vox_rox

I just read an article here http://www.washingtontimes.com/funct...1-114750-6381r that talks about how security on the Internet is such a problem that they should consider how to crack down onit, allowing only "those who take securtiy seriously" to have access. the whole article goes like this:

So, I guess my questions are:
1) what do they think they can do?
2) IF they could do something, would they in the face of looking like a totalitarian regime?
3) what does this mean for Microsoft, the world's least secure yet most used operating system?

I find it ironic that it is the RETIRING chief saying all this, as if he has any pull anymore anyway. But conspiracy theorists always say that for every uttered sentence, there is a word of truth. So, what is the truth here? Go ahead, tell me. I CAN handle the truth.

Peace,

Pierre

__________________
---
There is no such thing as strong coffee - only weak people.
---

Dragonlich

I'd say he's right. There should be some sort of effort to crack down on insecure computers, which are directly responsible for a lot of problems right now (DDOS attacks, spam, viruses, etc). They might be abused by someone, including terrorists, to further a political goal. I think it's rather irresponsible to go online with a system that's insecure, because you're not only risking your own system, but are potentially harming other people's computers too.

Now, if your OS is insecure and you can't do anything about it, that's one thing; but if there are patches to make it more secure, and you simply refuse to install them, you are being irresponsible. There are in fact many unpatched systems out there, systems that could have been secure, if only the end user cared. And no, I don't think ignorance is an excuse; if you don't know how to use a computer, you shouldn't be using it!

If we're talking about more critical systems (companies, utilities, etc), it's even worse: the owners have an obligation to protect their data and their computer systems. At the very least it's an obligation to their stockholders. I'd say governments can and should demand that such systems are properly protected, in the interest of national security. There are many laws and rules that govern what you can and can't do in the physical world (environmental demands, safety demands, etc), so why would computer security be something different? I think it's rather stupid if a company spends millions to physically protect their buildings, but won't spend a fraction of that money protecting their computer system! (Especially stupid, given the fact that a lot of secret corporate data is on those computers!)

My answers to your questions:

1) I think the government can talk to companies such as Microsoft, and ask them to improve the security. They can also go to ISPs, and ask them to take a more pro-active role in this area. After that, they can create laws that force companies to implement a bare minimal amount of computer security.

2) They wouldn't look like a totalitarian regime. It's time people started realizing that owning a computer also gives you some responsibilities. I'd say it'd be perfectly reasonable to cut internet access to computers that aren't well protected, on the basis that these computers can and will be abused. It's kind of like the government making rules about car travel, such as maximum speeds, minimum safety guidelines; if you don't follow the rules, they'll give you a ticket. Do you consider that a sign of a totalitarian regime too?

3) That's a rather biased statement, isn't it? MS' operating systems may not be perfect, but they're hardly the "least secure" OSes. But yes, they'll need to (further) improve their security, as they're doing right now. On the other hand, it's still the end user that has to update his system, and if this user fails to do that, you can hardly blame Microsoft. Which brings us right back to my initial statement: the end user is at least partly responsible.

Coppertop

It would seem to me that this would be a logistical impossibility for any one entity.

vox_rox

Well, when it comes to travelling by car where there is imminent risk of death or injury, of course rules are important and I would never call any govenment totalitarian nased only on the fact that they implement and enforce traffic laws. Further to my comment, I realize I may have overstated my case using words that may have been too sweeping. However, I do not think that forcing individuals in their homes to have certain software on the computers is either realistic, nor is that the role of government, and I would certainly NOT allow a government to tell me what I should and should not be runing on my computer, or in my stereo, or what books I read, or anything that falls under the realm of Home Electronics. Period.


I can see your point here, but there is one key weakness here that you have not though about, and that is my Mother. Or yours for that matter. She is unaware of what kind of technology is invloved in Internet communcaitions. In fact, she's fairly oblivious to almost every aspect of computer technology, but since the "every home with a PC" con has gained speed, she has one, whether she knows how to use it or not, or even needs it or not. So she basically has no clue what a "patch" is, what constitutes a secure system, or even the consequneces of sending a piece of e-mail. And I would be willing to bet that there are millions, maybe tens of millions of people just like her, who will NEVER know what is going on with their computer.

So, your suggestion would be that anyone without some level of computer certification would be prohibited from owning/operating a computer in their house until such time as they can demonstrate that they know how to use one safely. Is that correct?

Peace,

Pierre

__________________
---
There is no such thing as strong coffee - only weak people.
---

Dragonlich

I think that's all fine and dandy, but have you considered the consequences? Suppose I were to exercise my right not to install a firewall and virus scanner, and as a result, I get infected with a worm that sends massive amounts of data to other computers, infecting them in the process (after all, they exercised their rights too). I would be criminally negligent, and should be held accountable for the results of me exercising my "rights".

I do not suggest that the government should be allowed to force you to install a certain program (no way!); I'm suggesting that the government can expect you to provide at least *some* protection. I'd say they can ask you install *a* firewall and *a* anti-virus program. They could probably go to the ISP for this, who can be legally required to provide such programs free of charge.

Now, if you still choose not to install such programs, it's your choice. However, any resulting damage is *your* responsibility too. I'd say a solution would be to force ISPs to remove internet access from computers that are spreading viruses, worms, spam, etc. Just like some companies are shutting down websites with illegal content. After all, when your (in)action results in damage to others, you are responsible for the results, and your damaging (in)activity should be stopped.

