There is an agenda but it's also information that is long overdue - and there is more of it Classified for what many people consider no good reason. Also, other reports have indicated faculty and staff at the Unis too. None of which I doubt terribly.
For me the bigger issue is that it simply doesn't matter - it's not like this level of nation-state backing is ~required~ for most cyber heists or most security issues. If anything it furthers (on top of other bad perceptions) that competitiveness is increasingly a function of secrecy vs innovation.

Oh well - I'm repeating myself. ;-)

-Ali

On Wed, Feb 20, 2013 at 10:49 AM, Jeffrey Walton <noloa...@gmail.com> wrote:

> On Wed, Feb 20, 2013 at 9:34 AM, Gary McGraw <g...@cigital.com> wrote:
> > hi sc-l,
> >
> > No doubt all of you have seen the NY Times article about the Mandiant report that pervades the news this week. I believe it is important to understand the difference between cyber espionage and cyber war. Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just well be "Gandalfed" and pin the attack on the wrong enemy as explained here: http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare .)
> >
> > Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article published in Computerworld does an adequate job of stating my position: http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9
> >
> > Those of us who work on security engineering and software security can help educate policymakers and others so that we don't end up pursuing the folly of active defense.
> >
> I'm somewhat surprised a report of that detail was released for public consumption. The suspicion in me tells me it's not entirely accurate or someone has an agenda. There's too much information in there that would be cloaked under "national security" given other circumstances.
>
> There also appears to be a fair bit of FUD-fanning going on: "Additionally, there is evidence that Unit 61398 aggressively recruits new talent from the Science and Engineering departments of universities such as Harbin Institute of Technology." The US equivalent would be like saying the NSA actively recruits Mathematicians and Computer Scientists.
>
> Jeff
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> _______________________________________________