Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security IT

Dan Geer On Trusting PCs In Botnets 301

walk*bound writes "In an essay published by ZDNet, security scientist Dan Geer has an interesting proposal for e-commerce sites to evaluate the trustworthiness of clients that try to connect. Assume that end users either always say 'Yes' or always say 'No' to security dialog boxes. Then make the decision one of two ways: 'When the user connects, ask whether they would like to use your extra special secure connection. If they say "Yes," then you presume that they always say "Yes" and thus they are so likely to be infected that you must not shake hands with them without some latex between you and them. In other words, you should immediately 0wn their machine for the duration of the transaction — by, say, stealing their keyboard away from their OS and attaching it to a special encrypting network stack all of which you make possible by sending a small, use-once rootkit down the wire at login time, just after they say "Yes."'"
This discussion has been archived. No new comments can be posted.

Dan Geer On Trusting PCs In Botnets

Comments Filter:
  • by Gr8Apes ( 679165 ) on Tuesday November 20, 2007 @11:51PM (#21431367)
    for Sony, for one. Yep, can't say enough good things about root-kitting your customers...
    • Somebody explain how this is a) useful b) acurate c) practical or d) ethical. I'll settle for any one answer.
      • by 1u3hr ( 530656 )
        I thought it was supposed to be e) funny. In the sense of Defoe's A Modest Proposal [art-bin.com]. Similarly hoping to provoke discussion.
    • by Anonymous Coward on Wednesday November 21, 2007 @12:14AM (#21431527)
      Assume for a moment that a benevolent business point blank asks their customer, "Do you mind if we root-kit your computer for additional security?" If the customer agrees, they either trust the company or don't know what they're doing. Problem is, if you can get away with that, what else would they agree to? The benevolent company then takes measures to protect themselves since the user authorized it. They then pass the money saved from not dealing with infected computers on to their customers. Yay. If the customer initially declined, then apparently they like to keep control of their computer and you proceed under the assumption you're communicating with a clean(-ish) computer. Fair enough.

      I'd say that the main problem with this scenario is the idea of a business being benevolent. I don't trust them to not screw me... but isn't that the author's point? It's an interesting concept, even if it likely wouldn't execute well. At the very least, the idea of somehow measuring a customer's willingness to just click the "yes" button is worth some thought.
      • by Holmwood ( 899130 ) on Wednesday November 21, 2007 @01:02AM (#21431815)

        Assume for a moment that a benevolent business point blank asks their customer, "Do you mind if we root-kit your computer for additional security?" If the customer agrees, they either trust the company or don't know what they're doing.

        Actually, if I "agree" (i.e., say yes), it means I *do* mind being root-kitted. If the company then proceeds to root-kit my machine, they are definitely opening themselves up for a lawsuit.

        That question is almost as bad as the infamous:

        Yes means No and No means Yes. Format computer now, Yes/No?


        But really, this error reinforces some of the disturbing aspects of the original question as cited. Users who answer "Yes" to using a more secure question may be idiots who always click yes; they may be knowledgeable users who expect something like SSL. They are unlikely to be sophisticated users that expect to be root-kitted.

        I certainly agree with parent about the dangers of assuming benevolence -- from corporations, or governments.

        Holmwood
        • Re: (Score:3, Insightful)

          by Yetihehe ( 971185 )

          That question is almost as bad as the infamous: Yes means No and No means Yes. Format computer now, Yes/No?
          Can I choose ^C ?
        • Re: (Score:3, Insightful)

          by mtgarden ( 744770 )
          That was the point I made at ZDnet. If the company asked me if I could be root-kitted, I would say no. If they asked me if they could enable a more secure transaction, I would probably say yes. My assumption would be that the company would now require tougher passwords etc... and give me some sort of perk for being extra safety conscious. So the assumption that I would select yes, because I am dumb and always click yes, is retarded. I only click yes when I trust the source (I assume a reputable busine
    • Is this for real? The proposal is that clients who do ask for a secure connection are infected, and that the ones who don't ask for a secure connection aren't infected? Isn't this, like, precisely opposite of what you'd expect? And his response to clients who ask for a secure connection is to put a rootkit on their server?

