Dan Geer On Trusting PCs In Botnets

walk*bound writes "In an essay published by ZDNet, security scientist Dan Geer has an interesting proposal for e-commerce sites to evaluate the trustworthiness of clients that try to connect. Assume that end users either always say 'Yes' or always say 'No' to security dialog boxes. Then make the decision one of two ways: 'When the user connects, ask whether they would like to use your extra special secure connection. If they say "Yes," then you presume that they always say "Yes" and thus they are so likely to be infected that you must not shake hands with them without some latex between you and them. In other words, you should immediately 0wn their machine for the duration of the transaction — by, say, stealing their keyboard away from their OS and attaching it to a special encrypting network stack all of which you make possible by sending a small, use-once rootkit down the wire at login time, just after they say "Yes."'"

That worked so well

[Gr8Apes (679165)]

for Sony, for one. Yep, can't say enough good things about root-kitting your customers...

Re:

[Lobster Quadrille (965591)]

Somebody explain how this is a) useful b) acurate c) practical or d) ethical. I'll settle for any one answer.

Re:That worked so well

[Brian Gordon (987471)]

Not penalizing. Although the author's grasp of English is dubious, I think he's saying to present the user with a "Install this ActiveX control"/plugin popup. If the person accepts it, then they're an idiot and the plugin battens down the OS for the duration of the transaction so that all the other spyware can't get at it. If they decline it, the transaction continues anyway because they have the security sense to turn down a random plugin.

Re:That worked so well

[1u3hr (530656)]

Mixed up Robinson Crusoe and Lemuel Gulliver.

At least I didn't get Gilligan and the Professor in the mix.

Re:That worked so well

[by Anonymous Coward]

Assume for a moment that a benevolent business point blank asks their customer, "Do you mind if we root-kit your computer for additional security?" If the customer agrees, they either trust the company or don't know what they're doing. Problem is, if you can get away with that, what else would they agree to? The benevolent company then takes measures to protect themselves since the user authorized it. They then pass the money saved from not dealing with infected computers on to their customers. Yay. If the customer initially declined, then apparently they like to keep control of their computer and you proceed under the assumption you're communicating with a clean(-ish) computer. Fair enough.

I'd say that the main problem with this scenario is the idea of a business being benevolent. I don't trust them to not screw me... but isn't that the author's point? It's an interesting concept, even if it likely wouldn't execute well. At the very least, the idea of somehow measuring a customer's willingness to just click the "yes" button is worth some thought.

Re:That worked so well

[Holmwood (899130)]

Assume for a moment that a benevolent business point blank asks their customer, "Do you mind if we root-kit your computer for additional security?" If the customer agrees, they either trust the company or don't know what they're doing.

Actually, if I "agree" (i.e., say yes), it means I *do* mind being root-kitted. If the company then proceeds to root-kit my machine, they are definitely opening themselves up for a lawsuit.

That question is almost as bad as the infamous:

Yes means No and No means Yes. Format computer now, Yes/No?

But really, this error reinforces some of the disturbing aspects of the original question as cited. Users who answer "Yes" to using a more secure question may be idiots who always click yes; they may be knowledgeable users who expect something like SSL. They are unlikely to be sophisticated users that expect to be root-kitted.

I certainly agree with parent about the dangers of assuming benevolence -- from corporations, or governments.

Holmwood

Re:

[Yetihehe (971185)]

That question is almost as bad as the infamous: Yes means No and No means Yes. Format computer now, Yes/No?

Can I choose ^C ?

Re:That worked so well

[joto (134244)]

That question is almost as bad as the infamous: Yes means No and No means Yes. Format computer now, Yes/No?

Can I choose ^C ?

Yes

(assuming that "Yes means No and No means Yes" is still in effect).

