Internet Security

**GrnEyedDvl** · February 08, 2008, 11:54 PM

I attended a local meeting today about internet security and child safety on the internet. There were business people, IT people, local and state law enforcement, and a couple of idiot lawmakers in attendance and I wanted to throw a few things out there that came up in this meeting.

It was originally intended to be about child porn and solicitation from chat rooms and local issues like that but it quickly turned into "Let's fix the entire internet". Bear in mind that some of these people have no technical knowledge of the internet at all as I mention some of these ideas that came up. Only one of these was mine, the rest came from other people. I wanted to get some feedback from people in other locations as we are going to have another meeting next month and may be passing some of these ideas on to federal and international lawmakers.

Some problems will come up because of the international nature of the internet, but most of those can probably be worked out.

The ideas that have at least some merit I am passing on, there are far more ideas that arent even worth mentioning.

This one was my idea about domain extensions. The .com, .org, .edu and so on. I actually submitted this to Internic long ago when I was in school as a class project, but we never even got a response. With the way websites are handled now, its nearly impossible to block all adult content from minors. This is because you either have to block them by specific domain name, by Content Rating, or by using a 3rd party blacklist. All of those have their flaws, and with porn being the probably the fastest growing segment of the web keeping up with it is really hard. So the idea is simple, create a new domain extension for adult content sites, .xxx. Any website that has adult content would be required to use the .xxx extension, and give them a year to get switched over. The fees for registering a domain name are very low, and I would even say that for the first 6 months the sites shouldnt be charged for it, and their old site could have a redirect to the new site for that first year. After that its just a matter of changing DNS settings for each site. There are tons of sites, but it could be done without too much trouble. Then you could simply block anything from a .xxx extension. Penalties and fines for violating the rule would be paid to whatever country the site was hosted in.

This one wasnt my idea, but I did like it. Administering it would probably be a nightmare at first, but eventually I think it would pay off. Simply shut down any site that has a virus embedded in it. I know, at first I thought the same thing. Impossible! But its really not that bad. You start small, have a group of 100 people whos only job is to surf the net looking for viruses, malware, trojans, phishers, whatever. Every time they find one they record the site name, and contact the host. If its a hosting company, they will certainly play ball and shut the site down, and provide information about who owns the site. Then you fine the site owner $10,000 and require community service. Not a set number of hours, but a set number of sites. That person has to go and find and report 100 websites that have some sort of virus. If not, 30 days jail time.

If the site ends up being a site like TWC, who owns and operates its own server, you can till track who owns the IP, or who the IP is leased to. If it ends up being a site hosted on a home computer with a dynamic IP address, its harder to find but that can be done also. Many ISPs track your IP and your MAC address and tie them to your router. I know Comcast does.

If the site ends up being owned by a government agency, such as North Korea is fond of doing, its a bigger problem but still doable. First you ask them to shut it down. If they refuse then you start denying traffic from their block of IPs, from a technical side you could actually deny access to the rest of the internet from North Korea, it would be a monster task, but it could be done. Once you started to implement something like that the government in question might change their tune.

Require PIN numbers for internet transactions. Isnt it strange that you have to know your PIN number to withdraw $20 at an ATM, but you dont have to have it to buy a $2000 TV on the internet? Some sites already do this, NewEgg uses the Verified by Visa system which requires a 2nd password.

Theres more but I would have to dig my notes out to remember them. A few things to talk about anyways.

**Sidmen** · February 09, 2008, 01:06 AM

Then you fine the site owner $10,000 and require community service. Not a set number of hours, but a set number of sites. That person has to go and find and report 100 websites that have some sort of virus. If not, 30 days jail time.

That pretty stiff. I wouldn't support it.

**Thanatos** · February 09, 2008, 02:11 AM

Impossible to enforce, it would never work.

It's easier to just put him in jail once you have him.

**sapi** · February 09, 2008, 02:44 AM

Originally Posted by GrnEyedDvl

I attended a local meeting today about internet security and child safety on the internet. There were business people, IT people, local and state law enforcement, and a couple of idiot lawmakers in attendance and I wanted to throw a few things out there that came up in this meeting.

