Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Security IT

Community Comments To Security Absurdity Article 190

Posted by kdawson
from the boiling-frogs dept.
An anonymous reader writes, "Earlier this year Noam Eppel's Security Absurdity article generated much debate in the Information Security community (covered on Slashdot at the time). He claimed that we are currently witnessing a 'profound failure' in security. Now the author has posted a follow-up highlighting some of the community comments prompted by the article, titled 'Feedback to Security Absurdity Article — the Good, the Bad and the Ugly.'"
This discussion has been archived. No new comments can be posted.

Community Comments To Security Absurdity Article

Comments Filter:
  • by BadAnalogyGuy (945258) <BadAnalogyGuy@gmail.com> on Tuesday November 28, 2006 @11:12PM (#17029072)
    <fill in the blank>

    people would use common sense.
    • Re: (Score:3, Informative)

      by Anonymous Coward
      From the article:

      "
      * Don't click on links in email messages. Type the URL in your browser manually.
      * Disable the preview pane in all your inboxes.
      * Read all email in plain text.
      * Don't open email attachments.
      * Don't use Java, JavaScript, and ActiveX.
      * Don't check your email with Microsoft Outlook or Outlook Express.
      • by chrisv (12054) on Wednesday November 29, 2006 @12:08AM (#17029390) Journal

        Even of the items that I know about - which is most of them - that doesn't mean that I follow them. As far as them being common "geek" sense, they might be, but:

        • "Don't click on links in email messages. Type the URL in your browser manually." - bit overkill. Check to see where they're going first. And your mail client shouldn't have any active content enabled for viewing mail in the first place, so a JavaScript onmouseover/onmouseout/onclick handler attached to a link would have no effect anyway. If you're following the other suggestions on the list, this doesn't matter anyway, since your email is plain text and any links that appear in the body of the mail message are a result of the mail client automatically highlighting what looks like a link.
        • "Disable the preview pane in all your inboxes." - That's what you disable any sort of active content for in the first place - it should be the default in any reasonable mail client to not have any sort of active content running in your mail client.
        • "Read all email in plain text." - and this one as well.
        • "Don't open email attachments." - this falls into the category of something most people probably don't know about, but that's because they tend to trust their email. As far as it goes, though, don't open unexpected attachments seems more correct than not opening any attachments.
        • "Don't use Java, JavaScript, and ActiveX." - It's not Java and JavaScript that you need to worry about so much, it's ActiveX. And since the only browser that will run ActiveX is MSIE, that's already been taken care of by one of the other suggestions farther down this list.
        • "Don't check your email with Microsoft Outlook or Outlook Express." - which is perfectly acceptable in a personal context. Too many businesses, however, mandate Outlook and Exchange. Get businesses off of Exchange once a viable competitor becomes available and then getting them off of Outlook becomes easier.
        • "Don't display your email address on your web site." - or on any website, if you can get away with it.
        • "Don't follow links in web pages, email messages, or newsgroup without knowing what they link to." - That's the first point on this list, really.
        • "Don't let the computer save your passwords." - I'll agree with this one, but for places that I don't care about the password that I use, it still gets saved here on the computer, simply because I'll never remember the account name / password the next time I need to use it if I don't.
        • "Don't trust the "From" line in email messages." - perfectly reasonable.
        • "Never Use Internet Explorer and instead Switch to Firefox." - Don't I wish life were that easy? Reasonable idea, but talk 80% of the users of the internet into it... until then, it's not going away.
        • "Never run a program unless you know it to be authored by a person or company that you trust." - perfectly reasonable.
        • "Read the User Agreement thoroughly on all software you download to ensure it is not spyware." - this gets you approximately nowhere, since pretty much every EULA includes clauses that basically allow the distributor / author of the software to do whatever they want to your computer without any liability on their part.
        • "Don't count on your email system to block all worms and viruses." - this is one of those things that should be obvious to anyone who has been online for more than an hour.
        • "Get a Mac" - as much as I like this idea, that sounds like an idea that would just change the targets of viruses and worms from Windows-based platforms to Mac-based platforms. They might be more secure - but how frequently is a Mac targeted in preference to a Windows system?

        So really, most, if not all, of that list isn't a "never do that", but a "use common sense before you do that", and that's most of what it amounts to in the first place. Security would be better if it wasn't for the hideous defaults that we put up with - which in an ideal environment without worms and viruses and such would make for better usability, but since most people don't use their computers in a hermetically sealed room with no connection to the outside world whatsoever...

