As the Australian Government continues to grapple with the issue of how best to protect the nation from internet nastiness, the House of Representatives Standing Committee on Communications has just lobbed a major new element into the debate in the form of a mega-report on cyber-crime. The report - entitled Hackers, Fraudsters …
The only protection consumers need is from yet another big brother government initiative!
RE: Protection required?
I agree, I'm not sure of the political landscape of Australia but they seem to be going through their "New Labour" phase. I like Australia, I really hope they manage to realise what going on and vote them out soon.
I always thought that your Labour governtment was a copy of our Hawke/Keating era, one, slightly before...
ie your next Labour gubment will be WORSE
What on earth (or in cyberspace) is a conroy connector
other than a googlewhack that is - the sole result is this elreg article)
I'm guessing that's a connector controled by (Stephen) Conroy.
"a conroy connector"
Just so long as it connects my boot to his effin' head.
I believe the "Conroy Connector" is a reference to the National Broadband Network
It's a Fibre to the Premises (FTTP) network that is going to be built in Australia. The end goal is fibre optic cable Internet to 90% of Australian homes and businesses (who want it, that is). Result - quick, quick Internet connections. More info here:
It's a good thing too that Telstra is being pressured by the government. Telstra is one of the worst things in the world - a _private_ monopoly (on copper wire phone cabling, for example). They'd prefer to rake in rent money rather than invest it in new infrastructure. That's why Australian broadband speeds are languishing behind other countries.
Conroy is quite the ignorant tosser in a lot of things. But he's no Richard Alston ("the world's biggest Luddite" - remember?) He promised the NBN and he's sticking to it; good on him.
[As for Internet censorship - the thing that most El Reg readers despise him for - it has been put on hold until the next election, and it may never re-appear. The government is sliding in the polls, and net censorship is not the vote winner it seemed to be. Good it's gone too.]
That would seem the most effective way of preventing virus infections, malware etc.
Oz has my sympathy!
end-users be required to "install anti-virus software and firewalls before the Internet connection is activated". They should then do their best to keep security up to date and "take reasonable steps to remediate their computer(s) when notified of suspected malware compromise".
FFS! Some of the Wallys I have to deal with have enough trouble finding the power button, let alone understanding things like AV scanners and Malware.
Tell me Missus Politician, what about those that don't live in Billy's Pleasure Park eh? Not everyone runs Windows you know, just 'cos you associate Computer to Windows. Those who don't run Windows, will obviously need to source a different AV scanner. Granted Windows will be the number one used and probably the number one spreader of the nasties.
Are you going to give away free nasty-beating software to everyone to get this sorted or will we have to pay for it ourselves? What if I refuse to run AV will the new Oz Internet Stasi be round to cut of my connections (oooh!)?
The more these simple minded planks come up with, the more I am reminded of the Bottom Inspectors in Viz!
Linux users need not apply
Does this mean that only those using a pre-approved combination of operating system and anti-virus/firewall will be permitted to access the internet?
Presumably, when you want to activate your new connection you'll have to contact a monkey in a call centre who in turn will use a pre-approved script and testing tools to make sure it's all working as intended.
But, given all that, how are they going to certify all of the other PCs I might then attached to my new connection? Are they intending to distribute some kind of end-user connection applet that validates everything is as mandated before allowing a connection to be made?
Actually, i was thinking about some of the strange systems i have connected to the interenet over the years. Can you even get Anti-virus for SunOs 4? While i know there is Anti-virus programs for RiscOs and AmigaDos, i would be surprised if they have been updated since the 1990's
Also from the retro-computing post earlier, Does that mean that you cant legally Twitter from your zx-spectrum down under? I assume this will also put the nackers on any home project to put a PDP online/build a web server out of a toaster and couple of old telly's
The firewall issue you can get around with a hardware firewall box, but the anti-virus is a bit of a killer.
They may still need legislation
The NBN is probably going to be a hybrid layer 2 / 3 network. Most of the current big players will take L2 connections. So that's all a little low to be putting application level stuff like virus scanners. Firewalls maybe - but not web-style ones which can differentiate virtual hosts.
Not a bad idea
"...the report recommends that end-users be required to "install anti-virus software and firewalls before the Internet connection is activated"..[and]..ISPs would be obliged to ... inform users when their IP address has been flagged as linked to infected machine, and put in place a policy of "graduated access restrictions" – with disconnection as the ultimate sanction."
