<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" 
      xmlns:thr="http://purl.org/syndication/thread/1.0">
  <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html" />
  <link rel="self" type="application/atom+xml" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.xml" />
  <id>tag:www.schneier.com,2013:/blog//2/tag:www.schneier.com,2010:/blog//2.3472-</id>
  <updated>2013-05-20T21:20:26Z</updated>
  <title>Comments for The Threat of Cyberwar Has Been Grossly Exaggerated</title>
  <subtitle>A blog covering security and security technology.</subtitle>
  <generator uri="http://www.sixapart.com/movabletype/">Movable Type 4.38</generator>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:1329062</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c1329062" />
    <title>Comment from Clive Robinson on 2013-04-28</title>
    <author>
        <name>Clive Robinson</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@ Tony,</p>

<p><i>It's now 2013 - is cyber war still exaggerated?</i></p>

<p>It rather depends on your definition of "cyber war".</p>

<p>If you instead say "Cyber Espionage" or "Cyber Crime" then the answer is they are both very much on the increase.</p>

<p>To rephrase an old saw "There be gold in them there mountains of code" and the "rush" is very much on as the traffic stats show...</p>]]>
    </content>
    <published>2013-04-28T07:37:55Z</published>
    <updated>2013-04-28T07:37:55Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:1328853</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c1328853" />
    <title>Comment from Tony on 2013-04-28</title>
    <author>
        <name>Tony</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>It is now 2013 - is cyber war still exaggerated?  I think it is the new OBL.  The ultimate fear.  The true unknown unknown and unseen unseen.  Threat level 1001</p>]]>
    </content>
    <published>2013-04-28T05:57:26Z</published>
    <updated>2013-04-28T05:57:26Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:471768</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c471768" />
    <title>Comment from Robert T on 2010-10-24</title>
    <author>
        <name>Robert T</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@Clive<br />
"The trick to perform is how to make an ordinary PC etc sensitive to this mains power signalling so that it could act as a relay point."</p>

<p>Yea, that would be a nice trick, problem is that the typical Mains AC has an impedance of less than 1 ohm at frequencies below 1 kHz and about 150 ohms at frequencies above 1 MHz.</p>

<p>I have played around with "power factor correction" circuits as low bit rate receivers. Basically modulating the time of the Diode turn-on of the Tx system (requires that you create a task sync'ed to the Mains frequency and phase the task load so that it occurs in the mains cross over period). This task needs to dissipate lots of power for a few milliseconds around the AC voltage zero cross-over. Doing this discharges the Input cap to the TX system's SMPS so that the diode turn-on time happens earlier (i.e. phase modulated on the Mains AC). This causes harmonic distortion generation on the AC Mains, which is correctable by certain classes of PFC systems, especially those intentionally used for mains PFC correction. Often these power system PFC devices have inbuilt system monitoring channels (aka receiver). You can only communicate at very low rate Bps, but for certain apps this is all that is required.</p>

<p>If you can add a pair of Narrowband powerline modems using the frequency band 40 kHz to 500 kHz and 16 QAM modulation (CENELEC band). The PLC modems will automatically detect the AC load phase angle change point that occurs at the SMPS diode turn-on. Typically they will change the type of modulation at this point (drop back to BPSK or FSK) so the modulation will be QAM16 at AC crossover, something similar to 8PSK at the AC peaks and BPSK at the rectifier turn-on / off points. If the Narrowband data is a suitable known PN sequence then you can construct a very efficient antenna at around 250 kHz and get loads of processor gain from the sequence.</p>

<p>The trick IMHO is to get devices added to the AC Power Network that nobody suspects. These devices form the PLC to RF return channel bridge. </p>

]]>
    </content>
    <published>2010-10-25T03:06:31Z</published>
    <updated>2010-10-25T03:06:31Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:471621</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c471621" />
    <title>Comment from ab on 2010-10-24</title>
    <author>
        <name>ab</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<div class="wideload">
<p>For some reason what Clive Robinson wrote reminded me of this article:</p>

<p>Can A Satellite Read Your Thoughts? - Physics Revealed<br />
<a href="http://deepthought.newsvine.com/_news/2010/07/13/4656599-can-a-satellite-read-your-thoughts-physics-revealed" rel="nofollow">http://deepthought.newsvine.com/_news/2010/07/13/...</a><br />
</p>
</div>]]>
    </content>
    <published>2010-10-24T16:36:14Z</published>
    <updated>2010-10-24T16:36:14Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:471574</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c471574" />
    <title>Comment from Clive Robinson on 2010-10-24</title>
    <author>
        <name>Clive Robinson</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@ Robert T,</p>

<p>First off, my apologies for a very late reply; I've been somewhat pre-occupied having just spent another week in hospital (I don't know what it is but I just can't seem to keep out, and no it's not the food or Nurses).</p>

<p>With regards my comment about a covert comms channel I was referring to long distance such as half way around the world and by the likes of hopping on and off memory keys etc.</p>

<p>That is, a piece of malware has two basic purposes: the first is to be malware, the second is to act as a forward or reverse relay for other malware that might not have a public comms path to ET with.</p>

<p>Imagine if you will a fault tolerant comms network using removable media or other air gap crossing method to get updates in and data out from a device on an isolated network (such as PLC's or those dealing with highly sensitive/confidential material).</p>

<p>From what has been said Stuxnet appeared to have one half of the capability (ie get updates in) but not the reverse comms channel (which is very important for effective targeting on fire and forget malware).</p>

<p>With regards your comment about using the SMPS as a power line modulator as an "outbound" comms channel yup it would work very nicely if you are reasonably close to the target and on a common mains power supply so that you could install monitoring equipment to pick the signal up (do it up around 14MHz and it might just make it around the world on a clear channel ;)</p>

<p>The trick to perform is how to make an ordinary PC etc sensitive to this mains power signalling so that it could act as a relay point. </p>

<p>I have not tried but some 24bit sound cards have a lousy earth return and thus suffer earth return pickup... It may be possible to pluck the wanted signal out of the ground return noise.</p>

<p>If it can be done, then some people are going to get ultra nervous about how they airgap systems :-)</p>

<p>Like Nick P it is an area I already address for certain sensitive things. In my case by passive series filtering at AC (50Hz thus very big ferrite core inductors) then using AC-DC sub 1Hz lowpass into a battery float (for very low impedance) and DC-AC again with filtering.</p>

<p>It's big and clunky and not particularly efficient which is not ideal. What I have been thinking about is using series resonant power supplies running around 1MHz and instead of modifying the resonant frequency actually change the inductance value by using variable reluctance techniques (have a look at chapter six "High Frequency Transductors" in a book called "soft ferrites" by E.C.Snelling, published in 1969 by Iliffe books of London, the ISBN could be 592 02790 2).</p>]]>
    </content>
    <published>2010-10-24T13:15:56Z</published>
    <updated>2010-10-24T13:15:56Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:470989</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c470989" />
    <title>Comment from RobertT on 2010-10-21</title>
    <author>
        <name>RobertT</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@Clive,<br />
   I've played around in the lab with some covert return channels for "air-gapped" systems. (Trying to understand countermeasures)<br />
  <br />
 I find the most useful return channel is the system power. <br />
If the system is very new, it might have a digitally controlled switched mode power supply. These digital SMPS are great because you can program them to be unstable yet still remain within the system regulation limits. (one wide PWM pulse next one narrow PWM pulse = 2 average width PWM pulses) Multiphase Digital SMPS are even more fun because you can easily use them to construct a Powerline QAM modulator.</p>

