Microsoft's Vigilante Investigation of Zombies
Morgalyn writes "According to an article at Information Week, Microsoft has decided to fight zombie-launched spam in their own way. In conjunction with the FTC and consumer rights groups, Microsoft set up a clean computer and then infected it. They monitored the 'zombie' over the course of 20 days - 'In those 20 days, this one computer received 5 million connection requests from spammers, and sent 18 million spam messages'. This whole operation has led to the (partial) identification of 13 different spamming groups, some of which reside in the US and may be prosecuted under the CAN-SPAM act."
Microsoft should just have Steve Ballmer fucking kill them.
Not a moment too soon! With Halloween on Monday and everything, this comes at a perfect time to save my brain. I'll still lock my doors though.
Clones are people two.
"Microsoft set up a clean computer and then infected it."
So they switched it on and connected it to the net?
---- There are 10 types of people in the world. Those that understand binary and those that don't
How is this fighting this in their own way? Don't lots of other orgs do this same thing...? Don't they also fight spammers in other ways too? And also, if they're doing this in conjunction with a whole bunch of other people... how is this their own way? :P
There are lives at stake here!
Come on everybody together now! WE HATE SPAM! Geeze... this is only going to get worse before it gets better... and it's been getting worse for 10 years...
Schrodinger's cat- A cat is put in a sealed box. Attached to which is a radioactive nucleus and a canister of poison gas
Since when is setting up a honeypot considered "Vigilante"?
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
If they are working with the FCC, why would it be considered 'vigilante'?
That's like considering a car company working with a police forensics department to determine why a car did what it did 'vigilante'.
It takes 20 days to collect data which may be used to convict the scumbags, but it takes years for Microsoft to realize there was a problem and do something about it. To be fair, this should be law enforcement, but someone has to file those John Does in a complaint.
"At the same press conference, Dan Salsburg, the assistant director of the FTC's Bureau of Consumer Protection, urged all computer users to do their part to stymie zombies. "The FTC is taking aggressive steps to stop zombies and protect consumers, but consumers also need to insure that zombies aren't on their computers," Salsburg said."
I'm sure they're shuffling paper like they've never quite shuffled before.
I just don't want to see, a couple years from now, Microsoft being awarded patents on the invention of the Honeypot.
A feeling of having made the same mistake before: Deja Foobar
... to catch a spammer?
So MS is sending me spam now and can get away with and get positive credit for doing so?
Maybe this is part of the upcoming movie Green Arrow Begins.
A feeling of having made the same mistake before: Deja Foobar
Ok, raise your hand, who thinks there's more than 1 infected windows machine on the Redmond campus?
So I guess, Microsoft being above the law, it's OK when they do that. The end justifies the means, after all.
I'm an American. I love this country and the freedoms that we used to have.
So they admit to knowingly violating the law 18 Million times!!!!!
No, quite the opposite, they patched it.
So MS sends 18 million spam messages (presumably to you and I) and that is called research?
Something that intrigues me is: Why hasn't anyone in law enforcement done this? If they already have, why is anyone listening to MS? Why is this news?
If law enforcement agencies are not doing this, I want them fired... well, that might be a knee-jerk reaction, but hellsbells, this is just plain common sense?
Support NYCountryLawyer RIAA vs People
"some of which reside in the US and may be prosecuted under the CAN-SPAM act."
Come on. We all know the only way to deal with zombies is massive head trauma.
From article:
"In those 20 days, this one computer received 5 million connection requests from spammers, and sent 18 million spam messages," said Cranton.
That amount of data was impossible to analyze, so..."
So, seems 18 million records is too much for poor little SQL Server, hmm? I bet Oracle could help, or maybe MySQL/PostgreSQL.
I've always wanted a reason to say that.
Microsoft has decided to fight zombie-launched spam in their own way.
Boom! Head shot!
One of the many ways MS infects their own stuff. heheh
/. in under 3 minutes.
/. picks their stories.
This story was rejected by
Newest MS Critical Update protects XP from own users.
news.com is reporting that a new Microsoft Critical update that was "released Tuesday to fix four Windows flaws, including one that experts predict will be exploited by a worm in the coming days", may also inadvertently protect PC's from their own users.
According to the article: " Installing the patch can cause serious problems, Microsoft said in an advisory posted to its Web site Friday. The patch could lock users out of their PC, prevent the Windows Firewall from starting, block certain applications from running or installing, and empty the network connections folder, among other things, the software maker said."
