Slashdot Mirror
Australian Cybercrime Enquiry Report Released
An anonymous reader writes "The Australian Government Standing Committee on Communications has released the results of a year long enquiry into cybercrime in a report titled Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime. This report includes a recommendation that Internet Service Provider customers should be forced to install anti-virus and firewall software on their computers as part of their contractual obligations. The Australian Communications and Media Authority receive further powers and responsibilities under the recommendations with respect to shutting down websites hosting malicious content and ensuring that infected consumer devices are disconnected from the Internet."
The Australian Government is surely just taking the piss now. Honestly. What else can they say other than "the binary is COMING ALIIIIVEEEEE"? That would probably be a step up from Conroy's ramblings anyhow.
Disagree != mod troll.
Kind of like a public-health measure.
ISPs would have to: require all subscribers to install anti-virus software and firewalls before the Internet connection is activated
It seems to me like this is a strange requirement. I couldn't tell you the last time I actually went to a brick-and-mortar store and bought an antivirus product. And what about lesser-known or free antivirus solutions? Unless you're going to find someone with an internet connection and download them onto USB/an external drive, it seems like this requirement would negatively impact their marketshare (which, if they're lesser-known, would admittedly be small).
Considering that ad banners can be infected with java viruses, does that mean that any website with ads should be, by this law, taken offline? Pretty soon the computer users will have the legal obligation to stop using the internet entirely...
A stupid law like this will lead to the requirement the ISP install some kind of audit software on your PC to monitor compliance. Something like punkbuster. It would have to monitor your local system and possibly report back to the ISP. I don't see any other way this could work. This would be a nightmare to support a range of OSes and would possibly make a system that was properly maintained to be less reliable.
It's time to reclassify Linux as an antivirus product. Experience to date suggests that it is much more effective than single-purpose antivirus products - and it does so much more, for free!
I'm imagining some poor schmuck on the phone with an ISP trying to explain that the government mandated anti-virus software doesn't support their OS of choice (which the moron on the phone has never heard of) and being told that they can't have internet access because they don't have Windows.
Don't act like it won't happen. Heck, most ISPs if you're trouble-shooting almost demand that you remove the firewall and plug the machine directly into the cable modem, and only have trouble-shooting instructions for Windows and can't comprehend that you might actually be qualified to say that, since nothing has changed on your end, their network must be currently broken.
While I appreciate the intent of this, every time someone tries to legislate solutions to technical problems, they break more stuff.
Lost at C:>. Found at C.
The problem is not the idea of everyone having anti-virus, it's that you want the ISPs to distribute and enforce it.
I don't know about you, but I would never install any software given to me by an ISP. In Canada, Rogers actually have a history of opening more security holes than they close with their Firewall/AV software. To the point that some large corporations IT departments won't let you VPN in from home if you have the software installed.
In my experience ISP software is typically one of the worst forms of insecure bloatware you can put on a computer.
I think it's reasonable to say to people, hey, your ISP isn't responsible for data on your computer particularly if you don't even have basic protection on it. But it's another thing altogether to say, "you can't use the the Internet if you don't use anti-malware." That gets into all sorts of enforcement issues, what constitutes appropriate anti-malware, what happens if you don't comply ... can the ISP still bill you that month? What if you completely rolled your own, and there's no appropriate anti-virus software out there for your operating system. If ISPs must act as the enforcement gates, it's going to make a whole bunch of "network access protection" vendors quite happy. They'll get to sell a lot of complicated NAC gear to these ISPs.
That Conroy et al are not so much interested in controlling what we do as much as they are shills for internet security software.
Actually remembering the last time I was involved with a government technology program and who was involved that wouldn't surprise me in the least.
Firewall software? Maybe because it was because I am a UNIX guy and the kernel of these operating systems had control of the IP stack without needing third party programs. Or because a true firewall is a hardened hardware router that can withstand attacks not just coming from the outside in, but prevents items from coming from the inside out (such as E-mail from any box other than the designated mail servers.) A software firewall that is not built into the OS proper is pointless [1], as the OS should protect against incoming attacks, and if a malicious application is installed, the game is over anyway, so protecting against outbound stuff is pointless.