<p>The RF signature of the unstable PWM is easy to detect and embedding a long spreading sequence makes each infected system uniquely identifiable. The same technique can be used with regular analog loop AC-DC SMPS's, but it requires intentional load modulation, this reduces the Antenna RF efficiency because multiple loads are typically located within a 1/8 of a wavelength at the load modulation frequency.</p>

]]>
    </content>
    <published>2010-10-22T04:51:49Z</published>
    <updated>2010-10-22T04:51:49Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:470837</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c470837" />
    <title>Comment from Clive Robinson on 2010-10-21</title>
    <author>
        <name>Clive Robinson</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@ Chris B,</p>

<p>"You can make a "targeted" virus like the Stuxnet one, but it's still not all that targeted. You can't be sure of hitting your target, unlikely you'll know if the target gets infected"</p>

<p>Hmm, not sure on that; from some research I have been party to it would appear the most successful way to get to a target is via multi vectored air-gap crossing "fire-n-forget" malware. Which is very much what Stuxnet was supposed to be (I've commented on this before prior to Stuxnet's appearance).</p>

<p>The targeting is not of necessity a problem it depends on how you go about it.</p>

<p>If you assume no "ET Phone Home" capability then the targeting needs to be very specific, however targets tend to be highly dynamic thus the more specific the more time sensitive it becomes. </p>

<p>This gives a threshold based on the dynamics of the target and the delay time from launch to designated target. It is this specific problem that makes directed attacks appear a better option as it very much shortens the time component. But it also reduces the probability of success if the target is not on a direct path to the attackers.</p>

<p>The advantage of the ET option is that a two way path can be established (with an unspecified time delay based on the reliability of the path) this means the initial targeting can be less specific and can be refined step wise on each iteration of comms. The downside is that you will get hundreds if not thousands of "calls to home" to deal with.</p>

<p>Stuxnet did not appear (from what has been said) to have the ET capability at the level required. This may be due simply to those developing it not having an idea of how to implement a sufficiently secure return path.</p>

<p>As I have detailed before there are ways of making both forward and reverse comms channels that are sufficiently decoupled that tracing from target back to control is highly improbable. </p>

<p>In effect you get the coverage area of a nuke but with pinpoint strike capability, however you have no real control over transmission delay so you still have a forward time payload issue (but this is a simple problem if the time to attack is greater than the delay time of the control channel).</p>]]>
    </content>
    <published>2010-10-21T14:59:50Z</published>
    <updated>2010-10-21T14:59:50Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:470759</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c470759" />
    <title>Comment from Chris B on 2010-10-21</title>
    <author>
        <name>Chris B</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>I grew interested in I.T. Security in high school, and moved into it in uni. Dropped out after 2 years because I still hadn't learned anything except that uni costs quite a bit.</p>

<p>A cyber war is reasonably possible given how much is wired up nowadays, except that at the same time it really isn't. Most military equipment isn't connected to the main grid, which means you need to physically access it. Good luck with that.</p>

<p>You could take out.. I dunno, the GPS system? Mobile phone towers and landlines. Basically like fighting a war with muskets and mollys versus M4's and Apaches. Possible, but still quite useless. The NSA has CTF games, Capture the Flag for anyone who isn't up to scratch with their gaming terminology. Difference is, they do it with computers, object is to take down an opposing computer. Several hacking sites do the same thing, quite fun too. But the NSA is very, very good at it. They've had a cyber division for years, and I'm fairly certain that if anyone tried launching an attack against the U.S.A., then N.S.A. could trace a computer signal and the military could go do what they do best. </p>

<p>A virus is less traceable but very.. Inelegant. It's like a puncture wound with a foil compared to a nuclear bomb. Sure, the nuke will do the trick but it's going to take out absolutely everything. You can make a "targeted" virus like the Stuxnet one, but it's still not all that targeted. You can't be sure of hitting your target, unlikely you'll know if the target gets infected, will take out all your allies as well. Unless you give them the patch, but people talk which will lead to the patch getting around quicker than you want.</p>

<p>So a virus is useless for cyberwar. Only leaves direct hacking which is traceable, and that, as pointed out 2 paragraphs up is somewhat frowned upon given the projected response.</p>

<p>An EMP would be much better for a technological attack, and the countries that could produce those large enough and in enough numbers to actually be effective don't include countries where the burkha is used. Russia, China, U.S.A., possibly some of the EU countries, Britain. 'Bout it so far as I can tell.</p>

<p>tl;dr/dc;dr</p>

<p>A cyberwar is one of those "in 50 years" kind of things, possible now, but not on the scale used in the media. As an attack vector as a part of a conventional war, it would be, and is quite useful. Even if just for temporary confusion in major cities diverting resources away from a strike area. As a war in and of itself, no. Not now, not for another 5-10 years at the very least. </p>

<p>Granted, just a dropout so may be missing some vital information, ymmv, as they say.</p>

<p><br />
Notes:</p>

<p>1: In the course I was doing, we were continually taught business techniques for selling a patch. After speaking to several people in the industry, it seems patching a potential issue is frowned upon from a cost/benefit point of view. Why patch a problem that may or may not lead to a loss of information due to a hack when the likelihood of being specifically targeted is low? So any publicity which results in a more secure I.T. world is a good thing. Might get such stupidity like "security through obscurity" sent to virtual hell where it belongs.</p>

<p>2: @Yarko<br />
As said above, Stuxnet is useless if you really wanted to take out a business. Too many variables involved, not all that likely you're going to hit your target. Yes they could be compromised, not on a level that requires the amount of media. But as above in the note, any attention now is a good thing, since later on it will be understated and given no funding whatsoever.</p>

<p>3: @Bruce Schneier<br />
"It is interesting. We're extremely reluctant to call actual wars with that name -- Iraq, Afghanistan -- yet we are quick to declare rhetorical wars: on crime, on terrorism, on drugs."</p>

<p>Not at all, makes perfect sense. I think.</p>

<p>Vietnam, Korea.. The U.S.A. as a country is very anti whatever the government decides to do, simply because they decided to do it. Even if it's something they want. MSFT is a company like that, even if someone likes their products and would prefer them over anyone else, they'll still hate them, simply because it's MSFT.</p>

<p>So to say "Let's go to war", the nation will react, potentially violently. It's a surefire way of getting voted out asap.</p>

<p>On the other hand, nothing pushes progress like a war, nothing unites a nation like tragedy. So to say a "War on X", makes them look really good. Gets the nation united. Only temporarily, but it makes a good advert in the meantime. And who's going to object to a war on drugs when you can guilt anyone disagreeing with you? To the point of being a pariah.</p>

<p>A side note, the "war on drugs", really is an actual war in Mexico. The U.S.A. isn't allowed to actively fight in Mexico, so it's a non-shooting war for them. But when drug cartels are being run by ex special forces and loaded with the equivalent amount of gear, then it very rapidly escalates beyond a simple revolver and flak jacket in a police raid.</p>

