in a conflict, according to military documents and generals’ speeches that are being analysed by US intelligence officials. Describing what is in effect a new arms race, a Pentagon assessment states that China’s military regards offensive computer operations as “critical to seize the initiative” in the first stage of a war.



...


Cyber attacks by China have become so frequent and aggressive that President Bush, without referring directly to Beijing, said this week that “a lot of our systems are vulnerable to attack”. He indicated that he would raise the subject with Hu Jintao, the Chinese President, when they met in Sydney at the Apec summit. Mr Hu denied that China was responsible for the attack on Robert Gates, the US Defence Secretary.



Larry M. Wortzel, the author of the US Army War College report, said: “The thing that should give us pause is that in many Chinese military manuals they identify the US as the country they are most likely to go to war with. They are moving very rapidly to master this new form of warfare.” The two PLA hackers produced a “virtual guidebook for electronic warfare and jamming” after studying dozens of US and Nato manuals on military tactics, according to the document.
The Pentagon logged more than 79,000 attempted intrusions in 2005. About 1,300 were successful, including the penetration of computers linked to the Army’s 101st and 82nd Airborne Divisions and the 4th Infantry Division. In August and September of that year Chinese hackers penetrated US State Department computers in several parts of the world. Hundreds of computers had to be replaced or taken offline for months. Chinese hackers also disrupted the US Naval War College’s network in November, forcing the college to shut down its computer systems for several weeks. The Pentagon uses more than 5 million computers on 100,000 networks in 65 countries.



Jim Melnick, a recently retired Pentagon computer network analyst, told The Times that the Chinese military holds hacking competitions to identify and recruit talented members for its cyber army.



He described a competition held two years ago in Sichuan province, southwest China. The winner now uses a cyber nom de guerre, Wicked Rose. He went on to set up a hacking business that penetrated computers at a defence contractor for US aerospace. Mr Melnick said that the PLA probably outsourced its hacking efforts to such individuals. “These guys are very good,” he said. “We don’t know for sure that Wicked Rose and people like him work for the PLA. But it seems logical. And it also allows the Chinese leadership to have plausible deniability.”



In February a massive cyber attack on Estonia by Russian hackers demonstrated how potentially catastrophic a preemptive strike could be on a developed nation. Pro-Russian hackers attacked numerous sites to protest against the controversial removal in Estonia of a Russian memorial to victims of the Second World War. The attacks brought down government websites, a major bank and telephone networks.


Linton Wells, the chief computer networks official at the Pentagon, said that the Estonia attacks “may well turn out to be a watershed in terms of widespread awareness of the vulnerability of modern society”.



After the attacks, computer security experts from Nato, the EU, US and Israel arrived in the capital, Tallinn, to study its effects.



Sami Saydjari, who has been working on cyber defence systems for the Pentagon since the 1980s, told Congress in testimony on April 25 that a mass cyber attack could leave 70 per cent of the US without electrical power for six months.


He told The Times that all major nations – including China – were scrambling to defend against, and working out ways to cause, “maximum strategic damage” by taking out banking systems, power grids and communications networks. He said that there were at least a thousand attempted attacks every hour on American computers. “China is aggressive in this,” he said.

http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article2409865.ece

http://www.time.com/time/world/article/0,8599,1940009,00.html (2009)

But even if U.S. officials try to raise the issue of what they believe is a constant and growing campaign by China to infiltrate U.S. networks, steal secrets and hone Beijing's ability to wreak havoc in case of military conflict, the likelihood is that Chinese officials will simply deny that the problem exists, as they have done with great success in the past. From the American point of view, there's unfortunately currently little Washington can do to change that state of affairs.

http://www.time.com/time/photogallery/0,29307,1929133,00.html "At a fundamental level, the Chinese view cyberwar as an overt tool of national power in a very different way from the United States," says James Mulvenon, a Washington-based specialist on the Chinese military. "The U.S. is still uncomfortable exercising that power, but the Chinese — and the Russians — are very comfortable with the deniability and using proxies, even though the actions of those proxies could have enormous strategic consequences."


