bleeerarrguh

As I reported two days ago, and is now noted also by Walter van Holst, a recent South Korean DDoS attack may in fact be a malicious attempt at sneaking through an oppressive law allowing the government to snoop commercial and private traffic alike. The European security agency ENISA published two reports on botnets not long ago, but appears to be supporting the idea of internet service providers notifying their customers of a potential infection instead.

Regardless of which security analyst you talk to, they will say that users are the true compromisors of security. The South Korean authorities appear to have taken this very literally, and while I didn't check if the strategy pursued by the Austrialian authorities and promoted by ENISA is actually helping users and ISPs it is clear that public authorities feel that users are not inclined and will not be inclined to take responsibility for their own security. Because botnets suck up bandwidth, the ISP is already tried on private initiative in some places although it appears to be a while ago. To my understanding this experience was discontinued since it's easy to forge being an ISP suggesting that you're infected..

At least one friend reacted to me in private saying that this proposal is an attack on democracy. It is, but it's just one among many, and many of the others are already enacted. As I've said in many discussions about trade agreements I think that our democratic powers are already quite limited by the fact that decisions are taken way over our heads. South Korea has signed two trade agreements that make mandatory severe repercussions against filesharing only within the last year, so clearly the South Korean government has already outsourced privacy to private actors. The other argument is the loss of free speech online that many other people have brought up in relation to Apple, Facebook, Google and other commercial actors who's activities with respect to users can't really be monitored or controlled. Presumably there at least one technical argument against, but nobody I know seems to be able to think of any.

Just like speed cameras though, you would expect there to be lots of fines in South Korea about this, but the danger to users and to the government is not very likely to decrease at all. Internet users, like drivers, are not likely to keep track of everything and update all their software or car tires as often as they should.

The public procurement process is likely to lead to very few, or even just the one, security company getting the entire responsibility for helping the government determine what is dangerous and what is not. Public procurement sadly isn't as transparent as it should be, and it's very easy for public authorities to default on a specific vendor because it's convenient. 98% of all computers in South Korea run Microsoft Windows. Government documents are only available for users running Windows. I'd feel uncomfortable with the same amount of power ending up with a single security company as are, presumably, all former customers of HBGary. So added security from this aspect is unlikely

Even if you, like ENISA suggests, would "outsource" the responsibility of warning users to an ISP, I simply can't believe that this is a good solution. I've written many angry posts about ISPs and I don't trust them for squat. Telefónicas business strategies, or for that matter Comcast's, Verizon's or even Eircom's strategies do not fill me with confidence that these people will either warn me or warn me in a way that doesn't primarily serve their business interests - at the expense of both me and my security. Added security from this aspect is also unlikely.

A counter-proposal would be to introduce computer security as a mandatory subject in basic education. That's probably the most useful way of spending public money. Everyone should know how to secure a home network, protect themselves against viruses and know the risk of viruses, or encrypt a harddrive. But when I talk to people who stopped studying even five years ago, very few of them remember any of the mathematics they studied so the system is obviously not flawless. Still, it's the only measure I can think of that's worth spending any public money on.

If we're going to digitize our society I think we're going to have to live with there being a risk crime in all parts of society. Some people break into your car, other people violate your network security. A much larger problem for society is the fact that our backbone infrastructure, our last mile infrastructure, our internet service provision and our online portals are likely to end up getting owned by the very same companies. Vertical monopolies. I noticed that this is already happening in hardware manufacturing which gives the one or two remaining hardware manufacturers a disproportionate amount of influence on what goes into our hardware - the specifications aren't open, how are we supposed to know? Just because internet service providers are larger than life and people are not, doesn't mean you should take the easy route and attempt to secure the networks from the parties that aren't the biggest threat to secure, and primarily reliable, network infrastructure.