<p>But again, it imparts a level of seriousness that few other words do. Does wonders for the level of belief people will put in the rhetoric put out to support a campaign.</p>

<p>An actual war would have peace rallies blocking traffic all through Washington DC shortly after it started. :P</p>]]>
    </content>
    <published>2010-10-21T08:46:35Z</published>
    <updated>2010-10-21T08:46:35Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:467538</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c467538" />
    <title>Comment from Yarko on 2010-10-06</title>
    <author>
        <name>Yarko</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>Given the recent Stuxnet cyber attack, and (partly in reply to Danny's comment) - the real possibility that pipelines, or other potentially dangerous, software controlled systems could be intentionally compromised with the _intent_ to create a physical consequence ...  do you still think these are over-stated / over-sold? ("yes, mostly" is a perfectly reasonable answer - I'm interested in a review given recent event, not vested in a particular position).</p>]]>
    </content>
    <published>2010-10-06T05:59:17Z</published>
    <updated>2010-10-06T05:59:17Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:466950</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c466950" />
    <title>Comment from Danny Lieberman on 2010-10-04</title>
    <author>
        <name>Danny Lieberman</name>
        <uri>http://www.software.co.il/wordpress</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://www.software.co.il/wordpress">
        <![CDATA[<p>I found it significant that out of the entire thread (including Bruce's original post) - no one has pointed out the obvious - namely that in real war (as defined by soldiers of one state fighting soldiers of another state) or real terror (as defined by bad people who kill civilians)  - real people get killed.</p>

<p>As an Israeli - I find the American fixation on cyber terror and cyber war somewhat amusing. </p>

<p>Although I understand that it is fundamentally a way of generating more business for the Raytheons of this world - the fixation on cyber-X seems like a way of vicariously participating in some kind of a cool war effort (patriotism and machoism...) without having to pay the physical and emotional price of dealing with losing friends and families to real world terrorists or soldiers.</p>

<p>Perhaps - if I might speculate - it is even possible that President Obama has not declared war on Afghanistan because it runs contrary to his liberal Weltanschauung of "let's solve conflicts by talking everyone since everyone are created equal".</p>

<p>Yet cyber war and cyber terror are proofs of the inequality of life.</p>

<p>While the DHS, NSA, FBI, CIA would have difficulty producing a single example of a real person being called by a piece of targeted malware -  any Israeli I know - including yours truly has close friends or family who were killed by real wars and real terrorists.</p>

<p><br />
Danny Lieberman</p>]]>
    </content>
    <published>2010-10-04T14:46:12Z</published>
    <updated>2010-10-04T14:46:12Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:448554</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c448554" />
    <title>Comment from BlueCollarCritic on 2010-07-15</title>
    <author>
        <name>BlueCollarCritic</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>The Military (the command, not the individual troops) has a cyber-hard-## to push a Cyber war threat so they can grab as much Cyber based control as possible.  </p>

<p>He who controls the flow, regardless of what is flowing, has the power.  This applies to money, information, food, you name it and the Federal Government thru the use of Military Command is looking to garner as much control of information as it can so that it can then control who learns what.</p>

<p>Senator Jay Rockefeller said the internet should have never existed.  The hatred/fear of the internet by Rockefeller and many of his fellow professional politicians is because it has spawned a form of communication and information sharing between the average person that neither big business nor corporations can control or spin.  Because people are able to communicate and share with each other outside that control, a massive revitalization of liberties and rights as defined by our constitution has taken off and this scares the hell out of these guys.  </p>

<p>The threat of Cyber war is their saving grace as it could allow them to take back control of the internet and thereby control of the flow of information and the exchange of ideas between the electorate.    The internet is an information Jungle but at least it offers a way for people to discover they are not unique in their views and thoughts on Liberties, Freedom and how out of control much of the government has become.  The internet is also killing the main stream media, Newspapers, traditional magazines and even TV based news based shows and channels.  </p>

<p>Before the internet allowed people to connect, most had no clue that they were not alone in thinking that there are serious issues with what the governments and the international corporations are doing. My parents are not big internet people; seeing it as mainly a way to email and send photos of the grandkids. Their single source of information and news comes from corporate controlled outlets being in the form of the daily newspaper and the news on the TV. If you can, thru the use of a handful of media conglomerates (which is exactly what we have for the most part with only a few local TV stations spread throughout the country being the exception), control what gets reported and what doesn’t you can greatly push the consensus of the masses in the way you want. For example if you want to downplay the bad economy then you simply have all the news outlets put positive spins on any news piece dealing with the economy and or simply not report anything that cannot be spun positively. This used to be called conspiracy theory but in fact it's smart business if you are the media conglomerate owner or in general part of the uber wealthy that gain from keeping the average person dumbed down and or uninformed.</p>

<p>Just look at the example of the FEDERAL RESERVE. Just 5 years ago most people had no clue it was neither Federal nor any kind of Reserve; everyone thought it was the Monetary arm of the government, not a privately owned Bank with rich and powerful shareholders. Go back 10 years ago and not only did most not know the real identity and purpose of the Federal Reserve but if you tried to speak out and say what it really was you were labeled as a conspiracy theory nut job. Now thanks to the internet and information sharing the masses are learning just how badly their elected representatives over the past 100 years have robbed the public to steal from the average person and re-distribute to the rich and powerful.</p>

<p>The threat of Cyber war is the Ace in the hole for these people to get back the control of the flow of info and they will do whatever they have to in order to get this done. <br />
</p>]]>
    </content>
    <published>2010-07-15T17:47:56Z</published>
    <updated>2010-07-15T17:47:56Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:448441</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c448441" />
    <title>Comment from Dave on 2010-07-15</title>
    <author>
        <name>Dave</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>A very apropos quote:</p>

<p>"'cyber' is a prefix you put on something to indicate it's a s**t metaphor" - Metlstorm.</p>]]>
    </content>
    <published>2010-07-15T05:39:50Z</published>
    <updated>2010-07-15T05:39:50Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447900</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447900" />
    <title>Comment from elegie on 2010-07-11</title>
    <author>
        <name>elegie</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<div class="wideload">
<p>"We surely need to improve our cybersecurity."</p>

<p>Depending on who you ask, it is even possible that special-interest legal issues have interfered with information security. For example, see "Unintended Consequences: Twelve Years under the DMCA" from the EFF ( <a href="https://www.eff.org/wp/unintended-consequences-under-dmca" rel="nofollow">https://www.eff.org/wp/unintended-consequences-under-dmca</a> )</p>
</div>]]>
    </content>
    <published>2010-07-12T04:59:04Z</published>
    <updated>2010-07-12T04:59:04Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447796</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447796" />
    <title>Comment from blue92 on 2010-07-10</title>
    <author>
        <name>blue92</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>The debate really lacked focus on what "threats" were even being considered, and I think that nebulousness really hurt the "yes" position.  It seems to me the "no" side of the table immediately painted their own statements as "straw-men"(?!) in the debate and then redirected it to seize the common ground that, yes, there are security vulnerabilities everywhere as if that was the point being debated.</p>