It was originally intended to be about child porn and solicitation from chat rooms and local issues like that but it quickly turned into "Let's fix the entire internet". Bear in mind that some of these people have no technical knowledge of the internet at all as I mention some of these ideas that came up. Only one of these was mine, the rest came from other people. I wanted to get some feedback from people in other locations as we are going to have another meeting next month and may be passing some of these ideas on to federal and international lawmakers.

Some problems will come up because of the international nature of the internet, but most of those can probably be worked out.

The ideas that have at least some merit I am passing on, there are far more ideas that arent even worth mentioning.

This one was my idea about domain extensions. The .com, .org, .edu and so on. I actually submitted this to Internic long ago when I was in school as a class project, but we never even got a response. With the way websites are handled now, its nearly impossible to block all adult content from minors. This is because you either have to block them by specific domain name, by Content Rating, or by using a 3rd party blacklist. All of those have their flaws, and with porn being the probably the fastest growing segment of the web keeping up with it is really hard. So the idea is simple, create a new domain extension for adult content sites, .xxx. Any website that has adult content would be required to use the .xxx extension, and give them a year to get switched over. The fees for registering a domain name are very low, and I would even say that for the first 6 months the sites shouldnt be charged for it, and their old site could have a redirect to the new site for that first year. After that its just a matter of changing DNS settings for each site. There are tons of sites, but it could be done without too much trouble. Then you could simply block anything from a .xxx extension. Penalties and fines for violating the rule would be paid to whatever country the site was hosted in.

While this is a nice idea in theory, it has been tried before, and it failed because it did not get the support of the adult industry. Without that support it will not eventuate, and I don't think that much has changed in the couple of years since I last heard of it in that regard.

This one wasnt my idea, but I did like it. Administering it would probably be a nightmare at first, but eventually I think it would pay off. Simply shut down any site that has a virus embedded in it. I know, at first I thought the same thing. Impossible! But its really not that bad. You start small, have a group of 100 people whos only job is to surf the net looking for viruses, malware, trojans, phishers, whatever. Every time they find one they record the site name, and contact the host. If its a hosting company, they will certainly play ball and shut the site down, and provide information about who owns the site. Then you fine the site owner $10,000 and require community service. Not a set number of hours, but a set number of sites. That person has to go and find and report 100 websites that have some sort of virus. If not, 30 days jail time.

That would be a massive pain to administrate, be overly reliant on having excellent virus signatures (you'd only need to have one false positive...), and would be self-defeating in success (after all, if you clear virii off the net, the vigilanteism wouldn't work

).

I really don't like the idea of forcing people to search for virii as community service anyway, though, and that's the main issue I have with with the idea - what's to stop people, or groups of people, from faking sites in order to meet their 'nastyness quota'.

It would also run into huge problems if you couldn't find the identities of the owners, as you say:

If the site ends up being a site like TWC, who owns and operates its own server, you can till track who owns the IP, or who the IP is leased to. If it ends up being a site hosted on a home computer with a dynamic IP address, its harder to find but that can be done also. Many ISPs track your IP and your MAC address and tie them to your router. I know Comcast does.

If the site ends up being owned by a government agency, such as North Korea is fond of doing, its a bigger problem but still doable. First you ask them to shut it down. If they refuse then you start denying traffic from their block of IPs, from a technical side you could actually deny access to the rest of the internet from North Korea, it would be a monster task, but it could be done. Once you started to implement something like that the government in question might change their tune.

Cooperation is needed in either case, and I'd rather bet on the sky falling than you getting the near-unanimous world support that you'd need for that sort of scheme to be successful.

Require PIN numbers for internet transactions. Isnt it strange that you have to know your PIN number to withdraw $20 at an ATM, but you dont have to have it to buy a $2000 TV on the internet? Some sites already do this, NewEgg uses the Verified by Visa system which requires a 2nd password.

