Slashdot Mirror


Internet Security: Where Do We Stand

buxton writes "The Economist is running an interesting story which overviews the current global situation on internet security in hackers, terrorism, worms & virii, Microsoft's 'monoculture', and a bunch of other interesting points. Some nice suggestions made by big names in the software industry have been included, such as creating more easily traceable methods of people (i.e. trying to eliminate online anonymity) as a method of preventing hackers. One suggestion which I thought was particularly interesting involved a bounty system whereby a price would be put on 'hacker's heads', incentivating other hackers to go after them and bring them forward."

22 of 219 comments

  1. How about we encourage people to use IPTables? by ahfoo · · Score: 4, Interesting

    Isn't teaching people how to defend themselves using free open source software better than talking about the best way to start up a posse?
    With just IPTables and SpamCop configured properly most of these security problems disappear.

    1. Re:How about we encourage people to use IPTables? by mental_telepathy · · Score: 5, Interesting

      Good call. Hey grandma, just type IPTables -t INPUT --dport 80 -j DENY at the command line. Me, I'm getting my family to buy macs. Regardless if you think they are more secure because of OS or more secure because of being a smaller target, right now they are more secure, and you get click-button firewalling.

    2. Re:How about we encourage people to use IPTables? by quigonn · · Score: 4, Interesting

      The mistake you make is that you don't care about security in multiple layers. Additionally, I would recommend using a ProPolice-enabled gcc to compile your server applications, to enable (if your OS provides it) non-executable-stack features, and (when it's finished) my self-written ContraPolice, which adds protection against heap overflows to your applications. Additionally, systrace might also be a good feature against possible attacks against your system.

      Of course, the things I presented here are only for a small percentage of all services and machines in "big" production environments. So, for more protection, a close look at the client has to be done, too.

      --
      A monkey is doing the real work for me.
    3. Re:How about we encourage people to use IPTables? by Maestro4k · · Score: 5, Insightful
      • Isn't teaching people how to defend themselves using free open source software better than talking about the best way to start up a posse? With just IPTables and SpamCop configured properly most of these security problems disappear.
      The problem is most people don't want to deal with OSS if that means using Linux. They want to be able to use most of the software that they can find in most stores, share it with friends, etc. As much as I like Linux, I use Windows XP on my main system because I prefer a lot of windows-based tools to linux-based ones. (And this includes free/shareware, not just commercial software.)

      Before someone says it, WINE isn't the answer, not yet anyway. I'm an expert user, and I have troubles with getting things to work under WINE, or at least things I _want_, not just things that will. This is the deal-breaker for your average joes, they won't deal with it.

      Besides, OSS software can be harder to secure right if you don't know what you're doing fully. I think the best approach all around is to hold companies responsible for glaring deficiencies. If you have a bug/security hole found every once in a while it's one thing. When you have them found weekly, if not daily, and you have a closed-source product, then there's really no excuse for it.

  2. Anonymity necessary by Telex4 · · Score: 4, Insightful

    These ideas of eliminating online anonymity need to be offset against the benefits this anonymity brings. It has been a huge boon for political activists in countries with "overbearing" governments, for whistleblowers in all nations, and for all sorts of other reasons.

    To quote an article I wrote on this some time ago:

    "During the Kosovo conflict in 1999, a sixteen-year-old ethnic Albanian girl, nicknamed "Adona", began an e-mail correspondence with a junior at Berkeley High School, America. She wrote of Serbian forces holding her village to ransom, killing journalists and community leaders, raping women, and finally of her friends and family deserting the village
    ...
    Because of the anarchistic, anonymous nature of the Internet, the Serbian authorities could do nothing to stop this flow of information between its citizens and the outside world, which meant that it could no longer censor all information. This not only gave the people of Kosovo who had some access to these Internet organisations hope and a sense of purpose during the conflict, but helped the international community better understand the circumstances in Kosovo during and after the conflict.
    "

    1. Re:Anonymity necessary by jkrise · · Score: 4, Insightful

      I think anonymity is used as a tool by so called 'security firms' to plead helplessness in detecting the source of security breaches. If Microsoft was really sincere in preventing security attacks on its systems, it should've supported the earlier bill - not the present spammer-friendly version.

