Kaspersky calls for end to net anonymity

http://www.zdnetasia.com/insight/sec...2058697,00.htm

[Q] That's it? What's wrong with the design of the Internet?

[Kaspersky] There's anonymity. Everyone should and must have an
identification, or Internet passport. The Internet was designed not for
public use, but for American scientists and the U.S. military. That was
just a limited group of people--hundreds, or maybe thousands. Then it
was introduced to the public and it was wrong to introduce it in the
same way.

I'd like to change the design of the Internet by introducing
regulation--Internet passports, Internet police and international
agreement--about following Internet standards. And if some countries
don't agree with or don't pay attention to the agreement, just cut them off.

********************************************

Maybe it's time to call for an end to Kaspersky's influence in computer
security.


jc

On Sun, 18 Oct 2009, in the Usenet newsgroup alt.computer.security, in article
<hbfsuj$el8$1@news.eternal-september.org>, jc wrote:

>http://www.zdnetasia.com/insight/sec...2058697,00.htm

Yeah, but you snipped a bit of context that explains some of his
points.

] Are you saying that people often don't understand the complexities of
] the work security researchers are involved in? Consumers, businesses
] and even governments?

] Governments do understand because they are more and more in touch with
] these problems. Enterprises, big enterprises, some of them have
] dedicated teams of security experts and they really understand what's
] going on. Consumers generally have no clue, but they don't need to
] understand.

Do you honestly think that even a hundredth of one percent of the users
have any clue at all? People think that because they can have access,
they can do anything without worrying about side effects.

>The Internet was designed not for public use, but for American
>scientists and the U.S. military. That was just a limited group of
>people--hundreds, or maybe thousands.

0597 Host status. N. Neigus, E.J. Feinler. December 1973. (Format:
TXT=11678 bytes) (Updated by RFC0603) (Status: UNKNOWN)

0603 Response to RFC 597: Host status. J.D. Burchfiel. December 1973.
(Format: TXT=1482 bytes) (Updates RFC0597) (Updated by RFC0613)
(Status: UNKNOWN)

0613 Network connectivity: A response to RFC 603. A.M. McKenzie.
January 1974. (Format: TXT=2557 bytes) (Updates RFC0603)
(Status: UNKNOWN)

December 1973 is a bit before IP (RFC0791 - September 1981). But you
probably want to look at RFC0832;

0832 Who talks TCP?. D. Smallberg. December 1982. (Format: TXT=42751
bytes) (Obsoleted by RFC0833) (Status: UNKNOWN)

and revisions (RFC0833-9, RFC0842-7 from December, 1982 to February,
1983). That assumes you have enough clue to know what TCP is.

Oh, and you clipped out an interesting one:

] If I were Bill Gates, I'd run another company--100 percent owned by
] Microsoft--that produces the antivirus under a different brand.

I'd prefer to have Microsoft take responsibility for providing shitty
code and security holes large enough to fly a dozen Airbus A-380s in
line-abreast formation through. You know the chance of that happening.

>I'd like to change the design of the Internet by introducing
>regulation--Internet passports, Internet police and international
>agreement--about following Internet standards.

In the 1970s and 1980s, computer users knew about _responsibility_
for their activities. If you fucked up, your account _could_ be toast
and you lost access. As most who had access either used it as part of
their job or school work, loss of access had severe repercussions.

There is registration now - but the problem is that there are no
repercussions for "bad" behavior, just as there are few agreed
definitions of such behavior. Do you remember the last time a spammer
was prosecuted or sued for loss of bandwidth? Spammers and on-line
gaming and pr0n providers are just trying to make money - why single
them out? Personally, I'd love to see every owner of an infected
computer be fined the 'cleanup' costs, and loose access for a
significant time - a year for the first proven offense - three years
for the second, and so on. Is your computer a zombie/bot because YOU
don't know or care to learn how to use it? Oh, yeah - I know! Your
computer is protected by that 30-day demo version of $SCREWU
Anti-mal-ware software that it came with when you bought it. Right.

Old guy

You are getting to be a grumpy old man telling us about how wonderful
things used to be in his youth, and how everything is going to hell
nowadays. Don't.
I was also there in those good old days. I was I think one of the first
people in Canada to get an account on Arpanet and to run programs
remotely on the the MIT server-- tensor manipulation routines to do
General Relativity on-- connection via 300bps modem.

yes, at present there are a lot of problems with the net, but then even
with those passports, etc, there would be problems. If you think they
would not be successfully forged, then you are dreaming. Ie, this is
liable to bring more problems for people and few benefits.

Note that liablity for the software writers (eg MS and its software) would be a far
bigger advance.

