hi sc-l,

This morning, NPR did a story 
<http://www.npr.org/2013/02/13/171843046/victims-of-cyberattacks-now-going-on-offense-against-intruders>
 about the idea of "Active Defense" which basically boils down to attacking the 
people who (may have) attacked you.  (Key question: who is it that REALLY 
attacked you and how do you know that?)  At Cigital, we believe this is a 
recipe for disaster.  The last thing we need in computer security is a bunch of 
vigilante yoo-hoos and lynch mobs.  Rule of law anyone?

I talked all about this in my SearchSecurity column in November: "Proactive 
defense prudent alternative to cyberwarfare" 
<http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare> 
(November 1, 2012)

In fact, I have been a vocal opponent of the Cyber War drum beating that seems 
to pervade Washington.  Here's what I had to say to Threatpost about the issue 
(warning: poor sound quality): 
http://threatpost.com/en_us/blogs/gary-mcgraw-cyberwar-and-folly-hoarding-cyber-rocks-111312

I have also been voicing these thoughts at think tanks like CNAS and in 
academic venues.  Here are three pointers to recent talks: 
http://www.ists.dartmouth.edu/events/abstract-mcgraw.html
http://www.kcl.ac.uk/sspp/departments/warstudies/newsevents/eventsrecords/mcgraw.aspx
http://www.eecs.umich.edu/eecs/etc/events/showevent.cgi?2626

FWIW, I am going to be on a panel about this at a private event during RSA with 
the founders of CrowdStrike on the opposing side.   Should be interesting.  
Given their dunderheaded philosophy, maybe I should bring a security detail 
along.

If you feel as strongly as we do about this issue, please send this to your 
Representatives.  They need to read it:
"Separating the Threat from the Hype: What Washington Needs to Know About Cyber 
Security" <http://www.cigital.com/papers/download/mcgital-fick-CNAS.pdf> in 
AMERICA'S CYBER FUTURE: SECURITY AND PROSPERITY IN THE INFORMATION AGE, VOLUMES 
I AND II 
<http://www.cnas.rsvp1.com/node/6405?mgh=http%3A%2F%2Fwww.cnas.org&mgf=1>, 
Center for a New American Security (June 2011).

What's the alternative to throwing rocks?  Making sure our houses are not glass 
by building security in.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________