Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security The Internet

Identifying Compromised Websites 390

linuxwrangler writes "'An infectious disease broke out recently in a number of communities. We'd like to tell which communities they were, just in case you were visiting one at the time, but we can't. It would be bad for business, after all.' Thus begins an interesting column in InfoWorld's Gripe Line in which Ed Foster discusses the astonishing secrecy surrounding the identity of the sites that were compromised by Scob/Download.ject and spreading malicious code to their visitors. As Foster notes, when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a business's server poisons our computer?"
This discussion has been archived. No new comments can be posted.

Identifying Compromised Websites

Comments Filter:
  • by Anonymous Coward on Tuesday July 20, 2004 @07:31PM (#9755214)
    The following web sites were infected: http://www.a=20 ]} } } }&..}=3Dr}'}"}[NO CARRIER]
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Tuesday July 20, 2004 @07:31PM (#9755224)
    Comment removed based on user account deletion
    • Re:Of course (Score:5, Insightful)

      by lukewarmfusion ( 726141 ) on Tuesday July 20, 2004 @07:37PM (#9755276) Homepage Journal
      If it can hurt/damage you or your property, then you should be informed.

      If not, there's no reason for you to be informed.
      • >>If not, there's no reason for you to be informed

        Define hurt.

        If say some code gets onto my machine and jsut spins processor cycles..even though it's not really 'hurting' anything I still have the right to know.

        Granted, I'd see the CPU spike, and I'd kill the process and track down the executable/script. But Joe Sixpack doesn't know how to do this.

        wbs.
      • Re:Of course (Score:2, Interesting)

        by dankney ( 631226 )
        It doesn't hurt/damage you or your property. What you own in your computer is hardware. There are very few viruses that can effect it.

        As far as the software/OS, all you own is a license -- an abstraction that remains unaffected by viruses or worms. Even if your XP installation is completely foobar, you still have the exact same legal rights to use them.

        • But what if it compromises your system and then allows someone to steal your bank account info?

          On the flip side, you could also be blamed for not keeping your computer patched, so it's your own fault for not securing your bank info.

          • Re:Of course (Score:5, Insightful)

            by XryanX ( 775412 ) <XryanX.earthlink@net> on Tuesday July 20, 2004 @09:03PM (#9755827)
            "On the flip side, you could also be blamed for not keeping your computer patched, so it's your own fault for not securing your bank info."

            If you're walking down the street, and someone beats you up and steals your money, does that mean that it's your fault for not taking karate?
            • you said:

              If you're walking down the street, and someone beats you up and steals your money, does that mean that it's your fault for not taking karate?

              Pure Hilarity ! ! !

            • Re:Of course (Score:3, Insightful)

              by mrwiggly ( 34597 )
              If you're walking down the street, and someone beats you up and steals your money, does that mean that it's your fault for not taking karate?

              No, that's a bad analogy. A better one is if your car has a recall on its brakes, you don't get it fixed, and then get in an accident, Who is at fault?

              • Re:Of course (Score:3, Interesting)

                by Alzheimers ( 467217 )
                Actually, the best analogy would be if you saw a news report saying "An automobile manufacturer warns that one of it's late-model vehicles might have a defect." It specifies neither which manufacturer, which vehicle, or even which part is affected. Now, when an Explorer blows a tire and kills a little league team, who's at fault?
    • Re:Of course (Score:2, Interesting)

      by nkntr ( 583297 )
      What if the website where you got the virus was set up by a kid, or some high school students, or just a hobbiest? You can't sue them, or expect them to do anything... they probably haven't looked at their page in months. And people don't pay for web content in most cases, so how can you expect a guarantee for it? And, would you really want government inspectors coming to your business, going through your personal web pages to see if they are properly protected? Would you want to have to submit them pap
    • Re:Of course (Score:5, Informative)

      by John Hurliman ( 152784 ) on Tuesday July 20, 2004 @08:48PM (#9755738) Homepage
      Excellent timing of this; the Spokesman Review had an article a few days ago about how grocery store names in Washington state who got shipped potentially bad meat from the Mad Cow epidemic are being withheld, and the newspapers were denied their information requests on some obscure grounds. I'd say the website attacks are being treated like any similar situation.
  • What?!? (Score:3, Insightful)

    by Concrete Nomad ( 777836 ) on Tuesday July 20, 2004 @07:33PM (#9755244)
    What inform the consumer?!? But then we can't sue for spilling hot coffee on our laps, or dying from cigarettes (takes a drag). Oh the humanity!! Of course they should, but they won't because that would mean they have to admit they suck. The first rule of recovery is admit your problems.
    • What inform the consumer?!? But then we can't sue for spilling hot coffee on our laps, or dying from cigarettes (takes a drag).