Re:

[mtgarden (744770)]

That was the point I made at ZDnet. If the company asked me if I could be root-kitted, I would say no. If they asked me if they could enable a more secure transaction, I would probably say yes. My assumption would be that the company would now require tougher passwords etc... and give me some sort of perk for being extra safety conscious. So the assumption that I would select yes, because I am dumb and always click yes, is retarded. I only click yes when I trust the source (I assume a reputable busine

Re:

[Marcos Eliziario (969923)]

We always had licenses for HAM radio. And any HAM operator knows the trouble caused by unlicensed/incompetent operators. Ham radio has the licensing requirement because radio spectrum is a limited resource.
Maybe we should have a similar system on the internet: A special, restricted use network to be used only by licensed operators, and a free, no-license citizen's band internet for myspace users and similar fauna.

Asking to be Secure means already infected?

[Geoffrey.landis (926948)]

Is this for real? The proposal is that clients who do ask for a secure connection are infected, and that the ones who don't ask for a secure connection aren't infected? Isn't this, like, precisely opposite of what you'd expect? And his response to clients who ask for a secure connection is to put a rootkit on their server?

A few of the commentators on \. have managed to translate the editorial into a proposal that actually might make some sense, but reading it as written, the proposal is the worst, most

WTF

[Zouden (232738)]

Where's the Monty Python foot icon? This has to be a joke.

Numbers

[willyhill (965620)]

My guess is that the number of people who would say "No" is directly proportional to the number of PCs that are not infected.

BTW, I think this is an interesting essay in the sense that it dares suggest that users are mostly responsible for the security of their computers, not Microsoft. The vast majority of people who have 0wned machines are in that state because they did something they shouldn't have. There's no coding around that, I think. Unless we deny users the right to use their computers... or educate them.

Re:Numbers

[thegrassyknowl (762218)]

Unless we deny users the right to use their computers... or educate them.

You can't educate most of them. They don't want to learn. It's unfortunate but it's the truth. Laypeople think that "firewall" and "anti virus" is all they need to keep them safe from nasty people. I have the unfortunate task of dealing with people like that on a daily basis (many ask why I'm so jaded) and they don't care what the real experts say.

If you tell average Joe that he shouldn't do something that he wants to because it's a bad idea and then Joe's "expert" mate says "nah man you've got firewall and AV installed you'll be right" he'll ignore you. He will listen to the "expert" mate of theirs that installed Windows once or twice using the restore disk that came with their shiny Dull PC and now thinks they know everything because the "expert" doesn't get in their way of doing stupid things.

The number of users who click 'yes' and 'no' will be split 50/50, depending on the question. I don't think it's possible to predict what people are going to click because it all depends on the type of message and the wording.

A lot of people always click allow or always click block when ZoneAlarm pops up a warning. They'll always click "Allow" when Windows pops up and says that they are trying to install an unsigned program. They have seen that type of dialog before and kind of know what to expect when they make their usual response.

Random Internet questions are different because people aren't expecting them to be there. There is no preconceived notion of how to respond to the random question other than to read it and work out what it's trying to say.

Re:

[johnny boy (129702)]

Except when the OS tells someone, by icon and name, that they are clicking on an image, then it shouldn't install a program instead. Hiding extensions and allowing programs to masquerade as benign files is an interface issue. There is no reason Microsoft can't design the interface to ensure that EXE icons have a special signifier indicating the nature of using the icon (Linux might improve here too).

Hiding the extensions by default might make the interface seem less cluttered, but it definitely creates cr

Re:Numbers

[mcrbids (148650)]

The vast majority of people who have 0wned machines are in that state because they did something they shouldn't have. There's no coding around that, I think. Unless we deny users the right to use their computers... or educate them.

BBBBBZZZZZZZZZZZZZZZZZZZZZTTTTT!!!!

Sorry, Charlie. You got this one wrong!

True or false: Some places are more secure places to keep your money.

True or false: Some cars are safer during a crash than others.

True or false: Some airports are safer/more efficient than others.

Now for the kicker:

True or false: Some software is more secure/better designed than others.

The truth is that my wonderful Mother in Law had her computer infected by merely clicking the subject line of an email on her otherwise patched computer with antivirus and a hardware firewall on a DSL connection. What did she do that she shouldn't have?

People sometimes do stupid things, and even reasonable things in cars and get into accidents. But even so, a car that's well designed will protects its occupants better, and frequently makes the difference between injury and death. You get into an auto accident on the freeway, which would YOU rather be in: A Yugo or a Mercedes? I know which one I'D pick...