But there is assurance in the article: "Even if users experience PC trouble after installing the patch, they will still be protected against any attack exploiting the Windows flaw". What they fail to tell you is that your PC is now also protected from you being able to log in. If this is the result of stuff they know about, how reliable are their predictions about upcoming worms? (Maybe they are the ones releasing the worm)
This type of protection is much easier to do in Linux, nothing to install, just log in as root and type rm -rf /
----
I still can't figure out how
Maybe they looked at it and rejected it because, it has proper grammar and spelling, is timely, and is not a dupe. Maybe I should start submitting stories in l33t sp34k.
I read Slashdot for the headlines, because the headlines, unlike the articles, are usually original and never duplicated
some of which reside in the US and may be prosecuted under the CAN-SPAM act.
I'd think there were more serious charges. Did the e-mail have forged headers? Does that make it wire fraud? Is unauthorized use of one's computers not a major crime?
Zombies are entirely different from a company putting you on its mailing list without your consent. These people aren't annoying marketers, they're criminals.
________________________________________________
suwain_2
Okay, aside from issues of "entrapment", why hasn't anyone with any legal authority done this?
It isn't like it would even be difficult to do. You wouldn't even need to set up your own machine. You could find any one of the hundreds of thousands of existing zombies out there just by asking your email admin to get you the IP addresses.
If you do this for a couple dozen boxes (it shouldn't be that difficult to find people who would cooperate) you can get a LOT more info than with just one box.
US 'bot net "admins" should be a dead breed by now. We're talking money. Even if they do nothing to really fix the problem of easily owned machines, they can bust the new "admins" every few months and rake in the money in fines and confiscated property.
... rather than the honeynet project who have better tools, and far more experience at this sort of thing?
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
I haven't seen anywhere in the anti-spam laws that says you have a positive duty to stop spam. There doesn't seem to be any criminal culpability for getting a system hacked. The person doing the hacking and spamming is in trouble, but not the person that it happened to.
If I'm incorrect on this, please point out the relevant part of the law.
"and sent 18 million spam messages."
So does this mean Microsoft spent time aiding spammers in their spamming? Can't they get in trouble for that?
Well, if they actually *let* the spam be sent then I'd call them irresponsible and wouldn't cut them *any* slack. But if they trap it, then yes this is a good thing.
"Ignorance more frequently begets confidence than does knowledge"
- Charles Darwin
On the other hand imagine Paperclip... It looks like you're trying to fight off a zombie attack. Would you like me to (A) Shoot some of them in the head (B) Open the main gates and let some more in?
New meaning to Blue Screen of Death.
I've hit Karma 50 and gotten a Score:5, Troll... I win!
There is no redress for grievances to or for corporations; remedy is legislated, and it is known that the remedy even recently has degraded to CAN SPAM ACT. Before CAN SPAM ACT, all that was necessary is to acknowledge the source of the transmission and send the owner a bill for purchasing the value-added resale of available communication services. It isn't so easy for a man (either male or female); to enumerate the trespass of another in terms of billing to the use of a communications line for said data transfer, as an intended interference to a station, and further as deceptive commercial delivery of speech; the remedy would be limited to only those people acting on behalf or employed by the corporation and not the corporation. Reason being is the truth that flesh and blood, living people, can only challenge same; whereas any redress to a corporation would presume the complaint to be of a fellow corporation. Law of Nations clears up the difference between politic and corporate, and I hope everyone gets their copy certified from Project Gutenberg so they know that there are two nations, one America and the other the United States, there are American states and there are United States states, then there are the corporations chartered by their respective states. A challenge to a corporation could be transgressed by Return Service to a misnomer, or a presumption that the complaint is derived of a person in a contract with collateral to the services rendered, et al; no different than a libel of review. Abatement would clear this up, but a UNITED STATES judge or magistrate would need some coaxing as to why we believe people are more special than some fool stealing your resources for use by a UNITED STATES regulated corporation.
:-)
On a somewhat off-topic note, concerning commercial speech transmitted over FCC regulated communications lines, copper or wireless, a friend and I were discussing the circular reasoning involved with the FEDERAL COMMUNICATIONS COMMISSION for licensing; regarding their license demands that no codified transmission may emit from a FCC-licensed station, yet the study course is more FCC codes (regulations) as opposed to actual electrical theory and law. In other words, a demand to subscribe to a FCC license would itself prohibit use under the FCC license. Could this be a loophole regarding the first amendment, if enough pressure is exerted for the people to make unhindered use of services contracted, to prevent a contract stipulation to coerce agreement by reference or partial inclusion of an unrevealed contract (think FCC)? At the very least, I know that Part 15 of the FCC code is honest about my use of a cable-cutter on copper wire.
Just trying to stimulate.
without prejudice
[Fuck Beta]
o0t!
Or we could, I suppose, get mad at the people who developed SMTP, a system so insecure in and as of itself that anyone can pretend to be anyone else and get away with it.
