Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

James Firth james2 at jfirth.net
Sun Aug 1 11:10:33 BST 2010


Peter Tomlinson wrote:
> Recently I was at an IAAC Working Group about being safe on the
> internet, and there the nature of the internet (wild and woolly) was
> discussed, and whether it could be made tame. Having thought about it
> both then and later, I'm of the opinion that the protection should be
> in both web server and user system, and that it should be routinely
> installed and configured in both, and be ubiquitous in its operation.
> So protection against inadvertent illegality needs to be there in the
> protection software in the user system, and the web server's system
> should protect against a user doing the illegal thing.

It already is and it's called protocols/standards/RFCs.

The server, as in a dedicated host offering professional services, should
protect itself against anything the "internet" throws against it, with the
exception possibly of denial-of-service type attacks, which require some
level of network protection.

Up list the mention of "anything else is unauthorised access": not under the
CMA, unless it could be proved the attacker knew the consequences of his/her
actions could prove denial of service, loss of data etc.

"anything else is..." perhaps a breach of contract depending on the Ts & Cs
(and how enforceable those Ts & Cs are) of the website being visited (eg
robots.txt etc).

The internet is doing a remarkable job protecting itself without government
interference, considering the potential for harm and the likely rewards from
certain large-scale attacks.

I wish the police would be as proactive in investigating fraud using the
internet as they were in this case.  From basic auction seller fraud to
phishing and in particular the hacking of home PCs.

Large corporations like BT can afford to and should be responsible for their
own server resilience.  The police simply should never have been involved.

In fact the payment industry gets very little truck from the police in
investigating e.g. credit card fraud, as I found out from my personal
experience when I tried to get the police to take further action in
prosecuting the gang they uncovered in relation to my own losses.  Too
complex to track across national borders, they said. (All within the EU).

However the "little guy" whose home PC comes under daily bombardment from
vulnerability probes and phishing emails gets very little help from law
enforcement, even when they attempt to make a complaint(*)

James Firth



