I'm thrilled that the government, big tech, and finance are working in lockstep to safeguard my rights and privacy. It's very generous of them.
I rest assured knowing that I will never be locked out of any one of my accounts; should I get on the wrong side of any of them, I'll be locked out of both the financial system, the internet ecosystem, and be on the wrong side of the law, for my own safety and digital health.
Checklists are not the answer. Some kind of liability framework seems like the answer. And perhaps through such a lens we'll discover that some businesses simply shouldn't exist.
You see it with HIPAA. It's unclear whether the financial liability causes companies to invest in security and that work discourages hackers. Or, if hackers aren't as interested in customer data / healthcare records. Seems like the low hanging fruit is just to infiltrate a network and figure out how to get it to mine monero.
I think HIPAA is a good example, especially the somewhat infectious nature of business agreements. There are serious penalties with leaks, and the BAs leave everyone liable (and very, very cautious). I do think the teeth of the law make a lot of HIPAA leaks go unreported. I imagine the almost crippling financial and reputational impact gets weighed heavily against the cost of getting caught.
The only way to have liability is ... show people didn't follow a checklist. The main way to show a restaurant is liable for getting people sick is to show they didn't follow the health code, the main way to show a company is liable for fire is to show they violated various codes, etc.
Well, yes and no. You can have liability on inputs or liability on outputs. For restaurants, liability on outputs would mean a restaurant being liable for any food poisoning that occurs within X hours of eating there. But, human health has many confounding factors, so the inputs are easier to measure and to impose liability on.
For computer security, I'd want to see liability on results, and not just on the methods and the checklists. If a company has a data breach, then that's something for which they can be held liable. That might mean that it becomes much more expensive to maintain large databases on users, which would be a good change.
For restaurants, liability on outputs would mean a restaurant being liable for any food poisoning that occurs within X hours of eating there.
You kind of run up against that old English Common Law principle that a defendant is innocent until proven guilty with that idea.
In simple situations, outcomes can work. If you intentionally cause someone to die, you're guilty of murder no matter how you manage to do that (but a chain of causation still needs to be proven, a rough correlation is patently arbitrary and unjust). But complex situations where causation is complicated require standards - proving someone intentionally killed someone in traffic would be hard if there were no traffic laws.
Agreed. My last few experiences with 'security officers' were that they knew how to read off a checklist, and check said checklist.
None of the three had any clue if what we were saying was even true. Or what it would mean if it weren't.
To make myself more clear: checklists might be ok, if the checker can scour the code and prove such things. I've never met one that does or even seems to have the ability to.
One area the US government could really make a difference in cyber security is making identify theft more difficult. Currently all you have to do to defraud banks is get your hands on some government issued numbers (social security numbers and driver licenses). If the government created an identify system that was no so easy to impersonate, some types of hacking and data leaks would not longer cause problems to the public.
Given the push to have vaccination passports and people not pushing back hard on that aspect of privacy, probably pushing through a digital national ID might be as ripe as it’s ever going to be.
I think a regular national ID was attempted under the Obama administration but failed due to pushback, if I'm remembering correctly. The closest we got was Real ID, passed in 2005, which is barely being implemented fully now, over 15 years later.
It makes me wonder how long it would take a true national ID system with digital verification, maybe something similar to Estonia's, to take to actually implement. It would have to be something not left to each state to handle, or it'd suffer the length and per-state disparities of Real ID.
> I think a regular national ID was attempted under the Obama administration but failed due to pushback, if I'm remembering correctly.
Not really. There was some discussion of it during the period of the Bush Administration which turned into Real ID (2005 was well before Obama was elected), but it's a stretch to call even that, much less any murmurings during the Obama Administration, an “attempt”.
> It makes me wonder how long it would take a true national ID system with digital verification
If you mean a mandatory one, mandatory ID faces Constitutional issues that are central to the US conception of liberty, so probably a collapse of the Constitutional order.
If you mean available standardized digital ID with digital verification, well, TSA had an RFI that closed in June preparatory to a rulemaking on adding digital ID, including digital verification, standards into the Real ID standards, because a number of states have digital ID efforts and there is a demand for them to qualify as Real IDs, because of the uses for which Real IDs already are (and the more that thet will be in the next couple years) mandated for l.
