back to article National Cyber Security Centre to shift UK to 'active' defence

The head of the UK’s new National Cyber Security Centre (NCSC) has detailed plans to move the UK to "active cyber-defence", to better protect government networks and improve the UK’s overall security. The strategy update by NCSC chief exec Ciaran Martin comes just weeks before the new centre is due to open next month and days …

Silver badge
WTF?

Active Defence?

DDos the class A address space, proactively...

1
1

Re: Active Defence?

Well if every nation starts to shoot back, which seems to be the way it is going, that may be the end result.

3
0
Gold badge
FAIL

"large-scale, non-sophisticated attacks"

You mean pay for the work those businesses were too stupid or too penny pinching to do themselves?

If a business is too short sited to realize it's vulnerable, or too short sighted to realize it needs to protect itself why, exactly, should anyone else do it for them?

In the same vein I think the Bank of England should not work out bail out plans for banks, they should work out bail out plans for customers and let the bank go to the wall. Anything else is basically a license to fail.

15
3
Silver badge
Childcatcher

Re: "large-scale, non-sophisticated attacks"

If a business is too short sited to realize it's vulnerable, or too short sighted to realize it needs to protect itself why, exactly, should anyone else do it for them?

While I agree with the sentiment, the practice is not particularly helpful. Allowing one business to become a malware-infested hole does no-one any good - not the hapless victim, not its customers and not anyone else on the same internet. A better approach would be for a competent outside agency to come it, clean up and then present a bill to the business in question. Alternatively, actively blocking said organization from internet access of any sort would also address the issue while going in the direction you seem to be heading. Either way should do the trick.

4
2
Silver badge

Re: "large-scale, non-sophisticated attacks"

"If a business is too short sited to realize it's vulnerable, or too short sighted to realize it needs to protect itself why, exactly, should anyone else do it for them?"

If you went into a few small business you'd probably find they had all sorts of domain-specific skills that you not only lack but are completely unaware existed. It doesn't make you short-sighted. Just as you're not omniscient, neither are they. Small businesses are, by definition, small. That means they're not big enough to be certain of having the range of knowledge and skill to realize the things you realize.

8
1
Silver badge
Devil

So kill the spam botnets

OK so subject to personal experience caveats and because killing the botnets is just so trivial...

I never had an SMTP connection from a dynamic IP that was legitimate, and those that still get through are (a) 'here is your invoice' with an attached 'active' zipped document (b) html either directly phishing or with active content pulled in from elsewhere (c) hardly any watches/pills any more.

If you don't kill the distribution it doesn't matter how good your defences are because you will be overwhelmed by sheer weight of numbers - does nobody ever learn the lessons of zombie films?

So anyway, if someone sends me a virus/trojan, does that count as an attack and can I get them extradited? I could do a script on the mail server to automate the arrest warrants...

3
0
Gold badge
Unhappy

"If you don't kill the distribution it doesn't matter how good your defences are "

Exactly.

Now if these "offensive operations" do that then those SME's some people seem so concerned about don't get to see this threat.

In the 2nd decade of the 21st century all businesses should realize that if they have an internet link anyone from some bored skiddie in Arizona to a unit of the Chinese army to a disgruntled football supporter could rock up at your virtual doorstep.

Cybercrime is like state surveillance. Once you've sunk the development costs you can use the same tools to attack as many targets as you have resources. Get £10 or £10m it's all good (to the criminal). "We're too small to bother with " is no defense because for the criminal it is no bother to hit you as well everyone else.

3
0
Gold badge
Unhappy

Re: "large-scale, non-sophisticated attacks"

"hat means they're not big enough to be certain of having the range of knowledge and skill to realize the things you realize."

That's actually not a question of knowledge.

It's a question of common sense.

The smartest thing I know is that I don't know everything. So I'd hire a company that did specialize in that area and hire them.

3
0
Silver badge

Re: "large-scale, non-sophisticated attacks"

"Alternatively, actively blocking said organization from internet access of any sort would also address the issue while going in the direction you seem to be heading. Either way should do the trick."

Usenet Death Protocol anyone?

