Slashdot Mirror
Internet Security: Where Do We Stand
buxton writes "The Economist is running an interesting story which overviews the current global situation on internet security in hackers, terrorism, worms & virii, Microsoft's 'monoculture', and a bunch of other interesting points. Some nice suggestions made by big names in the software industry have been included, such as creating more easily traceable methods of people (i.e. trying to eliminate online anonimity) as a method of preventing hackers. One suggestion which I thought was partictularly interesting involved a bounty system whereby a price would be put on 'hacker's heads', incentivating other hackers to go after them and bring them forward."
These ideas of eliminating online anonimity need to be offset against the benefits this anonimity brings. It has been a huge boon for political activists in countries with "overbearing" governments, for whistleblowers in all nations, and for all sorts of other reasons.
...
To quote an article I wrote on this some time ago:
"During the Kosovo conflict in 1999, a sixteen-year old ethnic Albanian girl, nicknamed "Adona", began an e-mail correspondence with a junior at Berkeley High School, America. She wrote of Serbian forces holding her village to ransom, killing journalists and community leaders, raping women, and finally of her friends and family deserting the village
Because of the anarchistic, anonymous nature of the Internet, the Serbian authorities could do nothing to stop this flow of information between its citizens and the outside world, which meant that it could no longer censor all information. This not only gave the people of Kosovo who had some access to these Internet organisations hope and a sense of purpose during the conflict, but helped the international community better understand the circumstances in Kosovo during and after the conflict.
"
"incentivating"
Some mornings it just doesn't seem worth it to gnaw through the leather straps. -- Emo Phillips
It is one or the other. It is impossible to increase security without reducing anonimity. Internet has been hailed for its anonimity, and it is a thing that should be kept. But on the hand it also lacks the possibilities (with the current email protocol) to increase ones security with a reduction of anonimity. For example, there is not yet a possibility to only receive email from people that have revealed their identity with a trusted third party. I am affraid that is mainly a problem of legacy that a secure email protocol has not been deployed yet.
No clever ideas like this are, were, or ever will be a suitable substitute for implementing real security. People need to wake up and realize that "hackers" are successful because peole still prefer convenience above all else.
For one, we still have this serious problem of people using software that is fundamentally insecure (Outlook, IE, ISS, Windows, etc). Nobody seems to be getting the point that Microsoft products fail utterly at meeting any of Microsoft's promises about security.
Of course, I would venture that is not even the biggest problem. People refuse to use strong passwords (or at least change them regularly). Software is not kept updated on servers (I recognize that free and open software like Linux is insecure if you're behind the times). Services are kept wide open so that nobody has to go searching for access (think file shares). Nobody uses encryption (viruses and spam would cease if company mail servers required valid PGP signatures from employees on emails before they got delivered),
There's so much that needs to be done. The above is hardly an exhaustive list (nor was I making an attempt to create one), but nobody seems interested in taking a crack at what really matters. Instead most seem to be more interested in silly ideas like "hacker bounties" which would be utterly ineffective against a group of people which do not seem to fear consequences for their actions.
Cure the sickness; don't treat the symptoms.
Join Tor today!
Isn't eliminating online anonimity practically impossible? What about cybercafes, for instance? (Although not big in the USA, cybercafes are one of the main ways to access the internet in many poorer countries)
Secondly, supposing you did manage it by imposing some kind of draconian laws i.e. you have to log on at all cybercafes with some universal ID. Then wouldn't identity theft become an even bigger problem - i.e. hackers would pinch other peoples identities to hack.
While total security will never be achieved, I feel that there are efforts that can be made to minimize the effects of hackers.
The internet will never have total security. There will always be ways around any programing that was made. There will always be bugs, loop-holes, etc. We are not perfect in our ability to program, and subsequently are coding is not perfect.
But with this being said that doesnt mean that we cant do anything to help protect ourselves. We can make effective practices of protecting systems by physical methods. If you dont want people to hack your system dont connect it up to the internet. While I know that those nuclear technicians love to surf the web while at work, but that doesnt have to be the same system that runs the reactor.
Virus writers will always exist, just like music sharing, and ads. The key is just how you will negate their effects.
30% Troll, 50% Underrated, 10% Interesting
Score:5, Troll
That, and there is no such word as "incentivating".
Slashdot's first reaction to VMware
"I'm kind of a fan of eliminating anonymity," says Alan Nugent, the chief technologist at Novell, a software company, "if that is the price for security."
