The Code War Arms Race 74
pacopico writes "A story in Bloomberg Businessweek gives the first in-depth look at a wave of new start-ups selling cyber weaponry. The story describes this as the evolution of the defense industry in response to a wave of brazen attacks against Google, the Pentagon, the IMF and thousands of companies. It's pretty scary stuff, especially considering that these new weapons are not regulated at all."
Cyber Weaponry? (Score:2, Insightful)
Really? Good god, slashdot.
Re:The difference (Score:5, Insightful)
Find me a US general with just one of those traits.
Arnold (before he turned traitor at the behest of his Tory girlfriend)
Lee (before he fought for the Confederates - see also the Mexican-American War)
Sherman
Grant
Roosevelt (Theodore, not Franklin)
Pershing
Patton
Bradley
Eisenhower
MacArthur
Long story short, well... your point doesn't stand.
Re:The difference (Score:5, Insightful)
The general may or may not be capable of thinking outside the box - but I guarantee that he has troops who are capable. I was Navy, rather than Army. We spent a lot of time thinking, inside, outside, under and over the box. Of six commanding officers, one was a VERY imaginative person, two more were only slightly less imaginative, and the others were more or less average in that respect. Box thinkers, but capable of following a train of thought that left the boxy station.
Clue - military people are like civilians, in that everyone is an individual. You can't summarize how military people think - especially if you're not even a military person.
Re:What could and what will happen (Score:4, Insightful)
I disagree. I trust the users to make intelligent use of the computers they have accounts on. On the other hand, I don't trust programs, nobody should.
When a program is run, the only limits on its actions are set by the security settings of the system with respect to the account that launched it. These permissions are usually assigned by an administrator, and out of the users control. Default permissive environments are the root cause of our current lack of security. A program gone rogue can do as much damage as a malicious user on their worst day, in the blink of the eye, without even showing any symptoms of trouble.
The user, and the scanning tools are scapegoats here. Sure, some users make mistakes, and do stupid things, but it is impossible to determine if a non-trivial program can be trusted. Blaming users for failing at an impossible task is foolish, at best. Tools are just tools, to try to help increase transparency in terms of known vulnerabilities.
The solution is a default deny environment for programs, in which the user gets to decide which, if any, of their resources are given to a particular instance of a program. If it's not in the list, the program doesn't get it, and doesn't even know about it. This lets the user decide what they want to work with, and strongly limits the side effects of a program gone rogue.
It's not a very hard thing to conceptualize, nor to plan out. The hard thing is the massive amount of investment in our current code base, and mind-set, which need a subtle tweak, and some clever hacks.
There are positive signs, but I fear it will be another 10-20 years or more before a system which is default deny becomes the more popular choice. That's a lot of time and effort thrown away, that could be better utilized.