What a Hacked PC Can Be Used For
An anonymous reader points out that the Security Fix blog is running a feature looking at the different ways hacked/cracked computers can be abused by cyber scammers. "Computer users often dismiss Internet security best practices because they find them inconvenient, or because they think the rules don't apply to them. Many cling to the misguided belief that because they don't bank or shop online, that bad guys won't target them. The next time you hear this claim, please refer the misguided person to this blog post, which attempts to examine some of the more common — yet often overlooked — ways that cyber crooks can put your PC to criminal use."
They don't care (Score:5, Insightful)
Over the years I've offered help staying secure to friends, co-workers, etc. and I've learned that they just don't care. Most people only want help in one situation- when they have a virus that interferes with their computer working properly. Then they want it removed so they can go back to doing all the stuff that got it on their machine.
If you don't believe me - tell someone who isn't a tech person to go read this blog post. A week or two later ask them if they read it. I'm gonna go out on a limb and say over 90% won't.
Or talk to someone like that about security. Watch as their eyes glaze over and they look for a way to escape.
Disappointing (Score:4, Insightful)
Re:They don't care (Score:2, Insightful)
this is soooo true.
I have coworkers who do downloads 24/7 from their home computers (no MAC spoofing, no TOR, no proxies, no nothing).
When asked about the dangers of being caught (even as a remote possibility), the answer was the same: "I don't care!"
Re:They don't care (Score:5, Insightful)
Same experience here.
However, I told people all those issues that are mentioned in TFA. The response of my friends? "So what?" -- They do not feel responsible for malware running on their computer. Somehow, I can even understand them; they just bought a computer and pay for an ADSL line -- why should they care if their computer is broken by design (e.g. needs an update before the first connection, as was the case with Windows XP before computers were delivered with SP2 installed)? It's hardly their fault.
Child porno? (Score:1, Insightful)
Come on now, that has got to be a troll.
What are the odds that a hack0r is also a pedo that would do this?
Even if a pedo paid a hack0r what are the odds he would report him?
Am I being naive here or is this guy really trolling?
Re:They don't care (Score:5, Insightful)
I agree, I worked at a computer store doing service for many many years and I would see the same old people over and over and over again. I would tell them to just stop installing kazzzza! or stop browsing seedy porn sites but they never did and it was always their teenage son's fault.
(If it was me I'd ask how to lock him out after the 5th $100 reload) - didn't always need a reload just saying...
I even offered to explain to them how to set up a BIOS password and sold special case locks for three bucks... no takers.
They would however, always be very mad at me for not preventing their computers from getting reinfected. I guess they expected I would create some sort of magic barrier for them.... I donno... It's funny hearing "I'll never come back here AGAIN!" from the same person and then see them back in two months or so....
People don't mind going out to the bar and spending $200 on shots but don't try and charge for fixing their porn box or you'll get beat...
Re:They don't care (Score:2, Insightful)
Sadly, no, they don't (Score:5, Insightful)
It stopped when I forced him to use Firefox instead of Internet Explorer, and set him up with a limited user account and told him he'd need to log out or switch users to an administrator if he wanted to install something.
Hasn't had a problem since.
Everyone else I've tried that (or something similar) with is too obstinate or stubborn to recognize or believe when I tell them that they're actually clicking "Yes please, install this virus on my computer" over and over again, every time they want a new free, useless desktop widget or application or game produced by a company no one's heard of... that just has to have Admin privileges to run...
Re:Disappointing (Score:3, Insightful)
Re:They don't care (Score:4, Insightful)
Most people only want help in one situation- when they have a virus checker that interferes with their computer working properly.
There, fixed it for you. Most virus checkers are worse than the viruses they protect you from.
Re:They don't care (Score:5, Insightful)
I'd say it's much worse that people treat their vehicles the same way, but the same line of reasoning applies. It's more trouble to be a safe driver and maintain your vehicle in proper working order than it is to deal with the occasional hassle of a fender bender or possibly death. And if the possibility of dying isn't enough to get people to change their actions then I really don't think lecturing them about malware is going to do the trick.
