Immunizing the Internet 181
jonny4001 writes "The Harvard Law Review has published a student-written article that argues that hackers, worms, and viruses are good for network security and that the law and public policy should encourage 'beneficial' hacking. From the article: 'Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security [...] Current federal law, however, does not properly value such strategic goals.'"
Finally! (Score:5, Funny)
Re:Finally! (Score:3, Insightful)
And claiming that a certain amount of malware going around helps security measures stay alert is silly. The analogy with living organisms and biological malware is way off. Computer malware doesn't thrive in the wild, mutating randomly. It is powered by misguided humans and by misguided blacklisting approaches to security.
Perpetuatin
Wow! Who knew? (Score:5, Funny)
Re:Wow! Who knew? (Score:5, Insightful)
In general being exposed to a lot of germs (typically harmless) trains up your immune system. buggers catch a lot of local bacteria and allows for exposure in a safe and weakened form.
-- Just because it's correct. Doesn't make you want to do it.
Re:Wow! Who knew? (Score:2)
While it may be safe to eat those who bug you, you may instead try eating your boogers.
Re:Wow! Who knew? (Score:2, Troll)
Re:Wow! Who knew? (Score:3, Funny)
Mark
Re:Wow! Who knew? (Score:2)
To the point, children may be stronger for this, but its increasingly a problem for adults having petri dishes running around.
Re:Wow! Who knew? (Score:2, Insightful)
Don't bet on it.
The well is poisoned. (Score:5, Interesting)
A few years later I wouldn't have considered it. People who'd not done much more had spent time in court and been threatened with jail. Not much later, you had people actually doing jail time for simply "knocking on doors".
What happened?
The whole "ethical intruder" meme had spread, and people had started cracking into systems and then claiming they were just "rattling doorknobs" to "help security". Of course you couldn't tell an "ethical hacker" from a crook, and the crooks could claim they were just trying to help.
It's the "ethical hackers" themselves that have made it impossible for this kind of activity to be condoned.
Re:The well is poisoned. (Score:5, Interesting)
I've seen a student here report a security hole (the muppet that originally developed the web app they were using tracked currently logged in user by putting their username in the CGI parameters. Change the name, and you can be whoever you want), and some members of staff still wanted to seem the kicked out (we did manage to talk some sense into them, though). Point is, if it had just gone to the person maintaining the system at the time (me), I'd have patched up the code, thanked them, and forgotten about it.
Re:The well is poisoned. (Score:5, Funny)
Re:The well is poisoned. (Score:2)
Re:Full disclosure is a necessary evil (Score:3, Insightful)
It is true that bad hackers will pretend to be ethical hackers but by putting everone in jail you end up creating a less secure world. Only the bad hackers will find the security hole and they won't tell anyone.
Full discolure is the only solution and it is not popular: companies get bad press for having security holes, they might loose some business and thus try to shoot the messenger
However, full discolure is a necessary evil it we wan
Re:Full disclosure is a necessary evil (Score:2, Informative)
Re:The well is poisoned. (Score:5, Insightful)
While I do agree with you, that a kid reporting an error and perhaps even a sugested solution, would be regarded as helpful and something of a "white-hat" on a private perspective
However one thing that has changed since the early eighties is that now there is usually quite a bit more money involved.
Now accountability is a big concern.
If that kid was into a system I admin, I must realize that even if he propably just is helpful, I still cant be sure, after all he was in there, where he shouldnt have been, who knows what he did and discover but not tell me about.
And thats what its all about, ne one side I have a complete stranger who claims that he has been in one of my systems, found a few bugs, and have a few suggestions, one the other side is that the only way to be sure of system integrity is to asume that the system is completely penetraded, and do a very expensive security checkup, to see how much damage that _could_ have occured.
If I trust the kid, and he happens to be a black-hat - poof - there goes my job
If he turns out to be a white-hat, well in that case he was nice and not much won for either me or my clients (since we have to do an expensive audit anyhow)
So I would asume he was a black-hat, cause if he wasnt, I havent lost much... Maybe synical, but thats how it works.
