(http://www.veracode.com/blog/wp-content/uploads/2012/08/stuxnet-infograpic.png)
You cannot avoid this war. You're on a computer, so you're a target. And deleting all your online information and chucking away your computers will not save you, neo-Luddites. Every company you do business with has digital databases, which can be accessed online. The government keeps digital records about you, also accessed online. The power stations and infrastructure you rely on...all comes back to computers.
You, your data, your money or your perceptions of the world are potential cogs in a fast growing and potentially vast cyberwarfare machine which is helping lay down the conditions for a multipolar (http://en.wikipedia.org/wiki/Polarity_%28international_relations%29#Multipolarity) Cold War.
Cyberwarfare isn't so bad now, but it has the potential to be. Let's take something simple, like the power going out. I'm sure our American posters remember when the power went down in the aftermath of the 2012 summer storms, in Maryland, West Virginia and Washington DC, leaving hundreds of thousands without power. When the power goes out, things get hairy. Not straight away, but give it a couple of weeks, maybe even a month....You see where this is going?
Cyberwarfare's penchant for collateral damage is also worth noting. Just look how many computers were infected by Stunext, above. And that was a so-called "surgical" strike (much like the Predator drones in Pakistan and Yemen...). And then there is the fact that anything you put out there, once it is found can likely be reverse-engineered, altered and then aimed right back at the state, or hacker group, or criminal gang that originated it. And it's already happening. Decrypted Stunext files were on HBGary computers that were hacked by Anonymous. The true source code wasn't released, but there is enough there for a smart group of people to rewrite it to suit their own purposes.
Cyberwarfare, like the covert actions and intelligence operations of the Cold War, wont be restricted to cyber-world effects. Let's say one wanted to "help" an election go in a certain direction....out of a love of democracy and the irresponsibility of the voters in question, of course. Well, cutting power to certain areas, as mentioned above, could do a lot to undermine trust in the government. Especially certain ethnic enclaves. Messing around with the (rather complex) logistical systems for major food suppliers, be they corporate entities or international aid agencies would be another. Hacking the computers of party activists and strategists, then making leaks to counter their moves, inserting false stories via hacking into online news sites.....the possibilities are endless.
You can cause riots, destroy nuclear facilities and even collapse governments with this, if you know what you're doing. Or even if you don't and you're just a very enthusiastic amatuer working in the right political context. A context as short-sighted and paranoid as the USA or Pakistan...well, I don't think you need a shiny infographic for that, do you? Much like biological warfare, the possibility for unforseen circumstances that will trigger bigger and even worse things is very possible.
We all need to start thinking about and paying more attention to this kind of thing.
The thing is, other than having what pretty much amounts to a "Zombie Survival Pack" next to the door at all times and hoarding canned goods and water like a Montana Militia compound, what can we do? The tech is already out there, floating around. The can of worms is open. The milk has spilled. Another shabby cliche here.
Well, firstly, you can learn to secure your own box.
If you're not going to control your computer, then someone else is. And that someone else might just decide to use it as the virtual equivalent of a cruise missile launcher.
Secondly, promote good INFOSEC practice among friends, family and companies. Cybersecurity is now what counter-terrorism was in the 2000s...namely, a field dominated by hucksters, with some otherwise intelligent and knowledgeable people struggling to make ends meet. When you find good people, let other people know. Most companies don't even spend money on securing their shit, or, when they do, they use cheap hucksters, or they ignore the findings of the Red Team because of "cost inefficiency". Because they don't understand the risk because someone hasn't shoved a shiny infograph in their face.
Thirdly, make people understand the stakes. Don't scare-monger, people have had enough of that, but make it clear the very real possibilities that could arise from current-day events. Use that to get them interested in securing their own computers, their companies, their banks etc.
All of those are fairly doable, IMO. And here is the more idealistic stuff:
Fourthly, get people interested in resilient, sustainable communities. Dispersed nodes with multiple redundancies will make things like taking the power grid down much harder. Sure, the opportunity costs of such attacks will go down too, but the damage should be limited.
Fifthy, try and spell out the risks to elected officials. If a Congressman wont listen, it's possible someone in a state legislative body will. Ambitious people can build careers on this kind of thing, if handled properly. Also try and get people in the infosec community and legislature working together with the bureaucracy. I'm sure there are some minor NSC functionaries out there dreaming of being the next George Kennan (http://en.wikipedia.org/wiki/George_F._Kennan), perhaps writing the "Long Email" on cybersecurity strategy.
I don't even know why the graphic part of that infographic was there. It didn't add anything to visualize the information, just made it look vaguely threatening. I guess the relative sparseness up top and the hurried jumble down bottom were meant to show increasing tension but the closest thing to a relevant visual is the "1/5th of Iran's functional centrifuges" part.
