Difference between revisions of "Talk:Lecture 7"

From CyberSecurity

Revision as of 16:38, 13 October 2005

SCADA Systems, Al Qaeda & Cyberterrorism

--Jeff Bilger - Dr. Lazowska briefly mentioned SCADA systems during tonight's lecture. Back in April of 2003, the PBS documentary program Frontline aired a program titled Cyber War! that highlighted the vulnerability of our power grid due to SCADA systems. It's a bit theatrical, but worth a watch since it touches on all the topics we have discussed in class so far.

Also, it would be interesting to know if anything has been done since 2003 to further secure these SCADA systems from attack.

PITAC to PCAST, but where's the action on reports?

Avichal 23:25, 12 October 2005 (PDT) PITAC's charter was allowed to expire on June 1, 2005. On Sep 30, 2005 it was revived in a way by extending the charter of PCAST to also cover network and information technology [1].

In my opinion that dilutes the focus that could be and was achieved on the role of Information Technology by the PITAC committee, which was solely focusing on IT. The opposing argument is that PCAST will be able to address IT in a more holistic fashion. Regardless, the basic problem is the lack of action on the reports that are generated by these committees.

Be it the 9/11 report or various PITAC reports, the administration owes it to the public to implement suggested measures as is practical, and update the public routinely on its progress. It's high time the administration followed its rhetoric with some action and did more about homeland & cybersecurity than ratcheting up and down the threat level on a colored scale.

It's also interesting to note that Kvamme (Co-Chair PCAST) notes his first priority would be to examine the progress of IT R&D at the federal level [2] - an area for which the PITAC reports have shown the government to be performing egregiously.

CyberSecurity Progress

Chris Fleizach It was interesting to note that Dr. Lazowska and his committee came to the conclusion the federal government needed to lead research in security measures because private industry couldn't provide the funding or the vision. Yet, Phil Venables followed immediately after and presented a holistic approach to Goldman Sachs' security system that would certainly rival any governmental agency, with multiple layers of protection, constant network scanning, mock attacks on a regular basis and a slew of contingency strategies that would certainly make PITAC proud. He even mentioned that they did spend some time thinking about issues five to ten years down the road. The main difference from what Dr. Lazowska was trying to aim for is that this research from Goldman Sachs is probably protected and not available to the general public, so what happens is a re-inventing of the wheel at each organization. But then Kirk Bailey and Ernie Hayden mentioned that their most useful system was the "Agora" team, circumventing public and formal discussion for quick, informal aid. I think we can safely assume that the government will not change its stance on science and basic research for the next three years, so perhaps we have seen the past, present and future of cyber security research - security implementation and research driven by companies motivated by economic realities and diffused through informal channels. Was it ever any different?

Jameel Alsalam To be fair, I think that Dr. Lazowska's point was addressing not so much the implementation of security measures in the corporate world, but basic R&D in the production of new security products, or more secure IT products. From Phil Venables's talk, it sounds like Goldman-Sachs is doing a magnificent job in implementing the best technologies that it can as well as putting in a number of structures that support its security - this implementation is a major factor in actually achieving security, and that task is so complex that a 5-year plan is actually needed just to manage the implementation! This is separate, however, from long-term research on the products themselves.

Is Secrecy Really That Important?

--Gmusick 08:47, 13 October 2005 (PDT) As noted by one of my classmates during the lecture, there is a paradox in the security community where they want highly-trained security experts yet they don't really discuss security in public in a substantial way so people can learn about it. This points to an even deeper problem where our public officials continually classify reports about the state of security at public facilities.

I can't remember if it was Kirk or Ernie that made a dismissive comment about there being no FOIAs (short for Freedom of Information Act requests) at the Agora meetings, but as a former journalist and a current security student, this really bugged me. Public officials always complain about underfunding of security initiatives but they rarely tell you exactly why they need the money...they just say "trust me". How are we, the public, supposed to know what is truly important and what is not when highly political decisions are made in near total secrecy based on "classified" information that could say anything from we will suffer a nuclear attack in our harbor next week to the moon is made of cheese?

And an irony of the situation is that I've heard over and over again, at least in computer science, that hiding and obfuscation are some of the least effective ways to secure your systems. Sounds like a topic for a paper, no?

Jameel Alsalam But hiding and obfuscation are the cheapest form of security, also... I agree with you that it makes no sense for government agencies to rely on cyber-criminals not realizing the weaknesses that exist - but given that I do not really trust the numerous government agencies to be able to quickly respond to exposed weaknesses, I am a bit leery of publicizing them too broadly (which I think that some people see as a way to spur a reaction to those threats).

On the Agora meetings, and FOIA not applying to them - it wasn't the nicest way for it to be put since we like our governments to not have to hide too much from us, but from the little that I have had a chance to observe bureaucratic systems - when they have a lot of scrutiny, I do not think that those systems become more effective - if anything the bureaucracy springs into action spending all its time defending itself from scrutiny. Which is certainly not how we want security professionals in our governments spending their time.