<p>I was particularly annoyed by the equivocation of the Cold War to the term "Cyber-war".  People *actually died* during the Cold War.  Millions of them, in fact.  The lack of a nuclear exchange certainly was saving grace for those of us in First World countries, but that's not much consolation to Vietnam or Korea or all those other proxies.  Even when it wasn't "hot" everywhere, people were still certainly winding up dead in Berlin.  Who has died from the "current" cyberwar?</p>

<p>Mildly off-topic, but it was also a little jarring for McConnell to claim Washington as the first spymaster (what of Walsingham?) or when he mentioned our role in defeating German encryption (without mention of the Poles and especially Brits who by most accounts did the heavy lifting on that front, yes?).  I guess the Japanese front is less sexy?  Some seemingly myopic (albeit perhaps typical) historical framework going on there.</p>]]>
    </content>
    <published>2010-07-11T03:20:30Z</published>
    <updated>2010-07-11T03:20:30Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447783</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447783" />
    <title>Comment from A reader on 2010-07-10</title>
    <author>
        <name>A reader</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>Dire predictions regarding the Year 2000 issue:</p>

<p><a href="http://www.wired.com/politics/law/news/2000/01/33419" rel="nofollow">http://www.wired.com/politics/law/news/2000/01/...</a></p>]]>
    </content>
    <published>2010-07-11T00:08:25Z</published>
    <updated>2010-07-11T00:08:25Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447701</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447701" />
    <title>Comment from Clive Robinson on 2010-07-10</title>
    <author>
        <name>Clive Robinson</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@ Brandioch Conner,</p>

<p>With regards @jlc3's comment,</p>

<p>"Personally I fail to understand why we shouldn't do anything about actual vulnerabilities because someone says it's just a hollywood stunt, not reality."</p>

<p>Is a valid point, however you are providing an excuse to those not wishing to take remedial action with your comment of,</p>

<p>"Because there are, literally, billions of possible "vulnerabilities" and we would go broke attempting to defend each of them against every movie plot threat that anyone could dream up"</p>

<p>Whilst it is true in the way it is written it ignores an important issue.</p>

<p>Whilst there may as you say be "billions of possible vulnerabilities" they are seldom if ever completely unique. That is each of your "billions" falls into one or two of very few classes of vulnerabilities.</p>

<p>Importantly the defense for most classes is broad not specific and thus just a handful of broad measures protects against a slightly larger number of classes of attack each of which in all likelihood contain the majority of your "billions" of individual attacks.</p>

<p>Further whilst protecting against each individual attack only provides a defence against it and one or two like it that are effectively "known knowns" or "known unknowns". Protecting against a class also has the side effect of protecting against some "unknown unknowns" as well due to the "class overlap" effect.</p>

<p>With regards to your final comment,</p>

<p>"Now, if you want to talk about fixing vulnerabilities that are being exploited TODAY by vandals and spammers and criminals that would be a different discussion"</p>

<p>You have to be careful you don't fall into the tarpit referred to in the old saw about alligators and swamp draining.</p>

<p>Focusing on individual attacks is in general counter productive, like killing woodworm beetles as they emerge from their holes. The damage has been done and you are not protecting yourself against further attacks. The solution is to make the environment toxic not just to the existing larvae but also future ones that hatch from any eggs that might be laid in future years. But importantly the right choice of toxin works effectively against all the class of wood boring insects and some other creatures.<br />
</p>]]>
    </content>
    <published>2010-07-10T10:04:11Z</published>
    <updated>2010-07-10T10:04:11Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447691</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447691" />
    <title>Comment from Clive Robinson on 2010-07-10</title>
    <author>
        <name>Clive Robinson</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@ Jacob,</p>

<p>Re: NSA Perfect Citizen</p>

<p>There is insufficient information that can be verified to say...</p>

<p>The WSJ article was the start of a proverbial "tempest in a tea cup" with misquotes and assumptions abounding in various press outlets (and as Davi notes above they don't check their sources these days).</p>

<p>One thing that can be said irrespective of anything else "Perfect Citizen" was a name choice guaranteed to get people worked up.</p>

<p>It does not help the NSA's case when their "for press" statements jibe with each other over such things as "sensors" and if it is "R&D" or "data gathering".</p>

<p>If you think along product development lines you have various stages. The first of which is the usual scientific method,</p>

<p>1, See patterns in random data<br />
2, Identify non random data and correlations.<br />
3, Investigate issues arising from patterns<br />
4, Identify if issues are measurable.<br />
5, Perform an analysis to confirm hypotheses.</p>

<p>At this point the second stage of "feasibility" is carried out and then other "Marketing" issues.</p>

<p>The third stage is getting management "buy in" to go further. This generally involves</p>

<p>1, Identify product gap.<br />
2, Do a "requirements analysis"<br />
3, Do an "Engineering feasibility study".<br />
4, Do an "Engineering prototype".</p>

<p>Then iterate one or two times.</p>

<p>At this point a lot of eyes have been looking on the issue and as is normal with something new you look to expand the product base.</p>

<p>And this is the point where otherwise benign technology gets scary.</p>

<p>In order to expand the product base as wide as possible to attract as much business as possible you have to look not at the actual "functionality" but the "potential" for that functionality.</p>

<p>For instance a CCTV camera is of itself fairly benign, it's what you hook it up to that gets scary.</p>

<p>And it is this that is causing concern whipped up by the name and who the players are.</p>

<p>Am I saying "Perfect Citizen" is benign?</p>

<p>No, far from it; what I am saying is that we know way too little to make even a gut reaction let alone an informed judgment.</p>

<p>So one to keep the eye on for now. </p>]]>
    </content>
    <published>2010-07-10T08:55:48Z</published>
    <updated>2010-07-10T08:55:48Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447539</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447539" />
    <title>Comment from Dutchman on 2010-07-09</title>
    <author>
        <name>Dutchman</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>Does all this power struggle mean that there is going to be a cyber incident soon? Something big terrrroist happens (A bomb goes off every year) and it will be declared a cyber incident? </p>

<p>There will be cyber scare and cyber rules? </p>]]>
    </content>
    <published>2010-07-09T14:29:59Z</published>
    <updated>2010-07-09T14:29:59Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447529</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447529" />
    <title>Comment from mcb on 2010-07-09</title>
    <author>
        <name>mcb</name>
        <uri>http://eclecticbreakfast.blogspot.com/</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://eclecticbreakfast.blogspot.com/">
        <![CDATA[<p>@ Wolfgang Wagner</p>

<p>"An attack on the electrical grid or air traffic control system could kill hundreds if not thousands."</p>

<p>I'm a big fan of prevention (at least when it comes to preventing the preventable), but there are less preventable problems that are more properly dealt with in a resilient manner that depends on a plan for rapid recovery.  The many electrical grids fail from time to time, rarely causing more than annoyance.  Service is routinely restored within hours to days.  Turning off the air control system would certainly be disruptive but flight crews are quite able to land their aircraft without external assistance.  If you're concerned that North Korean smurfwarriors might hack the system so cleverly as to make planes collide deliberately (like when the Gremlins rewire the stop lights in Kingston Falls so that they are green in all directions) then we're moving off into movie plot threats.</p>]]>
    </content>
    <published>2010-07-09T13:31:35Z</published>
    <updated>2010-07-09T13:31:35Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447453</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447453" />
    <title>Comment from Wolfgang Wagner on 2010-07-08</title>
    <author>
        <name>Wolfgang Wagner</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@Brandioch<br />
"If the cyber-terrorist's cyber-weapons can't kill our people in a cyber-attack as fast as we kill each other in a major city then why spend money on the cyber-fear instead of demonstrable threats?"</p>

