Internet Security: Where Do We Stand

buxton writes "The Economist is running an interesting story which overviews the current global situation on internet security in hackers, terrorism, worms & virii, Microsoft's 'monoculture', and a bunch of other interesting points. Some nice suggestions made by big names in the software industry have been included, such as creating more easily traceable methods of people (i.e. trying to eliminate online anonimity) as a method of preventing hackers. One suggestion which I thought was partictularly interesting involved a bounty system whereby a price would be put on 'hacker's heads', incentivating other hackers to go after them and bring them forward."

Why don't we just implement more security?

[Jerk+City+Troll]

One suggestion which I thought was partictularly interesting involved a bounty system whereby a price would be put on 'hacker's heads', incentivating other hackers to go after them and bring them forward.

No clever ideas like this are, were, or ever will be a suitable substitute for implementing real security. People need to wake up and realize that "hackers" are successful because peole still prefer convenience above all else.

For one, we still have this serious problem of people using software that is fundamentally insecure (Outlook, IE, ISS, Windows, etc). Nobody seems to be getting the point that Microsoft products fail utterly at meeting any of Microsoft's promises about security.

Of course, I would venture that is not even the biggest problem. People refuse to use strong passwords (or at least change them regularly). Software is not kept updated on servers (I recognize that free and open software like Linux is insecure if you're behind the times). Services are kept wide open so that nobody has to go searching for access (think file shares). Nobody uses encryption (viruses and spam would cease if company mail servers required valid PGP signatures from employees on emails before they got delivered),

There's so much that needs to be done. The above is hardly an exhaustive list (nor was I making an attempt to create one), but nobody seems interested in taking a crack at what really matters. Instead most seem to be more interested in silly ideas like "hacker bounties" which would be utterly ineffective against a group of people which do not seem to fear consequences for their actions.

Cure the sickness; don't treat the symptoms.

Security will never be achieved

[pvt_medic]

While total security will never be achieved, I feel that there are efforts that can be made to minimize the effects of hackers.

The internet will never have total security. There will always be ways around any programing that was made. There will always be bugs, loop-holes, etc. We are not perfect in our ability to program, and subsequently are coding is not perfect.

But with this being said that doesnt mean that we cant do anything to help protect ourselves. We can make effective practices of protecting systems by physical methods. If you dont want people to hack your system dont connect it up to the internet. While I know that those nuclear technicians love to surf the web while at work, but that doesnt have to be the same system that runs the reactor.

Virus writers will always exist, just like music sharing, and ads. The key is just how you will negate their effects.

Babies and Bathwater

"I'm kind of a fan of eliminating anonymity," says Alan Nugent, the chief technologist at Novell, a software company, "if that is the price for security."

On the surface, this is a sensible statement, but this is the kind of thinking which must be debunked at all costs. What is needed are systems which allow anonymity where it is valuable and eliminate it where it is not.

Just as in the real world, we have the option of using our credit cards to buy groceries, and cash to buy or anti-government literature, the internet needs security where security is important and must still provide anonymity where users judge it to be important to them. To say it is impossible to provide both shows a failure of imagination on the part of the commentator.

Enforcing security by exposing everybody to scrutiny denies us freedom. Don't let it happen. Chose the right to be an anonymous coward, if that's what your subject demands.

Re:How about we encourage people to use IPTables?

[Maestro4k]

• Isn't teaching people how to defend themselves using free open source software better than talking about the best way to start up a posse? With just IPTables and SpamCop configured properly most of these security problems disappear.

The problem is most people don't want to deal with OSS if that means using Linux. They want to be able to use most of the software that they can find in most stores, share it with friends, etc. As much as I like Linux, I use Windows XP on my main system because I prefer a lot of windows-based tools to linux-based ones. (And this includes free/shareware, not just commercial software.)

Before someone says it, WINE isn't the answer, not yet anyway. I'm an expert user, and I have troubles with getting things to work under WINE, or at least things I _want_, not just things that will. This is the deal-breaker for your average joes, they won't deal with it.

Besides, OSS software can be harder to secure right if you don't know what you're doing fully. I think the best approach all around is to hold companies responsible for glaring defeciences. If you have a bug/security hole found every once in a while it's one thing. When you have them found weekly, if not daily, and you have a closed-source product, then there's really no excuse for it.

Re:Anonimity necessary

[lurvdrum]

Such a law would need to go further and make the software supplier liable for consequential losses incurred from using their software. THEN you would see Windows getting a proper rewrite.