There's a flaw in the concept of blocking any organization from internet access in that the type of organisation we are talking about will be the customer of an ISP or possibly be an ISP. Blocking such an organisation is unfair restriction on commercial activity. The government, of any political colour, usually runs away from doing something that would stop a particular business from doing business and paying taxes. The spice^W cash must flow.

1
0
Silver badge

Lawful?

"lawful and carefully governed offensive cyber capabilities"

By whose laws, ours or the laws of the country in which the site being attacked is located?

Does any country make it lawful for another country to attack its local sites?

9
0
Silver badge

Re: Lawful?

Generally there are even laws to govern wars, such as the Hague convention and the Geneva Convention(s) of Civilised Warfare.

If politicans were passably competent then we'd have a set of laws relating to the offensive use of hacking, limiting the damage caused. For instance, deliberately sabotaging equipment without injuries or fatalities being acceptable (since stuxnet shows it's been done already, and if you make that illegal they'll just do it anyway) but hacking systems to cause human harm is forbidden.

Such as you can disable a chemical plant by deliberately burning out hardware, but you can't cause a major industrial accident or explosion. Deliberately tampering with infrastructure such as traffic lights should be avoided, but failing this then if targeting shared infrastructure then they should be disabled totally, and not set them up to occasionally all show green, etc.

Frankly, most nations are going to do that anyway because the response to causing large numbers of deaths is going to result in what used to be called a punative expedition when we were brutally honest about such things, but today are rebranded as something like "limited scale military operations" in newspeak.

1
0

Re: Lawful?

A damaging attack by the NCSC on a government server where I am could conceivably earn the death penalty

0
0
Vic
Silver badge

Re: Lawful?

Without wanting to detract from your main point,

Deliberately tampering with infrastructure such as traffic lights should be avoided, but failing this then if targeting shared infrastructure then they should be disabled totally, and not set them up to occasionally all show green, etc.

Forcing traffic lights to all-green is actually just an annoyance; it's not dangerous, despite what you see in the movies. Each signal controller is fitted with a separate watchdog unit which will detect such conflicts. The watchdog is a simple device which cannot be defeated by configuration - it's basically a wired-OR function. And when it trips, it takes out the fuse to the signal group, causing all the signal heads to turn off.

Having junctions that are normally signal-controlled suddenly becoming uncontrolled isn't great for traffic management, but that's a whole lot safer than having conflicting greens...

Vic.

2
0
Silver badge

Re: Lawful?

@ Vic; Much. And it's good to know there are competent designers out there that haven't been defeated by management!

As you say thugh the general point is that if we had competent politicians then we'd have a rules for civilised digital warfare. Simply lifting Asimov's first law and replacing "robot" with "system" would suffice.

0
0
Silver badge
Mushroom

Bows and arrows against the lightning...

"lawful and carefully governed offensive cyber capabilities"

Hell, we can't even defend ourselves properly against opportunist criminals using freely available tools and exploits out there. What chance would we have against well-resourced nation states we've deliberately pissed off ?

3
0
Silver badge
Facepalm

Re: Bows and arrows against the lightning...

@Chris King - sounds like you're guilty of "disagreeing with the Government", and are therefore a terrorist.

The only hope we have is government incompetence.

So, no worries.

4
0

Re: Bows and arrows against the lightning...

A wise person once said, "Friends are made in much the same way as enemies are made, it's a concious act"

To suggest that GCHQ and the other 3 letter criminals that do the elites bidding, have not been launching proactive cyberattacks; Anybody believing this probably also believes two skyscrapers followed the path of greatest resistence and collapsed at near freefall speed, into their own footprint.

Wakey wakey people, you may have gone to a Uni, and think you're a know it all, but trust me you don't know the half of it

3
5
Silver badge

Re: Bows and arrows against the lightning...

You mean stuxnet wasn't the work of a bored teenager, and that it wasn't an isolated incident?!

Shocking.

1
0
Silver badge
Mushroom

Re: Bows and arrows against the lightning...

"GCHQ and the other 3 letter criminals"

You may want to count them letters again, bubba. GCHQ is an ETLA, not a TLA.

0
0

Re: Bows and arrows against the lightning...

"you don't know the half of it"....Indeed, I know very little about mental illness.