Re:The well is poisoned. (Score:3, Informative)
Having someone come forward and say "you've got a rather specific problem that needs fixing and here's a way to maybe fix it" and then going and doing your damnedest to ruin their career and/or put that person in jail is simply needlessly shooting the messenger.
Re:The well is poisoned. (Score:2)
Re:The well is poisoned. (Score:2, Insightful)
Which, arguably, you should have done in the first place.
Re:The well is poisoned. (Score:2)
Yeah, it's like what von Clausewitz said about war: "You plan for what the enemy can do, not what he will do."
When somebody can corrupt your whole system, the only secure way to proceed is to assume they already have.
Re:The well is poisoned. (Score:2, Insightful)
It's crooks who are the problem, but more commonly it just appears to be lawyers who are the major part of it, since they so often find themselves "forced" to do due-diligence and attempt to prosecute every little thing that come
Re:The well is poisoned. (Score:2)
The whole "ethical intruder" meme had spread, and people had started cracking into systems and then claiming they were just "rattling doorknobs" to "help security". Of course you couldn't tell an "ethical hacker" from a crook, and the crooks could claim they were just trying to help.
That's like a jewel thief or bank robber claiming they were "just trying to help out" when relieving a bank or jewelry store of its goods. Breaking and entering is breaking and entering -- if you do not belong in a place and
Re:The well is poisoned. (Score:2, Interesting)
That's like a jewel thief or bank robber claiming they were "just trying to help out" when relieving a bank or jewelry store of its goods. Breaking and entering is breaking and entering -- if you do not belong in a place and you enter that place without authorization, you're breaking the law.
In that case, using your metaphor, what happens to the person who walks by the jewelry store and calls the owner (or the authorities) to inform them that the door has been left open. In a real jewelry store, the owner w
PDF WARNING! (Score:5, Informative)
Re:PDF WARNING! (Score:3, Insightful)
Like a pdf isn't a royal PITA under linux + firefox? No wonder yu posted AC (/me currently running SuSE + Firefox, and avoiding pdf files whenever possible because they're still bloated).
Now back on topic, this is just SO fucked up logically:
Re:PDF WARNING! (Score:2)
[..]
If it isn't your system, don't be f*cking around with it, same as if its not your car, your home, or your other sh*t.
You are making a moral argument. The article isn't about morals, it's about facts.
Re:PDF WARNING! (Score:2)
Poster wrote: You are making a moral argument. The article isn't about morals, it's about facts. No wonder its in a Law Review - morals are optional for lawyers.
Seriously, the simple fact is that don't have a legal right to try to do a buffer overrun on someone else's system. Or try to install a root kit. This isn't morals - this is fact. Its a crime.
Re:taken from the 'Bantown manifesto' (Score:3, Informative)
Your original premise has a few flaws:
No, its not. Its neither single, nor uninterrupted, nor deterministic.
Its not a single state machine, because its not a single machine. By definition, the Internet is a collection of machines.
If you tried to push that analogy in any other field, the BS quotient would set alarms off immediately. For example, if you tried to say that people are a single person because all their interactio
For those who won't RTFA (Score:5, Funny)
IMMUNIZING THE INTERNET, OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE WORM
Re:For those who won't RTFA (Score:5, Interesting)
Realistically this is the history repeating itself. Many times.
Prior to Edward Jenner discovering the vaccination the people tried to instill immunity to Smallpox in their children by a process known as variolation. The difference from vaccination was that people were deliberately infecting children with the real virus hoping that they have it in a milder form. Well... and if not, that was just a child, one more, one less who cares. In some more awkward and less developed parts of the world this is still done with Varicella, and less frequent Rubella, Measles and Mumps.
Society attitudes have changed since. The majority no longer consideres normal to infect children with the real viruses. Still, even now, there are idiots who insist that "having child diseases is good for the children as it improves their character" (or other such bollocks).
