Comments for Vmyths http://Vmyths.com Truth about computer security hysteria Thu, 03 Feb 2011 05:36:21 +0000 hourly 1 http://wordpress.org/?v=3.3.2 Comment on Does “Gulf War printer virus” hoax have roots in a WWII sailor’s tale? by Stuxnet, cyberwar, cybersabotage, blah… | ESET ThreatBlog http://Vmyths.com/2010/11/28/wwii/comment-page-1/#comment-516 Stuxnet, cyberwar, cybersabotage, blah… | ESET ThreatBlog Thu, 03 Feb 2011 05:36:21 +0000 http://Vmyths.com/?p=744#comment-516 [...] irrelevant thought: why, I wonder, do all the Stuxnet conspiracy theories keep reminding me of the Iraqui printer virus story? Is it all the “nudge, wink, I know something you don’t know” commentary [...] [...] irrelevant thought: why, I wonder, do all the Stuxnet conspiracy theories keep reminding me of the Iraqui printer virus story? Is it all the “nudge, wink, I know something you don’t know” commentary [...]

]]> Comment on SANS “Threat Level” remains green over Stuxnet hysteria by xfmrhsd http://Vmyths.com/2010/09/27/sans/comment-page-1/#comment-514 xfmrhsd Thu, 18 Nov 2010 05:35:10 +0000 http://Vmyths.com/?p=1224#comment-514 Must hurt to be right, hope the link works; http://my.earthlink.net/article/tec?guid=20101117/1cf800db-87e7-42a6-bf3c-a34c22aa737e Here it comes. Must hurt to be right, hope the link works;
http://my.earthlink.net/article/tec?guid=20101117/1cf800db-87e7-42a6-bf3c-a34c22aa737e
Here it comes.

]]> Comment on Stuxnet worm smells like overhype by xfmrhsd http://Vmyths.com/2010/09/24/stuxnet/comment-page-1/#comment-512 xfmrhsd Mon, 27 Sep 2010 02:31:17 +0000 http://Vmyths.com/?p=1098#comment-512 Was a quiet decade as far as virus hype goes, looked like the old days with the Symantec banner on CBS Evening News today, took over 10 years for it to come back. Duke Nukem forever comes out Feb 2011, any connections conspiracy theorists? Or could this be simply a cycle in virus hype as happened before (Benefiting AV companies) concurrent with simply a company capitalizing on a long awaited release just after a major financial upheaval. In either case we out here stand to benefit from the entertainment. Good AV software (Not Symantec by the way! I use a free down loadable copy from a good company) and a hardware firewall makes all this just entertainment for us. Game on AV industry! Hype on gaming industry! Wait! reverse that, or maybe not , does this apply to both? In any case I will be playing DNF when it comes out...and no thumbdrives will be allowed on military bases forever. Was a quiet decade as far as virus hype goes, looked like the old days with the Symantec banner on CBS Evening News today, took over 10 years for it to come back. Duke Nukem forever comes out Feb 2011, any connections conspiracy theorists? Or could this be simply a cycle in virus hype as happened before (Benefiting AV companies) concurrent with simply a company capitalizing on a long awaited release just after a major financial upheaval. In either case we out here stand to benefit from the entertainment. Good AV software (Not Symantec by the way! I use a free down loadable copy from a good company) and a hardware firewall makes all this just entertainment for us. Game on AV industry! Hype on gaming industry! Wait! reverse that, or maybe not , does this apply to both? In any case I will be playing DNF when it comes out…and no thumbdrives will be allowed on military bases forever.

]]> Comment on Gov’t hype surrounds ”Operation Buckshot Yankee” by Rob Rosenberger http://Vmyths.com/2010/08/26/oby/comment-page-1/#comment-511 Rob Rosenberger Sun, 05 Sep 2010 19:48:43 +0000 http://Vmyths.com/?p=925#comment-511 Further reading: <ol> <li><cite>SecurityWeek</cite>: <a target=press href="http://www.securityweek.com/defense-departments-cyberwar-credibility-gap" rel="nofollow">Defense Department’s Cyberwar Credibility Gap</a></li> <li><cite>Wired.com</cite> Danger room: <a target=press href="http://www.wired.com/dangerroom/2010/08/insiders-doubt-2008-pentagon-hack-was-foreign-spy-attack/" rel="nofollow">Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack</a></li> </ol> Further reading:

