Slashdot Mirror


NYT Reports Porn Spam Hijacking Network

twitter writes "This NYT story describes how thousands of PCs have been used as porn spambots and reverse proxy servers, and mentions that they could be used for kiddie porn. Finally, though Microsoft is not mentioned, people might start to understand what a monoculture of poor quality software enables."

36 of 497 comments

  1. Whew! by TopShelf · · Score: 4, Funny

    Now I've got a great new excuse when the wife stumbles onto things...

    --
    Stop by my site where I write about ERP systems & more
  2. Monoculture it is, but... by Bendy+Chief · · Score: 4, Interesting
    Isn't there also a responsibility that computer users need to take, given their connectivity these days? If we need certification to operate potentially dangerous complex machinery, why not some minor courses on basic security so you don't have Cleatus and Grandma saturating the world in spam?

    I guess that's pretty authoritarian, and there are better ways to beat spam. Still... the elimination of the luser is a shining grail for us all, no? ;)

    1. Re:Monoculture it is, but... by JulianD · · Score: 5, Insightful

      I agree with you: if 90% of the world were running UNIX instead of Windows, we'd still have heaps of insecure, obsolete old RedHat 6.2 boxen sitting around on the Net because users just do not take security seriously and it doesn't matter what the underlying OS is.

      I've pointed out before that the rise in popularity of Linux will not make the Internet more secure; it will merely result in poorly-configured Windows boxes being replaced with equally poorly-configured Linux boxes.

  3. Excuse me? by garcia · · Score: 5, Insightful

    Finally, though Microsoft is not mentioned, people might start to understand what a monoculture of poor quality software enables."

    Umm, no they won't. First of all, very few people would notice the article in the first place. Second, people who did notice wouldn't know what to do to protect themselves (not supporting MS isn't an option for 90% of the computer users in the world). Third, was the comment necessary?

  4. is it me, or is it crazy? by bongoras · · Score: 4, Funny

    "The rogue program does not affect the Apple Macintosh line of computers or computers running variants of the Unix operating system."

    so um, not to Microsoft bash or anything, but what OS does this 'sploit attack then?

  5. FUD by Ageless · · Score: 4, Insightful

    That's gotta be one of the most FUDaliscious articles I have ever wasted my time on.
    "Some random guy says grillions of computers are infected with an undetectable virus and is going to distribute kiddie porn!!"

    Please.

    P.S. I'm not saying it's not possible, but for fuck's sake, get a few details before bothering to blather on about it for pages at a time.

    1. Re:FUD by Surak · · Score: 4, Funny

      Some random guy says grillions of computers are infected with an undetectable virus and is going to distribute kiddie porn!!"

      Is that some sort of new grilled onion sandwich at Burger King? ;)

    2. Re:FUD by Zocalo · · Score: 5, Interesting
      Unfortunately, it's not FUD. Recently I've been receiving *huge* amounts of spam, vastly more than normal, and decided to take a closer look at what was being filtered out. There are some very obvious patterns in the extra spam:
      • It's pretty much all pornographic or for "enhancement" products.
      • The content is very similar - it's clearly the same small set of spams run through a hack to "randomise" the sender and basic subject/content details.
      • The originating IPs are *all* assigned to Windows boxes where I could sufficiently NMAP them.
      • WHOIS records almost always point to home/SOHO networks; I only found one corporate IP block in around 100 IP lookups.
      • There are no SMTP smarthosts being used - it's going direct from a Windows box to my SMTP gateways. Outlook *cannot* do this, so it's coming from malware with a dedicated SMTP engine.
      • I've also been seeing a huge increase in the amount of macro viruses inbound - just a guess, but it's probably the bot trying to propagate itself.
      Couple this with the 500Mb/s DDoS attack on SpamCop over the last few days and the picture is fairly clear. Someone is thumbing their nose at the US/EU attempts to legislate against spam and sending a message loud and clear. If the antispam community cannot find and nail the person or persons responsible for this, then the eventual legislation is going to have no effect whatsoever.

      So. We have 500Mb/s+ of bandwidth being used in a DDoS, anyone's guess going on the actual spam, kids undoubtedly seeing hardcore porn and computers being deliberately compromised and abused. Tell me again that spammers have a right to free speech and it's a victimless crime that doesn't cost anyone anything? They have a right to be force fed Hormel products until they explode like the Glutton in Seven if you ask me.

      --
      UNIX? They're not even circumcised! Savages!
  6. Another link by UnknowingFool · · Score: 4, Informative

    Try this link

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  7. Erm... by tjensor · · Score: 4, Insightful

    "...though Microsoft is not mentioned, people might start to understand what a monoculture of poor quality software enables."

    Shouldn't that read:
    "... though Microsoft is not mentioned, we thought we might use this as an excuse to attack them anyway."
    I mean I understand MS doesn't exactly have a large fanbase here but that is frankly ridiculous.

    --
    <fnord>OBEY</fnord>
    1. Re:Erm... by MattRog · · Score: 4, Insightful

      Indeed. There's nothing in the article to indicate that this is anything but a run-of-the-mill, end user problem (e.g. running a virus). Mr. Smith thinks it may be a particular virus, and that virus may (I don't know enough about it to comment one way or another) exploit a common hole in Windows, but to indicate that this is a symptom of Windows insecurity with insufficient evidence is unethical.

      Certainly it may only infect Win32, but that is by design. There have never been rootkits for Linux? Trojaned apps?

      --

      Thanks,
      --
      Matt
  8. Re:Heh by ryanoo · · Score: 4, Informative
    people might start to understand what a monoculture of poor quality software enables.

    Whatever. That won't happen anytime soon.

    Just as an example, we brought a remote user's laptop into the shop the other day to update it and found over 250 infected files. Even though we provide the option every time he logs in to update the virus identities, they hadn't been updated in over a year.

    To many people, a computer is like a screwdriver. They could care less about it, they just want to pick it up, make it work, and toss it aside when they are done with it. It's unfortunate, yes, but that's just the way it is.

  9. What's new about this? by irving47 · · Score: 4, Insightful

    Having worked the abuse@ email address for a DSL provider, I've been seeing this for a couple of years. It's interesting that the mainstream news is finally giving lip service to the problem, though. I heard a commentator on the ABC radio network mention open relays on mail servers the other day during morning rush hour.
    Someone (by someone, I mean companies that put out SMTP servers with a large share of the market) should strike while the iron is hot and take it a step further by airing some simple PSA's during a small assortment of shows. Maybe some must see TV "The More You Know" type thing...

    --
    I had a sucky sig.
    1. Re:What's new about this? by Frater+219 · · Score: 5, Funny
      Someone (by someone, I mean companies that put out SMTP servers with a large share of the market) should strike while the iron is hot and take it a step further by airing some simple PSA's during a small assortment of shows. Maybe some must see TV "The More You Know" type thing...

      [Fade in on dim interior of grimy trailer packed with disused computer equipment and swimsuit calendars. Greasy-looking SPAMMER puts down a half-eaten slice of cold pizza and starts dialing the phone.]

      SPAMMER: Hello, is this Ms. Smith? I was wondering, would you mind if I used your computer to put some pirated pornography on the Web? [click, dial tone in background] Hello? Ms. Smith?

      [Cut among views of SPAMMER on the phone, sleazy as ever.]

      SPAMMER: Could I borrow your computer to send millions of spam emails? [click]

      SPAMMER: ... just want to use it to run a quick scam -- [click]

      SPAMMER: Uh, Mr. Jones, could I steal passwords -- [click]

      SPAMMER: ... I want to crack into eBay and rip people off, could I use your computer for that? [click]

      [SPAMMER looks sweatier and nervous, impatient and guilty.]

      SPAMMER: [click] Hello? Hello?

      [SPAMMER puts the phone down and starts typing, face illuminated by the screen.]

      JAMES EARL JONES VOICEOVER: In the real world, spammers and Internet criminals don't ask your permission. They use viruses and insecure computers world-wide to steal from people. To find out what you can do to protect yourself and your family from crime on the Internet, log on to computer security dot gov.

      [Fade out to black screen:]

      http://computersecurity.gov/
      Take a byte out of crime.

      JAMES EARL JONES VOICEOVER: Brought to you by the FBI and the SANS Institute.

  10. Recommended Daily Allowance by Faust7 · · Score: 5, Funny

    Finally, though Microsoft is not mentioned,

    Oh, but we'll take care of that.

  11. translation by sammy+baby · · Score: 5, Funny
    Finally, though Microsoft is not mentioned, people might start to understand what a monoculture of poor quality software enables.

    Translation:

    Finally, though Microsoft is not mentioned, I felt the need to work some shrill anti-Microsoft propaganda into this post, so Fuck Bill! And Free Kevin!
  12. A little late by one9nine · · Score: 4, Funny

    Pete Townshend could have used this article a few months ago.

  13. Broadband providers are partially at fault by reimero · · Score: 5, Interesting

    In my experience, end-users who are not tech-savvy have little real understanding of online security practices: they tend to ignore basic things such as updating antivirus dat files because they don't know or don't understand. And from my own experience, I know that broadband providers are more interested in pitching all their cool features than they are in educating users how to be safe. Seriously, how hard would it have been for my ISP to have included a Sygate or ZoneAlarm trial on the install CD they had to send out anyway?
    What kills me is that it's in the ISP's best interests to encourage safe computer habits, and they don't really emphasize that.

    --

    ----------

    Something clever
  14. Re:Obligatory no reg text by mumblestheclown · · Score: 4, Insightful
    NYtimes charges no monetary fee for access to the article. All that they ask is that you read some relatively non-intrusive advertisements and provide them with a fake name. In return, they supply plenty of bandwidth and writing by paid authors which, if not always agreed with, is conceded to be of generally high enough quality so that people actually want to read the articles.

    There is no reason to break copyright law and repost this article. This is an example of irresponsible internet behavior at its worst - there is no justification for such action - this is not 'fair use'--it's just laziness.

  15. These things really are problems by amishgeek · · Score: 5, Interesting
    I deal with Starband (Satellite Internet for those unfamiliar), and have seen problems with spambots/pornbots like this. People get infected with them, and they start spamming.

    Here's the thing though, with StarBand, they have an auto-imposed limit of around 500mb/week upload, and if you go over it, you are automagically shut off for a few days. The problem with this, and I have seen it happen, is that the Spam/Pornbots can infect a Starband customer's computer, and easily make them go over their weekly 500mb upload limit. Thus causing them to lose their internet connection.

    This poses a real problem, not only for the end user (The people I deal with are all in the far reaches of Northern Minnesota where Satellite Internet is the ONLY broadband option) but also for the ISPs. It's viruses/bots like this that make it even more necessary for legislation to fight spam.

    The writers of the Bots would be the spammers, not the owners of the infected systems. Just because I borrow your car to deliver the paper, does that mean that in reality, you delivered the paper because it was YOUR car?

    -I may not be amish, but I am a geek!-

  16. Re:Heh by guido1 · · Score: 5, Insightful

    To many people, a computer is like a screwdriver. They could care less about it, they just want to pick it up, make it work, and toss it aside when they are done with it. It's unfortunate, yes, but that's just the way it is.

    Why is this unfortunate? Do you want to know every nuance of the car you drive, just to get to work? How about when you watch TV? Do you really need to know about NTSC vs PAL? No, you want to watch TV.

    Computers should be no different. People just want to send grandma some pictures, surf the web, type a paper, whatever... Not spend forever updating their AV package, SP updates, etc.

    A computer is a tool. It is merely a means to an end.

  17. Indeed by Faust7 · · Score: 4, Insightful

    There are three types of people:

    (1) Those that recognize Microsoft's influence and approve of it.
    (2) Those that recognize Microsoft's influence and disapprove of it.
    (3) Those that are oblivious to Microsoft's influence and wouldn't care even if someone told them.

    Groups 1 and 2 are not going to have very many people switching from one to the other. Group 3 is going to have even fewer people leaving it. So the whole "people might start to understand" bit is, quite simply, B.S. It reflects the submitter's membership in Group 2 more than anything else.

  18. Where do I sign up? by Asprin · · Score: 5, Funny


    So you're saying all I have to do is install one of those screensavers shrouded in four web-site redirections and I can sit back and wait for some pirate in The Philippines to jack all the 1337 w4r3z and pr0n for me?

    Dude! This is better than PointCast **AND** Kazaa -- The stuff just shows up! It's like subscribing to the FBI files-you-shouldn't-have mailing list!

    Spyware and viruses r0ck!

    --
    "Lawyers are for sucks."
    - Doug McKenzie
  19. Technical details by httptech · · Score: 4, Informative

    There is a technical writeup here:
    http://www.lurhq.com/migmaf.html
    Mirror: http://www.joestewart.org/migmaf.html

  20. Terrible by Eccles · · Score: 5, Funny

    This is terrible.

    They put all that porn on my computer, and I don't even get to see it?

    --
    Ooh, a sarcasm detector. Oh, that's a real useful invention.
  21. Re:Heh by Trurl's+Machine · · Score: 4, Insightful

    Why is this unfortunate? Do you want to know every nuance of the car you drive, just to get to work? How about when you watch TV? Do you really need to know about NTSC vs PAL? No, you want to watch TV.

    I agree with the general line of your reasoning, but please observe that the examples you mention do not necessarily support your own thesis. First: if you don't know NOTHING about "NTSC vs PAL", you might quite soon end up with an unpleasant surprise buying video tapes abroad. Say, you might be an American on a trip to Amsterdam, taking advantage of their, uh-huh, liberal law regarding the pr0n. Ditto for European in Tokio.

    With the car, it's even worse. You can't drive a car without valid license. The authorities consider untrained drivers too much of a threat for the public (and the drivers themselves). And it becomes more and more obvious that the Internet is also a very dangerous place for untrained computer users. You can damage yourself (sometimes just opening an email attachment) and cause damage to the others. You are absolutely right saying:

    People just want to send grandma some pictures, surf the web, type a paper, whatever... Not spend forever updating their AV package, SP updates, etc.

    ...but these days, computer users should have some basic training on "what attachments are likely to contain pictures from grandma - and what aren't!". Otherwise they might end up hosting some illegal warez server in their own house - without their knowledge.

  22. Re:Heh by dubious9 · · Score: 4, Insightful

    Yeah really, laugh. From the article:

    "The rogue program does not affect the Apple Macintosh line of computers or computers running variants of the Unix operating system."

    Let's see, it doesn't affect Mac's or *nixes, what else is there? Why didn't they just say that it affected Windows systems only? The average person probably wouldn't put that together. It reminds me of that scene from the new Austin Powers movie when Dr. Evil indirectly tells Mini-Me to go by telling everybody to get out, but then telling everybody but Mini-Me they can stay.

    Really, I've never seen this before. Usually you report which systems were affected rather than the systems that weren't. What reason, other than ignorance, would the reporter have not to mention Windows?

    --
    Why, o why must the sky fall when I've learned to fly?
  23. Re:Heh by Oliver+Wendell+Jones · · Score: 4, Funny

    I just got a new Nigerian Porn Dialer that offers a 1.5% cash back bonus and a higher credit limit, why would I want to give that up?

    --
    A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
  24. Wow! by Dark+Lord+Seth · · Score: 4, Insightful
    This NYT story describes how thousands of PCs have been used as porn spambots and reverse proxy servers, and mentions that they could be used for kiddie porn.

    So instead of their normal scare-mongering by involving terrorism in any way possible, they are now suddenly switching into scaring everyone by mentioning kiddie porn instead? Wow, such diversity! Next thing you know NYT actually becomes a good source of news with facts and interesting content without a "we will spam your ass off" scheme! Maybe right after DNF is released...

  25. Average users can help control SPAM by bigberk · · Score: 4, Informative

    The article makes a good point about unwitting hosts participating in world-wide spamming. A host that is insecure can become compromised by an automated worm or malicious attacker and then configured to relay junk mail.

    As a system administrator this worries me. Typically we use blocklists for netblocks that are known to be sources of spam. But when a random internet host is compromised and used as a mail relay, this slips past our blocklists (for a while).

    The moral of the story is that computer security and spam fighting go together. Though average users don't get the point, it is every internet user's responsibility to keep their host secure both for their own good, and to be a good neighbour.

  26. There are significant differences... by expro · · Score: 4, Interesting

    I cannot speak for later versions of Windows since I stopped using them, but I never saw a version of windows that does not force you to completely log off and back on to access privileged functions, encouraging people to run with privileges on all the time, because they cannot just enter the password for privileged activities. Su does not exist, nor does sudo.

    Most other modern versions of OS's are significantly better (Lindows early versions were an exception). Just having su and sudo is much better.

    OSX has no root enabled by default, and relies on sudo to limit elevated privileges to single operations.

    GNU/Linux/XFree86 systems typically give warnings when the user logs in to the window manager as root, give a limited environment with a red background, etc., and on the other hand make it easy for the user to run without elevated privileges most of the time.

    And the monoculture is also inherently less even if everyone were to use Linux, because the licensing allows significant derivative / deviant branches.

    Claiming that Linux would be no better if it were as successful as Windows ignores facts.

    This is just the tip of the iceberg. I have been on an email team faced with the question, do we allow contents to auto-execute, which actually thought about the problem before blindly implementing it, unlike Microsoft.

  27. Re:Heh by CharterTerminal · · Score: 4, Funny

    [...] every day, I get phone calls about pr0n email that she has received. She takes great delight in explicitly describing the contents of the message, and then pretending to be offended. Then I get the "Why don't you do something about this" statement.

    Tell her "Look, lady, I'm sorry if you feel neglected, but I'm sending out as much of it as I can. I'll send you a couple extra tonight when I get home, but after that, I can't make any promises." Then apologize for having misspelled "barnyard" in the subject line.

  28. Re:Heh by bmj · · Score: 4, Interesting

    It isn't elitist to say that computers are fairly unique and complex devices. Just because everyone uses one now, improperly for the most part, doesn't mean they should or even can magically become television sets with six buttons on the front.

    Good point...but...then they shouldn't be sold as such. If you're going to market your computer/operating system as "easy enough for grandma to use" then it better be easy enough for grandma to use.

    Products will have a development cycle that gradually make them more and more user friendly. Remember programming with punchcards? Remember the days before UIs? Computers are very much like cars and toasters and VCRs. All you're showing is an elitist attitude. You are obviously a smart person (and I don't say that sarcastically), and you enjoy having a complex machine to work with. Great. But you make up about 5% of the demographic that most software and hardware companies are designing their products for.

    There is a place for complex software...there's also a place for simple software that works as advertised. There _will_ be a computer with six buttons on the front sooner rather than later, because that's what the general population wants. Not everyone is a hacker, and like I said, most companies in the industry aren't getting their profits from hackers like you (or me).

    By your logic, a VCR should be just as simple to use as a shampoo bottle, and thus, so should computers.

    Perhaps a bit of overstatement there, eh? I don't expect my shampoo bottle to safely connect to the internet and send email. But if I purchase an operating system that claims it does that, it should do it. I don't need to understand the engineering behind the top of a shampoo bottle to open it. Nor do I need a degree in electrical engineering to play a VHS tape. So why should I have to be a hacker to safely send and receive emails?

    --
    Whereof we cannot speak, thereof we must be silent. --Ludwig Wittgenstein
  29. Re:Heh by chimpo13 · · Score: 4, Funny

    Prove yourself competent? Oh yeah, that's why Americans are such great drivers. In fact, I'm on my PDA on the freeway eating Burger King. I just finished shaving, so I figured I'd flip through slashdot while I drove. Oh, there goes the cell phone. Now I'll have to turn down the volume on Star Wars which is showing on the dashboard of my SUV.

  30. Re:Heh by StarFace · · Score: 4, Insightful
    That is the very crux of the issue right there. A shampoo bottle is designed to do two things, keep the shampoo from drying out, and spurting it on your hand in the morning. A VCR is designed to do one generalized task, play and record video tapes. People do not expect it to do much more than that. Fancy VCRs primarily just have features that embellish the core functions. Fancy shampoo bottles have better smelling shampoo.

    Computers, on the other hand, are designed to be in partial to full control of nearly anything. In their desktop and laptop form, they are extremely generalized, and a skilled person can do all manner of tasks on it, up to and including writing their own operating system for it.

    The problem, in my opinion, is the marketing not the computer. It is fully possible, and indeed there are examples, to make computers specifically designed to do non-generalized tasks, such as the one you provided at the end, reading and responding to email. It is the responsibility of manufacturers to make and support devices that do this, instead of selling all-in-one-wonder desktops that can do everything from receiving television signals to crunching gigabytes of data in some rendering farm in Simi Valley, California.

    I completely agree with your viewpoint there. Where I do not agree is that the desktop concept should be reduced in complexity to become a lesser all-in-one, just for the sake of ease of use. That is what specific intention devices should be manufactured for. There is a legitimate need for multi-purpose machines that goes beyond just satiating types like ourselves that like to tinker.

    Oh, and by the way, I know people who do expect their raspberry mango shampoo bottles to connect to the Internet, people want it everywhere. :)

    In summary, I don't think things are as bad as you make it sound. Yes, they are more expensive, but if all you want to do is email and a little word processing now and then, an Apple works just fine, and is enough out of the way or the mainstream to where you do not need to be hyper-paranoid about security. When you use something that is by far the most popular, and hated, operating system, in an interconnected semi-anonymous world, you have to expect a little overhead in keeping things secure. If hypothetical person A does not want to put up with that, there are alternatives that work quite nicely, even in the realm of specialized devices. I saw a little black box with a keyboard that hooks up to Earthlink that allows you to do email, and that is it. Bravo.

    Once the problem with getting good alternatives to the generalized super-machine is overcome, then you really only have the newness of the tech to get over. Computers are a vast thing. Even the most hardcore geek could not claim to have significant knowledge in more than a few branches (or meta-branches,) and there are thousands of branches -- all weaved in such a way to create potentially millions of pseudo-branches through combination. The fact that we have gotten computers to the point that we have, where a vendor like Apple and even some PC vendors, can send out a machine and have a complete novice checking email a few hours later, is pretty impressive (and I am not even going to try and fix that run-on sentence, I get tired just looking at it.)

    Anyway, sorry about the glib response earlier, I just get tired of the car and VCR analogies, because a turn signal stick does one thing, it operates a blinking light -- whereas a computer has to have the hypothetical turn signal programmed, and the same physical material that allows the turn signal software to work can be wiped clean and turned into a SETI number cruncher by somebody else. A powerful ability that implies the potential for powerful mistakes. :)

    --
    V
  31. Re:It's not always the end user who is at fault... by PhxBlue · · Score: 4, Informative

    Is the problem just one of your e-mail being harvested off the webpage(s)? If so, try this:

    <script language="JavaScript">

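    // Assemble the mailto link at render time so the complete address
    // never appears as a single string in the page source.
    function writeAddress(name, domain, msg) {
        document.write('<a href="mailto:' + name + '@' + domain + '">');
        document.write(msg);
        document.writeln('</a>');
    }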

    </script>

    Blah blah blah

    <script language="JavaScript">
    writeAddress('mymail', 'nospam.com', 'E-mail me!');
    </script>

    Now you've produced a document which displays links to e-mail addresses, without specifying any easily-harvested e-mail addresses in the source of the document.

    --
    !#@%*)anks for hanging up the phone, dear.
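
Added example, not part of the comment above or of the original thread: a check a site owner can run over their own page source to see whether an address is readable without executing any script, comparing a plain mailto link, entity- and percent-encoded links, and the script-assembled form from comment 31. The function names and sample pages are constructed for illustration.

```javascript
// Added example: audit a page's static HTML for e-mail addresses that can be
// read without running any script. All sample pages below are constructed.

const ADDRESS_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;

// Convert a numeric code to a character, ignoring out-of-range values.
function fromCode(code) {
  return code <= 0x10ffff ? String.fromCodePoint(code) : '';
}

// Undo the encodings that hide an address from the eye but not from a
// parser: numeric/named HTML entities and %XX escapes in mailto: URLs.
// &amp; is decoded last so "&amp;#64;" stays the literal text "&#64;".
function decodeSource(text) {
  return text
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => fromCode(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => fromCode(parseInt(dec, 10)))
    .replace(/&commat;/g, '@')
    .replace(/&period;/g, '.')
    .replace(/%([0-9a-f]{2})/gi, (_, hex) => fromCode(parseInt(hex, 16)))
    .replace(/&amp;/g, '&');
}

// Unique, sorted list of address-shaped strings in a piece of text.
function addresses(text) {
  return [...new Set(text.match(ADDRESS_RE) || [])].sort();
}

// plain:       addresses present verbatim in the source
// encodedOnly: addresses that appear only after decoding entities/escapes
// clean:       true when neither list has an entry
function auditPage(html) {
  const plain = addresses(html);
  const encodedOnly = addresses(decodeSource(html))
    .filter((addr) => !plain.includes(addr));
  return { plain, encodedOnly, clean: plain.length === 0 && encodedOnly.length === 0 };
}

// Constructed sample pages; the last one mirrors the snippet in comment 31.
const SAMPLES = {
  plainLink: '<a href="mailto:mymail@nospam.com">E-mail me!</a>',
  entityEncoded: '<a href="mailto:mymail&#64;nospam&#x2e;com">E-mail me!</a>',
  percentEncoded: '<a href="mailto:mymail%40nospam.com">E-mail me!</a>',
  scriptAssembled: [
    '<script language="JavaScript">',
    'function writeAddress(name, domain, msg) {',
    "  document.write('<a href=\"mailto:' + name + '@' + domain + '\">');",
    '  document.write(msg);',
    "  document.writeln('</a>');",
    '}',
    "writeAddress('mymail', 'nospam.com', 'E-mail me!');",
    '</script>',
  ].join('\n'),
};

// Run the audit over every sample and return the results keyed by name.
function auditAll(samples) {
  const report = {};
  for (const [name, html] of Object.entries(samples)) {
    report[name] = auditPage(html);
  }
  return report;
}

console.log(JSON.stringify(auditAll(SAMPLES), null, 2));
```

The audit covers static source only; any client that executes the page's script sees the same rendered link a browser does.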