p2pnet - rss feed: The dangers of being safe
p2p news view / p2pnet: It’s time to ‘get safe online’, at least according to the latest government-backed internet safety campaign.
Or rather, it will be very shortly, since at the moment the campaign website consists of a single page announcing ‘a joint government and private sector initiative aimed at helping consumers and small businesses to use the internet safely’.
But it will surely be an exciting, compelling and informative multimedia experience once it goes live.
The idea, as with so many other campaigns, is to persuade computer users in homes and small businesses to understand online threats better and to help them figure out what to do to protect themselves.
It’s depressing to think that there are still people out there who connect dows computers to the net without a firewall, anti-spyware program and up-to-date anti-virus services in place, but this is clearly so.
Even Mac and Linux users, smug though they can sometimes get, need to understand security issues, apply patches and protect themselves from the public network with a firewall.
And it can only be a matter of time before we hear about the first virus or worm for the PlayStation Portable, since it comes with wireless internet built in.
The lead body behind ‘Get Safe Online’ is the National High Tech Crime Unit, who have quite an impressive track record when it comes to promoting security awareness in the business world. They’ve been working on it for nine months under the codename ‘Project Endurance’, but now it’s ready to go live, with support from companies including BT, HSBC, eBay and Microsoft.
They’ve also tried to pull in the children’s safety campaigners, and I know that Childnet International is playing a part because my daughter is on their children’s panel and has reviewed some of the material, though I haven’t seen it myself.
Microsoft, eBay and the banks aren’t spending their money just out of a sense of duty, though. The campaign is partly motivated by fear on the part of online retailers and ISPs, who have noticed that people are getting increasingly nervous about shopping and banking online. They hope that an educational campaign will counter this trend and reassure those who currently stay offline because they are worried.
I’m in favour of attempts to raise awareness, especially since the spammers and phishers work hard to get under our defences. I’m already receiving spam offering to sell me Tamiflu without prescription, and I’m pretty sure that if I bought some my credit card details would be ‘borrowed’ for other purposes.
But of course I also think that the software companies, ISPs, computer manufacturers, website designers and e-commerce sites are really to blame, because they’ve built a network which is fundamentally insecure and open to fraud, theft and abuse. Making the users do all the work is adding insult to injury.
However we have to work with what we’ve got, and changing the internet is a long term project. In the meantime, better education is a good start, although I doubt that we’ll find a section on this corporately-funded site that explains why modern software is so full of bugs and how the software companies manage to sidestep any liability for the damage that might be caused by it.
But it will be interesting to see if my dad, a ‘silver surfer’ with almost no awareness of the damage that malware could do to his computer, hears about the campaign and asks me about it.
Unfortunately all the good work done by the campaign could be undermined by a rather disturbing court case which concluded recently.
Earlier this month Londoner Daniel Cuthbert was fined under the Computer Misuse Act for doing what almost every website advises – checking to see whether the company he was dealing with online really were who they claimed to be.
After he had made a donation to a website raising funds to help victims of the Asian tsunami he noticed that he didn’t receive a confirmation message, and became concerned that he’d fallen victim to a phishing scam and had revealed his credit card details.
Cuthbert went a bit further than most because he’s a security consultant, but he didn’t hack into anyone’s servers or damage anyone’s data. He probed the server using some fairly standard network security tools in order to check it out. He was satisfied, and reckoned that the server had simply failed to operate properly because he wasn’t using Windows and Internet Explorer.
Unfortunately the systems administrators noticed his probe and panicked, thinking they were being hacked into. As a result he was raided and arrested, and eventually convicted under the Computer Misuse Act.
The Act, which was passed in 1990, makes it an offence to alter a computer without permission, but it’s so vague about what counts as a ‘computer’ and what counts as altering that – as I pointed out when it became law – it could be used to prosecute someone who set your video to record a programme without asking first.
In this case it has been used to make a criminal out of someone who seems to have been simply following the advice given on the government’s trading standards website, where it tells you to ‘look for information about the protection the company has put in place’.
If those who have the technical skill to take this advice seriously are going to end up being prosecuted this can only undermine the message coming from the new safety campaign.
Perhaps the high-tech crime unit should be talking to the politicians about sorting out the law so that they can avoid this sort of foolishness in future.
Bill Thompson - andfinally.com
[Thompson is a UK-based writer and broadcaster.]
