1. 17

Cached link for those who still can’t yet access krebsonsecurity.com like me: http://webcache.googleusercontent.com/search?q=cache:https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/

  1.  

  2. 2

    My reply to Krebs' proposals on his site:

    “Well Brian, you have to understand the economic and social factors that led to widespread insecurity to understand just how unlikely you’re proposal is to happen. The demand-side cares nothing about sacrificing for security. They want faster, shinier PC’s with more features and at lower cost. The supply side’s incentive is time-to-market where they cobble crap together to get largest market-share. Distributor agreements, enterprise support, patents, and backward-compatibility are used to ensure it’s mostly an oligopoly with little room for vast change. Collectively, this means both the OS’s and protocols that end up dominant are almost always prone to easy attacks while simultaneously being almost impossible to change in widespread.

    Your proposed organization would have to either (a) get most of that to change across many market sectors at least at the protocol levels, or (b) have money for links with capacity of Tier 1 backbone + clusters of 100+Gbps NIDS’s to detect/respond to the attacks + many ops staff + finance this with paltry money from journalists or companies paying them. All I’m saying is “Good Luck!”

    Now, far as disaster initiating response, we’ve had constant disasters for businesses and consumers going back decades with alternatives that had fewer problems. They didn’t adopt them. Government, thanks to lobbying, didn’t adopt a liability regime. Further, DOD’s response to attacks on infrastructure in the past was as follows:

    1. Leave it all insecure while not even offering the high-security, GOTS protections at cost (hardware) or free (software). They have protections for SCADA already paid for but won’t let us have them. Defense-only. ;)

    2. Continue promoting insecure solutions from market whose track record indicates they won’t work. I was confused and irritated by this.

    3. Offer to install network or host-level taps that let NSA et al monitor all traffic to look for attacks. I was getting less confused and more irritated.

    4. Install a remote control option so they could take control of it and recover in event of disaster or attack. I was purely irritated at this point as agenda was obvious: surveillance & control, not security.

    That was called “Perfect Citizen.” You may have even reported on it before. I’m just reminding everyone that the last series of attacks led them not to protect us but to take advantage of fear to install surveillance equipment while maintaining insecurity on purpose. They pulled similar shit on Siemens with Stuxnet resulting. Recently, a combo of a software crisis and SIGINT goals led to this program to get U.S. infrastructure and tech where they want it to be:

    http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html

    So, the solution isn’t going to be a government if it’s a country like the U.S.. The market and users created this situation. They’re unlikely to solve it unless the solution can spread like wildfire while maintaining backward compatibility with existing systems, same features even if insecure, and at about same price. Main ISP’s are also unlikely to adopt something if it will break the internet. Old WinXP and IE6 problems also show tons of users will keep insecure stuff even then. Leaves a certain amount of DDOS available. So, there’s your summary and obstacles. Happy hunting to the startups and coalitions. :)"