1
0
Silver badge

Understandably Late to the Party, Ciaran, but Bring You Anything Worthy to the Round Table

If you're not in, you cannot win win and will always be defeated by that which is differently engaging and fabulously fleet in vectors and sectors wielding relative anonymity and absolute power with virtual impunity delivering practical immunity.

Howdy doody, National Cyber Security Centre (NCSC),

Are you into Greater IntelAIgent Games Play ..... which crashes and smashes perverse elite systems and corrupt executive administrations/Dodgy SCADA Machines ....... from afar spaces and far away places? :-) ........ https://amanfrommars.blogspot.co.uk/2016/09/160916.html

Do you have master keys unlocking doors granting command and control to that and those able and enabled in that magic kingdom? Or are you in desperate need of them ..... realising there are all the future secrets National Cyber Security Centres seek to survive and prosper and crush and crash useless competition and minded opposition?

And just in case such escapes your attention, such as we explore here now is AI NEUKlearer HyperRadioProActive Weapons SystemsWare and when for and on sale, is it priceless and extremely expensive to buy and try/lend-lease and exercise.

2
1
Bronze badge
Linux

Lawful offensive cyber capabilities

What you need to do is put all internal Government systems on a private VPN run on embedded hardware providing end-to-end encryption and authentication and carried on top of the public Internet. That way you don't have to waste your time trying to proactively detect active hacking/phishing attacks.

2
1
Anonymous Coward

Re: Lawful offensive cyber capabilities

And when you need to communicate with the public, which is an important element of government work, your "brilliant" idea goes to rats. The government can't work air-gapped from the public and as soon as a gateway is provided to the rest of the world malware and cyber criminals have a way into the system.

BTW, what makes you think government doesn't already do this? this article rather suggests that they have already thought of, and implemented, running government systems encrypted over public networks.

PSN over public networks

0
0
Silver badge

A Few Words to the Wise and Forthright. Stupid is as Stupid Does.

If the UK’s newly minted National Cyber Security Centre is invented to maintain and retain and protect traditional established organisations/agencies/corporations, which one can easily accept have gone renegade rogue and self-serving, rather than servering the masses admirably and to a greater good, then will they be targeted relentlessly with information and intelligence they will be forced to suppress and try to deny all knowledge of rather than admit to accepting and ignoring. Such though will be a monumental folly which will lead to a place full of endless pain and destruction for them and their allies.

Let us hope that they be of an independent and creative mind with systems protecting administrations from the harm caused by internal rogue executive classes which have more akin to international criminal enterprises than being clearly seen to be aiding and abetting them in the many new virtual fields of profitable private pirate endeavour now floating themselves to markets out there in the ether.

0
1

Do people listen to themselves..

Do people actually listen to themselves, "Generally there are even laws to govern wars, such as the Hague convention" Which Hague is that? General or William?

What WAR? Or do you simply mean your inability to grasp that your "Computer" woes all spring from a dodgy compiler that surfaced out of a Laboratory back in 1986, about the same time that very same Laboratory dropped support for the very System in Question.

Version 7 Unix was the last official Bell-Labs version produced for academia, before research into versions 8, 9 & 10 which never left the Lab, shortly after it was abandoned by those same Lab's and they moved over to it's successor multi-level secure "System IX" whilst AT&T grabbed a hold of the now abandoned UNICE and produced "SystemV" and a certain programmer introduced the GCC compiler which was a DIALECT of C containing C++ proclaiming he was bringing Unix to the world, when in fact original research unix had already been replaced by a secure successor.

The rest as they say is history, insane filing system, dodgy compiler bugs, massive system failure, violations of privacy, inability to protect financial assets, break-ins, civil disobedience, etc, etc...

0
3

Re: Do people listen to themselves..

Don't worry I'm sure they'll get it eventually - when they go buy a trusted zone chip-set and find that the system in question works perfectly on it, does not allow brute force attacks, will not cough up it's passwords, will not communicate to any other system that doesn't speak the same protocol and just wont work in general on there Windows PC from IBM or DELL...

An to the NSA and GCHQ I'll simply say this: "Children shouldn't play with dead things!"

