Forgot your password?
typodupeerror
Security

The NYT on the Proliferation of Botnets 244

Posted by Zonk
from the we-live-in-interesting-times dept.
ThinkComp writes "The New York Times has a up a story on the proliferation of botnets. The article cites a number of security researchers who paint a depressing picture of the state of internet security, and concludes with the suggestion that for home users, buying a new 'updated' PC may be the only real solution. Unfortunately, as most of us know, given the number of outstanding flaws in software and the ingenuity of malicious software authors, that might not even help."
This discussion has been archived. No new comments can be posted.

The NYT on the Proliferation of Botnets

Comments Filter:
  • by davecb (6526) * <davec-b@rogers.com> on Saturday January 06, 2007 @09:50PM (#17493448) Homepage Journal
    An older Windows release, reasonably patched,
    running under Linux (win4lin) and behind a paranoid
    firewall is safer than XP or Vista.

    Alas, not as safe as an unpached RH9, mind you,
    but still safer than Vista (;-))

    --dave
    • by nmb3000 (741169) <nmb3000@that-google-mail-site.com> on Saturday January 06, 2007 @10:16PM (#17493644) Homepage Journal
      is safer than XP or Vista.
      but still safer than Vista (;-))

      You say this with what evidence?

      Vista hasn't even been released to the public yet and the only versions people have seen are unfinished betas and a very few corporate users who have started playing with the new RTM Enterprise. You know you're on Slashdot when a product that isn't even out yet has already been relegated to the insecure/unsafe/junk software category.

      However, I see you have that little winky smiley thing at the end of your post. Does that mean you're just kidding and it's all a joke? Or are you serious, but going under the guise of joking so if somebody calls you out on your statement you can just say "whoosh!"? Emoticons are stupid--better for people to say what they mean and stick with that.
      • by timeOday (582209)

        You say this with what evidence?... You know you're on Slashdot when a product that isn't even out yet has already been relegated to the insecure/unsafe/junk software category.

        Such optimism!

        Truth is, every new piece of software is insecure junk until proven otherwise. Almost always, that takes time and exposure, and patches. Certainly that's been the case with past MS OS's, and Vista has a lot of new code. Sorry, nobody gets tens of millions of lines of new code [symantec.com] exactly right the first time. You'd

      • by denoir (960304) on Sunday January 07, 2007 @01:09AM (#17494834)
        As a current Vista user I can tell you the following: Microsoft has a high priority of not being blamed for security issues. Their solution is to through the UAC (User Account Control) warn the user before he makes any action that could potentially be harmful to the system. This is just about any action. "WARNING! Operation 'use keyboard' is a high security risk. Press any key to abort." Ok, perhaps not that bad - but nearly. If you are an experienced user, you will turn UAC off after cursing at Microsoft for 15 minutes. If you are an inexperienced user you will just blindly accept the warning - otherwise you can't use your computer normally. In effect the operating system is constantly crying wolf and there is no way in hell an inexperienced user will be able to tell the difference between an irrelevant warning and a relevant one. Vista is also supposed to be much more secure under the hood. I really hope so, because their approach to user based security sucks. The only real point that I can see is avoiding getting sued.
      • by mcrbids (148650)
        Emoticons are stupid--better for people to say what they mean and stick with that.

        Emoticons exist to clarify what is being said. Therefore, it's part of what's being said.
      • by h2g2bob (948006)
        Windows XP SP1 and earlier are not being patched, even for security updates [microsoft.com]. XP SP2 or Vista are the only "safe" OSs.
    • by 0racle (667029)
      The VM is unnecessary and just adds a layer that does nothing for security. Any system behind a good firewall is enough but will not save the user from themselves.
    • by khasim (1285) <brandioch.conner@gmail.com> on Saturday January 06, 2007 @10:37PM (#17493826)
      There are a limited number of ways for a machine to be cracked.

      #1. Worms - if you don't have any open ports, then you're pretty much immune to worms (unless they can crack basic TCP/IP operations). Ubuntu ships BY DEFAULT with no open ports. Windows ships with lots of open ports. Change that behaviour and you've solved an entire CLASS of attacks.

      #2. Viruses - an infected program infects other programs, but does not otherwise change those programs. This is not very common now.

      #3. Trojans - this is the biggest current threat. And there is no real way to remove it 100%, but it CAN be limited (again, look at Ubuntu). This is primarily a social engineering attack. You have to convince the user to run an app or open a message that will exploit a flaw in their email app (and so forth).