Of course, that was done in a kinder, gentler time when "spam" was unknown, so I guess they can be forgiven. Then again, much of the Windows code was created long before the terms "DoS" or "buffer overflow attack" came into existence.
Naw. Much easier to hate MS. Somehow, they should have known better...
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
...I wondered why my gmail inbox had 18million new spams...
A couple friends and I set up a computer to measure our own security practices for hosting our own website before brining it online and live and then continually tried hacking into it. One night after we had connected it to the Internet while we were attempting access, someone else gained access through a hole we hadn't patched and turned our machine into a zombie. We set up a bunch of monitoring software and watched it. It attempted, or rather participated in, three DDoS attacks on various websites, it was continually resending received SPAM messages, and was accessed an average of about 40 times a second from all over the Internet. We watched it for a few days and then blew off our install and started over fresh, and by the way we patched the hole before putting it online again. We continued to hack at it for a few weeks and then left it. It was compromised again about a month later, but was never used as vigorously as the first time we brought it online. Is there anywhere that you know of that the log files (all backed up on a separate machine) would be sent that could be useful to humanity to stop these folks from spamming? The data and IP's are over a year old at best but it may still be helpful.
Generation Trance: What generation are you?
How is this fighting this in their own way? Don't lots of other orgs do this same thing...?
Well, it's their own way in that other organizations are not so irresponsible as to allow the machine to send 18 million &#$% spam messages while they ooh and aahh over their creation. Microsoft "embraces and extends" yet again...
From The Fine Article:
"In those 20 days, this one computer received 5 million connection requests from spammers, and sent 18 million spam messages," said Cranton.
That amount of data was impossible to analyze, so Microsoft focused on the three most-active spamming days, when 470,00 connection requests were made of the PC, and about 1.8 million messages were sent through it.
How nice: they allowed 18M junk messages to go through, but could be bothered to look at only 10% of the data. Unbelievable.
I want to drag this out as long as possible. Bring me my protractor.
We tried to analyze our monthly router logs with Access this week, and it died at 4 million records... Back to pgsql...
be doing some of this?
Microsoft is going through the courts and the criminal justice system. In neither case is there vigilantism involved, just vigilance.
Time is Nature's way of keeping everything from happening at once... the bitch.
And on the flip side, they're also vilified if they fail to deliver "fast" and "timely" patches to problems.
And of course, somehow we're supposed to have our cake, and eat it too...
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
Let's get together and file for patents on the SPAM process. Then we need to file papers on creating an OS that enables the above process. Then we need to patent the process of patenting the above.
Generation Trance: What generation are you?
This has been a huge problem for longer than the past year, what took Microsoft or even the FCC so long to investigate? The investigation wasn't exactly rocket science, they set up a zombie and watched it take connections.
...moreso when they're working with a government agency. They aren't vigilantes! They're free-lance mercenaries!
The irony is, Spamming has been a serious center of creativity and innovation. Just the sort of thing Patent Law is there to protect.
A feeling of having made the same mistake before: Deja Foobar
How long do you think it would take for your car to be stolen if you left it parked in the worst area of Tijuana with the windows down and the engine running?
My amazing wife - Artist, Author, Philosopher - Laurie M
Is it just me or does it seem like everyone's trying to jump on the "popular topic" bandwagon? Notice how the first half of the page is full of replies saying Microsoft's actions aren't "vigilante", then the second half is full of replies about why Microsoft should be able to get away with sending 18 million spam emails. It seems interesting to me that if people are posting their own thoughts (and not just copying someone else's thoughts that they liked) that the two different topics aren't more evenly dispersed throughout the page. Maybe it's just me.
This is great because when people complain about infected PCs Microsoft can just claim they are part of a test to get rid of spam. I think most people would be more inclined to admit to clubbing baby seals than interfering with anti-spam research.
I Am My Own Worst Enemy
I paid my union dues on time.
The world according to SComps
Of course, they do have SEVERAL BILLION DOLLARS that they could spend on each patch!
while (sig==sig) sig=!sig;
That NONE of them read /. :D GO
I'd be amazed if it lasted 30 seconds.
:P.
When you get right down to it, cars are shitty in reliability compared to software. Off the top of my head, here are some major problems my car has, at least when looked at from a software standpoint:
1) My car is very vulnerable to break ins. You can smash a window, jimmy the locks and so on. It's easy, requires no knowledge to do.
2) My car doesn't deal with faulty input. If I set it in neutral and floor it, the engine will overheat and seize up. There's no system to deal with faulty operation like that.
3) My car has problems with user error. If I drive it in to a wall on accident, it'll stop functioning. Same if a user of another car makes a mistake and hits it.
