Reader Comments on Aardvark Daily 22 Jan 2001
From: Brian Cahill
For: The Editor (for publication)
Subj: Crimes Amendment Bill

The Crimes Amendment Bill's giving government the power to legally hack into computers has justifiably been given a lot of attention, but there are other aspects of the bill (or rather, the Supplementary Order Paper on it) that ought to raise as much concern.

One (reported on IDG web site 19 Jan) is the subject of an ICONZ submission on the SOP - that connecting a PC to a LAN will become illegal because PCs are "... any device ... that is capable of being used to intercept a private communication ...".

Another is that the SOP makes "unauthorised access" to a computer system illegal and punishable by up to two years imprisonment. Since normal, honest, use of the Internet frequently involves downloading files from WWW and FTP sites, and sending e-mails, without prior "authorization" from the target computer's owner, the SOP appears to make most Internet usage illegal.

Some might say that making a computer accessible on the Internet implies "authorisation" to access it (in which case computers connected to the Internet won't be protected by the legislation). Others might say that yes, we'll all be criminals under the new legislation but that's OK because they'll only prosecute the "bad" people. I don't find either explanation reassuring.

From: Richard
For: The Editor (for publication)
Subj: Poison pen for Spooks?

Hmm... It occurs to me that one could set up "cop-bait" on a computer system with traffic patterns likely to pique the interest of the various nosey-parkers in the government's employ. Then one could make the system security hard, but not *too* hard and lightly encrypt the file system (oh, with something simple, like ROT13 or 56-bit encryption).
And then lace the sucker with every goddamn virus, worm, trojan, bomb, trapdoor, backdoor you can lay your hand to, hell, even write some new ones :) That, and/or monitor the system so that any uninvited intrusions can be traced and reverse-hacked as they happen - break into their systems as they break into yours. If they wanna fight, give 'em one I say.

From: John Elsbury
For: (for publication)
Subj: Police Hacking

Nice, emotive, scenario but it just ain't like that. For a "hacking" attempt against a PC to work the following conditions *have* to be met:

(1) The PC *must* be connected to the Internet and the connection *must* be active for the duration of the hacking attempt.

(2) There *must* be ports open on that PC which a hacker can see, and those ports *must* in turn be connected to a listening service which will respond to connection attempts.

The only way these ports will be there, open, and listening is if the "hackee" PC is running software intended to open those ports and listen to them, and to respond to connection attempts. There is no "magic backdoor" available to law enforcement authorities, who would in any case find it easier and more effective to install a device to physically monitor keystrokes. From outside you can't force a MODEM to accept calls, and you can't open a port which isn't there.

Now, I accept that a number of users will have peer sharing enabled and so unprotected Windows shares may be visible. I accept that some people will have "always-on" internet connections. Some may even have legitimate remote access software (e.g. PC Anywhere) running. I accept that some people are unfortunate enough to have run "remote access trojan" programs which they have received one way or another. Sure, those people are at risk.
If, however, I was doing anything on my home PC which I was afraid "they" might want to know about then I would avoid all of the above risk factors - software firewalls are cheap and reasonably effective, antivirus software will catch all but the newest "trojans", and I wouldn't leave the PC permanently connected to the Internet. Especially if I was doing something business-critical.

Aardvark Replies...

Unfortunately, many business users (particularly SMEs) tend to run their systems "out of the box" with little understanding of the vulnerabilities that a "stock standard" Windows PC has. With DSL becoming a cheaper and more viable "full-time" connection option, many of these machines will be permanently online and accessible -- especially if they leave their mail client polling the ISP's POP server at regular intervals.

The unfortunate thing is that there are far too many PCs out there on the Net with file-sharing enabled over the TCP/IP connection, old/outdated versions of applications and drivers, and a multiplicity of other weak-points that can be exploited by anyone (including government-sponsored operations) trying to break in.

Most readers of this column tend to forget that they probably have a significantly higher awareness of the problem and have therefore taken steps to protect themselves. The fact that email-borne viruses and trojans (such as Melissa and the "Love Bug") continue to spread with such speed is a great indication of how many Net users (including many business-users) are ignorant, naive or just plain dumb.

I get regular reports from people who have received "infected" emails from public companies and smaller traders around NZ on a regular basis. You can bet that their PCs are equally vulnerable to hacking.

From: Chris Kerr
For: The Editor (for publication)
Subj: Police hacking

It's ironic that in an attempt to protect us from getting hacked, the government are granting themselves the right to hack us.
I'm even less impressed if they genuinely think this is going to help them fight computer crime. The only computers vulnerable to their interference will be the ones belonging to internet users who don't have the technical knowledge to protect themselves against intrusion. You wouldn't expect a burglar to leave his own doors and windows unlocked, would you?