Even more fundamental than national ID or PKI is incentives. If the burden of proof is clearly on the creditor, they will very quickly tighten up their anti-fraud measures. The current equilibrium of creditors being able to burden random people with the cost of proving they're not responsible for fraudulent loans is Kafkaesque.
For many years retail stores didn't care about stolen credit card information being used to buy gift cards. The banking sector ate those fraud losses. Once the payment card oligopoly shifted the liability onto merchants, retailers had to eat way more fraud. Retailers immediately took down gift card displays, rushed to upgrade to chip terminals, and when they put the displays back they stopped selling $500 cards.
I'd be a lot more interested in an id system that was controlled by the individual rights holder: a verified system granting or revoking access to their data. Individuals have far more incentive to protect their data than state apparatus.
login.gov would be great for this, with the obvious caveat being that it ties a persistent user identifier to sites you login with.
Maybe there could be two login flows - one that generates a unique pseudo-identity for each service, and another that actually beams over your PII for identity verification purposes.
I'd really like to see a data permissions system that was outside government controls, no idea how that could happen though, definitely not globalist corporate controlled
A huge joke. If you have ever had to work with the DoD you may have had to deal with CMMC.
It's totally ridiculous. At least it will boost the economy by adding thousands of security officer jobs and pad the pockets of any security vendor, and drive system administrators nuts by having to deal with shit like Microsoft Azure GCC High
CMMC is a framework that wasn't really there before. Sure it has bad points but, it at least moves things forward in the right direction and makes things more visible. The problem I've encountered with it is that PHBs want things hidden or "creatively mitigated" to pass inspection. Security would be much better if an independent 3rd party were used to audit all RMF/CMMC packages. That is usually not the case.
We're getting closer and closer to cyber and kinetic warfare intermingling regularly. Attacking a US company may become akin to attacking a US citizen. State backed or State sanctioned actors will be looked at as an agent of the state itself. Hacks will lead to proportional responses from governments against governments.
It's not much different than our military and contractors protecting domestic oil company interests abroad.
What do you do in the case the actor is using a weak state as cover? Send a surgical strike into a country that aside from having the presence of the bad actor had nothing to do with it?
> Send a surgical strike into a country that aside from having the presence of the bad actor had nothing to do with it?
Work with law enforcement agencies in those countries to apprehend the person. If the country won't cooperate or shields the attackers, then sure, a drone strike could work.
Hard disagree. First, you downplay "unauthorized information access". Foreign adversaries have targeted our industrial SCADA systems, which can lead to death and destruction.
Second, there's no moral absolutes that dictate how a nation should act. I value the lives and information of my family and friends more than I value the lives of someone attacking them. Don't like it, don't attack... :shrug:
Now that the American empire is going to shit, how are you going to get your dick hard without being able to murder people just because you feel like it?
> how are you going to get your dick hard without being able to murder people just because you feel like it
What's your obsession with my penis? This is your second comment about it. I ignored it the first time, so you try harder the second time? You're a creepy dude.
This will be an unpopular opinion, but I would require all allied countries to enforce bcp38/rfc2827 to prevent spoofing. Any country not adopting this would be null routed by all other countries. When a country does not police it's own traffic to make a serious effort to stop known criminal entities, all other countries would null route or remove BGP advertising the IP space of that country until they got their act together. This would create some financial incentive to take out the trash. The null routes or filtered BGP advertisements would be temporary unless a country repeatedly violates policy. This puts the onus on each country to take crime seriously in their own jurisdictions. Side stepping the blocks would result in sanctions as a starting point. I do realize and acknowledge this could potentially lead to privacy issues, as countries would have to enforce identity to at least get internet transport level access. There is also the matter of corruption.
Within a country, the same methods would be enforced. If for example, T-Mobile allowed unfettered abuse of its pre-paid wireless cards as they do then the countries they reside in would de-list them from BGP advertisements. The government would have legal immunity in doing so. Or if AWS, DigitalOcean, Linode, OVH, etc... allowed people to abuse their VM's, same deal. De-listing might start with a region then become global depending on the level of abuse and how seriously the company responds and takes action to take out the trash.
In my humble opinion, anything short of this would just be meaningless political posturing and the problems would continue to grow and escalate.