Mulvenon and other analysts say China employs a constantly shifting mix of official and civilian or semicivilian groups (such as so-called patriotic hacker associations) as the foot soldiers — the "proxies" — in its cyberwar armies. The technological challenges of tracing attacks on U.S. government and private-corporation computers are so enormous that Beijing can simply deny that any of the problems have originated in China. So far, the Chinese have been able to get away with it, despite the fact that not just the U.S. is complaining. In the past few years, sources ranging from the German Chancellor's office to government mainframes as far afield as New Zealand and Belgium have made loud public allegations that they had been the subject of cyberinfiltration from China, all to no avail.

"The scope and scale of the attacks has not abated despite the international opprobrium and outcry," Mulvenon says. "It's a serious problem that at the moment we don't have a solution to, because our inability to attribute the source of the attack fundamentally undermines our efforts at deterrence. If you can't identify the attacker, you can't deter them."

That's a troubling situation for China's potential adversaries to find themselves in, particularly as, unlike in conventional military training, what China's hackers are doing is the real thing, not make-believe. "The skill sets needed to penetrate a network for intelligence-gathering purposes in peacetime are the same skills necessary to penetrate that network for offensive action during wartime," notes a recent congressional report on China's alleged clandestine cyberattacks in the U.S. According to the report, released in October by the congressionally mandated U.S.-China Economic and Security Review Commission, that means that "if Chinese operators are, indeed, responsible for even some of the current exploitation efforts targeting U.S. government and commercial networks, then they may have already demonstrated that they possess a mature and operationally proficient CNO [computer network operations, or cyberwarfare] capability."
​

More Links:

http://www.time.com/time/magazine/article/0,9171,1692063,00.html (*2009)

http://www.time.com/time/magazine/article/0,9171,1098961,00.html (2005)

http://www.atimes.com/atimes/China/LB09Ad01.html Asia Times (this year)

http://www.msnbc.msn.com/id/33439397/ (MSNBC 2009)

http://www.asiasentinel.com/index.php?option=com_content&task=view&id=2257&Itemid=171

And that's just CHINA.

 

[darkwing_duck1]

double post

 

[Robert Maxwell]

Your articles were pretty light on details, as articles on this subject usually are--lots of doom and gloom and sensationalism, very little substance.

I'll go down what things were actually mentioned as having happened:

1. Hackers taking over websites. Yeah, this happens all the time. That's what happens when you have weak passwords, poor encryption keys, and unpatched software. People have to take security seriously.
2. Using remote-control software to steal government documents. This is easily fixed through better IT policy. Anyone using a computer with sensitive data on it should be utterly forbidden from installing software on it. That's a fucking no-brainer. I hope the government has learned its lesson. However, this sort of thing is also common, and like item #1, is bred of poor security practices. Also, note that all the documents involved were unclassified, meaning they were on low-security systems to begin with, so it's hardly surprising the Chinese managed to get their hands on them. Really, we're worrying about unclassified data?

The TimesOnline article is a joke and not even worth discussing. There are absolutely no details in it regarding how this plan to bring down aircraft carriers would work. And if you read the stats in the article, hackers have managed to compromise something like 1300 Pentagon-related systems out of 5 million. I guarantee you those 1300 systems are likely floating laptops, web servers, and other extremely low-security computers that are always begging to be compromised. Hardly the kind of doomsday scenario in which enemies take control of our vital defense networks.

Politicians have got it in their heads that you have to do something special to thwart hackers from other countries, so they come up with this "cyberwarfare" nonsense. Hacking is hacking, regardless of who is doing it and why, and you address it the same way regardless of circumstances: sound IT policy and user education. Don't let users install programs, don't put sensitive systems on the open Internet, put a DMZ between your low-security public services and your high-security information systems, require strong (and frequently-changing) passwords, keep software updated, instruct your users on the dangers of poor security practices, etc. This shit isn't rocket science.

What you should take away from this is not that there is no risk--there is most definitely a risk, primarily in terms of stealing state secrets. Poorly-secured systems with sensitive documents on them are certainly at risk. What I and others have been trying to communicate is that this notion of massive "cyberwar"--with "cyberwarriors" on a "cyberbattlefield"--is sensationalist nonsense from the media. They're trying to sex up something that is inherently unsexy: a bunch of poorly-groomed nerds hanging out in the basements of restaurants, trying to find computers with unpatched vulnerabilities and/or stupid users who will run any damn program somebody emails to them.

