Richard Clarke, the man who served President Bush as a special adviser for cyber security, has a five-point plan for saving the internet. Speaking at a Santa Clara University conference dedicated to "trust online," Clarke called the net "a place of chaos in many ways, a place of crime in many ways," but laid out several means …
Imagination is a wonderful thing
"What if we had a champion in the government who we trusted on privacy rights and civil liberties? What if we had a government advocate with real power to ensure that the government doesn't violate privacy rights."
What if we had a fairy to grant all our wishes? What if pigs could fly? What if this guy actually believes what he's saying?
Send round the men in white coats
Required Equipment :-
1) A strait-jacket
2) A permanent detention order in the nearest asylum
he's clearly barking MAD.
How does a biometric id help on the net?
How does a *biometric* id card help prove identity on the internet?
A biometric card contains information in it that can be used to verify biometric data. As such and presuming it works, it would be useful to physically verify the owner of the card at a bank, store, etc.
However on the internet, a web site has no biometric scanners. Sure they could obtain biometrics remotely via a scanner owned by the user, however this can be forged or subject to man-in-the-middle attacks.
A major problem with biometrics is once a user's biometric fingerprints are leaked, they can NEVER be re-secured. Short of bodily alterations, the user has permanently lost his identity. At least a password or other credentials are less painful to update.
Where he lost all credibility to me..
He's talking about the future of the net, something really only geeks are going to pay attention to, but who does he keep name dropping?
If he wanted to remain credible, he should name drop someone who didn't overlook the net, and tried to deny its existence until it was almost too late.
Besides, name any major geek that gives Bill Gates any kind of credibility these days anyway.
Vint Cerf was right, long before the rest of us were.
Cerf has it right
Tell Vint I'll buy the ammunition. :-)
It's scary, to imagine how people so thoroughly unaware of how the Internet works--what it even is, really--might actually manage to get some of these notions implemented.
Why should the power grid be connected to the Internet?
As far as I'm aware, it isn't - except through corporate VPNs, and even those are questionable.
I wonder if the sky is blue in his world?
"the man who served President Bush as a special adviser" - nuff said :-/
I am not sure that the idea of the US Government regulating the 'internet' is anything more than 'oh so last century'. Though forcing ISPs to crack down on bot-compromised PCs sounds like a pretty useful idea.
"One thing you could do with a biometric ID card - if you wanted to - is prove your identity online," - well, 'prove' the identity of your biometric ID, at any rate. We are ASSUMING such a system is infallible, and that is laughably naive. Pass the Kool-Aid, please.
"What if we had a champion in the government who we trusted on privacy rights and civil liberties?" - I imagine the US Government would pay it lip service or ignore it to suit itself just as they (and most other countries' govts.) have for every other such organisation in any sector.
"Number four: A secure software standard." I assume such a "Microsoft Championed" standard would prohibit open access to source code as Explorer and Outlook have SO proved the Security Through Obscurity model. Forcing the internet to IIS wholly would be GREAT for security ;-) Especially after patching has been deemed unnecessary any more.
"Clarke's fifth and final idea is a less than open internet." He seems to have described a set of intranets in critical positions being properly firewalled and VPNed. REVOLUTIONARY!!!
Sounds like another 'expert adviser' who is only expert at giving advice, not actually knowing with any useful depth the topic being advised on.
Re: Why should the power grid be connected to the Internet?
Possibly he is getting confused about IP-over-power-line ;-P
"because of certain shibboleths"
Holy CRAP! Teh Internets is infected by Great Old Ones! No wonder them Good Ole Boys want to nuke it from orbit.
Did this guy really say "shibboleths"? In a serious speech? Was he actually trying to scare people with Lovecraftian horror? Or am I missing some vital bit of I.T. fact and a 'shibboleth' is some kind of router?
If there's one thing politicians and their advisors have in common, it's a distinctive separation of fervor between idealism and personal responsibility for implementation. How much do seated paper-pushers really know about the degree of exertion in the ranks? Not much, but I'll keep mum and let the reader ponder why.
As of today, there are roughly 700 million connected computers on this planet. Yes, there are tracking cookies and other forms of privacy "evasion" everywhere, but only so much information is covered here. Now, we're talking about actually monitoring everything everyone does on the Internet. That kind of information could fill the Library of Congress several times a day, and that's just with the number of machines that are connected now.
For the sake of information access, which I am not against in the least, organizations are starting to make WiFi-ready laptops available for less than what a barebones tower sold for a few years ago. If the OLPC takes flight in, say, China and India, that 700 million figure will mushroom. And to monitor every single packet that traverses every ISP's bandwidth would call for more manpower than revenue can pay for.
Furthermore, this security "czar" seems to be putting a lot of focus on perimeter security, a concept that has long since proven less than adequate to protect networks. As long as new novices are added to the connected community, with little to no prior knowledge of Internet security and hacking, every network is still vulnerable from the inside.
What is the solution, then? I'd say our first priority should be to focus on a way to cut botnets down to size. If enough of these millions of existing Web surfers are educated on how to root out infections, and prevent them from recurring, they could pass this information on to new users, and take a sizable chunk out of the processing power at every bot master's disposal.
Until Symantec has had plenty of time to refine and dispense its new concept of protocol whitelisting, and other security vendors follow suit (and new users are made aware of the need to install and upkeep this stuff), here's a way to lock down the major attack surfaces of a Windows (XP or 2000) PC and prevent malware from launching: http://invincible-windows.blogspot.com/
Hope this helps!
That’s the funniest thing I've read in ages.
A closed internet? Don't you just pull your internet connection and you get a closed network? The only reason they're hooked up to the internet is it costs less to make a VPN than to spend money building a real network lol
None of his points are valid
If you're going to spout off at the mouth, make sure that at least one of your five ideas is valid. None of his are.
1. Biometric IDs are meaningless on the internet. There is no way for a website to know who is connecting. And with man-in-the-middle, session-hijacking, etc., information is easily copied/spoofed. But I'll go one step further and say that biometric IDs are meaningless in real life, too. A biometric ID will AT MOST allow someone to verify that your biometrics match those on the card. There is literally nothing saying that the data on the card proves your identity. We literally have no identities. All identity is assumed on the basis of trust. You believe that I'm "Chris" because I'm telling you that's who I am. It may or may not be true. Every single type of identifying document can be falsified. Given that, there is no way to prove your identity.
2. U.S. Government oversight of the internet. Because that's what the rest of the world is calling for, right? Ignore the fact that various countries are ready to rip the internet apart because the U.S. government refuses to let go of the reins. Let's add more U.S. government regulation, because that's corrected all problems in all other industries. Assuming such regulation could be legally obtained, how would he propose to enforce such regulations in other countries? Some countries, for example the U.K. and Australia, will bend over for the U.S., but many others won't be so cooperative.
3. Non-partisan organization dedicated to fighting abuses of government power. We (used to) have that. It's called "checks and balances"; it's the reason the government is split into three branches. But ignoring that, there will never be any such organization. Most politicians only care about obtaining and maintaining power. To change that would require a wholesale replacement of virtually all politicians at once, and that's assuming you could find honest, non-power-hungry people to fill all the roles. Ignoring that, Democrats and Republicans almost never agree on anything, simply out of principle. The only way to have a non-partisan organization on anything is to eliminate the political party system. Even if such an organization was achieved, how can you "fight abuses of government power" when said abuses are enacted by the President, who has been given unlimited power? He would simply render the organization irrelevant (much like he did with the U.N. when this Iraq war started).
4. A secure software standard. Is this guy such an idiot that he thinks software will *EVER* be secure enough to never need patches? Newsflash: most authors do want secure software. But there are inevitably bugs, no matter how much testing a piece of software goes through. "Securing" electric devices is (over-simplified, I'm sure) easy -- design the circuitry with fuses or circuit breakers to prevent dangerous over-voltage/over-amperage, and make sure hot/neutral never touch ground. Securing software which can have a virtually infinite number of factors and inputs is exponentially complex.
5. A closed internet. Let's ask the Chinese people how well that's working for them. As for the power grid being connected to the internet, it shouldn't be directly connected, it should have a capable firewall in between it. I cannot think of any reason why the power grid needs to be publicly-accessible via the internet. So you have a firewall block incoming traffic (and, possibly, set up a VPN WAN). Newsflash: virtually all computers that connect to any telecoms company are connected to the internet, whether they know it or not. The telecoms will then route the traffic accordingly, whether it's between two VPN endpoints, a point-to-point WAN, or connecting a customer to the internet. All of that traffic goes over the same routers and networks -- the internet. It doesn't mean that all endpoints need to be publicly accessible.
I do have to admit, though, I loved his thought of "Why shouldn't there be a closed internet? There are already relatively closed internets - and now we need to think seriously about expanding them." So you want to EXPAND a CLOSED internet. Wouldn't that make it more, oh, what's the word, OPEN? Using that logic, you could view "the internet" as a really big highly-expanded closed internet.
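An added illustration of the replay and revocation points raised in point 1 of this comment and in the earlier "How does a biometric id help on the net?" comment. This is example code written for this page, not anything produced by Clarke or by the commenters. The fingerprint template, the card key and both servers are constructed stand-ins; no real scanner or smart card is involved, and the "card" here is modelled only as a holder of a secret key, which is an assumption about how such a card would be used.

```python
"""Replay and revocation properties of credentials sent over a network.

Added example, not code from the original thread. Everything below is
constructed for the demo. The point it makes: a biometric sample that
travels over the wire is a static secret, so anyone who captures it can
replay it, and unlike a password it cannot be replaced after a leak. A
challenge-response with a key held on the card does resist replay, but
it only proves the card is present, not who is holding it.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed fingerprint "template". A real one is a minutiae vector; the
# property that matters here is that it is fixed for the user's lifetime.
ALICE_FINGER = b"constructed-minutiae-template-for-alice"


class StaticSecretServer:
    """Verifies a presented secret against a salted hash of the enrolled one.

    Used for both the password and the remote-biometric case: over the
    wire, a transmitted fingerprint sample is just another static secret.
    """

    def __init__(self, secret: bytes):
        self.enroll(secret)

    def enroll(self, secret: bytes) -> None:
        self.salt = os.urandom(16)
        self.digest = hashlib.sha256(self.salt + secret).digest()

    def verify(self, presented: bytes) -> bool:
        candidate = hashlib.sha256(self.salt + presented).digest()
        return hmac.compare_digest(candidate, self.digest)


def replay_after_rotation(enrolled: bytes, replacement: Optional[bytes]) -> bool:
    """An attacker in the middle captures one login, the user then rotates
    the credential if a replacement exists, and the attacker replays the
    capture. Returns True if the replay still works."""
    server = StaticSecretServer(enrolled)
    captured = enrolled                       # the bytes seen on the wire
    assert server.verify(captured)            # the legitimate login succeeds
    server.enroll(replacement if replacement is not None else enrolled)
    return server.verify(captured)


def password_replay_after_rotation() -> bool:
    # Password leaked, user picks a new one: the old capture is dead.
    return replay_after_rotation(b"correct horse battery staple",
                                 b"new-password-after-breach")


def biometric_replay_after_rotation() -> bool:
    # Fingerprint leaked. There is no replacement fingerprint, so re-enrolment
    # can only re-hash the same template and the capture keeps working.
    return replay_after_rotation(ALICE_FINGER, None)


class CardChallengeServer:
    """Proves possession of a card-held key via a nonce-bound HMAC.

    The key never crosses the wire, so a captured response is bound to the
    nonce it answered and cannot be replayed against a fresh nonce.
    """

    def __init__(self, card_key: bytes):
        self.card_key = card_key              # shared at enrolment (constructed)

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, nonce: bytes, response: bytes) -> bool:
        expected = hmac.new(self.card_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def card_answer(card_key: bytes, nonce: bytes) -> bytes:
    """What the card computes; on a real card the key is not exportable."""
    return hmac.new(card_key, nonce, hashlib.sha256).digest()


def card_replay() -> bool:
    """Capture one challenge/response pair, then replay the response to a
    fresh challenge. Returns True if the replay succeeds (it should not)."""
    key = os.urandom(32)
    server = CardChallengeServer(key)
    n1 = server.challenge()
    r1 = card_answer(key, n1)
    assert server.verify(n1, r1)              # legitimate exchange
    n2 = server.challenge()
    return server.verify(n2, r1)              # attacker replays r1


if __name__ == "__main__":
    print("password replay works after rotation:", password_replay_after_rotation())
    print("biometric replay works after 're-enrolment':", biometric_replay_after_rotation())
    print("card response replay works against new nonce:", card_replay())
```

The card case is the only one that resists replay, and it does so because the secret is a key that can be revoked and reissued, not because anything biometric was involved; the biometric check, if any, happens between the user and the card and the web site never sees it.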
There's security and there's security...
Moral of this story is to stick to what you know, or risk appearing foolish.
I've seen Richard Clarke interviewed and I've read transcripts of a number of talks he's given on his actual area of expertise, counter-terrorism, and the guy's no dummy. However, his having once had subordinates who'd use teh intarwebz to track terrorist activity does not make him an authority on the nuts and bolts of data security that he's commenting on here. Pity he didn't acknowledge that in himself... although, the man gotta eat, I suppose... if someone came up and went, "Here, come deliver a lecture on Mesopotamian mythology and we'll give you $20 G's," what's my response going to be except, "Hell, yeah."
Clark gets IT, the internet is now in production, testers please go elsewhere
It is interesting to read many of those people who attack major software vendors for distributing insecure code attacking the idea of forcing major software vendors to secure their code. Interesting and absurd!
They want to say that MS should not be using the internet as a test bed for its insecure operating systems, and at the same time want to say that there should be no requirements for security on the internet.
Citizens, governments, academia, and businesses are using the internet for production applications, including critical applications -- applications people's finances depend on, and applications people's lives depend on.
We should not be doing this on a network that other people are simultaneously using as a test bed, or a hunting ground in which to victimize innocents. Testers need to build their own little test networks in their labs.
Whether securing the citizen's, commercial, academic and government production network communications means tightening up the internet, or whether it means moving production traffic onto another network, I don't know.
It is clear that if those who use the internet for production purposes leave it, the internet will collapse because the hobbyists and hackers aren't going to pay to support the infrastructure, and serious experimenters would rather use their own lab networks.
We will have new 'closed networks'
Well actually I believe in the future we will have new 'closed networks', but probably exactly the opposite of what Clarke proposed.
People will build their own networks which are free of regulation from the government or companies, the latter being the more serious threat to the internet at the moment. People _will_ build tunnels through the internet and build meshed wireless networks simply because in the future this will be the only way to have anonymity.
Meshed wireless networks will provide access to areas where companies just don't think it would be worth it. Those networks, being in the hands of the participants, also would cost precisely the amount of money they actually cost. No artificial monthly or usage based fees, just the bare technical cost. And obviously, nobody in the network would have an incentive to lock out a competitor.
So wait some time and we will have closed networks, but not in the way he proposes.
Mr. President - lock down this series of tubes!!!
@secure software standard
First, plug all of your systems in at once. Then go to the circuit breaker, and flip the circuit switch rapidly a good 30 times.
Afterwards, drop the systems off of the roof, then they'll be *very* secure.
Also, Microsoft should not be used in the same sentence as secure, or as in the same sentence as standard. Both of those words at once referring to M$ may possibly cause damage to the fabric of reality.
"in the government who we trusted"
Isn't that an oxymoron?
Bollocks, I must have got the April Fool's version of the source code checking memo.... I thought we were all _putting_ holes in our code and purposefully making mistakes, I especially didn't think of the idea of checking the stuff after writing it..
Fact or Fiction .......Spot the Difference?
"Clarke said. "Why should the part of the internet that's connected to the power grid be open? Why should that part of the internet that runs nuclear laboratories be open? Why shouldn't there be a closed internet? There are already relatively closed internets - and now we need to think seriously about expanding them."
Mr Clarke will discover that Web 2.0 is Command and Web 3.0 is Control and Web 4.0 is Command and Control.
The Internet is not something you can compartmentalise to keep Inconvenient Truths from surfacing. IT is a Space into which SMARTer Processing of Information into IntelAIgents from dDeeper and Higher More Advanced Control Webs Inject/Feed for Media Production and Playing as the New Reality Policy dDelivered Virtually by Real SMART Boffins and CyberIntelAIgents into AIReSearch and Development.
Real Spooky? .....http://www.bbc.co.uk/spooks/ ...... MI6, way ahead in the AI Game, do you think? Pioneering ARGonauts on Virtualised Quests?
Well, at least now we know that if it is not, it can be.
And that Technology is ....... well, Priceless Really, but Easily Told in Private and Personal Confidential Consultation. ITs Proxy Application with Mentored and Monitored Support InfraStructure can be purchased though..... with Investment Interest Paying for the Driver Programming.
Which is really Capitalism putting ITs House in Order with Resting Investor Funds, Generating from the Banking System, a Credited Virtual Wealth for Future Star Turns/Performers/Entrepreneurs to deliver on their Word.....and ITs Promise.
Who loses what in that scenario, and is it anything worth having if it can be delivered by everyone else/anyone else?
Close the Internet?
How exactly does he plan to "close" the internet? From where I'm watching the Internet seems to be wide open, not just to anyone who cares to get on it but also to anyone who cares to expand it or add new structure to it.
It's not like the institutions he listed can't remove themselves from the Internet and join/start some other private packet-switched network. If they aren't happy with encrypted tunnels over the net why don't they fund their own copper/fibre/whatever links to all the other worldwide sites they want to talk to?
Oh, that's right, because it's prohibitively expensive and a pain in the ass to administer all that gear yourselves, I remember now...
Software monopoly is the no1 threat to computer security
How well would problems caused by design flaws go down in the media and with consumers if we had a healthy market with at least 3 or 4 equal size competitors?
Re: Why should the power grid be connected to the Internet?
Because otherwise your computer won't switch on when you press the power button. It's the first thing the tech support guy told me, and, you've got to plug the monitor in as well. This feller Clarke is a complete fool, he doesn't know the first thing about computers!!
Re: Internet Shibboleth
...needs to assemble his firing squad again...
1 a : a word or saying used by adherents of a party, sect, or belief and usually regarded by others as empty of real meaning
But I must admit I liked your Lovecraft take on it but it's from some ancient Hebrew dude.
"What if we had a champion in the government who we trusted on privacy rights and civil liberties? What if we had a government advocate with real power to ensure that the government doesn't violate privacy rights."
*Clarke points to self and clears throat repeatedly*
Actually a Shibboleth is a sort of "Sacred Cow" with knobs on. A concept.
You're thinking of a Shuggoth.
This is the only reasonable point he makes, and it is not completely impossible (just hard).
Few of the languages used for Internet applications (least of all C) have any kind of security guarantee. Java has a bit of it through bytecode verification and sandboxing, but the languages used to implement bytecode execution/translation do not. And if the flaws are in your browser (typically written in C), it doesn't help much if your bytecode is secure -- you've lost even before you get to run the bytecode.
While security can never be 100% tight -- there is still the human factor to consider -- it can be _a_lot_ better than it is now. Write your programs in languages that can't have buffer overflows and which are amenable to analysis, use proof-carrying code, enforce sandboxing, etc. There are a lot of known techniques that would make things so much better, so you don't really have to invent anything new, just decide to use what is already there.
Sorry, I have just got into trouble for laughing so much in the office after reading that article and it's comments.
Firstly, the guy lost all credibility as soon as I heard he was, basically, promoting Microsoft and talking about internet security at the same time. I don't mean to p!55 off any MS-lovers out there, but if you have, say, two networks, one using a MS server as its firewall to the net, one using a Linux box, which one would you be able to break through first?
2nd, I have seen the UK's National Grid computers. They are not connected to the internet (except maybe in the limited way of using VPNs between sites, I didn't get THAT close, I was only a contractor). They are not even connected to the corporate PC network. If the good ol' US of A does it differently, they are even more STUPID than I have always believed (read what you will into that comment :)
Biometric security, hmmm... Something that relates your biometrics, as in things about your body, to a specific identity. Ermm... haven't we had these for many years? In the form of ID cards with photos on them? Just because we use some new technology doesn't mean you won't be able to get fake IDs any more. Fake passports have been available for many, many years. All biometrics do is prove that, assuming said identity is real, you match it.
Right, I had better get back to work now, my boss is giving me dirty looks. Too bad I don't have a tape safe... Or a cattle prod, roll of carpet, shovel and lime.
It's a commonly used word derived from Hebrew referring to the colloquialisms used by a certain group.
Just a little bit behind the times, here, aren't we?
What if America ruled the world? On the other hand, what if the US was told to pay off its trade deficit?
Actually, what about creating a closed internet? Maybe Microsoft could get involved - or AOL. I seem to remember in the muddy depths of time AOL had a subscription-based system. I'm pretty sure these days it's only morons, cretins, grandparents, moronic cretins, cretinous grandparents, moronic grandparents and moronic cretinous grandparents that use it, occasionally.
Does a closed internet still seem like a good idea?
Actually, "shibboleth" was a password used by the Israelites in the Old Testament, because their enemies couldn't pronounce it; interestingly, the idea was updated in WWII by the Parachute Regiment, who adopted the phrase "Whoa Mohammed" after realising that their German opponents had trouble pronouncing a W as anything other than a V.
I think Chris has said pretty much all that needs to be said in response to Clarke's idiocy.
If you (or the author) had bothered to look into the guy's history, you'd see he had the same job under Bush as he did with Clinton, and that he was the only member of the executive branch on 9/11 who has apologized to the families of the victims for the failures of the government.
Yes, he seems to have zany ideas here, but that doesn't mean he's a Republican shill. The right-wingers in the US treated him like a pariah after his testimony about the Bush administration's blind eye to the threat of Osama.
I watched Richard Clarke deliver his (excellent though slightly fanciful in my opinion) keynote at Blackhat a couple of months ago and it saddens me to see him now make a fool of himself in this way. He's definitely outside his area of expertise now.
Excellent analysis :-)
Too big an installed base
It's too late now to re-architect the internet in the ways this guy would like - there's just too big an installed base of the current protocols around the world for it to happen - that's why we'll still be using IPv4 for the foreseeable future, along with SMTP email and all the other protocols that could do with an overhaul but won't be.
Yes, I'm sure in certain closed and semi-closed environments, such as IPv6 academic networks, corporations, the military etc, where you can enforce protocol upgrades, some of these things may happen, but it won't happen to the wider public internet.
And even if he did get something like what he wants, I can see work-arounds appearing. Why do we have HTTP based web services? Because network admins are picky about which ports they'll open, but have little choice but to open port 80 et al.
NeXXXXt Generation Services ....... Al Fresco Base
"The only reason they're hooked up to the internet is costs less to make a VPN than a spend money building a real network lol" ..... Damien Jorgensen
And a VPN costs nothing but Interest to Set Up to Deliver Capital and Capitulation.... Who Dares Win Wins Territory Ably Administering Merciful Justice and ITs Reward.
Sp00ky Stuff...... which Patrols Controls in the Virtual Domain of the CyberSpace Created .....with Thoughts Shared and InterNetworking Together, Boldly Going Magical Mystery Turing, courtesy of CyberIntelAIgent Services and Specialist Applications Programming?
Could be/Can be/Is? :-)
Do you think British IntelAIgents are Responsible for/Liable to/Worthy of Costs for any such Virtual Machine Invention Permitting Virtually Real Interactive Play.... Control Games at A.N.Other QuITe Alien Level Playing Field?
Which pretty much tells y'all that IT is. ..... or should be? :-) Dealers Choice that one..... although the Game is always basically the Same as in Poker's Variations on a Theme..... which always relies on the Banks Winning for Winning Winnings/StakeMoney.
AIRinger for Love of Her Game? Or the Real Thing with hands to ITs Engine?
Whose Call or Raise is IT? Future IDeal or Present Imperfect?
re: Moral of this story is to stick to what you know, or risk appearing foolish.
Tis better to keep your mouth shut and be thought a fool than open it and remove all doubt.
Sometimes I have to remind myself of that... :)
Anyway there's not much to add, though I expect a lot will. The man speaks of things that he has only a passing knowledge of and speaks with the gravitas and authority of assumed knowledge. In other words he's the perfect politician. Par for the course really.
Can I come and watch?
I'm against the death penalty for being stupid, but I think this guy is happily trying to plug MS for profit - so that's malice, not stupidity.
Having said that, I'd suggest a public venue and the sale of paintball guns, for 24 hours or so. All he's allowed is a face mask - he's got his hands for the rest. That's much better because you can repeat this anytime he speaks again - could work for a lot of politicians as well, come to think of it.
[Sorry, political stooges always irritate me]
BTW, there IS a segregated section of the Net for people like that. Give them 127.0.0.1 to play with. It'll be enough to induce Repetitive Stain Injury (no, that 'r' is deliberately missing).
It seems someone mistook Shoggoth for Shiboleth, by accident or design. :-)
Biometric IDs are easy to defeat even in person, much less online
"One thing you could do with a biometric ID card - if you wanted to - is prove your identity online," he said, as if taunting his critics.
There is a very interesting Mythbusters episode addressing this in which very simple techniques were used to trick biometric ID systems like fingerprint scanners. Summary here:
What a tosser
...that Clarke is.
I thought I'd just get that one in before I was biometrificated (did Bush call it that?) and had my post deleted before I'd even hit the submit key only to be disturbed by three suits (NSA, CIA, FBI) all with shades holding out a nice orange boiler suit for me.
And with BillG backing the conference; he's obviously finding it tough to sustain the trustworthy computing initiative: I suppose if he closed the internet he could pocket the money he's spending on decent(er) coding!
Software without bugs!!!
...From Microsoft !!!!!
Spoken by a man who has clearly never written a line of code in his life
"2nd, I have seen the UK's National Grid computers. They are not connected to the internet (except maybe in the limited way of using VPNs between sites, I didn't get THAT close, I was only a contractor). They are not even connected to the corporate PC network."
That was a Priceless ForeSight for Virgin CodeXXXX.