Similarly, infecting networks with real worms is not dissimilar to variolation. There are plenty of security tools out there nowdays which can detect the vulnerabilities that can be used by the worm and force the user to fix them. There is no real need to weed out the "weak" (yeah, I know, I am tempted myself to weed out the idiotz sometimes).
And as far as jo average user it will take some time for them to grow up, but it will end up the same as with vaccination. People were reluctant to do it initially. That is not the case now.
Re:For those who won't RTFA (Score:2, Insightful)
Can you provide any sources for this statement? Every description I've ever seen of losing a child, even in the bad old days, was usually pretty painful. You probably have to exempt the usual psychopaths.
Re:For those who won't RTFA (Score:2)
Which as far as I am concerned is about the same as the "one more, one less" attitude. Just a different form of it.
Let's not forget that 40%+ child (under 7) mortality was something normal as recently as the 19th century in most of Europe. People in those days were much more familiar with child death in the family then us. I am not saying that they did not care at all. Only idiots do not. They simply cared less, because they did not have a choice. Tuberc
Re:For those who won't RTFA (Score:2)
The reason for exposing children to mumps, etc. (as my mother did me) is that these childhood diseases were far less fatal to children. They can easily kill adults.
Re:For those who won't RTFA (Score:2)
Re:For those who won't RTFA (Score:2)
Re:For those who won't RTFA (Score:2)
No, the issue, at least in the article, is to what degree do we punish or encourage system penetration, and should punishment fit actual damage rather than simple penetration.
There's nothing wrong with your opinion in and of itself, but perhaps you should actually read the entire article (for comprehension) before commenting on it. The author never suggests that there should n
Does this work for offline crime? (Score:5, Insightful)
What is the special magic about technology that makes people give opposite answers to "Is X sensible?" and "Is X sensible using a computer?" for just about all values of X?
Ame
Re:Does this work for offline crime? (Score:3, Funny)
Why Shouldn't it :-P (Score:2, Interesting)
Of course, real-life doesn't work like that. Just look how every little imaginery threat is currently used by the PTBs to further clamp down on the innocent general public.
Re:Why Shouldn't it :-P (Score:3, Insightful)
Yeah, because we all know that insurers are not part of the system at all; unlike the rest of us, they have access to magic money-making machines powered by pixie dust.
Re:Why Shouldn't it :-P (Score:5, Funny)
The rich people were probably just going to donate their spare wealth to charity to help the poor: robbery saves them the trouble of having to do that, too. It's a win-win situation!
What is the special magic about technology (Score:4, Interesting)
I don't agree with it, for what it's worth, in either case.
Re:Does this work for offline crime? (Score:3, Informative)
Re:Does this work for offline crime? (Score:2)
I hate these kinds of analogies, but can't help but play along...
How would you feel about having someone hanging out outside your front door playing with the locks, going to your windows and seeing if they open, trying to peep in your bedroom blinds, tracking what time your kids leave and come home from school, and sitting in a parked car across the street for a few days staring at you?
Would it make you fee
Re:Does this work for offline crime? (Score:2)
Re:Does this work for offline crime? (Score:5, Insightful)
This isn't the equivalent of bank robbery (nobody gets potentially harmed, and no real damage done). Rather, a far better example would be the instances of journalists repeatedly and successfully smuggling weapons through TSA security, onto commercial flights. Absolutely no real harm is done by it, and success leads to very important good things (increasing security where it is lacking).
The more they will find security holes, and make the system safer against the real threat, the truely malicious professionals. Of course, the analogy isn't perfect, but it's far closer than bank robbery and murder.
Probably because of people like you... People who can't relate the computer world to the proper real-world equivalents, and therefore have a really warped and twisted misunderstanding of the computer world.
Re:Does this work for offline crime? (Score:2)
Is that so? Hmmm. "No, officer, I'm a journalist, honest. I know I'm wearing a turban and have a foreign-sounding name, but I wasn't going to use these explosives strapped to my chest. It's just for a newspaper story. Sorry, what? 'Press card'? Er, no, I left that at home, sorry. But I really wasn't going to s
Re:Does this work for offline crime? (Score:5, Insightful)
This is where the analogy breaks down catastrophically. There is no simple, familiar motivation for anyone to try getting into a house as an intellectual exercise, or even as a challenge. Either the house is wide open - in which case it would be legal to enter in some jurisdictions, while in others the householder could legitimately shoot an intruder anyway - or it is secured, in which case any attempt to gain entry is almost certainly of a criminal nature.
