Site defaced - what next?

Derek Martin invalid at pizzashack.org
Sun Aug 8 14:54:00 EDT 2004


On Sun, Aug 08, 2004 at 01:06:05PM -0400, Jeff Kinz wrote:
> Never attribute to malice that which can be adequately explained by
> stupidity. --"Hanlon's Razor"; variations variously attributed to
> Goethe, Napoleon Bonaparte, William James, Robert Heinlein, and the
> possibly apocryphal Robert J. Hanlon.

It's incomplete though.  What if there's ample evidence of malice?

> > In the case of both the attack on the WTC and the Federal Building,
> > we know that federal law enforcement agents had prior knowledge, but
> > did nothing to stop the attacks.  

> 	Assumes a willful act instead of a typical bureaucratic SNAFU
> like the one that destroyed Challenger.  I think the latter is more likely.

I don't; it doesn't explain why the ATF paged its employees and told
them to stay home.  They had to know the jig was up...  Rather than
responding to it appropriately, they simply evacuated the office.
However, additional reports indicated that they responded within 5
minutes of the actual bombing in full riot gear.  Law enforcement
experts stated that it normally takes 30 minutes to respond, most of
which is just preparing gear...  I don't think ineptitude adequately
explains this.

> And for any enforcement effort to work, a technological solution is also
> required.  It needs to work automatically, in real time and has to be
> part of each ISP's infrastructure.  

Sorry, but I am really offended by the idea of law enforcement having
the capability to spy on virtually everyone on the planet in real
time...  I'm going to have to strenuously object to anything remotely
similar to this kind of approach to solving the problem.  Forcing
businesses to become an extension of law enforcement is the WRONG
solution.

> Or were you thinking that we can harden each individual system?

Yes.  They should come that way by default.  The average user has no
need to be running services which bind to external interfaces on their
desktop machine; but Windows (and lots of Unix-alikes too) have them
that way.  Internet exploder and its ugly step-cousins CAN be
redesigned to be much more secure by default.

> > Sad, but true.  So, let's keep law enforcement out of cyberspace as
> > much as possible then, shall we?
> 
> Agreed, but - how much is "as much as possible" when most cyber users
> are nearly clueless? And willfully intend to remain so?

Again, the solution is to push the responsibility back where it
belongs: on the vendor.  "As much as possible" can be mostly.  It is
possible for people to write good software.  DJB proved it with qmail
and DJBDNS.  We are clever -- we can write tools (and have already) to
help us do so.  But as others have argued in the past, there's no
economic incentive for the vendors to bother, so they don't.

> > Microsoft is a most visible and most hated example of this, and hence
> > they are a big target.  But they are not alone.  Until we as consumers
> > hold responsible software companies who sell poor quality software,
> > and force them to write better software, the situation will not
> > change.
> Hmm - can/will the consumers actually do anything about this?  How do we 
> catalyze this effort?  DRM awareness day at Best Buy in Nashua?

Grass roots, I guess...  We need laws that allow the commercial
software vendors to be held responsible.  Nothing else will work.
Period.  The potential threat of losing their shirts on liability
lawsuits will force the vendors to do a better job.

Ok, even with my liberal interpretation of what is and isn't on-topic
here, I think this thread has only a tenuous connection to it, so I'm
gonna stop here.  Plus there's another accursed mosquito in my room,
so I'm going to have to spend some time hunting it down before I can
go to bed safely...  Sigh.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail.  Sorry for the inconvenience.  Thank the spammers.




More information about the gnhlug-discuss mailing list