        • by TubeSteak (669689) on Wednesday November 29, 2006 @12:43AM (#17029568) Journal
          So really, most, if not all, of that list isn't a "never do that", but a "use common sense before you do that", and that's most of what it amounts to in the first place.
          Common sense isn't always so common.

          Computer security is a state of mind. Maybe if the internet was more like a construction site, where not being safe = losing a finger... people might take the time to learn how to anticipate threats instead of just blindly applying a set of rules.
          • Computer security is a state of mind. Maybe if the internet was more like a construction site, where not being safe = losing a finger... people might take the time to learn how to anticipate threats instead of just blindly applying a set of rules.

            But that's the problem. A construction site is an unusually dangerous place so people use extra caution. There are signs and common safety procedures and everyone allowed in is supposed to be a construction worker specially prepared for these risks. Right now it

        • Re: (Score:2, Insightful)

          by timmarhy (659436)
          i've got 5 better rules: 1. be paranoid 2. be paranoid 3. dont' download exe's from p2p or torrents. 4. dont' trust anything you get via email 5. don't use windows.
          • If you follow point 5, not following point 3 is rather harmless... few viruses run via Wine. ;)

            For linux I would instead of point 3 do "Use your package manager to install software

        • ""Don't click on links in email messages. Type the URL in your browser manually." - bit overkill. Check to see where they're going first. And your mail client shouldn't have any active content enabled for viewing mail in the first place, so a JavaScript onmouseover/onmouseout/onclick handler attached to a link would have no effect anyway. If you're following the other suggestions on the list, this doesn't matter anyway, since your email is plain text and any links that appear in the body of the mail message
          • by Tim C (15259)
            So if you click the link or even copy-paste it, you risk being directed to a phishing site.

            Hence the original rule is "type the address in manually".
          • by PopeRatzo (965947) on Wednesday November 29, 2006 @06:59AM (#17031412) Homepage Journal
            OK, that's enough. When you start telling people that they shouldn't use hyperlinks or preview panes, then we're talking about moving backward.

            I'm not sure I agree with this notion of putting all the security onus on the end user at all. What if every time I got on the subway it was my job to check to see if the wheels were about to fall off? Or if every time I sent a letter through the regular mail it was up to me to make sure the envelope was unopenable by anyone but my intended recipient?

            When you start having the list of "common-sense" security measures taking up more than a paragraph, that means there's something wrong somewhere up the food chain from the end user.

            I know it can be done. I work at a small University and I haven't seen a single spam in my inbox in the last year. I get a list every so often of what the spam filter caught and it's amazingly accurate. And this from a system that's run by the usual half-bright academic computer services staff member.

            And what about an operating system that's basically a leaky boat? Before it wastes another minute on giving me transparent windows, Microsoft needs to make Windows impenetrable to spyware without the help of half a dozen spyware catchers, firewalls and adware monitors. If an operating system can't provide basic security, then what good is it anyway?

            A huge percentage of the traffic in the internet's tubes goes through a limited number of systems and providers. They might start doing their part too.

            And before you lazy bastards who are making a living at "internet security" tell me "you don't know anything about internet security"... You are goddamn right I don't know anything about internet security, and I have no interest in learning. In fact, I own a house and I don't know anything about motion detectors or satellite surveillance (well, actually, I do, but I shouldn't NEED to) to be able to secure my house. I lock the front door and feed my mastiff and that takes care of it.

            I am getting impatient with the ever-lengthening list of security measures regular end-users are supposed to take to use the internet. And I'm way past impatient with security measures that involve giving up utility, such as "don't click on hyperlinks, type in your URLs".

            Now you there, with the bad skin and "/." t-shirt. Get to work and figure this security thing out and leave me alone with your "common sense".

            • Re: (Score:2, Interesting)

              by bluebox_rob (948307)
              What if every time I got on the subway it was my job to check to see if the wheels were about to fall off?

              Well if you're driving a car (which is probably a better analogy) then it is your job. There are certainly measures that can be taken by programmers and network admins to make things better, but the freedom to go anywhere on the web will always come with the price of some degree of responsibility, both for your own well-being and that of other users (again with the car-driving analogy). Surely using
              • by PopeRatzo (965947)
                But my car is not a public place, as is the internet (or the subway).