Computers are different, in that trying to understand and improve on software mechanisms is a universal impulse among (good) programmers. Bill Gates, and many other people who came to be famous, hacked in his youth. The sainted Richard Feynman confessed openly to having made a hobby of getting into as many locked areas and safes as he could, while working on the Manhattan Project. He had absolutely no ill intentions, although he was well aware that the military bosses would be hard to convince of that. Incidentally, he told of a valuable spin-off, when a senior official left the project and his immense safe was found to be secured. No one had the combination, and they were thinking of explosives and thermic lances until Feynman came along and casually opened it.
Please don't accuse me of trying to excuse genuine criminals - I am the last person to do that. But do realize that many people who experiment with software do so from motives of genuine curiosity and intellectual challenge, which can be very useful if properly harnessed. And let's get over the crude physical analogy of "breaking into" a computer. A computer is a machine that executes instructions. When some sets of instructions are executed, the computer can display words, numbers, and pictures meaningful to humans, and accept human input through keyboards and other devices. A computer does not have a mind of any sort, and thus cannot be deceived, pleased, annoyed, or educated. Moreover, the idea of the computer as a structure or territory that could be broken into is simply an analogy that helps us to think about it; it does not correspond to anything real.
Re:Does this work for offline crime? (Score:2)
I have no real point here. I just wanted to work a car analogy into the conversation. =)
Re:Does this work for offline crime? (Score:2)
Re:Does this work for offline crime? (Score:2)
A computer is an abstract machine for manipulating information. As good
Re:Does this work for offline crime? (Score:2)
Exactly. They're also becoming pervasive in areas that have little to do with either generic off
Here is an example of a break in (Score:2)
Re:Does this work for offline crime? (Score:2, Interesting)
Slightly off-topic, but there is a quite funny pr
Re:Does this work for offline crime? (Score:2, Interesting)
People taping their keys next to their door.
Banks where you just state a different name and get full access to the corresponding accounts.
People stating that they don't bother if other people can access everything in their house as long as they don't do anything that actually harms them ("i don't care if someone can read my mail")
I and probably everyone on slashdot know people who don't give a shit about IT s
Re:Does this work for offline crime? (Score:2)
If you break into a computer system, copy/steal/mess around with stuff, then tell the maintainer, it's hardly ethical, is it?
That's not to say that it's sensible, just that done right, it's absolutely nothing like bank r
Re:Does this work for offline crime? (Score:2)
Re:Does this work for offline crime? (Score:2)
Re:Does this work for offline crime? (Score:2)
It's not good for banks to be robbed, but it is good for honest people to be thinking about how their bank might be robbed and to go to the management and say "Hey, I've noticed that you've got this weakness that would let me walk off with a lot of money".
Re:Does this work for offline crime? (Score:4, Insightful)
If I break into a computer and play a prank that hurts no one, why should I be facing hard jail time where if I had just broken into a building and played a prank the police would probably not even bother tracking down who did it?
Somehow people in the technology world have gotten it in their heads that people being curious and testing boundries deserves ass pounding federal prison time. This is incredibly destructive to some of the most important qualities in people: curiosity, cleverness, inventiveness all get squashed by this concept of "if we didn't intend for you to be able to do something and you do, you're a criminal".
This is highly destructive to real network security, the kind of security where even if people want to do something you didn't intend them to do, they can't. We need to go back to making tinkering with interfaces provided to you legal. The rule should be, if you don't want me to be able to tinker with the interface, don't provide it to me.
If hacking is a crime only criminals will hack.
Re:No, but it doesn't mean to be a stupid victim (Score:2)
Look... I live in a city which has had over 300 murders last year, god knows how many rapes, and roberies are common place.