Eventually they're going to realise: If OpenBSD, GNU/Linux, Apple & Microsoft are awash with constant "Critical Vulnerability Exposures" then it's painfully clear, isn't it, that something somewhere is very badly broken when "System IX" developed by Bell-Labs in 1986 is "Critical Vulnerability Exposure Free!"

0
3
Bronze badge
Facepalm

Re: Do people listen to themselves..

> The rest as they say is history, insane filing system, dodgy compiler bugs, massive system failure, violations of privacy, inability to protect financial assets, break-ins, civil disobedience, etc, etc...

This is news to me, I hadn't realize all our current computer woes was down to SystemV and the GCC compiler.

3
0
Silver badge

Do people listen to anything novel or be they prey to IT and unfolding engaging narratives ‽ .

Hi, Walter Bishop,

The news, which surely should be made aware to all who might care and/or need to know, is that practically all computer woes are down to the PEBKAC vulnerability which is so easily exploited continually to the nth degree, and is an endemic systemic weakness which cannot be strengthened against abuse/misuse/SMARTR IntelAIgent System use.

1
0

Re: Do people listen to anything novel or be they prey to IT and unfolding engaging narratives ‽ .

amanfromMars;

PEBKAC vulnerabilities are easy to stop, just get rid of the browser, does System IX (Plan 9) original have a web browser? No, it doesn't... Because the programmers where totally correct to assume that Web browsers along with wallpaper are nothing but a complete distraction from the goal of having a system without bugs, oh sure they're working on things like the LSO pre-load vulnerability and things like ShellShock and working on harmonising the compiler, but at the same time you've got large corporate efforts to insert garabge like SYSTEMD and UEFI but can anyone actually tell me the point? I mean seriously, if they're already declared the BSD & Linux are dead, both in terms of idea's and goals then what is the point of flogging a dead horse continuously proclaiming that they're working on a fix! The wording and hackers add-age that "RISC is good" seem's to fall on deaf ears and we here in the UK should be proud of what we accomplished with ROOL and BASIC - a system that they're busy trying to stuff up with the GCC compiler inserted into it changing it from 16bit's protected mode to 32bits protected mode alongside Poisoned NUT!

It was all there in the leaks, funny how Windows 3.0 not 3.1 stood the test of time better than any of what came afterwards and loads of programmers spend years trying to remove Microsoft's influence over there operating system, in terms of MSDOS (FreeDOS & OpenGEM) and in one fell swoop these SCO Groupware hugging REDHAT humping Nazi's undo countless years of effort with insane dribble like UEFI & ME microcode in your CPU!

0
2
Silver badge

Powerless Spectators to the Whims and Flights of Fancy of SMARTR IntelAIgent Systems

PEBKAC vulnerabilities are easy to stop, just get rid of the browser,... ... Sysop0

Replacing browsing humans with virtual machinery to run systems differently and equitably is certainly one surefire way to eliminate the idiotic elemental component from the command and control interface/star ship bridge, Sysop0.

Do you believe such is a current work in present progress and/or already a mature application for mass multi media manipulation?

0
0
Devil

Re: Powerless Spectators to the Whims and Flights of Fancy of SMARTR IntelAIgent Systems

Oh the work is in progress and it's a wasted effort, you can read all about AI systems that search for a patch security vulnerabilities but it doesnt address the cause of the vulnerabilities in the first place.

Human error!

It was a huge mistake to use C++ and ANSI C together, heck they havent even patched the years old vulnerabilities in SQL and SQL really isnt that great but on that same note neither is XML.

When you bundle it all together, XML, Java, C & C++ and Perl & Pascal & Assembler of course your going to have problems, ever heard of the expression, too many cooks?

Heck any damn kid can code what they term as an INSERT in my hay-day I wasnt shy of coding the odd logic bomb or two, released on my own machines so I could sit there and have some LuL's but as to the question of Legality, no it's absolutely not LEGAL nor is it in compliance with standard computing practice! Because INSERT's (viruses) cause bigger security issues when they escape from your C&C command and control and start bringing down SCADA networks. The question is one of ethics!

0
2
Silver badge

Moving the Goalposts .....

The question is one of ethics! .... Sysop0

Quite so, Sysop0. We are in total agreement there.

