Slashdot Mirror
Internet Security: Where Do We Stand
buxton writes "The Economist is running an interesting story which overviews the current global situation on internet security in hackers, terrorism, worms & virii, Microsoft's 'monoculture', and a bunch of other interesting points. Some nice suggestions made by big names in the software industry have been included, such as creating more easily traceable methods of people (i.e. trying to eliminate online anonimity) as a method of preventing hackers. One suggestion which I thought was partictularly interesting involved a bounty system whereby a price would be put on 'hacker's heads', incentivating other hackers to go after them and bring them forward."
These ideas of eliminating online anonimity need to be offset against the benefits this anonimity brings. It has been a huge boon for political activists in countries with "overbearing" governments, for whistleblowers in all nations, and for all sorts of other reasons.
...
To quote an article I wrote on this some time ago:
"During the Kosovo conflict in 1999, a sixteen-year old ethnic Albanian girl, nicknamed "Adona", began an e-mail correspondence with a junior at Berkeley High School, America. She wrote of Serbian forces holding her village to ransom, killing journalists and community leaders, raping women, and finally of her friends and family deserting the village
Because of the anarchistic, anonymous nature of the Internet, the Serbian authorities could do nothing to stop this flow of information between its citizens and the outside world, which meant that it could no longer censor all information. This not only gave the people of Kosovo who had some access to these Internet organisations hope and a sense of purpose during the conflict, but helped the international community better understand the circumstances in Kosovo during and after the conflict.
"
"incentivating"
Some mornings it just doesn't seem worth it to gnaw through the leather straps. -- Emo Phillips
It is one or the other. It is impossible to increase security without reducing anonimity. Internet has been hailed for its anonimity, and it is a thing that should be kept. But on the hand it also lacks the possibilities (with the current email protocol) to increase ones security with a reduction of anonimity. For example, there is not yet a possibility to only receive email from people that have revealed their identity with a trusted third party. I am affraid that is mainly a problem of legacy that a secure email protocol has not been deployed yet.
I find it funny that I've never seen an article which correctly uses the terms 'hacker' and 'cracker'. This one included, although they don't even mention 'cracker'.
The old cliche of the kiddy hacker in their basement, bragging about their accomplishments on BBSes is a little old, and somewhat funny. No serious hacker talks about what they do. There would be no one to hand you in, because no one but the hacker knows it was them. This wouldn't stop hacking, it MAY stop some kids from running DDoS's on IRC channels because they got 0wn3d on Efnet. (Did they ever get to Efnet 2? haven't been in a while)
-- Having a Creationist Museum is like having an Atheist place of worship
No clever ideas like this are, were, or ever will be a suitable substitute for implementing real security. People need to wake up and realize that "hackers" are successful because peole still prefer convenience above all else.
For one, we still have this serious problem of people using software that is fundamentally insecure (Outlook, IE, ISS, Windows, etc). Nobody seems to be getting the point that Microsoft products fail utterly at meeting any of Microsoft's promises about security.
Of course, I would venture that is not even the biggest problem. People refuse to use strong passwords (or at least change them regularly). Software is not kept updated on servers (I recognize that free and open software like Linux is insecure if you're behind the times). Services are kept wide open so that nobody has to go searching for access (think file shares). Nobody uses encryption (viruses and spam would cease if company mail servers required valid PGP signatures from employees on emails before they got delivered),
There's so much that needs to be done. The above is hardly an exhaustive list (nor was I making an attempt to create one), but nobody seems interested in taking a crack at what really matters. Instead most seem to be more interested in silly ideas like "hacker bounties" which would be utterly ineffective against a group of people which do not seem to fear consequences for their actions.
Cure the sickness; don't treat the symptoms.
Join Tor today!
Isn't eliminating online anonimity practically impossible? What about cybercafes, for instance? (Although not big in the USA, cybercafes are one of the main ways to access the internet in many poorer countries)
Secondly, supposing you did manage it by imposing some kind of draconian laws i.e. you have to log on at all cybercafes with some universal ID. Then wouldn't identity theft become an even bigger problem - i.e. hackers would pinch other peoples identities to hack.
While total security will never be achieved, I feel that there are efforts that can be made to minimize the effects of hackers.
