If you're doing electronic filing, isn't your information being put on the net anyway?
-- Matthew Miller mattdm@mattdm.org
Actually no. No more than using ssh is sending your password over the net. Electronic filing uses a secure TCP/IP protocol.
STYMA, ROBERT E (ROBERT) wrote:
Actually no. No more than using ssh is sending your password over the net. Electronic filing uses a secure TCP/IP protocol.
If you do your tax filing over the web, it is done using a secure network protocol. Actually, for HTTPS, I can check what encryption scheme is used (just click on the lock icon). If I don't like it, I can simply disconnect and do my taxes elsewhere or using some other method. For net filing, I have no idea what they are using and how secure it is. I can only hope that they are using the same encryption algorithm (for example 3DES or AES) as the ones used for the HTTPS protocol. That would mean net filing has exactly the same security as HTTPS. If they are using some proprietary protocol (instead of the standard ones), I'd stay clear of net filing and use good old paper and pen. All proprietary protocols in the history of mankind have proven to be trivial to break.
Even if you do it all on your PC, your information is going to be stored on two networked computers. Your desktop PC running Windows will be one of them. And we all know how secure a desktop PC is. Once you transfer it over, it is going to exist for some amount of time on another networked computer: your government's tax agency computer.
The only good reason against doing taxes over the web is that you trust a third party (a privately owned entity) with your private data. But on the other hand, as soon as you hire some agency and/or accountant to do your taxes, you are doing basically the same thing. As long as you live in a country with sufficient legal regulations that require anybody doing taxes (including over the web) to protect your privacy, you should be fine.
Have in mind that breaking into your desktop PC is almost a zero-risk thing. There'll probably be no consequences for the attacker even in the unlikely case that he is detected. You do not have sufficient funds to do much about it. Your funds are barely enough to set up basic defenses, for that matter. On the other hand, breaking into an accounting company's computers or government computers is a completely different story. They have funds to hunt down the attacker. Unlike you, they have funds to create a secure environment. If I have to keep my confidential data anywhere, the last place I'd like to see it stored is a desktop Windows machine.
On 2005-02-14 at 09:24-06 Aleksandar Milivojevic amilivojevic@pbl.ca wrote:
Have in mind that breaking into your desktop PC is almost a zero-risk thing. There'll probably be no consequences for the attacker even in the unlikely case that he is detected. You do not have sufficient funds to do much about it. Your funds are barely enough to set up basic defenses, for that matter.
I think you underestimate the strength of the defenses that can be prepared from some second-hand PC hardware, the Fedora Core distribution, and the application of a little knowledge and time.
On the other hand, breaking into an accounting company's computers or government computers is a completely different story. They have funds to hunt down the attacker.
And those same funds are what make them a juicy target for attackers in the first place.
Script kiddies will be stopped by trivial defenses. Intelligent and determined attackers aren't going to waste their time targeting Joe User's home PC; they're going to go after more rewarding targets.
Even when intelligent and determined attackers *do* target home PCs (e.g., because spammers are paying for spam zombies), for every PC with even moderate defenses, there are at least 100 that can be successfully attacked with virtually no effort. Why climb 50 feet up the tree to pluck a single fruit when there's plenty of fruit that's just as juicy at ground level, just waiting to be picked?
Unlike you, they have funds to create a secure environment.
Unlike me, they have to hire employees to run and maintain that secure environment.
This is significant, because it's relatively well-established that most security breaches originate from the inside (not from external attackers). Here's a recent study:
http://www.itsecurity.com/tecsnews/feb2005/feb78.htm
Who do you trust more? Yourself, or some random company's hundreds of employees?
If I have to keep my confidential data anywhere, the last place I'd like to see it stored is a desktop Windows machine.
In terms of network threats, I assert that a home Windows desktop machine, competently managed (up-to-date on security updates, running anti-virus software, running anti-spyware software, etc.) and used (using Firefox instead of IE, all accounts set up as restricted users, et al.), protected by an intelligently configured Linux-based firewall, is a more secure location for one's confidential data than the fileservers of a big corporation.
Of course, with a home PC, physical access attacks (e.g., a burglar breaking into your house and stealing your computer) are more difficult to defend against, but even physical access attacks can be mitigated to some degree...
