Identifying Compromised Websites
linuxwrangler writes "'An infectious disease broke out recently in a number of communities. We'd like to tell which communities they were, just in case you were visiting one at the time, but we can't. It would be bad for business, after all.' Thus begins an interesting column in InfoWorld's Gripe Line in which Ed Foster discusses the astonishing secrecy surrounding the identity of the sites that were compromised by Scob/Download.ject and spreading malicious code to their visitors. As Foster notes, when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a business's server poisons our computer?"
The following web sites were infected: http://www.a=20 ]} } } }&..}=3Dr}'}"}[NO CARRIER]
What inform the consumer?!? But then we can't sue for spilling hot coffee on our laps, or dying from cigarettes (takes a drag). Oh the humanity!! Of course they should, but they won't because that would mean they have to admit they suck. The first rule of recovery is admit your problems.
They're probably too scared of being sued, or seeing the share price fall through the floor.
Unlike the food example, where bad food could kill you, a computer virus in your home machine won't, so they think it's best to cover it up and not admit to anything, by which time the user is more concerned with getting rid of the virus than working out where it came from.
-- Soruk
...ISPs don't block access to these sites as well.
I suppose there's a lot to be said for open security policy, but people don't die from compromised serveritus.
If a site I ran was hacked, I sure wouldn't go out telling everyone about it, nor would I want anyone else to either. I'd want to handle things as quietly as possible, yet the article implies there's something wrong with that.
What's up with that?
-- d'arcy poirot
In one case, public health is at stake. Lives. In the other, an annoying computer problem.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
The question is, what is the most effective way to do so? Legislation? I prefer to keep as much power away from politicians as possible, and since companies have deeper pockets than I do it doesn't often work. Customer protest is effective, but you have to find out who caused the problem. The same with email campaigns.
Posts on Slashdot with links to the offending site might be the most effective because they can take down the infected server directly under the bombardment of thousands of page requests all at once.
Although this is not true of Scob/Download.ject, most malicious code is found on sites of ill repute (p0rn and w4r3z). Obviously most people don't admit to visiting these sites and thus the problems go unmentioned.
I, personally, feel that is a more problematic situation in terms of ultimately halting the spread of malicious code, not necessarily the unwillingness of reputable sites to go public about their (relatively few) malware/trojan/virus problems.
Here in the UK to serve people hot food you must have a certificate to show you know basic hygiene.
Should we force web administrators to prove they know how to keep their boxes clean?
In the case of food poisoning, a person can get violently ill, or even die. In the case of an infected website, the worst that can happen is that their computer needs to be reformatted, or the worm copies private information off to some random email.
Food poisoning typically can't be avoided until after the fact; people can take preventative measures against worms.
Also, many of those sites do business online; while we'd like to think they'd be forthright with their customers, many PHBs would rather die a slow painful death than ever admit to their customers that their site got infected. Since full disclosure is nice but not necessary, PHBs will take the easy way out.
libertarianswag.com
If it can hurt/damage you or your property, then you should be informed.
If not, there's no reason for you to be informed.
Yes, the organizations should disclose the info, and for them, they have nothing to lose, since they are just a third-party security organization. But you can bet they then would be the target of lawsuits. Blame America's litigation-happy society for this paranoia.
There's 10 types of people in this world, those who understand binary and those who don't.
In the event of a food poisoning lives are at risk, while in the case of an infected computer, the worst case is lost $$$. That being said, this could be a litmus test for sites that were compromised. The ones that come clean right away gain respect, the ones that try to hide are shunned and ridiculed. But in answer to the question, a content provider should not be required to disclose infection, only encouraged. The government has too many fingers in my pie already.
is cya.
wow! not many replies to this topic with scores > 1... come one people!
-f.
...and remember in your brain boggle, wrong starts with a wubble-u.
It sounds like a good idea for a moment, before you think about it. First of all, most web content is offered as free with no warranties or guarantees of anything. You surf at your own risk. Second, a person may go through hundreds of web sites in a day, and tens or hundreds of thousands of people may hit your site. Third, most people with any sense have some form of antivirus on their computers, and those that do not are either asking for it and they know it, or wouldn't know what to do if they did get a virus. In reality, virus protection is the responsibility of the user. True, it is absolutely insane that people have unprotected web sites out there, but since the web is a public forum, there is really no way to say who does what without limiting the "for all people" part of it. The web is a beautiful thing because it is open to everyone, regardless.
...for two reasons. First, an infected website has never killed anyone. Second:
when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected.
There is no such thing as a health department for your computer. There are virus tracking sites, spyware removal programs, sites that offer updates to your protection programs...lots of things to help kill active infections and keep you informed of current ones. But there is no "USDA stamp" for clean websites.
Nor can there be. The internet has bounds beyond a single country. Any office claiming to have jurisdiction over all websites would be ridiculous.
Weaselmancer
rediculous.
Yes, if a trojan silently installed itself as I innocently browse a web page from an infected web server, and if as a result of that my banking details are compromised and my bank account is emptied, it would be rather annoying.
So which is more serious? Death of body or death of personality because of stolen information? What is more serious for a company, which has no body, but likely has much important information?
This is very serious, just not to meat bags like you or me. This should be a wakeup call to the corporations that using proprietary software is as dangerous to them as eating 3-day-old soft cheese is to a human baby.
Besides, it's also very serious to home users who are increasingly going paperless for their filing of data. Data which most people have no backups for, and data which viruses freely delete!
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
So what he's trying to say is that Infoworld's servers were among the infected, right?
I say, let them be identified, and let the lawsuits come. The article is wrong in implying that negligence to patch Windows is an innocent mistake. IT pros should either know to run a different OS or patch their Windows -- or they should be fired. Anything else is complete idiocy and they deserve to get the s**t sued out of them.
That being said, if this is found to be a vulnerability that MS never patched or patched improperly, the blame rests solely on them.
It seems like one could create a distributed site monitoring system for this purpose. A simple sandbox web app would periodically reload a list of sites and log a signature of either the contents or attempted actions encoded in the site. Each participant would offer to monitor a few sites in the background. A P2P comparison process would then correlate signature elements across sites -- peers would transmit their findings to other peers looking for something like Download.ject that appears as a new object/behavior across disparate sites. The peers could then alert each other across the mesh of the system when suspicious new objects show up.
Lacking a central authority, the companies would be powerless to shut down publication of these types of security breaches.
Two wrongs don't make a right, but three lefts do.
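As an added example (not from the poster or the article), here is a single-process Python model of the correlation step sketched above: each peer reports content signatures for the sites it watches, and an object is flagged only when it is new for a site and shows up on pages run by several unrelated operators at once. The page contents and the hostname bad-host.example are constructed sample data.

```python
import hashlib
import re
from collections import defaultdict
from html.parser import HTMLParser


class ActiveObjectExtractor(HTMLParser):
    """Collects what a page asks the browser to load or run: external script,
    iframe, object and embed references, plus the text of inline scripts."""
    WATCHED = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.objects = []      # (kind, tag, value) tuples
        self._inline = None    # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            self.objects.append(("ref", tag, value.strip().lower()))
        elif tag == "script":
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = re.sub(r"\s+", " ", "".join(self._inline)).strip()
            self._inline = None
            if body:
                self.objects.append(("inline", "script", body))


def page_signatures(html):
    """Map a short SHA-256 signature to the active object it stands for.
    Peers exchange only these signatures, never whole pages."""
    parser = ActiveObjectExtractor()
    parser.feed(html)
    parser.close()
    return {hashlib.sha256("|".join(obj).encode()).hexdigest()[:16]: obj
            for obj in parser.objects}


def registrable_domain(host):
    """Crude 'same operator' grouping so several hosts of one site count once."""
    return ".".join(host.lower().split(".")[-2:])


def correlate(baseline, current, min_operators=3):
    """baseline/current: {site: {sig: object}} as reported by the peers.
    Flag an object that is new for its site AND now appears on sites run by
    at least `min_operators` unrelated operators (one site adding a script
    is routine; many unrelated sites adding the same script at once is not)."""
    sites_by_sig = defaultdict(set)
    objects = {}
    for site, sigs in current.items():
        for sig, obj in sigs.items():
            if sig not in baseline.get(site, {}):
                sites_by_sig[sig].add(site)
                objects[sig] = obj
    return {sig: (objects[sig], sorted(sites))
            for sig, sites in sites_by_sig.items()
            if len({registrable_domain(s) for s in sites}) >= min_operators}


# Constructed sample data: four sites, an earlier and a current snapshot.
# "bad-host.example" is a placeholder, not a real indicator.
SHARED_OK = '<script src="https://cdn.example/lib.js"></script>'
INJECTED = '<script>window.location="http://bad-host.example/ads.php?id=1"</script>'
BASELINE_PAGES = {
    "news.example.com": "<html><body>News " + SHARED_OK + "</body></html>",
    "shop.example.net": "<html><body>Shop " + SHARED_OK + "</body></html>",
    "forum.example.org": "<html><body>Forum</body></html>",
    "blog.example.info": "<html><body>Blog</body></html>",
}
CURRENT_PAGES = {
    "news.example.com": BASELINE_PAGES["news.example.com"] + INJECTED,
    "shop.example.net": BASELINE_PAGES["shop.example.net"] + INJECTED,
    "forum.example.org": BASELINE_PAGES["forum.example.org"] + INJECTED,
    # one site adding a script of its own is not flagged
    "blog.example.info": BASELINE_PAGES["blog.example.info"]
    + '<script src="/js/comments.js"></script>',
}


def run_demo(min_operators=3):
    baseline = {s: page_signatures(h) for s, h in BASELINE_PAGES.items()}
    current = {s: page_signatures(h) for s, h in CURRENT_PAGES.items()}
    return correlate(baseline, current, min_operators)


if __name__ == "__main__":
    for sig, (obj, sites) in run_demo().items():
        print(f"ALERT {sig}: {obj[1]} {obj[2]!r} new on {', '.join(sites)}")
```

The shared CDN script is in every baseline and the blog's new script appears on one operator only, so neither is reported; only the object appended to three unrelated sites at once is.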
Tracing the ancestry of a bacterial strain that affected hundreds of people is relatively easy compared to tracking down the sites that affected millions. Disease outbreaks take hundreds of man-hours to actually track down, and frankly I don't think it's possible to get to the root of a computer based problem that affects thousands (if not millions on a worldwide scale).
Maybe someday.. just not now.
Watch, as the internet becomes more and more part of the infrastructure of the worldwide information systems, companies in the future will lobby for a similar bogus-security rationalization for keeping internet-infrastructure compromises secret.
Not that relevant to the article I suppose, but an interesting angle.
"'Yrch!' said Legolas, falling into his own tongue."
interesting? come on. that's just a crap joke. (i guess this is informative now..).
This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.
Possibly yes, but are you really sure that the Linux world is ready for 100 million tech support e-mails a day from people's relatives asking "how the hell do I setup xyz piece of hardware?". I know that for now I'm happy to sit in my own little Linux world where I have all the good fun of not worrying about virii and pretending that I have a learning disability whenever anyone asks me for help.
What if the website where you got the virus was set up by a kid, or some high school students, or just a hobbyist? You can't sue them, or expect them to do anything... they probably haven't looked at their page in months. And people don't pay for web content in most cases, so how can you expect a guarantee for it? And, would you really want government inspectors coming to your business, going through your personal web pages to see if they are properly protected? Would you want to have to submit them paperwork saying that you had taken proper precautions? Nobody wants that. Keep the web free and available to anyone with a voice, for all. I am against ANY form of government control over the web (except for stuff like kiddyporn and other such garbage). But this is just my opinion.
oops - should have hit preview (but the dogs need to go out NOW) ... forgot to close the bold tag :-( Didn't mean to shout.
No single security company is willing to do the finger pointing. It doesn't make sense for the reasons explained in the article.
What we need is for the various anti-virus software makers to agree on a protocol.
What this means is that, as soon as the anti-virus software is able to identify the threat, any time it encounters a web-server infected (as the user browses such site) it should send an alert to a centralised web-site. This site would list all the infected sites.
A smarter step would then be for the anti-virus software to regularly cross-check your recent browser history against the infected-listed sites.
This way no one company is doing the finger-pointing. It is rather a distributed effort, based on a common protocol.
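As an added example (not from the poster or any anti-virus vendor), here is a Python model of both halves of the protocol proposed above: clients report a host to the shared list when they detect the known threat while browsing it, the list publishes a host only once several independent reporters agree (so one faulty or hostile client cannot list a site), and a client then cross-checks its local browser history against the published infection windows. Hosts, reports and history lines are all constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit


def parse_ts(s):
    """Timestamps on the wire as UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_host(url):
    """Reduce a URL to a comparable host: lower-case, no port, no leading www."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host


class InfectedSiteList:
    """The shared list. A host is published only after `quorum` distinct
    reporters name it, so one faulty or hostile client cannot list a site."""

    def __init__(self, quorum=3):
        self.quorum = quorum
        self._reports = defaultdict(dict)   # host -> {reporter_id: first_seen}
        self._cleaned = {}                  # host -> time the site was verified clean

    def report(self, reporter_id, url, seen_at):
        """An AV client saw the known malicious object while browsing `url`."""
        self._reports[normalize_host(url)].setdefault(reporter_id, parse_ts(seen_at))

    def mark_clean(self, host, at):
        self._cleaned[host] = parse_ts(at)

    def published(self):
        """{host: (window_start, window_end or None)} for hosts meeting quorum;
        the window starts at the earliest report so late reporters do not shrink it."""
        return {host: (min(reps.values()), self._cleaned.get(host))
                for host, reps in self._reports.items()
                if len(reps) >= self.quorum}


def exposures(history_lines, published):
    """Client side: which history entries fall inside a published window.
    Sub-domains of a listed host count; look-alike suffixes do not."""
    hits = []
    for line in history_lines:
        ts_s, url = line.split(" ", 1)
        ts, host = parse_ts(ts_s), normalize_host(url)
        for bad, (start, end) in published.items():
            if host != bad and not host.endswith("." + bad):
                continue
            if start <= ts and (end is None or ts <= end):
                hits.append((ts_s, url, bad))
    return hits


# Constructed sample data; none of these hosts or events are real.
REPORTS = [  # (reporter_id, url, seen_at)
    ("r1", "http://shop.example.net/", "2004-06-20T00:00:00Z"),
    ("r2", "http://www.shop.example.net/cart", "2004-06-20T03:00:00Z"),
    ("r3", "http://shop.example.net/", "2004-06-21T00:00:00Z"),
    ("r1", "http://news.example.com/", "2004-06-24T08:00:00Z"),
    ("r2", "http://news.example.com/", "2004-06-24T08:05:00Z"),
    ("r4", "http://news.example.com/", "2004-06-24T08:10:00Z"),
    ("r1", "http://blog.example.info/", "2004-06-24T08:20:00Z"),  # one voice only
]
HISTORY = [  # constructed "timestamp url" lines from a local browser history
    "2004-06-19T23:00:00Z http://shop.example.net/",                  # before window
    "2004-06-22T10:15:00Z https://WWW.shop.example.net:443/item?id=7",
    "2004-06-26T09:00:00Z http://shop.example.net/",                  # after cleanup
    "2004-06-24T09:30:00Z http://news.example.com/story/1",
    "2004-06-24T09:31:00Z http://blog.example.info/",                 # never listed
    "2004-06-24T09:32:00Z http://news.example.com.lookalike.example/",
]


def run_demo():
    shared = InfectedSiteList(quorum=3)
    for reporter, url, seen in REPORTS:
        shared.report(reporter, url, seen)
    shared.mark_clean("shop.example.net", "2004-06-25T12:00:00Z")
    return exposures(HISTORY, shared.published())


if __name__ == "__main__":
    for ts, url, host in run_demo():
        print(f"{ts}  visited {url}  while {host} was listed as compromised")
```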
The Spanish variant is worse. It turns those funky upside-down question-marks at the beginnings of the sentence into little Microsoft MSN butterfly-man icons.
Can you imagine that. I know it makes me fearful.
fifth sigma, inc.
In rare cases a computer virus could easily cause death. Imagine if that had gotten into a system being used to monitor a critical system. The idea that computers CAN'T kill is obviously wrong.
But let's think up a better analogy. Credit card swipers were attached to banks in Sydney, as soon as police found out they announced exactly which banks were being targeted. So in this situation the worst that can happen is loss of money.
It's hardly fair to protect the "person" who was spreading the virus (albeit through not keeping their systems secure), and not do everything to clean systems that were infected. And to do everything means helping people identify if they've been infected.
groklaw, wired and slashdot. The holy trinity of work based time wasting.
List of sites infected (spoof ... they probably weren't but i don't know)
........
... Ok, how many of the above did you click. None, ok, I believe you, but how many is Grandma going to click?
http://www.cnn.com/
http://www.msn.com/
http://www.slashdot.org/
http://www.ilovebacon.com/
The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation.
The issue is ultimately about the public's lack of concern for computer, and more generally, digital security. My opinion is that this lack of concern stems from a lack of knowledge about the technologies we use.
I think the situation is more dangerous than most professionals realise. The majority of the people in IT shrug off security concerns. "We can always reinstall" or "we'll upgrade later" are common responses to warnings about insecurity and vulnerability. Most businesses and even governments entirely ignore digital security concerns.
We have a modern economy that depends entirely upon computer networks and data flow. All of our communication depends upon it too. So do public utilities and emergency services.
But at the same time, we perpetually neglect to protect these systems that we rely on. OS security is literally a joke; server security may or may not be a concern depending on how anal the operator is; and data encryption is still, for the most part, undiscovered by the masses.
>>If not, there's no reason for you to be informed
Define hurt.
If say some code gets onto my machine and just spins processor cycles..even though it's not really 'hurting' anything I still have the right to know.
Granted, I'd see the CPU spike, and I'd kill the process and track down the executable/script. But Joe Sixpack doesn't know how to do this.
wbs.
Huh?
Slashdot was not one of the infected communities because we're not allowed to link to offsite graphics in HTML code on this site.
However, any community that does allow this, which is a factory-equipment feature in all of the major webboard packages, was at risk and most likely got hit. All it takes is one user posting an image on an infected server in a popular thread and that site would be spreading the virus to any reader who isn't running a properly protected computer.
Bottom line, the restaurant analogy is flawed... it wasn't anything done wrong in the kitchen, but rather it was a virus that was brought in and spread around by the customers. The solution to that would be a web equivalent of "No shirt, no shoes, no service" being that web boards shouldn't be allowing remote linking because of this possible threat vector... but, uh, try stuffing this genie back into the bottle.
eBay was among the notable victims because they allow remote image hosting. On the other hand, if they didn't they'd either be on the hook for all of the bandwidth or have to take the picture features out or at least scale it back. Since pictures are a key thing that makes auction prices higher and eBay's revenue mostly comes from taking a percentage of the auction result... I don't think that's gonna happen.
Which we identified from our logs (and blocked) has the following text on its home page:
"THE TRUSTED RESOURCE"
"OVER 75 YEARS OF TRUST"
Not any more...
"Shouldn't we demand the same when a businesses server poisons our computer."
What you do not smell is called iocane powder. It is odorless, tasteless, dissolves instantly in liquid, and is among the more deadlier poisons known to man.
All right: where is the poison? The battle of wits has begun. It ends when you decide and we both drink, and find out who is right and who is dead.
Now, a clever man would put the poison into his own goblet, because he would know that only a great fool would reach for what he was given. I'm not a great fool, so I can clearly not choose the wine in front of you. But you must have known I was not a great fool; you would have counted on it, so I can clearly not choose the wine in front of me.
This story reminds me of those inane AOL commercials about computers getting sick. Let's get sensible here. Computers do not "get sick." They do not become "poisoned."
A virus sometimes infects the Windows OS. At best, run a virus checker and stop it before you are infected. At worst, do a reformat and be done with it. You have a backup anyway. Right?
If you don't want to deal with virii in any form then run OS X or Linux. Problem solved.
The thing is that the web has a life of its own and it would be really hard to control it like that. Anyone can open a website anywhere and put almost anything on it. How would you force that random individual to be guilty for the virus they spread? The internet was not originally designed to be a controlled environment where you can hold others responsible if something bad happens to you; it's not America. You have to watch your own ass.
Some things might be "morally" right, but could never happen in reality.
Disclosure of sites that were infected isn't the same thing as the owners being liable for damage done.
Unlike the food example, where bad food could kill you, a computer virus in your home machine won't.
Explain that to the sailors on the USS Yorktown.
Yes, I know it wasn't a virus. It was bad SQL Server-based code. Sadly, Microsoft is equally vulnerable to both.
The Internet right now is a very sick place, and it's going to take some distasteful medicine to make it well.
...achoo! thanks a lot /.
"The idea that computers CAN'T kill is obviously wrong."
A plausible example would help make your case. I disagree on this point until convinced otherwise. Saying "what if it got into a critical system" isn't compelling. Virtually anything is possible; I'm more concerned with what is realistic, not what may, possibly, in very rare cases (or never in real life but only in theory) occur.
Now, onto the more important point. On this we may also disagree, but I feel it is up to the individual to keep their system clean, not the government to clean it up for them after the fact. My government can't keep anything of consequence straight without continuous oversight and scrutiny. Why on earth would I burden it with something which is rightly the individual's (or company's) responsibility?
is unleash the lawyers on anyone who attempts to UYA*, even if they are doing it in the public interest.
*Uncover Your ASS
I think the focus on Ject's infection of web browsers visiting the IIS servers is incorrect--if having an infected IIS server is a crime and must be acknowledged publicly, then possessing an infected normal desktop should also have a mandatory public acknowledgement--I want to see a list of every American who had a Blaster infected computer. If you want biology analogies, this is equivalent to insisting on mandatory publications of the names of HIV positive individuals.
No, on the internet everyone is responsible for making themselves secure--if people without malicious intent are imprisoned for security violations, we would never have enough room in all the prisons in our country.
But if a security break in reveals information that I have entrusted on the remote site--there should DEFINITELY be required publication of that, at least privately to the victimized individuals. This is something the marketplace cannot self-regulate--how can I choose a secure business to cooperate with when I don't know when the security of my information is being violated?
I think a better analogy would be a person with an infectious disease. They are not sued, as they are victims themselves, but they require quarantine and attention so they do not infect other people.
If any company, gov't organization or health service did not report an infectious disease, then there would be cause for lawsuits. Acting responsibly for the public good should not be penalized.
I know I would want to know if I was exposed, whether to an infectious disease, or a potential viral problem. ( I use linux, but some inside the network use windows. )
IT should put the blame where it belongs, right at MacroShaft's doorstep. They have been unable to mitigate the virus/worm problem for over 15 years.
"So which is more serious? Death of body or death of personality" Are you serious? DEATH is more serious moron. God damn man, "death of personality" isn't even a real problem. You write a few letters, make a few calls, maybe at the worst get a lawyer and spend some money. DEATH is non-fucking-negotiable. You're dead? Good luck getting that undone. How about this, I'll let you have all my personal details if I can chop your head off afterward. What, you're not interested?
It doesn't hurt/damage you or your property. What you own in your computer is hardware. There are very few viruses that can affect it.
As far as the software/OS, all you own is a license -- an abstraction that remains unaffected by viruses or worms. Even if your XP installation is completely foobar, you still have the exact same legal rights to use them.
I knew that recent "downtime" wasn't just for "upgrades". It's an imposter! It's a Phisher site! It's of the body! One of the pod people! :)
this is the funniest comment I've seen in ages.
That is the troubling information that comes from this type of misreporting and nondisclosure when it comes to security issues involving computers. Other posters have compared this to food poisoning incidents at a restaurant. While not completely accurate, the real comparison would be if a newspaper stated that some restaurants had bad meat but they wouldn't report it due to the bad image this may give those businesses.
News organizations should not be concerned with the impact on a business's image!
Ibsen wrote a play about it, that's how old it is. It was made into a movie with Steve McQueen. The plot seemed scarily current, like it was taking place today, not almost a century ago.
On the flip side, you could also be blamed for not keeping your computer patched, so it's your own fault for not securing your bank info.
attrition.org used to have a very up to date website defacement list. This publicly showed which companies were compromised and served as a hall of shame.
Why not continue along these lines?
Excellent timing of this; the Spokesman Review had an article a few days ago about how grocery store names in Washington state who got shipped potentially bad meat from the Mad Cow epidemic are being withheld, and the newspapers were denied their information requests on some obscure grounds. I'd say the website attacks are being treated like any similar situation.
"...when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a businesses server poisons our computer.
Here's the key difference... when a food poisoning outbreak is detected, it's traced and made public because it has been investigated by a government agency, usually the health department, and that department has regulations and rules in place that tell them they have to publish said information.
When a website is compromised, the owner is not legally bound to tell the visitors anything, even if the visitors are suddenly susceptible to an attack. (I suppose they could conceivably sue for damages done to their computers, but that's a different avenue.) They are not bound by this, because they are not regulated by any government agency.
So, what's the solution? Have the gov regulate the interweb? Perhaps you have to have your site approved by a governing body before it can be made public? Do you have to get said body's approval every time you update a page? Where's it end?
Sure, in a perfect world, the owner of a site should make news of an attack public, but one of the great things about the internet is that it's left to the owner's discretion, not mandated by a government body. I think it's a fair tradeoff, IMHO.
Once and for all, it needs to happen, the lawsuits. SOMETHING has to be done for the consumers out there with these "products" that have NO WARRANTY, no suitability for purpose. That's the real question, not what gets done with the software, it's whether or not the software actually works as intended, and if the security is so lame that after years and years any few lines of script can compromise it, it's broken, flawed, shouldn't be sold or used until it is *really* fixed. Recalled, like any other broken product. On one hand, untold billions in profits, people going from working in a garage to multi billionaires in a few years, yet no warranties for their products. Say WHUT? The get out of any responsibility EULA is teh devil. It's the biggest problem when it comes to usability and security on the web. Nothing else comes close to causing so many problems as just universally adopted yet still bogus crapware. No other industry gets such a skate, zero. The only other one with such a deal is major league baseball, they have a special deal to be a monopoly, and it's only entertainment after all, but software people rely on to work, to make their living or to use for their other creations, to communicate, and they expect it to function and be at least reasonably secure. For sale software which is touted as just for lease as-is with no warranty? Nope, it's time that the for-financial-profit software industry is recognized as "mature enough" to require warranties, and if that means a certain few large companies have to eat it and re-code, too bad. I'm looking down the page and you know who has such an obscene amount of literal cash they can buy back millions of their shares and still have more than many small nations' GNP in the bank. But no warranty. Why is this? If less software is released but of much better quality, to satisfy a certain minimum warranty, then great. If it means their "stock" takes a beating, too bad.
They want intellectual patents to protect their profits, they want to patent intangibles such as IP, they want all the advantages and opportunities to profit that incorporation gives them-then they can play by all the rules everyone else in business offering a product has to follow, a certain minimum warranty.
So, my vote goes for mandatory disclosure. If that means a victim gets sued by another victim, it has to happen sometime. If that means both of those people buy a clue and look upstream and join forces instead and sue the real profiteering scamsters, even better. And any savvy lawyer would see that, too. You want real constructive change, you want a real capitalist solution-let the laws apply to them and get rid of the get out of any responsibility "license" to print money they have.
...in Tijuana and don't wear a condom, you deserve what you get. Surfing the Internet with Internet Explorer is no less risky than unprotected sex in a cheap Tijuana whorehouse.
Serial Meta Moderator
"The problem for your problem!"
As Foster notes, when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a businesses server poisons our computer."
Maybe in the US it's like this, but not elsewhere.... In Italy, for a long time some nut would inject bleach and other similar liquids in water bottles... Quite a few people ended up in the hospital, but fortunately nobody died... Well, there was no way to find out the brands of the water bottles that were poisoned.... The media kept it all hush-hush, and it does the same for lots of other things...
That sounds a lot like spy ware to me.
"On the flip side, you could also be blamed for not keeping your computer patched, so it's your own fault for not securing your bank info."
If you're walking down the street, and someone beats you up and steals your money, does that mean that it's your fault for not taking karate?
You don't seem to understand the difference between "lawyer" and "judge." Why don't you look into it?
Shop as usual. And avoid panic buying.
All it takes is one user posting an image on an infected server in a popular thread and
It's a trap!
What inform the consumer?!? But then we can't sue for spilling hot coffee on our laps, or dying from cigarettes (takes a drag).
That settles it. First thing I'm going to do after I die is sue a cigarette company. Fuck 'em.
Caveat Emptor is not a business model.
Just out of moral "niceness," we should all know if we may have visited a compromised site. The downside to this is that maybe some site owners will not report their site as being compromised in the future out of fear of losing business once word spreads.
If not, there's no reason for you to be informed.
So, if a company is using business practices I find offensive but don't actually harm me, i.e. exploiting farmers in the third world, I don't have a right to know that?
(OK, right is probably the wrong word to use here, I didn't RTFA, but it sounds like the infected company wants to be able to sue anyone who says their servers are infected - imagine a company suing Amnesty for telling the world they use sweatshops)
... and this is why one expects from people who run the infected sites just shrug and say, "Hey, it's only money, we can rebuild the same site using more secure technology later..." -- and tell their customers that yeah, we've screwed up.
;-)
I personally would be more comfortable going to a site which admits to their mistakes and tries to patch them than to the one which tries to keep this hush-hush.
Paul B.
P.S. And yes, I have no personal reason to care just yet because I use Linux at home and my office computer is someone else's responsibility...
Depends- Am I just walking down a regular street?
Or am I walking down a dark alley in the 'wrong' part of town, blind drunk, with hundred dollar bills hanging out of my pockets?
I should be informed before I'm harmed, not after. To me that is the point you are missing. Then, I'm one of those "information should be free" nuts. I've never been convinced that deceiving people by withholding important information is good in the long run. It's amazing I'm still married.
... some people (at least used to) commit suicide when some embarrassing facts about them are revealed (or about to be revealed)?
Paul B.
Recently a virus called Scob/Download.ject infected various high profile websites running Windows based webservers. This virus also infected visitors to the sites through a bug in the Windows operating system. The virus was able to keylog your computer and transmit information such as passwords, web addresses you typed in the browser. This information was being redirected to a website in Russia. However the US-Cert department refused to publish a list of infected sites citing damages to the business.
My complaint is if a resturant down the street came down with E. Coli and people became sick or died the US FDA would of notified the public about this resturant and we would be aware of that resturant's name and location. It happens at IHOP's and Taco Bells and many other types of ressturants. I have yet to see either of those two chains shut down due to people avoiding them due to one E Coli outbreak. I would expect the same notification about a Website also.
Those websites that were infected were run by American businesses and not operated by foreign countries. US-CERT is just one portion of the Department of Homeland Security. And it calls into question if one department is afraid to release the truth because it may hurt someone's bottom line then maybe another group would decide to skip out on notifying people of a biohazard at some posh vacation spot in fear that they would ruin business there.
Thanks for your time Mr Senator.
Considering yesterday I was e-mailed a Bagle-AI (or AF is what clamd says it is) from the US House of Reps, exactly HOW are the people who 'create' the laws gonna get the 'laws right' on trojans?
A plausible example would help make your case
There was a case of a radiation machine (it could produce X-rays or radiation for treatment of tumors, depending on settings) that killed a few people. The issue? The people who set it for certain treatments got used to entering things a certain way, and when any changes had to be made, they just 'arrowed up' and corrected the setting. Unfortunately, the system had already set itself up for one type of treatment, and didn't fully reset for the other type of treatment, resulting in severe radiation overdoses that resulted in deaths for people who just needed an X-ray.
All because the computer wasn't programmed to double-check its settings and reset itself. (I know, it's the programmer, but what a programmer can forget, a virus/worm can mess up.)
Let me also mention Traffic Control computers (setting all lights to Green can cause fatal accidents at some intersections).
And Hospital Computers. What if a hospital uses some software to cross check medications against patient allergies? If that software crashes, patients can die.
Yet another one: What if a computer in a design firm used to calculate loads is tampered with? Those calculations might be used to build a skyscraper, which collapses.
So, YES, computers CAN kill.
I think Etrade is one of the compromised sites.
On their site they say "A new security threat is currently circulating on the Internet. It is in the form of a Trojan Horse program called Download.Ject." you see this as an alert when you log in, but you can also see it without logging in. Take a look here
Either way the punk who robbed you would still go to jail if he gets caught.
Not if the protocol is kept open, and the centralised database/site is run by an independent body.
The virus-scanning clients only need to send the info about which sites are infected with what virus. Nothing about the user necessary.
The scanning of the browser's history is an internal operation only, and only used to check if any infected site was visited recently. Not much different from doing a normal virus scan, except that instead of only checking against a library of known viruses, it also checks against a library of known infected sites.
you said:
If you're walking down the street, and someone beats you up and steals your money, does that mean that it's your fault for not taking karate?
Pure Hilarity ! ! !
music lover since 1969
..who just scanned his hard drive?
http://www.commaecho.com
We don't need another law or cyberhygiene certs. Instead something like an extension of W3C, that guarantees ppl the site they are interacting with is clean, and more to the point - uses proper html.
You ought to be able to click on the button and look up how long the domain has existed and its track record for spreading worms. Then you can decide if you want them to have their hand in your pocket or not.
No W3C, no way. Nobody would have to participate it would just be a good idea as long as you're not a total fuckup admin.
Okay then how about a real life example from my country (Australia). A "hacker" was using a computer to pump sewage into a local river as described by this article. Now it's entirely possible the same scenario could happen but instead using a widespread virus with a backdoor.
Is that example real enough and plausible enough for you?
Okay I agree it's up to the individual to clean their systems. So when I go to an infected site it's THEIR responsibility that they didn't keep their site clean. If they had I wouldn't have been infected. So therefore as soon as the site admin knows his site is infected he should shut it down. Just like companies withdraw products when they are faced with bribery by people who put poison inside the products.
groklaw, wired and slashdot. The holy trinity of work based time wasting.
Here's a recent example taken from the USDA recall site. Did you know that Wolverine Packing Company is recalling 101,600 pounds of fresh ground beef products that may be contaminated with E. coli? These were shipped on June 15. I didn't hear anything about it. These were shipped nationwide to "foodservice distributors".
Since nobody is likely to die from a downloadable virus, I doubt we'll see more accountability from the IT world.
Until corporations are held accountable, don't use IE and don't eat ground beef.
I can see a scenario where somebody announces their web site was hacked. Then a greedy ambulance chaser threatens to sue for negligence. In order to "prove" negligence, he'll subpoena all your computer systems, drown you in bad press, and lock you in an expensive legal battle. It'll be easier to pay him off, and thus a new industry is born.
"Your superior intellect is no match for our puny weapons!"
If it can hurt/damage you or your property, then you should be informed.
If not, there's no reason for you to be informed.
I would suggest that once a site has been compromised, they have an obligation to inform their customers of that fact, and the damage that the customers might be susceptible to. If a vendor's site doesn't propagate virii or other malware, then they should let their userbase know!
I have worked in several hardhat industries, and so often see "XX number of days since last accident". Web sites might want to (honestly) consider providing something similar.
With all of this SCO/Linux/IBM fud flying around, I really wish that there was something like an open source Vax/VMS solution for I386+ machines out there......
Shouldn't we demand the same when a business's server poisons our computer?
The answer is: Yes, we should!
The fact that people are not is a concentrated effort by established companies to change the rules. Why should they be allowed to change them? Simply because they are making money? Should they be making money while spreading this kind of virulent infection? Look to the food industry for that answer! Obviously NOT!
There is also the issue of defining what is "offensive". Because everything can be considered offensive to somebody, doesn't that rule out any kind of rights that corporations have to private information? Let's just say theoretically that a company pays certain employees different amounts of money for different jobs but as policy does not tell them the difference. If you find that action offensive does that mean you should know what the differences are so you can tell the employees? Granted this circumstance is slightly more dangerous, but that doesn't change the principle. Certain actions taken by companies simply are meant to protect its employees and its customers from embarrassment/harassment. Perhaps their current path of action, notifying those possibly infected, is the best choice.
If my memory serves me correctly, there was a site (defaced.alldas.de or alldas.org) which in its time would take snapshots of sites which were 'hacked' and also do an nmap against them to give a fingerprint.
This would be the perfect tool to grab a snapshot of a website which was infected, giving public record of the site's security.
I would be interested to know if there is anything similar on the net today.
I apologize for a mistype. "Their current path of action, informing those possibly infected, is the best for everyone" was based on the false assumption the company was doing as such. While I do agree that the company should be making an effort to track down people possibly infected, I don't believe that the general public needs to know which servers, sites, etc. were infected because it would result in harassment and probably an overreacted loss of reputation (granted the company does deserve some reduction of good standing for a security breech, it does not need the kind of shunning that would result if the general public found out their identity).
IF you are referring to the McDonalds Hot Coffee lawsuit, perhaps you need to read up on the facts of the case, the coffee wasn't merely hot, but was scalding.
From the link: The sweatpants Liebeck was wearing absorbed the coffee and held it next to her skin. A vascular surgeon determined that Liebeck suffered full thickness burns (or third-degree burns) over 6 percent of her body, including her inner thighs, perineum, buttocks, and genital and groin areas. She was hospitalized for eight days, during which time she underwent skin grafting. Liebeck, who also underwent debridement treatments, sought to settle her claim for 20,000, but McDonalds refused.
Sara
Designer, Gamer, Macgrrl in an XP World
More and more health care systems & hospitals are switching to computers for electronic medication ordering, drug interactions, etc. Most of these systems are (at least on the client side) Windows-based. Windows has IE.
Now, a good IT security policy would be to not allow these machines on the internet, at all. I don't know how many hospitals have such an IT policy (many might, many might not - I just don't know). But computers can and do have a dramatic effect upon people's lives - of course, final say should always rest with a human, but...
(Disclaimer: I work in the health care IT industry)
Obfuscation is not going to save anyone from lawsuits and in general, lying makes you an accomplice and liable for damages done by others. The damage was done and Microsoft should pay for it. If you lie to cover their ass and your customers suffer further harm, you too are responsible. A good class action suit can be made over this to punish M$ for their negligence, though that won't do end users any good.
Individuals have only seen the tip of the iceberg here. Their computers will have to be fixed, but that pales in comparison to all the money and time it will take from them if their bank account is siphoned dry by the crackers behind the scam.
Corporations with large windoze deployments are going to have real QA to do and that costs money. Those bills should be turned over to M$ directly and payment withheld to make TCO match projections. Banks have a double problem and need to look out for their interests before those of M$.
Banks that don't come clean should be subjected to lawsuits for not doing what they can. Banks infected should let their customers know, so they can look for signs of the infection on their own machines before more damage occurs. If they don't, every customer should assume they were infected and take corrective action. A good class action suit can be made over that one too. Telling the customer that they might have been hacked is the least the bank can do and not doing that makes them liable for damages.
The best action, however, is for everyone to just to dump M$. Security has been job one for two years now, but the result is more of the same. Free software does everything M$ can but better. Why do people insist on paying more to get less? The cost to fix the results of this latest mess would more than pay for the cost of a linux transition.
Friends don't help friends install M$ junk.
This fits in exactly with the whole attitude that somehow anything or anybody related to the software industry should not be held accountable for anything.
Software development quality in general is laughably bad in comparison to any other discipline that calls itself 'Engineering'.
But I'm preaching to the choir here...
any reader who isn't running a properly protected computer
you mean a non-iexplode.exe web browser?
Snowden and Manning are heroes.
However, any community that does allow this, which is a factory-equipment feature in all of the major webboard packages, was at risk and most likely got hit. All it takes is one user posting an image on an infected server in a popular thread and that site would be spreading the virus to any reader who isn't running a properly protected computer.
So what popular threads were banks running that allowed customers to spread this around? What popular threads were more widely read than something like BankOne?
Pray tell, what's a "properly protected computer", other than one that runs an alternate OS, when M$ has not released a fix? Slashdot and its community were not part of the problem because Slashdot users have enough sense not to run M$ trash outside of work where they are forced.
Your blame-the-user post is an obvious troll. This mess is Microsoft's from server to browser.
Friends don't help friends install M$ junk.
Well that would be the fault of the police, who exist only for the purpose of insuring there are NO wrong parts of town. Thus they aren't doing their job.
It would also be the fault of the criminal who insures we need police.
But it wouldn't be the fault of the victim, whose duty is to be taken advantage of and herded as the ignorant cattle they are by either the government (police) or its opposition (crooks).
Nobody is saying send in the inspection squads. Only that it be illegal to know and hide it. And it's the webserver, not the website which gets infected. Your homepage on Tripod doesn't qualify you to publicly admit anything; Tripod on the other hand owes the world a self imposed quarantine if infected.
If nothing else it would at least advise the discriminating consumer that X site or hosting company is using Microsoft servers so be aware. And hopefully help to stop some people from being infected by those servers.
tobacco companies spent billions on advertising since the warnings.
Said advertising influenced people's decision to smoke.
ergo: culpability.
Either that or advertising doesn't work.
Ergo: shareholder lawsuits for squandering billions
I agree people should bear responsibility for being a dumbass. But companies should bear responsibility for inducing people to be dumbasses.
"I am against ANY form of government conrol over the web (except for stuff like kiddyporn and other such garbage)."
Then you should say you are against MOST forms of government "conrol," or SOME forms of government "conrol." And "other such garbage" could mean almost anything. For example, in China, criticism of the government could be considered "other such garbage" by some.
ANY form of government censorship is bad, and I am against ANY form of government control over the web/Internet, period.
Either way the punk who robbed you would still go to jail if he gets caught.
But it's still pretty STUPID to do that, right?
Short, sweet, and to the point. I just know that if I was to visit a website that I didn't know was effected and caught something, I'd be pretty pissed. Just as if I had sex with someone who had AIDs when I didn't know it. Of course, there is protection either way.... one is a condom and the other being good ol' MoZilla. But you probably get my point.
"Instant gratification takes too long." - Carrie Fisher
Those compromised but unidentified websites are sending a very clear warning about Internet security: industry self-regulation is always going to translate into industry self-protection.
:)
Bullshit. What "industry"? Software has security holes, and I don't care what development model or software licensing model or legislative model you advocate, it will always have security holes. Remember, you're talking "lowest common denominator" here.
The best thing to do is pursue a good information policy (you'll note that Joe Public, the drooling casual user at least knows how to pronounce "security", if not necessarily how to spell it, compared to 5 years ago) and keep the admins responsible for doing their jobs and patching.
I've found ISP technical discussion groups to be fantastic forums for putting pressure on idiots who don't maintain minimal standards of security. There's also a growing trend in "industry" (whatever the hell that means anyway) to cooperate and share information about security response and new threat research. In fact, I'm helping some of my clients (big banks) build inter-company organizations like this right now. They love it.
As for the smaller shitty hacked mom-n-pop webservers, I hate to say it, but Microsoft (the prime culprits) _have_ been making it much much easier to keep systems up to date. Love 'em or hate 'em, they're catching on, and I've found their engineers and security types to be extremely motivated and cooperative.
As an affected company or user, you do not get around having up-to-date AV signatures, patched workstations and servers (I don't care how many you have, it can be done), malicious content filters for web/mail/whatever traffic and alert, skilled, well-paid security staff. Once again, this may spark the usual slashdot bitchfest of "I'm overworked, it can't be done, yada yada" but that..is...wrong. I've seen it happen, and the companies that did things right had fewer headaches, fewer costs, fewer bad things in general.
The author has a point, but he's reinventing the wheel. There are plenty of good, simple sources of information for management, developers, sysadmins, security professionals and casual users out there. What's sort of lacking is a way to pull it all together. Sites like secunia.com do a fantastic job of this (although they're too technical for Joe Sixpack) and most vendors of end-user security software certainly try.
I don't have a solution for the problem of users who just don't care, but I would challenge anyone to come up with one that doesn't break more than it fixes.
Boy do I have a chip on my shoulder today
Cole's Law: Thinly sliced cabbage
Yes! Go to $KarateSchool today! Personally I recommend a USP .45, or, if in California (or other states that permit it) a katana. Or a broadsword. (There are no laws in the CA penal code referring to swords. I've looked. IANAL, this isn't legal advice, but the CA DOJ has the whole thing on the web, and it's searchable.) Just don't conceal it.
Not a sentence!
Press space to respawn!
.. 9 .. 8 .. Go!
10
There is never, ever, any need for MS Comic Sans
Earlier this year there were some BSE-infected cows that were traced to meat that went to a restaurant or grocery store. The health department refused to name which place had the meat.
This administration still denies ranchers from voluntarily testing for BSE on all their cows.
There was also a story about how the Office of Management and Budget will review all health advisories before allowing them to reach the public.
Yes we need to take all safety precautions indeed!
Chris,
Php Programmers.
ensures
this was a joke, btw. hehehe
Just don't conceal it.
How would you go about concealing a katana?
Is that a wakizashi in your pocket, or are you just happy to see me?
Sorry folks, but most of what I see around here boils down to excuses for whatever side people happen to be on. My feeling is that the "ject" problem isn't contained in any reasonable way, because there's so much fear about the relevant information. Surely if it was "fixed", somebody would be bragging. As for the international battle about who gets to do what to who and when, you're all screwed in the head when you even have to debate those matters. Your hearts know what's right and wrong (which may depend on the situation, but the "rules" are constant, no matter your culture, religion, or social/economic background).
So much time and effort wasted trying to prove each other wrong, instead of trying to find common ground, and improving yourselves. Pride yourself on what humanity's achieved so far, and completely miss the boat on what we could do if Slashdot's energies were focused on pushing forward in the various arts and sciences.
Just something to think about. Flame as needed.
Microsoft has just released their much anticipated hands-free cordless mouse. Warning, it may hurt a little at first.
No. And you are entitled to be informed that someone beat you up and stole your money.
On the flip side, you could also be blamed for not keeping your computer patched, so it's your own fault for not securing your bank info.
Does that apply in general or only to computers ?
I'm wondering if you will be so understanding when I have stolen your belongings and done some nasty stuff to your person?
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
. . . it's obviously short for "function key"!
How should I know where i got my infection?
Let's assume /. was affected and let's say they put up a big sign saying "you might be infected through our site. We've sanitized our servers and if you're at risk in the future you're the first to know. Meanwhile download a check here and we apologize for the inconvenience"
Then I know they take me seriously.
The other possibility is "hey. we've caused infection of your computer, but we're not going to tell you. we don't give a shit"
If sites infect my browser they should do everything POSSIBLE to warn me. Legal issues? Dunnow. I'm more likely to get angry when they don't warn me than when I have to figure out where it came from...
Privacy is terrorism.
Why bother? If you had any decent anti-virus product, or applied security patches like you were supposed to, Download.ject would not be your problem.
Were the antivirus/security patches to prevent Download.ject running on a client computer available before Download.ject ever appeared? As a site owner, yes, proactive action would prevent the original IIS exploit that inserted Download.ject onto the web site. But I don't believe that antivirus makers had a solution for Download.ject until after it appeared. A PC user with all the latest patches and antivirus was still vulnerable if they visited a site of a nonclueful site owner.
In short... the existing toolset would have protected us from this threat vector. It only was a threat at all because of all the people who didn't. The solution isn't creating a new security program, but getting the clueless to use the ones we're already running.
I agree that the clueless are a major problem. The proposed P2P system addresses this issue in two ways. First, threat of public humiliation, loss of customers, and loss of market value should motivate clueless site owners to keep their patches current. Second, this P2P system is part of being clueful -- users protecting themselves by proactively scanning the sites that they visit for malware.
Finally, this P2P system serves a crucial role in the toolset -- helping detect new server-side malware. There will always be zero-day exploits for which there is, by definition, no available patch or AV signature. A P2P monitoring system can serve as an early warning system for faster detection of novel exploits.
Two wrongs don't make a right, but three lefts do.
I'm sure you realize the NRA was the first major organization to oppose the Klan's agenda of disarming black people, which they had considerable success with in some places such as Oregon. Your attempt to paint gun owners as racist only reveals how ignorant and biased you are. Not a flame, just a suggestion to be less ignorant, and reconsider your biases.
If you get mugged walking down the main street of Harlem, it's your own fault for not taking karate lessons, or taking better precautions/advice.
If you get mugged walking down the main street of a city with a very safe reputation, then you can hardly be blamed for not being locked away inside your house.
It all comes down to being aware of the environment you're about to venture into. Based on general information available, someone visiting America would most likely avoid Harlem. Mugging rates, etc. are public knowledge.
This is completely different when it comes to compromised websites. There is no public knowledge of which websites are safe, and which you'll end up exploited just from browsing to.
This is *almost* the equivalent of someone from the 1200's walking down the main street of Harlem with a white hood, and a sign saying "Hitler is God", completely oblivious to the hazards, and trusting the person who sent them there.
I'd like to echo Finkployd's sentiments and go a step farther: If a person/company built a crawler that was emulating the incautious [read MSIE-using] web surfers, documentation of the infections and infectiousness of sundry compromised or fraudulent websites could be amassed. That record, obtained and stored without the biases or sloth of a human, would make anybody who wanted to sue because the whistle had been blown on their dirty website think twice...they would just be exacerbating their negative exposure. As a wary web surfer, I'd like to go to the report-emitting website fed by this crawler and see who was contaminated, with what and when so I could steer clear. I bet you could make a buck with such a tool/service/website if your only revenue came from ads for firewall, antivirus and spyware detecting products but even more could come from the operators of the toxic websites who SHOULD be grateful to get an early if public notice that they were contaminated. Needless to say, this hypothetical crawler had better be double hulled and bombproof. Would be a fun piece of systems programming that is part Alta Vista and part maggot: looking for sick websites, pushing all their buttons to see if pirates board you or poisoned cookies are dropped on you. Maybe you start with Apache and Mozilla code and ... Oh, I wish I had time to write such a thing :(
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
No, that's a bad analogy. A better one is if your car has a recall on its brakes, you don't get it fixed, and then get in an accident, who is at fault?
I was waiting for the first gun nut to take offense to that. you're slipping!
But what if you were affected by the malfunctioning brakes before the recall.
It's all well and good to blame malware problems on the user's lack of patching, but some people are affected before a patch is available.
I forget what 8 was for.
Apparently you've never watched Highlander.
Never confuse volume with power.
Admittedly, I think that the number of people who find that sites they visit are infected and stay away would be greater than the number who get infected by visiting the first link listed, but the people publishing the information aren't liable for people not knowing what sites are infected. I wouldn't be surprised if they could get a court to rule they're liable for listing the sites and having people click into them. *shrug* Or maybe I'm just being pessimistic about human nature...
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
To answer your question, no. There was NO virus present, NO worm present, and this story does not relate to the topic. The fact that a person can use computers to hurt people is a far, far cry from a virus/worm doing the same.
This does seem a little like SCO saying, "it's there, trust us..."
Or like the dept. of Homeland Security saying, "there's a threat, but we don't know what kind..."
Since I don't use IE or IIS, I just got a good chuckle out of the situation, but the tin foil hat types are sure to point out that the whole plan was just to get people to dump IE, and initial numbers make it look like the press releases were great for Mozilla.
The CEDC. Center for Electronic Disease Control.
I am Bennett Haselton! I am Bennett Haselton!
More to the point, how can we get linux administrators to use basic hygiene. Like washing their hands. Ewww!
Short answer: Yes.
Long answer: Yes they should.
The mere concept of a website being able to give a browser an infection speaks volumes about the quality of the browser.
There is no need for sympathy or complaining or whatever. --The simple fact is that for some reason, 90% of the population has chosen to learn life lessons by placing themselves within harm's way; by working within extremely faulty paradigms built and maintained by corrupt, very rich megalomaniacs who DO NOT have the public's best interest at heart and who have time and again been demonstrated to manipulate and create deliberately faulty situations for their own benefit. --And then the 90% complain and claim ignorance when the shit comes down even though all the signs were there, and people on the side-lines were waving their arms and shouting about the alternatives the whole time.
This pattern, when it exists in a person, is apt to replicate itself in all areas of a person's life. And like I said; there is no need for sympathy or even judgement. These are deliberate choices people make, (perhaps on the subconscious level), which enable them to learn certain valuable lessons in life.
When you finally get fed up with it and decide to change your paradigm, then you know you've graduated from that particular class.
-F
From the article :
was sophisticated enough to take advantage of three flaws in Microsoft products. Microsoft was able to come up with fixes for two of them, but not the third one.
Hard to keep a system patched when there is no patch...
After 3 days without programming, life becomes meaningless
- The Tao of Programming
Public health authorities often require public accommodations to list notices if someone with an infectious disease has visited. A fellow parent in my son's preschool described to me yesterday that the child of one of her friends had meningitis. The child's parents had to provide a two-week diary of where they had been and who they had seen. Notices were posted in places like the Post Office where they had visited, so that people who might be exposed could seek treatment. The restaurant analogy is not so flawed.
You know, I've worked in foodborne disease investigation in Australia and the USA and health depts. don't always announce the source of outbreaks unless there is a chance of ongoing exposure. Sometimes the authorities cannot release the name of the affected restaurant because the public health laws forbid it (unless they believe exposed persons need a shot for hepatitis A for example). So, probably for the same reasons that Web sites aren't announced, restaurants that respond rapidly and diligently aren't announced.
Actually, the best analogy would be if you saw a news report saying "An automobile manufacturer warns that one of its late-model vehicles might have a defect." It specifies neither which manufacturer, which vehicle, nor even which part is affected. Now, when an Explorer blows a tire and kills a little league team, who's at fault?
man. I wish, in my mind, a comparison was valid between a virus on websites and a time-travelling moron taken advantage of by the kind of person who not only can bring people forward in time, but who also thinks it's funny to dress them in klan gear and who happens to have said klan gear handy, as well as a handy 'Hitler is God' sign. Holy crap. It's almost like there was a spacefaring talking dog on crutches playing pachinko with m&ms. Know what I mean?
http://xkcd.com/386/
I don't know about that; would you want severe burns on *your* perineum?
Provided a patch for that particular vulnerability was even available at the time. Since there are those who must use IE and no patch was released, this is one time when the users should not get the blame.
Sig? What if I prefer Glock?
You can be charged for breaking and entering without causing property damage, you know. If you can pick the lock, or if the door simply isn't locked, you can still be arrested, but not for causing property damage. Malicious code may not cause any damage whatsoever. It may simply passively relay private information to others. That's not property damage but it is still against the law.
You mean 'affected.' To 'effect' a change is to make a change happen. When you change something, that thing is 'affected.' In other words, when you effect changes, you affect the things you're changing. Of course, perhaps you were even farther off and meant 'infected,' I don't know. I've just seen approximately 5 misuses of affect/effect in this thread alone and you're the one I responded to.
http://xkcd.com/386/
If a web server gets a nasty, it doesn't affect anyone's health and people aren't going to live out a slow lingering death. We're talking generals here -- yes, there could be that one in a billion freak thing where someone's ventilator shuts off because it was run by a grad student's IIS server which he had a webcam attached to, but let's be realistic.
If my credit card number is stolen that's something different, but I don't feel that applies in this case. I can't think of a single virus that does anything besides propagate itself and occasionally destroy data. The only information they ever gather are email addresses, which isn't really private information.
Do we really want or need to know about every website identified as being infected? Sounds like the terror alert all over again.
breech
n.
1. The lower rear portion of the human trunk; the buttocks.
2.
   1. A breech presentation or delivery.
   2. A fetus in breech presentation.
3. breeches
   1. Knee breeches.
   2. Informal. Trousers.
4. The part of a firearm behind the barrel.
5. The lower part of a pulley block.
breach
n.
1.
   1. An opening, a tear, or a rupture.
   2. A gap or rift, especially in or as if in a solid structure such as a dike or fortification.
2. A violation or infraction, as of a law, a legal obligation, or a promise.
3. A breaking up or disruption of friendly relations; an estrangement.
4. A leap of a whale from the water.
5. The breaking of waves or surf.
Beware of homonyms. I would really hate to see security breeches, no matter which definition of 'breech' you use.
http://xkcd.com/386/
so you want the virus makers to flash a pop-up before they infect your system? Informed before you're harmed? When the company itself apparently doesn't know? That'd be a nice trick, if you could manage it.
http://xkcd.com/386/
Yes, but think about it realistically - the slashdot crowd is not the normal crowd of computer users. Not everyone is obsessively patching their computer system. What normal person has the time and insight to apply a new Microsoft patch every two days? For that matter, who would even think that this would be the normal course of action required just to stop a well known website from spreading a virus to your computer?
...no two people are not on fire.
The thing to realize, though, is that slashdot surfers generally aren't the same as a regular computer user - for better or for worse, most computers just aren't patched. I mean, what normal computer user has the time to download a new Microsoft patch every two days? For that matter, why would they even think that it was necessary? Realistically, to keep your computer secure, you've really got to be on top of that patching thing, and most people just aren't. Granted, there is a security risk there, but how can a user be faulted for trusting that a well known site isn't going to give them some freaky virus? I mean, I'd think that I'd be fairly safe at a large commercial site. It just makes sense.
...no two people are not on fire.
There are other sorts of violations other than those of personal well-being and/or property, such as the right to privacy.
That was my point -- the age-old libertarian view of "as long as it doesn't harm me or my property, do what you want" is even more moronic than usual when applied to modern technology.
The fault lies squarely with people still using MSIE and with OEMs for not bundling a proper web browser.
However, in a different context, Ed Foster does have a good point ... as he often does. In the case where sites have been compromised or used to spread malware, it is essential that the public be informed.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
You don't need to conceal a katana. I saw in this film once, they'll just let you take it right onto the plane with you.
Real Daleks don't climb stairs - they level the building.
Park it in the garage.
If you're walking down the street, and someone beats you up and steals your money, does that mean that it's your fault for not taking karate?
In a way, yes. Most people these days aren't prepared (or willing) to protect themselves. The oblivious Windows user who goes through cyberspace giving no thought to the lurking menace code is not very different from the average Joe walking down the street with no self-defense plan.
It is your responsibility to protect yourself. The police are constitutionally prohibited from taking action against a person unless the crime has either already occurred or is imminent. But that's a little late in my book. We can't expect immediate physical protection the rare moment we may be in need unless we are willing, and able, to provide that protection ourselves.
Rights only come from laws. We have no RIGHT to anything that isn't a law in our jurisdiction. Since most people don't want to legislate the internet, but rather keep it "free", then we will have no rights.
But, yeah, it would be the "sociable" thing to do to inform people about it. Our society works better when people are good to each other that way.
How would you go about concealing a katana?
Personally, I'd put it down my pant leg, but then again, that's my answer for everything.
(Score: -1, Stupid)
So they aren't going to issue a press release and inform the general public. But if any of these companies are publicly traded, I wonder whether they will admit to this in any reports to their stock holders... which are public record... in which case they will be publicly disclosing it.
Mathematics is not a crime.
If Google ran across one of the sites, would the script still be on the cached page? Or does Google clean scripts before caching?
If you disagree, then consider that, if I burn the only copy of your thesis one week before you're due to defend it, by your standards I've only harmed you insofar as I've torched 100 or so pages of paper, and so your material loss is maybe 50 cents or so.
I forget what 8 was for.
Or suppose someone neatly opens and starts your car, goes joyriding with it, takes good care of it, and fills the gas tank before bringing it back. Nothing was damaged and all consumables were replaced, but you still lost the use of the vehicle for a time and that is wrong.
It doesn't matter what some stealthy program does; if it enters my computer and uses it for any purpose whatsoever without my permission, that is wrong and I *will* take offense.
FreeVMS. Or if you wait long enough I might actually get around to writing that "VMS-like-but-not-a-clone" OS I keep mumbling about.
Of course we should be informed. We as consumers have the right to be informed of decisions that affect the way we consume the services/products being offered.
We should only have the right to be informed when a major corporations profits are not affected.
Hence, it is okay to inform everyone that Joe's restaurant has food poisoning. No major corp's profits are at stake.
A software vulnerability that may adversely affect millions of people, and businesses, but will damage a major corporation's reputation and profit; this is a thing that we should not have a right to know about.
You must weigh the relative importance of the consumers' health vs. a major corporation's reputation and, most importantly, profits. I think this rule strikes the right balance.
I hope that this helps clear things up.
The price of freedom is eternal litigation.
Sure, public knowledge if you get your information from 70's films. Harlem is gentrified as fuck lately. Or are you just scared of black ppl? Sorry, African Americans.
The only sensible response to the above in this part of the thread....
Aside from saying that for the most part that slashdot readers are neurotic.
Life is like a box of chocolates, you never know when you're gonna get food poisoning.
And I guess you had a little bitch come mod your post up, because as true as it was, it was so offtopic. Why not comment about what I said, other than correct me? Look at all of the other SlashDot posts with horrible grammar... But yeah, I guess you just had a reason to respond to me only, so I'll just deal with it.
"Instant gratification takes too long." - Carrie Fisher
I guess you didn't bother to check my other posts. I guess you assumed that you were so important that you must have been the victim of a vast conspiracy against you. I guess you aren't even close to the only person I've corrected, and I guess that since I didn't personally attack you, simply corrected your grammar, you might have resolved to refrain from committing that particular error in the future, but you did not. Look, when you're posting on the internet, people are going to judge you based on your usage of the language you're posting in. If you cannot even manage to post something which is grammatically correct and which has few misspellings, why should anyone take what you are posting seriously?
I realize that attempting to stem the flood of bad grammar, even here on a site for 'nerds,' is quixotic at best. However, I shall tilt at this particular windmill until I die.
http://xkcd.com/386/
What if the software was a keystroke recorder? That could "hurt" or damage you. Say then it sends the information somewhere and someone scans for strings like www.mybank.com. The next thing you might type is your login and password. Boom, goodbye money.
I'd want to know if a site I was visiting opened me to such risk. Needless to say, if, say, slashdot was infected as such, and I was robbed, I'd probably seek to sue the website since they didn't warn me first, especially since the chance of catching the thief is remote at best.
Why do you fucking care? It's none of your business. At least I don't talk like "omg its too kewl n stuff" So maybe you might want to take your long ass paragraph and direct it towards people like that. Go away.
"Instant gratification takes too long." - Carrie Fisher
Why do you keep replying? It's none of my business? You posted it on a fucking public forum, jackass. You made it the business of anyone who wanted to reply to you. Stop making stupid mistakes that make you look like an ignorant idiot, and people will stop correcting you. (at least I will) Alternatively, you can go on looking like a fool who doesn't know the difference between 'affect' and 'effect.' Why do I care? I don't. Not about you personally; you just happened to be the fourth or fifth person I saw misusing the word effect within this thread. The decision to correct you and not each and every person who misused any word was made completely arbitrarily. However, if you keep replying to me, I'll keep replying to you. That's the way things work when you aren't in charge of who gets to talk about what.
http://xkcd.com/386/
My server is unpossible to h4x0r!!!!11!!1! im teh bomb!!!!1!!!111!
It doesn't happen every two days. Microsoft changed its policy and officially releases a patch every second Tuesday of each month. Since that policy change, they've broken policy twice, but they've kept it to a Tuesday.
They're trying to make the public think they need to patch only 12 times a year instead of the previous 52. In a way, this has made life easier for people responsible for critical systems. Downtime across the world of Windows machines can coincide with every second Tuesday of the month.
You need an interdimensional trenchcoat. I hear they're all the rage amongst immortals these days.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I think a more accurate version of that metaphor would be I fiddle with your lighter, turning it way up. Then, when you use it, you burn the only copy of your thesis.
It becomes more grey there. Proper lighter safety would require you to check the gas level before lighting it. Am I responsible? Or is it your own unsafe use of the lighter responsible?
Or is it somewhere in between?
G.F.Y.
All the secrecy is surely due to embarrassment.
Nonetheless, we should be told.
I propose that social service and local health departments be given the task of informing those infected.
After all, they've got the appropriate experience...
Oh my God... I made one simple mistake and I have a fucking English major all over my ass. Why don't you go correct other people and get off my ass? I don't think making the mistake of effect and affect is going to make me look like that much of a fool, rather than you commenting and making yourself look like a jackass.
"Instant gratification takes too long." - Carrie Fisher
It could be insures - depends on the moral character of the said police.
Oh we were talking about what should happen, not what often does happen
Why me? Why not!
BACKUP YOUR PARTITIONS
Of course you don't think you look stupid, just as you thought you knew the proper word to use. The reason I'm all over your ass, as you put it, is not because of your initial mistake, however. It is because of your insistence on replying to my posts, even though you claim not to care. Apparently you do, and since I enjoy getting under the skin of anyone who not only takes things said on the internet so seriously, but who also cannot distinguish criticism from attack, I'm enjoying myself. You could, you know, just have started using 'affect' and 'effect' properly and gone about your day and let it go. However, you were apparently incapable of that. As to whether or not I look like a jackass for correcting your poor word choice, I don't care. I don't know any of you. There are people on here that I pay more attention to, because they have earned it through insightful posts. You have not. You're the one who took it personally, even though I made it perfectly clear in my original post that you were not the only one making that mistake. You decided to imagine that I was somehow out to get you. Just think of it this way: sometimes, you have a stroke of good luck. Sometimes, you have a stroke of bad luck. When I arbitrarily decided to reply to you instead of one of the other idiots, I had a stroke of good luck. You had a stroke of bad luck. That's the way the world works. At this point, I don't give a shit if you take offense or don't, but it was you who made it personal. It isn't your fault that I try to help morons learn to type, and it isn't my fault that you use words even when you don't know what they mean.
http://xkcd.com/386/
I'm not going to read all of that... It's not a BIG DEAL. Jesus Christ you have an enormous ego.
"Instant gratification takes too long." - Carrie Fisher
Labels like, "Computer Geek" are just labels. It's simply a matter of knowledge. Anybody can acquire the knowledge necessary to protect themselves. That's all it comes down to. It's a matter of free choice as to whether somebody seeks knowledge or does not.
I taught myself how to sew, make strawberry jam and roast a turkey. If your grandmother cares about using the internet, she would do well to learn about the people who want to attack her and how to avoid them. It's really not that hard.
I read an interesting study which demonstrated that people who actively use and push their brains are many times less likely to develop degenerative diseases of the nervous system such as Alzheimer's and similar.
-FL
No I don't. I'm not the one who thought that someone was out to get me. Just because I'm better than *you* doesn't mean I'm better than everyone. Not that being better than you is any sort of accomplishment. Carrottop is better than you. Paulie Shore is better than you. If it wasn't a BIG DEAL like you say....why did you fly off the handle at me in the first place? I thought it wasn't a BIG DEAL? I mean...it must have affected you pretty strongly for something that isn't a BIG DEAL. I must have had *some* sort of effect on you. Oh well. I guess, if it's not a BIG DEAL, you won't feel the need to reply for what...a fifth time? Good to know you don't think it's a BIG DEAL.
http://xkcd.com/386/
Ha, blah blah blah, yet again, I'm not reading that. Why the fuck do you always reply in an entire paragraph? Shut the hell up. -_-
"Instant gratification takes too long." - Carrie Fisher
Of course you're reading my replies. If you were not, you'd not bother replying in turn. Your argument can easily be applied to you as well as to me. Why do you bother replying, when you obviously cannot hope to match me? As to why I reply in entire paragraphs: it is because I can. Obviously, you would like to be able to do so, but cannot. I am sure my entire paragraphs are posted more quickly than your one-line wonders. I'm sure you'd *like* to understand my replies, as well as read them, but I'm afraid I cannot bring myself down to your level. I tried, in the interest of fairness, but could not do it. I have limitless patience. Reply as many times as you like, struggling to flagellate your poor grey matter for a line of response. I will toss off a paragraph at a time, and I don't use the term erroneously. I'm basically sperming all over you every time you attempt to reply to me. You are my bitch. I own you.
http://xkcd.com/386/
No. I'm just noticing that you're replying in entire paragraphs. I'm not going to bother reading them, so I'd advise you to shut the hell up and stop wasting your time. All of this is over one simple mistake I made... get over it.
"Instant gratification takes too long." - Carrie Fisher
Of course. You don't read my posts, you just respond to what I said in them. Idiot. Besides, it has nothing whatsoever to do with the mistake you made, and everything to do with the fact that you cannot let it go. I had already done so, ten seconds after I replied to your first post. You could not, and still cannot, thus you are driven to reply to me again and again. I definitely do not feel that I'm wasting my time, as every time you reply it makes me happy. I find it incredibly amusing that you cannot simply accept that you are inferior. I am not leveling that accusation at you because of your 'affect/effect' mistake but because of your subsequent mishandling of the simple correction I handed you. I didn't say 'OMG fag you don't even know what the words you're using mean,' I simply informed you of a mistake and why it was a mistake. You chose to take it extremely personally. You chose to reply to me. I am simply returning that courtesy. Keep making yourself my bitch. I don't care.
http://xkcd.com/386/
I'm replying to the first thing you said, dumbass. Why the fuck do you keep replying in entire paragraphs? I told you I'm not reading it. Does it help your fat ass ego problem? Take a hint and go away.
"Instant gratification takes too long." - Carrie Fisher
Sure. Of course you are. Why shouldn't I keep replying in full paragraphs? I have no reason to believe that you aren't reading them. You're the same person who doesn't know the difference between 'affect' and 'effect,' after all. Why do you keep replying to me? If you want me to go away, don't reply. Then I won't reply because there won't be anything for me to reply to. Of course, I'm not sure you are smart enough to comprehend that thought. Apparently you also don't know what the word 'hint' means. You've told me to go away now flat out a few times. It should be obvious to anyone with an IQ over 40 that when you reply, I'll reply. 'Take a hint' and stop now. It's up to you, just as it's always been.
http://xkcd.com/386/
Okay. This is the last time I'm going to reply. It's been fun pissing you off. I find it rather funny how you think I actually care... I just laugh at stupid people like you who waste their time typing an entire fucking paragraph that I don't even bother to read. You're a fool.
"Instant gratification takes too long." - Carrie Fisher
First, you haven't pissed me off at all. In fact, your posts indicate the reverse. I find it funny that although I spend less actual time writing posts than you, because they are longer you assume they take more time. Just because you are too stupid to put a paragraph together does not mean everyone is. If this truly was your last reply, fine. I have been saying for a while now that as soon as you stopped replying, I'd forget you even existed. Of course, I'm sure you don't want me to think you've read this far, but we both know you have. You are teh dumb.
http://xkcd.com/386/