<p>An attack on the electrical grid or air traffic control system could kill hundreds if not thousands. Should we wait until it's "demonstrated" before we spend the money to prevent it?</p>]]>
    </content>
    <published>2010-07-09T02:32:33Z</published>
    <updated>2010-07-09T02:32:33Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447436</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447436" />
    <title>Comment from BF Skinner on 2010-07-08</title>
    <author>
        <name>BF Skinner</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@Brandioch Conner "I hate the word "blog"."</p>

<p>As you should (as any sane mind should) for any word invented by Smurfs.</p>

<p>But the question of ownership is interesting. The "people" don't really have the wherewithal to run control on anything on a greater span of years than less than a decade. It's why we in the States delegate it to our reps. </p>

<p>But ownership is individual responsibility.<br />
It's individuals that create organizations like EFF, ACLU, BT and BP. </p>

<p>One guy though started thinking about the possibility of people using medical technology to decapitate a human head and keep it alive. It bugged him -- a lot. So he went out and patented the process so that (legally) no one could do it without his permission, and doing it illegally gave him a recourse under law.</p>

<p>cf <a href="http://v3.espacenet.com/publicationDetails/biblio?CC=US&NR=4666425&KC=&FT=E" rel="nofollow">http://v3.espacenet.com/publicationDetails/...</a></p>

<p>The Whole Earth Review had an interesting article on it back in the day. He saw a problem and (literally) took ownership of it.</p>]]>
    </content>
    <published>2010-07-08T22:46:34Z</published>
    <updated>2010-07-08T22:46:34Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447434</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447434" />
    <title>Comment from Brandioch Conner on 2010-07-08</title>
    <author>
        <name>Brandioch Conner</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@BF Skinner<br />
"It occurs to me you know that Gibson could end the misuse by turning RIAA loose on the copyright infringers. Is he seeing a nickel out of their use of his intellectual property?"</p>

<p>Sure. Go ahead and recommend that to him.</p>

<p>What happens then? Will we see countless articles on "blogosphere-war"? With "blogosphere-terrorism"?</p>

<p>In a surprise blogo-attack today, blogo-terrorists unleashed their newest blogo-weapon upon an unsuspecting people. The USofA's strategic reserve of the canonical list of "yo momma" jokes was corrupted and had to be deleted.</p>

<p>The President has asked that all citizens please check their browser cache for an uncorrupted copy.</p>

<p>We must all do our part and contribute our shared blogo-efforts to maintain our blogosphere for future generations of bloggers.</p>

<p>I hate the word "blog".</p>]]>
    </content>
    <published>2010-07-08T22:34:14Z</published>
    <updated>2010-07-08T22:34:14Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447420</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447420" />
    <title>Comment from BF Skinner on 2010-07-08</title>
    <author>
        <name>BF Skinner</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>Soooooo. The word cyber is being used as frequently and as accurately as the Smurfs use the word "smurf"</p>

<p>Maybe a partial response is public humiliation. Someone write a worm that overwrites "Cyber" with "Smurf"</p>

<p>A sampling of the debate</p>

<p>Smurfsecurity <br />
Smurfati (Gaga's next hit)<br />
Smurfwar<br />
U.S. Smurf Command,<br />
Smurf 9/11<br />
National Smurf Security Division director Amit Yoran<br />
Smurf Pearl Harbor, <br />
Smurf Katrina<br />
Smurf Armageddon<br />
Smurfspace<br />
Smurfcrime<br />
Smurf-espionage<br />
Smurf-activism<br />
The Smurfwar Threat has been Grossly Exaggerated<br />
Protecting Smurfspace as a National Asset: Comprehensive Legislation for the 21st Century<br />
North Korea was probably not responsible for last year's Smurfattacks<br />
Smurf terrorist<br />
Smurf-dissembling, Smurf-bookselling, Smurf-commandbuilding, or Smurf-constitutionwrecking<br />
Smurf-divorce<br />
Smurf discussion<br />
The NSA has ridiculous Smurf protections<br />
all our essential systems are allegedly vulnerable to "Smurf" attacks.<br />
Is the threat of Smurf attack being blown out of proportion? Yes. But does that make it a lie? <br />
Hey, wait a minute ... isn't that what "Smurf"(-netics)" </p>

<p>Smurfblog; the opportunity for us to post Smurfcomments with our Smurfcomputers; the Smurflinks, Smurfcartoons, and even the occasional Smurfflame. ... Now if you'll excuse me, I need to go to my Smurfhome and eat my Smurfdinner.</p>

<p>Eat Smurfs? Yuck How could you @Tom T. </p>

<p>But to be fair I've always thought of cyberspace as blue. It occurs to me you know that Gibson could end the misuse by turning RIAA loose on the copyright infringers. Is he seeing a nickel out of their use of his intellectual property?</p>]]>
    </content>
    <published>2010-07-08T21:24:34Z</published>
    <updated>2010-07-08T21:24:34Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447413</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447413" />
    <title>Comment from mcb on 2010-07-08</title>
    <author>
        <name>mcb</name>
        <uri>http://eclecticbreakfast.blogspot.com/</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://eclecticbreakfast.blogspot.com/">
        <![CDATA[<p>This from the HSO Weekly e-Newsletter Volume 39...</p>

<p>"The 2nd annual Cybersecurity Symposium kicks off in Washington today as elite cyberati from federal agencies, the Pentagon and private industry gather for a day of brainstorming about threats to our computer networks."</p>

<p>Cyberati?!!  Cyber-sheesh!</p>]]>
    </content>
    <published>2010-07-08T20:33:31Z</published>
    <updated>2010-07-08T20:33:31Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447409</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447409" />
    <title>Comment from Beta on 2010-07-08</title>
    <author>
        <name>Beta</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>Actually, I can imagine something I'd consider worthy of the name "cyberwar" that didn't kill anyone (not directly, anyway). The thing that distinguishes it from cyber-whatever is that someone has put a lot of thought into every aspect of it. It is by definition very complex, and probably requires the concerted effort of thousands of experts.</p>

<p>It doesn't require that any particular line of attack be spectacularly successful (e.g. making a lot of nuclear power plants melt down, or crashing hundreds of airliners), but everything that can be attempted must be attempted, and with skill and resources. If someone's trying really hard to corrupt all financial/legal/medical records all at once (which might start months before the climax), and also attacking the power grid and air traffic control and the internet all at once, then it might be cyberwar. If nobody's attacking the telephone system, it's not cyberwar. If nobody's crashing commercial servers, it's not cyberwar. If there's a plausible (non-lethal) IT attack and nobody's trying it, it's not cyberwar.</p>

<p>And above all, if the general population didn't notice it at the time, then it definitely wasn't cyberwar.</p>]]>
    </content>
    <published>2010-07-08T19:53:35Z</published>
    <updated>2010-07-08T19:53:35Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447405</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447405" />
    <title>Comment from Brandioch Conner on 2010-07-08</title>
    <author>
        <name>Brandioch Conner</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@Rob<br />
"If you disagree that our nation and infrastructure is under constant attack from other nation states, or that we are adequately protecting our assets, then the debate is over."</p>

