Identifying Compromised Websites
linuxwrangler writes "'An infectious disease broke out recently in a number of communities. We'd like to tell which communities they were, just in case you were visiting one at the time, but we can't. It would be bad for business, after all.' Thus begins an interesting column in InfoWorld's Gripe Line in which Ed Foster discusses the astonishing secrecy surrounding the identity of the sites that were compromised by Scob/Download.ject and spreading malicious code to their visitors. As Foster notes, when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a business's server poisons our computer?"
The following web sites were infected: http://www.a=20 ]} } } }&..}=3Dr}'}"}[NO CARRIER]
The question is, what is the most effective way to do so? Legislation? I prefer to keep as much power away from politicians as possible, and since companies have deeper pockets than I do it doesn't often work. Customer protest is effective, but you have to find out who caused the problem. The same with email campaigns.
Posts on Slashdot with links to the offending site might be the most effective because they can take down the infected server directly under the bombardment of thousands of page requests all at once.
Although this is not true of Scob/Download.ject, most malicious code is found on sites of ill repute (p0rn and w4r3z). Obviously most people don't admit to visiting these sites and thus the problems go unmentioned.
I, personally, feel that is a more problematic situation in terms of ultimately halting the spread of malicious code, not necessarily the unwillingness of reputable sites to go public about their (relatively few) malware/trojan/virus problems.
Here in the UK to serve people hot food you must have a certificate to show you know basic hygiene.
Should we force web administrators to prove they know how to keep their boxes clean?
Yes, if a trojan silently installed itself as I innocently browse a web page from an infected web server, and if as a result of that my banking details are compromised and my bank account is emptied, it would be rather annoying.
I say, let them be identified, and let the lawsuits come. The article is wrong in implying that negligence to patch Windows is an innocent mistake. IT pros should either know to run a different OS or patch their Windows -- or they should be fired. Anything else is complete idiocy and they deserve to get the s**t sued out of them.
That being said, if this is found to be a vulnerability that MS never patched or patched improperly, the blame rests solely on them.
Watch, as the internet becomes more and more part of the infrastructure of the worldwide information systems, companies in the future will lobby for a similar bogus-security rationalization for keeping internet-infrastructure compromises secret.
Not that relevant to the article I suppose, but an interesting angle.
"'Yrch!' said Legolas, falling into his own tongue."
Because to me, the security of my PC and identity is infinitely more important than your reputation and "ego" as a webmaster (or corporate entity). I'm sure restaurant chains would prefer that nobody know when a food poisoning outbreak occurs either.
The bottom line is, if anyone is going to come away with some pain from something like this it should be the one who directly due to negligence caused it (the website), not the innocent consumer who was kept in the dark about the abhorrent security track record of someone they do business with.
How's THAT for a run-on sentence.
Finkployd
Clearly you have never been a victim of identity theft and thus forced to spend years correcting the problem, all the while racking up debt. Certainly nowhere near as bad as death by food poisoning, but certainly a little more serious than reformatting your computer.
Finkployd
Disclosure of sites that were infected isn't the same thing as the owners being liable for damage done.
...in Tijuana and don't wear a condom, you deserve what you get. Surfing the Internet with Internet Explorer is no less risky than unprotected sex in a cheap Tijuana whorehouse.
Serial Meta Moderator