      A few of the commentators on \. have managed to translate the editorial into a proposal that actually might make some sense, but reading it as written, the proposal is the worst, most

  • WTF (Score:5, Insightful)

    by Zouden ( 232738 ) on Tuesday November 20, 2007 @11:52PM (#21431383)
    Where's the Monty Python foot icon? This has to be a joke.
  • Numbers (Score:5, Insightful)

    by willyhill ( 965620 ) <`moc.liamg' `ta' `kaw8rp'> on Tuesday November 20, 2007 @11:58PM (#21431411) Homepage Journal
    My guess is that the number of people who would say "No" is directly proportional to the number of PCs that are not infected.

    BTW, I think this is an interesting essay in the sense that it dares suggest that users are mostly responsible for the security of their computers, not Microsoft. The vast majority of people who have 0wned machines are in that state because they did something they shouldn't have. There's no coding around that, I think. Unless we deny users the right to use their computers... or educate them.

    • Re:Numbers (Score:5, Insightful)

      by thegrassyknowl ( 762218 ) on Wednesday November 21, 2007 @12:42AM (#21431713)

      Unless we deny users the right to use their computers... or educate them.

      You can't educate most of them. They don't want to learn. It's unfortunate but it's the truth. Laypeople think that "firewall" and "anti virus" is all they need to keep them safe from nasty people. I have the unfortunate task of dealing with people like that on a daily basis (many ask why I'm so jaded) and they don't care what the real experts say.

      If you tell average Joe that he shouldn't do something that he wants to because it's a bad idea and then Joe's "expert" mate says "nah man you've got firewall and AV installed you'll be right" he'll ignore you. He will listen to the "expert" mate of theirs that installed Windows once or twice using the restore disk that came with their shiny Dull PC and now thinks they know everything because the "expert" doesn't get in their way of doing stupid things.

      The number of users who click 'yes' and 'no' will be split 50/50, depending on the question. I don't think it's possible to predict what people are going to click because it all depends on the type of message and the wording.

      A lot of people always click allow or always click block when ZoneAlarm pops up a warning. They'll always click "Allow" when Windows pops up and says that they are trying to install an unsigned program. They have seen that type of dialog before and kind of know what to expect when they make their usual response.

      Random Internet questions are different because people aren't expecting them to be there. There is no preconceived notion of how to respond to the random question other than to read it and work out what it's trying to say.

    • Re: (Score:3, Insightful)

      by johnny boy ( 129702 )
      Except when the OS tells someone, by icon and name, that they are clicking on an image, then it shouldn't install a program instead. Hiding extensions and allowing programs to masquerade as benign files is an interface issue. There is no reason Microsoft can't design the interface to ensure that EXE icons have a special signifier indicating the nature of using the icon (Linux might improve here too).

      Hiding the extensions by default might make the interface seem less cluttered, but it definitely creates cr
    • Re:Numbers (Score:5, Insightful)

      by mcrbids ( 148650 ) on Wednesday November 21, 2007 @03:29AM (#21432585) Journal
      The vast majority of people who have 0wned machines are in that state because they did something they shouldn't have. There's no coding around that, I think. Unless we deny users the right to use their computers... or educate them.

      BBBBBZZZZZZZZZZZZZZZZZZZZZTTTTT!!!!

      Sorry, Charlie. You got this one wrong!

      True or false: Some places are more secure places to keep your money.

      True or false: Some cars are safer during a crash than others.

      True or false: Some airports are safer/more efficient than others.

      Now for the kicker:

      True or false: Some software is more secure/better designed than others.

      The truth is that my wonderful Mother in Law had her computer infected by merely clicking the subject line of an email on her otherwise patched computer with antivirus and a hardware firewall on a DSL connection. What did she do that she shouldn't have?

      People sometimes do stupid things, and even reasonable things in cars and get into accidents. But even so, a car that's well designed will protects its occupants better, and frequently makes the difference between injury and death. You get into an auto accident on the freeway, which would YOU rather be in: A Yugo or a Mercedes? I know which one I'D pick...

      People *do* make mistakes, and they *do* things that are stupid. If using a computer requires perfect behavior in order to work, then they won't work.

  • Flawed premise. (Score:5, Insightful)

    by TeraCo ( 410407 ) on Tuesday November 20, 2007 @11:59PM (#21431419) Homepage
    The premise is flawed. Just because someone wants extra security doesn't mean they always click yes to questions. Maybe they just want extra security.

    A better test would be to popup 'would you like a free ipod'. Having pointed this out, I do have to add: this is a retarded idea.
    • by QuantumG ( 50515 )
      The point is that if someone is willing to run malware once then they're most likely already infected and part of a botnet.