      So, why aren't we seeing a focus on the biggest security issue?

      Why hasn't Microsoft released a bootable CD so you can run the anti-virus/spyware/adware stuff easier? Clean up the junk AND patch the vulnerabilities in Outlook. Even if it means turning off some of the functionality.

      If you cannot do it securely, then you should not do it.
      • Re: (Score:3, Informative)

        by 0racle (667029)
        Windows ships with lots of open ports
        IIRC, it hasn't since XP SP2 as the firewall is enabled by default. Any open ports a users system has since then is because they allowed those connections themselves.
        • by khasim (1285) <brandioch.conner@gmail.com> on Saturday January 06, 2007 @10:57PM (#17493956)
          IIRC, it hasn't since XP SP2 as the firewall is enabled by default. Any open ports a users system has since then is because they allowed those connections themselves.

          Nope. There are still lots of ports open, it's just that Microsoft put a firewall on the system, too.

          The problem still exists. But now there is a wrapper obscuring it that you have to get through. That isn't solving the problem. That's just attempting to hide it.

          And exploits have been found for Microsoft's firewall. Which demonstrates the problem with not solving it at the lowest level.

          I can put an Ubuntu machine with a default install onto the Internet without any firewall and still be safe from worms.

          I cannot do that with WinXP (or Win2K or Win9x or WinNT). If you aren't solving the problem at the lowest level, you're not really solving it. You're just hiding it.
          • I wish more people would point this out! A firewall by itself is not security. It's just an extra layer of protection. Protecting insecure apps by putting them behind a firewall is a recipe for disaster. Ideally, you should be able to turn your firewall off and still not be any more vulnerable. The primary function of a firewall is to reduce visibility, not add security.
            • by Vancorps (746090) on Sunday January 07, 2007 @02:26AM (#17495238)
              Sorry, but the primary function of a firewall is indeed to add security. My website is protected by a firewall but it still receives millions of hits and several hundred thousand pageviews. It's safe to say its quite visible and I wish it to remain so. You're right that a firewall is an additional layer of protection and is by no means the only layer. Sometimes you are forced to run an insecure app though and in those times you thank your lucky stars you have proper firewalls and routers and VLANs and RADIUS to help protect your services.
              • Re: (Score:3, Interesting)

                by dodobh (65811)
                Unless your firewall is a reverse proxy, you are still vulnerable to exploits in yur code, or the webserver.

                Firewalls are bandaids, there is no replacement for well written, secure code.
            • by hughk (248126)

              Firewalls *should* be bidirectional filters. That is, they filter what goes out (egress) as well as what comes in (ingress). You are probably confusing them with NATs which usually allow anything out and provide some limited means for inbound port mapping. The XP firewall, when correctly configured will filter egress. Unfortunately it is relatively easy for an application to override. For example any kind of SMTP spambot needs to be able to send out SMTP (and probably hook up with IRC). If SMTP is blocked e

          • An ignorant question: Why, then, does MS persist in leaving them open? It seems like there's no real reason for doing so unless you have a specific reason, and that it's possible to open ports only as necessary, eg., opening whatever port(s) MS Messenger uses only while MS Messenger is running. Since MS presumably has competent people designing its security and doing the best they can with such a complex product, why haven't they taken this obvious step?
      • Re: (Score:2, Insightful)

        by mistralol (987952)

        Well thats not really true. There is almost an unlimited number of ways a machine can be compromised.
        Most of them still valid.

        A program written for a specific task downloaded and run by the end user does not fall into the categories you list.

        First problem with XP and SP2 was its new security features did very little. Like come on it now asks the end users is this ok to run ? but the problem is the first time they saw things like this every time they clicked no their programs didnt work. So from then on they
      • The lack of open ports is not all good. Getting entwork printing working with UBuntu is a pain, for example.

        I would have thought the biggest problem at the moment are web browser vulnerabilities - which is why I use Noscript.
      • by grahammm (9083) *
        And why do PC vendors sell PCs which have not had the latest security updates applied? This can lead to a catch-22 situation for the purchaser - they have to connect to the internet to download the security patches but while they are doing so they are vulnerable to any exploits which are addressed by the updates they are downloading. So vendors should, at the very least, provide a CD containing up to date security patches for the pre-installed software so that the purchaser can secure the system before goin
    • Parent got moderated 'flamebait'??

