Unfortunately, it's this sort of headline-catching soundbite that causes ordinary users to be scared about using the internet rather than teaching them basic computer security advice.
Ignoring the fact that the iPhone CAN run more than one process at once (in fact, in the related articles section at the top of the page, there's a link to an article entitled: Apple plugs remote-code execution flaws in iPhone), Windows is perfectly safe to use for internet banking; at least, if running a current anti-malware package and the latest security patches. The sort of person that is capable of creating a USB-bootable linux install is the sort of person that would ensure their computer was running an anti-malware package and the latest security patches.
Insp van der Graaf's statements really don't inspire much confidence in the NSW computer crime unit, if this is the level of understanding of information security typical of their staff.

Posted by
Dan Halford,
Oct 9, 2009 2:51 PM
|
I believe the security recommendations presented by this speaker are based on his technical ignorance and personal bias.
Additionally I don’t feel he can predict future laws that require ISPs to validate the clients’ security environment. The validation would require a breach of security.
Finally, if his audience needs an explanation on what booting up a system means, I suspect they are not technical enough to challenge his techno babble.

Posted by
Bill,
Oct 9, 2009 3:07 PM
|
If they're not technical enough to challenge his techno babble, then they're certainly not technical enough to pass laws mandating specific security technologies for internet banking!

Posted by
Bern,
Oct 11, 2009 2:16 PM
|
Even though the recommended solution is rather impractical for most users, the man has a point: according to the most recent estimate, almost 60% of all Windows computers worldwide are infected with malware -- a fact that I can testify to from personal experience with lots of (now former) Windows users. Especially click-happy kids and adolescents are pron(e) to infection. Antivirus by nature is always running behind the facts, so even though it helps, it's by no means a guarantee for a clean box (not to mention the fact that a lot of malware silently disables anti-malware software).

Posted by
Richard,
Oct 12, 2009 1:27 AM
|
The main problem is getting you Windows people to accept what the truth is.

Posted by
Jim,
Oct 12, 2009 1:43 AM
|
"If they're not technical enough to challenge his techno babble, then they're certainly not technical enough to pass laws mandating specific security technologies for internet banking! "
Unfortunately, that hasn't stopped them making similar laws in other industries.

Posted by
Harold,
Oct 12, 2009 1:45 AM
|
Detective Inspector Bruce van der Graaf should be commended for telling the truth, even though he must know that a certain large computer software company will be after his head on a platter.
For internet banking the LiveCD idea is a simple practical measure that any user can take.
You don't even need to burn a cd yourself.
Canonical will post a cd to you free of charge:
https://shipit.ubuntu.com/

Posted by
SilverWave,
Oct 12, 2009 2:47 AM
|
@Bill
If a person who understands what he is talking about with internet security cannot "predict future laws that require ISPs to validate the clients’ security environment", how can the people that are unable to understand him then create such laws? Why do you think the MPs are listening to experts in a 'hearing'? And if you think this validation is a security breach, go read about web browser user agent strings on Wikipedia!
@Dan
Ordinary Windows users should be scared of using the internet for online banking - there's a 50% chance that there is something on their computer watching them. That way they might do it more securely. As an analogy, would the reason you lock your house happen to be fear?

Posted by
Buggy,
Oct 12, 2009 2:53 AM
|
@ Dan Halford:
Excuse me, but you seem not to know what a Linux bootup disc is.
It is a CD. You download a CD image and burn it to a CD. This CD is then bootable, without needing a USB stick or internal hard disk.
So all you need to do is:
1) Download
2) Burn to CD
3) Put the CD in the CD drive and restart your computer.
I definitely have no idea which part of this procedure would be so complicated that an ordinary computer user can't perform it.

Posted by
Gustl Burger,
Oct 12, 2009 3:19 AM
|
Don't focus on the Windows thing. Focus on the "Live CD" thing. That's a fantastic idea and it really doesn't matter the OS on the live system. If there's such a thing as a Windows live CD, that'll work too.
The iPhone idea isn't so great though, because iPhones are very easy to steal, cookies and all.

Posted by
shayne.,
Oct 12, 2009 4:07 AM
|
Does the insecurity of the client side computers even matter when the banks' servers are also insecure?

Posted by
ram,
Oct 12, 2009 10:31 AM
|
"Even though the recommended solution is rather impractical for most users."
What is impractical about popping in a live CD? The solution is so practical and inexpensive, not to mention secure, one could expect banks to create their own tailored liveCD complete with marketing, splash screens etc.

Posted by
Stomfi,
Oct 12, 2009 1:38 PM
|
Of course if your computer got infected, has become a zombie, it is by a previous visit to a non-bank site. It is common sense, and I have done this for a long time, using a bootcd, a virtual system or a specialized partition on a multiple boot disk.
With the bootcd you have the problem that it is practically impossible to activate a firewall and to update your browser with the latest patches, which leaves a very small risk during one session. After the session everything is clean again.
Somebody, like an organization of banks, should set up a few trusted proxies, only connecting to trusted bank sites. Like one proxy in every continent or country. Companies like Canonical should bring out a bootcd with a preinstalled firewall that only connects to those proxies.

