Slashdot Mirror
Are the Days of Individual Security Over?
angry tapir writes "People solely relying on patching and upgrades are lulling themselves into a false sense of security, and individual protection is no longer sufficient in the age of multi-vector attacks, according to the president of the Australian Internet Industry Association. According to AIIA's Peter Coroneos, vendors need to intervene at the network level and provide security tools at multiple levels to help secure people from the variety of threats that are emerging."
Film at 11!
"After you secure your network Mr. ISP, remember to filter out these websites." (hands over blacklist including playboy.com, domai.com, etc)
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
"vendors need to intervene at the network level"
Doesn't this seem like just another excuse to let networks censor material by just labeling it insecure?
Rule for the modern world.
1. Assume malice. Once you determine there's no malice, you can go back to your normal discussion.
"need to intervene at the network level and provide security tools at multiple levels to help secure people from the variety of threats that are emerging". That's one of the better ones lately. Ask yourself: what are these security tools capable of doing *besides* stopping viruses?
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
I run a popular rolling release linux distro, by the time you clowns have identified a threat I'll be patched. I don't run flash or any proprietry software so you're not going to be helping there either.
In summary: This is not a valid excuse to sidestep privacy protections and intercept communications data with DPI kit.
In short: Fuck You!
So stop taking it seriously. They don't seem to have much respect for the individual in anything anymore:
http://en.wikipedia.org/wiki/Censorship_in_Australia
This just looks like another power grab.
Seems like another argument to take responsibility away from individual users. I'm sure it involves filtering domains that "may be virus vectors and may contain illegal content that the user is being protected from". Little "Great Firewalls" for each ISP? Considering that this is coming from Australia, it might be a part of yet another attempt to push for the creation of a Great Firewall at the ISP level, using "industry standards" to enforce it instead of a law that has to be approved and might be struck down.
Yet Another Tech Blog
(but so much more, including game and movie reviews)
http://yanteb.peasantoid.org
It's early in the thread, so I'll get the astroturfing over with post-haste.
The only corporation that has any clue as to what constitutes effective security is Microsoft. Everything Microsoft does is great. The iPad isn't anywhere near as great as the yet-to-be-released tablet that Microsoft is planning.
Have I mentioned, yet, how great Microsoft is? Google is actually evil, despite what they say.
If Microsoft wasn't great, they would have 0% market share.
And even though I have a 7 year old cellphone, which I use sparingly (prepaid ftw), if I were to bother with a smartphone, it would definitely be something with Microsoft Windows Phone 7.
OK, MIcrosoft: where's my moola?
cheers,
ps - afaict, there are no ms-related products in my life, and there *probably* never will be. Slackware 13.37 RC 3.14159265358979323846264338327950288419716 ftw!
pss - I still want my money.
Seriously, whatever made him think that consumer machines, particularly Windows machines, were even close to being secure? Remember that you're dealing with Aunt Tillie who may still be running Windows ME here.
Now, one thing ISPs could do that might make sense is to have an automated system that contacts a user if they see something suspicious (e.g. several hundred thousand emails at 3 AM) from their connection. That of course assumes that the ISP deletes the data in question within a reasonable time frame.
I am officially gone from
... is Smith and Wesson.
cheap, effective, and protected by the U.S. Constitution.
sudo apt-get upgrade has been good enough for me for years. Thank you very much.
(I also have ClamAV with the Fireclam extension for Firefox to scan the downloads but well...)
I'm pretty sure we all know the score here. We know who the bad guys are and what they are after. We know who the vendors of the platforms being exploited are and why they aren't or can't be patched. We know why end users continue to pretend they don't know or understand what is happening or what they can do to prevent it.
I just wonder what things would have to happen to overcome all of this crap? Will there have to be a cyber 9-11 attack somewhere to wake everyone up?
The other day, a person I went to some classes with called me and told me she "got a virus... or several viruses." I invited her over and she brought her laptop with her for me to examine and clean if possible. She was afraid to turn it off. But what was refreshing to me was the fact that she did everything right.
1. She went to another computer and changed all of her on-line passwords -- banking, insurance, bill paying, email, everything.
2. She ceased all work and use of her computer immediately.
3. She was using a browser that wasn't MSIE.
What I saw what just about what I expected to see. A window that was decorated to look like a Windows window "running a scan" and reporting several infections all over her computer. Problem was, since she was using something other than MSIE, the window wasn't manipulated to hide the URL this was supposed to be coming from... showed to be somewhere in eastern europe. A dialogue box was up with two buttons -- both of which lead to downloading an EXE file. And had this been MSIE, I had no doubt that the machine would have already been compromised -- seen that too many times. And oh yeah, all of this continued to work despite that she wasn't connected to the internet at all. Fascinating stuff and kinda pretty.
