Slashdot Mirror


20,000 Zombie PCs -- $3000

Saint Aardvark writes "From F-Secure blog come these links to two USA Today articles on spamming. The first gives an example of how a grandmother ended up becoming a security expert after Comcast cut her connection for spamming. The second quotes spammers advertising networks of Zombie PCs for sale. The price? $3000 for 20,000 machines."

28 of 423 comments

  1. Whose fault? by RollingThunder · · Score: 5, Insightful

    Heather Hall can trace the start of her online banking nightmare to the day she received what she thought was a legitimate e-mail request from Bank of America asking her to click a link to a bank Web page. The 27-year-old health services worker typed in her login, password and account number. ...
    Bank of America agreed to reimburse the money stolen from Hall's account, but only after she badgered them. "They wanted me to believe it was my fault," says Hall.

    Yes, it's her fault. She did something foolish.

    1. Re:Whose fault? by Renraku · · Score: 5, Insightful

      Scams are criminal acts. Thus, the money was removed from the bank due to a criminal act. A bank that loses money to a criminal act that refuses to reimburse its customers might well lose its status as a bank. They took from her, without her permission, money from her bank account. Which is stealing, fraud, etc, etc. Maybe it was her fault it got stolen, but the money was stolen, from the bank.

      --
      Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
    2. Re:Whose fault? by stratjakt · · Score: 5, Insightful

      Maybe technically, but that's not how the law works (thankfully).

      Or do you think every time you hand a credit/debit card to a cashier at K-mart, that gives them the right to start charging things to your account?

      Hell, your account number and routing info is on a cheque. So everyone you write a cheque to gets unlimited access to your chequing account?

      Thinking bigger, all I need is your SSN (easily obtained) to steal your identity and take out a few hundred thou in mortgages.

      And it's all your fault! You gave it to me when you came to work for me! Hahahaha.

      If BoA allows any unauthorized person to remove money from my account, it is their fault.

      It doesn't matter how they came across my PIN or account number.

      --
      I don't need no instructions to know how to rock!!!!
    3. Re:Whose fault? by bfields · · Score: 4, Insightful
      If I walk up to you on the street and say "Hey, I'm from Bank of America, I need your bank account information." and then you proceed to give it to me, then it is indeed your fault.

      The closer analogy would be you walking up to me, saying "Hey, the Bank of America is over there", and giving me directions to an address where you have, overnight, erected an identical replica of a Bank of America branch. (OK, perhaps the font on the logo is just slightly wrong if I think to look really closely.)

      In retrospect, I shouldn't have trusted directions from a random stranger, but by the time I'm standing there with the bank branch in front of me and the original referral already forgotten, it may not really cross my mind to doubt its legitimacy.

      The real idiocy here is all the banks setting up "secure" websites where you authenticate by sending them one secret (or maybe one of a few secrets), with the result that all it takes is for that secret to be compromised once, and your identity is compromised forever.

      Perhaps this will finally convince them that they need something better. (Surely some kind of USB dongle/smartcard-like thingy would be cheap enough now?)

      --Bruce Fields

  2. Security Expert? by rvw14 · · Score: 5, Insightful

    Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC and diligently updates programs that scan her computer for various types of malicious code. Her PC now runs clean. "I had no clue at Christmas that I would become a security expert," she says.

    It is quite sad that a person who just updates their computer and runs a virus scanner is now considered a "security expert."

  3. Re:No wonder... by jazman_777 · · Score: 4, Insightful
    So that's all it takes to be a security expert these days?

    A one-eyed man in the land of the blind is King.

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  4. Pay the $3k and clean house by jamezilla · · Score: 5, Insightful
    This sounds like a good deal for the authorities. For 3 grand you get:
    1. a list of machines that need to be cleaned up
    2. a bank account or other information that can be used to track down the spammers/crackers
    I guarantee $3k is cheaper than what it would actually cost tax payers if the authorities did their job with normal investigative work.
    1. Re:Pay the $3k and clean house by Anonymous Coward · · Score: 5, Insightful

      In an economics class I took, we were presented with a case where a bunch of missionaries got together for a project where they would collect a lot of money, then go to a third world nation and buy some underage prostitutes, then bring them to the states to give them help, treatment, and a caring foster home to be raised up in.

      It all sounds good on paper until you look at the fact that the people that kidnapped the kids got paid, so they have incentive to repeat the process. The argument was that the better (albeit longer and harder) fight was to make child prostitution not profitable or try to arrest or contain the kidnappers somehow.

      Somehow I think the spammers would figure out a way to get their money, cover their tracks, and sneak away. I don't think they really care what happens to the 20k zombies. They got their money, whether the zombieNet was used to clean house or actually send spam.

  5. Re:Article attaches no blame to Microsoft by NatasRevol · · Score: 4, Insightful

    Money? Lots and lots of money?

    --
    There are two types of people in the world: Those who crave closure
  6. ISPs could do *so* much here. by Samurai+Cat! · · Score: 4, Insightful

    Just start monitoring for bursts of spam from their clients, and simply *pick up the phone* and *call them.* "Sir, we've detected mass spam coming from your connection. Please clean up your computer. You have one week."

    --

    "People" using "unnecessary" quotes should be "shot".
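One way an ISP could implement the monitoring proposed in the comment above, as an added example that is not part of the thread or any ISP's tooling. The flow-record layout, the 60-second window and the threshold of five distinct mail servers are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding-window length
MAX_DISTINCT_MX = 5   # assumed limit; a home mail client normally uses one or two relays


def find_spam_bursts(flows, window=WINDOW_SECONDS, limit=MAX_DISTINCT_MX):
    """Return {customer_ip: first_alert_time} for customers whose outbound
    port-25 connections reach more than `limit` distinct servers in `window` seconds.

    `flows` is an iterable of (timestamp, customer_ip, dst_ip, dst_port) tuples.
    """
    recent = defaultdict(deque)   # customer_ip -> deque of (timestamp, dst_ip)
    alerts = {}
    for ts, src, dst, dport in sorted(flows):
        if dport != 25:           # only direct-to-MX SMTP is of interest here
            continue
        queue = recent[src]
        queue.append((ts, dst))
        # Drop connections that have fallen out of the sliding window.
        while queue and queue[0][0] <= ts - window:
            queue.popleft()
        if src not in alerts and len({d for _, d in queue}) > limit:
            alerts[src] = ts
    return alerts


def sample_flows():
    """Constructed flow records using private and documentation address ranges."""
    # Ordinary customer: mail goes through one relay, plus some web traffic.
    flows = [
        (10, "10.0.0.7", "192.0.2.25", 25),
        (15, "10.0.0.7", "203.0.113.80", 443),
        (400, "10.0.0.7", "192.0.2.25", 25),
    ]
    # Infected customer: eight different mail servers contacted within eight seconds.
    flows += [(100 + i, "10.0.0.9", f"198.51.100.{i + 1}", 25) for i in range(8)]
    # Low-volume customer: six different servers, but two minutes apart each.
    flows += [(120 * i, "10.0.0.11", f"198.51.100.{i + 50}", 25) for i in range(6)]
    return flows


if __name__ == "__main__":
    for customer, when in find_spam_bursts(sample_flows()).items():
        print(f"call customer {customer}: SMTP burst first seen at t={when}s")
```
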
  7. Re:Rhetorical question: by AndroidCat · · Score: 3, Insightful
    Just you wait! Once the number of Magic Box users with Linux rises above a threshold, it'll happen. You might think that Linux and Macs are more secure by default, but these are users who will open email with attachments, open the zip attachment, type in the password to open the executable in the zip attachment, run the executable. More warnings and barriers won't help.

    These people have The Will To Stupid, and cannot be stopped!

    --
    One line blog. I hear that they're called Twitters now.
  8. Re:Article attaches no blame to Microsoft by PhoenixFlare · · Score: 4, Insightful

    And one wonders why users do not receive some of the blame they rightly deserve, either.

    First lady in the story - obviously had zero protection beforehand, and it took a major problem w/her connection being disconnected before she got some. If nothing else, at least it sounds like she has the concept of basic security down a little better now.

    Second lady mentioned - a single call to her bank for verification would have likely saved her any trouble. I have gotten several "phishing" mails myself, and they are incredibly easy to recognize - often from a bank I have no accounts with or that never sends mail otherwise, they contain grammatical/spelling errors that would never appear in a real mail, and ask for information that the real bank would have absolutely no reason to need verified.

    Third lady mentioned - more Microsoft's fault than the others, due to the security holes. Still, it sounds like she either didn't patch things, opened a nasty attachment, or otherwise brought the software on through her own action. Hard to tell since they don't mention anything by name.

    So yes, Microsoft is evil. But don't fool yourself into thinking that users aren't contributing their share of problems either.

  9. So where are the cops? by Jaywalk · · Score: 4, Insightful
    Breaking into someone else's computer without permission is illegal. A zombie network of 20,000 PCs means that someone has compromised 20,000 computers and is, apparently, advertising that fact for personal gain. How hard would it be for a cop to shell out the $2000, then arrest the spammer? Of course anyone who has read Sterling's The Hacker Crackdown realizes just how clueless law enforcement can be with technical issues, but this one looks like a no-brainer:
    • The perpetrator (a spammer) is almost universally hated.
    • Spammers do real damage.
    • They are doing this damage for a pure profit motive.
    • They are operating out in the open, making for an easy arrest.
    So why are these bozos still in business?
    --
    ===== Murphy's Law is recursive. =====
  10. Re:Hard to believe this stuff is going on... by Onimaru · · Score: 3, Insightful

    Yeah, it's nasty all right.

    Wanna be more disgusted, though? Say we did get a good handle on one of them. Well, then the federal prosecutor has a hell of a job on his hands. All he has to do is make 12 people understand how spam works, how they found the guy, why their "searches" were legal, what he was doing, and why it's a crime. Which, if it were possible to make people understand, would have prevented the crime in the first place.

    And, if he's really unlucky, the defendant waives jury trial and he instead has to convince one very conservative 70 year old man of all these things.

    --
    adam b.
  11. Re:End Users are Stupid by gorbachev · · Score: 4, Insightful

    How many who drive cars know how to fix it? I certainly don't, nor do I have any desire to learn to fix my car.

    It's not the end users' fault the majority of home computers are by default magnets for virii, trojans, worms and spyware.

    A certain OS manufacturer is at fault here, as well as the Dells and Gateways of the world, who insist on selling zombie networks when solutions to prevent them from occurring have been in place for quite a while.

    --
    In Soviet Russia, I ruled you
  12. Re:Rhetorical question: by einhverfr · · Score: 4, Insightful

    In the world of common users, Linux boxes are about as common as snowcones in hell, too. Macs are almost as common as snowcones in Florida...not quite.

    Insightful??? No. Funny??? Yes.....

    Funny thing is that the author seems to say that Macs are close to ubiquitous (snowcones seem to be likely to be common in Florida because they are a form of hot-weather refreshment) but Linux machines are nowhere.

    Worldwide, Linux machines probably marginally beat Macs in the desktop space. Domestically, Macs are a bit ahead, for now....

    In China, OTOH, legal copies of windows are much more rare than FreeBSD desktops in the US!!!

    --

    LedgerSMB: Open source Accounting/ERP
  13. Re:Rhetorical question: by Richard_at_work · · Score: 4, Insightful

    If the spam's outgoing, you don't NEED to run anything on a privileged port, and standard user access will do. So long as the rooted system accepts mail in, even on a non-standard port that you can configure your master host to connect to, then it can happily spam everyone else. The mailserver doesn't need to talk FROM port 25.

  14. Silly Rhetorical question: by TiggertheMad · · Score: 3, Insightful

    That is a leading question that seems typical of a smug Linux zealot. A better question would be, 'What is the ratio of zombied Linux boxes in proportion to its total installed user base.' Since most people use Windows, it follows that most of the zombie boxes should be Windows boxes.

    Even that isn't totally informing, as how many of those people who run Windows would be less vulnerable if they ran Linux? Most of the problem isn't the OS, but the lack of understanding on how a computer works. If you aren't a skilled admin, you are going to get haxxored regardless of the OS.

    I think Linux is a superior idea and platform, but win the argument with sound logic, not snide comments.

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
  15. Re:Whose fault? HERS!!! by fmaxwell · · Score: 3, Insightful

    A bank that loses money to a criminal act that refuses to reimburse its customers might well lose its status as a bank.

    It didn't "lose" her money. It followed the proper security procedures involving the use of a login name, password, and bank account number.

    They took from her, without her permission, money from her bank account.

    That's the key: "They took from her." They didn't steal from the bank. There wasn't negligence on the part of the bank. The bank didn't leak her account number, login name, or password. She did. She fell for a scam through no apparent fault of the bank. And now we all pay for it in the form of higher fees, lower savings account interest, etc.

    Suppose she was duped into giving her house key to some burglar posing as someone from a carpet cleaning service. Should the mortgage company have to pay when the burglar steals her stuff? Should the home builder? Should the maker of her door lock? Of course not. So why do we treat physical keys so differently than virtual keys (login credentials)? You'd never suggest that anyone but the homeowner was responsible for the loss if they gave their house key to some con artist. So why is the bank responsible when the customer gives away the "keys" to their bank account?

  16. Re:So, for 3 Grand... by MightyPez · · Score: 5, Insightful

    And I had no clue that in a time when a majority of middle aged and elderly people using PC's with just enough knowledge to turn them on, an elitist asshole could belittle someone who took time out of their life to learn nuances of security on the internet.

  17. Re:So, for 3 Grand... by Chazmati · · Score: 4, Insightful

    She's probably an expert within her peer group. It's all relative, isn't it? :)

  18. Re:Whose fault? HERS!!! by rgmoore · · Score: 3, Insightful
    It followed the proper security procedures involving the use of a login name, password, and bank account number.

    No. It didn't follow the proper security procedures. It followed its choice of security procedures. The success of this kind of phishing scam is evidence that those security procedures are not proper; they're inadequate because they're so easily defeated with a bit of social engineering. The bank needs to design a better security system- one that uses a time-dependent smart card, for instance- so that phishing doesn't work.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  19. Disagree with the "utility" analogy. by mwillems · · Score: 4, Insightful
    "Consumers should demand what they do of other utilities," says Kip McClanahan, CEO of security firm Tipping Point. "When I pay my water bill, I expect my water to be drinkable out of the tap. Today, when you pay your Internet bill, the data you get is not consumable."

    Seems to me this is off the mark, and it typifies what is wrong with our telecom-oriented providers, as they too believe this all too often.

    The provider provides a connection. He does not provide content. ISDN was a gigantic failure because telcos thought they had to provide content, rather than just a reliable connection.

    If I want content, I will buy an AOL subscription. Otherwise, what I expect is not clean water but a reliable liquid movement mechanism. You don't call it a pipe for nothing. The liquid that comes out will be determined by me, not by the provider of pipes!

    MW

    --

    ---
    BDOS ERR ON A:>
  20. Re:End Users are Stupid by ThePiMan2003 · · Score: 3, Insightful

    However, it is your responsibility to make sure your car does not fall apart on the road, so you hire people to take care of it. Same thing should be done with home PCs.

  21. Re:So, for 3 Grand... by TykeClone · · Score: 3, Insightful

    Would that be for one spam run or for "ownership" as long as they're available? If it's just for one run, that's pretty good money as you can sell the product over and over again.

    --
    A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
  22. MOD PARENT UP by Darkman,+Walkin+Dude · · Score: 4, Insightful

    Oh if I had mod points, my friend, you would be more karma-ful than you are right now. I couldn't agree more. At least she did something about it, instead of sitting ignoring it, hoping it gets better, unlike the other 20,000 plus people mentioned.

  23. Re:So, for 3 Grand... by abirdman · · Score: 5, Insightful
    But don't you see? It doesn't require a "security expert" to keep a Windows machine clean and virus-free. All it requires is a little software and a clue. People don't purposely install software that will turn their computers into zombies. They do it because they don't understand that opening an email with that "free screensaver" or "hot picture" will infect their machine (and they're right, it shouldn't be that way!). They don't realize that random popups offering Viagra aren't built into the OS and normal, and that they're different from the random popups that Microsoft Update sends. I know and have observed several people (not stupid!) who just routinely close any popup window, don't read any of them, and assume everything is normal.

    If grandma figures that all out, and especially if she tells all her friends, then I have no problem with her calling herself an expert. Don't worry, no prospective employer is going to hire her over someone who knows something, unless maybe she's hired to train end-users in the humdrum tasks of everyday workstation security. Imagine, if you will, a Beowulf Cluster of "grannies-who-get-it" showing everyone they know the nuts and bolts of how not to infect their computers! How to manage Microsoft update, how to d/l, install and run SpyBot S&D, a virus scanner, a spam filter program like POPFile, and maybe even a more secure browser (read, one that doesn't automatically install and run whatever random piece of code it finds on the net). They would do more for overall Internet security than a battalion of security experts preaching arcane router strategies to tired and jaded Network Admins. There would still be occasional viruses, worms, and exploits, but those could be left to the experts. I see no reason to be cynical about this.

    /END OF RANT

    --
    Everything I've ever learned the hard way was based on a statistically invalid sample.
  24. Re:I hereby crown this woman "Queen of the Idiots" by coolsoldier · · Score: 3, Insightful

    "Gee, I hate to break it to you, sweetheart, but it WAS your fault. YOU were the gullible one who clicked on the wrong link and gave thieves your username, password and account number!"

    WHAT THE HELL???

    It was NOT the woman's fault!

    The fault rests solely with the thief. If somebody steals money from my bank account, it doesn't matter if they got it at gunpoint or with a fraudulent email, it is not my fault, it is not the bank's fault, it is the thief's fault.

    But of course it's so much easier to blame the unsuspecting user. That's the way to get the problem solved -- get rid of the victims!

    I hereby advocate the death penalty for assault victims.

    (End of Rant)