      That settles it. First thing I'm going to do after I die is sue a cigarette company. Fuck 'em.
  • Running Scared. (Score:4, Insightful)

    by Soruk ( 225361 ) on Tuesday July 20, 2004 @07:34PM (#9755247) Homepage
    They're probably too scared of being sued, or seeing the share price fall through the floor.

    Unlike the food example, where bad food could kill you, a computer virus in your home machine won't, so they think its best to cover it up and not admit to anything, by which time the user is more concerned with getting rid of the virus than working out where it came from.
    • Re:Running Scared. (Score:5, Insightful)

      by jdreed1024 ( 443938 ) on Tuesday July 20, 2004 @07:45PM (#9755348)
      Unlike the food example, where bad food could kill you, a computer virus in your home machine won't,

      Until it's used as a bot to distribute kiddie porn, and the FBI comes and knocks on your door and they throw you in jail for 50 years. Yes, yes, death is irreversible, whereas you can always get acquitted later, but it comes pretty darn close to ruining your life.

    • are you sure? (Score:4, Interesting)

      by ChipMonk ( 711367 ) on Tuesday July 20, 2004 @08:14PM (#9755539) Journal
      Unlike the food example, where bad food could kill you, a computer virus in your home machine won't.

      Explain that to the sailors on the USS Yorktown [gcn.com].

      Yes, I know it wasn't a virus. It was bad SQL Server-based code. Sadly, Microsoft is equally vulnerable to both.
    • Re:Running Scared. (Score:3, Insightful)

      by slashjames ( 789070 )
      Yeah, it won't kill you. But falling victim to identity theft because your computer was infected when you visited a (normally) safe web site can make your life hell. And the operator of the web site would be none too happy if someone could prove conclusively the identity theft happened because of one of those exploits and not something else.
  • An odd analogy. (Score:4, Insightful)

    by DP ( 11614 ) on Tuesday July 20, 2004 @07:34PM (#9755250)
    I suppose there's a lot to be said for open security policy, but people don't die from compromised serveritus.

    If a site I ran was hacked, I sure wouldn't go out telling everyone about it, nor would I want anyone else to either. I'd want to handle things as quietly as possible, yet the article implies there's something wrong with that.

    What's up with that?
    • Re:An odd analogy. (Score:2, Interesting)

      by ihaddsl ( 772965 )
      If your server was compromised, and served up a keylogger, which was then used to empty punters bank accounts, you bear responsibility for notifing your customers of the breach.

      To not do so is negligence

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Tuesday July 20, 2004 @08:02PM (#9755458)
      Comment removed based on user account deletion
      • Re:An odd analogy. (Score:2, Insightful)

        by DP ( 11614 )
        Yes, obviously, to a consumer, the security of _your_ computer is more important to _you_ than _my_ reputation. On the other hand, my ability to continue to do business is important to me.

        You don't have to have an abhorrent track record to get hacked. Sometimes you just get unlucky. Unfortunately, no one is going to be very understanding about bad luck and, like you, they'll assume it's my fault. That is exactly why I would want to deal with it quickly and quietly. I'd be pretty upset if some third party t
        • Comment removed (Score:5, Insightful)

          by account_deleted ( 4530225 ) on Tuesday July 20, 2004 @08:17PM (#9755557)
          Comment removed based on user account deletion
        • Re:An odd analogy. (Score:3, Insightful)

          by Artifakt ( 700173 )
          And if I find out you have been in the habit of dealing with everything quietly, and it still impacted me negatively, I will immediately assume you have not sufficently meant your promise to do it quickly, and have not had the professional ethics to treat me with equal respect to what you are expecting in turn.
          At that point, I will believe you deliberately chose to screw me, your customer, over. I will then do my level best to see to it that you never run a business again, including making damned sure y
      • Yeah! Because when you view a website, you're ALSO viewing every website that's referred to that website!
  • Perspective! (Score:3, Insightful)

    by MightyYar ( 622222 ) on Tuesday July 20, 2004 @07:34PM (#9755254)
    Shouldn't we demand the same when a businesses server poisons our computer.