<p>That sounds perilously close to "knowing" that there are Communists operating in Hollywood back in the McCarthy era.</p>

<p>"So while we debate the definition, and the attacks and breaches continue to mount, and the media picks up a random story here and there when a breach is noteworthy enough or even made public...what needs to happen before we (i.e. Government) takes action?"</p>

<p>That's easy. There are fewer than 3 murders a day in NYC. So, all the cyber-terrorists have to do is to kill 3 people in one day in the USofA using their cyber-weapons in a cyber-attack.</p>

<p>If the cyber-terrorist's cyber-weapons can't kill our people in a cyber-attack as fast as we kill each other in a major city then why spend money on the cyber-fear instead of demonstrable threats? </p>]]>
    </content>
    <published>2010-07-08T19:43:49Z</published>
    <updated>2010-07-08T19:43:49Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447403</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447403" />
    <title>Comment from CK on 2010-07-08</title>
    <author>
        <name>CK</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>Call it what you want, but cyber-espionage is serious. The US needs to take precautions against low probability yet high cost events as the government is probably the only organization with the resources and commitment to defend against threats of this nature.</p>]]>
    </content>
    <published>2010-07-08T19:38:05Z</published>
    <updated>2010-07-08T19:38:05Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447393</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447393" />
    <title>Comment from Rob on 2010-07-08</title>
    <author>
        <name>Rob</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@Bruce - you are taking the side of Howard Schmidt, and I completely agree that we are now in a debate on definitions. That said, if you read Adm. McConnell's full testimony that included the Cyber War quote, you might agree that he used it as much as an attention-getter than anything else. </p>

<p>If you disagree that our nation and infrastructure is under constant attack from other nation states, or that we are adequately protecting our assets, then the debate is over. Your readers seem an optimistic lot. However, I'm confident that anyone in your position knows better. </p>

<p>So while we debate the definition, and the attacks and breaches continue to mount, and the media picks up a random story here and there when a breach is noteworthy enough or even made public...what needs to happen before we (i.e. Government) takes action?</p>

<p>I applaud the use of the "cyber" terms if it brings attention to the issues. It's a far more benign attention-grabber than a crash of our financial system, electrical grid, or air traffic control system.<br />
-RR</p>]]>
    </content>
    <published>2010-07-08T18:18:01Z</published>
    <updated>2010-07-08T18:18:01Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447381</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447381" />
    <title>Comment from Mark R on 2010-07-08</title>
    <author>
        <name>Mark R</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>Sounds to me like the terms of the debate should have been reversed.  The thesis should have been "There is such a thing as cyber war, which is defined as follows."  The onus of proof should have been on the other side.</p>]]>
    </content>
    <published>2010-07-08T17:01:26Z</published>
    <updated>2010-07-08T17:01:26Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447377</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447377" />
    <title>Comment from BF Skinner on 2010-07-08</title>
    <author>
        <name>BF Skinner</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@G Stradling </p>

<p>New desktop - thanks!</p>

<p>Cracked 9ec4c12949a4f31474f299058ce2b22a on my lunch break.  It says "Nunc Id Vides, Nunc Ne Vides".</p>]]>
    </content>
    <published>2010-07-08T16:35:51Z</published>
    <updated>2010-07-08T16:35:51Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447376</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447376" />
    <title>Comment from BF Skinner on 2010-07-08</title>
    <author>
        <name>BF Skinner</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@Anon "Sounds crazy..."</p>

<p>Yes you do.</p>]]>
    </content>
    <published>2010-07-08T16:25:57Z</published>
    <updated>2010-07-08T16:25:57Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447371</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447371" />
    <title>Comment from A on 2010-07-08</title>
    <author>
        <name>A</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>It's probably an excuse for more monitoring and control of the Internet.  The propaganda war to make people dumb about things like what the wars are about and other nationalistic blindness is hard to maintain when the Internet doesn't all follow the mainstream media illusion.</p>]]>
    </content>
    <published>2010-07-08T16:05:08Z</published>
    <updated>2010-07-08T16:05:08Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447369</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447369" />
    <title>Comment from Brandioch Conner on 2010-07-08</title>
    <author>
        <name>Brandioch Conner</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@jlc3<br />
"Personally I fail to understand why we shouldn't do anything about actual vulnerabilities because someone says it's just a hollywood stunt, not reality."</p>

<p>Because there are, literally, billions of possible "vulnerabilities" and we would go broke attempting to defend each of them against every movie plot threat that anyone could dream up.</p>

<p>Now, if you want to talk about fixing vulnerabilities that are being exploited TODAY by vandals and spammers and criminals that would be a different discussion.</p>

<p>The same if you want to talk about what "best practices" should be.</p>]]>
    </content>
    <published>2010-07-08T15:55:58Z</published>
    <updated>2010-07-08T15:55:58Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447368</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447368" />
    <title>Comment from Michael on 2010-07-08</title>
    <author>
        <name>Michael</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>Bruce, my wife and I were at the debate (you might remember signing my wife's well-used copy of Applied Cryptography) and think the outcome may have been very different in a different city. This was Washington D.C. and the audience was most likely USG employees and contractors. Rotenberg's anti-government and pseudo-conspiratorial theories weren't going to win you converts with that crowd. Replay the debate in Silicon Valley and his arguments may have gotten more traction.</p>

<p>In my opinion, both sides won the debate based on different definitions of Cyberwar. Based on the idea of WAR, declared or otherwise, then the threat (or more specifically, risk) is completely overblown. Based on the idea of a metaphorical-war, like the Cold War, then accurately measuring the threat is irrelevant and can't be overblown. This is a war of ideas. It's a war of posturing. This is a war about convincing other people (and other countries) that they're even more vulnerable than we are.</p>

<p>As an aside, why does the FBI have a Cyber Division? Is cyber-crime somehow different than normal crime (handled by the Criminal Division)? Is cyber-terrorism, whatever that is, different than normal terrorism (handled by the Counterterrorism Division)? Is cyber-espionage different than normal espionage (handled by the Counterintelligence Division)? We act like adding the prefix "cyber" changes one concept into a different concept.</p>]]>
    </content>
    <published>2010-07-08T15:37:34Z</published>
    <updated>2010-07-08T15:37:34Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447367</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447367" />
    <title>Comment from jlc3 on 2010-07-08</title>
    <author>
        <name>jlc3</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>I realized that what I'm trying to suggest might be better told via another, sadly true story.</p>

<p>A county sheriff where I live last year was in a gun fight with a man and as a result they both died. This is part and parcel of what Law Enforcement trains for and engages. The part that probably was overlooked (except by a few after the fact) was this probably was a matter of relaxed attitude.</p>

<p>The bad guy was breaking into homes in a mountainous area for years - the press took to calling him the "Cookie Bandit" because he took food, as well as vandalized buildings and stole property. How cute. How wrong. Turns out, when finally confronted by the sheriff he was anything but a character from Sesame Street - he was a serial killer, and died as one. The Sheriff was probably a bit more relaxed in the confrontation and lost the edge, because for years this guy was portrayed as a harmless, almost comedic character. </p>