                Of course, I agree that people should use common sense when computing. My only argument is that common sense does not extend to typing in URLs instead of clicking links.
                • by Dun Malg (230075)
                  But my car is not a public place, as is the internet (or the subway).
                  You're misunderstanding the analogy.
                  car = your computer = private/your responsibility
                  road = internet = public area/greater controlling authority's responsibility
                  • by lukas84 (912874)
                    Roads usually don't damage cars. Usually it is:

                    a) Other cars
                    b) You, on your own, doing something wrong

                    Cars are still unable to compensate stupid drivers. They probably never will be.
                    Computers with dedicated functions can be made to compensate for stupid drivers (Ever seen a 360, Wii, or PS3 getting rootkitted? Me neither).
                    But multipurpose machines probably never will.
        • by dbIII (701233) on Wednesday November 29, 2006 @01:52AM (#17029950)
          Get businesses off of Exchange once a viable competitor becomes available

          There is a thing called email which is far more useful and has been around longer - you also can use mbox files readable even by a text editor instead of some weird database that requires shareware to fix when it gets corrupted. If Microsoft provided tools to support their own products properly I would recommend it - but no, conventional email servers available from a lot of different sources are superior in almost every way. Even the horrible sendmail configuration file is superior to weird registry hacks to change the behavior of exchange.

          Disclaimer - I've only looked after 3 MS Exchange servers and one bare metal rebuild from backup to recover old mail (nightmare that would never be required with a sane mailbox format - the whole thing is just too fragile and finicky and required an install with the same service packs, identical company info strings in the install, same registry hacks etc). Open relay by default with one patch too aparently - or perhaps that just has to be fiction because they could not be that stupid could they?

        • by Moraelin (679338)

          "Don't click on links in email messages. Type the URL in your browser manually." - bit overkill. Check to see where they're going first. And your mail client shouldn't have any active content enabled for viewing mail in the first place, so a JavaScript onmouseover/onmouseout/onclick handler attached to a link would have no effect anyway. If you're following the other suggestions on the list, this doesn't matter anyway, since your email is plain text and any links that appear in the body of the mail message

          • E.g., the greek omicron looks pretty much exactly like an "o". Someone could jolly well have you think you're going to "www.mozilla.com" when it's actually written with an omicron and is, in fact, a completely different site.

            Which sort of suggests the solution. Instead of associating each language with its own set of characters, there should be one master set of characters and each language chooses the set of letters it needs. Thus an 'o' really is an omicron.

            That would still leave characters that are su
        • by rs232 (849320)
          "bit overkill. Check to see where they're [URLs] going first"

          How do you tell from viewing the URL that microsoft.com isn't the same as microsoft.com.some.unicode.characters.com.

          "don't open unexpected attachments seems more correct than not opening any attachments"

          How can you tell unexpected attachments if it comes from a known address and without opening it.

          "how frequently is a Mac targeted in preference to a Windows system?"

          It's not a matter of frequency, the underlying OS is more secure.
      • by britneys 9th husband (741556) on Wednesday November 29, 2006 @12:53AM (#17029620) Homepage Journal
        * Don't click on links in email messages. Type the URL in your browser manually.
        Too much work. I bought this computer to make my life easier.

                        * Disable the preview pane in all your inboxes.
        How do I do that? I'm not smart like you when it comes to computers.

                        * Read all email in plain text.
        I wouldn't get to see the pictures my friends send me if I did that.

                        * Don't open email attachments.
        What? And miss out on the lasest web games my friends are playing?

                        * Don't use Java, JavaScript, and ActiveX.
        No problem. I don't even know what those are. I'm not smart enough to learn all that fancy software.

                        * Don't check your email with Microsoft Outlook or Outlook Express.
        But Outlook is what my computer came with. I can't afford a new computer this month.

                        * Don't display your email address on your web site.
        Unacceptable. My customers need to be able to contact me.

                        * Don't follow links in web pages, email messages, or newsgroup without knowing what they link to.
        How do I know what it links to before I click?

                        * Don't let the computer save your passwords.
        Sorry, I don't have a photographic memory like you techno-geniuses. And don't tell me to write it down either, I'll just lose the piece of paper.

                        * Don't trust the "From" line in email messages.
        Then how do I know who sent me the mail?

                        * Never Use Internet Explorer and instead Switch to Firefox.
        I've used Internet Explorer for years. I have a busy life, I don't have time to learn Firefox or else I would.

                        * Never run a program unless you know it to be authored by a person or company that you trust.
        How do I know who wrote the software, it just shows up on my computer?

                        * Read the User Agreement thoroughly on all software you download to ensure it is not spyware.
        Yeah right. Those are longer than the internal revenue code, even my computer nerd brother doesn't read those.

                        * Don't count on your email system to block all worms and viruses.
        Then what do I count on? And why can't a big company like Microsoft figure out how to block viruses?

                        * Get a Mac
        At home? I can barely keep up with gas prices let alone get a new computer. At work? The company makes us use Windows, we don't have a choice.
        • Re: (Score:3, Insightful)

          by jrockway (229604)
          Good post. Most of the above points are things the computer should do properly -- the user shouldn't have to work around insecurity on the Internet.