      His post seriously addresses TFA, and the only possibly flame-like statement has a smiley after it. Somebody please scroll back and mod him up.
  • by flyneye (84093) on Saturday January 06, 2007 @09:54PM (#17493476) Homepage
    Capitol Punishment on national television for owners of botnets.
    O.K.,O.K. maybe just corporal punishment ,but it has to be bareass.

    • Maybe if there were free tools available to find and remove bots from home computers, you could argue that a "pollution" fine would be in order for those that allowed (through neglect) bot proliferation.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      What is "capitol" punishment? A stick of dynamite in the rotunda?

      You mean "capital" punishment.

      • Re: (Score:3, Funny)

        by bjohnson (3225)
        Capitol Punishment - Sitting at the witness table in a Senate hearing room, in front of the cameras, listening to Ted Stevens lecture you about the Internets Tubes. You are not allowed to laugh.

    • by KiloByte (825081)
      No, no. You got that wrong.
      The bareass corporal punishment should be reserved for female crooks of appropiate age.

      The rest should be rid of -- but, sending them to the Capitol would count as a cruel and unusual punishment.
  • by wytcld (179112) on Saturday January 06, 2007 @09:57PM (#17493506) Homepage
    When a corporation creates a product that is unsafe not just to its user, but to many thousands of others, and provides instructions for that product which, even if faithfully and fully followed by its user, are insufficient to prevent it from causing damage and suffering to thousands of others, that corporation should be liable for the damage and suffering.

    If you sell me a chain saw, and I ignore the instructions and cut off my hand, it's my own damn fault. If I ignore morality and criminality and cut off my spouse's head, it's still my own damn fault. But if the chainsaw goes off on its own power, while I'm sleeping, and slices and dices the whole damn town, it's your fault for selling me such a product, especially if you manufactured it with the knowledge that it could, in certain not-uncommon circumstances, do exactly that.
    • Re: (Score:3, Interesting)

      by zCyl (14362)
      But if the chainsaw goes off on its own power, while I'm sleeping, and slices and dices the whole damn town, it's your fault for selling me such a product, especially if you manufactured it with the knowledge that it could, in certain not-uncommon circumstances, do exactly that.

      And what if it's a GPL'd chainsaw that you made in college, put on the internet for people to copy and use if they want, but never took the time to test thoroughly?
      • by petrus4 (213815) on Saturday January 06, 2007 @10:48PM (#17493902) Homepage Journal
        And what if it's a GPL'd chainsaw that you made in college, put on the internet for people to copy and use if they want, but never took the time to test thoroughly?

        Ever been part of the warez scene on IRC?

        I'm assuming you haven't, so I'll explain. That system is entirely trust based, and self-regulating. If a file ever comes from anyone which has a virus or anything else suspect included, the source of the file immediately gets ostracised, at least as a source, and most likely in terms of download access as well, since the system is based on reciprocal trade. Wrong, I hear you say...what about cracks coming from warez *web* sites or p2p nets which have malware? Said malware would likely be put into the archives by the webmasters of those sites themselves...the upstream cracking groups would NOT be doing it, because there are a lot of people in the warez food chain who are not going to want to receive/propogate known malicious files. ANY group which includes files for compromising a system with a release has just destroyed its' ability to subsequently release files that people will trust at any point in the future. Ditto for eMule files that have nasties in them...they get intercepted/recreated downstream. That is part of the entire reason why nets like eMule use the sorts of file hashing systems that they do; if you know the hash of a particular group's release, you can download said release and get entirely clean warez.

        Ditto with any moron who was going to be dumb enough to try and write GPL licensed malware...they'd gain a horrible reputation very, very quickly. The other thing is, anyone who is sufficiently interested in doing the wrong thing as to be writing malware in the first place is not going to care about licensing it unless they are exceptionally stupid...which malware authors generally aren't. Sociopathic and deserving of being used as live shark bait, yes. Stupid, no.

        Accidental bugs which lead to buffer overflows and such are different. They are unavoidable, and people know that...despite the best of developer intentions, occasionally they happen. As such, although the author of said bug will not risk ostracision for authoring it, in most cases (at least if the program in question has more than half a dozen or so users) it gets patched very quickly.
        • by shmlco (594907)
          "Accidental bugs which lead to buffer overflows and such are different..."

