This is what I put in a message on a blog today.
OK, I think I am getting some traction on the "don’t blame the victim" message, so now what do we do about it?
My thought is that MS and McAfee, Avert, all the development houses are working at what they can do as fast as they can.
With Microsoft and its secure development lifecycle they are trying to make their software as safe as they can. The AV writers are working overtime keeping up with virus signatures.
Governments, police and militaries seem to be handicapped: not enough manpower, poor focus or something. They have problems with finding and, if they can find them, getting to major MalZ.
We need to sit down, look at the issue and then figure out what to do about it.
To this end I have started S31, a school of systems and applications experts and leaders in the Internet martial arts. We have taken it upon ourselves to focus our attention not on describing the problem or looking at ways to protect our systems, but on what can be done to combat the attacks we have been subjected to for so long.
Clearly trying to bring the MalZ to justice using arrests and prosecution is not working. This mostly falls into the problem of jurisdictions and the fact a lot of these are either by government or allowed by governments that are not exactly friendly to the west.
Also, creating technical means to stop the attacks is not working to its full potential. While these efforts have been good enough until now, good enough does not mean perfect. We and all who want to be free on the Internet appreciate their efforts and encourage them to keep up what they are doing as it is very important. But we need something more.
In the last few weeks we have been encouraged by others’ efforts in testing techniques to possibly fight back. We need to keep up this research.
S31 will be continuing these efforts in parallel with other researchers as well as defining requirements for the work ahead.
So for now, patch your systems with every patch you can. Run a good virus scanner in an active scanning role. Use 2 firewalls: a hardware firewall at your Internet connection and a software firewall on every single PC you own.
Use good malware scanners; use two just to be sure. We also recommend using a second antivirus on a manual scan once in a while: once a week if you are on the net much, once a month otherwise.
Be on the lookout for any and all social engineering, phishing and whaling. Educate the people around you. Teach them how to protect themselves. And keep at it; people get complacent once they have been uninfected for a while. People don’t want to have to be security experts, they just want to read their email and surf the web. We hope that in the future they can do just that.
And remember, don’t blame the victim; it doesn’t help anybody and makes us take our focus off of the people who are the real problem.
At the moment we are creating our goals and putting together plans. S31 will be modeled on traditional models for other martial arts training and headquarters. Starting with a setting of what is expected and what our leaders and students need to know and how the training will proceed.
As a Dojo we will not only be teaching computer security and anti-security techniques, but since this is a dangerous game we will be playing, we are also training in traditional martial arts as well. Our members currently include not only experts at computer topics; these same people also have a lot of other skills, such as from different martial arts: kung-fu, judo, aikido…
There will be no fees required for the training but each student is expected to have certain items and must at this point be physically located within driving distance of our headquarters for daily visits for training and meetings. They are also hoped to bring with them new skills that can be transferred to others in the Dojo.
Each person is required to have an existing security clearance from a short list of western governments and have proof of this. We must be able to trust our fellows, and while this is no guarantee of trust, it goes a long way to allow us to start down that road to trust.
Our intent is not to put those security clearances at risk; unless we can get a lawful way of performing our task, we will only be a place of learning. If we can get either a legal basis or formal permission, we will perform the task we have set. Well, time to get at it.