• Where’s our ‘National Strategy for Cyberspace’?


    • This topic has 37 replies, 18 voices, and was last updated 2 years ago.
    #2383902

    ISSUE 18.31 • 2021-08-16 PUBLIC DEFENDER By Brian Livingston Crime on the Internet has gotten ridiculous. In 2020, the Federal Trade Commission receiv
    [See the full post at: Where’s our ‘National Strategy for Cyberspace’?]

    3 users thanked author for this post.
    Viewing 19 reply threads
    • #2383903

      An Internet passport is a better concept. It helps prove that you are who you say you are, and makes it hard for anyone else to impersonate you.

      It’s widely understood that you need a national passport to travel across borders. Internet passports could let you safely surf all the way around the World Wide Web.

      An Internet passport will let any government, any enterprise, any web site.. track you easily. No cookies needed.

      5 users thanked author for this post.
      • #2384197

        Why? I don’t follow; perhaps some explanation of this would be interesting to read.

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #2383907

      An Internet passport will let any government, any enterprise, any web site.. track you easily.

      It can also lead to China-style ‘social credit score’ where dissidents are easily denied access to the Internet.

      8 users thanked author for this post.
      • #2383917

        Exactly. No need for something so drastic. For some reason, the providers of gravely flawed software have escaped the legal liability that most other service providers are subject to. This for many years led to a total disregard of security and privacy issues. Now, though the disregard is no longer total, many developers still produce vulnerable code because they're in a hurry to crank out a product. The way to make something a priority goal for businesses is to charge them for failing to meet that goal. Simple as that.

        And, btw, users of flawed software who incorporate that software in other products should also be liable. Not strictly liable. Negligence is enough. But they should have to do an audit or rely on someone else’s. Does this cause problems for open source? Sure. But those are problems that all software, including open source, should have. We don’t let dangerous homebuilt aircraft fly willy nilly. We do let well designed and constructed homebuilts and kits in the air with suitable precautions and restrictions.

        5 users thanked author for this post.
    • #2383932

      Some people use VPNs to give them complete anonymity while surfing the web (complete, that is, other than with the VPN company). We would lose that anonymity if this were implemented.

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
      4 users thanked author for this post.
    • #2383912

      In Norway 4.2 million people use BankID (a Public Key Infrastructure solution) for identification towards banks and official authorities.

    • #2383918

      It could be used as a COVID vaccination passport too, and therefore encourage uptake?
      peter

    • #2383923

      This is a horrible idea. I’m certain that it (or some other privacy negating idea) will be implemented eventually.

      When I first came to the internet we were all encouraged to pick anonymous names and tell no one our real names or locations unless we were connecting it to our jobs or professional life. The internet flourished and grew. This will stifle the www. Hopefully it will revitalize or stimulate a different part of the internet and it will eventually become something that’s homegrown again.

      5 users thanked author for this post.
    • #2383965

      Anything designed by committee is going to be full of compromises. And, can anyone think of a government program that worked? Administrations change. Politicians will use this to punish enemies, as previously stated. There has to be a solution that doesn’t compromise one’s identity, is secure, and is easily implemented.

      4 users thanked author for this post.
      • #2384092

        And, can anyone think of a government program that worked?

        Medicare, Social Security. There are more.


        3 users thanked author for this post.
        • #2384179

          As one who uses both medicare and SS, all I can say is they sort of work….and when your health is at risk ‘sorta’ doesn’t come close.

          1 user thanked author for this post.
          • #2384196

            They work just fine for me and my friends. Sorry to hear you have problems with these two services.


            1 user thanked author for this post.
    • #2383964

      One does not need a device to identify yourself, you just need a private key in a PKI environment.  You prove you have the key without ever disclosing it.  (If that doesn’t make any sense to you, then you need to read up on public/private key cryptography.)

      A system has been developed to do just that, and it’s even public domain – SQRL, at https://sqrl.grc.com/  All we have to do is implement and use it.

      3 users thanked author for this post.
      • #2384336

        But how many ordinary consumers know how to set up a private key in a PKI environment? I don’t. It is not as easy and straightforward as this idea is.

        -- rc primak

    • #2383969

      The idea of a device such as mentioned in the post is seriously flawed. Devices get lost ─ at home and away. They get stolen. They don’t work for the visually impaired. The process described sounds so intimidating it would induce brain freeze in a majority of non-techies, especially older ones. It sounds time-consuming to use (even a few seconds umpty times a day adds up). Gather data on how many people actually use two-factor ID. I do not know anyone who does, myself included, although I acknowledge that it is a good idea.

      While I’m totally on board with the need for tightening security, no! Please do NOT prop up the USPO with a device only the mentally agile enlightened will use!

      6 users thanked author for this post.
      • #2384106

        I have had to use an RSA gadget to generate tokens for connecting to a government site where I intended to work on something for several hours. But I don’t see this as a solution for browsing the Web or helping stop email phishing. Besides, it seems like a bit too much for most home users.

        Also I disagree with the idea of making some form of authentication exclusively using a cellphone “app”. I don’t think I am the only one here, let alone in the whole world, who prefers to do most things online using a computer, not a cellphone. For phone calls, I have a landline connection and it suffices. With no text messaging capability.

        I do, on the other hand, fully expect the Web to become less user friendly, as it is now open warfare against all legitimate users, by gangs (including unfriendly nation states’ ones) that have infected the Internet and are not about to disappear any time soon, no matter what measures any country adopts on its own. This calls for strong international cooperation, at least with our closest allies. Because this is war.


        2 users thanked author for this post.
    • #2384013

      The problem here is that the police are too busy investigating misgendering incidents, hurt feelings and other non-crimes.

      Also ID online is a stupid ******** idea, same as forcing you to use your real name in games. The trolls / criminals will ALWAYS be using fakes, the only one left vulnerable is you.

      5 users thanked author for this post.
    • #2384018

      Digital Identity Frameworks are really the best solution which combines multiple modalities with standard credential inputs and can leverage advanced identity concepts such as MFA with little to no “technical expertise” on the part of the user. FIDO is a very strong contender for the future of MFA for the layman and requires very little training and technical knowhow once it is activated for the user. A single modality approach is never going to be as secure as MFA as you always need two of the three keys to gain access and one of those cannot be easily stolen/copied/etc, then you have truly strong security. Couple that with SAML on the backend for the sites and applications that you need to access and you have a solid solution that anyone can use and can streamline the entire process once the session tokens have been exchanged.

      1 user thanked author for this post.
    • #2384031

      Mr. Livingston, I have followed your thoughts for a very long time and usually very much enjoy them. The ideas you advanced in your article are intelligent, well-thought, and well-meaning. They are also fatally flawed in a variety of ways.

      It comes down to this: Am I willing to give digital proof of my personal identity to a truly broken system of government, which has been broken for decades, and trust them with it? Never. The obvious possibilities for myriad malfeasances by a corrupt government have hardly ever been greater. We live in an era of openly anti-scientific, truly censored media and corrupted government.

      Last I checked in around 2010, “Citizens United” gave POTUS the unequivocal legal authority to detain anyone, at any time, for any reason, indefinitely and without due process of law. Would I ever trust such a government as that?

      My answer is, and always will be, “No, thank you”.

      2 users thanked author for this post.
      • #2384034

        Last I checked in around 2010, “Citizens United” gave POTUS the unequivocal legal authority to detain anyone, at any time, for any reason, indefinitely and without due process of law.

        It’s time you checked again if that’s what you believe.

        Windows 11 Pro version 22H2 build 22621.2359 + Microsoft 365 + Edge

        2 users thanked author for this post.
        • #2384066

          If you know otherwise why not just provide a link to the current law?

          • #2384121

            “Citizens United” was about contributions to politicians’ election campaigns. Can you provide proof that it says anything about giving the president the extraordinary powers you mention? The granting of such unfettered powers would be, for a start, unconstitutional, and I very much doubt the Supreme Court will say: “That’s OK, not a problem.”


            1 user thanked author for this post.
            • #2384211

              Yes. I can. I’ll get around to it and post it. And the security of the U.S. government was ‘bought’ a long time ago by the companies who had/have the most cash to bid by corrupting and diverting the original intentions of the laws which used to protect its citizens. I’m anyone but the only one who noticed the signs and trails of the last 50+ years.

            • #2384277

              It has been so long since I thought precisely about this I’d conflated the name of Citizens United with the National Defense Authorization Act, in which would be/have been contained the sections of the U.S. Code I mentioned. I’ll fish it out when I can make some minutes for it.

            • #2384486

              “Citizens United” was about contributions to politicians’ election campaigns. Can you provide proof that it says anything about giving the president the extraordinary powers you mention? The granting of such unfettered powers would be, for a start, unconstitutional, and I very much doubt the Supreme Court will say: “That’s OK, not a problem.”

              Because of labyrinthine laws which affect national cybersecurity laws my posts about this are a process of continual research and look like they’ll take time. Amid our obviously autocratic government policies these days, in the context of the cybersecurity measures suggested by Mr. Livingston, it makes perfect sense to do background research on the government’s track record about those laws.

              You could start with these three older articles until I can eventually (whenever that will be) find out if the right to detain without cause is/is not in the current, 2021 or 2020 National Defense Authorization Acts.

              2013 Mic page – NDAA: What Obama Hoped You Wouldn’t Notice About This Bill

              2012 ACLU page – Don’t Be Fooled by New NDAA Detention Amendment

              2012 National Review – The ACLU’s Double Standard


              1 user thanked author for this post.
            • #2385912

              2012 ACLU page – Don’t Be Fooled by New NDAA Detention Amendment

              They did not succeed.

              The final version of the bill also provides, in sub-section(e), that “Nothing in this section shall be construed to affect existing law or authorities relating to the detention of United States citizens, lawful resident aliens of the United States, or any other persons who are captured or arrested in the United States”.

              Detention without trial: Section 1021 NDAA

              Windows 11 Pro version 22H2 build 22621.2359 + Microsoft 365 + Edge

    • #2384052

      The Colonial Pipeline was hacked because a static password for VPN was left in place prior to multi-factor-authentication being added to their VPN.  This was an old shared user account used by the IT staff.  It should have been deleted years ago.  The password for it leaked on the dark web.  The hackers merely logged in versus breaking in. They were not even detected despite having access for a very long period of time. The attack was only noticed once the hackers started encrypting files.  Despite the hackers not gaining access to the critical gasoline pipeline infrastructure, management panicked and shut down the pipeline.

      A water treatment plant that was hacked was foiled when operators noticed someone was remote controlling the admin consoles and the operators stopped the settings from becoming dangerous.  That too was an old insecure IT shared account running an unapproved remote control system which bypassed all the network remote security.  Apparently put into place so technicians didn’t have to come into the plant to monitor or adjust the systems after hours, etc.

      Target was hacked because their retail locations’ environmental controls were not air-gapped from the internal company LAN.  The hackers compromised the heating and air conditioning vendor and gained access to the Target network and breached the credit card systems. They modified the firmware for the credit card readers and stole thousands of customers’ credit / debit cards. If it was air-gapped the worst they could have done was turned off the A/C or lights in retail stores.

      More often than not, it is humans who are the weakness. That includes IT staffers who implement shadow systems to get around security restrictions which they feel impede their ability to do their jobs.  Human nature is laziness, greed, lust, etc.  Attackers use social engineering to take advantage of all those traits and then some.  Mitnick once demonstrated live during DEFCON how to social engineer AT&T.  He called and pretended to be a field engineer and he tricked AT&T employees into granting him privileged access to the phone system. This goes well beyond any technology.

      Phishing attacks are so successful because humans are dumb and easily fooled. Infrastructure with legacy technology is not being audited to remove old user accounts and connectivity that bypasses the network remote access standards.

      It costs a great deal of money to do things properly and even when you do so, there are always vulnerabilities.  Take Ford Motors, who recently setup servers incorrectly allowing security researchers to access the internal systems that only dealerships should have had access to. Again, where was the change control process to validate proper security configurations on production Internet accessible application servers?

      Even the Cloud cannot save you.  Microsoft Azure has to audit customer configurations so they can alert them when they are setup insecurely.  This is because customers do dumb things when setting up cloud infrastructure.

      3 users thanked author for this post.
    • #2384129

      Anonymous #2384052: I do agree, by and large, with the general thrust of your comments about lax security measures being behind some of the serious online attacks that have been successful in doing some serious damage.

      Now about:

      Phishing attacks are so successful because humans are dumb and easily fooled.

      Yesterday, I received an email from “Verizon” asking me to “confirm” my “email address.”

      It had one big black button that read “Verify Address”, otherwise it very much looked like a regular email from my ISP, that I receive every so often for various reasons.

      Hovering the cursor over the “Verify” button, however, revealed a URL that had several spelling errors, including “Verizoan” instead of “Verizon” and it was located in the site of a Web sites’ developer. So: phishing.

      But it is not that others who fall for this scam are necessarily dumb and easily fooled (although that helps), or that I am so very much cleverer than those who fall for it. It takes some learning of what are the threats one faces online, and which are some of the basic ways to prevent them from harming one’s computer/life/fortune/…. and not many are regulars at sites such as “AskWoody”, where we all learn from each other, or have to take annual courses on IT security at work (as I do).


      1 user thanked author for this post.
      • #2384212

        Verizoan? That’s like protozoan only different 😉

        1 user thanked author for this post.
      • #2384239

        When I receive email that appears to be from entities with whom I have relationships (e.g., bank, credit card issuer, ISP, etc.) I still view the actual source of the message to examine the email headers, links and other content before actually opening it.  Call me paranoid, but I think it’s an important step to avoid potential problems.

        4 users thanked author for this post.
    • #2384144

      I second the comment on SQRL from Steve Gibson. Unfortunately this doesn’t seem to have gotten a lot of traction but neither has IPv6. Brian, you should discover more about what Steve Gibson spent years building and making freely available (see his website SQRL page https://www.grc.com/sqrl/sqrl.htm and this YouTube video of his technical presentation https://www.youtube.com/watch?v=Y6J1Yt8YYj0). Steve has moved on to re-engineering his SpinRite software which pays his bills so is unable to spend time evangelizing SQRL but perhaps you can help in this realm. SQRL keeps the current login paradigm that all websites use but removes any secrets about my or your credentials that the website has to remember and keep secure. SQRL won’t solve all security problems but does solve one very critical one.

      1 user thanked author for this post.
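      Both this post and the earlier SQRL post describe the same pattern: the user proves possession of a private key by signing a fresh per-login challenge, and the site stores only a public key, so there is no password for it to leak. The Go program below is an added illustration of that pattern written for this thread, not SQRL’s own code or its exact protocol; the domain names, the HMAC-based per-site key derivation, the challenge message layout and the master secret are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// deriveSiteKey turns one user-held master secret into a site-specific
// Ed25519 key pair: seed = HMAC-SHA256(master, domain). Assumed derivation
// for this demo; a different domain yields an unlinkable identity.
func deriveSiteKey(master []byte, domain string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32 bytes == ed25519.SeedSize
}

// Site is the relying party. It keeps public keys and outstanding nonces only;
// nothing stored here lets an attacker who steals the table log in.
type Site struct {
	Domain string
	users  map[string]ed25519.PublicKey // hex(pubkey) -> pubkey
	nonces map[string]bool              // single-use login challenges
}

func NewSite(domain string) *Site {
	return &Site{Domain: domain, users: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}

// Challenge issues a random nonce the client must sign.
func (s *Site) Challenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	s.nonces[n] = true
	return n, nil
}

// challengeMessage binds the nonce to the domain, so a signature produced for
// one site cannot be replayed at another (assumed layout for the demo).
func challengeMessage(domain, nonce string) []byte {
	return []byte("demo-login\n" + domain + "\n" + nonce)
}

// Register stores only the public key: no password, no shared secret.
func (s *Site) Register(pub ed25519.PublicKey) {
	s.users[hex.EncodeToString(pub)] = pub
}

// Login accepts a signature over the challenge. The nonce is burned on the
// first attempt, successful or not, so a captured response cannot be replayed.
func (s *Site) Login(pub ed25519.PublicKey, nonce string, sig []byte) bool {
	if !s.nonces[nonce] {
		return false
	}
	delete(s.nonces, nonce)
	stored, ok := s.users[hex.EncodeToString(pub)]
	if !ok {
		return false
	}
	return ed25519.Verify(stored, challengeMessage(s.Domain, nonce), sig)
}

// ClientRespond is the user side: derive the site key, sign the challenge, and
// hand back only the public key and signature. The private key never leaves.
func ClientRespond(master []byte, domain, nonce string) (ed25519.PublicKey, []byte) {
	priv := deriveSiteKey(master, domain)
	sig := ed25519.Sign(priv, challengeMessage(domain, nonce))
	return priv.Public().(ed25519.PublicKey), sig
}

func main() {
	master := sha256.Sum256([]byte("constructed demo master secret")) // constructed value
	bank := NewSite("bank.example")
	bank.Register(deriveSiteKey(master[:], bank.Domain).Public().(ed25519.PublicKey))

	nonce, _ := bank.Challenge()
	pub, sig := ClientRespond(master[:], bank.Domain, nonce)
	fmt.Println("login ok:    ", bank.Login(pub, nonce, sig)) // true
	fmt.Println("replay ok:   ", bank.Login(pub, nonce, sig)) // false: nonce already burned
	shopPub := deriveSiteKey(master[:], "shop.example").Public().(ed25519.PublicKey)
	fmt.Println("same id twice:", pub.Equal(shopPub)) // false: one key per site
}
```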
    • #2384175

      The best solution would be to abolish the NSA and other spying agencies. Most of the threats we now see were either because the NSA made encryption weaker, put code in our hard drives that we can’t get rid of, or were NSA tools that got leaked to the Dark Net.

      Stolen NSA hacking tools were used in the wild 14 months before Shadow Brokers leak
      Leaked NSA tools, now infecting over 200,000 machines, will be weaponized for years

      Want better security? Don’t put back doors in your software or hardware. Make encryption better, not weaker. Catch crooks the old fashioned way, with physical evidence, not forced telemetry from their devices. The more access you allow Government Agents into your software, the worst security gets.

      3 users thanked author for this post.
    • #2384220

      No thank you.

    • #2384272

      How extraordinary to use government to monitor identity on the Internet? Will government bear the blame when my identity is falsified? Or that will never happen because the government is awesomely capable.

      2 users thanked author for this post.
      • #2384333

        As I have mentioned here already, I think this is now a war, and the dream of unlimited freedom to do as one pleases on the Internet/Web is ending. To be more precise, this is a guerrilla war with criminal gangs and specialist military-type units backed and run by various governments to carry out operations against each other. Because of the pervasiveness of the Internet in modern life, such as its widespread use in controlling the workings of basic national infrastructures (oil and gas pipelines, electrical grids, national health systems, etc.) there is a need for strong defensive action, much delayed by politics in the USA, for example, and now inevitable, and not only in the USA. Like it or not, such defense is only possible to be organized and run by governments, in the case of the USA, at a minimum, the FBI, DHS, DoD, SD, and various intelligence services, with occasional backup from the local police. Private companies might help out, as MS does with their monitoring and reporting of the ever-changing types of massive attacks and developing anti-malware software, for example, but they are not equipped, nor is it in their business models, to take an active role protecting the nation against cyber attacks. That is left, as the whole of national defense is, to the government, with the cooperation of the citizens.

        This article makes for interesting and sobering reading:

        https://blogs.microsoft.com/on-the-issues/2020/09/29/microsoft-digital-defense-report-cyber-threats/

        As in any war, there will be mistakes made and collateral damage will indeed happen. Any of us could be part of the collateral damage. Such is the world we live in, and to wish it were different, while it is natural to feel that way, it is not very practical. When, to use a metaphor, bombs are falling on top of us, it is not very useful to wish they weren’t. Or pretend they are not.


    • #2384329

      Steve has moved on to re-engineering his SpinRite software

      That’s great news. It’s been promised since IDE was still common. I have been waiting to buy Spinrite for this!

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
    • #2384338

      In most countries, the Postal Service is owned and run directly by the central government. The same governments which abuse human rights. There has to be a better way to make the Internet safer, especially for those who live under such regimes.

      In the US, we have seen already how the Postal Service can be gutted for political reasons. How can this entity be trusted to survive, let alone keep a cyber-security system intact?

      Also, I agree with the comment about Social Scoring. I don’t agree about pinning this label exclusively on One Country.

      Social Scoring will arrive, but why encourage it in this way?

      -- rc primak

      2 users thanked author for this post.