People *do* make mistakes, and they *do* things that are stupid. If using a computer requires perfect behavior in order to work, then they won't work.

Re:Numbers

[joto (134244)]

Some people Are just too stupid to own computers

No. They might be to stupid to operate a computer, or to stupid to operate a computer connected to Internet without getting infected in less than 30 seconds. But I believe even most primates are intelligent enough to own one. What that requires, is simply an understanding of private property.

I have given up trying to educate some friends of friends who need their computers fixed again.

Why were you trying to educate them in the first place? Did they ask you to educate them? Did they seem particulary interested in Internet security? Or was there some other reason that focused more on your needs than theirs?

What you should do is to stop fixing friends (of friends) computers for free. If they have to pay (not necessarily you) for support, they will learn about Internet security by necessity.

I have a friend who is a cook, and I don't expect him to cook me free food (if he always did, I would never learn to cook). Nor do I expect my friend who is a debt-collector, to collect debt for me either.

The reason idiots ask you to fix their computer, is (a) because you actually do it, and (b) because you always says yes, they assume you enjoy it. If you say no, they will (a) respect that, and (b) not stop being friends with you. Unless they are psychopaths, in which case you are better off anyway.

Flawed premise.

[TeraCo (410407)]

The premise is flawed. Just because someone wants extra security doesn't mean they always click yes to questions. Maybe they just want extra security.

A better test would be to popup 'would you like a free ipod'. Having pointed this out, I do have to add: this is a retarded idea.

Re:Flawed premise.

[Odiumjunkie (926074)]

> Having pointed this out, I do have to add: this is a retarded idea.

Not only is it stupid, I imagine that it would be very hard to implement.

Who wants to volounteer to code a "use-once rootkit" that provides a "special encrypting network stack" that guarentees secure communication on a machine that you believe is compromised with x brand of malware and y number of existing rootkits? How are you going to make it so secure than malware writers can't subvert it for their own purposes?

The idea presented is bafflingly stupid, but the idea behind it is not: different security models for users based on behaviour patterns.

If someone uses a six character dictionary-word password (you could check once before hashing and store the result), or fails to uncheck the "receive offers from our partners" checkbox when entering their e-mail address, then perhaps they're not terribly savvy computer users and it would be an idea to throw a few more CAPTCHAS at them each time they log in, or more closely monitor their account for suspicious activity.

Or a different approach.

[khasim (1285)]

Since we're discussing ways to make online shopping safer ...

Instead of giving your credit card into to a store (when your bank already has it), have the store generate a random string. Copy that string to your bank's website (where you have logged in) and your bank will pay the store for that item(s) in the shopping cart identified by that string.

There. Your credit card info NEVER crosses the wire.

And the bank can keep records of which stores/accounts have complaints and give you some stats. Kind of like eBay's rating system.

That store has a 99%+ positive rating with 1,532 transactions in the past month (1,926,872 total transactions).
vs
That store has a 25% positive rating with 4 transactions in the past month (4 total transactions).

It's a joke.

[Erris (531066)]

When you pull your head out of M$ propaganda you will understand what the author is saying. You don't get the joke because you are a victim of double think and believe things that glaringly contradict each other.

The author is responding to hate mail he got for challenging the M$ party line that only idiots get 0wned.

A little over a year ago, I wrote an editorial where in back-of-the-envelope style (.pdf) I estimated that perhaps 15-30% of all privately owned computers were no longer under the sole control of their owner. In the intervening months, I received a certain amount of hate mail but in those intervening months Vint Cert guessed 20-40%, Microsoft said 2/3rds, and IDC suggested 3/4ths.

He parodies the party line brilliantly by saying:

This parallels the real world where people who get venereal diseases tend to get more than one. The reason is simple, the infections computer or cellular are side effects of behavior and consistent behavior tends toward consistent results.

and then suggesting that vendors instantly 0wn anyone who says they want a secure connection. This is not a serious suggestion, it simply point out the absurdity of blaming the user for something others so easily and frequently do. Vendors are screwed and he knows it.