The apocalypticism is getting old (Score:5, Insightful)
I'm tired of the press and so-called "experts," taking the Chicken Little approach to security, personally. There are a few basic ground rules; if you follow them, 90%+ of the time, you're going to be fine.
1. Ideally, don't use a Windows machine on the Internet. (Yeah, right) If you must, however, don't browse sites devoted to smilies, ringtones, custom mouse pointers, or that sort of crap...you're asking for it that way.
2. If you use Linux or FreeBSD, use sudo. Do NOT be an idiot and just use root all the time, and don't use sudo without a password on it, either.
3. Use multiple disk partitions. On Windows, that means you can reinstall faster if you do get hit by something, and on Linux or FreeBSD, it hopefully limits the number of places an attacker can go.
4. Realise that while virii/trojans might be common on Windows, actual live attacks on individual machines (i.e., with an actual human 14 year old on the other end) are rare almost to the point of rendering the scenario academic. That's not to say that they don't occur at all, mind you, but there was this absolute paranoid idiot who I saw being interviewed a few months back, who was declared an, "expert," who spoke of using virtualisation and various other gratuitously overblown means of keeping people out of his systems, and also advanced the theory that the entire Internet could effortlessly be destroyed in around five minutes flat.
5. Virus scanners on Windows are hugely overrated. Use one if you must, but I've never seen an infested Windows box that didn't have multiple virus scanners running, thus proving that in the grand scheme of things, they really don't do all that much. A better idea is to learn to identify the types of sites that virii can typically be picked up from, and avoid said sites.
Basic, minimal security, up to a certain point, is of crucial necessity, IMHO. Beyond that point, however, most paranoiacs are actually hobbyists who don't realise it. Their obsessive measures aren't truly as necessary as they think they are; for the most part they do what they do more simply because they like it, than because they actually need to.
My hacked PC (Score:5, Insightful)
If I can no longer read files because of changes to proprietary formats,
if I cannot play media because of DRM,
if I cannot use my hardware because proprietary drivers don't exist and the manufacturer won't release the information needed to create an open-source driver,
if I cannot obtain security updates because my OS is wrongly deemed to be an unauthorized copy,
if I am not allowed to install the software that I buy on any PC I choose without having to call for permission,
if the software on my computer calls home without my explicit permission,
if the software on my computer transmits information about my computer without my explicit permission,
I have lost control of my computer and it has been hacked.
Re:They don't care (Score:5, Insightful)
This is unfortunately very true. Several of my co-workers bring me their machines from home every few months to fix and 90% of the time none of the Windows updates are installed and the anti-virus software is either outdated or completely disabled. I finally sent an email to all employees that I will no longer fix any non work machines. My main reason is that they seem to think that my expertise is worth nothing to them..none of them have ever offered to buy me a pack of beer, much less pay me for the hours I spend on their personal computers, but also because it's extremely frustrating that they don't really care about preventing the problems in the first place.
Re:Users won't care (Score:5, Insightful)
Re:They don't care (Score:5, Insightful)
I'm going to assume here that you're implying they say "ok" when you tell them to read it. I think this is a more general phenomenon and isn't specific to computing at all. Lots of people casually say they're going to do something with no intention of actually following through, which makes me wish they'd just decline the request up-front. It's like their word doesn't mean anything to them, so they give it carelessly. Of course, they wouldn't dare do that to their boss at work, because he has ways to make them regret it, meaning this is merely a selfish trait and doesn't require any explanation more complex than a weak character. It's one of those things that has become common but that does not make it normal.
That's what I like about security. It's one of the few things where that sort of childishness and inability to deal with the real-world situation just won't fly, at least not for very long. An ability to put on an act and go through the motions won't protect you from the cleverness of the black hats; you need to actually have some understanding of what you're doing and why you're doing it. I think that's why people don't like this topic and consequently don't want to take even the more basic precautions. Whether they admit it or not, they resent finally encountering something that requires them to think, that cannot be reduced to a short list of simple steps that they can execute mechanically.
