Bashin' the bots
Posted on 9 Apr 2008 at 12:05
Davey Winder steps into the murky world of botnets and gets some disturbing results from a routine online health check.
Hallam-Baker is no stranger to the online world and has been at the very centre of web development for decades - he was a member of the team at CERN that created the original web specifications, and personally made substantial contributions to the design of the core HTTP protocol. He went on to become the first principal scientist in 2000 at VeriSign, a key player in defining the internet trust infrastructure that enables safe online commerce, and he has even helped prepare a security plan while working at the MIT Laboratory for Artificial Intelligence that enabled deployment of the Executive Office of the President's internet publications system. The point is that he knows what he's talking about and has the kind of CV to prove it, which is why dotCrime Manifesto is at once such an intelligent and surprising look at the world of internet crime.
He explores exactly how the internet suffers from a lack of accountability that leaves it vulnerable to the criminal fraternity, and suggests practical ways to fix this from technical, cultural and political perspectives. He talks about protecting the internet infrastructure from top to bottom by building a more secure transport mechanism, improving identity management and gaining safety without sacrificing any of those net virtues we've come to rely upon, such as ubiquity, simplicity and privacy. I'll grant that Hallam-Baker isn't the first to talk about the need for change and to suggest radical improvements to internet architectures, but so far as I'm aware he is the first to actually write down a design for deployment and to put his reputation where his mouth is by challenging the online industry to define security objectives, strategy and design - and make it happen in reality. If you only read one book on the subject of online security this year, make it this one, and I challenge you to come away from it without at least one or two good ideas that can be integrated into your own security strategies, be they personal or corporate.
Mental health check
I've long been a fan of F-Secure, partly because I have the greatest respect for its team of researchers, who work ceaselessly to get the better of the bad guys from their HQ in Finland, and partly because they've eschewed fancy interfaces and overly complex applications to concentrate instead on security through simplicity. To me, F-Secure has always been an easy-to-use, unobtrusive but rock-solid security suite application.
That's why I was quite pleased to see they've taken their security evangelism one step further with the newly launched Health Check service. This web application is meant to enable anyone to quickly check up on the security status of their PC, including the operating system, web browsers and all installed software. It's free to use, will verify whether a PC is "safe to use online" and can solve security problems "with assigned software upgrades and security advice". Or so it says.
So I pointed my browser at www.f-secure.co.uk/healthcheck and off I went. Unfortunately, I didn't get very far: it seems I'd made a mistake by choosing what's generally regarded as a safe web browser, namely Mozilla Firefox, as it isn't supported by F-Secure Health Check. This struck me as being more than a little dumb, in effect forcing me to "downgrade" to an inherently less secure browser in order to check how secure my system is! This immediately put me on the back foot, but I bravely fired up Internet Explorer 7 anyway (the application requires IE6 or later), only to find that the Health Check also uses a Flash interface rather than a more straightforward approach to usability. Another brownie point lost, and a couple more were squandered when it told me I had to install an ActiveX control before I could continue. Sheesh! By now, I imagine many people would have simply given up, and I can't say I'd blame them. On the plus side, it does work under Vista (32-bit only) and XP.
Printed from www.pcpro.co.uk