          Yep. Those bugs were accidental... really.
        • I came across this idea [aburt.com] recently via a writers' group. The author proposes breaking the "warez" distribution system by deliberately putting out many partly-broken versions of software. For a game this would probably mean some versions that crash halfway through or subtly corrupt saved games. But if the warez networks are using hash signatures to identify perfect original versions of media, wouldn't this technique fail?
    • by Kjella (173770)
      If you sell me a chain saw, and I ignore the instructions and cut off my hand, it's my own damn fault. If I ignore morality and criminality and cut off my spouse's head, it's still my own damn fault. But if the chainsaw goes off on its own power, while I'm sleeping, and slices and dices the whole damn town, it's your fault for selling me such a product, especially if you manufactured it with the knowledge that it could, in certain not-uncommon circumstances, do exactly that.

      Hey, yank the network cord and yo
    • by tomhudson (43916) <barbara.hudson@ ... a - h u dson.com> on Saturday January 06, 2007 @10:20PM (#17493686) Journal

      If I ignore morality and criminality and cut off my spouse's head, it's still my own damn fault.

      Hans Reiser, is that you?

    • by 0racle (667029)
      Liable for what? Releasing software with bugs in it? You would have to extend that to every software manufacturer that has ever existed.
    • Re: (Score:2, Interesting)

      by mistralol (987952)


      And i was thinking about this the other day. Thats why software typically isnt bought by end users but licensed on an "as is" bases.

    • Re: (Score:3, Insightful)

      by c6gunner (950153)
      "Insightful"? Dammit. Slashdot REALLY needs a better moderation system.

      This psychotic-chainsaw-with-artificial-intelligence analogy is one of the dumbest things I've ever heard. Maybe the author of that post is really so ignorant about computers that he believes them capable of free-thought and action. If he is, I feel sorry for him. The people who modded him up, though, should know better. Computers require programming or user input, or both. Either way, they only do what SOMEONE ELSE has told them
    • by donaldm (919619)
      The problem is not exactly Microsoft it is the people who miss-manage their own PC's. Basically a Computer is quite sophisticated and a user should be better educated on how to use one. The problem is that people seem to be brainwashed into thinking that a Computer is like a commodity item such as a TV and it is easy to use so they don't need to learn much. This is the concept that Microsoft pushed in the 1980's and continues to push which is now causing enormous problems and this is the fault of Microsoft.
    • by drsmithy (35869)

      When a corporation creates a product that is unsafe not just to its user, but to many thousands of others, and provides instructions for that product which, even if faithfully and fully followed by its user, are insufficient to prevent it from causing damage and suffering to thousands of others, that corporation should be liable for the damage and suffering.

      If you do this with Windows, you're fine. How is it going to help, again ?

    • You'd better be willing to bankrupt both Apple and the Mozilla Corporation then, as both have a long track record of major security holes.
  • unless you know how to secure it and maintain it.

    The people offering this "advice" have got to be idiots. True, it might cost more to pay someone else to de-own your PC and train you on how to avoid problems in the future than the cost of replacing the hardware. That doesn't mean that educating yourself isn't the right answer though. What does buying a new machine do to make you more secure? Buy a $400 brand spankin' new bottom of the line Dell, throw it up on the net, and get owned in under 20 minutes.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Buying a new computer won't help you unless you know how to secure it and maintain it.

      I'm guessing the poster thought that was the advice based on the closing anecdote. In it someone ran into trouble because their current PC was a botnet client. They weren't running the security software provided by their ISP because it overwhelmed their PC, and were buying a new one that was powerful enough to run all of the anti-virus/firewall/etc. protection they need.

      You don't need to be a security guru, but you

    • Not quite.... (Score:5, Insightful)

      by Dcnjoe60 (682885) on Sunday January 07, 2007 @12:42AM (#17494648)
      Being proficient with a computer is not optional if you want to own and use a computer. Learn about TCP/IP. Learn about NAT. Learn about not trusting everything. Learn about understanding how things work at least a little bit before you try to run. You don't need to be a security guru, but you can't get by thinking you can just use a computer and never have to learn anything more about it than that.

      Ummm, most Mac OS X users don't have to know anything about TCP/IP or NAT, etc. Of course, they have an OS that has security built in at a very low level, not tacked on as an after thought. Windows, at least through XP, is still based on the notion that it wants to make it easy to connect to everything and everyone. As such, it's pretty open and malware takes advantage of that. OS X and the various *nix distros start at the other end of the spectrum where things are locked down unless you open them up (although OS X has more opened up than, say Ubuntu and various other linii).

      As others have posted, if Windows shipped with all ports closed except those that were really needed, then the user wouldn't need to worry about all these things. They wouldn't be opening a port until they needed it for some specific application and then that application could explain the dangers, if any to having the port open. It's basically a compromise between ease of use and security. Microsoft chose to maintain it's ease of use model from the pre-internet days, when everything was local and has tried to add security on top. It just doesn't work that well.