The technical information needed to maintain good computer security is abundant. It is easily found via Google. I think the real problem here, the reason why nothing seems to seriously improve, can be found in the mentality with which security is approached. That mentality, in turn, can be shown to have its roots in the way people have become during the last few generations, particularly their short attention spans and their addiction to convenience and instant results. Security is just good at exposing these things because its rules and concepts are like the laws of physics: the principles are sound and all the wishing in the world won't change that.
Re:They don't care (Score:5, Insightful)
The answer to this is to put the "personal" computer into context. PCs really stopped being personal computers the moment the availability of internet access became the norm. They should be called "social" computers now, but most people don't think of them that way.
How you put the "social" computer into context varies from person to person. I have a family member who I support who knows little about how computers work, and barely knows how to use one. He happens to be very politically minded, in a right-wing hardcore military patriot kind of way. I forward him some info about the Chinese hacking into US military and government networks and "cyber warfare" and that woke him up. Now he thinks it's his patriotic duty to keep his antivirus updated, and not open email attachments. I have very few problems from him these days, and the last few have been due to his security software being *too* tight. He thinks any problem he has with the computer could be a virus, as opposed to a bug or human error, or whatever, but he has gained enough sense of paranoia that he's made his usage habits a lot safer than they were when he was first going online.
You just have to find the right button to press (in the person, not on the computer) and then the rest will follow naturally because they finally care. If the user's a businessman, play up financial scammers and anarchist punk hackers. If the user's religious, invent satanic hackers. If the user's a leftist, talk about The Man and government spooks. If they're a concerned parent type, talk about child predators.
Re:They don't care (Score:5, Insightful)
That's like saying "people simply use their cars (and automobiles) as vehicles". A Mac IS a PC too, it's just one where the same vendor controls the hardware, software and outlets.
Re:They don't care (Score:5, Insightful)
The solution is obvious (albeit ugly). Punish the user. We are a long way from having a "secure" OS - I use Windows at work and both Windows & Linux at home and have used them for years. They both used to be swiss-cheese concerning security and both have improved dramatically, but neither are secure nor will they be any time soon.
1) Any ISP relaying openly malicious traffic needs to face consequences for it - Force them to self-monitor.
2) ISPs will start threatening users responsible for malicious traffic with disconnection.
3) Users with compromised connections will either have to start caring about security or give up Internet service.
I can feel the flames rising around me - They're welcome. As long as when you shout me down for this ugly step "forward", please present an alternative solution more insightful than "OS designers need to fix their security", 'cuz nobody's hit end-game yet. (Or "4 - ???" "5 - Profit", please... It's tired... But it did appear very recently in the WSJ as an analogy for Obama's stimulus plan - How cool is that!)
Re:The apocalypticism is getting old (Score:1, Insightful)
Why not just run a Linux host, and run Windows in a VM for tasks that require Windows? You can have a semi-up to date backup of the VM file, so if it ever does decide to die, it'd be an easy recovery.
Re:They don't care (Score:1, Insightful)
If your car's brakes go out and you hit a tree, do you sue the tree? No. Do you sue yourself? No. You sue Ford. They sold you a broken product. Same with M$. They told you it worked when you bought it, but it's broken. Make M$ responsible for fixing the damned problem.
Re:They don't care (Score:2, Insightful)
That's because they WANT an appliance (Score:5, Insightful)
Consumers want a secure easy to use web surfing appliance, but it is unobtanium to them. I mean wtf, why isn't this obvious yet? Not everyone is a computer nerd and specialist, most people aren't, and they have no huge desire to become one, they just want to surf the net. The computer industry just freeking *insists* on selling them devices that actually take a fairly high level of sophistication to keep running smooth and clean, because it makes them shedloads more money. Megaboatloads. The only web surfing appliances that have been on the market have mostly all sucked and been grossly over priced, and we all (here) know that.
