Cybersecurity Final Exam

Wed Jun 12 08:08:53 UTC 2002

On Tue, Jun 11, 2002 at 09:47:55AM -0400, Sean Donelan wrote:
> 
> If these questions are answered incorrectly, it could impact your
> operations.

<rant>

your operations will be impacted regardless of how the questions are
answered. that's how the government works.
doubly so if you s/denail of service/cyber-terrorism/
good to see that it's only taken 10 years since the end of the cold war to
find a new GREAT EVIL(tm) to use as the excuse for the continued erosion of
our rights and civil liberties, and provide for the continued expansion of
a government already hindered by its own bloated bureaucracy.

> 53 Questions for Developing the National Strategy to Secure Cyberspace

they can't count. but that's ok, so long as their self-esteem is intact.

> http://www.whitehouse.gov/pcipb/53ques.html

i'll hope the fact that nobody has responded to this publicly is not an
idication that the questions are rhetorical. the fact that they're being
asked by the government would tell me that someone thinks they already have
the answers, they just need someone to tell them they're the right answers.

as part of my patriotic duty, i'll provide answers to these questions
for no charge. :-)

> 1.2. Assistance: What can be done to make it easier for home users and
> small businesses to safe guard their systems? Should internet service
> providers (ISPs) perform more of the cybersecurity functions for the home
> user and small business?

that's 2 questions. the gummint wants to regulate your internet, and they
can't even count. be VERY afraid.

judging from the number of companies pushing their security software/services
on the internet these days, i'm hard pressed to believe that it is
impossibly difficult for the home user and/or small businesses to
safeguard their systems. but if we must make it easier, i'll gladly go
door-to-door with a baseball bat and break the kneecaps of anyone who
doesn't buy at least a personal firewall and anti-virus software.

i'm a firm believer in the "you must be this tall to ride this ride"
philosophy. providers, afaik, are already offering thse services
to people who feel their data is worth paying to protect.

> 1.3. Disclosure: What disclosure of risk should ISPs, software vendors,
> and hardware vendors make to home users and small businesses?

use of this equipment/software/service may be hazardous to your health
and possibly cause serious injury or death. we're not liable for these
or any lesser inconveniences. prolonged use may cause vision problems,
repetitive motion injury, and extreme cynicism. caveat emptor.

one of the few things i still like about the internet is the lack of
government mandated bullshit designed to protect me from myself and
little script-kiddies. as soon as i see a government mandated warning label
on my copy of free *nix, i'm throwing the computers out on the curb and
going into a more respectable line of work like drug-dealing.

> 3.A.5. Connecting Critical Functions to the Internet: How should we best
> address the security risks arising from critical Federal functions being
> performed on networks that have routers and other systems vulnerable to
> denial of service and other cyber attacks from the internet?

don't connect critical federal functions to networks with routers and other
systems vulnerable to denial of service and other cyber attacks from the
internet. i'm fully willing to believe that the government is *that*
stupid. when designing critical services, it is necessary to assess the
risk of failure. when connecting to the internet, one can safely say that
the risk is significantly greater than 0, but not precisely defined.
therefore, the decision should be whether the function is too critical
to put at the risk of relying on the internet, not how do we deal with
having made the poor choice to put the most critical functions of the
government in harms way.

> 3.B.6. Connecting Critical Functions to the Internet: Are there sectors
> that perform critical functions which could achieve greater security and
> reliability by operating networks unconnected to the internet and other
> public switch, open systems?

duh! put granny's life-support system on the public internet, i dare you!
hopefully that question cost the taxpayers less than the others.

> 4.3. Securing the Mechanics of the Internet: Can the traffic control
> systems of the internet (Domain Name Servers, Border Gateway Protocols) be
> made more secure? Can routers be made more secure by separating control
> functions from the general traffic channel? How can major denial of
> service attacks be mitigated? What problems arise in deploying more secure
> systems, how should they be overcome, and how should such improvements be
> funded?

ugh, 6 questions...brought to us by the same people who proudly proclaim that
they've cut the budget when they're only spending $100B more than last year.

1. yes, probably, but do they need to be?
2. probably not. out-of-band control functions would require making a secure
   out-of-band channel to function. if we can't do it in-band, we probably
   can't do it much better out-of-band. moving the front door to the back
   of the house doesn't stop people from going in and out.
3. major denial of service attacks can be mitigated by fixing the cause
   proactively. spoofed-source is EVIL.
4. a. security is always a trade off with convenience, they are inversely
      proportional. security = 1/convenience
   b. the question should be "do they need to be overcome?". at some point,
      a clueful person will need to stand up and say "these critical systems
      over here need to be secure at all costs, and convenience be damned.
      the convenience features on the other side of the room need to be user
      friendly, with the understanding that they may fail now and then".
   c. they should not be funded with my tax dollars. this includes "fees"
      charged by government agencies. i'm quite sick of subsidizing everything
      from citrus farming to section 8 crack-houses.

bonus question:

how much do you have to pay in taxes every year before you take government
stupidity as a personal insult?

-- 
Sam Thomas
Geek Mercenary
the average i.q. is 100, that's 75 when adjusted for inflation.