Site defaced - what next?

Fred puissante at lrc.puissante.com
Mon Aug 9 15:14:00 EDT 2004


On Sun, 2004-08-08 at 20:34, bmcculley at rcn.com wrote:
...
> Likewise, conspiracy theory validity aside, when it is
> demonstrably true that there are bad guys willing to fly
> airliners full of people into tall buildings to make a
> political point, what is the best way to deal with the problem?

How about a review of the foreign policy over the past 2 or 3 decades
that leads to 9/11-style retaliation? Can we not have a foreign policy
that does not piss off so many people in the world that they'd feel so
strongly motivated to fly themselves into our buildings?

I was not happy with the overly-simplistic Bush propaganda of "they hate
us" crap. When one reviews what the US has been doing to or with, say,
Afghanistan, Iraq, Iran, Saudi Arabia, etc., one quickly understands why
some are willing to give their lives in what is to us a horrific manner.

None of that got mentioned at all in the mass media outlets in the
months following 9/11, with the possible exception of some late-night
shows on at 2AM when few are watching.

> >Are we going to get rid of the Police and the FBI and the 
> >rest of the security alphabet?  Should we ?
> 
> and if we do, what replaces them, mob rule?

I hate to say it, but we already have "mob rule". The "mob" just happens
to be the police and the FBI. And when they do you in, who yer gonna
call?

Been there, experienced that. More times than I care to count. It gets
old after a while.

Oh, and the police have no compunction about lying in court, as I found
out the hard way. Even when there are many witnesses to counter them.

> >And there is also a growth trend in cyber crime which 
> >must be addressed.
> >Now, the rugged individualists which this email list is 
> >comprised of can and do, in general, take care of 
> >themselves in the cyber security department and so we find 
> >less need for help in this area than the general public.
> 
> Interesting comment, given the genesis of this thread.  My
> impression is that Greg scores well in security self-reliance,
> and his forensic reports seem to validate that.  Yet he got
> nailed, big time, by a global cyber warfare campaign.  If it
> comes down to seeking law enforcement response by the Saudis,
> or the Italians, I'll put my money on the FBI before I'll bet
> on gnhlug - maybe there's a role for those agencies eh?

Good luck pursuing that avenue. I really don't see it being worth the
effort. If you count your time by, say, what you'd charge as a
consultant, then the cost-benefits picture becomes very clear.

Let's say it takes 50 hours of your time to go through the motions to
nail down the attacker and bring him to justice. Ok, and let's say you
value your time at $100 per hour. So now you've accrued a "cost" of
$5000, which only nailed one attacker. Meanwhile, your system gets hit
by 5 more attacks. Want to lose $25,000 more going after them? If
you've got time and money to burn, be my guest!

And it still won't solve *the problem*.

Perhaps instead, you spend 10 hours or "$1000" securing your system,
thus the next 5 attacks completely fail.

If you have money to burn, you can afford to litigate and press for
charges -- hell, and even hire lawyers to fight your case -- and they
typically charge more than $100 per hour, mind you. 

If all 6 attacks were by local attackers, it may actually be worth
spending the time/money/effort going after them. If, on the other hand,
one is in France, one is in Taiwan, one is in Turkey, one is in
Russia... you get the picture.

> >But the general public will never be able or desirous of 
> >taking care of their own security and they will need law 
> >enforcement (As well as better efforts on the part of the 
> >software vendors) to help them in this area. 
> 
> Let's clarify, there are two components in the general public,
> the consumers and the businesses.  Businesses need to learn
> that they must take care of security, although they will want
> to outsource it to law enforcement.

Business must *front load* security issues into their plans, else risk
being bitten. And for them the costs are even greater, in downtime, lost
consumer confidence, lawsuits, and the like.

I make my clients type in long passphrases to access their credit card
databases. They hate it, but they recognize the importance of security.
I'd rather see them do that than to be sued because some cracker cracked
the credit card database and posted all the numbers to some Usenet
group. They did whine about it at first, but I think they rather quickly
realized what I was giving them in return.