    In one case, public health is at stake. Lives. In the other, an annoying computer problem.

    • Annoying? (Score:5, Insightful)

      by ktorn ( 586456 ) on Tuesday July 20, 2004 @07:43PM (#9755325) Homepage
      Yes, if a trojan silently installed itself as I innocently browse a web page from an infected web server, and if as a result of that my banking details are compromised and my bank account is emptied, it would be rather annoying.
      • Re:Annoying? (Score:2, Insightful)

        by MightyYar ( 622222 )
        Again, money != life.

        I can't be the only one here who thinks that theft and death are not at least an order of magnitude apart...

        • Comment removed (Score:4, Insightful)

          by account_deleted ( 4530225 ) on Tuesday July 20, 2004 @08:04PM (#9755477)
          Comment removed based on user account deletion
        • ... and this is why one expects from people who run the infected sites just shrug and say, "Hey, it's only money, we can rebuild the same site usind more secure technology later..." -- and tell their customers that yeah, we've screwed up.

          I personally would be more comfortable going to a site which admits to their mistakes and tries to patch them than to the one which tries to keep this hush-hush.

          Paul B.

          P.S. And yes, I have no personal reason to care just yet because I use Linux at home and my office comp
        • Unfortunately, it takes money to live.

          My close friends were victims of identity theft, and for a short period of time lost all access to their funds (except a Paypal card with some cash). Losing the money in your wallet is one thing -- losing every asset and piece of credit in your name for two weeks can be *ahem* problematic.

          Don't agree with me? Go two weeks without spending any money -- cash, credit, debit, or check. Guess what you can't do:
          * Purchase groceries for the family
          * Purchase gasoline or pay
        • Sorry, money===life. Without money, you have no shelter and no food.
        • When you're 65-years old, and someone steals your retirement savings, equivalent to many years of hard work, you might feel differently about it.

          It might improve society if a few CEOs and accountants were executed.

    • Re:Perspective! (Score:3, Insightful)

      by platypibri ( 762478 )
      What?!?!?!?!?! More like in the other, possibly millions of dollars down the toilet as the infrastructure of business in major countries crawls to a halt. Not to mention any compromised financial data, that I might not know about until I get turned down for some credit application. Hell yes! They ought to tell somebody.
  • by Anonymous Coward on Tuesday July 20, 2004 @07:35PM (#9755256)
    The question is, what is the most effective way to do so? Legislation? I prefer to keep as much power away from politicians as possible, and since companies have deeper pockets than I do it doesn't often work. Customer protest is effective, but you have to find out who caused the problem. The same with email campaigns.

    Posts on Slashdot with links to the offending site might be the most effective because they can take down the infected server directly under the bombardment of thousands of page requests all at once.
  • by Propagandhi ( 570791 ) on Tuesday July 20, 2004 @07:35PM (#9755257) Journal
    Although this is not true of Scob/Download.ject, most malicious code is found on sites of ill repute (p0rn and w4r3z). Obviously most people don't admit to visiting these sites and thus the problems go unmentioned.

    I, personally, feel that is a more problematic situation in terms of ultimately haulting the spread of malicious code, not necessarily the unwillingness of reputable sites to go public about their (relatively few) malware/trojan/virus problems.
    • We need some public education then. Like, if you're having gay anal sex, wear a condom. Same thing really... If you're crusing for warez, don't use IE, and make sure you're firewalled. Ideally carriers/ISPs would tell their customers, but that's like admitted you know what goes over your wires or something.
  • by CelticLo ( 575344 ) on Tuesday July 20, 2004 @07:36PM (#9755270)
    Here in the UK to serve people hot food you must have a certificate to show you know basic hygene.

    Should we force web administrators to prove they know how to keep their boxex clean?
    • by nuclear305 ( 674185 ) * on Tuesday July 20, 2004 @07:52PM (#9755405)
      Something tells me such a certificate would be about as credible as having a 419 scammer send "proof" that they are Nigerian businessmen needing your help.
    • Can't belive this is modded 'Insightful'

      Just because you have a paper in how to do xyz, does not equal you do what the rules say (or what you learned).

      Every truck driver got a license, yet some (many?) break the speeding limits...

      The paper might state I know how to wash my hands, not that I did so after I handled money or went to the restroom.

      Who would you go about enforcing this certificate for web administrators?

