[clug] Secure your Internet facing stuff (was Re: googlebot doing funny things in logs)

Scott Ferguson scott.ferguson.clug at gmail.com
Fri Jun 17 04:59:48 MDT 2011

On Fri Jun 17 01:47:06 MDT 2011 Robert Edwards wrote:
> On 17/06/11 14:21, Scott Ferguson wrote:
>> On Fri, 17 Jun 2011 08:33:59 +1000 Robert Edwards
>>> On 17/06/11 06:33, Martijn van Oosterhout wrote:
>>>>> On Thu, Jun 16, 2011 at 10:48:03PM +1000, Robert Edwards wrote:
>> <snipped>
>>>>>>> Does anyone actually _know_ of any instances where someone's bank account
>>>>>>> was accessed without proper authorisation over the Internet and the
>>>>>>> bank didn't work hard to fix the problem? Just curious.
>> <snipped>
>>>>> Have a nice day,
>>> So that's a no? Not an actual instance of this happening?
>>> Bob Edwards.
>> Yes. Still working to get the money re-instated.


>> Cheers
> Thanks Scott.
> Ok, I count that as 1 for the first incident: clear money fraud/theft
> caused by misadventure on the 'net. Still, the bank largely came
> through, eventually, although you still need to recover the overdraw
> fee.

Yes. There's always that trade off with convenience. It'd be easier to
spend money if I just used a standard credit card - but then I could
have lost more. It'd be simpler and I'd have lost less earnings time if
I'd just eaten the loss - but that would just nourish and encourage the
fraud. It'd also mean the bank wouldn't keep monitoring suspicious
transaction patterns.

> I think we are blaming this on the eBay vendor you purchased from 

Yes, one of. Or through one of the companies associated with processing
the transaction (etc, etc, ad infinitum)

> and
> I can't see how an un-"secure" web server at someone's home could
> possibly have been involved.

Nor can I - I was responding to the quoted question.
Apologies for any confusion.

> Second and third examples I am not counting as "dangerous Internet:
> turn off all your home web sites right now before we have a real nuclear
> incident and someone actually dies"... They seem more related to the
> general vagaries of using credit/debit cards more than anything Internet
> specific.
> Cheers,
> Bob Edwards.

Lest I be misinterpreted - I'm not opposed to people running home web
servers. It's no more dangerous than changing a light bulb. ;-p
Whereas hosting commercial services is more like doing your own
plumbing, electrics, installing home irrigation, or fixing your brakes
(without the same licensing requirements) ;-p
It's all a matter of context - circumstances and knowledge,
understanding that convenience comes at a cost, and the proviso that
things change (what was ok last week is not necessarily this week).

It's convenient to have access to your home media library, tv recorder,
web cams, security system, home automation system, and home desktop from
anywhere in the world. Likewise it's convenient to be able to download
fast, and be able to download 400GB a month without putting more money
in the machine (but at least secure your wifi connection!).
But if you plan on cheating on your wife, downloading copyrighted files,
storing all your important documents and passwords in plaintext etc, etc
- the problem is not insufficient security - the problem is high-risk
behaviour. It's not like having a bank account has never been without risk.

I'm very leery of certification to run your own web server or licenses
to access the internet - nightmares of parenting license schemes flash
through my mind, or one of Microsoft's "suggestions" to certify the
suitability of people to drive their computers.

I guess the best analogy I can think of is that it's counter-productive
to never expose children to stairs - small falls are good.
Humans are not intuitive statisticians, the media is not to be trusted,
and dousing your house in Pine-O-Clean won't make you healthy. I find
some of the cyber-fraud figures very hard to believe - and I'm familiar
with the seamy side of the web.

Most of the cyber-bullying stories I hear fall under the category of a
good parent should supervise instead of demanding laws against sharp
corners on furniture. As an ex-smoker, peer group pressure is a bs
argument for justifying an activity. Given the number of people who die
from car accidents - the media scare stories about planking and
fffffacebook bullying are just evidence of our inability to apply real
priorities to risks. Being called fatty fatty bum bum is the least of
childhood risks - being able to deal with bullying is probably more
useful than never having to encounter it. When it comes to these
internet scare stories - is it just me, or is there always a marketing
angle? Child psychologist and author says... a security researcher for
McAfee says....

Like anything else, no one knows all the risks of connecting to the
internet - so running your own web server is a case of do your research
and ask around. Most of the time most people do the right thing - and
there are wonderful places like this list where people will advise on
how to set up a server properly (and what constitutes properly).

Lastly, stress kills too! Lock it down as best you can, with the best
info on hand, in the time available - keep up to date, and stop
worrying. :-)

Cheers - and now I *need* that beer to unstress!
