The government needs to do more to protect ordinary users from cybercrime and safeguard the growth of e-commerce, according to a report from the House of Lords' Science and Technology Committee. Peers argue that a "laissez-faire" attitude to internet security by a range of interested parties including government, ISPs, hardware …
Excuse for more government control?
Am I using a different internet?!
Or are they just sexing-up the dangers?
Um, effectively what they are asking for is a world policeman, seeing as the net doesn't exactly respect global country boundaries
IP Packet: "Nope, can't go that way, I'm not allowed to go into [insert country name]".
The general public doesn't have a clue how to even come close to 'policing the web', besides, who wants to take responsibility for it all... all the pr0n and more besides!
You can't legislate against stupidity...
Seriously... so now when Joe Public gets an email from 'BarclayCard', clicks the embedded link, and types in his name, address, DOB, card number, start/end date, CVV, NI number, password, mother's maiden, etc. and then gets sh@fted by the bad guys...
Barclaycard, Pipex, BT, Microsoft and Symantec are all going to hand over cash to compensate Joe for his loss?
I seriously doubt it somehow...
Start with the ISP
In the case of phishing sites, surely the first defence should be that the ISP running the phishing site has a 24 hours per day instant take-down obligation, so that the moment one user detects a scam the ISP verifies it and prevents anybody else from being caught by it.
Of course, that requires international enforcement of that obligation, and maybe one or two nations will fail to pass the necessary legislation -- so it has to be backed up by a further procedure where cooperative ISPs mutually block access to detected phishing pages of uncooperative ISPs.
There is no such thing as a "cybercriminal" - just plain old regular criminals. People who steal cars aren't "autocriminals", and drug dealers aren't "pharmacriminals". Actually, the whole "cyberspace" usage is rubbish. It stems from William Gibson's novels, written in the 1980s, which have nothing to do with the Internet. If people mean to talk about the Internet, or the Web, they should do so.
Nevertheless, the report comes to a sensible conclusion: that banks and other organizations (including government, IMO) should bear most of the responsibility for preventing criminals from carrying out fraudulent transactions. Just as they already do in all other circumstances.
Wild wild west?
I like the idea of telling my grandchildren that I was a cowboy in the days of the Wild Internet. I can see their eyes as wide as saucers as I describe how I "used common sense and installed a firewall and stopped clicking on links in emails". Oh wait, my grandchildren aren't going to be retarded and so that's not going to impress them. *sigh*.
Quite how the Brits hope to wrestle control from the Americans would be an interesting story. The Brits haven't been very assertive in dealing with the Americans in the past and I can't imagine how a sternly worded letter to the Times will convince the Americans to release this strategic asset.
And for anybody who is brown (or Muslim) having Americans or British Lords governing the internet cannot be a good thing. Why would the rest of the world support continued Anglo-American hegemony? What's in it for us?
Just where is the Line?
I made my choice of ISP partly because they don't block anything. I trust myself to be able to put systems in place to control that sort of thing and I have the freedom to do what I want without a nanny telling me I can't. As such I take responsibility for what might happen if I get it wrong.
However, I can quite see (from the spam volume and the firewall log) that I am in the minority and that there are a lot of people out there who have let something nasty hit their machines, resulting in said machines joining the zombie army attacking the rest of us.
If you're going to have an internet sheriff then he needs to have the power to take firewall and spam filter logs donated by people and then force ISPs to block offending machines/networks from the greater internet until a clean bill of health is awarded. The sheriff doesn't even need to know the identity of the machine owner, his job is merely to provide the IP address and timestamp to the ISP to identify and handle themselves.
I'm sure that if one could remove all the zombie machines from the internet, the volume of spam and scam would drop dramatically as we'd be back to the old days of a few obvious machines that could be closed down quickly if they started spamming.
Of course, the amount of money this would cost ISPs means it won't happen - not only would they have to pay for the admin, but the more clueless customers would take offence and switch ISP (not necessarily a bad thing to get rid of the idiots in your customer base) which would result in less revenue going forward. You'd also have the problem of managing it on a world scale, given that some ISPs wouldn't play ball.
I have a lock on my front door, and I keep the key safe.
I have a Firewall/AV on my computer, and my passwords are safe.
I don't see policemen at the entrance to my town vetting everyone that comes through for malicious intent. The security of my house is my own responsibility. As is the security of my computer. If my house gets robbed or burned down, I have insurance... Maybe I should insure my computer against vandals too..