On the surface, this is a sensible statement, but this is the kind of thinking which must be debunked at all costs. What is needed are systems which allow anonymity where it is valuable and eliminate it where it is not.
Just as in the real world, we have the option of using our credit cards to buy groceries, and cash to buy or anti-government literature, the internet needs security where security is important and must still provide anonymity where users judge it to be important to them. To say it is impossible to provide both shows a failure of imagination on the part of the commentator.
Enforcing security by exposing everybody to scrutiny denies us freedom. Don't let it happen. Chose the right to be an anonymous coward, if that's what your subject demands.
Actually, it will make the situation worse. think about it - right now you have a (fairly small) group of serious crackers who know that the best way to keep on doing what they do is to STFU and make sure nobody else finds out about them, and you have the much larger group of wannabes and s'kiddies who try to inflate their own ego by public boasts. Now, what happens when you put out a bounty? Well, the vocal one start to get caught or they learn to keep their gob shut. Some of them will stop and move to something else, but some will stay and increase the size of the silent cracker group... and before you know it you wind up in the same situation as modern medicine and antibiotics: your miracle cure has made the problem worse by encouraging the growth of resistant strains of cracker....
Wouldn't it also be an incentive to manufacture false evidence so you can frame somebody up & collect the $$$
Trust no one
If I had a DeLorean... I would probably only drive it from time to time.
>if 90% of the people use the terms "incorrectly", maybe you should reconsider your own views on what is correct and what is incorrect?
Ofcourse not! Media can herd 90% of the people(or even more) in to thinking whatever they want. That doesnt mean that you should change your views to synchronize with it.
http://www.nasirudheen.blogspot/
-
Isn't teaching people how to defend themselves using free open source software better than talking about the best way to start up a posse?
With just IPTables and SpamCop configured properly most of these security problems disappear.
The problem is most people don't want to deal with OSS if that means using Linux. They want to be able to use most of the software that they can find in most stores, share it with friends, etc. As much as I like Linux, I use Windows XP on my main system because I prefer a lot of windows-based tools to linux-based ones. (And this includes free/shareware, not just commercial software.)Before someone says it, WINE isn't the answer, not yet anyway. I'm an expert user, and I have troubles with getting things to work under WINE, or at least things I _want_, not just things that will. This is the deal-breaker for your average joes, they won't deal with it.
Besides, OSS software can be harder to secure right if you don't know what you're doing fully. I think the best approach all around is to hold companies responsible for glaring defeciences. If you have a bug/security hole found every once in a while it's one thing. When you have them found weekly, if not daily, and you have a closed-source product, then there's really no excuse for it.
And if TCPA does have centralised control, you have the problems of total monitoring, proprietary lock-in and the erosion of usage rights for digital media.
There is a parallel with existing firewalls - they can increase security by blocking certain content (e.g. RPC exploits using port 135), but trusted web traffic with IE-exploits or virus-laden emails usually sail through.
Well, I just checked, and it appears that the threat of jailtime did not stop rape completely in the US.So it is not that preventive, eh ? My point is that instead of trying to punish more and more it might be a good idea to start using carrots instead of getting a bigger stick.
A crime is the result of motivation and occasion. Instead of trying to extinguish motivation through fear of jail (which does not stop crime entirely) why not add other methods, or work on preventing occasions (transparent societies) ?
Besides, if you think the whole justice system isn't there mainly to bring vengeance to victims and their relatives, you need to go watch A Clockwork Orange.
Maybe we deserve this world ?
But why, in the first place, did those computers have outside access? Or rather, entry points.
If a computer is controlling a really important piece of hardware (nuclear plant, anyone?), I sure hope it is NOT connected to ANY outside network, for whatever reason. And if it is, the one who decided it was a good idea should be held responsible for whatever happens, and lose his job, get a big fine that will make sure he will NOT EVER make the same mistake... Maybe this way security will be a level higher.
Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
Bzap's argument is a prime example of the poorest form of debating technique ever. He takes the argument completely out of context and then throws it into the highly emotionally charged arena of "rape". I'll say one thing about this argument and then get back to topicality: No one likes to admit it but everyone knows that there are cases where the accusation of rape was completely unjustified and made with an ulterior motive of political revenge or monetary greed.
Back to the idea of offering bounty incentives for capturing malicious hackers.
No one likes to admit it but everyone knows that there will be cases where the accusation of malicious hacking will be justified completely by falsified evidence and will be made with an ulterior motive of political revenge or monetary greed.
This is precisely why vigilantes are also seen as criminals under our legal system.
+++ATHZ 99:5:80