I heard an extremely interesting radio program on NPR. Terry Gross on Fresh Air interviewed Richard Clarke (former Counter Terrorism Adviser to both Presidents Clinton and Bush) about his new book Cyber War: The Next Threat to National Security and What to Do About It.

It was eye opening. We worry about hackers, spammers and crooks. But the real hard core threat is from military and security agencies of national governments. He gave real examples that have already happened that I was unaware of. He then laid out real physical threats that can be brought about over the internet by breaking into and taking control of computer control systems.

Anyone else hear this interview? Read his book?

It seems we are at the mercy of the spread of microsoft and bad security practices "out there." What can we do about it? Anything?

Comments?

What can you do about it ? Well, you can wake up, that's one thing you can do.

I don't see what this has to do with Linux security tho...

Haven't read the book (you can user Harper Collins browseinside to get an idea BTW) but have read some articles over the years.


We recently had a discussion on LQ about threats baked-in in HW and such. As in attack spectrum. In a recent article I read by Wesley Clark at the end he suggests that one of the basic problems stems from past unification (be it management, cost-based or otherwise) and that re-introduction of diversification would help make the infrastructure more resilient, stronger. (BTW I think that introducing mcrsft, or posts speaking of reveille for that matter, into a or any discussion is too easy and will only serve to detract from the main topic.)

One thing I find really messed up is how much foreign-manufactured hardware governments (and private entities responsible for certain critical infrastructure) use. While I won't claim that hardware can't be backdoored/trojanized when manufactured at home, I think it does make production easier to oversee effectively.

As for software, my gut tells me we'd be safer if we increased investment in the human resource necessary to develop most of it in-house (based on F/OSS whenever feasible). At the very least, I think all software used by the government should be open source (even if it's not free), so that it can be meticulously scrutinized.

NOTE: I haven't read the book (but I did stay at a Holiday Inn Express last night).

I agree. And it is unfortunate.

However, it is also frustrating when there is a huge event in the news about a virus or worm taking down huge numbers of machines and causing chaos in corporate environments, and no one, not one single reporter, identifies it as a Windows virus or worm. They just talk generically about computers on the internet, so the average person is lead to believe that it affects all computers and continues buying into the Windows marketing.

Yesterday, I was walking down the hall at work, and I had a bunch of people accost me in the hallway exclaiming that their Windows machines had been hosed by the McAfee update and they were desperate for help. I referred them to the full time Windows support guy we have for just those sorts of reasons, but he was overloaded.

So, it was gratifying to hear someone of the stature of Richard Clarke express a professional judgment that Windows had no business anywhere near an internet facing command or control system. And he wasn't just talking military, he was talking business and industry.

As Unix and Linux admins and users living in this environment, we have responsibility to maintain our own systems. But, I think we also have a responsibility to speak out appropriately when these events occur, and say things like, "Yes, that's a Windows virus" and, perhaps, "those kinds of things are far less frequent on Linux/Unix/Mac systems." In yesterdays case, tens of thousands of Windows PCs were taken down by the very thing that was supposed to be protecting them.

I might also note that the clock on the McAfee system that distributes the update notifications is off by about half an hour. You can see it by looking at the full headers and comparing the receipt time on your mail server (you get it half an hour before it was sent ). Now that's really reassuring.

Anyway, I'm actually serious in asking what sorts of things we can do and looking for other people's thoughts.

FWIW, Threat Level has posted a review of the book.

1 members found this post helpful.

Thanks, I very much agree with that review. This guy is a nutcase, if there ever was one. He's pushing this cyber war BS, because he has his own agenda. He want's a anti-cyber-terrorism squad with the right to hack people's computers in the name of national security. That's all he wants, well maybe not him specifically, but that is what is wanted by the rulers.

hmm. That is a pretty damning review. According to that review, Clarke is guilty of hyperbole and insufficient rigor and fact checking. But I don't think he's any more of a nut case than the conspiracy theorists who attribute hidden agendas to him.

Checking http://en.wikipedia.org/wiki/Richard_A._Clarke, he was part of the Reagan, Bush Sr., Clinton, and Bush Jr. administrations, but left the government in 2003. He's now Chairman of a company that deals in strategic planning and corporate risk management. Based on that, I would suggest that the more likely explanation for his hyperbole is that he has the typical conflict of interest of so many in the corporate world. He want's to make money, and he get's his money from corporations that are worried about risks. Stoke up that fear of risks and he has more opportunities to make money.

The review did also say that some of the threats are real. So rather than worry about foreign agents remotely torching our copier, or some imagined conspiracy behind such hyperbole, perhaps we should pay attention to the risks that are real.