<p>It's pure speculation that had the Sheriff been more concerned, that the outcome might have been different - meaningless to speculate on that. </p>

<p>My point is that the media, and the flood of soundbites portraying something as harmless, might not be. It's perspective. I certainly do not trust the media to help me with my infrastructure decisions. I am concerned that it is counter effective on any educational efforts I might have to help the end users become more aware of their responsibilities. </p>

<p>The abuse of 'cyber' is a good example of this. Now we professionals are arguing the use of cyber to be a scare tactic (of course it is, if in the hands of media ... what a wonderful concept, the gritty grey world of Neuromancer), but it doesn't mean we have to let up on actually mitigating issues. If we feel that it's only a 'movie plot threat' and not valid, we will be farther behind on mitigation than normal. As security experts we are already fighting the catch up battle. :)</p>

<p>Not sure if my story helps but it's not a cry wolf, but rather an effort to make sure we differentiate between media hype and real threats. </p>

<p>/john</p>]]>
    </content>
    <published>2010-07-08T15:30:58Z</published>
    <updated>2010-07-08T15:30:58Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447366</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447366" />
    <title>Comment from DayOwl on 2010-07-08</title>
    <author>
        <name>DayOwl</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>I think Lieberman's "Kill Switch" bill relates to the subject of this blog. It's also a really disturbing idea. </p>]]>
    </content>
    <published>2010-07-08T15:29:44Z</published>
    <updated>2010-07-08T15:29:44Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447362</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447362" />
    <title>Comment from jlc3 on 2010-07-08</title>
    <author>
        <name>jlc3</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@Brandioch Conner</p>

<p>Describing this as 'movie plot threat' dilutes it as unimportant. I know for a fact (many actually) that the current state of our infrastructure is vulnerable, that those vulnerabilities are being exploited to validate the access.  This ranges from desktops to SCADA devices in gas/water pipelines. This is not a movie plot, these are verifiable threats. My point is that if you believe it only happens in the movies, you will be vulnerable. That someone hasn't already toasted your personal hometown water supply with 1000% the chlorine count doesn't mean it cannot happen, that it's only a 'movie plot threat'. </p>

<p>Do not simplify too much - this will cause folks that should be concerned, to not be concerned, and ignore *real* issues as unimportant. </p>

<p>I'm not even discussing the silly semantical argument about the meaning of cyber here. I'm not advocating a Chicken Little attitude - merely a responsible one. </p>

<p>Personally I fail to understand why we shouldn't do anything about actual vulnerabilities because someone says it's just a Hollywood stunt, not reality.</p>

<p>We tend to concur on the actual issues - I think again this is two issues in one 'column'. Cyber and its ilk - definitions gone wild. And actual threats. </p>

<p>I think that what I know are threats, are NOT being treated as serious- and therefore remain threats. Whomever has control of those vulnerabilities is moot - it's the exploitation of them that becomes an issue. </p>

<p>Painting everyone saying there is a problem as a 'movie plot threat' empty argument doesn't help. Vulns exist, we need to take care of them regardless of the 'cyber' argument. </p>

<p>btw, this isn't aimed at you - just an expansion of my previous. </p>

<p>Example, sort of: Had a DNS server on a network for the global company I worked for once, show up as compromised. Rootkitted. We took the machine offline to find root cause (no pun) and prepare to mitigate against the weakness throughout. However the IT Director went slatheringly out of his mind- screaming at us. His idea was since no one apparently 'Did anything' in the 2 months it was rooted, it was a non-issue.  I was flabbergasted at his perspective. For one, if it was a single host, then the response would have, naturally, been tempered by that - but it wasn't. Taking it offline had no effect on traffic. In fact, it HAD been used (quite effectively) for sniffing traffic and other issues. That he didn't SEE an obvious meltdown as a result, meant to him we could leave it without any future effects. Not so, but he never saw it that way.</p>

<p>matter of perspective I guess. To him it wasn't an issue because he never saw it as a problem. Others saw it as a clear threat and had a very different opinion. </p>

<p>::shrug::</p>

<p>/john</p>]]>
    </content>
    <published>2010-07-08T15:17:59Z</published>
    <updated>2010-07-08T15:17:59Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447360</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447360" />
    <title>Comment from Darrin on 2010-07-08</title>
    <author>
        <name>Darrin</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>Bruce, the 'and' link to the guardian in the fourth paragraph is broken.  It looks like you used special slanty quotes instead of normal ones for the href.</p>]]>
    </content>
    <published>2010-07-08T14:49:44Z</published>
    <updated>2010-07-08T14:49:44Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447357</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447357" />
    <title>Comment from G Stradling on 2010-07-08</title>
    <author>
        <name>G Stradling</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>oops, the link might help:</p>

<p><a href="http://www.wired.com/dangerroom/2010/07/solve-the-mystery-code-in-cyber-commands-logo/" rel="nofollow">http://www.wired.com/dangerroom/2010/07/...</a></p>]]>
    </content>
    <published>2010-07-08T14:43:18Z</published>
    <updated>2010-07-08T14:43:18Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447356</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447356" />
    <title>Comment from G Stradling on 2010-07-08</title>
    <author>
        <name>G Stradling</name>
        <uri>http://www.wired.com/dangerroom/2010/07/solve-the-mystery-code-in-cyber-commands-logo/</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://www.wired.com/dangerroom/2010/07/solve-the-mystery-code-in-cyber-commands-logo/">
        <![CDATA[<p>just to mention that Cyber Command have a hidden code to crack on their logo (which reminded me of the logo contest for some strange reason :) )</p>

<p>Nice to know they take life seriously!</p>]]>
    </content>
    <published>2010-07-08T14:40:23Z</published>
    <updated>2010-07-08T14:40:23Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447354</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447354" />
    <title>Comment from Anon on 2010-07-08</title>
    <author>
        <name>Anon</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>I think the Gov't's hype is a TACTIC to enable them to invade our PC's and monitor our usage so they can have more control over the masses. Can you say "New World Order"?</p>

<p>Sounds crazy but look at the Executive Orders that have been passed or amended throughout the years and then tell me what you think.</p>]]>
    </content>
    <published>2010-07-08T14:28:07Z</published>
    <updated>2010-07-08T14:28:07Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447348</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447348" />
    <title>Comment from MCW on 2010-07-08</title>
    <author>
        <name>MCW</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>If--as asserted--the prefixing of "cyber-" to some root word makes it scarier, perhaps instead of lamenting the fact those with a more lucid outlook on life should take advantage of it. Perhaps we should start speaking of the government's ploys as what they are: cyber-jockeying; cyber-propaganda; cyber-rights-denial; etc. </p>]]>
    </content>
    <published>2010-07-08T13:53:09Z</published>
    <updated>2010-07-08T13:53:09Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447347</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447347" />
    <title>Comment from Brandioch Conner on 2010-07-08</title>
    <author>
        <name>Brandioch Conner</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>@jlc3<br />
"That our vulnerabilities have been exploited (i.e., compromised systems) but not used in a highly visible, crushing attack, does not mean they will or cannot be."</p>

