Ian’s posterous

Schneier on Security: Virtual Mafia in Online Worlds

Interesting post on how ties in social networks can be used for virtual extortion.

Posted November 25, 2009

Belle's Party

Posted November 13, 2009

How To Spam Facebook Like A Pro: An Insider’s Confession

An insider's view of how marketers scam/spam people on Facebook.

Posted November 2, 2009

Defcon 17 PCAPs and CTF Game Binaries are now available

FINAL DEFCON 17 RANKING

Congratulations to VedaGodz on winning the DEFCON 17 CTF. Stats and more later -- here's the rankings:

1. VedaGodz
2. Routards
3. PLUS@postech
4. Shellphish
5. Sexy Pwndas
6. Song of Freedom
7. Sapheads
8. lollerskaterz dropping from roflcopters
9. WOWHACKER

Those of you that stayed around for the awards ceremony know that sk3wlofr00t had a slight conflict of interest making their contrived score irrelevant.

DDTEK HPUTM TECHNOLOGY ANNOUNCE

DDTEK is happy sunshine to presenet Hyper Parallel Universal Thret Management (HPUTM). Successful tests of HPUTM teknologee were made during the happened qualifications. These quantum predictive techonlogy using temporal acceleration of hardware constipated all attacks known, unknown, unknown known, known unkown, known known, and unknown unknown using hyper turing NP engine completion. Demonstration of HPUTM at Defcon CTF is the prove that DDTEK defense ever stands time and its tests. Techmology all other are not the comparison. The rainy doom spank ass of other monkey software triumphs over oall including poor ruinners Juniper, Sonicwall, Microsoft, Checkpoint.

Graphs all blockage shown for DDTEK HPUTM:

CTF Qualifications Complete! Top 9 plus sk3wl invite to Vegas!

Qualified teams:
1. sk3wlm4st3r (CONFIRMED! as sk3wl0fr00t)
2. Team Awesome (aka VedaGodz) (CONFIRMED!)
3. Sexy Pwndas (CONFIRMED!)
4. PLUS@postech (aka PLUS) (CONFIRMED!)
5. Shellphish (CONFIRMED!)
6. Song of Freedom (CONFIRMED!)
7. lollerskaterz dropping from roflcopters (CONFIRMED!)
X. Underminers (deadline expired)
8. Routards (CONFIRMED!)
9. WOWHACKER (CONFIRMED!)
10. Sapheads (CONFIRMED!)
alt. sutegoma (CONFIRMED!)
alt. CLiP (CANT PARTICIPATE)
alt. pebkac (unconfirmed)
alt. ACMEPharm (CONFIRMED!)

With final confirm that sk3wlm4st3r represents the champion of DC16 then WOWHACKER is 10 and Sapheads_ is number 1 alternate.

Teams above need confirm their intent for playing in Vegas.

Use the email address you registered for qualifications.

Thanks for fun times weekend!

~ddtek cr3w

DEFCON 17 CTF Qualifier can starts

FOR IMMEDIATE RELEASE

5 JUNE 2009

DEFCON CTF QUALIFIER GO GO

Defense Diutinus Technologies Corp (ddtek) is pleased to starting the round of qualification for DEFON 17 CTF.

QUALS GAME: http://quals.ddtek.biz/quals/board.html

IRC: irc.oftc.net #ctfquals

DEFCON 17 CTF Qualifier announced despite conficker

FOR IMMEDIATE RELEASE

1 APRIL 2009

DEFCON CTF QUALIFIER ANNOUNCED

Defense Diutinus Technologies Corp (ddtek) is pleased to announce the round of qualification for DEFON 17 CTF.

The competition will be held on 5-7 June - without a stop, participants can be located everywhere. All are to play, but only the 9 best groups will be invited to join us in Las Vegas for the annual DEFCON ninja square off. We also intend to honour the code of the former CTF host and automatically qualify last years champion, the sk3wl of r00t (although we sincerely hope them to participate in qualifications).

The qualification round will be in the style of game board, but answers need not be in the form of a question. Categories will require teams to demonstrate the superiority of hacking into a vast realm of security.

You must be registered for participate.

Registration site: CLOSED
Registration opens: 01.04.2009 00:00:00 UTC
Registration ends: 04.06.2009 00:00:00 UTC

Qualifications open: 05.06.2009 23:00:00 UTC
Qualifications ends: 07.06.2009 23:00:00 UTC

More information that will follow via your registered email address.

Bring all your l33t haxor skillz just leave your Kiddie toolz behind.

Vulc@n Difensiva Senior Engineer Diuntinus Defense Technologies, Inc.

DEFCON 17 CTF Organizer Is Chosen

Today announced that Dark Tangent DEFCON 17 CTF Organizer is chosen. We are a group give the a proposal 1.

Much exciting for us because of our company startup departure from stealth watch soon announce that the technology to the test of time against the current and future attacks. We look forward to our technology, demonstrat their superiority against the security work people and hackers during CTF quals.

We see those who are came before us and creat an experience that defaies all the concerned parties. KenShoto and Ghetto Hackers make beuatiful hard work for CTF over the years, CTF not have be the world cup security attack and defense.

For those of you who are interested, the pcaps and game binaries for the DEFCON 17 CTF are now available via BitTorrent. Study up and get ready for next year's quals.

Posted September 8, 2009

Cybersecurity Act of 2009 - U.S. Congress - OpenCongress <-- A very scary bill


S.773 - Cybersecurity Act of 2009

A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.



S 773 IS

111th CONGRESS

1st Session

S. 773

To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes.

IN THE SENATE OF THE UNITED STATES

April 1, 2009

Mr. ROCKEFELLER (for himself, Ms. SNOWE, and Mr. NELSON of Florida) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation

A BILL

To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

  (a) SHORT TITLE- This Act may be cited as the ‘Cybersecurity Act of 2009’.

  (b) TABLE OF CONTENTS- The table of contents for this Act is as follows:

    Sec. 1. Short title; table of contents.
    Sec. 2. Findings.
    Sec. 3. Cybersecurity Advisory Panel.
    Sec. 4. Real-time cybersecurity dashboard.
    Sec. 5. State and regional cybersecurity enhancement program.
    Sec. 6. NIST standards development and compliance.
    Sec. 7. Licensing and certification of cybersecurity professionals.
    Sec. 8. Review of NTIA domain name contracts.
    Sec. 9. Secure domain name addressing system.
    Sec. 10. Promoting cybersecurity awareness.
    Sec. 11. Federal cybersecurity research and development.
    Sec. 12. Federal Cyber Scholarship-for-Service program.
    Sec. 13. Cybersecurity competition and challenge.
    Sec. 14. Public-private clearinghouse.
    Sec. 15. Cybersecurity risk management report.
    Sec. 16. Legal framework review and report.
    Sec. 17. Authentication and civil liberties report.
    Sec. 18. Cybersecurity responsibilities and authorities.
    Sec. 19. Quadrennial cyber review.
    Sec. 20. Joint intelligence threat assessment.
    Sec. 21. International norms and cybersecurity deterrence measures.
    Sec. 22. Federal Secure Products and Services Acquisitions Board.
    Sec. 23. Definitions.

SEC. 2. FINDINGS.

  The Congress finds the following:

    (1) America’s failure to protect cyberspace is one of the most urgent national security problems facing the country.

    (2) Since intellectual property is now often stored in digital form, industrial espionage that exploits weak cybersecurity dilutes our investment in innovation while subsidizing the research and development efforts of foreign competitors. In the new global competition, where economic strength and technological leadership are vital components of national power, failing to secure cyberspace puts us at a disadvantage.

    (3) According to the 2009 Annual Threat Assessment, ‘a successful cyber attack against a major financial service provider could severely impact the national economy, while cyber attacks against physical infrastructure computer systems such as those that control power grids or oil refineries have the potential to disrupt services for hours or weeks’ and that ‘Nation states and criminals target our government and private sector information networks to gain competitive advantage in the commercial sector.’.

    (4) The Director of National Intelligence testified before the Congress on February 19, 2009, that ‘a growing array of state and non-state adversaries are increasingly targeting-for exploitation and potentially disruption or destruction-our information infrastructure, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries’ and these trends are likely to continue.

    (5) John Brennan, the Assistant to the President for Homeland Security and Counterterrorism wrote on March 2, 2009, that ‘our nation’s security and economic prosperity depend on the security, stability, and integrity of communications and information infrastructure that are largely privately-owned and globally-operated.’.

    (6) Paul Kurtz, a Partner and chief operating officer of Good Harbor Consulting as well as a senior advisor to the Obama Transition Team for cybersecurity, recently stated that the United States is unprepared to respond to a ‘cyber-Katrina’ and that ‘a massive cyber disruption could have a cascading, long-term impact without adequate co-ordination between government and the private sector.’.

    (7) The Cyber Strategic Inquiry 2008, sponsored by Business Executives for National Security and executed by Booz Allen Hamilton, recommended to ‘establish a single voice for cybersecurity within government’ concluding that the ‘unique nature of cybersecurity requires a new leadership paradigm.’.

    (8) Alan Paller, the Director of Research at the SANS Institute, testified before the Congress that ‘the fight against cybercrime resembles an arms race where each time the defenders build a new wall, the attackers create new tools to scale the wall. What is particularly important in this analogy is that, unlike conventional warfare where deployment takes time and money and is quite visible, in the cyber world, when the attackers find a new weapon, they can attack millions of computers, and successfully infect hundreds of thousands, in a few hours or days, and remain completely hidden.’.

    (9) According to the February 2003 National Strategy to Secure Cyberspace, ‘our nation’s critical infrastructures are composed of public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking finance, chemicals and hazardous materials, and postal and shipping. Cyberspace is their nervous system--the control system of our country’ and that ‘the cornerstone of America’s cyberspace security strategy is and will remain a public-private partnership.’.

    (10) According to the National Journal, Mike McConnell, the former Director of National Intelligence, told President Bush in May 2007 that if the 9/11 attackers had chosen computers instead of airplanes as their weapons and had waged a massive assault on a U.S. bank, the economic consequences would have been ‘an order of magnitude greater’ than those cased by the physical attack on the World Trade Center. Mike McConnell has subsequently referred to cybersecurity as the ‘soft underbelly of this country.’.

    (11) The Center for Strategic and International Studies report on Cybersecurity for the 44th Presidency concluded that (A) cybersecurity is now a major national security problem for the United States, (B) decisions and actions must respect privacy and civil liberties, and (C) only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will make us more secure. The report continued stating that the United States faces ‘a long-term challenge in cyberspace from foreign intelligence agencies and militaries, criminals, and others, and that losing this struggle will wreak serious damage on the economic health and national security of the United States.’.

    (12) James Lewis, Director and Senior Fellow, Technology and Public Policy Program, Center for Strategic and International Studies, testified on behalf of the Center for Strategic and International Studies that ‘the United States is not organized and lacks a coherent national strategy for addressing’ cybersecurity.

    (13) President Obama said in a speech at Purdue University on July 16, 2008, that ‘every American depends--directly or indirectly--on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it’s no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet.’ Moreover, President Obama stated that ‘we need to build the capacity to identify, isolate, and respond to any cyber-attack.’.

    (14) The President’s Information Technology Advisory Committee reported in 2005 that software is a major vulnerability and that ‘software development methods that have been the norm fail to provide the high-quality, reliable, and secure software that the IT infrastructure requires. . . . Today, as with cancer, vulnerable software can be invaded and modified to cause damage to previously healthy software, and infected software can replicate itself and be carried across networks to cause damage in other systems.’.

SEC. 3. CYBERSECURITY ADVISORY PANEL.

  (a) IN GENERAL- The President shall establish or designate a Cybersecurity Advisory Panel.

  (b) QUALIFICATIONS- The President--

    (1) shall appoint as members of the panel representatives of industry, academic, non-profit organizations, interest groups and advocacy organizations, and State and local governments who are qualified to provide advice and information on cybersecurity research, development, demonstrations, education, technology transfer, commercial application, or societal and civil liberty concerns; and

    (2) may seek and give consideration to recommendations from the Congress, industry, the cybersecurity community, the defense community, State and local governments, and other appropriate organizations.

  (c) DUTIES- The panel shall advise the President on matters relating to the national cybersecurity program and strategy and shall assess--

    (1) trends and developments in cybersecurity science research and development;

    (2) progress made in implementing the strategy;

    (3) the need to revise the strategy;

    (4) the balance among the components of the national strategy, including funding for program components;

    (5) whether the strategy, priorities, and goals are helping to maintain United States leadership and defense in cybersecurity;

    (6) the management, coordination, implementation, and activities of the strategy; and

    (7) whether societal and civil liberty concerns are adequately addressed.

  (d) REPORTS- The panel shall report, not less frequently than once every 2 years, to the President on its assessments under subsection (c) and its recommendations for ways to improve the strategy.

  (e) TRAVEL EXPENSES OF NON-FEDERAL MEMBERS- Non-Federal members of the panel, while attending meetings of the panel or while otherwise serving at the request of the head of the panel while away from their homes or regular places of business, may be allowed travel expenses, including per diem in lieu of subsistence, as authorized by section 5703 of title 5, United States Code, for individuals in the government serving without pay. Nothing in this subsection shall be construed to prohibit members of the panel who are officers or employees of the United States from being allowed travel expenses, including per diem in lieu of subsistence, in accordance with law.

  (f) EXEMPTION FROM FACA SUNSET- Section 14 of the Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the Advisory Panel.

SEC. 4. REAL-TIME CYBERSECURITY DASHBOARD.

  The Secretary of Commerce shall--

    (1) in consultation with the Office of Management and Budget, develop a plan within 90 days after the date of enactment of this Act to implement a system to provide dynamic, comprehensive, real-time cybersecurity status and vulnerability information of all Federal Government information systems and networks managed by the Department of Commerce; and

    (2) implement the plan within 1 year after the date of enactment of this Act.

SEC. 5. STATE AND REGIONAL CYBERSECURITY ENHANCEMENT PROGRAM.

  (a) CREATION AND SUPPORT OF CYBERSECURITY CENTERS- The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards. Each Center shall be affiliated with a United States-based nonprofit institution or organization, or consortium thereof, that applies for and is awarded financial assistance under this section.

  (b) PURPOSE- The purpose of the Centers is to enhance the cybersecurity of small and medium sized businesses in United States through--

    (1) the transfer of cybersecurity standards, processes, technology, and techniques developed at the National Institute of Standards and Technology to Centers and, through them, to small- and medium-sized companies throughout the United States;

    (2) the participation of individuals from industry, universities, State governments, other Federal agencies, and, when appropriate, the Institute in cooperative technology transfer activities;

    (3) efforts to make new cybersecurity technology, standards, and processes usable by United States-based small- and medium-sized companies;

    (4) the active dissemination of scientific, engineering, technical, and management information about cybersecurity to industrial firms, including small- and medium-sized companies; and

    (5) the utilization, when appropriate, of the expertise and capability that exists in Federal laboratories other than the Institute.

  (c) ACTIVITIES- The Centers shall--

    (1) disseminate cybersecurity technologies, standard, and processes based on research by the Institute for the purpose of demonstrations and technology transfer;

    (2) actively transfer and disseminate cybersecurity strategies, best practices, standards, and technologies to protect against and mitigate the risk of cyber attacks to a wide range of companies and enterprises, particularly small- and medium-sized businesses; and

    (3) make loans, on a selective, short-term basis, of items of advanced cybersecurity countermeasures to small businesses with less than 100 employees.

  (c) Duration and Amount of Support; Program Descriptions; Applications; Merit Review; Evaluations of Assistance-

    (1) FINANCIAL SUPPORT- The Secretary may provide financial support, not to exceed 50 percent of its annual operating and maintenance costs, to any Center for a period not to exceed 6 years (except as provided in paragraph (5)(D)).

    (2) PROGRAM DESCRIPTION- Within 90 days after the date of enactment of this Act, the Secretary shall publish in the Federal Register a draft description of a program for establishing Centers and, after a 30-day comment period, shall publish a final description of the program. The description shall include--

      (A) a description of the program;

      (B) procedures to be followed by applicants;

      (C) criteria for determining qualified applicants;

      (D) criteria, including those described in paragraph (4), for choosing recipients of financial assistance under this section from among the qualified applicants; and

      (E) maximum support levels expected to be available to Centers under the program in the fourth through sixth years of assistance under this section.

    (3) APPLICATIONS; SUPPORT COMMITMENT- Any nonprofit institution, or consortia of nonprofit institutions, may submit to the Secretary an application for financial support under this section, in accordance with the procedures established by the Secretary. In order to receive assistance under this section, an applicant shall provide adequate assurances that it will contribute 50 percent or more of the proposed Center’s annual operating and maintenance costs for the first 3 years and an increasing share for each of the next 3 years.

    (4) AWARD CRITERIA- Awards shall be made on a competitive, merit-based review. In making a decision whether to approve an application and provide financial support under this section, the Secretary shall consider, at a minimum--

      (A) the merits of the application, particularly those portions of the application regarding technology transfer, training and education, and adaptation of cybersecurity technologies to the needs of particular industrial sectors;

      (B) the quality of service to be provided;

      (C) geographical diversity and extent of service area; and

      (D) the percentage of funding and amount of in-kind commitment from other sources.

    (5) Third year evaluation-

      (A) IN GENERAL- Each Center which receives financial assistance under this section shall be evaluated during its third year of operation by an evaluation panel appointed by the Secretary.

      (B) EVALUATION PANEL- Each evaluation panel shall be composed of private experts, none of whom shall be connected with the involved Center, and Federal officials. An official of the Institute shall chair the panel. Each evaluation panel shall measure the Center’s performance against the objectives specified in this section.

      (C) POSITIVE EVALUATION REQUIRED FOR CONTINUED FUNDING- The Secretary may not provide funding for the fourth through the sixth years of a Center’s operation unless the evaluation by the evaluation panel is positive. If the evaluation is positive, the Secretary may provide continued funding through the sixth year at declining levels.

      (D) FUNDING AFTER SIXTH YEAR- After the sixth year, the Secretary may provide additional financial support to a Center if it has received a positive evaluation through an independent review, under procedures established by the Institute. An additional independent review shall be required at least every 2 years after the sixth year of operation. Funding received for a fiscal year under this section after the sixth year of operation may not exceed one third of the annual operating and maintenance costs of the Center.

    (6) PATENT RIGHTS TO INVENTIONS- The provisions of chapter 18 of title 35, United States Code, shall (to the extent not inconsistent with this section) apply to the promotion of technology from research by Centers under this section except for contracts for such specific technology extension or transfer services as may be specified by statute or by the President, or the President’s designee.

  (d) ACCEPTANCE OF FUNDS FROM OTHER FEDERAL DEPARTMENTS AND AGENCIES- In addition to such sums as may be authorized and appropriated to the Secretary and President, or the President’s designee, to operate the Centers program, the Secretary and the President, or the President’s designee, also may accept funds from other Federal departments and agencies for the purpose of providing Federal funds to support Centers. Any Center which is supported with funds which originally came from other Federal departments and agencies shall be selected and operated according to the provisions of this section.

SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE.

  (a) IN GENERAL- Within 1 year after the date of enactment of this Act, the National Institute of Standards and Technology shall establish measurable and auditable cybersecurity standards for all Federal Government, government contractor, or grantee critical infrastructure information systems and networks in the following areas:

    (1) CYBERSECURITY METRICS RESEARCH- The Director of the National Institute of Standards and Technology shall establish a research program to develop cybersecurity metrics and benchmarks that can assess the economic impact of cybersecurity. These metrics should measure risk reduction and the cost of defense. The research shall include the development automated tools to assess vulnerability and compliance.

    (2) SECURITY CONTROLS- The Institute shall establish standards for continuously measuring the effectiveness of a prioritized set of security controls that are known to block or mitigate known attacks.

    (3) SOFTWARE SECURITY- The Institute shall establish standards for measuring the software security using a prioritized list of software weaknesses known to lead to exploited and exploitable vulnerabilities. The Institute will also establish a separate set of such standards for measuring security in embedded software such as that found in industrial control systems.

    (4) SOFTWARE CONFIGURATION SPECIFICATION LANGUAGE- The Institute shall, establish standard computer-readable language for completely specifying the configuration of software on computer systems widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.

    (5) STANDARD SOFTWARE CONFIGURATION- The Institute shall establish standard configurations consisting of security settings for operating system software and software utilities widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.

    (6) VULNERABILITY SPECIFICATION LANGUAGE- The Institute shall establish standard computer-readable language for specifying vulnerabilities in software to enable software vendors to communicate vulnerability data to software users in real time.

    (7) National compliance standards for all software-

      (A) PROTOCOL- The Institute shall establish a standard testing and accreditation protocol for software built by or for the Federal Government, its contractors, and grantees, and private sector owned critical infrastructure information systems and networks to ensure that it--

        (i) meets the software security standards of paragraph (2); and

        (ii) does not require or cause any changes to be made in the standard configurations described in paragraph (4).

      (B) COMPLIANCE- The Institute shall develop a process or procedure to verify that--

        (i) software development organizations comply with the protocol established under subparagraph (A) during the software development process; and

        (ii) testing results showing evidence of adequate testing and defect reduction are provided to the Federal Government prior to deployment of software.

                                              (b) CRITERIA FOR STANDARDS- Notwithstanding any other provision of law (including any Executive Order), rule, regulation, or guideline, in establishing standards under this section, the Institute shall disregard the designation of an information system or network as a national security system or on the basis of presence of classified or confidential information, and shall establish standards based on risk profiles.CommentsClose CommentsPermalink

                                              (c) INTERNATIONAL STANDARDS- The Director, through the Institute and in coordination with appropriate Federal agencies, shall be responsible for United States representation in all international standards development related to cybersecurity, and shall develop and implement a strategy to optimize the United States position with respect to international cybersecurity standards.CommentsClose CommentsPermalink

                                              (d) COMPLIANCE ENFORCEMENT- The Director shall--CommentsClose CommentsPermalink

                                                (1) enforce compliance with the standards developed by the Institute under this section by software manufacturers, distributors, and vendors; andCommentsClose CommentsPermalink

                                                (2) shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section.CommentsClose CommentsPermalink

                                                (e) FCC NATIONAL BROADBAND PLAN- In developing the national broadband plan pursuant to section 6001(k) of the American Recovery and Reinvestment Act of 2009, the Federal Communications Commission shall report on the most effective and efficient means to ensure the cybersecurity of commercial broadband networks, including consideration of consumer education and outreach programs.CommentsClose CommentsPermalink

                                                SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.

                                                  (a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.CommentsClose CommentsPermalink

                                                  (b) MANDATORY LICENSING- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.CommentsClose CommentsPermalink

                                                  SEC. 8. REVIEW OF NTIA DOMAIN NAME CONTRACTS.

                                                    (a) IN GENERAL- No action by the Assistant Secretary of Commerce for Communications and Information after the date of enactment of this Act with respect to the renewal or modification of a contract related to the operation of the Internet Assigned Numbers Authority, shall be final until the Advisory Panel--CommentsClose CommentsPermalink

                                                      (1) has reviewed the action;CommentsClose CommentsPermalink

                                                      (2) considered the commercial and national security implications of the action; andCommentsClose CommentsPermalink

                                                      (3) approved the action.CommentsClose CommentsPermalink

                                                      (b) APPROVAL PROCEDURE- If the Advisory Panel does not approve such an action, it shall immediately notify the Assistant Secretary in writing of the disapproval and the reasons therefor. The Advisory Panel may provide recommendations to the Assistant Secretary in the notice for any modifications the it deems necessary to secure approval of the action.CommentsClose CommentsPermalink

                                                      SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.

                                                        (a) IN GENERAL- Within 3 years after the date of enactment of this Act, the Assistant Secretary of Commerce for Communications and Information shall develop a strategy to implement a secure domain name addressing system. The Assistant Secretary shall publish notice of the system requirements in the Federal Register together with an implementation schedule for Federal agencies and information systems or networks designated by the President, or the President’s designee, as critical infrastructure information systems or networks.CommentsClose CommentsPermalink

                                                        (b) COMPLIANCE REQUIRED- The President shall ensure that each Federal agency and each such system or network implements the secure domain name addressing system in accordance with the schedule published by the Assistant Secretary.CommentsClose CommentsPermalink

                                                        SEC. 10. PROMOTING CYBERSECURITY AWARENESS.

                                                          The Secretary of Commerce shall develop and implement a national cybersecurity awareness campaign that--CommentsClose CommentsPermalink

                                                            (1) is designed to heighten public awareness of cybersecurity issues and concerns;CommentsClose CommentsPermalink

                                                            (2) communicates the Federal Government’s role in securing the Internet and protecting privacy and civil liberties with respect to Internet-related activities; andCommentsClose CommentsPermalink

                                                            (3) utilizes public and private sector means of providing information to the public, including public service announcements.CommentsClose CommentsPermalink

                                                            SEC. 11. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

                                                              (a) FUNDAMENTAL CYBERSECURITY RESEARCH- The Director of the National Science Foundation shall give priority to computer and information science and engineering research to ensure substantial support is provided to meet the following challenges in cybersecurity:CommentsClose CommentsPermalink

                                                                (1) How to design and build complex software-intensive systems that are secure and reliable when first deployed.CommentsClose CommentsPermalink

                                                                (2) How to test and verify that software, whether developed locally or obtained from a third party, is free of significant known security flaws.CommentsClose CommentsPermalink

                                                                (3) How to test and verify that software obtained from a third party correctly implements stated functionality, and only that functionality.CommentsClose CommentsPermalink

                                                                (4) How to guarantee the privacy of an individual’s identity, information, or lawful transactions when stored in distributed systems or transmitted over networks.CommentsClose CommentsPermalink

                                                                (5) How to build new protocols to enable the Internet to have robust security as one of its key capabilities.CommentsClose CommentsPermalink

                                                                (6) How to determine the origin of a message transmitted over the Internet.CommentsClose CommentsPermalink

                                                                (7) How to support privacy in conjunction with improved security.CommentsClose CommentsPermalink

                                                                (8) How to address the growing problem of insider threat.CommentsClose CommentsPermalink

                                                                (b) SECURE CODING RESEARCH- The Director shall support research that evaluates selected secure coding education and improvement programs. The Director shall also support research on new methods of integrating secure coding improvement into the core curriculum of computer science programs and of other programs where graduates have a substantial probability of developing software after graduation.CommentsClose CommentsPermalink

                                                                (c) ASSESSMENT OF SECURE CODING EDUCATION IN COLLEGES AND UNIVERSITIES- Within one year after the date of enactment of this Act, the Director shall submit to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science and Technology a report on the state of secure coding education in America’s colleges and universities for each school that received National Science Foundation funding in excess of $1,000,000 during fiscal year 2008. The report shall include--CommentsClose CommentsPermalink

                                                                  (1) the number of students who earned undergraduate degrees in computer science or in each other program where graduates have a substantial probability of being engaged in software design or development after graduation;CommentsClose CommentsPermalink

                                                                  (2) the percentage of those students who completed substantive secure coding education or improvement programs during their undergraduate experience; andCommentsClose CommentsPermalink

                                                                  (3) descriptions of the length and content of the education and improvement programs, and a measure of the effectiveness of those programs in enabling the students to master secure coding and design.CommentsClose CommentsPermalink

                                                                  (d) CYBERSECURITY MODELING AND TESTBEDS- The Director shall establish a program to award grants to institutions of higher education to establish cybersecurity testbeds capable of realistic modeling of real-time cyber attacks and defenses. The purpose of this program is to support the rapid development of new cybersecurity defenses, techniques, and processes by improving understanding and assessing the latest technologies in a real-world environment. The testbeds shall be sufficiently large in order to model the scale and complexity of real world networks and environments.CommentsClose CommentsPermalink

                                                                  (e) NSF COMPUTER AND NETWORK SECURITY RESEARCH GRANT AREAS- Section 4(a)(1) of the Cybersecurity Research and Development Act (15 U.S.C. 7403(a)(1)) is amended--CommentsClose CommentsPermalink

Posted August 31, 2009
// 0 Comments

mbed rapid microcontroller prototyping

Looks like an awesome project. I would really be interested in checking these out. There are so many possibilities!

Posted August 27, 2009
// 0 Comments

The Cost of Not Understanding Probability Theory | Math-Blog

Misconceptions about probability theory and statistics have major repercussions on society. From seemingly minor things like the excessive sensationalism of some headlines, all the way to the jailing of innocent people based on “statistical evidence”. One of the most common misconceptions is the so called Gambler’s fallacy. Wikipedia defines it as follows:

The gambler’s fallacy, also known as the Monte Carlo fallacy or the fallacy of the maturity of chances, is the belief that if deviations from expected behavior are observed in repeated independent trials of some random process then these deviations are likely to be evened out by opposite deviations in the future.

This definition may seem a bit abstract, so let’s clarify it through a practical example. What’s the probability of flipping a fair coin 30 times in a row and obtaining heads consecutively each time? The answer is:

$$ \mathrm{P}(E) = \left(\frac{1}{2}\right)^{30} \approx 9.31 \cdot 10^{-10} $$

This would be extremely unlikely. How unlikely? One in 1,073,741,824 to be exact. So if we’ve just observed the coin appear as heads 29 times in a row, what are the odds that the same coin will land on heads on the 30th toss?

Many people would argue that the chance of this happening is less than one in a billion, as we just calculated. However, that answer is blatantly wrong. The probability that the 30th fair coin toss is going to come up as heads is still 0.5, because each trial (toss) is statistically independent of those that preceded it. Tossing 29 heads in a row is extremely unlikely, but once it has happened, it doesn’t influence the outcome of the 30th toss in any way.

People who fall for this fallacy do so because of a fundamental misunderstanding of how probability works. They combine the probability of past events (irrelevant for independent trials) with that of future events. With the example above, some people would also erroneously conclude that “tails is long due to come up” and as such would think that it’s more likely to occur.

This informal fallacy has contributed to the ruin of many gamblers over the years. A tragic example of what happens when you uphold this way of looking at odds occurs with many who play the game of “Lotto” in Italy, a very popular lottery game played amongst the general population.

The idea behind this game is very simple. Five distinct numbers between 1 and 90 are randomly selected in 10 different Italian cities, three times a week. Gamblers can place several types of bets, but the one we’re interested in, for the sake of this article, is called the “estratto semplice” (simple draw). This type of game requires gamblers to correctly predict that a specific number will be drawn in a particular city.

The probability of placing a winning bet is 1 in 18 (i.e., 5/90), while the payout is 11.232 times the amount that you put down (so if you bet 1 Euro and won, you’d walk away with 11.23 Euros before taxes). The odds are clearly stacked in favor of the house, of course. Incidentally, Lotto is run by the state and is also known as “a tax on the stupid” for rather obvious reasons.

There are many “systems” and theories used by a large pool of gamblers who want to “beat the system”. More often than not such systems are based on some flawed understanding of how probability really works. A very popular theory is that of the “numeri ritardatari” (“late numbers”, as we will refer to them throughout this article). The basic principle behind late numbers is this: since it’s extremely unlikely that a given number will fail to appear at least once out of 150, 180 or 200 draws in a row, in a given city, you can identify what numbers are “due” to appear and thus bet on them. For example, if a number hasn’t been drawn in the past 140 trials, the number of bets on it will start to grow very quickly.

Of course, despite the fact that a number hasn’t come up in a given city 140 times in a row, its probability of occurring on the next draw is still just 1 in 18. So betting any of the other 89 numbers would yield the same probability of winning.

The application of this fallacy becomes extremely dangerous when coupled with Martingale betting systems, which are often adopted by “late number theorists”. The theory they use is very simple. Since they assume these late numbers are “due” very soon, they think they can afford to double their previous wager on every bet until the number eventually appears. So when it does happen, the last sum they bet is multiplied 11 times (for the payout), they recoup all the money they’ve spent up until then, and they end up netting a large additional payout of (last wager x 8.232 + 1) Euros.

Martingale betting systems are guaranteed to work provided that the gambler has an infinite amount of capital and no limits are imposed on the maximum bet that’s allowed to be placed. In the real world, neither of these requirements can be realistically met. The amount bet grows exponentially, so the Martingale system ends up being a surefire way to bankrupt those who employ it.

In the case of the Italian Lotto, both the fallacy that late numbers are “due” and the choice of betting system (Martingale) are responsible for the ruin of many. The gambler’s fallacy plays an important role in this case because most people realize that they can’t sustain a Martingale type system for 200 consecutive draws. It’s their faith in the idea that late numbers are very likely to pop up soon that tempts them into toying with this risky system.

If we assume these people are convinced that a very late number (say, one that hasn’t been drawn in the past 180 lottery draws) will be selected at some point during the next 5 weeks or so (15 trials), and that they’re starting with a bet of one Euro, we can see that the maximum amount they’d need to invest (according to their theory) would be 32,768 Euros, with a max bet of 16,384 Euros by the 15th draw. This is a sizable sum of money, but something that some people would still be able to put down, especially because they know the payout would be 184,025.088 Euros (before taxes). A tempting prize indeed.

But what are the real odds that the number in question, the one that’s been eluding the gamblers, will not end up occurring at least once in the next 15 draws?

$$ \mathrm{P}(\overline{E}) = \left(\frac{17}{18}\right)^{15} \approx 0.4243 $$

So there is a 42.43% risk that the punter will lose their 32,768 Euros, because they won’t have sufficient funds to double their wager at the next turn (assuming 32,768 Euros was the maximum amount they can afford to bet).

Bear in mind that with an exponential growth of the bet, a huge amount of capital will only afford our late number gamblers a few extra draws, thereby only slightly increasing their probability of making a profit. (With a payout of 11.232 times the wager, they could afford a smaller increase in the amount of money they put down draw by draw, but the overall principle remains the same.)
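The calculations in the coin and Lotto passages above, carried through in Python as an added example (this is not code from the Math-Blog article or from this post). The only values taken from the article are the game parameters: 5 distinct numbers drawn from 90, so a given number appears in a draw with probability 5/90 = 1/18, and a gross return of 11.232 Euros per Euro staked on an “estratto semplice”. The exact streak probability, the (17/18)^15 bust risk, the doubling ledger, the house’s expected return and a seeded Monte Carlo check of the “heads after a streak” claim are all computed from those inputs. The ledger treats 11.232 as the gross return per Euro, so the net on a win is that return minus every Euro staked up to and including the winning draw.

```python
"""Worked numbers for the coin-streak, 'late number' and Martingale discussion.

Added example, not part of the original article. The only inputs taken from the
article are the game parameters (5 of 90 numbers per draw, 11.232x gross return);
everything else is derived from them.
"""
import random
from fractions import Fraction

NUMBERS_DRAWN = 5
NUMBERS_TOTAL = 90
P_HIT = Fraction(NUMBERS_DRAWN, NUMBERS_TOTAL)  # 5/90 == 1/18 per draw, per number
GROSS_RETURN = 11.232                           # Euros paid back per Euro staked (article's figure)


def coin_streak_probability(n_heads):
    """Exact probability that a fair coin shows heads n_heads times in a row."""
    return Fraction(1, 2) ** n_heads


def empirical_heads_after_streak(streak, n_tosses, seed=2009):
    """Monte Carlo check of the gambler's fallacy: among tosses that follow a run of
    `streak` heads, what fraction are heads? For a fair coin it stays close to 0.5."""
    rng = random.Random(seed)
    tosses = [rng.random() < 0.5 for _ in range(n_tosses)]  # True means heads
    follow_ups = heads = 0
    for i in range(streak, n_tosses):
        if all(tosses[i - streak:i]):
            follow_ups += 1
            heads += tosses[i]
    return heads / follow_ups


def p_number_absent(n_draws):
    """Probability that a given number is drawn in none of n_draws independent draws,
    (17/18)^n_draws. This is the bust risk of a gambler who can fund n_draws doublings."""
    return float((1 - P_HIT) ** n_draws)


def expected_return_per_euro():
    """Long-run Euros returned per Euro staked; anything below 1.0 is the house edge."""
    return GROSS_RETURN * float(P_HIT)


def martingale_ledger(first_bet, max_draws):
    """Doubling-after-every-loss stake sequence. Each row records the stake on draw k,
    the cumulative outlay, and the net result if the number finally comes up on draw k
    (gross return on that stake minus everything staked so far)."""
    rows = []
    stake, spent = float(first_bet), 0.0
    for k in range(1, max_draws + 1):
        spent += stake
        rows.append({
            "draw": k,
            "stake": stake,
            "spent_so_far": spent,
            "net_if_hit_now": GROSS_RETURN * stake - spent,
        })
        stake *= 2
    return rows


def simulate_bust_rate(max_draws, trials, seed=2009):
    """Monte Carlo estimate of how often the number stays absent for max_draws draws,
    i.e. how often a gambler capped at max_draws doublings loses the whole bankroll."""
    rng = random.Random(seed)
    busts = 0
    for _ in range(trials):
        for _ in range(max_draws):
            if rng.random() < float(P_HIT):  # the 'late' number finally appears
                break
        else:
            busts += 1
    return busts / trials


if __name__ == "__main__":
    p30 = coin_streak_probability(30)
    print("P(30 heads in a row) =", p30, "~", float(p30))
    print("Heads after 5 heads (empirical):", round(empirical_heads_after_streak(5, 200_000), 3))
    print("Euros returned per Euro staked:", round(expected_return_per_euro(), 3))
    for row in martingale_ledger(1, 15)[-3:]:
        print(row)
    print("P(number absent for 15 draws) =", round(p_number_absent(15), 4))
    print("Simulated bust rate over 15 draws:", round(simulate_bust_rate(15, 50_000), 4))
```

Running it shows the bust risk for a 15-draw bankroll at about 0.4243 from both the closed form and the simulation, an expected return of 0.624 Euros per Euro staked, and a doubling ledger in which the 15th stake is 16,384 Euros and the cumulative outlay is 2^15 - 1 Euros; the empirical fraction of heads following a five-head streak lands near 0.5, which is the whole point about independent trials.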

What has an adoption of this faulty theory led to in Italy? What kind of impact has it really had on those who adhere to it? The honest truth is that it’s gone so far as to contribute directly to things like suicides, people swindling their friends and employers, divorces, people betting their life savings and their homes, families being destroyed, and so on. Do such dire consequences occur to everyone who plays this game? No, of course not, but the fact that it’s happened to some people, and that these flawed theories are still employed today, is indicative of the misunderstanding about probability (and the risks of gambling) that occurs in the general population.

One could – and should – argue that such people’s demise is due to their gambling habits and to good old fashioned greed, yet I can’t help but feel that a solid understanding of probability theory would go a tremendous way in helping to cut down on the number of people who fall prey to these types of widespread theories.

An increased awareness of probability and statistics can only improve society and its ability to assess situations and make rational decisions. How do we begin to remedy this situation, not only in Italy, but around the world? We can start by devoting far more time in grade, middle and high school math classes, in order to teach students about this important subject and the implications that it can have on their everyday lives, understanding of society, and ability to make wise financial decisions.


Interesting article on Probability Theory

Posted August 24, 2009
// 0 Comments

» Twitter-based Botnet Command Channel · Security to the Core | Arbor Networks Security

Good blog posting about an interesting way to control a botnet. I thought this would eventually happen. Still it shows us that the botherders are still not really thinking too hard about their C&C. Seriously guys have you ever heard about SILC??

Posted August 13, 2009
// 0 Comments

Quote of the day (QOTD)

Watching Diners, Drive-ins and Dives I heard the quote of the day. Chef Guy Fieri said "That's not grease, those are tears from a flavor angel." <- Total Win!

Posted August 9, 2009
// 0 Comments