      • Re:Flawed premise. (Score:5, Insightful)

        by TeraCo ( 410407 ) on Wednesday November 21, 2007 @12:06AM (#21431467) Homepage
        If a reputable site is offering me 'extra security' and I accept it, that doesn't demonstrate anything about my willingness to accept malware. It just shows that I trust that reputable site.

      • The point is that if someone is willing to run malware once then they're most likely already infected and part of a botnet.

        The point is that it's not the user's fault [slashdot.org] because it's trivial for web site operators to 0wn user machines. When M$ themselves estimate 2/3 of all machines are compromised, no rational person can continue to blame the user.

    • Re:Flawed premise. (Score:5, Insightful)

      by Odiumjunkie ( 926074 ) on Wednesday November 21, 2007 @12:32AM (#21431649) Journal
      > Having pointed this out, I do have to add: this is a retarded idea.

      Not only is it stupid, I imagine that it would be very hard to implement.

      Who wants to volounteer to code a "use-once rootkit" that provides a "special encrypting network stack" that guarentees secure communication on a machine that you believe is compromised with x brand of malware and y number of existing rootkits? How are you going to make it so secure than malware writers can't subvert it for their own purposes?

      The idea presented is bafflingly stupid, but the idea behind it is not: different security models for users based on behaviour patterns.

      If someone uses a six character dictionary-word password (you could check once before hashing and store the result), or fails to uncheck the "receive offers from our partners" checkbox when entering their e-mail address, then perhaps they're not terribly savvy computer users and it would be an idea to throw a few more CAPTCHAS at them each time they log in, or more closely monitor their account for suspicious activity.
      • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday November 21, 2007 @01:05AM (#21431837)
        Since we're discussing ways to make online shopping safer ...

        Instead of giving your credit card into to a store (when your bank already has it), have the store generate a random string. Copy that string to your bank's website (where you have logged in) and your bank will pay the store for that item(s) in the shopping cart identified by that string.

        There. Your credit card info NEVER crosses the wire.

        And the bank can keep records of which stores/accounts have complaints and give you some stats. Kind of like eBay's rating system.

        That store has a 99%+ positive rating with 1,532 transactions in the past month (1,926,872 total transactions).
        vs
        That store has a 25% positive rating with 4 transactions in the past month (4 total transactions).
      • Yes, the base topic makes some sense if considered abstractly, less and less in the particular examples given. (To be fair, the actual article isn't as bad as the Slashdot summary, which focuses on a specific implementation that I, like you, don't see as at all workable.). In a really abstract sense, it's the old phrase "Trust but Verify". Provide opportunities for a site's visitors to make decisions that could normally be smart or dumb, then adjust how you treat them accordingly.
      • I always click "yes" to secure transactions at URLs that I trust. If I went to a financial institution that said, "do you really want a secure connection?" I would of course say yes, its my bank for goodness sake. I then get A Root Kit installed and my keyboard tapped. What kind of fucked up shit is that?. In a good mood I would cancel my account and move. In a bad move I would be calling my lawyer.
      • If someone [...] fails to uncheck the "receive offers from our partners" checkbox when entering their e-mail address, then perhaps they're not terribly savvy computer users [...]

        That's a pretty retarded idea too, though. You're assuming people enter their real email address, when usually addresses are either fake, or some throwaway fake yahoo account which nobody reads and nobody cares if the spam can piles up in.

        It's dangerous for a computer program to make assumptions about the state of mind o

    • It's a joke. (Score:4, Informative)

      by Erris ( 531066 ) on Wednesday November 21, 2007 @12:48AM (#21431747) Homepage Journal

      When you pull your head out of M$ propaganda you will understand what the author is saying. You don't get the joke because you are a victim of double think and believe things that glaringly contradict each other.

      The author is responding to hate mail he got for challenging the M$ party line that only idiots get 0wned.

      A little over a year ago, I wrote an editorial where in back-of-the-envelope style (.pdf) I estimated that perhaps 15-30% of all privately owned computers were no longer under the sole control of their owner. In the intervening months, I received a certain amount of hate mail but in those intervening months Vint Cert guessed 20-40%, Microsoft said 2/3rds, and IDC suggested 3/4ths.