      In short, the problem is not the anonymity of these cyber-terrorists, it's the accountability-phobia of software firms, at the root cause of these breaches. If we had a law that a 'supplier' of software is bound to fix security breaches and vulns free of cost in his code, we'll suddenly see MS rewriting Windows from scratch for LongHorn.

      The current law is like an alsatian without teeth.

      --
      If you keep throwing chairs, one day you'll break windows....
    2. Re:Anonymity necessary by RLiegh · · Score: 5, Interesting
      It has been a huge boon for political activists in countries with "overbearing" governments, for whistleblowers in all nations, and for all sorts of other reasons.


      Are you so naive as to not realise that in our increasingly totalitarian world, these are all detriments?

      How do you think John Ashcroft feels about people who perceive the US as having an "overbearing government" being able to speak out anonymously and with impunity?

      Hasn't he gone on record about his views on that?

      And as far as whistle-blowers go; no corporation considers whistle blowing to be a Good Thing, and therefore if they were presented with that angle of online anonymity they would probably pony up Even More Money to fight it.

      So, in short, the reasons you cite are the reasons why online anonymity is now a thing of the past.
    3. Re:Anonymity necessary by lurvdrum · · Score: 5, Insightful

      Such a law would need to go further and make the software supplier liable for consequential losses incurred from using their software. THEN you would see Windows getting a proper rewrite.

  3. Don't no the right word to use? Make one up! by MrSelfDestruct · · Score: 4, Insightful

    "incentivating"

    --
    Some mornings it just doesn't seem worth it to gnaw through the leather straps. -- Emo Phillips
  4. Re:Where do we stand : Abridged version by mattjb0010 · · Score: 4, Funny

    But this is slashd... oh, you meant metaphorically.

  5. I believe there is an answer by heironymouscoward · · Score: 5, Interesting

    And people are starting to understand it.

    The Internet is not a planned system. It grows and connects like a natural system obeying laws such as Zipf's Law.

    When it comes to security, the best model for what is going on in the Internet is also an organic model, namely the naturally occurring phenomenon of parasites, and the way these evolve in any real or simulated ecology.

    I've gone into boring detail in my journal.

    My opinion is that until we use natural models, and learn from them, we will not be able to stop the rising tide of parasitical code that infests the Internet.

    "Monocultures" are a large part of the problem, and the Economist rightly argues that opening the Windows source code to third parties would create more variety and thus more security. But I think we have to go much further, towards systems that actively evolve to protect themselves against parasites.

    I've been criticised for saying this by people who say "it's just a metaphor, it does not mean anything". This is untrue: it is a model, one that we can use to understand what the heck is going on: what are the dynamics behind the process, what are the weaknesses of today's infrastructure, and what are the best solutions.

    Let me summarize this one more time: The internet behaves like an ecology, obeys the same laws as natural ecologies, falls prey to the same problems as natural ecologies, and if we want to create structures that survive these problems, we must understand things in terms of an ecology, not a planned design.

    --
    Ceci n'est pas une signature
  6. Why don't we just implement more security? by Jerk+City+Troll · · Score: 5, Insightful
    One suggestion which I thought was particularly interesting involved a bounty system whereby a price would be put on 'hacker's heads', incentivating other hackers to go after them and bring them forward.

    No clever ideas like this are, were, or ever will be a suitable substitute for implementing real security. People need to wake up and realize that "hackers" are successful because people still prefer convenience above all else.

    For one, we still have this serious problem of people using software that is fundamentally insecure (Outlook, IE, IIS, Windows, etc). Nobody seems to be getting the point that Microsoft products fail utterly at meeting any of Microsoft's promises about security.