The internet will never have total security. There will always be ways around any programing that was made. There will always be bugs, loop-holes, etc. We are not perfect in our ability to program, and subsequently are coding is not perfect.
But with this being said that doesnt mean that we cant do anything to help protect ourselves. We can make effective practices of protecting systems by physical methods. If you dont want people to hack your system dont connect it up to the internet. While I know that those nuclear technicians love to surf the web while at work, but that doesnt have to be the same system that runs the reactor.
Virus writers will always exist, just like music sharing, and ads. The key is just how you will negate their effects.
30% Troll, 50% Underrated, 10% Interesting
Score:5, Troll
Uh, so what you are saying is that could just as well shut down the whole justice system, because the threat of jailtime for rape doesn't prevent rape? The threat of getting punished for illegal actions is highly preventive!
If the government can do it, why couldn't a cracker?
That, and there is no such word as "incentivating".
Slashdot's first reaction to VMware
"I'm kind of a fan of eliminating anonymity," says Alan Nugent, the chief technologist at Novell, a software company, "if that is the price for security."
On the surface, this is a sensible statement, but this is the kind of thinking which must be debunked at all costs. What is needed are systems which allow anonymity where it is valuable and eliminate it where it is not.
Just as in the real world, we have the option of using our credit cards to buy groceries, and cash to buy or anti-government literature, the internet needs security where security is important and must still provide anonymity where users judge it to be important to them. To say it is impossible to provide both shows a failure of imagination on the part of the commentator.
Enforcing security by exposing everybody to scrutiny denies us freedom. Don't let it happen. Chose the right to be an anonymous coward, if that's what your subject demands.
Wouldn't it also be an incentive to manufacture false evidence so you can frame somebody up & collect the $$$
Trust no one
If I had a DeLorean... I would probably only drive it from time to time.
-
Isn't teaching people how to defend themselves using free open source software better than talking about the best way to start up a posse?
With just IPTables and SpamCop configured properly most of these security problems disappear.
The problem is most people don't want to deal with OSS if that means using Linux. They want to be able to use most of the software that they can find in most stores, share it with friends, etc. As much as I like Linux, I use Windows XP on my main system because I prefer a lot of windows-based tools to linux-based ones. (And this includes free/shareware, not just commercial software.)Before someone says it, WINE isn't the answer, not yet anyway. I'm an expert user, and I have troubles with getting things to work under WINE, or at least things I _want_, not just things that will. This is the deal-breaker for your average joes, they won't deal with it.
Besides, OSS software can be harder to secure right if you don't know what you're doing fully. I think the best approach all around is to hold companies responsible for glaring defeciences. If you have a bug/security hole found every once in a while it's one thing. When you have them found weekly, if not daily, and you have a closed-source product, then there's really no excuse for it.
And if TCPA does have centralised control, you have the problems of total monitoring, proprietary lock-in and the erosion of usage rights for digital media.
There is a parallel with existing firewalls - they can increase security by blocking certain content (e.g. RPC exploits using port 135), but trusted web traffic with IE-exploits or virus-laden emails usually sail through.
Well, I just checked, and it appears that the threat of jailtime did not stop rape completely in the US.So it is not that preventive, eh ? My point is that instead of trying to punish more and more it might be a good idea to start using carrots instead of getting a bigger stick.
A crime is the result of motivation and occasion. Instead of trying to extinguish motivation through fear of jail (which does not stop crime entirely) why not add other methods, or work on preventing occasions (transparent societies) ?
Besides, if you think the whole justice system isn't there mainly to bring vengeance to victims and their relatives, you need to go watch A Clockwork Orange.
Maybe we deserve this world ?
But why, in the first place, did those computers have outside access? Or rather, entry points.
If a computer is controlling a really important piece of hardware (nuclear plant, anyone?), I sure hope it is NOT connected to ANY outside network, for whatever reason. And if it is, the one who decided it was a good idea should be held responsible for whatever happens, and lose his job, get a big fine that will make sure he will NOT EVER make the same mistake... Maybe this way security will be a level higher.
Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
It's not very intuitive. Pretty ironic. Under Mandrake you just click on the security tool.
:-p
Yeah, it's just the rest of the OS that'll make Grandma likely to off herself in frustration and get you that inheritance early.
