Security The Internet

Identifying Compromised Websites 390

linuxwrangler writes "'An infectious disease broke out recently in a number of communities. We'd like to tell which communities they were, just in case you were visiting one at the time, but we can't. It would be bad for business, after all.' Thus begins an interesting column in InfoWorld's Gripe Line in which Ed Foster discusses the astonishing secrecy surrounding the identity of the sites that were compromised by Scob/Download.ject and spreading malicious code to their visitors. As Foster notes, when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a business's server poisons our computer?"
  • by Anonymous Coward on Tuesday July 20, 2004 @08:31PM (#9755214)
    The following web sites were infected: http://www.a=20 ]} } } }&..}=3Dr}'}"}[NO CARRIER]
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Tuesday July 20, 2004 @08:31PM (#9755224)
    Comment removed based on user account deletion
    • Re:Of course (Score:5, Insightful)

      by lukewarmfusion ( 726141 ) on Tuesday July 20, 2004 @08:37PM (#9755276) Homepage Journal
      If it can hurt/damage you or your property, then you should be informed.

      If not, there's no reason for you to be informed.
      • >>If not, there's no reason for you to be informed

        Define hurt.

        If say some code gets onto my machine and just spins processor cycles..even though it's not really 'hurting' anything I still have the right to know.

        Granted, I'd see the CPU spike, and I'd kill the process and track down the executable/script. But Joe Sixpack doesn't know how to do this.

        wbs.
      • Re:Of course (Score:2, Interesting)

        by dankney ( 631226 )
        It doesn't hurt/damage you or your property. What you own in your computer is hardware. There are very few viruses that can affect it.

        As far as the software/OS, all you own is a license -- an abstraction that remains unaffected by viruses or worms. Even if your XP installation is completely foobar, you still have the exact same legal rights to use them.

        • But what if it compromises your system and then allows someone to steal your bank account info?

          On the flip side, you could also be blamed for not keeping your computer patched, so it's your own fault for not securing your bank info.

          • Re:Of course (Score:5, Insightful)

            by XryanX ( 775412 ) <[ten.knilhtrae] [ta] [XnayrX]> on Tuesday July 20, 2004 @10:03PM (#9755827)
            "On the flip side, you could also be blamed for not keeping your computer patched, so it's your own fault for not securing your bank info."

            If you're walking down the street, and someone beats you up and steals your money, does that mean that it's your fault for not taking karate?
            • you said:

              If you're walking down the street, and someone beats you up and steals your money, does that mean that it's your fault for not taking karate?

              Pure Hilarity ! ! !

            • Re:Of course (Score:3, Insightful)

              by mrwiggly ( 34597 )
              If you're walking down the street, and someone beats you up and steals your money, does that mean that it's your fault for not taking karate?

              No, that's a bad analogy. A better one is if your car has a recall on its brakes, you don't get it fixed, and then get in an accident, Who is at fault?

              • Re:Of course (Score:3, Interesting)

                by Alzheimers ( 467217 )
                Actually, the best analogy would be if you saw a news report saying "An automobile manufacturer warns that one of its late-model vehicles might have a defect." It specifies neither which manufacturer, which vehicle, or even which part is affected. Now, when an Explorer blows a tire and kills a little league team, who's at fault?
    • Re:Of course (Score:2, Interesting)

      by nkntr ( 583297 )
      What if the website where you got the virus was set up by a kid, or some high school students, or just a hobbyist? You can't sue them, or expect them to do anything... they probably haven't looked at their page in months. And people don't pay for web content in most cases, so how can you expect a guarantee for it? And, would you really want government inspectors coming to your business, going through your personal web pages to see if they are properly protected? Would you want to have to submit them pap
    • Re:Of course (Score:5, Informative)

      by John Hurliman ( 152784 ) on Tuesday July 20, 2004 @09:48PM (#9755738) Homepage
      Excellent timing of this; the Spokesman Review had an article a few days ago about how grocery store names in Washington state who got shipped potentially bad meat from the Mad Cow epidemic are being withheld, and the newspapers were denied their information requests on some obscure grounds. I'd say the website attacks are being treated like any similar situation.
  • What?!? (Score:3, Insightful)

    by Concrete Nomad ( 777836 ) on Tuesday July 20, 2004 @08:33PM (#9755244)
    What inform the consumer?!? But then we can't sue for spilling hot coffee on our laps, or dying from cigarettes (takes a drag). Oh the humanity!! Of course they should, but they won't because that would mean they have to admit they suck. The first rule of recovery is admit your problems.
    • What inform the consumer?!? But then we can't sue for spilling hot coffee on our laps, or dying from cigarettes (takes a drag).

      That settles it. First thing I'm going to do after I die is sue a cigarette company. Fuck 'em.
  • Running Scared. (Score:4, Insightful)

    by Soruk ( 225361 ) on Tuesday July 20, 2004 @08:34PM (#9755247) Homepage
    They're probably too scared of being sued, or seeing the share price fall through the floor.

    Unlike the food example, where bad food could kill you, a computer virus in your home machine won't, so they think it's best to cover it up and not admit to anything, by which time the user is more concerned with getting rid of the virus than working out where it came from.
    • Re:Running Scared. (Score:5, Insightful)

      by jdreed1024 ( 443938 ) on Tuesday July 20, 2004 @08:45PM (#9755348)
      Unlike the food example, where bad food could kill you, a computer virus in your home machine won't,

      Until it's used as a bot to distribute kiddie porn, and the FBI comes and knocks on your door and they throw you in jail for 50 years. Yes, yes, death is irreversible, whereas you can always get acquitted later, but it comes pretty darn close to ruining your life.

    • are you sure? (Score:4, Interesting)

      by ChipMonk ( 711367 ) on Tuesday July 20, 2004 @09:14PM (#9755539) Journal
      Unlike the food example, where bad food could kill you, a computer virus in your home machine won't.

      Explain that to the sailors on the USS Yorktown [gcn.com].

      Yes, I know it wasn't a virus. It was bad SQL Server-based code. Sadly, Microsoft is equally vulnerable to both.
    • Re:Running Scared. (Score:3, Insightful)

      by slashjames ( 789070 )
      Yeah, it won't kill you. But falling victim to identity theft because your computer was infected when you visited a (normally) safe web site can make your life hell. And the operator of the web site would be none too happy if someone could prove conclusively the identity theft happened because of one of those exploits and not something else.
  • An odd analogy. (Score:4, Insightful)

    by DP ( 11614 ) on Tuesday July 20, 2004 @08:34PM (#9755250)
    I suppose there's a lot to be said for open security policy, but people don't die from compromised serveritus.

    If a site I ran was hacked, I sure wouldn't go out telling everyone about it, nor would I want anyone else to either. I'd want to handle things as quietly as possible, yet the article implies there's something wrong with that.

    What's up with that?
    • Re:An odd analogy. (Score:2, Interesting)

      by ihaddsl ( 772965 )
      If your server was compromised, and served up a keylogger, which was then used to empty punters' bank accounts, you bear responsibility for notifying your customers of the breach.

      To not do so is negligence

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Tuesday July 20, 2004 @09:02PM (#9755458)
      Comment removed based on user account deletion
      • Re:An odd analogy. (Score:2, Insightful)

        by DP ( 11614 )
        Yes, obviously, to a consumer, the security of _your_ computer is more important to _you_ than _my_ reputation. On the other hand, my ability to continue to do business is important to me.

        You don't have to have an abhorrent track record to get hacked. Sometimes you just get unlucky. Unfortunately, no one is going to be very understanding about bad luck and, like you, they'll assume it's my fault. That is exactly why I would want to deal with it quickly and quietly. I'd be pretty upset if some third party t
        • Comment removed (Score:5, Insightful)

          by account_deleted ( 4530225 ) on Tuesday July 20, 2004 @09:17PM (#9755557)
          Comment removed based on user account deletion
        • Re:An odd analogy. (Score:3, Insightful)

          by Artifakt ( 700173 )
          And if I find out you have been in the habit of dealing with everything quietly, and it still impacted me negatively, I will immediately assume you have not sufficiently meant your promise to do it quickly, and have not had the professional ethics to treat me with equal respect to what you are expecting in turn.
          At that point, I will believe you deliberately chose to screw me, your customer, over. I will then do my level best to see to it that you never run a business again, including making damned sure y
      • Yeah! Because when you view a website, you're ALSO viewing every website that's referred to that website!
  • Perspective! (Score:3, Insightful)

    by MightyYar ( 622222 ) on Tuesday July 20, 2004 @08:34PM (#9755254)
    Shouldn't we demand the same when a businesses server poisons our computer.

    In one case, public health is at stake. Lives. In the other, an annoying computer problem.

    • Annoying? (Score:5, Insightful)

      by ktorn ( 586456 ) on Tuesday July 20, 2004 @08:43PM (#9755325) Homepage
      Yes, if a trojan silently installed itself as I innocently browse a web page from an infected web server, and if as a result of that my banking details are compromised and my bank account is emptied, it would be rather annoying.
      • Re:Annoying? (Score:2, Insightful)

        by MightyYar ( 622222 )
        Again, money != life.

        I can't be the only one here who thinks that theft and death are not at least an order of magnitude apart...

        • Comment removed (Score:4, Insightful)

          by account_deleted ( 4530225 ) on Tuesday July 20, 2004 @09:04PM (#9755477)
          Comment removed based on user account deletion
        • ... and this is why one expects from people who run the infected sites just shrug and say, "Hey, it's only money, we can rebuild the same site using more secure technology later..." -- and tell their customers that yeah, we've screwed up.

          I personally would be more comfortable going to a site which admits to their mistakes and tries to patch them than to the one which tries to keep this hush-hush.

          Paul B.

          P.S. And yes, I have no personal reason to care just yet because I use Linux at home and my office comp
        • Unfortunately, it takes money to live.

          My close friends were victims of identity theft, and for a short period of time lost all access to their funds (except a Paypal card with some cash). Losing the money in your wallet is one thing -- losing every asset and piece of credit in your name for two weeks can be *ahem* problematic.

          Don't agree with me? Go two weeks without spending any money -- cash, credit, debit, or check. Guess what you can't do:
          * Purchase groceries for the family
          * Purchase gasoline or pay
        • Sorry, money===life. Without money, you have no shelter and no food.
        • When you're 65-years old, and someone steals your retirement savings, equivalent to many years of hard work, you might feel differently about it.

          It might improve society if a few CEOs and accountants were executed.

    • Re:Perspective! (Score:3, Insightful)

      by platypibri ( 762478 )
      What?!?!?!?!?! More like in the other, possibly millions of dollars down the toilet as the infrastructure of business in major countries crawls to a halt. Not to mention any compromised financial data, that I might not know about until I get turned down for some credit application. Hell yes! They ought to tell somebody.
  • by Anonymous Coward on Tuesday July 20, 2004 @08:35PM (#9755256)
    The question is, what is the most effective way to do so? Legislation? I prefer to keep as much power away from politicians as possible, and since companies have deeper pockets than I do it doesn't often work. Customer protest is effective, but you have to find out who caused the problem. The same with email campaigns.

    Posts on Slashdot with links to the offending site might be the most effective because they can take down the infected server directly under the bombardment of thousands of page requests all at once.
  • by Propagandhi ( 570791 ) on Tuesday July 20, 2004 @08:35PM (#9755257) Journal
    Although this is not true of Scob/Download.ject, most malicious code is found on sites of ill repute (p0rn and w4r3z). Obviously most people don't admit to visiting these sites and thus the problems go unmentioned.

    I, personally, feel that is a more problematic situation in terms of ultimately halting the spread of malicious code, not necessarily the unwillingness of reputable sites to go public about their (relatively few) malware/trojan/virus problems.
    • We need some public education then. Like, if you're having gay anal sex, wear a condom. Same thing really... If you're cruising for warez, don't use IE, and make sure you're firewalled. Ideally carriers/ISPs would tell their customers, but that's like admitting you know what goes over your wires or something.
  • by CelticLo ( 575344 ) on Tuesday July 20, 2004 @08:36PM (#9755270)
    Here in the UK to serve people hot food you must have a certificate to show you know basic hygiene.

    Should we force web administrators to prove they know how to keep their boxes clean?
    • by nuclear305 ( 674185 ) * on Tuesday July 20, 2004 @08:52PM (#9755405)
      Something tells me such a certificate would be about as credible as having a 419 scammer send "proof" that they are Nigerian businessmen needing your help.
    • Can't believe this is modded 'Insightful'

      Just because you have a paper in how to do xyz, does not equal you do what the rules say (or what you learned).

      Every truck driver got a license, yet some (many?) break the speeding limits...

      The paper might state I know how to wash my hands, not that I did so after I handled money or went to the restroom.

      How would you go about enforcing this certificate for web administrators?

      What is a 'web administrators'?
  • Fear of lawsuits (Score:5, Interesting)

    by Ryu2 ( 89645 ) * on Tuesday July 20, 2004 @08:38PM (#9755287) Homepage Journal
    Yes, the organizations should disclose the info, and for them, they have nothing to lose, since they are just a third-party security organization. But you can bet they then would be the target of lawsuits. Blame America's litigation-happy society for this paranoia.
  • Not the same (Score:3, Interesting)

    by ifwm ( 687373 ) on Tuesday July 20, 2004 @08:38PM (#9755288) Journal
    In the event of a food poisoning lives are at risk, while in the case of an infected computer, the worst case is lost $$$. That being said, this could be a litmus test for sites that were compromised. The ones that come clean right away gain respect, the ones that try to hide are shunned and ridiculed. But in answer to the question, a content provider should not be required to disclose infection, only encouraged. The government has too many fingers in my pie already.
    • In rare cases a computer virus could easily cause death. Imagine if that had gotten into a system being used to monitor a critical system. The idea that computers CAN'T kill is obviously wrong.

      But let's think up a better analogy. Credit card swipers were attached to banks in Sydney, as soon as police found out they announced exactly which banks were being targeted. So in this situation the worst that can happen is loss of money.

      It's hardly fair to protect the "person" who was spreading the virus (albeit th
      • "The idea that computers CAN'T kill is obviously wrong."

        A plausible example would help make your case. I disagree on this point until convinced otherwise. Saying "what if it got into a critical system" isn't compelling. Virtually anything is possible, I'm more concerned with what is realistic, not what may, possibly, in very rare cases (or never in real life but only in theory) occur.

        Now, onto the more important point. On this we may also disagree, but I feel it is up to the individual to kee
          • Okay then how about a real life example from my country (Australia). A "hacker" was using a computer to pump sewerage into a local river as described by this article [crime-research.org]. Now it's entirely possible the same scenario could happen but instead using a widespread virus with a backdoor.

          Is that example real enough and plausible enough for you?

          Okay I agree it's up to the individual to clean their systems. So when I go to an infected site it's THEIR responsibility that they didn't keep their site clean. If they had I w
    • The government has too many fingers in my pie already.

      Agreed with this! ;-) Actually I was trying to analyse my previous comments in this thread from more reasonable point of view than just my gut reaction that we are entitled to the complete disclosure (not necessarily by legal means, in no way I'd advocate increasing the Govt.'s powers!).

      Try this: for some people their personal freedom is more important than their life. And their right to their property is quite important as well (here, property being
  • Might be good if... (Score:3, Interesting)

    by nkntr ( 583297 ) on Tuesday July 20, 2004 @08:40PM (#9755304)
    It sounds like a good idea for a moment, before you think about it. First of all, most web content is offered as free with no warranties or guarantees of anything. You surf at your own risk. Second, a person may go through hundreds of web sites in a day, and tens or hundreds of thousands of people may hit your site. Third, most people with any sense have some form of antivirus on their computers, and those that do not are either asking for it and they know it, or wouldn't know what to do if they did get a virus. In reality, virus protection is the responsibility of the user. True, it is absolutely insane that people have unprotected web sites out there, but since the web is a public forum, there is really no way to say who does what without limiting the "for all people" part of it. The web is a beautiful thing because it is open to everyone, regardless.
    • Sure, the content is offered free to the end user. However, the purveyor of the content is, in many cases, a business that sees a "web presence" as part of its business operations.

      Not a freebie. Not something done out of altruism. Business.

      So they have a liability.

      If I write code in which I intentionally embed malware to steal your identity and donate it to the community, I'm still guilty.

      The lack of liability argument only comes in when there is no gain to the giver - like the Good Samaritan clauses w

    • Imagine, if you will, that I run a soup kitchen for the homeless and/or needy. Maybe a whole chain of them, in a variety of major cities. Some (undisclosed) percentage of my kitchens have, over the last few weeks, served tainted food that won't kill anyone but will make them very sick. Which kitchens, what food, and at what times, you ask? Well I won't tell you. It's bad for business. See, I count on donations to my non-profit to keep distributing the food (a free service!) and if this accident (which
  • by Weaselmancer ( 533834 ) on Tuesday July 20, 2004 @08:42PM (#9755319)

    ...for two reasons. First, an infected website has never killed anyone. Second:

    when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected.

    There is no such thing as a health department for your computer. There are virus tracking sites, spyware removal programs, sites that offer updates to your protection programs...lots of things to help kill active infections and keep you informed of current ones. But there is no "USDA stamp" for clean websites.

    Nor can there be. The internet has bounds beyond a single country. Any office claiming to have jurisdiction over all websites would be ridiculous.

  • Ah-ha! (Score:2, Funny)

    So what he's trying to say is that Infoworld's servers were among the infected, right?
  • by Fryth ( 468689 ) on Tuesday July 20, 2004 @08:44PM (#9755340)
    I say, let them be identified, and let the lawsuits come. The article is wrong in implying that negligence to patch Windows is an innocent mistake. IT pros should either know to run a different OS or patch their Windows -- or they should be fired. Anything else is complete idiocy and they deserve to get the s**t sued out of them.

    That being said, if this is found to be a vulnerability that MS never patched or patched improperly, the blame rests solely on them.
  • by G4from128k ( 686170 ) on Tuesday July 20, 2004 @08:44PM (#9755341)
    It seems like one could create a distributed site monitoring system for this purpose. A simple sandbox web app would periodically reload a list of sites and log a signature of either the contents or attempted actions encoded in the site. Each participant would offer to monitor a few sites in the background. A P2P comparison process would then correlate signature elements across sites -- peers would transmit their findings to other peers looking for something like Download.ject that appears as a new object/behavior across disparate sites. The peers could then alert each other across the mesh of the system when suspicious new objects show up.

    Lacking a central authority, the companies would be powerless to shutdown publication of these types of security breaches.
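
An added illustration of the correlation step the comment above describes, not code from the thread. It assumes each peer keeps a baseline copy of the pages it watches, reduces the "signature" to hashes of script elements, and merges peer reports in one place rather than over a real P2P mesh; all site names and page contents are constructed.

```python
import hashlib
import re
from collections import defaultdict
from html.parser import HTMLParser


class ScriptExtractor(HTMLParser):
    """Collect inline script bodies and external script URLs from one page."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []
            src = dict(attrs).get("src")
            if src:
                self.objects.append("src:" + src.strip().lower())

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            # Drop whitespace so reformatted copies of one script hash alike.
            body = re.sub(r"\s+", "", "".join(self._buf))
            if body:
                self.objects.append("inline:" + body)


def signatures(html):
    """Set of short SHA-256 digests, one per script object on the page."""
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    return {hashlib.sha256(o.encode("utf-8")).hexdigest()[:16]
            for o in parser.objects}


def peer_report(baseline, current):
    """One peer's findings: per site, signatures absent from its baseline.
    A site with no baseline is skipped; a first visit has nothing to diff."""
    report = {}
    for site, html in current.items():
        if site not in baseline:
            continue
        new = signatures(html) - signatures(baseline[site])
        if new:
            report[site] = new
    return report


def correlate(reports, min_sites=2):
    """Merge peer reports; keep objects that are new on >= min_sites sites."""
    seen_on = defaultdict(set)
    for report in reports:
        for site, sigs in report.items():
            for sig in sigs:
                seen_on[sig].add(site)
    return {sig: sorted(sites) for sig, sites in seen_on.items()
            if len(sites) >= min_sites}


# Constructed sample pages: the same script, formatted differently,
# shows up on two unrelated sites between two polling rounds.
FOOTER_A = '<script>var u = "http://injected.example/x";\n load(u);</script>'
FOOTER_B = '<script>var u="http://injected.example/x"; load(u);</script>'

BASE_P1 = {
    "shop.example": '<html><body><script src="/cart.js"></script></body></html>',
    "blog.example": "<html><body><script>menu();</script></body></html>",
}
CUR_P1 = {
    "shop.example": BASE_P1["shop.example"] + FOOTER_A,
    "blog.example": "<html><body><script>menu2();</script></body></html>",
}
BASE_P2 = {"news.example": "<html><body><p>News</p></body></html>"}
CUR_P2 = {
    "news.example": BASE_P2["news.example"] + FOOTER_B,
    "fresh.example": "<html>" + FOOTER_B + "</html>",  # no baseline yet
}


def run_demo():
    reports = [peer_report(BASE_P1, CUR_P1), peer_report(BASE_P2, CUR_P2)]
    return correlate(reports)


if __name__ == "__main__":
    for sig, sites in run_demo().items():
        print(sig, "new on", ", ".join(sites))
```

The blog's own script change is reported by its peer but drops out at correlation because it appears on only one site; only the object shared by shop.example and news.example is flagged.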
    • Why bother? If you had any decent anti-virus product, or applied security patches like you were supposed to, Download.ject would not be your problem.

      In short... the existing toolset would have protected us from this threat vector. It only was a threat at all because of all the people who didn't. The solution isn't creating a new security program, but getting the clueless to use the ones we're already running.
      • Why bother? If you had any decent anti-virus product, or applied security patches like you were supposed to, Download.ject would not be your problem.

        And if you didn't?

        In short... the existing toolset would have protected us from this threat vector. It only was a threat at all because of all the people who didn't. The solution isn't creating a new security program, but getting the clueless to use the ones we're already running.

        When's that going to happen and what do we do in the meantime?

        Here's my

      • Comment removed based on user account deletion
  • by slungsolow ( 722380 ) on Tuesday July 20, 2004 @08:45PM (#9755351) Homepage
    Tracing the ancestry of a bacterial strain that affected hundreds of people is relatively easy compared to tracking down the sites that affected millions. Disease outbreaks take hundreds of man-hours to actually track down, and frankly I don't think it's possible to get to the root of a computer based problem that affects thousands (if not millions on a worldwide scale).

    Maybe someday.. just not now.
    • Tracing the ancestry of a bacterial strain that affected hundreds of people is relatively easy compared to tracking down the sites that affected millions

      Bullshit. Most of the very high-profile worms/viruses of recent years were traced back to specific individuals fairly quickly. It's a lot easier than forensic microbiology.

  • Homeland Security (Score:5, Interesting)

    by smclean ( 521851 ) on Tuesday July 20, 2004 @08:45PM (#9755356) Homepage
    Remember the article the other day about the secrecy surrounding cell phone outages because the Homeland Security folk believe it serves as a "terrorist blueprint"?

    Watch, as the internet becomes more and more part of the infrastructure of the worldwide information systems, companies in the future will lobby for a similar bogus-security rationalization for keeping internet-infrastructure compromises secret.

    Not that relevant to the article I suppose, but an interesting angle.

  • No single security company is willing to do the finger pointing. It doesn't make sense for the reasons explained in the article.

    What we need is for the various anti-virus software makers to agree on a protocol.
    What this means is that, as soon as the anti-virus software is able to identify the threat, any time it encounters a web-server infected (as the user browses such site) it should send an alert to a centralised web-site. This site would list all the infected sites.
    A smarter step would then be for t
  • by philovivero ( 321158 ) on Tuesday July 20, 2004 @08:57PM (#9755430) Homepage Journal
    Shouldn't we demand the same when a businesses server poisons our computer.
    Have you heard about the latest virus. It silently converts all question marks (.) into periods (.). How did this happen. It is unknown.

    The Spanish variant is worse. It turns those funckey upside-down question-marks at the beginnings of the sentence into little Microsoft MSN butterfly-man icons.

    Can you imagine that. I know it makes me fearful.

  • List of sites infected (spoof ... they probably weren't but i don't know)

    http://www.cnn.com/ [cnn.com]

    http://www.msn.com/ [msn.com]

    http://www.slashdot.org/ [slashdot.org]

    http://www.ilovebacon.com/ [ilovebacon.com]

    ........

    ... Ok, how many of the above did you click. None, ok, I believe you, but how many is Grandma going to click?
  • Digital security (Score:3, Insightful)

    by bigberk ( 547360 ) <bigberk@users.pc9.org> on Tuesday July 20, 2004 @08:59PM (#9755445)
    The issue is ultimately about the public's lack of concern for computer, and more generally, digital security. My opinion is that this lack of concern stems from a lack of knowledge about the technologies we use.

    I think the situation is more dangerous than most professionals realise. The majority of the people in IT shrug off security concerns. "We can always reinstall" or "we'll upgrade later" are common responses to warnings about insecurity and vulnerability. Most businesses and even governments entirely ignore digital security concerns.

    We have a modern economy that depends entirely upon computer networks and data flow. All of our communication depends upon it too. So do public utilities and emergency services.

    But at the same time, we perpetually neglect to protect these systems that we rely on. OS security is literally a joke; server security may or may not be a concern depending on how anal the operator is; and data encryption is still, for the most part, undiscovered by the masses.
  • by LostCluster ( 625375 ) * on Tuesday July 20, 2004 @09:05PM (#9755483)
    Slashdot was not one of the infected communities because we're not allowed to link to offsite graphics in HTML code on this site.

    However, any community that does allow this, which is a factory-equipment feature in all of the major webboard packages, was at risk and most likely got hit. All it takes is one user posting an image on an infected server in a popular thread and that site would be spreading the virus to any reader who isn't running a properly protected computer.

    Bottom line, the restaurant analogy is flawed... it wasn't anything done wrong in the kitchen, but rather it was a virus that was brought in and spread around by the customers. The solution to that would be a web equivalent of "No shirt, no shoes, no service" being that web boards shouldn't be allowing remote linking because of this possible threat vector... but, uh, try stuffing this genie back into the bottle.

    eBay was among the notable victims because they allow remote image hosting. On the other hand, if they didn't they'd either be on the hook for all of the bandwidth or have to take the picture features out or at least scale it back. Since pictures are a key thing that makes auction prices higher and eBay's revenue mostly comes from taking a percentage of the auction result... I don't think that's gonna happen.
    • Many MSIE users got infected in indirect association with their use of eBay, but the flaw did not rest with eBay, but with MSIE. There is nothing inherently dangerous in using external links, even for graphics [w3.org]. Note that the SRC attribute of the IMG element is defined as a URL. So, even though most link only to local files, remote files are allowed by the standard and their absence would decrease the utility of services like eBay, not to mention greatly increase their bandwidth and storage costs.

      The fau

  • This story reminds me of those inane AOL commercials about computers getting sick. Let's get sensible here. Computers do not "get sick." They do not become "poisoned."

    A virus sometimes infects the Windows OS. At best, run a virus checker and stop it before you are infected. At worst, do a reformat and be done with it. You have a backup anyway. Right?

    If you don't want to deal with virii in any form then run OS X or Linux. Problem solved.
  • The thing is that the web has a life of its own and it would be really hard to control it like that. Anyone can open a website anywhere and put almost anything on it. How would you force that random individual to be guilty for the virus they spread? The internet was not originally designed to be a controlled environment where you can hold others responsible if something bad happens to you; it's not America. You have to watch your own ass.

    Some things might be "morally" right, but could never happen in realit
  • Even if private information is stolen by these worms, we're still talking about economic damage, not death. A better comparison would be whether your bank is required to notify you if your private information is stolen from their offices--if you want to convince me that there is some sort of discrepancy between internet security and offline security, then point to some law mandating that a bank or business must disclose real world breakins.

    I think the focus on Ject's infection of web browsers visiting the

  • by hedley ( 8715 ) <hedley@pacbell.net> on Tuesday July 20, 2004 @09:29PM (#9755626) Homepage Journal
    I knew that recent "downtime" wasn't just for "upgrades". It's an imposter! It's a Phisher site! It's of the body! One of the pod people! :)
  • by MrWa ( 144753 ) on Tuesday July 20, 2004 @09:37PM (#9755678) Homepage
    The question is not whether a company should report that their website was infected or not - the most obvious answer is that, unless they are an overly honest company, they will not divulge anything embarrassing that may affect their stock price unless required by law. The real issue here is that supposed news websites were complicit in this by not reporting the affected websites when they supposedly knew which ones they were. What, other than advertising dollars, would prevent a news organization from reporting something that would be useful and important for the customers of said news organization to know?!?

    That is the troubling information that comes from this type of misreporting and nondisclosure when it comes to security issues involving computers. Other posters have compared this to food poisoning incidents at a restaurant. While not completely accurate, the real comparison would be if a newspaper stated that some restaurants had bad meat but they wouldn't report it due to the bad image this may give those businesses.

    News organizations should not be concerned with the impact on a business's image!

  • by Anonymous Coward on Tuesday July 20, 2004 @09:40PM (#9755702)
    Ibsen wrote a play [wikipedia.org] about it, that's how old it is. It was made into a movie with Steve McQueen. The plot seemed scarily current, like it was taking place today, not almost a century ago.
  • by jerkychew ( 80913 ) on Tuesday July 20, 2004 @09:48PM (#9755745) Homepage
    "...when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a business's server poisons our computer?"

    Here's the key difference... when a food poisoning outbreak is detected, it's traced and made public because it has been investigated by a government agency, usually the health department, and that department has regulations and rules in place that tell them they have to publish said information.

    When a website is compromised, the owner is not legally bound to tell the visitors anything, even if the visitors are suddenly susceptible to an attack. (I suppose they could conceivably sue for damages done to their computers, but that's a different avenue) They are not bound by this, because they are not regulated by any government agency.

    So, what's the solution? Have the gov regulate the interweb? Perhaps you have to have your site approved by a governing body before it can be made public? Do you have to get said body's approval every time you update a page? Where's it end?

    Sure, in a perfect world, the owner of a site should make news of an attack public, but one of the great things about the internet is that it's left to the owner's discretion, not mandated by a government body. I think it's a fair tradeoff, IMHO.
  • by panamahank ( 233338 ) on Tuesday July 20, 2004 @09:52PM (#9755766)
    ...in Tijuana and don't wear a condom, you deserve what you get. Surfing the Internet with Internet Explorer is no less risky than unprotected sex in a cheap Tijuana whorehouse.
  • "As Foster notes, when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a business's server poisons our computer?"

    Maybe in the US it's like this, but not elsewhere.... In Italy, for a long time some nut would inject bleach and other similar liquids in water bottles... Quite a few people ended up in the hospital, but fortunately nobody died... Well, there was no way to find out the brands of the
  • by Bruha ( 412869 ) on Tuesday July 20, 2004 @10:38PM (#9756027) Homepage Journal
    Recently a virus called Scob/Download.ject infected various high profile websites running Windows based webservers. This virus also infected visitors to the sites through a bug in the Windows operating system. The virus was able to keylog your computer and transmit information such as passwords, web addresses you typed in the browser. This information was being redirected to a website in Russia. However the US-CERT department refused to publish a list of infected sites citing damages to the business.

    My complaint is if a restaurant down the street came down with E. Coli and people became sick or died the US FDA would have notified the public about this restaurant and we would be aware of that restaurant's name and location. It happens at IHOPs and Taco Bells and many other types of restaurants. I have yet to see either of those two chains shut down due to people avoiding them due to one E. Coli outbreak. I would expect the same notification about a Website also.

    Those websites that were infected were run by American businesses and not operated by foreign countries. US-CERT is just one portion of the Department of Homeland Security. And it calls into question if one department is afraid to release the truth because it may hurt someone's bottom line then maybe another group would decide to skip out on notifying people of a biohazard at some posh vacation spot in fear that they would ruin business there.

    Thanks for your time Mr Senator.
  • I can see a scenario where somebody announces their web site was hacked. Then a greedy ambulance chaser threatens to sue for negligence. In order to "prove" negligence, he'll subpoena all your computer systems, drown you in bad press, and lock you in an expensive legal battle. It'll be easier to pay him off, and thus a new industry is born.