  1. SecurityWeek: Defense Department’s Cyberwar Credibility Gap
  2. Wired.com Danger room: Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack
]]> Comment on Today’s DEPSECDEF plagiarized his predecessor’s ”wake-up call” by Rob Rosenberger http://Vmyths.com/2010/08/27/oby-2/comment-page-1/#comment-510 Rob Rosenberger Sun, 05 Sep 2010 19:48:15 +0000 http://Vmyths.com/?p=942#comment-510 Further reading: <ol> <li><cite>SecurityWeek</cite>: <a target=press href="http://www.securityweek.com/defense-departments-cyberwar-credibility-gap" rel="nofollow">Defense Department’s Cyberwar Credibility Gap</a></li> <li><cite>Wired.com</cite> Danger room: <a target=press href="http://www.wired.com/dangerroom/2010/08/insiders-doubt-2008-pentagon-hack-was-foreign-spy-attack/" rel="nofollow">Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack</a></li> </ol> Further reading:

  1. SecurityWeek: Defense Department’s Cyberwar Credibility Gap
  2. Wired.com Danger room: Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack
]]> Comment on Virus experts play “king of the hill” on Twitter by Rob Rosenberger http://Vmyths.com/2010/08/30/twitter-3/comment-page-1/#comment-509 Rob Rosenberger Tue, 31 Aug 2010 02:18:40 +0000 http://Vmyths.com/?p=1022#comment-509 Graham Cluley <em>gets</em> the humor in my columns. He <a target=twitter href="https://twitter.com/gcluley" rel="nofollow">replied via Twitter</a>: "Glad to have provided some inspiration! cheers!" He probably knows I played leapfrog with him to reach my real target: @PCVirusNews. Graham Cluley gets the humor in my columns. He replied via Twitter: “Glad to have provided some inspiration! cheers!” He probably knows I played leapfrog with him to reach my real target: @PCVirusNews.

]]> Comment on Gov’t hype surrounds ”Operation Buckshot Yankee” by Gsparky http://Vmyths.com/2010/08/26/oby/comment-page-1/#comment-507 Gsparky Fri, 27 Aug 2010 01:49:30 +0000 http://Vmyths.com/?p=925#comment-507 Yeah, baby! Now *THAT'S* what I'm talking about! Yeah, baby! Now *THAT’S* what I’m talking about!

]]> Comment on Obama (!) spouts an urban legend in his cybersecurity speech by Rob Rosenberger http://Vmyths.com/2009/05/29/obama/comment-page-1/#comment-504 Rob Rosenberger Tue, 22 Sep 2009 01:09:03 +0000 http://Vmyths.com/?p=656#comment-504 ::My question, though, is how much do you ::think cyber-terrorism/security affects ::and costs the United States annually? Great question, Charley! Before I answer it, let me stress that while the "inside experts" claim they DO know the true scope of your question ... I insist they DON'T know the true scope. Extraordinary claims require extraordinary evidence, which we lack. The inside experts tell the public they can't divulge the truth because Osama bin Laden will use the knowledge to destroy the United States. Everything the public does know, overwhelmingly points to hyperbole and hysteria. So the skeptics say "stop crying wolf" and the inside experts say "we're Cassandras, you just wait and see." So. How much does it cost? Skeptical expert Bruce Schneier describes the cost as a "terrorism tax," similar to the Cold War tax although much more directly extracted from every American's pocketbook. I myself engage in hyperbole when I say "I honestly believe the cyber-terror tax exceeds its return on investment." Why, then, would I let the inside experts turn on me to demand "what evidence supports your belief"? Because I can then respond "well, you're the only one here who can give our audience the evidence they need to disbelieve me. But you won't cough up any evidence for scrutiny, will you?" Still, it doesn't answer your question. So let's make a (somewhat invalid) comparison. "Rob, did we spend too much on the Y2K hysteria?" The answer is "businessmen spent the right amount, but if they spent it in fear, then they spent the right amount for the wrong reason." A college-level logic course will teach you that, given a chocie, you'd rather spend the wrong amount for the right reason, than spend the right amount for the wrong reason. Terrorism of any sort is simply a matter of risk; the money you spend to mitigate it (repeat "mitigate") is essentially an insurance bet. (Professional poker players understand this logic as the "expected value of a hand." Pros would rather lose a hand for the right reason than win a hand for the wrong reason.) So, the answer to your question. The computer security industrial complex doesn't mitigate cyber-terror in a logical manner. We're spending money "wrong," and that's not right. ::Should we be paying more attention to it, ::not necessarily through fear mongering, ::but rather through indepth and accurate ::analysis and understanding? Yes. And I think the government should do it. Sadly, their research remains highly overclassified even by the government's own admission. But it's even worse than most experts realize, and we can expose it with a simple observation. We know the U.S. military analyzes the attacks it gets each day -- knowledge that remains completely out of reach to airmen & soldiers who would use the info to defend their home networks. It's valid to assume major intelligence agencies both friendly (e.g. Israel) and hostile (e.g. North Korea) target the home networks of career officers & sergeants who habitually take FOUO and (yes!) classified info home to work on it after duty hours. Military analysis would at least yield a realtime blackhole list, yet the knowledge goes to waste on home networks where it would prove particularly useful. I forget who once said "analysis that cannot be obtained is analysis that does not exist." The military's (public) release of a realtime blackhole list would do wonders in the realm of information protection. But they don't release it ... so it doesn't exist for those who could benefit from it. Crud. Did I just say "we do analysis wrong"? ...Did I answer both of your questions, Charley? ::My question, though, is how much do you
::think cyber-terrorism/security affects
::and costs the United States annually?