Grandma should probably stick to a Mac, I'd say.
Is this really the president of one of the largest network security companies in the market claiming that not one company in Checkpoint's 90% market share was affected by MSBlaster?
Bzap's argument is a prime example of the poorest form of debating technique ever. He takes the argument completely out of context and then throws it into the highly emotionally charged arena of "rape". I'll say one thing about this argument and then get back to topicality: No one likes to admit it but everyone knows that there are cases where the accusation of rape was completely unjustified and made with an ulterior motive of political revenge or monetary greed.
Back to the idea of offering bounty incentives for capturing malicious hackers.
No one likes to admit it but everyone knows that there will be cases where the accusation of malicious hacking will be justified completely by falsified evidence and will be made with an ulterior motive of political revenge or monetary greed.
This is precisely why vigilantes are also seen as criminals under our legal system.
+++ATHZ 99:5:80
I think everyone else has hit it but I'll say it, too.
If you really cared about your grandmother enough that you feel it's necessary to hold her up as a debate spectacle on an internet discussion board then you would be more than happy to set up her system so that she doesn't need to worry about any of these technicalities.
+++ATHZ 99:5:80
I agree, the idea of having "hackers" chase eachother for a "bounty" is pretty stupid if you ask me. It could lead to all sorts of problems.
Who better than a "hacker" to set someone else up to take the fall for spreading a virus? Root their box, get it to distribute the virus, leave a development trail in their files, post some whacko "hacker shit" to usenet, write some evil manif3sto and put it in a hidden directory, cover your tracks and then call the feds on them.
You could even drop some kiddie porn in there just for good measure. Nothing like picutres of a hogtied prepubescent Malaysian boy to get the media and the justice department fired up and out for blood.
The victim would be deep fried by the media before lunchtime the next day; guaranteed to have zero chance of a fair trial anywhere in the free world. The feds would probably even lock his ass up al-la-Mitnick without counsel or official charges if you did it right.
So the "hacker" cashes in while distributing his virus in the wild.
Not to mention the awesome bragging rights for framing his asshole ex-boss and getting him sent to federal pound-me-in-the-ass prison.
Man, this idea is sounding better and better all the time!
When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
Because Outlook Express is a pretty mediocre piece of software all the way around?
2. doesn't support IPsec tunnel?
Huh? Windows supports IPSec tunnels just fine, as long as you aren't using Win95/98/ME. You aren't using ME, are you?
3. still supports Frontpage?
Umm, because it's a successful commercial product? Duh? Perhaps you meant to ask why they don't improve FrontPage in any meaningful way?
4. doesn't let you see whats going on (netstat on unix shows process related to the socket opened, windows does not)
NETSTAT -O on Win XP and Win 2003 shows the PID; run TLIST from the Resource Kit or TASKLIST on XP/2003, or simply look in Task Manager to identify the process.
Why is the only way to somewhat-secure Windows limited to buying third-party apps?
It isn't, but as long as the majority of Windows admins display your level of ignorance and incompetence, the third-party vendors will continue to do a brisk business with folks who'd rather click a big friendly button than RTFM.
Please point at the part of my comments that state my opposition to existing justice system. Oops, there aren't...
I never said we should get rid of jails, I said we needed to explore methods of preventing crimes instead of limiting ourselves to punishing crime by increasing/adding jail time (I am not formally against it, but I think it will inevitably reach an efficiency limit anyway). Some people think transparent societies are one such prevention method. Some people disagree, others propose to tag everyone with RFIDs or to brainwash people into valuating virginity, etc...
And you did not get my point about A Clockwork Orange, which actually shows that the lack of a punishment for crimes does not work either.
Maybe we deserve this world ?
True, this is an unpickable lock, and my assertion fails.
However, it is impossible (as far as I can see) to actually implement this in an unbreakable manner. At some point, a cryptographic lock that is used by people depends on human interaction, and at that point, it can be picked, often in the most simple of ways:
"Hey, random dude, what's your passphrase?"
"Oh, I can't tell you that!"
"Go on, I'll give you a free pen"
"OK, it's MyDogIsSickAgain".
"Cool, thanks!"
"You won't use it, will you...?"
"Nah, of course not!"
Eliminate all computer users, you eliminate security problems.
Ceci n'est pas une signature