Is it a kind and decent act to crash and burn/seek and destroy corrupted and perverting systems of remote virtual administration with super active zero day exploitation of endemic and systemic vulnerabilities with the practical command and control leverage of dumb assets via SCADA Operating Systems?

Is such AI a Heavenly Service for Hellish Operations?

0
0
Devil

Re: Moving the Goalposts .....

Well they should focus on ONE language and stick with it, instead of smashing all of them together in some universal phat ass-hat compiler would be my take, how about an operating system coded entirely in JAVA - if Sun Microsystems want's to flaunt it's JAVA to a wider audiance what about jNode OS?

An Operating System written entirely in JAVA! Of course people would flock to it, like wise with C++ and likewise with any number of operating system languages, they should stop throwing all there egg's in one basket and proclaim it as Good!

0
1

"Active cyber defence means hacking back against attackers to disrupt assaults"

Nope - that ain't it at all.

Hacking back against attackers is an entirely reactive strategy and is a total waste of resources.

Try again.

2
0

16bit 32bit & 64bit

Phryday

16 Bit's was known as REAL Mode

32 Bit's became known as Enhanced Protected Mode!

And now these guys want to use 64 bit's for there programs with no justification as to how it's better to have even more room for integer overflow in your program's memory.

64 Bit supposedly better, well that's kind of what they said about 32 bit's and look where it led and look at the state of your insecure Operating Systems that furnished them all with the luxury of 32 bit programming.

0
2
Silver badge

Backhacking

"Hacking back against attackers is an entirely reactive strategy and is a total waste of resources"

Y'reckon?

Ivan Kwiatkowski's revenge backhack wasn't a waste of resources.

Florian Lukavsky's whaling scammer takedown and the subsequent arrests wasn't a waste of resources.

The French researchers who busted Darkode and Damagelab by means of Heartbleed weren't wasting resources.

0
0
Silver badge

Re: 16bit 32bit & 64bit

Enough with the apostrophe's.

16 bits, 32 bits, 64 bits. Not Bits nor Bit and certainly not Bit's.

You're a sysop in the same sense that I'm a brain surgeon. Not at all.

1
1
Devil

Re: 16bit 32bit & 64bit

Sorry I must have missed the part where I needed an anti-virus to complete my daily work flow, paying through the nose for something you dont even really need and dont even get me started on Firewall technology maybe you stop and inspect packets on your network, I dont feel the need to on mine!

How's the brain surgery going, been labotomised lately?

Bits Bytes Packets & Punks! Next thing you know you'll be telling me about Boolean Logic!

Fish can fly and Pigs can swim!

0
1
Angel

Re: 16bit 32bit & 64bit

Oh and I've got some magazines for you: Made in America - Ones called Phrack and the other ones called 2600 although in the UK 2600 becomes 2680hrz due to our trunking being different on the phone lines.

There kind of the best most epic guide's about why Open Source is a haven of nothing but "Hackers" chip & pin, biometrics, what one person can dream up in La-La land becomes another "Hackers" fairy tail!

My god did you see that giant robot unicorn?

It's here if you missed it! https://storiesbywilliams.files.wordpress.com/2013/12/wildcat1.jpg

0
1
Devil

Re: 16bit 32bit & 64bit

Wait for phat chubby GCHQ Boss to approach biometric security scanner, apply L'Oréal Elnett Supreme Hold Hairspray 400ml and lightly dust keypad, then sit back and wait, sticky finger-print will remain and keys without dust indicate which Biometric code will open the door.

Dont sweat it over the CAC Piv' those can be cloned and in all likelyhood the polystirine ceiling tiles make for an easy access route!

Finally walk off singing "Sticky finger, the man with the golden-touch!"

0
0
Thumb Up

Re: 16bit 32bit & 64bit

The technique of Red-Boxing still works in the UK - largly thanks British Telecom..

You dial 150 operator assisted dialing for the blind - if they ask you could say it was just looking at "David Cameron" that made you go blind.

Then of course you expliain to the operator your having a problem dialing the number and ask for assistance, then when prompted play the sounds of 10p 20p or 50p dropping into the phone from your dictaphone. FREE LONG DISTANCE!

