Re: Another way of making money using the net?

[David Farber <dave () farber net>]

________________________________________
From: Eugene H. Spafford [spaf () mac com]
Sent: Sunday, January 20, 2008 11:51 AM
To: David Farber; ip
Cc: Valdis Kletnieks
Subject: Re: [IP] Re:    Another way of making money using the net?

On Jan 20, 2008, at 9:20 AM, Valdis.Kletnieks wrote:

> > Hackers literally turned out the lights in multiple cities after
> > breakin=
>
> The most telling part of the article:
>
> "Donahue did not specify what countries were affected, when the
> outages
> occurred or how long the outages lasted."
>
> In other words, "trust us it happened, we won't give you anything
> verifiable,
> and you'll have to take our word that we're not fear-mongering.

I'll respond to this as an example of a class of replies, and not
intended to single out Valdis.

Why do people automatically distrust statements that are actually
quite reasonable?   Many of us who work in security know that SCADA is
vulnerable.  We also know that the criminal element is operating
online basically unchecked.   So why react as if this is some form of
government manipulation?   That Tom said as much as he did in the
venue where he did is, in many senses, surprising for its openness.

There are many reasons that more detail can't be given on various
disclosures, and why some disclosures can't be made at all:
   *  the methods used to get the information are "fragile" and if too
much detail is given, the source can be traced and stopped.   If the
source is a person, this could mean the deaths of people.  (Doubt
that?  There are many examples in the literature -- and look how quick
some countries are to execute people for less minor incidents than
espionage.)
   * the source of the information is a person or agency who is
"friendly" and known, but if it were revealed in his or her home
country that there was information sharing, the political
ramifications would be significant.  Maybe in the US too.  This would
damage or eliminate a useful channel of information.   Sometimes the
rhetoric of belligerence between governments is only that -- rhetoric
for consumption at home, especially by the fanatics...or their
leaders.  (There are historical examples, and we'd be foolish to
believe there aren't some current.)
   * the fact that a country was damaged in such a way, or extorted by
mere criminals, would be embarrassing to that government and to its
people.  If we are friendly with them, well, there is no reason to
embarrass friends in front of others.
   * exposing the target could make them the target of other attackers
wishing to try their hand at this kind of behavior.  If the target
hasn't yet been able to upgrade their infrastructure, then identifying
them would make them a repeat target.
   * exposing details would require a legal or diplomatic response by
some parties, which they would really prefer not to exercise because
they are trying to solve things quietly, or have other activities of
more importance going on that might be disrupted.

The list goes on.

We should always be skeptical of what we are told, and look at it
through the lens of what we know.   At the same time, we must be aware
that there are valid reasons why some things are secret, and forcing
their exposure can endanger others -- immediately or indirectly.

Yes, we are open to manipulation with false or half-true information.
That's why we should carefully consider the sources, the issues, and
the ground truths we (think) we know.  That we have been lied to in
the past is a given.   That we will be lied to in the future is a
given.  But that does NOT mean that we should conclude that every
statement made to us by someone working for the government is a half-
truth or intended to be sinister.   Personally, my experience has been
to give careful thought to anything said by any political appointee or
elected official, but to give the benefit of the doubt to regular
employees when something plausible is stated.

In this case, ask yourself what is the downside to trusting that the
statement is true, or is close to the truth?  We harden our SCADA and
digital control systems against outside interference and maybe invest
in some improvements to our cyber investigation capabilities.   Gee,
that's an awful alternative, isn't it?   I guess we should disbelieve
the account, and leave our power grid wide open for attack -- that'll
show those lying government types!

-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com