As for anti-virus, maybe on Windows, but I have yet to see malware on a serious UNIX system unless it is a Trojan (and no A/V system can protect against that.) However, I just find it almost laughable when I have to install McAfee on a pSeries box with some script to show it is running for audit reasons.
Instead, maybe the law should be worded as "proper security measures shall be taken to protect against malicious software and remote attacks." This way, an OS that has a decent IPS built in doesn't need to have third party stuff tacked onto it to make it compliant.
[1]: An exception is the DroidWall app on rooted Android phones. It provides good security because a lot of apps ask for network communication privs which shouldn't have it, and a user otherwise wouldn't have control of what can and what can't communicate out.
I say Australia should have the ISPs refuse service to anybody running a windows box. This would remove at least 70% of the malware and would improve customer satisfaction!
Would you hug a bear?
So we have a "Office of Online Security be established within the Department of Prime Minster and Cabinet" :)
Then we see a cut to "The Online Child Sexual Exploitation Team", a unit of the Australian Federal Police of $2.8 million.
http://www.smh.com.au/opinion/politics/fight-to-filter-out-evil-leaves-bad-guys-to-do-their-worst-20100514-v4cq.html
We also have some fun news via http://www.zdnet.com.au/inside-australia-s-data-retention-proposal-339303862.htm
Beyond the "want the source and the destination IP addresses for internet sessions" they are dreaming of linking
""They want allied personal information with that account, including, [the department] said, passport numbers.""
with "automate the process of requesting and obtaining access to telecommunications data."
One day your ip could be linked to your isp and photo id while you surf on a filtered internet with Windows anti-virus and firewall software running.
Some great projects and funding for someone
Domestic spying is now "Benign Information Gathering"
not the American sense (conservative==constitutionalist).
BWAHAHAHAHAHAHAHAHAHA. This is a joke, right?
The installation of a virus scanner does nothing to stop new malware. Such beasties are only as good as their databases, which always lag behind the current malware. And having it installed doesn't mean it's kept up to date or it's actually used. How many "trial" versions of NAV have I seen over the years that are massively out of date? Hundreds.
What I also want to know is what kind of anti-virus software is there for Solaris machines? If you run a real operating system, do you have to take it off the 'net now because you can't even buy "antivirus software"?
Australia is really beginning to become an IT shithole, judging by the news. But I don't think raging neckbeards in the street is going to intimidate the stupid politicians.
--
BMO
Can I just scan for the evil bit instead?
The balance of power in our Senate is held by independents and the Greens, but mostly by an ultra consertvative called Senator Fielding who represents the christian orthodoxy. To pass legislation the government must get the Greens and Fielding on side to out vote the opposition Liberal Party who are not liberals but conservatives. Thus the government is always having to suck up to Fielding. After the next election, later this year, it is unlikely that Fielding will have that power any more, even if he is re-elected. The current polls would have the Greens with enough senate seats to control the balance of power in the upper house irrespective of which major party wins the general election. When they have to suck up to the Greens, rather than the Christian right wing it will be very interesting to see how policy changes, even if we have a conservative government (still not likely, but you never know).
We still are.
Slashdot tends to hype things up, exaggerate, and report on suggestions, ideas, and whimsical musings from a couple of politicians, as if they were a done deal and were being introduced into law right away.
It's not the case though.
Internet filter: Conroy and his lot have been talking about it for two years now. But their own trials showed it was essentially useless. The draft legislation hasn't even been written, let alone introduced into Parliament as a Bill. And if it were introduced, it would never pass - Labor doesn't have the numbers to get it through. And they recently announced that they are, essentially, scrapping the idea in its current form.
Forcing ISPs to record users' internet history: This is already done in most of the EU. But Australians definitely don't like the idea, and like the filter above, it will die before any real steps are taken to get this into law.
Subject of this article: This is one step below even those two things. It's a recommendation by a committee. Do you know how many commiitees there are and how many random recommendations they make? Generally a very very small proportion of such recommendations ever find their way into official Government policy. The idea of disconnecting infected machines spewing out spam or participating in a botnet is a good idea. But requiring AV software as a precondition to getting online? Hahahaha ... that is completely unworkable. Think of the average home user's technical abilities. Think of the outrage in the ISP industry. Think of the fact that Mac and Linux users don't really need AV software. Etc.