0
1
Happy

Re: 16bit 32bit & 64bit

An there we have it, the instant thumbs down, showing that someone somewhere felt getting free long distance at the expense of the Phone company and the tax payer was reprehencable, now if only they felt the same way about industrial espionage which they try to palm off as being necessary and legal, we'd all be on the same page!

0
1

Black & White

It's all there in Black & White:

Acorn C/C++ Compiler!

Their development was taken up by Acorn and subsequently taken over by Castle Technology, who later added the lacking C99 support. Castle funded further development by means of a subscription scheme. In early 2009, development and sales of the tools were transferred to RISC OS Open.

C99 is no longer the standard, the C11 version of the C programming language standard, published in 2011, replaces C99. Got to compile with "--errors --pedantic!"

There poison has dribbled out of the nut!

0
1

Compile

If your looking for a non-GNU compiler allow me to suggest Open Watcom - in the C11 criticism page it suggests it as a viable alternative to the GCC and suggests that it is far more standards compliant, heck you can use Open Watcom to compile the tiny C compiler then you can use Tiny C to compile CLANG and then you'll be wanting to look at the dodgy Kernel code with functions that are out moded out-dated and stuff that shouldnt even really be included with a Kernel but hey, they're generic - ie: they include it all including the kitchen sink!

0
1
FAIL

Lorrie Love Defence

Best defence for Lorrie Love: "It was a moment of madness, from eating all that toxic genetically modified Wheat & Rye flour imported to the UK made by the Rockerfella foundation and the rest of the Tax evading corperations of America!"

0
1
Mushroom

Re: Lorrie Love Defence

Enjoy your Digestive, Twinkie, Dohnut's or Sandwhich, it was the rockerfella solution to world hunger and it's got an aggressive extra 8 chromosomes instead of 16 and it's inside everything, so remind me how did "Steve Jobs" die? It was something rotting his inside's wasnt it? Wouldnt have been the floride in the water, that just cuts down on NHS bills for dental work and makes you more docile, so I guess it's probably in the Wheat - after all you are what you eat!

If he pleads the temporary insanity plea, he'll get time off with good behaviour although I imagine they wont let him near a calculator again and ironicly if he'd been using research unix in the first place his approach would have probably been totally different because he would have appreciated the irony that all along C++ and dodgy libraries with undue MS influence are the cause of all those vulnerabilities in the first place!

An dont count on it being just Law enforcement that knows about flaws in the design phase, within two days of owning a smart phone a 5 year old little girl was the one who showed me how to bypass the Pin screen with a factory reset, proclaiming "this is my phone now!"

0
1
Unhappy

Have you?

Have you ever tried to recover a £500.00 touch device from a 5 year old child that wont give it back because it's shiny and plays candy crush saga? Mission impossible!

0
1
Facepalm

Young Lady

Me "Young Lady, thats mine and I need it, its got all my contacts and personal photo's on there..."

Child *TAP* *TAP* *TAP* *TAP* "Not anymore!"

Me "Now listen here madam, you will give me that phone!"

Child "I'll do you!"

Me "Excuse me, what did you just say to me?"

Child "It's mine and your not having it, if you try I'll scream and tell someone you touched me wrong!"

Charming youth of today!

0
2
Holmes

Google

As google is so big on social profiling and experiments it should really try it some time, just hand out loads of google glass and pixel notebooks to a load of under privledged kids from some rough area and then see how many of them give it back willingly without a fuss.

In hacker lingo the expression is !pwned hard", by a 5 year old!

0
2
IT Angle

Aversion

The UK and US government has a deep aversion to using Open Source anything, every single computer owned and operated by the Government in the UK & the US is Microsoft Windows FE (Front End) so when you take into account that Open Office does exactly the same as Microsoft Office, you really have to examine there deep aversion to using Open Source and Open Standards. The french are not so stupid, all there Police are running Linux because they love it along with most of the German population who embrace anything that the estabilshment tells them is "Verbotn!" like Ubuntu!

What & Where is the deep seated aversion to using Open Source and Open Standards coming from?

Oh Microsoft, that your department funds with Capital every fucking YEAR whilst they sell you something thats shit and below performance average!

0
1

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017