NYT Reports Porn Spam Hijacking Network 497
twitter writes "This NYT story describes how thousands of PCs have been used as porn spambots and reverse proxy servers, and mentions that they could be used for kiddie porn. Finally, though Microsoft is not mentioned, people might start to understand what a monoculture of poor quality software enables."
Possible Legal Implications Abound (Score:1, Interesting)
Monoculture it is, but... (Score:5, Interesting)
I guess that's pretty authoritarian, and there are better ways to beat spam. Still... the elimination of the luser is a shining grail for us all, no? ;)
Re:Monoculture it is, but... (Score:2, Interesting)
However, putting users in tightly controlled segments of the internet (filtering inbound/outbound of most unnecessary garbage and attack vectors) by default would cut down on this problem greatly. The first to complain will be those with esoteric needs and "power users." Require them to read/pass some basic education before allowing them a hall pass into the internet. Since they must abide by the AUP, I don't see a problem with testing them to see if they know it, and how to prevent themselves from being in violation. This entire process could be mostly automated.
Microsoft not mentioned? (Score:2, Interesting)
Not to mention the obviousness of using such a widespread and vulnerable platform. I think this is what everyone's getting at.
And to think of how many NT4 machines are out there with a root RPC vulnerability that MS refuses to fix. If someone's running NT4, I don't know how likely it is they are going to apply anti-virus patches. I think MS leaves footprints of vulnerabilities for this sort of problem for years after releasing products, regardless of actions others take to try to help.
Broadband providers are partially at fault (Score:5, Interesting)
What kills me is that it's in the ISP's best interests to encourage safe computer habits, and they don't really emphasize that.
These things really are problems (Score:5, Interesting)
Here's the thing though, with StarBand, they have an auto-imposed limit of around 500mb/week upload, and if you go over it, you are automagically shut off for a few days. The problem with this, and I have seen it happen, is that the Spam/Pornbots can infect a Starband Customers computer, and easilly make them go over their weekly 500mb upload limit. Thus causing them to lose their internet connection.
This poses a real problem, not only for the end user (The people I deal with are all in the far reaches of Northern Minnesota where Satellite Internet is the ONLY broadband option) but also for the ISP's. Its viruses/bots like this that make it even more necessary for legislation to fight spam.
The writers of the Bots would be the spammers, not the owners of the infected systems. Just because I borrow your car to deliver the paper, does that mean that in reality, you delivered the paper because it was YOUR car?
-I may not me amish, but I am a geek!-
Unfair expectation (Score:4, Interesting)
Hardly a fair question, and I'll use your car safety requirement example to demonstrate.
Back before there were seatbelt laws, many cars simply did not have them. So once those laws were put into place, would it be fair to expect older cars to pass the seatbelt test?
Now if this minimum security law you suggest were to become a reality, it would be Microsoft's responsibility to make sure that future operating systems pass the security test. But you cannot hold them to a standard that does not currently exist.
I've noticed this... (Score:1, Interesting)
It's about time... (Score:2, Interesting)
Someone went to jail for running Microsoft Windows.
This isn't as far-fetched as you might think. For instance, the federal child-porn laws are strict-liability laws, which means that if someone is found in possession of child porn, they are guilty, regardless of how it got to their machine. So when these viruses start delivering child porn, some clueless windows user could literally get 5 to 10 years for running their machine without a firewall.
I say this is a good thing. When computer virus victims start getting jail time, the average populace will get serious about computer security. (Which of course, can only be a good thing for Linux.)
You know... (Score:2, Interesting)
If Linux were in the mainstream, everyone and their mom would be logged in as root, like Windows users are with administrative accounts anyway. So why even pretend that Linux, should it ever become as mainstream as Windows, would be inherently more secure? The issue here is educating the users who open "FREE COLLEGE WEBCAM HOTTIES.EXE" rather than improving the quality of the software.
