Site defaced - what next?

bmcculley at rcn.com bmcculley at rcn.com
Sun Aug 8 20:36:01 EDT 2004


>To the GNHLUG mail list - Sorry for the long post.  This 
>discussion is getting very involved.

My apologies also, but I'm going to try to put it on a track
that suits the group purpose, but first my obligatory
off-topic political comment (those looking for something
on-topic for the group search for "SET ON_TOPIC")...

>> Our goal as a society should NOT be to allocate more 
>> resources to law enforcement, but LESS.  That is, we 
>> should be striving to create a society where less law 
>> enforcement is required, because people police themselves.  
>
>Absolutely agree with this!

I may absolutely agree, or strenuously disagree, depending on
a point of clarification.  Question is, by "police themselves"
do you mean self-discipline, or vigilante justice?

Problem with self-discipline is that it doesn't matter, or do
you much good, once an aggressor attacks.  Vigilante justice
has its own problems too.  So what is the best solution?

Likewise, conspiracy theory validity aside, when it is
demonstrably true that there are bad guys willing to fly
airliners full of people into tall buildings to make a
political point, what is the best way to deal with the problem?


>Are we going to get rid of the Police and the FBI and the 
>rest of the security alphabet?  Should we ?

and if we do, what replaces them, mob rule?

>And there is also a growth trend in cyber crime which 
>must be addressed.
>Now, the rugged individualists which this email list is 
>comprised of can and do, in general, take care of 
>themselves in the cyber security department and so we find 
>less need for help in this area than the general public.

Interesting comment, given the genesis of this thread.  My
impression is that Greg scores well in security self-reliance,
and his forensic reports seem to validate that.  Yet he got
nailed, big time, by a global cyber warfare campaign.  If it
comes down to seeking law enforcement response by the Saudis,
or the Italians, I'll put my money on the FBI before I'll bet
on gnhlug - maybe there's a role for those agencies eh?

>But the general public will never be able or desirous of 
>taking care of their own security and they will need law 
>enforcement (As well as better efforts on the part of the 
>software vendors) to help them in this area. 

Let's clarify, there are two components in the general public,
the consumers and the businesses.  Businesses need to learn
that they must take care of security, although they will want
to outsource it to law enforcement.  (There's the area for
libertarians to engage, btw, businesses care only about money
and not at all about rights, so this is the danger zone with
law enforcement encroachment!)

>> How do we do that?  That's the question we should be asking...

SET ON_TOPIC

Exactly.  How do we collectively, as a society, create a cyber
network environment that is not prone to hostile attacks, and
responds appropriately when attacks do occur?



>
>> > The technological solution is our *only _real_ option*.
>> > The legal/law enforcement option is only an *after 
>> > the fact* measure that may actually make the problem 
>> > worse, as now those who love a challenge of not being
>> > caught will be lured into cracking.
>I think most who love that challenge are already doing it.  
>"Some" enforcement effort would at least get rid of the 80-98% 
>of the population who are doing it casually and have no real 
>skills. (The script kiddies).
>And for any enforcement effort to work, a technological 
>solution is also required.  It needs to work automatically, 
>in real time and has to be part of each ISP's   
>infrastructure.  Or were you thinking that we can harden 
>each individual system?

Good points.  Some monitoring and enforcement is required,
question is where and by whom?  I agree that the ISP
infrastructure is the appropriate place, question is whether
ISPs will rise to the task or defer to the gummit?  Remember
ISPs are businesses, need to make a profit to justify their
continued existence, and security and enforcement are costs. 
Won't it make more sense for them to cost-shift those costs to
society in general, in the form of governmental law
enforcement agencies?

Economics aside, how would such technology work?  I've got my
own ideas, want to hear from others!

 



>
>Didn't I read about some new instructions/architecture changes
>being made by both Intel and AMD to keep buffer overflow attacks
>from working in their CPU chips?
>

Um, such technology has been around for years.  It just isn't
used.

Also, now there is a major initiative to develop a "trusted
computing base" which merits its own firestorm because of the
privacy violations.

Incidentally, the real underlying problem is that people
insist on privacy and anonymity for themselves but want
everyone else to be held accountable for misbehavior.  There
is an inherent conflict between those two features!

It's like the present uproar about electronic voting, we want
private anonymous balloting but also want to be able to prove
that our ballots were counted correctly - I think Heisenberg
would give up on these problems!



>Lynch a virus author?  (You hold 'em, I'll get the Bolt 
>cutters...  :) )

Anti-virus vigilantes?  Tar and feather a spammer?  

but what happens when it turns out the poor tarred and
feathered spammer was simply a zombie victim of Microsoft
software?

Maybe we've found another way to popularize open source?

-Bruce McCulley