Great question, Charley! Before I answer it, let me stress that while the “inside experts” claim they DO know the true scope of your question … I insist they DON’T know the true scope. Extraordinary claims require extraordinary evidence, which we lack. The inside experts tell the public they can’t divulge the truth because Osama bin Laden will use the knowledge to destroy the United States. Everything the public does know, overwhelmingly points to hyperbole and hysteria. So the skeptics say “stop crying wolf” and the inside experts say “we’re Cassandras, you just wait and see.”

So. How much does it cost? Skeptical expert Bruce Schneier describes the cost as a “terrorism tax,” similar to the Cold War tax although much more directly extracted from every American’s pocketbook.

I myself engage in hyperbole when I say “I honestly believe the cyber-terror tax exceeds its return on investment.” Why, then, would I let the inside experts turn on me to demand “what evidence supports your belief”? Because I can then respond “well, you’re the only one here who can give our audience the evidence they need to disbelieve me. But you won’t cough up any evidence for scrutiny, will you?”

Still, it doesn’t answer your question. So let’s make a (somewhat invalid) comparison. “Rob, did we spend too much on the Y2K hysteria?” The answer is “businessmen spent the right amount, but if they spent it in fear, then they spent the right amount for the wrong reason.” A college-level logic course will teach you that, given a chocie, you’d rather spend the wrong amount for the right reason, than spend the right amount for the wrong reason. Terrorism of any sort is simply a matter of risk; the money you spend to mitigate it (repeat “mitigate”) is essentially an insurance bet. (Professional poker players understand this logic as the “expected value of a hand.” Pros would rather lose a hand for the right reason than win a hand for the wrong reason.)

So, the answer to your question. The computer security industrial complex doesn’t mitigate cyber-terror in a logical manner. We’re spending money “wrong,” and that’s not right.

::Should we be paying more attention to it,
::not necessarily through fear mongering,
::but rather through indepth and accurate
::analysis and understanding?

Yes. And I think the government should do it. Sadly, their research remains highly overclassified even by the government’s own admission.

But it’s even worse than most experts realize, and we can expose it with a simple observation. We know the U.S. military analyzes the attacks it gets each day — knowledge that remains completely out of reach to airmen & soldiers who would use the info to defend their home networks. It’s valid to assume major intelligence agencies both friendly (e.g. Israel) and hostile (e.g. North Korea) target the home networks of career officers & sergeants who habitually take FOUO and (yes!) classified info home to work on it after duty hours. Military analysis would at least yield a realtime blackhole list, yet the knowledge goes to waste on home networks where it would prove particularly useful.

I forget who once said “analysis that cannot be obtained is analysis that does not exist.” The military’s (public) release of a realtime blackhole list would do wonders in the realm of information protection. But they don’t release it … so it doesn’t exist for those who could benefit from it.

