Internet Security: Where Do We Stand
buxton writes "The Economist is running an interesting story which overviews the current global situation on internet security in hackers, terrorism, worms & virii, Microsoft's 'monoculture', and a bunch of other interesting points. Some nice suggestions made by big names in the software industry have been included, such as creating more easily traceable methods of people (i.e. trying to eliminate online anonimity) as a method of preventing hackers. One suggestion which I thought was partictularly interesting involved a bounty system whereby a price would be put on 'hacker's heads', incentivating other hackers to go after them and bring them forward."
Just remove all the remaining trust between hackers...
I am sure most hackers would not grass/bring them forward for money - especially in groups.
Is it a boat?
Isn't teaching people how to defend themselves using free open source software better than talking about the best way to start up a posse?
With just IPTables and SpamCop configured properly most of these security problems disappear.
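An added example of the "configured properly" part of the comment above (not the commenter's own configuration): a default-deny iptables ruleset in iptables-restore format. It assumes a single host that exposes only SSH (port 22, overridable) and a kernel with the conntrack match; everything else inbound is dropped, invalid connection-tracking states are discarded, and new SSH connections are rate-limited.

```shell
#!/bin/sh
# Added example: default-deny inbound policy for a single Internet-facing host.
# Assumptions: only SSH is served (port given as $1, default 22), the
# conntrack and limit matches are available, loopback is trusted.

# Emit the ruleset. Keeping it in a function means it can be inspected,
# diffed or tested without touching the live firewall.
firewall_rules() {
    port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is trusted
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related traffic (e.g. FTP data)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets the tracker cannot classify (bad flags, out-of-window) are dropped
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the one exposed service, rate-limited against password guessing
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -m limit --limit 10/min --limit-burst 20 -j ACCEPT
# allow ping, but not a flood of it
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
COMMIT
EOF
}

# Number of rules that accept NEW inbound TCP connections. On a default-deny
# host this should stay small and deliberate; review it whenever it grows.
count_open_ports() {
    firewall_rules "$@" | grep -c -- '--ctstate NEW -m limit'
}

# Apply atomically: iptables-restore replaces the whole table in one step,
# so there is no window with a half-loaded policy.
apply_firewall() {
    firewall_rules "$@" | iptables-restore
}
```

Run `firewall_rules | less` to review before `apply_firewall` (which needs root); the only way to open another port is to add a rule, which is the point of default-deny.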
These ideas of eliminating online anonymity need to be offset against the benefits this anonymity brings. It has been a huge boon for political activists in countries with "overbearing" governments, for whistleblowers in all nations, and for all sorts of other reasons.
...
To quote an article I wrote on this some time ago:
"During the Kosovo conflict in 1999, a sixteen-year-old ethnic Albanian girl, nicknamed "Adona", began an e-mail correspondence with a junior at Berkeley High School, America. She wrote of Serbian forces holding her village to ransom, killing journalists and community leaders, raping women, and finally of her friends and family deserting the village.
Because of the anarchistic, anonymous nature of the Internet, the Serbian authorities could do nothing to stop this flow of information between its citizens and the outside world, which meant that it could no longer censor all information. This not only gave the people of Kosovo who had some access to these Internet organisations hope and a sense of purpose during the conflict, but helped the international community better understand the circumstances in Kosovo during and after the conflict."
"incentivating"
Some mornings it just doesn't seem worth it to gnaw through the leather straps. -- Emo Phillips
It is one or the other. It is impossible to increase security without reducing anonymity. The Internet has been hailed for its anonymity, and it is a thing that should be kept. But on the other hand it also lacks the possibilities (with the current email protocol) to increase one's security with a reduction of anonymity. For example, there is not yet a possibility to only receive email from people that have revealed their identity to a trusted third party. I am afraid that it is mainly a problem of legacy that a secure email protocol has not been deployed yet.
But this is slashd... oh, you meant metaphorically.
good effort on spelling errors! anonimity! incentivating! partictularly!
thankfully you were saved by not using the clumsy "viruses"
It's viruses - not virii ;P
Any technology distinguishable from magic, is insufficiently advanced.
Seriously. For more information than you ever wanted to know about why "virii" is incorrect, please see here.
Thank you.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
I find it funny that I've never seen an article which correctly uses the terms 'hacker' and 'cracker'. This one included, although they don't even mention 'cracker'.
The old cliché of the kiddy hacker in their basement, bragging about their accomplishments on BBSes, is a little old, and somewhat funny. No serious hacker talks about what they do. There would be no one to hand you in, because no one but the hacker knows it was them. This wouldn't stop hacking; it MAY stop some kids from running DDoSes on IRC channels because they got 0wn3d on Efnet. (Did they ever get to Efnet 2? Haven't been in a while.)
-- Having a Creationist Museum is like having an Atheist place of worship
We're gonna have squads of mercenaries trolling the internet picking off script kiddies (and probably bystanders too) while the real crackers continue to be dicks, and the real white-hats get picked off by the posses.
Only in a Slashdot fantasy can a Slackware install turn into several hours of sex . . . . .
And people are starting to understand it.
The Internet is not a planned system. It grows and connects like a natural system obeying laws such as Zipf's Law.
When it comes to security, the best model for what is going on in the Internet is also an organic model, namely the naturally occurring phenomenon of parasites, and the way these evolve in any real or simulated ecology.
I've gone into boring detail in my journal.
My opinion is that until we use natural models, and learn from them, we will not be able to stop the rising tide of parasitical code that infests the Internet.
"Monocultures" are a large part of the problem, and the Economist rightly argues that opening the Windows source code to third parties would create more variety and thus more security. But I think we have to go much further, towards systems that actively evolve to protect themselves against parasites.
I've been criticised for saying this by people who say "it's just a metaphor, it does not mean anything". This is untrue: it is a model, one that we can use to understand what the heck is going on: what are the dynamics behind the process, what are the weaknesses of today's infrastructure, and what are the best solutions.
Let me summarize this one more time: The internet behaves like an ecology, obeys the same laws as natural ecologies, falls prey to the same problems as natural ecologies, and if we want to create structures that survive these problems, we must understand things in terms of an ecology, not a planned design.
Ceci n'est pas une signature
no != know? I hope this was an attempt at sarcasm.
No clever ideas like this are, were, or ever will be a suitable substitute for implementing real security. People need to wake up and realize that "hackers" are successful because people still prefer convenience above all else.
For one, we still have this serious problem of people using software that is fundamentally insecure (Outlook, IE, IIS, Windows, etc.). Nobody seems to be getting the point that Microsoft products fail utterly at meeting any of Microsoft's promises about security.
Of course, I would venture that is not even the biggest problem. People refuse to use strong passwords (or at least change them regularly). Software is not kept updated on servers (I recognize that free and open software like Linux is insecure if you're behind the times). Services are kept wide open so that nobody has to go searching for access (think file shares). Nobody uses encryption (viruses and spam would cease if company mail servers required valid PGP signatures from employees on emails before they got delivered).
There's so much that needs to be done. The above is hardly an exhaustive list (nor was I making an attempt to create one), but nobody seems interested in taking a crack at what really matters. Instead most seem to be more interested in silly ideas like "hacker bounties" which would be utterly ineffective against a group of people which do not seem to fear consequences for their actions.
Cure the sickness; don't treat the symptoms.
Join Tor today!
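Two comments above ask for mail that is accepted only from senders who have proven an identity: the one wanting to "only receive email from people that have revealed their identity with a trusted third party", and the one claiming company mail servers should require "valid PGP signatures from employees". The following is an added example of such a delivery gate, not code from either commenter: it parses PGP/MIME (RFC 3156) multipart/signed messages and refuses mail from internal addresses unless the signature is valid, made by a key on the employee roster, and that key belongs to the claimed sender. Everything named here is an assumption: the company domain example.com, the roster fingerprints, and the verifier, which is injected as a callable so the policy runs offline (in production it would wrap `gpg --verify`; the stand-in here is a hash check, not a real signature scheme).

```python
"""Added example, not from the original posts: a delivery gate that refuses
mail from internal addresses unless it is PGP/MIME-signed (RFC 3156) by a
key on the employee roster. Assumptions, all hypothetical: the company domain
is example.com, ROSTER maps key fingerprints to the one address each key may
sign for, and signature verification is injected as a callable so the policy
runs offline (in production that callable would wrap `gpg --verify`)."""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Callable, Optional

INTERNAL_DOMAIN = "example.com"                              # assumed
GOOD_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"       # assumed roster key
UNKNOWN_FPR = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"    # assumed off-roster key
ROSTER = {GOOD_FPR: "alice@example.com"}                    # fingerprint -> owner

# verify(signed_bytes, signature_bytes) -> fingerprint of the signing key, or None
Verifier = Callable[[bytes, bytes], Optional[str]]


def extract_signature(msg: EmailMessage):
    """Return (signed_bytes, signature_bytes) for a multipart/signed message,
    else None. RFC 3156: exactly two parts; the first is the signed content as
    transmitted (CRLF line ends), the second is application/pgp-signature."""
    if msg.get_content_type() != "multipart/signed":
        return None
    if msg.get_param("protocol") != "application/pgp-signature":
        return None
    parts = msg.get_payload()
    if len(parts) != 2 or parts[1].get_content_type() != "application/pgp-signature":
        return None
    return parts[0].as_bytes(policy=policy.SMTP), parts[1].get_payload(decode=True)


def delivery_decision(raw: bytes, verify: Verifier) -> str:
    """Return 'deliver' or 'reject: <reason>' for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender.endswith("@" + INTERNAL_DOMAIN):
        return "deliver"            # external mail is outside this policy's scope
    sig = extract_signature(msg)
    if sig is None:
        return "reject: internal sender without PGP/MIME signature"
    fpr = verify(*sig)
    if fpr is None:
        return "reject: signature does not verify"
    owner = ROSTER.get(fpr.upper())
    if owner is None:
        return "reject: signing key not on employee roster"
    if owner != sender:             # a good signature by someone else's key is still a forgery
        return f"reject: key belongs to {owner}, not {sender}"
    return "deliver"


def fake_verify(signed: bytes, signature: bytes) -> Optional[str]:
    """Offline stand-in for gpg --verify (NOT a real signature scheme): the
    'signature' is '<fingerprint>:<sha256 of signed bytes>'. gpg would instead
    report the fingerprint of the key behind a good signature, or fail."""
    try:
        fpr, digest = signature.decode("ascii").strip().split(":")
    except ValueError:
        return None
    return fpr if digest == hashlib.sha256(signed).hexdigest() else None


def _assemble(sender: str, body: str, sig_text: str) -> bytes:
    """Constructed sample PGP/MIME message (not captured from real traffic)."""
    b = "=-sig-boundary-="
    return (
        f"From: {sender}\r\nTo: bob@example.com\r\nSubject: weekly report\r\n"
        f'MIME-Version: 1.0\r\nContent-Type: multipart/signed; micalg=pgp-sha256; '
        f'protocol="application/pgp-signature"; boundary="{b}"\r\n\r\n'
        f"--{b}\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n{body}\r\n"
        f"--{b}\r\nContent-Type: application/pgp-signature\r\n\r\n{sig_text}\r\n"
        f"--{b}--\r\n"
    ).encode("ascii")


def build_signed(sender: str, body: str, fpr: str, tamper: bool = False) -> bytes:
    """Sign with the stand-in scheme; tamper=True alters the body after signing,
    as a worm rewriting outbound mail (or a man in the middle) would."""
    draft = message_from_bytes(_assemble(sender, body, "x:x"), policy=policy.default)
    signed, _ = extract_signature(draft)
    sig_text = f"{fpr}:{hashlib.sha256(signed).hexdigest()}"
    if tamper:
        body += " Also run the attached screensaver."
    return _assemble(sender, body, sig_text)


def run_policy(verify: Verifier = fake_verify) -> dict:
    """Apply the gate to constructed samples; returns name -> decision."""
    samples = {
        "signed_ok": build_signed("alice@example.com", "Numbers look fine.", GOOD_FPR),
        "tampered": build_signed("alice@example.com", "Numbers look fine.", GOOD_FPR, tamper=True),
        "unknown_key": build_signed("alice@example.com", "Numbers look fine.", UNKNOWN_FPR),
        "wrong_owner": build_signed("carol@example.com", "Numbers look fine.", GOOD_FPR),
        "unsigned_internal": b"From: alice@example.com\r\nTo: bob@example.com\r\n\r\nclick this\r\n",
        "external": b"From: friend@example.org\r\nTo: bob@example.com\r\n\r\nhello\r\n",
    }
    return {name: delivery_decision(raw, verify) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, decision in run_policy().items():
        print(f"{name:18} {decision}")
```

The check that catches the most in practice is the last one in `delivery_decision`: a worm that has stolen a key (or an employee who has one) can produce a perfectly valid signature, so the gate also has to confirm that the key is the one registered for the address in the From line. Note what this does not solve: anything the employee's own machine sends with their key, which is exactly the mass-mailer case the comment hopes to stop.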
TCPA will be an important victory for everybody on the internet.
The first steps of it are already being made by Phoenix and Microsoft, and I'm sure that, when it's fully implemented, there won't be more viruses or even SPAM for that matter.
Since TCPA relies on trusted systems, anything that stays out of the "trusted ring" (i.e. virus writers, other untrusted systems, etc.) won't be able to affect the system.
I hope everybody here at Slashdot understands the importance of such a move in the computer industry, since it's not such a matter of monoculture, but a system that only allows trusted content to flow...
how long until
Isn't eliminating online anonymity practically impossible? What about cybercafes, for instance? (Although not big in the USA, cybercafes are one of the main ways to access the internet in many poorer countries.)
Secondly, supposing you did manage it by imposing some kind of draconian laws, i.e. you have to log on at all cybercafes with some universal ID. Then wouldn't identity theft become an even bigger problem, i.e. hackers would pinch other people's identities to hack.
While total security will never be achieved, I feel that there are efforts that can be made to minimize the effects of hackers.
The internet will never have total security. There will always be ways around any programming that was made. There will always be bugs, loop-holes, etc. We are not perfect in our ability to program, and subsequently our coding is not perfect.
But with this being said, that doesn't mean that we can't do anything to help protect ourselves. We can make effective practices of protecting systems by physical methods. If you don't want people to hack your system, don't connect it up to the internet. I know that those nuclear technicians love to surf the web while at work, but that doesn't have to be the same system that runs the reactor.
Virus writers will always exist, just like music sharing, and ads. The key is just how you will negate their effects.
Microsoft is far behind in the security world. Their "Security is #1" is just bull to make people feel better about using Windows.
If Microsoft is so secure, how come it:
1. doesn't support APOP in outlook [express]?
2. doesn't support IPsec tunnel?
3. still supports Frontpage?
4. doesn't let you see what's going on (netstat on unix shows the process related to the socket opened, windows does not)
on and on..
Why is the only way to somewhat-secure Windows limited to buying third-party apps?
Pay low-life a lot of money to catch other low-lifes. Yeah right.
Imagine this: your little sister sits in front of her computer, ready to send the latest pix of her little doggy to your grandma.
Five cops burst through the door and arrest her for spreading that noxious "I love goatse.cx!" virus. Yes, that virus. The one that installs a spambot on your Windows machine.
Her crime? She clicked on that little "Rudolph the red-nosed reindeer e-postcard" that was sent to her by the nice girl she chatted with yesterday.
End result? '000s of $$$ spent in legal fees and millions of dumb IIS/Exchange servers crashed all over the world. And one very rich bastard, laughing all the way to the bank for denouncing an innocent.
Thank you, The Economist. Great idea.
Here is my offer: banish Microsoft products everywhere. Replace with medium- (Linux) to high-security (OpenBSD) OSes everywhere and watch the [virus|worm] problems disappear. Oh, and make spamming a crime punishable by public castration. That should do the trick.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
See if you can get the most bounty on your head! Open to script kiddies everywhere!
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
Bounty system, wow, that's a brilliant idea.
Instead of hacking systems, hackers can instead hack systems, frame teenage kids, and make money! Sweet!
---
I support spreading santorum
If the government can do it, why couldn't a cracker?
- viri
- virii
- viriii
- viriv
- virv
- virvi
- virvii
- virviii
- virix
- virx
(nicked)Justin.
You're only jealous cos the little penguins are talking to me.
One suggestion which I thought was partictularly interesting involved a bounty system whereby a price would be put on 'hacker's heads', incentivating other hackers to go after them and bring them forward.
That's not interesting at all. As covered here, that's what MS thinks is the way to address the issue. All that's interesting about that situation is that they've set aside 10 times as much money as they have current bounties for; how is expecting 10 times as many security issues in the future considered any sort of a fix for the problem?
Being British, this shouldn't affect me directly, but with Blair doing his best to be Bush's lapdog, what starts in the US will inevitably trundle its way here.
I think MS and most other s/w firms like to have a 'recurring income model' for s/w, rather than a one-time fixed income model. It follows therefore, that some 'value' has to be delivered to the customer, to justify the expenditure.
For an OS and Office writer, which is what MS basically is, it helps to deliver this 'value' in terms of Service Packs and bug fixes for problems it was responsible for creating, and which it is morally obliged to undertake for free, rather than for an annual 'Subscription (Dis)Advantage Agreement'.
Thus, it is more crucial to know of MSs plans, rather than where we stand currently - while discussing this topic of security. If MS gets away with Palladium, they might actually write secure code; if Palladium fails to take off, users will have to live with these worms and security hazards.
Which is why I posted this earlier, and got modded Flamebait!!
"Where does Microsoft want us to go tomorrow? (Bankrupt, yes,.. that seems to be the answer).
Wherever we stand now, we stand naked - ready for exploitation; the situation isn't changing fast, either."
If you keep throwing chairs, one day you'll break windows....
"I'm kind of a fan of eliminating anonymity," says Alan Nugent, the chief technologist at Novell, a software company, "if that is the price for security."
On the surface, this is a sensible statement, but this is the kind of thinking which must be debunked at all costs. What is needed are systems which allow anonymity where it is valuable and eliminate it where it is not.
Just as in the real world we have the option of using our credit cards to buy groceries, and cash to buy anti-government literature, the internet needs security where security is important and must still provide anonymity where users judge it to be important to them. To say it is impossible to provide both shows a failure of imagination on the part of the commentator.
Enforcing security by exposing everybody to scrutiny denies us freedom. Don't let it happen. Choose the right to be an anonymous coward, if that's what your subject demands.
-
One suggestion which I thought was partictularly interesting involved a bounty system whereby a price would be put on 'hacker's heads', incentivating other hackers to go after them and bring them forward.
If anyone thinks this will work, then I feel sorry for them. Hackers by and large aren't going to rat on each other. There's one really good reason: if the one they ratted on finds out who they are, or his/her friends find out, then the rattee is going to be in deep doodoo fast. Facing this, they'll just take the route of least resistance and easy moolah and rat out innocents, or even set up innocents and report them. Think about it, how hard is it to infect the average joe's computer with a trojan, worm or virus? History (heck, recent history in fact) shows us that it's not terribly hard. For some of these worms/etc. that come out, you don't even have to click on anything to get infected! So it'd be easy as pie to set someone up. Just infect their machine with a trojan, make their machine do Evil Things (tm) while they're actually active on it, cover your tracks, and report. Law enforcement tends to be overexuberant on catching cyber evil-doers, and there's a more than fair chance they won't dig deep enough to notice the tracks the hacker left on the innocent guy's computer.
And to be honest, they probably won't get the chance to. How many average joes out there have done something not-so-legal? Probably a lot, it seems everyone and their brother's wife have illegal software of some sort to hear people casually talk about it. I've heard customers at Wal-mart ask employees if they can install ___ software on more than one computer. (Often it's anti-virus software they're asking about ironically.) When average joe is faced with getting in trouble for the stuff he knows he's done wrong, he'll probably cop a plea bargain to avoid that coming to light. And law enforcement will go along, after all it will look like a win for them on the public relations front.
For those that will scream that law enforcement wouldn't do these things, I can only tell you that I hope you never get to find out first-hand just what they will and won't do. I had the misfortune and it was a real eye-opener. I prefer not to go into specifics, but I will say that before my experience I never believed any of the supposed "conspiracy theories"/etc. about how bad law enforcement and/or the FBI/etc. were. Now I think they're all dead on.
Bottom line, putting out bounties on cyber-criminals would result in many innocent victims, and probably very very few real criminals being caught.
The answer is:
Between a rock, and a hard place.
"Incentivating?" "Incentivating??"
There's one simple way to instantly eliminate all VB script virii and IE security flaws, and I think we all know what it is? Yes, that's right, it's our trusty friend "Add/Remove Programs" and our even more trusty friend, an alternative browser and mail client. People, it's not like there aren't alternatives, and it's not like there aren't good alternatives. Personally I use Opera because it feels faster than anything (including IE) and it has a whole host of features IE doesn't. It took me one week a few years ago to make the switch and I've never looked back. I was stuck with an old computer and a slow connection abroad for a week; instead of downloading a 30Mb IE install I decided to go with Opera, and when I came back home it was the first thing I installed. I even got my girlfriend to switch to Opera! (And she uses Flash of all things!) So basically there's no excuse for IE flaws and VB scripts, which are pretty much the major annoyances for the average user on the net, so let's look at a comparison:
:) Hm, that's a strange pr0n site, there are no annoying pop-ups killing me except that one I requested. Now for my email, let's see: "enlarge your boobs" er no, "clear your browser history" er that's ok, I can already do that, "eliminate pop-ups" er nah, that's ok. OK, that's that taken care of, now for some hot sex.
IE user:
Ah, why are all these pop-ups opening? Ah, I'll close them. Oh shit, more are opening, it's like I don't have control. Ah, I knew I shouldn't have visited goats cx! Oh crap, IE just crashed, oh well, I've lost all the windows I had open. I'll start it up again, but ahh, it's taken my home page to something else! OK, I'll check my mail. Oh fuck, it just mailed my entire address book with some new virus.
Alternative user:
Hm, let's see, la la la, oh dear, my browser crashed, one sec, I'll start it up again, *clicks restore* OK, there we go, all my windows are back up.
You don't need bounties or legislation, just better software.
This comment does not represent the views or opinions of the user.
The gist of Mr Geer's argument is that Microsoft has over the years created "unacceptable levels of complexity" in its computer code. It has done so because its main objective has been to lock users into its software by tying the Windows operating system together with applications such as Word, Explorer and Outlook...
Not surprisingly, Microsoft bristles at this line of thought. The only reason the firm has been bundling the operating system with applications is that customers want it to, says Mike Nash, a Microsoft executive in charge of security issues. He finds it "personally insulting that people think our motivation is anything else."
Oh, puh-leeez, give me a break! When was the last time that Microsoft asked customers about what new features they wanted in Windows and the answer came back: "Make the code bigger, slower and more complicated. And this thing with the DOJ, make sure that you build the browser right into Windows. And more viruses; I love them viruses!"
For years now, Microsoft has been blaming the users for demanding the poor design decisions that have made Windows the mess that it is. Truth is, Microsoft stopped caring about what users want many years ago; all they care about is what Microsoft wants. As long as they keep their current mind-set, the Internet in general, Windows in particular, will be a vast playground for script-kiddies, spammers and thieves. No "bounty" will ever do as much as a few intelligent decisions in the design process at Microsoft.
The key point is that the Internet is not just a million computers, it is a zillion computers plus a zillion people.
It's the people and their ways of using the Internet that turn it into a natural ecology.
Laws are not the answer: it will just create a criminal underground. You cannot legislate against human nature - look at the "war on drugs".
Tighter security is not the answer: every lock designed by a human can be picked by a human.
Open source is not the answer: any suitably complex system, transparent or not, will have security flaws, usually at the user interface point (think: weak passwords).
Security patches are not the answer: parasitical code can spread many times faster than any human reaction time.
I believe the answer is that computer systems will have to evolve something similar to an immune system, based on recognising friend-or-foe, and capable of regular pseudo-sexual exchange to scramble the locks against parasitical code that has adapted. Finally, it is likely that parasitical code will eventually be co-opted (just like the bacteria in our guts) into less harmful roles.
To put this into context: the wars in your intestine started with the very first life forms and have been one of the basic engines of change in evolution for 3.5 billion years (along with climate change). I believe we're only at the very first stages of this process with the Internet, but inevitably we will follow a similar route.
Anyhow, I will be long dead before this actually happens. It's just idle speculation.
Ceci n'est pas une signature
It is true that in an ecology we see replication and selection, which appear to be missing from the Internet "ecology".
However, look closer, you will see that these do actually take place. Software competes for space on hardware, for network bandwidth, and for user attention. Every CPU cycle and packet absorbed by a parasite means less for honest software. Every minute spent deleting spam is a minute less for honest work.
Ceci n'est pas une signature
Security is a process. When you see things that don't work, you change the way you behave. MS has had piss-poor security and virus scanners in place for years and this model has not worked. Yet this is what they promote for the future.
The definition of insanity is doing the same thing over and over and expecting a different outcome.
The really idiotic thing is when they try to legislate not breaking security, à la DMCA. That is like shutting the barn door after the barn has been burnt to the ground. Sure they can prosecute someone for breaking into a computer, but it's too late; the computer has already been broken into and the data all stolen.
But why, in the first place, did those computers have outside access? Or rather, entry points.
If a computer is controlling a really important piece of hardware (nuclear plant, anyone?), I sure hope it is NOT connected to ANY outside network, for whatever reason. And if it is, the one who decided it was a good idea should be held responsible for whatever happens, and lose his job, get a big fine that will make sure he will NOT EVER make the same mistake... Maybe this way security will be a level higher.
Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
Virii is a perfectly cromulent word.
"Sic Semper Tyrannosaurus Rex."
maybe incentivizing was what the submitter was after. Oh, and by the way, don't rag on someone for not "no"ing the right word to use if you can't do it yourself ;)
do not read this line twice.
The real problem is that social research has shown that incentives simply do NOT work. In fact, adding rewards has been shown to reduce the number of people that get turned in compared to when no intervention is used at all. A real solution would focus on determining and eliminating the intrinsic motivators fueling the hackers. For a good overview/compendium/analysis, read Punished by Rewards: The Trouble with Gold Stars, Incentive Plan$, A's, Praise, and Other Bribes by Alfie Kohn
You confuse cause and effect.
Regulation is not the basis of human civilization, it is an effect of it. Whenever people get together to try to cooperate on solving a common problem (and this is the basis for human society), they will define rules and an authority to enforce those rules.
Attempts to plan or regulate society without respecting the natural tendencies of people tend to create disasters. (Think of any "planned economy").
And yes, I believe that viruses will never cease to exist. It's been 20 years, and we have not seen one single effective solution to viruses, despite significant attempts at many levels.
Parasitical software is not a technical challenge like - e.g. VoIP or 3d animation. It represents a new class of problem: a self-replicating organic pest that uses human weakness to infest a technical infrastructure. So long as there are people, there will be viruses.
If you believe that this is simply because of poor security in Windows, bad email clients, etc., consider the very first wild virus, which ran on a Univac mainframe.
Parasitical code can run on any programmable system that is connected to others.
Ceci n'est pas une signature
But the patches often create more security problems than they fix, and there is a fear that Microsoft might use such regular access to desktops to keep rival software-makers away, thus reinforcing the source of the original problem, its monoculture. "If you don't trust us to download our patch, then you shouldn't be running our software," counters Mr Charney [a M$ exec], as if consumers had a real choice.
I almost choked when I read this. Not only at the hubris of the M$ exec, but at the ignorance of the Economist's response, "as if consumers had a real choice". Normally the Economist does its research and homework and shows all sides of the story without bias. But whether or not you agree with Linux being able to challenge M$ in the desktop and server space, the choice is undeniably there! Did I misread something from the article?? Shame, shame!
Buses stop at a bus station
Trains stop at a train station
On my desk there's a workstation....
One of the growing problems is the large base of broadband-connected (cable, DSL) users that ISPs insist on putting on dynamic IP address pools. We all know that there is no technical advantage to the dynamic IP addresses, since practically everyone is connected 24/7 (this is not the same situation with dial-in modem pools, where dynamic IPs are the best way to go).
If ISPs allocated static IP addresses to all their cable/DSL customers, we would see tremendous security gains because customers' addresses would stand still while they are tracked down.
Perhaps it's time to see some government regulation that requires that an ISP that provides broadband services where customers are connected more than X% of the day has to provide a static IP address. ISPs like to provide dynamic addressing because they have a persistent fear of people 'running their own servers' (bullshit), plus they can sell static IP addresses. Their approach is detrimental to general Internet security.
Imagine if there was a type of cheap cell phone service designed to facilitate outgoing calls only, accomplished via a dynamic origin phone number (that changed daily), making it nearly impossible to have someone phone you back. Don't you think such a phone would be a huge source of all kinds of abuse? That's what ISPs are making possible by dynamic IP addresses on broadband customers. These hosts become rogue, because they are moving targets.
Slashdot has become synonygous with psuedoisms in recent days, with the number of new words created jumplexing infinumerously.
The blame for the phenominii has been attributed to "Encyclobabblic ilittributors", intent on adding words to the English lingolanguage.
Why not open your pc to being fixed by white hat viruses. Anti virus viruses seem to be held back by legal concerns, but these would diminish if the user explicitly invited anti virus viruses onto the system. Typically the system would be a single pc connected to the internet.
Let the white hat black hat battle rage on the net, like a bigger version of that simulated core wars game.
Be Free: Free Software Tuition
Is this really the president of one of the largest network security companies in the market claiming that not one company in Checkpoint's 90% market share was affected by MSBlaster?
There's no excuse for a word like that. People have been shot for less.
"Internet Security" is an oxymoron anyway.
not to mention"anonimity" and "virii"
Dear Frans,
I regret to inform you that Anonymity is no longer an option due to the new Security Policy we have implemented to protect you, our Valued Customer. Please take the time to check our new Terms Of Service which have also come into effect at this time.
Regards,
Customer Services Department.
"Internet Security" is an oxymoron.
In my experience, anonymity increases security. When people can have anonymity, we don't make lazy assumptions in the way we design our software. It avoids the "well, we don't need to make a tight design because we can always trace it back to whoever..." attitude and forces security to be put in a proper context from the beginning.
Anonymity also encourages "unextorted" behavior. Voting is a good example: on an individual scale, blackmailing someone to vote for a candidate is very difficult. The same applies to social behaviors on the internet. If you can trace people back to the source, but they're anonymously extorted, then you have not given yourself better security, just an illusion.
Also, historically, look at the way the Germans took away the guns from all the registered gun owners in 1940. And then look at how the Jews were forced to wear a Star of David on their shirts. In these cases anonymity did nothing to increase security, but did a lot to promote tyranny. My fear with the internet exactly.
We've learned from millennia in meatspace that you need more than one tool if you want to limit antisocial behavior.
We have locks and alarms, we have liability laws for vendors who supply unsafe goods, and we offer rewards for informing on criminals.
>silly ideas like "hacker bounties" which would be utterly ineffective against a group of people which do not seem to fear consequences for their actions.
Wouldn't destructive virus writers be more fearful if they knew that their "friends" might turn them in for a reward? Right now consequences are rare, but the black hats fear them enough that they try to cover their tracks.
>There's so much that needs to be done.
Amen! If people protected their computers and networks as well as they protect their cars and houses we would be better off.
use a homonym!
Just another proletarian malcontent.
Given that the magazine is the Economist, I'm surprised they didn't suggest letting "the market" work out the issues before they started screaming for the end of anonymity on the interweb.
[o]_O
Microsoft should PAY hackers to find security holes. It would be a relatively small cost for MS to pay, and it would give hackers a place to report holes... It's so obvious, I can't believe it hasn't already been implemented.
Let's see, a bounty for the head of the cracker who did the deed.
Let's say I am really, really good.
Let's say that the cracker who did the deed is really, really good and very dangerous.
Let's say that the bounty is really, really high.
Let's say that there is another cracker, call him "stooge," who is really good, somewhat dangerous, but not as good or dangerous as am I.
I want the bounty, I can very effectively frame stooge, who is pretty darn good, but framable, and not so dangerous.
Or I can go after someone who is much better and more dangerous.
Looks like all a bounty system would do is incentivize crackers to do very effective jobs of framing innocent, less effective, hackers.
The Economist should know more about Economics.
but do precious little to keep out the crooks. Finding ways to mitigate online anonymity might, in Darwinlike fashion, weed out the script kiddies, but would likely do little to keep good crackers and outright crooks from staying anonymous.
Use of disguise and false identities has been a criminal (and espionage) tool for hundreds of years, despite extensive efforts of governments to document and prevent such conduct. Why would this be any different? Except now, only the crooks will have anonymous identity...
By depriving crackers of anonymity, all we are doing is making it easier for crackers to exploit and beat up on their honest and innocent prey, who will no longer be anonymous.
Sir:
This is OT, it's just a warning to "consider the source."
The Economist has, in the past decade, gone from being reasoned and sensible to a shrill mouthpiece for The Right. Any story bigger than one column inch becomes a vehicle for what can best be described as capitalist propaganda.
Even after their hawkish view on Iraq -- that Saddam possesses WMDs and is an imminent threat -- stands discredited, they still toe the neocon line.
The only thing left of value in The Economist is the wonderful charts and graphs in the back. And the occasional one-column-inch piece that doesn't have time to get into political rhetoric.
The Economist is still a valid news source, but if they keep heading down the path they're on, they are destined for irrelevancy. I cancelled my subscription a few months ago and I'm not looking back. Somebody please let me know if they pull their heads out of their asses.
Really, if you start getting a bounty on hackers, then it makes it a viable option for a career. Perhaps not a full-time career, but maybe a side-job in addition to your pay-the-rent-feed-the-family type employment.
A lot of people argue that bounties will drive hackers (for the assumption of the article, blackhat varieties) underground, or perhaps incite turning in innocents for money... which is likely possible. You might want to consider that after a certain period of time, a process will be garnered to separate the idiots from the professionals, and individuals respected in the field of hack-tracking can arise.
Which leads me to ask, other than certain gov't agencies that do investigate such things (usually only when involving larger amounts of money), is there anyone out there that does employ themselves by offering services for tracking hackers/DDOS'ers/spammers for organizations? I think many businesses might be happy to pay somebody to track down an attacker and then deal with them as opposed to pay extortion fees or deal with loads of penis-enlargement ads sucking their bandwidth...
A few hundred lawsuits later, everything will be as tight as it was in the Multics days.
There is no problem with hackers if you run an OpenBSD firewall. Only idiots trying to use Windows as a firewall have problems!
Stop forking English!
Soylent Green is peoplicious!
OK, let's suppose for a moment that all Internet activity is traceable under judicial supervision by the legal authorities, and no-one else.
Now, the following people will have to take responsibility for their actions, and one way or another, those actions will stop:
and so the list continues.
That's a whole lotta benefit for giving up true anonymity in favour of legitimate traceability on the same terms as you'd have it in real life.
Anonymity's only real benefit is that it lets you make a genuine complaint without fear of reprisal. Of course, no-one sensible will take an anonymous source seriously; how do you know that girl was an ethnic Albanian, and not a spook working for the other side?
Actually, the big problem is that so many people do take it seriously, hence all the problems listed above. With freedom of speech must come responsibility for what you say. It does in the real world, so why should you get away with it on the Internet?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
virii -- Incorrect pluralization of "virus", used by people who want to make themselves look smarter. Example: "My computer is infected with virii! I am also a moron."
Oxford English Dictionary
b Pl. viruses. An infectious organism that is usu. submicroscopic, can multiply only inside certain living host cells (in many cases causing disease) and is now understood to be a non-cellular structure lacking any intrinsic metabolism and usually comprising a DNA or RNA core inside a protein coat (see also quot. 1977). [ Formerly referred to as filterable viruses, their first distinguishing characteristic being the ability to pass through filters that retained bacteria. ]
In addition, there is no Latin word virii. There is virus. Vir is the nearest match and it means "man."
If you feel I am mistaken, please offer any dict. or printed source which references virii with a definition.
From the article:
Last year, American spies found a shack in Pakistan where it appeared that al-Qaeda had been training hackers to break into the computer systems of dams, power grids and nuclear plants.
Look, just because you find a bunch of empty Jolt bottles, O'Reilly's "Power Grids in a Nutshell", and a stack of Buffy DVDs in a shack in Pakistan, it does not necessarily mean that al-Qaeda was training hackers there.
I sure as hell hope I don't meet a multiheaded hacker
I would love to earn bounties - bring them on!
:P
I've gotten to know a few hackers over the years of hanging in computer help channels - some are helpful and some are destructive, but they all needed assistance or peer attention: "sure I'll help - mwahaha".
Bounty Hunter #31337.
[posted anonymously in case this does happen - I don't want to ruin my chances of scoring a real job]
I agree that Macs are more secure now than Windows, but I still see a lot of real gaffes. These aren't just the occasional buffer overflow, either, these are such huge, stupid mistakes that you wonder if it wasn't intentional.
I use Linux because it's more secure and cheaper. And it's more flexible -- if Grandma needs her iptables (and I don't use iptables for firewalling, btw) then I'll just ssh in to her machine now and then. Maybe call her up -- "Um, Gram? Could you dial up now? I want to make sure you've got the latest kernel patches."
Don't thank God, thank a doctor!
First of all, the main thing we all obviously want to do here is manage risk. After all, there is a risk no matter what. Someone could get lucky with my 4096-bit RSA key, for example. I'm just willing to take that risk.
I don't believe in tracking down people after they've done something, at least in the computer world. In the real world, if you don't catch the serial killer, he may kill again. In the computer world, everyone could be wearing sexy, skin-tight bulletproof bodysuits. (My laptop is in far better shape than I'll ever be; it would look good in spandex.)
The critical element here is choosing who you trust and to what extent you trust them. Biometrics are an incomplete and problematic solution. People can modify their fingerprints, and if the fingerprint-scanning machine is compromised, people can acquire the fingerprints of others.
Passwords are also incomplete and problematic, because we are human. If only I had a dollar for everyone who uses passwords so common that they can be broken with a dictionary attack, or so short ("brad" is not a password, it's a gift to the world) that they can be brute-forced in minutes... Well, I still probably wouldn't have enough money to train them properly, so forget it.
Public key solutions can be made to work, though, perhaps with biometrics. I have a 4096-bit key with a password >20 characters, stored on my laptop and nowhere else. I don't even firewall my ssh port on my router anymore -- patches come quickly enough.
Again, the problem is who to trust. If you trust no one, you may as well sell your network card. I trust the bank where I put my money, but I don't trust every vendor I'm buying something from. For example, I'd trust the hot dog vendor with $5 from the bank (via some sort of debit card), but I wouldn't trust him with my credit card number. I also can accept the risk that he might give me a bad hot dog, thus wasting $5, but not that he might rob me blind.
Imagine everyone having a keychain-type device with a built-in thumbprint scanner. It would be vacuum-sealed, and would destroy itself (probably chemically) if that seal was ever broken. Inside would be a ludicrously long private key. Public keyservers would be available for things like allowing me to sign someone else's key, thus defining who I trust, or even just people whose keys are valid. If someone walks up to me with this device, jacks it to mine, and I sign their key, I can be reasonably secure I wasn't fooled about who they are.
This way, in the case of commerce, I only have to trust the bank or credit card company, and no one else. For convenience, I can choose to trust lots of people -- even sending the bank a signed message that I want my friend's key (public key such and such) to have access to my account. In the case of identification, I only have to trust (say) the DOT, not anyone who looks up my information.
With a system like this, identity theft would still be possible, but it would be much harder. Someone would have to steal my physical key and somehow fool it into thinking it was reading my thumb, or they would have to compromise someone else whom I had assigned a high level of trust within the system, or they would have to break my key -- the soft one, that is. I am sure the vacuum-seal could work very well.
The only other option would be to somehow impersonate me in the process of obtaining a new key -- something that would probably be very, very difficult. It's not hard to imagine having backup keys, and in order to get a new backup, all one has to do is buy a new key and sign it with the old one. It's easily possible that a parent would get a key for a child at birth, at the hospital, and the child would never have to prove its identity in any other way than this one.
It should be noted that this eliminates any moral issues. The biometric never goes on any record except inside the key, and we've already agreed that this inside is inaccessible, because any attempt at tampering would
Don't thank God, thank a doctor!
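The dictionary-attack and brute-force point made in the post above, as an added example that is not part of the original thread or any poster's code: a small Python policy checker that normalises a candidate password the way cracking rule sets do (lower-case, trailing digits and punctuation stripped, common "leet" substitutions undone), tests the result against a word list, and estimates how long exhausting the implied keyspace would take. The word list, the guess rate and the thresholds are constructed assumptions chosen for illustration.

```python
"""Added example: why short or dictionary-derived passwords fall quickly.

The word list, guess rate and thresholds below are assumptions for this
example, not values from the thread.
"""
import re
import string

# Constructed stand-in for a real cracking word list (assumption).
WORDLIST = {"brad", "password", "letmein", "qwerty", "dragon", "welcome", "monkey"}

# Common leet substitutions that cracking rule sets undo when expanding a word list.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Assumed offline guess rate against a fast, unsalted hash (assumption).
GUESSES_PER_SECOND = 1_000_000_000

SECONDS_PER_YEAR = 365 * 86400


def normalise(pw: str) -> str:
    """Reduce a password to the dictionary word an attacker's rules would derive it from.

    'Brad2003!' -> 'brad', 'p4ssw0rd' -> 'password'.  Trailing non-letters are
    stripped first so that appended years and punctuation do not hide the word.
    """
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)
    return core.translate(LEET)


def charset_size(pw: str) -> int:
    """Size of the smallest common character class set that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def brute_force_seconds(pw: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace implied by the password's length and classes."""
    return charset_size(pw) ** len(pw) / rate


def assess(pw: str, wordlist=WORDLIST, min_length: int = 12):
    """Return ('reject'|'accept', reason) for a candidate password."""
    core = normalise(pw)
    if core in wordlist:
        return "reject", f"derived from dictionary word {core!r}"
    if len(pw) < min_length:
        return "reject", f"shorter than {min_length} characters"
    secs = brute_force_seconds(pw)
    if secs < SECONDS_PER_YEAR:
        return "reject", f"keyspace exhausted in about {secs / 86400:.1f} days"
    return "accept", f"keyspace exhaustion takes about {secs / SECONDS_PER_YEAR:.1e} years"


if __name__ == "__main__":
    for candidate in ["brad", "Brad2003!", "p4ssw0rd", "123456789012", "correct horse battery staple"]:
        verdict, reason = assess(candidate)
        print(f"{candidate!r:32} {verdict:7} {reason}")
```

The checker deliberately tests the normalised form, not the literal string, because a rule-based cracker tries "brad", "Brad", "brad2003" and "Br4d!" from the same word-list entry; a policy that only counts character classes would pass "Brad2003!" while it falls in well under a second.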
There will always be ways to get around security controls, and as long as Microsoft is providing clever attackers with millions upon millions of easily controllable zombie hosts, the problem - and its symptoms - will not go away. Trying to force people to not take advantage of holes just waiting to be exploited is a losing proposition.
All this energy wasted dreaming up ways to prevent blackhats from taking advantage of Microsoft's lack of interest in security would be much better spent looking at ways to prevent such widespread and continual holes from being foisted upon the public in the first place.
He must increase, but I must decrease.