Basically, Slashdot always tries to make as scary a sounding summary as possible, and the non-Australian commenters lap it up and go "omg Australia sucks", ignoring the fact that these things are all just IDEAS or proposals which are unlikely to ever see the light of day. Result: Australia's name has been unfairly dragged through the mud on here in the last year. Yes - the current Government has had some awful ideas, which have and should be criticised. But some politicians' ideas /= actual policy or law. And in the case of the things mentioned here, are never likely to be. Australia as a whole hasn't miraculously changed in the last 12 months. As a culture, we are still laid back. Oh and it's not like Americans don't have some scary ass laws too ... warrantless wiretapping anyone? That even affects me as a foreigner - anytime I call someone in America, my conversation might be being recorded or listened to.
To pass legislation the government must get the Greens and Fielding on side to out vote the opposition Liberal Party who are not liberals but conservatives.
The Libs are, indeed, liberals. It's just the term has a different meaning in Australia (and the rest of the world) as compared to America - it refers to the economic, not social, policies (though even on that front, the Libs are far more 'liberal' than so-called 'liberals' in the US).
Ignoring the rest of the Australian governments internet policy, some of the stuff coming out of them is good. Some is incredibly bad. This one just happens to be a bit mixed and misdirected.
.scr files in emails, or indeed open any file in emails that look dubious. That didn't stop Antivirus 2009 from getting on their computers because they thought they were safe (safe because I installed antivirus and firewalls).
One of the best proposals they released is asking ISPs to monitor your traffic for obvious signs of infection. As a geek with a reasonably hardened setup at home I was dumbfounded when I got one of the emails detailing Confiker.C was all over my network. We have 2 fully patched Windows 7 computers, and a fully patched Windows XP machine (my sister's laptop). The laptop in question had Cnfiker.C in the past and I cleaned it and fixed the windows update settings on the laptop as well as re-instating the broken AV software and all was fine or so I thought for about 3 months.
3 full months it didn't click that our media centre is a Windows XP machine. Mainly this is because I've never once gone on the internet with it via a web-browser or opened email, downloaded software from dubious sources etc, this all lead to the belief that it was impervious to virus attack. I never considered an attack from inside the network, thanks to the evil government's mandated warnings though I have changed things considerably. What chance does the housewife next door (the one who runs an open wifi access point) have if even I missed such a thing?
Now this policy is both good and bad. There needs to be some level of mandated security. As for the details, that one is a bit more grey. I like the idea of not allowing computers that don't have an inbound firewall but does this need to be at a computer level or is the basic drop any unidentifiable packet policy of my router good enough? Does the policy require an aftermarket firewall or is windows firewall good enough? I am willing to bet that most if not all users have these systems and they are simply not turned on. All the same principles applies to antivirus. Is it good enough to have the software but not download the latest updates?
On top of all this there's the psychological problem too. A lot of users are just too ignorant of the threats to be connected to the internet. Antivirus and Firewalls will NOT protect them. My sister and mother are classic cases. Both of them are savy enough not to click on
Giving clueless users the feeling that they are safe will simply lead to complacency.
Excuse me while I go open this email with naked pictures of Britney Spears. Oh don't worry I've got the government watching my back.
"They are using force upon citizens, as if they were serfs."
Not really, some academics were commisioned by a government committe to come up with recommendations, traditionally these sort reports list every strategy they can think of, they make great slashdot headlines but are ignored by the government (except for the one recommendation they asked for during a golf game). As anecdotal evidence for that claim; I have been reading stories on slashdot about how both right and left wing Aussie communications ministers are implementing an Orwellian internet "any day now".
Think about it in "bread and circus" mode; Conroy has served almost a full term as comms minister and his filter is still nothing but an empty promise/threat. Before that the people on the other side of the house, (who are now filtering his filter from the law books), were just as adamant they would introduce a mandatory filter and just as unsuccessful because Conroy's mob filtered it out of the law books. If there was any real politcal will behind all this "clean up the net" rhetoric we would have had the Orwell plug-in installed circa 1997. But that will never happen because once they take on resposiblity for policing the net then all of a sudden it's the governments fault that someone's little princess was exposed to tub girl, much better for politicans on both sides to behave in their normal manner, ie: perpetually shocked, outraged and ineffectual.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.