Slashdot Mirror


Cybersecurity Chief Resigns

Doc Ruby writes "AP is reporting that 'The government's cybersecurity chief has abruptly resigned after one year with the Department of Homeland Security, confiding to industry colleagues his frustration over what he considers a lack of attention paid to computer security issues within the agency. Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single day's notice of his intentions to leave.' Yoran is the third cybersecurity chief in a row, after Richard Clarke and Howard Schmidt, to quit the Bush administration citing organizational inability to do his job. Maybe the job can't be done." In a possibly related story, individuals take cybersecurity lightly: Ant writes "This story says that consumers have a casual approach toward cybersecurity and fail to grasp the pervasiveness of online threats, according to a study released Thursday. More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code."

367 comments

  1. I just don't believe it! by garcia · · Score: 5, Insightful

    Yoran has privately confided to industry colleagues his frustrations in recent months over what he considers the department's lack of attention paid to computer security issues, according to lobbyists and others who recounted these conversations on condition they not be identified because the talks were personal.

    Of course they aren't paying any attention. People just aren't knowledgeable enough about the threat of cybersecurity to give a shit. These people think that there is a real threat that their house may be singled out in a dirty-bomb attack because the Bush administration is happy to have them think that. As long as the Bush administration can keep people's minds on a single track of terrorism there's no need to bring to light other avenues of attack. Why should they diversify right now? They might bore the public with their "crying wolf" on dirty-bombs and airplane searches and would need another shiny object to get everyone to pay attention to.

    About 90 percent of computer users interviewed remembered the name of the performer from the last Super Bowl halftime show, while only 60 percent knew when they last updated their computer security program.

    No fucking way, people remember the name of a performer from the Super Bowl after it was banged into their heads on every media outlet for two months straight? OMFG, I cannot believe it. You mean that these same people who are so concerned with the atrocities being fed to them on TV aren't concerned or knowledgeable about their computer? I can't believe it!

    Face it, people don't give two flying fucks about being educated in computer know-how. They want to flip the switch and have it work. If it doesn't work they want to call up their ISP and have them fix it. Their computer is a dumb terminal for their ISP's webpage and http://www.thehun.com. As far as people guessing their chances at being hit by malicious code... They probably seriously believe that malicious code means that they bring home a disk and put it in their drive and run a program that will be an old-sk00l virus. They have no idea that there are programs out there "spying" on them every minute of their surfing experience. They just don't care enough to know. Plus these same people probably do think that their chances of hitting the lottery are good as they are dumb enough to ignore real news for their own realm of importance (Reality TV).

    1. Re:I just don't believe it! by PitaBred · · Score: 4, Informative

      If I had mod points, I would give them to you.
      On a semi-related note, we're the ones who need to convince people of this. Most people I know are amazed when I tell them what the keyloggers and such do, and show them what just Ad-Aware will come up with. One of my friends (an older lady) actually bought a book on my recommendation because she wants to know what's going on on her computer, and learn more about even basic security.
      It takes time, but it's a grassroots movement :) And unless you use the same tactics as the "War on Terror" (the h4x0r5 will get your credit card!) and show them hard evidence of it already being there, it's hard to convince people of the threat.

    2. Re:I just don't believe it! by Anonymous Coward · · Score: 4, Insightful
      People just aren't knowledgeable enough about the threat of cybersecurity to give a shit. These people think that there is a real threat that their house may be singled out in a dirty-bomb attack because the Bush administration is happy to have them think that. As long as the Bush administration can keep people's minds on a single track of terrorism there's no need to bring to light other avenues of attack.

      I don't think malicious code is comparable to terrorist attacks for most people. Of course, there are life-supporting systems vulnerable to attack, and those should be guarded very carefully. But those systems aren't the ones on the average Joe's desk. For the systems average people maintain, malicious code (viruses, worms, spyware) is an aggravation, not a danger. The worst that could happen is that their credit card numbers are stolen. A real monetary loss, but it'd be a stretch to compare it to a bomb of any kind.

    3. Re:I just don't believe it! by TomorrowPlusX · · Score: 3, Funny

      While I'd like to mod you insightful, I have to sacrifice that right, because I have to tell you something:

      Your idea of a dumb terminal to TheHun just MADE MY GODDAMN DAY. Somebody, give this man a patent!

      That's all,

      TomorrowPlusX

      --

      lorem ipsum, dolor sit amet
    4. Re:I just don't believe it! by scottp · · Score: 2, Insightful

      >>They want to flip the switch and have it work.

      I know exactly what you mean. I service several professionals' (CPA's, lawyers, doctors) pc's that feel exactly that way. I try to encourage them to take a basic computer class (copy & pasting, clear printer spool, ipconfig, email attachments, updating software, etc) to make them more efficient instead of calling a tech for every little thing. Their attitude is like, "I know everything I need to know, knowing computers is not my job." Which is unbelievable when the majority of their everyday job involves using a computer. Then they get pissed when a tech isn't there within 5 mins. Hmm.....maybe I don't charge enough for service calls?

    5. Re:I just don't believe it! by Moby+Cock · · Score: 1

      What we need is a sophisticated colour coded chart to inform people of the danger. Or perhaps we can insinuate that all the children in the Mid West will become Ritual Satanic killers because of an email worm.

      Homeland security is all about fear and brute force. People do not get worried about cyber security because they are blissfully ignorant.

      However, the day is going to come when cyber security is brought to the fore. Once people lose money or are drastically inconvenienced, there will be some movement to *fix* it.

      That is when the Trusted Computing Initiative will be incorporated into federal law and the assimilation of this world will be complete.

    6. Re:I just don't believe it! by EvilTwinSkippy · · Score: 2, Insightful
      Ah America. Where we are too lazy for democracy.

      I do find it funny that people will shrug off the probability of something bad happening to them if it's less than being struck by lightning, and then go ahead and buy a super-mega-lotto ticket.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    7. Re:I just don't believe it! by chrish · · Score: 4, Informative

      They interviewed 500 people out of 185 million Americans with Internet-enabled computers.

      Wouldn't that be called a "statistically insignificant" sample set?

      --
      - chrish
    8. Re:I just don't believe it! by proudlyindian · · Score: 1

      No fucking way, people remember the name of a performer from the Super Bowl after it was banged into their heads on every media outlet for two months straight? OMFG, I cannot believe it. You mean that these same people who are so concerned with the atrocities being fed to them on TV aren't concerned or knowledgeable about their computer? I can't believe it!

      Coz ur TV dude has to take action by "himself" to secure himself and he thinks it a burden. For him internet is a burden that he never asked for. He was happy paying bills physically, shopping offline at malls etc.

      These are Gen-P (generation previous ppl) mostly 45 and above whereas genX knows internet is THE way to do things and take security more seriously

    9. Re:I just don't believe it! by siriuskase · · Score: 3, Insightful

      Lives lost is more dramatic than dollars lost. I have to admit, I'd rather lose my dollars than my family. But bringing down the economic system would hurt more people a little bit than most bombs which hurt just a few people a lot. And that little bit could be much more significant in the long run, we know how to dispose of dead bodies, what would we do if banking transaction systems failed? How long would it take for us to be back in business?

      --
      If you must moderate, please moderate as irrelevant, not something bad, because I'm sure someone will find this interest
    10. Re:I just don't believe it! by siriuskase · · Score: 1

      I could have picked a better example: what would we do if our communications systems failed and we could only communicate face to face? We wouldn't even know the extent of the damage.

      --
      If you must moderate, please moderate as irrelevant, not something bad, because I'm sure someone will find this interest
    11. Re:I just don't believe it! by museumpeace · · Score: 5, Insightful

      People just aren't knowledgeable enough about the threat of cybersecurity to give a shit. These people think that there is a real threat that their house may be singled out in a dirty-bomb attack because the Bush administration is happy to have them think that. As long as the Bush administration can keep people's minds on a single track of terrorism there's no need to bring to light other avenues of attack.

      What you say is true enough about the Joe and Jane Consoomer types that are referred to in the latter part of the article but the "people" we are talking about here are the govmint folks whose job is and whose claim on our loyalty and obedience is their duty TO PROTECT US. If those people don't know Internet Protocol from Intellectual Property we should fire their asses rather than let them drive every competent person they can away from the job.
      Anybody with a cable modem who took a minute to look at their firewall log could tell you how many times per hour their house WAS singled out for molestation by bots and hackers. Watching some pimple working from behind a Korean ISP try to telnet a home computer in Massachusetts IS a little creepy and the kind of thing that would alarm the average homeowner who would be all over 911 if he saw a person physically prowling about in his back yard...if only they were looking!

      --
      SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
    12. Re:I just don't believe it! by rahlquist · · Score: 4, Insightful

      You are right about people not giving a rat's ass. But in defense of the idiots out there, part of the problem is the closed loop that is computer knowledge and those who have it.

      When you have none you share none, when you have a little you share that, when you have a good amount you start to keep it to yourself, when you have enough knowledge to say set up a Linux box from source, you keep your knowledge closely guarded and don't share shit with the average user.

      Why? Because like most things in life when you work hard for something you are loathe to just give it away to Dewy Dumbshit who just crashed his system trying to install a video driver for a Nvidia card when his is an ATI. Part of the reason people are ignorant is there is no way for them to learn from experienced users. That's why we have HR people hiring idiots from places like DeVry and expecting them to be a real system administrator.

      So We have 3 groups of users, the haves (have knowledge and know how to use it), the have nots (but may actually want it) and the care nots (folks who want to read their email and don't give a flip about malicious attacks). Everyone was a n00b at one time or another, when was the last time any of you /.'ers sat down and calmly thoroughly explained cyber security to another n00b and gave them true insight?

      --
      Sick of stupidity? http://www.patentlystupid.com
    13. Re:I just don't believe it! by TykeClone · · Score: 2, Insightful
      Then they get pissed when a tech isn't there within 5 mins. Hmm.....maybe I don't charge enough for service calls?

      Do you think so?

      In all seriousness, charge them what you're worth to them. If they're not interested in learning about their systems, charge them for your expertise. If they want to save some money, offer to tell them how to do some of that basic stuff so they won't need to call you for silly stuff.

      --
      A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
    14. Re:I just don't believe it! by Anonymous Coward · · Score: 5, Insightful
      ...The worst that could happen is that their credit card numbers are stolen. A real monetary loss, but it'd be a stretch to compare it to a bomb of any kind...

      So when those "terrorists" start sucking money from those compromised credit cards to fund their continuing activities, that's ok because Joe Sixpack thinks "it doesn't affect me, I don't care". Joe Sixpack is in essence the biggest security threat to the US.

    15. Re:I just don't believe it! by Anonymous Coward · · Score: 0, Funny
      One of my friends (an older lady)

      Mrs. Robinson, I believe you're trying to seduce me...

    16. Re:I just don't believe it! by garcia · · Score: 2, Funny

      If those people don't know Internet Protocol from Intellectual Property we should fire their asses rather than let them drive every competent person they can away from the job.

      Hah, yeah, that'll work in a country where there is an extremely high approval rating for an individual that can't pronounce half the words he had prepared for and looks like a helpless 8th grader defending his position in his first debate.

    17. Re:I just don't believe it! by cyber0ne · · Score: 1

      maybe I don't charge enough for service calls?

      So far, my personal record is $225 to press "continue" on someone's laserjet when a computer tried to print to A4 paper. ($75 per hour charge, minimum of 1 hour, plus this call involved 1 hour of travel each way) Unfortunately, my employer reaped the benefits of that one, as I was salary.

      In my spare time I'm slowly building up an infrastructure to run a home business that will allow me to profit from the technologically inept.

      --
      http://publicvoidlife.blogspot.com
    18. Re:I just don't believe it! by krisamico · · Score: 1

      I am a computer scientist, so I would consider many of those you so scornfully denigrate with your remarks my potential customers, so my perspective makes it fairly difficult for me to understand why you feel they are justified. Your lamentation of everyone's lack of "computer know-how" is akin to a car aficionado complaining about the average Joe's ignorance of the inner workings of the machine he drives to work every day. Most everyday things are designed to be easily used, without intimate knowledge of their operation. A notable exception to this postulate is the Computer and the Software that allows it to accomplish tasks. I believe we still find ourselves in the Dark Ages of the software era, and our use of underdeveloped Philosophies and Practices is the reason everyday people are having so much difficulty with their computers. In short, don't blame the users -- blame me. Were engineers to build cars like we create software, driving to work would be a feat so dangerous that few would attempt it.

      Hyperbole aside, I have heard attitudes like those in your post many times before, but I find the amount of mod points this rant has garnered alarming. When you are smart, people need your help, not your scorn.

    19. Re:I just don't believe it! by 955301 · · Score: 2, Insightful


      No, they sampled enough folks to make this assessment. They didn't even need that many if it follows a standard distribution, right? 30 would be enough in that case, assuming they are sampling the right target.

      Remember, they are just trying to draw a graph of probabilities, not learn every minute unique answer.

      --
      You are checking your backups, aren't you?
    20. Re:I just don't believe it! by JavaLord · · Score: 1

      As far as people guessing their chances at being hit by malicious code... They probably seriously believe that malicious code means that they bring home a disk and put it in their drive and run a program that will be an old-sk00l virus. They have no idea that there are programs out there "spying" on them every minute of their surfing experience. They just don't care enough to know.

      I think the everyday user thinks the worst that can happen to him or her is that someone is watching them, or their computer is ruined. Most users don't take their thinking to the next level to reason that someone could take over their computer, and use it to attack another one and if this could be done to a majority of machines on the internet for a few days it would have a negative effect on the economy.

      Overall, you can blame Bush for talking about nukes but those ARE the threats most people are worried about even if the odds of them happening are lower, because the stakes are higher. Joe user thinks the worst a virus can do is destroy his computer. Joe user thinks the worst a nuke bomb can do is kill him and everyone he knows. Which one do you expect him to be worried about?

      Also, on the nuclear bomb thing, foreign policy experts agree, and have agreed for years that the largest practical terrorist threat to the US is nuclear weapons in the wrong hands. If you don't think it could happen I suggest you check out "Osamas Revenge: THE NEXT 9/11 : What the Media and the Government Haven't Told You" It's a pretty good book, and you can pick it up at amazon.com

    21. Re:I just don't believe it! by Hard_Code · · Score: 1

      Maybe if lightning spent our tax money to put commercials on TV everybody would be out during thunderstorms holding metal rakes in the air?

      --

      It's 10 PM. Do you know if you're un-American?
    22. Re:I just don't believe it! by Mr+Guy · · Score: 3, Funny

      No fucking way, people remember the name of a performer from the Super Bowl after it was banged into their heads on every media outlet for two months straight?

      This may be a crazy theory, but possibly it's because there was a nipple involved.

    23. Re:I just don't believe it! by gad_zuki! · · Score: 1

      >charge them what you're worth to them

      Then they'll just say "I'm not paying 75 dollars an hour for you to do some update I don't even understand." And you'll get undercut by some HS kid charging 7 dollars an hour.

    24. Re:I just don't believe it! by Hatta · · Score: 1, Offtopic

      One of my friends (an older lady) actually bought a book on my recommendation because she wants to know what's going on on her computer, and learn more about even basic security.
      It takes time, but it's a grassroots movement :)


      May I ask what book? I've been looking for a computer book for the technically illiterate that doesn't just show someone how something is done, but some of the why. An introduction to digital common sense, perhaps.

      --
      Give me Classic Slashdot or give me death!
    25. Re:I just don't believe it! by humuhumunukunukuapu' · · Score: 2, Funny

      i think a 'sticky terminal' may be more apropos

      --
      i saw the baby, and the baby looked at me
    26. Re:I just don't believe it! by TykeClone · · Score: 1

      How much do you charge then?

      --
      A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
    27. Re:I just don't believe it! by chris_mahan · · Score: 2, Insightful

      Then they'll get $7/hour security.

      When disaster strikes and the backup had not been run since Jan 1, they'll scream bloody murder and then pay you $120/hr, and they'll be glad to.

      It's like children and that glowing flame atop the candle. They have to put their finger in it at least once.

      --

      "Piter, too, is dead."

    28. Re:I just don't believe it! by Himring · · Score: 1

      Of course they aren't paying any attention. People just aren't knowledgeable enough about the threat of cybersecurity to give a shit. These people think that there is a real threat that their house may be singled out in a dirty-bomb attack because the Bush administration is happy to have them think that. As long as the Bush administration can keep people's minds on a single track of terrorism there's no need to bring to light other avenues of attack. Why should they diversify right now? They might bore the public with their "crying wolf" on dirty-bombs and airplane searches and would need another shiny object to get everyone to pay attention to.

      The Bush administration has raised awareness on cyber security. Many positions around the country have been created dealing with cyber security and are still being created thanks in large part to the work of the department of homeland security. Terrorism is a real threat. It so happened to have taken out a landmark ya know, and was indeed a very seminal event in our time. How can that fact be glossed over? The fact that physical threats are indeed a greater matter does not nullify the fact that all is being done that seems reasonable in all other areas of security including cyber. Perhaps the DoHLS is having issues and troubles, but that's par for a new 'anything.' You're piling on. 15 yards! First down!

      About 90 percent of computer users interviewed remembered the name of the performer from the last Super Bowl halftime show, while only 60 percent knew when they last updated their computer security program.

      How could anyone forget the name of the boob owner? Wtf? This post got modded up to five?

      No fucking way, people remember the name of a performer from the Super Bowl after it was banged into their heads on every media outlet for two months straight? OMFG, I cannot believe it. You mean that these same people who are so concerned with the atrocities being fed to them on TV aren't concerned or knowledgeable about their computer? I can't believe it!

      Wow. I think a post need only to have two words in it "Bush sucks" to get at least 3 good mod points.... This is turning into such tripe....

      Face it, people don't give two flying fucks about being educated in computer know-how. They want to flip the switch and have it work. If it doesn't work they want to call up their ISP and have them fix it. Their computer is a dumb terminal for their ISP's webpage and http://www.thehun.com. As far as people guessing their chances at being hit by malicious code... They probably seriously believe that malicious code means that they bring home a disk and put it in their drive and run a program that will be an old-sk00l virus. They have no idea that there are programs out there "spying" on them every minute of their surfing experience. They just don't care enough to know. Plus these same people probably do think that their chances of hitting the lottery are good as they are dumb enough to ignore real news for their own realm of importance (Reality TV). Bill

      Bill, I'll say this for ya, you're playing to the right crowd.

      --
      "All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
    29. Re:I just don't believe it! by The_K4 · · Score: 0, Offtopic

      And since you can't moderate and post in the same thread you wasted those mod points.

    30. Re:I just don't believe it! by chris_mahan · · Score: 3, Insightful

      The reality is that Joe Consumer gets a glaze over his eyes (yes, both) when I start talking about port knocking, man-in-the-middle, and automated backups.

      Then usually my wife elbows me in the ribs and announces: "Don't listen to my husband, he can't make good party conversation".

      So no, I don't talk security to people. They don't want to hear it.

      Then they all blabber about the latest football team this and draft that and did you see that pitcher? At which point I hit the punch bowl and the cashews and sit by myself, running through my head the list of things I need to implement as xmlrpc services.

      Lastly, for jane newbie, there are TONS of good sources out there on what to do and how to do it. (Borders bookstore comes to mind, as well as Professor Google).

      And generally guru geeks LOVE to talk about tech, they just don't like to be ignored.

      --

      "Piter, too, is dead."

    31. Re:I just don't believe it! by The_K4 · · Score: 1

      Or even better, if we had a nationwide blackout that lasted days (think North East last year). How would that effect people?

    32. Re:I just don't believe it! by PitaBred · · Score: 0, Offtopic

      It was mostly because she has some teenagers using the system, and they are the type who download Comet Cursor, etc. without thinking of what could happen. I know what I'm doing, so I was going off of the review here. HTH

      -Pita

    33. Re:I just don't believe it! by Hans+Lehmann · · Score: 1

      They interviewed 500 people out of 185 million Americans with Internet-enabled computers. Wouldn't that be called a "statistically insignificant" sample set?

      Not at all, if the sample is well chosen. Take a course in statistics to find out why.
      Interviewing more people will reduce the margin of error of your results from, say, 10% to 1%, but the overall results will be the same.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    34. Re:I just don't believe it! by SeaFox · · Score: 2, Funny

      If it doesn't work they want to call up their ISP and have them fix it

      Even if the problem has nothing to do with the internet.

    35. Re:I just don't believe it! by MisterClever · · Score: 1
      copy & pasting, clear printer spool, ipconfig, email attachments, updating software, etc

      I completely understand these attitudes - Software makers, even after 20+ years, can't seem to make these basic tasks easy for people. Why the heck should you have to go to school? Copy and paste? Oops wanted to paste an address, but along with the address I've pasted the margins from the other doc too now my doc is all buggered up! Clear printer spool? cancel cancel cancel cancel Print job is still there... Reboot. Print job is still there. IPConfig? There isn't even a desktop icon for "Refresh network settings..." you've got to "go to DOS." Email attachments? No warning that says "Hey do you really want to send this 4 meg JPG to aunt Mabel on her dialup connection?"

      Stop blaming the users and start blaming the people who make the software.

      [Insert generic comment about how those people should use macs instead here.]

    36. Re:I just don't believe it! by jc42 · · Score: 2, Interesting

      Face it, people don't give two flying fucks about being educated in computer know-how. They want to flip the switch and have it work.

      No, they don't. If they did, they would never buy anything from Microsoft. They'd all be buying Macs.

      And don't try to claim that they're ignorant of Windows' user hostility. Jokes about the difficulty of making computers do anything right are part of the general culture. And people with even the slightest bit of computer awareness are always aware of Apple. I've overheard many forms of this exchange:

      Person1: I hate my fuckin' computer; it never works right.
      Person2: Hmm ... I never seem to have problems like you're having.
      Person1: Yeah, but you use a Macintosh.
      Person2: <shrug/>

      No, there's a simple reason they buy the most user-hostile computers: marketing. They buy it because they've been told over and over that it's the only computer that people ever buy. And this happens because Microsoft has an advertising budget larger than the total operating budget of all those zillions of little computer companies like Apple or Sun or whoever.

      Also, they don't want to be thought of as nerds, which is how they think of Mac users.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    37. Re:I just don't believe it! by Anonymous Coward · · Score: 0

      If the "update your PC" link was painted on some trashy broad's tits, and shown on network TV every night for a few months, people might remember. They would remember when if you used different trashy broads every time.

      "Oh, my last update, let's see, oh ya, it was version 'Brittany's cans'. Is that still current, and if not, where do I check for the new one?"

    38. Re:I just don't believe it! by Anonymous Coward · · Score: 0

      I think it might have been a joke. *Gasp*

    39. Re:I just don't believe it! by magefile · · Score: 1

      It wouldn't. "People" isn't a verb. It would affect them pretty severely, however.

    40. Re:I just don't believe it! by TykeClone · · Score: 2
      Then they'll get $7/hour security.

      The free market is a wonderful thing.

      I live and work in a small town, and do computer work after hours. There's one other guy in town that I compete with, and I don't know what he charges (but I think it's less than me). I charge enough that I'm happy with what I get, I have enough work to keep me out of trouble, and don't have too many projects going at a time. And the other guy calls for advice from time to time.

      I guess that I'm saying that being the premium service provider is a good place to be.

      --
      A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
    41. Re:I just don't believe it! by michrech · · Score: 2

      You think $75 is outrageous? We charge $110 per hour from 0 to 30 miles from our building, $130 per hour 31-60 miles, and $150 an hour 61+ (no travel time is charged). We are doing well with these fees.

      Two computer companies have already gone out of business and they charged half of our rates ('course, they did pretty much in-shop work only, only venturing out on special occasions). Another opened up recently, but I don't expect it will last long.

      Just shows that, while people will complain, they will pay what you believe you are worth.

      --
      bork bork bork!
    42. Re:I just don't believe it! by magefile · · Score: 1

      Your lamentation of everyone's lack of "computer know-how" is akin to a car aficionado complaining about the average Joe's ignorance of the inner workings of the machine he drives to work every day.

      Wrong. I've heard this analogy way too often. Joe will get his oil changed every few months, right? Or call/go to a mechanic if he hears a funny noise? I don't expect Joe Blow to know what OOP is, or why a[5] is just shorthand for *a+5, or operator overloading, or ...

      Yet despite not being a mechanic, if my mechanic says, "your drive belt is worn and needs replacing", "your spark plugs are loose" or "your pistons are cracking because you're using regular gas, not plus gas", I'll understand what he's talking about - at least, enough to know what should be done (and without bitching about it ... it'll be a hassle, but I won't say, "eh, screw it, I'll just drive it like this").

    43. Re:I just don't believe it! by Anonymous Coward · · Score: 0

      Who was the performer? I thought they usually had more than one performer for that thing.

    44. Re:I just don't believe it! by repetty · · Score: 1

      > 30 would be enough in that case,
      > assuming they are sampling the right target.

      Sure, depending on how they pick'em. You have a lot more faith than most people in minuscule sample sets.

      --Richard

    45. Re:I just don't believe it! by Anonymous Coward · · Score: 0

      Welcome to America...land of blitheful cluelessness!

    46. Re:I just don't believe it! by AJWM · · Score: 1

      Probably because most people don't understand probability and statistics.

      --
      -- Alastair
    47. Re:I just don't believe it! by Ohreally_factor · · Score: 1
      --
      It's not offtopic, dumbass. It's orthogonal.
    48. Re:I just don't believe it! by lew3004 · · Score: 1

      Hell yes. Service professionals (doctors, lawyers, etc) obviously charge for THEIR services and a general rule of thumb is "you get what you pay for"; you don't go to a general practitioner for heart surgery. Since all of these "professionals" now rely strictly on their PCs, I say charge what you're worth. You still get what you pay for and instead of an HMO, maybe geeks should start thinking about a CMO.....I'd subscribe.

      --
      I still can't get the screen shots of Castle Wolfenstein for the Apple IIe out of my head.
    49. Re:I just don't believe it! by Anonymous Coward · · Score: 0

      Just like my previous employer said, "it is always the ISP's fault"

    50. Re: I just don't believe it! by gidds · · Score: 4, Insightful
      Hmmm. Maybe being a Mac user makes me biased on this, but I reckon that computer users (of all kinds) should be able to flick a switch and just have it work. They shouldn't have to educate themselves about viruses and other malware. They shouldn't need to be concerned about security and other issues. After all, I don't need to read up on emission spectra and the effect of induction on power phase lag just to fit a light bulb or press a light switch; neither should I need to learn lots about computer security just to use a few applications. In short, we shouldn't be having this conversation!

      The fact that we are having this conversation seems to mean that we as software developers aren't doing our jobs properly. We should be writing secure systems, making sure that nothing we do could possibly be a point of entry for malware of any kind. This particularly means the folks at MS, of course, but even app writers need to be vigilant.

      But we're not living in that ideal world; we're living in the real one, where the most popular platform has innumerable insecurities in its OS and popular apps... So I guess you're right: we do need to make users aware of these things. It just annoys me, because we shouldn't need to!

      --

      Ceterum censeo subscriptionem esse delendam.

    51. Re:I just don't believe it! by Anonymous Coward · · Score: 0
      So when those "terrorists" start sucking money from those compromised credit cards to fund their continuing activities, that's ok because Joe Sixpack thinks "it doesn't affect me, I don't care". Joe Sixpack is in essence the biggest security threat to the US.

      So anyone who doesn't guard all of their property carefully is now a national security threat? That's ridiculous.

      Keep in mind that it's just as easy to get compromised credit card numbers by...working at a restaurant. Waiters see other people's credit card numbers all the time. No computer skills required.

    52. Re:I just don't believe it! by Anonymous Coward · · Score: 0
      But bringing down the economic system would hurt more people a little bit than most bombs which hurt just a few people a lot.

      You're not going to do that with the machines on an average Joe's desk, either. Stealing individual credit card numbers won't bring down the economic system. Banking computers are run by people who, by and large, are aware that malicious code is a serious threat.

    53. Re:I just don't believe it! by arminw · · Score: 1

      Darn right I want all things just to work. I should not have to know Ohm's law to know how to toast bread in my toaster or the ins and outs of fuel injection or gas mixtures to drive a car! I just want the car to get me where I want to go. Why should a computer be different? When cars first appeared, motorists DID have to be somewhat knowledgeable, since there were few service places. I want my computer to just do what I bought it for, no muss, no fuss. When computer hardware and software makers are finally subject to the same kinds of product liability laws that most other consumer goods are, then maybe computers will be more secure. If the legal system would invalidate all those lame EULAs that allow the computer industry to get away with shoddy, insecure, bug infested machinery, then we'd have very few problems with cybersecurity.

      --
      All theory is gray
    54. Re:I just don't believe it! by hyfe · · Score: 1

      They interviewed 500 people out of 185 million Americans with Internet-enabled computers.
      The number of people to choose from doesn't affect the variance of the result, only the number of interviews. As far as I know, 500 is usually enough to get quite good results (as long as all normal procedures for random sampling etc are followed).

      To prove it to yourself, set up a webserver with extensive logging. Find something to measure, and measure it. Now ditch half your sample size and measure again. Do it a couple of times, and see how little the averages change until you start hitting really low numbers. Now apply that reasoning to general statistics.

      --
      "" How about taking the safety labels off everything, and let the stupidity-problem solve itself? """
    55. Re:I just don't believe it! by Bill+Dog · · Score: 1
      If I had mod points, I would give them to you.

      And that's why the comment ratings on Slashdot have gone into the crapper. There is nothing "insightful" about what the OP said. Gee, the average person doesn't want to think about computer security. What a great insight that no one would have known if garcia hadn't told us. If I had mod points, I would have a tough time deciding between modding it (grossly) overrated, or flamebait for the Bush cheap-shot. Look, the OP's comment is an understandable reaction to reading the article, so the default rating of 1 is fine, but it certainly isn't adding anything valuable to the discussion as to warrant +4. Too many moderators here confuse "Insightful" with "I agree".

      --
      Attention zealots and haters: 00100 00100
    56. Re:I just don't believe it! by rahlquist · · Score: 1

      Hate to argue with you but I can't tell you how many times when I was learning to deal with linux that someone said RTFM. Having been in the field for years I generally RTFM, approach the problem, if I still can't master it again I RTFM again and then ask for help. Then I get met with RTFM from some megalomaniac who could easily explain the solution and instead he says rtfm. Best example of this, sendmail, ask a question about it and you either get ignored or told to read the FAQ. If you explain you don't quite understand it then you seriously get ignored. Think it's deserved? Try setting up sendmail auth for the first time.

      --
      Sick of stupidity? http://www.patentlystupid.com
    57. Re: I just don't believe it! by Sparks23 · · Score: 2, Insightful

      It's not quite that simple, though. There will always be a certain level of education needed for /anything/.

      To use your analogy of the lightbulb, I may not need to read up on emission spectra and the effect of induction on power phase lag in order to change a lightbulb, but it's still important to have certain understandings; it's good for the person changing the lightbulb to know that sticking their finger into the light socket with the switch turned on is 'not advised,' for instance. Sure, that seems like common sense, but that's simply because the education about things such as that /is/ widespread. Some of the computer security issues -- don't click on attachments blindly, etc. -- are ones which should be spread and educated until they're common sense, like 'don't stick your finger in the light socket.' ;)

      Yes, MacOS X is more secure than Windows in a number of ways; the Keychain is so, so much better than storing passwords in the registry, to do anything system-wide even as an administrator you have to enter your password, and the default configuration is more secure right out-of-box, with far fewer open ports. But the fact remains that writing malware for Mac will hit a far, far smaller percentage of the total users; we're secure in no part simply because we Mac users /are/ a minority. This is why we can get away with the truly abysmal state of antivirus software on the Mac (witness the travesty that was Virex 7.5).

      Some of it will /always/ be education. If someone wrote malware for MacOS X -- and it could definitely be done -- and distributed it as a Trojan, an uneducated Mac user who trustingly runs the program is going to get just as screwed as a Windows user who trustingly runs the executable sent to them. How many Mac users out there simply enter their password when prompted by the system to authorize something using administrator privileges, for instance? :)

      Yes, at present the combination of ease-of-development to make malware for Windows and the sheer number of viable targets make it more attractive than writing for Mac. But it's hubris -- and a dangerous hubris, at that -- to assume that just because an OS is 'more secure' that educating the users is redundant!

      Just my $0.02. :)

      --
      --Rachel
    58. Re:I just don't believe it! by dpletche · · Score: 2, Informative

      when was the last time any of you /.'ers sat down and calmly thoroughly explained cyber security to another n00b and gave them true insight?

      Just about every week, to some person or another! I explain clearly and persistently the nature of the problem, what is at stake, the vectors by which computers become infected, and the clear, precise steps required to prevent it. I provide references, and even drag them kicking and screaming, to articles by reputable agencies and media outlets, describing the severity and danger of endemic computer infections.

      I recommend a few simple steps for average Windows users:
      1) Install some antivirus software or other. (I don't use it myself but I figure it's valuable for people who aren't quite as vigilant about prevention.)
      2) Boot in safe mode then run ad-aware.
      3) Update system with current security patches.
      4) Install ZoneAlarm and learn to use it properly, or at least a home NAT gateway/router.
      5) Never use IE for any reason. Download free and vastly superior Mozilla/Firebird.
      6) Never use Outlook [Express]. Use Mozilla/Thunderbird or *anything* else!
      7) Don't open executable/scriptable attachments (e.g. MS Office, .exe, etc.) If absolutely necessary, scan them with AV software at the least.

      People start to get kind of hesitant at step 4, then they always freak out and get really defensive once we reach steps 5 through 7. I don't understand this undying devotion people have to IE / Outlook, despite all the evidence in the world that those two products account for 90% of the problems on the average computer. It's like you offer them a new car that gets 1000 MPG, removes greenhouse gases from the atmosphere and never requires any maintenance, but they still insist to the death on driving their rusty old Microsoft Jalopy that gets 8 MPG, can't go over 22 MPH, fills the passenger compartment with noxious fumes and catches on fire at least twice a day.

      Once in a while someone listens, perhaps combatively at first, but then gets religion and goes out to spread the gospel. A couple weeks ago one of my coworkers spent a half hour arguing that I was being terribly unfair and unrealistic, expecting him and other average users not to pass around word documents and "funny bouncy ball" .exe programs, and even give up his beloved Internet Explorer (with ActiveX(tm)!) Well, about two days later, after he ran Ad-Aware, he came in to my office looking quite shell-shocked, and asked if I could write down all my suggestions again. Now he's planning to help no less than six of his friends and family members to clean up their computers and use them more responsibly in the future. He took me out for lunch as a thank you.

      Anyway, spread the word; more and more people will come around in time.

    59. Re:I just don't believe it! by Anonymous Coward · · Score: 0

      Erm, no.

      All those terrorists wouldn't be trying to bomb U.S. and kill Americans wholesale if Americans and their allies (Israelis) weren't killing them wholesale first.

      And those few nuts who would be trying anyway would be easy to deal with.

      No, it is the government of the U.S. which is the greatest security threat to average Joe Sixpack. Not only will this government bring the wrath of the world upon Joe Sixpack, it will ask said Joe to pay for this, sacrifice himself and his children fighting people government pissed off, and then meekly lie down and do whatever government tells him to do because it is Good For The Nation...

      Even worse, the government isn't doing this for some lofty or idealistic goal - they are doing this because they are bought and paid for by the richest men and women in America (hint, hint, check out the Forbes' magazine list of 400 richest Americans to start your list).

      So there.

    60. Re:I just don't believe it! by Anonymous Coward · · Score: 0

      Or if that money is funed to the terrorists and then you are dragged away for supporting terrorists.

      Or say your machine is used to compromise a government website and used as a fileserver for terrorists. Then when the FBI kick in your door they can have it clean itself to make it look like it was you.

    61. Re: I just don't believe it! by Anonymous Coward · · Score: 0

      I'm a Mac user too (although I came from the direction of *NIX rather than pre-OSX), but I reckon that a computer is hugely more complicated than a lightswitch!

    62. Re:I just don't believe it! by strikethree · · Score: 1

      "when you have enough knowledge to say setup a linux box from source, you keep your knowledge closely guarded and don't share shit with the average user."

      whoah. hold on there a second chief. i recall when i first started out using linux (many years ago) i became proficient really fast. i actually felt GUILTY for using such awesome software without paying for it or otherwise reimbursing the programmers for their incredible work and generosity. what i did to "pay" for the use of my software (yes, mine. like commercial software can never be) was to go into irc and the newsgroups and i shared my hard earned knowledge. i did this for years. i have absolutely ZERO problems with sharing my knowledge, it would be hypocritical of me to use open source software and then deny others my own knowledge that i earned using that software.

      i think your premise is full of holes.

      "Part of the reason people are ignorant is there is no way for them to learn from experienced users."

      definitely not a truism. people who are so miserly with their knowledge are probably not going to be users of open source to begin with since it is based on people NOT being miserly with their knowledge.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    63. Re:I just don't believe it! by Moofie · · Score: 1

      Most statisticians are in that set.

      --
      Why yes, I AM a rocket scientist!
    64. Re:I just don't believe it! by http · · Score: 1

      I can't believe I read that. You are mistaken in your analysis. Fire up an IRC client and lurk on #debian or ##linux for 12 hours and you will understand just how ignorant your post is. Knowledgeable people love to share what they know, with average, above average, and below average users.

      Sundays on #debian are legendary: "/msg dpkg sunday" for details.

      --
      If opportunity came disguised as temptation, one knock would be enough.
      3^2 * 67^1 * 977^1
    65. Re: I just don't believe it! by DarkZero · · Score: 1

      Hmmm. Maybe being a Mac user makes me biased on this, but I reckon that computer users (of all kinds) should be able to flick a switch and just have it work. They shouldn't have to educate themselves about viruses and other malware. They shouldn't need to be concerned about security and other issues. After all, I don't need to read up on emission spectra and the effect of induction on power phase lag just to fit a light bulb or press a light switch; neither should I need to learn lots about computer security just to use a few applications. In short, we shouldn't be having this conversation!

      Any suitably complicated household appliance will need to receive at least SOME care. I'd love to believe that I don't need to clean the lint trap, don't need to put this mysterious "detergent" in my dishwasher, and don't need to take old food out of my refrigerator and throw it in the trash. But I do.

      Most appliances in our homes are slightly more complicated than a lightbulb. The strange part is that even though protecting a computer isn't much more complicated, no one does it. Going to Windows Update requires what, two clicks? That's easier than cleaning a lint trap. And pressing "OK" when Zone Alarm says, "Hey, you need to update me!" is even easier. While I'd love to live in a world where my appliances all take care of themselves, I'm still glad to live in a world where taking care of them is a two minute process like cleaning a lint trap or going to Windows Update. And it's ridiculous that the average computer user isn't there with me just because HP, Toshiba, and other computer manufacturers put a higher priority on pre-installing AOL on your machine than pre-installing Zone Alarm, Ad-Aware, or a host of other ridiculously-easy-to-use programs.

      The instruction manual for a dryer tells you to clean the lint trap. Why can't your PC's manual do the same damn thing?

    66. Re:I just don't believe it! by Moofie · · Score: 1

      If you don't think changing the margin of error changes the results, you slept through your statistics class.

      --
      Why yes, I AM a rocket scientist!
    67. Re:I just don't believe it! by kir · · Score: 1

      Then they all blabber about the latest football team this and draft that and did you see that pitcher? At which point I hit the punch bowl and the cashews and sit by myself, running through my head the list of things I need to implement as xmlrpc services.

      You know, there is more to life than smtp, tcp/ip, http, and xmlrpc. You may already know this though. You do have a wife.

      --
      3cx.org - A truly bad website.
    68. Re:I just don't believe it! by TractorBarry · · Score: 1

      Well you've obviously never been to http://www.linuxquestions.org then.

      The people there definitely know how to "setup a linux box from source" and I've never failed to get a good detailed answer to my sometimes "dumb" questions.

      Personally I find it's the opposite way round in that the more someone knows the more they seem willing to share their knowledge.

      It's the people who don't really know, or who only know a small part of something really well, who seem reluctant to share knowledge.

      Finally as for educating noobs I do it all the time. In the past year I've given away over 50 (self burnt) CDs containing Firefox, Ad-Aware, Zone Alarm, Spybot etc. etc. and have even been round to peoples houses to install them.

      After all a zombied XP machine is a nuisance for all internet users.

      So maybe you just haven't been asking the right people ?

      --
      Sky subscribers are morons. They pay to be advertised at !
    69. Re:I just don't believe it! by Anonymous Coward · · Score: 0

      /*when you have a good amount you start to keep it to yourself, when you have enough knowledge to say setup a linux box from source, you keep your knowledge closely guarded and don't share shit*/

      Yep, just like those GPL and BSD folks, they don't give shit back either, do they?

    70. Re:I just don't believe it! by Darkman,+Walkin+Dude · · Score: 1

      Eh you just have to talk them on a level they can savvy. Party conversations for example, you have to smack em in the gob with a good opener, then build up from there. Like this...

      You have to admire the Russian Mafia, really.

      Silence. A few fascinated and mildly horrified eyebrows are raised.

      Well, they are early adopters to a new economic model, outpacing all the wall street analysts and clever people in finance! They have worked out how to turn the average home user's PC into a viable money maker for them. They probably have what, a third of the market already locked down? Shows great initiative, that.

      Heheh, dunno how much business that line has gotten me. But a lot.

      :D

    71. Re:I just don't believe it! by quarkscat · · Score: 1

      Wrong.

      Joe Sixpack has been led to believe that
      everything is A-OKAY. When Department of
      Homeland Security (IMHO, an oxymoron) adopts
      MS Windows XP Pro/MS Server 2003 as their
      platform of choice, despite numerous warnings
      from industry security experts to the contrary,
      the security bar has been set far too low.

      When MS gets to write their own "penalty" for
      monopolistic practices, as defined by the Bush
      DoJ, the security bar has been set too low.

      When MS gets away with statements like "IE
      is integral to the OS" in Federal lawsuits,
      then (finally) makes recommendations through
      channels (Slate) for users to switch IE to
      Mozilla, AND GETS AWAY WITH IT, the security
      bar has been set too low.

      Good old Joe Sixpack is just following the
      government's guidelines and SOP. If it's
      good enough for DHS, it is damn well good
      enough for him.

      The blame really needs to be placed where it
      belongs: the IT industry giants that shove
      insecure OSes and application suites down the
      public's throats, and a government that lets
      them get away with it. Twenty five years of
      relaxing government regulations on industry,
      the corporate welfare mindset, and a public
      press increasingly in the hands of fewer and
      fewer corporate entities (and the rising tide
      of self-censorship on corporations' behalf)
      have brought us to where we are today.

      Don't blame the average Joe Sixpack user for
      massive IT security policy failures.

    72. Re:I just don't believe it! by 955301 · · Score: 1


      Well, that's why you use the first 30 to get a feel for whether you are dealing with a normal distribution. If not, then yes, you need more, but if so, the additional samples will tell you nothing.

      --
      You are checking your backups, aren't you?
    73. Re: I just don't believe it! by whereiswaldo · · Score: 1

      In a nutshell: Welcome to the real world.

      We shouldn't need to educate people on how not to get kidnapped, on the evils of society, on warfare, on countless other things that are wrong with this world. But this is the world we live in. To expect that it doesn't extend into the world of computing is naive.

    74. Re:I just don't believe it! by StrongAxe · · Score: 1

      How would that effect people?

      It wouldn't. "People" isn't a verb. It would affect them pretty severely, however.


      "effect", however, is a verb, and in the context given, the only one possible.

      "I feel, that if a person can't communicate, the very least he can do is to *shut* *up*." -- Tom Lehrer

      The fact that you knew what he meant, despite his typo, meant that he did communicate effectively, even if inaccurately.

    75. Re:I just don't believe it! by magefile · · Score: 1

      Erm ... as a verb, effect means "to cause to happen or bring about", or to "act so as to bring about" (pretty much the same things, I know). My explanation was poor, and I meant to say "effect isn't a verb in this context".

    76. Re:I just don't believe it! by StrongAxe · · Score: 1

      My explanation was poor, and I meant to say "effect isn't a verb in this context".

      OK. However, when flaming someone's spelling or grammar, it is important to be precise, lest you leave yourself open to the same.

      In any case, it's silly to argue about such things :)

    77. Re:I just don't believe it! by magefile · · Score: 1

      Yeah, but I was in pedant mode. And as far as leaving myself open ... I was sick at the time. That's my excuse for everything I screw up, but it's true this time, I swear!

  2. Me, me, ME by Dorsai42 · · Score: 1

    I'll do it.

    --
    If you forget about the future, the future will forget about you.
  3. He quit Because by Anonymous Coward · · Score: 1, Funny

    He heard that peoplesoft is hiring.

  4. What else he said. by caluml · · Score: 5, Funny
    'The government's cybersecurity chief has abruptly resigned after one year with the Department of Homeland Security, confiding to industry colleagues his frustration over what he considers a lack of attention paid to computer security issues within the agency.

    He was also heard to say "linux is teh l33t and m$ feerz their mad penguin sk1llz".

  5. bush administration mentality will change soon by Triumph+The+Insult+C · · Score: 0, Offtopic

    because i have a patent pending for transmitting crude oil over the internet

    --
    vodka, straight up, thank you!
  6. no Digital Pearl Harbors by Igloodude · · Score: 5, Insightful

    Without a Digital Pearl Harbor attack hitting us, it is unlikely that anyone will take him seriously, and since Digital Pearl Harbors was just Richard Clarke FUD in the first place, his resignation was inevitable.

    --
    We now return you to your regularly scheduled thread.
    1. Re:no Digital Pearl Harbors by LanMan04 · · Score: 5, Insightful

      A digital Pearl Harbor is not FUD. One day our increasing reliance on automated and interconnected systems to run our critical infrastructure is going to bite us in the ass, and HARD.

      It doesn't have to be terrorist related, it could be incompetence or not rebooting your aging Windows system once a month, a la the recent air traffic control blackout. And we're in serious shit if a tech-savvy threat manages to penetrate power distribution, emergency call, or air-traffic control systems, or who knows maybe all three, and shut it all down right before a devastating physical attack. It's a huge force-multiplier, but in addition it can be a force unto itself. Imagine the whole country going without grid power for a month or two. Not a pretty picture.

      As usual, no one will do anything serious until there is a major incident (involving loss of life), after which "computer security" will be beat into our skulls every minute of every day, even if it's draconian and won't actually make people much safer, just like transportation security is today.

      --
      With the first link, the chain is forged.
    2. Re:no Digital Pearl Harbors by EnronHaliburton2004 · · Score: 0, Flamebait

      Oh that Richard Clarke, he was just a disgruntled middle manager. No way should you trust what he says in front of congress ... he's craaaaaazyy...

    3. Re:no Digital Pearl Harbors by EvilTwinSkippy · · Score: 3, Funny

      Of course this regime would respond to a Digital Pearl Harbor by invading Mexico.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    4. Re:no Digital Pearl Harbors by Igloodude · · Score: 1
      Actually a "Digital Pearl Harbor" would tend to imply an intentional attack, not a massive failure as a result of incompetence or poor maintenance.

      And yes, we're in serious shot if a tech-savvy threat manages to penetrate multiple infrastructure service systems and coordinate the plug-pulling with physical attacks. Isn't this the same crowd, though, that blasts Tom Ridge for vague "we have evidence that terrorists will try to attack us some time in the next two years, so be alert" warnings? I don't think that Al Qaeda will never turn to electronic warfare, but they're still doing pretty well with car bombs and have as yet shown no capability or intention to use cyberwarfare.

      --
      We now return you to your regularly scheduled thread.
    5. Re:no Digital Pearl Harbors by Peter+La+Casse · · Score: 2, Insightful
      Your post raises a very good point. Perhaps the lack of effective Federal action in the "computer security" field is a blessing in disguise, by allowing us to implement proper security for ourselves, unhindered.

      Imagine if the Federal government did for computer security what it's doing for airline security. Everybody would be required to install Microsoft Service Packs (regardless of what operating system they're running.) Internet-connected computers would be nationalized and the government would assign a federal employee to secure yours. Typing "hacker" into an internet-connected computer would be the equivalent of saying "terrorist" in an airport: a half-dozen burly guys without high school diplomas would tackle you and drag you off. Later, a spokesman would say "we take threatening behavior very seriously."

    6. Re:no Digital Pearl Harbors by johnjaydk · · Score: 2, Interesting
      There is not going to be a Pearl. It's a gradual process where things gradually get more and more broken. It's not going to be a single big event. You won't be that lucky ;-)

      The only way to make people aware of the problem is for somebody to fly a Beowulf cluster of zombies into the statue of liberty ... on tv. Fat chance for that to happen.

      So I guess we have to deal with the alternative. Users are lame. It's their privilege. So we have to create an environment where it's safe for them to be lame.

      Now there is a challenge...

      --
      TCAP-Abort
    7. Re:no Digital Pearl Harbors by timeOday · · Score: 1
      Imagine the whole country going without grid power for a month or two. Not a pretty picture.
      Oh, but imagine if Godzilla went stomping through New York leaving a wake of destruction, it would be even worse.

      There isn't going to be a "Digital Pearl Harbor." The important systems connected to the Internet, like banking and the stock market, are already under constant attack for purely financial reasons.

    8. Re:no Digital Pearl Harbors by Anonymous Coward · · Score: 1, Informative

      "I don't think that Al Qaeda will never turn to electronic warfare, but they're still doing pretty well with car bombs and have as yet shown no capability or intention to use cyberwarfare."

      They did look seriously at compounding attacks via the use of ambulances loaded with explosives after initial attacks. Further Al Qaeda will have more and more people with technological skills if only because they are looking for smart educated people who they can persuade to their cause. Finally if we believe the administration (and really is there any reason not to) Al Qaeda/Islamic Jihad uses everything from email, steno encryption to sat phones. Computers obviously come into play if only for the vast sums of money that they need to track.

      "Isn't this the same crowd, though, that blasts Tom Ridge for vague "we have evidence that terrorists will try to attack us some time in the next two years, so be alert" warnings?"

      Yup but forgetting about the nation's digital back orifice and the people who unlike Ridge are not trumpeting threats but just doing their jobs is no way to handle the situation either.

      When Ridge gets up there and people rationally consider the present scary scenario presented to them, people generally see a man cover this administration's behind. The information is often outdated (recent scare over attacks on New York based on what at best two - three year old data) or it goes against the way Americans live their lives (you can use duct tape and plastic sheeting to almost come close to the same protections as this administration's hermetically sealed in their views.) Don't get me started on the self serving and purely political colour coated system of paranoia which at its highest levels can suspend elections, declare martial law, and the congress can't say boo about it for months.

    9. Re:no Digital Pearl Harbors by Anonymous Coward · · Score: 1, Interesting

      You mean like taking out the Colorado DMV for a week?

    10. Re:no Digital Pearl Harbors by Gopal.V · · Score: 1

      > As usual, no one will do anything serious until there is a major incident (involving loss of life), after which "computer security" will be beat into our skulls every minute of every day

      Don't look now ... that guy walking down the street with the gameboy ... he's a hacker ... children, run inside ... You see, what that will do is take the internet back 10-15 years ... instead of "real" protection. Not to mention attack a few countries because their routers were used for something ...

    11. Re:no Digital Pearl Harbors by LaCosaNostradamus · · Score: 1

      You deserve the long-coveted "Score:6".

      This is the goddamn thing that people can't get into their heads. The same thing happening to information networks is happening to business in general. As long as people try to increase the velocity of transactions, they invariably open themselves up to more fraud. After all, we now live in the age of "identity fraud" ... all made possible by merchants who want to do business with a voice and a number, instead of a verifiable person and cash.

      The DPH is coming, and it'll happen EXACTLY as you've painted it: some little switch left in the wrong position on the wrong day. And then people will die, the talking heads will start assessing blame, and the fucking Congress will pass laws making certain citizen actions strong felonies ... all because some corporate executive wanted to save another 5% this year on his IT support costs.

      --
      [You have a stable society when some nut guns down a schoolyard and the law doesn't change.]
  7. Drop "Cyber" Already!!! by LoudMusic · · Score: 1

    If there is one marketing term I despise more than any other, it's "cyber". Well that and putting the letter "e" or "i" in front of terms.

    Drop it already! It's sooo 90s, dude.

    --
    No sig for you. YOU GET NO SIG!
    1. Re:Drop "Cyber" Already!!! by Anonymous Coward · · Score: 0

      "Dude" is sooo 20th century.

    2. Re:Drop "Cyber" Already!!! by Amiga+Lover · · Score: 3, Funny

      If there is one marketing term I despise more than any other, it's "cyber". Well that and putting the letter "e" or "i" in front of terms.


      You might like to spare some loathing for http://www.eCyber.com/ and http://www.iCyber.com/ then :)

    3. Re:Drop "Cyber" Already!!! by sunwukong · · Score: 1

      You've got it!

      People won't take this seriously until it's the "Department of e Homeland i Security".

      I believe I used up all my Karma with this post. ;-)

    4. Re:Drop "Cyber" Already!!! by irokitt · · Score: 3, Funny

      The "Director of Terrorist pwnage" just quit today, citing impossible attitudes towards his job...

      --
      If my answers frighten you, stop asking scary questions.
    5. Re:Drop "Cyber" Already!!! by William+Baric · · Score: 1

      And what about putting "i" and "e" after "MS" ?

    6. Re:Drop "Cyber" Already!!! by Victor+Tramp · · Score: 1

      sweet monkey jesus, i have to agree..

      as long as it's not in reference to robotics, how is it "cyber"?

      --
      US$0.02++
    7. Re:Drop "Cyber" Already!!! by SpaceLifeForm · · Score: 2, Insightful
      You hit the problem on the head. MS IE is the number one problem. Amit Yoran most likely quit because he could not get through to the idiots in charge that MS is the problem, *because* of all of the influence that MS has over the government.

      Anyone that refuses to see the problem that MS is and continues to embrace MS software products in spite of more secure alternatives is stupid, corrupt, owns too much MS stock, or all of the above.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    8. Re:Drop "Cyber" Already!!! by Anonymous Coward · · Score: 0

      Or maybe they're just people who need to access web sites that are unusable with Firefox. Moron.

  8. Lightning is like a virus by swillden · · Score: 5, Insightful

    More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code."

    The problem is that many PC users are doing the cybersecurity equivalent of what some idiot did near my home about fifteen years ago.

    He was in his boat out on a lake when a thunderstorm moved in. When others on the boat suggested that they should go to shore for fear of lightning he scoffed, stood up on the bow of the boat, stretched his arms upward and shouted "Take me now, God!".

    God complied.

    Connecting an unpatched PC to a broadband connection is pretty much the same thing.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:Lightning is like a virus by Chess_the_cat · · Score: 1
      More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code.

      This is a meaningless statistic. I bet if I surveyed 493 Slashdotters with the same question I'd get somewhere around 90% answering the same way because it'd be the truth.

      --
      Support the First Amendment. Read at -1
    2. Re:Lightning is like a virus by siriuskase · · Score: 1
      As long as knowledgeable people have the attitude that victims of crime deserve what they get, realistic attempts to control such crimes are discouraged. Some slashdot types enjoy the superior feeling we get when we hear of the woes of those not in our tech elite.

      Concerns about nightmarish tales of computer zombies and such that sound like bad horror movies are so silly when dirty bombs and anthrax are lurking out there somewhere.

      --
      If you must moderate, please moderate as irrelevant, not something bad, because I'm sure someone will find this interest
    3. Re:Lightning is like a virus by Brandybuck · · Score: 1

      Connecting an unpatched PC to a broadband connection is pretty much the same thing.

      I have to admit that I'm connected to broadband with an unpatched PC. And I still feel safe. That's because none of the three security vulnerabilities issued for my OS version affect me.

      PC != Windows

      --
      Don't blame me, I didn't vote for either of them!
    4. Re:Lightning is like a virus by EvilTwinSkippy · · Score: 4, Funny
      If they were real PC users you would have at least 986 answers from 386 people surveyed.

      Of course the first answer is always "I didn't do anything."

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    5. Re:Lightning is like a virus by Anonymous Coward · · Score: 0

      I bet if I surveyed 493 Slashdotters with the same question I'd get somewhere around 90% answering the same way because it'd be the truth.

      Certainly we're more likely to have taken measures to protect ourselves. There are two simple ones that I suggest to every user who asks me for advice. First, get a virus scanner that can be updated automatically by subscription. Set it up to scan everything coming into your machine. It takes a few minutes, but it's worth it. Second, buy a hub with an integrated firewall. They're cheap these days. You become invisible to probes from your neighbors' infected machines.

      Yeah, running Linux or FreeBSD is even better, but I don't really want to talk my mother through installing anything more complex than a new mouse.

    6. Re:Lightning is like a virus by EvilTwinSkippy · · Score: 3, Funny
      I had a new install of XP for a client become infected in 3 minutes, over a dialup line.

      No choice on that one though. I was trying to download the patch to prevent XP from becoming infected in 3 minutes by connecting it to the internet...

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    7. Re:Lightning is like a virus by Sique · · Score: 1

      As long as knowledgeable people have the attitude that victims of crime deserve what they get, realistic attempts to control such crimes are discouraged. Some slashdot types enjoy the superior feeling we get when we hear of the woes of those not in our tech elite.

      It's the same attitude an assurance company has about you when it comes to securing your home. They tell you that certain types of locks are insecure, and that you should lock your home, and not leave the bathroom window open. And they refuse to pay when they have a well-founded suspicion that the burglars came in because of weak locks and open windows.

      It's the same "you deserve it" attitude. If you are going to use a tool, please inform yourself beforehand about possible risks. Please read the manual, make sure you are not endangering other people. Don't demand your assurance company to pay for things that got worse because of your ignorance. If you don't feel apt enough to secure your computer yourself, at least ask someone with more knowledge to have a look. But be aware that there are risks, and take precautions.

      --
      .sig: Sique *sigh*
    8. Re:Lightning is like a virus by ticktockticktock · · Score: 1

      Unfortunately, the consumer also has to be diligent in buying a home router or they might end up buying one that had remote administration enabled by default and be no more secure than someone without a router "protecting" them.

    9. Re:Lightning is like a virus by swillden · · Score: 1

      I have to admit that I'm connected to broadband with an unpatched PC. And I still feel safe. That's because none of the three security vulnerabilities issued for my OS version affect me.

      There are exceptions. I met a guy who uses a DEC Alpha machine running VMS to connect to the net. He's safe, I think.

      What are you using? OpenBSD?

      PC != Windows

      That's why I said PC, rather than saying Windows.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    10. Re:Lightning is like a virus by swillden · · Score: 1

      As long as knowledgeable people have the attitude that victims of crime deserve what they get, realistic attempts to control such crimes are discouraged.

      Accountability isn't bivalued, it's a continuum. Buy an expensive car stereo, install it in a nice car, park it in a very bad neighborhood and leave it overnight with the doors unlocked and how much sympathy do you think you're going to get when you report the theft to the police?

      When people do things that are sufficiently stupid, they do "deserve what they get", just because it's unreasonable to expect society to protect people from their own stupidity in all cases. Like the guy on the boat. Apparently, he didn't understand that making himself the highest point within a mile or so during a lightning storm was a bad idea. Who should have made his foolishness impossible? Should the boat manufacturer be required to make a boat that automatically goes to shore when it detects lightning in the area?

      I posit that what we have is a large population of computer users who lack basic computer knowledge that is analogous to the sort of basic physics knowledge the boater so clearly lacked.

      This isn't elitism, it's pragmatism.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    11. Re:Lightning is like a virus by Maul · · Score: 1

      You may not know this, but enabling the built in XP firewall before connecting protects against most of these threats.

      Maybe you can blame MS for not enabling it by default, or by hiding it away from the user as a simple checkbox that is hard to get to, but it is there.

      --

      "You spoony bard!" -Tellah

    12. Re:Lightning is like a virus by Brandybuck · · Score: 1

      What are you using? OpenBSD?

      If you can't tell by my sig, it's time to increase your caffeine uptake :-)

      To your original point, connecting an unpatched FreeBSD to a broadband connection is most certainly NOT the equivalent of standing up in a boat waving your arms in a thunderstorm!

      --
      Don't blame me, I didn't vote for either of them!
    13. Re:Lightning is like a virus by timeOday · · Score: 1
      The problem is that many PC users are doing the cybersecurity equivalent of what some idiot did near my home about fifteen years ago.
      No, the "problem" is that "hit by malicious code" doesn't mean much. Lots of people already have spyware-infected computers, and occasionally incur email outages at work due to email virii. It's kind of a pain at the time, but simply doesn't justify the time and expense it would take to prevent or fix.
    14. Re:Lightning is like a virus by swillden · · Score: 1

      If you can't tell by my sig, it's time to increase your caffeine uptake :-)

      It certainly is!!

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    15. Re:Lightning is like a virus by Al+Dimond · · Score: 1

      Maybe 90% would say that, but I don't think it's truth. 90% of slashdotters aren't completely invulnerable, they just think they are because they're running an OS that's supposed to be secure. Just like a third of the 493 people questioned thought they were invulnerable because they bought a new PC with SP2 and Norton Anti-Virus.

    16. Re:Lightning is like a virus by TorKlingberg · · Score: 1

      The grandparent of this post did not say that the thief is any less at fault or deserves less blame because the car owner is stupid. Why do you think there is a finite amount of blame to be distributed?

    17. Re:Lightning is like a virus by wik · · Score: 1

      You seem to know a lot about assurance companies. Tell me again, how do these assurance companies help you when you have a tree fall on your house?

      What do you get for your money? Assurance that everything will be alright?

      --
      / \
      \ / ASCII ribbon campaign for peace
      x
      / \
    18. Re:Lightning is like a virus by Anonymous Coward · · Score: 0

      Post your IP on a dubious "security" forum somewhere and declare that you are "unhackable". It'll be just like the guy in the boat...except that it'll be some script kiddie trashing your computer.

      Just because you don't use windows doesn't mean you're safe or that you're not a target. I suggest you go patch up your system before you learn that the hard way.

    19. Re:Lightning is like a virus by Brandybuck · · Score: 1

      I suggest you go patch up your system before you learn that the hard way.

      But there's nothing worthwhile to patch! Two of the available patches affect services that I am not running. The remaining patch is a local exploit. By default I am not running any services beyond ssh.

      I am not saying my system is invulnerable. One guy with a flamethrower could trash my data in a heartbeat. But I'm not going to get so paranoid I'm going to worry about it.

      --
      Don't blame me, I didn't vote for either of them!
    20. Re:Lightning is like a virus by Sique · · Score: 1

      First: It is in the economic interest of an assurance company to reduce the risk for themselves to have to pay for damages. So they have an interest in reducing your risk for you by counselling and giving you hints how to improve your security. You are free to ignore their advice, but then your premium will rise. Thus they generate an economic incentive for you to increase your overall security.

      Second: If a tree falls on your house it depends on hundreds of factors if you get something and how much.
      Why did the tree fall? Storms? Lightning? Water floating under the roots? How frequent are such conditions? How old was the tree? Was the tree healthy, or were there lots of dead wood? Were there already other damage claims because of incidents involving the tree? Did a counsellor from the assurance company tell you it would be better to cut the tree because of possible damage?

      Basically it boils down to the old risk assessment questions: What's the possible damage? What's the expectation for the frequency of damages? What's the average damage, the maximum damage?

      Your assurance premium strongly depends on the answers to those questions. And the assurance company will tell you which changes to your house and its environment lower your risk and thus lower your premium.

      --
      .sig: Sique *sigh*
  9. If it is anything like my work.... by AtariDatacenter · · Score: 0, Troll

    They can't get anything done because they themselves are clueless (with a manager who doesn't understand security micromanaging security issues), and they're thugs who try to bully everyone into converting everything into SSH.

    "You there! You're running SAP, aren't you? You have two weeks to convert this to SSH, or we're shutting you down!"

    1. Re:If it is anything like my work.... by rwven · · Score: 1

      ssh is not a bad thing :)

      Now what would be funny would be: "You there! You're running Microsoft Word, aren't you? You have two weeks to convert this to SSH, or we're shutting you down!"

    2. Re:If it is anything like my work.... by Sique · · Score: 1

      And there was me thinking it was all about replacing SAP R/3 with SSH... (And yes, you can run SAPgui through an SSH tunnel. No problem here.)

      --
      .sig: Sique *sigh*
  10. BIG mistake by rwven · · Score: 3, Interesting

    I think we all know it's a ridiculously HUGE mistake to underestimate the importance of cypersecurity. Whoever is responsible for "not paying enough attention" to it needs to be outright fired... We're talking about every classified document in existence being at risk. Frankly i don't blame him a bit for quitting. I think it's ridiculous to blame the problem on the bush administration because i think we all know that's not the case, but obviously someone needs to get their act together....

    1. Re:BIG mistake by Anonymous Coward · · Score: 0

      > We're talking about every classified document in existence being at risk.

      Which is, of course, complete and utter bullshit. Those systems most certainly *are* hardened. It's more like, say, all the major credit card processors going off the net because no one patched the security on the border routers. That sort of thing.

    2. Re:BIG mistake by rwven · · Score: 1

      Touché, you may be right... but you may be wrong. He wouldn't have quit if things like that were as secure as you think they are...

    3. Re:BIG mistake by mr_z_beeblebrox · · Score: 1

      I think it's ridiculous to blame the problem on the bush administration because i think we all know that's not the case

      Exactly, we have nookalur level security on those systems.

    4. Re:BIG mistake by Anonymous Coward · · Score: 0

      I know hypersecurity and cybersecurity...but I think I really underestimate the importance of cypersecurity coz I have no clue what it is.

    5. Re:BIG mistake by Anonymous Coward · · Score: 0

      This is the 3rd time someone has quit this position since the Bush administration created it. Whoever that person is who needs to get their act together, if they haven't done it by now, they aren't going to do it. Then it's the Bush administration's job to replace them with someone who will. If the administration doesn't do it (let's hope this was the wakeup call they needed), then they're to blame.

    6. Re:BIG mistake by rwven · · Score: 1

      is that pathetic attempt the best you can do at a presidential bash?

    7. Re:BIG mistake by Jane_Dozey · · Score: 1

      The systems don't stop at the computers. The best system admin in the world can't stop an attack if it's:
      1) original
      2) helped along by a user (whether they mean to or not)
      3) outside the control of the sysadmin

      I'm sure the systems are hardened, but hardened doesn't mean 100% secure. There will always be a way for an attacker to be successful. Unless computers containing sensitive information are taken off a network, locked up and guarded there's a big risk of being compromised.

      --
      Silly rabbit
    8. Re:BIG mistake by mr_z_beeblebrox · · Score: 1

      is that pathetic attempt the best you can do at a presidential bash?

      For the moment, but don't worry I have a plan.

    9. Re:BIG mistake by Igneous · · Score: 1

      Is it a cunning one?

  11. Intractable Problem? by Gothmolly · · Score: 4, Interesting

    As I said at a meeting one day as people were pulling their hair out over the latest MS worms, and the failures of all of the "automatic patch deployment"-type tools out there, "Maybe the large numbers of Microsoft workstations present an intractable problem". Stunned silence. I half expected to be stoned to death as a heretic. When Corporate America stops sucking on the Microsoft Tit, we'll finally see real improvements in security. As long as paper-engineers and golf-club-wielding PHBs are entrusted with decision making, I see no chance for improvement.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Intractable Problem? by Unoti · · Score: 1

      I would also have pointed out that Skype, Firefox, and Tale in the Desert work great under Linux, and that's what I spend the majority of my workday doing, so Linux is quite viable.

    2. Re:Intractable Problem? by Brandybuck · · Score: 2, Funny

      As long as paper-engineers and golf-club-wielding PHBs are entrusted with decision making, I see no chance for improvement.

      I hit the icing on the cake Wednesday. My company rolled out a PGP solution for Outlook. Good, right? Wrong! The policy is to write down your passphrase on a paper, give it to IT, who will then store your passphrase for safekeeping in case you lose it.

      !!!

      --
      Don't blame me, I didn't vote for either of them!
    3. Re:Intractable Problem? by FunWithHeadlines · · Score: 1
      "I hit the icing on the cake Wednesday. My company rolled out a PGP solution for Outlook. Good, right? Wrong! The policy is to write down your passphrase on a paper, give it to IT, who will then store your passphrase for safekeeping in case you lose it."

      (My jaw drops)

      That is truly stunning in its short-sighted cluelessness. Now a social engineer has to make only one line of attack and he or she has everyone's password at once. Brilliant.

    4. Re:Intractable Problem? by Kaa · · Score: 1

      When Corporate America stops sucking on the Microsoft Tit...

      So are you saying Linux needs a boob job?

      --

      Kaa
      Kaa's Law: In any sufficiently large group of people most are idiots.
    5. Re:Intractable Problem? by Kaa · · Score: 1

      My company rolled out a PGP solution for Outlook. Good, right? Wrong! The policy is to write down your passphrase on a paper, give it to IT, who will then store your passphrase for safekeeping in case you lose it.

      !!!


      Any special reason you are upset? That's a perfectly valid way of doing things. Storing bits of paper in a safe is traditional and fairly good method of keeping information secure. Completely immune to network attacks, by the way... ;-)

      Note that Bruce Schneier, who I think happens to know something about security, freely admits to carrying a list of his passwords written on a piece of paper in his wallet.

      --

      Kaa
      Kaa's Law: In any sufficiently large group of people most are idiots.
    6. Re:Intractable Problem? by DogDude · · Score: 2, Informative

      and the failures of all of the "automatic patch deployment"-type tools out there,

      What failures? Does Automatic Updates from Windows not work? It works seamlessly on all of our machines. Or, you can use SUS. Can you not get that to work either?

      --
      I don't respond to AC's.
    7. Re:Intractable Problem? by Tanktalus · · Score: 1

      Nah - just write down your password ROT13-encoded. Nigh unbreakable, I tell ya!

    8. Re:Intractable Problem? by Anonymous Coward · · Score: 0

      The question is, was it a 'stunned silence' or the sound of a room full of middle managers trying to figure out what 'intractable' means?

    9. Re:Intractable Problem? by Vainglorious+Coward · · Score: 1

      Bruce Schneier, who I think happens to know something about security, freely admits to carrying a list of his passwords written on a piece of paper in his wallet.

      Indeed. Note that writing down a password on a piece of paper turns something you know into something you have. Nothing wrong with that, provided you have appropriate protection on that piece of paper.

      In a business setting, it makes sense that they would want control over the private key - if the employee is unable to provide it (sacked, dead, whatever), then they're going to have a *real* hard time breaking the GPG encryption. No business should want to allow themselves to be held hostage to an employee in that way.

      --
      My next sig will be ready soon, but subscribers can beat the rush
    10. Re:Intractable Problem? by GoofyBoy · · Score: 3, Insightful

      >"Maybe the large numbers of Microsoft workstations present an intractable problem". Stunned silence.

      If someone tried this at work I would give him a stunned silence too.

      Here we are trying to fix a difficult problem with everyone's job on the line and someone wants to play Monday morning quarterback by spouting off comments that do not help, unless you think you can get the entire company migrated over and trained to use Linux in the next 2 hours.

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    11. Re:Intractable Problem? by Brandybuck · · Score: 1

      Except that now my company has my LEGAL signature. They can sign my approval to documents that I have never seen. They can alter my contracts and agreements with them at will without my knowledge or consent. And other nasty things.

      And it would stand up in a court of law!

      I really don't care much if the company can read my encrypted email, since the only encrypted email I'm going to get will be from the company. But I am unwilling to give them a legally binding signet ring.

      --
      Don't blame me, I didn't vote for either of them!
    12. Re:Intractable Problem? by Gothmolly · · Score: 1

      This might work in your 100 node network, but I work for a large US bank, with over 20,000 workstations, running a mix of 95, 98, 2000, XP Pro, XP Home, many of which are laptop users, and many of which run Novell, others which log into legacy domains, and some which log into AD. Show me the tool that manages them all, and I'll be impressed. PS. Having 20,000 workstations downloading SP2 simultaneously is out.

      --
      I want to delete my account but Slashdot doesn't allow it.
    13. Re:Intractable Problem? by flosofl · · Score: 2, Interesting

      Why is that clueless?

      Now we don't store PGP/GPG plaintext passwords, but we do store plaintext KEK (Key Encryption Key) and Master Keys and what not for banking networks, ATMs, etc.. They are in a safe. It takes two people to open the safe. It takes two other people to enter the plaintext into the HSMs (There's much more involved - such as the audit trail, and so on...) I dare ya to social engineer that.

      As long as proper security controls are implemented (i.e. dual-control, separation of duties, authentication procedures) there's nothing wrong with having plain-text for recovery purposes.

      --
      "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
    14. Re:Intractable Problem? by Reducer2001 · · Score: 1

      Here you go. It even runs on Linux!

      --
      When you get to hell -- tell 'em Itchy sent ya!
    15. Re:Intractable Problem? by edrain · · Score: 1

      You make an excellent point. If all of your native apps are Windows native and all of your employees are trained only on Windows, you pretty much have to run Windows, at least in the short term. If we are on the verge of running out of oxygen, we can't just suggest that everyone start breathing hydrogen.

    16. Re:Intractable Problem? by FunWithHeadlines · · Score: 1
      "but we do store plaintext KEK (Key Encryption Key) and Master Keys and what not for banking networks, ATMs, etc.. They are in a safe. It takes two people to open the safe. It takes two other people to enter the plaintext into the HSMs (There's much more involved - such as the audit trail, and so on...) I dare ya to social engineer that."

      Heh, you don't ever want to make that last statement! :) But overall, I agree that the steps you outline reduce the danger considerably.

    17. Re:Intractable Problem? by sdmacguru · · Score: 2, Interesting

      Two of the coolest things about PGP in a corporate environment are split keys and signing everything to a designated key. You can set it up such that everything gets encrypted to a master key, which you split.
      That way, when someone has locked something up and their key is no longer available, the superfriends can get together and re-unite the master key to unlock whatever. Nobody actually has to write down anything to keep from getting locked out.
      Forgotten passwords you handle by having a designated revoker to kill your old key, then make a new one. Right?

      --
      If I had some ham, I'd make a ham sandwich, if I had some bread
    18. Re:Intractable Problem? by pjt33 · · Score: 1

      All you have to do is hang on to a copy of the memo about them storing your passphrase and you can wave that in the court of law.

    19. Re:Intractable Problem? by Detritus · · Score: 1

      I would suggest writing down the pass phrase, sealing it inside a double envelope, and storing it in a safe. That way, they can get it if they need it, but it is also obvious when it has been disclosed to someone other than the account holder.

      --
      Mea navis aericumbens anguillis abundat
    20. Re:Intractable Problem? by Anonymous Coward · · Score: 0
      Here we are trying to fix a difficult problem with everyone's job on the line and someone wants to play Monday morning quarterback by spouting off comments that do not help, unless you think you can get the entire company migrated over and trained to use Linux in the next 2 hours.

      No, but you could start phasing in Macintosh machines. Within a year, I'd expect you would have everyone using them and much happier.

      Linux might work, too, depending on what they use their computers for. But I wouldn't hesitate to recommend Macs in most situations.

    21. Re:Intractable Problem? by winwar · · Score: 1

      "Here we are trying to fix a difficult problem with everyone's job on the line and someone wants to play Monday morning quarterback by spouting off comments that do not help, ...."

      I don't understand how saying that maybe there isn't a (good) solution is playing "Monday morning quarterback". I mean if there is such a problem to begin with it is obvious that someone didn't consider some serious issues up front. And it is very likely that person has power and is clueless. And if they remain in the organization without learning from their error the organization will suffer. That said, it shouldn't be the focus of the meeting to solve the problem. But if "everyone's job is on the line" then the original solution has failed, miserably...

      I infer from the "stunned silence" that he mentioned that the Emperor really had no clothes and everybody for the first time REALLY thought about it. And apparently didn't have a good reply. Maybe the best solution is to move to a different platform-sure it can't be done immediately-but it ought to be considered as an ultimate solution.

  12. I AM more likely to be struck by lightning by thpr · · Score: 3, Insightful
    More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code

    Given frequent updates, ZoneAlarm, a firewall/router, precautions about not opening things I don't know about, VPNs, and other things, I probably AM more likely to be struck by lightning than hit by malicious code. But I'm a /. reader... :)

    1. Re:I AM more likely to be struck by lightning by ConceptJunkie · · Score: 2, Insightful

      Without security, you are more likely to get hit by malicious code than _not_ win the lottery.

      A friend of mine is consulting for AOL and he was unable to install Windows 2000 without getting attacked from within their internal network. And from what I've heard the wild Internet is just as bad or worse.

      --
      You are in a maze of twisty little passages, all alike.
    2. Re:I AM more likely to be struck by lightning by Waffle+Iron · · Score: 5, Informative
      I probably AM more likely to be struck by lightning than hit by malicious code.

      I wouldn't be so sure about that. This report says that the US has lightning injuries+fatalities of around 500 per year. That means the average person gets hit by lightning about once every 600,000 years.

      The odds that somebody is going to develop a blockbuster zero-day exploit are much higher than that. For example, what if some person or organization discovers something like new flaws in both Cisco routers and the standard JPEG rendering .DLL or .so? And instead of posting it to security mailing lists, they write effective exploits to hijack the routers to serve up infected JPEGs?

      Most of the computers on the Internet could be compromised within minutes just by ordinary browsing. No amount of patching, firewalls or care on the part of the user would prevent the attack. That is just one scenario; it's not hard to think up countless variations. It may be unlikely that this will happen in any given year, but I doubt that it would be as rare as once every 600K years.

    3. Re:I AM more likely to be struck by lightning by Just+Some+Guy · · Score: 1
      OK, it's clear that you're trying to do the right thing and for that I applaud your effort. Seriously - keep it up and encourage those around you to do the same.

      However, you must be smoking crack. Are all of your apps secure against the recent JPG decoding vulnerabilities (because you "open" things you don't know about each and every time you view an image on the web)? Have you read the line-by-line security audit of your VPN software and have a reasonable belief that it's mathematically correct (because I see IPSEC patches coming by every now and then)? Is your SSH client immune to the attacking hosts? Is your router provably correct or does it have "features" such as diverting random outbound port 80 requests to its manufacturer's website? Is that ActiveX control that your bank makes you use safe, and are you sure that your bank isn't sending out a compromised version? Do you monitor 1337 IRC channels to learn about exploits before your OS vendor has issued patches for them so that you can isolate the problems on your own?

      You can't stop risks; you can merely work to reduce them. Even OpenBSD has had remote holes in the default installation, and those guys pay a lot more attention to the minute details than you or I are likely to. I'd say that the odds of getting pwn3d are several orders of magnitude higher than getting hit by lightning or beating the tax on people bad at math.

      --
      Dewey, what part of this looks like authorities should be involved?
    4. Re:I AM more likely to be struck by lightning by Anonymous Coward · · Score: 0

      127.0.0.1

      Have fun.

    5. Re:I AM more likely to be struck by lightning by maximilln · · Score: 1

      For example, what if some person or organization discovers something like new flaws in both Cisco routers and the standard JPEG rendering .DLL or .so? And instead of posting it to security mailing lists, they write effective exploits to hijack the routers to serve up infected JPEGs?

      As an aside... that is exactly what we've been doing. And we've also been trying to get those who are guilt-ridden to quit reporting these exploits to the company.

      But don't let me inform you. The big companies say that 0-day exploits don't exist... so, I guess we don't exist.

      --
      +++ATHZ 99:5:80
    6. Re:I AM more likely to be struck by lightning by Anonymous Coward · · Score: 0

      Derrr...hey...that's my IP address...damn you must be l337!

    7. Re:I AM more likely to be struck by lightning by gl4ss · · Score: 1

      even running all those things and 'being on alert' doesn't make you impenetrable to malicious code.

      and certainly it doesn't make you more likely to win the lottery than being hit by malicious code.

      --
      world was created 5 seconds before this post as it is.
    8. Re:I AM more likely to be struck by lightning by Anonymous Coward · · Score: 0

      Sure. 205.161.7.143

      Have at it.

    9. Re:I AM more likely to be struck by lightning by jaeson · · Score: 1

      In fact the odds of being struck by lightning in your lifetime are 1/3000.

      Not sure what the odds are for getting 0wn3d...

    10. Re:I AM more likely to be struck by lightning by SpaceLifeForm · · Score: 1
      Unprotected Windows freshly on the Internet? Almost every user that does that will regret it way before they are struck by lightning.

      On a properly secured Linux machine, I'll take my chances vs the lightning.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    11. Re:I AM more likely to be struck by lightning by Gopal.V · · Score: 1

      > Most of the computers on the Internet could be compromised within minutes just by ordinary browsing

      That's like everyone in the world getting hit by lightning ... at the same time.

      Btw, last year my machine was hit by lightning ... :)

  13. Headline Roulette by EvilTwinSkippy · · Score: 1, Insightful
    Anyone else wondering about the exact timing of this? It sure is handy to have a semi-scandal pop up just in time to gloss past the Prez's piss poor performance on the stage last night.

    (Tinfoil cap, check.)

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
    1. Re:Headline Roulette by Greyfox · · Score: 0

      Which happened just in time to prevent anyone from noticing that the House Ethics Committee was a tad upset with Tom DeLay over his handling of the medicare vote last year.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    2. Re:Headline Roulette by E-Rock · · Score: 1, Insightful

      Yea... A guy no one's ever heard of quit his job because no one felt it was important, either in the government or in the public. That's certainly gonna trump any news about the debate.

    3. Re:Headline Roulette by EvilTwinSkippy · · Score: 1

      Which is why it made it to Slashdot and the headlines, of course.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    4. Re:Headline Roulette by E-Rock · · Score: 1

      Yea, and this is news for who?
      Quick check shows no blurb on the BBC, Fox News has it way down on the page, nothing on CNN, nothing from MSNBC either.
      There's plenty of evil shit out there to worry about, but this is your conspiracy of the day?

    5. Re:Headline Roulette by mr_z_beeblebrox · · Score: 1

      It sure is handy to have a semi-scandal pop up just in time to gloss past the Prez's piss poor performance on the stage last night.

      I do not think highly of george, however I do not think that he is THAT dumb.
      "God, I really screwed the pooch last night. I know, I will have the cybersecurity guy resign in frustration that the nation is no better off now than four years ago. That'll help."
      Nope, not even W could be that dumb.

    6. Re:Headline Roulette by EvilTwinSkippy · · Score: 1

      Kinda silly isn't it.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    7. Re:Headline Roulette by Politburo · · Score: 1

      Odd. I read this on CNN before I saw it on Slashdot. I only use the front page.. I think it was 4th headline. Now it's first headline under "Technology".

    8. Re:Headline Roulette by E-Rock · · Score: 1

      You're right. It is there.

  14. So symptomatic of all politics by FunWithHeadlines · · Score: 4, Interesting
    Please note, this is a rant that is not directed at one political party or the other, for both do it. But since the Bush team is in power, they will have to do as an example of what I mean.

    All politics is about power, the obtaining of it and the maintaining and expanding it. The focus when running for office is to say and promise whatever it takes to get you into office. Once there, the focus becomes hanging on to power at all costs. The way to do that is to play on voters' fears, desires, insecurities, in such a way as to get them to think you will solve their problems better than the next guy. Thereby saving your job.

    This is true no matter the topic, and no matter the importance of the topic. Right now, Topic A is security, and boy is that a vital topic. So vital, you'd think politicians would put their usual partisan techniques aside and actually get something done. But no, even here with lives at stake, it's politics as usual. Is computer security a hot-button issue for the average voter? Not enough to throw someone out of office over. So does this get priority? Nope.

    Look at the vulnerability of chemical plants to attacks. There were proposals to beef up security, the chemical industry squawked at the costs, the plan got scaled back. Why? Isn't security important? Sure, just ask Union Carbide about Bhopal. More importantly, ask thousands of Indians about Union Carbide in Bhopal. It is important, but it's not attracting votes, so it gets shunted aside. That's all that matters, folks. It's about maintaining power. So no matter how many security czars they get, unless that becomes a hot-button issue for the voters, it'll never be a hot-button issue for the Bush White House (or any other president that comes along).

    1. Re:So symptomatic of all politics by Anonymous Coward · · Score: 0

      All politics is about power, the obtaining of it and the maintaining and expanding it

      Ever heard of Mahatma Gandhi?

    2. Re:So symptomatic of all politics by FunWithHeadlines · · Score: 1
      Ever heard of Mahatma Gandhi?

      Yes, I have. What do I win?

    3. Re:So symptomatic of all politics by EvilTwinSkippy · · Score: 1
      Well airline security wasn't really an issue before Al-Qaeda's sightseeing tour of New York and DC, either.

      Cybersecurity isn't sexy because there isn't a body count. Terrorists strike an airliner, there are 100 souls. Terrorists strike a refinery, there might be a couple of workers and firemen. The real impact is sticker shock at the gas pump. Terrorists strike a bank computer, and people can't use their ATM cards. Computer security really doesn't rank up there.

      As a geek I would like to think I'm saving the world. But we do have to have some perspective.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    4. Re:So symptomatic of all politics by FunWithHeadlines · · Score: 4, Insightful
      Yes, that is the point, really. They focus on whatever gets votes, and terrorism is the big topic at the moment for obvious and horrible reasons. Cybersecurity should also be focused on properly, but because it's considered a lesser priority we have one cybersecurity czar after another resigning.

      "Well airline security wasn't really an issue before Al-Qaeda's sightseeing tour of New York and DC, either. "

      One quibble about that sentence: Airline security became an issue in the early 70s when hijacking came in vogue. All those security checks and rules you are used to at the airport? Didn't exist back in the 60s and earlier. The hijackers would do something like smuggle a gun on board, and they would react by installing metal detectors. Then the hijackers would ratchet up the ante, and the security people would add a new check. Finally, security became fairly good at airports, such that hijacking went down in frequency. So the people who might have tried hijacking now tried, say, putting bombs on board, and the escalation of cat-and-mouse moved in a new direction.

      It is a sad irony that people became trained to sit quietly during a hijacking since that was the best way to ensure your safety: wait it out until it was over and you'd be fine. The 9/11 hijackers used that psychology to their advantage. But that advantage is forever gone, for never again will passengers sit quietly by waiting for it to be over. That fact is how I know there will not be another 9/11 incident of the type we saw that horrible day. Instead, terrorists will try something entirely new. Something to think about as you wait in that endless line at the airport, realizing that they are busy chasing yesterday's terrorists, and probably haven't a clue what tomorrow's terrorists might dream up. Depressing thought, but probably realistic, given the history of airport security for the past forty years.

    5. Re:So symptomatic of all politics by siriuskase · · Score: 1
      Bringing down the computerized communications systems would totally f*** us up, but what makes it worse is we wouldn't know the extent of the damage until later.

      Let's hope the terrorists stick with dramatic stuff like violently killing a small percentage of us, rather than more insidious stuff that could leave us unable to respond to followup attacks.

      --
      If you must moderate, please moderate as irrelevant, not something bad, because I'm sure someone will find this interest
    6. Re:So symptomatic of all politics by TykeClone · · Score: 1

      Nothing like a geek with a hero complex.

      --
      A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
    7. Re:So symptomatic of all politics by EvilTwinSkippy · · Score: 1
      Last I checked the firing command for an M-16 assault rifle was a mechanical linkage.

      The trouble with a large scale disaster scenario is breadth versus depth. Widespread damage is a fairly trivial exercise. The right codes and you can 0wn most of the PCs in the world with a worm. And yes, there are a fair share of PCs in operation around the federal government and the military.

      But most of the work performed on these machines is trivial, and any valuable content on them is backed up onto large servers, CD-ROMs, and tape. Would it be a headache if a virus reformatted every hard drive in the world? Yes. The end of the world? No.

      Anything past that requires a solid understanding of the system to be disrupted. If terrorists wanted to start a financial panic they could, theoretically, break into a bank computer and have a field day. But each bank uses a different system, indeed, many banks are Chimeras of formerly competing units with a tangle of different systems. No one attack is going to work on every bank, or even totally wipe out a single large bank.

      The same is true with military systems. The more destructive you want to be, the more specific the attack has to be tailored, the less likely it will be portable to more than one target.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    8. Re:So symptomatic of all politics by EvilTwinSkippy · · Score: 2, Funny

      Just ask Odysseus. Oh wait, he's a Complex Greek Hero...

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    9. Re:So symptomatic of all politics by Hard_Code · · Score: 1
      Ever heard of Mahatma Gandhi?

      Yes, I have. What do I win?

      disillusionment?
      --

      It's 10 PM. Do you know if you're un-American?
    10. Re:So symptomatic of all politics by mabhatter654 · · Score: 1
      imagine the Blackout from '03 ...but during January instead of summer! That was a classic case where simply sloppy engineering and greedy companies nearly took us to our knees! if a 4 day black out occurred in dead of winter the death toll would be thousands...

      My point is that the Blackout was stupidity...imagine if somebody actually tried at it!!!

    11. Re:So symptomatic of all politics by Anonymous Coward · · Score: 0

      You are absolutely right. All that barn door locking for a horse long gone. How can people be so stupid?

      1. Half the human race is below 100 on an IQ test.

      2. Agreeing with your boss, smiling and telling jokes, being a buddy (beers, golf, ... one-of-us) is what gets you a job where you do management for a living.

      3. Self deception is universal.

      4. Evolution works slow.

    12. Re:So symptomatic of all politics by timeOday · · Score: 1
      Well airline security wasn't really an issue before Al-Qaeda's sightseeing tour of New York and DC, either

      It was fairly important. That's why the terrorists were unarmed. The only thing that went wrong with airline security on 9/11 was that the pilots and passengers obeyed the terrorists because they were taught that was the best thing to do - except for the last plane, whose passengers got wise and probably stopped the plane from crashing into the White House or Congress.
    13. Re:So symptomatic of all politics by Sentry21 · · Score: 2, Insightful

      All those security checks and rules you are used to at the airport? Didn't exist back in the 60s and earlier.

      A side note, the US is the only country I've been to that allows non-passengers up to the embarkation gates. Anywhere else, you get stopped at customs and can't proceed without a ticket. Curbside check-in, which I'm still fuzzy on, but as I understand basically puts your luggage right on the plane straight from the taxi, is another huge issue.

      Let's face it, the US was always behind in security, because despite the good sense of dozens of other countries (Canada, for example, and the UK, Israel, Holland, and so on), the US didn't care about security until they had to - and even then, the rules were so absurd that they served only to provide an assurance - terrorists are after your lucky charms, but we've put measures into place to make your cereal safe!

      It's all BS. The government only cares about security because it's one more thing they can claim when the election rolls around. They can make people afraid in general, then make planes safe, but still not make people safe from planes. They're trying to have it both ways, and it just doesn't work like that.

      --Dan

    14. Re:So symptomatic of all politics by lew3004 · · Score: 1

      Man....and I had a good day today; thanks.

      --
      I still can't get the screen shots of Castle Wolfenstein for the Apple IIe out of my head.
  15. Cyber security needs to be tied into defense by Gary+Destruction · · Score: 2, Interesting

    Defending your country includes domestic and foreign defense both off and online. The fact that the military and various government agencies use the Internet is justification for including cyber security as part of defense. Cyber security should be part of the DoD's job.

    1. Re:Cyber security needs to be tied into defense by baby_head_rush · · Score: 1

      Yeah, the Army really needs more to do.

      Next, they'll be in charge of taking toll money on interstates.

      --
      Oliver's army is here to stay Oliver's army are on their way And I would rather be anywhere else But here today
    2. Re:Cyber security needs to be tied into defense by Rocky1138 · · Score: 1

      Can you just imagine the flack we'd see posted on slashdot if this were to happen? Conspiracy theorists and privacy freaks would have a fit!

    3. Re:Cyber security needs to be tied into defense by hostguy2004 · · Score: 2, Insightful

      Does everyone remember the 'secure linux kernel' that originally came from the NSA, which is part of the Dept. of Defense?

      There are at least 100 NSA programmers who regularly contribute to various GPL/Open Source projects. The difference is that they don't use nsa.gov email addresses when they contribute.

      I'm certain if those NSA programmers had their way, Linux or FreeBSD would be the only desktop OS allowed anywhere in the DoD.

      ~hostguy2004

      --
      In Soviet Russia ^H^H^H America, The bank finances YOU!
    4. Re:Cyber security needs to be tied into defense by Gary+Destruction · · Score: 1

      I'm talking about government and military networks, not public networks.

  16. Lottery eh... by TachyonAT · · Score: 1

    Damn... sounds like I need to start playing the lottery then...

  17. Taking it lightly by jdavidb · · Score: 5, Insightful

    In a possibly related story, individuals take cybersecurity lightly

    To be honest, maybe it's hard to take seriously because we're busy trying to distort its meaning and importance with silly buzzwords like "cybersecurity." Why does everything have to be "cyber"-this and "cyber"-that? In my mind this doesn't sound any different than putting e- in front of everything and trying to market it during the dot-bomb bubble, and I imagine that it has a similar effect on the public. We've been conditioned since 1998 to ignore anything with e- or cyber- as a prefix. Why are we surprised that people don't take "cybersecurity" seriously, when we show by our vocabulary that we don't, either?

    Instead of "cybersecurity," how about "computer security," or "personal computer security"? See, it's possible to communicate what you mean in a simple, effective way without fancy buzzwords, and people might even pay more attention. ("You mean my computer might be in danger?")

    1. Re:Taking it lightly by Anonymous Coward · · Score: 0

      Finally, the first post in this thread that was actually worth reading...come on you acid tripping mods...give this guy a 5.

    2. Re:Taking it lightly by tool462 · · Score: 1

      iSecurity?

    3. Re:Taking it lightly by maximilln · · Score: 0, Offtopic

      To be honest, maybe it's hard to take seriously because we're busy trying to distort its meaning and importance

      It's also hard to take seriously when companies like Microsoft have been telling the public, for years and years and years, that it's perfectly okay to click that EULA because the program was definitely worth $200. There was a corporate brainwashing of the public before putting them online back in '95 and that brainwashing hasn't worn off.

      --
      +++ATHZ 99:5:80
    4. Re:Taking it lightly by Anonymous Coward · · Score: 0

      To be honest, maybe it's hard to take seriously because we're busy trying to distort its meaning and importance with silly buzzwords like "cybersecurity." Why does everything have to be "cyber"-this and "cyber"-that? In my mind this doesn't sound any different than putting e- in front of everything and trying to market it during the dot-bomb bubble, and I imagine that it has a similar effect on the public. We've been conditioned since 1998 to ignore anything with e- or cyber- as a prefix. Why are we surprised that people don't take "cybersecurity" seriously, when we show by our vocabulary that we don't, either?

      Instead of "cybersecurity," how about "computer security," or "personal computer security"? See, it's possible to communicate what you mean in a simple, effective way without fancy buzzwords, and people might even pay more attention. ("You mean my computer might be in danger?")


      But cyber means computer or computer related, so what is the functional difference except saving a few words?

      Or do you underestimate the public's ability to comprehend the prefix? Why then would you expect them to have a useful understanding of computer security? A semantic shift will not usher in a new wave of cluefulness.

      The etymology of cyber

      [I don't see the problem with the "e-" (electronic) prefix, either. New times, new concepts.]

  18. Security is a hard job by GodBlessTexas · · Score: 5, Insightful

    Just getting people to pay attention in a corporate environment is hard enough, even with HIPAA and now Sarbanes-Oxley. Hell, if it weren't for Sarbanes-Oxley my company wouldn't even give a damn about security. That's sad, and frightening.

    I can only imagine the nightmare it must be trying to be in charge of security in a bureaucracy like the federal government. If you've never dealt with the feds as an employee or contractor, you have no idea how many layers thick it goes. You can't even fart without pushing paperwork and dealing with red tape.

    --
    Remember the Alamo, and God Bless Texas...
    1. Re:Security is a hard job by recharged95 · · Score: 2, Interesting
      Security is a very hard job indeed. Cause the best security is when you don't notice it. It's abstract like objects, interfaces, freedom, and trust (Hmmm, could be why s/w development is hard ;) ).

      Considering it's in agreement that "take away electricity & technology, we're back in the stone ages" is very true and easy to understand for those who wish harm on the US as well as the connected world. Computers are tools and can be used as weapons or utility, make your choice. And with computers more interconnected to that environment (business, society, etc...), protection of privacy, from malicious code, intrusion or exploitation should be top priorities.

      I'd take the job, anyone here should offer. It's important for anyone in technology. Success or fail, we'll learn something. I'm surprised Yoran doesn't offer any notable "lessons learned".

      Then again, from experience, I feel his pain trying to get things working at DHS. Oh well, the clock is ticking--at least those who oppose us do not have much technology...yet. I hear Iraqis have better cellphones (EDGE) than we do here...

    2. Re:Security is a hard job by Anonymous Coward · · Score: 0

      RE:I hear Iraqis have better cellphones (EDGE) than we do here...

      Of course they do... we just bought them all new models!

    3. Re:Security is a hard job by recharged95 · · Score: 1

      Also, I wonder if we'll be shipping those 'obsolete' Diebold machines over there for the election. Then they'll have some hi-tech... Hold wait, their election is important...

  19. my lucky day by maxchaote · · Score: 3, Funny

    More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code.

    Time to go buy a ticket...

  20. "an organizational inability to do his job" by ARRRLovin · · Score: 4, Insightful

    Sounds like he feels he was being set up to fail. That or they have the department wrapped so tightly with red tape that it makes the department ineffective. As most effective CIO/information directors will tell you, they're not interested in maintaining anything. They want to innovate and if you make that impossible or do not require innovation, they will leave.

    --
    -Randy
    1. Re:"an organizational inability to do his job" by YouHaveSnail · · Score: 2, Informative

      Sounds like he feels he was being set up to fail.

      Or perhaps he felt that there are a lot of issues to be concerned about, but nobody in the administration wanted to consider them. Maybe it's the same thing. If I recall, that was essentially Richard Clarke's beef. According to Clarke, he kept telling the administration that this terrorism stuff was serious, but his superiors didn't want to hear it, didn't want to have to do anything about it.

    2. Re:"an organizational inability to do his job" by Anonymous Coward · · Score: 0
      "Sounds like he feels he was being set up to fail."

      Wasn't that this week's storyline from 'The Apprentice'?
  21. being "hit" by justforaday · · Score: 3, Funny

    More than a third of the 493 PC users surveyed...said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code.

    It should be noted that these people are probably thinking of being "hit" in the physical sense of the word...

    --
    I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
  22. Hmm. by Anonymous Coward · · Score: 0

    Senior department officials consider equally important the protection of the nation's physical structures, such as bridges and buildings, and computer networks, which regulate the flow of electricity, phone calls, finances and other information. They maintain that gauging risks to physical structures and computers separately is inefficient and expensive because common problems threaten both.

    I'm not sure that I agree with this view. Sure there are *some* common problems but there are more threats that differ than not.

  23. Haha! by Anonymous Coward · · Score: 0

    Like all rats, they are jumping ship before the proverbial boat sinks!

  24. The political bottleneck by hawklord · · Score: 2, Interesting

    It can be very frustrating to someone who just wants to accomplish something when politics prevent it from happening.

  25. Good. by Exmet+Paff+Daxx · · Score: 5, Insightful

    Hopefully the hydra will not spring forth another head to take its place. The question we need to ask ourselves here is: should the government even be involving itself in "regulating the Internet" to "improve security"? Considering the free market has a better track record at accomplishing nearly everything (compare the DMV to 7-11) why the hell do we need a useless figurehead like this in the first place? He's ex-Microsoft for God's sake.

    If the government actually wanted to promote cyber security, the best way to do it would be to put a bounty system on the evildoers and let the market compete to catch them. Microsoft put a bounty on some virus authors and look how fast they were caught! Imagine if we had a bounty on web defacers, worm authors, and other such vermin. System administrators worldwide have the legal right to read their customers' mail but until no profit motive, so they don't do it. All that would change. You think 802.11 wardrivers can't be caught? What if information leading to their arrest was worth $50,000 - how many Slashdot readers would be patrolling their neighborhood for wardrivers? It's not too hard to spot the goon with the notebook and the high power 802.11 antenna connecting to every network in his path.

    Personally I'd love to put "Internet Bounty Hunter" on my resume. I'd probably start with the goon at 66.35.250.150 who keeps proxy scanning me.

    --
    If guns kill people, then CmdrTaco's keyboard misspells words.
    1. Re:Good. by PitaBred · · Score: 3, Insightful

      Wait, what? What does ex-Microsoft have to do with anything? They hire some very talented people. Just because I abhor their corporate policies and marketing doesn't mean that the people who work for them can't have any good points.
      As for the wardriving thing... that's stupid. It's the same thing that got MS to the position it's in today. Why not have official wardrivers that find vulnerable AP's and then go knock on doors, telling people to get them fixed? Hit the root of the problem. Increase the barrier of entry for "hackers", the typical script kiddie crap, and 99% of the problem will go away. But just like any crime, you can't get rid of it completely. There will always be people trying to take advantage of others.

    2. Re:Good. by Anonymous Coward · · Score: 1, Informative

      Since when have the markets ever been "free"?

      Monopolies are against free market. Cartels are against free market. Centralization of power to the hands of the few big companies is against free market, since those companies can use their scale to work against any competition, thus destroying the so-called "free market".

      The free markets existed maybe in the 1800s, if even then.

    3. Re:Good. by Anonymous Coward · · Score: 0
      I'd probably start with the goon at 66.35.250.150 who keeps proxy scanning me.

      Hey! You leave me out of this!

    4. Re:Good. by Stanistani · · Score: 1

      >nslookup 66.35.250.150

      Name: slashdot.org
      Address: 66.35.250.150
      Aliases: 150.250.35.66.in-addr.arpa

      Nice inside joke...

    5. Re:Good. by Anonymous Coward · · Score: 0
      why the hell do we need a useless figurehead like this in the first place? He's ex-Microsoft for God's sake.

      Maybe that's why he quit - he's seen the 'security' code in various Microsoft products and knew his job was going to be freakin' impossible...

    6. Re:Good. by Politburo · · Score: 1

      (compare the DMV to 7-11)

      Compare a convenience store to a state agency tasked with issuing legal identification and licences to operate 3,000+ lb vehicles? Why not!

    7. Re:Good. by Kaa · · Score: 2, Insightful

      System administrators worldwide have the legal right to read their customers mail but until no profit motive, so they don't do it. All that would change

      Boggle. So you think making sysadmins read their users' email is a GOOD thing?

      You think 802.11 wardrivers can't be caught? What if information leading to their arrest was worth $50,000 - how many Slashdot readers would be patrolling their neighborhood for wardrivers?

      LOL. Wardriving is perfectly legal.

      --

      Kaa
      Kaa's Law: In any sufficiently large group of people most are idiots.
    8. Re:Good. by BumbaCLot · · Score: 1

      Why not try abuse@exodus.net? Or abuse@savvis.net? I don't see a need for an Internet Bounty Hunter when a simple email would work. And if you are curious how I found those addresses, maybe your resume would be better suited for other tasks like installing the new Windows Firewall on someone else's PC. As for wardrivers, who cares?

    9. Re:Good. by maximilln · · Score: 1

      If the government actually wanted to promote cyber security, the best way to do it would be to put a bounty system on the evildoers and let the market compete to catch them

      The best thing to do would be to hold the corporations who hawk substandard products at full retail price responsible for their negligence. If you bought a toaster that started your bread on fire because the settings dial was malfunctional, you don't take the bread back to the baker--you take the toaster back. If your lamp keeps burning out bulbs because it has a short you don't apply to the light bulb company for a refund, you take the lamp back.

      With Linux I accept responsibility because I didn't pay for the software. What needs to be done is to remove the protection of the EULA. The EULA is crap. It's a cheap excuse. If a company charges money for a product they should be liable for its quality.

      --
      +++ATHZ 99:5:80
  26. As evidenced by ackthpt · · Score: 1
    Of course they aren't paying any attention. People just aren't knowledgeable enough about the threat of cybersecurity to give a shit

    As evidenced by the recent slashdot articles on 20,000 zombies up for sale and the average survival time being 20 minutes for a fresh computer on the internet.

    --

    A feeling of having made the same mistake before: Deja Foobar
  27. Things which are more likely to happen... by 26199 · · Score: 2, Interesting

    ...than winning the lottery: well, you're about 250 times more likely to be involved in a car accident than to win the lottery. And about 10 times more likely to be murdered.

    (That's over a whole year, assuming you buy a ticket every week).

    Virtually everything is more likely than winning the lottery. Their poll just shows that people don't really understand probability... (hmm. You're also more likely to be hit by lightning than to win the lottery.)

    1. Re:Things which are more likely to happen... by EvilTwinSkippy · · Score: 3, Interesting

      I propose a new measure of probability: the Franklin. One Franklin is the probability of being hit by lightning per unit time. (Kites and thunderstorms notwithstanding.)

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    2. Re:Things which are more likely to happen... by Politburo · · Score: 1

      (That's over a whole year, assuming you buy a ticket every week).

      A ticket to which lottery? There are many, and the odds of winning (the jackpot) in Pick-3 (1:1000) are much lower than winning Mega Millions (1:135,145,920).

    3. Re:Things which are more likely to happen... by 26199 · · Score: 1

      Well, you'd get a big clue if you read my... er... very outdated user info. I'm in the UK, so the lottery is 'the' lottery, with odds a little better than 1:14 million.

    4. Re:Things which are more likely to happen... by Anonymous Coward · · Score: 0

      Yeah, but the win-a-tenner odds are on the order of 1:1000 in the UK. And with scratch cards etc, who knows?

      I know more people who've won money on the lottery than have been hit by lightning. But I know more still who've been trojaned, and know it.

    5. Re:Things which are more likely to happen... by 26199 · · Score: 1

      True. But generally 'won the lottery' refers to the big prize... you'd say 'won some money on the lottery' if you only won a small prize.

  28. The real solution by CrazyJim1 · · Score: 4, Funny

    They should outsource this National Cyber Security job to India.

    God spoke to me:
    www.geocities.com/James_Sager_PA

  29. Mod parent up by Anonymous Coward · · Score: 0

    You got it.

    Until we are ready to fire Microsoft, the bad guys have the advantage.

  30. Bruce Schneier by mboedick · · Score: 2, Insightful

    Bruce Schneier should have this job. As a matter of fact he should be Secretary of Homeland Security.

    1. Re:Bruce Schneier by Anonymous Coward · · Score: 0

      Mod this up.

      He would need a capable and tight circle of bureaucrats, but he has a correct view of security at a conceptual level.

  31. A simple way to think about security by The-Bus · · Score: 5, Insightful

    Imagine someone walks up to you and starts talking to you about your car insurance:

    "Well, here's the thing. Your car needs to be safe, and since 1997, with more highways available, more ISEC 45 systems can't accomodate Goodyear telecons. Car insurances? In your glove box, you can find your insurance info several tachometers. Make sure to astagate the TFGG Nationwide proteases for the next fifteen days, and then every fifteen days -- dirkonite 1997 malfunctions could lead to superfinite hexagon and then your gas mileage Liberty Mutual goes down. But the car is fine, it's a good car. It's going to explode and your dog will die. Just call the state RT-678 system box accelerator engine spark plug twice, after frubbing the seats and air conditioner. So, yes, Ford and Honda are a risk, but you have filters, GM just needs shafts -- in Japan."

    That's basically what the average person hears when you start talking about computer security. They seem to understand some terms, but for the most part their eyes glaze over. Then they say "OK" and go back to looking on eBay for that autographed baseball. Even running Ad-Aware is a pain for most people. There's about 20 different options and if they click the wrong one they don't know what just happened.

    --

    Small potatoes make the steak look bigger.

    1. Re:A simple way to think about security by EvilTwinSkippy · · Score: 2, Insightful
      I've just come to accept that I'm a modern day car-mechanic.

      Most people have the same glazed look when you try to talk to them about how riding the brakes leads to premature wear, why accelerating to 40mph between stop signs kills gas mileage, why changing the oil is important, and the relative merit of heeding blinking red lights on the instrument panel.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    2. Re:A simple way to think about security by maximilln · · Score: 1

      I've just come to accept that I'm a modern day car-mechanic

      If you figure out a way to pull down $35/hour doing this, let me know and I'll work 12-hour days. I already do the work for free in my off time.

      --
      +++ATHZ 99:5:80
    3. Re:A simple way to think about security by winwar · · Score: 1

      "...and the relative merit of heeding blinking red lights on the instrument panel."

      But you can safely ignore the yellow and orange ones, right? :)

    4. Re:A simple way to think about security by Anonymous Coward · · Score: 0

      Hmmm.... I suggest stop doing the work for free! It's all supply and demand; they'll only pay if they have to.

    5. Re:A simple way to think about security by maximilln · · Score: 1

      Hmmm.... I suggest stop doing the work for free!

      Need we get into the discussion about mothers-in-law, brothers, family standing, popular perception in social circles, ostracism, not getting the invite to the Thanksgiving dinner ("Oh, sorry, we forgot.") or not getting invited to bowling night ("Sorry, we were in a rush and didn't have time to call you.") again?

      I don't want to be a geek stuck at home with nothing to do forever.

      --
      +++ATHZ 99:5:80
  32. NCSA? by LanMan04 · · Score: 1

    NCSA? Surely not the same guys at U of Illinois that created Mosaic?

    --
    With the first link, the chain is forged.
    1. Re:NCSA? by YouHaveSnail · · Score: 1

      No, not that NCSA. The one in Illinois is the "National Center for Supercomputing Applications." The one referenced above is the "National Cyber Security Alliance."

      Not sure why 'cyber,' which is usually a prefix, has become an entire word there. Maybe they felt that hyphenation is for sissies. Maybe they figured it'd be easier to get a budget through Congress if they stole a well-liked organization's moniker.

  33. Business as usual by samberdoo · · Score: 2, Informative

    *political rant* An administration that has lied so many times it doesn't even know the truth, doesn't need security. Seriously though most of the leading edge work on cyber security and detection is being done by the gov't or under gov't supervision.

  34. No way, I just bought an iMac by Anonymous Coward · · Score: 0

    but, it was built in 1998!

  35. so what OS? by Anonymous Coward · · Score: 0

    More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code.

    So, does that mean that more than a third of the people surveyed don't run Windows?

  36. Odd differences in media representation by j_stirk · · Score: 4, Insightful

    Really, same old - does ANYONE (I exclude the obvious hardcore security conscious techies out there from this, obviously) take cybersecurity seriously? Companies don't. Home users don't. Hell, there are even Sys Admins out there that think security is just disabling the FTP server!

    What I find odd though, is the differences in the way the media shows cybersecurity. Although it's been quite common in the media lately - movies (too numerous to bother counting - you know them anyway), news releases on viruses, phishing, etc. all have had (at least in Australia) an increase of media exposure in recent times. There's a lot of very serious attention out there to this issue, but it's not working!

    People see a movie that examines cybersecurity, which may be discussing a real issue in the same way every other mainstream movie does (ie. somewhat realistic... Willing suspension of disbelief and all that). What I don't understand though is that movies about other topics make people stop and look at the bigger issue being discussed. People watch a war movie and go "oh hay, war is bad/good/hell". People watch a horror flick and go "oh hay, i'm going to buy me an axe and board my doors up to keep those psychos out". People watch a "cybersecurity" movie (or even news) and go "hah, it'll never happen to me - I know everything about my computer!".

    Until we fix this problem, and get across to the public (and hence Governments) that this IS a major issue (and that it isn't going away), the problem is just going to get worse.

    I guess part of the problem is the fact that the topics are usually quite abstract. Often, you can't explain how or even WHY these things happen without getting into some fairly abstract details. What do you mean people can talk to my computer? But it's listening to multiple things at once? And some might be good? But why would they want to use my computer to talk to websites?

    AAAaaarrrrghhh....

    Regardless, something needs to be done, as this is an all too common event.

    --
    [root@GRIFFIN root]# rpm -e coffee-1.22.3-1a.i386.rpm
    error: removing these packages would break dependencies:
  37. These guys gotta toughen up! by bitslinger_42 · · Score: 2, Interesting

    Granted, it's not like I'm in a highly-influential government job, but I do work in Computer Security. As a low-level grunt with delusions of grandeur, I can certainly understand the feelings of frustration, particularly when people don't do the right thing (i.e. what I tell them to). Maybe those of us in the trenches just have the clarity to realize that the job is hard, there are no quick fixes, and trying to convince people who bought their computer the same way they bought their toaster is a really, REALLY hard job.

    On the other hand, I've been doing this for 8 years, 7 years at my present company. Maybe the Baby Bush should hire me, since I'm not such a candy-ass :-)

  38. Joe Average by Anonymous Coward · · Score: 2, Insightful
    More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code.
    Which is probably just as indicative of Joe Average having a poor understanding of probability theory as of a failure to grasp cyber security issues
  39. Unprofessional by Anonymous Coward · · Score: 0
    "Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single's day notice of his intentions to leave."
    He either doesn't give a damn about national cybersecurity, or he doesn't think his job was important enough to maintain. Even if he objects to the administration's policies ... it's HIGHLY unprofessional of him to leave his job with no notice.

  40. Well... by jav1231 · · Score: 2, Insightful

    If a story were to come out that Amit say wanted to implement more DMCA-like restrictions on the Internet and was frustrated because the administration wouldn't let him we'd all have a different attitude. But since this guy quit the BUSH administration, he obviously was suffering in his job trying to do right by all Americans and was being squashed by the man. The fact that he gave effectively 1 day's notice points to a character problem. What's the over and under he starts popping up on talk shows and campaign stops with "a revealing look into the Bush administration" soon?

    1. Re:Well... by Speak+Forcefully · · Score: 2, Interesting

      Giving one day's notice was the SMART thing for this guy to do. I do not know of a single person who resigned with two weeks notice that was NOT immediately escorted out the door. Giving anything beyond immediate notice to an employer like Bush would be nuts. No doubt this guy had already calculated the kind of "organization" he was involved with, and likewise chose the most EFFECTIVE way of exiting. I just hope he remembered to turn the lights out on his way out.

    2. Re:Well... by maximilln · · Score: 1

      The fact that he gave effectively 1 day's notice points to a character problem

      Maybe you should work in a big corporate environment before talking out your posterior. The fact that he gave 1-day's notice says something entirely different.

      1) His managers wrote completely unreasonable quarterly goals and did not give him the resources or authority to accomplish them
      2) His managers directed him to daily pursuits which would never amount to anything close to the goals
      3) When he brought up the disparity between quarterly expectations and daily assignments he was promptly criticized for insubordination and not being a team player.

      --
      +++ATHZ 99:5:80
    3. Re:Well... by jav1231 · · Score: 1

      Uh..this is a GOVERNMENT JOB! So parallels to companies that have done this or that really don't apply. hehe >

    4. Re:Well... by maximilln · · Score: 1

      Uh..this is a GOVERNMENT JOB!

      Oh. Yeah. Sorry. :)

      --
      +++ATHZ 99:5:80
  41. I didn't realize by TheMediaWrangler · · Score: 0

    that lightning had become so bad!

    --
    People should not fear what they do not understand; people should fear because they do not understand.
  42. To everyone saying people are stupid by Anonymous Coward · · Score: 4, Insightful

    The average Joe does want to learn. They're just under no obligation to think that the things you want them to learn are worth learning. My mom gets on my case left and right about how culturally ignorant I am--I've only heard Monteverdi's Vespers of the Virgin Mary once, and how is it that I can hate The Marriage of Figaro when I've only heard half of it? But I'm not oblivious because I don't like opera. I've prioritized. I've made sacrifices.

    The average person isn't apathetic or stupid.

    Instead, the average person is not you and probably doesn't want to be you.

    The average person cares a lot about things which affect their lives. Ask a farmer what he/she thinks about the latest pesticides, or if terracing has conserved as much soil as environmental proponents say. You'll get an easy hour of discussion out of a farmer that way. It'll bore you to freaking tears, but you'll get an easy hour of discussion out of a farmer that way.

    Ask a teacher what he/she thinks about No Child Left Behind. Ask an automotive engineer what he/she thinks about the disappearance of shade-tree mechanics.

    Kid, you are an elitist geek. The world's a much bigger and more interesting place than you give it credit for.

    Open your eyes. Open your eyes and enjoy the world as much as you can while you're young. Don't do what I did and spend the first 25 years as a pessimist before realizing how empty and useless pessimism is.

    I'm a cynic. A cynic is someone who's seen enough of humanity's beauty to be thoroughly convinced that it exists--and enough of humanity's ugliness to be thoroughly appalled at how rarely humanity's true beauty shows through.

    But take my word for it. The beauty exists, if you're willing to open your eyes. And the beauty will take your breath away.

    Have a nice life. Really. I mean that.

    1. Re:To everyone saying people are stupid by recharged95 · · Score: 1
      "The average Joe does wants to learn."

      You're on the right track, but I think it's the average Joe is just curious.

      Curiosity promotes learning--it's a good thing. Only a few people (like those here on slashdot) want to learn.

      karma UP!

    2. Re:To everyone saying people are stupid by arcade · · Score: 1

      The average person isn't apathetic or stupid.

      Yes he is.

      Ask a farmer what he/she thinks about the latest pesticides, or if terracing has conserved as much soil as environmental proponents say. You'll get an easy hour of discussion out of a farmer that way. It'll bore you to freaking tears, but you'll get an easy hour of discussion out of a farmer that way.

      I don't know much about this on beforehand. It would on the other hand be very interesting to discuss this with a farmer once. I would actually find it very interesting - even though it's information that is totally useless for me.

      I like to learn, and I like to discuss.

      Ask a teacher what he/she thinks about No Child Left Behind.

      While I have no idea what "No Child Left Behind" is (I'm not an american) - I'm sure I would find it a very interesting discussion too.

      I like to learn, and I like to discuss.

      Ask an automotive engineer what he/she thinks about the disappearance of shade-tree mechanics.

      I have no idea what you're talking about - maybe if you told me what it meant in Norwegian. ;) I'm pretty sure I would find that too interesting to talk about, even though I'm generally not very interested in cars. Mechanics on the other hand, is interesting.

      Now, what I find incredibly irritating is people that don't want to learn about other things. People that say "nah, I don't need to learn about that" - or "nah, I'm not interested in learning anything about that" .. or "Nah, I'm not good with that".

      --
      "Rune Kristian Viken" - http://www.nwo.no - arca
    3. Re:To everyone saying people are stupid by Anonymous Coward · · Score: 0

      Marriage of Figaro is a highly entertaining opera.

      OTOH if you don't like opera, you probably wouldn't enjoy it.

      Offtopic - If you think you don't know any opera music, think again:
      The music at the beginning of 2001: A Space Odyssey is music from a Wagner opera;
      The "Lone Ranger" theme is actually the overture to 'William Tell', an opera by Rossini.

      There are others, to be sure (I think Ride of the Valkyries is pretty well known) but those are the big two I can think of off the top of my head.

    4. Re:To everyone saying people are stupid by winwar · · Score: 2, Interesting

      "The average person isn't apathetic or stupid."

      Look, they may not be stupid (in the dictionary sense of the word) but stupid is often used in place of ignorant. But they ARE apathetic. How else do you explain the low voter turnout? If 100% of the population was involved, even minimally, in voting or civics in general, this country would be a different place...

      "The average Joe does want to learn."

      Uhh, maybe. Some do, but many do not want to expend any effort to do so or learn anything that conflicts with their preconceived notion of how the world is. And if you don't want to expend effort, then you really don't want to learn.

    5. Re:To everyone saying people are stupid by KZigurs · · Score: 0

      let me guess, you take it personally?

      Yes, people ARE stupid. Most of them start to doubt their actions, freeze or smile stupidly as soon as they have to do something they haven't been taught by their parents long, long ago. That's how it happens.

      And as long as they think that they can use computers and don't know implications, safety procedures or have no signs of common sense - they are STUPID.

      After all, you wouldn't allow your 80 years old grandma who knows shit about mechanics to forcestart your car from under the hood? Or if you will see that your neighbor, who, as you know, suffers from sudden lapses of narcolepsy, will you try to stop him?

      Get a life, mr. BeautyOfTheWorld. If /. were about this stuff, we wouldn't be discussing ignorant and braindead users here.

    6. Re:To everyone saying people are stupid by Anonymous Coward · · Score: 0
      Ask an automotive engineer what he/she thinks about the disappearance of shade-tree mechanics.
      I have no idea what you're talking about - maybe if you told me what it meant in Norwegian. ;) I'm pretty sure I would find that too interesting to talk about, even though I'm generally not very interested in cars. Mechanics on the other hand, is interesting.
      A "shade-tree mechanic" is a person who tinkers with cars for fun. They are disappearing because cars are becoming harder to fix due to proprietary parts, tools, and computer interfaces.

      In fact, it's such a big problem (at least in the US) that even independent commercial shops are going out of business, because they can't afford to buy (at exorbitant, anticompetitive prices) the tools which are only available from the manufacturers/dealerships, which are in competition with them.
  43. I know why he quit.... by Anonymous Coward · · Score: 0
    Why work here when all the tech jobs are moving to India? He's already got the right name and everything...

    A personal note for Amit:
    Enjoy my job! Just remember ... you're earning 1/20th what I was earning ... so it'll take you about 60 years to earn what I earned in the three years I worked here. Doesn't make your new gig look too attractive anymore, does it?
  44. Powerballs by droleary · · Score: 1

    More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code.

    Wow, who knew the Mac and Linux marketshares had grown that much? Seriously, far too many people seem to be taking the side of the corporate shill as though he stood on some higher ground than the other government shills. For all we know, he just wanted to attach government pork to benefit his buds back at Symantec and someone inside was smart enough and powerful enough to stop it. If they wanted to show they're serious about "cybersecurity", let me read the headline where they actually take action against the convicted monopolist that produces the systems that cause 99% of the problems. Until then, I'm not on this guy's side, or on the side of anyone who fills the same role. He was another in a string of ineffective bureaucrats, and the fewer of those we have the better.

  45. Re:Well no wonder he quit! by Anonymous Coward · · Score: 1, Insightful

    no you missed the problem...

    "former software executive from Symantec Corp"

    I have NEVER met an executive that has a farking slightest clue as to computers let alone something as complex as computer security.

    Let's get a restriction that that office can not be held by anyone that was an executive at ANY company.

    How about a REAL expert that spent 5+ years in the trenches of a NOC?

    oh wait this is the USA, those who can.... do, those who can't, LEAD.

  46. Zombies by Jason+Hildebrand · · Score: 3, Insightful
    "More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code."

    These are the people whose computers are being used to send spam while they sleep.

    1. Re:Zombies by hsmith · · Score: 1

      DoS attacks against companies that actually use spam to promote their products should become mandatory

  47. Why not educate people? by JavaLord · · Score: 2, Interesting

    This story says that consumers have a casual approach toward cybersecurity and fail to grasp the pervasiveness of online threats, according to a study released Thursday

    For all the money they probably pump into cybersecurity, can't they start a nationwide campaign to educate users?

    1. Re:Why not educate people? by Anonymous Coward · · Score: 0

      For all the money they probably pump into cybersecurity, can't they start a nationwide campaign to educate users?

      No, but I hear they're gonna put all that money into a giant pot and sell lottery tickets for 5 bucks a pop... : p

    2. Re:Why not educate people? by Anonymous Coward · · Score: 0

      Because I don't want to have to deal with updating my OS, my virus scanner, and my ad-blocking software everyday. I want to turn on my computer and do things with it. So do most people. A computer is a tool like a car - just because I don't know how to build a transmission doesn't mean I shouldn't drive.

    3. Re:Why not educate people? by JavaLord · · Score: 2, Interesting

      want to turn on my computer and do things with it. So do most people. A computer is a tool like a car - just because I don't know how to build a transmission doesn't mean I shouldn't drive.

      But you realize with your car to change the oil every so often or take it to someone who can. You might even have it winterized every year. You probably buy new tires every few years and even get it washed sometimes.

      All that is needed is a basic computer class (ie like getting your drivers licence), an auto-updating virus scanner and adaware type software. I don't think that is much harder than what anyone has to do to own a car.

    4. Re:Why not educate people? by Anonymous Coward · · Score: 0

      True, but in this day and age, even having up-to-date virus/ad protection won't always keep stuff out. Maybe the solution is dumb terminals...

      Anyway, thanks for the reply. :)

    5. Re:Why not educate people? by Piquan · · Score: 2, Interesting

      A computer is a tool like a car - just because I don't know how to build a transmission doesn't mean I shouldn't drive.

      A car is a tool for one job: driving. A computer is a tool for lots of different jobs, some of them very complex. If people wanted a computer to do only simple things, then we wouldn't be in this mess: ActiveX and JavaScript-enabled email would never have come along, for instance.

      But users constantly demand more capabilities. Not without cause, mind you, but that's not the point. The users want to be able to send emails that make a dancing baby go along the bottom of their computer screen. If John's computer can read the dancing-baby email but Jane's can't, she'll want to change her software be able to read the dancing-baby email. We gots to have the dancing baby! And that's a normal desire for Jane to have, nothing inherently bad about it.

      The problem is, it's not clear to Jane that this is unsafe. She sees John's dancing baby. Maybe she sees that John's computer crashes more often, but she doesn't link that to the dancing baby. Why should she?

      I'd like to be able to step into my car and tell it, "Take me to Fry's" and off it goes. I can sit and chat with my friend while we travel, none of this pesky watching the road. The technology to do this is around today, but it's unsafe. Since car manufacturers take on liability, nobody's built this car.

      The vendors of computer technology are not like car vendors. Insecurity on a computer doesn't automatically mean unsafe (that is, it's uncommon for people to be killed by computer problems). So technology vendors aren't liable if their products are insecure. That means that technology vendors have the freedom to develop insecure solutions to meet market demands.

      Now, Theo the Technology Vendor builds a product that's secure, but won't show the dancing baby. Bill the Technology Vendor sells a product that's insecure, and will show the dancing baby. Of course, Bill doesn't tell people that his product is insecure. He might not even know it. So who does Jane get her technology from? (Followup: who now has money to develop and market the next product?)

      I'm not saying it's the users' fault. I'm not saying it's the vendors' fault. That's a losing game: the vendors point the finger at the users, the users point the finger at the vendors, and all anybody gets is the finger. I'm simply saying that, as long as users demand complex capabilities, and vendors provide them without regard to security, the situation will not be resolved.

  48. Homeland Security = Gestapo by jeff13 · · Score: 2, Insightful

    The purpose of Homeland Security is to centralize all information about YOU and ME and then use it... for something they never tell us.

    Homeland Security cannot function without the Patriot Act to give it its power. All of this is just like the purpose, and genesis, of the Gestapo. Back in 1933 it made sense to create new State Police only if you wanted to oppress dissent.

    And as we know, Homeland Security is really only famous for arresting artists, academics, hackers, musicians, and Tommy Chong! wtf!

    So of course people like Richard Clarke are "resigning" ... the truth is that even a patriot can see that the GWB White House is a criminal organization that has brought the USA to its worst since the Vietnam Conflict, and this time next year you'll WISH it was only as bad as 1967. And we all know how well that turned out for those who opposed that war too. Of course, back then you only had to worry about the FBI, the CIA, the NSA, the cops... man, you'd think the USA was a nation of criminals.

    1. Re:Homeland Security = Gestapo by Anonymous Coward · · Score: 0

      You know, most of the rest of the population of the United States never owned a copy of the Anarchist's Cookbook; we don't have to obsess about these things.

      As I recall in the 60's it wasn't entirely one-sided, either. You should look up in the Madison, Wisconsin newspaper archives about the chemistry building on the UW-M campus being blown up because of war protesting.

  49. Insightful?????? by Anonymous Coward · · Score: 0

    How the hell is this INSIGHTFUL ?????

    He's part of the frigging problem...too many people think that just because they run windows update, have a firewall, and use one of those Netgear Cable/DSL router/firewall boxes, that they are somehow immune to malicious code. Keep dreaming.

    This is like thinking you can sleep with as many people as you want and as long as you use a condom you can't get an STD. Condoms break, firewalls are flawed, the hackers have exploits that Microsoft/Cisco/Red Hat/etc. don't even know about yet.

    Just a little wake up call for you.

  50. It's the whole Bush POV by cmdr_forge · · Score: 0

    Bush administration thinks that terrorists are state or country sponsored, so eliminate the country and you get rid of the sponsors. They do not see it as individualistic groups. Case in point, National Security Advisor Rice's speciality is the Soviet Union. She was an expert in Soviet bloc politics.

  51. Time for Microsoft to start doing PSAs? by Anonymous Coward · · Score: 0

    If the latest cyberchief resigns due to the fact that everyone else doesn't have a clue about computer security, and Microsoft is the butt of an endless virus joke. So isn't it time for Bill to pony up the money and do some actual paid advertising? Remember all of those buckle-up public service announcements on TV? Your average computer user will probably actually turn on the firewall if he/she sees it enough times. Heck get creative, every other company is shilling on NBC's Apprentice, how about getting the teams to create the PSA?

  52. I shouldn't have to care about malicious code by potus98 · · Score: 4, Insightful

    ...They want to flip the switch and have it work.

    Damn straight skippy! I've been dreaming of this for years

    ...They probably seriously believe that malicious code means that they bring home a disk and put it in their drive and run a program that will be an old-sk00l virus.

    Sure, maybe. Or perhaps they have no idea what "malicious code" is in the first place. BTW: They shouldn't have to care about malicious code! It's like asking Joe-on-the-street what the US strategic and tactical strategies should be in the Middle East. What kind of background/training does Joe have? Why in the world would I give a crap about his answers on any polls.

    ...Plus these same people probably do think that their chances of hitting the lottery are good as they are dumb enough to ignore real news for their own realm of importance (Reality TV).

    Ahhh yes, IT snobbiness strikes again. The average person shouldn't have to "give two flying fucks". The PC industry should get its act together and deliver "dumb" terminals that do exactly what people expect them to do. Chances are, you don't know anything about natural gas fittings, but you still use a stove. I don't know anything about generating and containing microwaves, but I still eat frozen burritos. Why the hell should we burden Joe-average with patches, virus updates, malicious code, .dll's, conflicting IRQs, etc...? Especially when all they want to do is read e-mail, download pr0n, and play games. It's not like the average PC user is trying to develop a new OS kernel.

    --
    This one gang kept wanting me to join cause I'm pretty good with a bo staff.
    1. Re:I shouldn't have to care about malicious code by PitaBred · · Score: 4, Insightful

      The problem is, I've heard of people blowing up their houses because of natural gas fittings. That, and the people who do those are actually certified. It's not usually a DIY job. Same with designing a microwave.
      But people want to put software on their computers. Hell, if you want a secure system, mount everything but the swap/temp as read only, and boom. Nothing can go wrong. As soon as you increase the complexity of the system, you run into problems.
      It's almost as if you think "Hell, we can build a rowboat that anyone can use, why can't we build a Triton class submarine that anyone can use?"

    2. Re:I shouldn't have to care about malicious code by potus98 · · Score: 2, Interesting

      ...It's not usually a DIY job. Same with designing a microwave.

      Exactly!!! Certified experts have already designed those products for use by Joe-average. He can cook all kinds of meals without needing to install new gas fittings, adjust microwave frequencies, or fiddle with particle beams. :-)

      I have argued for years that the general, home-user PC device should have matured into appliance-level sophistication (ie: easy to use) YEARS ago. The "complexity" of the modern PC operating systems are total overkill.

      Now, depending on which programs I elect to use, I would agree that an increased level of knowledge is necessary. For example, if I load Quicken for Small Business, I better understand something about accounting, finance, banking, etc...

      But if all I want to do is read e-mail, surf the web, and play a game, I should ONLY be required to understand the complexities of entering URLs, knowing the difference between Reply and Reply-to-all, and that I want to play the Recruit level -not the Frag-Master level.

      ...As soon as you increase the complexity of the system, you run into problems.

      That's my point! PC's are waaay too complex for their most common uses. That we (the tech industry) have delivered machines that require so much care-and-feeding just for the O/S is a complete embarrassment. And to add insult to injury, we (the tech industry) often maintain the arrogant attitude of "well, if they're too stupid to use it, they don't deserve to read e-mail..." instead of saying to ourselves "you know, Joe-average shouldn't have to deal with all this crap just to access some basic communication services."

      --
      This one gang kept wanting me to join cause I'm pretty good with a bo staff.
    3. Re:I shouldn't have to care about malicious code by Anonymous Coward · · Score: 0

      If you knew anything about generating microwaves, you wouldn't be eating frozen burritos.

    4. Re:I shouldn't have to care about malicious code by magefile · · Score: 1

      They are appliance level. Keep in mind that when they call you/me/tech guy #3, that's the equivalent of me calling the appliance guys and saying "I smell gas, can you come check it out"/"I just bought a new dishwasher, can you install it for me"/"my furnace makes funny noises, what's wrong".

      And I know not to leave grease drippings in the stove, or wash my lights with my darks, or put Comet Cursor stickers on my furnace "to make it look nice".

    5. Re:I shouldn't have to care about malicious code by Anonymous Coward · · Score: 1

      Chances are, you don't know anything about natural gas fittings, but you still use a stove. I don't know anything about generating and containing microwaves...

      Your microwave and natural gas stove also don't reach out and grab you if you open the door wrong. Your internet connection can. Teenagers are getting sicko pedophiles that they met on IM coming to their houses with the notion that they're going to have sex! (quite possibly rape them if they have to). That shit just doesn't happen if you're clicking the remote watching TV. Nobody's going to reach out and smack you from the TV if you cuss at them.

      The computer has Two Way communication, and it handles more than just web pages - it's our lives, our bank statements, phone records, electric bill, tax forms, company documents - whatever. You don't leave a phone line connected to your house lines just lying on the street so anybody can listen in, or make calls as if they were you? Do you give your house or car keys out to complete strangers that you meet at restaurants?

      People learn safety in order to use a car. They may not know how to work on the car, but they must know how to drive it before they're allowed on the road. The Internet should be the same. There are safe ways of being on it, and there are unsafe ways. Many people operate it the unsafe ways. That affects everyone. Just like unsafe drivers affect other drivers.

      Everyone shouldn't have to be a computer expert to use the internet or computer. However, they should learn to operate it securely. The next time someone comes to their email door and says, "Landshark, ma'am." They should know enough to not let them in! Don't click the link! Don't run the program!

    6. Re:I shouldn't have to care about malicious code by robochan · · Score: 1

      "...Ahhh yes, IT snobbiness strikes again. The average person shouldn't have to "give two flying fucks". The PC industry should get its act together and deliver "dumb" terminals that do exactly what people expect them to do. Chances are, you don't know anything about natural gas fittings, but you still use a stove. I don't know anything about generating and containing microwaves, but I still eat frozen burritos..."

      No, but you (hopefully) know that natural gas has an additive so that you can smell it in case of a gas leak, and (hopefully) you know enough not to superheat water in your microwave so you don't get scalded.
      Folks seem fond of using car analogies as well. Even Ford and Chevy put in idiot lights so you know (albeit perhaps too late) that you're almost out of oil or that you really need to have your engine checked by someone who knows what they're doing.

      Ignorance is no excuse for lack of maintenance. IIRC, there was an old commercial (for mufflers?) that had the slogan... "You can pay me now, or you can pay me [more] later". That sort of sums it up.

      It's not "IT snobbiness", it's the fact that, no matter how much you wish it so, a computer IS NOT an appliance - it's a tool. Just like every other tool, care, simple safety precautions, and maintenance are vital for your safety as well as those around you.

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
    7. Re:I shouldn't have to care about malicious code by dekashizl · · Score: 3, Insightful
      Sure, maybe. Or perhaps they have no idea what "malicious code" is in the first place. BTW: They shouldn't have to care about malicious code! It's like asking Joe-on-the-street what the US strategic and tactical strategies should be in the Middle East. What kind of background/training does Joe have? Why in the world would I give a crap about his answers on any polls.
      A better analogy, instead of saying that average people need not know US "strategic and tactical strategies", is war-time rationing. You may not know how to build a tank, but if the government says "don't waste metal because we need a lot of it to build tanks" (as they have done in the past), then the average person should listen.

      And in this case, the government should step up and say "don't let your PC become a zombie, because you are contributing to massive DDOS attacks against our critical infrastructure". Unfortunately, it takes an event of 9/11 proportions to wake people up enough to acknowledge the possibility.

      So when NYSE, Nasdaq, banking networks, and critical communications infrastructure are brought down by a cyber-terrorist attack, THEN you'll start seeing this top-down focus on more localized security. Sadly, not before that.
    8. Re:I shouldn't have to care about malicious code by Jane_Dozey · · Score: 1

      JoeUser also wants to be able to play the latest games, chat to people on the other side of the world and a multitude of other things that require complex technology. If we ever learn how to write provably solid software (currently an impossibility) then it's just not possible to have idiot-proof computers. People want to do things that need something like a PC to work.
      Basic computer maintenance isn't all that complicated.
      I'd have to say that the technology being complicated is only half the problem. People are the other half (and not just the average users).

      --
      Silly rabbit
    9. Re:I shouldn't have to care about malicious code by lew3004 · · Score: 1

      Now THAT'S the most insightful post I've read today. Thanks.

      --
      I still can't get the screen shots of Castle Wolfenstein for the Apple IIe out of my head.
    10. Re:I shouldn't have to care about malicious code by Anonymous Coward · · Score: 0

      There is this thing called democracy that you Americans like to boast with.

      Well, it won't work with illiterate, ignorant citizens. The citizens have to know the issues, the answers, or at least have enough knowledge to start to learn.

      If they don't, the fact they can vote is irrelevant. There is no democracy if the electorate can't figure out there ARE issues to begin with. And most Americans simply can't.

      On the side, having a knowledgeable electorate doesn't mean anything either if a few rich assholes can buy themselves any election and politician at a whim. Essentially, there must be at least a general economic equality for majority of voters, or all other trappings of democracy are nothing but an elaborate illusion. Which is the case right now in U.S.

      To summarize: to have a working democracy, voters must be knowledgeable and involved with current issues, concerned enough to get involved, and well enough off so they can't be bought for a piece of bread (ie. economically independent).

      THIS PRINCIPLE APPLIES TO ANY ENDEAVOR IN A DEMOCRATIC SOCIETY. It should be a goal of such society to educate any of its citizens as widely as possible. There is a clear correlation between educated citizenry and economic and scientific progress. The only societies that promote ignorance as a virtue were historically autocratic regimes trying to keep a tight grip on their own population.

      The point here is that users should care enough about what is happening to their PCs to learn about basic security. They shouldn't HAVE TO, but they should know anyway, even if all PCs were always-on, never-breaks dumb terminals.

      No knowledge is wasted. No learning is for naught. Ignorance is only bliss until it gets you in trouble.

    11. Re:I shouldn't have to care about malicious code by Anonymous Coward · · Score: 0
      It's like asking Joe-on-the-street what the US strategic and tactical strategies should be in the Middle East.
      If Joe is a voting citizen, then he should have an informed opinion about that! After all, he has opinions about the strategy of Survivor!
  53. Who would want his job by codepunk · · Score: 1

    Who would want his job...

    Considering the fact that at any given moment now most of the PC's in the US could suddenly go black. The only reason nobody is taking it seriously is that somehow by the grace of god none of the script kiddies have been writing system destructive worms. It is absolutely scary to think what a really good hacker in a pissed off mood could unleash with just a few hours' work behind a compiler.

    --
    Got Code?
  54. all i have to say is... by ftzdomino · · Score: 1

    pwn3d!

    1. Re:all i have to say is... by SpaceLifeForm · · Score: 1

      That seems to be the problem with the U.S. gubmint.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  55. blame the user eh? by gad_zuki! · · Score: 4, Insightful

    >Face it, people don't give two flying fucks about being educated in computer know-how.

    I don't care how my fridge and toaster work, at least on the level of maintaining them properly and repairing them. Along with my car. You're being too geek-centric here and blaming the victim.

    Why aren't Mac users having the massive security problems Windows and Unix users have? The problem is the product and the vendor. We are at a point where you can make a safe OS you don't have to babysit. The market has delivered it in the form of OSX, for the most part. Linux is no magic bullet either as it runs so many services, is very user unfriendly, etc. Come on, face facts here before I get modded down for diverging from the "party line."

    What people need is a better product, not four CS classes on network security. What people need is to do their work and shut the thing off and not worry about it. What people need and what they are getting from Dell et al are two very different things. If we're going to blame the Bush administration, let's blame them for letting MS go when they could have broken them up into two or three different companies.

    For every field there's someone like you who blames the user. Be it the mechanic who is pissed that "stupid drivers" can't figure out how to change a fuse or their own tire. Or plumbers sick of doing midnight calls because landlords put off maintenance and something breaks in the middle of the night. Or local telco/power companies sick and tired of trimming your trees for you when your tree breaks a power line.

    IT should work for people. People shouldn't be working for their computers. Blaming the user is the wrong way to go about it. Blame the designers for not making a user-centric design. Blame the designers for shipping code riddled with security holes.

    1. Re:blame the user eh? by Anonymous Coward · · Score: 0

      Sorry, I usually just read the posts but this bugs me.

      You cannot compare everyday household objects, even a car, to "Using" a computer.

      Now if you constantly had people purposely trying to run you off the road (I'm sure you sometimes feel this way) Then it would be closer to the reality of security issues with computers.

      Just like when you go to do just about anything. There are instruction manuals. The problem with computers is that they are vast with multiple purposes.

      If the Internet had not been developed into what it is today and people were just using their computers locally then there would be as many concerns with the computer as there is with a toaster.

      As it stands. The average consumer needs to have a crash course on not only using their computer but securing it.

      You can cause easily as much or more harm behind a computer as you can behind a wheel of a vehicle. Lack of a driver's license and ignorance behind the wheel will not keep you from jail if you harm a person financially or bodily.

      It also shouldn't with computers.

    2. Re:blame the user eh? by Tim+C · · Score: 1

      If the Internet had not been developed into what it is today and people were just using their computers locally then there would be as many concerns with the computer as there is with a toaster.

      Viruses existed long before the Internet was a household name. I remember catching and quarantining a virus on my Amiga 500; must've been late '80s, possibly '90 or '91. Certainly a good few years before I first used the 'net ('94).

      Sure, it was harder for them to spread and so consequently they spread much more slowly, but they did exist and they certainly did spread.

      That said, sometimes I feel like I'm missing out. I've had maybe 3 emailed to me this year, and just today there was a trojan in a screensaver I downloaded from softpaedia; all were caught by my antivirus scanner (not that the emailed ones weren't obvious, as they were to accounts that don't get real mail). I also don't get my firewall logs filled with port scans and hack attempts like most people here seem to. Maybe I'm just on a quiet part of the 'net or something.

    3. Re:blame the user eh? by einhverfr · · Score: 2, Insightful

      Linux is no magic bullet either as it runs so many services, is very user unfriendly, etc. Come on, face facts here before I get modded down for diverging from the "party line."

      When was the last time you actually installed Linux as a workstation or a server without installing stuff you don't need? 5 years ago?

      I have only seen a couple of services enabled by default on Red Hat distributions since 8.0. These include NFS and SSH, and both are blocked by default by firewall rules.

      That being said--- there is no magic bullet, even OS X. To think otherwise indicates that computer crime is somehow analogous to someone breaking into a nice home in suburban Bellevue, WA. Instead, it is like someone breaking into a random house in Baghdad. Don't believe me? I can post my firewall logs here if they don't mind the volume of the logs....

      On an average day, I see 60-100 probes against my firewall. This is the equivalent of eyeing a car and checking a door to see if it is locked....

      Last month someone did a complete portscan of my system and several tried extensive user account scans against SSH. These are more equivalent to scoping out a house and seeing if there are any easy ways of breaking into a house-- i.e. checking all doors, windows, etc. and perhaps trying to enter by breaking a window or two. None of these were successful. So maybe it is worse than residential security in Baghdad.....

      Think that services are the only problem? As soon as you install any software that uses an internet connection in any way, you now have a potential hole. Mozilla has had a graphics handling issue, even, and I wouldn't be sure that KHTML is invulnerable. Add to this dependencies for libraries which may contain additional vulnerabilities and nothing is unassailable. Think OS X is invulnerable? Think again.

      The average user will need to know something about security, just as the average driver needs to know something about road safety...

      --
      LedgerSMB: Open source Accounting/ERP
    4. Re:blame the user eh? by wobblie · · Score: 1

      and what, exactly, are these massive security problems unix has that Mac OS does not have?

      Actually, just what are these massive unix security problems?

      Mac OS is a unix. jesus christ you are being such a fanboy here.

      just rag on windows, 'k?

      You are right about this "blame the user" mentality though. That is fucking bullshit. The application integration in windows is by design insecure. It will take years to fix this, and it doesn't appear that Micros~1 has any intention of doing so. It will only get worse.

      Designers are generally to blame for security problems that could be avoided. This goes for Outlook and IIS developers as well as ISPs who do not do egress filtering.

  56. in related news... by revery · · Score: 1

    In related news, the number of lottery winners has increased exponentially over the past several days with one in three computer owners being declared winners. Lottery sponsors were puzzled as to what could have caused the outbreak, but say they are not worried as all of the unexpected lottery winners have been fatally struck by lightning.

  57. My experience with DHS by erroneus · · Score: 2, Insightful

    If my experience with the TSA and the DHS is any indication, then I'd have to say that this problem is not at all surprising.

    The people who are in those positions seem more interested in keeping things from changing and keeping their jobs. They want a government paycheck but they aren't interested in actually doing their jobs. The problem with that attitude is that since the DHS is so new, there is no "keeping things the same." It's about growth and forming an organization. It's amazingly ridiculous how things operate (or fail to operate) within the places I've been exposed to.

  58. More than One-Third? by Compulawyer · · Score: 1
    More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code.

    That must be the one-third of users in the survey who use Mac OS X or Linux or FreeBSD.

    See? BSD is NOT dying ....

    --
    Laws affecting technology will always be bad until enough techies become lawyers.

  59. Re:turn on your tvs... by Anonymous Coward · · Score: 0

    you suck, retard mods.

    I don't think crapdot can sink much further. If that moron Taco doesn't do something about the assfucked moderation system here the place is toast. The system is obviously broken. Not to mention a pal of mine who works at Apple says they have a whole room of guys who do nothing but astroturf here and a few other high-profile sites. Costs them a million bucks a year in wages, and they get at least 20 back in increased sales due to "word of mouth" and "good customer reviews"... Mod system doesn't do anything to combat THAT, does it? I guess Apple has made Slashdot his bitch. Good for them. Apples rule.

  60. nonsense by BitterAndDrunk · · Score: 1
    If I drop cyber from my parlance, how will I entice people pretending to be women to simulate sex with me?

    Ask them for eSex?

    iSex is all fun and games until someone loses . . . ahhh forget it.

    --
    You better watch out, there may be dogs about . . .
  61. Probably not by Anonymous Coward · · Score: 0

    If a story were to come out that Amit, say, wanted to implement more DMCA-like restrictions on the Internet and was frustrated because the administration wouldn't let him we'd all have a different attitude.

    The slashbots would simply do a 180 on the DMCA.

  62. Americans in the key term by Anonymous Coward · · Score: 0

    Look at this once again

    "More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code."

    This is because broadband penetration is so low in America that it's probably true. If you only use your modem to occasionally check something on the web like ordering a book off of Amazon, then you probably don't stand much chance of getting hit.
    This is where the flippant attitude about letting monopolies dominate telecoms and charge whatever exorbitant rates THEY decide the market ought to bear really comes back to haunt Americans.
    If this same question was asked in Korea, Taiwan or Hong Kong I bet they would find the average household has at least a software firewall and probably a NAT. Americans think this is all silly stuff, but they don't realize how far behind they've fallen. This survey really highlights that more than anything.

  63. Who can blame 'em? by kc7cfk · · Score: 1

    Five years ago the sky was falling over Y2K. Of course that turned out to be one of the biggest non-events in history. Why would anyone pay attention to Chicken Little about this?

  64. Funny, I just saw this quote on fortune: by oGMo · · Score: 1
    "It follows that any commander in chief who undertakes to carry out a plan which he considers defective is at fault; he must put forth his reasons, insist of the plan being changed, and finally tender his resignation rather than be the instrument of his army's downfall."

    -- Napoleon, "Military Maxims and Thought"

    --
    Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

    1. Re:Funny, I just saw this quote on fortune: by AJWM · · Score: 1

      Ah, so that's why Napoleon resigned instead of invading Russia.

      Oh, wait...

      --
      -- Alastair
  65. In other news... by _UnderTow_ · · Score: 1

    "More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code."

    In other news, more than a third of the 493 PC users surveyed are idiots.

  66. It shouldn't be an end user problem by Animats · · Score: 1

    Microsoft should be living in fear of multi-billion dollar judgements and public accusations of "accommodating terrorists", instead.

    1. Re:It shouldn't be an end user problem by SpaceLifeForm · · Score: 1

      But they are not. What does that tell you?

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  67. Funny by airrage · · Score: 1

    Someone had a case of the Mondays. I hear he got fed up with a guy named Lumbergh.

    --
    "This isn't a study in computer science, its a study in human behavior"
  68. No Child Left Behind - i work for a K-12 by Anonymous Coward · · Score: 1, Insightful

    Ask a teacher what he/she thinks about No Child Left Behind

    I work for a large (45 school) district and I can tell you it does more harm than good.

  69. PearlHarbor 3.0 by Doc+Ruby · · Score: 1

    It will take an event like the 9/11/2001 planebombings to get civilians to take cybersecurity seriously. Then, following the format, they'll be taught the wrong, self-serving lessons that neither follow from the event, nor make us more secure. That's how we'll be driven into the world of "Trusted Computing", an Internet available only to official publishers, and a cyberspace so crooked that it will reflect the material world as accurately as does American National Security policy. Congratulations, terrorists - inside and outside the corporate government.

    --
    make install -not war

  70. Sabotage vs. Terrorism by Doc+Ruby · · Score: 1

    Whatever spreads fear is terrorism. Killing does a great job of spreading fear, but so does an ATM network going down. The sabotage is only worth it when it spreads fear; that's the entire point of terrorism, whence the name. Hacking is much less risky, and cheaper, than suicide bombs. With the high background fear radiation in America, from Al Qaeda to the loner neighbor to cholesterol, the accumulating terror passes unnoticed as it rises, except when the news is flooded with a spectacular upstaging event, when things get really bad.

    --
    make install -not war

  71. help wanted ... by Anonymous Coward · · Score: 0

    bits and bytes ...
    less comment on how lax security is, more info on
    those "lame" script kiddy progis.

    anyone know a good link to some worm source code?

    LSASS.exe exploit code?

    anyone know what to do, if in bush land and bush
    fire approaching? i have some matches ...

  72. Cybersecurity experts my a$$. by SeaFox · · Score: 1

    I think the fact they bought all those Windows systems says enough about how much the Dept. of Homeland Security knows about Cybersecurity.

  73. Uncharacteristic error by the Administration by Anonymous Coward · · Score: 1, Funny
    See, the reason they keep losing cybersecurity chiefs is because they keep appointing people who understand the technology. If they would follow their usual practice of appointing some putz who is clueless about the technology but is politically well connected, they wouldn't be getting the resignations.

  74. They'd invade Cupertino by MooseByte · · Score: 1

    "Of course this regime would respond to a Digital Pearl Harbor by invading Mexico."

    To make the analogy complete, they'd invade Apple HQ and deride OSX's "lack of security" after an uberSasser++ attack on Windows.

    1. Re:They'd invade Cupertino by Anonymous Coward · · Score: 0
      To make the analogy complete, they'd invade Apple HQ and deride OSX's "lack of security" after an uberSasser++ attack on Windows.

      You miss the bit where they admit that they haven't yet been able to find any trace of uberSasser++ on a Mac yet, but the invas^H^H^H^H^Hliberation was still justified as it brought freedom upon the poor, primitive Mac users inflicted with cool, designer hardware and slick user-interfaces -- won't someone think of the children.

  75. some people call that ui improvements by Anonymous Coward · · Score: 0

    enough said.

  76. He did try for a year... by Anonymous Coward · · Score: 5, Informative

    Amit tried to do this right - he had some very good people and had a solid vision for what needed to be done to secure primarily the government networks. He is a very sharp person and his executive experience was a plus - he was not an empty suit or political appointee.

    Two key political issues:
    1) This office was expected to shift to the new intelligence chief that reports to the president as the recommendation from the 9/11 committee - new boss + new plan = waste of his first year as everything would start over...

    2) No clear authority in his position. As mentioned in the articles, he was too low in HS to get anything done in DC. Cybersecurity could recommend solutions, but could not force ANY of the government departments to coordinate systems / procedures / etc. and adopt best practice solutions. At this level of government, each fiefdom will do their own thing and the whole point of having a security chief is eliminated.

    1. Re:He did try for a year... by Anonymous Coward · · Score: 0

      You mean he had no idea how to get anything done in gov?? Or he had no clue what he was getting himself into?

    2. Re:He did try for a year... by justins · · Score: 1
      He is a very sharp person and his executive experience was a plus - he was not an empty suit or political appointee.

      I have nothing against the guy, but he was by definition a "political appointee," that's the job. Which isn't a pejorative.
      --
      Now before I get modded down, I be to remind whoever might read this that what I am saying is FACT. - bogaboga
  77. You see, -they don't want to know by Anonymous Coward · · Score: 0

    ...because if you know, or acknowledge, the threat, you'll have to do something.

    When a computer-fairly-illiterate starts to investigate, it is pretty soon obvious that even computer experts (quote an quote) don't really have a clue..

    Where would aunt Mary start out? What's your suggestion?

    Yeah, I can fix both my double overlying camshafts, as well as my firewall - but aunt Mary never wanted to know about either - that's why she didn't buy a computer til they showed up at Wal-Mart.

    Now, you tell her how to proceed...

  78. Maybe... by Izago909 · · Score: 1
    Maybe the job can't be done.
    Or maybe there is no incentive for higher authorities to give the resources to get the job done. After all, doing so would not pay off for the administration. There is more "profit" to be made by making people feel secure instead of going through the time and expense to actually make them safer. We are living in the age where the false sense of security is just as politically effective as providing functional security solutions, but the former costs much less.
  79. The average Joe does want to learn. by repetty · · Score: 1

    > The average Joe does want to learn.

    Maybe, but the average Shirley doesn't want to learn. Neither does the average Andrew or Amanda.

    And I just checked... The average Sasha definitely doesn't want to learn.

    If more young parents start naming their newborns "Joe" the whole world would be better off.

    --Richard

  80. organizational inability by Anonymous Coward · · Score: 1, Informative

    Yoran is the third cybersecurity chief in a row, after Richard Clarke and Howard Schmidt, to quit the Bush administration citing organizational inability to do his job

    As somebody who has worked for the .gov as a computer programmer several times over the years, I'd say that anybody who expects anything other than "organizational inability to do his job" has unrealistic expectations. My personal favorite example of how bad .gov can be is an organization that was preparing to make the move from dumb terminals to a PC based system and ordered PCs for the programmers to get started in the new software. A manager of one of the departments was so afraid (with good reason) that getting a more efficient system would reduce his headcount that when the PCs were delivered he signed for them with an unreadable signature, hid the computers in the back of a locked store room and spent several months saying "Computers? What computers?" And it has nothing to do with who's in the White House because the above example occurred in '94 when Clinton was in office.

  81. Why is it that by ch-chuck · · Score: 1

    5 years ago the public seemed to be whipped up to an irrational froth over Y2K (when everything electronical was going to fail and WE MUST DO SOMETHING), but now that there are continued risks of, say, accidentally publishing defense docs on p2p networks or being compromised by trojans, why are they suddenly stupid and complacent?

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  82. I don't blame him a bit! by Patchw0rk+F0g · · Score: 2, Interesting

    I have four different programs protecting my computer at the moment (admittedly, I'm using Windows 2k, due to software considerations), and I STILL have daily... nay, almost HOURLY notices that I've been breached at some point or another. At one point, I had to resort to almost 24 hours of purging to rid my system of unwanted, illicit, and interfering spyware in my system. Call it unwise surfing, but by my mind, the net should be as free as Yahoo or Google... but ever notice that Spybot blocks TONS of spyware on MSNBC? Hmmmmm.... Not seen any comments about THAT on here... Bill? You listening?

    --
    When the going gets weird, the weird turn pro. ~~ Hunter S. Thompson
  83. OT: your pictures by Anonymous Coward · · Score: 0

    Nice pictures.. Your sunset picture is my new desktop BG :)

  84. Re:I shouldn't have to care -then settle with less by Anonymous Coward · · Score: 0
    That's my point! PC's are waaay too complex for their most common uses. That we (the tech industry) have delivered machines that require so much care-and-feeding just for the O/S is a complete embarrassment. And to add insult to injury, we (the tech industry) often maintain the arrogant attitude of "well, if they're too stupid to use it, they don't deserve to read e-mail..." instead of saying to ourselves "you know, Joe-average shouldn't have to deal with all this crap just to access some basic communication services."

    Hear, hear!

    BUT the market is rigged, the playing field isn't level. There have been numerous attempts to market appliance-like personal computers, and they have failed. Mainly because the past 20 years have left the consumers with the impression that one glorious computer should serve every need: Office work, gaming and the Internet.

    • For office work, you of course have to use Microsoft Office, or you can not exchange documents with everybody else (yes you can, but people will easily fall for that piece of FUD).
    • For gaming, a Windows PC means the largest variety of available games. Besides, you don't have to buy another machine; you already bought an expensive machine to run Office, right?
    • Today's Office/Gaming/Home entertainment systems (i.e. PCs) already come with Internet Explorer installed. They are Internet-ready. No need to buy a dedicated box (although many families would have been better off if they did!)

    The expectation is that computers can install new software from Independent Software Vendors, easily! And now you can do that over the Net, too. Of course it is not trivial to make that secure. There is this thing called e-mail that can be used to send Joe Sixpack devious messages, enticing him to do stupid things.

  85. The reason for the results: by karniv0re · · Score: 1

    Malicious Code? What's that? Why, I remember when we used Morse Code back in Dubya-Dubya-Two. Never knew it could be malicious though. No tellin' what these terrorists will think of next. I use that AOI, or AOL. Never have too much trouble with it. Of course my grandkids use it more than I do. I like to get on there and play solitaire. I like that game. Ooh, time for Matlock!

  86. But what are the LIKELY consequences?! by MrNally · · Score: 1

    Here goes all my Karma.

    More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code.

    Those survey respondents might not have been able to estimate the odds on those things all that well, but I think they are actually answering a different question:

    How much do you worry about each of these things happening?

    Fact is, winning the lottery and getting hit by lightning have huge consequences compared to having your computer go down, especially if you're not in the Slashdot crowd!

    1. Re:But what are the LIKELY consequences?! by TheLink · · Score: 1

      "but I think they are actually answering a different question:"

      Nah.

      Where I live (in the tropics), the odds of my PC getting damaged by lightning are higher than my PC getting infected by a virus/worm. I run a reasonably secured system (I even test/view suspect/untrusted stuff/sites using vmware virtual machines).

      Here, thunderstorms are very very common (probably Florida is something like that).

      I have a UPS, lightning protection devices etc, but these are usually protection against lightning _induced_ surges. If there's a direct hit, it's probably "buy new hardware and restore from backups" time.

      There was a customer who sent in a modem and accessories for repair (back in the days where modems were expensive and worth repairing).

      When we looked at the lightning protection device sent along with the modem - the wires weren't there any more - there was just a black coating on the inside of the device's plastic box.

      Then I looked at the modem. The PCB had a bulge/bubble or two near the phone line input point. Colleague said - that's what happens when the PCB layers separate when getting zapped by lightning.

      Looking at the underside of the PCB, I noticed that some of the copper tracks weren't there any more. Looked at the modem casing and found where the copper tracks went - they were deposited on the inside of the casing as small little balls/droplets of copper!

      So I called the customer up and asked if everyone was OK. They said everyone was fine - the zap happened at night when nobody was around. But the PC the modem was attached to was dead, even the _mouse_ was dead, and the person jokingly (I think) said that they should sue us, coz our protection device didn't work.

      Thing is while the lightning protection device used was supplied by us, it was a lower end model for city/urban use. We supplied higher grade ones to the customer for use in the plantations where the modem was (and told them to use those in the plantations).

      Still not sure if things would have been much different if they had correctly used the higher grade (and more expensive) device. Maybe. This stuff needs a good ground too though - no ground = no alternative place for the lightning surge to go but through the equipment.
      --

      But if the PC users aren't living in the tropics then they're probably those stupid/ignorant ones helping to spread spam and worms.

      --
  87. The NCSA site didn't ask me what OS I was using. by crovira · · Score: 1

    Or what Browser. Or what mail program. Or which ports I had open on my router.

    I think I'm secure with Mac OSs and Linux & Mozilla & Mac's Mail.

    I know every snoop program that tries to load itself as an attachment. There's a load of shit out there, but they don't get automatically run because I'm smart and I don't run any software I don't have the source code for (except for Aqua.)

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  88. I took the "security test"... by scruffyMark · · Score: 4, Interesting
    It says I need to be more vigilant. Funny thing is, I'm employed in infosec. It's a pretty laughable survey - it pretty much assumes the worst, so the best you can do is slightly better than the worst.

    I guess the answers their scoring system didn't like were

    • I don't have antivirus software (when someone comes out with an OS X virus, maybe I'll think about it). Actually I lie - I just remembered I have clamav, although it's not integrated into the system - doesn't automatically do anything at all, I just use it to scan the odd "important message" email attachment. Ah well.
    • When I get unexpected attachments, I open them to see what they are. Of course, I don't double-click them; I run file, strings, maybe clamav, a text editor if it's written in a scripting language. What blows my mind is, people get infected by trojans that arrive as password protected zip files - I mean, even the malware is user-unfriendly and people still manage to get bit.
    • I use file sharing. I chose to interpret that liberally - I run sshd, and occasionally need to transfer files via sftp.
    • I don't disconnect the computer from the internet when I'm not using it - like I said, I run sshd.
    • I haven't made backups recently. I admit it, I'm a slacker in that regard.
    • I don't have the phone number of my cousin, the computer guru, next to the computer in case something weird happens. Right.
    • The security of my "Internet browser software" is not set to high - that one cracked me up. I mean, why pretend you don't mean IE? No other browser has that "low/medium/high" security interface.
    --

    What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
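
The static look at an unexpected attachment that the comment above describes (identify the type, pull out printable strings, never execute it), as an added Python example that is not part of the original post. It also flags password-protected ZIP members, the delivery trick the comment mentions; all function names and the sample bytes are constructed for illustration.

```python
import io
import re
import zipfile

# Well-known leading magic bytes for a few file types.
MAGIC = [
    (b"MZ", "Windows PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"%PDF", "PDF document"),
    (b"#!", "script with interpreter line"),
]
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def identify(data):
    """Rough stand-in for file(1): classify by content, never by file name."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown/data"


def printable_strings(data, min_len=6):
    """Rough stand-in for strings(1): runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def zip_findings(data):
    """Read the ZIP directory only (nothing is extracted or decrypted)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose flag bit 0 = encrypted
                findings.append(f"{info.filename}: password-protected member")
            if info.filename.lower().endswith(RISKY_EXT):
                findings.append(f"{info.filename}: executable extension")
    return findings


def triage(name, data):
    """Build a small report for one attachment without running it."""
    kind = identify(data)
    report = {"name": name, "type": kind, "findings": []}
    if kind == "ZIP archive":
        report["findings"] = zip_findings(data)
    elif kind.endswith("executable") and not name.lower().endswith(RISKY_EXT):
        report["findings"].append("executable content behind a non-executable name")
    report["strings"] = printable_strings(data)[:10]
    return report


def constructed_zip():
    """Constructed sample: ZIP with one member whose encryption flag is set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.scr", b"placeholder, not a real program")
    raw = bytearray(buf.getvalue())
    raw[6] |= 0x01                      # flags field of the local file header
    central = raw.find(b"PK\x01\x02")   # central directory entry
    raw[central + 8] |= 0x01            # flags field of that entry
    return bytes(raw)


def constructed_pe():
    """Constructed sample: just an MZ header and the usual DOS stub text."""
    return (b"MZ\x90\x00" + b"\x00" * 60
            + b"This program cannot be run in DOS mode.\r\n")


if __name__ == "__main__":
    for name, data in [("document.zip", constructed_zip()),
                       ("photo.jpg", constructed_pe())]:
        print(triage(name, data))
```
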

  89. Reasonable colors by Anonymous Coward · · Score: 0
  90. Re:If it is anything.... TROLL!?!?! I only wish! by AtariDatacenter · · Score: 1

    It's almost scary that someone has decided that my story was so outrageous that it was a troll! But things have gotten that insane.

    Using MySQL? Shut down its TCP/IP ports and make it use SSH to communicate instead! Your Oracle backups? Why can't you dump those locally and then SFTP them to a central server?

    You get the idea.

  91. RE: flip the power on and go? by King_TJ · · Score: 2, Interesting

    No, you're probably a bit spoiled by being a Mac user - but you're not wrong at all!

    As just one (of countless!) examples I run across in my line of work (on-site PC service), I was trying to help a guy out this afternoon who had spyware/virus problems crippling his Windows XP machine.

    He's no dummy either. He has a PhD in Physics, and works from home as an editor for college textbooks.

    This is about the 5th time in 6 months or so that I've had to help him fix these types of issues. Originally, he was running Windows ME on his Gateway Pentium 4 system, and viruses pretty much made the computer unusable. I spent the better part of an afternoon removing the viruses and all the spyware I could find - but a lone remaining virus was a "downloader trojan horse" and apparently re-downloaded and installed numerous virii after I left.

    After a second round of cleanup, I seemed to have it all fixed - but about a month later, it seems a few things got past his Symantec Personal Firewall and started causing tons of pop-up ads and other issues, so I was called out yet again!

    Finally, he just asked us to wipe the drive and start fresh. We did, and made sure to do every possible Windows update, install the latest ZoneAlarm firewall, etc. etc.

    So then, he decides to take the plunge and upgrade to Windows XP (since ME was a regularly crashing/blue-screening piece 'o junk anyway). We did that for him, and applied Service Pack 1 and everything else available at the time.

    Well, after a couple weeks, voila - more rampant spyware/virii problems! He already tried both SpyBot and Ad-Aware SE 1.05, the very latest AVG Anti-Virus updates, and more, yet he couldn't eliminate the problems - and it was hindering him from doing his work.

    I tried everything I could think of, including hours of manually deleting things. (XP likes to keep temporary files inside hidden sub-folders under the "Documents and Settings" directory, and I've found many viruses hide out in there, for example.) I got everything clean that I could find, and all the scanners report it clean, yet each time you launch Internet Explorer - it redirects you to some spyware/ad-ware web site and starts trying to install a bunch of garbage via Active-X!

    Nobody should have to go through all of this B.S. just to get some work done from home! This is a disgrace. This guy isn't even "surfing porn sites" or any of the stuff people like to point fingers and accuse people of if their PC gets infected....

    I've already suggested maybe he should make his next computer a Mac.... Several of his co-workers made the switch recently, already, and seem to be pleased. He's just concerned with the fact he owns so many PC only software packages and doesn't want to buy the same things over again to get a Mac native version....

  92. Infrastructure control computers, not PCs by siriuskase · · Score: 1

    I was thinking of computerized telephone switches and cellular systems. For good measure I was including the computers that control the routing of the internet. There are only a few companies that manufacture telephony control systems so they are highly standardized, you know one you can figure out the rest. Let's hope they remembered to change the passwords.

    --
    If you must moderate, please moderate as irrelevant, not something bad, because I'm sure someone will find this interest
  93. Re: flip the power on and go? by Anonymous Coward · · Score: 0

    Well, telling him to switch to Mac is a good idea, although I'd drop the "maybe" in favor of "definitely switch to a Mac, and do it RIGHT NOW. I don't care how new your PC is, it's not worth it -- especially if you depend on your computer for work."

    In the meantime, however, at least get rid of Internet Explorer and switch him to Firefox!

  94. Re: flip the power on and go? by stephanruby · · Score: 1
    "...yet each time you launch Internet Explorer - it redirects you to some spyware/ad-ware web site and starts trying to install a bunch of garbage via Active-X!"

    There is your problem. You're still using Internet Explorer!

    Install FireBird as his default browser and install ThunderBird as his default mail client. That, coupled with Ad-Aware, Spybot, and up-to-date firewall/antivirus software, should do the trick.

  95. Re: flip the power on and go? by Nurgled · · Score: 1

    ...and configure his normal user account to not have "Administrator access" and show him how to use "Run As..." to install software.

  96. Sophisticated. Cheap. Secure. by Tim+Browse · · Score: 1

    Pick two.

  97. The root cause of security problems by maximilln · · Score: 1

    Companies like Microsoft have been telling the public, for years and years and years, that it's perfectly okay to click that EULA because the program was definitely worth $200.

    There was a corporate brainwashing of the public before putting them online back in '95. That brainwashing conditioned people to WANT to be online, to feel safe and secure, to not mind every website asking them for their names, addresses, telephone numbers, credit card numbers, favorite pet's name, mother's maiden name, social security numbers, and all other data. People were made to feel comfortable using computers for a profit motive and there was ZERO attention paid to security aspects because any aversion to happily plunking their lives into the computer would have been detrimental to the profit margin. That brainwashing hasn't worn off and, with the online economy (still) fueling a large portion of the Wall Street bubble, probably never will.

    --
    +++ATHZ 99:5:80
  98. Why is it? by karb · · Score: 1
    When government types warn of a digital Pearl Harbor, it's because they're idiots who don't understand technology.

    But when government types don't pay enough attention to cyber security ... it's because they're idiots who don't understand technology.

    It drives me nuts trying to figure out how so many slashdot geeks can be anti-state and liberal. It must just be an even stronger sense of self-loathing.

    --

    Jack Valenti and the MPAA are to technology as the Boston strangler is to the woman home alone

  99. Union Carbide in Bhopal wasn't attacked. by Anonymous Coward · · Score: 0

    Do you have information to the contrary?
    If not, then don't try to relate that incident to security matters.

  100. RE: FireFox, etc. by King_TJ · · Score: 1

    I already considered the FireFox browser, and it would indeed solve many of the issues. But it creates a slew of new ones. Some of the projects he's paid to work on for his employer include web-based tutorials using custom plug-ins and some fairly advanced code. They're "designed for IE 6", and don't always work quite right in FireFox.

    I have FireFox on my own PC, and I've certainly found at least a handful of web sites that misbehave with it, forcing me to switch to IE now and then. It's a great web browser, but it's not 100% perfect either....

  101. Re: FireFox, etc. by stephanruby · · Score: 1

    Then make him switch browsers when he needs to. IE is not perfect either. Aside from security, FireFox is a lot easier when the print is too small for those of us who are over 30.