Worse yet, the manufacturer will not fix ANY of these faults, even for a price. Even worse they KNEW about ALL of them when they sold the car.
Now compare that to software where we expect that it be essentially faultless and when a fault is found, that it be fixed quickly and for free.
Something tells me that if someone put a brick through your window, it would be them that you wanted busted, not the maker of your car. Yet if someone hacks your OS, you are mad at the OS maker, not that hacker.
Only on Slashdot
Oh. They set up a computer and watched how it could be exploited and went after the people doing the exploiting. Now that seems like a smart way to handle the problem. If it was my product then I would consider actually closing the holes that allow spammers to exploit Windows to be the best solution. But hell, what do I know?
9/11: Never forget it was a false-flag operation
If you can't beat them, join them. =)
a) Why did they allow it to actually send out 18 million friggin spams instead of redirecting those to /dev/null?
b) Did it scare them how easily the system was compromised? Yes, the article says "they infected it". I'm sure they didn't, they put windos on it and let it run for a while.
c) Will the spammers get off easily because of entrapment?
d) Who is putting pressure on M$ to be suddenly so interested in spam after they ignored the problem completely for years? Something big is happening behind the scenes - M$ doesn't usually do things just to look good. There's either money to be made or a monopoly position to defend.
Assorted stuff I do sometimes: Lemuria.org
vigilante zombies investigate YOU
Please sign petition to restore sanity to our banking system!!!
http://financialpetition.org/
Costume 1: Guy disguises himself as a zombie and puts on a cardboard monitor. Here instead of "brainssssssss" he should say: "mailssssssssssss"
:)
Costume 2: A fat guy carrying a chair, with a Google T-Shirt (and the handwritten letters above: "I'll F**ing Kill"). Obviously his secondary target would be the guy wearing costume 1.
Now the following may be off-topic, but what the heck, I got started!
Costume 3: Just put on a Bill Gates mask, and wear a Microsoft T-Shirt. And instead of "Trick or treat", you say: "End User License Agreement".
Costume 4: Disguise yourself as a Lawyer and stick the logos of BMG, Sony, Time Warner (did I miss any?) on the back. Instead of "Trick or treat", say "Court or Settlement"
Costume 5: Disguise yourself as Zombie, but instead of wearing the cardboard monitor, just put an AOL sticker on your shirt. You're an official "AOL user". Instead of moaning "brainssss" you'll say: "Me, tooooo!"
Costume 6: Disguise yourself as a monitor, and paint the front in blue.
Costume 7: Paint your face black and buy fake jewelry. Pretend you're the relative of a Nigerian prince who just died.
Ah, Microsoft: for a company returning net profits well north of $30 million per day, you'd think the poor lambs might be able to afford more than a single computer. Perhaps the news that these here "zombies" exist and are used to send this strange stuff called "spam" came as a terrific shock. Agree with another poster: this comes over as a publicity stunt. One wonders if they even paid for the computer.
Perhaps it's time for a name and shame campaign on spam with the big IT companies. How much is each of them spending on combating spam and taking down spammers? I'll bet it's not nearly as much as they'd like us all to think.
Las qué passoun
tournoun pas maï
No one has been doing this already?
Isn't this elementary?
No! It's a *SIG*. Keep the Special Interest Groups away! (Con joke!)
Though the Information Week article didn't mention this, an article at another site makes it clear that Microsoft blocked the outgoing spam messages during their honeypot experiment.
"Hello there! Looks like you're trying to run a party!"
How can this be called 'vigilante'? If I go arrest and beat up the guy that stole my car - then I am a vigilante. If I know who did it and report him, then I am being a good citizen. I despise M$ as much as the next nerd, but this is reaching a bit...
Sig? We don't need no stinking sig....
Well, there's their sourcesafe server for a start - that's riddled with malware.
/* This sig is disabled. Press CTRL-W to enable. Thankyou */
The only thing about "entrapment" that I can see is infecting the computer in the first place.
It comes down to whether the cops/feds took any action on their own to connect that box to that 'bot-net.
Which is why I would prefer the "clean hands" version of simply picking a few dozen boxes that are already infected. This is all about making the case as solid and complete as possible with no way for the "admin" to weasel out on technicalities.
And if any of the cops/feds are interested in a long list of IP addresses that are 99% likely to be zombies, I can provide them. Hundreds of them. With data going back months.
I will give $10,000 to charity if someone creates a game where Steve Ballmer goes on a rampage killing hundreds of spammers with his deadly bloody chair (as the default weapon), and in Quake 3 Arena fashion to also have a key bound to various choice quotes uttered by Mr. Ballmer like "I will fucking bury that guy" and an animation of Mr. Ballmer's model pointing in front of him to go along with those utterances.
