<hand up waving> OOOH! OOOH! PICK ME!
|earlier intrusions into the country's electrical grid. |
How this happens baffles me beyond all belief.
Haven't they heard of firewalls?
Order Deny,Allow
Deny from all
Allow from <authorized IPs only>
I mean seriously...
With that meager amount of protection, you then have to first hack into one of the machines at the authorized IPs, assuming you know who's authorized in the first place!
If the government is serious about cyber security, the best thing they could possibly do is put some open-source software out in the field for everyone to use, including on our servers and PCs, to detect problem sources and coordinate automatic firewall defenses that block the sources of the activity and halt the spread of botnets.
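As an added illustration, not code from the post above or from the Apache project: a small Python model of how Apache 2.2 evaluates the Order / Deny from / Allow from directives, so the allow-list in the post can be checked against sample clients. The IP addresses are constructed sample values from the RFC 5737 documentation ranges, and the helper names (evaluate_access, render_htaccess) are this example's own.

```python
"""
Model of Apache 2.2 host-based access control (Order / Deny from / Allow from).

Added example for the .htaccess allow-list in the post above; not code from
the forum post or from the Apache project. Addresses are constructed
sample values (RFC 5737 documentation ranges).
"""
import ipaddress


def _rule_matches(rule, client):
    """True if one 'Deny from' / 'Allow from' argument covers client.

    Supports 'all', a full address, a CIDR block, and Apache's partial
    dotted-decimal prefix form (e.g. '203.0' meaning 203.0.0.0/16).
    """
    if rule == "all":
        return True
    if "/" in rule:
        return client in ipaddress.ip_network(rule, strict=False)
    try:
        return client == ipaddress.ip_address(rule)
    except ValueError:
        # Partial IPv4 prefix such as "203.0" -> 203.0.0.0/16
        octets = rule.split(".")
        if not 1 <= len(octets) <= 3 or not all(o.isdigit() for o in octets):
            raise ValueError(f"unsupported rule: {rule!r}")
        network = ".".join(octets + ["0"] * (4 - len(octets)))
        return client in ipaddress.ip_network(f"{network}/{8 * len(octets)}")


def evaluate_access(order, deny_from, allow_from, client_ip):
    """Return True if client_ip is granted access.

    Apache 2.2 semantics:
      Order Deny,Allow: Deny rules are evaluated, then Allow rules; a host
                        matching an Allow, or matching nothing, is let in.
      Order Allow,Deny: Allow rules first, then Deny rules; a host matching
                        a Deny, or matching nothing, is refused.
    """
    client = ipaddress.ip_address(client_ip)
    denied = any(_rule_matches(r, client) for r in deny_from)
    allowed = any(_rule_matches(r, client) for r in allow_from)
    if order == "Deny,Allow":
        return allowed or not denied
    if order == "Allow,Deny":
        return allowed and not denied
    raise ValueError(f"unknown Order: {order!r}")


def render_htaccess(order, deny_from, allow_from):
    """Render the equivalent Apache 2.2 directives for side-by-side comparison."""
    lines = [f"Order {order}"]
    lines += [f"Deny from {r}" for r in deny_from]
    lines += [f"Allow from {r}" for r in allow_from]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed allow-list: one office block and one admin host.
    AUTHORIZED = ["203.0.113.0/24", "198.51.100.7"]
    print(render_htaccess("Deny,Allow", ["all"], AUTHORIZED))
    for client in ["203.0.113.9", "198.51.100.7", "192.0.2.44"]:
        ok = evaluate_access("Deny,Allow", ["all"], AUTHORIZED, client)
        print(f"{client:>15}: {'allowed' if ok else 'denied'}")
    # Caveat: without 'Deny from all', Order Deny,Allow lets an unknown host in.
    print(evaluate_access("Deny,Allow", [], AUTHORIZED, "192.0.2.44"))  # True
```

The point worth checking with the model is the one the post relies on: under Order Deny,Allow a host that matches neither list is allowed, so the Deny from all line is what turns the snippet into an allow-list; leave it out and the Allow lines do nothing useful. Apache 2.4 replaced these directives with Require ip, where an unlisted host is refused by default.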
HOORAY FOR MORE GOVERNMENT!
"The more corrupt the state, the more numerous the laws." -- Tacitus
These new hires are not going to be making laws, they're hopefully going to be fixing the gaping holes in government network security -- and improving the ratio of useful workers to bureaucrats in that department as well, I'd wager.
My best friend works for the DOD in the computer crimes lab. He investigates intrusions into government networks. You wouldn't believe the incompetence of government IT people. 1,000 more morons isn't going to solve anything, just expand the payroll.
Incompetence and government employees?
Might we assume --at least initially-- that your friend at DOD is not a moron, and that DHS's new hires might not be morons either? -- The article did say they were going to hire experts, no?
To stay on topic, let's not take this thread in the direction of general government-bashing, but rather discuss what this might mean for government computer security, and possibly internet security as a whole -- There are going to be 2000 more eyeballs focused on cybercriminals, and ISPs are a lot less likely to ignore their reports/inquiries than those of individual Webmasters or small security firms.
|1,000 more morons isn't going to solve anything, just expand the payroll. |
let's not bash government I guess.
Parkinson's Law: The demand upon a resource tends to expand to match the supply of the resource. Sure, let's throw some bodies at a problem. (sarcasm)
Another Parkinson's law is that after a certain barrier, a bureaucratic organization becomes autonomous and creates work for itself regardless of what exactly it is doing. 1000 people has been brought up many times as that barrier. How and most importantly WHY would they hire competent people?...
The electrical grid stuff is a steaming joke. Just don't put an electrical grid on a public network. Or at least pay incrediBill $100/hr for 1 hour so he can run his firewall command.
They should just pay script kiddies a fee every time they hack somewhere and then another when they tell the goons how to close the hole. Whose networks exactly will they protect and who is going to pay?
|1,000 more morons isn't going to solve anything, just expand the payroll. |
Considering the private sector has many thousands of "morons" employed on the task of cyber security and they haven't been able to do anything except publish reports telling us how bad the problem is, as if we didn't already know, maybe it's time the government created a task force.
What could be the possible harm in adding some muscle to the problem, when the public sector is bogged down in rhetoric and overpriced high-end solutions available only to the biggest players, not the average webmaster with a server needing security?
I hope the focus stays on plugging the security holes and doesn't expand into creating new rules and laws against webmasters. This is how becoming self important starts.
1000 new hires can help; the trick will be to make sure all 1000 sincerely want to do a good job. 999/1000 isn't good enough because that 1 could wreak major havoc behind the scenes. I imagine hackers and spammers will also line up to try and get someone on the payroll...
|creating new rules and laws against webmasters |
More than likely it would be rules for ISPs since they're the first line of defense for quashing botnets and some are sluggish to respond to AUP violations, if at all.
Just imagine if they were able to twist a few arms into shutting down known bad servers within hours, not days. Blocking machines known to participate in botnets from accessing the web until they were fixed, and intercepting and disrupting the botnets' C&C (command and control) channels, leaving the botnets deaf, dumb and blind.
Good start IMO and it's possible to do most of that today, very little technology required, just a mandate to make it happen.
Before long I wouldn't be surprised if your computer has to prove it has a firewall and A/V running before being allowed on the web, just like needing proof of insurance to drive a car on the road.
The reason I look at it with a "well, there's more money wasted" view is I think an approach similar to Moncao's, where it's sort of an eat-what-you-kill type mentality, would be the most effective. Unfortunately, that's also pretty much the exact opposite philosophy of most public sector positions.
After having worked for a primarily government project consulting firm, the next government organization I see that has a top priority other than increasing and protecting their own budget and jobs will be the first.
|protecting their own budget and jobs will be the first |
Can't help but agree... few things I've seen done at the Federal level dealing with citizens/consumers accomplish anything except their own bureaucratic growth... such as the Department of Energy (1977, now with a budget of $24.2 B/yr), with generally dismal results. I hope the 1k experts actually do a job, not create another bureaucracy we can't afford!
What's with all the government bashing here? These 1,000 heads are greatly needed and if anything will benefit the private sector by accelerating some of the projects that are held up mostly because there aren't resources to make them happen on the infrastructure & security side. (speaking from experience)
It's also terribly naive to think it's as simple as an .htaccess. The security checklist and scanning is a lengthy process. I've done it on just some Oracle database clusters I built, and it was enough to drive any security-aware admin insane at just how fine-grained they control access and privileges.
However, what it comes down to is people power to respond to attacks, as well as people power to be proactive on threats - any and all of them.
So I'm glad to see 1k jobs opening up.
IMHO this is as little about defense as "Department Of Defense" usually is, or to put it directly: not at all. All of you seem to have forgotten the news from a few months ago that the Pentagon would embark on a new cyberwarfare strategy involving an attack force that could, i.e., shut down enemy infrastructure and/or communications (e.g. web sites that happen to post the wrong version of current events). So, these are tomorrow's cyber-terrorists - only, they get paid by the US taxpayer.
For internet security as a whole, as well as overall privacy, this is not a good thing at all. It should be seen in the context of the other massive privacy-infringing activities the various US secret services undertake, using monstrous databases, data-mining and surveillance at a very fine-grained level. A lot of knowledge about these programmes can be found in the open; it's no big secret. With this new army of hackers they may be able to steal the data that they are not given voluntarily.
Just my 2 cents.
|With this new army of hackers they may be able to steal the data that they are not given voluntarily. |
That scares me more than adding to the payroll. Where does it stop? If I write something about the problems I perceive with the government and they decide they don't like it they should have the right to intrude into my network and computers without a warrant? It's a pretty slippery slope.
The money needs to go to making the law catch up with the technology, hardening our existing networks, and motivating the employees we already have to do something other than play LAN games all day.
--- LAN games all day --
I thought it was good ol' chess at 11 and checkers at 3:30 (when the sig break is over) and some PowerBuilder & FoxPro 2.1 vs DotMatrix Print Drivers debugging as overtime....
claus, good point. We don't need another 2000 blogs / websites promoting Mainstream Media's point of view. And that would be a more likely way they are going to handle "security".
On the plus side, I DO see how hiring consultants (especially foreign consultants) is dangerous on the government level...we don't want to see NORAD stand down next time around...sorry not getting political. So if they indeed will hire quality personnel that will handle simple tasks ...it would be a boost. Now...if only they fired 1000 incompetent workers in exchange....