          JS/Java interpreters should not be able to enter a state where they can damage the user's computer. Maybe they'll crash the tab that they were loaded from, but that's it. This isn't quite how things work today, but software can be improved. Firefox and Java are open source, so that makes finding and fixing any insecurity easier.

          The same goes for clicking lin
          • by a.d.trick (894813)

            user shouldn't have to work around insecurity on the Internet

            Then who will? Do you think the browser creators will? We'll they might, but it's rather iffy. Just take a look at Internet Explorer. It is the most popular web browser from a very large company and it has major problems. Microsoft is just not interested in providing users with a high level of security. That leaves the various organizations that administrate internet related stuff and all of them have shown as much effectiveness as a dead badger.

      • Preview panes are sandboxed in new versions of Outlook. I am not aware of ANY virus that can execute in the Outlook 2003 preview pane.

        The author of that list is being dogmatic, not smart.
        • by Intron (870560)
          "Sunbelt's testing has confirmed that Outlook 2003 is vulnerable [informationweek.com] -- in its most-patched SP2 version at least -- but that earlier editions of the e-mailer, including Outlook 2000 and Outlook 2002, are not at risk. Sunbelt has yet to test Outlook 2003 SP1."

          Well, as of September 22nd it was vulnerable. I'm sure everyone updates their machines the instant that new patches come out, though.
      • Re: (Score:2, Informative)

        by jmodule (609349)
        From the article:

        "
        * Don't click on links in email messages. Type the URL in your browser manually.
        [snip]

        I hope everyone realizes that this list was given as an example of where IT "best practices" have failed as a solution for the security problem. The whole point was that the existance of such a list is a symptom of the general security failure, and certainly not as a recommendation from the author.

  • by stoneycoder (1020591) on Tuesday November 28, 2006 @11:20PM (#17029114)
    Windows Vista will solve every security problem imaginable, flawlessly. Eliminating the need for IT security professionals and their absurdities, entirely.
    • Windows Vista will solve every security problem imaginable, flawlessly. Eliminating the need for IT security professionals and their absurdities, entirely.

      Then it is true: Windows Vista is Bill Gates' secret doomsday weapon, the final piece of his twisted plot for total domination, which will destroy humanity and bring about the rise of the machines in our place!

      I always knew that paperclip looked shifty.
    • Vista will employ a new paradigm of security based on this article; it will be known as Security Through Absurdity.
  • by skywire (469351) * on Tuesday November 28, 2006 @11:48PM (#17029280)
    Try to guess which one is a Slashdot headline:

    "Alteration Frequents From Space-Age Poetry Bannister"
    "From Tabletop Mannered Asterisk Will Age Understood"
    "Community Comments To Security Absurdity Article"
    "Likely Georgetown Under Wisely Instantiation If"
  • Wrong approch (Score:4, Insightful)

    by cryptoluddite (658517) on Tuesday November 28, 2006 @11:56PM (#17029316)
    We're taking the wrong approach to security. You can fight the symptoms like we have been doing and this will cost a LOT and never really make the system secure. Or you can fight a cause and however much it costs you that problem is solved for good.

    Virus scanners, network behavior analyzers, "app armor", stack canaries, random load addresses, nothing. 'Search and destroy' the spybots? Please. The biggest problem is C and all the other non-typesafe languages. Safe languages simply trade a certain amount of performance for the impossibility of buffer overflows, underflows, stack 'smashing', heap corruption, double-free's, pointer arithmetic errors, and all of the other low-level attacks. Everything at that level is toast in Java or in "managed" C# for instance.

    This entire class of low-level flaws can be solved completely. Then it's just the higher-level problems like impersonating web pages, xss, some trojans, that kind of thing. Still a problem, yeah, but without the entire class of automatic propagation it is so much less of one.
    • You can fight the symptoms like we have been doing and this will cost a LOT and never really make the system secure.

      Where I come from, they call this "securing your revenue stream."

      Seems like the security companies are doing A-OK there; they've got more business than they can shake a stick at, and it's not going anywhere soon. They have a vested interest in not 'solving' the problem, even if they knew how to do it.

      Like all arms races, if you're in the arms business, you can laugh all the way to the bank. (U
      • they've got more business than they can shake a stick at, and it's not going anywhere soon. They have a vested interest in not 'solving' the problem, even if they knew how to do it.

