Hacker News new | ask | show | jobs
by nickpsecurity 2564 days ago
It's a myth:

https://news.ycombinator.com/item?id=17216853

Their main requirement was and is SIGINT. That drives about all their budget and power. Their secondary requirement was to protect the government and/or military (not sure) with communications security (COMSEC). They may have expanded that to computer security. They were also supposed to protect defense contractors since they were an extension of the military. That's why their most secure stuff is unavailable to average American but defense companies can buy it. Also, the penalties for failing to stop the next 9/11 are astounding compared to failing to prevent... (checks today's articles)... a Fortune 500 company from leaking 264GB in client, payment data.

So, they deny us good stuff and weaken what we have wherever possible in general case. Some tiny number of them in Information Assurance give us tools and guides to help us. NSA can't be trusted to protect us. I do think the people in IA who gave us the best tools should be hired by the organization that will protect us. :)
1 comments
solotronics 2564 days ago
I have started thinking this is a major systemic weakness the US has vs China. Companies in America operate as individual entities more or less vs the top down model in China. Every company I have worked with in China had a group of government agents it just seems to be standard operating procedure there. Maybe they weren't around for day to day operations but they were definitely around whenever Americans were there. It's apparent they have vast cyber and intel efforts intertwined with the major corporations. Contrast this to our model, I don't even know how to alert the US government if I see something suspicious related to cyber security.
link
nickpsecurity 2562 days ago
It's both a strength and weakness. For innovation, U.S. was among the strongest in the world during Strategic Computing Initiative where DARPA funded all kinds of industry work. Led to many innovations of today. Then, the weakness comes in with them caring only about profit (security is cost center), short term gains tied to executives' bonuses, and so on. That's when state involvement can help. We did have that under the TCSEC with DOD making security standards, incentivizing private sector to build them, and evaluating their security. Multiple agencies also offer security advice and testing. The middle ground looks to be regulations ensuring the basics are in place on top of continual improvement.

If China wants a model, the TCSEC is a decent start at one. It was made for military requirements, though. Like MLS. The next approach should focus on commercial needs. Also, both TCSEC and Common Criteria were paper heavy with long evaluations after product development was done. The next should focus on actual code with reviewers getting into the process early on, reviewing deliverable by deliverable, so they have better insight into what's going on with faster time to market. Lots of room for improvement over the current model.

TCSEC

https://en.wikipedia.org/wiki/Trusted_Computer_System_Evalua...

Example of what industry was doing under TCSEC

https://csrc.nist.gov/csrc/media/publications/conference-pap...

Modern example from that lineage:

https://os.inf.tu-dresden.de/papers_ps/nizza.pdf

link