Oh yeah I blew a gasket.
I read the Danger Room story with dread. I never get invited to these things. Well anybody with a CV could likely have gotten into it but hey I HAVE A FREAKING JOB. So what are you thinking the chances are the head of DARPA or Cyber command even has a clue I exist? You know. That paid for asset working for DoD who hasn’t been able to get a word in edgewise on these topics? You know that guy who gave up his tenured professorship in a major university system, moved his family half way across the country, took great financial risk, and all he wanted to do was serve his country because he thought it was a good idea?
I’m so pissed off right now I should take a deep breath.
That way I can yell louder!
When I read the head of DARPA and head of Cyber Command saying stuff like:
“We are losing ground because we are inherently divergent from the threat,” conceded Dugan…
Then you get the boss man saying….
That means, to use a hackneyed phrase, a “new paradigm,” according to Gen. Keith Alexander, who leads U.S. Cyber Command, the military organization devoted to active, day-to-day defense of military networks. “We diagnose the malware, clean up the systems, get set up again and wait for the next exploitation. We have to change the way we think about defending our systems.”
I’ll likely lose my job over this but sfw.
Going after “hackers” ooohhhh ahhhhhh to fix your network security issues is kind of like going after the local belligerent with a hammer to fix your glass blowing business. Cause, like they all know how to break the stuff they’ll be the expert at fixing it.
Information assurance and security isn’t going to be fixed by bad boy hackers or defense industrial base wags. One doesn’t have the breadth of skills and the other is incentivized to keep the stuff broken. Building another Internet on the same flawed premises of attribution and systemic security thinking is stupid but the DIBs like it cause they profit. The Hackers say “give up” it’s all good let’s all co-mingle our data. Do you think I could have gotten a security clearance if I had a dozen convictions for USC 18 violations? And, if I was good enough to not get caught would I subject myself to the brutality of a security investigation?
I’m not a hacker. However, there are about 40 top tier super studs and studdettes working in industry, the financial markets, major corporations and even the Department of Defense with the stamp “SELIL APPROVAL” (hey… it’s like a pun).
Hey I work for y’all in DoD and you couldn’t care less (shhh down in front).
To fix information assurance and security you gotta do a few things or it will always be broken.
1. Don’t get a new paradigm fix the one you got. Get out of systems security models based on flawed security strategies developed and refuted for the last freaking 40 years. We developed a strategy and instantiated it into law. Now we’re stuck with the same major processing rules for things like iPads, iPhones, with leadership that needs an iClue. Start thinking about your information flows and get a grip on that web of deceit you call security.
2. My clock radio works, my watch works, and not until you hook it to the freaking Internet in some muddled connectivity fetish did I have any issues. Appliances of failure for the future get your disposable connectivity on. If it’s an appliance don’t connect it like a monolithic computing structure. Don’t let it be a read/write file system. Disaggregate processing functionality to sub components and use redundant polling mechanisms to secure it. You know like in highly resilient computing for the last …30 years.
3. Freak out. You can’t secure everything but you can encrypt the hell out of it. Get some encryption right here and look for temporal based security. Classify your data but don’t be classification crazy. You know there used to be these rules and when you followed them information based security worked most of the time. Ain’t no security working all the time. But, that is why we talk about failing gracefully not like a giant Wikileaks turd flop in the middle of public diplomacy. I am aware it was the DoD and not the State Department who failed.
4. Hey did you know what you get when you mix TCP/IP and UDP? A freaking nightmare! The Internet has dozens of protocols and only a few of them are secure. Why in the freak would you have unattributed packets even allowed past the front of the network? huh? Because it is like how the Internet works? Only if you allow it. You want YouTube to work? Why? Oh wait. You might have a clue about usability. Right up until I try and use that brick from NMCI. Yeah. That brick. With the DIB outsourced piece of garbage. The one people cry when they have to try and use it to do things like fight wars.
5. Oh yeah now getcha some good freaking data. Most breaches occur at the 7th or 8th layer of the OSI 7 Layer model. We do some real good security at level 3 and 4. Well, hell no we don’t. We suck because we pass all those social engineering attacks up to the 7th layer for users. That ain’t their fault it’s ours. Why do we do it?
6. Come on back to #2. If my data is in the cloud it requires major connectivity that don’t exist everywhere. But, that doesn’t matter because my iPad isn’t allowed on the DoD network. Why? Because the Certification and Accreditation process takes 2 years to get through. So, I don’t do it. Instead my ancient Dell is a mouldering box in my desk drawer. Think about it.
7. Rolling rolling rolling. The data is king get your data off the network and onto a drive. Then don’t encrypt the data at rest. That way I don’t have to worry about the overage charges as Comcast rips me a new one for downloading your terabyte of juicy goods. But, heck stealing your laptop out of your car is just as good a breach as any. Get some encryption at rest.
8. Leadership is a shallow grave for the cyber types. I can’t become some colonel with a battalion of infantry unless I’ve been in the infantry for quite some time. But, hey!!! We’re all about putting crazy dudes with typewriter fetishes into leadership positions of cyber related activities.
9. Now hear this! There is ops and there is management of information systems also known as information technology. Ops guys are bad dudes. We need like two of those to take over small countries with large bank accounts. Over there we need an ARMY of guys to secure stuff. Now get this they ain’t bad dudes in Def Hat Black Con t-shirts that say “got root”? They’re polo shirt wearing pissed off hipsters glad to have a job. Jeepers. There is like 1-14 FTEs in federal service working IT.
10. It’s my freaking country don’t give it away to the same measly mouthed fecal-brained idiots I used to play chess with in jail. I used to play chess with the bastard murderers, killers, and rapists a long time ago. No I wasn’t an inmate (did you actually read my bio?). I see these conferences and type of statements and I either want to kick Ackerman in the shin or drink heavily. I know what they want but if you’ve got a clue you stay away. Hell I’ve tried to get involved and I’m just a clueless researcher.
Yeah I’m going to get into trouble for this.
Anybody need a CISSP with a clue? A guy who is ABD in Technology? Primarily studying computer forensics at the top computer forensics school in the country? You know a guy with over 20 years in Information Technology including major telco experience? Hey do you need a guy who has taught Certified Ethical Hacker Curriculum? Done real research into cyber security because it is fun and not a funded project? Categorized and created a complete taxonomy for predictive vulnerability analysis? Yeah, I didn’t think so. Y’all only want hackers. I get it.
Screw DARPA and Cyber Command.