        Wow. That simple statement also sums up the War on Drugs.

        disclaimer: USED to work in Law Enforcement as part of said "war"...
    • Re: (Score:3, Informative)

      by Duncan3 (10537)
      *laughs* And yet every worm, trojan, and rootkit uses officially documented API's to install and do what they do.

      I think you were looking for the language war article. This one is about ignorant users clicking "OK" to things.

      • The problem is the bugs that they use to install and do what they do. Your implication that 'every worm, trojan, and rootkit only uses officially documented APIs' is just absurd. Why apply any security patches at all if the answer is just not to click "OK"?

        The user's environment could be restructured so that clicking "open this program" does not allow it to escape and mess up the whole system. So while a user may install google toolbar, and it may report to google everything done, and it may crack passwo
    • by Dunbal (464142)
      The biggest problem is C and all the other non-typesafe languages.

            Are you proposing we burn all the compilers and shoot everyone who knows C? The very power of the C language comes from its lack of structure. Besides, there's nothing you can do in C that you couldn't do in assembly.
    • Re:Wrong approch (Score:5, Insightful)

      by IamTheRealMike (537420) <mike@plan99.net> on Wednesday November 29, 2006 @02:34AM (#17030130) Homepage

      The problem is that the typesafe languages are not realistic for writing desktop software in. Both Java and .NET are plagued with serious technical problems - which is why so few desktop apps are written using them. Even trivial optimisations like stack allocation cannot be done by the programmer in these languages, they take advanced analyses running inside complex optimizing compilers .... running on the users desktop.

      Basically, you are right that using these languages would eliminate whole classes of vulnerabilities. But they would not eliminate all of them, and the costs are huge in terms of writing efficient, pleasant-to-use software. Stuff written in Java today is just uncompetitive, secure or not.

      • Re:Wrong approch (Score:5, Interesting)

        by patniemeyer (444913) * <pat@pat.net> on Wednesday November 29, 2006 @10:04AM (#17033594) Homepage
        First, most of the desktop (and non-desktop) development going on in the world is stuff that you do not see. It's going on inside businesses for their own use. And as a rule it's overwhelmingly Java and now .NET.

        Second - What makes you think that you can optimize anything better than a compiler, much less one that profiles your application *as it runs* and makes adjustments on the fly? This has been proven over and over again - Java's garbage collection is in most cases *faster* than hand coded garbage collection. How is that possible? Because Java has more *information* about what is going on at runtime than you do at compile time. It can put very very short lived objects on a special part of the heap, it can do all kinds of things that you cannot do statically.

        There are many reasons that Java and now .NET haven't yet taken over the traditional desktop app share yet. But they are not about raw performance and haven't been for many years.

        Pat Niemeyer
        Author of Learning Java, O'Reilly & Associates
        • Because Java has more *information* about what is going on at runtime than you do at compile time.
          Well, yes, but it doesn't always have that information in time to do anything about it.

          Both in Java and classic VB, I've wished many times for a way to specify that I'm going to have half a million objects of the same class (I do a lot of batch programming), that should all be created and destroyed as a single unit.
    • by drsmithy (35869)

      Virus scanners, network behavior analyzers, "app armor", stack canaries, random load addresses, nothing. 'Search and destroy' the spybots? Please. The biggest problem is C and all the other non-typesafe languages. Safe languages simply trade a certain amount of performance for the impossibility of buffer overflows, underflows, stack 'smashing', heap corruption, double-free's, pointer arithmetic errors, and all of the other low-level attacks. Everything at that level is toast in Java or in "managed" C# for

    • We're taking the wrong approach to security. You can fight the symptoms like we have been doing and this will cost a LOT and never really make the system secure. Or you can fight a cause and however much it costs you that problem is solved for good.

      Agreed.

      The biggest problem is C and all the other non-typesafe languages.

      I think you're still attacking the problem at too low of a level. How do you get everyone to switch languages? What is the motivation? What about existing software?

      Then it's just t

  • three solutions (Score:5, Insightful)

    by bcrowell (177657) on Tuesday November 28, 2006 @11:56PM (#17029326) Homepage
    A person can go to his/her local computer store and purchase an expensive new computer, plug it in, turn it on and go get a coffee. When he/she returns the computer could already be infected with a trojan and being used in a botnet to send out spam, participate in phishing attacks, virus propagation, and denial-of-service attacks, etc.
    I assume the operating system was Windows? Solutions:
    1. Buy a Mac.
    2. Buy a machine with Linux preinstalled.
    3. Buy a Windows machine, and put it behind a $20 router with a built-in firewall.
    • by TubeSteak (669689)
      3. Buy a Windows machine, and put it behind a $20 router with a built-in firewall.