As I said: the end user is at least partly responsible.

No, that's not what I'm suggesting. I'd certainly think a lot of helpdesk people would applaud such a thing, though.

No, I'm suggesting your mother should be assisted. She should be told by her computer what not to do (like Windows XP's new firewall/security center). She should also be given free programs by her ISP, to help her secure her computer. If she truly can't understand how to read help files from XP, or install provided programs, I think it's fair to say that she should indeed not be using a computer. Why should everyone else suffer the negative consequences of her ignorance? Why should ISPs pay millions of dollars to solve a virus/spam/worm problem because a lot of computer users don't understand how to use their computer responsibly?

I'm certainly not suggesting that someone should physically take away her computer. I am suggesting that she shouldn't have (full) internet access if she can't understand the consequences.

trache

He is the <i>former</i> director for the CIA.

He is nothing but a civilian with an (informed) opinion on the subject. He could advise the CIA on their future operations, but he can do nothing to put it into action directly.

__________________
"You looked at me as if I was eating runny eggs in slow motion." - Gord Downie of The Tragically Hip

xerraire1

... i have read the statement, and I have but one comment.

MS.. is.. Screwed

vox_rox

Well, I still don't see how this has anything whatsoever to do with american national security. It wouls seem to me that as long as all government ans military computer installations, as well as publicly funded systems were all protected, then whatever else happens is moot. who cares if someones mother doesn't have a virus checker and ends up unwittingly sending malicious code here and there.

Besides, I think we're only speaking hypothetically anyway. There is no way that anyone, even the American government, could possibly put in place any type of logistics to accomplish what you are saying. Plus, Microsoft as the maker of the operating system, would also end up being liable in certain cases and there is no way that any pro-business gov't like the republicans would enter that realm.

Nope, the truth is, my mother, and milloins like her, will remain clueless, and the CIA, especially the FORMER CIA management, will not ever inact any form of public compliance of virus or firewall standards.

Now, working from the ISP perspective, there may be room to implement things at that point, but that is the furtherst down the chain such concepts will ever go.

Peace,

Pierre

__________________
---
There is no such thing as strong coffee - only weak people.
---

Dragonlich

I care. Because that malicious code spreads to other computers, and these can be used in DDOS attacks, as has happened in the past. That option costs a lot of time and money, and can be stopped by proper security measures.

If you want a more dangerous scenario: Suppose your mother's computer gets infected with a virus written by a terror group. By this route, you get infected by this new and unknown virus. You happen to be a government official with access to sensitive information, and you happen to use a VPN connection to that computer. Using keyloggers, the terror group now has access to your computer's password, and access to that VPN connection.

Is this scenario likely? Nope. But if terror groups are as dangerous and hightech as some CIA guys claim (I don't think they are, by the way), then this will happen eventually. The goal is to go for the weakest link, and if that link happens to be your mother, so be it.

I also think makers of operating systems will be "asked" to follow certain guidelines and safety protocols when designing their new software. The government could easily demand that any government-owned computer has to meet those regulations. Software companies are then pretty much forced to implement them, or lose a large customer.

Stompy

I think you should have a license in order to own a computer. Not necessarily operate, but own... this way SOMEONE in the household knows how to keep it updated and secure.

A test should be given to challenge the potential owner's knowledge in security, how to update the system, and other basic computer literacy questions.

If they don't pass, they don't get a license and can't own a computer: simple!

I'm serious, too.

__________________
I love lamp.

DukeNukem4ever

I agree with Dragonlich!
Everything in life has a consequence weather it be good or bad... and computing/internet surfing should be no different.

What Vox_Rox says is true to a point... the government/military systems are protected and monitered, but they utilize the very same web you and I use.
As such they can be and are under constant attack. This results in millions of tax payer dollars being spent on what Dragonlich has been trying to point out.
Common Sense Computing.... you don't get behind the wheel of a car without knowing a little something about it first... the same should apply to computers.

__________________
The Happy Pirate - AARRGGHH!!

vox_rox

Again, I have to say that this is not my mother's responsibility. I already stated that the most important thing is for government and military installations to be secure, anfd if they are no "terrorist" (gawd that word is overused!) is going to gain access to any info, VPN or not. And you, too, should protect your own computer. It's all a matter of taking control of your data, especially on the Internet.

Besides, even with some kind of standards or licensing, what makes you think that a computer from another country is not going to be able to send some malicious code around.

Now, both Stompy and DukeNukem4ever make good points about the cost of this kind of thing, and the chance of granting "lisences" and that sort of thing, but if you're worried about cost of governmentand and escalating bureaucracy, then issuing permits to operate a computer will be a nightmare of proportions never before seen. And I can tell you right now that OS developers, software developers, computer manufactures and computer retailers will fight that with ever lawyer who'll listen, especially when no one could possibly say with any certainty that it would do any good.

I still say that sensitive installations are the only ones who truly need this kind of protection, and I would hope that they already have it.

Peace,

Pierre

__________________
---
There is no such thing as strong coffee - only weak people.
---

Coppertop

It comes down to this: what's more fun? Personal responsibility or the government regulating your life away?