I actually see no problem with this at all. It's about time that everyone took responsibility for securing their own computers - the internet IS a public network after all, and it's not at all unreasonable for users of that public network to make sure they behave. The situation we have at the moment is that most users (typically on Windows boxes, but not always) do not even know if they are spurting out rubbish to the internet because of a virus, and many don't even care as long as "it still works" (I know this from experience). I'm afraid disconnecting some people is the ONLY way they will bother doing anything about any virus/spambot infection. It might also force the likes of MS to finally sort-out their act and stop selling swiss cheese operating systems.
As an aside, bearing in mind most people have no idea what they are doing, why do all the router manufacturers set their default in-built firewalls to "let anything pass" rather than something far more restricted which would still work for most people (which is only about 5 port numbers rather than sixy-odd thousand!) - it's utterly irresponsible!!
I do see problems there.
First, the systems they're using are inherently insecurable. And gov.au is then proposing to use a limited, fallible, and highly marketed (why? because it brings in money!) method to ``fix'' the problem.
Second, as you yourself point out, most people don't have enough clue to do anything sensible with the requirement, bringing in dosh for third parties, and depending on details it'll hamper people who do have a clue. So, a real fix it isn't, but it is going to cause pork barreling for the sna^H^Hecurity venduhs.
I agree it is time and past time we stopped being vulnerable in large masses. But the fix isn't to do the equivalent of slapping a couple plasters on a swiss cheese. I also see a problem with you, where you're en passant blaming router boxes for the failings of (irresponsible because incompetent) end-users and their insecure toys. You might as well be advocating the micros~1 proposed ``bug tax'' for all the sense you're making in playing the blame game.
So it's ok to carry on spreading viruses then?
What you seem to be saying is that most people use insecure systems and don't know what to do to secure them (if, indeed it is possible at all)?
So... you are concluding that we just let them carry-on using insecure systems and carry on not doing anything about spreading viruses? And if you're not saying this then what ARE you proposing?
While I agree with the first part about ignorant users (and I pointed this out), that does not in any way excuse it. If you start cutting insecure systems off the internet then people will VERY quickly get wise to it and either fix their systems or use something that is more secure - they have no choice! Yes, it will make money for security folks, but Jo Public will very quickly tire of paying for such services and will eventually opt to use a more secure system. I say again - The user not knowing what they are doing is NO EXCUSE for spamming everyone - if it costs the user money to fix it then tough - it's costing many many people and companies a HUGE amount of money every year to combat the problems that Jo Public's insecure computer is causing. If you used your argument all the time, you'd be saying that it's ok for Jo to run people down on the roads because he doesn't know how to drive a car!
And why do you call the idea limited and fallible? What's fallible about being cut off? Seems a VERY good way of stopping network traffic to me.
And I am not passing blame to anyone - most internet routers are knowingly sold (indeed, are specifically marketed!) to people who do not know what they are doing - this is a FACT. In light of this, the manufacturers should take some social responsibility and make some attempt to make their product as secure as they can. It would have virtually (if not actually) zero manufacturing cost impact and would go a significant way to helping users who don't have a clue. I am not having a go at the ignorant user - this stuff is complex and most people are never going to "get it", and will need help. But like the law, ignorance is no excuse, and one should follow the rules and be a good internet neighbour.
Using the internet is not like driving a car. There is no way that not knowing good internet neighbourliness is going to lead to death, serious injury, or damage to property. You do know what a straw-man argument is, don't you? ;0)
Good intentions good for paving.
Those ``home internet routers'' are pretty safe already, because of how NAT works. Indeed, the infection paths nowadays are of the ``drive by'' type. And having those edge things ``fix'' XSS and overflows and things in protocols layers above the layers they're supposed to operate in is a good recipe for making the whole thing even more unpredictable. Plus, deep packet inspection and acting on it is censorship. So if the state mandates the vendors puts that in... that goes beyond merely high proof utter technical stupidity.
The problem with this sort of government rule, as already implied by other commenters, is that it implies things that amount to a rehash of ``all the world is a vax'', or now ``all the world is a wintendo with a clueless moron behind it''. That sort of law gets really old, really fast, in several meanings of the word.
