[clug] Secure your Internet facing stuff (was Re: googlebot doing funny things in logs)

Robert Edwards bob at cs.anu.edu.au
Thu Jun 16 06:48:03 MDT 2011


Getting Way Off-Topic...

On 16/06/11 21:47, Sam Couter wrote:
> Bob Edwards<bob at cs.anu.edu.au>  wrote:
>> Without wanting to marginalise the horror of cyber-bullying (and
>> all other forms of bullying), especially as a parent, I would
>> still argue that of all the many activities I am involved in, I am
>> least likely of all to be seriously injured or killed by a "worm",
>> "trojan", "virus", "spam", "phish", "DDOS attack" or similar coming
>> from the Internet, from poorly-"secured" web sites or otherwise.
>
> A few scenarios to consider:
>
> 1) Money from your bank account disappears, the bank's access logs show
> the transfer request came from your computer, you can't pay your mortgage
> or rent, end up on the street, contract pneumonia and die.

Does anyone actually _know_ of any instances where someone's bank account
was accessed without proper authorisation over the Internet and the
bank didn't work hard to fix the problem? Just curious.

My credit card had unauthorised transactions on it earlier this year,
probably after my wife purchased some stuff from a Chinese dealer on
eBay, and the bank sorted it all out, no problems.

How would an un-"secured" web server at someone's home (running Myth, or
whatever) have helped an attacker get to my bank account, apparently
from my computer? I guess "phishing" could be one way, but that has
little to do with running un-"secured" web servers.

>
> 2) Somebody commits a serious crime (say, distributing kiddy porn) from
> your network, you end up in jail, are shanked with a sharpened piece of
> broccoli at dinner and die.

I can see how an un-"secured" web site could be used for the unwitting
distribution of banned material.

You would have to have a pretty lousy lawyer if they couldn't convince
a court that you were in any way complicit in the commissioning of the
crime, though. I would reckon that most reasonable lawyers could get
you off even if you were complicit...

>
> 3) Somebody orders the My Little Pony DVD collection using your credit
> card and your computer and has it delivered to your address, in garishly
> bright non-discreet packaging, and you die from embarrassment.

Fair 'nuf. Point taken. The Internet is dangerous. Don't run your own
web server on the Internet... this could happen to you.

>
>> On the other hand, if I was in the "security biz", I would definitely
>> want to make sure that more resources were poured into "securing"
>> the 'net. Especially as some particularly responsible people think
>> that it is a good idea to hook, e.g., nuclear fuel processing plants
>> up to it...
>
> I'm not in the security biz. I'm the guy who has to put up with spam and
> other annoyances because of the general lack of security on the net.
>

I am not sure that advising people not to run their own web servers is
in any way going to make spam go away or make the Internet any more
"secure". I think most of us know that most spam is not coming from
non-"secure" home web servers... There are much bigger problems out on
the 'net than this.

What I am more fearful of is the idea that all web servers should be
run by fewer and fewer people in ever more powerful organisations.

I have been accused in the past of being anti-peer-to-peer because I
won't jump onto the IPv6 bandwagon where everyone can have their own
2^53 static IP addresses. And yet I see this insidious trend towards
corporate web portals (the Facebooks, Twitters, iStores etc. of the
world) where everything on the web/Internet is centralised and
controlled by fewer and fewer people. And many 'net users seem more and
more happy to buy into this model. It makes them feel "safe"...

It is not dangerous to run a moderately well-maintained public-facing
web server at home. It is dangerous to buy into the argument that only
the big end of town should be allowed to run our web servers, for
"security" reasons...

Cheers,

Bob Edwards.