IP: DoJ security handwave - "The hackers are coming! The hackers are coming!"

[Dave Farber <farber () cis upenn edu>]

Date: Tue, 19 Jan 1999 18:28:40 -0800
From: mech () eff org (Stanton McCandlish)


I find this ironic in light of the clear message our DES Cracker victory
just sent - again - to the DoJ/FBI.

http://www.wired.com/news/news/technology/story/10605.html


<begin excerpt>

US Attorney General Janet Reno unveiled a program today to establish a new
command center to fight "cyber attacks" against the nation's critical
computer networks. The $64 million center would reportedly unify existing
federal computer security efforts to investigate computer penetrations of
banks, the military, and other core systems.

But computer security experts sharply criticized Reno's plan as
short-sighted, noting that she is deflecting responsibility for a very
serious situation away from software vendors and the widespread lack of
education about basic computer security safeguards.

[...]

"Perhaps this is a con game," said Peter Neumann, principal scientist with
the computer science lab of SRI International, a research and consulting
company.

"You put out a system with miserable protection and hope that someone
breaks it" Neumann said. "Then you can ask for millions of dollars more to
perform further palliative protections, rather than getting to the core of
the problem - significantly ratcheting up the security of the
infrastructure."

[...which would require yielding to industry pressure on the crypto front...]

Neumann linked the Justice Department's current concerns on cybercrime to
the government's ongoing efforts to implement mandated "key recovery."
Under that scheme, law enforcement would be given access to the secret keys
that would decrypt encrypted information online. Federal officials have
promised that such keys, potentially worth hundreds of millions of dollars,
would be stored in secure facilities.

"The real irony of all this is that we are being told that there are no
undue risks in key-recovery crypto systems," Neumann said.

"If our infrastructure is this bad, how can anyone hope to protect what is
perhaps most critical, namely, the crypto keys!" he said.

[end excerpts.]

The article also recounts that the main focus of the DoJ effort will be to
simply track down the crackers (or try to).  Operation Sundevil II, anyone?


A related article at
http://www.wired.com/news/news/politics/story/15643.html continues:

[begin excerpts]

[...] National Infrastructure Protection Center. NIPC is designed to fend
off threats to the nation's banks, transportation networks, power and water
resources -- and [...] military networks.

By employing the collective muscle of several  intelligence and law
enforcement agencies, NIPC (pronounced "nip-see") can conduct
investigations that would normally be beyond the scope of a single agency.

[...]

Security experts warn that there is a clear distinction between kids that
crack Web sites for fun and cyber terrorists trying to cause serious
damage. But for Michael Vatis, an associate director of the FBI who's
serving as NIPC's director, the distinction is irrelevant.

[....]

Vatis would not comment on any case under investigation by NIPC. Chameleon
[a teenage hacker suspect] wasn't as reticient, however. In his account on
the computer security site AntiOnline, he said that the FBI had been
watching his house, tapping his phone, and monitoring his Internet
connections for months.

[...]

When fully staffed, NIPC will employ 125 at the FBI headquarters in
Washington, and another 300 to 400 around the country. The center will also
run a multimillion dollar computer system that will house a massive
national infrastructure security database.

[...now for the ironic part...]

The center will also serve as the nation's security adviser, instructing
both government and private institutions on security and software
purchases, according to Vatis.

[... we now return you to the scary stuff...]

"We need to be able to communicate in real time with other agencies and we
need to be capable of sophisticated analysis and display of information,"

[...]

In practice, [their e-forensics] process would involve installing
surveillance sensors on high-profile Web sites that are commonly targeted
by crackers. That information could be stored and later analyzed.

[...]

But [one hacker/security consultant] accuses Washington of indulging in
unwarranted hysteria. "There are two [Internet] buzzwords in government
right now: pedophile and terrorist.

"And any law or any measure taken against these two groups seems be
condoned by the public," he said. "It's the '90s equivalent of McCarthy's
stand against communism. We need to distinguish between hackers and cyber
terrorists."

[End excerpts]

Let the witch hunts begin.



--
Stanton McCandlish      mech () eff org       http://www.eff.org/~mech
Program Director, Electronic Frontier Foundation
voice: +1 415 436 9333 x105   fax: +1 415 436 9333   ICQ: 16631335
PGPfone: 204.253.162.21  ICQ Pager: http://wwp.mirabilis.com/16631335#pager