If you want to fix the OS, fine, force the OS vendor to finally get on with fixing their crap code. Don't force others to pay for it, either. Don't force essentially unrelated devices to patch up problems in crap OSes (or applications, or websites) either. Fix the OS instead, or ditch it and move on to something less resembling a rotten corpse. There are quite a few options even without counting anything with ``linux'' in it somewhere, though no need to discount it either.
If you want to fix the stupidity, you can go about it from two directions: Fixing the user by education is one. Fixing the OS to have less a confusing design is another. You can't do all from just one side.* The main culprit vendor tried to, failed, then as time went on and they kept adding more layers of the same, their stuff became ever more confusing. Then they asked others to pay for it with a ``bug tax''. Uhm, no. Not even if they didn't sell their crap for a 90% margin and weren't sitting on several humongous sacks of cash.
Point is: Yes, you can do a lot. No, requiring all computers to adhere to safety rules that only apply to a subset is not the way. Putting that in law is shooting yourself in the foot with a bigger cannon, so don't do it.
Same with people. Might as well forbid stick drive because granny can't use it. That's not how it works. You make granny use an automatic, and leave the rest alone. If you can't imagine how that works, you have no business making laws.
* This is the ``the only intuitive interface is the nipple; everything else is learned'' argument, and it's false. The nipple isn't intuitive either. You can go a long way with methaphors, but you can't go all the way, and besides, the methaphors only work because that something else you're using for a methaphor has already been learned.
Finally a homogenous landscape with lots of _really_ bad code. It's just a matter of time till the first AV worms spread by using bugs in the AV software.
Thought they do that already...
...especially since AV software, by their nature, has higher-than-average security clearance, providing an easier route to the top, regardless of OS.
Some Suggestions Make Sense
The ISPs are indeed capable of detecting many cases of malware infection and should notify their customers about that by snailmail. If the customer does not react after some period, turn off the line.
That would decimate botnets considerably and also protect the customers from their own negligence, incompetence and serious financial loss. But the decimation of botnets alone justifies this.
The gubmint does not need any customer data to achieve that - all stays with the ISP, who has it anyway.
Yep, completely agree. The ISP is the connection point between the user and the rest of us, and they can detect a lot of this badness quite easily, without the need for deep packet inspection.
Open ports showing an unprotected windows share? Huge amounts of traffic to port 25? Call the customer, if they can't explain, block it. Evidence of probing for open IPs on same subnet? If they can't explain, drop their connection and post them an anti-virus CD.
It's more work for the ISP and likely to hack off some customers, but if you want to clean up the current state of affairs they HAVE to be the first port of call. You can't drive a car on the road with no brakes and no-one complains about that - similar legislation will force all the ISPs to act as one, and ensure their more irate virus-spewing customers don't just pack up and go elsewhere.
What is it here?
There is no sensible relationship between the internet and the safety related bits of cars. If you need an analogy on cars, this would be something to do with locks that are too easy to open - a nuisance, but no-one is going to create legislation for it.
Please, let's have some sense of proportion - sloppy use of the internet does not cost lives, lead to serious injury, or cause damage to property. Maybe it is the use of the word "virus" that makes people think in terms of death and destruction. Whatever, lets keep the analogies sensible, eh?
If they modified it to "take reasonable steps to be secure" then that is just common sense.
However without the retro computing angle, there is already flaws with needing antivirus;-
NAS, I have a NAS box connected to the router that gets the internet connection. It may have its firewall configured to not forward any internal ports from my NAS box, but still i dont plan on running anti virus on it, even if i could convince BusyBox to run something.
Oh ffs, thank god I don't live down under
Ignoring the ridiculous antivirus restriction (see posts by other commentators!), this is just crazy because it's supposed to oppose the bad guys but actually creates a wonderful new opportunity - no need to hack PCs anymore, just hack government servers and you'll grab whatever you want from whoever.
woods for the trees
First remove the political won't somebody think of the children waffle
"the interests and needs of business"
"The committee were also told that increasing internet speeds were likely to make the situation worse"
"This should include active consideration of how to increase access to network data held by global IT security companies to address commercial concerns are desirable."
"put in place a policy of "graduated access restrictions" – with disconnection as the ultimate sanction"
Right, so the real targets are downloaders who cost the copyright mafia money (but not as much as they claim), thats not as some halfwit individual who loses some money because of a phishing scam, is it?. Always, ALWAYS, follow the money....
Has Aus been infected with the religeous nutter meme?
I think so.