The author is also pointing out how insulting it is for M$ to continue to blame the user for M$ security problems. If M$ really believes this, they must also believe that 2/3rd of their customers are idiots who and have VD. Is there any other vendor on the planet that so casually insults their customers?

Amazingly enough, the general population still believes the M$ party line. I had this argument with a co-worker the other day. He so strongly believed that it's the user's fault that he could not accept estimates by Vint Cerf or Michael Dell as accurate. Stories of corporate network dissaster are similarly dissmissed as the fault of idiots at work. More amazing than the man's inability to take in new information was the temper tantrum he threw when calmly questioned and confronted with facts. M$'s own estimates will also bounce off his otherwise bright head because it would force him to conclude that there's either a 2/3rd chance that he's an idiot or worse - he's been wrong headed and vocal for years, which is the definition of an idiot. How does M$ build such loyalty while being so abusive? Windoze security is a oxymoron and it's time the public at large understood that.

Re:

[c_sd_m (995261)]

This parallels the real world where people who get venereal diseases tend to get more than one. The reason is simple, the infections computer or cellular are side effects of behavior and consistent behavior tends toward consistent results.

So if a slashdot reader has a chance to get laid he shouldn't do it since obviously the other party will do anyone?

Re:

[Erris (531066)]

The easiest way to shut you up is to ask you to prove one of your outrageous lies.

What, like Vint Cerf and Michael Dell saying between 20 and 40% of Windoze machines are part of a botnet? [bbc.co.uk], M$'s assertion of 2/3rds [eweek.com]? Such outrageous lies. Take it back to Redmond, AC, your talking points don't work anymore.

Re:Flawed premise.

[TeraCo (410407)]

If a reputable site is offering me 'extra security' and I accept it, that doesn't demonstrate anything about my willingness to accept malware. It just shows that I trust that reputable site.

Re:Flawed premise.

[TeraCo (410407)]

You trust a site.. on the internet. You are an idiot.

How is that tinfoil hat treating you? People quite a bit cleverer than either of us have gone to a lot of trouble to address 'trust' issues in on the internet.

By the by, when you patch your OS you're trusting a site on the internet. I hope I haven't shocked you.

Re:Flawed premise.

[omeomi (675045)]

If you download and run an executable that *any* website offers you on the Internet, to provide you with "more security", then you're an idiot. Oh, and if you think otherwise you're an idiot too.

Linux is often viewed as more secure than Windows...If I download a Linux distro, am I an idiot? Same goes for Firefox. The second bullet point on the Firefox web page [mozilla.com] is "Stay Secure on the Web". What if I download a Windows firewall update that Microsoft claims is more secure than the old version? Am I an idiot?

Re:Flawed premise.

[by Anonymous Coward]

What if I download a Windows firewall update that Microsoft claims is more secure than the old version? Am I an idiot?

Yes, at that point you are an idiot.

(Posted from a Windows system, by an idiot.)

Re:

[a_nonamiss (743253)]

You trust a site.. on the internet. You are an idiot.

::Sigh:: So I suppose you never do anything useful on the Internet? Why not just unplug your modem/Ethernet cable? It would save you from having your PC compromised, and it would save the rest of us from your logic.

Re:

[SirSlud (67381)]

You're on a website. You trust it enough to connect to it and assume it will not exploit your system should its owners become aware of a client exploit you are susceptible to and are unaware of. Where did you get your anti-virus or firewall software or your patches to bugs that are discovered in your network stack or network daemons? Super happy fun land?

As soon as you plug that cable in, you impart some minimum amount of trust to teh interwebs. As far as I can tell, nobody who has installed reputable trust

Re:

[a_nonamiss (743253)]

But since windows (at least, XP) doesn't have kill -9

You information isn't quite correct. Right click on taskbar -> Task Manager -> Processes. Right-click on offending process -> End Task. BAM! Dead as a doornail. No waiting. (under normal circumstances) If you don't know the process name, you can head on over to the applications tab, right-click on the application and choose "Go To Process." Alternatively, if you're a "power user" (and I use that term lightly) there are the most excellent and free Process Explorer (for those who like clicking and p

Re:

[zippthorne (748122)]

As far as I can tell, from my admittedly user point of view, the task manager doesn't actually kill processes. It sends them exit signals. As evidenced by the fact that, unlike every Linux distribution I've ever used, "end task" doesn't result in the immediate disappearance of any windows related to the process and the process name's removal from the process list. Only after a period of unresponsiveness does it drop ceremony and outright end the process.

