October 14, 2005

Roundup on News

In the developing story of the "Cuthbert case" the ripples continue to spread as security experts dissect the result. Curiously, it hasn't hit the mainstream much, probably because the popular press can't work out what the fuss is about, but the blogs seem to have it. Adam points at Samizdata.net Diana Quaver, who has followed and documented the case in much more detail. Also dropsafe has a nice roundup. Here's one article from ZDNet:

"Nobody thought he was doing anything significant or malicious, and there was a strong argument that the police should have given him a slap on the wrists and not prosecuted," said Sommer, senior research fellow at the London School of Economics' Information Systems Integrity Group.

Sort of. More usefully, what we are not confident about is that we can describe in terms that users will understand and that matches the web's ethos just what is "unauthorised" and what is not. We've now got a good theory as to what BT thought was unauthorised - but it isn't a theory that makes any sense to the user or the web, nor is it a theory promulgated much further than the minds of corporate security experts.

In terms of a trespassing analogue, there is no sign, no fence, and BT prosecuted the trespasser on the basis of finding his wallet dropped inside the facility. As the owner admitted to being inside, this was considered good enough for a criminal conviction - but it isn't good enough for trespassing!

This is a complete mess. I'd suggest not going anywhere near the DEC / BT.donate.com site to donate; or indeed anywhere near BT until they explain in terms understandable to users just what the difference between their website and the RFC is.

Read on for more news!

It's official: we now have a duopoly in CPUs as AMD has reached 50% of one particular market. This was a classic story that I picked when I realised that Intel had broken the golden rule that had established its hegemony - and started on the fatal journey to design another chip that wasn't Intel-compatible. AMD saw it too and went the other route of Intel-compatible-and-64 bits and won. By the time Intel had realised their mistake it was too late, and thanks to their mistake we all win with cheaper chips and more aggressive progress. Now if only Steve Ballmer would get distracted on ... dunno, how about DRM?

Interesting post about side-channel attacks on games software: a timing difference gave a player a way to clean up. Also, a curious finding for ISPs - DDoS is the #1 hassle:

Over 90 percent of ISPs surveyed cited simple "brute force" TCP SYN and UDP datagram DDoS floods from zombie PC networks as their biggest day-to-day hassle, a finding which should apply equally to their corporate clients. This puts DDoS ahead of more recent attack types such as fast-spreading worms and DNS poisoning, which were ranked second and third respectively, in terms of prevalence. Even then, worm attacks were often most hazardous in terms of their original effect on traffic. "The primary threat from worms is not the payloads but the network congestion they cause," the report noted.

Surprisingly, given the prevalence of this type of attack in recent years, only 29 percent of ISPs offered services to counter and trace DDoS in an automated way at the ISP level. The majority only discovered such events when a customer contacted them for help. The main means of defending against DDoS remains the use of Access Control Lists (ACLs), but these come with the downside of shutting off network access. The DDoS attack is stopped but only by replicating much the same effect as the original traffic blocking.

The reported motivations for DDoS attacks cluster around issues such as cyber-extortion, electronic protests against companies, and even corporate espionage. Few, if any, of such attacks are reported to result in criminal action against the instigator, which could account for its continued popularity.

Nice the way they characterise it as a "hassle" and ignore the actual damage done to the target, which is presumably under some extortion play.

A very nice piece of Open Governance; eBay shareholders go through the annual report and talk about the stated risks there. Some good stuff on Paypal woes for payment systems people.

And finally a welcome sounding of the alarm: CIOs and vendors are complicit.

Those who've read my draft on silver bullets will know what this is about, but it is good to see someone else looking at the problem. Here's what Ed Lazowska (who holds the Bill & Melinda Gates Chair in Computer Science & Engineering at the University of Washington !!!) says:

Q: Some of the problems, such as software not being designed with security in mind, indicate that CIOs are somehow complicit. In your opinion, are CIOs victims or are they part of the problem?

A: The answer surely is both. CIOs are partially responsible for the insecure state of today's operating systems, because they failed to see the handwriting on the wall and prioritize security. Vendors produce what we are willing to purchase. CIOs are largely responsible for the failure of their organizations to operate at the current state of the art with respect to cybersecurity, and very few organizations operate at the current state of the art.

Now, the problem is that you can't suddenly decide that you want something like security and expect to be able to buy it, because the technology doesn't necessarily exist. Almost no IT company looks ahead more than one or two product cycles. And historically in IT, those ideas come from research programs that the federal government underwrites. Just think about e-commerce: You need the Internet, Web browsers, encryption for secure credit card transactions and a high-performance database for back-end systems. The ideas that underlie all of these can trace their roots to federally funded R&D programs.

That's how this relates to the R&D agenda. Long-range R&D has always been the role of the national government. And the trend, despite repeated denials from the White House to the Department of Defense, has decreased funding for R&D. And of the R&D that does get funded, more and more of it is on the development side as opposed to longer-range research, which is where the big payoffs are in the long term. That's a more fundamental problem that CIOs aren't responsible for.

I do not agree with the second part of his answer, but left it in for contrast!

Posted by iang at October 14, 2005 02:19 PM | TrackBack