I read every article you posted and not a single one of them indicated a credible threat to our national security, just a lot of speculation and technically-ignorant mumbo jumbo. This is what happens when you have journalists writing about things they understand very poorly: they're led around by the nose by government mouthpieces and boastful hackers, rather than getting a firm grasp of what's really going on here.

I'm sorry, but bringing down websites and breaking into public servers is kiddie stuff. I grew out of that shit when I was about 16. If that's the worst we have to worry about, this is much ado about nothing.

 

[darkwing_duck1]

^Apparently you ignored all the experts cited who say you are 1000% wrong. Experts in cyber-security, cyber-warfare, foreign policy, etc. You say the articles are too vague. Of COURSE they're vague. They're not going to say exactly what was done and why, lest someone ELSE get any ideas.

OK, the thing about the aircraft carrier I didn't get either, but what about what happened in Estonia? Important public services offline for considerable time. A bank ruined.

And there's the testimony of the cyber expert before congress that a co-ordinated cyber attack on the power grid could black out 70% of the US for months.

Those are REAL threats. Creditable threats, predicted by those whose job it is to study and understand such things.

What credentials do YOU have to say they're wrong, or credentialed experts to do so?

 

[Robert Maxwell]

^Apparently you ignored all the experts cited who say you are 1000% wrong. Experts in cyber-security, cyber-warfare, foreign policy, etc. You say the articles are too vague. Of COURSE they're vague. They're not going to say exactly what was done and why, lest someone ELSE get any ideas.

No, they're vague because these "experts" know all they're talking about is instituting better IT policies, and they have to sex it up with talk of "cyberwarfare" for the news media so they can get their budgets enhanced.

OK, the thing about the aircraft carrier I didn't get either, but what about what happened in Estonia? Important public services offline for considerable time. A bank ruined.

The main thrust of the Estonia segment was the takedown of numerous websites--something that is rather easy to do. It's very vague what was done to the bank in question, but it was hardly "ruined." It was "brought down," which doesn't mean quite the same thing in computer parlance that it does elsewhere. It just means their computer systems were temporarily disabled. If we're talking about external systems (e.g. an online branch) then it was probably a DDoS. If someone got into their network and sabotaged it, that is--once again--an example of poor IT policy.

And there's the testimony of the cyber expert before congress that a co-ordinated cyber attack on the power grid could black out 70% of the US for months.

If that's really true then the people administering our power grid are fucking idiots and should be fired immediately, because such a thing shouldn't even be possible. So, either they are total morons or they are simply fishing for taxpayer money to "beef up security."

Those are REAL threats. Creditable threats, predicted by those whose job it is to study and understand such things.

The threats are completely overblown.

What credentials do YOU have to say they're wrong, or credentialed experts to do so?

How about well over a decade of experience writing software and dealing with hardware, with a major focus on networks? I've been working with computers long enough to know what their capabilities and limitations are. The vast majority of people don't, and that's why public officials can spout these doom-and-gloom scenarios and not get called on it. There is no reason any system attached to critical infrastructure should be on the open Internet for anyone to find. If it is, whoever made that decision should be fired.

The solution to the threat of "cyberwarfare" is not to have our own armies of "cyberwarriors" to do battle on some virtual battleground, it is to have good IT policy and educated users. But that's not as "sexy" as the notion of "war in cyberspace," apparently.

We can and should engage in electronic espionage for intelligence-gathering, since obviously our enemies are doing the same. But it's not exactly rocket science to protect our own systems.

 

[STR]

@Robert Maxwell. If I recall correctly, computers with access to classified information (at least secret and top secret, if not confidential) must be physically separated from anything connected to a public network. They literally have a spec that says it must be X feet from internet connected computer Y. Top Secret information is often kept in PC's within locked vaults (something like the first Mission: Impossible movie, but obviously less dramatic), while Secret and Confidential info are kept on locked down computers that are to be used only for classified work. Not only are you not allowed to install anything, but they have built-in trusted computing hardware which will block and report any unauthorized attempts to alter the system. These may be networked in with other computers over an encrypted LAN/WAN, which again must be physically separated from internet connected networks.

