Slashdot Mirror
70% Of 2004 Virus Activity Down To One Man
arpy writes "According to a report produced by anti-virus software provider Sophos, 70% of anti-virus activity in the first half of this year can be blamed on Sven Jaschan, an 18-year-old German who wrote the Netsky and Sasser worms. According to the report, "Sasser claimed the top spot of the virus chart, in spite of the raging battle between the widespread Netsky and Bagle worms." The Register has a good summary of the report."
To be honest, I'd rather have to do AV work on one virus 70% of the time, and spend the other 30% fixing a couple of others. Maybe write a script if need be, and 70% of the time, I just do the same thing over and over.
Or, you could spend 10% of the time working on each of 10 viruses. Suddenly, you think, I wish I could be 70% sure what the problem will be, it is alot easier.
...99% of virus activity this year due to bugs / vulnerabilities in products from a single company.
THANK YOU!
People like you help me argument against the beady-eyed managers that a computer-monoculture is bad for business.
How else could I easily bring Linux or Firefox on Windows to our enterprise customers? And hey, what people know from the office, they will also use at home.
Not to say that you help the OSS community, but you do.
Thanks again.
If a significant portion of the world's communications and commerce infrastructure can be signficantly effected by the hackings of a disgruntled, alienated minor, perhaps rather than murdering the most likely talented, albeit misguided youth, we could take a closer look at why our infrastructure is so vulnerable.
It's bad enough that they feel the need to "compete" against other virus writers for some internet version of "street cred" but now we're fucking ranking them?
How long until people start writing viruses just to "get points" on some chart somewhere? Christ, you people have no logic whatsoever.
Wait, you're saying it is the initial victim's fault that the virus authors wrote malicious code -and- released it publicly?
... Think of it in terms of vandalism ...
... the vandal.
... it is now the responsibility of that company to make materials that are up to the job. It won't stop the vandals, that is the job of the police, but it should make their vandalism as hard as possible to have a permanent effect.
I think if you're going to lay the responsibility chain, it lies primarily with the virus author.
Subsequently, the responsibility lies on the DSL service provider who KNOWS they are selling to often uninformed users and yet fail to provide adequate first (NOC) or second level (CPE) protection for these users.
Next responsility lands in the laps of those people who wrote software that was prone to infection.
Last, reponsibility makes it to Joe User at that point and then recycles to the beginning for any systems that his infection spreads to.
So I, as the end user, have -final- responsibility, but not primary responsibility nor -blame- for the infections.
The primary person responsible for vandalism is
Subsquent responsibility (for prevention) is law enforcement. Is law enforcement to blame for the vandalism? Only if they do less than is required to reasonably address the situation (I don't expect them to spend all day hunting down the tagger 3 blocks over, but I -do- expect them to patrol all the blocks as much as they can without hampering other worthy law enforcement activities).
Making the assumption that I know that I live in an area where people are vandalizing property, I will probably buy paint and materials that are durable enough to be washed/repaired (if I don't, we hit the next level)
Last, I am responsible for -using- the materials above, I am responsible for calling law enforcement if there is an infraction so that they can address it. However, if I fail to do the above all that happens is the 2nd and 3rd levels of responsibility are void. I am still not responsible for the unknown vandal having decided to unleash their frustrations on my neighborhood.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
"More power to him I say.[...] Expecting people 'not' to crack/compromise insecure systems, a daydream you're having"
Newsflash: the real world was not built on being 100 unbreakable and unpenetrable.
E.g., your front door would _not_ be unbreakable to someone determined to get past it with an axe. It's a known vulnerability, for the past few thousands of years, and noone's fixing it. Your windows are likely even more vulnerable.
E.g., locks can be picked. Locks with master keys allow for escalation of privileges by attacking one pin at a time. It's a known vulnerability too.
The way Real Life works isn't to waste manpower and money to make something 100% impenetrable. Real Life works by basically just setting up a big sign that says "you're not allowed past this point." And if you do, we'll throw your sorry ass in jail.
That's really all that your front door and lock are: a sign that other people are not allowed past that point. If someone actually does the effort to pick the lock or hack down the door, it's proof enough that they did get their hint to stay out and deliberately circumvented it. So we throw them in jail.
If someone entered your home, it's not the door manufacturer's fault, it's not the lock manufacturer's fault, it's simply the thief that's to blame. That's the one who deserves some fine time in a state prison.
That's the security model that the Real World society was built upon. It's not perfect, but it worked wonderfully so far.
And here's your free complimentary clue for the day: those Windows users' instinctive expectation of computer security is the same. They don't expect their computers to be an impenetrable fortress, since their RL home or car isn't either. They do expect that whoever breaks past the boundary of their home, car or computer be thrown into state jail.
Unrealistic expectation at the moment? Maybe. But not an _unreasonable_ one. As in: it's not unreasonable to throw the script kiddie or virus writer in jail anyway. Sure, we won't stop trying to make the apps more secure, but in the meantime we also throw the asshole in jail to deter other assholes.
And maybe it's time to give users what they ask for, instead of idiotically insisting that they addapt to what we feel like programming. Not even just in this aspect. The software industry is a fucking disaster in this aspect, and all this whining about "idiot users" and "idiot managers" is just proof of it.
Any other industry, they try to make things comfortable and obvious for the user. In the software industry we just call them idiots and have whole sites dedicated to whining about them.
A polar bear is a cartesian bear after a coordinate transform.