On Tue, Jun 11, 2002 at 09:47:55AM -0400, Sean Donelan wrote:

If these questions are answered incorrectly, it could impact your operations.

<rant> your operations will be impacted regardless of how the questions are answered. that's how the government works. doubly so if you s/denail of service/cyber-terrorism/ good to see that it's only taken 10 years since the end of the cold war to find a new GREAT EVIL(tm) to use as the excuse for the continued erosion of our rights and civil liberties, and provide for the continued expansion of a government already hindered by its own bloated bureaucracy.

53 Questions for Developing the National Strategy to Secure Cyberspace

they can't count. but that's ok, so long as their self-esteem is intact.

http://www.whitehouse.gov/pcipb/53ques.html

i'll hope the fact that nobody has responded to this publicly is not an idication that the questions are rhetorical. the fact that they're being asked by the government would tell me that someone thinks they already have the answers, they just need someone to tell them they're the right answers. as part of my patriotic duty, i'll provide answers to these questions for no charge. :-)

1.2. Assistance: What can be done to make it easier for home users and small businesses to safe guard their systems? Should internet service providers (ISPs) perform more of the cybersecurity functions for the home user and small business?

that's 2 questions. the gummint wants to regulate your internet, and they can't even count. be VERY afraid. judging from the number of companies pushing their security software/services on the internet these days, i'm hard pressed to believe that it is impossibly difficult for the home user and/or small businesses to safeguard their systems. but if we must make it easier, i'll gladly go door-to-door with a baseball bat and break the kneecaps of anyone who doesn't buy at least a personal firewall and anti-virus software. i'm a firm believer in the "you must be this tall to ride this ride" philosophy. providers, afaik, are already offering thse services to people who feel their data is worth paying to protect.

1.3. Disclosure: What disclosure of risk should ISPs, software vendors, and hardware vendors make to home users and small businesses?

use of this equipment/software/service may be hazardous to your health and possibly cause serious injury or death. we're not liable for these or any lesser inconveniences. prolonged use may cause vision problems, repetitive motion injury, and extreme cynicism. caveat emptor. one of the few things i still like about the internet is the lack of government mandated bullshit designed to protect me from myself and little script-kiddies. as soon as i see a government mandated warning label on my copy of free *nix, i'm throwing the computers out on the curb and going into a more respectable line of work like drug-dealing.

3.A.5. Connecting Critical Functions to the Internet: How should we best address the security risks arising from critical Federal functions being performed on networks that have routers and other systems vulnerable to denial of service and other cyber attacks from the internet?

don't connect critical federal functions to networks with routers and other systems vulnerable to denial of service and other cyber attacks from the internet. i'm fully willing to believe that the government is *that* stupid. when designing critical services, it is necessary to assess the risk of failure. when connecting to the internet, one can safely say that the risk is significantly greater than 0, but not precisely defined. therefore, the decision should be whether the function is too critical to put at the risk of relying on the internet, not how do we deal with having made the poor choice to put the most critical functions of the government in harms way.

3.B.6. Connecting Critical Functions to the Internet: Are there sectors that perform critical functions which could achieve greater security and reliability by operating networks unconnected to the internet and other public switch, open systems?

duh! put granny's life-support system on the public internet, i dare you! hopefully that question cost the taxpayers less than the others.

4.3. Securing the Mechanics of the Internet: Can the traffic control systems of the internet (Domain Name Servers, Border Gateway Protocols) be made more secure? Can routers be made more secure by separating control functions from the general traffic channel? How can major denial of service attacks be mitigated? What problems arise in deploying more secure systems, how should they be overcome, and how should such improvements be funded?

ugh, 6 questions...brought to us by the same people who proudly proclaim that they've cut the budget when they're only spending $100B more than last year. 1. yes, probably, but do they need to be? 2. probably not. out-of-band control functions would require making a secure out-of-band channel to function. if we can't do it in-band, we probably can't do it much better out-of-band. moving the front door to the back of the house doesn't stop people from going in and out. 3. major denial of service attacks can be mitigated by fixing the cause proactively. spoofed-source is EVIL. 4. a. security is always a trade off with convenience, they are inversely proportional. security = 1/convenience b. the question should be "do they need to be overcome?". at some point, a clueful person will need to stand up and say "these critical systems over here need to be secure at all costs, and convenience be damned. the convenience features on the other side of the room need to be user friendly, with the understanding that they may fail now and then". c. they should not be funded with my tax dollars. this includes "fees" charged by government agencies. i'm quite sick of subsidizing everything from citrus farming to section 8 crack-houses. bonus question: how much do you have to pay in taxes every year before you take government stupidity as a personal insult? -- Sam Thomas Geek Mercenary the average i.q. is 100, that's 75 when adjusted for inflation.