(Disclaimer: I won't really donate the money because I'm a poor college student)
Well no matter what, at least I have enough guts to post under my username.
I read Slashdot for the headlines, because the headlines, unlike the articles, are usually original and never duplicated
You forgot "brining it online." I don't think a computer filled with salt water would be very useful, and I don't understand why it was necessary to brine it online. You'd think it would be easier to brine it at the beach.
Wonder why they don't spend their time and energy fixing the problem in the first place?
If your house is insecure and you keep getting robbed you can do two things.
1) Go after the people who robbed you. -- Great.
2) Secure your house so people can't rob you -- Even better.
They just knocked off a bunch of the dumber spammers. The world is a better place! But... now the surviving ones will realize that maybe it's not such a hot idea to connect directly to their zombies... better to get a zombie to connect to the zombie! Sure, you have to make a few connections to your zombie network to get things moving, but the chances of hitting a honey pot are pretty low, and even if you do, who's got time to investigate a thousand zombie machines to find one actual spammer (who could just say his machine was taken over as well)?
now THAT'S innovation!
if this is supposed to be a new economy, how come they still want my old fashioned money?
But unusual? I kinda doubt it.
Infuriate left and right
millions of bricks thrown at Apple and Linux. i think not. nobody bothers to hack these systems b/c they represent a fraction of the installed base.
:not as witty as it could be:
I don't think a computer filled with salt water would be very useful
Depends. If it was previously running WinME, it may be a marked improvement.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
I hadn't heard of the Fed's new cyber safety website before this article. It's an interesting attempt for the average user- should be educating to see how it develops over the next few months.
J
"Then again, much of the Windows code was created long before the terms "DoS" or "buffer overflow attack" came into existence."
Really?
Buffer overflow attacks have been known for well over 20 years, and while DoS is new, the concepts are not new. If you can still get your hands on it, take a look at the source of FWTK, written by Marcus Ranum (http://www.dreamwvr.com/fwtk.org/fwtk/docs/documentation.html) for an example of people have known how to write defensive code for a long time.
Now, I think there is a grain of truth to the idea that MS is most attacked because 90% of the computers run Windows. However, the codebase of Windows XP is from the 21st century, particularly since they've released SP2 in the last year, which contained significant upgrades to all of Windows.
Especially since this was written after the time that MS announced (http://www.microsoft.com/presspass/features/2002/feb02/02-20mundieqa.mspx) they were looking at all their old code to focus on security.
So all things considered, either MS fibbed about reviewing all the code to make it more secure, or they don't know how to do it very well. The idea that attacks on code are something that have only come about since the AOL moved to the internet seems a bit misguided.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
I am somewhat antimicrosoft, but I fail to see why this is called "vigilante". Microsoft is working openly with the FTC. They set up their own computer, it got infected and they are investigating unauthorized connections to it. As a security professional I applaud their efforts. This is no different than any one of you making a honeypot and checking the damage.
Yay MS! Now, make Stevie B kill them (as other posters suggested:-)
I think you're probably wrong on your first account. It's true that cars have rev limiters to prevent the air/fuel ratio from becoming too lean (i.e. injectors are at maxed capacity) to prevent mechanical damage (valve float) and another thing as if those too weren't bad enough, to prevent it from going outside its efficient operating range. What remains to question however is if the motor operating at full speed under no load has a higher thermal load than it operating at a moderate speed under heavy load. Even if that in itself isn't enough to cause your car to stop functioning the fact that you are operating the engine under very stressful conditions for a long period of time will increase your chance of damage to the motor.
In fact, given a long enough time span, they will all break down. This shouldn't be unexpected, all motors will eventually be so far beyond their mechanical tolerances or had a 'catastrophic' failure that they cease to run. It just stands to reason that if operation alone is a prime motivator for deterioration of an engine and other components of the vehicle, operation under extreme conditions is only moreso. Again we can note that there are many other factors that may affect the engine's lifespan which are not dependant on operation.
Regardless, the analogy is terrible. Both situations are completely unique relative to each other and the vehicle 'problems' he poses are rather intractable economically with current technologies. A more analogous situation would be the user flipping the 240 switch on the back and powering on his system. Barring an auto-sensing power supply (I hear they are mandatory in Europe, guess they're just too dumb to figure it out; note: sarcasm) no software will save that pc. One could argue that collision evasion is actually a software problem, but, this is not relevant as car manufacturing and design [for the most part] are not.
