Talk:Lecture 13
Contents
--Gorchard 00:41, 24 November 2005 (PST) - I had an interesting thought while watching the PBS "Cyber-War" program that someone linked to back in the discussion page of lecture 5 or so. The cyber attack that we want to avoid at all costs is a terrorist attack aimed at taking down power grids, communications, or other critical infrastructure. So perhaps non-terrorist cyber attacks of recent years, especially those created 'just for fun', have actually benefitted us more than they've harmed us. They have alerted us to the extreme vulnerabilities in computers on the internet and the possible damage that could be done...and in response we've become much more aware and started to design systems and implement measures to make such attacks more difficult. One argument against that might be that those attacks have also alerted terrorists to the attack opportunities available via the internet, but I feel there is a 'bright side' to attacks and viruses of recent years that might be overlooked.
High value vulnerabilities v. Low value
Chris Fleizach - One issue that wasn't discussed by Eric Rescorla is classifying vulnerabilities between critical and low priority. His research showed very little in terms of a trend in reducing the number of overall vulnerabilities, but how many of those vulnerabilties were major issues? For example, when next buffer overflow in CUPS (a printing server) is found in RedHat that allows a user to perform a DoS on printing services, does it affect that many people? Maybe no one noticed it before because no one really cares that much except the security researchers looking to increase the number of vulnerabilities they find.
Another point that was brought up briefly questions if the total number of investigators is increasing does it also point to an increase in vulnerabilities found over some longer time span. His model assumes an infinite number of possible vulnerabilities, which would mean the number of vulnerabilities found should be going up as more researchers enter the field. But, if the number of researchers is going up and the number of bugs found is at a constant rate (or going down), then it seems like the quality of software might be improving.
Eric Rescorla - Good questions. WRT to the question of the severity of vulnerabilities, you do get similar results if you look at just the vulnerabilities that ICAT rated as severe, though it's not clear how much those ratings tell you, of course. The question about the number of researchers in the field is a good one and one we have no good way to control for. On the other hand, we don't really know what the shape of that curve looks like and it's confounded by the amount of attention the researchers pay to any individual piece of software.
Dirty Bombs
Sean West (2nd Year MPP/GSPP): One of the most interesting questions in homeland security today is that of the dirty bomb/radiological dispersal device. Most recently, we have heard of the threat of dirty bombs by Jose Padilla, accused of plotting to detonate an RDD in Chicago--only to be reclassified by the Bush Administration as a criminal rather than an enemy combatant in the last week. But the case of the dirty bomb raises a lot of questions about just how much more damaging one would be than a conventional bomb. Surely, we should fear any type of bomb or attack on our society, but in people's minds there seems to be a dichotomy between conventional attacks and what are generally referred to as "weapons of mass destruction." But just as Prof Ackerman described in a previous lecture, dirty bombs are more a weapon of mass disruption than one of destruction. Graham Allision makes a similar point in Italic textNuclear TerrorismItalic text, yet society at large remains much more fearful of an RDD than a conventional attack. While I do not wish to argue that we should not fear an RDD, or that the threat of radiation spreading post-attack to first responders isn't a major issue, I am wondering how we should reflect this understanding of the true limits of damage of an RDD in our homeland security policy. Should we treat it like a "Conventional AttackPlus" or should we continue to place it alongside WMD? How much should anticipation of public panic even in light of limited damage inform our policy?
Lecture 13 Comments and Questions ...
Professor Maurer, this may have been implied by your lecture but how much do you think the Cold War situation effected the public's attitude towards nuclear energy? It seems likely to me that the baby boomers having to do duck and cover drills and live through the Cuban Missile Crisis must have really added to a negative perception of nuclear energy and radioactive substance generally.
Professor Maurer, as a former litigator, what is your stance on tort reform? You seemed to suggest that plaintiff’s attorneys play a large role in maintaining the public's negative perception of nuclear energy.
I understand that FEMA primarily handles natural disasters. However, if there was a dirty bomb attack would they be tasked with the cleanup? If not, which agency would be? If so, and the Dept of Homeland Security believes that a radiological device is a real threat, we may all be in a bit of trouble since I understand that FEMA is undergoing huge budget cuts and is actually being downgraded, organizationally speaking, within the Dept of Homeland Security to more of an office than an agency.
Professor Maurer, you seemed to be pretty excited about benchmarking and metal models insofar as they might improve communication on the true dangers associated with nuclear energy. From what I understand, the new Energy Bill and the current leadership at the Dept of Energy are pushing nuclear energy -- has DOE been at the fore of developing/implementing such a PR campaign based on benchmarking and mental modeling? If so, do you have any examples?
Professor Maurer, when you mentioned that torture may have helped prevent the Philippines airliner attacks, were you referring to Bojinka or some other plot?
One of the students mentioned Israel and the Landau Commission, with respect to establishing limits on torture; can someone provide a bit more information on the Commission?
One of the students also commented on the notion of symmetry/symmetrical enforcement concerning the Geneva Conventions, according to Professor John Yoo who authored many of the memos upon which the Bush administration developed their policies on interrogation techniques, that is the precise reason why enemy combatants should not find protection under the Conventions. That is, because they are not, by definition, tied to any state, there is no way to ensure that they will reciprocate treatment.
Also, with respect to how far is too far, what are peoples' thoughts on the photos from Abu Ghraib. Personally, I am not so sure that using dogs to frighten people is over the line. With regard to humiliation, Professor Maurer, that came in rather high on your list of what was too far; to me humiliation seems acceptable -- were you classifying it in some specific form or not?
With regard to the White House's, and especially VP Cheney's refusal to back interrogation reform and set concrete limits, from a pure international political sense, would it not benefit the US to form such boundaries and then, if need be, simply break them later. I mean, we are signatories to the UN Charter but that hasn't stopped us from using force in a manner that doesn't always coincide with it. Politically, I don't see how the country goes wrong by instituting, or claiming to, such regulations if it, in reality, can always pull away from them later. Any thoughts?
Concerning interrogation techniques, what is wrong with setting broad boundaries and leaving wide discretion to those responsible for interrogation -- sort of like any authorizing statute/administrative agency relationship. It's not clear to me that anything was wrong with what has existed previously. If people go over the line, they should be held responsible under the law but I would think, it makes sense to leave a fair amount of discretion to those few professionals who have the requisite knowledge to make informed decisions about the subject and not judges or legislators.
Just as a reflection on Mr. Rescorla's point about black hats using old exploits to spread menace, I received two emails in the last couple of days, supposedly from the FBI, with an attached zip program. Looking online to see what this things does, it turns out that it uses your own computers zip capability, which you have to initiate to zip your files and send the bundle off to whomever sent the email. To me, this seems rather old school.
Mr. Rescorla also picked backed up a point that I tried to make on the wiki last week, that is that to the general public, so long as their individual system isn't impacted in a way that interferes with there use, they don't seems to care. As such, it seems ill-advised to spend so much on cyber security (apart from those systems that really contain sensitive information) if 1) there is no evidence that it is solving the problem 2) there isn't widespread public demand; unless, as was pointed out, marketing is a significant motive.