Computer insurance... I think I'm onto something here!
To be fair, I think there should be minimum requirements for using the net, just like driving a car. Keep stupid people off the net and all will be fine. Police that.
Like Nev said...
.. this is just an excuse for more government control. The laws will be next to useless and near impossible to enforce even in the UK. However you can never have too many laws as they can be very useful if you think like Cardinal Richelieu:
"If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged."
How naive can they be?
So, do the people producing these wonderful ideas actually have some sort of understanding of how the technology works? I guess not. So some criminal type in Afgulistan hijacks a Web site owned from the U.K. but sited in Holland and uses it to phish and the U.K. police are going to close the site, so what happens when the legitimate U.K. owner wants to get access to put his web site back? A nice 'Site blocked' message?
Hey, if you go to the BBC web and read their on line safety stuff, they got attacked by a 'bot p.c. from a Thai hospital, shut them down! Who cares about some sick Thai people? Who cares that it isn't the people in the hospital doing the scamming?
Would I lose my e-mail (that I pay for) if someone else used the address as a return address for a spam, even if the e-mail did not originate from my machines? I get batches of these spoofed mail returns, I can see that they do not originate from my machines or e-mail connection or even from the U.K. but the 'Reply to' email field has <garbage> @ my email address in it, so that bounced emails don't get sent back to the spammer that sent them. Can I sue the companies bouncing these e-mails for harassment?
Follow the money.
+ instead of either acting itself or providing incentives for the private sector
+ the government insists that users are ultimately responsible for their own security
...but apparently not *liable* for their failures. If someone runs an open SMTP relay, or fails to install patches or does not have an adequate firewall they will become the unwitting accomplices of the black-hats. While establishing a basic standard of culpability is nearly impossible (although IIRC the London Stock Exchange require listed companies to demonstrate compliance with at least part of BS7799) without accountability in such cases there is little hope of decreasing the amount of abuse and the authorities have little opportunity to track back to the origin of the problem.
It is not simply a problem of jurisdiction which prevents states from implementing effective controls - the biggest barrier is that the problem has already got totally out of control.
I'd like to believe that the newer generation will pressure service providers to provide good and effective security which works both ways (other than its SSL certificate - how does your bank/betting site/ISP... demonstrate that it truly is the organisation you have chosen to place your trust in?) but am far from impressed by the quality nor the independence of IT education in schools.
+ In the case of phishing sites, surely the first defence should be that the ISP
+ running the phishing site has a 24 hours per day instant take-down
Please! This would open the flood gates to a whole new denial of service vector - one which is already being exploited, but fortunately only in a few cases. I can see this would be attractive to the state because it moves the problem out of their domain into that of private litigation. This would automatically favour those who would abuse the system and disadvantages the ISP, the site owner and the end user.
I don't have the answer to these problems (unless it's to install Linux!). Certainly as far as the vendor is concerned it seems to demonstrate how a market for lemons evolves and the problems inherent in monopolies.
So if you get a scam letter via the post, can you then look to the post office for compensation for the loss due to your greed, erm stupidity.
How about education, not legislation?
How about making it part of the national curriculum that people be taught about roughly how the internet works? Adverts about 419 scams could be effective -- and funny if they also show 419-eater type situations happening to the perpetrators because the user was clever.
We've already got those pathetic "knock off Norman" pro-pigopolist adverts -- how about some useful adverts protecting the public instead? "Phishing Phyllis", perhaps?
We Need A Sheriff
We all know it is quite difficult to do what they are asking but it certainly isn't impossible and not everyone is computer or internet savvy. Without just such controls the internet is doomed to be far less useful than it might otherwise be. I see a "can't do" attitude on some of these comments and an awful smell of "I'm alright Jack". If that means the net breaks into several parts for a few years that is fine, the stronger parts will survive and the other parts will collapse precisely because they didn't address these problems. Surely if troublesome sites are picked up they can be spammed out of existence even if they are in a troublesome jurisdiction like China or Pakistan.
The government doesn't want a secure, privacy-enhancing, anonymous-protecting internet because it would prevent them collecting taxes.
Eliminate half of all Internet scams in one simple step
Outlaw Microsoft products. Seriously; half the scams perpetrated today depend on the vulnerabilities built into MS products in order to propagate, and to collect users' data.
Once you've eliminated Microsoft, you can let the bobbies loose on the less-lazy criminals.