In normal circumstances this is a good thing as it

Re:

[Antity-H (535635)]

To answer your last question : process explorer is available here : http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx [microsoft.com] which seems to be part of the microsoft website (if you trust URLs and DNS I mean).

Dumb.

[WK2 (1072560)]

When the user connects, ask whether they would like to use your extra special secure connection. If they say "Yes," then you presume that they always say "Yes"

I thought this was a misquote. I checked TFA, and this is exactly what it says. This guy thinks someone who prefers secure connections is more likely to be pwned.

Re:

[QuantumG (50515)]

Have you considered the possibility that someone has broken into the stock buying site and now would like to get into your banking site? Maybe because, I don't know, they think you might have *more* money in your bank account that the stock buying site doesn't have access to and they'd like that money too? Honestly, if your stock buying site tells you that you need more security than your browser supplies and asks that you download some random piece of software that you can't even inspect to ensure is not

off topic

[Mr Abstracto (226219)]

mod me off topic if you must, but I for one just cant bring myself to ever trust someone with muttonchops like that.

How do i reply again?

[L7_ (645377)]

Yes.

Awesome!!1!

[Orthuberra (1145497)]

I can't wait, and if they say "No" just don't allow them into the site, because how can you trust them if they say no to an extra special secure connection, can you? I can't wait for the future where our choices are root-kitted slave or web pariah!

--In Soviet Russia, internet connection owns you!

Wait a second....

[PieSquared (867490)]

A dialog pops up asking "do you want to use a secure connection or not" on your internet stock-buying site.

I would assume that any reasonably secure computer user would.... say yes? I mean, I suppose this approach would work if you assumed *everyone* either always said yes or always said no... but what about people who pay attention to what URL they are at (yes, this is *really* the site I want to buy stocks from) and *read* the prompt (yes, I would like to use a secure connection). You've just root-kitted (well, tried to rook-kit(heh, root-kit as a verb)) your most secure and computer-savy users. They aren't going to like it.

If my trusted e-commerce site decided to give me a root-kit or take control of my keyboard/mouse... well they wouldn't be *my* trusted e-commerce site anymore. Now, if you have a security dialog that anyone actually reading *wouldn't* agree to this approach might work, as the *only* ones who agreed would be the ones who automatically say "yes."

So yes, instead of taking a little loss on people who got tricked into buying someone else a stock you should *obviously* try to trick and "0wn" your clients for agreeing to a reasonable proposition ("would you like to use a secure connection with your trusted e-commerce site"). That is *clearly* the best approach.

Re:

[nacturation (646836)]

what part of this is hard to understand?

Taking the control of the keyboard away from the OS *is* the super special security that they are asking you to install.. you said yes.

The summary *and* the article are poorly worded. Rather than simply asking "Do you want to use our extra-secure connection?" (as in, this could be a somewhat slower but more secure 256 bit standard SSL protocol) the question should have been phrased as "Do you want to download and install this executable software to enable our extra-secure connection?". In that light, the rest of the discussion actually somewhat makes sense... however much you agree or disagree with the rest.

WTF?

[thatskinnyguy (1129515)]

Is there anyone else here who read the summary and thought "What the fuck?!"

Re:

[Tim C (15259)]

Well, I actually thought (and in fact said out loud) "That's an absolutely fucking ridiculous idea!", but close enough I feel.

So, I access a site I presumably already trust which would presumably be worthy of that trust, as they're trying to protect themselves and their users (albeit in an utterly retarded way). It pops up a dialogue asking me if I want to use a new, even more secure connection, and if I say yes then they root my PC because they think I'm an idiot and therefore my PC is almost certainly inf

Woke up this morning, don't believe what I saw

[greenguy (162630)]

...hundred million botnets, washed up on the shore
Seems I'm not alone in being alone
Hundred million castaways, looking for a home

Ill send an SOS to the world
Ill send an SOS to the world
I hope someone don't get my
I hope someone don't get my
I hope someone don't get my
PC in a botnet, yeah
PC in a botnet, yeah
PC in a botnet, yeah
PC in a botnet, yeah

Dumbest. Idea. Ever.