      He parodies the party line brilliantly by saying:

      This parallels the real world where people who get venereal diseases tend to get more than one. The reason is simple, the infections computer or cellular are side effects of behavior and consistent behavior tends toward consistent results.

      and then suggesting that vendors instantly 0wn anyone who says they want a secure connection. This is not a serious suggestion, it simply point out the absurdity of blaming the user for something others so easily and frequently do. Vendors are screwed and he knows it.

      The author is also pointing out how insulting it is for M$ to continue to blame the user for M$ security problems. If M$ really believes this, they must also believe that 2/3rd of their customers are idiots who and have VD. Is there any other vendor on the planet that so casually insults their customers?

      Amazingly enough, the general population still believes the M$ party line. I had this argument with a co-worker the other day. He so strongly believed that it's the user's fault that he could not accept estimates by Vint Cerf or Michael Dell as accurate. Stories of corporate network dissaster are similarly dissmissed as the fault of idiots at work. More amazing than the man's inability to take in new information was the temper tantrum he threw when calmly questioned and confronted with facts. M$'s own estimates will also bounce off his otherwise bright head because it would force him to conclude that there's either a 2/3rd chance that he's an idiot or worse - he's been wrong headed and vocal for years, which is the definition of an idiot. How does M$ build such loyalty while being so abusive? Windoze security is a oxymoron and it's time the public at large understood that.

      • Re: (Score:3, Funny)

        by c_sd_m ( 995261 )

        This parallels the real world where people who get venereal diseases tend to get more than one. The reason is simple, the infections computer or cellular are side effects of behavior and consistent behavior tends toward consistent results.
        So if a slashdot reader has a chance to get laid he shouldn't do it since obviously the other party will do anyone?
      • Re: (Score:2, Informative)

        by willyhill ( 965620 )
        The reality is that even though Microsoft (or "M$" as you call them) are guilty of some really dumb security fuckups in the past, the numbers simply don't back up your angry assertions. The latest four or five botnet infection waves have spread through email attachments that require significant user interaction to take over a machine.

        It doesn't really matter how many safeguards you build into the system, ignorant users will do dumb things. And when you're talking about a universe of almost a billion PCs,

  • Dumb. (Score:5, Informative)

    by WK2 ( 1072560 ) on Wednesday November 21, 2007 @12:00AM (#21431421) Homepage

    When the user connects, ask whether they would like to use your extra special secure connection. If they say "Yes," then you presume that they always say "Yes"

    I thought this was a misquote. I checked TFA, and this is exactly what it says. This guy thinks someone who prefers secure connections is more likely to be pwned.

    • This guy thinks someone who prefers secure connections is more likely to be pwned.

      It would be more realistic to put up a requester saying "Do want a secure connection?" Cancel or Allow.

      Anyone who clicked "Allow" more than a dozen times could be presumed to be infected...

    • Re: (Score:2, Insightful)

      by QuantumG ( 50515 )
      If I offer you a virus and you happily run it because you think it will give you more security, I think that's a reasonable test to see whether or not you're likely already infected with a virus (because even if you weren't, you are now).

      • by NMerriam ( 15122 )
        If I offer you a virus and you happily run it because you think it will give you more security, I think that's a reasonable test to see whether or not you're likely already infected with a virus (because even if you weren't, you are now).

        I think if your bank web site offers you a virus, the problem is not with the user accepting it.
        • by TeraCo ( 410407 )
          That is exactly the point I was trying to convey. If I already -trust- the site, due to a prior relationship (ie: my bank, my place of work, my good mates porn stash) and I can verify that the host is what I think it is due to the existing security systems in place, why shouldn't I take advantage of any extra security offered to me.

          If I click yes and get owned by a virus, it just shows that initial decision to trust them was flawed in the first place and that is something that is outside the scope of this

      • by TeraCo ( 410407 )
        It's certainly a good way to end up in 'pound you in the ass' federal prison anyway.
      • by Curien ( 267780 )
        If my bank's website was broken into and modified to offer me malware or the company is unethical enough to break into people's computers, I have worse things to worry about than getting a virus from them. I already explicitly entrusted them with tens of thousands of dollars of my money; it doesn't make sense for me to turn around and distrust them with my computer.

        Your evaluation only makes sense for business relationships in which the value of the relationship is less than the value of the security of the
        • by QuantumG ( 50515 )
          So you trust your stock trading site to have access to your banking site.. cause by running what has been described by the article as a "root kit" from your stock trading site, and then logging into your banking site, that's what you're doing.