      So, the real choice is, it seems, that if you want a Windows pc, then you need to learn about TCP/IP, NAT, firewalls, etc. On the otherhand, if you just want to use your computer, either buy a Mac or put a secure Linux, like Ubuntu, on your pc. (I just use Ubuntu as an example, there are others, too)
      • Re:Not quite.... (Score:4, Interesting)

        by IamTheRealMike (537420) <mike@plan99.net> on Sunday January 07, 2007 @08:05AM (#17496726) Homepage

        I cannot believe people are still saying this. How many stories about botnets do we have to have on Slashdot before people realise that UNIX is not secure either.

        Look. The vast majority of this crap comes in via browser exploits these days. Running malicious attachments etc is not such a favoured technique anymore. There is nothing in UNIX that stops applications from being written in an insecure fashion, there is nothing in UNIX that stops apps hooking each other to hell and back (which is largely what these bots are doing when they steal data), there is nothing in UNIX that even makes it hard to install a rootkit. Just phish the password out of the user, or wait until an authentication dialog appears and overlay your own, or wait until a privilege escalation attack is found (new ones appear all the time). But as you don't need root to steal data, send spam, display popup ads or any of the other things bots do this is really just a nice-to-have bonus, it's not essential.

        The fundamental architecture of Windows NT is no different to UNIX these days. They are both seriously flawed because they are based on a threat model from the 70s, when the world of computing was totally different. Having an administrator user and also a "regular" user who are really the same person is a nasty hack that doesn't solve the problems at all. Apple don't have the answers ... have you seen how easy it is to suck SSL protected form data out of Safari? Neither does the Linux community. SELinux has gone down the route of totally static policy, which is fine for servers but worthless for desktops.

        MacOS and Linux are statistically insignificant, but if people keep recommending them as a "solution" then soon they won't be and then we'll find, oh look, it's just as easy to create Mac botnets as it is Windows botnets. What little trust is left in computer security people will then be gone.

        The fact is, residential computing is fucked. Utterly, utterly fucked. The guy quoted by the NYT is right, the war was already lost a long time ago, and people keep pretending it wasn't. The war was lost when the computing community decided that user based DAC security models could stop malicious software. They can't, they don't, and they never will so please stop saying MacOS or Linux are somehow inherantly better, when they aren't! They are at best temporary band-aids.

        • Re: (Score:2, Offtopic)

          by Dcnjoe60 (682885)
          I never said that Unix was secure. I said that certain versions of it come with all of the ports closed, which make it much less of a problem for the botnets to work.

          As for the fundamental architecture of NT being no different than Unix, well maybe, maybe not, but the security model sure is different. By default on Windows, everything is open and accessible unless you shut it down. Even if you don't enable file and print sharing, there are hidden administrative shares that can't be disabled without droppi
    • Being proficient with a computer is not optional if you want to own and use a computer. Learn about TCP/IP. Learn about NAT. Learn about not trusting everything. Learn about understanding how things work at least a little bit before you try to run.
      That's not really required. My aunt runs a Windows 2000 install I set up for her, she doesn';t have the admin password, IE, Outlook or the ability to install software and has never had a problem. My sister has a Mac, she keeps a seperate root account and has never
      • Yeah, but who set up your aunt? I'm talking about people who don't have a resident family IT guy who'll be around to provide setup and support. If you don't have anyone, you have no choice but to educate yourself and get good at it.
  • An easy answer (Score:5, Insightful)

    by Overzeetop (214511) on Saturday January 06, 2007 @10:00PM (#17493536) Journal
    So all we need is a widget on the desktop that allows you to turn on and off the internet connection, and logs all information that goes in and out, along with denying any redirection of data to other than the specific target request (if you send a request to www.google.com, only www.google.com may respond).

    Any traffic that isn't specifically requested by the user is blocked. You manually open and close ports as you need them.

    Oh, right, that would break most authenticity checks to combat "piracy", and totally botch most advertising on the net, and set us back to the early 90s. BTW - sign me up.
    • Re: (Score:3, Insightful)

      by vtcodger (957785)
      ***So all we need is a widget on the desktop that allows you to turn on and off the internet connection, and logs all information that goes in and out, along with denying any redirection of data to other than the specific target request (if you send a request to www.google.com, only www.google.com may respond).***

      Well .... No, not exactly ... unfortunately.