Re:Just say Microsoft. (Score:3, Interesting)
Well, this [nowthis.com] explains the NYT article (they don't want to piss off Gates), and I suppose you could assume something similar for the other media outlets.
Microsoft is mentioned...by ommision (Score:4, Interesting)
If you actually read the article, you read:
The rogue program does not affect the Apple Macintosh line of computers or computers running variants of the Unix operating system.
OK, so that leaves what? Windows, OS/2, and a few oddities. And the only likely one of those, the only possible one is Windows.
So, Windows is there, but the NYT went out of their way to *avoid* mentioning it.
Re:FUD (Score:5, Interesting)
So. We have 500Mb/s+ of bandwidth being used in a DDoS, anyone's guess going on the actual spam, kids undoubtably seeing hardcore porn and computers being deliberately compromised and abused. Tell me again that spammers have a right to free speech and it's a victimless crime that doesn't cost anyone anything? They have a right to be force fed Hormel products until they explode like the Glutton in Seven if you ask me.
Re:Broadband providers are partially at fault (Score:3, Interesting)
Needless to say, I'm pissed and contemplating switching to DSL if this continues, and I really wish users could educate themselves so I wouldn't need to be subjected to this bullshit.
Computers are not tools (Score:2, Interesting)
Tools such as a pen or a screw driver work ONLY when you are using it. A screw driver does not screw a screw and cannot stab someone without a person operating it (and hence a TOOL).
The point is devices are inherently more dangerous than tools. One has moral agency over tools (again: stab or screw, its all up to the operator), one has much less control over a device. Which is EXACTLY why people should be educated on how to use and control these devices. While not having moral agency over a device, one most definitely carry partial responsibility for activating a device.
Sorry, what was so wrong with the post? (Score:4, Interesting)
Flame on if you like, but it is quite common for these sorts of things to happen on Windows boxes, and not on Linux boxes, due precisely to the monoculture and the flawed default security model of Windows (actually a number of different flawed models in Windows OS and apps).
Perhaps you could clarify how the comment in this instance was not appropriate. The GNU/Linux default security model that my family run all their machines on does not run arbitrary software with elevated privileges as Microsoft does. It never has. And it is not such a monoculture, resulting in being less susceptible to attack.
These are attacks I have never had to worry about. A neighbor, who typically runs Linux with no breaches of security, tried putting up an IIS server just once to see how it compared, and it was owned by hackers within 15 minutes.
Sure there could be an increase in real security incidents some day with Linux, but not before there are far worse problems with existing Windows platforms (until there is much change to Windows).
Perhaps there just needs to be a windows-only section of Slashdot, so that Windows users can discuss these problems which are less relevant to the rest of us without feeling continuously picked on due to the technical problems with their choice of an OS.
Re:Erm... (Score:2, Interesting)
I realize that such an event is somewhat unlikely, but I doubt it's impossible. And the fact that all these computers are the same makes it possible. So he's not attacking Microsoft for itself, but for the monopoly they have.
Dan Aris
There are significant differences... (Score:5, Interesting)
I cannot speak for later versions of Windows since I stopped using them, but I never saw a version of windows that does not force you to completely log off and back on to access privileged functions, encouraging people to run with privileges on all the time, because they cannot just enter the password for privileged activities. Su does not exist, nor does sudo.
Most other modern versions of OS's are significantly better (Lindows early versions were an exception). Just having su and sudo is much better.
OSX has no root enabled by default, and relies on sudo to limit elevated privileges to single operations.
GNU/Linux/XFree86 systems typically give warnings when the user logs in to the window manager as root, give a limited environment with a red background, etc., and on the other hand make it easy for the user to run without elevated privileges most of the time.
And the monoculture is also inherently less even if everyone were to use Linux, because the licensing allows significant derivitive / deviant branches.
Claiming that Linux would be no better if it were as successful as Windows ignores facts.