It seems like either an attempt to be seen addressing a problem without actually making an effort, or an attempt to legitimize an unwelcome amount of scrutiny into the way New Zealanders are managing their affairs. Could someone point out the good guys and the bad guys to me? I'm having some trouble telling them apart.

From: Tony
For: The Editor (for publication)
Subj: More than one way in...

While I agree with the comment John makes about this being 'emotive', this argument assumes the only way in is through the Internet or a modem. As the powers that be are performing this service legally, what is to stop them coming in through a leased line (assuming that a business has one) courtesy of a Telco? Obviously this won't provide full access, but how many Admins monitor or protect leased line access?

From: nick
For: The Editor (for publication)
Subj: anti hacking laws

I'm opposed to any govt involvement in anything to do with the internet. Why? 'Cause as soon as they get any form of control on anything in this world you can bet the next thing will be a charge. Well, the theme of things these days is pay as you go. Imagine a charge for entry to sites accessed. Imagine a form of toll for the internet. Don't laugh. If the bods in govt get any control then they'll find a way of getting money out of it.

From: Rob K
For: The Editor (for publication)
Subj: Too late... Attacks ARE Authorized by the Gov't

Bruce: You guys are TOO late. Check out this link...
www.army.mil/disc4/privacy.html

It will show you the public policy for a typical military site (which, by the way, is required to be on all Department of Defense computers as an information dialog box requiring acceptance prior to logon). It SPECIFICALLY states that computers attaching via the internet are part of the security structure of the site. It also states: "Monitoring includes, but is not limited to, active attacks by authorized DoD entities to test or verify the security of the system."

So, too late gang.

Rob K
Baton Rouge, LA

From: Ian
For: The Editor (for publication)
Subj: Suspicion of committing an offence

Brian Cahill's point is well made: probably the new regulations will mean that most of the things we do online on a daily basis will become illegal. However, the police will presumably use discretion with regard to who they prosecute, in much the same way that they do with other offences.

However, will it not be very convenient to be able to arrest anyone with an internet connection under this new law, giving them time to find a "real" offence or "real" evidence? On second thoughts, if there is an offence _already_ committed, won't it save more time and money just to convict on this?

This seems similar to the notorious British "Vagrancy Act" or "sus" law, which enabled police to arrest anybody (often a member of an ethnic minority) on suspicion that an offence had been committed. Following an outcry a number of years ago, this law has now been replaced (although the law that replaced it is not much better).

From: Peter Hewett
For: The Editor (for publication)
Subj: Trashed my PC?

Of course, it doesn't take an incompetent hacking attempt to trash your PC. It could be a hardware or software crash, virus attack (newer than your update) or something. For mission critical data files, one should make a second copy, and store it in a separate place. A nuisance, but prudent for important files.
Risk of data loss is not really a good enough argument to allow criminals to do what they like because police are forbidden from investigating them.

From: Hamish MacEwan
For: The Editor (for publication)
Subj: State Invasion

These powers, beloved of Law Enforcement around the world, seem suspect to me on the simple grounds of usefulness. Can some enterprising soul discover or tell me, where such powers have done any good? Current wire-tapping provisions in the US, and those still not yet implemented under CALEA have a parlous history of success.

Citizens and the State seem enamoured of the notion that by granting these powers some benefit will arise. Not that I know of. Remember DNA, have you noticed the UK has now moved on to seeking sanction for recording the DNA of innocent people? Interestingly, after all the talk of prevention and detection of "Major Crime," the last news I saw of the use of this database was to investigate the theft of a large puppet from a pier somewhere in England.

No, the State already has too much power, is too fond of granting it to those with money and influence (the Digital Millennium Copyright Act), and we should stop being deluded by the promise of eliminating various hobgoblins (Narco-terrorists, child-porn-paedophiles, etc.) raised to justify ceding more of our rights and privacy.

If we are to just say no, let it be to the unwarranted intrusions into our lives these provisions allow, for little benefit and, note Citizen Taxpayer, at some expense. As far as I can see, like suing tobacco companies, this is just a case of "Me too!" for NZ, following the lead of our OECD brethren, just so we can stay in the club. We didn't with nuclear weapons, let's not with this either. State Invasion is not your friend, any more than plutonium is.

From: spiro
For: The Editor (for publication)
Subj: aargh

you people are clueless as the government. virus attacks? hard disk crashes? more like paranoia en masse.
not every computer on the planet is running windows. people who are running windows, or UNIX systems installed out of the box deserve to get hacked. you people should wake up and start learning how to secure your machines and your networks. or if you're in a corporate environment, pay someone to. if you're at home, get a copy of norton's personal firewall or something similar. it's not rocket science.

everybody should also install PGP. and start using it. encrypt ALL emails. if you only encrypt one email in 100, then they know what to target. if you start encrypting ALL email, they will have to crack everything. and good luck to them.