

Sensible "Cyber War" Preparation, Or Just More Government Snooping? - cwan
http://reason.com/blog/2010/03/05/sensible-cyber-war-preparation

======
tptacek
Reason Magazine does this a lot. The author of this article clearly doesn't
believe the government has any business monitoring private Internet traffic.
That's admirable, and I agree. But here he crosses the line from reporting
based in a perspective to _breathless evangelism_.

The government's current plan to beef up cybersecurity does drastically
increase monitoring. _On government computers_. Government networks are
currently a shambles; they can't even fend off prepackaged malware, let alone
a concerted attack.

I think the current plans to improve this situation are misguided. For
instance, they call for signature-based deep packet inspection monitoring, but
say virtually nothing about application security or standardization. It's
security designed first and foremost as a carvout for contractors like
Lockheed.

But that doesn't mean that it's an Obama administration plot to read all our
email. It's unlikely Obama had any input into this at all, beyond "I want to
see something tangible and significant done to address cybersecurity".

Of course, Reason isn't going to give you any of this context, because they're
acting as an advocacy operation, and not journalists. They could call around
and get details, but they aren't doing that.

------
maqr
I just want everyone to realize two things about computer security:

1) Without very much difficulty, anybody can encrypt a message to be sent to
another person. No government can break this encryption, and no amount of
surveillance will help. Either the sending or receiving party must be
compromised to do effective spying, all the stuff in the middle does not
count.

2) Security holes are agnostic to attackers. If your system is vulnerable to
attack, then it is vulnerable to attack. SQL injection vulnerabilities do not
care if your native tongue is Chinese. "Cyber war" is no different to prepare
for whether you're battling a terrorist, a foreign government, or a 12 year
old with a botnet.

~~~
tptacek
I think it's significantly more difficult to safely encrypt a message that the
NSA can't read than people think. There are bugs in widely-used crypto
implementations that won't come to light for 10-20 years.

~~~
ErrantX
I'm willing to wager it's not just the NSA either. The uk has GCHQ and those
guys are stupidly smart - I'm sire other countries have similar.