Re: Only ISPs?
neil, I think I'll sue AT&T for all the money I've lost on pump&dump scams forwarded to me via fax. Of course I have enough health insurance to cover me for any disease out there and I have $99 vacations planned through 2150.
Linux isn't the answer
as Colin McKinnon suggested. It's only more secure because it's a minority OS. If we all switched from Windows to Linux hackers and virus writers would switch focus as well and everyone would be switching back to the, apparently, more secure Windows. At least part of the answer could be to mandate that Windows users *must* run a firewall, antivirus/anti mal-ware software and always be patched up to date.
ISPs could enforce that incentivised by a reduced rate/insurance. Again you run against this being a global problem. Alternatively, get MS to force a firewall, antivirus etc on users. Make it easy to switch but difficult/impossible to completely remove. Eventually, with OS upgrades, that could solve the problem at the expense of competent computer users being upset/annoyed.
Wild West Internet Sheriff
I think all ISPs should be required to give you the option of blocking all email that either does not have a verifiable return address or has a from address which is just a bunch of scrambled letters like: xc7RtyIO2fR56Zx or something like this which is obviously just a stupid computer generated ID. Your ISP should also block certain kinds of files or give you the option to block them. Your ISP should also be required by law to give you the option to filter your input for your children. They could actually make money off of this by charging a small fee every month for children filters.
The ISP has the ability to block and filter a lot of this junk E-mail and viruses, and executable files from getting to your PC to begin with. If the consumer is paying for a service, they should at least have the option of getting a service without all the viruses and junk mail that obviously is not from a verifiable legitimate business. I think I have seen enough adverts for Penis Enlargement and Viagra to be a giant oversexed gorilla. We should be able to block some of this junk.
I have an idea, maybe you should send every one of these stupid Emails to your Department of Justice. After a few billion forwarded E-mails maybe they will get the idea.
I also think no one should be able to send E-mail without a verifiable Post Office ID or some kind of Security Code.
By Tom Chiverton
Posted Friday 10th August 2007 15:14 GMT
"The government doesn't want a secure, privacy-enhancing, anonymous-protecting Internet because it would prevent them collecting taxes"
In what way does a secure, privacy enhancing, anonymous Internet stop the/any government collecting taxes?
"It's only more secure because it's a minority OS" - Jonathan Lane
No, no, NO, Jonathan. Read up on the issue before you post. Apart from the fact that, to be technically correct, there are no Linux viruses, and never can be, only trojans (that can only affect the user, not the OS itself - unless the user is stupid enough to be running as root) and vulnerabilities (e.g. buffer overflows and other exploits).
No-one ever claimed a single penny of the thousands of pounds offered by Eddie Bleasedale (NetProject Ltd) to anyone who could infect a properly-configured Linux machine with a virus - in fact, to the best of my knowledge, no-one ever tried!
And I'm always astonished at the stupidity of Windows users who read about Linux tools such as ClamAV (for removing Windows viruses from e-mail passing through a Linux server) and think that "anti-virus package for Linux" means that Linux viruses exist!!!
All internet connections come with a quick install sheet as follows:
1) Your bank (online or otherwise) will never ask you for your account details
2) You do not have any rich and recently deceased relatives you have never heard of
3) Even if Microsoft / Yahoo / <large corporation of choice> *do* run a lottery, you have not won it - especially as you didn't enter it in the first place
Now, in order to install your internet connection...
The dangers of education
Not all people can be educated, some of them are just plain dumb or ignorant or lazy, etc.
Even if we could somehow manage to turn out a generation of smart people, it would ruin our economy. Most "legitimate" corporations depend on uneducated consumers. The current business model: "produce cheap goods in China, spend some money on marketing" would not work very well without the uneducated masses.
I would shift the focus from defense to offense. Public hangings of spammers and malicious hackers may work as a deterrent, but if not it would still be very entertaining to watch.
Seriously, as long as big companies like eBay insist on sending out emails full of clickable links, they are part of the problem. A plain text email would do fine, all users know how to log in to their accounts, the links serve no real purpose, and are very easily imitated by phishers.
Another problem is free email. As long as it's free, it will be abused. Once someone invents a secure way to put one cent "stamps" on emails and the big players like Yahoo, AOL and MSN agree on using it, very few spammers will be able to afford sending out billions of emails. At least it would encourage some targeting, and a real removal system.
