TechNet - For professionals only. Especially for you. > Forums > End to End Trust > How should we enhance security on the Internet without undermining social values, such as privacy and anonymity?

General discussion: How should we enhance security on the Internet without undermining social values, such as privacy and anonymity?

All replies

  • April 8, 2008, 22:01 Joly MacFie
     
    Some thoughts to bear in mind:

    The fact, in short, is that freedom, to be meaningful in an organized society must consist of an amalgam of hierarchy of freedoms and restraints.  ~Samuel Hendel

    He that would make his own liberty secure, must guard even his enemy from opposition; for if he violates this duty he establishes a precedent that will reach himself.  ~Thomas Paine

    They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.  ~Benjamin Franklin, Historical Review of Pennsylvania, 1759

    Most men, after a little freedom, have preferred authority with the consoling assurances and the economy of effort which it brings.  ~Walter Lippmann, A Preface to Morals, 1929

    Freedom is the will to be responsible to ourselves.  ~Nietzsche, Twilight of the Idols, 1888

    Most people want security in this world, not liberty.  ~H.L. Mencken, Minority Report, 1956

    Liberty means responsibility.  That is why most men dread it.  ~George Bernard Shaw, Man and Superman, "Maxims: Liberty and Equality," 1905


    [source: The Quote Garden]

    secretary - Internet Society - NY Chapter http://isoc-ny.org
  • April 8, 2008, 22:20 v_2cros
     
    I believe that no matter what other steps, precautions or enhancements are taken - we need to spear-head this with a push towards educating the public.

    Many problems would be avoided, and go unexploited if we had a better-informed, trained and educated public.

    I'm not saying that everyone will have the knowledge to keep themselves electronically safe, but at the same time, I don't believe it's necessary to build software that holds the user's hand at all times.  With the holding-the-hand method, there are typically several new annoyances and sacrificed conveniences that we (internet/computer-savvy masses) must deal with.

    I imagine this won't be perfect for a long time, but the last thing I would want to see from these changes are lost privacies, and loss of control.  The ultimate control should remain in the end-user's hand.

    For example, if someone surfing the internet knew that they could check the properties of an email to see who the actual sender was, they would have probably not clicked on the link from <company name here> requesting their password.

    So in short, the answer (or at least a large ration of it) is education.

    Thanks,
    Craig
    • Edited by v_2cros, April 8, 2008, 22:21: mis-spelling
    • Edited by v_2cros, April 8, 2008, 22:22: mis-spelling
  • April 9, 2008, 2:39 K.Hamilton
     
    I think we're asking the wrong questions, and I think it's important to ask about a couple of ideas that underpin the assumptions that are being made.

    What do you mean by 'enhance security'?

    Usually, I've taken 'security' to mean that all parties to the conversation know:
    (a) the relevant identity of the party to whom they are speaking,
    (b) that the party to whom they are speaking has not changed since the last time they spoke to that party,
    (c) that their speech is being received by the party with whom they are speaking without adulteration,
    (d) that the speech that they hear from the party with whom they are speaking is the speech that that party spoke, without adulteration,
    (e) optionally, that nobody else can hear what is being spoken until it reaches the other party and the other party chooses to make it available.

    The concept of 'identity' is fairly difficult to express, but I'm going to make a stab at it...

    Every entity can be addressed in one or more ways.  Each means of addressing that entity is an 'identity'.

    Now, I realize that there are some whitepapers that Microsoft has put out including 'the laws of identity', but I read them several years ago and cannot remember all the details.  What strikes me most, though, is this: there is no one single 'true' concept of 'identity' that works in every situation.

    Every entity has at least one identity.  There is no single context within which every identity is recognized; however, every context has a means of individually identifying the entities which take part in it.

    This means that identity is context-sensitive.  Every context has its own concept of identity, and it's impossible to apply any single set of rules to all contexts.

    The DRM concept includes "devices are entities".  This is because the content-provider wants to whisper its secrets to the device without the policy that the device implements and enforces being subverted.  Thus, DRM is a specific context, and one which needs to have its own rules written.

    However, each and every single one of us who are in this discussion has an identity.  We may choose not to divulge it (thanks, in part, to the shared Live ID that Microsoft has set up), but we all have it.

    In fact, we all have more than one.  I am much more than just K.Hamilton, khamilto@live.com.  I have different addresses, each relating to a different facet of who I am and what I choose to do.  I have many contexts that I take part in.  I'm much more than my legal identity -- and everyone I interact with online is much more than their legal identities.

    I daresay that this 'legal identity' business -- that you have to provide your legal name for everything you do -- is one of the reasons why people don't trust the internet. Why should I have to make my name known in order to exercise my right to free speech (I'm in the US), when the Supreme Court has held that anonymity must be upheld so that people are not afraid to express their (perhaps unpopular) speech?

    Every context that I interact in has a notion of 'identity', though in most of them there is no linkage between that context's notion of identity and my legal name/identity.  However, every one of those contexts has a 'unique' identity concept, so that once I pick a name, it can be reasonably believed that if it came from that name in that context, it came from me.

    To generalize:

    If a given contextual identifier is attributed as a party to the communication, that given context identifier should be identified as the same party to all communications with that identifier.

    Thus, one of the ways that we can enhance security is to make it possible for all contextual identifiers to be given strong identity bindings.  However, because policies on identity-binding can differ wildly from place to place (some places require a full name/credit card identifier when someone signs up, others require an email address, others still don't even require that), there cannot be any real 'central authority' for all contexts.

    The only logical view, then, would be to make every context be its own authority.  Every context should have its own contextual-identity certification authority.

    In order for this to happen, though, the public view of the role of the CA must change.  To abuse a metaphor, there cannot be only a single "lock icon at the bottom of the browser window"; the information on who someone is and what context their identity is unique within must be presented automatically, in a way that's easy to understand.

    In order for this to happen, there needs to not be a central 'I certify that this is a valid context' CA.  Every website that has a forum has its own context, and manages its own context.  It should be able to set up a context by doing the equivalent of 'posting its CA certificate on its forum', without having to have its CA certificate certified by anyone else.  (Banks and other high-value relationships should still have their identities certified, but requiring every website that wants to encrypt username and password data that's being sent over the network to pay for an SSL/TLS certificate is simply absurd.)

    The process of obtaining a context-identity certificate needs to be streamlined, and standardized.  There should be no limits on where a context-identity certificate can be used, other than the policies in place at the other end.  (Banks should use certificates they issue to their customers, or they should use legal-context certificates issued by legal-context CAs.  I shouldn't have to use my legal-identity certificate to log into my slashdot account, though.  Nor should I have to use it to log into Windows Live.  Nor should I have to use it when I'm opening a chat to one of the people I've met online -- instead, I should be able to use the certificate that I have for the context in which I've met them, to prove that it's really the same person they interacted with in that context.)

    The meaning of a certificate needs to be adjusted.  For low-value interactions, it should be 'this certificate identifies this entity as this identifier, part of this context'.  If you've already interacted with someone in that context, you should already have the CA key for that context.  The concepts of "key usage" don't really apply in this view -- signature-only?  encryption-only?  what does that have to do with anything in a low-value context?

    X.509 standardizes how to specify what policy is in place regarding how to prove who a given key belongs to.  However, at the moment it's far, far too useless for the social contexts that we find ourselves in online.  Once this changes, encryption and multi-identity tools can become ubiquitous... and once that happens, it'll be easier to understand what needs to happen to make interactions more secure.

    -K.Hamilton
  • April 9, 2008, 14:36 kellyral
     

    I've been working on several of these issues over the past year and have invented a number of solutions in this space. In short I've found a way to ensure that the real owner of an identity (in any context) can not be misused. Additionally it is free of any privacy concerns.  Here are the Identity Rights built into the solution I've been working on and what I think are important to ensure that the end result that you guys come up with is useable and useful.

    People have the right to:
    1. Own and control their identity and previous owned identities.
    2. Regain control of their identity if it should be compromised.
    3. Be anonymous while controlling their identity at the same time.
    4. Have a single place to control their identity in any context.
    5. Privacy and Civil Liberties

    The solution should perform in real-time and work for any context on or off the Internet. Identity Fraud occurs in all aspects of life and people should have the right to know if someone is using their identity but at the same time they should never have to reveal their identity to obtain these rights. To be useful, it should be able to protect against fraudulent activity such as on-line transactions, simple account creation, border security, job fraud, healthcare fraud, insurance fraud, change of address, or anywhere where a fraudulent identity could be used to obtain credit or value from another person. Oh and it should be 100% free to consumers.

    Device and transaction security is clearly important. But in 2007 over 120M personal records were compromised due to data breaches and all the firewalls, secured devices and SSL tunnels in the world were not the main issues. The assumption should be made that eventually people's identities are going to be stolen and people must have a way to combat this inevitability without ever giving up any personal information.

    kellyral

  • April 10, 2008, 13:15 carlos_salekld
     

    I strongly believe that with all the crime and misleading issues that have arisen through the years the internet is free for all, now we, the people, have to place some sort of locks in it and on it. How?, very easy, an international organization or an organization conformed by ALL the countries in this world; has to control and follow up the access and use of internet. Individuals will have to register by mail or a limited temporary access to a server that is not connected to the internet but to the mass holding of data about each user of the internet. It will be required that an individual or entity have to give or disclose full name, Address, Phone#, purpose of access and any other information that is required to identify and locate the individual or entity requesting access to internet.

    The information provided has to be kept secure and be accessed "ONLY" by Investigations bureau of each Country and/or region by having certain securities in place. Now, Once an individual or entity is granted this permission to access Internet, they will have to sign a legally binding contract in which it is specified the do and do not policies, which will tell the individual what will cause the denial or the penalty due to misuse or fraudulent use of the internet, E-Mail and any other communications used through the internet. All of this has to be logged through a unique communication code that was used to access the internet linked to the individual or entity profile.

    This will be very easy to do through the satellite systems, phone companies, cable companies and any other company in the world that provides Internet service.

    Many will think that this will be against the freedom, liberty, anonymity, privacy of the internet and the individual or entity information. Remember, the private information can be accessed only by the Investigations bureau of each country, no one else. This will not compromise the identity of the person using the internet because each user will have a unique code to access it. This code will have to be used throughout the network (internal or external).

    The implementation of this will be simple with minimum cost. Will have a high security in place. Will give the peace of mind to every user of the internet is safe. No personal data will be available to 2nd and 3rd parties. The individual will not know the code assigned to him to access the personal data of the subscription, only the Investigations Bureau. E-Commerce will be more secure. The individual will have a code for personal use when accessing the internet and a different code will be generated for each subscription. These subscription codes will not be linked to the personal data, will only be linked to the File # that can be accessed only by the investigations bureau in their unique inside server that can be accessed only one time for subscription, then after the subscription is done the personal data has to be moved to a different server not connected to the internet and the data on the one time access server will be deleted, making it impossible to be recuperated or undeleted....Well just a thought.......


  • April 10, 2008, 16:43 billyplatt
     
    While the argument about security vs liberty/freedom is never going to go away, and is equally valid from either side of the issue, I say that making the internet safe is more of a business issue.

    If I want to run a business, or a legal one, anyway, there are certain things I have to do to make it legal, such as filing papers, incorporating, DBA's etc, that all link my business to ME, an actual, accountable person who is then expected to do business according to rules and laws regarding doing business in this country.

    If we applied the same rules to internet and email, we could accomplish much in terms of securing the internet without violating everyone's privacy.  People could choose to work and surf anonymously for whatever reasons they wish to.

    But the rest of us should be able to state clearly who we are, and what is the purpose of our business or other venture.  So we could decide to become a 'REGISTERED' email server, proclaiming to the world who we are and why we send email, or proclaiming that our webserver is open to the public and clearly who owns and operates it and the purpose of that website.

    And we could then choose to only let registered people into our website.  That is as much our right as Americans as every other business in America.  We could CHOOSE to only accept email from persons who can validate their email servers, etc.  My org gets 2000 spams an HOUR, and the best we can do is drop their connections, but they are not giving up, they keep trying to sell us the viagra, get us to share our info so we can receive millions of unclaimed inheritance that is due us for no reason than Mr. M. Mubarek has FOUND us and wants to give us this money.... etc.. etc....

    So if the collective business world considered who can access their sites, and whose sites they can access, that is a business decision, and security by elimination.  We should be able to say in some simple firewall rule that our intranets could only talk to websites and email servers that have been validated.

    The whole freedom of speech topic is ridiculous here.  If I sent out a death threat through email, the feds wouldn't have any trouble finding ME, but the spammer who is choking my email server is completely free to disguise his identity.  He is more protected than I am and I am one of the good guys, trying in vain to protect my organization from the garbage and criminals who pursue us.

    So keep it simple.  Give people the option of validating themselves (hmmm, like a driver's license, social security number, etc) or not validating themselves.  Then make it easy for people to decide if they are going to surf the VALIDATED websites with their own identity, or surf the 'OPEN' internet and take their chances.  I'm willing to bet the spammers and malware group are not going to validate themselves...   If you choose not to join, that is your decision, but I should be able to choose to only do business and conduct communications with validated persons.

    Sort of like the Black Market, we could call it the Black Market Internet, vs the Trusted Internet, and let people decide which one they want.  Any bets on which one they want yet?

    We don't give the real Black Market the freedom to advertise, but on the internet, you can behave any way you want....  That's my view! 
    one of the good guys
  • April 10, 2008, 21:32 Hal F_
     
    I'd suggest that the degree of privacy and anonymity we have on today's net is something of an illusion. You may feel anonymous when you post on a message board or take part in an online chat using a pseudonym, but you're not really very well hidden.

    I would like to see us simultaneously move in two directions: towards improved identification technology for those who need and want it, as the MS proposal describes; but also, towards explicit provision of an infrastructure for highly secure, private and/or anonymous communication. There has been a great deal of work in the cryptographic and security community over the past twenty years on mechanisms to provide this, and a few semi ad hoc and experimental systems such as Tor are being fielded.

    Let us raise the priority and visibility of these technologies and make them part of the foundation of a newly secure internet. They are perfectly able to coexist with an infrastructure that enables a greater degree of authentication and identification.

    Now, there may be concerns that adding more and better anonymity is going in the wrong direction since a goal of the MS proposal is to allow for better tracking of attacks and more accountability for malware authors. This can be resolved by allowing people to limit contacts from the anonymity networks to just certain protocols and data types. In this way we can have free speech, perhaps even freer than today, while still enabling the other goals of a secure internet.

    Moving forward on both fronts, security and privacy, is necessary in order to gain the confidence and trust of all stake holders. End users will not accept a net that is regimented and controlled and limits the freedom of personal expression. At the same time, allowing the source of data to be clearly identified will enable new mechanisms and policies for limiting the damage from online attacks and increasing mutual trust on the network. It gives us the best of both worlds, whereas focusing on just one or the other will not produce a viable solution.

  • April 14, 2008, 19:03 Johnathon M_
     

    Billy,

    That works in concept but you are dealing with a multi-national, supra-governmental network where laws, regulations and such apply by country.  You can't have a blanket registration because it's not legal in some areas to do so.  Moreover, who will enforce these regulations?  It's one thing to have laws on the books; it's an entirely different one to enforce them.

    -JM

  • April 15, 2008, 9:02 Trend_v1
     
    In a project I worked on in the UK, with the company QinetiQ, here is the sketch of "trust categories" that we ended up with when analysing a lot of different scenarios:

    Source vs. Interpretation (both are not seen the same way with regards to trust)
    Accuracy (in some situations it's the most important factor)
    Audit trail
    Authorisation
    Identification
    Availability
    Reliability
    Personal Responsibility (or law)
    Reasoning (or business logic)
    Usability
    Harm (most subjective concept, but it may also be the most important for each and every person)

    If you try to move away from "security" (which is a "sine qua non" of trust), you'll cross the path of the other facets of trust which are not adequately tackled nowadays. Although a lot of security bodies, organisations and companies claim that "security is all about trust", I sincerely believe that they don't know what they're talking about. The technical or legal aspects of security are shadowing the other ones, and while there needs to be a balance, nowadays the balance is more towards business than to people, because they're the ones ultimately targeted by professional hackers. I think that education, as said before, is essential, but not only education of the general public, education of the security industry too.

    MS can exert the necessary pressure so that things are changed globally, because it's impossible to change the whole situation by simply changing yourself (which is, by the way, the only way to create a sustainable change: first change yourself). We live in an interconnected world, so if MS wants to solve this problem of "trust", it needs to ask politely other people to participate.

    .hack
  • April 18, 2008, 15:38 DaveD1948
     
    How do you see "Privacy and Civil Liberties" being implemented in a system that offers both anonymity and identity confirmation to a provider, about your connection?

    I see one comment which triggered a thought...

    If there were independent "certified" authenticators on the net, then I could "imply" a certain traceable level of authentication without ever telling anyone who I am.

    I find it helpful to realize concepts like this using a parallel we're already comfortable with.

    For instance, I can be a member of a club, without actually having to identify even so much as my membership number to others inside the club.  But if I were asked by a club employee I might have to present my credentials - if I agreed to it, to be allowed to order food.

    On the other hand, if I didn't comply with their request, they could a) not serve me, and/or b) ask me to leave (eject me).

    Now when I enter a ball park, the vendors there don't ask me for my identity.  Their interest is to sell me something at a huge profit (sound like anyone you know?) Instead they "assume" I purchased a ticket and that the gatekeeper only allowed me into the park after verifying it.  They're more than happy to have me as a customer - although if I use my credit card, once again I must present some credentials that prove with some level of credibility they'll get their money.

    Interestingly in this case, the vendor never cares if I have a ticket and indeed, it's not their place to even ask for it.

    However if I want to ascend to the private box section on the upper mezzanine, I must once again present my ticket where a second gatekeeper reviews my ticket.

    Perhaps then, entrance, purchase, blog, e-mail, file and all unique levels of necessary authentication could be verified either directly or indirectly through their respective "authorities" based upon need - and permission to access.

    For instance, entrance to the Internet is the base authentication which says to every other entity on the net, "if I need to, I can track you down with a valid request to the appropriate authorities - but normally I will NOT know who you are, nor will I have any other mechanism to find that out."

    Simple entrance to the net must be validated based upon three authorities, one is your connection provider, second whoever is paying for the connection you are currently using and finally somebody (your personal cert) that can authenticate your actual identity.  Please note...this is exactly the same traceability now available, however in this case the two entities before the ISP are currently not verified - the final connector, and the actual end-user.

    When you log into your Internet connection and all credentials check out, you're given an instantly certifiable session token which can be validated by the connection provider only, that you are a legitimate "club member" and traceable should the legal need arise.  The token itself can be certified valid by any Internet entity by connecting to the issuing "authority", in this case, your ISP.

    It is the responsibility of the ISP to validate this session, generate the token, and record the connection owner's ID and user's ID so this information can be backwards tracked (traced) in the event that civil authorities make a valid request to obtain it.

    But the certified ISP never reveals any details beyond the fact this is a traceable connection to anyone except in response to a lawfully executed warrant.

    Your connection token is unique each time you connect to the net, and by itself cannot identify you - period.  It contains no personal identification, but can be used under court order (and quickly mind you), to expose your real identity through a reverse look up.  And when a reverse request is made...each authenticator in the chain is responsible for giving out the next piece of information...not one authority.  Everyone in the chain must agree - except in the case of a high enough level of authority, whereby some, or all of the chains must comply.  To enforce validity, tokens should not be appended beyond the ISP level.

    These connection tokens could be replaced every 10 minutes, and could be allowed to overlap by 10 minutes so that business transactions can take place without timing out.

    If while browsing the net, you wish to make a purchase at a vendor's site (who also is fully certified by the same procedures), you may be asked to provide a vCard style credential or at least a user ID/password pair which validates your membership at their site.  This is a low credibility authentication which cannot be instantly verified, however the vendor can (and should) attach your session token to their session logs for traceability in case of a necessary legal action.

    To make your purchase, the vendor passes your connection over to your bank, which validates the sale privately using a separate token chain with no other personal or banking information (and no CC info) being sent between the two sites except for the sale data and sale token, plus it can include the vCard to help speed things along.  Notice there's no heavy authorization required for the vendor's site, just a merchant agreement to a credit card clearing house.  The vendor never knows anything about how you pay, nor any of the details.  This even solves the vendor CC information storage problems and vulnerabilities we're now living with.

    After the transaction clears, the bank sends a paid-ticket ID to the vendor.  This again is a multi-level secure connection, traveling between two validated token holders - the bank and the vendor.

    Endpoint-to-endpoint security can be handled in any way feasible and desirable - except it is not a part of this first level of credibility authentication.  In other words, an entity cannot normally go beyond obtaining your connection token, which may not be adequate for a secure point-to-point VPN.  However this solution can be extended to provide such, assuming a)  the end user can trust the host's token and b)  the host can trust the ISP's session token plus some other credentials such as a user name/password pair, a certificate or a third-factor token generator.

    So while not answering the endpoint-to-endpoint issue, anonymity is protected while allowing existing and new authorization solutions to ride on top.

    What's very cool about this approach is that it provides perfect anonymity, assuming of course that each entity is legit, and that laws are not broken by shady ISPs, vendors or banks.  But unlike all other variants I've seen so far, entities are private, yet always traceable, and since that's the case, in this model no one using this system can connect to the Internet, do an ill deed to another and simply get away with it.

    This represents the exact same privacy and legal search methods we now have in place in our physical society (like them or not).

    Plus, and so important to the anonymity question is that this solution allows both the verifiable and non-verifiable Internet to co-exist if that's a requirement.  For instance, not all end-user connections would have to present tickets.  (You can walk around the ball park and sell peanuts and popcorn to end-users without forcing them to have a ticket to the game, although you as a vendor may still have to purchase a concession license.)  But first-rate entities can do business with other first-rate entities if they want to.


    • Edited by DaveD1948, April 18, 2008, 16:06: Grammar errors
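
The session-token scheme described in the post above, sketched as an added example that is not part of any post in this thread. It models an opaque ISP-issued token with the 10-minute rotation and 10-minute overlap mentioned there, a yes/no validity check for other sites, and a reverse lookup that is refused without a warrant. The class, method names, identifiers and warrant references are all hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass

ROTATE_SECONDS = 600    # a fresh token every 10 minutes (figure from the post)
OVERLAP_SECONDS = 600   # the previous token stays valid 10 more minutes (from the post)


@dataclass(frozen=True)
class TraceRecord:
    owner_id: str    # whoever pays for the connection
    user_id: str     # whoever is actually using it
    issued_at: int   # seconds on the ISP's clock


class IspTokenAuthority:
    """Hypothetical ISP-side issuer; every name here is an assumption."""

    def __init__(self):
        # Keyed by SHA-256 of the token, so the table itself holds no usable tokens.
        self._records = {}
        self._accepted_warrants = set()

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, owner_id, user_id, now):
        """Issue an opaque random token; nothing about the user is encoded in it."""
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = TraceRecord(owner_id, user_id, now)
        return token

    def is_traceable(self, token, now):
        """The only question another site may ask: yes or no, no details."""
        rec = self._records.get(self._key(token))
        if rec is None:
            return False
        age = now - rec.issued_at
        return 0 <= age < ROTATE_SECONDS + OVERLAP_SECONDS

    def register_warrant(self, warrant_ref):
        """Assumption: the warrant was verified out of band before being recorded."""
        self._accepted_warrants.add(warrant_ref)

    def trace(self, token, warrant_ref):
        """Reverse lookup. Works for expired tokens too, since vendor logs
        are examined long after the session; refused without a warrant."""
        if warrant_ref not in self._accepted_warrants:
            raise PermissionError("no lawfully executed warrant on file")
        return self._records.get(self._key(token))


def run_demo():
    """Walk one subscriber through two rotations; all values are constructed."""
    isp = IspTokenAuthority()
    first = isp.issue("owner-1001", "user-7", now=0)
    second = isp.issue("owner-1001", "user-7", now=ROTATE_SECONDS)
    # The vendor stores only the token next to the order, as the post suggests.
    vendor_log = [{"order": "A-1", "session_token": first}]
    results = {
        "tokens_differ": first != second,
        "first_valid_in_overlap": isp.is_traceable(first, 900),
        "first_valid_after_overlap": isp.is_traceable(first, 1200),
        "second_valid": isp.is_traceable(second, 1200),
        "forged_valid": isp.is_traceable("not-a-real-token", 0),
    }
    try:
        isp.trace(vendor_log[0]["session_token"], "W-unknown")
        results["trace_without_warrant"] = "allowed"
    except PermissionError:
        results["trace_without_warrant"] = "refused"
    isp.register_warrant("W-2008-001")  # constructed warrant reference
    results["traced_user"] = isp.trace(first, "W-2008-001").user_id
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

In this sketch the token is a bearer value: any party that logs it could present it as its own until it expires, because nothing binds the token to the connection it was issued for.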
  • April 24, 2008, 6:05 Phony Cajonies
     
       I see on the T.V., and anywhere our "Writers," that were on strike in 07 and 08 are involved: An attempt to communicate in "Symbolism" that gets into our subconscious better than just the old-fashioned interactions that are either "Positive," (which pertains to some rudimentary form of progress) or "Negative," (which, in some "Bizarro World" of bipolarity, pertains to oppression). Duality, Bipolarity, Oppression, Progress, Communication, Laws, Reality, Illusion, add some Greed.  I have left out numerous, consecutively assembled, KEYS, winding like DNA, that are ubiquitous to our social building blocks of "Identity."  Bigotry is a scaffold in there somewhere...
       I read a saying that, "All learning is emotional based", I can't Quote the origin, but, I can dissect the context. It is also written that to enroll in a four year course in College, then get through three years, what you have learned will be partially obsolete by the pace of technology and discovery. So, whatever is in the wings and being edited into a usable template may be a puzzle that can be assembled today, and the pieces will fail to fit tomorrow. All these unknowns and lateral issues can be generalized into a synonymous paradox not unlike declaring Independence and writing a Constitution, only for internet representation. I assume we all know about George Bush and Dick Cheney? The "Bush Capades" and our Un-Constitution?  Grinding.
       For learning to be based on emotion is a rather ablative analogy... I, and a few of the Newly Compensated Writers out there understand that learning has a deeper primal base, the shift is to converse with our un-evolved physiological egos and bring the stragglers into the New Millennium. It may be a little late, sociological shock aside. I guess if you learn wrong, it is "Your Fault" in our society today. Those are the signs I get flashed repeatedly in my face. But who is teaching the wrong stuff every damb hour of the day. We have systemic failures in the family, community, local city, state, and federal hierarchies. The puzzle is made to never be able to finally be pieced together, on purpose. Not a good template to follow, or oppose.
       I am having security issues on my computer tonight. That is what led me to here, attempting to make my own brand of lemonade, I guess.
       I assume, for a select few there are no unknowns in cyber-space. As well as, for a select few, there are no rules that can't be spun into egg white for Key Lime Pie topping. Us grunts are all supposed to take our little pieces of crust and wait for the answers we know we are missing. I hope that is soon to change, being oppressed is a lot of wasted effort. Fighting all the negative interactions in person and then the spam in some anonymous universe is a form of abuse, oppression and de-volution. Positive interaction? Is probably, exactly like, a non-dysfunctional family, of which society has segregated fractions of, in relatively sparse little islands of private illusion. "To pursue positive interaction is good," (I modify a Shakespeare maxim), "but to get it un-pursued is even better!"  The abusers will never volunteer, the addictions of the dark side of the mind take precedence.
       I have known oppression of sorts all my life, then defined it. Abraham Lincoln saved slaves from it, supposedly... Some folks may never be free. RR
      
    • Edited by Phony Cajonies, April 24, 2008 6:08: spacing errors
  • May 14, 2008 1:49 Jackson Day
     
    I can understand privacy as a social value, but why anonymity?  I really don't have the time or desire to communicate with people who won't tell me who they are.  I understand that there are many chat groups where people who wish to talk anonymously can do so, which is fine, but that has no appeal to me.

    What concerns me the most is the apparent ease with which spammers can assume any identity they wish.  Every so often I get notices from some ISP administrator that my message promoting Viagra or Fake watches has been rejected.  Of course, I sent no such thing, but someone else easily placed my email address as the return address for their spam.  Why should this be easy? 

    I would like my email program to have a filter that automatically rejects any email from an actually or potentially anonymous source, e.g. a sender who can't be traced back to a real, bill-paying person.  I can't believe that the technology doesn't exist that would permit that.

    I don't need to interfere with someone else's freedom to receive spam;  it's just that I don't want it, and one way to avoid it would be to avoid any anonymous mail.  Stay as anonymous as you wish, but don't try to communicate with me -- I don't have time for you!

    Jack Day,  Columbia, MD.
  • May 14, 2008 3:30 K_Lynn
     
    Stop allowing anyone to download information into a person's computer or take information from a computer without that person's permission.  Everyone must have a verifiable sending location or access to the internet is denied.  At the time of log on, the computer is identified to the system and if any changes are made to the sending location then it is again verified prior to information going to another computer.  Networked computers such as Google's system can be identified as approved networks.  If networks are penetrated and un-desirable information is flowing through this network the provider must have in place systems to isolate the source of the defect or not be allowed to operate the network on the internet.  This means prior to cutting off the intruder, they must be tracked to the original penetrated source and this information shared with the Internet, and state what was done to prevent this in future before being allowed networked computer access again to Internet.  K-Lynn
  • May 14, 2008 12:47 cahomsyjr
     
    One way to enhance the security of internet users would be to change the code of browsers so that nothing is allowed to install in the background. Until this is implemented by all browser code writers, viruses, bots, spam, etc. will continue uninhibited. Computer and internet users have a right to protect their equipment at all costs from all of the present and future threats, no matter who they are from. There should be no exceptions to this. From the top down to the end user. If a web site or email wants to install anything into someone's system they should be given permission from the user. Hardware is purchased and owned by the end user not the company who assembled the parts. Hardware is NOT the property of someone else to do with as they please subversively, and without permission. 
  • June 6, 2008 20:13 JAVAA
     
    • Edited by JAVAA, June 6, 2008 20:15: this posting has a bug-it won't let me enter in my text-HELP
  • June 7, 2008 1:08 Welshy
     
    The problem with taking it upon yourself to 'enhance security' is that many different people are going to define the term 'secure' in different ways. For one person, a secure internet might be an internet where they are able to go about their business anonymously, secure in the knowledge that their identity is protected from everybody else on the internet. For another person, a secure internet might be an internet where everybody is held accountable for their actions and is forced to identify themselves in a way that everybody else is aware of, so that nobody can pretend to be someone or something that they're not. Obviously, these ideas of 'security' are mutually exclusive and thus a problem arises.
  • September 11, 2008 6:24 DanW7
     
    The real deal and issue here is that Microsoft made a big mistake when they chose to use the Windows business NT source code over the Windows 9x source code.  Sure, the Windows NT source code comprised of NT, 2000, XP and Vista are nice operating systems with great external security but at what cost.  The cost has been that with the greater amount of services now provided the easier it is to hack the individual computer because the surface area is so great.  In addition, the ability to let someone remotely control your computer is not what home computer users want or need.  I can see why it would be so useful for the business model but for the consumer it is just terrible.  My computer was hacked and it had Windows XP fully updated with a software firewall enabled and a wired LinkSys router and I was connected via VPN to the APS Network in September 2007 and my computer was hacked and my identity as well as the identity of first grade students were stolen.  The problem is that computers are moving backwards in my opinion by having to hook into servers and other devices that when not properly configured make all the external security on your computer a joke.  This hacker(s) could not break into Windows 98 Second Edition and just did a denial of service error which broke the connection to VPN but that is a lot better than actually losing information.  Windows 98 Second Edition has long been underrated and the reason it had so many BSOD back in the day were mainly because of third party hardware companies writing faulty software drivers that caused a BSOD.  Anyway, currently in my multi-boot the XP Professional side on a separate hard drive in NTFS is down again and Windows 98 Second Edition keeps on trucking along with not a care in the world but the seldom denial service error.  
    Finally, I like how so much stuff is manual in 98 SE and if you do not install the scripting host, know how to customize the system to allow it to use Windows ME and Windows 2000 drivers and are able to manually edit the registry as well as using some safety programs like SpywareBlaster then you are indeed doing well and may not have to install 98 Second Edition again in a long, long, long time.  It is now 2 times that I have had to install XP Professional again and 98 Second Edition is doing well without one new recent clean install and I now longed my ram to 512 megabytes so I can easily use it as my main operating system again.
    Nothing beats a hard copy
  • June 23, 2009 11:46 Pappkartoosh
     
    HAL F_,

    You make a compelling argument. Like the facets of a well cut diamond, the truth can be many sided. What is the value of anonymity? To whom does it serve? Let us take automobile driving as an example since I have seen its reference use in this forum. Who among us have witnessed driving that is undesirable? What is the motivating factor that takes a loving mom, upstanding citizen, to make a decision to cut-off a stack of cars in the right lane, saving themselves oh, say, 2 to 3 seconds while risking the lives of all involved using velocities enough to absorb 90% of every manufactured car's crumple zone? If it were a line at the theater would they still take that risk? What is it about our shiny metal boxes that masks our behavior affording us the "opportunity" to take the advantage? How can we cognate the risk imposed on others? Do we really hate each other? Does highway politics really betray who we are or what we strive to be? Only one answer allows us to make such reckless choices... anonymity. Sure it is not true anonymity. Certainly anyone miffed enough about our behavior could find out who we are but the chances of that happening reinforces our perceived anonymity... to the point of risking reckless choices. Imagine if our license plate was a bar code or RFID. Immediate ID could show up on your TomTom or Magellan. Imagine if the guy who made you slam on your brakes was a public servant... leads to some interesting thoughts. The truth of the matter is that no one is anonymous. It is only a matter of [to what level is someone willing to take to find out who you are] and if that level precludes, let's say, a license plate. Are not we going to witness risky behavior in proportion to the amount of time spent frustrated and degree of difficulty to discover true ID? Seems like a simple equation but are we looking far enough "down the road" we are on? I propose that today, right now, I can guarantee 100% secure B2B communication. It is very simple. 
    Distributed, cloned protons in a carbon matrix like a bucky ball. Of course availability would be limited and those able to afford it would be of a new permanent elite. You and I (even if it were my patent) would be forced to slug it out on the cyber beltway, leaning out intellectual overhead for more and more miles per synapse.  Beep beeep!

    Pappkartoosh.
    Just another speck in a Fibonacci sequence of stars about to be reordered by Andromeda
  • August 31, 2009 9:51 kkeane
     
    In my mind, there are two main aspects to security: education and usability. From a technological standpoint, we already have the tools to build an extremely secure Internet.

    The problem is that users are actively turning off security mechanisms or using weak passwords because they are inconvenient and the users aren't aware of the risks. Some of my customers refuse to change that even after they already had severe intrusions.

    There is a parallel in the regular world: many people don't lock their front door, either, even in bad neighborhoods.


    That said, there are a couple things Microsoft can do:

    On the technological end:

    - Support multiple independent concurrent LiveID logins, and implement a strong privacy policy that they will never be linked. This will solve a major privacy concern. For instance, I have a business LiveID and two personal LiveIDs. In fact, this is one of the reasons I am using Yahoo for most of my personal interactions - I can be logged in to Yahoo without logging out from my business LiveID.

    - Support other OpenID providers. This will do two things: it reduces the proliferation of user names and passwords (password fatigue is a major security issue), and it allows users to choose which provider they trust with their private information.

    On the social end, Microsoft can only work together with the Internet community as a whole.

    Trust and control are paramount. Privacy is so high on people's minds because so much information is collected surreptitiously, and often in ways the user cannot avoid even if they are aware. That combination is a prime breeding ground for distrust.

  • October 30, 2009 21:40 oldladyfan
     
    It would be nice if this world could be trusted; but the facts are that there are people out there who deliberately put viruses in, hack into email and  even government agencies are threatening our privacy.

    It's just not a safe world. And even the most sophisticated and reliable software to protect us just doesn't exist.

    Sad, but true.

    "Technology can be our best friend or our worst enemy". My philosophy.