Experts: Network security deteriorating, privacy a lost cause

Internet and network security is bad, and it's going to get worse before it gets better. To make it better, CIOs and IT admins need to rethink the way that they approach protecting their networks from hackers and other miscreants. "We've got North Korea with ICBMs and we've got Iran developing an atomic bomb, but that's not …

COMMENTS

This topic is closed for new posts.


  1. Anonymous Coward

    Privacy isn't lost - it only got more expensive

    Privacy lost? That's a defeatist argument of someone who has given up and seeks to justify that.

    Privacy isn't lost, but it has indeed become harder to protect, especially since technical people seem to think that it's only a matter of putting some crypto in a product. It just takes more skill.

    1. Charles 9

      Re: Privacy isn't lost - it only got more expensive

      It is BOTH defeatist...AND realist. Network security is like crimefighting. You're never gonna stop ALL of it. It is the case of "you have to be lucky all the time, they only have to be lucky once" AND they outnumber you. It's just that with network security, ONE breach is usually enough.

      So the challenge of network security is to prevent ANY breach (since only once is enough to basically ruin you). Only a perfect security solution can achieve that level of success.

      However, man is imperfect. Therein lies the contradiction.

      1. Anonymous Coward

        Re: Privacy isn't lost - it only got more expensive

        It is BOTH defeatist...AND realist

        No, it's lazy. This is the sort of attitude that creates security budgets that are only sufficient to cover liability in case something goes wrong, but does not allow a decent crisis plan and customer care for such a situation to be put in place. This means when a breach occurs you get the sort of mealy mouthed crap politicians come out with like "we did everything we could" - generally a claim not investigated further.

        There is a LOT more that can be done than just amoeba level "challenge-response" activity, but it takes hiring brighter (read: more expensive) people instead of glorified "I follow process because that's all I am capable of" overpaid administrators.

        The options are simple. Do it right, or end up a dead cert for a breach. And stop giving up *before* the battle.

        1. Charles 9

          Re: Privacy isn't lost - it only got more expensive

          "The options are simple. Do it right, or end up a dead cert for a breach. And stop giving up *before* the battle."

          That's the problem. There is NO "do it right". That implies perfection in an imperfect world. As someone else has said, network security is an oxymoron: much like Digital Rights Management. The INHERENT risk of making something available on a network is that the wrong person accesses it: either by breaking the defenses (brute force hacking) or by disguising as one of the trusted (phishing). It's like the front door: strong crooks break the door down, clever ones get an impression of your key. Not even the vaunted air gap is 100% effective, as Stuxnet showed.

          In the final analysis, network assets should be a value/risk evaluation. How useful is the asset on a network vs. the risk of someone exposing it. Instead of trying to keep hardening the target, the targets themselves should be evaluated to see if they're worth the risk and taken off if not. If the system will fail eventually, the best one can do is to fail safe and minimize the damage.

  2. Christian Berger

    Network security is an oxymoron

    Networks can never be secure, as they are typically outside of your reach. You cannot prevent people from tapping your wires, unless you go through extreme measures.

    Instead the more sensible approach is endpoint security. Make sure that whatever data you throw at your endpoints, they will not break and that all data that needs to be secure is properly encrypted and authenticated.

    This is something modern Unixoid systems are fairly good at. If you want to transfer files between 2 networked Linux boxes, you are likely to use ssh which is encrypted and authenticated. Same goes for web services. A good percentage of those are already reachable via https, and even though https has its serious flaws, it's still relying on some imaginary network security.

    1. Anonymous Coward

      Re: Network security is an oxymoron

      That's not enough. Crypto solves some problems very well and others not at all. If you get an encrypted message containing an xlsx file, how do you make sure there is no buffer overflow-based virus inside* that xlsx? Or if there is one, how do you limit the damage? Currently, this kind of bug means "user account owned". It does not have to, as sandboxing could contain it. See the Google Chrome security model.

      * Or: How do you make sure your xlsx does not contain a Flash movie which contains an exploit for Flashplayer? Not kidding, that's how they owned RSA and Lockmart. You see, commercial IT is wholly corrupted.

