[plug] Security and Privacy.

Scott scott at bizzpro.com.au
Sat Dec 23 22:34:49 WST 2000


----- Original Message -----
From: "Leon Brooks" <leon at brooks.fdns.net>
To: <plug at plug.linux.org.au>
Sent: Saturday, December 23, 2000 8:06 PM
Subject: Re: [plug] email message formats (inline attachments)


> Christian wrote:
>
> > If you disable viewing inline attachments then you end up clicking on
> > the attachment to view it anyway.
>
> ....
> Truth be told, I would rather not see any nastygrams or other spam in
> the first place, but in practice that involves either not having an
> email address, or having a human filter it for you first.
>
Which brings me to my point:
The more security, the less functional; there is only one more step (the
ultimate security feature): the off switch.

After reading an article called Linux Entomology from Maximum Linux, it
seems that some Linux viruses are transmitted from scripting languages.
Also:
" At least as early as 1991, it was shown that a document written in Tex, a
UNIX typesetting format, could contain viruses. Postscript can be used
similarly. .... In fact, a virus that infects manpages- the original UNIX
help files- was posted to a UNIX mailing list."

Buffer overflows are also a problem, e.g. with an MP3, a "poorly designed player"
could inadvertently execute code hidden inside an MP3 song.

"Linux systems are also vulnerable to the same boot sector viruses that
plague the windows world. To some degree, Linux may ironically be less
vulnerable to these because Linux users tend to leave their computers
running, rebooting only occasionally."

The article goes on a bit from there with some hope and some warnings.
Basically, as Linux is more widely used, the more likely that viruses will be
made and used. Linux has many advantages that windoze doesn't, but that
doesn't mean that newer, smarter viruses won't be written. As more and more
people use Linux, the more problems will be faced. We think because Linux is
set up to be a multi-user system it is (in some respects) safe. In reality
there are many programs we run on a regular basis that do have (to some
degree) root access, Java being the least of them.

My other points: "How far is far enough? What is more important, security or
privacy?"
The only way to be completely secure is to allow nothing to come in at all
and hope that the dist you are using is virus free as well. I worry more
about protecting my privacy than anything else. Privacy has been scary for
me ever since the Tax File No came out. In anything other than government
(Australian) use, I always use one of several different names and dates of
birth. My e-mail address, where not necessary, is someone at microsoft.com. I
use several different e-mail addresses depending on importance. I never give
my full name, not even to government (lying by omission, I know, but
defendable), or I use initials. I know there are 2 people in Australia with
the same name and birthdate that bank with my bank (notice how I don't say
which bank). Even this will not be enough for the conscientious user, but at
least I can make it difficult and maybe fumble the statistics a little bit.

It would be really good if everyone were to do the same and purposely fumble
the online questions; then there would be less spam, fewer statistics and fewer
people telling us what we need.

In my opinion, if you are an ISP it is not your responsibility to protect your
clients from everything that can happen to them; in fact I would think it
would be impossible and still protect their privacy. Rather, it is the
responsibility of all of us to be vigilant and stamp out the flotsam where
we can. At the same time we have to decide what the balance is between
something that is beneficial and something that is not. The reality is there
will always be nothing we can do to make our system totally secure.

We all know how exact computers are, and even expert systems can't predict
human behaviour. Privacy can be as simple as misspelling your name: a human
would understand it but a computer would mistake you for someone else.

Privacy is the only real security measure.

Scott