Showing posts with label firewalls. Show all posts

09 April 2008

Security? - Don't Bank on It

A useful article here dissecting what's wrong with the latest version of the UK Banking code, "the voluntary consumer-protection standard for UK banks", which was released last week:

Until the banks are made liable for fraud, they have no incentive to make a proper assessment as to the effectiveness of these protection measures. The new banking code allows the banks to further dump the cost of their omission onto customers.

When the person responsible for securing a system is not liable for breaches, the system is likely to fail. This situation of misaligned incentives is common, and here we see a further example. There might be a short-term benefit to banks of shifting liability, as they can resist introducing further security mechanisms for a while. However, in the longer term, it could be that moves like this will degrade trust in the banking system, causing everyone to suffer.

The House of Lords Science and Technology committee recognized this problem of the banking industry and recommended a statutory change (8.17) whereby banks would be held liable for electronic fraud. The new Banking Code, by allowing banks to dump yet more costs on the customers, is a step in the wrong direction.

I also wonder what the banks' attitude to people using GNU/Linux systems might be, given the following requirement:

Online banking is safe and convenient as long as you take a number of simple precautions. Please make sure you follow the advice given below.

• Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall.

Since GNU/Linux users tend not to run anti-virus programs, and don't use traditional firewalls: does that mean they're always liable?

21 June 2007

After Flickr, It Gets Quickr

Not, alas, open source as far as I can tell:

IBM Lotus Quickr is team collaboration software that helps you share content, collaborate and work faster online with your teams -- inside or outside firewall.

Interesting not just for its adoption of Web 2.0 technologies, but its anointing of the Flickr naming meme. (Via Bob Sutor's Open Blog.)

11 April 2007

Security in Numbers (105, to be Precise)

One of the oldest canards is that open source can't be secure, because crackers are able to see the source code and exploit it. Good to see a journal dedicated to security doesn't buy it:

Open source applications make their source code publicly available for any user to download, compile and execute. This makes it possible for developers to modify different aspects of the program to their needs. However, it also makes it extremely easy for malicious coders to find and use exploits in the software against unsuspecting users.

To prevent this from happening, open source software employs some of the highest forms of security around, and when it comes to open source security applications, that bar is set even higher. After all, what good would a network firewall or intrusion detection system be if a user were able to penetrate the system because of an exploit in the source code?

It follows this up with a handy list of 105 open source security apps (although I'm not quite sure if all are pure free software, or whether some just run on things like GNU/Linux). Anyway, a useful starting point.

26 January 2007

There is no War on...Botnets

After the War on Drugs, and the War on Terror, now, it seems, we are to have a War on Botnets:

Mr Toure said that whatever the solution, the fight against botnets was a "war" that could only be won if all parties - regulators, governments, telecoms firms, computer users and hardware and software makers - worked together.

But it is a truth universally acknowledged, that as soon as you declare "war" on some amorphous entity like "drugs" or "terror" or "botnets", you've already lost, because you shift from the practical to the rhetorical.

This is all about security theatre: talking tough instead of acting intelligently. Sorting out botnets does not require a "war": it's simply a matter of telling Windows users the truth about their bug-infested system, getting them to use a firewall and anti-virus software and - maybe, one day - getting them to understand that downloading or opening unknown software is hugely risky.

07 December 2006

The Politicians' Big Disconnect

According to heise online:

the [German] Federal Ministry of the Interior declares the ability to search PCs without physical access to them to be a key component in the fight against terror.

Well, it can declare away until its booties fall off, but as the article points out:

On how a screening of PCs protected by a firewall or tucked away behind a router with Network Address Translation is to be carried out, the proposals of the politicians concerned with internal security remain conspicuously silent, however.

Quite. Throw in a modicum of serious data encryption, and you have a PC that is seriously hard to hack - however much the politicians might declare this approach to be a "key component in the fight against terror."
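To make the point about firewalls and NAT concrete, here is an added example (not code from this blog or from the heise article) that models a home router with a stateful, default-deny inbound policy. The addresses (198.51.100.1 as the router's public address, 192.168.1.x for the LAN, 203.0.113.x for outside hosts) are RFC 5737 documentation ranges chosen for the example, the port allocation starting at 40000 is an assumption, and the packets are constructed inline. It shows why an unsolicited connection from the outside never reaches a PC behind such a router, while the replies to connections the PC itself opened do.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A constructed TCP packet summary: endpoints plus whether it starts a new connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool  # True for a new-connection attempt, False for traffic in an existing flow


class StatefulNatGateway:
    """Model of a home router: NAT for outbound flows, default-deny for unsolicited inbound."""

    def __init__(self, wan_ip: str, lan_prefix: str = "192.168.1."):
        self.wan_ip = wan_ip
        self.lan_prefix = lan_prefix
        self.next_port = 40000  # assumption: first public port the router hands out
        # Translation table keyed by the public port the router allocated; the value
        # records the internal endpoint and the remote endpoint it is talking to.
        self.table: dict[int, tuple[str, int, str, int]] = {}

    def outbound(self, pkt: Packet) -> tuple[str, Packet]:
        """LAN host sends towards the internet: create (or reuse) a translation and allow."""
        if not pkt.src_ip.startswith(self.lan_prefix):
            return "DROP", pkt  # anti-spoofing: only LAN sources may leave via the WAN side
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for wan_port, entry in self.table.items():
            if entry == flow:
                break  # existing flow: reuse its public port
        else:
            wan_port = self.next_port
            self.next_port += 1
            self.table[wan_port] = flow
        return "ACCEPT", Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.syn)

    def inbound(self, pkt: Packet) -> tuple[str, Packet | None]:
        """Internet host sends towards the router: forward only if a LAN host asked for it."""
        entry = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.wan_ip or entry is None:
            return "DROP", None  # no matching flow: default-deny
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return "DROP", None  # right port, wrong peer: endpoint-dependent filtering
        return "ACCEPT", Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.syn)


def run_scenario() -> dict:
    """Walk four constructed packets through the gateway and return the verdicts."""
    gw = StatefulNatGateway(wan_ip="198.51.100.1")

    # 1. Unsolicited probe from outside to the router's public address, port 22: dropped.
    probe = Packet("203.0.113.9", 55555, "198.51.100.1", 22, syn=True)
    probe_verdict, _ = gw.inbound(probe)

    # 2. A LAN PC opens an HTTPS connection outwards: translated and allowed.
    out = Packet("192.168.1.10", 51000, "203.0.113.5", 443, syn=True)
    out_verdict, translated = gw.outbound(out)

    # 3. The server's reply to the allocated public port: matched to the flow and forwarded.
    reply = Packet("203.0.113.5", 443, "198.51.100.1", translated.src_port, syn=False)
    reply_verdict, delivered = gw.inbound(reply)

    # 4. A different outside host sending to that same public port: dropped.
    stranger = Packet("203.0.113.9", 443, "198.51.100.1", translated.src_port, syn=False)
    stranger_verdict, _ = gw.inbound(stranger)

    return {
        "probe": probe_verdict,
        "outbound": out_verdict,
        "public_port": translated.src_port,
        "reply": reply_verdict,
        "delivered_to": (delivered.dst_ip, delivered.dst_port) if delivered else None,
        "stranger": stranger_verdict,
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

The model deliberately leaves out port forwarding and UPnP; with either enabled, a specific inbound port is reachable again, which is exactly the configuration change a defender would look for when auditing such a router.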

All of which provides a further demonstration, if one were needed, of how this idiotic "fight against terror" is merely a pretext for governments around the world (step forward, Mr Blair) to impose pointless and unworkable schemes that serve no other purpose than to trample on the freedom of all of us, while the ne'er-do-wells laugh up their terrorist sleeves.