Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

Peter Tomlinson pwt at iosis.co.uk
Sun Aug 1 21:40:44 BST 2010


James Firth wrote:
> Peter Tomlinson wrote:
>   
>> Recently I was at an IAAC Working Group about being safe on the
>> internet, and there the nature of the internet (wild and woolly) was
>> discussed, and whether it could be made tame. Having thought about it
>> both then and later, I'm of the opinion that the protection should be in
>> both web server and user system, and that it should be routinely
>> installed and configured in both, and be ubiquitous in its operation. So
>> protection against inadvertent illegality needs to be there in the
>> protection software in the user system, and the web server's system
>> should protect against a user doing the illegal thing.
>>     
>
> It already is and it's called protocols/standards/RFCs.
>
> The server, as in a dedicated host offering professional services should
> protect itself against anything the "internet" throws against it, with the
> exception possibly of denial-of-service type attacks, which require some
> level of network protection.
>
> Up list the mention of "anything else is unauthorised access": not under the
> CMA, unless it could be proved the attacker knew the consequences of his/her
> actions could prove denial of service, loss of data etc.
>
> "anything else is..." perhaps a breach of contract depending on the Ts & Cs
> (and how enforceable those Ts & Cs are) of the website being visited (eg
> robots.txt etc).
>
> The internet is doing a remarkable job protecting itself without government
> interference, considering the potential for harm and the likely rewards from
> certain large-scale attacks.
>
> I wish the police would be as proactive in investigating fraud using the
> internet as they were in this case.  From basic auction seller fraud to
> phishing and in particular the hacking of home PCs.
>
> Large corporations like BT can afford to and should be responsible for their
> own server resilience.  The police simply should never have been involved.
>
> In fact the payment industry gets very little truck from the police in
> investigating e.g. credit card fraud, as I found out from my personal
> experience when I tried to get the police to take further action in
> prosecuting the gang they uncovered in relation to my own losses.  Too
> complex to track across national borders, they said. (All within the EU).
>
> However the "little guy" whose home PC comes under daily bombardment from
> vulnerability probes and phishing emails gets very little help from law
> enforcement, even when they attempt to make a complaint(*)
>
> James Firth
James, you well illustrate the position that our discussion got to 
(although not everyone agreed). The line that I took is that the 
specifications and tools and internet best practice are there, so we 
should use them. Then you get to the point that was the starting 
assumption for the discussion: the problem for the little guy - so we 
need to ensure that it's routine to deploy the tools at millions of end 
points, and do so at low cost. After discussing this with a couple of 
people not part of the IAAC discussion, I'm trying to write a paper 
suggesting a way forward. This is expected to be published on a web site 
operated by one of those other two.

Peter
