Friday, August 10, 2007

Legislation cannot stop people being born idiots

I was rather disappointed to see a bit of opportunism this morning in the Times. The article is about a report by the House of Lords on how tremendously dangerous the Internet is for fraud etc. and how "something must be done!" by the Government. James Brokenshire, a Conservative home affairs spokesman, is quoted as saying
"This report underlines the Government's complete failure to appreciate or address the extent of crime committed online. There is little coordination, leadership or urgency sending out a message that this country is a soft touch on e-crime."
This is, I think, nonsense: a lot is being done to tackle crime online; the problem is that people are stupid, and the Government, whichever party controls it, can do little to rectify that. Some of the recommendations in the report are also quite quaint.

For example, it criticises the Government for taking the stance that security is a matter for the individual. There is nothing wrong with that stance though; it's true. Does the Government legislate to ensure that we keep our personal belongings on our person? No. Do we have laws requiring us all to have keys or wallets on a chain connected to us? Of course we don't. Who is responsible for the security of our homes? The locks in our doors? Whether we leave the window open or closed? It's not the Government; it is individual property owners. Individuals acting online are no different and are equally responsible for their security.

When you get that email from the "bank" telling you to click a link and log in to confirm your details, if you do it then you're an idiot and deserve to be fleeced. If someone knocked at your door and said "I'm from the bank, can you give me your cash card and confirm your PIN number please?" what would you say? Exactly. You'd slam the door in their face, whilst probably telling them to go away in the Anglo-Saxon vernacular.

The Lords report also says it wants to "establish a kitemark for secure internet services". This already exists. It's called a Secure Sockets Layer (SSL) certificate and the use of a functioning brain that can read a URL. That little padlock you see when you buy something online means your browser has created a 128-bit encrypted tunnel to the remote server. It's not beyond the realm of possibility that someone could penetrate the tunnel, but the length of time it would require to do so, compared to the length of time the tunnel is up, makes it unlikely.

Double-click the padlock next time it appears as well. You'll get to read the certificate details. You will see the name of the signing authority, details about the company that purchased the certificate, and how long the certificate is valid for. If you ever get a certificate warning when you're browsing a site, then you're taking a risk: you cannot tell whether the certificate is valid. The tunnel will still be encrypted, but you have no knowledge about the validity of the server you're connecting to.

Of course, even if there were some new kitemark, it won't mean very much if your machine has already been compromised. This is true for an SSL connection too: if your machine is compromised then the tunnel becomes meaningless anyway. The same is true if the remote server is compromised, and it's worth remembering that a good hacker is likely to own a system for a while before it becomes clear to the sysadmin that it has been compromised. Being rooted is an occupational and general hazard online, just like being burgled is in the real world.
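The three situations described above (a padlock that appears only when a trusted authority signed the certificate and the name in the URL matches it, a certificate warning, and the encrypted-but-unverified tunnel you get by clicking through that warning) can be reproduced without a browser. The following is an added Go example, not code from the original post: it constructs a throwaway self-signed certificate for an assumed host name, bank.example, serves it on loopback, and connects to it four ways with Go's standard TLS client. The organisation name, the scenario labels and the "another.example" host used for the mismatch case are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Host is the name the constructed certificate is issued for (an assumption of this example).
const Host = "bank.example"

// makeSelfSignedCert builds a throwaway self-signed certificate for Host in memory.
// It is constructed for this example; no browser or operating system trusts it.
func makeSelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"Example Bank plc"}, CommonName: Host},
		DNSNames:     []string{Host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Outcome is what one client configuration got: the handshake error (nil if a
// tunnel was established) and the certificate the far end presented.
type Outcome struct {
	Err  error
	Peer *x509.Certificate
}

// connect dials addr with cfg. Whenever Err is nil the tunnel is encrypted; only cfg
// decides whether the far end was checked against a trusted issuer and the URL's host.
func connect(addr string, cfg *tls.Config) Outcome {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return Outcome{Err: err}
	}
	defer conn.Close()
	return Outcome{Peer: conn.ConnectionState().PeerCertificates[0]}
}

// Describe is the "double-click the padlock" view: signing authority, owner, validity period.
func Describe(c *x509.Certificate) string {
	return fmt.Sprintf("issued by %q to %q %v, valid %s to %s", c.Issuer.CommonName,
		c.Subject.CommonName, c.Subject.Organization,
		c.NotBefore.Format("2006-01-02"), c.NotAfter.Format("2006-01-02"))
}

// Demo serves the constructed certificate on loopback and connects to it four ways,
// mirroring the checks a browser makes before deciding whether to show the padlock.
func Demo() (map[string]Outcome, error) {
	cert, err := makeSelfSignedCert()
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // server side: complete (or reject) each handshake, then hang up
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { defer c.Close(); _ = c.(*tls.Conn).Handshake() }()
		}
	}()
	trusted := x509.NewCertPool() // stands in for the browser's root store
	trusted.AddCert(cert.Leaf)
	addr := ln.Addr().String()
	return map[string]Outcome{
		// issuer trusted and the host in the URL matches the certificate: padlock shown
		"trusted issuer, right host": connect(addr, &tls.Config{RootCAs: trusted, ServerName: Host}),
		// same certificate, but the URL names a different host: no padlock
		"trusted issuer, wrong host": connect(addr, &tls.Config{RootCAs: trusted, ServerName: "another.example"}),
		// nobody in the system root store vouches for the issuer: the warning page
		"unknown issuer": connect(addr, &tls.Config{ServerName: Host}),
		// clicking through the warning: still encrypted, but identity unverified
		"warning ignored": connect(addr, &tls.Config{ServerName: Host, InsecureSkipVerify: true}),
	}, nil
}
```

Run Demo and print Describe(o.Peer) for each successful Outcome to see the padlock details (issuer, owner and validity) the post describes. The "warning ignored" case succeeds and returns a certificate, which is exactly the point: the bytes on the wire are encrypted, but nothing has vouched for who is at the other end, so InsecureSkipVerify belongs in a demonstration like this one and nowhere near production code.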

The Lords report also mentions the compromising of credit card details. Technically speaking, if a business plans to have a payment gateway and store credit card details, then VISA and Mastercard will want massive audits done and extremely aggressive security protocols on the data. Numbers will be encrypted for a start, and if you fail an audit the authorising houses for credit card transactions will simply remove a company's right to accept those payments any more. A large number of banks are already implementing extra security protocols as well. Natwest Bank has introduced a secondary layer of password security for card purchases with partnered sites like Amazon.

Yes, the Internet is the Wild West, but the security of your information online is a matter for individuals and/or businesses. Legislating in the UK won't make a blind bit of difference when you purchase from elsewhere. Banks, too, cannot be held responsible for fraud committed against their customers when it is the customer's own stupidity that has caused the fraud to occur. Stupid people will always get conned and ripped off, and the Government can't legislate to stop people being born idiots.

11 comments:

Paul Evans said...

Gosh, is your new header image an original Hoby?

dizzy said...

yes

Croydonian said...

And the shameful thing is that young Brokenshire attended my alma mater, and therefore has no excuse.

Flavious said...

Not only can you not legislate to protect the genetically inept, our dear leaders seem to be fully intent on breeding that specific characteristic into as many of the plebes as is possible, which leaves them with a somewhat problematic dilemma.

Then again of course no doubt the next well thought out announcement will be that t'interweb is waaaay too dangerous for the little preciouses and it must be banned.

Wrinkled Weasel said...

Yes, I read this and thought it was a bit silly.

Sadly, the young, the weak and the stupid do suffer from cyber crime, just as they do other stuff.

There is a kind of lazy thinking that brands the internet as being thoroughly wicked, without anything other than vague feelings of discomfort about it.

My son recently fell victim to the "speakers out of the back of the white van" scam. Does this mean we should ban white vans?

(Actually, what a good idea!)

Surreptitious Evil said...

Dizzy,

"wants to "establish a kitemark for secure internet services". This already exists. It's called a Secure-Socket Layer certificate and the use of a functioning brain that can read a URL."

Does nothing to protect against the database open to internet connection on some other port, with a null dba password, never mind any complicated application vulnerabilities.

"Of course, even if there was some new kitemark it won't serve to mean very much if your machine has already been compromised."

Or if the fraudsters, darling little imps that they are, fake the kitemark.

"Numbers will be encrypted for a start"

Strictly, not required under PCI-DSS Version 1.1 - see Appendix B. And, anyway, irrelevant for most online compromise, as the web server needs to be able to decrypt on the fly, therefore will have the key cached somewhere.

"Natwest Bank has introduced a secondary layer of password security for card purchases with partnered sites like Amazon."

Not partner sites but any site that uses 3D-Secure (the general crapness of which caused the recent Protx outages) aka "Verified by Visa" and "Mastercard SecureCode".

"Government can't legislate to stop people being born idiots."

Sorry to disagree again, picking holes in what was actually a good post, but the statist cunts can very well, and probably will, legislate. It will be completely ineffective but that has never stopped them before.

dizzy said...

But you're not picking holes. I was not saying that SSL certs did do anything, I was pointing out that in effect it was about the equivalent of a kitemark. I mean, you could spend the money and get a fake SSL cert if you wanted to too.

Also the link doesn't disagree with the premise at all. That legislation doesn't stop people being born idiots.

The hole picking was fine to be honest. It was always a general post.

chatterbox said...

If I use a company on line they have a responsibility to make sure that security is tight, but equally I have the same responsibility to check that the site I am using has a high standard of security before disclosing my personal details.

Security and safe use of the internet by my rugrats is MY responsibility when it comes to the computer at home.

bgprior said...

"The ultimate result of shielding men from the effects of folly is to fill the world with fools."
Herbert Spencer

Scott Freeman said...

I'm not sure how accurate it was, but in Boston T Party's novel Molon Labe he describes a simple but elegant encryption system. I forget the exact details but I think it involved all the users of the encrypted mailing system communicating keys to each other using apparently random, predetermined offshore mail accounts. The keys were large strings of ASCII (numbers, letters, punctuation etc.) that were used to open encrypted email attachments with some ridiculous number of bits for the encryption. Supposedly it would take a supercomputer weeks to crack. Something like that anyway, I can't find my copy. Quite possibly just fictitious babble but Mr. Party is usually very accurate about this sort of thing.

flashgordonnz said...

If cybercrime was prevalent, we'd all know at least one person who has fallen victim to it.
I don't know of anyone. We have nothing to fear but fear itself...