Are there sufficient existing technical methods of safeguarding communications on the open internet while obviating creating new laws and practices which may limit freedom?
The topics in the show are scary, but now some laws may make the private sector afraid to create new tools if it makes them liable. Including one that makes the Nimda worm you mentioned have one less programmer trying to stop it.
What is your opinion on the latest DMCA laws that have been enacted in some states, effectively making firewalls and Network Address Translation routers illegal due to their poor wording? Here's a snippet from eWeek.
One of the common aspects of these laws is that they make illegal any device or program that can "conceal or to assist another to conceal from any communication service provider or from any lawful authority the existence or place of origin or destination of any communication." Aside from LaBrea, this makes a whole set of common IT programs and hardware illegal, from firewalls to VPNs to privacy applications.
From O. Sami Saydjari:
While I favor protecting intellectual property, I think DMCA is ill-conceived for the reasons you say.
From James Lewis:
DMCA is a good example of unintended consequences. People worry that it and other IP protection laws will reduce research into improved computer security products. There is some evidence that, at least initially, DMCA was having this effect. Laws like DMCA and the digital rights management (DRM) technologies that are being designed to provide IP protection could end up reshaping the Internet into something less useful if we aren't careful in how they are implemented. IP protection is important, but it has to be done in a way that balances protection with access and user rights. The best thing to do may be to point out when IP protection legislation has the effect of damaging network security efforts, as legislators seem willing to take security into account. The other thing to think about is whether these laws should have sunset clauses so that after a few years we're forced to rethink them to see if they work.
I am a VP at a major national insurance broker and have been involved in insuring cyber risks. This involves, in many cases, assessments both online and in the real world. Many of the findings are that networks are very vulnerable. Those that have sufficient security are able to purchase insurance against viruses, unauthorized access both from employees and outside hackers, DDoS, etc. I would appreciate your thoughts on this aspect. Things burn, so companies purchase fire insurance; is the same logic true for cyber attack?
From O. Sami Saydjari:
Yes, exactly. Cyberspace insurance would be purchased to limit the maximum damages incurred from an attack and would be based on some minimum acceptable level of protection employed by the system being insured. As technology improves, that standard will hopefully get higher over time.
From James Lewis:
It turns out to be hard to quantify risk so far on cyber security. Insurance companies have good data on fires, car accidents, etc. that allow them to predict how likely an accident is to occur and what the likely cost will be. We don't have the same actuarial data on cyber, in part because companies conceal damages and in part because damages can be hard to quantify. The other side of this is that for things like fires, insurance companies have good data on how certain actions reduce risk. A building owner installs sprinklers and this lowers the risk of fire damage. We don't have that same level of knowledge for many network security steps; you can do everything in the ISO standard and still have problems. Finally, many companies self-insure for many cyber risks, because both the probability and the damages are so low. I think this means we will see a few years of trial and error until enough data builds up that allows insurers to offer attractive products.
I haven't seen a decent cyberwar since the Chinese-American disputes that caused the Attrition mirror to go down. Honestly, aside from the US and some Northern European countries, cyberwarfare has almost no real military or political value. So why be concerned? To impose security protocols on a system as vast and diverse as the Interweb will only end in the destruction of its core value, or failure. In either case the very notion of cyberwarfare seems to be that of folly from all perspectives and relative points of view. So my question is, how can you justify your existence as a "cyberwarfare expert"? Sure, it makes interesting historical mentions, and sensationalist media attention.
New York City, New York
It was said in the show that a system running a Microsoft OS can be compromised in less than two minutes. Would the US government be more secure if systems were standardized on something like BSD?
And is standardizing on a more secure OS the right approach at all? Are we more secure with a diverse computing environment or with one hardened standard?
Do you approve or disapprove of "security" conferences such as Defcon, Bay Con, and 2600 meetings?