"Once someone invents a secure way to put one cent "stamps" on emails and the big players like Yahoo, AOL and MSN agree on using it, very few spammers will be able to afford sending out billions of emails. At least it would encourage some targeting, and a real removal system."
Do you think that's going to take off? Who would agree to that?
Neither the Theory or Reality is suitable
The problem is, the internet was built with this exact intent in mind - to stop any form of disruption by having so many vast networks and routes that it couldn't be destroyed or stopped. If all out Nuclear warfare can leave it intact (satellites in orbit), then I doubt even Britain's bureaucrats have a chance of seizing it up.
Not that the idea is either smart or fair either. They're planning to get the least internet savvy people (aside from politicians themselves) to 'protect' and police the internet of the entire world, despite them not honestly having either a clue or a responsibility (despite their claims to the contrary) on doing so. If I am a business, I have to police the internet. What stops me from doing a bad job, if any? Why should I pay (as the company) for the mistakes of others?
Even if this was a good, well-thought of (how unlikely) plan, I wouldn't support it, even if it deals with crime. If they figure out how to restrict crime, then they'll have a method to restrict other things (say, freedom of speech) or use it to generate financial income (which is always tempting to a government), which defeats the purpose of the Internet. This deals a crippling blow to everyone who uses it, as it means the Internet is no longer safe from red tape and freedom to do practically (I still don't support crime mind) anything with it.
I'll hold up my hands, I used my old PC without firewall when I first got broadband, but that was because I was unfamiliar with the Internet as a whole (obviously). I was under the mistaken assumption my computer was safe as is. I didn't figure at the time additional software had to be added to make up for the pitfalls of Microsoft. Had I been told when I started what I learnt over the years of using it, I would have scrambled for the nearest firewall software and anti-virus software kit.
I now, as an old-hand of the Internet (on a relatively new PC), sit behind a modifiable dual-firewall (you heard right) system with active anti-virus software and, failing those pieces of kit, have several backups of off-line lower-key security kits standing by. Even since then Microsoft has improved, but I still don't trust their incredibly shoddy software.
What we should do...
1) E-mail filters need to be better designed. If the E-mail companies want, I can tinker with their code and make it better (for free).
2) An E-Code system should be set up, where in order to send attachments, the sender has to have your E-Code. This code can always be changed, although to ensure there are no mix-ups, the first section of the code will be based on your E-mail address.
3) Better security supplied by Microsoft, or at least, free security software supplied with PCs. Don't mind which so long as they do the job.
4) All ISPs to supply a training manual that informs and warns the user of the dangers of the Internet and how to stay safe. Preferably with instructions on how to obtain free security software.
you don't migrate you graduate.
Look it's like this everybody's not going to start using Linux if you get well enough good and fed up and decide to learn something you graduate to Linux some of you got stuck along the way you guys win the Darwin award you make sure people in Russia and other places don't starve by your being such complete suckers life is good but only if you learn and adapt;.]
Oh yeah and if you have enough money you are probably OK with a mac.
I'm thinking of a badge, not a five pointed star but a 'cloud' shape. Maybe about 3 inches or so in size, gold for sheriffs and silver for deputies perhaps.
I used to be a good horse rider, maybe I can apply for training. Organising a posse to go find Stamford Wallace would be hard work but great fun.
(I'll get my coat)
re: Neither the Theory or Reality is suitable
1) Most are pretty good heuristics, and work well enough. Those that do defeat current spam filters for any length of time are usually emails with imagemaps instead of text. Email clients should have "download pictures automatically" turned off by default.
2) That would not stop malware-laden attachments sent by scanning address books, and most people have attachments set to not automatically download to save bandwidth.
3) Microsoft security is what gave us Vista (partly). More of it is not a good idea.
4) ISPs should not do this. It should be part of the National Curriculum for say year 10s, and the manual freely available from public libraries or somewhere similar.
Like in the Wild West, you should look after yourself, and if you think you can take down a scammer or spammer without getting your system wiped out or harming innocent bystanders, then you should be allowed free rein to do so.
ISPs are the problem
ISPs could be the solution. Most include some variety of modem device in the package. Make it incorporate an SPI firewall. Make it block SMTP traffic to any host other than the ISP's mailservers.
But no, a disposable USB-attached piece of shit is the norm.
Complain to ISPs whose subscribers relay spam. Currently they simply don't feel any pain. We should be overwhelming their abuse mailboxes in precisely the same ratio that they are instrumental in flooding our own.