Not to exscuse the criminal, but these things happen and that is why most banks here
Taquila Sunrise (Score:3, Funny)
Looks like I found a new Taquila drinking buddy.
Re:Taquila Sunrise (Score:2)
Or perhaps you have too many Tequila buddies already.
Re:Taquila Sunrise (Score:4, Funny)
Too often companies ignore problems until it's.... (Score:4, Interesting)
Dual passwords. A master password which can change anything in the account, and a secondary password which can change anything but the master password. The idea is that if your secondary password is stolen, you clean your machine (just incase you were infected), log in with your master password, change your secondary password, and everything is fine.
Freezing expired accounts for 10 year periods to prevent someone from grabbing it up and gaining mail-forgotten-password privledges from other sites. Got a bank account? Got online banking? Got an account which you can easily send your password to your e-mail address? Oh wait! Your e-mail address expired! Someone else registered it, went to a bunch of bank websites and such, just to see if your former e-mail address has an account there.
Hey, it works for living creatures (Score:2, Insightful)
open source hacking (Score:3, Interesting)
Re:open source hacking (Score:3, Informative)
Re:open source hacking (Score:2)
Article summary - rewritten... (Score:5, Interesting)
Makes sense now, don't you think?
Good idea, but doesn't work out (Score:4, Interesting)
The reality looks different.
In reality, people don't want to be bothered with this pesky thing called security. They want their machines to do the magic by themselves and not worry about it. So they created laws where it becomes illegal to even look for a security hole. Because, what you can't see isn't there.
Take you average user. Just enough smarts to turn on the PC, updating with an automatically generated and even transfered script is beyond their capabilities. When (not if, when) their computer is turned into a spamslugger, who will they blame? Themselves for not being able to keep their machines secure?
Keep on dreaming.
The laws are a reflection of the general unconsciousness. People don't want to be hacked, so it must not be done. Yes, the machines are insecure, yes, there are billions of trojans and viruses out there trying to break in (and succeeding, most of the time), but as long as we don't see them, they're not there.
La la la, I can't hear you...
Lawmakers out of touch (Score:5, Interesting)
Most judges, seeing a bank had implented very poor physical security - so poor that a lone teenager could fairly easily get into the bank without help - would be lenient on the teenager for breaking into that bank and bank would be in lots of legal trouble for having lax security. But when the internet is involved the teenager becomes an evil hacker in the eyes of both our lawmakers and much of society, and it's off to jail for the teen and no punishment for the bank.
I really worry about the next generation. All kids do stupid stuff and talk about stupid things as they are growing up. Only now, much of that stupid talk is done via electronic communications, and much of the stupid stuff is easier to trace.
I can see in the near future (maybe it's happening already?) that when a misdemeanour with a youth occurs one of the first steps a law enforcer will take will be to get access to the youths electronic communications. Then they'll uncover all kinds of stuff that will look terrible in the eyes of a law enforcer and the parents - and be extremely embarrassing or worrying for the youth. But in reality will just be the stupid things people do and say when they are growing up. We'll have youngers going to jail and being ostracized by their parents and society just for doing and saying the stupid things that we all did when we were young.
Re:Lawmakers out of touch (Score:2)
Bullshit. The teen would have gone to jail. Just because the window's open don't mean it's ok to enter.
Re:Lawmakers out of touch (Score:2)
oh, there should be penalties (Score:3, Insightful)
As for "hackers", they should be held responsible under existing fraud laws if they commit fraud; the mere act of "breaking into" a computer system should not be a violation of law.
Re:oh, there should be penalties (Score:2)
if there was no security, are you actually breaking in? so, in which case, are you violating the law by attempting to discover if there is any security in place?
in meatspace, if you walked up to a building and try and open the door, but it's locked, as I understand it you've committed no crime. If the door is locked and you pick the lock without damaging it, you are committing a criminal offense of trespass. If you break
A little knowledge is a dangerous thing... (Score:5, Insightful)
The paper (or article, or whatever) is actually quite well-nuanced and fairly even-handed. However, it suffers from a fatal flaw of many legal articles: a fundamental ignorance of the subject matter itself.
