Kuro5hin.org: technology and culture, from the trenches

The Great Security Panic

By mingofmongo in Op-Ed
Thu Oct 31, 2002 at 07:07:22 AM EST
Tags: Security

After a good solid 40+ years of handing our credit card info to minimum-wage workers at stores that don't shred anything and often throw out this info in dumpsters in the alley - we are now taking a rather inexplicable interest in the security of information that is strongly encrypted from end to end.

Do we really need more security in home computers, and on the net in general, or is this just a bunch of greedy nerds trying to flex their geek-muscles in public? Is this a legitimate concern, or just sheep being fattened up for the slaughter? Is my sarcasm coming through, or are you really unsure of my stance on the issue?


Observe two criminals. Each one wants your stuff. Criminal A is sitting at home in his underwear staring at a computer monitor. Criminal B is sitting in a van across the street from your house.

A has to gain access to the network your computer is often on. This may or may not be easy. Best case (for A) is that he is on the same 'last mile' as you and is simply there with you. Worst case is that he has to hack his way across several networks to a machine on your network. B just waits until you aren't home.

A's options at this point are to try to get into your machine, or just sniff your network traffic. Breaking into your machine requires either guessing authentication info from things A knows about you, analyzing network traffic in hopes of getting some info, or making use of a security hole (bug) that may or may not exist on your system, and may or may not have been fixed. If A is really sneaky, he may try to trick you into installing something that makes his job easier, but you need to be really stupid for this. B's options are: pick a lock, break a window or break a door with a big hammer.

A must take care to clean all logs on each machine he has used in this process, and any logging routers he passes through if he wants to cover his trail adequately. B should wear gloves, and keep his visit short.

A will learn the contents of your grocery list, the love letters you wrote to your boss's wife, all those digital camera photos of your cat and, if you are really dumb, he may get a credit card number. He may or may not get the expiration date, which is what makes it useful. If A just sniffs the network, he will get those love letters again, the cat photos you sent to your cousin, and a big garbled mess of encrypted data from your last Internet purchase. If A is skilled, and has a fast machine, he might crack this encryption over a period of 10-20 months, if at all, and then you may be out the $50 you are responsible for in case of fraud. Meanwhile, B has just stolen your computer, your jewelry, the mad-money in the soup can, your DVD collection and your favorite velvet Elvis painting.

Not surprisingly, more people have more stuff stolen from them in real life than on-line, by a very wide margin.

The fact is, if you aren't a complete schmuck, you have very little to lose to a hacker as long as you don't keep important data on your machine, and you don't send it insecurely. You have absolutely no need for "palladium" or any other heavy metals to protect data you are not being careless with. The fact is, you are not even a target. You, as a normal computer user, are the most uninteresting person on earth to a hacker. You don't have anything they want. There is not likely anything they can use or learn from on your machine. You do not likely have any porn that they can't get for free on Usenet. They don't want your financial info, when they can go dumpster diving for 20 or 30 cardz in a night.

The answer is not draconian security measures that you will not benefit from at all. The answer is to use the same logic that keeps you from eating food you find lying in the street. At some point, you were probably taught that it is bad to eat candy bars you find lying on the ground. At some slightly later point, you realized that this was good advice. I'm betting that the vast majority of my gentle readers do not, on a regular basis, eat food they find lying in the street. You just don't do it. There is no intestinal security device that keeps you from putting trash in your mouth - you just don't do it.

It should be obvious to most people now that information is like food, and there are things that you don't want to do with it if you want to stay healthy. And if occasionally someone doesn't get it, it is no bigger tragedy than when people buy gold from strangers on the telephone. There is no good way to keep fools from parting with their money and info. Think of it as a corollary to Barnum.

Security that people don't have to think about at all is bound to fail. Security has to be a conscious thing. You make an effort to lock the door of your house. You have a pretty good idea what will happen if you leave the keys in your car enough times. Why should computer security be any different from ordinary real world security? The basic law of the universe is: don't do anything dumb. If you follow the law, you will be secure at home and on-line, among other benefits. If you break the law, you will have lots of problems anyway.

Tell everyone you know that you don't need help to avoid stupidity. Have big conversations about how you are not mentally deficient, and don't need a "mom" in your computer to watch over you. Learn something rather than just believing every piece of FUD that rains down on you from on high. If people start talking about this enough, someone in marketing at Intel or M$ might start to fear for their bottom line, and stop this foolishness.

Or maybe we are really that stupid, and need our hands held all the time.

The Great Security Panic | 192 comments (119 topical, 73 editorial, 0 hidden)
I think you miss a point (4.00 / 5) (#3)
by Platy on Tue Oct 29, 2002 at 06:41:12 PM EST

I think the point in "encryption for everyone" (if you allow me to limit security to encryption for now) is not so much that a special person might or might not get your data - but how hard it is to do this on a large scale (e.g. by ISPs, governments, executive and similar).

As a citizen who values privacy I do not want all the data which flows over my internet connection to be analysed and stored and indexed and so on. Even if I know that "they" (the above mentioned bodies) probably can get my data if they want.
--
Tongue-tied and twisted, just an earthbound misfit, I.
The point is that you can chose what to encrypt (3.50 / 2) (#6)
by mingofmongo on Tue Oct 29, 2002 at 06:53:09 PM EST

If you encrypt and otherwise secure everything, you are wasting your time and effort, and creating an environment where security fades from conscious view.

Security is your own responsibility, and not that of some software company thousands of miles away. We have all the tools today to meet the need, without causing a big hassle. Do we really need an electronic nursemaid also?

How secure is a world where everyone thinks that security is being taken care of automatically?

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

Encryption (4.50 / 2) (#10)
by Platy on Tue Oct 29, 2002 at 07:15:52 PM EST

I was referring to encryption only. Encryption of everyday messages ("hi how are you" and so on) which makes it harder to filter messages "worth" cracking, which helps against cracking them.
--
Tongue-tied and twisted, just an earthbound misfit, I.
[ Parent ]
I tried to get Phil Zimmermann interested in that (4.00 / 3) (#15)
by mingofmongo on Tue Oct 29, 2002 at 07:39:58 PM EST

idea, and didn't get anywhere. I used to think crapflooding the world with bogus encrypted data was the way. But now I'm not so sure. The encryption commonly used is strong enough to stop any casual eavesdropper, and even most law enforcement. And you can get stronger stuff if needed.

No... I still say that the way to protect stuff is to avoid shouting it from the rooftops. Everything should get the level of security it needs and not a drop more.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

encryption of minutia (4.00 / 2) (#161)
by adiffer on Thu Oct 31, 2002 at 02:35:19 AM EST

I usually encrypt when I feel like encrypting.  That includes some crap at times if the recipient is encryption-savvy.  My machine is easily fast enough to secure the information well enough to get it to its destination without being picked apart.  I'm not so sure about its safety on the other end, so I still employ the 'don't shout from rooftops' method as a backup.

Seems to me that you are trying to raise a point the ignorant won't understand, the lazy will try to avoid, and the wise already handle with whatever tools they like.

-Dream Big.
--Grow Up.
[ Parent ]

"Level it needs"? (4.50 / 2) (#175)
by RofGilead on Thu Oct 31, 2002 at 12:28:41 PM EST

For any message being sent, how do you decide what "level it needs" of security?  A message encrypted with technology of today, at the "level it needs" to be protected from a normal person's computational resources, or at a higher level, from governmental resources, will not be protected from the level of technology that is available in five, ten, or twenty years in the future.

If your information is a credit card number and expiration, you may be able to protect it for as long as it is in use.  If your information consists of business documents that should never be released within the scale of a human lifetime, how are you going to protect that information?

And this is simply taking into account the increasing rate of computation per cost in relation to time.  If a sudden advance such as quantum computing reaches practicality, it would be even worse.  To bridge that gap, common consumers would need quantum communication technologies of their own, and such a gap would likely exist for an extended period of time.

Also, the article was silly.  A thief can only break into one house in a period of time that an automated computer cracker could break into a large set of machines, get a large number of credit cards, all without much stress or fear of being caught.

-= RofGilead =-

---
Remember, you're unique, just like everyone else. -BlueOregon
[ Parent ]

On the contrary (4.33 / 3) (#18)
by trhurler on Tue Oct 29, 2002 at 08:11:21 PM EST

First, there are so many things to secure and so many places they can go wrong, that if most of them are not mostly automated, then none of them will get done right.

Second, if you don't encrypt everything, then traffic analysis is trivial, which makes finding and breaking the stuff you need much easier (i.e., possible, rather than impossible).

Third, you do not have all the tools you need today. Most of the tools you have don't work as well as you think they do. Why do I know this? Because I'm a toolmaker, and you're some chump ranting about things you don't know anything about.

--
'God dammit, your posts make me hard.' --LilDebbie

[ Parent ]
encryption (3.00 / 2) (#64)
by heng on Wed Oct 30, 2002 at 03:29:46 AM EST

Hey, I didn't realise k5 supported encryption. :o)

[ Parent ]
Well, (4.50 / 10) (#16)
by trhurler on Tue Oct 29, 2002 at 07:49:40 PM EST

First of all, most computer security is not oriented at keeping credit card numbers out of the hands of script kiddies. Most computer security is about privacy, and the expected intruder is institutional in nature.

Second, most of what remains is aimed at preventing disruption of service. Seeing as a useless computer is worse than no computer at all, this is obviously a worthy goal, and in fact, individual attackers can have a vast impact on the usability of your computer.

Third, for those of us who are not just individuals running PCs in our basements (I have a day job, you know), computer security is a real concern, because like it or not, billions of dollars are lost to faulty computer security every year on the corporate level. When the attacker is not just some guy, but rather a guy with the backing of a corporate or governmental entity (the latter is quite common in some countries), and when the target is a large company rather than some individual's credit card number, a lot of your assumptions fall down.

Fourth, once your system has been attacked, you are faced with the prospect of totally reinstalling it from scratch to make absolutely sure nothing has been modified, removed, or added which will cause you problems down the road. The hassle is a very large factor, and face it: your average computer user doesn't understand it. This "don't eat food off the street" analogy is great for those who have a clue - but most computer users - even most pros - really don't have a clue. You probably don't either.

Is computer security oversold to grandma? Yes, but so is everything else she could ever want or fail to want or not realize exists. So what?

Your story seems to me half naive ranting and half tempest in a teapot. Perhaps you should learn more about subjects before you write rants about them.

--
'God dammit, your posts make me hard.' --LilDebbie

No, actually, you are wrong (4.50 / 2) (#17)
by mingofmongo on Tue Oct 29, 2002 at 07:57:45 PM EST

Most computer security IS most definitely about finances, and most of that is about credit cards. Some is about company secrets, and practically none is about personal privacy. The only help you get on personal privacy is from a few nice hacker types, and whatever dribbles down from the corporate side.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

Sorry, I was too kneejerk on that... retry.. (4.66 / 3) (#20)
by mingofmongo on Tue Oct 29, 2002 at 08:14:04 PM EST

The article I wrote is all about home users. It is about the stupid palladium crap that is targeted at home users. Like I mentioned, the majority of hack attempts are not on home users, so the fear, uncertainty and doubt aimed at the home user is pointless money-grubbing.

This kind of thing is not being aimed at institutional users. It is being aimed at the home users who might do something like try to use an unsigned dvd player to watch something they bought outside their region.

One thing you can't call me, after my years in and around the computer security industry, is naive. Half the security implemented is a useless waste, made necessary by clueless executives making decisions at the 19th hole. People want magic technical solutions to un-magical human problems that are better solved by policy and accountability than VPNs. I still don't know where the billions of dollars in damage comes from, even after hearing about it for years, but I can guess it is from shit statistics and over-valuation of useless data.

I'm not trying to lead anyone down the garden path here. It is all a big wankfest. Even institutions have far more to fear from inside attacks by employees, and outright theft than they do from network attacks.

The right security for the right situation is usually quite minimal and adequate.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

Well, (4.20 / 5) (#25)
by trhurler on Tue Oct 29, 2002 at 08:29:04 PM EST

If what you mean is that Palladium is a joke, it might have done you well to mention Palladium somewhere in the article, so that I could simply have voted zero and moved on. Yes, Palladium is stupid, but Palladium is not a security measure for you or me. It is a security measure for the RIAA and the MPAA. Make no mistake.

--
'God dammit, your posts make me hard.' --LilDebbie

[ Parent ]
I did mention palladium. (4.50 / 4) (#28)
by mingofmongo on Tue Oct 29, 2002 at 08:41:24 PM EST

Sometimes, despite my total hatred for the human race at large, I assume they have intelligence that I should avoid insulting by pointing out the overly obvious. I am usually wrong.

I don't think stupidity is the problem in our exchange though. I think you didn't really read much of the article before you posted your comment. I then did the very same thing in return at first.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

Broadband connections (4.25 / 4) (#23)
by goonie on Tue Oct 29, 2002 at 08:21:48 PM EST

I find myself agreeing with much of the reply here, but I'd add an additional point. Once the home user has a broadband net connection (and more and more non-technical users are getting them) they have a resource that, if commandeered, can do lots of damage as part of a DDOS attack.

It's like owning a gun. If it's stolen, it poses a considerable risk to others. Therefore, the owners of a net-connected computer, just like gun owners, should take care to keep it secure.

[ Parent ]

except that a gun can kill if misused, but (2.75 / 4) (#31)
by mingofmongo on Tue Oct 29, 2002 at 08:51:24 PM EST

a DDOS just stops people from getting porn.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

Agreed (4.00 / 3) (#42)
by goonie on Tue Oct 29, 2002 at 09:48:34 PM EST

I didn't mean to imply that you could kill people by not securing a computer on a DSL connection. It's an issue of property damage, instead.

A better analogy might be leaving the keys in a bulldozer, which can do a hell of a lot of damage to property if a teenager gets behind the wheel :)

[ Parent ]

Perhaps (3.00 / 1) (#87)
by curien on Wed Oct 30, 2002 at 12:03:08 PM EST

As we become more reliant on the Internet for general-purpose telecommunications, a DDoS attack could very well cost someone their life.

And a gun, if misused, will most likely just put a small hole in a wall somewhere.

--
Murder your babies. -- R Mutt
[ Parent ]

If you're going to wax hypothetical (4.00 / 1) (#167)
by tzanger on Thu Oct 31, 2002 at 09:20:32 AM EST

You should at least try and keep both your points on the same side of the extreme.

A DDoS attack could very well cost someone their life, just as a misused gun will most likely kill someone. Or, a DDoS attack would most likely cause people to lose the access to pr0n, just as a misused gun would mostly likely put a small hole in a wall somewhere. It's disingenuous to put one on one extreme and then the other on another.



[ Parent ]
Yes (4.00 / 1) (#184)
by curien on Thu Oct 31, 2002 at 10:53:05 PM EST

I was trying to demonstrate that the parent of my post was making the same mistake.

Compare "can" with "can". Or compare "most likely" with "most likely". Mixing the two only muddles the issue.

--
Murder your babies. -- R Mutt
[ Parent ]

hahaha (none / 0) (#185)
by tzanger on Fri Nov 01, 2002 at 10:14:30 AM EST

My apologies. I was trying to prove the same point you were trying to prove.



[ Parent ]
A point that's often missed (4.50 / 4) (#21)
by andrewm on Tue Oct 29, 2002 at 08:19:40 PM EST

If you're a merchant selling stuff online and someone uses a stolen credit card, then you lose money. Once you've shipped the goods to the thief and the owner of the credit card has had the transaction reversed, do you really think that the credit card company will generously take the loss, or will they take the money back from the merchant's account? There's plenty of companies that will handle credit card billing for you, and that will eat any losses due to fraud - but you pay higher fees for this protection, so still lose money.

This isn't an issue when you physically hand the card over to a person in a store, because the credit card company won't let the customer reverse the charge - they have to go back to the store to get a refund.

Actually, there are few circumstances in which (4.50 / 2) (#24)
by mingofmongo on Tue Oct 29, 2002 at 08:25:18 PM EST

the banks won't chargeback the card. As long as the cardholder has a fairly good payment history, he is a valuable, sought-after resource to the bank. The merchant, on the other hand, is kinda stuck. If he doesn't accept the card, he loses business, so the card companies will usually side against the guy they have wrapped up anyway.

On-line and catalog sales are more risky, but the merchant pays a much higher rate for that anyway. Regardless, none of the crap that is being pushed on the end user as far as security goes addresses that problem.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

e-Merchant no obligation to protect your e-credit (4.50 / 2) (#60)
by Al Macintyre on Wed Oct 30, 2002 at 01:17:16 AM EST

As I stated in another post here, the reason you are 7 times more likely to have your credit stolen on-line is that many e-merchants inadequately protect the security of their customers.

Hundreds of thousands of credit card details are stolen from hundreds of e-merchants AFTER the purchase - the merchants got their money from us; they are under no legal obligation to secure our info on their computers.  After a serious hacking incident, they are free to close up shop, get paid off by their insurance companies, open up a new business and continue selling us stuff with inadequate security against history repeating.

Meanwhile the customers have ruined credit because of what happened to the hundreds of thousands of people whose credit was stolen on line.

Or another example, insider crime in the payroll department.  As I shared on my weblog (http://radio.weblogs.com/0107846/Categories/security/, Oct 10: http://radio.weblogs.com/0107846/categories/security/2002/10/10.html), the Chicago Sun-Times reported that it only took one crook working for the State of Illinois to steal info on thousands of co-workers, leading to thousands of victims.

The bottom line is that it is too damn easy for a crook to steal your identity, and it is not because they have credit info on you, it is because the banks sell an account to anyone who claims to be you with absolutely no evidence to support the notion that they are you, then when they drain all your assets and skip off, the bank holds you responsible for their debts.

The solution is to make the credit issuers responsible for proving who it is they sold credit to.
- Al's weblog: http://radio.weblogs.com/0107846/ donate your unused PC resources (only when you are not using them) to cure cancer http://members.ud.com/about/
[ Parent ]

margins (3.83 / 6) (#27)
by SocratesGhost on Tue Oct 29, 2002 at 08:39:01 PM EST

Thief A can get a full entertainment center online, and even have you pay for online shipping. He can also ruin my credit rating and that will haunt me for decades. Thief B is limited to how much he can carry and what can fit into the back of his van.

-Soc
I drank what?


By law, you are responsible for only the first $50 (4.33 / 3) (#29)
by mingofmongo on Tue Oct 29, 2002 at 08:49:27 PM EST

of fraudulent expenses on your credit card. The bank will almost always waive the $50 anyway. This is a reflection of the small percentage of fraud there really is. It doesn't have any effect on your credit history at all.

The merchant may suffer, but (currently working for an online retailer as I do) I can tell you that there is a lot of verification done on large purchases. You verify the billing address, the three digit security hash, and the expiration date. Many retailers won't ship to an address that is not the same as the card billing address, and others require a lot of faxing and other paper trail before shipping to another address.

Fraud is lots lower than you think.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

not saying it's common (3.00 / 1) (#46)
by SocratesGhost on Tue Oct 29, 2002 at 10:01:05 PM EST

I'm just saying that success gets you more.

-Soc
I drank what?


[ Parent ]
FUD (4.33 / 6) (#36)
by killHUP on Tue Oct 29, 2002 at 09:19:23 PM EST

True, there are plenty of reasons why a person doesn't need to go insane trying to keep their systems secured.  There are also many organizations out there selling security services that thrive on fear-mongering.

But there's also the need for the public to be aware of the potential dangers.  You know not to eat candy off the street because someone warned you of the dangers of eating things you find on the street.  Why not give the public all the information they need to keep themselves safe?

Saying that it probably won't happen to me is simply a delusion.  With automated cracking tools, you no longer need to be a specific target but a randomly-chosen IP address.  Don't forget that a system compromise costs the user time and money, regardless of what is "taken".  Systems need to be rebuilt, the integrity of stored files validated, etc.

Mini-disclaimer: I run a site that focuses on InfoSec.  I don't make any money from it nor do I benefit from "scaring" the public.  If anything, the site costs me every month to keep going.  If it wasn't a hobby of mine, I'd find a better way to waste my money ;)

--
Kill-HUP.com: Unix and Information Security news and discussion.

Dammit (3.00 / 2) (#37)
by killHUP on Tue Oct 29, 2002 at 09:20:45 PM EST

I need to watch the format I choose ;)

--
Kill-HUP.com: Unix and Information Security news and discussion.
[ Parent ]

Absolutely right. I'm all for information. (1.00 / 1) (#39)
by mingofmongo on Tue Oct 29, 2002 at 09:34:20 PM EST


"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

This already happens to an extent (2.00 / 1) (#133)
by Fon2d2 on Wed Oct 30, 2002 at 04:44:09 PM EST

People know these things already.

Keep software updated.
Save periodically while working on a document.
Backup files to external media periodically.
Don't use common words or names for your password.
Change your password periodically.
Don't give out your password or write it down.
Don't share folders without a password
Never share folders with write permissions.
And so on.

[ Parent ]

Re-education (3.00 / 1) (#170)
by killHUP on Thu Oct 31, 2002 at 10:50:58 AM EST

I agree, most people already know this stuff. Just like locking doors, watching your kids and not leaving the car keys in the ignition. It's the putting it into practice that seems to be the problem ;)

Maybe beating the public over the head every few months with the same message just isn't working. Wasn't there some government agency with a cartoon spokesperson in the works? Hell, people listen to Smokey the Bear....

--
Kill-HUP.com: Unix and Information Security news and discussion.
[ Parent ]

Found it! (2.00 / 1) (#171)
by killHUP on Thu Oct 31, 2002 at 10:52:51 AM EST

It was Dewie the Turtle, thanks to the FTC. I knew I'd seen this posted somewhere before ;)

--
Kill-HUP.com: Unix and Information Security news and discussion.
[ Parent ]

It's obvious you need to think about this more (4.81 / 11) (#41)
by CaptainSuperBoy on Tue Oct 29, 2002 at 09:40:12 PM EST

Criminal A isn't going after YOUR credit cards specifically. You're pretty dense if you think there are computer criminals sitting around targetting any specific individual.

Under your 'common sense' approach to security I think we'd see a lot more of the large-scale theft of thousands of credit card numbers online. It would be dangerous to put information security in the backseat because "it's so much harder than breaking into a house." The obvious difference is, the stakes are incredibly high.

--
jimmysquid.com - I take pictures.

8 years long enough? (4.00 / 4) (#43)
by mingofmongo on Tue Oct 29, 2002 at 09:50:57 PM EST

Something people have a hard time understanding is that there is no such thing as zero-tolerance in reality. You can never have 100 percent security, not in any aspect of life. There is a point of diminishing returns on most everything, and in home user end security, that point is very close to the front door.

The naive view isn't that end users are getting screwed by all this security BS, but that it is worthwhile for them to spend a lot of effort on protecting data no-one wants.

Institutional computer users are already quite well protected these days. Some corporations are far better protected against hacking than any branch of the military.

Things like Palladium, and twenty different virus scanners do nothing to keep institutional servers safe. They are aimed at people who are so scared by FUD that they will give up privacy they don't understand to get security they don't need.

All I'm asking is that we stop helping this stupidity.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

Thank you (3.50 / 2) (#126)
by Fon2d2 on Wed Oct 30, 2002 at 04:28:11 PM EST

It's good that you made the point of diminishing returns and that there is no such thing as 100% security. In fact there is no such thing as 100% perfect anything. That fact and the law of diminishing returns are two fundamentally important facts if one wants to understand your point. Trying to discuss security without that knowledge would be like trying to discuss energy policy with no comprehension of the laws of thermodynamics. I phrased it a bit differently in a different comment thread as a matter of statistics, but it was essentially the same point. Anybody that goes through a little extra effort has a lot less likelihood of being hacked. And there are all kinds of simple things to do. Install a firewall. Keep software updated. Do regular backups. Keep network or system logs. Etc.

[ Parent ]
On second thought, I'd have to say that (4.00 / 3) (#45)
by mingofmongo on Tue Oct 29, 2002 at 09:58:40 PM EST

under my common sense approach, there wouldn't be thousands of credit cards on line to be stolen. Why should anyone keep all those card numbers on file on a machine that is available to the net? There are plenty of ways to handle cards that don't expose such a stupid vulnerability.

Common sense would have them removed from the system as soon as possible. After the charge occurs, they are only needed for archival purposes. Why do people have them around to be stolen at all? Ever try to hack a CD sitting in a safe-deposit box? And if that's too much trouble, why aren't they encrypted?

I bet that no merchant has had this happen to them twice...

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

CCs online... (none / 0) (#190)
by fink on Sun Nov 03, 2002 at 04:16:15 PM EST

under my common sense approach, there wouldn't be thousands of credit cards on line to be stolen. Why should anyone keep all those card number on file on a machine that is available to the net?
Because without credit card numbers available somewhere online, electronic commerce, be it through banks, through vendors, or through basic EFTPOS machines, would stop? Do realise that damn near everything these days goes through a public network at some point, including the humble EFTPOS machine.

Is that in fact what you're proposing - that we stop using credit cards for electronic transactions of any kind, and we go back to using them only with paper transactions, which had a much higher fraud rate? If so, what are you proposing to replace the card with, which will be secure and usable?

Or should ThinkGeek et al just shut down now?


----
[ Parent ]

I recall reading (3.66 / 6) (#49)
by godix on Tue Oct 29, 2002 at 10:20:04 PM EST

... in one of the numerous MSNBC, CNN, or BBC articles about 'identity theft' that online credit card fraud is twice real world credit card fraud. This is a scary sounding stat and mildly concerned me till I later learned that real world credit card fraud was somewhere around .1% or so which means online fraud is only .2% of all transactions. After that I quit worrying about my credit card getting stolen. Besides there is a $50 limit on fraud and many credit cards, mine included, won't even charge you that $50.

Computer security basically comes down to common sense. Would you leave your credit card # written on a piece of paper at your desk, if not why leave it in your computer? Would you collect and store questionably legal porn pics in the real world? Why do you have that directory of what very well may be models under 18? Would you brag about how many movies/cd's you copied from your local rental place in front of strangers? Why share all those technically illegal mp3's you have in kazaa?

In my case this system means I take basic precautions of installing security patches/virus scanners/etc. However if someone did break into my computer then they could steal my collection of MP3's (all made from CDs I own I might point out) and a couple anime music videos I'm playing around with. Big deal, you're welcome to them if you want, I keep backup CDs.


- An egotist is someone who thinks they're almost as good as I am.

e-Reality is not credit safe (4.00 / 2) (#58)
by Al Macintyre on Wed Oct 30, 2002 at 01:05:27 AM EST

There was a story in the media where Visa revealed that we are 7 times more likely to have our credit info stolen when using it on-line than when using it in the physical world.  This is basically because e-business is run by amateurs in security, while real businesses have many years experience figuring out how to operate.  Your credit info is stolen from the places where you do business, that store credit info on customers where hackers can make off with credit card info on tens of thousands of people at one time.

The $50 limit is if your physical card is stolen.  There is no limit if your identity is stolen ... they can make off with all your money, and then some, leaving you in debt for a long long time, with lots of hassles for life also.

I have posted more about e-Security at http://radio.weblogs.com/0107846/Categories/security/ - see for example

Oct 9 http://radio.weblogs.com/0107846/categories/security/2002/10/09.html

Aug 29
http://radio.weblogs.com/0107846/Categories/security/2002/08/29.html

Use the calendar on upper right corner to navigate to my other posts
- Al's weblog: http://radio.weblogs.com/0107846/ donate your unused PC resources (only when you not using them) to cure cancer http://members.ud.com/about/
[ Parent ]

I've seen it happen a few times, (3.00 / 1) (#135)
by mingofmongo on Wed Oct 30, 2002 at 04:46:28 PM EST

and not once has the end user been responsible for one dime. The bank usually waives the $50 even. The merchants are out the dough, and they are the ones who need the security lesson, so it all works out.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

Working out (4.00 / 1) (#153)
by ucblockhead on Wed Oct 30, 2002 at 07:00:43 PM EST

Yes, and the merchants pass the cost of the thefts on to the consumer in the form of higher prices.

I say that speaking as someone who spent six years writing credit authorization software for merchants. If you think it is the merchant that eats the cost, you are very naive.
-----------------------
This is k5. We're all tools - duxup
[ Parent ]

Merchant (2.00 / 1) (#156)
by godix on Wed Oct 30, 2002 at 07:44:18 PM EST

Either the merchant will learn security so they don't have to pay that extra cost or they'll go bankrupt because their prices will be higher than other people's for the same goods. Either way, a store's security for credit cards isn't really a danger for ME


- An egotist is someone who thinks they're almost as good as I am.
[ Parent ]
or (4.00 / 1) (#172)
by ucblockhead on Thu Oct 31, 2002 at 11:34:36 AM EST

or all merchants will have equally lax security and all pass the costs of fraud on to the consumer.

That's not theoretical. That is exactly what certain real merchants I am aware of do.
-----------------------
This is k5. We're all tools - duxup
[ Parent ]

Warning to all hackers! (3.00 / 2) (#63)
by tacomacide on Wed Oct 30, 2002 at 03:06:11 AM EST

Don't even bother hacking this guy, because he keeps his kiddie porn in the REAL WORLD!

[ Parent ]

It's called a daughter [nt] (2.66 / 3) (#71)
by gazbo on Wed Oct 30, 2002 at 06:49:43 AM EST


-----
Topless, revealing, nude pics and vids of Zora Suleman! Upskirt and down blouse! Cleavage!
Hardcore ZORA SULEMAN pics!

[ Parent ]

No (2.00 / 1) (#155)
by godix on Wed Oct 30, 2002 at 07:42:08 PM EST

I let my friends collect it and I just pay them a visit when I want a peek. Much safer with the law that way...


- An egotist is someone who thinks they're almost as good as I am.
[ Parent ]
Where are you getting this information? (4.42 / 7) (#53)
by El Volio on Tue Oct 29, 2002 at 11:39:45 PM EST

If you think home users aren't being targeted, you're wrong. If you think they aren't being targeted individually, you're most probably right. Home systems (especially those with a fast connection to the Internet) are often used either as waypoints in a more serious attack or as convenient places to use/serve warez or porn.

This is not to say that information security is more or less important than physical security; it's different. Not everybody just uses the Internet to surf for porn; there's a lot of use of it outside of that area (though I'll stop short of calling it all "productive"). And yes, sometimes some products are oversold. But until people understand the fundamentals of information security the way they understand the fundamentals of physical security, that will continue to be necessary. I wrote an article some time ago that was pretty well ignored and shot out of the queue, probably rightfully so, that drew a bunch of parallels in this regard. But just as securing a house requires good locks and often an alarm system, securing your home system(s) occasionally requires an outlay. And although many people know how to look for some vulnerabilities in their house (open windows and such), the number who know how to keep up with vulnerabilities and such is still quite small. Perhaps it's growing, but it's still small.

Your basic premise is just flawed. And until home systems stop getting compromised and used to attack my networks and make my job obsolete (I'm a senior infosec engineer for a large telecom company), then I'll keep banging this drum as loudly as I can.

Give me a break (3.10 / 10) (#56)
by barnasan on Wed Oct 30, 2002 at 12:07:27 AM EST


The fact is, if you aren't a complete schmuck, you have very little to lose to a hacker as long as you don't keep important data on your machine, and you don't send it insecurely. You have absolutely no need for "palladium" or any other heavy metals to protect data you are not being careless with. The fact is, you are not even a target. You, as a normal computer user, are the most un-interesting person on earth to a hacker. You don't have anything they want. There is not likely anything they can use or learn from on your machine. You do not likely have any porn that they can't get for free on Usenet. They don't want your financial info, when they can go dumpster diving for 20 or 30 cardz in a night.

Who are you to tell people what to do? Or what they are, and what they are not? Or what they need? Or what they "probably" have to lose?

Get over it. It's a free society, with free markets. If people feel the need to protect their privacy (even if it's more perceived rather than real protection), they'll buy products with protection.

To be more specific, it's not your FUCKING business what I want to keep on my computer and what not. It's not even your damn business if I'm a schmuck or not. It's not your business if I'm "interesting" or not to anyone, even to criminals.

Don't tell me what I (don't) need. Don't tell me what is "likely" to be found on my computer, OK?

Basically you are saying: "keep being the little small grey mouse you are probably anyway. Somebody who ain't got much to lose, doesn't need to have protection mechanisms either. Instead, **I** will tell you what you need. Just make sure you don't fall out of line, and you will be alright."

I'm really surprised that the otherwise very liberal K5 crowd doesn't object more loudly to the basic premise of the article.

Basically, it's a simple decision: are we for individual privacy, or not? If we are, then the whole article is pointless. Because free markets and technological innovation can take it from there just fine.


Who you "probably" are... (4.00 / 2) (#81)
by Vygramul on Wed Oct 30, 2002 at 09:58:26 AM EST

I think the intent of that paragraph was to give the hacker's point of view. For example: if you're a nefarious hacker looking for a monetary payoff, who are you going to devote your resources to? Some random Joe who may or may not have money worth taking AND who may or may not keep info on his computer that would enable you to get that money? Or, will you spend your time hacking into known quantities?

Yes, you may want privacy. You may want more protection on your computer (or ANY protection at all if you're using Windows), and that's fine. I think that he was just trying to help put things in perspective for those who may want to buy security.

Free Markets work well, but work even better if people are informed. Just ask Bill Gates.


If Brute Force isn't working, you're not using enough.
[ Parent ]

Need the user manual for your brain ? (3.00 / 2) (#173)
by acheon on Thu Oct 31, 2002 at 11:36:49 AM EST

Some facts :

=> Overall, what he states in his article is true. And especially in the paragraph you quoted. No amount of indignation will ever change that.

=> I don't think he meant to tell you what to do. Learn how to read -- and to control your temper.

=> Your last argument can be turned easily. Is anyone interested in your personal data ? If not, then worrying about privacy is pointless.

=> I know a good remedy to cure frustration. It's called Arsenic.

=> One last thing : at least don't claim to be a troll afterward -- I don't buy it. No one can look as much like an idiot as a genuine one.

[ Parent ]

I don't think people over-do computer security (2.75 / 4) (#57)
by Big Sexxy Joe on Wed Oct 30, 2002 at 12:53:14 AM EST

Well, maybe a few, but there is no great security panic. I got my firewall and virus scan program. Most people are probably a little under-educated on the subject.

I'm like Jesus, only better.
Democracy Now! - your daily, uncensored, corporate-free grassroots news hour
Hrm... (4.76 / 21) (#65)
by fink on Wed Oct 30, 2002 at 03:44:47 AM EST

As an (note, not the) engineer with security specialisations for a large defence related organisation, I can say this fairly authoritatively:
People don't spend enough time managing the right parts of information security.
It's not overdone - if anything, it's still underdone. Case in point: Code Red. Case in point #2: ILOVEYOU. Case in point #3: Any one of the number of buffer overflow related issues which plague systems from time to time.

Often, security is an afterthought - it's something managers and the like often feel can be "built onto the system" after the fact. This is not the way to do things - if you build security onto a large system, you're almost guaranteed to miss something unless you're very pedantic. Again, it only takes one very small flaw, and your system's potentially available for any use a criminal may desire, be it personal information, private use of the machine, or some combination thereof.

The appropriate way to approach security is not "more of it"; it's better analysis of where the problems are, better education of both users and implementors, and ensuring that new defects are handled in an appropriate manner. In a lot of ways, it's easier to protect new OSes against intruders than it is to protect new homes against same; new homes still have windows and doors, which can be smashed or jimmied. OSes can be, more or less, protected against any kind of known attack.

Also, security != encryption. Just because someone's CC details are sent over the wire encrypted, doesn't mean a thing if the target system doesn't spend appropriate time and effort on ensuring the system's safe against unwanted intruders.

Not surprisingly, more people have more stuff stolen from them in real life than on-line, by a very wide margin.
What you say in some ways is true - you are more likely to get your house broken into and have things stolen than to have information stolen online, if only because there are more people who live in houses than have an internet connection. That said, network security problems are a very real issue - you only need to subscribe to Bugtraq or be a member of CERT to see just how many problems occur.
I'm fairly sure that per-capita, information security breaches are more common than household security breaches. I'll find online data to back this up.
if you are really dumb, he may get a credit card number. He may or may not get the expiration date, which makes it useful.
The problem with network security is it takes but one breach and any amount of information can be leaked, and as many people will well tell you, there are any number of breaches either already there or waiting to be found. It only takes one bug, not someone being "really dumb" and making their CC details available. Try buying something online without providing all of the details that someone malicious could want. This data has to go somewhere, and inevitably it's stored for some time on a machine somewhere, possibly in a database, and possibly on a machine which hasn't been assessed appropriately against common causes of unauthorised data access.

On that note too, it doesn't take a "really stupid" move to make your credit card details, in full, available to the world. All it takes is a rootkit, or an SSL vulnerability, or an improperly secured database, or a failure in an OS to make all that kind of data - expirations and all - available for all to see.

User education is one part of the picture - if people knew to check for certain basic security issues e.g. the latest patches on their system, they'd be somewhat fine.

The fact is, if you aren't a complete schmuck, you have very little to lose to a hacker as long as you don't keep important data on your machine, and you don't send it insecurely.
The fact is, there are "complete schmucks" out there who keep everything on their systems, thanks to both a lack of education and/or a lack of desire to make things better. The other fact is, computers have become pervasive; they control lots of parts of every day life, and it's getting impossible to assure that "important data" is not stored on some machine somewhere. Often, users don't have control of these machines themselves, so are reliant on at least two other individuals - developer and administrator - to ensure the safety of their data.

-1, but not because I disagree with you; more because I think more time researching your facts and thinking your argument through would have helped your cause.

----

The comment is better than the article (4.33 / 6) (#77)
by wiredog on Wed Oct 30, 2002 at 09:43:01 AM EST



Earth first! We can strip mine the rest later.
[ Parent ]
Did you read the comment or the article? (1.75 / 4) (#129)
by mingofmongo on Wed Oct 30, 2002 at 04:33:20 PM EST

The comment is one more instance of 'steel vault doors or nothing'. The idea that every situation requires all possible security is laughable. In what way is this better than an article about home computer users having unnecessary security issues thrust upon them?

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

read it again, my friend... (4.83 / 6) (#134)
by fink on Wed Oct 30, 2002 at 04:45:34 PM EST

... I thought I'd made it pretty clear. Security is not something we need more of, it's something we need to do better.

It certainly isn't a case of "steel vault or nothing". It's a case of starting with a simple deadbolt on the front door - which at the moment is more often left off than on in the IT security world. As Inoshiro and others pointed out, it takes one fault to breach an IT system, and given the pervasiveness of computing, this is rapidly becoming a major problem. You can't not store personal or critical data on a computer system any more. It just can't be done.

Unnecessary information security is as bad as no security - because that encourages users to find ways around it, and people see it as onerous. What I look for is better security. Education. Doing things smarter, not harder. Encouraging people to lock that deadbolt when they go out. The basics, which are so often cheerfully ignored.

----
[ Parent ]

more reasons why the article is rubbish (2.62 / 8) (#69)
by nex on Wed Oct 30, 2002 at 06:04:44 AM EST

there are many comments here that explain why the story above is incorrect in many points already. still, i feel like adding to the list, please excuse the partial redundancy:
  • the author states that "It should be obvious to most people now that information is like food". the premise that you shouldn't stick either in your mouth when you find it lying on the street isn't quite enough to make the metaphor explain anything.
  • the author states that computer security should not be different from "ordinary real world security" without any restrictions. this seems to be based on the assumption that virtual/electronic/digital data repositories, market places, letters etc. aren't different from their ordinary real world counterparts, which is blatantly stupid.
  • computers are designed to execute computer programs. computer programs are used to automate tasks, to do the same thing over and over again, once you have programmed it. computers can do this ridiculously fast. if a malicious cracker finds a security hole that allows him to steal something valuable from one person, this might enable him to steal something valuable from thousands of persons. even if every individual has very little to lose, someone has to pay; for example, an insurance company (and subsequently all their customers). so there are people to whom digital security is of great importance. working on the latter is no big geek wankfest.
  • many people have to keep important data on their machines and connect these same machines to the net, because their job requires it. they do all kinds of important tasks, most of which don't involve geeky wanking.
  • many people have to send important data somewhere else electronically. not insecurely, of course. however, to ensure the security of the transmission, it's not sufficient to use a program that says "strong encryption" on the box. you have to make sure the strong encryption actually works and there are no security holes. doing so is no big geek wankfest.


The author thinks you are a self important weenie (1.25 / 4) (#101)
by mingofmongo on Wed Oct 30, 2002 at 03:40:25 PM EST

The author hasn't overlooked any of the things you think he has.

The author thinks you need to read the story again, the whole way through this time.

The author is well aware that computers are fast.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

so the author considers me a self important weenie (3.50 / 2) (#139)
by nex on Wed Oct 30, 2002 at 05:08:07 PM EST

> The author hasn't overlooked any of the things you think he has.
he hasn't managed to convey this fact to the reader.

> The author thinks you need to read the story again, the whole way through this time.
the reader had read the story the whole way through the first time. the reader (i mean, nex, i) also mentioned positive aspects of the article in an editorial comment and actually voted +1 FP as the topic the author chose is an important one.

the author may think about the reader what he wants, but the author should notice that presenting some rather unrelated rants is not a good rebuttal of a list of precise accusations. (among which you can not find the assertion that the author has overlooked something (who are you to tell me what i think?), nor any evidence that the reader had not read the whole story, nor any doubt whether the author knows that computers are fast.)

[ Parent ]

Yes the author does. (2.50 / 4) (#147)
by mingofmongo on Wed Oct 30, 2002 at 05:52:32 PM EST

While I am glad you voted for the story (as many who disagree with me have) that doesn't make your comment any less weenieish.

I wrote an opinion piece, based on my years in the industry, and my dismay at current trends. You posted your opinions in response. Your opinions are not hard facts, and laying them down in a list doesn't make them any more valid, although it is rather impressive looking.

In my opinion, it is very foolish to trust important data to inherently insecure systems on enormously insecure networks. It is usually not necessary, and when it is, there are ways to protect it that don't involve screwing things up for everyone. Just because a stupid practice becomes commonplace, doesn't mean it's no longer stupid.

If, however, people know things are not secure, they can choose either to not store and send this info on the computers/internet or take special precautions in the few circumstances that require it. Why is this unreasonable?

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

basic rule: don't insult the audience (2.00 / 1) (#159)
by nex on Thu Oct 31, 2002 at 02:21:11 AM EST

i fully agree with that comment. some systems are insecure, and if you know that, it's stupid to use them as they are. also, in your article, the explanations of what person A does and of what person B does are quite good. and you surely understand the subject matter quite well and we don't really have to discuss issues like whether information really is like food. but there are two problems with how you presented your precious knowledge: the article has a completely different ring to it than your comment above. for example, in the introduction you stated that we either need more security in "home computers" or that "the great security panic" (which really isn't that great a panic) is just about "a bunch of geeks trying to...". and then you go on to explain that we are safe enough at home and don't need additional security measures. consequently it looks like you think that persons concerned with digital security are "geeky wankers". you also insult people at other points, for example where you call everyone who has a computer which is not perfectly secure and still contains some bits of sensitive data stupid. as if the inner workings of firewalls, trojans etc. were taught in primary school and everyone who purchases something on-line should understand the asymmetric encryption used to transmit his data. to make a long story short: comment is good and reasonable, story sounds different to people who don't know much about digital security yet (the target audience!).

the other problem is that several people found several criticisable points and many of them are valid.

[ Parent ]

-1, bad premise (2.33 / 6) (#73)
by b1t r0t on Wed Oct 30, 2002 at 08:29:12 AM EST

The only people that Palladium intends to make feel secure are the MPAA and RIAA. Everything else is a red herring. So how does your fillet o' herring taste?

-- Indymedia: the fanfiction.net of journalism.
They intend to make grama feel secure, but (2.50 / 2) (#100)
by mingofmongo on Wed Oct 30, 2002 at 03:35:21 PM EST

they only hope to succeed in making Valenti more secure. Don't confuse function with marketing.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

Well yeah, but (4.80 / 10) (#76)
by kitten on Wed Oct 30, 2002 at 09:24:19 AM EST

There's a couple of things I think you're overlooking. First, you're right that individuals are not being targeted; that is to say, no "cyber thief" (I got that from this Norton ad) is saying, "I'm specifically after kitten's credit card number today." What they could be doing is just running port scanners and the like in general to see what machines are around, and then sort of poke about to see what they can find. Certain NetBIOS exploits, if I'm not mistaken, allow this to happen without much trouble on the cracker's part.

Second: You may not have any valuable data, or be a target for DoS attacks and the like, but a poorly secured machine could be easily used to launch said attacks. If X wants to harrass Y, what safer way to do it than by making it look like the attack came from Z's computer? (Where Z is any two-bit schmuck running an unpatched Windows box or whatever.)

On the other hand, you do bring up a lot of good points. People have been giving their credit card number over the phone for years without any major issues, and most people don't think twice about doing so. Yet suggest to that same person that they buy something online, and suddenly it's, "I don't know about giving away my CC number online."

My boss is one of these people. At one point he was absolutely convinced that the problems with our vhosted webspace were caused by a "hacker" who maybe "broke into the system" and was usurping our webhosting account. While something like that is possible, it's extremely unlikely - but that was the first and most rational explanation he could think of.

He's not alone. A lot of people are scared of "hackers" - partially because the media makes such a huge ruckus about it every time some isolated (preventable) incident occurs. The way it's presented, it's easy to see how someone could think there's swaths and legions of hackers and criminals constantly after your personal stuff. Security companies don't make it any better, with their hue and cry of "personal financial information" and "private documents" on your "internet connected PC". (Quite frankly, if a cracker wants these TPS reports, he can have them.)

All this attention to the lurking, cryptic "hacker" trying to break into your computer, diverts attention from real security issues. Basic stuff, like don't open email attachments unless you know what they are. Don't leave ports wide open. Don't assume the MS installed protocols are as they should be - turn shit off if you don't use it. For all the fuss my boss makes about 'hackers' and his precious Norton Personal Firewall, I spent the past two days cleaning an opaserv virus off a machine, which was caused by him. He allows the root directory (c:\) to be fully shared, uses a ridiculously easy and obvious password for everything (the same one over and over, too), and a number of other things that would make you cry. (In case any smartass just got ideas, although I'm using the present tense, this is all past-tense; I've since corrected these and many other issues and secured things.)

My point is that it's not a bad idea to be wary and take precautions, but focus on the real issues. People are paranoid about their credit card numbers and "online theft" yet see nothing wrong with opening every email attachment that comes their way as a "file in order to have your advice".
mirrorshades radio - darkwave, synthpop, industrial, futurepop.
Thank you. That was a great comment. (1.50 / 2) (#132)
by mingofmongo on Wed Oct 30, 2002 at 04:37:50 PM EST


"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

You need to read (3.00 / 2) (#79)
by wiredog on Wed Oct 30, 2002 at 09:47:10 AM EST

The Crypto-Gram.

Earth first! We can strip mine the rest later.
Some of my view came about as a result of (3.00 / 1) (#125)
by mingofmongo on Wed Oct 30, 2002 at 04:26:10 PM EST

conversation with Bruce. He's not all that hip on systems being securable via technology solutions either.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

Why be Thief A (4.77 / 9) (#82)
by Elkor on Wed Oct 30, 2002 at 10:00:11 AM EST

Thief A gets to watch his favorite porn movie while his computer sifts data. Thief B has to stand around in the rain because you decided for a quickie before going to see the movie.

Thief A doesn't care whether you are home or not, because if he can get into your computer you're not likely to notice. Thief B has to make sure you aren't at home. You will notice a strange person(s) wandering around picking stuff up.

Thief A uses a secure connection to the remote machine he hijacked to check on the latest cracking attempt. Thief B has to keep people from identifying his face, vehicle, or license plate.

Thief A has to contend with your firewall and security protocols. Thief B has to contend with your security system that calls the cops, the large dog sleeping in the dining room, and the nosy gun freak who lives next door.

Thief A can wait several weeks or months after obtaining your data before using it and is no more or less likely to get caught. Thief B has less than 48 hours to exchange his stolen goods for cash before the police get descriptions of the items out to pawn shops.

I understand where you are going with the comparison. But there are certain advantages to being a "work at home" thief.

Regards,
Elkor


"I won't tell you how to love God if you don't tell me how to love myself."
-Margo Eve
Awareness (3.50 / 2) (#83)
by killHUP on Wed Oct 30, 2002 at 10:42:11 AM EST

"You will notice a strange person(s) wandering around picking stuff up."

One can only hope ;)   Alternately, if you have proper logging set up, you might just as easily notice a strange remote user wandering through your filesystem picking things up.

...but that's a mighty big if...

--
Kill-HUP.com: Unix and Information Security news and discussion.
[ Parent ]

Just as Easily? (n/t) (3.00 / 1) (#86)
by bodrius on Wed Oct 30, 2002 at 11:43:39 AM EST


Freedom is the freedom to say 2+2=4, everything else follows...
[ Parent ]
Perhaps easier (4.00 / 1) (#168)
by killHUP on Thu Oct 31, 2002 at 10:28:49 AM EST

If you had a big house and weren't in the room in question, how would you notice a thief sneaking in through a window and walking off with something? With strict logging and an IDS, you'd be notified the equivalent of every time someone looked at your house ;)

Of course, then there's the problem of sorting through all that info and drawing lines of what you care to know about and what you don't...

--
Kill-HUP.com: Unix and Information Security news and discussion.
[ Parent ]
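As an added example (written for this page, not code from either commenter), here is the kind of logging check the two comments above describe: noticing a strange remote user from the log, and then drawing the line so the operator is told about the guessing attempt and the login that followed it, but not about a user's own typo. It runs over a few constructed sshd-style lines embedded in the block; the host names, addresses and the allow-listed `known_hosts` default are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample in OpenSSH/syslog style; these lines were written for this
# example and do not come from any real host.
SAMPLE_LOG = """\
Oct 30 04:40:01 home sshd[811]: Accepted publickey for alice from 192.168.1.20 port 50122 ssh2
Oct 30 04:46:10 home sshd[902]: Failed password for invalid user admin from 203.0.113.9 port 4011 ssh2
Oct 30 04:46:12 home sshd[903]: Failed password for invalid user test from 203.0.113.9 port 4012 ssh2
Oct 30 04:46:15 home sshd[904]: Failed password for root from 203.0.113.9 port 4013 ssh2
Oct 30 04:46:18 home sshd[905]: Failed password for alice from 203.0.113.9 port 4014 ssh2
Oct 30 04:46:21 home sshd[906]: Failed password for alice from 203.0.113.9 port 4015 ssh2
Oct 30 04:46:28 home sshd[907]: Accepted password for alice from 203.0.113.9 port 4016 ssh2
Oct 30 09:12:40 home sshd[1201]: Failed password for alice from 192.168.1.20 port 50300 ssh2
Oct 30 09:12:47 home sshd[1202]: Accepted publickey for alice from 192.168.1.20 port 50301 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one sshd auth line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # syslog carries no year
    return ev


def triage(log_text: str, known_hosts=("192.168.1.20",), burst: int = 5,
           window: timedelta = timedelta(seconds=60),
           min_severity: str = "low") -> List[Tuple[str, str]]:
    """Turn raw login events into a short list of (severity, message) alerts.

    medium: `burst` or more failures from one IP inside `window` (someone guessing)
    high:   a success from an IP that was bursting (the guessing worked)
    low:    a success from a host not in `known_hosts` (worth a glance)
    A lone failure followed by a success from a known host is the user's own
    typo and is deliberately not reported; that is the noise the reply above means.
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    bursting = set()
    alerts: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, user = ev["ip"], ev["user"]
        if ev["result"] == "Failed":
            q = failures[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= burst and ip not in bursting:
                bursting.add(ip)
                alerts.append(("medium", f"{len(q)} failed logins from {ip} "
                                         f"within {int(window.total_seconds())}s"))
        elif ip in bursting:
            alerts.append(("high", f"{ev['method']} login for {user} from {ip} after a failure burst"))
        elif ip not in known_hosts:
            alerts.append(("low", f"login for {user} from unfamiliar host {ip}"))
    # drawing the line: keep only what the operator asked to be told about
    floor = SEVERITY_RANK[min_severity]
    return [a for a in alerts if SEVERITY_RANK[a[0]] >= floor]


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_LOG):
        print(f"[{sev}] {msg}")
```

On the sample this yields one medium alert for the burst from 203.0.113.9 and one high alert for the password login that followed it; the 09:12 typo from the known host produces nothing. Raising `burst` past the number of attempts turns the same login into a mere "unfamiliar host" note, which is exactly the trade-off between thresholds and noise the reply above points at.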

You forgot one... (3.00 / 2) (#91)
by EriKZ on Wed Oct 30, 2002 at 01:28:29 PM EST


Thief B sells your stuff for cash or keeps it.

Thief A has data that no one gives a damn about.

[ Parent ]

Thief B gets more, more often, and gets caught less (3.00 / 2) (#123)
by mingofmongo on Wed Oct 30, 2002 at 04:23:29 PM EST


"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

Cite (3.00 / 1) (#146)
by chigaze on Wed Oct 30, 2002 at 05:48:14 PM EST

Can you back this up? Are there any reasonably accurate stats on rates of online crime vs. break-and-enters and capture rates?


-- Stop Global Whining
[ Parent ]
Does he? (3.00 / 1) (#151)
by a life in hell on Wed Oct 30, 2002 at 06:43:41 PM EST

While I agree he gets more, more often, I do beg to differ that he gets caught less.

    - jj

[ Parent ]

unnecessary risks (3.00 / 1) (#160)
by adiffer on Thu Oct 31, 2002 at 02:24:30 AM EST

Thief B risks getting shot dead in many States where juries won't convict for excessive force.

Breaking into houses is probably just a bad analogy though.  That's not where the real money is.  Businesses have much more to steal and more predictable hours for their employees.

-Dream Big.
--Grow Up.
[ Parent ]

Thief A doesn't need to choose a victim (4.66 / 3) (#174)
by p3d0 on Thu Oct 31, 2002 at 12:11:16 PM EST

Thief A can scan a million machines from the comfort of his home, and then attack the ones that are vulnerable.

Imagine if Thief B could sit down at his computer and generate a list of all the unlocked doors in his neighborhood.
--
Patrick Doyle
My comments do not reflect the opinions of my employer.
[ Parent ]

Missing some critical points. (4.50 / 4) (#88)
by Inoshiro on Wed Oct 30, 2002 at 12:42:12 PM EST

You dress up thief A a bit, making his/her job sound hard. Security online has a very large gap: you have people who know what they are doing, and complete morons. Since most systems ship anywhere from moderately insecure to insanely insecure (with the exception of the fantastic OpenBSD project), only the smart people will have secure setups.

For the people of middling knowledge, they will only plug some holes, or will fall out of date with the security updates. Any single hole is as bad as many holes, because both cases allow complete access to data, and both require a complete rebuild. Essentially there is no middle ground in digital security because of this. This means anyone not willing to invest in competent security (and, since they don't know who is/isn't competent very easily, this also includes people who are willing, but choose poorly) is as easy to get into as a house with no locks.



--
[ イノシロ ]
single hole is better than many holes (4.00 / 2) (#92)
by Fon2d2 on Wed Oct 30, 2002 at 01:49:08 PM EST

statistically speaking. You have to factor in the chance of each particular security hole being exploited and then combine that into the probability that your system is compromised, which will be larger than the probability any specific security hole was exploited. Most crimes are crimes of opportunity, including computer crimes, so every little bit that reduces opportunity is a little extra bit of security for your system.

[ Parent ]
Any compromise is a total compromise. (4.00 / 2) (#95)
by Inoshiro on Wed Oct 30, 2002 at 02:48:44 PM EST

The poster seemed to have played this down to show that thief A's job was harder, because they couldn't just bust down a door, or watch from across the street. Thief A has no problem periodically scanning a system from other compromised systems with little to no chance of being discovered.

The internet is a commons, where everyone causes security to be bad or good. Once someone is broken into, chances are they'll be used to break into other systems. Thief A can leverage other crappy security, even in the event of your own fine security, to break in or just cause problems. Only if your security, and everyone else's security, is excellent will this person be forced to resort to thief B means.



--
[ イノシロ ]
[ Parent ]
Did you read my comment? (4.00 / 2) (#113)
by Fon2d2 on Wed Oct 30, 2002 at 04:04:21 PM EST

If thief A is using the resources of a compromised system he is almost certainly using scripts on that system to help find security holes on other systems. A script isn't going to look for every known security hole in every operating system and TCP stack. It's a matter of probability. The extra security you gain by plugging one security hole is directly proportional to the probability that that hole would have been exploited. Your statement that a computer is either secure or not is like saying there is no such thing as computationally secure cryptography. There is always a chance any system could be compromised. Modern operating systems are too complex to be able to do a full mathematical analysis to see whether holes exist. That's why they exist in the first place. Eventually you'll get down to something like a 0.001% chance of being compromised within 5 years. Well, if you're a home user, do you really much care beyond that?

[ Parent ]
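A worked version of the probability argument in the two comments above (Inoshiro's "any single hole is as bad as many holes" and Fon2d2's reply), added here as an example and not part of any poster's comment. The per-hole probabilities and hole names are constructed illustrations, not statistics from the thread.

```python
"""Compromise probability as a function of independent, unpatched holes.

Fon2d2's point: the system is compromised if ANY open hole is exploited, so
P(compromise) = 1 - prod(1 - p_i) over the holes still open. Plugging a hole
removes its factor, and the marginal gain is proportional to that hole's own
exploitation probability. Inoshiro's point that the *impact* is total whichever
hole is used is captured by every hole feeding the same single event.
All probabilities below are constructed illustrations, not measured rates.
"""
from math import prod

# Constructed example: per-year probability that a given open hole is exploited
# by opportunistic scanning. Names are illustrative categories, not real bugs.
HOLES_PER_YEAR = {
    "unpatched network service": 0.30,
    "weak/default admin password": 0.20,
    "exposed file share": 0.10,
    "obscure local privilege bug": 0.01,
}


def compromise_probability(hole_probs, years=1):
    """P(at least one hole exploited) over `years`, assuming independence
    across holes and across years. An empty set of holes gives 0.0."""
    survive_one_year = prod(1.0 - p for p in hole_probs)
    return 1.0 - survive_one_year ** years


def marginal_gain(holes, name, years=1):
    """Drop in compromise probability obtained by plugging one named hole."""
    before = compromise_probability(holes.values(), years)
    remaining = [p for n, p in holes.items() if n != name]
    after = compromise_probability(remaining, years)
    return before - after


def patch_order(holes, years=1):
    """Holes ranked by how much each would reduce risk if plugged now
    (greedy: the ranking is recomputed after each removal)."""
    remaining = dict(holes)
    order = []
    while remaining:
        best = max(remaining, key=lambda n: marginal_gain(remaining, n, years))
        order.append(best)
        del remaining[best]
    return order


if __name__ == "__main__":
    p_all = compromise_probability(HOLES_PER_YEAR.values(), years=5)
    print(f"all holes open, 5 years: {p_all:.4f}")
    for name in HOLES_PER_YEAR:
        gain = marginal_gain(HOLES_PER_YEAR, name, years=5)
        print(f"  plug {name!r}: -{gain:.4f}")
    print("greedy patch order:", patch_order(HOLES_PER_YEAR, years=5))
    # With everything but the obscure bug plugged, residual risk is small but
    # not zero, which is the "there is always a chance" point.
    print(f"only obscure bug left, 5 years: {compromise_probability([0.01], 5):.5f}")
```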
So it's steel bank vault doors or nothing? (3.50 / 2) (#116)
by mingofmongo on Wed Oct 30, 2002 at 04:10:41 PM EST

Total security (which is impossible by the way) or none? How about simply not storing important data in insecure places. How about determining an appropriate level of security and applying that? Why must every email I write be secure? Why must a machine that is used to play videogames, and type up cooking recipes be guarded like Fort Knox? Why is everyone so worried about DOS attacks? The fad has pretty much passed, and there is no security measure that can stop it anyway.

The problem is that people are expecting an inherently insecure medium to be completely secure all the time. People are foolish to rely on the security and consistency of the internet, and I don't think this foolishness should be supported.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

Impossible is a strong word (4.00 / 1) (#142)
by Spendocrat on Wed Oct 30, 2002 at 05:14:24 PM EST

Encrypt with a one-time pad; destroy the key.

It's not useful, but it's certainly not impossible.

[ Parent ]

As you say, impossible is a strong word, (4.00 / 2) (#150)
by mingofmongo on Wed Oct 30, 2002 at 06:12:48 PM EST

even when applied to cracking one-time-pads.

Given an extremely short message, a good code, and no known information about the sender, the message or the circumstances, complete trust in all parties and the proper implementation of the scheme, the possibility of cracking one-time-pad schemes drops nearly to zero. But this is not always, or even often the case.

A pad can be compromised. It can be used improperly, especially on long messages. The data must be plain at some time, hopefully before and after encryption-transmission-decryption, and is open to compromise at those points. People can be bribed, keys may not be random enough. People can be bribed...

You can try as much as you feel you should to secure things that need securing, but you will not hit 100% effectiveness.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

What are you talking about? (4.00 / 1) (#166)
by El Volio on Thu Oct 31, 2002 at 08:06:39 AM EST

"Why is everyone so worried about DOS attacks? The fad has pretty much passed, and there is no security measure that can stop it anyway."
You have no idea. DoS attacks happen every day, they just don't make the news anymore except for big ones like, say, the (only partially successful) attack on the root DNS servers. And if you think they can't be stopped, then you are way behind the times. Depending on the type of attack, it may not be easy, but 90% of the attacks can be stopped by a sufficiently savvy staff.

You reach a decent conclusion (security must be balanced against acceptable risk) but you get there accidentally, because your reasoning is so flawed I don't know where to start.

[ Parent ]

Slight nit. (4.50 / 2) (#118)
by pwhysall on Wed Oct 30, 2002 at 04:14:17 PM EST

Most security breaches come not from exploits of poorly written code, but rather from people pulling silly stunts like not changing the "sa" user's password on SQL Server and then neglecting to firewall the thing off.

IOW, OBSD can only save you from other people's stupidity, and not your own :-)
--
Peter
K5 Editors
I'm going to wager that the story keeps getting dumped because it is a steaming pile of badly formatted fool-meme.
CheeseBurgerBrown
[ Parent ]

How to fool Criminal B. (2.50 / 2) (#93)
by bigbtommy on Wed Oct 30, 2002 at 01:56:42 PM EST

Buy a laptop and take it everywhere. Then even when your house is empty, he won't be able to steal your data.
-- bbCity.co.uk - When I see kids, I speed up
Response: (3.00 / 1) (#96)
by JChen on Wed Oct 30, 2002 at 02:53:19 PM EST

Get mugged.

Let us do as we say.
[ Parent ]
Response: (none / 0) (#191)
by vrai on Mon Nov 04, 2002 at 06:28:36 AM EST

Carry a gun* as well as your laptop.

* - Or some non-lethal alternative if you like, but nothing deters muggers more than being shot in the face with a 9mm semi-automatic.

[ Parent ]

Security thou cravest? (3.66 / 9) (#99)
by The Mouth of Sauron on Wed Oct 30, 2002 at 03:35:11 PM EST

Thou shalt have none, if thou persisteth in using UNIXes, even thy beloved OpenBSD. Thy mansions and domains shall be open to infiltration and attack by thy enemy unless thou usest a truly secure Operating System.

Hast thou considered VMS, the one OS worthy of Mordor? Or Plan 9, with its excellent system of Rings within its kernel and userspace? Either of these choices, or even such arcana as OS/390 or MVS would protect thee and thine better than a toy like UNIX!

Harken unto my words, lest thy installations be rent by raiding spies!
------
I am the Mouth of Sauron.

Plan 9 is unix, VMS is the source of NT's net code (3.00 / 1) (#103)
by mingofmongo on Wed Oct 30, 2002 at 03:43:19 PM EST

so much for security.

I do have a soft spot in my heart for VMS in a nostalgic sort of way. I also have a Timex/Sinclair and an Atari 2600.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

Thou art not entirely correct. (4.00 / 2) (#105)
by The Mouth of Sauron on Wed Oct 30, 2002 at 03:48:19 PM EST

Plan 9 taketh many ideas from UNIX, but it improveth upon them. Windows NT, although based upon ideas found in VMS, is not a direct descendant of VMS. Certainly the power of the command line interface of VMS is lacking in Windows NT.
------
I am the Mouth of Sauron.
[ Parent ]
I'm not saying they didn't muck it up, (3.00 / 1) (#107)
by mingofmongo on Wed Oct 30, 2002 at 03:52:30 PM EST

but there's enough VMS code in there that some of the comments got transplanted intact.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

Ackshully. (4.50 / 2) (#114)
by pwhysall on Wed Oct 30, 2002 at 04:06:24 PM EST

The TCP/IP stack in NT is taken from BSD UNIX.
--
Peter
K5 Editors
I'm going to wager that the story keeps getting dumped because it is a steaming pile of badly formatted fool-meme.
CheeseBurgerBrown
[ Parent ]
some of it. But mostly VMS (3.00 / 1) (#117)
by mingofmongo on Wed Oct 30, 2002 at 04:12:49 PM EST


"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

No, none. (4.00 / 2) (#119)
by pwhysall on Wed Oct 30, 2002 at 04:15:05 PM EST

Sorry :\

I admin VMS for a living. The network code on VMS and NT is like night and day.

After all, there isn't a whole heap of DECNet in NT, is there?
--
Peter
K5 Editors
I'm going to wager that the story keeps getting dumped because it is a steaming pile of badly formatted fool-meme.
CheeseBurgerBrown
[ Parent ]

That mayeth be for the best. (3.00 / 3) (#120)
by The Mouth of Sauron on Wed Oct 30, 2002 at 04:19:15 PM EST

Would thou wantest NT not to be able to speak to any other computer without much toil and travail?
------
I am the Mouth of Sauron.
[ Parent ]
Aye :-) (4.50 / 2) (#124)
by pwhysall on Wed Oct 30, 2002 at 04:24:56 PM EST

The TCP/IP stack in VMS was (and still is) a separate product. At the time NT was being developed and, indeed, up until VMS 7.3, it was called "UCX", standing for Ultrix Connection. Ultrix, for those not in the know, was DEC's proprietary UNIX implementation, way back when.

DECNet is a much richer network protocol than TCP/IP, but is of course completely proprietary - so non-VMS implementations of it are vanishingly rare.

One of the things that did for DECNet (IMHO) was the mindboggling complexity of DECNet Phase V, which, when married to DECNet-Plus, became a horrendous (if somewhat uberpowerful) monstrosity to administer.

To drag myself back to the point at hand - if NT's network stack was based on any VMS code, it'd look a whole lot different :-)
--
Peter
K5 Editors
I'm going to wager that the story keeps getting dumped because it is a steaming pile of badly formatted fool-meme.
CheeseBurgerBrown
[ Parent ]

DECnet (4.50 / 2) (#128)
by The Mouth of Sauron on Wed Oct 30, 2002 at 04:30:28 PM EST

I seem to recall there is support for DECnet within the Linux kernel. I have no Linux box on hand for me to check, and the VAXen of Mordor are all in the slave pits of Nurnen. None resideth within my tower, so I have never tested if it works.

I do not recall if SlaveBSD has DECnet support, either.
------
I am the Mouth of Sauron.
[ Parent ]

Indeed there is. (4.50 / 2) (#130)
by pwhysall on Wed Oct 30, 2002 at 04:34:18 PM EST

However, it's end-node, and only supports DECNet Phase IV.

Still, quite an achievement.

LAT (Local Area Transport) is also available.

Eeeenteresting.

--
Peter
K5 Editors
I'm going to wager that the story keeps getting dumped because it is a steaming pile of badly formatted fool-meme.
CheeseBurgerBrown
[ Parent ]

Wasn't that (4.50 / 2) (#169)
by CaptainZapp on Thu Oct 31, 2002 at 10:43:40 AM EST

"LAT (Local Area Transport) is also available."

DECs best guarded secret?

I recall that the VMS source code was available for a hefty fee. I actually saw the box with microfiches containing the sources at a place I worked in the late '80s.

Later, when I was a DECie myself, the legend went that the LAT sources were never, ever released and were considered somewhat the corporate crown jewels.

Ah nostalgia: The company that was technically 15 years ahead of any competition, but couldn't sell their way out of a wet paper bag.1)

1) One might argue that they sold a hellova lot of products and services in the 80s, 90s. The thing was that DEC had a virtual monopoly on minis, the best engineering in the business and products that essentially sold themselves. Add to that a fiercely loyal user base...

[ Parent ]

Addishunally. (4.50 / 2) (#115)
by pwhysall on Wed Oct 30, 2002 at 04:10:36 PM EST

NT is only architecturally similar to VMS, due to the fact that MS hired Dave Cutler - DEC's chief architect feller - to head up the NT team. There is no VMS code in Windows NT.
--
Peter
K5 Editors
I'm going to wager that the story keeps getting dumped because it is a steaming pile of badly formatted fool-meme.
CheeseBurgerBrown
[ Parent ]
This from the admin... (2.00 / 3) (#165)
by ShadowNode on Thu Oct 31, 2002 at 07:14:04 AM EST

Who was penetrated by a couple of bumbling script hobbits?

[ Parent ]
Plan 9 (3.00 / 1) (#178)
by porkchop_d_clown on Thu Oct 31, 2002 at 04:02:04 PM EST

I'd love to play with Plan 9. But there's no way on heaven or earth I'm gonna pay several hundred dollars for the chance to try to compile it.

I'm still amazed that AT&T failed to learn from their mistakes and successes with UNIX and insisted on making it expensive for people to play with Plan 9 and Inferno.


--
Once one sock is sucked, the other sock will remain forever unsucked.


[ Parent ]

End User vs. Backend Security (4.00 / 2) (#111)
by shftleft on Wed Oct 30, 2002 at 03:59:15 PM EST

You bring up some good points about the misgivings of end users and the hysteria that comes along with the words "virus" and "hackers" throughout their universe. You're right, most hackers don't give a damn about joe user's desktop and whether or not he uses his credit card online, but the security threat to backend systems and servers is real. Some people that administer these servers are not as proficient as we would like them to be at keeping this critical information secure, which is the main reason why worms like Code Red and Nimda and the Apache SSL worm get front page news. There are admins out there that need to have their "hands held" so a database full of user information isn't compromised and posted on the web. You can't blame a user for a hole in IIS that allows remote root access to the machine, it's not fair. I agree that there needs to be a balance between automating security and keeping informed as a user, but vendors should be held much more responsible for building secure systems, especially when said software comes with a hefty license cost.

Why you are wrong.... (3.50 / 2) (#141)
by grent246 on Wed Oct 30, 2002 at 05:12:11 PM EST

The thesis of the article appears to be that computer security is only about protecting home users' credit card numbers.

The internet is a commons and the performance and viability of the Internet is affected by every host on it. Already home users on broadband running unpatched consumer operating systems are too often compromised by one of the many worms soon after arriving on the net. With email clients that run arbitrary code without prompting and the herculean task of staying up to date with patches, computer security is a much harder concept to get across than locking your doors and not eating food off the street.

To use the credit card theft example though (even though there are more important security issues), the encryption end to end is irrelevant if the host is insecure. Getting a keylogger installed on the average home PC isn't that hard. Even without exploiting a buffer overflow or other security flaw, just emailing a "cool screen saver" will probably get the code running and sending back the contents of those online credit card forms.

More and more "average users" are also doing banking and share trading online where the stakes are considerably higher than an unauthorised credit charge.

Your stance against Palladium at the end, I agree with but not for the reasons of your article. There are many, many better written articles speaking out against Palladium at any decent security news site.



The point of the article is... (2.00 / 2) (#144)
by mingofmongo on Wed Oct 30, 2002 at 05:19:11 PM EST

clearly about the part of computer security that touches home users.

Thank you, drive through.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion
[ Parent ]

Security is more than Money (4.33 / 3) (#157)
by nomoreh1b on Wed Oct 30, 2002 at 08:17:49 PM EST

The big thing to get here is a lot of what is being stolen isn't necessarily monetary. One investigator I know was able, using completely legal means, to completely trash a candidate for state legislature.

A gang that is active in banks for example has access to a lot of valuable information - the sort of stuff that enables them to figure out which prominent political figures have kids with substance problems - or sexual habits that might be used to blackmail the politician (assuming the politician is clean themselves). The essence of security at any bank is protecting the assets of that bank. However, the bank's computing assets can be used to commit acts of fraud at other banks or acts of extortion against the bank's customers - there is much less security in place to prevent this sort of thing.

It's not just $50 (3.50 / 2) (#176)
by deadplant on Thu Oct 31, 2002 at 02:17:49 PM EST

It is foolish to think that a stolen credit card only costs $50.
You only get charged $50 because the rest is INSURED. That means that you pay for it in installments every time you use your card whether it's ever been stolen or not.

Credit card fraud is in the billions of dollars every year! This money does not come from nowhere, it is covered by the transaction charges your retailer pays. (Visa = 1.5%, Amex = 3.5%; it varies)
This means higher prices for me even though I don't use these ridiculously insecure wasteful credit card things.

I wish everybody would stop using credit cards.  I am not interested in paying for your bad decisions!

-ross

Yeah... (2.00 / 1) (#181)
by LukeyBoy on Thu Oct 31, 2002 at 06:23:17 PM EST

Fuck us! It's the corporations we should feel bad about... Please. Somehow I doubt that I'll shed any tears over percentage points that the retailer must pay - or the lost transaction charges companies like Visa or Amex will lose.

Yeah we really do need more laws protecting companies as opposed to people; note the sarcasm.

[ Parent ]

You should care (4.00 / 2) (#183)
by damiam on Thu Oct 31, 2002 at 07:10:01 PM EST

Whatever the retailer pays is passed on to you.

[ Parent ]
oh dear (none / 0) (#189)
by deadplant on Sat Nov 02, 2002 at 05:30:34 PM EST

don't you realize that all the retailer's costs make up part of the price you pay? YOU are personally paying insurance fees for the privilege of using a totally insecure credit card. Just because it doesn't show up on your bill doesn't mean it isn't there.

[ Parent ]
Screw that (2.00 / 1) (#182)
by nsgnfcnt1 on Thu Oct 31, 2002 at 06:42:44 PM EST

I long for the day when I don't have to carry any cash in my wallet and I can just pay for everything by card + PIN/fingerprint/retina scan/security-measure-du-jour. Hell, while you're at it why not just get rid of your money and keep your wealth in a large gold chunk in the basement. You can shave some off when you need to barter for things.

[ Parent ]
True Story (4.00 / 4) (#177)
by porkchop_d_clown on Thu Oct 31, 2002 at 03:59:02 PM EST

Just this week, someone managed to get my eBay password and tried to run a scam where they put up bogus auctions with me as the only bidder.

I think I was saved by one thing only - the credit card I had filed with Bill Point had expired earlier this year, and I forgot to update them with the new info.

After spending a day changing passwords and arguing with eBay's "support system" I'm suddenly much more interested in security.


--
Once one sock is sucked, the other sock will remain forever unsucked.


Reality check! (4.33 / 3) (#179)
by Nexus7 on Thu Oct 31, 2002 at 05:18:17 PM EST

Witness how every politician (with the exception of a handful such as Al Gore), talking head, sitcom writer, newsperson, etc. will mock the internet as a source of serious news, collaboration, etc. They'll talk about online transactions as poor stand-ins for the brick-and-mortar experience.

At the same time, they advocate overly harsh punishment for laughable "computer", "hacking", "internet" and the like crimes. How can you perform serious crimes in a play medium?

The common thread is that they don't understand, as most people on k5 would, the continuum of media for information flow and transactions, and the domains of applicability of each, from brick-and-mortar banks and shops to ATM networks, to isolated networks, to the internet. As long as the average klutz is happy watching "raymond something" instead of, oh say, eff.org, we shouldn't be surprised at the disconnect.

This is simply a... (1.50 / 4) (#180)
by faustus on Thu Oct 31, 2002 at 06:06:07 PM EST

...veiled defense of the illegal atrocities perpetrated by computer hackers, who profit from stealing passwords to online pornography sites and pirating music and software.

Hackers want loose systems because they are easier to break into and destroy. Hackers are also afraid of democratic systems like Palladium because it will limit their ability to walk all over the copyrights that defend music and software companies' products. The bottom line is that better security is detrimental to a hacker's livelihood, who make money from their illegal activities, by stealing credit cards, selling cracked FTP sites, and pirating software and music for sale on street corners.

Any system that prevents hackers from eroding the rights of law abiding citizens and multinational corporations gets a thumbs up from me. This article is a defense of thieves.

That's another area (none / 0) (#188)
by pakje on Sat Nov 02, 2002 at 06:55:11 AM EST

This story is about making a fortress of your home computer while the risk is more at public areas. It's good that shopping malls, train stations and city centres have cameras, guards and advanced security systems, because those are the places where criminals make effort if cracked. If you live in a large house and are often vulnerable, you might want an alarm system (software firewall), gate (hardware one) and maybe even hire a guard agency. But for most houses just a door lock and no open windows (hehe) will be enough (i.e. no webservers or vulnerabilities).

[ Parent ]
Crook A can automate... (none / 0) (#186)
by BushidoCoder on Fri Nov 01, 2002 at 06:09:19 PM EST

... his processes and hit up 1000s of "houses" at the same time. Crook B still has to sit in that van and wait for you to leave.

To not make online credit transactions safe for everyone, including the "pc idiots", is irresponsible. We cannot reasonably assume that each and every computer user is going to understand the technology he or she is working with, just as we cannot assume that every person who enjoys the luxury of air travel has a deep understanding of Bernoulli's Principle. To advertise to everyone in the world, "Buy things online, it's safe and cheap", but then to have that safety hidden behind a learning curve that is too steep for most people in the country is like advertising that cigarettes are mostly safe and hiding all the lung cancer related data from people until they've finished their first year of Med School. Most people who do not understand how to use a computer and are at the most risk for this type of fraud could happily return to a pre-computer society, and only use a computer because it's the new social norm. My Mom needs help turning the damn box on, but she only has it because my brother and I have forced her to use it to email us. I think she is entitled to some level of "idiot-proof" protection.

I have a right to leave all my money on the street (none / 0) (#187)
by mingofmongo on Fri Nov 01, 2002 at 08:34:31 PM EST

and not have it stolen. Yet if I were to make a pile in the street of all my money, and leave it unguarded, I can't expect it to be there when I returned. This is an outrage!!!

I pay taxes for policemen to make sure that my money, when left in the street, will not be stolen. I am absolutely stunned to find that the street is an insecure place to store my money. I demand that security cameras be installed in all streets to watch my money, wherever I may lay it in the street, and armed guards should watch over any piles of money lying in the street.

It has been suggested that leaving my money in the street like that is inherently insecure, but I find it irresponsible that people would take this attitude. That is tantamount to aiding the theft of money that is left in the street. People who say that I shouldn't leave my money in the street should be locked up.

How could anyone be so irresponsible as to suggest that I put valuable things in a locked area, and use the street for walking and driving? That's crazy. I demand that money left in the street be safe!! Why should I stop leaving my money in the street, just because someone might take it?

Luckily, there are people who will sell me my own security cameras to use to watch my pile of cash. Some people will, for a small fee, guard my pile of money for me. Others will build a small lockable container right there in the street to protect my pile of money. It is sad that we have to go to these extremes to stop unscrupulous people from picking up stuff that is left lying around in the street, but we must do it if we want to be able to leave our crap lying around in plain view of the world... It is our duty.

"What they don't seem to get is that the key to living the good life is to avoid that brass ring like the fucking plague."
--The Onion

Well, (none / 0) (#192)
by dirvish on Mon Nov 04, 2002 at 08:21:55 PM EST

of course it is a bunch of geeks trying to make a profit. The real question is: Can we possibly worry too much about security? I don't see how we can. The more effort we put into security the more secure our info will be. This has to be a broad approach, covering physical exchanges and networks. There is no good reason why it shouldn't be a continuing effort, no matter who profits from it.

Technical Certification Blog, Anti Spam Blog
The Great Security Panic | 192 comments (119 topical, 73 editorial, 0 hidden)