While this may seem a bit of a technical entry again, I urge everyone even slightly interested in the internet, computers and communications to read on. In the long run, you will be affected whether you like it or not.
First, I'd like to point you to an article talking about the recent Storm Worm, a malicious piece of software that is believed to have created a gigantic botnet consisting of up to 10,000,000 machines. This puts a whole lot of processing power into the hands of people with less than honest intentions. In fact, the Storm botnet can easily withstand performance comparisons with supercomputers used for research purposes. Are you a part of it?
Then we get to the question: who has to clean up the mess? Are ISPs allowed to intervene and cut the connection of infected machines on their network? Or are the users responsible for keeping their machines clean and uninfected? What if they don't? My answer would be quick and decisive: infected machine on the network? Cut the connection and stop the spreading and attempts to infect others. That solves the short-term problem, and forces the user to take action. Yes, they may pack up their bags and sign up with another ISP, but really... do you want infected machines on your network? I'd say no. Full article can be found here: ISPs turn blind eye to million-machine malware monster.
You may also have heard about a recent breach in security that spilled the login IDs and passwords of the email accounts of embassy personnel all over the world. Today he published details and admitted that he used the distributed anonymity service Tor to accomplish his goals. Tor is nothing but a tool, it's not a virus, it's not spyware and it's not malicious. Don't blame the tool for being used maliciously. Think of it as a hammer. You can use it to drive nails into wood and build yourself a home, but you can also use it to break the glass of a car, to attack a bank runner or to kill someone. We don't go around yelling hammers should be illegal, do we?
With the recent mention of Tor in the embassy e-mail heist and it being abused by the Storm Worm botnet as well (this time not as a tool, but rather by spreading an infected file posing as the official Tor software), I can see people getting concerned about Tor, yet they know little about it. Let me assure you again: Tor is not malicious! If you want to know and read more, go to the only official Tor site at http://tor.eff.org.
Congratulations if you worked your way through all this, even if you skipped the articles I referred to. I'm glad that even if you don't agree with me, or only understood 10% of everything that I talked about, you are interested in privacy and security. With the ever-growing interconnectedness of services, institutions and computers, the requirement to be aware of privacy concerns will only rise.
I came across an interesting service yesterday, and I think it will come in handy some day: Coral Content Distribution Network. It can help you access sites that are overloaded or over their bandwidth limits by going through a series of worldwide servers that retrieve information using peer-to-peer techniques, and thus only have to request the information from the originating server once. Mind you, it's only geared towards static sites (such as this one for instance) and won't help you to log in to your webmail account.
Want to try it?
www.friedkitten.com (original site)
www.friedkitten.com.nyud.net (through Coral CDN)
Indeed, it's as easy as typing ".nyud.net" after the host name of the site you're trying to reach. Probably not all that useful for the average surfer, but I can definitely see the value of having this knowledge flowing through my synapses and storing it in my neurons for eternity.
Comments
Thanks for your defense of Tor! I need to point out that, although the Tor network was used in this case, probably millions of usernames and passwords are exposed on unencrypted wireless, daily, all over the world.
It is important, I think, to understand that you should never give a username and password to a web site that has an "http" address, only to "https" addresses. A connection through Tor can be encrypted end-to-end -- but only if one is communicating with a secure protocol -- https: or encrypted chat both would be examples of this.
We are very careful, usually, to only put a credit card into a web page that has a "lock" symbol in the corner of the browser window. Everyone should be equally careful never to give a username and password to a page that is not "locked" -- not secure.
You should at the least use different passwords for insecure accounts, like those at theregister.co.uk and wired.com (which ran the embassy story today), which ask you to give a username/password on an unencrypted link. But even this can open you up to people posting things you wouldn't wish to have said in your name.
It is only through understanding our security online -- through understanding tools such as Tor, and what https: means, and what a phishing attack is, and so on, that we can manage our risks online.
The last node through which traffic passes in the Tor network does not in fact need to pass data to the destination unencrypted -- if the origin and destination are using a protocol that supports encryption.
You wouldn't say that the people who make your backup software are at fault if they don't force you to back up your files regularly. We, like the backup software creator, warn people in our documentation that the protection of Tor is not foolproof without educated and disciplined use. And like backup software, if you don't use it right, it can do nothing to change what has already occurred.
We have advised, and continue to advise users of the Tor network to use encryption end-to-end whenever it is prudent and/or possible. But those end-to-end encrypted products (https, encrypted versions of email and chat) are available to the users in many forms -- it would not be proper for us to dictate what people should use, but only encourage them to take precautions.
Shava Nerad
Development Director
The Tor Project
Posted by: Shava Nerad at September 10, 2007 1:03 PM
Waw! Thanks!
Posted by: madame at September 10, 2007 6:29 PM
Darn, that "nyud.net" site is blocked by my employer's filter :-/ I'll have to try it again on my home PC.
So, probably only useful for home surfers and not "corporate surfers".
Posted by: Nadia at September 11, 2007 8:06 AM
The .nyud.net thingie is pretty cool! I'm going to do my best to remember that one!
Posted by: Ashtronaut at September 12, 2007 4:15 AM