It's a paper written by (wannabe) lawyers, who, while they site large rafts of supposedly corroberating papers and "experts", don't understand what they (the exports and sited papers) are talking about.
This kind of approach is eminently practical (and effective) when attempting to try a case, or negotiate a settlement. However, it is absolutely the wrong way to do things when attempting to write a Public Policy piece. If one is attempting to educate the populance (or some subsection of it) about an issue, you have to actually understand the subject, not just quote others' ideas.
They are correct in the supposition that cybercrime has a different nature than that of "real world" crime. But they completely misunderstand how this difference affects people.
A classic example of not really understanding the subject matter occurs when they claim that a compromised system actually causes very little economic damage, as the system itself is not physically damaged, and the effort to repair it is theoretically comparable to a periodic security audit/update of the machine. What they perceive is a JoyRide in a "stolen" car - someone took my car out for a whirl, and if they've returned it in good shape, all I (the owner) have to do is sweep out a few of the crumbs (and maybe fix the door lock) before it is ready to go again. This isn't the true case. Rather, it is closer to the case that I, the owner, would have to completely dissassemble the entire car, and put it back together again from its component parts, just to make sure that the kids didn't screw something up (or wire a bomb to the ignition). There is a HUGE economic cost to cleaning up after even a minor intrusion. Because, frankly, there is no way to determine if something was a minor or a major intrusion, until a complete postmortem is done. And the risk associated with keeping a compromised system working is far too great to NOT do the full rebuild. In many ways, the risk analysis looks a lot like empidemiology: when a herd of cows is found to contain one case of Mad Cow, we kill the entire herd and check them all, rather than just kill the sick cow, and say "oh, we found the problem, and it is fixed now".
The real solution is not to allow "ethical hackers", but rather to provide economic incentives for companies to protect their data. If this were the case, then companies would take security seriously, and there would be a whole thriving sector of legal security probing companies (which exists in a very tiny manner today). If companies were held to multimillion dollar fines every time private data was compromised, you could be damned well sure that security would rank somewhere above "oh, and empty the trash before you leave tonight", which is where it currently resides. And security checks would be done by true professionals, complete with after-incident reports and improvement suggestions.
-Erik
Re:A little knowledge is a dangerous thing... (Score:2, Interesting)
This measure of loss is overinclusive, however, because much of the cost of restoring system integrity is money that one should reasonably expect users to spend anyway. Whenever security flaws are discovered, users spend time and
Honest, officer, I was just checking the doors (Score:4, Insightful)
Sorry, it don't work that way, and just because computers are computers doesn't make it any different. If you want to come in to my computer and inspect, I expect you to ask, just like I would for my house.
When Microsoft is caught sniffing around anyone's computer without permission, even if they don't damage or alter anything, everyone here wants Bill Gates' head on a pike for public display and criminal charges against Microsoft. But if its a white-hat hacker, that's okay, and we should have the law allow them in. Funny how that works.
Re:Honest, officer, I was just checking the doors (Score:2)
Re:Honest, officer, I was just checking the doors (Score:2)
Parallels in Biological Systems (Score:4, Informative)
In a way, as different portions of the computer systems and software are attacked, the flaws that allow for such attacks are, in general, corrected. Problems identified in one attack can be applied to other areas, and as such, can affect system-wide changes toward a better system (think buffer overruns), as well as more security-minded design (think security developments in IE7 and Vista).
I'm not advocating that the world governments should let virus writers and crackers have free reign of the Internet. A balanced response would allow for leniency for those who have no malice in their intentions. Of course, this is difficult to prove, and from personal experience, I have yet to meet a virus writer with purely altruistic intentions. Also there are corporate interests to deal with as well. How embarrassing must it have been for Symantic to have their flagship product meant to help secure a computer be the source of insecurity? While Symantic handled the situation extremely well, many other companies do not have a large security minded staff on hand to deal with security problems. For them it is easier to accuse the attacker than acknowledge a problem they cannot deal with.