And the whole issue of "big brother" is such as to make such a scheme
absolutely abhorent for me. That whole licensing scheme would rapidly be
used both by the gov't and by criminal elements to trackback stuff on
the web to you.





ibuprofin@painkiller.example.tld (Moe Trin) writes:

>On Sun, 18 Oct 2009, in the Usenet newsgroup alt.computer.security, in article
><hbfsuj$el8$1@news.eternal-september.org>, jc wrote:

>>http://www.zdnetasia.com/insight/sec...2058697,00.htm

>Yeah, but you snipped a bit of context that explains some of his
>points.

>] Are you saying that people often don't understand the complexities of
>] the work security researchers are involved in? Consumers, businesses
>] and even governments?

>] Governments do understand because they are more and more in touch with
>] these problems. Enterprises, big enterprises, some of them have
>] dedicated teams of security experts and they really understand what's
>] going on. Consumers generally have no clue, but they don't need to
>] understand.

>Do you honestly think that even a hundredth of one percent of the users
>have any clue at all? People think that because they can have access,
>they can do anything without worrying about side effects.

>>The Internet was designed not for public use, but for American
>>scientists and the U.S. military. That was just a limited group of
>>people--hundreds, or maybe thousands.

> 0597 Host status. N. Neigus, E.J. Feinler. December 1973. (Format:
> TXT=11678 bytes) (Updated by RFC0603) (Status: UNKNOWN)

> 0603 Response to RFC 597: Host status. J.D. Burchfiel. December 1973.
> (Format: TXT=1482 bytes) (Updates RFC0597) (Updated by RFC0613)
> (Status: UNKNOWN)

> 0613 Network connectivity: A response to RFC 603. A.M. McKenzie.
> January 1974. (Format: TXT=2557 bytes) (Updates RFC0603)
> (Status: UNKNOWN)

>December 1973 is a bit before IP (RFC0791 - September 1981). But you
>probably want to look at RFC0832;

> 0832 Who talks TCP?. D. Smallberg. December 1982. (Format: TXT=42751
> bytes) (Obsoleted by RFC0833) (Status: UNKNOWN)

>and revisions (RFC0833-9, RFC0842-7 from December, 1982 to February,
>1983). That assumes you have enough clue to know what TCP is.

>Oh, and you clipped out an interesting one:

>] If I were Bill Gates, I'd run another company--100 percent owned by
>] Microsoft--that produces the antivirus under a different brand.

>I'd prefer to have Microsoft take responsibility for providing shitty
>code and security holes large enough to fly a dozen Airbus A-380s in
>line-abreast formation through. You know the chance of that happening.

>>I'd like to change the design of the Internet by introducing
>>regulation--Internet passports, Internet police and international
>>agreement--about following Internet standards.

>In the 1970s and 1980s, computer users knew about _responsibility_
>for their activities. If you fucked up, your account _could_ be toast
>and you lost access. As most who had access either used it as part of
>their job or school work, loss of access had severe repercussions.

>There is registration now - but the problem is that there are no
>repercussions for "bad" behavior, just as there are few agreed
>definitions of such behavior. Do you remember the last time a spammer
>was prosecuted or sued for loss of bandwidth? Spammers and on-line
>gaming and pr0n providers are just trying to make money - why single
>them out? Personally, I'd love to see every owner of an infected
>computer be fined the 'cleanup' costs, and loose access for a
>significant time - a year for the first proven offense - three years
>for the second, and so on. Is your computer a zombie/bot because YOU
>don't know or care to learn how to use it? Oh, yeah - I know! Your
>computer is protected by that 30-day demo version of $SCREWU
>Anti-mal-ware software that it came with when you bought it. Right.

> Old guy

In <slrnhdphi5.lca.ibuprofin@compton.phx.az.us> ibuprofin@painkiller.example.tld (Moe Trin) writes:

[snip]

>them out? Personally, I'd love to see every owner of an infected
>computer be fined the 'cleanup' costs, and loose access for a
>significant time - a year for the first proven offense - three years
>for the second, and so on.

And then we can go after the folk who mistake "loose" for "lose".
And if we follow up by banning the people who add in an apostrophe
when using the possessive form of "it[']s", we'll have lots
and lots of spare capacity...