At least, that's how it's supposed to be according to regulations and guidelines. Given the sprawling nature of the federal government, even the relatively small black areas, it's not adhered to 100%. Hence the occasional Chinese man arrested for taking nuclear secrets.

 

[CuttingEdge100]

Threat of 'cyberwar' has been hugely hyped
by Bruce Schneier
URL: http://edition.cnn.com/2010/OPINION/07/07/schneier.cyberwar.hyped/?fbid=ncHZUGX5-n5

(CNN) -- There's a power struggle going on in the U.S. government right now.

It's about who is in charge of cyber security, and how much control the government will exert over civilian networks. And by beating the drums of war, the military is coming out on top.

"The United States is fighting a cyberwar today, and we are losing," said former NSA director -- and current cyberwar contractor -- Mike McConnell. "Cyber 9/11 has happened over the last ten years, but it happened slowly so we don't see it," said former National Cyber Security Division director Amit Yoran. Richard Clarke, whom Yoran replaced, wrote an entire book hyping the threat of cyberwar.

General Keith Alexander, the current commander of the U.S. Cyber Command, hypes it every chance he gets. This isn't just rhetoric of a few over-eager government officials and headline writers; the entire national debate on cyberwar is plagued with exaggerations and hyperbole.

Googling those names and terms -- as well as "cyber Pearl Harbor," "cyber Katrina," and even "cyber Armageddon" -- gives some idea how pervasive these memes are. Prefix "cyber" to something scary, and you end up with something really scary.

It seems like textbook fear-mongering if you ask me.

 

[Marc]

Threat of 'cyberwar' has been hugely hyped
by Bruce Schneier
URL: http://edition.cnn.com/2010/OPINION/07/07/schneier.cyberwar.hyped/?fbid=ncHZUGX5-n5

(CNN) -- There's a power struggle going on in the U.S. government right now.

It's about who is in charge of cyber security, and how much control the government will exert over civilian networks. And by beating the drums of war, the military is coming out on top.

"The United States is fighting a cyberwar today, and we are losing," said former NSA director -- and current cyberwar contractor -- Mike McConnell. "Cyber 9/11 has happened over the last ten years, but it happened slowly so we don't see it," said former National Cyber Security Division director Amit Yoran. Richard Clarke, whom Yoran replaced, wrote an entire book hyping the threat of cyberwar.

General Keith Alexander, the current commander of the U.S. Cyber Command, hypes it every chance he gets. This isn't just rhetoric of a few over-eager government officials and headline writers; the entire national debate on cyberwar is plagued with exaggerations and hyperbole.

Googling those names and terms -- as well as "cyber Pearl Harbor," "cyber Katrina," and even "cyber Armageddon" -- gives some idea how pervasive these memes are. Prefix "cyber" to something scary, and you end up with something really scary.

It seems like textbook fear-mongering if you ask me.

And one only has to look at the postings made by some-one else in here to see how that fear mongering at work.

It's a situation not helped by a lack of understanding by the general population compounded by what they see on tv.

 

[Robert Maxwell]

Threat of 'cyberwar' has been hugely hyped
by Bruce Schneier
URL: http://edition.cnn.com/2010/OPINION/07/07/schneier.cyberwar.hyped/?fbid=ncHZUGX5-n5

(CNN) -- There's a power struggle going on in the U.S. government right now.

It's about who is in charge of cyber security, and how much control the government will exert over civilian networks. And by beating the drums of war, the military is coming out on top.

"The United States is fighting a cyberwar today, and we are losing," said former NSA director -- and current cyberwar contractor -- Mike McConnell. "Cyber 9/11 has happened over the last ten years, but it happened slowly so we don't see it," said former National Cyber Security Division director Amit Yoran. Richard Clarke, whom Yoran replaced, wrote an entire book hyping the threat of cyberwar.

General Keith Alexander, the current commander of the U.S. Cyber Command, hypes it every chance he gets. This isn't just rhetoric of a few over-eager government officials and headline writers; the entire national debate on cyberwar is plagued with exaggerations and hyperbole.