> ...as President Joe Biden appealed to private sector executives to "raise the bar on cybersecurity."
So a new banner has been hoisted, under which some lobbyist interests will be serviced, and if this results in any security improvements - it will be a happy accident. Here, I'll fix the problem for you Biden - here is what you say: "Today I've been directed to announce that... I've directed the Department of Justice to investigate the negligent actions of companies that have contributed to the growing trend of identity theft and associated crimes." Boom, problem solved. This solution is well known, and has been for as long as I can remember. If somebody fills their orphanage-for-the-blind adjacent warehouse full of TNT, and a chain smoking burglar breaks in... the warehouse owner isn't the victim.
What good can come from this? "We want to improve our cybersecurity - lets engage the biggest technology companies in the country." If we invite them all to a luncheon, their collective knowledge of "cyber" must lead to something good, right? Except all of these executives likely have limited understanding of cybersecurity at best. At worst, they or their team already thought up regulations to help crush early companies, and this is an opportunity to get them through.
The year is 2026. Cyberattacks have escalated to the point that megabanks are offline for weeks at a time, power grids go dark for ransom, airliners are guided into deadly collisions, a database of every American's Social Security Number is leaked, and drinking water is sabotaged by remote criminals. The USA CYBERSAFE ACT is passed with overwhelming bipartisan support. It mandates trusted federal security co-processors in every computer, key escrow, a national firewall at every ISP, an end to crime enabling online anonymity, and a chain of custody for all actions done on a computer: logs must be retained by a licensed business IT department or manufacturer of a consumer device for two years. Root access is a felony.
The year is 2027. Power grids still go dark for ransom, but at least the internet has been turned back into TV. If you know how to use Linux, you might be able to pick up a fourth podcast!
Yeah not going to happen. Might happen to government, but not banks.
Banks are incentivized by profit, and being offline pose extreme risk to profit. Government are just mostly self promoting bureaucracy until something goes really wrong, and then it's still the same bureaucracy.
Banks are also incentivized by costs, both real and perceived. security is a perceived cost, easy to discount until it happens. This is why ATMs run very old operating systems, for example.
Capitalism isn't magic pixie dust that makes everything good.
That is one of many ways to address these issues. The underlying problem that needs to be resolved is that the average security posture of most companies is bad and we (US citizens and anyone else vested in the economic well being of the US) need to do better.
Sadly, incentivizing people and organizations isn't always good enough--technical hiring is difficult for most orgs to begin with, the market for technical security specialists is smaller than that of software engineers, and good security is an ongoing business function.
Fixing this at a systemic level will take a broad variety of initiatives: some governmental, some driven by insurance/liability frameworks, and initiatives (government, industry, or social) to encourage more people to get into security.
In the 1980s we used to be able to buy "shareware" floppy disks for $3 at user group meetings. These things had all sorts of cool stuff on them. We didn't have to worry about our computers being permanently damaged, because back then, unlike now, our operating systems were on write protected, easily copied floppy disks. Our hardware wasn't smart enough to house any trojan horses, so you knew it wasn't at risk.
We had computer security. Not because MS-DOS was such an amazing piece of code, but rather the hardware was simple enough that you couldn't hide a trojan in it.
The job of an operating system is to protect the hardware, and allow the user(s) of a system to use the resources without risk. NONE of the current crop of operating systems we use 40 years later is suitable for the job, not Linux, Windows, MacOS, iOS, Android, the cloud.
Now that even the cheapest persistent storage is likely to have multiple levels of firmware, it's up to the operating systems to virtualize the hardware, and keep applications from directly touching it. NONE of our current crop of systems do that.
All this "cybersecurity" spending is just a grift if it doesn't deliver actual computer security.
Director of Engineering - Security from Coalition here (we participated in the event) - We committed to building more free security tools for all organisations to protect themselves. We’ve already made Coalition Control our Attack Surface discovery and monitoring platform free (https://control.coalitioninc.com) and we will continue to add more features and more tools for free there. If there are any questions,I am happy to answer them!
1) Certain infrastructure should be off the net automatically - pipelines, water treatment plants and similar things (or online with hardware guaranteed one ways connections).
2) Standards for testing backups.
3) Standards for IoS devices (a million insecure Internet light bulbs, what could possibly go wrong).