[Opportunist (166417)]

Let's assume I go to this page. Let's assume I do read what's offered to me. So I could use a superspecialawesome security feature. Great. I'm security conscious and yes, I want that security feature.

Let's assume I go to this page. Let's assume I am a trained clickmonkey. So I get a dialog that asks "yes" or "no", and I click yes because I always click yes.

Erh... who'd click no?

What's the demographic of people who would click no there? People who do read security popups but don't want to be secure?

Sounds to me a bit like a scam. Nobody would click no there. So this all smells a bit like "look, we ASKED the customer if he wants to get a rootkit, it ain't like we didn't tell them".

Yes, another kdawson masterpiece.

[radimvice (762083)]

I have to say (and I know I'm putting my karma in front of the firing squad here), this kdawson guy really knows how to pick em...honestly, it seems that every time an off-topic, ridiculous, or horribly misleading tagline enters the front page, all I need to do is look up from the painful summary paragraph and there is good ol' posted by kdawson, smiling down from above.

Re:Yes, another kdawson masterpiece.

[thatskinnyguy (1129515)]

You can edit your preferences to not include kdawson in the stories you get. He does have a terrible track record as far as quality goes. I wouldn't be surprised if kdawson was just a common login name at /. that the admins use just to get our goats.

BRILLIANT

[Almahtar (991773)]

You see, all the other rootkits will trust this one, thinking it's one of THEM!!! Then all you have to do is have your rootkit tell them that it can't stay long and would they please let it have this password/account number and they can steal the next.

They'll never even know this was a good guy root kit the whole time!

better dialog box

[Rudisaurus (675580)]

I think the dialog box should say, "Would it be alright to install a root-kit on your machine?".

The ones who say "Yes" to that are justifiably pwned. Everyone else is reasonably trusted and left alone. It's a good filter!

Huh?

[Psychor (603391)]

I don't understand it to be honest... although most of the sentences seem to make sense individually, I don't really follow the logic. For a start it all seems to be based on the flawed assumption that users always make the same response to all dialog boxes. Why would one assume this? Even a complete idiot might select either option randomly, or mash their fist on the keyboard with the same effect. It's even possible that some highly advanced users might read the information and act on it accordingly!

Anyway, assuming that ridiculous assumption is correct, the author then makes another ridiculous assumption, that if you always say yes to dialog boxes, that means your computer is infected with all kinds of malware. They then decide it would be a good idea to root kit this PC and encrypt network traffic to it. I'm not quite sure what the point of this is either since the machine would have to decrypt the traffic for it to be any use, so any malware present on the machine could still have access to the traffic. I think they could be saying that the point of this is to protect their host machine from your horrible horrible malware. To be honest if a web host is so vulnerable that malware infected clients visiting it cause them to catch it to like some kind of electronic herpes, you have even bigger problems to worry about than the inevitable lawsuits from arbitrarily rootkitting your client's PCs.

In short, it's a long time since I've read such complete nonsense, even given Slashdot's normal submission quality. If anyone managed to follow the article's logic, perhaps you could explain it to me, and possibly also tell me which parallel universe you're from so I can cross it off my holiday list.

Mr. Geer doesn't go far enough

[petard (117521)]

Really, why should the test be the user's reply to a question? If you can install your rootkit on the users machine simply because they've visited your website, and you believe your users visit websites that are not yours, other sites can and probably have installed their rootkits. So what you should really do is quietly test to see if you can install your super secure rootkit, and, if so, do it. If you can't install it, they're probably safe to do business with.

Seriously, using user behavior to assess security risk isn't a dumb idea. But the way this essay frames it is just silly. With the number of assumptions he's made (about user behavior, having a super "rootkit" that can defeat all others, etc.) he might as well go the whole nine and just own everyone he can.

The Slashdot Experience

[Blackheim (661904)]

Posts like this keep me coming back