Googling those names and terms -- as well as "cyber Pearl Harbor," "cyber Katrina," and even "cyber Armageddon" -- gives some idea how pervasive these memes are. Prefix "cyber" to something scary, and you end up with something really scary.

It seems like textbook fear-mongering if you ask me.

We finally agree on something!

This is all about certain factions in the government trying to expand their powers and capture a bigger budget. It has nothing to do with genuine threats. The more they can play up the dire threat of "cyberwar," the more they can convince Congress to go along with them.

Also, thanks for clarifying on classified information, STR. I knew there were stringent policies in place, I just didn't know the details.

 

[darkwing_duck1]

@Robert Maxwell. If I recall correctly, computers with access to classified information (at least secret and top secret, if not confidential) must be physically separated from anything connected to a public network. They literally have a spec that says it must be X feet from internet connected computer Y. Top Secret information is often kept in PC's within locked vaults (something like the first Mission: Impossible movie, but obviously less dramatic), while Secret and Confidential info are kept on locked down computers that are to be used only for classified work. Not only are you not allowed to install anything, but they have built-in trusted computing hardware which will block and report any unauthorized attempts to alter the system. These may be networked in with other computers over an encrypted LAN/WAN, which again must be physically separated from internet connected networks.

At least, that's how it's supposed to be according to regulations and guidelines. Given the sprawling nature of the federal government, even the relatively small black areas, it's not adhered to 100%. Hence the occasional Chinese man arrested for taking nuclear secrets.

But those measures are insufficient, as history has shown. China in particular has penetrated our security numerous times.

Cyber-warfare is a fact, no matter how much Robert and others might wish otherwise. Hostile powers are spending considerable time and resources in developing their capacity in this regard. We fail to do so at our own peril.

 

[STR]

@Robert Maxwell. If I recall correctly, computers with access to classified information (at least secret and top secret, if not confidential) must be physically separated from anything connected to a public network. They literally have a spec that says it must be X feet from internet connected computer Y. Top Secret information is often kept in PC's within locked vaults (something like the first Mission: Impossible movie, but obviously less dramatic), while Secret and Confidential info are kept on locked down computers that are to be used only for classified work. Not only are you not allowed to install anything, but they have built-in trusted computing hardware which will block and report any unauthorized attempts to alter the system. These may be networked in with other computers over an encrypted LAN/WAN, which again must be physically separated from internet connected networks.

At least, that's how it's supposed to be according to regulations and guidelines. Given the sprawling nature of the federal government, even the relatively small black areas, it's not adhered to 100%. Hence the occasional Chinese man arrested for taking nuclear secrets.

But those measures are insufficient, as history has shown. China in particular has penetrated our security numerous times.

Cyber-warfare is a fact, no matter how much Robert and others might wish otherwise. Hostile powers are spending considerable time and resources in developing their capacity in this regard. We fail to do so at our own peril.

Umm...did you even read what I said? And if you did, please explain how you can remotely hack into a computer that has no connection to you. Anything that's actually sensitive, and useful, is completely separate from the public internet and as such is not susceptible to a remote attack over the internet. The assertion that "patriotic hackers" can shut down the USS Enterprise or Abraham Lincoln is asinine in its assertion. No one with any clue how networks work would EVER make such a stupid claim, which is why there is zero citation of how such an attack would unfold.

Basically, anything you can attack from the internet is not particularly valuable information. They're not getting nuclear launch codes, they're getting lunch menus for the CIA cafeteria. It's not just low hanging fruit, it's the only fruit they can see and possibly ever touch.

My citation of Chinese agents is a traditional counterespionage problem, not a cyberwarfare issue. No IT security policy in the world will help you if you sit Hu Jintao in front of a secure computer and give him credentials to log in. Even if you did, shutting down the public internet for 80% of the world would in no way fix the problem.

Do you realize how much it would hurt the US (and global) economy to shut down the US Internet even for a few hours?

How much would it cost the US...somewhere between $2-5 billion a day. Since more than half the world's internet traffic goes through the US, I'd triple or quadruple that number for global damage. I must say I find it hard to believe anyone has the resources to do more than $20 billion of damage a day.