      • Even if all you are worried about is TCP/IP to web sites, you will need to allow traffic to your ISP and your DNS provider. I don't think these
  • New PC (Score:5, Insightful)

    by NitsujTPU (19263) on Saturday January 06, 2007 @10:02PM (#17493546)
    Getting a new PC doesn't make any sense at all. It just gives the bot more resources to munch on.
    • by zCyl (14362)
      Getting a new PC doesn't make any sense at all. It just gives the bot more resources to munch on.

      This story brought to you via the botnet which tookover the NYT. :)
  • by Todd Knarr (15451) * on Saturday January 06, 2007 @10:11PM (#17493604) Homepage

    The core of the problem is responsibility, or a lack thereof.

    Vendors aren't responsible for the results of the flaws in their programs. Worse, they aren't responsible for deliberate design decisions that make it impossible to secure systems. I make an analogy to automobiles. Auto makers aren't generally liable for defects in cars, unless the source of the defect goes beyond a simple mistake or defective part, but they are responsible for repairing those defects and can be sued if they refuse to do so. And they're liable for design decisions they make. Witness the Ford Pinto. The current state of software liability is akin to Ford claiming that, because they had a valid business reason for building the gas tank on the Pinto the way they did (it was cheaper, thus let them price the car cheaper), they cannot be held liable for the fires that happened as a direct result of their decision. The courts slapped Ford around for making that claim, why are software vendors not treated the same? I can live without strict liability for software flaws, but lack of liability for design decisions that directly lead to security problems is probably the biggest reason we still have problems.

    And users aren't held responsible for their use of a computer. They treat it as some sort of plug-and-play device like a television or a radio: plug it in, turn it on and stop thinking about it. A computer isn't an appliance, you can't just ignore it after initial set-up. Again, cars make a good analogy. You can't just ignore a car's maintenance after you buy it, you need to put new tires, new brakes and such on it regularly. And car owners get held liable if they don't. If you wore your brakes out so they don't work anymore and didn't get them serviced, when you rear-end someone because you don't have any brakes you will be held responsible by the courts and the insurance. If you're running on bald tires because you don't think you should have to check and change anything, you're going to get ticketed by the cops at some point for unsafe mechanical condition and the car's registration will get suspended until you fix the problem. Sure it's a hassle and expense to keep maintaining all those things about a car that need maintained, but we don't accept that as an excuse for someone not maintaining them and causing damage or injury to others as a result. So why do we let computer users off the hook when they say "But I don't know anything about computers!".

    Software vendors and computer users need to grow up. They've been both acting like spoiled 5-year-olds who were running in the house after being told not to, knocked over the china cabinet and broke everything in it, and now that Mom and Dad are standing there they're whining that they shouldn't have to own up to it and take their punishment. No dice.

    • by tftp (111690)
      So why do we let computer users off the hook

      Because the "damage" they cause is very small, and virtual in nature (an annoyance at most.)

      when they say "But I don't know anything about computers!"

      Because 100% of the lawmakers are firmly in this category?

    • by Jerf (17166)

      I make an analogy to automobiles.

      Yeah, sorry... I sort of stopped reading right there.

      Computers aren't cars, webpages aren't newspapers, and the Internet is not a highway.

      The closest real-world analogy to a botnet would be an engineered real-world virus, and even that isn't a good enough analogy to come to any conclusions with. (For one thing, nobody is a "manufacturer" of human bodies, so the blame situation would be entirely different.)

      Friends don't let friends make car analogies. Do your part to put a st

    • Most (not all, mind, you but most) people are reasonably responsible about maintaining their cars. They learned about it at their daddy's knee, or from the coach who taught them driver's ed. They hear about it when they buy a new car. They see ads on television ("Be good to your car so your car will be good to you...") People neglected their oil, filters, and tires savagely back when pumping one's own gas became popular because nobody was there to offer to check for them--but then a whole new line of enter
      • Re: (Score:3, Informative)

        by Todd Knarr (15451) *

        I don't know, I see the basic advice about security everywhere I look. You can't go to any security-related Web site, or even Microsoft's site, without hearing the basic common-sense rules I learned from other people in the BBS community back 25 years ago when I was in high school. Don't install software from sources you don't know and trust. Don't use software that downloads and runs stuff from external sources automatically. Put a hardware router with a firewall between your computer and the Internet. E-m

  • by jlarocco (851450) on Saturday January 06, 2007 @10:17PM (#17493658) Homepage

    and sell your old one cheap.