      What is a 'web administrators'?
  • Fear of lawsuits (Score:5, Interesting)

    by Ryu2 ( 89645 ) * on Tuesday July 20, 2004 @07:38PM (#9755287) Homepage Journal
    Yes, the organizations should disclose the info, and for them, they have nothing to lose, since they are just a third-party security organization. But you can bet they then would be the target of lawsuits. Blame America's litigation-happy society for this paranoia.
  • Not the same (Score:3, Interesting)

    by ifwm ( 687373 ) on Tuesday July 20, 2004 @07:38PM (#9755288) Journal
    In the event of a food poisoning lives are at risk, while in the case of an infected computer, the worst case is lost $$$. That being said, this could be a litmus test for sites that were compromised. The ones that come clean right away gain respect, the ones that try to hide are shunned and ridiculed. But in answer to the question, a content provider should not be required to disclose infection, only encouraged. The government has too many fingers in my pie already.
    • In rare cases a computer virus could easily cause death. Imagine if that had gotten into a system being used to monitor a critical system. The idea that computers CAN'T kill is obviously wrong.

      But lets think up a better analogy. Credit card swipers were attached to banks in Sydney, as soon as police found out they announced exactly which banks were being targetted. So in this situation the worst that can happen is loss of money.

      Its hardly fair to protect the "person" who was spreading the virus (albeit th
      • "The idea that computers CAN'T kill is obviously wrong."

        A plausible example would help make your case. I disagree on this point until convinced otherwise. Saying "what if it got into a critical system" isn't compelling. Virtually anything is possible, I'm more concerned with what is realistic, not what may, possibly, in a very rare cases ( or never in real life but only in theory) may occur.

        Now, onto the more important point. On this we may also disagree, but I feel it is up to the individual to kee
        • Okay then how about a real life example from my country (Australia). A "hacker" was using a computer to pump sewerage into a local river as described by this article [crime-research.org]. Now its entirely possible the same scenario could happen but instead using a widespread virus with a backdoor.

          Is that example real enough and plausible enough for you?

          Okay I agree its up to the individual to clean their systems. So when I goto an infected site its THEIR responsibility that they didn't keep their site clean. If they had I w
    • The government has too many fingers in my pie already.

      Agreed with this! ;-) Actually I was trying to analyse my previous comments in this thread from more reasonable point of view than just my gut reaction that we are entitled to the complete disclosure (not necessarily by legal means, in no way I'd advocate increasing the Govt.'s powers!).

      Try this: for some people their personal freedom is more important than their life. And their right to their property is quite important as well (here, property being
  • Might be good if... (Score:3, Interesting)

    by nkntr ( 583297 ) on Tuesday July 20, 2004 @07:40PM (#9755304)
    It sounds like a good idea for a moment, before you think about it. First of all, most web content is offered as free with no warranties or guarantees of anything. You surf at your own risk. Second, a person may go through hundreds of web sites in a day, and tens or hundreds of thousands of people may hit your site. Third, most people with any sense have some form of antivirus on their computers, and those that do not are either asking for it and they know it, or wouldn't know what to do if they did get a virus. In reality, virus protection is the responsibility of the user. True, it is absolutely insane that people have unprotected web sites out there, but since the web is a public forum, there is really no way to say who does what without limiting the "for all people" part of it. The web is a beautiful thing because it is open to everyone, regardless.
    • Sure, the content is offered free to the end user. However, the purveyor of the content is, in many cases, a business that sees a "web presence" as part of its' business operations.

      Not a freebie. Not something done out of altruism. Business.

      So they have a liability.

      If I write code in which I intentionally embed malware to steal your identity and donate it to the community, I'm still guilty.

      The lack of liability argument only comes in when there is no gain to the giver - like the Good Samaritan clauses w

    • Imagine, if you will, that I run a soup kitchen for the homeless and/or needy. Maybe a whole chain of them, in a variety of major cities. Some (undisclosed) percentage of my kitchens have, over the last few weeks, served tainted food that won't kill anyone but will make them very sick. Which kitchens, what food, and at what times, you ask? Well I won't tell you. It's bad for business. See, I count on donations to my non-profit to keep distributing the food (a free service!) and if this accident (which
  • by Weaselmancer ( 533834 ) on Tuesday July 20, 2004 @07:42PM (#9755319)

    ...for two reasons. First, an infected website has never killed anyone. Second:

    when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected.