 

[darkwing_duck1]

^You are, simply put, wrong.

http://www.washingtonpost.com/wp-dyn/content/article/2010/02/14/AR2010021403817.html

http://www.telegraph.co.uk/news/wor...etwork-GhostNet-penetrates-103-countries.html

http://online.wsj.com/article/SB10001424052748703399204574508413849779406.html?mod=googlenews_wsj (includes information about the Chineese compromise of F-35 data)

http://www.uscc.gov/researchpapers/...ber_Paper_FINAL_Approved Report_16Oct2009.pdf (official report on Chineese cyberwarfare)

http://online.wsj.com/article/SB123914805204099085.html (penetration of US electrical grid by Chinesse, Russians, others)

http://online.wsj.com/article/SB124027491029837401.html (more on the JSF breach)

http://www.heritage.org/Research/Reports/2008/02/Trojan-Dragon-Chinas-Cyber-Threat

http://www.techshout.com/internet/2...e-hundreds-of-danish-sites-and-issue-threats/

http://www.techshout.com/security/2008/14/us-congressmen-accuse-china-of-hacking-their-computers/

https://www.infosecisland.com/blogv...nese-hackers-Or-lost-cyber-war-Part-III-.html

http://www.time.com/time/magazine/article/0,9171,1098961-2,00.html#ixzz0iFTOZt8D (the "Titan Rain" incident)

Just a few minutes worth of Googling and following links. Cyberwar is real. It is important. We MUST fight it as vigorously as any other war.

 

[CaptainStoner]

There is no reason any system attached to critical infrastructure should be on the open Internet for anyone to find. If it is, whoever made that decision should be fired.

@Robert Maxwell. If I recall correctly, computers with access to classified information (at least secret and top secret, if not confidential) must be physically separated from anything connected to a public network. They literally have a spec that says it must be X feet from internet connected computer Y.

This is my obvious point also. You can't hack a computer that has no internet connection. The security risk there is a physical one. Wasn't that how that huge bank security gaffe happened a few years back - stolen or lost laptops, not through hacking.
It's still important to take seriously, but no, they're not going to disable the Navy with a computer hack from China.

 

[Marc]

There is no reason any system attached to critical infrastructure should be on the open Internet for anyone to find. If it is, whoever made that decision should be fired.

@Robert Maxwell. If I recall correctly, computers with access to classified information (at least secret and top secret, if not confidential) must be physically separated from anything connected to a public network. They literally have a spec that says it must be X feet from internet connected computer Y.

This is my obvious point also. You can't hack a computer that has no internet connection. The security risk there is a physical one. Wasn't that how that huge bank security gaffe happened a few years back - stolen or lost laptops, not through hacking.
It's still important to take seriously, but no, they're not going to disable the Navy with a computer hack from China.

Ah that would be the gaffe where the bank shipped non-encrypted backup tapes to storage only to have the tapes go walkies in transit (and I think that was only part of the cluster fuck).

http://www.computerworld.com/s/arti...ith_data_on_4.5M_clients?nlid=8&source=NLT_PM

For all the noise made about security, the internet etc etc I wonder what would be revealled if data theft patterns were examined to see how much took place through internal measures (workers hacking the systems or simply taking advantage of lax security), external hacking and finally the loss/theft of hardware and storage media.

A few years back an Australain current affairs program (term used in the losest possible manner) ran a story about the supposed dangers of internet banking after some people had money stolen from their account. The problem wasn't the internet banking, the problem was they hadn't been good with the security and a former friend watched and them enter their logon details and memorised them.

 

[STR]

^You are, simply put, wrong.