This is just the tip of the iceberg. I have been on an email team faced with the question, do we allow contents to auto-execute, which actually thought about the problem before blindly implementing it, unlike Microsoft.
Re:Heh (Score:5, Interesting)
It isn't elitist to say that computers are fairly unique and complex devices. Just because everyone uses one now, improperly for the most part, doesn't mean they should or even can magically becomes television sets with six buttons on the front.
Good point...but...then they shouldn't be sold as such. If you're going to market your computer/operating system as "easy enough for grandma to use" then it better be easy enough for grandma to use.
Products will have a development cycle that gradually make them more and more user friendly. Remember programming with punchcards? Remember the days before UIs? Computers are very much like cars and toasters and VCRs. All you're showing is an elitist attitude. You are obviously a smart person (and I don't say that sarcastically), and you enjoy having a complex machine to work with. Great. But you make up about 5% of the demographic that most software and hardware companies are designing their products for.
There is a place for complex software...there's also a place for simple software that works as advertised. There _will_ be a computer with six buttons on the front sooner rather than later, because that's what the general population wants. Not everyone is a hacker, and like I said, most companies in the industry aren't getting their profits from hackers like you (or me).
By your logic, a VCR should be just as simple to use a shampoo bottle, and thus, so should computers.
Perhaps a bit of overstatement there, eh? I don't expect my shampoo bottle to safely connect to the internet and send email. But if I purchase an operating system that claims it does that, it should do it. I don't need to understand the engineering behind the top of shampoo bottle to open it. Nor do I need a degree in electrical engineering to play a VHS tape. So why should I have to be hacker to safely send and receive emails?
Re:FUD (Score:3, Interesting)
I've examined some of the boxes (by either NMAP, SSH, or telneting into them) and there were a couple routers (Linksys or similar home routers) but many of the boxes are actually Linux.
This seems to suggest one of two things to me: Either Linux boxes are getting hacked, or the spammers are using (multiple?) DSL accounts and Linux to send out their spam (this seems more likely to me).
Re:Microsoft is mentioned...by ommision (Score:3, Interesting)
I wrote the article. I didn't go out of my way to avoid mentioning it. I didn't scream it, either. I simply wrote that the other systems are not affected.
I have written specifically about the problems of the software monoculture in many, many stories, and thought that I laid it out in this one as well. If I didn't hit MSFT with a ball-peen hammer, no, and obviously many slashdotters expect to see that at every possible opportunity.
Sorry that I'm not the advocate that you want me to be, but that's not actually part of my job description.
Re:FUD (Score:2, Interesting)
I have seen nothing but windows boxes as hosts.
I have not seen much porn. DVD burners, sale prices on TVs (in Russian), kitchen appliances (www.kuhny.ru), mosquito killing system, email service www.mail15.com (yeah, right!), anti-spam software (sure, I'll buy anything this spammer offers!)
systems give EHLO of compuserve.com, microsoft.com, or more rarely yahoo.com. Other than that, there is no attempt to disguize headers.
systems are pretty much worldwide. Big hosts are rr.com, attbi.com, attbb.com, kornet.com, a bunch of sites in china, at least three edu's. All in all, I think I have sent out over 1000 spam reports. The response has been underwhelming.
skynet.be deserves special shaming, their "action" consists of sending an automatic response explaining what spam is. No worry that they have clients who are ownzered.
I have been able to get in touch with exactly one owner of a spambot. He did say that he found that he was running MartFinder, Alexa, Avenue A, BFast, Common Hijacker, Double Click, DSO Exploit, Hitbox, Mediaplex, WindowsMediaPlayer.
Unfortunately, none of those look like the villian.
ha ha! (Score:3, Interesting)
Someone else has provide technical details [slashdot.org]. This is not run of the mill.
exploit a common hole in Windows, but to indicate that this is a symptom of Windows insecurity with insufficent evidence is unethical.
You can say that wihout laughing? I love you too!