          • by Curien ( 267780 )
            Why would I engage in thousands of dollars worth of transactions with an entity I don't trust? If they want my money, they can just *take it*. They don't need to break into my bank.
            • Re: (Score:3, Insightful)

              by QuantumG ( 50515 )
              Have you considered the possibility that someone has broken into the stock buying site and now would like to get into your banking site? Maybe because, I don't know, they think you might have *more* money in your bank account that the stock buying site doesn't have access to and they'd like that money too? Honestly, if your stock buying site tells you that you need more security than your browser supplies and asks that you download some random piece of software that you can't even inspect to ensure is not
              • by TeraCo ( 410407 )
                It's like people who ask you to run an ActiveX control because it is "more secure". They're obviously idiots and you should take your business elsewhere.

                Boy, you just can't get a break today, can you? The billiontyfuck dollar firewall at our workplace has a HTTP interface that you can go to. It will spool down an activex control and let you use the VPN to get to the internal network. If you're not a Windows user, it also lets you download a linux version.

                • by QuantumG ( 50515 )
                  yeah, stupidity abounds.

                  Please tell me that it is at *least* an SSL deployed ActiveX control.

                  It's this kind of stuff that makes penetrating corporate networks so easy once you've owned the ISP of someone who networks in from home. That and the fact that most everyone these days is happy to download an exe and run it if they think they get some dancing bunnies to giggle at.

                  • by TeraCo ( 410407 )
                    Of course it's an SSL deployed activex control, backed up with a securid token and a million and one other bells and whistles. That's because people much cleverer than you or I have put hundreds of millions of dollars into designing and deploying the system.

                    • by QuantumG ( 50515 )

                      That's because people much cleverer than you or I have put hundreds of millions of dollars into designing and deploying the system.
                      Dude, what is up with you assuming you know me?

                      Besides which, all of these systems have flaws in them, no matter how "clever" the people who make them are or how much they spend to do it.

                    • by TeraCo ( 410407 )
                      Dude, what is up with you assuming you know me?

                      Well, I think your level of computer security awareness speaks for itself :)

    • Now, see, I interpreted it as "Anyone who thinks that clicking Yes to a popup that's offering them better security is a fool and likely to be infected."

      I also took popup to be generic for anything that looks like a popup, such as an ActiveX installer thing.
    • This guy thinks someone who prefers secure connections is more likely to be pwned.

      No, he thinks that blaming the user is a joke when even M$ admits 2/3s of their customers are 0wned. It's a joke [slashdot.org]. Do you really think he's suggesting vendors screw all the customers who say they want a secure connection? If so, you admit it's trivial and that it's not the user's fault. The joke is on people who wrote him hate mail for stating the obvious: Windoze is a security dissaster and large percentages, if not al

    • I thought this was a misquote. I checked TFA, and this is exactly what it says. This guy thinks someone who prefers secure connections is more likely to be pwned.

      The point of the article is that people who click "Yes" to install random software from the Internet are much more likely to be 0wned. Just because the software claims to be secure is no reason to trust it any more than what you'd find at a shady porn site.
  • off topic (Score:2, Interesting)

    mod me off topic if you must, but I for one just cant bring myself to ever trust someone with muttonchops like that.
  • I can't wait, and if they say "No" just don't allow them into the site, because how can you trust them if they say no to an extra special secure connection, can you? I can't wait for the future where our choices are root-kitted slave or web pariah!

    --In Soviet Russia, internet connection owns you!

  • Wait a second.... (Score:5, Insightful)

    by PieSquared ( 867490 ) <isosceles2006@@@gmail...com> on Wednesday November 21, 2007 @12:03AM (#21431441)
    A dialog pops up asking "do you want to use a secure connection or not" on your internet stock-buying site.

    I would assume that any reasonably secure computer user would.... say yes? I mean, I suppose this approach would work if you assumed *everyone* either always said yes or always said no... but what about people who pay attention to what URL they are at (yes, this is *really* the site I want to buy stocks from) and *read* the prompt (yes, I would like to use a secure connection). You've just root-kitted (well, tried to rook-kit(heh, root-kit as a verb)) your most secure and computer-savy users. They aren't going to like it.

    If my trusted e-commerce site decided to give me a root-kit or take control of my keyboard/mouse... well they wouldn't be *my* trusted e-commerce site anymore. Now, if you have a security dialog that anyone actually reading *wouldn't* agree to this approach might work, as the *only* ones who agreed would be the ones who automatically say "yes."