    There is no such thing as a health department for your computer. There are virus tracking sites, spyware removal programs, sites that offer updates to your protection programs...lots of things to help kill active infections and keep you informed of current ones. But there is no "USDA stamp" for clean websites.

    Nor can there be. The internet has bounds beyond a single country. Any office claiming to have jurisdiction over all websites would be ridiculous.

  • Ah-ha! (Score:2, Funny)

    So what he's trying to say is that Infoworld's servers were among the infected, right?
  • by Fryth ( 468689 ) on Tuesday July 20, 2004 @07:44PM (#9755340)
    I say, let them be identified, and let the lawsuits come. The article is wrong in implying that negligence to patch Windows is an innocent mistake. IT pros should either know to run a different OS or patch their Windows -- or they should be fired. Anything else is complete idiocy and they deserve to get the s**t sued out of them.

    That being said, if this is found to be a vulnerability that MS never patched or patched improperly, the blame rests solely on them.
  • by G4from128k ( 686170 ) on Tuesday July 20, 2004 @07:44PM (#9755341)
    It seems like one could create a distributed site monitoring system for this purpose. A simple sandbox web app would periodically reload a list of sites and log a signature of either the contents or attempted actions encoded in the site. Each participant would offer to monitor a few sites in the background. A P2P comparison process would then correlate signature elements across sites -- peers would transmit their findings to other peers looking for something like Download.ject that appears as a new object/behavior across disparate sites. The peers could then alert each other across the mesh of the system when suspicious new objects show up.

    Lacking a central authority, the companies would be powerless to shutdown publication of these types of security breaches.
    • Why bother? If you had any decent anti-virus product, or applied security patches like you were supposed to, Download.ject would not be your problem.

      In short... the existing toolset would have protected us from this threat vector. It only was a threat at all because of all the people who didn't. The solution isn't creating a new security program, but getting the clueless to use the ones we're already running.
      • Why bother? If you had any decent anti-virus product, or applied security patches like you were supposed to, Download.ject would not be your problem.

        And if you didn't?

        In short... the existing toolset would have protected us from this threat vector. It only was a threat at all because of all the people who didn't. The solution isn't creating a new security program, but getting the clueless to use the ones we're already running.

        When's that going to happen and what do we do in the meantime?

        Here's my

      • Comment removed based on user account deletion
  • by slungsolow ( 722380 ) on Tuesday July 20, 2004 @07:45PM (#9755351) Homepage
    Tracing the ancestry of a bacterial strain that affected hundreds of people is relatively easy compared to tracking down the sites that affected millions. Disease outbreaks take hundreds of man-hours to actually track down, and frankly I don't think its possible to get to the root of a computer based problem that affects thousands (if not millions on a worldwide scale).

    Maybe someday.. just not now.
    • Tracing the ancestry of a bacterial strain that affected hundreds of people is relatively easy compared to tracking down the sites that affected millions

      Bullshit. Most of the very high-profile worms/viruses of recent years were traced back to specific individuals fairly quickly. It's a lot easier than forensic microbiology.

  • Homeland Security (Score:5, Interesting)

    by smclean ( 521851 ) on Tuesday July 20, 2004 @07:45PM (#9755356) Homepage
    Remember the article the other day about the secrecy surrounding cell phone outages because the Homeland Security folk believe it serves as a "terrorist blueprint"?

    Watch, as the internet becomes more and more part of the infrastructure of the worldwide information systems, companies in the future will lobby for a similar bogus-security rationalization for keeping internet-infrastructure compromises secret.

    Not that relevant to the article I suppose, but an interesting angle.

  • No single security company is willing to do the finger pointing. It doesn't make sense for the reasons explained in the article.

    What we need is for the various anti-virus software makers to agree on a protocol.
    What this means is that, as soon as the anti-virus software is able to identify the threat, any time it encounters a web-server infected (as the user browses such site) it should send an alert to a centralised web-site. This site would list all the infected sites.
    A smarter step would then be for t
  • by philovivero ( 321158 ) on Tuesday July 20, 2004 @07:57PM (#9755430) Homepage Journal
    Shouldn't we demand the same when a businesses server poisons our computer.
    Have you heard about the latest virus. It silently converts all question marks (.) into periods (.). How did this happen. It is unknown.

    The Spanish variant is worse. It turns those funckey upside-down question-marks at the beginnings of the sentence into little Microsoft MSN butterfly-man icons.

