Fed cybersecurity initiative boosts TCPA

The White House likes Palladium

On Wednesday a group of federal bureaucrats, business representatives and industry lobbyists will be rolling out a draft of the White House's new initiative to enlist the computing public in the task of defending cyberspace. Originally, the Feds had planned to roll out a final draft, but this has been delayed due to unresolved conflicts among the technology companies the scheme will be affecting.

An earlier draft of the White House plan, drawn up under the direction of cybersecurity Czar Richard Clarke, has been leaked. We don't know how up-to-date it is, but it's been posted on-line as a series of .jpeg images in no particular order. Tomorrow, with luck, we'll get to see an updated 'official' version, but this one should help satisfy curiosity in the meantime, even if it's outdated.

A lot of it, I must say, is good old-fashioned common sense. The government feels that the Internet's BGP (Border Gateway Protocol) is too easy to attack, and they're right. They recommend the adoption of a secure version (S-BGP) which is already in development. But uptake has been slow because it involves investment in new kit, and like most bureaucratic efforts, this one neglects to solve the basic problem: how do we entice, shame, cajole, threaten or bribe private companies into discarding their property and buying new stuff to replace it?

Routers and switches and their operating systems should be beefed up, we're told. Fine, but who's going to pay for that? SCADA systems need stronger authentication mechanisms; but of course this involves a performance hit so we'll need very low-latency auth devices. And that's an excellent idea. Anyone care to donate the hundreds of millions of dollars needed? Bill Gates, are you there, buddy?

ISPs should implement ingress and egress filtering to make attacks involving IP spoofing more difficult. Yup, they should all right. Who's going to make them do it? Congress? Right; Congress doesn't know the difference between a packet filter and a packet of dust filters.
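The ingress and egress filtering the draft asks for is the BCP 38 idea: an access ISP refuses packets from a customer port whose source address is not one the customer was assigned, refuses packets from its upstream that claim one of the ISP's own addresses, and refuses to hand its upstream any packet whose source is outside the ISP's address space. The following is an added worked example, not code from the draft or from The Register, showing those three checks on a constructed edge topology. Interface names, the prefixes (RFC 5737 documentation ranges) and the sample packets are all invented for illustration.

```python
"""Source-address (anti-spoofing) filtering at an ISP edge, BCP 38 style.

Constructed topology for this example (documentation ranges, RFC 5737):
  customer0  port to a customer who was allocated 203.0.113.0/24
  core0      trusted internal port; the ISP's own hosts live in 198.51.100.0/24
  upstream0  port toward the rest of the Internet
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed, made-up addressing plan for the example.
OWN_SPACE = ["198.51.100.0/24", "203.0.113.0/24"]
CUSTOMER_PREFIXES = {"customer0": ["203.0.113.0/24"]}
INTERNAL_IFACES = {"core0"}
UPSTREAM_IFACE = "upstream0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet arrived on


def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


class EdgeRouter:
    def __init__(self, customer_prefixes, own_space, internal_ifaces, upstream_iface):
        self.customer = {iface: [ipaddress.ip_network(p) for p in nets]
                         for iface, nets in customer_prefixes.items()}
        self.own = [ipaddress.ip_network(p) for p in own_space]
        self.internal = set(internal_ifaces)
        self.upstream = upstream_iface

    def ingress_ok(self, pkt: Packet) -> bool:
        """Source check on arrival (ingress filtering)."""
        if pkt.iface in self.customer:
            # A customer may only send from addresses we assigned to that port.
            return _in_any(pkt.src, self.customer[pkt.iface])
        if pkt.iface == self.upstream:
            # Nothing arriving from the Internet may claim one of our own addresses.
            return not _in_any(pkt.src, self.own)
        # Trusted internal ports are not source-checked here; unknown ports are dropped.
        return pkt.iface in self.internal

    def egress_ok(self, pkt: Packet) -> bool:
        """Source check on departure toward the upstream (egress filtering)."""
        return _in_any(pkt.src, self.own)

    def leaves_our_network(self, pkt: Packet) -> bool:
        return not _in_any(pkt.dst, self.own)

    def decide(self, pkt: Packet) -> str:
        """Return 'forward', 'drop:ingress' or 'drop:egress' for one packet."""
        if not self.ingress_ok(pkt):
            return "drop:ingress"
        if self.leaves_our_network(pkt) and not self.egress_ok(pkt):
            return "drop:egress"
        return "forward"


def run_demo() -> dict[str, str]:
    """Run constructed sample packets through the router and return the decisions."""
    router = EdgeRouter(CUSTOMER_PREFIXES, OWN_SPACE, INTERNAL_IFACES, UPSTREAM_IFACE)
    cases = {
        "customer, own address": Packet("203.0.113.7", "192.0.2.50", "customer0"),
        "customer, spoofed source": Packet("192.0.2.1", "192.0.2.50", "customer0"),
        "internet, claims our address": Packet("203.0.113.7", "198.51.100.10", "upstream0"),
        "internet, legitimate": Packet("192.0.2.1", "203.0.113.7", "upstream0"),
        "core box, private source leaking out": Packet("10.0.0.5", "192.0.2.50", "core0"),
        "core box, own address": Packet("198.51.100.10", "192.0.2.50", "core0"),
    }
    return {label: router.decide(pkt) for label, pkt in cases.items()}


if __name__ == "__main__":
    for label, decision in run_demo().items():
        print(f"{label:40s} -> {decision}")
```

The ingress rule on the customer port is what stops a compromised customer machine from sourcing a flood with somebody else's address; the rule on the upstream port stops outsiders from posing as inside hosts; the egress rule is belt-and-braces for anything the other two miss, such as an internal box with a leftover private address. None of it is hard, which is the article's point: the obstacle is paying for and mandating it, not designing it.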

We're talking about companies here with (severely battered) shareholders to answer to. You don't just tell them, 'gee, it would be great if y'all would spend a few billion dollars making the Internet a bit safer for us all to use.' It has to make business sense, it has to pay off somehow; and that's chiefly what's lacking in the White House scheme. Basically it's a wish-list of the sort anyone with a background in network security would draw up.

Mining for Palladium

Clarke's lieutenant, Critical Infrastructure Vice-chairman Howard Schmidt, is an old Microserf. In fact, he was in charge of security during the days (not long ago) when Outlook was configured to launch executables without user intervention. As soon as Billg decreed that Trustworthy Computing shall be Law, they gave Schmidt the sack, and he was then salvaged by the White House's National Security Council.

Thus it comes as no surprise that such familiar phrases as 'trustworthy platform', 'trustworthy operating system' and the like should be sprinkled throughout the draft. I didn't actually spot the 'P-word', but one can read between the lines well enough. Palladium and schemes like it, which turn the personal computer into a set-top box for controlled computing under the label, 'secure computing', do have a nice potential to turn profits for the software and media industries if they can be forced on consumers.

There actually are some benefits to naive, casual users from devices of this sort. If you're the kind of person who wants to use a computer for simple tasks on-line and off, and who's concerned about security, but who has no interest in learning about either the computer or security, then this product is for you. It will undoubtedly make the millions of Windows machines carelessly connected to the Net by people who just don't want to be bothered more resistant to attack and exploitation.

But the technology itself is very much open to exploitation by the software and media industries, who can use it to restrict access to their priceless jewels, which, as you know, you no longer purchase, but merely lease. The potential for Corporate America to use something like this to screw the consumer is so great that I personally believe it outweighs all the possible security benefits.

The problem here is the incomparable greed and arrogance of the software and media giants we deal with every day, and their paramilitary lobbies like the BSA and the RIAA. They've got a well-established and very unattractive record of abusing consumers. We know these companies and lobbying groups are going to screw us to the nth degree for all eternity. They've signalled this in a hundred ways: punitive BSA audits, EULAs demanding root privileges; shrink-wrap contracts with preposterous terms; the UCITA Trojan legislation which absolves software companies of all responsibilities; the DMCA; copy-proof CDs; Fritz Hollings and his efforts to mandate DRM in all household hardware; Howie Berman and his desire to let the RIAA hack and disable P2P networks -- the list of bad-faith crimes against the consumer goes on. The trusted computing platform is the single most dangerous weapon we could ever concede to these companies.

Yet it is the only portion of the White House's grand scheme which appears capable of generating a new revenue stream, such as pay-per-use software and media, made possible by a usurious DRM regimen sufficient to make it profitable. Look for Congress to be getting a real 'education' about this new boon to Homeland Security during the next twelve months. ®