    Of course, I would venture that is not even the biggest problem. People refuse to use strong passwords (or at least change them regularly). Software is not kept updated on servers (I recognize that free and open software like Linux is insecure if you're behind the times). Services are kept wide open so that nobody has to go searching for access (think file shares). Nobody uses encryption (viruses and spam would cease if company mail servers required valid PGP signatures from employees on emails before they got delivered).

    There's so much that needs to be done. The above is hardly an exhaustive list (nor was I making an attempt to create one), but nobody seems interested in taking a crack at what really matters. Instead most seem to be more interested in silly ideas like "hacker bounties" which would be utterly ineffective against a group of people which do not seem to fear consequences for their actions.

    Cure the sickness; don't treat the symptoms.

  7. Eliminating online anonymity by pubjames · · Score: 4, Insightful


    Isn't eliminating online anonymity practically impossible? What about cybercafes, for instance? (Although not big in the USA, cybercafes are one of the main ways to access the internet in many poorer countries.)

    Secondly, supposing you did manage it by imposing some kind of draconian laws i.e. you have to log on at all cybercafes with some universal ID. Then wouldn't identity theft become an even bigger problem - i.e. hackers would pinch other people's identities to hack.

  8. Security will never be achieved by pvt_medic · · Score: 5, Insightful

    While total security will never be achieved, I feel that there are efforts that can be made to minimize the effects of hackers.

    The internet will never have total security. There will always be ways around any programming that was made. There will always be bugs, loop-holes, etc. We are not perfect in our ability to program, and subsequently our coding is not perfect.

    But with this being said that doesn't mean that we can't do anything to help protect ourselves. We can make effective practices of protecting systems by physical methods. If you don't want people to hack your system don't connect it up to the internet. While I know that those nuclear technicians love to surf the web while at work, but that doesn't have to be the same system that runs the reactor.

    Virus writers will always exist, just like music sharing, and ads. The key is just how you will negate their effects.

    --
    30% Troll, 50% Underrated, 10% Interesting
    Score:5, Troll
  9. Just what we need... by Noryungi · · Score: 4, Interesting

    Pay low-life a lot of money to catch other low-lifes. Yeah right.

    Imagine this: your little sister sits in front of her computer, ready to send the latest pix of her little doggy to your grandma.

    Five cops burst through the door and arrest her for spreading that noxious "I love goatse.cx!" virus. Yes, that virus. The one that installs a spambot on your Windows machine.

    Her crime? She clicked on that little "Rudolph the red-nosed reindeer e-postcard" that was sent to her by the nice girl she chatted with yesterday.

    End result? '000s of $$$ spent in legal fees and millions of dumb IIS/Exchange servers crashed all over the world. And one very rich bastard, laughing all the way to the bank for denouncing an innocent.

    Thank you, The Economist. Great idea.

    Here is my offer: banish Microsoft products everywhere. Replace with medium- (Linux) to high-security (OpenBSD) OS everywhere and watch the [virus|worm] problems disappear. Oh, and make spamming a crime punishable by public castration. That should do the trick.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  10. New Haxxor Challenge by maroberts · · Score: 4, Funny

    See if you can get the most bounty on your head! Open to script kiddies everywhere!

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

  11. Re:Anonymity versus security by droleary · · Score: 4, Insightful

    It is one or the other. It is impossible to increase security without reducing anonymity.

    Rubbish. Anonymity comes within a context. If you give all your friends keys to your apartment, that doesn't necessarily tell you which individual was nice enough to drop off your mail and water your plants while you were on vacation. Similarly, if you sent me a key in the mail, you will have extended your web of trust, but completely anonymously; neither you nor your friends know who I am seen in your apartment.

    For example, there is not yet a possibility to only receive email from people that have revealed their identity with a trusted third party. I am afraid that is mainly a problem of legacy that a secure email protocol has not been deployed yet.

    I'd say you're wrong here, too. SPEWS and other blocklists are examples of exactly that kind of trust issues being applied to current mail systems.

  12. It's easy! by aug24 · · Score: 4, Funny
    1. viri
    2. virii
    3. viriii
    4. viriv
    5. virv
    6. virvi
    7. virvii
    8. virviii
    9. virix
    10. virx
    (nicked)

    Justin.