    Can you imagine that. I know it makes me fearful.

  • List of sites infected (spoof ... they probably weren't but i don't know)

    http://www.cnn.com/ [cnn.com]

    http://www.msn.com/ [msn.com]

    http://www.slashdot.org/ [slashdot.org]

    http://www.ilovebacon.com/ [ilovebacon.com]

    ........

    ... Ok, how many of the above did you click. None, ok, I believe you, but how many is Grandma going to click?
  • Digital security (Score:3, Insightful)

    by bigberk ( 547360 ) <bigberk@users.pc9.org> on Tuesday July 20, 2004 @07:59PM (#9755445)
    The issue is ultimately about the public's lack of concern for computer, and more generally, digital security. My opinion is that this lack of concern stems from a lack of knowledge about the technologies we use.

    I think the situation is more dangerous than most professionals realise. The majority of the people in IT shrug off security concerns. "We can always reinstall" or "we'll upgrade later" are common responses to warnings about insecurity and vulnerability. Most businesses and even governments entirely ignore digital security concerns.

    We have a modern economy that depends entirely upon computer networks and data flow. All of our communication depends upon it too. So do public utilities and emergency services.

    But at the same time, we perpetually neglect to protect these systems that we rely on. OS security is literally a joke; server security may or may not be a concern depending on how anal the operator is; and data encryption is still, for the most part, undiscovered by the masses.
  • by LostCluster ( 625375 ) * on Tuesday July 20, 2004 @08:05PM (#9755483)
    Slashdot was not one of the infected communities because we're not allowed to link to offsite graphics in HTML code on this site.

    However, any community that does allow this, which is a factory-equipment feature in all of the major webboard packages, was at risk and most likely got hit. All it takes is one user posting an image on an infected server in a popular thread and that site would be spreading the virus to any reader who isn't running a properly protected computer.

    Bottom line, the restaurant analogy is flawed... it wasn't anything done wrong in the kitchen, but rather it was a virus that was brought in and spread around by the customers. The solution to that would be a web equivilent of "No shirt, no shoes, no service" being that web boards shouldn't be allowing remote linking because of this possible threat vector... but, uh, try stuffing this genie back into the bottle.

    eBay was among the notable victims because they allow remote image hosting. On the other hand, if they didn't they'd either be on the hook for all of the bandwidth or have to take the picture features out or at least scale it back. Since pictures are a key thing that makes action prices higher and eBay's revenue mostly come from taking a percentage of the auction result... I don't think that's gonna happen.
    • Many MSIE users got infected in indirect association with their use of eBay, but the flaw did not rest with eBay, but with MSIE. There is nothing inherently dangerous in using external links, even for graphics [w3.org]. Note that the SRC attribute of the IMG element is defined as a URL. So, even though most link only to local files, remote files are allowed by the standard and their absence would decrease the utility of services like eBay, not to mention greatly increase their band with and storage costs.

      The fau

  • This story reminds me of those inane AOL commercials about computers getting sick. Lets get sensible here. Computers do not "get sick." They do not become "poisoned."

    A virus sometimes infects the Windows OS. At best, run a virus checker and stop it before you are infected. At worse, do a reformat and be done with it. You have a backup anyway. Right?

    If you don't want to deal with virii in any form then run OS X or Linux. Problem solved.
  • The thing is that the web has a life of its own and it would be really hard to control it like that. Anyone can open a website anywhere and put almost anything on it. How would you force that random individual to be guilty for the virus they spread? The internet was not originally designed to be a controlled environment where you can hold others responsible if something bad happens to you; its not America. You have to watch your own ass.

    Some things might be "morally" right, but could never happen in realit
  • Even if private information is stolen by these worms, we're still talking about economic damage, not death. A better comparison would be whether your bank is required to notify you if your private information is stolen from their offices--it you want to convince me that there is some sort of discrepancy between internet security and offline security, then point to some law mandating that a bank or businessmust disclose real world breakins.

    I think the focus on Ject's infection of web browsers visiting the

  • by hedley ( 8715 ) <hedley@pacbell.net> on Tuesday July 20, 2004 @08:29PM (#9755626) Homepage Journal
    I knew that recent "downtime" wasn't just for "upgrades". It's an imposter! It's a Phisher site! Its of the body! One of the pod people! :)
  • by MrWa ( 144753 ) on Tuesday July 20, 2004 @08:37PM (#9755678) Homepage
    The question is not whether a company should report that their website was infected or not - the most obvious answer is that, unless they are a overly honest company, they will not divulge anything embarrassing that may affect their stock price unless required by law. The real issue here is that supposed news websites were complicit in this by not reporting the affected websites when they supposedly knew which ones they were. What, other than advertising dollars, would prevent a news organization from reporting something that would be useful and important for the customers of said news organization to know?!?