      Do you even need a firewall? Doesn't NAT auto-magically protect you?
      • Re: (Score:3, Informative)

        Doesn't NAT auto-magically protect you?

        It does until someone tells little Johnny to DMZ his machine so his game will work.

        Fix: use router passphrases that the delinquent is unlikely to guess, like "work is its own reward" or "idle hands are the devil's tools"

    • Sure that blocks malicious people from getting in. What happens if users unwittingly download a trojan while surfing on the net? Now Mr. Keylogger etc. has unfettered access out. Yes, now it's really that much more secure. I'm more afraid of malicious code being accidentally executed on a computer than someone zombifying the machine from outside...
      • Re: (Score:2, Interesting)

        by bcrowell (177657)

        I wasn't claiming to have found the magic solution to all security problems. I was just claiming to have found three pretty simple solutions to one particular security problem referred to in the article: the situation where your brand-new computer gets owned while you're still in the process of downloading security updates.

        What I object to about the article is that it makes it sound like security is a disaster for everybody. No, actually security is a disaster for everybody who hasn't learned certain skill

        • The problem is that we're living in a world where a computer user has to be able to do the equivalent of changing the oil in his own car -- some people can, but most people can't.

          I'm a pretty expert user. I have a very good grasp on security. If I'm running a Windows box and want to run an executable I don't know if I can trust, it is not easy. Sure I can make a new user account, lock that account down, use "run as," and hope the executable does not take advantage of any of the common local escalations i

    • ... but I was under the impression that most "brand new expensive computers" would be running Windows XP with SP2 pre-installed, and that comes with a firewall which, while not exactly a suit of platemail, will certainly suffice to make sure that any security vulnerability exploited on your own machine came in from a connection you authorized.

      Somebody tell the security writer what "trojan" means, by the way. I mean, I might have abandoned my history major halfway through, but I don't remember the moral of
    • Re: (Score:3, Informative)

      by MrNonchalant (767683)
      Or:
      4. Realize that doesn't happen anymore because the firewall that ships with SP2 is an adequate defense.

      Network worms targeting out-of-the-box Windows boxes are a thing largely of the past. What may happen is after two months of using the computer and clicking "OK" to those pesky dialogs asking for exceptions to the firewall one of those services may be insecure enough to allow a remote attack. She or he might also get themselves infected via some other method, like surfing the uglier parts of the web wit
  • by alshithead (981606) * on Wednesday November 29, 2006 @12:08AM (#17029392)
    I'm not sure we are experiencing a "profound failure" of security. "Profound" is a pretty extreme description. To me it implies a whole lot more problems than we really see. Hacking multiple power utilities to fail an entire country's grid might apply. What we really see is the failure of a fair number of ignorant individual users to secure their systems and some odds and ends type of security breaches of business and government entities. It's not like the major stock markets of multiple countries are being brought down or nukes have been launched. That could always potentially happen but what kind of really dire (profound) consequences have been seen?
    • 1,000 Cuts (Score:5, Interesting)

      by Kadin2048 (468275) <`ten.yxox' `ta' `nidak.todhsals'> on Wednesday November 29, 2006 @12:29AM (#17029510) Homepage Journal
      Well, I would be with you, except that if you believe the numbers in TFA (the original, not in the comments), cybercrime is more profitable than the illegal drug trade. I assume there's probably even more money being spent trying to prevent and defeat cybercrime, and on security. That's a lot of money diverted from legitimate enterprise, and a lot of missed opportunities.

      When people don't trust technology and don't use online banking, then banks don't spend as much on it. Venture capital and other sources of funding start to dry up; the pace of development slows.

      It's not a problem that's probably going to result in a city being vaporized overnight, but that doesn't mean it's not a problem. It's like muggings in a large city: sure, you can wave it off and say that it only happens to tourists, rubes, and the unwary -- why should street-smart people care about it? -- but over time it starts to take its toll everywhere. The economic cost alone starts to act like a tax on everything, and it drives away customers and new business.

      People who understand computers and know what precautions to take to prevent being victimized, cannot just put their heads in the sand about the current situation. Particularly since most people who are capable of understanding the problem, earn their living in some technology-driven field, it's those people who stand to be affected by the 'downstream' effects of cybercrime and a culture of insecurity.
      • You make a great point but don't address my point of the use of the word "profound". I'm currently working for a VERY large bank and it doesn't seem to be significantly impacted. From my admittedly biased view they seem to be putting a lot more resources into expanding their IT based offerings than fighting bad guys. Between their offerings for private individuals, small businesses, large corporations, and other banks it seems most of what they do is try to offer more services. They definitely aren't r
        • by Phleg (523632)

          I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typo's...not illiteracy.
          I presume the spurious apostrophe was his fault, then? :)
        • by Vellmont (569020)

          I'm currently working for a VERY large bank and it doesn't seem to be significantly impacted. From my admittedly biased view they seem to be putting a lot more resources into expanding their IT based offerings than fighting bad guys.