    --
    You're only jealous cos the little penguins are talking to me.
  13. Babies and Bathwater by Anonymous Coward · · Score: 5, Insightful

    "I'm kind of a fan of eliminating anonymity," says Alan Nugent, the chief technologist at Novell, a software company, "if that is the price for security."

    On the surface, this is a sensible statement, but this is the kind of thinking which must be debunked at all costs. What is needed are systems which allow anonymity where it is valuable and eliminate it where it is not.

    Just as in the real world, we have the option of using our credit cards to buy groceries, and cash to buy or anti-government literature, the internet needs security where security is important and must still provide anonymity where users judge it to be important to them. To say it is impossible to provide both shows a failure of imagination on the part of the commentator.

    Enforcing security by exposing everybody to scrutiny denies us freedom. Don't let it happen. Choose the right to be an anonymous coward, if that's what your subject demands.

  14. Re:Cliches by AllUsernamesAreGone · · Score: 4, Insightful

    Actually, it will make the situation worse. Think about it - right now you have a (fairly small) group of serious crackers who know that the best way to keep on doing what they do is to STFU and make sure nobody else finds out about them, and you have the much larger group of wannabes and s'kiddies who try to inflate their own ego by public boasts. Now, what happens when you put out a bounty? Well, the vocal ones start to get caught or they learn to keep their gob shut. Some of them will stop and move to something else, but some will stay and increase the size of the silent cracker group... and before you know it you wind up in the same situation as modern medicine and antibiotics: your miracle cure has made the problem worse by encouraging the growth of resistant strains of cracker....

  15. Re:Hackers by pirhana · · Score: 4, Insightful

    >if 90% of the people use the terms "incorrectly", maybe you should reconsider your own views on what is correct and what is incorrect?

    Of course not! Media can herd 90% of the people (or even more) into thinking whatever they want. That doesn't mean that you should change your views to synchronize with it.

  16. Re:trust by ThosLives · · Score: 4, Interesting
    Well, you're right that it's about trust, but I'm not sure in the sense you indicate. 'Security', in my book, is simply preventing someone from doing something you don't want them to be able to do. There are two flavors of this; one relies on trust and the other does not. The trust one is, "hey, please only do the things I tell you you can do." The other is, "I'm going to throw up a bunch of walls and if you try something I didn't explicitly allow you to do, I'm gonna beat you with a stick."

    "Security" doesn't have anything to do with anonymity or not. Think of it this way - anonymity doesn't make a bank more or less secure. You could be famous and rob a bank. What recognition gives is not preventative; it is only reactive. It allows you to go after someone after they have done something you don't want them to do.

    Some would argue that this is a deterrent to "security violation" since it would be known that if you do something you're more likely to be caught. However, for those apt to try and perform a "security violation", this just adds to the mystique, honor, whatever. Except for the truly insane, who just don't care. For most people, non-anonymity is just an annoyance because they wouldn't do anything wrong in the first place.

    The question for the computing world then needs to become which stance to take. It seems the "don't do things unless I tell you it's OK" is infeasible since we know that people will do things they know aren't OK. Then the question must be what kind of walls to put up. Most "security" issues today are because the walls are insufficient, not because we can't go out and catch the people coming into the barn and stealing the chickens.

    And why are the walls insufficient? Well, the fundamental problem is that usually a breach is something that is allowed to happen but by someone who shouldn't be allowed to do it. This is why people are clamoring for identity validation and all that jazz, but we are fast learning that identity is not even sovereign in this world; at least not in a non-morally-ambiguous way (i.e., biometrics).

    I must admit that I don't have answers to the questions of security, because whenever you allow people to do something, there is always a possibility that it will be abused. And in a world where (at least in the USA) people are taught more and more that they are not responsible for their actions (if this were not the case, we would have far fewer lawsuits) security will not be solved by any technical means.

    --
    "There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraphrase)