Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
igb at batten.eu.org
Mon Aug 2 14:40:24 BST 2010

On 2 Aug 2010, at 14:25, Clive D.W. Feather wrote:
> Ian Batten said:
>>> The server, as in a dedicated host offering professional services
>>> protect itself against anything the "internet" throws against it,
>> Except that's both contrary to the law in every other field, and
>> incredibly elitist.
> I disagree with you and agree with the intent of the statement.
> A URL is a string of (to a first approximation) printable characters. A web
> server should be able to handle any string of printable characters in the
> URL field of the GET request and do something sensible with it. This
> be a 403 or a 404, but it shouldn't be accessing files that it's not
> supposed to return to the user and it shouldn't do anything

Sure, and as an engineer I agree with you. And my immediate reaction
was that the Cuthbert case was an over-reaction, and I think the
precise details of the case make for a tangential discussion. I'm
very, very nervous about the idea that somehow attempting to break
into computer systems should have a defence of (in essence) "had they
wanted to secure it they should have done a better job" when that is
not the case with any analogous crime. It smacks of blame the victim.

A door lock should be able to cope with any key being inserted and
only open when the correct one is used, but wandering around with a
set of lock picks is liable to get you prosecuted for "going
equipped", and attempting to actually use them would be a further crime.

If I lock my front door with a hypothetic one-lever lock that can be
picked in a second while wearing boxing gloves, that might cause
people to be less sympathetic when my house gets broken into and might
lead to an interesting conversation with my insurance company if I
tried to claim; it would not, however, be a defence for the burglar to
say that it was my fault for not fitting a better lock.

Similarly bike locks, car alarms, etc: if I want to prevent the thing
being stolen, it behoves me to use security measures suitable for the
job, because having your stuff stolen is a pain. If I want my
insurance to compensate me, they will set a minimum level of
protection they expect me to use, and will potentially give me a
discount for having more (my car has a magic-string-of-letters
accredited immobiliser, and that's worth a few quid off the insurance).

However, whether I take those precautions or not is not at issue when
someone is prosecuted - it's not a bigger offence to steal a bike
secured with a bloody great big Kryptonite chain than it is to steal a
bike secured with a lock from Poundland.