          Are you sure about that? The effects of crime aren't always totally obvious. Maybe you wind up getting less IT commerce business than you would if there wasn't a lot of cybercrime. In some ways the Internet is like a bad neighborhood. There's a lot of people that won't go in
  • Is this just a FUD ad for Microsoft's " Trustworthy Computing" or what?

    Microsoft's work in training developers company-wide in secure coding practices is virtually unparalleled among major software vendors, and has resulted in their Security Development Lifecycle (SDL), a formalized process for incorporating secure coding and security testing into every phase of a product's lifecycle. Their Trustworthy Computing initiative so far looks like a success; one that has transformed Microsoft's and much of the industry's thinking about security in just four years.

    Vista goes a long way in bringing protection mechanisms such as User Access Control, Kernel Patch Protection, Mandatory Driver Signing & Address Space Layout Randomization to mainstream computer users. If there is going to be any improvement of the current cybersecurity situation, it has to start with the operating system. In this regard, if Microsoft delivers on their promise to produce a secure operating system, it will be an important milestone for cybersecurity, and quite possibly a start to a security revolution. Vista also launches Microsoft's entry into the security space with anti-malware products and services such as Windows Defender, OneCare, and Forefront. The insufficiencies of today's anti-malware software have long been known. Microsoft's entry into the security space will force security vendors to innovate or be pushed out of the market. I, for one, applaud Microsoft's recent efforts and results. I predict that Vista will have quite a positive effect on the overall state of computer security and we may see a Vista Ripple Effect throughout the industry.

  • by Epsillon (608775) on Wednesday November 29, 2006 @01:21AM (#17029796) Homepage Journal
    I know what you're thinking, mods. But it isn't just another "don't use Windows" post. TFA seems to concentrate on the dominant OS, so i will do the same.

    I remember talking someone through setting up Tiscali broadband a few years ago using a Speedtouch and the Tiscali CD. His brand new, shiny Windows XP machine became infected over the connection in under 4 minutes. It's a classic catch-22 situation: You can't update your OS without a connection and you can't go online safely until you've updated your OS.

    How about this: Virtualisation is a reality on most machines nowadays. Why doesn't MS use this technology to set up a simple one-time VM to connect and download from a single SSL connection, the public key of which is compiled into the VM, ignoring all other traffic with the single focus of fetching the patches for the worst vulnerabilities, those which have remote exploits? If this were mandatory before enabling the general TCP/IP stack for WAN connections, Joe Sixpack wouldn't be participating in quite so many botnets. Hello! New connection not in my private address checklist. Disable TCP/IP and get the updates before releasing the user to the big, bad Internet. Please wait whilst I sort my ragged arse out and stop you from becoming another statistic...

    Or have I simply made the problem too simplistic in my own mind? It seems to me that a single connection from a single port over SSL with no intermediate DNS or man-in-the-middle stages makes sense, even more so if part of the download is the MD5 hash of the update image and the VM rejects any image not matching that.

    Bear in mind that the above idea works only for machines using a direct non-RFC1918 or draft-manning address for Internet connections. Those using routers should already be protected from the worst culprits, attack vectors which utilise services running by default, as these usually cannot traverse NAPT, but the feature should include the option to enable manual initialisation over such connections.

    Too simple?
    • The problem is old versions of Windows had open ports. You don't need a VM to fix that, just close those open ports (which is what a firewall does, essentially). New versions don't have open ports, but to get an old version to be a new version, you have to download the update (or simply enable the firewall yourself - hardly rocket science). So not "too simple", just "too complicated".
      • by Epsillon (608775) on Wednesday November 29, 2006 @04:10AM (#17030468) Homepage Journal
        Yes, Mike. Not rocket science *for us*, but we seem to continue making the same mistakes most IT pros make when dealing with technology: That because it's simple for us, it's simple for everyone. It's not. Firewalls aren't understood by everyone. Heck, a lot of post-September users think fairies [1] deliver web pages.