James Ralston wrote:
On 2005-02-14 at 09:24-06 Aleksandar Milivojevic amilivojevic@pbl.ca wrote:
Have in mind that breaking into your desktop PC is almost a zero-risk thing. There'll probably be no consequences for the attacker even in the unlikely case that he is detected. You do not have sufficient funds to do much about it. Your funds are barely enough to set up basic defenses, for that matter.
I think you underestimate the strength of the defenses that can be prepared from some second-hand PC hardware, the Fedora Core distribution, and the application of a little knowledge and time.
On the other hand, breaking into an accounting company's computers or government computers is a completely different story. They have funds to hunt down the attacker.
And those same funds are what make them a juicy target for attackers in the first place.
Script kiddies will be stopped by trivial defenses. Intelligent and determined attackers aren't going to waste their time targeting Joe User's home PC; they're going to go after more rewarding targets.
Even when intelligent and determined attackers *do* target home PCs (e.g., because spammers are paying for spam zombies), for every PC with even moderate defenses, there are at least 100 that can be successfully attacked with virtually no effort. Why climb 50 feet up the tree to pluck a single fruit when there's plenty of fruit that's just as juicy at ground level, just waiting to be picked?
Unlike you, they have funds to create a secure environment.
Unlike me, they have to hire employees to run and maintain that secure environment.
This is significant, because it's relatively well-established that most security breaches originate from the inside (not from external attackers). Here's a recent study:
http://www.itsecurity.com/tecsnews/feb2005/feb78.htm
Who do you trust more? Yourself, or some random company's hundreds of employees?
If I have to keep my confidential data anywhere, the last place I'd like to see it stored is a desktop Windows machine.
In terms of network threats, I assert that a home Windows desktop machine, competently managed (up-to-date on security updates, running anti-virus software, running anti-spyware software, etc.) and used (using Firefox instead of IE, all accounts set up as restricted users, et al.), protected by an intelligently configured Linux-based firewall, is a more secure location for one's confidential data than the fileservers of a big corporation.
Of course, with a home PC, physical access attacks (e.g., a burglar breaking into your house and stealing your computer) are more difficult to defend against, but even physical access attacks can be mitigated to some degree...
One thing that is missed is the increased usage of telecommuting. If home machines are hacked, that can allow a backdoor into the secure company domain. How many people that telecommute also get company computers? Many get the pleasure of using their own home computer.
Sure, the company may use VPN and encryption between work and home, but if the home machine gets compromised, all bets are off. More justification for higher security at home for telecommuters.
James Ralston wrote:
I think you underestimate the strength of the defenses that can be prepared from some second-hand PC hardware, the Fedora Core distribution, and the application of a little knowledge and time.
I agree with almost everything you wrote, and don't find what I wrote to be really contradicting it.
I was talking in general, about what you can find in an average home. Not about what you can do if you have a bit of salt in your head. The average user has AV software with a license that expired at least a year or two ago (so his AV isn't really working), a crappy firewall with UPnP enabled (so that any piece of spyware can dig holes through it) and a nice collection of at least a dozen trojans happily running on his/her machine. The average home user goes to the store, buys a box, and it simply works. He uses it once a week, and does absolutely no configuration/maintenance on it (nor wants to be bothered with it). He thinks he has AV, because that's what the salesperson told him (in reality he got a 90-day license bundled with his PC; most people will never extend it). You say Linux. The average home user responds with "is it something for eating, or a new soap brand?" Heck, I even saw people connecting ADSL modems to the LAN ports of those small router/firewall boxes you can buy cheap nowadays (because the local ADSL provider gives instructions/support (and software for connecting, which you really do not need at all) that only work with the ADSL modem connected directly to the PC). Configuring the broadband router to authenticate over PPPoE (two clicks in a web browser) was too complex a task for them. That same average user will turn off the Windows firewall the first time something doesn't work (and some "tech support" person asks him to try turning it off and walks him through the steps), and simply leave it off so that his favorite MP3 sharing application works... Should I continue, or simply stop now and have my lunch?
On Mon, Feb 14, 2005 at 08:07:15AM -0600, STYMA, ROBERT E (ROBERT) wrote:
If you're doing electronic filing, isn't your information being put on the net anyway?
Actually no. No more than using ssh is sending your password over the net. Electronic filing uses a secure TCP/IP protocol.
Of course. And Turbo Tax for the Web (and all of the other companies) also use https. I guess the question is: a secure protocol _to what_?