Jonathan Zittrain and a Cyber September 11


To listen: download the mp3 linked at the bottom of the post.

“Only if it’s in a safe-deposit box, surrounded by Marines. And it’s unplugged.” This is how Jonathan Zittrain explains how to save your computer from a virus that, he adds, we can’t possibly avoid. When the people who want to destroy the world — we’re talking about terrorists — figure out a way to reward the hackers who actually can, a hundred million people (and some banks, and some airlines) will wake up one morning to computers wiped clean of data that feature, according to Zittrain, a skull and crossbones and the words “you lose.”

He’s describing a virus that is fundamentally more malignant, designed to destroy a good chunk of the capital we have stored up in America as data. It’s nothing that McAfee or Norton can protect you from.

Zittrain is the Jack N. and Lillian R. Berkman Assistant Professor of Entrepreneurial Legal Studies at Harvard Law School, which means that it’s his job to worry not only about the possibility of such a virus, but its consequences. The reaction to a terrorist attack on an open network is likely to mirror that of an attack on an open society: increased suspicion, the possibility of draconian restrictions on coding that may choke innovation and change the value of the Internet.

So Jonathan Zittrain will be in the studio with Chris, but we’re looking for a couple of other people: perhaps Richard Clarke, who made a pet project of cyber security before many people were worried about it, perhaps someone else who specializes in terrorism and the Internet and, we hope, someone who can really outline for us what would happen if we woke up one day without computers.

Ideas?

Jonathan Zittrain

Jack N. and Lillian R. Berkman Assistant Professor of Entrepreneurial Legal Studies, Harvard Law School
From Brendan’s pre-interview notes
The status quo is not tenable. Right now we have a ton of consumers who are clueless, including really powerful computers that are always on and have broadband; this is a recipe for disaster. One Tuesday morning we’ll wake up and everything will be wiped, something. Only the forbearance of the virus-writers prevents more virulent attacks.

To prevent more virulent attacks: mostly that we just can’t get enough people to do this; the kind of skill and vigilance needed is not something it’s fair to demand of the average PC user.

Vendors won’t improve their products, users won’t improve their habits until there’s a watershed event, a digital 9/11. Aftermath: a public demand for computers to finally act like appliances. “I want the machine that’s not interesting, but reliable.”

Legislation: things are going to be drawn up that would be crude; maybe access should be limited to those who can take security seriously, compromising the generative nature of the Internet.

Mark Seiden

A sniffer — looks for flaws in corporate networks — for the Cutter Consortium
From Brendan’s pre-interview notes
Are institutions safe? Of course they’re not safe. They run the same software as the consumers run. They may be better at applying patches, but still have the same vulnerability. When the Irish potato famine happened, they all had the same kind of potato. One bug can reach through and kill them all. Basically, it’s all Windows. 80 percent Windows. If you can get more than fifty percent of the install space infected with a new bug, you can cause a lot of damage.

How do you get in through the firewalls? Lots of ways. People have portable machines, connect at home, connect at work. Employees can be induced to download stuff. The perimeter is just too permeable these days.

Judith Perrolle

Professor of Sociology, Northeastern University
From Brendan’s pre-interview notes
The focus on a catastrophic event is sensationalist. It’s so much easier to blame some evil outside person than to make the changes you need to prevent the smaller events — hard-drive crashes, viruses — that happen much more often. A huge amount of crime is done by insiders; there’s a much greater chance that it’s a clerk in a bank than a teenager in Bucharest. We’re vulnerable, to accidents as well as evil people.

The very design of computers, the Internet was fault tolerant, routes around problems. The original Internet is a very nice example of fault-tolerant design.

There’s a trend in our legal system toward reducing product liability. Companies are less and less likely to get sued for product failures. If we reverse the trend, we make companies more responsible for flaws in computer design.

We need more end-user education, like the seatbelt campaign, and we need safer cars; let’s not have so many Ford Pintos. You can’t keep bad people from doing things, you can only make the bad things that people do have small consequences.

Will a loss event increase protections? Bubonic plague worked wonders for the survivors: wages went up, it really freed up a lot of opportunities. But do we want that? Danger of overreaction. After 9/11, when you go to an airport it’s enormously inconvenient, yet we don’t check the contents of containers coming into the country; there are now economic drags in place that don’t slow down terrorists at all.

Tonight’s Music
Gerador Zero of Rio de Janeiro, Brazil.
download an mp3

45 Responses to “Jonathan Zittrain and a Cyber September 11”

  1. Hank Says:

    Clifford Stoll? He was one of the first ones to look at computer crime. He was worried about computer crime well before Richard Clarke.

    http://www.amazon.com/exec/obidos/tg/detail/-/0671726889/104-9107966-7767138?v=glance
    http://en.wikipedia.org/wiki/Clifford_Stoll

  2. pbannister Says:

    Probably the best voice on computer security would be Bruce Schneier (schneier@counterpane.com and http://www.counterpane.com).

  3. greg Says:

    Back at Apple in the early 90′s I used to joke that when the world-ending virus shipped we’d still have six months to compute before they ported it to the Mac.

    Diversity may be a pain for developers, but it makes the installed base much more resistant to single-point security failure. Might want to ask your guests what they think of computing monoculture and the security implications of a single OS, browser etc.

    And yes, it’d be great to hear more from Schneier.
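Mark Seiden’s potato-famine analogy and greg’s monoculture point can be put in numbers with a toy epidemic model. The block below is an added example for this thread (it is not code from the show, its guests or any commenter): it wires up a random host network, assigns each host a platform, and lets a worm that only exploits one platform spread along links. The platform shares, the network shape and the host count are constructed for illustration; the diverse population caps the outbreak at the share of the vulnerable platform.

```python
"""Toy worm-propagation model: one exploit, one platform, two populations.
Added example for this discussion thread; all shares and the network layout
are constructed, not measured."""
import random
from collections import deque


def build_graph(n_hosts, degree, seed=1):
    """Wire a random undirected graph: every host links to `degree` random
    peers, so the average number of links per host is about 2 * degree."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n_hosts)}
    for i in range(n_hosts):
        for _ in range(degree):
            j = rng.randrange(n_hosts)
            if j != i:
                adj[i].add(j)
                adj[j].add(i)
    return adj


def assign_platforms(n_hosts, shares, seed=1):
    """Give each host a platform according to `shares` (name -> fraction).
    Shares are assumed to sum to 1; rounding leftovers go to the first name."""
    rng = random.Random(seed)
    platforms = []
    for name, share in shares.items():
        platforms.extend([name] * int(round(n_hosts * share)))
    first = next(iter(shares))
    platforms = platforms[:n_hosts] + [first] * (n_hosts - len(platforms))
    rng.shuffle(platforms)
    return platforms


def simulate_outbreak(platforms, adj, vulnerable_platform, patient_zero):
    """Breadth-first spread of a worm that exploits exactly one platform: a
    host is infected only if it runs that platform and is linked to an
    infected host. Returns the fraction of ALL hosts that end up infected."""
    if platforms[patient_zero] != vulnerable_platform:
        return 0.0
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        host = queue.popleft()
        for peer in adj[host]:
            if peer not in infected and platforms[peer] == vulnerable_platform:
                infected.add(peer)
                queue.append(peer)
    return len(infected) / len(platforms)


def compare_populations(n_hosts=1000, degree=4, seed=7):
    """Run the same outbreak over the same network twice: once where every
    host runs os_a (monoculture), once with a constructed 50/30/20 mix.
    Returns (monoculture_fraction, diverse_fraction)."""
    adj = build_graph(n_hosts, degree, seed)
    mono = assign_platforms(n_hosts, {"os_a": 1.0}, seed)
    diverse = assign_platforms(n_hosts, {"os_a": 0.5, "os_b": 0.3, "os_c": 0.2}, seed)
    # patient zero must itself run the vulnerable platform
    p0_mono = next(i for i, p in enumerate(mono) if p == "os_a")
    p0_div = next(i for i, p in enumerate(diverse) if p == "os_a")
    return (simulate_outbreak(mono, adj, "os_a", p0_mono),
            simulate_outbreak(diverse, adj, "os_a", p0_div))


if __name__ == "__main__":
    mono_frac, div_frac = compare_populations()
    print(f"monoculture: {mono_frac:.1%} of hosts infected")
    print(f"diverse mix: {div_frac:.1%} of hosts infected")
```

The diverse run can never exceed the vulnerable platform’s share (here 50%), whatever the network looks like; the monoculture run reaches nearly every host because the exploit works everywhere. That is the whole of Seiden’s argument about the "install space", stated as a model rather than an analogy.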

  4. JonGarfunkel Says:

    A rather foreboding title for the show– ? I have a lot of respect for Zittrain, but this is a bit of hyperbole here. To obliquely paraphrase Groucho, I’ll disconnect my computer, and you can keep the safe deposit box and the Marines. It’s not like the “evil-doers” are going to write a virus, and then send in some armed contingent to take out the systems *off* the Net. (What Groucho actually said: “Give me fresh air, golf clubs, and a beautiful girl– and you can keep the fresh air and the golf clubs!”)

    Agreed with Greg on diversity of software as a defense mechanism.

    And considering “the possibility of draconian restrictions on coding that may choke innovation and change the value of the Internet…” Well, consider what actually happened after September 11th. The draconian restrictions were… surrendering your toenail clippers and blowtorches upon boarding airplanes (the shoes came later). I understand that we may have reason to fear controls on code (a la DCMA)… and perhaps, a non-programmer might simply have a knee-jerk reaction to require that all code be licensed, but I’d be curious to find someone who’s actually voiced this.

    As for said “evil-doers,” from what I’ve read from Clarke and Michael Scheuer (who wrote his last two books as “Anonymous”), the global terrorist group al-Qaeda doesn’t really want to “destroy the world.” They’d really like to control the Persian Gulf oil. I’d be just as likely to see crippling viruses come from lone actors.

  5. keepmoving Says:

    I have the distinct pleasure of using two different software on a daily basis. At work I use Microsoft Windows and at home we have nothing but Macs. I am continually amazed at how little upkeep there is with our Macs. At work there is always some new virus or virus protector we have to be aware of or use. At home, we don’t think twice about going anywhere on the web.

    Recently, at work, there was a warning about a virus on the iTunes site. Any PC user was to beware. I only have iTunes on our home computer so there was nothing to worry about.

    This is an example of how two softwares can stop viruses. My questions would be

    1. How could these two talk to each other and not spread viruses?
    2. Would e-mailing things around be an option (I’m thinking of a virus that might hit a company)?
    3. How many softwares would it take to stop a virus? ( There is no punch line, it is a real question! *:O)

  6. Evil Otto Says:

    The problem with information security is not the technology itself. You can have all the firewalls and antivirus programs in the world, updated every five minutes; it can all be undone in five seconds by the human factor.

    Social engineering, as some describe it, is a far larger threat than any Windows virus ever could be. The average end user in a US company takes zero responsibility for security. When asked, the majority will indicate that they at least understand the need for information security policies and practices, but be unable to tell you what that means, or what they need to do to comply.

    As a result, in my opinion, the enterprise approach to information security in this country is a joke. It’s not for lack of trying on IT’s part, in most cases; most competent IT departments as a whole can recommend policies that will have the effect of increasing security to desirable levels. (As the article indicates, the only completely secure computer is one that’s in a locked box, unplugged.) The problem comes when the People Who Decide Such Things decide that IT’s recommendation is too intrusive or inconvenient, and change the policies (or more frequently, their enforcement) to increase convenience at the expense of security.

    To take an example, it’s inconvenient to have to memorize your password. It’s much easier to write it down on a sticky note and tape it to your laptop. The problem with that is it completely negates the security benefit of a password; the password system may as well not exist. Passwords are the foundation upon which enterprise security is built; yet this behavior is tolerated at all levels of the enterprise, even when written IT policy specifically prohibits it.

    Why does this happen? Because when push comes to shove, the people in IT need to keep their jobs. Telling a vice president (or someone that has his ear) that they’re in violation of IT policy has the potential for being a severely career-limiting event. Once an exception has been made, the potential exists for the policy in question to become completely meaningless.

    A partial solution to the entire information security problem is to empower (eek, that word makes my skin crawl) IT to *actually enforce the policies that they put in place*. IT workers need to be able to tell the users they support when they’re in violation of written policy, and document said violations directly with Human Resources, as they would with theft, tardiness, insubordination, or any number of other items that would involve HR documentation. I say directly with HR because working with the end user’s manager would be ineffective in most cases, as the manager could simply dismiss the violation out of hand as being “not important”. There would also need to be *real consequences* for breaking IT policy. Not a lecture, not a memo, but something with more teeth, like a suspension, or, in severe cases, termination for cause.

    This may seem severe, even Draconian, but when you realize the stakes involved, the punishment fits the crime. Something as simple as the written password example that I described above could potentially lead to significant material losses on the part of the company, depending on the role of the employee involved. (Would Staples like it if Office Depot got hold of their marketing strategy for the next fiscal year? I seriously doubt it.)

    The cynic in me says that the status quo is unlikely to change. A “digital 9/11” would probably have a beneficial short-term impact on IT policy regarding security, but so long as IT has to answer to non-technical departments, their efforts at increasing security will be largely in vain.

  7. mnye Says:

    I have used an internet-connected ibook for the last 5 years without any virus or spam trouble. I keep my personal and financial records on an old pc that is never on the internet. It is plugged into the electricity, but how could it possibly be affected by a virus?

    Of more concern are the computer systems used by governments and businesses. Are you saying they don’t keep backups of their essential data? Systems that depend on real-time data input would be most vulnerable, wouldn’t they? Like air traffic control. Surely they have a plan for emergencies–they must be able to communicate — they must have done it somehow before they had computers. It’s just plain incompetent not to do so. We should all keep our old tools–books, papers, pencils–just in case.

    Here’s my biggest question: Why can’t an airport or a business have an inTRAnet that’s not on the inTERnet, and a separate one for the internet? Won’t we soon have retina scans to identify authorized users of proprietary data?

    I don’t understand why you seem to be more worried by the possibility of a wipeout than the possibility of an undetectable spy virus or a virus that alters critical data.

    I’m not a technical person, so please forgive me if my questions are stupid. Here’s another: Do you think our nuclear weapons are on the internet? Please tell me it isn’t so.

  8. JonGarfunkel Says:

    To “keepmoving” — when you say “softwares” I think you mean “operating systems.” To answer your question, let’s continue the biological metaphor, and think of different OS’s as different species. In general, most viruses have evolved to target one type of host species. So viruses rarely cross species.

    There’s another plainly obvious reason why there aren’t many cross-platform viruses. There aren’t many Mac viruses to begin with. Search Google for “Mac virus” and you get this well-researched article from the MacObserver website.
    “Mac Viruses By The Numbers – Word Macro: 553, Classic Mac: 26, OS X: Zero”
    http://www.macobserver.com/editorial/2003/08/29.1.shtml

    To “Evil Otto”– yes, to an extent (I work for an IT department). There are also times that IT is overprotective, and thus users work around security walls which they don’t appreciate (not here, of course).

    To “mnye” (did I pronounce that right?) — again, yes, to an extent. It is not always a question of black or white whether a system is connected to the Internet. Most business/government/public safety systems are connected to a network, and connections to the wild Internet are controlled at each access point along the way. The biggest risk is using email or an unprotected browser inside these organizations, so all of the fancy firewalls get circumvented.

    You can likely check with the FAA, or your local airport, or your bank, etc., and ask if they passed a computer security audit, when, if that’s on file, etc. I hope that sort of information is FOIA available. And these audits include backup plans, of course– some of this specified by legislation in the wake of 9/11.

    On my original point, I would like to couch my skepticism a bit. I don’t worry about international terrorists releasing a virus as much as I do lone hackers/multinationals/foreign powers.

  9. JonGarfunkel Says:

    Ok, listening tonight. So far, the “digital pentagon” and the “digital alien and sedition act” which Chris introduced are red herrings.

  10. JonGarfunkel Says:

    Also, Jonathan said that anyone can send any data to anyone– “no gatekeepers.” Well, I can’t send him an old virus, since I expect that he has anti-virus software which would stop it.

    Otherwise, yes, agreed with what he said– it’s the forbearance of the virus-writer who hasn’t thought to do it.

    I’d call, I’m waiting for something else to chomp my teeth into it. Onto the “cure.”

  11. chadlupkes Says:

    What you’re talking about is the Matrix virus from the Shadowrun role-playing game. The objective of the Internet is to create a means for end-to end connection, like electrical power. As long as that objective is maintained, nothing will stop the growth or hurt the strength of the net itself.

    What is more worrisome to me is the limits in our power systems. To take down the Net, all that really needs to happen is for the power distribution system to be hit, taking down the server system. Distributed computing can help, but it can’t eliminate the risk.

  12. JonGarfunkel Says:

    chad — What who’s talking about? sounds interesting.

    Glad to hear Mark Seiden on this show, he’s been helpful at quantifying risks. And Jonathan Zittrain is always brilliant as well. back from the break…

  13. JonGarfunkel Says:

    Agreed with Judith– that Microsoft’s own anti-spyware tool is a great leap forward, a tremendous piece of software.

  14. JonGarfunkel Says:

    Too bad Judith left– I wanted to bring up her point about software companies not being liable. I wanted Jonathan to address that. Oh well. I’m on hold on the phone…

  15. ksandre Says:

    In the spirit of “the only secure computer is one that is unplugged,” why are sensitive private data stored and accessible online anyway? If this data is so important, one should not allow it to interface there any more than one would carry their bankbook open in a transparent purse.

    The internet was created for research information exchange and discussion. Back in the early days between BBSs and internet, I always feared that it would become like teevee, and so it is – as scrambling for monopoly between phone and cable ensues.

    Now it seems for the service of commercial interest. There have always been criminals sniffing around money and precious items.

    I see this “Cyber 9/11” fear is being spun more and more in this realm and I feel it is to serve the benefit of commerce, regulation, and control. (I am reminded of that famous statement made by John Perry Barlow at Davos about “…you weary giants of [flesh] and steel.” )

    If the internet is regulated and controlled (ditto for our personal hardware), the whole will be ruined. I know come that day, I will disconnect, as there will be no attraction. In fact, that day is getting closer and closer. (It started when my former ISP stopped allowing shell accounts!)

  16. KeithErskine Says:

    At the beginning of the program, Chris said that the Internet was a libertarian ‘dream’ – that is, a decentralized network that works. One thing libertarians believe in is the right to defend yourself, that if you don’t, terrorists or despots will take away your liberties. This eternal vigilance is what drives the open source community to make their operating systems (Linux, *BSD) secure.

  17. ksandre Says:

    “Regulation” and “control” does not mean logging or not logging.

  18. JonGarfunkel Says:

    while I’m waiting, I like Jason’s comment.

    ksandre– the internet is monitored … which is what I asked Zittrain. oops I blew my question. :-) Time to go home.

  19. ksandre Says:

    Oh, yeah: “no places to hide” on the internet – what about Privacy and Anonymity?

    I thought this was about protecting precious and important data online?

    ;p

  20. ksandre Says:

    Just for the sake of source, here the link to the John Perry Barlow famous statement:

    A Declaration of the Independence of Cyberspace

    http://homes.eff.org/~barlow/Declaration-Final.html

  21. JonGarfunkel Says:

    ksandre– Good point.

    Jonathan Z– great point before about the security pitfalls about public wifi– when you connect through public wifi, you have absolutely zero knowledge about the network you’re connecting through. I take your larger point, that Internet is so ubiquitous we *expect* to connect all the time.

    Good show.

  22. shpilk Says:

    Each operating system has its own vulnerabilities – the key to ensure the long term security of any worldwide system is diversity.

    The reason we are discussing this is because Redmond WA puts out junk operating systems.

  23. JonGarfunkel Says:

    ksandre– good point on the post *before*. JP Barlow’s “Declaration” was laughable.

  24. shpilk Says:

    oh, ya .. I’m running Win2K and had to run and get the patch.

    Linux, Mac & other OS’es need to do a better job marketing, and convince the boss at work, too

  25. ksandre Says:

    KeithErskine Says:

    Re: “libertarian dream”

    “…. This eternal vigilance is what drives the open source community to make their operating systems (Linux, *BSD) secure.”

    Applause! Right on!

    Oh, yeah, software of questionable value? To whom? To M$ or the RIAA or the MPAA? Bye, bye BitTorrent….

  26. urbenz Says:

    I think that the only people who will be vulnerable are the users of any low quality operating system that needs patches for its patches that are for patches.

    I believe that Mac OS X has a built in Firewall to prevent these type of attacks.

    I wish that Mark Seiden could have stayed on air longer. It sounds like he spoke out of experience in the field.

  27. Judith Perrolle Says:

    Something I didn’t get a chance to mention is that a lot of the effort to make the internet more “secure” is actually an effort to support the economic interests of near-monopoly technology and media companies against innovation.

  28. urbenz Says:

    response to shpilk

    I think that companies are trying to watch their wallets, and the bottom line is that Dells are cheaper than Macs when you initially buy them. I wonder how the price adds up when you take into account upgrade test time, upgrade time, and virus fighting time.

  29. JonGarfunkel Says:

    Judith– thanks for appearing on the show… and in the “clog”! (the comment-log) I wish Z had answered your point about computer companies not being liable (would he have agreed? or would that stifle innovation? or is open source code a way out of such contracts?)

    as to your point here… hmm… do you mean that Symantec and McAfee are doing quite well with the level of viruses that there are right now?

  30. Jason Scott Says:

    A lot of fun, as always, guys.

    I think the net (heh) was cast a bit wide here. There’s so much to this subject, and an hour is tough to put it all in. Personally, I have great faith in capitalism solving a lot of problems regarding connectivity vs. clampdowns from central authority, but it is that very thing…. faith.

    My life philosophy plays in here: I look at anything, be it data, loved ones, possessions… and I ask myself two questions:

    1. “What effect would this have on my life if it was gone tomorrow?”
    2. “What do I need to do to avoid losing it tonight?”

    Hence a lot of my data is mirrored in six locations around the country, and backed up on DVDs, CDs, and digital tape.

    I realize I’m in the minority.

  31. Judith Perrolle Says:

    urbenz, I just got a Mac mini that sells for about $500 and uses a PC type monitor, mouse and keyboard. I have found the total cost of ownership to be lowest for Macs and actually highest for Linux (because I value my time:). But I prefer Linux to Windows anyway because it is more secure and open source.

  32. urbenz Says:

    response to Judith Perrolle

    Well money is a decent motivator. But the developers of Firefox prove that some people innovate good products just for the sake of it.

  33. urbenz Says:

    Judith, I agree with you. I have a mac as well, and I’m very pleased with the work that was put into it to keep it secure.

  34. Judith Perrolle Says:

    Jon, There’s an interesting contradiction in antivirus company economic interests. If windows were actually designed to be more secure, who would buy their products?

    Jason, Very smart to keep your backups elsewhere than beside your computer.
    I learned this with paper since we had a fire in my apartment when I was working on my PhD dissertation.

  35. Jason Scott Says:

    I am very abnormal in how I approach data (hence I’m the “archivist guy”). My basement reflects this:

    http://cache.cow.net/databarn.jpg

    I’ve lost over 20 hard drives in the past 3 years (I have a few dozen running at any given time), so I know more than most the ethereal nature of data, and that sinking feeling when the metal crashes into metal.

  36. urbenz Says:

    I’m waiting to see a virus program that’s open source. Or could this program be edited to be a virus itself?

  37. Jason Scott Says:

    On my website, textfiles.com, I have many dozens of “open source” viruses. That’s one level of it all, discussion of what they are, how they work. People do that all the time. Virus writers are a funny lot, although (and I am not kidding) some are actually deadly.

  38. Judith Perrolle Says:

    Jason, I *love* your basement! I wish you had gotten to say more on the show. Even when we back up and archive, the electronic media don’t have anywhere near the shelf life of paper, papyrus, clay tablets, or stone. We are vulnerable to losing our recorded history if we put it on computers for storage.

  39. urbenz Says:

    Nice artsscene site, jason. I’ve always admired ascii art!

    I wonder if there could be a program that does a test run of any “exe” or other virus file before it’s actually opened? It could check to see if it tries to duplicate itself or do any other of the bad things worms and viruses do.

  40. Jason Scott Says:

    Judith, I was brought, I think, to give a little “on the ground” background to Jonathan’s talking, but as we both heard, the boy can handle himself quite well, and in many different ways. Like I said, I got whiplash as everybody bounced around. I’m glad I got to say something, anyway.

    If you want to hear me tell a room full of people my thought on digital history, I gave a talk that’s available here:

    http://www.archive.org/audio/audio-details-db.php?collectionid=2004-h2k2-digitalhistory-jasonscott&collection=textfiles_audio

    Hey, go to the creative commons dinner this upcoming tuesday!

    http://www.copynight.org/

  41. Jason Scott Says:

    urbenz, that’s one of the core functionalities of anti-virus software. :) It’s one of the things they do, look for completely-whacky calls and functions that make no sense for the program. Obviously, they also use signature files and other stuff.
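urbenz asks in comment 39 for a program that checks whether a file tries to duplicate itself before it is opened, and Jason Scott answers in comment 41 that this is what anti-virus software does, alongside signature files. The block below is an added example for this thread, not code from any anti-virus product or from either commenter: a minimal scanner that first matches known-bad byte signatures and then scores a file on capability indicators that make no sense for an ordinary document viewer (self-copy into a startup folder, run-key persistence, mass mailing, raw disk writes, process injection). The signatures, weights, threshold and the three sample files are all constructed for illustration; the EICAR string is the public anti-virus test pattern. Real products add a dynamic "test run" in a sandbox on top of this static pass.

```python
"""Minimal signature-plus-heuristic file scanner. Added example for this
discussion thread; every pattern, weight and sample below is constructed
for illustration and matches no real malware family."""
import re

# Constructed signatures: exact byte patterns a signature file would carry.
# The first is made up; the second is the public EICAR test string.
SIGNATURES = {
    "Example.Sample.A": b"\xde\xad\xbe\xef\x13\x37",
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}

# Constructed heuristics: (name, pattern, weight). Each flags a capability
# that a notes editor or image viewer has no business having.
HEURISTICS = [
    ("self-copy", re.compile(rb"CopyFile|\\Startup\\", re.I), 3),
    ("persistence", re.compile(rb"CurrentVersion\\Run", re.I), 3),
    ("mass-mail", re.compile(rb"MAPISendMail|SMTP", re.I), 2),
    ("raw-disk-write", re.compile(rb"\\\\\.\\PhysicalDrive\d", re.I), 4),
    ("code-injection", re.compile(rb"WriteProcessMemory|CreateRemoteThread", re.I), 3),
]
SUSPICION_THRESHOLD = 5  # constructed cut-off for the summed weights


def scan_signatures(data: bytes):
    """Return the names of every known-bad signature found in `data`."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_heuristics(data: bytes):
    """Return (score, indicator_names): the summed weight of every heuristic
    whose pattern occurs in `data`, plus which ones fired."""
    hits = [(name, weight) for name, pattern, weight in HEURISTICS if pattern.search(data)]
    return sum(weight for _, weight in hits), [name for name, _ in hits]


def classify(data: bytes):
    """Signature match wins outright; otherwise the heuristic score decides.
    Returns ("malicious" | "suspicious" | "clean", supporting names)."""
    signatures = scan_signatures(data)
    if signatures:
        return "malicious", signatures
    score, hits = scan_heuristics(data)
    if score >= SUSPICION_THRESHOLD:
        return "suspicious", hits
    return "clean", hits


# Constructed sample "files": a harmless editor, the EICAR test file, and a
# blob whose embedded strings point at self-copy, persistence and mailing.
CLEAN_SAMPLE = b"MZ\x00Simple Notes 1.0\x00CreateFileA\x00ReadFile\x00WriteFile\x00"
EICAR_SAMPLE = SIGNATURES["EICAR-Test-File"]
WORMISH_SAMPLE = (b"MZ\x00CopyFileA\x00C:\\Users\\Public\\Startup\\svc.exe\x00"
                  b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00MAPISendMail\x00")


if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_SAMPLE), ("eicar", EICAR_SAMPLE),
                          ("wormish", WORMISH_SAMPLE)]:
        verdict, why = classify(sample)
        print(f"{label:8s} -> {verdict:10s} {why}")
```

The scoring step is where the "completely-whacky calls" idea lives: none of the indicators is proof on its own, so each carries a weight and only the sum crosses the line. The price of that flexibility is false positives (a legitimate installer also copies files and writes run keys), which is why products keep the exact-match signature tier as well.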

  42. Judith Perrolle Says:

    Jason, re: copynight – sounds interesting and meets 2 blocks from my house, the one in Cambridge anyway.

    Also I have an interest in digital archiving, but I do mine as VirtualPCs on a mac. I don’t have room for more than a few real computers.

  43. ecksii Says:

    Marcus Ranum would be good to talk on this subject. Another good person would be Simson Garfinkle.

  44. ecksii Says:

    Well, it appears that I’m out of sync with the show. I wish that I had seen this one when it was on deck… …sigh.

  45. DavidMohring Says:

    Locking owners of PCs out of parts of their operating system in itself represents a security risk. Since no complex software has been found to be completely immune to exploitable vulnerabilities, any 9/11 security framework could itself be exploited.
    See “Remote Attestation” and content access monopolies
    http://itheresies.blogspot.com/2005_08_01_itheresies_archive.html

    One solution to identity theft is the use of a separate back channel that is used to notify a registered person when a transaction is made. You only need a minority of people to join such a system to act in the same way as a canary in a mine, detecting potential cracking by third parties. Notifications of important transactions could be sent to your cell phone as well as your PCs.
    See Epic Ideas for Privacy Reform
    http://itheresies.blogspot.com/2005_03_01_itheresies_archive.html

    The only real solution is the adoption of a reliable framework and operating environment and DEMAND that, instead of the developers, trusted third parties audit and build the software used ( step 12 ).
    See Twelve Step TrustABLE IT : VLSBs in VDNZs From TBAs
    http://itheresies.blogspot.com/2004_10_01_itheresies_archive.html
