Interesting People mailing list archives
Re: Another way of making money using the net?
From: David Farber <dave () farber net>
Date: Sun, 20 Jan 2008 18:49:56 -0800
________________________________________ From: Eugene H. Spafford [spaf () mac com] Sent: Sunday, January 20, 2008 11:51 AM To: David Farber; ip Cc: Valdis Kletnieks Subject: Re: [IP] Re: Another way of making money using the net? On Jan 20, 2008, at 9:20 AM, Valdis.Kletnieks wrote:
Hackers literally turned out the lights in multiple cities after breakin=The most telling part of the article: "Donahue did not specify what countries were affected, when the outages occurred or how long the outages lasted." In other words, "trust us it happened, we won't give you anything verifiable, and you'll have to take our word that we're not fear-mongering.
I'll respond to this as an example of a class of replies, and not intended to single out Valdis. Why do people automatically distrust statements that are actually quite reasonable? Many of us who work in security know that SCADA is vulnerable. We also know that the criminal element is operating online basically unchecked. So why react as if this is some form of government manipulation? That Tom said as much as he did in the venue where he did is, in many senses, surprising for its openness. There are many reasons that more detail can't be given on various disclosures, and why some disclosures can't be made at all: * the methods used to get the information are "fragile" and if too much detail is given, the source can be traced and stopped. If the source is a person, this could mean the deaths of people. (Doubt that? There are many examples in the literature -- and look how quick some countries are to execute people for less minor incidents than espionage.) * the source of the information is a person or agency who is "friendly" and known, but if it were revealed in his or her home country that there was information sharing, the political ramifications would be significant. Maybe in the US too. This would damage or eliminate a useful channel of information. Sometimes the rhetoric of belligerence between governments is only that -- rhetoric for consumption at home, especially by the fanatics...or their leaders. (There are historical examples, and we'd be foolish to believe there aren't some current.) * the fact that a country was damaged in such a way, or extorted by mere criminals, would be embarrassing to that government and to its people. If we are friendly with them, well, there is no reason to embarrass friends in front of others. * exposing the target could make them the target of other attackers wishing to try their hand at this kind of behavior. If the target hasn't yet been able to upgrade their infrastructure, then identifying them would make them a repeat target. * exposing details would require a legal or diplomatic response by some parties, which they would really prefer not to exercise because they are trying to solve things quietly, or have other activities of more importance going on that might be disrupted. The list goes on. We should always be skeptical of what we are told, and look at it through the lens of what we know. At the same time, we must be aware that there are valid reasons why some things are secret, and forcing their exposure can endanger others -- immediately or indirectly. Yes, we are open to manipulation with false or half-true information. That's why we should carefully consider the sources, the issues, and the ground truths we (think) we know. That we have been lied to in the past is a given. That we will be lied to in the future is a given. But that does NOT mean that we should conclude that every statement made to us by someone working for the government is a half- truth or intended to be sinister. Personally, my experience has been to give careful thought to anything said by any political appointee or elected official, but to give the benefit of the doubt to regular employees when something plausible is stated. In this case, ask yourself what is the downside to trusting that the statement is true, or is close to the truth? We harden our SCADA and digital control systems against outside interference and maybe invest in some improvements to our cyber investigation capabilities. Gee, that's an awful alternative, isn't it? I guess we should disbelieve the account, and leave our power grid wide open for attack -- that'll show those lying government types! ------------------------------------------- Archives: http://v2.listbox.com/member/archive/247/=now RSS Feed: http://v2.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
Current thread:
- Another way of making money using the net? David Farber (Jan 19)
- <Possible follow-ups>
- Re: Another way of making money using the net? David Farber (Jan 20)
- Re: Another way of making money using the net? David Farber (Jan 20)
- Re: Another way of making money using the net? David Farber (Jan 21)