<p>That is the essence of the "movie plot threat".</p>

<p>"If the thought is that they won't be exploited by 'vandals' or 'criminals' or even nation-states not happy with us, and therefore we need not DO anything about it, falls right into place for an entity who wishes to cause harm."</p>

<p>Movie<br />
Plot<br />
Threat</p>

<p>No one is saying not to protect the systems. Protecting them against the KNOWN vandals and spammers and criminals will yield real results.</p>

<p>The problem is when people point to vandalism and then claim that CYBERWAR is a threat.</p>]]>
    </content>
    <published>2010-07-08T13:37:15Z</published>
    <updated>2010-07-08T13:37:15Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447342</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447342" />
    <title>Comment from jlc3 on 2010-07-08</title>
    <author>
        <name>jlc3</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>Apologies for typos and misspellings. Not Enough Coffee Yet.</p>

<p>/john</p>]]>
    </content>
    <published>2010-07-08T13:21:22Z</published>
    <updated>2010-07-08T13:21:22Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447341</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447341" />
    <title>Comment from Wayne on 2010-07-08</title>
    <author>
        <name>Wayne</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>></p>

<p>Well duh, when did I claim otherwise? People are caught up on the semantics of the word war, and only one definition of this word. Look at the broad definition of the word and it fits in this situation.</p>

<p>You look at the situation and come up with a plan to deal with it. This includes hardening of system and appropriate levels of response. A teenager trying to hack into a local school to change his grade doesn't need to have the 1st rifle infantry storming his house but a visit from the local police might be in order. Ditto for China trying to hack into corporate systems, can't use the military to deal with this but some other means can be used. And yes, at times a military response could be the correct response.<br />
</p>]]>
    </content>
    <published>2010-07-08T13:20:28Z</published>
    <updated>2010-07-08T13:20:28Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447340</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447340" />
    <title>Comment from jlc3 on 2010-07-08</title>
    <author>
        <name>jlc3</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>Actually, I think Wayne has valid points. That our vulnerabilities have been exploited (i.e., compromised systems) but not used in a highly visible, crushing attack, does not mean they will or cannot be. </p>

<p>While I agree that cyber as a term has been muddied so much it's virtually useless, and only serves to be used by the media to cry wolf - the problems, and vulnerabilities exist, and are rarely addressed. If the thought is that they won't be exploited by 'vandals' or  'criminals' or even nation-states not happy with us, and therefore we need not DO anything about it, falls right into place for an entity who wishes to cause harm. </p>

<p>Just because digital is at the speed of light does not mean the 'attacks' per se, must be. Laying a good ground work before the attack is perfectly sensible. </p>

<p>I worry when I read people just blow off known issues as non-effective, because no one has exploited it to some highly visible advantage. I'd say, for example, the draining of our monies in the banks is pretty visible, and highly damaging - just isn't quite as exciting as a 105 round through the front door. </p>

<p>That vulnerabilities haven't been exploited to date does not mean there are no plans to do so. Ignoring problems because you haven't seen evidence of malicious intent is just wrong. </p>

<p>Cry wolf? No. Practical efforts to mitigate issues, certainly. Radical piece of sky waving and blurring of terms by the press does not mean there are no issues, and that does not mean we should ignore those issues that DO exist. </p>

<p>We have a couple of conversations taking place here, with a blurring of definitions. One is the term 'cyber' and how it's been abused, misused, and ignorantly flailed about like an air raid siren. The other are real issues of vulnerabilities in our infrastructures (private, personal, and government) that can and do affect us - that should be addressed. </p>

<p>Please take care to not confuse one issue (context abuse) and the other (actual problems to be faced) in that we end up doing not enough, or even nothing about the actual problems.</p>

<p>/john</p>]]>
    </content>
    <published>2010-07-08T13:19:13Z</published>
    <updated>2010-07-08T13:19:13Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447339</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447339" />
    <title>Comment from Wayne on 2010-07-08</title>
    <author>
        <name>Wayne</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>></p>

<p>Not how it works. Whichever group gets the most change in their support in a positive direction is the winner</p>]]>
    </content>
    <published>2010-07-08T13:15:07Z</published>
    <updated>2010-07-08T13:15:07Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447332</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447332" />
    <title>Comment from AJM on 2010-07-08</title>
    <author>
        <name>AJM</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>"Prefix "cyber" to something scary, and you end up with something  really scary."</p>

<p>Oh. My. God.  CyberMechaStreisand.  Quick, mail the government some money!</p>]]>
    </content>
    <published>2010-07-08T12:18:16Z</published>
    <updated>2010-07-08T12:18:16Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447330</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447330" />
    <title>Comment from BF Skinner on 2010-07-08</title>
    <author>
        <name>BF Skinner</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>Addendum</p>

<p>The real 'cyber' threat will be the fully autonomous weapon systems that descend from the Predators (T-0.1).</p>

<p>PW Singer makes a strong argument that taking human casualties (from the attacker's side at least) out of the commit-to-combat equation increases the probability of war.  </p>

<p>We see it now in Iraq and Afghanistan. Our ALL Volunteer military. (well mostly ALL volunteer-Stop Loss is still in effect.) </p>

<p>"They knew what they were enlisting for. Screw 'em, they ain't my children." The Majority of Americans remain unaffected and indifferent. So Afghanistan has sputtered along for the better part of a decade while the administration had better things to do.</p>]]>
    </content>
    <published>2010-07-08T12:05:01Z</published>
    <updated>2010-07-08T12:05:01Z</updated>
  </entry>

  <entry>
    <id>tag:www.schneier.com,2010:/blog//2.3472-comment:447328</id>
    <thr:in-reply-to ref="tag:www.schneier.com,2010:/blog//2.3472" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html"/>
    <link rel="alternate" type="text/html" href="http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html#c447328" />
    <title>Comment from BF Skinner on 2010-07-08</title>
    <author>
        <name>BF Skinner</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>"Thanks for trying Bruce" </p>

<p>@Bruce. This is why you never get invitations to Congress or the White House. (I hear it's nice)</p>

<p>Even if the threat is currently virtual we are scaling up for it. A lot of RFPs we're seeing are for "cyberwarfighting." Huge contracts with large number of option periods. Multi-service Centers are being established, "capabilities", as they say, are being acquired. That's on the unclass side. What's going on on the black side is only a matter of speculation.</p>

<p>I'm reminded here of where we were after Nagasaki. Zero risk of a nuclear war (all extant weapons expended). But there was still serious argument about gaps. Damn RAND. First we continued to make the bombs, then the Soviets acquired the same ability. Then the risk of confrontation and exchange became higher. But even while we were seeing THEM and The Beast from 20,000 Fathoms the actual ability of the Soviets (or us) to deliver warheads to target was limited. Like our fears today with non-state actors armed with nukes--in some cases they could only ferry them to closer launch points or ship them as cargo. </p>

<p>It took later sustained development of the weapon systems (missiles, long range bombers, boomers) to make nukes an existential threat. </p>

<p>"Mr. President, we can't afford to have a mine shaft gap."</p>

<p>So here we are again? Who wants to play Plissken?</p>]]>
    </content>
    <published>2010-07-08T11:52:35Z</published>
    <updated>2010-07-08T11:52:35Z</updated>
  </entry>

</feed>