Fed cybersecurity initiative boosts TCPA

The White House likes Palladium


On Wednesday a group of federal bureaucrats, business representatives and industry lobbyists will roll out a draft of the White House's new initiative to enlist the computing public in the task of defending cyberspace. Originally the Feds had planned to release a final version, but that has been delayed by unresolved conflicts among the technology companies the scheme will affect.

An earlier draft of the White House plan, drawn up under the direction of cybersecurity czar Richard Clarke, has been leaked. We don't know how up to date it is, and it has been posted on-line as a series of .jpeg images in no particular order. Tomorrow, with luck, we'll get to see an updated 'official' version, but this one should help satisfy curiosity in the meantime, even if it's outdated.

A lot of it, I must say, is good old-fashioned common sense. The government feels that the Internet's BGP (Border Gateway Protocol) is too easy to attack, and they're right: a router will believe just about any route announcement its neighbour sends it, with nothing to prove the sender is entitled to originate that prefix. They recommend adoption of a secure version, S-BGP, which authenticates route announcements with signed attestations and is already in development. But uptake has been slow because it means investing in new kit, and like most bureaucratic efforts this one neglects the basic problem: how do we entice, shame, cajole, threaten or bribe private companies into discarding equipment they own and buying new stuff to replace it?

Routers and switches and their operating systems should be beefed up, we're told. Fine, but who's going to pay for that? SCADA systems need stronger authentication; but of course that costs cycles, and control systems can't sit waiting for a handshake, so we'll need very low-latency auth devices. An excellent idea. Anyone care to donate the hundreds of millions of dollars needed? Bill Gates, are you there, buddy?

ISPs should implement ingress and egress filtering, dropping packets at the customer edge whose source addresses don't belong to that customer (the practice written up in BCP 38), to make attacks that rely on IP spoofing harder. Yup, they should all right. Who's going to make them do it? Congress? Right; Congress doesn't know the difference between a packet filter and a packet of dust filters.
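What that edge filtering actually does is easy to show in code. The following is an added example, written for this edit and not taken from the draft or from any ISP's configuration: a toy BCP 38 filter that checks each packet's source address against the prefixes allocated to the customer port it arrived on, and a second check at the border that refuses to let any source address the provider doesn't originate leave the network. The interface names, the customer prefixes (documentation ranges from RFC 5737 and RFC 3849), the "legacy port with no ACL yet" and the sample packets are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology: each customer-facing interface maps to the prefixes
# that customer was allocated. Documentation ranges only, not real ISP data.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("2001:db8:1::/48")],
}

# Hypothetical legacy port that has not been put behind an ingress ACL yet; this is
# exactly the gap the border egress check has to cover.
UNFILTERED_PORTS = {"ge-0/0/3"}

# Everything this ISP legitimately originates: customer blocks plus its own infrastructure block.
OUR_PREFIXES = [net for nets in CUSTOMER_PREFIXES.values() for net in nets]
OUR_PREFIXES.append(ipaddress.ip_network("203.0.113.0/24"))


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str
    dst: str


def ingress_permitted(pkt):
    """BCP 38 check at the customer edge: a packet arriving on a customer port must
    carry a source address from that customer's allocated prefixes."""
    if pkt.ingress_if in UNFILTERED_PORTS:
        return True            # no ACL on this port; nothing is checked here
    allowed = CUSTOMER_PREFIXES.get(pkt.ingress_if)
    if allowed is None:
        return False           # unknown interface fails closed
    src = ipaddress.ip_address(pkt.src)
    # ipaddress 'in' is False across address families, so a v6 source never matches a v4 net.
    return any(src in net for net in allowed)


def leaves_network(pkt):
    """True when the destination is outside every prefix we originate, i.e. the packet
    is headed for the rest of the Internet via the upstream border."""
    dst = ipaddress.ip_address(pkt.dst)
    return not any(dst in net for net in OUR_PREFIXES)


def egress_permitted(pkt):
    """Egress check at the border: only sources this ISP originates may leave. It does
    not stop spoofing aimed at our own customers, only spoofing aimed at everyone else."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in OUR_PREFIXES)


def classify(pkt):
    """Return 'forward', 'drop:ingress' or 'drop:egress' for one packet."""
    if not ingress_permitted(pkt):
        return "drop:ingress"
    if leaves_network(pkt) and not egress_permitted(pkt):
        return "drop:egress"
    return "forward"


def filter_all(packets):
    """Verdicts for a sequence of packets, in order."""
    return [classify(p) for p in packets]


# Constructed sample traffic. 198.51.100.200 plays a host at another provider: the
# customer on ge-0/0/2 only holds the lower /25 of that block.
SAMPLE_PACKETS = [
    Packet("ge-0/0/1", "192.0.2.10", "198.51.100.200"),        # legitimate, bound outside
    Packet("ge-0/0/1", "10.0.0.1", "198.51.100.200"),          # spoofed on a filtered port
    Packet("ge-0/0/2", "2001:db8:1::5", "2001:db8:9::1"),      # legitimate IPv6
    Packet("ge-0/0/2", "2001:db8:2::5", "2001:db8:9::1"),      # neighbouring prefix, not theirs
    Packet("ge-0/0/3", "192.168.1.7", "198.51.100.200"),       # unfiltered port, caught at border
    Packet("ge-0/0/9", "192.0.2.10", "198.51.100.200"),        # unknown port fails closed
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_all(SAMPLE_PACKETS)):
        print(f"{pkt.ingress_if:9} {pkt.src:>16} -> {pkt.dst:<16} {verdict}")
```

The two checks are deliberately separate: the per-port ingress check is what BCP 38 asks of every provider, and the border egress check is the fallback that still protects the rest of the Internet when some port (the hypothetical ge-0/0/3 here) has been left unfiltered. Note what the fallback does not do: a spoofed packet from an unfiltered port aimed at one of the provider's own customers sails through, which is why the draft's wish for filtering at every edge, not just at the border, is the right one.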

We're talking about companies here with (severely battered) shareholders to answer to. You don't just tell them, 'gee, it would be great if y'all would spend a few billion dollars making the Internet a bit safer for us all to use.' It has to make business sense, it has to pay off somehow; and that's chiefly what's lacking in the White House scheme. Basically it's a wish-list of the sort anyone with a background in network security would draw up.

Mining for Palladium

Clarke's lieutenant, Critical Infrastructure Vice-chairman Howard Schmidt, is an old Microserf. In fact, he was in charge of security during the days (not long ago) when Outlook was configured to launch executables without user intervention. As soon as Billg decreed that Trustworthy Computing shall be Law, they gave Schmidt the sack, and he was then salvaged by the White House's National Security Council.

Thus it comes as no surprise that such familiar phrases as 'trustworthy platform', 'trustworthy operating system' and the like should be sprinkled throughout the draft. I didn't actually spot the 'P-word', but one can read between the lines well enough. Palladium and schemes like it, which turn the personal computer into a set-top box for controlled computing under the label, 'secure computing', do have a nice potential to turn profits for the software and media industries if they can be forced on consumers.

There actually are some benefits to naive, casual users from devices of this sort. If you're the kind of person who wants to use a computer for simple tasks on-line and off, and who's concerned about security, but who has no interest in learning about either the computer or security, then this product is for you. It will undoubtedly make the millions of Windows machines carelessly connected to the Net by people who just don't want to be bothered more resistant to attack and exploitation.

But the technology itself is very much open to exploitation by the software and media industries, who can use it to restrict access to their priceless jewels, which, as you know, you no longer purchase, but merely lease. The potential for Corporate America to use something like this to screw the consumer is so great that I personally believe it outweighs all the possible security benefits.

The problem here is the incomparable greed and arrogance of the software and media giants we deal with every day, and their paramilitary lobbies like the BSA and the RIAA. They've got a well-established and very unattractive record of abusing consumers. We know these companies and lobbying groups are going to screw us to the nth degree for all eternity. They've signalled this in a hundred ways: punitive BSA audits; EULAs demanding root privileges; shrink-wrap contracts with preposterous terms; the UCITA Trojan legislation, which absolves software companies of all responsibility; the DMCA; copy-proof CDs; Fritz Hollings and his efforts to mandate DRM in all household hardware; Howie Berman and his desire to let the RIAA hack and disable P2P networks. The list of bad-faith crimes against the consumer goes on. The trusted computing platform is the single most dangerous weapon we could ever concede to these companies.

Yet it is the only portion of the White House's grand scheme which appears capable of generating a new revenue stream, such as pay-per-use software and media, made possible by a usurious DRM regimen sufficient to make it profitable. Look for Congress to get a real 'education' about this new boon to Homeland Security during the next twelve months. ®