>   (There's the area for
> libertarians to engage, btw, businesses care only about money
> and not at all about rights, so this is the danger zone with
> law enforcement encroachment!)
> 
> >> How do we do that?  That's the question we should be asking...
> 
> SET ON_TOPIC
> 
> Exactly.  How do we collectively, as a society, create a cyber
> network environment that is not prone to hostile attacks, and
> responds appropriately when attacks do occur?

It cannot be done "collectively", but individually. Each individual
person, enterprise, organization, etc. must seriously take security
concerns into their own hands. And the best thing would be to see a
diverse set of security strategies put in place, not monolithic ones.
We all see what happens when monolithic solutions are thrust upon the
masses, right Bill Gates and Steve Ballmer?

> >> > The technological solution is our *only _real_ option*.
> >> > The legal/law enforcement option is only an *after 
> >> > the fact* measure that may actually make the problem 
> >> > worse, as now those who love a challenge of not being
> >> > caught will be lured into cracking.
> >I think most who love that challenge are already doing it.  
> >"Some" enforcement effort would at least get rid of the 80-98% 
> >of the population who are doing it casually and have no real 
> >skills. (The script kiddies).
> >And for any enforcement effort to work, a technological 
> >solution is also required.  It needs to work automatically, 
> >in real time and has to be part of each ISP's   
> >infrastructure.  Or were you thinking that we can harden 
> >each individual system?
> 
> Good points.  Some monitoring and enforcement is required,
> question is where and by whom?  I agree that the ISP
> infrastructure is the appropriate place, question is whether
> ISPs will rise to the task or defer to the gummit?  Remember
> ISPs are businesses, need to make a profit to justify their
> continued existence, and security and enforcement are costs. 

Ah, but their *customers* can insist on the appropriate security
measures being in place, quickly turning that so-called "cost" into a
profit.

> Won't it make more sense for them to cost-shift those costs to
> society in general, in the form of governmental law
> enforcement agencies?

No, because these agencies are highly inefficient in delivering *real
benefits* for the much greater costs involved. They may give you the
warm fuzzies, but I need only point to their track record over the
years. 'nuff said. 

Remember that people who work in government only care about *the
process*, not *delivering results*. Hell, even Newt Gingrich said so
himself! For all his faults, that was the one thing he ever said that
made any kind of sense.

And when the government *does* get interested in "results", you get
snafus like Waco, Ruby Ridge, and the Move incident in Philly, etc. Oh,
they get results, alright. 

> Economics aside, how would such technology work?  I've got my
> own ideas, want to hear from others!

There is no one cookie-cutter solution, other than eternal vigilance.

> >
> >Didn't I read about some new instructions/architecture changes being
> >made by both Intel and AMD to keep buffer overflow attacks from working
> >in their CPU chips?
> >
> 
> Um, such technology has been around for years.  It just isn't
> used.

Properly written software is the solution to that. Alas, languages like
C almost encourage bad code. There is no bounds checking inherent to
the language itself. And in C++ bounds checking is by policy only. The
language does not really have it either, though it is easier to
structure code in C++ to do bounds checking for you.

> Also, now there is a major initiative to develop a "trusted
> computing base" which merits its own firestorm because of the
> privacy violations.
> 
> Incidentally, the real underlying problem is that people
> insist on privacy and anonymity for themselves but want
> everyone else to be held accountable for misbehavior.  There
> is an inherent conflict between those two features!

I'd like to see privacy for everyone. If everyone has privacy, I know
I'll have mine as well.

> It's like the present uproar about electronic voting, we want
> private anonymous balloting but also want to be able to prove
> that our ballots were counted correctly - I think Heisenberg
> would give up on these problems!

Electronic voting is Bad News for completely different reasons. No time
to get into it now. Basically, it's too easy for voting fraud to be
done.

-- 
Fred -- fred at lrc.puissante.com -- place "[hey]" in your subject.
There are inflows and outflows -- and you're just a little node.
Know then, what transcendental sets have you.