Crud. Did I just say “we do analysis wrong”?

…Did I answer both of your questions, Charley?

]]> Comment on Obama (!) spouts an urban legend in his cybersecurity speech by Charley Brown http://Vmyths.com/2009/05/29/obama/comment-page-1/#comment-502 Charley Brown Sat, 19 Sep 2009 15:11:01 +0000 http://Vmyths.com/?p=656#comment-502 I probably should have read part one before parts 2 and 3 of this article, but I do have a question. You mentioned in part 2 that government intelligence officials have lacked data and appropriate computations regarding the prevalence and cost of cyber-terrorism and cyber-security. Obama, Clinton and past Presidents have used faulty intelligence information to push agendas. My question, though, is how much do you think cyber-terrorism/security affects and costs the United States annually? Should we be paying more attention to it, not necessarily through fear mongering, but rather through indepth and accurate analysis and understanding? Perhaps it is the fear mongering, but I do feel that as we progress further into a global, digital environment, there is a need for cyber-security. Do I agree with Obama and his numbers on this issue? Not at all, I feel as if its a tactic to push agenda rather than really focusing on what should be done about it. I'm just curious to see how you feel about the core of the issue beyond Obama's blunder. -Charley Brown <a href="http://www.welivethis.com/newsfeed/2009/09/13/audio-engineering-schools/" rel="nofollow">Audio Engineering Schools</a> <a href="http://www.welivethis.com/newsfeed/category/hiphop-music/" rel="nofollow">Latest Hip Hop Music</a> I probably should have read part one before parts 2 and 3 of this article, but I do have a question. You mentioned in part 2 that government intelligence officials have lacked data and appropriate computations regarding the prevalence and cost of cyber-terrorism and cyber-security. Obama, Clinton and past Presidents have used faulty intelligence information to push agendas. My question, though, is how much do you think cyber-terrorism/security affects and costs the United States annually? Should we be paying more attention to it, not necessarily through fear mongering, but rather through indepth and accurate analysis and understanding? Perhaps it is the fear mongering, but I do feel that as we progress further into a global, digital environment, there is a need for cyber-security. Do I agree with Obama and his numbers on this issue? Not at all, I feel as if its a tactic to push agenda rather than really focusing on what should be done about it. I’m just curious to see how you feel about the core of the issue beyond Obama’s blunder.

-Charley Brown

Audio Engineering Schools

Latest Hip Hop Music

]]> Comment on Obama part 2: where did his “$1 trillion” guesstimate come from? by Charley Brown http://Vmyths.com/2009/05/29/obama-2/comment-page-1/#comment-501 Charley Brown Sat, 19 Sep 2009 14:45:41 +0000 http://Vmyths.com/?p=697#comment-501 Although I am an Obama supporter, I can't help but say that I'm not surprised. It seems as if the intelligence officials of each and every one of our past few presidents conjure up ridiculous numbers when trying to push their specific agenda. I had hoped Obama would be different, but I guess hope gets you no where. It is really sad that after 10-15 years, our top government intelligence officials have FAILED when it comes to compiling and understand cyber-security data. One would think the government could reach out to the most intelligent cyber-security experts to compile data that can help them better understand cyber-threats and the security measures that can be take at the least expense to the public. I'm not holding my breath. -Charley Brown <a href="http://www.welivethis.com/newsfeed/2009/09/13/audio-engineering-schools/" rel="nofollow">Audio Engineering Schools</a> <a href="http://www.welivethis.com/newsfeed/category/hiphop-music/" rel="nofollow">Latest Hip Hop Music</a> Although I am an Obama supporter, I can’t help but say that I’m not surprised. It seems as if the intelligence officials of each and every one of our past few presidents conjure up ridiculous numbers when trying to push their specific agenda. I had hoped Obama would be different, but I guess hope gets you no where.

It is really sad that after 10-15 years, our top government intelligence officials have FAILED when it comes to compiling and understand cyber-security data. One would think the government could reach out to the most intelligent cyber-security experts to compile data that can help them better understand cyber-threats and the security measures that can be take at the least expense to the public. I’m not holding my breath.

-Charley Brown

Audio Engineering Schools

Latest Hip Hop Music

]]>