4) Standards for not having a hundred companies auto-updating onto the systems of critical infrastructure companies.
The great thing about insurance is that we don't just get to create baselines our policyholders must adhere to, we also get to enforce them. A perfect example of this is anyone that has a policy with us must have RDP behind VPN/ whitelisted only to specific IPs. I spent years trying for free to convince orgs to do this and was ignored, here we convince all our policyholders to do it and everyday more and more companies as we onboard them.
For backups, not only do they need to have it, they need to be tested, kept offline and encrypted - this doesnt apply to all its split by revenue bands/industry/mix of other logic.
IoT devices - they get notified in Control if we find any on the internet and told to not have them directly exposed
* Do you know if there are any follow up meetings planned? Did they discuss some kind of process?
* what were the main concerns discussed?
* interesting to find out about the coalition (I was briefly involved in a similar insurance setup in my home country). Is your ‘baseline’ derived from some standard? Can I find it online?
Yes the group will continue to meet and I believe more will come out overtime as we start to better define how we as private entities can help the gov.
- our baseline is internal. We are with our customers end to end. From selling the policy to scanning them, notifying them and we have our own incident response team which means that we learn a lot with every claim. So when we add a vulnerability in critical state in Control you can assume it came from learnings of losses combined with our cybersecurity expertise.
Nice feedback loop you have there! (re last point). If you can point to the actual proven ‘indicators of risk’ instead of flagging every potential issue onder the sun, everyone is going to love you!
I look forward to a summary report on incidents somewhere in the future ;)
58 comments
[ 2.8 ms ] story [ 107 ms ] threadI rest assured knowing that I will never be locked out of any one of my accounts; should I get on the wrong side of any of them, I'll be locked out of both the financial system, the internet ecosystem, and be on the wrong side of the law, for my own safety and digital health.
Building a better future, together.
For computer security, I'd want to see liability on results, and not just on the methods and the checklists. If a company has a data breach, then that's something for which they can be held liable. That might mean that it becomes much more expensive to maintain large databases on users, which would be a good change.
You kind of run up against that old English Common Law principle that a defendant is innocent until proven guilty with that idea.
In simple situations, outcomes can work. If you intentionally cause someone to die, you're guilty of murder no matter how you manage to do that (but a chain of causation still needs to be proven, a rough correlation is patently arbitrary and unjust). But complex situations where causation is complicated require standards - proving someone intentionally killed someone in traffic would be hard if there were no traffic laws.
None of the three had any clue if what we were saying was even true. Or what it would mean if it weren't.
To make myself more clear: checklists might be ok, if the checker can scour the code and prove such things. I've never met one that does or even seems to have the ability to.
It makes me wonder how long it would take a true national ID system with digital verification, maybe something similar to Estonia's, to take to actually implement. It would have to be something not left to each state to handle, or it'd suffer the length and per-state disparities of Real ID.
Not really. There was some discussion of it during the period of the Bush Administration which turned into Real ID (2005 was well before Obama was elected), but it's a stretch to call even that, much less any murmurings during the Obama Administration, an “attempt”.
> It makes me wonder how long it would take a true national ID system with digital verification
If you mean a mandatory one, mandatory ID faces Constitutional issues that are central to the US conception of liberty, so probably a collapse of the Constitutional order.
If you mean available standardized digital ID with digital verification, well, TSA had an RFI that closed in June preparatory to a rulemaking on adding digital ID, including digital verification, standards into the Real ID standards, because a number of states have digital ID efforts and there is a demand for them to qualify as Real IDs, because of the uses for which Real IDs already are (and the more that thet will be in the next couple years) mandated for l.
Maybe there could be two login flows - one that generates a unique pseudo-identity for each service, and another that actually beams over your PII for identity verification purposes.
It's totally ridiculous. At least it will boost the economy by adding thousands of security officer jobs and pad the pockets of any security vendor, and drive system administrators nuts by having to deal with shit like Microsoft Azure GCC High
It's not much different than our military and contractors protecting domestic oil company interests abroad.
Work with law enforcement agencies in those countries to apprehend the person. If the country won't cooperate or shields the attackers, then sure, a drone strike could work.