  3. gnufrontier

    Tin cans and a string

    The issue isn't network security it's communications security. As soon as some form of relay is established, security is compromised and one faces tradeoffs.

    Does one send a single messenger on horseback (slower, less conspicuous but more vulnerable), surround the messenger with armed guards for protection (slower, more expensive, more conspicuous, less vulnerable) or presume monitoring but encode like smoke signals (conspicuous, faster, decipherable)?

    Technology has made the means of communication orders of magnitude more complex but the same basic trade-offs haven't changed. What technology has also done has increased the number of domains and instances of messages categorized as needing to be secure. No longer is security just the provenance of battlefield communication.

    For some reason there is a growing acceptance that loss of privacy for individuals is inevitable but what hasn't yet caught on is that privacy for abstract entities such as governments, corporations etc. will also be eroded.

    Right now, people accept cameras everywhere monitoring our behavior but institutions are allowed to go about much of their business without such constant monitoring. We can't imagine that there would ever be cameras in every board room, every court, every meeting. What would be the effect of such transparency? And yet this transparency is happening not with cameras but with every form of communication within institutions and they don't like it.

    People think monitoring is fine when they think they have nothing to hide but does refusal to be monitored mean there is something to hide? Institutions give reasons such as state security, competitive advantage, protection of property, the recently conjured up modern notion of privacy etc., but if individual privacy is eroded one can't expect institutional privacy to be maintained.

    Technology is neither the problem nor the solution. It is rooted in our very attitudes towards others. Competition, mistrust, domination and unifying conceptions which tend to be exclusionary and limited (religion, nationalism, gardening and fan clubs are all examples).

    We are dealing with two contradictory principles that have been used to describe our "information age", one that information is power and the other being information wants to be free.

    Although as in times past, increasing amounts of money, time, effort and technology will be thrown at this security problem, we can neither get off this road nor know where it is taking us but there will be much "sound and fury" along the way.

    1. Anonymous Coward

      Re: Tin cans and a string

      It's also laziness and profiteering. Would you volunteer to be a security soldier in your local bus once per month for a day? I am sure you have more important business in front of your TV to do. In exchange, they monitor your every move on public transportation these days.

      Plus, killing foreign "terrorists" with drones makes much better revenue than selling pistols and machine guns for police-style security forces.

    2. Anonymous Coward

      @ gnufrontier

      You should read Orwell's 1984.

  4. amanfromMars 1 Silver badge

    There is an air gap, Mikel* ..... AIResearch and digital Developments .... AIR&dDs

    And if you think all of that news is bad [if you have dirty little big secrets to hide] or good [if you don't have secrets to hide, and can recognise and accept perfect transparency as an effective disinfectant and deterrent to manipulative malfeasance and ignorant arrogance/arrogant ignorance], please be advised that the Great IntelAIgent Game has only just started and you aint seen nothing yet …….. and Google have been cordially invited out to play in ITs Alien Space Places …… http://www.ur2die4.com/?p=4161 …… but they are not necessarily leaders following in the leading fields there.

    And whenever you be told that GCHQ is fully aware of the situation, can you ponder on the dire state of national television intelligence servering and the BBC's abject failure to better beta edutain/educate, inform and entertain the masses for/with digital control of the future.

    Where be there a John Reith when he be needed?

    HM ER got it just right whenever she shared, allegedly, …… "There are powers at work in this country about which we have no knowledge." ….. http://news.bbc.co.uk/1/hi/uk/2407841.stm ….. for there most certainly is/are. Of that you can be assured. But only the fool and their tools would be rightly terrified, methinks.

    * Mikel posted Sunday 26th May 2013 07:09 GMT here, on this thread :-)

    1. Anonymous Coward

      Re: There is an air gap, Mikel* ..... AIResearch and digital Developments .... AIR&dDs

      You mean a Female Mafia Boss threatened one of her disloyal underlings ? Say it didn't happen !!!!!