Ahh but that's not the case. Regardless of if it's because of inherent flaws or simple popularity, Windows has by far the most people trying exploits against it every day. It is getting by far the most bricks thrown at it. As for Linux, well great, I'm glad you haven't gotten hacked. Wish I could say the same of the Linux boxes at work. We have a Linux box get owned at least once every 3 months. Yes, it's a moron administering it, if you were wondering.
But of course, there's the real trick, isn't it? Windows doesn't have to get hacked. I've had a Windows webserver up, with a for-the-public website since late 2002. It was Windows 2000 until just recently, now Windows 2003. Number of times hacked or in any way compromised? Zero. Hell I wasn't even great about patching it. So what gives? Simple: Put a firewall up to block unnecessary ports, use the IIS lockdown tool (separate program from MS for 2k, part of 2k3) to secure IIS against any overflows (it ensures URLs are properly formatted and only with approved extensions before passing them on).
So with software, what it really comes down to is you need to secure it. Windows had a very open by default policy. This was bad, security wise, but good newbie wise. Linux is just the opposite, lock everything down and make you figure out how to enable it. Neither is invalid, though open by default is pretty naive. Then again, that's how most people run their networks. Really all networks should have a firewall on the edge with a default deny on inbound yet few do.
So really MS provides software that's plenty secure, their latest offerings are really good. Take 2003 or XP with the latest service pack and the firewall turned on and, well, nothing is getting in since the firewall is deny by default for inbound traffic. All you really need to do is what you do for any software: Keep it updated, lock down that which isn't needed, enforce good security policies.
I do all that with my car, and some assholes still tried to steal it (they failed, but did $500 of damage to it in the process).
that we go out and start shooting spammers? Why that's just...just...
I'll go get my gun. YEEHAW!
If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
Because the infected computer usually has to contact the IRC channel and report in that it is infected and available.
There is no equivalent for stealing a car because the car does not call you up and tell you that it is sitting at the corner of Pike and 5th with a broken window and no car alarm.
Which is why the issue of entrapment comes up.
Most drivers are required to take a test to determine their competency. Drivers Ed is available across the US and required for minors in most if not all states.
It would be interesting to see the same for computers. Everyone seems to know that a car needs an oil change every x miles but too few seem to know that you need anti-virus and anti-spyware installed on your computer for safe operation. Perhaps seatbelts would be a better analogy.
While I think it's generally agreed that software could be safer, I think it goes just as well to say that users could be generally more educated. The problem is that software venders advertise their products as being safe all in-one products and come decorated with a "no experience necessary" sticker on the box. I think software venders could do more to educate the masses. Cars come with an owner's manual; computers come with a user agreement.
I want this account deleted.
Not exactly... the brick throwers don't bother wasting their time with the Apple sports car or the Linux dune buggy. They are vulnerable... no system is secure. The attack is designed to destroy the Windows grocery getter because that's most (~85%-90%) of what is on the road and there's money (big money when you talk about adware) in doing so. Basically they get more hack for their buck. If this were an Apple or Linux world, I would imagine they would suffer similar problems.
If that were true my non Windows systems should never get a hack attempt which is not the case. If I were to stop patching my non Windows systems today they would eventually get owned so it's not as if they are bullet proof. My Linux web servers in particular get regular probes by hackers (or is it crackers?) and so does my OS.X system. Admittedly many of these probes are Windows specific but there is still a significant number of serious Unix/Linux/OS.X specific attempts so it's not as if 99.5% of the effort is directed at Windows as you are claiming. The greater quantity of Windows specific hacks out there is not solely due to the smaller install base of non Windows systems, although that is a factor, but also due to the traditionally sucky native security setup on Windows systems (it has improved lately). Windows owes a lot of its market share to the fact that it was marketed as a system that could be administrated by semi skilled (and thus less expensive) personnel and in order to achieve this, security was sacrificed. Efforts to harden Windows notwithstanding Microsoft is still dealing with the consequences of that legacy. It is certainly true that apart from hard-core crackers most of the vermin out there (which is mostly cracking computers for money and not for fun) don't bother with Linux/Unix/and OS.X machines because there are fewer of them but it also has to do with the fact that Windows machines are still simply that much more easy to crack.
Only to idiots, are orders laws.
-- Henning von Tresckow
Something tells me that if someone put a brick through your window, it would be them that you wanted busted, not the maker of your car. Yet if someone hacks your OS, you are mad at the OS maker, not that hacker.
A delightful analogy but totally and absolutely bogus.
Just activate your cerebrum for a few minutes.
Is it reasonable to expect a car to be resistant to efforts to break into it with a brick? Clearly not, for your typical family vehicle. No reasonable person would think so.
Is it reasonable to expect a computer to be connected to the Internet, and for its user to perform simple tasks such as surfing the net, without being infected? Clearly it is, and any reasonable person who is not an apologist for the pathetically lacking security of MS (and quite a few other) products would think so.
