
Reader Comments on Aardvark Daily 22 Jan 2001

From: Brian Cahill
For : The Editor (for publication)
Subj: Crimes Amendment Bill

The Crimes Amendment Bill's giving government the power to
legally hack into computers has justifiably been given a lot
of attention, but there are other aspects of the bill (or
rather, the Supplementary Order Paper on it) that ought to
raise as much concern.

One (reported on IDG web site 19 Jan) is the subject of an
ICONZ submission on the SOP - that connecting a PC to a LAN
will become illegal because PCs are "... any device ... that
is capable of being used to intercept a private
communication ...".

Another is that the SOP makes "unauthorised access" to a
computer system illegal and punishable by up to two years
imprisonment. Since normal, honest, use of the Internet
frequently involves downloading files from WWW and FTP
sites, and sending e-mails, without prior "authorization"
from the target computer's owner, the SOP appears to make
most Internet usage illegal.

Some might say that making a computer accessible on the
Internet implies "authorisation" to access it, (in which
case computers connected to the Internet won't be protected
by the legislation). Others might say that yes, we'll all be
criminals under the new legislation but that's OK because
they'll only prosecute the "bad" people.

I don't find either explanation reassuring.




From: Richard
For : The Editor (for publication)
Subj: Poison pen for Spooks?

Hmm...

It occurs to me that one could set up "cop-bait" on a
computer system with traffic patterns likely to pique the
interest of the various nosey-parkers in the government's
employ.

Then one could make the system security hard, but not *too*
hard and lightly encrypt the file system (oh, with something
simple, like ROT13 or 56-bit encryption).

And then lace the sucker with every goddamn virus, worm,
trojan, bomb, trapdoor, backdoor you can lay your hand to,
hell, even write some new ones :)

That, and/or monitor the system so that any uninvited
intrusions can be traced and reverse-hacked as they happen -
 break into their systems as they break into yours.

If they wanna fight, give 'em one I say.




From: John Elsbury
For : (for publication)
Subj: Police Hacking

Nice, emotive, scenario but it just ain't like that.  For
a "hacking" attempt against a PC to work the following
conditions *have* to be met:

(1) The PC *must* be connected to the Internet and the
connection *must* be active for the duration of the
hacking attempt.

(2) There *must* be ports open on that PC which a hacker
can see, and those ports *must* in turn be connected to a
listening service which will respond to connection attempts.
The only way these ports will be there, open, and listening
is if the "hackee" PC is running software intended to open
those ports and listen to them, and to respond to
connection attempts.  There is no "magic backdoor"
available to law enforcement authorities, who would in any
case find it easier and more effective to install a device
to physically monitor keystrokes.  From outside you can't
force a MODEM to accept calls, and you can't open a port
which isn't there.

Now, I accept that a number of users will have peer sharing
enabled and so unprotected Windows shares may be visible.
I accept that some people will have "always-on" internet
connections.  Some may even have legitimate remote access
software (e.g. PC Anywhere) running.  I accept that some
people are unfortunate enough to have run "remote access
trojan" programs which they have received one way or
another.  Sure, those people are at risk.  If, however, I
was doing anything on my home PC which I was afraid "they"
might want to know about then I would avoid all of the
above risk factors - software firewalls are cheap and
reasonably effective, antivirus software will catch all but
the newest "trojans", and I wouldn't leave the PC
permanently connected to the Internet. Especially if I was
doing something business-critical.

Aardvark Replies...
Unfortunately, many business users (particularly SMEs) tend to
run their systems "out of the box" with little understanding of the
vulnerabilities that a "stock standard" Windows PC has.

With DSL becoming a cheaper and more viable "full-time" connection
option, many of these machines will be permanently online and
accessible -- especially if they leave their mail client polling the
ISP's POP server at regular intervals.

The unfortunate thing is that there are far too many PCs out there
on the Net with file-sharing enabled over the TCP/IP connection,
old/outdated versions of applications and drivers, and a
multiplicity of other weak-points that can be exploited by anyone
(including government-sponsored operations) trying to break in.

Most readers of this column tend to forget that they probably
have a significantly higher awareness of the problem and have
therefore taken steps to protect themselves.

The fact that email-borne viruses and trojans (such as Melissa
and the "Love Bug") continue to spread with such speed is a great
indication of how many Net users (including many business-users)
are ignorant, naive or just plain dumb.  I get regular reports
from people who have received "infected" emails from public
companies and smaller traders around NZ on a regular basis.
You can bet that their PCs are equally vulnerable to hacking.





From: Chris Kerr
For : The Editor (for publication)
Subj: Police hacking

It's ironic that in an attempt to protect us from getting
hacked, the government are granting themselves the right to
hack us.

I'm even less impressed if they genuinely think this is
going to help them fight computer crime.  The only
computers vulnerable to their interference will be the ones
belonging to internet users who don't have the technical
knowledge to protect themselves against intrusion.  You
wouldn't expect a burglar to leave his own doors and
windows unlocked, would you?