http://www.washingtonpost.com/wp-dyn/content/article/2010/02/14/AR2010021403817.html

http://www.telegraph.co.uk/news/wor...etwork-GhostNet-penetrates-103-countries.html

http://online.wsj.com/article/SB10001424052748703399204574508413849779406.html?mod=googlenews_wsj (includes information about the Chineese compromise of F-35 data)

http://www.uscc.gov/researchpapers/...ber_Paper_FINAL_Approved Report_16Oct2009.pdf (official report on Chineese cyberwarfare)

http://online.wsj.com/article/SB123914805204099085.html (penetration of US electrical grid by Chinesse, Russians, others)

http://online.wsj.com/article/SB124027491029837401.html (more on the JSF breach)

http://www.heritage.org/Research/Reports/2008/02/Trojan-Dragon-Chinas-Cyber-Threat

http://www.techshout.com/internet/2...e-hundreds-of-danish-sites-and-issue-threats/

http://www.techshout.com/security/2008/14/us-congressmen-accuse-china-of-hacking-their-computers/

https://www.infosecisland.com/blogv...nese-hackers-Or-lost-cyber-war-Part-III-.html

http://www.time.com/time/magazine/article/0,9171,1098961-2,00.html#ixzz0iFTOZt8D (the "Titan Rain" incident)

Just a few minutes worth of Googling and following links. Cyberwar is real. It is important. We MUST fight it as vigorously as any other war.

Link spamming is not the same as presenting a case. Especially as none of those links disprove ANYTHING I said. I'm again unsure that you even read anything because you say "Cyberwar is real." I never said it wasn't, it's just a buzzword for IT attacks from foreign soil, which is no more or less dangerous than attacks from anyone else. What I did say is that nothing important is or should be vulnerable, so long as policy is adhered to. For the most part, it is. Case in point, the F-35 hack you mentioned: http://uk.reuters.com/article/idUKTRE53K0TG20090421

Also, in that massive pile of garbage you threw at me rather than write a real response with one or two citations, you still haven't found proof of the assertion that an aircraft carrier can be hacked and shut down remotely. You won't be able to, because anything of actual value is not stored in an online accessible site. The ONLY relevant article is the one on the electricity grid, but the US grid is a 3rd world-grade cluster#### with problems far beyond vulnerable computers.

So rather than more link spamming, go back and prove your first point, rather than shifting the debate around in an attempt to skirt the responsibility of actually proving anything you've said up to this point.

There is no reason any system attached to critical infrastructure should be on the open Internet for anyone to find. If it is, whoever made that decision should be fired.

@Robert Maxwell. If I recall correctly, computers with access to classified information (at least secret and top secret, if not confidential) must be physically separated from anything connected to a public network. They literally have a spec that says it must be X feet from internet connected computer Y.

This is my obvious point also. You can't hack a computer that has no internet connection. The security risk there is a physical one. Wasn't that how that huge bank security gaffe happened a few years back - stolen or lost laptops, not through hacking.
It's still important to take seriously, but no, they're not going to disable the Navy with a computer hack from China.

Ah that would be the gaffe where the bank shipped non-encrypted backup tapes to storage only to have the tapes go walkies in transit (and I think that was only part of the cluster fuck).

http://www.computerworld.com/s/arti...ith_data_on_4.5M_clients?nlid=8&source=NLT_PM

For all the noise made about security, the internet etc etc I wonder what would be revealled if data theft patterns were examined to see how much took place through internal measures (workers hacking the systems or simply taking advantage of lax security), external hacking and finally the loss/theft of hardware and storage media.

A few years back an Australain current affairs program (term used in the losest possible manner) ran a story about the supposed dangers of internet banking after some people had money stolen from their account. The problem wasn't the internet banking, the problem was they hadn't been good with the security and a former friend watched and them enter their logon details and memorised them.

I kinda hit on this earlier. The bulk of the serious breaches, the theft of nuclear secrets, bank thefts, are perpetrated by individuals with access that shouldn't have it, or weren't properly vetted before given it. Occasionally you have the good ol' fashioned Benedict Arnold turning red coat after working for years. Those are the dangerous ones.

 

[Marc]

Also, in that massive pile of garbage you threw at me rather than write a real response with one or two citations, you still haven't found proof of the assertion that an aircraft carrier can be hacked and shut down remotely. You won't be able to, because anything of actual value is not stored in an online accessible site. The ONLY relevant article is the one on the electricity grid, but the US grid is a 3rd world-grade cluster#### with problems far beyond vulnerable computers.

Any electrical grid is an easy target no matter how good.

Take out a few transformers or high transmission lines (a few kilos of HE would do the trick nicely) and you can bring a city to it's knees and part of that is that you trigger the mechanisms designed to protect the system (such as load shedding to protect the generators).