It is just stupid to lay all the blame on the people who do the hacking. Sure they're bozos and criminals. But how in god's name does the world's largest software company, with virtually unlimited resources, get away for so long with producing software so flakey that infection is just a matter of time if you dare to connect your machine to the Internet?
Anyone with knowledge of computer systems outside the MS world should be aware that it is possible to create software that is highly resistant to attack via the network. It's hard - very hard - to make it 100% foolproof, but it's easy - very easy - to do one hell of a lot better than MS has done.
The people at MS are as smart as anyone but the total focus on making things easy over making them safe ties their hands. As a result millions of people have become trained to think that it is actually reasonable to pay hundreds of dollars out on anti-virus and other "security" software
[x] auto-moderate all posts by this user as insightful
The answer to your facetious analogy is, of course, that software is not the same as cars.
It's very similar -- I might argue that computer hardware is close to a car -- but it's not quite the same, as free market mechanics demonstrate.
If you provide buggy and unreliable software, people will use other software. People are willing and able to invest in new software, so they do; as a result, there's usually strong pressure on software developers to fix bugs. (When software costs no money but only time, a different dynamic emerges.)
Of course, if you disrupt the free market in some way - for instance if you gain monopoly power - your monopoly power makes it less likely that people can change vendors, and consequently less probable that you'll focus on free-market distinguishing features like customer service, software updates, or bug fixes.
For a practical example, consider Quark & Adobe. QuarkXPress didn't really improve from v4 to v6, during the period when Quark was the de facto choice for software. Once InDesign came onto the scene, real competition emerged again and computer-aided publishing began to improve again.
You can't make a useful assessment of what "should" or "shouldn't" be fixed or implemented. You can, however, look at what does happen. Pragmatically, most insecure software gets fixed because if it doesn't, demand (users) will go elsewhere. The fact that it hasn't happened with Windows says something striking about monopoly power.
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
ok, let's think about this for a minute - 18 million email is too difficult to analyze
the folks that supposedly wrote the freaking OPERATING SYSTEM can't even whip up a few scripts to analyze 18 million msgs?
the suits who employ the folks that supposedly wrote the freaking OPERATING SYSTEM can't be BOTHERED to hire a geek (or two) capable of whipping up a few scripts to analyze 18 million msgs?
no WONDER windows security is non-existent...
But that wouldn't occur to them, would it? Wouldn't take too long. Either to write or to run.
Bullshit. Put an unpatched linux box on the net for a while. You'll see.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Nuff said?
They decided to use a Mac or boot off of a Linux machine instead! :)
Bet that definitely got some laughs out of their brass -- the thought of infecting a Linux or Mac with spam. LOL
And what does connecting it to the net have to do with the infection? Once you install XP, you're doomed. Period.
Free Software: Like love, it grows best when given away.
Microsoft set up a "clean" PC, then infected it with malicious code commonly used by attackers to turn a computer into a zombie.
There is a wide interpretation with a lot of questions about this statement. By "clean" machine, I assumed that Microsoft has a current copy of Windows and it is fully patched. So did they manually put a virii on their computer locally or did they infect it remotely through a network using an unclean machine? The second part would mean that a fully patched Windows machine would not protect jack. Notice that they did not go into a lot of detail about that? Hmmmm...
Coderz 4 Life
But obviously Microsoft is giving these guys the razzberry, and also the blackberry and the olallieberry while they're at it. (The other Washington has the MarionBerry....)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
But why Borg vs. Zombies is important is that they have the resources to get a bunch of lawyers to build a sufficiently large lawsuit to hunt down the spammers across jurisdictions, and sue them where it's legally possible.
And because they're MSN, the big ISP, they can make a strong case that zombies are costing them lots of money, and can get the spammers' ISPs to listen to them in ways that smaller non-ISP players usually can't.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Zombie Walks in Seattle - Boingboing seems to be a hotbed of articles on upcoming zombie mob activity and pointers to pictures of the events afterwards:
Vancouver Pictures San Francisco.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
OK, you've got me there :)
Somebody please mod parent up, that made me laugh out loud.
A very bizarre thing for Microsoft to do. They just bought Frontbridge, a spam blocking service. Now, they are going after a major number of spammers to, if I get this straight, stop them, thereby lessening the need (and I mean maybe a .01% lessen) for their brand new service to block spam.
A 9.2 on the 'hey I'm bored lets do something fun' scale but minus several hundred on the 'how will this affect our other businesses' scale.
Why do overlook and oversee mean opposite things?
The market share argument is BS FUD. Always has been. Always will be. Microsoft just doesn't have a corporate culture that encourages good coding practices over eye candy and feature bloat.