===================
Something you think we should know? tips[at]p2pnet.net
October 29th, 2005 at 4:03 pm
This article contains some of the same problems I notice elsewhere. It says we should be holding software companies more accountable. The only way we have to do that is to create a competitive marketplace where people can switch vendors when they don’t like what one vendor is offering. It is then suggested that those who have exercised that right (those not using the most vulnerable software) are somehow “smug” because they have done their part.
Until people realize that “Virus Scanners” serve no purpose other than to detect known exploits for known security problems, they will not realize that any computer that needs to run a virus scanner is badly designed. While it is one thing to have tools to alert users of potential problems when installing software, viruses that get in without manual intervention from the computer owner are exploiting software flaws that should simply be fixed.
I haven’t been personally infected with a virus since the early 1990’s. That is when I switched from running an Amiga computer to running various Free Software operating systems such as BSD Unix (on that Amiga) and then Linux. While I obviously still need a firewall and keep my software patched as bugs are fixed, I no longer have to worry about design flaws that are easily exploited and never fixed as is the case for Microsoft users.
Suggesting that the ISP should have any part in this is also part of the problem, not part of the solution. The Internet is intended to be a network where the endpoints are smart, and the network itself is dumb. It is wrong to have intermediaries like ISPs doing anything other than routing packets — issues such as security of your endpoint must happen at your endpoint, otherwise the basic functionality of the network is diminished. Just as we don’t want to be stuck with 8-track tapes forever in the future (oh — they are already gone), we don’t want to be stuck with ISPs creating filters to “snapshot” the current functionality of the Internet and not allow it to advance without their permission.
October 29th, 2005 at 4:21 pm
I agree with you wholehearedly. I have never had a virus since I switched to Linux. Not only that, my computer will NEVER contract a standard written virus. What makes my computer more “secure?”. I have made a couple of simple modifications to my Linux kernel and also to just about every program that runs as root or has an Internet connection. This is what I like about Linux, it has a free license. I can do ANYTHING what I want with it as long as I do not restrict others from doing the same.
The government and the cartels are NOT the solution but rather, they are the PROBLEM. Most government mandated programs run only on Windows therefore forcing most businesses to run this operating system. If the government was serious about protecting the online envoronment, it would make sure that any program it requires people or businesses to run to be open source and available to the operating systems written by those other than Microsoft. Until governments (U.S.A. included) embrace free market capitalism, the Internet will never be safe. Home users who do not have to use government mandated software should use Linux, BSD, Solaris, or MacOS (BSD Derivative). Anyone that I know of that uses these operating systems have never had a virus.
October 29th, 2005 at 9:04 pm
It amazes me that it is accepted practice for software companies to rush to sales an incomplete project with the idea that they will issue patches later to finish what should have been a finished product at the start. I would not buy a car with the idea that they would ship me the tires in a month, why should software be any different?
My last go around with a worm in my home network convinced me that I was running the wrong software for an OS. Since it got into the MBR of every hard drive in the system, the task of zero writing every one of those hard drives added up to a lot of time down. I had all the protections. Anti-spy ware, hardware firewall, software firewall, trojan hunters, anti-virus, and on and on. What none of the removers would do is remove what they weren’t written to detect. New signatures are written often but it has to reach a certain level of infection before that occurs. I could find mention of the worm but I could not find cures, solutions, nor recommendations to eliminate the pest.
At that point I asked myself what I was doing wrong. My answer came to me that I was using the wrong OS. It is unforetunate that Microsucks has been as successful as it has in eliminating competion. Since the choices of modification or altering the OS is nil on major levels (being as it is locked down); there is no chance of altering its habits when it comes to user level.
Finally I tried linux. While I am not an expert with Linux, I learn a little every day about it. What I can say with all certainty is that since that day, I have not been infected with a malware of any sort. Do I still have all those anti this and thats for an OS? Yes of course. Do they ever show up anything? Never. About the worse I see is cookies. I don’t regret the change as security is more of an issue for me on the net than any other topic.
Best of all, any of those malware detectors are free for linux. There is no annual renewal fee, no major profits to be made by businesses. There is also no hidden time costs with what it takes to run those applications on a constant basis as I used to have to do with Windows.
Many will say they can’t live without Windows. That linux doesn’t have game support or intercompatiblity with other business apps that use Windows exclusively. No problem on my part. I no longer have those security issues.