And the computer repair and fixit industry doesn't want more rugged and fool proof net surfing appliances either, cleaning up borked windows machines is a multi BILLION a year industry. I bet for most whitebox shops it might be the bulk of their income. The computer hardware makers like borked computers because they get people on a hardware upgrade path once the consumer has been pwned a few times and people just decide a brand new machine will be the magic fix. The operating system industry wants borked because they get people on an upgrade path, again, get them thinking/hoping new version "Grand Horizon 7.0 XPU" will be the magic fix.
This won't change until we have software lemon laws and consumer warranties.
If a product is not "suitable for purpose", in this instance being on the net 24/7, without having to be a computer expert and installing a crapflood of other additional software, etc, this will just continue. Once it starts costing computer sellers and operating system sellers serious coin because of defective by design products, then things will change for the better, just like what happened in all other industries. It's the last industry with legalized "caveat emptor" out there, the magic get out of all legal responsibility EULA.
Obligatory car analogy: What would you think of paying big bucks for a new car, then finding out after you left the lot that you needed an additional entire trunk full of tools you needed to purchase and carry around with you all the time and at least a medium professional/serious gearhead hobbyist level knowledge of car mechanics in order to drive all the time?
That's the situation with computers and software today. Don't blame the end user all that much for getting broken computers when that is all they are provided with in the first place, no matter how much they spend on them.
Re:They don't care (Score:5, Insightful)
Re:They don't care (Score:3, Insightful)
It's just human nature, nothing to get upset about. The idea is basically this: is it more trouble to learn how to use a computer properly or to get it fixed when, on occasion, it stops doing what you need it to do?
Maybe. But it starts to get really tiresome when it's your spouse you are talking about (so the work is pro bono, and you *can't* just say no when they ask for help), they insist on using an OS that you don't like to administer (Windows), they insist on using software that requires admin privileges to run (Quicken, for example), they ignore your advice about having the kids use their own non-admin privileged accounts to play on-line games, etc., but they still blame you when *once AGAIN* the computer doesn't "just work" (because there are so many viruses on the machine that it takes 45 minutes just to start Task Manager).
If you can't get people to wear seat-belts (Score:5, Insightful)
Coupled with this, the article is full of fuzzy words like: potential, could, may, can, possibly. There's nothing in it that says authoritatively that anything bad will CERTAINLY happen if you don't secure your machine. Hell, people exceed the speed limit 'cause they don't think they'll get caught. Imagine what they'd do if there's not even a chance of any financial penalty for wrong-doing or laziness.
In the end, appealing to the average Joe's sense of community responsibility is a non-starter. There's got to be mandated security that cannot be disabled. It's got to work all the time and it's got to be ubiquitous. Until then, the situation won't get any better.
No real-world analogue (Score:4, Insightful)
The problem, in my opinion, is that people who don't seem to care about computer security are the sort of people who abstract a computer into real-world analogues and stick to that, hard. That is, they're the sort who've been taught how a computer works solely by comparing it to things they know outside the computer world (i.e. "your hard drive is like a big filing cabinet and you don't need to care past that", "email is just like getting letters, just over the internet!", "the media player is like a big jukebox with all your favorite songs!"). Anything that doesn't fit in their real-world analogue system is for those stupid smelly nerds who exist solely to fix your problems when they inevitably happen.
And that last part is where it starts to go wrong. Try explaining computer security to a non-techie. If you go from the technical end of what's happening, they'll get confused and ignore you. If you go from a real-world analogue method, you'll be inventing all sorts of fantastical explanations that, to a real-world person, sound patently absurd, the stuff of fantasies and science fiction for those stupid smelly nerds who exist solely to fix their problems when they inevitably happen.
For example, they'll think you're out of your mind when you tell them there's botnets trying to break into your computer(s) endlessly without rest, and they don't care who you are or how rich you are. Try explaining that in a real-world or sorta-real-world context: There's an army of zombies on your lawn, they feel no pain, they want to get into your house, they will never stop, your brains are as good as anyone else's, and unless you stay on the ball, they WILL get in and make you one of them (not to mention the fact that, of course, we don't want zombies on the lawn). Does that sound like something anyone outside the computer world would take seriously?