    Just the other day I bought an older Dell that "wouldn't boot" for $15, sans hard drive. An hour of hacking around inside, and I was able to get it going. It's a little old, but it'll make a nice LiveCD tester.

    Consumers are getting raped by MS and Dell, but they're not going to learn, so might as well take advantage.

    • Re: (Score:3, Interesting)

      by sjwest (948274)
      Waiter Rant (some blog) covered this recently http://waiterrant.net/wordpress2/?p=400 [waiterrant.net]

      "Same old," Arthur says. "How's the writing thing going?"
      "Harder than I expected," I say. "But thank God for computers. I can't imagine typing this all out on a typewriter."
      "Computers are great," Arthur says. "Until they go wrong."
      "Ain't that the truth."
      "My old computer was so infested with porn I had to throw it out," Arthur says.
      "No way," I reply, taking a sip from my martini.
      "I'm not kidding."
      "Couldn't you reformat the h
  • The summary is a little misleading. The NYT doesn't recommend that getting a new PC is the solution. They simply quote a woman running an old machine with Win98, which wasn't capable of running the security software provided by her ISP without slowing to an unusable crawl. I think most of us have seen our share of computers in that state to sympathize.

    Did anyone really expect a middle-aged, non-techie to think "Gosh, I should finally install Linux with a lightweight window manager!"
    • If the 'security software' provided by her ISP made
      the computer slow to a crawl, I'd say that the
      'security software' was actually malware/spyware.

      • I am offended every time an ISP tries to install software on my computer. When we go to the gas station, do the attendants try to glue widgets to our upholstery or steering wheels?

        It's damned AOL, convincing people wrongly since the beginning that "The Internet" is a piece of software on their computer. It is not. It is a utility, and an ethernet cable is just like a power cord.

        (This small rant after a Verizon FIOS install put shedloads of crap on my parents' PC. I had to explain to them that this c

  • Purchasing a new, "updated" PC is going to give you about as much protection as purchasing a new "updated" vehicle. Sure, you're going to find plenty more safety features to make your drive easier, but bottom line is the vehicle isn't going to be immune to crashes; it's still your duty to drive responsibly. The same goes for your PC - it's your responsibility to secure you PC against the latest threats. As far as the propagation of malware goes, I predict it's only going to get worse. Let's face it - as lo
  • I have already handed an Ubuntu disk to one "lost cause"... perhaps the wave of the future? Then, over beers, you help install thunderbird and get most of their stuff up and running. What a shiney new machine they have!
  • by astrashe (7452) on Saturday January 06, 2007 @11:21PM (#17494084) Journal
    The problem is exacerbated by the reluctance of MS and PC vendors to give out Windows CDs that can be used to wipe and reinstall systems. They should build pockets into the sides of cases for the CDs so people don't lose them, and slipstream all the drivers in, and put instructions to boot the restore disk on the CD label itself.

    Heck, a 700MB USB flash drive isn't expensive now. They should build read only flash drives with windows into the box, and put an option to run a reinstall in the bios. Solder it in so no one will steal it.

    It's the least they could do, considering. I mean, Windows compes preinstalled on almost every PC sold, and there are a zillion pirate copies of Windows floating around on the net, so hardly anyone needs to steal it, and anyone who wants to steal it can. But legitimate users are screwed when they have problems because they don't get CDs, because giving them CDs would encourage piracy. And, I suspect, because it's good for business if people trapped in a monopoly have to buy extra computers to solve this problem.

    • Re: (Score:3, Funny)

      by BigZaphod (12942)
      How about a single button solution on the front panel of the PC? Label it as "power" so that each time the user turns the system off it actually starts a reinstall after shutting off the monitor. That way, when they come back in the morning, they can start fresh! Imagine how much easier tech support would be... rebooting your computer would actually help - and it'd always come back with a clean slate! No confusion about where they accidently dragged the Recycle Bin while trying to click on the Start me
    • Re: (Score:3, Interesting)

      by Rick17JJ (744063)

      I had suspected that my Windows 2000 installation may have been compromised in some way so I wanted to reinstall it. Unfortunately, it took me several days to find one of my two original installation CDs. I found both of them, then I remembered that they were both Windows 2000 upgrade disks, so I will also need to find either my Windows 98 disk, my Windows ME disk or one of my two Windows NT 4.0 disks, none of which I could find. So I couldn't reinstall Windows. If that had been Linux I would have just

      • by 1u3hr (530656)
        I had suspected that my Windows 2000 installation may have been compromised in some way so I wanted to reinstall it. Unfortunately, it took me several days to find one of my two original installation CDs. I found both of them, then I remembered that they were both Windows 2000 upgrade disks, so I will also need to find either my Windows 98 disk, my Windows ME disk or one of my two Windows NT 4.0 disks, none of which I could find

        If I recall correctly, an upgrade install looks for an existing install on yo

        • by Rick17JJ (744063)

          Thanks, for the info!