--
__________________________________________________ ___
Knowledge may be power, but communications is the key
dannyb@panix.com
[to foil spammers, my address has been double rot-13 encoded]

Moe Trin wrote:
> On Sun, 18 Oct 2009, in the Usenet newsgroup alt.computer.security, in article
> <hbfsuj$el8$1@news.eternal-september.org>, jc wrote:
>
>> http://www.zdnetasia.com/insight/sec...2058697,00.htm
>
> Yeah, but you snipped a bit of context that explains some of his
> points.
>
> ] Are you saying that people often don't understand the complexities of
> ] the work security researchers are involved in? Consumers, businesses
> ] and even governments?
>
> ] Governments do understand because they are more and more in touch with
> ] these problems. Enterprises, big enterprises, some of them have
> ] dedicated teams of security experts and they really understand what's
> ] going on. Consumers generally have no clue, but they don't need to
> ] understand.
>
> Do you honestly think that even a hundredth of one percent of the users
> have any clue at all? People think that because they can have access,
> they can do anything without worrying about side effects.
>
>> The Internet was designed not for public use, but for American
>> scientists and the U.S. military. That was just a limited group of
>> people--hundreds, or maybe thousands.
>
> 0597 Host status. N. Neigus, E.J. Feinler. December 1973. (Format:
> TXT=11678 bytes) (Updated by RFC0603) (Status: UNKNOWN)
>
> 0603 Response to RFC 597: Host status. J.D. Burchfiel. December 1973.
> (Format: TXT=1482 bytes) (Updates RFC0597) (Updated by RFC0613)
> (Status: UNKNOWN)
>
> 0613 Network connectivity: A response to RFC 603. A.M. McKenzie.
> January 1974. (Format: TXT=2557 bytes) (Updates RFC0603)
> (Status: UNKNOWN)
>
> December 1973 is a bit before IP (RFC0791 - September 1981). But you
> probably want to look at RFC0832;
>
> 0832 Who talks TCP?. D. Smallberg. December 1982. (Format: TXT=42751
> bytes) (Obsoleted by RFC0833) (Status: UNKNOWN)
>
> and revisions (RFC0833-9, RFC0842-7 from December, 1982 to February,
> 1983). That assumes you have enough clue to know what TCP is.
>
> Oh, and you clipped out an interesting one:
>
> ] If I were Bill Gates, I'd run another company--100 percent owned by
> ] Microsoft--that produces the antivirus under a different brand.
>
> I'd prefer to have Microsoft take responsibility for providing shitty
> code and security holes large enough to fly a dozen Airbus A-380s in
> line-abreast formation through. You know the chance of that happening.
>> I'd like to change the design of the Internet by introducing
>> regulation--Internet passports, Internet police and international
>> agreement--about following Internet standards.
>
> In the 1970s and 1980s, computer users knew about _responsibility_
> for their activities. If you fucked up, your account _could_ be toast
> and you lost access. As most who had access either used it as part of
> their job or school work, loss of access had severe repercussions.
>
> There is registration now - but the problem is that there are no
> repercussions for "bad" behavior, just as there are few agreed
> definitions of such behavior. Do you remember the last time a spammer
> was prosecuted or sued for loss of bandwidth? Spammers and on-line
> gaming and pr0n providers are just trying to make money - why single
> them out? Personally, I'd love to see every owner of an infected
> computer be fined the 'cleanup' costs, and loose access for a
> significant time - a year for the first proven offense - three years
> for the second, and so on. Is your computer a zombie/bot because YOU
> don't know or care to learn how to use it? Oh, yeah - I know! Your
> computer is protected by that 30-day demo version of $SCREWU
> Anti-mal-ware software that it came with when you bought it. Right.
>
> Old guy


I see. Shall we model the Internet after China's lead? Kaspersky is
proposing a virtual police state. Anonymity is essential for dissident
movements in many parts of the world, but in Kaspesrky's view this is
disposable for a little bit of what he views as "security." And, if I
want to visit a few p0rn sites inconspicuously, that's my prerogative. :)


jc

On Mon, 19 Oct 2009, in the Usenet newsgroup alt.computer.security, in article
<Aw4Dm.49558$PH1.10401@edtnps82>, Unruh wrote:

>You are getting to be a grumpy old man

Getting to be? Bill, I've been a grumpy old man for at least five or
more years - long before I turned 65.

>yes, at present there are a lot of problems with the net, but then
>even with those passports, etc, there would be problems. If you think
>they would not be successfully forged, then you are dreaming. Ie,
>this is liable to bring more problems for people and few benefits.