No, cruel and unusual would be making the person run Windows ME and Bob.
Fight Spammers!
Go ahead and write a script to reverse DNS and calculate routes for 18 million messages and see if you can complete processing it in a few years.
BTW, Microsoft finally figured out the criminal masterminds behind it included Google, Apple, Linus Torvalds, and Larry Ellison...
The guy I was replying to was saying nobody would stand for a car that does X, why stand for software. My point was that if you want to compare them, then the car sucks. They aren't the same thing.
he has his logic and he wrote what he wrote while he was awake,...
... now fix it") versus a reasonable complaint like "I installed Windows XP and within minutes of being on the internet (while waiting for patches to download perhaps), I was infected with a WORM. Ever since vulnerabilities are found in my system every few weeks or so".
"Wake up to yourself" is a figure of speech. I don't literally mean that he is not awake. I could have said, "wake up and smell the shit you are shoveling". He is not awake to how wrong he is.
and if you had his logic, why would you write anything else,... unless you had different initial assumptions... [and i'm guessin' that's the big difference before and after anything resembling logic]
Logic does not have to be correct. It can be flawed and his is.
or am i missing something,... again?
He is making fun of some of the crazy statements which get written here, yet the particular statement he is poking fun at is based on reasonable logic, which he is debunking with some very flawed logic and ridiculous extension to a silly analogy.
The two do not mesh.
1) My car is very vulnerable to break ins. You can smash a window, jimmy the locks and so on. It's easy, requires no knowledge to do.
Physical security being compared with logical security. If you want a car that can sustain such brute force physical attacks, then you need to spend more money on an armored car or something like a BMW Protection. To do the same for a computer, you should be spending more on physically locking it up securely with good locks.
2) My car doesn't deal with faulty input. If I set it in neutral and floor it, the engine will overheat and seize up. There's no system to deal with faulty operation like that.
This is irresponsible USER action, being blamed on the MANUFACTURER. In addition, sanity checking of input in software is of almost negligible cost, yet preventing complete and utter stupidity of a USER causing damage in this case, adds cost of additional physical mechanisms. Costs which the general public should not have to worry about, because it is much cheaper and effective to just educate vehicle owners that they should not redline or rev highly an engine without load.
3) My car has problems with user error. If I drive it in to a wall on accident, it'll stop functioning. Same if a user of another car makes a mistake and hits it.
No reasonable person would claim that user misuse of a car or software should be blamed on the manufacturer. This is a silly comparison. Anything can be misused. It does not mean that the problem is with the product, rather the problem is with the user.
Worse yet, the manufacturer will not fix ANY of these faults, even for a price. Even worse they KNEW about ALL of them when they sold the car.
Okay, so let's see... car makers should somehow provide unbreakable glass and locks, should cover every possible scenario to prevent user (or other person) stupidity causing harm to the car or owner? I suppose this would have to be done at a reasonable price too?
Now compare that to software where we expect that it be essentially faultless and when a fault is found, that it be fixed quickly and for free.
As I've already said and now further elaborated on, this is ridiculous. He is comparing car owner complete and utter stupidity, with software users who paid a premium price and expect premium quality and response to stability and security issues which crop up.
One is completely unreasonable ("I drove my car into a wall / Someone threw a brick through my window
Windows is thankfully FINALLY getting better. However in the past, systems could be expected to be vulnerable to MANY different attacks out of the box and users had to be knowledgeable on how to prepare and deal with those problems. Remember, Windows is targeted to be usable by people with a minimum knowledge of these sorts of
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
You obviously never have owned a Toyota.
"If anyone needs me, I'm in the angry dome."
If the computer initiates the connection, it could be seen as entrapment.
So there would still be entrapment if the computer contacted the admin. Just as there would be if the cop was walking up to cars and saying "Hi, I'm available right now".
If people were regularly breaking into my car I would demand things like bullet proof glass so that they would not succeed. If every car in the world was getting broken into that much, I would demand that the makers build it to withstand bricks. Sure I'm mad at the thief breaking in, but I'm also mad at the manufacturer who didn't make the car harder to break into.
If I regularly put my car in neutral and floored it I would demand a rev-limiter. I don't do that often. My PWC (jetski) has a rev limiter because it is common to have the engine wide open with no load - when wave jumping. They could have taught me to let off the throttle when I am in the air, but the problem is common enough that it is worth a real fix.
If I regularly drove my car into walls I would demand a car that doesn't allow that. In fact because accidents happen fairly often car makers build crumple zones, and other such things so that I'm safe in the event of an accident. Microsoft should not have waited for sp2 to make the firewall default - by the time of win98 second edition it was clear this was needed.