      "We can't guarantee for your security, Paul...."

      It's actually quite simple, there are more than enough former members of the armed forces in the west who will bully and intimidate people whom are uttered to be "enemies of the state". No proof, no court proceedings required whatsoever. No real secret here. And no need for a special service. Dumb ex-soldiers to be used by their former officers live in almost every street.

      1. amanfromMars 1 Silver badge

        Remote Virtual Assaults are Impossible to Defeat and therefore Perfect ....

        .... for Targetting WMD Users and Abusers?

        It's actually quite simple, there are more than enough former members of the armed forces in the west who will bully and intimidate people whom are uttered to be "enemies of the state". No proof, no court proceedings required whatsoever. No real secret here. And no need for a special service. Dumb ex-soldiers to be used by their former officers live in almost every street. .... cs_graduate Posted Monday 27th May 2013 13:53 GMT

        You might find if you cared to investigate, cs_graduate, and especially so with regard to former special forces officers and men, who would never recognise the description of being dumb ex-soldiers, that they are a lot smarter now than they ever were before, and they may realise that the state is the enemy and cares little to nothing about them and theirs and their welfare after their service of following dumb political and financial orders.

        And that puts pompous and pontificating ministers and senior dodgy communications advisers in the frame for future soldierly special forces undivided attention, to name but a brace of deserving souls worthy of that which they would be peddling/pimping and pumping and dumping. And that would give them lead with intelligence services too, which would be a pleasant change from the mayhem and madness which be presently servered for world views in the daily news.

        You gotta think out of the box which imprisons you, cs_graduate, otherwise you be destined and fated to be slave to the system and just an inconsequential number.

        1. amanfromMars 1 Silver badge

          Take Care in a Registered Post, for ITMagicians and AIMetaPhysicians can Deliver You, Anything

          Proof positive of the earlier post …. Posted Monday 27th May 2013 18:31 GMT …. and the contention that the state be the enemy, and by inference and direct association that would imply the problem is rooted in the government of the day, be here, …. http://www.independent.co.uk/news/uk/home-news/betrayal-of-our-wounded-veterans-i-served-my-country-then-they-turned-their-backs-8633611.html ….. and how would one disagree with that, whenever William Hague is arguing to arm right dodgy foreign rebels to attack national and military forces* and Iain Duncan Smith is floating the notion that social benefits be removed from general circulation and channeled into national defence and police forces to secure protection for systems and administrations which are creating deadly enemies …… which be akin to rogue government officials trying to ringfence security and protection for themselves?

          And they think to call themselves leaders worthy of a nation's support and election into high office? Oh please, that be certifiable madness and a conservative recipe for disaster to be visited upon the intellectually deficient and psychotically delusional?

          And those be two valid enough questions to be asked of UKGBNI Intelligence chiefs, whoever they be, wherever they be, for they are failing spectacularly to secure and protect the future with the exercise of intelligent lead, which the public might be expecting them to be supplying to media for the puppets in Parliament to present as democratic policies.

          * Isn't that something similar to what Uncle Sam did in Afghanistan just before the Russians left and in Ulster too, whenever they were funding terrorism and the dirty war with donations there also? Some special relationship, eh?

          Yes … it's a mad, mad, mad, mad world in deed, indeed, but who needs fools at the levers of control, other than other fools hell bent on their own destruction? Certainly no one sane is going to accept such nonsense as a reality to be supported and supplied with Great Game Changing Novel Technology/AIMethodology/NEUKlearer HyperRadioProActive IT, are they? Casting pearls before swine never produced anything worthwhile.

  5. Anonymous Coward

    It's hackers that are the problem.

    Stick a knife in your chest then. I'm glad the correct words "attack" and "attacker" were used towards the end.

    TO THE REGISTER EDITORS:

    Please keep it real. Every one of your authors and editors should know the meaning of "hack" and "hacker". If not, please quit your job and go work for Disney. I hear it's pretty nice over there.

    1. Michael Wojcik Silver badge

      Re: It's hackers that are the problem.