Still, I booted one of my machines over to Windows, updated everything and AV signatures too. I pulled her hard drive and connected it to a USB adapter and connected it to my computer to perform a scan. After a very long time, nothing showed up leaving me 98% certain that all was well and that nothing had happened to her machine.
Still, she doesn't fully understand the technologies but she at least listened to advise to not run MSIE on the WWW and to stop using her computer and to change her passwords from a different computer. How many people do you know would do that? I don't know too many... in fact, she was the first. I had another classmate who had a similar problem and she was terrified but she KEPT USING HER COMPUTER. I was like "uh.... okay... these are the risks... it's on you now."
Motivations and desires push people to do things, often stupid things, in spite of their knowledge of the risks involved. AIDS is still alive and killing for that very reason and so is drug-pushing spam. (Though lately, I have seen a LOT less of that... actually, none... either my filters are learning way good or there is simply less of it out there and what is out there is being caught.)
In a perfect world, Microsoft would abandon its Win32 and create a new OS based on BSD like Apple did. We would still have reasons to "hate" on Microsoft and they would still find ways to screw things up I am sure, but a better OS is definitely needed for the world and if it ain't going to come from Microsoft, I find it hard to imagine where it would come from in the near future.
It's kinda hard to see what the conclusion of TFA is, since it doesn't really take a moment to summarize anywhere in the piece. But basically we have two people speaking. Peter Coroneos tries to say something that home routers should contain more/better security.
Then he says: "people need to ask if Cloud applications are secure and private". I don't see what that has to do with security but rather with privacy, but there you go.
Then there's TrustDefender co-founder and CEO, Ted Egan, who's trying to peddle his company product, which seems to be a piece of software not unlike a trojan, which detects other trojans.
OK, that was a waste of time.
8 of 13 people found this answer helpful. Did you?
Don't they rebuild their machines once a day like I do? It's a synch! That way you can arrange your Operating Systems across you machines the way you like for that day. Learn to click and type fast , that's what I did BTW The Blue Ray versions of the Star Trek movies are now available on the Star Trek website – they have ditched the blurred versions and put out the high feng shuey originals like Spielberg did with Close Encounters (and re tinted Lucasarts still have to do). This is important geek culture!. I can't wait ...
The purpose of existence is to make money.
With the increase in population and vice, there are so many people walking around that it's hard for a single homesteader to protect their land and family all by themselves these days. It used to be that when someone walked onto your property you could see them coming from a mile away, and you could get a pretty good idea of what they was a-hankerin' to do by the way they looked and what they had with'em. These days, in Silver Gulch, with every kind of person around, and so many people walkin' about, it just doesn't do to have everyone have to look after their own. Which is why we need a sheriff, to keep law and order! The only way to keep the miscreants from overrunnin' the town is for the good, law-abidin' citizens to work together! ....same thing, different century, essentially.
For your security, this post has been encrypted with ROT-13, twice.
First indicator that this guy may be wrong is he's a CIO. CIO's have staff that probably tell him the kind of crap that he has in this article, but let's look at what he has....a quote of his quotes:
"Coroneos said vendors need to intervene at the network level and need to provide security tools at a multiple levels to help secure people from the multiple levels of threats that are emerging."
I think this means that vendors need to design security as a function of their software and of their networks which gets a big DUH! I don't think he means that the ISP needs to do this necessarily.
"The rise of cloud computing is also adding another dimension to the security problem.
“If you look back 15 years ago we were talking about thin clients and now we are seeing an increase in migrations to the Cloud,” he said.
“However, there are issues with the Cloud, including data protection and security.”"
Ok....cloud computing is NOT inherently insecure, however you DO happen to give up control of the data once it gets moved to the cloud. Cloud Computing is one of trust. Do you trust Amazon's S3 Service? What about Google? Is Cloud Computing really something different? I also dispute that Cloud Computing is a new concept. It's a different way of doing what we already do. You have complete control of a server that is running on the internet instead of sitting in your companies rack and the setup may include data synchronization. Cloud Computing is nothing more than networking with a new spin. Does this add a new dimension? Maybe, but I don't see it as being any different since you have most of the same control over the server in the cloud that you do in your home.
What this all boils down to is trust. If it's something that really needs to be secure, you put multiple layers of Firewalls and endpoint protection on them and then you encrypt the hell out of it and NEVER even think about putting it into the cloud and the regular home user just isn't equipped for this.
With all of that said, there should be walled ISP's as well as unwalled. The experienced use the unwalled and the non experienced don't. There you ALSO enter into another level of trust: you trust your walled ISP to only block the bad stuff and not the good stuff. The question is: who determines what is bad and what is good??
Gorkman
He'll tell you it's alive and well.
Coroneos said vendors need to intervene at the network level and need to provide security tools at a multiple levels to help secure people from the multiple levels of threats that are emerging.