They can't see it, they can't abstract it out to anything that makes sense in their minds, they don't know how it would happen, it sounds really stupid, so you're the crazy person, and they can go back to cheerfully installing smiley packs. End of story. Unless there's some way to explain it that doesn't bore them, test their attention spans, or make them think we're the crazy people, they're going to ignore security concerns and just assume it's someone else's problem. Like those stupid smelly nerds. They don't have anything better to do, just staring at all that white on black text all day long.
Computer security is like a convertible car (Score:5, Insightful)
1) Do you wait for the car manufacturer to install a rain sensor (now that you are on the road and you see that it sometimes rains, that would have been a good option to get) that will automatically put the roof up when it senses the first rain drop?
2) Do you pull over before it rains and put the top up to be safe?
3) Do you drive around with the top down blaming the car maker for designing a car that can get wet and/or doesn't keep the rain out automatically all the time forever?
How is computer security different (metaphorically speaking)? I am sorry, but we all know it's up to the user.
Re:They don't care (Score:3, Insightful)
It's your responsibility to pull the ebrake, reduce the gearing, come to a controlled stop at all speeds. Even if the manufacturer is responsible, it's kinda your fault for not being able to maintain control of YOUR vehicle. The owner of that pole is coming to you first, which if you are insured will be deferred to your insurance carrier who will then determine if they eat it cause it's your fault, or go after the manufacturer. I'm a huge car guy, and maybe I expect too much from people. There is a reason when my car was stock that my brakes and suspension were the first parts to get upgraded though.
Also what happens if in your example it's because of poor maintenance? Which is more akin to the computer world. AV not running, no firewall, updates not installed due to fear of big brother, putting in dirty fuel (downloading everything P2P has to offer). Even the most greedy windows geek who was like that 10 years ago has changed, or at least recommends Autoupdate for clients when the situation allows (not talking about servers here).
It's like the old "My throttle got stuck" excuse. Really? Turn the key off, or throw it in Neutral and blow the engine! Don't risk the lives of others and try and brake against it or get it "unstuck." You work on it AFTER you and others are safe.
Same as a comp really. Lock your firewall down (no in/ out) and boot into safe mode (on win) or recompile, or whatever you gotta do for linux.
You bought the car AS IS w/ no warranty expressed or implied. Neither windows nor linux has a warranty or guarantee, (I know both are warrantied by other companies, when embedded) it's a matter of doing the best you can w/ what you got.
I don't pretend to be the master of windows security, but if you don't want to lock your doors, install a security system or change your oil, and you don't want to pay me to do it, don't come to me when it breaks or is stolen w/ an empty wallet and a tear in your eye.
Re:They don't care (Score:5, Insightful)
And how does spoofing your neighbour's MAC address, claiming that he "tapped your WiFi when you had it open after a firmware update" sound plausible, if you spoof that MAC address into your router?
It doesn't. Because the wireless MAC of your neighbour will never, ever, under any circumstances, ever be seen by an ISP.
I know you can change MAC addresses in home routers. I'm not an idiot.
I can also think enough to know that "it musta been sumbudy else" isn't going to cut it as an alibi.
Re:They don't care (Score:3, Insightful)
"Internet security best practices" (Score:3, Insightful)
My ass!
I don't follow any either because nobody can even agree on what they are.... Like password rotation.... The most stupid "best practice" I've ever seen.
So my wireless is wide-open, I never change my passwords... and because of that I have a good life.
That may change, but nothing I can do will significantly change the odds of it happening without making my life miserable with stupid annoyances to start with...
Re:They don't care (Score:3, Insightful)
I agree that users are also culpable, but not in a nudge-nudge wink-wink kind of way. Going back to the car analogy, your brakes need to be replaced every so often, "updated", if you will. If you are at 100k miles and still on the original pads and haven't done an oil change, don't go crying to the manufacturer when the whole thing fails. Most home users I know are guilty of not doing proper maintenance on their systems, and of often not even knowing what needs to be done.