        The reason I suggest a VM is to jail the security update network stack from the main kernel. If you have, for example, a buffer overflow that allows arbitrary code execution in kernel space TCP/IP, you really don't want that running in your main kernel with a public connection; you want it jailed and only when the data is verified and checked against its hash do you want to apply the update image. If the jailed or virtual kernel becomes corrupt, it can be killed without harming the host OS. Detecting the jail doing something nasty should be simple; it should simply talk to one IP and download an image and hash file. If it starts opening other ports, kill it immediately. In fact, simply make the jailed process capable of only talking to the one host on one port. Useless for users and crackers, but just enough to update the OS safely.

        I know it's heretic of me in the extreme to suggest the OS takes away a choice, that of diving into the big electronic blue without care or conscience, but a lot of Windows users (and maybe a few others) need these safety nets, if for no other reason than to keep the rest of us safe and our mail servers from fending off spam floods from botnets.

        Doing this retroactively isn't an option; users of Windows up to and including Vista gold are now SOL for this idea, which is sad, especially given that Vista has a working out-of-the-box IPv6 stack. You think it's bad now? Just wait until every new machine has it's own publicly routable IP.

        The idea, or any such protection mechanism, *must* be implemented in the first RTM version of the OS to work effectively, or at the very least a service pack or point release that OEMs will pre-install. That means in the future, but it is imperative now that IT pros start thinking long-term rather than trying to tidy up their mistakes of the past. These problems cannot be solved by dwelling on mistakes made, just mitigated by exploiting obsolescence and helping time heal.

        [1] http://www1.uk.freebsd.org/doc/en_US.ISO8859-1/boo ks/faq/funnies.html [freebsd.org] with apologies to Paul from the UK mailing list for quoting him out of context.
    • Re: (Score:3, Informative)

      by drsmithy (35869)

      I remember talking someone through setting up Tiscali broadband a few years ago using a Speedtouch and the Tiscali CD. His brand new, shiny Windows XP machine became infected over the connection in under 4 minutes. It's a classic catch-22 situation: You can't update your OS without a connection and you can't go online safely until you've updated your OS.

      Yes, you can. Just enable the firewall first.

      How about this: Virtualisation is a reality on most machines nowadays. [...]

      Holy overengineering, batman

      • Re: (Score:3, Informative)

        by RAMMS+EIN (578166)
        ``You can't update your OS without a connection and you can't go online safely until you've updated your OS.

        Yes, you can. Just enable the firewall first.''

        You are aware that there have been a number of exploits that target Windows's firewall, are you?
    • by RAMMS+EIN (578166)
      ``Or have I simply made the problem too simplistic in my own mind?''

      For Microsoft to implement any sort of scheme that runs a sandboxed environment until security patches have been applied would require two things:

      1. Them admitting that the main product they ship contains serious security flaws
      2. Them actually writing a secure sandboxed environment

      (1) is something they have been very loathe to do; obviously, no company likes having to admit that their product is seriously flawed. (2) is something that may b
    • by RAMMS+EIN (578166)
      I don't know why you have to drag virtualization into it, other than to be compliant with the buzzword of the day. How about this:

      A simple, extensively audited installer that installs whatever it ships with, then contacts some server for security patches, downloads them, and applies them. Only after that do you get to boot Windows.

      The big issue I can see here is drivers. Thanks to there being a great lack of standardization in the way hardware is accessed, you will need lots of different drivers for network
  • by clacke (214199) on Wednesday November 29, 2006 @03:23AM (#17030296)
    Sometimes Spyware can cross the line when it expose adult pornography to children.


    Yes, this is clearly over the line. I mean, had it at least been child pornography, that would have been acceptable, but noo, they had to go all the way.
  • This isn't any surprise that Windows sucks.

    What I'm more concerned about is, "How much of this problem extends to Mac/Linux?"

    Phishing obviously does and can be avoided with sufficient electrical shock treatment.

    But what about the bots and such? I have a lot of hardware sitting online 24x7.

  • lets say the article is right
    does it matter?
    so far as i know, neither I, nor any member of my family, nor anyone i know, has actually been seriously hurt by malware, except for a few minutes removing viagra ads, and for me, spambayes does most of that pretty well

    as we know, the whole id theft thing is a media exaggeration, like missing children: most of the id theft is from family or friends, and most of the missing children are out for a walk with their parents
    • "lets say the article is right does it matter?"

      It does in that people will be wary of doing online commerce and that will hit the bottom line.

      "so far as i know, neither I, nor any member of my family, nor anyone i know, has actually been seriously hurt by malware"

      You must be the only one on the planet then.br>
      "as we know, the whole id theft thing is a media exaggeration"

      "An Emmy-winning film producer whose life was disrupted after hackers stole [usatoday.com] her Social Security number"

      was Re:does

The tree of research must from time to time be refreshed with the blood of bean counters. -- Alan Kay

Working...