Internet Security: Where Do We Stand
buxton writes "The Economist is running an interesting story which overviews the current global situation on internet security in hackers, terrorism, worms & viruses, Microsoft's 'monoculture', and a bunch of other interesting points. Some nice suggestions made by big names in the software industry have been included, such as creating more easily traceable methods of people (i.e. trying to eliminate online anonymity) as a method of preventing hackers. One suggestion which I thought was particularly interesting involved a bounty system whereby a price would be put on 'hackers' heads', incentivizing other hackers to go after them and bring them forward."
Just remove all the remaining trust between hackers...
I am sure most hackers would not grass/bring them forward for money - especially in groups.
Is it a boat?
Isn't teaching people how to defend themselves using free open source software better than talking about the best way to start up a posse?
With just IPTables and SpamCop configured properly most of these security problems disappear.
We're gonna have squads of mercenaries trolling the internet picking off script kiddies (and probably bystanders too) while the real crackers continue to be dicks, and the real white-hats get picked off by the posses.
Only in a Slashdot fantasy can a Slackware install turn into several hours of sex . . . . .
And people are starting to understand it.
The Internet is not a planned system. It grows and connects like a natural system obeying laws such as Zipf's Law.
When it comes to security, the best model for what is going on in the Internet is also an organic model, namely the naturally occurring phenomenon of parasites, and the way these evolve in any real or simulated ecology.
I've gone into boring detail in my journal.
My opinion is that until we use natural models, and learn from them, we will not be able to stop the rising tide of parasitical code that infests the Internet.
"Monocultures" are a large part of the problem, and the Economist rightly argues that opening the Windows source code to third parties would create more variety and thus more security. But I think we have to go much further, towards systems that actively evolve to protect themselves against parasites.
I've been criticised for saying this by people who say "it's just a metaphor, it does not mean anything". This is untrue: it is a model, one that we can use to understand what the heck is going on: what are the dynamics behind the process, what are the weaknesses of today's infrastructure, and what are the best solutions.
Let me summarize this one more time: The internet behaves like an ecology, obeys the same laws as natural ecologies, falls prey to the same problems as natural ecologies, and if we want to create structures that survive these problems, we must understand things in terms of an ecology, not a planned design.
Ceci n'est pas une signature
TCPA will be an important victory for everybody on the internet.
The first steps of it are already being made by Phoenix and Microsoft, and I'm sure that, when it's fully implemented, there won't be more viruses or even SPAM for that matter.
Since TCPA relies on trusted systems, anything that stays out of the "trusted ring" (i.e. virus writers, other untrusted systems, etc.) won't be able to affect the system.
I hope everybody here at Slashdot understands the importance of such a move in the computer industry, since it's not such a matter of monoculture, but a system that only allows trusted content to flow...
how long until
Microsoft is far behind in the security world. Their "Security is #1" is just bull to make people feel better about using Windows.
If Microsoft is so secure, how come it:
1. doesn't support APOP in outlook [express]?
2. doesn't support IPsec tunnel?
3. still supports Frontpage?
4. doesn't let you see what's going on (netstat on Unix shows the process related to the opened socket; Windows does not)
on and on..
Why is the only way to somewhat-secure Windows limited to buying third-party apps?
Pay low-life a lot of money to catch other low-lifes. Yeah right.
Imagine this: your little sister sits in front of her computer, ready to send the latest pix of her little doggy to your grandma.
Five cops burst through the door and arrest her for spreading that noxious "I love goatse.cx!" virus. Yes, that virus. The one that installs a spambot on your Windows machine.
Her crime? She clicked on that little "Rudolph the red-nosed reindeer e-postcard" that was sent to her by the nice girl she chatted with yesterday.
End result? '000s of $$$ spent in legal fees and millions of dumb IIS/Exchange servers crashed all over the world. And one very rich bastard, laughing all the way to the bank for denouncing an innocent.
Thank you, The Economist. Great idea.
Here is my offer: banish Microsoft products everywhere. Replace with medium- (Linux) to high-security (OpenBSD) OSes everywhere and watch the [virus|worm] problems disappear. Oh, and make spamming a crime punishable by public castration. That should do the trick.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Require people to sign their mail with a key signed by the trusted third party. Drop mail from people who don't.
Granted, this won't stop the mail from hitting your mail server in the first place. But how is this a security risk?
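The policy in the post above ("sign your mail with a key signed by the trusted third party, drop everything else") is easy to state but the check has three distinct failure modes, and a filter should distinguish them when it logs a drop. The following is an added example, not code from the original thread: it models the trusted third party (TTP) as an Ed25519 key that endorses sender keys, and the names `Cert`, `SignedMail`, `IssueCert`, `SignMail` and `Accept` are hypothetical (real deployments would use S/MIME or OpenPGP certificates rather than this minimal structure). All message bodies are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert is a hypothetical minimal "certificate": the TTP signs the sender's
// public key so a receiver can trust that key without knowing the sender.
type Cert struct {
	SenderPub ed25519.PublicKey
	TTPSig    []byte // TTP's signature over SenderPub
}

// SignedMail carries the body, the sender's cert and the sender's signature.
type SignedMail struct {
	Body []byte
	Cert Cert
	Sig  []byte // sender's signature over Body
}

// Distinct drop reasons, so the receiver can log why a message was rejected.
var (
	ErrNoSignature  = errors.New("drop: mail is unsigned")
	ErrUntrustedKey = errors.New("drop: sender key not signed by trusted third party")
	ErrBadSignature = errors.New("drop: body signature does not verify")
)

// IssueCert is the TTP's side: endorse a sender's public key.
func IssueCert(ttpPriv ed25519.PrivateKey, senderPub ed25519.PublicKey) Cert {
	return Cert{SenderPub: senderPub, TTPSig: ed25519.Sign(ttpPriv, senderPub)}
}

// SignMail is the sender's side: sign the body with the endorsed key.
func SignMail(senderPriv ed25519.PrivateKey, cert Cert, body []byte) SignedMail {
	return SignedMail{Body: body, Cert: cert, Sig: ed25519.Sign(senderPriv, body)}
}

// Accept is the receiver's policy. Mail is kept only if (1) it is signed,
// (2) the signing key is endorsed by the TTP and (3) the body signature
// verifies under that key. The length check matters: ed25519.Verify panics
// on a malformed public key, and a filter must not crash on bad input.
func Accept(ttpPub ed25519.PublicKey, m SignedMail) error {
	if len(m.Sig) == 0 || len(m.Cert.SenderPub) != ed25519.PublicKeySize {
		return ErrNoSignature
	}
	if !ed25519.Verify(ttpPub, m.Cert.SenderPub, m.Cert.TTPSig) {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(m.Cert.SenderPub, m.Body, m.Sig) {
		return ErrBadSignature
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario runs the policy over four constructed messages and returns the
// verdict for each, keyed by case name.
func Scenario() map[string]error {
	ttpPub, ttpPriv := mustKey()

	// Legitimate sender whose key the TTP has endorsed.
	alicePub, alicePriv := mustKey()
	good := SignMail(alicePriv, IssueCert(ttpPriv, alicePub), []byte("constructed body: dog photos for grandma"))

	// Sender with a key pair but no TTP endorsement; the cert is self-signed.
	otherPub, otherPriv := mustKey()
	rogue := SignMail(otherPriv, IssueCert(otherPriv, otherPub), []byte("constructed body: e-postcard"))

	// Valid cert and signature, but the body was altered after signing.
	tampered := good
	tampered.Body = []byte("constructed body: altered in transit")

	// No signature at all.
	unsigned := SignedMail{Body: []byte("constructed body: plain mail")}

	return map[string]error{
		"good":     Accept(ttpPub, good),
		"rogue":    Accept(ttpPub, rogue),
		"tampered": Accept(ttpPub, tampered),
		"unsigned": Accept(ttpPub, unsigned),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-9s -> %v\n", name, err)
	}
}
```

As the post says, the check runs after the message has already reached the server, so it reduces what lands in mailboxes rather than what hits the MX. The other caveat a defender should keep in mind is that the policy authenticates the key holder, not the content: a compromised machine whose key is endorsed will produce mail that passes all three checks, so signing complements, and does not replace, content filtering and host hygiene.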
Bounty system, wow, that's a brilliant idea.
Instead of hacking systems, hackers can instead hack systems, frame teenage kids, and make money! Sweet!
---
I support spreading santorum
I think MS and most other s/w firms like to have a 'recurring income model' for s/w, rather than a one-time fixed income model. It follows therefore, that some 'value' has to be delivered to the customer, to justify the expenditure.
For an OS and Office writer, which is what MS basically is, it helps to deliver this 'value' in terms of Service Packs and bug fixes for problems it was responsible in creating, and which it is morally obliged to undertake for free, rather than for an annual 'Subscription (Dis)Advantage Agreement'.
Thus, it is more crucial to know of MS's plans, rather than where we stand currently - while discussing this topic of security. If MS gets away with Palladium, they might actually write secure code; if Palladium fails to take off, users will have to live with these worms and security hazards.
Which is why I posted this earlier, and got modded Flamebait!!
" Where does Microsoft want us to go tomorrow? (Bankrupt, yes,.. that seems to be the answer).
Wherever we stand now, we stand naked - ready for exploitation; the situation isn't changing fast, either."
If you keep throwing chairs, one day you'll break windows....
Are you so naive as to not realise that in our increasingly totalitarian world, these are all detriments?
How do you think John Ashcroft feels about people who perceive the US as having an "overbearing government" being able to speak out anonymously and with impunity?
Hasn't he gone on record about his views on that?
And as far as whistle-blowers go; no corporation considers whistle blowing to be a Good Thing, and therefore if they were presented with that angle of online anonymity they would probably pony up Even More Money to fight it.
So, in short, the reasons you cite are the reasons why online anonymity is now a thing of the past.
-
One suggestion which I thought was particularly interesting involved a bounty system whereby a price would be put on 'hackers' heads', incentivizing other hackers to go after them and bring them forward.
If anyone thinks this will work, then I feel sorry for them. Hackers by and large aren't going to rat on each other. There's one really good reason -- if the one they ratted on finds out who they are, or his/her friends find out, then the rattee is going to be in deep doodoo fast. Facing this, they'll just take the route of least resistance and easy moolah and rat out innocents or even set up innocents and report them. Think about it, how hard is it to infect the average joe's computer with a trojan, worm or virus? History (heck, recent history in fact) shows us that it's not terribly hard. For some of these worms/etc. that come out, you don't even have to click on anything to get infected! So it'd be easy as pie to set someone up. Just infect their machine with a trojan, make their machine do Evil Things (tm) while they're actually active on it, cover your tracks, and report. Law enforcement tends to be overexuberant on catching cyber evil-doers, and there's a more than fair chance they won't dig deep enough to notice the tracks the hacker left on the innocent guy's computer.
And to be honest, they probably won't get the chance to. How many average joes out there have done something not-so-legal? Probably a lot, it seems everyone and their brother's wife have illegal software of some sort to hear people casually talk about it. I've heard customers at Wal-mart ask employees if they can install ___ software on more than one computer. (Often it's anti-virus software they're asking about ironically.) When average joe is faced with getting in trouble for the stuff he knows he's done wrong, he'll probably cop a plea bargain to avoid that coming to light. And law enforcement will go along, after all it will look like a win for them on the public relations front.
For those that will scream that law enforcement wouldn't do these things, I can only tell you that I hope you never get to find out first-hand just what they will and won't do. I had the misfortune and it was a real eye-opener. I prefer not to go into specifics, but I will say that before my experience I never believed any of the supposed "conspiracy theories"/etc. about how bad law enforcement and/or the FBI/etc. were. Now I think they're all dead on.
Bottom line, putting out bounties on cyber-criminals would result in many innocent victims, and probably very very few real criminals being caught.
The gist of Mr Geer's argument is that Microsoft has over the years created "unacceptable levels of complexity" in its computer code. It has done so because its main objective has been to lock users into its software by tying the Windows operating system together with applications such as Word, Explorer and Outlook...
Not surprisingly, Microsoft bristles at this line of thought. The only reason the firm has been bundling the operating system with applications is that customers want it to, says Mike Nash, a Microsoft executive in charge of security issues. He finds it "personally insulting that people think our motivation is anything else."
Oh, puh-leeez, give me a break! When was the last time that Microsoft asked customers about what new features they wanted in Windows and the answer came back: "Make the code bigger, slower and more complicated. And this thing with the DOJ, make sure that you build the browser right into Windows. And more viruses; I love them viruses!"
For years now, Microsoft has been blaming the users for demanding the poor design decisions that have made Windows the mess that it is. Truth is, Microsoft stopped caring about what users want many years ago; all they care about is what Microsoft wants. As long as they keep their current mind-set, the Internet in general, Windows in particular, will be a vast playground for script-kiddies, spammers and thieves. No "bounty" will ever do as much as a few intelligent decisions in the design process at Microsoft.
That very email conversation with the 16 year old Albanian girl could have really taken place with a 54 year old Brooklyn man (posing to be the girl of course), how would you know without some sort of identity validation? Did the girl just happen to find a high school junior that spoke her language? Was she randomly spamming email addresses hoping to find a sympathetic ear?
Government oversight is a reality the world over; the fact that the Internet has provided people a voice is great, but the abuses are starting to pile up and won't be tolerated as long as *anonymous* people continue to hack and compromise systems. After all, it's not the hacker's voice for freedom and curiosity of knowledge that will be filling the ears of the lawmakers, it's the big businesses that are losing money every time a web site is defaced. If we continue down that road, we'll reach a point where any attempt to hide your identity will become a crime (read Patriot Act styled open ended legislation).
I'd rather give up a little anonymity now than a whole lot later.
The key point is that the Internet is not just a million computers, it is a zillion computers plus a zillion people.
It's the people and their ways of using the Internet that turn it into a natural ecology.
Laws are not the answer: it will just create a criminal underground. You cannot legislate against human nature - look at the "war on drugs".
Tighter security is not the answer: every lock designed by a human can be picked by a human.
Open source is not the answer: any suitably complex system, transparent or not, will have security flaws, usually at the user interface point (think: weak passwords).
Security patches are not the answer: parasitical code can spread many times faster than any human reaction time.
I believe the answer is that computer systems will have to evolve something similar to an immune system, based on recognising friend-or-foe, and capable of regular pseudo-sexual exchange to scramble the locks against parasitical code that has adapted. Finally, it is likely that parasitical code will eventually be co-opted (just like the bacteria in our guts) into less harmful roles.
To put this into context: the wars in your intestine started with the very first life forms and have been one of the basic engines of change in evolution for 3.5 billion years (along with climate change). I believe we're only at the very first stages of this process with the Internet, but inevitably we will follow a similar route.
Anyhow, I will be long dead before this actually happens. It's just idle speculation.
Ceci n'est pas une signature
The real problem is that social research has shown that incentives simply do NOT work. In fact, adding rewards has been shown to reduce the number of people that get turned in compared to when no intervention is used at all. A real solution would focus on determining and eliminating the intrinsic motivators fueling the hackers. For a good overview/compendium/analysis, read Punished by Rewards: The Trouble with Gold Stars, Incentive Plan$, A's, Praise, and Other Bribes by Alfie Kohn
One of the growing problems is the large base of broadband-connected (cable, DSL) users that ISPs insist on putting on dynamic IP address pools. We all know that there is no technical advantage to the dynamic IP addresses, since practically everyone is connected 24/7 (this is not the same situation with dial-in modem pools, where dynamic IPs are the best way to go).
If ISPs allocated static IP addresses to all their cable/DSL customers, we would see tremendous security gains because customers' addresses would stand still while they are tracked down.
Perhaps it's time to see some government regulation that requires that an ISP that provides broadband services where customers are connected more than X% of the day has to provide a static IP address. ISPs like to provide dynamic addressing because they have a persistent fear of people 'running their own servers' (bullshit), plus they can sell static IP addresses. Their approach is detrimental to general Internet security.
Imagine if there was a type of cheap cell phone service designed to facilitate outgoing calls only, accomplished via a dynamic origin phone number (that changed daily), making it nearly impossible to have someone phone you back. Don't you think such a phone would be a huge source of all kinds of abuse? That's what ISPs are making possible by dynamic IP addresses on broadband customers. These hosts become rogue, because they are moving targets.
A measure of anonymity is desirable. There's no doubt about that. Since the beginning of modern society people have been coming up with ways to sneak off to clubs, or galas, or parties, or conventions where they can be free of their public identity, if only for a short while.
Internet security is only a problem due to serious flaws in the Windows model of bringing computer technology to the world. I don't feel that it has anything at all to do with any piece of legislature. The problem with internet security is that there are too many script-kiddies who can get away with digital murder. If the world had stuck to a more technical operating system then the script-kiddies would be matched against real programmers and real engineers--System administrators who could really track them down. In the world as we know it, run primarily on Microsoft products with any average Joe Algebra administering the network because he plays politics well and holds five or six certifications, script-kiddies have no real fear of getting caught. Joe Algebra with his certifications is interested in the paycheck. He's not interested in sticking around until 11 PM doing DNS lookups, sifting through logs, and tracing packets back through routers.
It is plain to see that the problem lies not in the anonymity of the attackers but rather in the mediocrity of the enforcers. Unfortunately I don't see that this is changing much as Linux begins to gain popularity. The certification system will continue to allow any Joe Algebra to administer his networks even if the entire world migrates to RedHat. What we have is a social problem. Everyone wants to collect the large paycheck associated with system administration but very few people truly have the genuine interest that it takes to competently administer the system. Honestly, the same seems to be true across every industry.
The world is run by a political system dominated by clowns, wannabes, and charlatans who run a good show and steal our paychecks.
+++ATHZ 99:5:80
Let's see, a bounty for the head of the cracker who did the deed.
Let's say I am really, really good.
Let's say that the cracker who did the deed is really, really good and very dangerous.
Let's say that the bounty is really, really high.
Let's say that there is another cracker, call him "stooge," who is really good, somewhat dangerous, but not as good or dangerous as am I.
I want the bounty, I can very effectively frame stooge, who is pretty darn good, but framable, and not so dangerous.
Or I can go after someone who is much better and more dangerous.
Looks like all a bounty system would do is incentivize crackers to do very effective jobs of framing innocent, less effective, hackers.
The Economist should know more about Economics.