Internet Security: Where Do We Stand

buxton writes "The Economist is running an interesting story which overviews the current global situation on internet security in hackers, terrorism, worms & virii, Microsoft's 'monoculture', and a bunch of other interesting points. Some nice suggestions made by big names in the software industry have been included, such as creating more easily traceable methods of people (i.e. trying to eliminate online anonimity) as a method of preventing hackers. One suggestion which I thought was partictularly interesting involved a bounty system whereby a price would be put on 'hacker's heads', incentivating other hackers to go after them and bring them forward."

How about we encourage people to use IPTables?

[ahfoo]

Isn't teaching people how to defend themselves using free open source software better than talking about the best way to start up a posse?
With just IPTables and SpamCop configured properly most of these security problems disappear.

Re:How about we encourage people to use IPTables?

[mental_telepathy]

Good call. Hey grandma, just type IPTables -t INPUT --dport 80 -j DENY at the command line. Me, I'm getting my family to buy macs. Regardless if you think they are more secure because of OS or more secure because of being a smaller target, right now they are more secure, and you get click-button firewalling.

Re:How about we encourage people to use IPTables?

[quigonn]

The mistake you make is that you don't care about security in multiple layers. Additionally, I would recommend to use a ProProlice-enabled gcc to compile your server applications, to enable (if your OS provides it) non-executable-stack features, and (when it's finished) my self-written ContraPolice, which adds protection against heap overflows to your applications. Additionally, systrace might also be a good feature against possible attacks against your system.

Of course, the things I presented here are only for a small percentage of all services and machines in "big" production environment. So, for more protection, a close look at the client has to be done, too.

I believe there is an answer

[heironymouscoward]

And people are starting to understand it.

The Internet is not a planned system. It grows and connects like a natural system obeying laws such as Zipf's Law.

When it comes to security, the best model for what is going on in the Internet is also an organic model, namely the naturally occuring phenomenon of parasites, and the way these evolve in any real or simulated ecology.

I've gone into boring detail in my journal.

My opinion is that until we use natural models, and learn from them, we will not be able to stop the rising tide of parasitical code that infests the Internet.

"Monocultures" are a large part of the problem, and the Economist rightly argues that opening the Windows source code to third parties would create more variety and thus more security. But I think we have to go much further, towards systems that actively evolve to protect themselves against parasites.

I've been criticised for saying this by people who say "it's just a metaphor, it does not mean anything". This is untrue: it is a model, one that we can use to understand what the heck is going on: what are the dynamics behind the process, what are the weaknesses of today's infrastructure, and what are the best solutions.

Let me summarize this one more time: The internet behaves like an ecology, obeys the same laws as natural ecologies, falls prey to the same problems as natural ecologies, and if we want to create structures that survive these problems, we must understand things in terms of an ecology, not a planned design.

Just what we need...

[Noryungi]

Pay low-life a lot of money to catch other low-lifes. Yeah right.

Imagine this: your little sister sits in front of her computer, ready to send the latest pix of her little doggy to your grandma.

Five cops burst through the door and arrest her for spreading that noxious "I love goatse.cx!" virus. Yes, that virus. The one that installs a spambot on your Windows machine.

Her crime? She clicked on that little "Rudolph the red-nosed reindeer e-postcard" that was sent to her by the nice girl she chatted with yesterday.

End result? '000s of $$$ spent in legal fees and millions of dumb IIS/Exchange servers crashed all over the world. And one very rich bastard, laughing all the way to the bank for denouncing an innocent.

Thank you, The Economist. Great idea.

Here is my offer: banish Microsoft products everywhere. Replace with medium- (Linux) to high-security (OpenBSD)OS everywhere and watch the [virus|worm] problems disappear. Oh, and make spamming a crime punishable by public castration. That should do the trick.

Re:Anonimity necessary

[RLiegh]

It has been a huge boon for political activists in countries with "overbearing" governments, for whistleblowers in all nations, and for all sorts of other reasons.

Are you so niave as to not realise that in our increasingly totalitarian world, these are all detriments.

How do you think John Ashcroft feels about people who percieve the US as having an "overbearing government" being able to speak out anonymously and with impunity?

Hasn't he gone on record about his views on that?

And as far as whistle-blowers go; no corporation considers whistle blowing to be a Good Thing, and therefore if they were presented with that angle of online anonymity they would probably pony up Even More Money to fight it.

So, in short, the reasons you cite are the reasons why online anonymity is now a thing of the past.

Re:trust

[ThosLives]

Well, you're right that it's about trust, but I'm not sure in the sense you indicate. 'Security', in my book, is simply preventing someone from doing something you don't want them to be able to do. There are two flavors of this; one relies on trust and the other does not. The trust one is, "hey, please only do the things I tell you you can do." The other is, "I'm going to throw up a bunch of walls and if you try something I didn't explicitly allow you to do, I'm gonna beat you with a stick."

"Security" doesn't have anything to do with anonymity or not. Think of it this way - anonymity doesn't make a bank more or less secure. You could be famous and rob a bank. What recognition gives is not preventative; it is only reactive. It allows you to go after someone after they have done something you don't want them to do.

Some would argue that this is a deterrent to "security violation" since it would be known that if you do something you're more likely to be caught. However, for those apt to try and perform a "security violtation", this just adds to the mystique, honor, whatever. Except for the truly insane, who just don't care. For most people, non-anonymity is just an annoyance because they wouldn't do anything wrong in the first place.

The question for the computing world then needs to become which stance to take. It seems the "don't do things unless I tell you it's OK" is infeasible since we know that people will do things they know aren't OK. Then the question must be what kind of walls to put up. Most "security" issues today are because the walls are insufficient, not because we can't go out and catch the people coming into the barn and stealing the chickens.

And why are the walls insufficient? Well, the fundamental problem is that usually a breach is something that is allowed to happen but by someone who shouldn't be allowed to do it. This is why people are clamoring for identity validation and all that jazz, but we are fast learning that identiy is not even sovereign in this world; at least not in a non-morally-ambiguous way (i.e., biometrics).

I must admit that I don't have answers to the questions of security, because whenever you allow people to do something, there is always a possibility that it will be abused. And in a world where (at least in the USA) people are taught more and more that they are not responsible for their actions (if this were not the case, we would have far fewer lawsuits) security will not be solved by any technical means.