My concern is legislation creep. It's easily seen that our (Oz) Nu-Labour is intent on control of our internet. I can see our government passing legislation to force anti-virus and firewall software onto our computers (for the sake of whatever). I can also see that within that legislation they will allow the Minister to make changes by regulation. This seems to be the common trend of government both in Oz and in UK at the moment.
So we start with a requirement (by legislation) that we install certain software and after some time it will become a legal requirement (by regulation) that we must use a government approved DNS server or install government approved firewall/anti-virus software either of which the government can use to switch on or switch off websites for whatever reason they think fit.
I agree that something needs to be done about botnets etc. But, is this the way?
It appears to me from reading The Reg over the years that some sort of concerted effort by ISP's and internet security services could at least reduce any botnet problem. But, a simple answer like that doesn't suit government long term plans. Why? Because it would be outside of government control and we know that in the end governments want to control the internet. It's outside of their control at the moment and they want to bring it within their scope.
The reason that governments want to control the internet is obvious, they know it is a powerful force and that it is the hands of the populace, that is a situation that just cannot be allowed, governments are elected to hold power, people are for governments to wield power over.
'Give me a fulcrum and I will move the world'. Governments see the internet as a fulcrum and we people must not have free access to it.
Not Going to Happen
I don't know why the media is running with this story as it's just not going to happen. Technically it's not feasible with the proliferation of different types of devices that can connect to the internet (just about anything these days, including fridges), as well as issues with multiple devices behind a router using NAT, etc, etc. Furthermore, there are all sorts of problems with deciding what is adequate virus protection - who would decide, how would it be policed, etc, etc. I wouldn't get concerned about these things bcause the idea is dead in the water as soon as someone takes a detailed look at it.
re: "wouldn't get concerned"
"I wouldn't get concerned about these things bcause the idea is dead in the water as soon as someone takes a detailed look at it."
You mean like Conroy's internet filter? The one he's determined to push through despite massive resistance by nearly every last person who has ever heard of it, and despite being repeatedly told by everyone with the least bit of technical knowledge that it is completely impossible to implement? I would certainly get concerned.
I've had it with the technical incompetence of this government. I have now begun to ensure my data trail disappears completely from the government's radar. Onion routing, several different VPNs terminating in different countries, everything encrypted so damn hard I'll have trouble accessing it myself. I no longer have the slightest bit of trust remaining in my government at all and I am determined not to let them have the tiniest degree of control over what I do online.
re: Has Aus been infected with the religeous nutter meme?
Only if you belong to the church of "State Control of Everything".
Which, you'll be pleased to know, is pretty much morality-free.
"Only if you belong to the church of "State Control of Everything".
Which, you'll be pleased to know, is pretty much morality-free."
As did the "Rev" T. Blair.
The UK got rid of their bunch.
Perhaps it's time the people of Aus who are not afraid of the rest of the world to clean out their their nations closet.
Just a thought.
ISPs would be obliged to provide security advice
>ISPs would be obliged to provide security advice,
I worked at the help desk of an ISP in my last year in college doing the basic mindless stuff (Is your computer plugged into the wall?) and I had a standard answer to that question from clients whose Windows machines got pwned?:
- If you have the money to be locked in, get a Mac for pete's sake. No more headaches.
- If youre on a budget, want to recycle older hardware and care about free-freedom and free-gratis, and still want continously updated desktops then there are myriads of Linux desktop options to suit everyone's needs (ive installed Linux on the machines of about two dozen seniors by now) from the Mac clone Ubuntu to other more Windows centric desktops that use KDE4.5: Mandriva and such..
The desktops are really at parity now so the changes are easy (just as easy as going from XP to Vista 7) to make.
It always come down to the human element/stupidty of course but I can tell you that in all the Mac and Linux boxes in my extended family (inlaws, parents, grandparents, aunts, cousins), my free tech support for the usual "Help, my Windows machines is infested... what do I do ? I need my data files, I DIDNT back up!!! Help!!" call at 2ham is not the same as with Microsoft using friends who I now transfer to my 14yr nephew who charges 12$hr for that kind of time consuming stuff.. (Heck with KDE's KRDC 4.4 Remote Desktop Client I dont even bother going over to do stuff.).
Of course, I shouldnt complain, the onslaught of Conflicker-infected PCs in the corporate world helped me get my first job last year out of school so not everyone loses when it comes to security.
Windows is a great environment for the security field.