Second, there's no moral absolutes that dictate how a nation should act. I value the lives and information of my family and friends more than I value the lives of someone attacking them. Don't like it, don't attack... :shrug:
You said it, not me.
What's your obsession with my penis? This is your second comment about it. I ignored it the first time, so you try harder the second time? You're a creepy dude.
Here's the plan: invade Afganistan, and eventually find the guy years later in a compound in Pakistan.
Within a country, the same methods would be enforced. If for example, T-Mobile allowed unfettered abuse of its pre-paid wireless cards as they do then the countries they reside in would de-list them from BGP advertisements. The government would have legal immunity in doing so. Or if AWS, DigitalOcean, Linode, OVH, etc... allowed people to abuse their VM's, same deal. De-listing might start with a region then become global depending on the level of abuse and how seriously the company responds and takes action to take out the trash.
In my humble opinion, anything short of this would just be meaningless political posturing and the problems would continue to grow and escalate.
So a new banner has been hoisted, under which some lobbyist interests will be serviced, and if this results in any security improvements - it will be a happy accident. Here, I'll fix the problem for you Biden - here is what you say: "Today I've been directed to announce that... I've directed the Department of Justice to investigate the negligent actions of companies that have contributed to the growing trend of identity theft and associated crimes." Boom, problem solved. This solution is well known, and has been for as long as I can remember. If somebody fills their orphanage-for-the-blind adjacent warehouse full of TNT, and a chain smoking burglar breaks in... the warehouse owner isn't the victim.
Yeah not going to happen. Might happen to government, but not banks.
Banks are incentivized by profit, and being offline pose extreme risk to profit. Government are just mostly self promoting bureaucracy until something goes really wrong, and then it's still the same bureaucracy.
Capitalism isn't magic pixie dust that makes everything good.
Doesn't sound so nice when you put it like that.
Sadly, incentivizing people and organizations isn't always good enough--technical hiring is difficult for most orgs to begin with, the market for technical security specialists is smaller than that of software engineers, and good security is an ongoing business function.
Fixing this at a systemic level will take a broad variety of initiatives: some governmental, some driven by insurance/liability frameworks, and initiatives (government, industry, or social) to encourage more people to get into security.
What systems can do that?
We had computer security. Not because MS-DOS was such an amazing piece of code, but rather the hardware was simple enough that you couldn't hide a trojan in it.
The job of an operating system is to protect the hardware, and allow the user(s) of a system to use the resources without risk. NONE of the current crop of operating systems we use 40 years later is suitable for the job, not Linux, Windows, MacOS, iOS, Android, the cloud.
Now that even the cheapest persistent storage is likely to have multiple levels of firmware, it's up to the operating systems to virtualize the hardware, and keep applications from directly touching it. NONE of our current crop of systems do that.
All this "cybersecurity" spending is just a grift if it doesn't deliver actual computer security.
Some thoughts:
1) Certain infrastructure should be off the net automatically - pipelines, water treatment plants and similar things (or online with hardware guaranteed one ways connections).
2) Standards for testing backups.
3) Standards for IoS devices (a million insecure Internet light bulbs, what could possibly go wrong).
4) Standards for not having a hundred companies auto-updating onto the systems of critical infrastructure companies.
For backups, not only do they need to have it, they need to be tested, kept offline and encrypted - this doesnt apply to all its split by revenue bands/industry/mix of other logic.
IoT devices - they get notified in Control if we find any on the internet and told to not have them directly exposed
* Do you know if there are any follow up meetings planned? Did they discuss some kind of process?
* what were the main concerns discussed?
* interesting to find out about the coalition (I was briefly involved in a similar insurance setup in my home country). Is your ‘baseline’ derived from some standard? Can I find it online?
Yes the group will continue to meet and I believe more will come out overtime as we start to better define how we as private entities can help the gov.
Ransomware and attacks on critical infra were the big ones - Joshua our CEO wrote a bit about it here https://www.coalitioninc.com/blog/coalition-meets-with-presi...
- our baseline is internal. We are with our customers end to end. From selling the policy to scanning them, notifying them and we have our own incident response team which means that we learn a lot with every claim. So when we add a vulnerability in critical state in Control you can assume it came from learnings of losses combined with our cybersecurity expertise.
I look forward to a summary report on incidents somewhere in the future ;)