          I did back up my Linux files, and other data files too. I also backed up the boot sector of the hard disk onto a USB flash drive, just in case the Windows installation program decides to rudely overwrite the boot sector with its own boot loader. I also created a GRUB boot CD which, if necessary, could be used as a temporary way to start-up Linux or Windows. A Knoppix live CD can also be used to access partitions in an emergency. I am prepared to give it a try again sometime. Perha

  • NYT Generator is down so time to use copy and paste from the print page:

    January 7, 2007
    Attack of the Zombie Computers Is Growing Threat
    By JOHN MARKOFF

    In their persistent quest to breach the Internet's defenses, the bad guys are honing their weapons and increasing their firepower.

    With growing sophistication, they are taking advantage of programs that secretly install themselves on thousands or even millions of personal computers, band these computers together into an unwitting army of zombies, and use the co
  • Everyone seems to be blaiming either Microsoft or the ignorant user. Let's not leave out the ISP. ISPs should cut off anyone who's connection is showing suspicious activity like spewing out hundreds of emails over a short period of time, etc.
    • What about the banks?

      It took about 3 days to kill online gambling by prevventing the banks from handling the transactions. A million-dollar business reduced to being sold for one dollar. If they did the same to businesses promoted by spam, etc, the whole mess would stop in 3 days.

  • by TerranFury (726743) on Sunday January 07, 2007 @01:02AM (#17494792)

    I really, really don't get it. It's not that hard to keep a Windows box safe. I do understand how grandma can screw up, but I just do not buy the rubbish that every Windows machine gets compromised in five minutes.

    People talk about "open ports." To me, that's right up there with "oh no! My IP address is visible!" paranoia. It's just not how computers work! Worms don't somehow jump into your computer through magic holes called "ports:" They exploit bugs in services.

    So, disable all the services you don't need. Get rid of the blasted Windows filesharing cruft. Shoot the scripting host. Turn off the remote desktop crap. Look through all the services, and just clean all that junk out. If you don't have idiot programs running that worms can fool into executing arbitrary code or otherwise misbehaving, you're ok! Then connect to the 'net and install the latest updates. In the time it takes you to do that, nobody will jump up through your NIC and give your computer gonorrea.

    A firewall is a safety net, and it makes perfect sense in, say, a production IT department to have as many safety nets and backups as you can. But a properly-configured machine, without exploitable crap running, shouldn't strictly need it, and I really think that a competent personal user can easily stay safe.

    As for the "security software" the article speaks of: Though an up-to-date antivirus is a decent idea, most software firewalls and other pieces of security software really just operate something like modern-day politicians, keeping users alarmed so as to justify their own existance. "Someone is trying to HACK you!" they scream, as an innocent ICMP ping request arrives at your computer. Pfft. Save your CPU cycles and just don't be a fool!

    • Re: (Score:2, Insightful)

      ...but I just do not buy the rubbish that every Windows machine gets compromised in five minutes.

      I don't know why your post is considered Insightful. Because you said 5 minutes instead of 12 minutes? This from MSFT's web site:

      http://www.microsoft.com/technet/desktopdeployment /articles/080305tn.mspx [microsoft.com]
      Techniques for Patching New Computers
      Published: August 3, 2005
      By Tony Northrup

      I've Been Hacked Already?

      A few years ago, I was doing systems engineering work for a technology firm when a UNIX
  • by rrohbeck (944847) on Sunday January 07, 2007 @01:30AM (#17494952)
    Kudos.
  • i thought holding a website for ransom or unleashing a botnet DDOS to shut them down was a problem, but the topic was never touched on in the NYT article

    is it because the issue is outside the scope of the article or am i hopelessly behind the times and that's not really a problem anymore for some reason i'm not aware of?
    • by cdrguru (88047)
      Of course it is a problem. But you wouldn't want to scare people, would you?

      Today, the "other" use is to send spam. Lots and lots of spam - 10x more than a year ago or so. But the Eastern European protection racket is still there and these people are still getting paid off.

      Just another cost of business on the Internet.

The most delightful day after the one on which you buy a cottage in the country is the one on which you resell it. -- J. Brecheux

Working...