I work in IT Security and I barely understand what he is talking about. Is he suggesting that we don't have the tools to detect and counter-act these threats at the network level already? Is he saying we should implement network level solutions such as filtering? If so, why target that advice at vendors and not service-providers? The tools already exist. The suggestion is so light on details and ambiguous, it's meaningless as a direction.
In the article, he writes,
It reminds me of a Monty Python skit where a building is being held up by trust. It’s only standing up because people are believing it will stand up[...]
Anybody know what skit he's referring to?
I'll have punched you in the cocks and stolen your lunch money before you've even pulled your guns out.
Can't we just stop using that?
Windows will NEVER be secure.
To be secure (or secure enough to avoid viruses etc) would mean sacrificing other things that are more important to Microsoft's customer base including ease-of-use and backwards compatibility.
and 2% fearful that you got the same root kit she has?
Still, I booted one of my machines over to Windows, updated everything and AV signatures too. I pulled her hard drive and connected it to a USB adapter and connected it to my computer to perform a scan.
or Plop Linux + Avast + latest 400.vps on bootable CDR. That's how I end up fixing peop's computers (if I'm feeling charitable, i.e. if they are family). No way am I plugging a known compromised device on my LAN, let alone directly to my computer, no matter how patched I think it is. And I don't even run Windows.
Plop what a relief it is.
More music, fewer hits
A: most definitely yes: the individuals have all been secured! Now it is time to move forward to social security...
Errr... what? Ah,now I see why this is coming from:
the fight-botnets-with-socialism dept.
Questions raise, answers kill. Raise questions to stay alive.
You're the descendants of bad-ass convicts! Why the hell are you racing to outdo America with all the "OMG, WON'T SOMEBODY PLEASE THINK OF THE CHILDREN!!!" BS ?!!!!
In summary, grow a pair .
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
The only way to be 100% secure is to have no network connection at all. Preferably also turned off and locked in a safe. Virus --> anti-virus software --> anti anti-virus & polymorphic virus --> etc. DOS attack --> countermeasures --> DDOS --> more counter. Network attacks --> firewall --> ISP level network --> something new?
Yes, very simplified and not very accurate, but it shows the constant war between attackers and attackees.
Vote monkeys into Congress. They are cheaper and more trustworthy.
the Australian Internet Industry Association. According to AIIA's Peter Coroneos, vendors need to intervene at the network level and provide security tools at multiple levels to help secure people from the variety of threats that are emerging."
[Industry] spokesman declares that life as we know it is about to end, and that only [industry] is in a position to protect us. Given the proper financial incentives, of course, and made mandatory by legislation "for our own good" if need be.
Color me shocked.
Dewey, what part of this looks like authorities should be involved?
Look, there are things an ISP can do to keep itself secure. For example, they can look for suspicious activity and kill your connection if it becomes obvious you are owned.
But pretty much anything else becomes them providing LESS service, not more.
excitingthingstodo.blogspot.com
[ 1 ] Hanlon's Razor says "Never ascribe to malice that which can be adequately explained by stupidity." I'd add laziness and greed, but that's just me.
Point is, the folks doing the attacking are not doing so with malice, they're doing so because it's easier than a real job. Being a mindful, aware, contributing member of society is hard.
Ok, but still, attacks are happening. Fine:
[ 2 ] Two men walking along a trail, suddenly come upon a tiger. The 1st bends down to snug laces, and the 2nd remarks: "What are you doing? You can't outrun a tiger!" The first replies, "I don't have to outrun the tiger. I only have to outrun YOU."
Security is not a destination, it's a process, and you only need to be ahead of 50% of the rest. Not such a hard goal, really. And, no, these ideas are not dissonant, they combine to relieve the FUD of this thread.
Repeat both aphorisms 4x per day for a week, and relax. The world's ultimately not such a scary place, people are inherently good (or at least "not so bad") and it will all work out pretty ok in the end.
Won't change much. Sorry to come to MS's defense, but the absolute stupidity of users and software supplier's ability to provide security holes will prevail, even against the best security.
It might surprise you, but holes in MS's OSs are not the main attack vector these days. It's user stupidity and popular third party programs like flash and pdf-reader. And for neither, you can provide an OS patch.
The share of user stupidity in a system's security problems is well described by the "Dancing Pigs" theory. In a nutshell: A user will open the gates to any malicious software for the progress of getting something he wants. For the really stupidheads, dancing bunnies and the promise of nudie pics will suffice, because they don't understand that these things don't need elevated security privileges to work, and they learned that when they are prompted to grant privileges they have to click "yes" because else "it does not work". Don't think that this would not work on the more clued people, since a crack for some system relevant software (like, say, the OS) would probably need privileges to tinker and toy with the OS and its files and nobody would consider it a problem. Or, if you vow to be honest and thus not be susceptible to such vectors, you just need to download a driver from a typo'ed homepage and you're there as well. I've even seen reputable download pages being hacked and some files being replaced with malware, so don't think you'd be safe from this. All that needs to happen is a hacked SVN repository. Or do you REALLY review and audit all the source you download and compile, hmmmmm?