It seems like either an attempt to be seen addressing
a problem without actually making an effort, or an attempt
to legitimize an unwelcome amount of scrutiny into the way
New Zealanders are managing their affairs.

Could someone point out the good guys and the bad guys to
me?  I'm having some trouble telling them apart.



From: Tony
For : The Editor (for publication)
Subj: More than one way in...

While I agree with the comment John makes about this
being 'emotive', this argument assumes the only way in is
through the Internet or a modem.
As the powers that be are performing this service legally,
what is to stop them coming in through a leased line
(assuming that a business has one) courtesy of a Telco?
Obviously this won’t provide full access, but how many
Admins monitor or protect leased line access?




From: nick
For : The Editor (for publication)
Subj: anti hacking laws

I'm opposed to any govt involvement in anything to do with
the internet.    Why?  cause as soon as they get any form
of control on anything in this world you can bet the next
thing will be a charge.   Well, the theme of things these
days is pay as you go.   Imagine a charge for entry to
sites accessed.   Imagine a form of toll for the
internet.   Don't laugh.  If the bods in govt get any
control then they'll find a way of getting money out of it.




From: Rob K
For : The Editor (for publication)
Subj: Too late... Attacks ARE Authorized by the Gov't

Bruce:  You guys are TOO late.  Check out this link...

www.army.mil/disc4/privacy.html

It will show you the public policy for a typical military
site (which, by the way, is required to be on all
Department of Defense computers as an information dialog
box requiring acceptance prior to logon).  It SPECIFICALLY
states that computers attaching via the internet are part
of the security structure of the site. It also states:

"Monitoring includes, but is not limited to, active attacks
by authorized DoD entities to test or verify the security
of the system."

So, too late gang.

Rob K
Baton Rouge, LA




From: Ian
For : The Editor (for publication)
Subj: Suspicion of committing an offence

Brian Cahill's point is well made: probably the new
regulations will mean that most of the things we do online
on a daily basis will become illegal.

However, the police will presumably use discretion with
regard to who they prosecute, in much the same way that they
do with other offences.

However, will it not be very convenient to be able to
arrest anyone with an internet connection under this new
law, giving them time to find a "real" offence or "real"
evidence.

On second thoughts, if there is an offence _already_
committed, won't it save more time and money just to
convict on this?

This seems similar to the notorious British "Vagrancy Act"
or "sus" law, which enabled police to arrest anybody (often
a member of an ethnic minority) on suspicion that an offence
had been committed. Following an outcry a number of
years ago, this law has now been replaced (although the law
that replaced it is not much better).




From: Peter Hewett
For : The Editor (for publication)
Subj: Trashed my PC?

Of course, it doesn't take an incompetent hacking attempt
to trash your PC.  It could be a hardware or software
crash, virus attack (newer than your update) or something.

For mission critical data files, one should make a second
copy, and store it in a separate place.  A nuisance, but
prudent for important files.

Risk of data loss is not really a good enough argument to
allow criminals to do what they like because police are
forbidden from investigating them.




From: Hamish MacEwan
For : The Editor (for publication)
Subj: State Invasion

These powers, beloved of Law Enforcement around the world,
seem suspect to me on the simple grounds of usefulness.  Can
some enterprising soul discover or tell me, where such
powers have done any good?

Current wire-tapping provisions in the US, and those still
not yet implemented under CALEA have a parlous history of
success.  Citizens and the State seem enamoured of the
notion that by granting these powers some benefit will
arise.  Not that I know of.

Remember DNA, have you noticed the UK has now moved on to
seeking sanction for recording the DNA of innocent people?
Interestingly, after all the talk of prevention and
detection of "Major Crime," the last news I saw of the use
of this database was to investigate the theft of a large
puppet from a pier somewhere in England.

No, the State already has too much power, is too fond of
granting it to those with money and influence (the Digital
Millennium Copyright Act), and we should stop being deluded
by the promise of eliminating various hobgoblins
(Narco-terrorists, child-porn-paedophiles, etc.) raised to
justify ceding more of our rights and privacy.

If we are to just say no, let it be to the unwarranted
intrusions into our lives these provisions allow, for little
benefit and, note Citizen Taxpayer, at some expense.

As far as I can see, like suing tobacco companies, this is
just a case of "Me too!" for NZ, following the lead of our
OECD brethren, just so we can stay in the club.  We didn't
with nuclear weapons, let's not with this either.  State
Invasion is not your friend, anymore than plutonium is.




From: spiro
For : The Editor (for publication)
Subj: aargh

you people are clueless as the government.

virus attacks? hard disk crashes? more like paranoia en
masse.

not every computer on the planet is running windows. people
who are running windows, or UNIX systems installed out of
the box deserve to get hacked. you people should wake up and
start learning how to secure your machines and your
networks.

or if you're in a corporate environment, pay someone to.

if you're at home, get a copy of norton's personal firewall
or something similar.

it's not rocket science.

everybody should also install PGP. and start using it.
encrypt ALL emails. if you only encrypt one email in 100,
then they know what to target. if you start encrypting ALL
email, they will have to crack everything. and good luck to
them.