Cain, I think even your basic cybersecurity advice is optimistic. I use my co-workers and my mother as a base of judgment for these sorts of things. These are people who don't know you don't have to double click a link. These are people who get their facebook accounts hijacked by fishing e-mails REGULARLY. And these are "it'll never happen to me" kind of people who if you explain the rather complicated history of an advanced warfare virus will look at you as if you just said the Illuminati lizard folk control global finances (both of which we know are true).
I know that it's a defeatist attitude, and I don't think that it's pointless to practice your own security (which I, admittedly, do not do well), but that's how it stands. If this thing gets unleashed on the public we are FUCKED, plain and simple, because your average person isn't computer literate enough to combat something an entire developed nation was crippled by.
I hate infographics, they're cluttery and difficult to read. However, I can see how they increase the appeal of information for the general population.
It's the attention-whoring method. "LOOK! MORE PICTURES, LESS WORDS AND NUMBERS! AND SKULLS!!!1!" :lulz:
QuoteI use my co-workers and my mother as a base of judgment for these sorts of things. These are people who don't know you don't have to double click a link. These are people who get their facebook accounts hijacked by fishing e-mails REGULARLY. And these are "it'll never happen to me" kind of people who if you explain the rather complicated history of an advanced warfare virus will look at you as if you just said the Illuminati lizard folk control global finances (both of which we know are true).
It can depend on the kind of people you have to work with, their age demographic for example. Most people I work with, despite constantly amazing me by not forgetting to breathe, are fairly computer savvy, and even able to choose passwords that would be hard to brute-force. That's because much of the office and admin work is done by their people in their 20s and 30s here, and they've grown up around computers enough that good practice comes naturally.
Obviously that's a problem in workplaces where the demographic is older, but in the long term, that is a problem which will solve itself.
Quote from: Cain on October 11, 2012, 06:58:12 PM
QuoteI use my co-workers and my mother as a base of judgment for these sorts of things. These are people who don't know you don't have to double click a link. These are people who get their facebook accounts hijacked by fishing e-mails REGULARLY. And these are "it'll never happen to me" kind of people who if you explain the rather complicated history of an advanced warfare virus will look at you as if you just said the Illuminati lizard folk control global finances (both of which we know are true).
It can depend on the kind of people you have to work with, their age demographic for example. Most people I work with, despite constantly amazing me by not forgetting to breathe, are fairly computer savvy, and even able to choose passwords that would be hard to brute-force. That's because much of the office and admin work is done by their people in their 20s and 30s here, and they've grown up around computers enough that good practice comes naturally.
Obviously that's a problem in workplaces where the demographic is older, but in the long term, that is a problem which will solve itself.
:lulz:
This is what I tell them all the time.
Quote from: Man Green on October 11, 2012, 05:58:49 PM
I hate infographics, they're cluttery and difficult to read. However, I can see how they increase the appeal of information for the general population.
See, I think they can be great and add depth to information if they're done right, especially for more visually oriented people. Using them just as an eye catcher, though, is pretty annoying, especially when, like this one, it's all jumbled up and flows poorly.
The information itself isn't a bad introduction to Stuxnet, I just don't see why it isn't a list. It's times like these I miss TZip - he was not only really interested in stuff like this but also very savvy at improving them.
Quote from: Cain on October 11, 2012, 06:58:12 PM
QuoteI use my co-workers and my mother as a base of judgment for these sorts of things. These are people who don't know you don't have to double click a link. These are people who get their facebook accounts hijacked by fishing e-mails REGULARLY. And these are "it'll never happen to me" kind of people who if you explain the rather complicated history of an advanced warfare virus will look at you as if you just said the Illuminati lizard folk control global finances (both of which we know are true).
It can depend on the kind of people you have to work with, their age demographic for example. Most people I work with, despite constantly amazing me by not forgetting to breathe, are fairly computer savvy, and even able to choose passwords that would be hard to brute-force. That's because much of the office and admin work is done by their people in their 20s and 30s here, and they've grown up around computers enough that good practice comes naturally.
Obviously that's a problem in workplaces where the demographic is older, but in the long term, that is a problem which will solve itself.
I don't know...I saw yet another woman in her 20's swipe her bank card at the store this morning, when it didn't work, she pushed harder, and then HARDER... :lulz:
not to be all turbo hipster geek or anything, but
it doesn't matter what steps you take to secure data on your computer when you are doing it all on top of a platform you're not allowed to inspect. if you don't have access to every byte of source code in your security software and your operating system, you're wasting your time.
vex, that's true for insanely well-done stuff like stuxnet, so in this context you're probably right. But proprietary commercial software is good enough against less sophisticated attacks.