Posted by
HomeUser,
Oct 12, 2009 8:23 PM
|
First up, I run Puppy Linux OS off a CD-rom. Secondly, this cop in NSW forgot to tell us what the ABCNEWS told us March 2009 "NSW to allow secret searches, hacking" www.abc.net.au/news/stories/2009/03/04/2507007.htm
Why would a NSW cop that wants to be able to hack our computers be telling us how to be secure? Read the book 1984 sometime.

Posted by
Aussie Rod,
Oct 12, 2009 9:40 PM
|
The statistics on compromised Windows PCs are frightening, even in Australia. Puppy Linux doesn't even need any anti-infection software. It boots from CD, any PC user can do it. Comes up clean, runs in RAM. You can choose to save sessions to a file if you want, even an encrypted file. Heck, you can even save sessions back to a DVD, have a complete audit path of saved sessions, even roll back if you ever think a session got compromised.

Posted by
Barry,
Oct 13, 2009 12:16 AM
|
I use Puppy Linux for all my work and banking and have never had a security issue. Windows had a security issue on a weekly basis or would crash during secure sessions. I endorse everything Barry says.
I'm a UK user; the same issues here.

Posted by
David Grundey,
Oct 13, 2009 1:29 AM
|
What's "NSW"? Is it the "Nerdy SuperWeb Police Force"?
Thanks for not clarifying the acronym...

Posted by
Dohn Joe,
Oct 13, 2009 3:18 AM
|
This is again an example of addressing the symptoms and not the root cause of the problem. Having a Linux boot disc will create the illusion that all is fine. People will continue to use weak passwords, click on bogus links and won't learn the importance of patching and AV, as the boot disc is a snapshot in time. This is even worse because a 0-day can just as easily take out the Firefox running on the live CD (which would not be patched) as IE (on Windows) or Safari (on iPhone) for that matter. Home users and companies need to be held responsible to some extent for their ignorance and stupid online behaviour.

Posted by
camelx,
Oct 13, 2009 11:07 AM
|
I seem to recall there was a standards authority (I forget which) that recommended AGAINST using the iPhone, for the reason that it (and Safari in general) does not have a built-in anti-phishing filter.

Posted by
kaldosh,
Oct 15, 2009 1:04 PM
|
@ Joe Dohn:
NSW is 'New South Wales' - a state (county for you maybe?) on the Eastern Coast of Australia.

Posted by
Geoff,
Oct 16, 2009 4:37 AM
|
The onus is on banks to provide safe transaction end points - by Australian law.
Secondly, no technology that doesn't have a trust endpoint defense can secure against man-in-the-middle / DNS poisoning attacks where someone snoops and intercedes before the banks attach https security to your end device. Keying in www.yourbank.com.au doesn't help at all if your hosts file is tampered with or if any link is compromised between you and the bank.
No Operating System / virus scanner / firewall combo alone can help you completely. You need a reliable trust model to secure the end point (PC) initiation point of the transaction (including site certificate checks against the web services site you are trying to reach) - with protection from electronic snooping. Did the Australian firm - TrustDefender ever get this off the ground?

Posted by
Security Beast,
Oct 21, 2009 1:17 PM
|
Many people acknowledge the security benefits of Linux over Windows, especially when performing sensitive tasks such as Internet banking. I for one won't use it even with Firewalls and Internet security software installed. However, you make it sound so easy to run a Linux live version and get on the Internet. Linux can be very modem hardware unfriendly, especially if you have a wireless broadband modem. I've been trying to get mine working for weeks with no luck, even with the best of help from bulletin boards and blogs.
User friendliness in IT solutions is paramount if people are to use it successfully for daily tasks, such as Internet banking. I suggest you may like to provide a tutorial on how to configure a Linux live version in order to communicate with an Internet banking service.
Regards...

Posted by
Nick Kenney,
Jan 19, 2010 1:26 PM
|
@Gustl: You don't even need to download & burn ISO images, you just buy it, and I find free live linux CDs/DVDs are often easy to get hold of.
@Bill The iPhone severely limits multitasking, although it is theoretically possible, it is not just as easy as pie for a process to hide itself in memory and spy on you, like it is in Windows. I do not know what else you attribute to his technical ignorance; it seems like a good idea. Even if you are generally safe on your McAfee Windows machine, don't have kids and know what you are doing (the vast majority of users do not fit into this category), there is always a risk, which you should not take when banking. A live Linux boot is a perfect solution. Oh, and it baffles me how you think you are qualified to dismiss his recommendations as 'biased' after proclaiming Windows secure enough for banking, seeing as computers get infected by malware at a rate of 10% per month!
@Richard: I think a live CD is a simple, cheap and practical solution, compared to trying to secure Windows.

Posted by
Siglus,
Jan 21, 2010 8:28 AM
|