    So yes, instead of taking a little loss on people who got tricked into buying someone else a stock you should *obviously* try to trick and "0wn" your clients for agreeing to a reasonable proposition ("would you like to use a secure connection with your trusted e-commerce site"). That is *clearly* the best approach.
    • by QuantumG ( 50515 )
      what part of this is hard to understand?

      Taking the control of the keyboard away from the OS *is* the super special security that they are asking you to install.. you said yes.

      • Re: (Score:3, Insightful)

        by nacturation ( 646836 )

        what part of this is hard to understand?

        Taking the control of the keyboard away from the OS *is* the super special security that they are asking you to install.. you said yes.

        The summary *and* the article are poorly worded. Rather than simply asking "Do you want to use our extra-secure connection?" (as in, this could be a somewhat slower but more secure 256 bit standard SSL protocol) the question should have been phrased as "Do you want to download and install this executable software to enable our extra-secure connection?". In that light, the rest of the discussion actually somewhat makes sense... however much you agree or disagree with the rest.

        • by QuantumG ( 50515 )
          Yes, well, I don't think anyone was debating whether or not Dan Geer has good communication skills. Any implementation of this ultra-stupid idea would require really good "are you sure you want us to own you?" questioning.. but basically what he's saying is that he can write a root-kit that can beat the root-kits that are already installed on your machine.. which is just not something anyone should claim with a straight face.
  • WTF? (Score:5, Insightful)

    by thatskinnyguy ( 1129515 ) on Wednesday November 21, 2007 @12:03AM (#21431447)
    Is there anyone else here who read the summary and thought "What the fuck?!"
    • Yes.

      What was the question again?

    • Yes, even after I tried reading it again.

      ~S
    • Unlike that article about the guy who sues spammers in his spare time which made sense assuming one has a basic comprehension of English and an attention span longer than a gnat's genitalia, this is definitely one of those WTF moments. Having read the article, I can figure out what his idea is... but the summary is just so out-of-this-world.

      1. Assume pink unicorns exist.
      2. Bunch of wild-ass conclusions you derive regarding people and unicorns.
      3. ???
      4. Profit!
       
    • Re: (Score:3, Insightful)

      by Tim C ( 15259 )
      Well, I actually thought (and in fact said out loud) "That's an absolutely fucking ridiculous idea!", but close enough I feel.

      So, I access a site I presumably already trust which would presumably be worthy of that trust, as they're trying to protect themselves and their users (albeit in an utterly retarded way). It pops up a dialogue asking me if I want to use a new, even more secure connection, and if I say yes then they root my PC because they think I'm an idiot and therefore my PC is almost certainly inf
  • The users that want secure connections are not the ones most likely to be pwned, it's the ones that couldn't care less that you should be worrying about. But really, the real problem here is the extreme laziness of this idea. If you impliment good security policy regardless of who you're connecting to you're better off than treating all of your users like complete idiots because they want a secure connection.
    • by QuantumG ( 50515 )
      So you're saying that the guy should force everyone to download the root-kit and install it or they can't access the website?

      Cause it is the root-kit thing that gives more security.. from the perspective that the vast majority of clients are probably infected with at least some malware.

      • So you're saying that the guy should force everyone to download the root-kit and install it or they can't access the website?
        that isn't what I meant. I didnt; realize until later what methods he was referring. with the rootkit in mind, assuming the user isn't the brightest bulb for letting a rootkit on their system is a good bet.
  • ...hundred million botnets, washed up on the shore
    Seems I'm not alone in being alone
    Hundred million castaways, looking for a home

    Ill send an SOS to the world
    Ill send an SOS to the world
    I hope someone don't get my
    I hope someone don't get my
    I hope someone don't get my
    PC in a botnet, yeah
    PC in a botnet, yeah
    PC in a botnet, yeah
    PC in a botnet, yeah
  • Dumbest. Idea. Ever. (Score:3, Interesting)

    by Opportunist ( 166417 ) on Wednesday November 21, 2007 @12:29AM (#21431621)
    Let's assume I go to this page. Let's assume I do read what's offered to me. So I could use a superspecialawesome security feature. Great. I'm security conscious and yes, I want that security feature.

    Let's assume I go to this page. Let's assume I am a trained clickmonkey. So I get a dialog that asks "yes" or "no", and I click yes because I always click yes.