Re:Parallels in Biological Systems (Score:2)
Similarly, it is the
As Good As It Gets (Score:2, Interesting)
The world is always in a sort of "Ok on the count of three, we all drop our guns" state.
Get the terminology right...! (Score:2, Informative)
Even old-fashioned e-mail worms, which rely primarily on user ignorance, can spread to hundreds of thousands of computers.
Now, I always thought a worm is "self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers."
Geez people - if you can't cromulize your terminology, I have little faith in your article..
Certified Ethical Hacker (Score:4, Interesting)
Introduce a properly run certification scheme for "Certified ethical hacker". Base it on a course taking in relevant law, security techniques etc., and make damn sure it is vendor-agnostic. Only make the course available to persons who have no criminal convictions, are on the voter's list, member of a professional body, and pass FBI checks or your national alternative. It will be free to qualified applicants.
Now issue those people with a set of official paper forms, with proper security marking and tied to the individual. When they encounter a security issue, they issue a paper based advisory (because it is still traceable, and because you do not then leave a trail on the net that might enable the black hats to find and target you.) copy to some official body who every year will report the statistics, and list the companies that failed to respond to security advisories.
So now you have it on your resume when you write in for the bank job: Certified Ethical Hacker, 42 confirmed alerts (or whatever).
Before anybody tells me this is simply fantasy, consider that there are already volunteer public security forces. In the UK we have Special Constables and the Territorial Army, and there are equivalents in many other countries. We have a Health and Safety Executive who can walk into any company at any time it is operating and demand immediately to observe what is going on. So why not a properly trained volunteer Internet security force?
Open doors vs Closed doors. (Score:2, Interesting)
Its that good?
I think yes. but need:
1) The white hat attitude. Complete morons are discarded.
2) Its a hole, and not a feature. Maybe the users want the system this way, and know enough about the tradeoff.
3) The hole being fixed. If is imposible to fix holes, maybe because lack or resources, this help nothing. Of course, the problem here is the lack of resources.
On real world, some people want to live
Too late (Score:3, Interesting)
Amazing... Student written huh? (Score:3, Insightful)
The problem is akin to the broken window problem in economics. Sure, exploiting security holes leads to more fixes, but you have to take into account the costs. Further, this does not mean Information Security itself is improving, it simply means virus, trojan, and worm writers have to become more creative.
In short -- if this is what Harvard is producing these days, maybe it's time we re-asses the "Ivy League."
It's easy to immunize the internet... (Score:2, Funny)
Uninvited entry should be punished. (Score:2, Interesting)
It's a good point...sufficient? (Score:2)
I can see that it might well be more rational to judge people by the damage they do or can be shown to have been attempting to do, but that requires judgement. And it's always safer to say "It's HIS fault!", then to acknowledge that you may have made a mistake.
So I don't see things getting better or saner. Pe
Filtering trojans and zombie traffic at switch? (Score:2)
1.detect malware, viruses, crackers, zombie traffic, etc.
2.define an identifying pattern and critical data segments to be destroyed
3.diffuse this info to major routers and other servers on the net around the world
4.ISPs and smart individuals can also subscribe to the data feed
5.Routers and firewalls use this feed to filter out (or rewrite
Re: (Score:3, Insightful)
Re:Yeah... (Score:2)
Re:Yeah... (Score:2)
And when that trespasser is having to break in because you are ignoring them or the phone line's down and you can't be reached, or the house is on fire and the smoke has knocked you unconcious, should you still shoot first and ask questions later ?
Even to take your statement as it stands, you will have learned something from their "attack" - if you notice it and even get to *shoot* in the
Re:Student from where ? (Score:4, Informative)
What's with people being lazy? Or is it just an attempt at some karma whorage?
Re:Viscious Circle (Score:2)
Re:Viscious Circle (Score:2)
I think the article is about worms in the wild evolving our security to better withstand against intentional attacks from hostile nations/aliens/whatever, not from the worms themselves. I didn't really RTFA though.
Re:Viscious Circle (Score:2)