Agreed - and if you think I'm advocating such, you are REALLY
mis-reading my posts. Passports/licenses are not the solution and
won't work any more than existing anti-mal-ware prevents bots and
zombies. The userbase wouldn't stand for it anyway. You might notice
Jon Postal's RFC0706 from 1975. Slightly similar to today, no? What
I was referring to is the fact that the existing system isn't dealing
with the existing problems. At one time, network entities at least
made a token effort to control abuse. But as one example, I've given
up on sending mail to the RFC2142 'abuse@' role account more than five
years ago. It's a waste of my admin time, and if you're lucky and your
mail doesn't bounce (either "no such user", or "mailbox full") you may
get a canned response from an ignore-bot that does absolutely nothing.
I had problems with abuse (mainly zombie/bot stuff) from three '.edu's
two of which had limited but legitimate reasons to connect to some of
our servers. Complaints were ignored until a firewall block rule got
the attention of someone at two of them. The abuse was stopped in
less than a day, and we then restored limited access. Why did it take
that much work on our part?

Most entities have dropped the abuse role - partially because the bean
counters see it as an expense with no redeeming points, partially
because the majority of the complaints tend to be childish in nature
(news://alt.os.linux.ubuntu is a classic - and comp.os.linux.misc is
not far behind), or either lack details or the details point elsewhere.
Who is to blame for that? Will it get fixed? Not likely. Sure I'm
getting less spam mail from zombies, mainly because I've stopped
accepting connections from residential ISPs and anonymous mail
services. Pity about the contents of the bath water, but corporate
approves the trade-off.

>Note that liablity for the software writers (eg MS and its software)
>would be a far bigger advance.

which I don't think is going to happen either. The sheep keep buying
the crap, and there is no incentive for MS to make anything better.

>And the whole issue of "big brother" is such as to make such a scheme
>absolutely abhorent for me. That whole licensing scheme would rapidly
>be used both by the gov't and by criminal elements to trackback stuff
>on the web to you.

No, I'd rather see provider themselves enforce what they may laughingly
call their terms of service. I suspect that's not going to happen
either, because of fear that they could be sued, or that the bean
counters would be horrified at any possible loss of potential or
actual revenues.

Old guy

On Mon, 19 Oct 2009, in the Usenet newsgroup alt.computer.security, in article
<hbj2sb$saf$1@news.eternal-september.org>, jc wrote:

>Moe Trin wrote:

>> There is registration now - but the problem is that there are no
>> repercussions for "bad" behavior, just as there are few agreed
>> definitions of such behavior. Do you remember the last time a
>> spammer was prosecuted or sued for loss of bandwidth? Spammers
>> and on-line gaming and pr0n providers are just trying to make money
>> - why single them out? Personally, I'd love to see every owner of
>> an infected computer be fined the 'cleanup' costs, and loose access
>> for a significant time - a year for the first proven offense - three
>> years for the second, and so on.

>I see. Shall we model the Internet after China's lead?

Obviously, you haven't been there, and believe it must be horrible.
Were that the case, why is a lot of network abuse showing up from
Chinese IP space - continually? Or do you believe that there are
endless numbers of Chinese companies selling exactly the same
merchandise by spamming the crap out of certain Usenet news groups
with a new company replacing one that the Chinese government has
punished the previous day?

>Kaspersky is proposing a virtual police state.

I don't care what he's proposing. It's not practical and won't fly.

>Anonymity is essential for dissident movements in many parts of the
>world, but in Kaspesrky's view this is disposable for a little bit of
>what he views as "security."

True anonymity is difficult to achieve - do you know the open access
point you are using to send stuff to an onion router is open because
the owner is clueless, doesn't care, or is running a honeypot?

>And, if I want to visit a few p0rn sites inconspicuously, that's my
>prerogative. :)

And why should I care? As long as you are not using my own, or my
companies resources, you can do anything you'd like. But note that
caveat.

Old guy

On Sun, 18 Oct 2009 13:15:53 -0700, jc wrote:

> http://www.zdnetasia.com/insight/sec...2058697,00.htm
>
> [Q] That's it? What's wrong with the design of the Internet?
>
> [Kaspersky] There's anonymity. Everyone should and must have an
> identification, or Internet passport.

Go fuck yourself, Kasp, Internet anonymity is the backbone of the
international rebellion against tyranny and George Bushit(e)s.
--
A fireside chat not with Ari!
http://tr.im/holj
Motto: Live To Spooge It!

[Kaspersky] There's anonymity. Everyone should and must have an
identification, or Internet passport.

Crap! - There is nothing wrong with the design of the internet.
Remember...it was originally designed for sharing information.
And, what is the problem about sharing information? Well, I guess only
if you have something to hide that may be a problem. But to the rest
of us - not. And security can also be born of "access to information",
as what you do not know can and most likely will affect you...

Just take a look at the Gary McKinnon case - that has been going on
for 7 years now.
http://freegary.org.uk/
And ask yourself [Kaspersky] is there any resemblance to nazi like
behaviour by the political elements?
Unless you advocate this type of tyranny - go fuck yourself
[Kaspersky]

Elle