      Door closed, horse long gone.

      How about we pick a battle we might win, like telling people to stop pronouncing "jejune" as if it were a French word?

  6. Anonymous Coward

    Hunting the wolves?

    The problem here is that it is illegal to do in most western countries.

    You need to jump through too many hoops to get the police/FBI <fill in your favourite law enforcement agency> to do anything.

    Also a lot of website hacks are due to sloppy coding (either by internal developers or a contractor).

    I've learned to not trust a single bit coming from a browser; all data needs to be checked for range, unwanted characters (which may allow SQL injection) etc. before doing any processing. There are tried and tested methods to ensure that a session is not hijacked.

  7. Pete 2 Silver badge

    Knowing everything about nothing

    > Everything is going to be known about you

    What a load of self-important cobblers.

    Having a few snippets of information about when someone using my CC last bought some teabags online, or whether I sent my aunt an email on her birthday means nothing. Even if these sorts of items can be linked back to an individual - so what? It tells people nothing about what I want, my goals, desires or fears.

    At best it just presents some slightly-less-than-irrelevant information for my ad-blocker to ignore and sends a few irrelevant emails to a spam-dump email address - never to be seen by anyone.

    This "knowing everything" meme is the same as stating that white noise contains all the answers to all the questions in the universe. It may well be true, but the cost of sifting through it all to find those answers is extremely high - much higher than the value that results. Plus, like white noise, there is no guarantee that what seems like the correct answer (gleaned from an online transaction 10 or 20 years ago - and yes, I have some from 1993) is either still relevant or has made the correct inferences.

    1. Anonymous Coward

      Re: Knowing everything about nothing

      Very naive indeed. Google can predict what the average net user will do the next day. Based on that the powers that be can make a nasty reception party happen. If they deem this necessary, based on your disobedient (but probably perfectly legal) behaviour.

  8. Anonymous Coward

    Problem Is Much Deeper: Corruption Of Mind

    The "leadership" of the western world has convinced itself that Money Trumps Everything. That means:

    * we "need" Acrobat Reader installed on each and every PC, to "read business literature and MAKE MONEY"

    * we "need" Adobe Flash Player installed on each and every PC (see RSA "Security" (nice joke, isn't it?)), to "view business video clips and MAKE MONEY"

    * we "need" MS Office installed on each and every PC (see RSA "Security") to "write business documents and MAKE MONEY"

    * we "need" to run Windows on each and every PC, because "our customers run Windows, too. They have THE MONEY"

    * we "have no money" for serious security efforts in bespoke systems

    * we the leaders "have no time to look into technology issues and discuss them with experts", as we "need to care about MONEY"

    Very much the same can be said about the banking industry, which bribes the hell out of politicos so that they "have to count the MONEY; have no time to lock down finance".

    In short - the western world is terminally corrupt and nothing will save us short of something which will bring fidelity and rationality back. It usually takes a rather authoritarian journey to eradicate excessive corruption. Grab a history book and find out the Anglos had this kind of thing too, before you cry "mother of democracies".

    1. garbo

      Re: Problem Is Much Deeper: Corruption Of Mind

      I guess it was a smart move, my leaving the West and heading to the East all those years ago.

  9. Anonymous Coward

    No they don't

    "Every click you make on the web is already being tracked. "Right now, Amazon and Google know everything about everything you do, and the ads that pop up are all related to stuff that you have been looking at or you thought about," House said. "They already know about you".

    Never seen those ads popping up. The best they can do is show ads in my native tongue.

  10. garbo

    Another Lost in Space loon

    ICBMs and atomic bombs vaporising your city are nothing compared to a hacker stealing your Facebook (eg) password. After a nuclear attack he won't need cyber protection.

  11. Anonymous Coward

    "Every click you make on the web is already being tracked. "Right now, Amazon and Google know everything about everything you do, and the ads that pop up are all related to stuff that you have been looking at or you thought about," House said. "They already know about you.""

    Not everything, and not everyone is a pleb. Some people can and do protect privacy (where possible).