    That is the troubling information that comes from this type of misreporting and nondisclosure when it comes to security issues involving computers. Other posters have compared this to food poisoning incidents at a restaurant. While not completely accurate, the real comparison would be if a newspaper stated that some restaurants had bad meat but they wouldn't report it due to the bad image this may give those businesses.

    News organizations should not be concerned with the impact on a business's image!

  • by Anonymous Coward on Tuesday July 20, 2004 @08:40PM (#9755702)
    Ibsen wrote a play [wikipedia.org] about it, that's how old it is. It was made into a movie with Steve McQueen. The plot seemed scarily current, like it was taking place today, not almost a century ago.
  • by jerkychew ( 80913 ) on Tuesday July 20, 2004 @08:48PM (#9755745) Homepage
    "...when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a businesses server poisons our computer.

    Here's the key difference... when a food poisoning outbreak is detected, it's traced and made public because it has been investigated by a government agency, usually the health department, and that department has regulations and rules in place that tell them they have to publish said information.

    When a website is compromised, the owner is not legally bound to tell the visitors anything, even if the visitors are suddenly succeptible to an attack. (I suppose they could conceivably sue for damages done to their computers, but that's a different avenue) They are not bound by this, because they are not regulated by any government agency.

    So, what's the solution? Have the gov regulate the interweb? Perhaps you have to have your site approved by a governing body before it can be made public? Do you have to get said body's approval every time you update a page? Where's it end?

    Sure, in a perfect world, the owner of a site should make news of an attack public, but one of the great things about the internet is that it's left to the owner's discretion, not mandated by a government body. I think it's a fair tradeoff, IMHO.
  • by panamahank ( 233338 ) on Tuesday July 20, 2004 @08:52PM (#9755766)
    ...in Tijuana and don't wear a condom, you deserve what you get. Surfing the Internet with Internet Explorer is no less risky than unprotected sex in a cheap Tijuana whorehouse.
  • As Foster notes, when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a businesses server poisons our computer."

    Maybe in the US it's like this, but not elsewhere.... In Italy, for a long time some nut would inject bleach and other similar liquids in water bottles... Quite a few people ended up in the hospital, but fortunately nobody died... Well, there was no way to find out the brands of the
  • by Bruha ( 412869 ) on Tuesday July 20, 2004 @09:38PM (#9756027) Homepage Journal
    Recently a virus called Scob/Download.ject infected various high profile websites running Windows based webservers. This virus also infected visitors to the sites through a bug in the Windows operating system. The virus was able to keylog your computer and transmit information such as passwords, web addresses you typed in the browser. This information was being redirected to a website in Russia. However the US-Cert department refused to publish a list of infected sites citing damages to the business.

    My complaint is if a resturant down the street came down with E. Coli and people became sick or died the US FDA would of notified the public about this resturant and we would be aware of that resturant's name and location. It happens at IHOP's and Taco Bells and many other types of ressturants. I have yet to see either of those two chains shut down due to people avoiding them due to one E Coli outbreak. I would expect the same notification about a Website also.

    Those websites that were infected were run by American businesses and not operated by foreign countries. US-CERT is just one portion of the Department of Homeland Security. And it calls into question if one department is afraid to release the truth becuase it may hurt someone's bottom line then maybe another group would decide to skip out on notifing people of a biohazard at some posh vacation spot in fear that they would ruin business there.

    Thanks for your time Mr Senator.
  • by gnovos ( 447128 ) <gnovos@nospAm.chipped.net> on Tuesday July 20, 2004 @10:38PM (#9756379) Homepage Journal
    I can see a scenario where somebody announces thier web site was hacked. Then a greedy ambulance chaser threatens to sue for neglegence. In order to "prove" negligence, he'll supoena all you computer systems, drown you in bad press, and lock you in expensive legal battle. It'll be easier to pay him off, and thus a new industry is born.

The computer is to the information industry roughly what the central power station is to the electrical industry. -- Peter Drucker

Working...