Last week I read a headline in my Google Reader that had me more than a little worried: Special IDs planned for net user to curb attacks. It immediately had me worried about the potential privacy issues this could bring up. Who would handle these IDs? How would then be issued? What data would be collected and attached to them? How long would that data be stored? How will it be secured? What would it be used for and by whom? Also isn’t there already a way to ID devices on the internet, you know the IP address system?
Now I hadn’t read the article yet but already I had a bunch of questions about it? I clicked on the link and quickly browsed the article. I was in class so I quickly saved it for future reading and downloaded the key report mentioned in the article, the Kenya Security Report 2012 by Serianu, an IT services and business consulting firm.
So I’ve finally read the article and the report and can finally talk about them with a little bit of knowledge. I think, being a computer science student, I can talk about these things with a little bit of authority.
First I’ll start with the report. 32 pages long, and a very obvious way to market Serianu, it provides numbers and statistics on various threats on our country’s internet and computers. For instance it claims that about 80% of IP addresses in Kenya have poor reputation scores because of spam. I won’t argue about the numbers in the report since I can’t really dispute them. However, I have gone over the report myself and have a couple of things to say about it.
Firstly, well done to Serianu for actually taking time to come up with report, whatever their motives. I’m a firm believer in data driven legislation when it comes to computers and the internet, and this report, and others like it, can be used to inform the government on exactly how far the law can help in preventing crimes and where it would be over reach.
Secondly, at the end of every section they give recommendations on avoiding and preventing various threats. While all very valid I can sum most of them down to just one phrase, “DON’T BE STUPID!”. That phrase if applied in its entirety could probably prevent over 90% of system breaches, hacks and malicious software. Recommendations like use firewalls, patch your system, use secure passwords, update your antivirus regularly and limit the number of people who have access to databases and other files by using privileges all fall under this simple rule.
Finally I felt that the report only had one mistake of omission, under the sections talking about spamming and the one of malicious software it fails to mention that one of the main reasons botnets and viruses are so prevalent in Kenya is the fact that a very small percentage of the population uses genuine software. The reasons for this are for another post but every computer admin of any sort worth his salt knows that non-genuine software has the high potential to come with security holes. I use a genuine copy of Windows on my PC and every time I connect to the net it patches and updates itself from Microsoft’s servers, this is not possible with fake Windows. The report should’ve mentioned that the use of counterfeit software was one of the main reasons virus are so wide spread.
Now on to the article in the Business daily. After reading it I found that headline very misleading. The government isn’t issuing ID for net users but rather want to have a local Public Key Infrastructure (PKI). This would enable users of basically insecure public networks (like the internet) to securely and privately exchange data and money through the use of a public and a private Cryptographic key pair that is obtained and shared through a trusted authority. Read more about it here. The government wants to move the process locally to reduce costs to businesses working online. That headline should have been something like “Government makes moves to secure online transactions locally”
It would behoove journalists and editors to ensure their headline their articles not to cause sensation but inform.
Now to end things on a light note here are two pictures from one of my favourite web-comics xkcd on security that should put things in real perspective for you.
Finally, read my other post about the government’s plans to play big brother on the internet here. Peace!!