Third party software is also a big vector these days, now that MS has Windows more or less sealed. Browsers are, to varying degree, a vector. And don't think sandboxing javascript would change that, please don't be so naive.
Oh, you might say that a true separation of user and system makes a difference. Since 'til this day this isn't done so well in Windows. Well, it WOULD make a difference if people didn't only use one user account for everything. Be honest: How many accounts do YOU have on your machine? I'd wager 99 out of 100 people have one admin/root account and one user account. Does it make a difference in this scenario whether you hijack the machine or only the account? It makes it harder to hide your malware, granted, but unless it is found the effect is the same: The user will use his only account, and hence that trojan, running "only" with his privileges, will do so as well. You COULD of course disallow the execution of certain functions without elevated privileges (like, say, running in another process' context), but guess what, that IS already the case with Windows, did it ever stop any infection? Hardly.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
We should collectively rush to close the barn doors after the horses are out.
Contrary to the popular belief, there indeed is no God.
and one heeded less and less. Soon both police states and helicopter parents fretting over precious snowflakes may ban the quote altogether as blatant pre-9/11 thought crime.
The author of this little piece cites Peter Coroneos, one who is not in favor of internet censorship. So stop being so paranoid.
The original statement is from the AIIA (Australian Internet Industry Association) which is made up by Australian ISP's (private companies) not the government.
Secondly, the AIIA have been instrumental in blocking some of the pants on head retarded legislation, including the aforementioned content filters.
Thirdly, the Australian ISP market is highly competitive, despite all the attempts of the privatised remnants of our national telco (who owns all the copper in Oz) to do the exact opposite.
But don't let the facts get in the way of your conspiracy.
You'll notice the site's name in cio.com.au
OMFG, that name clearly proof of their nefarious scheme.
CIO and managerial subordinates certainly wont be interested in reading the opinions of a competent industry rep. It's all a massive conspiracy.
Oh spare me that user experience bollocks. User experience is a pointless marketing term that has nothing to do with real HMI/HCI. User Experience is based entirely on bias and perception, meaning if you have the wrong experiene it's your bias and perception that was wrong.
Now the real solution is two fold. First, OS's need to adopt two security practices,
1. get rid of default accept, both OSX and Windows are still default accpet. Switch to Default Deny.
2. Stop allowing blank passwords.
Secondly and more importantly, we need to educate users. This is the only solution that is permanent, everything else is a stopgap. People only lock their cars and hide their valuables because they've been taught to.
Apple's File Vault hasn't been nearly as effective at encouraging encryption as Time Machine has been at encouraging backups,
Yes it has, because Apple's Time Machine has done feck all to encourage users to back up anything.
Apple are just as bad, if not worse then Microsoft for supporting bad end user habits.
Calling someone a "hater" only means you can not rationally rebut their argument.
Seems like another argument to take responsibility away from individual users. I'm sure it involves filtering domains that "may be virus vectors and may contain illegal content that the user is being protected from". Little "Great Firewalls" for each ISP? Considering that this is coming from Australia, it might be a part of yet another attempt to push for the creation of a Great Firewall at the ISP level, using "industry standards" to enforce it instead of a law that has to be approved and might be struck down.
Odd considering this man's stance on filtering (pretty similar to the stance of the entire ISP industry and most Aussies)
Q: Why do you oppose it?
For a number of reasons, the first is that we think that in terms of the way that the model is constructed, that it is not going to pick up the kind of content that people really do have issues with online. The volume of content that it is likely to pick up by virtue of the design of the filtering systems is really a drop in the ocean compared to the unsuitable content that is on the internet. And so the fear is that we will be creating a system where people believe that they are safer online, whereas in fact it will only be that content that people complain to the regulator about that is classified, combined perhaps with international input onto lists - but only a few thousand sites at best.
In other words the best you could say about the filter is that it will prevent inadvertent, accidental, access to a very limited number of sites, in the absence of any evidence whether anecdotal or empirical the people are accidentally coming across child pornography, bestiality, rape sites - the kind of sites that the government is seeking to dramatise here. Not in our experience, people are routinely bumping into.
A lot of the content that families really are concerned about for their children - things like violent material, racial hatred material, material which promotes race hate, maybe even just adult content that you wouldn't want your children to see, none of that will be picked up by this filtering solution.
Time to admit you dont know what you're on about.
Calling someone a "hater" only means you can not rationally rebut their argument.