Debatable, but the one thing I would say is don't make it the same pin as for the real-world account - there's no point giving people a license to snatch that out of the ether with phishing sites, even if they chances of them also having the plastic are one in a million. Of course, everyone would still use the same pin for both, but it'd be worth a try

**~~Enter Name Here~~** · April 12, 2008, 09:19 PM

Good posts

**Gwendylyn** · April 12, 2008, 09:40 PM

I thought the US legislature had discussed requiring porn sites to register with a .xxx suffix. It had been knocked down because there is absolutely no way to enforce it outside of the US, rendering it useless.

It would certainly make searching for porn easier though.

Originally Posted by GrnEyedDvl

Require PIN numbers for internet transactions. Isnt it strange that you have to know your PIN number to withdraw $20 at an ATM, but you dont have to have it to buy a $2000 TV on the internet? Some sites already do this, NewEgg uses the Verified by Visa system which requires a 2nd password.

In reality, most don't force you to use a PIN for your debit card anywhere but at the ATM or bank. The vast majority of debit cards can be run as credit from the register - or online. I'd don't recall an online site that differentiates between debit or credit cards as it is, so a PIN won't solve any security problems with a credit card.

Educating people so they don't fall for phishing schemes would go a lot further. There's only so much protection from the provider's side that one can give before you have to force the consumer to educate themselves or face the consequences.

You start small, have a group of 100 people whos only job is to surf the net looking for viruses, malware, trojans, phishers, whatever. Every time they find one ... you fine the site owner $10,000 and require community service. Not a set number of hours, but a set number of sites. That person has to go and find and report 100 websites that have some sort of virus. If not, 30 days jail time.

It's a reverse pyramid scheme. It would not work, especially since many of those viruses and trojans are created and disseminated outside of the country, let alone all the illegal types of porn that come out of and are hosted in other countries.

Most reform ideas are not realistic due to the global nature of the internet.

**Sidmen** · April 12, 2008, 10:53 PM

In reality, most don't force you to use a PIN for your debit card anywhere but at the ATM or bank. The vast majority of debit cards can be run as credit from the register - or online. I'd don't recall an online site that differentiates between debit or credit cards as it is, so a PIN won't solve any security problems with a credit card.

This would assume that pin numbers should be required for credit cards as well as debit cards. If we do that on the internet and in the real world, it would dramatically cut down on CC fraud since you'd need more than just the numbers on the card to buy something.

**dj LiTh** · April 13, 2008, 01:21 PM

Originally Posted by Sidmen

This would assume that pin numbers should be required for credit cards as well as debit cards. If we do that on the internet and in the real world, it would dramatically cut down on CC fraud since you'd need more than just the numbers on the card to buy something.

Um... well lets say something was bought using a stolen credit card... Its just going to be shipped to the persons address who's on file with the bank who issued the card. If its downloadable content, well then you have an ip address which is traceable (not totally but pretty much).

**Tangro** · April 13, 2008, 02:50 PM

If the site ends up being a site like TWC, who owns and operates its own server, you can till track who owns the IP, or who the IP is leased to. If it ends up being a site hosted on a home computer with a dynamic IP address, its harder to find but that can be done also. Many ISPs track your IP and your MAC address and tie them to your router. I know Comcast does.

What will you do if one has redone firmware on his router and, or use Wireless connection? There are ways to enter net for some period of time through direct link. In this case there is no host whom can help you.

For example, have you ever tried to trace .zlob origin?

**Tangro** · April 13, 2008, 03:20 PM

Oh, and what will happen to this anti virus company after RIAA decide to abuse this law in its war against P2P? My friend, this company will find it's self under attack and as it wouldn't have such high security as RIAA it would get hacked. Constantly.
Bad for biznis.

**Gwendylyn** · April 13, 2008, 11:13 PM

Originally Posted by dj LiTh

Um... well lets say something was bought using a stolen credit card... Its just going to be shipped to the persons address who's on file with the bank who issued the card. If its downloadable content, well then you have an ip address which is traceable (not totally but pretty much).

No, you can buy something using the billing address as one address and the mailing address as another. I buy gifts for people all the time online.