    Erh... who'd click no?

    What's the demographic of people who would click no there? People who do read security popups but don't want to be secure?

    Sounds to me a bit like a scam. Nobody would click no there. So this all smells a bit like "look, we ASKED the customer if he wants to get a rootkit, it ain't like we didn't tell them".
    • Erh... who'd click no?

      Someone who has pop-ups enabled and don't read them but just look for the close or no thanks button to get rid of it.
  • by radimvice ( 762083 ) on Wednesday November 21, 2007 @12:32AM (#21431653) Homepage
    I have to say (and I know I'm putting my karma in front of the firing squad here), this kdawson guy really knows how to pick em...honestly, it seems that every time an off-topic, ridiculous, or horribly misleading tagline enters the front page, all I need to do is look up from the painful summary paragraph and there is good ol' posted by kdawson, smiling down from above.
  • BRILLIANT (Score:4, Funny)

    by Almahtar ( 991773 ) on Wednesday November 21, 2007 @12:39AM (#21431693) Journal
    You see, all the other rootkits will trust this one, thinking it's one of THEM!!! Then all you have to do is have your rootkit tell them that it can't stay long and would they please let it have this password/account number and they can steal the next.

    They'll never even know this was a good guy root kit the whole time!
  • I for one (Score:2, Funny)

    by enoz ( 1181117 )
    I for one, welcome our cross-platform-r00tkit-touting benevolent E-commerce overlords.

  • better dialog box (Score:5, Insightful)

    by Rudisaurus ( 675580 ) on Wednesday November 21, 2007 @12:50AM (#21431757)
    I think the dialog box should say, "Would it be alright to install a root-kit on your machine?".

    The ones who say "Yes" to that are justifiably pwned. Everyone else is reasonably trusted and left alone. It's a good filter!
    • Nevermind the dialog. Just go ahead and try to install a benevolent Windows rootkit destroying rotorooterkit. If it works, then that is sufficient proof that the machine was p0wn3d and is now repaired thanks to the rotorooter. If it doesn't, then the machine is running some sort of Unix and is OK, so no need for rotorooting.
  • Huh? (Score:4, Interesting)

    by Psychor ( 603391 ) on Wednesday November 21, 2007 @01:29AM (#21431997) Homepage
    I don't understand it to be honest... although most of the sentences seem to make sense individually, I don't really follow the logic. For a start it all seems to be based on the flawed assumption that users always make the same response to all dialog boxes. Why would one assume this? Even a complete idiot might select either option randomly, or mash their fist on the keyboard with the same effect. It's even possible that some highly advanced users might read the information and act on it accordingly!

    Anyway, assuming that ridiculous assumption is correct, the author then makes another ridiculous assumption, that if you always say yes to dialog boxes, that means your computer is infected with all kinds of malware. They then decide it would be a good idea to root kit this PC and encrypt network traffic to it. I'm not quite sure what the point of this is either since the machine would have to decrypt the traffic for it to be any use, so any malware present on the machine could still have access to the traffic. I think they could be saying that the point of this is to protect their host machine from your horrible horrible malware. To be honest if a web host is so vulnerable that malware infected clients visiting it cause them to catch it to like some kind of electronic herpes, you have even bigger problems to worry about than the inevitable lawsuits from arbitrarily rootkitting your client's PCs.

    In short, it's a long time since I've read such complete nonsense, even given Slashdot's normal submission quality. If anyone managed to follow the article's logic, perhaps you could explain it to me, and possibly also tell me which parallel universe you're from so I can cross it off my holiday list.
  • So when a website asks me if I would like to be redirected to the https version of their site, I should click...no?

    WTF?
  • by petard ( 117521 ) on Wednesday November 21, 2007 @01:48AM (#21432103) Homepage
    Really, why should the test be the user's reply to a question? If you can install your rootkit on the users machine simply because they've visited your website, and you believe your users visit websites that are not yours, other sites can and probably have installed their rootkits. So what you should really do is quietly test to see if you can install your super secure rootkit, and, if so, do it. If you can't install it, they're probably safe to do business with.

    Seriously, using user behavior to assess security risk isn't a dumb idea. But the way this essay frames it is just silly. With the number of assumptions he's made (about user behavior, having a super "rootkit" that can defeat all others, etc.) he might as well go the whole nine and just own everyone he can.

To be awake is to be alive. -- Henry David Thoreau, in "Walden"

Working...