About the infographic: I love infographics, but this one is just a waste of bytes. It's nice to package information in an attractive shareable picture these days, but that should make it more accessible, not borderline illegible.
(ETA: Not saying the information is a waste of bytes, just the presentation, yeah?)
Quote from: VERBL on October 11, 2012, 09:42:28 PM
vex, that's true for insanely well-done stuff like stuxnet, so in this context you're probably right. But proprietary commercial software is good enough against less sophisticated attacks.
About the infographic: I love infographics, but this one is just a waste of bytes. It's nice to package information in an attractive shareable picture these days, but that should make it more accessible, not borderline illegible.
(ETA: Not saying the information is a waste of bytes, just the presentation, yeah?)
Commercially security software can generally decrease your susceptibility to run-of-the-mill malware and viruses, that's true. But in an increasingly connected world where everything you do is tracked and recorded in some way, it isn't malware and viruses that pose the biggest risk. Your data, even your identity, is a commodity -- some people will buy it, others will sell it, almost everyone will do both, and then there's Big Brother which, despite it being a played out conspiracy theory, is actually out there, watching.
Computing from a platform that does everything viruses and malware will do in terms of collecting and transmitting your personal information, without any of the crashes and performance issues caused by viruses and malware, isn't a strategy for protecting your security. It's a strategy for protecting your
convenience, while leaving actual security concerns far in the background where they are out of sight and out of mind, but no less severe.
Relevant link:
(http://krebsonsecurity.com/wp-content/uploads/2012/10/HackedPC2012-600x381.png)
http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/#more-17183
Quote from: V3X on October 11, 2012, 10:00:34 PM
Commercially security software can generally decrease your susceptibility to run-of-the-mill malware and viruses, that's true. But in an increasingly connected world where everything you do is tracked and recorded in some way, it isn't malware and viruses that pose the biggest risk. Your data, even your identity, is a commodity -- some people will buy it, others will sell it, almost everyone will do both, and then there's Big Brother which, despite it being a played out conspiracy theory, is actually out there, watching.
Computing from a platform that does everything viruses and malware will do in terms of collecting and transmitting your personal information, without any of the crashes and performance issues caused by viruses and malware, isn't a strategy for protecting your security. It's a strategy for protecting your convenience, while leaving actual security concerns far in the background where they are out of sight and out of mind, but no less severe.
I don't disagree with you at all; modern spyware is less of a threat to the average individual's privacy than our institutions. Criminals are mostly lifting credentials out of small to medium businesses and writing themselves payroll checks. (That's what all those work-at-home reshipping jobs are; foreign criminals cash out locally, buy fungible goods and have you mail them overseas to avoid suspicious international wire transfers.) The more likely threat to an individual - aside from adware and ransomware - is that crooks are taking advantage of all that UNLIMITED DATA and processing power that you bought but didn't really need to launch DDoS attacks, host shady web sites, and do criminal parallel computing projects. (You think hackers crack databases of hashed passwords with their home computer?)
For an individual, securing your computer is closer to keeping your guns in a safe than it is to keeping your side door locked.
Quote from: Cain on October 11, 2012, 09:42:57 AM
Cyberwarfare, like the covert actions and intelligence operations of the Cold War, wont be restricted to cyber-world effects. Let's say one wanted to "help" an election go in a certain direction....out of a love of democracy and the irresponsibility of the voters in question, of course. Well, cutting power to certain areas, as mentioned above, could do a lot to undermine trust in the government. Especially certain ethnic enclaves. Messing around with the (rather complex) logistical systems for major food suppliers, be they corporate entities or international aid agencies would be another. Hacking the computers of party activists and strategists, then making leaks to counter their moves, inserting false stories via hacking into online news sites.....the possibilities are endless.
Anthony Wiener for the longest time claimed that the twittergate sexting thing that led to him resigning was the work of a hacker. It turned out he was a lying politician, but that kind of thing is very much possible already, and it's going to get worse before it gets better.
I'm mixed on the threats to infrastructure. Living in the US, I don't think anyone would attack our infrastructure via hacking unless they were prepared to defend their infrastructure from a traditional bombing / economic sanctions / drones / whatever. That, and the causes of my most recent power outages have been tree branch, squirrel, tree branch, snake, tree trunk. I'm honestly a little surprised people don't go throwing aluminum bola things at power lines more frequently. We obviously need better cybersecurity on everything, but in terms of current threats, I think burying the lines would be more effective than anything else, with smarter AC units being a close second.