Talk:Lecture 13

From CyberSecurity
Revision as of 16:37, 25 November 2005 by Ekr (talk | contribs) (High value vulnerabilities v. Low value)


Discovering our Weaknesses (not really lecture-related)

--Gorchard 00:41, 24 November 2005 (PST) - I had an interesting thought while watching the PBS "Cyber-War" program that someone linked to back in the discussion page of lecture 5 or so. The cyber attack that we want to avoid at all costs is a terrorist attack aimed at taking down power grids, communications, or other critical infrastructure. So perhaps non-terrorist cyber attacks of recent years, especially those created 'just for fun', have actually benefitted us more than they've harmed us. They have alerted us to the extreme vulnerabilities in computers on the internet and the possible damage that could be done...and in response we've become much more aware and started to design systems and implement measures to make such attacks more difficult. One argument against that might be that those attacks have also alerted terrorists to the attack opportunities available via the internet, but I feel there is a 'bright side' to attacks and viruses of recent years that might be overlooked.

High value vulnerabilities v. Low value

Chris Fleizach - One issue that wasn't discussed by Eric Rescorla is classifying vulnerabilities between critical and low priority. His research showed very little in terms of a trend in reducing the number of overall vulnerabilities, but how many of those vulnerabilities were major issues? For example, when the next buffer overflow in CUPS (a printing server) is found in RedHat that allows a user to perform a DoS on printing services, does it affect that many people? Maybe no one noticed it before because no one really cares that much except the security researchers looking to increase the number of vulnerabilities they find.

Another point that was brought up briefly questions whether, if the total number of investigators is increasing, it also points to an increase in vulnerabilities found over some longer time span. His model assumes an infinite number of possible vulnerabilities, which would mean the number of vulnerabilities found should be going up as more researchers enter the field. But, if the number of researchers is going up and the number of bugs found is at a constant rate (or going down), then it seems like the quality of software might be improving.


Eric Rescorla - Good questions. WRT the question of the severity of vulnerabilities, you do get similar results if you look at just the vulnerabilities that ICAT rated as severe, though it's not clear how much those ratings tell you, of course. The question about the number of researchers in the field is a good one and one we have no good way to control for. On the other hand, we don't really know what the shape of that curve looks like and it's confounded by the amount of attention the researchers pay to any individual piece of software.

Dirty Bombs

Sean West (2nd Year MPP/GSPP): One of the most interesting questions in homeland security today is that of the dirty bomb/radiological dispersal device. Most recently, we have heard of the threat of dirty bombs by Jose Padilla, accused of plotting to detonate an RDD in Chicago--only to be reclassified by the Bush Administration as a criminal rather than an enemy combatant in the last week. But the case of the dirty bomb raises a lot of questions about just how much more damaging one would be than a conventional bomb. Surely, we should fear any type of bomb or attack on our society, but in people's minds there seems to be a dichotomy between conventional attacks and what are generally referred to as "weapons of mass destruction." But just as Prof Ackerman described in a previous lecture, dirty bombs are more a weapon of mass disruption than one of destruction. Graham Allison makes a similar point in Nuclear Terrorism, yet society at large remains much more fearful of an RDD than a conventional attack. While I do not wish to argue that we should not fear an RDD, or that the threat of radiation spreading post-attack to first responders isn't a major issue, I am wondering how we should reflect this understanding of the true limits of damage of an RDD in our homeland security policy. Should we treat it like a "Conventional AttackPlus" or should we continue to place it alongside WMD? How much should anticipation of public panic even in light of limited damage inform our policy?